DDS (Version 1.1.0) - FAT32x86 MINIMAL
Run by Administrator at 0:06:33.98 on Fri 12/26/2008
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.248.150 [GMT -5:00]
AV: Kaspersky Anti-Virus *On-access scanning enabled* (Updated)
============== Running Processes ===============
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\WINDOWS\Explorer.EXE
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\D-Link\Wireless G WUA-1340\AirGCFG.exe
C:\Documents and Settings\Administrator.PAULS-PC\Desktop\dds.scr
============== Pseudo HJT Report ===============
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: IEVkbdBHO Class: {59273ab4-e7d3-40f9-a1a8-6fa9cca1862c} - c:\program files\kaspersky lab\kaspersky anti-virus 2009\ievkbd.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_01\bin\ssv.dll
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [D-Link AirPlus G] c:\program files\d-link\airplus g\AirGCFG.exe
mRun: [ANIWZCS2Service] c:\program files\ani\aniwzcs2 service\WZCSLDR2.exe
mRun: [D-Link Wireless G WUA-1340] c:\program files\d-link\wireless g wua-1340\AirGCFG.exe
mRun: [BtcMaestro] "c:\program files\hp usb multimedia keyboard\KMaestro.exe"
mRun: [UnlockerAssistant] "c:\program files\unlocker\UnlockerAssistant.exe"
mRun: [RRT-Auto] c:\docume~1\valerie\locals~1\temp\temporary directory 1 for rrt.zip\RRT.exe auto
mRun: [AVP] "c:\program files\kaspersky lab\kaspersky anti-virus 2009\avp.exe"
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_01\bin\npjpi160_01.dll
IE: {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - {85E0B171-04FA-11D1-B7DA-00A0C90348D6} - c:\program files\kaspersky lab\kaspersky anti-virus 2009\SCIEPlgn.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: klogon - c:\windows\system32\klogon.dll
AppInit_DLLs: c:\progra~1\kasper~1\kasper~1\mzvkbd.dll,c:\progra~1\kasper~1\kasper~1\mzvkbd3.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
================= FIREFOX ===================
FF - ProfilePath - c:\docume~1\admini~1.pau\applic~1\mozilla\firefox\profiles\8gqpseu7.default\
============= SERVICES / DRIVERS ===============
S0 kl1;Kl1;c:\windows\system32\drivers\kl1.sys [2008-7-21 121872]
S0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [2008-1-29 32784]
S1 KLIF;Kaspersky Lab Driver;c:\windows\system32\drivers\klif.sys [2008-12-25 227344]
S1 SASDIFSV;SASDIFSV;\??\c:\program files\superantispyware\SASDIFSV.SYS [2008-12-4 8944]
S1 SASKUTIL;SASKUTIL;\??\c:\program files\superantispyware\SASKUTIL.sys [2008-12-4 55024]
S2 AVP;Kaspersky Anti-Virus;"c:\program files\kaspersky lab\kaspersky anti-virus 2009\avp.exe" -r [2008-11-11 206088]
S3 A3AB;D-Link AirPro 802.11a/b Wireless Adapter Service(A3AB);c:\windows\system32\drivers\A3AB.sys [2005-3-22 450400]
S3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [2008-4-30 24592]
S3 samhid;samhid;c:\windows\system32\drivers\samhid.sys []
S3 SASENUM;SASENUM;\??\c:\program files\superantispyware\SASENUM.SYS [2008-12-4 7408]
S3 trid3d;trid3d;c:\windows\system32\drivers\trid3dm.sys [2007-6-22 222336]
=============== Created Last 30 ================
2008-12-25 23:54 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2008-12-25 23:54 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2008-12-25 23:50 <DIR> --dsh--- C:\FOUND.005
2008-12-25 23:38 <DIR> --dsh--- C:\FOUND.004
2008-12-25 23:31 <DIR> --dsh--- C:\FOUND.003
2008-12-25 21:16 96,976 a------- c:\windows\system32\drivers\klin.dat
2008-12-25 21:16 87,855 a------- c:\windows\system32\drivers\klick.dat
2008-12-25 21:13 32 a--sh--- c:\windows\system32\drivers\fidbox2.idx
2008-12-25 21:13 32 a--sh--- c:\windows\system32\drivers\fidbox2.dat
2008-12-25 21:13 32 a--sh--- c:\windows\system32\drivers\fidbox.idx
2008-12-25 21:13 32 a--sh--- c:\windows\system32\drivers\fidbox.dat
2008-12-25 21:13 <DIR> --d----- c:\program files\Kaspersky Lab
2008-12-25 21:13 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Kaspersky Lab
2008-12-25 20:59 <DIR> --d----- c:\program files\VS Revo Group
2008-12-25 14:51 16,244 a------- c:\windows\system32\rrt_is.wav
2008-12-25 14:51 7,302 a------- c:\windows\system32\rrt_vf.wav
2008-12-25 14:51 7,148 a------- c:\windows\system32\rrt_tv.wav
2008-12-25 14:51 6,282 a------- c:\windows\system32\rrt_tn.wav
2008-12-25 14:49 <DIR> --d----- c:\docume~1\admini~1.pau\applic~1\SUPERAntiSpyware.com
2008-12-25 14:40 <DIR> --d----- c:\documents and settings\Administrator.PAULS-PC
2008-12-25 14:30 <DIR> --d----- c:\program files\Your Uninstaller 2008
2008-12-25 13:59 <DIR> --d----- c:\program files\Unlocker
2008-12-25 12:28 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Kaspersky Lab Setup Files
2008-12-25 02:15 1,181 a------- c:\windows\mozver.dat
2008-12-25 01:58 <DIR> --d----- c:\program files\Trend Micro
2008-12-25 01:33 272,128 -------- c:\windows\system32\dllcache\bthport.sys
2008-12-25 01:28 <DIR> --dsh--- C:\FOUND.002
2008-12-25 01:03 <DIR> --d----- c:\windows\system32\CatRoot_bak
2008-12-25 00:53 138,368 -------- c:\windows\system32\dllcache\afd.sys
2008-12-25 00:45 331,776 -------- c:\windows\system32\dllcache\msadce.dll
2008-12-25 00:45 8 a------- c:\windows\msoffice.ini
2008-12-24 23:59 <DIR> --d----- c:\windows\system32\dumps
2008-12-24 23:55 <DIR> --d----- c:\docume~1\alluse~1\applic~1\avg8
2008-12-24 22:47 <DIR> --d----- c:\program files\Glary Registry Repair
2008-12-24 19:56 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2008-12-24 19:47 <DIR> --d----- c:\program files\SUPERAntiSpyware
2008-12-24 19:45 <DIR> --d----- c:\program files\common files\Wise Installation Wizard
2008-12-24 18:58 3,284 a------- c:\windows\system32\ANIWZCS{A6F920C9-124B-4872-99A8-ECDB3069FD80}
2008-12-24 17:59 <DIR> --d----- c:\program files\IObit
2008-12-24 16:46 83,216 -------- c:\windows\system32\KmRemove.exe
2008-12-24 16:45 <DIR> --d----- c:\program files\HP USB Multimedia Keyboard
2008-12-24 16:01 21,504 a------- c:\windows\system32\hidserv.dll
2008-12-24 16:01 21,504 a------- c:\windows\system32\dllcache\hidserv.dll
2008-12-24 16:01 25,856 a------- c:\windows\system32\drivers\usbprint.sys
2008-12-24 16:01 25,856 a------- c:\windows\system32\dllcache\usbprint.sys
2008-12-24 15:50 31,616 a------- c:\windows\system32\drivers\usbccgp.sys
2008-12-24 15:50 31,616 a------- c:\windows\system32\dllcache\usbccgp.sys
2008-12-24 15:44 <DIR> --dsh--- C:\FOUND.001
==================== Find3M ====================
2008-12-25 21:55 90,112 a------- c:\windows\DUMPf899.tmp
2008-12-13 01:40 3,593,216 -------- c:\windows\system32\dllcache\mshtml.dll
2008-11-11 20:00 218,376 a------- c:\windows\system32\klogon.dll
2008-11-11 19:58 25,601 a------- c:\windows\system32\drivers\klopp.dat
2008-10-24 06:10 453,632 -------- c:\windows\system32\dllcache\mrxsmb.sys
2008-10-23 08:01 283,648 a------- c:\windows\system32\gdi32.dll
2008-10-23 08:01 283,648 -------- c:\windows\system32\dllcache\gdi32.dll
2008-10-16 14:13 1,809,944 a------- c:\windows\system32\dllcache\wuaueng.dll
2008-10-16 14:13 202,776 a------- c:\windows\system32\dllcache\wuweb.dll
2008-10-16 14:12 323,608 a------- c:\windows\system32\dllcache\wucltui.dll
2008-10-16 14:12 561,688 a------- c:\windows\system32\dllcache\wuapi.dll
2008-10-16 14:09 92,696 a------- c:\windows\system32\dllcache\cdm.dll
2008-10-16 14:09 51,224 a------- c:\windows\system32\dllcache\wuauclt.exe
2008-10-16 14:08 34,328 a------- c:\windows\system32\dllcache\wups.dll
2008-10-16 08:11 70,656 -------- c:\windows\system32\dllcache\ie4uinit.exe
2008-10-16 08:11 13,824 -------- c:\windows\system32\dllcache\ieudinit.exe
2008-10-15 11:57 332,800 -------- c:\windows\system32\dllcache\netapi32.dll
2008-10-15 02:06 633,632 -------- c:\windows\system32\dllcache\iexplore.exe
2008-10-15 02:04 161,792 a------- c:\windows\system32\dllcache\ieakui.dll
2008-10-03 05:15 247,326 a------- c:\windows\system32\strmdll.dll
2008-10-03 05:15 247,326 -------- c:\windows\system32\dllcache\strmdll.dll
============= FINISH: 0:07:41.66 ===============

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:59:15 PM, on 12/25/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\savedump.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
C:\Program Files\D-Link\Wireless G WUA-1340\AirGCFG.exe
C:\Program Files\HP USB Multimedia Keyboard\KMaestro.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: IEVkbdBHO - {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\ievkbd.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O4 - HKLM\..\Run: [D-Link AirPlus G] C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - HKLM\..\Run: [D-Link Wireless G WUA-1340] C:\Program Files\D-Link\Wireless G WUA-1340\AirGCFG.exe
O4 - HKLM\..\Run: [BtcMaestro] "C:\Program Files\HP USB Multimedia Keyboard\KMaestro.exe"
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
O4 - HKLM\..\Run: [RRT-Auto] C:\DOCUME~1\Valerie\LOCALS~1\Temp\Temporary Directory 1 for RRT.zip\RRT.exe auto
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe"
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll
O9 - Extra button: Web traffic protection statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\SCIEPlgn.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1182579266752
O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1\mzvkbd.dll,C:\PROGRA~1\KASPER~1\KASPER~1\mzvkbd3.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: Kaspersky Anti-Virus (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
--
End of file - 4374 bytes
This post has been edited by Up2NoGood: 26 December 2008 - 12:19 AM

This topic is locked
