Strange Happenings



#1 seems_to_be

Posted 23 October 2007 - 02:19 AM

Hello, I'm having quite a few strange happenings on my computer. First off, Device Manager is blank, my USB ports won't recognize any devices due to this, and my Network Places icon does not reveal a LAN or dial-up utility icon. Also, there is no monitor icon in the lower right corner of my Windows taskbar. In addition to this, Firefox downloads only function halfway, then they freeze.

I have Spybot Search & Destroy, Ad-Aware, HijackThis, AVG virus scan, and I ran a copy of the miniscan Ewido offers. It brought up a small.trojan as well as a few adware programs and a bunch of cookies. A few days ago I woke up to find that another Windows user account had been created and registered as "GLITCH". My system resources have been maxing to 100%. Earlier I ran Spy Sweeper and it identified a hidden process in my temp folder (catchme.sys) as a type of Trojan.

Here is my HijackThis log, and I've also posted an Autoruns log of key entries that have no file associated with them. Any help on this matter would be greatly appreciated.

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\WgaTray.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\AIM\aim.exe
C:\Documents and Settings\Berrelli\Local Settings\Temp\autoruns.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [AVG7_CC] "C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" /STARTUP
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /install
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [NvMediaCenter] "RUNDLL32.EXE" C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [SpybotSD TeaTimer] "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
O4 - HKCU\..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: D-Link AirPlus.lnk = ?
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1EF9F042-C2EB-4293-8213-474CAEEF531D} (TmHcmsX Control) - http://www.trendsecure.com/framework/contr...vex/TmHcmsX.CAB
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1093322714410
O16 - DPF: {8714912E-380D-11D5-B8AA-00D0B78F3D48} (Yahoo! Webcam Upload Wrapper) - http://chat.yahoo.com/cab/yuplapp.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/...utocomplete.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Logitech Process Monitor (LVPrcSrv) - Logitech Inc. - c:\program files\common files\logishrd\lvmvfm\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O24 - Desktop Component AutorunsDisabled: (no name) - (no file)



Here is the AutoRun Log:

HKLM\System\CurrentControlSet\Services:
catchme File not found: C:\DOCUME~1\Berrelli\LOCALS~1\Temp\catchme.sys
Changer File not found: C:\WINDOWS\System32\Drivers\Changer.sys
GEARAspiWDM File not found: C:\WINDOWS\System32\Drivers\GEARAspiWDM.sys
i2omgmt File not found: C:\WINDOWS\System32\Drivers\i2omgmt.sys
lbrtfdc File not found: C:\WINDOWS\System32\Drivers\lbrtfdc.sys
LVUSBSta File not found: C:\WINDOWS\System32\Drivers\LVUSBSta.sys
PCIDump File not found: C:\WINDOWS\System32\Drivers\PCIDump.sys
PDCOMP File not found: C:\WINDOWS\System32\Drivers\PDCOMP.sys
PDFRAME File not found: C:\WINDOWS\System32\Drivers\PDFRAME.sys
PDRELI File not found: C:\WINDOWS\System32\Drivers\PDRELI.sys
PDRFRAME File not found: C:\WINDOWS\System32\Drivers\PDRFRAME.sys
pepifilter File not found: C:\WINDOWS\System32\Drivers\pepifilter.sys
PID_08A0 File not found: C:\WINDOWS\System32\Drivers\PID_08A0.sys
WDICA File not found: C:\WINDOWS\System32\Drivers\WDICA.sys
ZSMC301b File not found: C:\WINDOWS\System32\Drivers\ZSMC301b.sys

HKCU\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components:
0 File not found: About:Home

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved:
Display Panning CPL Extension File not found: deskpan.dll


#2 DaveM59

Posted 12 November 2007 - 09:08 PM

Hi seems_to_be,

Sorry for the delay, this forum is overwhelmed right now.

Your log is incomplete -- the header is missing. This is the part that lists your operating system, boot mode and so forth. This information is important.

If you still need help, please run a fresh HJT scan and post the entire log to a reply here.

Dave

#3 seems_to_be

Posted 18 November 2007 - 11:02 PM

Sorry. Here is my HijackThis log.



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:00:54 PM, on 11/18/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\tcpsvcs.exe
C:\PROGRA~1\SPYWAR~3\sp_rsser.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
C:\PROGRA~1\SPYWAR~3\SpywareTerminatorShield.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\D-Link AirPlus\AirPlus.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\WgaTray.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [AVG7_CC] "C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" /STARTUP
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /install
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
O4 - HKLM\..\Run: [SpywareTerminator] "C:\PROGRA~1\SPYWAR~3\SpywareTerminatorShield.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [NvMediaCenter] "RUNDLL32.EXE" C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: D-Link AirPlus.lnk = ?
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1EF9F042-C2EB-4293-8213-474CAEEF531D} (TmHcmsX Control) - http://www.trendsecure.com/framework/contr...vex/TmHcmsX.CAB
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1093322714410
O16 - DPF: {8714912E-380D-11D5-B8AA-00D0B78F3D48} (Yahoo! Webcam Upload Wrapper) - http://chat.yahoo.com/cab/yuplapp.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/...utocomplete.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Logitech Process Monitor (LVPrcSrv) - Logitech Inc. - c:\program files\common files\logishrd\lvmvfm\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\PROGRA~1\SPYWAR~3\sp_rsser.exe

#4 DaveM59

Posted 20 November 2007 - 07:29 AM

Hi again,

Sorry for the delay in responding, I am totally tied up at work these days and had a funeral to attend last night.

Your HJT log looks clean. You are running a lot of security programs, and one of them has a checkered history: please click this link and scroll down to read the entry about Spyware Terminator. Then decide if you want to continue using it.

Questions: do you still have that "Glitch" user account on your computer? If so, have you tried to remove it? Also, have you used ComboFix in the past? Then, have you used Task Manager to try and identify which process is eating up your CPU cycles? And finally, have you tried uninstalling Firefox and downloading the latest version? If so, did that fix the download problem? Either way, are you able to download files using Internet Explorer?

Please answer these questions and give me any other information you have about the current situation, then we will do some further scanning and/or other checks.

Dave

#5 seems_to_be

Posted 23 November 2007 - 09:05 PM

Hi,

I uninstalled Spyware Terminator. I don't know, it seemed pretty legit because it had a real-time scanner and a TeaTimer that monitored registry key changes or .exe modifications. At one point it was picking up this Microsoft plugin called MSIMG, and the information said it's for Japanese translations or something, which is odd because I don't visit any Japanese sites. Anyhow, I'm pretty sure that GLITCH is gone. Now when I boot up Safe Mode, two accounts show: admin and my main account. Yes, I did run ComboFix in the past. As far as Task Manager, it appears I have quite a few service host copies running. One such one is usually 14,000- 20 or higher. At random times I'll lose my internet connection, but when I go to Safe Mode it works fine. Also, every time I restart my computer I have to reinstall my sound driver via Add Hardware. My USB ports do not work either, and my Device Manager is blank. In conclusion, I can once again download.

Hope this helps with further diagnostics.

#6 DaveM59

Posted 23 November 2007 - 11:21 PM

Hi again,

Please go to this Microsoft KB article and follow the steps outlined there. See if that resolves your problem with Device Manager.

If it does, then check in Device Manager and see if there are warning icons (yellow exclamation points) next to any or all of your USB controllers. Expand the USB Controllers listing by clicking the "+" next to that entry. Let me know what you find.

Dave

#7 seems_to_be

Posted 24 November 2007 - 12:31 PM

Hello, I tried that a few months ago, but to no avail; it remains the same. I'm also getting a BSOD saying the value is not greater or less than in kbd.class. Also, some interesting issues came up. For starters, AVG ran a scan and found windowsupdate has been infected with a Trojan Horse Generic 2.VOI.

#8 DaveM59

Posted 26 November 2007 - 09:04 PM

Hello,

Again apologies for the delay in answering, I had to travel yesterday and did not have access to the internet.

First, Unhide files and folders:

1. Close all programs so that you are at your desktop.
2. Click Start, My Computer.
3. Select the Tools menu and click Folder Options.
4. After the new window appears select the View tab.
5. Under the Hidden files and folders section select the radio button labeled Show hidden files and folders.
6. Remove the checkmark from the checkbox labeled Hide file extensions for known file types.
7. Remove the checkmark from the checkbox labeled Hide protected operating system files.
8. Press the Apply button and then the OK button and close out My Computer.
9. Now your computer is configured to show all hidden files.

Navigate to the C:\windows\System32 folder and search for the file services.exe. If you find it there, right click the icon and select Properties. Write down the file's dates, both the date created and the date modified, and the file size (not the size on disk). Please include this information in your next reply.

"AVG ran a scan and found windowsupdate has been infected with a Trojan Horse Generic 2.VOI."

Could you please post the report from that AVG scan? Here's how to get it:
  • Open AVG. In the menu across the top click Results.
  • Select the test that showed the problem. Confirm by clicking the tab to show the Virus Results.
  • Press <Ctrl> - S to save the report to a file.
  • When the Save window opens, keep the default file type (tabbed list), name the file avgscan.tab and in the Save in box select your desktop.
  • Double click the file on your desktop; it will open in Notepad. Press <Ctrl> - A to select the entire document, then press <Ctrl> - C to copy it.
Paste the report into your next reply.

Also I would like to see the results of a Kaspersky online scan.

First go to the Kaspersky online scanner. Accept the terms, let it install an ActiveX program (since you have XP SP2 this is blocked by default, you must allow it), then accept the terms again, let it download the files (about 8 MB total). Click Next, and select "My Computer" as the scan area. Kaspersky takes a long time but it is very thorough. When it is finished, save the report as a text file (easier to work with than an HTML file) to your desktop.

Copy and paste that log to your next reply.

Finally, if you get another BSOD, please copy down the entire error message and include it in your reply too.

Dave
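
The check asked for above (write down the created and modified dates and the size of services.exe) is worth automating, and worth doing with a hash rather than with dates alone, because a file's timestamps are trivial for an attacker to set back while its hash is not. The script below is an added example, not code from this thread or from any of the tools mentioned in it. The file contents, the baseline values and the four kinds of tampering it stages are all constructed for the demo; they are not real Windows XP binaries or hashes.

```python
"""Integrity triage for system binaries: hash and size, not just dates.

Added example, not code from the BleepingComputer thread or its posters.
All file contents and the baseline are constructed for the demo.
"""
import hashlib
import os
import tempfile

# Constructed stand-ins for clean binaries (not real PE images).
CLEAN = {
    "services.exe": b"MZ\x90\x00 constructed clean services.exe image",
    "lsass.exe":    b"MZ\x90\x00 constructed clean lsass.exe image",
    "svchost.exe":  b"MZ\x90\x00 constructed clean svchost.exe image",
    "winlogon.exe": b"MZ\x90\x00 constructed clean winlogon.exe image",
}
# Fixed mtime for the demo: 2004-08-04 00:00:00 UTC, the modified date the
# poster reported for services.exe.
BASE_MTIME = 1091577600


def fingerprint(path):
    """Return size, integer mtime and SHA-256 hex digest for one file."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    st = os.stat(path)
    return {"size": st.st_size, "mtime": int(st.st_mtime), "sha256": h.hexdigest()}


def build_baseline(directory, names):
    """Fingerprint known-good files. On a real machine this comes from install media or a clean peer."""
    return {n: fingerprint(os.path.join(directory, n)) for n in names}


def audit(directory, baseline):
    """Compare every .exe in `directory` against the baseline and return {name: verdict}.

    Verdicts:
      ok          - hash matches
      modified    - hash differs and mtime moved (a patch, or unhidden tampering)
      timestomped - hash differs but mtime still equals the baseline: someone
                    replaced the contents and put the old date back
      missing     - in baseline, not on disk
      unexpected  - on disk, not in baseline
    """
    verdicts = {}
    for name, good in baseline.items():
        path = os.path.join(directory, name)
        if not os.path.exists(path):
            verdicts[name] = "missing"
            continue
        now = fingerprint(path)
        if now["sha256"] == good["sha256"]:
            verdicts[name] = "ok"
        elif now["mtime"] == good["mtime"]:
            verdicts[name] = "timestomped"
        else:
            verdicts[name] = "modified"
    for name in os.listdir(directory):
        if name.lower().endswith(".exe") and name not in baseline:
            verdicts[name] = "unexpected"
    return verdicts


def _write(path, data, mtime):
    """Write bytes and pin the file's mtime so the demo is deterministic."""
    with open(path, "wb") as f:
        f.write(data)
    os.utime(path, (mtime, mtime))


def demo():
    """Stage a clean directory, tamper with it four different ways, and audit it."""
    with tempfile.TemporaryDirectory() as d:
        for name, data in CLEAN.items():
            _write(os.path.join(d, name), data, BASE_MTIME)
        baseline = build_baseline(d, CLEAN)

        # 1. Replace lsass.exe and restore the old mtime (timestomping).
        _write(os.path.join(d, "lsass.exe"), b"MZ\x90\x00 constructed trojanised lsass.exe", BASE_MTIME)
        # 2. Replace svchost.exe without hiding the new date.
        _write(os.path.join(d, "svchost.exe"), b"MZ\x90\x00 constructed trojanised svchost.exe", BASE_MTIME + 86400)
        # 3. Remove winlogon.exe entirely.
        os.remove(os.path.join(d, "winlogon.exe"))
        # 4. Drop an unknown binary, named after the file AVG deleted later in the thread.
        _write(os.path.join(d, "WindowsUpdates.exe"), b"MZ\x90\x00 constructed dropper", BASE_MTIME + 1)

        return audit(d, baseline)


if __name__ == "__main__":
    for name, verdict in sorted(demo().items()):
        print(f"{verdict:12} {name}")
```

On a real machine the baseline would come from install media or a known-clean peer and the audit would walk C:\WINDOWS\system32 rather than a temporary directory. The verdict to look for is timestomped: a plausible modified date on a system file proves nothing by itself, because the date survives only as long as the attacker wants it to, whereas a hash mismatch cannot be hidden by editing metadata.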

#9 seems_to_be

Posted 27 November 2007 - 02:50 PM

Here is the services.exe info

Created: Thursday, August 23, 2001, 10:00:00 AM
Modified: Wednesday, August 04, 2004, 2:56:55 AM
Accessed: Today, November 27, 2007, 2:45:21 PM
Size: 105 KB (108,032 bytes)


Here are the AVG scan results:
"General properties" ""
"Report name" "Complete Test"
"Start time" "11/24/2007 12:26:17 PM"
"End time" "11/24/2007 1:33:17 PM (total: 1:07:59.4 hrs)"
"Launch method" "Scanning launched by scheduler"
"Scanning result" "Threats found"
"Report status" "Scanning completed successfully"
" " ""
"Object summary" ""
"Scanned" "102115"
"Threats Found" "2"
"Cleaned" "0"
"Moved to vault" "0"
"Deleted" "2"
"Errors" "0"
"C:\WINDOWS\system32\shell32.dll" "Change" "Changed"
"C:\WINDOWS\system32\drivers\etc\hosts" "Change" "Changed"
"C:\WINDOWS\AutoUpdateWin31.dll" "" "Deleted"
"C:\WINDOWS\WindowsUpdates.exe" "" "Deleted"

-------------------------------------------------------------------------------
Finally here is the Kaspersky log

KASPERSKY ONLINE SCANNER REPORT
Tuesday, November 27, 2007 2:40:52 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 27/11/2007
Kaspersky Anti-Virus database records: 437716
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\

Scan Statistics:
Total number of scanned objects: 84509
Number of viruses found: 4
Number of infected objects: 6
Number of suspicious objects: 0
Duration of the scan process: 02:15:42

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\avg7\Log\emc.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\Berrelli\Application Data\Aim\ftfctiyd\laisseseperdre\cert8.db Object is locked skipped
C:\Documents and Settings\Berrelli\Application Data\Aim\ftfctiyd\laisseseperdre\key3.db Object is locked skipped
C:\Documents and Settings\Berrelli\Application Data\AVG7\l_000222.log Object is locked skipped
C:\Documents and Settings\Berrelli\Application Data\Mozilla\Firefox\Profiles\axolf1vu.default\cert8.db Object is locked skipped
C:\Documents and Settings\Berrelli\Application Data\Mozilla\Firefox\Profiles\axolf1vu.default\history.dat Object is locked skipped
C:\Documents and Settings\Berrelli\Application Data\Mozilla\Firefox\Profiles\axolf1vu.default\key3.db Object is locked skipped
C:\Documents and Settings\Berrelli\Application Data\Mozilla\Firefox\Profiles\axolf1vu.default\parent.lock Object is locked skipped
C:\Documents and Settings\Berrelli\Application Data\Mozilla\Firefox\Profiles\axolf1vu.default\search.sqlite Object is locked skipped
C:\Documents and Settings\Berrelli\Application Data\Mozilla\Firefox\Profiles\axolf1vu.default\urlclassifier2.sqlite Object is locked skipped
C:\Documents and Settings\Berrelli\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Berrelli\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Berrelli\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Berrelli\Local Settings\Application Data\Mozilla\Firefox\Profiles\axolf1vu.default\Cache\_CACHE_001_ Object is locked skipped
C:\Documents and Settings\Berrelli\Local Settings\Application Data\Mozilla\Firefox\Profiles\axolf1vu.default\Cache\_CACHE_002_ Object is locked skipped
C:\Documents and Settings\Berrelli\Local Settings\Application Data\Mozilla\Firefox\Profiles\axolf1vu.default\Cache\_CACHE_003_ Object is locked skipped
C:\Documents and Settings\Berrelli\Local Settings\Application Data\Mozilla\Firefox\Profiles\axolf1vu.default\Cache\_CACHE_MAP_ Object is locked skipped
C:\Documents and Settings\Berrelli\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Berrelli\Local Settings\History\History.IE5\MSHist012007112720071128\index.dat Object is locked skipped
C:\Documents and Settings\Berrelli\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Berrelli\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Berrelli\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{29150F25-0AFD-4DC9-A0B7-869AAB3F52F4}\RP26\change.log Object is locked skipped
C:\System Volume Information\_restore{29150F25-0AFD-4DC9-A0B7-869AAB3F52F4}\RP6\A0000139.exe/data.rar/keygen.exe Infected: Trojan-Downloader.Win32.Small.gmx skipped
C:\System Volume Information\_restore{29150F25-0AFD-4DC9-A0B7-869AAB3F52F4}\RP6\A0000139.exe/data.rar/crack.exe Infected: Trojan-Downloader.Win32.Agent.dlu skipped
C:\System Volume Information\_restore{29150F25-0AFD-4DC9-A0B7-869AAB3F52F4}\RP6\A0000139.exe/data.rar/serial.exe Infected: Trojan.Win32.Dialer.qn skipped
C:\System Volume Information\_restore{29150F25-0AFD-4DC9-A0B7-869AAB3F52F4}\RP6\A0000139.exe/data.rar/install.exe Infected: Virus.Win32.Virut.av skipped
C:\System Volume Information\_restore{29150F25-0AFD-4DC9-A0B7-869AAB3F52F4}\RP6\A0000139.exe/data.rar Infected: Virus.Win32.Virut.av skipped
C:\System Volume Information\_restore{29150F25-0AFD-4DC9-A0B7-869AAB3F52F4}\RP6\A0000139.exe RarSFX: infected - 5 skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SophosEvent.evt Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped

Scan process completed.
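
The AVG report above lists C:\WINDOWS\system32\drivers\etc\hosts as "Changed". A stock Windows XP hosts file contains only the line 127.0.0.1 localhost, so a changed hosts file is worth reading line by line: malware commonly maps update and antivirus domains to 127.0.0.1 so that scanners cannot update, or to an attacker's address so that the victim lands on a fake site. The script below is an added example, not code from this thread or from any tool named in it. Its sample hosts content is constructed, and WATCHED is an illustrative list of vendor and update domains, not an authoritative one.

```python
"""Hosts-file triage: which names has this machine been told to resolve itself?

Added example, not code from the BleepingComputer thread or its posters.
The sample content and the WATCHED list are constructed for the demo.
"""
import ipaddress
import sys

# Illustrative update and security-vendor domains an infected hosts file tends to hijack.
WATCHED = (
    "windowsupdate.microsoft.com", "update.microsoft.com", "go.microsoft.com",
    "avg.com", "grisoft.com", "kaspersky.com", "trendmicro.com",
    "lavasoft.com", "safer-networking.org",
)
# ipaddress.is_private also covers documentation ranges such as 203.0.113.0/24,
# so check the RFC 1918 blocks explicitly to decide what counts as "LAN".
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample, modelled on a tampered hosts file (not the poster's file).
SAMPLE_HOSTS = """\
# constructed sample hosts file
127.0.0.1       localhost
127.0.0.1       windowsupdate.microsoft.com
127.0.0.1       www.avg.com   # vendor site blackholed
0.0.0.0         housecall.trendmicro.com
203.0.113.7     update.microsoft.com
203.0.113.7     www.mybank.example
192.168.1.20    fileserver.lan
this is not a hosts line
"""


def parse_hosts(text):
    """Yield (lineno, ip_string, hostname) per mapping; hostname is None for malformed lines."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        fields = line.split()
        try:
            ipaddress.ip_address(fields[0])
        except ValueError:
            yield lineno, fields[0], None        # first token is not an address
            continue
        if len(fields) == 1:
            yield lineno, fields[0], None        # address with no names
            continue
        for host in fields[1:]:
            yield lineno, fields[0], host.lower()


def is_watched(host):
    """True if host is one of the watched domains or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in WATCHED)


def classify(ip_str, host):
    """Return a verdict for one mapping, or None for the stock localhost line."""
    try:
        ip = ipaddress.ip_address(ip_str)
    except ValueError:
        return "malformed"
    sink = ip.is_loopback or ip.is_unspecified
    if host in ("localhost", "localhost.localdomain") and sink:
        return None                                  # the only entry a stock file has
    if is_watched(host):
        return "blocked" if sink else "redirected"   # updates/AV silenced, or sent elsewhere
    if sink:
        return "blackholed"                          # some other site silenced; find out which
    if ip.version == 4 and any(ip in n for n in RFC1918):
        return "lan"                                 # usually a legitimate local override
    return "review"                                  # public address pinned to a name: phishing pattern


def triage(text):
    """Return a list of findings, one per suspicious mapping, in file order."""
    findings = []
    for lineno, ip_str, host in parse_hosts(text):
        verdict = "malformed" if host is None else classify(ip_str, host)
        if verdict:
            findings.append({"line": lineno, "ip": ip_str, "host": host, "verdict": verdict})
    return findings


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as f:
            text = f.read()
    else:
        text = SAMPLE_HOSTS
    for f in triage(text):
        print(f"line {f['line']:>3}: {f['verdict']:<10} {f['ip']:<15} {f['host']}")
```

Pass the path of the hosts file as the only argument to run it against a real file; with no argument it triages the constructed sample. The blocked and redirected verdicts are the ones that matter on a machine like the one in this thread: they explain why update sites and online scanners may quietly stop working, and a redirected entry for a bank or webmail domain is reason to treat every password typed on the machine as exposed.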

#10 DaveM59

Posted 27 November 2007 - 07:17 PM

I am sorry to tell you that there is a bot worm on your computer.

A bot worm is a program that is installed without your knowledge and enables a hacker, sitting at another computer perhaps thousands of miles away, to control your computer so that it does what he wants -- it becomes his "bot."

Bots can be used to launch denial-of-service attacks (This is where hundreds of bots simultaneously bombard a website with requests for information, overwhelming its capacity to respond and, thereby, shutting it down) and for other sorts of mischief. The bot can also do mass spam mailing, download files to the computer, or upload files and data, including passwords and other private information.

Here is a link to trend Micro's writeup of the bot worm on your computer. Please note the final paragraph:

"It executes the said commands locally on an affected system, providing the remote user virtual control over the machine."

Read the entire article, and also the linked writeup of the troj_rootkit.e. This bot includes a rootkit component which is a type of stealth technology that can hide bots and other infections from AV scanners. Notice that neither AVG nor Kaspersky found the rootkit component. It's still on your machine, and active.

For these reasons it is very important that, starting immediately, this machine be kept off the internet and physically disconnected from any network it may be part of.

If you use or have used this computer for online banking or shopping or for accessing or storing personal information such as school records, then you need to take steps to protect your information that may have been compromised. I recommend these steps for action:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?

In addition, Kaspersky reports traces of the infamous Virut file infector. This virus is basically incurable, because it infects numerous system files, and the way it injects its code into those files makes it impossible for antivirus programs to disinfect them. Therefore, the only way the AV program can deal with the files is to delete or quarantine them, and the end result is a crippled system.

This is something I don't like to recommend normally, but with a computer this badly infected, the only sure solution for your safety is to reformat the hard drive and reinstall Windows. In your case, even if you are willing to risk the possibility of a continued security breach, the Virut infection is so devastating that I cannot recommend any other course of action.

Please read the following link very carefully:

When Should I Format, How Should I Reinstall

To reformat and reinstall see this link for instructions:
http://www.cyberwalker.net/faqs/how-tos/reinstall-faq.html

Again, sorry to be the bearer of bad news.

Dave
