
Virut Infection Still Present After Windows Repair


  • This topic is locked
2 replies to this topic

#1 zumzum


  • Members
  • 1 posts

Posted 30 April 2008 - 12:18 PM

This laptop was impossible to clean, so I decided to repair Windows from the Recovery Console.

But still the antivirus (Avira Free AV) cannot be installed: "The CRC sum of C:...\setup.exe has been changed! This could be due to a virus! Do you want to shut down Setup?"

Also combofix.exe cannot be run.

Hopefully somebody can help me, even if I only have the dss.exe log.

The majority of files have been infected with a virus called Virut. Even explorer.exe, rundll.exe and sfc.exe have been hijacked.

Here is the log:


Deckard's System Scanner v20071014.68
Run by Zum-Zum on 2008-04-30 19:50:41
Computer is in Normal Mode.
--------------------------------------------------------------------------------

Total Physical Memory: 503 MiB (512 MiB recommended).


-- HijackThis Clone ------------------------------------------------------------


Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2008-04-30 19:51:18
Platform: Windows XP Service Pack 2 (5.01.2600)
MSIE: Internet Explorer (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Documents and Settings\Zum-Zum\Desktop\dss.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Program Files\Free Download Manager\iefdmcks.dll
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\NPJPI150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\NPJPI150.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - (no file)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - ProtocolDefaults: Unknown 'about:' protocol is in Restricted Zone (HKLM)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shock...ash/swflash.cab
O18 - Protocol: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - C:\Program Files\HP\hpcoretech\comp\hpuiprot.dll
O18 - Protocol: ms-itss - {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\MSITSS.DLL
O18 - Protocol: mso-offdap - {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\Program Files\Common Files\Microsoft Shared\Web Components\10\OWC10.DLL
O18 - Protocol: mso-offdap11 - {32505114-5902-49B2-880A-1F7738E5A384} - C:\Program Files\Common Files\Microsoft Shared\Web Components\11\OWC11.DLL
O18 - Filter: text/xml - {807553E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe
O23 - Service: ClipBook (ClipSrv) - Unknown owner - C:\WINDOWS\system32\clipsrv.exe
O23 - Service: Machine Debug Manager (MDM) - Unknown owner - C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
O23 - Service: MWAgent - Unknown owner - C:\Program Files\Common Files\MicroWorld\Agent\MWASER.EXE
O23 - Service: Network DDE (NetDDE) - Unknown owner - C:\WINDOWS\system32\netdde.exe
O23 - Service: Network DDE DSDM (NetDDEdsdm) - Unknown owner - C:\WINDOWS\system32\netdde.exe
O23 - Service: Pml Driver HPZ12 - Unknown owner - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
O23 - Service: Uninterruptible Power Supply (UPS) - Unknown owner - C:\WINDOWS\System32\ups.exe


--
End of file - 4709 bytes

-- Files created between 2008-03-30 and 2008-04-30 -----------------------------

2008-04-30 19:50:07 497664 --a------ C:\WINDOWS\system32\CF7414.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-04-30 19:49:10 432128 --a------ C:\WINDOWS\system32\CF7228.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-04-30 19:46:13 0 dr-h----- C:\Documents and Settings\Zum-Zum\Recent
2008-04-26 12:57:58 67584 --a------ C:\WINDOWS\system32\moonlight.scr
2008-04-26 12:57:53 67584 --ahs---- C:\WINDOWS\system32\884054180417l.exe
2008-04-26 12:57:53 67584 --a------ C:\WINDOWS\l422844.exe
2008-04-26 12:57:44 0 d--h----- C:\WINDOWS\system32\27001a
2008-04-26 12:57:44 0 dr-hs---- C:\WINDOWS\81484
2008-04-25 18:48:37 209408 --a------ C:\WINDOWS\system32\wuauclt1.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-04-25 18:48:34 110592 --a------ C:\WINDOWS\system32\mnmsrvc.exe <Not Verified; Microsoft Corporation; Windows® NetMeeting®>
2008-04-25 18:48:34 66048 --a------ C:\WINDOWS\system32\fltMc.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-04-25 18:48:33 23040 --a------ C:\WINDOWS\system32\mstinit.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-04-25 18:46:43 16384 --a------ C:\WINDOWS\system32\write.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-04-25 18:46:42 163328 --a------ C:\WINDOWS\system32\winmine.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-04-25 18:46:42 67584 --a------ C:\WINDOWS\system32\sol.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-04-25 18:46:42 215040 --a------ C:\WINDOWS\system32\sndvol32.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-04-25 18:46:42 189440 --a------ C:\WINDOWS\system32\charmap.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-04-25 18:46:42 125440 --a------ C:\WINDOWS\system32\calc.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-04-25 18:46:41 27648 --a------ C:\WINDOWS\system32\tsshutdn.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-04-25 18:46:41 59904 --a------ C:\WINDOWS\system32\tskill.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-04-25 18:46:41 123904 --a------ C:\WINDOWS\system32\tsdiscon.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-04-25 18:46:41 222208 --a------ C:\WINDOWS\system32\tscon.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-04-25 18:46:41 25600 --a------ C:\WINDOWS\system32\shadow.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-04-25 18:46:41 124928 --a------ C:\WINDOWS\system32\rwinsta.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-04-25 18:46:41 53248 --a------ C:\WINDOWS\system32\reset.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-04-25 18:46:41 137728 --a------ C:\WINDOWS\system32\mshearts.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-04-25 18:46:41 66048 --a------ C:\WINDOWS\system32\freecell.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-04-25 18:46:40 77312 --a------ C:\WINDOWS\system32\regini.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-04-25 18:46:40 32768 --a------ C:\WINDOWS\system32\qwinsta.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-04-25 18:46:40 27648 --a------ C:\WINDOWS\system32\qappsrv.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-04-25 18:46:40 31744 --a------ C:\WINDOWS\system32\msg.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-04-25 18:46:40 91648 --a------ C:\WINDOWS\system32\logoff.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-04-25 18:46:40 48640 --a------ C:\WINDOWS\system32\dcomcnfg.exe <Not Verified; Microsoft Corporation; COM Services>
2008-04-25 18:46:38 175104 --a------ C:\WINDOWS\system32\sndrec32.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-04-25 18:46:38 134144 --a------ C:\WINDOWS\system32\mplay32.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-04-25 18:46:38 194560 --a------ C:\WINDOWS\system32\accwiz.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-04-25 18:46:37 549376 --a------ C:\WINDOWS\system32\spider.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-04-25 18:46:37 353792 --a------ C:\WINDOWS\system32\mspaint.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-04-25 18:46:37 113664 --a------ C:\WINDOWS\system32\clipbrd.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-04-25 18:46:36 88064 --a------ C:\WINDOWS\system32\tscupgrd.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-04-25 18:46:36 348160 --a------ C:\WINDOWS\system32\sessmgr.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-04-25 18:46:36 77824 --a------ C:\WINDOWS\system32\rdshost.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-04-25 18:46:36 24576 --a------ C:\WINDOWS\system32\rdsaddin.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-04-25 18:46:36 73216 --a------ C:\WINDOWS\system32\rdpclip.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-04-25 18:46:36 64000 --a------ C:\WINDOWS\system32\qprocess.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-04-25 18:46:36 418304 --a------ C:\WINDOWS\system32\mstsc.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-04-25 18:46:35 49664 --a------ C:\WINDOWS\system32\msdtc.exe <Not Verified; Microsoft Corporation; Microsoft Distributed Transaction Coordinator>
2008-04-25 18:34:57 0 d-------- C:\WINDOWS\system32\ReinstallBackups
2008-04-25 16:03:27 0 d------c- C:\327882R2FWJFW
2008-04-25 14:14:50 163840 --a------ C:\WINDOWS\PSEXESVC.EXE <Not Verified; Sysinternals; Sysinternals PsExec>
2008-04-25 14:14:41 60416 --a------ C:\WINDOWS\system32\drivers\Combo-Fix.sys
2008-04-25 14:14:41 67584 --a------ C:\WINDOWS\034237415.exe
2008-04-25 14:14:41 67584 --a------ C:\WINDOWS\031804175.exe
2008-04-25 14:14:30 120 --a------ C:\WINDOWS\system32\crtsys.dll
2008-04-25 14:14:30 67584 --a------ C:\WINDOWS\031804275.exe
2008-04-25 14:14:30 67584 --a------ C:\WINDOWS\030883165.exe
2008-04-25 14:13:58 67584 --a------ C:\WINDOWS\lsass.exe
2008-04-25 14:13:58 67584 --a------ C:\WINDOWS\037561845.exe
2008-04-25 12:51:22 191 --a------ C:\WINDOWS\system32\pwdclean.cmd
2008-04-25 09:31:02 67584 --ahs---- C:\WINDOWS\l300632.exe
2008-04-24 20:07:09 67584 --a------ C:\WINDOWS\system32\562732756184l.exe
2008-04-24 20:06:56 0 d--h----- C:\WINDOWS\system32\05778a
2008-04-24 20:06:54 0 dr-hs---- C:\WINDOWS\57151
2008-04-24 20:06:53 0 d-------- C:\WINDOWS\system32\04678a
2008-04-24 20:06:53 0 dr-hs---- C:\WINDOWS\57051
2008-04-24 20:06:25 67584 --ahs---- C:\WINDOWS\system32\662832180427l.exe
2008-04-24 20:06:25 67584 --ahs---- C:\WINDOWS\l310733.exe
2008-04-24 20:06:24 0 d--h----- C:\WINDOWS\system32\15780a
2008-04-24 20:06:24 0 dr-hs---- C:\WINDOWS\70273
2008-04-24 19:59:54 111616 --a------ C:\WINDOWS\zip.exe
2008-04-24 19:59:54 65092 --a------ C:\WINDOWS\VFind.exe
2008-04-24 19:59:54 419840 --a------ C:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-04-24 19:59:54 214016 --a------ C:\WINDOWS\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-04-24 19:59:54 205824 --a------ C:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-04-24 19:59:54 175616 --a------ C:\WINDOWS\sed.exe
2008-04-24 19:59:54 91164 --a------ C:\WINDOWS\grep.exe
2008-04-24 19:59:54 86016 --a------ C:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-04-24 17:55:00 67584 --ahs---- C:\WINDOWS\system32\805165423741l.exe
2008-04-24 17:54:59 0 d--h----- C:\WINDOWS\system32\48123a
2008-04-24 17:54:59 67584 --ahs---- C:\WINDOWS\l643166.exe
2008-04-24 17:54:59 0 dr-hs---- C:\WINDOWS\02505
2008-04-24 17:42:21 0 d------c- C:\cmdcons
2008-04-24 16:48:55 0 d--h---c- C:\ErdUndoCache
2008-04-24 15:07:20 67584 --ahs---- C:\WINDOWS\system32\673843201528l.exe
2008-04-24 15:07:20 0 d--h----- C:\WINDOWS\system32\16880a
2008-04-24 15:07:20 67584 --ahs---- C:\WINDOWS\l311733.exe
2008-04-24 15:07:20 0 dr-hs---- C:\WINDOWS\81384
2008-04-24 13:20:52 0 d------c- C:\hijackthis
2008-04-23 14:46:43 0 d-------- C:\Program Files\Trend Micro
2008-04-19 14:54:31 9136 --a------ C:\WINDOWS\system\Inetwh16.dll
2008-04-19 14:54:31 73856 --a------ C:\WINDOWS\system\hlp256.dll <Not Verified; Blue Sky Software; Multimedia WinHelp by Blue Sky Software>
2008-04-19 14:54:30 0 d-------- C:\Program Files\Mindscape
2008-04-13 18:03:42 0 d-------- C:\Program Files\Facility
2008-04-11 11:50:22 0 d-------- C:\Program Files\AskTBar
2008-04-11 11:38:05 0 d-------- C:\Documents and Settings\user\Application Data\K-Meleon
2008-04-09 15:51:03 0 d-------- C:\Documents and Settings\All Users\Application Data\Azureus
2008-04-09 15:50:59 0 d-------- C:\Documents and Settings\user\Application Data\Azureus
2008-04-09 15:34:35 0 d-------- C:\Program Files\Azureus
2008-04-08 18:31:42 118784 --a------ C:\WINDOWS\system32\snapapi.dll
2008-04-08 18:31:42 37888 --a------ C:\WINDOWS\system32\setupnt.dll
2008-04-08 18:31:42 77728 --a------ C:\WINDOWS\system32\drivers\snapman.sys <Not Verified; Acronis; Acronis Snapshot API>
2008-04-08 18:31:39 0 d-------- C:\Program Files\Common Files\Acronis
2008-04-08 18:31:39 0 d-------- C:\Program Files\Acronis
2008-04-02 13:03:03 0 d-------- C:\Documents and Settings\internet only\Application Data\HP
2008-03-31 12:07:04 0 d-------- C:\Documents and Settings\user\Application Data\Image Zone Express
2008-03-31 11:26:08 0 d-------- C:\Documents and Settings\user\Application Data\HP
2008-03-31 11:25:31 0 d-------- C:\Documents and Settings\All Users\Application Data\HP
2008-03-31 11:19:35 0 d-------- C:\Program Files\Common Files\HP
2008-03-31 10:40:35 117616 --a------ C:\WINDOWS\hpoins11.dat


-- Find3M Report ---------------------------------------------------------------

2008-04-25 18:48:36 0 d-------- C:\Program Files\Movie Maker
2008-04-25 18:46:45 0 d-------- C:\Program Files\Messenger
2008-04-25 17:33:39 0 d-------- C:\Program Files\Free Download Manager
2008-04-25 14:14:23 0 d-------- C:\Program Files\Common Files\Autodesk Shared
2008-04-25 14:14:06 0 d-------- C:\Program Files\Common Files\Wextech Shared
2008-04-24 18:14:12 0 d-------- C:\Program Files\RegCleaner
2008-04-24 18:14:03 0 d-------- C:\Program Files\AutoCAD 2002
2008-04-24 16:50:30 0 d-------- C:\Program Files\WordWeb
2008-04-24 16:50:30 0 d-------- C:\Program Files\QuickTime
2008-04-22 12:22:16 0 d-------- C:\Program Files\Common Files\Adobe
2008-04-13 22:18:44 0 d-------- C:\Program Files\Google
2008-04-13 18:32:15 0 d-------- C:\Program Files\Nokia
2008-04-13 18:32:14 0 d-------- C:\Program Files\Common Files
2008-04-13 18:32:13 0 d-------- C:\Program Files\Common Files\PCSuite
2008-04-10 17:04:12 0 d-------- C:\Program Files\Ahead
2008-03-31 11:20:22 0 d-------- C:\Program Files\HP


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown



-- End of Deckard's System Scanner: finished at 2008-04-30 19:51:39 ------------

Many thanks in advance.
zumzum
in tanzania, east africa
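The DSS log above is the only evidence in the thread, and it already carries the pattern a malware handler would look at first: a run of 67584-byte executables with numeric names dropped directly into C:\WINDOWS and system32 (several with hidden+system attributes), a second lsass.exe sitting in C:\WINDOWS while the real one runs from system32, and system32 binaries carrying a Microsoft product string that DSS reports as <Not Verified>. The script below is an added example, not part of the original post and not code from Deckard's System Scanner; it parses the "Files created" line format shown in the log and turns those observations into repeatable triage hints. They are leads for a handler, not verdicts: an unsigned but legitimate hotfix also shows up as Not Verified. The sample lines are a constructed subset copied from the log with the ® marks dropped; the cluster threshold of three, the extension list and the list of core system32 binaries are my assumptions.

```python
import ntpath
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Constructed sample: a subset of the "Files created" lines from the DSS log
# in the post above, with the (R) marks dropped so the file stays ASCII.
SAMPLE_LOG = r"""
2008-04-30 19:50:07 497664 --a------ C:\WINDOWS\system32\CF7414.exe <Not Verified; Microsoft Corporation; Microsoft Windows Operating System>
2008-04-26 12:57:58 67584 --a------ C:\WINDOWS\system32\moonlight.scr
2008-04-26 12:57:53 67584 --ahs---- C:\WINDOWS\system32\884054180417l.exe
2008-04-26 12:57:53 67584 --a------ C:\WINDOWS\l422844.exe
2008-04-26 12:57:44 0 d--h----- C:\WINDOWS\system32\27001a
2008-04-25 18:46:42 125440 --a------ C:\WINDOWS\system32\calc.exe <Not Verified; Microsoft Corporation; Microsoft Windows Operating System>
2008-04-25 14:13:58 67584 --a------ C:\WINDOWS\lsass.exe
2008-04-25 09:31:02 67584 --ahs---- C:\WINDOWS\l300632.exe
2008-04-24 19:59:54 419840 --a------ C:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-04-08 18:31:42 118784 --a------ C:\WINDOWS\system32\snapapi.dll
"""

# DSS line layout: timestamp  size  attribute-string  path  [<verification; company; product>]
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+"
    r"(?P<size>\d+)\s+"
    r"(?P<attrs>[-a-z]{9})\s+"
    r"(?P<path>.+?)"
    r"(?:\s+<(?P<ver>[^>]*)>)?$"
)

EXEC_EXT = {".exe", ".scr", ".dll", ".sys", ".cmd", ".com"}          # assumed set
SYSTEM_DIRS = {r"c:\windows", r"c:\windows\system32"}
# Core processes that belong in system32; a copy anywhere else deserves a look (assumed list).
CORE_SYSTEM32 = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe", "lsass.exe", "svchost.exe"}
# Names that are just digits, optionally wrapped in an "l": 884054180417l.exe, l300632.exe, 031804175.exe
RANDOM_NAME = re.compile(r"l?\d{5,}l?", re.IGNORECASE)


@dataclass
class Entry:
    ts: str
    size: int
    attrs: str          # DSS attribute string, e.g. "--ahs----" (d=dir, a=archive, h=hidden, s=system)
    path: str
    ver: Optional[str]  # text inside <...>, or None when DSS printed no verification note


def parse_dss(text: str) -> list:
    """Parse 'Files created' / 'Find3M' lines into Entry records; any other line is skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append(Entry(m["ts"], int(m["size"]), m["attrs"], m["path"], m["ver"]))
    return entries


def is_system_executable(e: Entry) -> bool:
    """A file (not a directory) with an executable extension directly under the Windows or system32 directory."""
    if e.attrs.startswith("d"):
        return False
    parent, _ = ntpath.split(e.path)
    return parent.lower() in SYSTEM_DIRS and ntpath.splitext(e.path)[1].lower() in EXEC_EXT


def triage(text: str, cluster_min: int = 3) -> dict:
    """Return triage hints keyed by heuristic. Leads for a handler, not verdicts."""
    execs = [e for e in parse_dss(text) if is_system_executable(e)]
    size_counts = Counter(e.size for e in execs)
    return {
        # many executables of identical size landing in system directories (file-infector droppers)
        "size_clusters": {s: [e.path for e in execs if e.size == s]
                          for s, n in size_counts.items() if n >= cluster_min},
        "random_named": [e.path for e in execs
                         if RANDOM_NAME.fullmatch(ntpath.splitext(ntpath.basename(e.path))[0])],
        "hidden_system": [e.path for e in execs if "h" in e.attrs and "s" in e.attrs],
        # carries a Microsoft product string, yet DSS could not verify the file
        "unverified_microsoft": [e.path for e in execs
                                 if e.ver and e.ver.startswith("Not Verified")
                                 and "microsoft" in e.ver.lower()],
        "misplaced_core_binary": [e.path for e in execs
                                  if ntpath.basename(e.path).lower() in CORE_SYSTEM32
                                  and ntpath.dirname(e.path).lower() != r"c:\windows\system32"],
    }


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    for size, paths in report.pop("size_clusters").items():
        print(f"== {len(paths)} executables of {size} bytes ==")
        print("\n".join("  " + p for p in paths))
    for heuristic, paths in report.items():
        print(f"== {heuristic} ==")
        print("\n".join("  " + p for p in paths))
```

Run it against a full DSS log saved to a file by passing `open(path).read()` to `triage`; the "Not Verified" rule is only as good as DSS's own check, so on the machine itself Sysinternals sigcheck against the flagged paths gives the authoritative Authenticode result, and a file-infector case like this one is normally a rebuild rather than a clean-up anyway.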


#2 Starbuck


    'r Brudiwr


  • Malware Response Team
  • 4,150 posts
  • Gender:Male
  • Location:Midlands, UK

Posted 20 May 2008 - 03:24 PM

Hi zumzum
Sorry for the delay in answering your post.
If you still need help, could you please post back a new HJT log... things change so quickly, and we need to see what's happening now.
Thanks

Starbuck



#3 Starbuck


    'r Brudiwr


  • Malware Response Team
  • 4,150 posts
  • Gender:Male
  • Location:Midlands, UK

Posted 27 May 2008 - 10:14 AM

Due to the lack of feedback, this Topic will now be closed.

If you need this topic reopened, please request this by sending the moderating team
a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.
