Virus/worm In C:\system Volume


  • This topic is locked
5 replies to this topic

#1 D_Vincent


Posted 26 May 2008 - 11:42 AM

Not sure how the virus/worms got on the computer; however, I'm guessing someone probably was on a porno site or something... I usually don't view those sites because I'm usually recording music when I'm on the computer.

I did 3 virus scans... I used avast and a virus warning appeared one time and I clicked repair; however, I think I should have moved it to chest. However, when the scan was finished it said the computer had 11 infected files... After that I did a BitDefender online virus scan and no problems were found, so I did another avast scan because I figured the warning should have popped up 11 times if there were 11 infections, and on the second scan the warning did pop up 11 times and each time I moved the infection to chest, which avast advised me to do.

All infections seem to be in C:\System Volume... my computer has onboard audio, I believe.

The computer is running fine however I was wondering if I can get rid of the infections.

Here is a HijackThis log.

Thanks for any help.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:22:57 PM, on 5/26/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Common Files\Portrait Displays\Shared\DTSRVC.exe
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\system32\S3trayp.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\system32\lxddcoms.exe
C:\Program Files\lg_fwupdate\fwupdate.exe
C:\Program Files\Lexmark 2500 Series\lxddmon.exe
C:\Program Files\Lexmark 2500 Series\lxddamon.exe
C:\Program Files\Portrait Displays\forteManager\DTHtml.exe
c:\Program Files\Microsoft IntelliPoint\dpupdchk.exe
C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Common Files\Portrait Displays\Shared\HookManager.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logitech\khalshared\KHALMNPR.EXE
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
C:\Program Files\Alwil Software\Avast4\ashSimpl.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Hijackthis\HiJackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [S3Trayp] S3trayp.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [IntelliPoint] "c:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] "C:\Program Files\Common Files\Logitech\khalshared\KHALMNPR.EXE"
O4 - HKLM\..\Run: [DT LGE] C:\Program Files\Common Files\Portrait Displays\Shared\DT_startup.exe -LGE
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [LGODDFU] "C:\Program Files\lg_fwupdate\fwupdate.exe" blrun
O4 - HKLM\..\Run: [lxddmon.exe] "C:\Program Files\Lexmark 2500 Series\lxddmon.exe"
O4 - HKLM\..\Run: [lxddamon] "C:\Program Files\Lexmark 2500 Series\lxddamon.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [M-Audio Taskbar Icon] C:\WINDOWS\System32\M-AudioTaskBarIcon.exe
O4 - HKLM\..\Run: [SsAAD.exe] C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_1_0
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Logitech SetPoint.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1205792621109
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O16 - DPF: {D6E7CFB5-C074-4D1C-B647-663D1A8D96BF} (Facebook Photo Uploader 4) - http://upload.facebook.com/controls/Facebo...Uploader4_5.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Portrait Displays Display Tune Service (DTSRVC) - Unknown owner - C:\Program Files\Common Files\Portrait Displays\Shared\DTSRVC.exe
O23 - Service: lxddCATSCustConnectService - Lexmark International, Inc. - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\\lxddserv.exe
O23 - Service: lxdd_device - - C:\WINDOWS\system32\lxddcoms.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe

--
End of file - 8234 bytes


Here is a screenshot of the infected files that avast successfully moved to chest.

Direct link to image
http://img389.imageshack.us/img389/4488/avastvr9.png

Edited by D_Vincent, 26 May 2008 - 11:49 AM.


#2 D_Vincent


Posted 26 May 2008 - 02:56 PM

Sorry for the double post; however, it seems the computer is infected with Win32:Trojan-gen.

Looking for an answer on how to get rid of it... the computer is running fine; however, I definitely want to get rid of it.

Thanks

#3 steamwiz


Posted 26 May 2008 - 03:30 PM

Hi

Anything in System Volume (restore points) is not a threat unless you perform a system restore ... & it's easy enough to purge the restore points and remove the infections ...

But first, empty your avast quarantine & run another scan ... see if it still finds anything?

Win32:Trojan-gen is a way of describing any file which shows the characteristics of a Trojan; many legit files also fall into this description...

I'll need you to run some additional scans ...

Please run a Kaspersky Online Scan

Please do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner

Click Accept

You will be prompted to install an ActiveX component from Kaspersky.
Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives, Scan Mail Bases
  • Click OK
  • Now under select a target to scan: Select My Computer
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Once finished, save the log to your Desktop as filename KAV.txt
THEN ...

Please download Malwarebytes' Anti-Malware from here:

http://www.majorgeeks.com/Malwarebytes_Ant...ware_d5756.html

or here:

http://www.besttechie.net/tools/mbam-setup.exe

Double Click mbam-setup.exe to install the application.

* Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select "Perform Quick Scan", then click Scan.
* The scan may take some time to finish, so please be patient.
* When the scan is complete, click OK, then Show Results to view the results.
* Make sure that everything is checked, and click Remove Selected.
* When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.
* The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
* Copy and Paste the entire report in your next reply.

steam

Edited by steamwiz, 26 May 2008 - 03:32 PM.
correct spelling

MICROSOFT MVP - Windows Security 2004/9
member of ASAP since 2004
member of U.N.I.T.E

If I have helped you, please consider a small donation to help me continue my online fight in the war against malware

#4 D_Vincent


Posted 26 May 2008 - 04:24 PM

Before you posted I downloaded a free 30-day trial of a-squared Anti-Malware, which I've used in the past, and there seem to be 11 low-risk files in C:\System Volume Information plus another 8 low-risk tracking cookies... I am probably going to repair/fix them, then I will do the Kaspersky online scanner unless you say to wait and not repair them in a-squared... I was in the middle of the a-squared scan when I read your post.

Here is the screenshot of the a-squared results... looks like something from PKR Poker, which I downloaded and tried out months ago; however, I uninstalled it and dumped PKR because it took up too much RAM to run... seems odd that the infections show up now since I do a virus scan every few days or so... you would think they would have shown up in a scan before now.

Note the screenshot only says 9 low-risk files; however, I'm not done scanning and I know it will end up being 11 in the end.

Screenshot
http://img135.imageshack.us/img135/9811/asquaredpz9.png

I already have Kaspersky up and ready to scan; however, I'm waiting for a-squared to finish.

I did not remove the 11 infections from the avast chest yet... It's the same 11 infections I see in a-squared... I wonder if I should remove them from chest first, then fix using a-squared... a-squared is a pretty good program; however, it's only free for 30 days per email address.

EDIT: ... finished the a-squared scan... ended up only being 9 and not 11 low-risk files... it's asking me to quarantine or delete... wonder if I should delete or not?

Here is a report from a-squared... I know it's not the program you asked me to download; however, it seems to be working.

a-squared Anti-Malware - Version 3.5
Last update: 5/26/2008 5:32:38 PM

Scan settings:

Objects: Memory, Traces, Cookies, C:\
Scan archives: On
Heuristics: On
ADS Scan: On

Scan start: 5/26/2008 5:32:52 PM

C:\Documents and Settings\XP PRO OEM\Cookies\xp pro oem@bs.serving-sys[2].txt detected: Trace.TrackingCookie
C:\Documents and Settings\XP PRO OEM\Cookies\xp pro oem@com[1].txt detected: Trace.TrackingCookie
C:\Documents and Settings\XP PRO OEM\Cookies\xp pro oem@indextools[2].txt detected: Trace.TrackingCookie
C:\Documents and Settings\XP PRO OEM\Cookies\xp pro oem@questionmarket[2].txt detected: Trace.TrackingCookie
C:\Documents and Settings\XP PRO OEM\Cookies\xp pro oem@server.iad.liveperson[2].txt detected: Trace.TrackingCookie
C:\Documents and Settings\XP PRO OEM\Cookies\xp pro oem@serving-sys[2].txt detected: Trace.TrackingCookie
C:\Documents and Settings\XP PRO OEM\Cookies\xp pro oem@tribalfusion[2].txt detected: Trace.TrackingCookie
C:\Documents and Settings\XP PRO OEM\Cookies\xp pro oem@www.bullguard[1].txt detected: Trace.TrackingCookie
C:\System Volume Information\_restore{21F27A2E-C962-49DA-B5FB-797B16444963}\RP26\A0001899.exe detected: Riskware.Monitor.Win32.PKRPoker.a
C:\System Volume Information\_restore{21F27A2E-C962-49DA-B5FB-797B16444963}\RP41\A0005619.exe detected: Riskware.Monitor.Win32.PKRPoker.a
C:\System Volume Information\_restore{21F27A2E-C962-49DA-B5FB-797B16444963}\RP43\A0006649.exe detected: Riskware.Monitor.Win32.PKRPoker.a
C:\System Volume Information\_restore{21F27A2E-C962-49DA-B5FB-797B16444963}\RP56\A0012153.exe detected: Riskware.Monitor.Win32.PKRPoker.a
C:\System Volume Information\_restore{21F27A2E-C962-49DA-B5FB-797B16444963}\RP56\A0012691.exe detected: Riskware.Monitor.Win32.PKRPoker.a
C:\System Volume Information\_restore{21F27A2E-C962-49DA-B5FB-797B16444963}\RP56\A0013674.exe detected: Riskware.Monitor.Win32.PKRPoker.a
C:\System Volume Information\_restore{21F27A2E-C962-49DA-B5FB-797B16444963}\RP58\A0014316.exe detected: Riskware.Monitor.Win32.PKRPoker.a
C:\System Volume Information\_restore{21F27A2E-C962-49DA-B5FB-797B16444963}\RP58\A0015727.exe detected: Riskware.Monitor.Win32.PKRPoker.a
C:\System Volume Information\_restore{21F27A2E-C962-49DA-B5FB-797B16444963}\RP58\A0016187.exe detected: Riskware.Monitor.Win32.PKRPoker.a

Scanned

Files: 113395
Traces: 427330
Cookies: 69
Processes: 46

Found

Files: 9
Traces: 0
Cookies: 8
Processes: 0
Registry keys: 0

Scan end: 5/26/2008 6:32:25 PM
Scan time: 0:59:33

-------------------

Now I'm doing the Kaspersky online scan...

I actually might be able to solve this problem on my own thanks to a-squared... sorry to bother you guys... I'm sure you have bigger problems to solve; however, if I still have problems I will post here.

Thanks again

Edited by D_Vincent, 26 May 2008 - 05:30 PM.
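The a-squared report above lists every hit as "<path> detected: <name>", and the disagreement in this thread is about which of those hits matter: files inside restore points under C:\System Volume Information are dormant until a System Restore, tracking cookies are low risk, and a generic name such as Win32:Trojan-gen only says a file looks trojan-like and needs a second-opinion scan. The following triage script is an added example (not code from the thread or from a-squared) that parses lines in that format and sorts them into those buckets; the sample lines and the restore-point GUID are constructed placeholders.

```python
import re
from collections import Counter

# Constructed sample lines in the "<path> detected: <name>" report format seen
# in the thread. The all-zero GUID is a placeholder, not a real restore folder.
SAMPLE_REPORT = r"""
C:\Documents and Settings\USER\Cookies\user@tracker.example[1].txt detected: Trace.TrackingCookie
C:\System Volume Information\_restore{00000000-0000-0000-0000-000000000000}\RP26\A0001899.exe detected: Riskware.Monitor.Win32.PKRPoker.a
C:\System Volume Information\_restore{00000000-0000-0000-0000-000000000000}\RP58\A0014316.exe detected: Riskware.Monitor.Win32.PKRPoker.a
C:\WINDOWS\system32\example.dll detected: Win32:Trojan-gen
"""

DETECTION_RE = re.compile(r"^(?P<path>.+?) detected: (?P<name>\S+)\s*$")
# Restore-point copies live under _restore{GUID}\RPnn\ ; capture the RP number.
RESTORE_RE = re.compile(
    r"\\System Volume Information\\_restore\{[^}]*\}\\(?P<rp>RP\d+)\\", re.IGNORECASE)
COOKIE_RE = re.compile(r"\\Cookies\\.*\.txt$", re.IGNORECASE)


def classify(path, name):
    """Return (category, restore_point) for one detection line."""
    m = RESTORE_RE.search(path)
    if m:
        return "restore_point", m.group("rp")   # inert until a System Restore
    if COOKIE_RE.search(path) or name.startswith("Trace.TrackingCookie"):
        return "tracking_cookie", None          # low risk, just delete
    return "active", None                       # on the live system: investigate


def is_generic(name):
    """Heuristic names (e.g. Win32:Trojan-gen) only say 'looks like a trojan'."""
    n = name.lower()
    return n.endswith("-gen") or n.endswith(".gen") or "generic" in n


def triage(report_text):
    """Parse report lines into dicts; lines that are not detections are skipped."""
    findings = []
    for line in report_text.splitlines():
        m = DETECTION_RE.match(line.strip())
        if not m:
            continue
        path, name = m.group("path"), m.group("name")
        category, rp = classify(path, name)
        findings.append({"path": path, "name": name, "category": category,
                         "restore_point": rp, "generic": is_generic(name)})
    return findings


def summarize(findings):
    """Counts per bucket, the restore points to purge, and live generic hits."""
    counts = Counter(f["category"] for f in findings)
    rps = sorted({f["restore_point"] for f in findings if f["restore_point"]})
    second_opinion = [f["path"] for f in findings
                      if f["category"] == "active" and f["generic"]]
    return {"counts": dict(counts), "restore_points": rps,
            "needs_second_opinion": second_opinion}


if __name__ == "__main__":
    for key, value in summarize(triage(SAMPLE_REPORT)).items():
        print(f"{key}: {value}")
```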


#5 steamwiz


Posted 27 May 2008 - 02:15 PM

Hi

I did not remove the 11 infections from the avast chest yet... It's the same 11 infections I see in a-squared...


Sorry ... NO ... they are totally different ...

I actually might be able to solve this problem on my own thanks to a-squared...


Again ... NO ... not with a-squared Anti-Malware :thumbsup:

You can get a-squared Anti-Malware to delete all it finds ... then run Avast, the others will still be there ... empty the avast quarantine as I said, then run avast again & tell me if it still finds anything?

Then run & post the scans I asked for ...

steam

#6 steamwiz


Posted 27 June 2008 - 02:54 PM

Due to lack of feedback, this thread is now treated as resolved and duly closed.

If the original poster would like it re-opened, please send me a PM with a link to this thread.

cheers

steam