
Unknown/Unresolved Infection/s


#1 chwatson


  • Members
  • 1 posts
  • Local time: 03:23 PM

Posted 02 February 2009 - 01:11 PM

In a moment of unrivaled stupidity, I downloaded a music editing/production program through bittorrent without really looking at what the torrent contained. The main program file was legitimate, but when I ran a 'required' .exe to permanently unlock it (which had no symbol in front of it in the thumbnail view), several hundred instances of rundll32 appeared. I knew something was wrong and tried my best to fix the problem, but after trying Panda, Norton, AVG, and several other programs (none of which found anything beyond an initial detection by AVG, which was supposedly resolved), I'm confident that something is still wrong. Predictably, there are things in task manager that weren't there before, but I don't know what's what.

This all happened several weeks ago, and while there are no major problems or errors, the machine seems to be running significantly slower. Previously, I could run several tabs of firefox, winamp, and other programs flawlessly. Now there is a noticeable lag between keystrokes and actual text within Trillian, for example. Also, winamp seems to routinely freeze, as does firefox or IE. For lack of a better description, something isn't right.

If there is any more information I can provide that might help, I'm glad to oblige. Thank you in advance for the help--the problem's beginning to scare me a bit.

DDS (Ver_09-02-01.01) - NTFSx86
Run by Cameron at 12:46:50.01 on Mon 02/02/2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1535.830 [GMT -5:00]

AV: Sophos Anti-Virus *On-access scanning disabled* (Outdated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\Program Files\Zune\ZuneLauncher.exe
C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\ATITool\ATITool.exe
C:\Program Files\SpeedFan\speedfan.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\BitTornado\btdownloadgui.exe
c:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Cameron\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://google.com/
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [DAEMON Tools Lite] "c:\program files\daemon tools lite\daemon.exe" -autorun
mRun: [Zune Launcher] "c:\program files\zune\ZuneLauncher.exe"
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe"
mRun: [NVMixerTray] "c:\program files\nvidia corporation\nvmixer\NVMixerTray.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [rundll] c:\windows\system32\rundll.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
StartupFolder: c:\docume~1\cameron\startm~1\programs\startup\speedfan.lnk - c:\program files\speedfan\speedfan.exe
StartupFolder: c:\docume~1\alluse~1.win\startm~1\programs\startup\atitool.lnk - c:\program files\atitool\ATITool.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL
Trusted Zone: whataboutarabit.com
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {33564D57-0000-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6662.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1188436445031
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============

R0 si3112r;Silicon Image SiI 3112 SATARaid Controller;c:\windows\system32\drivers\SI3112r.sys [2007-8-29 110128]
R0 SiWinAcc;SiWinAcc;c:\windows\system32\drivers\SiWinAcc.sys [2007-8-29 17328]
R2 SAVAdminService;Sophos Anti-Virus status reporter;c:\program files\sophos\sophos anti-virus\SAVAdminService.exe [2008-12-9 69632]
R2 SAVService;Sophos Anti-Virus;c:\program files\sophos\sophos anti-virus\SavService.exe [2008-12-9 98304]
R3 Envy24HFS;ICE Envy24 Family Audio Controller WDM;c:\windows\system32\drivers\Envy24HF.sys [2007-3-15 627840]
R4 IDSxpx86;IDSxpx86;\??\c:\documents and settings\all users.windows\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\ipsdefs\20090129.001\idsxpx86.sys --> c:\documents and settings\all users.windows\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\ipsdefs\20090129.001\IDSxpx86.sys [?]
R4 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\nav\1002000.007\symefa.sys --> c:\windows\system32\drivers\nav\1002000.007\SYMEFA.SYS [?]
RUnknown pavboot;pavboot; [x]
S4 SophosBootDriver;SophosBootDriver;c:\windows\system32\drivers\SophosBootDriver.sys [2009-2-2 14976]

=============== Created Last 30 ================

2009-02-02 12:39 130,088 a------- c:\windows\system32\sdccoinstaller.dll
2009-02-02 12:39 <DIR> --d----- c:\program files\common files\Cisco Systems
2009-02-02 12:33 23,552 a------- c:\windows\system32\SophosBootTasks.exe
2009-02-02 12:33 <DIR> --d----- c:\program files\Sophos
2009-02-02 12:33 <DIR> --d----- c:\docume~1\alluse~1.win\applic~1\Sophos
2009-02-02 12:18 104,704 a------- c:\windows\system32\drivers\savonaccesscontrol.sys
2009-02-02 12:18 35,584 a------- c:\windows\system32\drivers\savonaccessfilter.sys
2009-02-02 12:18 14,976 a------- c:\windows\system32\drivers\SophosBootDriver.sys
2009-02-02 12:18 <DIR> --d----- C:\stdtsa
2009-01-21 09:44 <DIR> --d----- c:\docume~1\cameron\applic~1\HorizonWimba
2009-01-20 22:29 410,984 a------- c:\windows\system32\deploytk.dll
2009-01-15 19:51 <DIR> --d----- c:\docume~1\alluse~1.win\applic~1\Symantec
2009-01-15 19:49 <DIR> --d----- c:\windows\LastGood.Tmp
2009-01-15 19:48 <DIR> --d----- c:\program files\Norton AntiVirus
2009-01-15 19:48 <DIR> --d----- c:\docume~1\alluse~1.win\applic~1\Norton
2009-01-15 19:46 <DIR> --d----- c:\program files\NortonInstaller
2009-01-15 19:46 <DIR> --d----- c:\docume~1\alluse~1.win\applic~1\NortonInstaller

==================== Find3M ====================

2008-12-11 06:57 333,184 a------- c:\windows\system32\drivers\srv.sys
2008-11-10 12:23 243,840 a------- c:\windows\system32\ZuneWlanCfgSvc.exe
2008-11-10 12:23 60,032 a------- c:\windows\system32\ZuneBusEnum.exe
2008-11-10 12:09 73,728 a------- c:\windows\system32\ZuneUsbTransport.dll
2008-11-10 12:09 18,944 a------- c:\windows\system32\ZuneTcp2Udp.dll
2008-11-10 12:09 57,344 a------- c:\windows\system32\ZuneRegUtil.dll
2008-11-10 12:09 12,800 a------- c:\windows\system32\ZunePTDNS.dll
2008-11-10 12:09 310,272 a------- c:\windows\system32\ZuneNetProxy.dll
2008-11-10 12:09 145,920 a------- c:\windows\system32\ZuneMTPZ.dll
2006-12-20 02:19 5,277 a------- c:\program files\debug.log
2006-12-20 02:19 218 a------- c:\program files\scripts.log
2004-09-01 15:05 4 a------- c:\program files\locale.msg
2004-07-13 15:07 13 a------- c:\program files\locale.dzn
2004-06-30 15:31 147,456 a------- c:\program files\Lokalizator.dll
2003-02-21 07:42 348,160 a------- c:\program files\msvcr71.dll

============= FINISH: 12:47:18.10 ===============




#2 kahdah


  • Security Colleague
  • 11,138 posts
  • Gender: Male
  • Location: Florida
  • Local time: 04:23 PM

Posted 15 February 2009 - 09:54 AM

Hello chwatson

Welcome to BleepingComputer.
Software run from bittorrent is most times a crack, and cracks almost always drop infections; plus, those programs are illegal to use.

Also you are running 2 antivirus programs.
I do not recommend that you have more than one anti virus product installed and running on your computer at a time. The reason for this is that if both products have their automatic (Real-Time) protection switched on, then those products which do not encrypt the virus strings within them can cause other anti virus products to raise "false alarms". It can also lead to a clash as both products fight for access to files which are opened; again, this is the resident/automatic protection. In general terms, the two programs may conflict and cause:
1) False Alarms: When the anti virus software tells you that your PC has a virus when it actually doesn't.
2) System Performance Problems: Your system may lock up due to both products attempting to access the same file at the same time.
Therefore please go to add/remove in the control panel and remove either AVG or Sophos.
Please post an updated dds log then do the following:

Download the GMER Rootkit Scanner. Unzip it to your Desktop.

Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while the scan is being performed. Do not use your computer for anything else during the scan.

Double-click gmer.exe. The program will begin to run.

These types of scans can produce false positives. Do NOT take any action on any
"<--- ROOTKIT" entries unless advised!

If possible rootkit activity is found, you will be asked if you would like to perform a full scan.
  • Click NO
  • In the right panel, you will see a bunch of boxes that have been checked ... leave everything checked and ensure the Show all box is un-checked.
  • Now click the Scan button.
    Once the scan is complete, you may receive another notice about rootkit activity.
  • Click OK.
  • GMER will produce a log. Click on the [Save..] button, and in the File name area, type in "GMER.txt"
  • Save it where you can easily find it, such as your desktop.
Post the contents of GMER.txt in your next reply.
Please do not pm for help, post it in the forums instead.

If I am helping you and have not responded for 48 hours please send me a pm as I don't always get notifications.

My help is always free, however, if you would like to make a donation to me for the help I have provided please click here.
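The reply's first check, that more than one anti virus product is referenced in the DDS log, can be done mechanically. The script below is an added example, not code from the thread or from DDS: it parses a constructed excerpt of the log posted above into its `====` sections, matches vendor name fragments (Sophos, AVG, Norton/Symantec, Panda) that are assumed from this log, and reports which products look active and which are remnants.

```python
import re
# Constructed excerpt of the DDS log from the first post (the full log is on the page).
DDS_EXCERPT = r"""
AV: Sophos Anti-Virus *On-access scanning disabled* (Outdated)
============== Running Processes ===============
c:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe
============== Pseudo HJT Report ===============
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
============= SERVICES / DRIVERS ===============
R2 SAVService;Sophos Anti-Virus;c:\program files\sophos\sophos anti-virus\SavService.exe [2008-12-9 98304]
R4 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\nav\1002000.007\symefa.sys [?]
RUnknown pavboot;pavboot; [x]
"""
VENDOR_MARKERS = {  # path/name fragments per vendor (assumption: picked from this log)
    "Sophos": ("sophos",),
    "AVG": ("\\avg\\", "avgssie"),
    "Norton/Symantec": ("norton", "symantec", "symefa"),
    "Panda": ("pavboot",),  # assumed Panda remnant; the poster says Panda was tried
}
SECTION_RE = re.compile(r"^=+\s*(.+?)\s*=+$")

def parse_sections(log):
    """Split a DDS log into {section name: [non-empty lines]}; text before the first header is 'Header'."""
    sections, current = {"Header": []}, "Header"
    for line in map(str.strip, log.splitlines()):
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
        elif line:
            sections[current].append(line)
    return sections

def av_inventory(log):
    """{vendor: 'active'|'remnant'}; active = named on the 'AV:' line or seen in Running Processes."""
    inventory = {}
    for section, lines in parse_sections(log).items():
        for line in lines:
            low = line.lower()
            for vendor, markers in VENDOR_MARKERS.items():
                if any(mk in low for mk in markers):
                    active = section == "Running Processes" or line.startswith("AV:")
                    if active or vendor not in inventory:
                        inventory[vendor] = "active" if active else "remnant"
    return inventory

def conflicting_av(log):
    """Vendors to reconcile when more than one AV product is referenced, as the reply advises."""
    found = sorted(av_inventory(log))
    return found if len(found) > 1 else []
```

A BHO or a leftover driver alone does not prove the product is still running, so the remnants are pointers to uninstall or clean up rather than proof of a live conflict.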
