
Win32.Worm.Viking & unknown


  • This topic is locked
3 replies to this topic

#1 redhawk1

  • Members
  • 2 posts

Posted 03 February 2009 - 12:45 AM

Hi there out there, your site looks like a real gem in helping rookies like me with these malware/virus issues. I have got a virus that has caused two columns of "sponsor links" on the search page of Google. I have done an Ad-Aware scan, AntiVir, and Malwarebytes scans, which found a few Trojans and worms, but they have not nailed this problem. I am running Online Armor for a firewall. I will include the HijackThis log file; hope this info is appropriate and helpful.

DDS (Ver_09-02-01.01) - NTFSx86
Run by User at 21:28:01.15 on 02/02/2009
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Home Edition 5.1.2600.2.1252.2.1033.18.1535.952 [GMT -8:00]

AV: Bitdefender Antivirus *On-access scanning disabled* (Updated)
AV: Avira AntiVir PersonalEdition *On-access scanning enabled* (Updated)
FW: Online Armor Firewall *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\Program Files\Tall Emu\Online Armor\oasrv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Tall Emu\Online Armor\oaui.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Tall Emu\Online Armor\oahlp.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Tall Emu\Online Armor\oacat.exe
C:\WINDOWS\system32\locator.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\User\Desktop\dds.scr
C:\WINDOWS\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://google.com/
uSearch Page = hxxp://google.com/
uURLSearchHooks: CurrentBins.com Toolbar: {0072ad52-7ddc-4f35-bc26-ffd9147ec36d} - c:\program files\currentbins.com\tbCurr.dll
uURLSearchHooks: ftabins Toolbar: {42fe564a-cb41-4b4c-b6ae-c52b73f6150d} - c:\program files\ftabins\tbftab.dll
BHO: AutorunsDisabled - No File
BHO: {F7F6584C-864B-411D-A410-BB2DE0D33CA1} - No File
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: F.T.A. Toolbar: {f904d379-5b2e-44ee-96c9-3b51bd98696c} - c:\program files\f.t.a\tbF.T..dll
TB: Winamp Toolbar: {ebf2ba02-9094-4c5a-858b-bb198f3d8de2} - c:\program files\winamp toolbar\winamptb.dll
TB: CurrentBins.com Toolbar: {0072ad52-7ddc-4f35-bc26-ffd9147ec36d} - c:\program files\currentbins.com\tbCurr.dll
TB: ftabins Toolbar: {42fe564a-cb41-4b4c-b6ae-c52b73f6150d} - c:\program files\ftabins\tbftab.dll
TB: F.T.A. Toolbar: {f904d379-5b2e-44ee-96c9-3b51bd98696c} - c:\program files\f.t.a\tbF.T..dll
EB: Search panel: {69d6d3ea-4d75-722a-e353-2ac1c50c2500} - c:\windows\system32\iefwsobgmrr.dll
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [RemoteControl] "c:\program files\cyberlink dvd solution\powerdvd\PDVDServ.exe"
mRun: [nwiz] nwiz.exe /install
mRun: [InCD] c:\program files\ahead\incd\InCD.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [WinampAgent] "c:\program files\winamp\winampa.exe"
mRun: [avgnt] "c:\program files\avira\antivir personaledition classic\avgnt.exe" /min
mRun: [Lexmark X1100 Series] "c:\program files\lexmark x1100 series\lxbkbmgr.exe"
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [@OnlineArmor GUI] "c:\program files\tall emu\online armor\oaui.exe"
StartupFolder: c:\docume~1\user\programs\startup\adobem~1.lnk - c:\program files\adobe media player\Adobe Media Player.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
uPolicies-explorer: MaxRecentDocs = 99 (0x63)
mPolicies-system: HideShutdownScripts = 0 (0x0)
IE: &Winamp Search - c:\documents and settings\all users\application data\winamp toolbar\ietoolbar\resources\en-us\local\search.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
Trusted Zone: adobe.com\www
Trusted Zone: dlms.ca\www
Trusted Zone: google.ca\www
Trusted Zone: onlinemarketmasterauction.com\www
DPF: pcpitstop-tracks-checker - hxxp://www.pcpitstop.com/privacy/PCPTracks.cab
DPF: {0e5f0222-96b9-11d3-8997-00104bd12d94} - hxxp://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
DPF: {1842b0ee-b597-11d4-8997-00104bd12d94} - hxxp://www.pcpitstop.com/internet/pcpConnCheck.cab
DPF: {5ed80217-570b-4da9-bf44-be107c0ec166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6662.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1229546724088
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1169932394421
DPF: {74DBCB52-F298-4110-951D-AD2FF67BC8AB} - hxxp://www.nvidia.com/content/DriverDownload/nforce/NvidiaSmartScan.cab
DPF: {8ad9c840-044e-11d1-b3e9-00805f499d93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {9732fb42-c321-11d1-836f-00a0c993f125} - hxxp://www.pcpitstop.com/mhLbl.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {cafeefac-0016-0000-0011-abcdeffedcba} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {cafeefac-ffff-ffff-ffff-abcdeffedcba} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://pc.mywebexpc.com/pc/mywebex/tool/syscheck/ieatgpc.cab
DPF: {ffb3a759-98b1-446f-bda9-909c6eb18cc7} - hxxp://utilities.pcpitstop.com/Optimize2/pcpitstop2.dll
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: OA Shell Helper: {4f07da45-8170-4859-9b5f-037ef2970034} - c:\progra~1\tallem~1\online~1\oaevent.dll

============= SERVICES / DRIVERS ===============

R1 avgio;avgio;c:\program files\avira\antivir personaledition classic\avgio.sys [2008-12-12 11840]
R1 OADevice;OADriver;c:\windows\system32\drivers\OADriver.sys [2009-2-2 178376]
R1 OAmon;OAmon;c:\windows\system32\drivers\OAmon.sys [2009-2-2 30920]
R1 OAnet;OAnet;c:\windows\system32\drivers\OAnet.sys [2009-2-2 28872]
R2 aawservice;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\aawservice.exe [2008-9-10 611664]
R2 antivirscheduler;Avira AntiVir Personal - Free Antivirus Scheduler;c:\program files\avira\antivir personaledition classic\sched.exe [2008-12-12 68865]
R2 antivirservice;Avira AntiVir Personal - Free Antivirus Guard;c:\program files\avira\antivir personaledition classic\avguard.exe [2008-12-12 151297]
R2 OAcat;Online Armor Helper Service;c:\program files\tall emu\online armor\oacat.exe [2009-2-2 1402568]
R2 SvcOnlineArmor;Online Armor;c:\program files\tall emu\online armor\oasrv.exe [2009-2-2 3321032]
R3 avgntflt;avgntflt;c:\program files\avira\antivir personaledition classic\avgntflt.sys [2008-12-12 52032]
S1 70960341;70960341;c:\windows\system32\drivers\70960341.sys --> c:\windows\system32\drivers\70960341.sys [?]
S1 SASDIFSV;SASDIFSV;\??\c:\program files\superantispyware\sasdifsv.sys --> c:\program files\superantispyware\SASDIFSV.SYS [?]
S1 SASKUTIL;SASKUTIL;\??\c:\program files\superantispyware\saskutil.sys --> c:\program files\superantispyware\SASKUTIL.sys [?]
S2 agsrkg;Update Universal;c:\windows\system32\svchost.exe -k netsvcs [2004-8-4 14336]
S2 gbsmvk;Shell Task;c:\windows\system32\svchost.exe -k netsvcs [2004-8-4 14336]
S2 gupdate1c91f7cebc9159a;Google Update Service (gupdate1c91f7cebc9159a);c:\program files\google\update\GoogleUpdate.exe [2008-9-25 133104]
S3 SASENUM;SASENUM;\??\c:\program files\superantispyware\sasenum.sys --> c:\program files\superantispyware\SASENUM.SYS [?]
S3 Video3D;ASUS Video3D Service;c:\windows\system32\drivers\video3d.sys --> c:\windows\system32\drivers\Video3D.sys [?]

=============== Created Last 30 ================

2009-02-02 15:23 <DIR> --d----- c:\program files\Trend Micro
2009-02-02 11:08 <DIR> --d----- c:\docume~1\user\applic~1\OnlineArmor
2009-02-02 11:08 <DIR> --d----- c:\docume~1\alluse~1\applic~1\OnlineArmor
2009-02-02 11:08 178,376 a------- c:\windows\system32\drivers\OADriver.sys
2009-02-02 11:08 30,920 a------- c:\windows\system32\drivers\OAmon.sys
2009-02-02 11:08 28,872 a------- c:\windows\system32\drivers\OAnet.sys
2009-02-02 11:08 <DIR> --d----- c:\program files\Tall Emu
2009-01-31 21:31 69,170 a------- c:\windows\system32\iefwsobgmrr.dll-uninst.exe
2009-01-31 21:30 48,278 a------- c:\windows\system32\pndwiczqkhxutpg.exe
2009-01-30 11:00 568,320 a------- c:\windows\system32\iefwsobgmrr.dll
2009-01-29 15:28 <DIR> --d----- c:\program files\IrfanView
2009-01-24 21:27 89,360 a------- c:\windows\system32\VB5DB.DLL
2009-01-24 21:27 1,272,320 -------- c:\windows\system32\msxml4.dll
2009-01-24 21:27 82,944 -------- c:\windows\system32\msxml4r.dll
2009-01-24 21:27 45,056 -------- c:\windows\system32\msxml4a.dll
2009-01-24 21:27 <DIR> --d----- c:\program files\Seagate Software
2009-01-24 21:27 303,104 -------- c:\windows\system32\p2sodbc.dll
2009-01-24 21:27 188,416 -------- c:\windows\system32\P2smon.dll
2009-01-24 21:27 622,592 -------- c:\windows\system32\Crpaig80.dll
2009-01-24 21:27 66,560 -------- c:\windows\system32\crwrap32.dll
2009-01-24 21:27 40,448 -------- c:\windows\system32\dsofile.dll
2009-01-23 16:50 <DIR> --d----- C:\ie-spyad
2009-01-23 16:41 <DIR> --d----- c:\program files\SpywareBlaster
2009-01-23 16:30 <DIR> --d----- C:\VundoFix Backups
2009-01-21 22:22 54,156 a---h--- c:\windows\QTFont.qfn
2009-01-21 22:22 1,409 a------- c:\windows\QTFont.for
2009-01-21 15:01 <DIR> --d----- c:\program files\Realtek AC97
2009-01-21 14:12 <DIR> -cd-h--- c:\docume~1\alluse~1\applic~1\{B46E1EF5-0B37-4DB4-A4E2-9F2B41036185}
2009-01-11 12:28 446,464 a------- c:\windows\system32\nvunrm.exe
2009-01-11 12:28 6,045 a------- c:\windows\system32\nvnrm.nvu
2009-01-11 12:28 4,984 a------- c:\windows\system32\drivers\nvphy.bin
2009-01-11 11:34 <DIR> --d----- c:\docume~1\alluse~1\applic~1\PC Drivers HeadQuarters
2009-01-09 11:24 664 a------- c:\windows\system32\d3d9caps.dat
2009-01-08 19:47 <DIR> --d----- c:\program files\F.T.A
2009-01-06 15:14 107,520 a------- C:\General Bus 2009.or5
2009-01-06 15:14 110 a------- C:\General Bus 2009.GCF
2009-01-06 15:14 0 a------- C:\General Bus 2009.LCK

==================== Find3M ====================

2008-12-13 18:48 410,984 a------- c:\windows\system32\deploytk.dll
2008-12-13 18:30 209,816 a------- c:\program files\jre-6u11-windows-i586-p-iftw-k.exe
2008-12-13 18:28 0 -------- c:\program files\jre-6u11-windows-i586-p.exe
2008-12-13 18:28 1,230 a------- c:\program files\jre-6u11-windows-i586-p.exe.sdm
2008-12-12 23:03 685,056 a------- c:\windows\isRS-000.tmp
2008-12-12 15:46 14,336 a------- c:\windows\system32\svchost.exe
2008-12-09 12:09 34,031,720 a------- c:\program files\GoogleSketchUpWEN.exe
2008-09-01 10:24 724,984 a------- c:\documents and settings\user\gotomypc_437.exe
2008-09-01 10:17 3,902,784 a------- c:\documents and settings\user\gosetup.exe
2008-08-16 15:25 3 ac------ c:\program files\sFile64sys.ico
2008-07-16 11:11 104,640 a------- c:\docume~1\user\applic~1\GDIPFONTCACHEV1.DAT
2007-01-06 14:31 21,822,168 a------- c:\program files\AdbeRdr80_en_US.exe
2007-01-05 14:20 359,112 ac------ c:\program files\LimeWireWin.exe
2007-01-05 14:08 6,653,000 ac------ c:\program files\winamp532_full_emusic-7plus.exe
2004-10-01 15:00 40,960 a------- c:\program files\Uninstall_CDS.exe
2008-05-13 01:03 431,724 a--sh--- c:\windows\system32\AHilknpo.ini2
2008-05-13 00:59 1,490,693 a--sh--- c:\windows\system32\ahnnnyem.ini2
2008-05-21 08:06 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008052120080522\index.dat

============= FINISH: 21:30:39.67 ===============


#2 extremeboy

  • Malware Response Team
  • 12,975 posts
  • Gender:Male

Posted 14 February 2009 - 10:55 AM

Backdoor Threat

IMPORTANT NOTE: Unfortunately, one or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do.

With Regards,
Extremeboy
Note: Please do not PM me asking for help; instead, please post it in the correct forum requesting help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours, please feel free to send me a PM.

The help you receive here is always free.

#3 extremeboy

  • Malware Response Team
  • 12,975 posts
  • Gender:Male

Posted 17 February 2009 - 08:42 PM

Hello.

Are you still there?

If you are please follow the instructions in my previous post.

If you still need help, follow the instructions I have given in my response. If you have since had your problem solved, we would appreciate you letting us know so we can close the topic.

Please reply back telling us so. If you don't reply within 5-7 days the topic will need to be closed.

Thanks for understanding.

With Regards,
Extremeboy

#4 extremeboy

  • Malware Response Team
  • 12,975 posts
  • Gender:Male

Posted 19 February 2009 - 05:25 PM

Hello.

Due to lack of feedback, this topic is now closed.

If you need this topic reopened, please Send Me a Message. In your message please include the address of this thread in your request.
This applies only to the original topic starter.

Everyone else please start a new topic in the Hijackthis-Malware Removal forum.

With Regards,
Extremeboy
