
Various Malware Infections including Virut.AJ.Dropper


This topic is locked
4 replies to this topic

#1 disneeze

  • Members
  • 4 posts

Posted 05 February 2009 - 11:38 PM

I believe my computer is infected with various Malware/Spyware etc. I have run a complete AVG Virus Scan, as well as Malwarebytes' Anti-Malware and RegCure scans. I know I am still infected by the Virut.AJ.Dropper virus. AVG will recognize the virus, but is unable to heal as it is attached to winlogon.exe in the System32 folder.

Other viruses found and not healed by AVG are: Trojan horse Rootkit-Agent.BU, Trojan horse Injector.CD, Trojan horse Agent.AXNU, Trojan horse Generic12.AZCN, Trojan horse Generic12.BJEG, Trojan horse Generic12.BJMF and HackTool.GEC, all infecting files in the System32 folder.

Also, Internet Explorer will not load any images from any website.

DDS Log:

DDS (Ver_09-02-01.01) - NTFSx86
Run by Chan at 20:09:47.81 on 2009-02-05
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Professional 5.1.2600.3.1252.82.1033.18.2038.1267 [GMT -8:00]

AV: AVG Anti-Virus *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\agrsmsvc.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\TOSHIBA\IVP\ISM\pinger.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\PROGRA~1\AVG\AVG8\avgam.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Synaptics\SynTP\SynToshiba.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Documents and Settings\Chan\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.msn.com
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: AVG Security Toolbar: {a057a204-bacc-4d26-9990-79a187e2698e} - c:\progra~1\avg\avg8\AVGTOO~1.DLL
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
TB: AVG Security Toolbar: {a057a204-bacc-4d26-9990-79a187e2698e} - c:\progra~1\avg\avg8\AVGTOO~1.DLL
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [PDVD8LanguageShortcut] "c:\program files\cyberlink\powerdvd8\language\Language.exe"
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
dPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
dPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
dPolicies-explorer: NoFolderOptions = 1 (0x1)
dPolicies-system: DisableTaskMgr = 1 (0x1)
dPolicies-system: DisableRegistryTools = 1 (0x1)
IE: Append to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/F/D/9/FD9E437D-5BC8-4264-A093-DFA2C39D197E/LegitCheckControl.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://dl8-cdn-01.sun.com/s/ESD5/JSCDL/jre/6u11-b90/jinstall-6u11-windows-i586-jc.cab?e=1231363520943&h=50234230b62463d741e03bd67fe0e14e/&filename=jinstall-6u11-windows-i586-jc.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: Antiwpa - antiwpa.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
SEH: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - SABShellExecuteHook Class

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\chan\applic~1\mozilla\firefox\profiles\50t1dxes.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
FF - component: c:\program files\avg\avg8\firefox\components\avgssff.dll
FF - component: c:\program files\avg\avg8\toolbarff\components\vmAVGConnector.dll

============= SERVICES / DRIVERS ===============

R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [2009-2-4 12552]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-2-4 325128]
R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-2-4 27656]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-2-4 107272]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-1-15 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-1-15 55024]
R2 {FE4C91E7-22C2-4D0C-9F6B-82F1B7742054};{FE4C91E7-22C2-4D0C-9F6B-82F1B7742054};c:\program files\cyberlink\powerdvd8\000.fcl [2008-5-15 61424]
R2 avg8emc;AVG8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2009-2-5 903960]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-2-5 298264]
R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-1-15 7408]
R3 WSIMD;wsimd Service;c:\windows\system32\drivers\wsimd.sys [2009-1-7 57344]

=============== Created Last 30 ================

2009-02-05 09:31 5,376 a------- c:\windows\system32\antiwpa.dll
2009-02-05 00:08 <DIR> --d-h--- C:\$AVG8.VAULT$
2009-02-04 23:30 1,343,616 a------- c:\windows\system32\drivers\athw.sys
2009-02-04 11:59 527 a------- c:\windows\system32\win32hlp.cnf
2009-02-04 11:17 12,552 a------- c:\windows\system32\drivers\avgrkx86.sys
2009-02-04 11:17 10,520 a------- c:\windows\system32\avgrsstx.dll
2009-02-04 11:16 107,272 a------- c:\windows\system32\drivers\avgtdix.sys
2009-02-04 11:16 325,128 a------- c:\windows\system32\drivers\avgldx86.sys
2009-02-04 11:16 <DIR> --d----- c:\windows\system32\drivers\Avg
2009-02-04 11:16 <DIR> --d----- c:\docume~1\chan\applic~1\AVGTOOLBAR
2009-02-04 11:16 <DIR> --d----- c:\program files\AVG
2009-02-04 09:34 96,256 a------- c:\windows\system32\bthc.dll
2009-02-03 17:33 0 a------- c:\windows\system32\1B.tmp
2009-02-03 17:31 9,950 a------- c:\windows\system32\20.tmp
2009-02-03 17:30 20,480 a------- c:\windows\system32\1E.tmp
2009-02-03 14:23 32,768 a---h--- c:\documents and settings\chan\tfqohts.exe
2009-02-03 13:21 32,768 a---h--- c:\documents and settings\chan\qiobb.exe
2009-02-03 13:20 32,768 a---h--- c:\documents and settings\chan\hwqfg.exe
2009-02-03 13:20 66,560 ----h--- c:\windows\system32\secupdat.dat
2009-02-03 12:09 0 a------- c:\windows\system32\1C.tmp
2009-02-03 10:24 0 a------- c:\windows\system32\2C.tmp
2009-02-03 09:56 1 a------- c:\windows\system32\uniq.tll
2009-02-02 15:10 0 a------- c:\windows\system32\40.tmp
2009-02-02 14:51 5 a------- c:\windows\_id.dat
2009-02-02 14:51 124 a------- c:\windows\adobe.bat
2009-02-01 14:46 221,184 a------- c:\windows\system32\wmpns.dll
2009-01-21 18:50 <DIR> --d----- c:\program files\common files\CyberLink
2009-01-21 18:49 29,480 a------- c:\windows\system32\msxml3a.dll
2009-01-21 16:25 285,184 a------- c:\windows\system32\drivers\tos_sps32.sys
2009-01-21 16:24 <DIR> --d----- C:\temp.hddvdplayer
2009-01-21 15:49 14 a------- c:\windows\system32\SystemInfo32.sys
2009-01-21 09:35 14,592 ac------ c:\windows\system32\dllcache\kbdhid.sys
2009-01-21 09:35 14,592 a------- c:\windows\system32\drivers\kbdhid.sys
2009-01-21 09:35 10,368 ac------ c:\windows\system32\dllcache\hidusb.sys
2009-01-21 09:35 10,368 a------- c:\windows\system32\drivers\hidusb.sys
2009-01-17 15:32 273 a------- c:\windows\cdplayer.ini
2009-01-09 18:08 <DIR> --d----- c:\program files\MSXML 4.0
2009-01-09 13:52 <DIR> --d----- c:\program files\common files\HP
2009-01-09 13:52 <DIR> --d----- c:\program files\common files\Hewlett-Packard
2009-01-09 13:50 118,272 a------- c:\windows\system32\hpz3l5mu.dll
2009-01-09 13:49 49,920 a------- c:\windows\system32\drivers\HPZid412.sys
2009-01-09 13:49 16,496 a------- c:\windows\system32\drivers\HPZipr12.sys
2009-01-09 13:49 271,704 a------- c:\windows\system32\hpzids01.dll
2009-01-09 13:49 1,373,528 a------- c:\windows\hpzshl01.exe
2009-01-09 13:49 1,140,056 a------- c:\windows\hpzmsi01.exe
2009-01-09 13:49 10,709 a------- c:\windows\hpwscr19.dat
2009-01-09 13:49 <DIR> --d----- c:\windows\yellowtail
2009-01-09 13:49 <DIR> --d----- c:\program files\HP
2009-01-09 13:49 25,856 ac------ c:\windows\system32\dllcache\usbprint.sys
2009-01-09 13:49 25,856 a------- c:\windows\system32\drivers\usbprint.sys
2009-01-09 13:47 176,495 a------- c:\windows\hpwins19.dat
2009-01-09 13:47 997 a------- c:\windows\hpwmdl19.dat
2009-01-09 13:32 21,568 a------- c:\windows\system32\drivers\HPZius12.sys
2009-01-09 13:32 15,104 ac------ c:\windows\system32\dllcache\usbscan.sys
2009-01-09 13:32 15,104 a------- c:\windows\system32\drivers\usbscan.sys
2009-01-09 13:29 32,128 ac------ c:\windows\system32\dllcache\usbccgp.sys
2009-01-09 13:29 32,128 a------- c:\windows\system32\drivers\usbccgp.sys
2009-01-09 09:04 <DIR> --d----- c:\program files\common files\xing shared
2009-01-09 09:04 <DIR> --d----- c:\program files\common files\Real
2009-01-07 14:35 77,878 ac------ c:\windows\system32\dllcache\imjpdadm.exe
2009-01-07 14:34 8,704 ac------ c:\windows\system32\dllcache\kbdjpn.dll
2009-01-07 14:34 8,192 ac------ c:\windows\system32\dllcache\kbdkor.dll
2009-01-07 14:34 6,144 ac------ c:\windows\system32\dllcache\kbd101c.dll
2009-01-07 14:34 5,632 ac------ c:\windows\system32\dllcache\kbd103.dll
2009-01-07 14:34 8,704 a------- c:\windows\system32\kbdjpn.dll
2009-01-07 14:34 8,192 a------- c:\windows\system32\kbdkor.dll
2009-01-07 14:34 6,144 a------- c:\windows\system32\kbd101c.dll
2009-01-07 14:34 5,632 a------- c:\windows\system32\kbd103.dll
2009-01-07 14:34 6,144 ac------ c:\windows\system32\dllcache\kbd101b.dll
2009-01-07 14:34 6,144 a------- c:\windows\system32\kbd101b.dll
2009-01-07 14:34 6,144 ac------ c:\windows\system32\dllcache\kbd106.dll
2009-01-07 14:34 6,144 a------- c:\windows\system32\kbd106.dll
2009-01-07 14:31 <DIR> --d----- c:\windows\system32\appmgmt
2009-01-07 14:26 <DIR> --d----- c:\docume~1\alluse~1\applic~1\avg8
2009-01-07 14:19 <DIR> --d----- c:\program files\common files\Macrovision Shared
2009-01-07 13:16 410,984 a------- c:\windows\system32\deploytk.dll
2009-01-07 13:16 73,728 a------- c:\windows\system32\javacpl.cpl
2009-01-07 13:16 376 a------- c:\windows\ODBC.INI
2009-01-07 13:16 17,920 a------- c:\windows\system32\mdimon.dll
2009-01-07 13:15 <DIR> --d----- c:\program files\Microsoft ActiveSync
2009-01-07 13:15 <DIR> --d----- c:\windows\SHELLNEW
2009-01-07 12:54 <DIR> --d----- c:\program files\Synaptics
2009-01-07 12:46 <DIR> --d----- c:\windows\pss
2009-01-07 12:33 <DIR> --d----- c:\docume~1\chan\applic~1\Windows Search
2009-01-07 12:22 <DIR> --d----- c:\docume~1\chan\applic~1\Windows Desktop Search
2009-01-07 12:22 <DIR> --d-h--- c:\windows\system32\GroupPolicy
2009-01-07 12:22 <DIR> --d----- c:\program files\Windows Desktop Search
2009-01-07 12:21 <DIR> --d----- c:\program files\Windows Media Connect 2
2009-01-07 12:21 <DIR> --d----- c:\windows\system32\LogFiles
2009-01-07 12:17 <DIR> --d----- c:\windows\system32\URTTemp
2009-01-07 11:57 172,032 a------- c:\windows\system32\igfxres.dll
2009-01-07 11:55 507,904 a------- c:\windows\system32\cselect.exe
2009-01-07 11:55 128,113 a------- c:\windows\system32\csellang.ini
2009-01-07 11:55 98,304 a------- c:\windows\system32\tosmreg.exe
2009-01-07 11:55 45,056 a------- c:\windows\system32\csellang.dll
2009-01-07 11:55 10,150 a------- c:\windows\system32\tosmreg.ini
2009-01-07 11:55 7,671 a------- c:\windows\system32\cseltbl.ini
2009-01-07 11:55 <DIR> --d----- c:\program files\ltmoh
2009-01-07 11:55 553 a------- c:\windows\USetup.iss
2009-01-07 11:55 69,632 a------- c:\windows\system32\ChCfg.exe
2009-01-07 11:54 <DIR> --d----- c:\program files\Realtek
2009-01-07 11:54 335,872 a------- c:\windows\HideWin.exe
2009-01-07 11:54 520,192 a------- c:\windows\RtlExUpd.dll
2009-01-07 11:53 <DIR> --d----- c:\windows\tiinst
2009-01-07 11:53 <DIR> --d----- c:\docume~1\chan\applic~1\WinBatch
2009-01-07 11:50 <DIR> --d----- c:\windows\system32\ReinstallBackups
2009-01-07 11:50 53,248 a------- c:\windows\system32\CSVer.dll
2009-01-07 11:50 <DIR> --d----- C:\Intel
2009-01-07 11:50 146,650 a------- c:\windows\system32\BuzzingBee.wav
2009-01-07 11:50 940,794 a------- c:\windows\system32\LoopyMusic.wav
2009-01-07 11:50 <DIR> --d----- c:\windows\system32\Lang
2009-01-07 11:48 <DIR> --d----- c:\windows\system32\SDA
2009-01-07 11:48 <DIR> --d----- c:\program files\TOSHIBA
2009-01-07 11:42 146,048 ac------ c:\windows\system32\dllcache\portcls.sys
2009-01-07 11:22 272,128 -c------ c:\windows\system32\dllcache\bthport.sys
2009-01-07 11:22 272,128 -------- c:\windows\system32\drivers\bthport.sys
2009-01-07 11:19 2,189,184 -c------ c:\windows\system32\dllcache\ntoskrnl.exe
2009-01-07 11:19 2,145,280 -c------ c:\windows\system32\dllcache\ntkrnlmp.exe
2009-01-07 11:19 2,066,048 -c------ c:\windows\system32\dllcache\ntkrnlpa.exe
2009-01-07 11:19 2,023,936 -c------ c:\windows\system32\dllcache\ntkrpamp.exe
2009-01-07 11:18 455,296 -c------ c:\windows\system32\dllcache\mrxsmb.sys
2009-01-07 11:11 23,856 a------- c:\windows\system32\spupdsvc.exe
2009-01-07 11:11 <DIR> --d----- c:\windows\system32\PreInstall
2009-01-07 11:11 <DIR> --d-h--- c:\windows\$hf_mig$
2009-01-07 11:10 <DIR> --dsh--- c:\documents and settings\chan\UserData
2009-01-07 11:09 2,838 a------- c:\windows\machine.ver
2009-01-07 11:09 <DIR> --d----- c:\windows\system32\SoftwareDistribution
2009-01-07 11:07 57,344 a------- c:\windows\system32\wsimd.sys
2009-01-07 11:07 57,344 a------- c:\windows\system32\drivers\wsimd.sys
2009-01-07 11:07 12,552 a------- c:\windows\system32\wsimdp.cat
2009-01-07 11:07 12,129 a------- c:\windows\system32\wsimd.cat
2009-01-07 11:07 5,361 a------- c:\windows\system32\wsimdp.inf
2009-01-07 11:07 2,179 a------- c:\windows\system32\wsimd.inf
2009-01-07 10:52 1,847,296 a------- c:\windows\SkyTel.exe
2009-01-07 10:52 1,212,416 a------- c:\windows\RtlUpd.exe
2009-01-07 10:52 282,624 a------- c:\windows\system32\RTSndMgr.cpl
2009-01-07 10:52 106,496 a------- c:\windows\SoundMan.exe
2009-01-07 10:52 9,734,144 a------- c:\windows\RTLCPL.exe
2009-01-07 10:52 4,632,576 a------- c:\windows\system32\drivers\RtkHDAud.sys
2009-01-07 10:52 16,877,568 a------- c:\windows\RTHDCPL.exe
2009-01-07 10:52 2,828,288 a------- c:\windows\alcwzrd.exe
2009-01-07 10:52 2,184,192 a------- c:\windows\MicCal.exe
2009-01-07 10:52 299,008 a------- c:\windows\system32\ALSndMgr.cpl
2009-01-07 10:52 90,112 a------- c:\windows\Alcmtr.exe
2009-01-07 09:47 50,752 -------- c:\windows\agrsmdel.exe
2009-01-07 09:35 <DIR> --d----- c:\program files\MultiRes
2009-01-07 09:35 451,072 a------- c:\windows\Radeon Omega Drivers v3.8.330 Uninstall.exe
2009-01-07 09:35 <DIR> --d----- c:\program files\Radeon Omega Drivers
2009-01-07 09:34 <DIR> --d----- c:\windows\OPTIONS
2009-01-07 09:32 547,904 a------- c:\windows\system32\drivers\ar5211.sys
2009-01-07 09:32 28,544 a------- c:\windows\system32\drivers\callistx.sys
2009-01-07 08:53 <DIR> --d----- c:\program files\Atheros
2009-01-07 08:53 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Atheros
2009-01-06 22:02 67 a------- c:\windows\swupdate.INI
2009-01-06 21:58 <DIR> --d----- C:\TOSHIBA
2009-01-06 21:56 <DIR> --d----- c:\documents and settings\Chan
2009-01-06 21:55 <DIR> --ds---- c:\windows\system32\Microsoft
2009-01-06 21:47 8,192 a------- c:\windows\REGLOCS.OLD
2009-01-06 21:45 58,368 ac------ c:\windows\system32\dllcache\msiregmv.exe
2009-01-06 21:44 45,568 ac------ c:\windows\system32\dllcache\browscap.dll
2009-01-06 21:43 <DIR> --dsh--- c:\documents and settings\all users\DRM
2009-01-06 21:43 488 a---hr-- c:\windows\system32\WindowsLogon.manifest
2009-01-06 21:43 488 a---hr-- c:\windows\system32\logonui.exe.manifest
2009-01-06 21:43 <DIR> --ds---- c:\windows\Downloaded Program Files
2009-01-06 21:43 <DIR> --d--r-- c:\windows\Offline Web Pages
2009-01-06 21:43 749 a---hr-- c:\windows\WindowsShell.Manifest
2009-01-06 21:43 749 a---hr-- c:\windows\system32\wuaucpl.cpl.manifest
2009-01-06 21:43 749 a---hr-- c:\windows\system32\sapi.cpl.manifest
2009-01-06 21:43 749 a---hr-- c:\windows\system32\nwc.cpl.manifest
2009-01-06 21:43 749 a---hr-- c:\windows\system32\ncpa.cpl.manifest
2009-01-06 21:43 749 a---hr-- c:\windows\system32\cdplayer.exe.manifest
2009-01-06 21:43 <DIR> --d-h--- c:\program files\WindowsUpdate
2009-01-06 21:42 <DIR> --d----- c:\program files\common files\MSSoap
2009-01-06 21:40 <DIR> --d----- c:\program files\Online Services
2009-01-06 21:40 <DIR> --d----- c:\program files\Messenger
2009-01-06 21:40 <DIR> --d----- c:\program files\MSN Gaming Zone
2009-01-06 21:39 <DIR> --d----- c:\program files\Windows NT

==================== Find3M ====================

2089-12-31 17:05 32,768 a---h--- c:\documents and settings\chan\ieffast.exe
2009-02-03 10:56 171,282 a------- c:\windows\pchealth\helpctr\config\cache\Professional_32_1033.dat
2009-02-03 09:57 142,848 a------- c:\windows\system32\userinit.exe
2009-01-21 18:49 505,128 a------- c:\windows\system32\msvcp71.dll
2009-01-21 18:49 353,576 a------- c:\windows\system32\msvcr71.dll
2009-01-14 16:11 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-14 16:11 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-01-07 09:52 86,327 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2009-01-06 21:41 21,640 a------- c:\windows\system32\emptyregdb.dat
2008-12-17 16:09 119,552 a------- c:\windows\system32\drivers\Rtenicxp.sys
2008-12-17 16:08 27,648 a------- c:\windows\system32\RtNicProp32.dll
2008-12-11 02:57 333,952 a------- c:\windows\system32\drivers\srv.sys

============= FINISH: 20:10:25.95 ===============
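An added example (mine, not part of the post or of the DDS tool): a small Python triage script over an excerpt of the log above that flags the three things a responder would check first, the explorer/system policy restrictions that lock out Task Manager, Registry Editor and Folder Options, hidden .exe/.scr files, and a file timestamp later than the log's run date. The rule set and the choice of excerpt are my own; the log lines themselves are copied from the post.

```python
import re
from datetime import date

# Excerpt of the DDS log posted above, reused here as a constructed test fixture.
SAMPLE_DDS = r"""
============== Pseudo HJT Report ===============

uStart Page = hxxp://www.msn.com
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
dPolicies-explorer: NoFolderOptions = 1 (0x1)
dPolicies-system: DisableTaskMgr = 1 (0x1)
dPolicies-system: DisableRegistryTools = 1 (0x1)
Notify: igfxcui - igfxdev.dll

=============== Created Last 30 ================

2009-02-05 09:31 5,376 a------- c:\windows\system32\antiwpa.dll
2009-02-03 14:23 32,768 a---h--- c:\documents and settings\chan\tfqohts.exe
2009-02-03 13:21 32,768 a---h--- c:\documents and settings\chan\qiobb.exe
2009-02-03 13:20 66,560 ----h--- c:\windows\system32\secupdat.dat
2009-02-02 14:51 124 a------- c:\windows\adobe.bat
2009-01-07 11:55 98,304 a------- c:\windows\system32\tosmreg.exe

==================== Find3M ====================

2089-12-31 17:05 32,768 a---h--- c:\documents and settings\chan\ieffast.exe
2009-02-03 09:57 142,848 a------- c:\windows\system32\userinit.exe
"""

SECTION_RE = re.compile(r"^=+\s*(.*?)\s*=+$")
# date time size(or <DIR>) 8-char attribute string path
FILE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2})\s+"
    r"(?P<size><DIR>|[\d,]+)\s+(?P<attrs>[a-z-]{8})\s+(?P<path>.+)$"
)
POLICY_RE = re.compile(r"^dPolicies-(?:explorer|system):\s*(?P<name>\w+)\s*=\s*1\b")
# Policies that lock the user out of the tools needed to inspect or repair the machine.
LOCKOUT_POLICIES = {"DisableTaskMgr", "DisableRegistryTools", "NoFolderOptions"}
EXEC_EXT = (".exe", ".scr")


def split_sections(text):
    """Group DDS log lines under their '=== Name ===' banner."""
    sections, current = {}, None
    for line in text.splitlines():
        m = SECTION_RE.match(line.strip())
        if m:
            current = m.group(1)
            sections[current] = []
        elif current is not None and line.strip():
            sections[current].append(line.rstrip())
    return sections


def parse_file_entry(line):
    """Turn one 'Created Last 30' / 'Find3M' line into a dict, or None if it is not one."""
    m = FILE_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["date"] = date.fromisoformat(entry["date"])
    entry["size"] = None if entry["size"] == "<DIR>" else int(entry["size"].replace(",", ""))
    entry["hidden"] = "h" in entry["attrs"]
    return entry


def triage(text, log_date):
    """Return (rule, line) findings; log_date is the run date from the DDS header (YYYY-MM-DD)."""
    cutoff = date.fromisoformat(log_date)
    findings = []
    sections = split_sections(text)
    for line in sections.get("Pseudo HJT Report", []):
        m = POLICY_RE.match(line)
        if m and m.group("name") in LOCKOUT_POLICIES:
            findings.append(("lockout-policy", line))
    for name in ("Created Last 30", "Find3M"):
        for line in sections.get(name, []):
            e = parse_file_entry(line)
            if e is None:
                continue
            if e["hidden"] and e["path"].lower().endswith(EXEC_EXT):
                findings.append(("hidden-executable", line))
            if e["date"] > cutoff:
                findings.append(("future-timestamp", line))
    return findings


if __name__ == "__main__":
    for rule, line in triage(SAMPLE_DDS, "2009-02-05"):
        print(f"{rule:18} {line}")
```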

#2 extremeboy

  • Malware Response Team
  • 12,975 posts
  • Gender:Male

Posted 14 February 2009 - 11:25 AM

Hello.

Seems a lot of users are having this very nasty infection, Virut.

Virut File Infector Warning
Your system is infected with a polymorphic file infector called Virut. Virut is capable of infecting all the machine's executable files (.exe) and screensaver files (.scr). However, the problem is that the virus has a number of bugs in its code, and as a result, it may misinfect a proportion of executable files and therefore, the files are corrupted beyond repair. As of now, security experts suggest that a clean reformat is the only way to clean the infection and it is the only way to return the machine to its normal working state.

Backup all your documents and important items (personal data, work documents, etc) only. DO NOT backup any executable files (software) and screensavers (*.scr). It attempts to infect any accessed .exe or .scr files by appending itself to the executable.

Also, try to avoid backing up compressed (zip/cab/rar) files that have .exe or .scr files inside them. Virut can penetrate and infect .exe files inside compressed files too.

Tell me what you wish to do.

With Regards,
Extremeboy
Note: Please do not PM me asking for help; instead, please post it in the correct forum requesting help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free, but if you wish to show your appreciation, you may wish to do so.

#3 disneeze

  • Topic Starter

  • Members
  • 4 posts

Posted 14 February 2009 - 01:01 PM

Thanks for the response extremeboy.

I had a feeling this was a serious infection...

I am going to backup my documents, photos and music and do a clean install.

Best Regards,

~ disneeze

#4 extremeboy

  • Malware Response Team
  • 12,975 posts
  • Gender:Male

Posted 14 February 2009 - 02:06 PM

Hello.

Good idea. Glad I could help. Also, after the reinstall, you may want to do a complete format if you wish, to be 100% secure.

Some prevention tips.

Preventing Infections in the Future

Please also have a look at the following links, giving some advice and tips to protect yourself against malware and reduce the potential for re-infection:
  • Avoid gaming sites, underground web pages, pirated software sites, and peer-to-peer (P2P) file sharing programs. They are a security risk which can make your computer susceptible to a smörgåsbord of malware infections, remote attacks, exposure of personal information, and identity theft. Many malicious worms and Trojans spread across P2P file sharing networks, gaming and underground sites. Users visiting such pages may see innocuous-looking banner ads containing code which can trigger pop-up ads and Flash ads that install viruses, Trojans and spyware. Ads are a target for hackers because they offer a stealthy way to distribute malware to a wide range of Internet users. The best way to reduce the risk of infection is to avoid these types of web sites and not use any P2P applications. Read P2P Software User Advisories and Risks of File-Sharing Technology.
Disable Autorun on Flash-Drive/Removable Drives

When is AUTORUN.INF really an AUTORUN.INF?

USB worms work by creating a file called AUTORUN.INF on the root of USB drives. These INF files then use Autorun or Autoplay (not the same thing!) to execute themselves either when the stick is inserted, or more commonly, when the user double-clicks on the USB drive icon from My Computer (Windows Explorer)...


Keeping Autorun enabled on USB and other removable drives has become a significant security risk due to the increasing number of malware variants that can infect them and transfer the infection to your computer. Read USB-Based Malware Attacks and Please disable Autorun asap!.

If using Windows Vista, please refer to:
"Disable AutoPlay in Windows Vista"
"Preventing AutoPlay with Local Group Policy Editor or AutoPlay options panel"

Note: When Autorun is disabled, double-clicking a drive which has autorun.inf in its root directory may still activate Autorun so be careful.

Visit the Windows Update Site Regularly

I recommend you regularly visit the Windows Update Site!
  • Lots of Hacking/Trojans use the methods found (plugged by the updates) that have not been stopped by people not updating.
  • By updating your machine, you have one less headache!
  • Update ALL Critical updates and any other Windows updates for services/programs that you use.
  • If you wish, you can also use automatic updates. This is a good thing to have if you want to be up-to-date all the time, but can also be a bit of an annoyance due to its handling and the sizes of the updates. If you wish to turn on automatic updates, here is a nice little article about turning on automatic updates.
  • Note that it will download them for you, but you still have to actually click install.
  • If you do not want to have automatic updates turned on, or are on dial-up, you can always download updates separately at: http://windowsupdate.microsoft.com.
Update Non-Microsoft Programs

It is also a good idea to check for the latest versions of commonly installed applications that are regularly patched to fix vulnerabilities. You can check these by visiting Secunia Software Inspector and Calendar of Updates.

Additional Security Programs

For a nice list of freeware programmes in all categories, please have a look at this thread with freeware products that are regarded as useful by the users of this forum: Commonly Used Freeware Replacements.

Update all programs regularly - Make sure you update all the programs you have installed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.

Follow this list and your potential for being infected again will reduce dramatically.
Finally, and definitely the MOST IMPORTANT step, click on the following tutorial and follow each step listed there:

Simple and easy ways to keep your computer safe and secure on the Internet


With Regards,
Extremeboy

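To make the quoted AUTORUN.INF warning concrete, here is an added example (mine, not from the post or any of the linked articles) that inspects an autorun.inf the way a defender checking a removable drive would: it parses the [autorun] section and reports which keys would launch a program, including the shell\verb\command entries that fire on a double-click even when insertion-time Autorun is off. Both inf contents are constructed for the example.

```python
import re

# Autorun.inf keys that cause a program to run: 'open' and 'shellexecute' run on insertion
# (Autorun) or from the AutoPlay dialog, while 'shell\<verb>\command' entries run when the
# drive icon is double-clicked or opened from its context menu, which is why the note above
# says a double-click can still trigger the file.
LAUNCH_KEYS = {"open", "shellexecute"}
VERB_COMMAND_RE = re.compile(r"^shell\\[^\\]+\\command$")

# Constructed inf contents for the example (not taken from any real sample).
BENIGN_INF = r"""
[AutoRun]
icon=photos.ico
label=Holiday photos
"""

WORM_STYLE_INF = r"""
[autorun]
; comment lines are ignored by the shell
open=hidden.exe
shell\open\Command=hidden.exe
shell\explore\command=hidden.exe
icon=%SystemRoot%\system32\shell32.dll,4
"""


def parse_autorun(text):
    """Return key/value pairs of the [autorun] section (keys lower-cased, ';' comments dropped)."""
    keys, in_autorun = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if in_autorun and "=" in line:
            key, value = line.split("=", 1)
            keys[key.strip().lower()] = value.strip()
    return keys


def launch_entries(text):
    """List (key, target) pairs that would execute something; empty means only icon/label are set."""
    return [
        (key, value)
        for key, value in parse_autorun(text).items()
        if key in LAUNCH_KEYS or VERB_COMMAND_RE.match(key)
    ]


if __name__ == "__main__":
    for name, inf in (("benign", BENIGN_INF), ("worm-style", WORM_STYLE_INF)):
        print(name, launch_entries(inf) or "no launch entries")
```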

#5 extremeboy

  • Malware Response Team
  • 12,975 posts
  • Gender:Male

Posted 14 February 2009 - 07:08 PM

Hello.

Since the problem appears to be resolved, this topic is now Closed.
If you need this topic reopened, please Send Me a Message. In your message please include the address of this thread in your request.

This applies only to the original topic starter.

Everyone else please start a new topic in the Hijackthis-Malware Removal Forum.

With Regards,
Extremeboy




