
W32/Virut.n


  • This topic is locked
2 replies to this topic

#1 shuz

shuz

  • Members
  • 3 posts
  • OFFLINE
  • Local time:08:27 AM

Posted 08 February 2009 - 01:59 PM

McAfee detected many forms of W32/Virut.n and removed all of them except for Explorer.exe, which appears to be legitimate. I also can't access my desktop because it closes it.
Any help would be appreciated.

Explorer.exe is in the normal C:\WINDOWS\Explorer.exe


DDS (Ver_09-02-01.01) - NTFSx86
Run by user1 at 12:49:53.75 on Sun 02/08/2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_07
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.366 [GMT -6:00]

AV: McAfee VirusScan Enterprise *On-access scanning disabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\McAfee\Common Framework\naPrdMgr.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Sprint music manager\MEMonitor.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Java\jre1.6.0_07\bin\jucheck.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\FlashOffliner\FlashOffliner.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\user1\Desktop\dds.scr

============== Pseudo HJT Report ===============

uSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uStart Page = hxxp://www.yahoo.com/
uSearch Page = hxxp://us.rd.yahoo.com/customize/ie/defaults/sp/msgr9/*http://www.yahoo.com
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mDefault_Page_URL = hxxp://www.yahoo.com/
mDefault_Search_URL = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
mSearch Page = hxxp://us.rd.yahoo.com/customize/ie/defaults/sp/msgr9/*http://www.yahoo.com
mStart Page = hxxp://www.yahoo.com/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
mSearchAssistant = hxxp://www.google.com/ie
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
BHO: NoExplorer - No File
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar2.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [Messenger (Yahoo!)] "c:\program files\yahoo!\messenger\YahooMessenger.exe" -quiet
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"
mRun: [SynTPLpr] c:\program files\synaptics\syntp\SynTPLpr.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe
mRun: [ShStatEXE] "c:\program files\mcafee\virusscan enterprise\SHSTAT.EXE" /STANDALONE
mRun: [McAfeeUpdaterUI] "c:\program files\mcafee\common framework\UdaterUI.exe" /StartedFromRunKey
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.6.0_07\bin\jusched.exe"
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [IMEKRMIG6.1] c:\windows\ime\imkr6_1\IMEKRMIG.EXE
mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [jsf8uiw3jnjgffght] c:\windows\temp\winlognn.exe
dRun: [jsf8uiw3jnjgffght] c:\windows\temp\winlognn.exe
dRun: [tezrtsjhfr84iusjfo84f] c:\windows\temp\csrssc.exe
StartupFolder: c:\docume~1\user1\startm~1\programs\startup\memoni~1.lnk - c:\program files\sprint music manager\MEMonitor.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
dPolicies-explorer: NoFolderOptions = 1 (0x1)
dPolicies-system: DisableRegistryTools = 1 (0x1)
IE: Download &Flash Movies - c:\program files\flash2x\flash hunter\save.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
Trusted Zone: internet
Trusted Zone: mcafee.com
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://go.microsoft.com/fwlink/?linkid=58813
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6662.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1106528745343
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1205011783781
DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} - hxxp://www.nick.com/common/groove/gx/GrooveAX27.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} - hxxp://office.microsoft.com/officeupdate/content/opuc4.cab
DPF: {CAFEEFAC-0014-0002-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0012-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_12-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} - hxxp://a532.g.akamai.net/f/532/6712/5m/virtools.download.akamai.com/6712/player/install/installer.exe
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: AtiExtEvent - Ati2evxx.dll
AppInit_DLLs: ftzloe.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
LSA: Authentication Packages = msv1_0 c:\windows\system32\aWoOFvtT

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\user1\applic~1\mozilla\firefox\profiles\ahnkdw7c.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-msgr&p=
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-msgr&p=
FF - plugin: c:\program files\mozilla firefox\plugins\npcnc32.dll
FF - plugin: c:\windows\system32\clickteam\vitalize\v4\npcnc32.dll
FF - HiddenExtension: XUL Cache: {7BC3CF96-93F0-4F5E-A852-5BA3606AFF36} - c:\documents and settings\shu\local settings\application data\{7BC3CF96-93F0-4F5E-A852-5BA3606AFF36}

============= SERVICES / DRIVERS ===============

R1 mferkdk;VSCore mferkdk;c:\program files\mcafee\virusscan enterprise\mferkdk.sys [2006-11-30 31944]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-1-15 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-1-15 55024]
R2 McAfeeFramework;McAfee Framework Service;c:\program files\mcafee\common framework\FrameworkService.exe [2008-2-15 104000]
R2 McTaskManager;McAfee Task Manager;c:\program files\mcafee\virusscan enterprise\VsTskMgr.exe [2007-2-22 54872]
R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-1-15 7408]
S3 mfeavfk;McAfee Inc.;c:\windows\system32\drivers\mfeavfk.sys [2008-2-15 72264]
S3 mfebopk;McAfee Inc.;c:\windows\system32\drivers\mfebopk.sys [2008-2-15 34152]
S3 mfehidk;McAfee Inc.;c:\windows\system32\drivers\mfehidk.sys [2008-2-15 170408]

=============== Created Last 30 ================

2009-02-06 18:25 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SecTaskMan
2009-02-06 18:25 <DIR> --d----- c:\program files\Security Task Manager
2009-02-06 16:49 <DIR> --d----- c:\docume~1\user1\applic~1\McAfee
2009-02-06 12:08 54,156 a---h--- c:\windows\QTFont.qfn
2009-02-06 10:30 <DIR> --d----- c:\docume~1\user1\applic~1\Malwarebytes
2009-02-06 10:30 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-02-06 10:30 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-06 10:30 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-02-06 10:30 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-02-05 14:11 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-02-05 14:11 <DIR> --d----- c:\program files\SUPERAntiSpyware
2009-02-05 14:11 <DIR> --d----- c:\docume~1\user1\applic~1\SUPERAntiSpyware.com
2009-02-05 13:51 <DIR> --d----- c:\program files\common files\Wise Installation Wizard
2009-02-05 13:45 <DIR> --d----- c:\program files\Unlocker
2009-02-05 13:16 <DIR> --d----- c:\documents and settings\user1\DoctorWeb
2009-02-04 20:16 <DIR> --d----- c:\program files\FreeCommander
2009-02-03 15:57 0 a------- c:\windows\system32\18.tmp
2009-02-01 13:26 48,166 a--sh--- c:\windows\system32\TtvFOoWa.ini2
2009-02-01 13:26 48,166 a--sh--- c:\windows\system32\TtvFOoWa.ini
2009-01-31 13:36 <DIR> --d----- c:\program files\Yahoo!
2009-01-29 15:48 <DIR> --d----- c:\docume~1\user1\applic~1\NCH Software
2009-01-29 15:48 <DIR> --d----- c:\program files\NCH Swift Sound
2009-01-29 15:48 <DIR> --d----- c:\program files\NCH Software
2009-01-24 14:44 <DIR> --d----- c:\program files\FlashOffliner
2009-01-21 18:50 <DIR> --d----- c:\program files\Audible
2009-01-15 19:43 <DIR> --d----- c:\program files\Safer Networking
2009-01-15 19:37 <DIR> --d----- c:\windows\pss
2009-01-13 20:45 25,856 ac------ c:\windows\system32\dllcache\usbprint.sys
2009-01-13 20:45 25,856 a------- c:\windows\system32\drivers\usbprint.sys
2009-01-10 22:03 28 a------- c:\windows\AdvConfig.ini
2009-01-10 22:03 <DIR> --d----- c:\docume~1\user1\applic~1\Kingsoft
2009-01-10 22:00 <DIR> --d----- c:\program files\Kingsoft
2009-01-10 22:00 <DIR> --d----- c:\program files\common files\Kingsoft

==================== Find3M ====================

2009-02-08 10:18 34 a------- c:\documents and settings\user1\jagex_runescape_preferences.dat
2009-02-06 19:50 135,680 a------- c:\windows\system32\taskmgr.exe
2009-02-06 14:46 169,984 a------- c:\windows\pchealth\helpctr\binaries\msconfig.exe
2009-02-06 14:46 18,432 a------- c:\windows\pchealth\helpctr\binaries\hscupd.exe
2009-02-06 14:46 744,448 a------- c:\windows\pchealth\helpctr\binaries\helpsvc.exe
2009-02-06 14:46 769,024 a------- c:\windows\pchealth\helpctr\binaries\helpctr.exe
2009-02-06 13:58 283,633 a------- c:\windows\winhlp32.exe
2009-02-06 13:58 1,658,880 a------- c:\windows\UNNeroBurnRights.exe
2009-02-06 13:58 1,658,880 a------- c:\windows\UNMRW.exe
2009-02-06 13:56 28,680 a------- c:\windows\slrundll.exe
2009-02-06 13:56 146,432 a------- c:\windows\regedit.exe
2009-02-06 13:53 306,688 a------- c:\windows\IsUninst.exe
2009-02-06 13:52 10,752 a------- c:\windows\hh.exe
2009-02-06 13:05 289,792 a------- c:\windows\system32\vssvc.exe
2009-02-06 13:05 28,657 a------- c:\windows\system32\verclsid.exe
2009-02-06 13:05 347,136 a------- c:\windows\system32\tourstart.exe
2009-02-06 13:05 45,056 a------- c:\windows\system32\shmgrate.exe
2009-02-06 13:05 11,776 a------- c:\windows\system32\regsvr32.exe
2009-02-06 13:05 69,632 a------- c:\windows\system32\odbcconf.exe
2009-02-06 13:03 55,808 a------- c:\windows\system32\ipconfig.exe
2009-02-06 13:02 19,968 a------- c:\windows\system32\cacls.exe
2009-02-06 13:02 142,848 a------- c:\windows\system32\bootcfg.exe
2009-02-06 13:02 71,680 a------- c:\windows\system32\blastcln.exe
2009-02-06 13:02 14,336 a------- c:\windows\system32\auditusr.exe
2009-02-06 13:02 12,288 a------- c:\windows\system32\attrib.exe
2009-02-06 13:02 11,264 a------- c:\windows\system32\atmadm.exe
2009-02-06 13:02 25,088 a------- c:\windows\system32\Ati2mdxx.exe
2009-02-06 13:02 32,768 a------- c:\windows\system32\asr_pfu.exe
2009-02-06 13:02 30,208 a------- c:\windows\system32\asr_fmt.exe
2009-02-06 13:02 25,088 a------- c:\windows\system32\at.exe
2009-02-06 13:02 184,320 a------- c:\windows\system32\accwiz.exe
2009-02-06 12:58 150,513 a------- c:\windows\pchealth\uploadlb\binaries\uploadm.exe
2008-12-11 04:57 333,952 a------- c:\windows\system32\drivers\srv.sys

============= FINISH: 12:50:21.76 ===============



#2 sundavis

sundavis

  • Malware Response Team
  • 2,708 posts
  • OFFLINE
  • Gender:Not Telling
  • Local time:07:27 AM

Posted 17 February 2009 - 10:30 AM

Hi,

Welcome to BleepingComputer HijackThis Logs and Malware Removal, shuz. :thumbup2:
My name is sundavis, and I will be helping you to deal with your malware problems today.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up.
In the meantime, please refrain from making any changes to your computer, and please do the following:

Step1
  • Download random's system information tool (RSIT) by random/random from here and save it to your desktop.
  • Double click on RSIT.exe to run RSIT.
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open. Please post the contents of both log.txt (<< will be maximized) and info.txt (<< will be minimized).
In your next reply, please post back:

1. RSIT log.txt and info.txt. Thanks.

#3 teacup61

teacup61

Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:07:27 AM

Posted 27 February 2009 - 05:27 AM

Due to the lack of feedback this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team a PM with the address of the thread. This applies only to the original topic starter.

Everyone else, please begin a New Topic.
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!
