
all system and user processes being treated as viruses


  • This topic is locked
5 replies to this topic

#1 jhenault

Posted 15 February 2009 - 06:12 PM

All my SYSTEM, NETWORK, and user processes are being seen as viruses by my adware (Ad-Aware), virus (AVG 8), and malware (MBAB) removal programs. If I heal them, nothing works; if I let it be, the computer restarts and fails all the time and is running slowly. I also noticed several processes are duplicating, and sometimes when I start up, there is no user/system distinction in Task Manager. I ran a HijackThis log; I heard this forum is great about offering help.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:33:10 PM, on 2/15/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\WINDOWS\System32\reader_s.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\Joshua\reader_s.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\PROGRA~1\MICROS~3\Office12\OUTLOOK.EXE
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Program Files\AVG\AVG8\avgui.exe
C:\Program Files\AVG\AVG8\avgscanx.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.facebook.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\Documents and Settings\Joshua\ske.exe \s
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKLM\..\Run: [reader_s] C:\WINDOWS\System32\reader_s.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [reader_s] C:\Documents and Settings\Joshua\reader_s.exe
O4 - HKUS\S-1-5-18\..\Run: [reader_s] C:\Documents and Settings\Joshua\reader_s.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [nttzhcen.exe] C:\WINDOWS\nttzhcen.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [fprimnze.exe] C:\WINDOWS\fprimnze.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [hdicntwe.exe] C:\WINDOWS\hdicntwe.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [reader_s] C:\Documents and Settings\Joshua\reader_s.exe (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1234423536502
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS

--
End of file - 6595 bytes


#2 maranatha

  • Malware Response Team

Posted 15 February 2009 - 08:13 PM

Hi jhenault
Welcome to Bleeping Computer.
I'm maranatha and I will be handling your log to help you get cleaned up. I am a student here at BC, so all my posts will be checked by one of our experts, and there may be a slight delay between posts.

Please do this.

Download DDS and save it to your desktop from here or here or here.
Disable any script blocker, and then double click dds.scr to run the tool.
When done, DDS will open two (2) logs:
  • DDS.txt
  • Attach.txt
Save both reports to your desktop and post the contents of the DDS.txt log. Save the other report in case I need to look at it later.

Thanks
maranatha

Windows7 Professional 64 Bit

 

I'm going in the wrong direction to be in a hurry!


unite_mo.jpg


My help is always free, But I do accept donations.
Donate Here


#3 jhenault (Topic Starter)

Posted 16 February 2009 - 12:28 AM

DDS (Ver_09-02-01.01) - NTFSx86
Run by Joshua at 21:27:16.78 on Sun 02/15/2009
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2815.2340 [GMT -8:00]


============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
svchost.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Microsoft LifeCam\MSCamS32.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\vVX1000.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Joshua\Desktop\dds.scr

============== Pseudo HJT Report ===============

uSearch Bar = hxxp://www.google.com/ie
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [SoundMAX] "c:\program files\analog devices\soundmax\Smax4.exe" /tray
mRun: [StartCCC] c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe
mRun: [LifeCam] "c:\program files\microsoft lifecam\LifeExp.exe"
mRun: [VX1000] c:\windows\vVX1000.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============

R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
S2 spupdsvc;Windows Service Pack Installer update service;c:\windows\system32\spupdsvc.exe [2006-6-18 22752]

=============== Created Last 30 ================

2009-02-15 21:21 <DIR> --d----- c:\documents and settings\joshua\Tracing
2009-02-15 21:21 <DIR> --d----- c:\program files\Microsoft
2009-02-15 21:21 <DIR> --d----- c:\program files\Windows Live SkyDrive
2009-02-15 21:18 <DIR> --d----- c:\program files\common files\Windows Live
2009-02-15 21:13 90,624 ac------ c:\windows\system32\dllcache\kswdmcap.ax
2009-02-15 21:13 61,952 ac------ c:\windows\system32\dllcache\kstvtune.ax
2009-02-15 21:13 53,760 ac------ c:\windows\system32\dllcache\vfwwdm32.dll
2009-02-15 21:13 43,008 ac------ c:\windows\system32\dllcache\ksxbar.ax
2009-02-15 21:13 28,672 ac------ c:\windows\system32\dllcache\vidcap.ax
2009-02-15 21:13 90,624 a------- c:\windows\system32\kswdmcap.ax
2009-02-15 21:13 61,952 a------- c:\windows\system32\kstvtune.ax
2009-02-15 21:13 53,760 a------- c:\windows\system32\vfwwdm32.dll
2009-02-15 21:13 43,008 a------- c:\windows\system32\ksxbar.ax
2009-02-15 21:13 28,672 a------- c:\windows\system32\vidcap.ax
2009-02-15 21:11 1,966,312 a------- c:\windows\system32\drivers\VX1000.sys
2009-02-15 21:11 709,992 a------- c:\windows\vVX1000.exe
2009-02-15 21:11 476,520 a------- c:\windows\vVX1000.dll
2009-02-15 21:11 202,088 a------- c:\windows\system32\LCCoin14.dll
2009-02-15 21:11 185,704 a------- c:\windows\system32\cVX1000.dll
2009-02-15 21:11 111,976 a------- c:\windows\VX1000.dll
2009-02-15 21:11 15,498 a------- c:\windows\VX1000.ini
2009-02-15 21:11 13,023 a------- c:\windows\VX1000.src
2009-02-15 21:10 <DIR> --d----- c:\program files\Microsoft LifeCam
2009-02-15 21:07 12,740 a------- c:\windows\system32\wpa.bak
2009-02-15 20:57 <DIR> --d----- c:\program files\common files\ATI Technologies
2009-02-15 20:51 520,192 -------- c:\windows\system32\ati2sgag.exe
2009-02-15 20:51 <DIR> --d----- c:\program files\ATI Technologies
2009-02-15 20:50 <DIR> --d----- C:\AMD
2009-02-15 20:49 <DIR> --d----- c:\windows\system32\CatRoot_bak
2009-02-15 20:47 <DIR> --d----- c:\windows\system32\PreInstall
2009-02-15 20:46 <DIR> --d----- c:\windows\system32\drivers\system32
2009-02-15 20:46 <DIR> --d----- c:\windows\system32\drivers\INF
2009-02-15 20:43 <DIR> --d----- c:\windows\system32\SoftwareDistribution
2009-02-15 19:42 83,200 a----r-- c:\windows\system32\drivers\Rtenicxp.sys
2009-02-15 19:42 <DIR> --d----- c:\program files\Realtek
2009-02-15 19:41 <DIR> --d----- c:\program files\Analog Devices
2009-02-15 19:39 5,810 a----r-- c:\windows\system32\drivers\ASACPI.sys
2009-02-15 19:39 15,196 a------- c:\windows\Ascd_tmp.ini
2009-02-15 19:39 10,288 a------- c:\windows\system32\drivers\ASUSHWIO.SYS
2009-02-15 19:37 <DIR> --d----- C:\SYSPREP
2009-02-15 19:37 <DIR> --d----- c:\documents and settings\joshua\WINDOWS
2009-02-15 19:37 <DIR> --d----- c:\documents and settings\Joshua
2009-02-15 19:35 8,192 a------- c:\windows\REGLOCS.OLD
2009-02-15 19:33 333 a------- c:\windows\system32\$ncsp$.inf
2009-02-15 19:32 <DIR> --d----- c:\windows\system32\ReinstallBackups
2009-02-15 19:32 2 a------- C:\REQUEST_OEMRESET_ENDUSER
2009-02-15 19:32 2 ---shr-- C:\USER
2009-02-15 19:27 60 a------- c:\windows\system32\SYSDRV.DAT
2009-02-15 19:22 13,824 a------- c:\windows\system32\wowfaxui.dll
2009-02-15 19:22 3,200 a------- c:\windows\system32\wowfax.dll
2009-02-15 19:22 23,552 ac------ c:\windows\system32\dllcache\wdmaud.drv
2009-02-15 19:22 23,552 a------- c:\windows\system32\wdmaud.drv
2009-02-15 19:20 72,192 a------- c:\windows\system32\sprio800.dll
2009-02-15 19:19 12,416 a------- c:\windows\system32\drivers\tunmp.sys
2009-02-15 19:18 707 a------- c:\windows\_default.pif
2009-02-15 19:17 145,408 a------- c:\windows\system32\wiavusd.dll
2009-02-15 19:16 562,176 a------- c:\windows\system32\qedit.dll
2009-02-15 19:15 552,989 a------- c:\windows\system32\msrepl40.dll
2009-02-15 19:13 360,448 a------- c:\windows\system32\l3codecp.acm
2009-02-15 19:12 212,480 a------- c:\windows\system32\dpvoice.dll
2009-02-15 19:11 136,704 a------- c:\windows\system32\bootcfg.exe
2009-02-06 18:52 49,504 a------- c:\windows\system32\sirenacm.dll

==================== Find3M ====================

2006-06-22 22:48 32,768 a----r-- c:\windows\inf\UpdateUSB.exe

============= FINISH: 21:27:33.15 ===============

#4 maranatha

  • Malware Response Team

Posted 16 February 2009 - 01:24 AM

Hi
Please do this so I have a better look at your system files.

Please do an online scan with Kaspersky WebScanner

It's best to disable real time protection applications as they sometimes interfere with the scan.
Check this link for any applicable programs you may have.

Click on “Accept” if your pop-up blocker blocks any windows from opening.

Click Run on the window that opens.
Windows Vista users: you must open the web browser using the Run as Administrator command.
  • The program will launch and then begin downloading the latest definition files.
  • Under Scan on the left side, click on My Computer.
  • This will start the program and scan your system.
  • Click the “Scan Report” on the left side.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
  • Click the Save Report As button, and in the Browse dialog box, type a name for the scan report file that you want to create and select its type as Text file. Click OK to save the file.
  • Save the text file to your desktop.
  • Copy and paste that information in your next post.
Please post the Kaspersky results.

Thanks
maranatha



#5 maranatha

  • Malware Response Team

Posted 20 February 2009 - 12:59 AM

Hi
Please respond to this post if you still require help.

It will be closed in two days if there is no response.

Thanks
maranatha



#6 Shaba

Posted 22 February 2009 - 12:53 PM

Due to the lack of feedback this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team
a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.
Microsoft MVP Consumer Security