Infected with god knows what!

#1 Beedab


Posted 23 February 2009 - 04:05 PM


I am fairly new to this but will attempt an explanation of the problems.

I believe I have a virus I may have picked up off a streaming website (never again!)

To begin with it really messed my PC up - it started running really slowly, and after using Spybot to try and remove some spyware it ended up in a cycle where it would continually restart itself. Also, out of nowhere it started asking me to log into Windows even though I never used to - luckily the password was blank.

So because I couldn't actually get into the computer because it kept restarting, I decided to use my PC recovery tool. I think this re-installs Windows - my hard drive is partitioned so this didn't erase my whole hard drive.

This appeared to work to begin with. I then installed AVG and Spybot again in the hope this would immunise my PC.

Obviously this hasn't worked.

Although I can go on the internet it runs very slowly, and I am wary of using online banking and websites which reveal personal information.

I have followed the steps suggested before posting a HijackThis script. I believe my firewall is enabled, but it wasn't quite the same process as described so maybe not.

AVG keeps bringing up a multitude of messages such as the following:

Virus found Win32/Heur - Object is in whitelist

- this is the most common message

So I guess my next step is to post my log file and beg for help!

I would be indebted to anyone who could help me with this problem!


DDS (Ver_09-02-01.01) - NTFSx86
Run by Compaq_Owner at 20:51:17.09 on 23/02/2009
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Home Edition 5.1.2600.2.1252.44.1033.18.959.344 [GMT 0:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
C:\Program Files\Micronet SP907GK Wireless Network Utility\RtWLan.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
svchost.exe C:\WINDOWS\TEMP\VRT2.tmp
C:\Documents and Settings\Compaq_Owner.YOUR-447023AE6B\reader_s.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Compaq_Owner.YOUR-447023AE6B\Desktop\dds.scr

============== Pseudo HJT Report ===============

mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\windows\system32\twex.exe,c:\windows\system32\7z.exe,c:\windows\system32\gcc.exe,
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: : {a974ca32-824f-4f6e-b1e4-ad0bde6b45d5} - c:\windows\system32\bgeldub.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar1.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar1.dll
uRun: [reader_s] c:\documents and settings\compaq_owner.your-447023ae6b\reader_s.exe
mRun: [SunJavaUpdateSched] c:\program files\java\jre1.5.0_05\bin\jusched.exe
mRun: [hpsysdrv] c:\windows\system\hpsysdrv.exe
mRun: [Alcmtr] ALCMTR.EXE
mRun: [ATIPTA] "c:\program files\ati technologies\ati control panel\atiptaxx.exe"
mRun: [KBD] c:\hp\kbd\KBD.EXE
mRun: [Recguard] c:\windows\sminst\RECGUARD.EXE
mRun: [PCDrProfiler]
mRun: [PS2] c:\windows\system32\ps2.exe
mRun: [HP Software Update] c:\program files\hp\hp software update\HPwuSchd2.exe
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [reader_s] c:\windows\system32\reader_s.exe
mRun: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
dRun: [reader_s] c:\documents and settings\compaq_owner.your-447023ae6b\reader_s.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micron~1.lnk - c:\program files\micronet sp907gk wireless network utility\RtWLan.exe
IE: &Google Search - c:\program files\google\GoogleToolbar1.dll/cmsearch.html
IE: &Translate English Word - c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
IE: Backward Links - c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
IE: Cached Snapshot of Page - c:\program files\google\GoogleToolbar1.dll/cmcache.html
IE: Similar Pages - c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
IE: Translate Page into English - c:\program files\google\GoogleToolbar1.dll/cmtrans.html
IE: {E2D4D26B-0180-43a4-B05F-462D6D54C789} - c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\iebutton\support.htm
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0005-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_05\bin\npjpi150_05.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_05-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_05-windows-i586.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: etbkudma - bgeldub.dll

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-2-22 325128]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-2-22 27656]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-2-22 107272]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2009-2-22 903960]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-2-22 298264]
R2 EAPPkt;Realtek EAPPkt Protocol;c:\windows\system32\drivers\EAPPkt.sys [2008-7-31 38144]
R2 pyaktqdt;Microcode Update Monitor;c:\windows\system32\svchost.exe -k netsvcs [2007-10-27 14336]
R3 RTL8187B;Realtek RTL8187B Wireless 802.11g 54Mbps USB 2.0 Network Adapter;c:\windows\system32\drivers\rtl8187B.sys [2009-2-22 238976]
S3 restore;restore;\??\c:\windows\system32\drivers\restore.sys --> c:\windows\system32\drivers\restore.sys [?]

=============== Created Last 30 ================

2009-02-23 20:25 <DIR> --d----- c:\program files\Trend Micro
2009-02-23 20:06 67,585 a------- c:\windows\system32\1A.tmp
2009-02-23 20:06 25,601 a------- c:\windows\system32\19.tmp
2009-02-23 20:03 161,792 a------- c:\windows\system32\7.tmp
2009-02-23 20:03 168 a------- c:\windows\system32\3.tmp
2009-02-23 19:58 67,585 a------- c:\windows\system32\F.tmp
2009-02-23 19:58 47,104 a------- c:\documents and settings\compaq_owner.your-447023ae6b\reader_s.exe
2009-02-23 19:58 30,208 a------- c:\windows\system32\reader_s.exe
2009-02-23 19:58 25,601 a------- c:\windows\system32\E.tmp
2009-02-23 19:55 168 a------- c:\windows\system32\4.tmp
2009-02-22 22:27 <DIR> --d----- c:\docume~1\compaq~1.you\applic~1\uTorrent
2009-02-22 22:15 10,520 a------- c:\windows\system32\avgrsstx.dll
2009-02-22 22:15 107,272 a------- c:\windows\system32\drivers\avgtdix.sys
2009-02-22 22:15 325,128 a------- c:\windows\system32\drivers\avgldx86.sys
2009-02-22 22:15 <DIR> --d----- c:\windows\system32\drivers\Avg
2009-02-22 22:11 <DIR> --dsh--- c:\windows\system32\twain32
2009-02-22 22:11 79,360 a------- c:\windows\system32\38.tmp
2009-02-22 22:10 1 a------- c:\windows\system32\37.tmp
2009-02-22 22:10 84 a------- c:\windows\system32\36.tmp
2009-02-22 22:10 <DIR> --d----- c:\windows\system32\SoftwareDistribution
2009-02-22 22:06 21,035 a------- c:\windows\system32\drivers\AegisP.sys
2009-02-22 22:06 238,976 -----r-- c:\windows\system32\drivers\rtl8187B.sys
2009-02-22 22:06 <DIR> --d----- c:\windows\system32\Micronet SP907GK Wireless Network Utility
2009-02-22 21:59 <DIR> --dshr-- C:\cmdcons
2009-02-22 21:27 221,184 a------- c:\windows\system32\wmpns.dll
2009-02-22 21:27 1,880 a--shr-- c:\windows\system32\drivers\103C_HP_CPC_EP155AA-ABU SR1739UK GB610_YC_0Pres_QCZX611_E61GBheRED1_48_IAsterope_SHewleet-Packard_V1.0_B3.07_T060127_WXH2_L409_M960_J80_7Intel_8Pentium 4_92.93_#071026_N10EC8139_Z_G10025A61_OPIONEER DVD-RW DVR-116D.MRK
2009-02-22 20:55 <DIR> --d----- c:\documents and settings\compaq_owner.your-447023ae6b\WINDOWS
2009-02-22 20:55 <DIR> --d----- c:\docume~1\compaq~1.you\applic~1\Symantec
2009-02-22 20:55 <DIR> --d----- c:\documents and settings\Compaq_Owner.YOUR-447023AE6B
2009-02-22 16:46 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2009-02-22 16:46 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2009-02-22 16:45 <DIR> --d----- c:\windows\pss
2009-02-22 11:18 56,321 a------- c:\windows\services.ex_
2009-02-22 00:55 <DIR> --d-h--- C:\$AVG8.VAULT$
2009-02-22 00:49 <DIR> --d----- c:\program files\AVG
2009-02-22 00:49 <DIR> --d----- c:\docume~1\alluse~1\applic~1\avg8
2009-02-08 20:26 <DIR> --d----- c:\program files\TallStick
2009-02-03 19:18 <DIR> --d----- c:\program files\Roland

==================== Find3M ====================

2009-02-23 19:58 182,912 a------- c:\windows\system32\drivers\ndis.sys
2009-02-23 19:58 182,912 a------- c:\windows\system32\dllcache\ndis.sys
2009-02-22 20:24 90,112 a------- c:\windows\DUMP7b69.tmp

============= FINISH: 20:52:00.81 ===============
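The indicators in the log above (a Userinit value with extra executables appended after userinit.exe, a BHO with no name pointing at a DLL in system32, the same DLL registered as both a BHO and a Winlogon Notify package, the same reader_s name registered under uRun, mRun and dRun, an svchost instance that was started with a file from TEMP instead of a "-k" service group, and an .exe sitting directly in the profile root) can be pulled out of a DDS log mechanically. The Python script below is an added example for this thread, not part of the original post and not code from DDS or HijackThis. The sample log is a constructed excerpt modelled on the posted log, and the heuristics (the expected Userinit value, the "profile root" path pattern and the svchost "-k group" convention) are assumptions made here about a default Windows XP install, so treat the output as a list of things to look at, not as verdicts.

```python
"""Triage helper for the 'Running Processes' and 'Pseudo HJT Report' sections
of a DDS log. Added example for this thread; it is not DDS, HijackThis or any
other tool mentioned in the thread, and its heuristics are assumptions."""
import re
from collections import defaultdict

# Constructed sample in the DDS layout, modelled on the log posted above,
# with one benign entry per category for contrast.
SAMPLE_LOG = r"""
============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe C:\WINDOWS\TEMP\VRT2.tmp
C:\Documents and Settings\Compaq_Owner.YOUR-447023AE6B\reader_s.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe

============== Pseudo HJT Report ===============

mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\windows\system32\twex.exe,c:\windows\system32\7z.exe,c:\windows\system32\gcc.exe,
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: : {a974ca32-824f-4f6e-b1e4-ad0bde6b45d5} - c:\windows\system32\bgeldub.dll
uRun: [reader_s] c:\documents and settings\compaq_owner.your-447023ae6b\reader_s.exe
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [reader_s] c:\windows\system32\reader_s.exe
dRun: [reader_s] c:\documents and settings\compaq_owner.your-447023ae6b\reader_s.exe
Notify: AtiExtEvent - Ati2evxx.dll
Notify: etbkudma - bgeldub.dll
"""

# Assumption: on a default XP install the Userinit value names only userinit.exe.
EXPECTED_USERINIT = r"c:\windows\system32\userinit.exe"
HEADER_RE = re.compile(r"^=+\s*(.+?)\s*=+$")
RUN_RE = re.compile(r"^([umd]Run): \[([^\]]*)\]\s*(.*)$")
BHO_RE = re.compile(r"^BHO: (.*?): \{[0-9a-fA-F-]+\} - (.*)$")
NOTIFY_RE = re.compile(r"^Notify: (\S+) - (\S+)$")
SVCHOST_RE = re.compile(r"^(?:.*\\)?svchost(?:\.exe)?\s*(.*)$", re.I)
# Assumption: a legitimate program lives under Program Files / Windows / Application Data,
# not directly in the root of a user profile.
PROFILE_ROOT_EXE_RE = re.compile(r"^c:\\documents and settings\\[^\\]+\\[^\\]+\.exe$", re.I)


def basename(path):
    return path.strip().lower().rsplit("\\", 1)[-1]


def parse_sections(text):
    """Split a DDS log into {section name: [non-empty lines]} on its '==== Name ====' headers."""
    sections = defaultdict(list)
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER_RE.match(line)
        if m:
            current = m.group(1)
        elif current and line:
            sections[current].append(line)
    return sections


def triage(text):
    """Return {indicator: [details]} for log entries that warrant a closer look."""
    sections = parse_sections(text)
    hits = defaultdict(list)

    for line in sections.get("Running Processes", []):
        m = SVCHOST_RE.match(line)
        # svchost normally carries only '-k <group>'; anything else is worth a look
        if m and not re.fullmatch(r"(-k \S+)?", m.group(1).strip()):
            hits["svchost_unexpected_args"].append(line)
        if PROFILE_ROOT_EXE_RE.match(line):
            hits["exe_in_profile_root"].append(line)

    runs_by_name = defaultdict(set)  # exe basename -> hives (uRun/mRun/dRun) it is registered in
    bho_dlls, notify_dlls = set(), []
    for line in sections.get("Pseudo HJT Report", []):
        if line.lower().startswith("mwinlogon: userinit="):
            entries = [e.strip().lower() for e in line.split("=", 1)[1].split(",") if e.strip()]
            hits["userinit_extra_entries"].extend(e for e in entries if e != EXPECTED_USERINIT)
        elif (m := RUN_RE.match(line)):
            hive, _, target = m.groups()
            if target:
                runs_by_name[basename(target)].add(hive)
                if PROFILE_ROOT_EXE_RE.match(target.strip()):
                    hits["exe_in_profile_root"].append(target)
        elif (m := BHO_RE.match(line)):
            name, dll = m.groups()
            bho_dlls.add(basename(dll))
            if not name.strip():
                hits["bho_without_name"].append(dll)
        elif (m := NOTIFY_RE.match(line)):
            notify_dlls.append(m.group(2))

    # A DLL that is both a browser helper and a Winlogon notification package is unusual.
    hits.update({"dll_is_both_bho_and_winlogon_notify": [d for d in notify_dlls if basename(d) in bho_dlls]}
                if any(basename(d) in bho_dlls for d in notify_dlls) else {})
    for name, hives in runs_by_name.items():
        if len(hives) > 1:  # same program set to start from several Run keys at once
            hits["run_entry_in_multiple_hives"].append(f"{name}: {sorted(hives)}")
    return dict(hits)


if __name__ == "__main__":
    for indicator, details in triage(SAMPLE_LOG).items():
        print(indicator)
        for d in details:
            print("   ", d)
```

Run it against a full DDS log by reading the file into `triage()`; an empty result means none of these particular heuristics fired, not that the machine is clean, since a file infector such as the one named in the next post changes existing executables rather than adding new autostart entries.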

#2 miekiemoes


Posted 24 February 2009 - 05:48 AM


I have bad news for you.

I see you're dealing with Virut on top of the other nasty malware you are dealing with. In that case, it's unfortunately a lost case - a game-over situation, and a format and reinstall is the fastest and especially the safest solution.

You may want to read this why:
Virut and other File infectors - Throwing in the Towel?

So, I suggest you start backing up all of your valuable data/documents/pictures/movies/songs/etc. Do NOT back up any applications/installers and do NOT back up any .exe/.scr/.htm/.html/.xml/.zip/.rar files...
This is because these files may be infected as well. If you back them up and replace them afterwards, it will infect your computer again.

Read here for instructions on how to format and reinstall Windows: http://web.mit.edu/ist/products/winxp/adva...all-format.html

#3 miekiemoes


Posted 06 March 2009 - 07:12 AM

Since there is no feedback anymore, I assume this issue is resolved ... so, this topic is closed.
If you need this topic reopened for continuation of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.
