Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

I have Win32Worm.Pinit, Win32.Agent.icb and others.


  • Please log in to reply
1 reply to this topic

#1 Justin Bruns

Justin Bruns

  • Members
  • 1 posts
  • OFFLINE
  •  
  • Local time:07:04 PM

Posted 04 March 2009 - 11:29 AM

Last week my son downloaded a program and attempted to 'crack' it. I have spoken to him about this and removed the offending program, but ever since then our scanners have been detecting Trojans and Worms.

We are running Windows XP Home, with AVG 8.0.237 as our AntiVirus and ZoneAlarm 8.0.065 as our firewall. Immediately after he tried to run the crack, he came to me and said that AVG caught a virus. At first we thought AVG had solved the problem, but as a few days passed we started receiving more and more alerts, so I started looking for help online.

Restore points are disabled and not an option, and I have followed instructions to delete old restore points just in case one of them was hiding the Trojan.

Yesterday, we disabled the internet and ran AVG, Malwarebyte's Anti-Malware, SpyBot Search and Destroy and Ad-Aware one after the other. All are updated. We then restarted the computer in safe mode and ran them all again, in that order. We then rebooted into normal mode and had SpyBot run on startup, and then ran them all again. Ever since then, things have actually been worse than ever.

Now whenever I run any software, I get an AVG resident shield alert that says
C:\WINDOWS\system32\user32.DLL is infected with 'Trojan horse Patched_c.BON'. Choosing to remove selected infections does nothing.

When I run SpyBot, I continually find Win32.Agent.icb and Win32.Delf.uc. SpyBot says it fixes them, but they always return.

When I run Ad Aware, I continually find Win32Worm.Pinit and other trojans.

I also continue to get alerts that ZoneAlarm has blocked '9.tmp' or 7.tmp' from accessing the internet.

May I just say, this forum is wonderful and the service you people perform for the PC community is quite admirable. If I hadn't found this forum, I would be out purchasing a new Windows disk right now (which is a bit of an expense on a tight budget). I am performing a new backup as we speak in case things can't be recovered, but we are having difficulty locating the Windows XP install disk, so I am hoping to solve this problem without having to do a re-install if at all possible. I would hate to have to purchase a new Windows XP disk when I still have my key printed on the side of my case.

My DDS log follows:



DDS (Ver_09-02-01.01) - NTFSx86
Run by Murphy at 11:08:53.79 on Wed 03/04/2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_05
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1078 [GMT -5:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated)
FW: ZoneAlarm Firewall *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Microsoft Xbox 360 Accessories\XboxStat.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\CTHELPER.EXE
D:\Program Files\iTunes\iTunesHelper.exe
D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Linksys Wireless-G PCI Network Adapter with SpeedBooster\WLService.exe
C:\Program Files\Linksys Wireless-G PCI Network Adapter with SpeedBooster\WMP54GSv1_1.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Safari\Safari.exe
svchost.exe C:\WINDOWS\TEMP\VRT3.tmp
D:\Program Files\Pidgin\pidgin.exe
D:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
D:\Program Files\Azureus\Azureus.exe
C:\Documents and Settings\Murphy\Desktop\dds.scr
C:\Program Files\AVG\AVG8\avgcsrvx.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.netflix.com/WiHome?lnkctr=mhWN&lnkce=mhwi
uInternet Settings,ProxyOverride = *.local
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [XboxStat] "c:\program files\microsoft xbox 360 accessories\XboxStat.exe" silentrun
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [CTxfiHlp] CTXFIHLP.EXE
mRun: [CTHelper] CTHELPER.EXE
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "d:\program files\itunes\iTunesHelper.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [reader_s] c:\windows\system32\reader_s.exe
mRun: [ZoneAlarm Client] "d:\program files\zone labs\zonealarm\zlclient.exe"
mRun: [Ad-Watch] c:\program files\lavasoft\ad-aware\AAWTray.exe
DPF: {31435657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab
DPF: {33564D57-0000-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
DPF: {48DD0448-9209-4F81-9F6D-D83562940134} - hxxp://lads.myspace.com/upload/MySpaceUploader1006.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: avgrsstarter - avgrsstx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-2-25 64160]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-7-29 325128]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2008-7-29 27656]
R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2008-2-15 353680]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-2-4 298264]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-1-18 950096]
R2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]
R3 AtiHdmiService;ATI Function Driver for HDMI Service;c:\windows\system32\drivers\AtiHdmi.sys [2002-1-16 93696]
R3 COMMONFX.SYS;COMMONFX.SYS;c:\windows\system32\drivers\COMMONFX.sys [2008-6-27 99352]
R3 CTAUDFX.SYS;CTAUDFX.SYS;c:\windows\system32\drivers\CTAUDFX.sys [2008-6-27 555032]
R3 CTSBLFX.SYS;CTSBLFX.SYS;c:\windows\system32\drivers\CTSBLFX.sys [2008-6-27 566296]
S1 asbp2poa;asbp2poa;\??\c:\docume~1\murphy\locals~1\temp\asbp2poa.sys --> c:\docume~1\murphy\locals~1\temp\asbp2poa.sys [?]
S3 COMMONFX;COMMONFX;c:\windows\system32\drivers\COMMONFX.sys [2008-6-27 99352]
S3 CTAUDFX;CTAUDFX;c:\windows\system32\drivers\CTAUDFX.sys [2008-6-27 555032]
S3 CTERFXFX.SYS;CTERFXFX.SYS;c:\windows\system32\drivers\CTERFXFX.sys [2008-6-27 100888]
S3 CTERFXFX;CTERFXFX;c:\windows\system32\drivers\CTERFXFX.sys [2008-6-27 100888]
S3 CTSBLFX;CTSBLFX;c:\windows\system32\drivers\CTSBLFX.sys [2008-6-27 566296]
S3 NB762_XP;NB 802.11g XG762 1211B Driver;c:\windows\system32\drivers\WlanUZXP.sys [2008-2-15 437760]

=============== Created Last 30 ================

2009-03-04 10:44 160 a---h--- C:\aaw7boot.cmd
2009-03-04 09:41 40 a------- c:\windows\system32\8.tmp
2009-03-03 20:12 40 a------- c:\windows\system32\6.tmp
2009-03-03 14:34 1 a------- c:\windows\system32\3.tmp
2009-03-03 14:34 124 a------- c:\windows\system32\2.tmp
2009-03-03 14:33 64,512 a------- c:\windows\system32\wer3.pf
2009-03-03 14:33 32,768 a------- c:\windows\system32\febbn.wa
2009-03-03 14:33 78,336 a------- c:\windows\system32\nvaux32.dll
2009-03-03 14:33 215,552 ac------ c:\windows\system32\dllcache\termsrv.dll
2009-03-03 14:33 207,872 a------- c:\windows\system32\azton.mt
2009-03-03 14:33 207,872 a------- c:\windows\system32\4.tmp
2009-03-03 01:49 <DIR> --d----- c:\docume~1\murphy\applic~1\Malwarebytes
2009-03-03 01:49 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-03-03 01:49 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-03-03 01:49 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-02-25 15:49 15,688 a------- c:\windows\system32\lsdelete.exe
2009-02-25 14:46 64,160 a------- c:\windows\system32\drivers\Lbd.sys
2009-02-25 14:44 <DIR> -cd-h--- c:\docume~1\alluse~1\applic~1\{83C91755-2546-441D-AC40-9A6B4B860800}
2009-02-25 14:44 <DIR> --d----- c:\program files\Lavasoft
2009-02-25 13:14 578,560 a------- c:\windows\system32\mivqjw
2009-02-25 13:09 0 a------- c:\windows\mqcd.dbt
2009-02-25 13:08 28,672 a------- c:\windows\system32\kdoqmn.sr
2009-02-25 13:08 32,768 a------- c:\windows\system32\odjan.wa
2009-02-25 13:08 32,768 a------- c:\windows\system32\kei1w.an
2009-02-25 13:08 28,672 a------- c:\windows\system32\doqkm.zt
2009-02-25 13:08 77,312 a------- c:\windows\system32\rkoq.pxf
2009-02-24 15:29 127 a------- c:\windows\system32\55.tmp
2009-02-24 15:29 0 a------- c:\windows\system32\56.tmp
2009-02-24 15:29 84 a------- c:\windows\system32\54.tmp
2009-02-24 15:25 1,221,008 a------- c:\windows\system32\zpeng25.dll
2009-02-24 15:00 1 a------- c:\windows\system32\5E.tmp
2009-02-24 15:00 84 a------- c:\windows\system32\5D.tmp
2009-02-24 10:03 182,656 ac------ c:\windows\system32\dllcache\ndis.sys
2009-02-24 10:02 0 a------- c:\windows\system32\E81.tmp
2009-02-24 10:02 88 a------- c:\windows\system32\E7E.tmp
2009-02-23 08:55 <DIR> --d----- c:\docume~1\murphy\applic~1\Final Draft
2009-02-23 08:54 1,073,152 a----r-- c:\windows\system32\cdintf210.dll
2009-02-23 08:54 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Final Draft
2009-02-23 08:54 <DIR> --d----- c:\program files\Final Draft Tagger
2009-02-04 15:56 10,520 a------- c:\windows\system32\avgrsstx.dll

==================== Find3M ====================

2009-03-03 14:33 578,560 a------- c:\windows\system32\user32.DLL
2009-03-03 14:33 215,552 a------- c:\windows\system32\termsrv.dll
2009-02-24 15:26 4,212 a---h--- c:\windows\system32\zllictbl.dat
2009-02-24 10:03 182,656 a------- c:\windows\system32\drivers\ndis.sys
2009-02-23 09:30 13,836 a---h--- c:\windows\system32\mlfcache.dat
2009-02-04 15:56 325,128 a------- c:\windows\system32\drivers\avgldx86.sys
2008-12-20 18:15 826,368 a------- c:\windows\system32\wininet.dll
2008-12-07 14:28 34,308 a------- c:\windows\system32\Chip.dll
2008-12-07 14:28 22,004 a------- c:\windows\system32\Pvt.tmp
2008-12-07 13:47 410,984 a------- c:\windows\system32\deploytk.dll

============= FINISH: 11:10:11.37 ===============


I have not run a Kaspersky scan because I am afraid to disable my antivirus even for a moment!

Thank you for your help, I will be checking back frequently for your advice.

Attached Files



BC AdBot (Login to Remove)

 


#2 Rodav

Rodav

  • Members
  • 388 posts
  • OFFLINE
  •  
  • Local time:11:04 PM

Posted 10 March 2009 - 08:16 PM

Hi,

Unfortunately I have some bad news, your computer is infected with Virut.

Virut is capable of infecting all the machine's executable files (.exe) and screensaver files (.scr). However, the problem is that the virus has a number of bugs in its code, and as a result, it may misinfect a proportion of executable files and therefore, the files are corrupted beyond repair. As of now, security experts suggest that a format and clean install, or destructive recovery if you have an OEM recovery partition, is the best way to clean the infection and it is the best way to return the machine to its normal working state.

Backup all your documents and important items (personal data, work documents, etc) only. DO NOT backup any executable files (software) and screensavers (*.scr). It attempts to infect any accessed .exe or .scr files by appending itself to the executable.

Also, avoid backing up compressed files (zip/cab/rar) files that have .exe or .scr files inside them. Virut can penetrate and infect .exe files inside compressed files too.

I don't feel there is any point in trying to clean this machine. Sorry to be the bearer of bad news, but that's how I see it.

You can read more about it here if you want; http://miekiemoes.blogspot.com/2009/02/vir...s-throwing.html

If you have any questions let me know.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users