
What is it and why won't it die?



#1 Jade Jean


Posted 11 March 2009 - 11:15 AM

Hi there,
Thank you for taking the time to help me with this. My name is Jade and I am at my wit's end. My boyfriend and I were infected with something about 5 months ago. One night we were set up on our laptops next to each other and we both noticed something weird with our computers. We both were notified that our computer was scheduled to reboot and install a new unknown "device" or "component", I forget the exact term it used. We both attempted to stop the reboot, however we were unsuccessful. It was really odd. Then, soon after, we both noticed significant changes in the performance of our computers such as extreme lag, constant hangups, getting locked out of files and programs. But mainly, the noise. Our computers started running really loud and eating up memory left and right. I ran every single virus, malware, spyware scan I could find. Nothing was ever detected. I reset our router, still no change. I ended up getting a new computer from my mom, because I was so frustrated. This new laptop is a Toshiba Satellite. I've only had it about 2 weeks. It is my mom's old computer, she bought a new one for herself. When I received it, I wiped the hard drive and ran KillDisk. I then installed Windows XP. Now, this one is acting exactly like my last one did. Then, it dawned on me, if this infection is a network worm then we all have it, including my mom's router. I used her wireless connection all the time with my old computer. As I had before, I've run many different scans to try to detect this. I did finally start getting results, but they were confusing. AVG came with the install disk for XP. It found the following:

Autoit.worm.ayr
Boot Sector Corruption

Then I ran Microsoft Malicious Software Remover and it said it found Rustock variant, but it could not be removed automatically.


I tried running all of the online scans such as Kaspersky, Panda, ESET etc. None of them would initiate. Now, I'm getting an application error 0x0c0000022 on almost half of my programs. I cannot open mmc.exe at all and I can only access a few items from my control panel. When I open task manager, it opens about 50 processes for itself. I have also noticed that I am acquiring all kinds of media files such as .avi, .bmp, .gif and so on, but I don't know where all of these files are coming from. So, I'm hoping I can get some help. I ran DDS and HijackThis. I will attach the HijackThis log and attach.txt. Here is my DDS log.



DDS (Ver_09-02-01.01) - NTFSx86
Run by LadyLuck13 at 4:50:43.14 on Wed 03/11/2009
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.191.25 [GMT -8:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\ehome\ehSched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\visualtasktips.exe
C:\WINDOWS\System32\topdesk.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Reg Organizer\organizer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Users\LadyLuck13\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
mWinlogon: UIHost=%SystemRoot%\System32\ultlogonui.exe
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_02\bin\ssv.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
uRun: [MsnMsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [VisualTaskTips] c:\windows\system32\visualtasktips.exe
uRun: [TopDesk] c:\windows\system32\topdesk.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Messenger (Yahoo!)] "c:\program files\yahoo!\messenger\YahooMessenger.exe" -quiet
mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [SecurDisc] c:\program files\nero\nero 7\incd\NBHGui.exe
mRun: [InCD] c:\program files\nero\nero 7\incd\InCD.exe
mRun: [AVG7_CC] c:\progra~1\grisoft\avg7\avgcc.exe /STARTUP
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
dRun: [MsnMsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
dRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
dRun: [VisualTaskTips] c:\windows\system32\visualtasktips.exe
dRun: [TopDesk] c:\windows\system32\topdesk.exe
dRunOnce: [nltide_2] regsvr32 /s /n /i:U shell32
dRunOnce: [ProfileFolderName] hc /w cmd.exe /c Reg Add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{450D8FBA-AD25-11D0-98A8-0800361B1103}" /v "" /t REG_SZ /d "%UserName%" /f
dRunOnce: [CheckUpdates] wuauclt /detectnow
uPolicies-explorer: NoRecentDocsNetHood = 1 (0x1)
mPolicies-explorer: NoRecentDocsNetHood = 1 (0x1)
dPolicies-explorer: NoRecentDocsNetHood = 1 (0x1)
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_02\bin\ssv.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\wpdshserviceobj.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll

================= FIREFOX ===================

FF - ProfilePath - c:\users\ladylu~1\applic~1\mozilla\firefox\profiles\sdari58r.default\
FF - component: c:\users\ladyluck13\application data\mozilla\firefox\profiles\sdari58r.default\extensions\piclens@cooliris.com\components\coolirisstub.dll

============= SERVICES / DRIVERS ===============

R0 ATIIDE;ATIIDE;c:\windows\system32\drivers\ATIIDE.sys [2007-10-11 6016]
R1 Avg7Core;AVG7 Kernel;c:\windows\system32\drivers\avg7core.sys [2009-3-10 821728]
R1 Avg7RsW;AVG7 Wrap Driver;c:\windows\system32\drivers\avg7rsw.sys [2009-3-10 4224]
R1 Avg7RsXP;AVG7 Resident Driver XP;c:\windows\system32\drivers\avg7rsxp.sys [2009-3-10 27776]
R1 AvgClean;AVG7 Clean Driver;c:\windows\system32\drivers\avgclean.sys [2009-3-10 3968]
R2 AvgTdi;AVG Network Redirector;c:\windows\system32\drivers\avgtdi.sys [2009-3-10 4960]

============== File Associations ===============

inifile="c:\program files\reg organizer\organizer.exe" -ini "%1"
regfile="c:\program files\reg organizer\organizer.exe" -import "%1"

=============== Created Last 30 ================

2009-03-10 23:32 <DIR> --d----- c:\program files\Yahoo!
2009-03-10 21:31 <DIR> --d----- c:\users\ladylu~1\applic~1\ChemTable Software
2009-03-10 21:28 <DIR> --d----- c:\program files\Reg Organizer
2009-03-10 21:27 <DIR> --d-h--- c:\windows\PIF
2009-03-10 21:17 <DIR> --d----- c:\program files\Total Uninstall 5
2009-03-10 20:16 <DIR> --d----- c:\program files\Windows Installer Clean Up
2009-03-10 20:16 <DIR> --d----- c:\program files\MSECACHE
2009-03-10 19:55 664 a------- c:\windows\system32\d3d9caps.dat
2009-03-10 12:17 26,368 ac------ c:\windows\system32\dllcache\usbstor.sys
2009-03-10 11:31 <DIR> --d----- c:\program files\common files\Jasc Software Inc
2009-03-10 11:30 <DIR> --d----- c:\users\ladyluck13\My PSP Files
2009-03-10 11:30 <DIR> --d----- c:\program files\Jasc Software Inc
2009-03-10 10:18 <DIR> --d----- c:\program files\common files\Nova Development
2009-03-10 10:16 <DIR> --d----- c:\users\alluse~1\applic~1\Nova Development
2009-03-10 10:16 <DIR> --d----- c:\program files\common files\Ulead Systems
2009-03-10 10:16 <DIR> --d----- c:\program files\Nova Development
2009-03-10 10:13 <DIR> --d----- c:\program files\PictureProject In Touch Downloader
2009-03-10 10:11 54,156 a---h--- c:\windows\QTFont.qfn
2009-03-10 10:11 1,409 a------- c:\windows\QTFont.for
2009-03-10 10:08 212,480 a------- c:\windows\PCDLIB32.DLL
2009-03-10 10:06 <DIR> --d----- c:\program files\common files\Nikon
2009-03-10 10:05 <DIR> --d-hr-- C:\$VAULT$.AVG
2009-03-10 08:56 393,600 a------- c:\windows\system32\drivers\ar5211.sys
2009-03-10 08:56 270,336 a------- c:\windows\system32\PlugPlayPCIDevice.exe
2009-03-10 08:56 163,840 a------- c:\windows\system32\MFCFirstRemove.exe
2009-03-10 08:56 32,768 a------- c:\windows\system32\RmWLAN.exe
2009-03-10 08:56 32,768 a------- c:\windows\system32\CloseACU.exe
2009-03-10 08:56 28,672 a------- c:\windows\system32\InstallInf.exe
2009-03-10 08:56 766 a------- c:\windows\system32\AddRemove.ico
2009-03-10 08:56 <DIR> --d----- c:\program files\Atheros
2009-03-10 08:56 <DIR> --d----- C:\AtherosMB51.temp
2009-03-10 08:49 244 a---h--- C:\sqmnoopt00.sqm
2009-03-10 08:49 232 a---h--- C:\sqmdata00.sqm
2009-03-10 08:48 552 a------- c:\windows\system32\d3d8caps.dat
2009-03-10 08:48 <DIR> --d----- c:\users\ladylu~1\applic~1\AVG7
2009-03-10 08:46 221,184 a------- c:\windows\system32\wmpns.dll
2009-03-10 08:44 <DIR> --d--r-- c:\users\ladyluck13\Music
2009-03-10 08:44 <DIR> --d--r-- c:\users\ladyluck13\Pictures
2009-03-10 08:42 <DIR> --d----- c:\users\alluse~1\applic~1\Grisoft
2009-03-10 08:33 <DIR> a-d----- c:\program files\Nero
2009-03-10 08:33 <DIR> --d----- c:\users\alluse~1\applic~1\Nero
2009-03-10 08:16 <DIR> --d----- c:\windows\system32\XPSViewer
2009-03-10 08:15 14,048 -------- c:\windows\system32\spmsg2.dll
2009-03-10 08:08 2,188,288 a------- c:\windows\system32\ntoskrnl.backup
2009-03-10 08:08 <DIR> --dsh--- c:\users\ladyluck13\Contacts
2009-03-10 08:08 <DIR> --ds---- c:\users\ladyluck13\Videos
2009-03-10 08:08 <DIR> --ds---- c:\users\ladyluck13\Downloads
2009-03-10 08:08 <DIR> --ds---- c:\users\ladyluck13\Documents
2009-03-10 08:08 <DIR> --d-h--- c:\users\ladyluck13\My Received Files
2009-03-10 08:08 <DIR> --d-h--- c:\users\ladyluck13\Microsoft Games
2009-03-10 08:08 <DIR> --d--r-- c:\users\LadyLuck13
2009-03-10 08:08 <DIR> --d----- c:\users\ladylu~1\applic~1\OtakuSoftware
2009-03-10 08:08 <DIR> --d----- c:\users\ladylu~1\applic~1\ESTsoft
2009-03-10 08:06 <DIR> --ds---- c:\windows\system32\Microsoft
2009-03-10 08:06 8,192 a------- c:\windows\REGLOCS.OLD
2009-03-10 07:58 46,592 ac------ c:\windows\system32\dllcache\svcext51.dll
2009-03-10 07:57 2,036,224 ac------ c:\windows\system32\dllcache\lhmstscx.dll
2009-03-10 07:56 94,208 ac------ c:\windows\system32\dllcache\fpencode.dll
2009-03-10 07:55 76,800 ac------ c:\windows\system32\dllcache\logui.ocx
2009-03-10 07:54 10,752 a------- c:\windows\system32\ff_vfw.dll
2009-03-10 07:54 547 a------- c:\windows\system32\ff_vfw.dll.manifest
2009-03-10 07:54 60,273 a------- c:\windows\system32\pthreadGC2.dll
2009-03-10 07:54 499,712 a------- c:\windows\system32\msvcp71.dll
2009-03-10 07:54 <DIR> --d----- c:\program files\ffdshow
2009-03-10 07:53 <DIR> --d----- c:\program files\Windows Plus
2009-03-10 07:53 1,742,336 a------- c:\windows\system32\mypixdx.scr
2009-03-10 07:53 11,452 a------- c:\windows\system32\mypixdx.chm
2009-03-10 07:53 3,343,360 a------- c:\windows\system32\nature.scr
2009-03-10 07:53 5,068,800 a------- c:\windows\system32\davinci.scr
2009-03-10 07:53 7,093,760 a------- c:\windows\system32\space.scr
2009-03-10 07:53 4,396,544 a------- c:\windows\system32\wpgldfsh.scr
2009-03-10 07:53 19,840 a------- c:\windows\system32\drivers\pxhelp20.sys
2009-03-10 07:50 <DIR> --d----- c:\program files\ESTsoft
2009-03-10 07:47 3,426,072 a------- c:\windows\system32\d3dx9_32.dll
2009-03-10 07:46 <DIR> --d----- c:\program files\Microsoft SQL Server Compact Edition
2009-03-10 07:37 <DIR> --d----- c:\windows\system32\URTTemp
2009-03-10 07:37 69,632 a------- c:\windows\system32\javacpl.cpl
2009-03-10 07:35 23,856 a------- c:\windows\system32\spupdsvc.exe
2009-03-10 07:35 <DIR> --d----- c:\program files\Alky for Applications
2009-03-10 07:35 <DIR> --dshr-- C:\cmdcons
2009-03-10 07:32 <DIR> --dsh--- c:\users\all users\DRM
2009-03-10 07:32 488 a---hr-- c:\windows\system32\WindowsLogon.manifest
2009-03-10 07:32 488 a---hr-- c:\windows\system32\logonui.exe.manifest
2009-03-10 07:32 749 a---hr-- c:\windows\WindowsShell.Manifest
2009-03-10 07:32 749 a---hr-- c:\windows\system32\wuaucpl.cpl.manifest
2009-03-10 07:32 749 a---hr-- c:\windows\system32\sapi.cpl.manifest
2009-03-10 07:32 749 a---hr-- c:\windows\system32\nwc.cpl.manifest
2009-03-10 07:32 749 a---hr-- c:\windows\system32\ncpa.cpl.manifest
2009-03-10 07:32 749 a---hr-- c:\windows\system32\cdplayer.exe.manifest
2009-03-10 07:31 <DIR> --d-h--- c:\program files\WindowsUpdate
2009-03-10 07:31 <DIR> --d----- c:\program files\common files\MSSoap
2009-03-10 07:28 <DIR> --d----- c:\program files\Windows Media Connect 2
2009-03-10 07:28 <DIR> --d----- c:\program files\MSN Gaming Zone
2009-03-10 07:27 <DIR> --d----- c:\program files\Windows NT
2009-03-09 23:17 <DIR> --d----- c:\program files\common files\ODBC
2009-03-09 23:17 <DIR> --d----- c:\program files\common files\SpeechEngines
2009-03-09 23:16 <DIR> --d--r-- c:\users\all users\Documents

==================== Find3M ====================

2009-03-10 08:08 2,189,568 a------- c:\windows\system32\ntoskrnl.exe
2009-03-10 07:33 86,327 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2009-03-10 07:29 21,640 a------- c:\windows\system32\emptyregdb.dat

============= FINISH: 4:51:32.64 ===============

Edited by Jade Jean, 11 March 2009 - 11:17 AM.


- Jadey Jean
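Since the thread turns on reading the DDS log above, here is a small parser for that log format, added as an example; it is not part of the original thread and is not a BleepingComputer or DDS tool. It splits the log on its ==== banners, normalises the Pseudo HJT Report lines (settings, BHOs with their CLSIDs, Run/RunOnce commands, Winlogon values) and lists two things a log reviewer reads first: CLSID registrations whose file is missing and RunOnce commands. The embedded sample is a constructed excerpt of the log above.

```python
import re

# Constructed excerpt in DDS's own layout, lifted from the Pseudo HJT Report above.
SAMPLE_LOG = r"""
============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
mWinlogon: UIHost=%SystemRoot%\System32\ultlogonui.exe
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_02\bin\ssv.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
uRun: [TopDesk] c:\windows\system32\topdesk.exe
dRunOnce: [nltide_2] regsvr32 /s /n /i:U shell32
"""

BANNER_RE = re.compile(r"^=+\s*(.+?)\s*=+$")    # "===== Heading ====="
ENTRY_RE = re.compile(r"^([A-Za-z]+):\s*(.*)$")  # "uRun: ...", "BHO: ..."
RUN_RE = re.compile(r"^\[([^\]]+)\]\s*(.*)$")    # "[Name] command line"
CLSID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}")

def split_sections(text):
    """Group the log's non-blank lines under the banner that precedes them."""
    sections, current = {}, "header"
    for line in text.splitlines():
        m = BANNER_RE.match(line)
        if m:
            current = m.group(1)
        elif line.strip():
            sections.setdefault(current, []).append(line.rstrip())
    return sections

def parse_hjt(lines):
    """Normalise pseudo-HJT lines to dicts (kind, name, clsid, target); hxxp:// is DDS defanging."""
    entries = []
    for line in lines:
        if " = " in line:                        # "uStart Page = hxxp://..."
            key, val = line.split(" = ", 1)
            entries.append({"kind": "setting", "name": key, "clsid": None, "target": val})
            continue
        m = ENTRY_RE.match(line)
        if not m:
            continue
        kind, body = m.groups()
        clsid = CLSID_RE.search(body)
        run = RUN_RE.match(body)
        if run:                                  # uRun / mRun / dRunOnce: "[Name] command"
            name, target = run.groups()
        elif " - " in body:                      # "Name: {clsid} - path" or "{clsid} - No File"
            head, target = body.rsplit(" - ", 1)
            name = "" if head.startswith("{") else head.split(":", 1)[0]
        else:                                    # "UIHost=path"
            name, _, target = body.partition("=")
        entries.append({"kind": kind, "name": name.strip(), "target": target.strip(),
                        "clsid": clsid.group(0) if clsid else None})
    return entries

def triage(sections):
    """Items a log reviewer reads first (a review list, not a verdict)."""
    out = []
    for e in parse_hjt(sections.get("Pseudo HJT Report", [])):
        if e["target"] == "No File":             # registered CLSID whose file is gone
            out.append(("orphaned", e["kind"], e["clsid"]))
        elif e["kind"].endswith("RunOnce"):      # runs at next logon, then the entry is removed
            out.append(("runonce", e["name"], e["target"]))
    return out
```

On a saved report, `triage(split_sections(open("dds.txt").read()))` produces the same kind of list for the whole log.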


#2 fireman4it


Posted 11 March 2009 - 04:27 PM

Hello Jade Jean ,

Welcome to Bleeping Computer.

Sorry for delayed response. Forums have been really busy.

My name is fireman4it and I will be helping you with your Malware problem.
As I am still in training I will be helping you under supervision of our expert teachers, so there may be a delay between posts.

Please make no further changes or run any other tools unless instructed to. This may hinder the cleaning of your machine.

I will be analyzing your log. I will get back to you with instructions after it is approved.

" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-




#3 fireman4it


Posted 12 March 2009 - 08:59 AM

Hello Jade Jean,

1.
Download ComboFix from one of these locations:

Link 1
Link 2
Link 3

**Note: It is important that it is saved directly to your desktop**

--------------------------------------------------------------------

With malware infections being as they are today, it's strongly recommended to have the Windows Recovery Console pre-installed on your machine before doing any malware removal.

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Go to Microsoft's website => http://support.microsoft.com/kb/310994

Select the download that's appropriate for your Operating System.

Download the file & save it as it's originally named.

---------------------------------------------------------------------

Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
  • Drag the setup package onto ComboFix.exe and drop it.
  • Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console.

  • At the next prompt, click 'Yes' to run the full ComboFix scan.
  • When the tool is finished, it will produce a report for you.
Please post the C:\ComboFix.txt and new HijackThis log in your next reply.

2.
I see you have AVG 7.5 installed on your computer; it is out of date. You can download the new version here:
http://free.avg.com/

3.
  • Download random's system information tool (RSIT) by random/random from here and save it to your desktop.
  • Double click on RSIT.exe to run RSIT.
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open. Please post the contents of both log.txt (<<will be maximized) and info.txt (<<will be minimized).
4.
We Need to Diagnose Your BlueScreen
  • When you boot your machine, press F8 to list the startup options, exactly as you would if you were trying to enter Safe Mode.
  • Select "Disable Automatic Restart on System Failure", as shown here:
    Posted Image
  • When your system BSODs, write down the STOP error code, as well as any written out error message back here. The STOP error will always appear, but the message may not. You are looking for this:
    Posted Image
Things to include in your next reply:
Combofix txt
Rsit logs
Blue screen error if it happens again



#4 fireman4it


Posted 14 March 2009 - 10:31 AM

Hello.

Are you still there?

If you are please follow the instructions in my previous post.

If you still need help, follow the instructions I have given in my response. If you have since had your problem solved, we would appreciate you letting us know so we can close the topic.

Please reply back telling us so. If you don't reply within 5-7 days the topic will need to be closed.

Thanks for understanding.

With Regards,
fireman4it



#5 Yourhighness


Posted 19 March 2009 - 11:46 AM

Due to the lack of feedback this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team
a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.
