Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.


Ravaged system by the attacks of the notorious Anti virus 2009 VIRUS

  • This topic is locked This topic is locked
5 replies to this topic

#1 Ipshita


  • Members
  • 2 posts
  • Gender:Female
  • Location:connecticut, US
  • Local time:09:52 PM

Posted 18 March 2009 - 08:50 AM


Recently while happily working and listening to an online radio station my system just jammed with the cursor showing the processing symbol. I thought it a small abberation and continued working as songs still played in the background.

Then I was attacked!

The virus disabled the pictures on the internet, my anti virus on the system and the speeds became very slow. Searching for help I found you. on your website i was instructed to use the malware software. The malware removal has been successful to a certain extent but not completely. I am still not able to activate my windows update. and my task manager has many new .exe files. [I have uploaded a picture of how my task manager looks like]

Please help!

Yours truly

DDS (Ver_09-03-16.01) - NTFSx86
Run by Chairperson at 9:37:23.23 on Wed 18/03/2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Professional 5.1.2600.3.1252.61.1033.18.758.333 [GMT -4:00]

AV: Norton Internet Security *On-access scanning enabled* (Updated)
FW: Norton Internet Security *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Norton Internet Security\Engine\\ccSvcHst.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Norton Internet Security\Engine\\ccSvcHst.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Chairperson\Local Settings\Application Data\Google\Google Talk Plugin\googletalkplugin.exe
C:\Documents and Settings\Chairperson\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uSearch Page =
uSearch Bar =
uInternet Settings,ProxyServer = www-cache5.usyd.edu.au:8085
uInternet Settings,ProxyOverride = *.local;<local>
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton internet security\engine\\coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton internet security\engine\\IPSBHO.DLL
BHO: WOT Helper: {c920e44a-7f78-4e64-bdd7-a57026e7feb7} - c:\program files\wot\WOT.dll
TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton internet security\engine\\coIEPlg.dll
TB: WOT: {71576546-354d-41c9-aae8-31f2ec22bf0d} - c:\program files\wot\WOT.dll
TB: {EEE6C35B-6118-11DC-9C72-001320C79847} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Advanced SystemCare 3] "c:\program files\iobit\advanced systemcare 3\AWC.exe" /startup
uRun: [vudn63xkdz6pq8jpgmfnx7] c:\docume~1\chairp~1\locals~1\temp\t20pkllp.exe
uRun: [kwptwvxcun22ri2fh88wf8tkjsh6e6hhlduq0rw2imbunrxb] c:\docume~1\chairp~1\locals~1\temp\iqr4kf2im.exe
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
uPolicies-explorer: NoFolderOptions = 1 (0x1)
uPolicies-system: DisableRegistryTools = 0
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\program files\yahoo!\common\yiesrvc.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {5ed80217-570b-4da9-bf44-be107c0ec166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6662.cab
DPF: {6a344d34-5231-452a-8a57-d064ac9b7862} - hxxps://webdl.symantec.com/activex/symdlmgr.cab
handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
handler: symres - {AA1061FE-6C41-421f-9344-69640C9732AB} - c:\program files\norton internet security\engine\\CoIEPlg.dll
handler: wot - {C2A44D6B-CB9F-4663-88A6-DF2F26E4D952} - c:\program files\wot\WOT.dll
Notify: igfxcui - igfxdev.dll
AppInit_DLLs: c:\windows\system32\nijonina.dll c:\windows\system32\morugawe.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
LSA: Notification Packages = scecli c:\windows\system32\nijonina.dll

============= SERVICES / DRIVERS ===============

R0 symefa;Symantec Extended File Attributes;c:\windows\system32\drivers\nis\1002000.007\SymEFA.sys [2009-3-17 309296]
R1 bhdrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\nis\1002000.007\BHDrvx86.sys [2009-3-17 255536]
R1 cchp;Symantec Hash Provider;c:\windows\system32\drivers\nis\1002000.007\cchpx86.sys [2009-3-17 362544]
R1 idsxpx86;IDSxpx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\ipsdefs\20090310.003\IDSxpx86.sys [2009-3-17 276344]
R2 norton internet security;Norton Internet Security;c:\program files\norton internet security\engine\\ccSvcHst.exe [2009-3-17 115560]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-3-16 101936]
R3 naveng;NAVENG;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\virusdefs\20090317.053\NAVENG.SYS [2009-3-18 89104]
R3 navex15;NAVEX15;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\virusdefs\20090317.053\NAVEX15.SYS [2009-3-18 876144]
S1 7427a664;7427a664;c:\windows\system32\drivers\7427a664.sys [2009-3-13 0]
S2 gupdate1c96017ed0d9758;Google Update Service (gupdate1c96017ed0d9758);c:\program files\google\update\GoogleUpdate.exe [2008-12-17 133104]
S2 meiba;meiba;c:\windows\system32\svchost.exe -k netsvcs [2004-8-3 14336]
S3 usbvm328;HP Camera;c:\windows\system32\drivers\usbvm326.sys [2008-3-29 219648]
S3 vmfilter323;VC0326 filter service for Serome;c:\windows\system32\drivers\vmfilter323.sys [2008-3-29 475264]

============== File Associations ===============

inifile=%SystemRoot%\System32\NOTEPAD.EXE %1"
scrfile="%1" %*

=============== Created Last 30 ================

2009-03-17 07:52 <DIR> --d----- c:\docume~1\chairp~1\applic~1\IObit
2009-03-17 07:52 <DIR> --d----- c:\program files\IObit
2009-03-17 07:07 <DIR> --d----- c:\program files\WOT
2009-03-17 00:50 36,272 a----r-- c:\windows\system32\drivers\SymIM.sys
2009-03-17 00:50 124,464 a------- c:\windows\system32\drivers\SYMEVENT.SYS
2009-03-17 00:50 60,808 a------- c:\windows\system32\S32EVNT1.DLL
2009-03-17 00:50 10,635 a------- c:\windows\system32\drivers\SYMEVENT.CAT
2009-03-17 00:50 806 a------- c:\windows\system32\drivers\SYMEVENT.INF
2009-03-17 00:50 <DIR> --d----- c:\program files\Symantec
2009-03-17 00:49 <DIR> --d----- c:\windows\system32\drivers\NIS
2009-03-17 00:49 <DIR> --d----- c:\program files\Norton Internet Security
2009-03-17 00:49 <DIR> --d----- c:\program files\NortonInstaller
2009-03-17 00:35 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Norton
2009-03-17 00:35 <DIR> --d----- c:\docume~1\alluse~1\applic~1\NortonInstaller
2009-03-17 00:33 <DIR> --d----- c:\documents and settings\all users\Symantec Temporary Files
2009-03-15 22:11 <DIR> --d----- C:\e6dfff9382d588802f85523aa07a94
2009-03-14 14:31 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Kodak
2009-03-14 13:56 1,714,486 ---sh--- c:\windows\system32\aneditiy.tmp
2009-03-14 13:39 <DIR> --d----- c:\docume~1\chairp~1\applic~1\Malwarebytes
2009-03-14 13:39 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-03-14 13:39 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-03-14 12:37 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-03-14 12:37 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-03-13 16:10 446 a------- c:\windows\system32\win32hlp.cnf
2009-03-13 16:09 0 a------- c:\windows\system32\drivers\7427a664.sys
2009-03-11 12:36 <DIR> --d----- c:\windows\Chocolatier Decadence by Design
2009-03-11 12:36 <DIR> --d----- c:\program files\Chocolatier Decadence by Design
2009-03-09 19:08 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Trymedia
2009-03-09 19:08 <DIR> --d----- c:\program files\Yahoo! Games
2009-02-21 01:32 7,552 ac------ c:\windows\system32\dllcache\sonypvu1.sys
2009-02-21 01:32 7,552 a------- c:\windows\system32\drivers\SONYPVU1.SYS
2009-02-17 13:31 <DIR> --d----- c:\program files\Catan GmbH
2009-02-16 12:41 <DIR> --d----- c:\program files\uTorrent
2009-02-16 12:41 <DIR> --d----- c:\docume~1\chairp~1\applic~1\uTorrent

==================== Find3M ====================

2009-03-13 16:09 101,888 a--sh--- c:\windows\system32\puzominu.dll
2009-02-09 07:13 1,846,784 a------- c:\windows\system32\win32k.sys
2009-02-04 23:08 170,942 a------- c:\windows\pchealth\helpctr\config\cache\Professional_32_1033.dat
2009-01-05 18:33 3,751,995 a------- c:\windows\system32\GPhotos.scr
2008-09-07 08:40 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008090720080908\index.dat
2008-09-01 10:35 16,384 a--sh--- c:\windows\temp\cookies\index.dat
2008-09-01 10:35 16,384 a--sh--- c:\windows\temp\history\history.ie5\index.dat
2008-09-01 10:35 32,768 a--sh--- c:\windows\temp\temporary internet files\content.ie5\index.dat

============= FINISH: 9:37:53.09 ===============

Attached Files

BC AdBot (Login to Remove)


#2 thewall


  • Malware Response Team
  • 6,425 posts
  • Gender:Male
  • Location:Florida
  • Local time:10:52 PM

Posted 18 March 2009 - 11:43 AM

Hello Ipbleepa :thumbup2: Welcome to the BC HijackThis Log and Analysis forum. I will be assisting you in the cleanup of your system.

I ask that you refrain from running tools other than those we suggest to you while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.

In the upper right hand corner of the topic you will see a button called Options. If you click on this in the drop-down menu you can choose Track this topic. By doing this and then choosing Immediate E-Mail notification and then clicking on Proceed you will be advised when we respond the your topic and facilitate the cleaning of your machine.

After 5 days if a topic is not replied to we assume it has been abandoned and it is closed.

Please perform the following:

Do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under select a target to scan:Select My Computer
  • This will program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.

  • Download random's system information tool (RSIT) by random/random from here and save it to your desktop.
  • Double click on RSIT.exe to run RSIT.
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open. Please post the contents of both log.txt (<<will be maximized) and info.txt (<<will be minimized)

When completed please both both logs fromRSIT as well as the one from Kaspersky.


If I have helped you then please consider donating so I can continue the fight against malware Posted Image
All donations go directly to the helper

Posted Image

Due to the large amount of backlogs we have I cannot respond to PMs for help unless I am already working with you

#3 thewall


  • Malware Response Team
  • 6,425 posts
  • Gender:Male
  • Location:Florida
  • Local time:10:52 PM

Posted 22 March 2009 - 01:14 PM

:thumbup2: Just a reminder if this topic is not replied to shortly we will be closing it.
If I have helped you then please consider donating so I can continue the fight against malware Posted Image
All donations go directly to the helper

Posted Image

Due to the large amount of backlogs we have I cannot respond to PMs for help unless I am already working with you

#4 Ipshita

  • Topic Starter

  • Members
  • 2 posts
  • Gender:Female
  • Location:connecticut, US
  • Local time:09:52 PM

Posted 24 March 2009 - 08:22 AM

Hi Mr Wall,

thanks a tonne for the update.

I am sorry it took so long. Saw your previous reply and felt content that solution was here, only application of the solution was left. Which is done. now :)

Everything is squeaky clean. My computer works like a dream!

kudos and heartfelt thanks yet agaiin,

IPbleepA :thumbup2:

#5 thewall


  • Malware Response Team
  • 6,425 posts
  • Gender:Male
  • Location:Florida
  • Local time:10:52 PM

Posted 24 March 2009 - 10:00 AM

That's good news. :thumbup2: Thanks for letting me know. Glad you got everything cleared up and good luck to you in the future.
If I have helped you then please consider donating so I can continue the fight against malware Posted Image
All donations go directly to the helper

Posted Image

Due to the large amount of backlogs we have I cannot respond to PMs for help unless I am already working with you

#6 Baabiouz


    Finnish Malware Fighter

  • Members
  • 3,355 posts
  • Gender:Male
  • Location:Finland
  • Local time:05:52 AM

Posted 24 March 2009 - 11:40 AM

This thread will now be closed.
If you need this topic reopened, please contact me.

This applies only to the original topic starter.
Everyone else please begin a New Topic.
Posted Image

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users