w32 virus help! w/dds and hjt logs


This topic is locked.
2 replies to this topic

#1 mikeflavaz (Members, 10 posts)

Posted 22 March 2009 - 06:34 PM

I have battled off some pretty ugly viruses in my time but nothing ever like this one. I have an XP Office Professional PC which is built as a turn-key audio production/recording PC. I have been infected by Win32, maybe something else, and contracted it from either Facebook or a corrupted email. Here are my problems:

-I can only use Internet Explorer. I can install Mozilla or even Netscape, but they will not run, and when I do click to run these browsers, the process cannot be ended.

-I cannot use Windows Media Player. When I click to play a file, it boots up as if I am installing it, but when I click Finish to install, it simply starts over again.

-I cannot download anything from the internet, not an update, antivirus, mp3, anything. The download window opens and after sitting there for a minute it states, "Internet Explorer was not able to open this internet site. The requested site is either unavailable or cannot be found. Please try again later."

-Cannot save any system or internet settings. When I try to save any settings in Internet Options for IE, it just resets after I apply, close and reopen. Another example is when I go to System Properties > Advanced > Performance: I can change those settings, but when I apply, close and reopen, they are back to the original settings. When I use Ventrilo, which is online communication software, my password never saves; after I type it in and log in then out, it says, "unable to create system registry key to save data." In certain software I use, I have to reconfigure settings every time I run the software. Nothing saves.

-Recycle Bin is on my desktop but doesn't work or open. When I click Properties it says "the process for this utility is not available."

-There is no Recovery Console in my XP anymore.

My assumptions are that there is seriously something wrong with my registry as well as other things. I do not believe I can update/change my registry. I also think there is something wrong with either reading digital signatures, with my current PC's digital authentication signature, or both.

The problems I've fixed are: my PC was unable to retrieve an IP address, so I uninstalled my driver and reset my IP settings using cmd. Within a day of doing that, I had a serious corruption error with iertutil.dll and was not able to start up explorer.exe. I ran a repair from my XP disc and was able to log back on, use programs (for the most part) and use Internet Explorer. Every problem above is still at hand. I am out of ideas and answers. If someone could please help, that would be greatly appreciated. I ran ComboFix a few times. The first time I ran it, it removed a crap load of tmp.dll files from system32 as well as other harmful files. I ran it again today and it removed another tmp.dll file, so the dropper is still in my system. My ComboFix will not save logs. Here is a HijackThis log however:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:27:18 AM, on 3/23/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\COMODO\Firewall\cmdagent.exe
C:\WINDOWS\system32\crypserv.exe
C:\Program Files\Digidesign\Drivers\MMERefresh.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Gears Helper - {E0FEFE40-FBF9-42AE-BA58-794CA7E3FB53} - (no file)
O4 - HKLM\..\Run: [DeltTray] DeltTray.exe
O4 - HKLM\..\Run: [TrueImageMonitor.exe] C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
O4 - HKLM\..\Run: [AcronisTimounterMonitor] C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
O4 - HKLM\..\Run: [DigidesignMMERefresh] C:\Program Files\Digidesign\Drivers\MMERefresh.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SRFirstRun] rundll32 srclient.dll,CreateFirstRunRp
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [M-Audio Taskbar Icon] C:\WINDOWS\System32\M-AudioTaskBarIcon.exe
O4 - HKLM\..\Run: [combofix] C:\WINDOWS\system32\CF23474.exe /c C:\ComboFix\Combobatch.bat
O4 - HKLM\..\RunOnce: [combofix] C:\WINDOWS\system32\CF23474.exe /c C:\ComboFix\Combobatch.bat
O4 - HKUS\S-1-5-18\..\Run: [Java S1] \\?\globalroot\systemroot\system32\mschr.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Java S1] \\?\globalroot\systemroot\system32\mschr.exe (User 'Default user')
O9 - Extra button: (no name) - {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: &Gears Settings - {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - ProtocolDefaults: '@ivt' protocol is in My Computer Zone, should be Intranet Zone
O15 - ProtocolDefaults: 'file' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'ftp' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'https' protocol is in My Computer Zone, should be Internet Zone
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} - https://www-secure.symantec.com/techsupp/as...abs/tgctlsr.cab
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1208457209359
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O20 - Winlogon Notify: fcccaaay - fcccaaay.dll (file missing)
O20 - Winlogon Notify: khfEVOgG - khfEVOgG.dll (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: COMODO Firewall Pro Helper Service (cmdAgent) - Unknown owner - C:\Program Files\COMODO\Firewall\cmdagent.exe
O23 - Service: Crypkey License - CrypKey (Canada) Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe
O23 - Service: Digidesign MME Refresh Service (DigiRefresh) - Digidesign, A Division of Avid Technology, Inc. - C:\Program Files\Digidesign\Drivers\MMERefresh.exe


DDS.TXT LOG:

DDS (Ver_09-03-16.01) - NTFSx86
Run by Workstation 06 at 7:21:09.73 on Mon 03/23/2009
Internet Explorer: 6.0.2900.2180

============== Pseudo HJT Report ===============

BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - No File
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Google Gears Helper: {e0fefe40-fbf9-42ae-ba58-794ca7e3fb53} - Google Gears Helper
mRun: [DeltTray] DeltTray.exe
mRun: [TrueImageMonitor.exe] c:\program files\acronis\trueimagehome\TrueImageMonitor.exe
mRun: [AcronisTimounterMonitor] c:\program files\acronis\trueimagehome\TimounterMonitor.exe
mRun: [DigidesignMMERefresh] c:\program files\digidesign\drivers\MMERefresh.exe
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
mRun: [SRFirstRun] rundll32 srclient.dll,CreateFirstRunRp
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [M-Audio Taskbar Icon] c:\windows\system32\M-AudioTaskBarIcon.exe
mRun: [combofix] c:\windows\system32\cf9969.exe /c c:\combofix\Combobatch.bat
mRunOnce: [combofix] c:\windows\system32\cf9969.exe /c c:\combofix\Combobatch.bat
dRun: [Java S1] \\?\globalroot\systemroot\system32\mschr.exe
dPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - {0B4350D1-055F-47A3-B112-5F2F2B0D6F08}
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {00000055-9980-0010-8000-00AA00389B71} - hxxp://codecs.microsoft.com/codecs/i386/fhg.CAB
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/8/b/d/8bd77752-5704-4d68-a152-f7252adaa4f2/LegitCheckControl.cab
DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} - hxxps://www-secure.symantec.com/techsupp/asa/ss/sa/sa_cabs/tgctlsr.cab
DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} - hxxps://webdl.symantec.com/activex/symdlmgr.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1208457209359
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Notify: fcccaaay - fcccaaay.dll
Notify: igfxcui - igfxdev.dll
Notify: khfEVOgG - khfEVOgG.dll
LSA: Authentication Packages = msv1_0 relog_ap

============= SERVICES / DRIVERS ===============


=============== Created Last 30 ================

2009-03-23 02:15 32 a------- c:\windows\system32\msvcsv60.dll
2009-03-23 02:00 388,608 a------- c:\windows\system32\CF9969.exe
2009-03-23 02:00 <DIR> --d----- C:\ComboFix
2009-03-23 01:59 388,608 a------- c:\windows\system32\CF9774.exe
2009-03-23 00:21 388,608 a------- c:\windows\system32\CF23474.exe
2009-03-22 00:42 2,804,224 a------- c:\windows\system32\msi.dll
2009-03-22 00:42 2,804,224 a------- c:\windows\system32\dllcache\msi.dll
2009-03-22 00:42 884,736 a------- c:\windows\system32\msimsg.dll
2009-03-22 00:42 884,736 a------- c:\windows\system32\dllcache\msimsg.dll
2009-03-22 00:42 331,264 a------- c:\windows\system32\msihnd.dll
2009-03-22 00:42 331,264 a------- c:\windows\system32\dllcache\msihnd.dll
2009-03-22 00:42 77,312 a------- c:\windows\system32\msiexec.exe
2009-03-22 00:42 77,312 a------- c:\windows\system32\dllcache\msiexec.exe
2009-03-22 00:42 44,032 a------- c:\windows\system32\msisip.dll
2009-03-22 00:42 44,032 a------- c:\windows\system32\dllcache\msisip.dll
2009-03-22 00:26 161,792 a------- c:\windows\SWREG.exe
2009-03-22 00:26 98,816 a------- c:\windows\sed.exe
2009-03-20 17:24 <DIR> --d----- c:\program files\Netscape
2009-03-20 17:23 1,122,304 a------- c:\windows\system32\deltapnl.exe
2009-03-20 17:23 302,336 a------- c:\windows\system32\drivers\delta.sys
2009-03-20 17:23 154,112 a------- c:\windows\system32\M-AudioTaskBarIcon.exe
2009-03-20 17:23 46,592 a------- c:\windows\system32\deltapnl.dll
2009-03-20 17:23 22,528 a------- c:\windows\system32\deltasio.dll
2009-03-20 17:23 19,456 a------- c:\windows\system32\DeltaCPL.cpl
2009-03-20 17:23 <DIR> --d----- c:\program files\M-Audio
2009-03-20 17:23 2,502,633 a------- c:\windows\system32\pcifmdio.dll
2009-03-20 16:59 172,032 a------- c:\windows\system32\igfxres.dll
2009-03-20 15:23 249,856 a------- c:\windows\system32\igfxsrvc.exe
2009-03-20 15:23 176,128 a------- c:\windows\system32\igfxrsky.lrc
2009-03-20 15:23 172,032 a------- c:\windows\system32\igfxrslv.lrc
2009-03-20 15:23 147,456 a------- c:\windows\system32\igfxCoIn_v4926.dll
2009-03-20 15:23 <DIR> --d----- C:\Intel
2009-03-20 15:23 272,128 -c------ c:\windows\system32\dllcache\bthport.sys
2009-03-20 15:22 2,180,352 -c------ c:\windows\system32\dllcache\ntoskrnl.exe
2009-03-20 15:22 2,136,064 -c------ c:\windows\system32\dllcache\ntkrnlmp.exe
2009-03-20 15:22 2,057,728 -c------ c:\windows\system32\dllcache\ntkrnlpa.exe
2009-03-20 15:22 2,015,744 -c------ c:\windows\system32\dllcache\ntkrpamp.exe
2009-03-20 15:22 453,632 -c------ c:\windows\system32\dllcache\mrxsmb.sys
2009-03-20 15:20 13,646 a------- c:\windows\system32\wpa.bak
2009-03-20 15:13 79,872 ac------ c:\windows\system32\dllcache\rwia330.dll
2009-03-20 15:12 307,257 ac------ c:\windows\system32\dllcache\imjpdct.exe
2009-03-20 15:11 82,172 ac------ c:\windows\system32\dllcache\bopomofo.nls
2009-03-20 15:09 488 a---hr-- c:\windows\system32\logonui.exe.manifest
2009-03-20 15:09 749 a---hr-- c:\windows\WindowsShell.Manifest
2009-03-20 15:09 749 a---hr-- c:\windows\system32\wuaucpl.cpl.manifest
2009-03-20 15:09 749 a---hr-- c:\windows\system32\sapi.cpl.manifest
2009-03-20 15:09 749 a---hr-- c:\windows\system32\nwc.cpl.manifest
2009-03-20 15:09 749 a---hr-- c:\windows\system32\ncpa.cpl.manifest
2009-03-20 14:56 13,753 a----r-- c:\windows\SET57.tmp
2009-03-20 14:56 1,086,058 a----r-- c:\windows\SET4B.tmp
2009-03-20 14:56 1,042,903 a----r-- c:\windows\SET48.tmp
2009-03-19 17:41 141,702 ac------ c:\windows\system32\dllcache\netfx.cat
2009-03-19 04:31 44,304 a------- c:\windows\setupapi.old
2009-03-19 03:04 143,104 a------- c:\windows\system32\guard32.dll
2009-03-19 03:04 87,056 a------- c:\windows\system32\drivers\cmdguard.sys
2009-03-19 03:04 24,208 a------- c:\windows\system32\drivers\cmdhlp.sys
2009-03-19 03:04 <DIR> --d----- c:\docume~1\alluse~1\applic~1\comodo
2009-03-19 02:26 <DIR> --d----- C:\35b9c94d7e15af7db5976766ce0b
2009-03-19 02:07 18,432 ac------ c:\windows\system32\dllcache\iedw.exe
2009-03-19 02:04 10,240 a------- c:\windows\system32\drivers\sffp_mmc.sys
2009-03-15 18:09 <DIR> --d----- c:\program files\common files\Softwin
2009-03-15 10:13 <DIR> --d----- c:\docume~1\workst~1\applic~1\Comodo
2009-03-15 10:13 <DIR> --d----- c:\program files\COMODO
2009-03-15 09:45 <DIR> --d----- c:\docume~1\workst~1\applic~1\AVGTOOLBAR
2009-03-14 13:47 <DIR> --d----- c:\windows\Desktop

==================== Find3M ====================

2009-03-20 15:07 23,348 ac------ c:\windows\system32\emptyregdb.dat
2009-03-18 20:07 219,368 a------- c:\windows\pchealth\helpctr\config\cache\Professional_32_1033.dat
2009-02-09 05:19 1,846,272 a------- c:\windows\system32\win32k.sys
2008-09-03 17:55 56,912 a------- c:\documents and settings\workstation 06\g2mdlhlpx.exe

============= FINISH: 7:21:36.53 ===============
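A small defender-side triage script, added here as an example and not part of this thread, of HijackThis or of DDS. It runs the checks a malware-response helper would apply by eye to the logs above: the `O4` Run entry launched through a `\\?\globalroot` device path, the two `O20` Winlogon Notify packages whose DLLs are missing, the `O15` protocol-zone changes, the orphaned `O2` BHO, the missing URLSearchHook, and the non-default package in the DDS `LSA: Authentication Packages` line. The names `triage`, `summarize`, `Finding` and `SAMPLE_LOG` are this example's own; `SAMPLE_LOG` is a constructed subset of lines copied from the posted logs plus two benign entries to show what is not flagged.

```python
import re
from dataclasses import dataclass

# Constructed sample: lines copied from the HijackThis and DDS logs posted
# above, plus two benign entries (avast!, Spybot) to show what is NOT flagged.
SAMPLE_LOG = r"""
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKUS\S-1-5-18\..\Run: [Java S1] \\?\globalroot\systemroot\system32\mschr.exe (User 'SYSTEM')
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone
O20 - Winlogon Notify: fcccaaay - fcccaaay.dll (file missing)
O20 - Winlogon Notify: khfEVOgG - khfEVOgG.dll (file missing)
LSA: Authentication Packages = msv1_0 relog_ap
"""


@dataclass
class Finding:
    severity: str   # "high", "medium" or "info"
    line: str       # the log line that triggered the finding
    reason: str     # why a reviewer should look at it


# \\?\globalroot\... is the raw NT object-manager namespace; ordinary Run
# entries use drive-letter paths, so this form deserves a close look.
GLOBALROOT = re.compile(r"\\\\\?\\globalroot\\", re.IGNORECASE)

# Only msv1_0 is registered by default on a Windows XP box.
DEFAULT_LSA_PACKAGES = {"msv1_0"}


def triage(log_text: str) -> list[Finding]:
    """Apply heuristic checks to HijackThis/DDS style log lines."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("O4 ") and GLOBALROOT.search(line):
            findings.append(Finding("high", line,
                "autorun entry launched through the \\\\?\\globalroot device path, "
                "a raw NT namespace path that normal Run entries never use"))
        elif line.startswith("O20 ") and line.endswith("(file missing)"):
            findings.append(Finding("medium", line,
                "Winlogon Notify package whose DLL is gone: orphaned persistence, remove the key"))
        elif line.startswith("O15 ") and "should be" in line:
            findings.append(Finding("medium", line,
                "protocol moved into the My Computer zone, which relaxes IE security for it"))
        elif line.startswith("LSA: Authentication Packages"):
            packages = line.split("=", 1)[1].split()
            extra = [p for p in packages if p.lower() not in DEFAULT_LSA_PACKAGES]
            if extra:
                findings.append(Finding("medium", line,
                    f"non-default LSA authentication package(s) {extra}: verify the DLL"))
        elif line.startswith("O2 ") and line.endswith("(no file)"):
            findings.append(Finding("info", line,
                "BHO registration with no backing file: leftover to clean up"))
        elif line.startswith("R3 ") and "missing" in line:
            findings.append(Finding("info", line,
                "default URLSearchHook missing: IE settings have been altered"))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per severity so a helper can prioritise what to handle first."""
    counts = {"high": 0, "medium": 0, "info": 0}
    for f in findings:
        counts[f.severity] += 1
    return counts


if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for f in results:
        print(f"[{f.severity:6}] {f.line}\n         -> {f.reason}")
    print(summarize(results))
```

Run it as a script and it prints one line per finding followed by the severity counts; the avast! and Spybot entries pass through untouched, which is the point of keeping benign lines in the sample. The checks are string heuristics on the log format, not a verdict on the files themselves: a `high` finding says "look at this first", and confirming what `mschr.exe` or `relog_ap` actually are still requires examining the file on disk.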


#2 mikeflavaz (Topic Starter, Members, 10 posts)

Posted 25 March 2009 - 03:07 PM

close topic please

#3 teacup61, Bleepin' Texan! (Malware Response Team, 17,075 posts, Wills Point, Texas)

Posted 29 March 2009 - 07:16 PM

Since this issue appears resolved ... this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!



Error reading poptart in Drive A: Delete kids y/n?



