
Trojan.Agent is on me


  • This topic is locked
2 replies to this topic

#1 Tharan-Marc

  • Members
  • 1 posts

Posted 26 March 2009 - 05:27 AM

Hello,
I have a problem and quite a story. Yesterday I had the Trojan.Agent virus found with MAB and could not remove it. I downloaded Combofix and the disaster was going on; it couldn't do the job, my system was not allowed to reboot and it went badly further: desktop cleaned up, not allowed to restart after reboot, etc., etc. Finally I got it system-restored in safe mode and it was running again; scanned with MAB, it found some files infected and was not able to remove them. I downloaded SmitfraudFix and ran it in safe mode and normal mode, I guess with no success; I will post the file below. After that I ran MAB again in safe mode and was able to put the virus in quarantine and removed it later. Ran MAB again and it shows all is clean. But I do not believe it, something is fishy here: my IE starts with a different site, and if I want to ping my connection it says:
windows\system32\ping.exe is not a valid win32 application
Either something is still not ok or something has gone wrong, please help me. Here are the different log files:
1) MAB with virus

Malwarebytes' Anti-Malware 1.34
Database version: 1894
Windows 5.1.2600 Service Pack 2

3/25/2009 7:20:21 PM
mbam-log-2009-03-25 (19-20-16).txt

Scan type: Quick Scan
Objects scanned: 61486
Time elapsed: 1 minute(s), 39 second(s)

Memory Processes Infected: 2
Memory Modules Infected: 0
Registry Keys Infected: 4
Registry Values Infected: 2
Registry Data Items Infected: 3
Folders Infected: 0
Files Infected: 8

Memory Processes Infected:
C:\WINDOWS\system32\reader_s.exe (Trojan.Agent) -> No action taken.
C:\WINDOWS\temp\BN7.tmp (Trojan.Agent) -> No action taken.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\restore (Rootkit.Agent) -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Protect (Rootkit.Agent) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\AGprotect (Malware.Trace) -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\protect (Rootkit.Agent) -> No action taken.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\reader_s (Trojan.Agent) -> No action taken.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\reader_s (Trojan.Agent) -> No action taken.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: c:\windows\system32\c++.exe -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: system32\c++.exe -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.UserInit) -> Bad: (C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\c++.exe,) Good: (userinit.exe) -> No action taken.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\c++.exe (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\reader_s.exe (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\3.tmp (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\6.tmp (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\5.tmp (Trojan.Agent) -> No action taken.
C:\Documents and Settings\Sys\reader_s.exe (Trojan.Agent) -> No action taken.
C:\WINDOWS\temp\BN7.tmp (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\drivers\protect.sys (Rootkit.Agent) -> No action taken.

2.) Smitfraudfix

SmitFraudFix v2.405

Scan done at 7:07:16.70, Thu 03/26/2009
Run from C:\Documents and Settings\Sys\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is FAT32
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\userinit.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Nokia\Nokia PC Suite 7\PCSuite.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\Program Files\PC Connectivity Solution\Transports\NclUSBSrv.exe
C:\Program Files\PC Connectivity Solution\Transports\NclRSSrv.exe
C:\Documents and Settings\Sys\Desktop\SmitfraudFix\Policies.exe
C:\WINDOWS\system32\cmd.exe

»»»»»»»»»»»»»»»»»»»»»»»» hosts


»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Sys


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\Sys\LOCALS~1\Temp


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Sys\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\SYS\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components



»»»»»»»»»»»»»»»»»»»»»»»» o4Patch
!!!Attention, following keys are not inevitably infected!!!

o4Patch
Credits: Malware Analysis & Diagnostic
Code: S!Ri



»»»»»»»»»»»»»»»»»»»»»»»» IEDFix
!!!Attention, following keys are not inevitably infected!!!

IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri



»»»»»»»»»»»»»»»»»»»»»»»» Agent.OMZ.Fix
!!!Attention, following keys are not inevitably infected!!!

Agent.OMZ.Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» VACFix
!!!Attention, following keys are not inevitably infected!!!

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» 404Fix
!!!Attention, following keys are not inevitably infected!!!

404Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""
"LoadAppInit_DLLs"=dword:00000001


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"
"DefaultDomainName"="SYSTEM"
"System"=""
"AltDefaultDomainName"="SYSTEM"


»»»»»»»»»»»»»»»»»»»»»»»» RK



»»»»»»»»»»»»»»»»»»»»»»»» DNS

Description: Realtek RTL8168/8111 PCI-E Gigabit Ethernet NIC - Packet Scheduler Miniport
DNS Server Search Order: 208.67.222.222
DNS Server Search Order: 208.67.220.220

HKLM\SYSTEM\CCS\Services\Tcpip\..\{0A00BE83-DA9A-466D-A3BC-0F3D6F9C6F75}: NameServer=208.67.222.222,208.67.220.220
HKLM\SYSTEM\CS1\Services\Tcpip\..\{0A00BE83-DA9A-466D-A3BC-0F3D6F9C6F75}: NameServer=208.67.222.222,208.67.220.220
HKLM\SYSTEM\CS2\Services\Tcpip\..\{0A00BE83-DA9A-466D-A3BC-0F3D6F9C6F75}: NameServer=208.67.222.222,208.67.220.220


»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End


3.) MAB without virus

Malwarebytes' Anti-Malware 1.34
Database version: 1898
Windows 5.1.2600 Service Pack 2

3/26/2009 7:24:37 AM
mbam-log-2009-03-26 (07-24-37).txt

Scan type: Quick Scan
Objects scanned: 65193
Time elapsed: 1 minute(s), 22 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


4.) DDS


DDS (Ver_09-03-16.01) - FAT32x86
Run by Sys at 7:25:56.42 on Thu 03/26/2009
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1015.586 [GMT 5.5:30]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
SVCHOST.EXE
C:\WINDOWS\System32\svchost.exe -k netsvcs
SVCHOST.EXE
SVCHOST.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Nokia\Nokia PC Suite 7\PCSuite.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\Program Files\PC Connectivity Solution\Transports\NclUSBSrv.exe
C:\Program Files\PC Connectivity Solution\Transports\NclRSSrv.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Sys\Desktop\dds.scr

============== Pseudo HJT Report ===============

BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: FGCatchUrl: {2f364306-aa45-47b5-9f9d-39a8b94e7ef7} - f:\local disk c gigabyte\program files\flashget\jccatch.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [PC Suite Tray] "c:\program files\nokia\nokia pc suite 7\PCSuite.exe" -onlytray
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
IE: &Download All with FlashGet - f:\local disk c gigabyte\program files\flashget\jc_all.htm
IE: &Download with FlashGet - f:\local disk c gigabyte\program files\flashget\jc_link.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
TCP: {0A00BE83-DA9A-466D-A3BC-0F3D6F9C6F75} = 208.67.222.222,208.67.220.220
Notify: igfxcui - igfxdev.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\sys\applic~1\mozilla\firefox\profiles\1uk2ovhl.default\
FF - prefs.js: browser.startup.homepage - www.rediffmail.com
FF - component: c:\program files\nokia\nokia pc suite 7\bkmrksync\components\BkMrkExt.dll

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
============= SERVICES / DRIVERS ===============

S3 SetupNTGLM7X;SetupNTGLM7X;\??\g:\ntglm7x.sys --> g:\NTGLM7X.sys [?]

=============== Created Last 30 ================

2009-03-25 23:39 1,630 a------- c:\windows\system32\tmp.reg
2009-03-25 22:00 <DIR> --dsh--- C:\FOUND.004
2009-03-25 19:34 <DIR> --d----- c:\program files\Trend Micro
2009-03-25 18:08 <DIR> --dsh--- C:\FOUND.003
2009-03-25 15:52 <DIR> --dsh--- C:\FOUND.002
2009-03-25 12:41 1,990 a------- c:\windows\system32\65.tmp
2009-03-25 12:40 71,680 a------- c:\windows\system32\5F.tmp
2009-03-25 12:40 28,672 a------- c:\windows\system32\5E.tmp
2009-03-25 12:39 124 a------- c:\windows\system32\5B.tmp
2009-03-18 17:24 <DIR> --d----- c:\program files\HTML-Kit
2009-03-18 17:17 <DIR> --d----- c:\program files\Chami
2009-03-18 16:39 <DIR> --d----- c:\docume~1\sys\applic~1\FreshHTML
2009-03-17 16:40 7,168 a--sh--- c:\windows\Thumbs.db
2009-03-17 16:40 31 a------- c:\windows\system32\Days5.ini
2009-03-17 16:40 <DIR> --d----- c:\program files\Picture Resize Genius
2009-03-17 16:19 <DIR> --d----- c:\windows\Downloaded Installations
2009-03-17 14:34 <DIR> --d----- c:\program files\common files\PCSuite
2009-03-17 14:34 <DIR> --d----- c:\program files\common files\Nokia
2009-03-17 14:34 18,816 a------- c:\windows\system32\drivers\pccsmcfd.sys
2009-03-17 14:34 <DIR> --d----- c:\program files\PC Connectivity Solution
2009-03-17 14:33 91,136 a------- c:\windows\system32\nmwcdcls.dll
2009-03-17 14:33 <DIR> --d----- c:\program files\Nokia
2009-03-11 21:44 <DIR> --d----- c:\docume~1\sys\applic~1\Malwarebytes
2009-03-11 21:44 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-03-11 21:44 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-03-11 21:44 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-03-11 21:44 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-03-05 10:26 <DIR> --dsh--- C:\FOUND.001
2009-03-04 11:02 124,688 a------- c:\windows\system32\MSWINSCK.OCX
2009-03-04 11:02 10,752 a------- c:\windows\system32\aamd532.dll
2009-03-04 08:22 <DIR> --dsh--- C:\FOUND.000
2009-03-02 19:18 <DIR> --d----- c:\windows\system32\Logfiles
2009-03-02 19:18 <DIR> --d----- C:\Inetpub
2009-03-01 22:02 <DIR> --d----- c:\program files\Free WMA MP3 Converter
2009-03-01 21:03 <DIR> --d----- c:\program files\CCleaner
2009-03-01 20:17 <DIR> --d----- c:\program files\Audacity
2009-02-25 19:12 <DIR> --ds---- c:\documents and settings\sys\UserData

==================== Find3M ====================

2009-03-25 12:40 182,912 a------- c:\windows\system32\drivers\ndis.sys
2009-03-25 12:40 182,912 a------- c:\windows\system32\dllcache\ndis.sys
2009-02-16 16:57 86,327 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2009-02-15 16:58 106,253 a------- c:\windows\hpoins07.dat
2009-02-15 16:26 16,608 a------- c:\windows\gdrv.sys
2009-02-15 16:16 155,995 a------- c:\windows\java\packages\S73RDZ1N.ZIP
2009-02-15 16:16 2,232 a------- c:\windows\java\packages\data\1RN3DN93.DAT
2009-02-15 16:16 2,678 a------- c:\windows\java\packages\data\CGVB71RR.DAT
2009-02-15 16:16 2,678 a------- c:\windows\java\packages\data\VD3BDN17.DAT
2009-02-15 16:16 2,678 a------- c:\windows\java\packages\data\J3TVJJJJ.DAT
2009-02-15 16:16 2,678 a------- c:\windows\java\packages\data\8PZJDBN5.DAT
2009-02-15 16:16 2,678 a------- c:\windows\java\packages\data\1B33HFPF.DAT
2009-02-15 15:47 21,640 a------- c:\windows\system32\emptyregdb.dat

============= FINISH: 7:26:05.82 ===============


5.) DDS attach


UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-03-16.01)

Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 2/15/2009 3:54:20 PM
System Uptime: 3/26/2009 7:06:31 AM (0 hours ago)

Motherboard: Gigabyte Technology Co., Ltd. | | 945GCM-S2L
Processor: Intel® Pentium® D CPU 3.00GHz | Socket 775 | 3000/200mhz
Processor: Intel® Pentium® D CPU 3.00GHz | Socket 775 | 3000/200mhz

==== Disk Partitions =========================

A: is Removable
C: is FIXED (FAT32) - 19 GiB total, 11.225 GiB free.
D: is FIXED (NTFS) - 19 GiB total, 18.265 GiB free.
E: is FIXED (NTFS) - 19 GiB total, 18.146 GiB free.
F: is FIXED (NTFS) - 19 GiB total, 7.083 GiB free.
G: is CDROM ()

==== Disabled Device Manager Items =============

==== System Restore Points ===================

RP1: 2/15/2009 3:56:37 PM - System Checkpoint
RP2: 2/15/2009 4:02:55 PM - Installed Realtek High Definition Audio Driver
RP3: 2/15/2009 4:03:21 PM - Installed Windows XP KB888111WXPSP2.
RP4: 2/15/2009 4:10:31 PM - Installed Microsoft Office Professional Edition 2003
RP5: 2/15/2009 4:28:08 PM - Installed REALTEK GbE & FE Ethernet PCI-E NIC Driver
RP6: 2/15/2009 4:34:30 PM - Installed Adobe Reader 8.1.1
RP7: 2/15/2009 5:21:00 PM - Installed AVG Free 8.0
RP8: 2/16/2009 6:18:03 PM - System Checkpoint
RP9: 2/17/2009 8:48:58 AM - Avg8 Update
RP10: 2/17/2009 8:56:06 AM - Avg8 Update
RP11: 2/18/2009 7:11:00 AM - Avg8 Update
RP12: 2/18/2009 7:53:00 AM - Installed SmartFTP Client
RP13: 2/19/2009 10:57:01 AM - System Checkpoint
RP14: 2/20/2009 12:41:16 PM - System Checkpoint
RP15: 2/24/2009 5:51:50 AM - System Checkpoint
RP16: 2/25/2009 6:35:03 AM - System Checkpoint
RP17: 2/26/2009 9:32:31 AM - System Checkpoint
RP18: 2/28/2009 2:51:37 PM - System Checkpoint
RP19: 3/1/2009 4:35:39 PM - System Checkpoint
RP20: 3/2/2009 5:42:23 PM - System Checkpoint
RP21: 3/2/2009 6:15:08 PM - Removed Adobe Reader 8.1.1
RP22: 3/3/2009 6:28:24 PM - System Checkpoint
RP23: 3/5/2009 8:45:48 AM - System Checkpoint
RP24: 3/5/2009 10:28:55 AM - Avg8 Update
RP25: 3/10/2009 11:20:04 AM - System Checkpoint
RP26: 3/11/2009 8:48:27 PM - System Checkpoint
RP27: 3/11/2009 9:42:36 PM - Removed AVG 8.0
RP28: 3/11/2009 9:43:09 PM - Installed AVG 8.0
RP29: 3/12/2009 9:48:42 PM - System Checkpoint
RP30: 3/13/2009 9:50:40 PM - System Checkpoint
RP31: 3/14/2009 10:26:40 PM - System Checkpoint
RP32: 3/15/2009 9:16:38 AM - Installed Windows Media Player Firefox Plugin
RP33: 3/16/2009 12:55:27 PM - System Checkpoint
RP34: 3/17/2009 1:38:35 PM - System Checkpoint
RP35: 3/17/2009 4:19:53 PM - Installed Image Resizer Powertoy for Windows XP
RP36: 3/17/2009 4:22:58 PM - Installed Calculator Powertoy for Windows XP
RP37: 3/18/2009 5:27:20 PM - Removed Calculator Powertoy for Windows XP
RP38: 3/18/2009 5:27:43 PM - Removed Image Resizer Powertoy for Windows XP
RP39: 3/18/2009 5:27:59 PM - Removed Nokia Connectivity Cable Driver
RP40: 3/19/2009 6:56:35 PM - System Checkpoint
RP41: 3/23/2009 11:59:48 AM - System Checkpoint
RP42: 3/24/2009 12:09:56 PM - System Checkpoint
RP43: 3/25/2009 12:21:06 PM - System Checkpoint
RP44: 3/25/2009 6:24:31 PM - ComboFix created restore point
RP45: 3/25/2009 10:46:09 PM - Restore Operation

==== Installed Programs ======================

Adobe Flash Player 10 Plugin
Adobe Reader 8.1.3
AiO_Scan
ALZip
Audacity 1.2.6
Cablenut 4.08
CCleaner (remove only)
Enterprise
High Definition Audio Driver Package - KB888111
HijackThis 2.0.2
HP PSC & Officejet 5.3.B Corporate Edition
HTML-Kit
Intel® Graphics Media Accelerator Driver
Malwarebytes' Anti-Malware
Microsoft Office Professional Edition 2003
Microsoft Visual C++ 2005 Redistributable
Mozilla Firefox (3.0.7)
MSVC80_x86
Nero 6 Ultra Edition
Nokia PC Suite
PC Connectivity Solution
Picture Resize Genius 2.9.4
PowerDVD
QFolder
REALTEK GbE & FE Ethernet PCI-E NIC Driver
Realtek High Definition Audio Driver
Scan
SmartFTP Client
Total Video Converter 3.02
VideoLAN VLC media player 0.8.6d
WebFldrs XP
Windows Media Player Firefox Plugin
WinRAR archiver

==== Event Viewer Messages From Past Week ========

3/25/2009 12:45:35 PM, error: Service Control Manager [7034] - The Service Eset service terminated unexpectedly. It has done this 1 time(s).
3/25/2009 3:27:00 PM, error: System Error [1003] - Error code 100000d1, parameter1 00000000, parameter2 00000002, parameter3 00000000, parameter4 aac2a49e.
3/25/2009 3:42:27 PM, error: W32Time [17] - Time Provider NtpClient: An error occurred during DNS lookup of the manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 15 minutes. The error was: A socket operation was attempted to an unreachable host. (0x80072751)
3/25/2009 3:44:53 PM, error: Service Control Manager [7034] - The afisicx Service service terminated unexpectedly. It has done this 1 time(s).
3/25/2009 3:44:53 PM, error: Service Control Manager [7034] - The sopidkc Service service terminated unexpectedly. It has done this 1 time(s).
3/25/2009 3:44:53 PM, error: Service Control Manager [7034] - The tdctxte Service service terminated unexpectedly. It has done this 1 time(s).
3/25/2009 9:46:05 PM, error: Srv [2019] - The server was unable to allocate from the system nonpaged pool because the pool was empty.
3/25/2009 10:01:21 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service netman with arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}
3/25/2009 10:01:23 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
3/25/2009 10:01:30 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service StiSvc with arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}
3/25/2009 10:01:43 PM, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: A device attached to the system is not functioning.
3/25/2009 10:01:43 PM, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
3/25/2009 10:01:43 PM, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD service which failed to start because of the following error: A device attached to the system is not functioning.
3/25/2009 10:01:43 PM, error: Service Control Manager [7001] - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: A device attached to the system is not functioning.
3/25/2009 10:01:43 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD Fips intelppm IPSec MRxSmb NetBIOS NetBT RasAcd Rdbss Tcpip
3/25/2009 10:10:41 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service netman with arguments "" in order to run the server: {BA126AD1-2166-11D1-B1D0-00805FC1270E}
3/25/2009 10:11:32 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service MSIServer with arguments "" in order to run the server: {000C101C-0000-0000-C000-000000000046}
3/25/2009 10:31:05 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: Fips intelppm
3/25/2009 10:45:04 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service MDM with arguments "" in order to run the server: {0C0A3666-30C9-11D0-8F20-00805F2CD064}

==== End Of File ===========================

6.) Rootblog

Service Pack 2 3 26 2009 07:38:15.375
Loaded driver \WINDOWS\system32\ntkrnlpa.exe
Loaded driver \WINDOWS\system32\hal.dll
Loaded driver \WINDOWS\system32\KDCOM.DLL
Loaded driver \WINDOWS\system32\BOOTVID.dll
Loaded driver ACPI.sys
Loaded driver \WINDOWS\system32\DRIVERS\WMILIB.SYS
Loaded driver pci.sys
Loaded driver isapnp.sys
Loaded driver pciide.sys
Loaded driver \WINDOWS\system32\DRIVERS\PCIIDEX.SYS
Loaded driver MountMgr.sys
Loaded driver ftdisk.sys
Loaded driver dmload.sys
Loaded driver dmio.sys
Loaded driver PartMgr.sys
Loaded driver VolSnap.sys
Loaded driver atapi.sys
Loaded driver disk.sys
Loaded driver \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
Loaded driver fltMgr.sys
Loaded driver sr.sys
Loaded driver Fastfat.sys
Loaded driver KSecDD.sys
Loaded driver NDIS.sys
Loaded driver Mup.sys
Loaded driver \SystemRoot\system32\DRIVERS\intelppm.sys
Loaded driver \SystemRoot\system32\DRIVERS\ialmnt5.sys
Loaded driver \SystemRoot\system32\DRIVERS\HDAudBus.sys
Loaded driver \SystemRoot\system32\DRIVERS\Rtenicxp.sys
Loaded driver \SystemRoot\system32\DRIVERS\usbuhci.sys
Loaded driver \SystemRoot\system32\DRIVERS\usbehci.sys
Loaded driver \SystemRoot\system32\DRIVERS\fdc.sys
Loaded driver \SystemRoot\system32\DRIVERS\serial.sys
Loaded driver \SystemRoot\system32\DRIVERS\serenum.sys
Loaded driver \SystemRoot\system32\DRIVERS\parport.sys
Loaded driver \SystemRoot\system32\DRIVERS\i8042prt.sys
Loaded driver \SystemRoot\system32\DRIVERS\mouclass.sys
Loaded driver \SystemRoot\system32\DRIVERS\kbdclass.sys
Loaded driver \SystemRoot\system32\DRIVERS\imapi.sys
Loaded driver \SystemRoot\system32\DRIVERS\cdrom.sys
Loaded driver \SystemRoot\system32\DRIVERS\redbook.sys
Loaded driver \SystemRoot\system32\DRIVERS\audstub.sys
Loaded driver \SystemRoot\system32\DRIVERS\rasl2tp.sys
Loaded driver \SystemRoot\system32\DRIVERS\ndistapi.sys
Loaded driver \SystemRoot\system32\DRIVERS\ndiswan.sys
Loaded driver \SystemRoot\system32\DRIVERS\raspppoe.sys
Loaded driver \SystemRoot\system32\DRIVERS\raspptp.sys
Loaded driver \SystemRoot\system32\DRIVERS\msgpc.sys
Loaded driver \SystemRoot\system32\DRIVERS\psched.sys
Loaded driver \SystemRoot\system32\DRIVERS\ptilink.sys
Loaded driver \SystemRoot\system32\DRIVERS\raspti.sys
Loaded driver \SystemRoot\system32\DRIVERS\rdpdr.sys
Loaded driver \SystemRoot\system32\DRIVERS\termdd.sys
Loaded driver \SystemRoot\system32\DRIVERS\swenum.sys
Loaded driver \SystemRoot\system32\DRIVERS\update.sys
Loaded driver \SystemRoot\system32\DRIVERS\mssmbios.sys
Loaded driver \SystemRoot\System32\Drivers\NDProxy.SYS
Did not load driver \SystemRoot\System32\Drivers\NDProxy.SYS
Loaded driver \SystemRoot\system32\drivers\RtkHDAud.sys
Loaded driver \SystemRoot\system32\DRIVERS\usbhub.sys
Loaded driver \SystemRoot\system32\DRIVERS\flpydisk.sys
Did not load driver \SystemRoot\System32\Drivers\lbrtfdc.SYS
Did not load driver \SystemRoot\System32\Drivers\Sfloppy.SYS
Did not load driver \SystemRoot\System32\Drivers\i2omgmt.SYS
Did not load driver \SystemRoot\System32\Drivers\Changer.SYS
Did not load driver \SystemRoot\System32\Drivers\Cdaudio.SYS
Loaded driver \SystemRoot\System32\Drivers\Fs_Rec.SYS
Loaded driver \SystemRoot\System32\Drivers\Null.SYS
Loaded driver \SystemRoot\System32\Drivers\Beep.SYS
Loaded driver \SystemRoot\System32\drivers\vga.sys
Loaded driver \SystemRoot\System32\Drivers\mnmdd.SYS
Loaded driver \SystemRoot\System32\DRIVERS\RDPCDD.sys
Loaded driver \SystemRoot\System32\Drivers\Msfs.SYS
Loaded driver \SystemRoot\System32\Drivers\Npfs.SYS
Loaded driver \SystemRoot\system32\DRIVERS\rasacd.sys
Loaded driver \SystemRoot\system32\DRIVERS\ipsec.sys
Loaded driver \SystemRoot\system32\DRIVERS\tcpip.sys
Loaded driver \SystemRoot\system32\DRIVERS\ipnat.sys
Loaded driver \SystemRoot\system32\DRIVERS\netbt.sys
Loaded driver \SystemRoot\System32\drivers\afd.sys
Loaded driver \SystemRoot\system32\DRIVERS\netbios.sys
Did not load driver \SystemRoot\System32\Drivers\PCIDump.SYS
Loaded driver \SystemRoot\system32\DRIVERS\rdbss.sys
Loaded driver \SystemRoot\system32\DRIVERS\mrxsmb.sys
Loaded driver \SystemRoot\system32\DRIVERS\wanarp.sys
Loaded driver \SystemRoot\System32\Drivers\Fips.SYS
Loaded driver \SystemRoot\System32\Drivers\Ntfs.SYS
Loaded driver \SystemRoot\system32\DRIVERS\usbccgp.sys
Loaded driver \SystemRoot\System32\Drivers\Cdfs.SYS
Loaded driver \SystemRoot\system32\DRIVERS\usbscan.sys
Loaded driver \SystemRoot\system32\DRIVERS\usbprint.sys
Loaded driver \SystemRoot\system32\DRIVERS\HPZius12.sys
Loaded driver \SystemRoot\system32\DRIVERS\HPZid412.sys
Loaded driver \SystemRoot\system32\DRIVERS\HPZipr12.sys
Loaded driver \SystemRoot\system32\DRIVERS\ndisuio.sys
Did not load driver \SystemRoot\system32\DRIVERS\rdbss.sys
Did not load driver \SystemRoot\system32\DRIVERS\mrxsmb.sys
Loaded driver \SystemRoot\system32\DRIVERS\mrxdav.sys
Loaded driver \SystemRoot\System32\Drivers\ParVdm.SYS
Loaded driver \SystemRoot\system32\DRIVERS\srv.sys
Did not load driver \SystemRoot\system32\DRIVERS\ipnat.sys
Loaded driver \SystemRoot\system32\drivers\wdmaud.sys
Loaded driver \SystemRoot\system32\drivers\sysaudio.sys
Loaded driver \SystemRoot\system32\drivers\splitter.sys
Loaded driver \SystemRoot\system32\drivers\aec.sys
Loaded driver \SystemRoot\system32\drivers\swmidi.sys
Loaded driver \SystemRoot\system32\drivers\DMusic.sys
Loaded driver \SystemRoot\system32\drivers\kmixer.sys
Loaded driver \SystemRoot\system32\drivers\drmkaud.sys
Loaded driver \SystemRoot\System32\Drivers\HTTP.sys
Loaded driver \SystemRoot\system32\drivers\kmixer.sys


I'm not totally inexperienced, but I cannot find anything that helps me. Hope somebody here can help.

Thanks
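The first MBAM log above flags the Winlogon Userinit value (Hijack.UserInit, Bad: C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\c++.exe,) and the later SmitfraudFix dump shows it back at userinit.exe. The following Python is an added example, not code from the post or from MBAM, SmitfraudFix or any other tool named here: it parses a .reg-style Winlogon line the way SmitfraudFix prints it and reports every Userinit entry other than the stock userinit.exe, handling the trailing comma that Winlogon tolerates, a bare file name, and %SystemRoot% expansion. The finding codes and the expected-path constant are the example's own assumptions; the sample values are copied from the logs.

```python
"""Added example: check a Winlogon Userinit value for the hijack pattern shown in the MBAM log."""
import re

# What a stock XP install runs at logon (compared after normalization, so case does not matter)
EXPECTED_USERINIT = r"c:\windows\system32\userinit.exe"


def parse_reg_string(line):
    """Parse one .reg-style line ("Name"="value") as SmitfraudFix prints it; None otherwise.

    .reg exports escape backslashes and quotes with a backslash, so two backslashes
    in the dump are one backslash on disk.
    """
    m = re.match(r'\s*"([^"]+)"="((?:[^"\\]|\\.)*)"\s*$', line)
    if not m:
        return None
    name, raw = m.groups()
    return name, re.sub(r"\\(.)", r"\1", raw)


def normalize_path(entry, system_root=r"C:\WINDOWS"):
    """Lower-case, strip quotes, expand %SystemRoot%/%windir%, and resolve a bare file name
    the way Winlogon does (relative to system32)."""
    p = entry.strip().strip('"').lower()
    root = system_root.lower()
    p = p.replace("%systemroot%", root).replace("%windir%", root)
    if "\\" not in p:
        p = root + "\\system32\\" + p
    return p


def userinit_findings(value):
    """Return finding strings for a Userinit value; [] means only the stock userinit.exe runs.

    Winlogon launches every comma-separated entry, so a trailing comma is normal and
    an extra path (here c++.exe) is a second program started at every logon.
    """
    entries = [e for e in value.split(",") if e.strip()]
    if not entries:
        return ["EMPTY_USERINIT"]  # nobody would get a shell at logon
    return ["EXTRA_ENTRY:" + e.strip()
            for e in entries
            if normalize_path(e) != EXPECTED_USERINIT]


# Values taken from the logs in the post above
MBAM_BAD = r"C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\c++.exe,"
SMITFRAUDFIX_LINE = r'"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"'
MBAM_GOOD = "userinit.exe"

if __name__ == "__main__":
    print("MBAM 'Bad':", userinit_findings(MBAM_BAD))
    print("SmitfraudFix dump:", userinit_findings(parse_reg_string(SMITFRAUDFIX_LINE)[1]))
    print("MBAM 'Good':", userinit_findings(MBAM_GOOD))
```

Run against the MBAM "Bad" value it reports the c++.exe entry; against the SmitfraudFix dump (taken after the quarantine) and against MBAM's "Good" value it reports nothing. The check is deliberately strict: any path other than system32\userinit.exe is reported, which also catches the case where userinit.exe has been replaced by a copy in another directory.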


#2 SifuMike

    malware expert

  • Staff Emeritus
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 29 March 2009 - 01:51 PM

Hello Tharan-Marc,

I downloaded Combofix and the disaster was going on; it couldn't do the job


You should NOT use Combofix unless you have been instructed to do so by a Malware Removal Expert.
It is intended by its creator to be used under the guidance and supervision of a Malware Removal Expert, not for private use.

Using this tool incorrectly could lead to disastrous problems with your operating system, such as preventing it from ever starting again.
Please read Combofix's Disclaimer.


Your System is infected with Virut!!
Virut is a file infecting virus which is able to modify itself each and every time it runs. In addition, when it infects, sometimes it will destroy the file it tries to latch onto.
For these reasons, you really can't truly fix Virut. You will need to format/reinstall the operating system on this machine.

More information:
http://free.avg.com/66558

There are bugs in the viral code. When the virus produces infected files, it also creates non-functional files that also contain the virus.


http://home.mcafee.com/VirusInfo/VirusProf...aspx?key=143034

W32/Virut.h is a polymorphic, entry point obscuring (EPO) file infector with IRC bot functionality. It can accept commands to download other malware on the compromised machine.
It appends to the end of the last section of executable (PE) files an encrypted copy of its code. The decryptor is polymorphic and can be located either:
  • Immediately before the encrypted code at the end of the last section
  • At the end of the code section of the infected host in 'slack-space' (assuming there is any)
  • At the original entry point of the host (overwriting the original host code)


Miekiemoes, an expert for malware removal and an MS-MVP, additionally has a blog post about Virut.

I suggest you start backing up all of your valuable data/documents/pictures/movies/songs/etc.
Do NOT back up any applications/installers and do NOT back up any .exe/.scr/.htm/.html/.xml/.zip/.rar files.
This is because these files may be infected as well. If you back them up and replace them afterwards, it will infect your computer again.

Read here for instructions on how to format and reinstall Windows:

http://web.mit.edu/ist/products/winxp/adva...all-format.html
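The McAfee description quoted above says the virus grows the last section of a PE file, stores a polymorphic decryptor there (or in code-section slack space, or over the original entry point) and transfers control to it. The following Python is an added example, not code from the post, from McAfee, from Malwarebytes or from any removal tool: a minimal PE section-table parser plus the two layout heuristics that the appended-to-last-section variant leaves behind (entry point moved into the final section; a data section made both writable and executable). The finding codes, the build_pe helper and the constructed clean and "infected" images it produces are the example's own assumptions, not real samples. An EPO variant that overwrites code at the original entry point trips neither check, so this is a triage aid for a disk image, not a scanner and, as the reply above says, not a substitute for a reinstall.

```python
"""Added example: structural checks for an appended-code PE file infector (not tool code)."""
import struct

# Section characteristic flags from the PE specification
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000
FILE_ALIGN, SECTION_ALIGN = 0x200, 0x1000


def _align(n, a):
    return (n + a - 1) // a * a


def parse_pe(data):
    """Return (AddressOfEntryPoint, [section dicts]) from a PE32/PE32+ image."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    _, nsect, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    if struct.unpack_from("<H", data, opt)[0] not in (0x10B, 0x20B):
        raise ValueError("unknown optional header magic")
    entry = struct.unpack_from("<I", data, opt + 16)[0]
    sections = []
    for i in range(nsect):
        name, vsize, va, rawsize, rawptr, _, _, _, _, flags = struct.unpack_from(
            "<8sIIIIIIHHI", data, opt + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"), "va": va,
                         "vsize": vsize, "rawptr": rawptr, "rawsize": rawsize, "flags": flags})
    return entry, sections


def section_containing(sections, rva):
    for s in sections:
        span = _align(max(s["vsize"], s["rawsize"], 1), SECTION_ALIGN)
        if s["va"] <= rva < s["va"] + span:
            return s
    return None


def infector_findings(data):
    """Codes for the layout anomalies an appended decryptor leaves; [] for a normal layout.

    Heuristics, not a signature: packers can trip them, and an EPO variant that patches
    the original entry code in place will not.
    """
    entry, sections = parse_pe(data)
    if not sections:
        return ["NO_SECTIONS"]
    last, ep_sec, findings = sections[-1], section_containing(sections, entry), []
    if ep_sec is None:
        findings.append("EP_OUTSIDE_SECTIONS")
    elif ep_sec is last and len(sections) > 1:
        # Linkers put the entry point in the first code section; an entry point in the
        # final section of a multi-section image is what an appended decryptor produces.
        findings.append("EP_IN_LAST_SECTION")
    if last["flags"] & IMAGE_SCN_MEM_WRITE and last["flags"] & IMAGE_SCN_MEM_EXECUTE:
        findings.append("LAST_SECTION_WX")  # a data section made executable to host code
    return findings


def build_pe(sections, entry_rva):
    """Assemble a minimal PE32 file from (name, flags, content) tuples (constructed test data)."""
    n, e_lfanew = len(sections), 0x40
    hdr_size = _align(e_lfanew + 4 + 20 + 224 + 40 * n, FILE_ALIGN)
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    opt = bytearray(224)  # PE32 optional header; only the fields the parser reads matter
    for off, fmt, val in ((0, "<H", 0x10B), (16, "<I", entry_rva), (28, "<I", 0x400000),
                          (32, "<I", SECTION_ALIGN), (36, "<I", FILE_ALIGN),
                          (60, "<I", hdr_size), (92, "<I", 16)):
        struct.pack_into(fmt, opt, off, val)
    table, body, va, rawptr = bytearray(), bytearray(), SECTION_ALIGN, hdr_size
    for name, flags, content in sections:
        rawsize = _align(len(content), FILE_ALIGN)
        table += struct.pack("<8sIIIIIIHHI", name.encode(), len(content), va, rawsize,
                             rawptr, 0, 0, 0, 0, flags)
        body += content.ljust(rawsize, b"\0")
        va, rawptr = va + _align(max(len(content), 1), SECTION_ALIGN), rawptr + rawsize
    struct.pack_into("<I", opt, 56, va)  # SizeOfImage
    coff = struct.pack("<HHIIIHH", 0x14C, n, 0, 0, 0, len(opt), 0x0102)
    header = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + bytes(table)
    return header.ljust(hdr_size, b"\0") + bytes(body)


TEXT = (".text", IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ, b"\x31\xc0\xc3")
DATA = IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE
CLEAN = build_pe([TEXT, (".data", DATA, b"hello\0")], entry_rva=0x1000)
# Constructed "infected" layout: the last section is grown by an opaque blob standing in
# for decryptor + encrypted body, marked executable, and the entry point is moved into it.
BLOB = b"\xeb\xfe" + bytes(range(64))
INFECTED = build_pe([TEXT, (".data", DATA | IMAGE_SCN_MEM_EXECUTE,
                            b"hello\0".ljust(0x200, b"\0") + BLOB)], entry_rva=0x2200)
```

Calling infector_findings(CLEAN) returns an empty list and infector_findings(INFECTED) returns both codes; to triage a real file, read it in binary mode and pass the bytes. Treat a hit as a reason to hash the file and hand it to a scanner, not as proof of infection: a single-section packed executable is skipped on purpose, and any legitimate binary with a writable, executable last section will also be reported.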

#3 SifuMike

    malware expert

  • Staff Emeritus
  • 15,385 posts

Posted 11 April 2009 - 10:01 PM

Since your problem appears to be resolved, this thread will now be closed.