unidentified malware/spyware


15 replies to this topic

#1 fretfret

fretfret

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:11:51 PM

Posted 03 April 2009 - 02:50 PM

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:59:06, on 03/04/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\3361\svchost.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Documents and Settings\Paul.D\Application Data\svchost.exe
C:\Program Files\Belkin\F5D7050v5\Belkinwcui.exe
C:\Program Files\NETGEAR\WG111v3\WG111v3.exe
C:\WINDOWS\system32\afisicx.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\sopidkc.exe
C:\WINDOWS\system32\tdctxte.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\uTorrent\uTorrent.exe
C:\Program Files\Lavasoft\Ad-Aware\Ad-Aware.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ie/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: BitDefender Toolbar - {381FFDE8-2394-4f90-B10D-FC6124A40F8C} - C:\Program Files\BitDefender\BitDefender 2009\IEToolbar.dll (file missing)
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKLM\..\Run: [BDAgent] "C:\Program Files\BitDefender\BitDefender 2009\bdagent.exe"
O4 - HKLM\..\Run: [BitDefender Antiphishing Helper] "C:\Program Files\BitDefender\BitDefender 2009\IEShow.exe"
O4 - HKLM\..\Run: [svchost.exe] "C:\WINDOWS\system32\3361\svchost.exe"
O4 - HKLM\..\Run: [*ctfmon32] "C:\Documents and Settings\Paul.D\Application Data\svchost.exe"
O4 - HKLM\..\Run: [WinProx32_1] C:\Documents and Settings\Paul.D\Application Data\psvrr.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\RunOnce: [svchost.exe] "C:\WINDOWS\system32\3361\svchost.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [WinProx32_1] C:\Documents and Settings\Paul.D\Application Data\psvrr.exe
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Belkin Wireless G USB Adapter Client Utility.lnk = ?
O4 - Global Startup: NETGEAR WG111v3 Smart Wizard.lnk = C:\Program Files\NETGEAR\WG111v3\WG111v3.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe
O9 - Extra button: Titan Poker - {49783ED4-258D-4f9f-BE11-137C18D3E543} - C:\Poker\Titan Poker\casino.exe
O9 - Extra 'Tools' menuitem: Titan Poker - {49783ED4-258D-4f9f-BE11-137C18D3E543} - C:\Poker\Titan Poker\casino.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {138E6DC9-722B-4F4B-B09D-95D191869696} (Bebo Uploader Control) - http://www.bebo.com/files/BeboUploader.5.1.4.cab
O20 - Winlogon Notify: crypt - C:\WINDOWS\SYSTEM32\crypts.dll
O23 - Service: afisicx Service (afisicx) - Unknown owner - C:\WINDOWS\system32\afisicx.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: BitDefender Arrakis Server (arrakis3) - Unknown owner - C:\Program Files\Common Files\BitDefender\BitDefender Arrakis Server\bin\Arrakis3.exe (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Background Intelligent Transfer Service (BITS) - Unknown owner - C:\WINDOWS\
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: BitDefender Desktop Update Service (livesrv) - Unknown owner - C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe (file missing)
O23 - Service: PostgreSQL Database Server 8.3 (pgsql-8.3) - PostgreSQL Global Development Group - C:\Program Files\PostgreSQL\8.3\bin\pg_ctl.exe
O23 - Service: sopidkc Service (sopidkc) - Unknown owner - C:\WINDOWS\system32\sopidkc.exe
O23 - Service: tdctxte Service (tdctxte) - Unknown owner - C:\WINDOWS\system32\tdctxte.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: BitDefender Virus Shield (vsserv) - Unknown owner - C:\Program Files\BitDefender\BitDefender 2009\vsserv.exe (file missing)
O23 - Service: Automatic Updates (wuauserv) - Unknown owner - C:\WINDOWS\

--
End of file - 8218 bytes
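The log above contains the autorun, Winlogon Notify and service entries that the helper later reads as signs of infection. As an added example, not part of the original post and not HijackThis's own logic, here is a Python triage script that parses HijackThis-style O4/O20/O23 lines and flags the kinds of indicator visible in this log: a core Windows binary name running from somewhere other than its expected directory, an executable started from a user profile's Application Data, a Winlogon Notify DLL that is not one of the XP defaults, and a service with no vendor information running from system32. The expected-directory table and the Winlogon DLL allow-list are assumptions of the example, and the sample lines are copied from the log above.

```python
import re
from pathlib import PureWindowsPath

# Sample input (constructed for this example by copying lines from the log above).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [svchost.exe] "C:\WINDOWS\system32\3361\svchost.exe"
O4 - HKLM\..\Run: [*ctfmon32] "C:\Documents and Settings\Paul.D\Application Data\svchost.exe"
O4 - HKLM\..\Run: [WinProx32_1] C:\Documents and Settings\Paul.D\Application Data\psvrr.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O20 - Winlogon Notify: crypt - C:\WINDOWS\SYSTEM32\crypts.dll
O23 - Service: afisicx Service (afisicx) - Unknown owner - C:\WINDOWS\system32\afisicx.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
"""

# A Windows path ending in an executable-type extension.
PATH_RE = re.compile(r'([A-Za-z]:\\[^"\r\n]*?\.(?:exe|dll|sys|ocx))', re.IGNORECASE)

# Core XP binaries and the single directory each is expected to run from
# (assumption for this example: a copy of one of these names anywhere else needs a look).
EXPECTED_DIR = {
    "svchost.exe": r"c:\windows\system32",
    "ctfmon.exe": r"c:\windows\system32",
    "lsass.exe": r"c:\windows\system32",
    "services.exe": r"c:\windows\system32",
    "winlogon.exe": r"c:\windows\system32",
    "spoolsv.exe": r"c:\windows\system32",
    "userinit.exe": r"c:\windows\system32",
    "smss.exe": r"c:\windows\system32",
    "explorer.exe": r"c:\windows",
}

# Winlogon Notify DLLs that ship with XP (illustrative allow-list, an assumption of this example).
KNOWN_NOTIFY_DLLS = {"crypt32.dll", "cscdll.dll", "wlnotify.dll", "sclgntfy.dll"}

# Per-user data directories that legitimate autostarts rarely run from.
USER_DATA_RE = re.compile(r'\\(application data|local settings\\temp)\\', re.IGNORECASE)


def extract_path(line):
    """Return the first executable path on a HijackThis line, or None."""
    m = PATH_RE.search(line)
    return m.group(1) if m else None


def triage_line(line):
    """Return the reasons this line deserves manual review (empty list if none)."""
    reasons = []
    path = extract_path(line)
    if path is None:
        return reasons
    p = PureWindowsPath(path)
    name = p.name.lower()
    parent = str(p.parent).lower()
    item = line.split(" - ", 1)[0].strip()  # "O4", "O20", "O23", ...

    expected = EXPECTED_DIR.get(name)
    if expected and parent != expected:
        reasons.append(f"{name} running from {p.parent} instead of {expected}")
    if USER_DATA_RE.search(str(p)):
        reasons.append("executable launched from a user profile data directory")
    if item == "O20" and name not in KNOWN_NOTIFY_DLLS:
        reasons.append("Winlogon Notify DLL not in the known XP set")
    if item == "O23" and "Unknown owner" in line and parent == r"c:\windows\system32":
        reasons.append("service with no vendor information running from system32")
    return reasons


def triage(log_text):
    """Run triage_line over a whole log and collect the flagged entries."""
    findings = []
    for line in log_text.splitlines():
        reasons = triage_line(line)
        if reasons:
            findings.append({"line": line, "path": extract_path(line), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f["path"])
        for r in f["reasons"]:
            print("   -", r)
```

The script is a triage aid, not a verdict: every hit still needs a human to look at the file, and a legitimate program can trip the Application Data rule. On the sample it flags the two stray svchost.exe copies, psvrr.exe, crypts.dll and the afisicx service, and leaves iTunesHelper, the real ctfmon.exe and the ATI service alone.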


#2 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:12:51 AM

Posted 03 April 2009 - 03:38 PM

Hi,

Is there any reason why you don't have an Antivirus installed?

* Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • In case you already used MBAM previously, please update it before proceeding with the scan. To do this, click the "Update" tab and click the "Check For updates" button.
  • Once the program has loaded and updates were downloaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply along with a fresh HijackThis log.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 fretfret


Posted 04 April 2009 - 09:16 AM

I have Ad-Aware installed? Is that not a good antivirus? What is a good antivirus to have?

Em, I got Malwarebytes, but when I try to install it, it shows a message like "runtime error(0);" or "installer could not be started". They are not normal XP windows, more like cheaply, quickly made pop-up boxes.

I can't do any updates on my Ad-Aware because my internet has been re-routed to an address "filesearch" or "filehost", but it does not go to these pages; it just gives me an error saying that these pages cannot be found, and I cannot go to Google or anything like that ...

I also sometimes get a message saying something like "Svc.host could not be found".
Oh yeah, when I boot up my computer I get some strange blue screen which says "boot cleaner starting ... ", so I know that is not supposed to be there... and this makes my computer take 10 minutes to start up.

If you wish I can post some screenshots of these screens or a screenshot of my desktop? I am not aware of how to get a screenshot of the boot screen for you, though.

I can't run Malwarebytes or even install it :thumbup2:

#4 miekiemoes


Posted 04 April 2009 - 09:23 AM

Hi,

Ad-Aware is an antispyware scanner and not an antivirus.
Looks like your computer is already seriously hosed by the malware (your HijackThis log already shows it being crippled with malware).
No need to post screenshots, I can already imagine how it looks - severely damaged, and it smells like a file infector is also involved here.

We can still try a few things, but if it's too much of a hassle to even get a scanner or tools running, or your Windows is having HUGE problems, then it's a lost case and a format and reinstall may be the fastest and especially the safest solution.

Anyway, let's install an Antivirus first.

* Please install Avira Antivirus: http://www.free-av.com/

Perform a full scan with Avira and let it delete everything it is finding.
Then reboot.
After reboot, open your Avira and select "reports".
There, double-click the report from the full scan you have done. Click the "Report File" button and copy and paste this report in your next reply together with a new HijackThis log.

Edited by miekiemoes, 04 April 2009 - 09:23 AM.


#5 fretfret


Posted 05 April 2009 - 09:14 AM

hey,

I could not get Avira to install either. It seems that any useful program has been blocked from being installed :thumbup2: .

#6 miekiemoes


Posted 05 April 2009 - 09:30 AM

Ok, we can still try something else first, and if that fails as well, then it's time for the format and reinstall, because I actually really see no point in cleaning this up manually. It's too severely infected/damaged.

Anyway, try next and pray it will run:

* Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Post the log from ComboFix in your next reply.

Please make sure you disable ALL of your Antivirus/Antispyware/Firewall before running ComboFix. This is because security software may see some components ComboFix uses (prep.com for example) as suspicious and block the tool, or even delete it. Please visit HERE if you don't know how.

#7 fretfret


Posted 05 April 2009 - 09:47 AM

I cannot access the internet on the infected computer, and I need to do so to download the Recovery Console for ComboFix. Is there a site from which I can download the Recovery Console on this computer I am using and transfer it onto the infected computer using a pen drive?
Thank you :thumbup2:

#8 fretfret


Posted 05 April 2009 - 10:09 AM

Do I need the Recovery Console installed, or can I just skip this step and let ComboFix run anyway? :thumbup2:

#9 miekiemoes


Posted 05 April 2009 - 10:14 AM

Yes, you need the Recovery Console.

#10 fretfret


Posted 05 April 2009 - 10:35 AM

I can't get it without the internet, though :thumbup2:. So I guess it is maybe time to format and re-install Windows then, yes?

#11 miekiemoes


Posted 05 April 2009 - 10:51 AM

Are you posting from another computer? Because you say you can't do it without the internet, so I assume you are transferring tools and logs?
In that case, please read this link again: http://www.bleepingcomputer.com/combofix/how-to-use-combofix
Look below where it says "How to install and use the Windows XP Recovery Console" and then "If you use Windows XP and do not have the Windows CD..."; start to read from there. That's the other method to install the Recovery Console with the use of ComboFix.

#12 fretfret


Posted 05 April 2009 - 11:42 AM

Yes, my internet was disabled somehow, so I was using a different computer to transfer all the files :thumbup2:
Here is my ComboFix log.


ComboFix 09-04-04.01 - Paul.D 2009-04-05 17:23:27.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.665 [GMT 1:00]
Running from: C:\ComboFix.exe
Command switches used :: C:\WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\documents and settings\All Users\Application Data\vlc-0.9.4-win32.exe
c:\documents and settings\Paul.D\Local Settings\Temporary Internet Files\fbk.sts
c:\windows\autorun.inf
c:\windows\dhcp\svchost.exe
c:\windows\Install.txt
c:\windows\system32\6to4v32.dll
c:\windows\system32\afisicx.exe
c:\windows\system32\at1394.sys
c:\windows\system32\comsa32.sys
c:\windows\system32\crypts.dll
c:\windows\system32\ffo43928122.dll
c:\windows\system32\sopidkc.exe
c:\windows\system32\tdctxte.exe
c:\windows\system32\tpszxyd.sys
c:\windows\system32\w.exe
c:\windows\system32\w31416433390.dll
O:\copy.exe
O:\host.exe

----- BITS: Possible infected sites -----

hxxp://codecs.sytes.net
c:\windows\system32\userinit.exe . . . is infected!!

c:\windows\system32\svchost.exe . . . is infected!!

c:\windows\system32\spoolsv.exe . . . is infected!!

c:\windows\explorer.exe . . . is infected!!

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_6to4
-------\Legacy_afisicx
-------\Legacy_at1394
-------\Legacy_defaultlib
-------\Legacy_dhcpsrv
-------\Legacy_softyinforwow1
-------\Legacy_sopidkc
-------\Legacy_tdctxte
-------\Service_6to4
-------\Service_afisicx
-------\Service_at1394
-------\Service_defaultlib
-------\Service_softyinforwow1
-------\Service_sopidkc
-------\Service_tdctxte


((((((((((((((((((((((((( Files Created from 2009-03-05 to 2009-04-05 )))))))))))))))))))))))))))))))
.

2009-04-05 17:21 . 2009-04-05 17:24 4,614,888 --a------ C:\WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
2009-04-05 15:41 . 2009-04-05 15:41 3,067,803 -ra------ C:\ComboFix.exe
2009-04-03 19:57 . 2009-04-03 19:57 <DIR> d-------- c:\program files\Trend Micro
2009-04-03 15:32 . 2009-04-03 15:32 6,144 --ahs---- c:\windows\system32\Thumbs.db
2009-04-03 14:31 . 2009-04-03 14:31 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-04-03 14:18 . 2009-04-03 14:18 <DIR> d-------- c:\documents and settings\Administrator
2009-04-03 07:00 . 2009-04-03 07:00 <DIR> d-------- c:\windows\SxsCaPendDel
2009-04-03 06:22 . 2009-04-03 06:22 <DIR> d-------- c:\documents and settings\Paul.D\Application Data\nidle
2009-04-03 06:22 . 2009-04-03 06:22 465,874 --a------ c:\documents and settings\Paul.D\Application Data\psvrr.exe
2009-04-03 06:22 . 2008-06-20 12:51 361,600 --a------ c:\windows\system32\drivers\tcpip.original
2009-04-03 06:21 . 2009-04-03 06:21 32 --a------ c:\documents and settings\Paul.D\Application Data\__t.bin
2009-04-03 06:20 . 2009-04-03 06:22 <DIR> d-------- c:\documents and settings\Paul.D\Application Data\_154d1688bccb1d1d883bd1259b5ada76
2009-04-03 06:20 . 2009-04-01 15:22 921,387 --a------ c:\documents and settings\Paul.D\Application Data\svchost.exe
2009-04-03 06:14 . 2009-04-03 06:14 <DIR> d-------- c:\windows\system32\logs
2009-04-03 06:14 . 2009-04-05 17:31 <DIR> d-------- c:\windows\system32\3361
2009-04-03 06:14 . 2009-04-05 17:23 <DIR> d-------- c:\windows\dhcp
2009-04-03 06:14 . 2009-04-03 06:14 108,336 --a------ c:\windows\system32\MSWINSCK.OCX
2009-04-03 06:14 . 2009-04-03 00:37 21,704 --a------ c:\windows\system32\cc.exe
2009-04-03 06:13 . 2009-04-05 17:32 103,790 --a------ c:\windows\system32\drivers\877849bb.sys
2009-04-01 01:27 . 2009-04-01 01:27 <DIR> d--h----- c:\windows\PIF
2009-03-13 16:10 . 2009-03-13 16:10 <DIR> d-------- c:\program files\Pianoteq 3.0 Trial
2009-03-13 16:10 . 2009-03-13 16:10 <DIR> d-------- c:\program files\Common Files\Digidesign
2009-03-13 16:10 . 2009-03-13 16:17 <DIR> d-------- c:\documents and settings\Paul.D\Application Data\Modartt
2009-03-13 15:38 . 2009-04-01 01:18 <DIR> d-------- c:\program files\PianoFX
2009-03-13 15:38 . 2000-05-22 01:00 140,488 --a------ c:\windows\system32\COMDLG32.OCX
2009-03-13 15:38 . 2000-05-22 01:00 115,920 --a------ c:\windows\system32\MSINET.OCX
2009-03-13 00:31 . 2009-03-11 17:08 15,688 --a------ c:\windows\system32\lsdelete.exe
2009-03-11 17:08 . 2009-03-11 17:08 64,160 --a------ c:\windows\system32\drivers\Lbd.sys
2009-03-11 17:00 . 2009-03-11 17:00 <DIR> d-------- c:\program files\Lavasoft
2009-03-11 17:00 . 2009-03-11 17:00 <DIR> d--h-c--- c:\documents and settings\All Users\Application Data\{83C91755-2546-441D-AC40-9A6B4B860800}
2009-03-10 17:44 . 2009-03-10 18:01 <DIR> d-------- C:\Casino
2009-03-10 15:10 . 2007-06-01 06:13 238,848 -r------- c:\windows\system32\drivers\BLKWGU.sys
2009-03-10 15:09 . 2009-03-10 15:09 <DIR> d-------- c:\program files\Belkin
2009-03-10 15:09 . 2009-03-10 15:09 <DIR> d-------- c:\documents and settings\Paul.D\Application Data\InstallShield
2009-03-10 15:09 . 2007-08-07 11:38 13,768 --a------ c:\windows\system32\drivers\string.ini

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-03 19:09 --------- d-----w c:\documents and settings\Paul.D\Application Data\uTorrent
2009-04-03 13:31 --------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-03 05:38 --------- d-----w c:\program files\PokerTracker 3
2009-04-03 01:44 --------- d-----w c:\program files\Full Tilt Poker
2009-03-26 15:49 38,496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-03-26 15:49 15,504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-03-13 21:32 --------- d-----w c:\program files\PokerStars
2009-03-13 15:10 --------- d-----w c:\program files\VstPlugins
2009-03-10 14:09 --------- d--h--w c:\program files\InstallShield Installation Information
2009-03-04 14:59 --------- d-----w c:\program files\PacificPoker
2009-03-04 14:59 --------- d-----w c:\documents and settings\Paul.D\Application Data\PacificPoker
2009-03-02 21:49 --------- d-----w c:\program files\PKR
2009-03-02 21:49 --------- d-----w c:\program files\DivX
2009-02-26 04:36 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-02-26 04:30 --------- d-----w c:\program files\PostgreSQL
2009-02-21 22:03 --------- d-----w c:\program files\Microsoft Silverlight
2009-02-19 01:06 --------- d-----w c:\documents and settings\Paul.D\Application Data\DivX
.

------- Sigcheck -------

2004-08-04 13:00 33280 ffb42fd4850905dd4f8f155b5a1afd1f c:\windows\$NtServicePackUninstall$\svchost.exe
2008-04-14 01:12 33280 6fd6f00c3fffce47b2f099d2b06ff438 c:\windows\ServicePackFiles\i386\svchost.exe
2008-04-14 01:12 33280 b7fc4b736744b24210a180c46d34c2c3 c:\windows\system32\svchost.exe
2009-04-03 06:14 86016 d25f0022d1077c6ad82ab238b744cce4 c:\windows\system32\3361\SVCHOST.EXE

2006-01-13 18:07 360448 5562cc0a47b2aef06d3417b733f3c195 c:\windows\$hf_mig$\KB913446\SP2QFE\tcpip.sys
2008-06-20 12:59 361600 ad978a1b783b5719720cff204b666c8e c:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys
2006-01-13 03:28 359808 583e063fdc888ca30d05c2724b0d7ef4 c:\windows\$NtServicePackUninstall$\tcpip.sys
2008-04-13 20:20 361344 93ea8d04ec73a85db02eb8805988f733 c:\windows\$NtUninstallKB951748$\tcpip.sys
2008-04-13 20:20 361344 93ea8d04ec73a85db02eb8805988f733 c:\windows\ServicePackFiles\i386\tcpip.sys
2008-06-20 12:51 361600 9aefa14bd6b182d61e3119fa5f436d3d c:\windows\system32\dllcache\tcpip.sys
2007-03-25 08:25 802816 8828315f2976c705d5a668de1aa58555 c:\windows\system32\drivers\tcpip.sys

2008-04-14 01:12 1052672 ebc6b498d7b02aa3e6ecbdb33166192f c:\windows\explorer.exe
2004-08-04 13:00 1051136 eb6f8fb8af3aaa7656556edb8f36d433 c:\windows\$NtServicePackUninstall$\explorer.exe
2008-04-14 01:12 1052672 a17787b638fff2dadc533396caefb5c9 c:\windows\ServicePackFiles\i386\explorer.exe

2004-08-04 13:00 34304 b7c89b3932f582db2d026a569a26213e c:\windows\$NtServicePackUninstall$\ctfmon.exe
2008-04-14 01:12 34304 0a4debff565cde16c86a334db9bb70d2 c:\windows\ServicePackFiles\i386\ctfmon.exe
2008-04-14 01:12 34304 36a81de7de2157f5b879007059df5689 c:\windows\system32\ctfmon.exe

2005-06-11 01:17 76800 a993c76527dfa5e72733cd06bc973161 c:\windows\$hf_mig$\KB896423\SP2QFE\spoolsv.exe
2005-06-11 00:53 76800 b99fcca085dd006113d67dbfe4497943 c:\windows\$NtServicePackUninstall$\spoolsv.exe
2008-04-14 01:12 76800 b956eab55469cbca593277297c8eb472 c:\windows\ServicePackFiles\i386\spoolsv.exe
2008-04-14 01:12 76800 143c9c18c20979912b209021da33d4b4 c:\windows\system32\spoolsv.exe

2004-08-04 13:00 43520 7895153daae757a9170fcf9c689719fd c:\windows\$NtServicePackUninstall$\userinit.exe
2008-04-14 01:12 45056 1cca938d7117513f37eff71dc359ade5 c:\windows\ServicePackFiles\i386\userinit.exe
2008-04-14 01:12 45056 11a7bd286c14f6cb73c173f64210758b c:\windows\system32\userinit.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2008-04-14 34304]
"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2009-02-06 3885408]
"WinProx32_1"="c:\documents and settings\Paul.D\Application Data\psvrr.exe" [2009-04-03 465874]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UserFaultCheck"="c:\windows\system32\dumprep 0 -u" [X]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 434176]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-10-01 289576]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-11-10 136600]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-03-11 515416]
"*ctfmon32"="c:\documents and settings\Paul.D\Application Data\svchost.exe" [2009-04-01 921387]
"WinProx32_1"="c:\documents and settings\Paul.D\Application Data\psvrr.exe" [2009-04-03 465874]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" [2005-01-07 c:\windows\system32\HdAShCut.exe]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"svchost.exe"="c:\windows\system32\3361\svchost.exe" [2009-04-03 86016]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 34304]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Belkin Wireless G USB Adapter Client Utility.lnk - c:\program files\Belkin\F5D7050v5\Belkinwcui.exe [2009-03-10 1585152]
NETGEAR WG111v3 Smart Wizard.lnk - c:\program files\NETGEAR\WG111v3\WG111v3.exe [2008-07-01 2347008]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\TVUPlayer\\TVUPlayer.exe"=
"c:\\Program Files\\Malwarebytes' Anti-Malware\\mbam.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\NetMeeting\\conf.exe"=
"c:\\WINDOWS\\system32\\rtcshare.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\WINDOWS\\system32\\3361\\svchost.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-03-11 64160]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2009-01-18 951632]
S2 bdvedisk;BDVEDISK;\??\c:\program files\BitDefender\BitDefender 2009\BDVEDISK.sys --> c:\program files\BitDefender\BitDefender 2009\BDVEDISK.sys [?]
S2 pgsql-8.3;PostgreSQL Database Server 8.3;c:\program files\PostgreSQL\8.3\bin\pg_ctl.exe [2008-09-19 84480]
S3 arrakis3;BitDefender Arrakis Server;"c:\program files\Common Files\BitDefender\BitDefender Arrakis Server\bin\Arrakis3.exe" --> c:\program files\Common Files\BitDefender\BitDefender Arrakis Server\bin\Arrakis3.exe [?]
S3 bdfm;BDFM;c:\windows\system32\drivers\bdfm.sys --> c:\windows\system32\drivers\bdfm.sys [?]
S3 bdfndisf;BitDefender Firewall NDIS Filter Service;c:\windows\system32\DRIVERS\bdfndisf.sys --> c:\windows\system32\DRIVERS\bdfndisf.sys [?]
S3 BELKIN;Belkin Wireless G USB Network Adapter;c:\windows\system32\drivers\BLKWGU.sys [2009-03-10 238848]
S3 RTL8187B;NETGEAR WG111v3 54Mbps Wireless USB 2.0 Adapter Vista Driver;c:\windows\system32\drivers\wg111v3.sys [2007-04-23 287232]
S3 w200bus;Sony Ericsson W200 driver (WDM);c:\windows\system32\drivers\w200bus.sys [2008-12-11 61504]
S3 w200mdfl;Sony Ericsson W200 USB WMC Modem Filter;c:\windows\system32\drivers\w200mdfl.sys [2008-12-11 9328]
S3 w200mdm;Sony Ericsson W200 USB WMC Modem Driver;c:\windows\system32\drivers\w200mdm.sys [2008-12-11 97056]
S3 w200mgmt;Sony Ericsson W200 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\w200mgmt.sys [2008-12-11 88560]
S3 w200obex;Sony Ericsson W200 USB WMC OBEX Interface;c:\windows\system32\drivers\w200obex.sys [2008-12-11 86368]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bdx REG_MULTI_SZ scan
.
Contents of the 'Scheduled Tasks' folder

2009-04-01 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-11 17:08]

2009-04-01 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-BDAgent - c:\program files\BitDefender\BitDefender 2009\bdagent.exe
HKLM-Run-BitDefender Antiphishing Helper - c:\program files\BitDefender\BitDefender 2009\IEShow.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.ie/
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Paul.D\Application Data\Mozilla\Firefox\Profiles\wxxsm3qg.default\
FF - prefs.js: browser.startup.homepage - hxxp://www2.firesearch.com/
FF - prefs.js: keyword.URL - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2206988&SearchSource=2&q=
FF - component: c:\documents and settings\Paul.D\Application Data\Mozilla\Firefox\Profiles\wxxsm3qg.default\extensions\{ce5aa545-e250-4a05-939d-b1995a5251dd}\components\FFAlert.dll
.

**************************************************************************

catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-05 17:31:34
Windows 5.1.2600 Service Pack 3 NTFS

detected NTDLL code modification:
ZwOpenFile

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\877849bb]
"ImagePath"="\SystemRoot\System32\drivers\877849bb.sys"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(364)
c:\windows\system32\Ati2evxx.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\ati2evxx.exe
c:\windows\system32\LEXBCES.EXE
c:\windows\system32\LEXPPS.EXE
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-04-05 17:36:14 - machine was rebooted [Paul.D]
ComboFix-quarantined-files.txt 2009-04-05 16:36:11

Pre-Run: 124,160,741,376 bytes free
Post-Run: 124,979,519,488 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

261 --- E O F --- 2009-03-14 03:03:37
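
The entries a helper reads first in a log like the one above are the ones that do not belong: a second `svchost.exe` living in `system32\3361` and another in the user's `Application Data`, a firewall allow-list entry for that same file, an eight-hex-digit service key with a matching driver in `System32\drivers`, and catchme's "detected NTDLL code modification" on `ZwOpenFile`. As an added example that is not part of this thread and not a tool the posters used, the Python below runs those four heuristics over a constructed sample of lines copied from the log. The heuristics themselves (svchost.exe anywhere but a `system32` directory, a service or registry key name that is exactly eight hex digits, any ntdll hook reported by catchme) are my own triage rules, not anything ComboFix or the Malware Response Team defines.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample: a handful of lines copied from the HijackThis/ComboFix
# output posted in this thread, mixed with benign lines the heuristics must ignore.
SAMPLE_LOG = r"""
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\3361\svchost.exe
C:\Documents and Settings\Paul.D\Application Data\svchost.exe
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\WINDOWS\\system32\\3361\\svchost.exe"=
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2009-01-18 951632]
S3 bdfm;BDFM;c:\windows\system32\drivers\bdfm.sys --> c:\windows\system32\drivers\bdfm.sys [?]
detected NTDLL code modification:
ZwOpenFile

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\877849bb]
"ImagePath"="\SystemRoot\System32\drivers\877849bb.sys"
"""

# Windows binaries whose only legitimate home is %SystemRoot%\System32 (heuristic list).
SYSTEM_BINARIES = {"svchost.exe"}
# Service/driver names that are nothing but eight hex digits, like 877849bb above (heuristic).
HEX_NAME = re.compile(r"^[0-9a-f]{8}$", re.I)
PROCESS_LINE = re.compile(r"^[A-Za-z]:\\")                    # HijackThis "Running processes" line
FIREWALL_LINE = re.compile(r'^"(.+)"=$')                      # ComboFix firewall allow-list entry
SERVICE_LINE = re.compile(r"^([RS]\d) ([^;]+);([^;]*);(.*)$")  # e.g. "S3 bdfm;BDFM;c:\...\bdfm.sys ..."
REG_SERVICE_KEY = re.compile(
    r"^\[HKEY_LOCAL_MACHINE\\System\\ControlSet\d{3}\\Services\\([^\]]+)\]$", re.I)


def misplaced_system_binary(path_str):
    """True when a System32-resident binary name is seen in any other directory."""
    p = PureWindowsPath(path_str)
    return p.name.lower() in SYSTEM_BINARIES and p.parent.name.lower() != "system32"


def triage(log_text):
    """Return (category, detail) findings for the indicators discussed in this thread."""
    findings = []
    lines = log_text.splitlines()
    i = 0
    while i < len(lines):
        line = lines[i].strip()
        if line.lower().startswith("detected ntdll code modification"):
            # catchme lists the patched ntdll exports on the following lines, up to a blank line
            i += 1
            while i < len(lines) and lines[i].strip():
                findings.append(("ntdll hook", lines[i].strip()))
                i += 1
            continue
        m = REG_SERVICE_KEY.match(line)
        if m and HEX_NAME.match(m.group(1)):
            findings.append(("hex-named service key", m.group(1)))
        m = SERVICE_LINE.match(line)
        if m and HEX_NAME.match(m.group(2)):
            findings.append(("hex-named service", m.group(2)))
        m = FIREWALL_LINE.match(line)
        if m:
            path = m.group(1).replace("\\\\", "\\")  # ComboFix doubles the backslashes here
            if misplaced_system_binary(path):
                findings.append(("firewall allow for misplaced svchost", path))
        elif PROCESS_LINE.match(line) and misplaced_system_binary(line):
            findings.append(("misplaced svchost", line))
        i += 1
    return findings


if __name__ == "__main__":
    for category, detail in triage(SAMPLE_LOG):
        print(f"{category:40} {detail}")
```

Run against the sample it reports both rogue svchost.exe copies, the firewall entry that whitelists one of them, the ZwOpenFile hook and the 877849bb service key, and stays quiet on the legitimate svchost.exe, Firefox, Ad-Aware and BitDefender lines. A hit on any one of these is a reason to look harder, not a verdict; the helper in this thread combined them with the rest of the log before calling it a file-infector case.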

#13 miekiemoes (Malware Killer Dog; Malware Response Team, 19,420 posts; Location: Belgium)

Posted 05 April 2009 - 11:48 AM

Hi,

I have bad news for you.

I see you're dealing with Virut on top of the other nasty malware you are dealing with. In that case, it's unfortunately a lost case (as I already suspected anyway). It is a game-over situation, and a format and reinstall is the fastest and especially the safest solution.

You may want to read this to see why:
Virut and other File infectors - Throwing in the Towel?

So, I suggest you start backing up all of your valuable data (documents, pictures, movies, songs, etc.). Do NOT back up any applications/installers, and do NOT back up any .exe/.scr/.htm/.html/.xml/.zip/.rar files.
This is because these files may be infected as well. If you back them up and put them back afterwards, they will infect your computer again.


Read here for instructions how to format and reinstall Windows: http://web.mit.edu/ist/products/winxp/adva...all-format.html
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.
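
The backup rule in the post above (copy documents, pictures and media; leave every .exe/.scr/.htm/.html/.xml/.zip/.rar behind) is easy to state and easy to get wrong by hand across a whole profile. As an added example that is not part of the thread, the Python below walks a constructed sample tree and sorts each file into "copy" or "skip", giving the reason. It adds one check of my own that the post does not mention: any file whose first two bytes are `MZ` (the header every Windows executable starts with) is skipped regardless of its extension, so a renamed executable does not ride along in the backup. The sample files and their contents are made up for the demonstration; nothing here is real malware.

```python
import tempfile
from pathlib import Path

# Extensions the reply above says not to carry over to the rebuilt machine.
EXCLUDED_EXTENSIONS = {".exe", ".scr", ".htm", ".html", ".xml", ".zip", ".rar"}
# Every Windows PE executable begins with these two bytes. Checking them is an
# added precaution (my assumption), not something the post asks for.
PE_MAGIC = b"MZ"


def classify(path: Path):
    """Return None if the file may be copied, otherwise a short reason for skipping it."""
    if path.suffix.lower() in EXCLUDED_EXTENSIONS:
        return f"excluded extension {path.suffix.lower()}"
    with path.open("rb") as fh:
        if fh.read(2) == PE_MAGIC:
            return "PE header despite harmless-looking extension"
    return None


def plan_backup(root: Path):
    """Split every file under root into a keep list and a {relative path: reason} skip map."""
    keep, skip = [], {}
    for p in sorted(root.rglob("*")):
        if not p.is_file():
            continue
        rel = p.relative_to(root).as_posix()
        reason = classify(p)
        if reason is None:
            keep.append(rel)
        else:
            skip[rel] = reason
    return keep, skip


# Constructed sample tree standing in for the user's profile (contents are placeholders).
SAMPLE_FILES = {
    "My Documents/report.doc": b"\xd0\xcf\x11\xe0 plain office document body",
    "My Pictures/holiday.jpg": b"\xff\xd8\xff\xe0 jpeg body",
    "Downloads/setup.exe": b"MZ\x90\x00 installer",
    "Downloads/notes.txt": b"MZ\x90\x00 an executable someone renamed to .txt",
    "Sites/index.htm": b"<html>saved page</html>",
    "Backups/old.zip": b"PK\x03\x04 archive",
}


def build_sample_tree(root: Path):
    """Materialise SAMPLE_FILES under root so the walk has something real to read."""
    for rel, data in SAMPLE_FILES.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(data)
    return root


def demo():
    """Build the sample tree in a scratch directory and return (keep, skip)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = build_sample_tree(Path(tmp))
        return plan_backup(root)


if __name__ == "__main__":
    keep, skip = demo()
    for rel in keep:
        print("COPY", rel)
    for rel, reason in skip.items():
        print("SKIP", rel, "-", reason)
```

On the sample tree only the .doc and the .jpg are kept; setup.exe, index.htm and old.zip go by extension, and notes.txt is caught by the header check even though its name looks harmless. Point `plan_backup` at the real profile directory and review the skip list before copying anything to external media.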

#14 fretfret (Topic Starter; Members, 11 posts)

Posted 05 April 2009 - 12:06 PM

OK. I didn't want to format and reinstall; that's why I came here. But it looks as though I will have to now...
After I have done a fresh install and got all my drivers and hardware properly installed, what should I do to maybe prevent this from happening again?
Thank you for your help.

#15 miekiemoes (Malware Killer Dog; Malware Response Team, 19,420 posts; Location: Belgium)

Posted 05 April 2009 - 12:09 PM

Well, as you see, you really have no other choice. You'll be glad afterwards that you didn't waste your time in cleaning this up and that a format and reinstall is really the fastest and safest solution in this case.

Please read my Prevention page with lots of info and tips on how to prevent this in the future.
Extra note: make sure your programs are up to date, because older versions may contain security holes. To find out what programs need to be updated, please run the Secunia Software Inspector Scan.

Happy Surfing again! :)