
win32/virut attached to netstat.exe and osx.exe file


3 replies to this topic

#1 amerigo


Posted 08 April 2009 - 03:00 PM

Hi,
I have AVG antivirus installed and updated on a daily basis. I also scheduled a full scan. In the full scan details I found that two of my critical system files are infected with the WIN32/VIRUT virus.

"D:\WINDOWS\system32\netstat.exe";"Virus found Win32/Virut";"Object is white-listed (critical/system file that should not be removed)"
"D:\WINDOWS\system32\osk.exe";"Virus found Win32/Virut";"Object is white-listed (critical/system file that should not be removed)"

I tried running netstat through DOS and found that many connections are open to this site, JL.CHURA.PL.

Here are the details of the netstat report:

Active Connections

Proto Local Address Foreign Address State PID
TCP alexander:1709 ti-in-f19.google.com:https ESTABLISHED 1040
[firefox.exe]

TCP alexander:1728 wonderhowto.com:http ESTABLISHED 1916
[avgnsx.exe]

TCP alexander:1730 wonderhowto.com:http ESTABLISHED 1916
[avgnsx.exe]

TCP alexander:1732 wonderhowto.com:http ESTABLISHED 1916
[avgnsx.exe]

TCP alexander:1735 wonderhowto.com:http ESTABLISHED 1916
[avgnsx.exe]

TCP alexander:1736 wonderhowto.com:http ESTABLISHED 1916
[avgnsx.exe]

TCP alexander:1738 wonderhowto.com:http ESTABLISHED 1916
[avgnsx.exe]

TCP alexander:1740 208.117.236.74:http ESTABLISHED 1916
[avgnsx.exe]

TCP alexander:1788 74.125.98.95:http ESTABLISHED 1916
[avgnsx.exe]

TCP alexander:1803 ABTS-North-Static-209.216.23.125.airtelbroadband.in:http ESTABLISHED 1916
[avgnsx.exe]

TCP alexander:1808 ABTS-North-Static-208.216.23.125.airtelbroadband.in:http ESTABLISHED 1916
[avgnsx.exe]

TCP alexander:1810 im-in-f154.google.com:http ESTABLISHED 1916
[avgnsx.exe]

TCP alexander:1812 im-in-f154.google.com:http ESTABLISHED 1916
[avgnsx.exe]

TCP alexander:1815 im-in-f164.google.com:http ESTABLISHED 1916
[avgnsx.exe]

TCP alexander:1816 im-in-f164.google.com:http ESTABLISHED 1916
[avgnsx.exe]

TCP alexander:1043 jL.chura.pl:1044 ESTABLISHED 1040
[firefox.exe]

TCP alexander:1044 jL.chura.pl:1043 ESTABLISHED 1040
[firefox.exe]

TCP alexander:1045 jL.chura.pl:1046 ESTABLISHED 1040
[firefox.exe]

TCP alexander:1046 jL.chura.pl:1045 ESTABLISHED 1040
[firefox.exe]

TCP alexander:1727 jL.chura.pl:10080 ESTABLISHED 1040
[firefox.exe]

TCP alexander:1729 jL.chura.pl:10080 ESTABLISHED 1040
[firefox.exe]

TCP alexander:1731 jL.chura.pl:10080 ESTABLISHED 1040
[firefox.exe]

TCP alexander:1733 jL.chura.pl:10080 ESTABLISHED 1040
[firefox.exe]

TCP alexander:1734 jL.chura.pl:10080 ESTABLISHED 1040
[firefox.exe]

TCP alexander:1737 jL.chura.pl:10080 ESTABLISHED 1040
[firefox.exe]

TCP alexander:1739 jL.chura.pl:10080 ESTABLISHED 1040
[firefox.exe]

TCP alexander:1785 jL.chura.pl:10080 ESTABLISHED 1040
[firefox.exe]

TCP alexander:1801 jL.chura.pl:10080 ESTABLISHED 1040
[firefox.exe]

TCP alexander:1807 jL.chura.pl:10080 ESTABLISHED 1040
[firefox.exe]

TCP alexander:1809 jL.chura.pl:10080 ESTABLISHED 1040
[firefox.exe]

TCP alexander:1811 jL.chura.pl:10080 ESTABLISHED 1040
[firefox.exe]

TCP alexander:1813 jL.chura.pl:10080 ESTABLISHED 1040
[firefox.exe]

TCP alexander:1814 jL.chura.pl:10080 ESTABLISHED 1040
[firefox.exe]

TCP alexander:10080 jL.chura.pl:1809 ESTABLISHED 1916
[avgnsx.exe]

TCP alexander:10080 jL.chura.pl:1785 ESTABLISHED 1916
[avgnsx.exe]

TCP alexander:10080 jL.chura.pl:1801 ESTABLISHED 1916
[avgnsx.exe]

TCP alexander:10080 jL.chura.pl:1814 ESTABLISHED 1916
[avgnsx.exe]

TCP alexander:10080 jL.chura.pl:1734 ESTABLISHED 1916
[avgnsx.exe]

TCP alexander:10080 jL.chura.pl:1733 ESTABLISHED 1916
[avgnsx.exe]

TCP alexander:10080 jL.chura.pl:1739 ESTABLISHED 1916
[avgnsx.exe]

TCP alexander:10080 jL.chura.pl:1813 ESTABLISHED 1916
[avgnsx.exe]

TCP alexander:10080 jL.chura.pl:1727 ESTABLISHED 1916
[avgnsx.exe]

TCP alexander:10080 jL.chura.pl:1731 ESTABLISHED 1916
[avgnsx.exe]

TCP alexander:10080 jL.chura.pl:1807 ESTABLISHED 1916
[avgnsx.exe]

TCP alexander:10080 jL.chura.pl:1811 ESTABLISHED 1916
[avgnsx.exe]

TCP alexander:10080 jL.chura.pl:1729 ESTABLISHED 1916
[avgnsx.exe]

TCP alexander:10080 jL.chura.pl:1737 ESTABLISHED 1916
[avgnsx.exe]

TCP alexander:1712 im-in-f104.google.com:http TIME_WAIT 0
TCP alexander:1776 media.fastclick.net:http TIME_WAIT 0
TCP alexander:1778 media.fastclick.net:http TIME_WAIT 0
TCP alexander:1804 74.201.94.127:http TIME_WAIT 0
TCP alexander:1743 jL.chura.pl:10080 TIME_WAIT 0
TCP alexander:1753 jL.chura.pl:10080 TIME_WAIT 0
TCP alexander:1755 jL.chura.pl:10080 TIME_WAIT 0
TCP alexander:1759 jL.chura.pl:10080 TIME_WAIT 0
TCP alexander:1761 jL.chura.pl:10080 TIME_WAIT 0
TCP alexander:1762 jL.chura.pl:10080 TIME_WAIT 0
TCP alexander:1765 jL.chura.pl:10080 TIME_WAIT 0
TCP alexander:1771 jL.chura.pl:10080 TIME_WAIT 0
TCP alexander:1775 jL.chura.pl:10080 TIME_WAIT 0
TCP alexander:1777 jL.chura.pl:10080 TIME_WAIT 0
TCP alexander:1779 jL.chura.pl:10080 TIME_WAIT 0
TCP alexander:1782 jL.chura.pl:10080 TIME_WAIT 0
TCP alexander:1786 jL.chura.pl:10080 TIME_WAIT 0
TCP alexander:1789 jL.chura.pl:10080 TIME_WAIT 0
TCP alexander:1802 jL.chura.pl:10080 TIME_WAIT 0
TCP alexander:1805 jL.chura.pl:10080 TIME_WAIT 0
TCP alexander:10080 jL.chura.pl:1769 TIME_WAIT 0
TCP alexander:10080 jL.chura.pl:1781 TIME_WAIT 0
TCP alexander:10080 jL.chura.pl:1793 TIME_WAIT 0
TCP alexander:10080 jL.chura.pl:1746 TIME_WAIT 0
TCP alexander:10080 jL.chura.pl:1750 TIME_WAIT 0
TCP alexander:10080 jL.chura.pl:1714 TIME_WAIT 0
TCP alexander:10080 jL.chura.pl:1745 TIME_WAIT 0
TCP alexander:10080 jL.chura.pl:1721 TIME_WAIT 0
TCP alexander:10080 jL.chura.pl:1766 TIME_WAIT 0
TCP alexander:10080 jL.chura.pl:1773 TIME_WAIT 0
TCP alexander:10080 jL.chura.pl:1797 TIME_WAIT 0
TCP alexander:10080 jL.chura.pl:1741 TIME_WAIT 0
TCP alexander:10080 jL.chura.pl:1724 TIME_WAIT 0
TCP alexander:10080 jL.chura.pl:1719 TIME_WAIT 0
TCP alexander:10080 jL.chura.pl:1791 TIME_WAIT 0
TCP alexander:10080 jL.chura.pl:1749 TIME_WAIT 0
TCP alexander:10080 jL.chura.pl:pptp TIME_WAIT 0
TCP alexander:10080 jL.chura.pl:1795 TIME_WAIT 0
TCP alexander:10080 jL.chura.pl:1799 TIME_WAIT 0
TCP alexander:10080 jL.chura.pl:1717 TIME_WAIT 0


My computer is not that slowed down, but my concern is the site jL.chura.pl. I also used the AVG rmvirut tool to remove the win32/virut virus. It removed this virus from everywhere except netstat.exe and osk.exe. I am thinking of deleting the two files, but I am not sure whether it helps or whether it may cause some system damage.

Here is the DDS report:


DDS (Ver_09-03-16.01) - NTFSx86
Run by Administrator at 1:05:04.51 on Thu 04/09/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.254.34 [GMT 5.5:30]


============== Running Processes ===============

D:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
D:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
D:\PROGRA~1\AVG\AVG8\avgemc.exe
D:\PROGRA~1\AVG\AVG8\avgam.exe
D:\PROGRA~1\AVG\AVG8\avgrsx.exe
D:\PROGRA~1\AVG\AVG8\avgnsx.exe
D:\WINDOWS\Explorer.EXE
D:\Program Files\AVG\AVG8\avgcsrvx.exe
D:\PROGRA~1\AVG\AVG8\avgtray.exe
D:\WINDOWS\system32\ctfmon.exe
D:\Program Files\AVG\AVG8\avgui.exe
D:\Program Files\AVG\AVG8\avgcsrvx.exe
D:\Program Files\Mozilla Firefox\firefox.exe
D:\Documents and Settings\Administrator.ALEXANDER\Desktop\dds.scr

============== Pseudo HJT Report ===============

BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - d:\program files\avg\avg8\avgssie.dll
BHO: AVG Security Toolbar: {a057a204-bacc-4d26-9990-79a187e2698e} - d:\progra~1\avg\avg8\AVGTOO~1.DLL
TB: AVG Security Toolbar: {a057a204-bacc-4d26-9990-79a187e2698e} - d:\progra~1\avg\avg8\AVGTOO~1.DLL
uRun: [ctfmon.exe] d:\windows\system32\ctfmon.exe
uRun: [googletalk] "d:\program files\google\google talk\googletalk.exe" /autostart
mRun: [IgfxTray] d:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] d:\windows\system32\hkcmd.exe
mRun: [AVG8_TRAY] d:\progra~1\avg\avg8\avgtray.exe
mRun: [NeroCheck] d:\windows\system32\NeroCheck.exe
mRun: [googletalk] d:\program files\google\google talk\googletalk.exe /autostart
mRunOnce: [Malwarebytes' Anti-Malware] d:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent
dRunOnce: [nltide_2] regsvr32 /s /n /i:U shell32
IE: E&xport to Microsoft Excel - d:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - d:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - d:\progra~1\micros~2\office12\REFIEBAR.DLL
TCP: {C94F5F69-625B-4B96-932B-DCE0500712FF} = 202.56.215.55 202.56.215.54
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - d:\program files\avg\avg8\avgpp.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: igfxcui - igfxsrvc.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - d:\windows\system32\wpdshserviceobj.dll

================= FIREFOX ===================

FF - ProfilePath - d:\docume~1\admini~1.ale\applic~1\mozilla\firefox\profiles\1w6to3qp.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.in/

============= SERVICES / DRIVERS ===============

R0 AvgRkx86;avgrkx86.sys;d:\windows\system32\drivers\avgrkx86.sys [2009-3-30 12552]
R1 AvgLdx86;AVG AVI Loader Driver x86;d:\windows\system32\drivers\avgldx86.sys [2009-3-30 325640]
R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;d:\windows\system32\drivers\avgmfx86.sys [2009-3-30 27656]
R1 AvgTdiX;AVG8 Network Redirector;d:\windows\system32\drivers\avgtdix.sys [2009-3-30 108552]
R2 avg8emc;AVG8 E-mail Scanner;d:\progra~1\avg\avg8\avgemc.exe [2009-4-1 908056]
R2 avg8wd;AVG8 WatchDog;d:\progra~1\avg\avg8\avgwdsvc.exe [2009-4-1 298264]
R3 iadusb;USB IAD LAN Modem;d:\windows\system32\drivers\glauiad.sys [2009-3-30 30336]

============= FINISH: 1:05:59.85 ===============


Any help will be highly appreciated.

Thanks in advance!



Edited by amerigo, 08 April 2009 - 03:02 PM.



#2 shelf life

  • Malware Response Team

Posted 20 April 2009 - 05:01 PM

Hi,

Sorry for the delay, no shortage of posters. Bad news for you: Win32/Virut is a virus that attaches itself to your exe and scr files. It can be difficult to remove the virus from all the files. It could also leave behind damaged exe files, causing more problems later. A machine compromised to this extent can no longer be trusted.
Recommended to reformat Windows. It can also spread via USB flash drives. It also has an additional backdoor payload: those queries you see in netstat.

This doesn't look good either:

[nltide_2] regsvr32 /s /n /i:U shell32

How Can I Reduce My Risk to Malware?


#3 amerigo


Posted 23 April 2009 - 04:07 PM

Hi Shelf life,

Thanks for your advice. I deleted these two files, i.e. the netstat and osk files. Now my virus scanner is green, i.e. no infection found anywhere. I don't want to format my system right now, as it has .NET, Oracle and Micro Focus installed on it. So my question is: as my virus scanner reveals that there is no virus on the system, is it safe now? I also ran Malwarebytes and it also cleaned the system. I'm not able to run netstat as I deleted it, so I am not able to check whether it is still looking for jL.chura.pl or not.
Here is the new DDS log:

DDS (Ver_09-03-16.01) - NTFSx86
Run by Administrator at 2:33:47.40 on Fri 04/24/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.638.177 [GMT 5.5:30]


============== Running Processes ===============

D:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
D:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
D:\Program Files\Micro Focus\Net Express 5.1\WCS\Bin\ELService.exe
D:\Program Files\Micro Focus\Net Express 5.1\Base\Bin\mfauditmgr.exe
D:\Program Files\Micro Focus\Net Express 5.1\Base\Bin\MFDS.EXE
D:\Program Files\Micro Focus\Net Express 5.1\MFSQL\Bin\XSRVNX.EXE
D:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
D:\PROGRA~1\AVG\AVG8\avgemc.exe
D:\PROGRA~1\AVG\AVG8\avgam.exe
D:\PROGRA~1\AVG\AVG8\avgrsx.exe
D:\PROGRA~1\AVG\AVG8\avgnsx.exe
D:\Program Files\AVG\AVG8\avgcsrvx.exe
D:\WINDOWS\Explorer.EXE
D:\PROGRA~1\AVG\AVG8\avgtray.exe
D:\WINDOWS\system32\ctfmon.exe
D:\WINDOWS\pchealth\helpctr\binaries\HelpCtr.exe
D:\WINDOWS\PCHealth\HelpCtr\Binaries\HelpCtr.exe
D:\WINDOWS\PCHealth\HelpCtr\Binaries\HelpSvc.exe
D:\Program Files\Mozilla Firefox\firefox.exe
D:\Program Files\AVG\AVG8\avgscanx.exe
D:\Program Files\AVG\AVG8\avgcsrvx.exe
D:\Program Files\AVG\AVG8\avgui.exe
D:\Documents and Settings\Administrator.ALEXANDER\Desktop\dds.scr

============== Pseudo HJT Report ===============

BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - d:\program files\avg\avg8\avgssie.dll
BHO: AVG Security Toolbar: {a057a204-bacc-4d26-9990-79a187e2698e} - d:\progra~1\avg\avg8\AVGTOO~1.DLL
TB: AVG Security Toolbar: {a057a204-bacc-4d26-9990-79a187e2698e} - d:\progra~1\avg\avg8\AVGTOO~1.DLL
uRun: [ctfmon.exe] d:\windows\system32\ctfmon.exe
uRun: [googletalk] "d:\program files\google\google talk\googletalk.exe" /autostart
mRun: [IgfxTray] d:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] d:\windows\system32\hkcmd.exe
mRun: [AVG8_TRAY] d:\progra~1\avg\avg8\avgtray.exe
mRun: [NeroCheck] d:\windows\system32\NeroCheck.exe
mRun: [googletalk] d:\program files\google\google talk\googletalk.exe /autostart
mRun: [KE9801] d:\progra~1\t-media\MMHotKey.EXE
mRun: [PWRISOVM.EXE] d:\program files\poweriso\PWRISOVM.EXE
dRunOnce: [nltide_2] regsvr32 /s /n /i:U shell32
IE: E&xport to Microsoft Excel - d:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - d:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - d:\progra~1\micros~2\office12\REFIEBAR.DLL
TCP: {C94F5F69-625B-4B96-932B-DCE0500712FF} = 202.56.215.55 202.56.215.54
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - d:\program files\avg\avg8\avgpp.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: igfxcui - igfxsrvc.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - d:\windows\system32\wpdshserviceobj.dll

================= FIREFOX ===================

FF - ProfilePath - d:\docume~1\admini~1.ale\applic~1\mozilla\firefox\profiles\1w6to3qp.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.in/webhp?client=firefox-a&rls=org.mozilla:en-US:official&channel=s&hl=en&btnG=Google+Search

============= SERVICES / DRIVERS ===============

R0 AvgRkx86;avgrkx86.sys;d:\windows\system32\drivers\avgrkx86.sys [2009-3-30 12552]
R1 AvgLdx86;AVG AVI Loader Driver x86;d:\windows\system32\drivers\avgldx86.sys [2009-3-30 325640]
R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;d:\windows\system32\drivers\avgmfx86.sys [2009-3-30 27656]
R1 AvgTdiX;AVG8 Network Redirector;d:\windows\system32\drivers\avgtdix.sys [2009-3-30 108552]
R2 avg8emc;AVG8 E-mail Scanner;d:\progra~1\avg\avg8\avgemc.exe [2009-4-1 908056]
R2 avg8wd;AVG8 WatchDog;d:\progra~1\avg\avg8\avgwdsvc.exe [2009-4-1 298264]
R2 mf_CCITCP2;Micro Focus Directory Server;d:\program files\micro focus\net express 5.1\base\bin\MFDS.EXE [2008-6-13 1462272]
R2 mfauditmgr;Micro Focus Audit Manager;d:\program files\micro focus\net express 5.1\base\bin\mfauditmgr.exe [2008-6-13 36955]
R2 Micro Focus XDB Server for NX 5.1;Micro Focus XDB Server for NX 5.1;d:\program files\micro focus\net express 5.1\mfsql\bin\XSRVNX.EXE [2008-6-13 24576]
R3 iadusb;USB IAD LAN Modem;d:\windows\system32\drivers\glauiad.sys [2009-3-30 30336]

============= FINISH: 2:34:43.17 ===============



How can I verify that my computer is not looking for that site ?

Thanks in advance!




#4 shelf life

  • Malware Response Team

Posted 23 April 2009 - 07:11 PM

OK. You can grab a copy of netstat off another Windows installation. There's also Sysinternals TCPView. I also like fport, which is like netstat but provides more info. I would suggest a software firewall, but these can be of little value on a compromised machine. Some malware can easily escape a FW.

How Can I Reduce My Risk to Malware?
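For the question of how to verify whether the machine is still talking to a given host, here is an added example that is not code from the thread: it parses Windows `netstat -b -o` output in the XP-era layout shown above (a connection line optionally followed by a `[process.exe]` line), reports connections to a host per owning process, and flags mirrored port pairs, which netstat can only show when both sockets are on the local machine, i.e. when the name resolves to a local address. The sample text is constructed to mimic the thread's layout, and the host name and processes in it are taken from that layout, not from a real capture.

```python
"""Parse Windows ``netstat -b -o`` output and report who is talking to a host.

Added example, not code from the thread. It assumes the XP-era layout shown
above: one ``Proto Local Foreign State PID`` line per TCP connection, optionally
followed by a ``[process.exe]`` line naming the owning process.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample in the thread's layout; the values are made up to mimic it.
SAMPLE = """Active Connections

Proto Local Address Foreign Address State PID
TCP alexander:1709 ti-in-f19.google.com:https ESTABLISHED 1040
[firefox.exe]

TCP alexander:1043 jL.chura.pl:1044 ESTABLISHED 1040
[firefox.exe]

TCP alexander:1044 jL.chura.pl:1043 ESTABLISHED 1040
[firefox.exe]

TCP alexander:1727 jL.chura.pl:10080 ESTABLISHED 1040
[firefox.exe]

TCP alexander:10080 jL.chura.pl:1727 ESTABLISHED 1916
[avgnsx.exe]

TCP alexander:1743 jL.chura.pl:10080 TIME_WAIT 0
"""


@dataclass
class Conn:
    proto: str
    local_host: str
    local_port: str      # kept as text: netstat prints service names (https, pptp)
    remote_host: str
    remote_port: str
    state: str
    pid: int
    process: Optional[str] = None


# TCP line: proto, local host:port, remote host:port, state, pid.
# UDP lines have no state column and are deliberately not matched.
CONN_RE = re.compile(r"^(TCP)\s+(\S+):(\S+)\s+(\S+):(\S+)\s+(\S+)\s+(\d+)$")
PROC_RE = re.compile(r"^\[(.+)\]$")


def parse_netstat(text: str) -> List[Conn]:
    """Turn netstat text into Conn records, attaching each [process] line to
    the connection printed just before it."""
    conns: List[Conn] = []
    for raw in text.splitlines():
        line = raw.strip()
        m = CONN_RE.match(line)
        if m:
            proto, lh, lp, rh, rp, state, pid = m.groups()
            conns.append(Conn(proto, lh, lp, rh, rp, state, int(pid)))
            continue
        m = PROC_RE.match(line)
        if m and conns and conns[-1].process is None:
            conns[-1].process = m.group(1)
    return conns


def connections_to(conns: List[Conn], host: str) -> List[Conn]:
    """All connections whose foreign address is the given host name."""
    return [c for c in conns if c.remote_host.lower() == host.lower()]


def processes_talking_to(conns: List[Conn], host: str) -> Dict[str, int]:
    """Count connections to host per owning process; TIME_WAIT entries have
    PID 0 and no process line, so they are reported as 'pid 0'."""
    return dict(Counter(c.process or f"pid {c.pid}"
                        for c in connections_to(conns, host)))


def _port_key(port: str) -> Tuple[int, object]:
    # Numeric ports sort numerically; named ports (https, pptp) sort after them.
    return (0, int(port)) if port.isdigit() else (1, port)


def mirrored_pairs(conns: List[Conn]) -> List[Tuple[str, str]]:
    """Port pairs that appear in both directions (A:p1->B:p2 and A:p2->B:p1).
    netstat can only list both ends of a TCP connection when both sockets are
    on this machine, so the 'remote' name resolves to a local address; confirm
    with `netstat -n`, which prints numeric addresses instead of names."""
    seen = {(c.local_port, c.remote_port) for c in conns}
    pairs = set()
    for c in conns:
        if (c.remote_port, c.local_port) in seen:
            pairs.add(tuple(sorted((c.local_port, c.remote_port), key=_port_key)))
    return sorted(pairs, key=lambda p: (_port_key(p[0]), _port_key(p[1])))


if __name__ == "__main__":
    parsed = parse_netstat(SAMPLE)
    print(processes_talking_to(parsed, "jl.chura.pl"))
    print(mirrored_pairs(parsed))
```

Run it against the saved output of `netstat -b -o` instead of SAMPLE to get the per-process count for any host; a non-empty mirrored-pair list means the name is being resolved to this machine, so check the numeric form with `netstat -n` before treating those entries as outbound traffic.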
