Hijack This Log


  • This topic is locked
6 replies to this topic

#1 arin1

arin1

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:03:05 AM

Posted 18 April 2009 - 12:29 PM

I can't seem to get DDS to work. It just sits there and... doesn't do anything. I ran DSKCHK. Tried to do as much as I can before posting.

A couple days ago my computer just started getting REALLY slow with intermittent popups that weren't affiliated with the websites I was browsing. I have 2 IEXPLORE.EXE System processes that I haven't had before, and I do not use IE. I have multiple new yvrosx5.exe processes. A couple that are just long numbers (403009022.exe). Well, hope you can help, my computer is nearly unusable:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:28:50 PM, on 04/18/09
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\system32\LXSUPMON.EXE
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\lxcycoms.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Lexmark 3400 Series\lxcymon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Lexmark 3400 Series\ezprint.exe
C:\Program Files\QuickTime\QTTask.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\System32\reader_s.exe
C:\WINDOWS\services.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\DOCUME~1\HP_Owner\LOCALS~1\Temp\yvrosx5.exe
C:\WINDOWS\system32\svchost.exe
C:\DOCUME~1\HP_Owner\LOCALS~1\Temp\yvrosx5.exe
C:\Documents and Settings\HP_Owner\reader_s.exe
C:\DOCUME~1\HP_Owner\LOCALS~1\Temp\4037009022.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\DOCUME~1\HP_Owner\LOCALS~1\Temp\yvrosx5.exe
C:\DOCUME~1\HP_Owner\LOCALS~1\Temp\yvrosx5.exe
C:\DOCUME~1\HP_Owner\LOCALS~1\Temp\yvrosx5.exe
C:\DOCUME~1\HP_Owner\LOCALS~1\Temp\yvrosx5.exe
C:\DOCUME~1\HP_Owner\LOCALS~1\Temp\yvrosx5.exe
C:\DOCUME~1\HP_Owner\LOCALS~1\Temp\yvrosx5.exe
C:\DOCUME~1\HP_Owner\LOCALS~1\Temp\yvrosx5.exe
C:\DOCUME~1\HP_Owner\LOCALS~1\Temp\yvrosx5.exe
C:\DOCUME~1\HP_Owner\LOCALS~1\Temp\yvrosx5.exe
C:\DOCUME~1\HP_Owner\LOCALS~1\Temp\yvrosx5.exe
C:\DOCUME~1\HP_Owner\LOCALS~1\Temp\yvrosx5.exe
C:\DOCUME~1\HP_Owner\LOCALS~1\Temp\yvrosx5.exe
C:\DOCUME~1\HP_Owner\LOCALS~1\Temp\yvrosx5.exe
C:\DOCUME~1\HP_Owner\LOCALS~1\Temp\yvrosx5.exe
C:\DOCUME~1\HP_Owner\LOCALS~1\Temp\yvrosx5.exe
C:\DOCUME~1\HP_Owner\LOCALS~1\Temp\yvrosx5.exe
C:\DOCUME~1\HP_Owner\LOCALS~1\Temp\yvrosx5.exe
C:\DOCUME~1\HP_Owner\LOCALS~1\Temp\yvrosx5.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre1.6.0_03\bin\jucheck.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\HP_Owner\Desktop\HiJackThis(2).exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = actsvr.comcastonline.com:8100
F2 - REG:system.ini: UserInit=userinit.exe,C:\WINDOWS\system32\ntos.exe,
O2 - BHO: (no name) - {d79bbd36-c419-428e-a6a0-32225550a2ed} - C:\WINDOWS\system32\tapusuye.dll
O2 - BHO: C:\WINDOWS\system32\sdfgerfgf3f.dll - {e2ba40a2-74f3-42bd-f434-2604812c8953} - C:\WINDOWS\system32\sdfgerfgf3f.dll
O4 - HKLM\..\Run: [AutoTBar] c:\Program Files\HP\Digital Imaging\bin\AUTOTBAR.EXE
O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\system32\LXSUPMON.EXE RUN
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [lxcymon.exe] "C:\Program Files\Lexmark 3400 Series\lxcymon.exe"
O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark 3400 Series\ezprint.exe"
O4 - HKLM\..\Run: [FaxCenterServer] "C:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s
O4 - HKLM\..\Run: [LXCYCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCYtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Msuwiyu] rundll32.exe "C:\WINDOWS\Jzuwiseciy.dll",e
O4 - HKLM\..\Run: [reader_s] C:\WINDOWS\System32\reader_s.exe
O4 - HKLM\..\Run: [Hdura] rundll32.exe "C:\WINDOWS\olixidet.dll",e
O4 - HKLM\..\Run: [sadufotobu] Rundll32.exe "C:\WINDOWS\system32\yusujapa.dll",s
O4 - HKLM\..\Run: [services] C:\WINDOWS\services.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [74d31d7c] rundll32.exe "C:\WINDOWS\system32\lugumani.dll",b
O4 - HKLM\..\Run: [CPM77e02ee0] Rundll32.exe "c:\windows\system32\kiseluzo.dll",a
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\bittorrent\bittorrent.exe" --force_start_minimized
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O4 - HKCU\..\Run: [] C:\DOCUME~1\HP_Owner\LOCALS~1\Temp\yvrosx5.exe
O4 - HKCU\..\Run: [Windows Resurections] C:\DOCUME~1\HP_Owner\LOCALS~1\Temp\yvrosx5.exe
O4 - HKCU\..\Run: [reader_s] C:\Documents and Settings\HP_Owner\reader_s.exe
O4 - HKCU\..\Run: [Diagnostic Manager] C:\DOCUME~1\HP_Owner\LOCALS~1\Temp\4037009022.exe
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [reader_s] C:\WINDOWS\system32\config\systemprofile\reader_s.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [Diagnostic Manager] C:\WINDOWS\TEMP\142009022.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [] C:\WINDOWS\TEMP\wdbbbomp.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [Windows Resurections] C:\WINDOWS\TEMP\wdbbbomp.exe (User 'Default user')
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: PokerStars.net - {FA9B9510-9FCB-4ca0-818C-5D0987B47C4D} - C:\Program Files\PokerStars.NET\PokerStarsUpdate.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - AppInit_DLLs: c:\windows\system32\sobamehu.dll C:\WINDOWS\system32\jowotizu.dll c:\windows\system32\reboyuti.dll c:\windows\system32\kiseluzo.dll
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\sobamehu.dll
O22 - SharedTaskScheduler: sdfg54y54yhhgth6w4efvrg - {E2BA40A2-74F3-42BD-F434-2604812C8953} - C:\WINDOWS\system32\sdfgerfgf3f.dll
O22 - SharedTaskScheduler: as3iur98wajkef3wgf3 - {A5AF42A3-94F3-42BD-F634-0604832C897D} - C:\WINDOWS\system32\yaubfh983ind.dll (file missing)
O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\sobamehu.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Background Intelligent Transfer Service (BITS) - Unknown owner - C:\WINDOWS\
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: lxcy_device - - C:\WINDOWS\system32\lxcycoms.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 9572 bytes
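
As an added example (not code from this thread, from the poster, or from the HijackThis tool itself), the following Python script applies the checks a log reader would otherwise make by hand to a log in the HijackThis v2 format: executables running from a Temp directory (and how many copies are live), Run entries with no name or pointing into Temp, rundll32 loading a DLL from the Windows root, an extra program on the UserInit line, a policy that disables regedit, and a populated AppInit_DLLs. The sample log and every name and path in it are constructed for the example and are not taken from the log above.

```python
import re

# Constructed sample in HijackThis v2 format. The names and paths are placeholders
# chosen to exercise each check; none are taken from the log in the post above.
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Running processes:
C:\WINDOWS\system32\svchost.exe
C:\DOCUME~1\User\LOCALS~1\Temp\abc123.exe
C:\DOCUME~1\User\LOCALS~1\Temp\abc123.exe
C:\Program Files\Example\example.exe

F2 - REG:system.ini: UserInit=userinit.exe,C:\WINDOWS\system32\extra.exe,
O4 - HKLM\..\Run: [Example] "C:\Program Files\Example\example.exe"
O4 - HKCU\..\Run: [] C:\DOCUME~1\User\LOCALS~1\Temp\abc123.exe
O4 - HKLM\..\Run: [Loader] rundll32.exe "C:\WINDOWS\loader.dll",e
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O20 - AppInit_DLLs: c:\windows\system32\hook.dll
O23 - Service: Example Service - Example Inc. - C:\Program Files\Example\svc.exe
"""

# A path component named Temp (any case), as in ...\LOCALS~1\Temp\ or C:\WINDOWS\TEMP\.
TEMP_RE = re.compile(r"\\Temp\\", re.IGNORECASE)
# O4 lines: "O4 - <hive>\..\Run: [<name>] <command>"
O4_RE = re.compile(r"^O4 - (?P<hive>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# F2 UserInit line; the value is a comma-separated program list.
F2_RE = re.compile(r"^F2 - REG:system\.ini: UserInit=(?P<value>.*)$", re.IGNORECASE)
# rundll32 loading a DLL that sits directly in C:\WINDOWS rather than a subfolder.
RUNDLL_ROOT_RE = re.compile(r'rundll32(?:\.exe)?\s+"?C:\\WINDOWS\\[^\\"]+\.dll', re.IGNORECASE)


def triage(log_text):
    """Scan a HijackThis log and return (check, detail) pairs that deserve a human look."""
    findings = []
    proc_counts = {}
    in_procs = False
    for raw in log_text.splitlines():
        ln = raw.strip()
        if ln == "Running processes:":
            in_procs = True
            continue
        if in_procs:
            if not ln:                      # a blank line ends the process list
                in_procs = False
            else:
                proc_counts[ln] = proc_counts.get(ln, 0) + 1
            continue
        m = O4_RE.match(ln)
        if m:
            if not m.group("name").strip():
                findings.append(("run-entry-without-name", ln))
            if TEMP_RE.search(m.group("cmd")):
                findings.append(("run-entry-from-temp-dir", ln))
            if RUNDLL_ROOT_RE.search(m.group("cmd")):
                findings.append(("run-entry-rundll32-from-windows-root", ln))
            continue
        m = F2_RE.match(ln)
        if m:
            parts = [p.strip() for p in m.group("value").split(",") if p.strip()]
            # Anything on the UserInit line besides userinit.exe itself runs at every logon.
            extras = [p for p in parts if p.lower().rsplit("\\", 1)[-1] != "userinit.exe"]
            if extras:
                findings.append(("userinit-runs-extra-program", ", ".join(extras)))
            continue
        if ln.startswith("O7 - ") and "DisableRegedit=1" in ln:
            findings.append(("registry-editor-disabled-by-policy", ln))
        elif ln.startswith("O20 - AppInit_DLLs:") and ln.split(":", 1)[1].strip():
            findings.append(("appinit-dlls-configured", ln))
    # Executables running out of a Temp directory, with the number of live copies.
    for path, n in proc_counts.items():
        if TEMP_RE.search(path):
            findings.append(("process-running-from-temp-dir", f"{path} (x{n})"))
    return findings


def summarize(findings):
    """Count findings per check name."""
    counts = {}
    for check, _ in findings:
        counts[check] = counts.get(check, 0) + 1
    return counts


if __name__ == "__main__":
    for check, detail in triage(SAMPLE_LOG):
        print(f"{check:40} {detail}")
```

Each check corresponds to a line type in the log format (process list, O4, F2, O7, O20); the script flags, it does not remove anything, because on a host like the one in this thread the log is evidence for the reinstall decision rather than a cleanup list.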

#2 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:07:05 AM

Posted 18 April 2009 - 03:44 PM

Hi arin1,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.

Please give me a little time to go through your log. I will also let you know that I am a trainee, so each stage of the fix will need to be checked by an expert coach before I post, and there may be a slight delay. Don't worry, I won't abandon you.
  • Please subscribe to this topic, if you haven't already, and wait for me to get back to you.
  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.
  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 2 days I will bump the topic and if you do not reply by the following day then I will close the topic.

Thanks :thumbup2:
m0le is a proud member of UNITE

#3 arin1

arin1
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:03:05 AM

Posted 18 April 2009 - 07:52 PM

Alright. I'm ready to roll

#4 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:07:05 AM

Posted 19 April 2009 - 09:25 AM

Hi arin1,

Your System is infected with Virut!! :thumbup2:

Virut is a file infecting virus which is able to modify itself each and every time it runs. In addition, when it infects, sometimes it will destroy the file it tries to latch onto.
For these reasons, you really can't truly fix Virut. You will need to format/reinstall the operating system on this machine.

More information:
http://free.avg.com/66558

There are bugs in the viral code. When the virus produces infected files, it also creates non-functional files that also contain the virus.


http://home.mcafee.com/VirusInfo/VirusProf...aspx?key=143034

W32/Virut.h is a polymorphic, entry point obscuring (EPO) file infector with IRC bot functionality. It can accept commands to download other malware on the compromised machine.
It appends to the end of the last section of executable (PE) files an encrypted copy of its code. The decryptor is polymorphic and can be located either:
  • Immediately before the encrypted code at the end of the last section
  • At the end of the code section of the infected host in 'slack-space' (assuming there is any)
  • At the original entry point of the host (overwriting the original host code)


Miekiemoes, one of our team members here and an MS-MVP, additionally has a blog post about Virut.

Sorry, there is no fix for Virut which Bleeping Computer recommends at present.

If you have any questions then post me a reply.

m0le
m0le is a proud member of UNITE
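
The McAfee description quoted above says the infector appends its code to the last section of a PE file and may place its decryptor there. As an added example (not code from this thread, from m0le, or from any AV vendor), the following Python script reads the PE headers with only the standard library and reports the layout signs a triage analyst checks first: an entry point that lands in the last section, an entry section that is both writable and executable, or an entry section not marked as code. The PE images it examines are constructed in memory as headers-only fixtures, not real binaries; the section names and flag values are the standard PE/COFF ones.

```python
import struct

# Section characteristic flags from the PE/COFF specification.
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def parse_sections(data):
    """Return (AddressOfEntryPoint, [(name, rva, size, characteristics), ...]) from a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    size_opt = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    entry = struct.unpack_from("<I", data, opt + 16)[0]   # same offset in PE32 and PE32+
    sections = []
    first = opt + size_opt                                # section table follows the optional header
    for i in range(num_sections):
        (name, vsize, rva, rawsize, _rawptr, _reloc, _lines,
         _nreloc, _nlines, chars) = struct.unpack_from("<8sIIIIIIHHI", data, first + 40 * i)
        sections.append((name.rstrip(b"\0").decode("ascii", "replace"), rva, max(vsize, rawsize), chars))
    return entry, sections


def entry_point_triage(data):
    """Header-only heuristics for an appended-code file infector; returns a list of findings."""
    entry, sections = parse_sections(data)
    hosting = [i for i, (_, rva, size, _) in enumerate(sections) if rva <= entry < rva + size]
    if not hosting:
        return ["entry point is outside every section"]
    i = hosting[0]
    name, rva, size, chars = sections[i]
    findings = []
    if len(sections) > 1 and i == len(sections) - 1:
        findings.append(f"entry point is in the last section ({name})")
    if chars & IMAGE_SCN_MEM_WRITE and chars & IMAGE_SCN_MEM_EXECUTE:
        findings.append(f"entry section {name} is writable and executable")
    if not chars & IMAGE_SCN_CNT_CODE:
        findings.append(f"entry section {name} is not marked as code")
    return findings


def build_pe(entry_rva, sections):
    """Constructed fixture: a headers-only PE32 image (not a runnable binary)."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                     # e_lfanew -> PE signature right after
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 224, 0x102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                     # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)                # AddressOfEntryPoint
    hdrs = b"".join(
        struct.pack("<8sIIIIIIHHI", name.encode("ascii").ljust(8, b"\0"),
                    size, rva, size, 0, 0, 0, 0, 0, chars)
        for name, rva, size, chars in sections)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + hdrs


CODE = IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ
DATA = IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE

# Constructed samples: a normal layout, and one whose entry point was moved into a
# writable+executable last section, the shape the quoted description attributes to Virut.
CLEAN_PE = build_pe(0x1010, [(".text", 0x1000, 0x1000, CODE), (".data", 0x2000, 0x1000, DATA)])
SUSPECT_PE = build_pe(0x3F00, [(".text", 0x1000, 0x1000, CODE), (".data", 0x2000, 0x1000, DATA),
                               (".rsrc", 0x3000, 0x1000, DATA | IMAGE_SCN_MEM_EXECUTE)])

if __name__ == "__main__":
    for label, img in (("clean", CLEAN_PE), ("suspect", SUSPECT_PE)):
        print(label, entry_point_triage(img) or ["no findings"])
```

The third placement in the quoted description, a decryptor written over the original code at the host's entry point, leaves the section table looking normal and is invisible to this kind of header check; that is the practical reason the reply treats an AV scan as insufficient for files from this machine and recommends a reinstall.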

#5 arin1

arin1
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:03:05 AM

Posted 19 April 2009 - 12:07 PM

Well, I have reformatted before, but never had to back much up. Can I create another partition on my hard drive and back up everything on there, then reformat the original one?

#6 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:07:05 AM

Posted 20 April 2009 - 11:32 AM

Hi arin1

No, you shouldn't do that. It would be best for you to burn your non-infectable files to CD and rescan anything before putting it back on the new installation.

These files can be infectable:
(.EXE and .SCR files and possibly any of these may be infected: htm, html, asp and php)

They could also plug in an external hard drive and boot with a Linux CD to recover files, making it safer for the user since a Windows virus won't run on Linux.

A small tutorial can be found here:
http://www.howtogeek.com/howto/windows-vis...ndows-computer/
m0le is a proud member of UNITE

#7 kahdah

kahdah

  • Security Colleague
  • 11,138 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Florida
  • Local time:03:05 AM

Posted 24 April 2009 - 07:59 PM

Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :thumbup2:

If you're the topic starter and need this topic reopened, please contact me via PM with the address of the thread.

Everyone else please begin a New Topic.
Please do not pm for help, post it in the forums instead.

If I am helping you and have not responded for 48 hours please send me a pm as I don't always get notifications.

My help is always free, however, if you would like to make a donation to me for the help I have provided please click here.