Virtumonde infection


  • This topic is locked
4 replies to this topic

#1 RWFBreen

RWFBreen

  • Members
  • 2 posts

Posted 19 April 2009 - 11:00 AM

I had a Virtumonde infection which AVG claims to have fixed. However I am still not able to access 'folder options' in my explorer windows, nor am I able to open regedit (I get the message "Registry editing has been disabled by your administrator"). I have included the DDS report below and attached the attach.txt.

DDS (Ver_09-03-16.01) - NTFSx86
Run by Richard at 16:58:20.65 on 19/04/2009
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Professional 5.1.2600.2.1252.44.1033.18.1023.353 [GMT 1:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\PS3 Media Server\win32\service\wrapper.exe
C:\WINDOWS\System32\PAStiSvc.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe
C:\Program Files\TVersity\Media Server\MediaServer.exe
C:\WINDOWS\system32\java.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
svchost.exe C:\WINDOWS\TEMP\VRT4.tmp
C:\WINDOWS\System32\reader_s.exe
c:\program Files\ThunMail\testabd.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\TortoiseSVN\bin\TSVNCache.exe
C:\Program Files\DU Meter\DUMeter.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\SimpleCenter\bin\win\sclauncher.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\TEMP\rtv_winupd.exe
C:\WINDOWS\System32\reader_s.exe
C:\Program Files\uICE\uICE.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\TomTom HOME 2\TomTomHOMERunner.exe
C:\Documents and Settings\Richard\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe
C:\Program Files\DigiGuide TV Guide\digiguide.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\dhcp\svchost.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\3361\SVCHOST.exe -sysrun
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\tcpd.exe
C:\Documents and Settings\Richard\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = about:blank
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
mDefault_Search_URL = hxxp://www.google.com/ie
mWindow Title =
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = 192.168.0.*;*.local
uInternet Settings,ProxyServer = wwwcache.bris.ac.uk:8080
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
BHO: c:\windows\system32\sdfgerfgf3f.dll: {e2ba40a2-74f3-42bd-f434-2604812c8953} - c:\windows\system32\sdfgerfgf3f.dll
TB: &Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
EB: &Discuss: {bdeade7f-c265-11d0-bced-00a0c90ab50f} - shdocvw.dll
uRun: [Universal Infrared Control Engine] c:\program files\uice\uICE.exe
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [TomTomHOME.exe] "c:\program files\tomtom home 2\TomTomHOMERunner.exe"
uRun: [Google Update] "c:\documents and settings\richard\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [Diagnostic Manager] c:\docume~1\richard\locals~1\temp\2360446566.exe
uRun: [reader_s] c:\documents and settings\richard\reader_s.exe
mRun: [DU Meter] c:\program files\du meter\DUMeter.exe
mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\ipoint.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [sclauncher] c:\program files\simplecenter\bin\win\sclauncher.exe
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [bedesedohe] Rundll32.exe "c:\windows\system32\jokofumo.dll",s
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [reader_s] c:\windows\system32\reader_s.exe
mRun: [svchost.exe] "c:\windows\system32\3361\SVCHOST.exe"
mRunOnce: [svchost.exe] "c:\windows\system32\3361\SVCHOST.exe"
dRun: [Windows Resurections] c:\windows\temp\qfs1c.exe
dRun: [Diagnostic Manager] c:\windows\temp\1769494504.exe
dRun: [reader_s] c:\windows\system32\config\systemprofile\reader_s.exe
dRun: [svc] c:\program files\thunmail\testabd.exe
StartupFolder: c:\documents and settings\all users\start menu\programs\startup\Adobe Reader Speed Launch.lnk.disabled
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueso~1.lnk - c:\program files\ivt corporation\bluesoleil\BlueSoleil.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digigu~1.lnk - c:\program files\digiguide tv guide\client.exe
StartupFolder: c:\documents and settings\all users\start menu\programs\startup\Adobe Reader Speed Launch.lnk.disabled
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueso~1.lnk - c:\program files\ivt corporation\bluesoleil\BlueSoleil.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digigu~1.lnk - c:\program files\digiguide tv guide\client.exe
uPolicies-explorer: NoFolderOptions = 1 (0x1)
uPolicies-system: DisableRegistryTools = 1 (0x1)
mPolicies-explorer: DisableLocalMachineRunOnce = 0 (0x0)
IE: &Google Search
IE: &Translate English Word
IE: Backward Links
IE: Cached Snapshot of Page
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: Similar Pages
IE: Translate Page into English
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_01\bin\ssv.dll
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {00000075-9980-0010-8000-00AA00389B71} - hxxp://codecs.microsoft.com/codecs/i386/voxacm.CAB
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://www.apple.com/qtactivex/qtplugin.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {200B3EE9-7242-4EFD-B1E4-D97EE825BA53}
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE}
DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - hxxp://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_44.cab
DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} - hxxp://office.microsoft.com/officeupdate/content/opuc2.cab
DPF: {4B48D5DF-9021-45F7-A240-60304302A215}
DPF: {54B52E52-8000-4413-BD67-FC7FE24B59F2} - hxxp://files.ea.com/downloads/rtpatch/v2/EARTPX.cab
DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - hxxp://www.bitdefender.com/scan8/oscan8.cab
DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5}
DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61}
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {8FA9D107-547B-4DBC-9D88-FABD891EDB0A} - hxxp://arcade.icq.com/multiplayer/odyssey_web8.cab
DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} - hxxp://acs.pandasoftware.com/activescan/as5free/asinst.cab
DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09}
DPF: {CAFEEFAC-0014-0002-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} - hxxp://a532.g.akamai.net/f/532/6712/5m/virtools.download.akamai.com/6712/player/install3.5/installer.exe
DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} - hxxp://ax.phobos.apple.com.edgesuite.net/detection/ITDetector.cab
DPF: {DE22A7AB-A739-4C58-AD52-21F9CD6306B7} - hxxp://download.microsoft.com/download/7/E/6/7E6A8567-DFE4-4624-87C3-163549BE2704/clearadj.cab
DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - hxxp://utu.popcap.com/games/popcaploader_v5.cab
DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - hxxp://download.abacast.com/download/files/abasetup144.cab
DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} - hxxp://h30043.www3.hp.com/hpdj/en/check/qdiagh.cab?326
DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6}
DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} - hxxp://cdn.digitalcity.com/_media/dalaillama/ampx.cab
Notify: avgrsstarter - avgrsstx.dll
AppInit_DLLs: c:\windows\system32\wujeluhe.dll c:\windows\system32\sijoyasu.dll c:\windows\system32\pezeyuyi.dll c:\windows\system32\pulemebo.dll c:\windows\system32\ c:\progra~1\thunmail\testabd.dll c:\windows\system32\vowowono.dll,c:\windows\system32\toyuwipi.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\vowowono.dll
STS: c:\windows\system32\sdfgerfgf3f.dll: {e2ba40a2-74f3-42bd-f434-2604812c8953} - c:\windows\system32\sdfgerfgf3f.dll
STS: c:\windows\system32\jh9fgo4ksdgf.dll: {d7bf4552-94f1-42bd-f434-3604812c856d} - c:\windows\system32\jh9fgo4ksdgf.dll
STS: STS: {ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} - c:\windows\system32\vowowono.dll
LSA: Notification Packages = scecli scecli scecli c:\windows\system32\wujeluhe.dll c:\windows\system32\sijoyasu.dll c:\windows\system32\pezeyuyi.dll c:\windows\system32\pulemebo.dll c:\windows\system32\toyuwipi.dll pavand1.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\richard\applic~1\mozilla\firefox\profiles\pbq9plxl.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - plugin: c:\documents and settings\all users\application data\id software\quakelive\npquakezero.dll
FF - plugin: c:\documents and settings\richard\local settings\application data\google\update\1.2.141.5\npGoogleOneClick7.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPTURNMED.dll

============= SERVICES / DRIVERS ===============

R0 BtHidBus;Bluetooth HID Bus Service;c:\windows\system32\drivers\BtHidBus.sys [2009-1-8 20616]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-7-1 325640]
R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2008-7-1 27656]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-7-1 108552]
R2 avg8emc;AVG8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2008-7-1 908056]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2008-7-1 298264]
R2 DhcpSrv;Dhcp server;c:\windows\dhcp\svchost.exe [2009-4-19 216064]
R2 Ias;Ias;c:\windows\system32\svchost.exe -k netsvcs [2001-8-23 14336]
R2 PS3 Media Server;PS3 Media Server;c:\program files\ps3 media server\win32\service\wrapper.exe [2008-8-17 217088]
R2 taskmon;taskmon;c:\program files\uice\TaskMon.sys [2002-11-16 10018]
R2 TomTomHOMEService;TomTomHOMEService;c:\program files\tomtom home 2\TomTomHOMEService.exe [2009-3-18 92008]
R2 vnccom;vnccom;c:\windows\system32\drivers\vnccom.SYS [2008-8-5 6016]
R3 dcddrv;dcddrv;c:\program files\uice\devices\dcddrv.sys [2002-11-16 14336]
R3 HCWBT8XX;Hauppauge WinTV 848/9 WDM Video Driver;c:\windows\system32\drivers\HCWBT8xx.sys [2004-10-28 458820]
S3 at1394;at1394;c:\windows\system32\at1394.sys [2001-8-23 2304]
S3 btnetBUs;Bluetooth PAN Bus Service;c:\windows\system32\drivers\btnetbus.sys --> c:\windows\system32\drivers\btnetBus.sys [?]
S3 DNINDIS5;DNINDIS5 NDIS Protocol Driver;c:\progra~1\belkin\belkin~1.11g\DNINDIS5.SYS [2006-10-15 17149]
S3 DTV_Capture_2X0;DVB-T Receiver;c:\windows\system32\drivers\DTV_Capture_2X0.sys [2005-10-14 18432]
S3 DTV_Loader_2X1;DVB-T Loader;c:\windows\system32\drivers\DTV_Loader_2X1.sys [2005-10-14 19328]
S3 IvtBtBUs;IVT Bluetooth Bus Service;c:\windows\system32\drivers\IvtBtBus.sys [2008-7-2 26248]
S3 PAC7311;VGA SoC PC-Camer@;c:\windows\system32\drivers\PA707UCM.SYS [2005-9-16 150272]
S3 restore;restore;\??\c:\windows\system32\drivers\restore.sys --> c:\windows\system32\drivers\restore.sys [?]
S3 SBExtigyIR;SBExtigyIR;c:\windows\system32\drivers\sbextigy.sys [2002-11-17 7143]
S3 WDM_Capture_220A;DVB-T TV Receiver;c:\windows\system32\drivers\WDM_Capture_220A.sys [2006-3-20 19328]
S3 WDM_Loader_220A;DVB-T TV Loader;c:\windows\system32\drivers\WDM_Loader_220A.sys [2006-6-12 16000]
S4 McAfeeFramework;McAfee Framework Service;c:\program files\network associates\common framework\FrameworkService.exe [2005-10-1 102463]

=============== Created Last 30 ================

2009-04-19 16:58 172,032 a------- c:\windows\system32\tcpcon.dll
2009-04-19 16:58 10,240 a------- c:\windows\system32\Packer.dll
2009-04-19 16:55 36,352 a------- c:\windows\system32\reader_s.exe
2009-04-19 16:55 44 a------- c:\windows\system32\5.tmp
2009-04-19 12:54 <DIR> --d----- c:\program files\Trend Micro
2009-04-19 04:49 94,208 a------- c:\windows\system32\TRSOCR.dll
2009-04-19 04:49 95 a------- c:\windows\system32\TRSOCR.ini
2009-04-18 23:37 <DIR> --d----- c:\program files\LanqiEngine
2009-04-18 22:35 32,137,216 a------- c:\windows\system32\TRSOCR.dat
2009-04-18 22:34 3 a------- c:\windows\system32\bversion.dll
2009-04-18 22:33 565,248 a------- c:\windows\system32\IPHACTION.dll
2009-04-18 21:23 155 a------- c:\windows\system32\SelfDel.bat
2009-04-18 21:08 102,766 a------- c:\windows\system32\drivers\b01ed199.sys
2009-04-18 21:07 46 a------- c:\windows\system32\p2hhr.bat
2009-04-18 21:07 0 a------- c:\windows\system32\IpSvchostF.dll
2009-04-18 21:03 986,112 a------- c:\windows\system32\kernel32_check.dll
2009-04-18 21:03 61,440 a------- c:\windows\system32\tcpd.exe
2009-04-18 21:03 25 a------- c:\windows\system32\tcpd.dll
2009-04-18 21:03 9 a------- c:\windows\system32\riphy.dll
2009-04-18 21:03 9 a------- c:\windows\system32\iphy.dll
2009-04-18 21:03 3 a------- c:\windows\system32\fhpatch.dll
2009-04-18 21:03 0 a------- c:\windows\system32\fiplock.dll
2009-04-18 21:03 <DIR> --d----- c:\windows\system32\3361
2009-04-18 21:03 <DIR> --d----- c:\windows\dhcp
2009-04-18 21:02 <DIR> --dshr-- c:\program files\ThunMail
2009-04-18 21:02 0 a------- c:\windows\system32\75.tmp
2009-04-18 21:02 84 a------- c:\windows\system32\74.tmp
2009-04-18 21:02 182,912 ac------ c:\windows\system32\dllcache\ndis.sys
2009-04-18 21:02 <DIR> --d----- c:\program files\Jcore
2009-04-18 21:01 102,766 a------- c:\windows\system32\drivers\b9039228.sys
2009-04-18 21:01 <DIR> --d----- c:\docume~1\richard\applic~1\pidle
2009-04-18 21:01 2 a------- C:\807808587
2009-04-15 21:54 215,552 -c------ c:\windows\system32\dllcache\wordpad.exe
2009-04-14 09:48 <DIR> --d----- c:\windows\system32\KB905474
2009-04-13 04:15 <DIR> --d----- c:\program files\Thumbs7
2009-03-31 21:20 <DIR> --d----- c:\program files\TomTom International B.V
2009-03-21 01:42 <DIR> --d----- c:\program files\PS3 Media Server

==================== Find3M ====================

2009-04-18 21:07 52,224 a--sh--- c:\windows\system32\dezogewi.exe
2009-04-18 21:02 182,912 a------- c:\windows\system32\drivers\ndis.sys
2009-04-18 09:34 325,640 a------- c:\windows\system32\drivers\avgldx86.sys
2009-04-18 09:34 10,520 a------- c:\windows\system32\avgrsstx.dll
2009-04-18 09:34 108,552 a------- c:\windows\system32\drivers\avgtdix.sys
2009-03-19 22:49 189,784 a------- c:\windows\system32\PnkBstrB.exe
2009-03-18 03:36 75,064 a------- c:\windows\system32\PnkBstrA.exe
2009-03-18 03:28 22,328 a------- c:\docume~1\richard\applic~1\PnkBstrK.sys
2009-03-18 03:27 2,246,144 a------- c:\windows\system32\pbsvc.exe
2009-03-06 15:44 283,648 a------- c:\windows\system32\pdh.dll
2009-02-20 09:30 659,456 a------- c:\windows\system32\wininet.dll
2009-02-20 09:30 81,920 -------- c:\windows\system32\ieencode.dll
2009-02-09 11:20 723,456 a------- c:\windows\system32\lsasrv.dll
2009-02-09 11:20 399,360 a------- c:\windows\system32\rpcss.dll
2009-02-09 11:20 714,752 a------- c:\windows\system32\ntdll.dll
2009-02-09 11:20 616,960 a------- c:\windows\system32\advapi32.dll
2009-02-09 11:19 1,846,272 a------- c:\windows\system32\win32k.sys
2009-02-06 18:24 2,180,480 a------- c:\windows\system32\ntoskrnl.exe
2009-02-06 18:14 110,592 a------- c:\windows\system32\services.exe
2009-02-06 17:54 35,328 a------- c:\windows\system32\sc.exe
2009-02-06 17:49 2,057,728 a------- c:\windows\system32\ntkrnlpa.exe
2009-02-03 21:08 55,808 a------- c:\windows\system32\secur32.dll
2005-07-25 07:41 110,657 a------- c:\program files\common files\UninstallDrv.exe
2005-04-04 23:02 12,208 a--sh--- c:\windows\system32\KGyGaAvL.sys

============= FINISH: 16:59:16.46 ===============
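The two symptoms RWFBreen describes (Folder Options gone, regedit refused with "disabled by your administrator") appear directly in the DDS report as the `NoFolderOptions` and `DisableRegistryTools` policy values, and the process list shows several `svchost.exe` images running from directories where no genuine svchost lives (a bare `svchost.exe` with no path, `c:\windows\dhcp`, `c:\windows\system32\3361`) plus executables launched from `TEMP`. The Python script below is an added example, not part of the DDS tool or of this thread: it parses a DDS-style report into its `====` sections and flags those indicators. The sample report embedded in it is constructed from a handful of lines of the log above; the policy names `DisableTaskMgr` and `DisableCMD` are real Windows policies included for completeness but do not occur in this log.

```python
"""Triage helper for DDS-style reports (added example, not DDS's own code)."""
from __future__ import annotations

import re

# Constructed sample in DDS report format, modelled on a few lines of the
# report posted above (not the full log), so the script runs stand-alone.
SAMPLE_REPORT = r"""
============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\TEMP\rtv_winupd.exe
svchost.exe C:\WINDOWS\TEMP\VRT4.tmp
C:\WINDOWS\dhcp\svchost.exe
C:\WINDOWS\system32\3361\SVCHOST.exe -sysrun
C:\Program Files\Mozilla Firefox\firefox.exe

============== Pseudo HJT Report ===============

uPolicies-explorer: NoFolderOptions = 1 (0x1)
uPolicies-system: DisableRegistryTools = 1 (0x1)
mPolicies-explorer: DisableLocalMachineRunOnce = 0 (0x0)
AppInit_DLLs: c:\windows\system32\wujeluhe.dll c:\windows\system32\sijoyasu.dll,c:\windows\system32\toyuwipi.dll

============= FINISH: 16:59:16.46 ===============
"""

SECTION_RE = re.compile(r"^=+\s*(.+?)\s*=+$")          # "=== Title ===" banners
POLICY_RE = re.compile(r"^[umd]Policies-(\w+):\s*(\w+)\s*=\s*(\d+)")

# Policies that lock the interactive user out of the tools needed to inspect
# the machine. DisableTaskMgr / DisableCMD are assumed extras not in this log.
TOOL_RESTRICTIONS = {"NoFolderOptions", "DisableRegistryTools",
                     "DisableTaskMgr", "DisableCMD"}

# The only directory a genuine svchost.exe lives in on a stock XP install.
SVCHOST_HOME = r"c:\windows\system32"


def parse_sections(report: str) -> dict[str, list[str]]:
    """Split a DDS report into {section title: [non-empty lines]}."""
    sections: dict[str, list[str]] = {}
    current = "HEADER"
    for raw in report.splitlines():
        line = raw.strip()
        if not line:
            continue
        banner = SECTION_RE.match(line)
        if banner:
            current = banner.group(1)
            sections.setdefault(current, [])
            continue
        sections.setdefault(current, []).append(line)
    return sections


def find_suspicious_processes(process_lines: list[str]) -> list[str]:
    """Flag svchost images outside System32 and anything run from a TEMP dir."""
    flagged = []
    for line in process_lines:
        # Drop "-k netsvcs"-style arguments; paths containing " -" are rare.
        image = line.split(" -", 1)[0].strip().lower()
        directory, _, name = image.rpartition("\\")
        if name.startswith("svchost") and directory != SVCHOST_HOME:
            flagged.append(line)          # bare or relocated svchost
        elif "\\temp\\" in directory + "\\":
            flagged.append(line)          # executable living in a TEMP folder
    return flagged


def find_tool_restrictions(hjt_lines: list[str]) -> dict[str, int]:
    """Return {policy: value} for enabled policies that hide admin tools."""
    found: dict[str, int] = {}
    for line in hjt_lines:
        m = POLICY_RE.match(line)
        if m and m.group(2) in TOOL_RESTRICTIONS and int(m.group(3)) != 0:
            found[m.group(2)] = int(m.group(3))
    return found


def appinit_dlls(hjt_lines: list[str]) -> list[str]:
    """List every DLL in AppInit_DLLs (empty on a stock install; each entry
    is loaded into every process that links user32.dll, so review each one)."""
    for line in hjt_lines:
        if line.startswith("AppInit_DLLs:"):
            body = line.split(":", 1)[1].strip()
            return [p for p in re.split(r"[\s,]+", body) if p]
    return []


def triage(report: str) -> dict:
    """Run all checks over one report and collect the findings."""
    sections = parse_sections(report)
    hjt = sections.get("Pseudo HJT Report", [])
    return {
        "suspicious_processes": find_suspicious_processes(
            sections.get("Running Processes", [])),
        "tool_restrictions": find_tool_restrictions(hjt),
        "appinit_dlls": appinit_dlls(hjt),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_REPORT).items():
        print(f"{key}: {value}")
```

Run against the constructed sample it reports both tool-restriction policies, five process lines (the path-less `svchost.exe`, the two relocated svchost copies and the two TEMP executables) and three AppInit DLLs; the legitimate `System32\svchost.exe -k netsvcs` and Firefox lines are left alone. Policies in the `u`/`m`/`d` (user, machine, default-profile) hives are all checked because, as the log above shows, the restrictions sit under the user hive here.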


#2 Rodav

Rodav

  • Members
  • 388 posts

Posted 19 April 2009 - 12:11 PM

Hi,

I have bad news for you :thumbup2:

I see you're dealing with Virut on top of the other nasty malware you are dealing with. In that case, it's unfortunately a lost case, a game-over situation, and a format and reinstall is the fastest and especially the safest solution.

You may want to read why here: Virut and other File infectors - Throwing in the Towel?

So, I suggest you start backing up all of your valuable data/documents/pictures/movies/songs/etc. Do NOT back up any applications/installers and do NOT back up any .exe/.scr/.htm/.html/.xml/.zip/.rar files.
This is because these files may be infected as well. If you back them up and restore them afterwards, they will infect your computer again.

Read here for instructions on how to format and reinstall Windows: http://web.mit.edu/ist/products/winxp/adva...all-format.html

#3 RWFBreen

RWFBreen
  • Topic Starter

  • Members
  • 2 posts

Posted 19 April 2009 - 02:44 PM

Thanks,

I was afraid that might be my only available option.

#4 Rodav

Rodav

  • Members
  • 388 posts

Posted 19 April 2009 - 04:55 PM

Sorry to be the bearer of bad news, it is unfortunately the only option.

#5 Rodav

Rodav

  • Members
  • 388 posts

Posted 24 April 2009 - 07:39 AM

This Topic is now closed.

If you need this topic reopened, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.



