
WinCodecPro Trojan


This topic is locked
4 replies to this topic

#1 chev77

chev77

  • Members
  • 2 posts
  • OFFLINE
  • Local time:04:12 PM

Posted 19 April 2009 - 08:32 PM

Hi, just a few hours ago I got infected by a trojan that disabled all my sound extensions and created a lot of errors on start up. It displayed a cheap icon at the bottom warning of missing extensions, and when clicked, it directed to the WinCodecPro website. I then googled a bit and found a tutorial on you guys' website, http://www.bleepingcomputer.com/virus-remo...codecpro-trojan which unfortunately did not work. SmitfraudFix runs fine but does not remove the trojan. Then I downloaded Malwarebytes' Anti-Malware, and when I used it to scan it showed about 50 infected files. When trying to delete them, it is not successful either. I then tried running ComboFix, but it gives me the following error:

"!! ALERT !! It is NOT SAFE to continue!

The contents of the ComboFix package has been compromised.
Please download a fresh copy from:

Note: You may be infected with a file patching virus(Virut)"

So here I am. Not sure what to do next, so if any of you guys could lend me a hand, it would be appreciated.

Here is the log from DDS.

*Update: it seems that after a while of the computer being on, the trojan lowers my video settings to 800x600 (I think?) and deletes ComboFix from my desktop. *sigh* :thumbup2:



DDS (Ver_09-03-16.01) - NTFSx86
Run by pRoX at 21:18:44,14 on dom 19/04/2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_13
Microsoft Windows XP Professional 5.1.2600.2.1252.55.1046.18.3327.2686 [GMT -4:00]


============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\WINDOWS\system32\Ati2evxx.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Arquivos de programas\AlienGUIse\wbload.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Arquivos de programas\Bonjour\mDNSResponder.exe
C:\WINDOWS\dhcp\svchost.exe
C:\Arquivos de programas\Java\jre6\bin\jqs.exe
C:\Arquivos de programas\Razer\DeathAdder\razerhid.exe
C:\Arquivos de programas\Arquivos comuns\InstallShield\UpdateService\issch.exe
C:\Arquivos de programas\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Arquivos de programas\Java\jre6\bin\jusched.exe
C:\Arquivos de programas\ATI Technologies\ATI.ACE\Core-Static\trCLIStart.exe
C:\WINDOWS\System32\reader_s.exe
C:\Arquivos de programas\Windows Live\Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\ctfmon.exe
C:\Arquivos de programas\Messenger\msmsgs.exe
C:\Documents and Settings\pRoX\Dados de aplicativos\pidle\pidle.exe
C:\Nexon\MapleStory\npkcmsvc.exe
C:\WINDOWS\system32\PnkBstrA.exe
c:\Arquivos de programas\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Arquivos de programas\Viewpoint\Common\ViewpointService.exe
C:\Arquivos de programas\Razer\DeathAdder\razertra.exe
C:\Arquivos de programas\Razer\DeathAdder\razerofa.exe
C:\Arquivos de programas\Mozilla Firefox\firefox.exe
svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\WINDOWS\system32\wscntfy.exe
svchost.exe
C:\Documents and Settings\pRoX\Desktop\dds.scr

============== Pseudo HJT Report ===============

uInternet Settings,ProxyOverride = *.local
BHO: {942c2a7c-1385-4955-a1c7-6693f84f94ad} - c:\windows\system32\zijigegu.dll
BHO: c:\windows\system32\yaubfh983ind.dll: {a5af42a3-94f3-42bd-f634-0604832c897d} - c:\windows\system32\yaubfh983ind.dll
uRun: [MsnMsgr] "c:\arquivos de programas\windows live\messenger\MsnMsgr.Exe" /background
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "c:\arquivos de programas\messenger\msmsgs.exe" /background
uRun: [Aim6]
uRun: [Steam] "c:\arquivos de programas\steam\steam.exe" -silent
uRun: [DAEMON Tools] "c:\arquivos de programas\daemon tools\daemon.exe" -lang 1033
uRun: [prunnet] "c:\windows\system32\prunnet.exe"
uRun: [<NO NAME>] c:\docume~1\prox\config~1\temp\rphoutsg.exe
uRun: [pidle] "c:\documents and settings\prox\dados de aplicativos\pidle\pidle.exe" 61A847B5BBF728173599284503996897C881250221C8670836AC4FA7C8833201749139
uRun: [reader_s] c:\documents and settings\prox\reader_s.exe
mRun: [SkyTel] SkyTel.EXE
mRun: [StartCCC] "c:\arquivos de programas\ati technologies\ati.ace\core-static\CLIStart.exe"
mRun: [DeathAdder] c:\arquivos de programas\razer\deathadder\razerhid.exe
mRun: [ISUSScheduler] "c:\arquivos de programas\arquivos comuns\installshield\updateservice\issch.exe" -start
mRun: [QuickTime Task] "c:\arquivos de programas\quicktime\qttask.exe" -atboottime
mRun: [Adobe Reader Speed Launcher] "c:\arquivos de programas\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [SunJavaUpdateSched] "c:\arquivos de programas\java\jre6\bin\jusched.exe"
mRun: [NeroCheck] c:\windows\system32\NeroCheck.exe
mRun: [prunnet] "c:\windows\system32\prunnet.exe"
mRun: [trCLIStart] c:\arquivos de programas\ati technologies\ati.ace\core-static\trCLIStart.exe
mRun: [trnologies\ATI.ACE\Core-Static\trCLIStart] c:\arquivos de programas\ati technologies\ati.ace\core-static\trCLIStart.exe
mRun: [jurunobufi] Rundll32.exe "c:\windows\system32\mijepubi.dll",s
mRun: [reader_s] c:\windows\system32\reader_s.exe
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
dRun: [svc] c:\program files\thunmail\testabd.exe
dRun: [<NO NAME>] c:\windows\temp\n00wji.exe
dRun: [Windows Resurections] c:\windows\temp\n00wji.exe
dRun: [Diagnostic Manager] c:\windows\temp\1035584740.exe
dRun: [reader_s] c:\documents and settings\localservice\reader_s.exe
StartupFolder: c:\docume~1\alluse~1\menuin~1\progra~1\inicia~1\paltalk.lnk - c:\arquivos de programas\paltalk messenger\paltalk.exe
uPolicies-system: NoDispAppearancePage = 1 (0x1)
uPolicies-system: NoDispBackgroundPage = 1 (0x1)
uPolicies-system: NoDispSettingsPage = 1 (0x1)
dPolicies-explorer: NoFolderOptions = 1 (0x1)
dPolicies-system: DisableRegistryTools = 1 (0x1)
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {E59EB121-F339-4851-A3BA-FE49C35617C2} - c:\arquivos de programas\icq6\ICQ.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\arquivos de programas\messenger\msmsgs.exe
DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - hxxp://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.8.110.cab
DPF: {5D6F45B3-9043-443D-A792-115447494D24} - hxxp://messenger.zone.msn.com/PT-BR/a-UNO1/GAME_UNO1.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
TCP: {3A1D78E5-8A91-46BE-8C05-764364F67D69} = 68.87.44.162,68.87.68.162
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\arquiv~1\arquiv~1\skype\SKYPE4~1.DLL
Notify: AtiExtEvent - Ati2evxx.dll
Notify: WB - c:\arquivos de programas\alienguise\fastload.dll
AppInit_DLLs: c:\progra~1\thunmail\testabd.dll ,c:\windows\system32\bawayeka.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
STS: c:\windows\system32\yaubfh983ind.dll: {a5af42a3-94f3-42bd-f634-0604832c897d} - c:\windows\system32\yaubfh983ind.dll
LSA: Notification Packages = scecli c:\windows\system32\bawayeka.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\prox\dadosd~1\mozilla\firefox\profiles\rjg0igli.default\
FF - plugin: c:\arquivos de programas\mozilla firefox\plugins\npijjiFFPlugin1.dll
FF - plugin: c:\arquivos de programas\mozilla firefox\plugins\npPandoWebInst.dll
FF - plugin: c:\arquivos de programas\mozilla firefox\plugins\npViewpoint.dll
FF - plugin: c:\arquivos de programas\viewpoint\viewpoint media player\npViewpoint.dll
FF - plugin: c:\documents and settings\prox\dados de aplicativos\mozilla\firefox\profiles\rjg0igli.default\extensions\logmeinclient@logmein.com\plugins\npRACtrl.dll
FF - HiddenExtension: XUL Cache: {4D481DD2-D644-428A-B05E-80DD526E2AE1} - c:\documents and settings\prox\configurações locais\dados de aplicativos\{4D481DD2-D644-428A-B05E-80DD526E2AE1}
FF - HiddenExtension: XUL Cache: {86F69753-733E-4FB8-829A-7630790B9E7D} - c:\documents and settings\localservice\configurações locais\dados de aplicativos\{86f69753-733e-4fb8-829a-7630790b9e7d}\

---- FIREFOX POLICIES ----
c:\arquivos de programas\mozilla firefox\defaults\pref\firefox-l10n.js - pref("browser.fixup.alternate.suffix", ".com.br");

============= SERVICES / DRIVERS ===============

R1 hah9416;hah9416;c:\windows\system32\drivers\hah9416.sys [2009-4-19 17376]
R2 dhcpsrv;Dhcp server;c:\windows\dhcp\svchost.exe [2009-4-19 255488]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\arquivos de programas\viewpoint\common\ViewpointService.exe [2008-7-25 45132]
R3 AGR1310_51;Agere Systems ET-13xx PCI-E Ethernet Adapter XP Driver;c:\windows\system32\drivers\AGR1310_51.sys [2007-12-28 75648]
R3 DAdderFltr;DeathAdder Mouse;c:\windows\system32\drivers\dadder.sys [2008-1-1 22144]
R3 win32x;win32x;c:\windows\system32\drivers\win32x.sys []
S1 jbj8f03;jbj8f03;c:\windows\system32\drivers\jbj8f03.sys [2009-4-19 17376]
S2 Nero BackItUp Scheduler 4.0;Nero BackItUp Scheduler 4.0;c:\arquivos de programas\arquivos comuns\nero\nero backitup 4\nbservice.exe --> c:\arquivos de programas\arquivos comuns\nero\nero backitup 4\NBService.exe [?]
S3 mbamswissarmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2009-1-2 38496]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2007-11-6 34064]
S3 RTL8187B;TRENDnet TEW-424UB 54M USB Dongle;c:\windows\system32\drivers\rtl8187b.sys --> c:\windows\system32\drivers\RTL8187B.sys [?]
S3 SjyPkt;SjyPkt;\??\c:\windows\system32\drivers\sjypkt.sys --> c:\windows\system32\drivers\SjyPkt.sys [?]
S4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\arquivos de programas\microsoft sql server\100\shared\sqladhlp.exe [2008-7-10 47128]
S4 RsFx0102;RsFx0102 Driver;c:\windows\system32\drivers\RsFx0102.sys [2008-7-10 242712]
S4 SQLAgent$SQLEXPRESS;SQL Server Agent (SQLEXPRESS);c:\arquivos de programas\microsoft sql server\mssql10.sqlexpress\mssql\binn\SQLAGENT.EXE [2008-7-10 369688]

=============== Created Last 30 ================

2009-04-19 20:58 36,352 a------- c:\windows\system32\reader_s.exe
2009-04-19 20:58 36,352 a------- c:\documents and settings\prox\reader_s.exe
2009-04-19 20:58 17,376 a------- c:\windows\system32\drivers\jbj8f03.sys
2009-04-19 20:58 80 a------- c:\windows\system32\7.tmp
2009-04-19 20:41 3,514 a------- c:\windows\system32\tmp.reg
2009-04-19 19:46 0 a------- c:\windows\system32\56.tmp
2009-04-19 19:46 17,376 a------- c:\windows\system32\drivers\hah9416.sys
2009-04-19 19:46 80 a------- c:\windows\system32\53.tmp
2009-04-19 19:28 61,440 a------- c:\windows\system32\drivers\pksb.sys
2009-04-19 19:11 <DIR> --d----- c:\windows\LastGood.Tmp
2009-04-19 19:10 3 a------- c:\windows\system32\bversion.dll
2009-04-19 19:10 <DIR> --d----- c:\arquivos de programas\LanqiEngine
2009-04-19 19:10 735,232 a------- c:\windows\system32\AdvOcr.dll
2009-04-19 19:10 94,208 a------- c:\windows\system32\TRSOCR.dll
2009-04-19 19:10 1,308 a------- c:\windows\system32\TRSOCR.ini
2009-04-19 19:10 1,308 a------- c:\windows\system32\TRSOCR.dat
2009-04-19 19:09 565,248 a------- c:\windows\system32\IPHACTION.dll
2009-04-19 19:04 420,864 a------- c:\windows\system32\CF18098.exe
2009-04-19 19:04 <DIR> --d----- C:\ComboFix
2009-04-19 18:58 15,000 a------- c:\windows\system32\yaubind.dll
2009-04-19 18:55 0 a------- c:\windows\system32\IpSvchostF.dll
2009-04-19 18:53 87,804 a------- c:\windows\system32\drivers\5efda48b.sys
2009-04-19 18:53 15,000 -------- c:\windows\system32\zfgh83jg3.dll
2009-04-19 18:53 15,000 -------- c:\windows\system32\oseknf83kd.dll
2009-04-19 18:53 <DIR> --d----- c:\docume~1\prox\dadosd~1\pidle
2009-04-19 18:53 28,672 a------- c:\windows\system32\inqby.sr
2009-04-19 18:53 32,768 a------- c:\windows\system32\ferryl.cbv
2009-04-19 18:53 32,768 a------- c:\windows\system32\fairy.an
2009-04-19 18:53 79,360 a------- c:\windows\system32\ashl.nq
2009-04-19 18:53 28,672 a------- c:\windows\system32\dolman.zt
2009-04-19 18:52 262,144 a------- c:\windows\system32\nvrsk.dll
2009-04-19 18:52 15,000 -------- c:\windows\system32\sdfgerfgf3f.dll
2009-04-12 00:51 430,080 a------- c:\windows\system32\cmcs21.ocx
2009-04-12 00:51 115,920 a------- c:\windows\system32\msinet.ocx
2009-04-12 00:51 103,744 a------- c:\windows\system32\mscomm32.ocx
2009-04-12 00:51 53,248 a------- c:\windows\system32\zlib.dll
2009-04-11 18:44 <DIR> --d----- c:\documents and settings\prox\.idlerc
2009-04-11 17:44 327,680 a------- c:\windows\system32\pythoncom25.dll
2009-04-11 17:44 102,400 a------- c:\windows\system32\pywintypes25.dll
2009-04-11 17:42 196,608 a------- c:\windows\system32\libssl32.dll
2009-04-11 17:42 1,040,384 a------- c:\windows\system32\libeay32.dll
2009-04-11 17:42 196,608 a------- c:\windows\system32\ssleay32.dll
2009-04-09 15:05 50,200 a------- c:\windows\system32\perf-SQLAgent$SQLEXPRESS-sqlagtctr10.0.1600.22.dll
2009-04-09 15:04 79,896 a------- c:\windows\system32\perf-MSSQL$SQLEXPRESS-sqlctr10.0.1600.22.dll
2009-04-09 15:04 <DIR> --d----- c:\windows\system32\RsFx
2009-04-09 15:03 <DIR> --d----- c:\arquivos de programas\MSXML 6.0
2009-04-09 14:57 <DIR> --d----- c:\arquivos de programas\Microsoft SQL Server
2009-04-09 14:57 <DIR> --d----- c:\arquivos de programas\Microsoft Synchronization Services
2009-04-09 14:57 <DIR> --d----- c:\arquivos de programas\Microsoft SQL Server Compact Edition
2009-04-06 14:52 1,191,936 -------- c:\windows\Unnero.exe
2009-04-06 14:52 72,068 -------- c:\windows\Unnero.cfg
2009-04-06 14:52 49,152 -------- c:\windows\system32\MultiSZ.dll
2009-04-06 14:52 106,496 a----r-- c:\windows\system32\TwnLib20.dll
2009-04-06 14:52 35,328 a----r-- c:\windows\system32\picn20.dll
2009-04-06 14:52 532,480 a----r-- c:\windows\system32\imagx5.dll
2009-04-06 14:52 507,904 a----r-- c:\windows\system32\imagr5.dll
2009-04-06 14:52 275,312 a----r-- c:\windows\system32\ImagXpr5.dll
2009-04-06 14:52 176,128 a----r-- c:\windows\system32\NeroCheck.exe
2009-04-05 02:36 <DIR> --d----- c:\docume~1\prox\dadosd~1\GarageGames
2009-04-05 02:36 4,096 a------- c:\windows\d3dx.dat
2009-04-05 02:33 <DIR> --d----- c:\arquivos de programas\GarageGames
2009-04-05 02:17 <DIR> --d----- c:\arquivos de programas\Basic 2D Character Sprite Kit
2009-04-05 02:17 93,696 a------- c:\windows\ST6UNST.EXE
2009-04-05 02:17 307,200 -------- c:\windows\Setup1.exe
2009-04-05 02:10 <DIR> --d----- c:\arquivos de programas\Platform Studio
2009-04-03 00:03 <DIR> --d----- c:\arquivos de programas\PhaseRO
2009-04-02 23:36 40,128 a------- c:\windows\DIIUnin.dat
2009-04-02 23:36 114,688 a------- c:\windows\DIIUnin.exe
2009-04-02 23:36 2,829 a------- c:\windows\DIIUnin.pif
2009-04-02 23:31 <DIR> --d----- c:\arquivos de programas\Diablo II
2009-04-02 23:19 <DIR> --d----- c:\arquivos de programas\PatchClient
2009-04-02 23:19 <DIR> --d----- c:\arquivos de programas\Extra
2009-04-02 23:19 <DIR> --d----- c:\arquivos de programas\AI
2009-04-02 14:29 <DIR> --d----- c:\docume~1\prox\dadosd~1\Tibia
2009-04-01 22:28 <DIR> --d----- c:\arquivos de programas\Asprate
2009-03-31 13:01 34 a------- c:\documents and settings\prox\jagex_runescape_preferences.dat
2009-03-31 13:01 <DIR> --d----- c:\windows\.jagex_cache_32
2009-03-30 11:30 <DIR> --d----- c:\arquivos de programas\Tibia
2009-03-28 22:02 <DIR> --d----- c:\docume~1\prox\dadosd~1\Nexon
2009-03-28 21:52 <DIR> --d----- C:\Nexon
2009-03-28 21:13 <DIR> --d----- c:\docume~1\alluse~1\dadosd~1\PMB Files
2009-03-28 21:13 <DIR> --d----- c:\arquivos de programas\Pando Networks
2009-03-26 13:08 <DIR> --d----- c:\temp\MTGOInstall
2009-03-26 13:05 <DIR> --d----- c:\docume~1\prox\dadosd~1\Wizards of the Coast
2009-03-26 13:05 <DIR> --d----- c:\arquivos de programas\Wizards of the Coast

==================== Find3M ====================

2009-04-19 18:54 61,440 a------- c:\windows\system32\tcpd.exe
2009-04-19 18:54 22,016 a------- c:\windows\system32\AUTMGR.EXE
2009-04-19 18:54 1,023,488 a------- c:\windows\system32\kernel32_check.dll
2009-04-19 18:54 172,032 a------- c:\windows\system32\tcpcon.dll
2009-04-19 18:54 10,240 a------- c:\windows\system32\Packer.dll
2009-04-19 18:53 49,152 a--sh--- c:\windows\system32\tobirugo.dll
2009-04-19 18:53 182,912 a------- c:\windows\system32\drivers\ndis.sys
2009-04-19 18:52 75,776 a--sh--- c:\windows\system32\nehafote.exe
2009-04-19 18:52 578,048 a------- c:\windows\system32\user32.DLL
2009-04-19 18:52 146,944 a------- c:\windows\oyovegukoge.dll
2009-04-19 14:21 221,184 a------- c:\windows\system32\COMSocketServer.dll
2009-04-19 14:21 178,609 a------- c:\windows\system32\SCRIPTLE.DLL
2009-04-19 14:21 57,856 a------- c:\windows\system32\scripto.dll
2009-04-19 14:21 57,392 a------- c:\windows\system32\wshnl.dll
2009-04-19 14:21 24,626 a------- c:\windows\system32\scrrnnl.dll
2009-04-19 14:21 55,808 a------- c:\windows\system32\zlib1.dll
2009-04-09 15:05 542,102 a------- c:\windows\system32\perfh016.dat
2009-04-09 15:05 107,332 a------- c:\windows\system32\perfc016.dat
2009-04-06 15:32 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-06 15:32 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-04-03 14:58 21,840 ac-----t c:\windows\system32\SIntfNT.dll
2009-04-03 14:58 17,212 ac-----t c:\windows\system32\SIntf32.dll
2009-04-03 14:58 12,067 ac-----t c:\windows\system32\SIntf16.dll
2009-03-19 20:54 87,932 ac------ c:\windows\War3Unin.dat
2009-03-09 05:19 410,984 a------- c:\windows\system32\deploytk.dll
2009-01-26 21:33 17,353,459 a------- c:\arquivos de programas\ndata.grf
2009-01-26 21:32 3,436,544 a------- c:\arquivos de programas\PRO.exe
2009-01-26 21:32 53,248 a------- c:\arquivos de programas\internal.dll
2009-01-26 21:32 4 a------- c:\arquivos de programas\patch.inf
2009-01-05 00:41 184,320 a------- c:\arquivos de programas\Launcher.exe
2008-12-28 04:39 655,872 a------- c:\arquivos de programas\msvcr90.dll
2008-12-28 04:39 568,832 a------- c:\arquivos de programas\msvcp90.dll
2008-12-28 04:39 224,768 a------- c:\arquivos de programas\msvcm90.dll
2007-12-29 02:49 22,328 ac------ c:\docume~1\prox\dadosd~1\PnkBstrK.sys
2006-05-16 21:08 28,944 a------- c:\arquivos de programas\psapi.dll
2005-02-01 19:55 233,555 a------- c:\arquivos de programas\npkcrypt.dll
2005-02-01 19:55 53,248 a------- c:\arquivos de programas\npkpdb.dll
2005-02-01 19:55 37,009 a------- c:\arquivos de programas\npkcusb.sys
2005-02-01 19:55 21,442 a------- c:\arquivos de programas\npkcrypt.sys
2005-02-01 19:55 18,562 a------- c:\arquivos de programas\npkcrypt.vxd
2004-12-28 17:35 401,462 a------- c:\arquivos de programas\msvcp60.dll
2003-06-17 18:33 126,976 a------- c:\arquivos de programas\NPX.DLL
2003-05-20 21:04 81,920 a------- c:\arquivos de programas\npkeysdk.dll
2003-04-23 18:37 164,864 a------- c:\arquivos de programas\NPUPDATE0.DLL
2003-04-23 18:37 55,296 a------- c:\arquivos de programas\NPCIPHER.DLL
2002-10-02 03:11 358,963 a------- c:\arquivos de programas\binkw32.dll
2002-10-02 03:11 230,455 a------- c:\arquivos de programas\granny2.dll
2002-07-06 16:16 125,952 a------- c:\arquivos de programas\Mp3dec.asi
2002-06-22 04:39 31,744 a------- c:\arquivos de programas\NPPSK.DLL
2002-06-22 04:39 61,952 a------- c:\arquivos de programas\NPCHK.DLL
2002-06-18 17:11 163,088 a------- c:\arquivos de programas\dbghelp.dll
2001-04-15 15:20 156,672 a------- c:\arquivos de programas\npupdate.dll
2001-03-31 15:41 346,624 a------- c:\arquivos de programas\Mss32.dll
2001-03-21 13:35 372,736 a------- c:\arquivos de programas\ijl15.dll
2008-09-29 05:05 2,048 a--sh--- c:\windows\system32\dijepahu.dll
2008-12-29 06:05 61,216 a--sh--- c:\windows\system32\fuvayove.dll
2009-01-02 15:35 2,604 ---sh--- c:\windows\system32\huhevita.dll
2008-12-31 15:34 2,604 ---sh--- c:\windows\system32\kahenabu.dll
2009-01-01 03:34 2,604 ---sh--- c:\windows\system32\lisubuni.dll
2008-12-31 03:34 2,604 ---sh--- c:\windows\system32\lumejeji.dll
2008-12-31 15:34 2,605 ---sh--- c:\windows\system32\nesahuku.dll
2009-01-02 03:35 2,604 ---sh--- c:\windows\system32\pupatiyu.dll
2008-12-29 18:05 2,605 ---sh--- c:\windows\system32\rigivika.dll
2008-12-31 03:34 2,604 ---sh--- c:\windows\system32\rupegivo.dll
2008-12-30 15:34 2,604 ---sh--- c:\windows\system32\tupurevo.dll
2008-12-29 05:05 62,094 a--sh--- c:\windows\system32\wegabalu.dll
2008-09-29 05:06 62,094 a--sh--- c:\windows\system32\wusifage.dll
2009-01-01 03:34 2,604 ---sh--- c:\windows\system32\yudovulu.dll

============= FINISH: 21:19:04,18 ===============

Edited by chev77, 19 April 2009 - 09:10 PM.
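A helper reading the "Pseudo HJT Report" and "Services / Drivers" sections above is hunting for a few recurring patterns: autoruns launched from temp directories or with no value name, rundll32 entries loading a DLL, the same autorun name planted in the user, machine and default hives at once, policy keys that lock the user out of the registry and display settings, AppInit_DLLs and LSA notification packages beyond the default, and driver entries with no file information. The script below is an added example, not part of the original thread and not code from the DDS tool; it applies those checks to a handful of lines copied from the log above (the rule set, the `triage` function and the severity wording are this example's own choices).

```python
"""Triage the autorun, policy and driver lines of a DDS log.

Added example: the rules below are a reviewer's heuristics, not DDS output
semantics, and SAMPLE_LOG is a hand-picked subset of the log posted above.
"""
import re
from collections import defaultdict

# Constructed sample: lines copied from the DDS log in the first post.
SAMPLE_LOG = r'''
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [<NO NAME>] c:\docume~1\prox\config~1\temp\rphoutsg.exe
uRun: [reader_s] c:\documents and settings\prox\reader_s.exe
mRun: [jurunobufi] Rundll32.exe "c:\windows\system32\mijepubi.dll",s
mRun: [reader_s] c:\windows\system32\reader_s.exe
dRun: [Windows Resurections] c:\windows\temp\n00wji.exe
dRun: [reader_s] c:\documents and settings\localservice\reader_s.exe
dPolicies-system: DisableRegistryTools = 1 (0x1)
uPolicies-system: NoDispSettingsPage = 1 (0x1)
AppInit_DLLs: c:\progra~1\thunmail\testabd.dll ,c:\windows\system32\bawayeka.dll
LSA: Notification Packages = scecli c:\windows\system32\bawayeka.dll
R1 hah9416;hah9416;c:\windows\system32\drivers\hah9416.sys [2009-4-19 17376]
R3 win32x;win32x;c:\windows\system32\drivers\win32x.sys []
'''

# uRun / mRun / dRun = HKCU / HKLM / default-user Run keys in DDS notation.
RUN_RE = re.compile(r'^(?P<hive>[umd])Run: \[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$')
POLICY_RE = re.compile(r'^[umd]Policies-\w+: (?P<key>\w+) = (?P<val>\d+)')
DRIVER_RE = re.compile(r'^[RS]\d (?P<svc>[^;]+);(?P<disp>[^;]*);(?P<path>[^\[]+?)\s*\[(?P<info>[^\]]*)\]')

TEMP_MARKERS = ('\\temp\\',)                 # any path component named temp
LOCKDOWN_POLICIES = {'DisableRegistryTools', 'NoFolderOptions', 'NoDispSettingsPage',
                     'NoDispBackgroundPage', 'NoDispAppearancePage'}
DEFAULT_LSA_PACKAGES = {'scecli'}            # the only stock package on XP


def triage(log_text):
    """Return a list of (log line, reason) findings for the suspicious entries."""
    findings = []
    hives_by_name = defaultdict(set)         # autorun value name -> hives seen in
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        low = line.lower()
        m = RUN_RE.match(line)
        if m:
            name, cmd = m.group('name'), m.group('cmd').lower()
            hives_by_name[name.lower()].add(m.group('hive'))
            if name == '<NO NAME>':
                findings.append((line, 'autorun entry without a value name'))
            if any(t in cmd for t in TEMP_MARKERS):
                findings.append((line, 'autorun launched from a temp directory'))
            if cmd.startswith('rundll32'):
                findings.append((line, 'autorun via rundll32 loading a DLL'))
            continue
        m = POLICY_RE.match(line)
        if m and m.group('key') in LOCKDOWN_POLICIES and m.group('val') == '1':
            findings.append((line, 'policy locking the user out of %s' % m.group('key')))
            continue
        if low.startswith('appinit_dlls:'):
            for dll in line.split(':', 1)[1].split(','):
                if dll.strip():
                    findings.append((line, 'AppInit_DLLs loads %s into every process' % dll.strip()))
            continue
        if low.startswith('lsa: notification packages'):
            for pkg in line.split('=', 1)[1].split():
                if pkg.lower() not in DEFAULT_LSA_PACKAGES:
                    findings.append((line, 'non-default LSA notification package %s' % pkg))
            continue
        m = DRIVER_RE.match(line)
        if m and m.group('info').strip() in ('', '?'):
            findings.append((line, 'driver entry with no file size/date recorded'))
    # A value name planted in several hives is a persistence pattern, not a coincidence.
    for name, hives in hives_by_name.items():
        if len(hives) > 1:
            findings.append(('[%s]' % name,
                             'same autorun name in %d hives (%s)' % (len(hives), ','.join(sorted(hives)))))
    return findings


if __name__ == '__main__':
    for entry, reason in triage(SAMPLE_LOG):
        print('%-45s %s' % (reason, entry))
```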


#2 Rodav

Rodav

  • Members
  • 388 posts
  • OFFLINE
  • Local time:08:12 PM

Posted 20 April 2009 - 05:31 AM

Hi,

I have bad news for you :thumbup2:

I see you're dealing with Virut on top of the other nasty malware you are dealing with. In that case, it's unfortunately a lost case, a game-over situation, and a format and reinstall is the fastest and especially the safest solution.

You may want to read this to see why: Virut and other File infectors - Throwing in the Towel?

So, I suggest you start backing up all of your valuable data/documents/pictures/movies/songs/etc. Do NOT back up any applications/installers and do NOT back up any .exe/.scr/.htm/.html/.xml/.zip/.rar files...
This is because these files may be infected as well. If you back them up and restore them afterwards, it will infect your computer again.

Read here for instructions on how to format and reinstall Windows: http://web.mit.edu/ist/products/winxp/advanced/reinstall-format.html

#3 chev77

chev77
  • Topic Starter

  • Members
  • 2 posts
  • OFFLINE
  • Local time:04:12 PM

Posted 20 April 2009 - 11:46 AM

Heh, that's fine. I was going to do it one way or another anyway. However, do you have any tips on how to diagnose this early on so it doesn't happen again?

Also, I have my drive partitioned. Should I purge my media drive of .exe/.scr/.htm/.html/.xml/.zip/.rar etc.?

Thanks for all the help. :thumbup2:

Edited by chev77, 20 April 2009 - 11:50 AM.


#4 Rodav

Rodav

  • Members
  • 388 posts
  • OFFLINE
  • Local time:08:12 PM

Posted 20 April 2009 - 01:34 PM

Virut is spread via warez and keygen sites and also from P2P software like limewire and utorrent, so avoid all those and only download software from legitimate sites. Prevention is the key, so make sure your antivirus is up to date and active.

You can back up music, movies, documents and other data files; everything else needs to be nuked.

The following are some programs and tips that may help prevent reinfection.



Please take the time to tell us what you would like to be done about the people who are behind all the problems you have had. We can only get something done about this if the people that we help, like you, are prepared to complain. We have a dedicated forum for collecting these complaints, Malware Complaints; you need to be registered to post, as unfortunately we were hit with too many spam postings to allow guest posting to continue. Just find your country room and register your complaint.

Below are some steps to follow in order to dramatically lower the chances of reinfection.
You may have already implemented some of the steps below; however, you can follow any steps that you have not already implemented.
  • Download and install an antivirus program, and make sure that you keep it updated
    New viruses come out every minute, so it is essential that you have the latest signatures for your antivirus program to provide you with the best possible protection from malicious software.
    Two good antivirus programs free for non-commercial home use are Avast and Antivir.
    Two good paid-for antivirus programs are NOD32 and Kaspersky.
    Note: You should only have one antivirus installed at a time. Having more than one antivirus program installed at once is likely to cause conflicts and may well decrease your overall protection level. It may also impair the performance of your PC.
  • Make sure you install all the security updates for Windows, Internet Explorer & Microsoft Office
    Whenever a security problem in its software is found, Microsoft will usually create a patch for it so that after the patch is installed, attackers can't use the vulnerability to install malicious software on your PC, so keeping up with these patches will help to prevent malicious software being installed on your PC.
    Go here to check for & install updates to Microsoft applications.
    Note: The update process uses ActiveX, so you will need to use Internet Explorer for it, and allow the ActiveX control that it wants to install.
  • Keep your non-Microsoft applications updated as well
    Microsoft isn't the only company whose products can contain security vulnerabilities. To check for other vulnerable programs running on your PC that are in need of an update, you can use the Secunia Software Inspector; I suggest that you run it at least once a month.
  • Make Internet Explorer more secure
    Click Start > Run
    Type Inetcpl.cpl & click OK
    Click on the Security tab
    Click Reset all zones to default level
    Make sure the Internet Zone is selected & click Custom level
    In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls") to "Prompt", and "Initialize and Script ActiveX controls not marked as safe" to "Disable".
    Next click OK, then the Apply button and then OK to exit the Internet Properties page.
  • Install a Hosts File
    I recommend MVPS Hosts File.
    Every version of Windows includes a hosts file. A hosts file is a bit like a phone book: it maps the human-friendly name of a website to its actual numeric address (i.e. the IP address). This feature can be used to block malicious websites.
    On some PCs, having a custom HOSTS file installed can cause a significant slowdown. Following these instructions should resolve the issue:
    • Click Start > Run
    • Type services.msc & click OK
    • In the list, find the service called DNS Client & double click on it.
    • On the dropdown box, change the setting from Automatic to Manual.
    • Click OK & then close the Services window
    For a more detailed explanation of the HOSTS file, click here.
  • Download and install the free version of WinPatrol. This program protects your computer in a variety of ways and will work well with your existing security software. Have a look at this tutorial to help you get started with the program. If you want to help the developer of the program and get more information about what the programs that you see in WinPatrol are, please check out WinPatrol Plus. It does not need a new download.
  • Install Malwarebytes & update and scan with it regularly
    Malwarebytes is a free-for-personal-use on-demand scanner which is developed by active members of the Malware Removal community. It detects and removes many modern infections. The paid version offers realtime protection.
  • The last and most important thing I can tell you is UPDATE, UPDATE, UPDATE.
    If you don't update your security programs (Antivirus, Antispyware, even Windows) then you are at risk.
    Malware changes on a day-to-day basis. You should update every week at the very least.
Miekiemoes, an expert in malware removal, has a fantastic article on how to prevent malware for further tips; it's well worth a read. http://users.telenet.be/bluepatchy/miekiem...prevention.html

#5 Rodav

Rodav

  • Members
  • 388 posts
  • OFFLINE
  • Local time:08:12 PM

Posted 26 April 2009 - 10:17 AM

This Topic is now closed.

If you need this topic reopened, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.
