
Trojan-Downloader.Win32.FraudLoad.vmrj


This topic is locked
6 replies to this topic

#1 nidhal2
  • Members
  • 4 posts
  • Local time: 09:07 AM

Posted 25 April 2009 - 07:49 AM

Hello,
My PC was infected with the "Trojan-Downloader.Win32.FraudLoad.vmrj" virus/malware.
I've done a few scans (using SDFix, AVP TOOL and MalwareBytes' Anti-Malware), guided by someone who knows what he is doing, but the virus is not yet completely removed. Look at this pic:

This is the DDS log:


DDS (Ver_09-03-16.01) - NTFSx86
Run by Administrateur at 12:39:32,90 on 25/04/2009
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Professionnel 5.1.2600.2.1256.216.1036.18.248.68 [GMT 1:00]

AV: Kaspersky Anti-Virus *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\lexpps.exe
C:\Documents and Settings\Administrateur.Admin\Bureau\MF\procexp.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\Administrateur.Admin\Bureau\dds.scr
C:\WINDOWS\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
mLocal Page = hxxp://uds2k.cjb.net
mStart Page = hxxp://fr.yahoo.com
mWindow Title = TopNet
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn1\yt.dll
BHO: IDMIEHlprObj Class: {0055c089-8582-441b-a0bf-17b458c2a3a8} - c:\program files\internet download manager\IDMIECC.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\progra~1\yahoo!\companion\installs\cpn1\yt.dll
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 5.0\reader\activex\AcroIEHelper.ocx
BHO: {0a87e45f-537a-40b4-b812-e2544c21a09f} - SpywareBlock Class
BHO: IeCatch5 Class: {2f364306-aa45-47b5-9f9d-39a8b94e7ef7} - c:\progra~1\flashget\jccatch.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: IEVkbdBHO Class: {59273ab4-e7d3-40f9-a1a8-6fa9cca1862c} - c:\program files\kaspersky lab\kaspersky anti-virus 2009\ievkbd.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.5.0_06\bin\ssv.dll
BHO: : {a6984c00-c6eb-11d4-b4a4-080000180323} - c:\progra~1\rapidown\rapi310.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar2.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
BHO: FDMIECookiesBHO Class: {cc59e0f9-7e43-44fa-9faa-8377850bf205} - c:\program files\free download manager\iefdmcks.dll
BHO: gFlash Class: {f156768e-81ef-470c-9057-481ba8380dba} - c:\progra~1\flashget\getflash.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\progra~1\yahoo!\companion\installs\cpn1\YTSingleInstance.dll
BHO: : {fffffef0-5b30-21d4-945d-000000000000} - c:\progra~1\stardo~1\SDIEInt.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn1\yt.dll
TB: &Save Flash: {4064ea35-578d-4073-a834-c96d82cbcf40} - c:\program files\save flash\SaveFlash.dll
TB: FlashGet Bar: {e0e899ab-f487-11d5-8d29-0050ba6940e3} - c:\progra~1\flashget\fgiebar.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar2.dll
EB: &Yahoo! Messenger: {4528bbe0-4e08-11d5-ad55-00010333d0ad} - c:\program files\yahoo!\messenger\yhexbmesfr.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
mRun: [TkBellExe] "c:\program files\fichiers communs\real\update_ob\realsched.exe" -osboot
mRun: [AVP] "c:\program files\kaspersky lab\kaspersky anti-virus 2009\avp.exe"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
dRunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe
StartupFolder: c:\docume~1\alluse~1\menudm~1\progra~1\dmarra~1\utilit~1.lnk - c:\program files\sagem wifi manager\WLANUTL.exe
uPolicies-explorer: MemCheckBoxInRunDlg = 0 (0x0)
uPolicies-explorer: NoStrCmpLogical = 0 (0x0)
mPolicies-explorer: ForceClassicControlPanel = 1 (0x1)
IE: Download All by FlashGet - c:\progra~1\flashget\jc_all.htm
IE: Download all by Rapidown... - c:\program files\rapidown\rapidownGetAll.htm
IE: Download all with Free Download Manager - file://c:\program files\free download manager\dlall.htm
IE: Download by Rapidown... - c:\program files\rapidown\rapidownGet.htm
IE: Download selected with Free Download Manager - file://c:\program files\free download manager\dlselected.htm
IE: Download using FlashGet - c:\progra~1\flashget\jc_link.htm
IE: Download with Free Download Manager - file://c:\program files\free download manager\dllink.htm
IE: Download with Star Downloader - c:\program files\star downloader\sdie.htm
IE: E&xporter vers Microsoft Excel - c:\progra~1\micros~1\office11\EXCEL.EXE/3000
IE: Outil de démonstration Google AdSense
IE: Outil de démonstration Google AdSense - http://pagead2.googlesyndication.com/pagea...fr/preview.html
IE: Sothink SWF Catcher - c:\program files\fichiers communs\sourcetec\swf catcher\InternetExplorer.htm
IE: Translate with &Babylon - c:\program files\babylon\babylon-pro\utils\BabylonIEPI.dll/Translate.htm
IE: Télécharger avec IDM - c:\program files\internet download manager\IEExt.htm
IE: Télécharger le contenu de video FLV avec IDM - c:\program files\internet download manager\IEGetVL.htm
IE: Télécharger tous les liens avec IDM - c:\program files\internet download manager\IEGetAll.htm
IE: {57E91B47-F40A-11D1-B792-444553540011} - c:\program files\rapidown\rapidown.exe
IE: {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - c:\progra~1\flashget\flashget.exe
IE: {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - c:\program files\fichiers communs\sourcetec\swf catcher\InternetExplorer.htm
IE: {ECC5777A-6E88-BFCE-13CE-81F134789E7B}
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_06\bin\ssv.dll
IE: {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - {85E0B171-04FA-11D1-B7DA-00A0C90348D6} - c:\program files\kaspersky lab\kaspersky anti-virus 2009\SCIEPlgn.dll
IE: {36ECAF82-3300-8F84-092E-AFF36D6C7040} - {86529161-034E-4F8A-88D2-3C625E612E04} - c:\program files\winhttrack\WinHTTrackIEBar.dll
IE: {4528BBE0-4E08-11D5-AD55-00010333D0AD} - {4C171D40-8277-11D5-AD55-00010333D0AD} - c:\program files\yahoo!\messenger\yhexbmesfr.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~1\office11\REFIEBAR.DLL
DPF: {00B71CFB-6864-4346-A978-C0A14556272C} - hxxp://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
DPF: {091CDD73-1401-4643-9B9C-65B091C88685} - hxxp://ccmlove.contents.mylinker.co.kr/module/MyLinker.cab
DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} - hxxp://webscanner.kaspersky.fr/kavwebscan_unicode.cab
DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} - hxxp://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
DPF: {40289096-9F72-4A04-BCB3-E434ECDCEE33} - hxxp://download.howudodat.com/chatterbox/download/appdl.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1220575106621
DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} - hxxp://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} - hxxp://metaboli.clubic.com/components/Metaboli.ocx
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1192030426703
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} - hxxp://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} - hxxp://www.crucial.com/controls/cpcScanner.cab
DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} - hxxp://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://messenger.zone.msn.com/binary/ZIntro.cab56649.cab
DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
DPF: {CAFEEFAC-0013-0001-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/1.3.1/jinstall-131_02-win.cab
DPF: {CAFEEFAC-0013-0001-0009-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.3.1/jinstall-1_3_1_09-windows-i586.cab
DPF: {CAFEEFAC-0013-0001-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-1_3_1_16-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {D27CDB6E-AE6D-0000-0000-000000000000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} - hxxp://chat.msn.com/controls/msnchat45.cab
Notify: igfxcui - igfxsrvc.dll
Notify: klogon - c:\windows\system32\klogon.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\admini~1.adm\applic~1\mozilla\firefox\profiles\vgltgntk.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.babylon.com/web/{searchTerms}?babsrc=browsersearch
FF - prefs.js: browser.search.selectedEngine - Godaddy.com
FF - prefs.js: browser.startup.homepage - hxxp://fr.start2.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:fr:official
FF - component: c:\documents and settings\administrateur.admin\application data\mozilla\firefox\profiles\vgltgntk.default\extensions\mozilla_cc@internetdownloadmanager.com\components\idmmzcc.dll
FF - plugin: c:\program files\google\update\1.2.141.5\npGoogleOneClick7.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava11.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava12.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava13.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava14.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava32.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJPI150_06.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPOJI610.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npyaxmpb.dll

---- FIREFOX POLICIES ----
FF - user.js: network.http.max-connections-per-server - 8
FF - user.js: network.http.max-persistent-connections-per-server - 4
FF - user.js: content.max.tokenizing.time - 1800000
FF - user.js: content.notify.interval - 600000
FF - user.js: nglayout.initialpaint.delay - 600
FF - user.js: content.switch.threshold - 600000

============= SERVICES / DRIVERS ===============

R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [2008-1-29 33808]
R1 eusk2par;EUTRON SmartKey Parallel Driver;c:\windows\system32\drivers\eusk2par.sys [2008-4-14 24786]
R1 klif;Kaspersky Lab Driver;c:\windows\system32\drivers\klif.sys [2008-10-27 226832]
R2 AVP;Kaspersky Anti-Virus;c:\program files\kaspersky lab\kaspersky anti-virus 2009\avp.exe [2008-11-11 206088]
R2 PWSYSDRV;PWSYSDRV;c:\windows\system32\drivers\pwsysdrv.sys [2005-12-1 17072]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [2008-4-30 24592]
R3 tap0801;TAP-Win32 Adapter V8;c:\windows\system32\drivers\tap0801.sys [2006-10-1 26624]
S0 kl1;Kl1;c:\windows\system32\drivers\kl1.sys [2008-7-21 121872]
S2 Vcs;Vcs support;\??\c:\windows\system32\drivers\vcs.sys --> c:\windows\system32\drivers\Vcs.sys [?]
S3 DIGIRPS;Pilote PortServer Digi;c:\windows\system32\drivers\digirlpt.sys [2007-3-26 42656]
S3 eusk3usb;SmartKey 3 USB;c:\windows\system32\drivers\eusk3usb.sys [2008-4-14 45534]
S3 Gizmo Plugin;Gizmo VoIP Service;c:\program files\gizmoplugin\GizmoPlugin.exe [2007-7-1 962048]
S3 ioloFileInfoList;iolo FileInfoList Service;c:\program files\iolo\common\lib\ioloServiceManager.exe [2008-9-11 596328]
S3 ioloSystemService;iolo System Service;c:\program files\iolo\common\lib\ioloServiceManager.exe [2008-9-11 596328]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2008-6-1 34064]
S3 PAC207;VideoCAM GF112;c:\windows\system32\drivers\PFC027.sys [2005-4-8 162176]
S3 PsSdk30;PsSdk30;\??\c:\windows\system32\drivers\pssdk30.drv --> c:\windows\system32\drivers\PsSdk30.drv [?]
S3 rkhdrv40;Rootkit Unhooker Driver; [x]
S3 SG762_XP;SAGEM 802.11g XG762 1211B Driver;c:\windows\system32\drivers\WlanBZXP.sys [2007-11-3 402432]
S3 TuneUp.ProgramStatisticsSvc;TuneUp Program Statistics Service;c:\windows\system32\TUProgSt.exe [2008-12-1 603904]
S3 xAntiArp;xAntiArpSpoof Service;c:\windows\system32\drivers\xantiarp.sys --> c:\windows\system32\drivers\xAntiArp.sys [?]
S3 ZDCndis5;ZDCndis5 Protocol Driver;\??\c:\windows\system32\zdcndis5.sys --> c:\windows\system32\ZDCndis5.SYS [?]
S4 DS;RA Directory Server; [x]
S4 GuiHook;GuiHook; [x]
S4 gupdate1c98571f4eac016;Google Update Service (gupdate1c98571f4eac016);c:\program files\google\update\GoogleUpdate.exe [2009-2-2 133104]
S4 mchInjDrv;mchInjDrv; [x]

============== File Associations ===============

JSEFile=NOTEPAD.EXE %1
VBEFile=NOTEPAD.EXE %1
VBSFile=NOTEPAD.EXE %1

=============== Created Last 30 ================

2009-04-21 20:28 161,792 a------- c:\windows\SWREG.exe
2009-04-21 20:28 98,816 a------- c:\windows\sed.exe
2009-04-21 19:32 82,944 a------- c:\windows\system32\drivers\wdmaud.sys
2009-04-21 12:58 <DIR> --d----- C:\Regsearch
2009-04-21 12:06 <DIR> --d----- C:\_OTMoveIt
2009-04-20 18:51 <DIR> --d----- c:\docume~1\admini~1.adm\applic~1\Malwarebytes
2009-04-20 18:51 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-04-20 18:51 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-20 18:51 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-04-20 18:51 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-04-19 08:54 <DIR> --d----- c:\windows\system32\Kaspersky Lab
2009-04-19 06:01 <DIR> --d----- c:\windows\system32\xircom
2009-04-18 21:05 578,048 a------- c:\windows\system32\dllcache\user32.dll
2009-04-18 20:57 <DIR> --d----- c:\windows\ERUNT
2009-04-18 20:50 <DIR> --d----- C:\SDFix
2009-04-18 19:14 <DIR> --d----- c:\program files\Trend Micro
2009-04-08 09:01 2,944 a------- c:\windows\system32\WSSPOOL.TMP
2009-04-07 20:11 10,114,080 a--sh--- c:\windows\system32\drivers\fidbox.dat
2009-04-07 20:11 712,736 a--sh--- c:\windows\system32\drivers\fidbox2.dat
2009-04-07 20:11 81,144 a--sh--- c:\windows\system32\drivers\fidbox.idx
2009-04-07 20:11 4,564 a--sh--- c:\windows\system32\drivers\fidbox2.idx
2009-04-07 19:28 <DIR> --d----- c:\docume~1\admini~1.adm\applic~1\Kaspersky_Key_Finder_(KKF
2009-04-07 19:13 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Kaspersky Lab Setup Files
2009-04-07 17:34 182,912 a------- c:\windows\system32\dllcache\ndis.sys
2009-04-07 17:32 0 a--shr-- C:\khq
2009-04-03 15:58 <DIR> --d----- c:\program files\TeamViewer
2009-04-03 14:59 <DIR> --d----- c:\docume~1\admini~1.adm\applic~1\TeamViewer
2009-04-03 14:58 <DIR> --d----- c:\documents and settings\administrateur.admin\temp

==================== Find3M ====================

2009-04-17 18:47 470,894 a------- c:\windows\system32\perfh00C.dat
2009-04-17 18:47 76,248 a------- c:\windows\system32\perfc00C.dat
2009-04-07 20:03 33,808 a------- c:\windows\system32\drivers\klbg.sys
2009-04-07 20:03 101,287 a------- c:\windows\system32\drivers\klin.dat
2009-04-07 20:03 89,601 a------- c:\windows\system32\drivers\klick.dat
2009-04-07 17:34 182,912 a------- c:\windows\system32\drivers\ndis.sys
2008-08-04 22:20 3,225 a------- c:\program files\fichiers communs\cfgbak.tgb
2007-08-17 12:31 25,937,136 a------- c:\program files\Valve.rar

============= FINISH: 12:41:02,59 ===============



And please download this attachment (Gmer.log, DDS.txt, Attach.txt, hijackthis.log).




Please help

Attached Files
  • logs.zip (14.07KB)
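
A small triage script for the two DDS sections a helper reads first in a log like the one above (the svchost.exe instances and the recently created system+hidden files), added here as an example; it is not part of the thread or of the DDS tool. SAMPLE_DDS is a constructed excerpt modelled on the posted log, and the c:\windows\system32 default assumes the %SystemRoot% shown in the log header.

```python
import re
from typing import Dict, List, Tuple

# Constructed excerpt modelled on the DDS log above (not the poster's actual file).
SAMPLE_DDS = r"""
============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\Administrateur.Admin\Bureau\dds.scr

=============== Created Last 30 ================

2009-04-21 20:28 161,792 a------- c:\windows\SWREG.exe
2009-04-07 20:11 10,114,080 a--sh--- c:\windows\system32\drivers\fidbox.dat
2009-04-07 17:32 0 a--shr-- C:\khq
2009-04-03 15:58 <DIR> --d----- c:\program files\TeamViewer

============= FINISH: 12:41:02,59 ===============
"""

SECTION_RE = re.compile(r"^=+\s*(.*?)\s*=+$")
# "<date> <time> <size or <DIR>> <attribute flags> <path>"
FILE_RE = re.compile(r"^(\S+ \S+) (<DIR>|[\d,]+) ([a-z-]{8}) (.+)$")


def split_sections(text: str) -> Dict[str, List[str]]:
    """Group the non-empty lines of a DDS log under their '=== Name ===' headers."""
    sections: Dict[str, List[str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        header = SECTION_RE.match(line)
        if header:
            current = header.group(1)
            sections.setdefault(current, [])
        elif current is not None and line:
            sections[current].append(line)
    return sections


def parse_process(line: str) -> Tuple[str, str, str]:
    """Split a Running Processes line into (directory, image name, arguments).
    Paths may contain spaces, so the arguments start at the first ' -'."""
    path, sep, rest = line.partition(" -")
    args = ("-" + rest).strip() if sep else ""
    directory, _, image = path.rpartition("\\")
    image = image.lower()
    if "." not in image:  # DDS prints the first instance as plain 'svchost'
        image += ".exe"
    return directory.lower(), image, args


def triage_svchost(lines: List[str],
                   system32: str = r"c:\windows\system32") -> List[Tuple[str, str]]:
    """Flag svchost.exe entries that differ from how the service control manager
    starts them on XP: from %SystemRoot%\\System32 and with a '-k <group>' argument.
    A missing '-k' in a DDS listing is a reason to look closer, not proof of malware."""
    findings = []
    for line in lines:
        directory, image, args = parse_process(line)
        if image != "svchost.exe":
            continue
        if not directory:
            findings.append((line, "no path reported for svchost.exe"))
        elif directory != system32:
            findings.append((line, "svchost.exe outside " + system32))
        if not args.lower().startswith("-k"):
            findings.append((line, "svchost.exe started without a -k service group"))
    return findings


def triage_hidden_files(lines: List[str]) -> List[Tuple[str, str]]:
    """Flag files (not directories) carrying both the system and hidden attributes.
    Legitimate software sets these too (the fidbox.* files are the installed Kaspersky
    product's own databases), so every hit still needs checking against a known vendor."""
    findings = []
    for line in lines:
        m = FILE_RE.match(line)
        if not m:
            continue
        size, attrs, path = m.group(2), m.group(3), m.group(4)
        if size == "<DIR>" or "d" in attrs:
            continue
        if "s" in attrs and "h" in attrs:
            findings.append((path, "system+hidden file, size " + size))
    return findings


def triage(text: str) -> Dict[str, List[Tuple[str, str]]]:
    """Run both checks over a whole DDS log and return the findings per check."""
    sections = split_sections(text)
    created = sections.get("Created Last 30", []) + sections.get("Find3M", [])
    return {"svchost": triage_svchost(sections.get("Running Processes", [])),
            "hidden": triage_hidden_files(created)}


if __name__ == "__main__":
    for kind, hits in triage(SAMPLE_DDS).items():
        for subject, reason in hits:
            print("[%s] %s: %s" % (kind, reason, subject))
```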




#2 nidhal2
  • Topic Starter
  • Members
  • 4 posts
  • Local time: 09:07 AM

Posted 07 May 2009 - 02:35 PM

Please help, I can't stay offline all the time ....

#3 KoanYorel
    Bleepin' Conundrum
  • Staff Emeritus
  • 19,461 posts
  • Gender: Male
  • Location: 65 miles due East of the "Logic Free Zone", in Md, USA
  • Local time: 10:07 AM

Posted 07 May 2009 - 08:42 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below, another staff member will review and take the steps necessary with you to get your machine back in working order, clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

R,
K
The only easy day was yesterday.

...some do, some don't; some will, some won't (WR)

#4 nidhal2
  • Topic Starter
  • Members
  • 4 posts
  • Local time: 09:07 AM

Posted 08 May 2009 - 02:13 PM

Hello KoanYorel, and thanks for your reply.

Here is the situation before using SDFix:

1/ The process reader_s.exe starts running after logging in, a copy of the file reader_s.exe is found in 'c:\documents and settings\user\' and 'c:\windows\system32\', and a file called restore.sys is created in 'C:\WINDOWS\system32\drivers\'. These files come back, even when Kaspersky deletes them, when I connect to the Internet.

2/ Processes called A.tmp, 2.tmp, 3.tmp, 6.tmp, 8.tmp, 9.tmp, VRT4.tmp etc. run at random from the 'system32' folder and the 'temp' folder.

3/ 4 svchost.exe processes start running just after I connect to the Internet.

--------------------------------------------------------------------------------------------------------------------------------------------------

Now, after using SDFix, there is no more reader_s.exe/restore.sys and no more tmp files running.

But still, 4 svchost.exe processes start running when I connect; they lag the PC because they use a lot of memory.


DDS.txt log:


DDS (Ver_09-03-16.01) - NTFSx86
Run by Administrateur at 19:16:26,46 on 08/05/2009
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Professionnel 5.1.2600.2.1256.216.1036.18.248.64 [GMT 1:00]

AV: Kaspersky Anti-Virus *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\SAGEM WiFi manager\WLANUTL.exe
C:\Documents and Settings\Administrateur.Admin\Bureau\MF\procexp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\Administrateur.Admin\Bureau\dds.com

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
mLocal Page = hxxp://uds2k.cjb.net
mStart Page = hxxp://fr.yahoo.com
mWindow Title = TopNet
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn1\yt.dll
BHO: IDMIEHlprObj Class: {0055c089-8582-441b-a0bf-17b458c2a3a8} - c:\program files\internet download manager\IDMIECC.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\progra~1\yahoo!\companion\installs\cpn1\yt.dll
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 5.0\reader\activex\AcroIEHelper.ocx
BHO: {0a87e45f-537a-40b4-b812-e2544c21a09f} - SpywareBlock Class
BHO: IeCatch5 Class: {2f364306-aa45-47b5-9f9d-39a8b94e7ef7} - c:\progra~1\flashget\jccatch.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: IEVkbdBHO Class: {59273ab4-e7d3-40f9-a1a8-6fa9cca1862c} - c:\program files\kaspersky lab\kaspersky anti-virus 2009\ievkbd.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.5.0_06\bin\ssv.dll
BHO: : {a6984c00-c6eb-11d4-b4a4-080000180323} - c:\progra~1\rapidown\rapi310.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar2.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
BHO: FDMIECookiesBHO Class: {cc59e0f9-7e43-44fa-9faa-8377850bf205} - c:\program files\free download manager\iefdmcks.dll
BHO: gFlash Class: {f156768e-81ef-470c-9057-481ba8380dba} - c:\progra~1\flashget\getflash.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\progra~1\yahoo!\companion\installs\cpn1\YTSingleInstance.dll
BHO: : {fffffef0-5b30-21d4-945d-000000000000} - c:\progra~1\stardo~1\SDIEInt.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn1\yt.dll
TB: &Save Flash: {4064ea35-578d-4073-a834-c96d82cbcf40} - c:\program files\save flash\SaveFlash.dll
TB: FlashGet Bar: {e0e899ab-f487-11d5-8d29-0050ba6940e3} - c:\progra~1\flashget\fgiebar.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar2.dll
EB: &Yahoo! Messenger: {4528bbe0-4e08-11d5-ad55-00010333d0ad} - c:\program files\yahoo!\messenger\yhexbmesfr.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
mRun: [TkBellExe] "c:\program files\fichiers communs\real\update_ob\realsched.exe" -osboot
mRun: [AVP] "c:\program files\kaspersky lab\kaspersky anti-virus 2009\avp.exe"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
dRunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe
StartupFolder: c:\docume~1\alluse~1\menudm~1\progra~1\dmarra~1\utilit~1.lnk - c:\program files\sagem wifi manager\WLANUTL.exe
uPolicies-explorer: MemCheckBoxInRunDlg = 0 (0x0)
uPolicies-explorer: NoStrCmpLogical = 0 (0x0)
mPolicies-explorer: ForceClassicControlPanel = 1 (0x1)
IE: Download All by FlashGet - c:\progra~1\flashget\jc_all.htm
IE: Download all by Rapidown... - c:\program files\rapidown\rapidownGetAll.htm
IE: Download all with Free Download Manager - file://c:\program files\free download manager\dlall.htm
IE: Download by Rapidown... - c:\program files\rapidown\rapidownGet.htm
IE: Download selected with Free Download Manager - file://c:\program files\free download manager\dlselected.htm
IE: Download using FlashGet - c:\progra~1\flashget\jc_link.htm
IE: Download with Free Download Manager - file://c:\program files\free download manager\dllink.htm
IE: Download with Star Downloader - c:\program files\star downloader\sdie.htm
IE: E&xporter vers Microsoft Excel - c:\progra~1\micros~1\office11\EXCEL.EXE/3000
IE: Outil de démonstration Google AdSense
IE: Outil de démonstration Google AdSense - http://pagead2.googlesyndication.com/pagea...fr/preview.html
IE: Sothink SWF Catcher - c:\program files\fichiers communs\sourcetec\swf catcher\InternetExplorer.htm
IE: Translate with &Babylon - c:\program files\babylon\babylon-pro\utils\BabylonIEPI.dll/Translate.htm
IE: Télécharger avec IDM - c:\program files\internet download manager\IEExt.htm
IE: Télécharger le contenu de video FLV avec IDM - c:\program files\internet download manager\IEGetVL.htm
IE: Télécharger tous les liens avec IDM - c:\program files\internet download manager\IEGetAll.htm
IE: {57E91B47-F40A-11D1-B792-444553540011} - c:\program files\rapidown\rapidown.exe
IE: {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - c:\progra~1\flashget\flashget.exe
IE: {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - c:\program files\fichiers communs\sourcetec\swf catcher\InternetExplorer.htm
IE: {ECC5777A-6E88-BFCE-13CE-81F134789E7B}
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_06\bin\ssv.dll
IE: {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - {85E0B171-04FA-11D1-B7DA-00A0C90348D6} - c:\program files\kaspersky lab\kaspersky anti-virus 2009\SCIEPlgn.dll
IE: {36ECAF82-3300-8F84-092E-AFF36D6C7040} - {86529161-034E-4F8A-88D2-3C625E612E04} - c:\program files\winhttrack\WinHTTrackIEBar.dll
IE: {4528BBE0-4E08-11D5-AD55-00010333D0AD} - {4C171D40-8277-11D5-AD55-00010333D0AD} - c:\program files\yahoo!\messenger\yhexbmesfr.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~1\office11\REFIEBAR.DLL
DPF: {00B71CFB-6864-4346-A978-C0A14556272C} - hxxp://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
DPF: {091CDD73-1401-4643-9B9C-65B091C88685} - hxxp://ccmlove.contents.mylinker.co.kr/module/MyLinker.cab
DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} - hxxp://webscanner.kaspersky.fr/kavwebscan_unicode.cab
DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} - hxxp://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
DPF: {40289096-9F72-4A04-BCB3-E434ECDCEE33} - hxxp://download.howudodat.com/chatterbox/download/appdl.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1220575106621
DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} - hxxp://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} - hxxp://metaboli.clubic.com/components/Metaboli.ocx
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1192030426703
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} - hxxp://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} - hxxp://www.crucial.com/controls/cpcScanner.cab
DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} - hxxp://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://messenger.zone.msn.com/binary/ZIntro.cab56649.cab
DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
DPF: {CAFEEFAC-0013-0001-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/1.3.1/jinstall-131_02-win.cab
DPF: {CAFEEFAC-0013-0001-0009-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.3.1/jinstall-1_3_1_09-windows-i586.cab
DPF: {CAFEEFAC-0013-0001-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-1_3_1_16-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {D27CDB6E-AE6D-0000-0000-000000000000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} - hxxp://chat.msn.com/controls/msnchat45.cab
Notify: igfxcui - igfxsrvc.dll
Notify: klogon - c:\windows\system32\klogon.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\admini~1.adm\applic~1\mozilla\firefox\profiles\vgltgntk.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.babylon.com/web/{searchTerms}?babsrc=browsersearch
FF - prefs.js: browser.search.selectedEngine - Godaddy.com
FF - prefs.js: browser.startup.homepage - hxxp://fr.start2.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:fr:official
FF - component: c:\documents and settings\administrateur.admin\application data\mozilla\firefox\profiles\vgltgntk.default\extensions\mozilla_cc@internetdownloadmanager.com\components\idmmzcc.dll
FF - plugin: c:\program files\google\update\1.2.145.5\npGoogleOneClick8.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava11.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava12.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava13.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava14.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava32.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJPI150_06.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPOJI610.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npyaxmpb.dll

---- FIREFOX POLICIES ----
FF - user.js: network.http.max-connections-per-server - 8
FF - user.js: network.http.max-persistent-connections-per-server - 4
FF - user.js: content.max.tokenizing.time - 1800000
FF - user.js: content.notify.interval - 600000
FF - user.js: nglayout.initialpaint.delay - 600
FF - user.js: content.switch.threshold - 600000

============= SERVICES / DRIVERS ===============

R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [2008-1-29 33808]
R1 eusk2par;EUTRON SmartKey Parallel Driver;c:\windows\system32\drivers\eusk2par.sys [2008-4-14 24786]
R1 klif;Kaspersky Lab Driver;c:\windows\system32\drivers\klif.sys [2008-10-27 226832]
R2 AVP;Kaspersky Anti-Virus;c:\program files\kaspersky lab\kaspersky anti-virus 2009\avp.exe [2008-11-11 206088]
R2 PWSYSDRV;PWSYSDRV;c:\windows\system32\drivers\pwsysdrv.sys [2005-12-1 17072]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [2008-4-30 24592]
R3 tap0801;TAP-Win32 Adapter V8;c:\windows\system32\drivers\tap0801.sys [2006-10-1 26624]
S0 kl1;Kl1;c:\windows\system32\drivers\kl1.sys [2008-7-21 121872]
S2 gupdate1c98571f4eac016;Google Update Service (gupdate1c98571f4eac016);c:\program files\google\update\GoogleUpdate.exe [2009-2-2 133104]
S2 Vcs;Vcs support;\??\c:\windows\system32\drivers\vcs.sys --> c:\windows\system32\drivers\Vcs.sys [?]
S3 DIGIRPS;Pilote PortServer Digi;c:\windows\system32\drivers\digirlpt.sys [2007-3-26 42656]
S3 eusk3usb;SmartKey 3 USB;c:\windows\system32\drivers\eusk3usb.sys [2008-4-14 45534]
S3 Gizmo Plugin;Gizmo VoIP Service;c:\program files\gizmoplugin\GizmoPlugin.exe [2007-7-1 962048]
S3 ioloFileInfoList;iolo FileInfoList Service;c:\program files\iolo\common\lib\ioloServiceManager.exe [2008-9-11 596328]
S3 ioloSystemService;iolo System Service;c:\program files\iolo\common\lib\ioloServiceManager.exe [2008-9-11 596328]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2008-6-1 34064]
S3 PAC207;VideoCAM GF112;c:\windows\system32\drivers\PFC027.sys [2005-4-8 162176]
S3 PsSdk30;PsSdk30;\??\c:\windows\system32\drivers\pssdk30.drv --> c:\windows\system32\drivers\PsSdk30.drv [?]
S3 rkhdrv40;Rootkit Unhooker Driver; [x]
S3 SG762_XP;SAGEM 802.11g XG762 1211B Driver;c:\windows\system32\drivers\WlanBZXP.sys [2007-11-3 402432]
S3 TuneUp.ProgramStatisticsSvc;TuneUp Program Statistics Service;c:\windows\system32\TUProgSt.exe [2008-12-1 603904]
S3 xAntiArp;xAntiArpSpoof Service;c:\windows\system32\drivers\xantiarp.sys --> c:\windows\system32\drivers\xAntiArp.sys [?]
S3 ZDCndis5;ZDCndis5 Protocol Driver;\??\c:\windows\system32\zdcndis5.sys --> c:\windows\system32\ZDCndis5.SYS [?]
S4 DS;RA Directory Server; [x]
S4 GuiHook;GuiHook; [x]
S4 mchInjDrv;mchInjDrv; [x]

============== File Associations ===============

JSEFile=NOTEPAD.EXE %1
VBEFile=NOTEPAD.EXE %1
VBSFile=NOTEPAD.EXE %1

=============== Created Last 30 ================

2009-05-01 14:51 26,624 a------- C:\userinit.exe
2009-04-21 20:28 161,792 a------- c:\windows\SWREG.exe
2009-04-21 20:28 98,816 a------- c:\windows\sed.exe
2009-04-21 19:32 82,944 a------- c:\windows\system32\drivers\wdmaud.sys
2009-04-21 12:58 <DIR> --d----- C:\Regsearch
2009-04-21 12:06 <DIR> --d----- C:\_OTMoveIt
2009-04-20 18:51 <DIR> --d----- c:\docume~1\admini~1.adm\applic~1\Malwarebytes
2009-04-20 18:51 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-04-20 18:51 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-20 18:51 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-04-20 18:51 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-04-19 08:54 <DIR> --d----- c:\windows\system32\Kaspersky Lab
2009-04-19 06:01 <DIR> --d----- c:\windows\system32\xircom
2009-04-18 21:05 578,048 a------- c:\windows\system32\dllcache\user32.dll
2009-04-18 20:57 <DIR> --d----- c:\windows\ERUNT
2009-04-18 20:50 <DIR> --d----- C:\SDFix
2009-04-18 19:14 <DIR> --d----- c:\program files\Trend Micro

==================== Find3M ====================

2009-05-08 18:52 1,310,752 a--sh--- c:\windows\system32\drivers\fidbox2.dat
2009-05-08 18:52 92,596 a--sh--- c:\windows\system32\drivers\fidbox.idx
2009-05-08 18:52 6,608 a--sh--- c:\windows\system32\drivers\fidbox2.idx
2009-05-08 18:52 11,579,936 a--sh--- c:\windows\system32\drivers\fidbox.dat
2009-04-17 18:47 470,894 a------- c:\windows\system32\perfh00C.dat
2009-04-17 18:47 76,248 a------- c:\windows\system32\perfc00C.dat
2009-04-08 09:01 2,944 a------- c:\windows\system32\WSSPOOL.TMP
2009-04-07 20:03 33,808 a------- c:\windows\system32\drivers\klbg.sys
2009-04-07 20:03 101,287 a------- c:\windows\system32\drivers\klin.dat
2009-04-07 20:03 89,601 a------- c:\windows\system32\drivers\klick.dat
2009-04-07 17:34 182,912 a------- c:\windows\system32\drivers\ndis.sys
2009-04-07 17:34 182,912 a------- c:\windows\system32\dllcache\ndis.sys
2008-08-04 22:20 3,225 a------- c:\program files\fichiers communs\cfgbak.tgb
2007-08-17 12:31 25,937,136 a------- c:\program files\Valve.rar

============= FINISH: 19:17:50,31 ===============



Attach.txt + sysinfo.zip (created by Kaspersky, may help) attached.

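The SERVICES / DRIVERS block in the DDS log above is fixed-format text and can be triaged mechanically instead of by eye. The Python below is an added example, not code from this thread or from DDS itself: it pulls each `R*`/`S*` entry out of the log and lists the services that are still registered but whose image DDS could not find (`[x]`) or could not resolve (`--> ... [?]`). The sample input is a handful of lines copied from the log; the reading of the state column (R = running, S = stopped, digit = start type) is my assumption about DDS output, and the helper names are mine.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample: lines copied from the SERVICES / DRIVERS section of the
# DDS log posted above, plus the section banners around it.
SAMPLE_DDS = r"""
============= SERVICES / DRIVERS ===============

R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [2008-1-29 33808]
R2 AVP;Kaspersky Anti-Virus;c:\program files\kaspersky lab\kaspersky anti-virus 2009\avp.exe [2008-11-11 206088]
S2 Vcs;Vcs support;\??\c:\windows\system32\drivers\vcs.sys --> c:\windows\system32\drivers\Vcs.sys [?]
S3 rkhdrv40;Rootkit Unhooker Driver; [x]
S3 xAntiArp;xAntiArpSpoof Service;c:\windows\system32\drivers\xantiarp.sys --> c:\windows\system32\drivers\xAntiArp.sys [?]
S4 mchInjDrv;mchInjDrv; [x]

============== File Associations ===============
"""

# "R0 name;display;rest": the leading letter/digit pair is the state column
# (assumption: R = running, S = stopped, digit = start type).
ENTRY_RE = re.compile(r"^(?P<state>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.*)$")
# Trailing "[...]" holds either "date size", "?" or "x".
TAG_RE = re.compile(r"\[(?P<tag>[^\]]*)\]\s*$")


@dataclass
class ServiceEntry:
    state: str
    name: str
    display: str
    image: Optional[str]   # on-disk path DDS reported, if any
    status: str            # "ok", "unresolved" (--> ... [?]) or "missing" ([x])
    stamp: Optional[str]   # "date size" DDS printed for files it could stat


def parse_rest(rest: str) -> Tuple[Optional[str], str, Optional[str]]:
    """Split the third field into (image path, status, stamp)."""
    m = TAG_RE.search(rest)
    if not m:
        return rest.strip() or None, "unknown", None
    tag = m.group("tag").strip()
    body = rest[: m.start()].strip()
    if tag == "x":
        # DDS found no image at all for this registered service.
        return body or None, "missing", None
    if tag == "?":
        # The registry path did not resolve to a file DDS could stat; keep the
        # right-hand side of "-->", the path it tried.
        image = body.split("-->")[-1].strip() if "-->" in body else body
        return image or None, "unresolved", None
    return body, "ok", tag


def parse_services(text: str) -> List[ServiceEntry]:
    """Return the SERVICES / DRIVERS entries found in a DDS log."""
    entries: List[ServiceEntry] = []
    in_section = False
    for line in text.splitlines():
        if line.startswith("="):
            # Section banners look like "===== NAME =====".
            in_section = "SERVICES / DRIVERS" in line
            continue
        if not in_section:
            continue
        m = ENTRY_RE.match(line)
        if not m:
            continue
        image, status, stamp = parse_rest(m.group("rest"))
        entries.append(ServiceEntry(m.group("state"), m.group("name").strip(),
                                    m.group("display").strip(), image, status, stamp))
    return entries


def registered_without_file(entries: List[ServiceEntry]) -> List[str]:
    """Names of services whose image DDS could not locate or verify.

    Leftovers from uninstalled tools land here as well, so each hit is a lead
    to compare against what the user says was installed, not a verdict.
    """
    return [e.name for e in entries if e.status != "ok"]


if __name__ == "__main__":
    svc = parse_services(SAMPLE_DDS)
    for e in svc:
        print(f"{e.state} {e.name:<12} {e.status:<10} {e.image}")
    print("needs a look:", registered_without_file(svc))
```

Run against the full log, the same parser would also pick up the entries for Rootkit Unhooker, GuiHook and mchInjDrv that the poster's earlier tools left behind; comparing that list with what the user knowingly installed is the first question a helper would ask.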



#5 KoanYorel

KoanYorel

    Bleepin' Conundrum

  • Staff Emeritus
  • 19,461 posts
  • Gender:Male
  • Location:65 miles due East of the "Logic Free Zone", in Md, USA

Posted 08 May 2009 - 08:48 PM

Your system is infected with a nasty variant of Virut, a polymorphic file infector with IRCBot functionality which infects .exe and .scr files, downloads more malicious files to your system, and opens a back door that compromises your computer. Virux is an even more complex file infector which also infects script files (.php, .asp, and .html). When Virut creates infected files, it also creates non-functional files that are corrupted beyond repair. In many cases the infected files cannot be disinfected properly by your anti-virus. When disinfection is attempted, the files become corrupted and the system may become irreparable.

The virus has a number of bugs in its code, and as a result it may misinfect a proportion of executable files....some W32/Virut.h infections are corrupted beyond repair.

McAfee Risk Assessment and Overview of W32/Virut
This kind of infection is contracted and spread by visiting remote, crack and keygen sites. These types of sites are infested with a smörgåsbord of malware and are an increasing source of system infection. However, the CA Security Advisor Research Blog says they have found MySpace user pages carrying the malicious Virut URL. Either way you can end up with a computer system so badly damaged that recovery is not possible and it cannot be repaired. When that happens there is nothing you can do besides reformatting and reinstalling the OS.

...warez and crack web pages are being used by cybercriminals as download sites for malware related to VIRUT and VIRUX. Searches for serial numbers, cracks, and even antivirus products like Trend Micro yield malcodes that come in the form of executables or self-extracting files...quick links in these sites also lead to malicious files. Ads and banners are also infection vectors...

Keygen and Crack Sites Distribute VIRUX and FakeAV

If your computer was used for online banking, has credit card information or other sensitive data on it, you should disconnect from the Internet until your system is cleaned. All passwords should be changed immediately, including those used for banking, email, eBay, PayPal and online forums. You should consider them to be compromised. You should change each password using a clean computer and not the infected one. If not, an attacker may get the new passwords and transaction information. If using a router, you need to reset it with a strong logon/password so the malware cannot gain control before connecting again. Banking and credit card institutions should be notified of the possible security breach. Because your computer was compromised please read:

There is no guarantee this infection can be completely removed. In some instances it may have caused so much damage to your system that it cannot be completely cleaned or repaired. The malware may leave so many remnants behind that security tools cannot find them. Many experts in the security community believe that once infected with this type of malware, the best course of action is to wipe the drive clean, reformat and reinstall the OS. Reinstalling Windows without first wiping the entire hard drive with a repartition and/or format will not remove the infection. The reinstall will only overwrite the Windows files. Any malware on the system will still be there afterwards. Please read:


If you insist on trying to fix this infection instead of following our advice to reformat and reinstall your operating system, there are various rescue disks available from major anti-virus vendors which you can try. Keep in mind, even vendors like Kaspersky say there is no guarantee that some files will not get corrupted during the disinfection process. In the end most folks end up reformatting out of frustration after spending hours attempting to repair and remove infected files. IMO the safest and easiest thing to do is just reformat and reinstall Windows.

Bleeping Computer DOES NOT assume any responsibility for your attempt to repair this infection using any of the following tools. You do this at your own risk and against our advice.

These are links to anti-virus vendors that offer free LiveCD or Rescue CD files, which you boot from to repair unbootable and damaged systems, rescue data, and scan the system for virus infections. Burn it as an image to a disk to get a bootable CD. All (except Avira) are in the ISO image file format. Avira uses an EXE that has built-in CD burning capability. If you are not sure how to burn an image, please read How to write a CD/DVD image or ISO. If you need a FREE utility to burn the ISO image, download and use ImgBurn.

The only easy day was yesterday.

...some do, some don't; some will, some won't (WR)

#6 nidhal2

nidhal2
  • Topic Starter
  • Members
  • 4 posts

Posted 09 May 2009 - 11:58 AM

Hello,

Can we skip the "Rescue System" step, please? It may delete Windows system files and I will be unable to use Windows.

Shall I post ComboFix.txt logs?

#7 KoanYorel

KoanYorel

    Bleepin' Conundrum

  • Staff Emeritus
  • 19,461 posts
  • Gender:Male
  • Location:65 miles due East of the "Logic Free Zone", in Md, USA

Posted 09 May 2009 - 12:07 PM

No ComboFix.txt logs.

We cannot help you. Sorry.

The only easy day was yesterday.

...some do, some don't; some will, some won't (WR)



