
Avast cant remove virus


This topic is locked
4 replies to this topic

#1 Azlan


Posted 29 April 2009 - 06:00 AM

Ok, I have a Microsoft Virtual PC 2007. While browsing the internet on it, I accidentally downloaded something. Then avast alerted me but can't delete or move to chest.

Now, my Task Manager is disabled.

MBAM always found different things.

And please note: Microsoft Virtual PC doesn't have a snapshot feature.


DDS (Ver_09-03-16.01) - NTFSx86
Run by Azlan at 18:55:31.57 on Wed 04/29/2009
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.899.633 [GMT 8:00]

AV: avast! antivirus 4.8.1335 [VPS 090428-0] *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Virtual Machine Additions\vmusrvc.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
svchost.exe
C:\Program Files\Virtual Machine Additions\vmsrvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Virtual Machine Additions\vpcmap.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Azlan\Desktop\dds(2).scr

============== Pseudo HJT Report ===============

BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [setup.exe] c:\windows\system32\setup.exe
uRun: [Hotfix-KB5504305] c:\windows\system32\rundll96.exe
uRunServices: [Hotfix-KB5504305] c:\windows\system32\rundll96.exe
mRun: [VMUserServices] c:\program files\virtual machine additions\vmusrvc.exe
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
mRun: [NiwradSoft Welcome] c:\windows\niwradsoft shell pack\tools\NS Welcome.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [setup.exe] c:\windows\system32\setup.exe
mRun: [Hotfix-KB5504305] c:\windows\system32\rundll96.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRunServices: [Hotfix-KB5504305] c:\windows\system32\rundll96.exe
uPolicies-system: DisableTaskMgr = 10 (0xa)
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

============= SERVICES / DRIVERS ===============

R1 1-driver-vmsrvc;Virtual Machine Additions Services Driver;c:\windows\system32\drivers\vmsrvc.sys [2007-1-25 68488]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2009-2-14 114768]
R1 msvmmouf;Virtual Machine Additions Mouse Integration Filter Driver;c:\windows\system32\drivers\msvmmouf.sys [2005-11-17 5632]
R2 1-vmsrvc;Virtual Machine Additions Services Application;c:\program files\virtual machine additions\vmsrvc.exe [2007-1-25 91528]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-2-14 20560]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast4\ashServ.exe [2009-2-14 138680]
R2 MRxVPC;Virtual Machine Additions Folder Sharing Driver;c:\windows\system32\drivers\mrxvpc.sys [2007-1-25 114568]
R2 VPCMap;Virtual Machine Additions Shared Folder Service;c:\program files\virtual machine additions\vpcmap.exe [2007-1-25 66952]
R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast4\ashMaiSv.exe [2009-2-14 254040]
R3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast4\ashWebSv.exe [2009-2-14 352920]
R3 ctlsb16;Creative SB16/AWE32/AWE64 Driver (WDM);c:\windows\system32\drivers\ctlsb16.sys [2008-12-22 96256]
R3 vpc-s3;vpc-s3;c:\windows\system32\drivers\vpc-s3.sys [2005-11-17 66560]
S3 s3legacy;s3legacy;c:\windows\system32\drivers\s3legacy.sys [2008-12-22 65664]

=============== Created Last 30 ================

2009-04-29 18:32 <DIR> --dsh--- c:\documents and settings\azlan\IECompatCache
2009-04-29 18:31 <DIR> --dsh--- c:\documents and settings\azlan\PrivacIE
2009-04-29 18:29 <DIR> --dsh--- c:\documents and settings\azlan\IETldCache
2009-04-29 18:27 <DIR> --d----- c:\windows\ie8updates
2009-04-29 18:27 105,984 -c------ c:\windows\system32\dllcache\iecompat.dll
2009-04-29 18:25 <DIR> -cd-h--- c:\windows\ie8
2009-04-28 18:53 664 a------- c:\windows\system32\d3d9caps.dat
2009-04-28 18:32 <DIR> --d----- c:\program files\VideoLAN
2009-04-20 17:34 <DIR> --d----- c:\program files\common files\CodecS
2009-04-20 17:09 <DIR> --d----- c:\program files\VS Revo Group
2009-04-20 16:35 221,184 a------- c:\windows\system32\wmpns.dll
2009-04-16 17:47 <DIR> --d----- c:\docume~1\azlan\applic~1\LimeWire
2009-04-16 17:46 <DIR> --d----- c:\program files\LimeWire
2009-04-16 17:23 2,560 -------- c:\windows\system32\xpsp4res.dll
2009-04-16 16:13 <DIR> --d----- c:\docume~1\alluse~1\applic~1\01392330
2009-04-16 16:13 <DIR> --d----- c:\docume~1\alluse~1\applic~1\01391330
2009-04-16 14:09 35,328 ac------ c:\windows\system32\dllcache\pcntpci5.sys
2009-04-16 14:09 35,328 a------- c:\windows\system32\drivers\pcntpci5.sys
2009-04-15 10:38 <DIR> --d----- c:\windows\system32\KB905474
2009-04-13 18:11 1,846,632 a------- c:\windows\system32\D3DCompiler_41.dll
2009-04-13 18:11 453,456 a------- c:\windows\system32\d3dx10_41.dll
2009-04-13 18:11 4,178,264 a------- c:\windows\system32\D3DX9_41.dll
2009-04-13 18:11 517,448 a------- c:\windows\system32\XAudio2_4.dll
2009-04-13 18:11 69,448 a------- c:\windows\system32\XAPOFX1_3.dll
2009-04-13 18:11 235,352 a------- c:\windows\system32\xactengine3_4.dll
2009-04-13 18:11 22,360 a------- c:\windows\system32\X3DAudio1_6.dll
2009-04-13 18:11 2,036,576 a------- c:\windows\system32\D3DCompiler_40.dll
2009-04-13 18:11 452,440 a------- c:\windows\system32\d3dx10_40.dll
2009-04-13 18:09 3,426,072 a------- c:\windows\system32\d3dx9_32.dll
2009-04-13 17:46 <DIR> --d----- c:\windows\Logs
2009-04-13 17:45 <DIR> --d-h--- c:\windows\msdownld.tmp
2009-04-13 17:45 <DIR> --d----- c:\program files\Utherverse Digital Inc

==================== Find3M ====================

2009-04-06 15:32 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-06 15:32 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-03-24 20:18 218,624 a------- c:\windows\system32\uxtheme.dll
2009-03-09 05:19 410,984 a------- c:\windows\system32\deploytk.dll
2009-03-08 04:34 914,944 a------- c:\windows\system32\wininet.dll
2009-03-08 04:34 43,008 a------- c:\windows\system32\licmgr10.dll
2009-03-08 04:33 18,944 a------- c:\windows\system32\corpol.dll
2009-03-08 04:33 420,352 a------- c:\windows\system32\vbscript.dll
2009-03-08 04:32 72,704 a------- c:\windows\system32\admparse.dll
2009-03-08 04:32 71,680 a------- c:\windows\system32\iesetup.dll
2009-03-08 04:31 34,816 a------- c:\windows\system32\imgutil.dll
2009-03-08 04:31 48,128 a------- c:\windows\system32\mshtmler.dll
2009-03-08 04:31 45,568 a------- c:\windows\system32\mshta.exe
2009-03-08 04:22 156,160 a------- c:\windows\system32\msls31.dll
2009-03-06 22:22 284,160 a------- c:\windows\system32\pdh.dll
2009-02-09 20:10 729,088 a------- c:\windows\system32\lsasrv.dll
2009-02-09 20:10 714,752 a------- c:\windows\system32\ntdll.dll
2009-02-09 20:10 617,472 a------- c:\windows\system32\advapi32.dll
2009-02-09 20:10 401,408 a------- c:\windows\system32\rpcss.dll
2009-02-09 19:13 1,846,784 a------- c:\windows\system32\win32k.sys
2009-02-07 19:02 2,066,048 a------- c:\windows\system32\ntkrnlpa.exe
2009-02-06 19:11 110,592 a------- c:\windows\system32\services.exe
2009-02-06 19:08 2,189,056 a------- c:\windows\system32\ntoskrnl.exe
2009-02-06 18:39 35,328 a------- c:\windows\system32\sc.exe
2009-02-04 03:59 56,832 a------- c:\windows\system32\secur32.dll

============= FINISH: 18:56:17.97 ===============

MBAM LOG


Malwarebytes' Anti-Malware 1.36
Database version: 2058
Windows 5.1.2600 Service Pack 3

4/29/2009 6:49:03 PM
mbam-log-2009-04-29 (18-49-03).txt

Scan type: Quick Scan
Objects scanned: 71469
Time elapsed: 12 minute(s), 21 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\systemz (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\drivers\ctfmon.exe (Heuristics.Reserved.Word.Exploit) -> Delete on reboot.
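A small triage routine, added here as an example and not part of the thread or of the DDS/MBAM tools, that reads the autorun lines of a DDS Pseudo HJT Report like the one in post #1 and flags the same entries (setup.exe, Hotfix-KB5504305) and the DisableTaskMgr policy that explain the symptoms described; the system32 allowlist and the flagging rules are my assumptions, not DDS or MBAM logic:

```python
import re
from collections import defaultdict

# Sample input: autorun and policy lines copied from the DDS report in post #1.
DDS_SAMPLE = r"""
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [setup.exe] c:\windows\system32\setup.exe
uRun: [Hotfix-KB5504305] c:\windows\system32\rundll96.exe
uRunServices: [Hotfix-KB5504305] c:\windows\system32\rundll96.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [setup.exe] c:\windows\system32\setup.exe
mRun: [Hotfix-KB5504305] c:\windows\system32\rundll96.exe
mRunServices: [Hotfix-KB5504305] c:\windows\system32\rundll96.exe
uPolicies-system: DisableTaskMgr = 10 (0xa)
"""

# DDS prefixes: u = HKCU, m = HKLM; the key is Run or RunServices.
AUTORUN_RE = re.compile(r"^(?P<hive>[um])(?P<key>Run(?:Services)?): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
POLICY_RE = re.compile(r"^uPolicies-system: DisableTaskMgr = (?P<val>\d+)")

# Assumed allowlist: the one binary expected to autorun from system32 on stock XP.
SYSTEM32_EXPECTED = {"ctfmon.exe"}

def command_path(cmd):
    # Executable path from a Run value, with any arguments dropped.
    if cmd.startswith('"'):
        return cmd[1:cmd.index('"', 1)]
    return cmd.split(" ")[0]

def triage_autoruns(text):
    """Return (findings, taskmgr_disabled) for DDS Pseudo HJT Report lines."""
    findings = []
    hives_by_name = defaultdict(set)
    taskmgr_disabled = False
    for line in text.splitlines():
        m = AUTORUN_RE.match(line)
        if m:
            hive, key, name, cmd = m.group("hive", "key", "name", "cmd")
            path = command_path(cmd).lower()
            hives_by_name[name].add(hive)
            if key == "RunServices":
                # Windows 9x-era key with no legitimate use on XP; a malware tell.
                findings.append((name, "RunServices entry on an NT system"))
            base = path.rsplit("\\", 1)[-1]
            if path.startswith(r"c:\windows\system32") and base not in SYSTEM32_EXPECTED:
                findings.append((name, "unexpected system32 autorun: " + path))
            continue
        p = POLICY_RE.match(line)
        if p and int(p.group("val")) != 0:
            taskmgr_disabled = True  # matches the "Task Manager disabled" symptom
    for name, hives in hives_by_name.items():
        if hives == {"u", "m"}:  # same value planted in both HKCU and HKLM
            findings.append((name, "registered in both user and machine Run keys"))
    return findings, taskmgr_disabled
```

Run against the sample it flags only setup.exe and Hotfix-KB5504305 and reports Task Manager as disabled, which is exactly what MBAM removed in the follow-up log.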

#2 Azlan


Posted 30 April 2009 - 03:10 AM

LATEST MBAM LOG

Malwarebytes' Anti-Malware 1.36
Database version: 2061
Windows 5.1.2600 Service Pack 3

4/30/2009 4:03:17 PM
mbam-log-2009-04-30 (16-03-17).txt

Scan type: Quick Scan
Objects scanned: 71591
Time elapsed: 16 minute(s), 17 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 4
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 14

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\securentm (Rootkit.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\fips32cup (Rootkit.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Hotfix-KB5504305 (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Hotfix-KB5504305 (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\Hotfix-KB5504305 (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\Hotfix-KB5504305 (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SecurityProviders (Trojan.Dropper) -> Data: digiwet.dll -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\RECYCLER\S-1-5-21-790525478-789336058-1060284298-1003\Dc32.exe (Trojan.Dropper) -> Delete on reboot.
C:\Documents and Settings\Azlan\Local Settings\Temp\Temporary Directory 2 for Rootkit.zip\dnfly[1].exe (Trojan.Dropper) -> Delete on reboot.
C:\Documents and Settings\Azlan\Local Settings\Temp\Temporary Directory 3 for Rootkit.zip\dnfly[1].exe (Trojan.Dropper) -> Delete on reboot.
C:\Documents and Settings\Azlan\Local Settings\Temp\Temporary Directory 4 for Rootkit.zip\dnfly[1].exe (Trojan.Dropper) -> Delete on reboot.
C:\Documents and Settings\Azlan\Local Settings\Temp\Temporary Directory 5 for Rootkit.zip\dnfly[1].exe (Trojan.Dropper) -> Delete on reboot.
C:\Documents and Settings\Azlan\Local Settings\Temp\Temporary Directory 6 for Rootkit.zip\dnfly[1].exe (Trojan.Dropper) -> Delete on reboot.
C:\Documents and Settings\Azlan\Local Settings\Temp\Temporary Directory 7 for Rootkit.zip\dnfly[1].exe (Trojan.Dropper) -> Delete on reboot.
C:\Documents and Settings\Azlan\Local Settings\Temp\Temporary Directory 8 for Rootkit.zip\dnfly[1].exe (Trojan.Dropper) -> Delete on reboot.
C:\Documents and Settings\Azlan\Local Settings\Temp\Temporary Directory 1 for Rootkit.zip\dnfly[1].exe (Trojan.Dropper) -> Delete on reboot.
C:\Documents and Settings\Azlan\Local Settings\Temporary Internet Files\Content.IE5\30SUG0VA\load[1].exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Azlan\Local Settings\Temporary Internet Files\Content.IE5\8LQFCHIB\dnfly[1].exe (Trojan.Dropper) -> Delete on reboot.
C:\Documents and Settings\Azlan\Local Settings\Temp\BN4.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Azlan\Local Settings\Temp\BN5.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\digiwet.dll (Trojan.Dropper) -> Quarantined and deleted successfully.

#3 Azlan


Posted 05 May 2009 - 05:00 AM

I need help here!!! Sality.Q virus is infecting the whole computer
==============
Hello

While we understand your frustration at having to wait, please note that Bleeping Computer deals with several hundred requests for assistance such as yours on a daily basis. As a result, our backlog is quite large as are other comparable sites that help others with malware issues. Although our HJT Team members work on hundreds of requests each day, they are all volunteers who work logs when they can and are able to do so. No one is paid by Bleeping Computer for their assistance to our members.

Further, our malware removal staff is comprised of team members with various levels of skill and expertise to deal with thousands of malware variants, some more complex than others. Although we try to take DDS/HJT logs in order (starting with the oldest), it is often the skill level of the particular helper and sometimes the operating system that dictates which logs get selected first. Some infections are more complicated than others and require a higher skill level to remove. Without that skill level, attempted removal could have disastrous results. In other instances, the helper may not be familiar with the operating system that you are using, since they use another. In either case, neither of us wants someone to assist you who is not familiar with your issue and attempt to fix it.

We ask that once you have posted your log and are waiting, please DO NOT "bump" your thread or make further replies until it has been responded to by a member of the HJT Team. The reason we ask this or do not respond to your requests is because that would remove you from the active queue that Techs and Staff have access to. The malware staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response, there will be 1 reply. A team member, looking for a new log to work may assume another HJT Team member is already assisting you and not open the thread to respond.

That is why I have made an edit to your last post, instead of a reply. Please do not multiple post here, as that only pushes you further down the queue and causes confusion to the staff.

Please be patient. It may take a while to get a response but your log will be reviewed and answered as soon as possible.

Thank you for understanding.

Orange Blossom ~ forum moderator

Edited by Orange Blossom, 06 May 2009 - 11:48 PM.


#4 Azlan


Posted 07 May 2009 - 05:57 AM

Never mind... the virtual PC... I already reformatted it and installed Windows 7.

#5 Orange Blossom


Posted 11 May 2009 - 10:27 PM

Thank you for letting us know. I'm sorry that you had to resort to that measure. If you should experience new computer issues, please start a new topic. This topic is now closed. ~ OB