
ntos.exe and friends. Help!


  • This topic is locked
6 replies to this topic

#1 peateargriffin

peateargriffin

  • Members
  • 3 posts

Posted 29 April 2009 - 12:13 PM

Hello,

I've been infected with multiple bugs. I've run the latest version of Malwarebytes' Anti-Malware and have also run SUPERAntiSpyware (though in safe mode it won't let me update) and Spybot S&D. Before, the anti-malware found the Vundo trojan but now, an older bug that I've left ignored has started to act up.

There is an iexplore.exe process that is not legit and recently it's started to double up on me, running two of itself at the same time. My internet connection is also being affected as it starts and stops my bandwidth although my modem is working fine. Please help!

- Thanks


DDS (Ver_09-03-16.01) - NTFSx86 NETWORK
Run by Administrator at 10:00:54.26 on Wed 04/29/2009
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.511.188 [GMT -7:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\System32\svchost.exe -k NetworkService
C:\WINDOWS\System32\svchost.exe -k LocalService
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\TEMP\uw0w217ah.exe
C:\WINDOWS\TEMP\uw0w217ah.exe
C:\WINDOWS\TEMP\3761043586.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Administrator\Desktop\dds.scr
C:\WINDOWS\System32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uInternet Connection Wizard,ShellNext = hxxp://www.windowsecurity.com/trojanscan/checksystem.asp
mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\windows\system32\ntos.exe,
BHO: c:\windows\system32\kjsdiowq8oikf.dll: {b2ba40a2-74f0-42bd-f434-12345a2c8953} - c:\windows\system32\kjsdiowq8oikf.dll
TB: {E0E899AB-F487-11D5-8D29-0050BA6940E3} - No File
TB: SnagIt: {8ff5e183-abde-46eb-b09e-d2aab95cabe3} - c:\program files\techsmith\snagit 8\SnagItIEAddin.dll
TB: Alcohol Toolbar: {ed4bd629-c1b6-4399-8a34-02ccaa921dc9} - c:\program files\alcohol toolbar\v3.2.0.0\Alcohol_Toolbar.dll
TB: Viewpoint Toolbar: {f8ad5aa5-d966-4667-9daf-2561d68b2012} - c:\program files\common files\viewpoint\toolbar runtime\3.8.0\IEViewBar.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRunOnce: [SpybotDeletingB7311] command.com /c del "c:\program files\mozilla firefox\extensions\{a89aed22-9133-424c-88e7-c8235c5ff302}\chrome.manifest"
uRunOnce: [SpybotDeletingD7195] cmd.exe /c del "c:\program files\mozilla firefox\extensions\{a89aed22-9133-424c-88e7-c8235c5ff302}\chrome.manifest"
uRunOnce: [SpybotDeletingB6364] command.com /c del "c:\program files\mozilla firefox\extensions\{a89aed22-9133-424c-88e7-c8235c5ff302}\install.js"
uRunOnce: [SpybotDeletingD5594] cmd.exe /c del "c:\program files\mozilla firefox\extensions\{a89aed22-9133-424c-88e7-c8235c5ff302}\install.js"
uRunOnce: [SpybotDeletingB1014] command.com /c del "c:\program files\mozilla firefox\extensions\{a89aed22-9133-424c-88e7-c8235c5ff302}\install.rdf"
uRunOnce: [SpybotDeletingD8158] cmd.exe /c del "c:\program files\mozilla firefox\extensions\{a89aed22-9133-424c-88e7-c8235c5ff302}\install.rdf"
uRunOnce: [SpybotDeletingB4733] command.com /c del "c:\program files\mozilla firefox\extensions\{a89aed22-9133-424c-88e7-c8235c5ff302}\vssver2.scc"
uRunOnce: [SpybotDeletingD2644] cmd.exe /c del "c:\program files\mozilla firefox\extensions\{a89aed22-9133-424c-88e7-c8235c5ff302}\vssver2.scc"
uRunOnce: [SpybotDeletingB9367] command.com /c del "c:\program files\mozilla firefox\extensions\{a89aed22-9133-424c-88e7-c8235c5ff302}\components\IMeMedia_FF.xpt"
uRunOnce: [SpybotDeletingD4725] cmd.exe /c del "c:\program files\mozilla firefox\extensions\{a89aed22-9133-424c-88e7-c8235c5ff302}\components\IMeMedia_FF.xpt"
uRunOnce: [SpybotDeletingB6463] command.com /c del "c:\program files\mozilla firefox\extensions\{a89aed22-9133-424c-88e7-c8235c5ff302}\components\MeMedia_FF.dll"
uRunOnce: [SpybotDeletingD6516] cmd.exe /c del "c:\program files\mozilla firefox\extensions\{a89aed22-9133-424c-88e7-c8235c5ff302}\components\MeMedia_FF.dll"
uRunOnce: [SpybotDeletingB4686] command.com /c del "c:\program files\mozilla firefox\extensions\{bee3e87e-e1c6-4bfe-be9d-48e84271ab34}\chrome\whenu_ff.jar"
uRunOnce: [SpybotDeletingD9966] cmd.exe /c del "c:\program files\mozilla firefox\extensions\{bee3e87e-e1c6-4bfe-be9d-48e84271ab34}\chrome\whenu_ff.jar"
uRunOnce: [SpybotDeletingB9894] command.com /c del "c:\program files\mozilla firefox\extensions\{bee3e87e-e1c6-4bfe-be9d-48e84271ab34}\components\Iwhenu_ff.xpt"
uRunOnce: [SpybotDeletingD6475] cmd.exe /c del "c:\program files\mozilla firefox\extensions\{bee3e87e-e1c6-4bfe-be9d-48e84271ab34}\components\Iwhenu_ff.xpt"
uRunOnce: [SpybotDeletingB747] command.com /c del "c:\program files\mozilla firefox\extensions\{bee3e87e-e1c6-4bfe-be9d-48e84271ab34}\components\whenu_ff.dll"
uRunOnce: [SpybotDeletingD1672] cmd.exe /c del "c:\program files\mozilla firefox\extensions\{bee3e87e-e1c6-4bfe-be9d-48e84271ab34}\components\whenu_ff.dll"
uRunOnce: [SpybotDeletingB8058] command.com /c del "c:\windows\system32\wsnpoem\video.dll"
uRunOnce: [SpybotDeletingD5903] cmd.exe /c del "c:\windows\system32\wsnpoem\video.dll"
uRunOnce: [SpybotDeletingB3210] command.com /c del "c:\windows\system32\ntos.exe"
uRunOnce: [SpybotDeletingD940] cmd.exe /c del "c:\windows\system32\ntos.exe"
uRunOnce: [SpybotDeletingB8247] command.com /c del "c:\windows\system32\wsnpoem\audio.dll"
uRunOnce: [SpybotDeletingD7801] cmd.exe /c del "c:\windows\system32\wsnpoem\audio.dll"
mRun: [SunJavaUpdateSched] c:\program files\java\jre1.5.0_06\bin\jusched.exe
mRun: [reader_s] c:\windows\system32\reader_s.exe
dRun: [<NO NAME>] c:\windows\temp\uw0w217ah.exe
dRun: [Windows Resurections] c:\windows\temp\uw0w217ah.exe
dRun: [Diagnostic Manager] c:\windows\temp\3761043586.exe
dRun: [reader_s] c:\documents and settings\james\reader_s.exe
StartupFolder: c:\documents and settings\all users\start menu\programs\startup\Adobe Reader Speed Launch.lnk.disabled
dPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
dPolicies-explorer: NoFolderOptions = 1 (0x1)
dPolicies-system: DisableRegistryTools = 1 (0x1)
IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim\aim.exe
IE: {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - c:\program files\partygaming\partypoker\RunApp.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_06\bin\npjpi150_06.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1144433288826
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
DPF: {D821DC4A-0814-435E-9820-661C543A4679} - hxxp://drmlicense.one.microsoft.com/crlupdate/en/crlocx.ocx
Notify: !saswinlogon - c:\program files\superantispyware\SASWINLO.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: hmbdkint - wummafu.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
STS: c:\windows\system32\kjsdiowq8oikf.dll: {b2ba40a2-74f0-42bd-f434-12345a2c8953} - c:\windows\system32\kjsdiowq8oikf.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
LSA: Notification Packages = scecli sbdbd32.dll c:\windows\system32\jukajeyi.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\admini~1\applic~1\mozilla\firefox\profiles\n2bf3533.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - component: c:\program files\mozilla firefox\components\dfff.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava11.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava12.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava13.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava14.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava32.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJPI150_06.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPOJI610.dll

============= SERVICES / DRIVERS ===============

R0 lffycjtc;lffycjtc;c:\windows\system32\drivers\lffycjtc.sys [2001-8-23 23424]
R0 protect;protect;c:\windows\system32\drivers\protect.sys --> c:\windows\system32\drivers\protect.sys [?]
S0 hzusefk;hzusefk;c:\windows\system32\drivers\nmsf.sys --> c:\windows\system32\drivers\nmsf.sys [?]
S1 crr99a4;crr99a4;c:\windows\system32\drivers\crr99a4.sys [2009-4-28 17376]
S1 dss9045;dss9045;c:\windows\system32\drivers\dss9045.sys [2009-4-28 17376]
S1 ihccded;ihccded;c:\windows\system32\drivers\ihccded.sys [2009-4-28 17376]
S1 jjdf8be;jjdf8be;c:\windows\system32\drivers\jjdf8be.sys [2009-4-29 17376]
S1 oii9ba3;oii9ba3;c:\windows\system32\drivers\oii9ba3.sys [2009-4-28 17376]
S1 oon5864;oon5864;c:\windows\system32\drivers\oon5864.sys [2009-4-28 17376]
S1 sasdifsv;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-3-23 9968]
S1 saskutil;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-3-23 72944]
S1 ssr6c2c;ssr6c2c;c:\windows\system32\drivers\ssr6c2c.sys [2009-4-28 17376]
S2 ceagovhn;Microsoft HID Class Support;c:\windows\system32\svchost.exe -k netsvcs [2001-8-23 34816]
S2 mediacenter;MS Media Control Center;c:\windows\system32\svchost.exe -k krnlsrvc [2001-8-23 34816]
S3 BEFCMU10V4XP;Linksys BEFCMU10 ver. 4 Cable Modem;c:\windows\system32\drivers\BEFCMU10V4XP.sys [2006-12-11 14336]
S3 sasenum;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-3-23 7408]

=============== Created Last 30 ================

2009-04-29 09:38 38 a------- C:\2C.tmp
2009-04-29 09:38 0 a------- C:\2B.tmp
2009-04-29 09:38 0 a------- C:\2A.tmp
2009-04-29 09:38 0 a------- C:\28.tmp
2009-04-29 09:38 0 a------- C:\27.tmp
2009-04-29 09:38 0 a------- C:\25.tmp
2009-04-29 09:38 0 a------- C:\24.tmp
2009-04-29 09:38 0 a------- C:\22.tmp
2009-04-29 09:38 0 a------- C:\21.tmp
2009-04-29 09:38 36,004 a------- C:\1E.tmp
2009-04-29 09:38 54,784 a------- C:\1C.tmp
2009-04-29 09:34 61,440 a------- c:\windows\system32\4A.tmp
2009-04-29 09:34 17,376 a------- c:\windows\system32\drivers\jjdf8be.sys
2009-04-29 09:34 124 a------- c:\windows\system32\45.tmp
2009-04-29 08:54 38 a------- C:\35.tmp
2009-04-29 08:54 0 a------- C:\2D.tmp
2009-04-29 08:54 0 a------- C:\29.tmp
2009-04-29 08:54 0 a------- C:\26.tmp
2009-04-29 08:54 0 a------- C:\23.tmp
2009-04-29 08:54 0 a------- C:\20.tmp
2009-04-29 08:54 0 a------- C:\1F.tmp
2009-04-29 08:54 0 a------- C:\1D.tmp
2009-04-29 08:54 0 a------- C:\1B.tmp
2009-04-29 08:54 33,237 a------- C:\1A.tmp
2009-04-29 08:54 54,784 a------- C:\19.tmp
2009-04-29 07:57 1 a------- c:\windows\system32\1F.tmp
2009-04-29 07:57 84 a------- c:\windows\system32\1D.tmp
2009-04-29 07:56 38 a------- C:\18.tmp
2009-04-29 07:56 0 a------- C:\17.tmp
2009-04-29 07:56 0 a------- C:\16.tmp
2009-04-29 07:56 0 a------- C:\15.tmp
2009-04-29 07:56 0 a------- C:\14.tmp
2009-04-29 07:56 0 a------- C:\13.tmp
2009-04-29 07:56 0 a------- C:\12.tmp
2009-04-29 07:56 0 a------- C:\11.tmp
2009-04-29 07:56 0 a------- C:\10.tmp
2009-04-29 07:56 36,044 a------- C:\A.tmp
2009-04-29 07:56 54,784 a------- C:\3.tmp
2009-04-29 07:54 94,208 a------- c:\windows\system32\6.tmp
2009-04-29 07:54 1 a------- c:\windows\system32\5.tmp
2009-04-29 07:54 84 a------- c:\windows\system32\3.tmp
2009-04-28 22:39 <DIR> --d----- c:\windows\ERUNT
2009-04-28 22:39 <DIR> --d----- C:\SDFix
2009-04-28 22:19 61,440 a------- c:\windows\system32\63.tmp
2009-04-28 22:19 17,376 a------- c:\windows\system32\drivers\dss9045.sys
2009-04-28 22:19 124 a------- c:\windows\system32\5E.tmp
2009-04-28 22:18 38 a------- C:\5B.tmp
2009-04-28 22:18 0 a------- C:\5A.tmp
2009-04-28 22:18 0 a------- C:\59.tmp
2009-04-28 22:18 0 a------- C:\58.tmp
2009-04-28 22:18 0 a------- C:\57.tmp
2009-04-28 22:18 0 a------- C:\56.tmp
2009-04-28 22:18 0 a------- C:\55.tmp
2009-04-28 22:18 0 a------- C:\54.tmp
2009-04-28 22:18 0 a------- C:\53.tmp
2009-04-28 22:17 34,176 a------- C:\4D.tmp
2009-04-28 22:17 54,784 a------- C:\4C.tmp
2009-04-28 22:15 1,311 a------- c:\windows\wininit.ini
2009-04-28 21:49 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2009-04-28 21:49 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2009-04-28 21:29 61,440 a------- c:\windows\system32\52.tmp
2009-04-28 21:29 17,376 a------- c:\windows\system32\drivers\ssr6c2c.sys
2009-04-28 21:28 124 a------- c:\windows\system32\4E.tmp
2009-04-28 21:28 0 a------- C:\4B.tmp
2009-04-28 21:28 0 a------- C:\49.tmp
2009-04-28 21:28 0 a------- C:\48.tmp
2009-04-28 21:28 0 a------- C:\47.tmp
2009-04-28 21:28 0 a------- C:\42.tmp
2009-04-28 21:28 38 a------- C:\41.tmp
2009-04-28 21:28 34,276 a------- C:\4.tmp
2009-04-28 21:28 15,000 a------- c:\windows\system32\kjsdiowq8oikf.dll
2009-04-28 19:59 61,440 a------- c:\windows\system32\60.tmp
2009-04-28 19:59 17,376 a------- c:\windows\system32\drivers\crr99a4.sys
2009-04-28 19:58 124 a------- c:\windows\system32\5D.tmp
2009-04-28 18:08 17,376 a------- c:\windows\system32\drivers\oon5864.sys
2009-04-28 16:22 17,376 a------- c:\windows\system32\drivers\ihccded.sys
2009-04-28 14:56 <DIR> --d----- c:\documents and settings\administrator\.housecall6.6
2009-04-28 13:58 0 a------- C:\52.tmp
2009-04-28 13:58 0 a------- C:\51.tmp
2009-04-28 13:56 0 a------- C:\50.tmp
2009-04-28 13:56 0 a------- C:\4F.tmp
2009-04-28 13:56 0 a------- C:\4E.tmp
2009-04-28 13:56 61,440 a------- c:\windows\system32\4D.tmp
2009-04-28 13:56 17,376 a------- c:\windows\system32\drivers\oii9ba3.sys
2009-04-28 13:56 0 a------- C:\4A.tmp
2009-04-28 13:56 124 a------- c:\windows\system32\48.tmp
2009-04-28 13:56 38 a------- C:\46.tmp
2009-04-28 13:56 0 a------- C:\45.tmp
2009-04-28 13:56 0 a------- C:\44.tmp
2009-04-28 13:56 34,176 a------- C:\43.tmp
2009-04-27 18:39 0 a------- C:\40.tmp
2009-04-27 08:55 664 a------- c:\windows\system32\d3d9caps.dat
2009-04-27 08:27 <DIR> --d----- c:\docume~1\admini~1\applic~1\SUPERAntiSpyware.com
2009-04-27 08:21 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-04-27 08:21 <DIR> --d----- c:\program files\SUPERAntiSpyware
2009-04-27 07:58 44,544 a------- c:\windows\system32\loader266.exe
2009-04-27 02:01 36,334 a------- C:\F.tmp
2009-04-26 23:39 0 a------- C:\E.tmp
2009-04-26 23:39 0 a------- C:\D.tmp
2009-04-26 23:39 0 a------- C:\C.tmp
2009-04-26 23:39 38 a------- C:\B.tmp
2009-04-26 23:39 0 a------- C:\9.tmp
2009-04-26 23:39 0 a------- C:\8.tmp
2009-04-26 23:39 0 a------- C:\7.tmp
2009-04-26 23:39 0 a------- C:\6.tmp
2009-04-26 23:39 33,948 a------- C:\5.tmp
2009-04-26 23:27 184,361 ----h--- c:\windows\system32\VT100.EXE
2009-04-24 08:44 0 a------- c:\windows\system32\3F.tmp
2009-04-24 08:44 0 a------- c:\windows\system32\3E.tmp
2009-04-24 07:38 81,635 a------- c:\windows\system32\3D.tmp
2009-04-24 07:38 124 a------- c:\windows\system32\3C.tmp
2009-04-24 06:55 0 a------- c:\windows\system32\39.tmp
2009-04-24 06:55 61,440 a------- c:\windows\system32\38.tmp
2009-04-24 06:54 124 a------- c:\windows\system32\35.tmp
2009-04-24 06:54 <DIR> --d----- c:\docume~1\admini~1\applic~1\Malwarebytes
2009-04-24 06:53 <DIR> --d----- c:\documents and settings\Administrator
2009-04-24 05:26 54,156 a---h--- c:\windows\QTFont.qfn
2009-04-24 05:26 1,409 a------- c:\windows\QTFont.for
2009-04-24 03:27 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-04-24 03:27 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-24 03:27 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-04-24 03:27 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-04-23 16:38 155 a------- c:\windows\system32\SelfDel.bat
2009-04-22 19:13 300 a------- c:\windows\Vvutazubijaxe.dat
2009-04-22 19:13 0 a------- c:\windows\Dkejadoyado.bin
2009-04-22 10:51 102,664 a------- c:\windows\system32\drivers\tmcomm.sys
2009-04-22 10:27 59,915 a------- C:\VETlog.dmp
2009-04-21 23:18 182,912 ac------ c:\windows\system32\dllcache\ndis.sys
2009-04-21 23:18 28,672 a------- c:\windows\system32\inqby.sr
2009-04-21 23:18 32,768 a------- c:\windows\system32\ferryl.cbv
2009-04-21 23:18 32,768 a------- c:\windows\system32\fairy.an
2009-04-21 23:18 79,360 a------- c:\windows\system32\ashl.nq
2009-04-21 23:18 28,672 a------- c:\windows\system32\dolman.zt
2009-04-21 23:18 290,304 a------- C:\yxly.exe
2009-04-21 19:07 <DIR> --d----- c:\program files\Full Tilt Poker

==================== Find3M ====================

2009-04-27 18:34 102,400 a------- c:\windows\DUMP54d6.tmp
2009-04-27 09:19 102,400 a------- c:\windows\DUMP84df.tmp
2009-04-27 07:43 102,400 a------- c:\windows\DUMP83f5.tmp
2009-04-27 02:00 102,400 a------- c:\windows\DUMPacd5.tmp
2009-04-26 23:38 102,400 a------- c:\windows\DUMP8cfd.tmp
2009-04-21 23:23 74,240 a--sh--- c:\windows\system32\bepikize.exe
2009-04-21 23:18 182,912 a------- c:\windows\system32\drivers\ndis.sys
2009-04-21 23:18 577,536 a------- c:\windows\system32\user32.DLL
2004-08-17 18:00 74,752 ---sh--- c:\windows\system32\RdmutdC.dll

============= FINISH: 10:01:47.35 ===============


#2 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 29 April 2009 - 01:42 PM

Hello peateargriffin,

I am sorry to give you some very bad news.

Your System is infected with Virut!!
Virut is a file infecting virus which is able to modify itself each and every time it runs. In addition, when it infects, sometimes it will destroy the file it tries to latch onto.
For these reasons, you really can't truly fix Virut. You will need to format/reinstall the operating system on this machine.

More information:
http://free.avg.com/66558

There are bugs in the viral code. When the virus produces infected files, it also creates non-functional files that also contain the virus.


http://home.mcafee.com/VirusInfo/VirusProf...aspx?key=143034

W32/Virut.h is a polymorphic, entry point obscuring (EPO) file infector with IRC bot functionality. It can accept commands to download other malware on the compromised machine.
It appends to the end of the last section of executable (PE) files an encrypted copy of its code. The decryptor is polymorphic and can be located either:
Immediately before the encrypted code at the end of the last section
At the end of the code section of the infected host in 'slack-space' (assuming there is any)
At the original entry point of the host (overwriting the original host code)


Miekiemoes, an expert for malware removal and an MS-MVP, additionally has a blog post about Virut.

I suggest you start backing up all of your valuable data/documents/pictures/movies/songs/etc.
Do NOT back up any applications/installers and do NOT back up any .exe/.scr/.htm/.html/.xml/.zip/.rar files.
This is because these files may be infected as well. If you back them up and replace them afterwards, it will infect your computer again.

Read here for instructions on how to format and reinstall Windows:

http://web.mit.edu/ist/products/winxp/adva...all-format.html
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!




Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.
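The McAfee description quoted in the post above (an encrypted copy of the virus appended to the last section of a PE file, with a polymorphic decryptor placed in that section, in code-section slack space, or at the original entry point) points at structural traces a defender can look for without a byte signature. The following Python is an added example, not code from the thread or from any of the tools named in it. Its two minimal PE images are constructed inline for the demonstration, and the 7.0 bits/byte entropy cut-off is an assumed threshold, not a documented Virut property.

```python
"""Structural checks for appended-code file infection in PE32 images.
Added example: a polymorphic body defeats byte signatures, so look instead
at the side effects an appending infector leaves behind: an entry point in
the last section, a writable+executable last section, a high-entropy tail.
"""
import math
import random
import struct
from collections import Counter

IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000
PE32_MAGIC = 0x10B
OPT_HDR_SIZE = 0xE0        # size of a standard PE32 optional header
ENTROPY_THRESHOLD = 7.0    # bits/byte; assumed cut-off for "looks encrypted"


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; 8.0 is the maximum (uniformly random bytes)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def parse_sections(pe: bytes):
    """Return (AddressOfEntryPoint, [section dicts]) from a PE32 image."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                       # COFF file header, 20 bytes
    nsections = struct.unpack_from("<H", pe, coff + 2)[0]
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]
    opt = coff + 20                           # optional header
    entry_rva = struct.unpack_from("<I", pe, opt + 16)[0]
    sections = []
    for i in range(nsections):
        off = opt + opt_size + i * 40         # 40-byte section headers
        name, vsize, vaddr, rawsize, rawptr = struct.unpack_from("<8sIIII", pe, off)
        chars = struct.unpack_from("<I", pe, off + 36)[0]
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "vaddr": vaddr, "size": max(vsize, rawsize),
                         "chars": chars, "data": pe[rawptr:rawptr + rawsize]})
    return entry_rva, sections


def analyze(pe: bytes) -> dict:
    """Flag the structural traces an appending file infector tends to leave."""
    entry_rva, sections = parse_sections(pe)
    last = sections[-1]
    ep_section = next((s for s in sections
                       if s["vaddr"] <= entry_rva < s["vaddr"] + s["size"]), None)
    findings = []
    if len(sections) > 1 and ep_section is last:
        findings.append("entry point in last section")
    if last["chars"] & IMAGE_SCN_MEM_WRITE and last["chars"] & IMAGE_SCN_MEM_EXECUTE:
        findings.append("last section writable and executable")
    entropy = shannon_entropy(last["data"])
    if entropy >= ENTROPY_THRESHOLD:
        findings.append("high-entropy last section")
    return {"entry_section": ep_section["name"] if ep_section else None,
            "last_entropy": round(entropy, 2), "findings": findings}


def build_pe(sections, entry_rva: int) -> bytes:
    """Construct a minimal PE32 image; sections = [(name, vaddr, chars, data)]."""
    hdr_end = 0x40 + 4 + 20 + OPT_HDR_SIZE + 40 * len(sections)
    raw_base = (hdr_end + 0x1FF) & ~0x1FF     # 512-byte file alignment
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)          # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, OPT_HDR_SIZE, 0x102)
    opt = struct.pack("<HBBIIII", PE32_MAGIC, 0, 0, 0, 0, 0, entry_rva)
    opt += b"\0" * (OPT_HDR_SIZE - len(opt))
    table, body, ptr = b"", b"", raw_base
    for name, vaddr, chars, data in sections:
        table += struct.pack("<8sIIIIIIHHI", name, len(data), vaddr, len(data),
                             ptr, 0, 0, 0, 0, chars)
        body += data
        ptr += len(data)
    img = dos + b"PE\0\0" + coff + opt + table
    return img + b"\0" * (raw_base - len(img)) + body


def demo():
    """Constructed clean vs. infected-looking images (no real samples)."""
    code = b"\x55\x8b\xec" + b"\x90" * 253                       # benign stub
    text = b"Hello, world\0" * 20                                 # low entropy
    rx = IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ
    rw = IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE
    clean = build_pe([(b".text", 0x1000, rx, code), (b".data", 0x2000, rw, text)], 0x1000)
    # Seeded PRNG bytes stand in for an appended encrypted body; the last
    # section is made RWX and the entry point is redirected into it.
    rng = random.Random(1)
    appended = bytes(rng.getrandbits(8) for _ in range(4096))
    infected = build_pe([(b".text", 0x1000, rx, code),
                         (b".data", 0x2000, rw | IMAGE_SCN_MEM_EXECUTE, text + appended)],
                        0x2000 + len(text))
    return analyze(clean), analyze(infected)
```

Calling `demo()` returns one result per image: the clean one has no findings, the constructed infected one trips all three checks. These are heuristics, not proof: the third placement McAfee lists (decryptor written over the original entry point) leaves the entry point in the code section, so a file can be infected with only the entropy or section-flag checks firing, and packers legitimately produce high-entropy, RWX last sections. On a machine like the one in this thread, that ambiguity is exactly why the advice is to rebuild rather than to try to clean file by file.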

#3 peateargriffin

peateargriffin
  • Topic Starter

  • Members
  • 3 posts

Posted 29 April 2009 - 01:57 PM

Damn, I was really hoping it wouldn't have to come to this since I have no idea where my Windows CD is...

Thanks so much for looking into my problem.

#4 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 29 April 2009 - 02:04 PM

You're welcome. Sorry to give such bad news.

The major cause of Virut infections is downloading cracks and keygens. Did you download any?

#5 peateargriffin

peateargriffin
  • Topic Starter

  • Members
  • 3 posts

Posted 29 April 2009 - 02:07 PM

I did a few years ago. I busted this PC out when my laptop stopped taking power from the adapter... I guess you reap what you sow right?

#6 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 29 April 2009 - 02:09 PM

Yes, I guess so.

#7 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 22 May 2009 - 05:44 PM

Since your problem appears to be resolved, this thread will now be closed.
