
Bad Virus infection, logs posted


  • This topic is locked
8 replies to this topic

#1 Collo

  • Members
  • 24 posts
  • Local time: 07:23 PM

Posted 29 April 2009 - 09:51 PM

Please help me! On start-up, all the applications that normally start are not visible in the task bar in the bottom right-hand corner. Internet Explorer is slow and I occasionally receive error messages saying it needs to close. I have to manually connect to the internet, and sometimes when I open up Internet Explorer it just closes with no warning. I also sometimes get a casino message and it goes to a casino website. I've posted the DDS log and attached the attachment file.

DDS (Ver_09-03-16.01) - NTFSx86
Run by brad at 12:42:43.75 on Thu 30/04/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1270.690 [GMT 10:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe
C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Documents and Settings\brad\Local Settings\Temporary Internet Files\Content.IE5\64IUJMEV\dds[1].scr

============== Pseudo HJT Report ===============

uInternet Settings,ProxyOverride = *.local
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Hotfix-KB429492032402] c:\windows\system\ect\scvhost.exe
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
uRunServices: [Hotfix-KB429492032402] c:\windows\system\ect\scvhost.exe
uRunServicesOnce: [Hotfix-KB429492032402] c:\windows\system\ect\scvhost.exe
mRun: [7623] c:\jgxxsfa.exe
mRun: [Hotfix-KB429492032402] c:\windows\system\ect\scvhost.exe
mRun: [Hotfix-KB429492032402] c:\windows\system\ect\scvhost.exe
mRunServices: [Hotfix-KB429492032402] c:\windows\system\ect\scvhost.exe
mRunServicesOnce: [Hotfix-KB429492032402] c:\windows\system\ect\scvhost.exe
StartupFolder: c:\windows\system\ect\scvhost.exe\chkdisk.lnk - c:\windows\system32\rundll32.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueto~1.lnk - c:\program files\toshiba\bluetooth toshiba stack\TosBtMng.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\ramasst.lnk - c:\windows\system32\RAMASST.exe
dPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
dPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0004-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_04\bin\npjpi150_04.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {485D813E-EE26-4DF8-9FAF-DEDF2885306E} - hxxp://124.176.254.254/ConnectComputer/nshelp.dll
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1234231453250
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: !saswinlogon - c:\program files\superantispyware\SASWINLO.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: igfxcui - igfxdev.dll
Notify: xtivbqie - zuuzffu.dll
AppInit_DLLs: c:\windows\system32\jebikono.dll,c:\windows\system32\bobitudo.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
LSA: Notification Packages = scecli c:\windows\system32\nakakoye.dll c:\windows\system32\bobitudo.dll

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-2-11 325128]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-2-11 27656]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-2-11 107272]
R1 sasdifsv;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-3-23 9968]
R1 saskutil;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-3-23 72944]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-2-11 298264]
R3 sasenum;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-3-23 7408]
S2 3D265850F0A3AB20;3D265850F0A3AB20;c:\windows\system32\3d265850f0a3ab20\3D265850F0A3AB20 [2009-4-23 20992]
S2 lirhfsrq;NDIS System Helper;c:\windows\system32\svchost.exe -k netsvcs [2005-12-22 34816]

=============== Created Last 30 ================

2009-04-30 11:07 61,440 a------- c:\windows\system32\drivers\eitvbt.sys
2009-04-29 19:06 578,560 ac------ c:\windows\system32\dllcache\user32.dll
2009-04-29 19:04 <DIR> --d----- c:\windows\ERUNT
2009-04-29 18:59 <DIR> --d----- C:\SDFix
2009-04-29 18:49 1,380 a------- c:\windows\system32\tmp.reg
2009-04-28 18:01 125,440 ac------ c:\windows\system32\dllcache\userinit.exe
2009-04-28 18:00 931 a------- c:\windows\system32\test.ttt
2009-04-28 18:00 1 a------- c:\windows\system32\uniq.tll
2009-04-26 22:37 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-04-26 22:36 <DIR> --d----- c:\program files\SUPERAntiSpyware
2009-04-26 22:36 <DIR> --d----- c:\docume~1\brad\applic~1\SUPERAntiSpyware.com
2009-04-26 22:36 <DIR> --d----- c:\program files\common files\Wise Installation Wizard
2009-04-26 10:17 <DIR> --d----- c:\docume~1\brad\applic~1\Malwarebytes
2009-04-26 10:17 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-04-26 10:17 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-26 10:17 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-04-26 10:17 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-04-25 15:13 1,402,334 ---sh--- c:\windows\system32\iverukah.ini
2009-04-23 22:12 300 a------- c:\windows\Xwafacu.dat
2009-04-23 22:12 0 a------- c:\windows\Bvita.bin
2009-04-23 20:32 <DIR> --d----- c:\windows\system\ect
2009-04-23 08:38 <DIR> --d----- c:\docume~1\brad\applic~1\jvrbketf
2009-04-23 06:40 <DIR> --d----- c:\windows\system32\3361
2009-04-23 06:40 108,336 a------- c:\windows\system32\MSWINSCK.OCX
2009-04-23 06:40 <DIR> --d----- c:\windows\dhcp
2009-04-23 06:39 182,656 ac------ c:\windows\system32\dllcache\ndis.sys
2009-04-23 06:39 103,036 a------- c:\windows\system32\drivers\c1aaf216.sys
2009-04-23 06:38 <DIR> --dsh--- c:\windows\system32\3D265850F0A3AB20
2009-04-23 06:13 30,720 a------- C:\cpjopaid.exe
2009-04-23 06:13 <DIR> --dsh--- c:\windows\system32\B6E4370045C44900
2009-04-23 05:30 121 ---sh--- c:\windows\system32\ahefowez.ini
2009-04-23 05:07 121 ---sh--- c:\windows\system32\adekahip.ini
2009-04-23 04:45 121 ---sh--- c:\windows\system32\ajojimay.ini
2009-04-23 04:22 121 ---sh--- c:\windows\system32\ufatebab.ini
2009-04-23 03:59 121 ---sh--- c:\windows\system32\ajiloron.ini
2009-04-23 03:36 121 ---sh--- c:\windows\system32\ivojabum.ini
2009-04-23 03:14 121 ---sh--- c:\windows\system32\ugewitiw.ini
2009-04-16 22:05 155 a------- c:\windows\system32\SelfDel.bat
2009-04-15 20:43 473,600 -c------ c:\windows\system32\dllcache\fastprox.dll
2009-04-15 20:43 453,120 -c------ c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-15 20:43 401,408 -c------ c:\windows\system32\dllcache\rpcss.dll
2009-04-15 20:43 284,160 -c------ c:\windows\system32\dllcache\pdh.dll
2009-04-15 20:43 248,320 -c------ c:\windows\system32\dllcache\wmiprvse.exe
2009-04-15 20:43 131,072 -c------ c:\windows\system32\dllcache\services.exe
2009-04-15 20:43 55,808 -c------ c:\windows\system32\dllcache\sc.exe
2009-04-15 20:43 729,088 -c------ c:\windows\system32\dllcache\lsasrv.dll
2009-04-15 20:43 714,752 -c------ c:\windows\system32\dllcache\ntdll.dll
2009-04-15 20:43 617,472 -c------ c:\windows\system32\dllcache\advapi32.dll
2009-04-15 20:38 1,203,922 -c------ c:\windows\system32\dllcache\sysmain.sdb
2009-04-15 20:38 2,560 -------- c:\windows\system32\xpsp4res.dll
2009-04-15 20:38 236,032 -c------ c:\windows\system32\dllcache\wordpad.exe
2009-04-15 19:13 84 a------- c:\windows\dellstat.ini
2009-04-15 19:13 240 a------- c:\windows\lexstat.ini
2009-04-15 19:12 87,040 ac------ c:\windows\system32\dllcache\wiafbdrv.dll
2009-04-15 19:11 320,000 a------- c:\windows\uninst.exe
2009-04-15 19:11 <DIR> --d----- C:\Lexmark
2009-04-15 18:52 <DIR> --d----- c:\docume~1\brad\applic~1\DriverCure
2009-04-15 18:52 <DIR> --d----- c:\docume~1\alluse~1\applic~1\ParetoLogic
2009-04-15 18:52 <DIR> --d----- c:\docume~1\alluse~1\applic~1\DriverCure
2009-04-10 19:59 <DIR> --d----- c:\program files\iPod
2009-04-10 19:59 <DIR> --d----- c:\program files\iTunes
2009-04-10 19:59 <DIR> --d----- c:\docume~1\alluse~1\applic~1\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-04-02 12:48 <DIR> --d----- c:\program files\iPhoneBrowser
2009-04-01 10:06 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2009-04-01 10:06 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2009-04-01 09:25 135,168 a------- c:\windows\system32\igfxres.dll
2009-03-31 15:41 <DIR> --d----- c:\temp\display
2009-03-31 15:41 <DIR> --d----- C:\temp
2009-03-31 13:59 10,368 ac------ c:\windows\system32\dllcache\hidusb.sys
2009-03-31 13:59 10,368 a------- c:\windows\system32\drivers\hidusb.sys

==================== Find3M ====================

2009-04-30 12:28 2,189,056 ----h--- c:\windows\system32\ntoskrnl.exe
2009-04-23 06:39 182,656 a------- c:\windows\system32\drivers\ndis.sys
2009-03-19 16:32 23,400 a------- c:\windows\system32\drivers\GEARAspiWDM.sys
2009-03-07 00:22 284,160 a------- c:\windows\system32\pdh.dll
2009-03-05 22:59 1,900,544 a------- c:\windows\system32\usbaaplrc.dll
2009-03-05 22:59 36,864 a------- c:\windows\system32\drivers\usbaapl.sys
2009-03-03 10:18 826,368 a------- c:\windows\system32\wininet.dll
2009-02-21 04:09 78,336 a------- c:\windows\system32\ieencode.dll
2009-02-11 23:01 10,520 a------- c:\windows\system32\avgrsstx.dll
2009-02-10 16:40 150,880 a------- c:\windows\pchealth\helpctr\config\cache\Personal_32_1033.dat
2009-02-10 16:40 76,487 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2009-02-09 22:10 729,088 a------- c:\windows\system32\lsasrv.dll
2009-02-09 22:10 714,752 a------- c:\windows\system32\ntdll.dll
2009-02-09 22:10 617,472 a------- c:\windows\system32\advapi32.dll
2009-02-09 22:10 401,408 a------- c:\windows\system32\rpcss.dll
2009-02-09 21:13 1,846,784 a------- c:\windows\system32\win32k.sys
2009-02-07 19:02 2,066,048 a------- c:\windows\system32\ntkrnlpa.exe
2009-02-06 21:11 110,592 a------- c:\windows\system32\services.exe
2009-02-06 20:39 55,808 a------- c:\windows\system32\sc.exe
2009-02-04 05:59 56,832 a------- c:\windows\system32\secur32.dll
2008-09-14 23:21 492,544 a------- c:\program files\SetupiPhoneBrowser.msi

============= FINISH: 12:43:15.48 ===============

Attached Files
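As an added example that is not part of the original post or of the DDS tool, the following Python triage re-reads the autostart entries from the "Pseudo HJT Report" above (the sample lines are copied from that log) and flags the ones a responder would pull first: a one-edit lookalike of a system binary (scvhost.exe) launched from the legacy c:\windows\system folder under a bogus "Hotfix-KB" value name, an executable in the drive root, an unknown Winlogon Notify DLL, and DLLs pushed into every process via AppInit_DLLs and into lsass.exe via LSA Notification Packages. The allowlists, the KB-number length limit and the lookalike heuristic are this example's own assumptions.

```python
"""Triage of the DDS "Pseudo HJT Report" autostart lines.

Added example, not part of the forum post or the DDS tool. The sample lines are
copied from the log above; the allowlists, the KB-number length limit and the
lookalike heuristic are assumptions of this example.
"""
import re

# Binaries whose names malware likes to imitate; real copies live in system32.
SYSTEM_BINARIES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe",
                   "services.exe", "explorer.exe", "spoolsv.exe", "smss.exe"}
# Winlogon Notify DLLs treated as known-good for this box (assumption).
KNOWN_NOTIFY_DLLS = {"igfxdev.dll", "ati2evxx.dll", "avgrsstx.dll", "saswinlo.dll",
                     "crypt32.dll", "cryptnet.dll", "cscdll.dll", "wlnotify.dll",
                     "sclgntfy.dll"}
DEFAULT_LSA_PACKAGES = {"scecli"}   # the only notification package XP ships with

SAMPLE_LOG = r"""
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Hotfix-KB429492032402] c:\windows\system\ect\scvhost.exe
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [7623] c:\jgxxsfa.exe
mRunServices: [Hotfix-KB429492032402] c:\windows\system\ect\scvhost.exe
Notify: !saswinlogon - c:\program files\superantispyware\SASWINLO.dll
Notify: igfxcui - igfxdev.dll
Notify: xtivbqie - zuuzffu.dll
AppInit_DLLs: c:\windows\system32\jebikono.dll,c:\windows\system32\bobitudo.dll
LSA: Notification Packages = scecli c:\windows\system32\nakakoye.dll c:\windows\system32\bobitudo.dll
"""


def osa_distance(a, b):
    """Optimal string alignment distance: an adjacent transposition counts as
    one edit, so scvhost.exe is 1 away from svchost.exe."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def dirname(path):
    return path.rsplit("\\", 1)[0].lower() if "\\" in path else ""


def check_run(name, target):
    """Heuristics for a Run/RunServices value written as [name] target."""
    reasons = []
    base, folder = basename(target), dirname(target)
    if base in SYSTEM_BINARIES and folder != r"c:\windows\system32":
        reasons.append(f"{base} outside system32")
    elif any(osa_distance(base, s) == 1 for s in SYSTEM_BINARIES):
        reasons.append(f"{base} is one edit away from a system binary name")
    if re.fullmatch(r"[a-z]:", folder):
        reasons.append("launched from the drive root")
    kb = re.fullmatch(r"Hotfix-KB(\d+)", name)
    if kb and len(kb.group(1)) > 7:      # genuine KB numbers have at most 7 digits
        reasons.append("fake hotfix value name")
    if name.isdigit():
        reasons.append("numeric-only value name")
    return reasons


def triage(log_text):
    """Return (line, reason) pairs for every autostart entry worth pulling."""
    findings = []
    for line in log_text.splitlines():
        m = re.match(r"^(\w+): (.*)$", line.strip())
        if not m:
            continue
        key, rest = m.groups()
        reasons = []
        if re.fullmatch(r"[a-z]Run(?:Services)?(?:Once)?", key):
            entry = re.match(r"\[(.*?)\] (.*)", rest)
            if entry:
                reasons = check_run(*entry.groups())
        elif key == "Notify":
            dll = basename(rest.split(" - ", 1)[-1])
            if dll not in KNOWN_NOTIFY_DLLS:
                reasons = [f"unknown Winlogon notify DLL {dll}"]
        elif key == "AppInit_DLLs":
            # Anything listed here is loaded into every process that loads user32.
            reasons = [f"AppInit DLL {basename(p)}" for p in rest.split(",") if p.strip()]
        elif key == "LSA":
            pkgs = rest.split("=", 1)[-1].split()
            extra = [basename(p) for p in pkgs
                     if basename(p).replace(".dll", "") not in DEFAULT_LSA_PACKAGES]
            reasons = [f"non-default LSA notification package {p}" for p in extra]
        findings.extend((line.strip(), r) for r in reasons)
    return findings


if __name__ == "__main__":
    for line, reason in triage(SAMPLE_LOG):
        print(f"{reason:55s} <- {line}")
```

The point of the lookalike check is that a plain string match on svchost.exe misses the transposed scvhost.exe, and a path check alone misses malware that picks an innocuous name; AppInit_DLLs and LSA Notification Packages are flagged unconditionally because legitimate software almost never uses them and, once present, the DLLs run inside lsass.exe and every GUI process, which is exactly why a scanner running on the live system cannot be trusted to have cleaned them.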


#2 fenzodahl512

  • Members
  • 6,738 posts
  • Local time: 05:23 PM

Posted 30 April 2009 - 07:20 AM

Please make sure you disable ALL of your Antivirus/Antispyware/Firewall before running ComboFix.. Please visit HERE if you don't know how.. Please re-enable them after performing all the steps given..

Please download ComboFix by sUBs from one of the locations below, and save it to your Desktop.
Link 1
Link 2
Link 3
Double click combofix.exe and follow the prompts. Please, never rename Combofix unless instructed.

If ComboFix asks you to install the Recovery Console, please do so.. It will be in your best interest..

When finished, it shall produce a log for you. Post that log and a fresh HijackThis log in your next reply..

Note: DON'T do anything with your computer while ComboFix is running.. Let ComboFix finish its job..

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
Its gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive


#3 Collo

  • Topic Starter
  • Members
  • 24 posts
  • Local time: 07:23 PM

Posted 30 April 2009 - 08:15 PM

Hey mate, I tried to download ComboFix from the links you gave me, and when I try to open it I get an error message saying:
ALERT: it is not safe to continue!!
The contents of the ComboFix package have been compromised.
Please download a fresh copy.
Note: you may be infected with a file-patching virus (Virut).

what do i do now?

#4 fenzodahl512

  • Members
  • 6,738 posts
  • Local time: 05:23 PM

Posted 30 April 2009 - 11:11 PM

Please download Dr.Web CureIt to the Desktop:
  • Double-click the launch.exe or cureit.exe file and allow it to run the express scan
  • This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
  • Once the short scan has finished, just let it cure whatever it finds...
    • Now, go to Settings >> Change Settings
    • Go to Actions tab >> under Objects section, change the settings to below
      • Infected objects - Cure
        Incurable objects - Report
        Suspicious objects - Report
    • Don't change any other settings
  • Start the scan again. This time, choose Complete Scan
  • Click the green arrow button at the right, and the scan will start.
  • After the scan finished, click Select all
  • Click on Cure and choose Report incurable (meaning take no action.. Don't "move", "rename" or "delete")
  • When the scan has finished, in the menu, click File and choose Save report list
  • Save the report to your Desktop. The report will be called DrWeb.csv
  • Post DrWeb.csv in your next reply (open it in Notepad).. Do NOT reboot the computer yet..



#5 Collo

  • Topic Starter
  • Members
  • 24 posts
  • Local time: 07:23 PM

Posted 01 May 2009 - 07:18 AM

I did this, and now I can't connect to the Internet on my computer. I first started Dr.Web, then I left my computer doing the complete scan and it ran out of battery, so it rebooted. I then did the scan again and tried to get online to post the log, but couldn't connect, so I rebooted again, and now it says I don't have a wireless adapter installed. What do I do now?

#6 fenzodahl512

  • Members
  • 6,738 posts
  • Local time: 05:23 PM

Posted 01 May 2009 - 10:40 AM

Always connect your laptop to its charger when doing any scan.. Don't leave it on battery.. It's not reliable at all..

Does Dr.Web detect anything?



#7 Collo

  • Topic Starter
  • Members
  • 24 posts
  • Local time: 07:23 PM

Posted 01 May 2009 - 06:32 PM

It deleted a Trojan and some hacker tools, and the first scan detected Virut-infected files everywhere and cured them. There were a couple of backdoors that were incurable also.

#8 fenzodahl512

  • Members
  • 6,738 posts
  • Local time: 05:23 PM

Posted 02 May 2009 - 05:37 AM

It deleted a Trojan and some hacker tools, and the first scan detected Virut-infected files everywhere and cured them. There were a couple of backdoors that were incurable also.


Sorry, but once it detects Virut, there's no cure whatsoever, at least for right now.. Not even the mighty Dr.Web CureIt..

A quote from Malware Expert (sUBs)

Virut is not disinfectable. Your only option is to perform a full reformat. Do NOT attempt a repair install. It shall be a waste of time. If you do so, the infected executables remain on the machine & you shall likely trigger another bout of Virut.

If you do not know how to perform a fresh install, use this website > http://www.windowsreinstall.com/

Note: If you have to backup files, do so only for MS Office documents & any non executable file. Burn them to CD/DVD. Do NOT copy files from the infected machine to your pendrive OR another machine. You risk infecting the other machine.


A full reformat means formatting ALL partitions..


The only thing I can advise you is to start backing up all of your valuable data/documents/pictures/movies/songs/etc.. Do NOT back up any applications/installers and do NOT back up any .exe/.scr/.htm/.html/.xml/.zip/.rar/.pif/.asp/.php/.iso files...

Make sure you back up everything ONLY via CD or DVD (non-rewritable).. If you need to back up to an external hard drive or thumbdrive, make sure it is EMPTY.. Meaning NO FILES inside it.. Format the external drive first, before attaching it to the infected computer.. A single .exe file inside the external drive may infect other computers as well.


I'll leave this topic open until you successfully reformat the computer..

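As an added example that is not from the forum post, here is a small Python backup triage that applies the exclusion list given in the post above (.exe/.scr/.htm/.html/.xml/.zip/.rar/.pif/.asp/.php/.iso) when deciding which files may go onto the clean medium. It adds two checks of its own, which are assumptions of this example rather than anything the post states: a wider set of executable, script and container extensions, and a look at the first two bytes of every remaining file so that a PE image renamed to .txt is still refused, since a file infector patches code, not names. The sample directory tree is constructed inline with magic bytes only.

```python
"""Backup triage for a Virut-infected host.

Added example, not from the forum post. The exclusion list in POST_EXCLUSIONS
is the one the post gives; EXTRA_EXCLUSIONS and the MZ-header check are this
example's own additions.
"""
import os
import tempfile

POST_EXCLUSIONS = {".exe", ".scr", ".htm", ".html", ".xml", ".zip", ".rar",
                   ".pif", ".asp", ".php", ".iso"}
# Extra executable, script and container types this example refuses too (assumption).
EXTRA_EXCLUSIONS = {".dll", ".sys", ".ocx", ".com", ".bat", ".cmd", ".vbs",
                    ".js", ".msi", ".lnk", ".jar", ".7z", ".cab"}


def classify(path):
    """Return ('copy' | 'skip', reason) for one file."""
    ext = os.path.splitext(path)[1].lower()
    if ext in POST_EXCLUSIONS:
        return "skip", f"{ext} is on the post's exclusion list"
    if ext in EXTRA_EXCLUSIONS:
        return "skip", f"{ext} is executable or a container"
    with open(path, "rb") as fh:
        magic = fh.read(2)
    if magic == b"MZ":   # DOS/PE header: an infector's target whatever the name says
        return "skip", "PE header under a non-executable name"
    return "copy", "data file"


def plan_backup(root):
    """Walk root and map each relative path to its (verdict, reason)."""
    plan = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            plan[rel] = classify(full)
    return plan


def build_sample_tree():
    """Constructed sample tree: fake files carrying only their magic bytes."""
    root = tempfile.mkdtemp(prefix="virut_backup_")
    os.makedirs(os.path.join(root, "docs"))
    samples = {
        "docs/thesis.doc": b"\xd0\xcf\x11\xe0" + b"\x00" * 16,  # OLE2 compound document
        "photo.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 16,        # JPEG
        "setup.exe": b"MZ" + b"\x90" * 16,                      # installer: excluded by name
        "notes.txt": b"MZ" + b"\x90" * 16,                      # executable renamed to .txt
        "archive.zip": b"PK\x03\x04",                           # container: excluded by name
    }
    for rel, data in samples.items():
        with open(os.path.join(root, rel), "wb") as fh:
            fh.write(data)
    return root


if __name__ == "__main__":
    for rel, (verdict, why) in sorted(plan_backup(build_sample_tree()).items()):
        print(f"{verdict:4s} {rel:18s} {why}")
```

Run it against the real profile directory instead of the sample tree and burn only the files marked "copy"; the rule in the post about using an empty, freshly formatted external drive still applies, because this script filters what leaves the machine, not what the infected host might drop onto the drive while it is attached.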


#9 fenzodahl512

  • Members
  • 6,738 posts
  • Local time: 05:23 PM

Posted 07 May 2009 - 07:22 AM

Due to the lack of feedback this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic
