
Infected with Virtumonde, winfixer?, IE popups


  • This topic is locked
10 replies to this topic

#1 pants123

pants123

  • Members
  • 6 posts

Posted 29 April 2009 - 11:05 PM

Edit: Google search misdirects as well.

Did not scan a sketchy download and unzipped it. Pop-ups commenced and prompts that my computer might be infected and click blah blah. Shut down and went into safe mode, ran Spybot, and virtumonde.DLL was detected but I could not remove it during the safe mode scan, told Spybot to clean the comp after restart, restarted and Spybot could not remove Virtumonde and other infections. Spybot has also been asking for a lot of registry changes which I deny, but they started after the Spybot clean.

Thanks in advance for your assistance!!! :thumbup2:

DDS (Ver_09-03-16.01) - NTFSx86
Run by Owner at 23:49:21.25 on Wed 04/29/2009
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_05
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1535.593 [GMT -4:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\System32\svchost.exe -k NetworkService
C:\WINDOWS\System32\svchost.exe -k LocalService
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe -k LocalService
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\system32\svchost.exe -k HPService
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Winamp\winampa.exe
C:\WINDOWS\System32\reader_s.exe
C:\windows\ld08.exe
C:\windows\pp06.exe
C:\Program Files\RocketDock\RocketDock.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\DL32.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Owner\My Documents\Taskbar Eliminator.exe
c:\xipr.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\yse7jzanp.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\yse7jzanp.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\yse7jzanp.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\yse7jzanp.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\yse7jzanp.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\yse7jzanp.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\yse7jzanp.exe
C:\Program Files\Rainmeter\Rainmeter.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\1443140288.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\yse7jzanp.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\yse7jzanp.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\yse7jzanp.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\yse7jzanp.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\yse7jzanp.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\yse7jzanp.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\yse7jzanp.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\yse7jzanp.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\yse7jzanp.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\yse7jzanp.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\yse7jzanp.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\yse7jzanp.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\yse7jzanp.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\yse7jzanp.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\yse7jzanp.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\yse7jzanp.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\yse7jzanp.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\yse7jzanp.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\yse7jzanp.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\yse7jzanp.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\yse7jzanp.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\yse7jzanp.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\yse7jzanp.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\yse7jzanp.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\yse7jzanp.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\yse7jzanp.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\yse7jzanp.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\yse7jzanp.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\yse7jzanp.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\yse7jzanp.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\yse7jzanp.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\yse7jzanp.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\yse7jzanp.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\yse7jzanp.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\yse7jzanp.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\yse7jzanp.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\yse7jzanp.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\yse7jzanp.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\yse7jzanp.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\yse7jzanp.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\yse7jzanp.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\yse7jzanp.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\yse7jzanp.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\yse7jzanp.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\yse7jzanp.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\yse7jzanp.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\yse7jzanp.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\yse7jzanp.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\yse7jzanp.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\yse7jzanp.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\yse7jzanp.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\yse7jzanp.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\yse7jzanp.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\yse7jzanp.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\yse7jzanp.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\yse7jzanp.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\yse7jzanp.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\yse7jzanp.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\yse7jzanp.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\yse7jzanp.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\yse7jzanp.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\yse7jzanp.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\yse7jzanp.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\yse7jzanp.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\yse7jzanp.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\yse7jzanp.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\yse7jzanp.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\yse7jzanp.exe
C:\Program Files\Winamp\winamp.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Owner\Desktop\dds.scr
C:\WINDOWS\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uSearch Page = hxxp://www.google.com
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uStart Page = hxxp://www.google.com/
uSearch Bar = hxxp://www.google.com/ie
mStart Page = about:blank
uSearchURL,(Default) = hxxp://www.google.com/search/?q=%s
mSearchAssistant = hxxp://www.google.com/ie
mWinlogon: SFCDisable=4 (0x4)
mWinlogon: Taskman=c:\recycler\s-1-5-21-5687359699-6031866764-624288746-5386\svchost.exe
BHO: {1d3056a8-746e-4881-8454-3d1c168ac47f} - c:\windows\system32\jkkHWNDS.dll
BHO: : {60710009-ec13-44e9-9711-74114aade12a} - c:\windows\system32\wquwhyt.dll
BHO: c:\windows\system32\sjg9s8guigjs.dll: {b2ba40a2-74f0-42bd-f434-12345a2c8953} - c:\windows\system32\sjg9s8guigjs.dll
TB: Veoh Web Player Video Finder: {0fbb9689-d3d7-4f7a-a2e2-585b10099bfc} - c:\program files\veoh networks\veohwebplayer\VeohIEToolbar.dll
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
TB: {ED4BD629-C1B6-4399-8A34-02CCAA921DC9} - No File
EB: {4528BBE0-4E08-11D5-AD55-00010333D0AD} - No File
EB: hp toolkit: {8f4902b6-6c04-4ade-8052-aa58578a21bd} - c:\windows\system32\Shdocvw.dll
EB: My Search Bar Quick View: {014da6ce-189f-421a-88cd-07cfe51cff10} - c:\windows\system32\shdocvw.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [Systems Update] c:\program files\common files\services\s-1-5-21-1303342014-1704936951-537590071-0504\services.exe
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [RocketDock] "c:\program files\rocketdock\RocketDock.exe"
uRun: [Taskbar Hide] c:\progra~1\taskba~1\TaskBar.exe -Start
uRun: [Windows Resurections] c:\docume~1\owner\locals~1\temp\yse7jzanp.exe
uRun: [12ZFG94-F641-2SF-K31P-5N1ER6H6L2] c:\recycler\s-1-5-21-7496359140-3272278998-179376105-5292\service.exe
uRun: [reader_s] c:\documents and settings\owner\reader_s.exe
uRun: [Diagnostic Manager] c:\docume~1\owner\locals~1\temp\1443140288.exe
mRun: [MSConfig] c:\windows\pchealth\helpctr\binaries\MSConfig.exe /auto
mRun: [HP Software Update] c:\program files\hewlett-packard\hp software update\HPWuSchd2.exe
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [BearShare] "c:\program files\bearshare\BearShare.exe" /pause
mRun: [WinampAgent] "c:\program files\winamp\winampa.exe"
mRun: [reader_s] c:\windows\system32\reader_s.exe
mRun: [nwiz] nwiz.exe /install
mRunOnce: [Spybot - Search & Destroy] "c:\program files\spybot - search & destroy\SpybotSD.exe" /autocheck
mRunOnce: [SpybotSnD] "c:\program files\spybot - search & destroy\SpybotSD.exe" /autocheck
dRun: [Diagnostic Manager] c:\windows\temp\4003096646.exe
dRun: [autochk] rundll32.exe c:\docume~1\locals~1\protect.dll,_IWMPEvents@16
uExplorerRun: [Systems Update] c:\program files\common files\services\s-1-5-21-1303342014-1704936951-537590071-0504\services.exe
uExplorerRun: [ActiveNt] c:\windows\system32\nt update\nt32.exe
mExplorerRun: [ActiveNt] c:\windows\system32\nt update\nt32.exe
StartupFolder: c:\documents and settings\owner\start menu\programs\startup\ChkDisk.dll
StartupFolder: c:\docume~1\owner\startm~1\programs\startup\chkdisk.lnk - c:\windows\system32\rundll32.exe
uPolicies-explorer: NoThemesTab = 0 (0x0)
uPolicies-explorer: NoFolderOptions = 1 (0x1)
uPolicies-system: NoColorChoice = 0 (0x0)
uPolicies-system: NoSizeChoice = 0 (0x0)
uPolicies-system: NoVisualStyleChoice = 0 (0x0)
uPolicies-system: NoDispSettingsPage = 0 (0x0)
uPolicies-system: NoDispAppearancePage = 0 (0x0)
uPolicies-system: DisableRegistryTools = 1 (0x1)
LSP: SpSubLSP.dll
Trusted Zone: aol.com\free
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} - hxxp://www.creative.com/su/ocx/15026/CTSUEng.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=48835
DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - hxxp://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_44.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_02-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_04-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} - hxxp://www.creative.com/su/ocx/15028/CTPID.cab
Notify: uqlpgaks - wquwhyt.dll
AppInit_DLLs: wbsys.dll
STS: c:\windows\system32\sjg9s8guigjs.dll: {b2ba40a2-74f0-42bd-f434-12345a2c8953} - c:\windows\system32\sjg9s8guigjs.dll
SEH: CShellExecuteHookImpl Object: {54d9498b-cf93-414f-8984-8ce7fde0d391} - c:\program files\ewido anti-malware\shellhook.dll
SEH: CShellExecuteHookImpl Object: {57b86673-276a-48b2-bae7-c6dbb3020eb8} - c:\program files\grisoft\avg anti-spyware 7.5\shellexecutehook.dll
SEH: {7a2c8f38-66cb-6cc9-8464-3496db3e72ba}: {ab27e3bd-6943-4648-9cc6-bc6683f8c2a7} - c:\windows\system32\itgltw.dll
LSA: Authentication Packages = msv1_0 c:\windows\system32\jkkHWNDS

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\owner\applic~1\mozilla\firefox\profiles\srjlijj0.default\
FF - prefs.js: network.proxy.http - localhost
FF - prefs.js: network.proxy.http_port - 7171
FF - prefs.js: network.proxy.type - 1
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npclntax.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npmozax.dll
FF - plugin: c:\program files\real\realone player\netscape6\nppl3260.dll
FF - plugin: c:\program files\real\realone player\netscape6\nprjplug.dll
FF - plugin: c:\program files\real\realone player\netscape6\nprpjplug.dll
FF - plugin: c:\program files\unity\webplayer\loader\npUnity3D32.dll
FF - plugin: c:\program files\veoh networks\veohwebplayer\NPVeohTVPlugin.dll
FF - plugin: c:\program files\veoh networks\veohwebplayer\npWebPlayerVideoPluginATL.dll

============= SERVICES / DRIVERS ===============

R1 AVG Anti-Spyware Driver;AVG Anti-Spyware Driver;c:\program files\grisoft\avg anti-spyware 7.5\guard.sys [2007-5-30 11000]
R1 AvgAsCln;AVG Anti-Spyware Clean Driver;c:\windows\system32\drivers\AvgAsCln.sys [2007-2-14 10872]
R2 wwiupfvu;TCP/IP Protocol Helper;c:\windows\system32\svchost.exe -k netsvcs [2001-1-3 14336]
S2 Ytfbutno;Ytfbutno;c:\windows\system32\svchost.exe -k netsvcs [2001-1-3 14336]
S4 AVG Anti-Spyware Guard;AVG Anti-Spyware Guard;c:\program files\grisoft\avg anti-spyware 7.5\guard.exe [2007-5-30 312880]
S4 ewido security suite control;ewido security suite control;c:\program files\ewido anti-malware\ewidoctrl.exe [2005-11-30 13888]

=============== Created Last 30 ================

2009-04-29 22:31 100,860 a------- c:\windows\system32\drivers\b3d5147b.sys
2009-04-29 22:29 24,064 a--sh--- c:\documents and settings\owner\protect.dll
2009-04-29 22:29 10,376 a--sh--- c:\windows\system32\SDNWHkkj.ini2
2009-04-29 21:04 101,884 a------- c:\windows\system32\drivers\a23f39e2.sys
2009-04-29 17:46 27,648 a------- c:\windows\system32\lmppcsetup.exe
2009-04-29 17:40 <DIR> --d----- c:\docume~1\owner\applic~1\gltdxtno
2009-04-29 14:49 93,180 a------- c:\windows\system32\drivers\b0470ece.sys
2009-04-29 14:49 14,848 a------- c:\windows\st_1241051576.exe
2009-04-29 14:40 24,064 a--sh--- c:\windows\system32\autochk.dll
2009-04-29 14:25 46 a------- c:\windows\system32\p2hhr.bat
2009-04-29 14:25 15,000 a------- c:\windows\system32\yhs783ijfo3fe.dll
2009-04-29 14:25 21,504 a------- c:\windows\system32\ak1.exe
2009-04-29 14:15 98,816 a------- c:\windows\system32\itgltw.dll
2009-04-29 14:15 98,816 a------- c:\windows\system32\cntaslig.dll
2009-04-29 14:14 10,376 a--sh--- c:\windows\system32\SDNWHkkj.ini
2009-04-29 14:14 237,568 a------- c:\windows\system32\jkkHWNDS.dll
2009-04-29 14:13 101,888 a------- C:\ohkbrkoo.exe
2009-04-29 14:13 1 a------- c:\windows\9g2234wesdf3dfgjf23
2009-04-29 14:13 10,752 ----h--- c:\windows\pp06.exe
2009-04-29 14:13 205,824 a------- C:\xmrgycj.exe
2009-04-29 14:13 2 ----h--- c:\windows\t55ft2692f44.dat
2009-04-29 14:13 113,664 a------- C:\xipr.exe
2009-04-29 14:13 14,848 a------- c:\windows\system32\DL32.exe
2009-04-29 14:12 <DIR> --d----- c:\windows\system32\796525
2009-04-29 14:12 16,384 ----h--- c:\windows\ld08.exe
2009-04-29 14:11 24,576 a------- c:\documents and settings\owner\reader_s.exe
2009-04-29 14:11 24,576 a------- c:\windows\system32\reader_s.exe
2009-04-29 14:11 101,888 a------- C:\wixg.exe
2009-04-29 14:11 93,180 a------- c:\windows\system32\drivers\e2ec1072.sys
2009-04-29 14:11 205,824 a------- C:\rtst.exe
2009-04-29 14:11 <DIR> --d----- c:\windows\system32\nt update
2009-04-29 14:10 113,664 a------- c:\windows\system32\azton.mt
2009-04-29 14:10 113,664 a------- C:\gjdaw.exe
2009-04-29 14:10 15,000 a------- c:\windows\system32\sjg9s8guigjs.dll
2009-04-29 14:10 33,792 a------- c:\docume~1\owner\applic~1\nmlebjhe.dll
2009-04-29 14:06 <DIR> --d----- c:\program files\common files\Microsoft Update Engine
2009-04-17 00:14 284,160 ac------ c:\windows\system32\dllcache\pdh.dll
2009-04-17 00:14 473,600 ac------ c:\windows\system32\dllcache\fastprox.dll
2009-04-17 00:14 401,408 ac------ c:\windows\system32\dllcache\rpcss.dll
2009-04-17 00:14 227,840 ac------ c:\windows\system32\dllcache\wmiprvse.exe
2009-04-17 00:14 110,592 ac------ c:\windows\system32\dllcache\services.exe
2009-04-17 00:14 729,088 ac------ c:\windows\system32\dllcache\lsasrv.dll
2009-04-17 00:14 453,120 ac------ c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-17 00:14 714,752 ac------ c:\windows\system32\dllcache\ntdll.dll
2009-04-17 00:14 617,472 ac------ c:\windows\system32\dllcache\advapi32.dll
2009-04-17 00:12 2,560 a------- c:\windows\system32\xpsp4res.dll
2009-04-17 00:12 215,552 ac------ c:\windows\system32\dllcache\wordpad.exe
2009-04-07 15:01 202,763 a------- c:\windows\system32\uxtheme.backup
2009-04-07 14:41 0 a------- c:\windows\WB.ini
2009-04-07 14:36 42,672 a------- c:\windows\system32\wbsys.dll
2009-04-07 14:36 <DIR> --d----- c:\program files\Stardock
2009-04-06 23:43 11,578 a----r-- c:\windows\system32\Replacer.cmd
2009-04-06 22:52 218,624 ac------ c:\windows\system32\dllcache\uxtheme.dll

==================== Find3M ====================

2009-04-29 23:07 212 a------- C:\delete.bat
2009-03-06 10:22 284,160 a------- c:\windows\system32\pdh.dll
2009-02-20 04:10 666,112 a------- c:\windows\system32\wininet.dll
2009-02-20 04:10 81,920 a------- c:\windows\system32\ieencode.dll
2009-02-09 08:10 729,088 a------- c:\windows\system32\lsasrv.dll
2009-02-09 08:10 714,752 a------- c:\windows\system32\ntdll.dll
2009-02-09 08:10 617,472 a------- c:\windows\system32\advapi32.dll
2009-02-09 08:10 401,408 a------- c:\windows\system32\rpcss.dll
2009-02-09 07:13 1,846,784 a------- c:\windows\system32\win32k.sys
2009-02-06 07:11 110,592 a------- c:\windows\system32\services.exe
2009-02-06 07:06 2,145,280 a------- c:\windows\system32\ntoskrnl.exe
2009-02-06 06:39 35,328 a------- c:\windows\system32\sc.exe
2009-02-06 06:32 2,023,936 a------- c:\windows\system32\ntkrnlpa.exe
2009-02-05 11:54 453,152 a------- c:\windows\system32\NVUNINST.EXE
2009-02-03 15:59 56,832 a------- c:\windows\system32\secur32.dll
2008-12-26 16:07 214,539 ac------ c:\program files\uninstal.log
2008-03-10 18:33 64 a------- c:\documents and settings\owner\log.dat
2008-02-09 21:48 141,909,560 a------- c:\documents and settings\owner\WoW-2.3.3.7799-to-0.4.0.7897-enUS-patch.exe
2007-10-11 23:44 140,202,521 ac------ c:\documents and settings\owner\WoW-2.2.3.7359-to-0.3.0.7382-enUS-patch.exe
2007-05-20 16:28 43 ac------ c:\documents and settings\owner\RUNME.bat
2007-04-13 01:35 221,149,222 ac------ c:\documents and settings\owner\WoW-2.0.12.6546-to-0.1.0.6577-enUS-patch.exe
2004-12-24 08:00 0 ac-sh--- c:\windows\sminst\HPCD.SYS

============= FINISH: 23:53:20.59 ===============

Edited by pants123, 29 April 2009 - 11:09 PM.
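The following triage script is added here and is not from the thread, from DDS or from any BleepingComputer tool. It reads report lines like the ones posted above and flags what a helper looks for by eye: autostarts launched from Temp or RECYCLER, Winlogon and policy tampering, the localhost proxy forced into prefs.js, the extra LSA authentication package, and processes running from odd places. The heuristics, regexes and the trimmed sample list are constructed for this example; reader_s.exe is flagged by name only because post #6 identifies it.

```python
import re
from collections import Counter

# Constructed sample: lines copied verbatim from the DDS log in post #1 above.
SAMPLE_LOG = [
    r"C:\WINDOWS\System32\reader_s.exe",
    r"c:\xipr.exe",
    r"C:\DOCUME~1\Owner\LOCALS~1\Temp\yse7jzanp.exe",
    r"C:\DOCUME~1\Owner\LOCALS~1\Temp\yse7jzanp.exe",
    r"mWinlogon: SFCDisable=4 (0x4)",
    r"mWinlogon: Taskman=c:\recycler\s-1-5-21-5687359699-6031866764-624288746-5386\svchost.exe",
    r"uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe",
    r"uRun: [Windows Resurections] c:\docume~1\owner\locals~1\temp\yse7jzanp.exe",
    r"uRun: [12ZFG94-F641-2SF-K31P-5N1ER6H6L2] c:\recycler\s-1-5-21-7496359140-3272278998-179376105-5292\service.exe",
    r"dRun: [autochk] rundll32.exe c:\docume~1\locals~1\protect.dll,_IWMPEvents@16",
    r"uPolicies-explorer: NoFolderOptions = 1 (0x1)",
    r"uPolicies-system: DisableRegistryTools = 1 (0x1)",
    r"FF - prefs.js: network.proxy.http - localhost",
    r"FF - prefs.js: network.proxy.http_port - 7171",
    r"FF - prefs.js: network.proxy.type - 1",
    r"LSA: Authentication Packages = msv1_0 c:\windows\system32\jkkHWNDS",
]

PROCESS_RE = re.compile(r"^[A-Za-z]:\\")
AUTOSTART_RE = re.compile(r"^(?P<key>[umd](?:Explorer)?Run(?:Once)?): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
WINLOGON_RE = re.compile(r"^mWinlogon: (?P<name>\w+)=(?P<val>.+)$")
POLICY_RE = re.compile(r"^(?P<key>[um]Policies-\w+): (?P<name>\w+) = (?P<val>\d+)")
FF_PREF_RE = re.compile(r"^FF - prefs\.js: (?P<name>[\w.]+) - (?P<val>.+)$")
LSA_RE = re.compile(r"^LSA: Authentication Packages = (?P<pkgs>.+)$")
ROOT_EXE_RE = re.compile(r"^[a-z]:\\[^\\]+\.exe$")
SUSPECT_DIRS = ("\\temp\\", "\\recycler\\")  # user-writable spots legitimate autostarts avoid
LOCKDOWN_POLICIES = {"DisableRegistryTools", "NoFolderOptions"}  # keep the user away from recovery tools
KNOWN_BAD_NAMES = {"reader_s.exe"}  # named as a Win32.Virut dropper in post #6

def suspicious_path(path):
    """True for an executable in Temp/RECYCLER or dropped straight into the drive root."""
    p = path.lower()
    return any(d in p for d in SUSPECT_DIRS) or ROOT_EXE_RE.match(p) is not None

def triage(lines):
    """Return a list of (category, detail) findings for DDS-style report lines."""
    findings, procs, ff = [], Counter(), {}
    for raw in lines:
        line = raw.strip()
        if PROCESS_RE.match(line):  # "Running Processes" section: count instances per image
            procs[line.split(" -k ")[0]] += 1
            continue
        m = AUTOSTART_RE.match(line)
        if m:
            cmd = m["cmd"].lower()
            if suspicious_path(cmd):
                findings.append(("autostart", f"{m['key']} [{m['name']}] runs from a suspect location: {m['cmd']}"))
            elif cmd.startswith("rundll32.exe") and "\\windows\\" not in cmd:
                findings.append(("autostart", f"{m['key']} [{m['name']}] loads a DLL outside WINDIR: {m['cmd']}"))
            continue
        m = WINLOGON_RE.match(line)
        if m:
            if m["name"] == "Taskman":  # not set on a clean XP box
                findings.append(("winlogon", "Task Manager replaced via Winlogon Taskman: " + m["val"]))
            elif m["name"] == "SFCDisable" and not m["val"].startswith("0"):
                findings.append(("winlogon", "Windows File Protection turned off: SFCDisable=" + m["val"]))
            continue
        m = POLICY_RE.match(line)
        if m and m["name"] in LOCKDOWN_POLICIES and m["val"] != "0":
            findings.append(("policy", f"{m['key']} sets {m['name']}={m['val']}"))
        m = FF_PREF_RE.match(line)
        if m:
            ff[m["name"]] = m["val"]
            continue
        m = LSA_RE.match(line)
        if m:
            extra = [p for p in m["pkgs"].split() if p != "msv1_0"]
            if extra:
                findings.append(("lsa", "extra LSA authentication package(s): " + ", ".join(extra)))
    # A manual proxy at localhost intercepts the browser; it also explains the "proxy server refused
    # connection" error in post #3 once the local proxy process was no longer running.
    if ff.get("network.proxy.type") == "1" and ff.get("network.proxy.http") in ("localhost", "127.0.0.1"):
        findings.append(("browser", "Firefox forced through a local proxy on port " + ff.get("network.proxy.http_port", "?")))
    for exe, n in procs.items():
        if exe.rsplit("\\", 1)[-1].lower() in KNOWN_BAD_NAMES:
            findings.append(("process", exe + " is running (named as a Virut dropper in post #6)"))
        elif suspicious_path(exe):
            findings.append(("process", f"{exe} running from a suspect location ({n} instance(s))"))
    return findings
```

Feed it the full log by splitting the pasted text on newlines; benign entries such as the TeaTimer autostart produce no finding, which is the point of the location-based heuristics.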



#2 fenzodahl512

fenzodahl512

  • Members
  • 6,738 posts

Posted 30 April 2009 - 07:22 AM

Ok.. Looking at the log, I would advise you to start backing up all of your valuable data/documents/pictures/movies/songs/etc.. Do NOT back up any applications/installers and do NOT back up any .exe/.scr/.htm/.html/.xml/.zip/.rar/.pif/.asp/.php/.iso files... We are looking for a possible Virut or Sality infection, and if it is.. Then you might have to wipe the machine clean..

Make sure you back up everything ONLY via CD or DVD (non-rewritable).. If you need to back up to an external hard drive or thumb drive, make sure it is EMPTY.. Meaning NO FILE inside it.. Format the external drive first before attaching it to the infected computer.. A single .exe file inside the external drive may infect other computers as well



Please download Dr.Web CureIt to the Desktop:
  • Double-click the launch.exe or cureit.exe file and allow it to run the express scan
  • This will scan the files currently running in memory and when something is found, click the Yes button when it asks you if you want to cure it. This is only a short scan.
  • Once the short scan has finished, just let it cure whatever it finds...
    • Now, go to Settings >> Change Settings
    • Go to the Actions tab >> under the Objects section, change the settings to the below
      • Infected objects - Cure
      • Incurable objects - Report
      • Suspicious objects - Report
    • Don't change any other settings
  • Start the scan again. This time, choose Complete Scan
  • Click the green arrow button at the right, and the scan will start.
  • After the scan has finished, click Select all
  • Click on Cure and choose Report incurable (means take no actions.. Don't "move", or "rename" or "delete")
  • When the scan has finished, in the menu, click File and choose Save report list
  • Save the report to your Desktop. The report will be called DrWeb.csv
  • Post DrWeb.csv in your next reply (open it in Notepad).. Do NOT reboot the computer yet..

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
Its gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive


#3 pants123

pants123
  • Topic Starter

  • Members
  • 6 posts

Posted 30 April 2009 - 10:15 PM

I followed your directions to the point of posting the report in a reply, which was halted by my computer having to be restarted because of non-responsiveness and Firefox giving me a "proxy server refused connection" error message. Now I'm stuck posting from a laptop looking at my computer wondering wtf to do. Help!

#4 fenzodahl512

fenzodahl512

  • Members
  • 6,738 posts

Posted 30 April 2009 - 11:31 PM

First.. What did Dr.Web find.. Did it mention anything like Virut/Sality?

Have you backed up your data as I mentioned before?



#5 pants123

pants123
  • Topic Starter

  • Members
  • 6 posts

Posted 30 April 2009 - 11:46 PM

Yea all important data is backed up.

Some log entries: Virtumod, EzulaAd, Killwind, Terminator, Alupko, backdoor geck

Sorry I'm not able to post the log; the browser is hijacked.

#6 fenzodahl512

fenzodahl512

  • Members
  • 6,738 posts

Posted 01 May 2009 - 12:09 AM

C:\WINDOWS\System32\reader_s.exe


That file is present in your log.. It's a dropper for Win32.Virut..

So, the computer's internet isn't working right?.. My sincere advice is just to wipe the machine clean.. There's no way to clean Virut 100%, and even if we successfully do so, some important files might be corrupted and in the end you have to reformat the computer..


A quote from Malware Expert (sUBs)


Virut is not disinfectable. Your only option is to perform a full reformat. Do NOT attempt a repair install. It shall be a waste of time. If you do so, the infected executables remain on the machine & you shall likely trigger another bout of Virut.

If you do not know how to perform a fresh install, use this website > http://www.windowsreinstall.com/

Note: If you have to backup files, do so only for MS Office documents & any non executable file. Burn them to CD/DVD. Do NOT copy files from the infected machine to your pendrive OR another machine. You risk infecting the other machine.


Full reformat means format on ALL partitions..


I'll leave this topic open until you successfully reformat the computer..



#7 pants123

pants123
  • Topic Starter

  • Members
  • 6 posts

Posted 02 May 2009 - 05:57 PM

Reformatted and updated WinXP Home to the current version. I went to install my video card via the NVIDIA website and the self-extracting install file ran smoothly and confirmed that it had installed and that I needed to restart. I restarted and the video driver was NOT installed. I uninstalled the driver and reinstalled 3-4 times with no success. Hope you can work some magic

Thanks for your help :thumbup2:

#8 fenzodahl512

fenzodahl512

  • Members
  • 6,738 posts

Posted 02 May 2009 - 07:43 PM

Err.. what video card do you have?.. What brand/vendor/model?



#9 pants123

pants123
  • Topic Starter

  • Members
  • 6 posts

Posted 04 May 2009 - 11:01 AM

Turns out my computer is so old the heat sink for a chip which resides above my video card somehow broke off, landed on my video card, which shorted it out. I replaced the card and reattached the heat sink and everything is working great. The reformat seems to have worked and my computer is running great. I was wondering what security programs I should have in order to maintain system integrity? Thanks for all your help: )

#10 fenzodahl512

fenzodahl512

  • Members
  • 6,738 posts

Posted 04 May 2009 - 04:39 PM

There are a lot of security programs out there.. But here's a general rule..

One antivirus
One antispyware
One firewall..

That's all you need.. If you use something like "Internet Security Suite" or similar, you won't need anything else as it includes antivirus/antispyware/firewall, all-in-one solution..

If you have money to burn, I suggest Kaspersky Internet Security OR ESET Smart Security.. Just choose one of those..

If you wish for something free yet great, there are a lot of programs, but my personal recommendation is below..

Antivirus: Avira AntiVir Personal
Antispyware: Malwarebytes' Anti-Malware
Firewall: PC Tools Firewall Plus


Any more questions before I close this topic? :thumbup2:



#11 pants123

pants123
  • Topic Starter

  • Members
  • 6 posts

Posted 04 May 2009 - 08:31 PM

Nope. Thank you very much for your time, it's greatly appreciated!!!!!!



