Infected with HTML/Framer...

#1 HazRPG


Posted 10 May 2009 - 05:50 PM

Hi, I hope you can help me.

I was recently using some recovery tools to recover data off a USB flash drive. Afterwards, I noticed AVG started saying I was infected with HTML/Framer, which appears to add an IFRAME to .html or .htm files all over the computer (even help or chrome files needed by applications). I also noticed after performing a scan that I was infected with Virut, and that Windows Firewall was disabled. My first reaction was to update everything (SUPERAntiSpyware, Malwarebytes' Anti-Malware, AVG and Spybot Search & Destroy) and then disable the internet. I restarted into safe mode and ran Firefox to seek advice. I ran scans on all of them and removed everything (I kept logs). I then found an AVG Virut removal application and ran that. Afterwards I restarted and booted Windows XP, and AVG is still saying files are infected with HTML/Framer. I seem to have gotten rid of everything else that resulted from Virut, though.

Is there anything I can do that will heal/remove the injected IFRAMEs? I'd do it manually... but there are too many of them, plus I'm unsure if anything else was affected by either Virut or HTML/Framer.

Thanks in advance,


DDS (Ver_09-03-16.01) - NTFSx86
Run by Haz at 23:23:19.12 on 10/05/2009
Internet Explorer: 8.0.6001.18372 BrowserJavaVersion: 1.6.0_12
Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.2046.1461 [GMT 1:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated)

============== Running Processes ===============

D:\WINDOWS\system32\svchost -k DcomLaunch
D:\WINDOWS\System32\svchost.exe -k netsvcs
D:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
D:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
D:\WINDOWS\System32\svchost.exe -k HTTPFilter
D:\Program Files\Java\jre6\bin\jqs.exe
D:\Program Files\Sandboxie\SbieSvc.exe
D:\WINDOWS\System32\svchost.exe -k imgsvc
D:\Program Files\Java\jre6\bin\jusched.exe
D:\Program Files\CyberLink\PowerDVD8\PDVD8Serv.exe
D:\Program Files\Cyberlink\Shared Files\brs.exe
D:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe
D:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe
D:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe
D:\Program Files\Windows Live\Messenger\msnmsgr.exe
D:\Program Files\Sandboxie\SbieCtrl.exe
D:\Program Files\SlySoft\AnyDVD\AnyDVDtray.exe
D:\Program Files\Windows Media Player\WMPNSCFG.exe
D:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
D:\Program Files\Launchy\Launchy.exe
D:\Program Files\PowerMenu\PowerMenu.exe
D:\Program Files\Windows Live\Contacts\wlcomm.exe
D:\Documents and Settings\Haz\Desktop\dds.scr

============== Pseudo HJT Report ===============

uInternet Settings,ProxyOverride = *.local
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - d:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - d:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [CTFMON.EXE] d:\windows\system32\ctfmon.exe
uRun: [msnmsgr] "d:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [SandboxieControl] "d:\program files\sandboxie\SbieCtrl.exe"
uRun: [AlcoholAutomount] "d:\program files\alcohol soft\alcohol 120\axcmd.exe" /automount
uRun: [AnyDVD] d:\program files\slysoft\anydvd\AnyDVDtray.exe
uRun: [\\TYRANDE\EPSON Stylus DX5000 Series] d:\windows\system32\spool\drivers\w32x86\3\e_fatibve.exe /fu "d:\docume~1\haz\locals~1\temp\E_S86.tmp" /EF "HKCU"
uRun: [Auto EPSON Stylus DX5000 Series on TYRANDE] d:\windows\system32\spool\drivers\w32x86\3\e_fatibve.exe /fu "d:\windows\temp\E_S60.tmp" /EF "HKCU"
uRun: [WMPNSCFG] d:\program files\windows media player\WMPNSCFG.exe
mRun: [AVG8_TRAY] d:\progra~1\avg\avg8\avgtray.exe
mRun: [NvCplDaemon] RUNDLL32.EXE d:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE d:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [AdobeCS4ServiceManager] "d:\program files\common files\adobe\cs4servicemanager\CS4ServiceManager.exe" -launchedbylogin
mRun: [<NO NAME>]
mRun: [SunJavaUpdateSched] "d:\program files\java\jre6\bin\jusched.exe"
mRun: [SMSERIAL] d:\program files\motorola\smserial\sm56hlpr.exe
mRun: [RemoteControl8] "d:\program files\cyberlink\powerdvd8\PDVD8Serv.exe"
mRun: [reader_s] d:\windows\system32\reader_s.exe
mRun: [PDVD8LanguageShortcut] "d:\program files\cyberlink\powerdvd8\language\Language.exe"
mRun: [BDRegion] d:\program files\cyberlink\shared files\brs.exe
mRun: [Adobe Reader Speed Launcher] "d:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe Acrobat Speed Launcher] "d:\program files\adobe\acrobat 9.0\acrobat\Acrobat_sl.exe"
mRun: [Acrobat Assistant 8.0] "d:\program files\adobe\acrobat 9.0\acrobat\Acrotray.exe"
dRun: [CTFMON.EXE] d:\windows\system32\CTFMON.EXE
dRun: [msnmsgr] "d:\program files\windows live\messenger\msnmsgr.exe" /background
StartupFolder: d:\docume~1\haz\startm~1\programs\startup\onenot~1.lnk - d:\program files\microsoft office\office12\ONENOTEM.EXE
StartupFolder: d:\docume~1\haz\startm~1\programs\startup\powerm~1.lnk - d:\program files\powermenu\PowerMenu.exe
StartupFolder: d:\docume~1\alluse~1\startm~1\programs\startup\blueto~1.lnk - d:\program files\widcomm\bluetooth software\BTTray.exe
StartupFolder: d:\docume~1\alluse~1\startm~1\programs\startup\launchy.lnk - d:\program files\launchy\Launchy.exe
IE: Append Link Target to Existing PDF - d:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - d:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - d:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - d:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - d:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: Send To &Bluetooth - d:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - d:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - d:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - d:\progra~1\micros~3\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - d:\progra~1\micros~3\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - d:\progra~1\spybot~1\SDHelper.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - d:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: !SASWinLogon - d:\program files\superantispyware\SASWINLO.dll
Notify: avgrsstarter - avgrsstx.dll
AppInit_DLLs: c:\progra~1\thunmail\testabd.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - d:\windows\system32\WPDShServiceObj.dll
STS: Fences: {ec654325-1273-c2a9-2b7c-45a29bce2fbd} - d:\program files\stardock\fences\DesktopDock.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - d:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - d:\docume~1\haz\applic~1\mozilla\firefox\profiles\v0h29de4.virus & malware removal only!\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/
FF - plugin: d:\program files\download manager\npfpdlm.dll
FF - plugin: d:\program files\mozilla firefox\plugins\np32dsw.dll
FF - plugin: d:\program files\mozilla firefox\plugins\npdeploytk.dll
FF - plugin: d:\program files\mozilla firefox\plugins\npdivx32.dll
FF - plugin: d:\program files\mozilla firefox\plugins\npnul32.dll
FF - plugin: d:\program files\mozilla firefox\plugins\NPOFF12.DLL
FF - plugin: d:\program files\mozilla firefox\plugins\NPOFFICE.DLL
FF - plugin: d:\program files\mozilla firefox\plugins\nppdf32.dll

d:\program files\mozilla firefox 3.5 beta 4\greprefs\all.js - pref("media.enforce_same_site_origin", false);
d:\program files\mozilla firefox 3.5 beta 4\greprefs\all.js - pref("media.cache_size", 51200);
d:\program files\mozilla firefox 3.5 beta 4\greprefs\all.js - pref("media.ogg.enabled", true);
d:\program files\mozilla firefox 3.5 beta 4\greprefs\all.js - pref("media.wave.enabled", true);
d:\program files\mozilla firefox 3.5 beta 4\greprefs\all.js - pref("media.autoplay.enabled", true);
d:\program files\mozilla firefox 3.5 beta 4\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
d:\program files\mozilla firefox 3.5 beta 4\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
d:\program files\mozilla firefox 3.5 beta 4\greprefs\all.js - pref("dom.storage.default_quota", 5120);
d:\program files\mozilla firefox 3.5 beta 4\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
d:\program files\mozilla firefox 3.5 beta 4\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
d:\program files\mozilla firefox 3.5 beta 4\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
d:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
d:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
d:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
d:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
d:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
d:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
d:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
d:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;d:\windows\system32\drivers\avgldx86.sys [2009-2-16 325896]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;d:\windows\system32\drivers\avgmfx86.sys [2009-2-16 27784]
R1 IfsMount;IfsMount;d:\windows\system32\drivers\ifsmount.sys [2009-3-2 51072]
R1 SASDIFSV;SASDIFSV;d:\program files\superantispyware\SASDIFSV.SYS [2009-1-15 9968]
R1 SASKUTIL;SASKUTIL;d:\program files\superantispyware\SASKUTIL.SYS [2009-1-15 55024]
R2 {FE4C91E7-22C2-4D0C-9F6B-82F1B7742054};{FE4C91E7-22C2-4D0C-9F6B-82F1B7742054};d:\program files\cyberlink\powerdvd8\000.fcl [2008-2-1 41456]
R2 avg8wd;AVG Free8 WatchDog;d:\progra~1\avg\avg8\avgwdsvc.exe [2009-2-16 298776]
R3 SbieDrv;SbieDrv;d:\program files\sandboxie\SbieDrv.sys [2008-1-13 92160]
S3 NPF;NetGroup Packet Filter Driver;d:\windows\system32\drivers\npf.sys [2007-11-6 34064]
S3 SASENUM;SASENUM;d:\program files\superantispyware\SASENUM.SYS [2009-1-15 7408]

=============== Created Last 30 ================

2009-05-10 19:16 <DIR> --d-h--- d:\windows\system32\GroupPolicy
2009-05-10 19:03 69,120 ac------ d:\windows\system32\dllcache\notepad.exe
2009-05-10 19:03 69,120 a------- d:\windows\notepad.exe
2009-05-10 16:37 182,656 ac------ d:\windows\system32\dllcache\ndis.sys
2009-05-10 16:04 0 a------- d:\windows\system32\27D.tmp
2009-05-10 16:03 120 a------- d:\windows\system32\278.tmp
2009-05-10 14:23 <DIR> --d----- d:\windows\system32\NtmsData
2009-05-01 17:29 <DIR> --d----- d:\program files\UltraVNC
2009-04-28 10:19 <DIR> --d----- d:\docume~1\haz\applic~1\fretsonfire
2009-04-26 09:50 <DIR> --d----- d:\program files\Mozilla Firefox 3.5 Beta 4
2009-04-24 14:46 <DIR> --d----- d:\docume~1\alluse~1\applic~1\EPSON
2009-04-23 16:48 8 a------- d:\windows\system32\nvModes.dat
2009-04-23 13:45 401,408 -c------ d:\windows\system32\dllcache\rpcss.dll
2009-04-23 13:45 284,160 -c------ d:\windows\system32\dllcache\pdh.dll
2009-04-23 13:45 729,088 -c------ d:\windows\system32\dllcache\lsasrv.dll
2009-04-23 13:45 714,752 -c------ d:\windows\system32\dllcache\ntdll.dll
2009-04-23 13:45 617,472 -c------ d:\windows\system32\dllcache\advapi32.dll
2009-04-23 13:45 473,600 -c------ d:\windows\system32\dllcache\fastprox.dll
2009-04-23 13:45 453,120 -c------ d:\windows\system32\dllcache\wmiprvsd.dll
2009-04-23 13:45 227,840 -c------ d:\windows\system32\dllcache\wmiprvse.exe
2009-04-23 13:45 110,592 -c------ d:\windows\system32\dllcache\services.exe
2009-04-23 13:42 1,203,922 -c------ d:\windows\system32\dllcache\sysmain.sdb
2009-04-23 13:42 215,552 -c------ d:\windows\system32\dllcache\wordpad.exe
2009-04-23 13:42 2,560 -------- d:\windows\system32\xpsp4res.dll
2009-04-23 13:37 12,160 ac------ d:\windows\system32\dllcache\mouhid.sys
2009-04-23 13:37 12,160 a------- d:\windows\system32\drivers\mouhid.sys
2009-04-23 13:36 10,368 ac------ d:\windows\system32\dllcache\hidusb.sys
2009-04-23 13:36 10,368 a------- d:\windows\system32\drivers\hidusb.sys

==================== Find3M ====================

2009-05-10 17:50 2,168,832 a------- d:\windows\MicCal.exe
2009-05-10 17:47 1,197,964 a------- d:\windows\RtlUpd.exe
2009-05-10 17:46 1,414,656 a------- d:\windows\system32\mmc.exe
2009-05-10 17:46 86,016 a------- d:\windows\system32\netsh.exe
2009-05-10 17:46 33,280 a------- d:\windows\system32\rundll32.exe
2009-05-10 17:45 389,120 a------- d:\windows\system32\cmd.exe
2009-05-10 16:37 182,656 a------- d:\windows\system32\drivers\ndis.sys
2009-05-02 15:18 11,952 a------- d:\windows\system32\avgrsstx.dll
2009-05-02 15:18 325,896 a------- d:\windows\system32\drivers\avgldx86.sys
2009-04-06 15:32 38,496 a------- d:\windows\system32\drivers\mbamswissarmy.sys
2009-04-06 15:32 15,504 a------- d:\windows\system32\drivers\mbam.sys
2009-03-20 13:21 84,910,450 -------- D:\xampp-win32-1.7.0.zip
2009-03-06 15:22 284,160 a------- d:\windows\system32\pdh.dll
2009-03-03 20:41 1,682 a--sh--- d:\docume~1\alluse~1\applic~1\KGyGaAvL.sys
2009-02-27 12:01 80,007 a------- d:\windows\pchealth\helpctr\offlinecache\index.dat
2009-02-26 20:51 505,128 a------- d:\windows\system32\msvcp71.dll
2009-02-26 20:51 353,576 a------- d:\windows\system32\msvcr71.dll
2009-02-26 20:51 29,480 a------- d:\windows\system32\msxml3a.dll
2009-02-22 15:27 88 ---shr-- d:\docume~1\alluse~1\applic~1\475FD71464.sys
2009-02-16 17:18 196,608 a------- d:\windows\system32\sm56co6a.dll
2009-02-16 16:33 410,984 a------- d:\windows\system32\deploytk.dll
2009-02-16 15:54 21,640 a------- d:\windows\system32\emptyregdb.dat
2009-02-15 15:40 73,728 a------- d:\windows\system32\RtNicProp32.dll
2009-02-15 15:40 2,756,608 a------- d:\windows\system32\NETw5r32.dll
2009-02-15 15:40 659,456 a------- d:\windows\system32\NETw5c32.dll
2009-02-15 13:56 32,256 a------- d:\windows\system32\wupdmgr.exe
2009-02-15 13:55 11,776 a------- d:\windows\system32\wshisn.dll
2009-02-15 13:55 7,168 a------- d:\windows\system32\wshnetbs.dll
2009-02-15 13:55 9,216 a------- d:\windows\system32\wshatm.dll
2009-02-15 13:55 5,632 a------- d:\windows\system32\write.exe
2009-02-15 13:55 10,368 a------- d:\windows\system32\wowexec.exe
2009-02-15 13:55 2,736 a------- d:\windows\system32\wowdeb.exe
2009-02-15 13:55 446,464 a------- d:\windows\system32\wmvdmoe.dll
2009-02-15 13:55 1,677,312 a------- d:\windows\system32\wmvcore2.dll
2009-02-15 13:55 311,327 a------- d:\windows\system32\wmv8dmod.dll
2009-02-15 13:55 77,824 a------- d:\windows\system32\wmpstub.exe
2009-02-15 13:55 55,808 a------- d:\windows\system32\wmiscmgr.dll
2009-02-15 13:55 18,944 a------- d:\windows\system32\wmiprop.dll
2009-02-15 13:53 22,016 a------- d:\windows\system32\w32topl.dll
2009-02-15 13:53 49,664 a------- d:\windows\system32\w32tm.exe
2009-02-15 13:53 19,456 a------- d:\windows\system32\vwipxspx.dll
2009-02-15 13:53 16,896 a------- d:\windows\system32\vss_ps.dll
2009-02-15 13:53 33,792 a------- d:\windows\system32\vssadmin.exe
2009-02-15 13:52 18,944 a------- d:\windows\vmmreg32.dll
2009-02-15 13:52 4,608 a------- d:\windows\system32\vjoy.dll
2009-02-15 13:52 18,176 a------- d:\windows\system32\vga64k.dll
2009-02-15 13:52 51,456 a------- d:\windows\system32\vga256.dll
2009-02-15 13:52 2,176 a------- d:\windows\system32\vga.drv
2009-02-15 13:52 9,344 a------- d:\windows\system32\vga.dll
2009-02-15 13:52 20,535 a------- d:\windows\system32\vfpodbc.dll
2009-02-15 13:52 98,304 a------- d:\windows\system32\verifier.exe
2009-02-15 13:52 9,008 a------- d:\windows\system32\ver.dll
2009-02-15 13:52 7,680 a------- d:\windows\system32\vcdex.dll
2009-02-15 13:51 25,600 a------- d:\windows\system32\utildll.dll
2009-02-15 13:51 47,872 a------- d:\windows\system32\user.exe
2009-02-15 13:50 17,920 a------- d:\windows\system32\ureg.dll
2009-02-15 13:50 4,096 a------- d:\windows\system32\unlodctr.exe
2009-02-15 13:50 13,312 a------- d:\windows\system32\umdmxfrm.dll
2009-02-15 13:50 82,432 a------- d:\windows\system32\ufat.dll
2009-02-15 13:50 36,352 a------- d:\windows\system32\typeperf.exe
2009-02-15 13:50 177,856 a------- d:\windows\system32\typelib.dll
2009-02-15 13:50 25,600 a------- d:\windows\twunk_32.exe
2009-02-15 13:50 49,680 a------- d:\windows\twunk_16.exe
2009-02-15 13:50 94,784 a------- d:\windows\twain.dll
2009-02-15 13:48 19,456 a------- d:\windows\system32\tcpsvcs.exe
2009-02-15 13:47 49,179 a------- d:\windows\system32\sqlwoa.dll
2009-02-15 13:47 24,603 a------- d:\windows\system32\sqlwid.dll
2009-02-15 13:47 24,661 a------- d:\windows\system32\spxcoins.dll
2009-02-15 13:47 9,728 a------- d:\windows\system32\sprestrt.exe
2009-02-15 13:46 1,744 a------- d:\windows\system32\sound.drv
2009-02-15 13:46 56,832 a------- d:\windows\system32\sol.exe
2009-02-15 13:46 5,632 a------- d:\windows\system32\softpub.dll
2009-02-15 13:46 138,752 a------- d:\windows\system32\sndvol32.exe
2009-02-15 13:46 14,848 a------- d:\windows\system32\slbrccsp.dll
2009-02-15 13:46 5,632 a------- d:\windows\system32\skdll.dll
2009-02-15 13:44 15,872 a------- d:\windows\system32\rwinsta.exe
2009-02-15 13:43 8,192 a------- d:\windows\system32\qosname.dll
2009-02-15 13:42 21,504 a------- d:\windows\system32\pathping.exe
2009-02-15 13:41 35,328 a------- d:\windows\pchealth\helpctr\binaries\notiflag.exe
2009-02-15 13:41 12,288 a------- d:\windows\system32\nmevtmsg.dll
2009-02-15 13:41 7,052 a------- d:\windows\system32\nlsfunc.exe
2009-02-15 13:41 2,656 a------- d:\windows\system32\netware.drv
2009-02-15 13:41 308,224 a------- d:\windows\system32\netui2.dll
2009-02-15 13:41 171,008 a------- d:\windows\system32\netmsg.dll
2009-02-15 13:41 253,952 a------- d:\windows\system32\neth.dll
2009-02-15 13:41 214,016 a------- d:\windows\system32\netevent.dll
2009-02-15 13:39 28,746 a------- d:\windows\system32\msrecr40.dll
2009-02-15 13:39 73,802 a------- d:\windows\system32\msrclr40.dll
2009-02-15 13:39 69,632 a------- d:\windows\system32\msr2c.dll
2009-02-15 13:39 60,416 a------- d:\windows\system32\msratelc.dll
2009-02-15 13:39 7,168 a------- d:\windows\system32\msr2cenu.dll
2009-02-15 13:39 41,984 a------- d:\windows\system32\msports.dll
2009-02-15 13:39 33,280 a------- d:\windows\system32\msobjs.dll
2009-02-15 13:39 368,710 a------- d:\windows\system32\msisam11.dll
2009-02-15 13:39 14,848 a------- d:\windows\system32\msidntld.dll
2009-02-15 13:39 126,976 a------- d:\windows\system32\mshearts.exe
2009-02-15 13:39 20,992 a------- d:\windows\system32\msg.exe
2009-02-15 13:39 94,282 a------- d:\windows\system32\msencode.dll
2009-02-15 13:37 2,032 a------- d:\windows\system32\mouse.drv
2009-02-15 13:36:46 A------- 50,176 d:\windows\system32\mdhcp.dll

============= FINISH: 23:23:48.34 ===============

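The question in post #1 is how to find the pages HTML/Framer has touched when there are too many to check by hand, and post #2 adds that Virux also infects script files (.php, .asp, .html). The following is an added triage script, not code from this thread or from AVG, Dr.Web or any other tool named in it. It walks a directory tree and classifies every `<iframe>` in .html/.htm/.php/.asp files: a frame that loads an absolute (external) URL and is also sized 0/1 pixels or hidden by style is reported as "suspicious", a visible external frame as "review", and a same-site frame as "local". The two sample pages and the hostname `malicious.example` are constructed for the demo.

```python
import os
import re
import tempfile
from html.parser import HTMLParser
from urllib.parse import urlparse

# File types worth inventorying; post #2 lists .php/.asp/.html as Virux targets.
WEB_EXTENSIONS = {".html", ".htm", ".php", ".asp"}
HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)

# Constructed sample pages (not from the thread): one benign, one with an
# injected 1x1 hidden frame pointing at an external host.
CLEAN = ('<html><body><p>Help page</p>'
         '<iframe src="nav.htm" width="400" height="300"></iframe></body></html>')
INJECTED = ('<html><body><p>Help page</p>'
            '<iframe src="http://malicious.example/in.php" width="1" height="1" '
            'style="visibility:hidden"></iframe></body></html>')


class IframeCollector(HTMLParser):
    """Collect the attribute dict of every <iframe> start tag in a page."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            # Bare attributes (e.g. `hidden`) come through with value None.
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})


def _tiny(value):
    """True for dimensions that render as effectively invisible: 0, 1, 1px, 0%."""
    m = re.match(r"\s*(\d+)", value or "")
    return m is not None and int(m.group(1)) <= 1


def classify_iframe(attrs):
    """Verdict for one iframe: 'suspicious', 'review' or 'local'."""
    host = urlparse(attrs.get("src", "")).hostname  # None for relative paths
    hidden = (_tiny(attrs.get("width")) or _tiny(attrs.get("height"))
              or "hidden" in attrs
              or bool(HIDDEN_STYLE.search(attrs.get("style", ""))))
    if host and hidden:
        return "suspicious"
    if host:
        return "review"
    return "local"


def find_suspicious_iframes(html_text):
    """Return every iframe in the page with its verdict attached."""
    parser = IframeCollector()
    parser.feed(html_text)
    return [dict(a, verdict=classify_iframe(a)) for a in parser.iframes]


def scan_tree(root):
    """Walk `root` and return (path, verdict, src) for every non-local iframe."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() not in WEB_EXTENSIONS:
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "r", encoding="utf-8", errors="replace") as fh:
                    text = fh.read()
            except OSError:
                continue  # unreadable file: skip rather than abort the sweep
            for frame in find_suspicious_iframes(text):
                if frame["verdict"] != "local":
                    findings.append((path, frame["verdict"], frame.get("src", "")))
    return findings


def demo():
    """Write the constructed samples to a temp dir, scan it, return the findings."""
    with tempfile.TemporaryDirectory() as root:
        for name, text in (("clean.htm", CLEAN), ("help.html", INJECTED)):
            with open(os.path.join(root, name), "w", encoding="utf-8") as fh:
                fh.write(text)
        return [(os.path.basename(p), v, s) for p, v, s in scan_tree(root)]


if __name__ == "__main__":
    for path, verdict, src in demo():
        print(f"{verdict:<10} {path}  ->  {src}")
```

Run it against a mounted copy of the affected drive (or `scan_tree("D:\\")` on the machine itself) to get a list of pages and the hosts their injected frames point at; that list is what to keep for the record before the reformat the thread recommends. The script only inventories, it does not rewrite files: on a Virut-infected host the executables are the real problem, and the page list mainly tells you which backed-up documents need scrutiny before being restored.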

#2 KoanYorel


    Bleepin' Conundrum

Posted 10 May 2009 - 06:27 PM

If your system is infected with a nasty variant of Virut, a polymorphic file infector with IRCBot functionality which infects .exe, .scr files, downloads more malicious files to your system, and opens a back door that compromises your computer. Virux is an even more complex file infector which also infects script files (.php, .asp, and .html). When Virut creates infected files, it also creates non-functional files that are corrupted beyond repair. In many cases the infected files cannot be disinfected properly by your anti-virus. When disinfection is attempted, the files become corrupted and the system may become irreparable.

The virus has a number of bugs in its code, and as a result it may misinfect a proportion of executable files... some W32/Virut.h infections are corrupted beyond repair.

McAfee Risk Assessment and Overview of W32/Virut
This kind of infection is contracted and spread by visiting remote, crack and keygen sites. These types of sites are infested with a smörgåsbord of malware and an increasing source of system infection. However, the CA Security Advisor Research Blog says they have found MySpace user pages carrying the malicious Virut URL. Either way you can end up with a computer system so badly damaged that recovery is not possible and it cannot be repaired. When that happens there is nothing you can do besides reformatting and reinstalling the OS.

...warez and crack web pages are being used by cybercriminals as download sites for malware related to VIRUT and VIRUX. Searches for serial numbers, cracks, and even antivirus products like Trend Micro yield malcodes that come in the form of executables or self-extracting files...quick links in these sites also lead to malicious files. Ads and banners are also infection vectors...

Keygen and Crack Sites Distribute VIRUX and FakeAV

If your computer was used for online banking, has credit card information or other sensitive data on it, you should disconnect from the Internet until your system is cleaned. All passwords should be changed immediately, including those used for banking, email, eBay, PayPal and online forums. You should consider them to be compromised. You should change each password using a clean computer and not the infected one. If not, an attacker may get the new passwords and transaction information. If using a router, you need to reset it with a strong logon/password so the malware cannot gain control before connecting again. Banking and credit card institutions should be notified of the possible security breach. Because your computer was compromised please read: There is no guarantee this infection can be completely removed. In some instances it may have caused so much damage to your system that it cannot be completely cleaned or repaired. The malware may leave so many remnants behind that security tools cannot find them. Many experts in the security community believe that once infected with this type of malware, the best course of action is to wipe the drive clean, reformat and reinstall the OS. Reinstalling Windows without first wiping the entire hard drive with a repartition and/or format will not remove the infection. The reinstall will only overwrite the Windows files. Any malware on the system will still be there afterwards. Please read:
If you insist on trying to fix this infection instead of following our advice to reformat and reinstall your operating system, there are various rescue disks available from major anti-virus vendors which you can try. Keep in mind, even vendors like Kaspersky say there is no guarantee that some files will not get corrupted during the disinfection process. In the end most folks end up reformatting out of frustration after spending hours attempting to repair and remove infected files. IMO the safest and easiest thing to do is just reformat and reinstall Windows.

Bleeping Computer DOES NOT assume any responsibility for your attempt to repair this infection using any of the following tools. You do this at your own risk and against our advice.

These are links to anti-virus vendors that offer free LiveCD or Rescue CD files that are used to boot from for repair of unbootable and damaged systems, to rescue data, and to scan the system for virus infections. Burn it as an image to a disk to get a bootable CD. All (except Avira) are in the ISO image file format. Avira uses an EXE that has built-in CD burning capability. If you are not sure how to burn an image, please read How to write a CD/DVD image or ISO. If you need a FREE utility to burn the ISO image, download and use ImgBurn.
The only easy day was yesterday.

...some do, some don't; some will, some won't (WR)

#3 HazRPG

  • Topic Starter

Posted 11 May 2009 - 11:40 AM

Hmmm, I was hoping I didn't have to do a full format. Does this mean that all data on my hard drive cannot be backed up, in case it may still be infected? I think I've done a backup not so long ago, but I'm not sure if I did it for Windows or just for Ubuntu. This is why I wish I could just migrate to Linux fully; there aren't many (if any) viruses for the Linux operating system. I wish companies would make their programs and applications compatible with Linux - but enough of me talking about Linux...

How fast does Virut do its infection? Like I said, I was doing some recovery on a flash drive to retrieve information off it... somehow I think the virus might have been embedded inside the Windows PE boot disc (BartPE) I made with recovery software on it, as I think I had the Virut virus before when I was going through and doing a format at the time anyway to remove Vista. I might have to bin that CD just in case it is where the infection is.

The Virut removal tool from AVG reports that the virus is no longer there. I'm currently running Dr.Web CureIt! under Ubuntu (using Wine); so far it has found only 3 infected files.

What antivirus software would you recommend? Before starting to use AVG 5 years ago I used to use Norton (which back then was reasonable, and also came free with my old laptop). But I no longer trust Norton or McAfee, because they have become so bloated and cause more problems with startup and running the system than it's worth. It seems AVG is going down that route now too with its free version (don't know about its professional one) in its most recent version (8.5).

Also, any firewall programs you could suggest? I used to use ZoneAlarm when it was free, but it had a bug which caused my system to blue screen several years ago and I have since been hesitant to try it again.

Anything else you could recommend? Always great to further better my knowledge on antivirus/spyware/malware/bloatware and what software people think is best to use. If possible, free versions would be best, but if you highly recommend a paid one which won't slow my machine - then that would be great too. :thumbup2:

What is the world coming to when you need to have so many different pieces of software to run your machine without worry? *sigh*. I can see from a programmer's point of view why people would want to experiment and make applications that can evolve, or simulate artificial intelligence, or make a program which can create an executable if it can help with software development and make games or applications more intelligent... but to use it like this just seems so wrong and immoral. Let us all hope that the future of operating systems will help us stop all these types of activities without compromising our rights.

I will finish by saying thank you very much for your information and help, and I hope I don't have to contract any future viruses (not possible with Windows, but I've lasted the last few years without having one).

Thanks in advance,

#4 KoanYorel


    Bleepin' Conundrum

Posted 11 May 2009 - 11:51 AM

Haz, I cannot recommend anything else. All files/data may be infected?
I would not save anything.

Criminals are just that. Criminals.

Sorry we can't help and good luck.


#5 HazRPG

  • Topic Starter

Posted 11 May 2009 - 02:05 PM

Oh right, okay. Currently trying to find my previous backups to restore from, it'll be on one of my hard drives somewhere lol.

When I asked for some recommendations, I meant for future protection after I've formatted. I've been meaning to do one for a while anyway, because I initially cleaned out one partition and installed Windows XP (cos I hate Vista with a passion), then installed Ubuntu afterwards, and later thought I would never go back to Vista and eventually wiped that partition... so my hard drive partitions are kind of a mess. This has just given me an excuse to get round to doing what I should have done initially.

Like I said, I use AVG at the moment... but I'm starting to hate the new "improvements" they're doing with their interface and whatnot. I preferred it when the interface was not so graphic and resource demanding. Any advice would be appreciated; I know it's usually down to choice, but any facts that are worth knowing would be great.

Thanks in advance,

#6 KoanYorel


    Bleepin' Conundrum

Posted 11 May 2009 - 02:59 PM

You might be able to trust a very, very old save of data. But I wouldn't bet on it.

Good Luck.

I have a number of Vista Toshibas and no problems with any.
May I direct you to read on the site about such problems?

#7 HazRPG

  • Topic Starter

Posted 16 May 2009 - 09:45 AM

I had the backup stored on a hard drive that hadn't come into contact with the machine for over 4 months, so I was certain the data would be fine. I did some scans on it on a clean machine first, though. I'm currently evaluating how to partition my drives and which operating systems to use. As I speak/type, I have the Windows 7 RC disc loaded, as I thought I'd give it a quick try first and then continue with my normal format/installing OSes afterwards.

Thanks for the help guys :thumbup2:. You may now close this thread if you wish.

