
Infected with win32\heur


  • This topic is locked
3 replies to this topic

#1 techmor

techmor

  • Members
  • 2 posts
  • OFFLINE
  • Local time:06:34 AM

Posted 19 May 2009 - 02:38 AM

My laptop became infected approx. 5 days ago. I've run many malware removers, including: SUPERAntiSpyware Free Edition, SDFix.exe, Hijackthis.exe, cureit.exe, and cannot seem to clear it up. All the above programs have reported no infections at one time or another. So I'm becoming frustrated and confused.

The following is the DDS.txt log:


DDS (Ver_09-05-14.01) - NTFSx86
Run by J. Benavides at 2:01:09.85 on Tue 05/19/2009
Microsoft Windows XP Professional [GMT -5:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: ZoneAlarm Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\LxrSII1s.exe
C:\WINDOWS\system32\sopidkc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\WINDOWS\system32\hphmon03.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Cobian Backup 8\cbService.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Documents and Settings\J. Benavides\Desktop\dds.scr

============== Pseudo HJT Report ===============

StartupFolder: c:\docume~1\j583f~1.ben\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\bttray.lnk - c:\program files\widcomm\bluetooth software\BTTray.exe

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-7-20 325128]
R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2008-7-20 27656]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-5-14 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-5-14 72944]
R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2009-5-14 394192]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2008-7-20 298264]
R2 LxrSII1d;Secure II Driver;c:\windows\system32\drivers\LxrSII1d.sys [2006-5-11 70016]
R2 sopidkc;sopidkc Service;c:\windows\system32\sopidkc.exe [2004-8-4 145920]
R2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]
R3 HSFHWATI;HSFHWATI;c:\windows\system32\drivers\HSFHWATI.sys [2004-12-15 200192]
R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-5-14 7408]
S1 etheqyrp;etheqyrp;c:\windows\system32\drivers\etheqyrp.sys [2009-5-13 136160]
S2 msncache;msncache;c:\windows\system32\svchost.exe -k netsvcs [2004-8-4 34816]
S3 Dot4Usb HPH09;Dot4Usb HPH09;c:\windows\system32\drivers\hphius09.sys [2007-12-16 18864]
S3 getPlus® Helper;getPlus® Helper;c:\program files\nos\bin\getPlus_HelperSvc.exe [2009-5-6 33176]
S3 libusb0;LibUsb-Win32 - Kernel Driver 03/20/2007, 0.1.12.1;c:\windows\system32\drivers\libusb0.sys [2008-4-15 28672]
S3 NPF;Netgroup Packet Filter;c:\windows\system32\drivers\npf.sys --> c:\windows\system32\drivers\npf.sys [?]

=============== Created Last 30 ================

2009-05-19 01:32 <DIR> --d----- c:\program files\Cobian Backup 8
2009-05-19 00:33 <DIR> --d----- c:\documents and settings\j. benavides\DoctorWeb
2009-05-18 23:57 <DIR> --d----- c:\windows\dhcp
2009-05-18 23:57 177,664 a------- c:\windows\system32\tpsaxyd.exe
2009-05-18 23:57 36,864 a------- c:\windows\system32\dpcxool64.sys
2009-05-18 23:57 8 a------- c:\windows\system32\comsa32.sys
2009-05-18 17:59 <DIR> --d----- c:\docume~1\j583f~1.ben\applic~1\Malwarebytes
2009-05-18 17:59 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-05-18 17:59 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-18 17:59 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-05-18 17:59 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-05-18 13:17 <DIR> --d----- C:\SDFix
2009-05-17 21:11 800 a------- c:\windows\wininit.ini
2009-05-17 17:34 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2009-05-17 17:34 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2009-05-17 16:17 3,976,714 a------- c:\windows\system32\uactmp.db
2009-05-17 15:57 1,110,399 a------- c:\windows\system32\UACthycalbriptifth.db
2009-05-17 15:57 244,224 a------- c:\windows\system32\wscsvc32.exe
2009-05-17 15:57 82,432 a------- c:\windows\system32\resdll.dll
2009-05-17 14:17 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-05-17 14:17 <DIR> --d----- c:\program files\SUPERAntiSpyware
2009-05-17 14:17 <DIR> --d----- c:\docume~1\j583f~1.ben\applic~1\SUPERAntiSpyware.com
2009-05-15 15:11 <DIR> --d----- c:\program files\Trend Micro
2009-05-15 15:04 812,344 a------- c:\program files\HJTInstall.exe
2009-05-15 04:27 <DIR> --d----- c:\windows\ERUNT
2009-05-14 18:11 75,512 a------- c:\windows\zllsputility.exe
2009-05-14 18:10 1,087,216 a------- c:\windows\system32\zpeng24.dll
2009-05-14 18:10 <DIR> --d----- c:\windows\system32\ZoneLabs
2009-05-14 18:10 49,617 a------- c:\windows\system32\vsconfig.xml
2009-05-13 12:46 136,160 a------- c:\windows\system32\drivers\etheqyrp.sys
2009-05-13 12:45 0 a------- c:\windows\system32\37.tmp
2009-05-13 12:41 124 a------- c:\windows\system32\34.tmp
2009-05-13 11:05 0 a------- c:\windows\system32\32.tmp
2009-05-13 09:36 0 a------- c:\windows\system32\4A.tmp
2009-05-13 09:36 120 a------- c:\windows\system32\47.tmp
2009-05-12 02:45 <DIR> --d----- c:\program files\png2ico
2009-05-12 02:25 <DIR> --d----- c:\docume~1\j583f~1.ben\applic~1\Inkscape
2009-05-12 01:58 35,074,836 a------- c:\program files\Inkscape-0.46.win32.exe
2009-05-09 03:42 <DIR> --d----- c:\program files\common files\DivX Shared
2009-05-06 02:08 1,277,680 a------- c:\program files\couponprinter.exe
2009-04-29 04:36 <DIR> --d----- c:\program files\hp photosmart
2009-04-26 04:32 <DIR> --d----- c:\program files\Compaq
2009-04-26 04:32 <DIR> --d----- C:\CPQSYSTEM
2009-04-26 04:23 47,277,728 a------- c:\program files\cp006049.exe
2009-04-24 11:42 334,842 a------- c:\windows\gravure.ico
2009-04-24 11:34 284,867 a------- c:\windows\bobines-video.ico
2009-04-24 11:30 355,574 a------- c:\windows\Movie.ico
2009-04-24 01:46 421,346 a------- c:\program files\Lame_v3.98.2_for_Audacity_on_Windows.exe
2009-04-21 12:55 <DIR> --d----- c:\program files\Windows Media Components
2009-04-21 12:51 <DIR> --d----- c:\program files\Corel
2009-04-21 03:58 <DIR> --d----- c:\docume~1\j583f~1.ben\applic~1\PgcEdit

==================== Find3M ====================

2009-05-18 13:42 94,208 a------- c:\windows\DUMP5b9d.tmp
2009-05-18 13:42 94,208 a------- c:\windows\DUMP6a14.tmp
2009-05-18 13:00 94,208 a------- c:\windows\DUMP55e0.tmp
2009-05-18 12:51 94,208 a------- c:\windows\DUMP57a5.tmp
2009-05-18 12:50 94,208 a------- c:\windows\DUMP687e.tmp
2009-05-18 12:49 94,208 a------- c:\windows\DUMP68eb.tmp
2009-05-18 12:48 94,208 a------- c:\windows\DUMP6b7b.tmp
2009-05-18 12:47 94,208 a------- c:\windows\DUMP7157.tmp
2009-05-17 21:57 94,208 a------- c:\windows\DUMP64c4.tmp
2009-05-17 16:30 94,208 a------- c:\windows\DUMP6205.tmp
2009-05-17 16:23 94,208 a------- c:\windows\DUMP5bfa.tmp
2009-05-17 16:23 94,208 a------- c:\windows\DUMP6ab0.tmp
2009-05-17 16:14 94,208 a------- c:\windows\DUMP5e7b.tmp
2009-05-14 18:13 4,212 ----h--- c:\windows\system32\zllictbl.dat
2009-02-24 14:34 90,112 a------- c:\windows\system32\dpl100.dll
2009-02-24 14:34 823,296 a------- c:\windows\system32\divx_xx0c.dll
2009-02-24 14:34 823,296 a------- c:\windows\system32\divx_xx07.dll
2009-02-24 14:34 815,104 a------- c:\windows\system32\divx_xx0a.dll
2009-02-24 14:34 802,816 a------- c:\windows\system32\divx_xx11.dll
2009-02-24 14:34 684,032 a------- c:\windows\system32\DivX.dll
2009-01-25 07:09 5,632 a--sh--- c:\program files\Thumbs.db
2009-01-19 03:26 16,070,041 a------- c:\program files\Trickshot.exe
2008-12-17 17:21 12,354,032 a------- c:\program files\eDrawingsEnglish.exe
2008-12-16 03:24 5,097,120 a------- c:\program files\SetupCloneDVD2920Slysoft.exe
2008-08-13 14:06 318,904 a------- c:\program files\wmpfirefoxplugin.exe
2008-07-25 00:09 655,360 a------- c:\program files\SynDrumPad.exe
2008-01-09 20:13 1,524,079 a------- c:\program files\CDCheckSetup.exe
2007-05-10 15:13 330,930 a------- c:\program files\dvdgn410.exe
2007-04-23 20:19 951,395 a------- c:\program files\Install-3.0-3.54b4.exe
2007-04-21 09:50 1,035,271 a------- c:\program files\wrar362.exe

============= FINISH: 2:01:31.00 ===============

Edited by techmor, 19 May 2009 - 03:18 AM.


#2 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:06:34 AM

Posted 20 May 2009 - 11:54 AM

Hello! :thumbup2:
My name is Sam and I will be helping you.

In order to see what's going on with your computer I will ask for you to post various logs from the tools that we will use to resolve your issue. Please also share with me any information about how your computer is reacting and behaving each step of the way as we work through this process.


We need to create an OTListIt2 Report
  • Please download OTListIt2 from here
  • Save it to your desktop.
  • Double click on the icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Push the "Run Scan" button.
  • The scan should take just a few minutes.
  • Copy the log that opens up and paste it back here in your next reply.



=============


The next log will show us any hidden files that are present.

Download GMER from here:
  • Unzip it to the desktop.
  • Open the program and click on the Rootkit tab.
  • Make sure all the boxes on the right of the screen are checked, EXCEPT for ‘Show All’.
  • Click on Scan.
  • When the scan has run click Copy and paste the results (if any) into this thread.

If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#3 techmor

techmor
  • Topic Starter

  • Members
  • 2 posts
  • OFFLINE
  • Local time:06:34 AM

Posted 22 May 2009 - 07:52 AM

Hello, Sam.

I apologize, but I have since formatted the HDD and reinstalled XP. It was fairly painless and I'm pretty sure my machine is running OK. You guys provide a very necessary service and are gracious about it. I thank you for your time (hope I didn't waste any of it, as it appears you guys are very busy). Keep up the excellent work, you rock!




Thanks again.



Techmor.

#4 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:06:34 AM

Posted 22 May 2009 - 03:58 PM

Thanks for letting me know. :thumbup2:

Now that your problem appears to be resolved, this thread will be closed. If you need this topic reopened, please contact a member of the HJT Team and we will reopen it for you. Include the address of this thread in your request.



