Infected by viruses, google wont work etc

2 replies to this topic

#1 Lord Snooty

Posted 28 May 2009 - 09:18 AM

Hi there

Been badly infected with malware/spyware etc. Have noticed a few topics with the same issue as mine. Topic 228848 was one which talked about redirection to other search sites plus now when I use mozilla it tells me "Proxy server refused connection."
Also I'm unable to access my Win XP firewall as the settings are controlled by Group policy.

My Antivirus program (Stopzilla) picks up the viruses and removes them but they come back.
I've also noticed my router online light is flashing rapidly now!!!!

I think I'm up the swanee! Please help..

Copy of DDS report:

DDS (Ver_09-05-14.01) - NTFSx86
Run by PC World at 16:48:42.42 on 25/05/2009
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Home Edition 5.1.2600.2.1252.44.1033.18.1023.358 [GMT 1:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\Program Files\Common Files\iS3\Anti-Spyware\SZServer.exe
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\GEARSec.exe
c:\APPS\HIDSERVICE\HIDSERVICE.exe
C:\Program Files\Norton Ghost\Agent\VProSvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\System32\avast!Antivirus.exe
c:\windows\ld08.exe
c:\program Files\ThunMail\testabd.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\tpsaxyd.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Norton Ghost\Agent\GhostTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe
C:\WINDOWS\System32\SYSDLL.exe
C:\Program Files\STOPzilla!\STOPzilla.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\Program Files\STOPzilla!\SZOptions.exe
C:\Program Files\Common Files\iS3\Anti-Spyware\SZScanner.exe
C:\Program Files\Mozilla Firefox\firefox.exe
c:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\AUTMGR.EXE
C:\WINDOWS\system32\dncyool64.sys
C:\Downloads\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.guarddog2009.com/start/
uInternet Settings,ProxyOverride = *.local
mSearchAssistant = hxxp://www.google.com/ie
mWinlogon: UIHost=d:\documents and settings\all users\application data\tuneup software\tuneup utilities\winstyler\tu_logonui.exe
TB: STOPzilla: {98828ded-a591-462f-83ba-d2f62a68b8b8} - c:\program files\stopzilla!\SZSG.dll
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files\common files\nero\lib\NMBgMonitor.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [Power2GoExpress]
uRun: [FreeRAM XP] "c:\program files\yourware solutions\freeram xp pro\FreeRAM XP Pro.exe" -win
uRun: [12CFG515-K641-55SF-N66P] c:\recycler\s-1-5-21-0243636035-3055115376-381863306-1556\pqlmq.exe
uRun: [12ZFG94-F641-2SF-K31P-5N1ER6H6L2] c:\recycler\s-1-5-21-5278511027-8000678282-018249763-2257\service.exe
uRunOnce: [<NO NAME>] c:\progra~1\mozilla firefox\firefox.exe http://www.symantec.com/techsupp/servlet/P...000097.000001cd
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [Norton Ghost 10.0] "c:\program files\norton ghost\agent\GhostTray.exe"
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
dRun: [<NO NAME>] c:\windows\temp\e7fh9el.exe
dRun: [uidenhiufgsduiazghs] c:\windows\temp\e7fh9el.exe
dRun: [SYSDLL] SYSDLL
dRun: [svc] c:\program files\thunmail\testabd.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
LSP: c:\program files\common files\is3\anti-spyware\iS3lsp.dll
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader5.cab
DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} - file:///C:/Program%20Files/Mystery%20P.I.%20-%20The%20Lottery%20Ticket/Images/stg_drm.ocx
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/9/b/d/9bdc68ef-6a9f-4505-8fb8-d0d2d160e512/LegitCheckControl.cab
DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader3.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} - hxxp://www.crucial.com/controls/cpcScanner.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} - file:///C:/Program%20Files/Mystery%20P.I.%20-%20The%20Lottery%20Ticket/Images/armhelper.ocx
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {D6E7CFB5-C074-4D1C-B647-663D1A8D96BF} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader4_5.cab
AppInit_DLLs: c:\progra~1\thunmail\testabd.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - No File

================= FIREFOX ===================

FF - ProfilePath - d:\docume~1\pcworl~1\applic~1\mozilla\firefox\profiles\hnt5wjxa.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.startup.homepage - hxxp://en.wikipedia.org/wiki/Main_Page
FF - prefs.js: network.proxy.http - localhost
FF - prefs.js: network.proxy.http_port - 7171
FF - prefs.js: network.proxy.type - 1

============= SERVICES / DRIVERS ===============

R0 BsStor;B.H.A Storage Helper Driver;c:\windows\system32\drivers\BsStor.sys [2009-2-16 10368]
R0 szkg5;szkg;c:\windows\system32\drivers\SZKG.sys [2009-3-12 54656]
R1 c2scsi;c2scsi;c:\windows\system32\drivers\c2scsi.sys [2008-2-5 244736]
R1 Cinemsup;Cinemsup;c:\windows\system32\drivers\cinemsup.sys [2003-12-19 6656]
R2 BsUDF;B.H.A UDF Filesystem;c:\windows\system32\drivers\BsUDF.sys [2009-2-16 164608]
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccEvtMgr.exe [2004-12-13 198256]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSetMgr.exe [2004-12-13 165488]
R3 3xHybrid;3xHybrid service;c:\windows\system32\drivers\3xHybrid.sys [2005-10-5 799744]
S3 ccPwdSvc;Symantec Password Validation;c:\program files\common files\symantec shared\ccPwdSvc.exe [2004-12-13 79472]
S3 sea1bus;Sony Ericsson Device 0A1 driver (WDM);c:\windows\system32\drivers\sea1bus.sys [2007-6-20 61536]
S3 sea1mdfl;Sony Ericsson Device 0A1 USB WMC Modem Filter;c:\windows\system32\drivers\sea1mdfl.sys [2007-6-20 9360]
S3 sea1mdm;Sony Ericsson Device 0A1 USB WMC Modem Driver;c:\windows\system32\drivers\sea1mdm.sys [2007-6-20 97088]
S3 sea1mgmt;Sony Ericsson Device 0A1 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\sea1mgmt.sys [2007-6-20 88624]
S3 sea1nd5;Sony Ericsson Device 0A1 USB Ethernet Emulation SEMCA1 (NDIS);c:\windows\system32\drivers\sea1nd5.sys [2007-6-20 18704]
S3 sea1obex;Sony Ericsson Device 0A1 USB WMC OBEX Interface;c:\windows\system32\drivers\sea1obex.sys [2007-6-20 86432]
S3 sea1unic;Sony Ericsson Device 0A1 USB Ethernet Emulation SEMCA1 (WDM);c:\windows\system32\drivers\sea1unic.sys [2007-6-20 90800]
S3 sndintd;sndintd;c:\windows\system32\sndintd.sys [2004-8-10 2304]

=============== Created Last 30 ================

2009-05-25 16:38 22,016 a------- c:\windows\system32\AUTMGR.EXE
2009-05-25 16:38 986,112 a------- c:\windows\system32\kernel32_check.dll
2009-05-25 16:38 172,032 a------- c:\windows\system32\tcpcon.dll
2009-05-25 16:38 10,240 a------- c:\windows\system32\Packer.dll
2009-05-25 16:38 9 a------- c:\windows\system32\iphy.dll
2009-05-25 16:38 3 a------- c:\windows\system32\fhpatch.dll
2009-05-25 16:38 0 a------- c:\windows\system32\fiplock.dll
2009-05-25 15:35 4,792 a------- c:\windows\system32\drivers\kgpcpy.cfg
2009-05-25 15:35 2,784 a------- c:\windows\system32\drivers\kgpfr2.cfg
2009-05-25 15:34 40,960 a------- c:\windows\system32\SYSDLL.exe
2009-05-25 15:34 <DIR> --d----- c:\windows\system32\sysloc
2009-05-25 15:34 38,400 ----h--- c:\windows\ld08.exe
2009-05-25 15:34 32,768 a------- c:\windows\system32\avast!Antivirus.exe
2009-05-21 17:17 16,896 a------- c:\windows\system32\tzfnvshu.dll
2009-05-21 17:14 <DIR> --dsh--- c:\windows\system32\lowsec
2009-05-21 17:14 1 a------- c:\windows\system32\2BC.tmp
2009-05-21 17:14 67,584 a------- c:\windows\system32\2BB.tmp
2009-05-21 17:14 104 a------- c:\windows\system32\2BA.tmp
2009-05-21 17:14 15,000 a------- c:\windows\system32\a73nhfdd.dll
2009-05-21 16:20 <DIR> --d----- c:\program files\YourWare Solutions
2009-05-19 14:08 <DIR> --d----- c:\windows\system32\3361
2009-05-19 14:08 <DIR> --d----- c:\windows\dhcp
2009-05-19 14:08 0 a------- c:\windows\system32\325.tmp
2009-05-19 14:08 70,144 a------- c:\windows\system32\323.tmp
2009-05-19 14:08 60,929 a------- d:\documents and settings\pc world\reader_s.exe
2009-05-19 14:08 44,544 a------- c:\windows\system32\322.tmp
2009-05-19 14:08 179,200 a------- c:\windows\system32\tpsaxyd.exe
2009-05-19 14:08 61,440 a------- c:\windows\system32\dpcxool64.sys
2009-05-19 14:08 8 a------- c:\windows\system32\comsa32.sys
2009-05-19 14:08 <DIR> --d----- c:\windows\system32\796525
2009-05-19 14:07 <DIR> --dshr-- c:\program files\ThunMail
2009-05-19 14:07 120 a------- c:\windows\system32\320.tmp
2009-05-19 14:07 102,220 a------- c:\windows\system32\drivers\541a5725.sys
2009-05-19 14:07 42,496 a------- C:\jynlvyg.exe
2009-05-19 14:07 2 a------- C:\888697177
2009-05-19 14:07 15,000 a------- c:\windows\system32\tya7hfd873f.dll
2009-04-30 17:38 <DIR> --d----- d:\docume~1\pcworl~1\applic~1\AdobeAUM
2009-04-30 15:20 24,832 a------- c:\windows\system32\drivers\lgusbmodem.sys
2009-04-30 15:20 19,968 a------- c:\windows\system32\drivers\lgusbdiag.sys
2009-04-30 15:20 13,056 a------- c:\windows\system32\drivers\lgusbbus.sys
2009-04-30 15:20 <DIR> --d----- c:\program files\LG Electronics
2009-04-30 15:19 1,164,728 a------- c:\windows\system32\NMSDVDXU.dll
2009-04-30 15:19 630,784 a------- c:\windows\system32\vsflex8u.ocx
2009-04-30 15:19 419,240 a------- c:\windows\system32\Vsflex7L.ocx
2009-04-30 15:19 244,416 a------- c:\windows\system32\Msflxgrd.ocx
2009-04-30 15:19 <DIR> --d----- d:\docume~1\pcworl~1\applic~1\LG Electronics
2009-04-30 15:19 <DIR> --d----- c:\program files\LG PC Suite II

==================== Find3M ====================

2009-05-19 14:07 182,912 ac------ c:\windows\system32\drivers\ndis.sys
2009-04-30 18:59 5,904 a------- d:\docume~1\pcworl~1\applic~1\wklnhst.dat
2009-04-18 11:44 53,760 a------- c:\windows\system32\zlib.dll
2009-04-18 11:30 4,608 a------- c:\windows\system32\drivers\symlcbrd.sys
2009-04-11 14:58 65,536 a------- c:\windows\system32\unsecapp.exe
2009-04-04 20:02 312,173 a------- c:\windows\system32\wuaumgr.exe
2009-04-01 10:37 1,384,479 a------- c:\windows\system32\wucltuip.dll
2009-03-31 14:57 17,408 a----r-- c:\windows\system32\SZIO5.dll
2009-03-31 14:56 294,912 a----r-- c:\windows\system32\SZBase5.dll
2009-03-31 14:55 540,672 a----r-- c:\windows\system32\SZComp5.dll
2009-03-27 10:56 126,976 a----r-- c:\windows\system32\IS3HTUI5.dll
2009-03-27 10:55 393,216 a----r-- c:\windows\system32\IS3DBA5.dll
2009-03-27 10:55 372,736 a----r-- c:\windows\system32\IS3UI5.dll
2009-03-27 10:55 61,440 a----r-- c:\windows\system32\IS3Hks5.dll
2009-03-27 10:54 23,040 a----r-- c:\windows\system32\IS3XDat5.dll
2009-03-27 10:54 221,184 a----r-- c:\windows\system32\IS3Win325.dll
2009-03-27 10:54 94,208 a----r-- c:\windows\system32\IS3Inet5.dll
2009-03-27 10:53 90,112 a----r-- c:\windows\system32\IS3Svc5.dll
2009-03-27 10:50 716,800 a----r-- c:\windows\system32\IS3Base5.dll
2009-03-21 15:18 986,112 -------- c:\windows\system32\dllcache\kernel32.dll
2009-03-06 15:44 283,648 -------- c:\windows\system32\pdh.dll
2009-03-06 15:44 283,648 -------- c:\windows\system32\dllcache\pdh.dll
2009-03-03 01:18 826,368 a------- c:\windows\system32\wininet.dll
2009-03-03 01:18 826,368 -------- c:\windows\system32\dllcache\wininet.dll
2009-02-28 05:54 636,072 -------- c:\windows\system32\dllcache\iexplore.exe
2004-03-11 14:27 61,440 ac------ c:\program files\Uninstall_CDS.exe
2009-02-16 17:49 56 ---shr-- c:\windows\system32\FDBFA05165.sys
2009-02-16 17:49 5,018 a--sh--- c:\windows\system32\KGyGaAvL.sys

============= FINISH: 16:50:30.90 ===============

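Added here as an illustration, not part of the original post or of the DDS tool: a small Python triage script that reads the two DDS sections the reply below leans on (the Pseudo HJT Report autostart entries and the Firefox prefs) and flags the indicators visible in the log above: Run values launched from c:\recycler and c:\windows\temp, the AppInit_DLLs entry, and the network.proxy.* prefs that force Firefox through localhost:7171, which is what produces the "Proxy server refused connection" error. The embedded sample is a constructed excerpt copied from that log; the category names and the "dropper directory" list are my own choices, not anything the DDS tool defines.

```python
import re

# Constructed excerpt in the DDS report format, copied from the log quoted above.
SAMPLE_DDS = r"""
============== Pseudo HJT Report ===============
uStart Page = hxxp://www.guarddog2009.com/start/
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [12CFG515-K641-55SF-N66P] c:\recycler\s-1-5-21-0243636035-3055115376-381863306-1556\pqlmq.exe
dRun: [uidenhiufgsduiazghs] c:\windows\temp\e7fh9el.exe
AppInit_DLLs: c:\progra~1\thunmail\testabd.dll
================= FIREFOX ===================
FF - prefs.js: network.proxy.http - localhost
FF - prefs.js: network.proxy.http_port - 7171
FF - prefs.js: network.proxy.type - 1
"""

SECTION_RE = re.compile(r"^=+\s*(.+?)\s*=+$")
RUN_RE = re.compile(r"^[umd]Run(?:Once)?: \[[^\]]*\] (?P<cmd>.*)$")
FF_RE = re.compile(r"^FF - prefs\.js: (?P<key>\S+) - (?P<val>.*)$")
# Folders no installer uses as the permanent home of an autostart entry (my own list).
DROP_DIRS = ("\\recycler\\", "\\temp\\")

def split_sections(text):
    """Return {banner name: [non-empty lines]} keyed by the '==== NAME ====' banners."""
    sections, current = {}, None
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections[current] = []
        elif current and line.strip():
            sections[current].append(line)
    return sections

def triage_dds(text):
    """Return (category, detail) pairs for the entries a helper would review first."""
    findings, sections = [], split_sections(text)
    for line in sections.get("Pseudo HJT Report", []):
        m = RUN_RE.match(line)
        if m and any(d in m["cmd"].lower() for d in DROP_DIRS):
            findings.append(("autostart-from-dropper-dir", line))
        elif line.startswith("AppInit_DLLs:"):
            # Loaded into every user32-linked process, so always worth a look.
            findings.append(("appinit-dll", line))
    prefs = {m["key"]: m["val"].strip() for m in map(FF_RE.match, sections.get("FIREFOX", [])) if m}
    if prefs.get("network.proxy.type") == "1" and prefs.get("network.proxy.http") in ("localhost", "127.0.0.1"):
        # Manual proxy aimed at the local host: with no listener every page load fails
        # with "Proxy server refused connection", which is what the poster saw.
        findings.append(("local-proxy-hijack", "localhost:" + prefs.get("network.proxy.http_port", "?")))
    return findings
```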
#2 Farbar
Posted 31 May 2009 - 06:02 PM

Hi Lord Snooty,

Welcome to BC HijackThis forum. I am farbar. I'm afraid I have got bad news.

Your computer is infected with one of the nastiest file infectors:

Virut is a polymorphic file infector with some additional features. It spreads all around the drive and infects even files infected by another virus previously. The only symptoms are a strange HDD activity while infecting, and also unwanted TCP traffic. Virut tries to connect you into an IRC network under the user name "Virtu" and zombify you. Unfortunately, the cleaning of this virus is very difficult or almost impossible.


The virus remains resident in memory and infects executable files with ".EXE" and ".SCR" file extensions.


Its damage to the system is almost beyond repair as it disables Windows File Protection:

The virus disables Windows File Protection by injecting code into the "winlogon.exe" process that patches system code in memory.


http://www.ca.com/us/securityadvisor/virus...s.aspx?id=55141

Therefore all those running processes are most probably now the virus agent.

The only fast and safe answer to the virus is reformatting and reinstalling Windows.
You may backup non-executable (data) files and reformat the entire hard drive.

Note that files with the following extensions should not be backed up: .exe/.scr/.htm/.html/.xml/.zip/.rar/.asp/.php

#3 Farbar
Posted 07 June 2009 - 06:26 AM

This thread will now be closed.

If you should have a new issue, please start a new topic.
