
Malware Doctor


This topic is locked
4 replies to this topic

#1 wkduncan


Posted 28 May 2009 - 03:09 PM

Hello and thank you in advance to the great folks at bleepingcomputer.com!
Someone under the user name Kronik is having the exact problem I'm having, but it sounds like he is having more problems than I am. Basically what is happening is I have a popup acting like a scan, but it wants me to register in order for it to "Heal" my spyware/malware, which I have not done, of course. I keep getting random website pop-ups, and my Task Manager has been locked. When I try to open Task Manager, I get an error that says it has been locked by my administrator.

I use Windows XP Pro Version 2002 Service Pack 3, and I use Firefox for my browser.



DDS (Ver_09-05-14.01) - NTFSx86
Run by William at 14:56:43.84 on Thu 05/28/2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.237 [GMT -5:00]


============== Running Processes ===============

C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\System32\avast!Antivirus.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\LocalService\Application Data\691447002.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.5.0_03\bin\jucheck.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
"C:\Documents and Settings\William\Application Data\svchost.exe"
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Java\jre6\bin\java.exe
C:\Program Files\Nero\Nero 7\Nero StartSmart\NeroStartSmart.exe
C:\Program Files\Nero\Nero 7\Nero Vision\NeroVision.exe
C:\DOCUME~1\William\LOCALS~1\Temp\2481061118.exe
C:\Documents and Settings\William\Desktop\dds.scr
svchost.exe -m

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
uSearch Page = hxxp://us.rd.yahoo.com/customize/ie/defaults/sp/msgr9/*http://www.yahoo.com
uSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uInternet Settings,ProxyOverride = *.local
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: c:\windows\system32\yhafd78auhd.dll: {c6c7b2a1-00f3-42bd-f434-00aaba2c8953} - c:\windows\system32\yhafd78auhd.dll
BHO: Microsoft copyright: {f30b5e7e-cfbb-44fb-a947-226e5a7a4290} - jhxm32.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [AnyDVD] c:\program files\slysoft\anydvd\AnyDVDtray.exe
uRun: [Messenger (Yahoo!)] "c:\program files\yahoo!\messenger\YahooMessenger.exe" -quiet
uRun: [A00F53DDC3C.exe] c:\docume~1\william\locals~1\temp\_A00F53DDC3C.exe
uRun: [A00F53ED031.exe] c:\docume~1\william\locals~1\temp\_A00F53ED031.exe
uRun: [A00F172DB7.exe] c:\docume~1\william\locals~1\temp\_A00F172DB7.exe
uRun: [12ZFG94-F641-2SF-K31P-5N1ER6H6L2] c:\recycler\s-1-5-21-3519057007-3696626641-771805701-3139\service.exe
uRun: [Malware Doctor] c:\documents and settings\localservice\application data\691447002.exe
uRun: [Diagnostic Manager] c:\docume~1\william\locals~1\temp\2481061118.exe
uRun: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files\common files\ahead\lib\NMBgMonitor.exe"
mRun: [explore] c:\windows\system32\explore.exe
mRun: [SunJavaUpdateSched] c:\program files\java\jre1.5.0_03\bin\jusched.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [*ctfmon32] "c:\documents and settings\william\application data\svchost.exe"
mRun: [NeroFilterCheck] c:\program files\common files\ahead\lib\NeroCheck.exe
mRun: [Malware Doctor] c:\documents and settings\localservice\application data\691447002.exe
mRunOnce: [Spybot - Search & Destroy] "c:\program files\spybot - search & destroy\SpybotSD.exe" /autocheck
uPolicies-explorer: NoFolderOptions = 1 (0x1)
uPolicies-system: DisableRegistryTools = 1 (0x1)
uPolicies-system: DisableTaskMgr = 1 (0x1)
IE: {53F6FCCD-9E22-4d71-86EA-6E43136192AB}
IE: {925DAB62-F9AC-4221-806A-057BFB1014AA}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_03-windows-i586.cab
TCP: {4FC48E60-025C-4CE1-8BC6-0364B20D7AE0} = 192.168.0.1
Notify: AtiExtEvent - Ati2evxx.dll
Notify: __c0012dff - c:\windows\system32\__c0012DFF.dat
AppInit_DLLs: c:\progra~1\thunmail\testabd.dll
STS: c:\windows\system32\yhafd78auhd.dll: {c6c7b2a1-00f3-42bd-f434-00aaba2c8953} - c:\windows\system32\yhafd78auhd.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\william\applic~1\mozilla\firefox\profiles\8rufz2f7.default\
FF - component: c:\documents and settings\william\application data\mozilla\firefox\profiles\8rufz2f7.default\extensions\piclens@cooliris.com\components\coolirisstub.dll

============= SERVICES / DRIVERS ===============


=============== Created Last 30 ================

2009-05-28 13:46 <DIR> --d----- c:\program files\trend micro
2009-05-28 10:29 221,184 a------- c:\windows\system32\wmpns.dll
2009-05-28 09:17 99,422 a------- c:\windows\system32\drivers\26f7d156.sys
2009-05-28 09:14 99,422 a------- c:\windows\system32\drivers\b5f88a41.sys
2009-05-28 00:43 69 a------- c:\windows\NeroDigital.ini
2009-05-28 00:26 99,422 a------- c:\windows\system32\drivers\173554d3.sys
2009-05-28 00:23 99,422 a------- c:\windows\system32\drivers\62c316c0.sys
2009-05-28 00:21 99,422 a------- c:\windows\system32\drivers\73821b8f.sys
2009-05-28 00:19 99,422 a------- c:\windows\system32\drivers\24847044.sys
2009-05-28 00:17 99,422 a------- c:\windows\system32\drivers\b108c4d2.sys
2009-05-28 00:15 99,422 a------- c:\windows\system32\drivers\17a24c51.sys
2009-05-28 00:13 99,422 a------- c:\windows\system32\drivers\3313d615.sys
2009-05-28 00:11 99,422 a------- c:\windows\system32\drivers\b266bcc3.sys
2009-05-28 00:09 99,422 a------- c:\windows\system32\drivers\b5bd081b.sys
2009-05-28 00:07 99,422 a------- c:\windows\system32\drivers\e429dc85.sys
2009-05-28 00:05 99,422 a------- c:\windows\system32\drivers\1482798c.sys
2009-05-27 23:54 99,422 a------- c:\windows\system32\drivers\46c626ce.sys
2009-05-27 23:44 <DIR> --d----- c:\program files\Nero
2009-05-27 23:43 <DIR> --d----- c:\windows\RegisteredPackages
2009-05-27 23:43 <DIR> --d----- c:\windows\LastGood.Tmp
2009-05-27 23:38 229 a------- c:\windows\wininit.ini
2009-05-27 22:51 27,648 a------- c:\windows\system32\__c00BA307.dat
2009-05-27 22:27 99,422 a------- c:\windows\system32\drivers\d630b794.sys
2009-05-27 22:27 27,648 a------- c:\windows\system32\__c00F331A.dat
2009-05-27 22:14 29,184 a------- c:\windows\system32\lklf32.dll
2009-05-27 21:16 0 a------- c:\docume~1\william\applic~1\__t.bin
2009-05-27 21:16 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Nero
2009-05-27 21:16 917,291 a------- c:\docume~1\william\applic~1\svchost.exe
2009-05-27 21:16 <DIR> --d----- c:\docume~1\william\applic~1\_4b75d3a5c89138d2ae948c120ef597bd
2009-05-27 21:16 <DIR> --d----- c:\windows\dhcp
2009-05-27 21:16 16,384 a------- C:\jotvxhh.exe
2009-05-27 21:16 708 a------- c:\windows\system32\sft.res
2009-05-27 21:15 29,184 a------- c:\windows\system32\jhxm32.dll
2009-05-27 21:15 27,648 a------- c:\windows\system32\__c00C5249.dat
2009-05-27 21:14 39,424 a------- C:\hcpjmkup.exe
2009-05-27 21:14 158,720 a------- c:\windows\system32\tpsaxyd.exe
2009-05-27 21:14 36,864 a------- c:\windows\system32\dpcxool64.sys
2009-05-27 21:14 32,768 a------- c:\windows\system32\avast!Antivirus.exe
2009-05-27 21:14 <DIR> --dshr-- c:\program files\ThunMail
2009-05-27 21:14 107,212 a------- c:\windows\system32\drivers\c1a6722c.sys
2009-05-27 21:14 182,656 ac------ c:\windows\system32\dllcache\ndis.sys
2009-05-27 21:14 16,384 a------- C:\hjub.exe
2009-05-27 21:13 2 a------- C:\1761049572
2009-05-27 21:13 15,000 a------- c:\windows\system32\yhafd78auhd.dll
2009-05-27 21:13 39,424 a------- C:\sdyrxhme.exe
2009-05-26 19:19 <DIR> --d----- c:\docume~1\william\applic~1\Red Kawa
2009-05-26 19:17 <DIR> --d----- c:\program files\AC3Filter
2009-05-26 19:17 <DIR> --d----- c:\program files\Regensoft
2009-05-26 19:17 <DIR> --d----- c:\program files\AviSynth 2.5
2009-05-26 19:17 <DIR> --d----- c:\program files\Red Kawa
2009-05-26 18:44 <DIR> --d----- c:\program files\DivX
2009-05-26 18:44 <DIR> --d----- c:\program files\common files\DivX Shared
2009-05-19 21:29 <DIR> --d----- c:\program files\uTorrent
2009-05-19 21:29 <DIR> --d----- c:\docume~1\william\applic~1\uTorrent
2009-05-07 12:45 <DIR> --d----- c:\program files\iPod
2009-05-07 12:45 <DIR> --d----- c:\program files\iTunes
2009-05-07 12:45 <DIR> --d----- c:\docume~1\alluse~1\applic~1\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-05-07 12:44 <DIR> --d----- c:\program files\Bonjour
2009-05-07 12:41 1,900,544 a------- c:\windows\system32\usbaaplrc.dll
2009-05-07 12:34 <DIR> --d----- c:\program files\LimeWire
2009-05-07 12:26 410,984 a------- c:\windows\system32\deploytk.dll
2009-05-07 12:26 73,728 a------- c:\windows\system32\javacpl.cpl
2009-05-06 10:07 <DIR> --d----- c:\docume~1\alluse~1\applic~1\AVS4YOU
2009-05-06 10:06 <DIR> --d----- c:\docume~1\william\applic~1\AVS4YOU
2009-05-06 10:06 <DIR> --d----- c:\program files\common files\AVSMedia
2009-05-06 10:06 24,576 a------- c:\windows\system32\msxml3a.dll
2009-05-06 10:06 <DIR> --d----- c:\program files\AVS4YOU
2009-05-06 00:29 <DIR> --d----- c:\program files\Yahoo!

==================== Find3M ====================

2009-05-27 21:14 182,656 a------- c:\windows\system32\drivers\ndis.sys
2009-04-15 15:25 129,784 -------- c:\windows\system32\pxafs.dll
2009-04-15 15:25 120,056 -------- c:\windows\system32\pxcpyi64.exe
2009-04-15 15:25 118,520 -------- c:\windows\system32\pxinsi64.exe
2009-04-15 15:25 43,528 -------- c:\windows\system32\drivers\PxHelp20.sys
2009-04-15 15:25 9,464 -------- c:\windows\system32\drivers\cdralw2k.sys
2009-04-15 15:25 9,336 -------- c:\windows\system32\drivers\cdr4_xp.sys
2009-04-15 15:24 90,112 a------- c:\windows\system32\dpl100.dll
2009-04-15 15:24 823,296 a------- c:\windows\system32\divx_xx0c.dll
2009-04-15 15:24 823,296 a------- c:\windows\system32\divx_xx07.dll
2009-04-15 15:24 815,104 a------- c:\windows\system32\divx_xx0a.dll
2009-04-15 15:24 802,816 a------- c:\windows\system32\divx_xx11.dll
2009-04-15 15:24 684,032 a------- c:\windows\system32\DivX.dll
2009-03-06 09:22 284,160 a------- c:\windows\system32\pdh.dll
2009-03-02 19:18 826,368 a------- c:\windows\system32\wininet.dll

============= FINISH: 15:00:00.62 ===============
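As an added example (my own script, not something from this thread or from DDS), here is a Python triage pass over a few lines copied from the Pseudo HJT Report above. It flags autoruns registered from temp, profile or recycler directories, a Windows binary name (svchost.exe) started from outside the Windows directory, the policy values that account for the "locked by your administrator" Task Manager message, and the AppInit_DLLs entry; the directory and name lists are my own heuristics, not anything DDS itself applies.

```python
import re

# A few lines copied from the DDS "Pseudo HJT Report" posted above (not the full log).
SAMPLE_LOG = r"""
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [A00F53DDC3C.exe] c:\docume~1\william\locals~1\temp\_A00F53DDC3C.exe
uRun: [12ZFG94-F641-2SF-K31P-5N1ER6H6L2] c:\recycler\s-1-5-21-3519057007-3696626641-771805701-3139\service.exe
uRun: [Malware Doctor] c:\documents and settings\localservice\application data\691447002.exe
mRun: [SunJavaUpdateSched] c:\program files\java\jre1.5.0_03\bin\jusched.exe
mRun: [*ctfmon32] "c:\documents and settings\william\application data\svchost.exe"
uPolicies-explorer: NoFolderOptions = 1 (0x1)
uPolicies-system: DisableRegistryTools = 1 (0x1)
uPolicies-system: DisableTaskMgr = 1 (0x1)
AppInit_DLLs: c:\progra~1\thunmail\testabd.dll
"""

# DDS prefixes: uRun/mRun = HKCU/HKLM Run keys, uPolicies/mPolicies = user/machine policies.
RUN_RE = re.compile(r"^[um]Run(?:Once)?:\s*\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
POLICY_RE = re.compile(r"^[um]Policies-\w+:\s*(?P<key>\w+)\s*=\s*(?P<val>\d+)")
APPINIT_RE = re.compile(r"^AppInit_DLLs:\s*(?P<dlls>.+)$")
# Unquoted command line: the path runs up to the first executable extension.
EXE_RE = re.compile(r"^(.*?\.(?:exe|dll|scr|com|bat|cmd|pif))(?=\s|$)", re.IGNORECASE)

# Heuristics chosen for this example (my own, not part of DDS):
# directories from which legitimate software rarely registers an autorun ...
SUSPICIOUS_DIRS = ("\\temp\\", "\\locals~1\\", "\\application data\\", "\\applic~1\\", "\\recycler\\")
# ... names of Windows binaries that only belong in the Windows directories ...
SYSTEM_ONLY_NAMES = {"svchost.exe", "ctfmon.exe", "explorer.exe", "lsass.exe", "csrss.exe"}
WINDOWS_DIRS = ("c:\\windows\\", "c:\\windows\\system32\\")
# ... and policy values that explain the symptoms reported in the first post.
LOCKOUT_POLICIES = {
    "DisableTaskMgr": "Task Manager refused with 'disabled by your administrator'",
    "DisableRegistryTools": "Registry Editor blocked",
    "NoFolderOptions": "Folder Options hidden, so hidden files cannot be shown",
}


def first_path(cmd):
    """Return the executable path from a Run-key command line, without quotes or arguments."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = EXE_RE.match(cmd)
    if m:
        return m.group(1)
    return cmd.split()[0] if cmd else ""


def triage(report_text):
    """Return (kind, name, value, reason) tuples for the lines worth a second look."""
    findings = []
    for raw in report_text.splitlines():
        line = raw.strip()
        m = RUN_RE.match(line)
        if m:
            path = first_path(m.group("cmd")).lower()
            directory, _, base = path.rpartition("\\")
            reasons = []
            if any(d in path for d in SUSPICIOUS_DIRS):
                reasons.append("autorun launched from a temp/profile/recycler directory")
            if base in SYSTEM_ONLY_NAMES and directory + "\\" not in WINDOWS_DIRS:
                reasons.append("Windows binary name running from outside the Windows directory")
            if reasons:
                findings.append(("autorun", m.group("name"), path, "; ".join(reasons)))
            continue
        m = POLICY_RE.match(line)
        if m and m.group("key") in LOCKOUT_POLICIES and m.group("val") != "0":
            findings.append(("policy", m.group("key"), m.group("val"), LOCKOUT_POLICIES[m.group("key")]))
            continue
        m = APPINIT_RE.match(line)
        if m:
            findings.append(("appinit", "AppInit_DLLs", m.group("dlls").strip(),
                             "DLL loaded into every process that links user32.dll"))
    return findings


if __name__ == "__main__":
    for kind, name, value, reason in triage(SAMPLE_LOG):
        print(f"[{kind:7}] {name}: {value}\n          {reason}")
```

On the sample above it reports four suspicious autoruns, three lockout policies and the AppInit_DLLs entry, while the legitimate ctfmon.exe and Java updater lines pass.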



#2 wkduncan


Posted 28 May 2009 - 07:43 PM

KASPERSKY ONLINE SCANNER 7.0 REPORT
Thursday, May 28, 2009
Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Program database last update: Thursday, May 28, 2009 21:45:09
Records in database: 2267101
Scan settings
Scan using the following database extended
Scan archives yes
Scan mail databases yes
Scan area My Computer
A:\
C:\
D:\
F:\
G:\
H:\
I:\
J:\
Scan statistics
Files scanned 90637
Threat name 26
Infected objects 129
Suspicious objects 0
Duration of the scan 01:34:57

File name Threat name Threats count
c:\windows\system32\ipripv32.dll//PE_Patch.UPX//UPX/c:\windows\system32\ipripv32.dll//PE_Patch.UPX//UPX Infected: Trojan.Win32.Obfuscated.afww 1
C:\WINDOWS\system32\lklf32.dll//UPX/C:\WINDOWS\system32\lklf32.dll//UPX Infected: Trojan.Win32.Agent.cimn 1
C:\WINDOWS\System32\avast!Antivirus.exe/C:\WINDOWS\System32\avast!Antivirus.exe Infected: Trojan-Downloader.Win32.Agent.cbad 1
C:\Documents and Settings\LocalService\Application Data\691447002.exe/C:\Documents and Settings\LocalService\Application Data\691447002.exe Infected: not-a-virus:FraudTool.Win32.MalwareDoctor.an 1
C:\Documents and Settings\William\Application Data\svchost.exe/C:\Documents and Settings\William\Application Data\svchost.exe Infected: Trojan-Downloader.Win32.Murlo.bbc 1
C:\Program Files\Mozilla Firefox\SETUPAPI.dll/C:\Program Files\Mozilla Firefox\SETUPAPI.dll Infected: Trojan.Win32.Agent.bzzx 1
C:\DOCUME~1\William\LOCALS~1\Temp\2481061118.exe/C:\DOCUME~1\William\LOCALS~1\Temp\2481061118.exe Infected: Trojan-Downloader.Win32.Suurch.sw 1
C:\Documents and Settings\LocalService\Application Data\691447002.exe Infected: not-a-virus:FraudTool.Win32.MalwareDoctor.an 1
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\492JSJYT\install_10[1].exe Infected: Trojan-Downloader.Win32.Boltolog.ewo 1
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\492JSJYT\install_10[2].exe Infected: Trojan-Downloader.Win32.Boltolog.ewo 1
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\9YVZ2LL8\f208[1].exe Infected: Trojan.Win32.Agent.cirp 1
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\9YVZ2LL8\f208[2].exe Infected: Trojan.Win32.Agent.cirp 1
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\9YVZ2LL8\install_10[1].exe Infected: Trojan-Downloader.Win32.Boltolog.ewo 1
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\9YVZ2LL8\mlw[10].exe Infected: not-a-virus:FraudTool.Win32.MalwareDoctor.an 1
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\9YVZ2LL8\mlw[1].exe Infected: not-a-virus:FraudTool.Win32.MalwareDoctor.an 1
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\9YVZ2LL8\mlw[2].exe Infected: not-a-virus:FraudTool.Win32.MalwareDoctor.an 1
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\9YVZ2LL8\mlw[3].exe Infected: not-a-virus:FraudTool.Win32.MalwareDoctor.an 1
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\9YVZ2LL8\mlw[4].exe Infected: not-a-virus:FraudTool.Win32.MalwareDoctor.an 1
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\9YVZ2LL8\mlw[5].exe Infected: not-a-virus:FraudTool.Win32.MalwareDoctor.an 1
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\9YVZ2LL8\mlw[6].exe Infected: not-a-virus:FraudTool.Win32.MalwareDoctor.an 1
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\9YVZ2LL8\mlw[7].exe Infected: not-a-virus:FraudTool.Win32.MalwareDoctor.an 1
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\9YVZ2LL8\mlw[8].exe Infected: not-a-virus:FraudTool.Win32.MalwareDoctor.an 1
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\9YVZ2LL8\mlw[9].exe Infected: not-a-virus:FraudTool.Win32.MalwareDoctor.an 1
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\9YVZ2LL8\w[1].bin Infected: Trojan-Downloader.Win32.Delf.tyz 1
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\KHWHWRK3\install_10[10].exe Infected: Trojan-Downloader.Win32.Boltolog.ewo 1
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\KHWHWRK3\install_10[1].exe Infected: Trojan-Downloader.Win32.Boltolog.ewo 1
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\KHWHWRK3\install_10[2].exe Infected: Trojan-Downloader.Win32.Boltolog.ewo 1
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\KHWHWRK3\install_10[3].exe Infected: Trojan-Downloader.Win32.Boltolog.ewo 1
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\KHWHWRK3\install_10[4].exe Infected: Trojan-Downloader.Win32.Boltolog.ewo 1
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\KHWHWRK3\install_10[5].exe Infected: Trojan-Downloader.Win32.Boltolog.ewo 1
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\KHWHWRK3\install_10[6].exe Infected: Trojan-Downloader.Win32.Boltolog.ewo 1
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\KHWHWRK3\install_10[7].exe Infected: Trojan-Downloader.Win32.Boltolog.ewo 1
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\KHWHWRK3\install_10[8].exe Infected: Trojan-Downloader.Win32.Boltolog.ewo 1
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\KHWHWRK3\install_10[9].exe Infected: Trojan-Downloader.Win32.Boltolog.ewo 1
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\OJMNS1CF\mlw[1].exe Infected: not-a-virus:FraudTool.Win32.MalwareDoctor.an 1
C:\Documents and Settings\William\Application Data\svchost.exe Infected: Trojan-Downloader.Win32.Murlo.bbc 1
C:\Documents and Settings\William\Local Settings\Temp\1189458578.exe Infected: Trojan-Downloader.Win32.Suurch.sw 1
C:\Documents and Settings\William\Local Settings\Temp\1240552328.exe Infected: Trojan-Downloader.Win32.Suurch.sw 1
C:\Documents and Settings\William\Local Settings\Temp\135763136.exe Infected: Trojan-Downloader.Win32.Suurch.sw 1
C:\Documents and Settings\William\Local Settings\Temp\193.exe Infected: Trojan.Win32.Agent2.hxw 1
C:\Documents and Settings\William\Local Settings\Temp\2481061118.exe Infected: Trojan-Downloader.Win32.Suurch.sw 1
C:\Documents and Settings\William\Local Settings\Temp\3303364828.exe Infected: Trojan-Downloader.Win32.Suurch.sw 1
C:\Documents and Settings\William\Local Settings\Temp\3459255150.exe Infected: Trojan-Downloader.Win32.Suurch.sw 1
C:\Documents and Settings\William\Local Settings\Temp\418866282.exe Infected: Trojan-Downloader.Win32.Suurch.sw 1
C:\Documents and Settings\William\Local Settings\Temp\439825636.exe Infected: Trojan-Downloader.Win32.Suurch.sw 1
C:\Documents and Settings\William\Local Settings\Temp\486664242.exe Infected: Trojan-Downloader.Win32.Suurch.sw 1
C:\Documents and Settings\William\Local Settings\Temp\755090914.exe Infected: Trojan-Downloader.Win32.Suurch.sw 1
C:\Documents and Settings\William\Local Settings\Temp\903350354.exe Infected: Trojan-Downloader.Win32.Suurch.sw 1
C:\Documents and Settings\William\Local Settings\Temp\923739178.exe Infected: Trojan-Downloader.Win32.Suurch.sw 1
C:\Documents and Settings\William\Local Settings\Temp\949.exe Infected: Trojan.Win32.Agent2.hxw 1
C:\Documents and Settings\William\Local Settings\Temp\h44x2m.exe Infected: Trojan-Downloader.Win32.Wzhyk.ac 1
C:\Documents and Settings\William\Local Settings\Temp\xpfexi4w9r.exe Infected: Trojan-Downloader.Win32.Wzhyk.ac 1
C:\Documents and Settings\William\Local Settings\Temp\zjhufhdfe.exe Infected: Trojan-Downloader.Win32.Wzhyk.au 1
C:\Documents and Settings\William\Local Settings\Temporary Internet Files\Content.IE5\3WIUS1C9\ccsuper1[1].htm Infected: Trojan-GameThief.Win32.WOW.orc 1
C:\Documents and Settings\William\Local Settings\Temporary Internet Files\Content.IE5\3WIUS1C9\ioyymqerbo[2].htm Infected: Trojan.Win32.Agent2.hoc 1
C:\Documents and Settings\William\Local Settings\Temporary Internet Files\Content.IE5\3WIUS1C9\ipk[1].exe Infected: Trojan-Downloader.Win32.Agent.cazx 1
C:\Documents and Settings\William\Local Settings\Temporary Internet Files\Content.IE5\BLN6YSDJ\ccsuper3[1].htm Infected: Net-Worm.Win32.Koobface.ko 1
C:\Documents and Settings\William\Local Settings\Temporary Internet Files\Content.IE5\BLN6YSDJ\pqz[1].exe Infected: Trojan.Win32.Agent2.hxw 1
C:\Documents and Settings\William\Local Settings\Temporary Internet Files\Content.IE5\BLN6YSDJ\qzgiwaaobc[2].htm Infected: Trojan.Win32.Agent2.hoc 1
C:\Documents and Settings\William\Local Settings\Temporary Internet Files\Content.IE5\BLN6YSDJ\wcmznr[1].htm Infected: Trojan.Win32.Agent2.hoc 1
C:\Documents and Settings\William\Local Settings\Temporary Internet Files\Content.IE5\BLN6YSDJ\xqdrrfst[2].htm Infected: Trojan.Win32.Monder.chol 1
C:\Documents and Settings\William\Local Settings\Temporary Internet Files\Content.IE5\C03A849K\av[1].htm Infected: Trojan-GameThief.Win32.WOW.osl 1
C:\Documents and Settings\William\Local Settings\Temporary Internet Files\Content.IE5\P5123N76\506[1].exe Infected: Trojan-Dropper.Win32.Agent.arcq 1
C:\Documents and Settings\William\Local Settings\Temporary Internet Files\Content.IE5\P5123N76\pkqeiimnno[1].htm Infected: Trojan.Win32.Agent2.hoc 1
C:\hcpjmkup.exe Infected: Trojan.Win32.Monder.chol 1
C:\hjub.exe Infected: Trojan-GameThief.Win32.WOW.orc 1
C:\jotvxhh.exe Infected: Trojan-GameThief.Win32.WOW.orc 1
C:\Program Files\Internet Explorer\setupapi.dll Infected: Trojan.Win32.Agent.bzzx 1
C:\Program Files\Mozilla Firefox\setupapi.dll Infected: Trojan.Win32.Agent.bzzx 1
C:\Program Files\ThunMail\testabd.dll Infected: Trojan.Win32.Agent.ciel 1
C:\sdyrxhme.exe Infected: Trojan.Win32.Monder.chol 1
C:\WINDOWS\system32\6to4v32.dll Infected: Trojan.Win32.Obfuscated.afww 1
C:\WINDOWS\system32\avast!Antivirus.exe Infected: Trojan-Downloader.Win32.Agent.cbad 1
C:\WINDOWS\system32\dncyool64.sys Infected: Trojan.Win32.Agent2.kbz 1
C:\WINDOWS\system32\drivers\1482798c.sys Infected: Backdoor.Win32.NewRest.z 1
C:\WINDOWS\system32\drivers\17a24c51.sys Infected: Backdoor.Win32.NewRest.z 1
C:\WINDOWS\system32\drivers\24847044.sys Infected: Backdoor.Win32.NewRest.z 1
C:\WINDOWS\system32\drivers\3313d615.sys Infected: Backdoor.Win32.NewRest.z 1
C:\WINDOWS\system32\drivers\46c626ce.sys Infected: Backdoor.Win32.NewRest.z 1
C:\WINDOWS\system32\drivers\62c316c0.sys Infected: Backdoor.Win32.NewRest.z 1
C:\WINDOWS\system32\drivers\73821b8f.sys Infected: Backdoor.Win32.NewRest.z 1
C:\WINDOWS\system32\drivers\b108c4d2.sys Infected: Backdoor.Win32.NewRest.z 1
C:\WINDOWS\system32\drivers\b266bcc3.sys Infected: Backdoor.Win32.NewRest.z 1
C:\WINDOWS\system32\drivers\b5bd081b.sys Infected: Backdoor.Win32.NewRest.z 1
C:\WINDOWS\system32\drivers\b5f88a41.sys Infected: Backdoor.Win32.NewRest.z 1
C:\WINDOWS\system32\drivers\e429dc85.sys Infected: Backdoor.Win32.NewRest.z 1
C:\WINDOWS\system32\Iasv32.dll Infected: Trojan.Win32.Obfuscated.afww 1
C:\WINDOWS\system32\Ipripv32.dll Infected: Trojan.Win32.Obfuscated.afww 1
C:\WINDOWS\system32\jhxm32.dll Infected: Trojan.Win32.Agent.cimn 1
C:\WINDOWS\system32\lklf32.dll Infected: Trojan.Win32.Agent.cimn 1
C:\WINDOWS\system32\wtukd32.exe Infected: Trojan-Downloader.Win32.Delf.tyz 1
C:\WINDOWS\Temp\1124462246.exe Infected: Trojan-Downloader.Win32.Suurch.sw 1
C:\WINDOWS\Temp\12.tmp Infected: Trojan-Downloader.Win32.Boltolog.ewo 1
C:\WINDOWS\Temp\1234945514.exe Infected: Trojan-Downloader.Win32.Suurch.sw 1
C:\WINDOWS\Temp\1256736964.exe Infected: Trojan-Downloader.Win32.Suurch.sw 1
C:\WINDOWS\Temp\147.tmp Infected: Trojan-Downloader.Win32.Boltolog.ewo 1
C:\WINDOWS\Temp\151.tmp Infected: Trojan-Downloader.Win32.Boltolog.ewo 1
C:\WINDOWS\Temp\152.tmp Infected: Trojan-Downloader.Win32.Boltolog.ewo 1
C:\WINDOWS\Temp\187.tmp Infected: Trojan-Downloader.Win32.Boltolog.ewo 1
C:\WINDOWS\Temp\1991784186.exe Infected: Trojan-Downloader.Win32.Suurch.sw 1
C:\WINDOWS\Temp\2.tmp Infected: Trojan-Downloader.Win32.Boltolog.ewo 1
C:\WINDOWS\Temp\21.tmp Infected: Trojan-Downloader.Win32.Boltolog.ewo 1
C:\WINDOWS\Temp\272532732.exe Infected: Trojan-Downloader.Win32.Suurch.sw 1
C:\WINDOWS\Temp\27931275.exe Infected: Trojan.Win32.Agent.bzwu 1
C:\WINDOWS\Temp\2875588700.exe Infected: Trojan-Downloader.Win32.Suurch.sw 1
C:\WINDOWS\Temp\2956228218.exe Infected: Trojan-Downloader.Win32.Suurch.sw 1
C:\WINDOWS\Temp\3.tmp Infected: Trojan-Downloader.Win32.Boltolog.ewo 1
C:\WINDOWS\Temp\38E71BB6.exe Infected: Trojan.Win32.Agent.bzwu 1
C:\WINDOWS\Temp\4.tmp Infected: Trojan-Downloader.Win32.Boltolog.ewo 1
C:\WINDOWS\Temp\435984750.exe Infected: Trojan-Downloader.Win32.Suurch.sw 1
C:\WINDOWS\Temp\5.tmp Infected: Trojan-Downloader.Win32.Boltolog.ewo 1
C:\WINDOWS\Temp\6.tmp Infected: Trojan-Downloader.Win32.Boltolog.ewo 1
C:\WINDOWS\Temp\7.tmp Infected: Trojan-Downloader.Win32.Boltolog.ewo 1
C:\WINDOWS\Temp\8.tmp Infected: Trojan-Downloader.Win32.Boltolog.ewo 1
C:\WINDOWS\Temp\871577046.exe Infected: Trojan-Downloader.Win32.Suurch.sw 1
C:\WINDOWS\Temp\9.tmp Infected: Trojan-Downloader.Win32.Boltolog.ewo 1
C:\WINDOWS\Temp\903735510.exe Infected: Trojan-Downloader.Win32.Suurch.sw 1
C:\WINDOWS\Temp\A.tmp Infected: Trojan-Downloader.Win32.Boltolog.ewo 1
C:\WINDOWS\Temp\B.tmp Infected: Trojan-Downloader.Win32.Boltolog.ewo 1
C:\WINDOWS\Temp\B7.tmp Infected: Trojan-Downloader.Win32.Boltolog.ewo 1
C:\WINDOWS\Temp\C.tmp Infected: Trojan-Downloader.Win32.Boltolog.ewo 1
C:\WINDOWS\Temp\E.tmp Infected: Trojan-Downloader.Win32.Boltolog.ewo 1
C:\WINDOWS\Temp\E1.tmp Infected: Trojan-Downloader.Win32.Boltolog.ewo 1
C:\WINDOWS\Temp\F.tmp Infected: Trojan-Downloader.Win32.Boltolog.ewo 1
D:\Will's Stuff\misc. files\logger\logger.zip Infected: not-a-virus:Monitor.Win32.BFK.11 1
D:\Will's Stuff\papers\kidlogger.exe Infected: not-a-virus:Monitor.Win32.Kidlogger.a 4
The selected area was scanned.

#3 Tokek


Posted 09 June 2009 - 05:44 PM

Hello wkduncan,

Welcome to Bleeping Computer.

My name is Tokek and I will be helping you with your Malware problem.

I apologize for the delay in replying to your post; the forum has been extremely busy.

There may be a delay in my response to your posts as I am still currently in training. I will be helping you under the supervision of the teachers, and they will approve every post before I present it to you.

Please make no further changes or run any other tools unless instructed to. This may hinder the cleaning of your machine.

Please give me some time to look over your log, I will post the reply as soon as they are approved.

Edited by Tokek, 09 June 2009 - 06:32 PM.

If I have not replied back to your post in 3 days, please send me a PM.


#4 Tokek


Posted 09 June 2009 - 06:32 PM

Hello wkduncan,

Your system is infected with Virut!!
Virut is a file infecting virus which is able to modify itself each and every time it runs. In addition, when it infects, sometimes it will destroy the file it tries to latch onto.
For these reasons, you really can't truly fix Virut. You will need to format/reinstall the operating system on this machine.

More information:
http://free.avg.com/66558

There are bugs in the viral code. When the virus produces infected files, it also creates non-functional files that also contain the virus.


http://home.mcafee.com/VirusInfo/VirusProf...aspx?key=143034

W32/Virut.h is a polymorphic, entry point obscuring (EPO) file infector with IRC bot functionality. It can accept commands to download other malware on the compromised machine.
It appends to the end of the last section of executable (PE) files an encrypted copy of its code. The decryptor is polymorphic and can be located either:
Immediately before the encrypted code at the end of the last section
At the end of the code section of the infected host in 'slack-space' (assuming there is any)
At the original entry point of the host (overwriting the original host code)


Miekiemoes, one of our team members here and an MS-MVP, additionally has a blog post about Virut.
If I have not replied back to your post in 3 days, please send me a PM.


#5 kahdah


Posted 15 June 2009 - 06:57 AM

Since this issue appears to be resolved ... this Topic has been closed. Glad we could help.

If you're the topic starter and need this topic reopened, please contact me via PM with the address of the thread.

Everyone else please begin a New Topic.
Please do not pm for help, post it in the forums instead.

If I am helping you and have not responded for 48 hours please send me a pm as I don't always get notifications.

My help is always free, however, if you would like to make a donation to me for the help I have provided please click here.



