Some kind of Trojan, assorted viruses

#1 silvershot

Posted 27 July 2009 - 08:59 PM

I have gotten some kind of Trojan and other viruses. I'm better with computers than the average user, but not great. I've tried a couple of programs - MalwareBytes, SuperAntiSpyware, HijackThis - with no luck. In fact, MB and SuperAntiSpyware won't even run. By renaming the Malwarebytes .exe file, I was able to run a full scan, but it didn't seem to help.

What happens is that I get a fake Windows Security Center alert about viruses on my computer. Using Task Manager, I was able to identify this process as wscsvc32.exe, and also noticed a malicious process named b.exe and processes that are called svchost.exe but are actually malicious processes rather than the normal one. I believe I have a service.exe process that is a similar fake, and also malicious.

I checked my firewall and found that it had somehow been disabled. When I tried to re-enable it, it told me that the firewall was controlled by "Group Policy". I'm not sure what this is and did not enable it.

In addition to the fake Security Center alerts, I have seen three things (though not as frequent):
- audio will play itself, usually some kind of ad, and task manager shows an iexplore.exe running even though I don't have any IE windows open. Ending the process gets the audio to stop.
- a few times, on booting up my computer, the Welcome screen (where you enter your password to log in) has not loaded. The screen shows the mouse pointer, but otherwise stays black.
- my homepage was reverted to some scammer site, and shortcuts to what appeared to be pornography and scammer sites were placed on my desktop.

I'm at my wit's end here, and any help you gentlemen can give me would be greatly appreciated. I am not using this computer for anything that requires private information (bank accounts, paypal, etc). I have tried to follow the instructions in the Preparation Guide as closely as possible, but please just let me know if you need more info or logs or anything. Thank you for your time.

DDS (Ver_09-06-26.01) - NTFSx86
Run by Corinthian at 18:41:40.57 on Mon 07/27/2009
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_12
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1983.1283 [GMT -7:00]

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Google\Gmail Notifier\gnotify.exe
C:\Program Files\AIM6\aim6.exe
C:\Documents and Settings\Corinthian\ms18_word.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\Microsoft IntelliPoint\IPoint.exe
C:\Program Files\iTunes\iTunes.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceHelper.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\distnoted.exe
C:\Program Files\Internet Explorer\Iexplore.exe
C:\Documents and Settings\Corinthian\Desktop\dds.scr

============== Pseudo HJT Report ===============

uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
mDefault_Search_URL = hxxp://www.google.com/ie
mSearch Page = hxxp://www.google.com
mStart Page = hxxp://www.google.com
uSearchAssistant = hxxp://www.google.com
mSearchAssistant = hxxp://www.google.com
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
uRun: [Aim6] "c:\program files\aim6\aim6.exe" /d locale=en-US ee://aol/imApp
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [ms18_word] c:\documents and settings\corinthian\ms18_word.exe
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] c:\program files\google\gmail notifier\gnotify.exe
mRun: [ms18_word] c:\windows\system32\ms18_word.exe
mRun: [Regedit32] c:\windows\system32\regedit.exe
mRun: [reader_s] c:\windows\system32\reader_s.exe
dRun: [Monopod] c:\windows\temp\b.exe
dRun: [reader_s] c:\windows\system32\config\systemprofile\reader_s.exe
dRun: [ms18_word] c:\documents and settings\corinthian\ms18_word.exe
dRun: [pridl] "c:\documents and settings\corinthian\application data\pridl\pridl.exe" 61A847B5BBF72811329B385672FF01F0B3E35B6638993F4661AA4EBD86D67C56389B284534F310
uPolicies-system: EnableProfileQuota = 1 (0x1)
dPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
dPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
DPF: {41564D57-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/0/A/9/0A9F8B32-9F8C-4D74-A130-E4CAB36EB01F/wmvadvd.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\corint~1\applic~1\mozilla\firefox\profiles\x4zm6q2g.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - HiddenExtension: XUL Cache: {EE557A16-F7BC-4BCE-BA87-BEFE82AC715D} - c:\documents and settings\corinthian\local settings\application data\{EE557A16-F7BC-4BCE-BA87-BEFE82AC715D}
FF - HiddenExtension: XUL Cache: {7E501673-0122-44C4-AC01-C94A7BDD0328} - c:\windows\system32\config\systemprofile\local settings\application data\{7e501673-0122-44c4-ac01-c94a7bdd0328}\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\SASDIFSV.SYS [2008-12-22 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2008-12-22 55024]
R1 vcdrom;Virtual CD-ROM Device Driver;c:\windows\system32\drivers\VCdRom.sys [2008-11-12 8576]
R2 acpi32;acpi32;c:\windows\system32\drivers\acpi32.sys [2004-8-3 40576]
R2 amd64si;amd64si;c:\windows\system32\drivers\amd64si.sys [2004-8-3 40576]
R2 MSSQL$MSSMLBIZ;SQL Server (MSSMLBIZ);c:\program files\microsoft sql server\mssql.1\mssql\binn\sqlservr.exe [2006-4-14 28933976]
R2 ws2_32sik;ws2_32sik;c:\windows\system32\drivers\ws2_32sik.sys [2008-9-7 40576]
S0 dklxcn;dklxcn;c:\windows\system32\drivers\mwqrp.sys --> c:\windows\system32\drivers\mwqrp.sys [?]
S0 eldos;eldos;c:\windows\system32\drivers\csqlgphd.sys --> c:\windows\system32\drivers\csqlgphd.sys [?]
S0 ltvdkd;ltvdkd;c:\windows\system32\drivers\nerlgk.sys --> c:\windows\system32\drivers\nerlgk.sys [?]
S0 qvydcfeo;qvydcfeo;c:\windows\system32\drivers\swgjinpj.sys --> c:\windows\system32\drivers\swgjinpj.sys [?]
S0 ryawu;ryawu;c:\windows\system32\drivers\gfib.sys --> c:\windows\system32\drivers\gfib.sys [?]
S0 whqu;whqu;c:\windows\system32\drivers\uadp.sys --> c:\windows\system32\drivers\uadp.sys [?]
S2 feffzxaz;feffzxaz;c:\windows\system32\drivers\kdaic.sys --> c:\windows\system32\drivers\kdaic.sys [?]
S2 ggbcoy;ggbcoy;c:\windows\system32\drivers\zozku.sys --> c:\windows\system32\drivers\zozku.sys [?]
S2 oztph;oztph;c:\windows\system32\drivers\xfyxd.sys --> c:\windows\system32\drivers\xfyxd.sys [?]
S2 systemntmi;systemntmi;c:\windows\system32\drivers\systemntmi.sys [2008-9-7 40576]
S2 tiqh;tiqh;c:\windows\system32\drivers\fpid.sys --> c:\windows\system32\drivers\fpId.sys [?]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2008-12-23 50704]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2008-12-22 7408]
S4 Abel;Abel;c:\program files\cain\Abel.exe [2009-6-1 50688]
S4 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2008-4-26 45132]
SUnknown ndrotdqrrmj;ndrotdqrrmj; [x]

=============== Created Last 30 ================

2009-07-27 17:04 35,840 a------- c:\windows\system32\B.tmp
2009-07-27 17:04 44 a------- c:\windows\system32\8.tmp
2009-07-27 16:28 35,840 a------- c:\windows\system32\7.tmp
2009-07-27 16:28 44 a------- c:\windows\system32\6.tmp
2009-07-27 16:24 35,840 a------- c:\windows\system32\A.tmp
2009-07-27 16:24 44 a------- c:\windows\system32\9.tmp
2009-07-27 16:24 <DIR> --d----- c:\docume~1\corint~1\applic~1\pridl
2009-07-27 16:24 213,024 a------- c:\windows\system32\drivers\str.sys
2009-07-27 13:40 35,840 a------- c:\windows\system32\A9.tmp
2009-07-27 13:40 44 a------- c:\windows\system32\A8.tmp
2009-07-27 13:03 46,592 a------- C:\TMP77CD.tmp
2009-07-27 10:56 35,840 a------- c:\windows\system32\85.tmp
2009-07-27 10:56 120 a------- c:\windows\system32\83.tmp
2009-07-27 01:06 35,840 a------- c:\windows\system32\15.tmp
2009-07-27 01:06 24,917 a------- c:\windows\system32\14.tmp
2009-07-27 01:06 80 a------- c:\windows\system32\13.tmp
2009-07-27 01:01 35,840 a------- c:\windows\system32\12.tmp
2009-07-27 01:01 24,917 a------- c:\windows\system32\11.tmp
2009-07-26 23:07 45,400 a------- c:\windows\system32\ms18_word.exe
2009-07-26 23:07 45,400 a------- c:\documents and settings\corinthian\ms18_word.exe
2009-07-26 23:07 35,840 a------- c:\windows\system32\10.tmp
2009-07-26 21:11 35,840 a------- c:\windows\system32\18.tmp
2009-07-26 21:10 44 a------- c:\windows\system32\17.tmp
2009-07-26 21:10 0 a------- c:\windows\SC.INS
2009-07-26 21:10 0 a------- c:\windows\sc.exe
2009-07-26 21:10 359,808 a------- c:\windows\system32\drivers\TCPIP.SYS.ORIGINAL
2009-07-25 05:31 785,408 a------- c:\windows\system32\wscsvc32.exe
2009-07-25 05:31 257,536 a------- c:\windows\system32\resdll.dll
2009-07-25 05:30 0 a------- c:\windows\system32\1CC0.tmp
2009-07-25 05:30 84 a------- c:\windows\system32\1CBD.tmp
2009-07-25 05:30 88 a------- C:\Make Money Online.url
2009-07-25 05:30 70 a------- C:\Girls on your desktop.url
2009-07-25 05:30 <DIR> --d----- c:\program files\sFX
2009-07-25 05:30 211 a------- c:\windows\prxid93ps.dat
2009-07-11 01:25 77,312 a------- c:\windows\system32\drivers\jxinlv.sys
2009-07-06 17:53 <DIR> --d----- c:\program files\Windows Media Connect 2

==================== Find3M ====================

2009-07-27 17:20 40,576 a------- c:\windows\system32\drivers\acpi32.sys
2009-07-27 16:31 40,576 a------- c:\windows\system32\drivers\systemntmi.sys
2009-07-26 23:06 98,304 a------- c:\windows\DUMP4e00.tmp
2009-07-26 21:36 182,912 a------- c:\windows\system32\drivers\ndis.sys
2009-07-26 21:10 359,808 a------- c:\windows\system32\drivers\TCPIP.SYS
2009-07-26 21:09 98,304 a------- c:\windows\DUMP4c0c.tmp
2009-07-25 12:12 98,304 a------- c:\windows\DUMP4536.tmp
2009-06-17 11:27 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-17 11:27 19,096 a------- c:\windows\system32\drivers\mbam.sys

============= FINISH: 18:43:07.98 ===============

Edited by silvershot, 27 July 2009 - 09:01 PM.
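An added triage script (mine, not silvershot's and not part of DDS or the forum's tooling): it mechanises the three checks a helper applies by eye to a log like the one above. A binary with a system-process name (svchost, services, lsass...) running anywhere but c:\windows\system32 is a masquerade; an autorun or process that lives under Documents and Settings, Application Data, Temp or the systemprofile directory is running from a user-writable path; a driver whose line ends in "--> ... [?]" is registered but has no file DDS could find. The sample is a handful of lines copied from the log plus one constructed svchost.exe-in-the-profile line to exercise the masquerade rule. Assumptions: that DDS's uRun/mRun/dRun prefixes mean the HKCU, HKLM and HKU\.DEFAULT Run keys, and the list of "user-writable" path fragments is my heuristic, so the scanner's own dds.scr on the Desktop will also be flagged for the analyst to dismiss.

```python
"""Triage a DDS-style log: system-process names outside system32, autoruns
launching from user-writable paths, and registered drivers with no file."""
import re
from typing import List, Tuple

# Process names that legitimately live only in %SystemRoot%\system32 on XP.
SYSTEM_PROCESS_NAMES = {"svchost", "services", "lsass", "csrss", "winlogon", "smss"}
SYSTEM32 = "c:\\windows\\system32"

# Path fragments an ordinary user (or malware running as that user) can write to.
# Heuristic of my own; the analyst's own tools in the profile will trip it too.
USER_WRITABLE_MARKERS = (
    "\\documents and settings\\",
    "\\temp\\",
    "\\application data\\",
    "\\systemprofile\\",
)

_EXE_PATH = re.compile(r'"?([a-z]:\\.*?\.(?:exe|scr|dll|sys))"?', re.I)
_RUN = re.compile(r"^([umd])Run:\s+\[(.+?)\]\s+(.*)$")
_SVC = re.compile(r"^(R\d|S\d|SUnknown)\s+([^;]+);([^;]*);(.*)$")

# Lines copied from the posted log, plus one constructed line (the profile-root
# svchost.exe) that is NOT in the log, added to show the masquerade rule firing.
SAMPLE_LOG = r"""
C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Documents and Settings\Corinthian\ms18_word.exe
C:\Program Files\Internet Explorer\Iexplore.exe
C:\Documents and Settings\Corinthian\svchost.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [ms18_word] c:\documents and settings\corinthian\ms18_word.exe
dRun: [Monopod] c:\windows\temp\b.exe
dRun: [pridl] "c:\documents and settings\corinthian\application data\pridl\pridl.exe" 61A847B5BBF728
R2 acpi32;acpi32;c:\windows\system32\drivers\acpi32.sys [2004-8-3 40576]
S0 dklxcn;dklxcn;c:\windows\system32\drivers\mwqrp.sys --> c:\windows\system32\drivers\mwqrp.sys [?]
SUnknown ndrotdqrrmj;ndrotdqrrmj; [x]
"""


def first_path(text: str):
    """Return the first Windows path in `text`, lower-cased, or None."""
    m = _EXE_PATH.search(text)
    if m:
        return m.group(1).lower()
    # DDS sometimes prints a path with no extension ("svchost -k DcomLaunch").
    m = re.match(r"([a-z]:\\\S+)", text.strip(), re.I)
    return m.group(1).lower() if m else None


def check_process(line: str) -> List[str]:
    """Running Processes section: masquerading names and user-writable paths."""
    path = first_path(line)
    if path is None:
        return []
    directory, _, base = path.rpartition("\\")
    stem = base.rsplit(".", 1)[0]
    findings = []
    if stem in SYSTEM_PROCESS_NAMES and directory != SYSTEM32:
        findings.append(f"'{base}' is a system process name but runs from {directory}")
    if any(mk in path for mk in USER_WRITABLE_MARKERS):
        findings.append(f"process runs from a user-writable location: {path}")
    return findings


def check_autorun(line: str) -> List[str]:
    """Pseudo HJT Run entries. Assumption: u/m/d = HKCU, HKLM, HKU\\.DEFAULT."""
    m = _RUN.match(line)
    if not m:
        return []
    hive, name, cmd = m.groups()
    path = first_path(cmd) or cmd.lower()
    findings = []
    if hive == "d":  # legitimate software rarely installs into the .DEFAULT hive
        findings.append(f"autorun [{name}] lives in the .DEFAULT hive: {path}")
    if any(mk in path for mk in USER_WRITABLE_MARKERS):
        findings.append(f"autorun [{name}] launches from a user-writable location: {path}")
    return findings


def check_service(line: str) -> List[str]:
    """Services/drivers: registered entries whose file is missing or absent."""
    m = _SVC.match(line)
    if not m:
        return []
    state, name, _display, rest = m.groups()
    rest = rest.strip()
    if rest.endswith("[?]"):
        return [f"service '{name}' ({state}) is registered but DDS found no file: {first_path(rest)}"]
    if rest == "[x]":
        return [f"service '{name}' ({state}) is registered with no image path at all"]
    return []


def triage(log_text: str) -> List[Tuple[str, str]]:
    """Run every check over every line; returns (line, finding) pairs."""
    hits = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if _RUN.match(line):
            findings = check_autorun(line)
        elif _SVC.match(line):
            findings = check_service(line)
        elif re.match(r"[a-z]:\\", line, re.I):
            findings = check_process(line)
        else:
            findings = []
        hits.extend((line, f) for f in findings)
    return hits


if __name__ == "__main__":
    for line, finding in triage(SAMPLE_LOG):
        print(f"{finding}\n    <- {line}")
```

On the sample above the script stays quiet on both real svchost lines, ctfmon, Internet Explorer and acpi32.sys, and flags ms18_word.exe, the constructed profile-root svchost.exe, both dRun entries, the phantom mwqrp.sys driver and the image-less ndrotdqrrmj service; it is a reading aid for the analyst, not a verdict, and the Find3M dates and file sizes still have to be read by hand.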

#2 fenzodahl512

Posted 28 July 2009 - 04:43 PM

mRun: [reader_s] c:\windows\system32\reader_s.exe
dRun: [reader_s] c:\windows\system32\config\systemprofile\reader_s.exe

That's Virut. To date, nothing can cure Virut 100%. The only action I can suggest is to reformat and reinstall Windows. A quote from an expert (sUBs):

Virut is not disinfectable. Your only option is to perform a full reformat. Do NOT attempt a repair install. It shall be a waste of time. If you do so, the infected executables remain on the machine & you shall likely trigger another bout of Virut.

If you do not know how to perform a fresh install, use this website > http://www.windowsreinstall.com/

Note: If you have to backup files, do so only for MS Office documents & any non executable file. Burn them to CD/DVD. Do NOT copy files from the infected machine to your pendrive OR another machine. You risk infecting the other machine.

A full reformat means formatting ALL partitions.

Looking at the log, I would advise you to start backing up all of your valuable data (documents, pictures, movies, songs, etc.). Do NOT back up any applications/installers, and do NOT back up any .exe/.scr/.htm/.html/.xml/.zip/.rar/.pif/.asp/.php/.iso files.

Make sure you back up everything ONLY to CD or DVD (non-rewritable). If you need to back up to an external hard drive or thumb drive, make sure it is EMPTY, meaning NO FILES inside it. Format the external drive before attaching it to the infected computer. A single .exe file on the external drive may infect other computers as well.
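An added backup filter (my example, not fenzodahl512's or sUBs' code) that implements the rule in the reply above as an allow-list copy: anything with one of the listed extensions is skipped, and, because silvershot already showed that renaming an .exe changes nothing about what it is, any file whose first two bytes are the "MZ" executable header is skipped as well, whatever it is called. The extra extensions beyond the reply's list (.com, .dll, .sys, .bat, .cmd, .vbs, .js, .lnk, .url, .msi) are my own addition. The files it creates for the demonstration are constructed stand-ins, not files from the poster's machine.

```python
"""Allow-list copy of documents off a Virut-infected machine: skip executable
extensions and anything that starts with an MZ header, regardless of name."""
import os
import shutil
from typing import Iterable, List, Tuple

# Extensions the reply says not to copy.
DENY_EXT_FROM_POST = {"exe", "scr", "htm", "html", "xml", "zip", "rar", "pif", "asp", "php", "iso"}
# My own additions (assumption): other native executables, scripts and shell links.
DENY_EXT_EXTRA = {"com", "dll", "sys", "bat", "cmd", "vbs", "js", "lnk", "url", "msi"}
DENY_EXT = DENY_EXT_FROM_POST | DENY_EXT_EXTRA


def classify(name: str, head: bytes) -> Tuple[bool, str]:
    """Decide whether a file may be copied. `head` is the file's first bytes;
    two are enough for the MZ check, which catches renamed executables."""
    base = name.replace("\\", "/").rsplit("/", 1)[-1]
    ext = base.rsplit(".", 1)[1].lower() if "." in base else ""
    if ext in DENY_EXT:
        return False, f"extension .{ext} is on the do-not-copy list"
    if head[:2] == b"MZ":
        return False, "file starts with an MZ header (renamed executable)"
    return True, "ok"


def plan_backup(entries: Iterable[Tuple[str, bytes]]):
    """Dry run over (relative path, first bytes) pairs; returns (keep, drop)."""
    keep: List[Tuple[str, str]] = []
    drop: List[Tuple[str, str]] = []
    for rel, head in entries:
        ok, why = classify(rel, head)
        (keep if ok else drop).append((rel, why))
    return keep, drop


def run_backup(src_root: str, dst_root: str):
    """Walk src_root and copy only the files classify() allows into dst_root."""
    copied, skipped = [], []
    for dirpath, _, filenames in os.walk(src_root):
        for fn in filenames:
            full = os.path.join(dirpath, fn)
            with open(full, "rb") as fh:
                head = fh.read(2)
            rel = os.path.relpath(full, src_root)
            ok, why = classify(fn, head)
            if ok:
                target = os.path.join(dst_root, rel)
                os.makedirs(os.path.dirname(target), exist_ok=True)
                shutil.copy2(full, target)
                copied.append(rel)
            else:
                skipped.append((rel, why))
    return copied, skipped


if __name__ == "__main__":
    import tempfile
    src = tempfile.mkdtemp(prefix="infected_")
    dst = tempfile.mkdtemp(prefix="backup_")
    # Constructed sample files standing in for the infected profile.
    samples = {
        "My Documents/report.docx": b"PK\x03\x04 docx container",
        "My Documents/notes.txt": b"plain text",
        "photo.jpg": b"\xff\xd8\xff\xe0 jpeg",
        "mbam-renamed.dat": b"MZ\x90\x00 renamed executable",
        "setup.exe": b"MZ\x90\x00",
        "Girls on your desktop.url": b"[InternetShortcut]\r\n",
    }
    for rel, data in samples.items():
        full = os.path.join(src, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(data)
    copied, skipped = run_backup(src, dst)
    print("copied:", copied)
    for rel, why in skipped:
        print("skipped:", rel, "->", why)
    shutil.rmtree(src)
    shutil.rmtree(dst)
```

In the demonstration the .docx, .txt and .jpg are copied while setup.exe, the .url shortcut and the MZ-headed .dat file are skipped. Run it from a clean boot medium or a second machine mounting the infected disk read-only rather than from the infected Windows itself, since on the infected box the Python interpreter is just another .exe the virus can have patched.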

