
SpamTool.Agent.Naj Trojan and perhaps more


  • This topic is locked
7 replies to this topic

#1 dom3333

dom3333

  • Members
  • 5 posts
  • OFFLINE
  • Local time:12:16 PM

Posted 29 July 2009 - 10:43 PM

I downloaded a file from Frostwire and suddenly my computer started going haywire. Pornotube.com icons appear on my desktop regularly after I delete them, some IEXPLORE.EXE process opens up regularly and I start hearing ads as if on a radio, Windows Firewall has been disabled and can't be set back on, Regedit has been disabled and my ESET Antivirus has not been able to deal with it; it has detected a couple of infected files, but the problems still persist.

I'm out of options, and would appreciate it so much if you could help me out in this. Here's my log.


DDS (Ver_09-06-26.01) - NTFSx86
Run by Dom at 23:34:49,35 on 2009-07-29
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_07
Microsoft Windows XP Home Edition 5.1.2600.2.1252.2.1033.18.1022.603 [GMT -4:00]

AV: ESET NOD32 Antivirus 4.0 *On-access scanning enabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}

============== Running Processes ===============

C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\msa.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\WINDOWS\system32\do_not_delete.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\WINDOWS\system32\do_not_delete.exe
C:\WINDOWS\System32\reader_s.exe
C:\WINDOWS\system32\ms18_word.exe
C:\WINDOWS\system32\do_not_delete.exe
C:\WINDOWS\System32\svchost.exe
C:\DOCUME~1\Dom\LOCALS~1\Temp\notepad.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
svchost.exe "C:\WINDOWS\system32\adsldpcd.exe"
C:\WINDOWS\system32\do_not_delete.exe
C:\Documents and Settings\Dom\reader_s.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
svchost.exe C:\WINDOWS\TEMP\VRT11.tmp
C:\WINDOWS\system32\ms18_word.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Downloads Firefox\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://join.123cashformula.com/track/NTI4MzEuNy42LjEyLjAuMC4wLjA
uInternet Settings,ProxyOverride = *.local
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: BitComet Helper: {39f7e362-828a-4b5a-bcaf-5b79bfdfea60} - c:\program files\bitcomet\tools\BitCometBHO_1.3.3.2.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
BHO: Programme d'aide de l'Assistant de connexion Windows Live: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
uRun: [Windows System Recover!] c:\docume~1\dom\locals~1\temp\notepad.exe
uRun: [UpdateWin] c:\windows\system32\adsldpcd.exe
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [do_not_delete] c:\windows\system32\do_not_delete.exe
uRun: [reader_s] c:\documents and settings\dom\reader_s.exe
uRun: [ms18_word] c:\documents and settings\dom\ms18_word.exe
uRunServices: [UpdateWin] c:\windows\system32\adsldpcd.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [egui] "c:\program files\eset\eset nod32 antivirus\egui.exe" /hide /waitservice
mRun: [RRT-Auto] c:\documents and settings\dom\desktop\rrt\RRT.exe auto
mRun: [UpdateWin] c:\windows\system32\adsldpcd.exe
mRun: [do_not_delete] c:\windows\system32\do_not_delete.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [reader_s] c:\windows\system32\reader_s.exe
mRun: [services] c:\windows\services.exe
mRun: [ms18_word] c:\windows\system32\ms18_word.exe
mRun: [Regedit32] c:\windows\system32\regedit.exe
mRun: [SmcService] c:\progra~1\sygate\spf\Smc.exe -startgui
mRunServices: [UpdateWin] c:\windows\system32\adsldpcd.exe
dRun: [do_not_delete] c:\windows\system32\do_not_delete.exe
dRun: [reader_s] c:\documents and settings\dom\reader_s.exe
dRun: [ms18_word] c:\documents and settings\dom\ms18_word.exe
uExplorerRun: [do_not_delete] c:\windows\system32\do_not_delete.exe
mExplorerRun: [do_not_delete] c:\windows\system32\do_not_delete.exe
dExplorerRun: [do_not_delete] c:\windows\system32\do_not_delete.exe
uPolicies-explorer: NoFolderOptions = 1 (0x1)
uPolicies-system: DisableRegistryTools = 1 (0x1)
IE: &D&ownload &with BitComet - c:\program files\bitcomet\BitComet.exe/AddLink.htm
IE: &D&ownload all video with BitComet - c:\program files\bitcomet\BitComet.exe/AddVideo.htm
IE: &D&ownload all with BitComet - c:\program files\bitcomet\BitComet.exe/AddAllLink.htm
IE: {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://c:\program files\bitcomet\tools\BitCometBHO_1.3.3.2.dll/206
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1241906577500
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
DPF: {F7EDBBEA-1AD2-4EBF-AA07-D453CC29EE65} - hxxps://plugins.valueactive.eu/flashax/iefax.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
AppInit_DLLs: ms32clod.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\dom\applic~1\mozilla\firefox\profiles\azss7zsl.default\
FF - prefs.js: browser.startup.homepage - www.google.com
FF - component: c:\documents and settings\dom\application data\mozilla\firefox\profiles\azss7zsl.default\extensions\{b042753d-f57e-4e8e-a01b-7379a6d4cefb}\components\IBitCometExtension.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
============= SERVICES / DRIVERS ===============

R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [2009-4-9 107256]
R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [2009-4-9 94360]
R2 ekrn;ESET Service;c:\program files\eset\eset nod32 antivirus\ekrn.exe [2009-4-9 731840]
R2 YahooAUService;Yahoo! Updater;c:\program files\yahoo!\softwareupdate\YahooAUService.exe [2008-11-9 602392]
S3 LiveTurbineMessageService;Turbine Message Service - Live;c:\program files\turbine\turbine download manager\TurbineMessageService.exe [2009-5-10 267760]
S3 LiveTurbineNetworkService;Turbine Network Service - Live;c:\program files\turbine\turbine download manager\TurbineNetworkService.exe [2009-5-10 218608]
S3 protect;protect;c:\windows\system32\drivers\protect.sys --> c:\windows\system32\drivers\protect.sys [?]

=============== Created Last 30 ================

2009-07-29 23:30 <DIR> --d----- c:\program files\Trend Micro
2009-07-29 23:29 53,248 a------- c:\windows\system32\2F.tmp
2009-07-29 23:29 24,998 a------- c:\windows\system32\29.tmp
2009-07-29 23:29 120 a------- c:\windows\system32\25.tmp
2009-07-29 23:17 53,248 a------- c:\windows\system32\27.tmp
2009-07-29 23:17 24,998 a------- c:\windows\system32\23.tmp
2009-07-29 23:17 120 a------- c:\windows\system32\21.tmp
2009-07-29 22:04 8,023 a------- c:\windows\system32\drivers\wg3n.sys
2009-07-29 22:04 86,800 a------- c:\windows\system32\drivers\Teefer.sys
2009-07-29 22:04 15,360 a------- c:\windows\system32\drivers\wpsdrvnt.sys
2009-07-29 22:04 86,016 a------- c:\windows\system32\setaid.dll
2009-07-29 22:04 77,824 a------- c:\windows\system32\SSSensor.dll
2009-07-29 22:04 58,536 a------- c:\windows\system32\fwsvpn.dll
2009-07-29 22:04 <DIR> --d----- c:\program files\Sygate
2009-07-29 20:09 53,248 a------- c:\windows\system32\37.tmp
2009-07-29 20:09 24,998 a------- c:\windows\system32\33.tmp
2009-07-29 20:09 120 a------- c:\windows\system32\2E.tmp
2009-07-29 14:47 53,248 a------- c:\windows\system32\1355.tmp
2009-07-29 14:47 24,998 a------- c:\windows\system32\134E.tmp
2009-07-29 14:47 120 a------- c:\windows\system32\1348.tmp
2009-07-29 13:35 53,248 a------- c:\windows\system32\30.tmp
2009-07-29 13:35 24,998 a------- c:\windows\system32\2C.tmp
2009-07-29 13:34 120 a------- c:\windows\system32\2A.tmp
2009-07-28 12:47 <DIR> --d----- c:\program files\VideoLAN
2009-07-28 02:29 44 a------- c:\windows\system32\20.tmp
2009-07-28 02:20 66,560 a------- c:\windows\system32\drivers\vsfocerqmivkyf.sys
2009-07-27 13:48 104,960 a------- c:\windows\services.exe
2009-07-27 13:47 120 a------- c:\windows\system32\1E.tmp
2009-07-27 13:37 66,560 a------- c:\windows\system32\drivers\vsfoceqhwbrpib.sys
2009-07-27 13:37 0 a------- c:\windows\system32\2B.tmp
2009-07-27 13:37 0 a------- c:\windows\SC.INS
2009-07-27 13:37 0 a------- c:\windows\sc.exe
2009-07-27 13:37 <DIR> --d----- c:\program files\Protection System
2009-07-26 15:20 48 a------- c:\windows\system32\12.tmp
2009-07-26 08:51 19,968 a------- c:\windows\system32\86.tmp
2009-07-26 08:51 1 a------- c:\windows\system32\82.tmp
2009-07-26 08:51 84 a------- c:\windows\system32\77.tmp
2009-07-25 12:59 19,968 a------- c:\windows\system32\31.tmp
2009-07-25 12:59 40 a------- c:\windows\system32\28.tmp
2009-07-25 02:16 19,968 a------- c:\windows\system32\68.tmp
2009-07-25 02:16 1 a------- c:\windows\system32\64.tmp
2009-07-25 02:16 84 a------- c:\windows\system32\5E.tmp
2009-07-25 02:16 88 a------- C:\Make Money Online.url
2009-07-25 02:16 70 a------- C:\Girls on your desktop.url
2009-07-24 13:01 19,968 a------- c:\windows\system32\18.tmp
2009-07-24 13:01 1 a------- c:\windows\system32\15.tmp
2009-07-24 13:01 84 a------- c:\windows\system32\11.tmp
2009-07-24 01:39 68,608 a------- c:\windows\system32\do_not_delete.exe
2009-07-24 01:39 6 a------- c:\windows\system32\_id.dat
2009-07-22 13:39 56,320 a------- c:\windows\system32\drivers\smss.exe_
2009-07-22 13:39 19,968 a------- c:\windows\system32\36.tmp
2009-07-22 13:39 1 a------- c:\windows\system32\34.tmp
2009-07-22 13:39 84 a------- c:\windows\system32\32.tmp
2009-07-21 16:45 19,968 a------- c:\windows\system32\19.tmp
2009-07-21 16:45 1 a------- c:\windows\system32\17.tmp
2009-07-21 16:45 84 a------- c:\windows\system32\14.tmp
2009-07-21 16:39 19,968 a------- c:\windows\system32\10.tmp
2009-07-21 16:39 1 a------- c:\windows\system32\F.tmp
2009-07-21 16:39 84 a------- c:\windows\system32\C.tmp
2009-07-21 16:33 16,244 a------- c:\windows\system32\rrt_is.wav
2009-07-21 16:33 7,302 a------- c:\windows\system32\rrt_vf.wav
2009-07-21 16:33 7,148 a------- c:\windows\system32\rrt_tv.wav
2009-07-21 16:33 6,282 a------- c:\windows\system32\rrt_tn.wav
2009-07-21 15:10 19,968 a------- c:\windows\system32\24.tmp
2009-07-21 15:10 1 a------- c:\windows\system32\1F.tmp
2009-07-21 15:10 84 a------- c:\windows\system32\16.tmp
2009-07-21 15:06 <DIR> --d----- c:\program files\ESET
2009-07-21 14:41 19,968 a------- c:\windows\system32\E.tmp
2009-07-21 14:41 1 a------- c:\windows\system32\D.tmp
2009-07-21 14:41 84 a------- c:\windows\system32\B.tmp
2009-07-21 14:36 <DIR> --d----- c:\docume~1\dom\applic~1\AVG8
2009-07-21 14:25 19,968 a------- c:\windows\system32\A.tmp
2009-07-21 14:25 1 a------- c:\windows\system32\3.tmp
2009-07-21 14:25 84 a------- c:\windows\system32\2.tmp
2009-07-21 14:22 19,968 a------- c:\windows\system32\9.tmp
2009-07-21 14:22 1 a------- c:\windows\system32\8.tmp
2009-07-21 14:22 84 a------- c:\windows\system32\7.tmp
2009-07-21 14:19 144 a--sh--- c:\windows\system32\81432845.dat
2009-07-21 14:19 301,056 a------- c:\windows\lsass.exe
2009-07-21 14:19 254,464 a------- c:\windows\svc.exe
2009-07-21 14:18 253,952 a------- c:\windows\odb.exe
2009-07-21 14:18 <DIR> --dsh--- c:\windows\system32\lowsec
2009-07-21 14:18 61,440 ---shr-- c:\windows\system32\adsldpcd.exe
2009-07-21 13:19 <DIR> --d----- c:\windows\pss
2009-07-21 12:27 0 a------- c:\windows\system32\mmd109en.dat
2009-07-21 12:27 0 a------- c:\windows\system32\cok458en.dat
2009-07-21 12:27 2,395 a------- c:\windows\system32\2swgnr.tmp
2009-07-21 12:27 1,054 a------- c:\windows\system32\v2lceq.tmp
2009-07-21 12:27 2,504 a------- c:\windows\system32\uqltmj.tmp
2009-07-21 12:27 8 a------- c:\windows\system32\prt.dat
2009-07-21 12:26 19,968 a------- c:\windows\system32\perfc5932.dat
2009-07-21 12:26 1 a------- c:\windows\system32\perfc7683.dat
2009-07-21 12:26 19,968 a------- c:\windows\system32\6.tmp
2009-07-21 12:26 1 a------- c:\windows\system32\5.tmp
2009-07-21 12:26 84 a------- c:\windows\system32\4.tmp
2009-07-21 04:03 155,136 a------- c:\windows\msa.exe
2009-07-21 04:02 140,804 a------- c:\windows\system32\msxml71.dll
2009-07-21 04:02 17,920 a------- c:\windows\system32\geyekrltkpecrf.dll
2009-07-21 04:02 <DIR> --d----- c:\docume~1\alluse~1\applic~1\12213284
2009-07-21 04:02 <DIR> --d----- c:\program files\Jcore
2009-07-21 04:02 0 a------- c:\windows\system32\1AF.tmp
2009-07-21 04:02 67,584 a------- c:\windows\system32\1AE.tmp
2009-07-21 04:02 40,192 a------- c:\windows\system32\drivers\zbykqvaiqeoiy5.sys
2009-07-21 04:02 24,998 a------- c:\documents and settings\dom\ms18_word.exe
2009-07-21 04:02 45,480 a------- c:\windows\system32\ms18_word.exe
2009-07-21 04:02 69,120 a------- c:\windows\system32\reader_s.exe
2009-07-21 04:02 56,320 a------- c:\documents and settings\dom\reader_s.exe
2009-07-21 04:02 24,998 a------- c:\windows\system32\1AB.tmp
2009-07-21 04:01 164 a------- c:\windows\system32\1A9.tmp
2009-07-21 04:01 359,040 a------- c:\windows\system32\drivers\TCPIP.SYS.ORIGINAL
2009-07-21 04:01 <DIR> --d----- c:\docume~1\dom\applic~1\pridl
2009-07-21 04:01 99,660 a------- c:\windows\system32\drivers\6458eca4.sys
2009-07-21 04:01 85 a------- c:\windows\system32\geyekrpusmmvxl.dat
2009-07-21 04:01 39,424 a------- c:\windows\system32\geyekrbocqtuoc.dll
2009-07-21 04:01 64,512 a------- c:\windows\system32\drivers\geyekrlhrdeamn.sys
2009-07-21 04:01 94,208 a------- c:\windows\system32\drivers\smss.exe
2009-07-21 04:01 94,208 a------- C:\imkmpuqp.exe
2009-07-21 04:01 217,801 a------- C:\blxwl.exe
2009-07-21 04:01 15,000 a------- c:\windows\system32\ghaf8jkdfd.dll
2009-07-21 04:01 2 a------- C:\81432845
2009-07-21 03:46 <DIR> --d----- c:\docume~1\dom\applic~1\LimeWire
2009-07-21 03:46 152,576 a------- c:\windows\ap
2009-07-21 03:46 <DIR> --d----- c:\program files\LimeWire
2009-07-21 01:30 <DIR> --d----- c:\docume~1\dom\applic~1\FrostWire
2009-07-21 01:27 73,728 a------- c:\windows\system32\javacpl.cpl
2009-07-20 23:45 79 a------- c:\windows\system32\asr_tican
2009-07-20 23:38 79 a------- c:\windows\system32\asr_jgxxe
2009-07-20 22:44 79 a------- c:\windows\system32\asr_jctin
2009-07-20 21:29 79 a------- c:\windows\system32\asr_socsi
2009-07-20 19:02 79 a------- c:\windows\system32\asr_fdbud
2009-07-20 18:52 79 a------- c:\windows\system32\asr_qldfe
2009-07-20 18:49 79 a------- c:\windows\system32\asr_bekud
2009-07-20 15:07 79 a------- c:\windows\system32\asr_rvikd
2009-07-20 14:51 79 a------- c:\windows\system32\asr_clwoa
2009-07-20 14:29 79 a------- c:\windows\system32\asr_vewck
2009-07-19 17:17 <DIR> --d----- c:\docume~1\dom\applic~1\SharePod
2009-07-19 17:08 107,368 a------- c:\windows\system32\GEARAspi.dll
2009-07-19 17:08 23,400 a------- c:\windows\system32\drivers\GEARAspiWDM.sys
2009-07-19 17:08 <DIR> --d----- c:\program files\iPod
2009-07-19 17:07 <DIR> --d----- c:\program files\iTunes
2009-07-19 17:07 <DIR> --d----- c:\docume~1\alluse~1\applic~1\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-07-19 17:07 <DIR> --d----- c:\program files\Bonjour
2009-07-19 17:06 2,060,288 a------- c:\windows\system32\usbaaplrc.dll
2009-07-19 17:06 39,424 a------- c:\windows\system32\drivers\usbaapl.sys
2009-07-16 18:26 79 a------- c:\windows\system32\asr_cvqjy
2009-07-16 18:03 79 a------- c:\windows\system32\asr_ggnok
2009-07-16 16:53 79 a------- c:\windows\system32\asr_zuqwf
2009-07-16 16:13 79 a------- c:\windows\system32\asr_kfbhf
2009-07-16 15:59 79 a------- c:\windows\system32\asr_lcfwn
2009-07-16 15:16 79 a------- c:\windows\system32\asr_blcas
2009-07-16 15:01 79 a------- c:\windows\system32\asr_ohtme
2009-07-15 13:54 79 a------- c:\windows\system32\asr_pcbyn
2009-07-15 13:36 79 a------- c:\windows\system32\asr_ajvpr
2009-07-14 20:04 79 a------- c:\windows\system32\asr_ejhsa
2009-07-14 19:12 79 a------- c:\windows\system32\asr_uejmq
2009-07-14 17:16 79 a------- c:\windows\system32\asr_vaidj
2009-07-14 16:55 79 a------- c:\windows\system32\asr_affdh
2009-07-14 16:18 79 a------- c:\windows\system32\asr_itymx
2009-07-14 14:41 79 a------- c:\windows\system32\asr_udnll
2009-07-14 14:15 79 a------- c:\windows\system32\asr_enfre
2009-07-14 11:17 79 a------- c:\windows\system32\asr_wvcpr
2009-07-13 22:57 79 a------- c:\windows\system32\asr_dmnpm
2009-07-13 22:50 79 a------- c:\windows\system32\asr_fuknd
2009-07-13 22:37 79 a------- c:\windows\system32\asr_ugvwa
2009-07-13 22:17 79 a------- c:\windows\system32\asr_pcofd
2009-07-13 22:07 79 a------- c:\windows\system32\asr_nfkbr
2009-07-13 21:44 79 a------- c:\windows\system32\asr_vnwby
2009-07-13 21:16 0 a------- c:\windows\system32\man8.exe
2009-07-13 21:16 79 a------- c:\windows\system32\asr_gcyqc
2009-07-09 23:11 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Viewpoint
2009-07-09 23:11 <DIR> --d----- c:\program files\Viewpoint
2009-07-09 23:11 <DIR> --d----- c:\program files\common files\AOL
2009-07-09 23:07 <DIR> --d----- c:\program files\AIM6
2009-07-09 23:07 1,052 a---h--- C:\IPH.PH
2009-07-09 02:13 <DIR> --d----- c:\program files\Yahoo!
2009-07-08 22:26 53,760 ac------ c:\windows\system32\dllcache\vfwwdm32.dll
2009-07-08 22:26 53,760 a------- c:\windows\system32\vfwwdm32.dll
2009-07-08 22:26 43,008 ac------ c:\windows\system32\dllcache\ksxbar.ax
2009-07-08 22:26 43,008 a------- c:\windows\system32\ksxbar.ax
2009-07-08 22:25 307,200 a------- c:\windows\vidcap32.Exe
2009-07-08 22:25 192,512 a------- c:\windows\amcap.exe
2009-07-08 22:25 77,824 a------- c:\windows\Sti211.exe
2009-07-08 22:25 69,632 a------- c:\windows\Domino.EXE
2009-07-08 22:25 <DIR> --d----- c:\windows\EffectResources
2009-07-08 22:25 391,836 a------- c:\windows\system32\drivers\ZS211.sys
2009-07-08 22:25 172,115 a------- c:\windows\system32\ZS211Prp.Ax
2009-07-08 22:25 122,880 a------- c:\windows\ZS211Cap.exe
2009-07-08 22:25 81,920 a------- c:\windows\system32\ZS211STI.dll
2009-07-08 22:25 69,632 a------- c:\windows\ZSSnp211.EXE
2009-07-08 22:25 <DIR> --d----- c:\windows\CatRoot
2009-07-08 22:25 <DIR> --d----- c:\program files\Vimicro
2009-07-08 21:54 <DIR> --d----- c:\docume~1\dom\applic~1\WebCam Recorder
2009-07-08 21:54 <DIR> --d----- c:\program files\Solent
2009-07-07 14:41 <DIR> --d----- c:\program files\coolpro2
2009-07-02 16:06 <DIR> --d----- C:\Westwood

==================== Find3M ====================

2009-07-29 20:09 359,040 a------- c:\windows\system32\drivers\TCPIP.SYS
2009-07-28 02:21 98,304 a------- c:\windows\DUMP43fe.tmp
2009-07-27 13:37 98,304 a------- c:\windows\DUMP38f2.tmp
2009-07-21 04:02 182,912 a------- c:\windows\system32\drivers\ndis.sys
2009-07-07 14:41 142,970 a------- c:\windows\pchealth\helpctr\config\cache\Personal_32_1033.dat
2009-06-25 21:43 26,056 a------- c:\windows\system32\drivers\hamachi.sys
2009-06-25 21:03 34,410 a------- c:\windows\scunin.dat
2009-06-25 21:03 114,688 a------- c:\windows\ScUnin.exe
2009-06-20 13:33 137,888 a------- c:\windows\system32\drivers\PnkBstrK.sys
2009-06-20 13:32 189,288 a------- c:\windows\system32\PnkBstrB.exe
2009-06-20 13:19 75,064 a------- c:\windows\system32\PnkBstrA.exe
2009-05-10 17:39 76,487 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2009-05-09 17:57 409,600 a------- c:\windows\system32\wrap_oal.dll
2009-05-09 17:57 114,688 a------- c:\windows\system32\OpenAL32.dll
2009-05-09 17:24 21,640 a------- c:\windows\system32\emptyregdb.dat
2009-05-01 00:31 1,657,376 a------- c:\windows\system32\nwiz.exe
2009-05-01 00:31 449,056 a------- c:\windows\system32\nvappbar.exe
2009-05-01 00:31 436,768 a------- c:\windows\system32\keystone.exe
2009-05-01 00:31 1,724,416 a------- c:\windows\system32\nvwdmcpl.dll
2009-05-01 00:31 1,507,328 a------- c:\windows\system32\nview.dll
2009-05-01 00:31 1,101,824 a------- c:\windows\system32\nvwimg.dll
2009-05-01 00:31 466,944 a------- c:\windows\system32\nvshell.dll

============= FINISH: 23:35:15,00 ===============




Thanks in advance!

-Dom
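The autorun and policy lines in the Pseudo HJT Report above are what a responder reads first: binaries launching from a Temp directory or straight out of the profile root, a core system process name in the wrong directory, the same executable registered under several Run keys, and policies that lock the user out of Regedit and Folder Options. The following script is an added example, not part of dom3333's post and not part of the DDS tool; it assumes the line format DDS prints above, its suspicion rules are the editor's own, and the sample lines are copied from the log in this post.

```python
"""Triage of DDS 'Pseudo HJT Report' autorun and policy lines.

Added example, not part of the original post or of the DDS tool. The regexes
assume the line format DDS prints; the suspicion heuristics are deliberately
simple and are the editor's own assumptions.
"""
import re
from pathlib import PureWindowsPath

# u = current-user hive, m = machine hive, d = default-user hive (DDS convention)
AUTORUN_RE = re.compile(
    r'^(?P<hive>[umd])(?P<key>Run|RunServices|ExplorerRun|RunOnce): '
    r'\[(?P<name>[^\]]*)\] (?P<cmd>.+)$')
POLICY_RE = re.compile(
    r'^(?P<hive>[umd])Policies-(?P<scope>\w+): (?P<key>\w+) = (?P<val>\S+)')
# First token ending in an executable extension, so unquoted paths with spaces survive
EXE_RE = re.compile(r'^(.*?\.(?:exe|com|scr|cpl|dll|bat|pif))(?=\s|$|,)', re.I)

# Policies that lock the user out of their own defences; the thread's user
# reported exactly the Regedit lockout that DisableRegistryTools produces.
HOSTILE_POLICIES = {"DisableRegistryTools", "DisableTaskMgr", "NoFolderOptions"}
# Directories a legitimate autorun almost never runs from (8.3 and long forms)
TEMP_DIRS = (r"\locals~1\temp", r"\local settings\temp", r"\windows\temp")
# Core processes that live in system32 on XP; the same name elsewhere is a masquerade
SYSTEM_PROCESSES = {"services.exe", "lsass.exe", "smss.exe", "svchost.exe",
                    "csrss.exe", "winlogon.exe"}

# Constructed sample: lines copied from the DDS log in the post above
SAMPLE = r"""
uRun: [Windows System Recover!] c:\docume~1\dom\locals~1\temp\notepad.exe
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [reader_s] c:\documents and settings\dom\reader_s.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [services] c:\windows\services.exe
mRun: [do_not_delete] c:\windows\system32\do_not_delete.exe
uExplorerRun: [do_not_delete] c:\windows\system32\do_not_delete.exe
uPolicies-explorer: NoFolderOptions = 1 (0x1)
uPolicies-system: DisableRegistryTools = 1 (0x1)
"""


def _exe_path(cmd):
    """Return the launched binary from a DDS command-line field."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = EXE_RE.match(cmd)
    return m.group(1) if m else cmd


def _why_suspicious(path):
    """Heuristic location checks (editor's assumptions, not DDS logic)."""
    low = path.lower()
    if any(d in low for d in TEMP_DIRS):
        return "runs from a temp directory"
    p = PureWindowsPath(low)
    # c:\documents and settings\<user>\x.exe : binary dropped straight into the profile root
    if len(p.parts) == 4 and p.parts[1] == "documents and settings":
        return "executable directly in the user profile root"
    if p.name in SYSTEM_PROCESSES and p.parent.name != "system32":
        return "core system process name outside system32"
    return None


def triage(report_text):
    """Return {'autoruns': [flagged entries], 'policies': [(scope, key)]}."""
    autoruns, policies = [], []
    for line in report_text.splitlines():
        m = AUTORUN_RE.match(line)
        if m:
            autoruns.append((m["hive"] + m["key"], m["name"], _exe_path(m["cmd"])))
            continue
        p = POLICY_RE.match(line)
        if p and p["key"] in HOSTILE_POLICIES and p["val"] != "0":
            policies.append((p["scope"], p["key"]))
    # Malware commonly registers the same binary under every hive it can reach
    locations = {}
    for loc, _, path in autoruns:
        locations.setdefault(path.lower(), []).append(loc)
    flagged = []
    for loc, name, path in autoruns:
        reasons = [r for r in (_why_suspicious(path),) if r]
        count = len(locations[path.lower()])
        if count > 1:
            reasons.append(f"registered in {count} autorun locations")
        if reasons:
            flagged.append({"location": loc, "name": name, "path": path, "reasons": reasons})
    return {"autoruns": flagged, "policies": policies}


def run_sample():
    return triage(SAMPLE)


if __name__ == "__main__":
    result = run_sample()
    for e in result["autoruns"]:
        print(f'{e["location"]:14} {e["name"]:25} {e["path"]}\n    -> {"; ".join(e["reasons"])}')
    for scope, key in result["policies"]:
        print(f"policy {scope}\\{key} set: user-level defence disabled")
```

On the sample, the Messenger and NVIDIA entries pass untouched while the Temp-directory notepad.exe, the profile-root reader_s.exe, the services.exe outside system32 and both do_not_delete registrations are reported, together with the two hostile policies. Rundll32-hosted entries are left unresolved on purpose; resolving the DLL argument is a separate check.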


#2 dom3333

dom3333
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  • Local time:12:16 PM

Posted 01 August 2009 - 03:24 AM

So is there no cure for my problem? Any kind input would be greatly appreciated :thumbup2:

#3 aommaster

aommaster

    I !<3 malware


  • Malware Response Team
  • 5,289 posts
  • OFFLINE
  • Gender:Male
  • Location:Dubai
  • Local time:08:16 PM

Posted 08 August 2009 - 08:02 AM

Hello, dom3333.
My name is aommaster and I will be helping you with your log.

I apologize for the delay in response; we get overwhelmed at times, but we are trying our best to keep up.
If you have since resolved the original problem you were having, I would appreciate you letting us know. If not please perform the following below so I can have a look at the current condition of your machine.

Thanks

Please note that I am in the process of my training, so it may take a while for me to get back to you, as each of my fixes needs to be checked by a coach first.

We need to run RSIT
  • Download random's system information tool (RSIT) by random/random and save it to your desktop.
  • Double click on RSIT.exe.
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open. Please post the contents of both log.txt (<<will be maximized) and info.txt (<<will be minimized)
In your next reply, please include the following:
  • Log.txt
  • info.txt

My website: http://aommaster.com
Please do not send me PM's requesting for help. The forums are there for a reason : )
If I am helping you and do not respond to your thread for 48 hours, please send me a PM


#4 dom3333

dom3333
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  • Local time:12:16 PM

Posted 08 August 2009 - 01:52 PM

Thanks aommaster for taking my case!! :thumbup2:

Unfortunately the link you gave me for RSIT is down at the moment. I'll try again to download it later, or if you have another link, well that would be best.

#5 aommaster

aommaster

    I !<3 malware


  • Malware Response Team
  • 5,289 posts
  • OFFLINE
  • Gender:Male
  • Location:Dubai
  • Local time:08:16 PM

Posted 08 August 2009 - 02:08 PM

Hi!

The link seems to work fine for me. Let me know if you still have trouble. If you are still having signs of malware, it could be one of the symptoms.

My website: http://aommaster.com
Please do not send me PM's requesting for help. The forums are there for a reason : )
If I am helping you and do not respond to your thread for 48 hours, please send me a PM


#6 dom3333

dom3333
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  • Local time:12:16 PM

Posted 08 August 2009 - 04:42 PM

I managed to download it. Here are the files you requested.

Attached Files

  • Attached File  info.txt   11.77KB   3 downloads
  • Attached File  log.txt   32.46KB   4 downloads


#7 aommaster

aommaster

    I !<3 malware


  • Malware Response Team
  • 5,289 posts
  • OFFLINE
  • Gender:Male
  • Location:Dubai
  • Local time:08:16 PM

Posted 09 August 2009 - 09:03 AM

Hello, dom3333.
I have some bad news :thumbup2:

Virut file infector warning!

Virut is a file infecting virus which is able to modify itself each and every time it runs. In addition, when it infects, sometimes it will destroy the file it tries to latch onto.
For these reasons, you really can't truly fix Virut. You will need to format/reinstall the operating system on this machine.

More information:
http://free.avg.com/66558

There are bugs in the viral code. When the virus produces infected files, it also creates non-functional files that also contain the virus.


http://home.mcafee.com/VirusInfo/VirusProf...aspx?key=143034

W32/Virut.h is a polymorphic, entry point obscuring (EPO) file infector with IRC bot functionality. It can accept commands to download other malware on the compromised machine.
It appends to the end of the last section of executable (PE) files an encrypted copy of its code. The decryptor is polymorphic and can be located either:
  • Immediately before the encrypted code at the end of the last section
  • At the end of the code section of the infected host in 'slack-space' (assuming there is any)
  • At the original entry point of the host (overwriting the original host code)


A common question I get is: "What files can I back up that I know are not infected?"
Answer:
You can back up all your important documents, personal data files, photos to a CD or DVD drive, not a flash drive or external hard drive as they may become compromised in the process.
The safest practice is not to backup any executable files (*.exe), screensavers (*.scr), autorun (.ini) or script files (.php, .asp, and .html) files because they may be infected by malware. Avoid backing up compressed files (.zip, .cab, .rar) that have executable files inside them as some types of malware can penetrate and infect .exe files within compressed files too.
Other types of malware may even disguise themselves by adding and hiding an extension after the existing extension of a file, so be sure you look closely at the full file name. After reformatting, scan the backed-up data with your anti-virus prior to copying it back to your hard drive.

Miekiemoes, one of our team members here and an MS-MVP, additionally has a blog post about Virut.

My website: http://aommaster.com
Please do not send me PM's requesting for help. The forums are there for a reason : )
If I am helping you and do not respond to your thread for 48 hours, please send me a PM
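The backup rules in the post above (no executables, screensavers, autorun or script files; no archives that hold executables; watch for a second extension hiding behind a document extension) can be applied mechanically before anything is burned to disc. The script below is an added example by the editor, not aommaster's code and not from the linked articles; the extension lists are the editor's assumptions based on the post, only .zip archives are opened (.cab and .rar are reported for manual review), and the sample directory it builds is constructed for the demonstration.

```python
"""Pre-backup triage following the Virut backup advice in the post above.

Added example, not from the post. Walks a candidate backup tree and reports
which files to leave out: executables and scripts, archives that contain
executables, and names that hide an executable behind a data extension.
"""
import os
import tempfile
import zipfile
from pathlib import Path

# Extension groups are the editor's assumptions, derived from the post's list.
EXECUTABLE_EXT = {".exe", ".scr", ".com", ".dll", ".pif", ".cpl"}
SCRIPT_EXT = {".ini", ".php", ".asp", ".html", ".htm", ".vbs", ".js", ".bat", ".cmd"}
ZIP_EXT = {".zip"}                 # inspected with the standard library
OPAQUE_ARCHIVE_EXT = {".cab", ".rar"}  # not opened here; flagged for manual review
DATA_EXT = {".doc", ".docx", ".pdf", ".jpg", ".jpeg", ".png", ".gif",
            ".mp3", ".txt", ".xls", ".ppt"}
RISKY_EXT = EXECUTABLE_EXT | SCRIPT_EXT


def verdict(path: Path) -> str:
    """Classify one file; 'ok' means it may go into the backup."""
    suffixes = [s.lower() for s in path.suffixes]
    last = suffixes[-1] if suffixes else ""
    # 'holiday.jpg.exe': Explorer hides the known .exe and shows 'holiday.jpg'
    if len(suffixes) >= 2 and suffixes[-2] in DATA_EXT and last in RISKY_EXT:
        return "skip: disguised executable (double extension)"
    if last in EXECUTABLE_EXT:
        return "skip: executable"
    if last in SCRIPT_EXT:
        return "skip: script/config file"
    if last in ZIP_EXT:
        try:
            with zipfile.ZipFile(path) as zf:
                bad = [n for n in zf.namelist() if Path(n).suffix.lower() in RISKY_EXT]
        except zipfile.BadZipFile:
            return "skip: unreadable archive"
        return f"skip: archive contains {len(bad)} executable(s)" if bad else "ok"
    if last in OPAQUE_ARCHIVE_EXT:
        return "review: archive not inspected (.cab/.rar)"
    return "ok"


def triage_backup(root) -> dict:
    """Map each file (relative, forward-slash path) under root to its verdict."""
    root = Path(root)
    return {str(p.relative_to(root)).replace(os.sep, "/"): verdict(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def build_sample_backup() -> str:
    """Constructed sample tree (not real user data) for the demonstration."""
    root = Path(tempfile.mkdtemp(prefix="backup_triage_"))
    (root / "docs").mkdir()
    (root / "docs" / "thesis.doc").write_bytes(b"\xd0\xcf\x11\xe0 fake doc")
    (root / "photos").mkdir()
    (root / "photos" / "holiday.jpg").write_bytes(b"\xff\xd8\xff fake jpeg")
    (root / "photos" / "holiday.jpg.exe").write_bytes(b"MZ fake")   # disguised
    (root / "setup.exe").write_bytes(b"MZ fake")
    (root / "index.html").write_text("<html></html>")
    with zipfile.ZipFile(root / "tools.zip", "w") as zf:
        zf.writestr("tool/run.exe", b"MZ fake")
        zf.writestr("tool/readme.txt", "hello")
    with zipfile.ZipFile(root / "notes.zip", "w") as zf:
        zf.writestr("notes.txt", "hello")
    return str(root)


if __name__ == "__main__":
    for rel, v in triage_backup(build_sample_backup()).items():
        print(f"{v:48} {rel}")
```

Run it against the folder you intend to burn; everything marked "ok" is data the post considers safe to carry over, and every "skip" line is a file to leave behind and re-obtain from a clean source after the reinstall.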


#8 htv8

htv8

  • Members
  • 1,694 posts
  • OFFLINE
  • Gender:Male
  • Location:The Netherlands
  • Local time:06:16 PM

Posted 11 August 2009 - 05:41 AM

As the problem here seems to be resolved, this topic is now closed.
If you need this topic reopened, please PM a staff member and we will reopen it for you (include the address of this thread in your request). This applies to the original topic starter only. If you should have a new issue, please start a new topic. Everyone else with similar problems, please start a new topic.
If I have not posted back within 24 hours, feel free to send me a PM with your topic link.




