
Computer Infected with an unknown virus


  • This topic is locked
2 replies to this topic

#1 GeraABC

GeraABC

  • Members
  • 1 posts
  • OFFLINE
  • Local time:08:42 PM

Posted 10 August 2009 - 04:33 PM

Computer is very slow; plus, no program will open without first showing a box titled "opens with" and the message "choose the program you want to use to open this file". I then found this command on the internet, "REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 0 /f", and tried to run it, but the DOS command window was blocked from opening, so I ran it in safe mode with success and now I can open programs without the "opens with" box opening. Then I ran a trial of Kaspersky Internet Security 2009, which found and eliminated a bunch of stuff. I then uninstalled Kaspersky Internet Security 2009 and was finally able to install Spybot, which also found and eliminated viruses and trojans. This is the state the computer is in now; however, some of the things that are autoloaded on start are identified as viruses/trojans and the computer is still very slow.



********************************************************************************************************************************************************************
HIJACKTHIS LOG:
********************************************************************************************************************************************************************

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:28:11 PM, on 8/10/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\svchast.exe
C:\Program Files\Java\jre6\bin\jqs.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\D-Link\AirPlus G Wireless Adapter Utility\AirPlus.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Administrator\Desktop\HiJackThis.exe

O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: D-Link AirPlus G Wireless Utility.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512b-b978-451d-a0d8-fcfdf33e833c} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1243260841995
O22 - SharedTaskScheduler: Apartment - ThreadingModel - (no file)
O22 - SharedTaskScheduler: kjhsf87fhjdsfn93rjkndfdf - {A36D2A01-00F3-42BD-F434-00BBC39C8953} - C:\WINDOWS\system32\ghaf8jkdfd.dll (file missing)
O23 - Service: AntipyPro_12 (AntipPro2009_12) - Unknown owner - C:\WINDOWS\svchast.exe
O23 - Service: Background Intelligent Transfer Service (BITS) - Unknown owner - C:\WINDOWS\
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Sygate Personal Firewall Pro (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe

--
End of file - 3122 bytes
********************************************************************************************************************************************************************
********************************************************************************************************************************************************************




********************************************************************************************************************************************************************
DDS LOG:
********************************************************************************************************************************************************************

DDS (Ver_09-07-30.01) - NTFSx86
Run by Administrator at 14:47:17.88 on Mon 08/10/2009
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.255.71 [GMT -6:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe -k Akamai
C:\WINDOWS\svchast.exe
C:\Program Files\Java\jre6\bin\jqs.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\D-Link\AirPlus G Wireless Adapter Utility\AirPlus.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Documents and Settings\Administrator\Desktop\HiJackThis.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Administrator\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uWindow Title =
mSearch Page = hxxp://www.microsoft.com
mWindow Title =
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\d-link~1.lnk - c:\program files\d-link\airplus g wireless adapter utility\AirPlus.exe
uPolicies-explorer: NoActiveDesktop = 00000000
mPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://go.microsoft.com/fwlink/?linkid=58813
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {6414512b-b978-451d-a0d8-fcfdf33e833c} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1243260841995
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
STS: ThreadingModel - No File
STS: c:\windows\system32\ghaf8jkdfd.dll: {a36d2a01-00f3-42bd-f434-00bbc39c8953} - c:\windows\system32\ghaf8jkdfd.dll
LSA: Authentication Packages = msv1_0 c:\windows\system32\xxyxXPGW

============= SERVICES / DRIVERS ===============

R2 Akamai;Akamai NetSession Interface;c:\windows\system32\svchost.exe -k Akamai [2004-8-4 14336]
R2 AntipPro2009_12;AntipyPro_12;c:\windows\svchast.exe [2009-7-28 176128]
R3 DLINK11G;D-Link AirPlus G Wireless Adapter;c:\windows\system32\drivers\TNET1130.SYS [2008-11-17 386816]
R3 maestro;ESS Maestro 3 Audio Driver (WDM);c:\windows\system32\drivers\es198x.sys [2008-11-17 174464]
S0 89384714fcbdedb9987af1fa22a44359;89384714fcbdedb9987af1fa22a44359;c:\windows\system32\89384714fcbdedb9987af1fa22a44359.sys --> c:\windows\system32\89384714fcbdedb9987af1fa22a44359.sys [?]
S1 aa1522b5;aa1522b5;c:\windows\system32\drivers\aa1522b5.sys [2009-5-20 0]
S1 battcc;battcc;c:\windows\system32\drivers\battcc.sys --> c:\windows\system32\drivers\battcc.sys [?]
S4 BCSWAP;BCSWAP;c:\windows\system32\drivers\bcswap.sys [2008-11-13 91496]
S4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files\microsoft sql server\100\shared\sqladhlp.exe [2008-8-15 47128]
S4 RsFx0102;RsFx0102 Driver;c:\windows\system32\drivers\RsFx0102.sys [2008-7-10 242712]
S4 SQLAgent$SQLEXPRESS;SQL Server Agent (SQLEXPRESS);c:\program files\microsoft sql server\mssql10.sqlexpress\mssql\binn\SQLAGENT.EXE [2008-8-15 369688]
S4 vsdatant;vsdatant; [x]

=============== Created Last 30 ================

2009-08-10 01:37 <DIR> -cd----- C:\codeTest
2009-08-10 00:25 <DIR> -cd----- c:\windows\system32\WinNTDlls
2009-08-10 00:25 <DIR> -cd----- c:\windows\system32\Win98Dlls
2009-08-10 00:25 <DIR> -cd----- c:\program files\Microsoft Press Training Kit Exam Prep
2009-08-09 10:36 <DIR> -cd----- C:\RegSeeker
2009-08-09 05:22 <DIR> -cds---- c:\documents and settings\administrator\UserData
2009-08-08 23:51 <DIR> -cd----- c:\docume~1\admini~1\applic~1\GrabIt
2009-08-08 21:36 <DIR> -cd----- c:\program files\msn gaming zone
2009-08-08 14:12 <DIR> -cd----- c:\docume~1\admini~1\applic~1\Malwarebytes
2009-08-01 01:42 <DIR> -cd----- C:\Temp
2009-08-01 01:23 <DIR> -cd----- c:\docume~1\alluse~1\applic~1\Kaspersky Lab
2009-08-01 01:15 81,984 ac------ c:\windows\system32\bdod.bin
2009-08-01 00:20 187,184 ac------ C:\pskill.exe
2009-07-31 23:46 <DIR> -cd----- c:\docume~1\alluse~1\applic~1\Kaspersky Lab Setup Files
2009-07-31 19:46 664 ac------ c:\windows\system32\d3d9caps.dat
2009-07-29 23:21 <DIR> -cd----- c:\docume~1\alluse~1\applic~1\BitDefender
2009-07-29 23:17 <DIR> -cd----- c:\program files\common files\BitDefender
2009-07-29 18:26 156,000 ac------ C:\bitdefender_tsecurity.exe
2009-07-28 18:08 4 ac------ c:\windows\system32\bincd32.dat
2009-07-28 17:55 8,550 ac------ c:\windows\system32\wispex.html
2009-07-28 17:55 <DIR> acd----- c:\windows\system32\images
2009-07-28 17:52 176,128 ac------ c:\windows\svchast.exe
2009-07-28 17:52 64 ac------ c:\windows\ppp4.dat
2009-07-28 17:52 3 ac------ c:\windows\ppp3.dat
2009-07-28 17:50 36 ac------ c:\windows\system32\sysnet.dat
2009-07-28 17:48 108 ac------ c:\windows\system32\sonhelp.htm
2009-07-28 16:36 54,784 ac------ c:\windows\system32\drivers\UACd.sys
2009-07-28 16:32 <DIR> -cdsh--- c:\windows\system32\lowsec
2009-07-17 15:24 583,443 ac------ C:\XviD_Install.exe
2009-07-17 15:13 819,200 ac------ c:\windows\system32\xvidcore.dll
2009-07-17 15:13 77,824 ac------ c:\windows\system32\xvid.ax
2009-07-17 15:13 180,224 ac------ c:\windows\system32\xvidvfw.dll
2009-07-17 15:12 <DIR> -cd----- c:\program files\Xvid
2009-07-17 15:12 652,794 ac------ C:\XviD-1.2.2-07062009.exe

==================== Find3M ====================

2009-05-24 12:42 45,051 ac------ c:\windows\system32\nvModes.dat

============= FINISH: 14:48:51.38 ===============

********************************************************************************************************************************************************************
********************************************************************************************************************************************************************
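The two logs above contain several entries a malware responder would flag on first read: a process named svchast.exe (one letter away from svchost.exe) running from C:\WINDOWS rather than System32, an O23 service with "Unknown owner" pointing at that same binary, and an O22 entry whose randomly named DLL is already missing. The script below is an added example, not part of this thread and not part of HijackThis or DDS; it runs a few such checks over lines copied from the HijackThis log posted above. The list of core Windows binaries, the system-directory prefixes and the 0.85 similarity threshold are assumptions chosen for this illustration.

```python
"""Triage helper for HijackThis-style log lines (added example, not from the thread).

Checks performed on each line:
  * a referenced file that HijackThis reports as missing,
  * an O23 service entry with no vendor information ("Unknown owner"),
  * an executable whose name is a near-duplicate of a core Windows binary,
  * a core Windows binary running from outside a Windows system directory.
"""
import re
from difflib import SequenceMatcher

# Core Windows XP binaries that normally live in System32 (assumed list for this example).
KNOWN_SYSTEM_BINARIES = {
    "smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
    "lsass.exe", "svchost.exe", "spoolsv.exe", "explorer.exe",
}
# Directory prefixes treated as legitimate homes for those binaries (assumption).
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\system")
# Similarity above which a name is treated as a look-alike (assumption).
LOOKALIKE_THRESHOLD = 0.85

# Lines copied verbatim from the HijackThis log posted in this thread.
SAMPLE_LINES = [
    r"C:\WINDOWS\system32\svchost.exe",
    r"C:\WINDOWS\svchast.exe",
    r"O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe",
    r"O22 - SharedTaskScheduler: kjhsf87fhjdsfn93rjkndfdf - {A36D2A01-00F3-42BD-F434-00BBC39C8953} - C:\WINDOWS\system32\ghaf8jkdfd.dll (file missing)",
    r"O23 - Service: AntipyPro_12 (AntipPro2009_12) - Unknown owner - C:\WINDOWS\svchast.exe",
    r"O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe",
]

# First drive-letter path ending in a binary extension; paths may contain spaces.
PATH_RE = re.compile(r"[a-zA-Z]:\\.*?\.(?:exe|dll|sys|scr)\b", re.IGNORECASE)


def extract_path(line):
    """Return the first Windows path with a binary extension in the line, or None."""
    match = PATH_RE.search(line)
    return match.group(0) if match else None


def lookalike_of(name):
    """Return the core binary this file name closely resembles, or None if it is exact or unlike any."""
    name = name.lower()
    if name in KNOWN_SYSTEM_BINARIES:
        return None
    best = max(KNOWN_SYSTEM_BINARIES,
               key=lambda known: SequenceMatcher(None, name, known).ratio())
    ratio = SequenceMatcher(None, name, best).ratio()
    return best if ratio >= LOOKALIKE_THRESHOLD else None


def triage_line(line):
    """Return a list of human-readable reasons this line deserves attention (empty if none)."""
    reasons = []
    if "(file missing)" in line.lower():
        reasons.append("referenced file is missing")
    if line.startswith("O23") and "Unknown owner" in line:
        reasons.append("service has no vendor information")
    path = extract_path(line)
    if path:
        directory, name = path.rsplit("\\", 1)
        twin = lookalike_of(name)
        if twin:
            reasons.append(f"{name} looks like core binary {twin}")
        if name.lower() in KNOWN_SYSTEM_BINARIES and not directory.lower().startswith(SYSTEM_DIRS):
            reasons.append(f"{name} running outside a Windows system directory")
    return reasons


def triage(lines):
    """Return (line, reasons) pairs for every line that triggered at least one check."""
    findings = []
    for line in lines:
        reasons = triage_line(line)
        if reasons:
            findings.append((line, reasons))
    return findings


if __name__ == "__main__":
    for line, reasons in triage(SAMPLE_LINES):
        print(line)
        for reason in reasons:
            print("    ->", reason)
```

Run against the sample, it singles out the two svchast.exe lines (look-alike name; the O23 one additionally for the missing vendor) and the O22 entry for the missing DLL, while the System32 svchost.exe, the Spybot TeaTimer entry and the Sun-signed Java service pass. A name-similarity check like this only narrows the list for a human; the responder still confirms each hit against the file on disk.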


#2 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  • Gender:Female
  • Location:Belgium
  • Local time:04:42 AM

Posted 11 August 2009 - 08:12 AM

Hi,

* Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • In case you already used MBAM previously, please update it before proceeding with the scan. To do this, click the "Update" tab and click the "Check For updates" button.
  • Once the program has loaded and updates were downloaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply along with a fresh HijackThis log.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  • Gender:Female
  • Location:Belgium
  • Local time:04:42 AM

Posted 05 September 2009 - 05:45 AM

Due to the lack of feedback, this Topic is closed.
If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.



