7.tmp Virus on my Computer


This topic is locked
1 reply to this topic

#1 munawar (Members, 1 posts)

Posted 07 September 2009 - 09:10 AM

Hi - I thought I had this beat, but this morning I logged in and I found links to porntube and the like on my desktop. Checking Task Manager, there were several virus processes running (c.tmp, 7.tmp). Please help me get rid of this virus.


This is what I've already done:
1. Ran HijackThis, removed the obvious culprits
2. Several scans of Malware


Issues:
1. I cannot update my malware DB. I think the virus is stopping this. The malware DB is from 8/2/09.
2. I can't visit 75% of all virus scan sites like HouseCall or Norton AntiVirus.

Malware, HijackThis, RootRepeal and DDS logs:
----------------------------------------------------------
Malwarebytes' Anti-Malware 1.40
Database version: 2551
Windows 5.1.2600 Service Pack 2

07/09/2009 10:02:19 AM
mbam-log-2009-09-07 (10-02-19).txt

Scan type: Quick Scan
Objects scanned: 104884
Time elapsed: 8 minute(s), 24 second(s)

Memory Processes Infected: 2
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 18
Registry Data Items Infected: 3
Folders Infected: 1
Files Infected: 11

Memory Processes Infected:
C:\WINDOWS\Fonts\services.exe (Trojan.Agent) -> Unloaded process successfully.
C:\WINDOWS\system32\servises.exe (Trojan.Agent) -> Unloaded process successfully.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\protect (Rootkit.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\protect (Rootkit.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\protect (Rootkit.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\servises (Trojan.FakeAlert.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\servises (Trojan.FakeAlert.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\exec (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\reader_s (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Services\del (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\servises (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\servises (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\servises (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\servises (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\uid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\UpdateNew (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\MSN\D3 (Spyware.Ambler) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\MSN\pr (Spyware.Ambler) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\MSN\BN (Spyware.Ambler) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\MSN\gd (Spyware.Ambler) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\MSN\D1 (Spyware.Ambler) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\MSN\D2 (Spyware.Ambler) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\reader_s (Malware.Trace) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Load (Trojan.Agent) -> Data: c:\windows\fonts\services.exe -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Run (Trojan.Agent) -> Data: c:\windows\fonts\services.exe -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\CheckedValue (Hijack.System.Hidden) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.

Folders Infected:
C:\Program Files\Protection System (Rogue.ProtectionSystem) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\servises.exe (Trojan.FakeAlert.H) -> Delete on reboot.
C:\WINDOWS\system32\drivers\protect.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\4291605.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\9511113.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\VRT11.tmp (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\Fonts\services.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\reader_s.exe (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\c2d.dat (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\idm.dat (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\nk.dat (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\sc.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.



------------------------------------
HijackThis
------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:02:53 AM, on 07/09/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\servises.exe
C:\WINDOWS\system32\servises.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\servises.exe
D:\Utilities\Malware\Malwarebytes\Malwarebytes' Anti-Malware\mbam.exe
D:\Utilities\Firefox\firefox.exe
C:\WINDOWS\System32\svchost.exe
D:\Utilities\EditPad\EditPad.exe
D:\Utilities\HijackThis\HijackThis.exe

O4 - HKLM\..\Run: [30184] C:\WINDOWS\system32\D.tmp.exe
O4 - HKLM\..\Run: [Regedit32] C:\WINDOWS\system32\regedit.exe
O4 - HKLM\..\Run: [servises] C:\WINDOWS\system32\servises.exe
O4 - HKLM\..\RunOnce: [Malwarebytes Anti-Malware (reboot)] "D:\Utilities\Malware\Malwarebytes\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [servises] C:\WINDOWS\system32\servises.exe
O4 - HKLM\..\Policies\Explorer\Run: [servises] C:\WINDOWS\system32\servises.exe
O4 - HKCU\..\Policies\Explorer\Run: [servises] C:\WINDOWS\system32\servises.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [reader_s] C:\WINDOWS\system32\config\systemprofile\reader_s.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [reader_s] C:\WINDOWS\system32\config\systemprofile\reader_s.exe (User 'Default user')
O10 - Broken Internet access because of LSP provider 'c:\program files\bonjour\mdnsnsp.dll' missing
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = munawarali.com
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Unknown owner - C:\Program Files\Bonjour\mDNSResponder.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: sofatnet Service (sofatnet) - Unknown owner - C:\WINDOWS\system32\sofatnet.exe (file missing)
O23 - Service: Messenger Sharing Folders USN Journal Reader service (usnjsvc) - Unknown owner - C:\Program Files\Windows Live\Messenger\usnsvc.exe (file missing)

--
End of file - 2824 bytes
------------------------------------------------------


DDS Logs


UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-07-30.01)

Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 14/05/2007 9:33:51 PM
System Uptime: 09/07/2009 10:14:35 AM (1440 hours ago)

Motherboard: ECS | | P4M800PRO-M
Processor: Intel® Pentium® 4 CPU 2.66GHz | CPU 1 | 2661/133mhz

==== Disk Partitions =========================

A: is Removable
C: is FIXED (NTFS) - 49 GiB total, 13.251 GiB free.
D: is FIXED (NTFS) - 49 GiB total, 41.899 GiB free.
E: is FIXED (NTFS) - 98 GiB total, 37.106 GiB free.
F: is FIXED (NTFS) - 38 GiB total, 24.207 GiB free.
G: is FIXED (NTFS) - 49 GiB total, 17.161 GiB free.
H: is FIXED (NTFS) - 2 GiB total, 2.429 GiB free.
I: is CDROM (UDF)
K: is CDROM (CDFS)
L: is FIXED (NTFS) - 39 GiB total, 39.387 GiB free.
M: is FIXED (NTFS) - 2 GiB total, 2.421 GiB free.

==== Disabled Device Manager Items =============

Class GUID: {4D36E97D-E325-11CE-BFC1-08002BE10318}
Description: PnP BIOS Extension
Device ID: ROOT\SYSTEM\0003
Manufacturer: (Standard system devices)
Name: PnP BIOS Extension
PNP Device ID: ROOT\SYSTEM\0003
Service: d347bus

==== System Restore Points ===================

RP1: 06/09/2009 9:15:11 AM - System Checkpoint

==== Installed Programs ======================

2007 Microsoft Office Suite Service Pack 1 (SP1)
7-Zip 4.42
Ad-Aware SE Personal
Adobe Acrobat 8 Professional - English, Français, Deutsch
Adobe Acrobat 8.1.2 Professional
Adobe Anchor Service CS3
Adobe Asset Services CS3
Adobe Audition 2.0
Adobe Bridge 1.0
Adobe Bridge CS3
Adobe Bridge Start Meeting
Adobe Camera Raw 4.0
Adobe CMaps
Adobe Color Common Settings
Adobe Common File Installer
Adobe Default Language CS3
Adobe Device Central CS3
Adobe ExtendScript Toolkit 2
Adobe Flash Player ActiveX
Adobe Flash Player Plugin
Adobe Fonts All
Adobe Help Center 2.0
Adobe Help Viewer CS3
Adobe InDesign CS2
Adobe Linguistics CS3
Adobe PDF Library Files
Adobe Photoshop CS2
Adobe Premiere Pro CS3
Adobe Premiere Pro CS3 Functional Content
Adobe Reader 8.1.2
Adobe Setup
Adobe Shockwave Player
Adobe Stock Photos 1.0
Adobe Type Support
Adobe Update Manager CS3
Adobe Version Cue CS3 Client
Adobe XMP DVA Panels CS3
Adobe XMP Panels CS3
Apple Software Update
ATI - Software Uninstall Utility
ATI Catalyst Control Center
ATI Display Driver
µTorrent
AVS DVD Player version 2.4
Catalyst Control Center Core Implementation
Catalyst Control Center Graphics Full Existing
Catalyst Control Center Graphics Full New
Catalyst Control Center Graphics Light
Catalyst Control Center Graphics Previews Common
ccc-core-preinstall
ccc-core-static
ccc-utility
CCC Help English
DAEMON Tools
DivX Content Uploader
DivX Web Player
EasyPoint Mouse Software
FileZilla Client 3.0.6
FontHit Font Tools
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.0 (KB932471)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB896344)
Hotfix for Windows XP (KB914440)
Hotfix for Windows XP (KB915865)
Hotfix for Windows XP (KB926239)
IrfanView (remove only)
Java™ 6 Update 2
Java™ 6 Update 3
Java™ 6 Update 5
Java™ SE Runtime Environment 6 Update 1
Lame ACM MP3 Codec
Macromedia Flash Player 8
Malwarebytes' Anti-Malware
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0 Service Pack 1
Microsoft .NET Framework 3.0 Service Pack 1
Microsoft Base Smart Card Cryptographic Service Provider Package
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Document Explorer 2005
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Enterprise 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office Groove MUI (English) 2007
Microsoft Office Groove Setup Metadata MUI (English) 2007
Microsoft Office InfoPath MUI (English) 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Software Update for Web Folders (English) 12
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual J# 2.0 Redistributable Package
Microsoft Visual Studio 2005 Professional Edition - ENU
Microsoft Visual Studio 2005 Professional Edition - ENU Service Pack 1 (KB926601)
Microsoft Windows Application Compatibility Database
Mozilla Firefox (2.0.0.13)
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 6.0 Parser (KB933579)
Nero 7 Ultra Edition
neroxml
NVIDIA Drivers
Polar Precision Performance SW 4
QuickTime
R-Studio 4.2
Real Alternative 1.60
Realtek AC'97 Audio
Security Update for CAPICOM (KB931906)
Security Update for Excel 2007 (KB946974)
Security Update for Microsoft Visual Studio 2005 Professional Edition - ENU (KB937061)
Security Update for Office 2007 (KB947801)
Security Update for Outlook 2007 (KB946983)
Security Update for Windows Internet Explorer 7 (KB929969)
Security Update for Windows Internet Explorer 7 (KB931768)
Security Update for Windows Internet Explorer 7 (KB933566)
Security Update for Windows Internet Explorer 7 (KB937143)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows Media Player 9 (KB917734)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901190)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917537)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921503)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923694)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931768)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB933729)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Security Update for Windows XP (KB936021)
Security Update for Windows XP (KB937894)
Security Update for Windows XP (KB938829)
Security Update for Windows XP (KB939373)
Security Update for Windows XP (KB941202)
Security Update for Windows XP (KB941568)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB941644)
Security Update for Windows XP (KB942830)
Security Update for Windows XP (KB942831)
Security Update for Windows XP (KB943055)
Security Update for Windows XP (KB943460)
Security Update for Windows XP (KB943485)
Security Update for Windows XP (KB944653)
Security Update for Windows XP (KB946026)
Skins
StreamDown
SyncBackSE
Trillian
Update for Outlook 2007 Junk Email Filter (kb947945)
Update for Windows XP (KB894391)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB904942)
Update for Windows XP (KB908531)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB916595)
Update for Windows XP (KB920342)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB925720)
Update for Windows XP (KB925876)
Update for Windows XP (KB927891)
Update for Windows XP (KB930916)
Update for Windows XP (KB931836)
Update for Windows XP (KB933360)
Update for Windows XP (KB936357)
Update for Windows XP (KB938828)
Update for Windows XP (KB942763)
VIA Rhine-Family Fast Ethernet Adapter
VideoLAN VLC media player 0.8.6b
WebFldrs XP
Winamp (remove only)
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Imaging Component
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 7
Windows Live installer
Windows Live Messenger
Windows Live Sign-in Assistant
Windows Media Format 11 runtime
Windows Media Format SDK Hotfix - KB891122
Windows Media Player 11
Windows Presentation Foundation
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
XML Paper Specification Shared Components Pack 1.0

==== End Of File ===========================






DDS (Ver_09-07-30.01) - NTFSx86
Run by munawarali at 10:21:26.54 on 07/09/2009
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_05
Microsoft Windows XP Professional 5.1.2600.2.1252.2.1033.18.1023.608 [GMT -4:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\WINDOWS\system32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe C:\WINDOWS\TEMP\VRT1.tmp
C:\WINDOWS\System32\reader_s.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
D:\Utilities\Malware\Malwarebytes\Malwarebytes' Anti-Malware\mbam.exe
D:\Utilities\Firefox\firefox.exe
C:\Documents and Settings\munawarali\Desktop\dds.scr

============== Pseudo HJT Report ===============

mSearchAssistant = hxxp://www.google.com/ie
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - d:\misc\adobe acrobat 8\acrobat\AcroIEFavClient.dll
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
uRun: [reader_s] c:\documents and settings\munawarali\reader_s.exe
mRun: [30856] c:\windows\system32\7.tmp.exe
mRun: [reader_s] c:\windows\system32\reader_s.exe
mRun: [Regedit32] c:\windows\system32\regedit.exe
mRun: [servises] c:\windows\system32\servises.exe
dRun: [reader_s] c:\windows\system32\config\systemprofile\reader_s.exe
dRun: [systemprofile] c:\windows\system32\config\systemprofile\systemprofile.exe /i
dRun: [servises] c:\windows\system32\servises.exe
mExplorerRun: [servises] c:\windows\system32\servises.exe
dExplorerRun: [servises] c:\windows\system32\servises.exe
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\munawa~1\applic~1\mozilla\firefox\profiles\3u2lyu0u.default\
FF - prefs.js: browser.startup.homepage - www.google.com/ig
FF - component: c:\documents and settings\munawarali\application data\mozilla\firefox\profiles\3u2lyu0u.default\extensions\{6ac85730-7d0f-4de0-b3fa-21142dd85326}\platform\winnt\components\ColorZilla.dll
FF - plugin: d:\audio video draw\audio\real alternative\browser\plugins\nppl3260.dll
FF - plugin: d:\audio video draw\audio\real alternative\browser\plugins\nprpjplug.dll
FF - plugin: d:\audio video draw\video\divx\divx content uploader\npUpload.dll
FF - plugin: d:\os apps\adobe reader\reader\browser\nppdf32.dll
FF - plugin: d:\utilities\firefox\plugins\npFoxitReaderPlugin.dll
FF - HiddenExtension: Java Console: No Registry Reference - d:\utilities\firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - d:\utilities\firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - d:\utilities\firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - d:\utilities\firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
============= SERVICES / DRIVERS ===============

R1 zyuqxaiccvygp1;zyuqxaiccvygp1.sys;c:\windows\system32\drivers\zyuqxaiccvygp1.sys [2009-9-7 40192]
R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2008-12-31 38160]
RUnknown protect;protect; [x]
RUnknown zkgvbynd1;zkgvbynd1; [x]
S2 sofatnet;sofatnet Service;c:\windows\system32\sofatnet.exe --> c:\windows\system32\sofatnet.exe [?]
S3 FeMouWDM;Fellowes Mouse Driver;c:\windows\system32\drivers\FeMouWDM.sys [2007-11-24 11393]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;"f:\development\vs 2005\common7\ide\remote debugger\x86\msvsmon.exe" /service msvsmon80 --> f:\development\vs 2005\common7\ide\remote debugger\x86\msvsmon.exe [?]

=============== Created Last 30 ================

2009-09-07 10:16 53,248 a------- c:\windows\system32\8.tmp
2009-09-07 10:16 18,944 a------- c:\windows\system32\7.tmp
2009-09-07 10:16 59,392 -------- c:\windows\system32\reader_s.exe
2009-09-07 10:16 22,016 a------- c:\windows\system32\3.tmp
2009-09-07 10:16 268 a------- c:\windows\system32\2.tmp
2009-09-07 09:51 40,192 a------- c:\windows\system32\drivers\zyuqxaiccvygp1.sys
2009-09-07 09:47 94,272 ac------ c:\windows\system32\dllcache\agp440.sys
2009-09-07 09:46 6 a------- c:\windows\system32\_id.dat
2009-09-06 10:30 578,560 ac------ c:\windows\system32\dllcache\user32.dll
2009-09-06 10:28 <DIR> --d----- c:\windows\ERUNT
2009-09-06 09:35 <DIR> --d----- c:\documents and settings\munawarali\WINDOWS
2009-09-06 09:21 <DIR> --d----- c:\documents and settings\munawarali\Contacts
2009-09-06 09:20 <DIR> --d----- c:\docume~1\munawa~1\applic~1\foobar2000
2009-09-06 09:20 <DIR> --d----- c:\docume~1\munawa~1\applic~1\ComodoGroup
2009-09-06 09:20 <DIR> --d----- c:\docume~1\munawa~1\applic~1\.easytag
2009-09-06 09:20 184,320 a------- c:\docume~1\munawa~1\applic~1\file1.exe
2009-09-06 09:20 <DIR> --d----- c:\docume~1\munawa~1\applic~1\Windows Search
2009-09-06 09:20 <DIR> --d----- c:\docume~1\munawa~1\applic~1\Windows Live Writer
2009-09-06 09:20 <DIR> --d----- c:\docume~1\munawa~1\applic~1\uTorrent
2009-09-06 09:19 <DIR> --d----- c:\docume~1\munawa~1\applic~1\Songbird2
2009-09-06 09:19 <DIR> --d----- c:\docume~1\munawa~1\applic~1\Moyea
2009-09-06 09:19 <DIR> --d----- c:\docume~1\munawa~1\applic~1\Malwarebytes
2009-09-06 09:19 <DIR> --d----- c:\docume~1\munawa~1\applic~1\Foxit
2009-09-05 18:53 53,248 a------- c:\program files\common files\alg.exe
2009-09-05 18:36 <DIR> --dsh--- c:\documents and settings\munawarali\IETldCache
2009-09-05 18:36 <DIR> --d----- c:\documents and settings\munawarali
2009-09-05 17:46 511 a------- c:\temp\copynew.bat
2009-09-05 17:44 <DIR> --d----- c:\temp\backup
2009-09-05 17:40 <DIR> --d----- c:\temp\restore
2009-09-05 17:40 <DIR> --d----- c:\temp\new
2009-09-05 17:39 <DIR> --d----- c:\temp\orig
2009-09-05 17:39 <DIR> --d----- c:\temp\repair
2009-09-05 13:04 43 a------- c:\windows\system32\kbiwkmuvuchubr.dat
2009-09-05 13:02 <DIR> --d----- c:\windows\Performance
2009-09-05 12:50 <DIR> --d----- C:\temp
2009-09-05 11:33 720 a------- c:\windows\crpf.bin
2009-09-04 11:57 33,280 a------- c:\windows\system32\myriad32.dll
2009-09-03 09:27 286,720 a------- c:\windows\system32\qtwm.exe
2009-09-03 09:27 33,280 a------- c:\windows\system32\tarant32.dll
2009-09-03 09:27 3,107 a------- c:\windows\system32\kfsgg
2009-09-03 09:26 0 a------- c:\windows\SC.INS
2009-09-02 09:00 19,968 -------- c:\windows\system32\kbiwkmkbxstprt.dll
2009-09-02 09:00 68,608 a------- c:\windows\system32\drivers\kbiwkmrlovbdqv.sys
2009-09-02 09:00 43,008 a------- c:\windows\system32\kbiwkmssrntixv.dll
2009-09-02 09:00 15,061 a------- c:\windows\system32\kbiwkmieewbpfw.dat
2009-09-02 09:00 108,336 a------- c:\windows\system32\mswinsck.ocx
2009-08-15 17:05 <DIR> --d----- c:\program files\Microsoft Device Emulator
2009-08-15 17:04 <DIR> --d----- c:\program files\Windows Mobile 5.0 SDK R2
2009-08-12 21:17 128,512 -c------ c:\windows\system32\dllcache\dhtmled.ocx
2009-08-12 21:17 1,315,328 -c------ c:\windows\system32\dllcache\msoe.dll

==================== Find3M ====================

2009-09-07 09:47 94,272 a------- c:\windows\system32\drivers\agp440.sys
2009-09-06 09:20 4 ----h--- c:\windows\fonts\mlog
2009-09-03 12:26 1,984 a------- c:\windows\system32\d3d9caps.dat
2009-08-16 16:55 20 ----h--- c:\docume~1\alluse~1\applic~1\PKP_DLdw.DAT
2009-08-16 16:53 20 ----h--- c:\docume~1\alluse~1\applic~1\PKP_DLdu.DAT
2009-08-05 05:01 204,800 a------- c:\windows\system32\mswebdvd.dll
2009-08-03 13:36 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-03 13:36 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-07-25 05:23 411,368 a------- c:\windows\system32\deploytk.dll
2009-07-17 15:01 58,880 a------- c:\windows\system32\atl.dll
2009-07-13 23:43 286,208 a------- c:\windows\system32\wmpdxm.dll
2009-07-03 13:09 915,456 a------- c:\windows\system32\wininet.dll
2009-06-21 08:46 485,920 a------- c:\windows\system32\NVUNINST.EXE
2009-06-20 23:01 43,520 a------- c:\windows\system32\CmdLineExt03.dll
2009-06-16 10:36 119,808 a------- c:\windows\system32\t2embed.dll
2009-06-16 10:36 81,920 a------- c:\windows\system32\fontsub.dll
2009-06-12 08:31 101,376 a------- c:\windows\system32\tlntsess.exe
2009-06-12 08:31 96,768 a------- c:\windows\system32\telnet.exe
2009-06-10 10:13 84,992 a------- c:\windows\system32\avifil32.dll
2009-06-10 09:19 2,066,432 a------- c:\windows\system32\mstscax.dll
2009-06-10 08:28 3,510,272 a------- c:\windows\system32\nvgames.dll
2009-06-10 08:28 4,022,272 a------- c:\windows\system32\nvdisps.dll
2009-06-10 08:28 13,758,464 a------- c:\windows\system32\nvcpl.dll
2009-06-10 08:28 188,416 a------- c:\windows\system32\nvsvc32.exe
2009-06-10 08:28 163,840 a------- c:\windows\system32\nvcolor.exe
2009-06-10 08:28 86,016 a------- c:\windows\system32\nvmctray.dll
2009-06-10 08:28 229,376 a------- c:\windows\system32\nvmccs.dll
2009-06-10 06:03 9,998,336 a------- c:\windows\system32\nvoglnt.dll
2009-06-10 06:03 5,908,608 a------- c:\windows\system32\nv4_disp.dll
2009-06-10 06:03 1,720,320 a------- c:\windows\system32\nvcuda.dll
2009-06-10 06:03 1,580,550 a------- c:\windows\system32\nvdata.bin
2009-06-10 06:03 1,310,720 a------- c:\windows\system32\nvcuvenc.dll
2009-06-10 06:03 815,104 a------- c:\windows\system32\nvapi.dll
2009-06-10 06:03 671,744 a------- c:\windows\system32\nvcuvid.dll
2009-06-10 06:03 457,248 a------- c:\windows\system32\nvudisp.exe
2009-06-10 06:03 151,552 a------- c:\windows\system32\nvcodins.dll
2009-06-10 06:03 151,552 a------- c:\windows\system32\nvcod.dll
2009-06-10 02:14 132,096 a------- c:\windows\system32\wkssvc.dll

============= FINISH: 10:21:57.20 ===============

RootRepeal Logs!

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/09/07 10:32
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP2
==================================================

Drivers
-------------------
Name: diohldu.sys
Image Path: diohldu.sys
Address: 0xF752F000 Size: 61440 File Visible: No Signed: -
Status: -

Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xF41CD000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF7A5D000 Size: 8192 File Visible: No Signed: -
Status: -

Name: protect.sys
Image Path: C:\WINDOWS\System32\drivers\protect.sys
Address: 0xB81D3000 Size: 36864 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xB829B000 Size: 49152 File Visible: No Signed: -
Status: -

Name: zkgvbynd1.sys
Image Path: C:\WINDOWS\system32\drivers\zkgvbynd1.sys
Address: 0xB8203000 Size: 40192 File Visible: No Signed: -
Status: -

Name: zyuqxaiccvygp1.sys
Image Path: C:\WINDOWS\system32\DRIVERS\zyuqxaiccvygp1.sys
Address: 0xF770F000 Size: 40192 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\RootRepeal report 09-07-09 (10-32-40).txt
Status: Visible to the Windows API, but not on disk.

Path: C:\WINDOWS\Temp\bdnauqiiydy.tmp
Status: Locked to the Windows API!

Path: C:\Documents and Settings\All Users\Start Menu\Programs\Video\Moyea
Status: Invisible to the Windows API!

Path: \\?\C:\Documents and Settings\All Users\Start Menu\Programs\Video\Moyea\*
Status: Could not enumerate files with the Windows API (0x00000003)!


Path: C:\Documents and Settings\All Users\Start Menu\Programs\Video\Moyea\YouTube FLV Downloader
Status: Invisible to the Windows API!

Path: \\?\C:\Documents and Settings\All Users\Start Menu\Programs\Video\Moyea\YouTube FLV Downloader\*
Status: Could not enumerate files with the Windows API (0x00000003)!


Path: C:\Documents and Settings\All Users\Start Menu\Programs\Video\Moyea\YouTube FLV Downloader\Homepage.lnk
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\All Users\Start Menu\Programs\Video\Moyea\YouTube FLV Downloader\Uninstall YouTube FLV Downloader.lnk
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\All Users\Start Menu\Programs\Video\Moyea\YouTube FLV Downloader\YouTube FLV Downloader.lnk
Status: Invisible to the Windows API!

Path: c:\windows\system32\config\systemprofile\local settings\temporary internet files\content.ie5\4oxh9c26\p[2].exe
Status: Allocation size mismatch (API: 69632, Raw: 49152)

Path: c:\windows\system32\config\systemprofile\local settings\temporary internet files\content.ie5\4oxh9c26\up[1].exe
Status: Allocation size mismatch (API: 65536, Raw: 24576)

Path: c:\windows\system32\config\systemprofile\local settings\temporary internet files\content.ie5\e6xnnumb\p[4].exe
Status: Allocation size mismatch (API: 69632, Raw: 49152)

Path: c:\windows\system32\config\systemprofile\local settings\temporary internet files\content.ie5\qncdm5on\p[2].exe
Status: Allocation size mismatch (API: 69632, Raw: 49152)

Path: c:\windows\system32\config\systemprofile\local settings\temporary internet files\content.ie5\x5yt6azu\p[3].exe
Status: Allocation size mismatch (API: 69632, Raw: 49152)

SSDT
-------------------
#: 071 Function Name: NtEnumerateKey
Status: Hooked by "C:\WINDOWS\system32\drivers\zkgvbynd1.sys" at address 0xb82093ae

Stealth Objects
-------------------
Object: Hidden Module [Name: reader_s.exe]
Process: reader_s.exe (PID: 1472) Address: 0x00400000 Size: 606208

Object: Hidden Module [Name: svchost.exe]
Process: svchost.exe (PID: 1508) Address: 0x01000000 Size: 20480

Object: Hidden Module [Name: svchost.exe]
Process: svchost.exe (PID: 216) Address: 0x01000000 Size: 20480

==EOF==

Edited by munawar, 07 September 2009 - 09:43 AM.
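Added here as an illustration, not part of munawar's post and not code from the RootRepeal tool: a small Python triage script that parses a report in the layout shown above and pulls out the entries a responder would look at first (loaded drivers with no visible file, hooked SSDT entries, hidden modules, locked or size-mismatched files). The sample report is a constructed subset of the posted entries, retyped inline so the script runs stand-alone; the allowlist of drivers that legitimately have no visible file (the dump_* crash-dump copies and rootrepeal.sys itself) is my assumption, as is the rule that an executable in the SYSTEM profile's IE cache rates higher than one in a user profile.

```python
import re
from dataclasses import dataclass

# Constructed sample in the RootRepeal report layout shown in the thread: a
# subset of the posted entries, retyped so this script runs stand-alone.
SAMPLE_REPORT = r"""
Drivers
-------------------
Name: diohldu.sys
Image Path: diohldu.sys
Address: 0xF752F000 Size: 61440 File Visible: No Signed: -
Status: -

Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xF41CD000 Size: 98304 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\WINDOWS\Temp\bdnauqiiydy.tmp
Status: Locked to the Windows API!

Path: c:\windows\system32\config\systemprofile\local settings\temporary internet files\content.ie5\4oxh9c26\p[2].exe
Status: Allocation size mismatch (API: 69632, Raw: 49152)

SSDT
-------------------
#: 071 Function Name: NtEnumerateKey
Status: Hooked by "C:\WINDOWS\system32\drivers\zkgvbynd1.sys" at address 0xb82093ae

Stealth Objects
-------------------
Object: Hidden Module [Name: reader_s.exe]
Process: reader_s.exe (PID: 1472) Address: 0x00400000 Size: 606208
"""

# A section is a title line followed by a dashed underline.
SECTION_SPLIT = re.compile(r"^(.+)\r?\n-{5,}\r?\n", re.M)
# RootRepeal labels; several share one line, so each value runs up to the next label.
KEYS = ["Image Path", "Function Name", "File Visible", "Name", "Address", "Size",
        "Signed", "Status", "Path", "Object", "Process", "PID", "#"]
KEY_RE = re.compile(r"(?:^|(?<=[\s\[(]))(" + "|".join(map(re.escape, KEYS)) + r"): ")


def parse_rootrepeal(text: str) -> dict:
    """Return {section title: [record, ...]}; each record maps label -> value."""
    parts = SECTION_SPLIT.split(text)          # [preamble, title1, body1, title2, ...]
    sections = {}
    for title, body in zip(parts[1::2], parts[2::2]):
        records = [{}]
        for line in body.strip().splitlines():
            line = line.strip()
            if not line or line == "==EOF==":      # blank line separates records
                records.append({})
                continue
            hits = list(KEY_RE.finditer(line))
            for hit, nxt in zip(hits, hits[1:] + [None]):
                end = nxt.start() if nxt else len(line)
                # strip brackets wrapping inline labels: "[Name: x]", "(PID: n)"
                records[-1][hit.group(1)] = line[hit.end():end].strip(" []()")
        sections[title] = [r for r in records if r]
    return sections


@dataclass
class Finding:
    severity: str   # "high" or "medium"
    section: str
    detail: str


# Loaded drivers that legitimately lack a visible file: the in-memory crash-dump
# copies Windows keeps (dump_*) and RootRepeal's own driver (assumed allowlist).
BENIGN_INVISIBLE = ("dump_", "rootrepeal.sys")


def triage(text: str) -> list:
    s = parse_rootrepeal(text)
    out = []
    for d in s.get("Drivers", []):
        if d.get("File Visible") == "No" and not d.get("Name", "").lower().startswith(BENIGN_INVISIBLE):
            out.append(Finding("high", "Drivers",
                               f"{d['Name']} loaded with no visible file (image path: {d.get('Image Path')})"))
    for f in s.get("Hidden/Locked Files", []):
        path, status = f.get("Path", ""), f.get("Status", "")
        if "rootrepeal report" in path.lower():
            continue                            # the report being written by the scan itself
        if "Allocation size mismatch" in status:
            # an .exe in the SYSTEM account's IE cache was fetched by a service, not a user
            sev = "high" if path.lower().endswith(".exe") and "\\systemprofile\\" in path.lower() else "medium"
            out.append(Finding(sev, "Hidden/Locked Files", f"{path}: {status}"))
        elif any(w in status for w in ("Locked", "Invisible", "Could not enumerate")):
            out.append(Finding("medium", "Hidden/Locked Files", f"{path}: {status}"))
    for h in s.get("SSDT", []):
        m = re.search(r'Hooked by "([^"]+)"', h.get("Status", ""))
        if m:   # an SSDT hook by a third-party driver is rootkit behaviour
            out.append(Finding("high", "SSDT", f"{h.get('Function Name')} hooked by {m.group(1)}"))
    for o in s.get("Stealth Objects", []):
        if o.get("Object", "").startswith("Hidden Module"):
            out.append(Finding("high", "Stealth Objects", f"hidden module {o.get('Name')} in PID {o.get('PID')}"))
    return out
```

Running `triage(SAMPLE_REPORT)` on the sample yields five findings, four of them high: the bare-path driver, the hooked NtEnumerateKey entry, the hidden module in PID 1472 and the size-mismatched executable in the SYSTEM profile's cache; the locked .tmp file rates medium. On the full log above the same rules also surface zyuqxaiccvygp1.sys, protect.sys and the two hidden svchost.exe modules, which is the picture Orange Blossom's reply is responding to.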



#2 Orange Blossom

Orange Blossom

    OBleepin Investigator


  • Moderator
  • 36,808 posts
  • OFFLINE
  • Gender:Not Telling
  • Location:Bloomington, IN
  • Local time:01:44 AM

Posted 07 September 2009 - 11:09 PM

Hello munawar,

I'm afraid I have very bad news.

Your system is infected with a nasty variant of Virut, a polymorphic file infector with IRCBot functionality which infects .exe and .scr files, downloads more malicious files to your system, and opens a back door that compromises your computer. According to this Norman White Paper Assessment of W32/Virut, some variants can infect the HOSTS file and block access to security related web sites. Other variants of Virut can even penetrate and infect .exe files within compressed files (.zip, .cab, .rar). Virux is an even more complex file infector which can embed an iframe into the body of web-related files and infect script files (.php, .asp, .htm, .html, .xml). When Virut creates infected files, it also creates non-functional files that are corrupted beyond repair and in some instances can disable Windows File Protection. In many cases the infected files cannot be disinfected properly by your anti-virus. When disinfection is attempted, the files become corrupted and the system may become irreparable. The longer Virut remains on a computer, the more critical system files will become infected and corrupt, so the degree of infection can vary.

The virus disables Windows File Protection by injecting code into the "winlogon.exe" process that patches system code in memory.

CA Virus detail of W32/Virut

The virus has a number of bugs in its code, and as a result it may misinfect a proportion of executable files....some W32/Virut.h infections are corrupted beyond repair.

McAfee Risk Assessment and Overview of W32/Virut

There are bugs in the viral code. When the virus produces infected files, it also creates non-functional files that also contain the virus...Due to the damage caused to files by Virut it's possible to find repaired but corrupted files. They became corrupted by the incorrect writing of the viral code during the process of infection. Undetected, corrupted files (possibly still containing part of the viral code) can also be found. This is caused by incorrectly written and non-functional viral code present in these files.

AVG Overview of W32/Virut

This kind of infection is contracted and spread by visiting remote, crack and keygen sites. These types of sites are infested with a smörgåsbord of malware and an increasing source of system infection. However, the CA Security Advisor Research Blog says they have found MySpace user pages carrying the malicious Virut URL. Either way you can end up with a computer system so badly damaged that recovery is not possible and it cannot be repaired. When that happens there is nothing you can do besides reformatting and reinstalling the OS.

...warez and crack web pages are being used by cybercriminals as download sites for malware related to VIRUT and VIRUX. Searches for serial numbers, cracks, and even antivirus products like Trend Micro yield malcodes that come in the form of executables or self-extracting files...quick links in these sites also lead to malicious files. Ads and banners are also infection vectors...

Keygen and Crack Sites Distribute VIRUX and FakeAV

If your computer was used for online banking, has credit card information or other sensitive data on it, you should disconnect from the Internet until your system is cleaned. All passwords should be changed immediately, including those used for banking, email, eBay, PayPal and online forums. You should consider them to be compromised. You should change each password using a clean computer and not the infected one. If not, an attacker may get the new passwords and transaction information. If using a router, you need to reset it with a strong logon/password so the malware cannot gain control before connecting again. Banking and credit card institutions should be notified of the possible security breach. Because your computer was compromised, please read:

Virut is not effectively disinfectable. Your best option is to perform a full reformat as there is no guarantee this infection can be completely removed. In most instances it may have caused so much damage to your system files that it cannot be completely cleaned or repaired. In many cases the infected files cannot be deleted and anti-malware scanners cannot disinfect them properly. Many experts in the security community believe that once infected with this type of malware, the best course of action is to wipe the drive clean, reformat and reinstall the OS. Reinstalling Windows without first wiping the entire hard drive with a repartition and/or format will not remove the infection. The reinstall will only overwrite the Windows files. Any malware on the system will still be there afterwards. Please read:

If you have questions about the reformat and reinstall process, please post those questions in the Windows XP forum.

Orange Blossom
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript



