Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.


Trojan.Win32.C4DLMedia.b, Backdoor.Generic11.AKSH, CutWail.L and possibly Virut

  • This topic is locked This topic is locked
15 replies to this topic

#1 redcakes


  • Members
  • 8 posts
  • Local time:11:50 PM

Posted 10 September 2009 - 03:44 PM


I'm trying to fix my sister's computer which has/had lots of viruses on it (eg braviax). I've got so far, but would really appreciate some help!

She runs Windows XP version 5.1 service pack 2

It is running very slowly and this message pops ups:
NT Authority system shut down status code 1073741819
There is a 60 second countdown, but after this the computer doesn't actually shut down. However access to programs is limited, the system freezes/runs very slowly and cannot access the internet.

The PC has AVG 8.5 and I have managed to run Spybot Search & Destroy and Malwarebytes which have all found and cleaned different trojans.

I researched the message and found the Sasser worm gave a similar error, so I downloaded the Windows Malicious Software tool and ran it.

It found one infection: VirTool:WinNT/CutWail.L but could only partially remove it. However, the PC would not reboot after this in either safe or normal mode – the only option was to 'Restore to last known configuration' when the NT authority message instantly popped up again (it also appeared in safe mode with networking).

AVG also warned of Trojan horse Backdoor.Generic11.AKSH detected on C:\windows\system32\drivers\ntfs.sys

But could not remove it.

The file's properties showed an extra user: [S-1-5-21-789336058-527237240-725345543-500].

I tried to run combofix in normal mode but it just hung (and I later discovered a bug.txt file). I was able to run it in safe mode. It deleted/quarantined a series of files which are now sitting in Qoobox.

I replaced the ntfs.sys file with a copy from my Windows XP and deleted the corrupted file. AVG was then able to heal the Trojan infection (and also then detected and healed it on a system restore file). However, a hidden S-1-5-21… file keeps appearing in C:/recycler on reboot (I have disabled system restore a number of times before deleting this file with Killbox).

I was able to run the Windows Malicious Software tool and it cleaned (partially?) the CutWail.L virus. The link to the manual steps didn't work.

I used dialafix to restore the windows update connections (which had stopped working/were blocked) and updated her system with all the updates and Windows XP service pack 3.

I have also run SDFix (which found 1 trojan).

The PC is now running fine and can access the internet, run combofix in normal mode etc. Scans are running clean apart from the Kaspersky one which found: Trojan.Win32.C4DLMedia.b [Kaspersky Lab] on something called Luna Player set-up.exe. I uninstalled the player and deleted that file.

The combofix bug.txt log I found today from when it failed to run said the system might have Virut.

Does this message definitely mean the PC has Virut? Is there any way to tell/files to check for?

I ran Symantec's W32.Virut tool and it didn't find anything. I ran AVG's virut tool and it found a load of files it couldn't open, then shut down.

My sis is starting college in a couple of weeks, so I need to know if I have to break the bad news that the only solution is to wipe the hard drive and start again…

I've attached the DDS log as per the instructions – and sorry if this is too much information! (There is no rootrepeal file because when I try to run it I get this message: Error - invalid PE image found!)

DDS (Ver_09-07-30.01) - NTFSx86
Run by Jess at 21:17:40.89 on 10/09/2009
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.1014.455 [GMT 1:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\AskBarDis\bar\bin\AskService.exe
C:\Program Files\AskBarDis\bar\bin\ASKUpgrade.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Kontiki\KService.exe
C:\Program Files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlservr.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Sony\VAIO Event Service\VESMgr.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzFw.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Sony\VAIO Power Management\SPMgr.exe
C:\Program Files\Sony\ISB Utility\ISBMgr.exe
C:\Program Files\Utimaco\SafeGuard PrivateDisk\pdservice.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Sony\CONNECTAutoUpdate\CONNECTScheduler.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Sony\VAIO Update 4\VAIOUpdt.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Kontiki\KHost.exe
C:\Program Files\Sony\CONNECTAutoUpdate\CONNECTAUTrayApp.exe
C:\Program Files\Philips\SA28XX Device Manager\main.exe
C:\Documents and Settings\Jess\Local Settings\Application Data\Google\Update\\GoogleCrashHandler.exe
C:\Program Files\Common Files\Sony Shared\GMR\GMRMan.exe
C:\Program Files\Sony\CONNECTAutoUpdate\CONNECTAutoUpdate.exe
C:\Documents and Settings\Jess\My Documents\Cleaning\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = localhost
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
uURLSearchHooks: H - No File
mURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
TB: Ask Toolbar: {3041d03e-fd4b-44e0-b742-2d9b88305f98} - c:\program files\askbardis\bar\bin\askBar.dll
TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
uRun: [MsnMsgr] "c:\program files\msn messenger\MsnMsgr.Exe" /background
uRun: [updateMgr] c:\program files\adobe\acrobat 7.0\reader\AdobeUpdateManager.exe AcRdB7_0_5 -reboot 1
uRun: [kdx] c:\program files\kontiki\KHost.exe -all
uRun: [Google Update] "c:\documents and settings\jess\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [Apoint] c:\program files\apoint\Apoint.exe
mRun: [Mouse Suite 98 Daemon] ICO.EXE
mRun: [SonyPowerCfg] c:\program files\sony\vaio power management\SPMgr.exe
mRun: [ISBMgr.exe] c:\program files\sony\isb utility\ISBMgr.exe
mRun: [PDService.exe] c:\program files\utimaco\safeguard privatedisk\pdservice.exe
mRun: [AzMixerSel] c:\program files\realtek\installshield\AzMixerSel.exe
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [CONNECTScheduler] "c:\program files\sony\connectautoupdate\CONNECTScheduler.exe" /RUN_SCHEDULER
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [VAIO Update 4] "c:\program files\sony\vaio update 4\VAIOUpdt.exe" /Stationary
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\connec~1.lnk - c:\program files\sony\connectautoupdate\CONNECTAUTrayApp.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\philip~1.lnk - c:\program files\philips\sa28xx device manager\main.exe
IE: &Search
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office11\EXCEL.EXE/3000
IE: Transfer by Image Converter 2 Plus - c:\program files\sony\image converter 2\menu.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Trusted Zone: sony-europe.com
Trusted Zone: sonystyle-europe.com
Trusted Zone: vaio-link.com
DPF: {076169AA-8C3D-4CFC-AC23-3ACA88FC21B5} - hxxp://download.sp.f-secure.com/ols/f-secure-rtm/resources/fslauncher.cab
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} - hxxp://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} - hxxp://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
DPF: {48DD0448-9209-4F81-9F6D-D83562940134} - hxxp://lads.myspace.com/upload/MySpaceUploader1006.cab
DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab
DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} - hxxp://messenger.zone.msn.com/binary/SolitaireShowdown.cab56986.cab
DPF: {5D6F45B3-9043-443D-A792-115447494D24} - hxxp://messenger.zone.msn.com/EN-GB/a-UNO1/GAME_UNO1.cab
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase1140.cab
DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - hxxp://download.divx.com/player/DivXBrowserPlugin.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1159120926468
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} - hxxp://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} - hxxp://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: igfxcui - igfxdev.dll
Notify: VESWinlogon - VESWinlogon.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-4-18 335240]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2006-12-19 27784]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-4-18 108552]
R1 PrivateDisk;PrivateDisk;c:\windows\system32\drivers\privatediskm.sys [2004-7-6 45627]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-9-4 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-9-4 74480]
R2 ASKService;ASKService;c:\program files\askbardis\bar\bin\AskService.exe [2009-2-5 464264]
R2 ASKUpgrade;ASKUpgrade;c:\program files\askbardis\bar\bin\ASKUpgrade.exe [2009-2-5 234888]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-6-26 297752]
R2 MSSQL$VAIO_VEDB;MSSQL$VAIO_VEDB;c:\program files\microsoft sql server\mssql$vaio_vedb\binn\sqlservr.exe -svaio_vedb --> c:\program files\microsoft sql server\mssql$vaio_vedb\binn\sqlservr.exe -sVAIO_VEDB [?]
S3 ggflt;SEMC USB Flash Driver Filter;c:\windows\system32\drivers\ggflt.sys [2008-11-21 10976]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-9-4 7408]
S3 SQLAgent$VAIO_VEDB;SQLAgent$VAIO_VEDB;c:\program files\microsoft sql server\mssql$vaio_vedb\binn\sqlagent.exe -i vaio_vedb --> c:\program files\microsoft sql server\mssql$vaio_vedb\binn\sqlagent.EXE -i VAIO_VEDB [?]

=============== Created Last 30 ================

2009-09-10 15:35 <DIR> --d----- c:\documents and settings\jess\DoctorWeb
2009-09-10 15:11 578,560 ac------ c:\windows\system32\dllcache\user32.dll
2009-09-10 15:09 <DIR> --d----- c:\windows\ERUNT
2009-09-10 15:03 <DIR> --d----- C:\SDFix
2009-09-10 14:47 <DIR> --d----- C:\Rooter$
2009-09-10 14:13 4,224 ac------ c:\windows\system32\dllcache\beep.sys
2009-09-10 14:13 4,224 -------- c:\windows\system32\drivers\beep.sys
2009-09-10 12:47 <DIR> --d----- c:\docume~1\alluse~1\applic~1\F-Secure
2009-09-10 09:09 153,088 -c------ c:\windows\system32\dllcache\triedit.dll
2009-09-07 21:36 <DIR> --dsh--- c:\documents and settings\jess\IECompatCache
2009-09-07 14:18 <DIR> --d----- C:\SmitfraudFix
2009-09-07 14:09 1,885,088 a------- C:\SmitfraudFix.exe
2009-09-07 11:48 <DIR> --dsh--- c:\documents and settings\jess\PrivacIE
2009-09-07 11:47 <DIR> --dsh--- c:\documents and settings\jess\IETldCache
2009-09-07 11:42 100,352 -c------ c:\windows\system32\dllcache\iecompat.dll
2009-09-07 11:42 <DIR> --d----- c:\windows\ie8updates
2009-09-07 11:41 12,800 -c------ c:\windows\system32\dllcache\xpshims.dll
2009-09-07 11:41 246,272 -c------ c:\windows\system32\dllcache\ieproxy.dll
2009-09-07 11:38 <DIR> -cd-h--- c:\windows\ie8
2009-09-07 11:13 <DIR> --d----- C:\Update
2009-09-06 20:10 <DIR> --d----- c:\windows\system32\scripting
2009-09-06 20:09 <DIR> --d----- c:\windows\system32\en
2009-09-06 20:09 <DIR> --d----- c:\windows\l2schemas
2009-09-06 20:09 <DIR> --d----- c:\windows\system32\bits
2009-09-06 19:56 <DIR> --d----- c:\windows\EHome
2009-09-06 19:38 <DIR> --d----- c:\windows\system32\CatRoot2
2009-09-06 16:19 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-09-06 16:19 <DIR> --d----- c:\program files\SUPERAntiSpyware
2009-09-06 16:19 <DIR> --d----- c:\docume~1\jesssh~1\applic~1\SUPERAntiSpyware.com
2009-09-06 16:03 574,976 -------- c:\windows\system32\drivers\ntfs.sys
2009-09-06 16:00 <DIR> a-dshr-- C:\cmdcons
2009-09-06 15:34 230,912 a------- c:\windows\PEV.exe
2009-09-06 15:34 161,792 a------- c:\windows\SWREG.exe
2009-09-06 15:34 98,816 a------- c:\windows\sed.exe
2009-09-06 14:28 <DIR> --d----- c:\program files\common files\Wise Installation Wizard
2009-09-06 10:56 <DIR> --d----- c:\program files\Autoruns
2009-09-03 20:14 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2009-09-03 20:14 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2009-08-30 12:28 <DIR> --d----- C:\Kontiki
2009-08-30 11:18 <DIR> --d----- c:\docume~1\jesssh~1\applic~1\Malwarebytes
2009-08-30 11:18 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-30 11:18 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-08-30 11:18 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-08-30 11:18 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-08-30 11:03 <DIR> --d----- c:\windows\pss
2009-08-30 10:50 18,483 a------- c:\windows\system32\adisovul.lib
2009-08-30 10:50 17,424 a------- c:\docume~1\jesssh~1\applic~1\xetonimo.dat
2009-08-30 00:11 <DIR> --d----- c:\docume~1\jesssh~1\applic~1\Reg Tool
2009-08-30 00:11 <DIR> --d----- c:\program files\Reg Tool
2009-08-29 23:52 <DIR> --d----- c:\program files\CCleaner
2009-08-29 23:19 <DIR> --d----- c:\program files\Trend Micro
2009-08-25 22:11 12,691 a------- c:\windows\uren.lib
2009-08-25 22:11 13,776 a------- c:\windows\uciq.db
2009-08-25 22:11 13,700 a------- c:\program files\common files\radewune.dat
2009-08-24 19:15 13,511 a------- c:\windows\ywilyb.dat
2009-08-22 16:33 1,089,593 -c------ c:\windows\system32\dllcache\ntprint.cat
2009-08-22 15:58 <DIR> --d----- C:\!KillBox
2009-08-21 23:58 <DIR> --d----- c:\windows\system32\XPSViewer
2009-08-21 23:57 597,504 -c------ c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-08-21 23:57 89,088 -c------ c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-08-21 23:57 117,760 -------- c:\windows\system32\prntvpt.dll
2009-08-21 23:57 1,676,288 -c------ c:\windows\system32\dllcache\xpssvcs.dll
2009-08-21 23:57 575,488 -c------ c:\windows\system32\dllcache\xpsshhdr.dll
2009-08-21 23:57 1,676,288 -------- c:\windows\system32\xpssvcs.dll
2009-08-21 23:57 575,488 -------- c:\windows\system32\xpsshhdr.dll
2009-08-21 23:53 <DIR> --d----- c:\program files\MSXML 6.0
2009-08-14 20:26 <DIR> --d----- c:\program files\Guitar Pro 5
2009-08-12 03:02 <DIR> --d----- c:\windows\ServicePackFiles

==================== Find3M ====================

2009-09-06 20:13 76,487 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2009-08-15 18:40 11,952 a------- c:\windows\system32\avgrsstx.dll
2009-08-15 18:40 335,240 a------- c:\windows\system32\drivers\avgldx86.sys
2009-08-05 10:01 204,800 a------- c:\windows\system32\mswebdvd.dll
2009-07-17 20:01 58,880 a------- c:\windows\system32\atl.dll
2009-07-13 23:43 286,208 a------- c:\windows\system32\wmpdxm.dll
2009-07-03 18:09 915,456 -------- c:\windows\system32\wininet.dll
2009-06-25 09:25 730,112 a------- c:\windows\system32\lsasrv.dll
2009-06-25 09:25 301,568 a------- c:\windows\system32\kerberos.dll
2009-06-25 09:25 147,456 a------- c:\windows\system32\schannel.dll
2009-06-25 09:25 136,192 a------- c:\windows\system32\msv1_0.dll
2009-06-25 09:25 56,832 a------- c:\windows\system32\secur32.dll
2009-06-25 09:25 54,272 a------- c:\windows\system32\wdigest.dll
2009-06-16 15:36 119,808 a------- c:\windows\system32\t2embed.dll
2009-06-16 15:36 81,920 a------- c:\windows\system32\fontsub.dll
2009-06-16 00:25 410,984 a------- c:\windows\system32\deploytk.dll
2008-09-10 21:28 711,560 ac------ c:\program files\SonicStageInstaller.exe
2008-04-20 22:01 6,167,304 ac------ c:\program files\BBC-iPlayer_Setup.exe
2008-04-01 23:44 4,506,256 ac------ c:\program files\LimeWireWin.exe

============= FINISH: 21:18:22.92 ===============

Attached Files

BC AdBot (Login to Remove)


#2 syler


  • Malware Response Team
  • 8,150 posts
  • Gender:Male
  • Location:Warrington, UK
  • Local time:12:50 AM

Posted 25 September 2009 - 06:20 PM


We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and
we are trying our best to keep up.

My name is Syler and I will be helping you to solve your Malware issues. If you have since resolved your issues I would appreciate if you
would let me no so I can close this topic, if you still need help please let me no what issues you are still having, in your next reply.

  • Download random's system information tool (RSIT) by random/random from here and save it to your desktop.
  • Double click on RSIT.exe to run RSIT.
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open. Please post the contents of both log.txt (<<will be maximized) and info.txt (<<will be minimized)
Then please post back here with the following:
  • log.txt
  • info.txt


#3 redcakes

  • Topic Starter

  • Members
  • 8 posts
  • Local time:11:50 PM

Posted 26 September 2009 - 03:06 PM

Hi Syler,

Thanks very much for responding. I haven't done anything more since posting so the issues are still the same.

Attached are the two files you requested.


Attached Files

  • Attached File  info.txt   28.82KB   18 downloads
  • Attached File  log.txt   41.44KB   21 downloads

#4 syler


  • Malware Response Team
  • 8,150 posts
  • Gender:Male
  • Location:Warrington, UK
  • Local time:12:50 AM

Posted 27 September 2009 - 04:38 AM

Hello redcakes,

ComboFix should not be run unless requested by a HJT Team member. It is an extremely powerful tool which should only be used when instructed to do so by someone who has been properly trained. ComboFix is intended by its creator to be "used under the guidance and supervision of an expert", NOT for private use. Please read Combofix's Disclaimer. Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again.

Post the contents of C:\ComboFix.txt in your next reply.

Please download DrWeb-CureIt and save it to your desktop. DO NOT perform a scan yet.

Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Scan with Dr.Web CureIt as follows:
  • Double-click on drweb-cureit.exe to start the program.
  • Cancel any prompts to download the latest CureIt version and click Start.
  • At the prompt to "Start scan now", click Ok. Allow the setup.exe/driver to load if asked by any of your security programs.
  • The Express scan will automatically begin.
    (This is a short scan of files currently running in memory, boot sectors, and targeted folders).
  • If an infected object is found, you will be prompted to move anything that cannot be cured. Click Yes to All.
  • When complete, click Select All, then choose Cure > Move incurable.
    (This will move any detected files to the C:\Documents and Settings\userprofile\DoctorWeb\Quarantine folder if they can't be cured)
  • Now put a check next to Complete scan to scan all local disks and removable media.
  • In the top menu, click Settings > Change settings, and uncheck "Heuristic analysis" under the "Scanning" tab, then click Ok.
  • Back at the main window, click the green arrow "Start Scanning" button on the right under the Dr.Web logo.
  • When the scan is complete, a message will be displayed at the bottom indicating if any viruses were found.
  • Click "Yes to all" if asked to cure or move the file(s) and select "Move incurable".
  • In the top menu, click file and choose save report list.
  • Save the DrWeb.csv report to your desktop.
  • Exit Dr.Web Cureit when done.
  • Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web in your next reply. (You can use Notepad to open the DrWeb.cvs report)
Please post back here with the following logs:
  • Combofix.txt
  • Dr Web report


#5 redcakes

  • Topic Starter

  • Members
  • 8 posts
  • Local time:11:50 PM

Posted 28 September 2009 - 03:05 PM


Sorry for the delay, it took a little while for Dr Cure It to run.

Attached are the logs you've asked for (didn't have permission to upload CSV files so I've saved it as txt).

However, something odd happened when I ran DrCureIt. When I came back to the machine after leaving the scan to run, a popup window said "[random string of letters for filename] is shutting down Windows Explorer". I clicked cancel to sending an error report, but the results page shut down. (I saw some of the file names and Combofix was in there.)

I opened up DrCureIt again and it ran the Express Scan, the results page was empty. I ran the complete scan again and this time no popup message came up and I was able to move the infected files. However, this time there were fewer files - e.g. it didn't find the Combofix file again (I've checked and it is in DrCureIt's quarantine).

Sorry if I did this wrong.


Attached Files

#6 redcakes

  • Topic Starter

  • Members
  • 8 posts
  • Local time:11:50 PM

Posted 28 September 2009 - 03:07 PM

Sorry, all above refs are to Dr Web, not Dr Cure it.

#7 syler


  • Malware Response Team
  • 8,150 posts
  • Gender:Male
  • Location:Warrington, UK
  • Local time:12:50 AM

Posted 28 September 2009 - 06:38 PM

We need to execute an OTM script
  • Please download OTM by OldTimer and save it to your desktop.
  • Double click the Posted Image icon on your desktop.
  • Paste the following code under the Posted Image area. Do not include the word "Code".
    c:\program files\Common Files\radewune.dat
    c:\documents and settings\Jess Sheasby\Application Data\xetonimo.dat
    c:\documents and settings\Paul Sheasby\Application Data\iwij.dat
  • Push the large Posted Image button.
  • OTM may ask to reboot the machine. Please do so if asked.
  • Copy/Paste the contents under the Posted Image line here in your next reply.
  • If you are unable to copy/paste from this window (as will be the case if the machine was rebooted), open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTM\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2
  • Double-click SystemLook.exe to run it.
  • A blank Windows shall open with the title "SystemLook v1.0-by Jpshortstuff".
  • Copy the content of the following codebox into the main textfield :
  • Please Confirm everything is copied and Pasted as I have provided above
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan, Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt


You still have some leftovers from an incomplete uninstallation of Norton security products on your computer.
To remove the leftovers please download and run the Norton Removal Tool.

Note: The Norton Removal Tool uninstalls all Norton 2008/2007/2006/2005/2004/2003 products and Norton 360 from your computer.
If you use ACT! or WinFAX, back up those databases before you proceed.

Please post back here with the following logs:
  • OTM results
  • Systemlook results
  • New Rsit log


#8 redcakes

  • Topic Starter

  • Members
  • 8 posts
  • Local time:11:50 PM

Posted 29 September 2009 - 03:54 PM


Thanks for that.

Here are the logs you requested.

Attached Files

#9 syler


  • Malware Response Team
  • 8,150 posts
  • Gender:Male
  • Location:Warrington, UK
  • Local time:12:50 AM

Posted 29 September 2009 - 05:14 PM


That's looking ok now, please let me know in your next reply if you have any more problems.

Uninstall ComboFix
  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK. Note the space between the X and the U, it needs to be there.
Posted Image


Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
  • Look for "Java Runtime Environment (JRE)" JRE 6 Update 16.
  • Click the Download button to the right.
  • Select your Platform: "Windows".
  • Select your Language: "Multi-language".
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Click Continue and the page will refresh.
  • Under Required Files, check the box for Windows Offline Installation, click the link below it and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
Go to Start > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Reamove or Change/Remove button and follow the onscreen instructions for the Java uninstaller.
  • Repeat as many times as necessary to remove each Java versions.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u16-windows-i586-p.exe to install the newest version.
-- If using Windows Vista and the installer refuses to launch due to insufficient user permissions, then Run As Administrator.
-- If you choose to update via the Java applet in Control Panel, uncheck the option to install the Toolbar unless you want it.
-- The uninstaller incorporated in this release removes previous Updates 10 and above, but does not remove older versions, so they still need to be removed manually.

Note: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. To disable the JQS service if you don't want to use it, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click Ok and reboot your computer.


Please do a scan with Kaspersky Online Scanner

Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

Click on the Accept button and install any components it needs.
  • The program will install and then begin downloading the latest definition files.
  • After the files have been downloaded on the left side of the page in the Scan section select My Computer
  • This will start the program and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete, click on View scan report
  • Now, click on the Save Report as button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
Please post back here with the following logs:
  • Kaspersky report
  • New Rsit log


#10 redcakes

  • Topic Starter

  • Members
  • 8 posts
  • Local time:11:50 PM

Posted 01 October 2009 - 07:02 AM


Great news! Thanks so much for your help. I followed your instructions and the logs are attached. The scan came back clean.

However, I couldn't uninstall Combofix - it came up with a 'file not found' error message. I had a look and it's in the DrWeb quarantine folder (along with a few other programmes).

Attached Files

#11 syler


  • Malware Response Team
  • 8,150 posts
  • Gender:Male
  • Location:Warrington, UK
  • Local time:12:50 AM

Posted 01 October 2009 - 08:56 AM

Download a fresh copy of combofix, then do the instructions to uninstall it, you can also delete Dr Web quarantine. Please post back with a new DDS
log and tell me if their are any more problems.



#12 redcakes

  • Topic Starter

  • Members
  • 8 posts
  • Local time:11:50 PM

Posted 01 October 2009 - 11:42 AM

Thanks for the info - I've now uninstalled combofix and deleted the quarantined files.

Attached are the DDS logs. The only remaining problem is this undeletable file in the hidden C:/recycler folder:


Error message is that it "...is being used by another person or program."

Attached Files

#13 syler


  • Malware Response Team
  • 8,150 posts
  • Gender:Male
  • Location:Warrington, UK
  • Local time:12:50 AM

Posted 01 October 2009 - 12:45 PM

Your logs look ok now, Can you tell me why you would want to delete this?



#14 redcakes

  • Topic Starter

  • Members
  • 8 posts
  • Local time:11:50 PM

Posted 01 October 2009 - 03:40 PM


Thanks for that - really good to hear.

I thought the problem with deleting that file might be a leftover from when I 'deleted' her infected ntfs.sys file and replaced it with a copy from my Windows XP. But if it's usual to have these kinds of files in recycler, and it's not an indication of a lurking trojan, then fine.

In which case, thanks very much for taking the time to help with this.

Much appreciated.

#15 syler


  • Malware Response Team
  • 8,150 posts
  • Gender:Male
  • Location:Warrington, UK
  • Local time:12:50 AM

Posted 01 October 2009 - 04:18 PM

Their is no need to worry about that file :(

Download and Run OTC

We will now remove the tools we used during this fix using OTC.
  • Download OTC by OldTimer and save it to your desktop.
  • Double click Posted Image icon to start the program. If you are using Vista, please right-click and choose run as administrator
  • Then Click the big Posted Image button.
  • You will get a prompt saying "Being Cleanup Process". Please select Yes.
  • Restart your computer when prompted.
Congratulations! You now appear clean! :(

Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:

Keeping Windows updated
It is extremley important to keep windows upto date with the latest service pack and patches. This will prevent you
from getting the malware which uses vulnerabilities found in windows to exploit your computer. The easiest way to
do this this is by making sure that Automatic Updates are always enabled.

To do this Click on Start >> Control Panel >> Automatic updates and click Automatic (recommended) then Apply and Ok

Update your AntiVirus Software
It is imperative that you update your Antivirus software at least once a week (Even more if you wish). If you do not
update your antivirus software then it will not be able to catch any of the new variants that may come out. If you
use a commercial antivirus program you must make sure you keep renewing your subscription. Otherwise, once your
subscription runs out, you may not be able to update the programs virus definitions.

Make sure your applications have all of their updates
It is also possible for other programs on your computer to have security vulnerability that can allow malware to infect you.
Therefore, it is also a good idea to check for the latest versions of commonly installed applications that are regularly
patched to fix vulnerabilities. You can check these by visiting Secunia Software Inspector and Calendar of Updates.

Install a Firewall
I can not stress how important it is that you use a third party Firewall on your computer. Without a firewall your computer is
succeptible to being hacked and taken over. Windows firewall is good for blocking inbound connections but it does not block
outbound connections. So if Malware manages to get onto your computer it will be able to send data out when it wants.
Here are some free firewalls I would recomend, only install one of these.

Zone Alarm
comodo..........Note: Only Install the Firewall as a standalone if you already have an AntiVirus installed on your computer.

After you install the third party firewall, please disable your Windows firewall. Please go to My Computer >> Control Panel >> Windows Firewall
and choose Off (not recommended) option. Then please click Apply and Ok.

Install SpywareBlaster
SpywareBlaster will added a large list of programs and sites into your Internet Explorer settings that will protect you
from running and downloading known malicious programs.

A tutorial on installing & using this product can be found here:
Using SpywareBlaster to protect your computer from Spyware and Malware

Use MVPS hosts file
Using a custom host file like the MVPS HOSTS file can help to block ads, banners, 3rd party Cookies,
3rd party page counters, web bugs, and even most hijackers. It doesn't use up any extra system resources
and may even speed up the loading of web pages. You can download and find instructions below.


Update all these programs regularly
Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.

Follow this list and your potential for being infected again will reduce dramatically.

Happy surfing :)


0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users