
Trojan? servises.exe, svchost.exe, 1.tmp, 2.tmp etc. opening up


  • This topic is locked
6 replies to this topic

#1 R10pez10

R10pez10

  • Members
  • 3 posts
  • OFFLINE
  • Local time:01:17 AM

Posted 21 September 2009 - 05:53 AM

I only noticed this recently.
It started with the task manager being blocked
'Task Manager has been disabled by the administrator.'
Weird, I thought. I _am_ the administrator.
Open up Run. regedit.
'Registry Editor has been disabled by the administrator.'
This was getting fishy.

--

Finding a script (regtmcmdrestore.vbs) let me take a look into what was happening in Task Manager.
All through the joint, random named .tmp files, either with numbers
(1.tmp, 2.tmp through to 8.tmp or so);
or letters
(A.tmp, B.tmp, etcetera);
or both
(3F.tmp, blah blah blah).

Also there was like, nine or so svchost.exe's running, also something called 'servises.exe',
which being obviously spelt wrong, made me really think something was up.

--

I think I managed to remove a lot of the things by playing with stuff, erasing suspicious things with Eraser (http://eraser.heidi.ie/),
removing suspicious keys in the registry with regedit;
I believe I've got it to the point where it stops blocking Task Manager and Regedit now.
But still, the processes (although killable in Task Manager) return as soon as I restart the computer.
The startup tab in msconfig is loaded with entries like 5, 7 (the random number .tmp files mentioned above, I bet) and servises.
I uncheck them of course, but as soon as I restart, there they are again, with more entries.

--

Anyway, onto the logs. Here's my DDS.txt file:


DDS (Ver_09-07-30.01) - FAT32x86
Run by Leila at 18:25:23.50 on Mon 21/09/2009
Internet Explorer: 6.0.2600.0000 BrowserJavaVersion: 1.6.0_15
Microsoft Windows XP Professional 5.1.2600.0.1252.61.1033.18.511.83 [GMT 8:00]


============== Running Processes ===============

C:\WINXP\system32\svchost -k rpcss
C:\WINXP\System32\svchost.exe -k netsvcs
svchost.exe
C:\WINXP\system32\spoolsv.exe
svchost.exe
C:\WINXP\Explorer.EXE
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Program Files\Google\Update\1.2.183.7\GoogleCrashHandler.exe
C:\WINXP\System32\ctfmon.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINXP\System32\nvsvc32.exe
C:\WINXP\System32\svchost.exe -k imgsvc
svchost.exe C:\WINXP\TEMP\VRT2.tmp
C:\Program Files\Ventrilo\Ventrilo.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Winamp\winamp.exe
C:\WINXP\System32\svchost.exe
C:\WINXP\System32\svchost.exe
C:\WINXP\System32\svchost.exe
C:\Documents and Settings\Leila\Desktop\dds.scr

============== Pseudo HJT Report ===============

uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uDefault_Search_URL = hxxp://www.google.com/ie
uWindow Title =
mSearch Page = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = iexplore
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
mSearchAssistant = hxxp://www.google.com/ie
uURLSearchHooks: H - No File
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: &Google Web Accelerator Helper: {69a87b7d-de56-4136-9655-716ba50c19c7} - c:\program files\google\web accelerator\GoogleWebAccToolbar.dll
BHO: {8fd9ce74-7d5b-4791-bada-d80b7cffeb9a} - telopezo.dll
BHO: MSN helper: {9bc9c69a-6384-4a7c-a4d3-f8c697f4253f} - smarp.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Google Gears Helper: {e0fefe40-fbf9-42ae-ba58-794ca7e3fb53} - c:\program files\google\google gears\internet explorer\0.5.32.0\gears.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Google Web Accelerator: {db87bfa2-a2e3-451e-8e5a-c89982d87cbf} - c:\program files\google\web accelerator\GoogleWebAccToolbar.dll
TB: {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - No File
EB: {4528BBE0-4E08-11D5-AD55-00010333D0AD} - No File
EB: Media Band: {32683183-48a0-441b-a342-7c2a440a9478} - %SystemRoot%\System32\browseui.dll
uRun: [ctfmon.exe] c:\winxp\system32\ctfmon.exe
uRun: [servises] c:\winxp\system32\servises.exe
mRun: [11722] c:\winxp\system32\5.tmp.exe
mRun: [servises] c:\winxp\system32\servises.exe
dRun: [sys64_nov] .\4.tmp
uExplorerRun: [servises] c:\winxp\system32\servises.exe
mExplorerRun: [servises] c:\winxp\system32\servises.exe
uPolicies-explorer: DisallowCpl = 1 (0x1)
uPolicies-explorer: NoSMMyPictures = 0 (0x0)
uPolicies-explorer: MaxRecentDocs = 11 (0xb)
uPolicies-explorer: NoInstrumentation = 1 (0x1)
mPolicies-explorer: NoInstrumentation = 1 (0x1)
IE: &Search - ?p=ZU
IE: Add to Google Photos Screensa&ver - c:\winxp\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim95\aim.exe
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\MSMSGS.EXE
IE: {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - {0B4350D1-055F-47A3-B112-5F2F2B0D6F08} - c:\program files\google\google gears\internet explorer\0.5.32.0\gears.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Trusted Zone: com.au\www.nova937
DPF: {00000055-9980-0010-8000-00AA00389B71} - hxxp://codecs.microsoft.com/codecs/i386/fhg.CAB
DPF: {31435657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab
DPF: {33564D57-0000-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
TCP: {883D8A68-4370-4B86-B026-CB9A91DA9F5C} = 203.161.127.1,203.153.224.42
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
AppInit_DLLs: hizuriki.dll duvafiyi.dll c:\winxp\system32\folayeju.dll
SSODL: pesatehok - {88a79aa2-ae23-42e2-a5f8-360da5b4ccab} - c:\winxp\system32\folayeju.dll
STS: mujuzedij: {88a79aa2-ae23-42e2-a5f8-360da5b4ccab} - c:\winxp\system32\folayeju.dll
LSA: Notification Packages = scecli telopezo.dll hizuriki.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\leila\applic~1\mozilla\firefox\profiles\hmxazw78.default\
FF - prefs.js: browser.startup.homepage - hxxp://google.com/
FF - component: c:\documents and settings\leila\application data\mozilla\firefox\profiles\hmxazw78.default\extensions\{6ac85730-7d0f-4de0-b3fa-21142dd85326}\platform\winnt\components\ColorZilla.dll
FF - component: c:\program files\google\google gears\firefox\lib\ff35\gears.dll
FF - plugin: c:\program files\google\google earth plugin\npgeplugin.dll
FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\google\update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npcosmop211.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npmusicn.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npyaxmpb.dll
FF - plugin: g:\opera 10.00\program\plugins\npdsplay.dll
FF - plugin: g:\opera 10.00\program\plugins\npwmsdrm.dll
FF - plugin: g:\opera\program\plugins\npdsplay.dll
FF - plugin: g:\opera\program\plugins\npmusicn.dll
FF - plugin: g:\opera\program\plugins\NPSibelius.dll
FF - plugin: g:\opera\program\plugins\NPSWF32.dll
FF - plugin: g:\opera\program\plugins\npwmsdrm.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.cache_size", 51200);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.ogg.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.wave.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);
c:\program files\mozilla firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.dpi", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
c:\program files\mozilla firefox\greprefs\all.js - pref("geo.enabled", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");

============= SERVICES / DRIVERS ===============

R3 NeroCd2k;NeroCd2k;c:\winxp\system32\drivers\NeroCD2k.sys [2001-4-16 44227]
S3 EraserUtilDrv10733;EraserUtilDrv10733;\??\c:\program files\common files\symantec shared\eengine\eraserutildrv10733.sys --> c:\program files\common files\symantec shared\eengine\EraserUtilDrv10733.sys [?]
S3 JL2005;JL2005A Toy Camera;c:\winxp\system32\drivers\toywdm.sys [2005-4-29 71336]
S3 nmwcdnsu;Nokia USB Flashing Phone Parent;c:\winxp\system32\drivers\nmwcdnsu.sys [2008-10-19 138112]
S3 nmwcdnsuc;Nokia USB Flashing Generic;c:\winxp\system32\drivers\nmwcdnsuc.sys [2008-10-19 8320]
S3 PSI;PSI;c:\winxp\system32\drivers\psi_mf.sys [2008-10-27 7808]
S3 PVUSB;CESG502 USB Driver;c:\winxp\system32\drivers\CESG502.SYS [2007-9-18 40672]
S4 gupdate1c9dddd2cac1ac0;Google Update Service (gupdate1c9dddd2cac1ac0);c:\program files\google\update\GoogleUpdate.exe [2009-5-26 133104]

=============== Created Last 30 ================

2009-09-21 17:58 18,944 a------- c:\winxp\system32\5.tmp
2009-09-21 17:58 27,174 a------- c:\winxp\system32\4.tmp
2009-09-21 17:58 132 a------- c:\winxp\system32\3.tmp
2009-09-21 17:37 528,896 a------- c:\winxp\system32\dllcache\user32.dll
2009-09-21 17:33 <DIR> --d----- c:\winxp\ERUNT
2009-09-21 17:26 <DIR> --d----- C:\SDFix
2009-09-21 16:53 61,440 a------- c:\winxp\system32\drivers\918.exe
2009-09-21 16:47 61,440 a------- c:\winxp\system32\drivers\337.exe
2009-09-21 16:43 62,976 a------- c:\winxp\system32\servises.exe
2009-09-21 16:42 44,070 a------- c:\winxp\system32\sys64_nov.exe
2009-09-21 16:42 27,174 a------- c:\documents and settings\leila\sys64_nov.exe
2009-09-21 16:00 <DIR> --d----- c:\winxp\_system32
2009-09-21 06:37 744 a------- C:\2392389.exe
2009-09-21 06:35 2,126 a------- c:\winxp\system32\wpa.dbl
2009-09-20 18:07 45,056 a------- c:\winxp\system32\smyrp.dll
2009-09-20 18:06 73,216 a------- c:\winxp\system32\inform.dat
2009-09-20 18:06 45,056 a------- c:\winxp\system32\smarp.dll
2009-09-20 18:06 3 a------- c:\winxp\system32\lkd
2009-09-20 16:57 6 a------- c:\winxp\system32\_id.dat
2009-09-20 16:50 88,576 a------- c:\winxp\system32\sekikawe.dll
2009-09-20 15:52 <DIR> --d----- C:\Autoruns
2009-09-20 15:41 7,396 a------- c:\winxp\system32\drivers\pctcore.cat
2009-09-20 15:41 <DIR> --d----- c:\program files\common files\PC Tools
2009-09-20 15:30 38,400 a------- c:\winxp\system32\minotaze.dll
2009-09-20 12:24 <DIR> --dsh--- C:\FOUND.001
2009-09-20 11:45 161,536 a------- c:\winxp\system32\dllcache\ndis.sys
2009-09-20 11:44 744 a------- C:\3434717.exe
2009-09-20 11:44 0 a------- c:\winxp\SC.INS
2009-09-19 06:21 <DIR> --d----- c:\docume~1\leila\applic~1\Dropbox
2009-09-17 15:31 54,156 a---h--- c:\winxp\QTFont.qfn
2009-09-17 15:31 1,409 a------- c:\winxp\QTFont.for
2009-08-29 08:53 <DIR> --dsh--- C:\FOUND.000
2009-08-22 20:51 0 a----r-- C:\logwmemory.bin
2009-08-22 20:47 <DIR> --d----- c:\docume~1\leila\applic~1\Soldat

==================== Find3M ====================

2009-09-21 16:42 4 ----h--- c:\winxp\fonts\mlog
2009-09-20 11:45 161,536 a------- c:\winxp\system32\drivers\ndis.sys
2009-09-03 19:57 246,184 a------- c:\docume~1\leila\applic~1\GDIPFONTCACHEV1.DAT
2009-07-25 05:23 411,368 a------- c:\winxp\system32\deploytk.dll
2009-06-26 20:22 2,129,408 a------- c:\winxp\system32\python31.dll
2004-06-16 20:52 282 a------- c:\program files\Favorites.pre
2003-12-18 23:53 266 ---sh--- c:\program files\desktop.ini
2003-12-18 23:53 11,079 ----h--- c:\program files\folder.htt
2002-07-31 19:55 102 ---sh--- c:\winxp\WSYS049.SYS
1999-07-07 08:00 6 ---shr-- c:\winxp\@@desktop.dat
2005-01-01 13:39 1,682 a--sh--- c:\winxp\system32\KGyGaAvL.sys
2005-01-01 13:39 56 ---shr-- c:\winxp\system32\D598D6EA47.sys
2005-08-05 20:56 276 ---sh--- c:\winxp\system32\oypmzlb\csrss.dat

============= FINISH: 18:27:16.60 ===============

I trust help'll be on the way.
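The indicators described in the post above (a misspelled copy of a system process name, autostart entries pointing at numbered .tmp files, policy values that block administrative tools, extra DLLs in AppInit_DLLs and in the LSA Notification Packages list) can be pulled out of a DDS-style log mechanically rather than by eye. The Python script below is an added example, not a BleepingComputer or DDS tool and not part of the original post: the rule names, the SYSTEM_BINARIES table and the policy and LSA allow-lists are its own assumptions, and the sample lines are constructed in DDS format from entries in the DDS log above and the OTL log later in this thread.

```python
# Triage a DDS-style log for the autostart and process indicators seen in this thread.
# Added example, not a DDS/BleepingComputer tool; rule names and tables are assumptions.
import ntpath
import re
from typing import List, Optional, Tuple

# Process names malware commonly imitates, mapped to where the genuine binary lives:
# "system32" = %SystemRoot%\system32, "root" = %SystemRoot% itself.
SYSTEM_BINARIES = {
    "services.exe": "system32", "svchost.exe": "system32", "lsass.exe": "system32",
    "csrss.exe": "system32", "winlogon.exe": "system32", "spoolsv.exe": "system32",
    "explorer.exe": "root",
}
# Policy values that block the tools the poster found disabled (real value names under
# ...\Policies\System and ...\Policies\Explorer; DDS prints "uPolicies-<key>: <name> = <n>").
TOOL_BLOCKING_POLICIES = {"DisableTaskMgr", "DisableRegistryTools", "DisallowCpl",
                          "NoControlPanel", "NoRun"}
LSA_ALLOWLIST = {"scecli"}  # stock Notification Packages value on a standalone XP box

RUN_RE = re.compile(r"^[umd](?:Explorer)?Run:\s*\[(?P<name>[^\]]*)\]\s*(?P<target>.+)$", re.I)
POLICY_RE = re.compile(r"^[um]Policies-\w+:\s*(?P<name>\w+)\s*=\s*(?P<value>\d+)", re.I)
PROC_RE = re.compile(r"^(?P<image>[a-z]:\\.*?\.(?:exe|scr)|[\w.]+\.exe)\b\s*(?P<args>.*)$", re.I)
TMP_RE = re.compile(r"\.tmp(?:\.exe)?$", re.I)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; catches one-letter typosquats such as servises.exe."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(basename: str) -> Optional[str]:
    """Return the system binary this name imitates, or None if it is exact or not close."""
    for real in SYSTEM_BINARIES:
        if basename != real and edit_distance(basename, real) <= 1:
            return real
    return None


def misplaced_system_binary(path: str) -> bool:
    """True when a genuine system-binary name runs from a directory it never lives in."""
    expected = SYSTEM_BINARIES.get(ntpath.basename(path).lower())
    if expected is None or "\\" not in path:
        return False  # unknown name, or DDS printed a bare name with no path to judge
    parent = ntpath.dirname(path).lower()
    depth = parent.count("\\")  # "c:\winxp" -> 1, "c:\winxp\system32" -> 2
    if expected == "root":
        return depth != 1
    return not (parent.endswith("\\system32") and depth == 2)


def triage(log_text: str) -> List[Tuple[str, str]]:
    """Return (rule, line) pairs worth a human look; a triage aid, not a verdict."""
    findings: List[Tuple[str, str]] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = RUN_RE.match(line)
        if m:  # Run / ExplorerRun autostart entries from the Pseudo HJT Report
            target = m.group("target").strip()
            if TMP_RE.search(target) or target.startswith(".\\"):
                findings.append(("autostart-temp-file", line))
            real = lookalike_of(ntpath.basename(target).lower())
            if real:
                findings.append((f"autostart-lookalike:{real}", line))
            continue
        m = POLICY_RE.match(line)
        if m:
            if m.group("name") in TOOL_BLOCKING_POLICIES and int(m.group("value")) != 0:
                findings.append(("tool-blocking-policy", line))
            continue
        if line.lower().startswith("appinit_dlls:"):
            if line.split(":", 1)[1].split():  # any value at all is unusual on a home XP box
                findings.append(("appinit-dll-injection", line))
            continue
        if line.lower().startswith("lsa: notification packages"):
            pkgs = line.split("=", 1)[1].split()
            if any(p.lower() not in LSA_ALLOWLIST for p in pkgs):
                findings.append(("lsa-notification-package", line))
            continue
        m = PROC_RE.match(line)
        if m:  # Running Processes section
            image, args = m.group("image"), m.group("args")
            if misplaced_system_binary(image):
                findings.append(("system-name-outside-system32", line))
            if lookalike_of(ntpath.basename(image).lower()):
                findings.append(("process-lookalike", line))
            if TMP_RE.search(args):
                findings.append(("process-loads-temp-file", line))
    return findings


# Constructed sample in DDS "Running Processes" / "Pseudo HJT Report" format; the values
# come from the DDS and OTL logs in this thread, not from a live capture.
SAMPLE_DDS = r"""
C:\WINXP\system32\svchost -k rpcss
C:\WINXP\System32\svchost.exe -k netsvcs
svchost.exe C:\WINXP\TEMP\VRT2.tmp
C:\WINDOWS\services.exe
C:\WINDOWS\System32\3361\services.exe
uRun: [ctfmon.exe] c:\winxp\system32\ctfmon.exe
uRun: [servises] c:\winxp\system32\servises.exe
mRun: [11722] c:\winxp\system32\5.tmp.exe
dRun: [sys64_nov] .\4.tmp
uPolicies-explorer: DisallowCpl = 1 (0x1)
uPolicies-explorer: MaxRecentDocs = 11 (0xb)
AppInit_DLLs: hizuriki.dll duvafiyi.dll c:\winxp\system32\folayeju.dll
LSA: Notification Packages = scecli telopezo.dll hizuriki.dll
"""

if __name__ == "__main__":
    for rule, line in triage(SAMPLE_DDS):
        print(f"{rule:32} {line}")
```

Run as-is it lists nine flagged lines from the constructed sample and stays silent on the genuine svchost.exe, ctfmon.exe and MaxRecentDocs entries. The two checks that carry the most weight here are the ones a quick read of the log tends to miss: a known system-binary name executing from the wrong directory (C:\WINDOWS\services.exe and a System32\3361 subfolder both fail that test), and a name one edit away from a real one; the remaining rules simply encode the indicators the poster already noticed.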


#2 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,771 posts
  • OFFLINE
  • Gender:Female
  • Location:At home
  • Local time:07:17 PM

Posted 08 October 2009 - 05:59 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

Please include a clear description of the problems you're having, along with any steps you may have performed so far.

Please refrain from running tools or applying updates other than those we suggest while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.

Even if you have already provided information about your PC, we need a new log to see what has changed since you originally posted your problem.
  • Please download OTL from the following mirror:
  • Save it to your desktop.
  • Double click on the OTL icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Push the Run Scan button.
  • Two reports will open, copy and paste them in a reply here:
    • OTL.txt <-- Will be opened
    • Extra.txt <-- Will be minimized
In the upper right hand corner of the topic you will see a button called Options. If you click on this in the drop-down menu you can choose Track this topic. I suggest you do this and select Immediate E-Mail notification and click on Proceed. This way you will be advised when we respond to your topic and facilitate the cleaning of your machine.

After 5 days if a topic is not replied to we assume it has been abandoned and it is closed.

regards _temp_

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!



#3 R10pez10

R10pez10
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  • Local time:01:17 AM

Posted 08 October 2009 - 10:13 AM

That's fine, that's alright.
I figured I'm not the only one having computer problems! Heh.
While it's scanning now, I better mention a few of the things that've been happening.

Watching the processes with ProcessExplorer when connecting to the internet showed that a lot of crap seems to happen when I connect to the internet. So much so, that it would debilitate the connection to the point of not-able-to-be-used-ability. So I'm actually viewing this now on a cheap laptop bought off of a friend of my sister. It's alright, actually. Anyway I copied the .exe I downloaded from the mirror onto a USB, then copied it onto the other computer, then ran it (being very careful not to run the .exe off the USB because trying to run ComboFix before [I thought it would be worth a shot], it said it wouldn't run because it had been compromised by something called virut? [virut, I read, travels by attaching itself to .exe files]). So I've copied and pasted the logs from the other computer on the USB and I'll transfer them over now (it finished scanning quicker than I expected).

Also I found something called KillBox and was permanently removing malicious files manually (with enough success to keep me satisfied) until I accidentally removed an essential-to-startup file... I'll skip the details on this but panic did ensue. But luckily I had the hard drive that a friend gave me, and since the original hard-drive wouldn't boot any more, it is now the slave to my friend's hard drive master. So the computer works again.

I think that's enough of my wordy ramblings for now, heh. I don't know if they made any sense?
Here are the logs, OTL.Txt:

OTL logfile created on: 8/10/2009 10:55:28 PM - Run 1
OTL by OldTimer - Version 3.0.18.4 Folder = C:\Documents and Settings\Ronald\Desktop
Windows XP Professional Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.2180)
Locale: 00000C09 | Country: Australia | Language: ENA | Date Format: d/MM/yyyy

1023.48 Mb Total Physical Memory | 740.96 Mb Available Physical Memory | 72.40% Memory free
1.61 Gb Paging File | 1.43 Gb Available in Paging File | 88.92% Paging File free
Paging file location(s): C:\pagefile.sys 720 1440 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 195.31 Gb Total Space | 190.16 Gb Free Space | 97.36% Space Free | Partition Type: NTFS
Drive D: | 102.77 Gb Total Space | 102.71 Gb Free Space | 99.94% Space Free | Partition Type: NTFS
E: Drive not present or media not loaded
F: Drive not present or media not loaded
Drive G: | 27.94 Gb Total Space | 2.12 Gb Free Space | 7.57% Space Free | Partition Type: FAT32
H: Drive not present or media not loaded
Drive I: | 7.52 Gb Total Space | 6.99 Gb Free Space | 92.94% Space Free | Partition Type: FAT32

Computer Name: RONALDS-COMP
Current User Name: Ronald
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2009/01/19 05:34:37 | 00,921,936 | ---- | M] (Lavasoft) -- C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
PRC - [2008/05/16 14:01:00 | 00,180,292 | ---- | M] (NVIDIA Corporation) -- C:\WINDOWS\System32\nvsvc32.exe
PRC - [2004/08/04 20:00:00 | 00,033,792 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\wbem\unsecapp.exe
PRC - [2004/08/04 20:00:00 | 00,235,520 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\wbem\wmiprvse.exe
PRC - [2009/01/19 05:34:48 | 00,506,712 | ---- | M] (Lavasoft) -- C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
PRC - [2004/08/04 20:00:00 | 01,049,088 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2004/08/04 20:00:00 | 00,135,168 | -H-- | M] (lin) -- C:\WINDOWS\System32\3361\services.exe
PRC - [2009/02/20 20:03:56 | 00,055,809 | ---- | M] () -- C:\WINDOWS\services.exe
PRC - [2009/02/20 20:03:56 | 00,055,809 | ---- | M] () -- C:\WINDOWS\services.exe
PRC - [2004/08/04 20:00:00 | 00,406,016 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\cmd.exe
PRC - [2009/02/20 20:03:56 | 00,055,809 | ---- | M] () -- C:\WINDOWS\services.exe
PRC - [2009/09/24 11:34:51 | 00,056,832 | ---- | M] (Heaventools Software) -- C:\WINDOWS\System32\reader_s.exe
PRC - [2009/09/24 11:34:52 | 00,056,320 | ---- | M] (Heaventools Software) -- C:\Documents and Settings\Ronald\reader_s.exe
PRC - [2009/01/09 18:57:32 | 07,440,896 | ---- | M] (OpenOffice.org) -- C:\Program Files\OpenOffice.org 3\program\soffice.exe
PRC - [2009/01/09 19:00:52 | 07,418,368 | ---- | M] (OpenOffice.org) -- C:\Program Files\OpenOffice.org 3\program\soffice.bin
PRC - [2009/01/09 19:00:52 | 07,418,368 | ---- | M] (OpenOffice.org) -- C:\Program Files\OpenOffice.org 3\program\soffice.bin
PRC - [2009/10/05 06:09:12 | 00,538,624 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Ronald\Desktop\OTL.exe

========== Win32 Services (SafeList) ==========

SRV - [2005/09/23 06:28:32 | 00,029,896 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe -- (aspnet_state [On_Demand | Stopped])
SRV - [2005/09/23 06:28:56 | 00,066,240 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32 [On_Demand | Stopped])
SRV - [2004/08/04 20:00:00 | 00,038,912 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc.dll -- (helpsvc [Auto | Running])
SRV - [2009/01/19 05:34:37 | 00,921,936 | ---- | M] (Lavasoft) -- C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe -- (Lavasoft Ad-Aware Service [Auto | Running])
SRV - [2008/05/16 14:01:00 | 00,180,292 | ---- | M] (NVIDIA Corporation) -- C:\WINDOWS\System32\nvsvc32.exe -- (NVSvc [Auto | Running])

========== Driver Services (SafeList) ==========

DRV - [2005/03/22 09:48:30 | 00,039,904 | ---- | M] (Adaptec, Inc.) -- C:\WINDOWS\System32\drivers\cercsr6.sys -- (cercsr6 [Boot | Stopped])
DRV - [2004/08/04 20:00:00 | 00,002,304 | ---- | M] () -- C:\WINDOWS\System32\isadisk.sys -- (isadisk [On_Demand | Stopped])
DRV - [2009/01/19 05:30:13 | 00,064,160 | ---- | M] (Lavasoft AB) -- C:\WINDOWS\system32\DRIVERS\Lbd.sys -- (Lbd [Boot | Running])
DRV - [2009/02/16 15:36:10 | 00,033,920 | ---- | M] () -- C:\WINDOWS\System32\Drivers\lniabcco.sys -- (lniabcco [Boot | Running])
DRV - [2008/05/16 14:01:00 | 06,557,408 | ---- | M] (NVIDIA Corporation) -- C:\WINDOWS\System32\DRIVERS\nv4_mini.sys -- (nv [On_Demand | Running])
DRV - [2009/02/16 15:28:54 | 00,053,248 | ---- | M] () -- C:\WINDOWS\System32\DRIVERS\ndisio.sys -- (Passthru [On_Demand | Running])
DRV - [2004/08/04 20:00:00 | 00,017,792 | ---- | M] (Parallel Technologies, Inc.) -- C:\WINDOWS\System32\DRIVERS\ptilink.sys -- (Ptilink [On_Demand | Running])
DRV - [2009/02/07 15:40:40 | 00,000,000 | ---D | M] -- C:\WINDOWS\System32\Restore -- (restore [On_Demand | Stopped])
DRV - [2004/08/04 20:00:00 | 00,027,440 | ---- | M] () -- C:\WINDOWS\System32\DRIVERS\secdrv.sys -- (Secdrv [On_Demand | Stopped])
DRV - [2004/08/04 06:31:36 | 00,032,768 | ---- | M] (SiS Corporation) -- C:\WINDOWS\System32\DRIVERS\sisnic.sys -- (SISNIC [On_Demand | Running])
DRV - [2009/09/23 16:43:25 | 00,040,192 | ---- | M] () -- C:\WINDOWS\System32\DRIVERS\zkixmwapy9.sys -- (zkixmwapy9 [System | Running])

========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?p...&ar=msnhome
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?p...ER}&ar=home
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm


IE - HKU\.DEFAULT\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-299502267-606747145-725345543-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
IE - HKU\S-1-5-21-299502267-606747145-725345543-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Page_Transitions = 1
IE - HKU\S-1-5-21-299502267-606747145-725345543-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
IE - HKU\S-1-5-21-299502267-606747145-725345543-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com.au/
IE - HKU\S-1-5-21-299502267-606747145-725345543-1003\S-1-5-21-299502267-606747145-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..extensions.enabledItems: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}:1.0.1
FF - prefs.js..extensions.enabledItems: {DDC359D1-844A-42a7-9AA1-88A850A938A8}:1.1.0
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}:6.0.07
FF - prefs.js..extensions.enabledItems: treestyletab@piro.sakura.ne.jp:0.7.2009021201
FF - prefs.js..extensions.enabledItems: {972ce4c6-7e08-4474-a285-3208198ce6fd}:3.0.6

FF - HKLM\software\mozilla\Mozilla Firefox 3.0.6\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2081/02/14 20:27:23 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.0.6\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2081/02/14 20:27:23 | 00,000,000 | ---D | M]

[2009/02/09 17:31:22 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Ronald\Application Data\mozilla\Extensions
[2009/02/09 17:31:22 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Ronald\Application Data\mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}
[2009/06/17 17:20:29 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Ronald\Application Data\mozilla\Firefox\Profiles\s5hz51qa.default\extensions
[2081/02/14 21:23:04 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Ronald\Application Data\mozilla\Firefox\Profiles\s5hz51qa.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
[2009/02/15 09:34:35 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Ronald\Application Data\mozilla\Firefox\Profiles\s5hz51qa.default\extensions\{DDC359D1-844A-42a7-9AA1-88A850A938A8}
[2081/02/14 20:56:23 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Ronald\Application Data\mozilla\Firefox\Profiles\s5hz51qa.default\extensions\foxmarks@kei.com
[2081/02/14 21:23:04 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Ronald\Application Data\mozilla\Firefox\Profiles\s5hz51qa.default\extensions\treestyletab@piro.sakura.ne.jp
[2009/02/15 09:35:32 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions
[2009/02/09 17:30:55 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
[2009/02/12 21:03:33 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
[2009/01/20 13:08:56 | 00,023,032 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browserdirprovider.dll
[2009/01/20 13:08:57 | 00,134,648 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\brwsrcmp.dll
[2009/02/06 11:44:28 | 01,447,296 | ---- | M] (Microsoft Corporation) -- C:\Program Files\mozilla firefox\plugins\npLegitCheckPlugin.dll
[2009/01/20 13:08:58 | 00,065,528 | ---- | M] (mozilla.org) -- C:\Program Files\mozilla firefox\plugins\npnul32.dll
[2009/01/20 07:28:04 | 00,001,394 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\amazondotcom.xml
[2009/01/20 07:28:04 | 00,002,193 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\answers.xml
[2009/01/20 07:28:04 | 00,001,534 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\creativecommons.xml
[2009/01/20 07:28:04 | 00,002,343 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\eBay.xml
[2009/01/20 07:28:04 | 00,001,706 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\google.xml
[2009/01/20 07:28:04 | 00,001,178 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\wikipedia.xml
[2009/01/20 07:28:04 | 00,000,792 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\yahoo.xml

O1 HOSTS File: (734 bytes) - C:\WINDOWS\System32\drivers\etc\Hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (AVG Safe Search) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll File not found
O2 - BHO: (no name) - {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - C:\WINDOWS\System32\pmnllkHb.dll ()
O4 - HKLM..\Run: [16915] C:\WINDOWS\System32\16.tmp.exe File not found
O4 - HKLM..\Run: [gesitugewe] C:\WINDOWS\System32\motatuwo.DLL ()
O4 - HKLM..\Run: [noyijekom] C:\WINDOWS\System32\tuhuguhi.DLL ()
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [reader_s] C:\WINDOWS\System32\reader_s.exe (Heaventools Software)
O4 - HKLM..\Run: [services] C:\WINDOWS\services.exe ()
O4 - HKU\.DEFAULT..\Run: [reader_s] File not found
O4 - HKU\.DEFAULT..\Run: [sys64_nov] File not found
O4 - HKU\S-1-5-18..\Run: [reader_s] File not found
O4 - HKU\S-1-5-18..\Run: [sys64_nov] File not found
O4 - HKU\S-1-5-21-299502267-606747145-725345543-1003..\Run: [reader_s] C:\Documents and Settings\Ronald\reader_s.exe (Heaventools Software)
O4 - Startup: C:\Documents and Settings\Ronald\Start Menu\Programs\Startup\OpenOffice.org 3.0.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe ()
F3 - HKU\.DEFAULT WinNT: Load - (C:\WINDOWS\system32\msnvyo.exe) - C:\WINDOWS\System32\msnvyo.exe (-)
F3 - HKU\.DEFAULT WinNT: Run - (C:\WINDOWS\system32\msvcotwy.exe) - C:\WINDOWS\System32\msvcotwy.exe (-)
F3 - HKU\S-1-5-18 WinNT: Load - (C:\WINDOWS\system32\msnvyo.exe) - C:\WINDOWS\System32\msnvyo.exe (-)
F3 - HKU\S-1-5-18 WinNT: Run - (C:\WINDOWS\system32\msvcotwy.exe) - C:\WINDOWS\System32\msvcotwy.exe (-)
F3 - HKU\S-1-5-21-299502267-606747145-725345543-1003 WinNT: Load - (C:\WINDOWS\system32\msopie.exe) - C:\WINDOWS\System32\msopie.exe (-)
F3 - HKU\S-1-5-21-299502267-606747145-725345543-1003 WinNT: Run - (C:\WINDOWS\system32\msomyuu.exe) - C:\WINDOWS\System32\msomyuu.exe (-)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Main present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: dontdisplaylastusername = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticecaption =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticetext =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: shutdownwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: undockwithoutlogon = 1
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableTaskMgr = 1
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableRegistryTools = 1
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableTaskMgr = 1
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableRegistryTools = 1
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-299502267-606747145-725345543-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O9 - Extra 'Tools' menuitem : Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\npjpi160_07.dll (Sun Microsystems, Inc.)
O9 - Extra Button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000004 - C:\WINDOWS\System32\rsvpsp.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000005 - C:\WINDOWS\System32\rsvpsp.dll (Microsoft Corporation)
O15 - HKLM\..Trusted Domains: 1 domain(s) and sub-domain(s) not assigned to a zone.
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_07)
O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_07)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_07)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://download.macromedia.com/pub/shockwa...ash/swflash.cab (Shockwave Flash Object)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1
O18 - Protocol\Handler\http\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\http\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\https\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\https\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\ipp - No CLSID value found
O18 - Protocol\Handler\ipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\linkscanner {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll File not found
O18 - Protocol\Handler\msdaipp - No CLSID value found
O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O20 - AppInit_DLLs: (c:\progra~1\Manson\liser.dll) - c:\Program Files\Manson\liser.dll ()
O20 - AppInit_DLLs: (c:\windows\system32\tuhuguhi.dll) - C:\WINDOWS\System32\tuhuguhi.dll ()
O20 - AppInit_DLLs: (wohupuda.dll) - C:\WINDOWS\System32\wohupuda.dll ()
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\kiyivoc: DllName - thisiswrong.dll - File not found
O20 - Winlogon\Notify\pmnllkHb: DllName - pmnllkHb.dll - C:\WINDOWS\System32\pmnllkHb.dll ()
O21 - SSODL: vasudozel - {d58ffe82-da87-47da-8f2f-7b908d3c2b7e} - C:\WINDOWS\System32\tuhuguhi.dll ()
O22 - SharedTaskScheduler: {d58ffe82-da87-47da-8f2f-7b908d3c2b7e} - tokatiluy - C:\WINDOWS\System32\tuhuguhi.dll ()
O24 - Desktop Components:0 (My Current Home Page) - About:Home
O28 - HKLM ShellExecuteHooks: {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - C:\WINDOWS\System32\pmnllkHb.dll ()
O30 - LSA: Authentication Packages - (C:\WINDOWS\system32\vtUlLFur) - File not found
O31 - SafeBoot: AlternateShell - cmd.exe
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009/02/07 15:35:07 | 00,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2003/12/18 23:54:10 | 00,000,000 | ---- | M] () - G:\AUTOEXEC.BAT -- [ FAT32 ]
O32 - AutoRun File - [2009/09/20 15:52:22 | 00,000,000 | ---D | M] - G:\Autoruns -- [ FAT32 ]
O34 - HKLM BootExecute: (autocheck) - File not found
O34 - HKLM BootExecute: (autochk) - C:\WINDOWS\System32\autochk.exe (Microsoft Corporation)
O34 - HKLM BootExecute: (*) - File not found
O34 - HKLM BootExecute: (lsdelete) - C:\WINDOWS\System32\lsdelete.exe ()
O35 - comfile [open] -- "%1" %* File not found
O35 - exefile [open] -- "%1" %* File not found

========== Files/Folders - Created Within 30 Days ==========

[9 C:\WINDOWS\System32\*.tmp files]
[3 C:\WINDOWS\*.tmp files]
[2009/09/24 12:56:47 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\avg8
[2009/09/24 12:25:15 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\f-secure
[2081/02/14 20:53:36 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\PC Drivers HeadQuarters
[2081/02/14 20:22:29 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Windows Genuine Advantage
[2081/02/14 21:05:31 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Ronald\Application Data\cogad
[2081/02/14 20:51:23 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Ronald\Local Settings\Application Data\Downloaded Installations
[2081/02/15 09:24:33 | 00,000,000 | ---D | C] -- C:\Program Files\Trend Micro
[2081/02/15 09:23:21 | 00,812,344 | ---- | C] (Trend Micro Inc.) -- C:\Documents and Settings\Ronald\Desktop\HJTInstall.exe
[2081/02/15 08:03:53 | 00,000,000 | ---D | C] -- C:\WINDOWS\Minidump
[2081/02/14 21:46:04 | 00,077,312 | ---- | C] (Realtek Semiconductor Corp.) -- C:\WINDOWS\ALCFDRTM.EXE
[2081/02/14 21:46:04 | 00,060,416 | ---- | C] (Realtek Semiconductor Corp.) -- C:\WINDOWS\ALCFDRTM.VER
[2081/02/14 21:46:03 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\Lang
[2081/02/14 21:06:13 | 00,000,000 | -HSD | C] -- C:\WINDOWS\$ntunistalls
[2081/02/14 21:05:39 | 00,062,464 | ---- | C] (MainConcept AG) -- C:\WINDOWS\Jwotabafitizoyiz.dll
[2081/02/14 21:04:42 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\inf
[2081/02/14 20:24:28 | 00,897,920 | ---- | C] (Microsoft Corporation) -- C:\Documents and Settings\Ronald\Desktop\WGAPluginInstall.exe
[2009/10/08 22:55:15 | 00,538,624 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Ronald\Desktop\OTL.exe
[2009/09/24 11:15:32 | 00,000,000 | ---D | C] -- C:\Qoobox
[2009/09/24 11:14:03 | 04,608,744 | ---- | C] (Microsoft Corporation) -- C:\Documents and Settings\Ronald\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[2009/09/24 10:47:47 | 00,258,048 | ---- | C] (-) -- C:\4205983.exe
[2009/09/24 10:47:43 | 00,056,832 | ---- | C] (Heaventools Software) -- C:\WINDOWS\System32\reader_s.exe
[2009/09/24 10:37:35 | 00,000,000 | -H-D | C] -- C:\WINDOWS\System32\GroupPolicy
[2009/09/24 10:18:05 | 03,550,592 | ---- | C] (Sysinternals - www.sysinternals.com) -- C:\Documents and Settings\Ronald\Desktop\procexp.exe
[2009/09/24 09:54:42 | 00,111,104 | ---- | C] (Option^Explicit Software vbtechcd@gmail.com) -- C:\Documents and Settings\Ronald\Desktop\KillBox.exe

========== Files - Modified Within 30 Days ==========

[9 C:\WINDOWS\System32\*.tmp files]
[3 C:\WINDOWS\*.tmp files]
[2081/02/15 09:24:33 | 00,001,734 | ---- | M] () -- C:\Documents and Settings\Ronald\Desktop\HijackThis.lnk
[2081/02/15 09:23:44 | 00,812,344 | ---- | M] (Trend Micro Inc.) -- C:\Documents and Settings\Ronald\Desktop\HJTInstall.exe
[2081/02/15 09:00:54 | 00,000,595 | ---- | M] () -- C:\WINDOWS\xccwinsys.ini
[2081/02/15 09:00:54 | 00,000,201 | ---- | M] () -- C:\WINDOWS\System32\xcchit32.ini
[2081/02/15 09:00:14 | 00,251,392 | ---- | M] () -- C:\WINDOWS\xccdf32_090131a.dll
[2081/02/15 08:44:26 | 00,099,696 | ---- | M] () -- C:\WINDOWS\System32\drivers\f9e5e08a.sys
[2081/02/15 00:22:57 | 00,030,094 | -HS- | M] () -- C:\WINDOWS\System32\hiklUtwa.ini
[2081/02/15 00:21:00 | 00,030,094 | -HS- | M] () -- C:\WINDOWS\System32\hiklUtwa.ini2
[2081/02/14 21:46:05 | 00,940,794 | ---- | M] () -- C:\WINDOWS\System32\LoopyMusic.wav
[2081/02/14 21:46:05 | 00,146,650 | ---- | M] () -- C:\WINDOWS\System32\BuzzingBee.wav
[2081/02/14 21:46:04 | 00,077,312 | ---- | M] (Realtek Semiconductor Corp.) -- C:\WINDOWS\ALCFDRTM.EXE
[2081/02/14 21:46:04 | 00,060,416 | ---- | M] (Realtek Semiconductor Corp.) -- C:\WINDOWS\ALCFDRTM.VER
[2081/02/14 21:07:26 | 00,182,912 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\drivers\ndis.sys
[2081/02/14 21:07:26 | 00,182,912 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\ndis.sys
[2081/02/14 21:05:39 | 00,062,464 | ---- | M] (MainConcept AG) -- C:\WINDOWS\Jwotabafitizoyiz.dll
[2081/02/14 21:05:30 | 00,065,536 | ---- | M] () -- C:\WINDOWS\System32\drivers\UACalwrsvsa.sys
[2081/02/14 21:05:28 | 00,003,182 | ---- | M] () -- C:\WINDOWS\ios.dat
[2081/02/14 21:05:25 | 00,039,424 | ---- | M] () -- C:\WINDOWS\System32\pmnllkHb.dll
[2081/02/14 21:05:19 | 00,032,256 | ---- | M] () -- C:\WINDOWS\System32\crypts.dll
[2081/02/14 21:04:46 | 00,036,352 | ---- | M] () -- C:\WINDOWS\xccdf16_090131a.dll
[2081/02/14 21:04:42 | 00,155,156 | ---- | M] () -- C:\WINDOWS\System\xccef090131.exe
[2081/02/14 20:24:28 | 00,897,920 | ---- | M] (Microsoft Corporation) -- C:\Documents and Settings\Ronald\Desktop\WGAPluginInstall.exe
[2009/10/08 22:57:40 | 00,011,168 | -H-- | M] () -- C:\WINDOWS\System32\rasuhena
[2009/10/08 22:53:32 | 00,000,104 | ---- | M] () -- C:\WINDOWS\System32\NvApps.xml
[2009/10/08 22:52:07 | 00,013,646 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2009/10/08 22:52:00 | 00,000,318 | ---- | M] () -- C:\WINDOWS\tasks\qwedvofu.job
[2009/10/08 22:52:00 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2009/10/08 22:51:56 | 00,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2009/10/08 22:51:53 | 00,111,784 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2009/10/06 16:23:22 | 04,900,442 | -H-- | M] () -- C:\Documents and Settings\Ronald\Local Settings\Application Data\IconCache.db
[2009/10/05 06:09:12 | 00,538,624 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Ronald\Desktop\OTL.exe
[2009/09/24 14:35:09 | 00,024,752 | ---- | M] () -- C:\Documents and Settings\Ronald\Desktop\heh.PNG
[2009/09/24 13:50:33 | 04,608,000 | ---- | M] () -- C:\WINDOWS\System32\rmvirut.nt
[2009/09/24 13:50:33 | 00,000,045 | ---- | M] () -- C:\WINDOWS\System32\rmvirut.lst
[2009/09/24 11:34:51 | 00,056,832 | ---- | M] (Heaventools Software) -- C:\WINDOWS\System32\reader_s.exe
[2009/09/24 11:34:25 | 00,013,588 | ---- | M] () -- C:\WINDOWS\System32\wpa.bak
[2009/09/24 11:32:46 | 00,000,007 | ---- | M] () -- C:\WINDOWS\System32\comsa32.sys
[2009/09/24 11:20:30 | 02,734,080 | ---- | M] () -- C:\Documents and Settings\Ronald\Desktop\rmvirut.exe
[2009/09/24 11:12:36 | 04,608,744 | ---- | M] (Microsoft Corporation) -- C:\Documents and Settings\Ronald\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[2009/09/24 10:47:47 | 00,258,048 | ---- | M] (-) -- C:\4205983.exe
[2009/09/24 10:47:47 | 00,044,070 | ---- | M] () -- C:\WINDOWS\System32\sys64_nov.exe
[2009/09/24 10:47:38 | 00,040,192 | ---- | M] () -- C:\WINDOWS\System32\drivers\zspnfypyt7.sys
[2009/09/24 10:47:27 | 00,000,724 | ---- | M] () -- C:\8716699.exe
[2009/09/24 10:47:18 | 00,000,000 | ---- | M] () -- C:\WINDOWS\SC.INS
[2009/09/24 10:47:18 | 00,000,000 | ---- | M] () -- C:\WINDOWS\sc.exe
[2009/09/23 22:31:14 | 00,111,104 | ---- | M] (Option^Explicit Software vbtechcd@gmail.com) -- C:\Documents and Settings\Ronald\Desktop\KillBox.exe
[2009/09/23 16:43:25 | 00,040,192 | ---- | M] () -- C:\WINDOWS\System32\drivers\zkixmwapy9.sys
[2009/09/23 16:34:49 | 00,360,320 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\drivers\TCPIP.SYS
[2009/09/23 16:34:49 | 00,360,320 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\TCPIP.SYS
[2009/09/23 16:34:27 | 00,088,576 | -HS- | M] () -- C:\WINDOWS\System32\tuhuguhi.dll
[2009/09/23 16:34:25 | 00,038,400 | -HS- | M] () -- C:\WINDOWS\System32\bejanapo.dll
[2009/09/21 06:52:22 | 00,038,400 | -HS- | M] () -- C:\WINDOWS\System32\mijejabe.dll
[2009/09/21 06:45:24 | 00,000,744 | ---- | M] () -- C:\8077356.exe

========== Files - No Company Name ==========
[2081/02/15 09:24:33 | 00,001,734 | ---- | C] () -- C:\Documents and Settings\Ronald\Desktop\HijackThis.lnk
[2081/02/14 21:46:05 | 00,940,794 | ---- | C] () -- C:\WINDOWS\System32\LoopyMusic.wav
[2081/02/14 21:46:05 | 00,146,650 | ---- | C] () -- C:\WINDOWS\System32\BuzzingBee.wav
[2081/02/14 21:10:57 | 00,030,094 | -HS- | C] () -- C:\WINDOWS\System32\hiklUtwa.ini2
[2081/02/14 21:10:57 | 00,030,094 | -HS- | C] () -- C:\WINDOWS\System32\hiklUtwa.ini
[2081/02/14 21:07:27 | 00,069,632 | -H-- | C] () -- C:\WINDOWS\System32\secupdat.dat
[2081/02/14 21:07:26 | 00,053,248 | ---- | C] () -- C:\WINDOWS\System32\drivers\ndisio.sys
[2081/02/14 21:07:17 | 00,138,432 | ---- | C] () -- C:\WINDOWS\System32\drivers\ethocvin.sys
[2081/02/14 21:05:28 | 00,003,182 | ---- | C] () -- C:\WINDOWS\ios.dat
[2081/02/14 21:05:25 | 00,039,424 | ---- | C] () -- C:\WINDOWS\System32\pmnllkHb.dll
[2081/02/14 21:05:20 | 00,000,201 | ---- | C] () -- C:\WINDOWS\System32\xcchit32.ini
[2081/02/14 21:05:19 | 00,032,256 | ---- | C] () -- C:\WINDOWS\System32\crypts.dll
[2081/02/14 21:05:10 | 00,065,536 | ---- | C] () -- C:\WINDOWS\System32\drivers\UACalwrsvsa.sys
[2081/02/14 21:05:06 | 00,099,696 | ---- | C] () -- C:\WINDOWS\System32\drivers\f9e5e08a.sys
[2081/02/14 21:04:46 | 00,251,392 | ---- | C] () -- C:\WINDOWS\xccdf32_090131a.dll
[2081/02/14 21:04:46 | 00,036,352 | ---- | C] () -- C:\WINDOWS\xccdf16_090131a.dll
[2081/02/14 21:04:44 | 00,155,156 | ---- | C] () -- C:\WINDOWS\System\xccef090131.exe
[2081/02/14 21:04:42 | 00,000,595 | ---- | C] () -- C:\WINDOWS\xccwinsys.ini
[2009/09/24 14:35:09 | 00,024,752 | ---- | C] () -- C:\Documents and Settings\Ronald\Desktop\heh.PNG
[2009/09/24 12:27:04 | 02,734,080 | ---- | C] () -- C:\Documents and Settings\Ronald\Desktop\rmvirut.exe
[2009/09/24 11:36:04 | 00,000,104 | ---- | C] () -- C:\WINDOWS\System32\NvApps.xml
[2009/09/24 11:34:38 | 00,013,588 | ---- | C] () -- C:\WINDOWS\System32\wpa.bak
[2009/09/24 11:32:46 | 00,000,007 | ---- | C] () -- C:\WINDOWS\System32\comsa32.sys
[2009/09/24 11:32:26 | 00,111,784 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2009/09/24 11:28:18 | 04,608,000 | ---- | C] () -- C:\WINDOWS\System32\rmvirut.nt
[2009/09/24 11:28:18 | 00,000,045 | ---- | C] () -- C:\WINDOWS\System32\rmvirut.lst
[2009/09/24 11:02:25 | 00,013,646 | ---- | C] () -- C:\WINDOWS\System32\wpa.dbl
[2009/09/24 10:47:47 | 00,044,070 | ---- | C] () -- C:\WINDOWS\System32\sys64_nov.exe
[2009/09/24 10:47:38 | 00,040,192 | ---- | C] () -- C:\WINDOWS\System32\drivers\zspnfypyt7.sys
[2009/09/24 10:47:27 | 00,000,724 | ---- | C] () -- C:\8716699.exe
[2009/09/24 10:18:05 | 00,072,138 | ---- | C] () -- C:\Documents and Settings\Ronald\Desktop\procexp.chm
[2009/09/24 10:17:20 | 01,615,732 | ---- | C] () -- C:\Documents and Settings\Ronald\Desktop\ProcessExplorer.zip
[2009/09/24 00:03:50 | 00,025,645 | ---- | C] () -- C:\WINDOWS\System32\CNBJHLP.HLP
[2009/09/24 00:03:50 | 00,000,787 | ---- | C] () -- C:\WINDOWS\System32\CNBJHLP.CNT
[2009/09/23 16:42:17 | 00,040,192 | ---- | C] () -- C:\WINDOWS\System32\drivers\zkixmwapy9.sys
[2009/09/21 06:45:24 | 00,000,744 | ---- | C] () -- C:\8077356.exe
[2009/06/23 16:34:22 | 00,088,576 | -HS- | C] () -- C:\WINDOWS\System32\tuhuguhi.dll
[2009/06/23 16:34:22 | 00,038,400 | -HS- | C] () -- C:\WINDOWS\System32\bejanapo.dll
[2009/06/21 06:51:02 | 00,038,400 | -HS- | C] () -- C:\WINDOWS\System32\mijejabe.dll
[2009/06/21 06:45:37 | 00,049,152 | -HS- | C] () -- C:\WINDOWS\System32\wohupuda.dll
[2009/06/21 06:45:37 | 00,049,152 | -HS- | C] () -- C:\WINDOWS\System32\motatuwo.dll
[2009/06/21 06:45:37 | 00,049,152 | -HS- | C] () -- C:\WINDOWS\System32\jevaziji.dll
[2009/06/17 16:42:43 | 00,016,896 | ---- | C] () -- C:\WINDOWS\System32\kiyivoc.dll
[2009/02/20 19:39:21 | 01,591,232 | -HS- | C] () -- C:\WINDOWS\System32\ktyhrxht.ini
[2009/02/20 19:38:40 | 00,002,070 | -HS- | C] () -- C:\WINDOWS\System32\ruFLlUtv.ini2
[2009/02/20 19:38:40 | 00,002,070 | -HS- | C] () -- C:\WINDOWS\System32\ruFLlUtv.ini
[2009/02/20 18:11:37 | 01,591,232 | -HS- | C] () -- C:\WINDOWS\System32\qlthiofv.ini
[2009/02/20 18:11:01 | 00,003,025 | -HS- | C] () -- C:\WINDOWS\System32\bJmTstwa.ini2
[2009/02/20 18:11:01 | 00,003,025 | -HS- | C] () -- C:\WINDOWS\System32\bJmTstwa.ini
[2009/02/20 17:00:46 | 01,591,232 | -HS- | C] () -- C:\WINDOWS\System32\rdtbndrr.ini
[2009/02/20 17:00:03 | 00,002,978 | -HS- | C] () -- C:\WINDOWS\System32\fihkQXbc.ini2
[2009/02/20 17:00:02 | 00,002,759 | -HS- | C] () -- C:\WINDOWS\System32\fihkQXbc.ini
[2009/02/16 15:36:10 | 00,033,920 | ---- | C] () -- C:\WINDOWS\System32\drivers\lniabcco.sys
[2009/02/16 14:22:18 | 00,000,309 | -HS- | C] () -- C:\WINDOWS\System32\kklortwa.ini
[2009/02/15 10:56:58 | 01,583,164 | -HS- | C] () -- C:\WINDOWS\System32\mmslggma.ini
[2009/02/15 10:56:23 | 00,030,112 | -HS- | C] () -- C:\WINDOWS\System32\pppYayay.ini2
[2009/02/15 10:56:23 | 00,030,112 | -HS- | C] () -- C:\WINDOWS\System32\pppYayay.ini
[2009/02/09 17:16:19 | 00,016,504 | ---- | C] () -- C:\Documents and Settings\Ronald\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
[2009/02/07 22:29:36 | 00,000,062 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\desktop.ini
[2009/02/07 20:59:05 | 00,009,728 | ---- | C] () -- C:\Documents and Settings\Ronald\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/02/07 19:32:02 | 00,000,028 | ---- | C] () -- C:\WINDOWS\MIDISOFT.INI
[2009/02/07 15:53:10 | 04,900,442 | -H-- | C] () -- C:\Documents and Settings\Ronald\Local Settings\Application Data\IconCache.db
[2009/02/07 15:43:15 | 00,000,062 | -HS- | C] () -- C:\Documents and Settings\Ronald\Application Data\desktop.ini
[2008/10/07 09:13:30 | 00,197,912 | ---- | C] () -- C:\WINDOWS\System32\physxcudart_20.dll
[2008/10/07 09:13:22 | 00,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelTraditionalChinese.dll
[2008/10/07 09:13:20 | 00,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelSwedish.dll
[2008/10/07 09:13:20 | 00,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelSpanish.dll
[2008/10/07 09:13:20 | 00,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelSimplifiedChinese.dll
[2008/10/07 09:13:20 | 00,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelPortugese.dll
[2008/10/07 09:13:20 | 00,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelKorean.dll
[2008/10/07 09:13:20 | 00,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelJapanese.dll
[2008/10/07 09:13:20 | 00,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelGerman.dll
[2008/10/07 09:13:20 | 00,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelFrench.dll
[2008/05/16 14:01:00 | 01,703,936 | ---- | C] () -- C:\WINDOWS\System32\nvwdmcpl.dll
[2008/05/16 14:01:00 | 01,486,848 | ---- | C] () -- C:\WINDOWS\System32\nview.dll
[2008/05/16 14:01:00 | 01,019,904 | ---- | C] () -- C:\WINDOWS\System32\nvwimg.dll
[2008/05/16 14:01:00 | 00,466,944 | ---- | C] () -- C:\WINDOWS\System32\nvshell.dll
[2008/05/16 14:01:00 | 00,286,720 | ---- | C] () -- C:\WINDOWS\System32\nvnt4cpl.dll
[2004/08/04 20:00:00 | 00,081,920 | ---- | C] () -- C:\WINDOWS\System32\ieencode.dll
[2004/08/04 20:00:00 | 00,027,440 | ---- | C] () -- C:\WINDOWS\System32\drivers\secdrv.sys
[2004/08/04 20:00:00 | 00,022,528 | ---- | C] () -- C:\WINDOWS\System32\Iasv32.dll
[2004/08/04 20:00:00 | 00,022,528 | ---- | C] () -- C:\WINDOWS\System32\6to4v32.dll
[2004/08/04 20:00:00 | 00,002,304 | ---- | C] () -- C:\WINDOWS\System32\isadisk.sys
[2004/08/04 20:00:00 | 00,000,533 | ---- | C] () -- C:\WINDOWS\win.ini
[2004/08/04 20:00:00 | 00,000,231 | ---- | C] () -- C:\WINDOWS\system.ini
[2004/08/04 20:00:00 | 00,000,010 | ---- | C] () -- C:\WINDOWS\System32\FInstall.sys

========== Alternate Data Streams ==========

@Alternate Data Stream - 606955 bytes -> C:\WINDOWS\Temp:temp
< End of report >



and Extras.Txt:

OTL Extras logfile created on: 8/10/2009 10:55:28 PM - Run 1
OTL by OldTimer - Version 3.0.18.4 Folder = C:\Documents and Settings\Ronald\Desktop
Windows XP Professional Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.2180)
Locale: 00000C09 | Country: Australia | Language: ENA | Date Format: d/MM/yyyy

1023.48 Mb Total Physical Memory | 740.96 Mb Available Physical Memory | 72.40% Memory free
1.61 Gb Paging File | 1.43 Gb Available in Paging File | 88.92% Paging File free
Paging file location(s): C:\pagefile.sys 720 1440 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 195.31 Gb Total Space | 190.16 Gb Free Space | 97.36% Space Free | Partition Type: NTFS
Drive D: | 102.77 Gb Total Space | 102.71 Gb Free Space | 99.94% Space Free | Partition Type: NTFS
E: Drive not present or media not loaded
F: Drive not present or media not loaded
Drive G: | 27.94 Gb Total Space | 2.12 Gb Free Space | 7.57% Space Free | Partition Type: FAT32
H: Drive not present or media not loaded
Drive I: | 7.52 Gb Total Space | 6.99 Gb Free Space | 92.94% Space Free | Partition Type: FAT32

Computer Name: RONALDS-COMP
Current User Name: Ronald
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.bat [@ = csfile] -- C:\WINDOWS\System32\msomhjg.exe (-)
.chm [@ = chm.file] -- C:\WINDOWS\hh.exe (Microsoft Corporation)
.com [@ = csfile] -- C:\WINDOWS\System32\msomhjg.exe (-)
.exe [@ = csfile] -- C:\WINDOWS\System32\msomhjg.exe (-)
.html [@ = htmlfile] -- C:\Program Files\Internet Explorer\iexplore.exe File not found

[HKEY_USERS\S-1-5-21-299502267-606747145-725345543-1003\SOFTWARE\Classes\<extension>]
.html [@ = Opera.HTML] -- Reg Error: Key error. File not found

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %* File not found
chm.file [open] -- "C:\WINDOWS\hh.exe" %1 (Microsoft Corporation)
cmdfile [open] -- "%1" %* File not found
comfile [open] -- "%1" %* File not found
exefile [open] -- "%1" %* File not found
htmlfile [edit] -- Reg Error: Key error.
htmlfile [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" -nohome File not found
htmlfile [opennew] -- "C:\Program Files\Internet Explorer\iexplore.exe" %1 File not found
http [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" -nohome File not found
https [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" -nohome File not found
piffile [open] -- "%1" %* File not found
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1" File not found
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S File not found
txtfile [edit] -- Reg Error: Key error.
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Applications\iexplore.exe [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" %1 File not found
CLSID\{871C5380-42A0-1069-A2EA-08002B30309D} [OpenHomePage] -- "C:\Program Files\Internet Explorer\iexplore.exe" File not found

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 1
"UpdatesDisableNotify" = 1
"AntiVirusOverride" = 0
"FirewallOverride" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 0
"DisableNotifications" = 0
"DoNotAllowExceptions" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"35960:TCP" = 35960:TCP:*:Enabled:System59

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\Messenger\msmsgs.exe" = C:\Program Files\Messenger\msmsgs.exe:*:Enabled:Windows Messenger -- (Microsoft Corporation)
"C:\WINDOWS\system32\dpvsetup.exe" = C:\WINDOWS\system32\dpvsetup.exe:*:Enabled:Microsoft DirectPlay Voice Test -- (Microsoft Corporation)
"C:\Program Files\Ventrilo\Ventrilo.exe" = C:\Program Files\Ventrilo\Ventrilo.exe:*:Enabled:Ventrilo.exe -- ()


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{3248F0A8-6813-11D6-A77B-00B0D0160070}" = Java™ 6 Update 7
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{7131646D-CD3C-40F4-97B9-CD9E4E6262EF}" = Microsoft .NET Framework 2.0
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{789289CA-F73A-4A16-A331-54D498CE069F}" = Ventrilo Client
"{8AAB4176-A747-493A-A42C-B63CFADFD8E3}" = NVIDIA PhysX
"{93C97AD7-7E63-418E-AB8F-0733CD8E81CF}" = Opera 10.00
"{A2A60894-E3ED-46FE-9A6A-7CF7A87572A0}" = Opera 9.64
"{B80CC46C-5839-4A48-B051-3CACF23A2718}_is1" = Eraser 5.82
"{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}" = Ad-Aware
"{E2E7A0E8-77C4-495F-8FA3-63DAEDAA2DB3}" = F-Secure PSC Prerequisites
"{F333A33D-125C-32A2-8DCE-5C5D14231E27}" = Visual C++ 2008 x86 Runtime - (v9.0.30729)
"{F333A33D-125C-32A2-8DCE-5C5D14231E27}.vc_x86runtime_30729_01" = Visual C++ 2008 x86 Runtime - v9.0.30729.01
"{F44DA61E-720D-4E79-871F-F6E628B33242}" = OpenOffice.org 3.0
"Ad-Aware" = Ad-Aware
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"CCleaner" = CCleaner (remove only)
"HijackThis" = HijackThis 2.0.2
"Microsoft .NET Framework 2.0" = Microsoft .NET Framework 2.0
"Mozilla Firefox (3.0.6)" = Mozilla Firefox (3.0.6)
"NVIDIA Drivers" = NVIDIA Drivers
"SystemRequirementsLab" = System Requirements Lab

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 17/06/2009 3:33:21 AM | Computer Name = RONALDS-COMP | Source = LoadPerf | ID = 3006
Description = Unable to read the performance counter strings of the 009 language
ID. The Win32 status returned by the call is the first DWORD in Data section.

Error - 17/06/2009 7:19:47 AM | Computer Name = RONALDS-COMP | Source = crypt32 | ID = 131083
Description = Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab>
with error: A required certificate is not within its validity period when verifying
against the current system clock or the timestamp in the signed file.

Error - 17/06/2009 7:19:48 AM | Computer Name = RONALDS-COMP | Source = crypt32 | ID = 131083
Description = Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab>
with error: A required certificate is not within its validity period when verifying
against the current system clock or the timestamp in the signed file.

Error - 21/09/2009 4:39:12 AM | Computer Name = RONALDS-COMP | Source = Application Error | ID = 1000
Description = Faulting application 2F.tmp, version 0.0.0.0, faulting module unknown,
version 0.0.0.0, fault address 0x02d6ff3f.

Error - 23/09/2009 4:40:34 AM | Computer Name = RONALDS-COMP | Source = EventSystem | ID = 4609
Description = The COM+ Event System detected a bad return code during its internal
processing. HRESULT was 800706BF from line 44 of d:\comxp_sp2\com\com1x\src\events\tier1\eventsystemobj.cpp.
Please contact Microsoft Product Support Services to report this erro

Error - 23/09/2009 4:45:37 AM | Computer Name = RONALDS-COMP | Source = EventSystem | ID = 4609
Description = The COM+ Event System detected a bad return code during its internal
processing. HRESULT was 800706BA from line 44 of d:\comxp_sp2\com\com1x\src\events\tier1\eventsystemobj.cpp.
Please contact Microsoft Product Support Services to report this erro

Error - 23/09/2009 10:48:58 PM | Computer Name = RONALDS-COMP | Source = Application Error | ID = 1000
Description = Faulting application 16.tmp, version 0.0.0.0, faulting module 16.tmp,
version 0.0.0.0, fault address 0x0000002f.

Error - 23/09/2009 11:02:25 PM | Computer Name = RONALDS-COMP | Source = Windows Product Activation | ID = 1010
Description = The Windows license was restored due to a system error. You might
need to reactivate your Windows product.

Error - 24/09/2009 12:26:40 AM | Computer Name = RONALDS-COMP | Source = Application Error | ID = 1000
Description = Faulting application fssg.exe, version 7.4.124.0, faulting module
ntdll.dll, version 5.1.2600.2180, fault address 0x00006278.

Error - 24/09/2009 12:28:21 AM | Computer Name = RONALDS-COMP | Source = Application Error | ID = 1000
Description = Faulting application fssg.exe, version 7.4.124.0, faulting module
ntdll.dll, version 5.1.2600.2180, fault address 0x00006278.

[ System Events ]
Error - 20/09/2009 7:27:37 PM | Computer Name = RONALDS-COMP | Source = DCOM | ID = 10000
Description = Unable to start a DCOM Server: {0002DF01-0000-0000-C000-000000000046}.
The
error: "%2" Happened while starting this command: "C:\Program Files\Internet Explorer\iexplore.exe"
-Embedding

Error - 20/09/2009 7:27:37 PM | Computer Name = RONALDS-COMP | Source = DCOM | ID = 10000
Description = Unable to start a DCOM Server: {0002DF01-0000-0000-C000-000000000046}.
The
error: "%2" Happened while starting this command: "C:\Program Files\Internet Explorer\iexplore.exe"
-Embedding

Error - 20/09/2009 7:27:37 PM | Computer Name = RONALDS-COMP | Source = DCOM | ID = 10000
Description = Unable to start a DCOM Server: {0002DF01-0000-0000-C000-000000000046}.
The
error: "%2" Happened while starting this command: "C:\Program Files\Internet Explorer\iexplore.exe"
-Embedding

Error - 20/09/2009 7:27:37 PM | Computer Name = RONALDS-COMP | Source = DCOM | ID = 10000
Description = Unable to start a DCOM Server: {0002DF01-0000-0000-C000-000000000046}.
The
error: "%2" Happened while starting this command: "C:\Program Files\Internet Explorer\iexplore.exe"
-Embedding

Error - 20/09/2009 7:27:37 PM | Computer Name = RONALDS-COMP | Source = DCOM | ID = 10000
Description = Unable to start a DCOM Server: {0002DF01-0000-0000-C000-000000000046}.
The
error: "%2" Happened while starting this command: "C:\Program Files\Internet Explorer\iexplore.exe"
-Embedding

Error - 20/09/2009 7:27:37 PM | Computer Name = RONALDS-COMP | Source = DCOM | ID = 10000
Description = Unable to start a DCOM Server: {0002DF01-0000-0000-C000-000000000046}.
The
error: "%2" Happened while starting this command: "C:\Program Files\Internet Explorer\iexplore.exe"
-Embedding

Error - 20/09/2009 7:27:37 PM | Computer Name = RONALDS-COMP | Source = DCOM | ID = 10000
Description = Unable to start a DCOM Server: {0002DF01-0000-0000-C000-000000000046}.
The
error: "%2" Happened while starting this command: "C:\Program Files\Internet Explorer\iexplore.exe"
-Embedding

Error - 20/09/2009 7:27:37 PM | Computer Name = RONALDS-COMP | Source = DCOM | ID = 10000
Description = Unable to start a DCOM Server: {0002DF01-0000-0000-C000-000000000046}.
The
error: "%2" Happened while starting this command: "C:\Program Files\Internet Explorer\iexplore.exe"
-Embedding

Error - 20/09/2009 7:27:37 PM | Computer Name = RONALDS-COMP | Source = DCOM | ID = 10000
Description = Unable to start a DCOM Server: {0002DF01-0000-0000-C000-000000000046}.
The
error: "%2" Happened while starting this command: "C:\Program Files\Internet Explorer\iexplore.exe"
-Embedding

Error - 20/09/2009 7:27:37 PM | Computer Name = RONALDS-COMP | Source = DCOM | ID = 10000
Description = Unable to start a DCOM Server: {0002DF01-0000-0000-C000-000000000046}.
The
error: "%2" Happened while starting this command: "C:\Program Files\Internet Explorer\iexplore.exe"
-Embedding


< End of report >

Here's to hoping it'll be back to working order soon!
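As an added example, not part of the thread and not code from the OTL tool: a read-only PowerShell audit of the Security Center and Windows Firewall policy keys that appear in the report above. It reports the settings a responder would question when looking at a log like this one, such as suppressed Security Center warnings, `EnableFirewall = 0`, globally open ports, and authorized applications whose executable is missing or unsigned. The registry paths are the ones printed in the log; the function names and the wording of the findings are my own.

```powershell
# Added example (not from the thread or the OTL tool): read-only audit of the
# Security Center and Windows Firewall policy keys shown in the OTL log above.
# Assumes the XP-era key layout printed there; missing keys are reported, not fatal.

$securityCenter = 'HKLM:\SOFTWARE\Microsoft\Security Center'
$profileKey     = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile'
$openPortsKey   = "$profileKey\GloballyOpenPorts\List"
$authAppsKey    = "$profileKey\AuthorizedApplications\List"

function Get-RegValue {
    # Returns the named value, or $null when the key or the value does not exist.
    param([string]$Path, [string]$Name)
    try   { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

function Get-FirewallFindings {
    $findings = @()

    # Security Center: a 1 in a *DisableNotify value suppresses the warning that the
    # component is off; a 1 in an *Override value tells the Security Center to trust
    # a third-party product's self-report instead of checking. Both deserve a look
    # when the user did not set them (the log above shows FirewallDisableNotify = 1).
    foreach ($name in 'AntiVirusDisableNotify', 'FirewallDisableNotify', 'UpdatesDisableNotify',
                      'AntiVirusOverride', 'FirewallOverride') {
        $v = Get-RegValue -Path $securityCenter -Name $name
        if ($null -eq $v)  { $findings += "$name : not present" }
        elseif ($v -ne 0)  { $findings += "$name = $v (Security Center warning suppressed)" }
    }

    # Standard profile: EnableFirewall = 0 means the Windows Firewall is off for this profile.
    $enabled = Get-RegValue -Path $profileKey -Name 'EnableFirewall'
    if ($enabled -eq 0) { $findings += 'EnableFirewall = 0 (Windows Firewall disabled)' }

    # Globally open ports are stored as "port:proto:scope:Enabled:name" (see the log).
    # Every entry is listed; a port opened under a generic name is worth checking.
    if (Test-Path $openPortsKey) {
        $key = Get-Item $openPortsKey
        foreach ($valueName in $key.GetValueNames()) {
            $data  = [string]$key.GetValue($valueName)
            $parts = $data -split ':'
            if ($parts.Count -ge 5) {
                $findings += ("Open port {0}/{1} scope={2} state={3} name='{4}'" -f
                              $parts[0], $parts[1], $parts[2], $parts[3], $parts[4])
            } else {
                $findings += "Open port entry with unexpected format: $data"
            }
        }
    }

    # Authorized applications: the value name is the executable path and the data is
    # "path:scope:Enabled:display name". Flag entries whose binary is gone or unsigned.
    if (Test-Path $authAppsKey) {
        $key = Get-Item $authAppsKey
        foreach ($exePath in $key.GetValueNames()) {
            $data   = [string]$key.GetValue($exePath)
            $rest   = $data.Substring([Math]::Min($exePath.Length + 1, $data.Length))
            $fields = $rest -split ':'
            $state  = if ($fields.Count -ge 2) { $fields[1] } else { '?' }
            $exists = Test-Path -LiteralPath $exePath
            $sig    = if ($exists) { (Get-AuthenticodeSignature -FilePath $exePath).Status } else { 'n/a' }
            if (-not $exists -or "$sig" -ne 'Valid') {
                $findings += "Authorized app '$exePath' state=$state exists=$exists signature=$sig"
            }
        }
    }
    return $findings
}

$results = @(Get-FirewallFindings)
if ($results.Count -eq 0) { 'No questionable firewall or Security Center settings found.' }
else { $results | ForEach-Object { "[!] $_" } }
```

Run against the machine in this thread, the script would report the suppressed firewall and update notifications, the disabled standard-profile firewall, the 35960/TCP entry named "System59", and the unsigned Ventrilo entry. An unsigned or missing authorized application is not proof of anything on its own; it is a prompt to confirm the entry was added by the user.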

#4 myrti

    Sillyberry

  • Malware Study Hall Admin
  • 33,771 posts
  • Gender:Female
  • Location:At home
  • Local time:07:17 PM

Posted 09 October 2009 - 05:04 AM

Hi,

this is very bad news and I kind of feared this would be the case. :(

Your system is infected with a nasty variant of Virut, a polymorphic file infector with IRCBot functionality which infects .exe, .scr files, downloads more malicious files to your system, and opens a back door that compromises your computer. According to this Norman White Paper Assessment of W32/Virut, some variants can infect the HOSTS file and block access to security related web sites. Virux is an even more complex file infector which can embed an iframe into the body of web-related files and infect script files (.php, .asp, and .html). When Virut creates infected files, it also creates non-functional files that are corrupted beyond repair. In many cases the infected files cannot be disinfected properly by your anti-virus. When disinfection is attempted, the files become corrupted and the system may become irreparable.

The virus has a number of bugs in its code, and as a result it may misinfect a proportion of executable files....some W32/Virut.h infections are corrupted beyond repair.

McAfee Risk Assessment and Overview of W32/Virut

There are bugs in the viral code. When the virus produces infected files, it also creates non-functional files that also contain the virus...Due to the damage caused to files by Virut it's possible to find repaired but corrupted files. They became corrupted by the incorrect writing of the viral code during the process of infection. Undetected, corrupted files (possibly still containing part of the viral code) can also be found. This is caused by incorrectly written and non-functional viral code present in these files.

AVG Overview of W32/Virut

This kind of infection is contracted and spread by visiting remote, crack and keygen sites. These types of sites are infested with a smörgåsbord of malware and an increasing source of system infection. However, the CA Security Advisor Research Blog says they have found MySpace user pages carrying the malicious Virut URL. Either way you can end up with a computer system so badly damaged that recovery is not possible and it cannot be repaired. When that happens there is nothing you can do besides reformatting and reinstalling the OS.

...warez and crack web pages are being used by cybercriminals as download sites for malware related to VIRUT and VIRUX. Searches for serial numbers, cracks, and even antivirus products like Trend Micro yield malcodes that come in the form of executables or self-extracting files...quick links in these sites also lead to malicious files. Ads and banners are also infection vectors...

Keygen and Crack Sites Distribute VIRUX and FakeAV

If your computer was used for online banking, has credit card information or other sensitive data on it, you should disconnect from the Internet until your system is cleaned. All passwords should be changed immediately, including those used for banking, email, eBay, PayPal and online forums. You should consider them to be compromised. You should change each password using a clean computer and not the infected one. If not, an attacker may get the new passwords and transaction information. If using a router, you need to reset it with a strong logon/password so the malware cannot gain control before connecting again. Banking and credit card institutions should be notified of the possible security breach. Because your computer was compromised, please read:

There is no guarantee this infection can be completely removed. In some instances it may have caused so much damage to your system that it cannot be completely cleaned or repaired. The malware may leave so many remnants behind that security tools cannot find them. Many experts in the security community believe that once infected with this type of malware, the best course of action is to wipe the drive clean, reformat and reinstall the OS. Reinstalling Windows without first wiping the entire hard drive with a repartition and/or format will not remove the infection. The reinstall will only overwrite the Windows files. Any malware on the system will still be there afterwards. Please read:

I would really advise to reinstall. Please be extremely careful with transferring data from the infected PC. For one, don't run any executable from the infected PC on your clean PC.
Please also run FlashDisinfector with all flash devices attached on your clean PC. This should stop the infection from spreading simply through connecting a flash device to both the infected PC and a clean PC.

Please download Flash_Disinfector.exe by sUBs and save it to your desktop.
  • Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
  • The utility may ask you to insert your flash drive and/or other removable drives. Please do so and allow the utility to clean up those drives as well.
  • Hold down the Shift key when inserting the drive until Windows detects it to keep autorun.inf from executing if it is present.
  • Wait until it has finished scanning and then exit the program.
  • Reboot your computer when done.
Note: As part of its routine, Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive that was plugged in when you ran it. Do not delete this folder...it will help protect your drives from future infection by keeping the autorun file from being installed on the root drive and running other malicious files.

regards _temp_

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!
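The protective step described in the note on Flash_Disinfector above, reproduced as an added PowerShell example. This is not sUBs' tool and not code from the thread: it places a hidden folder named autorun.inf in the root of each partition and each attached removable drive so that an autorun.inf file cannot be written in its place. It is meant to be run as an administrator on the clean machine with the flash drives plugged in; the function name `Protect-DriveRoot` and the decision to report rather than delete an existing autorun.inf file are my own choices. It assumes the drive roots are writable, and it uses `Get-WmiObject`, which is available on the XP-era Windows PowerShell in this thread (on PowerShell 7 the equivalent is `Get-CimInstance`).

```powershell
# Added example (not Flash_Disinfector's code): put a hidden autorun.inf FOLDER in
# the root of every fixed and removable drive so a malicious autorun.inf FILE cannot
# be created there. Run elevated on the clean machine with the flash drives attached.
# Assumption: drive roots are writable; a root that is not is reported and skipped.

function Protect-DriveRoot {
    param([string]$Root)                       # e.g. 'E:\'
    $target = Join-Path $Root 'autorun.inf'

    if (Test-Path -LiteralPath $target -PathType Leaf) {
        # An autorun.inf file is already there. Report it rather than deleting it:
        # on an installer CD it is legitimate, and on a suspect stick it is evidence.
        return "$Root : autorun.inf FILE present - inspect it before replacing it"
    }

    try {
        if (-not (Test-Path -LiteralPath $target -PathType Container)) {
            New-Item -ItemType Directory -Path $target -ErrorAction Stop | Out-Null
        }
        # Hidden + System keeps the folder out of Explorer's default listing and
        # ReadOnly blocks a casual delete. What actually stops an autorun.inf file
        # from being dropped is that the name is already taken by a directory.
        $flags = [IO.FileAttributes]'Hidden, System, ReadOnly'
        $dir = Get-Item -LiteralPath $target -Force
        $dir.Attributes = $dir.Attributes -bor $flags
        return "$Root : protected (hidden autorun.inf folder in place)"
    } catch {
        return "$Root : could not create folder ($($_.Exception.Message))"
    }
}

# Win32_LogicalDisk.DriveType 2 = removable disk, 3 = local fixed disk. Both are
# covered, matching the note above (every partition and every plugged-in USB drive).
$roots = Get-WmiObject Win32_LogicalDisk |
         Where-Object { (2, 3) -contains $_.DriveType } |
         ForEach-Object { $_.DeviceID + '\' }

foreach ($root in $roots) { Protect-DriveRoot -Root $root }
```

The folder only blocks the AutoRun vector; it does nothing about files already infected on the stick, which is why the note above still has you let the disinfector scan the drives. Later Windows releases no longer honour autorun.inf on USB storage at all, so this protection matters mainly on XP-era systems like the one in this thread.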



#5 R10pez10
  • Topic Starter

  • Members
  • 3 posts
  • Local time:01:17 AM

Posted 09 October 2009 - 06:26 AM

Aw, damn.
Well thanks for all your advice and help!
I'm grateful the computer is still usable without internet access though, and none of the files were lost on it. And if I really feel like making it usable again, I'll just reformat it hey?
Thanks again though,
- r10pez10

#6 myrti

    Sillyberry

  • Malware Study Hall Admin
  • 33,771 posts
  • Gender:Female
  • Location:At home
  • Local time:07:17 PM

Posted 09 October 2009 - 08:12 AM

Hi,

I would advise reformatting as quickly as possible, since you can still infect others by sharing files, connecting flash devices and accessing networks.

Virut is also rather badly programmed; the infection may lead to more and more frequent BSODs and an unstable system because it sometimes destroys crucial system files. It is not an infection you should take lightly.

regards _temp_



#7 myrti

    Sillyberry

  • Malware Study Hall Admin
  • 33,771 posts
  • Gender:Female
  • Location:At home
  • Local time:07:17 PM

Posted 14 October 2009 - 05:34 AM

Due to lack of feedback, this topic is now Closed

If you need this topic reopened, please send me a PM.
Please include the address of this thread in your request.
This applies only to the original topic starter.

Everyone else please start a new topic.

With Regards,
_temp_
