Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.


Think I'm infected with Sasser and another virus

  • This topic is locked This topic is locked
4 replies to this topic

#1 Ozland


  • Members
  • 4 posts
  • Local time:05:50 PM

Posted 05 October 2009 - 06:17 AM

I think my computer is infected with Sasser and other viruses.
A few days ago my computer suddenly started running slowley but I ignored it.
The next day I reboot my computer and after I log on I see a popup "Services and Application Controller has encountered a problem and needs to close"
after I close it says "Your computer will shut down in 60 seconds" (As i said Sasser) but if I exit that window the computer does not shut down!
But the computer is extremely slow after that.
In the task manager, there is the Dr Watson thing, and i read somewhere that its a cover for a rootkit?
I have attached my DDS and RootRepeal logs and I hope you help me!
BTW This is posted from another comp because as I said my comp is extremely slow and theres no FW cause it was disabled automaticlly.

DDS (Ver_09-09-29.01) - NTFSx86
Run by Administrator at 19:25:04.57 on Mon 05/10/2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_14
Microsoft Windows XP Professional 5.1.2600.2.1255.972.1033.18.759.318 [GMT 10:00]

AV: ESET NOD32 Antivirus 4.0 *On-access scanning enabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\Program Files\Winamp\winampa.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Documents and Settings\Administrator\temp\TeamViewer\Version4\TeamViewer.exe
C:\Documents and Settings\Administrator\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com.au/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.3.4501.1418\swg.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_B7C5AC242193BB3E.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: FlashFXP Helper for Internet Explorer: {e5a1691b-d188-4419-ad02-90002030b8ee} - c:\progra~1\flashfxp\IEFlash.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [WinampAgent] "c:\program files\winamp\winampa.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [egui] "c:\program files\eset\eset nod32 antivirus\egui.exe" /hide /waitservice
mRun: [MP10_EnsureFileVer] c:\windows\inf\unregmp2.exe /EnsureFileVersions
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
IE: &Compress Image Using Image Compressor 2008 - c:\program files\masrizal\imc2008\imcieex_compress.html
IE: Download with GetRight - c:\program files\getright\GRdownload.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Open with GetRight Browser - c:\program files\getright\GRbrowse.htm
IE: Sothink SWF Catcher - c:\program files\common files\sourcetec\swf catcher\InternetExplorer.htm
IE: {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - c:\program files\common files\sourcetec\swf catcher\InternetExplorer.htm
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {254AA86E-5655-4518-AA87-185D7CC41801} - hxxps://secure.logmeinrescue.com/TechConsole/x86/RescueControl.cab
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1238236457312
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Notify: igfxcui - igfxsrvc.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\admini~1\applic~1\mozilla\firefox\profiles\uzwxoweh.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Wikipedia (Eng)
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com.au/firefox
FF - component: c:\documents and settings\administrator\application data\mozilla\firefox\profiles\uzwxoweh.default\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}\platform\winnt_x86-msvc\components\ipc.dll
FF - component: c:\program files\mcafee\siteadvisor\components\McFFPlg.dll
FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npyaxmpb.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

=============== Created Last 30 ================

2009-09-30 19:32 <DIR> --d----- c:\windows\LastGood.Tmp
2009-09-30 18:31 21,504 ac------ c:\windows\system32\dllcache\hidserv.dll
2009-09-30 18:31 21,504 a------- c:\windows\system32\hidserv.dll
2009-09-30 18:30 14,848 ac------ c:\windows\system32\dllcache\kbdhid.sys
2009-09-30 18:30 14,848 a------- c:\windows\system32\drivers\kbdhid.sys
2009-09-29 20:16 200,704 a----r-- c:\windows\sel3110.exe
2009-09-29 20:16 40,960 a----r-- c:\windows\CleanDev.exe
2009-09-29 20:16 61,440 a----r-- c:\windows\ov519dib.dll
2009-09-29 20:16 307,200 a----r-- c:\windows\vidcap32.exe
2009-09-29 20:15 135,168 a----r-- c:\windows\ov519cap.exe
2009-09-29 20:15 25,211 a----r-- c:\windows\system32\drivers\ov519cmd.sys
2009-09-29 20:15 174,530 a----r-- c:\windows\system32\drivers\ov519vid.sys
2009-09-29 20:15 <DIR> --d----- c:\windows\OvtCam
2009-09-29 20:15 25,099 a----r-- c:\windows\system32\ov519ext.ax
2009-09-29 20:15 40,960 a----r-- c:\windows\system32\ov519ext.dll
2009-09-29 20:15 16,426 a----r-- c:\windows\system32\ov519usd.dll
2009-09-27 16:28 232,192 a------- c:\windows\system32\drivers\rt73.sys

==================== Find3M ====================

2009-10-05 19:25 92,800 a------- c:\windows\system32\drivers\c46af25e.sys
2009-08-16 01:30 94,208 a------- c:\docume~1\admini~1\applic~1\ezplay.sys
2009-08-16 01:30 87,608 a------- c:\docume~1\admini~1\applic~1\inst.exe
2009-08-16 01:30 47,360 a------- c:\docume~1\admini~1\applic~1\pcouffin.sys
2009-08-15 19:22 154,351 a------- c:\windows\hpoins15.dat
2009-08-02 11:40 195,024 a------- c:\windows\pchealth\helpctr\config\cache\Professional_32_1033.dat
2009-06-10 00:24 5,018 a--sh--- c:\docume~1\alluse~1\applic~1\KGyGaAvL.sys
2009-05-25 22:05 148,736 a------- c:\docume~1\alluse~1\applic~1\hpe253D.dll
2008-07-23 18:22 168 ---shr-- c:\docume~1\alluse~1\applic~1\F50A1E3DEB.sys

============= FINISH: 19:27:18.03 ===============

Attached Files

Edited by Ozland, 05 October 2009 - 01:46 PM.

BC AdBot (Login to Remove)


#2 Ozland

  • Topic Starter

  • Members
  • 4 posts
  • Local time:05:50 PM

Posted 05 October 2009 - 02:03 PM

I use the Windows Firewall (bad choice I know) and it was disabled automatically so it appears i got Sasser because of no FW but it got disabled after I got the virus.

#3 Ozland

  • Topic Starter

  • Members
  • 4 posts
  • Local time:05:50 PM

Posted 06 October 2009 - 01:37 AM

I have done a scan with GMER and attached is the log.
(If someone would be so kind as to help me, I would appreciate it :()

Attached Files

  • Attached File  GMER.log   24.94KB   2 downloads

Edited by Ozland, 06 October 2009 - 01:37 AM.

#4 Ozland

  • Topic Starter

  • Members
  • 4 posts
  • Local time:05:50 PM

Posted 07 October 2009 - 02:55 PM

Thanks for your attention!
I manged to fix it up myself :( (no thanks to you of course).

#5 syler


  • Malware Response Team
  • 8,150 posts
  • Gender:Male
  • Location:Warrington, UK
  • Local time:07:50 AM

Posted 22 October 2009 - 01:18 PM

Since this issue appears resolved ... this Topic is closed. Glad we could help.

If you need this topic reopened, please request this by sending me a PM
with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.


0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users