Infected with lsm32.sys


This topic is locked
8 replies to this topic

#1 j5mello (Members, 5 posts)

Posted 21 October 2009 - 11:37 PM

Recently acquired a set of trojans (probably while looking for a cd-key for a game I torrented). I have Windows Vista Business 32bit. My current symptoms are as follows:

I get desktop icons linking to youporn.com and various other sites.
I can hear advertisements (for items like Jet Dry and other products) coming from my speakers even though I'm not running anything.
I have a Protection System program that is clearly an illicit anti-virus.
I have several odd processes listed in task manager like VRT3B8A.tmp, wmdtc.exe and lsm32.sys
I also have problems launching certain exes, usually getting a failed to initialize (0xc000007b) error when I try to launch them.
I also get certain desktop shortcuts reading the .exe they are linked to as being moved/nonexistent or having a different icon than they are supposed to.


I have run SUPERAntiSpyware Professional several times. It removes the above named temp file and several others most of them listed under a Gen-Bongl[L] trojan. However upon restarting the computer the files are back where they are and things are back to "abnormal."

My DDS.scr log:


DDS (Ver_09-10-13.01) - NTFSx86
Run by John at 0:09:45.60 on Thu 10/22/2009
Internet Explorer: 8.0.6001.18813 BrowserJavaVersion: 1.6.0_13
Microsoft® Windows Vista™ Business 6.0.6002.2.1252.1.1033.18.3070.1739 [GMT -4:00]

SP: Spybot - Search and Destroy *enabled* (Outdated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
SP: Windows Defender *disabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
SP: SUPERAntiSpyware *enabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Mozilla Firefox\Free Download Manager\fdm.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\D-Link\D-Link RangeBooster N DWA-542\wirelesscm.exe
C:\Program Files\OpenOffice.org 3\program\soffice.exe
C:\Program Files\OpenOffice.org 3\program\soffice.bin
C:\Program Files\D-Link\D-Link RangeBooster N DWA-542\acs.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\LogMeIn Hamachi\hamachi-2.exe
C:\Windows\system32\PnkBstrA.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\TEMP\VRT3B8A.tmp
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\Windows\System32\Rundll32.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\Java\jre6\bin\jucheck.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\DAEMON Tools Pro\DTProShellHlp.exe
C:\Program Files\Ventrilo\Ventrilo.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\explorer.exe
C:\Windows\system32\Taskmgr.exe
C:\Windows\system32\notepad.exe
C:\Windows\system32\notepad.exe
C:\Windows\system32\wmdtc.exe
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\FastNetSrv.exe
C:\Windows\system32\lsm32.sys
C:\Windows\system32\lsm32.sys
C:\Users\John\Desktop\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uInternet Settings,ProxyOverride = *.local
uURLSearchHooks: free-downloads.net Toolbar: {ecdee021-0d17-467f-a1ff-c7a115230949} - c:\program files\free-downloads.net\tbfree.dll
mURLSearchHooks: free-downloads.net Toolbar: {ecdee021-0d17-467f-a1ff-c7a115230949} - c:\program files\free-downloads.net\tbfree.dll
mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\windows\system32\drivers\smss.exe
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: FDMIECookiesBHO Class: {cc59e0f9-7e43-44fa-9faa-8377850bf205} - c:\program files\mozilla firefox\free download manager\iefdm2.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: free-downloads.net Toolbar: {ecdee021-0d17-467f-a1ff-c7a115230949} - c:\program files\free-downloads.net\tbfree.dll
TB: free-downloads.net Toolbar: {ecdee021-0d17-467f-a1ff-c7a115230949} - c:\program files\free-downloads.net\tbfree.dll
uRun: [DAEMON Tools Pro Agent] "c:\program files\daemon tools pro\DTProAgent.exe" -autorun
uRun: [Free Download Manager] c:\program files\mozilla firefox\free download manager\fdm.exe -autorun
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
uRun: [ter8m] RUNDLL32.EXE c:\windows\temp\msxm192z.dll,w
mRun: [14693] c:\uiabu.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [amd_dc_opt] c:\program files\amd\dual-core optimizer\amd_dc_opt.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [RtHDVCpl] RtHDVCpl.exe
dRun: [nDler2] \\?\globalroot\systemroot\system32\nDler2.exe
dRun: [ter8m] RUNDLL32.EXE c:\windows\temp\msxm192z.dll,w
StartupFolder: c:\users\john\appdata\roaming\micros~1\windows\startm~1\programs\startup\openof~1.lnk - c:\program files\openoffice.org 3\program\quickstart.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\setpoint\SetPoint.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\wirele~1.lnk - c:\program files\d-link\d-link rangebooster n dwa-542\wirelesscm.exe
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: Download all with Free Download Manager - file://c:\program files\mozilla firefox\free download manager\dlall.htm
IE: Download selected with Free Download Manager - file://c:\program files\mozilla firefox\free download manager\dlselected.htm
IE: Download video with Free Download Manager - file://c:\program files\mozilla firefox\free download manager\dlfvideo.htm
IE: Download with Free Download Manager - file://c:\program files\mozilla firefox\free download manager\dllink.htm
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0012-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_12-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
IFEO: 1.exe - c:\windows\system32\ahui.exe
IFEO: reader_s.exe - c:\windows\system32\ahui.exe
IFEO: regedit.exe - c:\windows\system32\ahui.exe
IFEO: servises.exe - c:\windows\system32\ahui.exe
IFEO: sys64_nov.exe - c:\windows\system32\ahui.exe

================= FIREFOX ===================

FF - ProfilePath - c:\users\john\appdata\roaming\mozilla\firefox\profiles\7i082tq2.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
FF - component: c:\program files\mozilla firefox\free download manager\firefox\extension\components\vmsfdmff.dll
FF - component: c:\users\john\appdata\roaming\mozilla\firefox\profiles\7i082tq2.default\extensions\{463f6ca5-ee3c-4be1-b7e6-7fee11953374}\platform\winnt\components\FoxyTunes.dll
FF - plugin: c:\program files\download manager\npfpdlm.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
FF - plugin: c:\program files\vistacodecpack\rm\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\vistacodecpack\rm\browser\plugins\nprpjplug.dll
FF - plugin: c:\programdata\id software\quakelive\npquakezero.dll
FF - plugin: c:\users\john\appdata\roaming\mozilla\firefox\profiles\7i082tq2.default\extensions\battlefieldheroespatcher@ea.com\platform\winnt_x86-msvc\plugins\npBFHUpdater.dll
FF - plugin: c:\users\john\appdata\roaming\mozilla\firefox\profiles\7i082tq2.default\extensions\moveplayer@movenetworks.com\platform\winnt_x86-msvc\plugins\npmnqmp071301000019.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: XUL Cache: No Registry Reference - c:\program files\mozilla firefox\extensions\{740A27D6-C573-4A49-8BEF-920455489834}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0015-0000-0012-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
============= SERVICES / DRIVERS ===============

R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-10-12 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-10-12 74480]
R2 BtwSrv;BtwSrv;c:\windows\system32\svchost.exe -k netsvcs [2008-11-24 21504]
R2 fastnetsrv;fastnetsrv Service;c:\windows\system32\FastNetSrv.exe [2006-11-2 114688]
R2 Hamachi2Svc;LogMeIn Hamachi 2.0 Tunneling Engine;c:\program files\logmein hamachi\hamachi-2.exe [2009-10-9 1078664]
R2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files\nvidia corporation\3d vision\nvSCPAPISvr.exe [2009-8-17 239648]
R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-10-12 7408]
S2 SBSDWSCService;SBSD Security Center Service;c:\program files\spybot - search & destroy\SDWinSec.exe [2008-12-27 809296]

=============== Created Last 30 ================

2009-10-21 22:16 20,480 a------- c:\windows\system32\5488047.exe
2009-10-21 22:15 828 a------- c:\windows\system32\8515437.exe
2009-10-21 22:15 0 a------- c:\windows\SC.INS
2009-10-21 22:15 0 a------- c:\windows\sc.exe
2009-10-21 22:15 <DIR> --d----- c:\program files\Protection System
2009-10-21 15:39 <DIR> --d----- c:\program files\Microsoft Games
2009-10-21 12:03 <DIR> --d----- c:\program files\Monte Cristo
2009-10-20 14:56 218,624 a------- c:\windows\system32\msv1_0.dll
2009-10-20 14:56 3,600,456 a------- c:\windows\system32\ntkrnlpa.exe
2009-10-20 14:56 3,548,216 a------- c:\windows\system32\ntoskrnl.exe
2009-10-20 14:56 60,928 a------- c:\windows\system32\msasn1.dll
2009-10-20 14:56 144,896 a------- c:\windows\system32\drivers\srv2.sys
2009-10-20 14:56 604,672 a------- c:\windows\system32\WMSPDMOD.DLL
2009-10-20 14:39 26,176 a---h--- c:\windows\system32\hamachi.sys
2009-10-20 14:39 <DIR> --d----- c:\program files\LogMeIn Hamachi
2009-10-16 21:31 <DIR> --d----- c:\programdata\SUPERAntiSpyware.com
2009-10-16 21:31 <DIR> --d----- c:\progra~2\SUPERAntiSpyware.com
2009-10-16 21:30 <DIR> --d----- c:\users\john\appdata\roaming\SUPERAntiSpyware.com
2009-10-16 21:30 <DIR> --d----- c:\program files\SUPERAntiSpyware
2009-10-15 14:27 <DIR> --d----- c:\program files\AVG
2009-10-15 11:47 <DIR> --d----- c:\users\john\appdata\roaming\Malwarebytes
2009-10-15 11:47 <DIR> --d----- c:\programdata\Malwarebytes
2009-10-15 11:47 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-10-15 11:47 <DIR> --d----- c:\progra~2\Malwarebytes
2009-10-14 21:24 <DIR> --d----- c:\users\john\Tracing
2009-10-14 16:03 <DIR> --d----- c:\program files\Microsoft SQL Server Compact Edition
2009-10-14 16:02 <DIR> --d----- c:\windows\PCHEALTH
2009-10-14 14:49 <DIR> --d----- c:\program files\common files\Windows Live
2009-10-14 10:41 <DIR> --d----- c:\program files\LogMeIn Hamachi(182)
2009-10-12 11:42 <DIR> --dsh--- c:\windows\system32\%APPDATA%
2009-10-06 15:32 <DIR> --d-h--- c:\windows\PIF
2009-10-03 22:05 195,440 -------- c:\windows\system32\MpSigStub.exe
2009-10-03 22:00 2,421,760 a------- c:\windows\system32\wucltux.dll
2009-10-03 22:00 87,552 a------- c:\windows\system32\wudriver.dll
2009-10-03 22:00 171,608 a------- c:\windows\system32\wuwebv.dll
2009-10-03 22:00 53,760 a------- c:\windows\system32\wuapp.exe
2009-09-29 21:46 1,259,008 a------- c:\windows\system32\lsasrv.dll
2009-09-29 21:46 499,712 a------- c:\windows\system32\kerberos.dll
2009-09-29 21:46 439,864 a------- c:\windows\system32\drivers\ksecdd.sys
2009-09-29 21:46 270,848 a------- c:\windows\system32\schannel.dll
2009-09-29 21:46 175,104 a------- c:\windows\system32\wdigest.dll
2009-09-29 21:46 72,704 a------- c:\windows\system32\secur32.dll
2009-09-29 21:46 9,728 a------- c:\windows\system32\lsass.exe
2009-09-29 21:33 <DIR> --d----- c:\windows\system32\vi-VN
2009-09-29 21:33 <DIR> --d----- c:\windows\system32\eu-ES
2009-09-29 21:33 <DIR> --d----- c:\windows\system32\ca-ES
2009-09-29 00:14 <DIR> --d----- c:\programdata\Paradox Interactive
2009-09-29 00:14 <DIR> --d----- c:\progra~2\Paradox Interactive
2009-09-28 15:23 <DIR> --d----- c:\program files\iPod
2009-09-28 15:23 <DIR> --d----- c:\program files\iTunes
2009-09-28 00:05 515,416 a------- c:\windows\system32\XAudio2_5.dll
2009-09-28 00:05 69,464 a------- c:\windows\system32\XAPOFX1_3.dll
2009-09-28 00:05 5,501,792 a------- c:\windows\system32\d3dcsx_42.dll
2009-09-28 00:05 1,974,616 a------- c:\windows\system32\D3DCompiler_42.dll
2009-09-28 00:05 1,892,184 a------- c:\windows\system32\D3DX9_42.dll
2009-09-28 00:05 453,456 a------- c:\windows\system32\d3dx10_42.dll
2009-09-28 00:05 238,936 a------- c:\windows\system32\xactengine3_5.dll
2009-09-28 00:05 235,344 a------- c:\windows\system32\d3dx11_42.dll
2009-09-25 23:32 <DIR> --d----- c:\program files\AFFPlanetStorm
2009-09-25 14:52 <DIR> --d----- c:\windows\system32\EventProviders
2009-09-23 22:40 32,784 a------- c:\programdata\nvModes.dat
2009-09-23 22:40 32,784 a------- c:\progra~2\nvModes.dat
2009-09-23 22:37 4,223,008 a------- c:\windows\system32\NVStWiz.exe
2009-09-23 22:36 485,920 a------- c:\windows\system32\nvuninst.exe
2009-09-23 22:26 <DIR> --d----- c:\program files\NVIDIA Corporation
2009-09-23 12:06 1,060,864 a------- c:\windows\system32\mfc71.dll
2009-09-23 12:06 40,960 a------- c:\windows\system32\psfind.dll

==================== Find3M ====================

2009-10-20 15:02 51,200 a------- c:\windows\inf\infpub.dat
2009-10-20 15:02 143,360 a------- c:\windows\inf\infstrng.dat
2009-10-20 15:02 86,016 a------- c:\windows\inf\infstor.dat
2009-09-29 21:33 665,600 a------- c:\windows\inf\drvindex.dat
2009-09-11 23:25 139,072 a------- c:\windows\system32\drivers\PnkBstrK.sys
2009-09-11 23:25 189,672 a------- c:\windows\system32\PnkBstrB.exe
2009-09-05 14:25 1,183,744 a------- c:\windows\system32\drivers\athr.sys
2009-08-28 22:30 173,056 a------- c:\windows\apppatch\AcXtrnal.dll
2009-08-28 22:30 458,752 a------- c:\windows\apppatch\AcSpecfc.dll
2009-08-28 22:30 2,159,616 a------- c:\windows\apppatch\AcGenral.dll
2009-08-28 22:30 542,720 a------- c:\windows\apppatch\AcLayers.dll
2009-08-28 20:27 4,240,384 a------- c:\windows\system32\GameUXLegacyGDFs.dll
2009-08-28 20:14 28,672 a------- c:\windows\system32\Apphlpdm.dll
2009-08-28 19:42 2,065,696 a------- c:\windows\system32\usbaaplrc.dll
2009-08-28 19:42 40,448 a------- c:\windows\system32\drivers\usbaapl.sys
2009-08-17 02:42 2,173,472 a------- c:\windows\system32\nvcplui.exe
2009-08-17 02:42 1,346,080 a------- c:\windows\system32\nvsvs.dll
2009-08-17 02:41 3,176,992 a------- c:\windows\system32\nvwss.dll
2009-08-17 02:41 4,033,056 a------- c:\windows\system32\nvvitvs.dll
2009-08-17 02:41 1,292,832 a------- c:\windows\system32\nvmobls.dll
2009-08-17 02:41 195,104 a------- c:\windows\system32\nvmccss.dll
2009-08-17 02:41 3,553,824 a------- c:\windows\system32\nvgames.dll
2009-08-17 02:41 13,904,416 a------- c:\windows\system32\nvcpl.dll
2009-08-17 02:41 4,930,080 a------- c:\windows\system32\nvdisps.dll
2009-08-17 02:41 764,448 a------- c:\windows\system32\nvsvc.dll
2009-08-17 02:41 215,584 a------- c:\windows\system32\nvvsvc.exe
2009-08-17 02:41 143,360 a------- c:\windows\system32\nvshext.dll
2009-08-17 02:41 92,704 a------- c:\windows\system32\nvmctray.dll
2009-08-17 00:57 10,858,496 a------- c:\windows\system32\nvoglv32.dll
2009-08-17 00:57 7,569,920 a------- c:\windows\system32\nvd3dum.dll
2009-08-17 00:57 3,298,304 a------- c:\windows\system32\nvwgf2um.dll
2009-08-17 00:57 2,169,376 a------- c:\windows\system32\nvcuvid.dll
2009-08-17 00:57 1,985,536 a------- c:\windows\system32\nvcuda.dll
2009-08-17 00:57 1,706,528 a------- c:\windows\system32\nvcuvenc.dll
2009-08-17 00:57 1,044,992 a------- c:\windows\system32\nvapi.dll
2009-08-17 00:57 485,920 a------- c:\windows\system32\nvudisp.exe
2009-08-17 00:57 155,648 a------- c:\windows\system32\nvcod162.dll
2009-08-17 00:57 155,648 a------- c:\windows\system32\nvcod.dll
2009-08-14 13:36 70,936 a------- c:\windows\system32\PhysXLoader.dll
2009-08-14 11:53 17,920 a------- c:\windows\system32\netevent.dll
2009-08-14 09:49 29,184 a------- c:\windows\system32\TCPSVCS.EXE
2009-08-14 09:49 37,888 a------- c:\windows\system32\ROUTE.EXE
2009-08-14 09:49 31,232 a------- c:\windows\system32\MRINFO.EXE
2009-08-14 09:49 47,104 a------- c:\windows\system32\NETSTAT.EXE
2009-08-14 09:49 39,936 a------- c:\windows\system32\ARP.EXE
2009-08-14 09:49 28,672 a------- c:\windows\system32\HOSTNAME.EXE
2009-08-14 09:49 30,208 a------- c:\windows\system32\finger.exe
2009-08-14 09:48 105,984 a------- c:\windows\system32\netiohlp.dll
2009-08-11 23:41 444,952 a------- c:\windows\system32\wrap_oal.dll
2009-08-11 23:41 109,080 a------- c:\windows\system32\OpenAL32.dll
2009-08-07 19:51 15,308,424 a------- c:\windows\system32\xlive.dll
2009-08-07 19:51 13,642,888 a------- c:\windows\system32\xlivefnt.dll
2009-08-03 00:21 23,320 a------- c:\windows\system32\PhysXDevice.dll
2009-07-04 22:56 139,152 a------- c:\users\john\appdata\roaming\PnkBstrK.sys
2008-12-03 11:00 174 a--sh--- c:\program files\desktop.ini
2006-11-02 08:42 287,440 a------- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 08:42 287,440 a------- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 08:42 30,674 a------- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 08:42 30,674 a------- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 05:20 287,440 a------- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 05:20 287,440 a------- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 05:20 30,674 a------- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 05:20 30,674 a------- c:\windows\inf\perflib\0000\perfc.dat
2009-07-06 12:06 16,384 a--sh--- c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\windows\history\history.ie5\index.dat
2009-07-06 12:06 32,768 a--sh--- c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\windows\temporary internet files\content.ie5\index.dat
2009-07-06 12:06 16,384 a--sh--- c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\windows\cookies\index.dat
2009-07-06 12:06 245,760 a--sh--- c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\windows\ietldcache\index.dat

============= FINISH: 0:10:04.69 ===============

Edited by j5mello, 21 October 2009 - 11:38 PM.



#2 DocSatan (Bleepin' Wanna-Be, Members, 2,156 posts, Gender: Male, Location: Boston, Ma.)

Posted 31 October 2009 - 09:24 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

#3 j5mello (Topic Starter, Members, 5 posts)

Posted 31 October 2009 - 02:54 PM

Symptoms are still the same as those outlined in the OP plus something new:

I get desktop icons linking to youporn.com and various other sites.
I can hear advertisements (for items like Jet Dry and other products) coming from my speakers even though I'm not running anything.
I have a Protection System program that is clearly an illicit anti-virus.
I have several odd processes listed in task manager like VRT3B8A.tmp, wmdtc.exe and lsm32.sys
I also have problems launching certain exes, usually getting a failed to initialize (0xc000007b) error when I try to launch them.
I also get certain desktop shortcuts reading the .exe they are linked to as being moved/nonexistent or having a different icon than they are supposed to.

New: My games explorer in Vista is missing nearly all of the .lnk files for games I have installed.

I've run SuperAntiSpyware Pro several times... both in normal Windows and in safe mode; the most recent scan was just before I checked this thread. It says it's removing files, but so far nothing has changed; the problems reappear about 2 or so power-ons after the scan.
I've traced some of the bad programs and their services which I've disabled in the services window. I've also re-enabled the Windows Security Center (and UAC) which the virus/malware disabled.
I currently have no anti virus installed.

I'm going to be away from my comp for the next 5 hours so you won't get any new posts from me till then.

DDS log follows:

DDS (Ver_09-10-26.01) - NTFSx86
Run by John at 15:41:05.64 on Sat 10/31/2009
Internet Explorer: 8.0.6001.18813 BrowserJavaVersion: 1.6.0_13
Microsoft® Windows Vista™ Business 6.0.6002.2.1252.1.1033.18.3070.2011 [GMT -4:00]

SP: Spybot - Search and Destroy *enabled* (Outdated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
SP: Windows Defender *disabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
SP: SUPERAntiSpyware *enabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\nvvsvc.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Mozilla Firefox\Free Download Manager\fdm.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\D-Link\D-Link RangeBooster N DWA-542\wirelesscm.exe
C:\Program Files\OpenOffice.org 3\program\soffice.exe
C:\Program Files\OpenOffice.org 3\program\soffice.bin
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\Program Files\D-Link\D-Link RangeBooster N DWA-542\acs.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\LogMeIn Hamachi\hamachi-2.exe
C:\Windows\system32\PnkBstrA.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\wmiprvse.exe
svchost.exe C:\Windows\TEMP\VRTF90D.tmp
C:\Program Files\DAEMON Tools Pro\DTProShellHlp.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Users\John\Desktop\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uInternet Settings,ProxyOverride = *.local
uURLSearchHooks: free-downloads.net Toolbar: {ecdee021-0d17-467f-a1ff-c7a115230949} - c:\program files\free-downloads.net\tbfree.dll
mURLSearchHooks: free-downloads.net Toolbar: {ecdee021-0d17-467f-a1ff-c7a115230949} - c:\program files\free-downloads.net\tbfree.dll
mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\windows\system32\drivers\smss.exe
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: FDMIECookiesBHO Class: {cc59e0f9-7e43-44fa-9faa-8377850bf205} - c:\program files\mozilla firefox\free download manager\iefdm2.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: free-downloads.net Toolbar: {ecdee021-0d17-467f-a1ff-c7a115230949} - c:\program files\free-downloads.net\tbfree.dll
TB: free-downloads.net Toolbar: {ecdee021-0d17-467f-a1ff-c7a115230949} - c:\program files\free-downloads.net\tbfree.dll
uRun: [DAEMON Tools Pro Agent] "c:\program files\daemon tools pro\DTProAgent.exe" -autorun
uRun: [Free Download Manager] c:\program files\mozilla firefox\free download manager\fdm.exe -autorun
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
uRun: [ter8m] RUNDLL32.EXE c:\windows\temp\msxm192z.dll,w
mRun: [14693] c:\uiabu.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [amd_dc_opt] c:\program files\amd\dual-core optimizer\amd_dc_opt.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [Regedit32] c:\windows\system32\regedit.exe
mRun: [restorer32_a] c:\windows\system32\restorer32_a.exe
dRun: [nDler2] \\?\globalroot\systemroot\system32\nDler2.exe
StartupFolder: c:\users\john\appdata\roaming\micros~1\windows\startm~1\programs\startup\openof~1.lnk - c:\program files\openoffice.org 3\program\quickstart.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\setpoint\SetPoint.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\wirele~1.lnk - c:\program files\d-link\d-link rangebooster n dwa-542\wirelesscm.exe
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: Download all with Free Download Manager - file://c:\program files\mozilla firefox\free download manager\dlall.htm
IE: Download selected with Free Download Manager - file://c:\program files\mozilla firefox\free download manager\dlselected.htm
IE: Download video with Free Download Manager - file://c:\program files\mozilla firefox\free download manager\dlfvideo.htm
IE: Download with Free Download Manager - file://c:\program files\mozilla firefox\free download manager\dllink.htm
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0012-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_12-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
IFEO: 1.exe - c:\windows\system32\ahui.exe
IFEO: reader_s.exe - c:\windows\system32\ahui.exe
IFEO: regedit.exe - c:\windows\system32\ahui.exe
IFEO: servises.exe - c:\windows\system32\ahui.exe
IFEO: sys64_nov.exe - c:\windows\system32\ahui.exe

================= FIREFOX ===================

FF - ProfilePath - c:\users\john\appdata\roaming\mozilla\firefox\profiles\7i082tq2.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
FF - component: c:\program files\mozilla firefox\free download manager\firefox\extension\components\vmsfdmff.dll
FF - component: c:\users\john\appdata\roaming\mozilla\firefox\profiles\7i082tq2.default\extensions\{463f6ca5-ee3c-4be1-b7e6-7fee11953374}\platform\winnt\components\FoxyTunes.dll
FF - plugin: c:\program files\download manager\npfpdlm.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
FF - plugin: c:\program files\vistacodecpack\rm\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\vistacodecpack\rm\browser\plugins\nprpjplug.dll
FF - plugin: c:\programdata\id software\quakelive\npquakezero.dll
FF - plugin: c:\users\john\appdata\roaming\mozilla\firefox\profiles\7i082tq2.default\extensions\battlefieldheroespatcher@ea.com\platform\winnt_x86-msvc\plugins\npBFHUpdater.dll
FF - plugin: c:\users\john\appdata\roaming\mozilla\firefox\profiles\7i082tq2.default\extensions\moveplayer@movenetworks.com\platform\winnt_x86-msvc\plugins\npmnqmp071301000019.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: XUL Cache: No Registry Reference - c:\program files\mozilla firefox\extensions\{740A27D6-C573-4A49-8BEF-920455489834}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0015-0000-0012-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-10-12 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-10-12 74480]
R2 Hamachi2Svc;LogMeIn Hamachi 2.0 Tunneling Engine;c:\program files\logmein hamachi\hamachi-2.exe [2009-10-9 1078664]
R2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files\nvidia corporation\3d vision\nvSCPAPISvr.exe [2009-8-17 239648]
R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-10-12 7408]
S4 fastnetsrv;fastnetsrv Service;c:\windows\system32\fastnetsrv.exe --> c:\windows\system32\FastNetSrv.exe [?]
S4 SBSDWSCService;SBSD Security Center Service;c:\program files\spybot - search & destroy\SDWinSec.exe [2008-12-27 809296]

=============== Created Last 30 ================

2009-10-31 19:27:26 48128 ----a-w- c:\windows\system32\reader_s.exe
2009-10-31 19:27:25 52 ----a-w- c:\windows\system32\730.tmp
2009-10-31 18:45:26 52 ----a-w- c:\windows\system32\73F7.tmp
2009-10-31 18:37:09 52 ----a-w- c:\windows\system32\E3A9.tmp
2009-10-31 16:58:49 52 ----a-w- c:\windows\system32\4DC1.tmp
2009-10-31 04:11:46 52 ----a-w- c:\windows\system32\5BF4.tmp
2009-10-31 01:14:40 52 ----a-w- c:\windows\system32\BBEE.tmp
2009-10-30 18:08:00 104 ----a-w- c:\windows\system32\DE4.tmp
2009-10-30 16:27:31 144 ----a-w- c:\windows\system32\8600.tmp
2009-10-30 15:25:04 0 ----a-w- c:\windows\system32\1058.tmp
2009-10-30 15:25:01 144 ----a-w- c:\windows\system32\405.tmp
2009-10-29 21:02:41 99080 ---ha-w- c:\windows\system32\mlfcache.dat
2009-10-28 01:21:09 118 ----a-w- c:\windows\oijxdfh42.tmp
2009-10-27 00:51:47 258048 ----a-w- c:\windows\ishvbf3v44.exe
2009-10-27 00:51:40 184 ----a-w- c:\windows\ishvbf3v42.tmp
2009-10-26 01:16:38 700 ----a-w- c:\windows\system32\1253626.exe
2009-10-25 05:53:08 0 d-----w- c:\program files\common files\Blizzard Entertainment
2009-10-25 02:11:02 700 ----a-w- c:\windows\system32\9747431.exe
2009-10-24 01:20:45 836 ----a-w- c:\windows\system32\6814997.exe
2009-10-22 02:15:49 828 ----a-w- c:\windows\system32\8515437.exe
2009-10-22 02:15:44 0 ----a-w- c:\windows\SC.INS
2009-10-22 02:15:44 0 ----a-w- c:\windows\sc.exe
2009-10-21 19:39:02 0 d-----w- c:\program files\Microsoft Games
2009-10-21 16:03:53 0 d-----w- c:\program files\Monte Cristo
2009-10-20 18:56:19 218624 ----a-w- c:\windows\system32\msv1_0.dll
2009-10-20 18:56:13 3600456 ----a-w- c:\windows\system32\ntkrnlpa.exe
2009-10-20 18:56:13 3548216 ----a-w- c:\windows\system32\ntoskrnl.exe
2009-10-20 18:56:09 60928 ----a-w- c:\windows\system32\msasn1.dll
2009-10-20 18:56:06 144896 ----a-w- c:\windows\system32\drivers\srv2.sys
2009-10-20 18:56:04 604672 ----a-w- c:\windows\system32\WMSPDMOD.DLL
2009-10-20 18:39:14 26176 ---ha-w- c:\windows\system32\hamachi.sys
2009-10-20 18:39:01 0 d-----w- c:\program files\LogMeIn Hamachi
2009-10-17 01:31:44 0 d-----w- c:\programdata\SUPERAntiSpyware.com
2009-10-17 01:30:46 0 d-----w- c:\users\john\appdata\roaming\SUPERAntiSpyware.com
2009-10-17 01:30:46 0 d-----w- c:\program files\SUPERAntiSpyware
2009-10-15 18:27:29 0 d-----w- c:\program files\AVG
2009-10-15 15:47:05 0 d-----w- c:\users\john\appdata\roaming\Malwarebytes
2009-10-15 15:47:01 0 d-----w- c:\programdata\Malwarebytes
2009-10-15 15:47:01 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-15 01:24:44 0 d-----w- c:\users\john\Tracing
2009-10-14 20:03:37 0 d-----w- c:\program files\Microsoft SQL Server Compact Edition
2009-10-14 20:02:09 0 d-----w- c:\windows\PCHEALTH
2009-10-14 18:49:59 0 d-----w- c:\program files\common files\Windows Live
2009-10-14 14:41:53 0 d-----w- c:\program files\LogMeIn Hamachi(182)
2009-10-12 15:42:13 0 d-sh--w- c:\windows\system32\%APPDATA%
2009-10-06 19:32:29 0 d--h--w- c:\windows\PIF
2009-10-04 02:05:51 195440 ------w- c:\windows\system32\MpSigStub.exe
2009-10-04 02:00:53 2421760 ----a-w- c:\windows\system32\wucltux.dll
2009-10-04 02:00:38 87552 ----a-w- c:\windows\system32\wudriver.dll
2009-10-04 02:00:30 53760 ----a-w- c:\windows\system32\wuapp.exe
2009-10-04 02:00:30 171608 ----a-w- c:\windows\system32\wuwebv.dll

==================== Find3M ====================

2009-10-31 19:27:07 32784 ----a-w- c:\programdata\nvModes.dat
2009-10-26 02:06:01 138736 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys
2009-10-26 02:05:52 188968 ----a-w- c:\windows\system32\PnkBstrB.exe
2009-10-20 19:02:30 51200 ----a-w- c:\windows\inf\infpub.dat
2009-10-20 19:02:29 86016 ----a-w- c:\windows\inf\infstor.dat
2009-10-20 19:02:29 143360 ----a-w- c:\windows\inf\infstrng.dat
2009-09-30 01:33:19 665600 ----a-w- c:\windows\inf\drvindex.dat
2009-09-29 21:31:20 37665 ----a-w- c:\windows\fonts\GlobalUserInterface.CompositeFont
2009-09-05 18:25:36 1183744 ----a-w- c:\windows\system32\drivers\athr.sys
2009-09-04 21:44:40 69464 ----a-w- c:\windows\system32\XAPOFX1_3.dll
2009-09-04 21:44:40 515416 ----a-w- c:\windows\system32\XAudio2_5.dll
2009-09-04 21:44:40 238936 ----a-w- c:\windows\system32\xactengine3_5.dll
2009-09-04 21:29:34 453456 ----a-w- c:\windows\system32\d3dx10_42.dll
2009-09-04 21:29:34 235344 ----a-w- c:\windows\system32\d3dx11_42.dll
2009-09-04 21:29:32 5501792 ----a-w- c:\windows\system32\d3dcsx_42.dll
2009-09-04 21:29:32 1974616 ----a-w- c:\windows\system32\D3DCompiler_42.dll
2009-09-04 21:29:30 1892184 ----a-w- c:\windows\system32\D3DX9_42.dll
2009-08-29 00:27:49 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
2009-08-29 00:14:38 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
2009-08-28 23:42:52 2065696 ----a-w- c:\windows\system32\usbaaplrc.dll
2009-08-17 06:42:20 2173472 ----a-w- c:\windows\system32\nvcplui.exe
2009-08-17 06:42:18 1346080 ----a-w- c:\windows\system32\nvsvs.dll
2009-08-17 06:41:54 3176992 ----a-w- c:\windows\system32\nvwss.dll
2009-08-17 06:41:52 4033056 ----a-w- c:\windows\system32\nvvitvs.dll
2009-08-17 06:41:52 195104 ----a-w- c:\windows\system32\nvmccss.dll
2009-08-17 06:41:52 1292832 ----a-w- c:\windows\system32\nvmobls.dll
2009-08-17 06:41:50 3553824 ----a-w- c:\windows\system32\nvgames.dll
2009-08-17 06:41:48 92704 ----a-w- c:\windows\system32\nvmctray.dll
2009-08-17 06:41:48 764448 ----a-w- c:\windows\system32\nvsvc.dll
2009-08-17 06:41:48 4930080 ----a-w- c:\windows\system32\nvdisps.dll
2009-08-17 06:41:48 215584 ----a-w- c:\windows\system32\nvvsvc.exe
2009-08-17 06:41:48 143360 ----a-w- c:\windows\system32\nvshext.dll
2009-08-17 06:41:48 13904416 ----a-w- c:\windows\system32\nvcpl.dll
2009-08-17 05:32:00 4223008 ----a-w- c:\windows\system32\NVStWiz.exe
2009-08-17 04:57:00 7569920 ----a-w- c:\windows\system32\nvd3dum.dll
2009-08-17 04:57:00 485920 ----a-w- c:\windows\system32\nvuninst.exe
2009-08-17 04:57:00 485920 ----a-w- c:\windows\system32\nvudisp.exe
2009-08-17 04:57:00 3298304 ----a-w- c:\windows\system32\nvwgf2um.dll
2009-08-17 04:57:00 2169376 ----a-w- c:\windows\system32\nvcuvid.dll
2009-08-17 04:57:00 1985536 ----a-w- c:\windows\system32\nvcuda.dll
2009-08-17 04:57:00 1706528 ----a-w- c:\windows\system32\nvcuvenc.dll
2009-08-17 04:57:00 155648 ----a-w- c:\windows\system32\nvcod162.dll
2009-08-17 04:57:00 155648 ----a-w- c:\windows\system32\nvcod.dll
2009-08-17 04:57:00 10858496 ----a-w- c:\windows\system32\nvoglv32.dll
2009-08-17 04:57:00 1044992 ----a-w- c:\windows\system32\nvapi.dll
2009-08-14 17:36:18 70936 ----a-w- c:\windows\system32\PhysXLoader.dll
2009-08-14 15:53:34 17920 ----a-w- c:\windows\system32\netevent.dll
2009-08-14 13:49:20 29184 ----a-w- c:\windows\system32\TCPSVCS.EXE
2009-08-14 13:49:18 37888 ----a-w- c:\windows\system32\ROUTE.EXE
2009-08-14 13:49:18 31232 ----a-w- c:\windows\system32\MRINFO.EXE
2009-08-14 13:49:15 47104 ----a-w- c:\windows\system32\NETSTAT.EXE
2009-08-14 13:49:14 39936 ----a-w- c:\windows\system32\ARP.EXE
2009-08-14 13:49:14 28672 ----a-w- c:\windows\system32\HOSTNAME.EXE
2009-08-14 13:49:13 30208 ----a-w- c:\windows\system32\finger.exe
2009-08-14 13:48:02 105984 ----a-w- c:\windows\system32\netiohlp.dll
2009-08-12 03:41:24 444952 ----a-w- c:\windows\system32\wrap_oal.dll
2009-08-12 03:41:24 109080 ----a-w- c:\windows\system32\OpenAL32.dll
2009-08-07 23:51:54 15308424 ----a-w- c:\windows\system32\xlive.dll
2009-08-07 23:51:54 13642888 ----a-w- c:\windows\system32\xlivefnt.dll
2009-08-03 04:21:54 23320 ----a-w- c:\windows\system32\PhysXDevice.dll
2008-12-03 15:00:43 174 --sha-w- c:\program files\desktop.ini
2006-11-02 12:42:07 30674 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 12:42:07 30674 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 12:42:07 287440 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 12:42:07 287440 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
2009-07-06 16:06:25 16384 --sha-w- c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\windows\history\history.ie5\index.dat
2009-07-06 16:06:25 32768 --sha-w- c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\windows\temporary internet files\content.ie5\index.dat
2009-07-06 16:06:25 16384 --sha-w- c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\windows\cookies\index.dat
2009-07-06 16:06:25 245760 --sha-w- c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\windows\ietldcache\index.dat
2009-01-13 06:42:08 32768 --sha-w- c:\windows\system32\config\systemprofile\appdata\local\microsoft\windows\history\history.ie5\mshist012009011320090114\index.dat

============= FINISH: 15:42:05.85 ===============
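Added example for this thread, not DDS's own code and not something the helpers posted: a small Python triage of the Run and IFEO lines DDS prints. The sample entries are copied from the log above; the heuristics (IFEO Debugger redirects, autoruns in temp directories or the drive root, \\?\globalroot device paths, rundll32 payload DLLs) are my own and assume the DDS line formats seen here.

```python
"""Flag hijack patterns in the uRun/mRun/dRun and IFEO lines of a DDS log.

Added example for this thread (not part of DDS). An Image File Execution
Options 'Debugger' value makes Windows start that program in place of the
named one; in this log regedit.exe is quietly replaced by ahui.exe.
"""
import re

# Constructed sample: entries copied from the DDS log posted above.
SAMPLE_DDS = r"""
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
uRun: [ter8m] RUNDLL32.EXE c:\windows\temp\msxm192z.dll,w
mRun: [14693] c:\uiabu.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [Regedit32] c:\windows\system32\regedit.exe
dRun: [nDler2] \\?\globalroot\systemroot\system32\nDler2.exe
IFEO: regedit.exe - c:\windows\system32\ahui.exe
IFEO: 1.exe - c:\windows\system32\ahui.exe
"""

RUN_RE = re.compile(r'^(?P<hive>[umd])Run:\s+\[(?P<name>[^\]]*)\]\s+(?P<cmd>.*)$')
IFEO_RE = re.compile(r'^IFEO:\s+(?P<target>\S+)\s+-\s+(?P<debugger>.+)$')
TEMP_DIRS = ('\\windows\\temp\\', '\\appdata\\local\\temp\\')
ROOT_EXE_RE = re.compile(r'^[a-z]:\\[^\\]+\.exe$')   # e.g. c:\uiabu.exe


def split_command(cmd):
    """Return (program, arguments) from a Run value, honouring a quoted program path."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        if end > 0:
            return cmd[1:end], cmd[end + 1:].strip()
    parts = cmd.split(None, 1)
    if not parts:
        return '', ''
    return parts[0], (parts[1] if len(parts) > 1 else '')


def basename(path):
    return path.rsplit('\\', 1)[-1].lower()


def triage(text):
    """Return (severity, label, reason) tuples for entries that need a look."""
    runs, ifeo = [], {}
    for line in text.splitlines():
        line = line.strip()
        m = IFEO_RE.match(line)
        if m:
            ifeo[m['target'].lower()] = m['debugger'].strip()
            continue
        m = RUN_RE.match(line)
        if m:
            runs.append((m['hive'], m['name'], m['cmd'].strip()))

    findings = []
    # Every Debugger value is worth review: the named program never runs itself.
    for target, debugger in ifeo.items():
        findings.append(('high', f'IFEO:{target}',
                         f'starting {target} runs {debugger} instead'))

    for hive, name, cmd in runs:
        program, args = split_command(cmd)
        reasons = []
        if basename(program) == 'rundll32.exe':
            # The payload is the DLL argument (before ',entrypoint'); judge that path.
            program = args.split(',', 1)[0].strip('" ')
            reasons.append(f'rundll32 loads {basename(program)}')
        path = program.lower()
        if basename(program) in ifeo:
            # Chain seen in this log: a Run key starts regedit.exe, IFEO swaps it out.
            reasons.append(f'autorun image is redirected by IFEO to {ifeo[basename(program)]}')
        if 'globalroot' in path:
            reasons.append('uses a \\\\?\\globalroot device path')
        if any(d in path for d in TEMP_DIRS):
            reasons.append('runs from a temp directory')
        if ROOT_EXE_RE.match(path):
            reasons.append('executable sits directly in the drive root')
        if reasons:
            findings.append(('review', f'{hive}Run:[{name}]', '; '.join(reasons)))
    return findings


if __name__ == '__main__':
    for severity, label, reason in triage(SAMPLE_DDS):
        print(f'{severity:6} {label:28} {reason}')
```

Entries from known vendors (SUPERAntiSpyware, Java) produce no finding; a clean log gives an empty list.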

#4 DocSatan

Posted 01 November 2009 - 08:17 AM

Hello j5mello and Welcome to BleepingComputer.

I'm DocSatan and I will be helping you with your "Malware" related computer problems. Please give me some time to research your Log and I will get back to you ASAP. :(

In the meantime:

1. Please TRACK this Topic

  • At the top-right of this thread, click on the Posted Image button.
  • In the list that drops down, click on Posted Image
  • Place a tick-mark next to Immediate E-Mail Notification
  • Then click on Posted Image
  • You will now receive an e-mail as soon as a Reply is made to this Topic. :(
2. Do Not Make Any Changes to the "Infected" Computer.
  • Once you have posted a NEW DDS Log, Do Not make any changes to the computer. I will be researching the DDS Log that you post and any changes made to the system might interfere with the FIX that I prepare for you. Examples of "Changes":
  • Deleting Files/Folders
  • Installing/Uninstalling Programs
  • Running Anti-Virus, Anti-Malware, Anti-Spyware, etc., Programs
3. Please do not seek Help with this issue at another Computer Help Forum
  • While we are working together I must insist that you do not seek help with this matter at any other Help Forum.
  • Having multiple (more than one) Forums provide help for the same computer issue will result in confusion with preparing a Fix.
  • It is also not fair to the Volunteer who is helping you, as her/his time will be wasted trying to fix a computer that someone else is also trying to fix.
  • So, if you have posted at another Computer Help Forum for this same issue I would ask that you choose which Forum that you wish to stay with and inform the other Forum(s) that you no longer require their assistance.
4. Throughout the course of us working together, I will be posting step-by-step procedures for you to follow on your computer.
  • If at any time you do not fully understand what I have said, or you are not exactly sure what you are supposed to do, then please stop there and Post back to this topic and ask your questions. That way I will be able to more clearly explain the step/procedure and we won't have to worry about any steps being done incorrectly. :)

Doc.

#5 j5mello

Posted 01 November 2009 - 11:45 AM

Thanks for the help DocSatan.

I've already got the thread on email notification and I haven't changed anything since I posted the last DDS log.

I'm going to be away from my computer for 7 hours starting about 2 hours from now, so you won't get any new post from me till much later.

Edited by j5mello, 01 November 2009 - 12:11 PM.


#6 DocSatan

Posted 02 November 2009 - 08:52 AM

Hello j5mello,

I'm sorry to be the bearer of some very bad news, but...

Your system is infected with a nasty variant of Virut, a polymorphic file infector with IRCBot functionality which infects .exe, .scr files, downloads more malicious files to your system, and opens a back door that compromises your computer. According to this Norman White Paper Assessment of W32/Virut, some variants can infect the HOSTS file and block access to security related web sites. Other variants of virut can even penetrate and infect .exe files within compressed files (.zip, .cab, rar). Virux is an even more complex file infector which can embed an iframe into the body of web-related files and infect script files (.php, .asp, and .html). When Virut creates infected files, it also creates non-functional files that are corrupted beyond repair and in some instances can disable Windows File Protection. In many cases the infected files cannot be disinfected properly by your anti-virus. When disinfection is attempted, the files become corrupted and the system may become irreparable. The longer virut remains on a computer, the more critical system files will become infected and corrupt so the degree of infection can vary.

The virus disables Windows File Protection by injecting code into the "winlogon.exe" process that patches system code in memory.

CA Virus detail of W32/Virut

The virus has a number of bugs in its code, and as a result it may misinfect a proportion of executable files....some W32/Virut.h infections are corrupted beyond repair.

McAfee Risk Assessment and Overview of W32/Virut

There are bugs in the viral code. When the virus produces infected files, it also creates non-functional files that also contain the virus...Due to the damage caused to files by virut it's possible to find repaired but corrupted files. They became corrupted by the incorrect writing of the viral code during the process of infection. Undetected, corrupted files (possibly still containing part of the viral code) can also be found. This is caused by incorrectly written and non-functional viral code present in these files.

AVG Overview of W32/Virut

This kind of infection is contracted and spread by visiting remote, crack and keygen sites. These types of sites are infested with a smörgåsbord of malware and an increasing source of system infection. However, the CA Security Advisor Research Blog says they have found MySpace user pages carrying the malicious Virut URL. Either way you can end up with a computer system so badly damaged that recovery is not possible and it cannot be repaired. When that happens there is nothing you can do besides reformatting and reinstalling the OS.

...warez and crack web pages are being used by cybercriminals as download sites for malware related to VIRUT and VIRUX. Searches for serial numbers, cracks, and even antivirus products like Trend Micro yield malcodes that come in the form of executables or self-extracting files...quick links in these sites also lead to malicious files. Ads and banners are also infection vectors...

Keygen and Crack Sites Distribute VIRUX and FakeAV

If your computer was used for online banking, has credit card information or other sensitive data on it, you should disconnect from the Internet until your system is cleaned. All passwords should be changed immediately to include those used for banking, email, eBay, paypal and online forums. You should consider them to be compromised. You should change each password using a clean computer and not the infected one. If not, an attacker may get the new passwords and transaction information. If using a router, you need to reset it with a strong logon/password so the malware cannot gain control before connecting again. Banking and credit card institutions should be notified of the possible security breach. Because your computer was compromised please read:

There is no guarantee this infection can be completely removed. In some instances it may have caused so much damage to your system that it cannot be completely cleaned or repaired. The malware may leave so many remnants behind that security tools cannot find them. Many experts in the security community believe that once infected with this type of malware, the best course of action is to wipe the drive clean, reformat and reinstall the OS. Reinstalling Windows without first wiping the entire hard drive with a repartition and/or format will not remove the infection. The reinstall will only overwrite the Windows files. Any malware on the system will still be there afterwards. Please read:

My advice to you, J5mello, is to reformat and reinstall. Virut is not disinfectable. Do NOT attempt a repair install. It shall be a waste of time. If you do so, the infected executables remain on the machine & you shall likely trigger another bout of Virut. BleepingComputer DOES NOT assume any responsibility for any attempt to repair this infection. Trying to fix Virut is at your own risk and against our advice!

I suggest you start backing up all of your valuable data/documents/pictures/movies/songs/etc.
Keep in mind, though, that with a Virut infection, there is always a chance of backed up data reinfecting your system! Do NOT backup any applications/installers and do NOT backup any executable files (*.exe), screensavers (*.scr), autorun (.ini) or script (.php, .asp, .html, .htm, .xml) files. Also avoid backing up compressed files (.zip, .cab, .rar) that have .exe or .scr files inside them as Virut can penetrate and infect these files within compressed files too.
NOTE: If you have to backup files, do so only for MS Office documents & any non-executable files. Burn them to CD/DVD. Do NOT copy files from the infected machine to your flash drive or external hard drive as they may become compromised in the process. You risk infecting the other machine!

If you do not know how to perform a fresh install, use these websites and read the instructions on how to format and reinstall Windows:

Should you have any questions, please feel free to ask.

Doc.

#7 j5mello

Posted 02 November 2009 - 10:55 AM

OK, I figured it might be a lost cause. I have some questions though:

I recently bought an iomega Prestige Desktop Hard Drive (1TB) which has the iomega Protection Suite on it. The Suite includes McAfee VirusScan Plus on it. Assuming I initially set up the drive on a different computer (i.e. register it and make sure the virus scan is up to date), can I use that to transfer my files off safely? I'm mainly looking to get my music plus some random other items off my HDD.

If not then just burning them to a data DVD should be safe correct?


Also, I connected my flash drive to the system because I needed to retrieve one of my papers. How likely is it that the drive is infected, and if so, how can I clean it?

Edited by j5mello, 02 November 2009 - 12:23 PM.


#8 DocSatan

Posted 05 November 2009 - 05:17 AM

j5mello,

1. What should you back-up/transfer from the infected machine:
  • You should ONLY back-up/transfer Important Documents that you Really Need, such as:
    • MS Documents, Spreadsheets, and other important (personal) data files.
    • any files that DO NOT have the extensions in the list below should be safe to transfer
  • There is ALWAYS a chance that you will still infect the clean computer that you are transferring these files to. This is why it is important to only transfer Important files that you really, really need.
2. Files NOT to back-up/transfer to the clean computer:
  • applications/installers
  • executable files (*.exe)
  • screensavers (*.scr)
  • autorun (.ini) or script (.php, .asp, .html, .htm, .xml) files
  • compressed files (.zip, .cab, .rar) that have .exe or .scr files inside them: Virut can penetrate and infect these files within compressed files too
  • any Operating System-related files
  • any files that you do not recognize
3. What method should you use to transfer files from the infected computer:
  • Do NOT copy files from the infected machine to your flash drive or external hard drive as they may become compromised in the process. You risk infecting the other machine!
  • Burn them to CD/DVD
As far as the Flash Drive that you used to transfer that Paper, it might be fine as long as there were no files with the extensions from the above list on it. You can try scanning the Flash Drive with an AntiVirus program, but they aren't 100% on the detection. The only surefire way to ensure that the Flash Drive is Clean is to Reformat it as well.
  • Virut CAN spread via Flash Drives, so it is possible that the computer that you transferred the Document to, via this Flash Drive, might have also been infected with Virut.
I hope that this has helped you out some.
(Thanks to my coach htv8 for this additional info)

Doc.

#9 htv8

Posted 11 November 2009 - 10:37 AM

As the problem here seems to be resolved, this topic is now closed.
If you need this topic reopened, please PM a staff member and we will reopen it for you (include the address of this thread in your request). This applies to the original topic starter only. If you should have a new issue, please start a new topic. Everyone else with similar problems, please start a new topic.
If I have not posted back within 24 hours, feel free to send me a PM with your topic link.
