
W32 Virus


  • This topic is locked
2 replies to this topic

#1 chonzy

chonzy

  • Members
  • 1 posts
  • OFFLINE
  • Local time:07:34 PM

Posted 22 December 2009 - 04:09 PM

I have no idea how I got it. I have tried reformatting (DBAN) and recovering my computer, but no luck. It is deleting all my system32 files and not letting me run programs out of safe mode ("file name is not a valid win32 program"). I have tried Malwarebytes, Avira, Spyware Doctor, a-squared; none can remove it. I had to run DDS and RootRepeal in safe mode.

DDS (Ver_09-12-01.01) - NTFSx86 NETWORK
Run by Compaq_Owner at 9:43:51.37 on Tue 12/22/2009
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.574.436 [GMT -8:00]

AV: Spyware Doctor with AntiVirus *On-access scanning enabled* (Updated) {D3C23B96-C9DC-477F-8EF1-69AF17A6EFF6}
AV: Spyware Terminator *On-access scanning enabled* (Updated) {55EE49A8-16BE-4601-BBE6-607B7F7317DE}
AV: Norton Internet Security 2006 *On-access scanning enabled* (Outdated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Internet Security 2006 *disabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Compaq_Owner\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=63&bd=PRESARIO&pf=desktop
uSearch Page = hxxp://www.google.com
uDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=63&bd=PRESARIO&pf=desktop
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=63&bd=PRESARIO&pf=desktop
uSearch Bar = hxxp://www.google.com/ie
mDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=63&bd=PRESARIO&pf=desktop
mDefault_Search_URL = hxxp://www.google.com/ie
mSearch Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=63&bd=PRESARIO&pf=desktop
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=63&bd=PRESARIO&pf=desktop
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=63&bd=PRESARIO&pf=desktop
uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=63&bd=PRESARIO&pf=desktop
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: : {1cb20bf0-bbae-40a7-93f4-6435ff3d0411} - c:\progra~1\crawler\ctbr.dll
BHO: CNavExtBho Class: {a8f38d8d-e480-4d52-b7a2-731bb6995fdd} - c:\program files\norton internet security\norton antivirus\NavShExt.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar1.dll
BHO: hpWebHelper Class: {aaae832a-5fff-4661-9c8f-369692d1dcb9} - c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\plugin\WebHelper.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.2.4204.1700\swg.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar1.dll
TB: Norton AntiVirus: {c4069e3a-68f1-403e-b40e-20066696354b} - c:\program files\norton internet security\norton antivirus\NavShExt.dll
TB: &Crawler Toolbar: {4b3803ea-5230-4dc3-a7fc-33638f3d3542} - c:\progra~1\crawler\ctbr.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [SpywareTerminatorUpdate] "c:\program files\spyware terminator\SpywareTerminatorUpdate.exe"
uRun: [Advanced SystemCare 3] "c:\program files\iobit\advanced systemcare 3\AWC.exe" /startup
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
mRun: [SunJavaUpdateSched] c:\program files\java\jre1.5.0_05\bin\jusched.exe
mRun: [hpsysdrv] c:\windows\system\hpsysdrv.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [Recguard] c:\windows\sminst\RECGUARD.EXE
mRun: [PCDrProfiler] "c:\program files\pc-doctor 5 for windows\RunProfiler.exe" -r
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [URLLSTCK.exe] c:\program files\norton internet security\UrlLstCk.exe
mRun: [HPBootOp] "c:\program files\hewlett-packard\hp boot optimizer\HPBootOp.exe" /run
mRun: [RBreset] c:\hp\bin\cloaker.exe cmd /c c:\hp\drivers\hpsu\RBLastRunReset.bat
mRun: [OutpostMonitor] "c:\program files\agnitum\outpost firewall\op_mon.exe" /tray /noservice
mRun: [OutpostFeedBack] "c:\program files\agnitum\outpost firewall\feedback.exe" /dump:os_startup
mRun: [HP Software Update] c:\program files\hp\hp software update\HPwuSchd2.exe
mRun: [SpywareTerminator] "c:\program files\spyware terminator\SpywareTerminatorShield.exe"
mRun: [Google Updater] "c:\program files\google\google updater\GoogleUpdater.exe" -systray -startup
mRun: [ISTray] "c:\program files\spyware doctor\pctsTray.exe"
IE: &Google Search - c:\program files\google\GoogleToolbar1.dll/cmsearch.html
IE: &Translate English Word - c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
IE: Backward Links - c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
IE: Cached Snapshot of Page - c:\program files\google\GoogleToolbar1.dll/cmcache.html
IE: Crawler Search - tbr:iemenu
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000
IE: Similar Pages - c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
IE: Translate Page into English - c:\program files\google\GoogleToolbar1.dll/cmtrans.html
IE: {E2D4D26B-0180-43a4-B05F-462D6D54C789} - c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\iebutton\support.htm
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0005-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_05\bin\npjpi150_05.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_05-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_05-windows-i586.cab
Handler: tbr - {4D25FB7A-8902-4291-960E-9ADA051CFBBF} - c:\progra~1\crawler\ctbr.dll
AppInit_DLLs: c:\progra~1\agnitum\outpos~1\wl_hook.dll

============= SERVICES / DRIVERS ===============

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2009-12-22 207792]
R3 afw;Agnitum firewall driver;c:\windows\system32\drivers\afw.sys [2009-12-22 31128]
S1 SandBox;SandBox;c:\windows\system32\drivers\SandBox.sys [2009-12-22 704384]
S1 SAVRTPEL;SAVRTPEL;c:\program files\norton internet security\norton antivirus\Savrtpel.sys [2005-8-26 53896]
S1 sp_rsdrv2;Spyware Terminator Driver 2;c:\windows\system32\drivers\sp_rsdrv2.sys [2009-12-22 142592]
S2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccEvtMgr.exe [2005-9-16 192112]
S2 ccProxy;Symantec Network Proxy;c:\program files\common files\symantec shared\ccProxy.exe [2005-9-16 202352]
S2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSetMgr.exe [2005-9-16 169584]
S2 navapsvc;Norton AntiVirus Auto-Protect Service;c:\program files\norton internet security\norton antivirus\navapsvc.exe [2005-12-30 133792]
S2 sdAuxService;PC Tools Auxiliary Service;c:\program files\spyware doctor\pctsAuxs.exe [2009-12-22 359624]
S2 sdCoreService;PC Tools Security Service;c:\program files\spyware doctor\pctsSvc.exe [2009-12-22 1141712]
S2 Symantec Core LC;Symantec Core LC;c:\program files\common files\symantec shared\ccpd-lc\symlcsvc.exe [2006-6-16 1119888]
S3 afwcore;afwcore;c:\windows\system32\drivers\afwcore.sys [2009-12-22 257432]
S3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20060216.009\NAVENG.Sys [2006-6-16 77864]
S3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20060216.009\NavEx15.Sys [2006-6-16 750952]
S3 SAVRT;SAVRT;c:\program files\norton internet security\norton antivirus\savrt.sys [2005-8-26 334984]
S3 SAVScan;Symantec AVScan;c:\program files\norton internet security\norton antivirus\SAVScan.exe [2005-8-26 198368]

=============== Created Last 30 ================

2009-12-22 16:49:42 0 d-----w- c:\docume~1\compaq~1\applic~1\Malwarebytes
2009-12-22 16:49:38 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-22 16:49:36 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-22 16:49:36 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-12-22 16:49:36 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-12-22 16:25:12 0 d--h--w- c:\windows\PIF
2009-12-22 16:24:33 7387 ----a-w- c:\windows\system32\drivers\pctgntdi.cat
2009-12-22 16:24:31 233136 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2009-12-22 16:23:37 7383 ----a-w- c:\windows\system32\drivers\pctcore.cat
2009-12-22 16:23:35 7412 ----a-w- c:\windows\system32\drivers\PCTAppEvent.cat
2009-12-22 16:23:35 207792 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2009-12-22 16:23:32 87784 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2009-12-22 16:22:36 7383 ----a-w- c:\windows\system32\drivers\pctplsg.cat
2009-12-22 16:22:32 70408 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2009-12-22 16:21:49 0 d-----w- c:\program files\common files\PC Tools
2009-12-22 16:21:48 0 d-----w- c:\program files\Spyware Doctor
2009-12-22 16:21:48 0 d-----w- c:\docume~1\compaq~1\applic~1\PC Tools
2009-12-22 16:21:48 0 d-----w- c:\docume~1\alluse~1\applic~1\PC Tools
2009-12-22 16:04:39 0 d-sh--r- C:\cmdcons
2009-12-22 16:04:33 0 d-----w- c:\windows\setup.pss
2009-12-22 16:04:19 0 d-----w- c:\windows\setupupd
2009-12-22 16:00:07 0 d-----w- c:\program files\IObit
2009-12-22 16:00:07 0 d-----w- c:\docume~1\compaq~1\applic~1\IObit
2009-12-22 15:53:09 0 d-----w- c:\program files\WinClamAVShield
2009-12-22 15:53:01 704384 ----a-w- c:\windows\system32\drivers\SandBox.sys
2009-12-22 15:52:53 257432 ----a-w- c:\windows\system32\drivers\afwcore.sys
2009-12-22 15:51:36 49 ----a-w- c:\windows\transp.gif
2009-12-22 15:51:34 31128 ----a-w- c:\windows\system32\drivers\afw.sys
2009-12-22 15:51:33 0 d-----w- c:\program files\Agnitum
2009-12-22 15:51:13 0 d-----w- c:\docume~1\alluse~1\applic~1\Agnitum
2009-12-22 15:47:51 0 d-----w- c:\program files\Crawler
2009-12-22 15:44:32 142592 ----a-w- c:\windows\system32\drivers\sp_rsdrv2.sys
2009-12-22 15:44:32 0 d-----w- c:\docume~1\compaq~1\applic~1\Spyware Terminator
2009-12-22 15:44:31 0 d-----w- c:\docume~1\alluse~1\applic~1\Spyware Terminator
2009-12-22 15:44:30 0 d-----w- c:\program files\Spyware Terminator
2009-12-22 15:36:52 0 d-s---w- c:\documents and settings\compaq_owner\UserData
2009-12-22 15:35:20 1831 --sha-r- c:\windows\system32\drivers\103C_HP_CPC_EX318AA-ABA SR1920NX NA630_YC_0Pres_QCNH627_E63NAheREA2_48_INAGAMI2L_SASUSTek Computer INC._V2.00_B3.11_T060919_WXH2_L409_M575_J200_7AMD_8Athlon 64_92.2_#091222_N_Z11C10620_G10DE0241.MRK
2009-12-22 15:33:56 0 d-----w- c:\docume~1\compaq~1\applic~1\Symantec
2009-12-22 15:33:56 0 d-----w- c:\docume~1\compaq~1\applic~1\Intuit
2009-12-22 15:31:48 178 ----a-w- c:\windows\system\hpsysdrv.DAT
2009-12-22 15:30:30 12160 ----a-w- c:\windows\system32\drivers\mouhid.sys
2009-12-22 15:30:28 14848 ----a-w- c:\windows\system32\drivers\kbdhid.sys
2009-12-22 15:30:23 9600 ----a-w- c:\windows\system32\drivers\hidusb.sys
2009-12-22 15:15:37 0 d-----r- c:\documents and settings\all users\Documents
2009-12-22 15:15:02 0 d-----r- c:\windows\Offline Web Pages
2009-12-22 15:12:18 0 d-sh--r- c:\windows\system32\dllcache

==================== Find3M ====================

2009-12-22 16:50:52 58880 ----a-w- c:\windows\system32\ctfmon.exe
2009-12-22 16:50:51 1032192 ----a-w- c:\windows\explorer.exe
2008-11-01 21:28:54 32 --sha-w- c:\windows\sminst\HPCD.SYS

============= FINISH: 9:44:13.07 ===============

Edited by chonzy, 22 December 2009 - 04:24 PM.



#2 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,770 posts
  • OFFLINE
  • Gender:Female
  • Location:At home
  • Local time:05:34 AM

Posted 04 January 2010 - 11:46 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not, please perform the following steps so we can have a look at the current condition of your machine.

Please include a clear description of the problems you're having, along with any steps you may have performed so far.

Please refrain from running tools or applying updates other than those we suggest while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.

Even if you have already provided information about your PC, we need a new log to see what has changed since you originally posted your problem.
  • Please download OTL from the following mirror:
  • Save it to your desktop.
  • Double click on the OTL icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Push the Run Scan button.
  • Two reports will open, copy and paste them in a reply here:
    • OTL.txt <-- Will be opened
    • Extra.txt <-- Will be minimized
In the upper right hand corner of the topic you will see a button called Options. If you click on this, in the drop-down menu you can choose Track this topic. I suggest you do this and select Immediate E-Mail notification and click on Proceed. This way you will be advised when we respond to your topic, which will facilitate the cleaning of your machine.

After 5 days, if a topic is not replied to, we assume it has been abandoned and it is closed.

Regards, myrti

is that a bird? a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help requests via PM unless I am already helping you. Use the forums!



#3 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,770 posts
  • OFFLINE
  • Gender:Female
  • Location:At home
  • Local time:05:34 AM

Posted 09 January 2010 - 08:13 AM

Due to lack of feedback, this topic is now Closed.

If you need this topic reopened, please send me a PM.
Please include the address of this thread in your request.
This applies only to the original topic starter.

Everyone else please start a new topic.

With Regards,
myrti


