Need help please! I don't know what is wrong...


3 replies to this topic

#1 gsschum

gsschum

  • Members
  • 9 posts
  • OFFLINE
  • Local time:05:30 PM

Posted 21 January 2010 - 08:32 AM

System:
Microsoft Windows XP Professional Version 2002
Service Pack 3

Intel® Pentium® 4
CPU 2.40 GHz
1.00 GB RAM

Other Info:

Turn off System Restore on all drives has been checked.

Symptoms:

My router has to be manually reset to default every once in a while due to a "page cannot be displayed" error. The first several times it detects my connection as "static" even though under TCP/IP properties I have it set to DHCP. I also noticed that the page kept refreshing, and under the Mozilla Firefox navigation toolbar the "X" or "stop loading this page" kept repeating while at the bottom it was saying "Done". After being very persistent and many attempts it finally detected DHCP. Another problem I noticed: Mozilla keeps stopping the page from being redirected. Also gmer.exe keeps crashing within several seconds of opening the application. I also ran ATF Cleaner.

Hidden Object
C:\DOCUMENTS AND SETTINGS\STEVE.SLS_COMP\LOCAL SETTINGS\TEMP\RARSFX0\K643DXP.EXE

LOGS:

======================================================================


Kaspersky Anti-Virus

1/19/2010 1:15:30 PM Task started File Anti-Virus Kaspersky Anti-Virus
1/19/2010 1:28:23 PM Task started File Anti-Virus Kaspersky Anti-Virus
1/19/2010 3:55:38 PM Detected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 C:\System Volume Information\_restore{7852596F-B680-4853-8413-FB6069A893DD}\RP1604\A0199174.exe Generic Host Process for Win32 Services
1/19/2010 5:25:24 PM Deleted: not-a-virus:RemoteAdmin.Win32.WinVNC.4 C:\System Volume Information\_restore{7852596F-B680-4853-8413-FB6069A893DD}\RP1604\A0199174.exe Generic Host Process for Win32 Services
1/19/2010 5:25:24 PM Detected: not-a-virus:RiskTool.Win32.PsExec.123 C:\System Volume Information\_restore{7852596F-B680-4853-8413-FB6069A893DD}\RP1604\A0199175.exe Generic Host Process for Win32 Services
1/19/2010 6:22:57 PM Deleted: not-a-virus:RiskTool.Win32.PsExec.123 C:\System Volume Information\_restore{7852596F-B680-4853-8413-FB6069A893DD}\RP1604\A0199175.exe Generic Host Process for Win32 Services
1/19/2010 6:22:57 PM Detected: not-a-virus:NetTool.Win32.PsKill.a C:\System Volume Information\_restore{7852596F-B680-4853-8413-FB6069A893DD}\RP1604\A0199177.exe Generic Host Process for Win32 Services
1/19/2010 6:30:00 PM Untreated: not-a-virus:NetTool.Win32.PsKill.a C:\System Volume Information\_restore{7852596F-B680-4853-8413-FB6069A893DD}\RP1604\A0199177.exe Skipped by user Generic Host Process for Win32 Services
1/19/2010 6:32:04 PM Detected: not-a-virus:NetTool.Win32.PsKill.a C:\System Volume Information\_restore{7852596F-B680-4853-8413-FB6069A893DD}\RP1604\A0199177.exe Windows Explorer
1/19/2010 6:32:39 PM Untreated: not-a-virus:NetTool.Win32.PsKill.a C:\System Volume Information\_restore{7852596F-B680-4853-8413-FB6069A893DD}\RP1604\A0199177.exe Skipped by user Windows Explorer
1/19/2010 6:32:42 PM Detected: not-a-virus:NetTool.Win32.PsKill.a C:\RECYCLER\S-1-5-21-936119014-1497507713-1777090905-1002\Dc35.exe Windows Explorer
1/19/2010 6:32:54 PM Untreated: not-a-virus:NetTool.Win32.PsKill.a C:\RECYCLER\S-1-5-21-936119014-1497507713-1777090905-1002\Dc35.exe Skipped by user Windows Explorer
1/19/2010 6:33:26 PM Detected: not-a-virus:Client-IRC.Win32.mIRC.g C:\Program Files\mIRC\mirc.exe Windows Explorer
1/19/2010 6:36:41 PM Deleted: not-a-virus:Client-IRC.Win32.mIRC.g C:\Program Files\mIRC\mirc.exe Windows Explorer
1/19/2010 6:38:19 PM Detected: not-a-virus:NetTool.Win32.PsKill.a C:\RECYCLER\S-1-5-21-936119014-1497507713-1777090905-1002\Dc35.exe Windows Explorer
1/19/2010 6:38:56 PM Untreated: not-a-virus:NetTool.Win32.PsKill.a C:\RECYCLER\S-1-5-21-936119014-1497507713-1777090905-1002\Dc35.exe Skipped by user Windows Explorer


======================================================================

Malwarebytes' Anti-Malware 1.44
Database version: 3597
Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.11

1/19/2010 2:12:27 AM
mbam-log-2010-01-19 (02-12-27).txt

Scan type: Full Scan (C:\|G:\|)
Objects scanned: 245444
Time elapsed: 49 minute(s), 25 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 23

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\huwebijum (Trojan.Vundo.H) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\yowujeje.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\fefiweta.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\hutoziyo.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\juviyame.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\yagerumu.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{7852596F-B680-4853-8413-FB6069A893DD}\RP1572\A0186205.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{7852596F-B680-4853-8413-FB6069A893DD}\RP1572\A0186221.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{7852596F-B680-4853-8413-FB6069A893DD}\RP1572\A0186222.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{7852596F-B680-4853-8413-FB6069A893DD}\RP1572\A0186223.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{7852596F-B680-4853-8413-FB6069A893DD}\RP1573\A0191319.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{7852596F-B680-4853-8413-FB6069A893DD}\RP1573\A0191352.sys (Malware.Trace) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{7852596F-B680-4853-8413-FB6069A893DD}\RP1573\A0191604.sys (Malware.Trace) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{7852596F-B680-4853-8413-FB6069A893DD}\RP1573\A0191674.sys (Malware.Trace) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{7852596F-B680-4853-8413-FB6069A893DD}\RP1579\A0193853.sys (Malware.Trace) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{7852596F-B680-4853-8413-FB6069A893DD}\RP1589\A0196158.sys (Malware.Trace) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{7852596F-B680-4853-8413-FB6069A893DD}\RP1589\A0196333.sys (Malware.Trace) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{7852596F-B680-4853-8413-FB6069A893DD}\RP1600\A0198506.sys (Malware.Trace) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{7852596F-B680-4853-8413-FB6069A893DD}\RP1600\A0198742.sys (Malware.Trace) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{7852596F-B680-4853-8413-FB6069A893DD}\RP1601\A0198831.sys (Malware.Trace) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{7852596F-B680-4853-8413-FB6069A893DD}\RP1601\A0199005.sys (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\bilayupa.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\fejepena.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\tepepife.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.


======================================================================

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:41:09 AM, on 1/21/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16945)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\brsvc01a.exe
C:\WINDOWS\System32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\Creative\Creative ZEN\ZEN Media Explorer\CTCheck.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe
C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\SpywareBlaster\spywareblaster.exe
C:\Program Files\SpywareBlaster\spywareblaster.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\ESET\ESET Online Scanner\OnlineScannerApp.exe
C:\Program Files\ESET\ESET Online Scanner\OnlineCmdLineScanner.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\klwtblfs.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\steve.SLS_COMP\Desktop\OTL.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: IEVkbdBHO - {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\ievkbd.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)
O2 - BHO: link filter bho - {E33CF602-D945-461A-83F0-819F76A199F8} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\klwtbbho.dll
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [CTCheck] C:\Program Files\Creative\Creative ZEN\ZEN Media Explorer\CTCheck.exe
O4 - HKLM\..\Run: [HitmanPro35] "C:\Program Files\Hitman Pro 3.5\HitmanPro35.exe" /scan:boot
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe"
O4 - HKCU\..\Run: [CTSyncU.exe] "C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Startup: spywareblaster.lnk = C:\Program Files\SpywareBlaster\spywareblaster.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: &Virtual keyboard - {4248FE82-7FCB-46AC-B270-339F08212110} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\klwtbbho.dll
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
O9 - Extra button: URLs c&heck - {CCF151D8-D089-449F-A5A4-D9909053F20F} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\klwtbbho.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: symsupportutil - https://www-secure.symantec.com/techsupp/ac...supportutil.CAB
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1\mzvkbd3.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Kaspersky Anti-Virus (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Programs\pcAnywhere10.5\awhost32.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\System32\brsvc01a.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Hummingbird Inetd (HCLInetd) - Hummingbird Communications Ltd. - C:\WINDOWS\System32\Hummbird\inetd32.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 7217 bytes
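A small triage helper for the Kaspersky event lines posted above, added here as an example (it is not code from the thread or from BleepingComputer): it parses each line, tags whether the flagged file sits in a System Restore point, the Recycle Bin or a live location, and lists the paths whose last recorded action was "Untreated" rather than "Deleted". The sample lines are copied from the post; the regex and the location classes are my own assumptions about the log format.

```python
import re
from collections import Counter

# Kaspersky Anti-Virus event lines copied from the first post (abridged).
KAV_LOG = r"""
1/19/2010 3:55:38 PM Detected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 C:\System Volume Information\_restore{7852596F-B680-4853-8413-FB6069A893DD}\RP1604\A0199174.exe Generic Host Process for Win32 Services
1/19/2010 5:25:24 PM Deleted: not-a-virus:RemoteAdmin.Win32.WinVNC.4 C:\System Volume Information\_restore{7852596F-B680-4853-8413-FB6069A893DD}\RP1604\A0199174.exe Generic Host Process for Win32 Services
1/19/2010 6:22:57 PM Detected: not-a-virus:NetTool.Win32.PsKill.a C:\System Volume Information\_restore{7852596F-B680-4853-8413-FB6069A893DD}\RP1604\A0199177.exe Generic Host Process for Win32 Services
1/19/2010 6:30:00 PM Untreated: not-a-virus:NetTool.Win32.PsKill.a C:\System Volume Information\_restore{7852596F-B680-4853-8413-FB6069A893DD}\RP1604\A0199177.exe Skipped by user Generic Host Process for Win32 Services
1/19/2010 6:32:42 PM Detected: not-a-virus:NetTool.Win32.PsKill.a C:\RECYCLER\S-1-5-21-936119014-1497507713-1777090905-1002\Dc35.exe Windows Explorer
1/19/2010 6:32:54 PM Untreated: not-a-virus:NetTool.Win32.PsKill.a C:\RECYCLER\S-1-5-21-936119014-1497507713-1777090905-1002\Dc35.exe Skipped by user Windows Explorer
1/19/2010 6:33:26 PM Detected: not-a-virus:Client-IRC.Win32.mIRC.g C:\Program Files\mIRC\mirc.exe Windows Explorer
1/19/2010 6:36:41 PM Deleted: not-a-virus:Client-IRC.Win32.mIRC.g C:\Program Files\mIRC\mirc.exe Windows Explorer
"""

# Assumed layout of one event line: timestamp, action, detection name, path,
# then trailing context (the process involved and, for Untreated, "Skipped by user").
LINE_RE = re.compile(
    r"^(?P<ts>\d+/\d+/\d{4} \d+:\d+:\d+ [AP]M) "
    r"(?P<status>Detected|Deleted|Disinfected|Untreated): "
    r"(?P<name>\S+) "
    r"(?P<path>[A-Z]:\\.+?\.(?:exe|dll|sys|com))"
    r"(?: (?P<rest>.*))?$",
    re.M,
)
RESTORE_RE = re.compile(r"\\System Volume Information\\_restore", re.I)
RECYCLER_RE = re.compile(r"\\RECYCLER\\", re.I)

def classify(path):
    """Restore-point copies and Recycle Bin leftovers are inert until restored;
    anything else is a live file the running system can load."""
    if RESTORE_RE.search(path):
        return "restore_point"
    if RECYCLER_RE.search(path):
        return "recycle_bin"
    return "live"

def parse_kav(text):
    events = []
    for m in LINE_RE.finditer(text):
        e = m.groupdict()
        e["location"] = classify(e["path"])
        events.append(e)
    return events

def outstanding(events):
    """Paths whose most recent action was not a removal (e.g. 'Skipped by user')."""
    last = {}
    for e in events:  # lines are chronological, so the last action wins
        last[e["path"]] = e["status"]
    return sorted(p for p, s in last.items() if s not in ("Deleted", "Disinfected"))

def location_counts(events):
    return Counter(e["location"] for e in events)

if __name__ == "__main__":
    ev = parse_kav(KAV_LOG)
    print(location_counts(ev))
    print("still present:", outstanding(ev))
```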



#2 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  • Gender:Male
  • Local time:06:30 PM

Posted 26 January 2010 - 05:26 PM

Hi,

My name is Extremeboy (or EB for short), and I will be helping you with your log.

We apologize for the delay in responding.

If you still require assistance, we would like to see the current condition of your system, so please post a new set of DDS logs as well as a RootRepeal log and a description of any remaining problems or symptoms you may still have.

If for any reason you did not post a DDS log or RootRepeal log, please refer to this page, steps #6 and #7, for further instructions on downloading and running DDS and RootRepeal. If you have any problems running the tools or are unable to produce a report for any reason, just let me know in your next reply.


For your next reply I would like to see:
-The DDS logs
---DDS.txt and Attach logs
-RootRepeal logs
-Description of any remaining problems you may still have.


Thanks again and we apologize for the delay.

With Regards,
Extremeboy
Note: Please do not PM me asking for help; instead, please post in the correct forum requesting help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#3 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  • Gender:Male
  • Local time:06:30 PM

Posted 29 January 2010 - 01:33 PM

Hello.

Are you still there? Do you still require help?

If you are please follow the instructions in my previous post.

If you still need help, follow the instructions I have given in my response. If you have since had your problem solved, we would appreciate you letting us know so we can close the topic.

Please reply back telling us so. If you don't reply within 5-7 days from the last day I replied initially, the topic will need to be closed.

Thanks for understanding.

With Regards,
Extremeboy

#4 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  • Gender:Male
  • Local time:06:30 PM

Posted 01 February 2010 - 12:33 PM

Hello.

Due to lack of feedback, this topic is now closed.

If you need this topic reopened, please Send Me a Message. In your message please include the address of this thread in your request.
This applies only to the original topic starter.

Everyone else please start a new topic.

With Regards,
Extremeboy



