Reformat after Virut Infection


This topic is locked
2 replies to this topic

#1 greyseal2012

greyseal2012

  • Members
  • 7 posts
  • OFFLINE
  • Gender:Male
  • Location:West Yorkshire
  • Local time:08:36 PM

Posted 12 October 2010 - 12:37 PM

My Acer Aspire 5680 (OS Vista Home Premium) contracted a Virut virus (GoldG) after an attack from 'Antivirus IS'. Followed all processes recommended and suggested by BleepingComputer.com without any real success. Reformatted/restored the unit back to its factory settings but am still not convinced the unit is free of infection.



DDS (Ver_10-10-10.03) - NTFSx86
Run by greyseal895 at 17:04:38.21 on 12/10/2010
Internet Explorer: 7.0.6000.16386
Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.44.1033.18.2046.957 [GMT 1:00]

AV: Norton Internet Security *On-access scanning enabled* (Outdated) {E10A9785-9598-4754-B552-92431C1C35F8}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
SP: Norton Internet Security *enabled* (Outdated) {CBB7EE13-8244-4DAB-8B55-D5C7AA91E59A}
FW: Norton Internet Security *disabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Acer\Empowering Technology\eLock\Service\eLockServ.exe
C:\Acer\Empowering Technology\eNet\eNet Service.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Acer\Mobility Center\MobilityService.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Acer\Empowering Technology\eRecovery\eRecoveryService.exe
C:\Acer\Empowering Technology\eSettings\Service\capuserv.exe
C:\Acer\Empowering Technology\ePower\ePowerSvc.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Launch Manager\LManager.exe
C:\Program Files\Common Files\Logitech\LComMgr\Communications_Helper.exe
C:\Program Files\Common Files\Logitech\LComMgr\LVComSX.exe
C:\Program Files\Acer\OrbiCam10\OrbiCam.exe
C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Acer\Empowering Technology\EPOWER\EPOWER_DMC.EXE
C:\Windows\System32\rundll32.exe
C:\Acer\Empowering Technology\eRecovery\ERAGENT.EXE
C:\Users\GREYSE~1\AppData\Local\Temp\RtkBtMnt.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Windows\system32\vssvc.exe
C:\Windows\System32\svchost.exe -k swprv
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\explorer.exe
C:\Windows\system32\wuauclt.exe
C:\Windows\servicing\TrustedInstaller.exe
F:\Defogger.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\DllHost.exe
C:\Users\greyseal895\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://en.uk.acer.yahoo.com
uSEARCH PAGE = hxxp://uk.rd.yahoo.com/customize/ycomp/defaults/sp/*http://uk.yahoo.com
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
mStart Page = hxxp://en.uk.acer.yahoo.com
mDefault_Page_URL = hxxp://en.uk.acer.yahoo.com
uSearchURL,(Default) = hxxp://uk.rd.yahoo.com/customize/ycomp/defaults/su/*http://uk.yahoo.com
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: {1e8a6170-7264-4d0f-beae-d42a53123c75} - c:\program files\common files\symantec shared\coshared\browser\1.0\NppBho.dll
BHO: ShowBarObj Class: {83a2f9b1-01a2-4aa5-87d1-45b6b8505e96} - c:\windows\system32\ActiveToolBand.dll
TB: Show Norton Toolbar: {90222687-f593-4738-b738-fbee9c7b26df} - c:\program files\common files\symantec shared\coshared\browser\1.0\UIBHO.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: Acer eDataSecurity Management: {5cbe3b7c-1e47-477e-a7dd-396db0476e29} - c:\windows\system32\eDStoolbar.dll
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter
uRun: [????r]
uRun: [?????????] ??????????????e
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [NvSvc] RUNDLL32.EXE c:\windows\system32\nvsvc.dll,nvsvcStart
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [Acer Tour]
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [IS CfgWiz] "c:\program files\common files\symantec shared\opc\{31011d49-d90c-4da0-878b-78d28ad507af}\cltUIStb.exe" /MODULE CfgWiz /GUID {BC8D3EAF-F864-4d4b-AB4D-B3D0C32E2840} /MODE CfgWiz /CMDLINE "REBOOT"
mRun: [osCheck] "c:\program files\norton internet security\osCheck.exe"
mRun: [LManager] c:\progra~1\launch~1\LManager.exe
mRun: [WarReg_PopUp] c:\acer\wr_popup\WarReg_PopUp.exe
mRun: [LogitechCommunicationsManager] "c:\program files\common files\logitech\lcommgr\Communications_Helper.exe"
mRun: [LVCOMSX] "c:\program files\common files\logitech\lcommgr\LVComSX.exe"
mRun: [AcerOrbicamRibbon] "c:\program files\acer\orbicam10\OrbiCam.exe" /hide
mRun: [eDataSecurity Loader] c:\acer\empowering technology\edatasecurity\eDSloader.exe
mRun: [eRecoveryService]
mRun: [PinnacleDriverCheck] c:\windows\system32\\PSDrvCheck.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\empowe~1.lnk - c:\acer\empowering technology\eAPLauncher.exe

============= SERVICES / DRIVERS ===============

R3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2006-11-2 167936]
R3 lv321av;Logitech USB PC Camera (VC0321);c:\windows\system32\drivers\lv321av.sys [2006-12-2 847392]
R3 SMSCIRDA;SMSC Infrared Device Driver;c:\windows\system32\drivers\smscirda.sys [2006-12-2 31232]
R3 Symantec Core LC;Symantec Core LC;c:\program files\common files\symantec shared\ccpd-lc\symlcsvc.exe [2006-12-2 1174152]
S3 IDSvix86;Symantec Intrusion Prevention Driver;c:\progra~2\symantec\defini~1\symcdata\idsdefs\20061025.029\IDSvix86.sys [2006-12-2 202872]

=============== Created Last 30 ================

2010-10-12 15:04:09 388096 ----a-r- c:\users\greyse~1\appdata\roaming\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe
2010-10-12 15:04:04 -------- d-----w- c:\program files\Trend Micro
2010-10-12 14:02:05 2421760 ----a-w- c:\windows\system32\wucltux.dll
2010-10-12 13:58:25 33792 ----a-w- c:\windows\system32\wuapp.exe
2010-10-12 13:58:25 171608 ----a-w- c:\windows\system32\wuwebv.dll
2010-10-12 13:44:22 192512 ----a-w- c:\program files\common files\installshield\professional\runtime\09\01\intel32\iuser.dll
2010-10-12 13:44:21 729088 ----a-w- c:\program files\common files\installshield\professional\runtime\09\01\intel32\iKernel.dll
2010-10-12 13:44:21 69715 ----a-w- c:\program files\common files\installshield\professional\runtime\09\01\intel32\ctor.dll
2010-10-12 13:44:21 5632 ----a-w- c:\program files\common files\installshield\professional\runtime\09\01\intel32\DotNetInstaller.exe
2010-10-12 13:44:21 266240 ----a-w- c:\program files\common files\installshield\professional\runtime\09\01\intel32\iscript.dll
2010-10-12 13:44:19 311428 ----a-w- c:\program files\common files\installshield\professional\runtime\09\01\intel32\setup.dll
2010-10-12 13:44:19 188548 ----a-w- c:\program files\common files\installshield\professional\runtime\09\01\intel32\iGdi.dll
2010-10-12 12:32:18 1285 ----a-w- c:\windows\CLEANUP.CMD
2010-10-12 07:57:27 -------- d-----w- c:\progra~2\SmartSound Software Inc
2010-10-12 07:57:26 -------- d-----w- c:\program files\SmartSound Software
2010-10-12 07:55:34 86016 ----a-w- c:\windows\unvise32qt.exe
2010-10-12 07:55:32 106496 ----a-w- c:\program files\internet explorer\plugins\npqtplugin7.dll
2010-10-12 07:55:32 106496 ----a-w- c:\program files\internet explorer\plugins\npqtplugin6.dll
2010-10-12 07:55:32 106496 ----a-w- c:\program files\internet explorer\plugins\npqtplugin5.dll
2010-10-12 07:55:31 106496 ----a-w- c:\program files\internet explorer\plugins\npqtplugin4.dll
2010-10-12 07:55:31 106496 ----a-w- c:\program files\internet explorer\plugins\npqtplugin3.dll
2010-10-12 07:55:30 106496 ----a-w- c:\program files\internet explorer\plugins\npqtplugin2.dll
2010-10-12 07:55:28 106496 ----a-w- c:\program files\internet explorer\plugins\npqtplugin.dll
2010-10-12 07:55:13 -------- d-----w- c:\windows\system32\QuickTime
2010-10-12 07:54:49 84992 ----a-w- c:\windows\system32\ATL70.DLL
2010-10-12 07:54:34 57856 ----a-w- c:\windows\system32\masd32.dll
2010-10-12 07:54:34 27648 ----a-w- c:\windows\system32\ma32.dll
2010-10-12 07:54:34 196096 ----a-w- c:\windows\system32\macd32.dll
2010-10-12 07:54:34 138752 ----a-w- c:\windows\system32\mase32.dll
2010-10-12 07:54:34 136192 ----a-w- c:\windows\system32\mamc32.dll
2010-10-12 07:54:00 -------- d-----w- c:\program files\DivX
2010-10-12 07:53:32 14165 ----a-w- c:\windows\system32\drivers\Pclepci.sys
2010-10-12 07:50:15 41219 ----a-w- c:\windows\RSETPATH.exe
2010-10-12 07:48:29 -------- d-----w- c:\windows\Downloaded Installations
2010-10-12 07:48:20 974848 ----a-w- c:\windows\system32\MFC70.DLL
2010-10-12 07:48:20 964608 ----a-w- c:\windows\system32\MFC70U.DLL
2010-10-12 07:48:20 54784 ----a-w- c:\windows\system32\MSVCI70.DLL
2010-10-12 07:48:20 49152 ----a-w- c:\windows\system32\PCLEGetGuid.dll
2010-10-12 07:48:20 487424 ----a-w- c:\windows\system32\MSVCP70.DLL
2010-10-12 07:48:20 344064 ----a-w- c:\windows\system32\MSVCR70.DLL
2010-10-12 07:46:47 -------- d-----w- c:\progra~2\Pinnacle Studio
2010-10-12 07:42:17 -------- d-----w- c:\program files\Pinnacle
2010-10-12 07:23:39 -------- d-----w- c:\program files\O2_Installer
2010-10-12 07:12:35 -------- d-----w- c:\users\greyse~1\appdata\local\SupportSoft
2010-10-12 07:12:13 -------- d-----w- c:\program files\common files\SupportSoft
2010-10-12 06:56:47 -------- d--h--w- c:\users\greyse~1\appdata\local\acer eNM
2010-10-12 05:46:44 360448 ----a-w- c:\windows\system32\CheckD2DSystem.exe
2010-10-12 05:46:44 327680 ----a-w- c:\windows\system32\Remove_eRecovery.exe
2010-10-12 05:46:44 16384 ----a-w- c:\windows\system32\LauncheRyAgentUser.exe
2010-10-12 05:46:44 16384 ----a-w- c:\windows\system32\ClearEvent.exe
2010-10-12 05:46:44 1402880 ----a-w- c:\windows\system32\ERUpdateHidden.EXE
2010-10-12 05:45:37 8704 ----a-w- c:\windows\system32\drivers\TVicPort64.sys
2010-10-12 05:45:37 69632 ----a-w- c:\windows\system32\drivers\int15.sys
2010-10-12 05:45:37 6144 ----a-w- c:\windows\system32\drivers\zntport64.sys
2010-10-12 05:45:37 6080 ----a-w- c:\windows\system32\drivers\zntport.sys
2010-10-12 05:45:37 15656 ----a-w- c:\windows\system32\drivers\int15_64.sys
2010-10-12 05:45:37 14544 ----a-w- c:\windows\system32\drivers\TVicPort.sys
2010-10-12 05:44:13 65536 ----a-w- c:\windows\system32\NATTraversal.dll
2010-10-12 05:38:36 53248 ----a-w- c:\windows\system32\acpimof.dll
2010-10-12 05:37:06 -------- d-----w- c:\windows\system32\i386
2010-10-12 05:36:29 -------- d-----w- c:\program files\common files\Logitech
2010-10-12 05:36:29 -------- d-----w- c:\program files\Acer
2010-10-12 05:33:27 506368 ----a-w- c:\windows\system32\athr.sys
2010-10-12 05:33:27 -------- d-----w- c:\windows\Options
2010-10-12 05:33:27 -------- d-----w- c:\program files\Atheros
2010-10-12 05:32:45 -------- d-----w- C:\temp
2010-10-12 05:32:04 176 ----a-w- c:\windows\system32\drivers\RTHDAEQ0.DAT
2010-10-12 05:28:33 1655464 ----a-w- c:\windows\system32\drivers\RTKVHDA.sys
2010-10-12 05:28:32 14336 ----a-w- c:\windows\system32\RtkCoInst.dll
2010-10-12 05:28:26 4186112 ----a-w- c:\windows\RtHDVCpl.exe
2010-10-12 05:27:05 -------- d-----w- c:\program files\Launch Manager
2010-10-12 05:25:49 -------- d-sh--w- C:\$RECYCLE.BIN
2010-10-12 05:22:52 187392 ----a-w- c:\windows\Acer.scr
2010-10-12 05:22:52 -------- d-----w- c:\program files\Acer Inc
2010-10-12 05:22:46 73728 ----a-w- c:\windows\system32\ISUSPM.cpl
2010-10-12 05:22:46 368640 ----a-w- c:\program files\common files\installshield\updateservice\_ispmres.dll
2010-10-12 05:22:46 -------- d-----w- c:\windows\Acer
2010-10-12 05:22:45 81920 ----a-w- c:\program files\common files\installshield\updateservice\issch.exe
2010-10-12 05:22:45 618496 ----a-w- c:\program files\common files\installshield\updateservice\agent.exe
2010-10-12 05:22:45 368640 ----a-w- c:\program files\common files\installshield\updateservice\_isusres.dll
2010-10-12 05:22:45 278528 ----a-w- c:\program files\common files\installshield\updateservice\ISDM.exe
2010-10-12 05:22:45 249856 ----a-w- c:\program files\common files\installshield\updateservice\ISUSPM.exe

==================== Find3M ====================

2010-10-12 05:28:43 319984 ----a-w- c:\windows\DIFxAPI.dll

============= FINISH: 17:05:22.20 ===============


#2 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:07:36 PM

Posted 20 October 2010 - 04:32 PM

Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already. You can subscribe by clicking the Options box to the right of your topic title and selecting Track This Topic.

  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

Once I receive a reply then I will return with your first instructions.

Thanks :thumbup2:
m0le is a proud member of UNITE

#3 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:07:36 PM

Posted 24 October 2010 - 07:29 PM

This topic has been closed.

If you're the topic starter, and need this topic reopened, please contact me via pm with the address of the thread.

Everyone else please begin a New Topic.
m0le is a proud member of UNITE