Svchost.exe error, bitrix security malware, and a worm


9 replies to this topic

#1 DMatakami (Members, 5 posts)

Posted 11 November 2010 - 03:09 AM

This started a little while back when I first found out I had a program called bofabotxxx.exe in my processes. I did some looking and found that it appeared to be malware. I installed Norton 360 Internet Security 2010 on the computer and it killed most of it, stating it was Win32 Ramnit!

Now I see svchost.exe errors after a short while on my computer, the old "Generic Host Process for Win32 has encountered an error and needs to close" message. This is normally followed by the bottom bar going grey. I looked into the error report and found that it was apparently a worm. I have the latest report (or at least what I could obtain from it) here.

Error Signature:

szAppName : svchost.exe szAppVer : 5.1.2600.5512 szModName : ntdll.dll
szModVer : 5.1.2600.2180 offset : 00021260

Error Report Contents:

C:\DOCUME~1\Owner\LOCALS~1\Temp\WER0f26.dir00\svchost.exe.mdmp
C:\DOCUME~1\Owner\LOCALS~1\Temp\WER0f26.dir00\appcompat.txt

I ran a scan with DDS and this is what it returned:

DDS (Ver_10-11-10.01) - NTFSx86
Run by Owner at 18:17:07.67 on Wed 11/10/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_22
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.798 [GMT -7:00]

AV: Norton Internet Security *On-access scanning enabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Internet Security *enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}

============== Running Processes ===============

C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\WTouch\WTouchService.exe
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
svchost.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
C:\Program Files\Prevx\prevx.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Nero\Update\NASvc.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\Norton Internet Security\Engine\17.8.0.5\ccSvcHst.exe
C:\Program Files\Blaze Media Pro\NMSAccess32.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\Pen_Tablet.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Norton Internet Security\Engine\17.8.0.5\ccSvcHst.exe
C:\Program Files\Prevx\prevx.exe
C:\Program Files\WTouch\WTouchUser.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\WTablet\Pen_TabletUser.exe
C:\WINDOWS\system32\Pen_Tablet.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\zHotkey.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\Dit.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
C:\Program Files\QuickTime\QTTask.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\DNA\btdna.exe
C:\program files\steam\steam.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ArcCon.ac
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\USB TV\EM28XX\BDARemote.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Philips\GoGear ARIA Device Manager\GoGear_Aria_DeviceManager.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Program Files\Cobian Backup 10\cbVSCService.exe
C:\Program Files\Cobian Backup 10\Cobian.exe
C:\Program Files\Cobian Backup 10\cbInterface.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\System32\vssvc.exe
C:\WINDOWS\system32\dllhost.exe
C:\Documents and Settings\Owner\My Documents\Downloads\dds.scr

============== Pseudo HJT Report ===============

uSearch Bar = hxxp://www.google.com/ie
mSearchAssistant = hxxp://www.google.com/ie
mWinlogon: Userinit=c:\windows\system32\userinit.exe
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: IEPlugin Class: {11222041-111b-46e3-bd29-efb2449479b1} - c:\progra~1\arcsoft\mediac~1\intern~1\ARCURL~1.DLL
BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton internet security\engine\17.8.0.5\coIEPlg.dll
BHO: SafeOnline BHO: {69d72956-317c-44bd-b369-8e44d4ef9801} - c:\windows\system32\PxSecure.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton internet security\engine\17.8.0.5\IPSBHO.DLL
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: MSN Toolbar BHO: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\program files\msn toolbar\platform\4.0.0417.0\npwinext.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
TB: MSN Toolbar: {8dcb7100-df86-4384-8842-8fa844297b3f} - c:\program files\msn toolbar\platform\4.0.0417.0\npwinext.dll
TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton internet security\engine\17.8.0.5\coIEPlg.dll
TB: {4982D40A-C53B-4615-B15B-B5B5E98D167C} - No File
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
TB: {32099AAC-C132-4136-9E9A-4E364A424E17} - No File
EB: HP Smart Web Printing: {555d4d79-4bd2-4094-a395-cfc534424a05} - c:\program files\hp\digital imaging\smart web printing\hpswp_bho.dll
uRun: [BitTorrent DNA] "c:\program files\dna\btdna.exe"
uRun: [Steam] "c:\program files\steam\steam.exe" -silent
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [{F7A57798-763E-65F8-9036-F1A3493B8033}] "c:\documents and settings\owner\application data\moyc\ewwo.exe"
uRun: [{02D20F88-F62D-B04C-33EF-302350E8C623}] "c:\documents and settings\owner\application data\duubi\yfke.exe"
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [CHotkey] zHotkey.exe
mRun: [ShowWnd] ShowWnd.exe
mRun: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
mRun: [Reminder] %WINDIR%\Creator\Remind_XP.exe
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [CICache] CICache.exe
mRun: [Dit] Dit.exe
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [IMEKRMIG6.1] c:\windows\ime\imkr6_1\IMEKRMIG.EXE
mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [ArcSoft Connection Service] c:\program files\common files\arcsoft\connection service\bin\ACDaemon.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [nwiz] c:\program files\nvidia corporation\nview\nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [amd_dc_opt] c:\program files\amd\dual-core optimizer\amd_dc_opt.exe
mRun: [MSN Toolbar] "c:\program files\msn toolbar\platform\4.0.0417.0\mswinext.exe"
mRun: [Microsoft Default Manager] "c:\program files\microsoft\search enhancement pack\default manager\DefMgr.exe" -resume
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
dRun: [bofabotxxx.exe] c:\bofabotxxx.exe\bofabotxxx.exe
StartupFolder: c:\docume~1\owner\startm~1\programs\startup\deltaa~1.lnk - c:\program files\delta\delta.exe
StartupFolder: c:\documents and settings\owner\start menu\programs\startup\PowerReg Scheduler V3.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\bdarem~1.lnk - c:\program files\usb tv\em28xx\BDARemote.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\philip~1.lnk - c:\program files\philips\gogear aria device manager\GoGear_Aria_DeviceManager.exe
IE: &AOL Toolbar search - c:\program files\aol toolbar\toolbar.dll/SEARCH.HTML
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - No File
mASetup: {B0B9B83C-BBFC-49F5-93F4-BC388B073320} - rundll32.exe "c:\documents and settings\owner\application data\bitrix security\hwwkat9.dll", DllUnrer
Hosts: 127.0.0.1 www.spywareinfo.com

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\owner\applic~1\mozilla\firefox\profiles\xfnn2d0t.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.msn.com/
FF - component: c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_17.5.0.127\coffplgn\components\coFFPlgn.dll
FF - component: c:\program files\arcsoft\media converter for philips\internet video downloader\plugin_firefox\components\nsURLRecordEx.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npCouponPrinter.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npMozCouponPrinter.dll
FF - plugin: c:\program files\msn toolbar\platform\4.0.0417.0\npwinext.dll
FF - plugin: c:\program files\tabletplugins\npwacom.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: XULRunner: {875BD05B-5531-4D55-A528-A51595C19422} - c:\documents and settings\owner\local settings\application data\{875BD05B-5531-4D55-A528-A51595C19422}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqz9s", true); // Traditional
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqs8s", true); // Simplified
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--j6w193g", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4a87g", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7c0a67fbc", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7cvafr", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kpry57d", true); // Traditional
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kprw13d", true); // Simplified

============= SERVICES / DRIVERS ===============

R0 pxscan;pxscan;c:\windows\system32\drivers\pxscan.sys [2010-11-8 32008]
R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\nis\1108000.005\symds.sys [2010-10-24 328752]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\nis\1108000.005\symefa.sys [2010-10-24 173104]
R1 BHDrvx86;BHDrvx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_17.5.0.127\definitions\bashdefs\20101104.001\BHDrvx86.sys [2010-11-3 691248]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\nis\1108000.005\cchpx86.sys [2010-10-24 501888]
R1 pxrts;pxrts;c:\windows\system32\drivers\pxrts.sys [2010-11-8 76440]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\nis\1108000.005\ironx86.sys [2010-10-24 116784]
R2 cbVSCService;Cobian Backup 10 Volume Shadow Copy service;c:\program files\cobian backup 10\cbVSCService.exe [2010-11-10 67584]
R2 cpuz134;cpuz134;c:\windows\system32\drivers\cpuz134_x32.sys [2010-9-18 20328]
R2 CSIScanner;CSIScanner;c:\program files\prevx\prevx.exe [2010-11-8 6415608]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R2 NAUpdate;@c:\program files\nero\update\nasvc.exe,-200;c:\program files\nero\update\NASvc.exe [2010-5-4 503080]
R2 NIS;Norton Internet Security;c:\program files\norton internet security\engine\17.8.0.5\ccsvchst.exe [2010-10-24 126392]
R2 TabletServicePen;TabletServicePen;c:\windows\system32\Pen_Tablet.exe [2009-12-25 4497704]
R2 WTouchService;WTouch Service;c:\program files\wtouch\WTouchService.exe [2009-12-25 113448]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2010-10-22 102448]
R3 IDSxpx86;IDSxpx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_17.5.0.127\definitions\ipsdefs\20101108.002\IDSXpx86.sys [2010-10-19 341880]
R3 NAVENG;NAVENG;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_17.5.0.127\definitions\virusdefs\20101110.002\NAVENG.SYS [2010-11-10 86064]
R3 NAVEX15;NAVEX15;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_17.5.0.127\definitions\virusdefs\20101110.002\NAVEX15.SYS [2010-11-10 1371184]
R3 pxkbf;pxkbf;c:\windows\system32\drivers\pxkbf.sys [2010-11-8 26096]
R3 rt2870;Ralink 802.11n USB Wireless LAN Card Driver;c:\windows\system32\drivers\rt2870.sys [2010-9-30 637952]
S3 CardReaderFilter;Card Reader Filter;c:\windows\system32\drivers\USBCRFT.SYS [2010-1-18 13568]
S3 cpuz132;cpuz132;\??\c:\docume~1\owner\locals~1\temp\cpuz132\cpuz132_x32.sys --> c:\docume~1\owner\locals~1\temp\cpuz132\cpuz132_x32.sys [?]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\gamemon.des -service --> c:\windows\system32\GameMon.des -service [?]
S3 wacmoumonitor;Wacom Mode Helper;c:\windows\system32\drivers\wacmoumonitor.sys [2009-12-25 15656]

=============== Created Last 30 ================

2010-11-10 23:32:20 -------- d-----w- c:\docume~1\owner\locals~1\applic~1\Safe mirror
2010-11-10 23:31:27 -------- d-----w- c:\program files\Cobian Backup 10
2010-11-09 16:50:09 714752 ----a-w- c:\windows\system32\ntdll.backup
2010-11-08 08:03:42 -------- d-----w- c:\program files\EXErrorsFix
2010-11-08 07:29:56 71880 ----a-w- c:\windows\system32\PxSecure.dll
2010-11-08 07:29:55 76440 ----a-w- c:\windows\system32\drivers\pxrts.sys
2010-11-08 07:29:55 32008 ----a-w- c:\windows\system32\drivers\pxscan.sys
2010-11-08 07:29:53 26096 ----a-w- c:\windows\system32\drivers\pxkbf.sys
2010-11-08 07:29:53 -------- d-----w- c:\program files\Prevx
2010-11-08 07:29:40 -------- d-----w- c:\docume~1\alluse~1\applic~1\PrevxCSI
2010-11-06 20:20:02 -------- d-----w- c:\program files\RegistryFix8
2010-11-06 13:33:23 161296 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2010-11-06 04:00:41 599552 -c----w- c:\windows\system32\dllcache\crypt32.dll
2010-11-06 03:18:04 -------- d-----w- c:\docume~1\alluse~1\applic~1\THQ
2010-11-03 22:06:47 -------- d-----w- c:\windows\system32\xlive
2010-11-03 22:06:46 -------- d-----w- c:\program files\Microsoft Games for Windows - LIVE
2010-11-03 21:44:41 -------- d-----w- c:\program files\Volition Inc
2010-11-03 07:23:24 -------- d-----w- c:\program files\CCleaner
2010-11-03 07:22:09 -------- d-----w- c:\windows\pss
2010-11-03 07:10:12 2 --shatr- c:\windows\winstart.bat
2010-11-03 07:09:36 12808 ----a-w- c:\windows\system32\drivers\UnHackMeDrv.sys
2010-11-03 07:09:32 -------- d-----w- c:\program files\UnHackMe
2010-11-01 20:16:02 -------- d-----w- c:\windows\system32\CatRoot_bak
2010-10-28 04:49:03 -------- d-----w- c:\docume~1\alluse~1\applic~1\RegCure
2010-10-28 03:51:03 -------- d-----w- c:\program files\HP Photo Creations
2010-10-28 03:51:03 -------- d-----w- c:\docume~1\alluse~1\applic~1\HP Photo Creations
2010-10-28 03:47:14 737280 ----a-w- c:\windows\system32\hposwia_d02a.dll
2010-10-28 03:47:14 598016 ----a-w- c:\windows\system32\hpost_d02a.dll
2010-10-28 03:47:14 372736 ----a-w- c:\windows\system32\hppldcoi.dll
2010-10-28 03:47:14 309760 ----a-w- c:\windows\system32\difxapi.dll
2010-10-28 03:47:14 307200 ----a-w- c:\windows\system32\hposc_d02a.dll
2010-10-25 20:43:58 -------- d-----w- c:\docume~1\alluse~1\applic~1\SecTaskMan
2010-10-25 20:43:46 -------- d-----w- c:\program files\Security Task Manager
2010-10-25 04:17:32 758272 ----a-w- c:\windows\system32\RGSS104E.dll
2010-10-25 04:17:31 778752 ----a-w- c:\windows\system32\RGSS102E.dll
2010-10-25 04:17:30 761856 ----a-w- c:\windows\system32\RGSS104J.dll
2010-10-25 04:17:30 685056 ----a-w- c:\windows\system32\RGSS103J.dll
2010-10-25 04:17:29 781312 ----a-w- c:\windows\system32\RGSS102J.dll
2010-10-25 04:17:28 771584 ----a-w- c:\windows\system32\RGSS100J.dll
2010-10-25 04:17:14 -------- d-----w- c:\program files\common files\Enterbrain
2010-10-25 00:46:25 361904 ----a-w- c:\windows\system32\drivers\nis\1108000.005\symtdi.sys
2010-10-25 00:46:25 339504 ----a-w- c:\windows\system32\drivers\nis\1108000.005\symtdiv.sys
2010-10-25 00:46:24 43696 ----a-w- c:\windows\system32\drivers\nis\1108000.005\srtspx.sys
2010-10-25 00:46:24 328752 ----a-r- c:\windows\system32\drivers\nis\1108000.005\symds.sys
2010-10-25 00:46:24 173104 ----a-w- c:\windows\system32\drivers\nis\1108000.005\symefa.sys
2010-10-25 00:46:23 501888 ----a-w- c:\windows\system32\drivers\nis\1108000.005\cchpx86.sys
2010-10-25 00:46:23 325680 ----a-w- c:\windows\system32\drivers\nis\1108000.005\srtsp.sys
2010-10-25 00:46:23 116784 ----a-w- c:\windows\system32\drivers\nis\1108000.005\ironx86.sys
2010-10-25 00:46:00 -------- d-----w- c:\windows\system32\drivers\nis\1108000.005
2010-10-23 02:05:56 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL
2010-10-23 02:05:56 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2010-10-23 02:05:56 -------- d-----w- c:\program files\Symantec
2010-10-23 02:05:03 -------- d-----w- c:\program files\Norton Internet Security
2010-10-23 02:04:25 -------- d-----w- c:\program files\NortonInstaller
2010-10-23 01:24:49 -------- d-----w- c:\docume~1\owner\applic~1\Tific
2010-10-23 01:24:36 -------- d-----w- c:\docume~1\owner\locals~1\applic~1\Symantec
2010-10-18 19:07:55 -------- d-----w- c:\program files\NCH Software
2010-10-18 19:07:10 -------- d-----w- c:\program files\NCH Swift Sound
2010-10-18 18:55:04 -------- d-----w- c:\docume~1\alluse~1\applic~1\Nero
2010-10-18 18:54:38 -------- d-----w- c:\program files\Nero

==================== Find3M ====================

2010-11-09 16:48:33 708096 ----a-w- c:\windows\system32\ntdll.dll
2010-10-01 00:27:14 65536 ----a-w- c:\documents and settings\owner\typex_loader.exe
2010-10-01 00:27:14 159744 ----a-w- c:\documents and settings\owner\typex_io.dll
2010-10-01 00:27:14 122880 ----a-w- c:\documents and settings\owner\typex_config.exe
2010-10-01 00:22:17 3928064 ----a-w- c:\documents and settings\owner\game.exe
2010-09-30 17:56:17 0 ----a-w- c:\windows\Vfizesupa.bin
2010-09-21 00:55:56 310288 ----a-w- c:\windows\system32\js3250.dll
2010-09-15 11:50:37 472808 ----a-w- c:\windows\system32\deployJava1.dll
2010-09-15 09:29:49 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-09-14 02:47:34 22328 ----a-w- c:\docume~1\owner\applic~1\PnkBstrK.sys
2010-09-14 02:47:23 103736 ----a-w- c:\windows\system32\PnkBstrB.exe
2010-09-14 02:47:07 66872 ----a-w- c:\windows\system32\PnkBstrA.exe
2009-08-20 01:48:45 128829 ----a-w- c:\program files\WolfTeam_Install_2009_06_24_DNA.exe

=================== ROOTKIT ====================

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: WDC_WD2000BB-22GUC0 rev.08.02D08 -> Harddisk0\DR0 -> \Device\Ide\IdePort4 P4T0L0-1f

device: opened successfully
user: MBR read successfully

Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8A760EC5]<<
_asm { PUSH EBP; MOV EBP, ESP; SUB ESP, 0x1c; PUSH EBX; PUSH ESI; MOV DWORD [EBP-0x4], 0x88544872; SUB DWORD [EBP-0x4], 0x8854412e; PUSH EDI; CALL 0xffffffffffffdf33; }
1 ntkrnlpa!IofCallDriver[0x804EE130] -> \Device\Harddisk0\DR0[0x8A7F0AB8]
3 CLASSPNP[0xB8168FD7] -> ntkrnlpa!IofCallDriver[0x804EE130] -> \Device\0000009a[0x8A897670]
5 ACPI[0xB7F7F620] -> ntkrnlpa!IofCallDriver[0x804EE130] -> [0x8A886940]
[0x8A80EC38] -> IRP_MJ_CREATE -> 0x8A760EC5
kernel: MBR read successfully
_asm { XOR DI, DI; MOV SI, 0x200; MOV SS, DI; MOV SP, 0x7a00; MOV BX, 0x7a0; MOV CX, SI; MOV DS, BX; MOV ES, BX; REP MOVSB ; JMP FAR 0x7a0:0x5f; }
detected disk devices:
\Device\Ide\IdeDeviceP4T0L0-1f -> \??\IDE#DiskWDC_WD2000BB-22GUC0_____________________08.02D08#5&2f2ac0b5&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
\Driver\atapi DriverStartIo -> 0x8A760AEA
user & kernel MBR OK
sectors 390721966 (+255): user != kernel
Warning: possible TDL3 rootkit infection !

============= FINISH: 18:19:46.46 ===============


The rootkit doesn't surprise me seeing as a rootkit detector I used found a couple of them.

Prevx 3.0 diagnosis

C:\Documents and Settings\Owner\Application Data\Bitrix Security\hwwkat9.dll (Medium Risk Malware)

\REGISTRY\Machine\Software\Microsoft\Active Setup\Installed Components\ {B0B9B83C-BBFC-49F5-93F4-BC388B073320} (Infected entry)

In addition I was getting an error message on startup from RUNDLL

Error running ejopubit.dll the specified module cannot be found.

I disabled that in msconfig so the error message doesn't appear (it had the name Bxequbohojafabi and the command was rundll32.exe "C:\WINDOWS\ejopubit.dll",Startup)

I also disabled bofabotxxx.exe in startup since it is still there, which leads me to believe the virus is still in my pc.

I was unable to complete a GMER scan three times, even with a random filename. The first one gave a blue screen saying that Windows was shut down to prevent damage to your computer; the second and third times the computer completely froze unless I did a hard reset. The last time forced me to roll back to my last known good configuration because Windows could not boot. Then when it did, it took somewhere from twenty to thirty minutes to get explorer to run from the task manager. I got an error from RUNDLL saying:

An exception occurred while trying to run "C:\Documents and Settings\Owner\Application Data\Bitrix Security\hwwkat9.dll"

It also disabled my internet forcing a reset from the task manager after installing my wireless networking utility again. I have managed to get it working somewhat again and I would appreciate any and all help with fixing this infection.

Steps Taken:

I have tried to unregister hwwkat9.dll using the command prompt but it stated

LoadLibrary("hwwkat9.dll") failed - Invalid access to memory location

I do have admin privileges.

I tried to replace ntdll.dll with a clean copy using the program replacer and it did not work.



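A triage pass over the autorun lines of a DDS "Pseudo HJT Report" like the one in the post above, as an added example that is not part of the original post or of the DDS tool. It parses the uRun/mRun/dRun, mASetup and Hosts lines and flags the patterns that stand out in this log: a Run value named by a GUID, an executable launched from a user-writable profile directory or from the drive root, an Active Setup component that loads a DLL through rundll32 from outside Windows or Program Files, and a hosts-file entry that sinks a security site to localhost. The sample report is a constructed excerpt modelled on the log above, and the lists of trusted roots and security-vendor domains are assumptions of this example, not anything the poster or DDS supplies.

```python
import re

# Constructed sample: a handful of lines in the DDS "Pseudo HJT Report" layout,
# modelled on the log in the post (not the full log).
SAMPLE_REPORT = r"""
mRun: [ehTray] c:\windows\ehome\ehtray.exe
uRun: [Steam] "c:\program files\steam\steam.exe" -silent
uRun: [{F7A57798-763E-65F8-9036-F1A3493B8033}] "c:\documents and settings\owner\application data\moyc\ewwo.exe"
dRun: [bofabotxxx.exe] c:\bofabotxxx.exe\bofabotxxx.exe
mASetup: {B0B9B83C-BBFC-49F5-93F4-BC388B073320} - rundll32.exe "c:\documents and settings\owner\application data\bitrix security\hwwkat9.dll", DllUnrer
Hosts: 127.0.0.1 www.spywareinfo.com
"""

RUN_RE = re.compile(r'^(?P<hive>[umd])Run:\s*\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$')
ASETUP_RE = re.compile(r'^mASetup:\s*(?P<clsid>\{[^}]+\})\s*-\s*(?P<cmd>.*)$')
HOSTS_RE = re.compile(r'^Hosts:\s*(?P<ip>\S+)\s+(?P<host>\S+)')
GUID_RE = re.compile(r'^\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\}$', re.I)

# Assumptions of this example: where legitimate autoruns normally live, where
# malware likes to drop itself, and vendor domains that malware sinkholes.
TRUSTED_ROOTS = ('c:\\windows\\', 'c:\\program files\\', 'c:\\progra~1\\')
USER_WRITABLE = ('\\application data\\', '\\local settings\\', '\\temp\\')
SECURITY_HOSTS = ('spywareinfo.com', 'symantec.com', 'norton.com',
                  'kaspersky.com', 'bleepingcomputer.com')


def first_path(cmd):
    """Return the lower-cased executable or DLL path at the start of a command line."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return (cmd[1:end] if end > 0 else cmd[1:]).lower()
    # rundll32.exe "path\to\file.dll",Export -> pull out the quoted DLL path
    m = re.search(r'"([^"]+\.dll)"', cmd, re.I)
    if m:
        return m.group(1).lower()
    return cmd.split()[0].lower() if cmd else ''


def triage(report):
    """Return a list of (reason, line) for autorun lines that deserve a look."""
    findings = []
    for line in report.splitlines():
        line = line.strip()
        m = RUN_RE.match(line)
        if m:
            name, path = m.group('name'), first_path(m.group('cmd'))
            if GUID_RE.match(name):
                findings.append(('run value named by a GUID', line))
            if any(seg in path for seg in USER_WRITABLE):
                findings.append(('autorun from a user-writable profile directory', line))
            elif path.startswith('c:\\') and not path.startswith(TRUSTED_ROOTS):
                findings.append(('autorun outside Windows/Program Files', line))
            continue
        m = ASETUP_RE.match(line)
        if m:
            path = first_path(m.group('cmd'))
            if 'rundll32' in m.group('cmd').lower() and not path.startswith(TRUSTED_ROOTS):
                findings.append(('Active Setup loads a DLL via rundll32 from an untrusted path', line))
            continue
        m = HOSTS_RE.match(line)
        if m and m.group('ip') in ('127.0.0.1', '0.0.0.0') \
                and m.group('host').lower().endswith(SECURITY_HOSTS):
            findings.append(('hosts file blocks a security-vendor domain', line))
    return findings


if __name__ == '__main__':
    for reason, line in triage(SAMPLE_REPORT):
        print(f'{reason}: {line}')
```

Run against the sample, the two legitimate entries (ehTray, Steam) pass and every line that the poster later had to deal with by hand (the GUID-named ewwo.exe, bofabotxxx.exe at the drive root, the Bitrix Security DLL under Active Setup, the hosts entry) is reported.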
#2 quietman7 (Global Moderator, Bleepin' Janitor, 51,771 posts, Virginia, USA)

Posted 18 November 2010 - 10:59 PM

I'm afraid I have very bad news.

Your system is seriously infected.

Win32/Ramnit.A / Win32/Ramnit.B is a dangerous file infector with IRCBot functionality which infects .exe and .HTML/HTM files, and opens a back door that compromises your computer. Using this backdoor, a remote attacker can access and instruct the infected computer to download and execute more malicious files. The infected .HTML or .HTM files may be detected as Virus:VBS/Ramnit.A or VBS/Generic. Win32/Ramnit.A!dll is a related file infector often seen with this infection. It too has IRCBot functionality which infects .exe, .dll and .HTML/HTM files and opens a back door that compromises your computer. This component is injected into the default web browser by Worm:Win32/Ramnit.A, which is dropped by a Ramnit-infected executable file.

-- Note: As with most malware infections, the threat name may be different depending on the anti-virus or anti-malware program which detected it. Each security vendor uses their own naming conventions to identify various types of malware.

With this particular infection the safest solution and only sure way to remove it effectively is to reformat and reinstall the OS.

Why? The malware injects code in legitimate files similar to the Virut virus and in many cases the infected files (which could number in the thousands) cannot be disinfected properly by your anti-virus. When disinfection is attempted, the files often become corrupted and the system may become unstable or irreparable. The longer Ramnit.A remains on a computer, the more files it infects and corrupts so the degree of damage can vary.

Ramnit is commonly spread via a flash drive (usb, pen, thumb, jump) infection where it copies Worm:Win32/Ramnit.A with a random file name. The infection is often contracted by visiting remote, crack and keygen sites. These type of sites are infested with a smörgåsbord of malware and a major source of system infection.

In my opinion, Ramnit is not effectively disinfectable, so your best option is to perform a full reformat as there is no guarantee this infection can be completely removed. In most instances it may have caused so much damage to your system files that it cannot be completely cleaned or repaired. Security vendors that claim to be able to remove file infectors cannot guarantee that all traces of it will be removed as they may not find all the remnants. If something goes awry during the malware removal process there is always a risk the computer may become unstable or unbootable and you could lose access to all your data.

Further, your machine has likely been compromised by the backdoor Trojan and there is no way to be sure the computer can ever be trusted again. It is dangerous and incorrect to assume the computer is secure even if your anti-virus reports that the malware appears to have been removed.

Many experts in the security community believe that once infected with this type of malware, the best course of action is to wipe the drive clean, reformat and reinstall the OS. Please read:

Whenever a system has been compromised by a backdoor payload, it is impossible to know if or how much the backdoor has been used to affect your system...There are only a few ways to return a compromised system to a confident security configuration. These include:
• Reimaging the system
• Restoring the entire system using a full system backup from before the backdoor infection
• Reformatting and reinstalling the system

Backdoors and What They Mean to You

This is what Jesper M. Johansson at Microsoft TechNet has to say: Help: I Got Hacked. Now What Do I Do?.

The only way to clean a compromised system is to flatten and rebuild. That’s right. If you have a system that has been completely compromised, the only thing you can do is to flatten the system (reformat the system disk) and rebuild it from scratch (reinstall Windows and your applications).


Important Note: If your computer was used for online banking, has credit card information or other sensitive data on it, all passwords should be changed immediately to include those used for banking, email, eBay, PayPal and any online activities which require a username and password. You should consider them to be compromised and change passwords from a clean computer, not the infected one. If not, an attacker may get the new passwords and transaction information. Banking and credit card institutions should be notified immediately of the possible security breach. Failure to notify your financial institution and local law enforcement can result in refusal to reimburse funds lost due to fraud or similar criminal activity. If using a router, you need to reset it with a strong logon/password so the malware cannot gain control before connecting again.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#3 DMatakami

Posted 21 November 2010 - 10:23 PM

Alright then, can I at least show the other DDS log I have?

#4 quietman7

Posted 21 November 2010 - 10:48 PM

Is it for another computer? If so you will need to start a new topic.

If it's for this one, then there isn't much point with a Ramnit infection.

#5 DMatakami

Posted 21 November 2010 - 11:24 PM

No, it is actually the same computer. I looked for a TDL3 rootkit remover on these forums and found one from Kaspersky Lab called TDSSKiller. It located and disinfected one threat and shortly afterward, Norton 360 removed the hwwkat9.dll file. All the errors I used to get are gone other than one svchost.exe problem.

That problem is svchost.exe run by Local Service taking almost 100% CPU, and a svchost.exe on the system taking about 20,000 KB. (I may not be computer savvy, but I am pretty sure that the one svchost.exe that takes up over 10,000 KB is definitely something suspicious.) After ending those two on startup, I have no problems whatsoever.

I would also like to mention that I went to Microsoft's website and downloaded a Windows XP Service Pack 3 software update (to install or update to that software).

It was from this link:
Link

I burned it to a CD and used it on this computer as I didn't have the original boot disk (or the money to obtain one). I don't quite think that is a system wipe as I never made the disk bootable (on account of not knowing boot sector numbers for XP).

Anyway, here's the DDS log for the computer after the work I did.

DDS (Ver_10-11-10.01) - NTFSx86
Run by Owner at 21:25:18.60 on Sun 11/21/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_22
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1178 [GMT -7:00]

AV: Norton Internet Security *On-access scanning enabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Internet Security *enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}

============== Running Processes ===============

C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\WTouch\WTouchService.exe
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
C:\Program Files\Prevx\prevx.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Nero\Update\NASvc.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\Norton Internet Security\Engine\17.8.0.5\ccSvcHst.exe
C:\Program Files\Blaze Media Pro\NMSAccess32.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\Pen_Tablet.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Prevx\prevx.exe
C:\Program Files\Norton Internet Security\Engine\17.8.0.5\ccSvcHst.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\WTouch\WTouchUser.exe
C:\WINDOWS\system32\WTablet\Pen_TabletUser.exe
C:\WINDOWS\system32\Pen_Tablet.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\zHotkey.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\Dit.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ArcCon.ac
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\DNA\btdna.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Belkin\F6D4050\v1\BelkinWCUI.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Philips\GoGear ARIA Device Manager\GoGear_Aria_DeviceManager.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe
C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
C:\Documents and Settings\Owner\My Documents\Downloads\dds.scr

============== Pseudo HJT Report ===============

uSearch Bar = hxxp://www.google.com/ie
mSearchAssistant = hxxp://www.google.com/ie
mWinlogon: Userinit=c:\windows\system32\userinit.exe
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: IEPlugin Class: {11222041-111b-46e3-bd29-efb2449479b1} - c:\progra~1\arcsoft\mediac~1\intern~1\ARCURL~1.DLL
BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton internet security\engine\17.8.0.5\coIEPlg.dll
BHO: SafeOnline BHO: {69d72956-317c-44bd-b369-8e44d4ef9801} - c:\windows\system32\PxSecure.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton internet security\engine\17.8.0.5\IPSBHO.DLL
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: MSN Toolbar BHO: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\program files\msn toolbar\platform\4.0.0417.0\npwinext.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
TB: MSN Toolbar: {8dcb7100-df86-4384-8842-8fa844297b3f} - c:\program files\msn toolbar\platform\4.0.0417.0\npwinext.dll
TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton internet security\engine\17.8.0.5\coIEPlg.dll
TB: {4982D40A-C53B-4615-B15B-B5B5E98D167C} - No File
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
TB: {32099AAC-C132-4136-9E9A-4E364A424E17} - No File
EB: HP Smart Web Printing: {555d4d79-4bd2-4094-a395-cfc534424a05} - c:\program files\hp\digital imaging\smart web printing\hpswp_bho.dll
uRun: [BitTorrent DNA] "c:\program files\dna\btdna.exe"
uRun: [Steam] "c:\program files\steam\steam.exe" -silent
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [{F7A57798-763E-65F8-9036-F1A3493B8033}] "c:\documents and settings\owner\application data\moyc\ewwo.exe"
uRun: [{02D20F88-F62D-B04C-33EF-302350E8C623}] "c:\documents and settings\owner\application data\duubi\yfke.exe"
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [CHotkey] zHotkey.exe
mRun: [ShowWnd] ShowWnd.exe
mRun: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
mRun: [Reminder] %WINDIR%\Creator\Remind_XP.exe
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [CICache] CICache.exe
mRun: [Dit] Dit.exe
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [IMEKRMIG6.1] c:\windows\ime\imkr6_1\IMEKRMIG.EXE
mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [ArcSoft Connection Service] c:\program files\common files\arcsoft\connection service\bin\ACDaemon.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [amd_dc_opt] c:\program files\amd\dual-core optimizer\amd_dc_opt.exe
mRun: [MSN Toolbar] "c:\program files\msn toolbar\platform\4.0.0417.0\mswinext.exe"
mRun: [Microsoft Default Manager] "c:\program files\microsoft\search enhancement pack\default manager\DefMgr.exe" -resume
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] c:\program files\nvidia corporation\nview\nwiz.exe /installquiet
dRun: [bofabotxxx.exe] c:\bofabotxxx.exe\bofabotxxx.exe
dRun: [Raptr] c:\progra~1\raptr\raptrstub.exe --startup
StartupFolder: c:\docume~1\owner\startm~1\programs\startup\deltaa~1.lnk - c:\program files\delta\delta.exe
StartupFolder: c:\documents and settings\owner\start menu\programs\startup\PowerReg Scheduler V3.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\bdarem~1.lnk - c:\program files\usb tv\em28xx\BDARemote.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\belkin~1.lnk - c:\program files\belkin\f6d4050\v1\BelkinWCUI.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\philip~1.lnk - c:\program files\philips\gogear aria device manager\GoGear_Aria_DeviceManager.exe
IE: &AOL Toolbar search - c:\program files\aol toolbar\toolbar.dll/SEARCH.HTML
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - No File
Hosts: 127.0.0.1 www.spywareinfo.com

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\owner\applic~1\mozilla\firefox\profiles\xfnn2d0t.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.msn.com/
FF - component: c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_17.5.0.127\coffplgn\components\coFFPlgn.dll
FF - component: c:\program files\arcsoft\media converter for philips\internet video downloader\plugin_firefox\components\nsURLRecordEx.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npCouponPrinter.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npMozCouponPrinter.dll
FF - plugin: c:\program files\msn toolbar\platform\4.0.0417.0\npwinext.dll
FF - plugin: c:\program files\tabletplugins\npwacom.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: XULRunner: {875BD05B-5531-4D55-A528-A51595C19422} - c:\documents and settings\owner\local settings\application data\{875BD05B-5531-4D55-A528-A51595C19422}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqz9s", true); // Traditional
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqs8s", true); // Simplified
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--j6w193g", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4a87g", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7c0a67fbc", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7cvafr", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kpry57d", true); // Traditional
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kprw13d", true); // Simplified

============= SERVICES / DRIVERS ===============

R0 pxscan;pxscan;c:\windows\system32\drivers\pxscan.sys [2010-11-8 32008]
R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\nis\1108000.005\symds.sys [2010-10-24 328752]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\nis\1108000.005\symefa.sys [2010-10-24 173104]
R1 BHDrvx86;BHDrvx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_17.5.0.127\definitions\bashdefs\20101104.001\BHDrvx86.sys [2010-11-3 691248]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\nis\1108000.005\cchpx86.sys [2010-10-24 501888]
R1 pxrts;pxrts;c:\windows\system32\drivers\pxrts.sys [2010-11-8 76440]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\nis\1108000.005\ironx86.sys [2010-10-24 116784]
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
R2 cpuz134;cpuz134;c:\windows\system32\drivers\cpuz134_x32.sys [2010-9-18 20328]
R2 CSIScanner;CSIScanner;c:\program files\prevx\prevx.exe [2010-11-8 6415608]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R2 NAUpdate;@c:\program files\nero\update\nasvc.exe,-200;c:\program files\nero\update\NASvc.exe [2010-5-4 503080]
R2 NIS;Norton Internet Security;c:\program files\norton internet security\engine\17.8.0.5\ccsvchst.exe [2010-10-24 126392]
R2 TabletServicePen;TabletServicePen;c:\windows\system32\Pen_Tablet.exe [2009-12-25 4497704]
R2 WTouchService;WTouch Service;c:\program files\wtouch\WTouchService.exe [2009-12-25 113448]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2010-10-22 102448]
R3 IDSxpx86;IDSxpx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_17.5.0.127\definitions\ipsdefs\20101119.001\IDSXpx86.sys [2010-10-19 341880]
R3 NAVENG;NAVENG;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_17.5.0.127\definitions\virusdefs\20101121.006\NAVENG.SYS [2010-11-21 86064]
R3 NAVEX15;NAVEX15;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_17.5.0.127\definitions\virusdefs\20101121.006\NAVEX15.SYS [2010-11-21 1371184]
R3 pxkbf;pxkbf;c:\windows\system32\drivers\pxkbf.sys [2010-11-8 26096]
R3 rt2870;Ralink 802.11n USB Wireless LAN Card Driver;c:\windows\system32\drivers\rt2870.sys [2010-9-30 637952]
S3 CardReaderFilter;Card Reader Filter;c:\windows\system32\drivers\USBCRFT.SYS [2010-1-18 13568]
S3 cpuz132;cpuz132;\??\c:\docume~1\owner\locals~1\temp\cpuz132\cpuz132_x32.sys --> c:\docume~1\owner\locals~1\temp\cpuz132\cpuz132_x32.sys [?]
S3 DrvAgent32;DrvAgent32;c:\windows\system32\drivers\DrvAgent32.sys [2010-11-17 23456]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\gamemon.des -service --> c:\windows\system32\GameMon.des -service [?]
S3 wacmoumonitor;Wacom Mode Helper;c:\windows\system32\drivers\wacmoumonitor.sys [2009-12-25 15656]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]

=============== Created Last 30 ================

2010-11-20 06:20:50 -------- d-----w- c:\docume~1\owner\locals~1\applic~1\Deluxe_Digital_Studios
2010-11-20 05:58:56 -------- d-----w- c:\program files\Digital Copy
2010-11-20 02:21:47 -------- d-----w- c:\docume~1\alluse~1\applic~1\Kaspersky Lab Setup Files
2010-11-18 06:49:32 23456 ----a-w- c:\windows\system32\drivers\DrvAgent32.sys
2010-11-18 06:49:32 -------- d-----w- c:\docume~1\owner\locals~1\applic~1\eSupport.com
2010-11-18 06:06:16 -------- d-----w- c:\program files\Raptr
2010-11-18 06:06:16 -------- d-----w- c:\docume~1\owner\applic~1\Raptr
2010-11-18 05:54:20 -------- d-----w- C:\6ab5fa4ea88c38bf24e912
2010-11-18 05:28:25 173056 ----a-r- c:\windows\system32\binkw32.dll
2010-11-13 20:57:40 -------- d-----w- c:\docume~1\alluse~1\applic~1\THQ
2010-11-13 01:33:39 954368 -c----w- c:\windows\system32\dllcache\mfc40.dll
2010-11-13 01:33:38 953856 -c----w- c:\windows\system32\dllcache\mfc40u.dll
2010-11-13 01:33:37 974848 -c----w- c:\windows\system32\dllcache\mfc42.dll
2010-11-13 01:31:34 617472 -c----w- c:\windows\system32\dllcache\comctl32.dll
2010-11-12 22:29:28 -------- d-----w- c:\windows\system32\xlive
2010-11-12 22:29:28 -------- d-----w- c:\program files\Microsoft Games for Windows - LIVE
2010-11-12 21:18:37 888424 ----a-w- c:\windows\system32\nvdispco32.dll
2010-11-12 21:18:37 813672 ----a-w- c:\windows\system32\nvgenco32.dll
2010-11-12 19:17:57 15256 ----a-w- c:\docume~1\owner\applic~1\microsoft\identitycrl\production\ppcrlconfig.dll
2010-11-12 18:35:42 -------- d-----w- c:\program files\Volition Inc
2010-11-11 06:58:52 -------- d-----w- c:\program files\Belkin
2010-11-10 23:32:20 -------- d-----w- c:\docume~1\owner\locals~1\applic~1\Safe mirror
2010-11-10 23:31:27 -------- d-----w- c:\program files\Cobian Backup 10
2010-11-09 16:50:09 714752 ----a-w- c:\windows\system32\ntdll.backup
2010-11-08 08:03:42 -------- d-----w- c:\program files\EXErrorsFix
2010-11-08 07:29:56 71880 ----a-w- c:\windows\system32\PxSecure.dll
2010-11-08 07:29:55 76440 ----a-w- c:\windows\system32\drivers\pxrts.sys
2010-11-08 07:29:55 32008 ----a-w- c:\windows\system32\drivers\pxscan.sys
2010-11-08 07:29:53 26096 ----a-w- c:\windows\system32\drivers\pxkbf.sys
2010-11-08 07:29:53 -------- d-----w- c:\program files\Prevx
2010-11-08 07:29:40 -------- d-----w- c:\docume~1\alluse~1\applic~1\PrevxCSI
2010-11-06 13:33:23 161296 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2010-11-06 04:00:41 599552 -c----w- c:\windows\system32\dllcache\crypt32.dll
2010-11-03 07:22:09 -------- d-----w- c:\windows\pss
2010-11-03 07:10:12 2 --shatr- c:\windows\winstart.bat
2010-11-03 07:09:36 12808 ----a-w- c:\windows\system32\drivers\UnHackMeDrv.sys
2010-11-03 07:09:32 -------- d-----w- c:\program files\UnHackMe
2010-11-01 20:16:02 -------- d-----w- c:\windows\system32\CatRoot_bak
2010-10-28 04:49:03 -------- d-----w- c:\docume~1\alluse~1\applic~1\RegCure
2010-10-28 03:51:03 -------- d-----w- c:\program files\HP Photo Creations
2010-10-28 03:51:03 -------- d-----w- c:\docume~1\alluse~1\applic~1\HP Photo Creations
2010-10-28 03:47:14 737280 ----a-w- c:\windows\system32\hposwia_d02a.dll
2010-10-28 03:47:14 598016 ----a-w- c:\windows\system32\hpost_d02a.dll
2010-10-28 03:47:14 372736 ----a-w- c:\windows\system32\hppldcoi.dll
2010-10-28 03:47:14 309760 ----a-w- c:\windows\system32\difxapi.dll
2010-10-28 03:47:14 307200 ----a-w- c:\windows\system32\hposc_d02a.dll
2010-10-25 20:43:58 -------- d-----w- c:\docume~1\alluse~1\applic~1\SecTaskMan
2010-10-25 20:43:46 -------- d-----w- c:\program files\Security Task Manager
2010-10-25 04:17:32 758272 ----a-w- c:\windows\system32\RGSS104E.dll
2010-10-25 04:17:31 778752 ----a-w- c:\windows\system32\RGSS102E.dll
2010-10-25 04:17:30 761856 ----a-w- c:\windows\system32\RGSS104J.dll
2010-10-25 04:17:30 685056 ----a-w- c:\windows\system32\RGSS103J.dll
2010-10-25 04:17:29 781312 ----a-w- c:\windows\system32\RGSS102J.dll
2010-10-25 04:17:28 771584 ----a-w- c:\windows\system32\RGSS100J.dll
2010-10-25 04:17:14 -------- d-----w- c:\program files\common files\Enterbrain
2010-10-25 00:46:25 361904 ----a-w- c:\windows\system32\drivers\nis\1108000.005\symtdi.sys
2010-10-25 00:46:25 339504 ----a-w- c:\windows\system32\drivers\nis\1108000.005\symtdiv.sys
2010-10-25 00:46:24 43696 ----a-w- c:\windows\system32\drivers\nis\1108000.005\srtspx.sys
2010-10-25 00:46:24 328752 ----a-r- c:\windows\system32\drivers\nis\1108000.005\symds.sys
2010-10-25 00:46:24 173104 ----a-w- c:\windows\system32\drivers\nis\1108000.005\symefa.sys
2010-10-25 00:46:23 501888 ----a-w- c:\windows\system32\drivers\nis\1108000.005\cchpx86.sys
2010-10-25 00:46:23 325680 ----a-w- c:\windows\system32\drivers\nis\1108000.005\srtsp.sys
2010-10-25 00:46:23 116784 ----a-w- c:\windows\system32\drivers\nis\1108000.005\ironx86.sys
2010-10-25 00:46:00 -------- d-----w- c:\windows\system32\drivers\nis\1108000.005

==================== Find3M ====================

2010-11-13 20:41:32 241440 ----a-w- c:\windows\system32\nvdrsdb1.bin
2010-11-13 20:41:32 241440 ----a-w- c:\windows\system32\nvdrsdb0.bin
2010-11-13 20:41:32 1 ----a-w- c:\windows\system32\nvdrssel.bin
2010-11-12 21:30:33 77824 ----a-w- c:\windows\soundman.exe
2010-11-12 21:30:32 9324032 ------w- c:\windows\system32\RTLCPL.exe
2010-11-12 21:30:29 16166912 ------w- c:\windows\system32\alsndmgr.cpl
2010-11-12 21:30:29 156672 ------w- c:\windows\system32\RtlCPAPI.dll
2010-11-12 21:30:27 40960 ------w- c:\windows\system32\ChCfg.exe
2010-11-12 21:30:27 208896 ------w- c:\windows\alcupd.exe
2010-11-12 21:30:27 139264 ------w- c:\windows\alcrmv.exe
2010-10-23 02:05:56 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL
2010-10-16 19:04:22 81920 ----a-w- c:\windows\system32\nvwddi.dll
2010-10-16 19:04:16 277608 ----a-w- c:\windows\system32\nvmccs.dll
2010-10-16 19:04:16 13851752 ----a-w- c:\windows\system32\nvcpl.dll
2010-10-16 19:04:16 110696 ----a-w- c:\windows\system32\nvmctray.dll
2010-10-16 19:04:14 156776 ----a-w- c:\windows\system32\nvsvc32.exe
2010-10-16 19:04:14 145000 ----a-w- c:\windows\system32\nvcolor.exe
2010-10-16 18:55:00 6359552 ----a-w- c:\windows\system32\nv4_disp.dll
2010-10-16 18:55:00 61440 ----a-w- c:\windows\system32\OpenCL.dll
2010-10-16 18:55:00 4882432 ----a-w- c:\windows\system32\nvcuda.dll
2010-10-16 18:55:00 2932840 ----a-w- c:\windows\system32\nvcuvid.dll
2010-10-16 18:55:00 2666600 ----a-w- c:\windows\system32\nvcuvenc.dll
2010-10-16 18:55:00 2293194 ----a-w- c:\windows\system32\nvdata.bin
2010-10-16 18:55:00 1462272 ----a-w- c:\windows\system32\nvapi.dll
2010-10-16 18:55:00 14532608 ----a-w- c:\windows\system32\nvoglnt.dll
2010-10-16 18:55:00 13012992 ----a-w- c:\windows\system32\nvcompiler.dll
2010-10-01 00:27:14 65536 ----a-w- c:\documents and settings\owner\typex_loader.exe
2010-10-01 00:27:14 159744 ----a-w- c:\documents and settings\owner\typex_io.dll
2010-10-01 00:27:14 122880 ----a-w- c:\documents and settings\owner\typex_config.exe
2010-10-01 00:22:17 3928064 ----a-w- c:\documents and settings\owner\game.exe
2010-09-30 17:56:17 0 ----a-w- c:\windows\Vfizesupa.bin
2010-09-21 00:55:56 310288 ----a-w- c:\windows\system32\js3250.dll
2010-09-18 19:23:26 974848 ----a-w- c:\windows\system32\mfc42u.dll
2010-09-18 06:53:25 974848 ------w- c:\windows\system32\mfc42.dll
2010-09-18 06:53:25 954368 ----a-w- c:\windows\system32\mfc40.dll
2010-09-18 06:53:25 953856 ----a-w- c:\windows\system32\mfc40u.dll
2010-09-15 11:50:37 472808 ----a-w- c:\windows\system32\deployJava1.dll
2010-09-15 09:29:49 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-09-14 02:47:34 22328 ----a-w- c:\docume~1\owner\applic~1\PnkBstrK.sys
2010-09-14 02:47:23 103736 ----a-w- c:\windows\system32\PnkBstrB.exe
2010-09-14 02:47:07 66872 ----a-w- c:\windows\system32\PnkBstrA.exe
2010-09-10 05:58:08 916480 ----a-w- c:\windows\system32\wininet.dll
2010-09-10 05:58:06 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-09-10 05:58:06 1469440 ------w- c:\windows\system32\inetcpl.cpl
2010-09-01 11:51:14 285824 ----a-w- c:\windows\system32\atmfd.dll
2010-08-31 13:42:52 1852800 ----a-w- c:\windows\system32\win32k.sys
2010-08-27 08:02:29 119808 ----a-w- c:\windows\system32\t2embed.dll
2010-08-27 05:57:43 99840 ----a-w- c:\windows\system32\srvsvc.dll
2010-08-26 12:52:45 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2009-08-20 01:48:45 128829 ----a-w- c:\program files\WolfTeam_Install_2009_06_24_DNA.exe

============= FINISH: 21:25:59.48 ===============

It might still be infected but I am not entirely sure. I want to save a reformat for a last resort.
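A first triage pass over the uRun/mRun/dRun entries in the DDS log above, as an added example; this is not code from the thread or from the DDS tool, the sample lines are copied from the report, and the rule names are labels chosen here, not DDS output.

```python
"""First-pass triage of the Run entries in a DDS 'Pseudo HJT Report'.

Added example for this thread; it is not part of the DDS tool or of
BleepingComputer's procedures. The sample lines are copied from the log
posted above. The rules are heuristics a helper would check first, not a
verdict on any entry.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# DDS prefixes: uRun = current user, mRun = machine (HKLM), dRun = default user hive.
RUN_LINE = re.compile(r"^(?P<hive>[umd]Run):\s*\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
GUID_NAME = re.compile(r"^\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}$", re.I)
# First *.exe token of the command line, ending at whitespace, a quote or the end,
# so that c:\bofabotxxx.exe\bofabotxxx.exe is taken whole and not cut at the folder.
EXE_TOKEN = re.compile(r'\s*"?(?P<exe>.*?\.exe)(?=["\s]|$)', re.I)
# Executable directly under the drive root, or inside a folder whose name ends in .exe.
ROOT_LAUNCH = re.compile(r"^[a-z]:\\[^\\]+\.exe(?:\\|$)", re.I)


@dataclass
class Finding:
    hive: str
    name: str
    target: str
    rule: Optional[str]  # None means nothing notable about the entry


def triage_run_line(line: str) -> Optional[Finding]:
    """Classify one uRun/mRun/dRun line; returns None for lines of other kinds."""
    m = RUN_LINE.match(line.strip())
    if not m:
        return None
    hive, name, cmd = m.group("hive"), m.group("name"), m.group("cmd")
    t = EXE_TOKEN.match(cmd)
    target = t.group("exe") if t else cmd.strip().strip('"')
    low = target.lower()
    rule = None
    if GUID_NAME.match(name):
        # A value name that is a bare GUID, pointing at a random folder and file
        # name, is a habit of droppers; legitimate products rarely register this way.
        rule = "guid_named_autorun"
    elif "\\application data\\" in low or "\\applic~1\\" in low:
        # Executables living in the user's Application Data folder deserve a look:
        # the program and folder names should be recognisable.
        rule = "exe_in_application_data"
    elif ROOT_LAUNCH.match(low):
        rule = "launched_from_drive_root"
    elif "\\" not in low:
        # Bare file name: resolved through the search path, so the log alone does
        # not say which copy runs. Mark for manual review.
        rule = "bare_name_no_path"
    return Finding(hive, name, target, rule)


def triage_report(text: str) -> List[Finding]:
    """Return the Run entries that match a rule, in log order."""
    out = []
    for line in text.splitlines():
        f = triage_run_line(line)
        if f and f.rule:
            out.append(f)
    return out


# Constructed subset of the 'Pseudo HJT Report' lines from the DDS log above.
SAMPLE_REPORT = r"""
uRun: [BitTorrent DNA] "c:\program files\dna\btdna.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [{F7A57798-763E-65F8-9036-F1A3493B8033}] "c:\documents and settings\owner\application data\moyc\ewwo.exe"
uRun: [{02D20F88-F62D-B04C-33EF-302350E8C623}] "c:\documents and settings\owner\application data\duubi\yfke.exe"
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [CHotkey] zHotkey.exe
mRun: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
dRun: [bofabotxxx.exe] c:\bofabotxxx.exe\bofabotxxx.exe
dRun: [Raptr] c:\progra~1\raptr\raptrstub.exe --startup
"""

if __name__ == "__main__":
    for f in triage_report(SAMPLE_REPORT):
        print(f"{f.rule:26} {f.hive} [{f.name}] -> {f.target}")
```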

#6 quietman7

Posted 22 November 2010 - 11:00 AM

I looked for a TDL3 rootkit remover on these forums and found one from Kaspersky Lab called TDSSKiller. It located and disinfected one threat and shortly afterward

That's not uncommon. A TDSS rootkit infection is often seen with file infectors. To learn more about this rootkit, please refer to:

It might still be infected but I am not entirely sure.

I do not know of any security vendor who will guarantee complete removal of file infectors. Even vendors like Kaspersky say there is no guarantee that some files will not get corrupted during the disinfection process. This means that infected executables and system files can become unusable after attempting to repair them and there's still no guarantee the virus is really gone. Since many of these are legitimate critical files required by the operating system, deletion is not a viable option. This destructive behavior may be by design as explained in File Infectors: To Junk Or Not To Junk.

In my experience, users may find their system performing better for a short time after attempted disinfection only to have it become progressively worse again as the malware continues to reinfect thousands of files. Some folks will try every tool or rescue disk they can find in futile attempts to repair critical system files. If something goes awry during the malware removal process the computer may become unstable or unbootable and you could lose access to all your data. In the end most folks end up reformatting out of frustration after spending hours attempting to repair and remove the infected files.

These are comments from some of the major anti-virus vendors in regards to file infectors:

...In many cases, files cannot simply be deleted as this would affect the stability or even basic functionality of the operating system and other software. Instead, the infected host program must be disinfected by removing the virus code from it and by carefully restoring the original contents and file structure if possible. This means detection and removal are still an issue for antivirus software....

Avira: Cleaning polymorphic infected files

...for infected users we have to offer no hope - fdisk - format and re-install is the only solution open to them...

avast: a file infector and why we cannot give false hope!

...it injects its code into running processes...The virus has a number of bugs in its code, and as a result it may misinfect a proportion of executable files...unfortunately, some infections are corrupted beyond repair.

McAfee: polymorphic infector

The suggestions in this article are not intended to 100% guarantee removal of all threats...The file infector employs a technique to make sure its corrupted .DLL format will replace the targeted extensions found within the system. When the computer is rebooted it incidentally boots the infected file and continues its advancement throughout the system...

Norton (Symantec): File infector

There are bugs in the viral code. When the virus produces infected files, it also creates non-functional files that also contain the virus...Due to the damage caused to files...it's possible to find repaired but corrupted files. They became corrupted by the incorrect writing of the viral code during the process of infection. Undetected, corrupted files (possibly still containing part of the viral code) can also be found. This is caused by incorrectly written and non-functional viral code present in these files.

AVG: polymorphic infector

That's why the best course of action is to wipe the drive clean, reformat and reinstall the OS.

I cannot add any more to miekiemoes' blog article: Virut and other File infectors - Throwing in the Towel?

dealing with such infections is a waste of time and that's why I prefer the fastest and safest solution - which is a format and reinstall.


Edited by quietman7, 22 November 2010 - 11:05 AM.


#7 DMatakami

Posted 23 November 2010 - 11:20 AM

Well, I guess I will have to roll back to a 60 GB hard drive then. My only problem is getting Windows XP on it. But I believe that is a topic for another forum.

#8 quietman7

Posted 23 November 2010 - 11:30 AM

Not a problem. If you need additional assistance with reformatting or partitioning, you can start a new topic in the Operating Systems Subforums forum.


Caution: If you are considering backing up data, keep in mind, with file infectors, there is always a chance of backed up data reinfecting your system. If the data is important to you, then you can try to salvage some of it but there is no guarantee so be forewarned that you may have to start over again afterwards if reinfected by attempting to recover your data. Only back up your important documents, personal data files, photos to a CD or DVD drive, not a flash drive or external hard drive as they may become compromised in the process. The safest practice is not to backup any executable files (*.exe), screensavers (*.scr), dynamic link library (*.dll), autorun (.ini) or script files (.php, .asp, .htm, .html, .xml) files because they may be infected by malware. Avoid backing up compressed files (.zip, .cab, .rar) that have executables inside them as some types of malware can penetrate compressed files and infect the .exe files within them. Other types of malware may even disguise themselves by hiding a file extension or adding to the existing extension as shown here so be sure you look closely at the full file name. If you cannot see the file extension, you may need to reconfigure Windows to show file name extensions. Then make sure you scan the backed up data with your anti-virus prior to copying it back to your hard drive.

If your CD/DVD drive is unusable, another word of caution if you are considering backing up to an external USB hard drive as your only alternative. External drives are more susceptible to infection and can become compromised in the process of backing up data. I'm not saying you should not try using such devices but I want to make you aware of all your options and associated risks so you can make an informed decision if it's worth that risk. Again, do not back up any files with the following file extensions: .exe, .scr, .dll, .ini, .htm, .html, .php, .asp, .xml, .zip, .rar, .cab as they may be infected.

#9 DMatakami

Posted 23 November 2010 - 11:41 AM

With the polymorphic, my only worry is losing any wmv, avi, mp3, wav, wma, jpg, png, doc, and bmp files. I have heard that virut cannot corrupt them, but I don't buy that.

#10 quietman7

Posted 23 November 2010 - 12:05 PM

I have not heard any reports of file infectors targeting those files...executable and script files are the primary concern. Although a file infector could corrupt non-executable files they cannot spread that way.
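The backup screening rules from post #8, together with the point in the last reply that a data file cannot spread a file infector but can still be damaged, as an added example that is not a tool from the thread: it refuses the listed extensions, inspects zip archives for executable members, and checks that a file with a media extension does not actually start with a Windows executable header. The directory layout and file contents are constructed for the demo.

```python
"""Screen a folder of files before copying them to backup media.

Added example for this thread, not a BleepingComputer tool. It applies the
rules quietman7 gives: refuse the listed extensions, look inside zip
archives for executables, and do not trust the visible extension alone.
The demo tree built by build_demo_tree() is synthetic; no real malware.
"""
import tempfile
import zipfile
from pathlib import Path
from typing import Dict, Optional, Tuple

# Extensions from post #8. .zip is inspected rather than refused outright;
# .rar and .cab cannot be opened with the standard library, so they are refused.
REFUSED = {".exe", ".scr", ".dll", ".ini", ".htm", ".html", ".php", ".asp",
           ".xml", ".rar", ".cab"}
PE_MAGIC = b"MZ"  # every Windows .exe/.dll/.scr starts with this two-byte header


def inspect_zip(path: Path) -> Optional[str]:
    """Return a reason to refuse the archive, or None if no member looks executable."""
    try:
        with zipfile.ZipFile(path) as zf:
            for member in zf.namelist():
                ext = Path(member).suffix.lower()
                if ext in REFUSED or ext == ".zip":
                    return f"archive contains {member}"
    except zipfile.BadZipFile:
        return "not a readable zip archive"
    return None


def classify(path: Path) -> Tuple[str, str]:
    """Return ('ok' | 'refuse', reason) for one file."""
    ext = path.suffix.lower()
    if ext in REFUSED:
        return "refuse", f"{ext} is on the do-not-backup list"
    if ext == ".zip":
        reason = inspect_zip(path)
        return ("refuse", reason) if reason else ("ok", "zip with no executable members")
    # Windows hides known extensions, so 'photo.jpg.exe' is shown as 'photo.jpg';
    # path.suffix still sees '.exe', so that case is caught above. What the name
    # cannot reveal is an executable renamed to a media extension, so read the bytes.
    with path.open("rb") as fh:
        head = fh.read(2)
    if head == PE_MAGIC:
        return "refuse", f"{ext or 'extensionless'} file starts with a PE header"
    return "ok", "data file"


def screen_tree(root: Path) -> Dict[str, Tuple[str, str]]:
    """Classify every file under root, keyed by its relative POSIX-style path."""
    return {p.relative_to(root).as_posix(): classify(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def build_demo_tree(root: Path) -> None:
    """Constructed sample backup set (synthetic headers, no real programs)."""
    for sub in ("photos", "docs", "downloads"):
        (root / sub).mkdir()
    (root / "photos" / "holiday.jpg").write_bytes(b"\xff\xd8\xff\xe0" + b"\0" * 32)
    (root / "docs" / "letter.doc").write_bytes(b"\xd0\xcf\x11\xe0" + b"\0" * 32)
    (root / "downloads" / "photo.jpg.exe").write_bytes(PE_MAGIC + b"\0" * 62)
    (root / "downloads" / "fake.png").write_bytes(PE_MAGIC + b"\0" * 62)   # renamed exe
    (root / "downloads" / "saver.scr").write_bytes(PE_MAGIC + b"\0" * 62)
    with zipfile.ZipFile(root / "downloads" / "notes.zip", "w") as zf:
        zf.writestr("notes.txt", "meeting notes")
        zf.writestr("helper.exe", PE_MAGIC + b"\0" * 62)
    with zipfile.ZipFile(root / "docs" / "clean.zip", "w") as zf:
        zf.writestr("readme.txt", "nothing executable here")


def run_demo() -> Dict[str, Tuple[str, str]]:
    """Build the demo tree in a temp dir, screen it, and return the verdicts."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_demo_tree(root)
        return screen_tree(root)


if __name__ == "__main__":
    for rel, (verdict, why) in run_demo().items():
        print(f"{verdict:6} {rel:24} {why}")
```

Only files marked ok would be copied to the CD/DVD; the log of refused files tells you what you are leaving behind.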



