Another infection (or still infected)


This topic is locked
17 replies to this topic

#1 Regicide

Posted 27 January 2011 - 05:05 PM

This time it is much worse. When I start my computer in normal mode, it will only run for about 2-3 minutes before freezing, and AVG has stopped working altogether. Hence, I couldn't get a GMER log to post in here. However, I did manage to get the DDS ones. I'm not sure what to do :/ I am on my computer in safe mode with networking now, this is the only way I can post here. I don't have another computer anymore.




UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_10-12-12.02)

Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 2/16/2007 7:22:35 AM
System Uptime: 1/27/2011 3:41:59 PM (0 hours ago)

Motherboard: | | GE PRO-M2.
Processor: AMD Athlon™ XP 1700+ | Socket 478 | 1310/100mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 114 GiB total, 50.878 GiB free.
D: is CDROM ()

==== Disabled Device Manager Items =============

==== System Restore Points ===================

No restore point in system.

==== Installed Programs ======================

Adobe AIR
Adobe Flash Player 10 Plugin
Adobe Reader 9.4.1
Apple Application Support
Apple Mobile Device Support
Apple Software Update
Avira AntiVir Personal - Free Antivirus
Bonjour
C-Media 3D Audio
iTunes
Java Auto Updater
Java™ 6 Update 23
Malwarebytes' Anti-Malware
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Enterprise 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office Groove MUI (English) 2007
Microsoft Office Groove Setup Metadata MUI (English) 2007
Microsoft Office InfoPath MUI (English) 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Software Update for Web Folders (English) 12
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Mozilla Firefox (3.6.13)
NVIDIA Drivers
QuickTime
Shaw Support 3.3.2
SiS 661FX_760_741_M661FX_M760_M741
Software Update for Web Folders
SoulSeek 157 NS 13e
Tag&Rename 3.5.7
TeamViewer 5
VLC media player 1.0.3
WebFldrs XP
Windows Internet Explorer 8
Windows XP Service Pack 3
WinRAR archiver

==== Event Viewer Messages From Past Week ========

1/27/2011 8:14:52 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: uagp35
1/27/2011 3:40:01 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service StiSvc with arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}
1/27/2011 2:41:55 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AmdK7 avgio avipbb Fips ssmdrv
1/27/2011 2:41:26 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
1/27/2011 2:32:26 PM, error: Service Control Manager [7034] - The WebClient service terminated unexpectedly. It has done this 1 time(s).
1/27/2011 2:32:26 PM, error: Service Control Manager [7034] - The TCP/IP NetBIOS Helper service terminated unexpectedly. It has done this 1 time(s).
1/27/2011 2:32:26 PM, error: Service Control Manager [7034] - The SSDP Discovery Service service terminated unexpectedly. It has done this 1 time(s).
1/27/2011 2:32:26 PM, error: Service Control Manager [7031] - The Remote Registry service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 1000 milliseconds: Restart the service.
1/27/2011 2:28:02 PM, error: Service Control Manager [7034] - The iPod Service service terminated unexpectedly. It has done this 1 time(s).
1/27/2011 2:27:21 PM, error: Service Control Manager [7031] - The Avira AntiVir Scheduler service terminated unexpectedly. It has done this 2 time(s). The following corrective action will be taken in 0 milliseconds: Restart the service.
1/27/2011 2:26:48 PM, error: Service Control Manager [7031] - The Avira AntiVir Scheduler service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 0 milliseconds: Restart the service.
1/26/2011 11:30:13 PM, error: Service Control Manager [7034] - The IMAPI CD-Burning COM Service service terminated unexpectedly. It has done this 1 time(s).
1/26/2011 11:29:52 PM, error: Service Control Manager [7031] - The Windows Spool Services service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 3000 milliseconds: Restart the service.
1/26/2011 11:28:48 PM, error: Service Control Manager [7034] - The Java Quick Starter service terminated unexpectedly. It has done this 1 time(s).
1/26/2011 11:27:50 PM, error: Service Control Manager [7034] - The Application Layer Gateway Service service terminated unexpectedly. It has done this 1 time(s).
1/26/2011 11:23:27 PM, error: Service Control Manager [7031] - The VMwareService service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 3000 milliseconds: Restart the service.
1/25/2011 8:55:02 AM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the IMAPI CD-Burning COM Service service to connect.
1/25/2011 8:55:02 AM, error: Service Control Manager [7000] - The IMAPI CD-Burning COM Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
1/24/2011 1:13:32 PM, error: Dhcp [1002] - The IP address lease 24.79.136.249 for the Network Card with network address 00E006090769 has been denied by the DHCP server 0.0.0.0 (The DHCP Server sent a DHCPNACK message).
1/21/2011 9:41:56 PM, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the stisvc service.

==== End Of File ===========================






DDS (Ver_10-12-12.02) - NTFSx86
Run by NBN at 15:44:30.40 on Thu 01/27/2011
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_23
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.959.695 [GMT -6:00]

AV: AntiVir Desktop *Disabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\WINDOWS\system32\keyhook.exe
C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\shaw\bin\shawsupport.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\csrsc.exe
C:\DOCUME~1\NBN\LOCALS~1\Temp\12894.exe
C:\WINDOWS\system32\dwwin.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\NBN\My Documents\Downloads\dds.scr
C:\WINDOWS\system32\wuauclt.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.ca/
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Tnaww] c:\recycler\s-1-5-21-0243556031-888888379-781863308-1413\syitm.exe
mRun: [SiS Windows KeyHook] c:\windows\system32\keyhook.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [SiSUSBRG] c:\windows\SiSUSBrg.exe
mRun: [NapsterShell] c:\documents and settings\nbn\desktop\napster downloads\napster.exe /systray
mRun: [Microsoft Driver Setup] c:\windows\ggdrive32.exe
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [Advanced HTTPL Enable] c:\docume~1\nbn\locals~1\temp\12894.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\shawsu~1.lnk - c:\program files\shaw\bin\shawsupport.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\nbn\applic~1\mozilla\firefox\profiles\fsxps32n.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - www.google.ca
FF - prefs.js: network.proxy.type - 0
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true

============= SERVICES / DRIVERS ===============

R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2007-2-16 11608]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2007-2-16 115457]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2007-2-16 56816]
R2 WinSpoolSvc;Windows Spool Services;c:\windows\system32\csrsc.exe [2011-1-27 43008]
S2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2007-2-16 192257]

=============== Created Last 30 ================

2011-01-27 17:39:02 43008 --sh--r- c:\windows\system32\csrsc.exe
2011-01-27 17:39:01 43008 ----a-w- c:\windows\system32\x.exe
2011-01-26 02:55:21 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-01-26 02:55:14 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-01-26 02:55:14 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-01-23 23:22:16 -------- d-----w- c:\docume~1\alluse~1\applic~1\Soulseek
2011-01-23 23:19:36 -------- d-----w- c:\program files\SoulseekNS
2011-01-23 08:21:29 53248 ----a-w- c:\windows\system32\37.exe
2011-01-23 04:33:06 53248 ----a-w- c:\windows\system32\68.exe
2011-01-20 08:49:09 53248 ----a-w- c:\windows\system32\04.exe
2011-01-20 08:15:53 53248 ----a-w- c:\windows\system32\51.exe
2011-01-15 08:07:18 -------- d-----w- c:\docume~1\alluse~1\applic~1\Napster
2011-01-14 20:14:35 26600 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
2011-01-14 20:14:35 107368 ----a-w- c:\windows\system32\GEARAspi.dll
2011-01-14 20:13:06 -------- d-----w- c:\program files\iPod
2011-01-14 20:12:48 -------- d-----w- c:\program files\iTunes
2011-01-14 20:12:48 -------- d-----w- c:\docume~1\alluse~1\applic~1\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2011-01-14 20:11:35 41984 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2011-01-14 20:11:35 4184352 ----a-w- c:\windows\system32\usbaaplrc.dll
2011-01-14 20:11:01 -------- d-----w- c:\program files\Bonjour
2011-01-14 04:51:12 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-01-14 01:07:44 -------- d-----w- c:\program files\TagRename
2011-01-12 04:05:09 -------- d-sha-r- C:\cmdcons
2011-01-11 06:16:05 -------- d-----w- c:\docume~1\nbn\applic~1\Malwarebytes
2011-01-11 06:15:55 -------- d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2011-01-09 22:22:26 -------- d-----w- c:\windows\pss
2011-01-05 05:56:38 -------- d-----w- c:\docume~1\nbn\locals~1\applic~1\Apple
2011-01-05 05:56:10 -------- d-----w- c:\docume~1\nbn\locals~1\applic~1\Apple Computer
2011-01-02 18:50:44 -------- d-----w- c:\docume~1\nbn\locals~1\applic~1\shaw
2011-01-02 18:50:44 -------- d-----w- c:\docume~1\alluse~1\applic~1\shaw
2011-01-02 18:49:26 72192 ----a-w- c:\windows\system32\zlib.dll
2011-01-02 18:49:26 -------- d-----w- c:\program files\shaw

==================== Find3M ====================

2011-01-14 04:50:28 472808 ----a-w- c:\windows\system32\deployJava1.dll
2010-11-29 23:38:30 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2010-11-29 23:38:30 69632 ----a-w- c:\windows\system32\QuickTime.qts

============= FINISH: 15:45:37.45 ===============

Edited by Regicide, 27 January 2011 - 05:10 PM.
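
The DDS log above shows the persistence pattern this thread is dealing with: a Run entry launched from C:\RECYCLER, another launched from the user's Temp folder, a service called "Windows Spool Services" whose binary is csrsc.exe (one letter away from the legitimate csrss.exe), numerically named executables dropped into system32, and a freshly created system32 file carrying system+hidden+read-only attributes. The script below is an added example, not part of the original post and not part of DDS or Malwarebytes: it parses the relevant DDS sections and flags entries that match those patterns. The rules, the list of core process names it compares against, the reading of the DDS attribute column and the sample lines (a constructed subset of the log above) are all assumptions made for the example.

```python
# Triage a DDS log for the persistence patterns seen in this thread.
# Added example; the rules below are assumptions derived from the posted log.
import re

# Core Windows process names that droppers like to imitate (assumption).
CORE_STEMS = {"csrss", "svchost", "lsass", "winlogon", "services",
              "explorer", "spoolsv", "smss"}
# Directories a legitimate autorun has no business living in, written the
# way DDS prints them (8.3 short names, lower case) (assumption).
BAD_DIRS = ("\\locals~1\\temp\\", "\\local settings\\temp\\", "\\recycler\\")

SECTION_RE = re.compile(r"^=+ (.+?) =+$")
RUN_RE = re.compile(r"^[um]Run: \[[^\]]*\] (?P<cmd>.+)$")
SVC_RE = re.compile(r"^[RS]\d [^;]+;[^;]*;(?P<path>.+?)(?: \[[^\]]*\])?$")
CREATED_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \S+ (?:\d+|-+) (?P<attrs>\S{8}) (?P<path>.+)$")
EXE_RE = re.compile(r'([^\\\s"]+)\.exe\b', re.I)


def edit_distance(a, b):
    """Levenshtein distance; used to catch one-character lookalike names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1,
                           prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def _lookalike(stem):
    """Core process name that `stem` is exactly one edit away from, or None."""
    if stem in CORE_STEMS:
        return None
    return next((c for c in CORE_STEMS if edit_distance(stem, c) == 1), None)


def _path_reasons(text):
    """Rules that apply to any command line or file path in the log."""
    low, reasons = text.lower(), []
    if any(d in low for d in BAD_DIRS):
        reasons.append("runs from a Temp or RECYCLER directory")
    m = EXE_RE.search(low)
    if m and m.group(1).isdigit():
        reasons.append("purely numeric executable name")
    core = _lookalike(m.group(1)) if m else None
    if core:
        reasons.append(f"name is one edit away from {core}.exe")
    return reasons


def triage(dds_text):
    """Return [(log line, [reasons])] for every entry that trips a rule."""
    findings, section = [], None
    for line in (l.strip() for l in dds_text.splitlines()):
        header = SECTION_RE.match(line)
        if header:
            section = header.group(1).strip().lower()
            continue
        reasons = []
        if section == "running processes":
            reasons = _path_reasons(line)
        elif section == "pseudo hjt report" and (m := RUN_RE.match(line)):
            reasons = _path_reasons(m.group("cmd"))
        elif section == "services / drivers" and (m := SVC_RE.match(line)):
            reasons = _path_reasons(m.group("path"))
        elif section == "created last 30" and (m := CREATED_RE.match(line)):
            reasons = _path_reasons(m.group("path"))
            # DDS attribute column: d(ir), then s(ystem), h(idden), a(rchive);
            # layout inferred from the log above (assumption).
            if {"s", "h"} <= set(m.group("attrs")[:4]) and m.group("path").lower().endswith(".exe"):
                reasons.append("new executable with system+hidden attributes")
        if reasons:
            findings.append((line, reasons))
    return findings


# Constructed sample: a subset of the lines from the DDS log above.
SAMPLE_DDS = r"""
============== Running Processes ===============
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\WINDOWS\system32\csrsc.exe
C:\DOCUME~1\NBN\LOCALS~1\Temp\12894.exe
============== Pseudo HJT Report ===============
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Tnaww] c:\recycler\s-1-5-21-0243556031-888888379-781863308-1413\syitm.exe
mRun: [Microsoft Driver Setup] c:\windows\ggdrive32.exe
mRun: [Advanced HTTPL Enable] c:\docume~1\nbn\locals~1\temp\12894.exe
============= SERVICES / DRIVERS ===============
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2007-2-16 115457]
R2 WinSpoolSvc;Windows Spool Services;c:\windows\system32\csrsc.exe [2011-1-27 43008]
=============== Created Last 30 ================
2011-01-27 17:39:02 43008 --sh--r- c:\windows\system32\csrsc.exe
2011-01-27 17:39:01 43008 ----a-w- c:\windows\system32\x.exe
2011-01-23 08:21:29 53248 ----a-w- c:\windows\system32\37.exe
2011-01-12 04:05:09 -------- d-sha-r- C:\cmdcons
"""

if __name__ == "__main__":
    for line, why in triage(SAMPLE_DDS):
        print(f"{line}\n    -> {'; '.join(why)}")
```

Run it as-is to triage the constructed sample, or read a saved DDS.txt and pass its contents to triage(). The rules are deliberately narrow and they miss things: the "Microsoft Driver Setup" entry pointing at c:\windows\ggdrive32.exe trips none of them, and in this thread it was only identified by Malwarebytes' signature (Worm.Palevo), so treat the output as a starting point for the manual review the helpers here do, not as a verdict. The csrsc.exe entry is the one worth remembering: a service created the same day as the infection, a display name borrowed from a real Windows component, and a binary whose name differs from csrss.exe by a single character.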



#2 miekiemoes

Malware Response Team

Posted 28 January 2011 - 03:09 AM

Hi,

I see you have Malwarebytes installed already; however, it looks like it's not up to date, or you didn't scan with it.

That's why, first of all, please update MalwareBytes:

  • Start MalwareBytes and click the Update tab. There click "Check for updates"
  • Once the updates are downloaded, perform a quick scan again.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply along with a fresh DDS log, then we'll proceed from there with new steps.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

#3 Regicide

Posted 28 January 2011 - 05:51 PM

Alright, here are my logs.
The first one is the MBAM log, from today, after updating again and scanning in Safe Mode.
The second log is the MBAM log I PM'd m0le, taken January 27, 2011 (one day ago), in Normal Mode (I had also updated it that day).
The third log is the new DDS/Attach log, taken today in Normal Mode. After MBAM did its work, I have internet access on Normal Mode again, despite my computer speed being somewhat sluggish. I will attempt to post a GMER log next, from Normal Mode.



First Log:

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 5629

Windows 5.1.2600 Service Pack 3 (Safe Mode)
Internet Explorer 8.0.6001.18702

1/28/2011 9:45:59 AM
mbam-log-2011-01-28 (09-45-59).txt

Scan type: Full scan (C:\|)
Objects scanned: 244920
Time elapsed: 1 hour(s), 40 minute(s), 42 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 8

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\VMwareService (Worm.SpyBot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSpoolSvc (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Enum\Root\LEGACY_WINSPOOLSVC (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\WINDOWS\system\vmwareservice.exe (Worm.SpyBot) -> Quarantined and deleted successfully.
c:\documents and settings\NBN\local settings\temp\12894.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\documents and settings\NBN\local settings\temporary internet files\Content.IE5\LZQXWQNJ\svr8[1].exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\documents and settings\networkservice\local settings\temporary internet files\Content.IE5\F95IJZUT\x[1] (Worm.SpyBot) -> Quarantined and deleted successfully.
c:\documents and settings\networkservice\local settings\temporary internet files\Content.IE5\F95IJZUT\x[3] (Worm.SpyBot) -> Quarantined and deleted successfully.
c:\documents and settings\networkservice\local settings\temporary internet files\Content.IE5\M6FZQVO0\x[2] (Worm.SpyBot) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\x.exe (Worm.SpyBot) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\csrsc.exe (Trojan.Agent) -> Quarantined and deleted successfully.





Second Log:

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 5604

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

1/27/2011 8:11:08 AM
mbam-log-2011-01-27 (08-11-04).txt

Scan type: Full scan (C:\|)
Objects scanned: 243304
Time elapsed: 4 hour(s), 23 minute(s), 39 second(s)

Memory Processes Infected: 2
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 4
Registry Data Items Infected: 2
Folders Infected: 1
Files Infected: 32

Memory Processes Infected:
c:\WINDOWS\system\vmwareservice.exe (Worm.SpyBot) -> 1856 -> No action taken.
c:\WINDOWS\system32\csrsc.exe (Trojan.Agent) -> 352 -> No action taken.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\VMwareService (Worm.SpyBot) -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSpoolSvc (Trojan.Agent) -> No action taken.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Enum\Root\LEGACY_WINSPOOLSVC (Trojan.Agent) -> No action taken.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell (Worm.Palevo) -> Value: Shell -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Tnaww (Trojan.Agent) -> Value: Tnaww -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Taskman (Worm.Palevo) -> Value: Taskman -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Microsoft Driver Setup (Worm.Palevo) -> Value: Microsoft Driver Setup -> No action taken.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Taskman (Trojan.Agent) -> Bad: (C:\RECYCLER\S-1-5-21-0243556031-888888379-781863308-1413\syitm.exe) Good: () -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell (Hijack.Shell) -> Bad: (C:\RECYCLER\S-1-5-21-0243556031-888888379-781863308-1413\syitm.exe,explorer.exe,C:\Documents and Settings\NBN\Application Data\bowcav.exe) Good: (Explorer.exe) -> No action taken.

Folders Infected:
c:\RECYCLER\s-1-5-21-0243556031-888888379-781863308-1413 (Worm.AutoRun) -> No action taken.

Files Infected:
c:\WINDOWS\system\vmwareservice.exe (Worm.SpyBot) -> No action taken.
c:\documents and settings\NBN\pf.exe (Trojan.Agent) -> No action taken.
c:\documents and settings\NBN\pfs.exe (Trojan.Autorun) -> No action taken.
c:\documents and settings\NBN\local settings\temp\004620.exe (Trojan.Agent) -> No action taken.
c:\documents and settings\NBN\local settings\temp\0054920.exe (Trojan.Agent) -> No action taken.
c:\documents and settings\NBN\local settings\temp\040.exe (Trojan.Agent) -> No action taken.
c:\documents and settings\NBN\local settings\temp\09601.exe (Trojan.Agent) -> No action taken.
c:\documents and settings\NBN\local settings\temp\142.exe (Trojan.Agent) -> No action taken.
c:\documents and settings\NBN\local settings\temp\155645.exe (Trojan.Agent) -> No action taken.
c:\documents and settings\NBN\local settings\temp\234.exe (Trojan.Agent) -> No action taken.
c:\documents and settings\NBN\local settings\temp\28772.exe (Trojan.Agent) -> No action taken.
c:\documents and settings\NBN\local settings\temp\3888510.exe (Trojan.Agent) -> No action taken.
c:\documents and settings\NBN\local settings\temp\5662104.exe (Trojan.Agent) -> No action taken.
c:\documents and settings\NBN\local settings\temp\572012.exe (Trojan.Agent) -> No action taken.
c:\documents and settings\NBN\local settings\temp\582.exe (Trojan.Agent) -> No action taken.
c:\documents and settings\NBN\local settings\temp\6051.exe (Trojan.Agent) -> No action taken.
c:\documents and settings\NBN\local settings\temp\641.exe (Trojan.Agent) -> No action taken.
c:\documents and settings\NBN\local settings\temp\99172.exe (Trojan.Agent) -> No action taken.
c:\documents and settings\NBN\local settings\temporary internet files\Content.IE5\4KM7ONJV\a2[1].exe (Trojan.Agent) -> No action taken.
c:\documents and settings\NBN\local settings\temporary internet files\Content.IE5\IZQJJG5H\346[2].exe (Trojan.Autorun) -> No action taken.
c:\documents and settings\NBN\local settings\temporary internet files\Content.IE5\IZQJJG5H\n1[1].exe (Trojan.Agent) -> No action taken.
c:\documents and settings\NBN\local settings\temporary internet files\Content.IE5\LZQXWQNJ\n2[1].exe (Trojan.Agent) -> No action taken.
c:\documents and settings\NBN\local settings\temporary internet files\Content.IE5\OQ1Z88CR\345[1].exe (Trojan.Agent) -> No action taken.
c:\documents and settings\networkservice\local settings\temporary internet files\Content.IE5\DNALABBE\aido[1].exe (Trojan.Agent) -> No action taken.
c:\documents and settings\networkservice\local settings\temporary internet files\Content.IE5\DNALABBE\rbhkt[1].gif (Extension.Mismatch) -> No action taken.
c:\documents and settings\networkservice\local settings\temporary internet files\Content.IE5\F95IJZUT\kiuiuhwm[1].gif (Extension.Mismatch) -> No action taken.
c:\documents and settings\networkservice\local settings\temporary internet files\Content.IE5\F95IJZUT\x[1] (Worm.SpyBot) -> No action taken.
c:\old system\program files\installshield installation information\Hotbar\bin\4.5.1.0\HbHostOE.dll (Adware.Hotbar) -> No action taken.
c:\WINDOWS\system32\23.exe (Trojan.Agent) -> No action taken.
c:\WINDOWS\system32\csrsc.exe (Trojan.Agent) -> No action taken.
c:\RECYCLER\s-1-5-21-0243556031-888888379-781863308-1413\syitm.exe (Trojan.Agent) -> No action taken.
c:\RECYCLER\s-1-5-21-0243556031-888888379-781863308-1413\Desktop.ini (Worm.AutoRun) -> No action taken.





Third Log:


DDS (Ver_10-12-12.02) - NTFSx86
Run by NBN at 16:41:05.43 on Fri 01/28/2011
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_23
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.959.713 [GMT -6:00]

AV: AntiVir Desktop *Disabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\WINDOWS\system32\keyhook.exe
C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\NBN\My Documents\Downloads\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.ca/
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [SiS Windows KeyHook] c:\windows\system32\keyhook.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\nbn\applic~1\mozilla\firefox\profiles\fsxps32n.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - www.google.ca
FF - prefs.js: network.proxy.type - 0
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true

============= SERVICES / DRIVERS ===============

R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2007-2-16 11608]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2007-2-16 115457]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2007-2-16 56816]
S2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2007-2-16 192257]
SUnknown VMwareService;VMwareService; [x]
SUnknown WinSpoolSvc;WinSpoolSvc; [x]

=============== Created Last 30 ================

2011-01-26 02:55:21 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-01-26 02:55:14 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-01-26 02:55:14 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-01-23 23:22:16 -------- d-----w- c:\docume~1\alluse~1\applic~1\Soulseek
2011-01-23 23:19:36 -------- d-----w- c:\program files\SoulseekNS
2011-01-23 08:21:29 53248 ----a-w- c:\windows\system32\37.exe
2011-01-23 04:33:06 53248 ----a-w- c:\windows\system32\68.exe
2011-01-20 08:49:09 53248 ----a-w- c:\windows\system32\04.exe
2011-01-20 08:15:53 53248 ----a-w- c:\windows\system32\51.exe
2011-01-15 08:07:18 -------- d-----w- c:\docume~1\alluse~1\applic~1\Napster
2011-01-14 20:14:35 26600 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
2011-01-14 20:14:35 107368 ----a-w- c:\windows\system32\GEARAspi.dll
2011-01-14 20:13:06 -------- d-----w- c:\program files\iPod
2011-01-14 20:12:48 -------- d-----w- c:\program files\iTunes
2011-01-14 20:12:48 -------- d-----w- c:\docume~1\alluse~1\applic~1\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2011-01-14 20:11:35 41984 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2011-01-14 20:11:35 4184352 ----a-w- c:\windows\system32\usbaaplrc.dll
2011-01-14 20:11:01 -------- d-----w- c:\program files\Bonjour
2011-01-14 04:51:12 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-01-14 01:07:44 -------- d-----w- c:\program files\TagRename
2011-01-12 04:05:09 -------- d-sha-r- C:\cmdcons
2011-01-11 06:16:05 -------- d-----w- c:\docume~1\nbn\applic~1\Malwarebytes
2011-01-11 06:15:55 -------- d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2011-01-09 22:22:26 -------- d-----w- c:\windows\pss
2011-01-05 05:56:38 -------- d-----w- c:\docume~1\nbn\locals~1\applic~1\Apple
2011-01-05 05:56:10 -------- d-----w- c:\docume~1\nbn\locals~1\applic~1\Apple Computer
2011-01-02 18:50:44 -------- d-----w- c:\docume~1\nbn\locals~1\applic~1\shaw
2011-01-02 18:50:44 -------- d-----w- c:\docume~1\alluse~1\applic~1\shaw
2011-01-02 18:49:26 72192 ----a-w- c:\windows\system32\zlib.dll
2011-01-02 18:49:26 -------- d-----w- c:\program files\shaw

==================== Find3M ====================

2011-01-14 04:50:28 472808 ----a-w- c:\windows\system32\deployJava1.dll
2010-11-29 23:38:30 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2010-11-29 23:38:30 69632 ----a-w- c:\windows\system32\QuickTime.qts

============= FINISH: 16:42:23.76 ===============






UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_10-12-12.02)

Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 2/16/2007 7:22:35 AM
System Uptime: 1/28/2011 4:38:39 PM (0 hours ago)

Motherboard: | | GE PRO-M2.
Processor: AMD Athlon™ XP 1700+ | Socket 478 | 1309/100mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 114 GiB total, 50.83 GiB free.
D: is CDROM ()

==== Disabled Device Manager Items =============

==== System Restore Points ===================

No restore point in system.

==== Installed Programs ======================

Adobe AIR
Adobe Flash Player 10 Plugin
Adobe Reader 9.4.1
Apple Application Support
Apple Mobile Device Support
Apple Software Update
Avira AntiVir Personal - Free Antivirus
Bonjour
C-Media 3D Audio
iTunes
Java Auto Updater
Java™ 6 Update 23
Malwarebytes' Anti-Malware
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Enterprise 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office Groove MUI (English) 2007
Microsoft Office Groove Setup Metadata MUI (English) 2007
Microsoft Office InfoPath MUI (English) 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Software Update for Web Folders (English) 12
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Mozilla Firefox (3.6.13)
NVIDIA Drivers
QuickTime
Shaw Support 3.3.2
SiS 661FX_760_741_M661FX_M760_M741
Software Update for Web Folders
SoulSeek 157 NS 13e
Tag&Rename 3.5.7
TeamViewer 5
VLC media player 1.0.3
WebFldrs XP
Windows Internet Explorer 8
Windows XP Service Pack 3
WinRAR archiver

==== Event Viewer Messages From Past Week ========

1/28/2011 9:49:09 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AmdK7 avgio avipbb Fips ssmdrv uagp35
1/27/2011 8:14:52 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: uagp35
1/27/2011 3:40:01 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service StiSvc with arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}
1/27/2011 2:41:55 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AmdK7 avgio avipbb Fips ssmdrv
1/27/2011 2:41:26 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
1/27/2011 2:32:26 PM, error: Service Control Manager [7034] - The WebClient service terminated unexpectedly. It has done this 1 time(s).
1/27/2011 2:32:26 PM, error: Service Control Manager [7034] - The TCP/IP NetBIOS Helper service terminated unexpectedly. It has done this 1 time(s).
1/27/2011 2:32:26 PM, error: Service Control Manager [7034] - The SSDP Discovery Service service terminated unexpectedly. It has done this 1 time(s).
1/27/2011 2:32:26 PM, error: Service Control Manager [7031] - The Remote Registry service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 1000 milliseconds: Restart the service.
1/27/2011 2:28:02 PM, error: Service Control Manager [7034] - The iPod Service service terminated unexpectedly. It has done this 1 time(s).
1/27/2011 2:27:21 PM, error: Service Control Manager [7031] - The Avira AntiVir Scheduler service terminated unexpectedly. It has done this 2 time(s). The following corrective action will be taken in 0 milliseconds: Restart the service.
1/27/2011 2:26:48 PM, error: Service Control Manager [7031] - The Avira AntiVir Scheduler service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 0 milliseconds: Restart the service.
1/26/2011 11:30:13 PM, error: Service Control Manager [7034] - The IMAPI CD-Burning COM Service service terminated unexpectedly. It has done this 1 time(s).
1/26/2011 11:29:52 PM, error: Service Control Manager [7031] - The Windows Spool Services service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 3000 milliseconds: Restart the service.
1/26/2011 11:28:48 PM, error: Service Control Manager [7034] - The Java Quick Starter service terminated unexpectedly. It has done this 1 time(s).
1/26/2011 11:27:50 PM, error: Service Control Manager [7034] - The Application Layer Gateway Service service terminated unexpectedly. It has done this 1 time(s).
1/26/2011 11:23:27 PM, error: Service Control Manager [7031] - The VMwareService service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 3000 milliseconds: Restart the service.
1/25/2011 8:55:02 AM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the IMAPI CD-Burning COM Service service to connect.
1/25/2011 8:55:02 AM, error: Service Control Manager [7000] - The IMAPI CD-Burning COM Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
1/24/2011 2:57:55 PM, error: Dhcp [1002] - The IP address lease 24.79.136.249 for the Network Card with network address 00E006090769 has been denied by the DHCP server 0.0.0.0 (The DHCP Server sent a DHCPNACK message).
1/21/2011 9:41:56 PM, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the stisvc service.

==== End Of File ===========================

#4 Regicide

Regicide
  • Topic Starter

  • Members
  • 55 posts
  • OFFLINE
  • Local time:03:34 AM

Posted 28 January 2011 - 07:33 PM

I still could not get a GMER log in Normal Mode without my computer freezing.

edit: I will try scanning once more with MBAM in Normal Mode, since it seems that only using GMER freezes my computer.

Edited by Regicide, 28 January 2011 - 07:40 PM.


#5 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  • Gender:Female
  • Location:Belgium
  • Local time:11:34 AM

Posted 29 January 2011 - 02:21 AM

Hi,

Don't worry about GMER, though; on some systems it just freezes, even when there's no malware present.

Anyway, this already looks a lot better here, but please do the following as well:

* Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Post the log from ComboFix in your next reply.

Please make sure you disable ALL of your Antivirus/Antispyware/Firewall before running ComboFix. This is because security software may see some components ComboFix uses (prep.com for example) as suspicious and block the tool, or even delete it. Please visit HERE if you don't know how.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#6 Regicide

Regicide
  • Topic Starter

  • Members
  • 55 posts
  • OFFLINE
  • Local time:03:34 AM

Posted 29 January 2011 - 05:46 AM

I keep getting this message when attempting to run ComboFix.exe:

Posted Image

#7 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  • Gender:Female
  • Location:Belgium
  • Local time:11:34 AM

Posted 29 January 2011 - 05:54 AM

Hi,

Please delete and redownload in Windows safe mode.
If you still get the same, then I really hope you're not dealing with Virut or any other file infector, because that would unfortunately mean a format and reinstall.

Btw, I see you are normally using Avira, but it's disabled here. Did you disable it manually earlier? Or was it disabled automatically? If it was already disabled (and you didn't disable it), then I fear this is indeed a file infector doing this (as Virut & Sality disable AVs and/or infect them as well).

Are you able to run online scanners?

* Go here to run an online scanner from ESET.
  • Note: You will need to use Internet Explorer for this scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Check the following options: Remove found threats and Scan unwanted applications.
  • Click Scan
  • Wait for the scan to finish
  • Use notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt


#8 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  • Gender:Female
  • Location:Belgium
  • Local time:11:34 AM

Posted 29 January 2011 - 06:01 AM

Also, before I forget,

Please navigate to your system32 folder.
You'll find the following files there:

c:\windows\system32\37.exe
c:\windows\system32\68.exe
c:\windows\system32\04.exe
c:\windows\system32\51.exe

Please upload one of them to here: http://www.bleepingcomputer.com/submit-malware.php?channel=8
But before you do, rename the one you'll be uploading to 37.bad or 68.bad. This is an extra security measure.

Then delete the mentioned files.
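As an added example (my own code, not from the thread or from DDS), a small parser over constructed DDS-style "files created" lines that flags the pattern pointed out above: executables dropped directly into system32 with purely numeric names, and whether several of them share one file size. The names SAMPLE_LOG, parse_dds, suspicious_system32_exes and shared_sizes are mine.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample in the DDS line format: timestamp, size, attributes, path.
SAMPLE_LOG = """\
2011-01-23 08:21:29 53248 ----a-w- c:\\windows\\system32\\37.exe
2011-01-23 04:33:06 53248 ----a-w- c:\\windows\\system32\\68.exe
2011-01-20 08:49:09 53248 ----a-w- c:\\windows\\system32\\04.exe
2011-01-20 08:15:53 53248 ----a-w- c:\\windows\\system32\\51.exe
2011-01-14 20:14:35 26600 ----a-w- c:\\windows\\system32\\drivers\\GEARAspiWDM.sys
2011-01-14 20:14:35 107368 ----a-w- c:\\windows\\system32\\GEARAspi.dll
2011-01-15 08:07:18 -------- d-----w- c:\\docume~1\\alluse~1\\applic~1\\Napster
2011-01-02 18:49:26 72192 ----a-w- c:\\windows\\system32\\zlib.dll
"""

LINE_RE = re.compile(r"^(\S+ \S+) (\d+|-+) (\S+) (.+)$")

@dataclass
class Entry:
    when: str
    size: "int | None"   # None for directory lines, which DDS prints as "--------"
    attrs: str
    path: str

def parse_dds(text):
    """Parse DDS file lines; lines that do not fit the format are ignored."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            size = int(m.group(2)) if m.group(2).isdigit() else None
            entries.append(Entry(m.group(1), size, m.group(3), m.group(4)))
    return entries

def suspicious_system32_exes(entries):
    """Flag .exe files placed directly in system32 whose basename is only digits."""
    hits = []
    for e in entries:
        if e.attrs.startswith("d"):          # directory entries are not droppers
            continue
        head, _, name = e.path.lower().rpartition("\\")
        if head.endswith("\\system32") and name.endswith(".exe") and name[:-4].isdigit():
            hits.append(e)
    return hits

def shared_sizes(hits):
    """Sizes shared by more than one hit (identical-size droppers are a strong signal)."""
    counts = Counter(h.size for h in hits)
    return {s: n for s, n in counts.items() if n > 1}
```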

#9 Regicide

Regicide
  • Topic Starter

  • Members
  • 55 posts
  • OFFLINE
  • Local time:03:34 AM

Posted 29 January 2011 - 06:01 AM

Yes, AVG was disabled by the infection, and not by me.

#10 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  • Gender:Female
  • Location:Belgium
  • Local time:11:34 AM

Posted 29 January 2011 - 06:04 AM

See my previous reply :)

#11 Regicide

Regicide
  • Topic Starter

  • Members
  • 55 posts
  • OFFLINE
  • Local time:03:34 AM

Posted 29 January 2011 - 06:05 AM

I've submitted a sample and am now scanning with ESET.

#12 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  • Gender:Female
  • Location:Belgium
  • Local time:11:34 AM

Posted 29 January 2011 - 06:12 AM

Hi,

Don't bother to perform any scans anymore... I just received your file and you are indeed infected with Virut :(
This is unfortunately a game over situation here and a format and reinstall is the fastest and especially the safest solution.

You may want to read this why:
Virut and other File infectors - Throwing in the Towel?

So, I suggest you start backing up all of your valuable data/documents/pictures/movies/songs/etc. Do NOT back up any applications/installers and do NOT back up any .exe/.scr/.htm/.html/.xml/.zip/.rar files...
This is because these files may be infected as well. If you back them up and restore them afterwards, it will infect your computer again.


Read here for instructions how to format and reinstall Windows: http://web.mit.edu/ist/products/winxp/adva...all-format.html
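An added example (my own code, not the thread's) of the backup rule in the post above: copy user data off the machine while skipping every extension the post lists as potentially infected. The sample tree, SAMPLE_FILES and the function names are constructed for the demonstration.

```python
import os
import shutil
import tempfile

# The extensions the post says must NOT be copied off a Virut-infected machine.
INFECTABLE_EXTENSIONS = {".exe", ".scr", ".htm", ".html", ".xml", ".zip", ".rar"}

# Constructed sample tree (relative paths) used by demo().
SAMPLE_FILES = [
    "Pictures/holiday.jpg", "Documents/notes.txt", "Documents/budget.xls",
    "Music/track.mp3", "Downloads/installer.EXE", "Web/index.html",
    "Downloads/songs.zip",
]

def is_safe_to_copy(name):
    """True for plain user data; the extension check is case-insensitive (installer.EXE)."""
    return os.path.splitext(name)[1].lower() not in INFECTABLE_EXTENSIONS

def plan_backup(source_root):
    """Walk the tree and split files into those to copy and those to leave behind."""
    keep, skip = [], []
    for dirpath, _, filenames in os.walk(source_root):
        for name in filenames:
            (keep if is_safe_to_copy(name) else skip).append(os.path.join(dirpath, name))
    return sorted(keep), sorted(skip)

def run_backup(source_root, dest_root):
    """Copy only the safe files, preserving relative paths; returns (copied, skipped)."""
    keep, skip = plan_backup(source_root)
    for src in keep:
        dst = os.path.join(dest_root, os.path.relpath(src, source_root))
        os.makedirs(os.path.dirname(dst), exist_ok=True)
        shutil.copy2(src, dst)
    return keep, skip

def demo():
    """Build the constructed tree in a temp dir, back it up, and report relative paths."""
    with tempfile.TemporaryDirectory() as tmp:
        src, dst = os.path.join(tmp, "src"), os.path.join(tmp, "backup")
        for rel in SAMPLE_FILES:
            full = os.path.join(src, *rel.split("/"))
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "w") as fh:
                fh.write("constructed sample content\n")
        copied, skipped = run_backup(src, dst)
        rel = lambda paths: sorted(os.path.relpath(p, src).replace(os.sep, "/") for p in paths)
        landed = sum(len(files) for _, _, files in os.walk(dst))   # files actually written
        return rel(copied), rel(skipped), landed
```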

#13 Regicide

Regicide
  • Topic Starter

  • Members
  • 55 posts
  • OFFLINE
  • Local time:03:34 AM

Posted 29 January 2011 - 09:59 AM

I don't have a Windows XP cd. And yea, ESET found like 3000 files infected already..

Sigh, I wonder how much this is going to cost to reformat.

#14 Regicide

Regicide
  • Topic Starter

  • Members
  • 55 posts
  • OFFLINE
  • Local time:03:34 AM

Posted 29 January 2011 - 10:11 AM

I just read the format instructions. I suppose it's just a matter of getting hold of a Windows installation CD.

#15 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  • Gender:Female
  • Location:Belgium
  • Local time:11:34 AM

Posted 29 January 2011 - 10:11 AM

Didn't you get a recovery cd/whatever either? If not, then please contact the company/whatever where you have purchased this PC and ask them for the cd.