Help! I think I have a virus (or a trojan)!
July 25th, 2020
Here's a screenshot:
It just never stops coming! It's so annoying; I can't do anything because it comes up on top of all my programs. I've tried scanning: it found some and I got rid of them, and then when I scanned again nothing came up. I'm doing a full scan (which is supposed to scan my whole computer), but it only scans around 967 items!
Please download the current version of HijackThis from here: http://download.bleepingcomputer.com/hijackthis/HJTInstall.exe
- Double click and run the installer.
- It will install to C:\Program Files\Trend Micro\HijackThis\hijackthis.exe
- After installing, you should get the user agreement; press Accept and HijackThis will run.
- Select Do a system scan and save a log file. This will open a Notepad file with everything HijackThis found; copy and paste it back here.
Please remember that ALL links must be coded, including, but not limited to, e-mail addresses, passwords, and internal links. Coded for you this time.
crunkster
Here:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:32:18 AM, on 5/31/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\VIA\VIAudioi\HDADeck\HDeck.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Norton Ghost\Agent\VProTray.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
C:\WINDOWS\System32\reader_s.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\WINDOWS\system32\ctfmon.exe
E:\Applications\uTorrent\uTorrent.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAIP.EXE
E:\Applications\Internet Download Manager\IDMan.exe
C:\Documents and Settings\Admin\reader_s.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system\svchost.exe
C:\Program Files\Norton Ghost\Agent\VProSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\WINDOWS\system32\sopidkc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
C:\WINDOWS\system32\dllhost.exe
E:\Applications\Internet Download Manager\IEMonitor.exe
C:\Program Files\Norton Ghost\Shared\Drivers\SymSnapService.exe
C:\WINDOWS\system32\wpabaln.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.ninemsn.com.au/0SEENAU/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://g.ninemsn.com.au/0SEENAU/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.ninemsn.com.au/0SEENAU/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8081
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
O2 - BHO: IDM Helper - {0055c089-8582-441b-a0bf-17b458c2a3a8} - E:\Applications\Internet Download Manager\IDMIECC.dll
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SearchHelper.dll
O2 - BHO: C:\WINDOWS\system32\yhafd78auhd.dll - {C6C7B2A1-00F3-42BD-F434-00AABA2C8953} - C:\WINDOWS\system32\yhafd78auhd.dll (file missing)
O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [HDAudDeck] C:\Program Files\VIA\VIAudioi\HDADeck\HDeck.exe 1
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Norton Ghost 14.0] "C:\Program Files\Norton Ghost\Agent\VProTray.exe"
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [reader_s] C:\WINDOWS\System32\reader_s.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - HKCU\..\Run: [uTorrent] "E:\Applications\uTorrent\uTorrent.exe"
O4 - HKCU\..\Run: [EPSON Stylus Photo R230 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAIP.EXE /FU "C:\WINDOWS\TEMP\E_S83.tmp" /EF "HKCU"
O4 - HKCU\..\Run: [IDMan] E:\Applications\Internet Download Manager\IDMan.exe /onboot
O4 - HKCU\..\Run: [A00F42B90.exe] C:\DOCUME~1\Admin\LOCALS~1\Temp\_A00F42B90.exe
O4 - HKCU\..\Run: [reader_s] C:\Documents and Settings\Admin\reader_s.exe
O4 - HKCU\..\Run: [svc] c:\program Files\ThunMail\testabd.exe
O4 - HKCU\..\Run: [12ZFG94-F641-2SF-K31P-5N1ER6H6L2] C:\RECYCLER\S-1-5-21-0830049644-8873455473-743235540-0321\service.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: Download all links with IDM - E:\Applications\Internet Download Manager\IEGetAll.htm
O8 - Extra context menu item: Download FLV video content with IDM - E:\Applications\Internet Download Manager\IEGetVL.htm
O8 - Extra context menu item: Download Video on This Page - E:\Applications\YouTube Video Downloader\IEPage.html
O8 - Extra context menu item: Download Video This Links To - E:\Applications\YouTube Video Downloader\IELink.html
O8 - Extra context menu item: Download with IDM - E:\Applications\Internet Download Manager\IEExt.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Download Video - {7966A32A-5783-4F0B-824C-09077C023080} - E:\Applications\YouTube Video Downloader\IEPage.html
O9 - Extra 'Tools' menuitem: Download Video on This Page - {7966A32A-5783-4F0B-824C-09077C023080} - E:\Applications\YouTube Video Downloader\IEPage.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
O20 - Winlogon Notify: __c0045856 - C:\WINDOWS\system32\__c0045856.dat (file missing)
O22 - SharedTaskScheduler: gsf87hfunf98398jd - {C6C7B2A1-00F3-42BD-F434-00AABA2C8953} - C:\WINDOWS\system32\yhafd78auhd.dll (file missing)
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Background Intelligent Transfer Service (BITS) - Unknown owner - C:\WINDOWS\
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Darkness - Unknown owner - C:\WINDOWS\system\svchost.exe
O23 - Service: Dhcp server (dhcpsrv) - Unknown owner - C:\WINDOWS\dhcp\svchost.exe (file missing)
O23 - Service: Symantec Eraser Service (erasersvc10910) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\Norton Ghost\Agent\VProSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Symantec Management Client (SmcService) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
O23 - Service: Symantec Network Access Control (SNAC) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\SNAC.EXE
O23 - Service: sopidkc Service (sopidkc) - Unknown owner - C:\WINDOWS\system32\sopidkc.exe
O23 - Service: Symantec Endpoint Protection (Symantec AntiVirus) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
O23 - Service: SymSnapService - Symantec - C:\Program Files\Norton Ghost\Shared\Drivers\SymSnapService.exe
O23 - Service: Automatic Updates (wuauserv) - Unknown owner - C:\WINDOWS\
--
End of file - 10018 bytes
Possibly Virtumonde or a variant. This line, O2 - BHO: C:\WINDOWS\system32\yhafd78auhd.dll,
looks like what it does. It makes a randomly named .dll that's different on each infection, so looking for one specific file name is useless on it, and because of that the name of the .dll doesn't come up in a Google search if you're looking up each and every running process you have going.
Just looked that line up and it is a problem. Go here: http://www.bleepingcomputer.com/combofix/how-to-use-combofix
and get ComboFix. It's a free app and it removes a lot of trojans and other nasty things. I had Virtumonde and nothing else would remove it.
Yup, it would be a Virut infection. Just go to this location and tell me what you see: c:\windows\system32\drivers\host. Open the Host file with Notepad. If you see something like “Chura.pl”, you can't do anything much, my friend. Probably it would have injected itself into all the exe files and hence none will work. is correct. Anyhow, let me know what you see in the Host file.
I checked my system32\drivers and there was no file called host...? I'm puzzled.
The hosts file is under system32\drivers\etc\hosts
Also was right.
I’m afraid I have bad news.
Your system is infected with a polymorphic file infector called Virut. Virut is capable of infecting all the machine's executable files (.exe) and screensaver files (.scr). However, the problem is that the virus has a number of bugs in its code, and as a result it may misinfect a proportion of executable files, leaving those files corrupted beyond repair. As of now, security experts suggest that a format and clean install, or a destructive recovery if you have an OEM recovery partition, is the best way to clean the infection and the best and safest way to return the machine to its normal working state.
Back up all your documents and important items (personal data, work documents, etc.) only. DO NOT back up any executable files (software) or screensavers (*.scr). It attempts to infect any accessed .exe or .scr file by appending itself to the executable.
Also avoid backing up compressed files (zip/cab/rar) that have .exe or .scr files inside them. Virut can penetrate and infect .exe files inside compressed files too.
Recent variants also modify htm, html, asp and php files.
Do not back up to another machine, as it may become compromised. Burn to DVD/CD, or to an external drive which has nothing else on it, and which you can format should it happen to become infected from the backups.
For more information, please see these two links.
http://miekiemoes.blogspot.com/2009/02/virut-and-other-file-infectors-throwing.html
Instructions on how to format and reinstall Windows can be found here:
http://web.mit.edu/ist/products/winxp/advanced/reinstall-format.html
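The backup rules in the post above (copy documents only, exclude .exe and .scr, look inside archives for them, treat htm/html/asp/php as modifiable) can be turned into a manifest before anything is burned to disc. The script below is an added example, not part of the post or of any tool named in the thread; it builds a constructed sample tree in a temporary directory and sorts every file into copy, review or exclude. Only .zip archives are opened (the standard library has no rar/cab reader), so .rar and .cab files are sent to the review list rather than silently copied.

```python
"""Manifest builder for the Virut backup advice: documents are copied,
executables and screensavers are excluded, zip archives are opened and
excluded if they hold one, and web files plus opaque archives are flagged
for review.  Added example; the sample tree is constructed in a temp dir."""
import os
import tempfile
import zipfile

INFECTABLE = {".exe", ".scr"}                 # Virut appends itself to these
WEB_FILES = {".htm", ".html", ".asp", ".php"}  # recent variants modify these
OPAQUE_ARCHIVES = {".rar", ".cab"}             # cannot be inspected with the stdlib


def zip_has_infectable(path):
    """True if any member of the zip has an infectable extension (nested zips are not opened)."""
    try:
        with zipfile.ZipFile(path) as zf:
            return any(os.path.splitext(n)[1].lower() in INFECTABLE for n in zf.namelist())
    except zipfile.BadZipFile:
        return True  # unreadable archive: treat as unsafe rather than copy it blindly


def classify(path):
    """Return 'copy', 'review' or 'exclude' for one file."""
    ext = os.path.splitext(path)[1].lower()
    if ext in INFECTABLE:
        return "exclude"
    if ext in WEB_FILES or ext in OPAQUE_ARCHIVES:
        return "review"
    if ext == ".zip":
        return "exclude" if zip_has_infectable(path) else "copy"
    return "copy"


def build_manifest(root):
    """Walk root and group relative paths by their classification."""
    manifest = {"copy": [], "review": [], "exclude": []}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[classify(full)].append(rel)
    for entries in manifest.values():
        entries.sort()
    return manifest


def build_sample_tree(root):
    """Constructed sample: a document, a photo, a screensaver, an exe,
    a clean zip, a zip holding an exe, an opaque rar and a web page."""
    docs = os.path.join(root, "Documents")
    os.makedirs(docs)
    for name, data in [("thesis.doc", b"word"), ("holiday.jpg", b"jpeg"),
                       ("funny.scr", b"MZ"), ("setup.exe", b"MZ"),
                       ("index.html", b"<html>"), ("old.rar", b"Rar!")]:
        with open(os.path.join(docs, name), "wb") as f:
            f.write(data)
    with zipfile.ZipFile(os.path.join(docs, "photos.zip"), "w") as zf:
        zf.writestr("a.jpg", b"jpeg")
    with zipfile.ZipFile(os.path.join(docs, "tools.zip"), "w") as zf:
        zf.writestr("bin/tool.exe", b"MZ")
    return docs


def demo():
    """Build the sample tree and return its manifest."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return build_manifest(tmp)


if __name__ == "__main__":
    for bucket, paths in demo().items():
        print(bucket.upper())
        for p in paths:
            print("  ", p)
```

Point `build_manifest` at the real profile folder and copy only the `copy` list; everything under `review` gets a manual look first.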
So the host file has been deleted from your system, booper. Let me know another thing, booper: can you open any exe file? Can you execute any exe? I understood that Norton pops up plenty of windows; still, forget it for some time and try executing some exe files. Tell me whether you can do that. If you can, you might be in a slightly safe state.
I'm sorry, I forgot to put the directory etc in that drivers location. Sorry, Booper, and thanks for correcting that. Thanks a lot. Sorry, booper.
C:\WINDOWS\system\svchost.exe
Virus, seeing as it doesn't belong there at all. It should be in the system32 folder, and ONLY that folder.
Edit:
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
Delete this entry as well. It disables your regedit, meaning you can't edit registry entries yourself manually. As you can clearly see here, some of your policies got overwritten too. Make sure you carefully check your registry.
The simplest way is just reinstalling Windows, though, to avoid getting it again.
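The checks the replies above made by eye (a svchost.exe outside system32, a randomly named BHO whose file is missing, autoruns launched from Temp, RECYCLER or the profile root, the DisableRegedit policy, services with no owner, and the proxy pointed at 127.0.0.1) can be written down as rules and run over a HijackThis log. The script below is an added example, not part of the thread or of HijackThis; `SAMPLE_LOG` is a constructed excerpt of the log posted above, and the rule names are my own.

```python
"""Triage a HijackThis log with the rules this thread applied by hand.
Added example; SAMPLE_LOG is a constructed excerpt of the posted log."""
import re

# The only folder a genuine Windows XP svchost.exe lives in.
SVCHOST_DIRS = {r"c:\windows\system32"}

# Launch locations legitimate software almost never uses (matched on the lowercased path).
SUSPECT_RUN_DIRS = [
    re.compile(r"\\locals~1\\temp\\|\\local settings\\temp\\|\\windows\\temp\\"),
    re.compile(r"^[a-z]:\\recycler\\"),
    re.compile(r"^[a-z]:\\documents and settings\\[^\\]+\\[^\\]+$"),  # file dropped in a profile root
]
LOCAL_PROXY = re.compile(r"ProxyServer\s*=\s*(?:127\.0\.0\.1|localhost)\b", re.I)
RUN_TARGET = re.compile(r'\]\s*"?([a-z]:\\[^"]*?\.exe)', re.I)

SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\reader_s.exe
C:\WINDOWS\system\svchost.exe
C:\WINDOWS\system32\sopidkc.exe
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8081
O2 - BHO: IDM Helper - {0055c089-8582-441b-a0bf-17b458c2a3a8} - E:\Applications\Internet Download Manager\IDMIECC.dll
O2 - BHO: C:\WINDOWS\system32\yhafd78auhd.dll - {C6C7B2A1-00F3-42BD-F434-00AABA2C8953} - C:\WINDOWS\system32\yhafd78auhd.dll (file missing)
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [reader_s] C:\WINDOWS\System32\reader_s.exe
O4 - HKCU\..\Run: [A00F42B90.exe] C:\DOCUME~1\Admin\LOCALS~1\Temp\_A00F42B90.exe
O4 - HKCU\..\Run: [reader_s] C:\Documents and Settings\Admin\reader_s.exe
O4 - HKCU\..\Run: [12ZFG94-F641-2SF-K31P-5N1ER6H6L2] C:\RECYCLER\S-1-5-21-0830049644-8873455473-743235540-0321\service.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O20 - Winlogon Notify: __c0045856 - C:\WINDOWS\system32\__c0045856.dat (file missing)
O23 - Service: Background Intelligent Transfer Service (BITS) - Unknown owner - C:\WINDOWS\
O23 - Service: Darkness - Unknown owner - C:\WINDOWS\system\svchost.exe
O23 - Service: Dhcp server (dhcpsrv) - Unknown owner - C:\WINDOWS\dhcp\svchost.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: sopidkc Service (sopidkc) - Unknown owner - C:\WINDOWS\system32\sopidkc.exe
"""


def run_path(entry):
    """Executable launched by an O4 entry, or None when the target is not a plain drive path."""
    m = RUN_TARGET.search(entry)
    return m.group(1) if m else None


def strip_missing(path):
    return re.sub(r"\s*\(file missing\)\s*$", "", path, flags=re.I)


def svchost_misplaced(path):
    folder, _, name = path.lower().rpartition("\\")
    return name == "svchost.exe" and folder not in SVCHOST_DIRS


def triage(log_text):
    """Return (rule, log line) pairs for every line that trips a rule."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if re.match(r"[a-z]:\\", line, re.I):          # "Running processes" section
            if svchost_misplaced(line):
                findings.append(("svchost_outside_system32", line))
            continue
        tag = line.split(" - ", 1)[0]
        if tag == "R1" and LOCAL_PROXY.search(line):
            findings.append(("local_proxy_configured", line))
        elif tag in ("O2", "O20", "O22") and "(file missing)" in line.lower():
            findings.append(("hook_points_to_missing_file", line))
        elif tag == "O4":
            path = run_path(line)
            if path and any(rx.search(path.lower()) for rx in SUSPECT_RUN_DIRS):
                findings.append(("autorun_from_suspect_location", line))
        elif tag == "O7" and re.search(r"DisableRegedit\s*=\s*1", line, re.I):
            findings.append(("regedit_disabled_by_policy", line))
        elif tag == "O23":
            path = strip_missing(line.rsplit(" - ", 1)[-1])
            if svchost_misplaced(path):
                findings.append(("svchost_outside_system32", line))
            elif "unknown owner" in line.lower() and path.lower().endswith(".exe"):
                findings.append(("service_unknown_owner", line))
    return findings


def summarize(findings):
    """Count findings per rule."""
    counts = {}
    for rule, _ in findings:
        counts[rule] = counts.get(rule, 0) + 1
    return counts


if __name__ == "__main__":
    for rule, line in triage(SAMPLE_LOG):
        print(f"{rule:32} {line}")
```

The `Unknown owner` rule deliberately skips the BITS and Automatic Updates lines, whose path is the bare `C:\WINDOWS\` folder rather than a binary; HijackThis shows those that way on XP, so only owner-less entries that name an .exe are reported.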
Here is the lmhosts.sam file:
# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample LMHOSTS file used by the Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to computernames
# (NetBIOS) names. Each entry should be kept on an individual line.
# The IP address should be placed in the first column followed by the
# corresponding computername. The address and the computername
# should be separated by at least one space or tab. The “#” character
# is generally used to denote the start of a comment (see the exceptions
# below).
#
# This file is compatible with Microsoft LAN Manager 2.x TCP/IP lmhosts
# files and offers the following extensions:
#
# #PRE
# #DOM:<domain>
# #INCLUDE <filename>
# #BEGIN_ALTERNATE
# #END_ALTERNATE
# \0xnn (non-printing character support)
#
# Following any entry in the file with the characters “#PRE” will cause
# the entry to be preloaded into the name cache. By default, entries are
# not preloaded, but are parsed only after dynamic name resolution fails.
#
# Following an entry with the “#DOM:<domain>” tag will associate the
# entry with the domain specified by <domain>. This affects how the
# browser and logon services behave in TCP/IP environments. To preload
# the host name associated with #DOM entry, it is necessary to also add a
# #PRE to the line. The <domain> is always preloaded although it will not
# be shown when the name cache is viewed.
#
# Specifying “#INCLUDE <filename>” will force the RFC NetBIOS (NBT)
# software to seek the specified <filename> and parse it as if it were
# local. <filename> is generally a UNC-based name, allowing a
# centralized lmhosts file to be maintained on a server.
# It is ALWAYS necessary to provide a mapping for the IP address of the
# server prior to the #INCLUDE. This mapping must use the #PRE directive.
# In addtion the share “public” in the example below must be in the
# LanManServer list of “NullSessionShares” in order for client machines to
# be able to read the lmhosts file successfully. This key is under
# \machine\system\currentcontrolset\services\lanmanserver\parameters\nullsessionshares
# in the registry. Simply add “public” to the list found there.
#
# The #BEGIN_ and #END_ALTERNATE keywords allow multiple #INCLUDE
# statements to be grouped together. Any single successful include
# will cause the group to succeed.
#
# Finally, non-printing characters can be embedded in mappings by
# first surrounding the NetBIOS name in quotations, then using the
# \0xnn notation to specify a hex value for a non-printing character.
#
# The following example illustrates all of these extensions:
#
# 102.54.94.97 rhino #PRE #DOM:networking #net group’s DC
# 102.54.94.102 “appname \0x14” #special app server
# 102.54.94.123 popular #PRE #source server
# 102.54.94.117 localsrv #PRE #needed for the include
#
# #BEGIN_ALTERNATE
# #INCLUDE \\localsrv\public\lmhosts
# #INCLUDE \\rhino\public\lmhosts
# #END_ALTERNATE
#
# In the above example, the “appname” server contains a special
# character in its name, the “popular” and “localsrv” server names are
# preloaded, and the “rhino” server name is specified so it can be used
# to later #INCLUDE a centrally maintained lmhosts file if the “localsrv”
# system is unavailable.
#
# Note that the whole file is parsed including comments on each lookup,
# so keeping the number of comments to a minimum will improve performance.
# Therefore it is not advisable to simply add lmhosts file entries onto the
# end of this file.
P.S. I can open .exe files.
P.P.S. I am hoping the last thing I will do is use a backup (I have backed up with Norton Ghost) and go back to May 27th, when it worked, which is when I last backed up.
Note: I am now using Symantec Endpoint Protection. Which antivirus will help me more? Please make a note and I will try it.
Still comes up, arghhh.
Why would you risk loading a possibly infected Ghost image again? It could've been in there already without you noticing.
It's up to you, but I highly advise you to just do a clean install and work from there.
It was well after that, and anyway I have way more backups from ages ago.
Booper, I didn't say to open lmhosts. I asked you to open the Host file. Probably your host file might have got deleted, as I said. If you can open exe files, you could have a possibility to safeguard, because Virut won't let us open exe files. And my personal opinion is, I won't recommend Nor*** to anyone. My choice would be Kaspersky. It rocks. Try what said. Try ComboFix, but be careful while running ComboFix. You should run it in Normal mode. While it runs, don't do any mouse clicks. Wait till it finishes. And post the ComboFix log here.
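The mix-up in the posts above is between two files in the same folder: `hosts` (the live name-resolution override) and `lmhosts.sam` (a sample file that is nothing but `#` comments, which is why posting it showed nothing). The parser below is an added example, not part of the thread or of Windows; it drops comments the way the resolver does and reports every mapping that is not the stock loopback entry, distinguishing a name pinned to loopback (blocked) from one sent to a foreign address (redirected). The three sample files are constructed: the placeholder names use the reserved `.invalid` TLD and the address comes from the 203.0.113.0/24 documentation range.

```python
"""Audit a Windows hosts file for entries beyond the stock loopback mapping.
On XP the live file is %SystemRoot%\\system32\\drivers\\etc\\hosts; lmhosts.sam
next to it is comment-only and parses to zero active entries.
Added example; all three sample files below are constructed."""
import ipaddress

CLEAN_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
# Each entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
#
# For example:
#
#      102.54.94.97     rhino.acme.com          # source server
#       38.25.63.10     x.acme.com              # x client host

127.0.0.1       localhost
"""

# Constructed: the clean file with two lines appended.  A name pinned to
# loopback silently blocks a site; a name pointed elsewhere redirects it.
TAMPERED_HOSTS = CLEAN_HOSTS + (
    "127.0.0.1       update.example.invalid\n"
    "203.0.113.5     www.example.invalid   # constructed redirect\n"
)

# Constructed stand-in for lmhosts.sam: comments only, nothing active.
ALL_COMMENTS = (
    "# This is a sample LMHOSTS file used by the Microsoft TCP/IP for Windows.\n"
    "#\n# #PRE\n# #DOM:<domain>\n"
)

# The only mappings a stock XP hosts file carries (IPv6 loopback included for newer systems).
EXPECTED = {("127.0.0.1", "localhost"), ("::1", "localhost")}


def parse_hosts(text):
    """Return (line number, ip or None, [names]) for every active line.
    Full-line and trailing '#' comments are removed exactly as the resolver does."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            ip = str(ipaddress.ip_address(fields[0]))
        except ValueError:
            ip = None                     # malformed address: still worth a look
        entries.append((lineno, ip, fields[1:] if ip else fields))
    return entries


def audit_hosts(text):
    """Return (line number, ip, name, kind) for each mapping that is not the stock loopback entry."""
    unexpected = []
    for lineno, ip, names in parse_hosts(text):
        if ip is None:
            unexpected.append((lineno, None, " ".join(names), "malformed"))
            continue
        for name in names:
            if (ip, name.lower()) in EXPECTED:
                continue
            kind = "blocked" if ipaddress.ip_address(ip).is_loopback else "redirected"
            unexpected.append((lineno, ip, name, kind))
    return unexpected


if __name__ == "__main__":
    print("lmhosts.sam-style file, active entries:", len(parse_hosts(ALL_COMMENTS)))
    for lineno, ip, name, kind in audit_hosts(TAMPERED_HOSTS):
        print(f"line {lineno}: {kind:10} {ip} -> {name}")
```

To run it against a real machine, read `%SystemRoot%\system32\drivers\etc\hosts` into `audit_hosts`; an empty result means only the localhost line is active.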
Run Combofix before reinstalling your OS. I had the same thing and it removed it on my PC. It’s worth a shot before going to drastic measures.
I'm puzzled, but I think ComboFix did the job. This is what I did:
I ran ComboFix and then I installed the Windows Recovery thingy, and when it asked me to restart I did. Then when I rebooted, my antivirus program started to find the Virut and variant things and also backdoors, about 10 of them. After that I had to restart after the deletion; it doesn't come up anymore. I didn't get up to the ComboFix log thingy.
If you feel that your issue is resolved, it's well and good. If you still need to clarify, run HijackThis now and post the HijackThis log here.
ComboFix removed mine the first time around and it was gone and over. It was quite simple and painless, and just the one run did it.
HERE IS THE COMBOFIX LOG (I got it to work)
ComboFix 09-05-30.03 – Admin 06/01/2009 16:58.1 – NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3583.2915 [GMT 10:00]
Running from: e:\installations\ComboFix.exe
AV: Symantec Endpoint Protection *On-access scanning enabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
FW: Symantec Endpoint Protection *enabled* {BE898FE3-CD0B-4014-85A9-03DB9923DDB6}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\Admin\reader_s.exe
c:\program files\Bifrost
c:\program files\Bifrost\logg.dat
c:\program files\Bifrost\unrealhack.exe
c:\program files\ThunMail
c:\program files\ThunMail\testabd.dll
c:\windows\Install.txt
c:\windows\KBPK090530.log
c:\windows\patchw32.dll
c:\windows\pw32a.dll
c:\windows\system\svchost.exe
c:\windows\system32\3361
c:\windows\system32\certstore.dat
c:\windows\system32\comsa32.sys
c:\windows\system32\dncyool64.sys
c:\windows\system32\dpcxool64.sys
c:\windows\system32\drivers\kungsfvdylklrm.sys
c:\windows\system32\FInstall.sys
c:\windows\system32\kungsfeyxwevdo.dll
c:\windows\system32\kungsfpuyavymp.dll
c:\windows\system32\kungsfvnsctowq.dat
c:\windows\system32\kungsfwqbwulht.dat
c:\windows\system32\msncache.dll
c:\windows\system32\ntalme.sys
c:\windows\system32\pueynqu.dll
c:\windows\system32\reader_s.exe
c:\windows\system32\sopidkc.exe
c:\windows\system32\tpsaxyd.exe
c:\windows\system32\tpszxyd.sys
c:\windows\system32\wtukd32.exe
c:\windows\Tasks\At1.job
c:\windows\TEMP\mta38147.dll
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
——-\Legacy_dhcpsrv
——-\Legacy_ias
——-\Legacy_msncache
——-\Legacy_sopidkc
——-\Legacy_sxuvnzhl
——-\Service_dhcpsrv
——-\Service_ias
——-\Service_msncache
——-\Service_sopidkc
——-\Service_sxuvnzhl
((((((((((((((((((((((((( Files Created from 2009-05-01 to 2009-06-01 )))))))))))))))))))))))))))))))
.
2009-05-31 10:15 . 2009-05-31 10:15——–d—–wc:\documents and settings\Admin\Local Settings\Application Data\gbrwizxx
2009-05-31 10:15 . 2009-05-31 10:15——–d—–wc:\documents and settings\Admin\Application Data\gbrwizxx
2009-05-31 10:12 . 2009-05-31 10:12——–d—–wc:\documents and settings\NetworkService\Local Settings\Application Data\gbrwizxx
2009-05-31 10:12 . 2009-05-31 10:12——–d—–wc:\documents and settings\NetworkService\Application Data\gbrwizxx
2009-05-31 09:39 . 2009-05-31 09:5246640—-a-wc:\windows\system32\msln.exe
2009-05-31 09:12 . 2009-05-31 09:12——–d–h–wc:\windows\PIF
2009-05-31 00:32 . 2009-05-31 00:32——–d—–wc:\program files\Trend Micro
2009-05-30 11:56 . 2009-05-30 11:56——–d-s—wc:\windows\system32\config\systemprofile\UserData
2009-05-30 11:34 . 2009-05-30 11:49——–d—–wc:\windows\dhcp
2009-05-30 11:33 . 2009-05-31 09:370—-a-wc:\windows\system32\drivers\def5746a.sys
2009-05-30 11:33 . 2009-05-30 11:33212224-c–a-wc:\windows\system32\dllcache\ndis.sys
2009-05-30 11:22 . 2009-05-30 11:228704—-a-wc:\windows\system32\SpOrder.dll
2009-05-30 11:00 . 2009-05-30 11:05——–d—–wc:\documents and settings\Admin\Application Data\Hide IP NG
2009-05-29 06:37 . 2007-04-12 04:19129024—-a-wc:\windows\system32\AVERM.dll
2009-05-29 06:37 . 2006-09-26 03:5728672—-a-wc:\windows\system32\AVEQT.dll
2009-05-29 06:14 . 2009-01-21 16:40163840—-a-wc:\windows\system32\SecureNet.dll
2009-05-29 06:06 . 2009-05-29 06:06——–d—–wc:\program files\Dream Computer Piano
2009-05-28 22:01 . 2009-05-28 22:01——–d—–wc:\documents and settings\Admin\Application Data\GRETECH
2009-05-26 06:40 . 2009-05-26 06:40——–d—–wc:\documents and settings\Admin\Application Data\Atari
2009-05-26 06:34 . 2009-05-26 06:3443520—-a-wc:\windows\system32\CmdLineExt03.dll
2009-05-26 06:21 . 2009-05-26 06:21——–d—–wc:\documents and settings\Admin\Application Data\Leadertech
2009-05-25 21:54 . 2009-05-25 21:54——–d—–wc:\documents and settings\Admin\Application Data\Media Player Classic
2009-05-25 07:08 . 2009-05-25 07:08611064—-a-wc:\windows\system32\drivers\sptd.sys
2009-05-23 21:40 . 2009-05-23 21:40198064—-a-wc:\documents and settings\Admin\Application Data\IDM\idmmzcc3\components\idmmzcc.dll
2009-05-23 21:39 . 2005-05-10 08:54258352—-a-wc:\windows\system32\unicows.dll
2009-05-23 21:39 . 2009-05-24 11:48——–d—–wc:\documents and settings\Admin\Application Data\IDM
2009-05-23 10:23 . 2009-05-23 21:38——–d—–wc:\documents and settings\Admin\Application Data\GetRightToGo
2009-05-19 10:35 . 2009-03-26 15:35210352—-a-wc:\windows\system32\idmmbc.dll
2009-05-19 09:31 . 2009-05-22 05:520—-a-wc:\windows\system32\drivers\EagleNt.sys
2009-05-16 23:27 . 2009-05-16 23:28——–d—–wc:\windows\system32\NtmsData
2009-05-16 11:29 . 2009-05-24 10:11——–d—–wc:\program files\Windows Live Safety Center
2009-05-15 07:41 . 2006-12-14 18:01113664—-a-wc:\documents and settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S40RP7.EXE
2009-05-15 07:41 . 2004-09-10 10:1249152—-a-wc:\windows\system32\E_DCINST.DLL
2009-05-15 07:41 . 2006-04-18 16:0062976—-a-wc:\windows\system32\E_FD4BAIP.DLL
2009-05-15 07:41 . 2006-12-07 16:0476800—-a-wc:\windows\system32\E_FLBAIP.DLL
2009-05-13 06:48 . 2009-05-13 06:48——–d—–wc:\windows\system32\scripting
2009-05-13 06:48 . 2009-05-13 06:48——–d—–wc:\windows\l2schemas
2009-05-13 06:48 . 2009-05-13 06:48——–d—–wc:\windows\system32\en
2009-05-13 06:48 . 2009-05-13 06:48——–d—–wc:\windows\system32\bits
2009-05-13 06:45 . 2009-05-13 06:49——–d—–wc:\windows\ServicePackFiles
2009-05-11 07:52 . 2006-12-14 00:00110592—-a-wc:\documents and settings\Admin\Application Data\U3\temp\cleanup.exe
2009-05-11 07:24 . 2007-02-12 07:463096576—ha-wc:\documents and settings\Admin\Application Data\U3\temp\Launchpad Removal.exe
2009-05-11 07:24 . 2009-05-28 07:16——–d—–wc:\documents and settings\Admin\Application Data\U3
2009-05-10 23:20 . 2009-05-10 23:20——–d—–wc:\documents and settings\Admin\Local Settings\Application Data\ApplicationHistory
2009-05-10 06:43 . 2009-05-10 06:43——–d—–wc:\program files\netframe
2009-05-06 04:49 . 2009-05-06 04:52——–d—–wc:\documents and settings\All Users\Application Data\NexonUS
2009-05-06 04:49 . 2009-05-06 04:4998304—-a-wc:\documents and settings\All Users\Application Data\NexonUS\NGM\nxgameus.dll
2009-05-06 04:49 . 2009-05-06 04:4981920—-a-wc:\documents and settings\All Users\Application Data\NexonUS\NGM\npNxGameUS.dll
2009-05-06 04:49 . 2009-05-06 04:49520192—-a-wc:\documents and settings\All Users\Application Data\NexonUS\NGM\NGMDll.dll
2009-05-06 04:49 . 2009-05-06 04:49335872—-a-wc:\documents and settings\All Users\Application Data\NexonUS\NGM\NGMResource.dll
2009-05-06 04:49 . 2009-05-06 04:49258352—-a-wc:\documents and settings\All Users\Application Data\NexonUS\NGM\unicows.dll
2009-05-06 04:49 . 2009-05-06 04:49167936—-a-wc:\documents and settings\All Users\Application Data\NexonUS\NGM\NGM.exe
2009-05-06 04:05 . 2009-05-06 11:49——–d—–wc:\documents and settings\Admin\Local Settings\Application Data\PMB Files
2009-05-06 04:05 . 2009-05-06 04:14——–d—–wc:\documents and settings\All Users\Application Data\PMB Files
2009-05-06 04:04 . 2009-05-06 04:04——–d—–wc:\program files\Pando Networks
2009-05-06 04:01 . 2009-05-06 04:01——–d—–wc:\documents and settings\All Users\Application Data\Office Genuine Advantage
2009-05-04 07:21 . 2009-05-04 07:21——–d—–wC:\EPSON SPR230
2009-05-04 07:15 . 2008-04-13 18:4725856—-a-wc:\windows\system32\drivers\usbprint.sys
2009-05-04 07:14 . 2009-05-04 07:14——–d—–wc:\program files\EPSON
2009-05-04 07:14 . 2009-05-15 07:41——–d—–wc:\documents and settings\All Users\Application Data\EPSON
2009-05-03 12:11 . 2009-05-03 12:11——–d—–wc:\documents and settings\Admin\Local Settings\Application Data\Ahead
2009-05-03 12:01 . 2009-05-03 12:01——–d—–wc:\documents and settings\Admin\Application Data\Ahead
2009-05-03 11:59 . 2005-07-29 15:122977792——wc:\windows\UNNMP.exe
2009-05-03 11:57 . 2001-07-09 00:50155648—-a-wc:\windows\system32\NeroCheck.exe
2009-05-03 11:57 . 2009-05-03 11:57——–d—–wc:\program files\Common Files\Nero
2009-05-03 11:56 . 2001-03-08 08:3024064——wc:\windows\system32\msxml3a.dll
2009-05-03 11:56 . 2009-05-03 11:56——–d—–wc:\documents and settings\All Users\Application Data\Ahead
2009-05-03 11:56 . 2009-05-04 06:02——–d—–wc:\program files\Common Files\Ahead
2009-05-03 10:37 . 2009-05-03 10:37——–d—–wc:\documents and settings\All Users\Application Data\nView_Profiles
2009-05-02 12:03 . 2009-05-02 12:03——–d-s—wc:\documents and settings\Admin\UserData
2009-05-02 09:49 . 2009-05-23 10:34——–d—–wc:\documents and settings\Admin\Local Settings\Application Data\RobloxVersions
2009-05-02 08:32 . 2009-05-02 08:33——–d—–wc:\documents and settings\Admin\Local Settings\Application Data\Roblox
2009-05-02 08:31 . 2009-05-23 10:34——–d—–wc:\documents and settings\Admin\Local Settings\Application Data\RobloxDownloads
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-01 07:02 . 2009-04-28 11:08——–d—–wc:\documents and settings\Admin\Application Data\DMCache
2009-06-01 07:00 . 2009-04-28 11:02——–d—–wc:\documents and settings\Admin\Application Data\uTorrent
2009-05-28 21:59 . 2009-04-27 13:56——–d—–wc:\program files\GRETECH
2009-05-26 06:19 . 2009-04-27 13:11——–d–h–wc:\program files\InstallShield Installation Information
2009-05-18 10:01 . 2009-05-01 07:55396232—-a-wc:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2009-05-13 08:34 . 2009-04-27 13:33——–d—–wc:\documents and settings\All Users\Application Data\Microsoft Help
2009-05-13 06:57 . 2009-04-27 13:4576192—-a-wc:\documents and settings\Admin\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-05-13 06:50 . 2009-04-27 13:0186327—-a-wc:\windows\pchealth\helpctr\OfflineCache\index.dat
2009-05-01 07:54 . 2009-04-27 13:35——–d—–wc:\program files\MSBuild
2009-05-01 07:54 . 2009-05-01 07:54  --------  d-----w-  c:\program files\Reference Assemblies
2009-05-01 07:52 . 2009-05-01 07:52  --------  d-----w-  c:\program files\MSXML 6.0
2009-05-01 06:39 . 2009-05-01 06:39  1286767  ----a-w-  c:\documents and settings\Admin\Application Data\uTorrent\PowerISO.v4.4\PowerISO44.exe
2009-05-01 06:39 . 2009-05-01 06:39  9216  ----a-w-  c:\documents and settings\Admin\Application Data\uTorrent\PowerISO.v4.4\KEYGEN\Keygen.exe
2009-04-30 07:26 . 2009-04-30 07:26  2720449  ----a-w-  c:\documents and settings\Admin\Application Data\uTorrent\Magic ISO 5.4 with Serial number\Magic ISO Maker 5.4 Build 239.exe
2009-04-30 07:18 . 2009-04-30 07:18  107888  ----a-w-  c:\windows\system32\CmdLineExt.dll
2009-04-30 06:48 . 2009-04-28 10:10  --------  d-----w-  c:\documents and settings\All Users\Application Data\Messenger Plus!
2009-04-29 11:57 . 2009-04-29 11:57  --------  d-----w-  c:\program files\MSXML 4.0
2009-04-29 11:37 . 2009-04-27 13:23  --------  d-----w-  c:\program files\Common Files\Adobe
2009-04-28 10:57 . 2009-04-28 09:15  --------  d-----w-  c:\documents and settings\Admin\Application Data\SAMSUNG
2009-04-28 10:47 . 2009-04-28 09:09  5632  ----a-w-  c:\windows\system32\drivers\StarOpen.sys
2009-04-28 10:44 . 2009-04-28 10:44  --------  d-----w-  c:\program files\Samsung
2009-04-28 10:08 . 2009-04-28 10:08  --------  d-----w-  c:\program files\Common Files\Logitech
2009-04-28 10:08 . 2009-04-28 10:06  --------  d-----w-  c:\program files\Logitech
2009-04-28 09:49 . 2009-04-28 09:47  --------  d-----w-  c:\program files\Windows Live
2009-04-28 09:49 . 2009-04-28 09:49  --------  d-----w-  c:\program files\Microsoft Sync Framework
2009-04-28 09:48 . 2009-04-28 09:48  --------  d-----w-  c:\program files\Microsoft
2009-04-28 09:48 . 2009-04-28 09:48  --------  d-----w-  c:\program files\Windows Live SkyDrive
2009-04-28 09:44 . 2009-04-28 09:44  --------  d-----w-  c:\program files\Common Files\Windows Live
2009-04-28 09:15 . 2009-04-28 09:15  --------  d-----w-  c:\program files\DtsFilter
2009-04-28 09:15 . 2009-04-28 09:15  --------  d-----w-  c:\program files\GNU
2009-04-27 13:45 . 2009-04-27 13:45  --------  d-----w-  c:\documents and settings\Admin\Application Data\Symantec
2009-04-27 13:45 . 2009-04-27 13:21  --------  d-----w-  c:\documents and settings\All Users\Application Data\Symantec
2009-04-27 13:43 . 2009-04-27 13:21  --------  d-----w-  c:\program files\Common Files\Symantec Shared
2009-04-27 13:43 . 2009-04-27 13:43  --------  d-----w-  c:\program files\Norton Ghost
2009-04-27 13:41 . 2009-04-27 13:41  --------  d-----w-  c:\program files\MSECache
2009-04-27 13:35 . 2009-04-27 13:35  --------  d-----w-  c:\program files\Microsoft Works
2009-04-27 13:29 . 2009-04-27 13:29  --------  d-----w-  c:\documents and settings\Admin\Application Data\Apple Computer
2009-04-27 13:29 . 2009-04-27 13:29  --------  d-----w-  c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2009-04-27 13:29 . 2009-04-27 13:29  --------  d-----w-  c:\program files\iTunes
2009-04-27 13:29 . 2009-04-27 13:29  --------  d-----w-  c:\program files\iPod
2009-04-27 13:29 . 2009-04-27 13:29  --------  d-----w-  c:\documents and settings\All Users\Application Data\Apple Computer
2009-04-27 13:29 . 2009-04-27 13:28  --------  d-----w-  c:\program files\Common Files\Apple
2009-04-27 13:29 . 2009-04-27 13:29  --------  d-----w-  c:\program files\Bonjour
2009-04-27 13:29 . 2009-04-27 13:29  --------  d-----w-  c:\program files\QuickTime
2009-04-27 13:28 . 2009-04-27 13:28  --------  d-----w-  c:\program files\Apple Software Update
2009-04-27 13:28 . 2009-04-27 13:28  --------  d-----w-  c:\documents and settings\All Users\Application Data\Apple
2009-04-27 13:27 . 2009-04-27 13:27  0  ----a-w-  c:\windows\nsreg.dat
2009-04-27 13:27 . 2009-04-27 13:27  --------  d-----w-  c:\documents and settings\All Users\Application Data\Windows Live Toolbar
2009-04-27 13:25 . 2009-04-27 13:25  --------  d-----w-  c:\program files\Common Files\Adobe AIR
2009-04-27 13:21 . 2009-04-27 13:21  --------  d-----w-  c:\program files\Symantec
2009-04-27 13:21 . 2009-04-27 13:21  805  ----a-w-  c:\windows\system32\drivers\SYMEVENT.INF
2009-04-27 13:21 . 2009-04-27 13:21  60800  ----a-w-  c:\windows\system32\S32EVNT1.DLL
2009-04-27 13:21 . 2009-04-27 13:21  123952  ----a-w-  c:\windows\system32\drivers\SYMEVENT.SYS
2009-04-27 13:21 . 2009-04-27 13:21  10563  ----a-w-  c:\windows\system32\drivers\SYMEVENT.CAT
2009-04-27 13:15 . 2009-04-27 13:11  --------  d-----w-  c:\program files\Common Files\InstallShield
2009-04-27 13:11 . 2009-04-27 13:11  --------  d-----w-  c:\program files\VIA
2009-04-27 13:09 . 2009-04-27 13:09  --------  d-----w-  c:\program files\Intel
2009-04-27 13:02 . 2009-04-27 13:02  --------  d-----w-  c:\program files\microsoft frontpage
2009-04-27 13:00 . 2009-04-27 13:00  21640  ----a-w-  c:\windows\system32\emptyregdb.dat
2009-03-13 08:01 . 2008-06-19 13:12  149768  ----a-w-  c:\windows\system32\drivers\WpsHelper.sys
2009-03-06 14:22 . 2006-02-28 12:00  284160  ----a-w-  c:\windows\system32\pdh.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-02-06 3885408]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"LogitechSoftwareUpdate"="c:\program files\Logitech\Video\ManifestEngine.exe" [2005-06-08 196608]
"uTorrent"="e:\applications\uTorrent\uTorrent.exe" [2009-04-28 272176]
"IDMan"="e:\applications\Internet Download Manager\IDMan.exe" [2009-05-19 2811312]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2006-02-28 208952]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2006-02-28 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2006-02-28 455168]
"HDAudDeck"="c:\program files\VIA\VIAudioi\HDADeck\HDeck.exe" [2008-08-15 30003200]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-05-16 13529088]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-05-16 86016]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-08-14 115560]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-05 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-01-06 290088]
"Norton Ghost 14.0"="c:\program files\Norton Ghost\Agent\VProTray.exe" [2008-12-11 2245992]
"LVCOMSX"="c:\windows\system32\LVCOMSX.EXE" [2005-07-19 221184]
"LogitechVideoRepair"="c:\program files\Logitech\Video\ISStart.exe" [2005-06-08 458752]
"LogitechVideoTray"="c:\program files\Logitech\Video\LogiTray.exe" [2005-06-08 217088]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2008-05-16 1630208]
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"DisallowRun"= 0 (0x0)
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
@="Service"
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Symantec\\Symantec Endpoint Protection\\Smc.exe"=
"c:\\Program Files\\Symantec\\Symantec Endpoint Protection\\SNAC.EXE"=
"c:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"e:\\Applications\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=
"e:\\Games\\combat arms\\Combat Arms\\NMService.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"\\"= c:\\WINDOWS\\system\\svchost.exe
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"58250:TCP"= 58250:TCP:Pando Media Booster
"58250:UDP"= 58250:UDP:Pando Media Booster
R2 Symantec SymSnap VSS Provider;Symantec SymSnap VSS Provider;c:\windows\system32\dllhost.exe [2/28/2006 10:00 PM 5120]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [5/31/2009 7:08 PM 101936]
R3 SymSnapService;SymSnapService;c:\program files\Norton Ghost\Shared\Drivers\SymSnapService.exe [12/20/2007 5:13 PM 1558000]
R3 VIAHdAudAddService;VIA High Definition Audio Driver Service;c:\windows\system32\drivers\viahduaa.sys [4/27/2009 11:11 PM 845184]
S1 def5746a;def5746a;c:\windows\system32\drivers\def5746a.sys [5/30/2009 9:33 PM 0]
S2 Darkness;Darkness;c:\windows\system\svchost.exe –> c:\windows\system\svchost.exe [?]
S2 erasersvc10910;Symantec Eraser Service;c:\program files\Common Files\Symantec Shared\ccSvcHst.exe [8/14/2008 2:45 PM 108392]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [11/18/2008 6:17 PM 23888]
S3 L1e;Miniport Driver for Atheros AR8121/AR8113/AR8114 PCI-E Ethernet Controller;c:\windows\system32\drivers\l1e51x86.sys [4/27/2009 11:13 PM 36864]
.
Contents of the 'Scheduled Tasks' folder
2009-05-28 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 02:34]
2009-05-31 c:\windows\Tasks\OGADaily.job
- c:\windows\system32\OGAVerify.exe [2008-12-31 07:04]
2009-06-01 c:\windows\Tasks\OGALogon.job
- c:\windows\system32\OGAVerify.exe [2008-12-31 07:04]
.
- - - - ORPHANS REMOVED - - - -
BHO-{0043ac60-dbe2-4530-a8cb-80c81d5da951} - c:\windows\system32\mhrkjbmw.dll
BHO-{04b130a3-6e2c-4f23-be86-4128338eaf95} - c:\windows\system32\pueynqu.dll
Notify-__c0045856 - c:\windows\system32\__c0045856.dat
SafeBoot-procexp90.sys
SafeBoot-Symantec Antvirus
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uInternet Settings,ProxyOverride = local
uInternet Settings,ProxyServer = 127.0.0.1:8081
uSearchURL,(Default) = hxxp://g.ninemsn.com.au/0SEENAU/SAOS01?FORM=TOOLBR
IE: Download all links with IDM - e:\applications\Internet Download Manager\IEGetAll.htm
IE: Download FLV video content with IDM - e:\applications\Internet Download Manager\IEGetVL.htm
IE: Download Video on This Page - e:\applications\YouTube Video Downloader\IEPage.html
IE: Download Video This Links To - e:\applications\YouTube Video Downloader\IELink.html
IE: Download with IDM - e:\applications\Internet Download Manager\IEExt.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: {{7966A32A-5783-4F0B-824C-09077C023080} - e:\applications\YouTube Video Downloader\IEPage.html
FF - ProfilePath - c:\documents and settings\Admin\Application Data\Mozilla\Firefox\Profiles\qxmt1fth.default\
FF - component: c:\documents and settings\Admin\Application Data\IDM\idmmzcc3\components\idmmzcc.dll
FF - plugin: c:\documents and settings\All Users\Application Data\NexonUS\NGM\npNxGameUS.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npPandoWebInst.dll
---- FIREFOX POLICIES ----
FF - user.js: network.proxy.type - 0
FF - user.js: network.proxy.http -
FF - user.js: network.proxy.http_port - 0
FF - user.js: network.proxy.ssl -
FF - user.js: network.proxy.ssl_port - 0
FF - user.js: network.proxy.ftp -
FF - user.js: network.proxy.ftp_port - 0
FF - user.js: network.proxy.gopher -
FF - user.js: network.proxy.gopher_port - 0
FF - user.js: network.proxy.socks_version - 5
FF - user.js: network.proxy.socks -
FF - user.js: network.proxy.socks_port - 0
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-01 17:02
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
   HDAudDeck = c:\program files\VIA\VIAudioi\HDADeck\HDeck.exe 1????????????????????????????????????????????????
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
------------------------ DLLs Loaded Under Running Processes ------------------------
- - - - - - - > 'explorer.exe'(2576)
c:\program files\iTunes\iTunesMiniPlayer.dll
c:\program files\iTunes\iTunesMiniPlayer.Resources\en.lproj\iTunesMiniPlayerLocalized.dll
c:\program files\iTunes\iTunesMiniPlayer.Resources\iTunesMiniPlayer.dll
e:\applications\Internet Download Manager\idmmkb.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Symantec\Symantec Endpoint Protection\Smc.exe
c:\program files\Norton Ghost\Agent\VProSvc.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\program files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
c:\windows\system32\msdtc.exe
c:\program files\Symantec\Symantec Endpoint Protection\SmcGui.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\rundll32.exe
c:\program files\Logitech\Video\FxSvr2.exe
e:\applications\Internet Download Manager\IEMonitor.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2009-06-01 17:04 - machine was rebooted
ComboFix-quarantined-files.txt 2009-06-01 07:03
Pre-Run: 249,856,421,888 bytes free
Post-Run: 250,504,253,440 bytes free
348  --- E O F --- 2009-05-14 10:30
HERE IS HIJACKTHIS LOG
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:35:27 PM, on 6/2/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Norton Ghost\Agent\VProSvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\VIA\VIAudioi\HDADeck\HDeck.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Norton Ghost\Shared\Drivers\SymSnapService.exe
C:\Program Files\Norton Ghost\Agent\VProTray.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\Program Files\iPod\bin\iPodService.exe
E:\Applications\uTorrent\uTorrent.exe
E:\Applications\Internet Download Manager\IDMan.exe
E:\Applications\Internet Download Manager\IEMonitor.exe
C:\WINDOWS\system32\wpabaln.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.ninemsn.com.au/0SEENAU/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8081
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
O2 - BHO: IDM Helper - {0055c089-8582-441b-a0bf-17b458c2a3a8} - E:\Applications\Internet Download Manager\IDMIECC.dll
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SearchHelper.dll
O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [HDAudDeck] C:\Program Files\VIA\VIAudioi\HDADeck\HDeck.exe 1
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Norton Ghost 14.0] "C:\Program Files\Norton Ghost\Agent\VProTray.exe"
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - HKCU\..\Run: [uTorrent] "E:\Applications\uTorrent\uTorrent.exe"
O4 - HKCU\..\Run: [IDMan] E:\Applications\Internet Download Manager\IDMan.exe /onboot
O8 - Extra context menu item: Download all links with IDM - E:\Applications\Internet Download Manager\IEGetAll.htm
O8 - Extra context menu item: Download FLV video content with IDM - E:\Applications\Internet Download Manager\IEGetVL.htm
O8 - Extra context menu item: Download Video on This Page - E:\Applications\YouTube Video Downloader\IEPage.html
O8 - Extra context menu item: Download Video This Links To - E:\Applications\YouTube Video Downloader\IELink.html
O8 - Extra context menu item: Download with IDM - E:\Applications\Internet Download Manager\IEExt.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Download Video - {7966A32A-5783-4F0B-824C-09077C023080} - E:\Applications\YouTube Video Downloader\IEPage.html
O9 - Extra 'Tools' menuitem: Download Video on This Page - {7966A32A-5783-4F0B-824C-09077C023080} - E:\Applications\YouTube Video Downloader\IEPage.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Darkness - Unknown owner - C:\WINDOWS\system\svchost.exe (file missing)
O23 - Service: Symantec Eraser Service (erasersvc10910) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\Norton Ghost\Agent\VProSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Symantec Management Client (SmcService) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
O23 - Service: Symantec Network Access Control (SNAC) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\SNAC.EXE
O23 - Service: Symantec Endpoint Protection (Symantec AntiVirus) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
O23 - Service: SymSnapService - Symantec - C:\Program Files\Norton Ghost\Shared\Drivers\SymSnapService.exe
--
End of file - 8299 bytes
Please remember that ALL links must be coded, including, but not limited to, e-mail addresses, passwords, and internal links. Links coded.
~ hecos ~
HOPEFULLY IT'S GONE
O23 - Service: Darkness - Unknown owner - C:\WINDOWS\system\svchost.exe (file missing)
You’re lucky the file is gone.
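The checks the helpers above apply by eye to these logs (a service registered as svchost.exe outside system32, a service whose owner is unknown and whose file is gone, an IE proxy pointing at 127.0.0.1), written out as a script. This is an added example, not code from any poster and not part of HijackThis or ComboFix. The sample lines are constructed from the HijackThis log posted above, with the forum's dashes turned back into ASCII; the only legitimate location for svchost.exe is assumed to be c:\windows\system32, which holds on a default 32-bit XP install. The `sc delete` and `reg delete` commands it prints are the standard XP command-line tools, listed for the operator to review before running, not executed.

```python
"""Triage of HijackThis-format log lines for the indicators discussed in this
thread. Added example; not part of any post, and not shipped by HijackThis or
ComboFix. Assumption: 32-bit XP, so the real svchost.exe lives only in
c:\\windows\\system32."""
import re

# Constructed sample, copied from the HijackThis log posted above (ASCII dashes).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8081
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
O2 - BHO: IDM Helper - {0055c089-8582-441b-a0bf-17b458c2a3a8} - E:\Applications\Internet Download Manager\IDMIECC.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O23 - Service: Darkness - Unknown owner - C:\WINDOWS\system\svchost.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
"""

# Core Windows binaries that malware impersonates by dropping a same-named file
# somewhere else (here c:\windows\system\svchost.exe, one directory up from the real one).
SYSTEM_BINARIES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe", "services.exe"}
SYSTEM_DIR = r"c:\windows\system32"  # assumption: default %SystemRoot% on 32-bit XP

SERVICE_RE = re.compile(
    r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+?)(?P<missing> \(file missing\))?$")
PROXY_RE = re.compile(r"^R1 - .*Internet Settings,ProxyServer = (?P<proxy>\S+)$")


def normalize(line):
    """Undo the typographic substitutions a forum applies when a log is pasted."""
    return (line.replace("\u2013", "-").replace("\u2014", "--")
                .replace("\u201c", '"').replace("\u201d", '"')
                .replace("\u2018", "'").replace("\u2019", "'").strip())


def check_service(line):
    """Return (severity, reason, fix) findings for an O23 service line."""
    m = SERVICE_RE.match(line)
    if not m:
        return []
    name = m["name"]
    findings = []
    directory, _, binary = m["path"].strip().lower().rpartition("\\")
    if binary in SYSTEM_BINARIES and directory != SYSTEM_DIR:
        findings.append(("high",
                         f"service '{name}' loads {binary} from {directory}, not {SYSTEM_DIR}",
                         f'sc delete "{name}"'))
    if m["owner"] == "Unknown owner" and m["missing"]:
        findings.append(("high",
                         f"service '{name}' has no vendor string and its binary is gone: "
                         "a dead malware registration that should still be removed",
                         f'sc delete "{name}"'))
    return findings


def check_proxy(line):
    """Flag an IE proxy that points back at the machine itself."""
    m = PROXY_RE.match(line)
    if not m:
        return []
    host = m["proxy"].rsplit(":", 1)[0]
    if host in ("127.0.0.1", "localhost"):
        return [("review",
                 f"IE proxy is {m['proxy']}: something local sits between the browser and "
                 "the network (a filtering tool, or the remains of malware that proxied traffic)",
                 r'reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyServer /f')]
    return []


def triage(log_text):
    """Run every check over every line; returns [(line, (severity, reason, fix)), ...]."""
    results = []
    for raw in log_text.splitlines():
        line = normalize(raw)
        for finding in check_service(line) + check_proxy(line):
            results.append((line, finding))
    return results


if __name__ == "__main__":
    for line, (severity, reason, fix) in triage(SAMPLE_LOG):
        print(f"[{severity}] {reason}\n    line: {line}\n    fix:  {fix}")
```

The local proxy is only rated "review" because some legitimate filtering tools listen on 127.0.0.1; the two service findings are rated "high" because neither a svchost.exe outside system32 nor a vendor-less service with a missing file has a benign explanation. The same fake svchost.exe also appears in the ComboFix output above, both as the `Darkness` S2 service and as an unnamed entry in the firewall's authorized-applications list, which is why a triage script should read more than one section of a log before calling a machine clean.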
By the way, my internet doesn't work. I'm using my other computer, but when I go into Network Connections in Control Panel there are no network connections, and when I try in my Norton antivirus to recover and use a backup, when I have to choose a drive to back up it doesn't show any drives. Since this isn't the computer with the problem I can't show you any screenshots.
You have Virut; it's unfixable. Running ComboFix will only help a little until the virus spreads again to every file on the machine.
You have Virut; it's unfixable. Running ComboFix will only help a little until the virus spreads again to every file on the machine.
It is removable.
http://www.technipages.com/network-connections-missing-from-control-panel.html
and http://support.microsoft.com/kb/825826
and
http://www.updatexp.com/scannow-sfc.html
These are the virut variant file names.
- - - - ORPHANS REMOVED - - - -
BHO-{0043ac60-dbe2-4530-a8cb-80c81d5da951} - c:\windows\system32\mhrkjbmw.dll
BHO-{04b130a3-6e2c-4f23-be86-4128338eaf95} - c:\windows\system32\pueynqu.dll
If they're orphans, the root cause and files are removed and it's gone.
I'm pretty sure I got it from a popup that said click to scan your PC. If you click cancel it infects anyway. When you get one of those you have to stop the browser process in Task Manager. Anything else clicked in the browser and it installs the virus. I was using Firefox too. I had Virut twice and removed it both times with ComboFix. I was paying more attention and remember that popup deal. The second time I got it before it infected too many files.
I have reinstalled Windows and it is all fine now. Thanks to everyone that helped. Really appreciate it.
@ , and
If you would like anything from me, e.g. a reward, etc., please PM me and I will be happy to help you with anything you want.
A reward is not needed; I do this to help people, not for the rewards. Very nice gesture though.
A reward is not needed; I do this to help people, not for the rewards. Very nice gesture though.
I concur.
Thanks boper. It's good to hear that you've reformatted your PC. To be frank and honest, Virut infection doesn't have any fix. None of the tools or software created till now has the capability to resolve Virut. Though I have suggested ComboFix, that too can't cure the infection completely. It will create an impression that it cleaned the infection, but even ComboFix can't cure Virut. That's what was said from the beginning, and I knew very well that he is right. As I don't like to give negative replies, I didn't stress that. Anyhow, over is over. You fixed it. Good. Keep in touch, pal. Take care. Be happy.
Are you sure? I have a RapidShare account you could download and upload with.
Thanks, buddy. I too have a premium account now; my friend gave it to me. Anyhow, we are the heaviest users of RS, so don't give it to us, boper. If you share it with us, then there won't be anything left for you... lol. Just kidding, bro.