Unknown VIRUS possibility


Post by xxzozo on Sat Aug 01, 2009 4:43 am

I've been having issues with my PC. XP runs really slow, freezes, and cannot run many programs such as System Restore, Defrag, Malwarebytes' Anti-Malware, among many others. At first I thought it was a software issue, being Microsoft Service Pack 3, so I removed it and still no change. Any thoughts??



Post by Origin on Sat Aug 01, 2009 4:54 am

Hello xxzozo,

Welcome to Geek Police, my name is Origin and I will be helping you today. Please keep the following in mind:

  • If you do not get a reply from me or another helper within 2 days, please reply to your topic with the phrase BUMP.
  • If you have any cracked/pirated software on your computer, delete it or we will not help you.
  • Only follow advice from Geek Police Staff and not from a regular member.
  • Do NOT run any tool without Geek Police supervision, as it could render your system useless.
Please download the current version of HijackThis from [You must be registered and logged in to see this link.]

  • Double click and run the installer.
  • It will install to C:\Program Files\Trend Micro\HijackThis\hijackthis.exe
  • After installing, you should get the user agreement, press accept and Hijack This will run.
  • Select Do a system scan and save a log file. This will open a Notepad file of everything HijackThis found; copy and paste it back here.


While my help is always free, please consider donating to keep this site alive: [You must be registered and logged in to see this link.]




Post by xxzozo on Sat Aug 01, 2009 5:00 am

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:58:25 AM, on 8/1/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\Free Download Manager\fdm.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Avira\AntiVir Desktop\avnotify.exe
C:\Documents and Settings\Big Bad Jean\Desktop\winlogon.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O8 - Extra context menu item: Download all with Free Download Manager - [You must be registered and logged in to see this link.] Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - [You must be registered and logged in to see this link.] Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download video with Free Download Manager - [You must be registered and logged in to see this link.] Files\Free Download Manager\dlfvideo.htm
O8 - Extra context menu item: Download with Free Download Manager - [You must be registered and logged in to see this link.] Files\Free Download Manager\dllink.htm
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CS4\Services\Tcpip\Parameters: NameServer = 85.255.112.92,85.255.112.104
O17 - HKLM\System\CS5\Services\Tcpip\Parameters: NameServer = 85.255.112.92,85.255.112.104
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.112.92,85.255.112.104
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

--
End of file - 3963 bytes

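A small triage script, added here as an example and not part of the thread or of HijackThis itself, that walks a log like the one posted above and flags the two things a helper reads for first: a core Windows process name running from outside system32 (the Desktop winlogon.exe here) and O17 entries that force DNS servers through the registry. The sample log is a constructed subset of the posted one; the core-process name set and the expected directory are assumptions.

```python
import re
from pathlib import PureWindowsPath

# Core Windows process names that legitimately run only from %SystemRoot%\system32.
# The same name running from anywhere else (here: a user's Desktop) is a classic
# masquerade. Both the name set and the expected directory are assumptions.
CORE_PROCESS_NAMES = {"smss.exe", "csrss.exe", "winlogon.exe",
                      "services.exe", "lsass.exe", "svchost.exe"}
EXPECTED_PARENT = "c:\\windows\\system32"

PROCESS_RE = re.compile(r"^[A-Za-z]:\\")          # "Running processes" lines are bare paths
O17_RE = re.compile(                               # O17 = DNS servers set through the registry
    r"^O17 - (?P<key>HKLM\\System\\\w+\\Services\\Tcpip\\Parameters): "
    r"NameServer = (?P<servers>\S+)$")

def triage_hijackthis(log_text):
    """Return a list of (kind, detail) findings from HijackThis log text."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if PROCESS_RE.match(line):
            path = PureWindowsPath(line)
            if (path.name.lower() in CORE_PROCESS_NAMES
                    and str(path.parent).lower() != EXPECTED_PARENT):
                findings.append(("masquerading-process", line))
            continue
        m = O17_RE.match(line)
        if m:  # one entry per ControlSet; all of them point at the same servers here
            findings.append(("registry-nameserver", f"{m['key']} -> {m['servers']}"))
    return findings

# Constructed sample: a subset of the log posted in this thread.
SAMPLE_LOG = """\
Running processes:
C:\\WINDOWS\\System32\\smss.exe
C:\\WINDOWS\\system32\\winlogon.exe
C:\\WINDOWS\\system32\\svchost.exe
C:\\WINDOWS\\Explorer.EXE
C:\\Documents and Settings\\Big Bad Jean\\Desktop\\winlogon.exe

O4 - HKCU\\..\\Run: [ctfmon.exe] C:\\WINDOWS\\system32\\ctfmon.exe
O17 - HKLM\\System\\CS4\\Services\\Tcpip\\Parameters: NameServer = 85.255.112.92,85.255.112.104
O17 - HKLM\\System\\CCS\\Services\\Tcpip\\Parameters: NameServer = 85.255.112.92,85.255.112.104
O23 - Service: Pml Driver HPZ12 - HP - C:\\WINDOWS\\system32\\HPZipm12.exe
"""

if __name__ == "__main__":
    for kind, detail in triage_hijackthis(SAMPLE_LOG):
        print(f"{kind:22} {detail}")
```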


Post by Origin on Sat Aug 01, 2009 5:02 am

Download the GMER rootkit scan from here: [You must be registered and logged in to see this link.]

  1. Unzip it and start GMER.
  2. Click the >>> tab and then click the Scan button.
  3. Once done, click the Copy button.
  4. This will copy the results to your clipboard.
  5. Paste the results in your next reply.
Note:
If you're having problems with running GMER.exe, try it in safe mode. This tool works in safe mode.
You can also try renaming it since some malware blocks GMER.





Post by xxzozo on Sat Aug 01, 2009 5:48 am

OK, the results didn't automatically paste into my Notepad. I also am unable to copy & paste. What's the secret??



Post by xxzozo on Sat Aug 01, 2009 5:57 am

I think I figured it out!!

GMER 1.0.15.15011 [w1j39yip.exe] - [You must be registered and logged in to see this link.]
Rootkit scan 2009-08-01 01:55:58
Windows 5.1.2600 Service Pack 2


---- System - GMER 1.0.15 ----

SSDT F8E45DB6 ZwCreateKey
SSDT F8E45DAC ZwCreateThread
SSDT F8E45DBB ZwDeleteKey
SSDT F8E45DC5 ZwDeleteValueKey
SSDT F8E45DCA ZwLoadKey
SSDT F8E45D98 ZwOpenProcess
SSDT F8E45D9D ZwOpenThread
SSDT F8E45DD4 ZwReplaceKey
SSDT F8E45DCF ZwRestoreKey
SSDT F8E45DC0 ZwSetValueKey
SSDT F8E45DA7 ZwTerminateProcess

INT 0x01 \SystemRoot\System32\DRIVERS\ati2mtag.sys (ATI Radeon WindowsNT Miniport Driver/ATI Technologies Inc.) F84A04F6
INT 0x03 \SystemRoot\System32\DRIVERS\ati2mtag.sys (ATI Radeon WindowsNT Miniport Driver/ATI Technologies Inc.) F84A059C

Code 82EC2A08 ZwEnumerateKey
Code 82EE5CC0 ZwFlushInstructionCache
Code 82ED3E56 IofCallDriver
Code 82EF05B6 IofCompleteRequest

---- Kernel code sections - GMER 1.0.15 ----

.text ntoskrnl.exe!IofCallDriver 804E13A7 5 Bytes JMP 82ED3E5B
.text ntoskrnl.exe!IofCompleteRequest 804E17BD 5 Bytes JMP 82EF05BB
PAGE ntoskrnl.exe!ZwEnumerateKey 805783A4 5 Bytes JMP 82EC2A0C
PAGE ntoskrnl.exe!ZwFlushInstructionCache 80585F1C 5 Bytes JMP 82EE5CC4

---- Services - GMER 1.0.15 ----

Service C:\WINDOWS\system32\drivers\MSIVXklmxtagppeiqalwrhnkfvcebtyqgphav.sys (*** hidden *** ) [SYSTEM] MSIVXserv.sys <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\ControlSet001\Services\MSIVXserv.sys (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\MSIVXserv.sys@start 1
Reg HKLM\SYSTEM\ControlSet001\Services\MSIVXserv.sys@type 1
Reg HKLM\SYSTEM\ControlSet001\Services\MSIVXserv.sys@imagepath \systemroot\system32\drivers\MSIVXklmxtagppeiqalwrhnkfvcebtyqgphav.sys
Reg HKLM\SYSTEM\ControlSet001\Services\MSIVXserv.sys@group file system
Reg HKLM\SYSTEM\ControlSet001\Services\MSIVXserv.sys\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\MSIVXserv.sys\modules@MSIVXserv \\?\globalroot\systemroot\system32\drivers\MSIVXklmxtagppeiqalwrhnkfvcebtyqgphav.sys
Reg HKLM\SYSTEM\ControlSet001\Services\MSIVXserv.sys\modules@MSIVXl \\?\globalroot\systemroot\system32\MSIVXpxptxqiodpluamtauyywvgruxsaqqecq.dll
Reg HKLM\SYSTEM\ControlSet001\Services\MSIVXserv.sys\modules@MSIVXclk \\?\globalroot\systemroot\system32\MSIVXcubhbiihdsbclxrhwthyojwpjjmmhder.dll
Reg HKLM\SYSTEM\ControlSet002\Services\gxvxcserv.sys@start 1
Reg HKLM\SYSTEM\ControlSet002\Services\gxvxcserv.sys@type 1
Reg HKLM\SYSTEM\ControlSet002\Services\gxvxcserv.sys@imagepath \systemroot\system32\drivers\gxvxcpcfqptameubfxrldkrjwbxxvmvdppkow.sys
Reg HKLM\SYSTEM\ControlSet002\Services\gxvxcserv.sys@group file system
Reg HKLM\SYSTEM\ControlSet002\Services\gxvxcserv.sys\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\gxvxcserv.sys\modules@gxvxcserv \\?\globalroot\systemroot\system32\drivers\gxvxcpcfqptameubfxrldkrjwbxxvmvdppkow.sys
Reg HKLM\SYSTEM\ControlSet002\Services\gxvxcserv.sys\modules@gxvxcl \\?\globalroot\systemroot\system32\gxvxcfjxuwtineoaxtherkcoymyvqxidoqbaf.dll
Reg HKLM\SYSTEM\ControlSet002\Services\gxvxcserv.sys\modules@gxvxcclk \\?\globalroot\systemroot\system32\gxvxcmylvrsttfefltituhjouhxdqwhkekayl.dll
Reg HKLM\SYSTEM\ControlSet003\Services\gxvxcserv.sys@start 1
Reg HKLM\SYSTEM\ControlSet003\Services\gxvxcserv.sys@type 1
Reg HKLM\SYSTEM\ControlSet003\Services\gxvxcserv.sys@imagepath \systemroot\system32\drivers\gxvxcpcfqptameubfxrldkrjwbxxvmvdppkow.sys
Reg HKLM\SYSTEM\ControlSet003\Services\gxvxcserv.sys@group file system
Reg HKLM\SYSTEM\ControlSet003\Services\gxvxcserv.sys\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\gxvxcserv.sys\modules@gxvxcserv \\?\globalroot\systemroot\system32\drivers\gxvxcpcfqptameubfxrldkrjwbxxvmvdppkow.sys
Reg HKLM\SYSTEM\ControlSet003\Services\gxvxcserv.sys\modules@gxvxcl \\?\globalroot\systemroot\system32\gxvxcfjxuwtineoaxtherkcoymyvqxidoqbaf.dll
Reg HKLM\SYSTEM\ControlSet003\Services\gxvxcserv.sys\modules@gxvxcclk \\?\globalroot\systemroot\system32\gxvxcmylvrsttfefltituhjouhxdqwhkekayl.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\MSIVXserv.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\MSIVXserv.sys@start 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\MSIVXserv.sys@type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\MSIVXserv.sys@imagepath \systemroot\system32\drivers\MSIVXklmxtagppeiqalwrhnkfvcebtyqgphav.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\MSIVXserv.sys@group file system
Reg HKLM\SYSTEM\CurrentControlSet\Services\MSIVXserv.sys\modules
Reg HKLM\SYSTEM\CurrentControlSet\Services\MSIVXserv.sys\modules@MSIVXserv \\?\globalroot\systemroot\system32\drivers\MSIVXklmxtagppeiqalwrhnkfvcebtyqgphav.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\MSIVXserv.sys\modules@MSIVXl \\?\globalroot\systemroot\system32\MSIVXpxptxqiodpluamtauyywvgruxsaqqecq.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\MSIVXserv.sys\modules@MSIVXclk \\?\globalroot\systemroot\system32\MSIVXcubhbiihdsbclxrhwthyojwpjjmmhder.dll
Reg HKLM\SYSTEM\ControlSet005\Services\MSIVXserv.sys (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet005\Services\MSIVXserv.sys@start 1
Reg HKLM\SYSTEM\ControlSet005\Services\MSIVXserv.sys@type 1
Reg HKLM\SYSTEM\ControlSet005\Services\MSIVXserv.sys@imagepath \systemroot\system32\drivers\MSIVXklmxtagppeiqalwrhnkfvcebtyqgphav.sys
Reg HKLM\SYSTEM\ControlSet005\Services\MSIVXserv.sys@group file system
Reg HKLM\SYSTEM\ControlSet005\Services\MSIVXserv.sys\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet005\Services\MSIVXserv.sys\modules@MSIVXserv \\?\globalroot\systemroot\system32\drivers\MSIVXklmxtagppeiqalwrhnkfvcebtyqgphav.sys
Reg HKLM\SYSTEM\ControlSet005\Services\MSIVXserv.sys\modules@MSIVXl \\?\globalroot\systemroot\system32\MSIVXpxptxqiodpluamtauyywvgruxsaqqecq.dll
Reg HKLM\SYSTEM\ControlSet005\Services\MSIVXserv.sys\modules@MSIVXclk \\?\globalroot\systemroot\system32\MSIVXcubhbiihdsbclxrhwthyojwpjjmmhder.dll

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\MSIVXcount 4 bytes
File C:\WINDOWS\system32\MSIVXcubhbiihdsbclxrhwthyojwpjjmmhder.dll 54272 bytes executable
File C:\WINDOWS\system32\MSIVXpxptxqiodpluamtauyywvgruxsaqqecq.dll 23552 bytes executable
File C:\WINDOWS\system32\drivers\MSIVXklmxtagppeiqalwrhnkfvcebtyqgphav.sys 77824 bytes executable <-- ROOTKIT !!!

---- EOF - GMER 1.0.15 ----



Post by Origin on Sat Aug 01, 2009 6:09 pm

1. Please download The Avenger by Swandog46 to your Desktop
Link: [You must be registered and logged in to see this link.] or [You must be registered and logged in to see this link.].

  • Click on Avenger.zip to open the file
  • Extract avenger.exe to your desktop
2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C).


Drivers to delete:
MSIVXserv.sys

Files to delete:
C:\WINDOWS\system32\drivers\MSIVXklmxtagppeiqalwrhnkfvcebtyqgphav.sys


Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


3. Now, start The Avenger program by clicking on its icon on your desktop.

  • Under "Input script here:", paste in the script from the quote box above.
  • Leave the ticked box "Scan for rootkit" ticked.
  • Then tick "Disable any rootkits found"
  • Now click on the Execute to begin execution of the script.
  • Answer "Yes" twice when prompted.

    The Avenger will automatically do the following:

  • It will Restart your computer.
  • On reboot, it will briefly open a black command window on your desktop; this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger's actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
4. Please copy/paste the content of c:\avenger.txt into your reply.



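The Avenger script above was written by hand from the GMER output: the hidden service name and its driver file. As an added example (not from the thread, GMER or The Avenger), the script below pulls the hidden-service line and the active ControlSet module entries out of a GMER log, resolves the \\?\globalroot paths GMER prints back to drive paths, and renders the two-section script in the format used above. The sample is a constructed subset of the posted GMER log; the system root C:\WINDOWS is an assumption.

```python
import re

# Constructed sample: the hidden-service line and the active-ControlSet
# registry entries GMER reported in this thread (inactive ControlSets omitted).
SAMPLE_GMER = """\
---- Services - GMER 1.0.15 ----

Service C:\\WINDOWS\\system32\\drivers\\MSIVXklmxtagppeiqalwrhnkfvcebtyqgphav.sys (*** hidden *** ) [SYSTEM] MSIVXserv.sys <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg HKLM\\SYSTEM\\CurrentControlSet\\Services\\MSIVXserv.sys@imagepath \\systemroot\\system32\\drivers\\MSIVXklmxtagppeiqalwrhnkfvcebtyqgphav.sys
Reg HKLM\\SYSTEM\\CurrentControlSet\\Services\\MSIVXserv.sys\\modules@MSIVXserv \\\\?\\globalroot\\systemroot\\system32\\drivers\\MSIVXklmxtagppeiqalwrhnkfvcebtyqgphav.sys
Reg HKLM\\SYSTEM\\CurrentControlSet\\Services\\MSIVXserv.sys\\modules@MSIVXl \\\\?\\globalroot\\systemroot\\system32\\MSIVXpxptxqiodpluamtauyywvgruxsaqqecq.dll
"""

# "Service <file> (*** hidden *** ) [<start>] <service name>" is GMER's hidden-service line.
HIDDEN_SERVICE_RE = re.compile(
    r"^Service (?P<path>\S+) \(\*\*\* hidden \*\*\* \) \[\w+\] (?P<name>\S+)")
# Only the active ControlSet decides what loads at the next boot.
MODULE_RE = re.compile(
    r"^Reg HKLM\\SYSTEM\\CurrentControlSet\\Services\\(?P<svc>[^\\]+)\\modules@\S+ (?P<path>\S+)$")

def resolve_globalroot(path, system_root="C:\\WINDOWS"):
    """Turn GMER's globalroot/systemroot form into a normal drive path (system root assumed)."""
    prefix = "\\\\?\\globalroot\\systemroot"
    if path.lower().startswith(prefix):
        return system_root + path[len(prefix):]
    return path

def hidden_services(gmer_text):
    """Map hidden service name -> {'driver': path, 'modules': [companion files]}.
    GMER prints the Services section before Registry, so one pass is enough."""
    found = {}
    for line in gmer_text.splitlines():
        m = HIDDEN_SERVICE_RE.match(line)
        if m:
            found[m["name"]] = {"driver": m["path"], "modules": []}
            continue
        m = MODULE_RE.match(line)
        if m and m["svc"] in found:
            real = resolve_globalroot(m["path"])
            if real.lower() != found[m["svc"]]["driver"].lower():  # skip the driver itself
                found[m["svc"]]["modules"].append(real)
    return found

def avenger_script(services):
    """Render the two-section script format used in this thread (driver file only;
    companion modules are returned for the helper to review, not deleted blindly)."""
    drivers = "\n".join(services)
    files = "\n".join(info["driver"] for info in services.values())
    return f"Drivers to delete:\n{drivers}\n\nFiles to delete:\n{files}\n"

if __name__ == "__main__":
    svcs = hidden_services(SAMPLE_GMER)
    print(avenger_script(svcs))
    for name, info in svcs.items():
        print(f"# companion modules of {name} for review: {info['modules']}")
```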


Post by xxzozo on Sat Aug 01, 2009 8:54 pm

Logfile of The Avenger Version 2.0, (c) by Swandog46
[You must be registered and logged in to see this link.]

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.

Hidden driver "MSIVXserv.sys" found!
ImagePath: \systemroot\system32\drivers\MSIVXklmxtagppeiqalwrhnkfvcebtyqgphav.sys
Driver disabled successfully.

Rootkit scan completed.

Driver "MSIVXserv.sys" deleted successfully.
File "C:\WINDOWS\system32\drivers\MSIVXklmxtagppeiqalwrhnkfvcebtyqgphav.sys" deleted successfully.

Completed script processing.

*******************

Finished! Terminate.



Post by bigblaqq on Sun Aug 02, 2009 12:34 pm

Origin!! Is that bad if I'm still having the "ORIGINal" problems? But the PC is a lot faster now!!!



Post by Origin on Sun Aug 02, 2009 7:53 pm

Hello bigblaqq, these instructions are only for this member, doing anything to your computer with instructions that were not for your computer could damage it. Please start your own topic so I can look at it.



