Virus.Win32.Virut.CE@87251467 and Huer.Suspicious@86536553

Page 1 of 2 1, 2  Next

View previous topic View next topic Go down

Re: Virus.Win32.Virut.CE@87251467 and Huer.Suspicious@86536553

Post by Chads10R on Thu Dec 31, 2009 5:21 pm

The computer seems fine but I keep getting these virus alerts from my AV.

Application.Win32.Nircmd.~@16774100
C:\32788R22FWJFW.0.tmp\NirCmd.cfxxe
C:\32788R22FWJFW.1.tmp\NirCmd.cfxxe
C:\32788R22FWJFW.2.tmp\NirCmd.cfxxe

Chads10R
Novice
Novice

Posts Posts : 44
Joined Joined : 2009-12-29
Gender Gender : Male
OS OS : Windows XP SP2
Points Points : 25954
# Likes # Likes : 0

View user profile

Back to top Go down

Re: Virus.Win32.Virut.CE@87251467 and Huer.Suspicious@86536553

Post by Belahzur on Thu Dec 31, 2009 5:26 pm

False positive. Smile Can you delete that nircmd.exe from each folder.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Posts Posts : 34916
Joined Joined : 2008-08-03
Gender Gender : Male
OS OS : XP SP3 Media Centre
Points Points : 245069
# Likes # Likes : 1

View user profile

Back to top Go down

Re: Virus.Win32.Virut.CE@87251467 and Huer.Suspicious@86536553

Post by Chads10R on Thu Dec 31, 2009 5:32 pm

I ignored the warnings from my av and was able to delete the C:\32788R22FWJFW.0.tmp, C:\32788R22FWJFW.1.tmp, and C:\32788R22FWJFW.2.tmp folders. Do you know the reason Combo Fix never worked?

Chads10R
Novice
Novice

Posts Posts : 44
Joined Joined : 2009-12-29
Gender Gender : Male
OS OS : Windows XP SP2
Points Points : 25954
# Likes # Likes : 0

View user profile

Back to top Go down

Re: Virus.Win32.Virut.CE@87251467 and Huer.Suspicious@86536553

Post by Belahzur on Thu Dec 31, 2009 5:35 pm

Nope, possible some kind of confliction from Comodo.

Go to Start > Control Panel > Add/Remove Programs and remove the following program.

    Viewpoint Media Player

That should do it now. Smile


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Posts Posts : 34916
Joined Joined : 2008-08-03
Gender Gender : Male
OS OS : XP SP3 Media Centre
Points Points : 245069
# Likes # Likes : 1

View user profile

Back to top Go down

Re: Virus.Win32.Virut.CE@87251467 and Huer.Suspicious@86536553

Post by Chads10R on Thu Dec 31, 2009 5:57 pm

Is there anything else I need to do? I thank you very much for your time and assistance! It is greatly appreciated!

Do you know anything about Blackberry Desktop Manager?

Chads10R
Novice
Novice

Posts Posts : 44
Joined Joined : 2009-12-29
Gender Gender : Male
OS OS : Windows XP SP2
Points Points : 25954
# Likes # Likes : 0

View user profile

Back to top Go down

Re: Virus.Win32.Virut.CE@87251467 and Huer.Suspicious@86536553

Post by Chads10R on Sun Jan 03, 2010 9:59 pm

Windows Update (error number: Error number: 0x8024D007) is not working along with internet explorer ("The requested lookup key was not found in any active activation context"). MBAM keeps detecting hijack.windowsupdates.

Chads10R
Novice
Novice

Posts Posts : 44
Joined Joined : 2009-12-29
Gender Gender : Male
OS OS : Windows XP SP2
Points Points : 25954
# Likes # Likes : 0

View user profile

Back to top Go down

Re: Virus.Win32.Virut.CE@87251467 and Huer.Suspicious@86536553

Post by Belahzur on Sun Jan 03, 2010 11:25 pm

Download the GMER rootkit scan from here: [You must be registered and logged in to see this link.]

  1. Unzip it and start GMER.
  2. Click the >>> tab and then click the Scan button.
  3. Once done, click the Copy button.
  4. This will copy the results to your clipboard.
  5. Paste the results in your next reply.
Note:
If you're having problems with running GMER.exe, try it in safe mode. This tools works in safe mode.
You can also try renaming it since some malware blocks GMER.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Posts Posts : 34916
Joined Joined : 2008-08-03
Gender Gender : Male
OS OS : XP SP3 Media Centre
Points Points : 245069
# Likes # Likes : 1

View user profile

Back to top Go down

Re: Virus.Win32.Virut.CE@87251467 and Huer.Suspicious@86536553

Post by Chads10R on Mon Jan 04, 2010 7:21 pm

GMER doesnt work correctly in normal or safe mode.

Chads10R
Novice
Novice

Posts Posts : 44
Joined Joined : 2009-12-29
Gender Gender : Male
OS OS : Windows XP SP2
Points Points : 25954
# Likes # Likes : 0

View user profile

Back to top Go down

Re: Virus.Win32.Virut.CE@87251467 and Huer.Suspicious@86536553

Post by Belahzur on Mon Jan 04, 2010 7:22 pm

Please close all anti virus, anti malware and any other open programs/windows so they do not interfere with the running of RootRepeal.

  • Please download RootRepeal.zip from [You must be registered and logged in to see this link.].
  • Extract the program file to your Desktop.
  • Run the program RootRepeal.exe and go to the Report tab and click on the Scan button.


  • Select ALL of the checkboxes and then click OK and it will start scanning your system.

  • If you have multiple drives you only need to check the C: drive or the one Windows is installed on.
  • When done, click on Save Report
  • Save it to the Desktop.
  • Please copy/paste the contents of the report in your next reply.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Posts Posts : 34916
Joined Joined : 2008-08-03
Gender Gender : Male
OS OS : XP SP3 Media Centre
Points Points : 245069
# Likes # Likes : 1

View user profile

Back to top Go down

Re: Virus.Win32.Virut.CE@87251467 and Huer.Suspicious@86536553

Post by Chads10R on Mon Jan 04, 2010 7:31 pm

ROOTREPEAL (c) AD, 2007-2009
==================================================
Scan Start Time: 2010/01/04 14:29
Program Version: Version 1.3.5.0
Windows Version: Windows XP Media Center Edition SP2
==================================================

Drivers
-------------------
Name: dump_iaStor.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_iaStor.sys
Address: 0xEC209000 Size: 749568 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xB7FDA000 Size: 49152 File Visible: No Signed: -
Status: -

SSDT
-------------------
#: 011 Function Name: NtAdjustPrivilegesToken
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xf0646bcc

#: 031 Function Name: NtConnectPort
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xf06461aa

#: 037 Function Name: NtCreateFile
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xf0646832

#: 041 Function Name: NtCreateKey
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xf064734c

#: 046 Function Name: NtCreatePort
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xf064608c

#: 050 Function Name: NtCreateSection
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xf064805c

#: 052 Function Name: NtCreateSymbolicLinkObject
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xf06482f4

#: 053 Function Name: NtCreateThread
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xf0645c52

#: 063 Function Name: NtDeleteKey
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xf0646fb6

#: 065 Function Name: NtDeleteValueKey
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xf0647166

#: 068 Function Name: NtDuplicateObject
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xf0645a84

#: 097 Function Name: NtLoadDriver
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xf0647cde

#: 105 Function Name: NtMakeTemporaryObject
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xf064642e

#: 116 Function Name: NtOpenFile
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xf0646a0e

#: 122 Function Name: NtOpenProcess
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xf06457b4

#: 125 Function Name: NtOpenSection
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xf06466be

#: 128 Function Name: NtOpenThread
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xf064592c

#: 192 Function Name: NtRenameKey
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xf0647712

#: 200 Function Name: NtRequestWaitReplyPort
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xf064863a

#: 210 Function Name: NtSecureConnectPort
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xf0647a7a

#: 237 Function Name: NtSetSecurityObject
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xf0646db2

#: 240 Function Name: NtSetSystemInformation
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xf0647e8c

#: 247 Function Name: NtSetValueKey
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xf0647512

#: 249 Function Name: NtShutdownSystem
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xf06463c8

#: 255 Function Name: NtSystemDebugControl
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xf06465b2

#: 257 Function Name: NtTerminateProcess
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xf0645f56

#: 258 Function Name: NtTerminateThread
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xf0645e24

Shadow SSDT
-------------------
#: 013 Function Name: NtGdiBitBlt
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xf064a352

#: 122 Function Name: NtGdiDeleteObjectApp
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xf064aa76

#: 227 Function Name: NtGdiMaskBlt
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xf064a486

#: 233 Function Name: NtGdiOpenDCW
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xf064a936

#: 237 Function Name: NtGdiPlgBlt
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xf064a5c6

#: 292 Function Name: NtGdiStretchBlt
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xf064a6fa

#: 310 Function Name: NtUserBlockInput
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xf064a1d2

#: 319 Function Name: NtUserCallHwndParamLock
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xf0649424

#: 383 Function Name: NtUserGetAsyncKeyState
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xf0649ea2

#: 389 Function Name: NtUserGetClipboardData
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xf064a834

#: 414 Function Name: NtUserGetKeyboardState
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xf0649c10

#: 416 Function Name: NtUserGetKeyState
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xf0649d52

#: 460 Function Name: NtUserMessageCall
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xf06498f4

#: 465 Function Name: NtUserMoveWindow
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xf064915c

#: 475 Function Name: NtUserPostMessage
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xf06495a6

#: 476 Function Name: NtUserPostThreadMessage
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xf0649752

#: 491 Function Name: NtUserRegisterRawInputDevices
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xf0649ff2

#: 502 Function Name: NtUserSendInput
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xf0649ab6

#: 509 Function Name: NtUserSetClipboardViewer
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xf064a0e8

#: 529 Function Name: NtUserSetParent
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xf06492cc

#: 549 Function Name: NtUserSetWindowsHookEx
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xf064aadc

#: 552 Function Name: NtUserSetWinEventHook
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xf064ad10

==EOF==

Chads10R
Novice
Novice

Posts Posts : 44
Joined Joined : 2009-12-29
Gender Gender : Male
OS OS : Windows XP SP2
Points Points : 25954
# Likes # Likes : 0

View user profile

Back to top Go down

Re: Virus.Win32.Virut.CE@87251467 and Huer.Suspicious@86536553

Post by Chads10R on Wed Jan 06, 2010 8:23 am

What is my next step?

Chads10R
Novice
Novice

Posts Posts : 44
Joined Joined : 2009-12-29
Gender Gender : Male
OS OS : Windows XP SP2
Points Points : 25954
# Likes # Likes : 0

View user profile

Back to top Go down

Re: Virus.Win32.Virut.CE@87251467 and Huer.Suspicious@86536553

Post by Belahzur on Wed Jan 06, 2010 6:01 pm

Download Dr.Web CureIt to the desktop:
[You must be registered and logged in to see this link.]

  • Double-click the launch.exe or cureit.exe file and Allow to run the express scan
  • This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
  • Once the short scan has finished, just let it cure whatever it finds...
    o Now, go to Settings >> Change Settings
    o Go to Actions tab >> under Objects section, change the settings to below
    Infected objects - Cure
    Incurable objects - Report
    Suspicious objects - Report
    o Don't change any other settings
  • Start the scan again. This time, choose Complete Scan
  • Click the green arrow button at the right, and the scan will start.
  • After the scan finished, click Select all
  • Click on Cure and choose Report incurable (means take no actions.. Don't "move", or "rename" or "delete")
  • When the scan has finished, in the menu, click File and choose Save report list
  • Save the report to your Desktop. The report will be called DrWeb.csv
  • Post DrWeb.csv in your next reply (Open it as Notepad).. Do NOT reboot the computer yet..


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Posts Posts : 34916
Joined Joined : 2008-08-03
Gender Gender : Male
OS OS : XP SP3 Media Centre
Points Points : 245069
# Likes # Likes : 1

View user profile

Back to top Go down

Re: Virus.Win32.Virut.CE@87251467 and Huer.Suspicious@86536553

Post by Chads10R on Wed Jan 06, 2010 7:52 pm

Tried the express scan twice and I got this error.

69sbgXP.exe has encountered a problem and needs to close.

Chads10R
Novice
Novice

Posts Posts : 44
Joined Joined : 2009-12-29
Gender Gender : Male
OS OS : Windows XP SP2
Points Points : 25954
# Likes # Likes : 0

View user profile

Back to top Go down

Re: Virus.Win32.Virut.CE@87251467 and Huer.Suspicious@86536553

Post by Chads10R on Sat Jan 09, 2010 6:03 pm

Is there a way to get Dr. Web Cureit to work?

Chads10R
Novice
Novice

Posts Posts : 44
Joined Joined : 2009-12-29
Gender Gender : Male
OS OS : Windows XP SP2
Points Points : 25954
# Likes # Likes : 0

View user profile

Back to top Go down

Re: Virus.Win32.Virut.CE@87251467 and Huer.Suspicious@86536553

Post by Belahzur on Sat Jan 09, 2010 7:09 pm

Download [You must be registered and logged in to see this link.] to your desktop.

  • Close all windows and open it
  • Click Run Scan and let the program run uninterrupted
  • It will produce two logs for you, one will pop up called OTViewIt.txt, the other will be saved on your desktop and called Extras.txt. Just post OTViewIt.txt, I don't need to see Extras.txt
  • You may need to use more than one post to get it all on the forum.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Posts Posts : 34916
Joined Joined : 2008-08-03
Gender Gender : Male
OS OS : XP SP3 Media Centre
Points Points : 245069
# Likes # Likes : 1

View user profile

Back to top Go down

Re: Virus.Win32.Virut.CE@87251467 and Huer.Suspicious@86536553

Post by Chads10R on Sat Jan 09, 2010 7:23 pm

The link doesn't work.

Chads10R
Novice
Novice

Posts Posts : 44
Joined Joined : 2009-12-29
Gender Gender : Male
OS OS : Windows XP SP2
Points Points : 25954
# Likes # Likes : 0

View user profile

Back to top Go down

Re: Virus.Win32.Virut.CE@87251467 and Huer.Suspicious@86536553

Post by Origin on Sat Jan 09, 2010 7:44 pm

Please do the following:

Please download [You must be registered and logged in to see this link.]

  • Next run the file; *Note: If running vista right click and select run as administrator
  • Once opened, navigate to the log tab and select all the areas including the hȋdden objects only box and click on the create log button
  • A scan will start and then a window will pop up with two options, select scan all drives
  • Once finished it will give you a location where it was saved, navigate to that place usually the desktop, and open the log, post all the contents of the log back here.


While my help is always free, please consider donating to keep this site alive: [You must be registered and logged in to see this link.]

[You must be registered and logged in to see this link.]

Origin
Master
Master

Posts Posts : 2685
Joined Joined : 2009-05-05
Gender Gender : Male
OS OS : Windows Xp Sp3
Points Points : 31483
# Likes # Likes : 0

View user profile

Back to top Go down

Re: Virus.Win32.Virut.CE@87251467 and Huer.Suspicious@86536553

Post by Chads10R on Sat Jan 09, 2010 7:52 pm

Link doesn't work.

Chads10R
Novice
Novice

Posts Posts : 44
Joined Joined : 2009-12-29
Gender Gender : Male
OS OS : Windows XP SP2
Points Points : 25954
# Likes # Likes : 0

View user profile

Back to top Go down

Re: Virus.Win32.Virut.CE@87251467 and Huer.Suspicious@86536553

Post by Origin on Sat Jan 09, 2010 7:56 pm

Sorry see if you can download it from here:

[You must be registered and logged in to see this link.]


While my help is always free, please consider donating to keep this site alive: [You must be registered and logged in to see this link.]

[You must be registered and logged in to see this link.]

Origin
Master
Master

Posts Posts : 2685
Joined Joined : 2009-05-05
Gender Gender : Male
OS OS : Windows Xp Sp3
Points Points : 31483
# Likes # Likes : 0

View user profile

Back to top Go down

Re: Virus.Win32.Virut.CE@87251467 and Huer.Suspicious@86536553

Post by Chads10R on Sat Jan 09, 2010 8:04 pm

SysProt AntiRootkit v1.0.1.0
by swatkat

******************************************************************************************
******************************************************************************************

No hȋdden Processes found

******************************************************************************************
******************************************************************************************
Kernel Modules:
Module Name: \SystemRoot\System32\Drivers\dump_iaStor.sys
Service Name: ---
Module Base: EB30B000
Module End: EB3C2000
hȋdden: Yes

******************************************************************************************
******************************************************************************************
SSDT:
Function Name: ZwAdjustPrivilegesToken
Address: EEB07BCC
Driver Base: EEB03000
Driver End: EEB22000
Driver Name: \SystemRoot\System32\DRIVERS\cmdguard.sys

Function Name: ZwConnectPort
Address: EEB071AA
Driver Base: EEB03000
Driver End: EEB22000
Driver Name: \SystemRoot\System32\DRIVERS\cmdguard.sys

Function Name: ZwCreateFile
Address: EEB07832
Driver Base: EEB03000
Driver End: EEB22000
Driver Name: \SystemRoot\System32\DRIVERS\cmdguard.sys

Function Name: ZwCreateKey
Address: EEB0834C
Driver Base: EEB03000
Driver End: EEB22000
Driver Name: \SystemRoot\System32\DRIVERS\cmdguard.sys

Function Name: ZwCreatePort
Address: EEB0708C
Driver Base: EEB03000
Driver End: EEB22000
Driver Name: \SystemRoot\System32\DRIVERS\cmdguard.sys

Function Name: ZwCreateSection
Address: EEB0905C
Driver Base: EEB03000
Driver End: EEB22000
Driver Name: \SystemRoot\System32\DRIVERS\cmdguard.sys

Function Name: ZwCreateSymbolicLinkObject
Address: EEB092F4
Driver Base: EEB03000
Driver End: EEB22000
Driver Name: \SystemRoot\System32\DRIVERS\cmdguard.sys

Function Name: ZwCreateThread
Address: EEB06C52
Driver Base: EEB03000
Driver End: EEB22000
Driver Name: \SystemRoot\System32\DRIVERS\cmdguard.sys

Function Name: ZwDeleteKey
Address: EEB07FB6
Driver Base: EEB03000
Driver End: EEB22000
Driver Name: \SystemRoot\System32\DRIVERS\cmdguard.sys

Function Name: ZwDeleteValueKey
Address: EEB08166
Driver Base: EEB03000
Driver End: EEB22000
Driver Name: \SystemRoot\System32\DRIVERS\cmdguard.sys

Function Name: ZwDuplicateObject
Address: EEB06A84
Driver Base: EEB03000
Driver End: EEB22000
Driver Name: \SystemRoot\System32\DRIVERS\cmdguard.sys

Function Name: ZwLoadDriver
Address: EEB08CDE
Driver Base: EEB03000
Driver End: EEB22000
Driver Name: \SystemRoot\System32\DRIVERS\cmdguard.sys

Function Name: ZwMakeTemporaryObject
Address: EEB0742E
Driver Base: EEB03000
Driver End: EEB22000
Driver Name: \SystemRoot\System32\DRIVERS\cmdguard.sys

Function Name: ZwOpenFile
Address: EEB07A0E
Driver Base: EEB03000
Driver End: EEB22000
Driver Name: \SystemRoot\System32\DRIVERS\cmdguard.sys

Function Name: ZwOpenProcess
Address: EEB067B4
Driver Base: EEB03000
Driver End: EEB22000
Driver Name: \SystemRoot\System32\DRIVERS\cmdguard.sys

Function Name: ZwOpenSection
Address: EEB076BE
Driver Base: EEB03000
Driver End: EEB22000
Driver Name: \SystemRoot\System32\DRIVERS\cmdguard.sys

Function Name: ZwOpenThread
Address: EEB0692C
Driver Base: EEB03000
Driver End: EEB22000
Driver Name: \SystemRoot\System32\DRIVERS\cmdguard.sys

Function Name: ZwRenameKey
Address: EEB08712
Driver Base: EEB03000
Driver End: EEB22000
Driver Name: \SystemRoot\System32\DRIVERS\cmdguard.sys

Function Name: ZwRequestWaitReplyPort
Address: EEB0963A
Driver Base: EEB03000
Driver End: EEB22000
Driver Name: \SystemRoot\System32\DRIVERS\cmdguard.sys

Function Name: ZwSecureConnectPort
Address: EEB08A7A
Driver Base: EEB03000
Driver End: EEB22000
Driver Name: \SystemRoot\System32\DRIVERS\cmdguard.sys

Function Name: ZwSetSecurityObject
Address: EEB07DB2
Driver Base: EEB03000
Driver End: EEB22000
Driver Name: \SystemRoot\System32\DRIVERS\cmdguard.sys

Function Name: ZwSetSystemInformation
Address: EEB08E8C
Driver Base: EEB03000
Driver End: EEB22000
Driver Name: \SystemRoot\System32\DRIVERS\cmdguard.sys

Function Name: ZwSetValueKey
Address: EEB08512
Driver Base: EEB03000
Driver End: EEB22000
Driver Name: \SystemRoot\System32\DRIVERS\cmdguard.sys

Function Name: ZwShutdownSystem
Address: EEB073C8
Driver Base: EEB03000
Driver End: EEB22000
Driver Name: \SystemRoot\System32\DRIVERS\cmdguard.sys

Function Name: ZwSystemDebugControl
Address: EEB075B2
Driver Base: EEB03000
Driver End: EEB22000
Driver Name: \SystemRoot\System32\DRIVERS\cmdguard.sys

Function Name: ZwTerminateProcess
Address: EEB06F56
Driver Base: EEB03000
Driver End: EEB22000
Driver Name: \SystemRoot\System32\DRIVERS\cmdguard.sys

Function Name: ZwTerminateThread
Address: EEB06E24
Driver Base: EEB03000
Driver End: EEB22000
Driver Name: \SystemRoot\System32\DRIVERS\cmdguard.sys

******************************************************************************************
******************************************************************************************
No Kernel Hooks found

******************************************************************************************
******************************************************************************************
No IRP Hooks found

******************************************************************************************
******************************************************************************************
Ports:
Local Address: CHADS.BELKIN:64228
Remote Address: 192.168.2.1:HTTP
Type: TCP
Process: [System Idle Process]
State: TIME_WAIT

Local Address: CHADS.BELKIN:2869
Remote Address: 192.168.2.1:13693
Type: TCP
Process: [System Idle Process]
State: TIME_WAIT

Local Address: CHADS.BELKIN:2869
Remote Address: 192.168.2.1:13692
Type: TCP
Process: [System Idle Process]
State: TIME_WAIT

Local Address: CHADS.BELKIN:2215
Remote Address: YX-IN-F19.1E100.NET:HTTP
Type: TCP
Process: C:\Program Files\Google\Gmail Notifier\gnotify.exe
State: ESTABLISHED

Local Address: CHADS.BELKIN:2208
Remote Address: 69.46.19.152:HTTP
Type: TCP
Process: [System Idle Process]
State: TIME_WAIT

Local Address: CHADS.BELKIN:2197
Remote Address: 209.234.250.195:HTTP
Type: TCP
Process: C:\Program Files\Mozilla Firefox\firefox.exe
State: ESTABLISHED

Local Address: CHADS.BELKIN:2196
Remote Address: 209.234.250.195:HTTP
Type: TCP
Process: C:\Program Files\Mozilla Firefox\firefox.exe
State: ESTABLISHED

Local Address: CHADS.BELKIN:2174
Remote Address: YX-IN-F154.1E100.NET:HTTP
Type: TCP
Process: C:\Program Files\Mozilla Firefox\firefox.exe
State: ESTABLISHED

Local Address: CHADS.BELKIN:2171
Remote Address: A96-17-60-20.DEPLOY.AKAMAITECHNOLOGIES.COM:HTTP
Type: TCP
Process: C:\Program Files\Mozilla Firefox\firefox.exe
State: ESTABLISHED

Local Address: CHADS.BELKIN:2160
Remote Address: YX-IN-F166.1E100.NET:HTTP
Type: TCP
Process: C:\Program Files\Mozilla Firefox\firefox.exe
State: ESTABLISHED

Local Address: CHADS.BELKIN:2126
Remote Address: YX-IN-F93.1E100.NET:HTTP
Type: TCP
Process: C:\Program Files\Mozilla Firefox\firefox.exe
State: ESTABLISHED

Local Address: CHADS.BELKIN:2113
Remote Address: GY-IN-F138.1E100.NET:HTTP
Type: TCP
Process: C:\Program Files\Mozilla Firefox\firefox.exe
State: ESTABLISHED

Local Address: CHADS.BELKIN:1120
Remote Address: A209-8-118-67.DEPLOY.AKAMAITECHNOLOGIES.COM:HTTP
Type: TCP
Process: C:\Program Files\Java\jre6\bin\jusched.exe
State: ESTABLISHED

Local Address: CHADS.BELKIN:1119
Remote Address: VIP1.ANYCAST.CACHEFLY.COM:HTTP
Type: TCP
Process: C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
State: CLOSE_WAIT

Local Address: CHADS.BELKIN:1118
Remote Address: 208.116.56.171:HTTP
Type: TCP
Process: C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
State: CLOSE_WAIT

Local Address: CHADS.BELKIN:NETBIOS-SSN
Remote Address: 0.0.0.0:0
Type: TCP
Process: System
State: LISTENING

Local Address: CHADS:27015
Remote Address: LOCALHOST:1040
Type: TCP
Process: C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
State: ESTABLISHED

Local Address: CHADS:27015
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
State: LISTENING

Local Address: CHADS:5354
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\Program Files\Bonjour\mDNSResponder.exe
State: LISTENING

Local Address: CHADS:5152
Remote Address: LOCALHOST:2079
Type: TCP
Process: C:\Program Files\Java\jre6\bin\jqs.exe
State: CLOSE_WAIT

Local Address: CHADS:5152
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\Program Files\Java\jre6\bin\jqs.exe
State: LISTENING

Local Address: CHADS:1085
Remote Address: LOCALHOST:1084
Type: TCP
Process: C:\Program Files\Mozilla Firefox\firefox.exe
State: ESTABLISHED

Local Address: CHADS:1084
Remote Address: LOCALHOST:1085
Type: TCP
Process: C:\Program Files\Mozilla Firefox\firefox.exe
State: ESTABLISHED

Local Address: CHADS:1082
Remote Address: LOCALHOST:1081
Type: TCP
Process: C:\Program Files\Mozilla Firefox\firefox.exe
State: ESTABLISHED

Local Address: CHADS:1081
Remote Address: LOCALHOST:1082
Type: TCP
Process: C:\Program Files\Mozilla Firefox\firefox.exe
State: ESTABLISHED

Local Address: CHADS:1045
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\WINDOWS\system32\alg.exe
State: LISTENING

Local Address: CHADS:1040
Remote Address: LOCALHOST:27015
Type: TCP
Process: C:\Program Files\iTunes\iTunesHelper.exe
State: ESTABLISHED

Local Address: CHADS:2869
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\WINDOWS\system32\svchost.exe
State: LISTENING

Local Address: CHADS:MICROSOFT-DS
Remote Address: 0.0.0.0:0
Type: TCP
Process: System
State: LISTENING

Local Address: CHADS:EPMAP
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\WINDOWS\system32\svchost.exe
State: LISTENING

Local Address: CHADS:CHARGEN
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\WINDOWS\system32\tcpsvcs.exe
State: LISTENING

Local Address: CHADS:QOTD
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\WINDOWS\system32\tcpsvcs.exe
State: LISTENING

Local Address: CHADS:DAYTIME
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\WINDOWS\system32\tcpsvcs.exe
State: LISTENING

Local Address: CHADS:DISCARD
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\WINDOWS\system32\tcpsvcs.exe
State: LISTENING

Local Address: CHADS:ECHO
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\WINDOWS\system32\tcpsvcs.exe
State: LISTENING

Local Address: CHADS.BELKIN:5353
Remote Address: NA
Type: UDP
Process: C:\Program Files\Bonjour\mDNSResponder.exe
State: NA

Local Address: CHADS.BELKIN:1900
Remote Address: NA
Type: UDP
Process: C:\WINDOWS\system32\svchost.exe
State: NA

Local Address: CHADS.BELKIN:138
Remote Address: NA
Type: UDP
Process: System
State: NA

Local Address: CHADS.BELKIN:NETBIOS-NS
Remote Address: NA
Type: UDP
Process: System
State: NA

Local Address: CHADS.BELKIN:123
Remote Address: NA
Type: UDP
Process: C:\WINDOWS\system32\svchost.exe
State: NA

Local Address: CHADS:1900
Remote Address: NA
Type: UDP
Process: C:\WINDOWS\system32\svchost.exe
State: NA

Local Address: CHADS:1064
Remote Address: NA
Type: UDP
Process: C:\WINDOWS\explorer.exe
State: NA

Local Address: CHADS:1059
Remote Address: NA
Type: UDP
Process: C:\WINDOWS\system32\svchost.exe
State: NA

Local Address: CHADS:1038
Remote Address: NA
Type: UDP
Process: C:\Program Files\Google\Gmail Notifier\gnotify.exe
State: NA

Local Address: CHADS:123
Remote Address: NA
Type: UDP
Process: C:\WINDOWS\system32\svchost.exe
State: NA

Local Address: CHADS:57311
Remote Address: NA
Type: UDP
Process: C:\Program Files\Bonjour\mDNSResponder.exe
State: NA

Local Address: CHADS:4500
Remote Address: NA
Type: UDP
Process: C:\WINDOWS\system32\lsass.exe
State: NA

Local Address: CHADS:3776
Remote Address: NA
Type: UDP
Process: C:\WINDOWS\ehome\mcrdsvc.exe
State: NA

Local Address: CHADS:1102
Remote Address: NA
Type: UDP
Process: C:\WINDOWS\system32\svchost.exe
State: NA

Local Address: CHADS:1101
Remote Address: NA
Type: UDP
Process: C:\WINDOWS\system32\svchost.exe
State: NA

Local Address: CHADS:1100
Remote Address: NA
Type: UDP
Process: C:\WINDOWS\system32\svchost.exe
State: NA

Local Address: CHADS:1099
Remote Address: NA
Type: UDP
Process: C:\WINDOWS\system32\svchost.exe
State: NA

Local Address: CHADS:1095
Remote Address: NA
Type: UDP
Process: C:\WINDOWS\system32\svchost.exe
State: NA

Local Address: CHADS:1094
Remote Address: NA
Type: UDP
Process: C:\WINDOWS\system32\svchost.exe
State: NA

Local Address: CHADS:1093
Remote Address: NA
Type: UDP
Process: C:\WINDOWS\system32\svchost.exe
State: NA

Local Address: CHADS:1037
Remote Address: NA
Type: UDP
Process: C:\WINDOWS\system32\svchost.exe
State: NA

Local Address: CHADS:1025
Remote Address: NA
Type: UDP
Process: C:\Program Files\Bonjour\mDNSResponder.exe
State: NA

Local Address: CHADS:500
Remote Address: NA
Type: UDP
Process: C:\WINDOWS\system32\lsass.exe
State: NA

Local Address: CHADS:MICROSOFT-DS
Remote Address: NA
Type: UDP
Process: System
State: NA

Local Address: CHADS:CHARGEN
Remote Address: NA
Type: UDP
Process: C:\WINDOWS\system32\tcpsvcs.exe
State: NA

Local Address: CHADS:QOTD
Remote Address: NA
Type: UDP
Process: C:\WINDOWS\system32\tcpsvcs.exe
State: NA

Local Address: CHADS:DAYTIME
Remote Address: NA
Type: UDP
Process: C:\WINDOWS\system32\tcpsvcs.exe
State: NA

Local Address: CHADS:DISCARD
Remote Address: NA
Type: UDP
Process: C:\WINDOWS\system32\tcpsvcs.exe
State: NA

Local Address: CHADS:ECHO
Remote Address: NA
Type: UDP
Process: C:\WINDOWS\system32\tcpsvcs.exe
State: NA

******************************************************************************************
******************************************************************************************
hȋdden files/folders:
Object: C:\Documents and Settings\Chad\Application Data\Macromedia\Flash Player\#SharedObjects\LCL42XJ4\[You must be registered and logged in to see this link.]
Status: hȋdden

Object: C:\Documents and Settings\Chad\Application Data\Macromedia\Flash Player\#SharedObjects\LCL42XJ4\[You must be registered and logged in to see this link.]
Status: hȋdden

Object: C:\Documents and Settings\Chad\Application Data\Macromedia\Flash Player\#SharedObjects\LCL42XJ4\[You must be registered and logged in to see this link.]
Status: hȋdden

Object: C:\Documents and Settings\Chad\Application Data\Macromedia\Flash Player\#SharedObjects\LCL42XJ4\[You must be registered and logged in to see this link.]
Status: hȋdden

Object: C:\Documents and Settings\Chad\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#[You must be registered and logged in to see this link.]
Status: hȋdden

Object: C:\Documents and Settings\Chad\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#[You must be registered and logged in to see this link.]
Status: hȋdden

Object: C:\System Volume Information\MountPointManagerRemoteDatabase
Status: Access denied

Object: C:\System Volume Information\tracking.log
Status: Access denied

Object: C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}
Status: Access denied

Object: C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}(2)
Status: Access denied

Chads10R
Novice
Novice

Posts Posts : 44
Joined Joined : 2009-12-29
Gender Gender : Male
OS OS : Windows XP SP2
Points Points : 25954
# Likes # Likes : 0

View user profile

Back to top Go down

Re: Virus.Win32.Virut.CE@87251467 and Huer.Suspicious@86536553

Post by Origin on Sat Jan 09, 2010 8:13 pm

Hmm ok please do the following:

I suggest you copy these instructions into a notepad file, because we need to use safe mode and you won't have internet access to read from here.

Download [You must be registered and logged in to see this link.] and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :

  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.

  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).
  • Finally paste the contents of the Report.txt back on the forum with a new HijackThis log


While my help is always free, please consider donating to keep this site alive: [You must be registered and logged in to see this link.]

[You must be registered and logged in to see this link.]

Origin
Master
Master

Posts Posts : 2685
Joined Joined : 2009-05-05
Gender Gender : Male
OS OS : Windows Xp Sp3
Points Points : 31483
# Likes # Likes : 0

View user profile

Back to top Go down

Re: Virus.Win32.Virut.CE@87251467 and Huer.Suspicious@86536553

Post by Chads10R on Sat Jan 09, 2010 8:50 pm

SDFix: Version 1.240
Run by Chad on Sat 01/09/2010 at 03:26 PM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :


Restoring Default Security Values
Restoring Default Hosts File

Rebooting


Checking Files :

Trojan Files Found:

C:\CLEANUP.EXE - Deleted
C:\-20020~1 - Deleted





Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2010-01-09 15:39:44
Windows 5.1.2600 Service Pack 2 NTFS

scanning hȋdden processes ...

scanning hȋdden services & system hive ...

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\ovfsthxpvpxckky]
"start"=dword:00000001
"type"=dword:00000001
"group"="file system"
"imagepath"=str(2):"\systemroot\system32\drivers\ovfsthxicoouodi.sys"
"inst"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\ovfsthxpvpxckky\main]
"ver"="icv140409"
"cid"="01"
"bid"=""
"aid"="303720"
"sid"="254"
"feed"=hex:22,64,78,36,3c,2e,3b,29,39,3b,3b,3a,04,4f,01,0c,09,65
"cmddelay"=dword:00003841

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\ovfsthxpvpxckky\modules]
"ovfsthx.sys"="\systemroot\system32\drivers\ovfsthxicoouodi.sys"
"ovfsthx.dll"="\systemroot\system32\ovfsthxxgxdsnhe.dll"
"ovfsthxlog.dat"="\systemroot\system32\ovfsthxyelaqcxl.dat"
"ovfsthxwi.dll"="\systemroot\system32\ovfsthxvorsarro.dll"
"ovfsthxff.dll"="\systemroot\system32\ovfsthxiysvtgld.dll"
"ovfsthx.dat"="\systemroot\system32\ovfsthxpjyrxjbp.dat"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04]
"p0"="C:\Program Files\Alcohol Soft\Alcohol 120\"
"h0"=dword:00000000
"ujdew"=hex:55,48,7e,ca,8b,26,be,a0,4a,6f,ac,ba,8d,61,cf,25,c1,c2,c8,1b,7e,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04]
"p0"="C:\Program Files\Alcohol Soft\Alcohol 120\"
"h0"=dword:00000000
"ujdew"=hex:55,48,7e,ca,8b,26,be,a0,4a,6f,ac,ba,8d,61,cf,25,c1,c2,c8,1b,7e,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04]
"p0"="C:\Program Files\Alcohol Soft\Alcohol 120\"
"h0"=dword:00000000
"ujdew"=hex:55,48,7e,ca,8b,26,be,a0,4a,6f,ac,ba,8d,61,cf,25,c1,c2,c8,1b,7e,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04]
"p0"="C:\Program Files\Alcohol Soft\Alcohol 120\"
"h0"=dword:00000000
"ujdew"=hex:55,48,7e,ca,8b,26,be,a0,4a,6f,ac,ba,8d,61,cf,25,c1,c2,c8,1b,7e,..
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E965-E325-11CE-BFC1-08002BE10318}\Properties]
"DeviceType"=dword:00000002
"DeviceCharacteristics"=dword:00000100
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E967-E325-11CE-BFC1-08002BE10318}\Properties]
"DeviceType"=dword:00000007
"DeviceCharacteristics"=dword:00000100
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\Properties]
"DeviceType"=dword:00000023
"DeviceCharacteristics"=dword:00000100
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E969-E325-11CE-BFC1-08002BE10318}\Properties]
"DeviceType"=dword:00000004
"DeviceCharacteristics"=dword:00000100
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E96A-E325-11CE-BFC1-08002BE10318}\Properties]
"DeviceType"=dword:00000004
"DeviceCharacteristics"=dword:00000100
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E97B-E325-11CE-BFC1-08002BE10318}\Properties]
"DeviceType"=dword:00000004
"DeviceCharacteristics"=dword:00000100
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E980-E325-11CE-BFC1-08002BE10318}\Properties]
"DeviceType"=dword:00000007
"DeviceCharacteristics"=dword:00000100
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MRxDAV\EncryptedDirectories]
@=""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04]
"p0"="C:\Program Files\Alcohol Soft\Alcohol 120\"
"h0"=dword:00000000
"ujdew"=hex:55,48,7e,ca,8b,26,be,a0,4a,6f,ac,ba,8d,61,cf,25,c1,c2,c8,1b,7e,..

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001]
"a0"=hex:20,01,00,00,27,9a,d2,21,25,83,cc,5c,3b,a3,08,a1,79,bd,b4,80,39,..
"ujdew"=hex:b9,f1,7f,86,0c,b6,69,a6,2a,b4,e8,38,36,43,80,1b,15,05,b7,b7,69,..

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40]
"ujdew"=hex:ef,da,bc,b5,0d,d1,e8,04,ec,3a,f3,53,40,73,78,e8,fe,49,41,82,a6,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet006\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04]
"p0"="C:\Program Files\Alcohol Soft\Alcohol 120\"
"h0"=dword:00000000
"ujdew"=hex:55,48,7e,ca,8b,26,be,a0,4a,6f,ac,ba,8d,61,cf,25,c1,c2,c8,1b,7e,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet007\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04]
"p0"="C:\Program Files\Alcohol Soft\Alcohol 120\"
"h0"=dword:00000000
"ujdew"=hex:55,48,7e,ca,8b,26,be,a0,4a,6f,ac,ba,8d,61,cf,25,c1,c2,c8,1b,7e,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet008\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04]
"p0"="C:\Program Files\Alcohol Soft\Alcohol 120\"
"h0"=dword:00000000
"ujdew"=hex:55,48,7e,ca,8b,26,be,a0,4a,6f,ac,ba,8d,61,cf,25,c1,c2,c8,1b,7e,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet009\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04]
"p0"="C:\Program Files\Alcohol Soft\Alcohol 120\"
"h0"=dword:00000000
"ujdew"=hex:55,48,7e,ca,8b,26,be,a0,4a,6f,ac,ba,8d,61,cf,25,c1,c2,c8,1b,7e,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet010\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04]
"p0"="C:\Program Files\Alcohol Soft\Alcohol 120\"
"h0"=dword:00000000
"ujdew"=hex:55,48,7e,ca,8b,26,be,a0,4a,6f,ac,ba,8d,61,cf,25,c1,c2,c8,1b,7e,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet011\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04]
"p0"="C:\Program Files\Alcohol Soft\Alcohol 120\"
"h0"=dword:00000000
"ujdew"=hex:55,48,7e,ca,8b,26,be,a0,4a,6f,ac,ba,8d,61,cf,25,c1,c2,c8,1b,7e,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet012\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04]
"p0"="C:\Program Files\Alcohol Soft\Alcohol 120\"
"h0"=dword:00000000
"ujdew"=hex:55,48,7e,ca,8b,26,be,a0,4a,6f,ac,ba,8d,61,cf,25,c1,c2,c8,1b,7e,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet013\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04]
"p0"="C:\Program Files\Alcohol Soft\Alcohol 120\"
"h0"=dword:00000000
"ujdew"=hex:55,48,7e,ca,8b,26,be,a0,4a,6f,ac,ba,8d,61,cf,25,c1,c2,c8,1b,7e,..

scanning hȋdden registry entries ...

scanning hȋdden files ...

scan completed successfully
hȋdden processes: 0
hȋdden services: 0
hȋdden files: 0


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe:*:Enabled:AOL"
"C:\\Program Files\\America Online 9.0\\waol.exe"="C:\\Program Files\\America Online 9.0\\waol.exe:*:Enabled:America Online 9.0"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe:*:Enabled:Yahoo! FT Server"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"="C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE:*:Enabled:Microsoft Office Outlook"
"C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"="C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE:*:Enabled:Microsoft Office Groove"
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"="C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE:*:Enabled:Microsoft Office OneNote"
"C:\\Program Files\\Common Files\\AOL\\1169665382\\ee\\aolsoftware.exe"="C:\\Program Files\\Common Files\\AOL\\1169665382\\ee\\aolsoftware.exe:*:Enabled:AOL Shared Components"
"C:\\Program Files\\AOL 9.1\\waol.exe"="C:\\Program Files\\AOL 9.1\\waol.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\TopSpeed\\3.0\\aoltpsd3.exe"="C:\\Program Files\\Common Files\\AOL\\TopSpeed\\3.0\\aoltpsd3.exe:*:Enabled:AOL TopSpeed"
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"="C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe:*:Enabled:AOL Loader"
"C:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"="C:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe:*:Enabled:AOL System Information"
"C:\\Program Files\\uTorrent\\uTorrent.exe"="C:\\Program Files\\uTorrent\\uTorrent.exe:*:Enabled:æTorrent"
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"="C:\\Program Files\\Bonjour\\mDNSResponder.exe:*:Enabled:Bonjour"
"C:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"="C:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe:*:Enabled:Windows Live Call"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\DOCUME~1\\Chad\\LOCALS~1\\Temp\\CS4.exe"="C:\\DOCUME~1\\Chad\\LOCALS~1\\Temp\\CS4.exe:*:Enabled:Windows Center"
"C:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"="C:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe:*:Enabled:Adobe CSI CS4"
"C:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"="C:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe:*:Enabled:Pando Media Booster"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\Documents and Settings\\Chad\\Local Settings\\Temp\\svcchst32.exe"="C:\\Documents and Settings\\Chad\\Local Settings\\Temp\\svcchst32.exe:*:Enabled:JDrun"
"\\??\\C:\\WINDOWS\\system32\\winlogon.exe"="\\??\\C:\\WINDOWS\\system32\\winlogon.exe:*:enabled:@shell32.dll,-1"
"C:\\WINDOWS\\explorer.exe"="C:\\WINDOWS\\explorer.exe:*:Enabled:Explorer"
"C:\\WINDOWS\\system32\\winlogon.exe"="C:\\WINDOWS\\system32\\winlogon.exe:*:Enabled:winlogon"
"C:\\Documents and Settings\\Chad\\Local Settings\\Temp\\JDstart.exe"="C:\\Documents and Settings\\Chad\\Local Settings\\Temp\\JDstart.exe:*:Enabled:JDstart"
"C:\\Program Files\\Common Files\\Apple\\Mobile Device Support\\bin\\AppleMobileDeviceService.exe"="C:\\Program Files\\Common Files\\Apple\\Mobile Device Support\\bin\\AppleMobileDeviceService.exe:*:Enabled:AppleMobileDeviceService"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe:*:Enabled:AOL"
"C:\\Program Files\\America Online 9.0\\waol.exe"="C:\\Program Files\\America Online 9.0\\waol.exe:*:Enabled:America Online 9.0"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"="C:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe:*:Enabled:Windows Live Call"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"

Remaining Files :


File Backups: - C:\SDFix\backups\backups.zip

Files with hȋdden Attributes :

Tue 30 Jan 2007 4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Thu 24 Nov 2005 245,248 A..HR --- "C:\WINDOWS\system32\drivers\rt73.sys"
Sun 11 Mar 2007 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv02.tmp"
Thu 14 May 2009 305,362 A..HR --- "C:\WINDOWS\system32\drivers\etc\Hosts.bak"
Thu 4 Jan 2007 8 A..H. --- "C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch1\lock.tmp"
Thu 4 Jan 2007 8 A..H. --- "C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch2\lock.tmp"
Thu 4 Jan 2007 8 A..H. --- "C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch3\lock.tmp"
Thu 4 Jan 2007 8 A..H. --- "C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch4\lock.tmp"
Thu 4 Jan 2007 8 A..H. --- "C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch5\lock.tmp"
Thu 4 Jan 2007 8 A..H. --- "C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch6\lock.tmp"

Finished!

Chads10R
Novice
Novice

Posts Posts : 44
Joined Joined : 2009-12-29
Gender Gender : Male
OS OS : Windows XP SP2
Points Points : 25954
# Likes # Likes : 0

View user profile

Back to top Go down

Re: Virus.Win32.Virut.CE@87251467 and Huer.Suspicious@86536553

Post by Chads10R on Sat Jan 09, 2010 8:51 pm

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:49:34 PM, on 1/9/2010
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe
C:\WINDOWS\system32\Rundll32.exe
C:\DOCUME~1\Chad\LOCALS~1\Temp\clclean.0001
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Google\Gmail Notifier\gnotify.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\COMODO\COMODO Internet Security\cfp.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe
C:\Program Files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe
C:\WINDOWS\stsystra.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Documents and Settings\Chad\Desktop\winlogon.scr

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [You must be registered and logged in to see this link.]
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = [You must be registered and logged in to see this link.]
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [MBMon] Rundll32 CTMBHA.DLL,MBMon
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [VoiceCenter] "C:\Program Files\Creative\VoiceCenter\AndreaVC.exe" /tray
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [dvd43] C:\Program Files\dvd43\dvd43_tray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [AdobeCS4ServiceManager] "C:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" -launchedbylogin
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [F5D9050] C:\Program Files\Belkin\F5D9050\Belkinwcui.exe
O4 - HKLM\..\Run: [COMODO Internet Security] "C:\Program Files\COMODO\COMODO Internet Security\cfp.exe" -h
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [BlackBerryAutoUpdate] C:\Program Files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe /background
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [SetDefaultMIDI] MIDIDef.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - Global Startup: Digital Line Detect.lnk = ?
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 5.0\resources\en-US\local\search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - [You must be registered and logged in to see this link.]
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - [You must be registered and logged in to see this link.]
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - [You must be registered and logged in to see this link.]
O16 - DPF: {6E704581-CCAE-46D2-9C64-20D724B3624E} (UnagiAx Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - [You must be registered and logged in to see this link.]
O16 - DPF: {D0C0F75C-683A-4390-A791-1ACFD5599AB8} (Oberon Flash Game Host) - [You must be registered and logged in to see this link.]
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - [You must be registered and logged in to see this link.]
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - [You must be registered and logged in to see this link.]
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Background Intelligent Transfer Service (BITS) - Unknown owner - C:\WINDOWS\
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: COMODO Internet Security Helper Service (cmdAgent) - COMODO - C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
O23 - Service: Creative Labs Licensing Service - Creative Labs - C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Intel(R) Quick Resume technology (ELService) - Intel Corporation - C:\Program Files\Intel\IntelDH\Intel(R) Quick Resume Technology Drivers\Elservice.exe
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktopManager.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Unknown owner - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe (file missing)
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Automatic Updates (wuauserv) - Unknown owner - C:\WINDOWS\

--
End of file - 12168 bytes

Chads10R
Novice
Novice

Posts Posts : 44
Joined Joined : 2009-12-29
Gender Gender : Male
OS OS : Windows XP SP2
Points Points : 25954
# Likes # Likes : 0

View user profile

Back to top Go down

Re: Virus.Win32.Virut.CE@87251467 and Huer.Suspicious@86536553

Post by Origin on Sat Jan 09, 2010 9:03 pm

Good news we may have found the culprit Smile


1. Please download The Avenger by Swandog46 to your Desktop
Link: [You must be registered and logged in to see this link.]

  • Click on Avenger.zip to open the file
  • Extract avenger.exe to your desktop
2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+CCrying


Registry keys to delete:
HKLM\SYSTEM\ControlSet001\Services\ovfsthxpvpxckky
HKLM\SYSTEM\ControlSet001\Services\ovfsthxpvpxckky\main
HKLM\SYSTEM\ControlSet001\Services\ovfsthxpvpxckky\modules

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


3. Now, start The Avenger program by clicking on its icon on your desktop.

  • Under "Input script here:", paste in the script from the quote box above.
  • Leave the ticked box "Scan for rootkit" ticked.
  • Then tick "Disable any rootkits found"
  • Now click on the Execute to begin execution of the script.
  • Answer "Yes" twice when prompted.

    The Avenger will automatically do the following:

  • It will Restart your computer.
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
4. Please copy/paste the content of c:\avenger.txt into your reply.


While my help is always free, please consider donating to keep this site alive: [You must be registered and logged in to see this link.]

[You must be registered and logged in to see this link.]

Origin
Master
Master

Posts Posts : 2685
Joined Joined : 2009-05-05
Gender Gender : Male
OS OS : Windows Xp Sp3
Points Points : 31483
# Likes # Likes : 0

View user profile

Back to top Go down

Re: Virus.Win32.Virut.CE@87251467 and Huer.Suspicious@86536553

Post by Chads10R on Sat Jan 09, 2010 9:32 pm

Logfile of The Avenger Version 2.0, (c) by Swandog46
[You must be registered and logged in to see this link.]

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

Registry key "HKLM\SYSTEM\ControlSet001\Services\ovfsthxpvpxckky" deleted successfully.

Error: registry key "HKLM\SYSTEM\ControlSet001\Services\ovfsthxpvpxckky\main" not found!
Deletion of registry key "HKLM\SYSTEM\ControlSet001\Services\ovfsthxpvpxckky\main" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: registry key "HKLM\SYSTEM\ControlSet001\Services\ovfsthxpvpxckky\modules" not found!
Deletion of registry key "HKLM\SYSTEM\ControlSet001\Services\ovfsthxpvpxckky\modules" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Completed script processing.

*******************

Finished! Terminate.

Chads10R
Novice
Novice

Posts Posts : 44
Joined Joined : 2009-12-29
Gender Gender : Male
OS OS : Windows XP SP2
Points Points : 25954
# Likes # Likes : 0

View user profile

Back to top Go down

Re: Virus.Win32.Virut.CE@87251467 and Huer.Suspicious@86536553

Post by Origin on Sat Jan 09, 2010 9:42 pm

My bad.

  • In IceSword, press the Registry button on the bottom left of the program.
  • Drag the middle bar further to the right so you can see the paths.
  • Find this path and delete it (Right Click-->Delete)


[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\ovfsthxpvpxckky]


While my help is always free, please consider donating to keep this site alive: [You must be registered and logged in to see this link.]

[You must be registered and logged in to see this link.]

Origin
Master
Master

Posts Posts : 2685
Joined Joined : 2009-05-05
Gender Gender : Male
OS OS : Windows Xp Sp3
Points Points : 31483
# Likes # Likes : 0

View user profile

Back to top Go down

Re: Virus.Win32.Virut.CE@87251467 and Huer.Suspicious@86536553

Post by Chads10R on Sun Jan 10, 2010 1:43 am

I wasn't able to find that path.

Chads10R
Novice
Novice

Posts Posts : 44
Joined Joined : 2009-12-29
Gender Gender : Male
OS OS : Windows XP SP2
Points Points : 25954
# Likes # Likes : 0

View user profile

Back to top Go down

Re: Virus.Win32.Virut.CE@87251467 and Huer.Suspicious@86536553

Post by Belahzur on Sun Jan 10, 2010 2:01 am

1. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+CCrying


Drivers to delete:
ovfsthxpvpxckky

Files to delete:
C:\WINDOWS\system32\drivers\ovfsthxicoouodi.sys

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


2. Now, start The Avenger program by clicking on its icon on your desktop.

  • Under "Input script here:", paste in the script from the quote box above.
  • Leave the ticked box "Scan for rootkit" ticked.
  • Then tick "Disable any rootkits found"
  • Now click on the Execute to begin execution of the script.
  • Answer "Yes" twice when prompted.

    The Avenger will automatically do the following:

  • It will Restart your computer.
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
3. Please copy/paste the content of c:\avenger.txt into your reply.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Posts Posts : 34916
Joined Joined : 2008-08-03
Gender Gender : Male
OS OS : XP SP3 Media Centre
Points Points : 245069
# Likes # Likes : 1

View user profile

Back to top Go down

Re: Virus.Win32.Virut.CE@87251467 and Huer.Suspicious@86536553

Post by Chads10R on Sun Jan 10, 2010 2:12 am

Logfile of The Avenger Version 2.0, (c) by Swandog46
[You must be registered and logged in to see this link.]

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!


Error: registry key "\Registry\Machine\System\CurrentControlSet\Services\ovfsthxpvpxckky" not found!
Deletion of driver "ovfsthxpvpxckky" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "C:\WINDOWS\system32\drivers\ovfsthxicoouodi.sys" not found!
Deletion of file "C:\WINDOWS\system32\drivers\ovfsthxicoouodi.sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Completed script processing.

*******************

Finished! Terminate.

Chads10R
Novice
Novice

Posts Posts : 44
Joined Joined : 2009-12-29
Gender Gender : Male
OS OS : Windows XP SP2
Points Points : 25954
# Likes # Likes : 0

View user profile

Back to top Go down

Re: Virus.Win32.Virut.CE@87251467 and Huer.Suspicious@86536553

Post by Chads10R on Sun Jan 10, 2010 8:31 pm

I don't know if this helps or not but my AV found these viruses.

c:\cleanup.exe - TrojWare.Win32.Trojan.Agent.~FLX@17459050
c:\zip.exe - Backdoor.Win32.GameThief.Nileage.cz@16778290

Found in System Volume Infoformation:
TrojWare.Win32.Trojan.Agent.~FLX@17459050
Backdoor.Win32.GameThief.Nileage.cz@16778290
TrojWare.Win32.Qhost.SJ@28265172
Application.Win32.Nircmd.~@16774100
ApplicUnsaf.Win32.Hide.~AB@5325787

Chads10R
Novice
Novice

Posts Posts : 44
Joined Joined : 2009-12-29
Gender Gender : Male
OS OS : Windows XP SP2
Points Points : 25954
# Likes # Likes : 0

View user profile

Back to top Go down

Re: Virus.Win32.Virut.CE@87251467 and Huer.Suspicious@86536553

Post by Belahzur on Sun Jan 10, 2010 8:59 pm

False positive, they are legit, the avenger uses them.
Please try running MBAM again.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Posts Posts : 34916
Joined Joined : 2008-08-03
Gender Gender : Male
OS OS : XP SP3 Media Centre
Points Points : 245069
# Likes # Likes : 1

View user profile

Back to top Go down

Re: Virus.Win32.Virut.CE@87251467 and Huer.Suspicious@86536553

Post by Chads10R on Sun Jan 10, 2010 9:14 pm

Malwarebytes' Anti-Malware 1.42
Database version: 3453
Windows 5.1.2600 Service Pack 2
Internet Explorer 6.0.2900.2180

1/10/2010 4:13:15 PM
mbam-log-2010-01-10 (16-13-01).txt

Scan type: Quick Scan
Objects scanned: 127425
Time elapsed: 8 minute(s), 57 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BITS\ImagePath (Hijack.WindowsUpdates) -> Bad: (%fystemRoot%\system32\svchost.exe -k netsvcs) Good: (%SystemRoot%\System32\svchost.exe -k netsvcs) -> No action taken.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\wuauserv\ImagePath (Hijack.WindowsUpdates) -> Bad: (%fystemroot%\system32\svchost.exe -k netsvcs) Good: (%SystemRoot%\System32\svchost.exe -k netsvcs) -> No action taken.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\Chad\Desktop\winlogon.scr (Heuristics.Reserved.Word.Exploit) -> No action taken.

Chads10R
Novice
Novice

Posts Posts : 44
Joined Joined : 2009-12-29
Gender Gender : Male
OS OS : Windows XP SP2
Points Points : 25954
# Likes # Likes : 0

View user profile

Back to top Go down

Re: Virus.Win32.Virut.CE@87251467 and Huer.Suspicious@86536553

Post by Belahzur on Mon Jan 11, 2010 12:40 am

Hello.

  • Download combofix from here
    [You must be registered and logged in to see this link.]
    [You must be registered and logged in to see this link.]

    1. If you are using Firefox, make sure that your download settings are as follows:

    * Tools->Options->Main tab
    * Set to "Always ask me where to Save the files".

    2. During the download, rename Combofix to Combo-Fix as follows:





    3. It is important you rename Combofix during the download, but not after.
    4. Please do not rename Combofix to other names, but only to the one indicated.
    5. Close any open browsers.
    6. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

  • We need to disable your local AV (Anti-virus) before running Combofix.
  • See [You must be registered and logged in to see this link.] for how to disable your AV.
  • Double click on ComboFix.exe.
  • Follow the prompts. NOTE:
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
    ***It's strongly recommended to have the Recovery Console installed before doing any malware removal.***

    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will automatically proceed with its scan.


  • The Recovery Console provides a recovery/repair mode should a problem occur during a Combofix run.



  • Allow ComboFix to download the Recovery Console.
  • Accept the End-User License Agreement.
  • The Recovery Console will be installed.
  • You will then get this next prompt that asks if you want to continue the malware scan, select yes



  • Allow combofix to run
  • Post C:\combofix.txt back here.

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Posts Posts : 34916
Joined Joined : 2008-08-03
Gender Gender : Male
OS OS : XP SP3 Media Centre
Points Points : 245069
# Likes # Likes : 1

View user profile

Back to top Go down

Re: Virus.Win32.Virut.CE@87251467 and Huer.Suspicious@86536553

Post by Chads10R on Mon Jan 11, 2010 12:49 am

This is what I got when I tried to run Combo-Fix:

32788R22FWJFW\iexplore.exe & hidec.exe & n.pif, Windows cannot access the specified device, path, or file. you may not have appropriate permissions to access the item.

Chads10R
Novice
Novice

Posts Posts : 44
Joined Joined : 2009-12-29
Gender Gender : Male
OS OS : Windows XP SP2
Points Points : 25954
# Likes # Likes : 0

View user profile

Back to top Go down

Re: Virus.Win32.Virut.CE@87251467 and Huer.Suspicious@86536553

Post by Belahzur on Mon Jan 11, 2010 12:56 am

Please use the Internet Explorer browser, and do an online scan with [You must be registered and logged in to see this link.]

Note: If you have used this particular scanner before, you MAY HAVE TO UNINSTALL the program through Add/Remove Programs before downloading the new ActiveX component

Click Accept, when prompted to download and install the program files and database of malware definitions.

  • Click Run at the Security prompt.
  • The program will then begin downloading and installing and will also update the database.
  • Please be patient as this can take several minutes.
  • Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Click View scan report at the bottom.
  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply.

    **Note**

    To optimize scanning time and produce a more sensible report for review:

  • Close any open programs.
  • Turn off the real-time scanner of all antivirus or antispyware programs while performing the online scan.

Note for Internet Explorer 7 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Posts Posts : 34916
Joined Joined : 2008-08-03
Gender Gender : Male
OS OS : XP SP3 Media Centre
Points Points : 245069
# Likes # Likes : 1

View user profile

Back to top Go down

Re: Virus.Win32.Virut.CE@87251467 and Huer.Suspicious@86536553

Post by Chads10R on Mon Jan 11, 2010 1:05 am

The online scanner is not available right now.

Chads10R
Novice
Novice

Posts Posts : 44
Joined Joined : 2009-12-29
Gender Gender : Male
OS OS : Windows XP SP2
Points Points : 25954
# Likes # Likes : 0

View user profile

Back to top Go down

Re: Virus.Win32.Virut.CE@87251467 and Huer.Suspicious@86536553

Post by Belahzur on Mon Jan 11, 2010 1:19 am

Please run a free online scan with the [You must be registered and logged in to see this link.]
Note: You will need to use Internet Explorer for this scan

  • Tick the box next to YES, I accept the Terms of Use
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the options Remove found threats and the option Scan unwanted applications is checked
  • Click Scan (This scan can take several hours, so please be patient)
  • Once the scan is completed, you may close the window
  • Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  • Copy and paste that log as a reply to this topic


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Posts Posts : 34916
Joined Joined : 2008-08-03
Gender Gender : Male
OS OS : XP SP3 Media Centre
Points Points : 245069
# Likes # Likes : 1

View user profile

Back to top Go down

Re: Virus.Win32.Virut.CE@87251467 and Huer.Suspicious@86536553

Post by Chads10R on Mon Jan 11, 2010 6:46 am

This is what I get when I try to run ESET Online Scanner and it is trying to download virus signature updates:

Can not get update. Is proxy configured?

Chads10R
Novice
Novice

Posts Posts : 44
Joined Joined : 2009-12-29
Gender Gender : Male
OS OS : Windows XP SP2
Points Points : 25954
# Likes # Likes : 0

View user profile

Back to top Go down

Re: Virus.Win32.Virut.CE@87251467 and Huer.Suspicious@86536553

Post by Origin on Mon Jan 11, 2010 7:08 am

Hello, are you behind a proxy? If so what browser are you using?


While my help is always free, please consider donating to keep this site alive: [You must be registered and logged in to see this link.]

[You must be registered and logged in to see this link.]

Origin
Master
Master

Posts Posts : 2685
Joined Joined : 2009-05-05
Gender Gender : Male
OS OS : Windows Xp Sp3
Points Points : 31483
# Likes # Likes : 0

View user profile

Back to top Go down

Re: Virus.Win32.Virut.CE@87251467 and Huer.Suspicious@86536553

Post by Chads10R on Mon Jan 11, 2010 7:14 am

I don't think I am behind a proxy

Chads10R
Novice
Novice

Posts Posts : 44
Joined Joined : 2009-12-29
Gender Gender : Male
OS OS : Windows XP SP2
Points Points : 25954
# Likes # Likes : 0

View user profile

Back to top Go down

Re: Virus.Win32.Virut.CE@87251467 and Huer.Suspicious@86536553

Post by Chads10R on Mon Jan 11, 2010 11:37 pm

I was able to get the ESET Scanner to work.

ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
esets_scanner_update returned -1 esets_gle=1
esets_scanner_update returned -1 esets_gle=1
esets_scanner_update returned -1 esets_gle=1
esets_scanner_update returned -1 esets_gle=1
esets_scanner_update returned -1 esets_gle=1
# version=7
# iexplore.exe=6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=4f27eba714833a4890841f6cbc9d0bc6
# end=finished
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2010-01-11 11:32:33
# local_time=2010-01-11 06:32:33 (-0500, Eastern Standard Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 2
# compatibility_mode=512 16777215 100 0 0 0 0 0
# compatibility_mode=3073 16777173 80 89 0 2854509 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=93673
# found=0
# cleaned=0
# scan_time=3272

Chads10R
Novice
Novice

Posts Posts : 44
Joined Joined : 2009-12-29
Gender Gender : Male
OS OS : Windows XP SP2
Points Points : 25954
# Likes # Likes : 0

View user profile

Back to top Go down

Re: Virus.Win32.Virut.CE@87251467 and Huer.Suspicious@86536553

Post by Belahzur on Wed Jan 13, 2010 12:31 am

Hello.
I don't want to go any further, because of the likely hood of this ends up being Virut. Virut is an infection which CANNOT be fixed without formatting. The longer we try and track it down, the stronger it will get and infect more files.

Virut is capable of infecting all the machine's executable files (.exe) and screensaver files (.scr). However, the problem is that the virus has a number of bugs in its code, and as a result, it may misinfect a proportion of executable files and therefore, the files are corrupted beyond repair. As of now, security experts suggest that a format and clean install, or destructive recovery if you have an OEM recovery partition, is the best way to clean the infection and it is the best and safest way to return the machine to its normal working state.

Backup all your documents and important items (personal data, work documents, etc) only. DO NOT backup any executable files (softwares) and screensavers (*.scr). It attempts to infect any accessed .exe or .scr files by appending itself to the executable.

Also, avoid backing up compressed files (zip/cab/rar) files that have .exe or .scr files inside them. Virut can penetrate and infect .exe files inside compressed files too.

Recent variants also modify htm, html, asp and php files.

Do not back up to another machine, as it may become compromised. Burn to DVD/CD, or to an external drive which has nothing else on it, and which you can format should it happen to become infected from the backups.


For more information, please see [You must be registered and logged in to see this link.]

Instructions how to format and reinstall Windows can be found [You must be registered and logged in to see this link.]


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Posts Posts : 34916
Joined Joined : 2008-08-03
Gender Gender : Male
OS OS : XP SP3 Media Centre
Points Points : 245069
# Likes # Likes : 1

View user profile

Back to top Go down

Re: Virus.Win32.Virut.CE@87251467 and Huer.Suspicious@86536553

Post by Chads10R on Wed Jan 13, 2010 1:00 am

I thank you very much for the assistance and I will report back after I have reformatted the drive.

Chads10R
Novice
Novice

Posts Posts : 44
Joined Joined : 2009-12-29
Gender Gender : Male
OS OS : Windows XP SP2
Points Points : 25954
# Likes # Likes : 0

View user profile

Back to top Go down

Re: Virus.Win32.Virut.CE@87251467 and Huer.Suspicious@86536553

Post by Chads10R on Tue Jan 26, 2010 12:03 am

After reformatting the drive, everything seems to be working fine. Thank you again for the assistance.

Chads10R
Novice
Novice

Posts Posts : 44
Joined Joined : 2009-12-29
Gender Gender : Male
OS OS : Windows XP SP2
Points Points : 25954
# Likes # Likes : 0

View user profile

Back to top Go down

Page 1 of 2 1, 2  Next

View previous topic View next topic Back to top

- Similar topics

 
Permissions in this forum:
You cannot reply to topics in this forum