GeekPolice

Infected with Virtob, please help


Post by nesta_p on Fri Mar 20, 2009 6:17 am

I am getting random DCOM attacks. My antivirus says I have been infected with Virtob, but can't fix it.

Here is my HJT Log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:09:48 PM, on 3/19/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
d:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
d:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
D:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
D:\Program Files\Lexmark 3500-4500 Series\Lexmark 3500-4500 Series\lxdimon.exe
D:\Program Files\Lexmark 3500-4500 Series\Lexmark 3500-4500 Series\lxdiamon.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\WINDOWS\system32\ctfmon.exe
D:\Program Files\DAEMON Tools\daemon.exe
C:\WINDOWS\system32\lxdicoms.exe
C:\WINDOWS\System32\svchost.exe
d:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
d:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Documents and Settings\Jimmy.VALUED-20606295\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [You must be registered and logged in to see this link.]
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [avast!] d:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [NBKeyScan] "D:\Program Files\Nero\Nero 8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [lxdimon.exe] "d:\Program Files\Lexmark 3500-4500 Series\Lexmark 3500-4500 Series\lxdimon.exe"
O4 - HKLM\..\Run: [lxdiamon] "d:\Program Files\Lexmark 3500-4500 Series\Lexmark 3500-4500 Series\lxdiamon.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DAEMON Tools Lite] "D:\Program Files\DAEMON Tools\daemon.exe" -autorun
O4 - HKCU\..\Run: [AlcoholAutomount] "d:\Program Files\Alcohol Soft\Alcohol 120\axcmd.exe" /automount
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - [You must be registered and logged in to see this link.]
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - [You must be registered and logged in to see this link.]
O16 - DPF: {48884C41-EFAC-433D-958A-9FADAC41408E} (EGamesPlugin Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - [You must be registered and logged in to see this link.]
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {ADCC68D4-AAEA-4338-817D-1F261D9FB759} (ENetLauncher Control) - [You must be registered and logged in to see this link.]
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} (HGPlugin9USA Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {DD583921-A9E9-4FBF-9266-8DC2AB5EA0AF} (HGPlugin10USA Class) - [You must be registered and logged in to see this link.]
O20 - Winlogon Notify: !SASWinLogon - D:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - d:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - d:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - d:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - d:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: lxdiCATSCustConnectService - Lexmark International, Inc. - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\\lxdiserv.exe
O23 - Service: lxdi_device - - C:\WINDOWS\system32\lxdicoms.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe

--
End of file - 7191 bytes

nesta_p
Novice
Posts : 10
Joined : 2009-03-20
OS : XP SP2

Re: Infected with Virtob, please help

Post by Belahzur on Fri Mar 20, 2009 9:19 am


  • Please download DDS by sUBs to your Desktop (Important!!) from one of these locations:
    [You must be registered and logged in to see this link.]
    [You must be registered and logged in to see this link.]
    [You must be registered and logged in to see this link.]
  • Double click DDS.scr to run
  • When complete, DDS.txt will open.
  • Save the report to your Desktop.
  • Copy and paste DDS.txt back here, I don't need to see attach.txt.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Posts : 34916
Joined : 2008-08-03
OS : XP SP3 Media Centre

Re: Infected with Virtob, please help

Post by nesta_p on Fri Mar 20, 2009 7:50 pm

Thanks for the fast reply on such short notice. Here is DDS.txt:


DDS (Ver_09-03-16.01) - NTFSx86
Run by Jimmy at 12:48:15.57 on Fri 03/20/2009
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.768.452 [GMT -7:00]

AV: avast! antivirus 4.8.1335 [VPS 090319-0] *On-access scanning disabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
svchost.exe
d:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
d:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
D:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
D:\Program Files\Lexmark 3500-4500 Series\Lexmark 3500-4500 Series\lxdimon.exe
D:\Program Files\Lexmark 3500-4500 Series\Lexmark 3500-4500 Series\lxdiamon.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
D:\Program Files\DAEMON Tools\daemon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\lxdicoms.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
d:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
d:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Documents and Settings\Jimmy.VALUED-20606295\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = [You must be registered and logged in to see this link.]
mDefault_Page_URL = [You must be registered and logged in to see this link.]
uInternet Connection Wizard,ShellNext = iexplore
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: : {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [DAEMON Tools Lite] "d:\program files\daemon tools\daemon.exe" -autorun
uRun: [AlcoholAutomount] "d:\program files\alcohol soft\alcohol 120\axcmd.exe" /automount
mRun: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
mRun: [avast!] d:\progra~1\alwils~1\avast4\ashDisp.exe
mRun: [NBKeyScan] "d:\program files\nero\nero 8\nero backitup\NBKeyScan.exe"
mRun: [lxdimon.exe] "d:\program files\lexmark 3500-4500 series\lexmark 3500-4500 series\lxdimon.exe"
mRun: [lxdiamon] "d:\program files\lexmark 3500-4500 series\lexmark 3500-4500 series\lxdiamon.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBC} - c:\program files\java\jre6\bin\jp2iexp.dll
DPF: Microsoft XML Parser for Java - [You must be registered and logged in to see this link.]
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - [You must be registered and logged in to see this link.]
DPF: {48884C41-EFAC-433D-958A-9FADAC41408E} - [You must be registered and logged in to see this link.]
DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} - [You must be registered and logged in to see this link.]
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - [You must be registered and logged in to see this link.]
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - [You must be registered and logged in to see this link.]
DPF: {ADCC68D4-AAEA-4338-817D-1F261D9FB759} - [You must be registered and logged in to see this link.]
DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - [You must be registered and logged in to see this link.]
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - [You must be registered and logged in to see this link.]
DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} - [You must be registered and logged in to see this link.]
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - [You must be registered and logged in to see this link.]
DPF: {DD583921-A9E9-4FBF-9266-8DC2AB5EA0AF} - [You must be registered and logged in to see this link.]
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Notify: !SASWinLogon - d:\program files\superantispyware\SASWINLO.dll
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - d:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\jimmy~1.val\applic~1\mozilla\firefox\profiles\skwmol9v.default\
FF - plugin: d:\program files\videolan\vlc\npvlc.dll

============= SERVICES / DRIVERS ===============

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-4-7 114768]
R1 SASDIFSV;SASDIFSV;d:\program files\superantispyware\sasdifsv.sys [2006-10-10 5632]
R1 SASKUTIL;SASKUTIL;d:\program files\superantispyware\SASKUTIL.SYS [2007-2-27 32256]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2008-8-6 20560]
R2 avast! Antivirus;avast! Antivirus;d:\program files\alwil software\avast4\ashServ.exe [2008-6-3 138680]
R2 lxdi_device;lxdi_device;c:\windows\system32\lxdicoms.exe -service --> c:\windows\system32\lxdicoms.exe -service [?]
R3 avast! Mail Scanner;avast! Mail Scanner;d:\program files\alwil software\avast4\ashMaiSv.exe [2008-6-3 254040]
R3 avast! Web Scanner;avast! Web Scanner;d:\program files\alwil software\avast4\ashWebSv.exe [2008-6-3 352920]
R3 SiS7012;Service for AC'97 Sample Driver (WDM);c:\windows\system32\drivers\sis7012.sys [2002-4-24 175232]
S2 lxdiCATSCustConnectService;lxdiCATSCustConnectService;c:\windows\system32\spool\drivers\w32x86\3\lxdiserv.exe [2008-3-18 99248]
S3 HFXLowerFilter;HFXLowerFilter;c:\windows\system32\drivers\hfx_lfd.sys [2006-6-21 21632]
S3 libusb0;LibUsb-Win32 - Kernel Driver, Version 0.1.10.1;c:\windows\system32\drivers\libusb0.sys [2007-8-19 33792]
S3 LucentSoftModem;Lucent Technologies Soft Modem;c:\windows\system32\drivers\LTSM.sys [2002-4-24 807917]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2005-8-2 32512]
S3 SASENUM;SASENUM;d:\program files\superantispyware\SASENUM.SYS [2006-2-16 4096]
S3 sejt1;sejt1;\??\d:\s\sejtengine\sejt.sys --> d:\s\sejtengine\sejt.sys [?]
S3 SMBE;Sony MPEG2 Encoder Board (WDM);c:\windows\system32\drivers\Smbe.sys [2002-4-24 594668]
S3 XDva008;XDva008;\??\c:\windows\system32\xdva008.sys --> c:\windows\system32\XDva008.sys [?]
S3 zenx1;zenx1;\??\c:\documents and settings\jimmy.valued-20606295\my documents\my received files\zenxengine gms\zenxengine_latest\zenxengine_latest\zenx.sys --> c:\documents and settings\jimmy.valued-20606295\my documents\my received files\zenxengine gms\zenxengine_latest\zenxengine_latest\zenx.sys [?]

=============== Created Last 30 ================


==================== Find3M ====================

2009-03-19 23:26 82,484 a------- c:\windows\War3Unin.dat
2009-01-15 23:56 4 ---shr-- c:\docume~1\alluse~1\applic~1\sysqcl0.dat
2008-12-18 00:53 604 a---h--- c:\program files\STLL Notifier
2008-08-18 00:56 784 a------- c:\docume~1\jimmy~1.val\applic~1\mpauth.dat
2008-02-18 13:25 35,184 a------- c:\docume~1\jimmy~1.val\applic~1\GDIPFONTCACHEV1.DAT

============= FINISH: 12:49:04.79 ===============


Re: Infected with Virtob, please help

Post by Belahzur on Fri Mar 20, 2009 7:54 pm

Hello.
Bad and good news.

Bad news - Virtob is also known as Virut, a file infector which can't be fixed without formatting.
Good news - DDS log says no exe files modified within the past month, so there may still be some hope.

* Download Dr.Web CureIt to the desktop:
[You must be registered and logged in to see this link.]

  • Double-click the drweb-cureit.exe file and allow it to run the express scan.
  • This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
  • Once the short scan has finished, Click Options > Change settings
  • Choose the "Scan"-tab, remove the mark at "Heuristic analysis".
  • Back at the main window, mark the drives that you want to scan.
  • Select all drives. A red dot shows which drives have been chosen.
  • Click the green arrow at the right, and the scan will start.
  • Click 'Yes to all' if it asks if you want to cure/move the file.
  • When the scan has finished, look whether you can click the next icon next to the files found:
  • If so, click it, then click the next icon right below and select Move incurable, as you'll see in the next image:

    This will move it to the %userprofile%\DoctorWeb\quarantaine-folder if it can't be cured (this is in case we need samples).
  • After selecting, in the Dr.Web CureIt menu on top, click file and choose save report list
  • Save the report to your desktop. The report will be called DrWeb.csv
  • Close Dr.Web Cureit.
  • Reboot your computer! Files that are in use may only be moved/deleted during the reboot.
  • After reboot, post the contents of the log from Dr.Web you saved previously in your next reply.


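The reading Belahzur gives of the DDS log above (drivers such as sejt1 and zenx1 whose image files DDS printed no date/size for, one of them sitting under a user profile, and no executables in Find3M modified within the past month) can be mechanised. What follows is an added example, not code from the thread or from DDS itself: it parses the SERVICES / DRIVERS and Find3M sections and applies those two checks. The sample lines are copied from the posted log except the one marked CONSTRUCTED (and the zenx1 path has its intermediate folders elided); the function names, the TRUSTED_ROOTS list and the heuristics are my own assumptions.

```python
"""Added example (not from the thread, not DDS code): triage helpers for the
SERVICES / DRIVERS and Find3M sections of a DDS log. Sample lines are taken
from the log posted above; the one marked CONSTRUCTED is invented for the demo."""
import re
from datetime import date, timedelta

# "<state> <name>;<display>;<image path> [<date> <size>]", or when DDS had to
# resolve the path: "... <raw> --> <resolved> [?]". A trailing "[?]" means DDS
# printed no date/size for the image file, i.e. it could not stat it.
DRIVER_RE = re.compile(r"^(?P<state>[RS]\d)\s+(?P<name>[^;]+);[^;]*;(?P<rest>.*)$")
TAIL_RE = re.compile(r"\s\[(?P<tail>[^\]]*)\]\s*$")
# Find3M: "<yyyy-mm-dd> <hh:mm> <size> <attrs> <path>"
FIND3M_RE = re.compile(r"^(?P<date>\d{4}-\d{2}-\d{2})\s+\d{2}:\d{2}\s+"
                       r"(?P<size>[\d,]+|-+)\s+(?P<attrs>\S+)\s+(?P<path>.+)$")

EXEC_EXT = (".exe", ".dll", ".sys", ".scr", ".ocx", ".cpl")
# Assumed "normal" image locations for this machine (Program Files lives on D:).
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "d:\\program files\\")
RUN_DATE = date(2009, 3, 20)  # the date the log above was run

SAMPLE_DRIVERS = [
    r"R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-4-7 114768]",
    r"R2 lxdi_device;lxdi_device;c:\windows\system32\lxdicoms.exe -service --> c:\windows\system32\lxdicoms.exe -service [?]",
    r"S3 sejt1;sejt1;\??\d:\s\sejtengine\sejt.sys --> d:\s\sejtengine\sejt.sys [?]",
    r"S3 XDva008;XDva008;\??\c:\windows\system32\xdva008.sys --> c:\windows\system32\XDva008.sys [?]",
    # intermediate folders of the zenx1 path elided for readability
    r"S3 zenx1;zenx1;\??\c:\documents and settings\jimmy.valued-20606295\my received files\zenx.sys --> c:\documents and settings\jimmy.valued-20606295\my received files\zenx.sys [?]",
]
SAMPLE_FIND3M = [
    r"2009-03-19 23:26 82,484 a------- c:\windows\War3Unin.dat",
    r"2009-01-15 23:56 4 ---shr-- c:\docume~1\alluse~1\applic~1\sysqcl0.dat",
    r"2009-03-18 10:00 59,904 a------- c:\windows\system32\example.scr",  # CONSTRUCTED
]


def parse_driver_line(line):
    """Return {'state','name','path','file_found'} for one driver line, else None."""
    m = DRIVER_RE.match(line.strip())
    if not m:
        return None
    rest = m.group("rest")
    tail_m = TAIL_RE.search(rest)
    tail = tail_m.group("tail") if tail_m else ""
    pathinfo = rest[:tail_m.start()] if tail_m else rest
    if " --> " in pathinfo:            # prefer the resolved path
        pathinfo = pathinfo.split(" --> ", 1)[1]
    path = pathinfo.strip().split(" -", 1)[0].lower()  # drop args like "-service"
    return {"state": m.group("state"), "name": m.group("name"),
            "path": path, "file_found": tail != "?"}


def flag_driver(entry):
    """Defender-side heuristics: reasons an analyst would look twice at this entry."""
    reasons = []
    if not entry["file_found"]:
        reasons.append("image file not found on disk (orphaned or hidden)")
    p = entry["path"]
    if "\\documents and settings\\" in p:
        reasons.append("kernel driver loaded from a user profile directory")
    elif not p.startswith(TRUSTED_ROOTS):
        reasons.append("image outside Windows / Program Files")
    return reasons


def triage_drivers(lines):
    """Map driver name -> reasons, for entries that earned at least one."""
    flagged = {}
    for line in lines:
        entry = parse_driver_line(line)
        if entry and flag_driver(entry):
            flagged[entry["name"]] = flag_driver(entry)
    return flagged


def recent_executables(lines, run_date=RUN_DATE, days=30):
    """Executable-type files whose Find3M date lies within `days` of the run:
    Belahzur's 'no exe files modified within the past month' check, made explicit."""
    hits = []
    for line in lines:
        m = FIND3M_RE.match(line.strip())
        if not m or not m.group("path").lower().endswith(EXEC_EXT):
            continue
        y, mo, d = (int(x) for x in m.group("date").split("-"))
        if run_date - date(y, mo, d) <= timedelta(days=days):
            hits.append(m.group("path").strip())
    return hits


if __name__ == "__main__":
    for name, reasons in triage_drivers(SAMPLE_DRIVERS).items():
        print(f"{name}: " + "; ".join(reasons))
    print("recently modified executables:", recent_executables(SAMPLE_FIND3M))
```

The flags are prompts to look, not verdicts: lxdi_device is flagged only because DDS printed `[?]` for an image path that carries a `-service` argument, and the same lxdicoms.exe appears in the running-process list, so it is almost certainly benign. Likewise a quiet Find3M section is consistent with Belahzur's hopeful reading but does not prove it; a file infector modifies executables in place, and the ComboFix output later in this thread lists a fresh 55.scr and deletes c:\windows\system32\x.exe.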

Re: Infected with Virtob, please help

Post by nesta_p on Fri Mar 20, 2009 9:22 pm

The version of Dr.Web CureIt you are talking about must have been different than mine, because I did not see that icon. So I right-clicked my infected file and clicked Move Incurable. Here is DrWeb.csv:

mirc.exe;D:\Program Files\mIRC;Program.mIRC.617;Incurable.Moved.;


Re: Infected with Virtob, please help

Post by Belahzur on Fri Mar 20, 2009 9:34 pm

Hello.
Do you know what this is?

zenxengine gms

It was, or still is, in My Received Files, as if it was sent through MSN.



Re: Infected with Virtob, please help

Post by nesta_p on Fri Mar 20, 2009 9:38 pm

... double post. This virus is screwing my computer


Last edited by nesta_p on Fri Mar 20, 2009 9:40 pm; edited 1 time in total


Re: Infected with Virtob, please help

Post by nesta_p on Fri Mar 20, 2009 9:39 pm

It's a trainer for a game. Should I delete it? (I thought I deleted it a while ago.)


Re: Infected with Virtob, please help

Post by Belahzur on Fri Mar 20, 2009 9:40 pm

Hello.
We'll see what this says.

Please download the [You must be registered and logged in to see this link.].

  • Save it to your desktop.
  • Please double-click OTMoveIt3.exe to run it.
  • Copy the bolded text below to the clipboard by highlighting ALL of it and pressing CTRL + C (or, after highlighting, right-click and choose Copy).


    :services
    sejt1
    zenx1

    :files
    c:\documents and settings\jimmy.valued-20606295\my documents\my received files\zenxengine gms
    d:\s


  • Return to OTMoveIt3, right click in the "Paste instructions for items to be Moved" window (under the light blue bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt3
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Please post the OTMoveIt log.



Re: Infected with Virtob, please help

Post by nesta_p on Fri Mar 20, 2009 9:52 pm

My OTMoveIt log:

========== SERVICES/DRIVERS ==========

Service\Driver sejt1 deleted successfully.

Service\Driver zenx1 deleted successfully.
========== FILES ==========
File/Folder c:\documents and settings\jimmy.valued-20606295\my documents\my received files\zenxengine gms not found.
File/Folder d:\s not found.

OTMoveIt3 by OldTimer - Version 1.0.9.0 log created on 03202009_145043




My computer is still acting up. I keep getting the same virus messages from my antivirus. Plus, my computer is always busy (there always seems to be an hourglass beside my mouse pointer).


Re: Infected with Virtob, please help

Post by Belahzur on Fri Mar 20, 2009 10:18 pm

Does your AV say where this virus is located?
Let's go even deeper.


  • Download combofix from here
    [You must be registered and logged in to see this link.]
    [You must be registered and logged in to see this link.]
  • We need to disable your local AV (Anti-virus) before running Combofix.
  • See [You must be registered and logged in to see this link.] for how to disable your AV. (avast!)
  • Double click on ComboFix.exe.
  • Follow the prompts. NOTE:
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
    ***It's strongly recommended to have the Recovery Console installed before doing any malware removal.***

    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will automatically proceed with its scan.


  • The Recovery Console provides a recovery/repair mode should a problem occur during a Combofix run.



  • Allow ComboFix to download the Recovery Console.
  • Accept the End-User License Agreement.
  • The Recovery Console will be installed.
  • You will then get this next prompt that asks if you want to continue the malware scan, select yes



  • Allow combofix to run
  • Post C:\combofix.txt back here.

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.



Re: Infected with Virtob, please help

Post by nesta_p on Fri Mar 20, 2009 10:42 pm

My antivirus does show where the virus is found.

Here is a log of what my AV found in the past two days, when the virus started breaking out on my computer:
3/19/2009 10:32:15 PM SYSTEM 1328 Sign of "Win32:Bifrose-CKD [Trj]" has been found in "C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\OHZAYNQA\cnt[1].exe\[Armadillo]" file.
3/19/2009 10:39:01 PM SYSTEM 1328 AAVM - scanning warning: x_AavmCheckFileDirectEx [UNI]: C:\Documents and Settings\Jimmy.VALUED-20606295\Local Settings\Application Data\Mozilla\Firefox\Profiles\skwmol9v.default\urlclassifier3.sqlite (C:\Documents and Settings\Jimmy.VALUED-20606295\Local Settings\Application Data\Mozilla\Firefox\Profiles\skwmol9v.default\urlclassifier3.sqlite) returning error, 0000001E.
3/19/2009 10:39:07 PM SYSTEM 1328 Sign of "Win32:Bifrose-CKD [Trj]" has been found in "C:\WINDOWS\system32\18.scr\[Armadillo]" file.
3/19/2009 10:40:15 PM SYSTEM 1328 Sign of "Win32:Trojan-gen {Other}" has been found in "C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\S7EZ4D8Z\unc[1].exe" file.
3/19/2009 10:55:46 PM SYSTEM 1352 Sign of "Win32:Virtob" has been found in "C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\UMDZYNR0\x[1]" file.
3/19/2009 11:00:45 PM SYSTEM 1352 Sign of "Win32:Virtob" has been found in "C:\WINDOWS\system32\x.exe" file.
3/19/2009 11:02:13 PM SYSTEM 1352 AAVM - scanning warning: x_AavmCheckFileDirectEx [UNI]: C:\Documents and Settings\Jimmy.VALUED-20606295\Local Settings\Application Data\Mozilla\Firefox\Profiles\skwmol9v.default\urlclassifier3.sqlite (C:\Documents and Settings\Jimmy.VALUED-20606295\Local Settings\Application Data\Mozilla\Firefox\Profiles\skwmol9v.default\urlclassifier3.sqlite) returning error, 0000001E.
3/19/2009 11:02:57 PM SYSTEM 1352 AAVM - scanning warning: x_AavmCheckFileDirectEx [UNI]: C:\Documents and Settings\Jimmy.VALUED-20606295\Local Settings\Application Data\Mozilla\Firefox\Profiles\skwmol9v.default\urlclassifier3.sqlite (C:\Documents and Settings\Jimmy.VALUED-20606295\Local Settings\Application Data\Mozilla\Firefox\Profiles\skwmol9v.default\urlclassifier3.sqlite) returning error, 0000001E.
3/19/2009 11:04:55 PM SYSTEM 1352 AAVM - scanning warning: x_AavmCheckFileDirectEx [UNI]: C:\Documents and Settings\Jimmy.VALUED-20606295\Local Settings\Application Data\Mozilla\Firefox\Profiles\skwmol9v.default\urlclassifier3.sqlite (C:\Documents and Settings\Jimmy.VALUED-20606295\Local Settings\Application Data\Mozilla\Firefox\Profiles\skwmol9v.default\urlclassifier3.sqlite) returning error, 0000001E.
3/19/2009 11:21:28 PM SYSTEM 1316 Sign of "Win32:Trojan-gen {Other}" has been found in "C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\UMDZYNR0\x[3]" file.
3/19/2009 11:21:43 PM SYSTEM 1316 Sign of "Win32:Trojan-gen {Other}" has been found in "C:\WINDOWS\system32\x.exe" file.
3/20/2009 1:15:11 AM SYSTEM 1316 Sign of "Win32:Trojan-gen {Other}" has been found in "C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\2D6D0P0N\unc[1].exe" file.
3/20/2009 1:17:09 AM SYSTEM 1316 Sign of "Win32:Trojan-gen {Other}" has been found in "C:\WINDOWS\system32\x.exe" file.
3/20/2009 1:23:58 AM SYSTEM 1316 Sign of "Win32:Virtob" has been found in "C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\3HN1G8DN\x[1]" file.
3/20/2009 1:24:07 AM SYSTEM 1316 Sign of "Win32:Virtob" has been found in "C:\WINDOWS\system32\x.exe" file.
3/20/2009 1:24:24 AM SYSTEM 1316 Sign of "Win32:Virtob" has been found in "C:\WINDOWS\System32\x.exe" file.
3/20/2009 1:49:19 AM SYSTEM 1316 AAVM - scanning warning: x_AavmCheckFileDirectEx [UNI]: C:\Documents and Settings\Jimmy.VALUED-20606295\Local Settings\Application Data\Mozilla\Firefox\Profiles\skwmol9v.default\urlclassifier3.sqlite (C:\Documents and Settings\Jimmy.VALUED-20606295\Local Settings\Application Data\Mozilla\Firefox\Profiles\skwmol9v.default\urlclassifier3.sqlite) returning error, 0000001E.
3/20/2009 12:55:38 PM SYSTEM 1452 Sign of "Win32:Virtob" has been found in "C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\UMDZYNR0\x[3]" file.
3/20/2009 12:55:59 PM SYSTEM 1452 Sign of "Win32:Virtob" has been found in "C:\WINDOWS\system32\x.exe" file.
3/20/2009 12:56:01 PM SYSTEM 1452 Sign of "Win32:Virtob" has been found in "C:\WINDOWS\System32\x.exe" file.
3/20/2009 2:08:34 PM SYSTEM 1452 AAVM - scanning warning: x_AavmCheckFileDirectEx [UNI]: C:\Documents and Settings\Jimmy.VALUED-20606295\Local Settings\Application Data\Mozilla\Firefox\Profiles\skwmol9v.default\urlclassifier3.sqlite (C:\Documents and Settings\Jimmy.VALUED-20606295\Local Settings\Application Data\Mozilla\Firefox\Profiles\skwmol9v.default\urlclassifier3.sqlite) returning error, 0000001E.

I am about to do the ComboFix part right now; I'll post it right after it finishes.

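Belahzur's question ("does your AV say where this virus is located?") is the right one, and the avast lines nesta_p pasted answer it if they are read as structured events rather than a wall of text. The block below is an added example, not code from the thread or from avast: it parses the "Sign of ... has been found in ..." lines, counts scanner warnings separately, and reports per-signature counts, files detected repeatedly (a dropper keeps re-creating them), and downloads that landed in the NetworkService account's IE cache. The sample lines are copied from the post above (one warning line shortened); the function names and the heuristics are my own.

```python
"""Added example (not from the thread, not avast code): parse avast 4 on-access
log lines into events and summarise what they say about the infection.
SAMPLE_AVAST_LOG is copied from the log posted above; the warning line is shortened."""
import re
from collections import Counter
from datetime import datetime

DETECT_RE = re.compile(
    r'^(?P<ts>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M) (?P<user>\S+) (?P<pid>\d+) '
    r'Sign of "(?P<sig>[^"]+)" has been found in "(?P<path>[^"]+)" file\.$')
WARN_RE = re.compile(r'^\d{1,2}/\d{1,2}/\d{4} .* AAVM - scanning warning:')
PACKER_RE = re.compile(r"\\\[[^\]]+\]$")   # trailing "\[Armadillo]" unpacker note

SAMPLE_AVAST_LOG = [
    r'3/19/2009 10:32:15 PM SYSTEM 1328 Sign of "Win32:Bifrose-CKD [Trj]" has been found in "C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\OHZAYNQA\cnt[1].exe\[Armadillo]" file.',
    # warning line, path shortened from the original
    r'3/19/2009 10:39:01 PM SYSTEM 1328 AAVM - scanning warning: x_AavmCheckFileDirectEx [UNI]: C:\Documents and Settings\Jimmy.VALUED-20606295\Local Settings\Application Data\Mozilla\Firefox\Profiles\skwmol9v.default\urlclassifier3.sqlite returning error, 0000001E.',
    r'3/19/2009 10:39:07 PM SYSTEM 1328 Sign of "Win32:Bifrose-CKD [Trj]" has been found in "C:\WINDOWS\system32\18.scr\[Armadillo]" file.',
    r'3/19/2009 10:55:46 PM SYSTEM 1352 Sign of "Win32:Virtob" has been found in "C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\UMDZYNR0\x[1]" file.',
    r'3/19/2009 11:00:45 PM SYSTEM 1352 Sign of "Win32:Virtob" has been found in "C:\WINDOWS\system32\x.exe" file.',
    r'3/19/2009 11:21:43 PM SYSTEM 1316 Sign of "Win32:Trojan-gen {Other}" has been found in "C:\WINDOWS\system32\x.exe" file.',
    r'3/20/2009 1:24:07 AM SYSTEM 1316 Sign of "Win32:Virtob" has been found in "C:\WINDOWS\system32\x.exe" file.',
    r'3/20/2009 1:24:24 AM SYSTEM 1316 Sign of "Win32:Virtob" has been found in "C:\WINDOWS\System32\x.exe" file.',
]


def parse_detection(line):
    """One 'Sign of ... has been found' line -> dict, or None for anything else."""
    m = DETECT_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m.group("ts"), "%m/%d/%Y %I:%M:%S %p"),
        "user": m.group("user"),
        "pid": int(m.group("pid")),
        "signature": m.group("sig"),
        # avast appends the packer it unwrapped; drop it and fold case so that
        # system32\x.exe and System32\x.exe count as the same file
        "path": PACKER_RE.sub("", m.group("path")).lower(),
    }


def summarize_avast(lines):
    """Aggregate detections the way an analyst reading this log would."""
    events, warnings = [], 0
    for line in lines:
        ev = parse_detection(line)
        if ev:
            events.append(ev)
        elif WARN_RE.match(line.strip()):
            warnings += 1
    by_path = Counter(ev["path"] for ev in events)
    return {
        "detections": len(events),
        "warnings": warnings,
        "by_signature": Counter(ev["signature"] for ev in events),
        # the same file flagged again and again: something keeps re-creating it
        "redetected": {p: n for p, n in by_path.items() if n >= 2},
        # files in the NetworkService account's IE cache were fetched by a
        # process running as that service account, not by the logged-on user
        "service_cache_downloads": sorted(
            p for p in by_path
            if "\\networkservice\\" in p and "\\temporary internet files\\" in p),
        "first": min(ev["ts"] for ev in events) if events else None,
        "last": max(ev["ts"] for ev in events) if events else None,
    }


if __name__ == "__main__":
    s = summarize_avast(SAMPLE_AVAST_LOG)
    print(f"{s['detections']} detections, {s['warnings']} scanner warnings, "
          f"{s['first']} .. {s['last']}")
    for sig, n in s["by_signature"].most_common():
        print(f"  {n}x {sig}")
    for path, n in s["redetected"].items():
        print(f"re-detected {n}x: {path}")
```

Two things fall out of the summary that the raw lines hide. First, C:\WINDOWS\system32\x.exe is caught four times across three hours under two different signatures, so on-access deletion is only trimming a symptom and something resident is re-dropping the file; that is why the thread moves on to ComboFix, whose output later lists x.exe and a sysdrv32.sys service among its deletions. Second, the downloads land in the NetworkService profile's IE cache rather than Jimmy's, which points at a component running in a service context fetching them, consistent with the DCOM-related symptoms in the first post.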

Re: Infected with Virtob, please help

Post by nesta_p on Fri Mar 20, 2009 11:07 pm

My combofix log:

ComboFix 09-03-19.02 - Jimmy 2009-03-20 15:47:56.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.768.465 [GMT -7:00]
Running from: c:\documents and settings\Jimmy.VALUED-20606295\Desktop\ComboFix.exe
AV: avast! antivirus 4.8.1335 [VPS 090320-0] *On-access scanning disabled* (Updated)
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Jimmy.VALUED-20606295\Local Settings\Temporary Internet Files\ijjistarter_verinfo.dat
c:\program files\PS TO USB CONVERTOR\CnsMin5.ico
C:\test.txt
c:\windows\system\svhost.exe
c:\windows\system32\drivers\sysdrv32.sys
c:\windows\system32\pac.txt
c:\windows\system32\SrchSTS.exe
c:\windows\system32\x.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_SYSDRV32
-------\Service_sysdrv32


((((((((((((((((((((((((( Files Created from 2009-02-20 to 2009-03-20 )))))))))))))))))))))))))))))))
.

2009-03-20 15:09 . 2009-03-20 15:09 59,904 --a------ c:\windows\system32\55.scr
2009-03-20 14:50 . 2009-03-20 14:50 d-------- C:\_OTMoveIt
2009-03-20 13:00 . 2009-03-20 13:00 d-------- c:\documents and settings\Jimmy.VALUED-20606295\DoctorWeb

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-20 22:50 --------- d-----w c:\program files\PS TO USB CONVERTOR
2009-03-20 05:50 --------- d-----w c:\documents and settings\Jimmy.VALUED-20606295\Application Data\Azureus
2009-03-17 21:04 --------- d-----w c:\documents and settings\Jimmy.VALUED-20606295\Application Data\vlc
2009-01-31 01:51 --------- d-----w c:\program files\Java
2009-01-29 05:54 --------- d--h--w c:\program files\InstallShield Installation Information
2009-01-29 05:54 --------- d-----w c:\program files\Common Files\InstallShield
2009-01-29 05:54 --------- d-----w c:\documents and settings\Jimmy.VALUED-20606295\Application Data\InstallShield
2009-01-29 05:54 --------- d-----w c:\documents and settings\All Users\Application Data\InstallShield
2009-01-29 05:05 --------- d-----w c:\program files\Teamspeak2_RC2
2009-01-29 05:05 --------- d-----w c:\documents and settings\Jimmy.VALUED-20606295\Application Data\teamspeak2
2009-01-21 06:08 --------- d-----w c:\program files\LibUSB-Win32-0.1.10.1
2009-01-16 06:56 4 --sh--r c:\documents and settings\All Users\Application Data\sysqcl0.dat
2008-12-18 07:53 604 ---ha-w c:\program files\STLL Notifier
2008-08-18 07:56 784 ----a-w c:\documents and settings\Jimmy.VALUED-20606295\Application Data\mpauth.dat
2008-02-18 20:25 35,184 ----a-w c:\documents and settings\Jimmy.VALUED-20606295\Application Data\GDIPFONTCACHEV1.DAT
2006-10-21 18:38 147,456 ----a-w c:\program files\mozilla firefox\plugins\CDVDiso.dll
2006-01-15 13:38 231,064 ----a-w c:\program files\mozilla firefox\plugins\CDVDisoEFP.dll
2005-05-14 15:04 151,040 ----a-w c:\program files\mozilla firefox\plugins\CDVDisolinuz.dll
2006-01-15 13:38 54,289 ----a-w c:\program files\mozilla firefox\plugins\CDVDlinuz.dll
2005-05-14 15:04 6,656 ----a-w c:\program files\mozilla firefox\plugins\CDVDnull.dll
2005-04-20 08:21 86,016 ----a-w c:\program files\mozilla firefox\plugins\cdvdPeops.dll
2005-05-14 15:04 6,656 ----a-w c:\program files\mozilla firefox\plugins\DEV9null.dll
2005-05-16 08:41 21,732 ----a-w c:\program files\mozilla firefox\plugins\FWnull.dll
2006-03-13 09:34 565,248 ----a-w c:\program files\mozilla firefox\plugins\GSdx9 sse2.dll
2006-03-13 16:33 602,112 ----a-w c:\program files\mozilla firefox\plugins\GSdx9.dll
2006-09-04 00:08 18,944 ----a-w c:\program files\mozilla firefox\plugins\PadSSSPSX.dll
2005-05-14 15:04 372,892 ----a-w c:\program files\mozilla firefox\plugins\PADwin.dll
2006-11-04 09:20 94,208 ----a-w c:\program files\mozilla firefox\plugins\spu2PeopsSound.dll
2005-05-14 15:04 9,728 ----a-w c:\program files\mozilla firefox\plugins\USBnull.dll
2006-11-17 22:06 7,892,992 ----a-w c:\program files\mozilla firefox\plugins\ZeroGS KOSMOS 0.96 non sse2.dll
2006-11-18 14:50 7,892,992 ----a-w c:\program files\mozilla firefox\plugins\ZeroGS KOSMOS 0.96 sse2.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"DAEMON Tools Lite"="d:\program files\DAEMON Tools\daemon.exe" [2008-04-01 486856]
"AlcoholAutomount"="d:\program files\Alcohol Soft\Alcohol 120\axcmd.exe" [2008-11-22 203720]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="NvQTwk" [X]
"avast!"="d:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-02-05 81000]
"lxdimon.exe"="d:\program files\Lexmark 3500-4500 Series\Lexmark 3500-4500 Series\lxdimon.exe" [2007-07-16 434864]
"lxdiamon"="d:\program files\Lexmark 3500-4500 Series\Lexmark 3500-4500 Series\lxdiamon.exe" [2007-07-16 25264]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-07-16 61440]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-11-10 136600]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.exe.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2006-06-24 113664]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "d:\program files\SUPERAntiSpyware\SASSEH.DLL" [2006-12-20 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2007-04-19 13:41 294912 d:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.MJPG"= sonymjpg.dll
"vidc.ffds"= d:\progra~1\COMBIN~1\Filters\FFDShow\ff_vfw.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WindowsTelephony]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"d:\\Program Files\\Lexmark 3500-4500 Series\\Lexmark 3500-4500 Series\\lxdimon.exe"=
"d:\\Program Files\\Alwil Software\\Avast4\\ashAvast.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdipswx.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdijswx.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxditime.exe"=
"c:\\WINDOWS\\system32\\lxdicoms.exe"=
"d:\\Program Files\\Lexmark 3500-4500 Series\\Lexmark 3500-4500 Series\\lxdiamon.exe"=
"d:\\Program Files\\Lexmark 3500-4500 Series\\Lexmark 3500-4500 Series\\App4R.exe"=
"c:\\WINDOWS\\System32\\55.scr"=

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-04-07 114768]
R1 SASDIFSV;SASDIFSV;d:\program files\SUPERAntiSpyware\sasdifsv.sys [2006-10-10 5632]
R1 SASKUTIL;SASKUTIL;d:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2007-02-27 32256]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2008-08-06 20560]
R2 lxdi_device;lxdi_device;c:\windows\system32\lxdicoms.exe -service --> c:\windows\system32\lxdicoms.exe -service [?]
R3 SiS7012;Service for AC'97 Sample Driver (WDM);c:\windows\system32\drivers\sis7012.sys [2002-04-24 175232]
S2 lxdiCATSCustConnectService;lxdiCATSCustConnectService;c:\windows\system32\spool\drivers\w32x86\3\lxdiserv.exe [2008-03-18 99248]
S2 WindowsTelephony;Windows Telephony;"c:\windows\system\svhost.exe" --> c:\windows\system\svhost.exe [?]
S3 HFXLowerFilter;HFXLowerFilter;c:\windows\system32\drivers\hfx_lfd.sys [2006-06-21 21632]
S3 libusb0;LibUsb-Win32 - Kernel Driver, Version 0.1.10.1;c:\windows\system32\drivers\libusb0.sys [2007-08-19 33792]
S3 LucentSoftModem;Lucent Technologies Soft Modem;c:\windows\system32\drivers\LTSM.sys [2002-04-24 807917]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2005-08-02 32512]
S3 SASENUM;SASENUM;d:\program files\SUPERAntiSpyware\SASENUM.SYS [2006-02-16 4096]
S3 SMBE;Sony MPEG2 Encoder Board (WDM);c:\windows\system32\drivers\Smbe.sys [2002-04-24 594668]
S3 XDva008;XDva008;\??\c:\windows\System32\XDva008.sys --> c:\windows\System32\XDva008.sys [?]
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-NBKeyScan - d:\program files\Nero\Nero 8\Nero BackItUp\NBKeyScan.exe


.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
uInternet Connection Wizard,ShellNext = iexplore
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
DPF: Microsoft XML Parser for Java - [You must be registered and logged in to see this link.]
DPF: {ADCC68D4-AAEA-4338-817D-1F261D9FB759} - [You must be registered and logged in to see this link.]
FF - ProfilePath - c:\documents and settings\Jimmy.VALUED-20606295\Application Data\Mozilla\Firefox\Profiles\skwmol9v.default\
FF - plugin: d:\program files\VideoLAN\VLC\npvlc.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2009-03-20 15:54:46
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(580)
d:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\Ati2evxx.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\ati2evxx.exe
d:\program files\Alwil Software\Avast4\aswUpdSv.exe
d:\program files\Alwil Software\Avast4\ashServ.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\lxdicoms.exe
d:\program files\Alwil Software\Avast4\ashMaiSv.exe
d:\program files\Alwil Software\Avast4\ashWebSv.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-03-20 16:03:13 - machine was rebooted
ComboFix-quarantined-files.txt 2009-03-20 23:01:53

Pre-Run: 6,270,242,816 bytes free
Post-Run: 6,306,021,376 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

Current=2 Default=2 Failed=1 LastKnownGood=5 Sets=1,2,3,4,5
177


Re: Infected with Virtob, please help

Post by Belahzur on Fri Mar 20, 2009 11:23 pm

Hello. The log shows more malware, so we have to use Combofix with additional directives.

Now open a new notepad file.
Input this into the notepad file:

KILLALL::

Driver::
WindowsTelephony

File::
c:\windows\system32\55.scr

Folder::
C:\_OTMoveIt
c:\documents and settings\Jimmy.VALUED-20606295\DoctorWeb

Registry::
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WindowsTelephony]
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=-
"UpdatesDisableNotify"=-
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\System32\\55.scr"=-

Save this as CFScript.txt, save it to your desktop also.
Then drag and drop CFScript.txt into combofix as seen below:


This will open combofix.exe again; agree to its terms and allow it to run. It may want to reboot after it's done. Post the resulting log back here.


Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Posts : 34916
Joined : 2008-08-03
OS : XP SP3 Media Centre
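The first ComboFix log above and the CFScript Belahzur built from it are, read together, a compact worked case in Windows persistence and defence evasion: a service named WindowsTelephony whose binary is c:\windows\system\svhost.exe (one letter short of svchost.exe, and sitting in the legacy \windows\system directory rather than system32), a SafeBoot\Minimal key so that service also loads in Safe Mode, the Security Center notifications for antivirus and updates switched off, the Windows Firewall disabled, and a screensaver file in System32 (55.scr) added to the firewall's authorized-applications list. The Python below is an added example written for this page; it is not ComboFix code and not from either poster. It scans a ComboFix-style log for exactly those indicators and drafts the corresponding CFScript directives (Driver::, File::, and Registry:: in .reg syntax, where "Value"=- deletes a value and [-Key] deletes a key). SAMPLE_LOG is a constructed excerpt modelled on the posted log, and the heuristics (the list of core process names, the edit-distance threshold, the rule for firewall exceptions) are this example's own assumptions, not anything ComboFix implements.

```python
import re

# Constructed excerpt modelled on the ComboFix log posted in this thread.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WindowsTelephony]
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"d:\\Program Files\\Alwil Software\\Avast4\\ashAvast.exe"=
"c:\\WINDOWS\\System32\\55.scr"=
R2 lxdi_device;lxdi_device;c:\windows\system32\lxdicoms.exe -service --> c:\windows\system32\lxdicoms.exe -service [?]
S2 WindowsTelephony;Windows Telephony;"c:\windows\system\svhost.exe" --> c:\windows\system\svhost.exe [?]
S3 XDva008;XDva008;\??\c:\windows\System32\XDva008.sys --> c:\windows\System32\XDva008.sys [?]
"""

# Core process names malware imitates with a one-letter change (assumed list).
CORE_BINARIES = ("svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe", "services.exe", "spoolsv.exe")
SERVICE_RE = re.compile(r"^[RS]\d\s+([^;]+);[^;]*;(.*)$")   # R1 name;display;path [info]
REG_KEY_RE = re.compile(r"^\[(.+)\]$")
REG_VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')


def edit_distance(a, b):
    """Levenshtein distance; inputs are short file names, so O(n*m) is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def service_binary(field):
    """Reduce ComboFix's 'image --> resolved [info]' field to the bare path."""
    resolved = field.split("-->")[-1].strip().strip('"')
    m = re.match(r"(.*?\.(?:exe|sys|dll|scr))", resolved, re.IGNORECASE)
    return m.group(1) if m else resolved.split(" [")[0]


def suspicious_service(path):
    """Return why a service binary looks like a masquerade, or None."""
    low = path.lower()
    base = low.rsplit("\\", 1)[-1]
    if base in CORE_BINARIES:            # right name: must be in the right place
        return None if "\\windows\\system32\\" in low else f"{base} outside system32"
    for real in CORE_BINARIES:           # wrong name: a near-miss of a core name
        if edit_distance(base, real) <= 2:
            return f"{base} is a near-miss of {real}"
    if "\\windows\\system\\" in low:     # legacy directory, not system32
        return "binary in the legacy \\windows\\system directory"
    return None


def triage(log_text):
    """Collect the persistence and defence-evasion indicators from a log."""
    f = {"services": [], "authorized_apps": [], "safeboot_keys": [],
         "security_center": [], "firewall_disabled": False}
    key = ""
    for line in log_text.splitlines():
        line = line.strip()
        if m := REG_KEY_RE.match(line):
            key = m.group(1)
            # ComboFix omits default SafeBoot entries, so any SafeBoot key it
            # prints is an addition that lets the service load in Safe Mode.
            if "\\safeboot\\" in key.lower():
                f["safeboot_keys"].append(key)
        elif m := REG_VALUE_RE.match(line):
            name, value = m.group(1), m.group(2)
            if name.endswith("DisableNotify") and value.startswith("dword:00000001"):
                f["security_center"].append(name)
            elif name == "EnableFirewall" and value.startswith("0"):
                f["firewall_disabled"] = True
            elif key.lower().endswith("authorizedapplications\\list"):
                app = name.replace("\\\\", "\\")          # undo .reg escaping
                base = app.rsplit("\\", 1)[-1].lower()
                # an exception for a non-.exe or a bare numeric file name
                if not base.endswith(".exe") or base[:-4].isdigit():
                    f["authorized_apps"].append(app)
        elif m := SERVICE_RE.match(line):
            name, path = m.group(1), service_binary(m.group(2))
            if reason := suspicious_service(path):
                f["services"].append((name, path, reason))
    return f


def draft_cfscript(f):
    """Draft the CFScript directives used in the thread, for a human to review."""
    sc = r"[HKEY_LOCAL_MACHINE\software\microsoft\security center]"
    fw = r"[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]"
    lines = ["KILLALL::", ""]
    if f["services"]:
        lines += ["Driver::", *[s[0] for s in f["services"]], ""]
    if f["authorized_apps"]:
        lines += ["File::", *f["authorized_apps"], ""]
    reg = [f"[-{k}]" for k in f["safeboot_keys"]]        # [-Key] deletes the key
    if f["security_center"]:
        reg += [sc, *[f'"{n}"=-' for n in f["security_center"]]]  # "v"=- deletes
    if f["firewall_disabled"]:
        reg += [fw, '"EnableFirewall"=dword:00000001']
    if f["authorized_apps"]:
        reg += [fw[:-1] + r"\AuthorizedApplications\List]"]
        reg += ['"%s"=-' % a.replace("\\", "\\\\") for a in f["authorized_apps"]]
    if reg:
        lines += ["Registry::", *reg, ""]
    return "\n".join(lines)
```

Run it on a saved log with triage(open(path).read()) and print draft_cfscript(...) next to the findings. The draft is meant to be read against the log, not dropped into ComboFix unreviewed: the near-miss rule will also catch a vendor service that merely has an unlucky name, which is why each flagged service carries its reason.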

Re: Infected with Virtob, please help

Post by nesta_p on Fri Mar 20, 2009 11:44 pm

Thanks for the help. Here is my new ComboFix log:

ComboFix 09-03-19.02 - Jimmy 2009-03-20 16:27:43.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.768.454 [GMT -7:00]
Running from: c:\documents and settings\Jimmy.VALUED-20606295\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Jimmy.VALUED-20606295\Desktop\CFScript.txt
AV: avast! antivirus 4.8.1335 [VPS 090320-0] *On-access scanning disabled* (Updated)
* Created a new restore point

FILE ::
c:\windows\system32\55.scr
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\_OTMoveIt
c:\_otmoveit\MovedFiles\03202009_145043.log
c:\_otmoveit\MovedFiles\03202009_145043.res
c:\documents and settings\Jimmy.VALUED-20606295\DoctorWeb
c:\documents and settings\Jimmy.VALUED-20606295\DoctorWeb\CureIt.log
c:\windows\system\svhost.exe
c:\windows\system32\55.scr

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_WINDOWSTELEPHONY
-------\Service_WindowsTelephony


((((((((((((((((((((((((( Files Created from 2009-02-20 to 2009-03-20 )))))))))))))))))))))))))))))))
.

No new files created in this timespan

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-20 22:50 --------- d-----w c:\program files\PS TO USB CONVERTOR
2009-03-20 05:50 --------- d-----w c:\documents and settings\Jimmy.VALUED-20606295\Application Data\Azureus
2009-03-17 21:04 --------- d-----w c:\documents and settings\Jimmy.VALUED-20606295\Application Data\vlc
2009-01-31 01:51 --------- d-----w c:\program files\Java
2009-01-29 05:54 --------- d--h--w c:\program files\InstallShield Installation Information
2009-01-29 05:54 --------- d-----w c:\program files\Common Files\InstallShield
2009-01-29 05:54 --------- d-----w c:\documents and settings\Jimmy.VALUED-20606295\Application Data\InstallShield
2009-01-29 05:54 --------- d-----w c:\documents and settings\All Users\Application Data\InstallShield
2009-01-29 05:05 --------- d-----w c:\program files\Teamspeak2_RC2
2009-01-29 05:05 --------- d-----w c:\documents and settings\Jimmy.VALUED-20606295\Application Data\teamspeak2
2009-01-21 06:08 --------- d-----w c:\program files\LibUSB-Win32-0.1.10.1
2009-01-16 06:56 4 --sh--r c:\documents and settings\All Users\Application Data\sysqcl0.dat
2008-12-18 07:53 604 ---ha-w c:\program files\STLL Notifier
2008-08-18 07:56 784 ----a-w c:\documents and settings\Jimmy.VALUED-20606295\Application Data\mpauth.dat
2008-02-18 20:25 35,184 ----a-w c:\documents and settings\Jimmy.VALUED-20606295\Application Data\GDIPFONTCACHEV1.DAT
2006-10-21 18:38 147,456 ----a-w c:\program files\mozilla firefox\plugins\CDVDiso.dll
2006-01-15 13:38 231,064 ----a-w c:\program files\mozilla firefox\plugins\CDVDisoEFP.dll
2005-05-14 15:04 151,040 ----a-w c:\program files\mozilla firefox\plugins\CDVDisolinuz.dll
2006-01-15 13:38 54,289 ----a-w c:\program files\mozilla firefox\plugins\CDVDlinuz.dll
2005-05-14 15:04 6,656 ----a-w c:\program files\mozilla firefox\plugins\CDVDnull.dll
2005-04-20 08:21 86,016 ----a-w c:\program files\mozilla firefox\plugins\cdvdPeops.dll
2005-05-14 15:04 6,656 ----a-w c:\program files\mozilla firefox\plugins\DEV9null.dll
2005-05-16 08:41 21,732 ----a-w c:\program files\mozilla firefox\plugins\FWnull.dll
2006-03-13 09:34 565,248 ----a-w c:\program files\mozilla firefox\plugins\GSdx9 sse2.dll
2006-03-13 16:33 602,112 ----a-w c:\program files\mozilla firefox\plugins\GSdx9.dll
2006-09-04 00:08 18,944 ----a-w c:\program files\mozilla firefox\plugins\PadSSSPSX.dll
2005-05-14 15:04 372,892 ----a-w c:\program files\mozilla firefox\plugins\PADwin.dll
2006-11-04 09:20 94,208 ----a-w c:\program files\mozilla firefox\plugins\spu2PeopsSound.dll
2005-05-14 15:04 9,728 ----a-w c:\program files\mozilla firefox\plugins\USBnull.dll
2006-11-17 22:06 7,892,992 ----a-w c:\program files\mozilla firefox\plugins\ZeroGS KOSMOS 0.96 non sse2.dll
2006-11-18 14:50 7,892,992 ----a-w c:\program files\mozilla firefox\plugins\ZeroGS KOSMOS 0.96 sse2.dll
.

((((((((((((((((((((((((((((( [You must be registered and logged in to see this link.] )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-03-20 23:31:57 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_52c.dat
+ 2009-03-20 23:32:09 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_f8.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"DAEMON Tools Lite"="d:\program files\DAEMON Tools\daemon.exe" [2008-04-01 486856]
"AlcoholAutomount"="d:\program files\Alcohol Soft\Alcohol 120\axcmd.exe" [2008-11-22 203720]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="NvQTwk" [X]
"avast!"="d:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-02-05 81000]
"lxdimon.exe"="d:\program files\Lexmark 3500-4500 Series\Lexmark 3500-4500 Series\lxdimon.exe" [2007-07-16 434864]
"lxdiamon"="d:\program files\Lexmark 3500-4500 Series\Lexmark 3500-4500 Series\lxdiamon.exe" [2007-07-16 25264]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-07-16 61440]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-11-10 136600]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.exe.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2006-06-24 113664]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "d:\program files\SUPERAntiSpyware\SASSEH.DLL" [2006-12-20 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2007-04-19 13:41 294912 d:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.MJPG"= sonymjpg.dll
"vidc.ffds"= d:\progra~1\COMBIN~1\Filters\FFDShow\ff_vfw.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"d:\\Program Files\\Lexmark 3500-4500 Series\\Lexmark 3500-4500 Series\\lxdimon.exe"=
"d:\\Program Files\\Alwil Software\\Avast4\\ashAvast.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdipswx.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdijswx.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxditime.exe"=
"c:\\WINDOWS\\system32\\lxdicoms.exe"=
"d:\\Program Files\\Lexmark 3500-4500 Series\\Lexmark 3500-4500 Series\\lxdiamon.exe"=
"d:\\Program Files\\Lexmark 3500-4500 Series\\Lexmark 3500-4500 Series\\App4R.exe"=

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-04-07 114768]
R1 SASDIFSV;SASDIFSV;d:\program files\SUPERAntiSpyware\sasdifsv.sys [2006-10-10 5632]
R1 SASKUTIL;SASKUTIL;d:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2007-02-27 32256]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2008-08-06 20560]
R2 lxdi_device;lxdi_device;c:\windows\system32\lxdicoms.exe -service --> c:\windows\system32\lxdicoms.exe -service [?]
R3 SiS7012;Service for AC'97 Sample Driver (WDM);c:\windows\system32\drivers\sis7012.sys [2002-04-24 175232]
S2 lxdiCATSCustConnectService;lxdiCATSCustConnectService;c:\windows\system32\spool\drivers\w32x86\3\lxdiserv.exe [2008-03-18 99248]
S3 HFXLowerFilter;HFXLowerFilter;c:\windows\system32\drivers\hfx_lfd.sys [2006-06-21 21632]
S3 libusb0;LibUsb-Win32 - Kernel Driver, Version 0.1.10.1;c:\windows\system32\drivers\libusb0.sys [2007-08-19 33792]
S3 LucentSoftModem;Lucent Technologies Soft Modem;c:\windows\system32\drivers\LTSM.sys [2002-04-24 807917]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2005-08-02 32512]
S3 SASENUM;SASENUM;d:\program files\SUPERAntiSpyware\SASENUM.SYS [2006-02-16 4096]
S3 SMBE;Sony MPEG2 Encoder Board (WDM);c:\windows\system32\drivers\Smbe.sys [2002-04-24 594668]
S3 XDva008;XDva008;\??\c:\windows\System32\XDva008.sys --> c:\windows\System32\XDva008.sys [?]
.
.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
uInternet Connection Wizard,ShellNext = iexplore
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
DPF: Microsoft XML Parser for Java - [You must be registered and logged in to see this link.]
DPF: {ADCC68D4-AAEA-4338-817D-1F261D9FB759} - [You must be registered and logged in to see this link.]
FF - ProfilePath - c:\documents and settings\Jimmy.VALUED-20606295\Application Data\Mozilla\Firefox\Profiles\skwmol9v.default\
FF - plugin: d:\program files\VideoLAN\VLC\npvlc.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2009-03-20 16:33:20
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(588)
d:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\Ati2evxx.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\ati2evxx.exe
d:\program files\Alwil Software\Avast4\aswUpdSv.exe
d:\program files\Alwil Software\Avast4\ashServ.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\lxdicoms.exe
c:\windows\system32\wscntfy.exe
d:\program files\Alwil Software\Avast4\ashMaiSv.exe
d:\program files\Alwil Software\Avast4\ashWebSv.exe
.
**************************************************************************
.
Completion time: 2009-03-20 16:41:32 - machine was rebooted
ComboFix-quarantined-files.txt 2009-03-20 23:40:12
ComboFix2.txt 2009-03-20 23:03:15

Pre-Run: 6,294,315,008 bytes free
Post-Run: 6,283,218,944 bytes free

Current=2 Default=2 Failed=1 LastKnownGood=5 Sets=1,2,3,4,5
165


Re: Infected with Virtob, please help

Post by Belahzur on Sat Mar 21, 2009 1:03 am

Hello.
How is the machine now?





Re: Infected with Virtob, please help

Post by nesta_p on Sat Mar 21, 2009 1:23 am

I haven't had a virus alert in 2 hours, so the computer seems to be better. Thanks for helping.


Re: Infected with Virtob, please help

Post by Belahzur on Sat Mar 21, 2009 1:27 am

Hello.
Glad to hear it.

Click Start > Run and copy/paste the following bolded text into the Run box and click OK:

ComboFix /u



This will also reset your restore points.
Please enable avast! now.




