virut infection will not leave me alone, after reformatting and reinstalling

virut infection will not leave me alone, after reformatting and reinstalling

Post by mike69 on 15th April 2009, 7:29 am

Belezhar,

I can't figure it out. Is the virus somehow tracing my IP address or something? I went through the last couple of days reinstalling everything and at first things looked okay, until I saw this happening again.

My cli.exe got terminated after rebooting with the McAfee software installed.
Then the CLI for the ATI video card crashed. After rebooting, over the past half hour, I keep getting these.



Re: virut infection will not leave me alone, after reformatting and reinstalling

Post by mike69 on 15th April 2009, 7:32 am

HijackThis log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:31:42 AM, on 4/15/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\WINDOWS\Explorer.EXE
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\Hewlett-Packard\HP Wireless Elite Desktop\HPKEYBOARDg.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\SigmaTel\C-Major Audio\WDM\stsystra.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\McAfee\MBK\McAfeeDataBackup.exe
C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = [You must be registered and logged in to see this link.]
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: McAfee Phishing Filter - {27B4851A-3207-45A2-B947-BE8AFE6163AB} - c:\PROGRA~1\mcafee\msk\mskapbho.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll
O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_219B3E1547538286.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: SmartSelect - {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [HP KEYBOARDg] "C:\Program Files\Hewlett-Packard\HP Wireless Elite Desktop\HPKEYBOARDg.EXE"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\stsystra.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKLM\..\Run: [McENUI] C:\PROGRA~1\McAfee\MHN\McENUI.exe /hide
O4 - HKLM\..\Run: [McAfee Backup] "C:\Program Files\McAfee\MBK\McAfeeDataBackup.exe"
O4 - HKLM\..\Run: [Adobe Acrobat Speed Launcher] "C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O8 - Extra context menu item: Append Link Target to Existing PDF - [You must be registered and logged in to see this link.] Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Append to existing PDF - [You must be registered and logged in to see this link.] Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - [You must be registered and logged in to see this link.] Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert link target to existing PDF - [You must be registered and logged in to see this link.] Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert to Adobe PDF - [You must be registered and logged in to see this link.] Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - [You must be registered and logged in to see this link.]
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: MBackMonitor - McAfee - C:\Program Files\McAfee\MBK\MBackMonitor.exe
O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Anti-Spam Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 8722 bytes


Re: virut infection will not leave me alone, after reformatting and reinstalling

Post by mike69 on 15th April 2009, 7:46 am

From Malwarebytes

Malwarebytes' Anti-Malware 1.36
Database version: 1981
Windows 5.1.2600 Service Pack 3

4/15/2009 12:46:02 AM
mbam-log-2009-04-15 (00-46-02).txt

Scan type: Quick Scan
Objects scanned: 66425
Time elapsed: 6 minute(s), 7 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


Re: virut infection will not leave me alone, after reformatting and reinstalling

Post by mike69 on 15th April 2009, 7:55 am

DDS Log


DDS (Ver_09-03-16.01) - NTFSx86
Run by Mike at 0:53:03.12 on Wed 04/15/2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_13
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.894.505 [GMT -7:00]

AV: McAfee VirusScan *On-access scanning enabled* (Updated)
FW: McAfee Personal Firewall *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\WINDOWS\Explorer.EXE
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\Hewlett-Packard\HP Wireless Elite Desktop\HPKEYBOARDg.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\SigmaTel\C-Major Audio\WDM\stsystra.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\Program Files\McAfee\MBK\McAfeeDataBackup.exe
C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\system32\wuauclt.exe
c:\PROGRA~1\mcafee\msc\mcshell.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Documents and Settings\Mike\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = [You must be registered and logged in to see this link.]
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: McAfee Phishing Filter: {27b4851a-3207-45a2-b947-be8afe6163ab} - c:\progra~1\mcafee\msk\mskapbho.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.0.926.3450\swg.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_219B3E1547538286.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: SmartSelect Class: {f4971ee7-daa0-4053-9964-665d8ee6a077} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
TB: &Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
mRun: [HP KEYBOARDg] "c:\program files\hewlett-packard\hp wireless elite desktop\HPKEYBOARDg.EXE"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\stsystra.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [ATICCC] "c:\program files\ati technologies\ati.ace\CLIStart.exe"
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [McENUI] c:\progra~1\mcafee\mhn\McENUI.exe /hide
mRun: [McAfee Backup] "c:\program files\mcafee\mbk\McAfeeDataBackup.exe"
mRun: [Adobe Acrobat Speed Launcher] "c:\program files\adobe\acrobat 9.0\acrobat\Acrobat_sl.exe"
mRun: []
mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 9.0\acrobat\Acrotray.exe"
IE: Append Link Target to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert link target to existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - [You must be registered and logged in to see this link.]
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - [You must be registered and logged in to see this link.]
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - [You must be registered and logged in to see this link.]
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Notify: AtiExtEvent - Ati2evxx.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\mike\applic~1\mozilla\firefox\profiles\wriqhq49.default\
FF - component: c:\program files\mcafee\siteadvisor\components\McFFPlg.dll

============= SERVICES / DRIVERS ===============

R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2009-3-25 214024]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2009-4-14 203280]
R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2009-4-14 359952]
R2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2009-4-14 144704]
R3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2009-4-14 606736]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2009-4-14 79880]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2009-4-14 35272]
R3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2009-4-14 40552]
S0 TfFsMon;TfFsMon;c:\windows\system32\drivers\tffsmon.sys --> c:\windows\system32\drivers\TfFsMon.sys [?]
S0 TfSysMon;TfSysMon;c:\windows\system32\drivers\tfsysmon.sys --> c:\windows\system32\drivers\TfSysMon.sys [?]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2009-4-14 34216]
S3 pctplsg;pctplsg;\??\c:\windows\system32\drivers\pctplsg.sys --> c:\windows\system32\drivers\pctplsg.sys [?]
S3 TfNetMon;TfNetMon;\??\c:\windows\system32\drivers\tfnetmon.sys --> c:\windows\system32\drivers\TfNetMon.sys [?]


Re: virut infection will not leave me alone, after reformatting and reinstalling

Post by mike69 on 15th April 2009, 7:56 am

DDS Log part 2

=============== Created Last 30 ================

2009-04-15 00:35 --d----- c:\program files\Unlocker
2009-04-15 00:10 --d----- c:\windows\system32\LogFiles
2009-04-14 23:58 --d----- c:\program files\common files\Macrovision Shared
2009-04-14 23:57 45,392 a----r-- c:\windows\system32\AdobePDF.dll
2009-04-14 23:57 22,872 a----r-- c:\windows\system32\AdobePDFUI.dll
2009-04-14 14:31 7,179 a------- c:\windows\system32\Config.MPF
2009-04-14 14:29 --d----- c:\program files\SiteAdvisor
2009-04-14 14:22 40,552 a------- c:\windows\system32\drivers\mfesmfk.sys
2009-04-14 14:22 79,880 a------- c:\windows\system32\drivers\mfeavfk.sys
2009-04-14 14:22 35,272 a------- c:\windows\system32\drivers\mfebopk.sys
2009-04-14 14:22 120,136 a------- c:\windows\system32\drivers\Mpfp.sys
2009-04-14 14:21 --d----- c:\program files\common files\McAfee
2009-04-14 14:21 --d----- c:\program files\McAfee.com
2009-04-14 14:21 --d----- c:\program files\McAfee
2009-04-14 14:20 34,216 a------- c:\windows\system32\drivers\mferkdk.sys
2009-04-14 12:35 --d----- c:\program files\Trend Micro
2009-04-14 10:46 168,448 a------- c:\windows\system32\unrar.dll
2009-04-14 10:46 --d----- c:\program files\K-Lite Codec Pack
2009-04-14 10:44 --d----- c:\program files\CCleaner
2009-04-14 10:43 33,664 a------- c:\windows\system32\drivers\BCMWLNPF.SYS
2009-04-14 10:43 253,952 a------- c:\windows\system32\bcmwlu00.exe
2009-04-14 10:43 86,016 a------- c:\windows\system32\preflib.dll
2009-04-14 10:43 69,632 a------- c:\windows\system32\bcmwlpkt.dll
2009-04-14 10:43 44,032 a------- c:\windows\system32\wltrynt.dll
2009-04-14 10:43 3,395,584 a------- c:\windows\system32\BCMWLCPL.CPL
2009-04-14 10:43 2,129,920 a------- c:\windows\system32\WLBCGCBPRO731.DLL
2009-04-14 10:43 1,392,640 a------- c:\windows\system32\WLTRAY.EXE
2009-04-14 10:43 1,253,376 a------- c:\windows\system32\BCMWLTRY.EXE
2009-04-14 10:43 20,480 a------- c:\windows\system32\WLTRYSVC.EXE
2009-04-14 10:43 757,760 a------- c:\windows\system32\bcm1xsup.dll
2009-04-14 10:42 4,792 a------- c:\windows\bcm53.tmp
2009-04-14 10:32 4,222 a------- c:\windows\bcm5.tmp
2009-04-14 10:06 3,107,788 a------- c:\windows\system32\ativvaxx.dat
2009-04-14 10:06 2,096 a------- c:\windows\system32\drivers\ativdkxx.vp
2009-04-14 10:05 4,240 a------- c:\windows\bcm91.tmp
2009-04-14 10:04 4,304 a------- c:\windows\bcm5B.tmp
2009-04-14 10:03 --d----- c:\program files\Broadcom
2009-04-14 10:01 191,872 a------- c:\windows\system32\drivers\SynTP.sys
2009-04-14 10:01 94,299 a------- c:\windows\system32\SynTPAPI.dll
2009-04-14 10:01 81,920 a------- c:\windows\system32\SynTPCo2.dll
2009-04-14 10:01 69,723 a------- c:\windows\system32\SynTPFcs.dll
2009-04-14 10:01 114,688 a------- c:\windows\system32\SynCtrl.dll
2009-04-14 10:01 82,014 a------- c:\windows\system32\SynCOM.dll
2009-04-14 10:01 --d----- c:\program files\Synaptics
2009-04-14 09:59 36,864 a------- c:\windows\system32\drivers\AmdK8.sys
2009-04-14 09:59 --d----- c:\program files\AMD
2009-04-14 09:49 146,944 a------- c:\windows\system32\st325602.dll
2009-04-14 00:53 459,264 -c------ c:\windows\system32\dllcache\msfeeds.dll
2009-04-14 00:53 52,224 -c------ c:\windows\system32\dllcache\msfeedsbs.dll
2009-04-14 00:53 383,488 -c------ c:\windows\system32\dllcache\ieapfltr.dll
2009-04-14 00:53 267,776 -c------ c:\windows\system32\dllcache\iertutil.dll
2009-04-14 00:53 63,488 -c------ c:\windows\system32\dllcache\icardie.dll
2009-04-14 00:53 13,824 -c------ c:\windows\system32\dllcache\ieudinit.exe
2009-04-14 00:53 2,455,488 -c------ c:\windows\system32\dllcache\ieapfltr.dat
2009-04-14 00:53 991,232 -c------ c:\windows\system32\dllcache\ieframe.dll.mui
2009-04-14 00:53 6,066,688 -c------ c:\windows\system32\dllcache\ieframe.dll
2009-04-14 00:40 221,184 a------- c:\windows\system32\wmpns.dll
2009-04-14 00:27 --d----- c:\windows\system32\scripting
2009-04-14 00:27 --d----- c:\windows\l2schemas
2009-04-14 00:27 --d----- c:\windows\system32\en
2009-04-14 00:27 --d----- c:\windows\system32\bits
2009-04-14 00:24 --d----- c:\windows\ServicePackFiles
2009-04-14 00:08 --d----- c:\windows\EHome
2009-04-13 23:52 --d----- c:\windows\network diagnostic
2009-04-13 23:35 381,425 -c------ c:\windows\system32\dllcache\copycd.wmv
2009-04-13 23:35 9,585 -c------ c:\windows\system32\dllcache\controls.css
2009-04-13 23:35 8,298 -c------ c:\windows\system32\dllcache\contents.htm
2009-04-13 23:35 6,878 -c------ c:\windows\system32\dllcache\controls.js
2009-04-13 23:35 129,045 -------- c:\windows\system32\drivers\cxthsfs2.cty
2009-04-13 23:35 773 -c------ c:\windows\system32\dllcache\cnth.gif
2009-04-13 23:35 773 -c------ c:\windows\system32\dllcache\cnt.gif
2009-04-13 23:35 772 -c------ c:\windows\system32\dllcache\cntd.gif
2009-04-13 23:35 760 -c------ c:\windows\system32\dllcache\cloapph.gif
2009-04-13 23:35 717 -c------ c:\windows\system32\dllcache\cloapp.gif
2009-04-13 23:35 999 -c------ c:\windows\system32\dllcache\bktrh.gif
2009-04-13 23:26 410,984 a------- c:\windows\system32\deploytk.dll
2009-04-13 23:26 73,728 a------- c:\windows\system32\javacpl.cpl
2009-04-13 23:18 272,128 -c------ c:\windows\system32\dllcache\bthport.sys
2009-04-13 23:18 272,128 -------- c:\windows\system32\drivers\bthport.sys
2009-04-13 23:16 2,145,280 -c------ c:\windows\system32\dllcache\ntkrnlmp.exe
2009-04-13 23:16 2,189,184 -c------ c:\windows\system32\dllcache\ntoskrnl.exe
2009-04-13 23:16 2,023,936 -c------ c:\windows\system32\dllcache\ntkrpamp.exe
2009-04-13 23:16 2,066,048 -c------ c:\windows\system32\dllcache\ntkrnlpa.exe
2009-04-13 23:16 203,136 -c------ c:\windows\system32\dllcache\rmcast.sys
2009-04-13 23:16 455,296 -c------ c:\windows\system32\dllcache\mrxsmb.sys
2009-04-13 23:16 333,952 -c------ c:\windows\system32\dllcache\srv.sys
2009-04-13 23:16 691,712 -c------ c:\windows\system32\dllcache\inetcomm.dll
2009-04-13 23:15 337,408 -c------ c:\windows\system32\dllcache\netapi32.dll
2009-04-13 23:14 --d----- c:\windows\system32\PreInstall
2009-04-13 23:14 26,488 a------- c:\windows\system32\spupdsvc.exe
2009-04-13 22:59 --d----- c:\windows\system32\SoftwareDistribution
2009-04-13 22:53 21,504 a------- c:\windows\system32\hidserv.dll
2009-04-13 20:42 --d----- C:\downloads
2009-04-13 20:31 --d----- c:\program files\common files\L&H
2009-04-13 20:27 376 a------- c:\windows\ODBC.INI
2009-04-13 20:27 17,920 a------- c:\windows\system32\mdimon.dll
2009-04-13 20:27 --d----- c:\program files\Microsoft ActiveSync
2009-04-13 20:27 --d----- c:\windows\SHELLNEW
2009-04-13 20:20 --d----- c:\docume~1\alluse~1\applic~1\PC Tools
2009-04-13 20:17 --d----- c:\docume~1\mike\applic~1\Malwarebytes
2009-04-13 20:17 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-04-13 20:17 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-13 20:17 --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-04-13 20:17 --d----- c:\program files\Malwarebytes' Anti-Malware
2009-04-13 19:40 --d----- c:\program files\CONEXANT
2009-04-13 19:40 192,512 a------- c:\windows\system32\drivers\HSXHWAZL.sys
2009-04-13 19:40 114,688 a------- c:\windows\system32\Uci32103.dll
2009-04-13 19:40 86,016 a------- c:\windows\system32\mdmxsdk.dll
2009-04-13 19:40 12,544 a------- c:\windows\system32\drivers\mdmxsdk.sys
2009-04-13 19:40 936,960 a------- c:\windows\system32\drivers\HSX_DPV.sys
2009-04-13 19:40 669,696 a------- c:\windows\system32\drivers\HSX_CNXT.sys
2009-04-13 19:40 141,497 a------- c:\windows\system32\drivers\del1028.cty
2009-04-13 19:40 6,272 a------- c:\windows\system32\drivers\splitter.sys
2009-04-13 19:40 83,072 a------- c:\windows\system32\drivers\wdmaud.sys
2009-04-13 19:40 52,864 a------- c:\windows\system32\drivers\dmusic.sys
2009-04-13 19:39 --d----- c:\program files\SigmaTel
2009-04-13 19:36 --d----- c:\windows\system32\URTTemp
2009-04-13 19:36 --d----- c:\program files\ATI Technologies
2009-04-13 19:31 770,048 a------- c:\windows\system32\BCMLogon.dll
2009-04-13 19:31 604,928 a------- c:\windows\system32\drivers\BCMWL5.SYS
2009-04-13 19:31 89,088 a------- c:\windows\system32\ATL71.DLL
2009-04-13 19:31 499,712 a------- c:\windows\system32\MSVCP71.DLL
2009-04-13 19:31 348,160 a------- c:\windows\system32\MSVCR71.DLL
2009-04-13 19:31 1,060,864 a------- c:\windows\system32\MFC71.DLL
2009-04-13 19:30 45,568 a----r-- c:\windows\system32\drivers\bcm4sbxp.sys
2009-04-13 19:29 32,256 a------- c:\windows\system32\drivers\rimmptsk.sys
2009-04-13 19:25 --d----- c:\windows\system32\ReinstallBackups
2009-04-13 19:21 --d----- c:\windows\system32\vmm32
2009-04-13 19:21 --d----- c:\program files\Dell
2009-04-13 19:03 --d----- c:\documents and settings\Mike
2009-04-13 18:59 --ds---- c:\windows\system32\Microsoft
2009-04-13 18:42 8,192 a------- c:\windows\REGLOCS.OLD
2009-04-13 18:40 57,856 ac------ c:\windows\system32\dllcache\EXCH_scripto.dll
2009-04-13 18:39 132,608 ac------ c:\windows\system32\dllcache\fxsclntr.dll
2009-04-13 18:38 2,577 a------- c:\windows\system32\CONFIG.NT
2009-04-13 18:38 0 a------- c:\windows\control.ini
2009-04-13 18:38 23,392 a------- c:\windows\system32\nscompat.tlb
2009-04-13 18:38 16,832 a------- c:\windows\system32\amcompat.tlb
2009-04-13 18:38 316,640 a------- c:\windows\WMSysPr9.prx
2009-04-13 18:37 --dsh--- c:\documents and settings\all users\DRM
2009-04-13 18:37 --d-h--- c:\program files\WindowsUpdate
2009-04-13 18:36 --d----- c:\program files\common files\MSSoap
2009-04-13 18:34 --d----- c:\program files\Online Services
2009-04-13 18:34 --d----- c:\program files\Messenger
2009-04-13 18:34 --d----- c:\program files\MSN Gaming Zone
2009-04-13 18:34 --d----- c:\program files\Windows NT
2009-04-13 11:23 --d----- c:\program files\common files\ODBC
2009-04-13 11:23 --d----- c:\program files\common files\SpeechEngines
2009-04-13 11:23 --d--r-- c:\documents and settings\all users\Documents

==================== Find3M ====================

2009-04-14 00:31 77,423 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2009-04-13 18:35 21,640 a------- c:\windows\system32\emptyregdb.dat
2009-03-25 11:06 214,024 a------- c:\windows\system32\drivers\mfehidk.sys
2009-02-09 04:13 1,846,784 a------- c:\windows\system32\win32k.sys

============= FINISH: 0:54:09.70 ===============


Re: virut infection will not leave me alone, after reformatting and reinstalling

Post by mike69 on 15th April 2009, 8:14 am

ComboFix report

ComboFix 09-04-15.08 - Mike 04/15/2009 1:05.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.894.467 [GMT -7:00]
Running from: c:\documents and settings\Mike\Desktop\ComboFix.exe
AV: McAfee VirusScan *On-access scanning enabled* (Updated)
FW: McAfee Personal Firewall *enabled*
* Created a new restore point
* Resident AV is active

.

((((((((((((((((((((((((( Files Created from 2009-03-15 to 2009-04-15 )))))))))))))))))))))))))))))))
.

2009-04-15 07:10 . 2009-04-15 07:10 -------- d-----w c:\windows\system32\LogFiles
2009-04-15 06:57 . 2008-04-07 12:38 22872 ----a-r c:\windows\system32\AdobePDFUI.dll
2009-04-15 06:57 . 2008-04-07 12:38 45392 ----a-r c:\windows\system32\AdobePDF.dll
2009-04-15 05:57 . 2009-04-15 05:57 -------- d-----w c:\documents and settings\All Users\Application Data\FLEXnet
2009-04-15 02:54 . 2009-04-15 06:27 -------- d-----w c:\documents and settings\Mike\Local Settings\Application Data\Adobe
2009-04-15 02:49 . 2009-04-15 02:49 -------- d-----w c:\documents and settings\LocalService\Application Data\SACore
2009-04-15 02:48 . 2009-04-15 02:48 -------- d-----w c:\documents and settings\LocalService\Local Settings\Application Data\Google
2009-04-14 21:31 . 2009-04-15 07:50 7179 ----a-w c:\windows\system32\Config.MPF
2009-04-14 21:29 . 2009-04-14 21:29 -------- d-----w c:\documents and settings\All Users\Application Data\SiteAdvisor
2009-04-14 21:22 . 2009-03-25 18:06 40552 ----a-w c:\windows\system32\drivers\mfesmfk.sys
2009-04-14 21:22 . 2009-03-25 18:06 79880 ----a-w c:\windows\system32\drivers\mfeavfk.sys
2009-04-14 21:22 . 2009-03-25 18:06 35272 ----a-w c:\windows\system32\drivers\mfebopk.sys
2009-04-14 21:22 . 2008-10-23 20:08 120136 ----a-w c:\windows\system32\drivers\Mpfp.sys
2009-04-14 21:20 . 2009-03-25 18:05 34216 ----a-w c:\windows\system32\drivers\mferkdk.sys
2009-04-14 21:05 . 2009-04-14 21:31 -------- d-----w c:\documents and settings\All Users\Application Data\McAfee
2009-04-14 17:46 . 2008-09-16 19:23 168448 ----a-w c:\windows\system32\unrar.dll
2009-04-14 17:43 . 2007-03-17 01:10 33664 ----a-w c:\windows\system32\drivers\BCMWLNPF.SYS
2009-04-14 17:43 . 2007-03-17 01:10 86016 ----a-w c:\windows\system32\preflib.dll
2009-04-14 17:43 . 2007-03-17 01:10 44032 ----a-w c:\windows\system32\wltrynt.dll
2009-04-14 17:43 . 2007-03-17 01:10 253952 ----a-w c:\windows\system32\bcmwlu00.exe
2009-04-14 17:43 . 2007-03-17 01:10 69632 ----a-w c:\windows\system32\bcmwlpkt.dll
2009-04-14 17:43 . 2007-03-17 01:10 2129920 ----a-w c:\windows\system32\WLBCGCBPRO731.DLL
2009-04-14 17:43 . 2007-03-17 01:10 20480 ----a-w c:\windows\system32\WLTRYSVC.EXE
2009-04-14 17:43 . 2007-03-17 01:10 1392640 ----a-w c:\windows\system32\WLTRAY.EXE
2009-04-14 17:43 . 2007-03-17 01:10 1253376 ----a-w c:\windows\system32\BCMWLTRY.EXE
2009-04-14 17:43 . 2007-03-17 01:10 3395584 ----a-w c:\windows\system32\BCMWLCPL.CPL
2009-04-14 17:43 . 2007-03-17 01:10 757760 ----a-w c:\windows\system32\bcm1xsup.dll
2009-04-14 17:42 . 2009-04-14 17:42 4792 ----a-w c:\windows\bcm53.tmp
2009-04-14 17:32 . 2009-04-14 17:32 4222 ----a-w c:\windows\bcm5.tmp
2009-04-14 17:25 . 2009-04-14 17:25 -------- d-----w c:\windows\system32\config\systemprofile\Local Settings\Application Data\ATI
2009-04-14 17:25 . 2009-04-14 17:25 -------- d-----w c:\windows\system32\config\systemprofile\Application Data\ATI
2009-04-14 17:06 . 2006-10-12 04:26 3107788 ----a-w c:\windows\system32\ativvaxx.dat
2009-04-14 17:06 . 2006-08-24 00:26 2096 ----a-w c:\windows\system32\drivers\ativdkxx.vp
2009-04-14 17:05 . 2009-04-14 17:05 4240 ----a-w c:\windows\bcm91.tmp
2009-04-14 17:04 . 2009-04-14 17:04 4304 ----a-w c:\windows\bcm5B.tmp
2009-04-14 17:01 . 2006-03-08 19:51 81920 ----a-w c:\windows\system32\SynTPCo2.dll
2009-04-14 17:01 . 2006-03-08 19:49 69723 ----a-w c:\windows\system32\SynTPFcs.dll
2009-04-14 17:01 . 2006-03-08 19:38 94299 ----a-w c:\windows\system32\SynTPAPI.dll
2009-04-14 17:01 . 2006-03-08 19:35 191872 ----a-w c:\windows\system32\drivers\SynTP.sys
2009-04-14 17:01 . 2006-03-08 19:38 114688 ----a-w c:\windows\system32\SynCtrl.dll
2009-04-14 17:01 . 2006-03-08 19:37 82014 ----a-w c:\windows\system32\SynCOM.dll
2009-04-14 16:59 . 2006-07-02 05:39 36864 ----a-w c:\windows\system32\drivers\AmdK8.sys
2009-04-14 16:49 . 2007-08-21 16:58 146944 ----a-w c:\windows\system32\st325602.dll
2009-04-14 07:53 . 2008-12-20 23:15 52224 -c----w c:\windows\system32\dllcache\msfeedsbs.dll
2009-04-14 07:53 . 2008-12-20 23:15 459264 -c----w c:\windows\system32\dllcache\msfeeds.dll
2009-04-14 07:53 . 2008-12-20 23:15 267776 -c----w c:\windows\system32\dllcache\iertutil.dll
2009-04-14 07:53 . 2008-12-20 23:15 383488 -c----w c:\windows\system32\dllcache\ieapfltr.dll
2009-04-14 07:53 . 2008-12-20 23:15 63488 -c----w c:\windows\system32\dllcache\icardie.dll
2009-04-14 07:53 . 2008-12-19 09:10 13824 -c----w c:\windows\system32\dllcache\ieudinit.exe
2009-04-14 07:53 . 2007-04-17 09:32 2455488 -c----w c:\windows\system32\dllcache\ieapfltr.dat
2009-04-14 07:53 . 2007-03-08 05:10 991232 -c----w c:\windows\system32\dllcache\ieframe.dll.mui
2009-04-14 07:53 . 2008-12-20 23:15 6066688 -c----w c:\windows\system32\dllcache\ieframe.dll
2009-04-14 07:40 . 2008-04-14 00:12 221184 ----a-w c:\windows\system32\wmpns.dll
2009-04-14 07:27 . 2009-04-14 07:27 -------- d-----w c:\windows\system32\scripting
2009-04-14 07:27 . 2009-04-14 07:27 -------- d-----w c:\windows\l2schemas
2009-04-14 07:27 . 2009-04-14 07:27 -------- d-----w c:\windows\system32\en
2009-04-14 07:27 . 2009-04-14 07:27 -------- d-----w c:\windows\system32\bits
2009-04-14 07:24 . 2009-04-14 07:28 -------- d-----w c:\windows\ServicePackFiles
2009-04-14 07:08 . 2009-04-14 07:08 -------- d-----w c:\windows\EHome
2009-04-14 06:35 . 2004-08-04 10:00 9585 -c----w c:\windows\system32\dllcache\controls.css
2009-04-14 06:35 . 2004-08-04 10:00 8298 -c----w c:\windows\system32\dllcache\contents.htm
2009-04-14 06:35 . 2004-08-04 10:00 6878 -c----w c:\windows\system32\dllcache\controls.js
2009-04-14 06:35 . 2004-08-04 10:00 381425 -c----w c:\windows\system32\dllcache\copycd.wmv
2009-04-14 06:35 . 2004-07-18 05:55 129045 ------w c:\windows\system32\drivers\cxthsfs2.cty
2009-04-14 06:35 . 2004-08-04 10:00 773 -c----w c:\windows\system32\dllcache\cnth.gif
2009-04-14 06:35 . 2004-08-04 10:00 773 -c----w c:\windows\system32\dllcache\cnt.gif
2009-04-14 06:35 . 2004-08-04 10:00 772 -c----w c:\windows\system32\dllcache\cntd.gif
2009-04-14 06:35 . 2004-08-04 10:00 760 -c----w c:\windows\system32\dllcache\cloapph.gif
2009-04-14 06:35 . 2004-08-04 10:00 717 -c----w c:\windows\system32\dllcache\cloapp.gif
2009-04-14 06:35 . 2004-08-04 10:00 999 -c----w c:\windows\system32\dllcache\bktrh.gif
2009-04-14 06:26 . 2009-04-14 06:26 73728 ----a-w c:\windows\system32\javacpl.cpl
2009-04-14 06:26 . 2009-04-14 06:26 410984 ----a-w c:\windows\system32\deploytk.dll
2009-04-14 06:18 . 2008-06-13 11:05 272128 -c----w c:\windows\system32\dllcache\bthport.sys
2009-04-14 06:18 . 2008-06-13 11:05 272128 ------w c:\windows\system32\drivers\bthport.sys
2009-04-14 06:16 . 2008-08-14 10:09 2145280 -c----w c:\windows\system32\dllcache\ntkrnlmp.exe
2009-04-14 06:16 . 2008-08-14 10:11 2189184 -c----w c:\windows\system32\dllcache\ntoskrnl.exe
2009-04-14 06:16 . 2008-08-14 09:33 2023936 -c----w c:\windows\system32\dllcache\ntkrpamp.exe
2009-04-14 06:16 . 2008-08-14 09:33 2066048 -c----w c:\windows\system32\dllcache\ntkrnlpa.exe
2009-04-14 06:16 . 2008-05-08 14:02 203136 -c----w c:\windows\system32\dllcache\rmcast.sys
2009-04-14 06:16 . 2008-10-24 11:21 455296 -c----w c:\windows\system32\dllcache\mrxsmb.sys
2009-04-14 06:16 . 2008-12-11 10:57 333952 -c----w c:\windows\system32\dllcache\srv.sys
2009-04-14 06:16 . 2008-04-11 19:04 691712 -c----w c:\windows\system32\dllcache\inetcomm.dll
2009-04-14 06:15 . 2008-10-15 16:34 337408 -c----w c:\windows\system32\dllcache\netapi32.dll
2009-04-14 06:14 . 2009-04-14 08:08 -------- d-----w c:\documents and settings\Mike\Local Settings\Application Data\Google
2009-04-14 06:14 . 2007-08-11 03:46 26488 ----a-w c:\windows\system32\spupdsvc.exe
2009-04-14 06:13 . 2009-04-14 06:13 0 ----a-w c:\windows\nsreg.dat
2009-04-14 06:13 . 2009-04-14 06:13 -------- d-----w c:\documents and settings\Mike\Local Settings\Application Data\Mozilla
2009-04-14 05:53 . 2008-04-14 00:11 21504 ----a-w c:\windows\system32\hidserv.dll
2009-04-14 03:42 . 2009-04-15 07:33 -------- d-----w C:\downloads
2009-04-14 03:27 . 2009-04-14 03:33 376 ----a-w c:\windows\ODBC.INI
2009-04-14 03:27 . 2003-06-19 00:31 17920 ----a-w c:\windows\system32\mdimon.dll
2009-04-14 03:27 . 2009-04-14 03:33 -------- d-----w c:\windows\SHELLNEW
2009-04-14 03:24 . 2009-04-14 03:24 -------- d--h--r C:\MSOCache
2009-04-14 03:21 . 2009-04-15 03:05 -------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-04-14 03:20 . 2009-04-15 03:06 -------- d-----w c:\documents and settings\All Users\Application Data\PC Tools
2009-04-14 03:17 . 2009-04-14 03:17 -------- d-----w c:\documents and settings\Mike\Application Data\Malwarebytes
2009-04-14 03:17 . 2009-04-06 22:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-04-14 03:17 . 2009-04-06 22:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-14 03:17 . 2009-04-14 03:17 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-04-14 02:43 . 2009-04-15 07:07 22280 ----a-w c:\documents and settings\Mike\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-04-14 02:43 . 2009-04-14 02:43 127 ----a-w c:\documents and settings\Mike\Local Settings\Application Data\fusioncache.dat
2009-04-14 02:43 . 2009-04-14 02:43 -------- d-----w c:\documents and settings\Mike\Local Settings\Application Data\ATI
2009-04-14 02:43 . 2009-04-14 02:43 -------- d-----w c:\documents and settings\Mike\Application Data\ATI
2009-04-14 02:43 . 2009-04-15 07:50 -------- d-----w c:\documents and settings\Mike\Local Settings\Application Data\ApplicationHistory
2009-04-14 02:40 . 2005-12-01 08:40 192512 ----a-w c:\windows\system32\drivers\HSXHWAZL.sys
2009-04-14 02:40 . 2005-11-16 06:41 114688 ----a-w c:\windows\system32\Uci32103.dll
2009-04-14 02:40 . 2005-10-05 06:57 12544 ----a-w c:\windows\system32\drivers\mdmxsdk.sys
2009-04-14 02:40 . 2005-10-05 06:56 86016 ----a-w c:\windows\system32\mdmxsdk.dll
2009-04-14 02:40 . 2005-12-01 08:40 936960 ----a-w c:\windows\system32\drivers\HSX_DPV.sys
2009-04-14 02:40 . 2005-12-01 08:40 669696 ----a-w c:\windows\system32\drivers\HSX_CNXT.sys
2009-04-14 02:40 . 2005-12-01 06:39 141497 ----a-w c:\windows\system32\drivers\del1028.cty
2009-04-14 02:40 . 2008-04-13 18:45 6272 ----a-w c:\windows\system32\drivers\splitter.sys
2009-04-14 02:40 . 2008-04-13 19:17 83072 ----a-w c:\windows\system32\drivers\wdmaud.sys
2009-04-14 02:40 . 2008-04-13 18:45 52864 ----a-w c:\windows\system32\drivers\dmusic.sys
2009-04-14 02:36 . 2009-04-14 02:36 -------- d-----w c:\windows\system32\URTTemp
2009-04-14 02:31 . 2007-03-17 01:10 604928 ----a-w c:\windows\system32\drivers\BCMWL5.SYS
2009-04-14 02:31 . 2007-03-17 01:10 770048 ----a-w c:\windows\system32\BCMLogon.dll
2009-04-14 02:31 . 2007-03-17 01:10 89088 ----a-w c:\windows\system32\ATL71.DLL
2009-04-14 02:31 . 2007-03-17 01:10 499712 ----a-w c:\windows\system32\MSVCP71.DLL
2009-04-14 02:31 . 2007-03-17 01:10 348160 ----a-w c:\windows\system32\MSVCR71.DLL
2009-04-14 02:31 . 2007-03-17 01:10 1060864 ----a-w c:\windows\system32\MFC71.DLL
2009-04-14 02:30 . 2006-11-21 11:25 45568 ----a-r c:\windows\system32\drivers\bcm4sbxp.sys
2009-04-14 02:29 . 2009-04-14 17:03 -------- dc----w c:\windows\system32\DRVSTORE
2009-04-14 02:29 . 2006-11-15 07:16 32256 ----a-w c:\windows\system32\drivers\rimmptsk.sys
2009-04-14 02:21 . 2009-04-14 02:21 -------- d-----w c:\windows\system32\vmm32

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-15 07:35 . 2009-04-15 07:35 -------- d-----w c:\program files\Unlocker
2009-04-15 06:58 . 2009-04-15 06:58 -------- d-----w c:\program files\Common Files\Macrovision Shared
2009-04-15 06:53 . 2009-04-14 20:09 -------- d-----w c:\program files\Common Files\Adobe
2009-04-15 03:07 . 2009-04-14 21:21 -------- d-----w c:\program files\McAfee
2009-04-14 21:29 . 2009-04-14 21:29 -------- d-----w c:\program files\SiteAdvisor
2009-04-14 21:22 . 2009-04-14 21:21 -------- d-----w c:\program files\Common Files\McAfee
2009-04-14 21:21 . 2009-04-14 21:21 -------- d-----w c:\program files\McAfee.com
2009-04-14 19:35 . 2009-04-14 19:35 -------- d-----w c:\program files\Trend Micro
2009-04-14 17:46 . 2009-04-14 17:46 -------- d-----w c:\program files\K-Lite Codec Pack
2009-04-14 17:44 . 2009-04-14 17:44 -------- d-----w c:\program files\CCleaner
2009-04-14 17:18 . 2009-04-14 02:36 -------- d-----w c:\program files\ATI Technologies
2009-04-14 17:03 . 2009-04-14 17:03 -------- d-----w c:\program files\Broadcom
2009-04-14 17:01 . 2009-04-14 17:01 -------- d-----w c:\program files\Synaptics
2009-04-14 16:59 . 2009-04-14 16:59 -------- d-----w c:\program files\AMD
2009-04-14 16:55 . 2009-04-14 02:29 -------- d-----w c:\program files\DIFX
2009-04-14 08:08 . 2009-04-14 08:07 -------- d-----w c:\program files\Google
2009-04-14 07:39 . 2009-04-14 07:39 32768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012009041420090415\index.dat
2009-04-14 07:31 . 2009-04-14 01:38 77423 ----a-w c:\windows\pchealth\helpctr\OfflineCache\index.dat
2009-04-14 07:17 . 2004-08-04 10:00 250048 --sha-r C:\ntldr
2009-04-14 06:25 . 2009-04-14 06:25 -------- d-----w c:\program files\Java
2009-04-14 05:52 . 2009-04-14 05:52 -------- d-----w c:\program files\Hewlett-Packard
2009-04-14 03:31 . 2009-04-14 03:31 -------- d-----w c:\program files\Common Files\L&H
2009-04-14 03:27 . 2009-04-14 03:27 -------- d-----w c:\program files\Microsoft ActiveSync
2009-04-14 03:26 . 2009-04-14 03:26 -------- d-----w c:\program files\Microsoft.NET
2009-04-14 03:22 . 2009-04-14 03:22 -------- d-----w c:\program files\7-Zip
2009-04-14 03:17 . 2009-04-14 03:17 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-14 02:41 . 2009-04-14 02:25 -------- d--h--w c:\program files\InstallShield Installation Information
2009-04-14 02:40 . 2009-04-14 02:40 -------- d-----w c:\program files\CONEXANT
2009-04-14 02:39 . 2009-04-14 02:39 -------- d-----w c:\program files\SigmaTel
2009-04-14 02:31 . 2009-04-14 02:21 -------- d-----w c:\program files\Dell
2009-04-14 02:31 . 2009-04-14 02:21 -------- d-----w c:\program files\Common Files\InstallShield
2009-04-14 01:39 . 2009-04-14 01:39 -------- d-----w c:\program files\microsoft frontpage
2009-04-14 01:35 . 2009-04-14 01:35 21640 ----a-w c:\windows\system32\emptyregdb.dat
2009-03-25 18:06 . 2009-03-25 18:06 214024 ----a-w c:\windows\system32\drivers\mfehidk.sys
2009-02-09 11:13 . 2004-08-04 10:00 1846784 ----a-w c:\windows\system32\win32k.sys
.


Re: virut infection will not leave me alone, after reformating and reinstalling

Post by mike69 on 15th April 2009, 8:15 am

combofix part 2


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-04-14 39408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2007-03-17 1392640]
"HP KEYBOARDg"="c:\program files\Hewlett-Packard\HP Wireless Elite Desktop\HPKEYBOARDg.EXE" [2008-08-07 486672]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-04-14 148888]
"SigmatelSysTrayApp"="c:\program files\SigmaTel\C-Major Audio\WDM\stsystra.exe" [2007-05-10 405504]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-08 761947]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\CLIStart.exe" [2006-05-10 90112]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-03-26 645328]
"McENUI"="c:\progra~1\McAfee\MHN\McENUI.exe" [2009-01-09 1176808]
"McAfee Backup"="c:\program files\McAfee\MBK\McAfeeDataBackup.exe" [2009-01-09 5134864]
"Adobe Acrobat Speed Launcher"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe" [2008-06-12 37232]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe" [2008-06-12 640376]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

R0 TfFsMon;TfFsMon; [x]
R0 TfSysMon;TfSysMon; [x]
R3 pctplsg;pctplsg; [x]
R3 TfNetMon;TfNetMon; [x]
S2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [2008-10-08 203280]

.
Contents of the 'Scheduled Tasks' folder

2009-04-15 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-04-14 17:53]

2009-04-14 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-04-14 17:53]
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run- - (no file)


.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert link target to existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Mike\Application Data\Mozilla\Firefox\Profiles\wriqhq49.default\
FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll
.

**************************************************************************

catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2009-04-15 01:08
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(804)
c:\windows\system32\Ati2evxx.dll
c:\windows\System32\BCMLogon.dll

- - - - - - - > 'explorer.exe'(2876)
c:\program files\McAfee\SiteAdvisor\saHook.dll
.
Completion time: 2009-04-15 1:11
ComboFix-quarantined-files.txt 2009-04-15 08:11

Pre-Run: 13,150,629,888 bytes free
Post-Run: 13,187,944,448 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

261 --- E O F --- 2009-04-14 07:44


Re: virut infection will not leave me alone, after reformating and reinstalling

Post by mike69 on 15th April 2009, 8:21 am

From looking at my McAfee, I can't explain where the users

192.168.0.100 and 192.168.0.103

are coming from.

[img: McAfee screenshot; link visible only to registered users]


Re: virut infection will not leave me alone, after reformating and reinstalling

Post by Belahzur on 15th April 2009, 2:47 pm

Hello.

From the first screenshot, I can just about read the word "patch". You know that using cracks/keygens/patches will only lead to trouble. Stop downloading them, otherwise you will keep getting infected.

192.168.*.* sounds like your router, but I doubt that's infected.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.



Re: virut infection will not leave me alone, after reformating and reinstalling

Post by mike69 on 15th April 2009, 4:28 pm

McAfee found this from a full scan in safe mode

4/14/2009 10:47:52 PM Scan Started: 04/14/2009 10:47:52 PM
4/14/2009 10:48:10 PM "C:\DOCUMENTS AND SETTINGS\MIKE\DESKTOP\ADOBE ACROBAT 9 PROFESSIONAL + NEW WORKING PATCH ADDED\CRACKAA9P.RAR" "Generic!Artemis" "5"
4/14/2009 10:48:15 PM "C:\Documents and Settings\Mike\Desktop\Adobe Acrobat 9 Professional + New working Patch Added\CrackAA9P.rar" "Generic!Artemis" "5"
4/14/2009 10:48:15 PM Total objects scanned: 1
4/14/2009 10:48:15 PM Objects detected: 1
4/14/2009 10:48:15 PM Scan Done: 04/14/2009 10:48:15 PM
4/14/2009 11:01:10 PM Scan Started: 04/14/2009 11:01:10 PM
4/14/2009 11:01:27 PM Total objects scanned: 1
4/14/2009 11:01:27 PM Objects detected: 0
4/14/2009 11:01:27 PM Scan Done: 04/14/2009 11:01:27 PM
4/15/2009 1:44:40 AM Scan Started: 04/15/2009 01:44:40 AM
4/15/2009 1:57:40 AM "C:\Documents and Settings\Mike\Desktop\ComboFix.exe" "RemAdm-ProcLaunch!171" "5"
4/15/2009 1:59:42 AM "C:\DOCUMENTS AND SETTINGS\MIKE\DESKTOP\UNLOCKER1.8.7.EXE" "Generic Downloader.ab" "5"
4/15/2009 1:59:47 AM "C:\Documents and Settings\Mike\Desktop\unlocker1.8.7.exe" "Generic Downloader.ab" "5"
4/15/2009 2:02:04 AM "C:\Documents and Settings\Mike\Desktop\New Folder\lab1e\bin\Debug\lab1e.vshost.exe" "New Win32" "5"
4/15/2009 2:02:08 AM "C:\Documents and Settings\Mike\Desktop\New Folder\WindowsApplication1\bin\Debug\WindowsApplication1.exe" "W32/Virut.n.gen" "5"
4/15/2009 2:02:09 AM "C:\Documents and Settings\Mike\Desktop\New Folder\WindowsApplication1\bin\Debug\WindowsApplication1.vshost.exe" "W32/Virut.n.gen" "5"
4/15/2009 2:02:10 AM "C:\Documents and Settings\Mike\Desktop\New Folder\WindowsApplication1\obj\Debug\WindowsApplication1.exe" "W32/Virut.n.gen" "5"
4/15/2009 2:02:12 AM "C:\Documents and Settings\Mike\Desktop\New Folder\WindowsApplication131707\bin\Debug\WindowsApplication131707.exe" "W32/Virut.n.gen" "5"
4/15/2009 2:02:13 AM "C:\Documents and Settings\Mike\Desktop\New Folder\WindowsApplication131707\bin\Debug\WindowsApplication131707.vshost.exe" "W32/Virut.n.gen" "5"
4/15/2009 2:02:14 AM "C:\Documents and Settings\Mike\Desktop\New Folder\WindowsApplication131707\obj\Debug\WindowsApplication131707.exe" "W32/Virut.n.gen" "5"
4/15/2009 2:06:04 AM "C:\Documents and Settings\Mike\My Documents\cmpe 130\btrees\btrees.exe" "W32/Virut.n.gen" "5"
4/15/2009 2:06:12 AM "C:\Documents and Settings\Mike\My Documents\cmpe 130\lab1\hexdmp.exe" "W32/Virut.n.gen" "5"
4/15/2009 2:08:02 AM "C:\Documents and Settings\Mike\My Documents\cmpe 152\winscp382.exe" "New Win32" "5"
4/15/2009 2:11:07 AM "C:\Documents and Settings\Mike\My Documents\My Videos\Veoh\AppBackup\BsSndRpt.exe" "W32/Virut.n.gen" "5"
4/15/2009 2:15:26 AM "C:\Documents and Settings\Mike\My Documents\Visual Studio 2005\Projects\WindowsApplication1\WindowsApplication1\bin\Debug\WindowsApplication1.exe" "W32/Virut.n.gen" "5"
4/15/2009 2:15:27 AM "C:\Documents and Settings\Mike\My Documents\Visual Studio 2005\Projects\WindowsApplication1\WindowsApplication1\bin\Debug\WindowsApplication1.vshost.exe" "W32/Virut.n.gen" "5"
4/15/2009 2:15:29 AM "C:\Documents and Settings\Mike\My Documents\Visual Studio 2005\Projects\WindowsApplication1\WindowsApplication1\obj\Debug\WindowsApplication1.exe" "W32/Virut.n.gen" "5"
4/15/2009 2:18:41 AM "C:\downloads\xx1\ComboFix.exe" "RemAdm-ProcLaunch!171" "5"
4/15/2009 2:28:31 AM "C:\DOWNLOADS\XX1\UNLOCKER1.8.7.EXE" "Generic Downloader.ab" "5"
4/15/2009 2:28:36 AM "C:\downloads\xx1\unlocker1.8.7.exe" "Generic Downloader.ab" "5"
4/15/2009 3:33:26 AM "C:\PROGRAM FILES\UNLOCKER\EBAY_SHORTCUTS_1016.EXE" "Generic Downloader.ab" "5"
4/15/2009 3:33:31 AM "C:\Program Files\Unlocker\eBay_shortcuts_1016.exe" "Generic Downloader.ab" "5"
4/15/2009 4:21:37 AM Total objects scanned: 78510
4/15/2009 4:21:37 AM Objects detected: 19
4/15/2009 4:21:37 AM Scan Done: 04/15/2009 04:21:37 AM

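The McAfee log above can be tallied automatically rather than read line by line. The following is an added example, not code from the thread or from McAfee; it assumes only the line layout visible in the pasted log and runs on a constructed sample. It also accounts for the gap between the 22 detection lines in the third scan and McAfee's "Objects detected: 19": three files (unlocker1.8.7.exe on the Desktop, unlocker1.8.7.exe in downloads\xx1, and eBay_shortcuts_1016.exe) were logged twice, once in upper case, and Windows paths are case-insensitive, so the parser keys on the lower-cased path.

```python
"""Summarise a McAfee VirusScan on-demand log like the one pasted above.

Added example, not from the thread or from McAfee. The line layout is inferred
from the pasted log:
    <date> <time> <AM|PM> "<path>" "<detection name>" "<n>"
plus "Scan Started:", "Total objects scanned:", "Objects detected:" and
"Scan Done:" bookkeeping lines. The sample log below is constructed.
"""
import re
from collections import Counter

DETECTION_RE = re.compile(
    r'^(?P<date>\d{1,2}/\d{1,2}/\d{4}) (?P<time>\d{1,2}:\d{2}:\d{2} [AP]M) '
    r'"(?P<path>[^"]+)" "(?P<name>[^"]+)" "(?P<level>\d+)"$'
)
OBJECTS_DETECTED_RE = re.compile(r"Objects detected: (\d+)")

# Constructed sample modelled on the pasted log; paths are placeholders.
# The same file is logged twice, once in upper case, as in the real log.
SAMPLE_LOG = r"""
4/15/2009 1:44:40 AM Scan Started: 04/15/2009 01:44:40 AM
4/15/2009 1:59:42 AM "C:\DOCUMENTS AND SETTINGS\USER\DESKTOP\TOOL.EXE" "Generic Downloader.ab" "5"
4/15/2009 1:59:47 AM "C:\Documents and Settings\User\Desktop\tool.exe" "Generic Downloader.ab" "5"
4/15/2009 2:02:08 AM "C:\Documents and Settings\User\Desktop\proj\bin\Debug\app.exe" "W32/Virut.n.gen" "5"
4/15/2009 2:02:09 AM "C:\Documents and Settings\User\Desktop\proj\bin\Debug\app.vshost.exe" "W32/Virut.n.gen" "5"
4/15/2009 2:06:12 AM "C:\Documents and Settings\User\My Documents\lab\hexdmp.exe" "W32/Virut.n.gen" "5"
4/15/2009 2:08:02 AM "C:\Documents and Settings\User\My Documents\winscp382.exe" "New Win32" "5"
4/15/2009 4:21:37 AM Total objects scanned: 78510
4/15/2009 4:21:37 AM Objects detected: 5
4/15/2009 4:21:37 AM Scan Done: 04/15/2009 04:21:37 AM
"""


def parse_scans(text):
    """Split the log into scans. Each scan is a dict with:
    'detections': lower-cased path -> (path as logged, detection name)
    'reported':   the count McAfee printed in its "Objects detected:" line
    """
    scans = []
    current = None
    for line in text.splitlines():
        if "Scan Started:" in line:
            current = {"detections": {}, "reported": None}
            scans.append(current)
            continue
        if current is None:
            continue
        m = OBJECTS_DETECTED_RE.search(line)
        if m:
            current["reported"] = int(m.group(1))
            continue
        m = DETECTION_RE.match(line)
        if m:
            # Windows paths are case-insensitive and McAfee logs some hits
            # twice (upper-case, then as stored), so key on the lower-cased
            # path to avoid counting one file as two detections.
            current["detections"][m.group("path").lower()] = (
                m.group("path"), m.group("name"))
    return scans


def summarise(scan):
    """Per-scan summary: unique files, hits by detection name, and the files
    flagged as Virut-infected hosts (the ones that must not be backed up)."""
    names = Counter(name for _, name in scan["detections"].values())
    virut = sorted(path for path, name in scan["detections"].values()
                   if name.startswith("W32/Virut"))
    return {
        "unique_files": len(scan["detections"]),
        "by_name": dict(names),
        "virut_files": virut,
        "matches_reported": scan["reported"] == len(scan["detections"]),
    }


def summarise_log(text):
    """Convenience wrapper: one summary dict per scan found in the log text."""
    return [summarise(scan) for scan in parse_scans(text)]


if __name__ == "__main__":
    for i, summary in enumerate(summarise_log(SAMPLE_LOG), 1):
        print(f"scan {i}:", summary)
```

`matches_reported` is the sanity check worth keeping: when the deduplicated count agrees with McAfee's own "Objects detected" line, the parser has read every detection line; when it does not, look for a line the regex missed before trusting the list of Virut-infected files.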

Re: virut infection will not leave me alone, after reformating and reinstalling

Post by mike69 on 15th April 2009, 4:40 pm

1) So from all of these scans, what do you make of them or conclude?
2) It looks like I may have to do another reformat and reinstall of Windows; McAfee found more exe replicators of the Virut.

3) This time, what would you suggest? Could this virus stay in memory even after reformatting the hard drive? If so, how do I tackle that problem? It seems like even if I don't bring over any files, this thing will always attack a fresh copy of explorer.exe and then the other exe files that follow, even on a new install.


Re: virut infection will not leave me alone, after reformating and reinstalling

Post by Belahzur on 15th April 2009, 4:49 pm

Hello.
Did you actually format it? Wipe everything? Because if you backed up any exe files, that's how the infection got back. There are a number of infected executable files in the My Documents folder.



Re: virut infection will not leave me alone, after reformating and reinstalling

Post by mike69 on 15th April 2009, 5:15 pm

Yes, I did do the full format. I wonder.

1) If I copied those My Documents files over to my external, would that infect other files on the external as well?

2) I'm going to look through the My Documents folder after copying it over to the external, search for exe's and then delete them before formatting and installing Windows again.

3) Any other extensions I should be aware of searching for and destroying before migrating personal files back over to the newly installed PC?

4) Could the virus stay in the RAM or memory? Would I have to run the battery out before doing a full format and install?


Re: virut infection will not leave me alone, after reformating and reinstalling

Post by mike69 on 15th April 2009, 7:46 pm

Belahzur, can you respond to the previous message? I see you skipped it during your mass response to everyone.


Re: virut infection will not leave me alone, after reformating and reinstalling

Post by Belahzur on 15th April 2009, 7:50 pm

Sorry about that, it happens sometimes.

There is one known rootkit which is able to hide in the master boot record (MBR), but I know the signs of that and you don't have it.

Do not back up ANY .exe or .scr <== exe/scr are infected.



Re: virut infection will not leave me alone, after reformating and reinstalling

Post by mike69 on 15th April 2009, 8:26 pm

I understand. I just deleted the partition and I'm waiting for my laptop (unplugged) to run out of power before installing Windows.

I had asked you about that previously, but you didn't respond, so I don't know what to do now.

4) Could the virus stay in the RAM or memory? Would I have to run the battery out before doing a full format and install?

5) Can the external hard drive that I copied the personal files over to (I tried to filter out the exe's and scr's while doing so) get infected by this virus if I connect it to a networked PC? Or is it only the hard drive that has the Windows OS booted up that is infected? I'm unsure if my external hard drive is safe from this or not. Please let me know.


Re: virut infection will not leave me alone, after reformating and reinstalling

Post by Belahzur on 15th April 2009, 8:28 pm

No, I don't think it stays in memory or RAM, no need to run the battery out.



Re: virut infection will not leave me alone, after reformating and reinstalling

Post by mike69 on 15th April 2009, 8:38 pm

Are there viruses that ever do that? That link you provided about the virut the other day mentioned a user that tried to do that.

5) Can the external hard drive that I copied the personal files over to (I tried to filter out the exe's and scr's while doing so) get infected by this virus if I connect it to a networked PC? Or is it only the hard drive that has the Windows OS booted up that is infected? I'm unsure if my external hard drive is safe from this or not. Please let me know.


Re: virut infection will not leave me alone, after reformating and reinstalling

Post by Belahzur on 15th April 2009, 9:00 pm

External hard drive might be infected. You can check by doing this:


  1. Open My Computer.
  2. Go to Tools > Folder Options.
  3. Select the View tab.
  4. Scroll down to Hidden files and folders.
  5. Select Show hidden files and folders.
  6. Uncheck (untick) Hide extensions of known file types.
  7. Uncheck (untick) Hide protected operating system files (Recommended).
  8. Click Yes when prompted.
  9. Click OK.
  10. Close My Computer.


Now, re-open My Computer. Once the external drive is plugged in, find it in the list.
Right click it > Explore.
See if there is an autorun.inf file.


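The manual Explorer check above (show hidden and system files, then look for autorun.inf on the drive) can be done by script, which also lists the .exe/.scr files the earlier reply says must not be carried over. This is an added example, not code from the thread; `build_sample_drive()` creates a constructed stand-in for the external drive in a temporary folder, and `audit_drive()` can be pointed at a real mount point instead. The autorun.inf keys it reads (open, shellexecute, shell\open\command) are the standard ones Windows honours for launching a program; everything else is an assumption of this example.

```python
r"""Check a drive (or any folder) the way the steps above do by hand: is there
an autorun.inf at the root, and which .exe/.scr files are on it?

Added example, not from the thread. build_sample_drive() makes a constructed
stand-in for the external drive in a temp folder; point audit_drive() at a
real mount point (such as E:\) to use it for real. The autorun.inf keys
looked at (open, shellexecute, shell\open\command) are the standard ones
Windows honours for launching a program.
"""
import configparser
import os
import tempfile

EXECUTABLE_EXTS = {".exe", ".scr"}  # the file types the thread says get infected
LAUNCH_KEYS = ("open", "shellexecute", "shell\\open\\command")


def parse_autorun(path):
    """Return the launch-related entries of an autorun.inf (keys lower-cased).
    An unparseable file is reported rather than silently ignored."""
    # INF files use '=' only; configparser lower-cases option names for us.
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   delimiters=("=",))
    try:
        cp.read(path, encoding="latin-1")  # latin-1 never fails on odd bytes
    except configparser.Error:
        return {"unparseable": True}
    for section in cp.sections():
        if section.lower() == "autorun":  # section names are case-sensitive
            return {k: v for k, v in cp.items(section) if k in LAUNCH_KEYS}
    return {}


def audit_drive(root):
    """Walk `root`. Hidden/system attributes do not hide files from os.walk,
    so this sees what Explorer hides by default. Returns a dict with the
    parsed root autorun.inf (or None) and every .exe/.scr found, as paths
    relative to root using '/' separators."""
    report = {"autorun": None, "executables": []}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            lower = name.lower()  # Windows names are case-insensitive
            full = os.path.join(dirpath, name)
            if dirpath == root and lower == "autorun.inf":
                report["autorun"] = parse_autorun(full)
            elif os.path.splitext(lower)[1] in EXECUTABLE_EXTS:
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                report["executables"].append(rel)
    report["executables"].sort()
    return report


def build_sample_drive():
    """Constructed stand-in for an infected external drive: an autorun.inf
    pointing into a RECYCLED folder, an .exe there, a .scr, and benign files."""
    root = tempfile.mkdtemp(prefix="drive_")
    with open(os.path.join(root, "autorun.inf"), "w") as f:
        f.write("[autorun]\nopen=RECYCLED\\setup.exe\nicon=setup.exe\n")
    os.makedirs(os.path.join(root, "RECYCLED"))
    os.makedirs(os.path.join(root, "photos"))
    for rel in (("RECYCLED", "setup.exe"), ("Screensaver.SCR",),
                ("photos", "holiday.jpg"), ("notes.txt",)):
        open(os.path.join(root, *rel), "w").close()  # empty placeholder files
    return root


if __name__ == "__main__":
    print(audit_drive(build_sample_drive()))
```

A drive with no autorun.inf comes back with `"autorun": None`, which is the clean result the later replies are looking for; an AutoPlay prompt on insertion is not evidence either way, since Windows shows it for any removable drive with content and autorun.inf only customises it. The `executables` list is the part to act on: each entry there is a file the thread says should be scanned or discarded before anything is copied back to the fresh install.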

Re: virut infection will not leave me alone, after reformating and reinstalling

Post by mike69 on 15th April 2009, 9:21 pm

I didn't see an autorun.inf file of any kind, even when viewing hidden files and folders.

I may have screwed myself. While I was waiting for your reply, I took the external and connected it to another PC (not connected to the network) because that PC had Norton Antivirus and I wanted to scan it. It seems that while scanning, it found a "recycled" folder that had some exe's and it was quarantining them. But I wonder, if that happens, even if it's quarantined, can those files still be used by a hacker from the quarantine folder?


Re: virut infection will not leave me alone, after reformating and reinstalling

Post by mike69 on 15th April 2009, 9:37 pm

I see it has the autoplay menu, but I don't see the autorun.inf file even after expanding the hidden files and folders.

??


Re: virut infection will not leave me alone, after reformating and reinstalling

Post by Belahzur on 15th April 2009, 9:53 pm

Okay, the drive isn't infected then.



Re: virut infection will not leave me alone, after reformating and reinstalling

Post by mike69 on 15th April 2009, 10:49 pm

two questions:

1) Wait, so if it has the scan and then the "autoplay" window pop up, that doesn't necessarily mean that an autorun.inf exists in the root somewhere?

2) I may have screwed myself. While I was waiting for your reply, I took the external and connected it to another pc (not connected to the network) because that pc had Norton antivirus and I wanted to scan it. It seems that while scanning, it found a "recycled" folder that had some exe's and it was quarantining it, but I wonder, if that happens, even if it's quarantined, can those files still be used by a hacker from the quarantine folder?


Re: virut infection will not leave me alone, after reformating and reinstalling

Post by Belahzur on 16th April 2009, 12:04 am

The autoplay is caused by Windows: when an external drive/CD is put in, Windows reads it and checks the current setting for what to do when autoplay is activated. Autoplay can be switched off via the registry, but doing so has a few side effects.

You lose the little picture next to CD/external drives, and CDs won't start playing manually.

The Recycled folder needs to go, and all the exe files inside it. Once it's quarantined, it's not active and no hacker can get to you, so stop worrying.


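The registry setting Belahzur refers to is the NoDriveTypeAutoRun policy under Software\Microsoft\Windows\CurrentVersion\Policies\Explorer (HKLM or HKCU), a REG_DWORD bitmask in which bit n disables AutoRun for drive type n as reported by GetDriveType. As an added example (not from the thread), the script below decodes such a value into the drive types that still autorun, builds the value needed to disable a chosen set of types, and, on Windows, reads the live setting from both hives. The bit meanings and the registry path are Windows' documented ones; the 0x91 figure is the XP default as commonly cited, and which hive wins when both set the value is not asserted here.

```python
"""Decode and build the NoDriveTypeAutoRun policy value.

Added example for this thread, not code from the forum. The decoding is
pure Python; read_policy_values() touches the registry and only does
anything on Windows.
"""
import sys

POLICY_SUBKEY = r"Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
POLICY_VALUE = "NoDriveTypeAutoRun"

# Bit n corresponds to GetDriveType() result n. A set bit disables AutoRun
# for that drive type.
DRIVE_TYPE_BITS = {
    0x01: "unknown",
    0x02: "no_root_dir",
    0x04: "removable",   # USB sticks, external disks, floppies
    0x08: "fixed",       # internal hard disks
    0x10: "network",
    0x20: "cdrom",
    0x40: "ramdisk",
    0x80: "reserved",
}

DISABLE_ALL = 0xFF   # common hardening value: nothing autoruns
XP_DEFAULT = 0x91    # unknown + network + reserved off; USB and CD still autorun


def disabled_drive_types(value):
    """Sorted names of drive types whose AutoRun this value switches off."""
    return sorted(name for bit, name in DRIVE_TYPE_BITS.items() if value & bit)


def still_autoruns(value):
    """Sorted names of drive types that would still AutoRun under `value`."""
    return sorted(name for bit, name in DRIVE_TYPE_BITS.items() if not value & bit)


def value_disabling(*type_names):
    """Build the DWORD that disables AutoRun for exactly the named types."""
    wanted = set(type_names)
    bad = wanted - set(DRIVE_TYPE_BITS.values())
    if bad:
        raise ValueError(f"unknown drive type names: {sorted(bad)}")
    return sum(bit for bit, name in DRIVE_TYPE_BITS.items() if name in wanted)


def read_policy_values():
    """Return {"HKLM": value, "HKCU": value} for hives that set the policy.

    Empty on non-Windows hosts or when neither hive defines the value.
    """
    if sys.platform != "win32":
        return {}
    import winreg  # Windows-only module
    found = {}
    hives = (("HKLM", winreg.HKEY_LOCAL_MACHINE), ("HKCU", winreg.HKEY_CURRENT_USER))
    for name, hive in hives:
        try:
            with winreg.OpenKey(hive, POLICY_SUBKEY) as key:
                value, kind = winreg.QueryValueEx(key, POLICY_VALUE)
                if kind == winreg.REG_DWORD:
                    found[name] = value
        except OSError:
            pass  # key or value absent in this hive
    return found


if __name__ == "__main__":
    live = read_policy_values() or {"(XP default, assumed)": XP_DEFAULT}
    for hive, value in live.items():
        print(f"{hive}: 0x{value:02X}")
        print("  still autoruns:", ", ".join(still_autoruns(value)) or "nothing")
    print(f"value to disable removable+cdrom: 0x{value_disabling('removable', 'cdrom'):02X}")
```

With the XP default, removable and CD-ROM drives still autorun, which is exactly the case this thread is worried about; 0xFF leaves nothing autorunning, at the cost of the side effects Belahzur describes.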

Re: virut infection will not leave me alone, after reformating and reinstalling

Post by mike69 on 16th April 2009, 12:34 am

So is it only when you double click and execute an infected exe file that all hell breaks loose?

Just having the infected exe file residing somewhere on your hard drive isn't going to do anything?


Re: virut infection will not leave me alone, after reformating and reinstalling

Post by Belahzur on 16th April 2009, 12:39 am

That's the theory. But it's still not safe to have infected executable files on your hard drive.

