UNOWN VIRUS


Post by Lazilion on 17th April 2009, 1:33 pm

I don't know what the virus really is, but sometimes I get errors with WIN32 on it.

The virus leads me to different websites and slows down my computer straight after the error reading.

This is the HIJACK reading:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:32:28 PM, on 17/04/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\TOSHIBA\TOSHIBA Direct Disc Writer\ddwmon.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
C:\Program Files\Toshiba\Tvs\TvsTray.exe
C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\WINDOWS\system32\TDispVol.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Synaptics\SynTP\Toshiba.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Toshiba\TOSHIBA Applet\TAPPSRV.exe
C:\WINDOWS\system32\TODDSrv.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = [You must be registered and logged in to see this link.]
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = [You must be registered and logged in to see this link.]
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
O2 - BHO: EmailBHO - {647FD14A-C4F1-46F4-8FC3-0B40F54226F7} - C:\Program Files\jZip\WebmailPlugin.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [DDWMon] C:\Program Files\TOSHIBA\TOSHIBA Direct Disc Writer\\ddwmon.exe
O4 - HKLM\..\Run: [SmoothView] C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
O4 - HKLM\..\Run: [Tvs] C:\Program Files\Toshiba\Tvs\TvsTray.exe
O4 - HKLM\..\Run: [PadTouch] C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
O4 - HKLM\..\Run: [THotkey] C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe
O4 - HKLM\..\Run: [TDispVol] TDispVol.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [CFSServ.exe] CFSServ.exe -NoClient
O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - [You must be registered and logged in to see this link.]
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: npkcmsvc - Unknown owner - C:\Nexon\MapleStory\npkcmsvc.exe (file missing)
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: TOSHIBA Application Service (TAPPSRV) - TOSHIBA Corp. - C:\Program Files\Toshiba\TOSHIBA Applet\TAPPSRV.exe
O23 - Service: TOSHIBA Optical Disc Drive Service (TODDSrv) - TOSHIBA Corporation - C:\WINDOWS\system32\TODDSrv.exe

--
End of file - 6244 bytes

Lazilion
Intermediate

Posts: 74
Joined: 2009-04-17
OS: Windows 7 Home Premium 64bit
Protection: AVG Free
Points: 28379
Likes: 0


Re: UNOWN VIRUS

Post by Belahzur on 17th April 2009, 2:11 pm

Please download and run this tool.

Download Malwarebytes' Anti-Malware from [You must be registered and logged in to see this link.]

Double Click mbam-setup.exe to install the application.

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.


Post the contents of the MBAM Log.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator

Posts: 34918
Joined: 2008-08-03
Gender: Male
OS: 7 Home Premium x64
Points: 245121
Likes: 1


Re: UNOWN VIRUS

Post by Lazilion on 17th April 2009, 11:32 pm

I couldn't update it because the virus doesn't let me update, but from the report there wasn't a single problem.

Malwarebytes' Anti-Malware 1.36
Database version: 1945
Windows 5.1.2600 Service Pack 2

18/04/2009 9:30:01 AM
mbam-log-2009-04-18 (09-30-01).txt

Scan type: Quick Scan
Objects scanned: 79020
Time elapsed: 2 minute(s), 28 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


Re: UNOWN VIRUS

Post by Belahzur on 18th April 2009, 12:07 am

Let's see if there's a rootkit present.

1. Please download The Avenger by Swandog46 to your Desktop
Link: [You must be registered and logged in to see this link.] or [You must be registered and logged in to see this link.].

  • Click on Avenger.zip to open the file
  • Extract avenger.exe to your desktop

2. Now, start The Avenger program by clicking on its icon on your desktop.

  • Leave the script box empty.
  • Leave the ticked box "Scan for rootkit" ticked.
  • Then tick "Disable any rootkits found"
  • Now click on the Execute to begin execution of the script.
  • Answer "Yes" twice when prompted.

    The Avenger will automatically do the following:

  • It will Restart your computer.
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger's actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
3. Please copy/paste the content of c:\avenger.txt into your reply.





Re: UNOWN VIRUS

Post by Lazilion on 29th April 2009, 2:36 am

These are the results:

Logfile of The Avenger Version 2.0, (c) by Swandog46
[You must be registered and logged in to see this link.]

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!


Completed script processing.

*******************

Finished! Terminate.


Re: UNOWN VIRUS

Post by Belahzur on 29th April 2009, 11:56 am

You aren't running anti-virus software.

Please install Avira antivirus otherwise you won't be protected.

1) [You must be registered and logged in to see this link.]
-Free anti-virus software for Windows.
-Detects and removes more than 50,000 viruses. Free support.

It is strongly recommended that you run only one antivirus program at a time. Having more than one antivirus program active in memory uses additional resources and can result in program conflicts and false virus alerts.

  • Open HijackThis
  • Choose "Do a system scan only"
  • Check the boxes in front of these lines:


    O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
    O23 - Service: npkcmsvc - Unknown owner - C:\Nexon\MapleStory\npkcmsvc.exe (file missing)


  • Press "Fix Checked"
  • Close Hijack This.

Now we need to get an uninstall list, and we can use Hijack This for that too.

  • Open HijackThis.
  • When Hijack This opens, click "Open the Misc Tools section"
  • Then select "Open Uninstall Manager"
  • Click on "Save List..." (generates uninstall_list.txt)
  • Click Save, copy and paste the results in your next post.





Re: UNOWN VIRUS

Post by Lazilion on 30th April 2009, 7:16 am

I didn't get any of the files stated, but I also couldn't update the Avira antivirus software.

I also got two unopenable files.

These are the results I got:


Avira AntiVir Personal
Report file date: Thursday, 30 April 2009 16:18

Scanning for 1284893 virus strains and unwanted programs.

Licensee : Avira AntiVir Personal - FREE Antivirus
Serial number : 0000149996-ADJIE-0000001
Platform : Windows XP
Windows version : (Service Pack 2) [5.1.2600]
Boot mode : Normally booted
Username : SYSTEM
Computer name : MENON

Version information:
BUILD.DAT : 9.0.0.394 17962 Bytes 4/17/2009 11:20:00
AVSCAN.EXE : 9.0.3.5 466689 Bytes 4/16/2009 23:57:30
AVSCAN.DLL : 9.0.3.0 40705 Bytes 2/27/2009 01:58:24
LUKE.DLL : 9.0.3.2 209665 Bytes 2/20/2009 02:35:49
LUKERES.DLL : 9.0.2.0 12033 Bytes 2/27/2009 01:58:52
ANTIVIR0.VDF : 7.1.0.0 15603712 Bytes 10/27/2008 03:30:36
ANTIVIR1.VDF : 7.1.2.12 3336192 Bytes 2/11/2009 11:33:26
ANTIVIR2.VDF : 7.1.2.105 513536 Bytes 3/3/2009 22:41:14
ANTIVIR3.VDF : 7.1.2.127 110592 Bytes 3/5/2009 05:58:20
Engineversion : 8.2.0.100
AEVDF.DLL : 8.1.1.0 106868 Bytes 1/27/2009 08:36:42
AEscript.DLL : 8.1.1.56 352634 Bytes 2/26/2009 11:01:56
AESCN.DLL : 8.1.1.7 127347 Bytes 2/12/2009 02:44:25
AERDL.DLL : 8.1.1.3 438645 Bytes 10/29/2008 09:24:41
AEPACK.DLL : 8.1.3.10 397686 Bytes 3/4/2009 04:06:10
AEOFFICE.DLL : 8.1.0.36 196987 Bytes 2/26/2009 11:01:56
AEHEUR.DLL : 8.1.0.100 1618295 Bytes 2/25/2009 06:49:16
AEHELP.DLL : 8.1.2.2 119158 Bytes 2/26/2009 11:01:56
AEGEN.DLL : 8.1.1.24 336244 Bytes 3/4/2009 04:06:10
AEEMU.DLL : 8.1.0.9 393588 Bytes 10/9/2008 05:32:40
AECORE.DLL : 8.1.6.6 176501 Bytes 2/17/2009 05:22:44
AEBB.DLL : 8.1.0.3 53618 Bytes 10/9/2008 05:32:40
AVWINLL.DLL : 9.0.0.3 18177 Bytes 12/11/2008 23:47:59
AVPREF.DLL : 9.0.0.1 43777 Bytes 12/5/2008 01:32:15
AVREP.DLL : 8.0.0.3 155905 Bytes 1/20/2009 05:34:28
AVREG.DLL : 9.0.0.0 36609 Bytes 12/5/2008 01:32:09
AVARKT.DLL : 9.0.0.3 292609 Bytes 3/24/2009 06:05:41
AVEVTLOG.DLL : 9.0.0.7 167169 Bytes 1/30/2009 01:37:08
SQLITE3.DLL : 3.6.1.0 326401 Bytes 1/28/2009 06:03:49
SMTPLIB.DLL : 9.2.0.25 28417 Bytes 2/1/2009 23:21:33
NETNT.DLL : 9.0.0.0 11521 Bytes 12/5/2008 01:32:10
RCIMAGE.DLL : 9.0.0.21 2438401 Bytes 2/9/2009 02:45:45
RCTEXT.DLL : 9.0.37.0 86785 Bytes 4/17/2009 01:19:48

Configuration settings for the scan:
Jobname.............................: Complete system scan
Configuration file..................: c:\program files\avira\antivir desktop\sysscan.avp
Logging.............................: low
Primary action......................: interactive
Secondary action....................: ignore
Scan master boot sector.............: on
Scan boot sector....................: on
Boot sectors........................: C:,
Process scan........................: on
Scan registry.......................: on
Search for rootkits.................: on
Integrity checking of system files..: off
Scan all files......................: All files
Scan archives.......................: on
Recursion depth.....................: 20
Smart extensions....................: on
Macro heuristic.....................: on
File heuristic......................: medium

Start of the scan: Thursday, 30 April 2009 16:18

Starting search for hidden objects.
'36313' objects were checked, '0' hidden objects were found.

The scan of running processes will be started
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'avcenter.exe' - '1' Module(s) have been scanned
Scan process 'avgnt.exe' - '1' Module(s) have been scanned
Scan process 'sched.exe' - '1' Module(s) have been scanned
Scan process 'avguard.exe' - '1' Module(s) have been scanned
Scan process 'msiexec.exe' - '1' Module(s) have been scanned
Scan process 'ctfmon.exe' - '1' Module(s) have been scanned
Scan process 'firefox.exe' - '1' Module(s) have been scanned
Scan process 'wuauclt.exe' - '1' Module(s) have been scanned
Scan process 'Dot1XCfg.exe' - '1' Module(s) have been scanned
Scan process 'wscntfy.exe' - '1' Module(s) have been scanned
Scan process 'alg.exe' - '1' Module(s) have been scanned
Scan process 'wdfmgr.exe' - '1' Module(s) have been scanned
Scan process 'TODDSrv.exe' - '1' Module(s) have been scanned
Scan process 'TAPPSRV.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'sqlwriter.exe' - '1' Module(s) have been scanned
Scan process 'RegSrvc.exe' - '1' Module(s) have been scanned
Scan process 'explorer.exe' - '1' Module(s) have been scanned
Scan process 'Toshiba.exe' - '1' Module(s) have been scanned
Scan process 'iFrmewrk.exe' - '1' Module(s) have been scanned
Scan process 'ZCfgSvc.exe' - '1' Module(s) have been scanned
Scan process 'SynTPEnh.exe' - '1' Module(s) have been scanned
Scan process 'TDispVol.exe' - '1' Module(s) have been scanned
Scan process 'sqlservr.exe' - '1' Module(s) have been scanned
Scan process 'TFncKy.exe' - '1' Module(s) have been scanned
Scan process 'THotkey.exe' - '1' Module(s) have been scanned
Scan process 'DVDRAMSV.exe' - '1' Module(s) have been scanned
Scan process 'PadExe.exe' - '1' Module(s) have been scanned
Scan process 'CFSvcs.exe' - '1' Module(s) have been scanned
Scan process 'TvsTray.exe' - '1' Module(s) have been scanned
Scan process 'SmoothView.exe' - '1' Module(s) have been scanned
Scan process 'DDWMon.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'agrsmmsg.exe' - '1' Module(s) have been scanned
Scan process 'RTHDCPL.exe' - '1' Module(s) have been scanned
Scan process 'spoolsv.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'S24EvMon.exe' - '1' Module(s) have been scanned
Scan process 'EvtEng.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'lsass.exe' - '1' Module(s) have been scanned
Scan process 'services.exe' - '1' Module(s) have been scanned
Scan process 'winlogon.exe' - '1' Module(s) have been scanned
Scan process 'csrss.exe' - '1' Module(s) have been scanned
Scan process 'smss.exe' - '1' Module(s) have been scanned
49 processes with 49 modules were scanned

Starting master boot sector scan:
Master boot sector HD0
[INFO] No virus was found!

Start scanning boot sectors:
Boot sector 'C:\'
[INFO] No virus was found!

Starting to scan executable files (registry).
The registry was scanned ( '70' files ).


Starting the file scan:

Begin scan in 'C:\'
C:\hiberfil.sys
[WARNING] The file could not be opened!
[NOTE] This file is a Windows system file.
[NOTE] This file cannot be opened for scanning.
C:\pagefile.sys
[WARNING] The file could not be opened!
[NOTE] This file is a Windows system file.
[NOTE] This file cannot be opened for scanning.


End of the scan: Thursday, 30 April 2009 17:00
Used time: 41:46 Minute(s)

The scan has been done completely.

6886 Scanned directories
507783 Files were scanned
0 Viruses and/or unwanted programs were found
0 Files were classified as suspicious
0 files were deleted
0 Viruses and unwanted programs were repaired
0 Files were moved to quarantine
0 Files were renamed
2 Files cannot be scanned
507781 Files not concerned
7872 Archives were scanned
2 Warnings
2 Notes
36313 Objects were scanned with rootkit scan
0 Hidden objects were found


Re: UNOWN VIRUS

Post by Belahzur on 30th April 2009, 8:33 am

Hello.
The logs look fine, still having problems?

As for you being led to other websites? is it via Google searches?





Re: UNOWN VIRUS

Post by Lazilion on 1st May 2009, 8:29 am

It's through Google, but the real problem that's started to occur over a period of two days is that the computer is starting to black-screen at random moments.


Re: UNOWN VIRUS

Post by Lazilion on 1st May 2009, 9:00 am

Everything else is okay now; it's just that the screen goes black about five minutes after I turn on the computer.


Re: UNOWN VIRUS

Post by Belahzur on 1st May 2009, 2:44 pm

That could be a hardware problem.
Installed any new hardware recently?





Re: UNOWN VIRUS

Post by Lazilion on 9th May 2009, 4:26 am

I believe it would still be the virus because I'm still being led to unknown sites, and I also cannot watch YouTube videos. I can still watch videos if the site leads me to YouTube.


Re: UNOWN VIRUS

Post by Origin on 9th May 2009, 5:46 am

Let's go deeper into this. Please do the following:



  • Please download DDS by sUBs to your Desktop (Important!!) from one of these locations:
    [You must be registered and logged in to see this link.]
    [You must be registered and logged in to see this link.]
  • Double click DDS.scr to run
  • When complete, two logs will open. Save both of the reports to your Desktop.
  • Copy and paste DDS.txt back here, I don't need to see attach.txt.

Origin
Master

Posts: 2685
Joined: 2009-05-05
Gender: Male
OS: Windows Xp Sp3
Points: 31533
Likes: 0


Re: UNOWN VIRUS

Post by Lazilion on 9th May 2009, 9:50 am

Nothing happens when I run DDS.scr. A black screen appears and that's all that happens.


Re: UNOWN VIRUS

Post by Origin on 9th May 2009, 3:14 pm


  • Download combofix from here
    [You must be registered and logged in to see this link.]
    [You must be registered and logged in to see this link.]
  • We need to disable your local AV (Anti-virus) before running Combofix.
  • See [You must be registered and logged in to see this link.] for how to disable your AV.
  • Double click on ComboFix.exe.
  • Follow the prompts.

    NOTE:
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
    ***It's strongly recommended to have the Recovery Console installed before doing any malware removal.***
    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will automatically proceed with its scan.
  • The Recovery Console provides a recovery/repair mode should a problem occur during a Combofix run.
  • Allow ComboFix to download the Recovery Console.
  • Accept the End-User License Agreement.
  • The Recovery Console will be installed.
  • You will then get this next prompt that asks if you want to continue the malware scan; select yes.
  • Allow combofix to run.
  • Post C:\combofix.txt back here.

    Note:
    Do not mouse-click combofix's window whilst it's running. That may cause it to stall.


Re: UNOWN VIRUS

Post by Lazilion on 10th May 2009, 10:15 am

Combo Fix Log Part 1:

ComboFix 09-05-08.03 - Sachin 10/05/2009 20:08.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1014.556 [GMT 10:00]
Running from: c:\documents and settings\Sachin\Desktop\ComboFix.exe
AV: AntiVir Desktop *On-access scanning disabled* (Updated)
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\IE4 Error Log.txt

.
((((((((((((((((((((((((( Files Created from 2009-04-10 to 2009-05-10 )))))))))))))))))))))))))))))))
.

2009-05-09 20:11 . 2009-05-09 20:11 -------- d-----w C:\db1b252966fcaf2a7a6a17f5
2009-05-09 09:45 . 2009-05-09 09:45 -------- d--h--w c:\windows\PIF
2009-05-09 03:25 . 2009-05-09 03:25 -------- d-----w C:\b9c72a595bad00161290
2009-05-08 09:00 . 2009-05-08 09:00 -------- d-----w C:\51e10784afcf560d81df
2009-05-08 08:52 . 2009-05-08 08:52 -------- d-----w C:\24666bd8615e1f5a24b87816e8
2009-05-07 21:46 . 2009-05-07 21:46 -------- d-----w C:\95d559c4049e0c0e546fbaa615c3
2009-05-07 11:19 . 2009-05-07 11:19 -------- d-----w C:\4d061dbb97808dfdbd61ca25e955
2009-05-07 05:43 . 2009-05-07 05:43 -------- d-----w C:\168ef2098fb0c3c800f9475c2253f4
2009-05-06 11:22 . 2009-05-06 11:22 -------- d-----w C:\fddd79bbd7f45733d10d6b9f366d
2009-05-05 06:19 . 2009-05-05 06:19 -------- d-----w C:\c73c16d745851fd7788ec54573d6bd73
2009-05-05 06:08 . 2009-05-05 06:08 -------- d-----w C:\11673c1e8d2db2b39689
2009-05-05 06:04 . 2009-05-05 06:04 -------- d-----w C:\6fbc72d38a4bb4a75aeb8d4b6496d1d5
2009-05-05 05:56 . 2009-05-05 05:56 -------- d-----w C:\29c219ebda3850a974ae
2009-05-05 05:27 . 2009-05-05 05:27 -------- d-----w C:\68d3a1eeb2519b4430
2009-05-04 12:25 . 2009-05-04 12:25 -------- d-----w C:\39b5633542121fa4b79e
2009-05-03 22:07 . 2009-05-03 22:07 -------- d-----w C:\9433ccfcd4fcc4274e313ea625
2009-05-03 22:00 . 2009-05-03 22:00 -------- d-----w C:\3257a866a8440bf7e5a322
2009-05-03 11:28 . 2009-05-03 11:28 -------- d-----w C:\c2abe9c822491f8b6a7ce2
2009-05-01 23:11 . 2009-05-01 23:11 -------- d-----w c:\documents and settings\NetworkService\Local Settings\Application Data\PCHealth
2009-05-01 22:56 . 2009-05-01 22:56 -------- d-----w C:\2297372a13f96eb76026a9
2009-05-01 08:58 . 2009-05-01 08:58 -------- d-----w C:\53eaa7ee0c863f0ef879dca9
2009-05-01 08:52 . 2009-05-01 08:52 -------- d-----w C:\336aaff6f854eea427642e11
2009-05-01 08:39 . 2009-05-01 08:39 -------- d-----w C:\818876746628e39a8131
2009-05-01 08:33 . 2009-05-01 08:33 -------- d-----w C:\fdd411b8bf4abbbf92841b24eee6
2009-05-01 08:24 . 2009-05-01 08:24 -------- d-----w C:\d70f92684c3bd5899c969d223dba5b87
2009-05-01 08:20 . 2009-05-01 08:20 -------- d-----w C:\69a1c8af19cafa47fa99
2009-04-30 22:08 . 2009-04-30 22:09 -------- d-----w C:\e6c174ad9c7736a10ff18023212dc5
2009-04-30 22:04 . 2009-04-30 22:04 -------- d-----w C:\b18c54a9480d8fe34913
2009-04-30 21:59 . 2009-04-30 21:59 -------- d-----w C:\242eae73176f5d554bab064a63
2009-04-30 12:10 . 2009-04-30 12:10 -------- d-----w C:\c9be7a086aeafcce587b
2009-04-30 06:12 . 2009-03-24 06:08 55640 ----a-w c:\windows\system32\drivers\avgntflt.sys
2009-04-30 06:12 . 2009-04-30 06:12 -------- d-----w c:\documents and settings\All Users\Application Data\Avira
2009-04-30 06:12 . 2009-04-30 06:12 -------- d-----w c:\program files\Avira
2009-04-17 23:24 . 2009-04-17 23:24 -------- d-----w c:\documents and settings\Sachin\Application Data\Malwarebytes
2009-04-17 23:24 . 2009-04-06 05:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-04-17 23:24 . 2009-04-06 05:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-17 23:24 . 2009-04-17 23:24 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-04-17 23:24 . 2009-04-17 23:24 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-17 13:12 . 2009-04-17 13:12 -------- d-----w c:\documents and settings\Sachin\Local Settings\Application Data\jZip
2009-04-17 13:06 . 2009-04-17 13:06 -------- d-----w c:\program files\Trend Micro
2009-04-17 11:17 . 2009-04-17 11:17 -------- d-----w c:\documents and settings\Sachin\Application Data\MSNInstaller
2009-04-17 04:32 . 2009-04-17 04:32 -------- d-----w c:\windows\system32\Adobe
2009-04-16 00:21 . 2008-10-16 04:06 208744 ----a-w c:\windows\system32\muweb.dll
2009-04-16 00:21 . 2008-10-16 04:06 268648 ----a-w c:\windows\system32\mucltui.dll
2009-04-15 23:59 . 2009-03-06 14:00 284160 -c----w c:\windows\system32\dllcache\pdh.dll
2009-04-15 23:59 . 2005-07-26 04:20 60416 -c----w c:\windows\system32\dllcache\colbact.dll
2009-04-15 23:59 . 2009-02-06 09:54 35328 -c----w c:\windows\system32\dllcache\sc.exe
2009-04-15 23:59 . 2009-02-09 10:01 401408 -c----w c:\windows\system32\dllcache\rpcss.dll
2009-04-15 23:59 . 2009-02-06 10:22 110592 -c----w c:\windows\system32\dllcache\services.exe
2009-04-15 23:59 . 2009-02-09 10:01 473088 -c----w c:\windows\system32\dllcache\fastprox.dll
2009-04-15 23:59 . 2009-02-06 09:41 227840 -c----w c:\windows\system32\dllcache\wmiprvse.exe
2009-04-15 23:59 . 2009-02-09 10:01 728576 -c----w c:\windows\system32\dllcache\lsasrv.dll
2009-04-15 23:59 . 2009-02-09 10:01 617984 -c----w c:\windows\system32\dllcache\advapi32.dll
2009-04-15 23:59 . 2009-02-09 10:01 715264 -c----w c:\windows\system32\dllcache\ntdll.dll
2009-04-15 23:59 . 2008-04-21 10:02 215552 -c----w c:\windows\system32\dllcache\wordpad.exe
2009-04-15 08:11 . 2009-05-10 10:02 -------- d-----w c:\documents and settings\Sachin\Tracing
2009-04-15 08:10 . 2009-04-15 08:10 -------- d-----w c:\program files\Microsoft
2009-04-15 08:09 . 2009-04-15 08:09 -------- d-----w c:\program files\Windows Live SkyDrive
2009-04-15 08:09 . 2009-04-15 08:10 -------- d-----w c:\program files\Windows Live
2009-04-15 07:55 . 2009-04-15 07:55 -------- d-----w c:\program files\Common Files\Windows Live
2009-04-14 07:46 . 2009-04-14 07:46 -------- d-----w c:\documents and settings\Sachin\Local Settings\Application Data\Adobe
2009-04-13 21:43 . 2009-05-01 08:32 70832 ----a-w c:\documents and settings\Sachin\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-04-13 14:00 . 2009-04-13 14:00 -------- d-----w c:\documents and settings\Sachin\Application Data\vlc

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-18 13:09 . 2006-08-31 23:48 -------- d-----w c:\program files\Microsoft Works
2009-04-14 06:50 . 2008-12-29 03:57 -------- d-----w c:\program files\RndLabs
2009-04-14 05:59 . 2008-12-25 09:27 -------- d-----w c:\program files\Accountants Office
2009-04-05 01:33 . 2009-03-27 22:26 -------- d-----w c:\program files\Pando Networks
2009-04-01 06:24 . 2006-08-31 23:04 -------- d--h--w c:\program files\InstallShield Installation Information
2009-03-28 20:14 . 2009-03-28 20:14 -------- d-----w c:\program files\Common Files\INCA Shared
2009-03-26 05:33 . 2009-03-21 23:56 -------- d-----w c:\program files\Hotspot_Shield
2009-03-21 23:56 . 2009-03-21 23:56 -------- d-----w c:\program files\Conduit
2009-03-06 14:00 . 2006-08-31 21:40 284160 ----a-w c:\windows\system32\pdh.dll
2009-02-20 08:14 . 2006-08-31 21:40 668160 ----a-w c:\windows\system32\wininet.dll
2009-02-20 08:14 . 2006-08-31 21:40 81920 ----a-w c:\windows\system32\ieencode.dll
2009-02-09 10:19 . 2006-08-31 21:40 1846272 ----a-w c:\windows\system32\win32k.sys
.

.

Lazilion
Intermediate

Posts : 74
Joined : 2009-04-17
OS : Windows 7 Home Premium 64bit
Protection : AVG Free
Points : 28379
# Likes : 0


Re: UNOWN VIRUS

Post by Lazilion on 10th May 2009, 10:16 am

ComboFix part 2:
------- Sigcheck -------

[-] 2008-04-14 00:12 14336 27C6D03BCDB8CFEB96B716F3D8BE3E18 c:\windows\SoftwareDistribution\Download\79123dd72d0f61d4ed8c7a816ed338d7\svchost.exe
[-] 2004-08-04 12:00 14336 8F078AE4ED187AAABC0A305146DE6716 c:\windows\system32\svchost.exe

[-] 2005-03-02 18:19 577024 1800F293BCCC8EDE8A70E12B88D80036 c:\windows\$hf_mig$\KB890859\SP2QFE\user32.dll
[-] 2004-08-04 12:00 577024 C72661F8552ACE7C5C85E16A3CF505C4 c:\windows\$NtUninstallKB890859$\user32.dll
[-] 2008-04-14 00:12 578560 B26B135FF1B9F60C9388B4A7D16F600B c:\windows\SoftwareDistribution\Download\79123dd72d0f61d4ed8c7a816ed338d7\user32.dll
[-] 2005-03-02 18:09 577024 DE2DB164BBB35DB061AF0997E4499054 c:\windows\system32\user32.dll

[-] 2008-04-14 00:12 82432 2CCC474EB85CEAA3E1FA1726580A3E5A c:\windows\SoftwareDistribution\Download\79123dd72d0f61d4ed8c7a816ed338d7\ws2_32.dll
[-] 2004-08-04 12:00 82944 2ED0B7F12A60F90092081C50FA0EC2B2 c:\windows\system32\ws2_32.dll

[-] 2008-10-16 01:00 666112 1576318BF08D28CC61D1278114AD8D5B c:\windows\$hf_mig$\KB958215\SP3GDR\wininet.dll
[-] 2008-10-16 01:04 667136 E8FCE58A470999350F64C591557F9E42 c:\windows\$hf_mig$\KB958215\SP3QFE\wininet.dll
[-] 2009-02-20 08:10 666112 5B6A3EB7BB2F338BC2CB9F2FA4AAEA9E c:\windows\$hf_mig$\KB963027\SP3GDR\wininet.dll
[-] 2009-02-20 07:50 667648 711FEABED387B29FF7ED61BC6806A06C c:\windows\$hf_mig$\KB963027\SP3QFE\wininet.dll
[-] 2004-08-04 12:00 656384 C0823FC5469663BA63E7DB88F9919D70 c:\windows\$NtUninstallKB916281$\wininet.dll
[-] 2006-05-10 05:25 663552 D94CFFDB53E7AC867438E2DFD50E7CBC c:\windows\$NtUninstallKB958215$\wininet.dll
[-] 2008-10-16 10:20 667648 93C9D0A216498EE14EB9B26119BB95EE c:\windows\$NtUninstallKB963027$\wininet.dll
[-] 2008-04-14 00:12 666112 7A4F775ABB2F1C97DEF3E73AFA2FAEDD c:\windows\SoftwareDistribution\Download\79123dd72d0f61d4ed8c7a816ed338d7\wininet.dll
[-] 2009-02-20 08:14 668160 1EA0E6DD74199209D60991FD46CE8643 c:\windows\system32\wininet.dll
[-] 2009-02-20 08:14 668160 1EA0E6DD74199209D60991FD46CE8643 c:\windows\system32\dllcache\wininet.dll

[-] 2006-04-20 12:18 360576 B2220C618B42A2212A59D91EBD6FC4B4 c:\windows\$hf_mig$\KB917953\SP2QFE\tcpip.sys
[-] 2008-06-20 10:44 360960 744E57C99232201AE98C49168B918F48 c:\windows\$hf_mig$\KB951748\SP2QFE\tcpip.sys
[-] 2008-06-20 11:51 361600 9AEFA14BD6B182D61E3119FA5F436D3D c:\windows\$hf_mig$\KB951748\SP3GDR\tcpip.sys
[-] 2008-06-20 11:59 361600 AD978A1B783B5719720CFF204B666C8E c:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys
[-] 2004-08-04 12:00 359040 9F4B36614A0FC234525BA224957DE55C c:\windows\$NtUninstallKB917953$\tcpip.sys
[-] 2006-04-20 11:51 359808 1DBF125862891817F374F407626967F4 c:\windows\$NtUninstallKB951748$\tcpip.sys
[-] 2008-04-13 19:20 361344 93EA8D04EC73A85DB02EB8805988F733 c:\windows\SoftwareDistribution\Download\79123dd72d0f61d4ed8c7a816ed338d7\tcpip.sys
[-] 2008-06-20 10:45 360320 2A5554FC5B1E04E131230E3CE035C3F9 c:\windows\system32\dllcache\tcpip.sys
[-] 2008-06-20 10:45 360320 2A5554FC5B1E04E131230E3CE035C3F9 c:\windows\system32\drivers\tcpip.sys

[-] 2008-04-14 00:12 507904 ED0EF0A136DEC83DF69F04118870003E c:\windows\SoftwareDistribution\Download\79123dd72d0f61d4ed8c7a816ed338d7\winlogon.exe
[-] 2004-08-04 12:00 502272 01C3346C241652F43AED8E2149881BFE c:\windows\system32\winlogon.exe

[-] 2008-04-13 19:20 182656 1DF7F42665C94B825322FAE71721130D c:\windows\SoftwareDistribution\Download\79123dd72d0f61d4ed8c7a816ed338d7\ndis.sys
[-] 2004-08-04 12:00 182912 558635D3AF1C7546D26067D5D9B6959E c:\windows\system32\drivers\ndis.sys

[-] 2008-04-13 18:53 36608 3BB22519A194418D5FEC05D800A19AD0 c:\windows\SoftwareDistribution\Download\79123dd72d0f61d4ed8c7a816ed338d7\ip6fw.sys
[-] 2004-08-04 12:00 29056 4448006B6BC60E6C027932CFC38D6855 c:\windows\system32\drivers\ip6fw.sys

[-] 2005-03-01 23:36 2056832 D8ABA3EAB509627E707A3B14F00FBB6B c:\windows\$hf_mig$\KB890859\SP2QFE\ntkrnlpa.exe
[-] 2009-02-07 09:02 2066048 5BA7F2141BC6DB06100D0E5A732C617A c:\windows\$hf_mig$\KB956572\SP3GDR\ntkrnlpa.exe
[-] 2009-02-06 10:30 2066176 607352B9CB3D708C67F6039097801B5A c:\windows\$hf_mig$\KB956572\SP3QFE\ntkrnlpa.exe
[-] 2008-08-14 09:33 2066048 4AC58F03EB94A72809949D757FC39D80 c:\windows\$hf_mig$\KB956841\SP3GDR\ntkrnlpa.exe
[-] 2008-08-14 05:39 2066048 A25E9B86EFFB2AF33BF51E676B68BFB0 c:\windows\$hf_mig$\KB956841\SP3QFE\ntkrnlpa.exe
[-] 2004-08-04 12:00 2056832 947FB1D86D14AFCFFDB54BF837EC25D0 c:\windows\$NtUninstallKB890859$\ntkrnlpa.exe
[-] 2005-03-02 00:34 2056832 81013F36B21C7F72CF784CC6731E0002 c:\windows\$NtUninstallKB896256$\ntkrnlpa.exe
[-] 2008-08-14 09:18 2020864 501FDE895F35DF1DAE49FD54BBF9D396 c:\windows\$NtUninstallKB956572$\ntkrnlpa.exe
[-] 2005-09-28 23:35 2015744 48472D224E1703882B4DE0E28E205E9B c:\windows\$NtUninstallKB956841$\ntkrnlpa.exe
[-] 2009-02-06 09:49 2062976 9D832AF3FD1917DB0E1E8B2F000A2E3A c:\windows\Driver Cache\i386\ntkrnlpa.exe
[-] 2008-04-13 18:31 2065792 109F8E3E3C82E337BB71B6BC9B895D61 c:\windows\SoftwareDistribution\Download\79123dd72d0f61d4ed8c7a816ed338d7\ntkrnlpa.exe
[-] 2009-02-06 09:49 2020864 243223E3FB74B68DFFBB41989F33DFB3 c:\windows\system32\ntkrnlpa.exe
[-] 2009-02-06 09:49 2062976 9D832AF3FD1917DB0E1E8B2F000A2E3A c:\windows\system32\dllcache\ntkrnlpa.exe

[-] 2005-03-02 01:04 2179456 28187802B7C368C0D3AEF7D4C382AABB c:\windows\$hf_mig$\KB890859\SP2QFE\ntoskrnl.exe
[-] 2009-02-06 11:08 2189056 7A95B10A73737EBF24139AAA63F5212B c:\windows\$hf_mig$\KB956572\SP3GDR\ntoskrnl.exe
[-] 2009-02-07 09:35 2189184 EFE8EACE83EAAD5849A7A548FB75B584 c:\windows\$hf_mig$\KB956572\SP3QFE\ntoskrnl.exe
[-] 2008-08-14 10:11 2189184 EEAF32F8E15A24F62BECB1BD403BB5C5 c:\windows\$hf_mig$\KB956841\SP3GDR\ntoskrnl.exe
[-] 2008-08-14 06:11 2189184 31914172342BFF330063F343AC6958FE c:\windows\$hf_mig$\KB956841\SP3QFE\ntoskrnl.exe
[-] 2004-08-04 12:00 2180992 CE218BC7088681FAA06633E218596CA7 c:\windows\$NtUninstallKB890859$\ntoskrnl.exe
[-] 2005-03-02 00:59 2179328 4D4CF2C14550A4B7718E94A6E581856E c:\windows\$NtUninstallKB896256$\ntoskrnl.exe
[-] 2008-08-14 09:55 2142720 60794EA12961B7341AD54C731B50AE15 c:\windows\$NtUninstallKB956572$\ntoskrnl.exe
[-] 2005-09-29 00:02 2136064 25C36DBC46E8EFF2A811769A60715AC5 c:\windows\$NtUninstallKB956841$\ntoskrnl.exe
[-] 2009-02-06 10:32 2186112 6A936E9D7BADAF3CAAEED1E1966EC1B0 c:\windows\Driver Cache\i386\ntoskrnl.exe
[-] 2008-04-13 19:27 2188928 0C89243C7C3EE199B96FCC16990E0679 c:\windows\SoftwareDistribution\Download\79123dd72d0f61d4ed8c7a816ed338d7\ntoskrnl.exe
[-] 2009-02-06 10:29 2142720 19A791C5DFE59AA9BB1461C4957004F6 c:\windows\system32\ntoskrnl.exe
[-] 2009-02-06 10:32 2186112 6A936E9D7BADAF3CAAEED1E1966EC1B0 c:\windows\system32\dllcache\ntoskrnl.exe

[-] 2004-08-04 12:00 1032192 A0732187050030AE399B241436565E64 c:\windows\explorer.exe
[-] 2008-04-14 00:12 1033728 12896823FB95BFB3DC9B46BCAEDC9923 c:\windows\SoftwareDistribution\Download\79123dd72d0f61d4ed8c7a816ed338d7\explorer.exe

[-] 2009-02-06 11:11 110592 65DF52F5B8B6E9BBD183505225C37315 c:\windows\$hf_mig$\KB956572\SP3GDR\services.exe
[-] 2009-02-06 11:06 110592 020CEAAEDC8EB655B6506B8C70D53BB6 c:\windows\$hf_mig$\KB956572\SP3QFE\services.exe
[-] 2004-08-04 12:00 108032 C6CE6EEC82F187615D1002BB3BB50ED4 c:\windows\$NtUninstallKB956572$\services.exe
[-] 2008-04-14 00:12 108544 0E776ED5F7CC9F94299E70461B7B8185 c:\windows\SoftwareDistribution\Download\79123dd72d0f61d4ed8c7a816ed338d7\services.exe
[-] 2009-02-06 10:22 110592 4712531AB7A01B7EE059853CA17D39BD c:\windows\system32\services.exe
[-] 2009-02-06 10:22 110592 4712531AB7A01B7EE059853CA17D39BD c:\windows\system32\dllcache\services.exe

[-] 2008-04-14 00:12 13312 BF2466B3E18E970D8A976FB95FC1CA85 c:\windows\SoftwareDistribution\Download\79123dd72d0f61d4ed8c7a816ed338d7\lsass.exe
[-] 2004-08-04 12:00 13312 84885F9B82F4D55C6146EBF6065D75D2 c:\windows\system32\lsass.exe

[-] 2008-04-14 00:12 15360 5F1D5F88303D4A4DBC8E5F97BA967CC3 c:\windows\SoftwareDistribution\Download\79123dd72d0f61d4ed8c7a816ed338d7\ctfmon.exe
[-] 2004-08-04 12:00 15360 24232996A38C0B0CF151C2140AE29FC8 c:\windows\system32\ctfmon.exe

[-] 2005-06-11 00:17 57856 AD3D9D191AEA7B5445FE1D82FFBB4788 c:\windows\$hf_mig$\KB896423\SP2QFE\spoolsv.exe
[-] 2004-08-04 12:00 57856 7435B108B935E42EA92CA94F59C8E717 c:\windows\$NtUninstallKB896423$\spoolsv.exe
[-] 2008-04-14 00:12 57856 D8E14A61ACC1D4A6CD0D38AEBAC7FA3B c:\windows\SoftwareDistribution\Download\79123dd72d0f61d4ed8c7a816ed338d7\spoolsv.exe
[-] 2005-06-10 23:53 57856 DA81EC57ACD4CDC3D4C51CF3D409AF9F c:\windows\system32\spoolsv.exe

[-] 2008-04-14 00:12 26112 A93AEE1928A9D7CE3E16D24EC7380F89 c:\windows\SoftwareDistribution\Download\79123dd72d0f61d4ed8c7a816ed338d7\userinit.exe
[-] 2004-08-04 12:00 24576 39B1FFB03C2296323832ACBAE50D2AFF c:\windows\system32\userinit.exe

[-] 2008-04-14 00:12 295424 FF3477C03BE7201C294C35F684B3479F c:\windows\SoftwareDistribution\Download\79123dd72d0f61d4ed8c7a816ed338d7\termsrv.dll
[-] 2004-08-04 12:00 295424 B60C877D16D9C880B952FDA04ADF16E6 c:\windows\system32\termsrv.dll

[-] 2009-03-21 13:54 989184 80202858D245FF07DAA1739C57A3E19B c:\windows\$hf_mig$\KB959426\SP2QFE\kernel32.dll
[-] 2009-03-21 14:06 989696 B921FB870C9AC0D509B2CCABBBBE95F3 c:\windows\$hf_mig$\KB959426\SP3GDR\kernel32.dll
[-] 2009-03-21 13:59 991744 DA11D9D6ECBDF0F93436A4B7C13F7BEC c:\windows\$hf_mig$\KB959426\SP3QFE\kernel32.dll
[-] 2004-08-04 12:00 983552 888190E31455FAD793312F8D087146EB c:\windows\$NtUninstallKB959426$\kernel32.dll
[-] 2008-04-14 00:11 989696 C24B983D211C34DA8FCC1AC38477971D c:\windows\SoftwareDistribution\Download\79123dd72d0f61d4ed8c7a816ed338d7\kernel32.dll
[-] 2009-03-21 14:18 986112 B6ACAED7588295129791E0E6A2B0FADE c:\windows\system32\kernel32.dll
[-] 2009-03-21 14:18 986112 B6ACAED7588295129791E0E6A2B0FADE c:\windows\system32\dllcache\kernel32.dll

[-] 2008-04-14 00:12 17408 50A166237A0FA771261275A405646CC0 c:\windows\SoftwareDistribution\Download\79123dd72d0f61d4ed8c7a816ed338d7\powrprof.dll
[-] 2004-08-04 12:00 17408 1B5F6923ABB450692E9FE0672C897AED c:\windows\system32\powrprof.dll

[-] 2008-04-14 00:11 110080 0DA85218E92526972A821587E6A8BF8F c:\windows\SoftwareDistribution\Download\79123dd72d0f61d4ed8c7a816ed338d7\imm32.dll
[-] 2004-08-04 12:00 110080 87CA7CE6469577F059297B9D6556D66D c:\windows\system32\imm32.dll

[-] 2008-04-14 00:12 1614848 9DD07AF82244867CA36681EA2D29CE79 c:\windows\SoftwareDistribution\Download\79123dd72d0f61d4ed8c7a816ed338d7\sfcfiles.dll
[-] 2004-08-04 12:00 1580544 30A609E00BD1D4FFC49D6B5A432BE7F2 c:\windows\system32\sfcfiles.dll


Re: UNOWN VIRUS

Post by Lazilion on 10th May 2009, 10:17 am

ComboFix Log Part 3:
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TOSCDSPD"="c:\program files\TOSHIBA\TOSCDSPD\toscdspd.exe" [2004-12-30 65536]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-02-06 3885408]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UserFaultCheck"="c:\windows\system32\dumprep 0 -u" [X]
"Tvs"="c:\program files\Toshiba\Tvs\TvsTray.exe" [2006-02-02 73728]
"THotkey"="c:\program files\Toshiba\Toshiba Applet\thotkey.exe" [2006-08-02 364544]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-02 761948]
"SmoothView"="c:\program files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe" [2005-04-26 122880]
"PadTouch"="c:\program files\TOSHIBA\Touch and Launch\PadExe.exe" [2005-12-06 1077322]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2006-07-02 802816]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2006-07-02 700416]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2006-03-23 94208]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2006-03-23 118784]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2006-03-23 77824]
"DDWMon"="c:\program files\TOSHIBA\TOSHIBA Direct Disc Writer\\ddwmon.exe" [2006-04-26 299008]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"TPSMain"="TPSMain.exe" - c:\windows\system32\TPSMain.exe [2005-05-31 282624]
"TFncKy"="TFncKy.exe" [BU]
"TDispVol"="TDispVol.exe" - c:\windows\system32\TDispVol.exe [2005-03-11 73728]
"SkyTel"="SkyTel.EXE" - c:\windows\SkyTel.exe [2006-05-16 2879488]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2006-08-23 16050688]
"NDSTray.exe"="NDSTray.exe" [BU]
"CFSServ.exe"="CFSServ.exe" [BU]
"AGRSMMSG"="AGRSMMSG.exe" - c:\windows\agrsmmsg.exe [2006-03-18 89541]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-25 437160]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Games\\Zoo Tycoon 2\\zt.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [30/04/2009 4:12 PM 108289]
R2 MSSQL$MSSMLBIZ;SQL Server (MSSMLBIZ);c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [10/02/2007 5:29 AM 29178224]
R2 tdudf;TOSHIBA UDF File System Driver;c:\windows\system32\drivers\tdudf.sys [29/06/2006 4:50 AM 98816]
.
.
------- Supplementary Scan -------
.
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Sachin\Application Data\Mozilla\Firefox\Profiles\536f4od1.default\
FF - prefs.js: browser.search.defaulturl - [You must be registered and logged in to see this link.]
FF - prefs.js: browser.startup.homepage - [You must be registered and logged in to see this link.]
FF - prefs.js: keyword.URL - [You must be registered and logged in to see this link.]
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava11.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava12.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava13.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava14.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava32.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJPI150_06.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPOJI610.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2009-05-10 20:09
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2009-05-10 20:11
ComboFix-quarantined-files.txt 2009-05-10 10:11

Pre-Run: 83,742,453,760 bytes free
Post-Run: 83,784,302,592 bytes free

259 --- E O F --- 2009-05-09 20:15


Re: UNOWN VIRUS

Post by Origin on 10th May 2009, 5:18 pm

* Download Dr.Web CureIt to the desktop:
[You must be registered and logged in to see this link.]

  • Double-click the drweb-cureit.exe file and allow it to run the express scan.
  • This will scan the files currently running in memory, and when something is found, click the Yes button when it asks you if you want to cure it. This is only a short scan.
  • Once the short scan has finished, click Options > Change settings.
  • Choose the "Scan" tab and remove the mark at "Heuristic analysis".
  • Back at the main window, mark the drives that you want to scan.
  • Select all drives. A red dot shows which drives have been chosen.
  • Click the green arrow at the right, and the scan will start.
  • Click 'Yes to all' if it asks if you want to cure/move the file.
  • When the scan has finished, check whether you can click the next icon next to the files found:
  • If so, click it, then click the next icon right below and select Move incurable as you'll see in the next image:

    This will move it to the %userprofile%\DoctorWeb\quarantine folder if it can't be cured. (This is in case we need samples.)
  • After selecting, in the Dr.Web CureIt menu on top, click File and choose Save report list.
  • Save the report to your desktop. The report will be called DrWeb.csv.
  • Close Dr.Web CureIt.
  • Reboot your computer!! It is possible that files in use will be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web you saved previously in your next reply.




Try to run DDS again


  • Please download DDS by sUBs to your Desktop (Important!!) from one of these locations:
    [You must be registered and logged in to see this link.]
    [You must be registered and logged in to see this link.]
  • Double click DDS.scr to run
  • When complete, two logs will open. Save both of the reports to your Desktop.
  • Copy and paste DDS.txt back here; I don't need to see attach.txt.

Origin
Master

Posts : 2685
Joined : 2009-05-05
Gender : Male
OS : Windows Xp Sp3
Points : 31533
# Likes : 0


Re: UNOWN VIRUS

Post by Lazilion on 11th May 2009, 12:05 pm

DDS FILE:

DDS (Ver_09-03-16.01) - NTFSx86
Run by Sachin at 22:02:47.48 on Mon 11/05/2009
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1014.625 [GMT 10:00]

AV: AntiVir Desktop *On-access scanning disabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
svchost.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Toshiba\TOSHIBA Applet\TAPPSRV.exe
C:\WINDOWS\system32\TODDSrv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Toshiba\Tvs\TvsTray.exe
C:\WINDOWS\system32\TPSMain.exe
C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
C:\WINDOWS\system32\TDispVol.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
C:\Program Files\Synaptics\SynTP\Toshiba.exe
C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\TOSHIBA\TOSHIBA Direct Disc Writer\ddwmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\Sachin\Desktop\dds.pif

============== Pseudo HJT Report ===============

BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: jZip Webmail plugin: {647fd14a-c4f1-46f4-8fc3-0b40f54226f7} - c:\program files\jzip\WebmailPlugin.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.5.0_06\bin\ssv.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
uRun: [TOSCDSPD] c:\program files\toshiba\toscdspd\toscdspd.exe
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
mRun: [Tvs] c:\program files\toshiba\tvs\TvsTray.exe
mRun: [TPSMain] TPSMain.exe
mRun: [THotkey] c:\program files\toshiba\toshiba applet\thotkey.exe
mRun: [TFncKy] TFncKy.exe
mRun: [TDispVol] TDispVol.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [SmoothView] c:\program files\toshiba\toshiba zooming utility\SmoothView.exe
mRun: [SkyTel] SkyTel.EXE
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [PadTouch] c:\program files\toshiba\touch and launch\PadExe.exe
mRun: [NDSTray.exe] NDSTray.exe
mRun: [IntelZeroConfig] "c:\program files\intel\wireless\bin\ZCfgSvc.exe"
mRun: [IntelWireless] "c:\program files\intel\wireless\bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [DDWMon] c:\program files\toshiba\toshiba direct disc writer\\ddwmon.exe
mRun: [CFSServ.exe] CFSServ.exe -NoClient
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [AGRSMMSG] AGRSMMSG.exe
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_06\bin\ssv.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - [You must be registered and logged in to see this link.]
Notify: igfxcui - igfxdev.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\sachin\applic~1\mozilla\firefox\profiles\536f4od1.default\
FF - prefs.js: browser.search.defaulturl - [You must be registered and logged in to see this link.]
FF - prefs.js: browser.startup.homepage - [You must be registered and logged in to see this link.]
FF - prefs.js: keyword.URL - [You must be registered and logged in to see this link.]
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava11.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava12.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava13.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava14.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava32.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJPI150_06.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPOJI610.dll

============= SERVICES / DRIVERS ===============

R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2009-4-30 11608]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2009-4-30 108289]
R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2009-4-30 185089]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2009-4-30 55640]
R2 MSSQL$MSSMLBIZ;SQL Server (MSSMLBIZ);c:\program files\microsoft sql server\mssql.1\mssql\binn\sqlservr.exe [2007-2-10 29178224]
R2 tdudf;TOSHIBA UDF File System Driver;c:\windows\system32\drivers\tdudf.sys [2006-6-29 98816]

=============== Created Last 30 ================

2009-05-11 22:02 388,608 a------- c:\windows\system32\CF617.exe
2009-05-11 22:02 --d----- C:\ComboFix
2009-05-11 19:57 --d----- c:\documents and settings\sachin\DoctorWeb
2009-05-11 16:03 --d----- C:\b4807194bf73b5de7e756a72e1
2009-05-11 15:41 --d----- C:\db667816641ea5dd71e1490f
2009-05-10 21:26 --d----- C:\b2d9a2ee49f5edd353023b
2009-05-10 20:04 --d----- C:\cmdcons
2009-05-10 20:02 161,792 a------- c:\windows\SWREG.exe
2009-05-10 20:02 98,816 a------- c:\windows\sed.exe
2009-05-10 06:11 --d----- C:\db1b252966fcaf2a7a6a17f5
2009-05-09 19:45 --d-h--- c:\windows\PIF
2009-05-09 13:25 --d----- C:\b9c72a595bad00161290
2009-05-08 19:00 --d----- C:\51e10784afcf560d81df
2009-05-08 18:52 --d----- C:\24666bd8615e1f5a24b87816e8
2009-05-08 07:46 --d----- C:\95d559c4049e0c0e546fbaa615c3
2009-05-07 21:19 --d----- C:\4d061dbb97808dfdbd61ca25e955
2009-05-07 15:43 --d----- C:\168ef2098fb0c3c800f9475c2253f4
2009-05-06 21:22 --d----- C:\fddd79bbd7f45733d10d6b9f366d
2009-05-05 16:19 --d----- C:\c73c16d745851fd7788ec54573d6bd73
2009-05-05 16:08 --d----- C:\11673c1e8d2db2b39689
2009-05-05 16:04 --d----- C:\6fbc72d38a4bb4a75aeb8d4b6496d1d5
2009-05-05 15:56 --d----- C:\29c219ebda3850a974ae
2009-05-05 15:27 --d----- C:\68d3a1eeb2519b4430
2009-05-04 22:25 --d----- C:\39b5633542121fa4b79e
2009-05-04 08:07 --d----- C:\9433ccfcd4fcc4274e313ea625
2009-05-04 08:00 --d----- C:\3257a866a8440bf7e5a322
2009-05-03 21:28 --d----- C:\c2abe9c822491f8b6a7ce2
2009-05-02 09:10 --d----- c:\windows\pss
2009-05-02 08:56 --d----- C:\2297372a13f96eb76026a9
2009-05-01 18:58 --d----- C:\53eaa7ee0c863f0ef879dca9
2009-05-01 18:52 --d----- C:\336aaff6f854eea427642e11
2009-05-01 18:39 --d----- C:\818876746628e39a8131
2009-05-01 18:33 --d----- C:\fdd411b8bf4abbbf92841b24eee6
2009-05-01 18:24 --d----- C:\d70f92684c3bd5899c969d223dba5b87
2009-05-01 18:20 --d----- C:\69a1c8af19cafa47fa99
2009-05-01 08:08 --d----- C:\e6c174ad9c7736a10ff18023212dc5
2009-05-01 08:04 --d----- C:\b18c54a9480d8fe34913
2009-05-01 07:59 --d----- C:\242eae73176f5d554bab064a63
2009-04-30 22:10 --d----- C:\c9be7a086aeafcce587b
2009-04-30 16:12 55,640 a------- c:\windows\system32\drivers\avgntflt.sys
2009-04-30 16:12 --d----- c:\program files\Avira
2009-04-30 16:12 --d----- c:\docume~1\alluse~1\applic~1\Avira
2009-04-18 09:24 --d----- c:\docume~1\sachin\applic~1\Malwarebytes
2009-04-18 09:24 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-04-18 09:24 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-18 09:24 --d----- c:\program files\Malwarebytes' Anti-Malware
2009-04-18 09:24 --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-04-17 23:06 --d----- c:\program files\Trend Micro
2009-04-17 21:17 --d----- c:\docume~1\sachin\applic~1\MSNInstaller
2009-04-17 14:32 --d----- c:\windows\system32\Adobe
2009-04-16 10:21 268,648 a------- c:\windows\system32\mucltui.dll
2009-04-16 10:21 208,744 a------- c:\windows\system32\muweb.dll
2009-04-16 10:21 27,496 a------- c:\windows\system32\mucltui.dll.mui
2009-04-15 18:11 --d----- c:\documents and settings\sachin\Tracing
2009-04-15 18:10 --d----- c:\program files\Microsoft
2009-04-15 18:09 --d----- c:\program files\Windows Live SkyDrive
2009-04-15 17:55 --d----- c:\program files\common files\Windows Live

==================== Find3M ====================

2009-03-07 00:00 284,160 a------- c:\windows\system32\pdh.dll
2009-02-20 18:14 668,160 a------- c:\windows\system32\wininet.dll
2009-02-20 18:14 81,920 a------- c:\windows\system32\ieencode.dll

============= FINISH: 22:03:08.78 ===============


Re: UNOWN VIRUS

Post by Origin on 12th May 2009, 1:09 am

Please download the [You must be registered and logged in to see this link.].

  • Save it to your desktop.
  • Please double-click OTMoveIt3.exe to run it.
  • Copy the bolded text below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy)


    :processes
    c:\windows\sed.exe
    c:\windows\system32\CF617.exe


  • Return to OTMoveIt3, right click in the "Paste instructions for items to be Moved" window (under the light blue bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt3
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Please post the OTMoveIt log.



Please download [You must be registered and logged in to see this link.] and save it to your Desktop. Double-click GooredFix.exe to run it. Select 1. Find Goored (no fix) by typing 1 and pressing Enter. A log will open, please post the contents of that log in your next reply (it can also be found on your desktop, called GooredLog.txt). Note: Do not run Option #2 yet.


Re: UNOWN VIRUS

Post by Lazilion on 12th May 2009, 6:19 am

LOG OTMOVE:

========== PROCESSES ==========
Unable to kill process: c:\windows\sed.exe
Unable to kill process: c:\windows\system32\CF617.exe

OTMoveIt3 by OldTimer - Version 1.0.11.0 log created on 05122009_161546

LOG GOORED FIX:

GooredFix v1.92 by jpshortstuff
Log created at 16:18 on 12/05/2009 running Option #1 (Sachin)
Firefox version 3.0.10 (en-GB)

=====Suspect Goored Entries=====

=====Dumping Registry Values=====

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.10\extensions]
"Plugins"="C:\Program Files\Mozilla Firefox\plugins"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.10\extensions]
"Components"="C:\Program Files\Mozilla Firefox\components"
