need help....have a virus


need help....have a virus

Post by bspence729 on Fri Apr 17, 2009 11:05 pm

I turned on my laptop, which is over three years old, and I'm sure I have a virus. I'm running it in safe mode currently. When I open Mozilla, a pop-up comes up that says "warning your comp has various viruses. winweb will check..." Please help.

bspence729
Novice
Posts: 15
Joined: 2008-12-01
OS: microsoft xp
Points: 29271
Likes: 0

Re: need help....have a virus

Post by Belahzur on Fri Apr 17, 2009 11:23 pm

Please download the current version of HijackThis from [You must be registered and logged in to see this link.]

  • Double click and run the installer.
  • It will install to C:\Program Files\Trend Micro\HijackThis\hijackthis.exe
  • After installing, you should get the user agreement, press accept and Hijack This will run.
  • Select Do a system scan and save a log file. This will open a notepad file of everything Hijack This found, copy and paste it back here.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Posts: 34916
Joined: 2008-08-03
Gender: Male
OS: XP SP3 Media Centre
Points: 245059
Likes: 1

Re: need help....have a virus

Post by bspence729 on Fri Apr 17, 2009 11:27 pm

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:58:15 PM, on 4/17/2009
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Boot mode: Safe mode with network support

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\WgaTray.exe
\?\globalroot\C:\WINDOWS\system32\cmd.exe
c:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\AUTMGR.EXE
C:\Documents and Settings\s\Desktop\JavaRa\JavaRa.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\s\Desktop\hijackgpthis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = [You must be registered and logged in to see this link.]
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = [You must be registered and logged in to see this link.]
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O1 - Hosts: 82.98.231.89 url.adtrgt.com
O1 - Hosts: 82.98.231.89 googleads2.gdoubleclick.net
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {d771f4e6-004b-405c-81a3-fb26923f6932} - C:\WINDOWS\System32\weziroze.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IntelZeroConfig] C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\PROGRA~1\AIM\\DeadAIM.ocm",ExportedCheckODLs
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon
O4 - HKLM\..\Run: [wuyirakelo] Rundll32.exe "C:\WINDOWS\System32\nefuwipi.dll",s
O4 - HKLM\..\Run: [CPM238f65dc] Rundll32.exe "c:\windows\system32\kofemube.dll",a
O4 - HKLM\..\Run: [Xrevubigax] rundll32.exe "C:\WINDOWS\ogevecazuculene.dll",e
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - HKCU\..\Run: [BitComet] "C:\grants downloads\BitComet\BitComet.exe" /tray
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - [You must be registered and logged in to see this link.]
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: UltimateBet - {94148DB5-B42D-4915-95DA-2CBB4F7095BF} - C:\Program Files\UltimateBet\UltimateBet.exe
O9 - Extra 'Tools' menuitem: UltimateBet - {94148DB5-B42D-4915-95DA-2CBB4F7095BF} - C:\Program Files\UltimateBet\UltimateBet.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{2E5BA472-C1F5-47A5-8CAF-118CB3DACFA8}: NameServer = 68.87.85.98,68.87.69.146
O17 - HKLM\System\CS1\Services\Tcpip\..\{2E5BA472-C1F5-47A5-8CAF-118CB3DACFA8}: NameServer = 68.87.85.98,68.87.69.146
O17 - HKLM\System\CS2\Services\Tcpip\..\{2E5BA472-C1F5-47A5-8CAF-118CB3DACFA8}: NameServer = 68.87.85.98,68.87.69.146
O20 - AppInit_DLLs: C:\WINDOWS\System32\hajiruno.dll c:\windows\system32\kofemube.dll
O21 - SSODL: C0BCFGEF - {773606CC-2429-16A6-12A5-4AB46B150A39} - C:\WINDOWS\System32\Mpfoja32.dll (file missing)
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\kofemube.dll
O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\kofemube.dll
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: Dhcp server (DhcpSrv) - Unknown owner - C:\WINDOWS\dhcp\svchost.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

--
End of file - 6178 bytes


Re: need help....have a virus

Post by Belahzur on Sat Apr 18, 2009 12:06 am

Hello.

  • Open HijackThis
  • Choose "Do a system scan only"
  • Check the boxes in front of these lines:


    O1 - Hosts: 82.98.231.89 url.adtrgt.com
    O1 - Hosts: 82.98.231.89 googleads2.gdoubleclick.net
    O2 - BHO: (no name) - {d771f4e6-004b-405c-81a3-fb26923f6932} - C:\WINDOWS\System32\weziroze.dll
    O4 - HKLM\..\Run: [wuyirakelo] Rundll32.exe "C:\WINDOWS\System32\nefuwipi.dll",s
    O4 - HKLM\..\Run: [CPM238f65dc] Rundll32.exe "c:\windows\system32\kofemube.dll",a
    O4 - HKLM\..\Run: [Xrevubigax] rundll32.exe "C:\WINDOWS\ogevecazuculene.dll",e
    O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
    O4 - HKCU\..\Run: [BitComet] "C:\grants downloads\BitComet\BitComet.exe" /tray
    O21 - SSODL: C0BCFGEF - {773606CC-2429-16A6-12A5-4AB46B150A39} - C:\WINDOWS\System32\Mpfoja32.dll (file missing)
    O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\kofemube.dll
    O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\kofemube.dll


  • Press "Fix Checked"
  • Close Hijack This.

Please download and run this tool.

Download Malwarebytes' Anti-Malware from [You must be registered and logged in to see this link.]

Double Click mbam-setup.exe to install the application.

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.


Post the contents of the MBAM Log.


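A way to automate the first pass Belahzur made over that HijackThis log, as an added example that is not part of the thread and not a HijackThis feature: it reads the log text, walks the process list and the O-numbered entries, and reports the entry shapes flagged above (hosts redirects, a nameless BHO, rundll32 autoruns calling a one-letter export, SSODL and SharedTaskScheduler hooks) plus AppInit_DLLs, a svchost.exe running outside system32 and a globalroot process path. The rule set, the `Finding` type and the `triage` function are my own; the sample log is an excerpt of the one posted in the thread.

```python
"""Triage a HijackThis v2 log: pull out the entry types an analyst reads first.

Rules mirror the categories picked for "Fix Checked" in this thread (O1 hosts
redirects, a nameless O2 BHO, O4 rundll32 loaders calling a one-letter export,
O21/O22 shell hooks) plus O20 AppInit_DLLs, an O23 service running a copy of
svchost.exe outside system32, and a process path reported via a globalroot alias.
"""
import re
from dataclasses import dataclass
from typing import List

# Excerpt of the HijackThis log posted in the thread, kept as a raw string so
# the Windows backslashes survive as written.
SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\System32\smss.exe
\?\globalroot\C:\WINDOWS\system32\cmd.exe

O1 - Hosts: 82.98.231.89 url.adtrgt.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {d771f4e6-004b-405c-81a3-fb26923f6932} - C:\WINDOWS\System32\weziroze.dll
O4 - HKLM\..\Run: [IntelZeroConfig] C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\PROGRA~1\AIM\\DeadAIM.ocm",ExportedCheckODLs
O4 - HKLM\..\Run: [wuyirakelo] Rundll32.exe "C:\WINDOWS\System32\nefuwipi.dll",s
O4 - HKLM\..\Run: [CPM238f65dc] Rundll32.exe "c:\windows\system32\kofemube.dll",a
O4 - HKLM\..\Run: [Xrevubigax] rundll32.exe "C:\WINDOWS\ogevecazuculene.dll",e
O20 - AppInit_DLLs: C:\WINDOWS\System32\hajiruno.dll c:\windows\system32\kofemube.dll
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\kofemube.dll
O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\kofemube.dll
O23 - Service: Dhcp server (DhcpSrv) - Unknown owner - C:\WINDOWS\dhcp\svchost.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
"""

HOSTS_RE = re.compile(r"^O1 - Hosts:\s+(\S+)\s+(\S+)")
# rundll32 invoking a DLL through a single-letter export ("...dll",s) is the
# loader shape of every Vundo entry in this log; legitimate rundll32 autoruns
# name a real export such as ExportedCheckODLs.
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?([^",]+\.dll)"?\s*,\s*[A-Za-z]$', re.I)
SERVICE_RE = re.compile(r"^O23 - Service: .* - (.+)$")
LOOPBACK = ("127.0.0.1", "0.0.0.0", "::1")  # hosts entries used for ad blocking


@dataclass
class Finding:
    section: str  # HJT section prefix (O1, O4, ...) or PROC for the process list
    reason: str
    line: str


def _check_process(line: str) -> List[Finding]:
    if line.lower().startswith(("\\?\\globalroot", "\\??\\globalroot")):
        return [Finding("PROC", "image path reported via a globalroot alias, not a drive path", line)]
    return []


def _check_entry(line: str) -> List[Finding]:
    out: List[Finding] = []
    m = HOSTS_RE.match(line)
    if m and m.group(1) not in LOOPBACK:
        out.append(Finding("O1", f"hosts file redirects {m.group(2)} to {m.group(1)}", line))
    if line.startswith("O2 - BHO: (no name)"):
        out.append(Finding("O2", "browser helper object with no registered name", line))
    if line.startswith("O4 ") and RUNDLL_RE.search(line):
        out.append(Finding("O4", "rundll32 autorun calling a one-letter export", line))
    if line.startswith("O20 - AppInit_DLLs:") and line.split(":", 1)[1].strip():
        out.append(Finding("O20", "AppInit_DLLs loads these DLLs into every process that uses user32", line))
    if line.startswith(("O21 - SSODL:", "O22 - SharedTaskScheduler:")):
        out.append(Finding(line[:3], "shell hook loaded by Explorer at logon; rarely legitimate", line))
    m = SERVICE_RE.match(line)
    if m:
        path = m.group(1).strip().lower()
        if path.endswith("\\svchost.exe") and not path.endswith("\\system32\\svchost.exe"):
            out.append(Finding("O23", "service runs a copy of svchost.exe outside system32", line))
    return out


def triage(log_text: str) -> List[Finding]:
    """One pass: the process list runs from 'Running processes:' to the first blank line."""
    findings: List[Finding] = []
    in_procs = False
    for raw in log_text.splitlines():
        line = raw.rstrip()
        if line.lower().startswith("running processes:"):
            in_procs = True
        elif in_procs and line:
            findings.extend(_check_process(line))
        elif in_procs:
            in_procs = False  # blank line ends the process list
        elif line:
            findings.extend(_check_entry(line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
```

The script only reports; deciding what to fix is still the analyst's call, as the thread shows with the P2P clients Belahzur chose to remove on judgement rather than on a rule.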

Re: need help....have a virus

Post by bspence729 on Sat Apr 18, 2009 12:51 am

OK, here's the deal. I did the first part and selected those items and removed them. Next, the link to malware did not work (is this virus related?). I went to [You must be registered and logged in to see this link.] and downloaded it. I could not update it because it could not connect to the malwarebytes.org site. I ran a quick scan, removed files, and restarted. When I restarted, I was able to update Malwarebytes and am about to run a scan again. I am posting the first MBAM log file from the original scan. I will post the updated log file in a few minutes. Thanks for your help.


Malwarebytes' Anti-Malware 1.36
Database version: 1945
Windows 5.1.2600

4/17/2009 7:10:48 PM
mbam-log-2009-04-17 (19-10-48).txt

Scan type: Quick Scan
Objects scanned: 63352
Time elapsed: 5 minute(s), 4 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 12
Registry Values Infected: 4
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 17

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
c:\WINDOWS\system32\kofemube.dll (Trojan.Vundo.H) -> Delete on reboot.

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\minibugtransporter.minibugtransporterx (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{2b96d5cc-c5b5-49a5-a69d-cc0a30f9028c} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\TypeLib\{3c2d2a1e-031f-4397-9614-87c932a848e0} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{04a38f6b-006f-4247-ba4c-02a139d5531c} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\minibugtransporter.minibugtransporterx.1 (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\6to4 (Dialer) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\6to4 (Dialer) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\at1394 (Spyware.OnlineGames) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\at1394 (Spyware.OnlineGames) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\xpreapp (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\dslcnnct (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cpm238f65dc (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\ssodl (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xrevubigax (Trojan.Agent) -> Delete on reboot.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: ctsemp32.dll -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: c:\windows\system32\kofemube.dll -> Delete on reboot.

Folders Infected:
(No malicious items detected)

Files Infected:
c:\WINDOWS\system32\kofemube.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\ctsemp32.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\Program Files\AWS\WeatherBug\MiniBugTransporter.dll (Adware.Minibug) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\6to4v32.dll (Dialer) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\at1394.sys (Spyware.OnlineGames) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\goyipeme.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\s\Local Settings\Temporary Internet Files\Content.IE5\7Q1OP240\eureboc[1].htm (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\s\Local Settings\Temporary Internet Files\Content.IE5\8XUBG9Q3\lrbll[1].htm (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\s\Local Settings\Temporary Internet Files\Content.IE5\KPIV0PIB\liscpqzaw[1].htm (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\s\Local Settings\Temporary Internet Files\Content.IE5\O1M9WFM1\ddsuper2[1].htm (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\WINDOWS\ogevecazuculene.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\prunnet.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\s\reader_s.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\s\Local Settings\Temp\rasesnet.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\s\Local Settings\Temp\xpre.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\hajiruno.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\nefuwipi.dll (Trojan.Vundo) -> Quarantined and deleted successfully.


Re: need help....have a virus

Post by Belahzur on Sat Apr 18, 2009 1:19 am

Hello.
Not good news: MBAM found a file usually seen with a file infector. Depending on the results of this next scan, your machine might need to be formatted.

  • Please download DDS by sUBs to your Desktop (Important!!) from one of these locations:
    [You must be registered and logged in to see this link.]
    [You must be registered and logged in to see this link.]
  • Double click DDS.scr to run
  • When complete, DDS.txt will open.
  • Save the report to your Desktop.
  • Copy and paste DDS.txt back here, I don't need to see attach.txt.



Re: need help....have a virus

Post by bspence729 on Sat Apr 18, 2009 1:31 am

Here is the second scan file.

Malwarebytes' Anti-Malware 1.36
Database version: 1997
Windows 5.1.2600

4/17/2009 8:03:18 PM
mbam-log-2009-04-17 (20-03-18).txt

Scan type: Quick Scan
Objects scanned: 65207
Time elapsed: 31 minute(s), 30 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 0
Registry Keys Infected: 5
Registry Values Infected: 5
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 19

Memory Processes Infected:
C:\WINDOWS\system32\reader_s.exe (Trojan.Agent) -> Unloaded process successfully.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\restore (Rootkit.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\AGprotect (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\dhcpsrv (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\dhcpsrv (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cpm238f65dc (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\ssodl (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xrevubigax (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\reader_s (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\tqpxlyy.exe (Trojan.Vundo.V) -> Quarantined and deleted successfully.
C:\Documents and Settings\s\Local Settings\Temp\6F.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\s\Local Settings\Temp\prun.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\BN7.tmp (Trojan.Kobcka) -> Quarantined and deleted successfully.
C:\Documents and Settings\s\Local Settings\Temporary Internet Files\Content.IE5\7Q1OP240\ddsuper1[1].htm (Virus.Virut) -> Quarantined and deleted successfully.
C:\Documents and Settings\s\Local Settings\Temporary Internet Files\Content.IE5\7Q1OP240\ekueefs[1].txt (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\s\Local Settings\Temporary Internet Files\Content.IE5\8XUBG9Q3\burbbop[1].htm (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Documents and Settings\s\Local Settings\Temporary Internet Files\Content.IE5\8XUBG9Q3\ddsuper0[1].htm (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\s\Local Settings\Temporary Internet Files\Content.IE5\KPIV0PIB\akurrbllzi[1].htm (Trojan.Vundo.V) -> Quarantined and deleted successfully.
C:\Documents and Settings\s\Local Settings\Temporary Internet Files\Content.IE5\KPIV0PIB\ddsuper3[1].htm (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Documents and Settings\s\Local Settings\Temporary Internet Files\Content.IE5\O1M9WFM1\xqakkhuv[1].htm (Worm.MarioFev) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ftp_non_crp.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\reader_s.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\3.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\6.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\wcfgayg.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\ptrf.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\dhcp\svchost.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ak1.exe (Virus.Virut) -> Quarantined and deleted successfully.


Re: need help....have a virus

Post by bspence729 on Sat Apr 18, 2009 1:34 am

Here is the DDS text.



DDS (Ver_09-03-16.01) - NTFSx86 NETWORK
Run by s at 20:12:21.45 on Fri 04/17/2009
Internet Explorer: 6.0.2600.0000 BrowserJavaVersion: 1.6.0_05
Microsoft Windows XP Professional 5.1.2600.0.1252.1.1033.18.247.25 [GMT -5:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\System32\svchost.exe -k NetworkService
C:\WINDOWS\System32\svchost.exe -k LocalService
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\WgaTray.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\s\Desktop\dds.scr
C:\WINDOWS\System32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uSearch Page = [You must be registered and logged in to see this link.]
uSearch Bar = [You must be registered and logged in to see this link.]
uInternet Connection Wizard,ShellNext = iexplore
mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\windows\system32\ntos.exe,
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_05\bin\ssv.dll
EB: Media Band: {32683183-48a0-441b-a342-7c2a440a9478} - %SystemRoot%\System32\browseui.dll
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [AIM] c:\program files\aim\aim.exe -cnetwait.odl
uRun: [updateMgr] c:\program files\adobe\acrobat 7.0\reader\AdobeUpdateManager.exe AcRdB7_0_9
mRun: [IntelZeroConfig] c:\program files\intel\wireless\bin\ZCfgSvc.exe
mRun: []
mRun: [IntelWireless] c:\program files\intel\wireless\bin\ifrmewrk.exe /tf Intel PROSet/Wireless
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [DeadAIM] rundll32.exe "c:\progra~1\aim\\DeadAIM.ocm",ExportedCheckODLs
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.6.0_05\bin\jusched.exe"
mRun: [vptray] c:\progra~1\symant~1\symant~1\vptray.exe
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [CanonMyPrinter] c:\program files\canon\myprinter\BJMyPrt.exe /logon
mRunOnce: [Malwarebytes' Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent
mRunOnce: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
dRun: [reader_s] c:\windows\system32\config\systemprofile\reader_s.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {94148DB5-B42D-4915-95DA-2CBB4F7095BF} - c:\program files\ultimatebet\UltimateBet.exe
IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim\aim.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_05\bin\ssv.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {0000000A-9980-0010-8000-00AA00389B71} - [You must be registered and logged in to see this link.]
DPF: {33564D57-0000-0010-8000-00AA00389B71} - [You must be registered and logged in to see this link.]
DPF: {33564D57-9980-0010-8000-00AA00389B71} - [You must be registered and logged in to see this link.]
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - [You must be registered and logged in to see this link.]
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - [You must be registered and logged in to see this link.]
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - [You must be registered and logged in to see this link.]
TCP: {2E5BA472-C1F5-47A5-8CAF-118CB3DACFA8} = 68.87.85.98,68.87.69.146
Notify: igfxcui - igfxsrvc.dll
Notify: IntelWireless - c:\program files\intel\wireless\bin\LgNotify.dll
Notify: NavLogon - c:\windows\system32\NavLogon.dll
Notify: WRNotifier - WRLogonNTF.dll
AppInit_DLLs: c:\windows\system32\hajiruno.dll c:\windows\system32\kofemube.dll
LSA: Notification Packages = scecli c:\windows\system32\hajiruno.dll ctsemp32.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\s\applic~1\mozilla\firefox\profiles\2dg636ha.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - [You must be registered and logged in to see this link.]
FF - plugin: c:\program files\mozilla firefox\plugins\NPAdbESD.dll
FF - HiddenExtension: XUL Cache: {AF960C7A-9110-4D7B-A192-C9AD05F6D387} - c:\documents and settings\s\local settings\application data\{af960c7a-9110-4d7b-a192-c9ad05f6d387}\

============= SERVICES / DRIVERS ===============

S1 phe5603;phe5603;c:\windows\system32\drivers\phe5603.sys --> c:\windows\system32\drivers\phe5603.sys [?]
S2 NAVAPEL;NAVAPEL;c:\program files\symantec_client_security\symantec antivirus\Navapel.sys [2003-5-2 30208]
S2 Norton AntiVirus Server;Symantec AntiVirus Client;c:\progra~1\symant~1\symant~1\Rtvscan.exe [2003-5-21 630784]
S3 NAVAP;NAVAP;c:\progra~1\symant~1\symant~1\NAVAP.sys [2003-5-2 224256]
S3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20080308.006\NAVENG.sys [2008-3-9 82256]
S3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20080308.006\NAVEX15.sys [2008-3-9 895408]
S3 restore;restore;\??\c:\windows\system32\drivers\restore.sys --> c:\windows\system32\drivers\restore.sys [?]

=============== Created Last 30 ================

2009-04-17 20:06 38 a------- C:\E.tmp
2009-04-17 20:06 0 a------- C:\D.tmp
2009-04-17 20:06 0 a------- C:\C.tmp
2009-04-17 20:06 0 a------- C:\B.tmp
2009-04-17 20:06 0 a------- C:\A.tmp
2009-04-17 20:06 0 a------- C:\9.tmp
2009-04-17 20:06 0 a------- C:\8.tmp
2009-04-17 20:06 0 a------- C:\7.tmp
2009-04-17 20:06 0 a------- C:\6.tmp
2009-04-17 20:05 38 a------- C:\5.tmp
2009-04-17 20:05 52,736 a------- C:\4.tmp
2009-04-17 20:05 23,040 a------- C:\3.tmp
2009-04-17 19:26 --d----- c:\program files\LanqiEngine
2009-04-17 19:26 3 a------- c:\windows\system32\bversion.dll
2009-04-17 19:26 735,232 a------- c:\windows\system32\AdvOcr.dll
2009-04-17 19:24 32,137,216 a------- c:\windows\system32\TRSOCR.dat
2009-04-17 19:23 565,248 a------- c:\windows\system32\IPHACTION.dll
2009-04-17 19:13 0 a------- c:\windows\system32\IpSvchostF.dll
2009-04-17 18:58 --d----- c:\docume~1\s\applic~1\Malwarebytes
2009-04-17 18:57 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-04-17 18:57 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-17 18:57 --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-04-17 18:57 --d----- c:\program files\Malwarebytes' Anti-Malware
2009-04-17 17:38 61,440 a------- c:\windows\system32\tcpd.exe
2009-04-17 17:38 21,504 a------- c:\windows\system32\AUTMGR.EXE
2009-04-17 17:38 926,720 a------- c:\windows\system32\kernel32_check.dll
2009-04-17 17:38 172,032 a------- c:\windows\system32\tcpcon.dll
2009-04-17 17:38 10,240 a------- c:\windows\system32\Packer.dll
2009-04-17 17:38 9 a------- c:\windows\system32\iphy.dll
2009-04-17 17:38 3 a------- c:\windows\system32\fhpatch.dll
2009-04-17 17:38 0 a------- c:\windows\system32\fiplock.dll
2009-04-17 17:38 --d----- c:\windows\dhcp
2009-04-17 17:37 155 a------- c:\windows\system32\SelfDel.bat
2009-04-17 15:27 2 a------- C:\549213935
2009-04-17 15:27 61,952 a------- C:\hclpsfee.exe
2009-04-17 13:16 --d----- c:\program files\TeaTimer (Spybot - Search & Destroy)
2009-04-17 13:16 --d----- c:\program files\SDHelper (Spybot - Search & Destroy)
2009-04-17 13:16 --d----- c:\program files\Misc. Support Library (Spybot - Search & Destroy)
2009-04-17 13:16 --d----- c:\program files\File Scanner Library (Spybot - Search & Destroy)
2009-04-05 14:36 754 a------- c:\windows\WORDPAD.INI
2009-04-01 19:21 198,656 a------- c:\windows\system32\CNMLM8O.DLL
2009-04-01 19:20 --d----- c:\program files\Canon

==================== Find3M ====================

2009-04-17 19:14 161,536 ac------ c:\windows\system32\drivers\ndis.sys
2009-04-17 15:26 75,776 a--sh--- c:\windows\system32\yojapuye.exe

============= FINISH: 20:13:06.92 ===============


Re: need help....have a virus

Post by Belahzur on Sat Apr 18, 2009 1:38 am

Bad news. You have Virut.

It's a file infector; it has infected a lot of files that Windows needs, which can't be fixed.
See here:
[You must be registered and logged in to see this link.]

Your computer has multiple infections, including a backdoor. A backdoor gives intruders complete control of your computer, logs your keystrokes, steals personal information, etc.

You are strongly advised to do the following:

  • Disconnect the computer from the Internet and from any networked computers until it is cleaned.
  • Back up all your important data except programs. The programs can be reinstalled back from the original disc or from the Net.
  • Call all your banks, financial institutions, credit card companies and inform them that you may be a victim of identity theft and put a watch on your accounts. If you don't mind the hassle, change all your account numbers.
  • From a clean computer, change all your passwords (ISP login password, your email address(es) passwords, financial accounts, PayPal, eBay, Amazon, online groups and forums and any other online activities you carry out which require a username and password).
Do NOT change your passwords from this computer as the attacker will be able to get all the new passwords and transaction records.

Due to its backdoor functionality, your computer is very likely to have been compromised and there is no way that it can be trusted again. Many experts in the security community believe that once infected with this type of Trojan, the best course of action would be to do a reformat and reinstallation of the operating system (OS).

To help you understand more, please take some time to read the following articles:

[You must be registered and logged in to see this link.]
[You must be registered and logged in to see this link.]
[You must be registered and logged in to see this link.]
[You must be registered and logged in to see this link.]
[You must be registered and logged in to see this link.]
[You must be registered and logged in to see this link.]

