
Inactive Virus iexplore.exe (Black Internet Rootkit)

Discussion in 'Malware and Virus Removal Archive' started by ThallesNinja, 2010/07/08.

Thread Status:
Not open for further replies.
  1. 2010/07/08
    ThallesNinja (Inactive, Thread Starter)

    [Inactive] Virus iexplore.exe (Black Internet Rootkit)

    Yeah, another dude with that rootkit virus.
    Unlike other people, though, I'm not getting any ads or hearing anything strange. Actually, sometimes the virus lowers my wave sound. BUT I can still hear IE being browsed in the background (that click sound when you change pages).

    The weird thing is, the only things I've done on the PC today were use MSN, install Far Cry 2 and browse FPSBanana. How the hell did I get it?

    Anyway, it seems like the only way of deleting the virus is doing that Windows Repair thing, but I don't have the Windows XP CD, nor do I know how to do it...

    Can anyone please help?

    Windows XP Professional SP3, if that matters.

    And yeah, I do know it is that virus, because when I first got it, two processes (loader.exe and smss.exe by Black Internet) were running on my PC. Also, if I kill IE, it just respawns.
     
  2. 2010/07/08
    PeteC (SuperGeek, Staff)

    Welcome to WindowsBBS :)

    Please read this as indicated at the head of the forum and post the logs requested in this thread.

    Our Malware Analyst will advise on removal.
     


  4. 2010/07/08
    ThallesNinja (Inactive, Thread Starter)

    DDS log



    DDS (Ver_10-03-17.01) - NTFSx86
    Run by Cliente at 15:05:16,71 on qui 08/07/2010
    Internet Explorer: 7.0.5730.11
    Microsoft Windows XP Professional 5.1.2600.3.1252.55.1046.18.3007.2483 [GMT -3:00]

    AV: AntiVir Desktop *On-access scanning enabled* (Outdated) {AD166499-45F9-482A-A743-FDD3350758C7}

    ============== Running Processes ===============

    C:\WINDOWS\system32\nvsvc32.exe
    svchost.exe 4
    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    svchost.exe
    svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Arquivos de programas\Avira\AntiVir Desktop\sched.exe
    svchost.exe 4
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\Arquivos de programas\Avira\AntiVir Desktop\avgnt.exe
    C:\Arquivos de programas\DAEMON Tools Lite\DTLite.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Arquivos de programas\DAP\DAP.EXE
    C:\Arquivos de programas\Avira\AntiVir Desktop\avguard.exe
    C:\Arquivos de programas\Nero\Nero 7\InCD\InCDsrv.exe
    C:\Arquivos de programas\Java\jre6\bin\jqs.exe
    C:\WINDOWS\system32\PnkBstrA.exe
    C:\Arquivos de programas\CyberLink\Shared Files\RichVideo.exe
    C:\Arquivos de programas\Avira\AntiVir Desktop\avshadow.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Documents and Settings\Cliente\Configurações locais\Dados de aplicativos\Google\Chrome\Application\chrome.exe
    C:\Documents and Settings\Cliente\Configurações locais\Dados de aplicativos\Google\Chrome\Application\chrome.exe
    C:\Documents and Settings\Cliente\Configurações locais\Dados de aplicativos\Google\Chrome\Application\chrome.exe
    C:\Documents and Settings\Cliente\Configurações locais\Dados de aplicativos\Google\Chrome\Application\chrome.exe
    C:\Documents and Settings\Cliente\Desktop\dds.scr

    ============== Pseudo HJT Report ===============

    BHO: Octh Class: {000123b4-9b42-4900-b3f7-f4b073efc214} - c:\arquivos de programas\orbitdownloader\orbitcth.dll
    BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\arquiv~1\micros~2\office12\GRA8E1~1.DLL
    BHO: Auxiliar de Conexão do Windows Live: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\arquivos de programas\arquivos comuns\microsoft shared\windows live\WindowsLiveLogin.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\arquivos de programas\java\jre6\bin\jp2ssv.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\arquivos de programas\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    BHO: DAPIELoader Class: {ff6c3cf0-4b15-11d1-abed-709549c10000} - c:\arquiv~1\dap\DAPIEL~1.DLL
    uRun: [DAEMON Tools Lite] "c:\arquivos de programas\daemon tools lite\DTLite.exe" -autorun
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    uRun: [DownloadAccelerator] "c:\arquivos de programas\dap\DAP.EXE" /STARTUP
    mRun: [MSConfig] c:\windows\pchealth\helpctr\binaries\MSConfig.exe /auto
    mRun: [nwiz] nwiz.exe /installquiet
    mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
    mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
    mRun: [avgnt] "c:\arquivos de programas\avira\antivir desktop\avgnt.exe" /min
    dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
    dRunOnce: [nltide_2] regsvr32 /s /n /i:U shell32
    IE: &Clean Traces - c:\arquivos de programas\dap\privacy package\dapcleanerie.htm
    IE: &Download by Orbit - c:\arquivos de programas\orbitdownloader\orbitmxt.dll/201
    IE: &Download with &DAP - c:\arquivos de programas\dap\dapextie.htm
    IE: &Grab video by Orbit - c:\arquivos de programas\orbitdownloader\orbitmxt.dll/204
    IE: Baixar com Mipony - file://c:\arquivos de programas\mipony\browser\IEContext.htm
    IE: Do&wnload selected by Orbit - c:\arquivos de programas\orbitdownloader\orbitmxt.dll/203
    IE: Down&load all by Orbit - c:\arquivos de programas\orbitdownloader\orbitmxt.dll/202
    IE: Download &all with DAP - c:\arquivos de programas\dap\dapextie2.htm
    IE: E&xportar para o Microsoft Excel - c:\arquiv~1\micros~2\office12\EXCEL.EXE/3000
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\arquivos de programas\messenger\msmsgs.exe
    IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\arquiv~1\micros~2\office12\ONBttnIE.dll
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\arquiv~1\micros~2\office12\REFIEBAR.DLL
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
    TCP: {04958B79-94D1-4784-80CC-B2A7CF40C62E} = 200.165.132.147 200.165.132.155
    Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\arquiv~1\micros~2\office12\GR99D3~1.DLL
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
    SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\arquiv~1\micros~2\office12\GRA8E1~1.DLL

    ============= SERVICES / DRIVERS ===============

    R1 avgio;avgio;c:\arquivos de programas\avira\antivir desktop\avgio.sys [2010-6-28 11608]
    R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\arquivos de programas\avira\antivir desktop\sched.exe [2010-6-28 135336]
    R2 AntiVirService;Avira AntiVir Guard;c:\arquivos de programas\avira\antivir desktop\avguard.exe [2010-6-28 267432]
    R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2010-6-28 60936]
    S2 clr_optimization_v4.0.30128_32;Microsoft .NET Framework NGEN v4.0.30128_X86;c:\windows\microsoft.net\framework\v4.0.30128\mscorsvw.exe [2010-1-28 130384]
    S3 GarenaPEngine;GarenaPEngine;c:\docume~1\cliente\config~1\temp\MBS1EB.tmp [2010-7-7 25616]
    S3 PPJoyBus;Parallel Port Joystick Bus device driver;c:\windows\system32\drivers\PPJoyBus.sys [2010-6-7 13952]
    S3 PPortJoystick;Parallel Port Joystick device driver;c:\windows\system32\drivers\PPortJoy.sys [2004-1-23 28800]
    S3 vmmouse;VMware Pointing Device;c:\windows\system32\drivers\vmmouse.sys [2009-6-22 11696]
    S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30128\wpf\WPFFontCache_v0400.exe [2010-1-28 738656]

    =============== Created Last 30 ================

    2010-07-08 05:27:30 0 d-----w- c:\docume~1\cliente\dadosd~1\Malwarebytes
    2010-07-08 05:27:23 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-07-08 05:27:21 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-07-08 05:27:21 0 d-----w- c:\docume~1\alluse~1\dadosd~1\Malwarebytes
    2010-07-08 05:27:21 0 d-----w- c:\arquivos de programas\Malwarebytes' Anti-Malware
    2010-07-07 20:23:09 74072 ----a-w- c:\windows\system32\XAPOFX1_4.dll
    2010-07-07 20:23:09 528216 ----a-w- c:\windows\system32\XAudio2_6.dll
    2010-07-07 20:23:09 238936 ----a-w- c:\windows\system32\xactengine3_6.dll
    2010-07-07 20:23:08 22360 ----a-w- c:\windows\system32\X3DAudio1_7.dll
    2010-07-06 21:33:34 138464 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys
    2010-07-06 21:33:27 111928 ----a-w- c:\windows\system32\PnkBstrB.exe
    2010-07-06 21:33:17 66872 ----a-w- c:\windows\system32\PnkBstrA.exe
    2010-07-04 19:26:57 0 d-----w- c:\windows\system32\NtmsData
    2010-07-01 21:48:52 104 ----a-w- C:\Meu computador.lnk
    2010-06-29 05:17:53 0 d-----w- c:\docume~1\cliente\dadosd~1\Avira
    2010-06-29 00:39:24 60936 ----a-w- c:\windows\system32\drivers\avgntflt.sys
    2010-06-29 00:39:23 0 d-----w- c:\docume~1\alluse~1\dadosd~1\Avira
    2010-06-29 00:39:23 0 d-----w- c:\arquivos de programas\Avira
    2010-06-23 23:16:03 73216 ----a-w- c:\windows\temp.000
    2010-06-23 22:39:15 0 d-----w- c:\arquivos de programas\Hero Editor
    2010-06-23 22:39:02 249856 ------w- c:\windows\Setup1.exe
    2010-06-23 22:39:00 73216 ----a-w- c:\windows\ST6UNST.EXE
    2010-06-21 02:59:46 0 d-----w- c:\docume~1\cliente\dadosd~1\TS3Client
    2010-06-21 02:59:28 0 d-----w- c:\docume~1\alluse~1\dadosd~1\boost_interprocess
    2010-06-20 12:59:58 274288 ----a-w- c:\windows\system32\mucltui.dll
    2010-06-20 12:59:58 215920 ----a-w- c:\windows\system32\muweb.dll
    2010-06-20 12:59:58 17264 ----a-w- c:\windows\system32\mucltui.dll.mui
    2010-06-15 04:30:14 0 d-----w- c:\docume~1\alluse~1\dadosd~1\Panda Security
    2010-06-12 08:58:46 0 d-----w- c:\arquivos de programas\Phyxion.net
    2010-06-12 06:53:15 61440 ----a-w- c:\windows\system32\OpenCL.dll
    2010-06-12 06:53:14 14757888 ----a-w- c:\windows\system32\nvoglnt.dll
    2010-06-12 06:53:11 2030184 ----a-w- c:\windows\system32\nvcuvid.dll
    2010-06-12 06:53:10 4075520 ----a-w- c:\windows\system32\nvcuda.dll
    2010-06-12 06:53:10 2646632 ----a-w- c:\windows\system32\nvcuvenc.dll
    2010-06-12 06:53:09 227944 ----a-w- c:\windows\system32\nvcodins.dll
    2010-06-12 06:53:09 227944 ----a-w- c:\windows\system32\nvcod.dll
    2010-06-12 06:53:09 2183470 ----a-w- c:\windows\system32\nvdata.bin
    2010-06-12 06:53:09 11647592 ----a-w- c:\windows\system32\nvcompiler.dll
    2010-06-12 06:53:09 1097728 ----a-w- c:\windows\system32\nvapi.dll
    2010-06-10 04:29:12 0 d-----w- c:\arquivos de programas\Orbitdownloader

    ==================== Find3M ====================

    2010-07-07 20:01:08 93948 ----a-w- c:\windows\system32\perfc016.dat
    2010-07-07 20:01:08 531572 ----a-w- c:\windows\system32\perfh016.dat
    2010-06-07 19:56:47 13952 ----a-w- c:\windows\system32\drivers\PPJoyBus.sys
    2010-06-05 02:06:36 8042 ----a-w- c:\windows\system32\ealregsnapshot1.reg
    2010-06-01 16:46:52 221599 ----a-w- c:\arquivos de programas\Asprate.rar
    2010-05-31 22:49:30 794408 ----a-w- c:\windows\system32\pbsvc.exe
    2010-05-30 21:20:52 407424 ----a-w- c:\windows\fonts\fsex2p00_public.ttf
    2010-05-30 19:04:14 139152 ----a-w- c:\docume~1\cliente\dadosd~1\PnkBstrK.sys
    2009-06-23 02:39:23 32768 --sha-w- c:\windows\system32\config\systemprofile\configurações locais\histórico\history.ie5\mshist012009062220090623\index.dat

    ============= FINISH: 15:05:35,76 ===============


    Couldn't find the attach button to attach that other log, sorry.
    And sorry for the delay, I just woke up.
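As an added triage helper (not from the thread, the forum's instructions, or the DDS tool itself): a Python parser for the DDS log format posted above. It splits the log on its "=== NAME ===" banners and flags the two things an analyst would look for here, a core system binary name such as smss.exe running from outside system32 (the masquerade the original post describes) and a process or driver loaded from a temp directory (as the GarenaPEngine entry in the posted log is). The sample log is constructed from lines of the posted log plus one constructed smss.exe entry; the reason strings and the SYSTEM_ONLY list are my own choices.

```python
import re
from pathlib import PureWindowsPath
# Constructed sample: lines copied from the DDS log above plus one constructed entry
# (an smss.exe outside system32) of the kind the thread reports.
SAMPLE_LOG = r"""
============== Running Processes ===============
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Arquivos de programas\Avira\AntiVir Desktop\avguard.exe
C:\Documents and Settings\Cliente\Dados de aplicativos\smss.exe
C:\Documents and Settings\Cliente\Desktop\dds.scr
============= SERVICES / DRIVERS ===============
R1 avgio;avgio;c:\arquivos de programas\avira\antivir desktop\avgio.sys [2010-6-28 11608]
S3 GarenaPEngine;GarenaPEngine;c:\docume~1\cliente\config~1\temp\MBS1EB.tmp [2010-7-7 25616]
"""

# Core Windows binaries that only belong in %SystemRoot%\system32 on XP.
SYSTEM_ONLY = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe", "lsass.exe", "svchost.exe"}
TEMP_MARKERS = ("\\temp\\", "\\config~1\\temp\\")

def sections(log):
    """Split a DDS log into {banner name: [non-empty lines]} using its '=== NAME ===' banners."""
    out, current = {}, None
    for line in log.splitlines():
        m = re.fullmatch(r"=+\s*(.+?)\s*=+", line.strip())
        if m:
            current = m.group(1)
            out[current] = []
        elif current and line.strip():
            out[current].append(line.strip())
    return out

def image_path(entry):
    """Extract the binary path from a process line or an 'Sx name;desc;path [date size]' entry."""
    if ";" in entry:
        entry = entry.split(";", 2)[-1]
    entry = re.sub(r"\s\[.*\]$", "", entry)  # drop DDS's trailing [date size]
    return re.split(r"\s-k\s|\s/", entry)[0].strip().strip('"')

def triage(log):
    """Return (path, reason) pairs: system-named binaries outside system32, anything in temp."""
    findings, secs = [], sections(log)
    for entry in secs.get("Running Processes", []) + secs.get("SERVICES / DRIVERS", []):
        path = image_path(entry)
        low = path.lower()
        if PureWindowsPath(low).name in SYSTEM_ONLY and not low.startswith("c:\\windows\\system32\\"):
            findings.append((path, "system binary name outside system32"))
        elif any(marker in low for marker in TEMP_MARKERS) or low.endswith(".tmp"):
            findings.append((path, "loaded from a temp location"))
    return findings
```

Run `triage(open("dds.txt").read())` over a saved DDS log; a clean XP box yields no findings, while the posted log would surface the temp-directory driver entry.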
     
  5. 2010/07/08
    Admin. (Administrator, Staff)

    As posted in our instructions above:

     
  6. 2010/07/08
    ThallesNinja (Inactive, Thread Starter)

    Can't do that now anyway... While running a system scan with Avira, the computer suddenly shut down and now it's not even booting...

    Guess my only option is to try and do that "fixmbr".
    Either way, it's a win-win, since I was waiting for something like this to come up so I'd be forced to format and install Windows 7. The only thing I care about is my lost Oblivion saves...
     
  7. 2010/07/08
    broni (Moderator, Malware Analyst)

    How far does it go?
    Did you try Safe Mode?
     