
[Not curable - Virut] Can't acces Antivirus and Microsoft's sites

Discussion in 'Malware and Virus Removal Archive' started by trojan82, 2010/09/29.

  1. 2010/09/29
    trojan82

    trojan82 Inactive Thread Starter

    Joined:
    2010/09/29
    Messages:
    3
    Likes Received:
    0
    Hi. :(
    I have the following problem:
    • can't run combofix
    it says I'm infected with some virus (Virut)
    • can't update my Antivirus
    • can't open any Microsoft or Antivirus site

    Operating System: WinXP SP2
    Installed Antivirus: ESET NOD32 Antivirus™ 3.0.669.0
    Virus signature database : 3230 (20080701)
    Installed Malware Protection: Malwarebytes'


    DDS (Ver_10-03-17.01) - NTFSx86
    Run by Skywalker at 2:02:29.81 on Thu 09/30/2010
    Internet Explorer: 6.0.2900.2180
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1534.978 [GMT 7:00]

    AV: ESET NOD32 Antivirus 3.0 *On-access scanning enabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}

    ============== Running Processes ===============

    C:\Program Files\Faronics\Deep Freeze\Install C-0\DF5Serv.exe
    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    svchost.exe
    svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\DeviceVM\Browser Configuration Utility\BCU.exe
    C:\WINDOWS\RTHDCPL.EXE
    C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
    C:\WINDOWS\system32\userini.exe
    C:\WINDOWS\system32\userini.exe
    C:\WINDOWS\system32\taskmgr.exe
    C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
    C:\WINDOWS\system32\rserver30\RServer3.exe
    C:\Program Files\Faronics\Deep Freeze\Install C-0\_$Df\FrzState2k.exe
    C:\PROGRA~1\SPEEDB~1\VideoAcceleratorService.exe
    C:\PROGRA~1\SPEEDB~1\VideoAcceleratorEngine.exe
    C:\WINDOWS\system32\rserver30\FamItrfc.Exe
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\WINDOWS\system32\Rundll32.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Mozilla Firefox\plugin-container.exe
    C:\Documents and Settings\Skywalker\Desktop\dds.scr

    ============== Pseudo HJT Report ===============

    uInternet Connection Wizard,ShellNext = hxxp://www.superstarracing.net/
    uInternet Settings,ProxyOverride = *.local
    uURLSearchHooks: SearchHook Class: {bc86e1ab-eda5-4059-938f-ce307b0c6f0a} - c:\program files\devicevm\browser configuration utility\AddressBarSearch.dll
    uURLSearchHooks: H - No File
    BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: FlashGetBHO: {b070d3e3-fec0-47d9-8e8a-99d4eeb3d3b0} - d:\my document\flashget\FlashGetBHO3.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
    mRun: [BCU] "c:\program files\devicevm\browser configuration utility\BCU.exe "
    mRun: [RTHDCPL] RTHDCPL.EXE
    mRun: [egui] "c:\program files\eset\eset nod32 antivirus\egui.exe" /hide /waitservice
    mRun: [wwxocjwa~] c:\windows\system32\wwxocjwa~.exe
    mRun: [qaqmyc] RUNDLL32.EXE c:\windows\system32\mskdlpso.dll,w
    dRun: [wwxocjwa~] c:\documents and settings\skywalker\wwxocjwa~.exe
    uExplorerRun: [userini] c:\windows\system32\userini.exe
    mExplorerRun: [userini] c:\windows\system32\userini.exe
    mExplorerRun: [attygq] c:\windows\temp\sn605.exe
    mExplorerRun: [sra0w] c:\windows\temp\hpbuj8t.exe
    IE: Download All By FlashGet3 - d:\my document\flashget\GetAllUrl.htm
    IE: Download By FlashGet3 - d:\my document\flashget\GetUrl.htm
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    LSP: c:\progra~1\speedb~1\sblsp.dll
    Trusted Zone: kuaiche.com\software
    Notify: AtiExtEvent - Ati2evxx.dll
    Notify: DfLogon - LogonDll.dll

    ================= FIREFOX ===================

    FF - ProfilePath - c:\docume~1\skywal~1\applic~1\mozilla\firefox\profiles\86lob42v.default\
    FF - plugin: c:\program files\google\update\1.2.183.23\npGoogleOneClick8.dll
    FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npwachk.dll
    FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}

    ---- FIREFOX POLICIES ----
    FF - user.js: yahoo.ytff.general.dontshowhpoffer - true);user_pref(yahoo.homepage.dontask, truec:\program files\mozilla firefox\greprefs\all.js - pref( "ui.use_native_colors ", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref( "ui.use_native_popup_windows ", false);
    c:\program files\mozilla firefox\greprefs\all.js - pref( "browser.enable_click_image_resizing ", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref( "accessibility.browsewithcaret_shortcut.enabled ", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref( "javascript.options.mem.high_water_mark ", 32);
    c:\program files\mozilla firefox\greprefs\all.js - pref( "javascript.options.mem.gc_frequency ", 1600);
    c:\program files\mozilla firefox\greprefs\all.js - pref( "network.IDN.whitelist.lu ", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref( "network.IDN.whitelist.nu ", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref( "network.IDN.whitelist.nz ", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref( "network.IDN.whitelist.xn--mgbaam7a8h ", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref( "network.IDN.whitelist.xn--mgberp4a5d4ar ", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref( "network.IDN.whitelist.xn--p1ai ", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref( "network.IDN.whitelist.xn--mgbayh7gpa ", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref( "network.IDN.whitelist.tel ", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref( "network.auth.force-generic-ntlm ", false);
    c:\program files\mozilla firefox\greprefs\all.js - pref( "network.proxy.type ", 5);
    c:\program files\mozilla firefox\greprefs\all.js - pref( "network.buffer.cache.count ", 24);
    c:\program files\mozilla firefox\greprefs\all.js - pref( "network.buffer.cache.size ", 4096);
    c:\program files\mozilla firefox\greprefs\all.js - pref( "dom.ipc.plugins.timeoutSecs ", 45);
    c:\program files\mozilla firefox\greprefs\all.js - pref( "svg.smil.enabled ", false);
    c:\program files\mozilla firefox\greprefs\all.js - pref( "ui.trackpoint_hack.enabled ", -1);
    c:\program files\mozilla firefox\greprefs\all.js - pref( "browser.formfill.debug ", false);
    c:\program files\mozilla firefox\greprefs\all.js - pref( "browser.formfill.agedWeight ", 2);
    c:\program files\mozilla firefox\greprefs\all.js - pref( "browser.formfill.bucketSize ", 1);
    c:\program files\mozilla firefox\greprefs\all.js - pref( "browser.formfill.maxTimeGroupings ", 25);
    c:\program files\mozilla firefox\greprefs\all.js - pref( "browser.formfill.timeGroupingSize ", 604800);
    c:\program files\mozilla firefox\greprefs\all.js - pref( "browser.formfill.boundaryWeight ", 25);
    c:\program files\mozilla firefox\greprefs\all.js - pref( "browser.formfill.prefixWeight ", 5);
    c:\program files\mozilla firefox\greprefs\all.js - pref( "accelerometer.enabled ", true);
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref( "security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref ", true);
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref( "security.ssl.renego_unrestricted_hosts ", " ");
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref( "security.ssl.treat_unsafe_negotiation_as_broken ", false);
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref( "security.ssl.require_safe_negotiation ", false);
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref( "security.ssl3.rsa_seed_sha ", true);
    c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref( "app.update.download.backgroundInterval ", 600);
    c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref( "app.update.url.manual ", "http://www.firefox.com ");
    c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref( "browser.search.param.yahoo-fr-ja ", "mozff ");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref( "extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name ", "chrome://browser/locale/browser.properties ");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref( "extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description ", "chrome://browser/locale/browser.properties ");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref( "xpinstall.whitelist.add ", "addons.mozilla.org ");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref( "xpinstall.whitelist.add.36 ", "getpersonas.com ");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref( "lightweightThemes.update.enabled ", true);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref( "browser.allTabs.previews ", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref( "plugins.hide_infobar_for_outdated_plugin ", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref( "plugins.update.notifyUser ", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref( "toolbar.customization.usesheet ", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref( "dom.ipc.plugins.enabled.nptest.dll ", true);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref( "dom.ipc.plugins.enabled.npswf32.dll ", true);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref( "dom.ipc.plugins.enabled.npctrl.dll ", true);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref( "dom.ipc.plugins.enabled.npqtplugin.dll ", true);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref( "dom.ipc.plugins.enabled ", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref( "browser.taskbar.previews.enable ", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref( "browser.taskbar.previews.max ", 20);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref( "browser.taskbar.previews.cachetime ", 20);

    ============= SERVICES / DRIVERS ===============

    R0 DeepFrz;DeepFrz;c:\windows\system32\drivers\DeepFrz.sys [2006-11-29 127896]
    R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [2008-7-1 34312]
    R1 raddrvv3;raddrvv3;c:\windows\system32\rserver30\raddrvv3.sys [2009-10-9 46304]
    R1 SASDIFSV;SASDIFSV;c:\docume~1\skywal~1\locals~1\temp\sas_selfextract\SASDIFSV.SYS [2010-2-18 12872]
    R1 SASKUTIL;SASKUTIL;c:\docume~1\skywal~1\locals~1\temp\sas_selfextract\SASKUTIL.SYS [2010-5-11 67656]
    R2 ekrn;Eset Service;c:\program files\eset\eset nod32 antivirus\ekrn.exe [2008-7-1 468224]
    R2 RServer3;Radmin Server V3;c:\windows\system32\rserver30\rserver3.exe [2009-10-9 1242504]
    R2 VideoAcceleratorService;VideoAcceleratorService;c:\progra~1\speedb~1\videoacceleratorservice.exe -start -scm --> c:\progra~1\speedb~1\VideoAcceleratorService.exe -start -scm [?]
    R3 L1c;NDIS Miniport Driver for Atheros AR8131/AR8132 PCI-E Ethernet Controller;c:\windows\system32\drivers\l1c51x86.sys [2010-9-24 44032]
    R3 mirrorv3;mirrorv3;c:\windows\system32\drivers\rminiv3.sys [2009-10-9 3328]
    S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-9-24 136176]
    S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2010-9-24 1684736]
    S3 NTProcDrv;Process creation detector for NT.;c:\windows\temp\drv1.tmp [2010-9-24 3584]
    S3 rPE.sys;rPE.sys;c:\windows\system32\rPE.sys [2010-9-27 5632]
    S3 rPE3.sys;rPE3.sys;c:\windows\system32\rPE3.sys [2010-9-28 5632]
    S4 BCUService;Browser Configuration Utility Service;c:\program files\devicevm\browser configuration utility\BCUService.exe [2010-9-24 219360]
    S4 ES lite Service;ES lite Service for program management.;c:\program files\gigabyte\easysaver\essvr.exe [2010-9-24 68136]
    S4 HdThemeEnabler;Hyperdesk Theme Enabler;c:\program files\the skins factory\hyperdesk\common\HDThemeEnabler.exe [2008-7-21 106496]

    =============== Created Last 30 ================

    2010-09-29 18:54:10 36865 ----a-w- c:\windows\system32\mskdlpso.dll
    2010-09-29 18:54:03 48640 ----a-w- c:\windows\system32\wwxocjwa~.exe
    2010-09-29 18:54:03 48640 ----a-w- c:\documents and settings\skywalker\wwxocjwa~.exe
    2010-09-29 18:31:45 77824 ----a-w- c:\windows\system32\userini.exe
    2010-09-29 18:28:54 891 ----a-w- c:\windows\system32\secushr.dat
    2010-09-29 18:14:47 0 d-----w- c:\windows\system32\appmgmt
    2010-09-29 17:10:27 182912 ----a-w- c:\windows\system32\drivers\drw9902.tmp
    2010-09-29 16:14:11 182912 ----a-w- c:\windows\system32\drivers\drw3F9E.tmp
    2010-09-29 15:53:25 182912 -c--a-w- c:\windows\system32\dllcache\drw3014.tmp
    2010-09-27 18:45:13 65536 ----a-w- c:\windows\system32\LogonDll.dll
    2010-09-27 18:45:10 12104143 ------w- C:\$Persi0.sys
    2010-09-27 18:20:17 182912 -c--a-w- c:\windows\system32\dllcache\drw9D8D.tmp
    2010-09-27 17:42:30 0 d-----w- c:\program files\ESET
    2010-09-27 17:31:31 5632 ----a-w- c:\windows\system32\rPE3.sys
    2010-09-27 14:26:59 0 d-----w- c:\docume~1\skywal~1\applic~1\Flock
    2010-09-27 14:26:47 0 d-----w- c:\program files\Flock
    2010-09-27 11:43:01 88 --sh--r- c:\docume~1\alluse~1\applic~1\7D0B6C8F0F.sys
    2010-09-27 06:54:38 0 ----a-w- c:\windows\urk43lmawl8zhy7ss44az9wl.ini
    2010-09-26 18:34:45 0 d-----w- c:\program files\CCleaner
    2010-09-26 17:17:54 5632 ----a-w- c:\windows\system32\rPE.sys
    2010-09-25 21:47:58 172032 ----a-w- c:\windows\system32\AniGIF.ocx
    2010-09-25 21:32:29 248 ----a-w- c:\windows\system32\secustat.dat
    2010-09-25 21:09:52 25 ----a-w- c:\windows\libem.INI
    2010-09-25 21:09:51 0 d-----w- c:\docume~1\skywal~1\applic~1\BITS
    2010-09-24 19:44:02 0 d--h--w- c:\windows\$hf_mig$
    2010-09-24 15:18:56 182912 ----a-w- c:\windows\system32\drivers\drw1A.tmp
    2010-09-24 15:16:52 182912 -c--a-w- c:\windows\system32\dllcache\drw19.tmp
    2010-09-24 15:10:38 0 d-----w- c:\program files\Winamp Detect
    2010-09-24 14:56:08 182912 -c--a-w- c:\windows\system32\dllcache\drw31.tmp
    2010-09-24 10:16:50 0 d-----w- c:\docume~1\skywal~1\applic~1\FLVPlayer4Free
    2010-09-24 03:22:27 0 d-----w- c:\docume~1\skywal~1\applic~1\PointBlank
    2010-09-24 01:51:56 0 d-----w- c:\program files\common files\ODBC
    2010-09-24 01:51:54 0 d-----w- c:\program files\common files\SpeechEngines
    2010-09-24 01:51:35 0 d-----r- c:\documents and settings\all users\Documents
    2010-09-23 23:50:06 0 d-----w- c:\docume~1\alluse~1\applic~1\Alwil Software
    2010-09-23 23:27:50 0 d-----w- c:\docume~1\skywal~1\applic~1\Malwarebytes
    2010-09-23 23:27:39 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
    2010-09-23 23:27:38 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-09-23 23:21:22 0 d-----w- c:\docume~1\skywal~1\applic~1\Process Hacker 2
    2010-09-23 21:02:20 0 d-----w- c:\docume~1\skywal~1\applic~1\Radmin
    2010-09-23 21:01:00 0 d-----w- c:\program files\Radmin Viewer 3
    2010-09-23 20:56:15 0 d-----w- c:\docume~1\skywal~1\applic~1\SUPERAntiSpyware.com
    2010-09-23 20:56:15 0 d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
    2010-09-23 20:53:26 0 d-----w- c:\program files\Faronics
    2010-09-23 20:27:26 0 d-----w- c:\program files\Yahoo!
    2010-09-23 20:12:28 0 d-----w- c:\program files\SpeedBit Video Accelerator
    2010-09-23 20:12:28 0 d-----w- c:\docume~1\alluse~1\applic~1\Speedbit
    2010-09-23 20:10:30 0 d-----w- c:\docume~1\skywal~1\applic~1\Rainmeter
    2010-09-23 20:08:05 0 d-----w- c:\program files\Corel
    2010-09-23 20:08:05 0 d-----w- c:\program files\common files\Protexis
    2010-09-23 20:08:05 0 d-----w- c:\docume~1\alluse~1\applic~1\Corel
    2010-09-23 20:06:39 0 d-----w- c:\program files\Topaz Labs
    2010-09-23 20:06:39 0 d-----w- c:\program files\common files\Topaz Labs
    2010-09-23 19:59:49 0 d-----w- c:\program files\K-Lite Codec Pack
    2010-09-23 19:58:15 0 d-----w- c:\program files\Bonjour
    2010-09-23 19:51:49 0 d-----w- c:\program files\common files\Macrovision Shared
    2010-09-23 19:47:24 0 d-----w- c:\docume~1\skywal~1\applic~1\Skinux
    2010-09-23 19:47:11 0 d-----w- c:\program files\The Skins Factory
    2010-09-23 19:33:07 0 d-----w- c:\program files\Stardock
    2010-09-23 19:32:14 0 d-----w- c:\program files\IndoClient
    2010-09-23 19:31:39 0 d-----w- c:\program files\Mozilla Firefox 4.0 Beta 4
    2010-09-23 19:22:38 0 d-----w- c:\program files\common files\ATI Technologies
    2010-09-23 19:20:20 0 d-----w- c:\program files\ATI Technologies
    2010-09-23 19:20:19 0 d-----w- c:\program files\ATI
    2010-09-23 19:10:22 0 d-----w- c:\program files\Realtek
    2010-09-23 19:08:04 0 d--h--w- c:\program files\DeviceVM
    2010-09-23 19:07:49 0 d-----w- c:\program files\Gigabyte
    2010-09-23 19:01:17 0 d-sh--w- c:\documents and settings\all users\DRM
    2010-09-23 19:01:05 0 d--h--w- c:\program files\WindowsUpdate
    2010-09-23 19:00:27 0 d-----w- c:\program files\common files\MSSoap
    2010-09-23 18:59:31 0 d-----w- c:\program files\Online Services
    2010-09-23 18:59:27 0 d-----w- c:\program files\Messenger
    2010-09-23 18:59:24 0 d-----w- c:\program files\MSN Gaming Zone
    2010-09-23 18:58:56 0 d-----w- c:\program files\Windows NT

    ==================== Find3M ====================

    2010-09-29 18:28:34 1059840 ----a-w- c:\windows\explorer.exe
    2010-09-27 18:37:41 2048 --s-a-w- c:\windows\bootstet.dat
    2010-09-27 18:26:47 55296 ----a-w- c:\windows\system32\wbem\grpconv.exe
    2010-09-24 03:22:24 211072 ----a-w- c:\windows\system32\drivers\ndis.sys
    2010-09-23 23:12:13 17488 ----a-w- c:\windows\gdrv.sys
    2010-09-23 22:31:50 218112 ----a-w- c:\windows\system32\wbem\wmiprvse.exe
    2010-09-23 22:26:27 57856 ----a-w- c:\windows\system32\spoolsv.exe
    2010-09-23 22:25:51 8192 ----a-w- c:\windows\system32\lpr.exe
    2010-09-23 22:24:35 602112 ----a-w- c:\windows\system32\ati2evxx.exe
    2010-09-23 21:34:10 17914880 ----a-w- c:\windows\RTHDCPL.EXE
    2010-09-23 21:17:15 368640 ----a-w- c:\windows\system32\wbem\wmic.exe
    2010-09-23 21:17:15 206848 ----a-w- c:\windows\system32\wbem\wmiadap.exe
    2010-09-23 21:17:15 136192 ----a-w- c:\windows\system32\wbem\wmiapsrv.exe
    2010-09-23 21:17:14 23552 ----a-w- c:\windows\system32\wbem\winmgmt.exe
    2010-09-23 21:17:14 126464 ----a-w- c:\windows\system32\wbem\wbemtest.exe
    2010-09-23 21:17:13 27136 ----a-w- c:\windows\system32\wbem\unsecapp.exe
    2010-09-23 21:17:12 47104 ----a-w- c:\windows\system32\wbem\scrcons.exe
    2010-09-23 21:17:11 26624 ----a-w- c:\windows\system32\wbem\mofcomp.exe
    2010-09-23 21:11:40 3722 ---h--w- c:\windows\fonts\mlog
    2010-09-23 21:11:08 41984 ----a-w- c:\windows\system32\wupdmgr.exe
    2010-09-23 21:11:08 40960 ----a-w- c:\windows\system32\xcopy.exe
    2010-09-23 21:11:07 176128 ----a-w- c:\windows\system32\wuauclt1.exe
    2010-09-23 21:11:05 42496 ----a-w- c:\windows\system32\wpnpinst.exe
    2010-09-23 21:11:05 24064 ----a-w- c:\windows\system32\wscntfy.exe
    2010-09-23 21:11:05 15872 ----a-w- c:\windows\system32\write.exe
    2010-09-23 21:11:05 126976 ----a-w- c:\windows\system32\wscript.exe
    2010-09-23 21:11:04 42496 ----a-w- c:\windows\system32\wpabaln.exe
    2010-09-23 21:11:01 15872 ----a-w- c:\windows\system32\winver.exe
    2010-09-23 21:11:00 22016 ----a-w- c:\windows\system32\winmsd.exe
    2010-09-23 21:11:00 129536 ----a-w- c:\windows\system32\winmine.exe
    2010-09-23 21:09:45 417280 ----a-w- c:\windows\system32\mstsc.exe
    2010-09-23 21:08:59 92672 ----a-w- c:\windows\system32\dfrgfat.exe
    2010-09-23 19:48:13 218624 ----a-w- c:\windows\system32\uxtheme.dll
    2010-09-23 19:32:15 39936 ----a-w- c:\windows\dwlGina2.dll
    2010-09-23 19:32:15 130560 ---h--r- c:\windows\Duf.exe
    2010-09-23 18:59:48 21640 ----a-w- c:\windows\system32\emptyregdb.dat
    2010-07-16 22:00:04 423656 ----a-w- c:\windows\system32\deployJava1.dll
    2010-07-14 08:00:00 108032 ----a-w- c:\windows\system32\ff_vfw.dll

    ============= FINISH: 2:02:37.53 ===============
     
  2. 2010/09/29
    PeteC

    PeteC SuperGeek Staff

    Joined:
    2002/05/10
    Messages:
    28,896
    Likes Received:
    389
    Welcome to WindowsBBS :)

    Please post the contents of Attach.txt.
     

  4. 2010/09/29
    trojan82

    trojan82 Inactive Thread Starter

    Joined:
    2010/09/29
    Messages:
    3
    Likes Received:
    0
    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT

    DDS (Ver_10-03-17.01)

    Microsoft Windows XP Professional
    Boot Device: \Device\HarddiskVolume1
    Install Date: 9/24/2010 2:03:23 AM
    System Uptime: 9/30/2010 1:52:50 AM (1 hours ago)

    Motherboard: Gigabyte Technology Co., Ltd. | | G31M-ES2C
    Processor: Intel Pentium III Xeon processor | Socket 775 | 2600/200mhz
    Processor: Intel Pentium III Xeon processor | Socket 775 | 2600/200mhz

    ==== Disk Partitions =========================

    A: is Removable
    C: is FIXED (NTFS) - 98 GiB total, 90.947 GiB free.
    D: is FIXED (NTFS) - 135 GiB total, 77.936 GiB free.

    ==== Disabled Device Manager Items =============

    ==== System Restore Points ===================

    RP1: 9/30/2010 2:30:21 AM - System Checkpoint

    ==== Installed Programs ======================

    Adobe AIR
    Adobe Anchor Service CS3
    Adobe Asset Services CS3
    Adobe Bridge CS3
    Adobe Bridge Start Meeting
    Adobe Camera Raw 4.0
    Adobe CMaps
    Adobe Color - Photoshop Specific
    Adobe Color Common Settings
    Adobe Color EU Extra Settings
    Adobe Color JA Extra Settings
    Adobe Color NA Recommended Settings
    Adobe Default Language CS3
    Adobe Device Central CS3
    Adobe ExtendScript Toolkit 2
    Adobe Flash Player 10 ActiveX
    Adobe Flash Player 10 Plugin
    Adobe Fonts All
    Adobe Help Viewer CS3
    Adobe Linguistics CS3
    Adobe PDF Library Files
    Adobe Photoshop CS3
    Adobe Reader 9.3.3
    Adobe Setup
    Adobe Stock Photos CS3
    Adobe Type Support
    Adobe Update Manager CS3
    Adobe Version Cue CS3 Client
    Adobe WinSoft Linguistics Plugin
    Adobe XMP Panels CS3
    Apple Application Support
    Apple Software Update
    Atheros Communications Inc.(R) AR81Family Gigabit/Fast Ethernet Driver
    ATI AVIVO Codecs
    ATI Catalyst Install Manager
    Browser Configuration Utility
    Catalyst Control Center - Branding
    Catalyst Control Center Graphics Previews Common
    Catalyst Control Center InstallProxy
    Catalyst Control Center Localization All
    ccc-core-static
    ccc-utility
    CCC Help Chinese Standard
    CCC Help Chinese Traditional
    CCC Help Czech
    CCC Help Danish
    CCC Help Dutch
    CCC Help English
    CCC Help Finnish
    CCC Help French
    CCC Help German
    CCC Help Greek
    CCC Help Hungarian
    CCC Help Italian
    CCC Help Japanese
    CCC Help Korean
    CCC Help Norwegian
    CCC Help Polish
    CCC Help Portuguese
    CCC Help Russian
    CCC Help Spanish
    CCC Help Swedish
    CCC Help Thai
    CCC Help Turkish
    CCleaner
    Corel Painter Essentials 4
    EasySaver B9.0610.1
    ESET NOD32 Antivirus
    Flock (2.6.0)
    Google Update Helper
    High Definition Audio Driver Package - KB888111
    HijackThis 2.0.2
    Hyperdesk - Crysis Warhead
    Indo Client 5.203
    K-Lite Codec Pack 6.2.0 (Full)
    Malwarebytes' Anti-Malware
    Microsoft .NET Compact Framework 3.5
    Microsoft .NET Framework 2.0
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
    Mozilla Firefox (3.6.10)
    MSN
    PDF Settings
    QuickTime
    Radmin Server 3.4
    Radmin Viewer 3.4
    Realtek High Definition Audio Driver
    Security Update for Windows XP (KB958687)
    SpeedBit Video Accelerator
    Topaz Clean 3
    Topaz Simplify 3
    WebFldrs XP
    Winamp
    Winamp Detector Plug-in
    Windows Installer 3.1 (KB893803)
    WinRAR archiver
    Yahoo! Messenger

    ==== Event Viewer Messages From Past Week ========

    9/26/2010 4:50:59 AM, error: Service Control Manager [7034] - The VideoAcceleratorService service terminated unexpectedly. It has done this 1 time(s).
    9/25/2010 2:52:53 AM, error: Service Control Manager [7023] - The Computer Browser service terminated with the following error: This operation returned because the timeout period expired.
    9/25/2010 2:49:15 AM, error: Dhcp [1002] - The IP address lease 192.168.1.4 for the Network Card with network address 00241DEE0696 has been denied by the DHCP server 192.168.1.2 (The DHCP Server sent a DHCPNACK message).
    9/25/2010 2:48:21 AM, error: Service Control Manager [7034] - The Windows Accounts Driver service terminated unexpectedly. It has done this 1 time(s).
    9/25/2010 2:47:41 AM, error: Dhcp [1002] - The IP address lease 192.168.1.100 for the Network Card with network address 00241DEE0696 has been denied by the DHCP server 192.168.1.1 (The DHCP Server sent a DHCPNACK message).
    9/25/2010 2:41:24 AM, error: Service Control Manager [7034] - The Windows Image Acquisition (WIA) service terminated unexpectedly. It has done this 1 time(s).
    9/24/2010 8:43:41 AM, error: Dhcp [1002] - The IP address lease 192.168.1.5 for the Network Card with network address 00241DEE0696 has been denied by the DHCP server 192.168.1.2 (The DHCP Server sent a DHCPNACK message).
    9/24/2010 7:20:03 AM, error: Service Control Manager [7034] - The Google Update Service (gupdate) service terminated unexpectedly. It has done this 1 time(s).
    9/24/2010 7:03:38 AM, information: Windows File Protection [64005] - The protected system file wmplayer.exe was not restored to its original, valid version because the Windows File Protection restoration process was cancelled by user interaction, user name is Skywalker. The file version of the bad file is unknown.
    9/24/2010 7:03:38 AM, information: Windows File Protection [64005] - The protected system file wmplayer.exe was not restored to its original, valid version because the Windows File Protection restoration process was cancelled by user interaction, user name is Skywalker. The file version of the bad file is 9.0.0.3250.
    9/24/2010 7:03:38 AM, information: Windows File Protection [64005] - The protected system file pinball.exe was not restored to its original, valid version because the Windows File Protection restoration process was cancelled by user interaction, user name is Skywalker. The file version of the bad file is 5.1.2600.2180.
    9/24/2010 7:03:38 AM, information: Windows File Protection [64005] - The protected system file mplayer2.exe was not restored to its original, valid version because the Windows File Protection restoration process was cancelled by user interaction, user name is Skywalker. The file version of the bad file is 6.4.9.1125.
    9/24/2010 7:03:38 AM, information: Windows File Protection [64005] - The protected system file helpctr.exe was not restored to its original, valid version because the Windows File Protection restoration process was cancelled by user interaction, user name is Skywalker. The file version of the bad file is 5.1.2600.2180.
    9/24/2010 7:03:38 AM, information: Windows File Protection [64005] - The protected system file dialer.exe was not restored to its original, valid version because the Windows File Protection restoration process was cancelled by user interaction, user name is Skywalker. The file version of the bad file is 5.1.2600.2180.
    9/24/2010 7:03:38 AM, information: Windows File Protection [64005] - The protected system file agentsvr.exe was not restored to its original, valid version because the Windows File Protection restoration process was cancelled by user interaction, user name is Skywalker. The file version of the bad file is 2.0.0.3422.
    9/24/2010 7:03:31 AM, information: Windows File Protection [64005] - The protected system file pinball.exe was not restored to its original, valid version because the Windows File Protection restoration process was cancelled by user interaction, user name is Skywalker. The file version of the bad file is unknown.
    9/24/2010 7:03:31 AM, information: Windows File Protection [64005] - The protected system file mplayer2.exe was not restored to its original, valid version because the Windows File Protection restoration process was cancelled by user interaction, user name is Skywalker. The file version of the bad file is unknown.
    9/24/2010 7:03:31 AM, information: Windows File Protection [64005] - The protected system file dialer.exe was not restored to its original, valid version because the Windows File Protection restoration process was cancelled by user interaction, user name is Skywalker. The file version of the bad file is unknown.
    9/24/2010 6:56:57 AM, information: Windows File Protection [64005] - The protected system file helpctr.exe was not restored to its original, valid version because the Windows File Protection restoration process was cancelled by user interaction, user name is Skywalker. The file version of the bad file is unknown.
    9/24/2010 6:56:57 AM, information: Windows File Protection [64005] - The protected system file agentsvr.exe was not restored to its original, valid version because the Windows File Protection restoration process was cancelled by user interaction, user name is Skywalker. The file version of the bad file is unknown.
    9/24/2010 6:51:38 AM, information: Windows File Protection [64005] - The protected system file wordpad.exe was not restored to its original, valid version because the Windows File Protection restoration process was cancelled by user interaction, user name is Skywalker. The file version of the bad file is unknown.
    9/24/2010 6:13:49 AM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Hyperdesk Theme Enabler service to connect.
    9/24/2010 6:13:49 AM, error: Service Control Manager [7000] - The Hyperdesk Theme Enabler service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
    9/24/2010 6:11:20 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments " " in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
    9/24/2010 5:36:45 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service MSIServer with arguments " " in order to run the server: {000C101C-0000-0000-C000-000000000046}
    9/24/2010 5:36:15 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service netman with arguments " " in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}
    9/24/2010 5:19:35 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD DwProt Fips intelppm IPSec MRxSmb NetBIOS NetBT RasAcd Rdbss SASDIFSV SASKUTIL Tcpip WS2IFSL
    9/24/2010 5:19:35 AM, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD service which failed to start because of the following error: A device attached to the system is not functioning.
    9/24/2010 5:19:35 AM, error: Service Control Manager [7001] - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: A device attached to the system is not functioning.
    9/24/2010 5:19:35 AM, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
    9/24/2010 5:19:35 AM, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: A device attached to the system is not functioning.
    9/24/2010 5:19:35 AM, error: Service Control Manager [7001] - The ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
    9/24/2010 4:24:58 AM, error: Service Control Manager [7028] - The clr_optimization_v2.0.50727_32 Registry key denied access to SYSTEM account programs so the Service Control Manager took ownership of the Registry key.
    9/24/2010 2:49:26 AM, error: Service Control Manager [7000] - The Process creation detector for NT. service failed to start due to the following error: The system cannot find the file specified.
    9/24/2010 2:41:15 AM, error: SideBySide [59] - Generate Activation Context failed for C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll. Reference error message: The operation completed successfully. .
    9/24/2010 2:11:08 AM, warning: Windows File Protection [64008] - The protected system file c:\windows\system32\drivers\mspqm.sys could not be verified as valid because Windows File Protection is terminating. Use the SFC utility to verify the integrity of the file at a later time.
    9/24/2010 2:11:08 AM, warning: Windows File Protection [64008] - The protected system file c:\windows\system32\drivers\mspclock.sys could not be verified as valid because Windows File Protection is terminating. Use the SFC utility to verify the integrity of the file at a later time.
    9/24/2010 2:11:08 AM, warning: Windows File Protection [64008] - The protected system file c:\windows\system32\drivers\mskssrv.sys could not be verified as valid because Windows File Protection is terminating. Use the SFC utility to verify the integrity of the file at a later time.
    9/24/2010 2:08:52 AM, warning: Windows File Protection [64008] - The protected system file c:\windows\system32\drivers\pci.sys could not be verified as valid because Windows File Protection is terminating. Use the SFC utility to verify the integrity of the file at a later time.
    9/24/2010 2:08:52 AM, warning: Windows File Protection [64008] - The protected system file c:\windows\system32\drivers\isapnp.sys could not be verified as valid because Windows File Protection is terminating. Use the SFC utility to verify the integrity of the file at a later time.
    9/24/2010 10:21:22 AM, error: Service Control Manager [7000] - The EagleNT service failed to start due to the following error: The system cannot find the file specified.
    9/24/2010 10:12:40 PM, error: Dhcp [1002] - The IP address lease 192.168.1.8 for the Network Card with network address 00241DEE0696 has been denied by the DHCP server 192.168.1.2 (The DHCP Server sent a DHCPNACK message).

    ==== End Of File ===========================
     
  5. 2010/09/29
    PeteC

    PeteC SuperGeek Staff

    Joined:
    2002/05/10
    Messages:
    28,896
    Likes Received:
    389
    Thanks :)

    One of our trained malware analysts will take a look at your logs ASAP, but it may be a day or so before you get a response as they are always very busy. All logs are dealt with in the order received.

    Thank you for your patience.
     
  6. 2010/09/29
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Open Windows Explorer. Go Tools>Folder Options>View tab, put a checkmark next to Show hidden files, and folders.
    Upload following files to http://www.virustotal.com/ for security check:
    - explorer.exe located @ C:\Windows
    - userinit.exe and svchost.exe located @ C:\Windows\System32
    IMPORTANT! If the file is listed as already analyzed, click on Reanalyse file now button.
    Post scan results.
     
  7. 2010/09/30
    trojan82

    trojan82 Inactive Thread Starter

    Joined:
    2010/09/29
    Messages:
    3
    Likes Received:
    0
    Now I can open antivirus and Microsoft's sites; I've restored it through System Restore and some system elements were replaced with new ones.
    But the problem is the "Virut"; it's still there.

    Anyway, this is the scan result:
    When Windows starts there's an unknown startup item "Project1" in the Application tab and Running process tab:
    C:\DOCUME~1\SKYWAL~1\LOCALS~1\Temp\sn605.exe
    C:\DOCUME~1\SKYWAL~1\LOCALS~1\Temp\hpbuj8t.exe
    C:\WINDOWS\Temp\wpv351285665451.exe
    C:\DOCUME~1\SKYWAL~1\APPLIC~1\Winamp\VCLDLL~1\msftdm.exe
    C:\DOCUME~1\SKYWAL~1\APPLIC~1\Winamp\VCLDLL~1\msftdm32.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\system32\wuauclt.exe

    O4 - HKLM\..\Run: [wwxocjwa~] C:\WINDOWS\System32\wwxocjwa~.exe
    O4 - HKLM\..\Run: [qaqmyc] RUNDLL32.EXE C:\WINDOWS\system32\mskdlpso.dll,w
    O4 - HKLM\..\Run: [userini] C:\WINDOWS\explorer.exe:userini.exe
    O4 - HKCU\..\Run: [wwxocjwa~] C:\Documents and Settings\Skywalker\wwxocjwa~.exe
    O4 - HKCU\..\Run: [userini] C:\WINDOWS\explorer.exe:userini.exe
    O4 - HKLM\..\Policies\Explorer\Run: [attygq] C:\DOCUME~1\SKYWAL~1\LOCALS~1\Temp\sn605.exe
    O4 - HKLM\..\Policies\Explorer\Run: [sra0w] C:\DOCUME~1\SKYWAL~1\LOCALS~1\Temp\hpbuj8t.exe
    O4 - HKLM\..\Policies\Explorer\Run: [userini] C:\WINDOWS\explorer.exe:userini.exe
    O4 - HKCU\..\Policies\Explorer\Run: [userini] C:\WINDOWS\explorer.exe:userini.exe
    O4 - HKUS\S-1-5-18\..\Run: [wwxocjwa~] C:\Documents and Settings\Skywalker\wwxocjwa~.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [wwxocjwa~] C:\Documents and Settings\Skywalker\wwxocjwa~.exe (User 'Default user')

    Oh, I have other suspicious startup and system elements and I have scanned them also.

    Win32/Virut. How can I get rid of this? :(:(
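    As an added example (not from the thread or any of its participants): a small Python triage script that parses HijackThis-style O4 lines like the ones posted above and flags the traits an analyst would react to, such as the `explorer.exe:userini.exe` entry, which launches from an NTFS alternate data stream rather than a file. The sample input reuses the thread's entries plus one constructed benign Winamp line; the rules are illustrative heuristics, not a detection signature.

```python
import re
# Constructed sample in HijackThis O4 format: the first five lines reproduce
# entries posted in this thread; the Winamp line is a constructed benign entry.
SAMPLE_O4 = r"""
O4 - HKLM\..\Run: [wwxocjwa~] C:\WINDOWS\System32\wwxocjwa~.exe
O4 - HKLM\..\Run: [qaqmyc] RUNDLL32.EXE C:\WINDOWS\system32\mskdlpso.dll,w
O4 - HKLM\..\Run: [userini] C:\WINDOWS\explorer.exe:userini.exe
O4 - HKLM\..\Policies\Explorer\Run: [attygq] C:\DOCUME~1\SKYWAL~1\LOCALS~1\Temp\sn605.exe
O4 - HKUS\S-1-5-18\..\Run: [wwxocjwa~] C:\Documents and Settings\Skywalker\wwxocjwa~.exe (User 'SYSTEM')
O4 - HKCU\..\Run: [Winamp] C:\Program Files\Winamp\winampa.exe
"""
# O4 line layout: "O4 - <hive>: [<name>] <command> (User '<user>')", user optional.
O4_RE = re.compile(
    r"^O4 - (?P<hive>\S+): \[(?P<name>[^\]]*)\] (?P<cmd>.*?)"
    r"(?: \(User '(?P<user>[^']*)'\))?$"
)
# Illustrative heuristics (reason, predicate) drawn from this thread's entries.
RULES = [
    ("launched from an NTFS alternate data stream (host.exe:stream)",
     lambda e: re.search(r"\.exe:[^\\\s]+", e["cmd"], re.I) is not None),
    ("executable lives in a Temp directory",
     lambda e: re.search(r"\\Temp\\", e["cmd"], re.I) is not None),
    ("RUNDLL32 loading a DLL from system32 by export name",
     lambda e: re.match(r"rundll32(\.exe)?\s", e["cmd"], re.I) is not None),
    ("registered under Policies\\Explorer\\Run, a policy key that is normally empty",
     lambda e: r"\Policies\Explorer\Run" in e["hive"]),
    ("tilde before .exe is not an 8.3 short name (e.g. wwxocjwa~.exe)",
     lambda e: re.search(r"~\.exe(\s|$)", e["cmd"], re.I) is not None),
]
def parse_o4(line):
    """Split one O4 line into hive, entry name, command and optional user."""
    m = O4_RE.match(line.strip())
    return m.groupdict() if m else None

def triage(text):
    """Return [(name, cmd, [reasons])] for each O4 entry that trips a rule."""
    flagged = []
    for line in text.splitlines():
        entry = parse_o4(line)
        if entry is None:
            continue
        reasons = [why for why, hit in RULES if hit(entry)]
        if reasons:
            flagged.append((entry["name"], entry["cmd"], reasons))
    return flagged

if __name__ == "__main__":
    for name, cmd, reasons in triage(SAMPLE_O4):
        print(f"[{name}] {cmd}\n   - " + "\n   - ".join(reasons))
```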
     
  8. 2010/09/30
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Unfortunately, I don't have good news.

    You are infected with a polymorphic file infector (Virut). This infection can and will infect all the machine's executable files .exe, .scr, .rar, .zip, .htm, .html. Because there are a number of bugs in its code, it may create executable files that are corrupted beyond repair resulting in an inoperative machine.

    Malware experts say that a Complete Reformat and Reinstall is the only way to clean the infection. This includes All Drives that contain following files:
    *.exe
    *.scr
    *.htm
    *.html
    *.xml
    *.zip
    *.rar
    *.doc
    *.jpg
    *.pdf

    Backup all your documents and important items only.
    DO NOT backup any files mentioned above.

    I suggest you do the following immediately:

    * Call all of your banks, credit card companies, financial institutions and inform them that you may be a victim of identity theft and to put a watch on your accounts or change all your account numbers.
    * From a clean computer, change *all* your online passwords -- for email, for banks, financial accounts, PayPal, eBay, online companies, any online forums or groups you belong to.
    * DO NOT change passwords or do any transactions while using the infected computer because the attacker will get the new passwords and transaction information.

    For more information on Virut, and why you need to reformat, have a read of miekiemoes' blog here.

    To find out how to carry out an XP Reformat and Reinstall, please see this page. If you are using Vista, then check this page instead.

    Once you have reformatted and reinstalled Windows, have a look at this page for some useful tips on staying clean, along with links to some freeware to help.

    To find out more information about how you may have got infected in the first place, you can read this article.

    I am sorry I cannot give any better news.
     
