
Solved C:\WINNT\System32\x malware 2009

Discussion in 'Malware and Virus Removal Archive' started by z4u, 2009/02/18.

Thread Status:
Not open for further replies.
  1. 2009/03/09
    Juliet

    By chance is the computer networked or connected to a server?

    Browse to your Temporary Internet Files folder in Windows Explorer, then copy/paste \Content.IE5 into the address bar.
    Delete the content located in that folder.


    Please download and install SUPERAntiSpyware Home Edition (free edition)

    • Load SUPERAntiSpyware and click the Check for Updates button.
    • Once the update has finished, exit SUPERAntiSpyware. Please do NOT run a scan yet!
    IMPORTANT: Do NOT open any other windows or programs while SUPERAntiSpyware is scanning; it may interfere with the scanning process.
    • Open SUPERAntiSpyware and click the Scan your Computer button.
    • Check Perform Complete Scan and then click Next.
    • SUPERAntiSpyware will now scan your computer and when it’s finished it will list all the infections it has found.
    • Make sure that they all have a check next to them, and then click Next.
    • Click Finish and you will be taken back to the main interface.
    • It could be possible that it will ask you to reboot your computer in order to delete some files after reboot.
    • I'll need a log afterwards of what has been found.
    • To get the log, click Preferences and then click the Statistics/Logs tab. Click the dated log and press View Log and a text file will appear.
    • Please post the results of the SUPERAntiSpyware log in your next reply.
     
  2. 2009/03/10
    z4u

    Yes, it's a client PC and networked to connect to the server PC.
    Here is the log file:
    SUPERAntiSpyware Scan Log
    http://www.superantispyware.com

    Generated 03/10/2009 at 03:12 PM

    Application Version : 4.25.1014

    Core Rules Database Version : 3790
    Trace Rules Database Version: 1746

    Scan type : Complete Scan
    Total Scan Time : 00:21:47

    Memory items scanned : 308
    Memory threats detected : 0
    Registry items scanned : 3970
    Registry threats detected : 0
    File items scanned : 10451
    File threats detected : 10

    Adware.Tracking Cookie
    C:\Documents and Settings\ZR81\Cookies\pc8@myroitracking[1].txt
    C:\Documents and Settings\ZR81\Cookies\pc8@ads.ozonemedia.co[1].txt
    C:\Documents and Settings\ZR81\Cookies\pc8@ads.clicksor[1].txt
    C:\Documents and Settings\ZR81\Cookies\pc8@tripod[2].txt
    C:\Documents and Settings\ZR81\Cookies\pc8@cgi-bin[2].txt
    C:\Documents and Settings\ZR81\Cookies\pc8@stat.onestat[2].txt
    C:\Documents and Settings\ZR81\Cookies\pc8@overture[1].txt
    C:\Documents and Settings\ZR81\Cookies\pc8@adbrite[2].txt
    C:\Documents and Settings\ZR81\Cookies\pc8@xiti[1].txt

    Malware.SpywareNuker
    C:\WINNT\SYSTEM32\DRIVERS\PSHOOK11.SYS
    When I was quarantining, I suddenly received a run time error and the SUPERAntiSpyware application terminated automatically.
    I tried to run the scan again, and see, that's the latest. Thank you.
     


  4. 2009/03/10
    Juliet

    It's possible another computer also connected to the network is reinfecting the machine, or it's the server itself.
    We're able to clean, but a temp file keeps coming back as infected.
    All I can offer for an infected temp file is to do the following:

    Next:

    Click start> run> type cleanmgr and hit enter.

    Cleaning drive C:...

    When it has finished scanning have ONLY the following checked:

    Temporary Internet files
    Temporary files
    Recycle bin

    Hit OK to clean up.

    Wait till done.

    Malware.SpywareNuker
    C:\WINNT\SYSTEM32\DRIVERS\PSHOOK11.SYS
    Code:
    http://www.windowsbbs.com/malware-virus-removal/62872-hell-virus-help.html
    C:\WINNT\System32\drivers\pshook11.sys
    That file you sent is from TrekBlue software. You did have at one time or another installed SpywareNuker or PcOrian.
    
    The above is a description of the same infection, and is also a thread by you with directions to remove the adware-supported software.
     
  5. 2009/03/10
    z4u

    Okay Juliet, here I am back. I already cleaned the temporary files, and after a 2nd scan with SUPERAntiSpyware the following file is not detected, already deleted:
    C:\WINNT\SYSTEM32\DRIVERS\PSHOOK11.SYS
    And I agree with you that the machine gets infected from another running client PC. This is also a client PC that is connected to other PCs to use the internet.
    Okay, here is a little bit of observation I have found out: after I disabled the File and Printer Sharing protocol, the virus file doesn't infect it, or it doesn't get quarantined by ESET. I am observing it, and I think it's also the main reason that this protocol is increasing the risk for this infection. Further, I think you can explain this to me, and how to make it secure and heal this infection. Thank you.
     
  6. 2009/03/10
    Juliet

    OK, when networked all computers are connected to each other.
    This means all options are open and accessible, whether it be files/folders/printing/music/photos etc., and is normal.

    What this suggests to me is one of the computers connected through file sharing/printing is infected on the line.
    Now, which one, I won't be able to tell you.
    You'll have to disconnect the computers from the service one by one and run scans to find which is the main culprit.
    If there are employees using bad surfing habits those need to be corrected.

    Next, don't miss or skip this step: this will remove malicious files from quarantine and set a clean restore point.
    • Click START then RUN
    • Now type Combofix /u in the runbox and click OK. Note the space between the x and the /u, it needs to be there.


    I hope I have been able to help.
     
  7. 2009/03/11
    z4u

    Yeah, thanks Juliet. Right now I have disabled printing and sharing, so what's your suggestion now? Must I disconnect all PCs from the network and scan for viruses and clean them? Anything else I can do to make the computers protected myself? Thank you.
     
  8. 2009/03/11
    Juliet

    Yes.
    There's a computer on the network that's reinfecting.
    You'll have to individually find which one it is.
     
  9. 2009/03/11
    z4u

    It seems this virus is going to make me crazy like hell. Anyway, I am trying to check the clients one by one by disabling the printer sharing protocol. I started with another of my client PCs; it seems I can run any online virus scan, and I am posting the
    DDS log.
    I want to run an online virus scan, but the same problem: it can't find the server. I hope you can further advise me on starting to clean the client PCs. What steps should I take before I go through all this process?

    DDS (Ver_09-02-01.01) - FAT32x86
    Run by PC71 at 22:45:24.06 on Wed 03/11/2009
    Internet Explorer: 6.0.2800.1106
    Microsoft Windows 2000 Professional 5.0.2195.1.1252.1.1033.18.128.4 [GMT 4.5:30]


    ============== Running Processes ===============

    C:\WINNT\System32\Ati2evxx.exe
    C:\WINNT\system32\spoolsv.exe
    C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
    C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\system32\Ati2evxx.exe
    C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
    C:\WINNT\System32\ctfmon.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\Explorer.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Documents and Settings\PC71\Desktop\dds.scr

    ============== Pseudo HJT Report ===============

    uStart Page = hxxp://www.google.com/
    uWinlogon: Shell=Explorer.exe, c:\program files\microsoft office\WINWORD.EXE
    TB: MSN Toolbar: {bdad1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\msn toolbar\01.01.2607.0\en-us\msntb.dll
    EB: Media Band: {32683183-48a0-441b-a342-7c2a440a9478} - %SystemRoot%\System32\browseui.dll
    uRun: [ctfmon.exe] ctfmon.exe
    mRun: [Synchronization Manager] mobsync.exe /logon
    mRun: [avgnt] "c:\program files\avira\antivir personaledition classic\avgnt.exe" /min
    dRunOnce: [^SetupICWDesktop] c:\program files\internet explorer\connection wizard\icwconn1.exe /desktop
    DPF: DirectAnimation Java Classes - file://c:\winnt\java\classes\dajava.cab
    DPF: Microsoft XML Parser for Java - file://c:\winnt\java\classes\xmldso.cab
    DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
    DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
    DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - hxxp://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?39811.0020833333
    DPF: {CAFEEFAC-0014-0002-0012-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
    TCP: {0650845E-F91C-4F22-86CB-589894C8FD73} = 192.168.0.1
    Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
    Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
    Notify: AtiExtEvent - Ati2evxx.dll
    SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

    ================= FIREFOX ===================

    FF - ProfilePath - c:\docume~1\pc71\applic~1\mozilla\firefox\profiles\3gsug6sw.default\
    FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-cneta&p=
    FF - prefs.js: browser.search.selectedEngine - Google
    FF - prefs.js: browser.startup.homepage - hxxp://www.google.com.my/
    FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-cneta&p=

    ============= SERVICES / DRIVERS ===============

    R0 AFPAnsi;CafeSuite File Protector;c:\winnt\system32\AFPAnsi.sys [2007-8-15 39456]
    R0 avgntmgr;avgntmgr;c:\winnt\system32\drivers\avgntmgr.sys [2009-2-13 18496]
    R1 avgntdd;avgntdd;c:\winnt\system32\drivers\avgntdd.sys [2009-2-13 64448]
    R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-2-17 8944]
    R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-2-17 55024]
    R2 AntiVirScheduler;Avira AntiVir Personal - Free Antivirus Scheduler;c:\program files\avira\antivir personaledition classic\sched.exe [2009-2-13 68865]
    R2 AntiVirService;Avira AntiVir Personal - Free Antivirus Guard;c:\program files\avira\antivir personaledition classic\avguard.exe [2009-2-13 151297]
    R3 DLKRTS;D-Link DFE-538TX 10/100 Adapter NT Driver;c:\winnt\system32\drivers\DLKRTS.sys [2003-2-28 29820]
    R3 openhci;Microsoft USB Open Host Controller Driver;c:\winnt\system32\drivers\openhci.sys [1980-1-1 24688]
    R3 SiS7012;Service for AC'97 Sample Driver (WDM);c:\winnt\system32\drivers\sis7012.sys [2007-3-1 820229]
    S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-2-17 7408]

    =============== Created Last 30 ================

    2009-03-11 22:34 16,384 a------- c:\winnt\system32\Perflib_Perfdata_288.dat
    2009-03-11 22:34 <DIR> --d----- C:\ComboFix
    2009-03-11 21:56 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
    2009-03-11 21:56 <DIR> --d----- c:\program files\SUPERAntiSpyware
    2009-03-11 21:56 <DIR> --d----- c:\docume~1\pc71\applic~1\SUPERAntiSpyware.com
    2009-03-11 21:55 <DIR> --d----- c:\program files\common files\Wise Installation Wizard
    2009-03-11 21:55 <DIR> --d----- c:\winnt\pss
    2009-03-11 21:36 161,792 a------- c:\winnt\SWREG.exe
    2009-03-11 21:36 98,816 a------- c:\winnt\sed.exe
    2009-03-05 11:28 86,016 a--shr-- c:\winnt\system32\ryoszdam.dll
    2009-02-13 19:27 <DIR> --d----- c:\program files\Avira

    ==================== Find3M ====================

    2009-02-13 14:09 22,904 a------- c:\docume~1\pc71\applic~1\GDIPFONTCACHEV1.DAT
    2008-12-24 04:28 737,280 a------- c:\winnt\iun6002.exe
    2008-12-24 04:25 57,344 a------- c:\winnt\uneng.exe
    2008-12-24 04:25 49,152 a------- c:\winnt\system32\cdrtc.dll
    2008-12-24 04:25 45,056 a------- c:\winnt\system32\cdral.dll
    2008-12-24 04:19 155,995 a------- c:\winnt\java\packages\S7RZH7Z7.ZIP
    2008-12-24 04:19 2,232 a------- c:\winnt\java\packages\data\NBFDJZ5V.DAT
    2008-12-24 04:19 2,678 a------- c:\winnt\java\packages\data\OTFBJTBD.DAT
    2008-12-24 04:19 2,678 a------- c:\winnt\java\packages\data\D7RTF9ZH.DAT
    2008-12-24 04:19 2,678 a------- c:\winnt\java\packages\data\B3T33BFV.DAT
    2008-12-24 03:56 558,142 a------- c:\winnt\java\packages\E9RLNJ97.ZIP
    2008-12-24 03:56 2,678 a------- c:\winnt\java\packages\data\D3DJZZPJ.DAT
    2008-12-24 03:56 2,474 a------- c:\winnt\java\packages\data\BXR9FXVH.DAT
    2008-12-24 03:56 2,678 a------- c:\winnt\java\packages\data\XVNX7TJ5.DAT
    2008-12-24 03:56 21,952 ----h--- c:\program files\folder.htt
    2008-12-24 03:56 271 ----h--- c:\program files\desktop.ini
    2008-12-24 03:55 15,012 a------- c:\winnt\system32\emptyregdb.dat
    1999-12-07 12:00 32,528 a------- c:\winnt\inf\wbfirdma.sys
    1999-12-07 12:00 1,384,448 ---shr-- c:\winnt\system32\msvbvm60.dll

    ============= FINISH: 22:45:48.73 ===============
     
  10. 2009/03/11
    Juliet

    z4u

    We volunteer our time to clean personal computers.
    I don't think I can clean every computer connected to a server at your office.
    It might also be possible the server is now infected, and you also need to disconnect all computers and reboot the entire server.

    I see that ComboFix was run on this machine as well.

    How can I see everything when you don't post logs for that as well?


    Go to My Computer->Tools->Folder Options->View tab:

    • Under the Hidden files and folders heading:
    • Select - Show hidden files and folders.
    • Uncheck - Hide protected operating system files (recommended) option.
    • Also, make sure there is no checkmark beside Hide file extensions for known file types.
    • Click OK. (Remember to Hide files and folders once done)

    Please go to: VirusTotal




    • Click the Browse button and search for the following file: c:\winnt\system32\ryoszdam.dll
    • Click Open
    • Then click Send File
    • Please be patient while the file is scanned.
    • Once the scan results appear, please provide them in your next reply.
    If it says already scanned, click "reanalyze now".
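The DDS log posted above can be triaged mechanically for the two things this post singles out: a recently created file in system32 carrying the system and hidden attributes (c:\winnt\system32\ryoszdam.dll, dated 2009-03-05 with a--shr--), and a Winlogon Shell value that launches more than Explorer.exe (the uWinlogon line appends WINWORD.EXE). The script below is an added example written for this page; it is not part of the thread and not a DDS, SUPERAntiSpyware or ComboFix tool. The embedded log excerpt is constructed from lines in the post, and the two heuristics (attribute check limited to the "Created Last 30" section, Shell value must be exactly Explorer.exe) are my assumptions about what deserves a second look, not a verdict on the files.

```python
"""Triage helper for a DDS log (added example, not a forum or vendor tool).

Flags two classes of entry discussed in the thread:
  * files created in the last 30 days, inside the system directory, carrying
    both the system (s) and hidden (h) attributes;
  * a Winlogon Shell value that is anything other than exactly Explorer.exe.
Both checks are heuristics chosen for this example; they point at what to
upload to VirusTotal, they do not decide that a file is malicious.
"""
import re
from typing import Dict, List

# Constructed excerpt modelled on the DDS log in the thread (not the full log).
SAMPLE_DDS = r"""
============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uWinlogon: Shell=Explorer.exe, c:\program files\microsoft office\WINWORD.EXE
uRun: [ctfmon.exe] ctfmon.exe

=============== Created Last 30 ================

2009-03-11 22:34 16,384 a------- c:\winnt\system32\Perflib_Perfdata_288.dat
2009-03-11 22:34 <DIR> --d----- C:\ComboFix
2009-03-05 11:28 86,016 a--shr-- c:\winnt\system32\ryoszdam.dll
2009-02-13 19:27 <DIR> --d----- c:\program files\Avira

==================== Find3M ====================

2008-12-24 03:56 21,952 ----h--- c:\program files\folder.htt
1999-12-07 12:00 1,384,448 ---shr-- c:\winnt\system32\msvbvm60.dll

============= FINISH: 22:45:48.73 ===============
"""

SECTION_RE = re.compile(r"^=+\s*(.*?)\s*=+$")
# e.g. "2009-03-05 11:28 86,016 a--shr-- c:\winnt\system32\ryoszdam.dll"
FILE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2})\s+"
    r"(?P<size><DIR>|[\d,]+)\s+(?P<attrs>[a-z-]{8})\s+(?P<path>.+?)\s*$"
)
SHELL_RE = re.compile(r"^[um]Winlogon:\s*Shell=(?P<value>.+?)\s*$", re.IGNORECASE)


def parse_sections(text: str) -> Dict[str, List[str]]:
    """Split a DDS log into its '=== name ===' sections; returns name -> lines."""
    sections: Dict[str, List[str]] = {}
    current = "PREAMBLE"
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        header = SECTION_RE.match(line)
        if header:
            current = header.group(1)
            sections.setdefault(current, [])
            continue
        sections.setdefault(current, []).append(line)
    return sections


def flag_hidden_system_new_files(sections: Dict[str, List[str]],
                                 system_dir: str = r"c:\winnt\system32") -> List[str]:
    """Recently created files under system_dir with both 's' and 'h' attributes.

    Restricting the check to 'Created Last 30' is what keeps an old, legitimate
    runtime such as msvbvm60.dll (also ---shr--, but from 1999) out of the list.
    """
    hits: List[str] = []
    for line in sections.get("Created Last 30", []):
        m = FILE_RE.match(line)
        if not m or m.group("size") == "<DIR>":
            continue
        attrs, path = m.group("attrs"), m.group("path")
        if "s" in attrs and "h" in attrs and path.lower().startswith(system_dir.lower()):
            hits.append(path)
    return hits


def flag_winlogon_shell(sections: Dict[str, List[str]]) -> List[str]:
    """Winlogon Shell should be exactly Explorer.exe; anything appended to it is
    started at logon alongside the desktop, a classic persistence location."""
    hits: List[str] = []
    for line in sections.get("Pseudo HJT Report", []):
        m = SHELL_RE.match(line)
        if m and m.group("value").strip().lower() != "explorer.exe":
            hits.append(m.group("value"))
    return hits


def triage(text: str) -> Dict[str, List[str]]:
    """Run both heuristics over a DDS log and return the findings by category."""
    sections = parse_sections(text)
    return {
        "hidden_system_new": flag_hidden_system_new_files(sections),
        "shell_anomalies": flag_winlogon_shell(sections),
    }


if __name__ == "__main__":
    for kind, items in triage(SAMPLE_DDS).items():
        print(kind)
        for item in items:
            print("   ", item)
```

Paste a full DDS log in place of the constructed excerpt (or read it from a file) and hand every path under `hidden_system_new` to VirusTotal as the post describes; the Shell finding is checked in the registry rather than uploaded, since it names a legitimate Office binary being launched from the wrong place.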
     
  11. 2009/03/11
    z4u

    The virus is back again on the previous machine and quarantined by ESET NOD32, even though I have disabled file and printer sharing.
    Any suggestion, any good way to get rid of this cruel virus?
     
  12. 2009/03/12
    Admin.

    You have been told many times now:

    There is a computer on the network that's reinfecting.
    You'll have to individually find which one it is.
     
  13. 2009/03/12
    Juliet

    z4u
    This may or may not help, I don't know.

    You need to find out how to secure a networking service/server.
    I don't know how myself, I've had no training in this, but if you go into

    http://www.windowsbbs.com/internet-networking/

    http://www.windowsbbs.com/networking/

    the above forums and ask for suggestions on how to secure your server and services, or how to lock down incoming/outgoing traffic, this should cut down on the problems you're having.
     
  14. 2009/03/12
    Admin.

    I think that sort of advice is beyond a forum. It's not a simple one-two step process.
     
  15. 2009/03/12
    Juliet

    You're correct.
     
  16. 2009/03/12
    z4u

    Okay, I am trying to clean the PCs one by one; hopefully it will secure the network from this messy virus.
    And thanks to all of you.
     
  17. 2009/03/13
    Juliet

    Good luck z4u

    Safe surfing
     