Infected [RESOLVED]
#1
Posted 04 July 2009 - 04:39 AM
I feel I have been infected again with a virus. Whenever I boot my PC, svchost crashes when the startup screen comes up and it gives me a "don't send" error. Windows still works fine, but there have been some odd things, like my COD4 has started crashing, etc. Secondly, I have seen internet activity in the background which stops when I end the process udphost in the task manager. Also, when I boot my PC, AntiVir detects something known as a host file.
LOGFILE OF HIJACK THIS
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:35:36 AM, on 7/4/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\vsnpstd3.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Avira\AntiVir Desktop\avmailc.exe
C:\Program Files\Avira\AntiVir Desktop\AVWEBGRD.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
O2 - BHO: btorbit.com - {000123B4-9B42-4900-B3F7-F4B073EFC214} - C:\Program Files\Orbitdownloader\orbitcth.dll
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: RoboForm - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O3 - Toolbar: Grab Pro - {C55BBCD6-41AD-48AD-9953-3609C48EACC7} - C:\Program Files\Orbitdownloader\GrabPro.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SW20] C:\WINDOWS\system32\sw20.exe
O4 - HKLM\..\Run: [SW24] C:\WINDOWS\system32\sw24.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [snpstd3] C:\WINDOWS\vsnpstd3.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [audiolg] C:\winntsys\files\udphost.exe
O4 - Startup: udphost.exe
O8 - Extra context menu item: &Download by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/201
O8 - Extra context menu item: &Grab video by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/204
O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: Do&wnload selected by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/203
O8 - Extra context menu item: Down&load all by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/202
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1241963770109
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1241964081875
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ent/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{FE599F74-F910-4848-B0CE-55AB947D45D6}: NameServer = 203.99.163.240,202.125.132.12
O23 - Service: Avira Firewall (AntiVirFirewallService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avfwsvc.exe
O23 - Service: Avira AntiVir MailGuard (AntiVirMailService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avmailc.exe
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Avira AntiVir WebGuard (AntiVirWebService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\AVWEBGRD.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
--
End of file - 7475 bytes
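The HijackThis log above is what a helper reads by hand: the O4 lines are the autostart entries and the O17 line is the DNS server setting. As an added example (not code from the thread, from HijackThis, or from any scanner), the script below applies the same first-pass heuristic a defender uses when reading such a log: an autostart target outside the usual Windows or Program Files trees, or anything launched from the per-user Startup folder, is marked for verification, and the configured DNS servers are listed so they can be compared with what the ISP is expected to hand out. The directory allow-list is a constructed assumption; the sample lines are copied from the first log in this thread.

```python
"""Triage helper for HijackThis O4 (autostart) and O17 (DNS server) lines.

Added example: this is not code from the forum thread or from HijackThis.
The heuristic is a defender's first pass, not a verdict: an autostart
entry whose target lives outside the expected directory trees, or one
that runs from the per-user Startup folder, is worth checking against a
scanner or a known-good reference.
"""
import re

# Constructed allow-list of directories where autostart targets normally
# live; widen or narrow it for the machine being examined.
KNOWN_PREFIXES = (
    "c:\\windows\\",
    "c:\\program files\\",
    "c:\\progra~1\\",
)

O4_RUN_RE = re.compile(
    r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
O4_STARTUP_RE = re.compile(r"^O4 - Startup: (?P<file>.+)$")
O17_RE = re.compile(r"^O17 - .*NameServer = (?P<servers>.+)$")


def target_path(cmd):
    """Extract the executable (or DLL) path from an O4 command line."""
    cmd = cmd.strip()
    if cmd.startswith('"'):                      # quoted path, possibly with args
        return cmd[1:cmd.index('"', 1)]
    parts = cmd.split(None, 1)
    if parts[0].lower() == "rundll32.exe" and len(parts) == 2:
        return parts[1].split(",")[0]            # RUNDLL32 <dll>,<entrypoint>
    return parts[0]


def is_known_location(path):
    """True when the path sits under one of the expected directory trees.

    Bare file names (for example 'nwiz.exe /install') are resolved through
    the PATH at run time, so they are not judged by this prefix check.
    """
    p = path.lower()
    if "\\" not in p:
        return True
    return any(p.startswith(prefix) for prefix in KNOWN_PREFIXES)


def triage(lines):
    """Return {'suspicious': [(where, name, path)], 'dns': [server, ...]}."""
    findings = {"suspicious": [], "dns": []}
    for line in lines:
        line = line.strip()
        m = O4_RUN_RE.match(line)
        if m:
            path = target_path(m.group("cmd"))
            if not is_known_location(path):
                findings["suspicious"].append((m.group("hive"), m.group("name"), path))
            continue
        m = O4_STARTUP_RE.match(line)
        if m:
            # Everything launched from the Startup folder deserves a look
            findings["suspicious"].append(("Startup folder", m.group("file"), m.group("file")))
            continue
        m = O17_RE.match(line)
        if m:
            findings["dns"].extend(s.strip() for s in m.group("servers").split(","))
    return findings


# Sample input copied from the first HijackThis log in this thread.
SAMPLE_LOG = """\
O4 - HKLM\\..\\Run: [NvCplDaemon] RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup
O4 - HKLM\\..\\Run: [nwiz] nwiz.exe /install
O4 - HKLM\\..\\Run: [avgnt] "C:\\Program Files\\Avira\\AntiVir Desktop\\avgnt.exe" /min
O4 - HKCU\\..\\Run: [ctfmon.exe] C:\\WINDOWS\\system32\\ctfmon.exe
O4 - HKCU\\..\\Run: [audiolg] C:\\winntsys\\files\\udphost.exe
O4 - Startup: udphost.exe
O17 - HKLM\\System\\CCS\\Services\\Tcpip\\..\\{FE599F74-F910-4848-B0CE-55AB947D45D6}: NameServer = 203.99.163.240,202.125.132.12
""".splitlines()

if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for where, name, path in result["suspicious"]:
        print(f"VERIFY  {where:<14} {name:<12} {path}")
    print("DNS servers to confirm with ISP:", ", ".join(result["dns"]))
```

On the sample, the two entries flagged are the HKCU Run value `audiolg` pointing at `C:\winntsys\files\udphost.exe` and the Startup-folder copy of `udphost.exe`; the NVIDIA, Realtek, Avira and ctfmon entries pass the location check. The flag only means "verify": a legitimate program installed to an unusual directory trips it too, which is why the MBAM result, not this heuristic, is what settles it.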
#2
Posted 04 July 2009 - 04:58 AM
I only scanned with MBAM but did not remove the detected items. Please guide me if I should remove the detected items with MBAM.
Malwarebytes' Anti-Malware 1.38
Database version: 2297
Windows 5.1.2600 Service Pack 3
7/4/2009 10:55:27 AM
mbam-log-2009-07-04 (10-55-24).txt
Scan type: Full Scan (C:\|)
Objects scanned: 28605
Time elapsed: 11 minute(s), 13 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 4
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\audiolg (Trojan.Dropper) -> No action taken.
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
C:\winntsys\files\udphost.exe (Trojan.Dropper) -> No action taken.
c:\documents and settings\Hassaan\local settings\temp\mia11C.tmp\OFFLINE\71747601\2302A1E7\memman.vxd (Rogue.sysCleanerPro) -> No action taken.
c:\documents and settings\Hassaan\my documents\dsfsdf\cryptload_1.1.6\router\fritz!box\nc.exe (PuP.Keylogger) -> No action taken.
c:\documents and settings\Hassaan\start menu\Programs\Startup\udphost.exe (Trojan.Dropper) -> No action taken.
#3
Posted 04 July 2009 - 06:55 AM
I also beg of you, please try to get my PC uninfected before 10th July, because my father is coming and it would create a BIG BIG problem for me.
[DETECTION] Is the TR/Agent.61440.86 Trojan
C:\WINDOWS\system32\drivers\sptd.sys
[WARNING] The file could not be opened!
C:\WINDOWS\system32\drivers\etc\hosts
[DETECTION] Is the TR/Qhost.DC Trojan
C:\WINDOWS\system32\drivers\etc\hosts
[DETECTION] Is the TR/Qhost.DC Trojan
[NOTE] The file was moved to '4ac1edf9.qua'!
#4
Posted 04 July 2009 - 12:55 PM
Please run a full scan again with MBAM and allow it to fix all the items it finds.
Then post back with the MBAM log and a fresh HJT log.
Thanks
Fred..
EDIT: You need to update MBAM first as the definitions are out of date.
Fred..
This post has been edited by Fred Flintstone: 04 July 2009 - 12:56 PM
#5
Posted 04 July 2009 - 02:19 PM
Malwarebytes' Anti-Malware 1.38
Database version: 2371
Windows 5.1.2600 Service Pack 3
7/4/2009 8:18:15 PM
mbam-log-2009-07-04 (20-18-15).txt
Scan type: Full Scan (C:\|)
Objects scanned: 133256
Time elapsed: 45 minute(s), 10 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 6
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\audiolg (Trojan.Dropper) -> Quarantined and deleted successfully.
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
C:\winntsys\files\udphost.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
c:\documents and settings\Hassaan\local settings\temp\mia11C.tmp\OFFLINE\71747601\2302A1E7\memman.vxd (Rogue.sysCleanerPro) -> Quarantined and deleted successfully.
c:\documents and settings\Hassaan\my documents\dsfsdf\cryptload_1.1.6\router\fritz!box\nc.exe (PuP.Keylogger) -> Quarantined and deleted successfully.
c:\documents and settings\Hassaan\start menu\Programs\Startup\udphost.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
c:\system volume information\_restore{61383f0e-6bd9-4c10-9f36-462377b2d288}\RP47\A0031617.exe (PuP.Keylogger) -> Quarantined and deleted successfully.
c:\system volume information\_restore{61383f0e-6bd9-4c10-9f36-462377b2d288}\RP50\A0035817.rbf (Rogue.sysCleanerPro) -> Quarantined and deleted successfully.
#6
Posted 04 July 2009 - 02:41 PM
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:41:16 PM, on 7/4/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\vsnpstd3.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Avira\AntiVir Desktop\avmailc.exe
C:\Program Files\Avira\AntiVir Desktop\AVWEBGRD.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
O2 - BHO: btorbit.com - {000123B4-9B42-4900-B3F7-F4B073EFC214} - C:\Program Files\Orbitdownloader\orbitcth.dll
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: RoboForm - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O3 - Toolbar: Grab Pro - {C55BBCD6-41AD-48AD-9953-3609C48EACC7} - C:\Program Files\Orbitdownloader\GrabPro.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SW20] C:\WINDOWS\system32\sw20.exe
O4 - HKLM\..\Run: [SW24] C:\WINDOWS\system32\sw24.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [snpstd3] C:\WINDOWS\vsnpstd3.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: &Download by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/201
O8 - Extra context menu item: &Grab video by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/204
O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: Do&wnload selected by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/203
O8 - Extra context menu item: Down&load all by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/202
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1241963770109
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1241964081875
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ent/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{FE599F74-F910-4848-B0CE-55AB947D45D6}: NameServer = 203.99.163.240,202.125.132.12
O23 - Service: Avira Firewall (AntiVirFirewallService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avfwsvc.exe
O23 - Service: Avira AntiVir MailGuard (AntiVirMailService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avmailc.exe
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Avira AntiVir WebGuard (AntiVirWebService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\AVWEBGRD.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
--
End of file - 7344 bytes
#7
Posted 04 July 2009 - 04:26 PM
MBAM has taken care of the trojan.
Please do an online scan with Kaspersky Online Scanner
Click on Kaspersky Online Scanner
You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
- The program will launch and then start to download the latest definition files.
- Once the scanner is installed and the definitions downloaded, click Next.
- Now click on Scan Settings
- In the scan settings make sure that the following are selected:
- Scan using the following Anti-Virus database:
- Extended (If available otherwise Standard)
- Scan Options:
- Scan Archives
- Scan Mail Bases
- Scan Archives
- Scan using the following Anti-Virus database:
- Click OK
- Now under select a target to scan select My Computer
- The scan will take a while so be patient and let it run. Once the scan is complete it will display if your system has been infected.
- Now click on the Save as Text button:
- Save the file to your desktop.
- Copy and paste that information in your next post.
How are things running now??
Fred..
#8
Posted 05 July 2009 - 09:50 AM
Any other online scanner? If you think the Kaspersky scan is necessary then I can download it, scan and post the log.
Btw, things have improved. No more svchost crash at startup.
This post has been edited by hassaan: 05 July 2009 - 04:17 PM
#9
Posted 05 July 2009 - 08:47 PM
Yes, Kaspersky is a bit temperamental at times but it is a good scanner for all that.
Let's see if BitDefender will work better for you.
BitDefender Online Scan
- Click I Agree to agree to the EULA.
- Allow the ActiveX control to install when prompted.
- Click Click here to scan to begin the scan.
- Please refrain from using the computer until the scan is finished. This might take a while to run, but it is important that nothing else is running while you scan.
- When the scan is finished, click on Click here to export the scan results.
- Save the report to your desktop so you can post it in your next reply.
Note: You will need to use Internet Explorer for this scan.
Glad to hear that things seem ok now, but just want to be sure your pc is clean and nothing is still "lurking"..
Thanks
Fred...
#10
Posted 06 July 2009 - 08:36 AM
REPORT OF BITDEFENDER
Scanned File | Status
C:\Documents and Settings\Hassaan\Local Settings\temp\RarSFX2\platform\Admin\AdminServer.dll | Infected with: Trojan.Packed.4626
C:\Documents and Settings\Hassaan\Local Settings\temp\RarSFX2\platform\Admin\AdminServer.dll | Deleted
C:\Documents and Settings\Hassaan\Local Settings\temp\RarSFX2\platform\Friends\friendsUI.dll | Infected with: Trojan.Generic.1073761
C:\Documents and Settings\Hassaan\Local Settings\temp\RarSFX2\platform\Friends\friendsUI.dll | Deleted
C:\Documents and Settings\Hassaan\Local Settings\temp\RarSFX2\vstdlib.dll | Infected with: Trojan.Generic.831836
C:\Documents and Settings\Hassaan\Local Settings\temp\RarSFX2\vstdlib.dll | Deleted
C:\System Volume Information\_restore{61383F0E-6BD9-4C10-9F36-462377B2D288}\RP54\A0046090.sys | Infected with: Rootkit.18687
C:\System Volume Information\_restore{61383F0E-6BD9-4C10-9F36-462377B2D288}\RP54\A0046090.sys | Deleted
C:\System Volume Information\_restore{61383F0E-6BD9-4C10-9F36-462377B2D288}\RP54\A0046091.exe | Infected with: Generic.Malware.K!.1788F5EF
C:\System Volume Information\_restore{61383F0E-6BD9-4C10-9F36-462377B2D288}\RP54\A0046091.exe | Disinfection failed
C:\System Volume Information\_restore{61383F0E-6BD9-4C10-9F36-462377B2D288}\RP54\A0046091.exe | Deleted
C:\System Volume Information\_restore{61383F0E-6BD9-4C10-9F36-462377B2D288}\RP54\A0046107.exe | Infected with: Trojan.Generic.378469
C:\System Volume Information\_restore{61383F0E-6BD9-4C10-9F36-462377B2D288}\RP54\A0046107.exe | Deleted
C:\System Volume Information\_restore{61383F0E-6BD9-4C10-9F36-462377B2D288}\RP54\A0048504.exe | Infected with: Trojan.Generic.378469
C:\System Volume Information\_restore{61383F0E-6BD9-4C10-9F36-462377B2D288}\RP54\A0048504.exe | Deleted
C:\System Volume Information\_restore{61383F0E-6BD9-4C10-9F36-462377B2D288}\RP54\A0048508.exe | Infected with: Trojan.Generic.378469
C:\System Volume Information\_restore{61383F0E-6BD9-4C10-9F36-462377B2D288}\RP54\A0048508.exe | Deleted
C:\System Volume Information\_restore{61383F0E-6BD9-4C10-9F36-462377B2D288}\RP54\A0048509.sys | Infected with: Rootkit.18687
C:\System Volume Information\_restore{61383F0E-6BD9-4C10-9F36-462377B2D288}\RP54\A0048509.sys | Deleted
KASPERSKY REPORT
Full Scan: stopped 41 minute ago (events: 2, objects: 59, time: 00:00:02)
7/6/2009 2:51:39 PM Task stopped
7/6/2009 2:51:37 PM Task started
Objects Scan: completed 11 minutes ago (events: 28, objects: 106448, time: 00:03:31)
7/6/2009 2:51:49 PM Task started
7/6/2009 2:54:06 PM Detected: Backdoor.Win32.SdBot.nhw C:\Documents and Settings\Hassaan\Desktop\Counter Strike 1.6 version 3147\sXe-Disabler.dll
7/6/2009 2:54:54 PM Deleted: Backdoor.Win32.SdBot.nhw C:\Documents and Settings\Hassaan\Desktop\Counter Strike 1.6 version 3147\sXe-Disabler.dll
7/6/2009 3:06:13 PM Detected: Trojan.Win32.Vapsup.ugo C:\System Volume Information\_restore{61383F0E-6BD9-4C10-9F36-462377B2D288}\RP52\A0044650.exe
7/6/2009 3:07:31 PM Deleted: Trojan.Win32.Vapsup.ugo C:\System Volume Information\_restore{61383F0E-6BD9-4C10-9F36-462377B2D288}\RP52\A0044650.exe
7/6/2009 3:07:51 PM Detected: Backdoor.Win32.SdBot.nhw C:\System Volume Information\_restore{61383F0E-6BD9-4C10-9F36-462377B2D288}\RP54\A0047369.dll
7/6/2009 3:07:53 PM Deleted: Backdoor.Win32.SdBot.nhw C:\System Volume Information\_restore{61383F0E-6BD9-4C10-9F36-462377B2D288}\RP54\A0047369.dll
7/6/2009 3:07:54 PM Detected: Backdoor.Win32.SdBot.nhw C:\System Volume Information\_restore{61383F0E-6BD9-4C10-9F36-462377B2D288}\RP54\A0048506.dll
7/6/2009 3:07:54 PM Detected: Backdoor.Win32.SdBot.nhw C:\System Volume Information\_restore{61383F0E-6BD9-4C10-9F36-462377B2D288}\RP54\A0048510.dll
7/6/2009 3:07:55 PM Deleted: Backdoor.Win32.SdBot.nhw C:\System Volume Information\_restore{61383F0E-6BD9-4C10-9F36-462377B2D288}\RP54\A0048506.dll
7/6/2009 3:07:56 PM Deleted: Backdoor.Win32.SdBot.nhw C:\System Volume Information\_restore{61383F0E-6BD9-4C10-9F36-462377B2D288}\RP54\A0048510.dll
7/6/2009 3:08:13 PM Detected: Backdoor.Win32.SdBot.nhw C:\System Volume Information\_restore{61383F0E-6BD9-4C10-9F36-462377B2D288}\RP56\A0048733.dll
7/6/2009 3:08:22 PM Deleted: Backdoor.Win32.SdBot.nhw C:\System Volume Information\_restore{61383F0E-6BD9-4C10-9F36-462377B2D288}\RP56\A0048733.dll
7/6/2009 3:11:51 PM Processing error C:\WINDOWS\inf\netbcm4u.inf Read error
7/6/2009 3:11:51 PM Processing error C:\WINDOWS\inf\netbcm4u.PNF Read error
7/6/2009 3:11:51 PM Processing error C:\WINDOWS\inf\netbcm4p.inf Read error
7/6/2009 3:11:51 PM Task stopped
7/6/2009 3:11:58 PM Task started
7/6/2009 3:12:06 PM Processing error C:\WINDOWS\Installer\1babea.msi Read error
7/6/2009 3:12:06 PM Processing error C:\WINDOWS\Installer\6146b1.msp Read error
7/6/2009 3:12:06 PM Processing error C:\WINDOWS\Installer\614776.msp Read error
7/6/2009 3:12:06 PM Processing error C:\WINDOWS\Installer\614699.msp Read error
7/6/2009 3:12:06 PM Task stopped
7/6/2009 3:13:49 PM Task started
7/6/2009 3:14:08 PM Processing error C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Microsoft .NET Framework 2.0\netfx.msi/_13017_URTM_STD_ENU_X86_IXP.MSM/FL_dfdll_dll_75023_____X86.3643236F_FC70_11D3_A536_0090278A1BB8 Read error
7/6/2009 3:14:08 PM Task stopped
7/6/2009 3:18:41 PM Task started
7/6/2009 3:22:12 PM Task completed
Rootkit Scan: completed 23 minutes ago (events: 2, objects: 526, time: 00:05:33)
7/6/2009 3:04:38 PM Task started
7/6/2009 3:10:14 PM Task completed
#11
Posted 06 July 2009 - 09:48 AM
That's cleared a lot of stuff although most of it is in infected system restore points which we will clear out later.
Let's have a quick look at your security setup..
Download Security Check by screen317 from here or here.
- Save it to your Desktop.
- Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
- A Notepad document should open automatically called checkup.txt; please post the contents of that document.
Are things running better now??
Fred...
#12
Posted 06 July 2009 - 09:51 AM
NOTE that I have disabled Kaspersky myself during this test as I was playing a game. Usually its scanning is on.
Results of screen317's Security Check version 0.98.4
Windows XP Service Pack 3
``````````````````````````````
Antivirus/Firewall Check:
``````````````````````````````
Windows Firewall Disabled!
Antivirus up to date! (On Access scanning disabled!)
``````````````````````````````
Anti-malware/Other Utilities Check:
``````````````````````````````
Malwarebytes' Anti-Malware
HijackThis 2.0.2
Java 6 Update 13
Out of date Java installed!
Adobe Flash Player 10
``````````````````````````````
Process Check:
objlist.exe by Laurent
``````````````````````````````
Kaspersky Lab Kaspersky Anti-Virus 2010 klwtblfs.exe
``````````````````````````````
DNS Vulnerability Check:
``````````````````````````````
GREAT! (Very random)
Request Timed Out (Check Internet connection?)
Scan took 6 seconds.
`````````End of Log```````````
#13
Posted 06 July 2009 - 10:17 AM
From the report it appears you do not have a firewall running. This is not recommended.
I suggest you either activate Windows firewall or, better still, install one of the following:
I see no indication in your log that you have a firewall installed and active!
Some good FREE firewalls are:
Please download only one of the above and install it to your computer
A tutorial on understanding and using firewalls may be found HERE.
Also:
Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. A malicious site could render Java content under older, vulnerable versions of Sun's software if the user has not removed them. Please follow these steps to remove older version Java components and update:
- Download the latest version of Java Runtime Environment (JRE) 6 Update 14 and save it to your desktop.
- Scroll down to where it says "Java Runtime Environment (JRE) 6 Update 14...allows end-users to run Java applications".
- Click the "Download" button to the right.
- On the pulldown-menu, choose Windows as your platform.
- Check "I agree to the Java SE Runtime Environment 6 License Agreement".
- Click Continue.
- Click on the link under Windows Offline Installation to download the file and save it to your desktop.
- Close any programs you may have running - especially your web browser.
- Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
- Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name. They should have the following icon next to them:
- Click the Remove or Change/Remove button.
- Repeat as many times as necessary to remove each Java version.
- Reboot your computer once all Java components are removed.
- Then from your desktop double-click on jre-6u6-windows-i586-p.exe to install the newest version.
Go into the Control Panel and double-click the Java Icon.
- Under Temporary Internet Files, click the Settings button.
- Then click Delete Files...
- There are two options in the window to clear the cache - leave BOTH checked:
- Applications and Applets
- Trace and Log Files
- Click OK on the Delete Temporary Files window.
Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
- Click OK to leave the Java Control Panel.
Let me know when you have carried out the above and we can start to clean up here..
Thanks
Fred...
#14
Posted 06 July 2009 - 02:41 PM
NEW LOG
Results of screen317's Security Check version 0.98.4
Windows XP Service Pack 3
``````````````````````````````
Antivirus/Firewall Check:
``````````````````````````````
Windows Firewall Enabled!
Antivirus up to date! (On Access scanning disabled!)
``````````````````````````````
Anti-malware/Other Utilities Check:
``````````````````````````````
Malwarebytes' Anti-Malware
HijackThis 2.0.2
Java 6 Update 14
Adobe Flash Player 10
``````````````````````````````
Process Check:
objlist.exe by Laurent
``````````````````````````````
Kaspersky Lab Kaspersky Anti-Virus 2010 klwtblfs.exe
``````````````````````````````
DNS Vulnerability Check:
``````````````````````````````
GREAT! (Very random)
Request Timed Out (Check Internet connection?)
Scan took 17 seconds.
`````````End of Log```````````
#15
Posted 06 July 2009 - 11:51 PM
Let's clean up temp files:
Please download ATF Cleaner by Atribune. (This program is for XP, Vista and Windows 2000 )
- Double-click ATF-Cleaner.exe to run the program.
Under Main "Select Files to Delete" choose: Select All.
Click the Empty Selected button.
- Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
- Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
For Technical Support, double-click the e-mail address located at the bottom of each menu.
Then:
Disable and Enable System Restore-WINDOWS XP
This is a good time to clear your existing system restore points and establish a new clean restore point:
Turn off System Restore
- On the Desktop, right-click My Computer.
- Click Properties.
- Click the System Restore tab.
- Check Turn off System Restore.
- Click Apply, and then click OK.
- Reboot.<<<< IMPORTANT..
Turn ON System Restore
- On the Desktop, right-click My Computer.
- Click Properties.
- Click the System Restore tab.
- UN-Check *Turn off System Restore*.
- Click Apply, and then click OK.
This will remove all restore points except the new one you just created.
Finally:
Here are some free programs I recommend that could help you improve your computer's security.
Spybot Search and Destroy 1.6
Download it from here. Just choose a mirror and off you go.
Find the tutorial on how to use Spybot properly here.
Install SpyWare Blaster 4.0
Download it from here
Find the tutorial on how to use Spyware Blaster here.
Install WinPatrol
Download it from here
Here you can find information about how WinPatrol works.
Install MVPS Hosts File from here
The MVPS Hosts file replaces your current HOSTS file with one containing well-known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer.
Find Tutorial here : http://www.mvps.org/...p2002/hosts.htm
Update your Antivirus programs and other security products regularly to avoid new threats that could infect your system.
You can use one of these sites to check if any updates are needed for your pc.
Secunia Software Inspector
F-secure Health Check
Visit Microsoft often to get the latest updates for your computer.
http://www.update.microsoft.com
Note 1: If you are running Windows XP SP2, you should upgrade to SP3.
Note 2: Users of Norton Internet Security 2008 and newer versions should uninstall the software before they install Service Pack 3.
The security suite can then be reinstalled afterwards.
Please check out Tony Klein's article "How did I get infected in the first place?"
Read some information here how to prevent Malware.
Is your pc running slow?
Read What to do if your Computer is running slowly
Happy safe surfing!...
Regards...
Fred..
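Two hosts-file themes run through this thread: AntiVir's TR/Qhost detection on `C:\WINDOWS\system32\drivers\etc\hosts` in post #3, and the MVPS hosts file recommended above, which deliberately points unwanted names at 127.0.0.1. The difference between the two is where each name is sent, and that is something a defender can check mechanically. The script below is an added example, not code from the thread, from MVPS or from any scanner; the hosts content is constructed (reserved `.test` names and a documentation-range address), and it sorts entries into loopback-style blocking entries, which are what a blocklist produces, and entries that redirect a name to some other machine, which are the ones to review.

```python
"""Audit a Windows hosts file for blocking entries versus silent redirects.

Added example: not code from the thread, from MVPS or from any scanner.
An MVPS-style hosts file sends unwanted names to 127.0.0.1 or 0.0.0.0,
so the connection goes nowhere. A hosts-file hijack does the opposite:
it points a name the user relies on at some other machine. Telling the
two apart is a matter of looking at the address each name is sent to.
"""
import ipaddress

# Constructed sample; hostnames use the reserved .test TLD and the redirect
# target is a documentation address (RFC 5737), so nothing here is real.
SAMPLE_HOSTS = """\
# Constructed sample, not a real machine's hosts file
127.0.0.1       localhost
::1             localhost
# MVPS-style blocking: these names resolve to the local machine / nowhere
0.0.0.0         ad.example-adserver.test
127.0.0.1       tracker.example-tracker.test  www.tracker.example-tracker.test
# hijack-style: a name the user depends on, pointed at a foreign host
198.51.100.23   update.example-av-vendor.test
# malformed line that a parser must not choke on
not.an.ip       broken.example.test
"""


def parse_hosts(text):
    """Yield (ip_text, hostname) pairs; comments and blank lines are skipped.

    One line may list several names for the same address, so each name is
    yielded separately.
    """
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        for name in fields[1:]:
            yield fields[0], name


def classify(ip_text, name):
    """Return 'localhost', 'blocked', 'redirect' or 'malformed' for one entry."""
    try:
        addr = ipaddress.ip_address(ip_text)
    except ValueError:
        return "malformed"
    if name == "localhost":
        return "localhost"             # the one mapping every hosts file carries
    if addr.is_loopback or addr.is_unspecified:
        return "blocked"               # 127.x.x.x, ::1 or 0.0.0.0: goes nowhere
    return "redirect"                  # name is sent to another machine: review


def audit_hosts(text):
    """Group entries by classification; the 'redirect' list is what to review."""
    report = {"localhost": [], "blocked": [], "redirect": [], "malformed": []}
    for ip_text, name in parse_hosts(text):
        report[classify(ip_text, name)].append((ip_text, name))
    return report


if __name__ == "__main__":
    for kind, entries in audit_hosts(SAMPLE_HOSTS).items():
        for ip_text, name in entries:
            print(f"{kind:<9} {ip_text:<16} {name}")
```

On a real machine, run it against the contents of `C:\WINDOWS\system32\drivers\etc\hosts`; a file produced by MVPS yields a long `blocked` list and an empty `redirect` list, whereas any name under `redirect` is a mapping the user should be able to explain. A redirect of an update or security-vendor hostname is the pattern that the Qhost detection in this thread refers to.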