Multiple virus/malware infected XP system

Hi,

I suspect my computer is completely infested with malware and/or viruses. I'm running Windows XP with Symantec Anti-Virus Corporate Edition 10. My anti-virus software detected and dealt with a few files. One file, specified zorb.p, couldn't be quarantined for a while but now apparently is. But the computer continues to slow down and show abnormally high CPU usage.
Also, my browser (Firefox and Explorer) regularly redirects me to phishing scams and pharmaceutical drug websites..... nice, huh!

I have run DDS; here is the report....


DDS (Ver_10-03-17.01) - NTFSx86
Run by Nick at 17:57:54.53 on 15/08/2010
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_21
Microsoft Windows XP Professional 5.1.2600.2.1252.44.1033.18.2047.1240 [GMT 1:00]


============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\NavNT\vptray.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\NavNT\defwatch.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\NavNT\rtvscan.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\system32\MsgSys.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Nick\My Documents\Recieved Files\dds.scr
C:\WINDOWS\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.co.uk/
uInternet Settings,ProxyOverride = *.local
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 6.0\acrobat\activex\AcroIEHelper.dll
BHO: PC Tools Browser Guard BHO: {2a0f3d1b-0909-4ff4-b272-609cce6054e7} - c:\program files\spyware doctor\bdt\PCTBrowserDefender.dll
BHO: AcroIEToolbarHelper Class: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
TB: PC Tools Browser Guard: {472734ea-242a-422b-adf8-83d1e48cc825} - c:\program files\spyware doctor\bdt\PCTBrowserDefender.dll
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
uRun: [PeerGuardian] c:\program files\peerguardian2\pg2.exe
uRun: [NBJ] "c:\program files\ahead\nero backitup\NBJ.exe"
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
mRun: [vptray] c:\program files\navnt\vptray.exe
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [AnyDVD] c:\program files\slysoft\anydvd\AnyDVD.exe
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [ATICCC] "c:\program files\ati technologies\ati.ace\cli.exe" runtime -Delay
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
dRun: [Fmabebazobifuyi] rundll32.exe "c:\windows\clatuvi2.dll",Startup
dRun: [M5T8QL3YW3] c:\windows\temp\Cdr.exe
dRun: [V71IQL7HI7] c:\windows\temp\Cdq.exe
StartupFolder: c:\docume~1\nick\startm~1\programs\startup\3113068.lnk - c:\documents and settings\nick\local settings\temp\mvNat.exe
StartupFolder: c:\docume~1\nick\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\nick\startm~1\programs\startup\magicd~1.lnk - c:\program files\magicdisc\MagicDisc.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\acroba~1.lnk - c:\program files\adobe\acrobat 6.0\distillr\acrotray.exe
mPolicies-system: EnableLUA = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
LSP: c:\program files\common files\pc tools\lsp\PCTLsp.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
TCP: NameServer = 93.188.162.162,93.188.166.193
TCP: {EF8D00EE-962E-491B-9E02-3AAADF85A2AF} = 93.188.162.162,93.188.166.193
Notify: AtiExtEvent - Ati2evxx.dll
Notify: NavLogon - c:\windows\system32\NavLogon.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\nick\applic~1\mozilla\firefox\profiles\c7ttzg7m.default\
FF - prefs.js: browser.startup.homepage - chrome://speeddial/content/speeddial.xul
FF - plugin: c:\documents and settings\nick\application data\facebook\npfbplugin_1_0_3.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2010-8-15 218592]
R0 Vax347b;Vax347b;c:\windows\system32\drivers\Vax347b.sys [2006-6-6 159616]
R0 Vax347s;Vax347s;c:\windows\system32\drivers\Vax347s.sys [2006-6-6 5248]
R2 Browser Defender Update Service;Browser Defender Update Service;c:\program files\spyware doctor\bdt\BDTUpdateService.exe [2010-8-15 112592]
R2 NAVAPEL;NAVAPEL;c:\program files\navnt\Navapel.sys [2001-9-24 9232]
R2 Norton AntiVirus Server;Norton AntiVirus Client;c:\program files\navnt\rtvscan.exe [2001-9-24 454656]
R2 StarWindService;StarWind iSCSI Service;c:\program files\alcohol soft\alcohol 120\starwind\StarWindService.exe [2005-4-2 217600]
R3 NAVAP;NAVAP;c:\program files\navnt\navap.sys [2001-9-24 176208]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20100811.002\NAVENG.sys [2010-8-14 85424]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20100811.002\NAVEX15.sys [2010-8-14 1362608]
S2 CX2388X;Xpert DVBT 23880 Video Capture;c:\windows\system32\drivers\cx88cap.sys [2006-6-6 159488]
S2 CX88CROSS;Xpert 2388x Crossbar;c:\windows\system32\drivers\cx88bar.sys [2006-6-6 8704]
S2 CX88TS;Xpert 2388x Transport Stream Capture;c:\windows\system32\drivers\cx88ts.sys [2006-6-6 13056]
S3 CXBDATUNE;Xpert BDA DVB Tuner/Demod;c:\windows\system32\drivers\cxbdatun.sys [2006-6-6 101888]
S3 Revoflt;Revoflt;c:\windows\system32\drivers\revoflt.sys [2010-6-14 27064]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\spyware doctor\pctsAuxs.exe [2010-8-15 366840]
S3 sdCoreService;PC Tools Security Service;c:\program files\spyware doctor\pctsSvc.exe [2010-8-15 1142224]

=============== Created Last 30 ================

2010-08-15 15:55:55 7383 ----a-w- c:\windows\system32\drivers\pctplsg.cat
2010-08-15 15:55:55 63360 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2010-08-15 15:55:10 0 d-----w- c:\program files\Spyware Doctor
2010-08-15 15:55:10 0 d-----w- c:\program files\common files\PC Tools
2010-08-15 15:55:10 0 d-----w- c:\docume~1\nick\applic~1\PC Tools
2010-08-15 15:55:10 0 d-----w- c:\docume~1\alluse~1\applic~1\PC Tools

==================== Find3M ====================

2010-07-17 04:00:04 423656 ----a-w- c:\windows\system32\deployJava1.dll
2009-04-17 19:47:44 74240 ----a-w- c:\program files\l

============= FINISH: 17:58:36.43 ===============

I'm pretty sure there are some strange processes and things going on there, but I don't really know where to go next. I tried installing and running Spyware Doctor but it wouldn't run properly.

I would really appreciate any help you could give me.

Thanks

Re: Multiple virus/malware infected XP system

Hello, and welcome to GeekPolice.

Please note the following information about the malware forum:
  • Only Tech Officers, Global Moderators, Administrators, and Malware Advisors are allowed to give advice on removing malware from your computer.
  • From this point on, please do not make any more changes to your computer; such as install/uninstall programs, use special fix tools, delete files, edit the registry, etc. - unless advised by the staff I noted above.
  • Please do not ask for help elsewhere (in this site or other sites). Doing so can result in system changes, which may not show up in the logs you post.
  • If you have already asked for help somewhere, please post the link to the topic you were helped.
  • We try our best to reply quickly, but if for any reason we do not reply in two days, do one of two things:

    Reply to this topic with the word BUMP, or
    see this topic.

  • Lastly, keep in mind that we are volunteers, so you do not have to pay for malware removal. Persist in this topic until it is closed and your computer is declared clean.

Please download Malwarebytes Anti-Malware from Malwarebytes.org.
Alternate link: BleepingComputer.com.
(Note: if you already have the program installed, just follow the directions. No need to re-download or re-install!)

Double Click mbam-setup.exe to install the application.

(Note: if you already have the program installed, open Malwarebytes from the Start Menu or Desktop shortcut, click the Update tab, and click Check for Updates, before doing the scan as instructed below!)

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to restart. If you are prompted to restart, please allow it to restart your computer. Failure to do this will cause the infection to still be active on the computer.
  • Please save the log to a location you will remember.
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • The log can also be found at C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt
  • Copy and paste the entire report in your next reply.

Re: Multiple virus/malware infected XP system

Here are the results of the Malwarebytes scan. My browser wouldn't let me view the Malwarebytes web site (all other pages work fine), so I had to download it to another computer and install it on this one. Then it wouldn't update (in the same way that Spyware Doctor wouldn't). It seems that whatever has infected me is quite smart.

Malwarebytes found and removed some files, but I don't know if I'm in the clear yet; what do you think?

Cheers.....


Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4052

Windows 5.1.2600 Service Pack 2
Internet Explorer 7.0.5730.13

18/08/2010 16:52:04
mbam-log-2010-08-18 (16-52-04).txt

Scan type: Quick scan
Objects scanned: 131977
Time elapsed: 34 minute(s), 19 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 5

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\avsuite (Rogue.AntivirusSuite) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\avsoft (Trojan.Fraudpack) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 93.188.162.162,93.188.166.193 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{ef8d00ee-962e-491b-9e02-3aaadf85a2af}\NameServer (Trojan.DNSChanger) -> Data: 93.188.162.162,93.188.166.193 -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\Nick\Local Settings\Temp\audiodgt.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Documents and Settings\Nick\Local Settings\Temp\c2cdll.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Nick\Local Settings\Temp\mvNat.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\mswsock32.dll (Spyware.Passwords) -> Quarantined and deleted successfully.

Re: Multiple virus/malware infected XP system

SysProt Antirootkit

Download SysProt Antirootkit from the link below (you will find it at the bottom of the page under attachments, or you can get it from one of the mirrors).

http://sites.google.com/site/sysprotantirootkit/

Unzip it into a folder on your desktop.

  • Double click Sysprot.exe to start the program.
  • Click on the Log tab.
  • In the Write to log box select the following items.

    • Process << Selected
    • Kernel Modules << Selected
    • SSDT << Selected
    • Kernel Hooks << Selected
    • IRP Hooks << NOT Selected
    • Ports << NOT Selected
    • Hidden Files << Selected

  • At the bottom of the page

    • Hidden Objects Only << Selected

  • Click on the Create Log button on the bottom right.
  • After a few seconds a new window should appear.
  • Select Scan Root Drive. Click on the Start button.
  • When it is complete a new window will appear to indicate that the scan is finished.
  • The log will be saved automatically in the same folder Sysprot.exe was extracted to. Open the text file and copy/paste the log here.

Re: Multiple virus/malware infected XP system

SysProt AntiRootkit v1.0.1.0
by swatkat

******************************************************************************************
******************************************************************************************

No Hidden Processes found

******************************************************************************************
******************************************************************************************
Kernel Modules:
Module Name:
Service Name: ---
Module Base: F743C000
Module End: F7454000
Hidden: Yes

Module Name: \SystemRoot\System32\Drivers\dump_atapi.sys
Service Name: atapi
Module Base: B12F8000
Module End: B1310000
Hidden: Yes

Module Name: \SystemRoot\System32\Drivers\dump_WMILIB.SYS
Service Name: ---
Module Base: F79BD000
Module End: F79BF000
Hidden: Yes

******************************************************************************************
******************************************************************************************
SSDT:
Function Name: ZwClose
Address: F758EC58
Driver Base: F7581000
Driver End: F75A8000
Driver Name: Vax347b.sys

Function Name: ZwCreateKey
Address: F788A112
Driver Base: F785E000
Driver End: F7897000
Driver Name: PCTCore.sys

Function Name: ZwCreatePagingFile
Address: F7582C70
Driver Base: F7581000
Driver End: F75A8000
Driver Name: Vax347b.sys

Function Name: ZwCreateProcess
Address: F78692D6
Driver Base: F785E000
Driver End: F7897000
Driver Name: PCTCore.sys

Function Name: ZwCreateProcessEx
Address: F78694C8
Driver Base: F785E000
Driver End: F7897000
Driver Name: PCTCore.sys

Function Name: ZwDeleteKey
Address: F788A900
Driver Base: F785E000
Driver End: F7897000
Driver Name: PCTCore.sys

Function Name: ZwDeleteValueKey
Address: F788ABB4
Driver Base: F785E000
Driver End: F7897000
Driver Name: PCTCore.sys

Function Name: ZwEnumerateKey
Address: F75834FE
Driver Base: F7581000
Driver End: F75A8000
Driver Name: Vax347b.sys

Function Name: ZwEnumerateValueKey
Address: F758ED50
Driver Base: F7581000
Driver End: F75A8000
Driver Name: Vax347b.sys

Function Name: ZwOpenKey
Address: F7888E12
Driver Base: F785E000
Driver End: F7897000
Driver Name: PCTCore.sys

Function Name: ZwQueryKey
Address: F758351E
Driver Base: F7581000
Driver End: F75A8000
Driver Name: Vax347b.sys

Function Name: ZwQueryValueKey
Address: F758ECA6
Driver Base: F7581000
Driver End: F75A8000
Driver Name: Vax347b.sys

Function Name: ZwRenameKey
Address: F788B020
Driver Base: F785E000
Driver End: F7897000
Driver Name: PCTCore.sys

Function Name: ZwSetSystemPowerState
Address: F758E4F0
Driver Base: F7581000
Driver End: F75A8000
Driver Name: Vax347b.sys

Function Name: ZwSetValueKey
Address: F788A3D2
Driver Base: F785E000
Driver End: F7897000
Driver Name: PCTCore.sys

Function Name: ZwTerminateProcess
Address: F7868F44
Driver Base: F785E000
Driver End: F7897000
Driver Name: PCTCore.sys

******************************************************************************************
******************************************************************************************
No Kernel Hooks found

******************************************************************************************
******************************************************************************************
Hidden files/folders:
Object: C:\Documents and Settings\Nick\Local Settings\Application Data\Microsoft\Messenger\ikkle_devi12@hotmail.com\SharingMetadata\mr_hockey_monkey@hotmail.com\DFSR\Staging\CS{EFC4BFF2-C3F5-7133-182D-AB93233A1127}\01\10-{EFC4BFF2-C3F5-7133-182D-AB93233A1127}-v1-
Status: Hidden

Object: C:\Documents and Settings\Nick\My Documents\My Music\iTunes\iTunes Music\Sigur Rós\Hvarf _ Heim\1-03 Í gcr.MP3
Status: Hidden

Object: C:\Documents and Settings\Nick\My Documents\My Music\iTunes\iTunes Music\Sigur Rós\Hvarf _ Heim\2-04 Ágctis Byrjun.MP3
Status: Hidden

Object: C:\System Volume Information\MountPointManagerRemoteDatabase
Status: Access denied

Object: C:\System Volume Information\tracking.log
Status: Access denied

Object: C:\System Volume Information\_restore{36C3BFBE-D60E-4318-A7E7-AE9D040E16F7}
Status: Access denied

Re: Multiple virus/malware infected XP system

Please download MBRCheck.exe by a_d_13 from one of the links provided below and save it to your desktop.
    Link 1
    Link 2
    Link 3

  • Double-click on MBRCheck.exe to run it.
  • It will open a black window... please do not fix anything (if it gives you an option).
  • When complete, you should see Done! Press ENTER to exit.... Press Enter on the keyboard.
  • A log named MBRCheck_date_time.txt (i.e. MBRCheck_07.21.10_10.22.51.txt) will appear on the desktop.
  • Please copy and paste the contents of that log in your next reply.

Re: Multiple virus/malware infected XP system

MBRCheck, version 1.2.3
(c) 2010, AD

Command-line:
Windows Version: Windows XP Professional
Windows Information: Service Pack 2 (build 2600)
Logical Drives Mask: 0x0000015d

Kernel Drivers (total 130):
0x804D7000 \WINDOWS\system32\ntoskrnl.exe
0x806FD000 \WINDOWS\system32\hal.dll
0xF7987000 \WINDOWS\system32\KDCOM.DLL
0xF7897000 \WINDOWS\system32\BOOTVID.dll
0xF75A8000 ACPI.sys
0xF7989000 \WINDOWS\system32\DRIVERS\WMILIB.SYS
0xF7581000 Vax347b.sys
0xF7570000 pci.sys
0xF75F7000 isapnp.sys
0xF74B1000 fltMgr.sys
0xF7499000 \WINDOWS\System32\Drivers\SPTDDRV1.SYS
0xF7A4F000 pciide.sys
0xF7707000 \WINDOWS\system32\DRIVERS\PCIIDEX.SYS
0xF798B000 intelide.sys
0xF7607000 MountMgr.sys
0xF747A000 ftdisk.sys
0xF798D000 dmload.sys
0xF7454000 dmio.sys
0xF770F000 PartMgr.sys
0xF7617000 VolSnap.sys
0xF743C000
0xF798F000 Vax347s.sys
0xF7424000 \WINDOWS\System32\Drivers\SCSIPORT.SYS
0xF7627000 disk.sys
0xF7637000 \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
0xF7412000 sr.sys
0xF785E000 PCTCore.sys
0xF7717000 PxHelp20.sys
0xF7847000 KSecDD.sys
0xBA773000 Ntfs.sys
0xBA746000 NDIS.sys
0xBA72B000 Mup.sys
0xF7647000 agp440.sys
0xB9E23000 \SystemRoot\system32\DRIVERS\intelppm.sys
0xB9B2B000 \SystemRoot\system32\DRIVERS\ati2mtag.sys
0xB9B17000 \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
0xF7817000 \SystemRoot\system32\DRIVERS\usbuhci.sys
0xB9AF4000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
0xF781F000 \SystemRoot\system32\DRIVERS\usbehci.sys
0xB9AE2000 \SystemRoot\system32\DRIVERS\Rtlnicxp.sys
0xF7727000 \SystemRoot\system32\DRIVERS\fdc.sys
0xB9E13000 \SystemRoot\system32\DRIVERS\serial.sys
0xBA6C7000 \SystemRoot\system32\DRIVERS\serenum.sys
0xB9ACE000 \SystemRoot\system32\DRIVERS\parport.sys
0xF7677000 \SystemRoot\system32\DRIVERS\i8042prt.sys
0xF7757000 \SystemRoot\system32\DRIVERS\mouclass.sys
0xB9FB4000 \SystemRoot\system32\DRIVERS\kbdclass.sys
0xBA6C3000 \SystemRoot\system32\DRIVERS\gameenum.sys
0xF7687000 \SystemRoot\system32\DRIVERS\imapi.sys
0xB9FAC000 \SystemRoot\System32\Drivers\AnyDVD.sys
0xF7697000 \SystemRoot\system32\DRIVERS\cdrom.sys
0xF76A7000 \SystemRoot\system32\DRIVERS\redbook.sys
0xB9AAB000 \SystemRoot\system32\DRIVERS\ks.sys
0xB9FA4000 \SystemRoot\System32\Drivers\GEARAspiWDM.sys
0xB970B000 \SystemRoot\system32\drivers\ALCXWDM.SYS
0xB96E7000 \SystemRoot\system32\drivers\portcls.sys
0xF76B7000 \SystemRoot\system32\drivers\drmk.sys
0xBA296000 \SystemRoot\system32\DRIVERS\audstub.sys
0xF76C7000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
0xBA6BB000 \SystemRoot\system32\DRIVERS\ndistapi.sys
0xB96D0000 \SystemRoot\system32\DRIVERS\ndiswan.sys
0xF76D7000 \SystemRoot\system32\DRIVERS\raspppoe.sys
0xF76E7000 \SystemRoot\system32\DRIVERS\raspptp.sys
0xB9F9C000 \SystemRoot\system32\DRIVERS\TDI.SYS
0xB96BF000 \SystemRoot\system32\DRIVERS\psched.sys
0xF76F7000 \SystemRoot\system32\DRIVERS\msgpc.sys
0xB9F94000 \SystemRoot\system32\DRIVERS\ptilink.sys
0xB9F8C000 \SystemRoot\system32\DRIVERS\raspti.sys
0xB968E000 \SystemRoot\system32\DRIVERS\rdpdr.sys
0xF7560000 \SystemRoot\system32\DRIVERS\termdd.sys
0xB9671000 \SystemRoot\system32\DRIVERS\mcdbus.sys
0xF79DF000 \SystemRoot\system32\DRIVERS\swenum.sys
0xB963D000 \SystemRoot\system32\DRIVERS\update.sys
0xBA5F1000 \SystemRoot\system32\DRIVERS\mssmbios.sys
0xF7540000 \SystemRoot\System32\Drivers\NDProxy.SYS
0xF7510000 \SystemRoot\system32\DRIVERS\usbhub.sys
0xF79E3000 \SystemRoot\system32\DRIVERS\USBD.SYS
0xB9F84000 \SystemRoot\system32\DRIVERS\flpydisk.sys
0xF79E5000 \SystemRoot\System32\Drivers\i2omgmt.SYS
0xF79E9000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
0xB159D000 \SystemRoot\System32\Drivers\Null.SYS
0xF79EB000 \SystemRoot\System32\Drivers\Beep.SYS
0xB9F74000 \SystemRoot\System32\drivers\vga.sys
0xF79ED000 \SystemRoot\System32\Drivers\mnmdd.SYS
0xF79EF000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
0xB9F6C000 \SystemRoot\System32\Drivers\Msfs.SYS
0xF775F000 \SystemRoot\System32\Drivers\Npfs.SYS
0xBA6EF000 \SystemRoot\system32\DRIVERS\rasacd.sys
0xB0844000 \SystemRoot\system32\DRIVERS\ipsec.sys
0xB07EC000 \SystemRoot\system32\DRIVERS\tcpip.sys
0xB07C4000 \SystemRoot\system32\DRIVERS\netbt.sys
0xB07A3000 \SystemRoot\system32\DRIVERS\ipnat.sys
0xF74E0000 \SystemRoot\system32\DRIVERS\wanarp.sys
0xB0781000 \SystemRoot\System32\drivers\afd.sys
0xF74D0000 \SystemRoot\system32\DRIVERS\netbios.sys
0xB0755000 \SystemRoot\system32\DRIVERS\rdbss.sys
0xB158F000 \SystemRoot\System32\Drivers\PQNTDrv.SYS
0xB06E6000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
0xBA6AB000 \SystemRoot\System32\Drivers\Fips.SYS
0xBA63B000 \SystemRoot\System32\Drivers\Cdfs.SYS
0xB0606000 \SystemRoot\System32\Drivers\dump_atapi.sys
0xF79B7000 \SystemRoot\System32\Drivers\dump_WMILIB.SYS
0xBF800000 \SystemRoot\System32\win32k.sys
0xB087F000 \SystemRoot\System32\drivers\Dxapi.sys
0xF7787000 \SystemRoot\System32\watchdog.sys
0xBF000000 \SystemRoot\System32\drivers\dxg.sys
0xB1593000 \SystemRoot\System32\drivers\dxgthk.sys
0xBF012000 \SystemRoot\System32\ati2dvag.dll
0xBF055000 \SystemRoot\System32\ati2cqag.dll
0xBF09A000 \SystemRoot\System32\atikvmag.dll
0xBF0D0000 \SystemRoot\System32\ati3duag.dll
0xBF362000 \SystemRoot\System32\ativvaxx.dll
0xBFFA0000 \SystemRoot\System32\ATMFD.DLL
0xAE4F6000 \SystemRoot\system32\DRIVERS\ndisuio.sys
0xAE281000 \SystemRoot\system32\drivers\wdmaud.sys
0xAE58E000 \SystemRoot\system32\drivers\sysaudio.sys
0xADD2D000 \SystemRoot\system32\DRIVERS\mrxdav.sys
0xF79AD000 \SystemRoot\System32\Drivers\ParVdm.SYS
0xADE56000 \SystemRoot\System32\Drivers\ElbyCDIO.sys
0xADD19000 \??\C:\Program Files\NavNT\NAVAPEL.SYS
0xADBBE000 \SystemRoot\system32\DRIVERS\srv.sys
0xAD6A5000 \SystemRoot\System32\Drivers\HTTP.sys
0xAD866000 \SystemRoot\system32\DRIVERS\ipfltdrv.sys
0xF77D7000 \??\C:\Program Files\PeerGuardian2\pgfilter.sys
0xADFD2000 \??\C:\Program Files\Symantec\SYMEVENT.SYS
0xAD4C3000 \??\C:\Program Files\NavNT\NAVAP.sys
0xAD377000 \??\C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20100811.002\NAVEX15.sys
0xAD363000 \??\C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20100811.002\NAVENG.sys
0xAD188000 \SystemRoot\System32\Drivers\Fastfat.SYS
0x7C900000 \WINDOWS\system32\ntdll.dll

Processes (total 45):
0 System Idle Process
4 System
648 C:\WINDOWS\system32\smss.exe
696 csrss.exe
724 C:\WINDOWS\system32\winlogon.exe
768 C:\WINDOWS\system32\services.exe
788 C:\WINDOWS\system32\lsass.exe
948 C:\WINDOWS\system32\ati2evxx.exe
964 C:\WINDOWS\system32\svchost.exe
1056 svchost.exe
1152 C:\WINDOWS\system32\svchost.exe
1268 svchost.exe
1316 svchost.exe
1572 C:\WINDOWS\system32\spoolsv.exe
1732 C:\WINDOWS\system32\ati2evxx.exe
1860 C:\WINDOWS\explorer.exe
2032 C:\Program Files\NavNT\vptray.exe
164 C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
176 C:\WINDOWS\soundman.exe
220 C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
236 C:\Program Files\iTunes\iTunesHelper.exe
264 C:\Program Files\Common Files\Java\Java Update\jusched.exe
292 C:\Program Files\PeerGuardian2\pg2.exe
336 C:\WINDOWS\system32\ctfmon.exe
408 C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
448 C:\Program Files\MagicDisc\MagicDisc.exe
912 svchost.exe
840 C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
1120 C:\Program Files\Bonjour\mDNSResponder.exe
1140 C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe
1436 C:\Program Files\NavNT\defwatch.exe
1556 C:\WINDOWS\system32\inetsrv\inetinfo.exe
836 C:\Program Files\Java\jre6\bin\jqs.exe
1660 C:\Program Files\NavNT\rtvscan.exe
2044 C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
2020 C:\WINDOWS\system32\svchost.exe
2312 C:\Program Files\iPod\bin\iPodService.exe
2724 alg.exe
3652 C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
3660 C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
3916 C:\WINDOWS\system32\MSGSYS.EXE
2480 C:\WINDOWS\system32\wuauclt.exe
3108 C:\Program Files\Mozilla Firefox\firefox.exe
3168 C:\Documents and Settings\Nick\My Documents\Recieved Files\MBRCheck.exe
3800

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (NTFS)
\\.\D: --> \\.\PhysicalDrive1 at offset 0x00000000`00007e00 (NTFS)

PhysicalDrive0 Model Number: WDCWD800BB-22FRA0, Rev: 77.07W77
PhysicalDrive1 Model Number: Maxtor6L300S0, Rev: BANC1G10

Size Device Name MBR Status
--------------------------------------------
74 GB \\.\PhysicalDrive0 Windows XP MBR code detected
SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A
279 GB \\.\PhysicalDrive1 Windows XP MBR code detected
SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A


Done!

Re: Multiple virus/malware infected XP system

Please run the F-Secure Online Scanner

  • Follow the instructions here for installation.
  • Accept the License Agreement.
  • Once the ActiveX installs, click Full System Scan.
  • Once the download completes, the scan will begin automatically.
  • The scan will take some time to finish, so please be patient.
  • When the scan completes, click the Automatic cleaning (recommended) button.
  • Click the Show Report button and copy & paste the entire report in your next reply.

Re: Multiple virus/malware infected XP system

Scanning Report
Monday, August 23, 2010 14:27:06 - 14:55:40

Computer name: MEDIA-CENTER
Scanning type: Quick scan
Target: System
6 malware found
TrackingCookie.Atdmt (spyware)

* System (Disinfected)

TrackingCookie.Doubleclick (spyware)

* System (Disinfected)

TrackingCookie.Admeta (spyware)

* System (Disinfected)

Dropped:Trojan.Downloader.JMRR (spyware)

* System (Disinfected)

TrackingCookie.Webtrends (spyware)

* System (Disinfected)

TrackingCookie.Imrworldwide (spyware)

* System (Disinfected)

Statistics
Scanned:

* Files: 5725
* System: 5725
* Not scanned: 0

Actions:

* Disinfected: 6
* Renamed: 0
* Deleted: 0
* Not cleaned: 0
* Submitted: 0

Options
Scanning engines:

Re: Multiple virus/malware infected XP system

How is the system performing now?

Re: Multiple virus/malware infected XP system

It's not running too much better, I'm still getting excessive processor usage and some unknown processes, but the redirects from the browsers have gone. I got an alert from Norton about that zorb.p virus again too. I still think there is something going wrong here. My system recovered from "a serious error" recently as well...

Re: Multiple virus/malware infected XP system

Please visit this webpage for a tutorial on downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

See the area: Using ComboFix, and when done, post the log back here.

Re: Multiple virus/malware infected XP system

Hi Jay,

I'm off on holiday for a week. Be in touch when I get back.

Cheers

Re: Multiple virus/malware infected XP system

ok
