WiredWX Hobby Weather Tools

need help....have a virus
I turned on my laptop, which is over three years old, and I'm sure I have a virus. I'm running it in Safe Mode currently. When I open Mozilla, a pop-up comes up that says "warning your comp has various viruses. winweb will check..." Please help.

Re: need help....have a virus
Please download the current version of HijackThis from HERE

  • Double-click and run the installer.
  • It will install to C:\Program Files\Trend Micro\HijackThis\hijackthis.exe
  • After installing, you should get the user agreement; press Accept and HijackThis will run.
  • Select Do a system scan and save a log file. This will open a Notepad file of everything HijackThis found; copy and paste it back here.

Re: need help....have a virus
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:58:15 PM, on 4/17/2009
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Boot mode: Safe mode with network support

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\WgaTray.exe
\?\globalroot\C:\WINDOWS\system32\cmd.exe
c:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\AUTMGR.EXE
C:\Documents and Settings\s\Desktop\JavaRa\JavaRa.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\s\Desktop\hijackgpthis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ycomp_adbe/defaults/sb/*http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ycomp_adbe/defaults/sp/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O1 - Hosts: 82.98.231.89 url.adtrgt.com
O1 - Hosts: 82.98.231.89 googleads2.gdoubleclick.net
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {d771f4e6-004b-405c-81a3-fb26923f6932} - C:\WINDOWS\System32\weziroze.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IntelZeroConfig] C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\PROGRA~1\AIM\\DeadAIM.ocm",ExportedCheckODLs
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon
O4 - HKLM\..\Run: [wuyirakelo] Rundll32.exe "C:\WINDOWS\System32\nefuwipi.dll",s
O4 - HKLM\..\Run: [CPM238f65dc] Rundll32.exe "c:\windows\system32\kofemube.dll",a
O4 - HKLM\..\Run: [Xrevubigax] rundll32.exe "C:\WINDOWS\ogevecazuculene.dll",e
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - HKCU\..\Run: [BitComet] "C:\grants downloads\BitComet\BitComet.exe" /tray
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: UltimateBet - {94148DB5-B42D-4915-95DA-2CBB4F7095BF} - C:\Program Files\UltimateBet\UltimateBet.exe
O9 - Extra 'Tools' menuitem: UltimateBet - {94148DB5-B42D-4915-95DA-2CBB4F7095BF} - C:\Program Files\UltimateBet\UltimateBet.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{2E5BA472-C1F5-47A5-8CAF-118CB3DACFA8}: NameServer = 68.87.85.98,68.87.69.146
O17 - HKLM\System\CS1\Services\Tcpip\..\{2E5BA472-C1F5-47A5-8CAF-118CB3DACFA8}: NameServer = 68.87.85.98,68.87.69.146
O17 - HKLM\System\CS2\Services\Tcpip\..\{2E5BA472-C1F5-47A5-8CAF-118CB3DACFA8}: NameServer = 68.87.85.98,68.87.69.146
O20 - AppInit_DLLs: C:\WINDOWS\System32\hajiruno.dll c:\windows\system32\kofemube.dll
O21 - SSODL: C0BCFGEF - {773606CC-2429-16A6-12A5-4AB46B150A39} - C:\WINDOWS\System32\Mpfoja32.dll (file missing)
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\kofemube.dll
O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\kofemube.dll
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: Dhcp server (DhcpSrv) - Unknown owner - C:\WINDOWS\dhcp\svchost.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

--
End of file - 6178 bytes

Re: need help....have a virus
Hello.

  • Open HijackThis
  • Choose "Do a system scan only"
  • Check the boxes in front of these lines:


    O1 - Hosts: 82.98.231.89 url.adtrgt.com
    O1 - Hosts: 82.98.231.89 googleads2.gdoubleclick.net
    O2 - BHO: (no name) - {d771f4e6-004b-405c-81a3-fb26923f6932} - C:\WINDOWS\System32\weziroze.dll
    O4 - HKLM\..\Run: [wuyirakelo] Rundll32.exe "C:\WINDOWS\System32\nefuwipi.dll",s
    O4 - HKLM\..\Run: [CPM238f65dc] Rundll32.exe "c:\windows\system32\kofemube.dll",a
    O4 - HKLM\..\Run: [Xrevubigax] rundll32.exe "C:\WINDOWS\ogevecazuculene.dll",e
    O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
    O4 - HKCU\..\Run: [BitComet] "C:\grants downloads\BitComet\BitComet.exe" /tray
    O21 - SSODL: C0BCFGEF - {773606CC-2429-16A6-12A5-4AB46B150A39} - C:\WINDOWS\System32\Mpfoja32.dll (file missing)
    O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\kofemube.dll
    O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\kofemube.dll


  • Press "Fix Checked"
  • Close HijackThis.

Please download and run this tool.

Download Malwarebytes' Anti-Malware from Here

Double-click mbam-setup.exe to install the application.

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.


Post the contents of the MBAM Log.
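The lines the helper ticked above are exactly the ones a mechanical first pass over a HijackThis log picks out: hosts entries that redirect a name rather than block it, an unnamed BHO, rundll32 autoruns that point at gibberish-named DLLs, anything at all in AppInit_DLLs, SSODL or SharedTaskScheduler, a process launched through a \?\globalroot device path, and an svchost.exe living outside System32. The Python below is an added example written for this page, not code from the forum, HijackThis or Malwarebytes. The sample lines are copied from the log posted earlier; the random-name length threshold, the "stock" SSODL allowlist and the severity labels are assumptions a practitioner would tune for their own environment.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample input: process and autorun lines copied from the HijackThis
# log posted in this thread, plus a few benign lines for contrast.
HJT_SAMPLE = r"""
C:\WINDOWS\system32\svchost.exe
\?\globalroot\C:\WINDOWS\system32\cmd.exe
O1 - Hosts: 82.98.231.89 url.adtrgt.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {d771f4e6-004b-405c-81a3-fb26923f6932} - C:\WINDOWS\System32\weziroze.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\PROGRA~1\AIM\\DeadAIM.ocm",ExportedCheckODLs
O4 - HKLM\..\Run: [wuyirakelo] Rundll32.exe "C:\WINDOWS\System32\nefuwipi.dll",s
O4 - HKLM\..\Run: [Xrevubigax] rundll32.exe "C:\WINDOWS\ogevecazuculene.dll",e
O20 - AppInit_DLLs: C:\WINDOWS\System32\hajiruno.dll c:\windows\system32\kofemube.dll
O21 - SSODL: C0BCFGEF - {773606CC-2429-16A6-12A5-4AB46B150A39} - C:\WINDOWS\System32\Mpfoja32.dll (file missing)
O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\kofemube.dll
O23 - Service: Dhcp server (DhcpSrv) - Unknown owner - C:\WINDOWS\dhcp\svchost.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
"""

RANDOM_DLL = re.compile(r"^[a-z]{7,16}\.dll$")          # Vundo-style gibberish names (threshold is an assumption)
BLOCK_ONLY = {"127.0.0.1", "0.0.0.0", "::1"}             # hosts targets that block a name rather than redirect it
STOCK_SHELL_OBJECTS = {"webcheck.dll", "stobject.dll"}   # assumed stock XP SSODL entries; extend per build
RUNDLL = re.compile(r'rundll32(?:\.exe)?\s+"?([^",]+\.dll)', re.I)


def _name(path):
    return PureWindowsPath(path.strip().strip('"')).name.lower()


def _parent(path):
    return str(PureWindowsPath(path.strip().strip('"')).parent).lower()


def triage(log_text):
    """Return (severity, reason, line) tuples for entries that deserve a second look."""
    findings = []

    def hit(severity, reason, line):
        findings.append((severity, reason, line))

    for line in (raw.strip() for raw in log_text.splitlines()):
        if not line:
            continue
        if line.lower().startswith("\\?\\globalroot\\"):
            # Normal processes show a plain drive path; a device path hints at a rootkit loader.
            hit("high", "process started via \\?\\globalroot device path", line)
        elif line.startswith("O1 - Hosts:"):
            ip, host = line.split(":", 1)[1].split()[:2]
            if ip not in BLOCK_ONLY:
                hit("high", f"hosts file redirects {host} to {ip}", line)
        elif line.startswith("O2 - BHO: (no name)"):
            hit("medium", "unnamed browser helper object " + _name(line.rsplit(" - ", 1)[1]), line)
        elif line.startswith("O4 - "):
            m = RUNDLL.search(line)
            if m and RANDOM_DLL.match(_name(m.group(1))):
                hit("high", "rundll32 autorun loads randomly named " + _name(m.group(1)), line)
        elif line.startswith("O20 - AppInit_DLLs:"):
            # Anything listed here is mapped into every process that loads user32.dll.
            for dll in line.split(":", 1)[1].split():
                hit("high", f"AppInit_DLLs injects {_name(dll)} into every GUI process", line)
        elif line.startswith(("O21 - SSODL:", "O22 - SharedTaskScheduler:")):
            dll = _name(line.rsplit(" - ", 1)[1].replace("(file missing)", ""))
            if dll not in STOCK_SHELL_OBJECTS:
                hit("high", f"Explorer loads non-stock object {dll} at logon", line)
        elif line.startswith("O23 - Service:"):
            path = line.rsplit(" - ", 1)[1]
            if _name(path) == "svchost.exe" and not _parent(path).endswith("\\system32"):
                hit("high", "svchost.exe service binary outside System32", line)
            elif "Unknown owner" in line:
                hit("medium", "service binary carries no vendor information", line)
    return findings


def severity_counts(findings):
    counts = {"high": 0, "medium": 0}
    for severity, _, _ in findings:
        counts[severity] += 1
    return counts


if __name__ == "__main__":
    for severity, reason, line in triage(HJT_SAMPLE):
        print(f"[{severity:6}] {reason}\n         {line}")
```

Run against the sample it flags nine high and one medium finding and leaves the Intel, Adobe and DeadAIM entries alone. The point of the allowlists is that a log like this is mostly noise: the signal is in the handful of load points (AppInit_DLLs, SSODL, SharedTaskScheduler, Winlogon) that legitimate software almost never touches, which is why the helper's fix list concentrated on them.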

Re: need help....have a virus
OK, here's the deal. I did the first part and selected those items and removed them. Next, the link to Malwarebytes did not work (is this virus related?). I went to www.download.cnet.com and downloaded it. I could not update it because it could not connect to the malwarebytes.org site. I ran a quick scan, removed files, and restarted. When I restarted, I was able to update Malwarebytes and am about to run a scan again. I am posting the first MBAM log file from the original scan. I will post the updated log file in a few minutes. Thanks for your help.


Malwarebytes' Anti-Malware 1.36
Database version: 1945
Windows 5.1.2600

4/17/2009 7:10:48 PM
mbam-log-2009-04-17 (19-10-48).txt

Scan type: Quick Scan
Objects scanned: 63352
Time elapsed: 5 minute(s), 4 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 12
Registry Values Infected: 4
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 17

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
c:\WINDOWS\system32\kofemube.dll (Trojan.Vundo.H) -> Delete on reboot.

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\minibugtransporter.minibugtransporterx (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{2b96d5cc-c5b5-49a5-a69d-cc0a30f9028c} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\TypeLib\{3c2d2a1e-031f-4397-9614-87c932a848e0} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{04a38f6b-006f-4247-ba4c-02a139d5531c} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\minibugtransporter.minibugtransporterx.1 (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\6to4 (Dialer) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\6to4 (Dialer) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\at1394 (Spyware.OnlineGames) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\at1394 (Spyware.OnlineGames) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\xpreapp (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\dslcnnct (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cpm238f65dc (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\ssodl (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xrevubigax (Trojan.Agent) -> Delete on reboot.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: ctsemp32.dll -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: c:\windows\system32\kofemube.dll -> Delete on reboot.

Folders Infected:
(No malicious items detected)

Files Infected:
c:\WINDOWS\system32\kofemube.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\ctsemp32.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\Program Files\AWS\WeatherBug\MiniBugTransporter.dll (Adware.Minibug) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\6to4v32.dll (Dialer) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\at1394.sys (Spyware.OnlineGames) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\goyipeme.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\s\Local Settings\Temporary Internet Files\Content.IE5\7Q1OP240\eureboc[1].htm (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\s\Local Settings\Temporary Internet Files\Content.IE5\8XUBG9Q3\lrbll[1].htm (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\s\Local Settings\Temporary Internet Files\Content.IE5\KPIV0PIB\liscpqzaw[1].htm (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\s\Local Settings\Temporary Internet Files\Content.IE5\O1M9WFM1\ddsuper2[1].htm (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\WINDOWS\ogevecazuculene.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\prunnet.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\s\reader_s.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\s\Local Settings\Temp\rasesnet.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\s\Local Settings\Temp\xpre.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\hajiruno.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\nefuwipi.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

Re: need help....have a virus
Hello.
Not good news: MBAM found a file usually seen with a file infector. Depending on the results of this next scan, your machine might need to be formatted.

  • Please download DDS by sUBs to your Desktop (Important!!) from one of these locations:
    Link 1
    Link 2
  • Double-click DDS.scr to run it.
  • When complete, DDS.txt will open.
  • Save the report to your Desktop.
  • Copy and paste DDS.txt back here, I don't need to see attach.txt.

Re: need help....have a virus
Here is the second scan file.

Malwarebytes' Anti-Malware 1.36
Database version: 1997
Windows 5.1.2600

4/17/2009 8:03:18 PM
mbam-log-2009-04-17 (20-03-18).txt

Scan type: Quick Scan
Objects scanned: 65207
Time elapsed: 31 minute(s), 30 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 0
Registry Keys Infected: 5
Registry Values Infected: 5
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 19

Memory Processes Infected:
C:\WINDOWS\system32\reader_s.exe (Trojan.Agent) -> Unloaded process successfully.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\restore (Rootkit.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\AGprotect (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\dhcpsrv (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\dhcpsrv (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cpm238f65dc (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\ssodl (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xrevubigax (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\reader_s (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\tqpxlyy.exe (Trojan.Vundo.V) -> Quarantined and deleted successfully.
C:\Documents and Settings\s\Local Settings\Temp\6F.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\s\Local Settings\Temp\prun.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\BN7.tmp (Trojan.Kobcka) -> Quarantined and deleted successfully.
C:\Documents and Settings\s\Local Settings\Temporary Internet Files\Content.IE5\7Q1OP240\ddsuper1[1].htm (Virus.Virut) -> Quarantined and deleted successfully.
C:\Documents and Settings\s\Local Settings\Temporary Internet Files\Content.IE5\7Q1OP240\ekueefs[1].txt (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\s\Local Settings\Temporary Internet Files\Content.IE5\8XUBG9Q3\burbbop[1].htm (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Documents and Settings\s\Local Settings\Temporary Internet Files\Content.IE5\8XUBG9Q3\ddsuper0[1].htm (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\s\Local Settings\Temporary Internet Files\Content.IE5\KPIV0PIB\akurrbllzi[1].htm (Trojan.Vundo.V) -> Quarantined and deleted successfully.
C:\Documents and Settings\s\Local Settings\Temporary Internet Files\Content.IE5\KPIV0PIB\ddsuper3[1].htm (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Documents and Settings\s\Local Settings\Temporary Internet Files\Content.IE5\O1M9WFM1\xqakkhuv[1].htm (Worm.MarioFev) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ftp_non_crp.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\reader_s.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\3.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\6.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\wcfgayg.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\ptrf.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\dhcp\svchost.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ak1.exe (Virus.Virut) -> Quarantined and deleted successfully.

Re: need help....have a virus
Here is the DDS text.



DDS (Ver_09-03-16.01) - NTFSx86 NETWORK
Run by s at 20:12:21.45 on Fri 04/17/2009
Internet Explorer: 6.0.2600.0000 BrowserJavaVersion: 1.6.0_05
Microsoft Windows XP Professional 5.1.2600.0.1252.1.1033.18.247.25 [GMT -5:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\System32\svchost.exe -k NetworkService
C:\WINDOWS\System32\svchost.exe -k LocalService
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\WgaTray.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\s\Desktop\dds.scr
C:\WINDOWS\System32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uSearch Page = hxxp://us.rd.yahoo.com/customize/ycomp_adbe/defaults/sp/*http://www.yahoo.com
uSearch Bar = hxxp://us.rd.yahoo.com/customize/ycomp_adbe/defaults/sb/*http://www.yahoo.com/search/ie.html
uInternet Connection Wizard,ShellNext = iexplore
mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\windows\system32\ntos.exe,
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_05\bin\ssv.dll
EB: Media Band: {32683183-48a0-441b-a342-7c2a440a9478} - %SystemRoot%\System32\browseui.dll
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [AIM] c:\program files\aim\aim.exe -cnetwait.odl
uRun: [updateMgr] c:\program files\adobe\acrobat 7.0\reader\AdobeUpdateManager.exe AcRdB7_0_9
mRun: [IntelZeroConfig] c:\program files\intel\wireless\bin\ZCfgSvc.exe
mRun: []
mRun: [IntelWireless] c:\program files\intel\wireless\bin\ifrmewrk.exe /tf Intel PROSet/Wireless
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [DeadAIM] rundll32.exe "c:\progra~1\aim\\DeadAIM.ocm",ExportedCheckODLs
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.6.0_05\bin\jusched.exe"
mRun: [vptray] c:\progra~1\symant~1\symant~1\vptray.exe
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [CanonMyPrinter] c:\program files\canon\myprinter\BJMyPrt.exe /logon
mRunOnce: [Malwarebytes' Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent
mRunOnce: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
dRun: [reader_s] c:\windows\system32\config\systemprofile\reader_s.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {94148DB5-B42D-4915-95DA-2CBB4F7095BF} - c:\program files\ultimatebet\UltimateBet.exe
IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim\aim.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_05\bin\ssv.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {0000000A-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/8/B/E/8BE028EC-F134-4AA0-84AB-64F76D6B9842/wmsp9dmo.cab
DPF: {33564D57-0000-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
DPF: {33564D57-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/D/0/D/D0DD87DA-994F-4334-8B55-AF2E4D98ED0C/wmv9dmo.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
TCP: {2E5BA472-C1F5-47A5-8CAF-118CB3DACFA8} = 68.87.85.98,68.87.69.146
Notify: igfxcui - igfxsrvc.dll
Notify: IntelWireless - c:\program files\intel\wireless\bin\LgNotify.dll
Notify: NavLogon - c:\windows\system32\NavLogon.dll
Notify: WRNotifier - WRLogonNTF.dll
AppInit_DLLs: c:\windows\system32\hajiruno.dll c:\windows\system32\kofemube.dll
LSA: Notification Packages = scecli c:\windows\system32\hajiruno.dll ctsemp32.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\s\applic~1\mozilla\firefox\profiles\2dg636ha.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - www.msn.com
FF - plugin: c:\program files\mozilla firefox\plugins\NPAdbESD.dll
FF - HiddenExtension: XUL Cache: {AF960C7A-9110-4D7B-A192-C9AD05F6D387} - c:\documents and settings\s\local settings\application data\{af960c7a-9110-4d7b-a192-c9ad05f6d387}\

============= SERVICES / DRIVERS ===============

S1 phe5603;phe5603;c:\windows\system32\drivers\phe5603.sys --> c:\windows\system32\drivers\phe5603.sys [?]
S2 NAVAPEL;NAVAPEL;c:\program files\symantec_client_security\symantec antivirus\Navapel.sys [2003-5-2 30208]
S2 Norton AntiVirus Server;Symantec AntiVirus Client;c:\progra~1\symant~1\symant~1\Rtvscan.exe [2003-5-21 630784]
S3 NAVAP;NAVAP;c:\progra~1\symant~1\symant~1\NAVAP.sys [2003-5-2 224256]
S3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20080308.006\NAVENG.sys [2008-3-9 82256]
S3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20080308.006\NAVEX15.sys [2008-3-9 895408]
S3 restore;restore;\??\c:\windows\system32\drivers\restore.sys --> c:\windows\system32\drivers\restore.sys [?]

=============== Created Last 30 ================

2009-04-17 20:06 38 a------- C:\E.tmp
2009-04-17 20:06 0 a------- C:\D.tmp
2009-04-17 20:06 0 a------- C:\C.tmp
2009-04-17 20:06 0 a------- C:\B.tmp
2009-04-17 20:06 0 a------- C:\A.tmp
2009-04-17 20:06 0 a------- C:\9.tmp
2009-04-17 20:06 0 a------- C:\8.tmp
2009-04-17 20:06 0 a------- C:\7.tmp
2009-04-17 20:06 0 a------- C:\6.tmp
2009-04-17 20:05 38 a------- C:\5.tmp
2009-04-17 20:05 52,736 a------- C:\4.tmp
2009-04-17 20:05 23,040 a------- C:\3.tmp
2009-04-17 19:26 --d----- c:\program files\LanqiEngine
2009-04-17 19:26 3 a------- c:\windows\system32\bversion.dll
2009-04-17 19:26 735,232 a------- c:\windows\system32\AdvOcr.dll
2009-04-17 19:24 32,137,216 a------- c:\windows\system32\TRSOCR.dat
2009-04-17 19:23 565,248 a------- c:\windows\system32\IPHACTION.dll
2009-04-17 19:13 0 a------- c:\windows\system32\IpSvchostF.dll
2009-04-17 18:58 --d----- c:\docume~1\s\applic~1\Malwarebytes
2009-04-17 18:57 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-04-17 18:57 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-17 18:57 --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-04-17 18:57 --d----- c:\program files\Malwarebytes' Anti-Malware
2009-04-17 17:38 61,440 a------- c:\windows\system32\tcpd.exe
2009-04-17 17:38 21,504 a------- c:\windows\system32\AUTMGR.EXE
2009-04-17 17:38 926,720 a------- c:\windows\system32\kernel32_check.dll
2009-04-17 17:38 172,032 a------- c:\windows\system32\tcpcon.dll
2009-04-17 17:38 10,240 a------- c:\windows\system32\Packer.dll
2009-04-17 17:38 9 a------- c:\windows\system32\iphy.dll
2009-04-17 17:38 3 a------- c:\windows\system32\fhpatch.dll
2009-04-17 17:38 0 a------- c:\windows\system32\fiplock.dll
2009-04-17 17:38 --d----- c:\windows\dhcp
2009-04-17 17:37 155 a------- c:\windows\system32\SelfDel.bat
2009-04-17 15:27 2 a------- C:\549213935
2009-04-17 15:27 61,952 a------- C:\hclpsfee.exe
2009-04-17 13:16 --d----- c:\program files\TeaTimer (Spybot - Search & Destroy)
2009-04-17 13:16 --d----- c:\program files\SDHelper (Spybot - Search & Destroy)
2009-04-17 13:16 --d----- c:\program files\Misc. Support Library (Spybot - Search & Destroy)
2009-04-17 13:16 --d----- c:\program files\File Scanner Library (Spybot - Search & Destroy)
2009-04-05 14:36 754 a------- c:\windows\WORDPAD.INI
2009-04-01 19:21 198,656 a------- c:\windows\system32\CNMLM8O.DLL
2009-04-01 19:20 --d----- c:\program files\Canon

==================== Find3M ====================

2009-04-17 19:14 161,536 ac------ c:\windows\system32\drivers\ndis.sys
2009-04-17 15:26 75,776 a--sh--- c:\windows\system32\yojapuye.exe

============= FINISH: 20:13:06.92 ===============
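Two things in the DDS report above deserve a mechanical check that the HijackThis log did not show: the Winlogon Userinit value has a second executable (ntos.exe) chained after userinit.exe, and LSA Notification Packages lists two DLLs besides scecli. Both are run by Winlogon or LSA at every logon or password change, regardless of what MBAM removed from the Run keys. The "Created Last 30" section also shows bursts of files landing in System32 and the drive root at 17:38 and again at 20:05 to 20:06, separate from the MBAM and Spybot installs under Program Files, and two drivers (phe5603, restore) whose binaries DDS could not read. The Python below is an added example for this page, not DDS's or the forum's code; the sample is a subset of the report's own lines, and the stock LSA list, the meaning of the [?] marker and the burst threshold are assumptions.

```python
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Constructed sample: lines copied from the DDS report posted above (the Winlogon,
# LSA and driver lines, plus a subset of the "Created Last 30" section).
DDS_SAMPLE = r"""
mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\windows\system32\ntos.exe,
LSA: Notification Packages = scecli c:\windows\system32\hajiruno.dll ctsemp32.dll
S1 phe5603;phe5603;c:\windows\system32\drivers\phe5603.sys --> c:\windows\system32\drivers\phe5603.sys [?]
S2 NAVAPEL;NAVAPEL;c:\program files\symantec_client_security\symantec antivirus\Navapel.sys [2003-5-2 30208]
S3 restore;restore;\??\c:\windows\system32\drivers\restore.sys --> c:\windows\system32\drivers\restore.sys [?]
2009-04-17 20:06 38 a------- C:\E.tmp
2009-04-17 20:06 0 a------- C:\D.tmp
2009-04-17 20:06 0 a------- C:\C.tmp
2009-04-17 20:05 52,736 a------- C:\4.tmp
2009-04-17 18:57 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-04-17 18:57 --d----- c:\program files\Malwarebytes' Anti-Malware
2009-04-17 17:38 61,440 a------- c:\windows\system32\tcpd.exe
2009-04-17 17:38 21,504 a------- c:\windows\system32\AUTMGR.EXE
2009-04-17 17:38 926,720 a------- c:\windows\system32\kernel32_check.dll
2009-04-17 17:38 --d----- c:\windows\dhcp
2009-04-17 17:37 155 a------- c:\windows\system32\SelfDel.bat
2009-04-17 13:16 --d----- c:\program files\TeaTimer (Spybot - Search & Destroy)
2009-04-01 19:20 --d----- c:\program files\Canon
"""

CREATED = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+(?:[\d,]+\s+)?[a-z-]{8}\s+(.+)$")
SYSTEM_AREA = re.compile(r"^[a-z]:\\(windows\\|[^\\]+$)", re.I)  # %SystemRoot% or the drive root
STOCK_LSA = {"scecli"}  # assumption: the only notification package on a stock XP Professional box


def _name(path):
    return PureWindowsPath(path.strip()).name.lower()


def userinit_extras(text):
    """Executables chained after userinit.exe in the Winlogon Userinit value.
    Winlogon runs every entry at each interactive logon, so a second entry is
    persistence that a scan of the Run keys never sees."""
    for line in text.splitlines():
        if "Userinit=" in line:
            entries = [e for e in line.split("Userinit=", 1)[1].split(",") if e.strip()]
            return [_name(e) for e in entries if _name(e) != "userinit.exe"]
    return []


def lsa_extras(text):
    """Notification packages beyond the stock set. LSA hands each of them every
    password change in clear text, so an unknown entry here is a credential tap."""
    for line in text.splitlines():
        if "Notification Packages" in line:
            packages = line.split("=", 1)[1].split()
            return [_name(p) for p in packages if re.sub(r"\.dll$", "", _name(p)) not in STOCK_LSA]
    return []


def unreadable_drivers(text):
    """Service/driver names DDS marks with '[?]' (assumed: it could not find or
    read the binary the service is registered to load)."""
    return [line.split(";")[0].split()[1] for line in text.splitlines()
            if line.rstrip().endswith("[?]")]


def drop_bursts(text, min_files=3, system_only=True):
    """Bucket 'Created Last 30' entries by minute. Several files landing in
    %SystemRoot% or the drive root within one minute, with nothing installed
    under Program Files at the same time, is the footprint of a dropper run."""
    buckets = defaultdict(list)
    for line in text.splitlines():
        m = CREATED.match(line.strip())
        if not m:
            continue
        stamp, path = m.groups()
        if system_only and not SYSTEM_AREA.match(path):
            continue
        buckets[stamp].append(path)
    return {stamp: files for stamp, files in sorted(buckets.items()) if len(files) >= min_files}


if __name__ == "__main__":
    print("Userinit extras:", userinit_extras(DDS_SAMPLE))
    print("LSA extras:", lsa_extras(DDS_SAMPLE))
    print("Drivers DDS could not read:", unreadable_drivers(DDS_SAMPLE))
    for stamp, files in drop_bursts(DDS_SAMPLE).items():
        print(stamp, "->", ", ".join(PureWindowsPath(f).name for f in files))
```

On the sample this reports ntos.exe behind Userinit, hajiruno.dll and ctsemp32.dll as extra LSA packages, the two unreadable drivers, and the 17:38 and 20:06 bursts; the 18:57 MBAM install and the 13:16 Spybot install fall below the threshold or outside the system area. The timeline matters for the advice that follows: a machine that was still writing new binaries into System32 at 20:06, after two MBAM passes, is not one a scanner has finished cleaning.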

Re: need help....have a virus
Bad news. You have Virut.

It's a file infector; it has infected a lot of files that Windows needs, which can't be fixed.
See here:
http://miekiemoes.blogspot.com/2009/02/virut-and-other-file-infectors-throwing.html

Your computer has multiple infections, including a backdoor. A backdoor gives intruders complete control of your computer, logs your keystrokes, steals personal information, etc.

You are strongly advised to do the following:

  • Disconnect the computer from the Internet and from any networked computers until it is cleaned.
  • Back up all your important data except programs. The programs can be reinstalled back from the original disc or from the Net.
  • Call all your banks, financial institutions, credit card companies and inform them that you may be a victim of identity theft and put a watch on your accounts. If you don't mind the hassle, change all your account numbers.
  • From a clean computer, change all your passwords (ISP login password, your email address(es) passwords, financial accounts, PayPal, eBay, Amazon, online groups and forums and any other online activities you carry out which require a username and password).
Do NOT change your passwords from this computer as the attacker will be able to get all the new passwords and transaction records.

Due to its backdoor functionality, your computer is very likely to have been compromised and there is no way that it can be trusted again. Many experts in the security community believe that once infected with this type of Trojan, the best course of action would be to do a reformat and reinstallation of the operating system (OS).

To help you understand more, please take some time to read the following articles:

What are Remote Access Trojans and why are they dangerous
How do I respond to a possible identity theft and how do I prevent it
When should I do a reformat and reinstallation of my OS
Where to backup your files
How to backup your files in Windows XP
Restoring your backups
