0

Hi!


Virus Details ; Platform: Win XP

My laptop is affected by some sort of virus, and as it destroyed my AVG 8.5 free installation, I downloaded Avira Free antivirus software. This virus didn't let me install it (It blocked out all antivirus websites) and keeps downloading small 8.50 kb files (randomly named) into this directory - C:\Documents and Settings\username\Local Settings\Temp\ - besides which, it creates a folder named "Qoobox" in C:\, and different Executables in C:\WINDOWS, namely SED.exe, NIRCMD.exe, GREP.exe, TASKMAN.exe, SWSC.exe, SWREG.exe, vfind.exe, zip.exe.

I have been fighting this virus for the past 14 hours, manually altering registry keys that were infected using a standalone registry editor (not the one Windows provides, as both regedit and taskmgr have been disabled, and I cannot permanently set their reg keys back to 0x00). HijackThis showed two DPFs (O16) that were probably infected (I'll upload the log if you require it), apart from which it showed an O10 - unknown file in winsock LSP - : c:\windows\system32\nwprovau.dll (I have left this as I have NetBIOS installed). After taking the log, and fixing the above said, I ran ComboFix. The log showed some infected registry keys, all of which deal with infecting removable drives. I have manually fixed these. I have attached this log as well. The striking thing to me was that the virus made ComboFix unworkable after I used it! It now gives an error message when I open it.

The virus also renders some applications useless; e.g., I cannot run some .exe files. I looked up how the process starts using Process Explorer, and found that these programs start and then are stopped suddenly, and I just can't figure out why (or how). At first it didn't let me install Avira, so I had to carry out a manual installation, which involved extracting the setup files with WinRAR and then heading out from there. Eventually, I got it running, and did a scan of my C:\ drive, and here are the results (I'm not sure of what to do with these as it lists some very important core Windows files as being infected with the w32/Sality.Y variant of virus), which are attached below. (It's way too large to be posted.)

I have also scanned my whole computer with Malwarebytes' Anti-Malware, but that didn't show anything. Atribune's VundoFix also returned a negative.

Could somebody help me with this?

*ANY* help is appreciated!

Thanks for your time,

Amrith

Attachments
Avira AntiVir Personal

Report file date: Thursday, May 14, 2009  20:47



Scanning for 1394518 virus strains and unwanted programs.



Licensee        : Avira AntiVir Personal - FREE Antivirus

Serial number   : 0000149996-ADJIE-0000001

Platform        : Windows XP

Windows version : (Service Pack 2)  [5.1.2600]

Boot mode       : Normally booted

Username        : user

Computer name   : LAPTOP



Version information:

BUILD.DAT       : 9.0.0.394     17962 Bytes   4/17/2009 11:20:00

AVSCAN.EXE      : 9.0.3.5      466689 Bytes   4/17/2009 04:27:32

AVSCAN.DLL      : 9.0.3.0       40705 Bytes   2/27/2009 06:28:26

LUKE.DLL        : 9.0.3.2      209665 Bytes   2/20/2009 07:05:50

LUKERES.DLL     : 9.0.2.0       12033 Bytes   2/27/2009 06:28:54

ANTIVIR0.VDF    : 7.1.0.0    15603712 Bytes  10/27/2008 08:00:38

ANTIVIR1.VDF    : 7.1.2.12    3336192 Bytes   2/11/2009 16:03:28

ANTIVIR2.VDF    : 7.1.3.185   2010112 Bytes   5/12/2009 15:12:32

ANTIVIR3.VDF    : 7.1.3.206     96768 Bytes   5/14/2009 15:12:34

Engineversion   : 8.2.0.166

AEVDF.DLL       : 8.1.1.1      106868 Bytes   5/14/2009 15:13:24

AESCRIPT.DLL    : 8.1.1.81     385401 Bytes   5/14/2009 15:13:22

AESCN.DLL       : 8.1.1.10     127348 Bytes   5/14/2009 15:13:18

AERDL.DLL       : 8.1.1.3      438645 Bytes  10/29/2008 13:54:42

AEPACK.DLL      : 8.1.3.16     397686 Bytes   5/14/2009 15:13:16

AEOFFICE.DLL    : 8.1.0.36     196987 Bytes   2/26/2009 15:31:58

AEHEUR.DLL      : 8.1.0.128   1757559 Bytes   5/14/2009 15:13:10

AEHELP.DLL      : 8.1.2.2      119158 Bytes   2/26/2009 15:31:58

AEGEN.DLL       : 8.1.1.42     348531 Bytes   5/14/2009 15:12:44

AEEMU.DLL       : 8.1.0.9      393588 Bytes   10/9/2008 10:02:40

AECORE.DLL      : 8.1.6.9      176500 Bytes   5/14/2009 15:12:36

AEBB.DLL        : 8.1.0.3       53618 Bytes   10/9/2008 10:02:40

AVWINLL.DLL     : 9.0.0.3       18177 Bytes  12/12/2008 04:18:00

AVPREF.DLL      : 9.0.0.1       43777 Bytes   12/5/2008 06:02:16

AVREP.DLL       : 8.0.0.3      155905 Bytes   1/20/2009 10:04:30

AVREG.DLL       : 9.0.0.0       36609 Bytes   12/5/2008 06:02:10

AVARKT.DLL      : 9.0.0.3      292609 Bytes   3/24/2009 10:35:42

AVEVTLOG.DLL    : 9.0.0.7      167169 Bytes   1/30/2009 06:07:10

SQLITE3.DLL     : 3.6.1.0      326401 Bytes   1/28/2009 10:33:50

SMTPLIB.DLL     : 9.2.0.25      28417 Bytes    2/2/2009 03:51:34

NETNT.DLL       : 9.0.0.0       11521 Bytes   12/5/2008 06:02:12

RCIMAGE.DLL     : 9.0.0.21    2438401 Bytes    2/9/2009 07:15:46

RCTEXT.DLL      : 9.0.37.0      86785 Bytes   4/17/2009 05:49:50



Configuration settings for the scan:

Jobname.............................: ShlExt

Configuration file..................: C:\DOCUME~1\user\LOCALS~1\Temp\069e14a7.avp

Logging.............................: low

Primary action......................: interactive

Secondary action....................: ignore

Scan master boot sector.............: on

Scan boot sector....................: on

Boot sectors........................: C:, 

Process scan........................: off

Scan registry.......................: off

Search for rootkits.................: off

Integrity checking of system files..: off

Scan all files......................: Intelligent file selection

Scan archives.......................: on

Recursion depth.....................: 20

Smart extensions....................: on

Macro heuristic.....................: on

File heuristic......................: high

Deviating risk categories...........: +APPL,+GAME,+JOKE,+PCK,+SPR,



Start of the scan: Thursday, May 14, 2009  20:47



Starting the file scan:



Begin scan in 'C:\'

C:\pagefile.sys

    [WARNING]   The file could not be opened!

    [NOTE]      This file is a Windows system file.

    [NOTE]      This file cannot be opened for scanning.

C:\WINDOWS\regedit.exe

    [DETECTION] Contains code of the W32/Sality.Y Windows virus

C:\WINDOWS\system32\taskman.exe

    [DETECTION] Contains code of the W32/Sality.Y Windows virus

C:\WINDOWS\system32\MRT.exe

    [DETECTION] Contains code of the W32/Sality.Y Windows virus

C:\WINDOWS\system32\cmd.exe

    [DETECTION] Contains code of the W32/Sality.Y Windows virus

C:\WINDOWS\system32\rundll32.exe

    [DETECTION] Contains code of the W32/Sality.Y Windows virus

C:\WINDOWS\system32\taskmgr.exe

    [DETECTION] Contains code of the W32/Sality.Y Windows virus

C:\WINDOWS\system32\mshta.exe

    [DETECTION] Contains code of the W32/Sality.Y Windows virus

C:\Documents and Settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 7.3.2.6\iTunesSetupAdmin.exe

    [DETECTION] Contains code of the W32/Sality.Y Windows virus

C:\Documents and Settings\user\Local Settings\Application Data\Microsoft\CD Burning\NOUSHAD_A.K@20080614_090333\JITHUMON_V.A@20080614_085906\EEGtoGo.exe

    [DETECTION] Contains code of the W32/Sality.Y Windows virus

C:\Documents and Settings\user\Local Settings\Application Data\Mozilla\Firefox\Profiles\s9e517zf.default\Cache\C2152591d01

  [0] Archive type: RAR SFX (self extracting)

    --> 32788R22FWJFW\psexec.cfexe

      [1] Archive type: RSRC
ComboFix 09-05-13.02 - user 05/14/2009 18:21.2 - FAT32x86
Microsoft Windows XP Professional  5.1.2600.2.1252.1.1033.18.247.77 [GMT 5.5:30]
Running from: c:\documents and settings\user\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning enabled* (Outdated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
 * Created a new restore point
.

(((((((((((((((((((((((((   Files Created from 2009-04-14 to 2009-05-14  )))))))))))))))))))))))))))))))
.

2009-05-14 12:20 . 2009-05-14 12:20	--------	d-----w	C:\VundoFix Backups
2009-05-13 19:55 . 2009-05-13 19:55	--------	d-----w	c:\windows\$regcmp$
2009-05-13 15:41 . 2009-05-13 15:41	22024	----a-w	c:\windows\system32\drivers\pxscan.sys
2009-05-13 15:41 . 2009-05-13 15:41	27656	----a-w	c:\windows\system32\drivers\pxsec.sys
2009-05-13 15:40 . 2009-05-13 15:40	--------	d-----w	c:\documents and settings\All Users\Application Data\PrevxCSI
2009-05-13 04:52 . 2009-05-13 04:52	--------	d-----w	C:\downloads
2009-05-13 04:50 . 2009-05-13 04:50	--------	d-----w	c:\documents and settings\user\Local Settings\Application Data\PCHealth
2009-05-12 22:07 . 2009-05-12 22:07	--------	d-----w	c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-05-12 17:07 . 2009-05-12 17:07	--------	d-----w	c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-05-12 17:04 . 2009-05-12 17:04	--------	d-----w	c:\documents and settings\Administrator\Local Settings\Application Data\Adobe
2009-05-12 16:26 . 2009-05-12 16:26	--------	d--h--w	c:\windows\PIF
2009-05-05 20:01 . 2009-05-05 20:01	--------	d-----w	c:\program files\Common Files\NSV
2009-05-03 10:45 . 2009-05-03 10:45	--------	d-----w	c:\documents and settings\user\Application Data\codeblocks
2009-04-23 16:31 . 2009-04-23 16:31	--------	d-----w	c:\documents and settings\user\Local Settings\Application Data\Opera

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-06 14:44 . 2004-08-03 13:56	283648	----a-w	c:\windows\system32\pdh.dll
2009-03-03 00:18 . 2004-08-03 13:56	826368	----a-w	c:\windows\system32\wininet.dll
2009-02-20 18:09 . 2004-08-03 13:56	78336	----a-w	c:\windows\system32\ieencode.dll
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-03 15360]
"SpybotSD TeaTimer"="f:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-01-26 2144088]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2004-11-04 172122]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2004-11-04 761946]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-06-29 356352]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-02-02 210328]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"= 1 (0x1)
"DisableRegistryTools"= 1 (0x1)

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Exif Launcher 2.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Exif Launcher 2.lnk
backup=c:\windows\pss\Exif Launcher 2.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Orbit.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Orbit.lnk
backup=c:\windows\pss\Orbit.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"bgsvcgen"=2 (0x2)
"avg8wd"=2 (0x2)
"avg8emc"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
"UacDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusOverride"=dword:00000001
"AntiVirusDisableNotify"=dword:00000001
"FirewallDisableNotify"=dword:00000001
"FirewallOverride"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"UacDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Civilization4.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"f:\\Program Files\\iTunes\\iTunes.exe"=
"f:\\Program Files\\Orbitdownloader\\orbitdm.exe"=
"f:\\Program Files\\Orbitdownloader\\orbitnet.exe"=
"c:\\WINDOWS\\System32\\spool\\drivers\\W32X86\\3\\HP1006MC.EXE"=
"f:\\Program Files\\CCleaner\\CCleaner.exe"=
"c:\\Documents and Settings\\user\\Desktop\\KillProcess.exe"=
"c:\\Documents and Settings\\user\\Desktop\\ATF-Cleaner.exe"=
"c:\\WINDOWS\\system32\\MRT.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"f:\\Program Files\\Registrar Lite\\rl.exe"=
"f:\\Program Files\\Trend Micro\\HijackThis\\HijackThis.exe"=
"c:\\WINDOWS\\system32\\wuauclt.exe"=
"c:\\PROGRA~1\\COMMON~1\\MICROS~1\\DW\\dwtrig20.exe"=
"c:\\PROGRA~1\\COMMON~1\\MICROS~1\\DW\\DW20.EXE"=
"c:\\Program Files\\Common Files\\Microsoft Shared\\VS7DEBUG\\MDM.EXE"=
"c:\\Program Files\\QuickTime\\qttask.exe"=
"c:\\Documents and Settings\\user\\Desktop\\APT\\apt.exe"=
"c:\\Program Files\\Synaptics\\SynTP\\SynTPLpr.exe"=
"f:\\1901912.exe"=
"c:\\WINDOWS\\system32\\taskmgr.exe"=

R0 pxscan;pxscan;c:\windows\system32\drivers\pxscan.sys [5/13/2009 9:11 PM 22024]
R0 pxsec;pxsec;c:\windows\system32\drivers\pxsec.sys [5/13/2009 9:11 PM 27656]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [8/11/2008 9:21 PM 325128]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [8/11/2008 9:21 PM 107272]
R3 abp470n5;abp470n5;\??\c:\windows\system32\drivers\inmkfn.sys --> c:\windows\system32\drivers\inmkfn.sys [?]
S3 getPlus(R) Helper;getPlus(R) Helper;c:\program files\NOS\bin\getPlus_HelperSvc.exe [10/13/2008 1:20 PM 33752]
S4 avg8emc;AVG8 E-mail Scanner;f:\progra~1\AVG\AVG8\avgemc.exe --> f:\progra~1\AVG\AVG8\avgemc.exe [?]
S4 avg8wd;AVG8 WatchDog;f:\progra~1\AVG\AVG8\avgwdsvc.exe --> f:\progra~1\AVG\AVG8\avgwdsvc.exe [?]
S4 CSIScanner;CSIScanner;"c:\program files\Prevx\prevx.exe" /service --> c:\program files\Prevx\prevx.exe [?]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - ABP470N5

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{152b27a4-b9fb-11dd-bdc2-0014381e0905}]
\Shell\AutoRun\command - H:\browsercall.exe Ursocol SR.jpg

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{19501a68-5f8f-11dd-bcc2-0014381e0905}]
\Shell\Auto\command - H:\MicrosoftPowerPoint.exe
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL MicrosoftPowerPoint.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2355968c-2321-11dd-bc55-0014381e0905}]
\Shell\Auto\command - H:\MicrosoftPowerPoint.exe
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL MicrosoftPowerPoint.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6d6a8cbe-36a4-11dd-bc71-0014381e0905}]
\Shell\Auto\command - H:\MicrosoftPowerPoint.exe
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL MicrosoftPowerPoint.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{97ef806e-ee89-11dd-be20-0014381e0905}]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL regsvr.exe
\Shell\Open\command - regsvr.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{abcd2c2e-5a39-11dd-bca1-0014a517c7ec}]
\Shell\Auto\command - H:\MicrosoftPowerPoint.exe
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL MicrosoftPowerPoint.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{bde17f26-b88d-11dc-bba9-0014381e0905}]
\Shell\Auto\command - H:\MicrosoftPowerPoint.exe
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL MicrosoftPowerPoint.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ce30f0ac-87bc-11dc-bb0a-0014a517c7ec}]
\Shell\auto\command - H:\SVCH0ST.EXE e
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL SVCH0ST.EXE e

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d2f779fc-29a6-11de-bee9-0014381e0905}]
\Shell\AutoRun\command - H:\loader.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d2f779fd-29a6-11de-bee9-0014381e0905}]
\Shell\AutoRun\command - xwatmaf.exe
\Shell\explore\Command - xwatmaf.exe
\Shell\open\Command - xwatmaf.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f50b00c6-c73d-11dc-bbda-0014381e0905}]
\Shell\Auto\command - H:\MicrosoftPowerPoint.exe
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL MicrosoftPowerPoint.exe
.
- - - - ORPHANS REMOVED - - - -

Notify-avgrsstarter - (no file)


.
------- Supplementary Scan -------
.
uInternet Settings,ProxyServer = 192.168.1.34:8080
IE: &Download by Orbit - f:\program files\Orbitdownloader\orbitmxt.dll/201
IE: &Grab video by Orbit - f:\program files\Orbitdownloader\orbitmxt.dll/204
IE: Do&wnload s
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:27:25 PM, on 5/14/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
F:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\notepad.exe
C:\Documents and Settings\user\Desktop\APT\apt.exe
F:\Program Files\Spybot - Search & Destroy\SDShred.exe
F:\Program Files\Registrar Lite\rl.exe
C:\DOCUME~1\user\LOCALS~1\Temp\fmtewm.exe
F:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.1.34:8080
O2 - BHO: btorbit.com - {000123B4-9B42-4900-B3F7-F4B073EFC214} - F:\Program Files\Orbitdownloader\orbitcth.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - F:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Grab Pro - {C55BBCD6-41AD-48AD-9953-3609C48EACC7} - F:\Program Files\Orbitdownloader\GrabPro.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] F:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: &Download by Orbit - res://F:\Program Files\Orbitdownloader\orbitmxt.dll/201
O8 - Extra context menu item: &Grab video by Orbit - res://F:\Program Files\Orbitdownloader\orbitmxt.dll/204
O8 - Extra context menu item: Do&wnload selected by Orbit - res://F:\Program Files\Orbitdownloader\orbitmxt.dll/203
O8 - Extra context menu item: Down&load all by Orbit - res://F:\Program Files\Orbitdownloader\orbitmxt.dll/202
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - F:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - F:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - http://172.16.0.6/ami/install/msxml4.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://wwwimages.adobe.com/www.adobe.com/products/acrobat/nos/gp.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: getPlus(R) Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe

--
End of file - 5926 bytes
0

Hi!

A quick Update: I got the Task Manager and Registry Editor up and running! ... but the virus is still there :(

0

Update 2: Uninstalled Avira... Sorry about that, but when I restarted the computer, it sort of went haywire - It kept popping up lots of windows asking me whether I should run a certain program/process and it also was adamant that its own setup file was a W32/Sality.Y

Also, my laptop seems to be stable, but I still cannot start some applications. I've also destroyed some suspect files (including 1 autorun.exe)...

0

We would prefer that you copy/paste logs, not upload them. By not having to open an attached file this protects the helper or others reading the post from possibly opening an infected file.
FYI,
Your infected O16 files are legitimate files and not infections.
Your Unknown O10 listing is also legitimate: Microsoft Client Services for NetWare.

May I ask where you got the information on the various files you list?
Qoobox is NOT created by your virus, it is the quarantine file created by Combofix. Who told you to run Combofix? It was run incorrectly by the way.
Also created by Combofix: NIRCMD.exe
You obviously have run a multitude of programs and attempted registry fixes that we know nothing about or how or why you did them.
One reason fixes won't work is you are running Spybot TeaTimer which INTERFERES with fixes attempted on many items.
I would like to see the MBA-M log and also the log containing the O16 infected files you mention since the ones in the log you have attached are NOT infections.

0

Hi!

Thanks for your reply.

The registry fixes that I had carried out are listed in the ComboFix log, as I had mentioned:

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{152b27a4-b9fb-11dd-bdc2-0014381e0905}]
\Shell\AutoRun\command - H:\browsercall.exe Ursocol SR.jpg

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{19501a68-5f8f-11dd-bcc2-0014381e0905}]
\Shell\Auto\command - H:\MicrosoftPowerPoint.exe
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL MicrosoftPowerPoint.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2355968c-2321-11dd-bc55-0014381e0905}]
\Shell\Auto\command - H:\MicrosoftPowerPoint.exe
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL MicrosoftPowerPoint.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6d6a8cbe-36a4-11dd-bc71-0014381e0905}]
\Shell\Auto\command - H:\MicrosoftPowerPoint.exe
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL MicrosoftPowerPoint.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{97ef806e-ee89-11dd-be20-0014381e0905}]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL regsvr.exe
\Shell\Open\command - regsvr.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{abcd2c2e-5a39-11dd-bca1-0014a517c7ec}]
\Shell\Auto\command - H:\MicrosoftPowerPoint.exe
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL MicrosoftPowerPoint.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{bde17f26-b88d-11dc-bba9-0014381e0905}]
\Shell\Auto\command - H:\MicrosoftPowerPoint.exe
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL MicrosoftPowerPoint.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ce30f0ac-87bc-11dc-bb0a-0014a517c7ec}]
\Shell\auto\command - H:\SVCH0ST.EXE e
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL SVCH0ST.EXE e

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d2f779fc-29a6-11de-bee9-0014381e0905}]
\Shell\AutoRun\command - H:\loader.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d2f779fd-29a6-11de-bee9-0014381e0905}]
\Shell\AutoRun\command - xwatmaf.exe
\Shell\explore\Command - xwatmaf.exe
\Shell\open\Command - xwatmaf.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f50b00c6-c73d-11dc-bbda-0014381e0905}]
\Shell\Auto\command - H:\MicrosoftPowerPoint.exe
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL MicrosoftPowerPoint.exe

I set all the above data values (of REG_SZ type) to "" (NULL, size = 1). I did this because I was pretty sure that these would infect any removable disks I attach to my computer.

I am aware that O10 and O16 entries can be legit, but the O16 entries that I had deleted were :
1) file:///G:/CDVIEWER/Cdviewer.cab - I'm pretty sure that this is some sort of malware/spyware program

2) amiviewer.cab

I left the O10 entry alone: The entry was :
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll

I hadn't saved that particular HiJackThis log file, but I had a look at the backups saved on HiJackThis, and those were the changes that I had made.

I thought that I had turned off SpyBot's TeaTimer service, but I hadn't checked it before running ComboFix (it didn't give a warning either, so I might have overlooked this), sorry about that.

I wasn't aware that Qoobox and NIRCMD.exe were created by ComboFix, thanks for the info :)

There was also another folder with "Qoobox" that was called "32788R22FWJFW", which I had also deleted.

Thanks,

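The mountpoints2 entries quoted in this reply are per-volume shell-verb overrides: when a drive with that GUID is mounted, Explorer runs the AutoRun/open/explore command instead of its default action. The helper below is an added example, written for this thread and not part of ComboFix, HijackThis or any tool named here; it parses mountpoints2 entries and HijackThis lines from pasted log text and flags the traits visible in the logs above. The sample text is constructed from lines in this thread, and the flagging rules (launch from a non-C: volume, bare filename resolved on the mounted volume, rundll32 ShellExec_RunDLL indirection, digit-for-letter lookalikes of system binaries, processes running from the user Temp directory, O7 policies that disable admin tools) are the author's own triage heuristics, not anything defined by those tools.

```python
import re

# Constructed sample: mountpoints2 entries of the kind shown in the ComboFix
# log above (removable-drive autorun overrides) and a few HijackThis lines.
COMBOFIX_SAMPLE = r"""
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{152b27a4-b9fb-11dd-bdc2-0014381e0905}]
\Shell\AutoRun\command - H:\browsercall.exe Ursocol SR.jpg

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ce30f0ac-87bc-11dc-bb0a-0014a517c7ec}]
\Shell\auto\command - H:\SVCH0ST.EXE e
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL SVCH0ST.EXE e

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d2f779fd-29a6-11de-bee9-0014381e0905}]
\Shell\AutoRun\command - xwatmaf.exe
\Shell\explore\Command - xwatmaf.exe
\Shell\open\Command - xwatmaf.exe
"""

HIJACKTHIS_SAMPLE = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
C:\DOCUME~1\user\LOCALS~1\Temp\winqfwl.exe
F:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
"""

# System binaries that malware names are often made to resemble (assumed list).
SYSTEM_NAMES = {"svchost", "explorer", "lsass", "csrss", "winlogon", "services"}
# Digit-for-letter substitutions to undo when checking for lookalikes.
LOOKALIKE = str.maketrans({"0": "o", "1": "l", "5": "s"})

_KEY_RE = re.compile(r"^\[.*\\mountpoints2\\(\{[0-9a-f-]+\})\]$", re.I)
_CMD_RE = re.compile(r"^\\Shell\\(\w+)\\command - (.+)$", re.I)
_TEMP_RE = re.compile(r"\\Local Settings\\Temp\\|\\LOCALS~1\\Temp\\", re.I)


def parse_mountpoints(text):
    """Return (volume_guid, verb, command) for every mountpoints2 shell override."""
    entries, guid = [], None
    for line in text.splitlines():
        line = line.rstrip()
        key = _KEY_RE.match(line)
        if key:
            guid = key.group(1)
            continue
        cmd = _CMD_RE.match(line)
        if cmd and guid:
            entries.append((guid, cmd.group(1).lower(), cmd.group(2)))
    return entries


def triage_mountpoint(command):
    """List the reasons a mountpoints2 command looks like an autorun infection."""
    reasons = []
    if re.search(r"rundll32\.exe\s+shell32\.dll,shellexec_rundll", command, re.I):
        reasons.append("indirect launch through rundll32 ShellExec_RunDLL")
    # The executable actually launched is the last .exe token (paths with
    # spaces are not handled; none appear in these logs).
    exes = re.findall(r"[\w\\:.~-]*\.exe", command, re.I)
    target = exes[-1] if exes else command.split()[0]
    drive = re.match(r"^([A-Za-z]):\\", target)
    if drive and drive.group(1).upper() != "C":
        reasons.append(f"executable launched from volume {drive.group(1).upper()}:")
    elif not drive and "\\" not in target:
        reasons.append("bare filename resolved on the mounted volume")
    base = target.rsplit("\\", 1)[-1].lower()
    stem = base[:-4] if base.endswith(".exe") else base
    if stem not in SYSTEM_NAMES and stem.translate(LOOKALIKE) in SYSTEM_NAMES:
        reasons.append(f"{base} mimics {stem.translate(LOOKALIKE)}.exe")
    return reasons


def triage_hijackthis(text):
    """Flag Temp-directory processes and O7 policies that disable admin tools."""
    findings, in_procs = [], False
    for line in text.splitlines():
        line = line.strip()
        if line.lower() == "running processes:":
            in_procs = True
            continue
        if not line:
            in_procs = False
            continue
        if in_procs and _TEMP_RE.search(line):
            findings.append((line, "process running from the user Temp directory"))
        elif line.startswith("O7 -") and re.search(r"Disable(Regedit|TaskMgr|RegistryTools)=1", line):
            findings.append((line, "policy disables a built-in admin tool"))
    return findings


if __name__ == "__main__":
    for guid, verb, command in parse_mountpoints(COMBOFIX_SAMPLE):
        print(guid, verb, command, "->", "; ".join(triage_mountpoint(command)) or "no finding")
    for line, why in triage_hijackthis(HIJACKTHIS_SAMPLE):
        print(line, "->", why)
```

Run against the full ComboFix and HijackThis text pasted in this thread, the script lists every override as a candidate for removal together with the reason; the volume GUIDs themselves are how Windows remembers each removable disk, so they are a record of which disks have been plugged in, not infections in their own right.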
0

We are at a REAL disadvantage here. You have done steps prior to coming here; we cannot see those logs, and the info you have given me is basically incomplete. The two O16 items you say you removed were not necessarily infected files; both refer to the AMI Picture Viewer when just searching for the NAME of the file. But that is not all we use to research; we use the full entry from the log. You have no logs.
The infected files you say were created by the virus don't show in the combofix log at all, they should have shown there. Is this the only run of combofix you did?
You have not posted a MBA-M log.
I am very hesitant to offer any suggestions, what with the registry edits and various tools you have run.

0

Okay, let's start afresh:

1. I first uninstalled extra/unnecessary programs that I had installed after I noticed the virus.

2. I took a fresh HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:27:12 PM, on 5/15/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\ctfmon.exe
F:\Program Files\Orbitdownloader\orbitdm.exe
F:\Program Files\Orbitdownloader\orbitnet.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
F:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\DOCUME~1\user\LOCALS~1\Temp\winqfwl.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.1.34:8080
O2 - BHO: btorbit.com - {000123B4-9B42-4900-B3F7-F4B073EFC214} - F:\Program Files\Orbitdownloader\orbitcth.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: Grab Pro - {C55BBCD6-41AD-48AD-9953-3609C48EACC7} - F:\Program Files\Orbitdownloader\GrabPro.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Orbit.lnk = F:\Program Files\Orbitdownloader\orbitdm.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: &Download by Orbit - res://F:\Program Files\Orbitdownloader\orbitmxt.dll/201
O8 - Extra context menu item: &Grab video by Orbit - res://F:\Program Files\Orbitdownloader\orbitmxt.dll/204
O8 - Extra context menu item: Do&wnload selected by Orbit - res://F:\Program Files\Orbitdownloader\orbitmxt.dll/203
O8 - Extra context menu item: Down&load all by Orbit - res://F:\Program Files\Orbitdownloader\orbitmxt.dll/202
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - http://172.16.0.6/ami/install/msxml4.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://wwwimages.adobe.com/www.adobe.com/products/acrobat/nos/gp.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{67F09C9D-70DD-42D4-A622-6ED8BC2543A2}: NameServer = 203.90.87.121
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: getPlus(R) Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe

--
End of file - 5142 bytes

*Note*: The HijackThis Entry
C:\DOCUME~1\user\LOCALS~1\Temp\winqfwl.exe is the randomly named 8.50 kb file that keeps appearing in my Current User Temp folder, that I had made an earlier reference to.

3. I then did an M-BAM scan, which found two errors, namely the registry keys that alter the visibility of Task Manager and Registry Editor. Below is the scan log:

Malwarebytes' Anti-Malware 1.33
Database version: 1720
Windows 5.1.2600 Service Pack 2

5/15/2009 9:54:00 PM
mbam-log-2009-05-15 (21-54-00).txt

Scan type: Full Scan (C:\|D:\|E:\|F:\|)
Objects scanned: 116455
Time elapsed: 25 minute(s), 19 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools (Hijack.Regedit) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

That's about what has happened in the past 14 hours...

Could you help me out with this?

Thanks for your time,

Amrith

0

A quick update:

This is my HiJackThis log file after the M-BAM scan:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:26:23 PM, on 5/15/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\ctfmon.exe
F:\Program Files\Orbitdownloader\orbitdm.exe
F:\Program Files\Orbitdownloader\orbitnet.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\WINDOWS\system32\wuauclt.exe
C:\DOCUME~1\user\LOCALS~1\Temp\winsujox.exe
F:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.1.34:8080
O2 - BHO: btorbit.com - {000123B4-9B42-4900-B3F7-F4B073EFC214} - F:\Program Files\Orbitdownloader\orbitcth.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: Grab Pro - {C55BBCD6-41AD-48AD-9953-3609C48EACC7} - F:\Program Files\Orbitdownloader\GrabPro.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Orbit.lnk = F:\Program Files\Orbitdownloader\orbitdm.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: &Download by Orbit - res://F:\Program Files\Orbitdownloader\orbitmxt.dll/201
O8 - Extra context menu item: &Grab video by Orbit - res://F:\Program Files\Orbitdownloader\orbitmxt.dll/204
O8 - Extra context menu item: Do&wnload selected by Orbit - res://F:\Program Files\Orbitdownloader\orbitmxt.dll/203
O8 - Extra context menu item: Down&load all by Orbit - res://F:\Program Files\Orbitdownloader\orbitmxt.dll/202
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - http://172.16.0.6/ami/install/msxml4.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://wwwimages.adobe.com/www.adobe.com/products/acrobat/nos/gp.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{67F09C9D-70DD-42D4-A622-6ED8BC2543A2}: NameServer = 203.90.87.121
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: getPlus(R) Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe

--
End of file - 5125 bytes

Thanks!

Amrith

0

Hi!

I just checked if my M-BAM was up to date, and it turns out that it wasn't. So I did another M-BAM / HijackThis scan and here are the logs:

1. M-BAM Log

Malwarebytes' Anti-Malware 1.36
Database version: 2135
Windows 5.1.2600 Service Pack 2

5/15/2009 11:01:46 PM
mbam-log-2009-05-15 (23-01-46).txt

Scan type: Full Scan (C:\|D:\|E:\|F:\|)
Objects scanned: 150784
Time elapsed: 14 minute(s), 50 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 5
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools (Hijack.Regedit) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

2. HijackThis Log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:05:48 PM, on 5/15/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\ctfmon.exe
F:\Program Files\Orbitdownloader\orbitdm.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
F:\Program Files\Orbitdownloader\orbitnet.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
F:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.1.34:8080
O2 - BHO: btorbit.com - {000123B4-9B42-4900-B3F7-F4B073EFC214} - F:\Program Files\Orbitdownloader\orbitcth.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: Grab Pro - {C55BBCD6-41AD-48AD-9953-3609C48EACC7} - F:\Program Files\Orbitdownloader\GrabPro.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Orbit.lnk = F:\Program Files\Orbitdownloader\orbitdm.exe
O8 - Extra context menu item: &Download by Orbit - res://F:\Program Files\Orbitdownloader\orbitmxt.dll/201
O8 - Extra context menu item: &Grab video by Orbit - res://F:\Program Files\Orbitdownloader\orbitmxt.dll/204
O8 - Extra context menu item: Do&wnload selected by Orbit - res://F:\Program Files\Orbitdownloader\orbitmxt.dll/203
O8 - Extra context menu item: Down&load all by Orbit - res://F:\Program Files\Orbitdownloader\orbitmxt.dll/202
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - http://172.16.0.6/ami/install/msxml4.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://wwwimages.adobe.com/www.adobe.com/products/acrobat/nos/gp.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{67F09C9D-70DD-42D4-A622-6ED8BC2543A2}: NameServer = 203.90.87.121
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: getPlus(R) Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe

--
End of file - 4979 bytes

Thanks!

Amrith
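A small triage script over HijackThis logs in the layout posted above, as an added example (not code from this thread or from Trend Micro): it parses the running-process list and the Rn/On entries and flags the items a helper looks at first, such as an executable running from the Temp folder, an O7 policy restriction, an unknown O10 LSP, and O16/O17/proxy entries that reference an IP address. The embedded log excerpt is constructed from lines that appear in this thread.

```python
import re
from ipaddress import ip_address

# Constructed excerpt of a HijackThis 2.0.2 log, in the layout used by the logs in this thread.
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:27:12 PM, on 5/15/2009

Running processes:
C:\WINDOWS\System32\smss.exe
F:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\DOCUME~1\user\LOCALS~1\Temp\winqfwl.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.1.34:8080
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - http://172.16.0.6/ami/install/msxml4.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{67F09C9D-70DD-42D4-A622-6ED8BC2543A2}: NameServer = 203.90.87.121
"""

ENTRY_RE = re.compile(r"^([RO]\d+) - (.*)$")      # "O7 - ..." style entries
TEMP_RE = re.compile(r"\\temp\\", re.I)            # any path component named Temp
IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")  # dotted-quad IPv4 address


def parse_hjt(text):
    """Split a HijackThis log into (running process paths, [(code, body), ...])."""
    processes, entries, in_procs = [], [], False
    for line in text.splitlines():
        line = line.rstrip()
        if line == "Running processes:":
            in_procs = True
        elif in_procs and line:
            processes.append(line)
        elif in_procs:
            in_procs = False  # the first blank line closes the process list
        elif (m := ENTRY_RE.match(line)):
            entries.append((m.group(1), m.group(2)))
    return processes, entries


def triage(text):
    """Return (code, reason, detail) tuples for the entries worth reviewing first."""
    processes, entries = parse_hjt(text)
    findings = []
    for path in processes:
        # A randomly named executable running from a user's Temp folder is the pattern in this thread.
        if TEMP_RE.search(path):
            findings.append(("PROC", "executable running from a Temp directory", path))
    for code, body in entries:
        if code == "O7":
            # Policies hiding regedit/Task Manager are a classic tampering sign, rarely a user choice.
            findings.append((code, "policy restriction set on this account", body))
        elif code == "O10":
            findings.append((code, "unrecognised Winsock LSP; verify the DLL is a legitimate provider", body))
        elif code in ("O16", "O17") or "ProxyServer" in body:
            # A DPF download from a bare IP, a hard-coded DNS server or a proxy must match what the
            # network owner expects; it is flagged for review, not declared malicious.
            ip = IP_RE.search(body)
            if ip:
                kind = "private" if ip_address(ip.group(1)).is_private else "public"
                findings.append((code, f"references a {kind} IP address; confirm it is expected", body))
    return findings


if __name__ == "__main__":
    for code, reason, detail in triage(SAMPLE_LOG):
        print(f"[{code}] {reason}\n      {detail}")
```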

0

Just wanted to check your geographic location before I had you fix something that wasn't needed...it wasn't. The logs look so-so...EXCEPT...you are not running an anti-virus program, nor do I see a firewall on the machine. These are ABSOLUTE MUSTS otherwise all this fixing is for absolutely nothing.
There are many good, FREE anti-virus programs and FREE firewalls out there;
Pick one of each, download, install, update, enable...AND USE THEM...
Avira Free Anti-virus

Avast Free Anti-virus

Online Armor Free Firewall

Comodo Free Firewall

then do a new HJT scan and post back here with that log.

0

Hi!

Thanks for your reply. I tried downloading BOTH antivirus software, but they do not install (I get the setup screen, and then the process suddenly disappears). The same holds true for many executables (especially antivirus software) that I have (I should mention that I have AVG 8.5 AV Professional Edition, but even that doesn't install). On my other computers (I have two desktop PCs at home), I have AVG 8.5 installed on one and ZoneAlarm Security Suite on the other. I tried installing both these on my laptop, but both fail as well.

Any ideas on how to resolve this?

PS: I have PCTools SpyDoctor that I've stopped using on my old Desktop PC, and I tried installing that on the Laptop too, but it just doesn't seem to work :(

PPS: AVG 7.5 was installed on the Laptop before, but the virus stopped me from even opening the main screen, let alone running a scan. So that's why I uninstalled it in the first place...
