Go Back   Tech Support Forum > Security Center > Virus/Trojan/Spyware Help

torrentreactor virus - kaspersky, norton, avg, hijackthis, and regedit disabled

This is a discussion on torrentreactor virus - kaspersky, norton, avg, hijackthis, and regedit disabled within the Virus/Trojan/Spyware Help forums, part of the Tech Support Forum category. I recently got a pretty nasty virus that I'm pretty sure I got from torrentreactor, who've apparently been recently hacked.


Reply
 
Thread Tools Search this Thread
Old 05-25-2009, 05:03 PM   #1
Registered Member
 
Join Date: May 2009
Posts: 5
OS: Win XP Home SP2



I recently got a pretty nasty virus that I'm pretty sure I got from torrentreactor, who've apparently been recently hacked.

My internet has been going very slow, and I see that my LAN icon is always blue (transmitting data), so I'm sure I'm sending some private information to someone and it's probably downloading more bad things to my computer as I type. Worst of all, it seems to have disabled every virus fighting tool I know (kas, norton, avg, hijackthis, and regedit, so far I've tried and they've all failed). The only one I've managed to run so far is Malware Bytes, but it isn't able to remove the virus completely. It seems to get worse every day. I normally manage to fix any virus with some help from google, but information on this one seems to be lacking. Doesn't help that I can't get its name with Kaspersky =(. I have attached my MBAM log files. The latest full scan was done in safe mode. Any help would be appreciated.

Thanks in advance.
Attached Files
File Type: txt mbam-log-2009-05-19 (06-58-24).txt (24.2 KB, 0 views)
File Type: txt mbam-log-2009-05-25 (01-38-31).txt (15.8 KB, 0 views)

__________________
BoswerLK is offline   Reply With Quote
Old 05-25-2009, 05:05 PM   #2
Registered Member
 
Join Date: May 2009
Posts: 5
OS: Win XP Home SP2



Here's the full scan in safe mode.
Attached Files
File Type: txt mbam-log-2009-05-25 (05-36-46).txt (844 Bytes, 11 views)

__________________
BoswerLK is offline   Reply With Quote
Old 05-25-2009, 05:40 PM   #3
Registered Member
 
Join Date: May 2009
Posts: 5
OS: Win XP Home SP2



Managed to run hijackthis right after running MBAM. Attaching log.



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:23:45 PM, on 5/25/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\NMSSvc.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\hkcmd.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\Pidgin\pidgin.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\WINNT\system32\NOTEPAD.EXE
C:\WINNT\regedit.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page =

http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride =

127.0.0.1
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program

Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: IEVkbdBHO - {59273ab4-e7d3-40f9-a1a8-6fa9cca1862c} - C:\Program Files\Kaspersky

Lab\Kaspersky Anti-Virus 2009\ievkbd.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program

Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} -

C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft

Money\System\mnyviewer.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program

Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [MSConfig] C:\WINNT\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User

'Default user')
O4 - Startup: regsvr32.lnk = C:\WINNT\system32\regsvr32.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1

\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program

Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} -

C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Web traffic protection statistics - {1f460357-8a94-4d71-9ca3-

aa4acf32ed8e} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\SCIEPlgn.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program

Files\AIM\aim.exe
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program

Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINNT\Network

Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} -

C:\WINNT\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Bodog Poker - {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - C:\Program

Files\Bodog Poker\BPGame.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program

Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} -

C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [searching] Search from the Address bar
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (CDownloadCtrl Object) -

http://www.fileplanet.com/fpdlmgr/ca..._2.3.2.100.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) -

http://www.update.microsoft.com/micr...uweb_site.cab?

1206779846546
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) -

http://www.update.microsoft.com/micr...uweb_site.cab?

1206779780921
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) -

http://cdn2.zone.msn.com/binFramewor...o.cab56649.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) -

http://messenger.zone.msn.com/binary...t.cab56907.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) -

https://fpdownload.macromedia.com/pu...sh/swflash.cab
O16 - DPF: {E123BED4-B8C7-42BB-958F-F13CA77EF95D} (Anark Client ActiveX Control) -

http://install.anark.com/client/vers...n/AMClient.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{2515AA29-2F54-4377-99FF-81849BE5897C}: NameServer =

192.168.1.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{BA02B79B-3DF6-4EB1-8B24-FC8B51A0A739}: NameServer =

194.54.90.226
O17 - HKLM\System\CS1\Services\Tcpip\..\{2515AA29-2F54-4377-99FF-81849BE5897C}: NameServer =

192.168.1.1
O17 - HKLM\System\CS2\Services\Tcpip\..\{2515AA29-2F54-4377-99FF-81849BE5897C}: NameServer =

192.168.1.1
O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1\mzvkbd.dll,C:\PROGRA~1\KASPER~1\KASPER~1

\mzvkbd3.dll
O23 - Service: Kaspersky Anti-Virus (avp) - Kaspersky Lab - C:\Program Files\Kaspersky

Lab\Kaspersky Anti-Virus 2009\avp.exe
O23 - Service: Background Intelligent Transfer Service (BITS) - Unknown owner - C:\WINNT\
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINNT\System32\NMSSvc.exe
O23 - Service: Performance Logs and Alerts SysmonLogRpcLocator (SysmonLogRpcLocator) -

Unknown owner - C:\WINNT\system32\1033i.exe
O23 - Service: Automatic Updates (wuauserv) - Unknown owner - C:\WINNT\

--
End of file - 5949 bytes
__________________
BoswerLK is offline   Reply With Quote
Old 05-25-2009, 07:01 PM   #4
Registered Member
 
Join Date: May 2009
Posts: 5
OS: Win XP Home SP2



Ran ComboFix. Regedit and hijackthis functionality restored. Kaspersky is still nonfunctional.
Attached Files
File Type: txt combolog.txt (16.7 KB, 1 views)
__________________
BoswerLK is offline   Reply With Quote
Old 05-27-2009, 04:20 PM   #5
Registered Member
 
Join Date: May 2009
Posts: 5
OS: Win XP Home SP2



nevermind, managed to fix everything

__________________
BoswerLK is offline   Reply With Quote
Reply

Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is on
Smilies are on
[IMG] code is on
HTML code is Off
Trackbacks are Off
Pingbacks are Off
Refbacks are Off


Post a Question


» Site Navigation
 > FAQ
  > 10.0.0.2


All times are GMT -7. The time now is 11:24 PM.


Copyright 2001 - 2014, Tech Support Forum

Windows 7 - Windows XP - Windows Vista - Trojan Removal - Spyware Removal - Virus Removal - Networking - Security - Top Web Hosts