Virus/Spyware preventing access to Anti-Virus/Microsoft files

Old 11-11-2009, 09:48 AM   #1
Guest
Join Date: Nov 2009
Posts: 6
Hi,

My desktop PC running on Windows XP Professional with SP3 is infected with some kind of virus/spyware that prevents access to anti virus sites.

The virus has also corrupted the McAfee VirusScan binary and prevents access to sites which clean spyware/malware. I have Malwarebytes' Anti-Malware and SuperAntiSpyware installed, but they cannot update their definitions since the virus attack started about 1 week ago.

I have made several attempts to clean the virus/malware using the above anti-spyware tools (the McAfee scan is corrupted and won't start). The anti-spyware finds a few worms and trojans and says that it cleaned them, but they keep coming back. I ran the scan in Safe Mode with/without an internet connection, but that didn't help.

I have ZoneAlarm installed but think that it is also infected.

Following are the main symptoms I see

1. No visible error messages/pop ups during bootup.

2. After booting I see quite a few new programs, mainly from the "C:/windows/system32/temp" dir trying to access the internet. Zone Alarm blocks them.

3. After doing a Google search in IE, if I click any website link, it is redirected to another random site. Sometimes opening the link in another IE window helps (right click -> "open in new window"). I cannot access Microsoft or any anti-virus/spyware related website.

4. Many times a pop up message saying "my computer may be infected with spyware" shows up and asks for running a scan. Initially I said "OK" but then when I saw that it starts to download a file, I stopped saying "OK"

5. Sometimes a few shortcuts to adult websites appear on my desktop after bootup.

I tried to backup a couple of my files from my desktop to office PC using pen drive. The office PC has "Symantec" anti-virus and detected "W32.Virut.CF" virus and successfully cleaned the pen drive.
When I tried to clean that specific virus on my desktop using Symantec's "FixVirut.com" it didn't help and I still see the above symptoms.

I'm running a genuine version of windows XP and have the original installation CD (from 2004).

Appreciate any help you can provide. Thanks !

I'm attaching the initial scan logs as requested by this forum.


DDS (Ver_09-10-26.01) - NTFSx86
Run by bibtya at 2239.34 on Tue 11/10/2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_07
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1640 [GMT -5:00]

FW: ZoneAlarm Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Hummingbird\Connectivity\9.00\Exceed\HumDisplayServer.exe
C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\CTHELPER.EXE
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\vVX3000.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Common Files\Teleca Shared\CapabilityManager.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\WINDOWS\TEMP\VRT4.tmp
C:\PROGRA~1\WinZip\winzip32.exe
C:\Documents and Settings\bibtya\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://mail.yahoo.com/
uSearch Page = hxxp://us.rd.yahoo.com/customize/ie/defaults/sp/msgr7/*https://www.yahoo.com
uDefault_Page_URL = hxxp://www.dell4me.com/myway
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
uSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*https://www.yahoo.com/ext/search/search.html
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr7/*https://www.yahoo.com/ext/search/search.html
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = local;*.local
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*https://www.yahoo.com
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
TB: ZoneAlarm Spy Blocker: {f0d4b239-da4b-4daf-81e4-dfee4931a4aa} - c:\program files\zonealarmsb\bar\1.bin\SPYBLOCK.DLL
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
EB: {4528BBE0-4E08-11D5-AD55-00010333D0AD} - No File
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [IridiumTimeWizard] c:\documents and settings\bibtya\local settings\temporary internet files\content.ie5\oxq38pmz\iridium.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [SetDefaultMIDI] MIDIDef.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [<NO NAME>]
mRun: [Sony Ericsson PC Suite] "c:\program files\sony ericsson\mobile2\application launcher\Application Launcher.exe" /startoptions
mRun: [CTHelper] CTHELPER.EXE
mRun: [CTxfiHlp] CTXFIHLP.EXE
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.6.0_07\bin\jusched.exe"
mRun: [LELA] "c:\program files\linksys\linksys easylink advisor\Linksys EasyLink Advisor.exe" /minimized
mRun: [LogitechVideoRepair] c:\program files\logitech\video\ISStart.exe
mRun: [LogitechVideoTray] c:\program files\logitech\video\LogiTray.exe
mRun: [Ad-Watch] c:\program files\lavasoft\ad-aware\AAWTray.exe
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRun: [VX3000] c:\windows\vVX3000.exe
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - https://wwws.musicmatch.com/mmz/openWebRadio.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} - hxxp://www.loksatta.com/daily/dynamic/wfplayer/tdserver.cab
DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - hxxp://static.35mb.com/applet/applet_l.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} -
DPF: {2E12FB00-546B-4EE3-9CC2-057BF02E1C17} - hxxp://community.webshots.com/html/atx/wsaxcontrol.cab
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} - hxxp://dl.tvunetworks.com/TVUAx.cab
DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://www.snapfish.com/SnapfishActivia.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {8D9563A9-8D5F-459B-87F2-BA842255CB9A} - hxxps://www.notesathome.com/InternalSite/WhlCompMgr.cab
DPF: {8FEFF364-6A5F-4966-A917-A3AC28411659} - hxxp://download.sopcast.com/download/SOPCORE.CAB
DPF: {9B03C5F1-F5AB-47EE-937D-A8EDA626F876} - hxxp://download.zonelabs.com/bin/promotions/spywaredetector/WebAAS.cab
DPF: {9FC5238F-12C4-454F-B1B5-74599A21DE47} - hxxp://community.webshots.com/html/WSPhotoUploader.CAB
DPF: {A903E5AB-C67E-40FB-94F1-E1305982F6E0} - hxxp://ucricket.com/livetv.ocx
DPF: {CAFEEFAC-0014-0001-0003-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {D4003189-95B1-4A2F-9A87-F2B03665960D} - hxxp://vexcast.com/download/vexcast.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} -
DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} - hxxp://pdl.stream.aol.com/downloads/aol/unagi/ampx_en_dl.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
AppInit_DLLs: c:\windows\system32\kbdnet.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
mASetup: {27E53DCF-6B78-4088-BE71-5CA5CDCB2624} - rundll32 pcfr32.dll,laspi

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\bibtya\applic~1\mozilla\firefox\profiles\ic0lm3jt.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search/?fr=ffsp1&p=
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - www.google.com
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search/?fr=ffds1&p=
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npclntax.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npicaN.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPZoneSB.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: network.proxy.type - 0
FF - user.js: network.proxy.http -
user_pref(network.proxy.http_port,);
FF - user.js: network.proxy.no_proxies_on -
c:\program files\mozilla firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CIDFE0BD779-44EE-4A4B-AA2E-743C63F2E5E6", "AllAccess");

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-2-28 64160]
R0 NaiFsRec;NaiFsRec;c:\windows\system32\drivers\naifsrec.sys [2001-4-30 4512]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-10-12 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-10-12 74480]
R2 AvSynMgr;AVSync Manager;c:\program files\network associates\virusscan\Avsynmgr.exe [2001-11-26 176128]
R2 HumDisplayServer;Hummingbird Exceed Display Management;c:\program files\hummingbird\connectivity\9.00\exceed\HumDisplayServer.exe [2003-7-23 73728]
S2 2D4844BE;2D4844BE;c:\windows\system32\2d4844be.exe -service --> c:\windows\system32\2D4844BE.EXE -service [?]
S2 vvdsvc;VJVodClientServices;c:\windows\system32\svchost.exe -k vvdsvc [2004-8-4 34304]
S3 DMService;Whale Component Manager;c:\windows\downlo~1\DMService.exe [2008-7-11 423576]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-1-18 1029456]
S3 NaiFiltr;NaiFiltr;c:\program files\common files\network associates\mcshield\naifiltr.sys [2001-11-26 23856]
S3 NPF;Netgroup Packet Filter;c:\windows\system32\drivers\packet.sys [2003-8-13 13203]
S3 OMVA;VPN-1 SecureClient Adapter;c:\windows\system32\drivers\OMVA.sys [2005-2-5 14924]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-10-12 7408]
S3 UsbCmxp;Scientific Atlanta WebSTAR 2000 series Cable Modem;c:\windows\system32\drivers\sacmxp2.sys [2004-11-6 14336]

=============== Created Last 30 ================

2009-11-11 03:03:54 0 d-----w- c:\program files\Protection System
2009-11-11 03:03:54 0 ----a-w- c:\windows\SC.INS
2009-11-11 03:03:54 0 ----a-w- c:\windows\sc.exe
2009-11-08 02:37:27 52 ----a-w- c:\windows\system32\4E.tmp
2009-11-08 02:20:13 0 d-----w- c:\program files\Trend Micro
2009-11-08 02:01:19 0 d-----w- c:\program files\ThreatFire
2009-11-08 01:51:16 52 ----a-w- c:\windows\system32\3A.tmp
2009-11-07 03:17:18 0 d-----w- c:\program files\AskBarDis
2009-11-07 02:18:13 0 d-----w- c:\program files\common files\Wise Installation Wizard
2009-11-07 01:33:06 0 ----a-w- c:\windows\system32\A2.tmp
2009-11-07 01:33:04 52 ----a-w- c:\windows\system32\A0.tmp
2009-11-07 01:32:48 348 ----a-w- c:\windows\system32\uses32.dat
2009-11-07 01:32:48 100 ----a-w- c:\windows\system32\flags.ini
2009-10-25 14:25:33 115224 ----a-w- C:\img2-001.raw
2009-10-25 13:35:18 0 d--h--w- C:\VJVod_Cache
2009-10-25 04:55:46 0 d-----w- c:\windows\system32\nagasoft
2009-10-20 14:18:02 1 ----a-w- c:\windows\system32\blt.dat
2009-10-19 23:38:21 3 ----a-w- c:\windows\system32\o6.dat
2009-10-19 23:37:58 1 ----a-w- c:\windows\system32\qsf.dat
2009-10-19 23:37:58 1 ----a-w- c:\windows\system32\jl.dat
2009-10-19 23:37:58 1 ----a-w- c:\windows\system32\fcd.dat
2009-10-19 23:17:42 6967 ----a-w- c:\windows\system32\lknm

==================== Find3M ====================

2009-11-07 03:16:56 4212 ---ha-w- c:\windows\system32\zllictbl.dat
2009-10-22 09:19:04 5939712 ------w- c:\windows\system32\dllcache\mshtml.dll
2009-09-11 14:18:39 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-11 14:18:39 136192 ------w- c:\windows\system32\dllcache\msv1_0.dll
2009-09-04 21:03:36 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-09-04 21:03:36 58880 ------w- c:\windows\system32\dllcache\msasn1.dll
2009-08-28 10:35:52 193024 ------w- c:\windows\system32\dllcache\ie4uinit.exe
2009-08-26 08:00:21 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-08-26 08:00:21 247326 ------w- c:\windows\system32\dllcache\strmdll.dll
2008-03-07 23:33:06 104 ----a-w- c:\program files\My Network Places.lnk
2008-08-05 14:16:40 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008080520080806\index.dat

============= FINISH: 22:08:38.89 ===============
Attached Files: attach.zip (4.5 KB)
bibtya015 is offline
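The DDS log above is long, and most of it is normal XP-era noise (Java, Real, Creative, Logitech). A practical way to triage such a log is to split it into its sections and apply a few low-false-positive rules: executables running from TEMP or Temporary Internet Files, Run keys that point there, a non-empty AppInit_DLLs value, services with random 8-hex-character names that DDS could not stat (the "[?]" marker), and fresh .tmp/.dat/extension-less files dropped directly into system32. The following is an added example (not part of the original post and not a DDS or forum tool); it embeds a trimmed excerpt of the log posted above as its sample input, and the rule set is an assumption about what is worth a second look, not a verdict on any entry.

```python
import re

# Trimmed excerpt of the DDS log posted above, used as constructed sample input.
DDS_EXCERPT = r"""
============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\TEMP\VRT4.tmp
C:\Documents and Settings\bibtya\Desktop\dds.scr

============== Pseudo HJT Report ===============

uRun: [IridiumTimeWizard] c:\documents and settings\bibtya\local settings\temporary internet files\content.ie5\oxq38pmz\iridium.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
AppInit_DLLs: c:\windows\system32\kbdnet.dll
mASetup: {27E53DCF-6B78-4088-BE71-5CA5CDCB2624} - rundll32 pcfr32.dll,laspi

============= SERVICES / DRIVERS ===============

R2 AvSynMgr;AVSync Manager;c:\program files\network associates\virusscan\Avsynmgr.exe [2001-11-26 176128]
S2 2D4844BE;2D4844BE;c:\windows\system32\2d4844be.exe -service --> c:\windows\system32\2D4844BE.EXE -service [?]
S3 DMService;Whale Component Manager;c:\windows\downlo~1\DMService.exe [2008-7-11 423576]

=============== Created Last 30 ================

2009-11-11 03:03:54 0 d-----w- c:\program files\Protection System
2009-11-08 02:37:27 52 ----a-w- c:\windows\system32\4E.tmp
2009-11-07 01:32:48 348 ----a-w- c:\windows\system32\uses32.dat
2009-10-19 23:17:42 6967 ----a-w- c:\windows\system32\lknm

==================== Find3M ====================
"""

SECTION_RE = re.compile(r"^=+\s*(.+?)\s*=+$")
SERVICE_RE = re.compile(r"^[RS]\d\s+([^;]+);([^;]*);(.*)$")
CREATED_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(\d+)\s+(\S+)\s+(.*)$")
RUN_RE = re.compile(r"^[um]Run:\s+\[[^\]]*\]\s*(.*)$")
HEX_NAME_RE = re.compile(r"^[0-9a-f]{8}$", re.I)
TEMP_MARKERS = ("\\temp\\", "\\temporary internet files\\")


def split_sections(text):
    """Group non-empty lines under the '=== Name ===' header that precedes them."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1).lower()
            sections[current] = []
        elif current is not None:
            sections[current].append(line)
    return sections


def is_temp_path(entry):
    """True if a process path or Run-key value lives in a temp location."""
    p = entry.lower()
    return any(marker in p for marker in TEMP_MARKERS) or p.rstrip('"').endswith(".tmp")


def triage(text):
    """Return (category, reason, line) tuples for entries worth a closer look."""
    findings = []
    s = split_sections(text)
    for proc in s.get("running processes", []):
        if is_temp_path(proc):
            findings.append(("process", "running from a temp location", proc))
    for line in s.get("pseudo hjt report", []):
        m = RUN_RE.match(line)
        if m and is_temp_path(m.group(1)):
            findings.append(("autorun", "Run key points into a temp location", line))
        elif line.lower().startswith("appinit_dlls:") and line.split(":", 1)[1].strip():
            findings.append(("autorun", "AppInit_DLLs set: DLL loaded into every GUI process", line))
        elif line.lower().startswith("masetup:") and "rundll32" in line.lower():
            findings.append(("autorun", "Active Setup entry launching rundll32", line))
    for line in s.get("services / drivers", []):
        m = SERVICE_RE.match(line)
        if not m:
            continue
        name, path = m.group(1), m.group(3)
        if HEX_NAME_RE.match(name):
            findings.append(("service", "random 8-hex-digit service name", line))
        elif path.rstrip().endswith("[?]"):
            findings.append(("service", "DDS could not read the service binary ([?])", line))
    for line in s.get("created last 30", []):
        m = CREATED_RE.match(line)
        if not m or m.group(3).startswith("d"):   # skip directories
            continue
        folder, _, name = m.group(4).lower().rpartition("\\")
        ext = name.rpartition(".")[2] if "." in name else ""
        if folder == "c:\\windows\\system32" and ext in ("tmp", "dat", ""):
            findings.append(("newfile", "fresh .tmp/.dat/no-extension file in system32", line))
    return findings


if __name__ == "__main__":
    for category, reason, line in triage(DDS_EXCERPT):
        print(f"[{category}] {reason}: {line}")
```

The rules deliberately ignore the many "No File" toolbar and BHO entries: orphaned CLSIDs are leftovers of uninstalled software and say little on their own. What the script does flag in this log (a .tmp running from C:\WINDOWS\TEMP, a Run key into Temporary Internet Files, an AppInit_DLLs entry, an 8-hex-digit service and several new .dat/.tmp files in system32) is exactly the cluster a helper would want to look at first.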
Old 11-16-2009, 07:35 AM   #2
Blade81 (Security Team Analyst, Microsoft Most Valuable Professional)
Join Date: Jun 2008
Location: Finland
Posts: 1,454
OS: Win7 64-bit, Win8.1 64-bit
Hi there,

* Go here to run an online scanner from ESET.
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • Make sure that the option Remove found threats is UNchecked.
  • Click Scan
  • Wait for the scan to finish
  • Copy and paste report as a reply to this topic.
__________________

Microsoft MVP Consumer Security 2008-2015
UNITE member since 2006
Malware removal instructions provided here are meant to be used in the corresponding user's case only. If you have similar symptoms, please create your own topic instead of following instructions given to someone else.
Blade81 is offline  
Old 11-16-2009, 06:58 PM   #3
Guest
Thanks for replying.

I tried to access the online scan as per your suggestion, but the virus/spyware is blocking the online scan website. I tried using Google's cached pages and using the IP address instead of the domain name, but that didn't help either. I had stopped all virus scans, ZoneAlarm and the malware/spyware software. I also tried booting in Safe Mode with Networking to run the online scan, but with no success.

Moreover, a couple of times the infected desktop PC showed the blue screen of death, saying Windows had terminated some application to keep it from corrupting memory. I'm using my office PC to post this reply.

Thanks again for any help you can provide.
bibtya015 is offline  
Old 11-16-2009, 11:29 PM   #4
Blade81
Try to access the site through this. Do you recall what infection your protection software keeps warning of?
Blade81 is offline  
Old 11-17-2009, 08:58 AM   #5
Guest
I don't recall all the names of the viruses/spyware. But if I use a pen drive on the infected PC and then use the same drive on my office PC, which has Symantec anti-virus, it detects the "W32.Virut.CF" virus and quarantines the files. It's not able to clean it, though. (I mentioned this in my original post.)

I also used Symantec's "FixVirut.com" on my infected desktop PC. The scan said that it detected and cleaned the virus but when I restarted the PC, it was still there.

I'll try to access the online scan again tonight as you have suggested.

Thanks !
bibtya015 is offline  
Old 11-17-2009, 09:54 AM   #6
Blade81
Hi,

Don't use a Virut-infected pen drive on any system. You have to reformat the pen drive. Let me know about the online scan results, and don't use any storage drive that has been plugged in to this infected system with other systems.
Blade81 is offline  
Old 11-17-2009, 07:50 PM   #7
Guest
I could access the eset-eu/online-scanner webpage using the link you suggested, but couldn't start the online scan. IE kept reporting "webpage not found". I used both the web proxy and the Google search feature.

Meanwhile, when my infected PC boots up, most of the processes start up without any user (Task Manager shows no user, not even SYSTEM).

After being on the internet for a while and being able to access some sites, suddenly it cannot access any sites that it could previously access, and the networking icon in the system tray starts to animate and a yellow spot shows up. If I move the mouse over the icon it says "acquiring network ip...". Looks like someone is hacking into the PC?

please help....
bibtya015 is offline  
Old 11-17-2009, 10:25 PM   #8
Blade81
Hi,

Upload following files to https://www.virustotal.com, https://virscan.org or https://jotti.org and post back the results:
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\lsass.exe
Blade81 is offline  
Old 11-18-2009, 07:07 PM   #9
Guest
I don't know what to say... but each time I try to upload any of the files, either the upload just hangs (I waited 30 mins to 1 hr; also, the status bar on that site indicates no upload) or, after clicking the upload button, I get "website not found".
I tried uploading the files in both "Safe Mode with Networking" and normal mode. No luck.
bibtya015 is offline  
Old 11-18-2009, 10:38 PM   #10
Blade81
Ok. I'm pretty sure Virut infection has taken over your system there. All symptoms indicate that and those findings earlier support that.


Your system is infected with a nasty variant of Virut, a polymorphic file infector with IRCBot functionality which infects .exe, .scr files, downloads more malicious files to your system, and opens a back door that compromises your computer. Virux is an even more complex file infector which also infects script files (.php, .asp, and .html). When Virut creates infected files, it also creates non-functional files that are corrupted beyond repair. In many cases the infected files cannot be disinfected properly by your anti-virus. When disinfection is attempted, the files become corrupted and the system may become irreparable.

Quote:
The virus has a number of bugs in its code, and as a result it may misinfect a proportion of executable files....some W32/Virut.h infections are corrupted beyond repair.
McAfee Risk Assessment and Overview of W32/Virut

This kind of infection is contracted and spread by visiting remote, crack and keygen sites. These types of sites are infested with a smörgåsbord of malware and are an increasing source of system infection. However, the CA Security Advisor Research Blog says they have found MySpace user pages carrying the malicious Virut URL. Either way, you can end up with a computer system so badly damaged that recovery is not possible and it cannot be repaired. When that happens there is nothing you can do besides reformatting and reinstalling the OS.

Quote:
...warez and crack web pages are being used by cybercriminals as download sites for malware related to VIRUT and VIRUX. Searches for serial numbers, cracks, and even antivirus products like Trend Micro yield malcodes that come in the form of executables or self-extracting files...quick links in these sites also lead to malicious files. Ads and banners are also infection vectors...
Keygen and Crack Sites Distribute VIRUX and FakeAV

If your computer was used for online banking, has credit card information or other sensitive data on it, you should disconnect from the Internet until your system is cleaned. All passwords should be changed immediately, including those used for banking, email, eBay, PayPal and online forums. You should consider them to be compromised. You should change each password using a clean computer and not the infected one. If not, an attacker may get the new passwords and transaction information. If using a router, you need to reset it with a strong logon/password so the malware cannot gain control before you connect again. Banking and credit card institutions should be notified of the possible security breach. Because your computer was compromised, please read:

There is no guarantee this infection can be completely removed. In some instances it may have caused so much damage to your system that it cannot be completely cleaned or repaired. The malware may leave so many remnants behind that security tools cannot find them. Many experts in the security community believe that once infected with this type of malware, the best course of action is to wipe the drive clean, reformat and reinstall the OS. Reinstalling Windows without first wiping the entire hard drive with a repartition and/or format will not remove the infection. The reinstall will only overwrite the Windows files. Any malware on the system will still be there afterwards. Please read:

If you insist on trying to fix this infection instead of following our advice to reformat and reinstall your operating system, there are various rescue disks available from major anti-virus vendors which you can try. Keep in mind, even vendors like Kaspersky say there is no guarantee that some files will not get corrupted during the disinfection process. In the end most folks end up reformatting out of frustration after spending hours attempting to repair and remove infected files.
IMO the safest and easiest thing to do is just reformat and reinstall Windows.

I DO NOT assume any responsibility for your attempt to repair this infection using any of the following tools. You do this at your own risk and against my advice.

These are links to anti-virus vendors that offer free LiveCD or Rescue CD files that are used to boot from for repair of unbootable and damaged systems, to rescue data, and to scan the system for virus infections. Burn it as an image to a disk to get a bootable CD. All (except Avira) are in the ISO image file format. Avira uses an EXE that has built-in CD burning capability. If you are not sure how to burn an image, please read How to write a CD/DVD image or ISO. If you need a FREE utility to burn the ISO image, download and use ImgBurn.
Blade81 is offline  
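Blade81's diagnosis rests on Virut being a polymorphic file infector of .exe and .scr files, which is also why the earlier request (post #8) was to upload Explorer.EXE, spoolsv.exe and lsass.exe rather than rely on signatures: every infected copy hashes differently. A practitioner triaging such files offline can still apply a generic heuristic for appending infectors: a clean Windows binary starts execution inside its code section, whereas an infector that appends its body typically points AddressOfEntryPoint at the last section and marks that section writable and executable. The following is an added example (not part of the original post, not a Virut signature, and not any vendor's tool): it parses the PE section table, reports where the entry point lands, and exercises itself on two constructed PE images built by the included helper (a "clean" layout and one with the entry point moved into an RWX last section). Packed or self-extracting executables trip the same heuristic, so a hit means "inspect further", not "infected", and nothing here disinfects anything, consistent with the reformat advice above.

```python
import struct

IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def parse_sections(data):
    """Return (AddressOfEntryPoint, [(name, va, virtual_size, characteristics), ...])."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file (missing MZ header)")
    pe = struct.unpack_from("<I", data, 0x3C)[0]          # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE file (missing PE signature)")
    nsec = struct.unpack_from("<H", data, pe + 6)[0]       # NumberOfSections
    opt_size = struct.unpack_from("<H", data, pe + 20)[0]  # SizeOfOptionalHeader
    entry = struct.unpack_from("<I", data, pe + 24 + 16)[0]  # AddressOfEntryPoint
    table = pe + 24 + opt_size                             # first IMAGE_SECTION_HEADER
    sections = []
    for i in range(nsec):
        off = table + 40 * i
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, va = struct.unpack_from("<II", data, off + 8)
        chars = struct.unpack_from("<I", data, off + 36)[0]
        sections.append((name, va, vsize, chars))
    return entry, sections


def entry_point_findings(data):
    """Heuristic flags for an appending file infector; empty list means nothing odd."""
    entry, sections = parse_sections(data)
    home = None
    for idx, (_, va, vsize, _) in enumerate(sections):
        if va <= entry < va + max(vsize, 1):
            home = idx
            break
    if home is None:
        return ["entry point is not inside any section"]
    name, _, _, chars = sections[home]
    findings = []
    if len(sections) > 1 and home == len(sections) - 1:
        findings.append(f"entry point is in the last section ({name})")
    if chars & IMAGE_SCN_MEM_WRITE and chars & IMAGE_SCN_MEM_EXECUTE:
        findings.append(f"entry section {name} is writable and executable")
    if not chars & IMAGE_SCN_CNT_CODE:
        findings.append(f"entry section {name} is not flagged as code")
    return findings


def scan_file(path):
    """Convenience wrapper for a real file, e.g. C:\\WINDOWS\\system32\\spoolsv.exe."""
    with open(path, "rb") as fh:
        return entry_point_findings(fh.read())


def build_pe(entry_rva, sections):
    """Build a minimal, non-runnable PE32 image for testing (constructed data, not a real binary)."""
    pe_off = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", pe_off)
    opt_size = 224
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x0102)
    opt = struct.pack("<HBBIIIIII", 0x10B, 0, 0, 0, 0, 0, entry_rva, 0, 0)
    opt += b"\0" * (opt_size - len(opt))
    table = b"".join(
        struct.pack("<8sIIIIIIHHI", name, vsize, va, vsize, 0, 0, 0, 0, 0, chars)
        for name, va, vsize, chars in sections
    )
    return dos + b"PE\0\0" + coff + opt + table


# Constructed samples: a normal layout, and the same layout with the entry point
# redirected into an .rsrc section that has been made writable and executable.
CLEAN_SAMPLE = build_pe(0x1100, [
    (b".text", 0x1000, 0x2000, 0x60000020),
    (b".data", 0x3000, 0x1000, 0xC0000040),
    (b".rsrc", 0x4000, 0x1000, 0x40000040),
])
INFECTED_SAMPLE = build_pe(0x4200, [
    (b".text", 0x1000, 0x2000, 0x60000020),
    (b".data", 0x3000, 0x1000, 0xC0000040),
    (b".rsrc", 0x4000, 0x1000, 0xE0000040),
])

if __name__ == "__main__":
    for label, blob in (("clean", CLEAN_SAMPLE), ("infected-style", INFECTED_SAMPLE)):
        print(label, entry_point_findings(blob) or ["no findings"])
```

Run against the three files from post #8, `scan_file` would give a quick offline opinion without needing the blocked upload sites; compare its output with the copy in the dllcache folder listed in the Find3M section, but treat agreement between the two as weak evidence, since a file infector can reach both copies.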
Old 11-19-2009, 06:58 AM   #11
Guest
Thank you for your time and help.

I'll format the hard disk and reinstall the OS.

You can close this thread.
Thanks again !
bibtya015 is offline  