Avast WEBforum

Other => Viruses and worms => Topic started by: jrudesh on August 08, 2007, 05:39:22 AM

Title: ComboFix and HijackThis log
Post by: jrudesh on August 08, 2007, 05:39:22 AM
1. How was it detected?
It automatically creates a parent folder named .exe with a folder icon on flash drives.
Virus description: Win32:Poison-P [Trj]. 3 messages pop up at the same time at boot, and again from time to time.
It automatically creates text/commands in opened software.
Trend Micro HouseCall detected a few malware items but failed to remove WORM_AUTORUN.K.

2. What was the source of the file, where did the file come from?
An .exe that looks like a folder on the flash drive.

3. When was it downloaded or received?
A week ago.

4. What is the exact file name with extension?
avast caught these:
nhatquanglan20.exe Win32:Trojano-1134 [Trj], Win32:Agent-XW [Trj]
test2.exe Win32:Poison-P [Trj]
and this one is infected but avast does not detect it: C:\WINDOWS\system32\svchost.exe


I like avast because it doesn't give many problems. I want to continue my work whether there is a virus or not. Some AV coders think people buy computers to click their pop-ups. Hope others will agree *grin*


The virus is smart enough to kill HijackThis, but I managed to take a log in the first few seconds of startup.
ComboFix failed to continue its operation.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:40:55 AM, on 8/8/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINDOWS\system32\scvhost.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\sdpasvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel Audio Studio\IntelAudioStudio.exe
C:\Program Files\Intel\IDU\iptray.exe
C:\Program Files\Intel\IDU\awtray.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\QTTask.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\713xRMTMon.exe
C:\Program Files\Free Download Manager\fdm.exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\Program Files\BitTorrent\bittorrent.exe
C:\WINDOWS\713xRMT.exe
C:\WINDOWS\system32\scvhost.exe
C:\Program Files\honestech\honestech TVR\scheduleTV.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Intel\IDU\IDUServ.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

F2 - REG:system.ini: Shell=Explorer.exe scvhost.exe
O1 - Hosts: 60.12.193.37 auto.search.msn.com
O1 - Hosts: 60.12.193.37 auto.search.msn.es
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: PK IE Plugin - {1E1B2879-88FF-11D3-8D96-D7ACAC95951A} - C:\WINDOWS\system32\scvvhostwb.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Program Files\Free Download Manager\iefdmcks.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] sttray.exe
O4 - HKLM\..\Run: [IntelAudioStudio] "C:\Program Files\Intel Audio Studio\IntelAudioStudio.exe" TRAY
O4 - HKLM\..\Run: [ipTray.exe] "C:\Program Files\Intel\IDU\iptray.exe"
O4 - HKLM\..\Run: [awTray.exe] "C:\Program Files\Intel\IDU\awtray.exe"
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [TV Card Remote Control Device Monitor] C:\WINDOWS\713xRMTMon.exe
O4 - HKCU\..\Run: [Free Download Manager] C:\Program Files\Free Download Manager\fdm.exe -autorun
O4 - HKCU\..\Run: [googletalk] "C:\Program Files\Google\Google Talk\googletalk.exe" /autostart
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - HKCU\..\Run: [Yahoo Messengger] C:\WINDOWS\system32\scvhost.exe
O4 - HKCU\..\Run: [scvvhost] C:\WINDOWS\system32\scvvhost.exe
O4 - HKUS\S-1-5-18\..\Run: [Yahoo Messengger] C:\WINDOWS\system32\scvhost.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Yahoo Messengger] C:\WINDOWS\system32\scvhost.exe (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
O4 - Global Startup: Scheduler for OEM.lnk = C:\Program Files\honestech\honestech TVR\scheduleTV.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: CSNetManagerXp - Unknown owner - C:\WINDOWS\system32\isass.exe (file missing)
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Intel(R) Desktop Utilities Service (iHCService) - OSA Technologies, Inc. - C:\Program Files\Intel\IDU\IDUServ.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe
O23 - Service: SDPAUMS server service (SDPASVC) -  Matsushita Electric Industrial Co.,Ltd. - C:\WINDOWS\system32\sdpasvc.exe

--
End of file - 7535 bytes
Title: Re: ComboFix and HijackThis log
Post by: mauserme on August 08, 2007, 06:01:36 AM
Hi jrudesh.  I'm looking at your log now.

Does it make sense to you that your internet searches are being directed to sites in China?  I don't know what part of the world you're in.
Title: Re: ComboFix and HijackThis log
Post by: mauserme on August 08, 2007, 06:31:10 AM
Please download OTMoveIt (http://download.bleepingcomputer.com/oldtimer/OTMoveIt.exe) by OldTimer.
Save it to your desktop but don't do anything with it yet.


Now open HijackThis and click to Do a System Scan Only.  When the scan is complete place a check mark next to these lines.


F2 - REG:system.ini: Shell=Explorer.exe scvhost.exe

O1 - Hosts: 60.12.193.37 auto.search.msn.com

O1 - Hosts: 60.12.193.37 auto.search.msn.es

O2 - BHO: PK IE Plugin - {1E1B2879-88FF-11D3-8D96-D7ACAC95951A} - C:\WINDOWS\system32\scvvhostwb.dll (file missing)

O4 - HKCU\..\Run: [Yahoo Messengger] C:\WINDOWS\system32\scvhost.exe

O4 - HKCU\..\Run: [scvvhost] C:\WINDOWS\system32\scvvhost.exe

O4 - HKUS\S-1-5-18\..\Run: [Yahoo Messengger] C:\WINDOWS\system32\scvhost.exe (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [Yahoo Messengger] C:\WINDOWS\system32\scvhost.exe (User 'Default user')

O23 - Service: CSNetManagerXp - Unknown owner - C:\WINDOWS\system32\isass.exe (file missing)


Now close all other windows, including your browser, and click fix checked.  Close HJT.


Now double click OTMoveIt and copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

C:\WINDOWS\system32\scvvhostwb.dll
C:\WINDOWS\system32\scvvhost.exe
C:\WINDOWS\system32\scvhost.exe
C:\WINDOWS\system32\isass.exe


Return to OTMoveIt, right click on the "Paste List of Files/Folders to be moved" window and choose Paste.
Click the red Moveit! button.
Copy everything on the Results window to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it on your next reply with a new Hijack log.
Close OTMoveIt
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.


Now see if you can run ComboFix and post the log, followed by a fresh HJT log.


Do you have a TV card installed in your computer?  There are a couple of files that could be related to the remote control for this, or could be malware.
Title: Re: ComboFix and HijackThis log
Post by: jrudesh on August 08, 2007, 07:20:58 PM
File/Folder C:\WINDOWS\system32\scvvhostwb.dll not found.
File/Folder C:\WINDOWS\system32\scvvhost.exe not found.
C:\WINDOWS\system32\scvhost.exe moved successfully.
File/Folder C:\WINDOWS\system32\isass.exe not found.
 
Created on 08-08-2007 22:40:53

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:46, on 2007-08-08
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Intel Audio Studio\IntelAudioStudio.exe
C:\Program Files\Intel\IDU\iptray.exe
C:\Program Files\Intel\IDU\awtray.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\QTTask.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\713xRMTMon.exe
C:\Program Files\Free Download Manager\fdm.exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\Program Files\BitTorrent\bittorrent.exe
C:\Program Files\honestech\honestech TVR\scheduleTV.exe
C:\WINDOWS\system32\OSK.exe
C:\WINDOWS\system32\MSSWCHX.EXE
C:\WINDOWS\713xRMT.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Intel\IDU\IDUServ.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\WINDOWS\system32\sdpasvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Downloads\Software\OTMoveIt.exe
C:\WINDOWS\regedit.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Program Files\Free Download Manager\iefdmcks.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] sttray.exe
O4 - HKLM\..\Run: [IntelAudioStudio] "C:\Program Files\Intel Audio Studio\IntelAudioStudio.exe" TRAY
O4 - HKLM\..\Run: [ipTray.exe] "C:\Program Files\Intel\IDU\iptray.exe"
O4 - HKLM\..\Run: [awTray.exe] "C:\Program Files\Intel\IDU\awtray.exe"
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [TV Card Remote Control Device Monitor] C:\WINDOWS\713xRMTMon.exe
O4 - HKCU\..\Run: [Free Download Manager] C:\Program Files\Free Download Manager\fdm.exe -autorun
O4 - HKCU\..\Run: [googletalk] "C:\Program Files\Google\Google Talk\googletalk.exe" /autostart
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - HKCU\..\Run: [scvvhost] C:\WINDOWS\system32\scvvhost.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
O4 - Global Startup: Scheduler for OEM.lnk = C:\Program Files\honestech\honestech TVR\scheduleTV.exe
O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Intel(R) Desktop Utilities Service (iHCService) - OSA Technologies, Inc. - C:\Program Files\Intel\IDU\IDUServ.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe
O23 - Service: SDPAUMS server service (SDPASVC) -  Matsushita Electric Industrial Co.,Ltd. - C:\WINDOWS\system32\sdpasvc.exe

--
End of file - 7004 bytes
Title: Re: ComboFix and HijackThis log
Post by: mauserme on August 08, 2007, 08:41:58 PM
Open HJT again and fix this line

O4 - HKCU\..\Run: [scvvhost] C:\WINDOWS\system32\scvvhost.exe


If ComboFix will run now please post a log along with a new HJT log.
Title: Re: ComboFix and HijackThis log
Post by: essexboy on August 08, 2007, 08:50:56 PM
If you are having problems with the registry:
Quote
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1

This will re-enable the registry if it is disabled.  But check first: try to run regedit.  If it fails, then run the script.  If it works, then do not run the script.


Please download and run this small script file; accept the warnings when it runs: http://www.dougknox.com/security/scripts/regtools.vbs . A reboot will be required.
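The entries mauserme asked to be fixed and the O7 DisableRegedit line essexboy quotes are exactly the things a triage pass over a HijackThis log should surface. The script below is an added example, not part of this thread or of HijackThis; it flags a Shell= value that loads anything beyond Explorer.exe, hosts entries pointing off loopback, look-alike names of core Windows processes (scvhost for svchost, isass for lsass, including the doubled-letter scvvhost), orphaned "(file missing)" entries, and the DisableRegedit policy. The core-process list, the loopback set and the KNOWN_GOOD allowlist are assumptions, and the sample log is a constructed subset of the lines quoted above.

```python
"""Triage a HijackThis v2 log for the persistence and spoofing patterns seen
in this thread. Added example; lists below are assumptions, not HijackThis's."""
import re

# Core Windows process names that malware imitates by swapping, doubling or
# substituting a letter (scvhost vs svchost, isass vs lsass).
CORE_PROCESSES = ("svchost.exe", "lsass.exe", "csrss.exe", "smss.exe",
                  "winlogon.exe", "services.exe", "explorer.exe")
# Legitimate binaries that happen to sit within two edits of a core name.
KNOWN_GOOD = {"iexplore.exe"}
# Addresses a hosts-file entry may legitimately point at.
LOOPBACK = {"127.0.0.1", "0.0.0.0", "::1"}

ENTRY_RE = re.compile(r"^(?P<code>[A-Z]\d+) - (?P<body>.*)$")
PROCESS_RE = re.compile(r"^[A-Za-z]:\\")
BASENAME_RE = re.compile(r"[\w~!$.-]+\.(?:exe|dll|scr|sys)", re.IGNORECASE)


def osa_distance(a, b):
    """Optimal string alignment distance: Levenshtein edits plus one-step
    transpositions of adjacent characters (the scvhost/svchost case)."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1,          # deletion
                          d[i][j - 1] + 1,          # insertion
                          d[i - 1][j - 1] + cost)   # substitution or match
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[len(a)][len(b)]


def lookalike_of(name):
    """Return the core process that `name` imitates, or None.
    Short core names (lsass, smss, csrss) only tolerate one edit, because
    almost any short filename is within two edits of them."""
    n = name.lower()
    if n in CORE_PROCESSES or n in KNOWN_GOOD:
        return None
    for core in CORE_PROCESSES:
        limit = 2 if len(core) >= 10 else 1
        if osa_distance(n, core) <= limit:
            return core
    return None


def triage(log_text):
    """Return a list of (log line, reason) for every suspicious entry."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        entry = ENTRY_RE.match(line)
        if entry:
            code, body = entry.group("code"), entry.group("body")
        elif PROCESS_RE.match(line):
            code, body = "PROC", line   # running-process lines carry no entry code
        else:
            continue                    # header, footer and blank lines
        if code == "F2" and "Shell=" in body:
            programs = body.split("Shell=", 1)[1].split()
            extra = [p for p in programs if p.lower() != "explorer.exe"]
            if extra:
                findings.append((line, "Shell= loads extra program(s): " + ", ".join(extra)))
        elif code == "O1" and body.startswith("Hosts:"):
            parts = body.split()
            if len(parts) >= 3 and parts[1] not in LOOPBACK:
                findings.append((line, f"hosts file sends {parts[2]} to {parts[1]}"))
        elif code == "O7" and "DisableRegedit=1" in body:
            findings.append((line, "registry editor disabled by policy"))
        # Look-alike names are checked on every line, whatever the entry type.
        for name in BASENAME_RE.findall(body):
            core = lookalike_of(name)
            if core:
                findings.append((line, f"{name} imitates {core}"))
        if code in ("O2", "O23") and "(file missing)" in body:
            findings.append((line, "orphaned entry: target file missing"))
    return findings


# Constructed sample: a subset of the entries quoted in the thread.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
Running processes:
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\scvhost.exe

F2 - REG:system.ini: Shell=Explorer.exe scvhost.exe
O1 - Hosts: 60.12.193.37 auto.search.msn.com
O2 - BHO: PK IE Plugin - {1E1B2879-88FF-11D3-8D96-D7ACAC95951A} - C:\WINDOWS\system32\scvvhostwb.dll (file missing)
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [Yahoo Messengger] C:\WINDOWS\system32\scvhost.exe
O4 - HKCU\..\Run: [scvvhost] C:\WINDOWS\system32\scvvhost.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: CSNetManagerXp - Unknown owner - C:\WINDOWS\system32\isass.exe (file missing)
"""

if __name__ == "__main__":
    for flagged_line, reason in triage(SAMPLE_LOG):
        print(f"{reason:50s} <- {flagged_line}")
```

The legitimate avast entries in the sample produce no findings, while every line mauserme listed for fixing is reported at least once.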
Title: Re: ComboFix and HijackThis log
Post by: jrudesh on August 09, 2007, 03:27:23 AM

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:05:18 AM, on 8/9/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINDOWS\system32\igfxtray.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Intel Audio Studio\IntelAudioStudio.exe
C:\Program Files\Intel\IDU\iptray.exe
C:\Program Files\Intel\IDU\awtray.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\QTTask.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\713xRMTMon.exe
C:\Program Files\Free Download Manager\fdm.exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\Program Files\BitTorrent\bittorrent.exe
C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
C:\Program Files\honestech\honestech TVR\scheduleTV.exe
C:\WINDOWS\system32\sdpasvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\713xRMT.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Intel\IDU\IDUServ.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Program Files\Free Download Manager\iefdmcks.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] sttray.exe
O4 - HKLM\..\Run: [IntelAudioStudio] "C:\Program Files\Intel Audio Studio\IntelAudioStudio.exe" TRAY
O4 - HKLM\..\Run: [ipTray.exe] "C:\Program Files\Intel\IDU\iptray.exe"
O4 - HKLM\..\Run: [awTray.exe] "C:\Program Files\Intel\IDU\awtray.exe"
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [TV Card Remote Control Device Monitor] C:\WINDOWS\713xRMTMon.exe
O4 - HKCU\..\Run: [Free Download Manager] C:\Program Files\Free Download Manager\fdm.exe -autorun
O4 - HKCU\..\Run: [googletalk] "C:\Program Files\Google\Google Talk\googletalk.exe" /autostart
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
O4 - Global Startup: Scheduler for OEM.lnk = C:\Program Files\honestech\honestech TVR\scheduleTV.exe
O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Intel(R) Desktop Utilities Service (iHCService) - OSA Technologies, Inc. - C:\Program Files\Intel\IDU\IDUServ.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe
O23 - Service: SDPAUMS server service (SDPASVC) -  Matsushita Electric Industrial Co.,Ltd. - C:\WINDOWS\system32\sdpasvc.exe

--
End of file - 6911 bytes

Thank you mauserme, it seems like the symptoms are gone. ComboFix will run OK.
Thank you essexboy.
Title: Re: ComboFix and HijackThis log
Post by: mauserme on August 09, 2007, 06:33:42 AM
If you don't mind posting the ComboFix log - I would just like to make sure nothing is lurking unseen.

And does regedit work OK?


EDIT:  We may need to look at your flash drive too, to prevent re-infection.
Title: Re: ComboFix and HijackThis log
Post by: jrudesh on August 09, 2007, 06:54:23 PM
The first time, avast blocked the virus activity until it showed a warning message.
But this time it did not happen; I have only about 5-7 seconds to deal with HijackThis.
I took another log.
I tried to fix
O4 - HKCU\..\Run: [Yahoo Messengger] C:\WINDOWS\system32\scvhost.exe
but it automatically recovers it.
I have something to say:
C:\WINDOWS\hinhem.scr
comes to my clipboard (right-click, paste).


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:54:43 PM, on 8/9/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Intel\IDU\IDUServ.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\WINDOWS\system32\sdpasvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\userinit.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\scvhost.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Intel Audio Studio\IntelAudioStudio.exe
C:\Program Files\Intel\IDU\iptray.exe
C:\Program Files\Intel\IDU\awtray.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\QTTask.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\713xRMTMon.exe
C:\Program Files\Free Download Manager\fdm.exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\Program Files\BitTorrent\bittorrent.exe
C:\WINDOWS\system32\scvhost.exe
C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
C:\Program Files\honestech\honestech TVR\scheduleTV.exe
C:\WINDOWS\system32\OSK.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\MSSWCHX.EXE

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
F2 - REG:system.ini: Shell=Explorer.exe scvhost.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Program Files\Free Download Manager\iefdmcks.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] sttray.exe
O4 - HKLM\..\Run: [IntelAudioStudio] "C:\Program Files\Intel Audio Studio\IntelAudioStudio.exe" TRAY
O4 - HKLM\..\Run: [ipTray.exe] "C:\Program Files\Intel\IDU\iptray.exe"
O4 - HKLM\..\Run: [awTray.exe] "C:\Program Files\Intel\IDU\awtray.exe"
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [TV Card Remote Control Device Monitor] C:\WINDOWS\713xRMTMon.exe
O4 - HKCU\..\Run: [Free Download Manager] C:\Program Files\Free Download Manager\fdm.exe -autorun
O4 - HKCU\..\Run: [googletalk] "C:\Program Files\Google\Google Talk\googletalk.exe" /autostart
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - HKCU\..\Run: [Yahoo Messengger] C:\WINDOWS\system32\scvhost.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
O4 - Global Startup: Scheduler for OEM.lnk = C:\Program Files\honestech\honestech TVR\scheduleTV.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Intel(R) Desktop Utilities Service (iHCService) - OSA Technologies, Inc. - C:\Program Files\Intel\IDU\IDUServ.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe
O23 - Service: SDPAUMS server service (SDPASVC) -  Matsushita Electric Industrial Co.,Ltd. - C:\WINDOWS\system32\sdpasvc.exe

--
End of file - 7214 bytes
Title: Re: ComboFix and HijackThis log
Post by: jrudesh on August 09, 2007, 07:11:09 PM
It types this:


unTrình diễn xiếc "rợn tóc gáy"   http://www.freewebtown.com/gaigoitanbinh

Trình diễn xiếc "rợn tóc gáy"   http://www.freewebtown.com/gaigoitanbinh
unTrình diễn xiếc "rợn tóc gáy"   http://www.freewebtown.com/gaigoitanbinh

Trình diễn xiếc "rợn tóc gáy"   http://www.freewebtown.com/gaigoitanbinh
FC:\WINDOWS\hinhem.scrC:\WINDOWS\hinhem.scr
Title: Re: ComboFix and HijackThis log
Post by: lee16 on August 09, 2007, 08:10:21 PM
O4 - HKCU\..\Run: [Yahoo Messengger] C:\WINDOWS\system32\scvhost.exe is trying to disguise itself as the process svchost.exe (notice the vc are swapped in the infected file).
So if you are still able to access Task Manager (Alt + Ctrl + Del), open it up and kill the process scvhost.exe, then open HijackThis and remove the infected entries.
If the file/process keeps replacing itself, disable System Restore, restart the PC, then repeat the above steps.

--lee
Title: Re: ComboFix and HijackThis log
Post by: DavidR on August 09, 2007, 08:19:32 PM
Welcome back Lee long time no see.
Title: Re: ComboFix and HijackThis log
Post by: lee16 on August 09, 2007, 08:20:56 PM
Heya David  ;)

--lee
Title: Re: ComboFix and HijackThis log
Post by: mauserme on August 09, 2007, 08:21:54 PM
Hi Lee.  Thanks for the input.

We've essentially done the equivalent - fixing several HJT lines and killing the file with OTMoveIt - but it seems to have returned.

@jrudesh

Did this happen after you plugged in your flash drive?



Please download WinPFind3u.exe (http://download.bleepingcomputer.com/oldtimer/winpfind3u.exe)  to your Desktop and double-click on it to extract the files. It will create a folder named WinPFind3u on your desktop.
Use the Add Reply button and Copy/Paste the information back here. I will review it when it comes in. If, after posting, the last line is not < End of Report > then the log is too big to fit into a single post and you will need to split it into multiple posts.
Title: Re: ComboFix and HijackThis log
Post by: jrudesh on August 12, 2007, 10:52:37 AM
mauserme,lee,DavidR,
      Thank you for helping me. ;D

I tried HJT again after my last post.
I understood a little bit of what you're doing. I looked into the ComboFix log too. It showed unnecessary reg entries which call for the virus file; most are for MntDrCore.exe (hope you know about this). I looked for these entries in regedit but noticed that they are not visible to me. The other thing I noticed yesterday was that my internet connection speed is reducing. Maybe a spy is in. I deleted a scheduled task to activate sch???.exe every day at 9am.  I kept my PC off for about 24h and booted today.
   Now it shows no virus symptoms. I plugged in my flash. It had previously created virus files like
New Folder.exe
sch???.exe
I deleted them. They didn't appear again.
I see more entries than yesterday. But some are still missing.
I can access Task Manager.

I think there is a risk of this coming again with the next boot up. The virus may be hiding in an installing package which will install at startup. (I guess this because I saw a loading/installing bar for a few milliseconds at startup in a previous time.)


Did this happen after you plugged in your flash drive?
Of course, as I described at the very top, I accidentally clicked a folder-like (icon) .exe which had a name similar to the parent directory.
It is not an unusual thing because a lot of computers in the University of Moratuwa, Sri Lanka, are infected by this virus (not only this; they are infected with what Norton doesn't catch). Now they are going from Norton to Kaspersky, which seems to have the biggest virus definitions. The most common virus spreading method here is flash drives. Give your ideas to stop this.
I'm thinking about software which disables executable activities from the flash drive. How about that?
Seems like issas.exe also has a contribution here (as when my flash was plugged into my friend's computer, which is protected by AVG, it popped up for issas.exe activity).

I'll send WinPFind logs too...
Title: Re: ComboFix and HijackThis log
Post by: mauserme on August 12, 2007, 03:15:36 PM
Did this happen after you plugged in your flash drive?
Of course, as i describe at the very top ...
Ok.

But I saw that you have a VPN and wanted to make sure that wasn't the source of reinfection.  Or a downloader.

For now you should turn off autoplay on your external drives, then post the logs.  We should be able to get this cleared up.
Title: Re: ComboFix and HijackThis log
Post by: jrudesh on August 12, 2007, 03:56:44 PM
I did a norton online scan.

Search for the name of the threat(s) listed below on the Symantec Security Response site for removal information.
 

C:\_OTMoveIt\MovedFiles\WINDOWS\system32\scvhost.exe is infected with W32.Imaut.AA 
C:\virus\fduqd.exe is infected with Downloader  (I have no idea how these came here. But I can identify that they were in my flash.)
C:\virus\scvhost.VI0 is infected with W32.Imaut.AA 
C:\virus\scvhost.VI1 is infected with W32.Imaut.AA 
C:\virus\scvvhost.exe~ is infected with Spyware.Perfect 
C:\virus\Skin.VI0 is infected with W32.Imaut.AA 
C:\virus\scvhost.exe is infected with W32.Imaut.AA 
C:\virus\1.exe is infected with W32.Imaut.AA 
C:\virus\untitled folder.exe is infected with W32.Imaut.AA 
C:\virus\Prabhashwari.exe is infected with W32.Imaut.AA 
C:\virus\BackBoard.exe is infected with W32.Imaut.AA 
C:\virus\2.exe is infected with W32.Imaut.AA 
C:\virus\images.exe is infected with W32.Imaut.AA 
C:\virus\akka.exe is infected with W32.Imaut.AA 
C:\virus\Model.exe is infected with W32.Imaut.AA 
C:\virus\fonts.exe is infected with W32.Imaut.AA 
C:\virus\hand written.exe is infected with W32.Imaut.AA 
C:\virus\Tower Hall.exe is infected with W32.Imaut.AA 
C:\virus\Prabhashvari 2007.exe is infected with W32.Imaut.AA 
C:\virus\Prabhashvari 01.exe is infected with W32.Imaut.AA 
C:\virus\Prabhashvari 03.exe is infected with W32.Imaut.AA 
C:\virus\Prabhashvari 02.exe is infected with W32.Imaut.AA 
C:\virus\Advertisements.exe is infected with W32.Imaut.AA 
C:\virus\Code.exe is infected with W32.Imaut.AA 
C:\virus\VCD_Centre_v1.2.exe is infected with W32.Imaut.AA 
C:\virus\VCD Center v 1.2_source.exe is infected with W32.Imaut.AA 
C:\virus\Data.exe is infected with W32.Imaut.AA 
C:\virus\Images.VI0 is infected with W32.Imaut.AA 
C:\virus\Back.exe is infected with W32.Imaut.AA 
C:\virus\Customer.exe is infected with W32.Imaut.AA 
C:\virus\VCD Center v 1.2.exe is infected with W32.Imaut.AA 
C:\virus\Images.VI1 is infected with W32.Imaut.AA 
C:\virus\Training.exe is infected with W32.Imaut.AA 
C:\virus\Ministry of Petroleum and Petroleum Resources Development - Sri Lanka_files.exe is infected with W32.Imaut.AA 
C:\virus\fire wood.exe is infected with W32.Imaut.AA 
C:\virus\chapter4_files.exe is infected with W32.Imaut.AA 
C:\virus\Review of literature on residential firewood use, wood-smoke and air toxics - International Literature_files.exe is infected with W32.Imaut.AA 
C:\virus\Membrane.exe is infected with W32.Imaut.AA 
C:\virus\JTYUE%123GGJGS.exe is infected with W32.Imaut.AA 
C:\virus\Folder Settings.exe is infected with W32.Imaut.AA 
C:\WINDOWS\hinhem.scr is infected with W32.Imaut.AA 
C:\WINDOWS\system32\blastclnnn.exe is infected with W32.Imaut.AA 
C:\WINDOWS\system32\isass.dll is infected with W32.SillyFDC 
C:\WINDOWS\system32\scvvhost.exe~ is infected with Spyware.Perfect 


Title: Re: ComboFix and HijackThis log
Post by: jrudesh on August 12, 2007, 04:02:22 PM
WinPFind3.txt attached.
Title: Re: ComboFix and HijackThis log
Post by: mauserme on August 12, 2007, 04:09:07 PM
Give me some time with the log ...
Title: Re: ComboFix and HijackThis log
Post by: mauserme on August 12, 2007, 05:14:55 PM
Sorry to take so long - it looks like you reinstalled the OS on 27 June and, with a 60 day log, there are quite a few files to look at.  Your worm installed on 28 June with Vundo appearing more recently.

Start WinPFind3U. Copy/Paste the information in the quotebox below into the pane where it says "Paste fix here" and then click the Run Fix button.

[Files/Folders - Created Within 60 days]
NY -> hinhem.scr -> %SystemRoot%\hinhem.scr
NY -> ffhkj.ini -> %System32%\ffhkj.ini
NY -> blastclnnn.exe -> %System32%\blastclnnn.exe
NY -> isass.dll -> %System32%\isass.dll
NY -> ffhkj.tmp -> %System32%\ffhkj.tmp
NY -> ffhkj.ini2 -> %System32%\ffhkj.ini2
NY -> ffhkj.bak1 -> %System32%\ffhkj.bak1
[Files/Folders - Modified Within 60 days]
NY -> srchasst -> %SystemRoot%\srchasst
NY -> hinhem.scr -> %SystemRoot%\hinhem.scr
NY -> ffhkj.ini -> %System32%\ffhkj.ini
NY -> isass.dll -> %System32%\isass.dll
NY -> ffhkj.tmp -> %System32%\ffhkj.tmp
NY -> ffhkj.ini2 -> %System32%\ffhkj.ini2
NY -> ffhkj.bak1 -> %System32%\ffhkj.bak1



The fix should only take a very short time. When the fix is completed a message box will pop up telling you that it is finished. Click the Ok button and Notepad will open with a log of actions taken during the fix. Post that information back here.  It's OK if some of the files are not found.

Also let me know of any problems you encounter performing these steps or any continuing problems you are having with the computer.


Now, if Combofix will run, do that and post its log.

Then, whether or not ComboFix ran successfully, post a new WinPFind3u log, but this time change the options to 30 day rather than 60 day.
Title: Re: ComboFix and HijackThis log
Post by: jrudesh on August 12, 2007, 08:08:49 PM
[Files/Folders - Created Within 60 days]
C:\WINDOWS\hinhem.scr moved successfully.
C:\WINDOWS\SYSTEM32\ffhkj.ini moved successfully.
C:\WINDOWS\SYSTEM32\blastclnnn.exe moved successfully.
C:\WINDOWS\SYSTEM32\isass.dll moved successfully.
C:\WINDOWS\SYSTEM32\ffhkj.tmp moved successfully.
C:\WINDOWS\SYSTEM32\ffhkj.ini2 moved successfully.
C:\WINDOWS\SYSTEM32\ffhkj.bak1 moved successfully.
[Files/Folders - Modified Within 60 days]
C:\WINDOWS\srchasst\mui\0409 moved successfully.
C:\WINDOWS\srchasst\mui moved successfully.
C:\WINDOWS\srchasst\chars moved successfully.
Folder cleanup  failed. C:\WINDOWS\srchasst scheduled to be deleted on reboot.
File C:\WINDOWS\hinhem.scr not found!
File C:\WINDOWS\SYSTEM32\ffhkj.ini not found!
File C:\WINDOWS\SYSTEM32\isass.dll not found!
File C:\WINDOWS\SYSTEM32\ffhkj.tmp not found!
File C:\WINDOWS\SYSTEM32\ffhkj.ini2 not found!
File C:\WINDOWS\SYSTEM32\ffhkj.bak1 not found!
< End of log >
Created on 08/12/2007 21:25:05

It asked for a reboot

ComboFix log in file attached.
WinPFind3U log attached

Title: Re: ComboFix and HijackThis log
Post by: mauserme on August 13, 2007, 09:41:21 PM
It's time to get rid of those registry entries you mentioned for MntDrCore.exe and svch0st.exe (note this has a numeric 0 in the 5th position).  We'll also take care of killVBS.vbs while we're at it.

Download ERUNT from here and back up your entire registry

http://www.snapfiles.com/get/erunt.html

Next we'll create a registry fix. Copy and paste ALL of the information below in the quote box to a notepad file. Ensure there is no space above the REGEDIT4.
Then in notepad go to FILE > SAVE AS and in the dropdown box select SAVE AS TYPE > ALL FILES
Then in the FILE NAME box type fix.reg
This will create a fix.reg file on your desktop

Quote
REGEDIT4

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{08ef52f9-313f-11dc-b644-00167675b7f3}]

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1ea80f37-2868-11dc-b61f-00167675b7f3}]

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{59f2db76-313e-11dc-b643-00167675b7f3}]

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7f59142c-2f9d-11dc-b639-00167675b7f3}]

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8b2273dc-2be9-11dc-b62e-00167675b7f3}]

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{90805d17-30f9-11dc-b640-00167675b7f3}]

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9c29761e-2a1b-11dc-b623-00167675b7f3}]

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ba03a77c-2539-11dc-9e59-00167675b7f3}]

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c393d5ae-2a1c-11dc-b624-00167675b7f3}]

To use this file you will need to right click the icon and select merge, accept the warning if it appears and you are done.



Now open OTMoveIt and paste in this path


c:\virus
c:\windows\system32\killvbs.vbs


Click the move button and post the results (killvbs.vbs may not be found but I would like to make sure it is gone).



Your L: and M: drives both also carried the infection.  You should now mount each of them and delete any of these files if found in the root:


MntDrCore.exe
SSCVIIHOST.exe
Svch0st.exe       <- Again, this has a numeric 0 in the 5th position

You must also empty the recycle bin for all drives, as a fake ctfmon.exe located in the recycle bin on the M: drive was being run from the registry.


After doing all of the above please post fresh ComboFix and HJT logs.


EDIT:   added a path to the OTMoveIT list

Did you create a file named C:\virus.zip on 8 August?  Possibly to upload a sample to avast, or is this file unknown to you?
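The naming tricks called out in this thread (lee16's scvhost.exe posing as svchost.exe, and mauserme's svch0st.exe with a digit zero, isass.dll and the ctfmon.exe run from a recycle bin) can be checked mechanically. The script below is an added example, not code from the thread or from HijackThis, WinPFind or any other tool named here; it reads HJT-style lines, flags image names within a small edit distance of genuine Windows process names, and flags genuine names running from outside the system directories. It assumes the XP layout in the posted log (C:\WINDOWS and C:\WINDOWS\system32); the sample lines are constructed from names that appear in the thread.

```python
"""Flag autostart images that impersonate Windows system processes. Added example,
not code from the thread or any tool named in it: lee16's scvhost/svchost point and
mauserme's svch0st, isass and recycle-bin ctfmon notes as a check over HJT-style lines."""
import re

# Genuine Windows image names that the worms in this thread imitate.
SYSTEM_NAMES = {"svchost", "lsass", "ctfmon", "explorer", "services", "winlogon"}
# Directories where a genuine copy of those images lives on the logged (XP) system.
SYSTEM_DIRS = {"c:\\windows\\", "c:\\windows\\system32\\", "%systemroot%\\", "%system32%\\"}
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})  # svch0st -> svchost
PATH_RE = re.compile(r'(?:[a-z]:|%\w+%)\\[^"<>|*?\r\n]*?\.(?:exe|dll|scr|vbs)\b', re.I)

def osa_distance(a, b):
    """Edit distance that counts an adjacent transposition (cv -> vc) as one edit."""
    d = [[max(i, j) if 0 in (i, j) else 0 for j in range(len(b) + 1)] for i in range(len(a) + 1)]
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            d[i][j] = min(d[i-1][j] + 1, d[i][j-1] + 1, d[i-1][j-1] + (a[i-1] != b[j-1]))
            if i > 1 and j > 1 and a[i-1] == b[j-2] and a[i-2] == b[j-1]:
                d[i][j] = min(d[i][j], d[i-2][j-2] + 1)
    return d[-1][-1]

def classify_image(path):
    """Return (verdict, system_name); verdict is system, misplaced, lookalike or other."""
    path = path.lower()
    directory, name = path.rsplit("\\", 1)
    stem = name.rsplit(".", 1)[0]
    if stem in SYSTEM_NAMES:  # genuine name: is it also in a genuine location?
        return ("system" if directory + "\\" in SYSTEM_DIRS else "misplaced", stem)
    norm = stem.translate(HOMOGLYPHS)
    closest = min(SYSTEM_NAMES, key=lambda n: (osa_distance(norm, n), n))
    limit = 2 if len(norm) >= 6 else 1  # allow two edits only for longer names
    return ("lookalike", closest) if osa_distance(norm, closest) <= limit else ("other", None)

def scan_lines(lines):
    """Return (path, verdict, system_name) for every suspicious image path in lines."""
    findings = []
    for line in lines:
        for path in PATH_RE.findall(line):
            verdict, legit = classify_image(path)
            if verdict in ("lookalike", "misplaced"):
                findings.append((path, verdict, legit))
    return findings

# Constructed sample: process-list, O4 and WinPFind-style lines built from names in the thread.
SAMPLE_LOG = r"""C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\scvhost.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [ctfmon] M:\RECYCLER\ctfmon.exe
NY -> isass.dll -> %System32%\isass.dll
NY -> Svch0st.exe -> %SystemRoot%\Svch0st.exe"""

if __name__ == "__main__":
    for path, verdict, legit in scan_lines(SAMPLE_LOG.splitlines()):
        print(f"{verdict:9} {path}  (imitates {legit})")
```

Genuine svchost.exe in C:\WINDOWS\system32 and the avast tray program pass; the transposed, digit-swapped, one-letter-off and misplaced names are the four findings.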