Author Topic: Viruses in system32 folder  (Read 52202 times)


Steven6767

  • Guest
Re: Viruses in system32 folder
« Reply #30 on: April 15, 2007, 11:55:00 PM »
-- Registry Dump ---------------------------------------------------------------


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"msnmsgr"="\"C:\\Program Files\\MSN Messenger\\msnmsgr.exe\" /background"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NvCpl.dll,NvStartup"
"avast!"="C:\\PROGRA~1\\ALWILS~1\\Avast4\\ashDisp.exe"
"NvMediaCenter"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NvMcTray.dll,NvTaskbarInit"
"SoundService"="rundll32.exe \"C:\\WINDOWS\\wvvtsr.dll\",setvm"
"BootService"="rundll32.exe \"C:\\WINDOWS\\opmkjh.dll\",realset"
"Intel system tool"="C:\\WINDOWS\\System32\\svehost.exe"
"!AVG Anti-Spyware"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"
"COMODO Firewall Pro"="\"C:\\Program Files\\Comodo\\Firewall\\CPF.exe\" /background"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"RunNarrator"="Narrator.exe"


[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"Windows update loader"="C:\\Windows\\xpupdate.exe"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system\Shell]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\system]
"Wallpaper"=""

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\system]
"Wallpaper"=""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
@=""
"LinkResolveIgnoreLinkInfo"=dword:00000000
"NoResolveSearch"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"LinkResolveIgnoreLinkInfo"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoActiveDesktop"=dword:00000000
"ForceActiveDesktopOn"=dword:00000001

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoActiveDesktop"=dword:00000000
"ForceActiveDesktopOn"=dword:00000001

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\din700
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\partnershipreg

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService   REG_MULTI_SZ      Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService   REG_MULTI_SZ      DnsCache\0\0
rpcss   REG_MULTI_SZ      RpcSs\0\0
imgsvc   REG_MULTI_SZ      StiSvc\0\0
termsvcs   REG_MULTI_SZ      TermService\0\0
-- End of Deckard's System Scanner: finished at 2007-04-15 at 05:53:08 ---------

mauserme

  • Guest
Re: Viruses in system32 folder
« Reply #31 on: April 15, 2007, 11:56:27 PM »
svehost.exe is a worm trojan (not the same as svchost.exe, which you mustn't delete). We need to get rid of that.

I'm not 100% sure that wvvtsr.dll  and opmkjh.dll are malware so I'm reluctant to delete them without testing them first.  I'm quite sure they're not typical system files.

Go ahead and post the DSS log and we will disable what we need to from there.

EDIT: Sorry - you and I are typing at the same time.
« Last Edit: April 16, 2007, 01:17:50 AM by mauserme »

Steven6767

  • Guest
Re: Viruses in system32 folder
« Reply #32 on: April 16, 2007, 12:07:14 AM »
the only svehost.exe file I found was the backup in the SDFix folder.

mauserme

  • Guest
Re: Viruses in system32 folder
« Reply #33 on: April 16, 2007, 12:16:35 AM »
Open HijackThis and click Do a System Scan Only.  When it finishes place a check mark next to these lines

O2 - BHO: (no name) - {67C55A8D-E808-4caa-9EA7-F77102DE0BB6} - C:\WINDOWS\System32\tmp8C.tmp.dll (file missing)

O2 - BHO: (no name) - {B6F1A4CB-DADD-4D0C-BDFC-E945647302C1} - c:\wmplayer.dll (file missing)

O2 - BHO: (no name) - {cb97713c-658a-43a7-8d4f-bffdc4eb9bea} - C:\WINDOWS\system32\din700.dll (file missing)

O4 - HKLM\..\Run: [SoundService] rundll32.exe "C:\WINDOWS\wvvtsr.dll",setvm

O4 - HKLM\..\Run: [BootService] rundll32.exe "C:\WINDOWS\opmkjh.dll",realset

O4 - HKLM\..\Run: [Intel system tool] C:\WINDOWS\System32\svehost.exe

O20 - Winlogon Notify: din700 - din700.dll (file missing)

O20 - Winlogon Notify: partnershipreg - C:\Documents and Settings\All Users\Documents\Settings\partnership.dll (file missing)

O23 - Service: ieupdater2 (Microsoft IEUpdater2) - Unknown owner - C:\ie_updater.exe (file missing)


Click the button labeled Fix Checked.  Reboot.  If you're able to find svehost.exe now, rename it svehost.old (again, third character E, not C).

I would like you to try to update your Windows Service Pack now to at least SP1 (preferably SP2).  We still need to locate those three files but fixing those lines in hjt should prevent them from loading.  Without at least SP1 your computer will not stay clean very long.
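The lines above are picked out by hand, but the same reasoning can be scripted. This is an added example, not part of the thread and not a HijackThis feature: it parses O2/O4/O20/O23 lines (a constructed sample modelled on the ones quoted here) and flags the patterns the helper used: a target marked "(file missing)", rundll32 loading a DLL from outside System32 or Program Files, a vendorless service in an odd location, and a name one character off a core Windows process (svehost.exe vs svchost.exe).

```python
import re
# Constructed sample in HijackThis log format, modelled on the entries quoted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {67C55A8D-E808-4caa-9EA7-F77102DE0BB6} - C:\WINDOWS\System32\tmp8C.tmp.dll (file missing)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SoundService] rundll32.exe "C:\WINDOWS\wvvtsr.dll",setvm
O4 - HKLM\..\Run: [Intel system tool] C:\WINDOWS\System32\svehost.exe
O20 - Winlogon Notify: din700 - din700.dll (file missing)
O23 - Service: ieupdater2 (Microsoft IEUpdater2) - Unknown owner - C:\ie_updater.exe (file missing)
"""
HJT_RE = re.compile(r"^(O(?:2|4|20|23)) - (.*)$")  # BHO, startup, Winlogon Notify, service lines
PATH_RE = re.compile(r'([A-Za-z]:\\[^",\n]+?\.(?:exe|dll|ocx))\b', re.IGNORECASE)
TRUSTED_DIRS = ("c:\\windows\\system32\\", "c:\\program files\\")
CORE_PROCESSES = ("svchost.exe", "lsass.exe", "services.exe", "winlogon.exe", "csrss.exe")


def edit_distance(a, b):
    """Levenshtein distance, used to catch look-alike names such as svehost.exe vs svchost.exe."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def triage_line(line):
    """Return the reasons one HijackThis line deserves a closer look (empty list if none)."""
    m = HJT_RE.match(line.strip())
    if not m:
        return []
    section, body = m.groups()
    reasons = []
    if "(file missing)" in body:
        reasons.append("orphaned entry: target file is gone, the registry entry should still be removed")
    m_path = PATH_RE.search(body)
    if m_path:
        path = m_path.group(1).lower()
        name = path.rsplit("\\", 1)[-1]
        trusted = path.startswith(TRUSTED_DIRS)
        if "rundll32" in body.lower() and not trusted:
            reasons.append("rundll32 loads a DLL from outside System32/Program Files")
        if section == "O23" and "unknown owner" in body.lower() and not trusted:
            reasons.append("service with no vendor running from an unusual location")
        if name not in CORE_PROCESSES and any(edit_distance(name, c) == 1 for c in CORE_PROCESSES):
            reasons.append(f"{name} is one character away from a core Windows process name")
    return reasons


def triage_log(text):
    """Map each flagged line to its reasons; lines with nothing suspicious are omitted."""
    return {l.strip(): triage_line(l) for l in text.splitlines() if triage_line(l)}
```

Running `triage_log(SAMPLE_LOG)` flags five of the six sample lines and leaves the NvCplDaemon entry (rundll32 loading a DLL from System32) alone, which matches the lines the helper chose to fix.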

mauserme

  • Guest
Re: Viruses in system32 folder
« Reply #34 on: April 16, 2007, 12:19:45 AM »
the only svehost.exe file I found was the backup in the SDFix folder.
OK - cool.  Are wvvtsr.dll  and opmkjh.dll there too?  I didn't see any of them in the log.

Oh, and what about trzC.tmp?  Is it still around?

Steven6767

  • Guest
Re: Viruses in system32 folder
« Reply #35 on: April 16, 2007, 01:00:09 AM »
I think I'm getting SP2 soon. Oh, so in the backups for SDFix, I still rename svehost.exe to svehost.old? The other two files aren't in the SDFix folder. I'll check about the trzc.tmp.

Steven6767

  • Guest
Re: Viruses in system32 folder
« Reply #36 on: April 16, 2007, 01:07:03 AM »
In the _avast4_ folder (where the trzC.tmp was found) I found 3 files named unp23423423.tmp, and the others random numbers behind unp. But I scanned them and put them in the chest, and they seem to be fine now. No other files appeared after I put them in the chest.

Offline Lisandro

  • Avast team
  • Certainly Bot
  • Posts: 67198
Re: Viruses in system32 folder
« Reply #37 on: April 16, 2007, 01:09:12 AM »
In the _avast4_ folder (where the trzC.tmp was found) I found 3 files named unp23423423.tmp, and the others random numbers behind unp.
These files are temporary files created while avast is scanning archives...
For some strange reason (bad scanning, power failure?) they remain there.
It's ok if you send them to Chest.
The best things in life are free.

mauserme

  • Guest
Re: Viruses in system32 folder
« Reply #38 on: April 16, 2007, 01:09:59 AM »
I think I'm getting SP2 soon. Oh, so in the backups for SDFix, I still rename svehost.exe to svehost.old? The other two files aren't in the SDFix folder. I'll check about the trzc.tmp.
No, you don't need to rename it.  Since I didn't see it in the SDFix log I assumed it was still in the system32 directory and I was getting a little frustrated trying to make it go away.  It's fine where it is - we'll delete the backups later.

Go ahead and fix the lines in hjt I posted above and reboot.  Then let me know if you can find C:\WINDOWS\wvvtsr.dll, opmkjh.dll, or trzc.tmp.  You might check the AVG log too - there's a good chance they were removed with that scan.

mauserme

  • Guest
Re: Viruses in system32 folder
« Reply #39 on: April 16, 2007, 01:12:01 AM »
In the _avast4_ folder (where the trzC.tmp was found) I found 3 files named unp23423423.tmp, and the others random numbers behind unp.
These files are temporary files created while avast is scanning archives...
For some strange reason (bad scanning, power failure?) they remain there.
It's ok if you send them to Chest.
Thanks Tech.  I suspected it was something like this but with so much malware to be cleaned I wanted to make very sure.  Now we can concentrate on wvvtsr.dll and opmkjh.dll.

Steven6767

  • Guest
Re: Viruses in system32 folder
« Reply #40 on: April 16, 2007, 01:15:30 AM »
I already fixed the lines in HJT and rebooted. trzC.tmp is in the virus chest; I put it in there when I found out it was a virus. I'll check the AVG log in a minute.

Steven6767

  • Guest
Re: Viruses in system32 folder
« Reply #41 on: April 16, 2007, 01:17:28 AM »
All my AVG report says is

--------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

 + Created at:   11:40:23 AM 4/14/2007

 + Scan result:   

::Report end

Should I do a full system scan again?

mauserme

  • Guest
Re: Viruses in system32 folder
« Reply #42 on: April 16, 2007, 01:23:41 AM »
First take a quick look for wvvtsr.dll and opmkjh.dll and let me know if they're found.  If you do find them, scan them at Virus Total.

Yes, I think an AVGAS scan makes sense.  As before, quarantine anything found. 

Follow this with one (last?) hijackthis log.

Steven6767

  • Guest
Re: Viruses in system32 folder
« Reply #43 on: April 16, 2007, 01:26:35 AM »
OK, I still can't find the 2 files. I'll start the full system scan. I'll reply when it's done. It might be a while.

Steven6767

  • Guest
Re: Viruses in system32 folder
« Reply #44 on: April 16, 2007, 02:00:23 AM »
OK, the AVGAS scan is done, quarantined all of them. Here's the HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 7:59:24 AM, on 4/15/2007
Platform: Windows XP  (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Comodo\Firewall\cmdagent.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\PnkBstrA.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\WgaTray.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Comodo\Firewall\cpf.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-CA/a-UNO1/GAME_UNO1.cab
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab2.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {97E71027-0BA2-44F2-97DB-F84D808ED0B6} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab55762.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZIntro.cab55579.cab
O16 - DPF: {BE833F39-1E0C-468C-BA70-25AAEE55775E} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab.cab
O20 - AppInit_DLLs: 
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: ieupdater2 (Microsoft IEUpdater2) - Unknown owner - C:\ie_updater.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\System32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\System32\PnkBstrB.exe