Author Topic: Problems with a virus  (Read 30846 times)


mauserme
Re: Problems with a virus
« Reply #15 on: June 20, 2007, 08:28:43 PM »
There are a few suspicious files showing in ComboFix that have not been removed.  Please upload these to VirusTotal for analysis and post the results:

C:\WINDOWS\SYSTEM32\dmap_01200019124.exe
C:\WINDOWS\SYSTEM32\pvpkelepwc.dll
C:\WINDOWS\SYSTEM32\mrmnxjtiyd.dll
C:\WINDOWS\resouese.dll
C:\WINDOWS\SYSTEM32\Advpak.dll



Your HJT log looks OK - just some clean up.  Open HJT again and click to Run a System Scan Only.  When complete, place a check mark next to these lines:

O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)

O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O21 - SSODL: kOOlcBW - {34FCC55B-9E56-6FF1-0736-9AA66414657F} - (no file)

O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe

O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

Next, close all windows including your browser and click Fix Checked.




This line appears to be a remnant of Windows Blinds:

O20 - Winlogon Notify: WBSrv - C:\WINDOWS\

Is that program functioning correctly for you?  There seems to be a missing file.




Also, are you familiar with the sites shown in these lines?:

O16 - DPF: i.Game MJImpressYHK - http://202.43.223.148/client/MJc/com/igame/MJImpressYHK.cab

O16 - DPF: {20C2C286-BDE8-441B-B73D-AFA22D914DA5} (PowerList Control) - http://download.ppstream.com/bin/powerplayer.cab

O16 - DPF: {5EC7C511-CD0F-42E6-830C-1BD9882F3458} - http://download.ppstream.com/bin/powerplayer.cab



What is the current status of the trojan warnings?
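The post above asks the user to tick specific HijackThis lines: orphaned O9 buttons, an O21 SSODL entry with no file, and to take a look at the O16 and O20 entries. Below is an added example (not HijackThis code, and not posted by anyone in this thread) that applies the same triage to log lines automatically. The sample log is constructed from the entries quoted in the post; the rules (flag "(file missing)"/"(no file)" orphans, an O20 Winlogon Notify path that ends in a directory, and an O16 ActiveX download served from a raw IP address rather than a domain) are this example's own heuristics, so a "suspicious" verdict is a prompt to look, not proof of malware.

```python
"""HijackThis (HJT) log triage.

Added example; not HijackThis code and not from the thread's participants.
The rules are this example's own heuristics.  The sample log is constructed
from the lines quoted in the post above.
"""
import ipaddress
import re
from urllib.parse import urlparse

# Constructed sample: the O9/O16/O20/O21/O23 lines discussed in the post.
SAMPLE_LOG = """\
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\\bdoscandel.exe (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\\Network Diagnostic\\xpnetdiag.exe (file missing)
O16 - DPF: i.Game MJImpressYHK - http://202.43.223.148/client/MJc/com/igame/MJImpressYHK.cab
O16 - DPF: {20C2C286-BDE8-441B-B73D-AFA22D914DA5} (PowerList Control) - http://download.ppstream.com/bin/powerplayer.cab
O20 - Winlogon Notify: WBSrv - C:\\WINDOWS\\
O21 - SSODL: kOOlcBW - {34FCC55B-9E56-6FF1-0736-9AA66414657F} - (no file)
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\\Program Files\\Common Files\\Symantec Shared\\ccSetMgr.exe
"""

# An HJT entry is "<section> - <body>", e.g. "O16 - DPF: ...".
LINE_RE = re.compile(r"^(O\d+) - (.*)$")


def _host_is_raw_ip(url):
    """True when the URL's host is a bare IPv4/IPv6 literal rather than a name."""
    host = urlparse(url).hostname or ""
    try:
        ipaddress.ip_address(host)
    except ValueError:
        return False
    return True


def triage_line(line):
    """Classify one HJT line as (section, verdict, reason), or None if the
    line is not an HJT entry.  Verdicts: orphan, suspicious, review, info."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    section, body = m.groups()
    if "(file missing)" in body or "(no file)" in body:
        # Orphaned hook: harmless now, but a dropper could later plant a file
        # at the registered path, so it gets ticked for removal.
        return section, "orphan", "points at a file that no longer exists"
    if section == "O16":
        # Downloaded Program Files (ActiveX): the last " - " field is the CAB URL.
        url = body.rsplit(" - ", 1)[-1]
        host = urlparse(url).hostname or ""
        if _host_is_raw_ip(url):
            return section, "suspicious", "ActiveX (DPF) download from a raw IP address: " + host
        return section, "review", "ActiveX (DPF) download from " + host
    if section == "O20" and body.endswith("\\"):
        # Winlogon Notify DLL registered as a directory: a broken leftover, not a loadable DLL.
        return section, "orphan", "Winlogon Notify path is a directory, not a DLL"
    if section == "O23":
        return section, "review", "service with a full path; remove only if the vendor product is gone"
    return section, "info", "no rule matched"


def triage_log(text):
    """Return (line, section, verdict, reason) for every HJT entry in the log text."""
    out = []
    for raw in text.splitlines():
        result = triage_line(raw)
        if result is not None:
            out.append((raw.strip(),) + result)
    return out


def fix_list(text):
    """Lines a helper would tick under HJT's 'Fix checked': orphans and raw-IP DPF entries."""
    return [line for line, _sec, verdict, _why in triage_log(text)
            if verdict in ("orphan", "suspicious")]


if __name__ == "__main__":
    for line, section, verdict, reason in triage_log(SAMPLE_LOG):
        print("%-4s %-10s %s" % (section, verdict, reason))
```

The raw-IP rule flags the i.Game CAB but not the PPStream one, which matches the question mauserme raises; the PPStream entry still needs a decision from the user, which is why it comes back as "review" rather than going onto the fix list.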

chinhis13
Re: Problems with a virus
« Reply #16 on: June 21, 2007, 07:53:07 PM »
Thanks mauserme.

Here is the result (I couldn't scan resource.dll, it said it couldn't receive a file from my computer):

C:\WINDOWS\SYSTEM32\dmap_01200019124.exe

STATUS: FINISHED
Complete scanning result of "dmap_01200019124.exe", received in VirusTotal at 06.21.2007, 19:18:57 (CET).

Antivirus Version Update Result
AhnLab-V3 2007.6.21.1 06.21.2007  no virus found
AntiVir 7.4.0.34 06.21.2007  no virus found
Authentium 4.93.8 06.21.2007  no virus found
Avast 4.7.997.0 06.21.2007  no virus found
AVG 7.5.0.467 06.20.2007  no virus found
BitDefender 7.2 06.21.2007  no virus found
CAT-QuickHeal 9.00 06.21.2007  no virus found
ClamAV devel-20070416 06.21.2007  no virus found
DrWeb 4.33 06.21.2007  no virus found
eSafe 7.0.15.0 06.20.2007  no virus found
eTrust-Vet 30.8.3731 06.21.2007  no virus found
Ewido 4.0 06.21.2007  no virus found
FileAdvisor 1 06.21.2007  No threat detected
Fortinet 2.91.0.0 06.21.2007  no virus found
F-Prot 4.3.2.48 06.21.2007  no virus found
Ikarus T3.1.1.8 06.21.2007  no virus found
Kaspersky 4.0.2.24 06.21.2007  no virus found
McAfee 5058 06.21.2007  no virus found
Microsoft 1.2607 06.21.2007  no virus found
NOD32v2 2343 06.21.2007  no virus found
Norman 5.80.02 06.21.2007  no virus found
Panda 9.0.0.4 06.20.2007  no virus found
Sophos 4.18.0 06.21.2007  no virus found
Sunbelt 2.2.907.0 06.16.2007  no virus found
Symantec 10 06.21.2007  no virus found
TheHacker 6.1.6.136 06.20.2007  no virus found
VBA32 3.12.0.2 06.20.2007  no virus found
VirusBuster 4.3.23:9 06.21.2007  no virus found
Webwasher-Gateway 6.0.1 06.21.2007 no virus found

C:\WINDOWS\SYSTEM32\pvpkelepwc.dll

Antivirus Version Update Result
AhnLab-V3 2007.6.21.1 06.21.2007 Win-Trojan/Ieser.581632
AntiVir 7.4.0.34 06.21.2007 TR/Dldr.Ieser.C.6
Authentium 4.93.8 06.21.2007 W32/Trojan.APKF
Avast 4.7.997.0 06.21.2007  no virus found
AVG 7.5.0.467 06.20.2007  no virus found
BitDefender 7.2 06.21.2007  no virus found
CAT-QuickHeal 9.00 06.21.2007  no virus found
ClamAV devel-20070416 06.21.2007  no virus found
DrWeb 4.33 06.21.2007  no virus found
eSafe 7.0.15.0 06.20.2007  no virus found
eTrust-Vet 30.8.3731 06.21.2007  no virus found
Ewido 4.0 06.21.2007  no virus found
FileAdvisor 1 06.21.2007  no virus found
Fortinet 2.91.0.0 06.21.2007 W32/Ieser.C!tr.dldr
F-Prot 4.3.2.48 06.21.2007 W32/Trojan.APKF
F-Secure 6.70.13030.0 06.20.2007 Trojan-Downloader.Win32.Ieser.c
Ikarus T3.1.1.8 06.21.2007 Trojan-Downloader.Win32.Delf.asz
Kaspersky 4.0.2.24 06.21.2007 Trojan-Downloader.Win32.Ieser.c
McAfee 5058 06.21.2007  no virus found
Microsoft 1.2607 06.21.2007  no virus found
NOD32v2 2343 06.21.2007  no virus found
Norman 5.80.02 06.21.2007  no virus found
Panda 9.0.0.4 06.20.2007  no virus found
Sophos 4.18.0 06.21.2007  no virus found
Sunbelt 2.2.907.0 06.09.2007  no virus found
Symantec 10 06.21.2007  no virus found
TheHacker 6.1.6.136 06.20.2007  no virus found
VBA32 3.12.0.2 06.20.2007  no virus found
VirusBuster 4.3.23:9 06.21.2007  no virus found
Webwasher-Gateway 6.0.1 06.21.2007 Trojan.Dldr.Ieser.C.6

C:\WINDOWS\SYSTEM32\mrmnxjtiyd.dll

Antivirus Version Update Result
AhnLab-V3 2007.6.21.1 06.21.2007 Win-Trojan/Ieser.581632
AntiVir 7.4.0.34 06.21.2007 TR/Dldr.Ieser.C.6
Authentium 4.93.8 06.21.2007 W32/Trojan.APKF
Avast 4.7.997.0 06.21.2007  no virus found
AVG 7.5.0.467 06.20.2007  no virus found
BitDefender 7.2 06.21.2007  no virus found
CAT-QuickHeal 9.00 06.21.2007  no virus found
ClamAV devel-20070416 06.21.2007  no virus found
DrWeb 4.33 06.21.2007  no virus found
eSafe 7.0.15.0 06.20.2007  no virus found
eTrust-Vet 30.8.3731 06.21.2007  no virus found
Ewido 4.0 06.21.2007  no virus found
FileAdvisor 1 06.21.2007  no virus found
Fortinet 2.91.0.0 06.21.2007 W32/Ieser.C!tr.dldr
F-Prot 4.3.2.48 06.21.2007 W32/Trojan.APKF
F-Secure 6.70.13030.0 06.20.2007 Trojan-Downloader.Win32.Ieser.c
Ikarus T3.1.1.8 06.21.2007 Trojan-Downloader.Win32.Delf.asz
Kaspersky 4.0.2.24 06.21.2007 Trojan-Downloader.Win32.Ieser.c
McAfee 5058 06.21.2007  no virus found
Microsoft 1.2607 06.21.2007  no virus found
NOD32v2 2343 06.21.2007  no virus found
Norman 5.80.02 06.21.2007  no virus found
Panda 9.0.0.4 06.20.2007  no virus found
Sophos 4.18.0 06.21.2007  no virus found
Sunbelt 2.2.907.0 06.16.2007  no virus found
Symantec 10 06.21.2007  no virus found
TheHacker 6.1.6.136 06.20.2007  no virus found
VBA32 3.12.0.2 06.20.2007  no virus found
VirusBuster 4.3.23:9 06.21.2007  no virus found
Webwasher-Gateway 6.0.1 06.21.2007 Trojan.Dldr.Ieser.C.6

C:\WINDOWS\SYSTEM32\Advpak.dll

Antivirus Version Update Result
AhnLab-V3 2007.6.21.1 06.21.2007  no virus found
AntiVir 7.4.0.34 06.21.2007  no virus found
Authentium 4.93.8 06.21.2007  no virus found
Avast 4.7.997.0 06.21.2007  no virus found
AVG 7.5.0.467 06.20.2007  no virus found
BitDefender 7.2 06.21.2007  no virus found
CAT-QuickHeal 9.00 06.21.2007  no virus found
ClamAV devel-20070416 06.21.2007  no virus found
DrWeb 4.33 06.21.2007  no virus found
eSafe 7.0.15.0 06.20.2007  no virus found
eTrust-Vet 30.8.3731 06.21.2007  no virus found
Ewido 4.0 06.21.2007  no virus found
FileAdvisor 1 06.21.2007  no virus found
Fortinet 2.91.0.0 06.21.2007  no virus found
F-Prot 4.3.2.48 06.21.2007  no virus found
F-Secure 6.70.13030.0 06.20.2007  no virus found
Ikarus T3.1.1.8 06.21.2007  no virus found
Kaspersky 4.0.2.24 06.21.2007  no virus found
McAfee 5058 06.21.2007  no virus found
Microsoft 1.2607 06.21.2007  no virus found
NOD32v2 2343 06.21.2007  no virus found
Norman 5.80.02 06.21.2007  no virus found
Panda 9.0.0.4 06.20.2007  no virus found
Sophos 4.18.0 06.21.2007  no virus found
Sunbelt 2.2.907.0 06.16.2007  no virus found
Symantec 10 06.21.2007  no virus found
TheHacker 6.1.6.136 06.20.2007  no virus found
VBA32 3.12.0.2 06.20.2007  no virus found
VirusBuster 4.3.23:9 06.21.2007  no virus found
Webwasher-Gateway 6.0.1 06.21.2007 no virus found

It seems that many hidden viruses are in my computer although I have done a virus scan with avast! Home..
My computer has been repaired so many times because of viruses!
I don't know whether all the viruses have been deleted now... (it runs slowly)
How can I solve the problems?
Is it the HJT log that tells the suspicious files?
Thanks a lot, I am an idiot with computers... :(

O20 - Winlogon Notify: WBSrv - C:\WINDOWS\ ?
What's that? ???

The trojan warning problem has finally been solved.
Thanks for helping. :)
« Last Edit: October 12, 2008, 05:53:34 PM by chinhis13 »
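The listing above is the 2007-era VirusTotal text report: one row per engine with the engine name, version, signature date and either a detection name or "no virus found". Read by hand, the two DLLs are detected by nine engines under names that all reduce to the same family (Ieser), while the other two files get no detections at all. The block below is an added example, not VirusTotal's code and not from this thread, that parses that row format, counts detections and extracts a consensus family name by dropping vendor-generic tokens (Win32, Trojan, Downloader and so on) from each name. The generic-token list and the three-engine threshold are this example's own assumptions, and SAMPLE_REPORT is a constructed excerpt of the pvpkelepwc.dll rows above. One caveat the numbers do not show: a file with zero detections, such as dmap_01200019124.exe, is "undetected", not "clean"; signatures lag new droppers, which is why the helper still asks about such files.

```python
"""Summarise a multi-engine VirusTotal result listing.

Added example; not VirusTotal's code and not from the thread.  It parses the
plain-text 'Antivirus Version Update Result' rows of the 2007-era report
format, counts detections, and extracts a consensus family name.  GENERIC and
the min_engines threshold are this example's own assumptions; the samples are
constructed excerpts of the rows pasted in the post above.
"""
import re
from collections import Counter

CLEAN_RESULTS = {"no virus found", "no threat detected"}

# Tokens that carry platform/type information rather than a family name (assumption).
GENERIC = {"win32", "w32", "win", "trojan", "tr", "dldr", "downloader", "dl",
           "generic", "malware", "virus", "trj", "gen", "agent"}

# Constructed excerpt of the pvpkelepwc.dll rows.
SAMPLE_REPORT = """\
Antivirus Version Update Result
AhnLab-V3 2007.6.21.1 06.21.2007 Win-Trojan/Ieser.581632
AntiVir 7.4.0.34 06.21.2007 TR/Dldr.Ieser.C.6
Authentium 4.93.8 06.21.2007 W32/Trojan.APKF
Avast 4.7.997.0 06.21.2007  no virus found
BitDefender 7.2 06.21.2007  no virus found
Fortinet 2.91.0.0 06.21.2007 W32/Ieser.C!tr.dldr
F-Prot 4.3.2.48 06.21.2007 W32/Trojan.APKF
F-Secure 6.70.13030.0 06.20.2007 Trojan-Downloader.Win32.Ieser.c
Ikarus T3.1.1.8 06.21.2007 Trojan-Downloader.Win32.Delf.asz
Kaspersky 4.0.2.24 06.21.2007 Trojan-Downloader.Win32.Ieser.c
McAfee 5058 06.21.2007  no virus found
Symantec 10 06.21.2007  no virus found
Webwasher-Gateway 6.0.1 06.21.2007 Trojan.Dldr.Ieser.C.6
"""

# Constructed excerpt of the dmap_01200019124.exe rows (all clean).
SAMPLE_CLEAN = """\
Antivirus Version Update Result
Avast 4.7.997.0 06.21.2007  no virus found
Kaspersky 4.0.2.24 06.21.2007  no virus found
FileAdvisor 1 06.21.2007  No threat detected
"""

# engine, version, update date (MM.DD.YYYY), then the free-text result.
ROW_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\d{2}\.\d{2}\.\d{4})\s+(.+?)\s*$")


def parse_report(text):
    """Return (engine, version, updated, result) tuples; the header row has no date and is skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            rows.append(m.groups())
    return rows


def family_tokens(detection_name):
    """Split a vendor detection name and keep only tokens that look like a family name."""
    toks = [t.lower() for t in re.split(r"[^A-Za-z0-9]+", detection_name) if t]
    return [t for t in toks if len(t) > 2 and not t.isdigit() and t not in GENERIC]


def summarize(text, min_engines=3):
    """Count detections and pick the family name most engines agree on."""
    rows = parse_report(text)
    hits = [r for r in rows if r[3].lower() not in CLEAN_RESULTS]
    families = Counter()
    for _engine, _version, _updated, result in hits:
        for tok in set(family_tokens(result)):   # one vote per engine per token
            families[tok] += 1
    consensus = families.most_common(1)[0][0] if families else None
    if not hits:
        verdict = "undetected"      # not the same as clean: signatures lag new samples
    elif len(hits) >= min_engines:
        verdict = "malicious"
    else:
        verdict = "inconclusive"
    return {"engines": len(rows), "detections": len(hits), "consensus": consensus,
            "families": dict(families), "verdict": verdict}


if __name__ == "__main__":
    for name, report in (("pvpkelepwc.dll", SAMPLE_REPORT), ("dmap_01200019124.exe", SAMPLE_CLEAN)):
        s = summarize(report)
        print("%s: %d/%d engines, family=%s, verdict=%s" %
              (name, s["detections"], s["engines"], s["consensus"], s["verdict"]))
```

Both DLLs receive exactly the same per-engine results, which is what identical copies of one file under two random names would produce; hashing the two files would confirm it.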

DavidR
Re: Problems with a virus
« Reply #17 on: June 21, 2007, 08:43:59 PM »
With all this malware hiding in the system folders you need to consider preventative measures.

You might also consider proactive protection: in order to place files in the system folders and create registry entries you need permission.  Prevention is much better and theoretically easier than cure.

Whilst browsing or collecting email, etc., if you get infected then the malware by default inherits the same permissions that you have for your user account.  So if the user account has administrator rights, the malware has administrator rights and can wreak havoc.  With limited rights the malware can't put files in the system folders, create registry entries, etc.  This greatly reduces the potential harm that can be done by an undetected or first-day virus, etc.

Check out the link to DropMyRights (in my signature below) - Browsing the Web and Reading E-mail Safely as an Administrator.  This obviously applies to those NT-based OSes that have administrator settings: WinNT, Win2k, WinXP.

mauserme
Re: Problems with a virus
« Reply #18 on: June 22, 2007, 03:27:37 AM »
Hi again chinhis13.  Sorry I've been away for so long - I wasn't getting notifications that you had posted a response.

Please download OTMoveIt  by OldTimer and save it to your desktop.

Next, double-click OTMoveIt.exe to run it.
Copy the file paths below to the clipboard by highlighting them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

C:\WINDOWS\SYSTEM32\pvpkelepwc.dll
C:\WINDOWS\SYSTEM32\mrmnxjtiyd.dll


Return to OTMoveIt, right click on the "Paste List of Files/Folders to be moved" window and choose Paste.
Click the red Moveit! button.
Copy everything in the Results window to the clipboard by highlighting ALL of it and pressing CTRL + C (or, after highlighting, right-click and choose Copy), and paste it into your next reply with a new HijackThis log.
Close OTMoveIt
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.


Also, try to upload C:\WINDOWS\resouese.dll to Virus Total again (please note that the file name is a misspelling of "resource" when you're looking for it).

Quote
It seems that many hidden viruses are in my computer although I have done a virus scan with avast! Home..
My computer has been repaired so many times because of viruses!
I don't know whether all the viruses have been deleted now... (it runs slowly)
How can I solve the problems?
Is it the HJT log that tells the suspicious files?
Thanks a lot, I am an idiot with computers...

O20 - Winlogon Notify: WBSrv - C:\WINDOWS\ ?
What's that?

I am familiar with PPStream, but not the other one (O16 - DPF: i.Game MJImpressYHK - http://202.43.223.148/client/MJc/com/igame/MJImpressYHK.cab).

Is there any problem with this software (PPStream)?
I heard on the internet that it may put files on the computer...


The trojan warning problem has finally been solved.
Sometimes it's HJT, sometimes other tools, that pinpoint the suspicious files.  In this case ComboFix was more useful (so far).

The fact that you are no longer getting trojan warnings is a good sign - we've made some progress.  But you're not clean yet. 

O20 - Winlogon Notify: WBSrv - C:\WINDOWS\ seems to be part of a program called Windows Blinds but there is a missing file.  Do you know this program?  Is it working correctly?

I'm still researching the ppstream, etc.
« Last Edit: June 22, 2007, 03:29:21 AM by mauserme »

chinhis13
Re: Problems with a virus
« Reply #19 on: June 22, 2007, 08:24:34 AM »
Quote
With all this malware hiding in the system folders you need to consider preventative measures.

You might also consider proactive protection: in order to place files in the system folders and create registry entries you need permission.  Prevention is much better and theoretically easier than cure.

Whilst browsing or collecting email, etc., if you get infected then the malware by default inherits the same permissions that you have for your user account.  So if the user account has administrator rights, the malware has administrator rights and can wreak havoc.  With limited rights the malware can't put files in the system folders, create registry entries, etc.  This greatly reduces the potential harm that can be done by an undetected or first-day virus, etc.

Check out the link to DropMyRights (in my signature below) - Browsing the Web and Reading E-mail Safely as an Administrator.  This obviously applies to those NT-based OSes that have administrator settings: WinNT, Win2k, WinXP.


Thanks David very much. I will try it now. :)

chinhis13
Re: Problems with a virus
« Reply #20 on: June 22, 2007, 08:35:38 AM »
Thanks for your help.
« Last Edit: October 12, 2008, 05:54:18 PM by chinhis13 »

mauserme
Re: Problems with a virus
« Reply #21 on: June 22, 2007, 01:58:58 PM »
Yes, those two files are gone now.

When you installed Messenger Plus there was an option to install a "sponsor program".   Do you recall if you installed both, or just Messenger Plus?

chinhis13
Re: Problems with a virus
« Reply #22 on: June 22, 2007, 05:35:48 PM »
Quote
Yes, those two files are gone now.

When you installed Messenger Plus there was an option to install a "sponsor program".   Do you recall if you installed both, or just Messenger Plus?

I just installed Messenger Plus without the sponsor program.

chinhis13
Re: Problems with a virus
« Reply #23 on: June 22, 2007, 05:56:09 PM »
Is there any better way to protect my computer?
(like using a set of software... AVG + avast! / PC Tools AntiVirus + avast!)
« Last Edit: June 22, 2007, 05:58:27 PM by chinhis13 »

mauserme
Re: Problems with a virus
« Reply #24 on: June 22, 2007, 06:37:18 PM »
Quote
Is there any better way to protect my computer?
(like using a set of software... AVG + avast! / PC Tools AntiVirus + avast!)
Yes:

AVG AntiSpyware (not AVG AntiVirus) + avast! is a good combination
SuperAntiSpyware + avast! is also a good combination
avast! + any other resident antivirus (like AVG or PC Tools) is not good as they will conflict.

For now, please download the free version of SuperAntiSpyware and do a complete system scan.  When it finishes, save and then post the log it produces:

http://www.superantispyware.com/

Lisandro (Avast team)
Re: Problems with a virus
« Reply #25 on: June 23, 2007, 03:20:49 AM »
Quote
AVG AntiSpyware (not AVG AntiVirus) + avast! is a good combination
SuperAntiSpyware + avast! is also a good combination
Other options would be a-squared and, for a second resident, Spyware Terminator.

chinhis13
Re: Problems with a virus
« Reply #26 on: June 23, 2007, 09:22:56 AM »
Quote
Is there any better way to protect my computer?
(like using a set of software... AVG + avast! / PC Tools AntiVirus + avast!)
Yes:

AVG AntiSpyware (not AVG AntiVirus) + avast! is a good combination
SuperAntiSpyware + avast! is also a good combination
avast! + any other resident antivirus (like AVG or PC Tools) is not good as they will conflict.

For now, please download the free version of SuperAntiSpyware and do a complete system scan.  When it finishes save, then post, the log it produces

http://www.superantispyware.com/


Log:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 06/23/2007 at 02:52 PM

Application Version : 3.8.1002

Core Rules Database Version : 3259
Trace Rules Database Version: 1270

Scan type       : Complete Scan
Total Scan Time : 01:36:59

Memory items scanned      : 515
Memory threats detected   : 0
Registry items scanned    : 5527
Registry threats detected : 0
File items scanned        : 7375
File threats detected     : 39

Adware.Tracking Cookie
   C:\Documents and Settings\Anthony\Cookies\anthony@toplist[1].txt
   C:\Documents and Settings\Anthony\Cookies\anthony@realmedia[2].txt
   C:\Documents and Settings\Anthony\Cookies\anthony@questionmarket[1].txt
   C:\Documents and Settings\Anthony\Cookies\anthony@ehg-win2000mag.hitbox[2].txt
   C:\Documents and Settings\Anthony\Cookies\anthony@tribalfusion[1].txt
   C:\Documents and Settings\Anthony\Cookies\anthony@hitbox[1].txt
   C:\Documents and Settings\Anthony\Cookies\anthony@overture[1].txt
   C:\Documents and Settings\Anthony\Cookies\anthony@statcounter[2].txt
   C:\Documents and Settings\Anthony\Cookies\anthony@msnportal.112.2o7[1].txt
   C:\Documents and Settings\Anthony\Cookies\anthony@www.inmediahk[1].txt
   C:\Documents and Settings\Anthony\Cookies\anthony@1072556060[1].txt
   C:\Documents and Settings\Anthony\Cookies\anthony@doubleclick[1].txt
   C:\Documents and Settings\Anthony\Cookies\anthony@adinterax[1].txt
   C:\Documents and Settings\Anthony\Cookies\anthony@adimages.sina.com[1].txt
   C:\Documents and Settings\Anthony\Cookies\anthony@2o7[1].txt
   C:\Documents and Settings\Anthony\Cookies\anthony@cgi-bin[1].txt
   C:\Documents and Settings\Anthony\Cookies\anthony@fastclick[2].txt
   C:\Documents and Settings\Anthony\Cookies\anthony@specificclick[2].txt
   C:\Documents and Settings\Anthony\Cookies\anthony@crossmedia.com[1].txt
   C:\Documents and Settings\Anthony\Cookies\anthony@rambler[1].txt
   C:\Documents and Settings\Anthony\Cookies\anthony@pr1.crossmedia.com[1].txt
   C:\Documents and Settings\Anthony\Cookies\anthony@atwola[1].txt
   C:\Documents and Settings\Anthony\Cookies\anthony@atdmt[2].txt
   C:\Documents and Settings\Anthony\Cookies\anthony@serving-sys[1].txt
   C:\Documents and Settings\Anthony\Cookies\anthony@adserving.cpxinteractive[2].txt
   C:\Documents and Settings\Anthony\Cookies\anthony@tripod[1].txt
   C:\Documents and Settings\Anthony\Cookies\anthony@ad.yieldmanager[2].txt
   C:\Documents and Settings\Anthony\Cookies\anthony@bs.serving-sys[1].txt
   C:\Documents and Settings\Administrator\Cookies\administrator@ad.yieldmanager[2].txt
   C:\Documents and Settings\Administrator\Cookies\administrator@doubleclick[1].txt
   C:\Documents and Settings\Administrator\Cookies\administrator@ehg-youtube.hitbox[2].txt
   C:\Documents and Settings\Administrator\Cookies\administrator@hitbox[1].txt
   C:\Documents and Settings\Carmen.KATIE\Cookies\carmen@ad.yieldmanager[2].txt
   C:\Documents and Settings\Carmen.KATIE\Cookies\carmen@casalemedia[1].txt
   C:\Documents and Settings\Carmen.KATIE\Cookies\carmen@doubleclick[1].txt
   C:\Documents and Settings\Carmen.KATIE\Cookies\carmen@ehg-dig.hitbox[1].txt
   C:\Documents and Settings\Carmen.KATIE\Cookies\carmen@ehg-f5.hitbox[1].txt
   C:\Documents and Settings\Carmen.KATIE\Cookies\carmen@hitbox[2].txt
   C:\Documents and Settings\Carmen.KATIE\Cookies\carmen@overture[1].txt

They have been removed by SuperAntiSpyware.
Does the free version of SuperAntiSpyware protect my computer, or does it just have the scan and update functions?

Thanks.
« Last Edit: October 12, 2008, 05:55:21 PM by chinhis13 »

chinhis13
Re: Problems with a virus
« Reply #27 on: June 23, 2007, 09:23:18 AM »
Quote
AVG AntiSpyware (not AVG AntiVirus) + avast! is a good combination
SuperAntiSpyware + avast! is also a good combination
Other options would be a-squared and, for a second resident, Spyware Terminator.

Thanks :)

Lisandro (Avast team)
Re: Problems with a virus
« Reply #28 on: June 23, 2007, 01:47:11 PM »
Quote
Does the free version of SuperAntiSpyware protect my computer, or does it just have the scan and update functions? ???
The free version is not a resident application.
You need to update and scan on demand.
For a resident one with automatic updates, use Spyware Terminator.

chinhis13
Re: Problems with a virus
« Reply #29 on: June 23, 2007, 02:28:47 PM »
Quote
Does the free version of SuperAntiSpyware protect my computer, or does it just have the scan and update functions? ???
The free version is not a resident application.
You need to update and scan on demand.
For a resident one with automatic updates, use Spyware Terminator.

Thanks for answering my question.
« Last Edit: October 12, 2008, 05:55:35 PM by chinhis13 »