Author Topic: treatment for "virus.win32.virut.ce"  (Read 2651 times)

Offline faraz

  • Jr. Member
  • **
  • Posts: 75
  • Karma: +0/-0
    • View Profile
treatment for "virus.win32.virut.ce"
« on: September 30, 2009, 07:12:03 AM »
hi


A few days ago I found my PC behaving in a strange manner, so I installed and updated my ZoneAlarm 7.0.4 antivirus and scanned my PC.

Then I came to know there was a virus named "type_win32" on my PC. After removal of a lot of files, when I restarted my PC and tried to open any item from Control Panel, I got the message "Windows/system32/rundll32.exe is missing".
And when I try to show my hidden folders, they do not appear.

After this, whenever I scan my PC I find a virus named "virus.win32.virut.ce" in some or all of my drives.

This happens every time I scan my PC.




And along with this, when I try to reinstall rundll32.exe with this command in cmd, it does not work out:

expand X:\i386\rundll32.ex_ c:\windows\rundll32.exe
with X being my CD drive

Please, someone help me out with this problem.


Offline faraz

treatment for "virus.win32.virut.ce"
« Reply #1 on: September 30, 2009, 01:31:23 PM »
I have downloaded and scanned with HijackThis, and this is the log file.

Now tell me what I should do.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:05:23 AM, on 9/30/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Internet Download Manager\IDMan.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\MAILFR~1\mantispm.exe
C:\Program Files\Internet Download Manager\IEMonitor.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:9666
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
O2 - BHO: IDM Helper - {0055C089-8582-441B-A0BF-17B458C2A3A8} - C:\Program Files\Internet Download Manager\IDMIECC.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [@RegRunOnSecure] C:\PROGRA~1\Greatis\REGRUN~1\OnSecure.exe
O4 - HKCU\..\Run: [IDMan] C:\Program Files\Internet Download Manager\IDMan.exe /onboot
O4 - HKUS\S-1-5-18\..\Run: [restorer32_a] C:\Documents and Settings\kuku\restorer32_a.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [restorer32_a] C:\Documents and Settings\kuku\restorer32_a.exe (User 'Default user')
O8 - Extra context menu item: Download All Links with IDM - C:\Program Files\Internet Download Manager\IEGetAll.htm
O8 - Extra context menu item: Download FLV video content with IDM - C:\Program Files\Internet Download Manager\IEGetVL.htm
O8 - Extra context menu item: Download with IDM - C:\Program Files\Internet Download Manager\IEExt.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\inethttpfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\inethttpfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\inethttpfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\inethttpfilter.dll
O17 - HKLM\System\CS2\Services\Tcpip\..\{5F2F6F0D-C80E-478E-8F3B-5FBEA88006D8}: NameServer = 10.0.1.1 192.168.7.2
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Unknown owner - C:\WINDOWS\system32\imapi.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: Yahoo! Updater (YahooAUService) - Yahoo! Inc. - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
O23 - Service: plasservice (ZeppelinService) - ParetoLogic Inc. - C:\Program Files\Common Files\ParetoLogic\PLAS\plasservice.exe

--
End of file - 3754 bytes
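The HijackThis log above is the kind of output a helper reads by eye, entry code by entry code. As an added example (not part of the thread and not HijackThis code), the script below parses that format, counts entries per code and flags the four entry types a triage reader would check first in this log: a browser proxy pointing at a local port (R1), autorun executables living under a user profile (O4), an unknown Winsock LSP DLL (O10) and a service whose binary is missing (O23). The sample lines are copied from the posted log; the flagging rules are the editor's own heuristics, and a hit means "verify", not "malicious".

```python
"""Summarise a HijackThis log and flag the entry types an analyst checks first.

Added example, not part of the forum thread or of HijackThis itself.  The
sample lines are copied from the log posted above; the flagging rules are the
editor's own triage heuristics (assumption), not HijackThis output.
"""
import re
from collections import Counter

# Constructed sample: a handful of lines taken verbatim from the posted log.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:9666
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKUS\S-1-5-18\..\Run: [restorer32_a] C:\Documents and Settings\kuku\restorer32_a.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [restorer32_a] C:\Documents and Settings\kuku\restorer32_a.exe (User 'Default user')
O10 - Unknown file in Winsock LSP: c:\windows\system32\inethttpfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\inethttpfilter.dll
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Unknown owner - C:\WINDOWS\system32\imapi.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
"""

# Every HijackThis entry line starts with a section code (R0-R3, F0-F3, O1-O24).
ENTRY_RE = re.compile(r"^(?P<code>[RFO]\d{1,2}) - (?P<body>.+)$")


def parse_entries(text):
    """Yield (code, body) for each HijackThis entry line; other lines are skipped."""
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            yield m.group("code"), m.group("body")


def flag_entry(code, body):
    """Return a short reason if this entry deserves a closer look, else None.

    Editor's own heuristics (assumption): each one describes a condition that
    legitimately needs verifying, not a verdict.
    """
    if code == "R1" and "ProxyServer = 127.0.0.1" in body:
        return "browser traffic is proxied through a local port"
    if code == "O4" and re.search(r"\\Documents and Settings\\", body, re.IGNORECASE):
        return "autorun executable lives under a user profile, not Program Files"
    if code == "O10" and body.startswith("Unknown file in Winsock LSP"):
        return "unrecognised LSP DLL sits in the path of all socket traffic"
    if code == "O23" and "(file missing)" in body:
        return "service points at a missing binary"
    return None


def triage(text):
    """Return (Counter of entries per code, dict of flagged (code, body) -> reason)."""
    counts = Counter()
    flagged = {}
    for code, body in parse_entries(text):
        counts[code] += 1
        reason = flag_entry(code, body)
        if reason:
            # identical lines (the repeated O10 entry) collapse into one finding
            flagged.setdefault((code, body), reason)
    return counts, flagged


if __name__ == "__main__":
    counts, flagged = triage(SAMPLE_LOG)
    for code, n in sorted(counts.items()):
        print(f"{code}: {n} entr{'y' if n == 1 else 'ies'}")
    for (code, body), reason in flagged.items():
        print(f"[{code}] {reason}\n    {body}")
```

Run against a full log, `triage()` gives the per-section counts first so a reader can see at a glance how much is in the O4 (autorun) and O23 (service) sections, then the de-duplicated list of entries to verify; the posted log yields five such entries from these rules.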

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • *****
  • Posts: 16034
  • Karma: +1/-0
    • View Profile
    • http://
treatment for "virus.win32.virut.ce"
« Reply #2 on: September 30, 2009, 08:01:54 PM »
Download OTL.exe by OldTimer to your Desktop.
  • Close all windows and double click OTL.exe.
  • Click Run Scan and let the program run uninterrupted.
  • It will produce two logs for you, one will pop up - OTL.txt, the other will be saved on your Desktop - Extras.txt. Post both logs in this thread.
NOTE: If you do have problems posting those logs to a reply, please Upload them
If unsure how to upload them, please let me know

Do you want to post your own logs from FRST?

Follow the instructions posted here: http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/


Offline faraz

treatment for "virus.win32.virut.ce"
« Reply #3 on: October 01, 2009, 04:47:41 AM »
Yes, I have attached both the files.

I am facing a problem after copy & paste: the reply was not uploaded and an error appears.

Offline guestolo

treatment for "virus.win32.virut.ce"
« Reply #4 on: October 01, 2009, 07:59:26 AM »
Download Dr.Web CureIt to the desktop:
ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe

Temporarily disable your AntiVirus realtime protection so it won't interfere with this tool.
If you have any external harddrive or Thumbdrives that have been used on this computer since being infected, please insert them.

  • Doubleclick the drweb-cureit.exe file and click Scan to run express scan. Click OK in pop-up window to allow scan.
  • This will scan the files currently running in memory and when something is found, click the Yes button when it asks you if you want to cure it. This is only a short scan.
  • Once the short scan has finished, select Complete scan.
  • Click the green arrow at the right, and the scan will start.
  • Click Yes to all if it asks if you want to cure/move the file.
  • When the scan has finished, in the menu, click File and choose Save report list.
  • Save the report to your desktop. The report will be called DrWeb.csv.
  • Close Dr.Web Cureit.
  • Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
  • Copy and paste that log in the next reply. You can use Notepad to open the DrWeb.csv report.
NOTE. During the scan, a pop-up window will open asking for full version purchase. Simply close the window by clicking on X in upper right corner.



Offline faraz

treatment for "virus.win32.virut.ce"
« Reply #5 on: October 01, 2009, 07:08:45 PM »
This FTP link for drweb-cureit.exe is not working.

I am unable to download this exe file.

Offline guestolo

treatment for "virus.win32.virut.ce"
« Reply #6 on: October 01, 2009, 09:56:03 PM »
I've temporarily uploaded a link to Dr. Web to Rapidshare
You ONLY need the FREE link
Save the installer to desktop and then try running it

http://rapidshare.com/files/287591137/drweb-cureit.exe.html

I'll remove the file after 48 hours as it will be outdated



Offline faraz

treatment for "virus.win32.virut.ce"
« Reply #7 on: October 02, 2009, 10:18:24 AM »
Thanks, I have downloaded and scanned as you said.

This is the Dr.Web log data after the complete scan:

nyugzjd.dll;C:\WINDOWS\system32;Win32.HLLW.Autoruner.5555;Deleted.;
Presentation22.ppt;D:\data\SHERAZ documents\Uni Documents\M I S\Furqan;Probably office.exploit.16;;
Desktop_.ini;D:\Games\Chess;Win32.HLLW.Gavir.ini;Deleted.;
Desktop_.ini;D:\Games\Chess\Ancient;Win32.HLLW.Gavir.ini;Deleted.;
Desktop_.ini;D:\Games\Chess\Characters;Win32.HLLW.Gavir.ini;Deleted.;
Desktop_.ini;D:\Games\Chess\Characters\1;Win32.HLLW.Gavir.ini;Deleted.;
Desktop_.ini;D:\Games\Chess\Characters\10;Win32.HLLW.Gavir.ini;Deleted.;
Desktop_.ini;D:\Games\Chess\Characters\11;Win32.HLLW.Gavir.ini;Deleted.;
Desktop_.ini;D:\Games\Chess\Characters\12;Win32.HLLW.Gavir.ini;Deleted.;
Desktop_.ini;D:\Games\Chess\Characters\13;Win32.HLLW.Gavir.ini;Deleted.;
Desktop_.ini;D:\Games\Chess\Characters\14;Win32.HLLW.Gavir.ini;Deleted.;
Desktop_.ini;D:\Games\Chess\Characters\15;Win32.HLLW.Gavir.ini;Deleted.;
Desktop_.ini;D:\Games\Chess\Characters\16;Win32.HLLW.Gavir.ini;Deleted.;
Desktop_.ini;D:\Games\Chess\Characters\17;Win32.HLLW.Gavir.ini;Deleted.;
Desktop_.ini;D:\Games\Chess\Characters\18;Win32.HLLW.Gavir.ini;Deleted.;
Desktop_.ini;D:\Games\Chess\Characters\19;Win32.HLLW.Gavir.ini;Deleted.;
Desktop_.ini;D:\Games\Chess\Characters\2;Win32.HLLW.Gavir.ini;Deleted.;
Desktop_.ini;D:\Games\Chess\Characters\20;Win32.HLLW.Gavir.ini;Deleted.;
Desktop_.ini;D:\Games\Chess\Characters\21;Win32.HLLW.Gavir.ini;Deleted.;
Desktop_.ini;D:\Games\Chess\Characters\22;Win32.HLLW.Gavir.ini;Deleted.;
Desktop_.ini;D:\Games\Chess\Characters\23;Win32.HLLW.Gavir.ini;Deleted.;
Desktop_.ini;D:\Games\Chess\Characters\24;Win32.HLLW.Gavir.ini;Deleted.;
Desktop_.ini;D:\Games\Chess\Characters\25;Win32.HLLW.Gavir.ini;Deleted.;
Desktop_.ini;D:\Games\Chess\Characters\3;Win32.HLLW.Gavir.ini;Deleted.;
Desktop_.ini;D:\Games\Chess\Characters\4;Win32.HLLW.Gavir.ini;Deleted.;
Desktop_.ini;D:\Games\Chess\Characters\5;Win32.HLLW.Gavir.ini;Deleted.;
Desktop_.ini;D:\Games\Chess\Characters\6;Win32.HLLW.Gavir.ini;Deleted.;
Desktop_.ini;D:\Games\Chess\Characters\7;Win32.HLLW.Gavir.ini;Deleted.;
Desktop_.ini;D:\Games\Chess\Characters\8;Win32.HLLW.Gavir.ini;Deleted.;
Desktop_.ini;D:\Games\Chess\Characters\8Bit;Win32.HLLW.Gavir.ini;Deleted.;
Desktop_.ini;D:\Games\Chess\Characters\9;Win32.HLLW.Gavir.ini;Deleted.;
Desktop_.ini;D:\Games\Chess\Classic;Win32.HLLW.Gavir.ini;Deleted.;
Desktop_.ini;D:\Games\Chess\Classic2;Win32.HLLW.Gavir.ini;Deleted.;
Desktop_.ini;D:\Games\Chess\Flower;Win32.HLLW.Gavir.ini;Deleted.;
Desktop_.ini;D:\Games\Chess\Gothic;Win32.HLLW.Gavir.ini;Deleted.;
Desktop_.ini;D:\Games\Chess\Marble;Win32.HLLW.Gavir.ini;Deleted.;
Desktop_.ini;D:\Games\Chess\Menu;Win32.HLLW.Gavir.ini;Deleted.;
Desktop_.ini;D:\Games\Chess\Pinky;Win32.HLLW.Gavir.ini;Deleted.;
Desktop_.ini;D:\Games\Chess\Plastic;Win32.HLLW.Gavir.ini;Deleted.;
Desktop_.ini;D:\Games\Chess\Round;Win32.HLLW.Gavir.ini;Deleted.;
Desktop_.ini;D:\Games\Chess\Short;Win32.HLLW.Gavir.ini;Deleted.;
Desktop_.ini;D:\Games\Chess\Sounds;Win32.HLLW.Gavir.ini;Deleted.;
Desktop_.ini;D:\Games\Chess\Stone;Win32.HLLW.Gavir.ini;Deleted.;
Desktop_.ini;D:\Games\Chess\Symbol2;Win32.HLLW.Gavir.ini;Deleted.;
Desktop_.ini;D:\Games\Chess\Twisted;Win32.HLLW.Gavir.ini;Deleted.;
Desktop_.ini;D:\Games\Chess\Voice;Win32.HLLW.Gavir.ini;Deleted.;
Desktop_.ini;D:\Games\Chess\Wood;Win32.HLLW.Gavir.ini;Deleted.;
3. ISO9000-2000 (Revised).ppt.ppt;E:\faraz\ETC\ALL presentations;Probably office.exploit.16;;
Desktop_.ini;E:\faraz\Study\From Arslan\Rotary machinery(project);Win32.HLLW.Gavir.ini;Deleted.;
Desktop_.ini;E:\faraz\Study\Training Presentations;Win32.HLLW.Gavir.ini;Deleted.;
Desktop_.ini;E:\faraz\Study\Training Presentations\Ethics&Control Awareness Workshop;Win32.HLLW.Gavir.ini;Deleted.;
Desktop_.ini;E:\faraz\Study\Training Presentations\Inspection;Win32.HLLW.Gavir.ini;Deleted.;
Desktop_.ini;E:\faraz\Study\Training Presentations\Inspection\Cathodic Protection;Win32.HLLW.Gavir.ini;Deleted.;
Desktop_.ini;E:\faraz\Study\Training Presentations\Inspection\Corrosion;Win32.HLLW.Gavir.ini;Deleted.;
Desktop_.ini;E:\faraz\Study\Training Presentations\Inspection\Eddy Current Testing;Win32.HLLW.Gavir.ini;Deleted.;
Desktop_.ini;E:\faraz\Study\Training Presentations\Inspection\Failure Analysis;Win32.HLLW.Gavir.ini;Deleted.;
Desktop_.ini;E:\faraz\Study\Training Presentations\Inspection\Heat Exchanger;Win32.HLLW.Gavir.ini;Deleted.;
Desktop_.ini;E:\faraz\Study\Training Presentations\Inspection\Piping;Win32.HLLW.Gavir.ini;Deleted.;
Desktop_.ini;E:\faraz\Study\Training Presentations\Inspection\PSD;Win32.HLLW.Gavir.ini;Deleted.;
Desktop_.ini;E:\faraz\Study\Training Presentations\Inspection\UFD;Win32.HLLW.Gavir.ini;Deleted.;
Desktop_.ini;E:\faraz\Study\Training Presentations\Inspection\Welding;Win32.HLLW.Gavir.ini;Deleted.;
Desktop_.ini;E:\faraz\Study\Training Presentations\Maintenance;Win32.HLLW.Gavir.ini;Deleted.;
Desktop_.ini;E:\faraz\Study\Training Presentations\Maintenance\Alignment;Win32.HLLW.Gavir.ini;Deleted.;
Desktop_.ini;E:\faraz\Study\Training Presentations\Maintenance\Autopac;Win32.HLLW.Gavir.ini;Deleted.;
Desktop_.ini;E:\faraz\Study\Training Presentations\Maintenance\Balancing;Win32.HLLW.Gavir.ini;Deleted.;
Desktop_.ini;E:\faraz\Study\Training Presentations\Maintenance\Bearings;Win32.HLLW.Gavir.ini;Deleted.;
Desktop_.ini;E:\faraz\Study\Training Presentations\Maintenance\Boiler;Win32.HLLW.Gavir.ini;Deleted.;
Desktop_.ini;E:\faraz\Study\Training Presentations\Maintenance\Compressors;Win32.HLLW.Gavir.ini;Deleted.;
Desktop_.ini;E:\faraz\Study\Training Presentations\Maintenance\Compressors\Barrel Type compressor;Win32.HLLW.Gavir.ini;Deleted.;
Desktop_.ini;E:\faraz\Study\Training Presentations\Maintenance\Compressors\Centrifugal Compressor;Win32.HLLW.Gavir.ini;Deleted.;
Desktop_.ini;E:\faraz\Study\Training Presentations\Maintenance\Compressors\Reciprocating Compressor;Win32.HLLW.Gavir.ini;Deleted.;
Desktop_.ini;E:\faraz\Study\Training Presentations\Maintenance\Cooling Tower;Win32.HLLW.Gavir.ini;Deleted.;
Desktop_.ini;E:\faraz\Study\Training Presentations\Maintenance\Furnace;Win32.HLLW.Gavir.ini;Deleted.;
Desktop_.ini;E:\faraz\Study\Training Presentations\Maintenance\Gas Turbine;Win32.HLLW.Gavir.ini;Deleted.;
Desktop_.ini;E:\faraz\Study\Training Presentations\Maintenance\Heat Exchanger;Win32.HLLW.Gavir.ini;Deleted.;
Desktop_.ini;E:\faraz\Study\Training Presentations\Maintenance\LFC;Win32.HLLW.Gavir.ini;Deleted.;
Desktop_.ini;E:\faraz\Study\Training Presentations\Maintenance\Machinary Oils;Win32.HLLW.Gavir.ini;Deleted.;
Desktop_.ini;E:\faraz\Study\Training Presentations\Maintenance\Machnary Diagnostics;Win32.HLLW.Gavir.ini;Deleted.;
Desktop_.ini;E:\faraz\Study\Training Presentations\Maintenance\Mechanical Seal;Win32.HLLW.Gavir.ini;Deleted.;
Desktop_.ini;E:\faraz\Study\Training Presentations\Maintenance\Pressure safety valves&Devices;Win32.HLLW.Gavir.ini;Deleted.;
Desktop_.ini;E:\faraz\Study\Training Presentations\Maintenance\Pumps;Win32.HLLW.Gavir.ini;Deleted.;
Desktop_.ini;E:\faraz\Study\Training Presentations\Maintenance\Rigging;Win32.HLLW.Gavir.ini;Deleted.;
Desktop_.ini;E:\faraz\Study\Training Presentations\Maintenance\Steam Turbine;Win32.HLLW.Gavir.ini;Deleted.;
Desktop_.ini;E:\faraz\Study\Training Presentations\Maintenance\Welding;Win32.HLLW.Gavir.ini;Deleted.;
Desktop_.ini;E:\faraz\Study\Training Presentations\Process;Win32.HLLW.Gavir.ini;Deleted.;
Desktop_.ini;E:\faraz\Study\Training Presentations\Production;Win32.HLLW.Gavir.ini;Deleted.;
Desktop_.ini;E:\faraz\Study\Training Presentations\Production\Ammonia;Win32.HLLW.Gavir.ini;Deleted.;
Desktop_.ini;E:\faraz\Study\Training Presentations\Production\PM&S;Win32.HLLW.Gavir.ini;Deleted.;
Desktop_.ini;E:\faraz\Study\Training Presentations\Production\PM&S\PM&S BIMONTHLY TRG MODULE;Win32.HLLW.Gavir.ini;Deleted.;
Desktop_.ini;E:\faraz\Study\Training Presentations\Production\Urea-2;Win32.HLLW.Gavir.ini;Deleted.;
Desktop_.ini;E:\faraz\Study\Training Presentations\Production\Urea-2\Group 3;Win32.HLLW.Gavir.ini;Deleted.;
Desktop_.ini;E:\faraz\Study\Training Presentations\Production\Urea-2\Group 4;Win32.HLLW.Gavir.ini;Deleted.;
Desktop_.ini;E:\faraz\Study\Training Presentations\Production\Urea-2\Group 5;Win32.HLLW.Gavir.ini;Deleted.;
Desktop_.ini;E:\faraz\Study\Training Presentations\Production\Urea-2\Group1;Win32.HLLW.Gavir.ini;Deleted.;
Desktop_.ini;E:\faraz\Study\Training Presentations\Production\Urea-2\Group2;Win32.HLLW.Gavir.ini;Deleted.;
Desktop_.ini;E:\faraz\Study\Training Presentations\Production\Urut;Win32.HLLW.Gavir.ini;Deleted.;
Desktop_.ini;E:\faraz\Study\Training Presentations\Professional;Win32.HLLW.Gavir.ini;Deleted.;
Desktop_.ini;E:\faraz\Study\Training Presentations\Project Engineering;Win32.HLLW.Gavir.ini;Deleted.;
Desktop_.ini;E:\faraz\Study\Training Presentations\Project Engineering\General;Win32.HLLW.Gavir.ini;Deleted.;
Desktop_.ini;E:\faraz\Study\Training Presentations\Project Engineering\Heat Excahngers;Win32.HLLW.Gavir.ini;Deleted.;
Desktop_.ini;E:\faraz\Study\Training Presentations\Project Engineering\Insulation;Win32.HLLW.Gavir.ini;Deleted.;
Desktop_.ini;E:\faraz\Study\Training Presentations\Project Engineering\Piping;Win32.HLLW.Gavir.ini;Deleted.;
Desktop_.ini;E:\faraz\Study\Training Presentations\Project Engineering\Pressure vessels&Storage Tanks;Win32.HLLW.Gavir.ini;Deleted.;
Desktop_.ini;E:\faraz\Study\Training Presentations\Project Engineering\Project Management;Win32.HLLW.Gavir.ini;Deleted.;
Desktop_.ini;E:\faraz\Study\Training Presentations\Project Engineering\Structure;Win32.HLLW.Gavir.ini;Deleted.;
Desktop_.ini;E:\faraz\Study\Training Presentations\Safety;Win32.HLLW.Gavir.ini;Deleted.;
Desktop_.ini;E:\faraz\Study\Training Presentations\Six Sigma Presentations;Win32.HLLW.Gavir.ini;Deleted.;
A0009086.exe;E:\System Volume Information\_restore{D1094FA1-864F-4DCD-89E2-125B0ECF0239}\RP1;Win32.Virut.56;Cured.;
RtlUpd64.exe;F:\Drivers\New\--+¿+-+¦+-\32bit\2K_XP\Vista64;Win32.Virut.56;Cured.;
Keygen.exe;F:\softwares\docs reader\PDF To Image Converter 1.3;BackDoor.Iroffer.1516;Deleted.;
VTP801.exe\data026;F:\softwares\Lan & p2p Tools\VTP801.exe;Tool.Prockill;;
VTP801.exe/data033\data009;F:\softwares\Lan & p2p Tools\VTP801.exe/data033;Tool.Prockill;;
data033;F:\softwares\Lan & p2p Tools;Archive contains infected objects;;
VTP801.exe;F:\softwares\Lan & p2p Tools;Archive contains infected objects;Moved.;
mpp70rc52.exe\data254;F:\softwares\mesengers\mIRC Power Pack 7.1\mpp70rc52.exe;Probably IRC.Virus;;
mpp70rc52.exe\data594;F:\softwares\mesengers\mIRC Power Pack 7.1\mpp70rc52.exe;IRC.Flood;;
mpp70rc52.exe\data827;F:\softwares\mesengers\mIRC Power Pack 7.1\mpp70rc52.exe;Tool.Moo;;
mpp70rc52.exe;F:\softwares\mesengers\mIRC Power Pack 7.1;Archive contains infected objects;Moved.;
A0009031.EXE;F:\System Volume Information\_restore{D1094FA1-864F-4DCD-89E2-125B0ECF0239}\RP1;Trojan.PWS.Banker.23491;Deleted.;



But still, after restarting the computer, I am not able to see my hidden files or get access to Control Panel and the properties of the computer.

And after the restart I am scanning my C drive with ZoneAlarm and found 2 infected files again:

1 file [6to4ex.dll] in the quarantine folder of Dr.Web infected with trojan-spy.win32.agent.bagb
1 with Net-worm.win32.kido.ih
« Last Edit: October 02, 2009, 10:42:22 AM by faraz »
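The Dr.Web report pasted above is a semicolon-separated file (DrWeb.csv) with one row per detection, and reading a long one by hand hides the two things that matter most: which detections Dr.Web took no action on, and how many of the hits were inside System Restore points (the `_restore{...}` folders under System Volume Information) rather than in live files. As an added example, not part of the thread and not Dr.Web's code, the script below parses that layout, which is assumed from the posted report (`name;directory;threat;action;` with a trailing separator), groups the rows by action and threat name, and lists the unhandled rows. Archive members, whose name carries a `\` or `/` and whose container is reported on its own row, are excluded from "unhandled" because the container is what gets moved. The sample rows are copied from the posted report.

```python
"""Summarise a Dr.Web CureIt report (DrWeb.csv) by action and threat name.

Added example, not part of the thread or of Dr.Web.  The row layout assumed
here (name;directory;threat;action; with a trailing separator) is read off the
report posted above; the sample rows are copied from it.
"""
from collections import Counter

# Constructed sample: rows taken verbatim from the posted DrWeb.csv report.
SAMPLE_REPORT = r"""nyugzjd.dll;C:\WINDOWS\system32;Win32.HLLW.Autoruner.5555;Deleted.;
Presentation22.ppt;D:\data\SHERAZ documents\Uni Documents\M I S\Furqan;Probably office.exploit.16;;
Desktop_.ini;D:\Games\Chess;Win32.HLLW.Gavir.ini;Deleted.;
Desktop_.ini;D:\Games\Chess\Ancient;Win32.HLLW.Gavir.ini;Deleted.;
A0009086.exe;E:\System Volume Information\_restore{D1094FA1-864F-4DCD-89E2-125B0ECF0239}\RP1;Win32.Virut.56;Cured.;
VTP801.exe\data026;F:\softwares\Lan & p2p Tools\VTP801.exe;Tool.Prockill;;
VTP801.exe;F:\softwares\Lan & p2p Tools;Archive contains infected objects;Moved.;
A0009031.EXE;F:\System Volume Information\_restore{D1094FA1-864F-4DCD-89E2-125B0ECF0239}\RP1;Trojan.PWS.Banker.23491;Deleted.;
"""


def parse_report(text):
    """Yield one dict per report row; blank lines are ignored."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        fields = line.split(";")
        if len(fields) < 4:
            raise ValueError(f"unexpected row layout: {line!r}")
        name, directory, threat, action = fields[:4]
        yield {
            "name": name,
            "directory": directory,
            "threat": threat,
            # an empty fourth field means Dr.Web reported but did not act
            "action": action.rstrip(".") or "none",
            # 'outer.exe\data026' style names are members inside an archive/installer
            "in_archive": ("\\" in name) or ("/" in name),
            # _restore{...} under System Volume Information is a System Restore point
            "restore_point": "System Volume Information" in directory,
        }


def summarize(text):
    """Return counts per action and per threat, plus the rows worth a second look."""
    rows = list(parse_report(text))
    by_action = Counter(r["action"] for r in rows)
    by_threat = Counter(r["threat"] for r in rows)
    # rows with no action whose container was not handled on its own row
    unhandled = [r for r in rows if r["action"] == "none" and not r["in_archive"]]
    restore_hits = [r for r in rows if r["restore_point"]]
    return {
        "rows": rows,
        "by_action": by_action,
        "by_threat": by_threat,
        "unhandled": unhandled,
        "restore_hits": restore_hits,
    }


if __name__ == "__main__":
    s = summarize(SAMPLE_REPORT)
    print("rows:", len(s["rows"]))
    print("by action:", dict(s["by_action"]))
    print("by threat:", dict(s["by_threat"]))
    for r in s["unhandled"]:
        print("no action taken:", r["directory"] + "\\" + r["name"], "->", r["threat"])
    print("hits inside System Restore points:", len(s["restore_hits"]))
```

On the full posted report the same code would show that almost all of the rows are the same `Desktop_.ini` worm dropper repeated once per folder, that both Virut hits were "Cured" (disinfected in place, so the file itself still needs to be trusted or replaced), and that the `Probably office.exploit.16` presentations were reported without any action, which is exactly the list a helper would ask about next.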

Offline guestolo

treatment for "virus.win32.virut.ce"
« Reply #8 on: October 02, 2009, 04:26:47 PM »
Again, if you do have External harddrive or Thumbdrives, ensure they are inserted to computer
Download ComboFix from one of these locations:

Link 1
Link 2
Save it ONLY to your Desktop

--------------------------------------------------------------------
Temporarily Disable your AntiVirus/AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with this tool.
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.


**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply

NOTE: Do not mouseclick inside ComboFix window as it's running, it may cause it to stall
ComboFix will/may run again on startup, it will prompt that it's creating a log
This process could take up to 10 minutes, let it run uninterrupted please



Offline faraz

treatment for "virus.win32.virut.ce"
« Reply #9 on: October 02, 2009, 07:55:58 PM »
I have used ComboFix as you said.

But I do not have any external harddrive or thumbdrives right now, as I used one a few days ago but I will get it back from my friend after a few days. When I get it, I will treat it in the same way as I have done with this hard disk, as you said.

This is the log of combo.txt:

ComboFix 09-10-01.05 - kuku 10/02/2009 18:34.1.2 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.2.1252.1.1033.18.894.513 [GMT 5:00]
Running from: c:\documents and settings\kuku\Desktop\ComboFix.exe
AV: ZoneAlarm Security Suite Antivirus *On-access scanning disabled* (Updated) {5D467B10-818C-4CAB-9FF7-6893B5B8F3CF}
FW: ZoneAlarm Security Suite Firewall *disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\drivers\etc\lmhosts . . . . failed to delete

.
(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_6TO4


(((((((((((((((((((((((((   Files Created from 2009-09-02 to 2009-10-02  )))))))))))))))))))))))))))))))
.

2009-10-02 05:06 . 2009-10-02 05:06 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2009-10-02 05:06 . 2009-10-02 05:06 -------- d-----w- c:\program files\NOS
2009-10-01 22:40 . 2009-10-01 22:41 -------- d-----w- c:\documents and settings\kuku\DoctorWeb
2009-09-30 21:11 . 2009-10-01 02:19 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-09-30 21:11 . 2009-10-01 02:15 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-09-30 06:04 . 2009-09-30 06:04 -------- d-----w- c:\program files\Trend Micro
2009-09-30 01:28 . 2009-09-30 01:28 -------- d-----w- c:\program files\MYIE2
2009-09-30 01:27 . 2009-09-30 01:27 86016 ----a-w- c:\windows\system32\OpenAL32.dll
2009-09-30 01:27 . 2009-09-30 01:27 413696 ----a-w- c:\windows\system32\wrap_oal.dll
2009-09-30 01:27 . 2009-09-30 01:27 -------- d-----w- c:\program files\OpenAL
2009-09-29 18:51 . 2009-09-29 18:51 -------- d-----w- c:\program files\ParetoLogic
2009-09-29 18:51 . 2009-09-29 18:51 -------- d-----w- c:\program files\Common Files\ParetoLogic
2009-09-29 18:51 . 2009-09-29 18:51 -------- d-----w- c:\documents and settings\All Users\Application Data\ParetoLogic Anti-Virus PLUS
2009-09-29 18:51 . 2009-09-29 18:51 -------- d-----w- c:\documents and settings\All Users\Application Data\ParetoLogic
2009-09-29 18:50 . 2009-09-29 18:50 -------- d-----w- c:\documents and settings\kuku\Local Settings\Application Data\Downloaded Installations
2009-09-29 05:56 . 2009-09-29 05:56 -------- d-----w- c:\documents and settings\kuku\Local Settings\Application Data\Yahoo
2009-09-29 05:55 . 2009-09-29 05:55 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo! Companion
2009-09-29 05:55 . 2009-09-29 05:55 -------- d-----w- c:\documents and settings\kuku\Application Data\Yahoo!
2009-09-29 05:52 . 2009-09-29 05:56 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo!
2009-09-29 05:52 . 2009-09-29 05:55 -------- d-----w- c:\program files\Yahoo!
2009-09-29 03:09 . 2008-12-22 12:03 55184 ----a-w- c:\windows\system32\drivers\RegRunFM.SYS
2009-09-29 03:09 . 2008-12-22 12:03 33512 ----a-w- c:\windows\system32\drivers\REGRUNRM.SYS
2009-09-29 03:08 . 2009-09-29 03:08 -------- d-----w- c:\windows\RestoreSafeDeleted
2009-09-29 03:02 . 2009-09-29 03:02 -------- d-----w- C:\control
2009-09-29 02:57 . 2009-09-29 02:57 -------- d-----w- c:\windows\system32\CatRoot_bak
2009-09-29 02:54 . 2009-09-29 02:54 29584 ----a-w- c:\windows\system32\drivers\regguard.sys
2009-09-29 02:54 . 2009-09-29 02:54 2 --shatr- c:\windows\winstart.bat
2009-09-29 02:52 . 2009-09-29 02:52 34760 ----a-w- c:\windows\system32\drivers\Partizan.sys
2009-09-29 02:52 . 2009-09-29 02:52 32480 ----a-w- c:\windows\system32\Partizan.exe
2009-09-29 02:46 . 2008-12-22 12:57 444128 ----a-w- c:\windows\RunGuard.exe
2009-09-29 02:46 . 2008-12-22 12:04 20192 ----a-w- c:\windows\WinBait.exe
2009-09-29 02:46 . 2009-09-29 02:46 -------- d-----w- c:\program files\Greatis
2009-09-29 02:29 . 2009-09-29 02:36 -------- d-----w- c:\windows\system32\NtmsData
2009-09-29 00:07 . 2009-09-29 00:07 -------- d-----w- c:\windows\system32\Lang
2009-09-28 22:30 . 2006-08-01 07:02 49152 ------r- c:\windows\system32\ChCfg.exe
2009-09-28 22:30 . 2009-09-28 22:30 -------- d-----w- c:\windows\system32\RTCOM
2009-09-28 22:30 . 2004-08-03 19:56 4096 -c--a-w- c:\windows\system32\dllcache\ksuser.dll
2009-09-28 22:30 . 2004-08-03 19:56 4096 ----a-w- c:\windows\system32\ksuser.dll
2009-09-28 22:30 . 2004-08-03 18:08 60288 -c--a-w- c:\windows\system32\dllcache\drmk.sys
2009-09-28 22:30 . 2004-08-03 18:08 60288 ----a-w- c:\windows\system32\drivers\drmk.sys
2009-09-28 22:29 . 2004-11-18 05:42 22752 ----a-w- c:\windows\system32\spupdsvc.exe
2009-09-28 22:29 . 2007-03-16 07:06 1822720 ------r- c:\windows\SkyTel.exe
2009-09-28 22:29 . 2006-07-21 08:14 86016 ------r- c:\windows\SoundMan.exe
2009-09-28 22:29 . 2007-01-16 02:39 1191936 ------r- c:\windows\RtlUpd.exe
2009-09-28 22:29 . 2007-03-23 11:19 9715200 ------r- c:\windows\RTLCPL.exe
2009-09-28 22:29 . 2007-03-26 11:21 4395008 ------r- c:\windows\system32\drivers\RtkHDAud.sys
2009-09-28 22:29 . 2007-03-21 06:49 16126464 ------r- c:\windows\RTHDCPL.exe
2009-09-28 22:29 . 2006-10-11 09:42 2157568 ------r- c:\windows\MicCal.exe
2009-09-28 22:29 . 2005-05-03 10:43 69632 ------r- c:\windows\Alcmtr.exe
2009-09-28 22:29 . 2006-05-04 08:26 2808832 ------r- c:\windows\alcwzrd.exe
2009-09-28 22:29 . 2009-09-28 22:29 -------- d-----w- c:\program files\Realtek
2009-09-28 22:28 . 2009-09-28 22:28 315392 ----a-w- c:\windows\HideWin.exe
2009-09-28 22:28 . 2007-01-12 08:54 520192 ------r- c:\windows\RtlExUpd.dll
2009-09-28 22:27 . 2009-09-28 22:27 -------- d-----w- c:\program files\DIFX
2009-09-28 22:27 . 2009-09-28 22:27 -------- dc----w- c:\windows\system32\DRVSTORE
2009-09-28 22:27 . 2006-06-18 18:37 36864 ----a-w- c:\windows\system32\drivers\AmdK8.sys
2009-09-28 10:53 . 2009-09-28 10:53 -------- d-----w- c:\program files\Unlocker
2009-09-28 09:24 . 2009-09-28 09:24 -------- d-----w- c:\program files\Siber Systems
2009-09-28 09:21 . 2009-09-28 09:21 -------- d-----w- c:\windows\system32\Adobe
2009-09-28 09:10 . 2009-09-30 08:50 -------- d-----w- c:\documents and settings\kuku\Application Data\vlc
2009-09-28 09:08 . 2009-09-28 09:08 -------- d-----w- c:\program files\VideoLAN
2009-09-28 08:01 . 2009-09-28 08:01 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab Setup Files
2009-09-28 07:46 . 2009-09-30 03:37 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-09-28 07:08 . 2009-09-28 07:08 -------- d-----w- c:\documents and settings\kuku\Local Settings\Application Data\Symantec
2009-09-28 07:06 . 2009-09-28 07:06 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2009-09-28 07:05 . 2009-10-02 13:39 -------- d-----w- c:\documents and settings\kuku\Application Data\DMCache
2009-09-28 07:05 . 2009-10-01 04:09 -------- d-----w- c:\documents and settings\kuku\Application Data\IDM
2009-09-28 07:05 . 2009-09-28 11:24 -------- d-----w- c:\program files\Internet Download Manager
2009-09-28 07:03 . 2009-09-28 07:04 -------- d-----w- c:\documents and settings\kuku\Application Data\Media Player Classic
2009-09-28 07:03 . 2009-09-28 07:03 -------- d-s---w- c:\documents and settings\kuku\UserData
2009-09-28 07:01 . 2009-09-28 07:01 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2009-09-28 07:01 . 2004-01-22 14:06 157696 ----a-w- c:\windows\system32\unrar.dll

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-02 13:40 . 2009-09-28 01:02 5712928 --sha-w- c:\windows\system32\drivers\fidbox.dat
2009-10-02 13:37 . 2009-09-28 01:02 93104 --sha-w- c:\windows\system32\drivers\fidbox.idx
2009-10-02 04:06 . 2009-09-28 01:00 4212 ---h--w- c:\windows\system32\zllictbl.dat
2009-09-28 22:29 . 2009-09-28 03:09 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-09-28 07:00 . 2009-09-28 07:00 -------- d-----w- c:\program files\K-Lite Codec Pack
2009-09-28 05:36 . 2009-09-28 05:36 -------- d-----w- c:\program files\MSConfig CleanUp
2009-09-28 03:27 . 2009-09-28 03:04 -------- d-----w- c:\program files\Advanced IP Scanner
2009-09-28 03:16 . 2009-09-28 03:09 -------- d-----w- c:\program files\ATI Technologies
2009-09-28 03:10 . 2009-09-28 03:09 -------- d-----w- c:\program files\Common Files\InstallShield
2009-09-28 01:20 . 2009-09-28 01:00 -------- d-----w- c:\documents and settings\All Users\Application Data\MailFrontier
2009-09-28 01:04 . 2009-09-28 01:04 -------- d-----w- c:\documents and settings\kuku\Application Data\MailFrontier
2009-09-28 01:00 . 2009-09-28 01:00 -------- d-----w- c:\program files\Zone Labs
2009-09-28 00:56 . 2009-09-28 00:56 12328 ----a-w- c:\documents and settings\kuku\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-09-28 00:50 . 2009-09-28 00:50 -------- d-----w- c:\program files\microsoft frontpage
2009-09-28 00:47 . 2009-09-28 00:47 21640 ----a-w- c:\windows\system32\emptyregdb.dat
2009-09-09 10:43 . 2009-09-16 12:26 210352 ----a-w- c:\windows\system32\idmmbc.dll
.

------- Sigcheck -------

[-] 2004-09-01 . 7B11118B078B88F87183FE69EDA43137 . 359040 . . [5.1.2600.2180] . . c:\windows\system32\drivers\tcpip.sys

[-] 2004-09-01 . A77219A971029DC2FB683E8513713803 . 215552 . . [5.1.2600.2055] . . c:\windows\system32\termsrv.dll
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IDMan"="c:\program files\Internet Download Manager\IDMan.exe" [2009-09-16 3118512]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UnlockerAssistant"="c:\program files\Unlocker\UnlockerAssistant.exe" [2006-05-06 6656]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-09-06 919016]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{F552DDE6-2090-4bf4-B924-6141E87789A5}"= "c:\progra~1\Greatis\REGRUN~1\RRShell.dll" [2008-10-20 335943]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ    autocheck autochk *\0Partizan

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"6792:TCP"= 6792:TCP:adwpjn

R2 ZeppelinService;plasservice;c:\program files\Common Files\ParetoLogic\PLAS\plasservice.exe [2/18/2009 2:40 PM 587216]
S3 getPlusHelper;getPlus® Helper;c:\windows\System32\svchost.exe -k getPlusHelper [9/1/2004 1:00 PM 14336]
S3 Partizan;Partizan;c:\windows\system32\drivers\Partizan.sys [9/29/2009 7:52 AM 34760]
S3 RegGuard;RegGuard;c:\windows\system32\drivers\regguard.sys [9/29/2009 7:54 AM 29584]
S3 REGRUNFM;REGRUNFM;c:\windows\system32\drivers\RegRunFM.SYS [9/29/2009 8:09 AM 55184]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ    getPlusHelper

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost  - NetSvcs
nbowopgq
gidyrx

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\ccc-core-static]
msiexec /fums {A75BF1D0-C7C3-CB55-EE17-3225387FD154} /qb
.
Contents of the 'Scheduled Tasks' folder

2009-10-01 c:\windows\Tasks\ParetoLogic Anti-Virus PLUS.job
- c:\program files\ParetoLogic\Anti-Virus PLUS\Pareto_AV.exe [2009-02-18 09:43]

2009-09-29 c:\windows\Tasks\ParetoLogic Anti-Virus PLUS_dbsummary.job
- c:\program files\ParetoLogic\Anti-Virus PLUS\Pareto_AV.exe [2009-02-18 09:43]

2009-09-29 c:\windows\Tasks\ParetoLogic Registration.job
- c:\program files\Common Files\ParetoLogic\UUS2\UUS.dll [2008-02-22 07:25]

2009-09-29 c:\windows\Tasks\ParetoLogic Update Version2.job
- c:\program files\Common Files\ParetoLogic\UUS2\Pareto_Update.exe [2008-02-22 07:25]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
IE: Download All Links with IDM - c:\program files\Internet Download Manager\IEGetAll.htm
IE: Download FLV video content with IDM - c:\program files\Internet Download Manager\IEGetVL.htm
IE: Download with IDM - c:\program files\Internet Download Manager\IEExt.htm
LSP: c:\windows\system32\INetHTTPFilter.dll
TCP: {5F2F6F0D-C80E-478E-8F3B-5FBEA88006D8} = 10.0.1.1 192.168.7.2
.
- - - - ORPHANS REMOVED - - - -

HKU-Default-Run-restorer32_a - c:\documents and settings\kuku\restorer32_a.exe
AddRemove-Advanced IP Scanner v1.5 - c:\program files\Advanced IP Scanner\uninstal.exe
AddRemove-All ATI Software - c:\program files\ATI Technologies\UninstallAll\AtiCimUn.exe
AddRemove-WinRAR archiver - c:\program files\WinRAR\uninstall.exe


**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-02 18:40
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...  

scanning hidden autostart entries ...

scanning hidden files ...  

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]
@Denied: (A 2) (Everyone)
@="IFlashBroker3"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(628)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'lsass.exe'(684)
c:\windows\system32\INetHTTPFilter.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\ati2evxx.exe
c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-10-02 18:42 - machine was rebooted
ComboFix-quarantined-files.txt  2009-10-02 13:42

Pre-Run: 21,659,783,168 bytes free
Post-Run: 21,597,544,448 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect /usepmtimer

231


****************************************************************

faraz
treatment for "virus.win32.virut.ce"
« Reply #10 on: October 02, 2009, 08:01:55 PM »
After my previous reply I scanned my drives again, and thank God I didn't find anything.

And thanks, after this treatment my problem with seeing hidden files has been solved.

But there is still one problem left:

Whenever I try to open the System Properties to adjust the resolution or screen saver etc.,

I receive this message: "C:/windows/system32/rundll32.exe is missing". The same happens when I try to open anything in the Control Panel menu.

I have also mentioned this in my first post of this topic.

guestolo
treatment for "virus.win32.virut.ce"
« Reply #11 on: October 02, 2009, 10:23:24 PM »
Copy ALL the text below and paste it into Notepad.
Don't use anything other than Notepad or the script will not work.

KillAll::
FCopy::
C:\WINDOWS\ServicePackFiles\i386\rundll32.exe | C:\WINDOWS\system32\rundll32.exe

File::
c:\windows\system32\drivers\etc\lmhosts

Registry::
NetSvc::
nbowopgq
gidyrx

Save this as a text file on your desktop, with the exact name of
CFScript

Drag CFScript.txt onto ComboFix.exe
ComboFix will start >> Follow the prompts
Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

When finished, it shall produce a log for you with the same name, C:\ComboFix.txt.
Can I see that log again?

Do you want to post your own logs from FRST?

Follow the instructions posted here: http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/


faraz
treatment for "virus.win32.virut.ce"
« Reply #12 on: October 03, 2009, 03:00:57 AM »
ComboFix 09-10-01.05 - kuku 10/03/2009  1:44.2.2 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.2.1252.1.1033.18.894.627 [GMT 5:00]
Running from: c:\documents and settings\kuku\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\kuku\Desktop\CFScript.txt
AV: ZoneAlarm Security Suite Antivirus *On-access scanning disabled* (Updated) {5D467B10-818C-4CAB-9FF7-6893B5B8F3CF}
FW: ZoneAlarm Security Suite Firewall *disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

FILE ::
"c:\windows\system32\drivers\etc\lmhosts"
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\drivers\etc\lmhosts . . . . failed to delete

.
(((((((((((((((((((((((((   Files Created from 2009-09-02 to 2009-10-02  )))))))))))))))))))))))))))))))
.

2009-10-02 05:06 . 2009-10-02 05:06 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2009-10-02 05:06 . 2009-10-02 05:06 -------- d-----w- c:\program files\NOS
2009-10-01 22:40 . 2009-10-01 22:41 -------- d-----w- c:\documents and settings\kuku\DoctorWeb
2009-09-30 21:11 . 2009-10-01 02:19 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-09-30 21:11 . 2009-10-01 02:15 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-09-30 06:04 . 2009-09-30 06:04 -------- d-----w- c:\program files\Trend Micro
2009-09-30 01:28 . 2009-09-30 01:28 -------- d-----w- c:\program files\MYIE2
2009-09-30 01:27 . 2009-09-30 01:27 86016 ----a-w- c:\windows\system32\OpenAL32.dll
2009-09-30 01:27 . 2009-09-30 01:27 413696 ----a-w- c:\windows\system32\wrap_oal.dll
2009-09-30 01:27 . 2009-09-30 01:27 -------- d-----w- c:\program files\OpenAL
2009-09-29 18:51 . 2009-09-29 18:51 -------- d-----w- c:\program files\ParetoLogic
2009-09-29 18:51 . 2009-09-29 18:51 -------- d-----w- c:\program files\Common Files\ParetoLogic
2009-09-29 18:51 . 2009-09-29 18:51 -------- d-----w- c:\documents and settings\All Users\Application Data\ParetoLogic Anti-Virus PLUS
2009-09-29 18:51 . 2009-09-29 18:51 -------- d-----w- c:\documents and settings\All Users\Application Data\ParetoLogic
2009-09-29 18:50 . 2009-09-29 18:50 -------- d-----w- c:\documents and settings\kuku\Local Settings\Application Data\Downloaded Installations
2009-09-29 05:56 . 2009-09-29 05:56 -------- d-----w- c:\documents and settings\kuku\Local Settings\Application Data\Yahoo
2009-09-29 05:55 . 2009-09-29 05:55 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo! Companion
2009-09-29 05:55 . 2009-09-29 05:55 -------- d-----w- c:\documents and settings\kuku\Application Data\Yahoo!
2009-09-29 05:52 . 2009-09-29 05:56 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo!
2009-09-29 05:52 . 2009-09-29 05:55 -------- d-----w- c:\program files\Yahoo!
2009-09-29 03:08 . 2009-09-29 03:08 -------- d-----w- c:\windows\RestoreSafeDeleted
2009-09-29 03:02 . 2009-09-29 03:02 -------- d-----w- C:\control
2009-09-29 02:57 . 2009-09-29 02:57 -------- d-----w- c:\windows\system32\CatRoot_bak
2009-09-29 02:54 . 2009-09-29 02:54 29584 ----a-w- c:\windows\system32\drivers\regguard.sys
2009-09-29 02:54 . 2009-09-29 02:54 2 --shatr- c:\windows\winstart.bat
2009-09-29 02:46 . 2009-09-29 02:46 -------- d-----w- c:\program files\Greatis
2009-09-29 02:29 . 2009-09-29 02:36 -------- d-----w- c:\windows\system32\NtmsData
2009-09-29 00:07 . 2009-09-29 00:07 -------- d-----w- c:\windows\system32\Lang
2009-09-28 22:30 . 2006-08-01 07:02 49152 ------r- c:\windows\system32\ChCfg.exe
2009-09-28 22:30 . 2009-09-28 22:30 -------- d-----w- c:\windows\system32\RTCOM
2009-09-28 22:30 . 2004-08-03 19:56 4096 -c--a-w- c:\windows\system32\dllcache\ksuser.dll
2009-09-28 22:30 . 2004-08-03 19:56 4096 ----a-w- c:\windows\system32\ksuser.dll
2009-09-28 22:30 . 2004-08-03 18:08 60288 -c--a-w- c:\windows\system32\dllcache\drmk.sys
2009-09-28 22:30 . 2004-08-03 18:08 60288 ----a-w- c:\windows\system32\drivers\drmk.sys
2009-09-28 22:29 . 2004-11-18 05:42 22752 ----a-w- c:\windows\system32\spupdsvc.exe
2009-09-28 22:29 . 2007-03-16 07:06 1822720 ------r- c:\windows\SkyTel.exe
2009-09-28 22:29 . 2006-07-21 08:14 86016 ------r- c:\windows\SoundMan.exe
2009-09-28 22:29 . 2007-01-16 02:39 1191936 ------r- c:\windows\RtlUpd.exe
2009-09-28 22:29 . 2007-03-23 11:19 9715200 ------r- c:\windows\RTLCPL.exe
2009-09-28 22:29 . 2007-03-26 11:21 4395008 ------r- c:\windows\system32\drivers\RtkHDAud.sys
2009-09-28 22:29 . 2007-03-21 06:49 16126464 ------r- c:\windows\RTHDCPL.exe
2009-09-28 22:29 . 2006-10-11 09:42 2157568 ------r- c:\windows\MicCal.exe
2009-09-28 22:29 . 2005-05-03 10:43 69632 ------r- c:\windows\Alcmtr.exe
2009-09-28 22:29 . 2006-05-04 08:26 2808832 ------r- c:\windows\alcwzrd.exe
2009-09-28 22:29 . 2009-09-28 22:29 -------- d-----w- c:\program files\Realtek
2009-09-28 22:28 . 2009-09-28 22:28 315392 ----a-w- c:\windows\HideWin.exe
2009-09-28 22:28 . 2007-01-12 08:54 520192 ------r- c:\windows\RtlExUpd.dll
2009-09-28 22:27 . 2009-09-28 22:27 -------- d-----w- c:\program files\DIFX
2009-09-28 22:27 . 2009-09-28 22:27 -------- dc----w- c:\windows\system32\DRVSTORE
2009-09-28 22:27 . 2006-06-18 18:37 36864 ----a-w- c:\windows\system32\drivers\AmdK8.sys
2009-09-28 10:53 . 2009-09-28 10:53 -------- d-----w- c:\program files\Unlocker
2009-09-28 09:24 . 2009-09-28 09:24 -------- d-----w- c:\program files\Siber Systems
2009-09-28 09:21 . 2009-09-28 09:21 -------- d-----w- c:\windows\system32\Adobe
2009-09-28 09:10 . 2009-09-30 08:50 -------- d-----w- c:\documents and settings\kuku\Application Data\vlc
2009-09-28 09:08 . 2009-09-28 09:08 -------- d-----w- c:\program files\VideoLAN
2009-09-28 08:01 . 2009-09-28 08:01 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab Setup Files
2009-09-28 07:46 . 2009-09-30 03:37 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-09-28 07:08 . 2009-09-28 07:08 -------- d-----w- c:\documents and settings\kuku\Local Settings\Application Data\Symantec
2009-09-28 07:06 . 2009-09-28 07:06 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2009-09-28 07:05 . 2009-10-02 20:47 -------- d-----w- c:\documents and settings\kuku\Application Data\DMCache
2009-09-28 07:05 . 2009-10-01 04:09 -------- d-----w- c:\documents and settings\kuku\Application Data\IDM
2009-09-28 07:05 . 2009-09-28 11:24 -------- d-----w- c:\program files\Internet Download Manager
2009-09-28 07:03 . 2009-09-28 07:04 -------- d-----w- c:\documents and settings\kuku\Application Data\Media Player Classic
2009-09-28 07:03 . 2009-09-28 07:03 -------- d-s---w- c:\documents and settings\kuku\UserData
2009-09-28 07:01 . 2009-09-28 07:01 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2009-09-28 07:01 . 2004-01-22 14:06 157696 ----a-w- c:\windows\system32\unrar.dll

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-02 20:48 . 2009-09-28 01:02 5822240 --sha-w- c:\windows\system32\drivers\fidbox.dat
2009-10-02 20:46 . 2009-09-28 01:02 94568 --sha-w- c:\windows\system32\drivers\fidbox.idx
2009-10-02 20:37 . 2009-09-28 01:00 4212 ---h--w- c:\windows\system32\zllictbl.dat
2009-09-28 22:29 . 2009-09-28 03:09 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-09-28 07:00 . 2009-09-28 07:00 -------- d-----w- c:\program files\K-Lite Codec Pack
2009-09-28 05:36 . 2009-09-28 05:36 -------- d-----w- c:\program files\MSConfig CleanUp
2009-09-28 03:27 . 2009-09-28 03:04 -------- d-----w- c:\program files\Advanced IP Scanner
2009-09-28 03:16 . 2009-09-28 03:09 -------- d-----w- c:\program files\ATI Technologies
2009-09-28 03:10 . 2009-09-28 03:09 -------- d-----w- c:\program files\Common Files\InstallShield
2009-09-28 01:20 . 2009-09-28 01:00 -------- d-----w- c:\documents and settings\All Users\Application Data\MailFrontier
2009-09-28 01:04 . 2009-09-28 01:04 -------- d-----w- c:\documents and settings\kuku\Application Data\MailFrontier
2009-09-28 01:00 . 2009-09-28 01:00 -------- d-----w- c:\program files\Zone Labs
2009-09-28 00:56 . 2009-09-28 00:56 12328 ----a-w- c:\documents and settings\kuku\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-09-28 00:50 . 2009-09-28 00:50 -------- d-----w- c:\program files\microsoft frontpage
2009-09-28 00:47 . 2009-09-28 00:47 21640 ----a-w- c:\windows\system32\emptyregdb.dat
2009-09-09 10:43 . 2009-09-16 12:26 210352 ----a-w- c:\windows\system32\idmmbc.dll
2004-09-01 08:00 . 2004-09-01 08:00 170505 --sha-r- c:\windows\system32\nyugzjd.dll
.

------- Sigcheck -------

[-] 2004-09-01 . 7B11118B078B88F87183FE69EDA43137 . 359040 . . [5.1.2600.2180] . . c:\windows\system32\drivers\tcpip.sys

[-] 2004-09-01 . A77219A971029DC2FB683E8513713803 . 215552 . . [5.1.2600.2055] . . c:\windows\system32\termsrv.dll
.
(((((((((((((((((((((((((((((   SnapShot@2009-10-02_13.40.21   )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-10-16 09:09 . 2008-10-16 09:09 43544              c:\windows\system32\wups2.dll
+ 2009-09-28 00:48 . 2008-10-16 09:08 34328              c:\windows\system32\wups.dll
+ 2009-09-28 00:48 . 2008-10-16 09:09 51224              c:\windows\system32\wuauclt.exe
+ 2009-10-02 20:38 . 2008-10-16 09:08 34328              c:\windows\system32\SoftwareDistribution\Setup\ServiceStartup\wups.dll\7.2.6001.788\wups.dll
+ 2009-09-28 00:48 . 2008-10-16 09:08 34328              c:\windows\system32\dllcache\wups.dll
+ 2009-09-28 00:48 . 2008-10-16 09:09 51224              c:\windows\system32\dllcache\wuauclt.exe
+ 2004-09-01 08:00 . 2008-10-16 09:09 92696              c:\windows\system32\dllcache\cdm.dll
+ 2004-09-01 08:00 . 2008-10-16 09:09 92696              c:\windows\system32\cdm.dll
+ 2009-09-28 01:02 . 2009-10-02 20:48 114212              c:\windows\system32\ZoneLabs\avsys\bases\sfdb.dat
+ 2009-09-28 00:48 . 2008-10-16 09:13 202776              c:\windows\system32\wuweb.dll
+ 2009-09-28 00:48 . 2008-10-16 09:12 323608              c:\windows\system32\wucltui.dll
+ 2009-09-28 00:48 . 2008-10-16 09:12 561688              c:\windows\system32\wuapi.dll
+ 2009-09-28 00:48 . 2008-10-16 09:13 202776              c:\windows\system32\dllcache\wuweb.dll
+ 2009-09-28 00:48 . 2008-10-16 09:12 323608              c:\windows\system32\dllcache\wucltui.dll
+ 2009-09-28 00:48 . 2008-10-16 09:12 561688              c:\windows\system32\dllcache\wuapi.dll
+ 2009-09-28 00:48 . 2008-10-16 09:13 1809944              c:\windows\system32\wuaueng.dll
+ 2009-09-28 00:48 . 2008-10-16 09:13 1809944              c:\windows\system32\dllcache\wuaueng.dll
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IDMan"="c:\program files\Internet Download Manager\IDMan.exe" [2009-09-16 3118512]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UnlockerAssistant"="c:\program files\Unlocker\UnlockerAssistant.exe" [2006-05-06 6656]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-09-06 919016]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"6792:TCP"= 6792:TCP:adwpjn

R2 ZeppelinService;plasservice;c:\program files\Common Files\ParetoLogic\PLAS\plasservice.exe [2/18/2009 2:40 PM 587216]
S2 witrjt;System Windows;c:\windows\system32\svchost.exe -k netsvcs [9/1/2004 1:00 PM 14336]
S3 getPlusHelper;getPlus® Helper;c:\windows\System32\svchost.exe -k getPlusHelper [9/1/2004 1:00 PM 14336]
S3 Partizan;Partizan;c:\windows\system32\drivers\Partizan.sys --> c:\windows\system32\drivers\Partizan.sys [?]
S3 RegGuard;RegGuard;c:\windows\system32\drivers\regguard.sys [9/29/2009 7:54 AM 29584]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - WITRJT

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ    getPlusHelper

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost  - NetSvcs
witrjt

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\ccc-core-static]
msiexec /fums {A75BF1D0-C7C3-CB55-EE17-3225387FD154} /qb
.
Contents of the 'Scheduled Tasks' folder

2009-10-01 c:\windows\Tasks\ParetoLogic Anti-Virus PLUS.job
- c:\program files\ParetoLogic\Anti-Virus PLUS\Pareto_AV.exe [2009-02-18 09:43]

2009-09-29 c:\windows\Tasks\ParetoLogic Anti-Virus PLUS_dbsummary.job
- c:\program files\ParetoLogic\Anti-Virus PLUS\Pareto_AV.exe [2009-02-18 09:43]

2009-09-29 c:\windows\Tasks\ParetoLogic Registration.job
- c:\program files\Common Files\ParetoLogic\UUS2\UUS.dll [2008-02-22 07:25]

2009-09-29 c:\windows\Tasks\ParetoLogic Update Version2.job
- c:\program files\Common Files\ParetoLogic\UUS2\Pareto_Update.exe [2008-02-22 07:25]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
IE: Download All Links with IDM - c:\program files\Internet Download Manager\IEGetAll.htm
IE: Download FLV video content with IDM - c:\program files\Internet Download Manager\IEGetVL.htm
IE: Download with IDM - c:\program files\Internet Download Manager\IEExt.htm
LSP: c:\windows\system32\INetHTTPFilter.dll
TCP: {5F2F6F0D-C80E-478E-8F3B-5FBEA88006D8} = 10.0.1.1 192.168.7.2
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-03 01:48
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...  

scanning hidden autostart entries ...

scanning hidden files ...  

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\witrjt]
"ServiceDll"="c:\windows\system32\nyugzjd.dll"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]
@Denied: (A 2) (Everyone)
@="IFlashBroker3"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(620)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'lsass.exe'(676)
c:\windows\system32\INetHTTPFilter.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\ati2evxx.exe
c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-10-02  1:50 - machine was rebooted
ComboFix-quarantined-files.txt  2009-10-02 20:50
ComboFix2.txt  2009-10-02 13:42

Pre-Run: 21,565,091,840 bytes free
Post-Run: 21,722,292,224 bytes free

234

==================================================================

But I am still receiving this message, "C:/windows/system32/rundll32.exe is missing", when I try to open anything in the Control Panel menu/properties.

guestolo
treatment for "virus.win32.virut.ce"
« Reply #13 on: October 03, 2009, 08:57:51 AM »
1. Please download Avenger2 by Swandog46 to your Desktop.
  • Right click on the Avenger.zip folder and select "Extract All..."
  • Follow the prompts and extract the avenger folder to your desktop
2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C). Or highlight it and right click and select Copy
Code:
Drivers to delete:
witrjt

Files to delete:
c:\windows\system32\nyugzjd.dll
c:\windows\system32\drivers\etc\lmhosts

Registry values to delete:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost\netsvcs | witrjt
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List | 6792:TCP
HKEY_LOCAL_MACHINE\System\ControlSet001\Services\witrjt | ServiceDll

Registry keys to delete:
HKEY_LOCAL_MACHINE\System\ControlSet001\Services\witrjt
3. Now, open the avenger folder and double click on Avenger.exe to run it.
  • Right click on the window under Input script here:, and select Paste.
       
  • You can also Paste the text copied to the clipboard into this window by pressing (Ctrl+V), or click on the third button under the menu to paste it from the clipboard.
       
  • Click on Execute
       
  • Answer "Yes" twice when prompted.
4. The Avenger will automatically do the following:
  • It will Restart your computer. ( In cases where the code to execute contains "Drivers to Delete" or "Drivers to Disable", The Avenger will actually restart your system twice.)
       
  • After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
       
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
5. Please copy/paste the content of c:\avenger.txt into your reply.

In addition:
Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2
  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    Code:
    :filefind
    rundll32.exe

  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt

Can you also let me know the following:
I see ZoneAlarm Security Suite Antivirus
and ParetoLogic Anti-Virus installed; are they 2 different AV software?
« Last Edit: October 03, 2009, 11:10:28 AM by guestolo »

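The Avenger script in the reply above tears down one svchost-hosted service (witrjt, ServiceDll nyugzjd.dll) and one firewall exception (6792:TCP) that the second ComboFix log exposed. As an added example that is not part of this thread and is neither ComboFix's nor Avenger's code, the PowerShell below performs the same audit on a live machine: it walks every name in the netsvcs group, checks whether a service key backs it (the first ComboFix log listed nbowopgq and gidyrx under NetSvcs with no matching service), resolves the ServiceDll from either its Parameters subkey or the service key itself (where witrjt kept it), reports the DLL's Authenticode status and hidden/system attributes (nyugzjd.dll carried --sha-r-), and then lists the GloballyOpenPorts entries. It also shows how to remove a name from netsvcs correctly: netsvcs is a single REG_MULTI_SZ value and a rogue name is an element inside it, not a value of its own, which is why the attempt to delete a value called "netsvcs | witrjt" reports STATUS_OBJECT_NAME_NOT_FOUND in the Avenger log posted in the next reply. Assumptions: a current Windows host with PowerShell 4 or later and an elevated prompt (the XP machine in this thread could not run it; the registry locations are the same), and the "suspicious" heuristics are the editor's, not the helper's.

```powershell
# Added example (editor's code, not from the thread, ComboFix or Avenger).
# Audit the svchost "netsvcs" group and the firewall's globally open ports.
# Read-only unless you call Remove-NetsvcsEntry. Needs PowerShell 4+ and an elevated prompt.

$SvchostKey  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost'
$ServicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$PortsKey    = "$ServicesKey\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List"

function Get-ServiceDllPath([string]$svcKey) {
    # Well-behaved svchost services keep ServiceDll under <service>\Parameters; the ComboFix
    # log above shows witrjt keeping it directly under the service key, so look in both.
    foreach ($key in "$svcKey\Parameters", $svcKey) {
        $dll = (Get-ItemProperty -Path $key -Name ServiceDll -ErrorAction SilentlyContinue).ServiceDll
        if ($dll) { return [Environment]::ExpandEnvironmentVariables($dll) }
    }
    return $null
}

function Get-NetsvcsAudit {
    $names = (Get-ItemProperty -Path $SvchostKey -Name netsvcs).netsvcs
    foreach ($name in $names) {
        $svcKey = "$ServicesKey\$name"
        $row = [ordered]@{
            Service    = $name
            KeyExists  = (Test-Path $svcKey)   # orphan names like nbowopgq/gidyrx fail here
            ServiceDll = $null
            Signature  = 'n/a'
            Attributes = 'n/a'
            Suspicious = @()
        }
        if (-not $row.KeyExists) {
            $row.Suspicious += 'netsvcs entry with no service key'
        } else {
            $row.ServiceDll = Get-ServiceDllPath $svcKey
            if (-not $row.ServiceDll) {
                $row.Suspicious += 'no ServiceDll'
            } elseif (-not (Test-Path -LiteralPath $row.ServiceDll)) {
                $row.Suspicious += 'ServiceDll missing on disk'
            } else {
                $item = Get-Item -LiteralPath $row.ServiceDll -Force   # -Force: see hidden files
                $row.Attributes = [string]$item.Attributes
                # OS DLLs are catalog-signed; a missing .cat shows as NotSigned, so treat this
                # as a prompt for manual review, not as proof of infection.
                $row.Signature = (Get-AuthenticodeSignature -FilePath $row.ServiceDll).Status
                if ($row.Signature -ne 'Valid') { $row.Suspicious += "signature $($row.Signature)" }
                # nyugzjd.dll above was --sha-r-: hidden+system on a service DLL is a red flag
                if (($item.Attributes -band [IO.FileAttributes]::Hidden) -ne 0) { $row.Suspicious += 'hidden' }
                if (($item.Attributes -band [IO.FileAttributes]::System) -ne 0) { $row.Suspicious += 'system attribute' }
            }
        }
        $row.Suspicious = $row.Suspicious -join '; '
        [pscustomobject]$row
    }
}

function Get-GloballyOpenPorts {
    # Stored as "port:proto:...": the log showed "6792:TCP:adwpjn". Built-in exceptions
    # describe themselves with a resource string (@xpsp2res.dll,...); review anything else.
    $props = Get-ItemProperty -Path $PortsKey -ErrorAction SilentlyContinue
    if (-not $props) { return }
    foreach ($p in ($props.PSObject.Properties | Where-Object { $_.Name -match '^\d+:(TCP|UDP)$' })) {
        $fields = [string]$p.Value -split ':'
        $desc = if ($fields.Count -gt 2) { $fields[2..($fields.Count - 1)] -join ':' } else { '' }
        [pscustomobject]@{ Port = $fields[0]; Protocol = $fields[1]; Description = $desc }
    }
}

function Remove-NetsvcsEntry {
    # netsvcs is ONE REG_MULTI_SZ value; a rogue name is an element inside it, not a value
    # of its own, so "delete value witrjt" cannot find anything. Rewrite the list instead.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([Parameter(Mandatory)][string]$Name)
    $current = (Get-ItemProperty -Path $SvchostKey -Name netsvcs).netsvcs
    if ($current -notcontains $Name) { Write-Warning "$Name is not in netsvcs"; return }
    $remaining = [string[]]($current | Where-Object { $_ -ne $Name })
    if ($PSCmdlet.ShouldProcess("$SvchostKey\netsvcs", "remove '$Name'")) {
        Set-ItemProperty -Path $SvchostKey -Name netsvcs -Value $remaining -Type MultiString
    }
}

Get-NetsvcsAudit | Format-Table -AutoSize
Get-GloballyOpenPorts | Format-Table -AutoSize
# Remove-NetsvcsEntry -Name witrjt -WhatIf      # dry run; drop -WhatIf to apply
```

Disable and delete the service key and its DLL as well (the Avenger script does both); pruning the netsvcs list alone only stops svchost from loading it on the next boot.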


faraz
treatment for "virus.win32.virut.ce"
« Reply #14 on: October 04, 2009, 01:27:01 AM »
Yes, they are both different antiviruses. I want to uninstall the ParetoLogic antivirus, but I am not able to get access to Add/Remove Programs because of the missing rundll32 file. However, I have deleted it from C:\Program Files.


 //////////////////////////////////////////
  Avenger Pre-Processor log
//////////////////////////////////////////

Platform: Windows XP (build 2600, Service Pack 2)
Sun Oct 04 00:06:22 2009

00:05:38: Error: can't open file 'C:\WINDOWS\admk.txt' (error 5: access is denied.)
00:05:43: Error: Could not open script file.
Aborting execution! (error 6: the handle is invalid.)
00:05:44: Error: can't open file 'C:\avenger.txt' (error 5: access is denied.)
00:05:46: Error: Could not log error messages to file. (error 6: the handle is invalid.)


//////////////////////////////////////////


Logfile of The Avenger Version 2.0, © by Swandog46
http://swandog46.geekstogo.com

Platform:  Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

Driver "witrjt" deleted successfully.
File "c:\windows\system32\nyugzjd.dll" deleted successfully.
File "c:\windows\system32\drivers\etc\lmhosts" deleted successfully.
Registry value "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List|6792:TCP" deleted successfully.

Error:  could not delete registry value "HKEY_LOCAL_MACHINE\System\ControlSet001\Services\witrjt|ServiceDll"
Deletion of registry value "HKEY_LOCAL_MACHINE\System\ControlSet001\Services\witrjt|ServiceDll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
  --> the object does not exist

Registry key "HKEY_LOCAL_MACHINE\System\ControlSet001\Services\witrjt" deleted successfully.

Error:  could not delete registry value "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost\netsvcs|witrjt"
Deletion of registry value "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost\netsvcs|witrjt" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
  --> the object does not exist


Completed script processing.

*******************

Finished!  Terminate.


||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Here is the SystemLook log file:


SystemLook v1.0 by jpshortstuff (29.08.09)
Log created at 00:25 on 04/10/2009 by kuku (Administrator - Elevation successful)

========== filefind ==========

Searching for "rundll32.exe"
C:\WINDOWS\system32\dllcache\rundll32.exe --a--c 33280 bytes [08:00 01/09/2004] [08:00 01/09/2004] DA285490BBD8A1D0CE6623577D5BA1FF

-=End Of File=-

Offline guestolo

treatment for "virus.win32.virut.ce"
« Reply #15 on: October 04, 2009, 06:38:32 PM »
Quote
I want to uninstall the Partologic antivirus but I'm not able to get access to the Add/Remove Programs because of the missing rundll32 file. However, I have deleted it from c:/program files.

Please don't just delete its folders; you can do so after a proper uninstallation.
If you still have the contents of the Partologic AV folder in the Recycle Bin,
can you open the Recycle Bin, right-click on it and restore it?

THEN:
The size and MD5 of rundll32.exe in the dllcache folder look correct
Can you
Set Windows To Show Hidden Files and Folders
    * Click Start.
    * Open My Computer.
    * Select the Tools menu and click Folder Options.
    * Select the View Tab.
    * Under the Hidden files and folders heading select Show hidden files and folders.
    * Uncheck the Hide protected operating system files (recommended) option.
    * Uncheck the Hide Extensions for known file types option.
    * Click Yes to confirm.
    * Click OK.

Navigate to the following folder:
C:\WINDOWS\system32\dllcache
In the dllcache folder, Right Click on rundll32.exe and select COPY
Then go back to the system32 folder
Right click and select PASTE

Reboot your computer

Go back into Add and Remove Programs and try to properly uninstall Partologic antivirus.
Reboot afterwards.

Come back here
Random's System Information Tool (RSIT)

Download random's system information tool (RSIT) by random/random from >>here<< and save it to your desktop.
  • Double click on RSIT.exe to launch program.
  • Click Continue at the disclaimer screen.
  • Your firewall may alert you that RSIT is requesting Internet access. Please allow it.
  • Once it has finished, two logs will open: log.txt <-- this will be maximized, and info.txt <-- this will be minimized.
Can you post both those logs please?

Do you want to post your own logs from FRST?

Follow the instructions posted here: http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/
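The copy-from-dllcache step above, as an added Python example that is not from the thread: it checks the cached rundll32.exe against the size and MD5 that SystemLook reported before copying it over the missing system32 file, because a file infector like Virut can reach the dllcache copy as well. The paths and reference values are the ones in the thread; run it as Administrator.

```python
import hashlib
import os
import shutil

# Reference values for rundll32.exe as reported by SystemLook in the thread
# (size in bytes and MD5 of the copy in dllcache).
EXPECTED_SIZE = 33280
EXPECTED_MD5 = "DA285490BBD8A1D0CE6623577D5BA1FF"

# Paths from the thread (Windows XP layout).
DLLCACHE_COPY = r"C:\WINDOWS\system32\dllcache\rundll32.exe"
SYSTEM32_COPY = r"C:\WINDOWS\system32\rundll32.exe"


def matches_reference(data, expected_size=EXPECTED_SIZE, expected_md5=EXPECTED_MD5):
    """True when the file contents have exactly the expected size and MD5.

    Both checks matter: an infector that appends code changes the size, while a
    same-size patch only shows up in the hash.
    """
    if len(data) != expected_size:
        return False
    return hashlib.md5(data).hexdigest().lower() == expected_md5.lower()


def read_file(path):
    with open(path, "rb") as fh:
        return fh.read()


def restore_from_dllcache(cache=DLLCACHE_COPY, target=SYSTEM32_COPY):
    """Promote the dllcache copy to system32 only if the cached file is clean.

    Returns "cache-mismatch" (do not copy: the cached file is not the expected
    binary), "already-ok" (system32 already holds the clean file) or
    "restored" (the cache copy was written to system32).
    """
    if not matches_reference(read_file(cache)):
        return "cache-mismatch"
    if os.path.exists(target) and matches_reference(read_file(target)):
        return "already-ok"
    shutil.copy2(cache, target)  # copy2 keeps the original timestamps
    return "restored"


if __name__ == "__main__":
    print(restore_from_dllcache())
```

A "cache-mismatch" result means the cached copy should not be trusted either and the file has to come from the installation CD (the expand command from the first post) instead.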


Offline faraz

treatment for "virus.win32.virut.ce"
« Reply #16 on: October 05, 2009, 04:53:41 AM »
Bundle of thanks for your help.

Now, is there any threat present or not?

Please find the attached file.
« Last Edit: October 05, 2009, 04:56:09 AM by faraz »

Offline guestolo

treatment for "virus.win32.virut.ce"
« Reply #17 on: October 05, 2009, 10:25:45 PM »
Can you also do the following:
Sysprot Antirootkit
Please download Sysprot Antirootkit from the link below
and save it to your Desktop.

http://sites.google.com/site/sysprotantirootkit/

Unzip it into a folder on your desktop.
  • Double click Sysprot.exe to start the program.
  • Click on the Log tab.
  • In the Write to log box select all items.
  • Click on the Create Log button on the bottom right.
  • After a few seconds a new window should appear.
  • Select Scan Root Drive. Click on the Start button.
  • When it is complete a new window will appear to indicate that the scan is finished.
  • The log will be saved automatically in the same folder Sysprot.exe was extracted to.
  • Open the text file and copy/paste the log here.
In addition:
Temporarily disable your realtime protection with your own virus scanner so it won't interfere with this scan.
Please run a free online scan with the ESET Online Scanner.
Note: You will need to use Internet Explorer for this scan.
  • Tick the box next to YES, I accept the Terms of Use
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the options Remove found threats and Scan unwanted applications are checked
  • Click Scan (This scan can take a while, so please be patient)
  • Once the scan is completed, you may close the window
  • Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  • Copy and paste that log as a reply to this topic



Offline faraz

treatment for "virus.win32.virut.ce"
« Reply #18 on: October 06, 2009, 12:17:45 PM »
SysProt AntiRootkit v1.0.1.0
by swatkat

********************************************************************************
**********
********************************************************************************
**********

Process:
Name: [System Idle Process]
PID: 0
Hidden: No
Window Visible: No

Name: System
PID: 4
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\smss.exe
PID: 536
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\csrss.exe
PID: 592
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\winlogon.exe
PID: 620
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\services.exe
PID: 664
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\lsass.exe
PID: 676
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\ati2evxx.exe
PID: 840
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\svchost.exe
PID: 860
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\svchost.exe
PID: 908
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\svchost.exe
PID: 988
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\svchost.exe
PID: 1076
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\svchost.exe
PID: 1132
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\ZoneLabs\vsmon.exe
PID: 1144
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\ati2evxx.exe
PID: 1196
Hidden: No
Window Visible: No

Name: C:\WINDOWS\explorer.exe
PID: 1396
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\ZoneLabs\avsys\ScanningProcess.exe
PID: 1676
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\spoolsv.exe
PID: 1756
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\ZoneLabs\avsys\ScanningProcess.exe
PID: 1908
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\svchost.exe
PID: 1952
Hidden: No
Window Visible: No

Name: C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
PID: 188
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\alg.exe
PID: 1828
Hidden: No
Window Visible: No

Name: C:\Program Files\Unlocker\UnlockerAssistant.exe
PID: 2236
Hidden: No
Window Visible: No

Name: C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
PID: 2276
Hidden: No
Window Visible: No

Name: C:\WINDOWS\RTHDCPL.exe
PID: 2316
Hidden: No
Window Visible: No

Name: C:\Program Files\Internet Download Manager\IDMan.exe
PID: 2332
Hidden: No
Window Visible: No

Name: C:\Program Files\Internet Download Manager\IEMonitor.exe
PID: 2400
Hidden: No
Window Visible: No

Name: C:\PROGRA~1\ZONELA~1\ZONEAL~1\MAILFR~1\mantispm.exe
PID: 2504
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\svchost.exe
PID: 2584
Hidden: No
Window Visible: No

Name: C:\Program Files\Internet Explorer\iexplore.exe
PID: 3752
Hidden: No
Window Visible: No

Name: C:\Documents and Settings\kuku\Desktop\SysProt\SysProt.exe
PID: 3184
Hidden: No
Window Visible: Yes

********************************************************************************
**********
********************************************************************************
**********
Kernel Modules:
Module Name: \??\C:\Documents and Settings\kuku\Desktop\SysProt\SysProtDrv.sys
Service Name: SysProtDrv.sys
Module Base: EB4B5000
Module End: EB4C0000
Hidden: No

Module Name: \WINDOWS\system32\ntkrnlpa.exe
Service Name: ---
Module Base: 804D7000
Module End: 806E2000
Hidden: No

Module Name: \WINDOWS\system32\hal.dll
Service Name: ---
Module Base: 806E2000
Module End: 80702D00
Hidden: No

Module Name: \WINDOWS\system32\KDCOM.DLL
Service Name: ---
Module Base: F79D0000
Module End: F79D2000
Hidden: No

Module Name: \WINDOWS\system32\BOOTVID.dll
Service Name: ---
Module Base: F78E0000
Module End: F78E3000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\ACPI.sys
Service Name: ACPI
Module Base: F73A1000
Module End: F73CF000
Hidden: No

Module Name: \WINDOWS\system32\DRIVERS\WMILIB.SYS
Service Name: ---
Module Base: F79D2000
Module End: F79D4000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\pci.sys
Service Name: PCI
Module Base: F7390000
Module End: F73A1000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\isapnp.sys
Service Name: isapnp
Module Base: F74D0000
Module End: F74D9000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\pciide.sys
Service Name: PCIIde
Module Base: F7A98000
Module End: F7A99000
Hidden: No

Module Name: \WINDOWS\system32\DRIVERS\PCIIDEX.SYS
Service Name: ---
Module Base: F7750000
Module End: F7757000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\MountMgr.sys
Service Name: MountMgr
Module Base: F74E0000
Module End: F74EB000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\ftdisk.sys
Service Name: Disk
Module Base: F7371000
Module End: F7390000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\dmload.sys
Service Name: dmload
Module Base: F79D4000
Module End: F79D6000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\dmio.sys
Service Name: dmio
Module Base: F734B000
Module End: F7371000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\PartMgr.sys
Service Name: PartMgr
Module Base: F7758000
Module End: F775D000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\VolSnap.sys
Service Name: VolSnap
Module Base: F74F0000
Module End: F74FD000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\atapi.sys
Service Name: atapi
Module Base: F7333000
Module End: F734B000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\disk.sys
Service Name: ---
Module Base: F7500000
Module End: F7509000
Hidden: No

Module Name: \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
Service Name: ---
Module Base: F7510000
Module End: F751D000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\fltMgr.sys
Service Name: FltMgr
Module Base: F7314000
Module End: F7333000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\sr.sys
Service Name: sr
Module Base: F7302000
Module End: F7314000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\KSecDD.sys
Service Name: KSecDD
Module Base: F72EB000
Module End: F7302000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\Ntfs.sys
Service Name: Ntfs
Module Base: F725E000
Module End: F72EB000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\NDIS.sys
Service Name: NDIS
Module Base: F7231000
Module End: F725E000
Hidden: No

Module Name: srescan.sys
Service Name: srescan
Module Base: F721D000
Module End: F7231000
Hidden: Yes

Module Name: C:\WINDOWS\system32\drivers\Mup.sys
Service Name: Mup
Module Base: F7202000
Module End: F721D000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\AmdK8.sys
Service Name: AmdK8
Module Base: F7640000
Module End: F764E000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\ati2mtag.sys
Service Name: ati2mtag
Module Base: F6FA6000
Module End: F71BA000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\VIDEOPRT.SYS
Service Name: ---
Module Base: F6F92000
Module End: F6FA6000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\usbohci.sys
Service Name: usbohci
Module Base: F77C8000
Module End: F77CD000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\USBPORT.SYS
Service Name: ---
Module Base: F6F6F000
Module End: F6F92000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\usbehci.sys
Service Name: usbehci
Module Base: F77D0000
Module End: F77D7000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\imapi.sys
Service Name: Imapi
Module Base: F7650000
Module End: F765B000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\cdrom.sys
Service Name: Cdrom
Module Base: F7660000
Module End: F766D000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\redbook.sys
Service Name: redbook
Module Base: F7670000
Module End: F767F000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\ks.sys
Service Name: ---
Module Base: F6F4C000
Module End: F6F6F000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
Service Name: HDAudBus
Module Base: F6F27000
Module End: F6F4C000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\el90xbc5.sys
Service Name: EL90XBC
Module Base: F6F16000
Module End: F6F27000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\serial.sys
Service Name: Serial
Module Base: F7680000
Module End: F7690000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\serenum.sys
Service Name: serenum
Module Base: F7980000
Module End: F7984000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\parport.sys
Service Name: Parport
Module Base: F6F02000
Module End: F6F16000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\i8042prt.sys
Service Name: i8042prt
Module Base: F7690000
Module End: F769D000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\kbdclass.sys
Service Name: Kbdclass
Module Base: F77E0000
Module End: F77E6000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\ASACPI.sys
Service Name: MTsensor
Module Base: F79E6000
Module End: F79E8000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\audstub.sys
Service Name: audstub
Module Base: F7BF7000
Module End: F7BF8000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
Service Name: Rasl2tp
Module Base: F76A0000
Module End: F76AD000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\ndistapi.sys
Service Name: NdisTapi
Module Base: F7984000
Module End: F7987000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\ndiswan.sys
Service Name: NdisWan
Module Base: F6EEB000
Module End: F6F02000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\raspppoe.sys
Service Name: RasPppoe
Module Base: F76B0000
Module End: F76BB000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\raspptp.sys
Service Name: PptpMiniport
Module Base: F76C0000
Module End: F76CC000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\TDI.SYS
Service Name: ---
Module Base: F77E8000
Module End: F77ED000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\psched.sys
Service Name: PSched
Module Base: F6EDA000
Module End: F6EEB000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\msgpc.sys
Service Name: Gpc
Module Base: F76D0000
Module End: F76D9000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\ptilink.sys
Service Name: Ptilink
Module Base: F77F0000
Module End: F77F5000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\raspti.sys
Service Name: Raspti
Module Base: F77F8000
Module End: F77FD000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\rdpdr.sys
Service Name: rdpdr
Module Base: F6EA9000
Module End: F6EDA000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\termdd.sys
Service Name: TermDD
Module Base: F76E0000
Module End: F76EA000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\mouclass.sys
Service Name: Mouclass
Module Base: F7800000
Module End: F7806000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\swenum.sys
Service Name: swenum
Module Base: F79E8000
Module End: F79EA000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\update.sys
Service Name: Update
Module Base: F6E4D000
Module End: F6E81000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\mssmbios.sys
Service Name: mssmbios
Module Base: F79A4000
Module End: F79A8000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\NDProxy.SYS
Service Name: NDProxy
Module Base: F76F0000
Module End: F76FA000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\usbhub.sys
Service Name: usbhub
Module Base: F7720000
Module End: F772F000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\USBD.SYS
Service Name: ---
Module Base: F79EA000
Module End: F79EC000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\RtkHDAud.sys
Service Name: IntcAzAudAddService
Module Base: EE811000
Module End: EEC65000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\portcls.sys
Service Name: ---
Module Base: EE7EF000
Module End: EE811000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\drmk.sys
Service Name: ---
Module Base: F7730000
Module End: F773F000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\klif.sys
Service Name: KLIF
Module Base: EE77C000
Module End: EE79F000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\hidusb.sys
Service Name: hidusb
Module Base: F6E9D000
Module End: F6EA0000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\HIDCLASS.SYS
Service Name: ---
Module Base: F7540000
Module End: F7549000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\HIDPARSE.SYS
Service Name: ---
Module Base: F7810000
Module End: F7817000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\Fs_Rec.SYS
Service Name: Fs_Rec
Module Base: F79EE000
Module End: F79F0000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\Null.SYS
Service Name: Null
Module Base: F7B38000
Module End: F7B39000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\Beep.SYS
Service Name: Beep
Module Base: F79F0000
Module End: F79F2000
Hidden: No

Module Name: C:\WINDOWS\System32\drivers\vga.sys
Service Name: VgaSave
Module Base: F7818000
Module End: F781E000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\mnmdd.SYS
Service Name: mnmdd
Module Base: F79F2000
Module End: F79F4000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\RDPCDD.sys
Service Name: RDPCDD
Module Base: F79F4000
Module End: F79F6000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\Msfs.SYS
Service Name: Msfs
Module Base: F7820000
Module End: F7825000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\Npfs.SYS
Service Name: Npfs
Module Base: F7828000
Module End: F7830000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\rasacd.sys
Service Name: RasAcd
Module Base: F6E99000
Module End: F6E9C000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\ipsec.sys
Service Name: IPSec
Module Base: EE749000
Module End: EE75C000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\tcpip.sys
Service Name: Tcpip
Module Base: EE6F1000
Module End: EE749000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\netbt.sys
Service Name: NetBT
Module Base: EE6C9000
Module End: EE6F1000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\ipnat.sys
Service Name: IpNat
Module Base: EE6A8000
Module End: EE6C9000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\wanarp.sys
Service Name: Wanarp
Module Base: F7550000
Module End: F7559000
Hidden: No

Module Name: C:\WINDOWS\System32\vsdatant.sys
Service Name: vsdatant
Module Base: EE648000
Module End: EE6A8000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\mouhid.sys
Service Name: mouhid
Module Base: F6E85000
Module End: F6E88000
Hidden: No

Module Name: C:\WINDOWS\System32\drivers\afd.sys
Service Name: AFD
Module Base: EE626000
Module End: EE648000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\netbios.sys
Service Name: NetBIOS
Module Base: F7560000
Module End: F7569000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\rdbss.sys
Service Name: Rdbss
Module Base: EE5FA000
Module End: EE626000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
Service Name: MRxSmb
Module Base: EE58B000
Module End: EE5FA000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\Fips.SYS
Service Name: Fips
Module Base: F7580000
Module End: F7589000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\Cdfs.SYS
Service Name: Cdfs
Module Base: F75A0000
Module End: F75B0000
Hidden: No

Module Name: \SystemRoot\System32\Drivers\dump_atapi.sys
Service Name: ---
Module Base: EE54B000
Module End: EE563000
Hidden: Yes

Module Name: \SystemRoot\System32\Drivers\dump_WMILIB.SYS
Service Name: ---
Module Base: F7A0C000
Module End: F7A0E000
Hidden: Yes

Module Name: C:\WINDOWS\System32\drivers\Dxapi.sys
Service Name: ---
Module Base: EE7E7000
Module End: EE7EA000
Hidden: No

Module Name: C:\WINDOWS\System32\watchdog.sys
Service Name: ---
Module Base: F7838000
Module End: F783D000
Hidden: No

Module Name: C:\WINDOWS\System32\drivers\dxgthk.sys
Service Name: ---
Module Base: F7B23000
Module End: F7B24000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\ndisuio.sys
Service Name: Ndisuio
Module Base: EC133000
Module End: EC137000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\wdmaud.sys
Service Name: wdmaud
Module Base: EBBA6000
Module End: EBBBB000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\sysaudio.sys
Service Name: sysaudio
Module Base: EBEAB000
Module End: EBEBA000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\mrxdav.sys
Service Name: MRxDAV
Module Base: EB972000
Module End: EB99F000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\ParVdm.SYS
Service Name: ParVdm
Module Base: F7A8E000
Module End: F7A90000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\srv.sys
Service Name: Srv
Module Base: EB8A8000
Module End: EB8FA000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\HTTP.sys
Service Name: HTTP
Module Base: EB637000
Module End: EB678000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\fdc.sys
Service Name: Fdc
Module Base: F77D8000
Module End: F77DF000
Hidden: No

********************************************************************************
**********
********************************************************************************
**********
SSDT:
Function Name: ZwConnectPort
Address: EE67AEB0
Driver Base: EE648000
Driver End: EE6A8000
Driver Name: \SystemRoot\System32\vsdatant.sys

Function Name: ZwCreateFile
Address: EE677870
Driver Base: EE648000
Driver End: EE6A8000
Driver Name: \SystemRoot\System32\vsdatant.sys

Function Name: ZwCreateKey
Address: EE682720
Driver Base: EE648000
Driver End: EE6A8000
Driver Name: \SystemRoot\System32\vsdatant.sys

Function Name: ZwCreatePort
Address: EE67B270
Driver Base: EE648000
Driver End: EE6A8000
Driver Name: \SystemRoot\System32\vsdatant.sys

Function Name: ZwCreateProcess
Address: EE681520
Driver Base: EE648000
Driver End: EE6A8000
Driver Name: \SystemRoot\System32\vsdatant.sys

Function Name: ZwCreateProcessEx
Address: EE681750
Driver Base: EE648000
Driver End: EE6A8000
Driver Name: \SystemRoot\System32\vsdatant.sys

Function Name: ZwCreateSection
Address: EE6850B0
Driver Base: EE648000
Driver End: EE6A8000
Driver Name: \SystemRoot\System32\vsdatant.sys

Function Name: ZwCreateWaitablePort
Address: EE67B360
Driver Base: EE648000
Driver End: EE6A8000
Driver Name: \SystemRoot\System32\vsdatant.sys

Function Name: ZwDeleteFile
Address: EE677EF0
Driver Base: EE648000
Driver End: EE6A8000
Driver Name: \SystemRoot\System32\vsdatant.sys

Function Name: ZwDeleteKey
Address: EE683740
Driver Base: EE648000
Driver End: EE6A8000
Driver Name: \SystemRoot\System32\vsdatant.sys

Function Name: ZwDeleteValueKey
Address: EE683380
Driver Base: EE648000
Driver End: EE6A8000
Driver Name: \SystemRoot\System32\vsdatant.sys

Function Name: ZwDuplicateObject
Address: EE681290
Driver Base: EE648000
Driver End: EE6A8000
Driver Name: \SystemRoot\System32\vsdatant.sys

Function Name: ZwLoadDriver
Address: EE675300
Driver Base: EE648000
Driver End: EE6A8000
Driver Name: \SystemRoot\System32\vsdatant.sys

Function Name: ZwLoadKey
Address: EE683A80
Driver Base: EE648000
Driver End: EE6A8000
Driver Name: \SystemRoot\System32\vsdatant.sys

Function Name: ZwMapViewOfSection
Address: EE685310
Driver Base: EE648000
Driver End: EE6A8000
Driver Name: \SystemRoot\System32\vsdatant.sys

Function Name: ZwOpenFile
Address: EE677D40
Driver Base: EE648000
Driver End: EE6A8000
Driver Name: \SystemRoot\System32\vsdatant.sys

Function Name: ZwOpenProcess
Address: EE680FE0
Driver Base: EE648000
Driver End: EE6A8000
Driver Name: \SystemRoot\System32\vsdatant.sys

Function Name: ZwOpenThread
Address: EE680E00
Driver Base: EE648000
Driver End: EE6A8000
Driver Name: \SystemRoot\System32\vsdatant.sys

Function Name: ZwRenameKey
Address: EE6841F0
Driver Base: EE648000
Driver End: EE6A8000
Driver Name: \SystemRoot\System32\vsdatant.sys

Function Name: ZwReplaceKey
Address: EE683D70
Driver Base: EE648000
Driver End: EE6A8000
Driver Name: \SystemRoot\System32\vsdatant.sys

Function Name: ZwRequestWaitReplyPort
Address: EE67AB50
Driver Base: EE648000
Driver End: EE6A8000
Driver Name: \SystemRoot\System32\vsdatant.sys

Function Name: ZwRestoreKey
Address: EE684020
Driver Base: EE648000
Driver End: EE6A8000
Driver Name: \SystemRoot\System32\vsdatant.sys

Function Name: ZwSecureConnectPort
Address: EE67B060
Driver Base: EE648000
Driver End: EE6A8000
Driver Name: \SystemRoot\System32\vsdatant.sys

Function Name: ZwSetInformationFile
Address: EE678060
Driver Base: EE648000
Driver End: EE6A8000
Driver Name: \SystemRoot\System32\vsdatant.sys

Function Name: ZwSetSystemInformation
Address: EE675170
Driver Base: EE648000
Driver End: EE6A8000
Driver Name: \SystemRoot\System32\vsdatant.sys

Function Name: ZwSetValueKey
Address: EE682EF7
Driver Base: EE648000
Driver End: EE6A8000
Driver Name: \SystemRoot\System32\vsdatant.sys

Function Name: ZwTerminateProcess
Address: EE681980
Driver Base: EE648000
Driver End: EE6A8000
Driver Name: \SystemRoot\System32\vsdatant.sys

Function Name: ZwUnloadDriver
Address: EE6754D0
Driver Base: EE648000
Driver End: EE6A8000
Driver Name: \SystemRoot\System32\vsdatant.sys

********************************************************************************
**********
********************************************************************************
**********
No Kernel Hooks found

********************************************************************************
**********
********************************************************************************
**********
IRP Hooks:
Hooked Module: C:\WINDOWS\system32\DRIVERS\tcpip.sys
Hooked IRP: IRP_MJ_CREATE
Jump To: EE68CCC0
Hooking Module: C:\WINDOWS\System32\vsdatant.sys

Hooked Module: C:\WINDOWS\system32\DRIVERS\tcpip.sys
Hooked IRP: IRP_MJ_CLOSE
Jump To: EE68CCC0
Hooking Module: C:\WINDOWS\System32\vsdatant.sys

Hooked Module: C:\WINDOWS\system32\DRIVERS\tcpip.sys
Hooked IRP: IRP_MJ_DEVICE_CONTROL
Jump To: EE68CCC0
Hooking Module: C:\WINDOWS\System32\vsdatant.sys

Hooked Module: C:\WINDOWS\system32\DRIVERS\tcpip.sys
Hooked IRP: IRP_MJ_INTERNAL_DEVICE_CONTROL
Jump To: EE68CCC0
Hooking Module: C:\WINDOWS\System32\vsdatant.sys

Hooked Module: C:\WINDOWS\system32\DRIVERS\tcpip.sys
Hooked IRP: IRP_MJ_CLEANUP
Jump To: EE68CCC0
Hooking Module: C:\WINDOWS\System32\vsdatant.sys

********************************************************************************
**********
********************************************************************************
**********
Ports:
Local Address: KAKA:NETBIOS-SSN
Remote Address: 0.0.0.0:0
Type: TCP
Process: System
State: LISTENING

Local Address: KAKA:1031
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\WINDOWS\system32\alg.exe
State: LISTENING

Local Address: KAKA:2869
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\WINDOWS\system32\svchost.exe
State: LISTENING

Local Address: KAKA:1025
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\WINDOWS\system32\ZoneLabs\vsmon.exe
State: LISTENING

Local Address: KAKA:MICROSOFT-DS
Remote Address: 0.0.0.0:0
Type: TCP
Process: System
State: LISTENING

Local Address: KAKA:EPMAP
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\WINDOWS\system32\svchost.exe
State: LISTENING

Local Address: KAKA:1900
Remote Address: NA
Type: UDP
Process: C:\WINDOWS\system32\svchost.exe
State: NA

Local Address: KAKA:138
Remote Address: NA
Type: UDP
Process: System
State: NA

Local Address: KAKA:NETBIOS-NS
Remote Address: NA
Type: UDP
Process: System
State: NA

Local Address: KAKA:123
Remote Address: NA
Type: UDP
Process: C:\WINDOWS\system32\svchost.exe
State: NA

Local Address: KAKA:1900
Remote Address: NA
Type: UDP
Process: C:\WINDOWS\system32\svchost.exe
State: NA

Local Address: KAKA:1078
Remote Address: NA
Type: UDP
Process: C:\Program Files\Internet Explorer\iexplore.exe
State: NA

Local Address: KAKA:1029
Remote Address: NA
Type: UDP
Process: C:\WINDOWS\system32\svchost.exe
State: NA

Local Address: KAKA:123
Remote Address: NA
Type: UDP
Process: C:\WINDOWS\system32\svchost.exe
State: NA

Local Address: KAKA:1900
Remote Address: NA
Type: UDP
Process: C:\WINDOWS\system32\svchost.exe
State: NA

Local Address: KAKA:123
Remote Address: NA
Type: UDP
Process: C:\WINDOWS\system32\svchost.exe
State: NA

Local Address: KAKA:4500
Remote Address: NA
Type: UDP
Process: C:\WINDOWS\system32\lsass.exe
State: NA

Local Address: KAKA:1032
Remote Address: NA
Type: UDP
Process: C:\WINDOWS\system32\svchost.exe
State: NA

Local Address: KAKA:1026
Remote Address: NA
Type: UDP
Process: C:\WINDOWS\system32\svchost.exe
State: NA

Local Address: KAKA:500
Remote Address: NA
Type: UDP
Process: C:\WINDOWS\system32\lsass.exe
State: NA

Local Address: KAKA:MICROSOFT-DS
Remote Address: NA
Type: UDP
Process: System
State: NA

********************************************************************************
**********
********************************************************************************
**********
No hidden files/folders found
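To triage a SysProt log like the one above without reading it entry by entry, here is an added Python example (not part of the thread and not SysProt's own code) that parses the log's record layout and flags hidden kernel modules and SSDT hooks not owned by a known security driver. The allowlist and the sample log, including the made-up EXAMPLE_UNKNOWN.sys entry, are assumptions for the example; on the thread's log the same rules produce no findings, since every SSDT and IRP hook and the hidden srescan.sys belong to ZoneAlarm and the hidden dump_*.sys modules are Windows' own crash-dump drivers.

```python
import ntpath
import re
from collections import Counter, defaultdict

# Drivers allowed to hide themselves or hook the SSDT/IRP path on this machine:
# ZoneAlarm's TrueVector (vsdatant.sys) and spyware scanner (srescan.sys) and
# the Kaspersky engine it bundles (klif.sys). Assumed allowlist for the example.
KNOWN_SECURITY_DRIVERS = {"vsdatant.sys", "srescan.sys", "klif.sys"}

# Constructed sample in SysProt's layout: records modelled on the thread's log
# plus one made-up driver (EXAMPLE_UNKNOWN.sys) so the triage has a hit.
SAMPLE_LOG = r"""SysProt AntiRootkit v1.0.1.0
********************************************************************************
Kernel Modules:
Module Name: srescan.sys
Service Name: srescan
Module Base: F721D000
Module End: F7231000
Hidden: Yes

Module Name: \SystemRoot\System32\Drivers\dump_atapi.sys
Service Name: ---
Module Base: EE54B000
Module End: EE563000
Hidden: Yes

Module Name: \SystemRoot\System32\Drivers\EXAMPLE_UNKNOWN.sys
Service Name: ---
Module Base: EC000000
Module End: EC004000
Hidden: Yes

********************************************************************************
SSDT:
Function Name: ZwCreateFile
Address: EE677870
Driver Base: EE648000
Driver End: EE6A8000
Driver Name: \SystemRoot\System32\vsdatant.sys

Function Name: ZwOpenProcess
Address: EC001200
Driver Base: EC000000
Driver End: EC004000
Driver Name: \SystemRoot\System32\Drivers\EXAMPLE_UNKNOWN.sys
"""

SECTION_RE = re.compile(r"^[A-Za-z ]+:$")  # 'Kernel Modules:', 'SSDT:', 'Ports:' ...


def parse_sysprot(text):
    """Split a SysProt log into {section: [record, ...]}; a record is a block of
    'Key: value' lines ended by a blank line or a row of '*'. Lines without a
    colon ('No Kernel Hooks found') are collected under '_notes'."""
    sections = defaultdict(list)
    section, record = "_header", {}

    def flush():
        nonlocal record
        if record:
            sections[section].append(record)
            record = {}

    for raw in text.splitlines():
        line = raw.strip()
        if not line or set(line) == {"*"}:
            flush()
        elif SECTION_RE.match(line):
            flush()
            section = line[:-1]
        elif ":" in line:
            key, value = line.split(":", 1)  # first colon only: values hold paths
            record[key.strip()] = value.strip()
        else:
            sections["_notes"].append(line)
    flush()
    return dict(sections)


def _basename(path):
    return ntpath.basename(path).lower()


def hook_owners(sections):
    """Count SSDT entries per owning driver, e.g. {'vsdatant.sys': 28}."""
    return Counter(_basename(r.get("Driver Name", "")) for r in sections.get("SSDT", []))


def triage(sections, known=KNOWN_SECURITY_DRIVERS):
    """Return (kind, detail) findings not explained by a known security product."""
    findings = []
    for rec in sections.get("Kernel Modules", []):
        name = _basename(rec.get("Module Name", ""))
        # dump_*.sys are Windows' own crash-dump copies of the disk stack and are
        # routinely reported as hidden; they are not a rootkit indicator by themselves.
        if rec.get("Hidden") == "Yes" and not name.startswith("dump_") and name not in known:
            findings.append(("hidden-module", name))
    for rec in sections.get("SSDT", []):
        owner = _basename(rec.get("Driver Name", ""))
        if owner not in known:
            findings.append(("ssdt-hook", f"{rec.get('Function Name')} -> {owner}"))
    for rec in sections.get("IRP Hooks", []):
        owner = _basename(rec.get("Hooking Module", ""))
        if owner not in known:
            findings.append(("irp-hook", f"{rec.get('Hooked IRP')} -> {owner}"))
    return findings
```

Feed the full log text to parse_sysprot and print triage() for a quick list of anything that needs a second look; an empty list is the "Looks good" case.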

Offline guestolo

treatment for "virus.win32.virut.ce"
« Reply #19 on: October 06, 2009, 08:43:18 PM »
Looks good. I'll just wait for the results from the ESET Online Scanner now.
