It just started spreading

  1. 21-04-2009  #1
    b000ya
    b000ya is offline Newbie

    It just started spreading

    Greetings,

    This problem started 3 days ago , a program was installed and then the pc started acting weird.The problems are alot , I've attached the eset log file.I ran Malwarebytes and Superantispyware.They would catch files , but then it would re-appear again after I restart the pc mostly , BN2.tmp , VRT4.tmp , and alot of other Virtumonde.NEO applications.Also I saw at the proccess box that REGSVR32.exe was running alot of times , then after I used Combofix , it went back to normal but somehow the virus , still exists.Now I'm saying iexplore.exe whenever I plug in the internet cable even though im not using internet explorer , so Im guessing that the iexplore.exe is a malware of a spyware.Below are my Hijackthis results.

    F.Y.I : I ran all kinds of tests , Spybot search & destroy , Malwareantibytes , NOD32 , Superantispyware, Combo fix.

    An Update: I was trying to Uninstall K-Lite Codec Pack and the REGSVR32 started to appear again in the process window like 15 of them , even more.

    Update Part 2 : I uninstalled NOD32 and installed AVG free edition , and it seems to be marking everything as infected , from firefox to malwarebytes.


    Logfile of HijackThis v1.99.1
    Scan saved at 9:15:05 AM, on 4/21/2009
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\Program Files\USB Safely Remove\USBSRService.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\Program Files\Unlocker\UnlockerAssistant.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
    C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\TuneUp Utilities 2008\MemOptimizer.exe
    C:\Program Files\USB Safely Remove\USBSafelyRemove.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Google\Update\GoogleUpdate.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe
    C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
    C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\CDBurnerXP\NMSAccessU.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\wdfmgr.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\alg.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\taskmgr.exe
    C:\HJT\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = MSN.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Live Search
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Live Search
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Int ernet Settings,ProxyOverride = 127.0.0.1
    local
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
    O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
    O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
    O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [TuneUp MemOptimizer] "C:\Program Files\TuneUp Utilities 2008\MemOptimizer.exe" autostart
    O4 - HKCU\..\Run: [USB Safely Remove] C:\Program Files\USB Safely Remove\USBSafelyRemove.exe /startup
    O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    O8 - Extra context menu item: Add to AMV Converter... - C:\Program Files\MP3 Player Utilities 4.05\AMVConverter\grab.html
    O8 - Extra context menu item: Download all links with IDM - C:\Program Files\Internet Download Manager\IEGetAll.htm
    O8 - Extra context menu item: Download FLV video content with IDM - C:\Program Files\Internet Download Manager\IEGetVL.htm
    O8 - Extra context menu item: Download with IDM - C:\Program Files\Internet Download Manager\IEExt.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: MediaManager tool grab multimedia file - C:\Program Files\MP3 Player Utilities 4.05\MediaManager\grab.html
    O9 - Extra button: (no name) - {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - C:\Program Files\Google\Google Gears\Internet Explorer\0.5.4.2\gears.dll
    O9 - Extra 'Tools' menuitem: &Gears Settings - {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - C:\Program Files\Google\Google Gears\Internet Explorer\0.5.4.2\gears.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O17 - HKLM\System\CCS\Services\Tcpip\..\{8AC2FAA3-9782-4E49-A289-0101D2AE3701}: NameServer = 193.219.146.2,193.219.146.19
    O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WINDOW~4\MESSEN~1\MSGRAP~1.DLL
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WINDOW~4\MESSEN~1\MSGRAP~1.DLL
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O23 - Service: Capture Device Service - InterVideo Inc. - C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe
    O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
    O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
    O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
    O23 - Service: NMSAccessU - Unknown owner - C:\Program Files\CDBurnerXP\NMSAccessU.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: O&O DiskImage - Unknown owner - C:\Program Files\OO Software\DiskImage\oodiag.exe
    O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
    O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
    O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software GmbH - C:\WINDOWS\System32\TuneUpDefragService.exe
    O23 - Service: USB Safely Remove Assistant (USBSafelyRemoveService) - Unknown owner - C:\Program Files\USB Safely Remove\USBSRService.exe

    7-Zip 4.65
    AAA PDF Password Remover V2.0
    Acrobat.com
    Adobe Acrobat 4.0
    Adobe AIR
    Adobe AIR
    Adobe Flash Player 10 ActiveX
    Adobe Flash Player 10 Plugin
    Adobe Reader 9
    Adobe Shockwave Player 11.5
    Alkonas v1.0
    Audacity 1.3.5 (Unicode)
    Autorun Virus Remover 2.3
    BluetoothRemoteControl
    CCleaner (remove only)
    CDBurnerXP
    CircleSurround II Plugin for Windows Media Player
    Convert DOC to PDF For Word 3.50
    Creative WebCam Center
    Creative WebCam NX Ultra Driver (1.01.03.0112)
    Driver Genius Professional Edition
    Dziobas Rar Player 0.009.37
    ESET NOD32 Antivirus
    getPlus(R)_ocx
    GMail Drive Shell Extension
    Google Earth Pro
    Google Gears
    Google Maps Downloader 4.80
    Google Talk (remove only)
    Google Update Helper
    HijackThis 1.99.1
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Windows XP (KB942288-v3)
    Internet Download Manager
    InterVideo DeviceService
    K-Lite Codec Pack 4.7.5 (Full)
    Learning Essentials for Microsoft Office
    LG PC Suite
    LG USB Modem driver
    Magic ISO Maker v5.5 (build 0272)
    Malwarebytes' Anti-Malware
    Messenger Plus! Live
    Microsoft .NET Framework 2.0 Service Pack 2
    Microsoft .NET Framework 3.0 Service Pack 2
    Microsoft .NET Framework 3.5 SP1
    Microsoft .NET Framework 3.5 SP1
    Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
    Microsoft Kernel-Mode Driver Framework Feature Pack 1.7
    Microsoft Math
    Microsoft Office Professional Edition 2003
    Microsoft SQL Server 2008 Management Objects
    Microsoft SQL Server Compact 3.5 SP1 English
    Microsoft SQL Server Database Publishing Wizard 1.3
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729
    mobile PhoneTools
    Mozilla Firefox (3.0.8)
    MP3 Player Utilities 4.05
    MPlayer
    MSVC80_x86
    MSXML 6.0 Parser
    Nero 6 Ultra Edition
    NetTools 4.5
    Nokia Connectivity Cable Driver
    Nokia Multimedia Player
    Nokia PC Suite
    Nokia PC Suite
    NVIDIA Drivers
    O&O DiskImage Professional
    PC Connectivity Solution
    PDF Password Remover v2.1
    Post-it® Software Notes Lite
    QuickTime
    RayV
    Real Alternative 1.8.0
    REALTEK GbE & FE Ethernet PCI NIC Driver
    Security Task Manager 1.7e
    Skype™ 3.8
    SmartSound Quicktracks Plugin
    Spybot - Search & Destroy
    SQL Server System CLR Types
    Super Internet TV v7.4
    SUPERAntiSpyware Free Edition
    System Requirements Lab
    TBS WMP Plug-in
    Trillian
    TuneUp Utilities 2008
    TVAnts 1.0
    Unlocker 1.8.7
    USB Safely Remove 4.0
    VC 9.0 Runtime
    VeryPDF PDF Editor v2.2
    VeryPDF PDF2Word v3.0
    VIA Platform Device Manager
    Video Edit Magic 4.2
    VLC media player 0.9.8a
    VoipDiscount
    webcamXP 2007
    Windows Driver Package - Nokia Modem (03/05/2008 3.7)
    Windows Driver Package - Nokia Modem (03/13/2008 6.86.0.1)
    Windows Driver Package - Nokia Modem (05/22/2008 3.8)
    Windows Driver Package - Nokia Modem (05/22/2008 7.00.0.1)
    Windows Driver Package - Nokia pccsmcfd (10/12/2007 6.85.4.0)
    Windows Imaging Component
    Windows Installer 3.1 (KB893803)
    Windows Live installer
    Windows Live Messenger
    Windows Media Encoder 9 Series
    Windows Media Encoder 9 Series
    Windows Media Format Runtime
    Windows Media Player 10
    Windows Media Player Firefox Plugin
    WinRAR archiver
    WM Recorder 12.0
    XML Notepad 2007
    Last edited by b000ya; 21-04-2009 at 08:23 AM. Reason: Update 2

  3. 23-04-2009  #2
    broni
    broni is offline Senior Member
    Save 20% on AVG Internet Security 2012 Suite!
    First of all, your HJT version is outdated, so use the link below to run current HJT version.
    Secondly, if any scan has been run, we need to see logs.
    Thirdly, never run Combofix, unless you're really familiar with what you're doing.

    Said that.....

    Print these instructions out.

    NOTE. If any of the programs listed below refuse to run, try renaming executive file to something else; for instance, rename hijackthis.exe to scanner.exe

    STEP 1. Download Malwarebytes' Anti-Malware: Malwarebytes.org to your desktop.
    (Malwarebytes is free to use as a manual scanner. Payment is only required if you wish to have it run and update automatically which is not necessary for our purposes)

    * Double-click mbam-setup.exe and follow the prompts to install the program.
    * At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
    * If an update is found, it will download and install the latest version.
    * Once the program has loaded, select Perform full scan, then click Scan.
    * When the scan is complete, click OK, then Show Results to view the results.
    * Be sure that everything is checked, and click Remove Selected.
    * When completed, a log will open in Notepad.
    * Post the log back here.

    The log can also be found here:
    C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
    Or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt

    RESTART COMPUTER!

    STEP 2. Download GMER: GMER - Rootkit Detector and Remover - Files, by clicking on Download EXE button.
    Alternative downloads:
    - |MG| GMER 1.0.15.14966
    - http://www.softpedia.com/get/Interne...ers/GMER.shtml
    Double click on downloaded .exe file, select Rootkit tab and click the Scan button.
    When scan is completed, click Save button, and save the results as gmer.log
    Warning ! Please, do not select the "Show all" checkbox during the scan.
    Post the log to your next reply.

    RESTART COMPUTER

    STEP 3. Download, install, and run HijackThis:
    TrendMicro HijackThis Freeware download and review - investigate browser add-ons from SnapFiles
    Post HijackThis log.
    Do NOT attempt to "fix" anything!


    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
+ Reply to Thread
« Quicky - AVG 8 | hijack this log »