
[Active] Please help..parasite on my pc

Discussion in 'Spyware, Adware, Viruses and Malware Removal' started by babotzkie, Aug 9, 2009.

  1. babotzkie

    babotzkie Techie7 New Member

    Haha, really? Am I doing well? :)
     
  2. broni

    broni Malware Annihilator Techie7 Moderator Head Security

    You're doing just fine :)
     
  3. babotzkie

    babotzkie Techie7 New Member

    I'm now downloading Dr.Web. Can I ask why my alternative browser can't load? I mean, it doesn't appear unless I wait about 30-40 mins. What should I do?
     
  4. broni

    broni Malware Annihilator Techie7 Moderator Head Security

    First, we have to make sure your computer is 100% clean. Then we'll worry about other issues.
     
  5. babotzkie

    babotzkie Techie7 New Member

    OK, OK, I'm scanning now.
     
  6. babotzkie

    babotzkie Techie7 New Member

    >,< My PC restarted again, and the scan too. The good news is Avast detects the virus now, unlike earlier when I rebooted my PC. :)
     
  7. broni

    broni Malware Annihilator Techie7 Moderator Head Security

    Are you running Dr.Web and Avast scans at the same time, or...?
     
  8. babotzkie

    babotzkie Techie7 New Member

    Nope. I'm only running Dr.Web for the scan, but Avast is running just for protection.
     
  9. broni

    broni Malware Annihilator Techie7 Moderator Head Security

    Ok, ok.
     
  10. babotzkie

    babotzkie Techie7 New Member

    broni, thanks for helping me to cure my PC, I really appreciate it.
     
  11. broni

    broni Malware Annihilator Techie7 Moderator Head Security

    You're very welcome, but we're not out of the woods, yet :)
     
  12. babotzkie

    babotzkie Techie7 New Member

    Yeah, I know. Still scanning. Can't wait for the result, lol. There are still some infections and parasites even though we scanned it so many times. :sweatdrop
     
  13. broni

    broni Malware Annihilator Techie7 Moderator Head Security

    We'll get there :)
     
  14. babotzkie

    babotzkie Techie7 New Member

    xampp-win32-1.7.1-installer.exe\data233;C:\Documents and Settings\babotz\Desktop\xampp-win32-1.7.1-installer.exe;Program.PrcView.3725;;
    xampp-win32-1.7.1-installer.exe;C:\Documents and Settings\babotz\Desktop;Archive contains infected objects;Moved.;
    brown[1].jpg;C:\Documents and Settings\babotz\Local Settings\Temporary Internet Files\Content.IE5\S58DK96H;BackDoor.Poison.767;Deleted.;
    x[1];C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\G9QNKHQ3;BackDoor.IRC.Sdbot.4538;Deleted.;
    x[1];C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\I1ZOYQZU;Trojan.Packed.650;Deleted.;
    x[2];C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\I1ZOYQZU;Win32.Virut.56;Cured.;
    x[2];C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\I1ZOYQZU;Win32.Virut.56;Cured.;
    x[2];C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\I1ZOYQZU;BackDoor.IRC.Sdbot.4538;Deleted.;
    x[3];C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\I1ZOYQZU;Win32.Virut.56;Cured.;
    x[3];C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\I1ZOYQZU;BackDoor.IRC.Sdbot.4538;Deleted.;
    x[1];C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\SH6Z0HMZ;Win32.Virut.30;Cured.;
    x[1];C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\SH6Z0HMZ;Win32.Virut.56;Cured.;
    x[1];C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\SH6Z0HMZ;Trojan.Packed.650;Deleted.;
    A0000008.exe;C:\System Volume Information\_restore{166832B0-51F0-41EA-97E7-42C82450125E}\RP1;BackDoor.Poison.767;Deleted.;
    A0000009.exe;C:\System Volume Information\_restore{166832B0-51F0-41EA-97E7-42C82450125E}\RP1;BackDoor.IRC.Letmein.12;Deleted.;
    A0001018.exe\data233;C:\System Volume Information\_restore{166832B0-51F0-41EA-97E7-42C82450125E}\RP1\A0001018.exe;Program.PrcView.3725;;
    A0001018.exe;C:\System Volume Information\_restore{166832B0-51F0-41EA-97E7-42C82450125E}\RP1;Archive contains infected objects;Moved.;
    02.scr;C:\WINDOWS\system32;BackDoor.IRC.Letmein.12;Deleted.;
    15.scr;C:\WINDOWS\system32;BackDoor.IRC.Letmein.12;Deleted.;
    26.scr;C:\WINDOWS\system32;BackDoor.IRC.Letmein.12;Deleted.;
    57.scr;C:\WINDOWS\system32;BackDoor.IRC.Letmein.12;Deleted.;
    ZrxMgr.exe;C:\WINDOWS\system32\drivers;BackDoor.IRC.Letmein.12;Deleted.;
    pv.exe;C:\xampp\apache\bin;Program.PrcView.3725;Incurable.Moved.;
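
As an added example (not part of the original thread and not Dr.Web's own code), the Python below parses the Dr.Web report format posted above and pulls out what a responder would want to see separately. The sample report embedded in it is a constructed subset of the lines from the post. Entries marked "Cured." are hits on a file infector (Win32.Virut), where the virus body was removed from the file in place and the file itself stayed on disk; entries under System Volume Information\_restore are copies held by System Restore, which would come back if that restore point were ever used; and entries in the NetworkService account's Temporary Internet Files were fetched through WinINet by a process running as NETWORK SERVICE rather than by the user's browser.

```python
"""Parse the Dr.Web report format posted above and summarise what it found.

Added example (not from the thread or from Dr.Web). One record per line:
    <object>;<directory>;<detection>;<action>;
A member of an archive appears as '<archive>\\<member>' with the archive's own
full path in the directory field and an empty action: Dr.Web logs the action
(here 'Moved.') against the archive itself on the following line.
"""
from collections import Counter

# Constructed sample: a subset of the lines from the report above.
SAMPLE_REPORT = r"""
xampp-win32-1.7.1-installer.exe\data233;C:\Documents and Settings\babotz\Desktop\xampp-win32-1.7.1-installer.exe;Program.PrcView.3725;;
xampp-win32-1.7.1-installer.exe;C:\Documents and Settings\babotz\Desktop;Archive contains infected objects;Moved.;
brown[1].jpg;C:\Documents and Settings\babotz\Local Settings\Temporary Internet Files\Content.IE5\S58DK96H;BackDoor.Poison.767;Deleted.;
x[2];C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\I1ZOYQZU;Win32.Virut.56;Cured.;
x[2];C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\I1ZOYQZU;Win32.Virut.56;Cured.;
x[2];C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\I1ZOYQZU;BackDoor.IRC.Sdbot.4538;Deleted.;
A0000008.exe;C:\System Volume Information\_restore{166832B0-51F0-41EA-97E7-42C82450125E}\RP1;BackDoor.Poison.767;Deleted.;
02.scr;C:\WINDOWS\system32;BackDoor.IRC.Letmein.12;Deleted.;
ZrxMgr.exe;C:\WINDOWS\system32\drivers;BackDoor.IRC.Letmein.12;Deleted.;
pv.exe;C:\xampp\apache\bin;Program.PrcView.3725;Incurable.Moved.;
"""


def parse_report(text):
    """Return one dict per record; blank or malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        fields = line.strip().split(";")
        if len(fields) < 4:
            continue
        obj, directory, detection, action = (f.strip() for f in fields[:4])
        records.append({
            "object": obj,
            "dir": directory,
            "detection": detection,
            "action": action.rstrip("."),   # 'Deleted.' -> 'Deleted'
            "in_archive": "\\" in obj,      # e.g. 'archive.exe\data233'
        })
    return records


def summarize(records):
    """Counts plus the three groups a responder looks at separately."""
    by_action = Counter(r["action"] or "(archive member)" for r in records)
    by_family = Counter(r["detection"] for r in records)
    # 'Cured': a file infector was removed from the file in place; the file
    # stayed on disk, so list each one once (the report repeats lines).
    cured = sorted({r["dir"] + "\\" + r["object"]
                    for r in records if r["action"] == "Cured"})
    # Copies held by System Restore; reverting to that restore point would
    # bring the file back, which is why restore points get purged afterwards.
    restore = [r for r in records
               if "\\System Volume Information\\" in r["dir"]]
    # WinINet cache of the NetworkService account: downloaded by a process
    # running as NETWORK SERVICE, not by the user's browser.
    netsvc = [r for r in records if "\\NetworkService\\" in r["dir"]]
    return {
        "by_action": by_action,
        "by_family": by_family,
        "cured_files": cured,
        "in_restore_points": restore,
        "network_service_cache": netsvc,
    }


if __name__ == "__main__":
    summary = summarize(parse_report(SAMPLE_REPORT))
    for key, value in summary.items():
        print(key, value if isinstance(value, Counter) else len(value))
```

Run against the full report from the post, the "cured_files" list is the set of files that were patched rather than removed, and "in_restore_points" is what the user would still be carrying in System Restore after every "Deleted." line has been acted on.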
     
  15. babotzkie

    babotzkie Techie7 New Member

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 10:32:05 AM, on 8/11/2009
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\xampp\apache\bin\httpd.exe
    C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    C:\WINDOWS\BricoPacks\Vista Inspirat 2\RocketDock\RocketDock.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\IObit\Advanced SystemCare 3\AWC.exe
    C:\Program Files\DAEMON Tools Lite\daemon.exe
    C:\xampp\FileZillaFTP\FileZilla server.exe
    C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    C:\xampp\apache\bin\httpd.exe
    c:\xampp\mysql\bin\mysqld.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\Program Files\CyberLink\Shared Files\RichVideo.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
    C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Documents and Settings\babotz\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    C:\Documents and Settings\babotz\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = Welcome to Facebook | Facebook
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = MSN.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Bing
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Bing
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = Yahoo!
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = Yahoo!
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: AskBar BHO - {201f27d4-3704-41d6-89c1-aa35e39143ed} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll
    O3 - Toolbar: DAEMON Tools Toolbar - {32099AAC-C132-4136-9E9A-4E364A424E17} - C:\Program Files\DAEMON Tools Toolbar\DTToolbar.dll
    O3 - Toolbar: (no name) - {FE063DB9-4EC0-403e-8DD8-394C54984B2C} - (no file)
    O3 - Toolbar: (no name) - {381FFDE8-2394-4f90-B10D-FC6124A40F8C} - (no file)
    O3 - Toolbar: Ask Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    O4 - HKLM\..\Run: [Microsoft Driver Setup] C:\WINDOWS\system32\drivers\ZrxMgr.exe
    O4 - HKCU\..\Run: [RocketDock] "C:\WINDOWS\BricoPacks\Vista Inspirat 2\RocketDock\RocketDock.exe"
    O4 - HKCU\..\Run: [Advanced SystemCare 3] "C:\Program Files\IObit\Advanced SystemCare 3\AWC.exe" /startup
    O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
    O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    O4 - HKLM\..\Policies\Explorer\Run: [Microsoft Driver Setup] C:\WINDOWS\system32\drivers\ZrxMgr.exe
    O4 - Startup: RocketDock.lnk = C:\WINDOWS\BricoPacks\Vista Inspirat 2\RocketDock\RocketDock.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {53F6FCCD-9E22-4d71-86EA-6E43136192AB} - (no file)
    O9 - Extra button: (no name) - {925DAB62-F9AC-4221-806A-057BFB1014AA} - (no file)
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O23 - Service: Avira Upgrade Service (AntiVirUpgradeService) - Unknown owner - C:\DOCUME~1\babotz\LOCALS~1\Temp\AVSETUP_49f73b50\basic\avupgsvc.exe (file missing)
    O23 - Service: Apache2.2 - Apache Software Foundation - C:\xampp\apache\bin\httpd.exe
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: FileZilla Server FTP server (FileZilla Server) - FileZilla Project - C:\xampp\FileZillaFTP\FileZilla server.exe
    O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    O23 - Service: BitDefender Desktop Update Service (LIVESRV) - Unknown owner - C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe (file missing)
    O23 - Service: MySQL - Unknown owner - c:\xampp\mysql\bin\mysqld.exe
    O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
    O23 - Service: Nero Registry InCD Service (NeroRegInCDSrv) - Unknown owner - C:\Program Files\Nero\Nero 7\InCD\NBHRegInCDSrv.exe (file missing)
    O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
    O23 - Service: WMI Client Service (WMICLISV) - Unknown owner - C:\WINDOWS\system32\wbem\wmiclisv.exe
    O23 - Service: BitDefender Communicator (XCOMM) - Unknown owner - C:\Program Files\Common Files\BitDefender\BitDefender Communicator\xcommsvr.exe (file missing)
    O23 - Service: Yahoo! Updater (YahooAUService) - Yahoo! Inc. - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe

    --
    End of file - 8477 bytes
     
  16. babotzkie

    babotzkie Techie7 New Member

    win32:virut
    win32:vitro
    win32:tcpz
    win32:Neeris-B

    They are the viruses that always pop up on my AV (Avast).
     
  17. broni

    broni Malware Annihilator Techie7 Moderator Head Security

    Please download JavaRa to your desktop and unzip it to its own folder

    • Run JavaRa.exe, pick the language of your choice and click Select. Then click Remove Older Versions.
    • Accept any prompts.
    • Open JavaRa.exe again and select Search For Updates.
    • Select Update Using Sun Java's Website then click Search and click on the Open Webpage button. Download and install the latest Java Runtime Environment (JRE) version for your computer.


    Note 1: UNCHECK any pre-checked toolbar and/or software offered with the Java update. The pre-checked toolbars/software are not part of the Java update.

    Note 2: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. If you don't want to run another extra service, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click OK and restart your computer.

    ================================================================

    I strongly recommend you update your Internet Explorer to ver. 7 (even if you don't use it).

    ================================================================

    Uninstall AskBarDis, and DAEMON Tools Toolbar through Add\Remove.

    ===============================================================

    Print this post out, since you won't have access to it at some point.

    1. Open HijackThis.

    2. Close all windows, except for HijackThis.

    3. Put checkmarks next to the following HijackThis entries:

    - O2 - BHO: AskBar BHO - {201f27d4-3704-41d6-89c1-aa35e39143ed} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
    - O3 - Toolbar: DAEMON Tools Toolbar - {32099AAC-C132-4136-9E9A-4E364A424E17} - C:\Program Files\DAEMON Tools Toolbar\DTToolbar.dll
    - O3 - Toolbar: (no name) - {FE063DB9-4EC0-403e-8DD8-394C54984B2C} - (no file)
    - O3 - Toolbar: (no name) - {381FFDE8-2394-4f90-B10D-FC6124A40F8C} - (no file)
    - O3 - Toolbar: Ask Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
    - O4 - HKLM\..\Run: [Microsoft Driver Setup] C:\WINDOWS\system32\drivers\ZrxMgr.exe
    - O4 - HKLM\..\Policies\Explorer\Run: [Microsoft Driver Setup] C:\WINDOWS\system32\drivers\ZrxMgr.exe
    - O9 - Extra button: (no name) - {53F6FCCD-9E22-4d71-86EA-6E43136192AB} - (no file)
    - O9 - Extra button: (no name) - {925DAB62-F9AC-4221-806A-057BFB1014AA} - (no file)



    4. You should also checkmark the following entries (these are unnecessary startups; no actual programs will be removed):

    - O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    - O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe (leave this one alone, if you have paid version)
    - O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    (leave this one alone, if you have paid version)


    5. Click on Fix checked button.

    6. Open Windows Explorer. Go Tools>Folder Options>View tab, put a checkmark next to Show hidden files and folders.

    7. Delete the following files/folders (if present):
    Note: If deletion doesn't work, attempt it in Safe Mode: restart the computer and keep tapping the F8 key until the menu appears.

    - ZrxMgr.exe file from C:\WINDOWS\system32\drivers

    8. Go Start>Run (Vista users - "Start search"), type in:
    cmd
    Click OK (Vista users - hold CTRL, and SHIFT keys, press Enter).

    Command Prompt window will open.
    Type in:
    sc stop AntiVirUpgradeService
    Press Enter.
    Wait for the service to be stopped.

    Type in:
    sc delete AntiVirUpgradeService
    Press Enter.
    Wait for confirmation.

    Restart computer.

    Repeat the same set of two commands (sc stop and sc delete), replacing AntiVirUpgradeService with LIVESRV, then with NeroRegInCDSrv, and finally with XCOMM.

    9. Restart computer.

    10. Post new HijackThis log.
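
The fix list above is built by reading the HijackThis log for three kinds of entry: O23 services whose binary is "(file missing)" (orphaned registrations, which the sc stop / sc delete steps remove), O4 Run entries that do not belong (here a plain .exe under system32\drivers, started from both the normal Run key and the Policies\Explorer\Run key), and O3/O9 browser entries marked "(no file)". As an added example (not part of the thread and not HijackThis's own code), the Python below applies those same checks to a log and prints the sc.exe commands for the orphaned services. The sample log is a constructed subset of the lines from the HijackThis log in the thread; the two O4 heuristics (an executable under the drivers directory, and use of the Policies\Explorer\Run key) are my own rules of thumb, and they only flag entries to look at, they do not prove a file is malicious.

```python
"""Pick the removal candidates out of a HijackThis log the way the fix list
above does. Added example, not from the thread or from HijackThis.

Flags three classes of entry:
  * O23 services whose binary HJT reports as "(file missing)": orphaned
    service registrations, removed with sc stop / sc delete;
  * O4 Run entries caught by two heuristics (assumptions, not HJT rules):
    a plain .exe under system32\\drivers, where real drivers are .sys files,
    and anything under the Policies\\Explorer\\Run key, which legitimate
    installers rarely use;
  * O3/O9 browser entries marked "(no file)".
"""
import re

# Constructed sample: lines copied from the HijackThis log in the thread.
SAMPLE_HJT_LOG = r"""
O3 - Toolbar: (no name) - {FE063DB9-4EC0-403e-8DD8-394C54984B2C} - (no file)
O3 - Toolbar: (no name) - {381FFDE8-2394-4f90-B10D-FC6124A40F8C} - (no file)
O3 - Toolbar: Ask Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Microsoft Driver Setup] C:\WINDOWS\system32\drivers\ZrxMgr.exe
O4 - HKCU\..\Run: [RocketDock] "C:\WINDOWS\BricoPacks\Vista Inspirat 2\RocketDock\RocketDock.exe"
O4 - HKLM\..\Policies\Explorer\Run: [Microsoft Driver Setup] C:\WINDOWS\system32\drivers\ZrxMgr.exe
O9 - Extra button: (no name) - {53F6FCCD-9E22-4d71-86EA-6E43136192AB} - (no file)
O9 - Extra button: (no name) - {925DAB62-F9AC-4221-806A-057BFB1014AA} - (no file)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O23 - Service: Avira Upgrade Service (AntiVirUpgradeService) - Unknown owner - C:\DOCUME~1\babotz\LOCALS~1\Temp\AVSETUP_49f73b50\basic\avupgsvc.exe (file missing)
O23 - Service: Apache2.2 - Apache Software Foundation - C:\xampp\apache\bin\httpd.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - Unknown owner - C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe (file missing)
O23 - Service: Nero Registry InCD Service (NeroRegInCDSrv) - Unknown owner - C:\Program Files\Nero\Nero 7\InCD\NBHRegInCDSrv.exe (file missing)
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: BitDefender Communicator (XCOMM) - Unknown owner - C:\Program Files\Common Files\BitDefender\BitDefender Communicator\xcommsvr.exe (file missing)
"""

O23_RE = re.compile(r"^O23 - Service: (?P<desc>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
O4_RE = re.compile(r"^O4 - (?P<key>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
DEAD_RE = re.compile(r"^O[39] - .+ - \(no file\)$")
SHORT_NAME_RE = re.compile(r"\(([^()]*)\)\s*$")


def service_short_name(desc):
    """HJT prints 'Display Name (ShortName)'; sc.exe wants the short name.
    Services with no parenthesised part are listed by their key name alone."""
    m = SHORT_NAME_RE.search(desc)
    return m.group(1) if m else desc


def triage(log_text):
    """Return orphaned services, suspicious Run entries, dead IE entries and
    the sc.exe commands that remove the orphaned services."""
    orphaned, suspicious_run, dead = [], [], []
    for line in log_text.splitlines():
        line = line.strip()
        m = O23_RE.match(line)
        if m:
            if m.group("path").endswith("(file missing)"):
                orphaned.append(service_short_name(m.group("desc")))
            continue
        m = O4_RE.match(line)
        if m:
            key, cmd = m.group("key"), m.group("cmd")
            reasons = []
            if "\\drivers\\" in cmd.lower() and ".exe" in cmd.lower():
                reasons.append("executable under system32\\drivers")
            if "policies\\explorer\\run" in key.lower():
                reasons.append("Policies\\Explorer\\Run persistence key")
            if reasons:
                suspicious_run.append((m.group("name"), cmd, reasons))
            continue
        if DEAD_RE.match(line):
            dead.append(line)
    commands = []
    for name in orphaned:
        commands += [f"sc stop {name}", f"sc delete {name}"]
    return {"orphaned_services": orphaned, "suspicious_run": suspicious_run,
            "dead_ie_entries": dead, "sc_commands": commands}


if __name__ == "__main__":
    result = triage(SAMPLE_HJT_LOG)
    for name, cmd, reasons in result["suspicious_run"]:
        print(f"O4 [{name}] {cmd}  <- {', '.join(reasons)}")
    print("\n".join(result["sc_commands"]))
```

On the sample log the orphaned-service list comes out as AntiVirUpgradeService, LIVESRV, NeroRegInCDSrv and XCOMM, the same four names the post tells the user to feed to sc stop and sc delete, and both ZrxMgr.exe entries are flagged, the Policies\Explorer\Run one on both heuristics.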
     
  18. babotzkie

    babotzkie Techie7 New Member

    broni, bad news. The virus infected my LAN; I can't connect to the internet. The next step I did was to install Vista, so now I have dual OS on my PC. I'm sure the virus is still on my PC. What should we do now?
     
  19. broni

    broni Malware Annihilator Techie7 Moderator Head Security

    What do you mean? What happened?
     
  20. babotzkie

    babotzkie Techie7 New Member

    I installed another OS, I'm using Vista now. I have dual OS right now, because I don't have a LAN driver on my XP mode; the virus disabled my LAN so that I can't use my internet. :no:

    What should I do?