First virus in I don't know how many years :(



Nocturnl
2007-05-11, 22:27
Hey all,

I have read the sticky about what to do before posting. I will post my HijackThis file first, then the online virus scan file after. I am not sure of what virus I have, but it shuts down certain ports within one hour of my computer being on. IE/Firefox will not work, but IRC will work. I understand computers, but have been out of the loop for a little while now, and seek any help you can give me. I also get a sound file that plays every so often, and I can stop the file from playing by stopping the IEXPLORER.exe process in Task Manager. I use Firefox, so I know it's one of the causes. If you need anything else just say; thanks in advance.

-Ted

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 4:24:45 PM, on 19/05/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
G:\WINDOWS\System32\smss.exe
G:\WINDOWS\system32\winlogon.exe
G:\WINDOWS\system32\services.exe
G:\WINDOWS\system32\lsass.exe
G:\WINDOWS\system32\svchost.exe
G:\WINDOWS\System32\svchost.exe
G:\WINDOWS\system32\spoolsv.exe
G:\WINDOWS\system32\nvsvc32.exe
G:\WINDOWS\Explorer.EXE
G:\WINDOWS\system32\wscntfy.exe
G:\Program Files\MSN Messenger\msnmsgr.exe
G:\WINDOWS\System32\svchost.exe
G:\Program Files\Mozilla Firefox\firefox.exe
G:\WINDOWS\system32\wuauclt.exe
G:\Program Files\MSN Messenger\usnsvc.exe
G:\Program Files\Internet Explorer\IEXPLORE.EXE
G:\Documents and Settings\Tedlyn\Desktop\HiJackThis_v2.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - G:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - G:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - G:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE G:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [msnmsgr] "G:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] G:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] G:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] G:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] G:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: ASUS WiFi-AP Solo.lnk.disabled
O8 - Extra context menu item: E&xport to Microsoft Excel - res://G:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - G:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - G:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - G:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - G:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - G:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - G:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - G:\WINDOWS\system32\browseui.dll
O23 - Service: iPod Service - Apple Inc. - G:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - G:\WINDOWS\system32\nvsvc32.exe

--
End of file - 3537 bytes


Online CA Virus Scanner

It didn't send the file to my email, so I just copied and pasted what it found ... *sigh* ... more than one virus

File Infection Status Path
cnte_oiduuyes[1].gif Win32/Cavitate!generic G:\Documents and Settings\Tedlyn\Local Settings\Temporary Internet Files\Content.IE5\XDLZ764A\
gwkwraaa.exe Win32/Brospy.EY G:\WINDOWS\system32\
ipv6mote.dll Win32/Brospy.EY G:\WINDOWS\system32\
main.sys Win32/Cutwail!generic G:\WINDOWS\system32\
wsys.dll Win32/Cutwail!generic G:\WINDOWS\system32\


Another note: I do not have any firewall/anti-virus programs installed ... I was planning to use Kerio Personal Firewall after this is hopefully fixed. Is Kerio a program you guys would recommend?
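A small triage script, added here and not part of the thread or of either tool, that parses the two logs posted above (a constructed excerpt of each is embedded as sample input) and cross-references the CA scanner hits with every file HijackThis lists; for this data none of the five flagged files appear anywhere in the HijackThis listing, so the HJT log alone would not have revealed them.

```python
import re
from collections import defaultdict

# Constructed excerpts of the two logs posted in the thread (a few lines each, not the full logs).
HJT_LOG = r"""Running processes:
G:\WINDOWS\system32\nvsvc32.exe
G:\Program Files\Internet Explorer\IEXPLORE.EXE

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE G:\WINDOWS\system32\NvCpl.dll,NvStartup
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - G:\WINDOWS\system32\nvsvc32.exe
"""
CA_SCAN = r"""cnte_oiduuyes[1].gif Win32/Cavitate!generic G:\Documents and Settings\Tedlyn\Local Settings\Temporary Internet Files\Content.IE5\XDLZ764A\
gwkwraaa.exe Win32/Brospy.EY G:\WINDOWS\system32\
ipv6mote.dll Win32/Brospy.EY G:\WINDOWS\system32\
main.sys Win32/Cutwail!generic G:\WINDOWS\system32\
wsys.dll Win32/Cutwail!generic G:\WINDOWS\system32\
"""

# A drive-letter path up to the first binary extension; paths may contain spaces
# ("Program Files") and may be followed by ",Export" or " (User 'SYSTEM')" in HJT lines.
WIN_PATH = re.compile(r"[A-Za-z]:\\[^\n]*?\.(?:exe|dll|ocx|sys|lnk)\b", re.IGNORECASE)

def parse_ca_scan(text):
    """Each CA line is '<file> <detection> <directory>'; the directory itself may
    contain spaces, so split at most twice from the left."""
    rows = []
    for line in text.splitlines():
        parts = line.split(None, 2)
        if len(parts) == 3:
            rows.append({"file": parts[0], "detection": parts[1], "dir": parts[2]})
    return rows

def hjt_file_names(text):
    """Lower-cased basenames of every drive-letter path HijackThis lists (processes, O2, O4, O23 ...)."""
    return {m.group(0).rsplit("\\", 1)[-1].lower() for m in WIN_PATH.finditer(text)}

def triage(ca_text, hjt_text):
    """Group CA detections by family and check which flagged files HijackThis shows at all."""
    seen = hjt_file_names(hjt_text)
    by_family, visible, hidden = defaultdict(list), [], []
    for row in parse_ca_scan(ca_text):
        by_family[row["detection"]].append(row["file"])
        (visible if row["file"].lower() in seen else hidden).append(row["file"])
    return {"by_family": dict(by_family), "visible_in_hjt": visible, "not_in_hjt": hidden}

if __name__ == "__main__":
    print(triage(CA_SCAN, HJT_LOG))
```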

pskelley
2007-05-13, 15:43
Welcome to the forum, you said this:

I have read the sticky about what to do before posting
"BEFORE you POST" Mandatory Steps Before Requesting Assistance
http://forums.spybot.info/showthread.php?t=288
All advice given is taken at your own risk.
Since you missed this information, I suggest you read that important information again:

At the present time, do NOT run Trend Micro HijackThis v2.0.0 (BETA) to produce a log for this forum, unless specifically requested, or you have a Vista Operating System.

From the information you posted, I can show you this:
http://research.sunbelt-software.com/threatdisplay.aspx?name=Infostealer.Bzup&threatid=49551

Trojan is a general term for malicious software that is installed under false or deceptive pretenses or is installed without the user's full knowledge and consent. Most Trojans exhibit some form of malicious, hostile, or harmful functionality or behavior.
http://www.google.com/search?hl=en&q=ipv6mote.dll+&btnG=Search

main.sys
http://www.geocities.jp/kiskzo/main.sys.html
http://www.ca.com/us/securityadvisor/virusinfo/virus.aspx?id=62470
Win32/Cutwail is a trojan with rootkit functionality that modifies the system's winlogon.exe file. It may be used to download and execute arbitrary files, either by saving them to disk, or by injecting them into other processes. At the time of publication these files were used to send bulk e-mail, and to update Cutwail to the latest variant.

wsys.dll
http://www.google.com/search?hl=en&q=wsys.dll+&btnG=Search

As you can see your system has been seriously compromised, I believe you should have this information for your safety and security:
You're infected; one or more of the identified infections steal information. If this system is used for online banking or has credit card information on it, all passwords should be changed immediately by using a different computer (not the infected one!) to make the changes. Banking and credit card institutions, if any, should be notified of the possible security breach. I suggest that you read this article too.
How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?
http://www.dslreports.com/faq/10451
When Should I Format, How Should I Reinstall
http://www.dslreports.com/faq/10063


Another note: I do not have any firewall/anti-virus programs installed ... I was planning to use Kerio Personal Firewall after this is hopefully fixed. Is Kerio a program you guys would recommend?
I would get something in place unless you are planning a reformat; in that case I would have the programs ready to put on the computer before taking it online after the reformat. It takes seconds to get infected without that protection.

Thanks

tashi
2007-05-18, 07:07
This topic has been archived.

If you need it re-opened and will be posting the information requested, please send me a private message (pm) and provide a link to the thread. Applies only to the original poster, anyone else with similar problems please start a new topic.