
Spybot S&D is closing automatically



ChrisLey
2010-07-17, 06:27
Okay,
First, I know some things about computers, but I'm definitely no expert, so I need your help.

Yesterday I downloaded a hack for a game (yeah, I know that was stupid); it was an .exe.
I tried to run it, but nothing happened.
I kept my eye on the anti-virus to see if it detected something; it didn't.
I eliminated the hack. A few minutes later, my anti-virus (ESET NOD32 Anti-Virus Business Edition) detected 4 viruses on my computer, which it automatically moved to quarantine.
Next I started suffering from a lag spike of 2 seconds every 6 seconds, which I hadn't experienced before.
I did a full system check and it detected 2 more viruses, which it automatically moved to quarantine. I still suffered the lag spike, so I decided to download Spybot S&D, immunize, and do a system check. It detected Win32.Spynet.a and then closed itself. I opened Spybot again, and it detected it and closed itself again.

I don't know what's happening, but I want to remove it.

Help Please

*A few notes
-The lag spike is completely gone
-I got a TeaTimer blacklist detection of Winlogon.exe; I told it to kill it
-When I start my computer I get a bunch of Google Chrome errors for some reason
-When I turn off my computer I get a Winlogon.exe error



DDS (Ver_10-03-17.01) - NTFSx86
Run by User at 23:21:43,85 on 16/07/2010
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Professional 5.1.2600.2.1252.34.3082.18.1983.1400 [GMT -5:00]

AV: ESET NOD32 Antivirus 4.0 *On-access scanning enabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Archivos de programa\Archivos comunes\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Archivos de programa\Bonjour\mDNSResponder.exe
C:\Archivos de programa\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Archivos de programa\ESET\ESET NOD32 Antivirus\egui.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Archivos de programa\iTunes\iTunesHelper.exe
C:\WINDOWS\ZSSnp211.exe
C:\WINDOWS\Domino.exe
C:\Archivos de programa\PowerISO\PWRISOVM.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Archivos de programa\KWorld Multimedia\HyperMediaCenter\DTVR\Scheduled.exe
C:\archivos de programa\steam\steam.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Archivos de programa\KWorld Multimedia\TV Tuner Card Utilities\HMCP3XCtl.exe
C:\WINDOWS\BricoPacks\Vista Inspirat 2\RocketDock\RocketDock.exe
C:\Archivos de programa\iPod\bin\iPodService.exe
C:\Documents and Settings\User\Configuración local\Datos de programa\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\User\Configuración local\Datos de programa\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\User\Configuración local\Datos de programa\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\User\Configuración local\Datos de programa\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\User\Escritorio\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.hotmail.com/
uWindow Title = Windows Internet Explorer proporcionado por Windows uE
uDefault_Page_URL = hxxp://www.busca7.com
mDefault_Page_URL = hxxp://www.busca7.com
mStart Page = hxxp://www.busca7.com
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\archivos de programa\archivos comunes\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\archiv~1\spybot~1\SDHelper.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\archiv~1\micros~4\office12\GRA8E1~1.DLL
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\archivos de programa\java\jre1.6.0_01\bin\ssv.dll
BHO: Windows Live Aplicación auxiliar de inicio de sesión: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\archivos de programa\archivos comunes\microsoft shared\windows live\WindowsLiveLogin.dll
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
uRun: [Google Update] "c:\documents and settings\user\configuración local\datos de programa\google\update\GoogleUpdate.exe" /c
uRun: [Center Agent] c:\archivos de programa\kworld multimedia\hypermediacenter\dtvr\Scheduled.exe
uRun: [dso32] c:\docume~1\user\config~1\temp\dsoqq.exe
uRun: [Steam] "c:\archivos de programa\steam\steam.exe" -silent
uRun: [HKCU] c:\windows\system32\winlog\Winlogon.exe
mRun: [egui] "c:\archivos de programa\eset\eset nod32 antivirus\egui.exe" /hide /waitservice
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [QuickTime Task] "c:\archivos de programa\quicktime alternative\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\archivos de programa\itunes\iTunesHelper.exe"
mRun: [Adobe Reader Speed Launcher] "c:\archivos de programa\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\archivos de programa\archivos comunes\adobe\arm\1.0\AdobeARM.exe"
mRun: [ZSSnp211] c:\windows\ZSSnp211.exe
mRun: [Domino] c:\windows\Domino.exe
mRun: [PWRISOVM.EXE] c:\archivos de programa\poweriso\PWRISOVM.EXE
mRun: [HKLM] c:\windows\system32\winlog\Winlogon.exe
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
uExplorerRun: [Policies] c:\windows\system32\winlog\Winlogon.exe
mExplorerRun: [Policies] c:\windows\system32\winlog\Winlogon.exe
StartupFolder: c:\docume~1\user\menini~1\progra~1\inicio\erunta~1.lnk - c:\archivos de programa\erunt\AUTOBACK.EXE
StartupFolder: c:\docume~1\user\menini~1\progra~1\inicio\rocket~1.lnk - c:\windows\bricopacks\vista inspirat 2\rocketdock\RocketDock.exe
StartupFolder: c:\docume~1\alluse~1\menini~1\progra~1\inicio\actual~1.lnk - c:\archivos de programa\eset\minodlogin\MiNODLogin.exe
StartupFolder: c:\docume~1\alluse~1\menini~1\progra~1\inicio\remote~1.lnk - c:\archivos de programa\kworld multimedia\tv tuner card utilities\HMCP3XCtl.exe
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xportar a Microsoft Excel - c:\archiv~1\micros~4\office12\EXCEL.EXE/3000
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\archivos de programa\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\archiv~1\micros~4\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\archiv~1\micros~4\office12\REFIEBAR.DLL
IE: {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - {552781AF-37E4-4FEE-920A-CED9E648EADD} - c:\archivos de programa\archivos comunes\microsoft shared\encarta search bar\ENCSBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\archiv~1\spybot~1\SDHelper.dll
DPF: {140E4DF8-9E14-4A34-9577-C77561ED7883} - hxxp://content.systemrequirementslab.com.s3.amazonaws.com/global/bin/srldetect_cyri_4.1.71.0.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\archiv~1\micros~4\office12\GR99D3~1.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\archiv~1\micros~4\office12\GRA8E1~1.DLL
mASetup: {XQ881J2H-07YA-WRBN-4P25-XN85W68VYEVT} - c:\windows\system32\winlog\Winlogon.exe
Hosts: 127.0.0.1 www.spywareinfo.com

================= FIREFOX ===================

FF - ProfilePath -

============= SERVICES / DRIVERS ===============

R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [2009-3-19 107256]
R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [2009-3-19 93848]
R2 ekrn;ESET Service;c:\archivos de programa\eset\eset nod32 antivirus\ekrn.exe [2009-3-19 731840]
R3 3xHybrid;3xHybrid service;c:\windows\system32\drivers\3xHybrid.sys [2010-6-10 674048]
R3 vvftav211;vvftav211;c:\windows\system32\drivers\vvftav211.sys [2010-6-15 480128]
R3 ZSMC30x;USB PC Camera Service ZSMC30x;c:\windows\system32\drivers\ZS211.sys [2010-6-15 1472000]

=============== Created Last 30 ================

2010-07-15 22:38:14 0 d-----w- c:\archivos de programa\Safer Networking
2010-07-15 22:05:21 0 d-----w- c:\docume~1\alluse~1\datosd~1\Spybot - Search & Destroy
2010-07-15 22:05:21 0 d-----w- c:\archivos de programa\Spybot - Search & Destroy
2010-07-15 21:55:47 117760 --sh--r- C:\biriprg.exe
2010-07-14 23:09:09 333288 ----a-w- c:\docume~1\user\datosd~1\SQLite3.dll
2010-07-13 15:08:45 116224 --sh--r- C:\i8gcgmg.exe
2010-07-12 17:50:14 116736 --sh--r- C:\r3x0k.exe
2010-07-10 03:32:51 0 d-----w- c:\docume~1\user\datosd~1\BitTorrent
2010-07-10 03:32:47 0 d-----w- c:\archivos de programa\BitTorrent
2010-07-09 14:17:10 116224 --sh--r- C:\ggb6w.exe
2010-07-06 15:16:11 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-07-06 15:09:51 117248 --sh--r- C:\x3xh.exe
2010-07-03 17:34:49 0 d-----w- c:\archivos de programa\PowerISO
2010-07-03 17:24:01 0 d-----w- c:\archivos de programa\Tansee iPod Transfer
2010-07-03 13:25:57 117248 --sh--r- C:\g6jk.exe
2010-07-03 03:41:10 0 d-----w- c:\archivos de programa\SystemRequirementsLab
2010-07-03 03:14:28 0 d-----w- c:\archivos de programa\Steam
2010-06-24 21:44:04 0 d-----w- c:\archivos de programa\Bandoo
2010-06-23 16:13:41 117248 --sh--r- C:\eyruu.exe
2010-06-19 21:33:48 0 d-----w- c:\docume~1\alluse~1\datosd~1\WinMaximizer
2010-06-18 15:19:05 117248 --sh--r- C:\09lf.exe
2010-06-18 03:47:40 3417 ----a-w- c:\windows\system32\wbem\Outlook_01cb0e990050f2a2.mof
2010-06-17 20:50:49 115712 --sh--r- C:\1gkbvsni.exe

==================== Find3M ====================

2010-07-17 04:21:22 701793 ---ha-w- c:\docume~1\user\datosd~1\logs.dat
2010-06-18 03:47:40 77520 ----a-w- c:\windows\system32\perfc00A.dat
2010-06-18 03:47:40 456588 ----a-w- c:\windows\system32\perfh00A.dat
2010-06-16 20:24:11 116224 --sh--r- C:\xcr.exe
2010-06-16 01:52:32 114688 --sh--r- C:\krwyrv0d.exe
2010-06-10 18:33:07 315392 ----a-w- c:\windows\HideWin.exe
2010-06-10 13:36:12 64695 ----a-w- c:\windows\BricoPackUninst.cmd
2010-06-10 13:36:12 5997 ----a-w- c:\windows\BricoPackFoldersDelete.cmd
2010-06-10 13:36:12 220160 ----a-w- c:\windows\system32\uxtheme.dll
2010-06-10 04:12:40 505128 ----a-w- c:\windows\system32\msvcp71.dll
2010-06-10 04:12:40 353576 ----a-w- c:\windows\system32\msvcr71.dll
2010-06-10 04:12:40 29480 ----a-w- c:\windows\system32\msxml3a.dll
2010-06-10 03:45:07 21900 ----a-w- c:\windows\system32\emptyregdb.dat
2010-06-03 02:41:44 3600384 ----a-w- c:\windows\system32\GPhotos.scr
2005-09-20 12:44:14 354429 --sh--r- c:\windows\system32\winlog\Winlogon.exe

============= FINISH: 23:22:06,35 ===============


UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_10-03-17.01)

Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 09/06/2010 10:50:00 p.m.
System Uptime: 16/07/2010 11:16:02 p.m. (0 hours ago)

Motherboard: MSI | | MS-7309
Processor: AMD Athlon(tm) 64 X2 Dual Core Processor 5200+ | CPU 1 | 2712/200mhz
Processor: AMD Athlon(tm) 64 X2 Dual Core Processor 5200+ | CPU 1 | 2712/200mhz

==== Disk Partitions =========================

A: is Removable
C: is FIXED (NTFS) - 68 GiB total, 37,885 GiB free.
D: is FIXED (NTFS) - 165 GiB total, 162,026 GiB free.
E: is CDROM ()
F: is Removable
G: is Removable
H: is Removable
I: is Removable
J: is CDROM ()

==== Disabled Device Manager Items =============

==== System Restore Points ===================

RP43: 11/07/2010 12:39:43 p.m. - System checkpoint
RP44: 11/07/2010 12:57:46 p.m. - System checkpoint
RP45: 12/07/2010 07:58:33 p.m. - System checkpoint
RP46: 14/07/2010 12:00:52 p.m. - System checkpoint
RP47: 15/07/2010 04:20:15 p.m. - System checkpoint
RP48: 16/07/2010 08:07:53 p.m. - System checkpoint

==== Installed Programs ======================

Actualización para Windows XP (KB898461)
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 9.3.3 - Español
AMD Processor Driver
Apple Application Support
Apple Mobile Device Support
Apple Software Update
Ares 3.1.5.3033
Audiosurf
BitTorrent
Bonjour
Chinese (Simplified) Language Support
Chinese (Traditional) Language Support
Compresor WinRAR
Counter-Strike: Condition Zero
Counter-Strike: Source
CyberLink PowerDVD 9
Dream Aquarium
ERUNT 1.1j
ESET Antivirus License Finder (MiNODLogin)
ESET NOD32 Antivirus
GameHouse Super Games AIO®
Garry's Mod
Google Chrome
Herramienta de carga de Windows Live
High Definition Audio Driver Package - KB888111
Hotfix for Windows XP (KB915865)
Hotfix for Windows XP (KB926239)
HyperMediaCenter
iTunes
Java(TM) SE Runtime Environment 6 Update 1
K-Lite Codec Pack 3.01 Full
Korean Language Support
KWorld TV Tuner Card Utilities
KWorld TV713X BDA Driver
L&H Power Translator Pro 7.0
Matemáticas de Microsoft
Microsoft .NET Framework 2.0
Microsoft .NET Framework 2.0 Language Pack - ESN
Microsoft Age of Empires II
Microsoft Application Error Reporting
Microsoft Choice Guard
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Global IME for Chinese (Simplified)
Microsoft Global IME for Chinese (Traditional)
Microsoft Global IME for Chinese (Traditional) ChangJie
Microsoft Global IME for Korean
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office Access MUI (Spanish) 2007
Microsoft Office Enterprise 2007
Microsoft Office Excel MUI (Spanish) 2007
Microsoft Office Groove MUI (Spanish) 2007
Microsoft Office InfoPath MUI (Spanish) 2007
Microsoft Office OneNote MUI (Spanish) 2007
Microsoft Office Outlook MUI (Spanish) 2007
Microsoft Office PowerPoint MUI (Spanish) 2007
Microsoft Office Proof (Basque) 2007
Microsoft Office Proof (Catalan) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Galician) 2007
Microsoft Office Proof (Portuguese (Brazil)) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (Spanish) 2007
Microsoft Office Publisher MUI (Spanish) 2007
Microsoft Office Shared MUI (Spanish) 2007
Microsoft Office Word MUI (Spanish) 2007
Microsoft Silverlight
Microsoft Software Update for Web Folders (Spanish) 12
Microsoft Student con Encarta Premium 2009
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
Mozilla Firefox (2.0.0.3)
MSVCRT
MSXML 6.0 Parser
Need for Speed™ Most Wanted
Nero 7.10.1.0
NVIDIA Drivers
Pack Vista Inspirat 2 1.0
Paquete de idioma de Microsoft .NET Framework 2.0 - ESN
Picasa 3
PopCap Deluxe Games
PowerISO
QuickTime
QuickTime Alternative 1.80
Realtek High Definition Audio Driver
Reproductor de Windows Media 11
RunAlyzer
Segoe UI
Shockwave Player
Spybot - Search & Destroy
Steam
Synergy
System Requirements Lab
Tansee iPod Transfer v3.8
VideoLAN VLC media player 0.8.6d
WebFldrs XP
Winamp (remove only)
Windows Feature Pack for Storage (32-bit) - IMAPI update for Blu-Ray
Windows Genuine Advantage Validation Tool (KB892130)
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 7
Windows Live Asistente para el inicio de sesión
Windows Live Call
Windows Live Communications Platform
Windows Live Essentials
Windows Live Messenger
Windows Media Format 11 runtime
Windows Media Player 11
ZSMC USB PC Camera (ZS0211)

==== Event Viewer Messages From Past Week ========

11/07/2010 12:39:15 p.m., error: sr [1] - The System Restore filter encountered the unexpected error "0xC0000043" while processing the file "ggb6w.exe" on volume "HarddiskVolume2". Monitoring of the volume has been stopped.

==== End Of File ===========================
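Editor's note. The log above contains the persistence pattern a helper would normally pull out by hand: the same file, c:\windows\system32\winlog\Winlogon.exe, registered under HKCU Run, HKLM Run, both Policies\Explorer\Run keys and an Active Setup entry whose component id is not even a well-formed GUID; a Run entry launching from the user's temp folder; a hosts-file line sending a security site to loopback; and a series of system+hidden+read-only executables with random names dropped in the root of C:. The following Python script is an added example, not part of the original thread and not the DDS tool's own code: it applies those heuristics to a handful of lines copied verbatim from the posted log. The heuristics and the table of core Windows binaries with their expected directories (32-bit Windows XP) are this editor's assumptions, not anything DDS itself reports.

```python
import re
from collections import Counter

# Constructed sample: a subset of lines copied verbatim from the DDS log posted above.
SAMPLE_LOG = r"""
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
uRun: [dso32] c:\docume~1\user\config~1\temp\dsoqq.exe
uRun: [Steam] "c:\archivos de programa\steam\steam.exe" -silent
uRun: [HKCU] c:\windows\system32\winlog\Winlogon.exe
mRun: [egui] "c:\archivos de programa\eset\eset nod32 antivirus\egui.exe" /hide /waitservice
mRun: [HKLM] c:\windows\system32\winlog\Winlogon.exe
uExplorerRun: [Policies] c:\windows\system32\winlog\Winlogon.exe
mExplorerRun: [Policies] c:\windows\system32\winlog\Winlogon.exe
mASetup: {XQ881J2H-07YA-WRBN-4P25-XN85W68VYEVT} - c:\windows\system32\winlog\Winlogon.exe
Hosts: 127.0.0.1 www.spywareinfo.com
2010-07-15 21:55:47 117760 --sh--r- C:\biriprg.exe
2010-07-14 23:09:09 333288 ----a-w- c:\docume~1\user\datosd~1\SQLite3.dll
2010-07-13 15:08:45 116224 --sh--r- C:\i8gcgmg.exe
2010-06-10 18:33:07 315392 ----a-w- c:\windows\HideWin.exe
2005-09-20 12:44:14 354429 --sh--r- c:\windows\system32\winlog\Winlogon.exe
""".strip()

# DDS "Pseudo HJT Report" autorun lines: u/m/d prefix = HKCU / HKLM / .DEFAULT.
AUTORUN_RE = re.compile(r"^[umd](?:Run|ExplorerRun): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
# Active Setup entries: the braces should hold a real GUID.
ASETUP_RE = re.compile(r"^mASetup: \{(?P<guid>[^}]*)\} - (?P<cmd>.+)$")
HOSTS_RE = re.compile(r"^Hosts: (?P<ip>\S+)\s+(?P<host>\S+)$")
# "Created Last 30" / "Find3M" entries: timestamp, size, 8-char attribute field, path.
FILE_RE = re.compile(r"^\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\s+\d+\s+(?P<attrs>[-a-z]{8})\s+(?P<path>.+)$")
GUID_RE = re.compile(r"^[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.IGNORECASE)

# Assumption (32-bit Windows XP): the only directory each core binary legitimately lives in.
CORE_BINARIES = {
    "winlogon.exe": r"c:\windows\system32",
    "svchost.exe": r"c:\windows\system32",
    "lsass.exe": r"c:\windows\system32",
    "csrss.exe": r"c:\windows\system32",
    "services.exe": r"c:\windows\system32",
    "explorer.exe": r"c:\windows",
}


def image_path(cmd: str) -> str:
    """Return the launched executable from a Run-style command line, lower-cased.

    Handles both quoted paths followed by arguments and bare unquoted paths.
    """
    m = re.match(r'"([^"]+)"|(\S+)', cmd.strip())
    return (m.group(1) or m.group(2)).lower() if m else cmd.lower()


def triage(lines) -> list:
    """Apply simple persistence heuristics to DDS log lines; returns (line, reason) pairs."""
    findings = []
    images = Counter()  # how many autorun locations point at the same image
    for raw in lines:
        line = raw.strip()
        m = AUTORUN_RE.match(line) or ASETUP_RE.match(line)
        if m:
            img = image_path(m.group("cmd"))
            images[img] += 1
            parent, _, base = img.rpartition("\\")
            # A core-binary name outside its home directory is a classic masquerade.
            if base in CORE_BINARIES and parent != CORE_BINARIES[base]:
                findings.append((line, f"{base} outside {CORE_BINARIES[base]}: masquerading"))
            if "\\temp\\" in img:
                findings.append((line, "autorun launches from a temp directory"))
            if "guid" in m.groupdict() and not GUID_RE.match(m.group("guid")):
                findings.append((line, "Active Setup id is not a well-formed GUID"))
            continue
        m = HOSTS_RE.match(line)
        if m:
            if m.group("ip").startswith("127.") and m.group("host").lower() != "localhost":
                findings.append((line, "hosts file sinkholes a site to loopback"))
            continue
        m = FILE_RE.match(line)
        if m:
            attrs, path = m.group("attrs"), m.group("path").lower()
            # 's' and 'h' in the attribute field = system + hidden; rare for a legitimate .exe.
            if path.endswith(".exe") and "s" in attrs and "h" in attrs:
                where = "drive root" if re.fullmatch(r"[a-z]:\\[^\\]+", path) else "subdirectory"
                findings.append((line, f"system+hidden executable in {where}"))
    # One image wired into three or more autorun locations is redundancy malware likes.
    for img, n in images.items():
        if n >= 3:
            findings.append((img, f"same image registered in {n} autorun locations"))
    return findings


if __name__ == "__main__":
    for line, reason in triage(SAMPLE_LOG.splitlines()):
        print(f"{reason:<55} {line}")
```

On the sample above the script flags every winlog\Winlogon.exe entry (five autorun locations plus the file itself), the dsoqq.exe entry in %TEMP%, the malformed Active Setup id, the hosts-file sinkhole and both random-named root executables, and passes ctfmon.exe, egui.exe and steam.exe untouched. The real winlogon.exe lives in system32 and is started by the Session Manager, never from a Run key, so any autorun pointing at a file of that name is worth pulling for inspection regardless of what the scanner says about it.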

Blade81
2010-07-22, 07:19
Hi,

Please post the contents of a fresh dds.txt file.

ChrisLey
2010-07-23, 00:41
Thanks a lot for the help,
but,
damn

it's too late D:

This seems to be a new virus or something, so in the future, if you can save people like me, this is the order of events:

1. I downloaded a hack for a game. It looked suspicious, so I downloaded it and scanned it. It didn't detect anything (ESET NOD32 Business Edition). A few minutes later, it detected a virus somewhere on my computer (damn), so it moved it to quarantine.
2. The next day, I started suffering a huge lag spike and Google Chrome errors. I decided to get Spybot, but it started closing automatically after detecting Windows.Spynet.a (I think). I decided to look for help, so I ended up here with a simple problem, not seeing the storm that was coming.
3. Then I restarted my computer and the lag spike was gone. TeaTimer detected a Winlogon.exe error and I told it to kill it (I don't remember so well now what happened later). Then I started getting a Winlogon.exe error when shutting down.
4. The next day, I started seeing some processes like
galaxy.exe
WinLogon.exe
mrziimrz.exe or something like that
base64.exe

and it said I had a bunch of weird programs open, and I started getting a "Just an Awesome Tool" error.

5. I think I posted again after that... I went into safe mode and searched manually for the virus (I know what it looked like; it had a special icon and shit) :oreo:, so I think that slowed it down.

6. I started seeing those processes again, so I closed them, and I had a bunch of chrome.exe in processes even though I didn't have it open. I closed them, all good and easy.

7. The next day, I went into safe mode again, searched manually, found them again, and deleted them. I restarted, and then when I closed chrome.exe or SWARMBOT182.exe (another process from the virus) I got a blue screen. I went into safe mode, but now it restarted whenever I selected safe mode (aww shit).

8. The next day my grumpy grandpa used the computer and blocked me from using it. I heard him arguing that the computer was getting some errors; it was a galaxy.exe error (for some reason this computer has some virtual USB drives, I don't know, but I think it's fake or something) which was trying to duplicate itself into a virtual USB drive. I told it to safely remove those drives, and the error didn't appear again.

9. The next day I went to check how bad the computer was, and oh god, the virus had given remote assistance to whoever, and it was downloading a torrent of a keygen by itself. I turned my computer off and decided to get my local technician.


I hope you can add something to Spybot to detect and stop this malware.

-Thanks

Blade81
2010-07-23, 08:18
Ok. Thanks for letting us know :). Topic is now closed.