virtumonde.sci removal help



LadySoth
2012-10-16, 17:33
Computer symptoms:
Randomly restarting.
Before I ran S&D I did a full system virus scan with Avast. After no viruses were found, I did a full system restore (I was wanting to do this anyway for a fresh start). Only I had to manually install SP3, and had problems installing Microsoft Silverlight. When put on standby last night the computer turned "off", but the fan still ran (weird). When I rebooted I had a whole bunch of errors (can't remember them all) and then the computer would restart again, load up, and the errors would pop up again, then restart. It kept doing this until I inserted the restore disk and restored the comp again, only to have "extracting error"s with Adobe, RealPlayer, Microsoft Works and some others.
I was not able to install Avast. During the download an error would pop up and then the computer would restart. I was able to install and run S&D, only to find that I had the virtumonde.sci Trojan, which brought me here.

P.S. For some reason I was not able to attach the zip file (bad login?)
Will try again after submitting this post.

Thank you for your help.

DDS log:

DDS (Ver_2012-10-14.05) - NTFS_x86
Internet Explorer: 6.0.2900.2180
Run by Owner at 11:04:35 on 2012-10-16
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.2039.1670 [GMT -4:00]
.
.
============== Running Processes ================
.
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.emachines.com/
uSearch Bar = hxxp://www.google.com/ie
mDefault_Page_URL = hxxp://www.emachines.com
uInternet Connection Wizard,ShellNext = hxxp://www.gocyberlink.com/registration/new/product/app_reg.jsp?Product=PowerDVD&Version=5.0&VersionType=OEM&CDKey=MV2993H79F9H8731&Language=Enu&SR=DVD040526-03&BuildNumber=5.00.1107&Hardware=Desktop%20PC&CustomerNO=2083&Channel=OEM
BHO: AcroIEHlprObj Class: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\program files\adobe\acrobat 6.0\reader\activex\AcroIEHelper.dll
BHO: Spybot-S&D IE Protection: {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: {549B5CA7-4A86-11D7-A4DF-000874180BB3} - <orphaned>
BHO: {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - <orphaned>
EB: Real.com: {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\shdocvw.dll
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"
mRun: [SSC_UserPrompt] c:\program files\common files\symantec shared\security center\UsrPrmpt.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
StartupFolder: c:\docume~1\owner\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
mPolicies-Explorer: NoDriveTypeAutoRun = dword:145
IE: &AOL Toolbar search - c:\program files\aol toolbar\toolbar.dll/SEARCH.HTML
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE}
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0014-0002-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
TCP: NameServer = 192.168.2.1
TCP: Interfaces\{D9CB0CC4-F7F9-4E28-AE7B-A76354F66B36} : DHCPNameServer = 192.168.2.1
Notify: igfxcui - igfxsrvc.dll
.
============= SERVICES / DRIVERS ===============
.
.
=============== Created Last 30 ================
.
2012-10-16 13:21:36 -------- d-----w- c:\program files\Spybot - Search & Destroy
2012-10-16 13:21:36 -------- d-----w- c:\documents and settings\all users\application data\Spybot - Search & Destroy
2012-10-16 04:22:37 21504 ----a-w- c:\windows\system32\hidserv.dll
2012-10-16 04:22:33 12160 ----a-w- c:\windows\system32\drivers\mouhid.sys
2012-10-16 04:22:32 14848 ----a-w- c:\windows\system32\drivers\kbdhid.sys
2012-10-16 04:22:27 9600 ----a-w- c:\windows\system32\drivers\hidusb.sys
2012-10-16 04:22:25 31616 ----a-w- c:\windows\system32\drivers\usbccgp.sys
2012-10-16 04:22:24 25856 ----a-w- c:\windows\system32\drivers\usbprint.sys
2012-10-16 04:15:59 323641 ----a-w- c:\windows\system32\usrdtea.dll
2012-10-16 04:14:58 58112 ----a-w- c:\windows\system32\drivers\vdmindvd.sys
2012-10-16 04:13:40 -------- d-----w- c:\windows\SMINST
2012-10-16 04:12:59 89600 ----a-w- c:\windows\system32\smlogsvc.exe
2012-10-16 04:11:59 815104 ----a-w- c:\windows\system32\mmc.exe
2012-10-16 04:10:59 9728 ----a-w- c:\windows\system32\gpkrsrc.dll
2012-10-16 04:09:59 68608 ----a-w- c:\windows\system32\access.cpl
2012-10-16 04:01:46 -------- d-----r- C:\Program Files
2012-10-16 04:01:07 -------- d-----r- c:\documents and settings\all users\Documents
2012-10-16 04:00:23 -------- d-----r- c:\windows\Offline Web Pages
2012-10-16 03:59:59 -------- dcsh--r- c:\windows\system32\dllcache
2012-10-16 03:59:04 -------- d-----w- c:\windows\CACHE
2012-10-16 01:52:00 -------- d-----w- C:\8a84e0d10c9273241caf17
2012-10-16 01:47:46 -------- d-----w- c:\program files\AVAST Software
2012-10-16 01:47:46 -------- d-----w- c:\documents and settings\all users\application data\AVAST Software
2012-10-16 01:28:07 453152 ----a-r- c:\windows\system32\nvuninst.exe
2012-10-16 01:28:07 -------- d-----w- c:\windows\nview
2012-10-16 01:28:06 453152 ----a-w- c:\windows\system32\nvudisp.exe
2012-10-16 01:26:28 221184 ----a-w- c:\windows\system32\wmpns.dll
.
==================== Find3M ====================
.
2012-10-16 04:16:40 0 ----a-w- c:\windows\system32\usrvpa.dll
2012-10-16 04:16:12 0 ----a-w- c:\windows\system32\usrprbda.exe
2012-10-16 04:16:10 0 ----a-w- c:\windows\system32\usrmlnka.exe
2012-10-16 04:15:27 0 ----a-w- c:\windows\system32\spnike.dll
.
============= FINISH: 11:05:01.65 ===============
The aswMBR Log:

aswMBR version 0.9.9.1665 Copyright(c) 2011 AVAST Software
Run date: 2012-10-16 11:06:47
-----------------------------
11:06:47.843 OS Version: Windows 5.1.2600 Service Pack 2
11:06:47.843 Number of processors: 1 586 0x304
11:06:47.843 ComputerName: HOME UserName:
11:06:48.078 Initialize success
11:09:15.781 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-4
11:09:15.796 Disk 0 Vendor: WDC_WD800BB-22JHA0 05.01C05 Size: 76319MB BusType: 3
11:09:15.796 Disk 1 \Device\Harddisk1\DR1 -> \Device\Ide\IdeDeviceP0T1L0-c
11:09:15.796 Disk 1 Vendor: WDC_WD800BB-75JHC0 06.01C06 Size: 76293MB BusType: 3
11:09:15.812 Disk 0 MBR read successfully
11:09:15.812 Disk 0 MBR scan
11:09:15.812 Disk 0 unknown MBR code
11:09:15.812 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 76316 MB offset 63
11:09:15.828 Disk 0 scanning sectors +156296385
11:09:15.906 Disk 0 scanning C:\WINDOWS\system32\drivers
11:09:20.078 Service scanning
11:09:34.765 Modules scanning
11:09:43.156 Disk 0 trace - called modules:
11:09:43.171 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys PCIIDEX.SYS
11:09:43.187 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x89bb0ab8]
11:09:43.187 3 CLASSPNP.SYS[f763805b] -> nt!IofCallDriver -> \Device\0000004e[0x89baaf18]
11:09:43.187 5 ACPI.sys[f75ae620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-4[0x89c08940]
11:09:43.203 Scan finished successfully
11:10:11.734 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Owner\Desktop\MBR.dat"
11:10:11.734 The log file has been saved successfully to "C:\Documents and Settings\Owner\Desktop\aswMBR.txt"

LadySoth
2012-10-21, 01:38
By doing a low-level format, I think I may have fixed my Trojan issue.
If I have more problems I'll post another thread. :rockon: