
Thread: "Antivir" virus problem

  1. #1 Junior Member (Join Date: Sep 2008, Posts: 15)

    "Antivir" virus problem

    Hello all,

    I am having some issues with a virus on a friend's computer. When running normally (i.e. not in safe mode), the virus continually pops up warnings of infection, instructing me to purchase their software to remove them. It also blocks me from running any programs/executables (unless I'm in safe mode). I am currently scanning the computer with spybot S&D, and wanted to post the DDS here as well to see if there's anything else that would be beneficial to do.

    DDS:


    DDS (Ver_10-03-17.01) - FAT32x86 NETWORK
    Run by Administrator at 13:51:46.45 on Tue 08/10/2010
    Internet Explorer: 8.0.6001.18702
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.766.373 [GMT -4:00]


    ============== Running Processes ===============

    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\system32\svchost.exe -k netsvcs
    svchost.exe
    svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\2OKMNO4B\HijackThis[1].exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Administrator\Desktop\dds.scr

    ============== Pseudo HJT Report ===============

    uStart Page = hxxp://lenovo.live.com/
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
    BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
    BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
    BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.4.4525.1752\swg.dll
    BHO: Windows Live Toolbar Helper: {bdbd1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\windows live toolbar\msntb.dll
    BHO: 1 (0x1) - No File
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    TB: Windows Live Toolbar: {bdad1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\windows live toolbar\msntb.dll
    TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    uRunOnce: [NeroHomeFirstStart] "c:\program files\common files\nero\lib\NMFirstStart.exe"
    mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
    mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC
    mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
    mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
    mRun: [VTTimer] ;;;VTTimer.exe
    mRun: [Chrome3] c:\program files\s3graphics\chrome3\Chrome3.exe
    mRun: [RTHDCPL] RTHDCPL.EXE
    mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
    mRun: [BisonMnt] c:\windows\bisonc07\BisonM07.exe
    mRun: [IdeaNotesUser] c:\program files\ddni\lenovo idea notes\DDNIMSGUser.exe
    mRun: [VeriFaceManager] c:\program files\lenovo\verifaceiii\PManage.exe
    mRun: [EnergyUtility] c:\program files\lenovo\energy management\utility.exe
    mRun: [Energy Management] c:\program files\lenovo\energy management\Energy Management.exe
    mRun: [NeroFilterCheck] c:\program files\common files\nero\lib\NeroCheck.exe
    mRun: [NBKeyScan] "c:\program files\nero\nero8\nero backitup\NBKeyScan.exe"
    mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\ipoint.exe"
    mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
    mRun: [LXBXCATS] rundll32 c:\windows\system32\spool\drivers\w32x86\3\LXBXtime.dll,_RunDLLEntry@16
    mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
    mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
    mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
    mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
    mRun: [ojljnoql] c:\documents and settings\lois anne davis\local settings\application data\gxutgtxuw\rtsvixvtssd.exe
    dRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\quickb~1.lnk - c:\program files\common files\intuit\quickbooks\qbupdate\qbupdate.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\mcafee~1.lnk - c:\program files\mcafee security scan\1.0.150\SSScheduler.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\ps-link.lnk - c:\program files\airlink101\airlink101 ps software\PsLink.exe
    IE: {6096E38F-5AC1-4391-8EC4-75DFA92FB32F} - http://www.lenovo.com
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
    IE: {5067A26B-1337-4436-8AFE-EE169C2DA79F} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
    IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
    IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
    DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    DPF: {E77F23EB-E7AB-4502-8F37-247DBAF1A147} - hxxp://gfx2.hotmail.com/mail/w4/pr01/photouploadcontrol/MSNPUpld.cab
    Handler: intu-help-qb1 - {9B0F96C7-2E4B-433e-ABF3-043BA1B54AE3} - c:\program files\intuit\quickbooks 2008\HelpAsyncPluggableProtocol.dll
    Handler: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - c:\windows\system32\mscoree.dll
    Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
    Hosts: 127.0.0.1 www.spywareinfo.com

    ============= SERVICES / DRIVERS ===============

    R3 ACPIVPC;Lenovo Virtual Power Controller Driver;c:\windows\system32\drivers\AcpiVpc.sys [2009-10-29 9472]
    R3 BusRMUSB;Remote USB Bus;c:\windows\system32\drivers\BusRMUSB.sys [2010-2-11 43008]
    R3 vcrdrx32;VIA MSP Cardreader Host Controller;c:\windows\system32\drivers\vcrdrx32.sys [2009-10-29 93440]
    S2 DDNIMSGService;DDNIMSGService;c:\program files\ddni\lenovo idea notes\DDNIMSGService.exe [2009-1-17 172720]
    S2 DDNIService;DDNIService;c:\program files\ddni\dibs\DDNIService.exe [2009-10-29 160432]
    S2 DvmMDES;DeviceVM Meta Data Export Service;c:\qstart.sys\config\DVMExportService.exe [2009-3-26 315392]
    S2 FHPService;FHPService;c:\program files\lenovo\onekey app\onekey recovery\FHPService.exe [2008-7-23 169256]
    S2 S3LoadSv;S3LoadSv;c:\program files\s3graphics\chrome3\s3loadsv.exe [2009-10-29 69632]
    S2 System_Repair_UpdateMonitor;System Repair Windows Update Monitor;c:\program files\lenovo\onekey app\system repair\UpdateMonitor.exe [2009-10-29 430080]
    S2 tvtumon;tvtumon;c:\windows\system32\drivers\tvtumon.sys [2009-10-29 48144]
    S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2009-10-29 1684736]
    S3 S3GIGP;S3GIGP;c:\windows\system32\drivers\S3gIGPm.sys [2009-10-29 560640]
    S3 WSVD;WSVD;c:\windows\system32\drivers\WSVD.sys [2009-10-29 82928]

    =============== Created Last 30 ================

    2010-08-10 17:15:35 0 d-----w- c:\program files\Spybot - Search & Destroy
    2010-08-10 17:15:35 0 d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
    2010-08-10 17:10:38 0 d-sh--w- c:\documents and settings\administrator\PrivacIE
    2010-08-10 17:09:46 0 d-sh--w- c:\documents and settings\administrator\IETldCache
    2010-08-10 16:59:52 0 d-----w- c:\docume~1\admini~1\applic~1\ID Vault
    2010-07-18 02:09:49 0 d-----w- c:\program files\iPod
    2010-07-18 02:09:31 0 d-----w- c:\program files\iTunes
    2010-07-18 02:09:31 0 d-----w- c:\docume~1\alluse~1\applic~1\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
    2010-07-18 01:59:08 0 d-----w- c:\program files\Bonjour
    2010-07-14 02:05:58 0 d-sh--w- C:\FOUND.006

    ==================== Find3M ====================

    2010-07-27 06:30:36 8462336 ----a-w- c:\windows\system32\dllcache\shell32.dll
    2010-06-14 14:31:20 744448 ----a-w- c:\windows\system32\dllcache\helpsvc.exe
    2010-05-18 20:35:16 91424 ----a-w- c:\windows\system32\dnssd.dll
    2010-05-18 20:35:16 197920 ----a-w- c:\windows\system32\dnssdX.dll
    2010-05-18 20:35:16 107808 ----a-w- c:\windows\system32\dns-sd.exe
    2009-10-29 18:54:42 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\application data\microsoft\feeds cache\index.dat
    2009-12-26 05:13:42 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009122620091227\index.dat

    ============= FINISH: 13:53:11.50 ===============



    Thanks for your help,

    Chris

    update:

    Spybot scan completed and deleted several files. The malware doesn't appear to be affecting the computer any longer (no more pop-ups, warnings, etc., and executables/other programs run fine). However, it appears as though the internet no longer works. I have a strong connection and have tried all the usual tricks, but to no avail; I just get the 'Internet Explorer cannot find this page' page.


    Thoughts?

    Thanks,

    Chris

    Still no luck getting the internet to run. Is it possible some bit of the malware is still affecting the system? Should I post another log?

    After some searching I found some others on this forum with the same malware, and found the step-by-step on bleeping computer. Would it be advisable to go through these steps even though antivir doesn't appear to be active (visually, at least)?

    Thanks again,

    Chris
    Last edited by Blade81; 2010-08-18 at 20:54. Reason: Three posts merged. Helpers look for topics with 0 replies so don't add more posts, please.

  2. #2 Blade81, Security Expert: Emeritus (Join Date: Oct 2006, Location: Finland, Posts: 25,288)

    Hi,

    Please post fresh dds.txt & attach.txt contents.
    Microsoft Windows Insider MVP 2016-2020
    Microsoft MVP Consumer Security 2008-2015
    UNITE member since 2006

    If you have problems create a thread in the forum, please.

    Malware removal instructions are for the correspondent user's case only.

  3. #3 Blade81, Security Expert: Emeritus (Join Date: Oct 2006, Location: Finland, Posts: 25,288)

    Due to inactivity, this thread will now be closed.

    Note: If it has been three days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh DDS log and a link to your previous thread. Please do not add any logs that might have been requested in the closed topic; you would be starting fresh.

    If it has been less than three days since your last response and you need the thread re-opened, please send me or other MOD a private message (pm). A valid, working link to the closed topic is required.
