
won't delete on reboot



I have been running my Malwarebytes Anti-Malware and it finds 7 viruses which all say they will delete on reboot. Please help me ASAP. Here are all of my logs.

-----------------------------------------------------------------------------

defogger_disable by jpshortstuff (23.02.10.1)

Log created at 15:34 on 20/05/2010 (wagner)

Checking for autostart values...

HKCU\~\Run values retrieved.

HKLM\~\Run values retrieved.

Checking for services/drivers...

-=E.O.F=-

-------------------------------------------------------------------------------

DDS (Ver_10-03-17.01) - NTFSx86

Run by wagner at 15:34:47.87 on Thu 05/20/2010

Internet Explorer: 8.0.6001.18702

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2039.1368 [GMT -4:00]

AV: avast! Antivirus *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch

C:\WINDOWS\system32\svchost -k rpcss

C:\WINDOWS\System32\svchost.exe -k netsvcs

C:\Program Files\Intel\WiFi\bin\S24EvMon.exe

C:\WINDOWS\system32\svchost.exe -k NetworkService

C:\WINDOWS\system32\svchost.exe -k LocalService

C:\Program Files\Alwil Software\Avast5\AvastSvc.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\svchost.exe -k LocalService

C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe

C:\Program Files\Intel\WiFi\bin\EvtEng.exe

C:\Program Files\Kaseya\Agent\AgentMon.exe

C:\Program Files\LogMeIn\x86\RaMaint.exe

C:\Program Files\LogMeIn\x86\LogMeIn.exe

C:\Program Files\LogMeIn\x86\LMIGuardian.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe

C:\Program Files\Spyware Doctor\pctsAuxs.exe

C:\Program Files\Spyware Doctor\pctsSvc.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\Program Files\Intel\WiFi\bin\WLKeeper.exe

C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE

C:\WINDOWS\system32\SearchIndexer.exe

C:\WINDOWS\system32\wbem\wmiprvse.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe

C:\WINDOWS\system32\igfxpers.exe

C:\WINDOWS\system32\igfxsrvc.exe

C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe

C:\Program Files\Intel\WiFi\bin\ZCfgSvc.exe

C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe

C:\Program Files\Kaseya\Agent\KaUsrTsk.exe

C:\Program Files\LogMeIn\x86\LogMeInSystray.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\LogMeIn\x86\LMIGuardian.exe

C:\Program Files\Spyware Doctor\pctsTray.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\Program Files\Windows Desktop Search\WindowsSearch.ex

---------------------------------------------------------------------------------------------------------------------

DDS (Ver_10-03-17.01)

Microsoft Windows XP Professional

Boot Device: \Device\HarddiskVolume1

Install Date: 3/12/2010 10:37:01 AM

System Uptime: 5/20/2010 3:21:00 PM (0 hours ago)

Motherboard: Dell Inc. | |

Processor: Intel® Pentium® M processor 1.73GHz | Microprocessor | 1729/133mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 149 GiB total, 120.061 GiB free.

D: is CDROM ()

==== Disabled Device Manager Items =============

==== System Restore Points ===================

RP1: 3/12/2010 10:41:11 AM - System Checkpoint

RP2: 3/12/2010 10:51:12 AM - Installed Broadcom 440x 10/100 Integrated Controller

RP3: 3/12/2010 10:55:28 AM - Software Distribution Service 3.0

RP4: 3/12/2010 11:08:07 AM - Software Distribution Service 3.0

RP5: 3/12/2010 11:32:56 AM - Software Distribution Service 3.0

RP6: 3/12/2010 2:07:24 PM - Software Distribution Service 3.0

RP7: 3/12/2010 5:57:47 PM - Installed Windows XP WgaNotify.

RP8: 3/12/2010 5:59:02 PM - Software Distribution Service 3.0

RP9: 3/12/2010 7:46:35 PM - Software Distribution Service 3.0

RP10: 3/12/2010 8:02:46 PM - Software Distribution Service 3.0

RP11: 3/12/2010 10:33:25 PM - Installed Microsoft Office Small Business Edition 2003

RP12: 3/12/2010 11:20:55 PM - Software Distribution Service 3.0

RP13: 3/13/2010 12:11:44 AM - Software Distribution Service 3.0

RP14: 3/13/2010 9:44:24 AM - Installed Adobe Reader 9.3.

RP15: 3/13/2010 9:51:21 AM - avast! Free Antivirus Setup

RP16: 3/13/2010 10:27:33 AM - Installed Intel® PROSet/Wireless WiFi Software.

RP17: 3/14/2010 12:00:37 PM - System Checkpoint

RP18: 3/14/2010 8:17:21 PM - Installed Kaseya Agent

RP19: 4/3/2010 12:03:48 PM - System Checkpoint

RP20: 4/3/2010 12:47:28 PM - Software Distribution Service 3.0

RP21: 4/4/2010 7:31:16 AM - Software Distribution Service 3.0

RP22: 4/4/2010 8:10:18 AM - Installed LogMeIn

RP23: 4/5/2010 8:46:19 AM - System Checkpoint

RP24: 4/6/2010 9:46:20 AM - System Checkpoint

RP25: 4/7/2010 8:45:42 PM - System Checkpoint

RP26: 4/8/2010 9:02:46 PM - System Checkpoint

RP27: 4/9/2010 10:02:46 PM - System Checkpoint

RP28: 4/10/2010 11:02:46 PM - System Checkpoint

RP29: 4/18/2010 9:27:35 AM - Software Distribution Service 3.0

RP30: 4/19/2010 9:49:50 AM - System Checkpoint

RP31: 4/20/2010 10:49:50 AM - System Checkpoint

RP32: 4/21/2010 11:49:50 AM - System Checkpoint

RP33: 4/22/2010 12:49:50 PM - System Checkpoint

RP34: 4/22/2010 7:00:32 PM - Installed Compatibility Pack for the 2007 Office system

RP35: 4/23/2010 3:00:14 AM - Software Distribution Service 3.0

RP36: 4/25/2010 12:51:45 PM - System Checkpoint

RP37: 4/28/2010 8:28:00 AM - Installed iTunes

RP38: 4/29/2010 3:00:07 PM - System Checkpoint

RP39: 4/30/2010 6:55:04 PM - System Checkpoint

RP40: 5/1/2010 7:41:04 PM - System Checkpoint

RP41: 5/2/2010 8:39:18 PM - System Checkpoint

RP42: 5/4/2010 3:12:44 PM - System Checkpoint

RP43: 5/5/2010 6:07:19 PM - System Checkpoint

RP44: 5/6/2010 7:23:49 PM - System Checkpoint

RP45: 5/7/2010 7:41:58 PM - System Checkpoint

RP46: 5/8/2010 8:08:33 PM - System Checkpoint

RP47: 5/9/2010 10:56:05 PM - System Checkpoint

RP48: 5/10/2010 11:27:00 PM - System Checkpoint

RP49: 5/12/2010 4:00:36 PM - Software Distribution Service 3.0

RP50: 5/13/2010 4:22:52 PM - System Checkpoint

RP51: 5/14/2010 5:20:29 PM - System Checkpoint

RP52: 5/16/2010 7:11:10 PM - System Checkpoint

==== Installed Programs ======================

Acoustica Effects Pack

Acoustica Mixcraft 5

Acrobat.com

Adobe AIR

Adobe Flash Player 10 ActiveX

Adobe Flash Player Plugin

Adobe Reader 9.3

Apple Application Support

Apple Mobile Device Support

Apple Software Update

Audacity 1.2.6

avast! Free Antivirus

Bonjour

Broadcom 440x 10/100 Integrated Controller

Browser Defender 2.0.6.15

CCleaner

Compatibility Pack for the 2007 Office system

Conexant D110 MDC V.92 Modem

DiskAid 3.24

Google Toolbar for Internet Explorer

Google Update Helper

Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)

Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)

Hotfix for Windows Media Format 11 SDK (KB929399)

Hotfix for Windows Media Player 11 (KB939683)

Hotfix for Windows XP (KB915800-v4)

Hotfix for Windows XP (KB952287)

Hotfix for Windows XP (KB954550-v5)

Hotfix for Windows XP (KB961118)

Hotfix for Windows XP (KB979306)

Intel PROSet Wireless

Intel® Graphics Media Accelerator Driver for Mobile

Intel® PROSet/Wireless WiFi Software

iTunes

Kaseya Agent

LogMeIn

Malwarebytes' Anti-Malware

Microsoft .NET Framework 1.1

Microsoft .NET Framework 1.1 Security Update (KB953297)

Microsoft .NET Framework 2.0 Service Pack 2

Microsoft .NET Framework 3.0 Service Pack 2

Microsoft .NET Framework 3.5 SP1

Microsoft Base Smart Card Cryptographic Service Provider Package

Microsoft Compression Client Pack 1.0 for Windows XP

Microsoft Office Small Business Edition 2003

Microsoft Silverlight

Microsoft User-Mode Driver Framework Feature Pack 1.0

Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17

Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148

MSXML 4.0 SP2 (KB954430)

MSXML 4.0 SP2 (KB973688)

OGA Notifier 2.0.0048.0

QuickTime

Security Update for Windows Internet Explorer 8 (KB971961)

Security Update for Windows Internet Explorer 8 (KB976325)

Security Update for Windows Internet Explorer 8 (KB978207)

Security Update for Windows Internet Explorer 8 (KB981332)

Security Update for Windows Media Player (KB952069)

Security Update for Windows Media Player (KB954155)

Security Update for Windows Media Player (KB968816)

Security Update for Windows Media Player (KB973540)

Security Update for Windows Media Player 11 (KB954154)

Security Update for Windows Search 4 - KB963093

Security Update for Windows XP (KB923561)

Security Update for Windows XP (KB923789)

Security Update for Windows XP (KB941569)

Security Update for Windows XP (KB946648)

Security Update for Windows XP (KB950760)

Security Update for Windows XP (KB950762)

Security Update for Windows XP (KB950974)

Security Update for Windows XP (KB951066)

Security Update for Windows XP (KB951376-v2)

Security Update for Windows XP (KB951748)

Security Update for Windows XP (KB952004)

Security Update for Windows XP (KB952954)

Security Update for Windows XP (KB955069)

Security Update for Windows XP (KB956572)

Security Update for Windows XP (KB956744)

Security Update for Windows XP (KB956802)

Security Update for Windows XP (KB956803)

Security Update for Windows XP (KB956844)

Security Update for Windows XP (KB958644)

Security Update for Windows XP (KB958869)

Security Update for Windows XP (KB959426)

Security Update for Windows XP (KB960225)

Security Update for Windows XP (KB960803)

Security Update for Windows XP (KB960859)

Security Update for Windows XP (KB961501)

Security Update for Windows XP (KB969059)

Security Update for Windows XP (KB969947)

Security Update for Windows XP (KB970238)

Security Update for Windows XP (KB970430)

Security Update for Windows XP (KB971468)

Security Update for Windows XP (KB971657)

Security Update for Windows XP (KB972270)

Security Update for Windows XP (KB973354)

Security Update for Windows XP (KB973507)

Security Update for Windows XP (KB973869)

Security Update for Windows XP (KB973904)

Security Update for Windows XP (KB974112)

Security Update for Windows XP (KB974318)

Security Update for Windows XP (KB974392)

Security Update for Windows XP (KB974571)

Security Update for Windows XP (KB975025)

Security Update for Windows XP (KB975467)

Security Update for Windows XP (KB975560)

Security Update for Windows XP (KB975561)

Security Update for Windows XP (KB975713)

Security Update for Windows XP (KB977165-v2)

Security Update for Windows XP (KB977816)

Security Update for Windows XP (KB977914)

Security Update for Windows XP (KB978037)

Security Update for Windows XP (KB978251)

Security Update for Windows XP (KB978262)

Security Update for Windows XP (KB978338)

Security Update for Windows XP (KB978542)

Security Update for Windows XP (KB978601)

Security Update for Windows XP (KB978706)

Security Update for Windows XP (KB979309)

Security Update for Windows XP (KB979683)

Security Update for Windows XP (KB980232)

Spyware Doctor 7.0

TuneUp Companion 1.6.9

Update for Microsoft .NET Framework 3.5 SP1 (KB963707)

Update for Microsoft Windows (KB971513)

Update for Windows Internet Explorer 8 (KB976662)

Update for Windows Internet Explorer 8 (KB978506)

Update for Windows Internet Explorer 8 (KB980182)

Update for Windows XP (KB951978)

Update for Windows XP (KB955759)

Update for Windows XP (KB967715)

Update for Windows XP (KB968389)

Update for Windows XP (KB971737)

Update for Windows XP (KB973687)

Update for Windows XP (KB973815)

Update for Windows XP (KB978207)

WebFldrs XP

Windows Genuine Advantage Notifications (KB905474)

Windows Genuine Advantage Validation Tool (KB892130)

Windows Internet Explorer 8

Windows Live ID Sign-in Assistant

Windows Media Format 11 runtime

Windows Media Player 11

Windows PowerShell 1.0

Windows Search 4.0

Windows XP Service Pack 3

==== Event Viewer Messages From Past Week ========

5/14/2010 4:35:35 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: PCIIde

5/14/2010 4:35:25 PM, error: sr [1] - The System Restore filter encountered the unexpected error '0xC0000001' while processing the file '' on the volume 'HarddiskVolume1'. It has stopped monitoring the volume.

5/14/2010 2:54:14 PM, error: DCOM [10016] - The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID {BA126AD1-2166-11D1-B1D0-00805FC1270E} to the user NT AUTHORITY\NETWORK SERVICE SID (S-1-5-20). This security permission can be modified using the Component Services administrative tool.

5/14/2010 2:54:01 PM, error: DCOM [10016] - The machine-default permission settings do not grant Local Activation permission for the COM Server application with CLSID {A4199E55-EBB9-49E5-AF1A-7A5408B2E206} to the user NT AUTHORITY\NETWORK SERVICE SID (S-1-5-20). This security permission can be modified using the Component Services administrative tool.

==== End Of File ===========================

---------------------------------------------------------------------------------------------------------

GMER 1.0.15.15281 - http://www.gmer.net

Rootkit quick scan 2010-05-20 15:39:19

Windows 5.1.2600 Service Pack 3

Running: cdrbobym[1].exe; Driver: C:\DOCUME~1\wagner\LOCALS~1\Temp\pxtdapow.sys

---- System - GMER 1.0.15 ----

Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateSection [0xA97DC322]

Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwLoadDriver [0xA97DC45C]

Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) NtCreateSection

Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ObInsertObject

Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ObMakeTemporaryObject

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs aswSP.SYS (avast! self protection module/ALWIL Software)

AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)

AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

---- EOF - GMER 1.0.15 ----

-------------------------------------------------------------------------------------------------

Malwarebytes' Anti-Malware 1.46

www.malwarebytes.org

Database version: 4107

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

5/16/2010 8:08:11 PM

mbam-log-2010-05-16 (20-08-11).txt

Scan type: Quick scan

Objects scanned: 124476

Time elapsed: 10 minute(s), 26 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 7

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ares.exe (Backdoor.Bot) -> Delete on reboot.

C:\Documents and Settings\Default User\Start Menu\Programs\Startup\ares.exe (Backdoor.Bot) -> Delete on reboot.

C:\Documents and Settings\wagner\Start Menu\Programs\Startup\ares.exe (Backdoor.Bot) -> Delete on reboot.

C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Startup\ares.exe (Backdoor.Bot) -> Delete on reboot.

C:\Program Files\Common Files\System\ieupdates.exe (Trojan.Downloader) -> Delete on reboot.

C:\WINDOWS\system32\ieupdates.exe (Trojan.Agent) -> Delete on reboot.

C:\WINDOWS\system32\utorrent.exe (Worm.AutoRun) -> Delete on reboot.
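The seven entries above all carry the action "Delete on reboot": the scanner could not remove the file during the running session, so removal is deferred to the next boot. The more telling detail for triage is where the files sit. Four copies of the same binary are planted in every Startup folder on the box (the user's own profile, All Users, the Default User template that seeds new profiles, and the LocalSystem profile under system32\config), and the remaining three are dropped into system32 and Common Files under names that imitate legitimate software. The script below is an added example for this thread, not Malwarebytes code: it parses the "Files Infected:" block of an MBAM 1.x text log (the block is embedded as constructed sample input, copied from the post) and groups each detection by the persistence location it implies. The category labels are this example's own.

```python
"""Triage the 'Files Infected:' section of a Malwarebytes' Anti-Malware
1.x text log and classify each hit by the persistence location it sits in.
Added example for this thread; not Malwarebytes code."""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample input: the "Files Infected:" block copied from the
# MBAM 1.46 log posted above.
MBAM_FILES_SECTION = r"""
Files Infected:
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ares.exe (Backdoor.Bot) -> Delete on reboot.
C:\Documents and Settings\Default User\Start Menu\Programs\Startup\ares.exe (Backdoor.Bot) -> Delete on reboot.
C:\Documents and Settings\wagner\Start Menu\Programs\Startup\ares.exe (Backdoor.Bot) -> Delete on reboot.
C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Startup\ares.exe (Backdoor.Bot) -> Delete on reboot.
C:\Program Files\Common Files\System\ieupdates.exe (Trojan.Downloader) -> Delete on reboot.
C:\WINDOWS\system32\ieupdates.exe (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\utorrent.exe (Worm.AutoRun) -> Delete on reboot.
"""

# One MBAM 1.x file line:  <drive-path> (<threat name>) -> <action>.
LINE_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+?) \((?P<threat>[^()]+)\) -> (?P<action>[^.]+)\.$"
)

# XP per-profile Startup folder; anything inside runs at that profile's logon.
XP_STARTUP = "\\start menu\\programs\\startup\\"


@dataclass(frozen=True)
class Detection:
    path: str
    threat: str
    action: str

    @property
    def basename(self) -> str:
        return self.path.rsplit("\\", 1)[-1].lower()


def parse_files_infected(log: str) -> list[Detection]:
    """Return the detections under 'Files Infected:'; other sections are ignored."""
    found: list[Detection] = []
    in_section = False
    for raw in log.splitlines():
        line = raw.strip()
        if line.endswith(":"):                      # a section header such as "Folders Infected:"
            in_section = line.lower() == "files infected:"
            continue
        m = LINE_RE.match(line) if in_section else None
        if m:
            found.append(Detection(m["path"], m["threat"], m["action"]))
    return found


def classify(path: str) -> str:
    """Map a detected file's location to the persistence it implies on XP.
    Labels are this example's own, not MBAM categories."""
    p = path.lower()
    if XP_STARTUP in p:                             # checked first: systemprofile lives under system32
        if "\\all users\\" in p:
            return "startup:all-users"              # runs at every interactive logon
        if "\\default user\\" in p:
            return "startup:default-user"           # template copied into each new profile
        if "\\config\\systemprofile\\" in p:
            return "startup:systemprofile"          # LocalSystem's profile
        return "startup:user"                       # one named user's profile
    if "\\windows\\system32\\" in p:
        return "system32-dropped"                   # dropped beside OS binaries under a familiar name
    if "\\common files\\system\\" in p:
        return "common-files-dropped"
    return "other"


def triage(log: str) -> dict:
    """Summarise a log: counts per location class, how many removals were
    deferred to reboot, and which binaries are seeded into several Startup folders."""
    dets = parse_files_infected(log)
    by_class = Counter(classify(d.path) for d in dets)
    deferred = sum(1 for d in dets if d.action.lower() == "delete on reboot")
    startup_names = Counter(d.basename for d in dets if classify(d.path).startswith("startup:"))
    # The same binary in more than one Startup folder relaunches no matter
    # which profile logs on next; one in-session delete will not stick.
    seeded = {name: n for name, n in startup_names.items() if n > 1}
    return {
        "detections": dets,
        "by_class": dict(by_class),
        "deferred": deferred,
        "seeded_startup": seeded,
    }


if __name__ == "__main__":
    report = triage(MBAM_FILES_SECTION)
    for d in report["detections"]:
        print(f"{classify(d.path):22} {d.threat:18} {d.action:16} {d.path}")
    print("deferred to reboot:", report["deferred"])
    print("seeded into several Startup folders:", report["seeded_startup"])
```

Run it against any MBAM 1.x log saved as text by swapping in the file's contents for the constructed sample; the point it surfaces for this log is that the same backdoor binary is seeded into four Startup folders, so a removal that only clears the current session leaves three relaunch points in place.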


Hello and :)

  • My name is xixo_12 and I will guide you.
  • Refrain from running self-fixes, as this will hinder the malware removal process.
  • You may wish to print them off or copy the instructions into Notepad.
  • If you have any questions, please don't hesitate to ask.
  • The instructions that I will give you are specific to your current problem and shouldn't be used on other systems.
  • If you are receiving help or have received help on this problem elsewhere, please let us know.
  • Keep interacting with me until your computer is clean.

Please! If you need more time to do all the instructions, let me know before the 72 hours are up. Otherwise, your thread will be closed.

Next,

BACKDOOR TROJAN

I'm afraid I have some bad news for you. Your computer is infected with a BACKDOOR TROJAN. Backdoor Trojans are the most dangerous and most widespread type of Trojan. Backdoor Trojans provide the author or "master" of the Trojan with remote "administration" of victims' machines. Unlike legitimate remote administration utilities, they install, launch and run invisibly, without the consent or knowledge of the user. Once installed, Backdoor Trojans can be instructed to send, receive, execute and delete files, harvest confidential data from the computer, log activity on the computer, change settings on the computer and more. Please read this article by Roger A. Grimes on Remote Access Trojans; it will give you an idea of the severity of the type of infection you have.

You are strongly advised to do the following:

  • Disconnect the computer from the Internet and from any networked computers until it is cleaned.
  • Back up all your important data except programs. The programs can be reinstalled back from the original disc or from the Net.
  • Call all your banks, financial institutions, credit card companies and inform them that you may be a victim of identity theft and put a watch on your accounts. If you don't mind the hassle, change all your account numbers.
  • From a clean computer, change all your passwords (ISP login password, your email address(es) passwords, financial accounts, PayPal, eBay, Amazon, online groups and forums and any other online activities you carry out which require a username and password).

Do NOT change your passwords from this computer as the attacker will be able to get all the new passwords and transaction records.

Because of the severity and the capabilities of this type of virus (it cannot be known what changes to your system it has made or if it opened up other ways into your system), the only responsible course of action I can advise is to reformat your computer and reinstall Windows.

Further reading:

Post any questions you have.

Please let us know what you have decided to do in your next post.


  • Root Admin

Due to the lack of feedback this Topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

The fixes and advice in this thread are for this machine only. Do not apply the instructions from this thread to your own machine. Please start a new thread describing your issue and someone will be along to assist you.
