System Volume Information virus


Hi everyone, I need help to fix my computer.

It started when I saw iexplore start to open by itself and also run in the background all the time. It slows the computer, and I tried to shut it down, but nothing happens.

I followed the instructions in "I'm infected - What do I do now? Please follow these instructions to clean your system".

I have ESET NOD32 Antivirus, and I also tried Malwarebytes, but I still have some trojan that can't be deleted.

Here are my posted files, please help me.

Malwarebytes' Anti-Malware 1.46

www.malwarebytes.org

Database version: 4255

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

29/06/2010 18:53:35

mbam-log-2010-06-29 (18-53-35).txt

Scan type: Quick scan

Objects scanned: 149548

Time elapsed: 35 minute(s), 11 second(s)

Memory Processes Infected: 1

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 1

Memory Processes Infected:

C:\System Volume Information\Microsoft\smss.exe (Trojan.Cycler) -> Failed to unload process.

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\System volume information\Microsoft\smss.exe (Trojan.Cycler) -> Delete on reboot.

DDS (Ver_10-03-17.01) - NTFSx86

Run by boaz at 19:02:05.37 on Tue 06/29/2010

Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_13

Microsoft Windows XP Professional 5.1.2600.3.1255.972.1033.18.1023.358 [GMT 2:00]

AV: ESET NOD32 Antivirus 4.2 *On-access scanning enabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

C:\Program Files\Intel\Wireless\Bin\EvtEng.exe

C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

svchost.exe

svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe

C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe

svchost.exe

svchost.exe

C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe

C:\WINDOWS\system32\DVDRAMSV.exe

C:\WINDOWS\eHome\ehRecvr.exe

C:\WINDOWS\eHome\ehSched.exe

C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe

C:\Program Files\McAfee\Common Framework\FrameworkService.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe

C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\WINDOWS\system32\fxssvc.exe

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\system32\dllhost.exe

C:\WINDOWS\system32\00THotkey.exe

C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe

C:\WINDOWS\system32\TFNF5.exe

C:\Program Files\TOSHIBA\TouchED\TouchED.Exe

C:\WINDOWS\ehome\ehtray.exe

C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe

C:\Program Files\XemiComputers\Active Desktop Calendar\ADC.exe

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\eHome\ehmsas.exe

C:\box\chrome-win32\chrome.exe

C:\box\chrome-win32\chrome.exe

C:\box\chrome-win32\chrome.exe

C:\box\chrome-win32\chrome.exe

C:\box\chrome-win32\chrome.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\box\chrome-win32\chrome.exe

C:\box\chrome-win32\chrome.exe

C:\box\chrome-win32\chrome.exe

C:\box\chrome-win32\chrome.exe

C:\box\chrome-win32\chrome.exe

C:\Documents and Settings\boaz\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.ynet.co.il/

uSearch Bar = hxxp://www.toshiba.com/search

uInternet Connection Wizard,ShellNext = hxxp://www.toshibadirect.com/dpdstart

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll

BHO: FDMIECookiesBHO Class: {cc59e0f9-7e43-44fa-9faa-8377850bf205} - c:\program files\free download manager\iefdm2.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

TB: {BA52B914-B692-46c4-B683-905236F6F655} - No File

TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File

TB: {965B54B0-71E0-4611-8DE7-F73FA0B20E26} - No File

EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll

uRun: [Active Desktop Calendar] c:\program files\xemicomputers\active desktop calendar\ADC.exe

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

mRun: [00THotkey] c:\windows\system32\00THotkey.exe

mRun: [TFncKy] TFncKy.exe

mRun: [TFNF5] TFNF5.exe

mRun: [TouchED] c:\program files\toshiba\touched\TouchED.Exe

mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup

mRun: [ehTray] c:\windows\ehome\ehtray.exe

mRun: [egui] "c:\program files\eset\eset nod32 antivirus\egui.exe" /hide /waitservice

dRunOnce: [FlashPlayerUpdate] c:\windows\system32\macromed\flash\FlashUtil10b.exe

IE: &????? ?? Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000

IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200

IE: Download all with Free Download Manager - file://c:\program files\free download manager\dlall.htm

IE: Download selected with Free Download Manager - file://c:\program files\free download manager\dlselected.htm

IE: Download video with Free Download Manager - file://c:\program files\free download manager\dlfvideo.htm

IE: Download with Free Download Manager - file://c:\program files\free download manager\dllink.htm

IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000

IE: Translate with &Babylon - c:\program files\babylon\babylon-pro\utils\BabylonIEPI.dll/Translate.htm

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL

IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll

IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab

DPF: {C153B3D7-FC2F-4BE8-A5A1-63A8E3E774DB} - hxxp://www.technion.ac.il/GG/Iplugin.cab

DPF: {CAFEEFAC-0015-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_01-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab

Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL

Notify: IntelWireless - c:\program files\intel\wireless\bin\LgNotify.dll

Hosts: 127.0.0.1 www.spywareinfo.com

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\boaz\applic~1\mozilla\firefox\profiles\ts3dpl4r.default\

FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=

FF - prefs.js: browser.startup.homepage - hxxp://www.skip-search.com/?cfg=2-82-0-zDnV\n

FF - prefs.js: keyword.URL - hxxp://www.google.com/search?q=

FF - prefs.js: network.proxy.type - 4

FF - component: c:\documents and settings\boaz\application data\mozilla\firefox\profiles\ts3dpl4r.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll

FF - component: c:\documents and settings\boaz\application data\mozilla\firefox\profiles\ts3dpl4r.default\extensions\{5dc2c36d-747c-4fee-8bc3-e86c21981440}\components\FFExternalAlert.dll

FF - component: c:\documents and settings\boaz\application data\mozilla\firefox\profiles\ts3dpl4r.default\extensions\{5dc2c36d-747c-4fee-8bc3-e86c21981440}\components\RadioWMPCore.dll

FF - component: c:\documents and settings\boaz\application data\mozilla\firefox\profiles\ts3dpl4r.default\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}\platform\winnt_x86-msvc\components\ipc_fireftp.dll

FF - component: c:\program files\free download manager\firefox\extension\components\vmsfdmff.dll

FF - plugin: c:\documents and settings\boaz\application data\mozilla\plugins\npPxPlay.dll

FF - plugin: c:\program files\google\picasa3\npPicasa3.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npFoxitReaderPlugin.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [2010-3-29 114984]

R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [2010-3-29 95872]

R2 ekrn;ESET Service;c:\program files\eset\eset nod32 antivirus\ekrn.exe [2010-3-29 810120]

R2 McAfeeFramework;McAfee Framework Service;c:\program files\mcafee\common framework\FrameworkService.exe [2009-3-21 104000]

R2 PStrip;PStrip;c:\windows\system32\drivers\pstrip.sys [2007-7-15 27992]

R3 ttv300x;TOSHIBA PCI TV Tuner;c:\windows\system32\drivers\ttv300x.sys [2005-4-2 126592]

S3 EC168BDA;EC168BDA service;c:\windows\system32\drivers\ec168bda.sys --> c:\windows\system32\drivers\EC168BDA.sys [?]

S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2005-8-2 32512]

S3 SDTHelper;Helper driver for SDT-Tool;c:\box\_downloads\radix_installer\SDTHLPR.sys [2010-6-23 14873]

S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys --> c:\windows\system32\drivers\wdcsam.sys [?]

=============== Created Last 30 ================

2010-06-29 17:00:44 0 ----a-w- c:\documents and settings\boaz\defogger_reenable

2010-06-29 16:04:36 0 d-----w- c:\docume~1\boaz\applic~1\Malwarebytes

2010-06-29 16:03:58 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-06-29 16:03:55 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes

2010-06-29 16:03:54 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-06-29 16:03:53 0 d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-06-29 14:36:09 0 d-----w- c:\program files\ESET

2010-06-29 14:15:07 77312 ----a-w- c:\windows\MBR.exe

2010-06-29 14:15:07 256512 ----a-w- c:\windows\PEV.exe

2010-06-29 14:15:07 161792 ----a-w- c:\windows\SWREG.exe

2010-06-29 14:15:06 98816 ----a-w- c:\windows\sed.exe

2010-06-29 12:03:33 0 d-----w- c:\program files\CCleaner

2010-06-24 15:37:47 0 d-----w- c:\program files\Freeware PDF Unlocker

2010-06-23 10:42:15 221568 ------w- c:\windows\system32\MpSigStub.exe

2010-06-23 09:21:43 0 d-sh--w- c:\documents and settings\boaz\IECompatCache

2010-06-23 09:10:00 0 d-----w- c:\windows\pss

2010-06-22 19:09:30 0 d-----w- c:\program files\Spybot - Search & Destroy

2010-06-22 19:09:30 0 d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy

2010-06-10 16:11:51 743424 -c----w- c:\windows\system32\dllcache\iedvtool.dll

==================== Find3M ====================

2010-05-06 10:41:53 916480 ----a-w- c:\windows\system32\wininet.dll

2010-05-02 05:22:50 1851264 ----a-w- c:\windows\system32\win32k.sys

2010-04-25 14:53:58 323624 ----a-w- c:\windows\system32\wiaaut.dll

2010-04-20 05:30:08 285696 ----a-w- c:\windows\system32\atmfd.dll

2010-04-13 12:59:42 98304 ----a-w- c:\windows\DUMP2da2.tmp

2010-04-10 19:13:22 98304 ----a-w- c:\windows\DUMP0db6.tmp

============= FINISH: 19:04:19.12 ===============

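As an added example (it is not part of this thread, nor of Malwarebytes, DDS or any other tool mentioned here), the Python helper below works through the point the Malwarebytes log above makes: smss.exe belongs in C:\WINDOWS\system32, so a copy running from C:\System Volume Information\ is a masquerade whatever label the scanner attaches to it. The expected-location table is a short illustrative assumption, not an exhaustive allow-list, and the sample log text is constructed from lines in the posted MBAM and DDS logs.

```python
"""Flag executables whose file name matches a core Windows binary but whose
directory is not where that binary legitimately lives (e.g. smss.exe under
System Volume Information).  Added example for this thread, not part of
Malwarebytes, DDS or any other tool mentioned in it."""
import re
from pathlib import PureWindowsPath

# Where a few core Windows XP binaries are expected to live (lower-case).
# Assumption: a short illustrative table, not an exhaustive allow-list.
EXPECTED_DIRS = {
    "smss.exe": {r"c:\windows\system32"},
    "svchost.exe": {r"c:\windows\system32"},
    "spoolsv.exe": {r"c:\windows\system32"},
    "ctfmon.exe": {r"c:\windows\system32"},
    "explorer.exe": {r"c:\windows"},
}

# Directories that should never be the home of a running executable
# (System Volume Information holds restore points, not programs).
SUSPICIOUS_DIR_MARKERS = ("system volume information",)

# A Windows path from a drive letter up to a binary-looking extension.
PATH_RE = re.compile(r"([a-z]:\\[^\r\n(]*?\.(?:exe|dll|sys|scr))\b", re.IGNORECASE)

# Constructed sample built from lines in the MBAM and DDS logs posted above.
SAMPLE_LOG = r"""
Memory Processes Infected:
C:\System Volume Information\Microsoft\smss.exe (Trojan.Cycler) -> Failed to unload process.
============== Running Processes ===============
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\boaz\Desktop\dds.scr
"""


def extract_paths(log_text):
    """Pull every drive-letter path with an executable extension out of a log."""
    return [m.group(1) for m in PATH_RE.finditer(log_text)]


def classify(path):
    """Return (verdict, reason) for one path; comparison is case-insensitive."""
    p = PureWindowsPath(path)
    name, parent = p.name.lower(), str(p.parent).lower()
    expected = EXPECTED_DIRS.get(name)
    if expected is not None and parent not in expected:
        return "masquerade", f"{name} expected in {sorted(expected)}, found in {parent}"
    if any(marker in parent for marker in SUSPICIOUS_DIR_MARKERS):
        return "suspicious_location", f"executable running from {parent}"
    if expected is not None:
        return "expected", "path matches the documented location"
    return "unknown", "no expectation recorded for this file name"


def triage(log_text):
    """Return [(path, verdict, reason)] for every path that needs a second look."""
    findings = []
    for path in extract_paths(log_text):
        verdict, reason = classify(path)
        if verdict in ("masquerade", "suspicious_location"):
            findings.append((path, verdict, reason))
    return findings


if __name__ == "__main__":
    for path, verdict, reason in triage(SAMPLE_LOG):
        print(f"{verdict:20} {path}\n    {reason}")
```

Run against the sample, only the smss.exe entry is reported; the legitimate svchost.exe, spoolsv.exe, Explorer.EXE and ctfmon.exe lines pass because their parent directory matches the table, and dds.scr is simply "unknown" because nothing is recorded for it. The "suspicious_location" branch catches anything else that executes out of System Volume Information even when its name is not in the table.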

Welcome to the forum

Download Bootkit remover to your desktop

This is a rar file; if you do not have a programme to open it, then download and install PeaZip.

Extract Remover.exe to your desktop

Right click Remover.exe and select Run as Administrator

It will show a Black screen with some data on it

Right click on the screen and select > Select All

Press Control+C

Open Notepad and press Control+V

Post the resultant log here please

MrC


Bootkit Remover version 1.0.0.1

© 2009 eSage Lab

www.esagelab.com

\\.\C: -> \\.\PhysicalDrive0

MD5: 33651d4929a84a7ab9d65c115ce1bdc0

Size Device Name MBR Status

--------------------------------------------

93 GB \\.\PhysicalDrive0 Unknown boot code

Unknown boot code has been found on some of your physical disks.

To inspect the boot code manually, dump the master boot sector:

remover.exe dump <device_name> [output_file]

To disinfect the master boot sector, use the following command:

remover.exe fix <device_name>

Press any key to quit...


OK, please do this:

  • Please download Random's System Information Tool by random/random from here and save it to your desktop.

Make sure that RSIT.exe is on your Desktop before running the application!

  • Double click on RSIT.exe to run RSIT.
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open:
    • log.txt will be opened maximized.
    • info.txt will be opened minimized.
  • Please post the contents of both log.txt and info.txt as a reply.

------------------------

Can you answer these questions also:

1. Does the computer have only one operating system?

2. Is it a brand name computer?

3. Does it have a recovery partition?

4. How many hard drives are in the computer?

------------------------------------

Thank you......MrC


Hi, thanks for your reply.

I already ran bootkit_remover to fix this problem, and I think it is OK now. Do you see another problem in my logs?

For your questions:

1. There is only one operating system.

2. Toshiba laptop.

3. I think not.

4. Just 1.


This is what I see in the remover window now:

Bootkit Remover version 1.0.0.1

© 2009 eSage Lab

www.esagelab.com

\\.\C: -> \\.\PhysicalDrive0

MD5: 6def5ffcbcdbdb4082f1015625e597bd

Size Device Name MBR Status

--------------------------------------------

93 GB \\.\PhysicalDrive0 OK (DOS/Win32 Boot code found)

Press any key to quit...

fonzy

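Added example, not from this thread and not from eSage Lab: a Python snippet that parses two Bootkit Remover console outputs (both quoted from the outputs posted in this thread, before and after the fix was run) and reports, per physical disk, whether the MBR status moved from "Unknown boot code" to "OK" and whether the reported MBR hash changed. The row and MD5 layouts parsed are exactly what the two posts show; treating the single MD5 line as the hash of the listed drive's boot sector is an assumption.

```python
"""Compare two Bootkit Remover runs by parsing the console output it prints.
Added example for this thread; the format parsed is the one shown in the
two posted outputs, nothing more is assumed about the tool."""
import re

# One row of the "Size  Device Name  MBR Status" table, e.g.
#   93 GB \\.\PhysicalDrive0 Unknown boot code
ROW_RE = re.compile(
    r"^\s*(?P<size>\d+\s*[KMGT]B)\s+(?P<device>\\\\\.\\PhysicalDrive\d+)\s+(?P<status>.+?)\s*$",
    re.MULTILINE,
)
# The tool prints one "MD5: <hex>" line per run.  Assumption: it is the hash
# of the boot sector of the drive listed on the "\\.\C: -> ..." line.
MD5_RE = re.compile(r"^MD5:\s*([0-9a-fA-F]{32})\s*$", re.MULTILINE)

# Quoted from the two Remover.exe outputs posted in the thread.
BEFORE_FIX = r"""
Bootkit Remover version 1.0.0.1
© 2009 eSage Lab
www.esagelab.com
\\.\C: -> \\.\PhysicalDrive0
MD5: 33651d4929a84a7ab9d65c115ce1bdc0
Size Device Name MBR Status
--------------------------------------------
93 GB \\.\PhysicalDrive0 Unknown boot code
Unknown boot code has been found on some of your physical disks.
"""
AFTER_FIX = r"""
Bootkit Remover version 1.0.0.1
© 2009 eSage Lab
www.esagelab.com
\\.\C: -> \\.\PhysicalDrive0
MD5: 6def5ffcbcdbdb4082f1015625e597bd
Size Device Name MBR Status
--------------------------------------------
93 GB \\.\PhysicalDrive0 OK (DOS/Win32 Boot code found)
"""


def parse_report(text):
    """Return {'md5': hex-or-None, 'disks': {device: status}} for one run."""
    md5 = MD5_RE.search(text)
    disks = {m.group("device"): m.group("status").strip() for m in ROW_RE.finditer(text)}
    return {"md5": md5.group(1).lower() if md5 else None, "disks": disks}


def status_is_clean(status):
    """Remover reports recognised boot code as 'OK (...)'; anything else needs a look."""
    return status is not None and status.startswith("OK")


def compare_runs(before_text, after_text):
    """Per device: status before/after, whether the MBR hash changed, and whether it is clean now."""
    before, after = parse_report(before_text), parse_report(after_text)
    report = {}
    for device in sorted(set(before["disks"]) | set(after["disks"])):
        b_status = before["disks"].get(device)
        a_status = after["disks"].get(device)
        report[device] = {
            "before": b_status,
            "after": a_status,
            "boot_code_changed": before["md5"] != after["md5"],
            "was_clean": status_is_clean(b_status),
            "clean_now": status_is_clean(a_status),
        }
    return report


if __name__ == "__main__":
    for device, result in compare_runs(BEFORE_FIX, AFTER_FIX).items():
        print(device, result)
```

For the two outputs in this thread the comparison shows PhysicalDrive0 going from "Unknown boot code" to "OK (DOS/Win32 Boot code found)" with a different MBR hash, which is what a successful rewrite of the boot sector looks like. A disk whose status changes while the hash stays the same, or vice versa, would be the case to investigate before calling the machine clean.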

It looks OK, but I would like you to run ComboFix:

--------------------

Download ComboFix from one of these locations:

Link 1

Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Note: If you are having difficulty properly disabling your protective programs, or are unsure as to what programs need to be disabled, please refer to the information available through this link : Protective Programs
  • Double click on ComboFix.exe & follow the prompts.
    Notes: Combofix will run without the Recovery Console installed. Skip the Recovery Console part if you're running Vista or Windows 7.
    Note: If you have SP3, use the SP2 package.
    If Vista or Windows 7, skip the Recovery Console part
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

RC1.png

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

RC2-1.png

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt using Copy / Paste in your next reply.

Notes:

1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.

2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.

3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please let me know.

4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

5. Give it at least 20-30 minutes to finish if needed.

MrC


OK looks good.

Uninstall ComboFix:

Go to Start > Run and copy and paste the next command in the field:

ComboFix /uninstall

Make sure there's a space between Combofix and /

Then hit enter.

This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.

----------------------------------

It's very important to delete all your system restore points and create a new one.

You can find info on that in My Preventive Maintenance.

------------------------------------

Take a look at My Preventive Maintenance to avoid being infected again.

Good Luck and Thanks for using the forum, MrC
