HELP! W32/Virut.gen and W32/Cholera
My pc is getting out of control. Please help. Here's the log:
It's very urgent. Please prioritize. Thanks.
Logfile of HijackThis v1.99.1
Scan saved at 1:11:13 AM, on 12/6/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\Program Files\McAfee.com\VSO\mcvsshld.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\PROGRA~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\update.exe
c:\program files\mcafee.com\vso\mcmnhdlr.exe
c:\program files\mcafee.com\shared\mghtml.exe
C:\Documents and Settings\End User\Desktop\hijackthis\HijackThis.exe
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
F2 - REG:system.ini: UserInit=userinit.exe,C:\WINDOWS\system\svchost.exe
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [EPSON Stylus C59 Series (Copy 1)] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIBHP.EXE /FU "C:\WINDOWS\TEMP\E_SB3.tmp" /EF "HKLM"
O4 - HKLM\..\Run: [EPSON Stylus C45 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3T1.EXE /P23 "EPSON Stylus C45 Series" /O6 "USB004" /M "Stylus C45"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [EPSON Stylus Photo R230 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAIP.EXE /P30 "EPSON Stylus Photo R230 Series" /O6 "USB007" /M "Stylus Photo R230"
O4 - HKLM\..\Run: [EPSON Stylus Photo R230 Series (Copy 1)] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAIP.EXE /P39 "EPSON Stylus Photo R230 Series (Copy 1)" /O6 "USB008" /M "Stylus Photo R230"
O4 - HKLM\..\Run: [EPSON Stylus Photo R230 Series (Copy 2)] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAIP.EXE /P39 "EPSON Stylus Photo R230 Series (Copy 2)" /O6 "USB009" /M "Stylus Photo R230"
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [uTorrent] "C:\Program Files\uTorrent\uTorrent.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/mcgdmgr/1,0,0,26/mcgdmgr.cab
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
It's very urgent. Please prioritize. Thanks.
0
Comments
My name is Scotty. I would be glad to take a look at your log and help you with solving any malware problems. HijackThis logs can take a while to research.
Please be patient as my posts to you have to be checked before I reply, so they make take longer.
Please make a uninstall list using HijackThis
To access the Uninstall Manager you would do the following:
1. Start HijackThis
2. Click on the Config button
3. Click on the Misc Tools button
4. Click on the Open Uninstall Manager button.
5. Click on the Save list... button and specify where you would like to save this file. When you press Save button a notepad will open with the contents of that file. Simply copy and paste the contents of that notepad here in a reply.
Please do an online scan with Kaspersky Online Scanner. You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
- The program will launch and then start to download the latest definition files.
- Once the scanner is installed and the definitions downloaded, click Next.
- Now click on Scan Settings
- In the scan settings make sure that the following are selected:
- Scan using the following Anti-Virus database:
- Scan Options:
- Click OK
- Now under select a target to scan select C:\Windows
- The scan will take a while so be patient and let it run. Once the scan is complete it will display if your system has been infected.
- Now click on the Save as Text button
- Save the file to your desktop.
- Copy and paste that information in your next post.
With the exception of Internet Explorer, which is needed for the Kaspersky Scan, keep ALL programs closed until the scan is complete.+ Extended(If available otherwise Standard)
+ Scan Archives
+ Scan Mail Bases
You are operating your computer with multiple Anti Virus programs running in memory at once:
McAfee & AntiVir
Anti-virus programs take up an enormous amount of your computer's resources when they are actively scanning your computer. Having two anti-virus programs running at the same time can cause your computer to run very slow, become unstable and even, in rare cases, crash.
If you choose to install more than one antivirus program on your computer, then only one of them should be active in memory at a time.
There are basically two types of these programs:
On-Access and On-Demand
On-Access Scanners
As the name implies, it runs in the background all the time the PC is turned on and running. The main function of an on-access scanner is to monitor activity on your machine.
On-Demand Scanners
As the name implies, are scanners that only run when you ask them to.
Such as:
Online Scans and scanners that run on your machine but are not actively scanning your machine.
Please disable one or the other so they do not conflict then post a new HijackThis log to show this has been done.
Download and Save ComboFix
- Download this file from below:
- Save it to your Desktop.
- Disconnect from the Internet, than disable your anti-virus and any real-time anti-spyware monitors that are running.
- Click Start>Run copy/paste or type "%userprofile%\desktop\combofix.exe" /killall into the Run box and click OK.
- When finished, it shall produce a log for you. Post that log in your next reply with a new HijackThis log.
Note 1: Do not mouseclick combofix's window whilst it's running. That may cause it to stallHere
or
Here
Note 2:Remember to re-enable your anti-virus and anti-spyware before reconnecting to the Internet.
Combofix should never take more that 20 minutes including the reboot if malware is detected.
If it does, open Task-Manager use the Processes tab (press ctrl alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.
In your next reply post:
ComboFix.txt
New HijackThis log taken after the above scan has run
Hijack This log:
When replying, please just copy and paste the logs, and dont use the quote boxes.:smiles:
Step 1:
Go to http://www.virustotal.com/en/indexf.html
Copy the following line into the white textbox:
C:\IvanTsang.psd
Click Send.
Please post the results of this scan to this thread.
Do the same for the following:
C:\diret model.psd
C:\WINDOWS\CDER230.ini
C:\z31.psd
Step 2:
Download Flash_Disinfector from here and save it to your desktop.
Doubleclick on Flash_Disinfector.exe to run it and follow the prompts.
Wait until it has finished scanning and then exit the program.
The utility may ask you to insert your flash drive and/or other removable drives. This may include your mobile phone.
Please do so and allow the utility to clean up those drives as well.
Step 3:
Remember to disconnect from the Internet and disable your anti-virus before carrying out the next instruction, and to reenable the anti-virus before reconnecting to the Internet
Open Notepad - it must be Notepad, not Wordpad.
Copy the text below in the code box by highlighting all the text with your mouse and pressing Ctrl+C
File:: C:\WINDOWS\system32\unpr.sys F:\smss.exe Registry:: [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2cdb9298-96f4-11dc-a8e4-0050fcf01b80}] [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{46cf1bf3-a3d8-11dc-a8f8-0050fcf01b80}] Driver:: UNPRGo to the Notepad window and click Edit > Paste
Then click File > Save
Name the file "CFScript.txt" (including the quotes)
Save the file to your Desktop
Refering to the picture above, drag CFScript into ComboFix.exe
Combofix should never take more that 20 minutes including the reboot if malware is detected.
If it does, open Task-Manager use the Processes tab (press ctrl alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.
In your next reply post:
Virustotal results
ComboFix.txt
New HJT log taken after the above scan has run