
Infected good (Virut)

The one thing I can see by trying to fix my problem is that I am not alone. I have been working for 2 days to get my computer back and I seem to make some progress but it is still not fixed or close to. I have run a number of spy programs including Malwarebytes, which took me a day to get running, SUPERAntiSpyware, VundoFix, CCleaner, Dr.Web CureIt, CWShredder, and Ad-Aware 6.0. Many of them found things and were said to have removed them but I still have hijacking going on. I have checked the hosts file and changed and saved it many times but something continues to change it. I have tried to run Spybot but the attack seems to have not allowed the exe file to show and I can not get it to run although it looks to have installed everything else. I would truly appreciate someone that could help me.

Comments

  • edited May 2009
    Here is the log from hijackthis

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 12:49:19 AM, on 5/17/2009
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v8.00 (8.00.6001.18702)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\Program Files\Cisco\CSAgent\bin\CSAControl.exe
    C:\Program Files\Cisco\CSAgent\bin\leventmgr.exe
    C:\Program Files\Windows Defender\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
    C:\Program Files\iolo\common\lib\ioloServiceManager.exe
    C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\NAgent\NSCAGENT.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\CCM\CLICOMP\RemCtrl\Wuser32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Windows Defender\MSASCui.exe
    C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
    C:\Program Files\Lexmark X6100 Series\lxbfbmgr.exe
    C:\Program Files\Logitech\iTouch\iTouch.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\Program Files\Analog Devices\Core\smax4pnp.exe
    C:\Program Files\Lexmark X6100 Series\lxbfbmon.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\SUPERAntiSpyware\dc60d688-ff6c-453b-a53d-815ecfdf4ff4.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\Program Files\Audible\Bin\AudibleDownloadHelper.exe
    C:\Program Files\Cisco\CSAgent\bin\okclient.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\wtukd32.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\sopidkc.exe
    C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
    C:\WINDOWS\system32\dncyool64.sys
    C:\Documents and Settings\abecker\Desktop\HiJackThis.exe
    C:\WINDOWS\System32\svchost.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    O2 - BHO: (no name) - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - (no file)
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6f74-2d53-2644-206d7942484f} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
    O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
    O4 - HKLM\..\Run: [Lexmark X6100 Series] "C:\Program Files\Lexmark X6100 Series\lxbfbmgr.exe"
    O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\dc60d688-ff6c-453b-a53d-815ecfdf4ff4.exe
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Audible Download Manager.lnk = C:\Program Files\Audible\Bin\AudibleDownloadHelper.exe
    O4 - Global Startup: Cisco Security Agent.lnk = C:\Program Files\Cisco\CSAgent\bin\okclient.exe
    O8 - Extra context menu item: &windows live search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
    O8 - Extra context menu item: add to windows &live favorites - http://favorites.live.com/quickadd.aspx
    O8 - Extra context menu item: e&xport to microsoft excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\shdocvw.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\shdocvw.dll
    O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
    O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O9 - Extra button: (no name) - {dfb852a3-47f8-48c4-a200-58cab36fd2a2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {dfb852a3-47f8-48c4-a200-58cab36fd2a2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {01a88bb1-1174-41ec-accb-963509eae56b} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
    O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (Citrix ICA Client) - https://citrixweb.mosescone.com/CitrixSessionInit/ICAWEB/icaweb.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1093275714432
    O16 - DPF: {7E0FDFBB-87D4-43A1-9AD4-41F0EA8AFF7B} (Net6Launcher Class) - https://csa.mosescone.com/net6helper.cab
    O16 - DPF: {C1FDEE68-98D5-4F42-A4DD-D0BECF5077EB} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/eBay_Enhanced_Picture_Control_v1-0-27-0.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - http://fpdownload2.macromedia.com/get/flashplayer/current/swflash.cab
    O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://lohmueller.webex.com/client/T25L/webex/ieatgpc.cab
    O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
    O20 - AppInit_DLLs: csauser.dll,c:\progra~1\ThunMail\testabd.dll
    O20 - Winlogon Notify: !saswinlogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O23 - Service: BITS - Unknown owner - Cf\WINDOWS\TEMP\VRT12.tmp (file missing)
    O23 - Service: Cisco Security Agent (CSAgent) - Cisco Systems, Inc. - C:\Program Files\Cisco\CSAgent\bin\CSAControl.exe
    O23 - Service: Intuit Update Service (intuitupdateservice) - Intuit Inc. - C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
    O23 - Service: iolo FileInfoList Service (iolofileinfolist) - Unknown owner - C:\Program Files\iolo\common\lib\ioloServiceManager.exe
    O23 - Service: iolo System Service (iolosystemservice) - Unknown owner - C:\Program Files\iolo\common\lib\ioloServiceManager.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: LexBce Server (lexbces) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: McAfee Framework Service (mcafeeframework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
    O23 - Service: Norton System Agent (NSDUAgent) - Unknown owner - C:\NAgent\NSCAGENT.EXE
    O23 - Service: Active Directory Migration Agent (OnePointDomainAdminService) - Dell Computer Corporation - (no file)
    O23 - Service: sopidkc Service (sopidkc) - Unknown owner - C:\WINDOWS\system32\sopidkc.exe
    O23 - Service: Automatic Updates (wuauserv) - Unknown owner - C:\WINDOWS\

    --
    End of file - 9324 bytes
  • edited May 2009
    Please note that all instructions given are customised for this computer only,
    the tools used may cause damage if used on a computer with different infections.

    If you think you have similar problems, please post a log in the HJT forum and wait for help.


    Hello and welcome to the forums

    My name is Katana and I will be helping you to remove any infection(s) that you may have.

    Please observe these rules while we work:
    1. Please Read All Instructions Carefully
    2. If you don't understand something, stop and ask! Don't keep going on.
    3. Please do not run any other tools or scans whilst I am helping you
    4. Failure to reply within 5 days will result in the topic being closed.
    5. Please continue to respond until I give you the "All Clear"
      (Just because you can't see a problem doesn't mean it isn't there)

    If you can do those few things, everything should go smoothly

    Please Note, your security programs may give warnings for some of the tools I will ask you to use.
    Be assured, any links I give are safe



    Fix With HJT

    Close all other windows and then start HiJack This
    Click Do A System Scan Only
    When it has finished scanning put a check next to the following lines IF still present
    O2 - BHO: (no name) - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - (no file)

    O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\dc60d688-ff6c-453b-a53d-815ecfdf4ff4.exe
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

    O23 - Service: BITS - Unknown owner - Cf\WINDOWS\TEMP\VRT12.tmp (file missing)

    O23 - Service: sopidkc Service (sopidkc) - Unknown owner - C:\WINDOWS\system32\sopidkc.exe
    - Close ALL open windows (especially Internet Explorer!)-
    Now click Fix checked
    Click yes to any prompts
    Close HijackThis




    Download and Run ComboFix (by sUBs)
    Please visit this webpage for instructions for downloading and running ComboFix:

    Bleeping Computer ComboFix Tutorial

    • You must download it to and run it from your Desktop
    • Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
    • Double click combofix.exe & follow the prompts.
    • When finished, it will produce a log. Please save that log to post in your next reply
    • Re-enable all the programs that were disabled during the running of ComboFix.



    A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own.
    This tool is not a toy and not for everyday use.
    ComboFix SHOULD NOT be used unless requested by a forum helper






    Installed Programs

    Please could you give me a list of the programs that are installed.
    • Start HijackThis
    • Click on the Misc Tools button
    • Click on the Open Uninstall Manager button.

    You will see a list with the programs installed in your computer.
    Click on save list button and specify where you would like to save this file.
    When you press Save button a notepad will open with the contents of that file.
    Simply copy and paste the contents of that notepad into your next post.
  • edited May 2009
    Katana wrote:
    Please note that all instructions given are customised for this computer only,
    the tools used may cause damage if used on a computer with different infections.

    If you think you have similar problems, please post a log in the HJT forum and wait for help.


    Hello and welcome to the forums

    My name is Katana and I will be helping you to remove any infection(s) that you may have.

    Please observe these rules while we work:
    1. Please Read All Instructions Carefully
    2. If you don't understand something, stop and ask! Don't keep going on.
    3. Please do not run any other tools or scans whilst I am helping you
    4. Failure to reply within 5 days will result in the topic being closed.
    5. Please continue to respond until I give you the "All Clear"
      (Just because you can't see a problem doesn't mean it isn't there)

    If you can do those few things, everything should go smoothly

    Please Note, your security programs may give warnings for some of the tools I will ask you to use.
    Be assured, any links I give are safe



    Fix With HJT

    Close all other windows and then start HiJack This
    Click Do A System Scan Only
    When it has finished scanning put a check next to the following lines IF still present

    - Close ALL open windows (especially Internet Explorer!)-
    Now click Fix checked
    Click yes to any prompts
    Close HijackThis




    Download and Run ComboFix (by sUBs)
    Please visit this webpage for instructions for downloading and running ComboFix:

    Bleeping Computer ComboFix Tutorial

    • You must download it to and run it from your Desktop
    • Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
    • Double click combofix.exe & follow the prompts.
    • When finished, it will produce a log. Please save that log to post in your next reply
    • Re-enable all the programs that were disabled during the running of ComboFix.



    A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own.
    This tool is not a toy and not for everyday use.
    ComboFix SHOULD NOT be used unless requested by a forum helper






    Installed Programs

    Please could you give me a list of the programs that are installed.
    • Start HijackThis
    • Click on the Misc Tools button
    • Click on the Open Uninstall Manager button.

    You will see a list with the programs installed in your computer.
    Click on save list button and specify where you would like to save this file.
    When you press Save button a notepad will open with the contents of that file.
    Simply copy and paste the contents of that notepad into your next post.
  • edited May 2009
    I got as far as trying to run ComboFix. I downloaded it from 2 different locations and I am getting an error window popping up every time telling me:

    !!ALEART!! It is not SATE to continue!

    The contents of the Combofix package has been compromised.
    Please download a fresh copy from:

    http://www.bleepingcomputer.com/combofix/how-to-use-combofix

    Note: You may be infected with a file patching virus (Virut)

    It does not allow me to continue after that.
  • edited May 2009
    Here is the log from the uninstall list.

    2007 Microsoft Office Suite Service Pack 1 (SP1)
    2007 Microsoft Office Suite Service Pack 1 (SP1)
    2007 Microsoft Office Suite Service Pack 1 (SP1)
    2007 Microsoft Office Suite Service Pack 1 (SP1)
    2007 Microsoft Office Suite Service Pack 1 (SP1)
    2007 Microsoft Office Suite Service Pack 1 (SP1)
    2007 Microsoft Office Suite Service Pack 1 (SP1)
    2007 Microsoft Office Suite Service Pack 1 (SP1)
    2007 Microsoft Office Suite Service Pack 1 (SP1)
    2007 Microsoft Office Suite Service Pack 1 (SP1)
    2007 Microsoft Office Suite Service Pack 1 (SP1)
    2007 Microsoft Office Suite Service Pack 1 (SP1)
    2007 Microsoft Office Suite Service Pack 1 (SP1)
    2007 Microsoft Office Suite Service Pack 1 (SP1)
    2007 Microsoft Office Suite Service Pack 1 (SP1)
    2007 Microsoft Office Suite Service Pack 1 (SP1)
    2007 Microsoft Office Suite Service Pack 1 (SP1)
    ABBYY FineReader 5.0 Sprint Plus
    Ad-aware 6 Personal
    Adobe Acrobat 5.0
    Adobe Acrobat and Reader 8.1.2 Security Update 1 (KB403742)
    Adobe Photoshop 7.0.1
    Adobe Reader 8.1.2
    Adobe Shockwave Player 11
    AnswerWorks 5.0 English Runtime
    Apple Mobile Device Support
    Apple Software Update
    Audible Download Manager
    Bonjour
    Broadcom Management Programs
    CallWave
    CCleaner (remove only)
    Cisco Security Agent
    Citrix Presentation Server Web Client for Win32
    Citrix Secure Access Client
    Compatibility Pack for the 2007 Office system
    Conexant SmartHSFi V92 56K DF PCI Modem
    Crash Analysis Tool
    CustomDSIContactControl
    DAO
    Dell Digital Jukebox Driver
    Dell Picture Studio - Dell Image Expert
    Dell Support
    Digital Line Detect
    DS21Patch
    DVDSentry
    Form Fill (Windows Live Toolbar)
    FranklinCovey WorkCompass
    Google Toolbar for Internet Explorer
    HijackThis 2.0.2
    Hotfix for Windows Internet Explorer 7 (KB947864)
    Hotfix for Windows XP (KB952287)
    Intel(R) Extreme Graphics Driver
    iolo technologies' System Mechanic
    iTunes
    Java 2 Runtime Environment Standard Edition v1.3.1_08
    Java 2 Runtime Environment, SE v1.4.2
    Java 2 Runtime Environment, SE v1.4.2_03
    Learn2 Player (Uninstall Only)
    Lexmark X6100 Series
    LiveUpdate 1.7 (Symantec Corporation)
    Logitech iTouch Software
    MagicDisc 2.7.106
    Malwarebytes' Anti-Malware
    Map Button (Windows Live Toolbar)
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 1.1 Hotfix (KB928366)
    Microsoft .NET Framework 2.0 Service Pack 1
    Microsoft Data Access Components KB870669
    Microsoft Encarta Encyclopedia Standard 2004
    Microsoft Office Access MUI (English) 2007
    Microsoft Office Access Setup Metadata MUI (English) 2007
    Microsoft Office Enterprise 2007
    Microsoft Office Enterprise 2007
    Microsoft Office Excel MUI (English) 2007
    Microsoft Office Groove MUI (English) 2007
    Microsoft Office Groove Setup Metadata MUI (English) 2007
    Microsoft Office InfoPath MUI (English) 2007
    Microsoft Office Live Meeting 2005
    Microsoft Office OneNote MUI (English) 2007
    Microsoft Office Outlook MUI (English) 2007
    Microsoft Office PowerPoint MUI (English) 2007
    Microsoft Office Proof (English) 2007
    Microsoft Office Proof (French) 2007
    Microsoft Office Proof (Spanish) 2007
    Microsoft Office Proofing (English) 2007
    Microsoft Office Publisher MUI (English) 2007
    Microsoft Office Shared MUI (English) 2007
    Microsoft Office Shared Setup Metadata MUI (English) 2007
    Microsoft Office Word MUI (English) 2007
    Microsoft Silverlight
    Modem Helper
    Mozilla Firefox (2.0.0.20)
    MSN Messenger 7.0
    MSXML 4.0 SP2 (KB927978)
    MSXML 4.0 SP2 (KB936181)
    MSXML 4.0 SP2 (KB954430)
    OneCare Advisor (Windows Live Toolbar)
    Paint Shop Pro 7
    PC Transact It
    Pdf995
    Popup Blocker (Windows Live Toolbar)
    PowerDVD
    Previous Versions Client
    Print to Fax
    QuickTime
    RealPlayer
    RegCure 1.5.2.7
    Security Update for 2007 Microsoft Office System (KB951550)
    Security Update for 2007 Microsoft Office System (KB951944)
    Security Update for 2007 Microsoft Office System (KB958439)
    Security Update for 2007 Microsoft Office System (KB960003)
    Security Update for Excel 2007 (KB946974)
    Security Update for Microsoft Office Excel 2007 (KB958437)
    Security Update for Microsoft Office Excel 2007 (KB959997)
    Security Update for Microsoft Office OneNote 2007 (KB950130)
    Security Update for Microsoft Office PowerPoint 2007 (KB951338)
    Security Update for Microsoft Office PowerPoint 2007 (KB957789)
    Security Update for Microsoft Office Publisher 2007 (KB950114)
    Security Update for Microsoft Office system 2007 (KB951808)
    Security Update for Microsoft Office system 2007 (KB954326)
    Security Update for Microsoft Office system 2007 (KB956828)
    Security Update for Microsoft Office Word 2007 (KB950113)
    Security Update for Microsoft Office Word 2007 (KB956358)
    Security Update for Office 2007 (KB947801)
    Security Update for Windows Internet Explorer 7 (KB928090)
    Security Update for Windows Internet Explorer 7 (KB929969)
    Security Update for Windows Internet Explorer 7 (KB931768)
    Security Update for Windows Internet Explorer 7 (KB933566)
    Security Update for Windows Internet Explorer 7 (KB937143)
    Security Update for Windows Internet Explorer 7 (KB938127)
    Security Update for Windows Internet Explorer 7 (KB939653)
    Security Update for Windows Internet Explorer 7 (KB942615)
    Security Update for Windows Internet Explorer 7 (KB944533)
    Security Update for Windows Internet Explorer 7 (KB950759)
    Security Update for Windows Internet Explorer 7 (KB961260)
    Security Update for Windows Media Player (KB952069)
    Security Update for Windows XP (KB923561)
    Security Update for Windows XP (KB938464-v2)
    Security Update for Windows XP (KB946648)
    Security Update for Windows XP (KB950974)
    Security Update for Windows XP (KB951066)
    Security Update for Windows XP (KB952004)
    Security Update for Windows XP (KB952954)
    Security Update for Windows XP (KB954600)
    Security Update for Windows XP (KB955069)
    Security Update for Windows XP (KB956802)
    Security Update for Windows XP (KB956803)
    Security Update for Windows XP (KB956841)
    Security Update for Windows XP (KB957097)
    Security Update for Windows XP (KB958644)
    Security Update for Windows XP (KB958687)
    Security Update for Windows XP (KB958690)
    Security Update for Windows XP (KB959426)
    Security Update for Windows XP (KB960225)
    Security Update for Windows XP (KB960715)
    Security Update for Windows XP (KB960803)
    Security Update for Windows XP (KB961373)
    Shipping Assistant 3.6
    Shockwave
    Smart Menus (Windows Live Toolbar)
    SoundMAX
    Spybot - Search & Destroy
    SUPERAntiSpyware Free Edition
    TurboTax 2008
    TurboTax 2008 WinPerFedFormset
    TurboTax 2008 WinPerProgramHelp
    TurboTax 2008 WinPerReleaseEngine
    TurboTax 2008 WinPerTaxSupport
    TurboTax 2008 WinPerUserEducation
    TurboTax 2008 wnciper
    TurboTax 2008 wrapper
    Update for 2007 Microsoft Office System (KB967642)
    Update for Microsoft Office Outlook 2007 (KB952142)
    Update for Office 2007 (KB946691)
    Update for Outlook 2007 Junk Email Filter (kb953463)
    Update for Outlook 2007 Junk Email Filter (kb962871)
    Update for Outlook 2007 Junk Email Filter (kb968503)
    Update for Windows Internet Explorer 8 (KB968220)
    Update for Windows XP (KB955839)
    Update for Windows XP (KB967715)
    ViewMail for Outlook
    Viewpoint Media Player
    ViewSonic Windows XP Signed Files
    WebEx
    Windows Defender
    Windows Defender Signatures
    Windows Genuine Advantage v1.3.0254.0
    Windows Internet Explorer 8
    Windows Live Favorites for Windows Live Toolbar
    Windows Live installer
    Windows Live Outlook Toolbar (Windows Live Toolbar)
    Windows Live Toolbar
    Windows Live Toolbar
    Windows Live Toolbar Extension (Windows Live Toolbar)
    Windows Live Toolbar Feed Detector (Windows Live Toolbar)
  • edited May 2009
    I also would like to let you know that the hosts file continues to get hijacked and changed. I know you did not ask for it but I thought I would run and attach the log to show how it looks after I did as you asked.

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 6:57:03 PM, on 5/18/2009
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v8.00 (8.00.6001.18702)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Cisco\CSAgent\bin\CSAControl.exe
    C:\Program Files\Cisco\CSAgent\bin\leventmgr.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\3361\SVCHOST.exe
    C:\Program Files\Windows Defender\MsMpEng.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\dhcp\svchost.exe
    C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
    C:\Program Files\iolo\common\lib\ioloServiceManager.exe
    C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\WINDOWS\system32\svchost.exe
    C:\NAgent\NSCAGENT.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\CCM\CLICOMP\RemCtrl\Wuser32.exe
    C:\Program Files\Windows Defender\MSASCui.exe
    C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
    C:\Program Files\Lexmark X6100 Series\lxbfbmgr.exe
    C:\Program Files\Lexmark X6100 Series\lxbfbmon.exe
    C:\Program Files\Logitech\iTouch\iTouch.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\Program Files\Analog Devices\Core\smax4pnp.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\WINDOWS\System32\reader_s.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\services.exe
    C:\WINDOWS\system32\cmd.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Documents and Settings\abecker\reader_s.exe
    C:\WINDOWS\services.exe
    C:\WINDOWS\system32\cmd.exe
    C:\Program Files\Audible\Bin\AudibleDownloadHelper.exe
    C:\Program Files\Cisco\CSAgent\bin\okclient.exe
    C:\WINDOWS\services.exe
    C:\WINDOWS\system32\cmd.exe
    C:\WINDOWS\services.exe
    C:\WINDOWS\system32\cmd.exe
    C:\WINDOWS\services.exe
    C:\WINDOWS\system32\cmd.exe
    C:\WINDOWS\services.exe
    C:\Documents and Settings\abecker\Desktop\HiJackThis.exe

    O1 - Hosts: 63.119.44.197 www.buyaphrodisiac.com
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6f74-2d53-2644-206d7942484f} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
    O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
    O4 - HKLM\..\Run: [Lexmark X6100 Series] "C:\Program Files\Lexmark X6100 Series\lxbfbmgr.exe"
    O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [reader_s] C:\WINDOWS\System32\reader_s.exe
    O4 - HKLM\..\Run: [services] C:\WINDOWS\services.exe
    O4 - HKLM\..\Run: [svchost.exe] "C:\WINDOWS\system32\3361\SVCHOST.exe"
    O4 - HKLM\..\RunOnce: [svchost.exe] "C:\WINDOWS\system32\3361\SVCHOST.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [reader_s] C:\Documents and Settings\abecker\reader_s.exe
    O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
    O4 - HKUS\.DEFAULT\..\Run: [svc] c:\program Files\ThunMail\testabd.exe (User 'Default user')
    O4 - HKUS\.DEFAULT\..\Run: [reader_s] C:\Documents and Settings\abecker\reader_s.exe (User 'Default user')
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Audible Download Manager.lnk = C:\Program Files\Audible\Bin\AudibleDownloadHelper.exe
    O4 - Global Startup: Cisco Security Agent.lnk = C:\Program Files\Cisco\CSAgent\bin\okclient.exe
    O8 - Extra context menu item: &windows live search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
    O8 - Extra context menu item: add to windows &live favorites - http://favorites.live.com/quickadd.aspx
    O8 - Extra context menu item: e&xport to microsoft excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\shdocvw.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\shdocvw.dll
    O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
    O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O9 - Extra button: (no name) - {dfb852a3-47f8-48c4-a200-58cab36fd2a2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {dfb852a3-47f8-48c4-a200-58cab36fd2a2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {01a88bb1-1174-41ec-accb-963509eae56b} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
    O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (Citrix ICA Client) - https://citrixweb.mosescone.com/CitrixSessionInit/ICAWEB/icaweb.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1093275714432
    O16 - DPF: {7E0FDFBB-87D4-43A1-9AD4-41F0EA8AFF7B} (Net6Launcher Class) - https://csa.mosescone.com/net6helper.cab
    O16 - DPF: {C1FDEE68-98D5-4F42-A4DD-D0BECF5077EB} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/eBay_Enhanced_Picture_Control_v1-0-27-0.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - http://fpdownload2.macromedia.com/get/flashplayer/current/swflash.cab
    O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://lohmueller.webex.com/client/T25L/webex/ieatgpc.cab
    O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
    O20 - Winlogon Notify: !saswinlogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O23 - Service: BITS - Unknown owner - Cf\WINDOWS\TEMP\VRT12.tmp (file missing)
    O23 - Service: Cisco Security Agent (CSAgent) - Cisco Systems, Inc. - C:\Program Files\Cisco\CSAgent\bin\CSAControl.exe
    O23 - Service: Dhcp server (dhcpsrv) - Unknown owner - C:\WINDOWS\dhcp\svchost.exe
    O23 - Service: Intuit Update Service (intuitupdateservice) - Intuit Inc. - C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
    O23 - Service: iolo FileInfoList Service (iolofileinfolist) - Unknown owner - C:\Program Files\iolo\common\lib\ioloServiceManager.exe
    O23 - Service: iolo System Service (iolosystemservice) - Unknown owner - C:\Program Files\iolo\common\lib\ioloServiceManager.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: LexBce Server (lexbces) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: McAfee Framework Service (mcafeeframework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
    O23 - Service: Norton System Agent (NSDUAgent) - Unknown owner - C:\NAgent\NSCAGENT.EXE
    O23 - Service: Active Directory Migration Agent (OnePointDomainAdminService) - Dell Computer Corporation - (no file)
    O23 - Service: sopidkc Service (sopidkc) - Unknown owner - C:\WINDOWS\system32\sopidkc.exe (file missing)
    O23 - Service: Automatic Updates (wuauserv) - Unknown owner - C:\WINDOWS\

    --
    End of file - 9116 bytes
  • edited May 2009
    I'm afraid I have very bad news :(

    This machine needs to be formatted.

    This system is infected with a polymorphic file infector called Virut. Virut is capable of infecting all the machine's executable files (.exe) and screensaver files (.scr). However, the problem is that the virus has a number of bugs in its code, and as a result, it may misinfect a proportion of executable files and therefore, the files are corrupted beyond repair. As of now, security experts suggest that a format and clean install, or destructive recovery if you have an OEM recovery partition, is the best way to clean the infection and it is the best and safest way to return the machine to its normal working state.

    Back up all your documents and important items (personal data, work documents, etc.) only. DO NOT back up any executable files (software) or screensavers (*.scr). It attempts to infect any accessed .exe or .scr files by appending itself to the executable.

    Also, avoid backing up compressed files (zip/cab/rar) that have .exe or .scr files inside them. Virut can penetrate and infect .exe files inside compressed files too.

    Recent variants also modify htm, html, asp and php files.

    Do not back up to another machine, as it may become compromised. Burn to DVD/CD, or to an external drive which has nothing else on it, and which you can format should it happen to become infected from the backups.

    See miekiemoes' blog for similar comments here:
    http://miekiemoes.blogspot.com/2009/02/virut-and-other-file-infectors-throwing.html
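The backup rules in the reply above (copy data only, never .exe or .scr, skip archives that contain them, treat htm/html/asp/php as suspect) can be turned into a dry-run file list before anything is copied to clean media. The script below is an added illustration written for this thread, not code from the helper or from any tool named here; it assumes Python 3, inspects only zip archives (cab and rar would need third-party readers), and builds its own constructed sample tree in a temp directory so it runs offline.

```python
import os
import zipfile
import tempfile

# Extensions the reply says Virut infects directly: never copy these.
INFECTABLE = {".exe", ".scr"}
# Archive types that may hide infectable files. The reply names zip/cab/rar;
# only zip is inspected here because the standard library can read it (assumption).
ARCHIVES = {".zip"}
# Web files the reply says recent variants modify: copy only after review.
REVIEW = {".htm", ".html", ".asp", ".php"}


def classify(path):
    """Return ('copy' | 'review' | 'skip', reason) for one file on disk."""
    ext = os.path.splitext(path)[1].lower()
    if ext in INFECTABLE:
        return "skip", "executable or screensaver"
    if ext in REVIEW:
        return "review", "web file a recent variant may modify"
    if ext in ARCHIVES:
        try:
            with zipfile.ZipFile(path) as zf:
                bad = [n for n in zf.namelist()
                       if os.path.splitext(n)[1].lower() in INFECTABLE]
        except zipfile.BadZipFile:
            return "skip", "unreadable archive"
        if bad:
            return "skip", "archive contains " + ", ".join(bad)
        return "copy", "archive without executables"
    return "copy", "data file"


def plan_backup(root):
    """Walk root and return {'copy': [...], 'review': [...], 'skip': [...]}
    with sorted, forward-slash relative paths so the result is stable."""
    plan = {"copy": [], "review": [], "skip": []}
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            decision, _reason = classify(full)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            plan[decision].append(rel)
    for key in plan:
        plan[key].sort()
    return plan


def build_sample_tree():
    """Constructed sample tree (not from the thread) used for the dry run."""
    root = tempfile.mkdtemp(prefix="virut_backup_demo_")
    os.makedirs(os.path.join(root, "docs"))
    with open(os.path.join(root, "docs", "report.doc"), "wb") as f:
        f.write(b"not a real document")
    with open(os.path.join(root, "setup.exe"), "wb") as f:
        f.write(b"MZ")                      # placeholder, not a real binary
    with open(os.path.join(root, "index.html"), "w") as f:
        f.write("<html></html>")
    with zipfile.ZipFile(os.path.join(root, "tools.zip"), "w") as zf:
        zf.writestr("helper.exe", "MZ")     # archive hiding an executable
        zf.writestr("readme.txt", "text")
    with zipfile.ZipFile(os.path.join(root, "photos.zip"), "w") as zf:
        zf.writestr("cat.jpg", "jpeg bytes")
    return root


if __name__ == "__main__":
    demo_root = build_sample_tree()
    for decision, files in plan_backup(demo_root).items():
        print(decision, files)
```

Run it against the real data directories instead of the sample tree and copy only the "copy" list to a freshly formatted external drive or optical media; anything in "review" gets looked at by hand, and the "skip" list is what gets rebuilt from clean installers after the format.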