
winlogon.exe seems infected by something

#1
Old 31-08-2007, 08:35 AM
Newbie
D-A-L Newbie
 
Join Date: Jul 2007
Posts: 17
Inspired Is a beginner here at D-A-L

Hi folks,
It would seem that somehow my computer is infected with something.
Whenever I connect to the internet (by activating my wireless connection) NOD32 and Comodo report the following:

First off Comodo Firewall reports that:
C:\WINDOWS\system32\winlogon.exe is trying to connect to 81.95.149.101

Then there are a bunch of other things related to winlogon.exe trying to access files on the net which NOD32 is reporting as viruses.

Quote:
Date/Time :2007-08-31 18:58:48
Severity :Medium
Reporter :Application Monitor
Description: Application Access Denied (VRR616.tmp:81.95.153.109: :http(80))
Application: C:\WINDOWS\Temp\VRR616.tmp
Parent: C:\WINDOWS\system32\winlogon.exe
Protocol: TCP Out
Destination: 81.95.153.109::http(80)

Date/Time :2007-08-31 18:58:47
Severity :Medium
Reporter :Application Monitor
Description: Application Access Denied (VRR616.tmp:194.146.206.27: :http(80))
Application: C:\WINDOWS\Temp\VRR616.tmp
Parent: C:\WINDOWS\system32\winlogon.exe
Protocol: TCP Out
Destination: 194.146.206.27::http(80)

Date/Time :2007-08-31 18:58:43
Severity :Medium
Reporter :Application Monitor
Description: Application Access Denied (VRR616.tmp:81.95.153.109: :http(80))
Application: C:\WINDOWS\Temp\VRR616.tmp
Parent: C:\WINDOWS\system32\winlogon.exe
Protocol: TCP Out
Destination: 81.95.153.109::http(80)

Date/Time :2007-08-31 18:58:42
Severity :Medium
Reporter :Application Monitor
Description: Application Access Denied (VRR616.tmp:194.146.206.27: :http(80))
Application: C:\WINDOWS\Temp\VRR616.tmp
Parent: C:\WINDOWS\system32\winlogon.exe
Protocol: TCP Out
Destination: 194.146.206.27::http(80)

Date/Time :2007-08-31 18:58:37
Severity :Medium
Reporter :Application Monitor
Description: Application Access Denied (VRR616.tmp:81.95.153.109: :http(80))
Application: C:\WINDOWS\Temp\VRR616.tmp
Parent: C:\WINDOWS\system32\winlogon.exe
Protocol: TCP Out
Destination: 81.95.153.109::http(80)

Date/Time :2007-08-31 18:34:18
Severity :Medium
Reporter :Application Monitor
Description: Application Access Denied (VRR47C.tmp:194.146.206.27: :http(80))
Application: C:\WINDOWS\Temp\VRR47C.tmp
Parent: C:\WINDOWS\system32\winlogon.exe
Protocol: TCP Out
Destination: 194.146.206.27::http(80)

Date/Time :2007-08-31 18:34:17
Severity :Medium
Reporter :Application Monitor
Description: Application Access Denied (VRR47C.tmp:81.95.153.109: :http(80))
Application: C:\WINDOWS\Temp\VRR47C.tmp
Parent: C:\WINDOWS\system32\winlogon.exe
Protocol: TCP Out
Destination: 81.95.153.109::http(80)

Date/Time :2007-08-31 18:34:13
Severity :Medium
Reporter :Application Monitor
Description: Application Access Denied (VRR47C.tmp:194.146.206.27: :http(80))
Application: C:\WINDOWS\Temp\VRR47C.tmp
Parent: C:\WINDOWS\system32\winlogon.exe
Protocol: TCP Out
Destination: 194.146.206.27::http(80)

Date/Time :2007-08-31 18:34:11
Severity :Medium
Reporter :Application Monitor
Description: Application Access Denied (VRR47C.tmp:81.95.153.109: :http(80))
Application: C:\WINDOWS\Temp\VRR47C.tmp
Parent: C:\WINDOWS\system32\winlogon.exe
Protocol: TCP Out
Destination: 81.95.153.109::http(80)

Date/Time :2007-08-31 15:58:31
Severity :High
Reporter :Application Monitor
Description: Application Access Denied (winlogon.exe:81.95.149.101: :http(80))
Application: C:\WINDOWS\system32\winlogon.exe
Parent: C:\WINDOWS\system32\smss.exe
Protocol: TCP Out
Destination: 81.95.149.101::http(80)
I think that gives you the idea.

I told Comodo to block these access attempts although the files still triggered alerts from NOD32 suggesting they made it onto my computer.

Here are the details of what NOD32 has had to say today about all this:
Quote:
Time Module Object Name Threat Action User Information
31/08/2007 19:00:13 p.m. AMON file C:\Documents and Settings\Jonathan\Local Settings\Temporary Internet Files\Content.IE5\9P1RWEQE\dl[1].exe probably a variant of Win32/TrojanDownloader.Small.AWA trojan quarantined - deleted NT AUTHORITY\SYSTEM Event occurred on a new file created by the application: \??\C:\WINDOWS\system32\winlogon.exe. The file was moved to quarantine. You may close this window.

31/08/2007 18:59:36 p.m. AMON file C:\WINDOWS\TEMP\VRR630.tmp probably a variant of Win32/TrojanDownloader.Small.AWA trojan quarantined - deleted NT AUTHORITY\SYSTEM Event occurred on a file modified by the application: \??\C:\WINDOWS\system32\winlogon.exe. The file was moved to quarantine. You may close this window.

31/08/2007 18:58:43 p.m. IMON file http://85.114.140.107/~grander/dl.exe probably a variant of Win32/TrojanDownloader.Small.AWA trojan NT AUTHORITY\SYSTEM

31/08/2007 18:34:35 p.m. AMON file C:\Documents and Settings\Jonathan\Local Settings\Temporary Internet Files\Content.IE5\MGD5V9ZL\dl[1].exe probably a variant of Win32/TrojanDownloader.Small.AWA trojan quarantined - deleted NT AUTHORITY\SYSTEM Event occurred on a new file created by the application: \??\C:\WINDOWS\system32\winlogon.exe. The file was moved to quarantine. You may close this window.

31/08/2007 18:34:29 p.m. AMON file C:\WINDOWS\TEMP\VRR482.tmp probably a variant of Win32/TrojanDownloader.Small.AWA trojan quarantined - deleted NT AUTHORITY\SYSTEM Event occurred on a file modified by the application: \??\C:\WINDOWS\system32\winlogon.exe. The file was moved to quarantine. You may close this window.

31/08/2007 18:34:14 p.m. IMON file http://85.114.140.107/~grander/dl.exe probably a variant of Win32/TrojanDownloader.Small.AWA trojan NT AUTHORITY\SYSTEM

31/08/2007 8:36:11 a.m. AMON file C:\Documents and Settings\Jonathan\Local Settings\Temporary Internet Files\Content.IE5\MGD5V9ZL\dl[1].exe probably a variant of Win32/TrojanDownloader.Small.EQN trojan quarantined - deleted NT AUTHORITY\SYSTEM Event occurred on a new file created by the application: \??\C:\WINDOWS\system32\winlogon.exe. The file was moved to quarantine. You may close this window.

31/08/2007 8:35:58 a.m. AMON file C:\WINDOWS\TEMP\VRR60.tmp probably a variant of Win32/TrojanDownloader.Small.EQN trojan quarantined - deleted NT AUTHORITY\SYSTEM Event occurred on a file modified by the application: \??\C:\WINDOWS\system32\winlogon.exe. The file was moved to quarantine. You may close this window.

31/08/2007 8:35:46 a.m. IMON file http://85.114.140.107/~grander/dl.exe probably a variant of Win32/TrojanDownloader.Small.EQN trojan NT AUTHORITY\SYSTEM
31/08/2007 8:34:59 a.m. IMON file http://85.114.140.107/~grander/adv735.exe a variant of Win32/TrojanDownloader.Small.NRS trojan NT AUTHORITY\SYSTEM
I've scanned the computer with NOD32 and nothing comes up.
I've scanned with a-squared free and it cleaned up a bunch of registry entries related to "blubster". It also removed the file "C:\program files\Common Files\Microsoft Shared\MSInfo\WinService32.exe" and stated it was the "Backdoor.Win32.SdBot.aad" trojan.

XsoftSpy also found the Blubster stuff.

But none of this has fixed this issue with winlogon.exe doing this odd stuff.

Please advise what I should do.
Thanks a lot for your help.

Regards,

Jonathan
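As an added example (not from the thread, and not Comodo's or ESET's code), here is a small Python script that parses Application Monitor entries in the layout quoted above and flags the two patterns the poster's log shows: a core logon-chain process opening its own outbound connection, and a file in a temp folder whose parent is such a process. The sample entries are constructed; two reuse values quoted above and the third is a made-up benign firefox.exe event so a non-hit is visible.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# Constructed sample in the entry layout the poster quoted. The first two
# entries reuse values from the thread; the third is a made-up benign event
# (192.0.2.10 is a documentation address) so the script shows a non-hit.
SAMPLE_LOG = r"""
Date/Time :2007-08-31 18:58:48
Severity :Medium
Reporter :Application Monitor
Description: Application Access Denied (VRR616.tmp:81.95.153.109: :http(80))
Application: C:\WINDOWS\Temp\VRR616.tmp
Parent: C:\WINDOWS\system32\winlogon.exe
Protocol: TCP Out
Destination: 81.95.153.109::http(80)

Date/Time :2007-08-31 15:58:31
Severity :High
Reporter :Application Monitor
Description: Application Access Denied (winlogon.exe:81.95.149.101: :http(80))
Application: C:\WINDOWS\system32\winlogon.exe
Parent: C:\WINDOWS\system32\smss.exe
Protocol: TCP Out
Destination: 81.95.149.101::http(80)

Date/Time :2007-08-31 16:10:02
Severity :Low
Reporter :Application Monitor
Description: Application Access Allowed (firefox.exe:192.0.2.10: :http(80))
Application: C:\Program Files\Mozilla Firefox\firefox.exe
Parent: C:\WINDOWS\explorer.exe
Protocol: TCP Out
Destination: 192.0.2.10::http(80)
"""

# XP boot/logon chain: none of these should open its own outbound TCP
# connection, or be the parent of a program that lives in a temp folder.
LOGON_CHAIN = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe", "lsass.exe"}
TEMP_MARKERS = ("\\temp\\", "\\tmp\\", "\\temporary internet files\\")
# Both "Key :value" and "Key: value" occur in the quoted log.
FIELD_RE = re.compile(r"^([^:]+?)\s*:\s*(.*)$")


@dataclass
class AppMonitorEvent:
    when: str
    application: str
    parent: str
    protocol: str
    destination: str


def parse_events(text: str) -> list[AppMonitorEvent]:
    """Split the log on blank lines and turn each block into one event."""
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in block.splitlines():
            m = FIELD_RE.match(line.strip())
            if m:
                fields[m.group(1).strip().lower()] = m.group(2).strip()
        if "application" not in fields:
            continue  # not an Application Monitor block
        events.append(AppMonitorEvent(
            when=fields.get("date/time", ""),
            application=fields["application"],
            parent=fields.get("parent", ""),
            protocol=fields.get("protocol", ""),
            destination=fields.get("destination", ""),
        ))
    return events


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def assess(event: AppMonitorEvent) -> list[str]:
    """Reasons this event matches the winlogon.exe pattern (empty = clean)."""
    reasons = []
    if not event.protocol.lower().endswith("out"):
        return reasons
    app, parent = basename(event.application), basename(event.parent)
    if app in LOGON_CHAIN:
        reasons.append(f"{app} opened its own outbound connection to {event.destination}")
    if parent in LOGON_CHAIN and any(t in event.application.lower() for t in TEMP_MARKERS):
        reasons.append(f"{app} in a temp folder, spawned by {parent}, connects to {event.destination}")
    return reasons


def find_suspicious(text: str) -> list[tuple[str, list[str]]]:
    """(timestamp, reasons) for each event that trips a check. A 'Denied' verdict
    still counts: the block stopped the connection, not the program that tried it."""
    hits = []
    for event in parse_events(text):
        reasons = assess(event)
        if reasons:
            hits.append((event.when, reasons))
    return hits
```

Run it against a real Comodo export by passing the file contents to find_suspicious(); a hit on winlogon.exe or smss.exe is a reason to look at what is on disk, as the thread goes on to do.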
#2
Old 31-08-2007, 09:02 PM
Neal's Avatar
Senior Member
 
Join Date: Sep 2005
Posts: 5,524
Neal is a D-A-L Rockstar!
Re: winlogon.exe seems infected by something

At the bottom of my signature is a link to hijackthis 2.0, click it and scroll down the page and follow directions for hijackthis and copy/paste it back into this thread and post the uninstall list as well please.
__________________
Stalking and killing Spyware

Have we helped you? Please consider a donation to help keep D-A-L free. Click on donate below



MALWARE: READ FIRST Procedures:
|_ SpyBot V1.5 _|_ HijackThis Log __V2.0.2 _|




ASAP: promoting a high standard and quality of security support no matter where you seek help.

#3
Old 31-08-2007, 09:37 PM
Newbie
D-A-L Newbie
 
Join Date: Jul 2007
Posts: 17
Inspired Is a beginner here at D-A-L
Re: winlogon.exe seems infected by something

Thanks.
I am doing the HJT scan shortly.
For the record, I just tried to run Tweaknow Powerpack 2006 (a great tool I've used for the last couple of years) and it warned me that its program file was corrupt and potentially infected with a virus. It then terminated itself. So I uploaded the particular file it was referring to at http://virusscan.jotti.org/ and the results were as follows:
Quote:
A-Squared -Found nothing
AntiVir -Found W32/Virut.U
ArcaVir -Found nothing
Avast -Found nothing
AVG Antivirus -Found nothing
BitDefender -Found Win32.Virtob.V
ClamAV -Found W32.Virut.Gen.B-55
CPsecure -Found nothing
Dr.Web -Found Win32.Virut.5
F-Prot Antivirus -Found nothing
F-Secure Anti-Virus -Found Virus.Win32.Virut.l
Fortinet -Found nothing
Kaspersky Anti-Virus -Found Virus.Win32.Virut.l
NOD32 - Found nothing
Norman Virus Control - Found W32/Virut.N
Panda Antivirus - Found nothing
Rising Antivirus - Found nothing
Sophos Antivirus - Found nothing
VirusBuster Found Win32.Virut.G
VBA32 Found nothing
The other thing I should mention is that yesterday NOD32 told me its on-demand scanner file had a bad CRC check and may be virus infected. I reinstalled NOD32 and the issue has gone. I note, however, that in the last two days (since this issue arose) NOD32KRN.EXE is using an excessive amount of CPU resources. Basically the AMON scanner is constantly scanning files. It normally only scans files on access, so this suggests to me that something is accessing all the files on my computer -- potentially infecting them?

Jonathan
#4
Old 01-09-2007, 12:27 AM
Newbie
D-A-L Newbie
 
Join Date: Jul 2007
Posts: 17
Inspired Is a beginner here at D-A-L
Win32.Virtob.V etc

Looks like I've got a major issue here.
Since NOD32 was not detecting this beast and the online scan showed that BitDefender (among others) was, I downloaded the free version of BitDefender 10. Scanning the system, nearly every .exe file was coming up as infected with Win32.Virtob.V. They could not be cleaned though. So I tried the scan in safe mode. Same issue. Obviously I can't have it delete all these files as many of them are system files.

So what I need is something that can clear the Win32.Virtob.V virus. BitDefender indicates in its virus info pages that it can disinfect this virus, but that is not the case in my experience.

Here is the HJT log:
Quote:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:09:38 a.m., on 1/09/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
E:\Microsoft & Windows Related\ProcessExplorer - Sysinternals\procexp.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Comodo\Firewall\cmdagent.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
C:\Program Files\Softwin\BitDefender10\vsserv.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Eset\nod32kui.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fppdis3a.exe
C:\Program Files\Comodo\Firewall\CPF.exe
C:\Program Files\IObit\IObit SmartDefrag\IObit SmartDefrag.exe
C:\Program Files\Mindjet\MindManager 7\MMReminderService.exe
C:\Program Files\Softwin\BitDefender10\bdmcon.exe
C:\Program Files\Softwin\BitDefender10\bdagent.exe
C:\Program Files\Mail Direct Pro\MADYPRO.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Bandwidth Monitor Pro\Bandwidth Monitor Pro.exe
C:\Program Files\Taskbar Activate\TaskbarActivate.exe
C:\Program Files\Softwin\BitDefender10\bdlite.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = www.google.
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = www.google.
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = E-Volution Enterprise
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;*.local;<local>
O2 - BHO: btorbit.com - {000123B4-9B42-4900-B3F7-F4B073EFC214} - C:\Program Files\Orbitdownloader\orbitcth.dll
O2 - BHO: CmjBrowserHelperObject Object - {07A11D74-9D25-4fea-A833-8B0D76A5577A} - C:\Program Files\Mindjet\MindManager 7\Mm7InternetExplorer.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: IESessions.Manager - {6ECF15F0-468D-4E25-8997-1C710E80F5CD} - C:\Program Files\IESessions\IESessions.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O2 - BHO: InlineSearchHandleHotKey - {B6FFE2AE-4D12-451F-B457-FE6125FFB1CF} - C:\Program Files\IEForge\Inline Search\InlineSearch.dll
O2 - BHO: Act.UI.InternetExplorer.Plugins.AttachFile.CAttachFile - {D5233FCD-D258-4903-89B8-FB1568E7413D} - mscoree.dll (file missing)
O3 - Toolbar: GVDownloader - {ae4df123-9140-4f93-9b32-ff0186389cc3} - mscoree.dll (file missing)
O3 - Toolbar: Ultra Recall - {C501607C-4A98-4f5e-B9AF-425E6BBD5186} - C:\Program Files\UltraRecall\Integration\IEToolbar.dll
O3 - Toolbar: &Save Flash - {4064EA35-578D-4073-A834-C96D82CBCF40} - C:\Program Files\Save Flash\SaveFlash.dll
O4 - HKLM\..\Run: [FinePrint Dispatcher v5] "C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fpdisp5a.exe" /source=HKLM
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [pdfFactory Pro Dispatcher v3] "C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fppdis3a.exe" /source=HKLM
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
O4 - HKLM\..\Run: [SmartDefrag] "C:\Program Files\IObit\IObit SmartDefrag\IObit SmartDefrag.exe" /startup
O4 - HKLM\..\Run: [MMReminderService] C:\Program Files\Mindjet\MindManager 7\MMReminderService.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [ClamWin] "C:\Program Files\ClamWin\bin\ClamTray.exe" --logon
O4 - HKLM\..\Run: [BDMCon] "C:\Program Files\Softwin\BitDefender10\bdmcon.exe" /reg
O4 - HKLM\..\Run: [BDAgent] "C:\Program Files\Softwin\BitDefender10\bdagent.exe"
O4 - HKCU\..\Run: [Mail Direct] "C:\Program Files\Mail Direct Pro\MADYPRO.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DOpus] C:\Program Files\Directory Opus\DOpus.exe
O4 - HKCU\..\Run: [Bandwidth Monitor Pro] "C:\Program Files\Bandwidth Monitor Pro\Bandwidth Monitor Pro.exe" /minimized
O4 - HKCU\..\Run: [Directory Opus Desktop Dblclk] "C:\Program Files\Directory Opus\dopusrt.exe" /dblclk
O4 - HKCU\..\Run: [FusionDesk] "C:\Program Files\FusionDesk\FusionDesk.exe" minimized
O4 - HKUS\S-1-5-18\..\Run: [Bandwidth Monitor Pro] "C:\Program Files\Bandwidth Monitor Pro\Bandwidth Monitor Pro.exe" /minimized (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Bandwidth Monitor Pro] "C:\Program Files\Bandwidth Monitor Pro\Bandwidth Monitor Pro.exe" /minimized (User 'Default user')
O4 - Startup: Xpert-Timer.lnk = C:\Program Files\XpertTimer\XpertTimer.exe
O4 - Global Startup: Taskbar Activate.lnk = C:\Program Files\Taskbar Activate\TaskbarActivate.exe
O8 - Extra context menu item: &Download by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/201
O8 - Extra context menu item: &Grab video by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/204
O8 - Extra context menu item: &WordWeb... - res://C:\WINDOWS\wweb32.dll/lookup.html
O8 - Extra context menu item: Do&wnload selected by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/203
O8 - Extra context menu item: Down&load all by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/202
O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download the &current page with Offline Explorer - file://C:\Program Files\Offline Explorer\Offline Explorer Enterprise\Add_AllO.htm
O8 - Extra context menu item: Download using Offline &Explorer - file://C:\Program Files\Offline Explorer\Offline Explorer Enterprise\Add_UrlO.htm
O8 - Extra context menu item: Download web site with Free Download Manager - file://C:\Program Files\Free Download Manager\dlpage.htm
O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: Send To &Ultra Recall (copy) - C:\Program Files\UltraRecall\Integration\StoreFromIE.html
O8 - Extra context menu item: Send To Ultra &Recall (link) - C:\Program Files\UltraRecall\Integration\LinkFromIE.html
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live Writer\WriterBrowserExtension.dll
O9 - Extra button: Copy to Ultra Recall - {24187A0F-0FDD-411b-80C6-F1F22F2ED10E} - C:\Program Files\UltraRecall\Integration\IEToolbar.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - (no file)
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - (no file)
O9 - Extra button: Send to Mindjet MindManager - {941E1A34-C6AF-4baa-A973-224F9C3E04BF} - C:\Program Files\Mindjet\MindManager 7\Mm7InternetExplorer.dll
O9 - Extra button: Link to Ultra Recall - {FD1FF307-68BC-462f-8718-AAEDB6DB7EA2} - C:\Program Files\UltraRecall\Integration\IEToolbar.dll
O9 - Extra button: Copy to Ultra Recall - {24187A0F-0FDD-411b-80C6-F1F22F2ED10E} - C:\Program Files\UltraRecall\Integration\IEToolbar.dll (HKCU)
O9 - Extra button: NeoTrace It! - {9885224C-1217-4c5f-83C2-00002E6CEF2B} - C:\PROGRA~1\NEOTRA~1\NTXtoolbar.htm (HKCU)
O9 - Extra button: Link to Ultra Recall - {FD1FF307-68BC-462f-8718-AAEDB6DB7EA2} - C:\Program Files\UltraRecall\Integration\IEToolbar.dll (HKCU)
O15 - Trusted Zone: http://www.pandasoftware.com
O15 - Trusted IP range: http://192.168.0.3
O15 - Trusted IP range: http://192.168.1.254
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {4C57C98A-E582-46E4-8FD8-5EBDC94CEA39} - http://www.mindjet.com/viewer/eng/MjMmViewer.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1181246863908
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O18 - Protocol: nyf - {C4BA8816-8761-4164-8E33-56F3024A09E4} - C:\Program Files\MyBase\ienyf.dll (file missing)
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\a-squared Free\a2service.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Bandwidth Monitor Pro - Unknown owner - -C:\Program Files\Bandwidth Monitor Pro\Bandwidth Monitor Pro.exe (file missing)
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
O23 - Service: BCL easyPDF SDK 5 Loader (bepldr) - Unknown owner - C:\Program Files\Common Files\BCL Technologies\easyPDF 5\bepldr.exe
O23 - Service: Bluetooth Service (btwdins) - Unknown owner - -C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe (file missing)
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: DynDNS Updater Service (DynDNS_Updater_Service) - Unknown owner - -C:\Program Files\DynDNS Updater\DynDNS.exe (file missing)
O23 - Service: FinePrint Dispatcher v5 - FinePrint Software, LLC - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fpdisp5a.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - D:\Program Files\Nero 7\InCD\InCDsrv.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - SOFTWIN S.R.L. - C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: MSSQL$ACT7 - Unknown owner - -C:\Program Files\Microsoft SQL Server\MSSQL$ACT7\Binn\sqlservr.exe (file missing)
O23 - Service: MSSQLServerADHelper - Unknown owner - -C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqladhlp.exe (file missing)
O23 - Service: NBService - Nero AG - D:\Program Files\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SQLAgent$ACT7 - Unknown owner - -C:\Program Files\Microsoft SQL Server\MSSQL$ACT7\Binn\sqlagent.EXE (file missing)
O23 - Service: CYGWIN sshd (sshd) - Unknown owner - C:\cygwin\bin\cygrunsrv.exe
O23 - Service: VMware DHCP Service (VMnetDHCP) - Unknown owner - C:\WINDOWS\system32\vmnetdhcp.exe (file missing)
O23 - Service: VMware NAT Service - Unknown owner - C:\WINDOWS\system32\vmnat.exe (file missing)
O23 - Service: BitDefender Virus Shield (VSSERV) - SOFTWIN S.R.L. - C:\Program Files\Softwin\BitDefender10\vsserv.exe
O23 - Service: BitDefender Communicator (XCOMM) - SOFTWIN S.R.L - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
O24 - Desktop Component 0: (no name) - C:\Program Files\JelloDashboard\jelloDash.htm

--
End of file - 13179 bytes
Here is the uninstall list:
Quote:
1st Email Addres Harvester 2002 V1.20
1st MP3 Tag Editor 5.6
Abander TagControl
Account Xpress 3.3.4
AceMoney
Acronis Disk Director Suite
ACS PC Atlas
Adaptec UDF Reader
Ad-Aware SE Professional
Add or Remove Adobe Creative Suite 3 Design Premium
Adobe Acrobat eBook Reader
Adobe Anchor Service CS3
Adobe Asset Services CS3
Adobe Bridge CS3
Adobe Bridge Start Meeting
Adobe BridgeTalk Plugin CS3
Adobe Camera Raw 4.0
Adobe CMaps
Adobe Color - Photoshop Specific
Adobe Color Common Settings
Adobe Color Common Settings
Adobe Color EU Extra Settings
Adobe Color JA Extra Settings
Adobe Color NA Recommended Settings
Adobe Creative Suite 3 Design Premium
Adobe Default Language CS3
Adobe Device Central CS3
Adobe Dreamweaver CS3
Adobe ExtendScript Toolkit 2
Adobe ExtendScript Toolkit 2
Adobe Extension Manager CS3
Adobe Fireworks CS3
Adobe Fireworks CS3
Adobe Flash Player 9 ActiveX
Adobe Flash Player 9 Plugin
Adobe Fonts All
Adobe Help Viewer CS3
Adobe Illustrator CS3
Adobe InDesign CS3
Adobe InDesign CS3 Icon Handler
Adobe Linguistics CS3
Adobe MotionPicture Color Files
Adobe PDF Library Files
Adobe Photoshop CS3
Adobe Setup
Adobe Setup
Adobe Setup
Adobe Setup
Adobe SING CS3
Adobe Stock Photos CS3
Adobe SVG Viewer 3.0
Adobe Type Support
Adobe Update Manager CS3
Adobe Version Cue CS3 Client
Adobe WAS CS3
Adobe WinSoft Linguistics Plugin
Adobe XMP Panels CS3
Advanced eBook Processor
Advanced PDF Password Recovery Pro (remove only)
Advanced Security for Outlook
Advanced X Video Converter
Agendus for Windows Outlook Edition
AHV content for Acrobat and Flash
akFontViewer
ALi AGP Driver 1.80
ALi Audio Accelerator WDM Driver
Alien Skin Eye Candy 5 Impact
Alien Skin Eye Candy 5 Nature
Alien Skin Eye Candy 5 Textures
Alien Skin Xenofex 2.0
AM-DeadLink 2.8.1
AMP Font Viewer
AnyDVD
ASAP Utilities
ASB Fastnet Office
Audio Catalog 3.3
Bandwidth Monitor Pro
BitDefender Free Edition v10
Blogg-X 2.12
BlogJet 2.0.0.9
BS.Player PRO
CCleaner (remove only)
CD Bank Cataloguer (remove only)
CD Collection 2.15
CDBurnerXP Pro 3
ClamWin Free Antivirus 0.91.2
CleanUp!
ClearType Tuning Control Panel Applet
Clock Patch V1.0
CmdHere Powertoy For Windows XP
CoffeeCup Google SiteMapper
Collectorz.com Book Collector
ColorImpact version 2.2
COMODO Firewall Pro
CompanionLink
Cool Timer 2.2
Copernic Agent Professional
Currency Converter FX 1.0
dBpowerAMP AAC to Mp4 Codec
dBpowerAMP Mp4 Codec
dBpowerAMP Music Converter
Delete Duplicates for Outlook 2.4
dfg BackUp XP
DiamondCS APM
dMC AccurateRip
DreamSuite Gel
DreamSuite Series2
Driver Genius Professional Edition 2007
DriverGuide Toolkit
DrvClonerXP 2.1
DScaler 5 Mpeg Decoders
DVD Shrink 3.2
DVD-RAM Driver
DynDNS Updater 3.1
Easy DVD Player 2.0
EasyCleaner
EssentialPIM Pro
Exact Audio Copy 0.95b4
Excel to Image (GIF) Export & Convert Software 1.1
Extensis Suitcase 9.2.1
FeedDemon
FinalBurner Free v1.14.0.87
FinePrint
floAt's Mobile Agent 2
Free Download Manager 2.0
freebudget 4.1
Gammadyne Mailer
Genesis V2 PROps V2.00
Genie Backup Manager Pro 6.0
Genuine Fractals PrintPro Trial
GetDataBack for FAT
GetDataBack for NTFS
GoldWave v5.10
GoldWave v5.14
Google Video Player
GPL Ghostscript 8.56
GPL Ghostscript Fonts
GPSoftware Directory Opus
GrabIt 1.6.2 Beta (build 940)
GSiteCrawler
GSpot Codec Information Appliance
gSyncit
GVDownloader
HDCleaner
Helium Music Manager 2007 (build 5425)
HijackThis 2.0.2
Hotfix for Windows XP (KB915800)
Hotfix for Windows XP (KB915865)
Hyperhealth Pro 5.0 (2005)
IBP & ARELIS 9.5.1
IconPackager
IESessions 1.03
Image Resizer Powertoy for Windows XP
ImgBurn (Remove Only)
InBoxer for Outlook 2.4
Info Keep
Inline Search v1.3 for Internet Explorer (remove only)
Insert Code for Windows Live Writer
Insert Formatted Clipboard plugin for Windows Live Writer
Insert Links Smartly (WLW Plugin)
Insert Video V3
Insert Website Image Plugin
IObit SmartDefrag Beta3
IsoBuster 1.9.1
IZArc 3.6
IZArc Command Line Add-On 1.0
J2SE Runtime Environment 5.0 Update 7
K-Lite Codec Pack 3.2.5 Full
Logitech QuickCam Software
Logitech® Camera Driver
Lucent Technologies Soft Modem AMR
Macromedia Extension Manager
Macromedia FlashPaper 2
Macromedia FreeHand MX
Macromedia Shockwave Player
Magic DVD Ripper V5.0.1
Mail Direct Pro 2.6
Media Catalog Studio 5.5
MediaMonkey 2.5
MediaMonkey Script - Backup 4.0
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office 2003 Primary Interop Assemblies
Microsoft Office 2007 Primary Interop Assemblies
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Enterprise 2007
Microsoft Office Enterprise 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office Groove MUI (English) 2007
Microsoft Office Groove Setup Metadata MUI (English) 2007
Microsoft Office InfoPath MUI (English) 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office PowerPoint Viewer 2003
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Visio Professional 2003
Microsoft Office Word MUI (English) 2007
Microsoft Save as PDF or XPS Add-in for 2007 Microsoft Office programs
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual Studio 2005 Tools for Office Runtime
Mindjet MindManager 6 Route Mapping
Mindjet MindManager External Reference Smart Map Part
Mindjet MindManager Map Explorer
Mindjet MindManager Pro 7
MindManager Pro 6 OPML Editor
Mobile Master Outlook AddIn
MOBILedit! 2.3
MobileMaster
MozBackup 1.4.5
Mozilla ActiveX Control v1.7.12
Mozilla Firefox (2.0.0.3)
Mozilla Firefox (2.0.0.6)
Mozilla Thunderbird (2.0.0.6)
MP3TagEditor
MSN Messenger 7.5
MSXML 4.0 SP2 (KB925672)
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 6.0 Parser (KB933579)
myBase Desktop 5.3 (Unicode Build)
MyLife Organized 1.8.0 BETA (Evaluation)
MySQL Tools for 5.0
MySQL-Front 3.2
NeoTrace Pro 3.25
Nero 7 Ultra Edition
Neuro-Programmer 2 Professional
Neuro-Programmer Professional 2.3.5
Nitro PDF Professional
NOD32 antivirus system
NVIDIA Windows 2000/XP Display Drivers
O&O DiskRecovery
O2Micro Smartcard Driver
Open Workbench
Orbit
Outlook Attachment and Picture Extractor
PayPal Payment Request Wizard (for Outlook)
pdfFactory Pro
PHP Designer 2007 - Professional - version 5.3
PowerPlayer II
PremiumSoft Navicat 8.0 for MySQL
PSPad editor
QNewsletter 2.51
QuickBooks Pro: Professional Business 2006/07
QuickTime
Rapid PDF Count
Real Alternative 1.51 Lite
RealMedia (remove only)
RIA-Media Addins
R-Studio 3.5
Sansa Media Converter
Sansa Updater
Security Update for CAPICOM (KB931906)
Security Update for CAPICOM (KB931906)
Security Update for Excel 2007 (KB936509)
Security Update for Microsoft .NET Framework 2.0 (KB928365)
Security Update for Office 2007 (KB934062)
Security Update for Office 2007 (KB936514)
Security Update for Publisher 2007 (KB936646)
Security Update for the 2007 Microsoft Office System (KB936960)
Security Update for Windows Internet Explorer 7 (KB928090)
Security Update for Windows Internet Explorer 7 (KB929969)
Security Update for Windows Internet Explorer 7 (KB931768)
Security Update for Windows Internet Explorer 7 (KB933566)
Security Update for Windows Internet Explorer 7 (KB937143)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB921503)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923694)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Security Update for Windows XP (KB936021)
Security Update for Windows XP (KB938829)
Sentinel System Driver
Shareaza version 2.2.3.0
Sitemap Generator 1.0.0.0
Skype 2.5
SmartFTP Client
SnagIt Screen Capture Plugin for Windows Live Writer
Social Bookmarking Tool for WLW
Sony Ericsson Communications Suite
Spybot - Search & Destroy 1.4
StationRipper 2.33C
StuffIt Deluxe
SUPER © Version 2007.bld.22 (Mar 14, 2007)
Super Mp3 Recorder Professional v6.0
SWF Extractor 2.2
Synaptics Pointing Device Driver
SyncMyCal
SyncToy
TagRunner 2.0
Taskbar Activate
Template Plugin for Windows Live Writer
The Core Media Player 4.0
TreeSize Professional 4.0.2
Tweak UI
TweakNow PowerPack 2006 Professional
TypingMaster Pro
UltimateDefrag
Ultralingua 6.0
Ultralingua 6.0
Update for Office 2007 (KB932080)
Update for Office 2007 (KB934391)
Update for Office 2007 (KB934393)
Update for Outlook 2007 (KB937608)
Update for Outlook 2007 Junk Email Filter (kb936644)
Update for Windows XP (KB927891)
Update for Windows XP (KB929338)
Update for Windows XP (KB930916)
Update for Windows XP (KB931836)
Update for Windows XP (KB936357)
Update for Windows XP (KB938828)
Update for Word 2007 (KB934173)
VideoLAN VLC media player 0.8.5
VIP Organizer
Visual Studio 2005 Tools for Office Second Edition Runtime
w.bloggar 4.00
Web Data Extractor 6.0
Web Sources Tagger for MediaMonkey (some alpha version)
WebEx
WhereIsIt? 3.83
WIDCOMM Bluetooth Software
Winamp (remove only)
Windows Genuine Advantage v1.3.0254.0
Windows Internet Explorer 7
Windows Live installer
Windows Live Writer
Windows Live Writer Backup
Windows Live Writer Blog This for Mozilla Firefox
Windows Media Format Runtime
Windows Media Player 10
WinImage
WinSnap
Winternals Administrator's Pak
WinUHA 2.0 RC1 (2005.02.27)
WLW Paste As
WLW Related Post Plugin
WLW Text Templates
XoftSpy
Xpert-Timer Version 1.5.3.274 (English)
XPlite PROFESSIONAL
XQDC X-Setup Pro 8.0.100
YouTube Downloader 2.2
ZipGenius 6 (6.0.1.1010)
Zoom Player (remove only)
Zortam Mp3 Media Studio 6.66
Zoundry Blog Writer
For now I am able to limit the amount of further spreading of the virus by using Process Explorer to identify and kill the processes that it is using to propagate itself. Although it has infected nearly every .exe process running, it seems to only be able to proliferate using those processes that can open/access .exe files (like Opus and Explorer).

Thanks for your help. I get the impression this is quite serious and am hoping I can clean it off without a full reinstall. As you can see, I use quite a wide range of applications (IT consultant among other things) and reinstalling takes what feels like days.

Jonathan
  #5 (permalink)  
Old 01-09-2007, 05:27 AM
Inspired
D-A-L Newbie
Join Date: Jul 2007
Posts: 17
Re: winlogon.exe seems infected by something

UPDATE:
PC is almost completely crippled now.
Takes about 30 mins to get into it after a restart and onto the net.
Tried installing CA Anti-virus to remove the virus (as they indicated it would) but no luck. Didn't detect anything.
Not sure what to do.
Can't access the internet in Safe mode as I only have wireless connection (via a USB wireless adapter) and that won't load in safe-mode. Also can't use any of my boot repair utility discs because again I can't update the virus scanners on them (no net connection).
Tricky.
Please advise.
Jonathan
  #6 (permalink)  
Old 02-09-2007, 12:02 AM
Neal
Senior Member
Join Date: Sep 2005
Posts: 5,524
Re: winlogon.exe seems infected by something

Sounds bad, sounds like your computer is on its last leg.


Try this scanner below; normally it is a quick scan, but in your case it will probably take a long time.


Download Dr.Web CureIt to the desktop:
ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe

* Double-click the drweb-cureit.exe file and allow it to run the express scan
* This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
* Once the short scan has finished, mark the drives that you want to scan.
* Select all drives. A red dot shows which drives have been chosen.
* Click the green arrow at the right, and the scan will start.
* Click 'Yes to all' if it asks if you want to cure/move the file.
* When the scan has finished, check whether you can click the icon next to the files found:

* If so, click it, then click the icon right below and select Move incurable, as shown in the next image:


This will move it to the %userprofile%\DoctorWeb\quarantine folder if it can't be cured. (This is in case we need samples.)
* After selecting, in the Dr.Web CureIt menu on top, click file and choose save report list
* Save the report to your desktop. The report will be called DrWeb.csv
* Close Dr.Web Cureit.
* Reboot your computer!! Because it could be possible that files in use will be moved/deleted during reboot.
* After reboot, post the contents of the log from Dr.Web you saved previously in your next reply. You can use Notepad to open the DrWeb.csv report.


Good luck.
__________________
Stalking and killing Spyware

Have we helped you? Please consider a donation to help keep D-A-L free. Click on donate below



MALWARE: READ FIRST Procedures:
|_ SpyBot V1.5 _|_ HijackThis Log __V2.0.2 _|




ASAP: promoting a high standard and quality of security support no matter where you seek help.

  #7 (permalink)  
Old 03-09-2007, 03:25 AM
Inspired
D-A-L Newbie
Join Date: Jul 2007
Posts: 17
Re: winlogon.exe seems infected by something

Hi Neal,
DrWeb found the win32.virut.5 virus in over 2000 exe files.
It cleaned them from all but 10 or so files, which I have moved to quarantine.

The system no longer tries to download virus/trojan infected files from the net when I turn on the wireless. Apps I am running also no longer try to access and infect every exe file on the computer when the PC is running in normal mode.

I do note that the system is taking over 3 minutes, however, to kick into life after I log in. The screen is blank for about 3 mins, then it takes another 2 mins for the desktop and apps to fully load.

Is it necessary to post the DrWeb log? It is rather enormous.

Here's the list of files it could not cure:
split.exe;C:\cygwin\bin;Win32.Virut.5;Incurable.Moved.;
KnockOut.exe;C:\Documents and Settings\All Users\Start Menu\Programs\Microsoft Office;Win32.Virut.5;Incurable.Moved.;
Take10!Timer.exe;C:\Documents and Settings\Jonathan\Desktop;Trojan.MulDrop.8512;Deleted.;
1.exe;C:\Documents and Settings\Jonathan\Local Settings\Temp;Trojan.PWS.LDPinch.1413;Deleted.;
2.exe;C:\Documents and Settings\Jonathan\Local Settings\Temp;Trojan.MulDrop.4164;Deleted.;
dl[2].exe\data001;C:\Documents and Settings\Jonathan\Local Settings\Temporary Internet Files\Content.IE5\MGD5V9ZL\dl[2].exe;Trojan.DownLoader.31840;;
dl[2].exe;C:\Documents and Settings\Jonathan\Local Settings\Temporary Internet Files\Content.IE5\MGD5V9ZL;Archive contains infected objects;Moved.;
IDriver.exe;C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32;Win32.Virut.5;Incurable.Moved.;
FontExpert.exe;C:\Program Files\FontExpert;Win32.Virut.5;Will be cured after reboot.;
gm.exe;C:\Program Files\Gammadyne Mailer\22.1.2 backup;Win32.Virut.5;Incurable.Moved.;
QuaskPoll.exe;C:\Program Files\Quask\Shared;Probably WIN.WORM.Virus;;


Regards,

Jonathan

Last edited by Inspired; 03-09-2007 at 04:36 AM. Reason: Added list of files still infected
  #8 (permalink)  
Old 03-09-2007, 08:10 PM
Neal
Senior Member
Join Date: Sep 2005
Posts: 5,524
Re: winlogon.exe seems infected by something
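As an added example (not from the thread and not Dr.Web's own code), a small Python parser for the semicolon-separated report format Dr.Web CureIt writes, run over a constructed sample in the layout of the list above; it flags which entries are still outstanding (pending a reboot, or with no action recorded) so a helper can see at a glance what needs follow-up. The field order and the set of "resolved" action strings are assumptions based on the quoted lines.

```python
import csv
from collections import Counter
from io import StringIO

# Constructed sample in the layout of the Dr.Web CureIt report list quoted in
# the thread (file;folder;threat;action;). Entries are taken from that list.
SAMPLE_REPORT = """\
split.exe;C:\\cygwin\\bin;Win32.Virut.5;Incurable.Moved.;
Take10!Timer.exe;C:\\Documents and Settings\\Jonathan\\Desktop;Trojan.MulDrop.8512;Deleted.;
FontExpert.exe;C:\\Program Files\\FontExpert;Win32.Virut.5;Will be cured after reboot.;
QuaskPoll.exe;C:\\Program Files\\Quask\\Shared;Probably WIN.WORM.Virus;;
"""

# Assumed action strings after which the object is no longer live on disk
# (deleted, cured in place, or moved to the DoctorWeb quarantine folder).
RESOLVED = {"Deleted.", "Cured.", "Moved.", "Incurable.Moved."}


def parse_report(text):
    """Parse DrWeb.csv-style lines into dicts, tolerating the trailing ';'."""
    entries = []
    for row in csv.reader(StringIO(text), delimiter=";"):
        if len(row) < 4 or not row[0]:
            continue  # blank or truncated line
        entries.append({
            "file": row[0],
            "folder": row[1],
            "threat": row[2],
            "action": row[3].strip(),
        })
    return entries


def triage(entries):
    """Separate handled entries from those still needing follow-up."""
    outstanding = [e for e in entries if e["action"] not in RESOLVED]
    return {
        "total": len(entries),
        "threats": Counter(e["threat"] for e in entries),
        # Files the scanner could only fix on the next restart.
        "pending_reboot": [e["file"] for e in outstanding
                           if "reboot" in e["action"].lower()],
        # Detections with no action recorded at all: still live, check by hand.
        "untouched": [e["file"] for e in outstanding if not e["action"]],
    }


if __name__ == "__main__":
    for key, value in triage(parse_report(SAMPLE_REPORT)).items():
        print(f"{key}: {value}")
```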

Very good,


I see you have CCleaner; run a scan using the Windows tab only (up front by default) and let it clean what it finds.


Have you checked to see if you need to defrag?


Also, your add/remove programs list is showing this:

BitDefender Free Edition v10
ClamWin Free Antivirus 0.91.2
NOD32 antivirus system



Way too much anti-virus protection, which will slow down your PC and actually lower your protection. Suggest you remove all but one, then do a search on your PC for any existing files or folders maybe left behind from the two you uninstall.



1. Download this file - COMBOFIX
2. Double click combofix.exe & follow the prompts.
3. When finished, it will produce a log for you. Post that log in your next reply

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall.


Post a new hijackthis log also please.
  #9 (permalink)  
Old 03-09-2007, 09:17 PM
Inspired
D-A-L Newbie
Join Date: Jul 2007
Posts: 17
Re: winlogon.exe seems infected by something

Hi Neal,
Implementing all that in a moment.
With regards to the multiple virus scanners.
My understanding is this. Of the three there, only NOD32 is an active file monitor (an active resident scanner/monitor). ClamAV and BitDefender 10 (free version) are both passive (scan on demand) scanners. When I use either of these scan-on-demand scanners, I temporarily turn off the NOD32 AMON component (so that it does not check each file that the passive scanner is checking at the same moment). Then when the passive scanner has done its thing, I turn AMON (NOD active monitor) back on.

Is there something wrong with that way of going about things that I should know about?

Cheers,
Jonathan
  #10 (permalink)  
Old 04-09-2007, 08:48 PM
Neal
Senior Member
Join Date: Sep 2005
Posts: 5,524
Re: winlogon.exe seems infected by something

As long as only one is running in the background, you're OK.