Trojan Removal
#1

Right before we start, and before anyone says anything... I did not get this from downloading, porn, websites, or whatever the fuck else. I'm not even going to say.

Basically, here are the logs.

http://pastebin.com/zrTdNayJ

It's infecting all .exe's. That's the basics of it.
And before you say it (YES, that is a downloaded version of SA, but my installation disk does not work, so in a way it is not.)

Here are some HijackThis logs:


Code:
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 17:48:02, on 10/08/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\system32\spoolsv.exe
E:\Program Files\Avira\AntiVir Desktop\sched.exe
E:\Program Files\Avira\AntiVir Desktop\avguard.exe
E:\Program Files\Avira\AntiVir Desktop\avshadow.exe
E:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
E:\Program Files\Bonjour\mDNSResponder.exe
E:\WINDOWS\System32\svchost.exe
E:\Program Files\Java\jre6\bin\jqs.exe
E:\WINDOWS\system32\nvsvc32.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\Explorer.EXE
E:\WINDOWS\system32\RUNDLL32.EXE
E:\WINDOWS\RTHDCPL.EXE
E:\Program Files\Common Files\Java\Java Update\jusched.exe
E:\Program Files\Avira\AntiVir Desktop\avgnt.exe
E:\Program Files\TortoiseSVN\bin\TSVNCache.exe
E:\WINDOWS\system32\ctfmon.exe
E:\Program Files\Windows Media Player\WMPNSCFG.exe
E:\WINDOWS\system32\wuauclt.exe
E:\Program Files\mIRC\mirc.exe
E:\Program Files\Spotify\spotify.exe
E:\Program Files\Skype\Phone\Skype.exe
E:\Program Files\Skype\Plugin Manager\skypePM.exe
E:\WINDOWS\system32\notepad.exe
E:\Program Files\Messenger\msmsgs.exe
E:\Program Files\Common Files\Adobe\OOBE\PDApp\UWA\AAM Updates Notifier.exe
E:\WINDOWS\system32\dllhost.exe
E:\Documents and Settings\Grant\Local Settings\Application Data\******\Chrome\Application\chrome.exe
E:\Documents and Settings\Grant\Local Settings\Application Data\******\Chrome\Application\chrome.exe
E:\Documents and Settings\Grant\Local Settings\Application Data\******\Chrome\Application\chrome.exe
E:\Documents and Settings\Grant\Local Settings\Application Data\******\Chrome\Application\chrome.exe
E:\Documents and Settings\Grant\Local Settings\Application Data\******\Chrome\Application\chrome.exe
E:\WINDOWS\system32\notepad.exe
E:\Program Files\WinRAR\WinRAR.exe
E:\Program Files\Notepad++\notepad++.exe
E:\Program Files\ClamAV for Windows\1.0.26\agent.exe
E:\WINDOWS\system32\NOTEPAD.EXE
E:\Documents and Settings\Grant\Local Settings\Application Data\******\Chrome\Application\chrome.exe
E:\Documents and Settings\Grant\Local Settings\Application Data\******\Chrome\Application\chrome.exe
E:\Documents and Settings\Grant\Local Settings\Application Data\******\Chrome\Application\chrome.exe
E:\Documents and Settings\Grant\Local Settings\Application Data\******\Chrome\Application\chrome.exe
E:\WINDOWS\system32\msiexec.exe
E:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 169.229.50.14:3128
O1 - Hosts: 66.98.148.65 auto.search.msn.com
O1 - Hosts: 66.98.148.65 auto.search.msn.es
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - E:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - E:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: SkypeIEPluginBHO - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - E:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - E:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - E:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE E:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE E:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "E:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [AdobeAAMUpdater-1.0] "E:\Program Files\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe"
O4 - HKLM\..\Run: [SwitchBoard] E:\Program Files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe
O4 - HKLM\..\Run: [amd_dc_opt] E:\Program Files\AMD\Dual-Core Optimizer\amd_dc_opt.exe
O4 - HKLM\..\Run: [MSConfig] E:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [THGuard] "E:\Program Files\TrojanHunter 5.3\THGuard.exe"
O4 - HKLM\..\Run: [Immunet Protect] "E:\Program Files\ClamAV for Windows\1.0.26\iptray.exe"
O4 - HKCU\..\Run: [ctfmon.exe] E:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WMPNSCFG] E:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [msnmsgr] "E:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] E:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [MSMSGS] "E:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] E:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] E:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - E:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - E:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Skype add-on for Internet Explorer - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - E:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O9 - Extra 'Tools' menuitem: Skype add-on for Internet Explorer - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - E:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - E:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - E:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - E:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - E:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=3...1023752
O17 - HKLM\System\CCS\Services\Tcpip\..\{D9B7AE08-9296-43FF-A75E-D0F0C46CE878}: NameServer = 8.8.8.8,8.8.4.4
O18 - Protocol: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - E:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - E:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - E:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - E:\WINDOWS\system32\browseui.dll
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - E:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - E:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: AODService - Unknown owner - E:\Program Files\AMD\OverDrive\AODAssist.exe
O23 - Service: Apache2.2 - Apache Software Foundation - D:\xampp\apache\bin\httpd.exe
O23 - Service: Apple Mobile Device - Apple Inc. - E:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - E:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - E:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - E:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: ClamAV for Windows (ImmunetProtect) - Immunet Corporation - E:\Program Files\ClamAV for Windows\1.0.26\agent.exe
O23 - Service: iPod Service - Apple Inc. - E:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - E:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: mysql - Unknown owner - D:\xampp\mysql\bin\mysqld.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - E:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SwitchBoard - Adobe Systems Incorporated - E:\Program Files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe
O23 - Service: wampapache - Apache Software Foundation - E:\wamp\bin\apache\apache2.2.11\bin\httpd.exe
O23 - Service: wampmysqld - Unknown owner - E:\wamp\bin\mysql\mysql5.1.36\bin\mysqld.exe

--
End of file - 9383 bytes
The Trojan/malware is called W32/Stanit. I'm also guessing this is a network worm.
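To read a HijackThis log like the one above more quickly, here is an added Python triage helper (not from this thread and not Trend Micro's code) that parses the item lines and flags the entry types a defender checks first: the R1 proxy setting, the O1 hosts overrides, the orphaned O2 BHO, a path-less O4 autorun and the O23 service whose file is missing. The sample input is constructed from lines in this post plus one full-path O4 entry for contrast.

```python
import re

# Constructed sample: item lines copied from the HijackThis log in this thread,
# plus one full-path O4 entry for contrast with the bare-filename one.
SAMPLE_LOG = """\
R1 - HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings,ProxyServer = 169.229.50.14:3128
O1 - Hosts: 66.98.148.65 auto.search.msn.com
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - E:\\Program Files\\Spybot - Search & Destroy\\SDHelper.dll
O4 - HKLM\\..\\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\\..\\Run: [SunJavaUpdateSched] "E:\\Program Files\\Common Files\\Java\\Java Update\\jusched.exe"
O23 - Service: mysql - Unknown owner - D:\\xampp\\mysql\\bin\\mysqld.exe (file missing)
"""

# HijackThis item lines look like "<section> - <body>"; the process list and
# header lines do not match this shape and are skipped.
ENTRY_RE = re.compile(r"^(?P<sec>[RFO]\d+) - (?P<body>.*)$")

def parse_entries(text):
    """Return [(section, body), ...] for every item line in a HijackThis log."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("sec"), m.group("body")))
    return entries

def triage(text):
    """Return [(section, reason, body), ...] for entries worth reviewing first.

    These are heuristics, not verdicts: a bare-filename O4 entry may be a
    legitimate vendor tool, but with no path it depends on the search path
    and is harder to verify, so it goes on the review list.
    """
    findings = []
    for sec, body in parse_entries(text):
        if sec == "R1" and "ProxyServer" in body:
            findings.append((sec, "IE proxy set; browser traffic is being relayed", body))
        elif sec == "O1":
            findings.append((sec, "hosts-file override of a public hostname", body))
        elif sec == "O2" and "(no file)" in body:
            findings.append((sec, "orphaned BHO registration (no backing file)", body))
        elif sec == "O4" and not re.search(r"[\\/]", body.split("] ", 1)[-1]):
            findings.append((sec, "autorun entry with a bare filename, no full path", body))
        elif sec == "O23" and "(file missing)" in body:
            findings.append((sec, "service points at a missing binary", body))
    return findings

if __name__ == "__main__":
    for sec, reason, body in triage(SAMPLE_LOG):
        print(f"[{sec}] {reason}\n    {body}")
```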
#2

I have fixed a friend's computer with that virus before.


1. How many computers are on the same network? Disconnect them. This virus affects networks and doesn't have to have started from your network. It could be from another computer. If not, it is from yours.

2. I used the AVIRA Removal Tool when I had to fix this virus. It works perfectly but doesn't get rid of the whole thing. So...

Disconnect your internet, then scan with this tool (after you download it, of course, lol).

3. After the removal tool gets rid of some of the infection, try your own antivirus, and if you're using a PC go to Run -> type MRT and use the Microsoft Malicious Removal Tool and see if it detects anything. If so, get rid of it.

4. Like I said before, if your computer is connected to a network with other computers as well, make sure that before you connect your computer back to that network, you scan those computers for this virus as well.
#3

The Avira removal tool found nothing, already tried :3

Avira itself found all the .exe's infected but not the source.

Trying MRT now.
#4

http://www.free-av.com/en/products/3...oval_tool.html


Is the spot I think I got it from last time.
#5

W32/Stanit.A
W32/Stanit

I have the bottom one and it detects the top. Dunno if they are the same, but it doesn't detect it.

Oh, and MRT found nothing.
#6

Just a random shot, have you tried system restore (so it can restore the files from before the infection)?
#7

Really? Wow...


If all the antivirus scans you try don't fix it, try it in safe mode. If that doesn't work, try to find the files that it infected, and if they are not needed, remove a lot of them.

If not, I have no idea lol. Worked for me..

Reformat?
#8

System restore is pointless, that's where the Trojan is based. It's all infected. But thanks anyway.

I'm having a feeling it's just gone poof, because all virus alerts have gone, and everything is back to normal. We shall see what happens.
#9

Reinstall Windows, this way you are positive it's gone.
#10

I really can't be bothered, no signs just now. So I'm not bothered.