Hi Tom's Hardware,
First of all I'd like to clarify just simply what this thread is regarding (in at least what I can), considering I hardly know myself.
Clarification
Ok, well it was about a year or so ago when a friend of mine infected my computer with a complete bastard of a virus. So I decided, well, I suppose I'll just format; not too long after, literally 10 - 15 formats, I did believe it was gone (it was a virus that infected every exe file on my computer, then if I was to take those exe files anywhere else obviously it would start again).
Now I did not ever determine just what this virus was named (nor did I even really investigate it at all much back then); I simply formatted and thought, well, to hell with this thing if it doesn't want to be removed by almost any bloody Anti-Virus program that I have used.
Things were fine for a year or so, though recently in the past few months the same friend has started giving me files and whatnot again (mostly media files, though, via an external HDD).
Lately my virus programs AVG & NOD32 (I switch quite often because I don't believe AVG works very well and NOD32 seems to bloody well completely ruin any port-forwarding via uTorrent; anyway, that's another story).
The virus programs have started picking up Trojan alerts in my system volume folders, which brings me to think that could definitely be the way this Trojan gets around (since it goes via flash drives & external HDDs and whatnot).
Now finally we are getting back to where this topic title originated (DrWatson Postmortem Debugger). I've recently read quite a few articles on several websites on the net saying that it's possible that DrWatson Postmortem Debugger can be used as a mask for Trojans...
AceBot
AceBot... supposedly one of the largest viruses and most bastard of them all out there (at least for SP2). It's probably quite old now; I am running SP3, though I'm wondering, since I was running SP2 at one point in time, is it possible that the virus is still affecting me?
Conclusion
In the past few weeks I've been experiencing some serious malfunctions in my computer; I'll list as many as I can think of.
[In order of most common]
1. All-around computer speed just being decreased, in some cases taking literally 1 - 3 minutes to open ANY application.
2. Windows Live Messenger crashing very often. (This sometimes triggers the DrWatson Error)
3. My browser can only access HTTPS websites not ANY HTTP website at all.
4. A lot of my Java applications also seem to crash & error quite a lot.
5. AVG crashed and was asking for error reports to be sent to AVG.
To conclude, what I'm really asking for is your opinion & help regarding anything that is wrong with my computer.
Logs
HijackThis
Code:
Logfile of HijackThis v1.99.1
Scan saved at 2:25:53 AM, on 4/8/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\Program Files\Western Digital\WD Drive Manager\WDBtnMgrSvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Malwarebytes' Anti-Malware\mbamtrayctrl.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\Program Files\Western Digital\WD Drive Manager\WDBtnMgrUI.exe
C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\drivers\itech4\itech.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\CronoSoft\Quick Hide Windows\qhw.exe
C:\Program Files\PeerGuardian2\pg2.exe
C:\Program Files\SpeedFan\speedfan.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
E:\bootcd\wintools\autorun.exe
C:\WINDOWS\system32\cmd.exe
C:\Program Files\uTorrent\uTorrent.exe
C:\WINDOWS\system32\ntvdm.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system32\java.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\iTunes\iTunes.exe
C:\Documents and Settings\Aaron\Desktop\Extreme Virus Removal\HijackThis\HijackThis.exe
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [WD Drive Manager] C:\Program Files\Western Digital\WD Drive Manager\WDBtnMgrUI.exe
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [itech4] C:\WINDOWS\system32\drivers\itech4\itech.exe
O4 - HKLM\..\Run: [Malwarebytes Piracy] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /piracy
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKCU\..\Run: [Quick Hide Windows] C:\Program Files\CronoSoft\Quick Hide Windows\qhw.exe -s
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [PeerGuardian] C:\Program Files\PeerGuardian2\pg2.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: Speedfan.lnk = C:\Program Files\SpeedFan\speedfan.exe
O4 - Global Startup: SoundMAX Control Panel.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\drivers\itech4\imonlsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\drivers\itech4\imonlsp.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1238633442281
O17 - HKLM\System\CCS\Services\Tcpip\..\{73F6C600-AF72-41B3-BFBE-F97DD489C94B}: NameServer = 203.12.160.35,203.12.160.36
O17 - HKLM\System\CCS\Services\Tcpip\..\{F3BA4602-0A62-4FCC-A61A-96EF6B5C7664}: NameServer = 203.12.160.35,203.12.160.36
O20 - Winlogon Notify: dimsntfy - %SystemRoot%\System32\dimsntfy.dll (file missing)
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: getPlus(R) Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Unknown owner - C:\Program Files\Java\jre6\bin\jqs.exe" -service -config "C:\Program Files\Java\jre6\lib\deploy\jqs\jqs.conf (file missing)
O23 - Service: MBAMService - Malwarebytes - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
O23 - Service: TeamViewer 3 (TeamViewer) - Unknown owner - C:\Program Files\TeamViewer3\TeamViewer_Service.exe" -service (file missing)
O23 - Service: WD Drive Manager Service (WDBtnMgrSvc.exe) - WDC - C:\Program Files\Western Digital\WD Drive Manager\WDBtnMgrSvc.exe
ESET NOD32 Antivirus
Code:
Date: 4/7/2009
Time: 4:28:20 PM
Directory: C:\System Volume Information\_restore{D3695F7F-6197-4762-9134-CA0B8E551470}\RP43\A0013337.exe
Size: 126976
Reason: probably a variant of Win32/Agent Trojan
Date: 4/7/2009
Time: 4:23:25 PM
Directory: C:\System Volume Information\_restore{D3695F7F-6197-4762-9134-CA0B8E551470}\RP27\A0011389.dll
Size: 590792
Reason: Win32/Adware.WhenU.SaveNow application
Malwarebytes' Anti-Malware
Code:
Malwarebytes' Anti-Malware 1.35
Database version: 1945
Windows 5.1.2600 Service Pack 3
4/7/2009 12:02:19 AM
mbam-log-2009-04-07 (00-02-19).txt
Scan type: Quick Scan
Objects scanned: 75378
Time elapsed: 11 minute(s), 0 second(s)
Memory Processes Infected: 1
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1
Memory Processes Infected:
C:\WINDOWS\services.exe (Backdoor.Bot) -> Failed to unload process.
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services (Trojan.Agent) -> Quarantined and deleted successfully.
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
C:\WINDOWS\services.exe (Trojan.Agent) -> Delete on reboot.
Thanks in advance,
RevolutionTT.
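The two logs above point at the same thing from different sides: HijackThis shows the real C:\WINDOWS\system32\services.exe running, while Malwarebytes reports a second services.exe in C:\WINDOWS (a core-binary name in the wrong directory) together with a Run value that starts it. The script below is an added example, not code from the poster, HijackThis or Malwarebytes. It encodes the checks a responder applies to a HijackThis log by hand: a process or O4 autostart target whose file name matches a core Windows binary but whose directory is not that binary's home, plus the O-sections that usually need a second look (entries marked "(file missing)", O10 entries HijackThis could not attribute, O17 NameServer overrides). The expected-directory table and the O4 command-line splitting are assumptions for a default 32-bit Windows XP install; the sample log is constructed from lines in the post plus one process and one Run entry matching what the Malwarebytes log reports.

```python
"""Triage helper for HijackThis-style logs (added example, not HijackThis code)."""
import re
from dataclasses import dataclass

# Assumed home directories (default 32-bit XP) for binaries malware often impersonates.
EXPECTED_DIRS = {
    "smss.exe": {r"c:\windows\system32"},
    "csrss.exe": {r"c:\windows\system32"},
    "winlogon.exe": {r"c:\windows\system32"},
    "services.exe": {r"c:\windows\system32"},
    "lsass.exe": {r"c:\windows\system32"},
    "svchost.exe": {r"c:\windows\system32"},
    "explorer.exe": {r"c:\windows"},
}

O_LINE = re.compile(r"^(O\d+) - (.*)$")


@dataclass
class Finding:
    kind: str    # "masquerade", "dangling", "lsp" or "dns"
    detail: str


def check_process(path, context="running process"):
    """Flag a core-binary name whose directory is not its expected home."""
    p = path.strip().strip('"').lower()
    directory, _, name = p.rpartition("\\")
    expected = EXPECTED_DIRS.get(name)
    if expected is None or directory in expected:
        return None
    return Finding("masquerade",
                   f"{context}: {name} in {directory!r}, expected {sorted(expected)}")


def check_o_line(line):
    """Classify one 'Onn - ...' HijackThis entry; None means nothing to report."""
    m = O_LINE.match(line)
    if not m:
        return None
    section, rest = m.groups()
    if "(file missing)" in rest:
        # Registry still points at a file that is gone: leftover of removed software or malware.
        return Finding("dangling", f"{section}: {rest}")
    if section == "O10" and rest.lower().startswith("unknown file in winsock lsp"):
        # A Winsock LSP sits in every socket call, so an unattributed one needs identifying.
        return Finding("lsp", rest.split(":", 1)[1].strip())
    if section == "O17":
        # Resolver override: confirm the addresses belong to the ISP, not a DNS hijack.
        ns = re.search(r"NameServer = (\S+)", rest)
        return Finding("dns", ns.group(1)) if ns else None
    if section == "O4":
        m4 = re.search(r"\[(.*?)\]\s+(.*)$", rest)
        if not m4:
            return None  # Startup-folder .lnk entries are not parsed here
        target = m4.group(2)
        if target.startswith('"'):
            path = target[1:].split('"', 1)[0]
        else:
            # Heuristic (assumption): unquoted command line, arguments start at " -" or " /".
            path = re.split(r" [-/]", target, maxsplit=1)[0]
        return check_process(path, f"autostart [{m4.group(1)}]")
    return None


def triage(log_text):
    """Walk a HijackThis log and return findings in log order."""
    findings = []
    in_procs = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "Running processes:":
            in_procs = True
            continue
        if O_LINE.match(line):
            in_procs = False  # first O-section line ends the process list
        f = check_process(line) if in_procs else check_o_line(line)
        if f:
            findings.append(f)
    return findings


# Constructed sample: lines from the log above plus a C:\WINDOWS\services.exe
# process and Run entry consistent with the Malwarebytes findings.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\services.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [services] C:\WINDOWS\services.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O10 - Unknown file in Winsock LSP: c:\windows\system32\drivers\itech4\imonlsp.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{73F6C600-AF72-41B3-BFBE-F97DD489C94B}: NameServer = 203.12.160.35,203.12.160.36
O20 - Winlogon Notify: dimsntfy - %SystemRoot%\System32\dimsntfy.dll (file missing)
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.kind:10} {f.detail}")
```

Run against the sample, the masquerade check fires twice (the running C:\WINDOWS\services.exe and the Run value that launches it) while the genuine system32 copy passes; the dangling, LSP and DNS findings are review items, not verdicts, which is why each carries the raw entry for the responder to look up.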