malware type--- dropper

hello all… please help… my PC is continuously being hit by many viruses…

malware type- dropper

when I try to delete it or move it to the chest… it says “The operation is not supported for this type of archive”!!!

malware type- rootkit-gen
malware type-trojan horse
malware type- virus/worm

these types recur after deletion…

experts please help!!!

Try scanning your computer with an arsenal of malware removers like these:

Malwarebytes Anti-Malware 1.41 http://filehippo.com/download_malwarebytes_anti_malware/

SuperAntiSpyware 4.29.1002 http://filehippo.com/download_superantispyware/

a-squared Free 4.5.0.11 http://filehippo.com/download_asquared/

Come back and post the scan logs here.

hello…
I used MBAM and here are the scan logs…

Do a new full scan; when finished, click on the button “Remove Selected” to quarantine everything found, restart, and do a new scan to see if you are clean.

OBS: update Malwarebytes, you are using an old database (2775); the latest is 2907.

I see Windows 5.1.2600 Service Pack 2

WinXP SP3 has been available for over a year, so you should go to Tools, then Windows Update in Internet Explorer, and install all updates, as it provides performance enhancements and several critical updates.

Go to Control Panel, then Automatic Updates, and at least enable “Notify me but do not download updates”.

Run Secunia Online Software Inspector to see what applications are vulnerable:
http://secunia.com/vulnerability_scanning/online

hello…
I updated MBAM and did a full scan with restart 4 times… it has deleted many malwares but there is one which I get every time after each startup…

malware name: Win32 Rootkit-gen
malware type: rootkit

and here is the last logfile

Malwarebytes' Anti-Malware 1.41
Database version: 2908
Windows 5.1.2600 Service Pack 2

10/5/2009 9:23:57 PM
mbam-log-2009-10-05 (21-23-57).txt

Scan type: Full Scan (C:|D:|E:|)
Objects scanned: 152350
Time elapsed: 1 hour(s), 18 minute(s), 12 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BITS\ImagePath (Hijack.WindowsUpdates) → Bad: (%fystemRoot%\system32\svchost.exe -k netsvcs) Good: (%SystemRoot%\System32\svchost.exe -k netsvcs) → Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\wuauserv\ImagePath (Hijack.WindowsUpdates) → Bad: (%fystemroot%\system32\svchost.exe -k netsvcs) Good: (%SystemRoot%\System32\svchost.exe -k netsvcs) → Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\Drivers\str.sys (Rootkit.Agent) → Delete on reboot.

and one more warning I get after reboot: “DrWatson Postmortem Debugger has encountered some problem and…”
what is this? I didn’t install any such type of software…

similar to this : http://forum.avast.com/index.php?topic=49277.0

I went through the thread but sorry sir, I didn’t get what you are trying to say!!! ??? ???

“try” doing things as said there. see if you can get rid of the malware.

ok. I had already done whatever is mentioned in that thread… still I am getting the warning… is it that this malware type doesn’t do any harm (it never occurred before)… I try to delete it or move it to the chest… but it pops up after 15-20 minutes… now what??? should I ignore it???

what is the file name ? c:\x-xxx\xxx\xxx.xxx ?

Download and scan with HijackThis, don’t fix anything, and post the log here:
http://filehippo.com/download_hijackthis/

Then someone who can read these logs will help you, maybe essexboy; he is great when it comes to removing rootkits.

OBS: and Dr. Watson is part of Windows: http://en.wikipedia.org/wiki/Dr._Watson_(debugger)

+1

hello…
I think there’s something weird going on in my PC… all because of this rootkit… as my net connection gets automatically disabled, some weird sites pop up automatically… and I get this avast warning on and on… of malware… please help…

here are the hijackthis logfiles

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:41:10 PM, on 10/6/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\igfxsrvc.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Java\jre1.6.0\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\My Lockbox\flockbox.exe
C:\Program Files\DAP\DAP.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre1.6.0\bin\jucheck.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: DAPIELoader Class - {FF6C3CF0-4B15-11D1-ABED-709549C10000} - C:\PROGRA~1\DAP\DAPIEL~1.DLL
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [CorelDRAW Graphics Suite 11b] C:\Program Files\Corel\Corel Graphics 12\Languages\EN\Programs\Registration.exe /title="CorelDRAW Graphics Suite 12" /date=101009 serial=DR12WEX-1504397-KTY lang=EN
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0\bin\jusched.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [flockbox] C:\Program Files\My Lockbox\flockbox.exe /a
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [DownloadAccelerator] "C:\Program Files\DAP\DAP.EXE" /STARTUP
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Clean Traces - C:\Program Files\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - (no file)
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {195B4BBF-E1E4-4020-9773-0A8C6F65EA35} (CPlayFirstCookingDasControl Object) - http://aolsvc.aol.com/onlinegames/free-trial-cooking-dash/CookingDashWeb.1.0.0.9.cab
O16 - DPF: {74E4A24D-5224-4F05-8A41-99445E0FC22B} (GameHouse Games Player) - http://www.gamehouse.com/games/gamehouse/ghplayer.cab
O16 - DPF: {BAE1D8DF-0B35-47E3-A1E7-EEB3FF2ECD19} (CPlayFirstddfotgControl Object) - http://aolsvc.aol.com/onlinegames/free-trial-diner-dash-flo-on-the-go/ddfotg.1.0.0.33.cab
O16 - DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} (Zylom Games Player) - http://aolsvc.aol.com/onlinegames/free-trial-delicious-2-deluxe/zylomplayer.cab
O16 - DPF: {F4EBFE42-D82A-48EB-B70E-7499FFEAFF3F} (CPlayFirstDressShopHControl Object) - http://aolsvc.aol.com/onlinegames/free-trial-dress-shop-hop/DressShopHopWeb.1.0.0.9.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{FC412536-8230-4658-B7C4-30228A848A82}: NameServer = 192.172.1.1,202.56.215.54
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Background Intelligent Transfer Service (BITS) - Unknown owner - C:\WINDOWS
O23 - Service: Automatic Updates (wuauserv) - Unknown owner - C:\WINDOWS\


End of file - 6650 bytes

someday,

were you hit with a bsod recently?

nmb

sorry… what is BSOD?? is that some sort of malware???

see this: http://en.wikipedia.org/wiki/Blue_Screen_of_Death (click on the picture.)

no sir…


An analysis of your HJT log shows the following problems :

We couldn’t detect any active process of a firewall on your system. Possible reasons:
(1.) You are using the windows firewall or a hardware firewall.
(2.) You are using a firewall of an unknown vendor.
(3.) You are using a firewall, but for unknown reasons it is disabled
(4.) You don’t use any firewall at all.
We recommend that you use a firewall.

Platform: Windows XP SP2 (WinNT 5.01.2600)
A newer version of service pack is available. Service packs increase the safety of your system. Visit Microsoft’s windowsupdate site to download the newest version of the service pack.

MSIE: Internet Explorer v7.00 (7.00.5730.0013)
IE8 has been out for many months and is more secure than IE7.

O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - (no file)
Unnecessary (deactivated) entry that can be fixed.

O9 - Extra ‘Tools’ menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - (no file)
Unnecessary (deactivated) entry that can be fixed.

O16 - DPF: {74E4A24D-5224-4F05-8A41-99445E0FC22B} (GameHouse Games Player) - http://www.gamehouse.com/games/gamehouse/ghplayer.cab
Check if you know this site and fix it if you do not. Unknown ActiveX-Objects, or ActiveX-Objects from unknown sites should always be fixed.

O17 - HKLM\System\CCS\Services\Tcpip\..\{FC412536-8230-4658-B7C4-30228A848A82}: NameServer = 192.172.1.1,202.56.215.54
Do you know the IP or Domain ‘192.172.1.1,202.56.215.54’? If not, fix this entry.
This is probably your ISP but you should check it to be sure.

O23 - Service: Automatic Updates (wuauserv) - Unknown owner - C:\WINDOWS
This is a fake Windows Update AutoUpdate Service and should be fixed.
Items listed as O23 are listings of non-Microsoft services. The list should be the same as the one you see in the Msconfig utility of Windows XP. Several trojan hijackers use a homemade service in addition to other startups to reinstall themselves. The full name is usually important-sounding, like ‘Network Security Service’, ‘Workstation Logon Service’ or ‘Remote Procedure Call Helper’ or, as in this case, Windows Update AutoUpdate Service.
http://www.threatexpert.com/files/wuauserv.dll.html

Overview of running tasks :

smss.exe
System task
Session Manager Subsystem

winlogon.exe
System task
Microsoft Windows Logon Process

services.exe
System task
Windows Service Controller

lsass.exe
System task
Local Security Authority Service

svchost.exe
System task
Microsoft Service Host Process

svchost.exe
System task
Microsoft Service Host Process

aswUpdSv.exe
Virusscan
Avast Anti-Virus Component

ashServ.exe
Virusscan
Avast

Explorer.EXE
System task
Microsoft Windows Explorer

igfxtray.exe
Application
Intel Graphics configuration and diagnostic application

hkcmd.exe
Application
Intel multimedia devices

igfxpers.exe
Driver
Intel Common User Interface Module

SOUNDMAN.EXE
Backgroundtask
Realtek Avance Logic Inc

igfxsrvc.exe
Driver
Intel(R) Common User Interface

ashDisp.exe
Virusscan
Avast AntiVirus

jusched.exe
Backgroundtask
Sun Java Update Scheduler

realsched.exe
Application
RealNetworks Scheduler

flockbox.exe
Unknown task
This security software from FSPro Labs allows you to password protect any folder on your computer.
http://www.pcpitstop.com/libraries/process/i/flockbox.exe.html

DAP.EXE
Backgroundtask
Download Accelerator Plus from Speedbit.

ctfmon.exe
System task
Alternative User Input Services

spoolsv.exe
System task
Microsoft Printer Spooler Service

ashMaiSv.exe
Virusscan
Avast Anti-Virus Component

ashWebSv.exe
Virusscan
avast! Web Scanner

iexplore.exe
Application
Microsoft Internet Explorer

svchost.exe
System task
Microsoft Service Host Process

svchost.exe
System task
Microsoft Service Host Process

svchost.exe
System task
Microsoft Service Host Process

svchost.exe
System task
Microsoft Service Host Process

svchost.exe
System task
Microsoft Service Host Process

svchost.exe
System task
Microsoft Service Host Process

jucheck.exe
Backgroundtask
Sun Java UpdateChecker Module

HijackThis.exe
Application
Merijn Hijackthis
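The two hijack patterns that show up in this thread's logs, the BITS/wuauserv ImagePath rewritten to a one-letter-off `%fystemRoot%` in the MBAM log, and the O23 service and O17 NameServer entries called out in the HijackThis analysis, can both be caught mechanically. The checker below is an added example for readers of the thread; it is not code from the thread, from Malwarebytes, from HijackThis or from avast. The trusted-resolver list, the set of svchost-hosted services, the placeholder interface GUID and the sample log lines are all assumptions constructed for the demo (the resolver addresses are documentation-range values, not the ones in the log above).

```python
# Added example (not from the thread, and not code from Malwarebytes, HijackThis
# or avast): a small checker for the two hijack patterns the thread's logs show,
# a service path that no longer points at the genuine svchost.exe, and a
# NameServer (O17) entry the machine's owner does not recognise.
import re

# Genuine host binary for netsvcs-group services on Windows XP, in the two
# spellings it commonly appears in (environment-variable form and expanded).
GENUINE_SVCHOST = {
    r"%systemroot%\system32\svchost.exe",
    r"c:\windows\system32\svchost.exe",
}

# Services that must be hosted by svchost.exe: the two the MBAM log flagged.
SVCHOST_HOSTED = {"bits", "wuauserv"}

# Resolvers the owner has confirmed as legitimate. Placeholder value (assumption):
# fill in the addresses your ISP or router actually hands out.
TRUSTED_NAMESERVERS = {"192.168.1.1"}

O23_RE = re.compile(
    r"^O23 - Service: (?P<display>.+?)(?: \((?P<name>[^()]+)\))?"
    r" - (?P<owner>.+?) - (?P<path>.+)$"
)
O17_RE = re.compile(r"^O17 - .*NameServer = (?P<servers>.+)$")


def check_image_path(service, image_path):
    """Return a finding for an svchost-hosted service whose path is not the
    genuine svchost.exe (a one-letter change such as %fystemRoot% fails this
    check, and so does a truncated path), or None when the value looks right."""
    if service.lower() not in SVCHOST_HOSTED:
        return None
    value = image_path.strip().strip('"').lower()
    exe = value.split(" -k ")[0].strip()  # drop the "-k netsvcs" group argument
    if exe not in GENUINE_SVCHOST:
        return f"{service}: path '{image_path}' is not the genuine svchost.exe"
    return None


def check_nameservers(servers):
    """Return the resolver addresses in a comma-separated O17 value that are
    not in the trusted list."""
    return [s.strip() for s in servers.split(",") if s.strip() not in TRUSTED_NAMESERVERS]


def review_hjt_lines(lines):
    """Walk HijackThis-style lines and collect findings for O23 and O17 entries."""
    findings = []
    for line in lines:
        line = line.strip()
        m = O23_RE.match(line)
        if m:
            # Prefer the short service name (wuauserv) over the display name.
            name = m.group("name") or m.group("display")
            finding = check_image_path(name, m.group("path"))
            if finding:
                findings.append(finding)
            continue
        m = O17_RE.match(line)
        if m:
            unknown = check_nameservers(m.group("servers"))
            if unknown:
                findings.append("O17: unrecognised NameServer(s) " + ", ".join(unknown))
    return findings


# Constructed sample lines modelled on the thread's HijackThis output, with a
# placeholder interface GUID and documentation-range resolver addresses.
SAMPLE_HJT_LOG = r"""
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: Background Intelligent Transfer Service (BITS) - Unknown owner - C:\WINDOWS
O23 - Service: Automatic Updates (wuauserv) - Unknown owner - C:\WINDOWS\
O17 - HKLM\System\CCS\Services\Tcpip\..\{00000000-0000-0000-0000-000000000000}: NameServer = 192.168.1.1,203.0.113.53
"""

# Constructed registry values in the shape the MBAM log reported them.
SAMPLE_IMAGE_PATHS = {
    "BITS": r"%fystemRoot%\system32\svchost.exe -k netsvcs",
    "wuauserv": r"%SystemRoot%\System32\svchost.exe -k netsvcs",
}

if __name__ == "__main__":
    for finding in review_hjt_lines(SAMPLE_HJT_LOG.strip().splitlines()):
        print(finding)
    for svc, path in SAMPLE_IMAGE_PATHS.items():
        print(svc, "->", check_image_path(svc, path) or "OK")
```

The check is deliberately an exact-match against the genuine svchost path rather than a "looks roughly right" test: the hijack in the MBAM log differs from the real value by a single character, which is exactly the kind of difference a human skimming a log misses and an exact comparison does not. The O17 test only tells you which resolvers you have not vetted; as the analysis post says, the addresses may well be your ISP's, so confirm them before fixing the entry.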


thanks sir CharleyO for replying… I would like you to see this, as when I google this malware it says that it disables the firewall and affects network settings…

please tell me how I can free my PC from it???