Hi everyone and first of all, thank you very much for your help.
A couple of days ago I got infected by malware and I can't find the culprit... I have various symptoms; the main ones are:
- I can neither access most antivirus/antispyware sites nor update them (AVG, Spybot, Ad-Aware, Malwarebytes).
- Can't execute Malwarebytes
- I get random errors executing programs
- After a HijackThis scan I have identified more than one malware file
I'm quite sure I'm not going to find a good solution for this... I'm ready to format, but I would like to save my personal files and I'm afraid I'll "back up" the malware if I do so.
Here is my HijackThis log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 0:07:16, on 06/05/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Archivos de programa\Archivos comunes\Logishrd\Bluetooth\LBTServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Archivos de programa\Google\Gmail Notifier\G001-1.0.25.0\gnotify.exe
C:\WINDOWS\CTHELPER.EXE
C:\ARCHIV~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Archivos de programa\nfsd\pmapd.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\Dani\Datos de programa\ptidle\ptidle.exe
C:\WINDOWS\system32\SYS32DLL.exe
C:\RECYCLER\S-1-5-21-0243636035-3055115376-381863306-1556\pqlmq.exe
C:\Archivos de programa\nfsd\nfsd.exe
C:\Archivos de programa\FileBX\FileBX.exe
C:\Archivos de programa\Logitech\SetPoint\SetPoint.exe
C:\Archivos de programa\Archivos comunes\Logishrd\KHAL2\KHALMNPR.EXE
C:\DOCUME~1\Dani\CONFIG~1\Temp\560.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
D:\Programas\HiJackThissss.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:7171
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local;<local>
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
O1 - Hosts: 82.98.231.89 url.adtrgt.com
O1 - Hosts: 82.98.231.89 googleads2.gdoubleclick.net
O2 - BHO: Aplicación auxiliar de vínculos de Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Archivos de programa\Archivos comunes\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Archivos de programa\AVG\AVG8\avgssie.dll
O2 - BHO: (no name) - {41e23444-af80-4982-b656-1af3cd2f7453} - C:\WINDOWS\system32\guvumuso.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Archivos de programa\Java\jre1.6.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Archivos de programa\Google\Gmail Notifier\G001-1.0.25.0\gnotify.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [AVG8_TRAY] C:\ARCHIV~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [jehuvivode] Rundll32.exe "C:\WINDOWS\system32\bohusika.dll",s
O4 - HKLM\..\Run: [CPM63f9c9d5] Rundll32.exe "c:\windows\system32\vutanoko.dll",a
O4 - HKLM\..\Run: [reader_s] C:\WINDOWS\System32\reader_s.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ptidle] "C:\Documents and Settings\Dani\Datos de programa\ptidle\ptidle.exe" 61A847B5BBF728173599284503996897C881250221C8670836AC4FA7C8833201749139
O4 - HKCU\..\Run: [A00F5BA04C.exe] C:\DOCUME~1\Dani\CONFIG~1\Temp\_A00F5BA04C.exe
O4 - HKCU\..\Run: [SYS32DLL] SYS32DLL
O4 - HKCU\..\Run: [12ZFG94-F641-2SF-K31P-5N1ER6H6L2] C:\RECYCLER\S-1-5-21-0626014194-1734450689-956961927-2705\service.exe
O4 - HKCU\..\Run: [12CFG515-K641-55SF-N66P] C:\RECYCLER\S-1-5-21-0243636035-3055115376-381863306-1556\pqlmq.exe
O4 - HKCU\..\Run: [A00F1BEB7.exe] C:\DOCUME~1\Dani\CONFIG~1\Temp\_A00F1BEB7.exe
O4 - HKCU\..\Run: [A00F13CA6.exe] C:\DOCUME~1\Dani\CONFIG~1\Temp\_A00F13CA6.exe
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: FileBox eXtender.lnk = C:\Archivos de programa\FileBX\FileBX.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Archivos de programa\Logitech\SetPoint\SetPoint.exe
O8 - Extra context menu item: E&xportar a Microsoft Excel - res://C:\ARCHIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Consola de Sun Java - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Referencia - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARCHIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/softwareupdate/su/...031/CTSUEng.cab
O16 - DPF: {9E065E4A-BD9D-4547-8F90-985DC62A5591} (PlayerPT Control) - http://192.168.1.15:1024/PlayerPT.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/softwareupdate/su/...15034/CTPID.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{87A7A1B5-3BD6-40AB-9B9C-C57BDD6BAE7A}: NameServer = 85.255.112.117,85.255.112.121
O17 - HKLM\System\CCS\Services\Tcpip\..\{B138C3BD-BBE9-4DBE-AB53-BC38F689815B}: NameServer = 85.255.112.117,85.255.112.121
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.112.117,85.255.112.121
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.112.117,85.255.112.121
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.112.117,85.255.112.121
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Archivos de programa\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: C:\WINDOWS\system32\tapubanu.dll c:\windows\system32\vutanoko.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O20 - Winlogon Notify: __c0041924 - C:\WINDOWS\system32\__c0041924.dat
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\vutanoko.dll
O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\vutanoko.dll
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\ARCHIV~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\ARCHIV~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Servicio de transferencia inteligente en segundo plano (BITS) - Unknown owner - C:\WINDOWS\
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Archivos de programa\Archivos comunes\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Archivos de programa\Archivos comunes\Logishrd\Bluetooth\LBTServ.exe
O23 - Service: NFS Server (NFSserver) - Dr. Hanewinkel -- www.haneWIN.de - C:\Archivos de programa\nfsd\nfsd.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SunRPC Portmap Daemon (PMAPDaemon) - Dr. Hanewinkel -- www.haneWIN.de - C:\Archivos de programa\nfsd\pmapd.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software GmbH - C:\WINDOWS\System32\TuneUpDefragService.exe
O23 - Service: TVersityMediaServer - Unknown owner - C:\Archivos de programa\TVersity\Media Server\MediaServer.exe
--
End of file - 7760 bytes
Thanks a lot!
#1
Posted 06 May 2009 - 02:30 PM
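As an added illustration that is not part of the original thread, here is a small Python triage script that flags the kinds of HijackThis entries in the log above that a helper would look at first: a browser proxy on a local port, hosts-file redirects, an unnamed BHO, autostart entries running from Temp or RECYCLER, DNS servers changed to public addresses, and a populated AppInit_DLLs value. The sample lines are copied from the log; the rules are my own assumptions about what deserves a second look, not anything HijackThis itself does.

```python
import re
from ipaddress import ip_address

# Constructed sample: a handful of lines copied from the HijackThis log in the post above.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:7171
O1 - Hosts: 82.98.231.89 googleads2.gdoubleclick.net
O2 - BHO: (no name) - {41e23444-af80-4982-b656-1af3cd2f7453} - C:\WINDOWS\system32\guvumuso.dll
O4 - HKLM\..\Run: [AVG8_TRAY] C:\ARCHIV~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [A00F5BA04C.exe] C:\DOCUME~1\Dani\CONFIG~1\Temp\_A00F5BA04C.exe
O4 - HKCU\..\Run: [12CFG515-K641-55SF-N66P] C:\RECYCLER\S-1-5-21-0243636035-3055115376-381863306-1556\pqlmq.exe
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.112.117,85.255.112.121
O20 - AppInit_DLLs: C:\WINDOWS\system32\tapubanu.dll c:\windows\system32\vutanoko.dll
"""

# Folders that legitimate autostart entries almost never run from (assumed rule).
SUSPECT_DIRS = ("\\temp\\", "\\recycler\\")

def triage(log_text):
    """Return (section, reason, line) findings for the HijackThis lines in log_text."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        section = line.split(" ", 1)[0]
        low = line.lower()
        if section == "R1" and "proxyserver" in low and ("localhost" in low or "127.0.0.1" in low):
            findings.append((section, "browser proxied through a local port", line))
        elif section == "O1":
            # Any hosts-file entry is worth a look; here ad/Google domains are pinned to one address.
            findings.append((section, "hosts file redirects a domain", line))
        elif section == "O2" and "(no name)" in low:
            findings.append((section, "unnamed BHO loaded into Internet Explorer", line))
        elif section == "O4" and any(d in low for d in SUSPECT_DIRS):
            findings.append((section, "autostart entry runs from Temp or RECYCLER", line))
        elif section == "O17":
            m = re.search(r"NameServer = ([\d.,]+)", line)
            addrs = m.group(1).split(",") if m else []
            # A home PC normally resolves via the router or the ISP; public addresses deserve checking.
            if addrs and not all(ip_address(a).is_private for a in addrs):
                findings.append((section, "DNS servers overridden with public addresses", line))
        elif low.startswith("o20 - appinit_dlls:") and line.split(":", 1)[1].strip():
            findings.append((section, "AppInit_DLLs loads DLLs into every process", line))
    return findings

if __name__ == "__main__":
    for section, reason, line in triage(SAMPLE_LOG):
        print(f"[{section}] {reason}: {line}")
```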
#2
Posted 07 May 2009 - 02:27 PM
I have bad news for you.
I see you're dealing with Virut on top of the other nasty malware you are dealing with. In that case, it's unfortunately a lost case - Game over situation and a format and reinstall is the fastest and especially the safest solution.
You may want to read why here:
Virut and other File infectors - Throwing in the Towel?
So, I suggest you start backing up all of your valuable data/documents/pictures/movies/songs/etc. Do NOT back up any applications/installers and do NOT back up any .exe/.scr/.htm/.html/.xml/.zip/.rar files...
This is because these files may be infected as well. If you back them up and restore them afterwards, they will infect your computer again.
Read here for instructions on how to format and reinstall Windows: http://web.mit.edu/ist/products/winxp/adva...all-format.html
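One way to carry out the backup the reply describes, as an added example that is not the helper's own tool: a Python script that copies a user folder while skipping the listed extensions (case-insensitively, since Windows treats Setup.EXE and setup.exe alike) and reports how many files were left behind. The folder layout and fixture files in demo() are constructed.

```python
import shutil
import tempfile
from pathlib import Path

# File types the reply above says not to carry over, since a file infector may have altered them.
EXCLUDED_EXT = {".exe", ".scr", ".htm", ".html", ".xml", ".zip", ".rar"}


def plan_backup(src):
    """Split the files under src into (to_copy, skipped) lists of paths relative to src."""
    src = Path(src)
    to_copy, skipped = [], []
    for path in sorted(src.rglob("*")):
        if path.is_file():
            # suffix.lower() makes the check case-insensitive, as Windows file names are.
            (skipped if path.suffix.lower() in EXCLUDED_EXT else to_copy).append(path.relative_to(src))
    return to_copy, skipped


def run_backup(src, dst):
    """Copy the allowed files from src into dst, keeping folder structure; return (copied, skipped) counts."""
    to_copy, skipped = plan_backup(src)
    for rel in to_copy:
        target = Path(dst) / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(Path(src) / rel, target)
    return len(to_copy), len(skipped)


def demo():
    """Constructed fixture: a user folder holding documents mixed with the excluded file types."""
    with tempfile.TemporaryDirectory() as tmp:
        src, dst = Path(tmp) / "user", Path(tmp) / "backup"
        (src / "Pictures").mkdir(parents=True)
        for name in ["notes.txt", "Pictures/holiday.JPG", "Setup.EXE", "saved page.html", "archive.zip"]:
            (src / name).write_text("constructed content")
        counts = run_backup(src, dst)
        copied = sorted(str(p.relative_to(dst)).replace("\\", "/") for p in dst.rglob("*") if p.is_file())
        return counts, copied


if __name__ == "__main__":
    print(demo())  # ((2, 3), ['Pictures/holiday.JPG', 'notes.txt'])
```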
#3
Posted 07 May 2009 - 02:57 PM
Thanks a lot for the fast response. After I saw the HijackThis log, even though I'm not an expert, I knew something was very wrong.
I'll do what you say today. After that, is there anything I can do/check to be sure I have eradicated the threat before installing everything again?
Right now I have two HDDs and my intention is to format just the one I have Windows installed on and delete all the executable, compressed and html/xml files from the other one.
Thanks!
#4
Posted 07 May 2009 - 03:05 PM
Hi,
If you didn't run any executables from the other drives, then they are not infected. However, it's still no guarantee that the executables on the other drives are clean. It's worth a try - you'll see after you have reinstalled Windows. Then install an antivirus and let it scan all your drives.
Also, make sure this won't happen again, so please read my Prevention page with lots of info and tips on how to prevent this in the future.
Extra note: Make sure your programs are up to date, because older versions may contain security leaks. To find out what programs need to be updated, please run the Secunia Software Inspector Scan.
Happy Surfing again!
#5
Posted 08 May 2009 - 08:59 AM
Great info on the prevention page. I think I'm ready to surf again with a fresh and up-to-date XP installation and, following your recommendations, a protection pack based on Avira, Malwarebytes and Online Armor.
Now I have to do the same on the other 2 PCs I had on my network when I got the virus, as they got infected as well...
Thanks a lot for the help
#6
Posted 08 May 2009 - 09:32 AM
You're most welcome
#7
Posted 12 May 2009 - 11:30 AM
Since this issue appears resolved ... this Topic is closed.
If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.
Everyone else please begin a New Topic.