Virtumonde, Win32.delf.uc, Windows Login Loop


12 replies to this topic

#1 OuterRem


Posted 30 October 2007 - 04:14 PM

I went to a site 2 days ago that infected me, gave me a whole list of terrible stuff, and just as I was cleaning it off with Spybot, Symantec (which I also have the full version of) popped up, froze my computer and I was forced to do a hard reboot. Since then, whenever I boot normally I get to the Windows login screen, I log in, my desktop background appears and it tells me that Windows is loading. Immediately it tells me that I'm logging off, and it is saving my Windows settings, and I'm back at the login screen. This happens every time.

I was able to start up in Safe Mode, and later in Safe Mode with Networking, and acquire the following programs:

HijackThis! 2.0.2
ComboFix
VundoFix
VirtumundoBeGone

All latest versions. Spybot constantly picks up Virtumonde and even though it says it is removing it, it doesn't manage to. So instead, one of your members kindly pointed out the tutorial for VundoFix and VirtumundoBeGone. I've used VundoFix and after a few "Delete on Reboot" attempts, managed to clean everything it had found. However, scanning with Spybot afterwards, I still found Virtumonde and then Win32.Delf.uc on my computer. I cleaned both but Virtumonde still shows up every time. My assumption is that I actually took care of it, but remnants of the virus are still showing up in scans. Any assistance in removing it, or what's left of it, will be appreciated. Also, as I am online using Safe Mode, I am constantly reinfecting myself with lesser adware and spyware. So I will not be able to maintain this connection for long.

Finally, this Windows Login -> Log off loop is killing me, but I don't know how to stop it. All I know for sure is it's related to Spybot being frozen by Symantec in the middle of fixing all those problems the very first time I ran it.

Here is my HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:11:05 PM, on 10/30/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Safe mode with network support

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [imjpmig] H:\IME\IMJP\imjpmig.exe /RemAdvDef /AIMEREG /Migration /SetPreload
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\\vptray.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [bload] C:\WINDOWS\system32\bload.exe
O4 - HKLM\..\Run: [98febd22] rundll32.exe "C:\WINDOWS\system32\osajyrny.dll",b
O4 - HKLM\..\Run: [idohuxml] rundll32.exe "C:\Program Files\dubyvqls\bmnufcrs.dll",Init
O4 - HKLM\..\RunOnce: [VundoFix] "C:\Documents and Settings\Sabin Jacob\Desktop\vundofix.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Seol] "C:\DOCUME~1\SABINJ~1\APPLIC~1\F?Ints\regedit.exe" -vt yazb
O4 - HKCU\..\Run: [Vrou] "C:\Program Files\Common Files\?ecurity\s??oolsv.exe"
O4 - HKCU\..\Run: [DDC] C:\WINDOWS\system32\oefexblb.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\gamelink.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\gamelink.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\gamelink.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\gamelink.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\gamelink.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\gamelink.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\gamelink.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\gamelink.dll
O15 - Trusted Zone: http://arad.hangame.co.jp
O15 - Trusted Zone: http://id.hangame.co.jp
O15 - ESC Trusted Zone: http://*.update.microsoft.com
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1169092947375
O16 - DPF: {8E9089E1-0461-4F60-8150-1E334629ABB7} (CNeopleInstallAXCtlJap6 Object) - http://down.hangame.co.jp/jp/pudn/pubarad/...er/arad_dis.cab
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 5791 bytes



#2 RichieUK


Posted 30 October 2007 - 05:53 PM

Welcome to the BleepingComputer HijackThis Logs and Analysis forum OuterRem :thumbsup:
My name is Richie and I'll be helping you to fix your problems.

I've noticed you started a topic at Safer Networking Forums:
http://forums.spybot.info/showthread.php?t=19601

I suggest you carry on with the above topic, or at least let the guys there know you're receiving help elsewhere.

You have a Backdoor Trojan present on your PC.
A Backdoor is a software program that gives an attacker unauthorized access to a machine and the means for remotely controlling the machine without the user's knowledge. A Backdoor compromises system integrity by making changes to the system that allow it to be used by the attacker for malicious purposes unknown to the user.

They are typically installed without user interaction through security exploits, and may allow an attacker to remotely control the infected machine. Such risks may allow the attacker to install additional malware and use the compromised machine to participate in denial of service attacks, spamming, and bot nets, or to transmit sensitive data to a remote server. The malware may be cloaked and not visible to the user. These risks severely compromise the system by lowering security settings, installing 'backdoors,' infecting system files, or spreading to other networked machines.

If your computer was used for online banking or has credit card information on it, all passwords should be changed immediately to include those used for email, eBay and forums.
You should consider them to be compromised.
They should be changed by using a different computer and not the infected one; if not, an attacker may get the new passwords and transaction information. Banking and credit card institutions should be notified of the possible security breach.

Since your computer was compromised read:
How to report ID theft, fraud, drive-by installs, hijacking and malware:
http://www.dslreports.com/faq/10451

When Should I Format, How Should I Reinstall:
http://www.dslreports.com/faq/10063

If you want us to go ahead and clean up your system then fair enough, but there's no way I can guarantee your PC will be 100% safe once we've finished.
Let me know how you wish to proceed.

#3 OuterRem


Posted 30 October 2007 - 10:09 PM

Well, I have two HDDs and I wonder if perhaps I have to format both:

C: (80 GB) (This is the drive I boot from, ALL installed programs are located on this drive. All WINDOWS system files and hardware drivers are on this HDD.)
D: (120 GB) (This drive has all Media, Music, Images and program/driver installers that I've backed up.)

So what if we cleaned the C: drive, then I transferred all the files I want to save to my Seagate portable HDD, then we format the C: drive without formatting the D: drive.

Basically:
Would attempting that possibly spread the infection to my portable HDD?
& Would the infection also reside on the D: drive such that I'd have to format it too?

I'm hoping to save as much as I can, if it turns out that this virus only sits in the Windows System Files.

If not, if I surely can't save anything because the Virus files could hide on either Drive and amongst my media files, then I'll format it all and start again.

-Thank you SO MUCH for your fast response. You can't imagine what this means to me. Or maybe you've had this experience yourself, I don't know.

Sincerely,
-Rem.

------------------------------------------
P.S. The only financial data I have on this computer... Once upon a time (months ago), I used to access my bank's statements (Bank of America) on the web. However, it never memorized my password or account information. So I don't have cookies that log me into the website as soon as I visit, or a record of my passwords to the bank website.

Edited by OuterRem, 31 October 2007 - 01:44 AM.


#4 RichieUK


Posted 31 October 2007 - 07:27 AM

OK, let's clean up your C:\ drive:

If you have previously downloaded ComboFix, please delete that version now.
Now download ComboFix and save it to your desktop:
Note:
It is important that it is saved directly to your desktop.

Close any open browsers.
Click on Start/Run, copy and paste the following bold text into the 'Open:' space, then press OK:
"%userprofile%\desktop\combofix.exe" /killall
Combofix.exe will start; please follow the prompts.
When it's finished it will produce a log.
Post the entire contents of C:\ComboFix.txt into your next reply.
Note:
Do not mouse-click ComboFix's window while it's running.
That may cause the program to freeze/hang.

Do NOT post the ComboFix-quarantined-files.txt unless I ask.
*NOTE*
In case your antivirus or any other real-time scanner is displaying an alert after you downloaded ComboFix or while you use ComboFix, please disable your scanner and redownload ComboFix again.
Some scanners may see some ComboFix-related components as suspicious and block or delete them while there's nothing wrong with them.


Now go to:
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
Right click on HijackThis.exe and select 'Rename', and rename it to abc.bat.
Double click on abc.bat (which is still HijackThis.exe) and post that log into your next reply please.

#5 OuterRem


Posted 31 October 2007 - 02:40 PM

I did exactly as you say, and after ComboFix started deleting virus related files it rebooted my computer. It got to the Windows XP Booting screen, with the logo in the middle and the loading bar underneath, then the screen went black and it's sitting like this.

Should I do a hard reset and try to boot into safe mode instead? After all, I don't think I can log in to windows normally anyway, so it's just a matter of whether it will do anything from this blank screen, or if that was an error.

::EDIT::
Hard resetting... Safe Mode w/ Networking...

Edited by OuterRem, 31 October 2007 - 03:03 PM.


#6 OuterRem


Posted 31 October 2007 - 03:07 PM

There was no ComboFix.txt in the C:\ directory, so I'm assuming the program failed after what happened.

Here is the HijackThis log after renaming it.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:05, on 2007-10-31
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Safe mode with network support

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Trend Micro\HijackThis\abc.bat
C:\WINDOWS\system32\wbem\wmiprvse.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {25997E08-274A-4217-8F71-C89C754242C1} - C:\WINDOWS\system32\iifcaax.dll
O2 - BHO: (no name) - {4E9C8BD8-E3E9-4D6D-9351-B61D8D29FDBF} - C:\WINDOWS\system32\ssttt.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [imjpmig] H:\IME\IMJP\imjpmig.exe /RemAdvDef /AIMEREG /Migration /SetPreload
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\\vptray.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [bload] C:\WINDOWS\system32\bload.exe
O4 - HKLM\..\Run: [combofix] "C:\WINDOWS\system32\cmd.exe" /c "cd /d C:\ComboFix\ & Combobatch.bat"
O4 - HKLM\..\RunOnce: [VundoFix] "C:\Documents and Settings\Sabin Jacob\Desktop\vundofix.exe"
O4 - HKLM\..\RunOnce: [combofix] C:\WINDOWS\system32\cmd.exe /c C:\ComboFix\Combobatch.bat
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Seol] "C:\DOCUME~1\SABINJ~1\APPLIC~1\F?Ints\regedit.exe" -vt yazb
O4 - HKCU\..\Run: [Vrou] "C:\Program Files\Common Files\?ecurity\s??oolsv.exe"
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\gamelink.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\gamelink.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\gamelink.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\gamelink.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\gamelink.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\gamelink.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\gamelink.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\gamelink.dll
O15 - Trusted Zone: http://arad.hangame.co.jp
O15 - Trusted Zone: http://id.hangame.co.jp
O15 - ESC Trusted Zone: http://*.update.microsoft.com
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1169092947375
O16 - DPF: {8E9089E1-0461-4F60-8150-1E334629ABB7} (CNeopleInstallAXCtlJap6 Object) - http://down.hangame.co.jp/jp/pudn/pubarad/...er/arad_dis.cab
O20 - Winlogon Notify: iifcaax - C:\WINDOWS\SYSTEM32\iifcaax.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 6382 bytes

#7 RichieUK


Posted 31 October 2007 - 04:41 PM

Please download OTMoveIt by OldTimer:
http://download.bleepingcomputer.com/oldtimer/OTMoveIt.exe

Save it to your desktop.
Please double-click OTMoveIt.exe to run it.
Copy the file paths inside the quote box below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose 'Copy'):

C:\WINDOWS\SYSTEM32\iifcaax.dll
C:\WINDOWS\system32\bload.exe

Return to OTMoveIt, right click on the "Paste List of Files/Folders to be moved" window and choose Paste.
Click the red Moveit! button.

Copy everything on the 'Results' window to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose 'Copy'), and paste it into your next reply.
Close OTMoveIt

If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process.
If you are asked to reboot the machine choose Yes.


Download\install 'SuperAntiSpyware Home Edition Free Version' from here:
http://www.superantispyware.com/downloadfi...ANTISPYWAREFREE

Launch SuperAntiSpyware and click on 'Check for updates'.
Once the updates have been installed, exit SuperAntiSpyware.

Have Hijack This fix the following by placing a check in the appropriate boxes and selecting 'Fix checked'.
Make sure all browser and all Windows Explorer windows are closed before fixing:
O2 - BHO: (no name) - {25997E08-274A-4217-8F71-C89C754242C1} - C:\WINDOWS\system32\iifcaax.dll
O2 - BHO: (no name) - {4E9C8BD8-E3E9-4D6D-9351-B61D8D29FDBF} - C:\WINDOWS\system32\ssttt.dll (file missing)
O4 - HKLM\..\Run: [bload] C:\WINDOWS\system32\bload.exe
O4 - HKCU\..\Run: [Seol] "C:\DOCUME~1\SABINJ~1\APPLIC~1\F?Ints\regedit.exe" -vt yazb
O4 - HKCU\..\Run: [Vrou] "C:\Program Files\Common Files\?ecurity\s??oolsv.exe"
O20 - Winlogon Notify: iifcaax - C:\WINDOWS\SYSTEM32\iifcaax.dll

Exit Hijackthis.

Start SuperAntiSpyware.
On the main screen click on 'Scan your computer'.
Check: 'Perform Complete Scan'.
Click 'Next' to start the scan.

SuperAntiSpyware will now scan your computer; when it's finished it will list all/any infections found.
Make sure everything found has a checkmark next to it, then press 'Next'.
Click on 'Finish' when you're done.

It's possible that the program will ask you to reboot in order to delete some files.

Obtain the SuperAntiSpyware log as follows:
Click on 'Preferences'.
Click on the 'Statistics/Logs' tab.
Under 'Scanner Logs' double click on 'SuperAntiSpyware Scan Log'.
It will then open in your default text editor, such as Notepad.
Copy and paste the contents of that report into your next reply.


Please run this online virus scan: Activescan, using Internet Explorer.
Once you are on the Panda site click the Scan your PC button
A new window will open...click the Check Now button
Enter your Country
Enter your State/Province
Enter your e-mail address and click send
Select either Home User or Company
Click the big Scan Now button
If it wants to install an ActiveX component allow it
It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
When download is complete, click on Local Disks to start the scan
When the scan completes, click the See Report button, then Save Report, and save it to your desktop.
Copy and paste the contents of that report in your next reply.


Please download Deckard's System Scanner (DSS) and save it to your Desktop.
* Close all other windows before proceeding.
* Double-click on dss.exe and follow the prompts.
* When it has finished, DSS will open two Notepads: main.txt and extra.txt
* Use Save As to save both Notepad files to your Desktop and post them in your next reply.

Edited by RichieUK, 31 October 2007 - 04:45 PM.

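The entries Richie picks out above (a nameless BHO, the same DLL registered as both a BHO and a Winlogon Notify handler, Run values with unprintable characters, a repeated unknown LSP file) can be found mechanically in a HijackThis log. The script below is an added example written for this thread, not a tool from the thread or from BleepingComputer; its severity rules are heuristics of my own, and the sample log is a constructed excerpt built from lines in the logs posted above.

```python
"""Triage a HijackThis 2.0.2 log by parsing its O2/O4/O10/O20 lines and
flagging the patterns a helper looks for: a BHO with no name or a missing
file, a DLL that is both a BHO and a Winlogon Notify handler, Run values
with unprintable characters or a random hex name, and an unknown Winsock
LSP file repeated many times.  Severity rules are heuristics, not a verdict."""
import ntpath
import re
from collections import Counter
from dataclasses import dataclass

# Constructed excerpt in HijackThis format, built from lines in the thread above.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {25997E08-274A-4217-8F71-C89C754242C1} - C:\WINDOWS\system32\iifcaax.dll
O2 - BHO: (no name) - {4E9C8BD8-E3E9-4D6D-9351-B61D8D29FDBF} - C:\WINDOWS\system32\ssttt.dll (file missing)
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [bload] C:\WINDOWS\system32\bload.exe
O4 - HKLM\..\Run: [98febd22] rundll32.exe "C:\WINDOWS\system32\osajyrny.dll",b
O4 - HKCU\..\Run: [Vrou] "C:\Program Files\Common Files\?ecurity\s??oolsv.exe"
O10 - Unknown file in Winsock LSP: c:\windows\system32\gamelink.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\gamelink.dll
O20 - Winlogon Notify: iifcaax - C:\WINDOWS\SYSTEM32\iifcaax.dll
"""


@dataclass(frozen=True)
class Entry:
    section: str  # HijackThis section code, e.g. "O4"
    body: str     # text after "O4 - "
    path: str     # first X:\...\name.dll|exe in the body, lower-cased; "" if none


@dataclass(frozen=True)
class Finding:
    severity: str  # "high", "medium" or "low"
    entry: Entry
    reason: str


ENTRY_RE = re.compile(r"^(O\d+) - (.+)$")
# Non-greedy so a rundll32 command yields the DLL it loads, not the whole command.
PATH_RE = re.compile(r"([A-Za-z]:\\.*?\.(?:dll|exe))", re.IGNORECASE)
RUN_NAME_RE = re.compile(r"\\Run(?:Once)?: \[([^\]]*)\]")
HEX_NAME_RE = re.compile(r"^[0-9a-f]{8}$")


def parse_entries(log_text: str) -> list[Entry]:
    """Turn the 'Onn - ...' lines of a HijackThis log into Entry records."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue  # header, 'Running processes' and blank lines
        section, body = m.groups()
        p = PATH_RE.search(body)
        entries.append(Entry(section, body, p.group(1).lower() if p else ""))
    return entries


def triage(log_text: str) -> list[Finding]:
    """Apply the heuristics to every entry and return the findings."""
    entries = parse_entries(log_text)
    bho_dlls = {ntpath.basename(e.path) for e in entries if e.section == "O2" and e.path}
    notify_dlls = {ntpath.basename(e.path) for e in entries if e.section == "O20" and e.path}
    lsp_counts = Counter(e.path for e in entries if e.section == "O10")
    seen_lsp: set[str] = set()
    findings = []
    for e in entries:
        name = ntpath.basename(e.path)
        if e.section == "O2":
            if "(file missing)" in e.body:
                findings.append(Finding("low", e, "BHO points at a file that no longer exists (leftover registration)"))
            elif name in notify_dlls:
                findings.append(Finding("high", e, "DLL is registered both as a BHO and as a Winlogon Notify handler"))
            elif "(no name)" in e.body:
                findings.append(Finding("medium", e, "BHO registered without a name"))
        elif e.section == "O4":
            m = RUN_NAME_RE.search(e.body)
            run_name = m.group(1) if m else ""
            if "?" in e.path:
                # HijackThis prints '?' for characters it cannot display.
                findings.append(Finding("high", e, "unprintable characters in the launch path"))
            elif HEX_NAME_RE.match(run_name) and "rundll32" in e.body.lower():
                findings.append(Finding("high", e, "hex-named Run value loads a DLL through rundll32"))
        elif e.section == "O10" and e.path not in seen_lsp:
            seen_lsp.add(e.path)
            findings.append(Finding("medium", e, f"unknown Winsock LSP file listed {lsp_counts[e.path]} times"))
        elif e.section == "O20":
            sev = "high" if name in bho_dlls else "medium"
            findings.append(Finding(sev, e, "third-party Winlogon Notify handler (loads into winlogon.exe)"))
    return findings


if __name__ == "__main__":
    for f in sorted(triage(SAMPLE_LOG), key=lambda f: f.severity):
        print(f"{f.severity:6} {f.entry.section:4} {f.reason}: {f.entry.body}")
```

Entries such as [bload] that only a helper's experience identifies are deliberately not flagged; the script narrows the list a human has to read, it does not replace the human.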

#8 OuterRem


Posted 31 October 2007 - 09:42 PM

Ok I managed to use OTMoveIt. But I couldn't copy the results because it asked me to reboot and prevented me from getting around the Reboot dialog box. I didn't want to hit no and reboot it myself for fear that might make a difference so I can't post results, but I promise you there were two lines of results.

As for SuperAntispyware and DSS, I downloaded both, but it won't let me install SuperAntispyware, quoting me some garbage about "The Administrator has set it so that this program cannot be installed". Is this related to the fact that I can only boot into safe mode, or is it because my computer is hijacked and the virus has changed my program permissions...

I'm going to try to boot up normally but I can't guarantee that it will work. If I do get it to boot up and log in successfully, I will let you know right away.

::EDIT::
Apparently if I try to boot up normally, it just goes completely black after I get to the Windows XP loading screen, long before I get a dialog to log in. Man, I'm screwed, aren't I?

Edited by OuterRem, 31 October 2007 - 09:46 PM.


#9 RichieUK


Posted 01 November 2007 - 06:11 AM

Man, I'm screwed, aren't I?

It certainly looks like it.

If you have the Microsoft Windows XP installation disk try doing a Repair Install.
Configure your computer to start from the CD-ROM drive.
[Boot into the Bios and set your CD-Rom drive as first boot device].
For more information about how to do this, refer to your computer's documentation or contact your computer manufacturer.
Then insert your Microsoft Windows XP Setup CD, and restart your computer.
When the 'Press any key to boot from CD' message is displayed on screen, press a key.
Press ENTER when you see the message to setup Windows XP now, and then press ENTER displayed on the 'Welcome to Setup' screen.
Do not choose the option to press R to use the Recovery Console.
In the Windows XP Licensing Agreement, press F8 to agree to the license agreement.
Make sure that your current installation of Windows XP is selected in the box, and then press R to repair Windows XP.
Follow the instructions on the screen to complete Setup.

#10 OuterRem


Posted 01 November 2007 - 03:47 PM

Roger, I'll post back tonight with the results, after I get back from work. Regardless of if any of this works or not though, thank you for offering your support.

Even at the very worst case scenario, I will be able to recover everything I had from other sources. Even if I have to format D: as well as C:

#11 RichieUK


Posted 01 November 2007 - 04:27 PM

OK, keep me updated please, let me know how you get on, hope all goes well :thumbsup:

#12 OuterRem


Posted 03 November 2007 - 10:19 PM

Sorry to have disappeared for some time; however, after some struggle, I managed to take complete inventory of all files (programs / media / images / music / browser bookmarks) on my computer and keep a list. I will be able to reinstall and/or download them over the course of a week. I feel that it's come to the point where, after taking a step back here and giving myself a bit of perspective, it makes no sense to be sentimentally attached to data. So I'm just going to format it.

All I have left to ask is, will formatting using the windows xp cd be enough? Or are there explicit instructions for formatting after a virus has infected you? I am going to get my IP address reassigned. My cable connection makes me semi-dynamic, in that if I reset, I get assigned a new one.

Thanks Richie, for all your help.

Sincerely,
Rem.

#13 RichieUK


Posted 04 November 2007 - 08:09 AM

All I have left to ask is, will formatting using the Windows XP CD be enough?

Yes, you shouldn't have any problems at all once you've done.
