Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Annoying Virus


  • This topic is locked This topic is locked
3 replies to this topic

#1 Brazuca87

Brazuca87

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:05:43 PM

Posted 16 February 2009 - 11:51 AM

Ok, I got a really annoying virus here...

It disables my Task Manager, Registry Editting, and appearently dont let me run services (as when I try to install BitDefender it says I dont have priviledges to do so)

Yes, I am an administrator account.

Tried to go into safe mode, but after it loads the dlls and stuff, I get a blue screen, so that's no help either.

I checked logs, and from what it looks, I removed all unknown stuff from there (well, at least I think I did), but theres still a random temporary file that keeps being created and run in the computer.

c:\docs&sets\myuser\Local Settings\Temp\win(insert_random_caracters_here).exe
(Curiously though, after last restart, it created the file in c:\Windows\Temp as you can see in the log below)

I always manage to close and delete it, but after a while another new file is created there, and is running again. It's constantly blocking the Task Manager and Registry Editting over and over. I'm really going crazy here, tbh... :D

I already tried to install Malwarebytes, AVG, BitDefender, and some other stuff. Malawarebytes worked, but no success in cleaning anything. AVG and BitDefender just didn't install because of services. My Spybot - Search and Destroy doesn't open either.

Really, never seen a virus as annoying as this, which btw, I have no idea how I got infected :thumbup2:

Here goes the log:

DDS (Ver_09-02-01.01) - NTFSx86
Run by Giovanni at 11:48:01.76 on Mon 02/16/2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2046.1242 [GMT -5:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\msftesql.exe
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\Program Files\Microsoft SQL Server\MSSQL.2\OLAP\bin\msmdsrv.exe
D:\Program Files\NetLimiter 2 Pro\nlsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
C:\WINDOWS\system32\vmnat.exe
D:\Program Files\RealVNC\VNC4\WinVNC4.exe
D:\Program Files\VMware\VMware Workstation\vmware-authd.exe
C:\WINDOWS\system32\vmnetdhcp.exe
D:\Program Files\NetLimiter 2 Pro\NLClient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\kxmixer.exe
C:\WINDOWS\system32\xRaidSetup.exe
D:\Program Files\Babylon\Babylon-Pro\Babylon.exe
D:\Program Files\VMware\VMware Workstation\vmware-tray.exe
D:\Program Files\VMware\VMware Workstation\hqtray.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
D:\Program Files\DAEMON Tools Lite\daemon.exe
C:\Program Files\Microsoft IntelliPoint\dpupdchk.exe
D:\Program Files\Steam\Steam.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Messenger\msmsgs.exe
D:\Program Files\Vidalia Bundle\Vidalia\vidalia.exe
D:\Program Files\Vidalia Bundle\Privoxy\privoxy.exe
D:\Program Files\No-IP\DUC20.exe
C:\Program Files\MessengerDiscovery\MessengerDiscovery Live.exe
C:\WINDOWS\system32\wuauclt.exe
D:\Program Files\Vidalia Bundle\Tor\tor.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\WINDOWS\TEMP\winrnekwo.exe
C:\Documents and Settings\Giovanni\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
uInternet Settings,ProxyServer = 127.0.0.1:8118
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
BHO: IE to GetRight Helper: {31ff080d-12a3-439a-a2ef-4ba95a3148e8} - d:\program files\getright\xx2gr.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
uRun: [MsnMsgr] "c:\program files\windows live\messenger\MsnMsgr.Exe" /background
uRun: [DAEMON Tools Lite] "d:\program files\daemon tools lite\daemon.exe" -autorun
uRun: [Steam] "d:\program files\steam\Steam.exe" -silent
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [Vidalia] "d:\program files\vidalia bundle\vidalia\vidalia.exe"
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [kX Mixer] c:\windows\system32\kxmixer.exe --startup
mRun: [JMB36X IDE Setup] c:\windows\raidtool\xInsIDE.exe
mRun: [36X Raid Configurer] c:\windows\system32\xRaidSetup.exe boot
mRun: [RoxioDragToDisc] "d:\program files\roxio\easy media creator 7\drag to disc\DrgToDsc.exe"
mRun: [Babylon Client] d:\program files\babylon\babylon-pro\Babylon.exe -AutoStart
mRun: [vmware-tray] d:\program files\vmware\vmware workstation\vmware-tray.exe
mRun: [VMware hqtray] "d:\program files\vmware\vmware workstation\hqtray.exe"
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\ipoint.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\giovanni\startm~1\programs\startup\no-ipd~1.lnk - d:\program files\no-ip\DUC20.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\privoxy.lnk - d:\program files\vidalia bundle\privoxy\privoxy.exe
uPolicies-system: DisableRegistryTools = 1 (0x1)
uPolicies-system: DisableTaskMgr = 1 (0x1)
mPolicies-system: EnableLUA = 0 (0x0)
dPolicies-system: DisableTaskMgr = 1 (0x1)
dPolicies-system: DisableRegistryTools = 1 (0x1)
IE: Download with GetRight Pro - d:\program files\getright\GRdownload.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office12\EXCEL.EXE/3000
IE: Open with GetRight Pro Browser - d:\program files\getright\GRbrowse.htm
IE: Translate with &Babylon - d:\program files\babylon\babylon-pro\utils\BabylonIEPI.dll/Translate.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBC} - c:\program files\java\jre6\bin\jp2iexp.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~4\office12\ONBttnIE.dll
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office12\REFIEBAR.DLL
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} - hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.4.3.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1211494144359
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1211511992812
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} - hxxp://plugin.driveragent.com/files/driveragent.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
AppInit_DLLs: sockspy.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\giovanni\applic~1\mozilla\firefox\profiles\b4h50u3o.default\

============= SERVICES / DRIVERS ===============

R1 nltdi;nltdi;c:\windows\system32\drivers\nltdi.sys [2007-4-23 82200]
R3 abp470n5;abp470n5;\??\c:\windows\system32\drivers\jtmjnk.sys --> c:\windows\system32\drivers\jtmjnk.sys [?]
R3 kxwdmdrv;kX WDM Driver Service;c:\windows\system32\drivers\kx.sys [2008-4-4 568320]
S2 MsDtsServer;SQL Server Integration Services;d:\program files\microsoft sql server\90\dts\binn\MsDtsSrvr.exe [2008-12-18 284512]
S3 ddsxeiservice;ddsxeiservice2;c:\program files\valve\sxe injected\ddsxei.sys [2008-8-20 43392]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2007-1-25 42000]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;c:\program files\microsoft visual studio 8\common7\ide\remote debugger\x86\msvsmon.exe [2006-12-2 2805000]

=============== Created Last 30 ================

2009-02-16 11:17 <DIR> --d----- c:\program files\LIUtilities
2009-02-16 04:19 <DIR> --d----- c:\docume~1\giovanni\applic~1\Malwarebytes
2009-02-16 04:19 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-02-16 03:54 161,792 a------- c:\windows\SWREG.exe
2009-02-16 03:54 98,816 a------- c:\windows\sed.exe
2009-02-16 03:54 <DIR> --d----- C:\ComboFix
2009-02-16 03:50 <DIR> --d----- c:\docume~1\alluse~1\applic~1\BitDefender
2009-02-16 03:49 <DIR> --d----- c:\program files\common files\Softwin
2009-02-16 03:05 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SecTaskMan
2009-02-16 01:54 <DIR> --d----- c:\program files\Trojan Remover
2009-02-16 01:37 <DIR> --d-h--- c:\windows\system32\GroupPolicy
2009-02-12 16:03 <DIR> --d----- c:\program files\Unity
2009-02-12 00:28 40 a---h--- c:\windows\system32\ivireg.ivr
2009-02-11 23:02 <DIR> --d----- c:\windows\SQLTools9_KB960089_ENU
2009-02-11 23:01 <DIR> --d----- c:\windows\DTS9_KB960089_ENU
2009-02-11 23:00 <DIR> --d----- c:\windows\NS9_KB960089_ENU
2009-02-11 23:00 <DIR> --d----- c:\windows\OLAP9_KB960089_ENU
2009-02-11 22:58 <DIR> --d----- c:\windows\SQL9_KB960089_ENU
2009-02-11 16:57 <DIR> --d----- c:\program files\Seagate
2009-02-08 12:56 6,266 a--sh--- c:\docume~1\alluse~1\applic~1\KGyGaAvL.sys
2009-02-08 12:56 168 ---shr-- c:\docume~1\alluse~1\applic~1\37EE009DC7.sys
2009-02-08 12:54 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Corel
2009-01-31 04:07 139 a------- c:\windows\Hide-IP-Browser.INI
2009-01-28 01:47 4,096 a------- c:\windows\d3dx.dat
2009-01-28 00:32 182,272 a------- c:\windows\patchw32.dll
2009-01-26 02:56 <DIR> --d----- c:\windows\pss
2009-01-25 20:50 77,824 a------- c:\windows\system32\MagicTuneUser.exe
2009-01-25 20:50 40,960 a------- c:\windows\system32\nvgpio.dll
2009-01-25 20:50 36,864 a------- c:\windows\system32\nvapi9x.dll
2009-01-25 20:50 13,396 a------- c:\windows\system32\drivers\MTiCtwl.sys
2009-01-25 20:49 443,392 a------- c:\windows\system32\SliderExCtrl.ocx
2009-01-25 20:49 65,536 a------- c:\windows\system32\Gif89.dll
2009-01-25 19:52 <DIR> --d----- c:\program files\Microsoft

==================== Find3M ====================

2008-12-20 18:15 826,368 a------- c:\windows\system32\wininet.dll
2008-12-16 00:32 410,984 a------- c:\windows\system32\deploytk.dll
2008-11-24 09:32 57,344 a------- c:\windows\system32\ff_vfw.dll

============= FINISH: 11:48:14.34 ===============

Attached Files



BC AdBot (Login to Remove)

 


#2 Brazuca87

Brazuca87
  • Topic Starter

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:05:43 PM

Posted 16 February 2009 - 11:54 AM

Just wanted to add:
Whenever I try to access a page for like an online virus scanner, the page just doesnt load.

Never seen quite an annoying virus like this in my life :thumbup2:

#3 chryssi2001

chryssi2001

  • Members
  • 1,930 posts
  • OFFLINE
  •  
  • Local time:01:43 AM

Posted 28 February 2009 - 05:03 AM

Hello Brazuca87,

I apologise for the delay, the forum is extremely busy.
Unfortunately there are a lot of people waiting for help, and we are doing our best.
----------------------------------------------
I will be assisting you with your malware issues.
  • Whatever repairs we make, are for fixing your computer problems only and by no means should be used on another computer.
  • Continue to respond to this thread until I give you the All Clean! If you have any question or you're stuck in there please reply it to me. I will try my best to help you!
  • Please bookmark or favourite this page. In case you need it as reference or etc.
  • If you fail to reply in 5 days period from now, this thread will close, and you will have to open another topic, and wait for another helper.
----------------------------------------------
So do you have Malwarebytes installed? Did you run it?
----------------------------------------------
Do you have access to another pc in case we need to download tools from sites you can't access?
----------------------------------------------
Download and Run HijackThis
Download HJTInstall.exe to your Desktop.
  • Doubleclick HJTInstall.exe to install it.
  • By default it will install to C:\Program Files\Trend Micro\HijackThis .
  • Click on Install.
  • It will create a HijackThis icon on the desktop.
  • Once installed, it will launch Hijackthis.
  • Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
  • Copy/Paste the log to your next reply please.
Don't use the Analyse This button, its findings are dangerous if misinterpreted.
Don't have Hijackthis fix anything yet. Most of what it finds will be harmless or even required.
Posted Image
Private Messages for personal support will be ignored. If you need help post in the forum.

#4 chryssi2001

chryssi2001

  • Members
  • 1,930 posts
  • OFFLINE
  •  
  • Local time:01:43 AM

Posted 05 March 2009 - 02:22 PM

Due to the lack of feedback, this Topic is now closed and will not be reopened.
If you still need help, begin a new topic.

Applies only to the original poster, anyone else with similar problems please start a new topic.
Posted Image
Private Messages for personal support will be ignored. If you need help post in the forum.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users