win32.delf.uc and win32.jolee.K, and possibly others :(

Hi folks, it seems that i've somehow caught a bunch of trojans and other annoying malware which seem quite stubborn. i've scanned using malwarebytes and it hasnt found anything. Spybot 1.6.2 found a handful of stuff

Upon bootup/login, i keep getting error messages about "Realtek HD Audio data rerouter" having encountered a problem and needs to close. The box is one of those which ask u to send it to Microsoft for crash evaluation. In the error signature it mentions appname: rtkbtmnt.exe, and Modname: ntdll.dll
This crashes at least 4 tiems (4 instances of the malware running?)

here's a DDS log:


DDS (Ver_09-02-01.01) - NTFSx86
Run by Julian at 2:33:26.03 on Tue 17/02/2009
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1012.619 [GMT 11:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Acer\Empowering Technology\eRecovery\eRAgent.exe
C:\PROGRA~1\LAUNCH~1\QtZgAcer.EXE
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\AAO Fan Control\AA1FanControl.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Adobe\Acrobat 7.0\Acrobat\acrobat_sl.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\system32\igfxext.exe
D:\dds.scr

============== Pseudo HJT Report ===============

uStart Page = about:blank
uSearch Page = hxxp://au.rd.yahoo.com/customize/ycomp/defaults/sp/*http://au.yahoo.com
mDefault_Page_URL = hxxp://en.au.acer.yahoo.com
mStart Page = hxxp://en.au.acer.yahoo.com
uInternet Connection Wizard,ShellNext = hxxp://en.au.acer.yahoo.com/
uSearchURL,(Default) = hxxp://au.rd.yahoo.com/customize/ycomp/defaults/su/*http://au.yahoo.com
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: NoExplorer - No File
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
TB: {0BF43445-2F28-4351-9252-17FE6E806AA0} - No File
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MsnMsgr] "c:\program files\msn messenger\MsnMsgr.Exe" /background
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [Acer Aspire One Fan Control] c:\program files\aao fan control\AA1FanControl.exe
mRun: [LaunchApp] Alaunch
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [AzMixerSel] c:\program files\realtek\audio\installshield\AzMixerSel.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [LManager] c:\progra~1\launch~1\QtZgAcer.EXE
mRun: [PLFSetL] c:\windows\PLFSetL.exe
mRun: [snp2uvc] c:\windows\vsnp2uvc.exe
mRun: [eRecoveryService] c:\acer\empowering technology\erecovery\eRAgent.exe
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [Acrobat Assistant 7.0] "c:\program files\adobe\acrobat 7.0\distillr\Acrotray.exe"
mRun: [<NO NAME>]
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
dRun: [tjbtismw.exe] c:\windows\tjbtismw.exe
dRun: [reader_s] c:\documents and settings\julian\reader_s.exe
dRun: [vxsyvwwi.exe] c:\windows\vxsyvwwi.exe
StartupFolder: c:\docume~1\julian\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobea~1.lnk - c:\windows\installer\{ac76ba86-1033-0000-7760-000000000002}\SC_Acrobat.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\taskma~1.lnk - c:\windows\system32\taskmgr.exe
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Locate Spot on Map by GPS - c:\program files\opanda\iexif 2.26\IExifMap.htm
IE: View Exif/GPS/IPTC with IExif - c:\program files\opanda\iexif 2.26\IExifCom.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F}
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\progra~1\micros~2\office12\GR99D3~1.DLL
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: igfxcui - igfxdev.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~2\office12\GRA8E1~1.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\julian\applic~1\mozilla\firefox\profiles\jmkoedgp.default\
FF - prefs.js: browser.startup.homepage - about:blank

============= SERVICES / DRIVERS ===============

R3 JMCR;JMCR;c:\windows\system32\drivers\jmcr.sys [2008-5-21 96856]
S0 rlutmyev;rlutmyev;c:\windows\system32\drivers\rlutmyev.sys --> c:\windows\system32\drivers\rlutmyev.sys [?]
S1 ethpjidw;ethpjidw;c:\windows\system32\drivers\ethpjidw.sys [2009-2-13 137920]

=============== Created Last 30 ================

2009-02-17 01:17 <DIR> --d----- c:\windows\ERUNT
2009-02-13 19:00 25,601 a------- c:\windows\system32\33.tmp
2009-02-13 09:22 31,744 a---h--- c:\documents and settings\julian\rwxxwg.exe
2009-02-13 09:22 67,072 ----h--- c:\windows\system32\secupdat.dat
2009-02-13 09:22 137,920 a------- c:\windows\system32\drivers\ethpjidw.sys
2009-02-13 09:04 0 a------- c:\windows\system32\115.tmp
2009-02-13 09:02 114,183 a------- C:\nxspv.exe
2009-02-13 09:02 0 a------- C:\xxmwr.exe
2009-02-13 09:01 0 a------- C:\nwpy.exe
2009-02-13 09:01 0 a------- C:\ubdvow.exe
2009-02-13 09:01 162,788 a------- c:\windows\system32\114.tmp
2009-02-13 09:01 172 a------- c:\windows\system32\113.tmp
2009-02-13 09:01 2 a------- C:\1081778760
2009-02-13 08:54 <DIR> --d----- c:\docume~1\julian\applic~1\Malwarebytes
2009-02-13 08:54 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-02-13 08:54 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-13 08:54 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-02-13 08:54 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-02-13 03:30 <DIR> --d----- c:\program files\FreeUndelete
2009-02-13 03:30 <DIR> --d----- c:\docume~1\alluse~1\applic~1\OfficeRecovery
2009-02-13 03:22 <DIR> --d----- c:\program files\Runtime Software
2009-02-13 03:14 <DIR> --d----- c:\program files\EASEUS

==================== Find3M ====================

2009-02-13 09:22 182,656 a------- c:\windows\system32\drivers\ndis.sys

============= FINISH: 2:34:14.04 ===============

Many thanks in advance,

-Julian

Hi,

I have bad news for you

I see you're dealing with Virut (or variant). In that case, it's unfortunately a lost case - Game over situation. This virus called Virut is a File infector and (mis)infects legitimate files - so these infected files may not be deleted, but disinfected instead. Only an Antivirus Scanner is able to disinfect files. There's nothing you can do about this manually.
The problem with File infectors is, even though Antivirus scanners can disinfect the files, in a lot of cases, the files become corrupted anyway, including needed system files. Especially if you're dealing with Virut since it actually "misinfects" the files in most of the cases, so scanners cannot disinfect them either. Also read here: http://www.sophos.com/security/blog/2009/02/3130.html

That's why I call this a lost case. Because it's really not worth to clean this up manually since a format and reinstall is the fastest and especially the SAFEST solution.

And, in case you want to clean this up manually (although I do not recommend this), there's no way we can guide you here, because there's nothing that can be done about this manually. It's up to the scanners here to disinfect the files if possible. Keep in mind that your Windows may be damaged afterwards, many programs won't work anymore and many errors may appear. And, on top, it's still no guarantee that your computer will be clean again, because 1 leftover may reinfect.
So please don't bother with a manual cleanup and format and reinstall instead. That's the only guarantee of a clean computer afterwards.

So, I suggest you to start backup all of your valuable data/documents/pictures/movies/songs/etc.. Do NOT backup any applications/installers and Do NOT backup any .exe/.scr/.htm/.html/.xml/.zip/.rar files...
This because these files may be infected as well. If you back them up and replace them afterwards, it will infect your computer again.

Read here for instructions how to format and reinstall Windows: http://web.mit.edu/ist/products/winxp/adva...all-format.html

Edited by miekiemoes, 17 February 2009 - 03:25 AM.

Hi,
many thanks for your helpful yet saddening reply
i guess i will have to reformat it.. such horrible viruses, attacking pretty much what's most important to me!
many thanks again for your very helpful and knowledgeable reply
at least i wont be wasting much more time trying to fix it..

-Julian

Hi Julian,

I blogged about this infection a couple of minutes ago: http://miekiemoes.blogspot.com/2009/02/vir...s-throwing.html
That may explain why a format and reinstall is really the best solution

And for afterwards....

Please read my Prevention page with lots of info and tips how to prevent this in the future.
Extra note: Make sure your programs are up to date - because older versions may contain Security Leaks. To find out what programs need to be updated, please run the Secunia Software Inspector Scan.

Edited by miekiemoes, 17 February 2009 - 08:41 AM.

Since this issue appears resolved ... this Topic is closed.
If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.