
Joleee.NF Worm


  • This topic is locked
2 replies to this topic

#1 Crumply

  • Members
  • 1 posts

Posted 29 March 2009 - 07:51 PM

So, this virus infected my computer after plugging in an MP3 player from an infected computer into my own. Now I can't seem to get rid of it at all, and I'm going nuts trying to figure it out. I really do not want to do a low-level format. It's corrupting programs and other files and has left me without Firefox & Internet Explorer, so I've been using Safari.

Here's the log:


DDS (Ver_09-03-16.01) - NTFSx86
Run by Administrator at 22:19:08.51 on Sun 03/29/2009
Internet Explorer: 6.0.2900.5512
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.383.107 [GMT -4:00]


============== Running Processes ===============

E:\WINDOWS\system32\svchost -k DcomLaunch
E:\WINDOWS\system32\svchost -k rpcss
E:\WINDOWS\System32\svchost.exe -k netsvcs
E:\WINDOWS\system32\svchost.exe -k NetworkService
E:\WINDOWS\Explorer.EXE
E:\WINDOWS\system32\svchost.exe -k LocalService
E:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
E:\Program Files\Bonjour\mDNSResponder.exe
E:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
E:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
E:\WINDOWS\system32\svchost.exe -k imgsvc
E:\WINDOWS\System32\TUProgSt.exe
svchost.exe E:\WINDOWS\TEMP\VRT2.tmp
E:\WINDOWS\System32\svchost.exe
E:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
E:\Program Files\Safari\Safari.exe
E:\Documents and Settings\Administrator\Desktop\dds.scr
E:\WINDOWS\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://ca.yahoo.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie_rsearch.html
uDefault_Page_URL = hxxp://www.google.com
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mDefault_Page_URL = hxxp://www.google.com
mStart Page = hxxp://www.google.com
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
mSearchAssistant = hxxp://www.google.com/ie_rsearch.html
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - e:\program files\yahoo!\companion\installs\cpn\yt.dll
mURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - e:\program files\yahoo!\companion\installs\cpn\yt.dll
mWinlogon: Userinit=e:\windows\system32\userinit.exe,e:\windows\system32\undname.exe,
mWinlogon: SfcDisable=-99 (0xffffff9d)
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - e:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: : {11b791b0-ecd6-4c36-9578-25905a4feb53} - e:\windows\system32\qtlocdt.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - e:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - e:\progra~1\micros~2\office12\GRA8E1~1.DLL
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - e:\program files\java\jre6\bin\ssv.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - e:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - e:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: FB Toolbar: {a057a204-bacc-4d26-8988-34a187e2698b} - e:\progra~1\myfbtoolbar\myfbtoolbar.dll
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - e:\program files\windows live\toolbar\wltcore.dll
uRun: [msnmsgr] "e:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [services] e:\windows\services.exe
uRun: [reader_s] e:\documents and settings\administrator\reader_s.exe
mRun: [egui] "e:\program files\eset\eset nod32 antivirus\egui.exe" /hide /waitservice
mRun: [services] e:\windows\services.exe
mRun: [reader_s] e:\windows\system32\reader_s.exe
dRun: [reader_s] e:\documents and settings\administrator\reader_s.exe
dRun: [services] e:\windows\services.exe
dRunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N
uExplorerRun: [services] e:\windows\services.exe
mExplorerRun: [services] e:\windows\services.exe
dExplorerRun: [services] e:\windows\services.exe
uPolicies-explorer: ForceClassicControlPanel = 1 (0x1)
uPolicies-explorer: NoResolveTrack = 1 (0x1)
uPolicies-explorer: NoSMConfigurePrograms = 1 (0x1)
uPolicies-explorer: MemCheckBoxInRunDlg = 1 (0x1)
uPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-explorer: MemCheckBoxInRunDlg = 1 (0x1)
mPolicies-explorer: StartMenuFavorites = 0 (0x0)
mPolicies-explorer: Start_ShowMyComputer = 1 (0x1)
mPolicies-explorer: Start_ShowMyDocs = 1 (0x1)
mPolicies-explorer: Start_ShowMyMusic = 0 (0x0)
mPolicies-explorer: Start_ShowRun = 1 (0x1)
mPolicies-explorer: Start_ShowSearch = 0 (0x0)
mPolicies-system: DisableCAD = 1 (0x1)
dPolicies-explorer: NoSMHelp = 1 (0x1)
dPolicies-explorer: ForceClassicControlPanel = 1 (0x1)
dPolicies-explorer: NoResolveTrack = 1 (0x1)
dPolicies-explorer: NoSMConfigurePrograms = 1 (0x1)
dPolicies-explorer: MemCheckBoxInRunDlg = 1 (0x1)
dPolicies-explorer: NoActiveDesktop = 1 (0x1)
IE: E&xport to Microsoft Excel - e:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - e:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - e:\progra~1\mic273~1\web2~1\office12\REFIEBAR.DLL
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} - hxxp://a532.g.akamai.net/f/532/6712/5m/virtools.download.akamai.com/6712/player/install/installer.exe
DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} - hxxp://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - e:\progra~1\micros~2\office12\GR99D3~1.DLL
Notify: qlufscqp - qtlocdt.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - e:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - e:\progra~1\micros~2\office12\GRA8E1~1.DLL

============= SERVICES / DRIVERS ===============

R1 ehdrv;ehdrv;e:\windows\system32\drivers\ehdrv.sys [2008-11-10 104456]
R1 epfwtdir;epfwtdir;e:\windows\system32\drivers\epfwtdir.sys [2008-11-10 92168]
S1 ethluosy;ethluosy;e:\windows\system32\drivers\ethluosy.sys [2009-3-28 137344]

=============== Created Last 30 ================

2009-03-29 22:10 <DIR> --d----- E:\ComboFix
2009-03-29 22:09 407,552 a------- e:\windows\system32\CF27398.exe
2009-03-29 22:08 407,552 a------- e:\windows\system32\cmd.execf
2009-03-29 21:21 <DIR> --d----- e:\program files\Trend Micro
2009-03-29 20:37 37,376 a------- e:\documents and settings\administrator\reader_s.exe
2009-03-29 20:37 29,696 a------- e:\windows\system32\16.tmp
2009-03-29 20:37 124 a------- e:\windows\system32\10.tmp
2009-03-29 18:46 37,376 a------- e:\windows\system32\reader_s.exe
2009-03-29 18:46 28,672 a------- e:\windows\system32\18.tmp
2009-03-29 18:46 37,376 a------- e:\windows\system32\13.tmp
2009-03-29 18:46 124 a------- e:\windows\system32\F.tmp
2009-03-29 16:15 <DIR> --d----- e:\program files\CCleaner
2009-03-29 16:01 267,284 a---h--- e:\windows\system32\mlfcache.dat
2009-03-29 15:57 28,672 a------- e:\windows\system32\A329.tmp
2009-03-29 15:52 124 a------- e:\windows\system32\A2D4.tmp
2009-03-29 15:34 28,672 a------- e:\windows\system32\A2AE.tmp
2009-03-29 15:34 9,685 a------- e:\windows\system32\A2AB.tmp
2009-03-29 15:34 65,536 a------- e:\windows\system32\A2A7.tmp
2009-03-29 15:34 160 a------- e:\windows\system32\A2A5.tmp
2009-03-29 10:56 124 a------- e:\windows\system32\1D.tmp
2009-03-29 07:28 124 a------- e:\windows\system32\E.tmp
2009-03-29 07:21 <DIR> --d----- e:\docume~1\admini~1\applic~1\hsnosotz
2009-03-29 07:15 124 a------- e:\windows\system32\D.tmp
2009-03-28 22:26 124 a------- e:\windows\system32\B.tmp
2009-03-28 22:14 124 a------- e:\windows\system32\A.tmp
2009-03-28 17:07 137,344 a------- e:\windows\system32\drivers\ethluosy.sys
2009-03-28 17:04 153,088 a------- e:\windows\system32\9.tmp
2009-03-28 17:03 124 a------- e:\windows\system32\7.tmp
2009-03-28 02:53 162,304 a------- e:\windows\system32\8.tmp
2009-03-28 02:53 128 a------- e:\windows\system32\6.tmp
2009-03-27 22:51 28,672 a------- e:\windows\system32\19.tmp
2009-03-27 22:45 162,304 a------- e:\windows\system32\5.tmp
2009-03-27 22:45 128 a------- e:\windows\system32\3.tmp
2009-03-27 19:38 28,672 a------- e:\windows\system32\C.tmp
2009-03-27 19:31 162,304 a------- e:\windows\system32\4.tmp
2009-03-27 19:31 128 a------- e:\windows\system32\2.tmp
2009-03-26 18:56 6 a------- e:\windows\_id.dat
2009-03-26 18:55 182,656 -------- e:\windows\system32\dllcache\ndis.sys
2009-03-26 18:55 130 a------- e:\windows\adobe.bat
2009-03-26 18:54 51,678 a------- e:\windows\services.exe
2009-03-26 18:54 0 a------- e:\windows\system32\578E.tmp
2009-03-26 18:52 8 a------- e:\windows\system32\comsa32.sys
2009-03-26 18:52 231,424 a------- e:\windows\system32\w.exe
2009-03-26 18:52 71,680 a------- e:\windows\system32\5757.tmp
2009-03-26 18:52 124 a------- e:\windows\system32\5755.tmp
2009-03-24 12:39 <DIR> --d----- E:\Incomplete
2009-03-21 11:38 <DIR> --d----- e:\program files\MediaMonkey
2009-03-21 08:33 <DIR> --d----- e:\program files\Xilisoft
2009-03-21 08:01 <DIR> --d----- e:\program files\iTunes
2009-03-21 08:01 <DIR> --d----- e:\docume~1\alluse~1\applic~1\{00D89592-F643-4D8D-8F0F-AFAE0F14D4C3}
2009-03-21 07:48 1,900,544 a------- e:\windows\system32\usbaaplrc.dll
2009-03-21 07:32 <DIR> --d----- e:\program files\Bonjour
2009-03-20 21:44 38,229 -------- e:\windows\system32\drivers\StMp3Rec.sys
2009-03-20 21:35 <DIR> --d----- e:\windows\Downloaded Installations
2009-03-20 20:22 <DIR> --d----- e:\program files\TagRename
2009-03-20 20:12 <DIR> --d----- e:\docume~1\admini~1\applic~1\Red Chair Software
2009-03-20 20:12 <DIR> --d----- e:\program files\Red Chair Software
2009-03-20 19:19 603,904 a------- e:\windows\system32\TUProgSt.exe
2009-03-20 19:19 27,904 a------- e:\windows\system32\uxtuneup.dll
2009-03-20 19:19 362,240 a------- e:\windows\system32\TuneUpDefragService.exe
2009-03-20 19:19 <DIR> --d----- e:\docume~1\admini~1\applic~1\TuneUp Software
2009-03-20 19:16 <DIR> --d----- e:\docume~1\alluse~1\applic~1\TuneUp Software
2009-03-20 19:15 <DIR> --d----- e:\program files\TuneUp Utilities 2009
2009-03-20 19:14 <DIR> --dsh--- e:\docume~1\alluse~1\applic~1\{55A29068-F2CE-456C-9148-C869879E2357}
2009-03-20 17:59 107,368 a------- e:\windows\system32\GEARAspi.dll
2009-03-20 17:59 23,848 a------- e:\windows\system32\drivers\GEARAspiWDM.sys
2009-03-20 17:58 <DIR> --d----- e:\program files\iPod
2009-03-20 17:50 <DIR> --d----- e:\windows\system32\ReinstallBackups
2009-03-20 17:49 36,864 a------- e:\windows\system32\drivers\usbaapl.sys
2009-03-20 17:26 <DIR> --d----- e:\program files\Music Rescue
2009-03-14 20:54 <DIR> --d----- e:\program files\T4_Internet _T4_ par_Internet_9.0
2009-03-14 20:38 <DIR> --d-h--- e:\program files\Zero G Registry
2009-03-14 10:02 <DIR> --d----- E:\Ipod
2009-03-14 09:10 <DIR> --d----- E:\The Big Bang Theory - Season 1 (Ipod)
2009-03-14 08:33 856,064 a------- e:\windows\system32\mpgfiltr.ax
2009-03-14 08:33 421,888 a------- e:\windows\system32\RealMediaSplitter.ax
2009-03-14 08:33 208,896 a------- e:\windows\system32\VideoEdit.ocx
2009-03-14 08:33 139,264 a------- e:\windows\system32\viscomqtde.dll
2009-03-14 08:33 81,920 a------- e:\windows\system32\viscomwave.dll
2009-03-14 08:33 <DIR> --d----- e:\program files\Plato Video To iPod Converter
2009-03-09 23:59 36,352 a------- E:\Table of Contents.doc
2009-03-09 23:44 22,016 a------- E:\Math Journals.doc
2009-03-09 23:38 442,487 a------- E:\Math Journals.pdf
2009-03-06 14:12 <DIR> --d----- e:\windows\BBSTORE
2009-03-06 14:11 333,312 a------- e:\windows\IsUninst.exe
2009-03-06 12:15 40 a------- e:\windows\disney.ini
2009-03-06 11:34 <DIR> --d----- e:\documents and settings\administrator\WINDOWS
2009-03-06 11:34 0 a------- e:\windows\SETUP32.INI
2009-03-06 11:34 69 a------- e:\windows\encore_launcher.ini
2009-03-04 23:21 <DIR> --d----- e:\docume~1\admini~1\applic~1\DVD Flick
2009-03-04 23:19 40,960 a------- e:\windows\system32\ssubtmr6.dll
2009-03-04 23:19 36,864 a------- e:\windows\system32\trayicon_handler.ocx
2009-03-04 23:19 662,288 a------- e:\windows\system32\mscomct2.ocx
2009-03-04 23:19 609,824 a------- e:\windows\system32\comctl32.ocx
2009-03-04 23:19 212,240 a------- e:\windows\system32\richtx32.ocx
2009-03-04 23:19 164,144 a------- e:\windows\system32\comct232.ocx
2009-03-04 23:19 28,672 a------- e:\windows\system32\mousewheel.ocx

==================== Find3M ====================

2009-03-26 18:55 182,656 a------- e:\windows\system32\drivers\ndis.sys
2009-02-19 19:03 361,344 a------- e:\windows\system32\drivers\TCPIP.SYS.ORIGINAL
2009-02-19 19:03 361,344 a------- e:\windows\system32\drivers\TCPIP.SYS
2009-02-19 19:03 361,344 a------- e:\windows\system32\dllcache\TCPIP.SYS
2009-02-06 18:52 49,504 a------- e:\windows\system32\sirenacm.dll
2009-01-31 16:04 2,188 a------- e:\windows\system32\d3d9caps.dat
2009-01-28 23:20 410,984 a------- e:\windows\system32\deploytk.dll
2009-01-16 16:37 499,712 a------- e:\windows\system32\msvcp71.dll

============= FINISH: 22:21:06.43 ===============

Edited by Crumply, 29 March 2009 - 08:33 PM.


#2 SifuMike

    malware expert


  • Members
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 30 March 2009 - 12:08 AM

Hello Crumply,

I am sorry to say I have some bad news for you.

Your system is infected with Virut!!
Virut is a file-infecting virus which is able to modify itself each and every time it runs. In addition, when it infects, sometimes it will destroy the file it tries to latch onto.
For these reasons, you really can't truly fix Virut. You will need to format/reinstall the operating system on this machine.

More information:
http://free.avg.com/66558

There are bugs in the viral code. When the virus produces infected files, it also creates non-functional files that also contain the virus.


http://home.mcafee.com/VirusInfo/VirusProf...aspx?key=143034

W32/Virut.h is a polymorphic, entry point obscuring (EPO) file infector with IRC bot functionality. It can accept commands to download other malware on the compromised machine.
It appends to the end of the last section of executable (PE) files an encrypted copy of its code. The decryptor is polymorphic and can be located either:
  • Immediately before the encrypted code at the end of the last section
  • At the end of the code section of the infected host in 'slack-space' (assuming there is any)
  • At the original entry point of the host (overwriting the original host code)


Miekiemoes, an expert for malware removal and an MS-MVP, additionally has a blog post about Virut.

I suggest you start backing up all of your valuable data/documents/pictures/movies/songs/etc.
Do NOT back up any applications/installers and do NOT back up any .exe/.scr/.htm/.html/.xml/.zip/.rar files...
This is because these files may be infected as well. If you back them up and replace them afterwards, it will infect your computer again.

Read here for instructions on how to format and reinstall Windows:

http://web.mit.edu/ist/products/winxp/adva...all-format.html
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!




Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.
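As an added example (not part of the thread, and not SifuMike's, DDS's or Virut-specific code), here is a small Python triage script that runs defender-side heuristics over lines excerpted from Crumply's DDS log above: a Winlogon Userinit value naming more than userinit.exe, a non-zero SfcDisable, an autostart whose file name belongs in system32 but sits elsewhere, an autostart pointing at a file that also appears in the Created Last 30 section, and a process line referencing a TEMP directory. The rule set and the SYSTEM32_ONLY list are constructed for illustration and are not exhaustive.

```python
import re
# Excerpt of the DDS log posted above (process, Pseudo HJT and Created Last 30 lines).
DDS_EXCERPT = r"""
svchost.exe E:\WINDOWS\TEMP\VRT2.tmp
E:\WINDOWS\system32\svchost.exe -k netsvcs
mWinlogon: Userinit=e:\windows\system32\userinit.exe,e:\windows\system32\undname.exe,
mWinlogon: SfcDisable=-99 (0xffffff9d)
uRun: [services] e:\windows\services.exe
mRun: [egui] "e:\program files\eset\eset nod32 antivirus\egui.exe" /hide /waitservice
mRun: [reader_s] e:\windows\system32\reader_s.exe
2009-03-29 18:46 37,376 a------- e:\windows\system32\reader_s.exe
2009-03-26 18:54 51,678 a------- e:\windows\services.exe
"""

# Binaries XP ships only in %SystemRoot%\system32 (constructed list, not exhaustive).
SYSTEM32_ONLY = {"services.exe", "svchost.exe", "userinit.exe", "lsass.exe", "winlogon.exe"}

RUN_KEY = re.compile(r"^[umd](?:Explorer)?Run(?:Once)?: \[[^\]]*\] (.+)$", re.I)
USERINIT = re.compile(r"^mWinlogon: Userinit=(.+)$", re.I)
SFC = re.compile(r"^mWinlogon: SfcDisable=(-?\d+)", re.I)
CREATED = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} \S+ \S+ (.+)$")


def program_path(cmdline):
    """Lower-cased executable path from a Run-key command line (quoted or bare)."""
    cmdline = cmdline.strip()
    if cmdline.startswith('"'):
        return cmdline[1:cmdline.find('"', 1)].lower()
    return cmdline.split()[0].lower()


def recent_files(log_text):
    # Lower-cased paths taken from 'Created Last 30' style lines.
    matches = (CREATED.match(ln.strip()) for ln in log_text.splitlines())
    return {m.group(1).strip().lower() for m in matches if m}


def audit(log_text):
    """Return (rule, evidence) pairs for autostart anomalies in a DDS log."""
    recent, findings = recent_files(log_text), []
    for line in (ln.strip() for ln in log_text.splitlines()):
        if m := USERINIT.match(line):
            # Userinit should name only userinit.exe; every extra entry runs at logon.
            for entry in filter(None, (e.strip() for e in m.group(1).split(","))):
                if not entry.lower().endswith(r"\userinit.exe"):
                    findings.append(("extra Userinit executable", entry))
        elif (m := SFC.match(line)) and int(m.group(1)) != 0:
            findings.append(("SfcDisable set (Windows File Protection tampering)", line))
        elif m := RUN_KEY.match(line):
            path = program_path(m.group(1))
            parent, _, name = path.rpartition("\\")
            if name in SYSTEM32_ONLY and not parent.endswith("\\system32"):
                findings.append(("system binary name outside system32", path))
            if path in recent:
                findings.append(("autostart targets a file created in the last 30 days", path))
        elif "\\temp\\" in line.lower():
            findings.append(("process or argument under a TEMP directory", line))
    return findings
```

Running `audit(DDS_EXCERPT)` yields six findings; the egui entry under Program Files is the only autostart in the excerpt that trips no rule.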

#3 SifuMike

    malware expert


  • Members
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 11 April 2009 - 10:07 PM

Since your problem appears to be resolved, this thread will now be closed.
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!




Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.



