Infected with everything...started with ntos.exe (I think)


This topic is locked
5 replies to this topic

#1 ralphwolf

  • Members

Posted 22 May 2009 - 10:35 PM

Thanks for any and all help. My issue has me quite troubled. I had AVG running constantly but somehow got a virus. I think it started with ntos.exe. Anyways, it has taken me 3 days just to get the internet working to be able to read and post. I am having to use the Ultimate Winboot disk to get windows to start in non-Safe Mode to use internet. So far, I have used Spybot, Malwarebytes, SuperAntiSpyware and AVG to try and clean my system.

After using them, my system stops at the WinXP splash screen. I have been using F8 to go into Safe mode but the viruses come right back. So, to use internet I have been using the UBCD to get into WinXP and the viruses return and they change often.

I tried to install Kaspersky and was forced to dump AVG and Spybot just to get an error code of 1500: another installation is in process.

I am stuck, frustrated and plead for help...my wife is a copy editor/writer and cannot work (3 days now) and the dog house is real wet in Florida right now.


Here I go...


DDS (Ver_09-05-14.01) - NTFSx86
Run by Wile E. Coyote at 23:18:45.59 on Fri 05/22/2009
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_02
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.3071.2416 [GMT -4:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\Program Files\Nero\Nero 9\InCD\InCDSrv.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\PROGRA~1\CACHEM~1\CachemanXP.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Nero\Nero 9\InCD\NBHRegInCDSrv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Norton Ghost\Agent\VProSvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\IoctlSvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\UTSCSI.EXE
C:\Program Files\Western Digital\WD Drive Manager\WDBtnMgrSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\TEMP\j0w5m0l.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\TEMP\j0w5m0l.exe
svchost.exe C:\WINDOWS\TEMP\VRT54.tmp
C:\WINDOWS\System32\reader_s.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Norton Ghost\Shared\Drivers\SymSnapService.exe
C:\WINDOWS\system32\msdtc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\xp-AntiSpy\xp-AntiSpy.exe
C:\WINDOWS\System32\alg.exe
C:\Documents and Settings\Wile E. Coyote\Desktop\dds.scr
C:\WINDOWS\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = about:blank
uInternet Settings,ProxyOverride = *.local
mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\windows\system32\ntos.exe,
BHO: c:\windows\system32\sdjee3inf.dll: {c6c7b2a1-00f3-42bd-f434-00aaba2c8953} - c:\windows\system32\sdjee3inf.dll
BHO: EpsonToolBandKicker Class: {e99421fb-68dd-40f0-b4ac-b7027cae2f1a} - c:\program files\epson\epson web-to-page\EPSON Web-To-Page.dll
TB: EPSON Web-To-Page: {ee5d279f-081b-4404-994d-c6b60aaeba6d} - c:\program files\epson\epson web-to-page\EPSON Web-To-Page.dll
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
mRun: [WD Drive Manager] c:\program files\western digital\wd drive manager\WDBtnMgrUI.exe
mRun: [MSConfig] c:\windows\pchealth\helpctr\binaries\MSConfig.exe /auto
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [reader_s] c:\windows\system32\reader_s.exe
mRunOnce: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
uPolicies-explorer: NoSMBalloonTip = 0 (0x0)
uPolicies-explorer: NoDesktopCleanupWizard = 1 (0x1)
uPolicies-explorer: NoRecentDocsNetHood = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
LSP: c:\windows\system32\iavlsp.dll
Trusted Zone: turbotax.com
DPF: vzTCPConfig - hxxp://www2.verizon.net/help/fios_settings_POTT20009/include/vzTCPConfig.CAB
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Notify: LBTWlgn - c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
AppInit_DLLs: wbsys.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
STS: c:\windows\system32\sdjee3inf.dll: {c6c7b2a1-00f3-42bd-f434-00aaba2c8953} - c:\windows\system32\sdjee3inf.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\wilee~1.coy\applic~1\mozilla\firefox\profiles\pnxsv8qk.default\

============= SERVICES / DRIVERS ===============

R0 si3112r;Silicon Image SiI 3112 SATARaid Controller;c:\windows\system32\drivers\SI3112r.sys [2007-7-4 110128]
R0 SiWinAcc;SiWinAcc;c:\windows\system32\drivers\SiWinAcc.sys [2007-7-4 17328]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2008-5-28 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2008-5-28 55024]
R2 CachemanXPService;CachemanXP;c:\progra~1\cachem~1\CachemanXP.exe [2008-2-29 378368]
R2 LBeepKE;LBeepKE;c:\windows\system32\drivers\LBeepKE.sys [2009-2-4 10384]
R2 NeroRegInCDSrv;Nero Registry InCD Service;c:\program files\nero\nero 9\incd\NBHRegInCDSrv.exe [2008-11-7 108568]
R2 Symantec SymSnap VSS Provider;Symantec SymSnap VSS Provider;c:\windows\system32\dllhost.exe [2004-8-4 25600]
R2 WDBtnMgrSvc.exe;WD Drive Manager Service;c:\program files\western digital\wd drive manager\WDBtnMgrSvc.exe [2008-7-24 122880]
R3 SymSnapService;SymSnapService;c:\program files\norton ghost\shared\drivers\SymSnapService.exe [2007-12-20 1558000]
R3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [2009-4-30 11520]
S0 mdjga;mdjga;c:\windows\system32\drivers\obraxmka.sys --> c:\windows\system32\drivers\obraxmka.sys [?]
S0 mpefxsi;mpefxsi;c:\windows\system32\drivers\ghpg.sys --> c:\windows\system32\drivers\ghpg.sys [?]
S0 nvcchflt;NVIDIA Disk Cache Filter Driver;c:\windows\system32\drivers\nvcchflt.sys [2008-2-29 16640]
S0 oongycf;oongycf;c:\windows\system32\drivers\yaqymux.sys --> c:\windows\system32\drivers\yaqymux.sys [?]
S0 pewmlkx;pewmlkx;c:\windows\system32\drivers\mvgbjo.sys --> c:\windows\system32\drivers\mvgbjo.sys [?]
S0 zrhsh;zrhsh;c:\windows\system32\drivers\jrzfcsf.sys --> c:\windows\system32\drivers\jrzfcsf.sys [?]
S2 ioloFileInfoList;iolo FileInfoList Service; [x]
S2 ioloSystemService;iolo System Service; [x]
S3 AdobeActiveFileMonitor7.0;Adobe Active File Monitor V7;c:\program files\adobe\photoshop elements 7.0\PhotoshopElementsFileAgent.exe [2008-9-16 169312]
S3 NC100;Network Everywhere Fast Ethernet Adapter(NC100 v2);c:\windows\system32\drivers\NC100A.sys [2001-2-23 35013]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2008-5-28 7408]
UnknownUnknown restore;restore; [x]

============== File Associations ===============

JSEFile=NOTEPAD.EXE %1
VBEFile=NOTEPAD.EXE %1
VBSFile=NOTEPAD.EXE %1

=============== Created Last 30 ================

2009-05-22 23:03 61,440 a------- c:\windows\system32\drivers\clkcnjjv.sys
2009-05-22 22:53 0 a------- C:\5D.tmp
2009-05-22 22:53 0 a------- C:\5C.tmp
2009-05-22 22:53 0 a------- C:\5B.tmp
2009-05-22 22:53 60,929 a------- c:\windows\system32\reader_s.ex_
2009-05-22 22:53 0 a------- C:\56.tmp
2009-05-22 22:53 0 a------- C:\53.tmp
2009-05-22 22:53 0 a------- C:\52.tmp
2009-05-22 22:53 0 a------- C:\51.tmp
2009-05-22 22:53 0 a------- C:\50.tmp
2009-05-22 22:52 0 a------- C:\4F.tmp
2009-05-22 22:52 0 a------- C:\4E.tmp
2009-05-22 22:52 0 a------- C:\4D.tmp
2009-05-22 22:52 0 a------- C:\4C.tmp
2009-05-22 22:52 0 a------- C:\4B.tmp
2009-05-22 22:52 0 a------- C:\4A.tmp
2009-05-22 22:52 0 a------- C:\49.tmp
2009-05-22 22:52 51,712 a------- C:\2F.tmp
2009-05-22 22:52 15,000 a------- c:\windows\system32\sdjee3inf.dl_
2009-05-22 21:58 169,984 ac------ c:\windows\system32\dllcache\msconfig.exe
2009-05-22 21:53 0 a------- C:\48.tmp
2009-05-22 21:53 0 a------- C:\47.tmp
2009-05-22 21:53 0 a------- C:\46.tmp
2009-05-22 21:53 0 a------- C:\45.tmp
2009-05-22 19:25 0 a------- c:\windows\system32\3C.tmp
2009-05-22 19:25 120 a------- c:\windows\system32\39.tmp
2009-05-22 19:25 0 a------- C:\37.tmp
2009-05-22 19:25 0 a------- C:\36.tmp
2009-05-22 19:25 0 a------- C:\35.tmp
2009-05-22 19:25 0 a------- C:\34.tmp
2009-05-22 19:25 0 a------- C:\33.tmp
2009-05-22 19:25 0 a------- C:\32.tmp
2009-05-22 19:25 0 a------- C:\30.tmp
2009-05-22 19:25 0 a------- C:\2E.tmp
2009-05-22 19:25 0 a------- C:\2D.tmp
2009-05-22 19:25 0 a------- C:\2C.tmp
2009-05-22 19:24 0 a------- C:\2B.tmp
2009-05-22 19:24 0 a------- C:\2A.tmp
2009-05-22 19:24 0 a------- C:\29.tmp
2009-05-22 19:24 0 a------- C:\28.tmp
2009-05-22 19:24 0 a------- C:\27.tmp
2009-05-22 19:24 51,712 a------- C:\25.tmp
2009-05-21 06:24 664 a------- c:\windows\system32\d3d9caps.dat
2009-05-20 22:52 0 a------- C:\16.tmp
2009-05-20 22:52 0 a------- C:\15.tmp
2009-05-20 22:52 0 a------- C:\14.tmp
2009-05-20 22:52 0 a------- C:\13.tmp
2009-05-20 22:52 0 a------- C:\12.tmp
2009-05-20 22:52 0 a------- C:\11.tmp
2009-05-20 22:52 0 a------- C:\10.tmp
2009-05-20 22:52 0 a------- C:\F.tmp
2009-05-20 22:52 0 a------- C:\E.tmp
2009-05-20 22:52 0 a------- C:\D.tmp
2009-05-20 22:52 0 a------- C:\C.tmp
2009-05-20 22:52 0 a------- C:\B.tmp
2009-05-20 22:51 0 a------- C:\A.tmp
2009-05-20 22:51 0 a------- C:\9.tmp
2009-05-20 22:51 0 a------- C:\8.tmp
2009-05-20 22:51 0 a------- C:\7.tmp
2009-05-20 22:51 51,712 a------- C:\6.tmp
2009-05-20 22:18 2,126 a------- c:\windows\system32\wpa.dbl
2009-05-20 06:38 <DIR> --d----- c:\program files\Trend Micro
2009-05-19 19:59 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Kaspersky Lab Setup Files
2009-05-19 01:47 0 a------- c:\windows\EEventManager.INI
2009-05-18 20:17 <DIR> --d----- C:\SP3
2009-05-17 22:03 <DIR> -cd-h--- c:\docume~1\alluse~1\applic~1\{92E7A367-8E12-4830-AA70-29C32E331A81}
2009-05-17 16:07 71 a------- c:\windows\PrintCD.INI
2009-05-16 22:06 12,189 a------- c:\windows\system32\EPPICResdb0000
2009-05-16 22:06 121 a------- c:\windows\system32\EPPICResdb
2009-05-16 21:58 <DIR> --d----- c:\program files\ABBYY FineReader 6.0 Sprint
2009-05-16 21:57 <DIR> --d----- c:\docume~1\alluse~1\applic~1\ArcSoft
2009-05-16 21:55 86,528 a------- c:\windows\system32\E_FLBEMA.DLL
2009-05-16 21:55 78,848 a------- c:\windows\system32\E_FD4BEMA.DLL
2009-05-16 21:53 <DIR> --d----- c:\docume~1\alluse~1\applic~1\EPSON
2009-05-16 21:53 <DIR> --d----- c:\program files\Epson Software
2009-05-16 21:52 71,680 a------- c:\windows\system32\escwiad.dll
2009-05-16 21:52 9,216 a------- c:\windows\system32\escdev.dll
2009-05-16 21:52 44 a------- c:\windows\EPART800.ini
2009-05-05 21:56 <DIR> --d----- c:\docume~1\wilee~1.coy\applic~1\ErrorSmart
2009-05-02 07:48 4,767 a------- c:\windows\Irremote.ini
2009-05-01 22:14 19,096 a------- c:\windows\system32\drivers\InCDRec.sys
2009-05-01 22:14 129,944 a------- c:\windows\system32\drivers\InCDFs.sys
2009-05-01 22:14 41,880 a------- c:\windows\system32\drivers\InCDRm.sys
2009-05-01 22:14 48,152 a------- c:\windows\system32\drivers\InCDPass.sys
2009-05-01 22:14 <DIR> --d----- c:\program files\Nero
2009-04-30 19:27 <DIR> a-d----- C:\MyBook
2009-04-30 19:16 <DIR> --d----- c:\program files\Western Digital Corporation
2009-04-30 19:16 11,520 a------- c:\windows\system32\drivers\wdcsam.sys
2009-04-30 19:16 <DIR> --d----- c:\program files\Western Digital
2009-04-30 19:16 20,992 a------- c:\windows\jestertb.dll
2009-04-30 19:15 43,904 ac------ c:\windows\system32\dllcache\sbp2port.sys
2009-04-30 19:15 43,904 a------- c:\windows\system32\drivers\sbp2port.sys

==================== Find3M ====================

2009-05-22 23:03 986 a------- c:\program files\lpunou.txt
2009-05-19 01:44 182,912 a------- c:\windows\system32\drivers\ndis.sys
2009-04-06 15:32 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-06 15:32 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-01-13 09:35 1,693,928 a------- c:\docume~1\wilee~1.coy\applic~1\GDIPFONTCACHEV1.DAT
2008-12-07 20:57 87,608 a------- c:\docume~1\wilee~1.coy\applic~1\inst.exe

============= FINISH: 23:19:06.70 ===============
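A triage pass over the kinds of lines this DDS report contains, added here as an example (it is not DDS's own code and not from anyone on the thread). The sample lines are constructed from entries quoted above; the three checks flag extra entries chained onto the Winlogon Userinit value, files run from a TEMP directory, and boot-start drivers whose file DDS could not locate.

```python
import re

# Constructed sample in the shape of the DDS report above: running processes,
# the Winlogon Userinit value, and two service/driver entries.
SAMPLE_DDS = r"""
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\TEMP\j0w5m0l.exe
svchost.exe C:\WINDOWS\TEMP\VRT54.tmp
mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\windows\system32\ntos.exe,
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
R0 si3112r;Silicon Image SiI 3112 SATARaid Controller;c:\windows\system32\drivers\SI3112r.sys [2007-7-4 110128]
S0 mdjga;mdjga;c:\windows\system32\drivers\obraxmka.sys --> c:\windows\system32\drivers\obraxmka.sys [?]
"""

# A drive-letter path up to the next whitespace or bracket.
PATH_RE = re.compile(r"[a-z]:\\[^\s\[\]]+", re.I)


def userinit_extras(line):
    """Userinit normally holds a single entry, userinit.exe. Anything chained
    after it is launched at every logon, which is how ntos.exe persists here."""
    m = re.match(r"mWinlogon:\s*Userinit=(.*)$", line, re.I)
    if not m:
        return []
    entries = [e.strip() for e in m.group(1).split(",") if e.strip()]
    return [e for e in entries if not e.lower().endswith("userinit.exe")]


def temp_paths(line):
    """Executables or .tmp files loaded from a TEMP directory; services and
    system processes are not normally run from there."""
    return [p for p in PATH_RE.findall(line) if "\\temp\\" in p.lower()]


def missing_boot_driver(line):
    """R0/S0 entries are boot-start kernel drivers; a trailing '[?]' means the
    driver file could not be located on disk, a sign of a hidden component."""
    m = re.match(r"([RS]0)\s+([^;]+);[^;]*;.*\[\?\]\s*$", line)
    return m.group(2) if m else None


def triage(report):
    """Run all three checks over a whole report and collect the findings."""
    findings = {"userinit": [], "temp": [], "drivers": []}
    for line in report.splitlines():
        findings["userinit"] += userinit_extras(line)
        findings["temp"] += temp_paths(line)
        drv = missing_boot_driver(line)
        if drv:
            findings["drivers"].append(drv)
    return findings
```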

#2 fireman4it

    Bleepin' Fireman

  • Malware Response Team

Posted 23 May 2009 - 04:20 PM

Hello ralphwolf,

Welcome to Bleeping Computer.

Sorry for delayed response. Forums have been really busy.

My name is fireman4it and I will be helping you with your Malware problem.
As I am still in training I will be helping you under supervision of our expert teachers, so there may be a delay between posts.

Please make no further changes or run any other tools unless instructed to. This may hinder the cleaning of your machine.

I will be analyzing your log. I will get back to you with instructions after it is approved.

"Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-


If I have helped you, consider making a donation to help me continue the fight against Malware!


#3 fireman4it

    Bleepin' Fireman

  • Malware Response Team

Posted 24 May 2009 - 11:12 AM

Hello ralphwolf,

Your System is infected with Virut!!
Virut is a file infecting virus which is able to modify itself each and every time it runs. In addition, when it infects, sometimes it will destroy the file it tries to latch onto.
For these reasons, you really can't truly fix Virut. You will need to format/reinstall the operating system on this machine.

More information:
http://free.avg.com/66558

There are bugs in the viral code. When the virus produces infected files, it also creates non-functional files that also contain the virus.


http://home.mcafee.com/VirusInfo/VirusProf...aspx?key=143034

W32/Virut.h is a polymorphic, entry point obscuring (EPO) file infector with IRC bot functionality. It can accept commands to download other malware on the compromised machine.
It appends to the end of the last section of executable (PE) files an encrypted copy of its code. The decryptor is polymorphic and can be located either:
Immediately before the encrypted code at the end of the last section
At the end of the code section of the infected host in 'slack-space' (assuming there is any)
At the original entry point of the host (overwriting the original host code)
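An added example (not from the McAfee write-up and not from anyone on this thread) showing how the first two decryptor placements described above can be surfaced from PE headers alone: an entry point that lands outside the first code section, or a last section that has been made executable and writable. build_pe constructs a minimal two-section PE32 header purely for the demonstration, and the heuristics are assumptions for triage, not Virut signatures; the third placement, overwriting the original entry point, leaves the headers untouched and needs code inspection instead.

```python
import struct

IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def build_pe(entry_rva, last_chars):
    """Constructed minimal PE32 header (not a real binary): .text at RVA 0x1000
    and .data at RVA 0x2000, 0x1000 bytes each; no code or data follows."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)           # e_lfanew = 0x40
    # Magic, linker versions, three sizes, AddressOfEntryPoint (offset 16), BaseOfCode
    opt = struct.pack("<HBBIIIII", 0x10B, 0, 0, 0, 0, 0, entry_rva, 0)
    opt += b"\0" * (224 - len(opt))                               # pad to PE32 size
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, len(opt), 0x102)
    secs = b""
    for name, rva, chars in ((b".text", 0x1000, IMAGE_SCN_MEM_EXECUTE | 0x20),
                             (b".data", 0x2000, last_chars)):
        secs += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"),
                            0x1000, rva, 0x1000, 0, 0, 0, 0, 0, chars)
    return dos + coff + opt + secs


def parse_sections(data):
    """Return (AddressOfEntryPoint, [(name, rva, size, characteristics), ...])."""
    pe = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsec = struct.unpack_from("<H", data, pe + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe + 20)[0]
    entry = struct.unpack_from("<I", data, pe + 24 + 16)[0]
    sections, off = [], pe + 24 + opt_size
    for i in range(nsec):
        name, vsize, va, raw, _, _, _, _, _, chars = struct.unpack_from(
            "<8sIIIIIIHHI", data, off + 40 * i)
        sections.append((name.rstrip(b"\0").decode(), va, max(vsize, raw), chars))
    return entry, sections


def infection_indicators(data):
    """Header-level hints matching the first two decryptor placements above."""
    entry, sections = parse_sections(data)
    findings = []
    holder = next((s for s in sections if s[1] <= entry < s[1] + s[2]), None)
    first_exec = next((s for s in sections if s[3] & IMAGE_SCN_MEM_EXECUTE), None)
    if holder is None:
        findings.append("entry point outside every section")
    elif holder is not first_exec:
        findings.append(f"entry point in {holder[0]} rather than the first code section")
    last = sections[-1]
    if last[3] & IMAGE_SCN_MEM_EXECUTE and last[3] & IMAGE_SCN_MEM_WRITE:
        findings.append(f"last section {last[0]} is executable and writable")
    return findings


# Constructed samples: a clean layout and one shaped like an appended decryptor.
CLEAN = build_pe(0x1000, 0x40 | 0x40000000 | IMAGE_SCN_MEM_WRITE)
SUSPECT = build_pe(0x2000, 0x40 | 0x40000000 | IMAGE_SCN_MEM_WRITE | IMAGE_SCN_MEM_EXECUTE)
```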



#4 ralphwolf

  • Topic Starter

Posted 24 May 2009 - 07:36 PM

Awesome news !!! :/

Thanks for your help.

Would you like me to e-mail the virus came in that my wife opened? Along with this virus, you get a free 3-day / 4 night stay in Orlando. ;)

#5 fireman4it

    Bleepin' Fireman

  • Malware Response Team

Posted 24 May 2009 - 07:58 PM

Hello ralphwolf,

I think you can keep your trip! lol :thumbup2:

You can go here if you need help reinstalling/reformatting your machine.


#6 kahdah

  • Security Colleague

Posted 25 May 2009 - 06:53 AM

Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :thumbup2:

If you're the topic starter and need this topic reopened, please contact me via PM with the address of the thread.

Everyone else please begin a New Topic.
Please do not pm for help, post it in the forums instead.

If I am helping you and have not responded for 48 hours please send me a pm as I don't always get notifications.

My help is always free, however, if you would like to make a donation to me for the help I have provided please click here.



