Infected with everything...started with ntos.exe (I think)

Thanks for any and all help. My issue has me quite troubled. I had AVG running constantly but somehow got a virus. I think it started with ntos.exe. Anyways, it has taken me 3 days just to get the internet working to be able to read and post. I am having to use the Ultimate Winboot disk to get windows to start in non-Safe Mode to use internet. So far, I have used Spybot, Malwarebytes, SuperAntiSpyware and AVG to try and clean my system.

After using them, my system stops at the WinXP splash screen. I have been using F8 to go into Safe mode but the viruses come right back. So, to use internet I have been using the UBCD to get into WinXP and the viruses return and they change often.

I tried to install Kaspersky and was forced to dump AVG and Spybot just to get an error code of 1500: another installation is in process.

I am stuck, frustrated and plea for help...my wife is a copy editor/writer and cannot work (3 day now) and the dog house is real wet in Florida right now.


Here I go...


DDS (Ver_09-05-14.01) - NTFSx86
Run by Wile E. Coyote at 23:18:45.59 on Fri 05/22/2009
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_02
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.3071.2416 [GMT -4:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\Program Files\Nero\Nero 9\InCD\InCDSrv.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\PROGRA~1\CACHEM~1\CachemanXP.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Nero\Nero 9\InCD\NBHRegInCDSrv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Norton Ghost\Agent\VProSvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\IoctlSvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\UTSCSI.EXE
C:\Program Files\Western Digital\WD Drive Manager\WDBtnMgrSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\TEMP\j0w5m0l.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\TEMP\j0w5m0l.exe
svchost.exe C:\WINDOWS\TEMP\VRT54.tmp
C:\WINDOWS\System32\reader_s.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Norton Ghost\Shared\Drivers\SymSnapService.exe
C:\WINDOWS\system32\msdtc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\xp-AntiSpy\xp-AntiSpy.exe
C:\WINDOWS\System32\alg.exe
C:\Documents and Settings\Wile E. Coyote\Desktop\dds.scr
C:\WINDOWS\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = about:blank
uInternet Settings,ProxyOverride = *.local
mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\windows\system32\ntos.exe,
BHO: c:\windows\system32\sdjee3inf.dll: {c6c7b2a1-00f3-42bd-f434-00aaba2c8953} - c:\windows\system32\sdjee3inf.dll
BHO: EpsonToolBandKicker Class: {e99421fb-68dd-40f0-b4ac-b7027cae2f1a} - c:\program files\epson\epson web-to-page\EPSON Web-To-Page.dll
TB: EPSON Web-To-Page: {ee5d279f-081b-4404-994d-c6b60aaeba6d} - c:\program files\epson\epson web-to-page\EPSON Web-To-Page.dll
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
mRun: [WD Drive Manager] c:\program files\western digital\wd drive manager\WDBtnMgrUI.exe
mRun: [MSConfig] c:\windows\pchealth\helpctr\binaries\MSConfig.exe /auto
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [reader_s] c:\windows\system32\reader_s.exe
mRunOnce: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
uPolicies-explorer: NoSMBalloonTip = 0 (0x0)
uPolicies-explorer: NoDesktopCleanupWizard = 1 (0x1)
uPolicies-explorer: NoRecentDocsNetHood = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
LSP: c:\windows\system32\iavlsp.dll
Trusted Zone: turbotax.com
DPF: vzTCPConfig - hxxp://www2.verizon.net/help/fios_settings_POTT20009/include/vzTCPConfig.CAB
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Notify: LBTWlgn - c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
AppInit_DLLs: wbsys.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
STS: c:\windows\system32\sdjee3inf.dll: {c6c7b2a1-00f3-42bd-f434-00aaba2c8953} - c:\windows\system32\sdjee3inf.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\wilee~1.coy\applic~1\mozilla\firefox\profiles\pnxsv8qk.default\

============= SERVICES / DRIVERS ===============

R0 si3112r;Silicon Image SiI 3112 SATARaid Controller;c:\windows\system32\drivers\SI3112r.sys [2007-7-4 110128]
R0 SiWinAcc;SiWinAcc;c:\windows\system32\drivers\SiWinAcc.sys [2007-7-4 17328]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2008-5-28 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2008-5-28 55024]
R2 CachemanXPService;CachemanXP;c:\progra~1\cachem~1\CachemanXP.exe [2008-2-29 378368]
R2 LBeepKE;LBeepKE;c:\windows\system32\drivers\LBeepKE.sys [2009-2-4 10384]
R2 NeroRegInCDSrv;Nero Registry InCD Service;c:\program files\nero\nero 9\incd\NBHRegInCDSrv.exe [2008-11-7 108568]
R2 Symantec SymSnap VSS Provider;Symantec SymSnap VSS Provider;c:\windows\system32\dllhost.exe [2004-8-4 25600]
R2 WDBtnMgrSvc.exe;WD Drive Manager Service;c:\program files\western digital\wd drive manager\WDBtnMgrSvc.exe [2008-7-24 122880]
R3 SymSnapService;SymSnapService;c:\program files\norton ghost\shared\drivers\SymSnapService.exe [2007-12-20 1558000]
R3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [2009-4-30 11520]
S0 mdjga;mdjga;c:\windows\system32\drivers\obraxmka.sys --> c:\windows\system32\drivers\obraxmka.sys [?]
S0 mpefxsi;mpefxsi;c:\windows\system32\drivers\ghpg.sys --> c:\windows\system32\drivers\ghpg.sys [?]
S0 nvcchflt;NVIDIA Disk Cache Filter Driver;c:\windows\system32\drivers\nvcchflt.sys [2008-2-29 16640]
S0 oongycf;oongycf;c:\windows\system32\drivers\yaqymux.sys --> c:\windows\system32\drivers\yaqymux.sys [?]
S0 pewmlkx;pewmlkx;c:\windows\system32\drivers\mvgbjo.sys --> c:\windows\system32\drivers\mvgbjo.sys [?]
S0 zrhsh;zrhsh;c:\windows\system32\drivers\jrzfcsf.sys --> c:\windows\system32\drivers\jrzfcsf.sys [?]
S2 ioloFileInfoList;iolo FileInfoList Service; [x]
S2 ioloSystemService;iolo System Service; [x]
S3 AdobeActiveFileMonitor7.0;Adobe Active File Monitor V7;c:\program files\adobe\photoshop elements 7.0\PhotoshopElementsFileAgent.exe [2008-9-16 169312]
S3 NC100;Network Everywhere Fast Ethernet Adapter(NC100 v2);c:\windows\system32\drivers\NC100A.sys [2001-2-23 35013]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2008-5-28 7408]
UnknownUnknown restore;restore; [x]

============== File Associations ===============

JSEFile=NOTEPAD.EXE %1
VBEFile=NOTEPAD.EXE %1
VBSFile=NOTEPAD.EXE %1

=============== Created Last 30 ================

2009-05-22 23:03 61,440 a------- c:\windows\system32\drivers\clkcnjjv.sys
2009-05-22 22:53 0 a------- C:\5D.tmp
2009-05-22 22:53 0 a------- C:\5C.tmp
2009-05-22 22:53 0 a------- C:\5B.tmp
2009-05-22 22:53 60,929 a------- c:\windows\system32\reader_s.ex_
2009-05-22 22:53 0 a------- C:\56.tmp
2009-05-22 22:53 0 a------- C:\53.tmp
2009-05-22 22:53 0 a------- C:\52.tmp
2009-05-22 22:53 0 a------- C:\51.tmp
2009-05-22 22:53 0 a------- C:\50.tmp
2009-05-22 22:52 0 a------- C:\4F.tmp
2009-05-22 22:52 0 a------- C:\4E.tmp
2009-05-22 22:52 0 a------- C:\4D.tmp
2009-05-22 22:52 0 a------- C:\4C.tmp
2009-05-22 22:52 0 a------- C:\4B.tmp
2009-05-22 22:52 0 a------- C:\4A.tmp
2009-05-22 22:52 0 a------- C:\49.tmp
2009-05-22 22:52 51,712 a------- C:\2F.tmp
2009-05-22 22:52 15,000 a------- c:\windows\system32\sdjee3inf.dl_
2009-05-22 21:58 169,984 ac------ c:\windows\system32\dllcache\msconfig.exe
2009-05-22 21:53 0 a------- C:\48.tmp
2009-05-22 21:53 0 a------- C:\47.tmp
2009-05-22 21:53 0 a------- C:\46.tmp
2009-05-22 21:53 0 a------- C:\45.tmp
2009-05-22 19:25 0 a------- c:\windows\system32\3C.tmp
2009-05-22 19:25 120 a------- c:\windows\system32\39.tmp
2009-05-22 19:25 0 a------- C:\37.tmp
2009-05-22 19:25 0 a------- C:\36.tmp
2009-05-22 19:25 0 a------- C:\35.tmp
2009-05-22 19:25 0 a------- C:\34.tmp
2009-05-22 19:25 0 a------- C:\33.tmp
2009-05-22 19:25 0 a------- C:\32.tmp
2009-05-22 19:25 0 a------- C:\30.tmp
2009-05-22 19:25 0 a------- C:\2E.tmp
2009-05-22 19:25 0 a------- C:\2D.tmp
2009-05-22 19:25 0 a------- C:\2C.tmp
2009-05-22 19:24 0 a------- C:\2B.tmp
2009-05-22 19:24 0 a------- C:\2A.tmp
2009-05-22 19:24 0 a------- C:\29.tmp
2009-05-22 19:24 0 a------- C:\28.tmp
2009-05-22 19:24 0 a------- C:\27.tmp
2009-05-22 19:24 51,712 a------- C:\25.tmp
2009-05-21 06:24 664 a------- c:\windows\system32\d3d9caps.dat
2009-05-20 22:52 0 a------- C:\16.tmp
2009-05-20 22:52 0 a------- C:\15.tmp
2009-05-20 22:52 0 a------- C:\14.tmp
2009-05-20 22:52 0 a------- C:\13.tmp
2009-05-20 22:52 0 a------- C:\12.tmp
2009-05-20 22:52 0 a------- C:\11.tmp
2009-05-20 22:52 0 a------- C:\10.tmp
2009-05-20 22:52 0 a------- C:\F.tmp
2009-05-20 22:52 0 a------- C:\E.tmp
2009-05-20 22:52 0 a------- C:\D.tmp
2009-05-20 22:52 0 a------- C:\C.tmp
2009-05-20 22:52 0 a------- C:\B.tmp
2009-05-20 22:51 0 a------- C:\A.tmp
2009-05-20 22:51 0 a------- C:\9.tmp
2009-05-20 22:51 0 a------- C:\8.tmp
2009-05-20 22:51 0 a------- C:\7.tmp
2009-05-20 22:51 51,712 a------- C:\6.tmp
2009-05-20 22:18 2,126 a------- c:\windows\system32\wpa.dbl
2009-05-20 06:38 <DIR> --d----- c:\program files\Trend Micro
2009-05-19 19:59 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Kaspersky Lab Setup Files
2009-05-19 01:47 0 a------- c:\windows\EEventManager.INI
2009-05-18 20:17 <DIR> --d----- C:\SP3
2009-05-17 22:03 <DIR> -cd-h--- c:\docume~1\alluse~1\applic~1\{92E7A367-8E12-4830-AA70-29C32E331A81}
2009-05-17 16:07 71 a------- c:\windows\PrintCD.INI
2009-05-16 22:06 12,189 a------- c:\windows\system32\EPPICResdb0000
2009-05-16 22:06 121 a------- c:\windows\system32\EPPICResdb
2009-05-16 21:58 <DIR> --d----- c:\program files\ABBYY FineReader 6.0 Sprint
2009-05-16 21:57 <DIR> --d----- c:\docume~1\alluse~1\applic~1\ArcSoft
2009-05-16 21:55 86,528 a------- c:\windows\system32\E_FLBEMA.DLL
2009-05-16 21:55 78,848 a------- c:\windows\system32\E_FD4BEMA.DLL
2009-05-16 21:53 <DIR> --d----- c:\docume~1\alluse~1\applic~1\EPSON
2009-05-16 21:53 <DIR> --d----- c:\program files\Epson Software
2009-05-16 21:52 71,680 a------- c:\windows\system32\escwiad.dll
2009-05-16 21:52 9,216 a------- c:\windows\system32\escdev.dll
2009-05-16 21:52 44 a------- c:\windows\EPART800.ini
2009-05-05 21:56 <DIR> --d----- c:\docume~1\wilee~1.coy\applic~1\ErrorSmart
2009-05-02 07:48 4,767 a------- c:\windows\Irremote.ini
2009-05-01 22:14 19,096 a------- c:\windows\system32\drivers\InCDRec.sys
2009-05-01 22:14 129,944 a------- c:\windows\system32\drivers\InCDFs.sys
2009-05-01 22:14 41,880 a------- c:\windows\system32\drivers\InCDRm.sys
2009-05-01 22:14 48,152 a------- c:\windows\system32\drivers\InCDPass.sys
2009-05-01 22:14 <DIR> --d----- c:\program files\Nero
2009-04-30 19:27 <DIR> a-d----- C:\MyBook
2009-04-30 19:16 <DIR> --d----- c:\program files\Western Digital Corporation
2009-04-30 19:16 11,520 a------- c:\windows\system32\drivers\wdcsam.sys
2009-04-30 19:16 <DIR> --d----- c:\program files\Western Digital
2009-04-30 19:16 20,992 a------- c:\windows\jestertb.dll
2009-04-30 19:15 43,904 ac------ c:\windows\system32\dllcache\sbp2port.sys
2009-04-30 19:15 43,904 a------- c:\windows\system32\drivers\sbp2port.sys

==================== Find3M ====================

2009-05-22 23:03 986 a------- c:\program files\lpunou.txt
2009-05-19 01:44 182,912 a------- c:\windows\system32\drivers\ndis.sys
2009-04-06 15:32 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-06 15:32 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-01-13 09:35 1,693,928 a------- c:\docume~1\wilee~1.coy\applic~1\GDIPFONTCACHEV1.DAT
2008-12-07 20:57 87,608 a------- c:\docume~1\wilee~1.coy\applic~1\inst.exe

============= FINISH: 23:19:06.70 ===============

Hello ralphwolf ,

Welcome to Bleeping Computer.

Sorry for delayed response. Forums have been really busy.

My name is fireman4it and I will be helping you with your Malware problem.
As I am still in training I will be helping you under supervision of our expert teachers, so there may be a delay between posts.

Please make no further changes or run any other tools unless instructed to. This may hinder the cleaning of your machine.

I will be analyzing your log. I will get back to you with instructions after it is approved.

Hello ralphwolf,

Your System is infected with Virut!!
Virut is a file infecting virus which is able to modify itself each and every time it runs. In addition, when it infects, sometimes it will destroy the file it tries to latch onto.
For these reasons, you really can't truly fix Virut. You will need to format/reinstall the operating system on this machine.

More information:
http://free.avg.com/66558

There are bugs in the viral code. When the virus produces infected files, it also creates non-functional files that also contain the virus.

http://home.mcafee.com/VirusInfo/VirusProf...aspx?key=143034

W32/Virut.h is a polymorphic, entry point obscuring (EPO) file infector with IRC bot functionality. It can accept commands to download other malware on the compromised machine.
It appends to the end of the last section of executable (PE) files an encrypted copy of its code. The decryptor is polymorphic and can be located either:
Immediately before the encrypted code at the end of the last section
At the end of the code section of the infected host in 'slack-space' (assuming there is any)
At the original entry point of the host (overwriting the original host code)

Awesome news !!! :/

Thanks for you help.

Would you like me to e-mail the virus came in that my wife opened? Along with this virus, you get a free 3-day / 4 night stay in Orlando. ;)

Hello ralphwolf,

I think you can keep your trip! lol

You can go here if you need help reinstalling,reformatting you machine

Since this issue appears to be resolved ... this Topic has been closed. Glad we could help.

If your the topic starter, and need this topic reopened, please contact me via pm with the address of the thread.

Everyone else please begin a New Topic.