Computer Infected with IHAUPD.exe



#1 regvw

regvw

  • Members
  • 4 posts
  • OFFLINE
  • Local time:09:41 PM

Posted 17 December 2009 - 05:47 PM

Hi,
Firstly, I am delighted to have found your site and am hoping you will be able to help me with my problem.

A few days ago I noticed a pop-up on my PC stating Ihaupd.exe had encountered a problem and needed to close. I noticed my PC was running very slow and looked around the C drive. I found Ihaupd.exe in the start-up folder and deleted it, but this did me no good and the PC was as slow as ever. I think Ihaupd.exe is now back in the start-up folder again. I opened the Task Manager and I can see svchost is running multiple times and taking up 98% of the CPU between the different instances.

The PC is so slow that I am connected to the internet on another PC; to run the logs you requested I had to put the infected PC into Safe Mode.

Also, I could not run RootRepeal.exe as I get an error message stating RootRepeal is not a valid Win32 application.

I am running Win XP on my PC.


Here is my log.


DDS (Ver_09-12-01.01) - NTFSx86 MINIMAL
Run by Administrator at 21:40:34.78 on 17/12/2009
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Professional 5.1.2600.2.1252.353.1033.18.493.294 [GMT 0:00]

AV: Spyware Doctor with AntiVirus *On-access scanning disabled* (Updated) {D3C23B96-C9DC-477F-8EF1-69AF17A6EFF6}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\dwwin.exe
E:\dds.scr
C:\WINDOWS\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

mDefault_Page_URL = hxxp://www.google.ie
mSearchAssistant = hxxp://www.google.com/ie
mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\windows\system32\sdra64.exe,
mWinlogon: Taskman=c:\recycler\s-1-5-21-0436744625-3055703904-048057964-7434\wnzip32.exe
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 6.0\reader\activex\AcroIEHelper.dll
BHO: PC Tools Browser Guard BHO: {2a0f3d1b-0909-4ff4-b272-609cce6054e7} - c:\program files\spyware doctor\bdt\PCTBrowserDefender.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.4.4525.1752\swg.dll
BHO: EpsonToolBandKicker Class: {e99421fb-68dd-40f0-b4ac-b7027cae2f1a} - c:\program files\epson\epson web-to-page\EPSON Web-To-Page.dll
TB: EPSON Web-To-Page: {ee5d279f-081b-4404-994d-c6b60aaeba6d} - c:\program files\epson\epson web-to-page\EPSON Web-To-Page.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: PC Tools Browser Guard: {472734ea-242a-422b-adf8-83d1e48cc825} - c:\program files\spyware doctor\bdt\PCTBrowserDefender.dll
uRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [SiS Tray] c:\windows\system32\sistray .EXE
mRun: [SiS KHooker] c:\windows\system32\khooker.exe
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [WinampAgent] c:\program files\winamp\winampa.exe
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [SunJavaUpdateSched] c:\program files\java\j2re1.4.2_11\bin\jusched.exe
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask .exe" -atboottime
mRun: [TRUUpdater] "c:\program files\sierra wireless inc\webupdater\TRUUpdater.exe" /bkground
mRun: [AirCardEnabler]
mRun: [WatcherHelper] "c:\program files\sierra wireless inc\3g watcher\WaHelper.exe"
mRun: [AS00_Gear511] c:\program files\netgear\wg511scu\utility.\Gear511.exe -hide
mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
mRun: [Microsoft Driver Setup] c:\windows\ccdrive32.exe
mRun: [reader_s] c:\windows\system32\reader_s.exe
mRun: [sysgif32] c:\windows\temp\~TMD.tmp
mRun: [ISTray] "c:\program files\spyware doctor\pctsTray.exe"
mRun: [IObit Security 360] "c:\program files\iobit\iobit security 360\IS360tray.exe" /autostart
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
dRun: [reader_s] c:\documents and settings\localservice\reader_s.exe
mExplorerRun: [Microsoft Driver Setup] c:\windows\ccdrive32.exe
IE: {40B2063F-DB01-4962-BE63-59435C01283C} - c:\progra~1\paddyp~1\client.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - c:\windows\system32\msjava.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: Yahoo! Poker - hxxp://download.games.yahoo.com/games/clients/y/pt3_x.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1113509699152
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/products/plugin/autodl/jinstall-1_4-windows-i586.cab
DPF: {CAFEEFAC-0014-0002-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

============= SERVICES / DRIVERS ===============

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2009-12-16 207792]
S0 00905a4d;00905a4d;\SystemRoot\\SystemRoot\System32\drivers\00905a4d.sys --> \SystemRoot\\SystemRoot\System32\drivers\00905a4d.sys [?]
S0 ckrvby;ckrvby;c:\windows\system32\drivers\ckrvby.sys [2009-12-15 0]
S1 6a81472e.sys;6a81472e.sys;\??\c:\windows\system32\drivers\6a81472e.sys --> c:\windows\system32\drivers\6a81472e.sys [?]
S1 b0506cdb.sys;b0506cdb.sys;\??\c:\windows\system32\drivers\b0506cdb.sys --> c:\windows\system32\drivers\b0506cdb.sys [?]
S1 qnl1131;qnl1131;c:\windows\system32\drivers\qnl1131.sys [2009-12-15 153728]
S1 qol0796;qol0796;c:\windows\system32\drivers\qol0796.sys [2009-12-15 153728]
S2 ALGNWDLS;Application Layer Gateway Service ALGNWDLS;c:\windows\system32\adodcq.exe srv --> c:\windows\system32\ADODCq.exe srv [?]
S2 Browser Defender Update Service;Browser Defender Update Service;c:\program files\spyware doctor\bdt\BDTUpdateService.exe [2009-12-16 112592]
S2 BrowserSSDPSRV;Computer Browser BrowserSSDPSRV;c:\windows\system32\1025q.exe srv --> c:\windows\system32\1025q.exe srv [?]
S2 dmserverALGNWDLS;Logical Disk Manager dmserverALGNWDLS;c:\windows\system32\acelpdeck.exe srv --> c:\windows\system32\acelpdeck.exe srv [?]
S2 ImapiServiceSharedAccess;IMAPI CD-Burning COM Service ImapiServiceSharedAccess;c:\windows\system32\12520437h.exe srv --> c:\windows\system32\12520437h.exe srv [?]
S2 IrmonOracleMTSRecoveryService;Infrared Monitor IrmonOracleMTSRecoveryService;c:\windows\system32\accwizv.exe srv --> c:\windows\system32\accwizv.exe srv [?]
S2 IS360service;IS360service;c:\program files\iobit\iobit security 360\is360srv.exe [2009-12-16 312592]
S2 MSDTCwscsvc;Distributed Transaction Coordinator MSDTCwscsvc;c:\windows\system32\12500852w.exe srv --> c:\windows\system32\12500852w.exe srv [?]
S2 MSDTCwscsvcwinmgmt;Distributed Transaction Coordinator MSDTCwscsvc MSDTCwscsvcwinmgmt;c:\windows\system32\ac3filtera.exe srv --> c:\windows\system32\ac3filtera.exe srv [?]
S2 OracleServiceXE;OracleServiceXE;c:\oraclexe\app\oracle\product\10.2.0\server\bin\oracle.exe xe --> c:\oraclexe\app\oracle\product\10.2.0\server\bin\ORACLE.EXE XE [?]
S2 OracleXETNSListener;OracleXETNSListener;c:\oraclexe\app\oracle\product\10.2.0\server\bin\TNSLSNR.EXE [2006-2-2 204800]
S2 RDSessMgrWmiApSrv;Remote Desktop Help Session Manager RDSessMgrWmiApSrv;c:\windows\system32\admwproxa.exe srv --> c:\windows\system32\admwproxa.exe srv [?]
S2 RSVPwscsvc;QoS RSVP RSVPwscsvc;c:\windows\system32\acctrese.exe srv --> c:\windows\system32\acctrese.exe srv [?]
S2 sdAuxService;PC Tools Auxiliary Service;c:\program files\spyware doctor\pctsAuxs.exe [2009-12-16 359624]
S2 sdCoreService;PC Tools Security Service;c:\program files\spyware doctor\pctsSvc.exe [2009-12-16 1141712]
S2 Shell32;Shell32;c:\windows\system32\com\oboe32\shell32.exe [2003-1-2 2113024]
S2 Shell32iPodService;Shell32 Shell32iPodService;c:\windows\system32\accwizvt.exe srv --> c:\windows\system32\accwizvt.exe srv [?]
S2 Winlogon;Winlogon;c:\windows\system32\com\oboe32\rundmc.exe [2003-1-2 306304]
S2 WZCSVCLmHosts;Wireless Zero Configuration WZCSVCLmHosts;c:\windows\system32\12520860i.exe srv --> c:\windows\system32\12520860i.exe srv [?]
S3 AWINDIS5;AWINDIS5 Protocol Driver;c:\windows\system32\AWINDIS5.SYS [2009-10-10 16194]
S3 GoogleDesktopManager-110309-193829;Google Desktop Manager 5.9.911.3589;c:\program files\google\google desktop search\googledesktop.exe [2009-12-16 40960]
S3 IPN2220;Wireless-G Notebook Adapter ver.4.0 Driver;c:\windows\system32\drivers\i2220ntx.sys [2005-10-30 117248]
S3 NETGEAR_WG511_SERVICE;NETGEAR WG511T Wireless Adapter Service;c:\windows\system32\drivers\wg511nd5.sys [2009-10-10 488992]
S3 SWNC8U90;Sierra Wireless MUX NDIS Driver (UMTS90);c:\windows\system32\drivers\swnc8u90.sys [2008-12-2 173312]
S3 SWUMX90;Sierra Wireless USB MUX Driver (UMTS90);c:\windows\system32\drivers\swumx90.sys [2008-11-17 145280]
S4 OracleJobSchedulerXE;OracleJobSchedulerXE;c:\oraclexe\app\oracle\product\10.2.0\server\bin\extjob.exe xe --> c:\oraclexe\app\oracle\product\10.2.0\server\bin\extjob.exe XE [?]

=============== Created Last 30 ================

2009-12-17 08:11:50 40960 ----a-w- c:\windows\system32\soundman.exe
2009-12-17 07:55:53 54272 ----a-w- c:\windows\system32\reader_s.exe.delme804
2009-12-17 07:55:53 54272 ----a-w- c:\windows\system32\reader_s .exe
2009-12-17 07:53:48 40960 ----a-w- c:\windows\system32\nerocheck.exe
2009-12-16 20:58:26 40960 ----a-w- c:\windows\system32\khooker.exe
2009-12-16 20:58:06 40960 ----a-w- c:\windows\system32\sistray .exe
2009-12-16 20:50:27 4 ----a-w- c:\program files\reader_s.exe476835.dat
2009-12-16 20:27:06 0 d-----w- c:\docume~1\alluse~1\applic~1\IObit
2009-12-16 20:26:27 0 d-----w- c:\program files\IObit
2009-12-16 20:07:21 882 ----a-w- c:\windows\RegSDImport.xml
2009-12-16 20:07:21 880 ----a-w- c:\windows\RegISSImport.xml
2009-12-16 20:07:21 767952 ----a-w- c:\windows\BDTSupport.dll
2009-12-16 20:07:21 149456 ----a-w- c:\windows\SGDetectionTool.dll
2009-12-16 20:07:21 131 ----a-w- c:\windows\IDB.zip
2009-12-16 20:07:20 165840 ----a-w- c:\windows\PCTBDRes.dll
2009-12-16 20:07:20 1640400 ----a-w- c:\windows\PCTBDCore.dll
2009-12-16 20:07:20 1152444 ----a-w- c:\windows\UDB.zip
2009-12-16 20:06:52 7387 ----a-w- c:\windows\system32\drivers\pctgntdi.cat
2009-12-16 20:06:52 233136 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2009-12-16 20:06:12 87784 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2009-12-16 20:06:12 7412 ----a-w- c:\windows\system32\drivers\PCTAppEvent.cat
2009-12-16 20:06:12 7383 ----a-w- c:\windows\system32\drivers\pctcore.cat
2009-12-16 20:06:12 207792 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2009-12-16 20:05:47 7383 ----a-w- c:\windows\system32\drivers\pctplsg.cat
2009-12-16 20:05:47 70408 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2009-12-16 20:05:25 0 d-----w- c:\program files\Spyware Doctor
2009-12-16 20:05:25 0 d-----w- c:\program files\common files\PC Tools
2009-12-16 20:05:25 0 d-----w- c:\docume~1\alluse~1\applic~1\PC Tools
2009-12-16 20:00:38 124 ----a-w- c:\windows\system32\uses32.dat
2009-12-16 20:00:38 100 ----a-w- c:\windows\system32\flags.ini
2009-12-16 19:57:31 0 d-sh--w- c:\windows\system32\lowsec
2009-12-16 19:57:05 9728 ----a-w- C:\ivas.exe
2009-12-16 19:57:01 16384 ----a-w- C:\vpvymo.exe
2009-12-16 19:57:00 192512 ----a-w- C:\wouvs.exe
2009-12-16 19:36:46 716288 ----a-w- c:\windows\system32\drivers\wdfgh.sys
2009-12-16 19:36:20 43936 ----a-w- c:\windows\system32\drivers\00905a4d.sys
2009-12-16 19:36:08 65536 ----a-w- c:\windows\system\svchost.exe
2009-12-16 19:35:59 40960 ----a-w- C:\qwghr.exe
2009-12-15 21:48:23 153728 ----a-w- c:\windows\system32\drivers\qnl1131.sys
2009-12-15 21:43:31 153728 ----a-w- c:\windows\system32\drivers\qol0796.sys
2009-12-15 19:00:14 0 ----a-w- c:\windows\system32\drivers\ckrvby.sys
2009-12-15 19:00:01 591 --s-a-w- c:\windows\system32\2592662183.dat
2009-12-15 18:59:51 65536 ----a-w- C:\meglhe.exe
2009-12-15 18:59:51 119296 ----a-w- C:\stwgjpw.exe
2009-12-15 18:59:41 40960 ----a-w- c:\windows\ccdrive32.exe.delme220
2009-12-15 18:59:41 102400 --sha-r- c:\windows\ccdrive32 .exe
2009-12-15 18:59:41 102400 --sh--r- c:\windows\ccdrive32.exe

==================== Find3M ====================

2009-12-16 19:49:55 40960 ----a-w- c:\windows\system32\sistray.exe
2009-12-15 19:12:36 182912 ----a-w- c:\windows\system32\drivers\ndis.sys
2006-03-23 00:27:10 488992 ----a-w- c:\windows\inf\wg511nd5.sys

============= FINISH: 21:41:27.87 ===============
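A defender's triage pass over the kind of DDS lines quoted in the post above, as an added example (not BleepingComputer's, the DDS tool's or the poster's code). The sample lines are constructed from the thread, and the rules (one program in Userinit, no Taskman value, no space before an extension, no autoruns from temp, no service whose display name is a real description with its own name appended, no `srv --> ... [?]` image path) are assumptions about what separates the forged entries from the legitimate ones:

```python
import re

# Constructed sample, modelled on the DDS "Pseudo HJT Report" and service lines quoted above.
SAMPLE = r"""
mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\windows\system32\sdra64.exe,
mWinlogon: Taskman=c:\recycler\s-1-5-21-0436744625-3055703904-048057964-7434\wnzip32.exe
mRun: [SiS Tray] c:\windows\system32\sistray .EXE
mRun: [sysgif32] c:\windows\temp\~TMD.tmp
mRun: [ISTray] "c:\program files\spyware doctor\pctsTray.exe"
S2 ALGNWDLS;Application Layer Gateway Service ALGNWDLS;c:\windows\system32\adodcq.exe srv --> c:\windows\system32\ADODCq.exe srv [?]
S2 sdAuxService;PC Tools Auxiliary Service;c:\program files\spyware doctor\pctsAuxs.exe [2009-12-16 359624]
"""


def check_line(line):
    """Return the reasons (possibly none) why one DDS line deserves a closer look."""
    reasons = []
    low = line.lower()
    if low.startswith("mwinlogon: userinit="):
        # A clean XP box lists exactly one program here: userinit.exe (assumed rule).
        exes = [p for p in line.split("=", 1)[1].split(",") if p.strip()]
        if len(exes) != 1 or not exes[0].lower().endswith("\\userinit.exe"):
            reasons.append("Userinit chains an extra executable after userinit.exe")
    elif low.startswith("mwinlogon: taskman="):
        # Taskman is not set at all on a default XP install (assumed rule).
        reasons.append("Taskman value present; points to " + line.split("=", 1)[1])
    elif re.match(r"[umd]run: \[", low):
        if re.search(r"\s\.(exe|scr|com)\b", low):
            reasons.append("space before the extension mimics a legitimate file name")
        if "\\temp\\" in low or low.endswith(".tmp"):
            reasons.append("autorun target lives in a temp directory")
    elif re.match(r"[rs]\d ", low):
        parts = line.split(";")
        if len(parts) >= 3:
            svc, disp, path = parts[0][3:], parts[1], parts[2]
            # Rogue services borrow a real description and tack their own name on the end.
            if disp != svc and disp.split() and disp.split()[-1] == svc:
                reasons.append("display name is a real description with the rogue name appended")
            if " srv --> " in path.lower() and path.rstrip().endswith("[?]"):
                reasons.append("image path rewritten with 'srv' and DDS could not stat the file")
    return reasons


def triage(log_text):
    """Map each flagged DDS line to its reasons; unflagged lines are omitted."""
    report = {}
    for raw in log_text.splitlines():
        line = raw.strip()
        hits = check_line(line)
        if hits:
            report[line] = hits
    return report


if __name__ == "__main__":
    for line, why in triage(SAMPLE).items():
        print(line[:60], "->", "; ".join(why))
```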



#2 fenzodahl512

fenzodahl512

  • Members
  • 6,738 posts
  • OFFLINE
  • Local time:05:41 AM

Posted 18 December 2009 - 08:58 AM

It looks like Virut; let's run some scanners, and if I find that it is indeed Virut, I'm sorry but a reformat is the only way.. Let's do this one first..

Please download The Comedian.exe by Rorschach112 to your desktop
  • Please disable all of your antivirus/firewall before doing this step. Please visit HERE if you don't know how..
  • Double-click the program to run it. It will only take several minutes to run.
  • It will do a series of tasks and tell you when each one is finished.
  • You will be prompted to press any key after each step.
  • When it is done it will close and exit itself automatically.
  • You can delete The_Comedian.exe once it is finished.
STOP! If you can't complete this step.. tell me more about it..



Please make sure you disable ALL of your Antivirus/Antispyware/Firewall before running our fixes.. Please visit HERE if you don't know how.. Please re-enable them after performing all the steps given..

Please download this program by sUBs and save it to your Desktop. Then, after you disable all security programs, simply run it (double-click it).

If the program asks you to install the Recovery Console, please do so.. It will be in your best interest..

When finished, it shall produce a log for you. Post that log and a fresh HijackThis log in your next reply..

Note: DON'T do anything with your computer while the program is running.. Just let it finish..

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
Its gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive


#3 regvw

regvw
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  • Local time:09:41 PM

Posted 22 December 2009 - 04:11 PM

Thanks Fenzo for looking at my problem. I am going to try and run those scans now.

I will try and download the programs you mentioned on the infected PC. To get the logs I had previously posted, I first downloaded the apps to a different PC and transferred them via a USB key. However, once I put the key back in the good PC, the virus protection software detected there was a worm virus on the key. So I will not be trying this again, as I do not want to get a virus on the other PC.

I will see if I can run the scans and post another reply then.

Thanks again
Reg

#4 regvw

regvw
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  • Local time:09:41 PM

Posted 22 December 2009 - 04:49 PM

Hi Fenzo,
I had no luck trying to run the scans. The PC will not connect to the internet; if it does, it immediately gives an Internet Explorer error and closes down.
I have some VB code on the PC that I really need to keep. Will I be able to save this if I have to do a clean install?

Could this code be infected by the virus if I do save it?

Thanks
Reg

#5 regvw

regvw
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  • Local time:09:41 PM

Posted 22 December 2009 - 04:52 PM

ntvdm.exe is now running at 98% on the infected PC.

#6 fenzodahl512

fenzodahl512

  • Members
  • 6,738 posts
  • OFFLINE
  • Local time:05:41 AM

Posted 23 December 2009 - 06:17 AM

First of all, uninstall these programs from your computer (if present):

Anti-Virus Professional v5.0
IObit Security 360
Java 2 Runtime Environment, SE v1.4.2_11
Spyware Doctor 7.0

Second, make sure you back up all your data first, including your VB code.. The reason I asked you to do that is that I suspect the computer is infected with Win32.Virut, and if it's true, the only way is to reformat..

Third, can you at least run ComboFix via Safe Mode?
