
Annoying Virus

February 16, 2009 at 09:37:52
Specs: Windows XP

Ok, I got a really annoying virus here...

It disables my Task Manager and Registry Editing, and apparently doesn't let me run services (when I try to install BitDefender it says I don't have privileges to do so).

Yes, I am an administrator account.

Tried to go into safe mode, but after it loads the dlls and stuff, I get a blue screen, so that's no help either.

I checked logs, and from what it looks like, I removed all unknown stuff from there (well, at least I think I did), but there's still a random temporary file that keeps being created and run on the computer.

c:\docs&sets\myuser\Local Settings\Temp\win(insert_random_characters_here).exe
Curiously though, after last restart it was created on C:\Windows\Temp\ folder instead

I always manage to close and delete it, but after a while another new file is created there, and is running again. It's constantly blocking the Task Manager and Registry Editing over and over. I'm really going crazy here, tbh... :D

I already tried to install Malwarebytes, AVG, BitDefender, and some other stuff. Malwarebytes worked, but no success in cleaning anything. AVG and BitDefender just didn't install because of services. My Spybot - Search and Destroy doesn't open either.

Really, never seen a virus as annoying as this, which btw, I have no idea how I got infected :P

Any quick responses would be appreciated!

Here goes the log:

DDS (Ver_09-02-01.01) - NTFSx86
Run by Giovanni at 11:48:01.76 on Mon 02/16/2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2046.1242 [GMT -5:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\msftesql.exe
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\Program Files\Microsoft SQL Server\MSSQL.2\OLAP\bin\msmdsrv.exe
D:\Program Files\NetLimiter 2 Pro\nlsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
C:\WINDOWS\system32\vmnat.exe
D:\Program Files\RealVNC\VNC4\WinVNC4.exe
D:\Program Files\VMware\VMware Workstation\vmware-authd.exe
C:\WINDOWS\system32\vmnetdhcp.exe
D:\Program Files\NetLimiter 2 Pro\NLClient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\kxmixer.exe
C:\WINDOWS\system32\xRaidSetup.exe
D:\Program Files\Babylon\Babylon-Pro\Babylon.exe
D:\Program Files\VMware\VMware Workstation\vmware-tray.exe
D:\Program Files\VMware\VMware Workstation\hqtray.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
D:\Program Files\DAEMON Tools Lite\daemon.exe
C:\Program Files\Microsoft IntelliPoint\dpupdchk.exe
D:\Program Files\Steam\Steam.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Messenger\msmsgs.exe
D:\Program Files\Vidalia Bundle\Vidalia\vidalia.exe
D:\Program Files\Vidalia Bundle\Privoxy\privoxy.exe
D:\Program Files\No-IP\DUC20.exe
C:\Program Files\MessengerDiscovery\MessengerDiscovery Live.exe
C:\WINDOWS\system32\wuauclt.exe
D:\Program Files\Vidalia Bundle\Tor\tor.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\WINDOWS\TEMP\winrnekwo.exe
C:\Documents and Settings\Giovanni\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
uInternet Settings,ProxyServer = 127.0.0.1:8118
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
BHO: IE to GetRight Helper: {31ff080d-12a3-439a-a2ef-4ba95a3148e8} - d:\program files\getright\xx2gr.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
uRun: [MsnMsgr] "c:\program files\windows live\messenger\MsnMsgr.Exe" /background
uRun: [DAEMON Tools Lite] "d:\program files\daemon tools lite\daemon.exe" -autorun
uRun: [Steam] "d:\program files\steam\Steam.exe" -silent
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [Vidalia] "d:\program files\vidalia bundle\vidalia\vidalia.exe"
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [kX Mixer] c:\windows\system32\kxmixer.exe --startup
mRun: [JMB36X IDE Setup] c:\windows\raidtool\xInsIDE.exe
mRun: [36X Raid Configurer] c:\windows\system32\xRaidSetup.exe boot
mRun: [RoxioDragToDisc] "d:\program files\roxio\easy media creator 7\drag to disc\DrgToDsc.exe"
mRun: [Babylon Client] d:\program files\babylon\babylon-pro\Babylon.exe -AutoStart
mRun: [vmware-tray] d:\program files\vmware\vmware workstation\vmware-tray.exe
mRun: [VMware hqtray] "d:\program files\vmware\vmware workstation\hqtray.exe"
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\ipoint.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\giovanni\startm~1\programs\startup\no-ipd~1.lnk - d:\program files\no-ip\DUC20.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\privoxy.lnk - d:\program files\vidalia bundle\privoxy\privoxy.exe
uPolicies-system: DisableRegistryTools = 1 (0x1)
uPolicies-system: DisableTaskMgr = 1 (0x1)
mPolicies-system: EnableLUA = 0 (0x0)
dPolicies-system: DisableTaskMgr = 1 (0x1)
dPolicies-system: DisableRegistryTools = 1 (0x1)
IE: Download with GetRight Pro - d:\program files\getright\GRdownload.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office12\EXCEL.EXE/3000
IE: Open with GetRight Pro Browser - d:\program files\getright\GRbrowse.htm
IE: Translate with &Babylon - d:\program files\babylon\babylon-pro\utils\BabylonIEPI.dll/Translate.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBC} - c:\program files\java\jre6\bin\jp2iexp.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~4\office12\ONBttnIE.dll
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office12\REFIEBAR.DLL
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} - hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.4.3.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1211494144359
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1211511992812
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} - hxxp://plugin.driveragent.com/files/driveragent.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
AppInit_DLLs: sockspy.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\giovanni\applic~1\mozilla\firefox\profiles\b4h50u3o.default\

============= SERVICES / DRIVERS ===============

R1 nltdi;nltdi;c:\windows\system32\drivers\nltdi.sys [2007-4-23 82200]
R3 abp470n5;abp470n5;\??\c:\windows\system32\drivers\jtmjnk.sys --> c:\windows\system32\drivers\jtmjnk.sys [?]
R3 kxwdmdrv;kX WDM Driver Service;c:\windows\system32\drivers\kx.sys [2008-4-4 568320]
S2 MsDtsServer;SQL Server Integration Services;d:\program files\microsoft sql server\90\dts\binn\MsDtsSrvr.exe [2008-12-18 284512]
S3 ddsxeiservice;ddsxeiservice2;c:\program files\valve\sxe injected\ddsxei.sys [2008-8-20 43392]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2007-1-25 42000]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;c:\program files\microsoft visual studio 8\common7\ide\remote debugger\x86\msvsmon.exe [2006-12-2 2805000]

=============== Created Last 30 ================

2009-02-16 11:17 <DIR> --d----- c:\program files\LIUtilities
2009-02-16 04:19 <DIR> --d----- c:\docume~1\giovanni\applic~1\Malwarebytes
2009-02-16 04:19 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-02-16 03:54 161,792 a------- c:\windows\SWREG.exe
2009-02-16 03:54 98,816 a------- c:\windows\sed.exe
2009-02-16 03:54 <DIR> --d----- C:\ComboFix
2009-02-16 03:50 <DIR> --d----- c:\docume~1\alluse~1\applic~1\BitDefender
2009-02-16 03:49 <DIR> --d----- c:\program files\common files\Softwin
2009-02-16 03:05 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SecTaskMan
2009-02-16 01:54 <DIR> --d----- c:\program files\Trojan Remover
2009-02-16 01:37 <DIR> --d-h--- c:\windows\system32\GroupPolicy
2009-02-12 16:03 <DIR> --d----- c:\program files\Unity
2009-02-12 00:28 40 a---h--- c:\windows\system32\ivireg.ivr
2009-02-11 23:02 <DIR> --d----- c:\windows\SQLTools9_KB960089_ENU
2009-02-11 23:01 <DIR> --d----- c:\windows\DTS9_KB960089_ENU
2009-02-11 23:00 <DIR> --d----- c:\windows\NS9_KB960089_ENU
2009-02-11 23:00 <DIR> --d----- c:\windows\OLAP9_KB960089_ENU
2009-02-11 22:58 <DIR> --d----- c:\windows\SQL9_KB960089_ENU
2009-02-11 16:57 <DIR> --d----- c:\program files\Seagate
2009-02-08 12:56 6,266 a--sh--- c:\docume~1\alluse~1\applic~1\KGyGaAvL.sys
2009-02-08 12:56 168 ---shr-- c:\docume~1\alluse~1\applic~1\37EE009DC7.sys
2009-02-08 12:54 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Corel
2009-01-31 04:07 139 a------- c:\windows\Hide-IP-Browser.INI
2009-01-28 01:47 4,096 a------- c:\windows\d3dx.dat
2009-01-28 00:32 182,272 a------- c:\windows\patchw32.dll
2009-01-26 02:56 <DIR> --d----- c:\windows\pss
2009-01-25 20:50 77,824 a------- c:\windows\system32\MagicTuneUser.exe
2009-01-25 20:50 40,960 a------- c:\windows\system32\nvgpio.dll
2009-01-25 20:50 36,864 a------- c:\windows\system32\nvapi9x.dll
2009-01-25 20:50 13,396 a------- c:\windows\system32\drivers\MTiCtwl.sys
2009-01-25 20:49 443,392 a------- c:\windows\system32\SliderExCtrl.ocx
2009-01-25 20:49 65,536 a------- c:\windows\system32\Gif89.dll
2009-01-25 19:52 <DIR> --d----- c:\program files\Microsoft

==================== Find3M ====================

2008-12-20 18:15 826,368 a------- c:\windows\system32\wininet.dll
2008-12-16 00:32 410,984 a------- c:\windows\system32\deploytk.dll
2008-11-24 09:32 57,344 a------- c:\windows\system32\ff_vfw.dll

============= FINISH: 11:48:14.34 ===============


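A quick triage of the DDS log in the post above, written as an added example (it is not part of the original post and not DDS's own code). It picks out the four things in that log a responder would look at first: the Policies\System values that switch off Task Manager and regedit (in HKCU and in the Default User hive), the executable running from C:\WINDOWS\TEMP, the AppInit_DLLs entry (a DLL Windows loads into every process that links user32.dll), and the R3 driver service whose file DDS could not stat (the trailing `[?]`). The regex shapes, the u/m/d-to-hive mapping, and the sample lines are assumptions built only from the lines quoted in the log; the script flags lines for review, it does not pronounce them malicious.

```python
"""Triage a DDS-style log for the indicators described in the post above.

Added example; not the poster's code and not part of the DDS tool.
Regex shapes and the u/m/d hive mapping are assumptions based only on
the log lines quoted in the post.
"""
import re
from dataclasses import dataclass

# Constructed sample: lines excerpted from the posted DDS log, plus benign
# lines (spoolsv, ctfmon, nltdi, EnableLUA) that must NOT be flagged.
SAMPLE_LOG = r"""
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\TEMP\winrnekwo.exe
C:\Documents and Settings\Giovanni\Desktop\dds.scr
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
uPolicies-system: DisableRegistryTools = 1 (0x1)
uPolicies-system: DisableTaskMgr = 1 (0x1)
mPolicies-system: EnableLUA = 0 (0x0)
dPolicies-system: DisableTaskMgr = 1 (0x1)
AppInit_DLLs: sockspy.dll
R1 nltdi;nltdi;c:\windows\system32\drivers\nltdi.sys [2007-4-23 82200]
R3 abp470n5;abp470n5;\??\c:\windows\system32\drivers\jtmjnk.sys --> c:\windows\system32\drivers\jtmjnk.sys [?]
"""

# DDS prefixes (assumed): u = HKCU, m = HKLM, d = the Default User hive.
HIVE = {"u": "HKCU", "m": "HKLM", "d": "HKU\\.DEFAULT"}
POLICY_RE = re.compile(
    r"^([umd])Policies-system:\s*(DisableTaskMgr|DisableRegistryTools)\s*=\s*1\b", re.I)
# Any executable image whose path contains a "...\Temp\" component.
TEMP_EXE_RE = re.compile(
    r"^[a-z]:\\(?:.*\\)?temp\\[^\\]+\.(?:exe|dll|scr|com|pif)$", re.I)
APPINIT_RE = re.compile(r"^AppInit_DLLs:\s*(\S.*)$", re.I)
# "<R|S><n> name;display;path [?]": the trailing [?] means DDS found no
# file date/size, i.e. the driver file is missing, hidden, or unreadable.
DRIVER_RE = re.compile(r"^([RS]\d)\s+([^;]+);[^;]*;(.*)\s\[\?\]$")


@dataclass
class Finding:
    indicator: str   # policy | temp_exe | appinit_dll | unverified_driver
    line: str        # the offending log line, verbatim
    note: str        # what it means and what to do about it


def triage(log_text: str) -> list:
    """Return one Finding per suspicious line; benign lines produce nothing."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = POLICY_RE.match(line)
        if m:
            hive = HIVE[m.group(1).lower()]
            findings.append(Finding("policy", line,
                f"{m.group(2)}=1 under {hive}\\...\\Policies\\System; "
                "clearing it only sticks once the process that re-sets it is stopped"))
            continue
        if TEMP_EXE_RE.match(line):
            findings.append(Finding("temp_exe", line,
                "process image lives in a Temp directory; hash and copy it before killing it"))
            continue
        m = APPINIT_RE.match(line)
        if m:
            findings.append(Finding("appinit_dll", line,
                f"AppInit_DLLs loads {m.group(1)} into every user32-linked process; "
                "verify its publisher and on-disk location"))
            continue
        m = DRIVER_RE.match(line)
        if m:
            path = m.group(3).split(" --> ")[-1]
            findings.append(Finding("unverified_driver", line,
                f"driver service {m.group(2)} points at {path} but DDS could not "
                "stat the file; kernel-mode persistence candidate"))
    return findings


def counts(findings) -> dict:
    """Indicator -> number of hits, for a one-line summary."""
    out = {}
    for f in findings:
        out[f.indicator] = out.get(f.indicator, 0) + 1
    return out


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.indicator}] {f.line}\n    -> {f.note}")
```

Two caveats that the log itself supports: the `ProxyServer = 127.0.0.1:8118` entry matches the Privoxy startup item in the same log, so not every odd-looking line is hostile, and the policy findings are deliberately ordered after the Temp executable because, as the poster found with Malwarebytes, deleting the DisableTaskMgr/DisableRegistryTools values achieves nothing while the process that rewrites them is still running.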


#1
February 16, 2009 at 10:28:16

Try to scan with Malwarebytes' Anti-Malware
http://www.malwaresupport.com/mbam/...

or Scan with
http://www.eset.eu/eos/eset-online-...



#2
February 16, 2009 at 10:42:13

I can't access any virus scan websites, and already used Malwarebytes with no help...

When it tries to access the temps folder, it throws an exception error:

"Exception Processing Message c0000013 Parameters 75b6bf9c 75b6bf9c 75b6bf9c
Cancel Try again Continue"



#3
February 16, 2009 at 10:45:12

Malwarebytes only finds what I know already, the edited Registry keys, which is of no help at all, since the virus keeps on putting that back after I remove it anyway...

Malwarebytes' Anti-Malware 1.34
Database version: 1766
Windows 5.1.2600 Service Pack 2

2/16/2009 1:43:49 PM
mbam-log-2009-02-16 (13-43-49).txt

Scan type: Quick Scan
Objects scanned: 73069
Time elapsed: 2 minute(s), 47 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools (Hijack.Regedit) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)



#4
February 16, 2009 at 11:12:10

Check mail


#5
February 16, 2009 at 11:17:32

Already replied to your PM and sent the mail with your request


#6
February 16, 2009 at 11:31:47

Well, I replied to the post on mail!
