Malware infection in XP

February 17, 2009 at 08:10:32
Specs: Windows XP

My Windows XP boots fine until the screen for the selection of the User account. When I select an account (doesn't matter which), the Taskbar/Desktop icons never appear.
But things seem to be working, though, as sometimes, some alerts from Panda Antivirus appear (but just advertisement. They don't reference any virus).

I can start the Windows Task Manager (via Ctrl+Alt+Delete) and I see that I have some malware processes running (e.g. 9129837.exe, xccef090131). I terminate them. I've also found that in the folder Windows/system32 there were some malware executables. I've also deleted them.

However, when I restart the computer, those malware processes/executables are created again.

I've also seen some messages saying that "msas2009.exe" and the application Utool has found some errors. These are also known malware.

Things I've tried: running Malwarebytes, but I can't install it. I go to Windows Task Bar -> File -> New Task (Run...) and try to run the setup for Malwarebytes, but nothing happens.
But, some executables I can run: I run the Command Prompt without any problems (via the same system).

I've also tried to terminate the explorer.exe process and re-running it. Still, no Taskbar appears.

Finally, I've run a full system scan with Panda Antivirus 2009... Nothing was found...

Anyone knows how I can remove this malware. Maybe by seeing the programs that are being run as Windows starts and eliminating some?

Help me, please.

NOTE: The same thing happens when I launch XP in Security Mode (by holding F8 at start-up).

See More: Malware infection in XP

Report •

February 17, 2009 at 10:17:14
You have to do everything you mentioned
before but in SAFE MODE. After all that
then REBOOT and again do the same
again. Don,t skip anything you do before. All
is right. If after all the MW still go to
Panda Web Site,do the online scan and
follow the instructions.

Report •

February 17, 2009 at 12:18:28
Like I said, the same thing happens in Safe Mode.

Report •

February 17, 2009 at 13:39:38
Sorry! Do you try to run MSCONFIG if
you can and look there for a possible fix on
boot start.

Report •

Related Solutions

February 17, 2009 at 15:10:52
Start by disabling system restore (all restore points will be lost). Then boot into safe mode & try running your malware scan...if MalwareBytes doesn't work or won't install, try something else. And get a decent anti-v program.

Report •

February 17, 2009 at 15:48:51
Thanks for your answers. I'll try to run MSCONFIG later.

Meanwhile, I've run Malwarebytes and 53 infected files were reported. I've removed them. Now (after rebooting), it can't find any more infected files, however, nothing seems to have changed (still no Taskbar/desktop icons).

Afterwards, I've run HijackThis. The log produced is:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 23:18:14, on 17-02-2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\Programas\Panda Security\Panda Antivirus 2008\pavsrv51.exe
C:\Programas\Panda Security\Panda Antivirus 2008\AVENGINE.EXE
C:\Programas\Ficheiros comuns\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Programas\Ficheiros comuns\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Programas\Panda Security\Panda Antivirus 2008\PsCtrls.exe
C:\Programas\Ficheiros comuns\Panda Software\PavShld\pavprsrv.exe
C:\Programas\Panda Security\Panda Antivirus 2008\PsImSvc.exe
C:\Programas\Panda Security\Panda Antivirus 2008\ApvxdWin.exe
C:\Programas\Panda Security\Panda Antivirus 2008\WebProxy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = [url][/url]
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = [url][/url]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [url][/url]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = [url][/url]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = [url][/url]
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = [url][/url]
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hiperligações
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\Documents and Settings\ArLima\vyfitan.exe \s,
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programas\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Programas\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Programas\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Programas\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Programas\Google\Google Toolbar\Component\fastsearch_219B3E1547538286.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Programas\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Programas\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [THotkey] C:\Programas\Toshiba\Toshiba Applet\thotkey.exe
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe
O4 - HKLM\..\Run: [TDispVol] TDispVol.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
O4 - HKLM\..\Run: [NVRotateSysTray] rundll32.exe C:\WINDOWS\system32\nvsysrot.dll,Enable
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [SynTPEnh] C:\Programas\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ZCfgSvc.exe] C:\WINDOWS\system32\ZCfgSvc.exe
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Programas\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [APVXDWIN] "C:\Programas\Panda Security\Panda Antivirus 2008\APVXDWIN.EXE" /s
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Programas\Ficheiros comuns\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Programas\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programas\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Programas\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Programas\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKLM\..\RunOnce: [Malwarebytes Anti-Malware (reboot)] "C:\Programas\Malwarebytes' Anti-Malware\RENAMEDmbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Programas\Ficheiros comuns\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [swg] C:\Programas\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [updateMgr] C:\Programas\Adobe\Acrobat 7.0\Acrobat\AdobeUpdateManager.exe AcPro7_1_0 -reboot 1
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Nokia.PCSync] "C:\Programas\Nokia\Nokia PC Suite 6\PCSync2.exe" /NoDialog
O4 - HKCU\..\Run: [PC Suite Tray] "C:\Programas\Nokia\Nokia PC Suite 6\PCSuite.exe" -onlytray
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [ttool] C:\WINDOWS\9129837.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Programas\Ficheiros comuns\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Bluetooth Monitor.lnk = ?
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Programas\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Programas\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Programas\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Programas\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Programas\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Programas\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Programas\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Programas\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Pesquisar - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programas\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programas\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - [url][/url]
O23 - Service: Adobe LM Service - Adobe Systems - C:\Programas\Ficheiros comuns\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Programas\Ficheiros comuns\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Programas\Bonjour\mDNSResponder.exe
O23 - Service: DVD-RAM_Service - Matsua Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Programas\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Ajuda e suporte helpsvcRpcLocator (helpsvcRpcLocator) - Unknown owner - C:\WINDOWS\system32\adsmsextd.exe
O23 - Service: Serviço iPod (iPod Service) - Apple Inc. - C:\Programas\iPod\bin\iPodService.exe
O23 - Service: LEC TranslateDotNet Server - Language Engineering Corporation, LLC - C:\Programas\Power Translator 12\LogoMedia TranslateDotNet Server.exe
O23 - Service: NBService - Nero AG - C:\Programas\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Programas\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NMIndexingService - Nero AG - C:\Programas\Ficheiros comuns\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Panda Software Controller - Panda Software International - C:\Programas\Panda Security\Panda Antivirus 2008\PsCtrls.exe
O23 - Service: Panda Process Protection Service (PavPrSrv) - Panda Software - C:\Programas\Ficheiros comuns\Panda Software\PavShld\pavprsrv.exe
O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software International - C:\Programas\Panda Security\Panda Antivirus 2008\pavsrv51.exe
O23 - Service: Panda IManager Service (PSIMSVC) - Panda Software International - C:\Programas\Panda Security\Panda Antivirus 2008\PsImSvc.exe
O23 - Service: ServiceLayer - Nokia. - C:\Programas\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: TOSHIBA Application Service (TAPPSRV) - TOSHIBA Corp. - C:\Programas\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
O23 - Service: Usb Service 2.0 - UToo - C:\WINDOWS\usbservice.exe

End of file - 10422 bytes

Report •

February 18, 2009 at 05:35:14
maybe create a batch or exe file to delete the processes then embed it in the startup files

Report •

February 27, 2009 at 03:59:14
My computer was infected with Virus.Win32.Virut.ce.
The computer used to have Panda Antivirus installed. But since it proved inefficient and since Kaspersky recognized Virut (and could disinfect files infected by it), I uninstalled Panda and installed Kaspersky 2009. The installation went fine until I rebooted my computer.

Besides only seeing the desktop. I couldn't access the Windows Task Manager. I couldn't run any program.

So I ended up using a bootable CD to copy the files I wanted and reinstalled Windows.
All is well now.

Report •

Ask Question