|
Answer» I was cruising some unscrupulous sites (my fault, so I partially deserve his) and clearly picked up something that was quite strong.
Managed to partially stop it (I think) before it fully got working but it has blocked me from opening any programs (other than Hijack this for some reason) and I can't boot into safe mode.
Typing this on my laptop since I can't open Firefox/IE/etc on the desktop.
Hijack This pops up a bunch of stuff that I'm fairly certain shouldn't be there, but obviously a little leery of just removing some files that MAY be needed w/o further input.
RUNNING Windows XP. Have disabled my internet also on the desktop in case it's trying to download stuff to expand/continue.
Got an alert that at least in part it was Virus.Win32.Gpcode.ak trying to come in, along with a couple of others. Any suggestions as to how I can best get info to you guys? Managed to get a clean HJ Report off via mobile drive. Happy to provide more as possible/requested. Thanks for any help you can provide.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:24:44 AM, on 7/6/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16850)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\DOCUME~1\Ryan\LOCALS~1\Temp\kn2jp7hf9.exe
C:\DOCUME~1\Ryan\LOCALS~1\Temp\kn2jp7hf9.exe
C:\DOCUME~1\Ryan\LOCALS~1\Temp\f.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Linksys\WMP11 Config Utility\WMP11CFG.exe
C:\DOCUME~1\Ryan\LOCALS~1\Temp\kn2jp7hf9.exe
C:\Program Files\MagicDisc\MagicDisc.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\Program Files\OpenOffice.org 2.4\program\soffice.exe
C:\Program Files\OpenOffice.org 2.4\program\soffice.BIN
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\fonts\services.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\DOCUME~1\Ryan\LOCALS~1\Temp\b.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\Iexplore.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
F3 - REG:win.ini: load=C:\WINDOWS\system32\msohqxlm.exe
F3 - REG:win.ini: run=C:\WINDOWS\system32\msqta.exe
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: C:\WINDOWS\system32\gsf83iujid.dll - {d76ab2a1-00f3-42bd-f434-00bbc39c8953} - C:\WINDOWS\system32\gsf83iujid.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 9\SnagItIEAddin.dll
O3 - Toolbar: AIM Toolbar - {61539ecd-cc67-4437-a03c-9aaccbd14326} - C:\Program Files\AIM Toolbar\aimtb.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [AT&T Communication Manager] "C:\Program Files\AT&T\Communication Manager\ATTCM.exe" -a
O4 - HKLM\..\Run: [autochk] rundll32.exe C:\WINDOWS\system32\autochk.dll,[emailprotected]
O4 - HKCU\..\Run: [igndlm.exe] C:\Program Files\IGN\Download Manager\DLM.exe /windowsstart /startifwork
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Steam] "C:\Program Files\Steam\Steam.exe" -silent
O4 - HKCU\..\Run: [] C:\DOCUME~1\Ryan\LOCALS~1\Temp\kn2jp7hf9.exe
O4 - HKCU\..\Run: [LowRiskFileTypes] C:\WINDOWS\sysguard.exe
O4 - HKCU\..\Run: [hsf7husjnfg98gi498aejhiugjkdg4] C:\DOCUME~1\Ryan\LOCALS~1\Temp\kn2jp7hf9.exe
O4 - HKCU\..\Run: [Windows System Recover!] C:\DOCUME~1\Ryan\LOCALS~1\Temp\smss.exe
O4 - HKCU\..\Run: [autochk] rundll32.exe C:\DOCUME~1\Ryan\protect.dll,[emailprotected]
O4 - HKCU\..\Run: [ColdWare] C:\DOCUME~1\Ryan\LOCALS~1\Temp\f.exe
O4 - HKCU\..\Run: [Cognac] C:\DOCUME~1\Ryan\LOCALS~1\Temp\b.exe
O4 - HKLM\..\Policies\Explorer\Run: [exec] C:\WINDOWS\system32\msmsbm.exe
O4 - HKUS\.DEFAULT\..\Run: [] C:\WINDOWS\TEMP\kiuft40lou.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [hsf7husjnfg98gi498aejhiugjkdg4] C:\WINDOWS\TEMP\kiuft40lou.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [Windows System Recover!] C:\WINDOWS\TEMP\debug.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [autochk] rundll32.exe C:\DOCUME~1\LOCALS~1\protect.dll,[emailprotected] (User 'Default user')
O4 - Startup: MagicDisc.lnk = C:\Program Files\MagicDisc\MagicDisc.exe
O4 - Startup: OpenOffice.org 2.4.lnk = C:\Program Files\OpenOffice.org 2.4\program\quickstart.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: Wireless PCI Card Configuration Utility.lnk = C:\Program Files\Linksys\WMP11 Config Utility\WMP11CFG.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - EXTRA context menu item: &AIM Toolbar Search - C:\Documents and Settings\All Users\Application Data\AIM Toolbar\ieToolbar\resources\en-US\local\search.html
O9 - Extra button: AIM Toolbar - {0b83c99c-1efa-4259-858f-bcb33e007a5b} - C:\Program Files\AIM Toolbar\aimtb.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: UltimateBet - {94148DB5-B42D-4915-95DA-2CBB4F7095BF} - C:\Program Files\UltimateBet.exe
O9 - Extra 'Tools' menuitem: UltimateBet - {94148DB5-B42D-4915-95DA-2CBB4F7095BF} - C:\Program Files\UltimateBet.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PokerSites\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PokerSites\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Bodog Poker - {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - C:\Program Files\Bodog Poker\BPGame.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: bmnet.dll
O10 - Unknown file in Winsock LSP: bmnet.dll
O10 - Unknown file in Winsock LSP: bmnet.dll
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (CDownloadCtrl Object) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.2.100.cab
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: ,C:\DOCUME~1\Ryan\LOCALS~1\Temp\38314765517mxx.dll
O20 - Winlogon Notify: __c0087625 - C:\WINDOWS\system32\__c0087625.dat
O22 - SharedTaskScheduler: rtasgvfu76ew8ndkfno94 - {D76AB2A1-00F3-42BD-F434-00BBC39C8953} - C:\WINDOWS\system32\gsf83iujid.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AT&T RcAppSvc (ATTRcAppSvc) - SmithMicro Inc. - C:\Program Files\AT&T\Communication Manager\RcAppSvc.exe
O23 - Service: B-Service - Unknown owner - C:\Documents and Settings\Ryan\Application Data\Mikogo\B-Service.exe
O23 - Service: Background Intelligent Transfer Service (BITS) - Unknown owner - C:\WINDOWS\
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logitech\Bluetooth\LBTServ.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PostgreSQL Database Server 8.3 (pgsql-8.3) - PostgreSQL Global Development Group - C:\Program Files\PostgreSQL\8.3\bin\pg_ctl.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: Automatic Updates (wuauserv) - Unknown owner - C:\WINDOWS\
--
End of file - 10474 bytesThe logs show that you are infected by an infection called Virut or Sality. Virut/Sality is a virus that infects all executable files and screensavers. Virut also opens a back door providing the attacker with unauthorized remote access to the infected computer. Definition: Polymorphic virus.
There is no way to cure this infection. Your only option is to perform a full reformat. Do NOT attempt a repair install. Trying to fix this infection will only leave the computer unusable. See Virut on the Rise and Virut and other File infectors - Throwing in the Towel? for more information.
Note that if you decide to try and clean this you must be extremely careful on what is backed up as these new infections can get into many different file extensions ( DLL, EXE, SCR, HTM, HTML, MP3, AVI, WMV, PDF.....etc). A complete reformat and reinstall is highly suggested! Avoid backing up compressed files (zip/cab/rar.....etc). Virut can also penetrate compressed files that have .exe or .scr inside them.
Backing up files before formatting
If you backup any files they should be scanned from a clean properly protected PC before restoring. Also be careful what scanner is used as some are very poor at detecting and even worse at protecting from this infection. In fact due to the nature of these new infections there are probably no tools that will properly protect you from the infection. Be very selective and only backup files you can not replace like text documents and personal photos.
Do not back up to another machine! It will likely become infected by Virut. Burn to DVD/CD, a flash drive or to an external drive which has nothing else on it and which you can format should it become infected from the backups.
I suggest running at least 3 of the below scanners on the backup files. Run the first scan then reboot before running the second then reboot after the second before running the third.
-) Dr.Web CureIt!
-) AVG Win32/Virut Removal Tool
-) Symantwc W32.Virut Removal Tool
-) McAfee Avert Stinger
-) Microsoft Windows MALICIOUS Software Removal Tool
If you do not know how to perform a fresh install, use this website -> http://www.windowsreinstall.com/
Very important, do the following immediately or as soon as possible!
If you have done any online transactions, call all of your banks, credit card companies, financial institutions and inform them that you may be a victim of identity theft and to put a watch on your accounts and/or change all of your account numbers.
From a clean computer change all of your online passwords including for email, banks, financial accounts, PayPal, eBay, online credit card companies and any online forums or groups you belong to etc.
DO NOT change passwords or do any transactions while using the infected computer. The attacker will get the new passwords and transaction information.
Thanks Evil
Looks like only one solution, so I'll carefully try and salvage what I can before wiping clean and starting over.
|
