Tech Support Guy Forums > Security & Malware Removal > Virus & Other Malware Removal
Solved: XP BSOD in Safe Mode or After Logon Normal Mode

mike11237
Junior Member with 12 posts.
Join Date: Jul 2009
Experience: Intermediate
06-Jul-2009, 01:51 AM #1
XP BSOD in Safe Mode or After Logon Normal Mode
First of all hello everyone, I'm new. So anyway, I'm working on a friend's computer that was infected with the System Security 2009 virus, and it also has some forms of Vundo, Rustock, Renos, and Virtumonde, according to Windows Defender. It is running Windows XP Professional SP2, I believe; IBM Thinkpad R51e, Pentium M processor. Because of the problems I am NOW having, I'm assuming one of them is a rootkit. So basically when logging on first, the System Security disabled the Task Manager and would not let me run any installers for antivirus. It also closed currently open antivirus software.

The computer would not boot in safe mode; it BSOD'd on mup.sys (which is not the problem... whatever the next process in the list is...) with STOP 0x0000007B (something about an inaccessible boot device.) What I ended up doing is opening task manager as I logged in and killed the malicious process before it had a chance to kill everything else. Then, a bunch of ads popped up and tasks such as o.exe or p.exe or random letters.exe started appearing, all of which I terminated. Then, the computer seemed fine.

I decided to try and kill this thing and immediately ran Ad-Aware, which was already on the system; it found a few tracking cookies... Next, I decided to install a trial of NOD32, which I swear by. It "could not complete the installation". Great. I disabled all startup entries of the bad software in msconfig (is it possible I unchecked something I shouldn't have? I don't think I did...) The AVG free software on the PC would not work for me at all. I figured I'd manually delete the files. Of course, I found out then that the folder options tab was missing (to enable viewing of hidden files), and since I was not the administrator, I could not change that or edit the registry.

I moved on to Spybot; it looked like it would take a while, so I went to get a snack. When I came back, I found that the computer had restarted way before the scan should have finished. I typed in the login info for the administrator, and it logged in fine, and all the icons, normal wallpaper, software, came on. And then, BAM. Bsod. STOP 0x0000008E. I restarted and tried to log in as the main user (not Admin) again. As soon as I hit "enter" after typing the password, bsod. Also 0x0000008E. I restarted in Recovery Console and ran CHKDSK. One or more errors found. Then did chkdsk /r to repair them. No difference. Safe mode still returns 0x0000007B (w or w/o networking). Last known good configuration results in STOP 0x00000050. Then I ran ClamAV through the Trinity Rescue Kit, which found 1 virus and quarantined it, but still no changes in startup.

I managed to get screens of the task manager when logged in as Admin right before the bsod, as sometimes the bsod takes longer to come up. As I can't run HijackThis, I'll name processes I know don't belong:
fsusbexservice.exe
reader_s.exe ---> I think this is a virus (Virut -- added by Troj/Agent-IUT) that stops a machine from running executables - might be the main problem.
sopidkc.exe ---> Installed by Avast antivirus... which was on the system
avast!antivirus.exe ---> Also part of problem... don't think it's legit
The random gibberish tasks were gone. That's all I'm able to get before the system blue screens.

Any help on what I'm dealing with or even how to get the computer to boot without bsod-ing would be GREATLY appreciated. Thanks in advance

Last edited by mike11237; 07-Jul-2009 at 12:07 AM..
sludge3000
Member with 342 posts.
Join Date: Oct 2008
Location: York, UK
Experience: Intermediate
06-Jul-2009, 08:38 AM #2
You should click on report in the bottom left of your post and ask for this thread to be moved to the malware removal forum where someone can help you with your malware issues.
mike11237
Junior Member with 12 posts.
Join Date: Jul 2009
Experience: Intermediate
06-Jul-2009, 10:41 AM #3
Quote: Originally Posted by sludge3000
You should click on report in the bottom left of your post and ask for this thread to be moved to the malware removal forum where someone can help you with your malware issues.
I did just that. Thanks!


sludge3000
Member with 342 posts.
Join Date: Oct 2008
Location: York, UK
Experience: Intermediate
06-Jul-2009, 11:40 AM #4
It may take a while before someone responds to your post, so please read the IMPORTANT topics at the top of the malware removal forum and post a HJT log for them. Good luck getting your malware removed o/
mike11237
Junior Member with 12 posts.
Join Date: Jul 2009
Experience: Intermediate
07-Jul-2009, 12:10 AM #5
I wish there was some way I could get a HJT log.... the computer stays logged in for about 30 seconds maximum... usually closer to 5, before I get a bsod.
mike11237
Junior Member with 12 posts.
Join Date: Jul 2009
Experience: Intermediate
07-Jul-2009, 04:52 PM #6
Okay, I'm really not sure how I managed to do this... took five tries before it could finish without bsod-ing (time varies with every login), but I managed to get a HJT log by running HJT off a flash drive very quickly -- Again, I don't have time to do ANYTHING else, so I can't fix anything in HJT. Here is the log, posted with my friend's permission:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:44:16 PM, on 7/7/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16850)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\savedump.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\acs.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\System32\avast!Antivirus.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\FsUsbExService.Exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\PSIService.exe
C:\WINDOWS\system32\sopidkc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\Tablet.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\WTablet\TabUserW.exe
C:\WINDOWS\system32\Tablet.exe
C:\WINDOWS\system32\tp4mon.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\Program Files\Lenovo\PkgMgr\HOTKEY\TPONSCR.exe
C:\Program Files\Lenovo\PkgMgr\HOTKEY_1\TpScrex.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\WINDOWS\system32\userinit.exe
F:\HijackThis.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\System32\reader_s.exe
C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe
C:\WINDOWS\system32\dumprep.exe
C:\WINDOWS\system32\ctfmon.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,
O2 - BHO: (no name) - {25ae08dd-bf50-47b4-9c76-4330df06598d} - c:\windows\system32\xcekkjs.dll
O2 - BHO: C:\WINDOWS\system32\gsf83iujid.dll - {d76ab2a1-00f3-42bd-f434-00bbc39c8953} - C:\WINDOWS\system32\gsf83iujid.dll
O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
O3 - Toolbar: Ask Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O3 - Toolbar: Veoh Web Player Video Finder - {0FBB9689-D3D7-4f7a-A2E2-585B10099BFC} - C:\Program Files\Veoh Networks\VeohWebPlayer\VeohIEToolbar.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [TrackPointSrv] tp4mon.exe
O4 - HKLM\..\Run: [PWRMGRTR] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL,PwrMgrBkGndMonitor
O4 - HKLM\..\Run: [BLOG] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\BatLogEx.DLL,StartBattLog
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SsAAD.exe] C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [reader_s] C:\WINDOWS\System32\reader_s.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [e15r_] c:\program files\e15r_mbi\csrss.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [reader_s] C:\Documents and Settings\Administrator\reader_s.exe
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "c:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\npjpi160_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\npjpi160_05.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {dfb852a3-47f8-48c4-a200-58cab36fd2a2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {dfb852a3-47f8-48c4-a200-58cab36fd2a2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/...x/qtplugin.cab
O16 - DPF: {74FFE28D-2378-11D5-990C-006094235084} (IBM Access Support) - http://www-307.ibm.com/pc/support/IbmEgath.cab
O16 - DPF: {76E5AF9D-2B3E-4FEB-A31F-A9E63A27FA29} (IASRunner Class) - https://www-307.ibm.com/pc/support/a...tent/AcpIR.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = PortoLeone.com
O17 - HKLM\Software\..\Telephony: DomainName = PortoLeone.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = PortoLeone.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = PortoLeone.com
O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O20 - AppInit_DLLs: ,C:\Temp\4891375522mxx.dll
O20 - Winlogon Notify: beqdkivr - C:\WINDOWS\SYSTEM32\xcekkjs.dll
O20 - Winlogon Notify: __c00997D8 - C:\WINDOWS\system32\__c00997D8.dat
O22 - SharedTaskScheduler: rtasgvfu76ew8ndkfno94 - {D76AB2A1-00F3-42BD-F434-00BBC39C8953} - C:\WINDOWS\system32\gsf83iujid.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: ACU Configuration Service (acs) - Atheros - C:\WINDOWS\system32\acs.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: avast!Antivirus - Unknown owner - C:\WINDOWS\System32\avast!Antivirus.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Background Intelligent Transfer Service (BITS) - Unknown owner - C:\WINDOWS\
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: ESET Service (ekrn) - Unknown owner - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe (file missing)
O23 - Service: FsUsbExService - Teruten - C:\WINDOWS\system32\FsUsbExService.Exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: sopidkc Service (sopidkc) - NewYork DVD LT - C:\WINDOWS\system32\sopidkc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: Automatic Updates (wuauserv) - Unknown owner - C:\WINDOWS\

--
End of file - 11405 bytes

Last edited by mike11237; 07-Jul-2009 at 11:17 PM..
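Reading the HJT log above by hand, the load points that stand out are the UserInit chain carrying a second executable, a non-empty AppInit_DLLs value, a Winlogon Notify handler backed by a .dat file, a csrss.exe running from Program Files, the same Run value name pointing at two different files, and DLLs registered under more than one load point at once. The Python below is an added example, not code from this thread or from HijackThis: it encodes those eyeball checks as rules over the log text so they can be re-run against any saved log. The rule names are this example's own, and the sample lines embedded in it are copied from the log above (with two legitimate lines kept in for contrast) so that it runs offline.

```python
"""Rule-based triage of a HijackThis (HJT) log.

Added example for this thread; not code from HijackThis or from the forum.
Each rule is one check a malware-removal helper makes by eye when reading a
log. Rule names are this example's own; a hit is a lead to investigate, not
a verdict.
"""
import re
from collections import defaultdict

# Sample lines copied from the log posted above, plus two legitimate lines
# (Google Toolbar, ctfmon) kept in for contrast, so the script runs offline.
SAMPLE_LOG = r"""
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,
O2 - BHO: (no name) - {25ae08dd-bf50-47b4-9c76-4330df06598d} - c:\windows\system32\xcekkjs.dll
O2 - BHO: C:\WINDOWS\system32\gsf83iujid.dll - {d76ab2a1-00f3-42bd-f434-00bbc39c8953} - C:\WINDOWS\system32\gsf83iujid.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [reader_s] C:\WINDOWS\System32\reader_s.exe
O4 - HKCU\..\Run: [e15r_] c:\program files\e15r_mbi\csrss.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [reader_s] C:\Documents and Settings\Administrator\reader_s.exe
O20 - AppInit_DLLs: ,C:\Temp\4891375522mxx.dll
O20 - Winlogon Notify: beqdkivr - C:\WINDOWS\SYSTEM32\xcekkjs.dll
O20 - Winlogon Notify: __c00997D8 - C:\WINDOWS\system32\__c00997D8.dat
O22 - SharedTaskScheduler: rtasgvfu76ew8ndkfno94 - {D76AB2A1-00F3-42BD-F434-00BBC39C8953} - C:\WINDOWS\system32\gsf83iujid.dll
O23 - Service: avast!Antivirus - Unknown owner - C:\WINDOWS\System32\avast!Antivirus.exe
"""

# Processes Windows itself starts from %SystemRoot% or System32; the same
# name running from anywhere else is a masquerade.
WINDOWS_NATIVE = {"csrss.exe", "smss.exe", "winlogon.exe", "services.exe",
                  "lsass.exe", "svchost.exe", "userinit.exe", "explorer.exe"}
RUN_RE = re.compile(r"O4 - (\S+)\\\.\.\\Run: \[([^\]]+)\] (.+)")
PATH_RE = re.compile(r'"?(.+?\.(?:exe|dll|scr|com))', re.I)


def _norm(path):
    return path.strip().strip('"').lower()


def _basename(path):
    return _norm(path).rsplit("\\", 1)[-1]


def triage(log_text):
    """Return a list of (rule, evidence) pairs for the suspicious lines."""
    findings = []
    run_targets = defaultdict(set)  # Run value name -> target paths seen
    load_points = defaultdict(set)  # module basename -> HJT sections registering it
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        tag = line.split(" ", 1)[0]
        if tag == "F2" and "UserInit=" in line:
            # A clean XP box has exactly one entry here: system32\userinit.exe.
            entries = [_norm(e) for e in line.split("UserInit=", 1)[1].split(",") if e.strip()]
            if any(not e.endswith("\\system32\\userinit.exe") for e in entries):
                findings.append(("userinit_chain", line))
        elif tag == "O20" and "AppInit_DLLs:" in line:
            # Empty by default; anything listed is loaded into every process
            # that links user32.dll.
            if line.split("AppInit_DLLs:", 1)[1].replace(",", " ").strip():
                findings.append(("appinit_dll", line))
        elif tag == "O20" and "Winlogon Notify:" in line:
            target = _norm(line.rsplit(" - ", 1)[1])
            load_points[_basename(target)].add("O20")
            if not target.endswith(".dll"):  # Notify packages are DLLs; a .dat is hiding one
                findings.append(("notify_non_dll", line))
        elif tag == "O4":
            m = RUN_RE.match(line)
            if not m:
                continue
            _hive, name, cmd = m.groups()
            pm = PATH_RE.match(cmd)
            path = _norm(pm.group(1)) if pm else _norm(cmd)
            if _basename(path) in WINDOWS_NATIVE and "\\windows\\" not in path:
                findings.append(("native_name_wrong_dir", line))
            if "\\documents and settings\\" in path or "\\temp\\" in path:
                findings.append(("run_from_profile_or_temp", line))
            run_targets[name.lower()].add(path)
        elif tag in ("O2", "O22"):
            target = _norm(line.rsplit(" - ", 1)[1])
            load_points[_basename(target)].add(tag)
            if tag == "O2":
                bho_name = line.split("O2 - BHO: ", 1)[1].split(" - ", 1)[0]
                if bho_name == "(no name)" or re.match(r"[a-z]:\\", bho_name, re.I):
                    findings.append(("bho_unnamed_or_path_named", line))
    for name, paths in run_targets.items():
        if len(paths) > 1:  # same value name under two hives, two different files
            findings.append(("run_name_reused", "%s -> %s" % (name, ", ".join(sorted(paths)))))
    for module, tags in load_points.items():
        if len(tags) > 1:  # one DLL hooked in at several load points
            findings.append(("file_in_multiple_load_points", "%s -> %s" % (module, ", ".join(sorted(tags)))))
    return findings


if __name__ == "__main__":
    for rule, evidence in triage(SAMPLE_LOG):
        print("%-30s %s" % (rule, evidence))
```

Run on the sample, the script flags ten lines and leaves the Google Toolbar, ctfmon and service lines alone; the two cross-reference rules at the end are what a single-line read misses, since xcekkjs.dll is both a BHO and a Winlogon Notify package and gsf83iujid.dll is both a BHO and a SharedTaskScheduler entry.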
mike11237
Junior Member with 12 posts.
Join Date: Jul 2009
Experience: Intermediate
09-Jul-2009, 04:08 PM #7
bump - I could really use some help
mike11237
Junior Member with 12 posts.
Join Date: Jul 2009
Experience: Intermediate
10-Jul-2009, 04:20 PM #8
bump
mike11237
Junior Member with 12 posts.
Join Date: Jul 2009
Experience: Intermediate
11-Jul-2009, 08:48 PM #9
Anyone?
muppy03
Senior Member with 1,881 posts.
Join Date: Jun 2006
Location: Australia
Experience: gettin there
11-Jul-2009, 09:40 PM #10
Hi Mike, sorry but bad news I am afraid.

Your System is infected with Virut!!
Virut is a file-infecting virus which is able to modify itself each and every time it runs. In addition, when it infects, sometimes it will destroy the file it tries to latch onto.
For these reasons, you really can't truly fix Virut. You will need to format/reinstall the operating system on this machine.

More information:
http://free.avg.com/66558
Quote:
There are bugs in the viral code. When the virus produces infected files, it also creates non-functional files that also contain the virus.
http://home.mcafee.com/VirusInfo/Vir...spx?key=143034
Quote:
W32/Virut.h is a polymorphic, entry point obscuring (EPO) file infector with IRC bot functionality. It can accept commands to download other malware on the compromised machine.
It appends to the end of the last section of executable (PE) files an encrypted copy of its code. The decryptor is polymorphic and can be located either:
Immediately before the encrypted code at the end of the last section
At the end of the code section of the infected host in 'slack-space' (assuming there is any)
At the original entry point of the host (overwriting the original host code)
Miekiemoes, an expert in malware removal and an MS-MVP, also has a blog post about Virut.

I suggest you start backing up all of your valuable data/documents/pictures/movies/songs/etc.
Do NOT back up any applications/installers and do NOT back up any .exe/.scr/.htm/.html/.xml/.zip/.rar files.
This is because these files may be infected as well. If you back them up and replace them afterwards, it will infect your computer again.

Read here for instructions on how to format and reinstall Windows:

http://web.mit.edu/ist/products/winx...ll-format.html
__________________
Teacher - Malware Removal University - You too could train to help others

Topics not replied to within 3 days will be removed from my Subscribed Threads List
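The McAfee description quoted above names the places Virut puts its code in an infected PE file: appended to the end of the last section, in the slack space at the end of the code section, or over the original entry point. The following is an added example, not part of this thread and not code from McAfee, AVG or any tool named here: a small PE header parser, standard library only, that reports the structural traces those placements leave (entry point inside the last section, entry point in a section's slack space, last section both writable and executable, bytes appended past the last section). It builds its own minimal PE32 images in memory as constructed test data. On a real file these are indicators to scan further, not proof: packers such as UPX also leave writable+executable sections, and signed binaries and installers carry an overlay after the last section.

```python
"""Structural checks on a PE file for the code placements described above.

Added example for this thread; not code from any vendor or tool named here.
Standard library only. The indicators are hints, not a verdict: packers also
create writable+executable sections, and signed files carry overlays.
"""
import struct
import sys

IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000
SECTION_FMT = "<8sIIIIIIHHI"                                         # IMAGE_SECTION_HEADER, 40 bytes
OPT32_FMT = "<HBB" + "I" * 9 + "H" * 6 + "I" * 4 + "HH" + "I" * 6   # PE32 optional header, 96 bytes


def parse_pe(data):
    """Return (entry_point_rva, [section dicts]) from a PE image held in memory."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ header")
    pe = struct.unpack_from("<I", data, 0x3C)[0]            # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    nsections = struct.unpack_from("<H", data, pe + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe + 20)[0]
    opt = pe + 24
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (0x10B, 0x20B):                         # PE32 / PE32+
        raise ValueError("unknown optional header magic 0x%x" % magic)
    entry = struct.unpack_from("<I", data, opt + 16)[0]     # AddressOfEntryPoint, same offset in both
    sections = []
    for i in range(nsections):
        name, vsize, va, rawsize, rawptr, _r, _l, _nr, _nl, chars = struct.unpack_from(
            SECTION_FMT, data, opt + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"), "vsize": vsize,
                         "va": va, "rawsize": rawsize, "rawptr": rawptr, "chars": chars})
    return entry, sections


def inspect_pe(data):
    """List the structural indicators found; an empty list means none."""
    entry, sections = parse_pe(data)
    if not sections:
        return ["no_sections"]
    findings = []
    last = sections[-1]
    owner = None
    for s in sections:
        if s["va"] <= entry < s["va"] + max(s["vsize"], s["rawsize"]):
            owner = s
            break
    if owner is None:
        findings.append("entry_point_outside_sections")
    else:
        # Entry point in the padding between VirtualSize and the end of the
        # section's raw data: code living in slack space.
        if entry >= owner["va"] + owner["vsize"]:
            findings.append("entry_point_in_section_slack")
        # Linkers put the entry point in the first code section, not the last section.
        if owner is last and len(sections) > 1:
            findings.append("entry_point_in_last_section")
    wx = IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_WRITE
    if last["chars"] & wx == wx:
        findings.append("last_section_writable_executable")
    end_of_sections = last["rawptr"] + last["rawsize"]
    if len(data) > end_of_sections:                         # data appended past the last section
        findings.append("overlay_bytes:%d" % (len(data) - end_of_sections))
    return findings


def build_pe(entry_rva, text_vsize=0x200, data_vsize=0x100, data_chars=0xC0000040, overlay=b""):
    """Construct a minimal two-section PE32 image (constructed test data, not a real binary).
    .text: RVA 0x1000, 0x200 raw bytes at file offset 0x200, code|execute|read.
    .data: RVA 0x2000, 0x400 raw bytes at file offset 0x400, flags from data_chars."""
    sections = [(b".text", text_vsize, 0x1000, 0x200, 0x200, 0x60000020),
                (b".data", data_vsize, 0x2000, 0x400, 0x400, data_chars)]
    opt = struct.pack(OPT32_FMT, 0x10B, 14, 0, 0x200, 0x400, 0, entry_rva, 0x1000, 0x2000,
                      0x400000, 0x1000, 0x200, 4, 0, 0, 0, 4, 0, 0, 0x3000, 0x200, 0,
                      2, 0, 0x100000, 0x1000, 0x100000, 0x1000, 0, 16) + b"\0" * 128  # 16 empty data dirs
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, len(opt), 0x0102)
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)     # e_lfanew = 0x40
    headers = dos + b"PE\0\0" + coff + opt
    for name, vsize, va, rawsize, rawptr, chars in sections:
        headers += struct.pack(SECTION_FMT, name, vsize, va, rawsize, rawptr, 0, 0, 0, 0, chars)
    headers = headers.ljust(0x200, b"\0")
    return headers + b"\xC3" * 0x200 + b"\0" * 0x400 + overlay


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            print(inspect_pe(fh.read()))
    else:
        print("clean:    ", inspect_pe(build_pe(0x1000)))
        print("appended: ", inspect_pe(build_pe(0x2300, data_vsize=0x380, data_chars=0xE0000040)))
        print("slack EPO:", inspect_pe(build_pe(0x1180, text_vsize=0x150)))
        print("overlay:  ", inspect_pe(build_pe(0x1000, overlay=b"\x90" * 64)))
```

Run with a file path it inspects that file; run without arguments it exercises the four constructed images. The "appended" image models the first placement (entry point moved into a last section that has been made writable and executable), the "slack EPO" image the second (entry point past VirtualSize but inside the section's raw data). A check like this is a triage aid for sorting a backup before restoring it, not a substitute for scanning each file, which is the advice given above.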
mike11237
Junior Member with 12 posts.
Join Date: Jul 2009
Experience: Intermediate
11-Jul-2009, 10:49 PM #11
Thanks for the reply... that's a real bummer. Virut, huh? Would it be all right to back up all of the docs/pics/movies/songs by removing the HDD and connecting it to an OS X machine? I don't think it would be vulnerable to Virut, am I correct? Again, thanks for the help.
muppy03
Senior Member with 1,881 posts.
Join Date: Jun 2006
Location: Australia
Experience: gettin there
11-Jul-2009, 11:00 PM #12
Virut is highly infectious; I personally would not put the HD in any other machine. Also, when you do finally put anything back on the machine once it is formatted, make sure you scan each and every item.

Sorry I cannot help you clean.
mike11237
Junior Member with 12 posts.
Join Date: Jul 2009
Experience: Intermediate
11-Jul-2009, 11:14 PM #13
Wait, so you're saying Virut can spread to a machine it cannot execute on? I used a memory stick to run HJT on the infected machine and then analyzed the log on my Macbook Pro...

So basically there is no way to back up these files since I can't boot, correct?

Edit: The only file that is really important that I recover for my friend is a Word document. Would that be safe to transfer onto a memory stick if I'm able to?

Last edited by mike11237; 12-Jul-2009 at 12:16 AM..
muppy03
Senior Member with 1,881 posts.
Join Date: Jun 2006
Location: Australia
Experience: gettin there
12-Jul-2009, 04:43 AM #14
Hi Mike, sorry for the delay, I just wanted to check with those who know more about OSes than I do.

The consensus is that it would be safe to back up all of the docs/pics/movies/songs by removing the HDD and connecting it to an OS X machine. Just do not launch any infected files.
That should be safe whether the computer is a PC or a Mac. The files will not execute simply by having the HD slaved to another machine. However, there is a possibility that the Mac may not read the PC's HD.

Just remember: do NOT back up any applications/installers and do NOT back up any .exe/.scr/.htm/.html/.xml/.zip/.rar files.
This is because these files may be infected as well. If you back them up and replace them afterwards, it will infect your computer again.

I hope this helps, good luck

Last edited by muppy03; 12-Jul-2009 at 04:56 AM..
mike11237
Junior Member with 12 posts.
Join Date: Jul 2009
Experience: Intermediate
12-Jul-2009, 03:33 PM #15
Okay, so just to clarify:

1. The virus cannot embed itself in Word documents, correct? Also, what are the chances that in the five hours my friend had this virus, a document would have been uploaded to the hacker? My friend is a bit concerned about this as he had some private info in a Word document.

2. By connecting the HDD as a slave drive to another machine, Virut will not automatically proliferate to files such as .html and .xml files on a Mac?

3. The virus would probably not spread to other machines connected to the same access point?

Thank you SO much for your help; I really appreciate it.