
Being held hostage..

Discussion in 'Virus & Other Malware Removal' started by GOTJACKED, Apr 23, 2010.

  1. GOTJACKED

    GOTJACKED Thread Starter

    Joined:
    Apr 22, 2010
    Messages:
    2
    After a couple of weeks of fighting a particularly malicious virus, it's clear I
    can't win this on my own. Too time consuming... too frustrating... one step forward,
    two steps back... help please.
    My problem is self-inflicted and began when I downloaded a piece of freeware.
    I was suspicious when it offered bonus programs (all of which I declined), but I did click
    that final "accept" button... then the problems began. Less than 5 minutes later, in the
    early hours of 4-6-10, I began receiving alerts from a program calling itself "XP Defender Pro"
    or something of that nature and displaying a shield much like Windows Security. It started
    auto-scanning my laptop, of course discovering numerous trojans etc. and urging me to
    purchase the "authorized version" of their ransomware.
    I instead purchased two Avanquest products (retail) but have since realized that a post-virus
    installation may have rendered them ineffective... if they would have worked at all. They did ID some
    of the problems as a Virut and Virut a/b, among other trojan downloaders and false security ware.
    PereSvc.exe and RUNDLL.EXE also came up in the scans. The purchased software claimed to have
    identified, quarantined and removed the problems but in fact, I believe, caused other issues.

    The current state of my system includes the following problems:

    1 - The key features of my Control Panel are non-functional, including Add/Remove Programs, Windows
    Firewall, System Restore and Task Manager.
    2 - My browsers (I have 2: Firefox and IE7) both redirect away from Microsoft, Windows Update, and
    most antispyware or antimalware sites. IE7 (default) seems particularly bad and seems to reinfect the system.
    3 - I cannot boot Safe Mode of any form; it flashes a blue screen after driver load and returns to the
    menu screen.
    4 - I do not have the original Windows disk ("XP Home Edition"); not sure it was included with this Gateway
    laptop MX6027. I do believe there was a Recovery Console included with the installation itself.
    5 - My command window is inaccessible.

    I hope this is enough information to point you in the right direction, and thank you in advance
    for any and all help... sincerely... GOTJACKED

    My HJT log follows...

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 6:59:54 PM, on 4/22/2010
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16981)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\SYSTEM32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\svchost.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\WINDOWS\Explorer.exe
    C:\WINDOWS\system32\svchost.exe
    C:\PROGRA~1\AVANQU~1\DoubleAS\MXTask.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\AntiVirus\SBAMSvc.exe
    C:\PROGRA~1\AVANQU~1\DoubleAS\mxtask2.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Documents and Settings\Owner\Application Data\Microsoft\Internet Explorer\novavappu.exe
    C:\Documents and Settings\Owner\Application Data\Microsoft\Internet Explorer\novavappk.exe
    C:\WINDOWS\System32\6115139.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
    C:\WINDOWS\system32\wbem\wmiprvse.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5555
    F2 - REG:system.ini: Shell=Explorer.exe rundll32.exe awxm.vho rlvgf
    O1 - Hosts: 91.212.65.122 knocker
    O1 - Hosts: 91.212.65.122 knocker
    O1 - Hosts: 74.125.45.100 4-open-davinci.com
    O1 - Hosts: 74.125.45.100 securitysoftwarepayments.com
    O1 - Hosts: 74.125.45.100 privatesecuredpayments.com
    O1 - Hosts: 74.125.45.100 secure.privatesecuredpayments.com
    O1 - Hosts: 74.125.45.100 getantivirusplusnow.com
    O1 - Hosts: 74.125.45.100 secure-plus-payments.com
    O1 - Hosts: 74.125.45.100 www.getantivirusplusnow.com
    O1 - Hosts: 74.125.45.100 www.secure-plus-payments.com
    O1 - Hosts: 74.125.45.100 www.getavplusnow.com
    O1 - Hosts: 74.125.45.100 safebrowsing-cache.google.com
    O1 - Hosts: 74.125.45.100 urs.microsoft.com
    O1 - Hosts: 74.125.45.100 www.securesoftwarebill.com
    O1 - Hosts: 74.125.45.100 secure.paysecuresystem.com
    O1 - Hosts: 74.125.45.100 paysoftbillsolution.com
    O1 - Hosts: 74.125.45.100 protected.maxisoftwaremart.com
    O2 - BHO: (no name) - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - (no file)
    O2 - BHO: ADC PlugIn - {77DC0Baa-3235-4ba9-8BE8-aa9EB678FA02} - C:\Program Files\adc32.dll (file missing)
    O2 - BHO: (no name) - {86b45f9a-d4cc-414b-82ee-3a6b48a043eb} - vinomisu.dll (file missing)
    O2 - BHO: Browser Helper Object - {AFD4AD01-58C1-47DB-A404-FBE00A6C5486} - C:\Program Files\Shared\lib.dll
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [jenonipuvo] Rundll32.exe "dapotado.dll",s
    O4 - HKLM\..\Run: [rywwtq] RUNDLL32.EXE C:\WINDOWS\system32\msnvkrmf.dll,w
    O4 - HKLM\..\Run: [gbuekc] RUNDLL32.EXE C:\WINDOWS\system32\mslgqlaj.dll,w
    O4 - HKLM\..\Run: [higivarir] Rundll32.exe "c:\windows\system32\siveraja.dll",a
    O4 - HKLM\..\Run: [Adobe_Reader] c:\program files\internet explorer\wmpscfgs.exe
    O4 - HKCU\..\Run: [notepad] rundll32.exe C:\DOCUME~1\NETWOR~1\ntload.dll,[email protected]
    O4 - HKUS\S-1-5-18\..\RunOnce: [Shockwave Updater] C:\WINDOWS\system32\Macromed\SHOCKW~1\SWHELP~1.EXE -Update -1020023 -9871.exe3.2 (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\RunOnce: [Shockwave Updater] C:\WINDOWS\system32\Macromed\SHOCKW~1\SWHELP~1.EXE -Update -1020023 -9871.exe3.2 (User 'Default user')
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
    O16 - DPF: {2EDF75C0-5ABD-49f9-BAB6-220476A32034} (System Requirements Lab) - http://intel-drv-cdn.systemrequirementslab.com/multi/bin/sysreqlab_srlx.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1261606314321
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1261606288133
    O17 - HKLM\System\CCS\Services\Tcpip\..\{70EF0770-D802-45DB-B4EB-8A853341F3D6}: NameServer = 83.149.115.157,4.2.2.1,68.105.28.12 68.105.29.12 68.105.28.11
    O18 - Filter hijack: text/html - {fa4fb9c8-c79d-4d26-b79d-a0dc71eeb0c0} - C:\WINDOWS\default32.dll
    O20 - AppInit_DLLs: app_dll.dll nomifeyi.dll c:\windows\system32\siveraja.dll
    O20 - Winlogon Notify: novavappk - C:\Documents and Settings\Owner\Application Data\Microsoft\Internet Explorer\novavappk.dll
    O20 - Winlogon Notify: novavappu - C:\Documents and Settings\Owner\Application Data\Microsoft\Internet Explorer\novavappu.dll
    O21 - SSODL: fupefakub - {6b9f4f30-2435-4571-ba06-8bd74bb99067} - c:\windows\system32\polapoho.dll (file missing)
    O21 - SSODL: nizusatup - {abcf19d5-39e2-4f0e-a88d-cd70d5aca7b1} - c:\windows\system32\polapoho.dll (file missing)
    O21 - SSODL: viyonepil - {0648b8b2-38e6-4e21-a564-025b1ce09c9d} - c:\windows\system32\polapoho.dll (file missing)
    O21 - SSODL: sepimalal - {13d837d3-51f3-40b8-b267-c1eb1e7b3f0d} - c:\windows\system32\siveraja.dll
    O22 - SharedTaskScheduler: hasiufhiusdfjdhfudd - {A9BA40A1-74F1-52BD-F431-00B15A2C8953} - (no file)
    O22 - SharedTaskScheduler: kupuhivus - {6b9f4f30-2435-4571-ba06-8bd74bb99067} - c:\windows\system32\polapoho.dll (file missing)
    O22 - SharedTaskScheduler: gahurihor - {abcf19d5-39e2-4f0e-a88d-cd70d5aca7b1} - c:\windows\system32\polapoho.dll (file missing)
    O22 - SharedTaskScheduler: gahurihor - {0648b8b2-38e6-4e21-a564-025b1ce09c9d} - c:\windows\system32\polapoho.dll (file missing)
    O22 - SharedTaskScheduler: mujuzedij - {13d837d3-51f3-40b8-b267-c1eb1e7b3f0d} - c:\windows\system32\siveraja.dll
    O23 - Service: Adobe Update Service (AdbUpd) - Unknown owner - C:\Program Files\svchost.exe
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
    O23 - Service: Double Anti-Spy Task Manager - Avanquest Software - C:\PROGRA~1\AVANQU~1\DoubleAS\MXTask.exe
    O23 - Service: Fix-It Task Manager - Avanquest Software - C:\PROGRA~1\AVANQU~1\Fix-It\mxtask.exe
    O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: PrismXL - Unknown owner - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS (file missing)
    O23 - Service: Fix-It (SBAMSvc) - Sunbelt Software - C:\Program Files\Common Files\AntiVirus\SBAMSvc.exe

    --
    End of file - 8529 bytes
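The log above is a fairly complete catalogue of rogue-AV persistence: a hosts file pointing security and update domains at a foreign address, a browser proxy forced to 127.0.0.1:5555, an extra command appended to the system.ini Shell, rundll32 autoruns loading unqualified DLLs, AppInit_DLLs and Winlogon Notify entries, and a second svchost.exe under Program Files. The following Python script is an added example (not part of this thread and not HijackThis code): it parses HJT-style lines and flags those indicators so the same triage can be repeated on another log. The embedded sample lines are copied from the log posted above; the rule set and the directory lists are this example's own assumptions, not HijackThis's.

```python
"""Triage rules for a HijackThis (HJT) log.

Added example, not part of the thread above or of HijackThis itself. It
parses HJT-style lines and flags the persistence and network-hijack
indicators an analyst would check first. The rule set is this example's own.
"""
import re

# Where the real svchost.exe lives on XP (assumption of this example).
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")
# Per-user writable locations where no service, logon-notify or autorun binary belongs.
PROFILE_MARKERS = ("documents and settings", "application data", "docume~1")


def _norm(path):
    return path.strip().strip('"').replace(" (file missing)", "").lower()


def check_hosts(entry):
    # O1 - Hosts: <ip> <name>. HJT lists only non-default lines, so any name
    # pointed at a non-loopback address means the hosts file was tampered with.
    ip, _, name = entry.partition(" ")
    return None if ip in ("127.0.0.1", "::1") else f"hosts-file redirect: {name} -> {ip}"


def check_proxy(value):
    # R1 ProxyServer = http=127.0.0.1:<port>: every browser request is routed
    # through a listener on the box itself (traffic interception).
    return f"browser proxy forced through local listener: {value}" \
        if re.search(r"127\.0\.0\.1:\d+", value) else None


def check_shell(value):
    # F2 - REG:system.ini: Shell=... Anything beyond Explorer.exe is an extra
    # program started together with the desktop.
    return None if _norm(value) == "explorer.exe" else f"Winlogon Shell carries extra command: {value}"


def check_run(command):
    # O4 autoruns: rundll32 loading a DLL from a profile directory or by bare name.
    cmd = _norm(command)
    if "rundll32" not in cmd:
        return None
    if any(m in cmd for m in PROFILE_MARKERS):
        return f"rundll32 autorun from user profile: {command}"
    if not re.search(r"[a-z]:\\", cmd):
        return f"rundll32 autorun with unqualified DLL: {command}"
    return None


def check_binary(path):
    # Running processes, O20 Winlogon Notify DLLs and O23 service binaries.
    p = _norm(path)
    if p.endswith("\\svchost.exe") and not p.startswith(SYSTEM_DIRS):
        return f"svchost.exe outside System32: {path}"
    if p.endswith((".exe", ".dll")) and any(m in p for m in PROFILE_MARKERS):
        return f"binary in user profile: {path}"
    return None


def triage(log_text):
    """Return (section, finding) pairs for every line that trips a rule."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = re.match(r"(R[01]|F2|O\d+) - (.*)", line)
        if not m:
            if re.match(r"[a-z]:\\", line, re.I):  # bare path under "Running processes:"
                f = check_binary(line)
                if f:
                    findings.append(("process", f))
            continue
        sect, body = m.groups()
        f = None
        if sect == "O1" and body.startswith("Hosts: "):
            f = check_hosts(body[len("Hosts: "):])
        elif sect == "R1" and "ProxyServer" in body:
            f = check_proxy(body.split("=", 1)[1].strip())
        elif sect == "F2" and "Shell=" in body:
            f = check_shell(body.split("Shell=", 1)[1])
        elif sect == "O4" and "] " in body:
            f = check_run(body.split("] ", 1)[1])
        elif sect == "O20" and body.startswith("AppInit_DLLs:"):
            f = "AppInit_DLLs injects into every process: " + body.split(":", 1)[1].strip()
        elif sect in ("O20", "O23") and " - " in body:
            f = check_binary(body.rsplit(" - ", 1)[1])
        if f:
            findings.append((sect, f))
    return findings


# Sample input: lines copied from the HJT log posted in this thread.
SAMPLE_LOG = r"""
C:\WINDOWS\system32\svchost.exe
C:\Program Files\svchost.exe
C:\Documents and Settings\Owner\Application Data\Microsoft\Internet Explorer\novavappu.exe
C:\WINDOWS\Explorer.exe
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5555
F2 - REG:system.ini: Shell=Explorer.exe rundll32.exe awxm.vho rlvgf
O1 - Hosts: 74.125.45.100 safebrowsing-cache.google.com
O1 - Hosts: 74.125.45.100 urs.microsoft.com
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [jenonipuvo] Rundll32.exe "dapotado.dll",s
O20 - AppInit_DLLs: app_dll.dll nomifeyi.dll c:\windows\system32\siveraja.dll
O20 - Winlogon Notify: novavappk - C:\Documents and Settings\Owner\Application Data\Microsoft\Internet Explorer\novavappk.dll
O23 - Service: Adobe Update Service (AdbUpd) - Unknown owner - C:\Program Files\svchost.exe
O23 - Service: Fix-It (SBAMSvc) - Sunbelt Software - C:\Program Files\Common Files\AntiVirus\SBAMSvc.exe
"""

if __name__ == "__main__":
    for sect, finding in triage(SAMPLE_LOG):
        print(f"[{sect}] {finding}")
```

Run against the sample it reports ten findings; the legitimate System32 svchost.exe, Explorer.exe, the KernelFaultCheck autorun and the Sunbelt service pass untouched. The rules deliberately stay conservative (a fully qualified rundll32 DLL in System32 is not flagged on path alone), so the output is a starting point for analyst review rather than a verdict.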
     
  2. NeonFx

    NeonFx Malware Specialist

    Joined:
    Oct 22, 2008
    Messages:
    4,811
    Hi there, welcome to the TSG Forums.


    Virut is a polymorphic file infector. Almost immediately after it gets on a machine, it infects all the exe files, including essential system files and the tools we use, as we use them.

    This link might be of interest to you.

    mekiemoes blog about file infectors

    I don't like to have to tell you this, but it would be irresponsible of me or anyone else to attempt to help you clean a machine with this infection. The real fact is that trying to cure it will not work and will endanger other machines connected to the net. Not only that, but in time, a reasonably short time, your machine is likely to become unbootable. This happens as the infection progresses.

    The latest version of Virut infects virtually all files, so backup is risky. Files ending in extensions .exe/.scr/.htm/.html/.xml/.zip/.rar/.doc/.jpg/.pdf have all been found to be infected and there may be others. If you back them up and replace them afterwards, it will infect your computer again.

    The only solution for your computer is a complete wipe of the hard drive i.e. re-format followed by re-installation.

    Go to WindowsXP Clean Install for instructions on how to format and reinstall Windows.
     
  3. GOTJACKED

    GOTJACKED Thread Starter

    Joined:
    Apr 22, 2010
    Messages:
    2
    Thanks Neon... I will heed your advice... my main regret is that the responsible parties, i.e. the malware creators and their ilk, seem to skate away from what is likely massive monetary damages on a WWW
    basis... anyway, take care and keep fighting the good fight... (no further posts) Gotjacked
     
  4. NeonFx

    NeonFx Malware Specialist

    Joined:
    Oct 22, 2008
    Messages:
    4,811
    You're welcome. Again, I'm sorry about the bad news.

    I wish you good luck :)
     
Short URL to this thread: https://techguy.org/918835