Severe xp virus infection

computerdoc

The machine has XP Home SP3 on it.

When you try to login to the administrator account, it says unable to log you in because of an account restriction.

I installed malwarebytes and it finds lots of malware. When it finished the scan and I click ok to look at the log, the program terminates.

I can't get into safe mode. It hangs on mup.sys for a while and then it goes into chkdsk, which fails and causes an infinite loop. I get out of it by hitting F8 and booting into the last known good configuration.

Ctrl Alt Del doesn't work. I can't get to task manager. I don't have access to an administrative account.

I tried to install reimage and the install gets killed.

I booted to an xp pro sp2 cd and installed xp pro into a winfix directory. I ran malwarebytes from there on the entire disk and it cleaned out some stuff but did not resolve the problem.

How can I get rid of the malware from the safe xp pro login using it against the original windows login?

How can I get administrative rights?

A HijackThis log follows:

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 8:01:37 AM, on 6/23/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Visioneer\OneTouch 4.0\OtService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WLService.exe
C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WUSB54GC.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\Program Files\McAfee Security Scan\2.0.181\SSScheduler.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\User 1\Desktop\dfdf.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=1070323
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=1070323
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:1036
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Search Toolbar - {9D425283-D487-4337-BAB6-AB8354A81457} - C:\Program Files\Search Toolbar\SearchToolbar.dll
O2 - BHO: Verizon SMB Toolbar - {A057A204-BACC-4D26-DFC4-79A09BF76BC9} - C:\PROGRA~1\vzsmbtb\vzsmbtb.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.5.4723.1820\swg.dll
O2 - BHO: CBrowserHelperObject Object - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll
O2 - BHO: Radio-ISR Toolbar - {d0351f40-d0b6-4290-972f-9dcaff00aaab} - C:\Program Files\Radio-ISR\tbRad1.dll (file missing)
O2 - BHO: ISR Toolbar - {f9b71757-a493-4c57-b0ed-ded4280f7ffc} - C:\Program Files\ISR\tbIS1.dll (file missing)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: ISR Toolbar - {f9b71757-a493-4c57-b0ed-ded4280f7ffc} - C:\Program Files\ISR\tbIS1.dll (file missing)
O3 - Toolbar: (no name) - {4E7BD74F-2B8D-469E-D0FC-E57AF4D5FA7D} - (no file)
O3 - Toolbar: Radio-ISR Toolbar - {d0351f40-d0b6-4290-972f-9dcaff00aaab} - C:\Program Files\Radio-ISR\tbRad1.dll (file missing)
O3 - Toolbar: Verizon SMB Toolbar - {A057A204-BACC-4D26-DFC4-79A09BF76BC9} - C:\PROGRA~1\vzsmbtb\vzsmbtb.dll
O3 - Toolbar: (no name) - {90B8B761-DF2B-48AC-BBE0-BCC03A819B3B} - (no file)
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O3 - Toolbar: Search Toolbar - {9D425283-D487-4337-BAB6-AB8354A81457} - C:\Program Files\Search Toolbar\SearchToolbar.dll
O3 - Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"
O4 - HKLM\..\Run: [rmlosnjcqnjaom] c:\documents and settings\user 1\local settings\application data\uyywii\iuurjtf.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (rootkit-scan)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [rmlosnjcqnjaom] c:\documents and settings\user 1\local settings\application data\uyywii\iuurjtf.exe
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Default user')
O4 - Global Startup: McAfee Security Scan Plus.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://activatemydsl.verizon.net/sdcCommon/download/DSL/tgctlcm.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O16 - DPF: {8BC53B30-32E4-4ED3-BEF9-DB761DB77453} (CInstallLPCtrl Object) - http://u3.sandisk.com/download/apps/LPInstaller.CAB
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\RaMaint.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe
O23 - Service: McAfee Security Scan Component Host Service (McComponentHostService) - McAfee, Inc. - C:\Program Files\McAfee Security Scan\2.0.181\McCHSvc.exe
O23 - Service: Pure Networks Platform Service (nmservice) - Cisco Systems, Inc. - C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
O23 - Service: Netgear Wireless Domain Login Service (NWDLS) - Unknown owner - C:\WINDOWS\system32\NWDLS.exe (file missing)
O23 - Service: OneTouch 4.0 Monitor - Visioneer Inc. - C:\Program Files\Visioneer\OneTouch 4.0\OtService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Sprint RcAppSvc (SprintRcAppSvc) - PCTEL - C:\Program Files\Sprint\Sprint SmartView\RcAppSvc.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
O23 - Service: WUSB54GCSVC - GEMTEKS - C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WLService.exe

--
End of file - 9863 bytes
 
You need to work on your skills. Malwarebytes should not be your only line of defense. You should also learn about things like ubcd4win.

Learn how to use this site http://www.hijackthis.de
it will help you decipher the hijackthis log if you don't know how to read it yourself.
 
Wow, you need to learn to be able to manually remove malware entries before you start charging customers for this stuff. Do you know how to read and interpret the HijackThis log? There's a very obvious infection showing up in there.

Do you know what this running process is?

C:\Documents and Settings\User 1\Desktop\dfdf.exe

and you definitely need to clean up this baby, it couldn't be more obvious even if it had red flashing lights and a siren:

O4 - HKCU\..\Run: [rmlosnjcqnjaom] c:\documents and settings\user 1\local settings\application data\uyywii\iuurjtf.exe

TBH that laptop looks like it could do with a more experienced pair of hands, it needs a bit of a clean-up besides the virus infection.
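As an added example (not from this thread or any poster), here is a small Python triage script that applies the same heuristics the reply above uses when reading a HijackThis log: a random-looking autostart name, an executable launched from a user-profile data directory, a browser proxy pointing at 127.0.0.1, and orphaned "(file missing)" entries. The sample lines are copied from the log posted earlier in the thread; the thresholds and wording of the reasons are assumptions.

```python
import re

# Constructed sample: lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:1036
O2 - BHO: Radio-ISR Toolbar - {d0351f40-d0b6-4290-972f-9dcaff00aaab} - C:\Program Files\Radio-ISR\tbRad1.dll (file missing)
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [rmlosnjcqnjaom] c:\documents and settings\user 1\local settings\application data\uyywii\iuurjtf.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
""".strip()

# Autostart names that are a long run of lowercase letters with no dot or
# vendor-style capitalisation are typical of auto-generated malware names (assumed threshold: 10+).
RANDOM_NAME = re.compile(r"^[a-z]{10,}$")
# Profile directories that legitimate autostart executables rarely live in.
USER_DATA_DIRS = (r"\local settings\application data", r"\application data", r"\local settings\temp")
RUN_ENTRY = re.compile(r"^O4 - .*\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")

def classify(line: str):
    """Return a short reason if the HijackThis line deserves attention, else None."""
    if line.startswith("R1") and "ProxyServer" in line and "127.0.0.1" in line:
        return "local proxy configured: browser traffic is routed through a process on this machine"
    if line.endswith("(file missing)") or line.endswith("(no file)"):
        return "orphaned entry: registered component no longer exists, safe to remove"
    m = RUN_ENTRY.match(line)
    if m:
        name, cmd = m.group("name"), m.group("cmd").lower()
        if RANDOM_NAME.match(name):
            return "autostart with random-looking name"
        if any(d in cmd for d in USER_DATA_DIRS):
            return "autostart launching from a user-profile data directory"
    if line.startswith("O10"):
        return "Winsock LSP not recognised: verify the DLL's publisher before touching it"
    return None

def triage(log_text: str):
    """Return [(section, reason)] for every flagged line, in log order."""
    findings = []
    for line in log_text.splitlines():
        reason = classify(line)
        if reason:
            findings.append((line.split(" - ", 1)[0], reason))
    return findings

if __name__ == "__main__":
    for section, reason in triage(SAMPLE_LOG):
        print(f"{section}: {reason}")
```

The O10 hit is a "verify" item rather than a verdict: an LSP the tool does not recognise is not proof of infection, only a reason to check who signed the DLL.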
 
dfdf.exe is my rename of the hijack this log so that the malware should not prevent it from running.

I want to get rid of the virus infection before I attempt any other cleanup.

I will delete that other rogue program.
 
Re:

In case of extreme infections, I would just pave and nuke. I love it when a computer is disinfected, but you never know of any other dormant issues that might come up. I would hate to have the customer call me back because some application is not working or that suddenly he/she gets some file error.
Your call!
 
What's to be learned by quickly PAVING & NUKING. This computer has very obvious signs the compudoc needs to be able to see and clean away quickly. He obviously needs to practice. Clean out the infection as best you can, if you are not confident you got all of it then blow it away. At least you will have learned something. BTW, make an image b4 doing anything else.
 
I used ComboFix and followed with Malwarebytes. ComboFix did the heavy lifting and Malwarebytes cleaned a few residuals but now it's working fine.

Thanks to all.
 
...and you did? So it wasn't really that severe then, and no need for a pave and nuke.

Edit: added one-click-fix for all your short forum message replies.
 
I did encounter a number of problems and made some errors along the way.

Malwarebytes failed and I couldn't get into safe mode so I tried installing a clean version of the operating system which had to do a full chkdsk to work. Ran malwarebytes from there on the entire system and it didn't work.


A local tech told me about ComboFix and I went to bleepingcomputer.com to learn more about it. It can be scary so I tried some of bleepingcomputer's process reporting and rootkit finding (there were many) software first.

I guess the more experienced people here would have done this up front but the bottom line was really ComboFix and Malwarebytes.
 
So you're not really a Doctor, more a nursing assistant? A Doctor will diagnose, you randomly applied drugs.

Let's hope the patient survives. :rolleyes:
 
That's great that you managed to remove it. I would however suggest that you virtualize a Windows operating system with either VirtualBox or Virtual PC and infect the system (you can find sites such as http://www.malwareurl.com/ to infect your PC). This way you can learn to do manual removals, and learn to use the various tools correctly in a safe and contained environment before offering this service to your customers.

Good luck.
 

Excellent advice.
I need some virus removal practice.
 
You need a machine you can practice with removing these things. You should learn how to stop the many and varied executables these things employ, and be able to manually remove them. You'll find the cleanups go much quicker and are much more thorough. Then you can run your scanners to be on the safe side.


Sorry TLE. I missed your post. Do what TLE said.
 
+ 2 for Rkill
If you still can't do anything, even in safe mode, try Bit Defender's rescue CD. I recently tested it along with several others and it's my fav because it's free, it automatically updates, and it finds more viruses than the other free boot CD's out there.
 