Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

a variety of probs including rootkit

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

a variety of probs including rootkit

Unread postby ~Kira » March 27th, 2009, 3:05 pm

I have a variety of problems on my system, and have run several AV scanners and gotten rid of a few things here and there, but one problem seems to persist. It started when I noticed a file called reader_s.exe running and it came back after deletion. After running scanners yesterday and last night I noticed a file called reader_s.ex_ in either my system32 folder or docs&settings\owner\ folder and deleted it. SDFix will not run as it says not enough room on disk (after first run and reboot to normal mode).

I've blocked ports and the traffic has gone down but still my zonealarm goes crazy telling me that win32 generic host for windows asks permission to run (I can't get online with out it), but do I need 25 svchosts running at once? I've always had a lot. Then I notice it asks for new programs wanting to "connect to the internet" like something that wouldn't normally want to, and it says "This program has changed since the last time it ran."

Also I've found lots of instances of Internet Explorer running and I terminate them. I uninstalled IE so I don't know where it came from other than I guess uninstalling doesn't actually delete the files. Thanks Microsoft! So I finally renamed it to something else (exe2 or something) and it's stopped running.

The final item that alerted me that I still have a bug is that when I replied to an email in Outlook and a iframe was there in my sig with the url http://jL.chura.pl/rc/ in it. Obviously not good. :(

Any help would be much appreciated! I found this forum by searching for the above url found in the iframe. I suspect this is a recent outbreak of something and I want it gone!

----------------------------------------------------------------------

Here's my HT log

Logfile of HijackThis v1.99.1
Scan saved at 2:42:22 PM, on 3/27/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\Program Files\Norman\Npm\Bin\Elogsvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Norman\Npm\Bin\Zanda.exe
C:\Program Files\Norman\npm\bin\nvoy.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Symantec\Norton Ghost\Agent\PQV2iSvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\zHotkey.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Lexmark 1200 Series\lxczbmgr.exe
C:\Program Files\Symantec\Norton Ghost\Agent\GhostTray.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Lexmark 1200 Series\lxczbmon.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Lavasoft\Ad-Aware SE Plus\Ad-Watch.exe
C:\Program Files\Spybot - Search & Destroy2\TeaTimer.exe
C:\Program Files\Norman\Npm\Bin\Nvcsched.exe
C:\Program Files\Norman\Npm\Bin\Njeeves.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Norman\Nvc\Bin\nvcoas.exe
C:\Program Files\Skype\Skype.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Sophos\Sophos Anti-Rootkit\sargui.exe
C:\Program Files\MailWasher Pro\MailWasher.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\hijackthis\h32.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\jjqllh.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://emachines.com/
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O3 - Toolbar: Freecorder Toolbar - {1392b8d2-5c05-419f-a8f6-b9f15a596612} - C:\Program Files\Freecorder\tbFre1.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
O4 - HKLM\..\Run: [msci] C:\DOCUME~1\Owner\LOCALS~1\Temp\200573194816_mcinfo.exe /insfin
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\Program Files\AIM\\DeadAIM.ocm",ExportedCheckODLs
O4 - HKLM\..\Run: [Lexmark 1200 Series] "C:\Program Files\Lexmark 1200 Series\lxczbmgr.exe"
O4 - HKLM\..\Run: [Norton Ghost 9.0] C:\Program Files\Symantec\Norton Ghost\Agent\GhostTray.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [OSSelectorReinstall] C:\Program Files\Common Files\Acronis\Acronis Disk Director\oss_reinstall.exe
O4 - HKLM\..\Run: [SDFix] C:\SDFix\RunThis.bat /second
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [AWMON] "C:\Program Files\Lavasoft\Ad-Aware SE Plus\Ad-Watch.exe"
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy2\TeaTimer.exe
O4 - Startup: MailWasher Pro.lnk = C:\Program Files\MailWasher Pro\MailWasher.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\AdobeOLD\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~2\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~2\SDHelper.dll
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O15 - Trusted Zone: http://www.free-codecs.com
O15 - Trusted Zone: profile.myspace.com
O15 - Trusted Zone: http://profile.myspace.com
O15 - Trusted Zone: http://profileedit.myspace.com
O15 - Trusted Zone: http://*.myspace.com
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: CSIScanner - Unknown owner - C:\Program Files\Prevx\prevx.exe" /service (file missing)
O23 - Service: Norman eLogger service 6 (eLoggerSvc6) - Norman ASA - C:\Program Files\Norman\Npm\Bin\Elogsvc.exe
O23 - Service: Flash Communication Server (FlashCom) - Macromedia, Inc. - C:\Program Files\Macromedia\Flash Communication Server MX\FlashCom.exe
O23 - Service: Flash Communication Admin Service (FlashComAdmin) - Macromedia, Inc. - C:\Program Files\Macromedia\Flash Communication Server MX\FlashComAdmin.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Unknown owner - C:\Program Files\Java\jre6\bin\jqs.exe" -service -config "C:\Program Files\Java\jre6\lib\deploy\jqs\jqs.conf (file missing)
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Unknown owner - C:\WINDOWS\system32\drivers\KodakCCS.exe (file missing)
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Norman API-hooking helper (NipSvc) - Unknown owner - C:\Program Files\Norman\Nvc\BIN\nipsvc.exe (file missing)
O23 - Service: Norman NJeeves - Norman ASA - C:\Program Files\Norman\Npm\Bin\Njeeves.exe
O23 - Service: Norman ZANDA - Norman ASA - C:\Program Files\Norman\Npm\Bin\Zanda.exe
O23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\Symantec\Norton Ghost\Agent\PQV2iSvc.exe
O23 - Service: Norman Scanner Engine Service (nsesvc) - Unknown owner - C:\Program Files\Norman\Nse\Bin\NSESVC.EXE" -daemon (file missing)
O23 - Service: Norman Virus Control on-access component (nvcoas) - Norman ASA - C:\Program Files\Norman\Nvc\Bin\nvcoas.exe
O23 - Service: Norman Virus Control Scheduler (NVCScheduler) - Norman ASA - C:\Program Files\Norman\Npm\Bin\Nvcsched.exe
O23 - Service: Norman Resource Provider (NVOY) - Norman ASA - C:\Program Files\Norman\npm\bin\nvoy.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
~Kira
Active Member
 
Posts: 2
Joined: March 27th, 2009, 2:45 pm
Advertisement
Register to Remove

Re: a variety of probs including rootkit

Unread postby flashh4 » March 27th, 2009, 5:14 pm

Hello ~Kira and welcome to the forums.

Please do not run any other programs with out my permission !!
Run all programs in the order posted !!!!!


My name is flashh4 and I will be helping you to remove any infection(s) that you may have.

Please observe these rules while we work:

1. If you don't know, stop and ask! Don't keep going on.
2. Please reply to this thread. Do not start a new topic.
3. Please continue to respond until I give you the "All Clear"
(Just because you can't see a problem doesn't mean it isn't there)
4. Please note you'll need to have Administrator privileges to perform the fixes. (XP accounts are Administrator by default)
5. Please let me know if you are using a computer with multiple accounts, as this can affect the instructions given.
6. Please post all request .......... not as a Attachment.

If you can do those things, everything should go smoothly.

Please note that all instructions given are customised for this computer only, the tools used may cause damage if used on a computer with different infections.

If you think you have similar problems, please post a log in the HJT forum and wait for help.

Note: I am still in training at Malware Removal, however I will be working under the direct supervision of one of our Malware Experts. Any recommendations will first be approved before being given to you. Because of this, there may be a short delay in getting our responses to you, however be assured that we will be working diligently on your problem.

I will be back as soon as possible with a fix !!
In the mean time can you give me an Uninstall list please !!


  1. Open HijackThis.
  2. Click on the Open the Misc Tools section button.
  3. Look under System tools.
  4. Click on the Open Uninstall Manager... button.
  5. Click on the Save list... button.
  6. It will prompt you to save. Save this log in a convenient location. By default it's named uninstall_list.txt.
  7. Notepad will open. Please post this log in your next reply.


*Notes*
1. It would be very helpful if you informed me of which Antivirus and Firewall you are running or if it's disabled.
2. There is a 5 day limit which you must respond to this topic or it will be closed. Then you will have to start a new topic.


Thanks
Chuck
User avatar
flashh4
Regular Member
 
Posts: 2276
Joined: June 7th, 2005, 8:36 pm
Location: wyoming

Re: a variety of probs including rootkit

Unread postby flashh4 » March 30th, 2009, 1:04 pm

Hi ~Kira, i have some very bad news for you.
It is imperative that your system be reformated and your Windows operating system be reinstalled. This is necessary because Virut is a virulent file infector that will infect -.exe -.scr -web page files (.htm & .html and possibly .asp & .aspx files) -archived files (.rar and .zip also) with mentioned file types inside.. As an added "bonus," Virut is a poorly written and buggy file infector, which is why our scanners cannot properly disinfect the files and, since many of these infected files will be vital system files, they cannnot simply be removed.

So, the situation is that the files cannot be removed, nor can they be properly disinfected. This leaves only one choice, reformat and reinstall the Windows operating system.

Prior to reformatting the system, the hard drive could be removed and attached to another system as a "slave," thereby allowing you to remove and salvage your data files. No files should be saved other than documents and pictures. No screensavers, no executables, no program set-up files... just documents and pictures. Otherwise, the infection will be reintroduced to the newly reinstalled operating system. All data files should be scanned with anti-virus and anti-spyware programs prior to being returned to the hard drive after it has been reformatted. If you are not comfortable performing this procedure yourself, we would advise you to take the computer to a reliable, local, computer repair shop and have them do the work for you.

Should you have any questions, please feel free to ask.

Thanks
Chuck
User avatar
flashh4
Regular Member
 
Posts: 2276
Joined: June 7th, 2005, 8:36 pm
Location: wyoming

Re: a variety of probs including rootkit

Unread postby ~Kira » April 1st, 2009, 3:59 am

Actually, I got rid of it. It took me a while to find the right scanner, but I downloaded rmvirut.exe and rmvirut.nt and put them on a cd, then booted in safe mode and copied them to the desktop and ran the exe and it cleaned every file. I rebooted in safe mode and ran again and it was clean. Then I replaced all the exe files from an old backup (plus all windows and system 32 exes in DOS so I could view logs and stuff), and no formatting was necessary.

I don't know how everyone else can just wipe their drives and lose all their work/email/photos etc. I can't do that. I will admit it took me almost a week to get rid of this, but only because I couldn't find the right removal tool or AV app and it kept reinfecting, so every reboot just added to the problem. Also, the scans take so long to run that just 2 or 3 take an entire day. The one I mentioned above though only takes about 2-3 hours, as it scans only the files it needs to and skips all the others. I think other people could benefit from this scanner, but they are supposed to get both parts and will have to do an internet search for that as the maker's site gives a 403 on the .nt file download.

Anyway, I just wanted you to know the problem is fixed and I do thank you for being here. I was really happy when I found this forum. It gave me hope, at least, that I would get it fixed, which I did! :flower:
~Kira
Active Member
 
Posts: 2
Joined: March 27th, 2009, 2:45 pm

Re: a variety of probs including rootkit

Unread postby flashh4 » April 1st, 2009, 8:14 pm

Hi ~Kira, i have discussed the removal of the Virut with my Teacher and he says its hard to believe that its removed 100%.
So lets do some checking.

* Please go to http://www.kaspersky.com/kos/eng/partne ... bscan.html and perform an online antivirus scan.
* Read through the requirements and privacy statement and click on Accept button.
* It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
* When the downloads have finished, click on Settings.
* Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
Spyware, Adware, Dialers, and other potentially dangerous programs
Archives
Mail databases

* Click on My Computer under Scan.
* Once the scan is complete, it will display the results. Click on View Scan Report.
* You will see a list of infected items there. Click on Save Report As....
* Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
* Please post this log in your next reply.

Post the kaspersky log.
Thanks
Chuck
User avatar
flashh4
Regular Member
 
Posts: 2276
Joined: June 7th, 2005, 8:36 pm
Location: wyoming

Re: a variety of probs including rootkit

Unread postby Blade81 » April 6th, 2009, 8:04 am

Due to a lack of response this topic is now closed.

If you still require help, please open a new thread in the Infected? Virus, malware, adware, ransomware, oh my! forum, include a fresh FRST log, and wait for a new helper.
User avatar
Blade81
Admin/Teacher
Admin/Teacher
 
Posts: 5245
Joined: July 17th, 2006, 3:36 am
Location: Finland
Advertisement
Register to Remove


  • Similar Topics
    Replies
    Views
    Last post

Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: No registered users and 21 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware