PDA

View Full Version : HELP win32.virut.NBL is taking over my computer!!!!



molsonrules
2009-03-04, 22:30
Logfile of HijackThis v1.99.1
Scan saved at 3:24:46 PM, on 3/4/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\services.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\Mixer.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\WINDOWS\V0410Mon.exe
C:\WINDOWS\system32\ctfmon.exe
D:\uTorrent\uTorrent.exe
D:\Spybot - Search & Destroy\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\wuauclt.exe
D:\Mozilla Firefox\firefox.exe
C:\Program Files\HijackThis\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Favorites
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - D:\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - D:\SPYBOT~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [CmPCIaudio] RunDll32 CMICNFG3.CPL,CMICtrlWnd
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [NBKeyScan] "D:\Nero\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [iTunesHelper] "D:\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKLM\..\Run: [V0410Mon.exe] C:\WINDOWS\V0410Mon.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020
O4 - HKCU\..\Run: [uTorrent] "D:\uTorrent\uTorrent.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] D:\Spybot - Search & Destroy\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Creative Live! Cam Manager] "D:\Creative\Creative Live! Cam\Live! Cam Manager\CTLCMgr.exe"
O4 - HKCU\..\Run: [Skype] "D:\Skype\Phone\Skype.exe" /nosplash /minimized
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\SPYBOT~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\SPYBOT~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (CDownloadCtrl Object) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.7.109.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/softwareupdate/su2/ocx/15106/CTPID.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{6B16B527-2507-4A4A-8C0E-635999666821}: NameServer = 67.69.235.1,207.164.234.193
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WINDOW~2\MESSEN~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WINDOW~2\MESSEN~1\MSGRAP~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: dimsntfy - %SystemRoot%\System32\dimsntfy.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Application Layer Gateway Service (ALG) - Unknown owner - C:\WINDOWS\System32\alg.exe (file missing)
O23 - Service: Apple Mobile Device - Unknown owner - C:\WINDOWS\TEMP\VRT5F.tmp (file missing)
O23 - Service: AppMgmt - Unknown owner - C:\WINDOWS\TEMP\VRT5F.tmp (file missing)
O23 - Service: AudioSrv - Unknown owner - C:\WINDOWS\TEMP\VRT5F.tmp (file missing)
O23 - Service: BITS - Unknown owner - C:\WINDOWS\TEMP\VRT5F.tmp (file missing)
O23 - Service: Bonjour Service - Unknown owner - C:\WINDOWS\TEMP\VRT5F.tmp (file missing)
O23 - Service: Browser - Unknown owner - C:\WINDOWS\TEMP\VRT5F.tmp (file missing)
O23 - Service: clr_optimization_v2.0.50727_32 - Unknown owner - C:\WINDOWS\TEMP\VRT5F.tmp (file missing)
O23 - Service: COMSysApp - Unknown owner - C:\WINDOWS\TEMP\VRT5F.tmp (file missing)
O23 - Service: CryptSvc - Unknown owner - C:\WINDOWS\TEMP\VRT5F.tmp (file missing)
O23 - Service: DcomLaunch - Unknown owner - C:\WINDOWS\TEMP\VRT5F.tmp (file missing)
O23 - Service: Dhcp - Unknown owner - C:\WINDOWS\TEMP\VRT5F.tmp (file missing)
O23 - Service: dmadmin - Unknown owner - C:\WINDOWS\TEMP\VRT5F.tmp (file missing)
O23 - Service: dmserver - Unknown owner - C:\WINDOWS\TEMP\VRT5F.tmp (file missing)
O23 - Service: Dot3svc - Unknown owner - C:\WINDOWS\TEMP\VRT5F.tmp (file missing)
O23 - Service: EapHost - Unknown owner - C:\WINDOWS\TEMP\VRT5F.tmp (file missing)
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: ekrn - Unknown owner - C:\WINDOWS\TEMP\VRT5F.tmp (file missing)
O23 - Service: Eventlog - Unknown owner - C:\WINDOWS\TEMP\VRT5F.tmp (file missing)
O23 - Service: EventSystem - Unknown owner - C:\WINDOWS\TEMP\VRT5F.tmp (file missing)
O23 - Service: FastUserSwitchingCompatibility - Unknown owner - C:\WINDOWS\TEMP\VRT5F.tmp (file missing)
O23 - Service: hkmsvc - Unknown owner - C:\WINDOWS\TEMP\VRT5F.tmp (file missing)
O23 - Service: HTTPFilter - Unknown owner - C:\WINDOWS\TEMP\VRT5F.tmp (file missing)
O23 - Service: idsvc - Unknown owner - C:\WINDOWS\TEMP\VRT5F.tmp (file missing)
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Unknown owner - C:\Program Files\Java\jre6\bin\jqs.exe" -service -config "C:\Program Files\Java\jre6\lib\deploy\jqs\jqs.conf (file missing)
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: Microsoft security update service (msupdate) - Unknown owner - c:\windows\system32\mssrv32.exe
O23 - Service: Nero BackItUp Scheduler 4.0 - Nero AG - C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

Last thing that happened is that the virus somehow stopped kernel from working for my Eset Nod23 Antivirus... ! So the only thing that was catching and sometimes quarantining the virus from spreading has been wiped out.... PLEASE PLEASE help me.

Oh and im running Windows XP Pro...

Eset Nod32 Antivirus ver. 3.0.650...though I thought I had updated.

AND

Hijackthis ver. 1.99.0.1

Okay... so now i have a bigger problem... I ran Ad-aware and Spybot S&D and I thought it cleaned up the bugs.... but now apparently its not detecting my sound card... my network connections shows nothing anymore... but I still have internet... and I can't install anything.. it comes up with the following message:
"The Windows Installer Service could not be accessed. This can occur if you are running Windows in safe mod, or if the Windows Installer is not correctly installed. Contact your support personnel for assistance."
This is a problem because both my Open Office and Antivirus program were knocked out .. so now I am unprotected.. and still vulnerable.

shelf life
2009-03-06, 00:10
Sorry for the bad news but you have a virus the infects all .exe on your machine as well as having possible backdoor functionality. While it may be possible to clean it up, its not recommended. It could leave behind damaged .exe that may cause problems later. Once a machine has become compromised to this extent- your safest bet is to reformat and reinstall Windows. The virus can also spread to and from USB drives and external HD.

http://free.avg.com/66558
http://www.avast.com/eng/win32-virut.html
http://www.ca.com/us/securityadvisor/virusinfo/virus.aspx?ID=66586

molsonrules
2009-03-06, 22:45
OKay... I'll do that. One more thing, however... I have backed up some of my music files... a program or two and my pictures onto my ipod.... Will this carry the infection? If so is it only .exe files or do I have to delete absolutely everything off of my computer??

That would suck if it were the case.

shelf life
2009-03-07, 05:04
hi,

Yes, a infected .exe saved from your computer to a ipod can reinfect a computer via the ipod. The virus dosnt harm the ipod. The ipod just becomes the vector for spreading the virus. You probably should also reset the ipod back to factory defaults. I think this would wipe it clean but you should check the web site to make sure thats the case.
As for the computer, as far as I know the virus only infects .exe files and not files of other extensions. If you wanted to pull off .jpeg or .mp3 thats up to you.


I have to delete absolutely everything off of my computer??
Thats what a reformat would do: wipe the hard drive and reinstall windows.
You probably have hundreds of infected .exe's on your machine.

AVG makes a stand alone cleaner for this virus you can try if you want, but I dont know how up to date the cleaner is. New versions of the virus can be released also making the cleaner useless. Up to you if you want to try.
link here:
http://www.avg.com/virus-removal.ndi-67762
Create a new folder on your desktop to download both the .exe and .nt as explained on the web page, then run the .exe inside the folder.

molsonrules
2009-03-07, 21:17
Okay... thanks a lot for your time... Im just glad I can at least save my music and pictures. What a terrible, terrible virus. Oh well. I guess it's kind of good, in a way to be able to start over.. until I fill up my computer again, I guess.

Ill have to scan my Ipod with that AVG Antivirus program in the meanwhile... I think I should be fine though because there are no .exe files on it.. I'm scanning it presently. Do you think it's too risky not to restore the ipod?


Much appreciated.

shelf life
2009-03-08, 00:13
hi molsonrules,

as far as the ipod goes, as far as i know the virus only affects .exe extensions, if you dont have any of these stored on the ipod then i guess its ok, but i cant say with 100% certainty.
You can reformat your machine and reinstall Windows which would be the safest thing to do. A computer thats been badly compromised can no longer be trusted.

Or you can also try running Dr.Web CureIt on your machine to clean up the virus. You can read about it and download it here;

http://www.freedrweb.com/cureit/

download link is all the way at the bottom. It will be the latest version.
Save to desktop and click the icon, chose start. the default is a Express scan. After the express scan is done chose a complete scan and click the media player looking icon (>) to start the scan. If this is successful then we will also get another antimalware app to use. Up to you.

molsonrules
2009-03-08, 18:54
Yeah.. I think I'll just wipe out the drive completely and begin again.. there's too many things wrong with it and as you said it might be risky also. I'm just still a bit concerned about the fact that the virus can be carried through removable devices... Though I scanned my Ipod for .exe files in Windows search and used the AVG program to scan the drive and it came up with nothing... So hopefully it'll be okay. I'll be sure to get my virus protection up and running with the new OS before hooking up my ipod. What would you recommend for virus protection? I was using Eset Nod32 Antivirus but I had a problem updating the latest virus signatures and I think that's how I got the virus in the first place. I know that Norton has a huge following, but what has been the best/most up to date antivirus in your experience?

shelf life
2009-03-08, 22:52
hi molsonrules,

You can visit the computers manuf. website for more details on how to reformat and reinstall Windows unless you already know. Probably a simple procedure.

Nothing wrong with Eset AV, if you like it keep it. I coudnt say what one is the best, no doubt you would get a lot of opinions and thats just what there are: opinions of peoples personal views. There are some sites that rank AV based on there detection rates but I wouldnt put a whole lot of faith into it.
Having updated AV,Windows and software- is a necessity but also knowing the ways you can get malware in the first place will help to reduce your risk.
Good luck with the reformat/reinstall. Here are a few tips for reducing your risk:

Reducing Your Risk To Malware:
The Short Version:

1) Keep your OS (http://update.microsoft.com/microsoftupdate/v6/default.aspx?ln=en-us),(Windows) browser (IE, FireFox) and other Software (http://secunia.com/vulnerability_scanning/online/) up to date to "patch" possible vulnerabilities that could be exploited.

2) Know what you are installing to your computer. Alot of software can come bundled with unwanted add-ons, like adware, toolbars and malware. Do not install any files from ads, links or popups.

3) Install and keep updated: one antivirus and two or three anti-malware applications. If not updated they will soon be worthless. Scanning frequency is a function of your computer habits.

4) Refrain from clicking on links or attachments you receive via E-Mail, IM, Chat Rooms or Social Sites, no matter how tempting or legitimate the message.

5) Don't click on ads/pop ups or offers from websites requesting that you need to install software to your computer.

6) Don't click on offers to "scan" your computer. Install ActiveX Objects with care. Do you trust the website?

7) Set up and use limited accounts for everyday use, rather than administrator accounts. Limited accounts (http://www.microsoft.com/protect/computer/advanced/useraccount.mspx) can help prevent *malware from installing.*

8) Install and know the limitations of a software firewall.

9) Consider using an alternate browser and E-mail client. Internet Explorer and OutLook Express are popular targets for malicious code because they are widely used. See also: Hardening or Securing Internet Explorer. (http://www.microsoft.com/downloads/details.aspx?FamilyID=6AA4C1DA-6021-468E-A8CF-AF4AFE4C84B2&displaylang=en)

10) If your habits include: warez, cracks etc or you install files via p2p (http://www.virusvault.us/p2p.html) networks then you are much more likely to encounter malicious code. Do you trust the source? Do you really need another malware source?

A longer version in link below.

Happy Safe Surfing.