Results 1 to 5 of 5

Thread: Internet connection lost due to malware/virus

  1. #1
    Junior Member
    Join Date
    Mar 2009
    Posts
    3

    Default Internet connection lost due to malware/virus

    I got the malware from a file i downloaded, even though i scanned it before running (antivirus found nothing).

    I scanned the computer with NOD32, Spybot S&D, Malwarebytes Antimalware and AutorunRemover. NOD finds the following files and removes them, but they get regenerated after every restart (copied from NOD32's event journal, sorry for the mess):


    3/21/2009 10:29:11 PM Real-time file system protection file C:\WINDOWS\file.bat Win32/Joleee.NF worm cleaned by deleting - quarantined NT AUTHORITY\SYSTEM Event occurred on a file modified by the application: C:\WINDOWS\services.exe.
    3/21/2009 10:12:01 PM HTTP filter file http://iliketay.cn/dll/em.txt Win32/SpamTool.Agent.NAJ trojan connection terminated - quarantined NT AUTHORITY\SYSTEM Threat was detected upon access to web by the application: C:\WINDOWS\system32\svchost.exe.
    3/21/2009 5:53:21 PM Real-time file system protection file C:\WINDOWS\file.bat Win32/Joleee.NF worm cleaned by deleting - quarantined NT AUTHORITY\SYSTEM Event occurred on a new file created by the application: C:\WINDOWS\services.exe.
    3/21/2009 5:53:08 PM Real-time file system protection file C:\WINDOWS\file.bat Win32/Joleee.NF worm cleaned by deleting - quarantined NT AUTHORITY\SYSTEM Event occurred on a new file created by the application: C:\WINDOWS\services.exe.
    3/21/2009 5:53:00 PM Real-time file system protection file C:\WINDOWS\file.bat Win32/Joleee.NF worm cleaned by deleting - quarantined NT AUTHORITY\SYSTEM Event occurred on a file modified by the application: C:\WINDOWS\services.exe.


    It also add a new process called "services.exe" (i dont remember such a process being present before) and when i try to end it it says its a critical system process and cant be ended even though its not a "SYSTEM" process.

    The malware stalled my internet connection and made the system slow and unstable. Apparently it messed up the svchost.exe process, as evidenced by NOD's log report.

    You can find the HijackThis log below.
    I hope i included all the needed info. If more is needed just let me know.
    And please respond ASAP.
    Thanks in advance.




    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 10:22:17 PM, on 3/21/2009
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    D:\Program Files\ABBYY Lingvo X3\LvAgent.exe
    C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
    C:\WINDOWS\System32\reader_s.exe
    C:\Program Files\Gadwin Systems\PrintScreen\PrintScreen.exe
    C:\Program Files\Download Master\dmaster.exe
    C:\Program Files\RocketDock\RocketDock.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\Program Files\DU Meter\DUMeter.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Documents and Settings\Dolphin\reader_s.exe
    C:\Program Files\Common Files\ABBYY\Lingvo\14.0\Licensing\NetworkLicenseServer.exe
    C:\WINDOWS\system32\cisvc.exe
    C:\Program Files\DU Meter\DUMeterSvc.exe
    C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
    C:\WINDOWS\system32\inetsrv\inetinfo.exe
    C:\WINDOWS\system32\cmd.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\CyberLink\Shared files\RichVideo.exe
    C:\WINDOWS\system32\tcpsvcs.exe
    C:\WINDOWS\System32\snmp.exe
    C:\WINDOWS\services.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\TUProgSt.exe
    C:\Program Files\Viewpoint\Common\ViewpointService.exe
    C:\WINDOWS\system32\mqsvc.exe
    C:\WINDOWS\system32\mqtgsvc.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\cidaemon.exe
    C:\WINDOWS\system32\cidaemon.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://securityresponse.symantec.com.../fix_homepage/
    R3 - URLSearchHook: Rambler-Annenoaio - {468CD8A9-7C25-45FA-969E-3D925C689DC4} - C:\Program Files\Rambler Assistant\ramblertoolbarU0.dll
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
    O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\rpbrowserrecordplugin.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
    O2 - BHO: IE 4.x-6.x BHO for Download Master - {9961627E-4059-41B4-8E0E-A7D6B3854ADF} - C:\PROGRA~1\DOWNLO~1\dmiehlp.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl Class - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O3 - Toolbar: Rambler-Annenoaio - {468CD8A9-7C25-45FA-969E-3D925C689DC4} - C:\Program Files\Rambler Assistant\ramblertoolbarU0.dll
    O3 - Toolbar: DM Bar - {0E1230F8-EA50-42A9-983C-D22ABC2EED3C} - C:\Program Files\Download Master\dmbar.dll
    O4 - HKLM\..\Run: [Lingvo Launcher] "D:\Program Files\ABBYY Lingvo X3\LvAgent.exe" /STARTUP
    O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
    O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
    O4 - HKLM\..\Run: [services] C:\WINDOWS\services.exe
    O4 - HKLM\..\Run: [SDActiveMonitor] C:\Program Files\SpywareDetector\SDActiveMonitor.exe -AUTO
    O4 - HKLM\..\Run: [reader_s] C:\WINDOWS\System32\reader_s.exe
    O4 - HKCU\..\Run: [Gadwin PrintScreen] C:\Program Files\Gadwin Systems\PrintScreen\PrintScreen.exe /nosplash
    O4 - HKCU\..\Run: [Download Master] C:\Program Files\Download Master\dmaster.exe -autorun
    O4 - HKCU\..\Run: [CursorFX] "C:\Program Files\Stardock\CursorFX\CursorFX.exe"
    O4 - HKCU\..\Run: [RocketDock] "C:\Program Files\RocketDock\RocketDock.exe"
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKCU\..\Run: [DU Meter] C:\Program Files\DU Meter\DUMeter.exe
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [reader_s] C:\Documents and Settings\Dolphin\reader_s.exe
    O4 - HKLM\..\Policies\Explorer\Run: [services] C:\WINDOWS\services.exe
    O4 - HKCU\..\Policies\Explorer\Run: [services] C:\WINDOWS\services.exe
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\S-1-5-18\..\Run: [reader_s] C:\Documents and Settings\Dolphin\reader_s.exe (User 'SYSTEM')
    O4 - HKUS\S-1-5-18\..\Policies\Explorer\Run: [services] C:\WINDOWS\services.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O4 - HKUS\.DEFAULT\..\Policies\Explorer\Run: [services] C:\WINDOWS\services.exe (User 'Default user')
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Закачать ВСЕ при помощи Download Master - C:\Program Files\Download Master\dmieall.htm
    O8 - Extra context menu item: Закачать при помощи Download Master - C:\Program Files\Download Master\dmie.htm
    O8 - Extra context menu item: Найти с помощью Рамблера - res://C:\Program Files\Rambler Assistant\ramblertoolbarU0.dll/search.htm
    O8 - Extra context menu item: Опубликовать в Дневнике - res://C:\Program Files\Rambler Assistant\ramblertoolbarU0.dll/planet.htm
    O8 - Extra context menu item: Перевести с помощью словарей Рамблера - res://C:\Program Files\Rambler Assistant\ramblertoolbarU0.dll/dic.htm
    O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
    O9 - Extra button: Download Master - {8DAE90AD-4583-4977-9DD4-4360F7A45C74} - C:\Program Files\Download Master\dmaster.exe
    O9 - Extra 'Tools' menuitem: &Download Master - {8DAE90AD-4583-4977-9DD4-4360F7A45C74} - C:\Program Files\Download Master\dmaster.exe
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe (file missing)
    O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe (file missing)
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
    O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
    O23 - Service: ABBYY Lingvo x3 Licensing Service (ABBYY.Licensing.Lingvo.Desktop.14.0) - ABBYY Software Ltd - C:\Program Files\Common Files\ABBYY\Lingvo\14.0\Licensing\NetworkLicenseServer.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: DU Meter Service (DUMeterSvc) - Hagel Technologies Ltd - C:\Program Files\DU Meter\DUMeterSvc.exe
    O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
    O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe
    O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software - C:\WINDOWS\System32\TuneUpDefragService.exe
    O23 - Service: TuneUp Program Statistics Service (TuneUp.ProgramStatisticsSvc) - TuneUp Software - C:\WINDOWS\System32\TUProgSt.exe
    O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

    --
    End of file - 9637 bytes

  2. #2
    In Memoriam -Always in our heart pskelley's Avatar
    Join Date
    Oct 2005
    Location
    Clearwater, Florida
    Posts
    20,247

    Default

    Welcome to Safer Networking, I wish to be sure you have viewed and understand this information.
    "BEFORE you POST" (READ this Procedure before Requesting Assistance) http://forums.spybot.info/showthread.php?t=288
    All advice given is taken at your own risk.
    Please make sure you have read this information so we are on the same page.

    I have some bad news for you, see this:
    C:\WINDOWS\System32\reader_s.exe
    http://www.systemlookup.com/Startup/19425.html

    That is not all but unfortunately, that is the bad one, read about it here:
    http://free.avg.com/66558
    http://www.avast.com/eng/win32-virut.html
    http://www.ca.com/us/securityadvisor....aspx?ID=66586

    The only viable way to clean this file infector is a complete reformat:
    http://spyware-free.us/tutorials/reformat/
    http://www.cyberwalker.net/faqs/how-...stall-faq.html
    http://helpdesk.its.uiowa.edu/window...s/reformat.htm

    http://www.microsoft.com/security/po...=Win32%2fVirut

    MS-MVP Consumer Security 2007-08-09
    Proud Member ASAP
    UNITE Member 2006

  3. #3
    Junior Member
    Join Date
    Mar 2009
    Posts
    3

    Unhappy

    What the FFF???
    How can there be no way of removing this ****?

    I read in another forum that RemoveIt Pro can fix it, should i try that?

    I really appreciate our help and effort, but i need you to understand, there are literally GIGABYTES of important files on the infected computer, my father uses it too and has tons of needed files on it, and i have no means of backing up that much data in reasonable time, i cant even copy them to my dads laptop through LAN b/c of the virus affecting the network.

    So, reformatting is a last-est resort option. Id rather try anything and everything than reformat.

    Please advise me ANYTHING that you can think of that will help me fix this crap.

    thx

  4. #4
    In Memoriam -Always in our heart pskelley's Avatar
    Join Date
    Oct 2005
    Location
    Clearwater, Florida
    Posts
    20,247

    Default

    I have provided what I consider the best possible advice. You can Google for additional information, good luck.

    Too late for it now but with the junk out here anymore, there should always be a clean backup. If you are going to try to save files, I suggest you read about this infection again.
    MS-MVP Consumer Security 2007-08-09
    Proud Member ASAP
    UNITE Member 2006

  5. #5
    Junior Member
    Join Date
    Mar 2009
    Posts
    3

    Default

    Ok, thx very much

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •