Page 2 of 3 (results 11 to 20 of 22)

Thread: Infected again, Redirects and unwarranted installs

#11 (Member, joined May 2008, 35 posts)

    I ran CFix again; it went through its steps, and when it went for a restart I had the same errors that I have been having, which stopped CFix from completing and therefore did not produce a log.

    The boot errors came when I got infected, and the problem is that there are a handful of programs in my startup that I have no idea what they are, and they are impossible to shut off. I uncheck them and restart, and they come right back.

    The one program that is causing the main issue starts by installing what looks like an overlay, then it highlights all of my desktop icons and then gives me a fatal error (C000021a). So what I have to do is continually click these off and reboot until it allows me access to my machine again.

    These program names are:

    NvCpl (which seems to be the main one)
    dumprep 0 -U
    dumprep 0 -K
    ifysy
    misu
    google task bar
    b34b377..
    Realsched

    Like I said, I uncheck them and restart if I can, and they just check themselves right back. And no matter what we have done as far as scans, these have never gone away and seemingly undo what we have done.

    I'll start backing my stuff up now. Any insight you may have would be great.

#12 (Emeritus, joined Nov 2005, location @localhost, 6,066 posts)

    I don't see an antivirus in any of the logs. Unchecking malware in msconfig won't work until more malware is removed.

    Download, install and update one of the AV solutions below, then pull the plug on your ethernet connection and do a full scan. I would use the computer as little as possible until it's clean, and when not in use make sure there's no network connectivity.


    Antivirus:
    Avast:
    http://www.avast.com/free-antivirus-download

    Avira:
    http://www.free-av.com/en/download/index.html

    AVG:
    http://free.avg.com/us-en/homepage

    Dr Web is also good as a one-time scanner; you can use it after one of the above as well.

    Download Dr.Web CureIt to the desktop:

    ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe

    * Doubleclick the drweb-cureit icon to start the program.
    * press start
    * Allow the program to run the initial express scan
    * This will scan the files currently running in memory. If something is found, click the YES button when it asks you if you want to cure it. This is only a short scan.
    Note: A pop-up may appear during this phase suggesting you purchase their program; click the X at the top right corner of this pop-up to close it.
    * Once the short scan has finished, check the Complete scan box on the left side, even if nothing was found on the initial scan.
    * Then click the small green arrow button on the right under the Dr.Web Antivirus picture to start the complete scan. (This scan will take several hours)
    * During this complete scan - if Dr.Web finds an infection a window will pop up requesting your attention. Select the Cure button.
    Note:(If the file cannot be cured, Dr.Web will automatically delete the file)
    * Once the scan is complete, on the menu bar, click file and choose report list.
    * Save the report to your desktop. The report will be called DrWeb.csv
    * Note:this report will need to be renamed to Dr.Web.txt in order to post it on the forum.
    * Close Dr.Web Cureit.
    * Please post the Dr.Web.txt report in your next reply
    How Can I Reduce My Risk?

#13 (Member, joined May 2008, 35 posts)

    Downloaded and ran Avast, and also ran CureIt quick and complete scans. Here are the logs:


    Process in memory: C:\WINDOWS\System32\svchost.exe:1176;;BackDoor.Tdss.565;Eradicated.;
    winlogon.exe;C:\WINDOWS\system32;Trojan.Starter.1510;Cured.;
    kbdhid.sys;C:\WINDOWS\system32\drivers;BackDoor.Tdss.2459;Will be cured after restart.;
    7.tmp;C:\DOCUME~1\Wayne\LOCALS~1\Temp;Trojan.Packed.20807;Deleted.;
    msvcr71.dll;c:\program files\java\jre6\bin;Win32.Rmnet;Cured.;
    coreclr.dll;c:\program files\microsoft silverlight\4.0.50524.0;Win32.Rmnet;Cured.;
    npctrl.dll;c:\program files\microsoft silverlight\4.0.50524.0;Win32.Rmnet;Cured.;
    desktoplayer.exe;c:\program files\microsoft;Trojan.Packed.20343;Deleted.;
    pcpitstopscheduleservice.exe;c:\program files\pcpitstop;Win32.Rmnet;Cured.;
    wmpnetwk.exe;c:\program files\windows media player;Win32.Rmnet;Cured.;
    kbdhid.sys;c:\windows\system32\drivers;BackDoor.Tdss.2459;Cured.;

#14 (Emeritus, joined Nov 2005, location @localhost, 6,066 posts)

    You saw all those files that Dr. Web cured? Looks like a virus that infects Windows .exe, .dll and .htm files. If you pulled any files off, like to a USB drive, then I would consider them infected also. It's possible that these infected files can spread from a USB drive to a computer the drive is inserted into. Don't transfer any of those files you pulled off to another computer just yet.

    You might consider a reformat/reinstall of Windows. Looks like many files are infected.
    I would run both Avast again and Dr Web for a second pass after checking for updates to each of them.
    Last edited by shelf life; 2010-08-09 at 22:39.

#15 (Member, joined May 2008, 35 posts)

    Yeah, that last scan was a mess. I ran the scans again and they are a lot cleaner. Here's the log:

    f_000a4a\gziped.gz;C:\Documents and Settings\Wayne\Local Settings\Application Data\Google\Chrome\User Data\Default\Cache\f_000a4a;Probably SCRIPT.Virus;;
    f_000a4a;C:\Documents and Settings\Wayne\Local Settings\Application Data\Google\Chrome\User Data\Default\Cache;Archive contains infected objects;Moved.;
    f_000b1b\gziped.gz;C:\Documents and Settings\Wayne\Local Settings\Application Data\Google\Chrome\User Data\Default\Cache\f_000b1b;Probably SCRIPT.Virus;;
    f_000b1b;C:\Documents and Settings\Wayne\Local Settings\Application Data\Google\Chrome\User Data\Default\Cache;Archive contains infected objects;Moved.;
    b346b377-c5b1-44e6-8746-fff95c083a8f_46.avi.vir;C:\Qoobox\Quarantine\C\Documents and Settings\Wayne\Application Data;Trojan.Hosts.1049;Incurable.Moved.;
    ifysy.exe.vir;C:\Qoobox\Quarantine\C\Documents and Settings\Wayne\Application Data\Paevze;Trojan.Packed.20343;Deleted.;
    wrk1.tmp_46.vir;C:\Qoobox\Quarantine\C\DOCUME~1\Wayne\LOCALS~1\temp\4fab030a-7617-4248-8615-946d95ea5a17;Trojan.Hosts.1049;Incurable.Moved.;
    wrk2.tmp_46.vir;C:\Qoobox\Quarantine\C\DOCUME~1\Wayne\LOCALS~1\temp\4fab030a-7617-4248-8615-946d95ea5a17;Trojan.Hosts.1049;Incurable.Moved.;
    A0034039.ocx;C:\System Volume Information\_restore{EEAD7172-7D8D-4A56-ACA0-6652FF74E8CC}\RP3;Trojan.PWS.Qqpass.origin;Incurable.Moved.;
    A0034150.exe;C:\System Volume Information\_restore{EEAD7172-7D8D-4A56-ACA0-6652FF74E8CC}\RP4;Trojan.Hosts.1049;Incurable.Moved.;

#16 (Emeritus, joined Nov 2005, location @localhost, 6,066 posts)

    C:\Qoobox\Quarantine\C\Documents and Settings\Wayne\Application Data;Trojan.Hosts.1049;Incurable.Moved.;
    This is ComboFix's quarantine folder, so anything in there was already removed and is harmless.

    C:\System Volume Information\_restore
    We will clean out System Restore later.

    Why don't you do an online scan also, just for another opinion:

    ESET online scanner:

    http://www.eset.com/onlinescan/

    Uses Internet Explorer only.
    Check "YES" to accept the terms.
    Click the start button.
    Allow the ActiveX component to install.
    Click the start button; the scanner will update.
    Check both "Remove found threats" and "Scan unwanted applications".
    Click scan.
    When done, you can find the scan log at: C:\Program Files\EsetOnlineScanner\log.txt
    Please copy/paste that log in your next reply.
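The Dr.Web CureIt report lines posted in #13 and #15 are semicolon-separated records (name;directory;detection;action;). As an added example, not part of the thread and not Dr.Web's own tooling, the Python below parses that layout and applies the triage rule from the post above: detections inside the ComboFix (Qoobox) or Dr.Web quarantine folders and inside System Restore snapshots are already contained, while entries on the live file system or in memory are the ones still worth acting on. The folder markers are assumptions based on the paths in the thread, and the sample report is constructed from those same lines.

```python
"""Triage helper for Dr.Web CureIt reports (added example, not from the thread).

CureIt writes one semicolon-separated record per detection:
    name;directory;detection;action;
A detection inside a quarantine folder or a System Restore snapshot is not a
live infection; the file was already neutralised by an earlier tool.
"""
from collections import Counter

# Constructed sample in the CureIt layout shown in the thread (not a real log).
SAMPLE_REPORT = r"""
Process in memory: C:\WINDOWS\System32\svchost.exe:1176;;BackDoor.Tdss.565;Eradicated.;
winlogon.exe;C:\WINDOWS\system32;Trojan.Starter.1510;Cured.;
kbdhid.sys;C:\WINDOWS\system32\drivers;BackDoor.Tdss.2459;Will be cured after restart.;
msvcr71.dll;c:\program files\java\jre6\bin;Win32.Rmnet;Cured.;
f_000a4a\gziped.gz;C:\Documents and Settings\Wayne\Local Settings\Application Data\Google\Chrome\User Data\Default\Cache\f_000a4a;Probably SCRIPT.Virus;;
ifysy.exe.vir;C:\Qoobox\Quarantine\C\Documents and Settings\Wayne\Application Data\Paevze;Trojan.Packed.20343;Deleted.;
wrk1.tmp_46.vir;C:\Documents and Settings\Wayne\DoctorWeb\Quarantine;Trojan.Hosts.1049;Incurable.Moved.;
A0034039.ocx;C:\System Volume Information\_restore{EEAD7172-7D8D-4A56-ACA0-6652FF74E8CC}\RP3;Trojan.PWS.Qqpass.origin;Incurable.Moved.;
"""

# Folder markers (lower-cased; assumed from the paths in the thread) that mean
# the object was already contained by another tool.
QUARANTINE_MARKERS = (
    r"\qoobox\quarantine",      # ComboFix quarantine
    r"\doctorweb\quarantine",   # Dr.Web CureIt quarantine
)
RESTORE_MARKER = r"\system volume information\_restore"  # System Restore points


def classify(name, directory):
    """Return where a detection lives: memory, quarantine, restore or live."""
    if name.startswith("Process in memory:"):
        return "memory"
    d = directory.lower()
    if any(marker in d for marker in QUARANTINE_MARKERS):
        return "quarantine"
    if RESTORE_MARKER in d:
        return "restore"
    return "live"


def parse_report(text):
    """Parse CureIt CSV text into a list of dicts.

    Tolerates the odd layouts seen in real reports: memory entries have an
    empty directory field, and archive members may have an empty action.
    """
    entries = []
    for raw in text.splitlines():
        if not raw.strip():
            continue
        fields = raw.split(";")
        fields += [""] * (4 - len(fields))  # pad short records
        name, directory, detection, action = (f.strip() for f in fields[:4])
        entries.append({
            "name": name,
            "directory": directory,
            "detection": detection,
            "action": action,
            "location": classify(name, directory),
        })
    return entries


def triage(text):
    """Summarise a report: what is still worth worrying about."""
    entries = parse_report(text)
    active = [e for e in entries if e["location"] in ("memory", "live")]
    return {
        "by_location": dict(Counter(e["location"] for e in entries)),
        # Detections on the running system (not quarantine, not restore points).
        "active": active,
        # Actions CureIt could not finish without a reboot.
        "pending_reboot": [e for e in entries if "restart" in e["action"].lower()],
        # Live objects that were flagged but had no action recorded.
        "no_action": [e for e in entries if e["location"] == "live" and not e["action"]],
        "active_families": dict(Counter(e["detection"] for e in active)),
    }


if __name__ == "__main__":
    summary = triage(SAMPLE_REPORT)
    print(summary["by_location"])
    for e in summary["active"]:
        print(f"{e['location']:<10} {e['detection']:<25} {e['directory']}\\{e['name']}")
```

Run it against a saved DrWeb.csv by reading the file into `triage()`; the "active" list is what to paste back into a thread like this one, and a non-empty "pending_reboot" list means the machine has not yet been rebooted since the cure.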

#17 (Member, joined May 2008, 35 posts)

    ESET scan complete:

    ESETSmartInstaller@High as CAB hook log:
    OnlineScanner.ocx - registred OK
    # version=7
    # iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
    # OnlineScanner.ocx=1.0.0.6211
    # api_version=3.0.2
    # EOSSerial=4f497784cecb004b9c9f9c48b1128493
    # end=finished
    # remove_checked=true
    # archives_checked=false
    # unwanted_checked=true
    # unsafe_checked=false
    # antistealth_checked=true
    # utc_time=2010-08-12 01:33:31
    # local_time=2010-08-12 09:33:31 (-0500, Eastern Daylight Time)
    # country="United States"
    # lang=1033
    # osver=5.1.2600 NT Service Pack 3
    # compatibility_mode=768 16777215 100 0 0 0 0 0
    # compatibility_mode=6401 16777214 100 100 0 57337455 0 0
    # compatibility_mode=8192 67108863 100 0 0 0 0 0
    # scanned=113371
    # found=4
    # cleaned=4
    # scan_time=6626
    C:\Documents and Settings\Wayne\DoctorWeb\Quarantine\b346b377-c5b1-44e6-8746-fff95c083a8f_46.avi.vir a variant of Win32/Qhost.PBI trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
    C:\Documents and Settings\Wayne\DoctorWeb\Quarantine\wrk1.tmp_46.vir a variant of Win32/Qhost.PBI trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
    C:\Documents and Settings\Wayne\DoctorWeb\Quarantine\wrk2.tmp_46.vir a variant of Win32/Qhost.PBI trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
    C:\WINDOWS\system32\hlp.dat Win32/Bamital.DP trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

#18 (Emeritus, joined Nov 2005, location @localhost, 6,066 posts)

    Those files the online scan found are in the Dr Web quarantine folder. So how's it all looking on your end now?

#19 (Member, joined May 2008, 35 posts)

    It seems clean, nothing strange happening at all. I still have those programs listed in my startup, but I can restart without an issue. Seems to have recovered OK, I think.

#20 (Emeritus, joined Nov 2005, location @localhost, 6,066 posts)

    "I still have those programs listed in my startup"
    You mean they are listed in the msconfig utility under the Startup tab?
