10-21-2009, 10:20 AM #1 - d260 (Registered User)
 
Join Date: Oct 2009
Posts: 22
OS: Windows XP Home SP3


Help with malware, virus, etc...

Hello,

For the last couple of days I've been infected with some kind of malicious software. I can't seem to open Task Manager; I've tried every single way. Also, Microsoft has been wanting to update, and it can't connect to Microsoft, nor can I even go to Microsoft.com. I've also tried going to other anti-malware/spyware sites (Avast, etc.) and I can't access those sites either. It almost seems like it is automatically blocking known anti-malware sites or sites that contain the words anti-spyware, anti-malware, etc.

I am running Avast (free edition) and it keeps going berserk, showing me that certain files in Windows Temp and System32, among others, are infected. For example, wmdtc.exe keeps popping up on Spybot and Norton. So far I've told Spybot to kill the process as it was making my computer run slow, and the others I've moved to Avast's chest as I have no idea whether they are legit or not. Just to mention, one of the files Avast said was infected was TaskMgr.exe, so it is in the chest, which probably explains why I can't open it. I did try pausing the Avast Standard Shield to see what would happen and I was able to get to my Task Manager (but only when the Avast Standard Shield is turned off); however, I'm still having problems visiting security sites like Microsoft, and I keep getting messages telling me certain files in my Windows 32 folder are malicious.

Here are the files inside the Avast chest right now (don't know if this helps):

10.tmp------->C:\WINDOWS\system32
Win32:MalOb-U [CRYP]

5.tmp-------->C:\WINDOWS\system32
Win32:MalOb-U [CRYP]

7.tmp-------->C:\WINDOWS\system32
Win32:MalOb-U [CRYP]

_CACHE_003_-->C:\documents and settings\user\local settings\Application Data\Mozilla\Firefox\Profiles\q72uhfii.default\Cache
JS:FakeCodec-G [Trj]

B.tmp-------->C:\WINDOWS\system32
Win32:MalOb-U [CRYP]

Dc14.tmp----->C:\RECYCLER\s-1-5-21-73586283-842925246-725345543-1004
Win32:Trojan-gen

hrtzzm.exe--->C:\Program Files\MSN Gaming Zone\Windows
Win32:Vitro

IDriver.exe-->C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\11\Intel3~1
Win32:JunkPoly [CRYP]

service.tmp-->C:\DOCUME~1\User\LOCALS~1\Temp
Win32:Rootkit-gen [Rtk]

stat.tmp----->C:\DOCUME~1\User\LOCALS~1\Temp
Win32:MalOb-V [CRYP]

taskmgr.exe-->C:\WINDOWS\system32
Win32:Vitro

UAC2cf9.tmp-->C:\documents and settings\user\local settings\temp
Win32:Patched-KT [Trj]

VRT7C.tmp---->C:\DOCUME~1\User\LOCALS~1\Temp
Win32:Clicker-C [Trj]

VRTA.tmp----->C:\WINDOWS\TEMP
Win32:Clicker-C [Trj]

VRTC.tmp----->C:\WINDOWS\TEMP
Win32:Malware-gen

I also ran Malwarebytes Anti-Malware in Safe Mode and did a full scan; it removed I think 14 or so infected files, but the log somehow did not save. I had last updated this program in the summer, and now it just freezes when I try to update it because it can't connect to the site. I believe Avast updated today when I started my PC, and I was able to do a manual update of Spybot (still can't get to the Avast website though), although I have not run an Avast or Spybot scan yet, just the Malwarebytes one.

I'm running Windows XP Home SP3 (no CDs), Norton, Avast, Spybot.
Any help would be great. Thanks!

DDS.txt

DDS (Ver_09-10-13.01) - NTFSx86
Run by User at 16:34:35.36 on Tue 10/20/2009
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2047.1126 [GMT -7:00]

AV: Norton Internet Security *On-access scanning enabled* (Outdated) {E10A9785-9598-4754-B552-92431C1C35F8}
AV: avast! antivirus 4.8.1351 [VPS 091020-0] *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
FW: Norton Internet Security *enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\ATKKBService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\FastNetSrv.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\ALCWZRD.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\DNA\btdna.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Logitech\SetPoint II\SetPointII.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
svchost.exe C:\WINDOWS\TEMP\VRT5.tmp
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Documents and Settings\User\Desktop\TechSupport\dds.scr

============== Pseudo HJT Report ===============

uInternet Settings,ProxyOverride = *.local
BHO: {000123B4-9B42-4900-B3F7-F4B073EFC214} - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {1e8a6170-7264-4d0f-beae-d42a53123c75} - c:\program files\common files\symantec shared\coshared\browser\1.7\NppBho.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_03\bin\ssv.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
TB: Show Norton Toolbar: {90222687-f593-4738-b738-fbee9c7b26df} - c:\program files\common files\symantec shared\coshared\browser\1.7\UIBHO.dll
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
TB: &Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
TB: {C55BBCD6-41AD-48AD-9953-3609C48EACC7} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [BitTorrent DNA] "c:\program files\dna\btdna.exe"
mRun: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [osCheck] "c:\program files\norton internet security\osCheck.exe"
mRun: [AlcWzrd] ALCWZRD.EXE
mRun: [Symantec PIF AlertEng] "c:\program files\common files\symantec shared\pif\{b8e1dd85-8582-4c61-b58f-2f227fca9a08}\pifsvc.exe" /a /m "c:\program files\common files\symantec shared\pif\{b8e1dd85-8582-4c61-b58f-2f227fca9a08}\AlertEng.dll"
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [MSConfig] c:\emergencyutils\Copy_of_MSConfig.exe /auto
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
dRun: [inixs] c:\windows\system32\minix32.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\setpoi~1.lnk - c:\program files\logitech\setpoint ii\SetPointII.exe
IE: &Download by Orbit
IE: &Grab video by Orbit
IE: Do&wnload selected by Orbit
IE: Down&load all by Orbit
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_03\bin\ssv.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: ppctlcab - hxxp://ppupdates.ca.com/downloads/scanner/ppctlcab.cab
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://a1540.g.akamai.net/7/1540/52/20061205/qtinstall.info.apple.com/qtactivex/qtplugin.cab
DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} - hxxp://www.creative.com/su/ocx/15031/CTSUEng.cab
DPF: {0DB074F0-617E-4EE9-912C-2965CF2AA5A4} - hxxp://download.microsoft.com/download/7/0/7/707a44ad-52ad-49af-b7ef-e21b6b0656e4/VirtualEarth3D.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {200B3EE9-7242-4EFD-B1E4-D97EE825BA53} - hxxp://h20270.www2.hp.com/ediags/gmn/install/hpobjinstaller_gmn.cab
DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} - hxxp://ppupdates.ca.com/downloads/scanner/axscanner.cab
DPF: {31435657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab
DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - hxxp://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.6.108.cab
DPF: {4CCA4E80-9259-11D9-AC6E-444553544200} - hxxp://h30155.www3.hp.com/ediags/dd/install/HPInstallMgr_v01_6.cab
DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://by103fd.bay103.hotmail.msn.com/resources/MsnPUpld.cab
DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader3.cab
DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - hxxp://download.divx.com/player/DivXBrowserPlugin.cab
DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} - hxxps://webdl.symantec.com/activex/symdlmgr.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1160175093218
DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} - hxxp://launch.gamespyarcade.com/software/launch/alaunch.cab
DPF: {745395C8-D0E1-4227-8586-624CA9A10A8D} - hxxp://solid.axiscam.net:2050/activex/AMC.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {A7ECD556-D6F6-4F41-8C6B-14AB246801A0} - hxxp://kdx.kontiki.com/kdx/Client403/kdx.cab
DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} - hxxp://www.crucial.com/controls/cpcScanner.cab
DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} - hxxps://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx
DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
DPF: {CAFEEFAC-0015-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_02-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_05-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} - hxxp://3dlifeplayer.dl.3dvia.com/player/install/installer.exe
DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} - hxxp://fdl.msn.com/zone/datafiles/heartbeat.cab
DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} - hxxp://driveragent.com/files/driveragent.cab
DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} - hxxp://www.creative.com/su/ocx/15033/CTPID.cab
Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\user\applic~1\mozilla\firefox\profiles\q72uhfii.default\
FF - prefs.js: browser.startup.homepage - www.msn.com
FF - component: c:\documents and settings\user\application data\mozilla\firefox\profiles\q72uhfii.default\extensions\piclens@cooliris.com\components\coolirisstub.dll
FF - plugin: c:\documents and settings\all users\application data\nexonus\ngm\npNxGameUS.dll
FF - plugin: c:\documents and settings\user\application data\mozilla\firefox\profiles\q72uhfii.default\extensions\moveplayer@movenetworks.com\platform\winnt_x86-msvc\plugins\npmnqmp071303000006.dll
FF - plugin: c:\documents and settings\user\application data\mozilla\firefox\profiles\q72uhfii.default\extensions\piclens@cooliris.com\plugins\npcoolirisplugin.dll
FF - plugin: c:\documents and settings\user\application data\mozilla\plugins\npcoolirisplugin.dll
FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPCltInstall.dll
FF - plugin: c:\program files\virtual earth 3d\npVE3D.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

============= SERVICES / DRIVERS ===============

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2009-7-14 114768]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\SASDIFSV.SYS [2006-10-10 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2007-2-27 55024]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-7-14 20560]
R2 fastnetsrv;fastnetsrv Service;c:\windows\system32\FastNetSrv.exe [2004-8-4 114688]
R2 Machnm32;Machnm32 Driver;c:\windows\system32\Machnm32.sys [2007-6-8 2304]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2008-7-5 109616]
S0 ntcdrdrv;ntcdrdrv;c:\windows\system32\drivers\ntcdrdrv.sys --> c:\windows\system32\drivers\ntcdrdrv.sys [?]
S2 MSSQL$MSSMLBIZ;SQL Server (MSSMLBIZ);c:\program files\microsoft sql server\mssql.1\mssql\binn\sqlservr.exe [2008-11-24 29263712]
S3 imhidusb;Immersion's HID USB Driver;c:\windows\system32\drivers\imhidusb.sys [2005-7-12 30984]
S3 SaiH0763;SaiH0763;c:\windows\system32\drivers\SaiH0763.sys [2008-9-18 135296]
S3 SaiH0BAC;SaiH0BAC;c:\windows\system32\drivers\SaiH0BAC.sys [2008-9-21 135168]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2006-2-16 4096]
S3 TMHidF;Thrustmaster Afterburner Force Feedback HID Driver;c:\windows\system32\drivers\TMHIDF.sys [2005-7-12 25270]
S3 wntdos32;wntdos32;\??\c:\windows\system32\wntdos32.sys --> c:\windows\system32\wntdos32.sys [?]

=============== Created Last 30 ================

2009-10-20 16:19 155,648 a------- c:\windows\system32\taskmgr.exe
2009-10-20 16:13 <DIR> --d----- C:\EmergencyUtils
2009-10-20 15:07 52 a------- c:\windows\system32\6.tmp
2009-10-20 06:17 47,104 a------- c:\windows\system32\kadg0.dll
2009-10-20 06:02 88,064 a------- c:\windows\system32\3657583.exe
2009-10-20 06:02 47,104 a------- c:\windows\system32\kapg1.dll
2009-10-20 06:02 36,133 a------- c:\windows\system32\klkg
2009-10-20 06:02 1,008 a------- c:\windows\system32\4869959.exe
2009-10-18 16:05 212,480 a------- c:\windows\system32\minix32.exe
2009-10-16 14:40 <DIR> --d----- c:\windows\SQL9_KB970892_ENU
2009-10-16 00:36 <DIR> --d-h--- c:\windows\PIF
2009-10-06 13:42 <DIR> --d----- c:\program files\HandBrake
2009-09-26 23:18 45,200 a---h--- c:\windows\system32\mlfcache.dat
2009-09-26 22:52 <DIR> --d----- c:\program files\iPod
2009-09-25 09:41 856,064 a------- c:\windows\system32\divx_xx0c.dll
2009-09-25 09:41 856,064 a------- c:\windows\system32\divx_xx07.dll
2009-09-25 09:41 847,872 a------- c:\windows\system32\divx_xx0a.dll
2009-09-25 09:41 843,776 a------- c:\windows\system32\divx_xx16.dll
2009-09-25 09:41 839,680 a------- c:\windows\system32\divx_xx11.dll
2009-09-25 09:41 696,320 a------- c:\windows\system32\DivX.dll

==================== Find3M ====================

2009-10-19 09:35 361,344 a------- c:\windows\system32\drivers\TCPIP.SYS.ORIGINAL
2009-10-19 09:35 361,344 a------- c:\windows\system32\drivers\TCPIP.SYS
2009-10-18 22:51 205,258 a------- c:\windows\system32\PnkBstrB.exe
2009-10-18 22:44 139,152 a------- c:\windows\system32\drivers\PnkBstrK.sys
2009-10-18 22:44 139,152 a------- c:\docume~1\user\applic~1\PnkBstrK.sys
2009-10-18 22:44 794,408 a------- c:\windows\system32\pbsvc.exe
2009-09-11 07:18 136,192 a------- c:\windows\system32\msv1_0.dll
2009-09-04 14:03 58,880 a------- c:\windows\system32\msasn1.dll
2009-08-28 19:42 2,065,696 a------- c:\windows\system32\usbaaplrc.dll
2009-08-28 19:42 40,448 a------- c:\windows\system32\drivers\usbaapl.sys
2009-08-26 01:00 247,326 a------- c:\windows\system32\strmdll.dll
2009-08-06 19:23 274,288 a------- c:\windows\system32\mucltui.dll
2009-08-06 19:23 215,920 a------- c:\windows\system32\muweb.dll
2009-08-05 02:01 204,800 a------- c:\windows\system32\mswebdvd.dll
2009-08-04 19:52 1,193,832 a------- c:\windows\system32\FM20.DLL
2009-08-04 08:13 2,145,280 a------- c:\windows\system32\ntoskrnl.exe
2009-08-04 07:20 2,023,936 a------- c:\windows\system32\ntkrnlpa.exe
2009-08-03 19:27 625,032 a------- c:\windows\system32\SymNeti.dll
2009-08-03 19:27 242,056 a------- c:\windows\system32\SymRedir.dll
2006-06-29 13:27 20 ----h--- c:\docume~1\alluse~1\applic~1\PKP_DLea.DAT
2006-04-18 19:38 61 ---sh--- c:\windows\cnerolf.dat
2009-01-15 19:37 1,004 a--sh--- c:\windows\system32\sys_drv.dat
2008-08-22 17:12 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008082220080823\index.dat

============= FINISH: 16:38:00.87 ===============
Attached Files: Attach.zip (7.5 KB)

10-26-2009, 10:40 AM #2 - tetonbob (Manager, Security Center, TSF Academy; Analyst, Security Team)
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,569
OS: 2000 Pro; XP Pro; XP Home


Re: Help with malware, virus, etc...

Hello -

taskmgr.exe-->C:\WINDOWS\system32
Win32:Vitro

2009-10-20 16:19 155,648 a------- c:\windows\system32\taskmgr.exe

This is a bloated file which Avast has identified as Vitro, or Virut.

hrtzzm.exe--->C:\Program Files\MSN Gaming Zone\Windows
Win32:Vitro

Your system is infected with a polymorphic file infector called Virut. Virut is capable of infecting all the machine's executable files (.exe) and screensaver files (.scr). However, the problem is that the virus has a number of bugs in its code, and as a result, it may misinfect a proportion of executable files and therefore, the files are corrupted beyond repair. As of now, security experts suggest that a format and clean install, or destructive recovery if you have an OEM recovery partition, is the best way to clean the infection and it is the best and safest way to return the machine to its normal working state.

Back up all your documents and important items (personal data, work documents, etc.) only. DO NOT back up any executable files (software) or screensavers (*.scr). It attempts to infect any accessed .exe or .scr files by appending itself to the executable.

Also, avoid backing up compressed (zip/cab/rar) files that have .exe or .scr files inside them. Virut can penetrate and infect .exe files inside compressed files too.

Recent variants also modify htm, html, asp and php files.

Do not back up to another machine, as it may become compromised. Burn to DVD/CD, or to an external drive which has nothing else on it, and which you can format should it happen to become infected from the backups.

See miekiemoes' blog for similar comments here:

http://miekiemoes.blogspot.com/2009/...-throwing.html
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006

Microsoft MVP - Consumer Security 2009
10-27-2009, 03:45 PM #3 - d260 (Registered User)
 
Join Date: Oct 2009
Posts: 22
OS: Windows XP Home SP3


Re: Help with malware, virus, etc...

ok thanks for the reply.

This virus is starting to mess up my internet as well, it'll shut my connection down completely and won't let me download anything so if I don't reply in the future, it's because I won't have access to the internet.

Instead of the hassle of reformatting the HD, etc., maybe it's easier and quicker to just trash this one and buy a new one? I know you said I can transfer docs, but how about music from iTunes and pictures/videos? Also, what about my favorites? By the way, does this virus have the ability to log my keystrokes? And how could I have gotten this when I had Norton and Avast?

Say if I buy an external hard drive to temporarily move these files onto, and then buy a new internal HD, is there a way to scan the files sitting in the external HD before putting them on the new one?

Also, do you have any links as to how to reinstall Windows on a brand new hard drive? Do I just hook up the connections, turn on my computer and insert the Windows CD, and it should take over from there, or what? I've never done this before.

Thank you for the help... and damn whoever made this virus. If I ever find out who makes these things...

Last edited by d260; 10-27-2009 at 04:01 PM.
10-27-2009, 05:51 PM #4 - tetonbob (Manager, Security Center, TSF Academy; Analyst, Security Team)
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,569
OS: 2000 Pro; XP Pro; XP Home


Re: Help with malware, virus, etc...

Seems easier and less costly to format your current drive, but ultimately the decision is yours.

A guide to installing Windows

http://www.techhandbook.com/windows/...g-Windows.html

Or, you can ask the folks in the Windows section of the forums for further guidance.


Quote:
and how could i have gotten this when i had norton and avast?
Well, a couple of ways. Contrary to some popular but incorrect thought, more than one AV protects you less, not more. They can cause conflict, and then inaction, on the part of both. Only have ONE antivirus installed.

Additionally, if someone lets the bad guy in the door when he knocks, there's no reason for the resident protection to argue. Meaning, Virut is almost 100% behavioral: it almost always comes from crack sites or pr0n sites, or p2p downloads. If your music is from such sources, dump it and rebuild from legit sources.

Recent variants have been known to infect all sorts of files, so it might not be worth keeping anything.

Quote:
does this virus have the ability to log my keystrokes?
It would be a prudent move to change all passwords used on the infected machine, from a known clean computer.


Quote:
is there a way to scan the files sitting in the external HD before putting them on the new one?
This is the conundrum with Virut, and why it's sometimes better to just cut one's losses and dump everything. Activating an external device on a new machine, if any Virut-infected files have been backed up to that device, can start the whole circus over again. If you ONLY back up docs, you should be fine, but jpgs and mp3s, for example, have the potential for being infected. To scan them from your newly installed, properly protected machine, before restoring them, you'd want to first disable autoruns on the machine.

http://www.us-cert.gov/cas/techalerts/TA09-020A.html

Scroll to III. Solution

Then, scan the external. If the saved data gets a pass, you should be OK... but again, with this infection, more so than others, there are no guarantees.

Hope that helps.
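The backup rules from posts #2 and #4 (no .exe/.scr, no archives carrying them, htm/html/asp/php under suspicion, jpgs and mp3s not automatically safe) written out as a triage script. This is an added example, not code from the thread or from any tool mentioned in it. It is a name-and-header filter to run over a backup candidate folder from a clean machine before copying: it does not detect an infected data file, so the AV scan the thread recommends still has to follow it. The sample folder it builds is constructed for the demonstration.

```python
"""
Backup triage for a Virut-infected machine, applying the rules from the
thread: skip .exe/.scr, skip archives that carry .exe/.scr, flag
htm/html/asp/php for review, and skip anything with a PE 'MZ' header
regardless of its name. It is a name/header filter, not an AV scan.
"""
import os
import tempfile
import zipfile

EXECUTABLE_EXT = {".exe", ".scr"}
WEB_EXT = {".htm", ".html", ".asp", ".php"}
ARCHIVE_EXT = {".zip", ".cab", ".rar"}


def is_pe_file(path):
    """True if the file starts with the DOS/PE 'MZ' signature."""
    try:
        with open(path, "rb") as fh:
            return fh.read(2) == b"MZ"
    except OSError:
        return False


def zip_has_executables(path):
    """True if a .zip contains any .exe/.scr member. A corrupt archive is
    treated as unsafe, because it cannot be inspected."""
    try:
        with zipfile.ZipFile(path) as zf:
            return any(os.path.splitext(n)[1].lower() in EXECUTABLE_EXT
                       for n in zf.namelist())
    except zipfile.BadZipFile:
        return True


def classify(path):
    """Return (verdict, reason) with verdict in {'copy', 'review', 'skip'}."""
    ext = os.path.splitext(path)[1].lower()
    if ext in EXECUTABLE_EXT:
        return "skip", "executable or screensaver"
    if ext == ".zip":
        if zip_has_executables(path):
            return "skip", "archive contains .exe/.scr"
        return "review", "archive without executables by name"
    if ext in ARCHIVE_EXT:
        return "skip", "cab/rar cannot be inspected here"
    if ext in WEB_EXT:
        return "review", "web file; recent variants modify these"
    if is_pe_file(path):
        return "skip", "PE header despite %s extension" % (ext or "no")
    return "copy", "data file"


def triage(root):
    """Walk root and group relative paths (with '/' separators) by verdict."""
    out = {"copy": [], "review": [], "skip": []}
    for dirpath, _, names in os.walk(root):
        for name in sorted(names):
            full = os.path.join(dirpath, name)
            verdict, reason = classify(full)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            out[verdict].append((rel, reason))
    return out


def build_sample_tree(base):
    """Constructed sample 'backup' folder for the demonstration only."""
    docs = os.path.join(base, "Documents")
    os.makedirs(docs)
    files = {
        "Documents/essay.docx": b"PK\x03\x04docx-ish",
        "Documents/notes.txt": b"plain text",
        "Documents/setup.exe": b"MZ\x90\x00program",
        "Documents/holiday.jpg": b"MZ\x90\x00renamed executable",
        "Documents/page.html": b"<html></html>",
        "Documents/game.rar": b"Rar!",
    }
    for rel, data in files.items():
        with open(os.path.join(base, rel), "wb") as fh:
            fh.write(data)
    with zipfile.ZipFile(os.path.join(docs, "tools.zip"), "w") as zf:
        zf.writestr("helper.exe", b"MZ\x90\x00")
        zf.writestr("readme.txt", b"ok")
    with zipfile.ZipFile(os.path.join(docs, "photos.zip"), "w") as zf:
        zf.writestr("img1.jpg", b"\xff\xd8\xff")


def demo():
    """Build the sample tree in a temp dir, triage it, return the verdicts."""
    base = tempfile.mkdtemp()
    build_sample_tree(base)
    return triage(base)


if __name__ == "__main__":
    for verdict, items in demo().items():
        for rel, reason in items:
            print("%-7s %-24s %s" % (verdict.upper(), rel, reason))
```

To use it on a real drive, call triage() with the drive root instead of demo() and copy only the "copy" list; the "review" list is what to hand to the AV scanner after the host's autorun has been disabled, as post #4 says.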
10-27-2009, 09:03 PM #5 - d260 (Registered User)
 
Join Date: Oct 2009
Posts: 22
OS: Windows XP Home SP3


Re: Help with malware, virus, etc...

I appreciate all the help. One more question: I had document files on a flash drive from the infected computer and plugged it in to a clean computer, not thinking it would carry the virus, but apparently it did; when I plugged the flash drive in, Norton detected it and deleted it. I didn't unload any files, I just plugged it in to save something to the flash drive. Any chance that computer could be infected now, even if Norton deleted it?

Also, I think I will reformat instead. Hopefully I'll be able to get this done over the weekend because I need my computer for school. I'm going to need step-by-step instructions, first of all, on how to back up any non-infected files to an external hard drive. Am I supposed to go to another forum or stay here?

Thanks again!
10-27-2009, 10:06 PM #6 - tetonbob (Manager, Security Center, TSF Academy; Analyst, Security Team)
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,569
OS: 2000 Pro; XP Pro; XP Home


Re: Help with malware, virus, etc...

Quote:
Any chance that computer could be infected now even if Norton deleted it?
It's possible. Virut is also an autorun infection. Not knowing exactly what Norton deleted on that machine, it's hard to say without seeing detailed logs from it.

You can also run Flash_Disinfector on any machine/USB device to help disable autoruns.

Download Flash_Disinfector.exe from here and save it to your desktop.
  • Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
  • The utility may ask you to insert your flash drive and/or other removable drives including your mobile phone. Please do so and allow the utility to clean up those drives as well.
  • Wait until it has finished scanning and then exit the program.

Backing up files is a relatively straightforward process. An external drive will simply appear in My Computer as a new drive. You can copy/paste, drag and drop, etc...any files you wish to save from their current location, to the backup location.

See if the information here helps

Emergency Backup Procedure

Of course, due to the nature of this infection, you'll have to be more selective, but the principle is the same.
10-28-2009, 12:43 PM #7 - d260 (Registered User)
 
Join Date: Oct 2009
Posts: 22
OS: Windows XP Home SP3


Re: Help with malware, virus, etc...

OK, cool. I'll go ahead and get an external HD and back up documents and MP3s. Then reinstall Windows. Until then, can you keep this thread open? I'll be back once I get everything back up and running. I'll probably need help with disabling autorun, etc., and with scanning the external HD with the backed-up data on it to make sure those files aren't infected. Again, thanks for your help.
10-29-2009, 08:42 PM #8 - d260 (Registered User)
 
Join Date: Oct 2009
Posts: 22
OS: Windows XP Home SP3


Re: Help with malware, virus, etc...

OK, I got an external hard drive, but before I plug it in, how can I prevent the virus from hopping onto the external hard drive through the USB port like it did with my flash drive?
10-29-2009, 09:39 PM #9 - tetonbob (Manager, Security Center, TSF Academy; Analyst, Security Team)
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,569
OS: 2000 Pro; XP Pro; XP Home


Re: Help with malware, virus, etc...

Quote:
You can also run Flash_Disinfector on any machine/USB device to help disable autoruns.

Download Flash_Disinfector.exe from here and save it to your desktop.
Run Flash_Disinfector on a different machine, with that external HDD active. Then, when you hook it up, nothing should autorun.

In truth, it may be more desirable just to be rid of everything and start over. There are no guarantees with Virut. I'd not hesitate.
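The autorun handling discussed in posts #4, #6 and #9, written out as an added Python example; it is neither Flash_Disinfector itself nor code from the thread. It does the drive-side part of what that tool is described as doing: read the drive root's autorun.inf, report which entries would make Explorer launch a program, move the file aside under a harmless name and leave a directory called autorun.inf in its place so a file of that name cannot be recreated. The sample autorun.inf is constructed. The registry text is the IniFileMapping method of disabling autorun.inf processing on the host; treat the exact value as an assumption and check it against section III of the US-CERT alert linked in post #4 before importing it on a real machine.

```python
"""
Drive-side autorun.inf defanging, Flash_Disinfector style, plus the host-side
registry text that makes Windows ignore autorun.inf altogether.
"""
import os
import tempfile

# Host-side fix (IniFileMapping method, assumed to match the US-CERT alert):
# Windows is told to read every autorun.inf through a registry key that does
# not exist, so the file's contents are never acted on. Import with regedit.
AUTORUN_DISABLE_REG = (
    "Windows Registry Editor Version 5.00\r\n\r\n"
    "[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion"
    "\\IniFileMapping\\Autorun.inf]\r\n"
    "@=\"@SYS:DoesNotExist\"\r\n"
)

# Constructed sample of a hostile autorun.inf (not taken from the thread).
# Mixed case, comments and a decoy section are typical parser-confusion tricks.
SAMPLE_AUTORUN_INF = """[AutoRun]
; looks like a normal folder to the user
icon=%SystemRoot%\\system32\\shell32.dll,4
action=Open folder to view files
OPEN=RECYCLER\\loader.exe
shellexecute=RECYCLER\\loader.exe
shell\\open\\command=RECYCLER\\loader.exe
shell\\explore\\command=RECYCLER\\loader.exe
[garbage]
open=not_in_autorun_section.exe
"""


def parse_autorun(text):
    """Return {key: command} for every [autorun] entry that runs a program:
    open, shellexecute and shell\\<verb>\\command. Other keys are ignored."""
    targets = {}
    in_autorun = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if not in_autorun or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key = key.strip().lower()
        launches = key in ("open", "shellexecute") or (
            key.startswith("shell\\") and key.endswith("\\command"))
        if launches:
            targets[key] = value.strip()
    return targets


def neutralize_drive_root(root):
    """Defang autorun.inf at a drive root and block its recreation.
    Safe to run repeatedly: a second pass finds nothing and changes nothing."""
    inf = os.path.join(root, "autorun.inf")
    report = {"found": False, "targets": {}, "quarantined": None}
    if os.path.isfile(inf):
        with open(inf, "r", errors="replace") as fh:
            report["targets"] = parse_autorun(fh.read())
        report["found"] = True
        qdir = os.path.join(root, "autorun_quarantine")
        os.makedirs(qdir, exist_ok=True)
        qpath = os.path.join(qdir, "autorun.inf.txt")
        os.replace(inf, qpath)   # Explorer only honours the exact file name
        report["quarantined"] = qpath
    if not os.path.isdir(inf):
        os.mkdir(inf)            # a directory cannot be overwritten by a file
        # On Windows, also: attrib +s +h +r "X:\autorun.inf"
    return report


def demo():
    """Stage a fake drive root holding the sample autorun.inf, neutralize it
    twice, and return what happened on each pass."""
    root = tempfile.mkdtemp()
    with open(os.path.join(root, "autorun.inf"), "w") as fh:
        fh.write(SAMPLE_AUTORUN_INF)
    first = neutralize_drive_root(root)
    second = neutralize_drive_root(root)
    return {
        "first": first,
        "second": second,
        "blocking_dir": os.path.isdir(os.path.join(root, "autorun.inf")),
        "quarantine_exists": os.path.isfile(first["quarantined"]),
    }


if __name__ == "__main__":
    result = demo()
    for key, cmd in result["first"]["targets"].items():
        print("would launch via %-22s -> %s" % (key, cmd))
    print("quarantined to:", result["first"]["quarantined"])
    print("blocking directory present:", result["blocking_dir"])
    print("second pass found a file:", result["second"]["found"])
```

Run neutralize_drive_root() against the external drive's root from a clean machine before plugging it into anything else, and look at the quarantined text to learn where the loader lived on the drive; that path is also the first thing to delete from the backup.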
10-30-2009, 03:56 PM #10 - d260 (Registered User)
 
Join Date: Oct 2009
Posts: 22
OS: Windows XP Home SP3


Re: Help with malware, virus, etc...

Hey there, I managed to get my HD reformatted and XP reinstalled thanks to the links you provided. I'm up and running again; amazing how much faster my PC boots up now. I actually didn't even get the chance to back up any documents or files because the virus got so bad it started to freeze my computer as soon as my desktop appeared. I wasn't even able to get into Safe Mode either, as of yesterday, so my only option was to go ahead with the reformat/reinstallation. I lost about 500 iTunes songs, but I still have them on my iPod; now I just have to figure out how to transfer them back onto my PC without iTunes erasing them.

May as well buy and install Windows 7 at student pricing, so off to the Windows 7 support forum I go. Feel free to lock this thread. Thanks for your help.
d260 is offline  
Old 10-30-2009, 04:53 PM   #11 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,569
OS: 2000 Pro; XP Pro; XP Home


Re: Help with malware, virus, etc...

OK, stay safe out there, the internet's a jungle.

To help protect your computer in the future I recommend that you follow these steps and look into the following free programs:
  • Microsoft Windows Update - http://www.windowsupdate.com
    Visit regularly. This will ensure your computer always has the latest security updates. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

  • SpywareBlaster to help prevent spyware from installing in the first place.
    • Install & update SpywareBlaster with the latest definitions.
      After you have updated, click the button - enable protection for all unprotected items
  • WOT, Web of Trust, warns you about risky websites that try to scam visitors, deliver malware or send spam. Protect your computer against online threats by using WOT as your front-line layer of protection when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites - green to go, yellow for caution and red to stop, helping you avoid the dangerous sites. WOT has an addon available for both Firefox and IE.

  • Winpatrol

    Winpatrol is a heuristic protection program, meaning it looks for patterns in code that work like malware. It also takes a snapshot of your system's critical resources and alerts you to any changes that may occur without you knowing. You can read more about Winpatrol's features here.

    You can get a free copy of Winpatrol or use the Plus version for more features.

    You can read Winpatrol's FAQ if you run into problems.

  • MVPS HOST FILE
    The MVPS Hosts file replaces your current HOSTS file with one that will restrict known ad sites from serving you unsolicited advertisements. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is the IP of your local computer.
  • ANTIVIRUS SOFTWARE
    It is very important that you have anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future. It is imperative that you update your antivirus software at least once a week (even more if you wish). If you do not update your antivirus software then it will not be able to catch new malware that may have come out.

    Do not install more than one AntiVirus program because they will conflict with each other.

  • Scan here http://secunia.com/software_inspector/ for out of date & vulnerable common applications on your computer

  • http://www.trillian.cc - Trillian or http://www.miranda-im.com - Miranda-IM - These are malware-free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)

  • http://www.aumha.org/downloads/erunt-setup.exe - ERUNT - A useful freeware utility for users of Windows 2000/XP/Vista. It's made up of two parts - ERUNT & NTREGOPT.

    ERUNT will create daily complete backups of your computer's Registry. Whilst System Restore does the same thing, a corrupt registry file may prevent Windows from booting & this effectively disables System Restore. With ERUNT, you're able to restore the damaged Registry.

    NTREGOPT works by recreating each registry hive "from scratch", thus removing any slack space that may be left from previously modified or deleted keys. In other words, it compacts the Registry to a small size which allows Windows to load & perform faster.


In light of your recent troubles, I'm sure you'll like to avoid any future infections. Please take a look at these well written articles
Surf Safely, and Think Prevention!

Since this issue is resolved, this topic will be archived.
tetonbob is offline  
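The MVPS hosts-file mechanism in the list above (pointing unwanted names at 127.0.0.1) works in both directions: the same file can be used by malware to cut a machine off from update and antivirus sites, which matches the symptoms at the start of this thread. As an added example (not code from the post or from the MVPS project), this Python parser lists what a hosts file blocks and flags entries that would redirect sites the user must be able to reach. The sample hosts content, the example domains and the watch list are constructed.

```python
"""Parse a Windows HOSTS file (MVPS style) and report what it blocks.
Added example, not code from the forum post or the MVPS project."""
import ipaddress

# Addresses a blocklist-style hosts file points unwanted names at.
SINKHOLE = {"127.0.0.1", "0.0.0.0", "::1"}

# Constructed sample: the two stock localhost lines, blocklist-style
# entries (example domains), and one entry that would cut off a site
# the user must reach for updates.
SAMPLE_HOSTS = """# constructed hosts file for this example
127.0.0.1       localhost
::1             localhost
0.0.0.0   ads.example.net        # constructed blocklist entry
0.0.0.0   tracker.example.org    # constructed blocklist entry
127.0.0.1 www.windowsupdate.com  # constructed: should not be here
"""


def parse_hosts(text):
    """Yield (ip, hostname) for every mapping, ignoring comments and
    lines whose first field is not a valid IP address."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        try:
            ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # malformed line; skip rather than trust it
        for name in parts[1:]:
            yield parts[0], name.lower()


def blocked_names(text):
    """Names redirected to a sinkhole address, excluding localhost."""
    return {name for ip, name in parse_hosts(text)
            if ip in SINKHOLE and name != "localhost"}


def hijacked(text, needed):
    """Entries from `needed` (update and antivirus sites you must be
    able to reach) that the hosts file would silently redirect."""
    wanted = {n.lower() for n in needed}
    return sorted(name for ip, name in parse_hosts(text)
                  if name in wanted and ip in SINKHOLE)


if __name__ == "__main__":
    print(len(blocked_names(SAMPLE_HOSTS)), "names blocked")
    print("needed sites redirected:",
          hijacked(SAMPLE_HOSTS, ["www.windowsupdate.com", "www.avast.com"]))
```

On a real machine, read `%SystemRoot%\system32\drivers\etc\hosts` into `hijacked()` with your own list of update and vendor hostnames; a non-empty result explains why those sites "cannot be reached" and is the first place to look before blaming the network.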
Copyright 2001 - 2009, Tech Support Forum