TechSpot

Virus infections include rootkit, psvrr.exe

By WMW
Jul 17, 2009
  1. Hi everyone,

    So my computer has been infected with viruses like Haxdor, Backdoor, Virantix.B, psvrr.exe, Heuristics, Koobface, Malpak.B, google Installer and I think professional help is needed here to get rid of the viruses completely as they keep recurring. I have attached the log files generated by HijackThis and dds.scr and, as indicated, I have installed multiple pieces of software to get rid of the viruses, and after every scan and removal procedure the viruses keep springing up again even if I do the scan like 5 minutes after the first one. I have also installed a firewall to try and contain the spread and protect my computer further and it seems to be working fine except that I recently discovered that some of the files of my firewall were infected with the heuristic virus. I have read online that these viruses hide themselves in the computer in such a way that the user is unable to detect them and that the only way to get rid of it is to format my PC. For that I know I will need to do a clean format but I want to consider that as a last resort since I don't have the time to go searching for my computer's drivers one-by-one. Nevertheless, I am willing to do whatever it takes to make my computer and my personal information secure again. Any help would be greatly appreciated.
     
  2. cosmido

    cosmido TS Rookie Posts: 20

    Hi,

    Download HaxFix : http://users.telenet.be/marcvn/tools/haxfix.exe
    • Run haxfix.exe
    • press a key to continue
    >> Make sure "Launch HaxFix" is checked
    • Select 1. Make a logfile
    • At "Searching the whole C:" - select Y
    >> the report will appear
    Post the report (c:\haxfix.txt)
    _____________________________________________________________________

    Download : Ad-Remover (by C_XX)

    Deactivate your antivirus.
    • Install Ad-remover, a shortcut will be created on your desktop
    • Run Ad-remover, select F
    • Close Internet connection and all open applications,
    • Select [S – Scanner] and press <Enter>
    >> Wait.., when scan complete, press a key to open the report,
    Post the report (C:\Ad-Report-SCAN.log)

    Reactivate your antivirus.
    _____________________________________________________________________

    Follow the instructions for Malwarebytes and CCleaner (do step 4 and step 2) >> here
    And post the Malwarebytes reports too

    P.S: for your next topic, if that happens, begin by following this (UPDATED 8-step ........) at the top of this forum section !
     
  3. WMW

    WMW TS Rookie Topic Starter

    Can I get an English version of the Ad-remover software since I don't understand French, and it would be difficult for me to manage the application... thanks
     
  4. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    It would be best if you followed the steps set up by TechSpot:

    Please run Malwarebytes, Superantispyware and then rescan with HijackThis. Attach all 3 logs.

    Remaining instructions and links can be found here: Virus and Malware Removal Steps.

    I will review all three logs.
     
  5. WMW

    WMW TS Rookie Topic Starter

    8 steps completed.....

    Ok, I have uploaded the logs that you requested...anticipating further malware removal protocols.
     
  6. cosmido

    cosmido TS Rookie Posts: 20

    Oops..
    • Run Ad-remover, select F = French
    Should be
    • Run Ad-remover, select..E = English
     
  7. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    WMW, again I ask that you do not download the Ad-Remover at this point.

    Please take the following programs off of Startup: This is best done in Safe Mode:
    Boot into Safe Mode
    • Restart your computer and start pressing the F8 key on your keyboard.
    • Select the Safe Mode option when the Windows Advanced Options menu appears, and then press ENTER.
    Once in Safe Mode, UNCHECK each of the processes I have put in BOLD as follows:

    Start> Run> type in msconfig> enter> Selective startup> Startup tab> UNCHECK each process for the program:
    C:\Program Files\Common Files\iS3\Anti-Spyware\SZServer.exe
    C:\Program Files\UnHackMe\hackmon.exe
    C:\Program Files\MozyHome\mozystat.exe
    C:\Program Files\UnHackMe\UnHackMe.exe
    C:\Program Files\STOPzilla!\STOPzilla.exe
    C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    C:\Program Files\Uniblue\RegistryBooster\RegistryBooster.exe
    C:\WINDOWS\System32\TuneUpDefragService.exe
    Any processes for "advanced-virus-remover2009"

    After unchecking them all> Apply> OK

    Reboot the computer into Normal Mode. NOTE: Ignore the nag message and close it after checking 'don't show this message again'. Stay in Selective Startup


    In spite of having all these programs, your system is badly infected. You have a rogue host hijacker, a Rootkit, MyWebSearch and others. We need to be sure that the programs I tell you to run will not be affected by these.

    Once you have done that:
    Please reopen HijackThis to 'do system scan only'.
    Check each of the following if present. Note. Do not click on 'Fix Checked' until you have checked all on the list:

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
    O1 - Hosts: 92.241.176.188 advanced-virus-remover2009.com
    O1 - Hosts: 92.241.176.188 www.advanced-virus-remover2009.com
    O2 - BHO:  - {A1FB2F9A-D35E-11DD-8935-E46A56D89593} - C:\Program Files\oovootb\dtx.dll
    O3 - Toolbar: ooVoo Toolbar - {A1FB2F9A-D35E-11DD-8935-E46A56D89593} - C:\Program Files\oovootb\dtx.dll
    O4 - Global Startup: humyo.com Client.lnk = C:\Program Files\humyo.com Client\HrfsClient.exe
    O8 - Extra context menu item: Save Image To humyo.com - C:\Program Files\humyo.com Client\download.html
    O8 - Extra context menu item: Save Target To humyo.com - C:\Program Files\humyo.com Client\download.html
    O18 - Protocol: symres - {AA1061FE-6C41-421F-9344-69640C9732AB} - (no file)
    O23 - Service: 1237279262 (.1237279262) - - (no file)


    Close all Windows except HijackThis and click on 'Fix Checked.'


    Download and run LSP-Fix

    1) Download LSP-Fix HERE and save it to its own directory on the desktop: http://www.bleepingcomputer.com/files/lspfix.php
    2) Double-click on the file to open it.
    3) In the Keep box on the left, you should see one or more instances of "is3lsp.dll".
       [o] Click on each to highlight it.
       [o] Click the arrow in the middle of the screen that points to the right >>>
    4) This will move the filename to the right-hand column labeled Remove.
       [o] NOTE: If the arrow is greyed out and does not allow you to click it, you need to check the box above labeled "I know what I'm doing".
    5) Once the file has been transferred to the Remove column, click Finish at the bottom of the screen.
       [o] You'll be presented with a results screen showing the file was removed from the Winsock layer entries in the registry.
    6) When you are done click Finish.
    After you've run LSPFix, you can then delete this file --> c:\program files\common files\is3\anti-spyware\is3lsp.dll

    Please reboot, then rescan with HijackThis. Attach a new log. We will then go to the next step.
     
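A small triage helper for the kind of HijackThis entries Bobbye lists above, written here as an added example (not code from the thread, from HijackThis or from any tool named in it): it flags O1 hosts-file entries that redirect a name to a non-local address and O23 services whose binary is gone. The sample lines are constructed from the entries quoted in the post, plus one made-up healthy service for contrast.

```python
import ipaddress
import re

# Constructed sample, modelled on the HijackThis entries quoted in the thread
# (the two hosts-file redirects and the orphaned O23 service); the final line
# is a made-up healthy service entry for contrast.
SAMPLE_LOG = [
    r"O1 - Hosts: 92.241.176.188 advanced-virus-remover2009.com",
    r"O1 - Hosts: 92.241.176.188 www.advanced-virus-remover2009.com",
    r"O1 - Hosts: 127.0.0.1 localhost",
    r"R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local",
    r"O23 - Service: 1237279262 (.1237279262) - - (no file)",
    r"O23 - Service: ExampleSvc (ExampleSvc) - Example Corp - C:\Program Files\Example\svc.exe",
]

# Every HijackThis entry starts with a section code (R0, O1, O23, ...) then " - ".
ENTRY_RE = re.compile(r"^(?P<kind>[RFNO]\d{1,2}) - (?P<body>.*)$")


def parse_entry(line):
    """Return (section code, body) for one log line, or None if it is not an entry."""
    m = ENTRY_RE.match(line.strip())
    return (m.group("kind"), m.group("body")) if m else None


def hosts_redirects(lines):
    """(ip, hostname) for O1 entries that point a name at a real address.

    Loopback and 0.0.0.0 mappings are the normal way to block a domain; any
    other address silently reroutes the name, the hijack pattern in the thread.
    """
    hits = []
    for kind, body in filter(None, map(parse_entry, lines)):
        fields = body.split()
        if kind != "O1" or len(fields) < 3 or fields[0] != "Hosts:":
            continue
        try:
            ip = ipaddress.ip_address(fields[1])
        except ValueError:
            continue  # malformed address cannot be a working redirect
        if not (ip.is_loopback or ip.is_unspecified):
            hits.append((str(ip), fields[2]))
    return hits


def orphan_services(lines):
    """O23 service entries whose binary no longer exists, shown as '(no file)'."""
    return [body for kind, body in filter(None, map(parse_entry, lines))
            if kind == "O23" and body.endswith("(no file)")]
```

Run `hosts_redirects(SAMPLE_LOG)` on a real HijackThis log (one entry per line) to get the same short list a helper would ask you to tick in 'Fix Checked'.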
  8. WMW

    WMW TS Rookie Topic Starter

    Hello again,

    I unchecked all the startup processes in safe mode but I had to uninstall Stopzilla to stop it from loading on startup. With Avast, I'm only going to disable it since I can't get it to stop loading on startup either. Anyways, that's taken care of.

    I did the HijackThis 'system scan only' and fix checked all the processes listed except for one which wasn't listed (O4 - Global Startup: humyo.com Client.lnk = C:\Program Files\humyo.com Client\HrfsClient.exe).

    I downloaded LSP-Fix but I couldn't find any instance of is3lsp.dll.

    All that was listed in the KEEP pane were:
    mswsock.dll Tcpip
    winrnr.dll NTDS
    mdnsNSP.dll mdnsNSP
    rsvpsp.dll (Protocol Handler)....

    I didn't take any action with regards to LSP-Fix...
     
  9. WMW

    WMW TS Rookie Topic Starter

    I've attached the log files from HijackThis... btw, isn't is3 associated with Stopzilla?
     
  10. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    I looked through your attachment of installed programs- probably should have done that at the beginning:

    P2P Warning:
    I see you are using at least one P2P or file sharing program:
    Vuze : Formerly called Azureus: It is a Bittorrent Client

    File sharing and malware go hand in hand. I suggest you uninstall this and any other P2P programs on the system. If you decide not to, please do not use these programs during cleaning. IF you do and I see it is adding to the malware, I will withdraw my support.

    You have an incredibly large number of programs installed. It is likely that the groupings of similar programs will cause some conflicts on the system.

    You have the ALOT Toolbar which is an adware program that integrates a fake toolbar on Internet Explorer and generates fake security reports prompting the user to download and register security programs.

    You have the [MyWebSearch Plugin]

    I need you to tell me specifically what the current problems are:
    What doesn't work?
    Does anything pop-up? What?
    Are you getting any error messages? What?


    You have programs installed for which you need to find the most recent updates and uninstall the earlier versions. Many programs update for security purposes. Keeping them on the system presents vulnerability: Some of them are:
    Java(TM) 6 Update 13>> most current is v6u14
    Java(TM) 6 Update 2> uninstall
    I don't know which of these you need or if you need them all, but suggest you check:
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 1.1 Hotfix (KB928366)
    Microsoft .NET Framework 2.0

    There are 2 listings for Norton: But you are now using Avira> You need to use the Norton Removal Tool and completely remove this:
    Norton Security Scan
    Norton Security Scan (Symantec Corporation)

    Please look through the rest of these programs. If there are others you don't need or use, uninstall them.

    When you finish (and I want you to do the above first):

    Please download ComboFix HERE:
    • With ComboFix, at the download window, please rename it to Combo-Fix(.exe) before downloading it.
    • Please disable all security programs, such as antiviruses, antispywares, and firewalls. Also disable your internet connection.
    • Run Combo-Fix.exe and follow the prompts.
      (Understand that things like your system clock changing and your desktop disappearing might happen. Do not worry, because all will be restored later.)
    • Wait for the scan to be completed.
    • If it requires a reboot, please do it.
    • After the scan has completed entirely, please post the log here. The log will be located at C:\ComboFix(.txt)

    Do not click on the ComboFix window, as it may cause it to stall.

    CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

    After Combofix, rescan with HijackThis. Attach new log and the report from Combofix.
     
  11. WMW

    WMW TS Rookie Topic Starter

    I updated the Java and had gotten rid of Vuze while going through the 8 steps. I have also uninstalled any programs that are not used very often.

    The problem seems to be the Google update/installer trying to access the internet every now and then even when I am using the Safari browser and no apparent process seems to be using the Google service. I cannot use Safari anymore because it slows down or gets stuck sometimes. I'm also a little concerned about third-party monitoring or tracking my online activities. I also found two IP addresses trying to connect directly to my computer without representing a service. However, since I've implemented the anti-malware software, gotten rid of the P2P client and installed the firewall everything seems to be working fine except for the Google update and the Stopzilla scans telling me I have spyware. Does this mean Stopzilla isn't a credible software and that my computer is safe and that I shouldn't worry about online tracking? After all, it was Stopzilla that revealed I had psvrr.exe and the other viruses like Malpak.D and what not. Oh and I think I remember stopping the psvrr.exe process from running through the task manager after it alerted me of its presence. Also, I want to ask is it possible to still use P2P from here on because it seems to me that all these viruses seem to be coming through the client software?

    I've attached the logs from HijackThis and ComboFix after rescanning....
     
  12. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    You are free to run any P2P programs you want. But understand> you will get malware when you participate in file sharing.

    For some reason, Google thinks it should update its toolbar. I don't. I stopped it the day I first saw it:

    Take it off of Startup. Uninstall the 'notifier' in Add/Remove Programs.

    Any software that you allow to auto-update will contact the internet several times during a 24 hour period, 'looking for an update.' For myself, the only program I allow to auto-update is my AV program. But it depends how much control a user wants over the system. I want as close to total control as I can get. Others don't want to be bothered and set everything to auto-update.

    But music downloading and game playing aren't big issues for me.

    I covered the Google part for you. You will have to be more specific about what Stopzilla is finding. I've never used that program. There is a lengthy discussion of the program here, ending with the comment:
    http://www.techspot.com/vb/all/windows/t-51017-Is-Stopzilla-a-rogue--antispyware-product.html

    From the Stopzilla site:
    True Real-timeTM Protection: this may sound good and in some instances it may be good. But any program running in 'real time' has the potential to cause conflicts. But if you want this, Spybot S&D has TeaTimer> free. There are other programs, like Spywareblaster, that work in the background to prevent malware and it's free

    It boasts of "Most advanced Pop-up blocker available"- I don't agree. The Google Toolbar has the best one available! And it's free.

    "Frequent Auto-updates". I covered that ..
    "Kills all forms of Malware..." That is not correct. It has no antivirus capabilities, only spyware/adware> they are NOT the same. It costs $9.95 a year.

    The following are good and free:
    Antivirus: Avira or Avast
    (Many of us used and recommended AVG but since they went to v8, most of us don't use it or recommend it> the others are much better.)
    Firewall: Comodo or Kaspersky
    Spyware/Adware: Spywareblaster, Spybot Search & Destroy, AdAware and others.

    About Malpak.D: I can't identify it as either a virus or spyware. If it was a virus, Stopzilla couldn't remove it. Here is a comment I found, made by someone with malware.
    About Psvrr.exe: it is a Trojan/Backdoor. Any good, up-to-date spyware/adware program should either PREVENT this or find and fix it, depending on which type of program it is.

    Please run a full system scan with Avast. Save the log and attach it to next reply. If it's clean, I'll have you remove the cleaning tools and old restore points.
     
Topic Status:
Not open for further replies.
