Trojan/Virus Help

Inferno0032

Golden Member
Mar 26, 2007
1,111
0
71
Well, I got something via a torrent. When it begins running, it just cycles the icons and task bar on and off. So it will turn off, then come back on for a second, then turn off. I can still run programs, and I ran Ad-Aware and it picked up a trojan.something, and the one that remains is win32.hoax.renos. I click delete, and there's one file, called pipmon.exe, which lies in the system32 folder of Windows, that it won't let me delete. It doesn't seem to be able to get rid of it after restart, and when I restart it reboots all the trojans. What should I do to get rid of it? It doesn't affect my PC once I run Ad-Aware to delete its other programs with it. Would System Restore be good? A good program to get rid of these types of things? Do I need to go into the registry and do something with it? Also, when I close pipmon.exe in the Task Manager, it just pops up again, if that helps. Thanks
 

simondedalus

Member
Jul 13, 2007
154
0
0
Load Avast 4.7 Home Edition, 60-day trial version... search for it on Google.

Or you can load Prevx 2, 90-day free trial version.
 

simondedalus

Member
Jul 13, 2007
154
0
0
This is a suggestion only.
 

mechBgon

Super Moderator
Elite Member
Oct 31, 1999
30,699
1
0
I'd start with System Restore and then scan the system with rootkit detectors, antivirus and antispyware programs for good measure, as well as running HijackThis and plunking the HijackThis log into http://hijackthis.de/en for analysis to help you determine what needs to be nuked.


For anti-rootkit scanning, try Panda Anti-Rootkit to start off with.

For antivirus detection, my suggestion is a trial version of Kaspersky Anti-Virus 7 with all settings maxed out in all of the different modules (go into SETTINGS, slide the sliders to MAXIMUM for each module, then hit the Customize button, go to Advanced and max out the heuristics for each module as well). Make sure you enable the RISKWARE detection in Threats & Exclusions as well. Kaspersky has one of the best detection rates available, especially with the heuristics switched on.

For antispyware scanning, use SUPERAntispyware and Spybot Search & Destroy to start off with.


Realize that you're still just playing the odds here. I know of malware that none of that stuff will detect. So maybe you should stop playing with fire, eh? It won't be trivial if a keystroke logger picks off your WoW login credentials, or your PayPal or eBay log-in, or your credit-card number, etc. If all you got hit with was the usual WinFixer ads and such, consider yourself lucky.

Oh, and if you need further removal, John has a full malware-removal guide.
 

Inferno0032

Golden Member
Mar 26, 2007
1,111
0
71
As I expected, the trojan has messed up the restore points, so that's a no go. As for the other trojans that win32.hoax.renos brings and that can be deleted, they are win32.trojandownloader.agent and win32.trojan.mailinject. Ad-Aware picks it all up, but cannot delete the pipmon.exe, and that's all I think I have to be able to do: get rid of it.
 

Inferno0032

Golden Member
Mar 26, 2007
1,111
0
71
OK, I seem to have gotten rid of the pipmon.exe file. I can no longer find it in the system32 folder and it is no longer in the running processes list in the Task Manager. BUT! I downloaded Prevx 2.0 and each time I restart my computer, it catches 2 files, VRR1.TMP I think and VRR5.TMP. It catches them every time and I click cleanup. But even after cleanup they come back. How do I keep them off my machine? Are they trying to access through the internet?
 

mechBgon

Super Moderator
Elite Member
Oct 31, 1999
30,699
1
0
Originally posted by: Inferno0032
OK, I seem to have gotten rid of the pipmon.exe file. I can no longer find it in the system32 folder and it is no longer in the running processes list in the Task Manager. BUT! I downloaded Prevx 2.0 and each time I restart my computer, it catches 2 files, VRR1.TMP I think and VRR5.TMP. It catches them every time and I click cleanup. But even after cleanup they come back. How do I keep them off my machine? Are they trying to access through the internet?


You might also want to try the rest of my suggested plan of attack. Also, just on a hunch, run HijackThis and tell me if you have entries that look like this: http://home.comcast.net/~mechbgon/nmc.gif
 

Inferno0032

Golden Member
Mar 26, 2007
1,111
0
71
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 09:36, on 2007-09-14
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nTrayFw.exe
C:\WINDOWS\vVX1000.exe
C:\Program Files\Java\jre1.5.0_12\bin\jusched.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\Program Files\Microsoft LifeCam\MSCamS32.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\Program Files\Prevx2\PXConsole.exe
C:\Program Files\Prevx2\PXAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\HJT.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.finderg.com/
O2 - BHO: DAPHelper Class - {0000CC75-ACF3-4cac-A0A9-DD3868E06852} - C:\Program Files\DAP\dapbho.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - E:\Programs\SPYBOT~1\SDHelper.dll
O2 - BHO: Malicious Scripts Scanner - {55EA1964-F5E4-4D6A-B9B2-125B37655FCB} - C:\Documents and Settings\All Users\Application Data\Prevx\pxbho.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_12\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Editor plugin - {9F1D47EA-80B7-4f21-A9D3-3738F20596EE} - mountr.dll (file missing)
O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [nTrayFw] C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nTrayFw.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [VX1000] C:\WINDOWS\vVX1000.exe
O4 - HKLM\..\Run: [LifeCam] "C:\Program Files\Microsoft LifeCam\LifeExp.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_12\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "E:\Programs\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [PWRISOVM.EXE] E:\Downloads\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [WinampAgent] E:\Programs\Winamp\winampa.exe
O4 - HKLM\..\Run: [PrevxOne] "C:\Program Files\Prevx2\PXConsole.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: &Clean Traces - C:\Program Files\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_12\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_12\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - Winlogon Notify: !SASWinLogon - E:\Programs\SASWINLO.dll
O22 - SharedTaskScheduler: COM+ Service - {3C49DDAC-3DA4-4743-AF6C-5974FEAF875C} - (no file)
O23 - Service: ForceWare Intelligent Application Manager (IAM) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Apache Software Foundation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
O23 - Service: ForceWare user log service (nSvcLog) - NVIDIA - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe (file missing)
O23 - Service: PREVXAgent - Prevx - C:\Program Files\Prevx2\PXAgent.exe

--
End of file - 5347 bytes
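
The log above is the kind of thing the thread sends to hijackthis.de for analysis. The following is an added example, not part of the thread and not HijackThis's own logic: a small Python triage script that parses the R0/O2/O4/O22/O23 line formats seen in that log and flags the patterns an analyst looks at first (orphaned entries whose file is missing, services with no publisher, a changed browser start page, autostarts that use a bare executable name or run out of the Windows directory). The sample log embedded in the script is constructed in the same format; it borrows a few benign and orphaned lines from the log above and adds one constructed Run entry for pipmon.exe, which the real log no longer contained by this point in the thread. The start-page and Windows-directory allowlists are assumptions for the example.

```python
"""Triage a HijackThis-style log for entries that deserve a second look.

Added example, not the thread's or HijackThis's own code. Allowlists and the
sample log below are assumptions constructed for the example.
"""
import re
from typing import Dict, List

# Constructed sample log in the posted format (the pipmon.exe Run entry is
# made up for the example; the other lines mirror the posted log).
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.finderg.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Editor plugin - {9F1D47EA-80B7-4f21-A9D3-3738F20596EE} - mountr.dll (file missing)
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [pipmon] C:\WINDOWS\system32\pipmon.exe
O22 - SharedTaskScheduler: COM+ Service - {3C49DDAC-3DA4-4743-AF6C-5974FEAF875C} - (no file)
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe (file missing)
O23 - Service: PREVXAgent - Prevx - C:\Program Files\Prevx2\PXAgent.exe
"""

# "R0 - ..." / "O23 - ..." entry lines; everything else (headers, process list) is skipped.
ENTRY_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.*)$")
# First token of an O4 command: either a quoted path or a bare word.
EXE_RE = re.compile(r'^\s*(?:"([^"]+)"|(\S+))')

ORPHAN_MARKERS = ("(no file)", "(file missing)")
# Assumed allowlist of start pages that need no second look.
KNOWN_START_PAGES = ("about:blank", "http://www.google.com", "http://www.msn.com")
# Assumed allowlist of autostarts that legitimately live under the Windows directory.
KNOWN_WINDIR_AUTOSTARTS = {"ctfmon.exe", "rundll32.exe"}


def parse(log_text: str) -> List[Dict[str, str]]:
    """Return the section code, body and raw text of every entry line."""
    entries = []
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            entries.append({"section": m.group("section"), "body": m.group("body"), "line": raw.strip()})
    return entries


def _exe_from_command(command: str) -> str:
    """Pull the executable (quoted path or bare token) out of a Run command."""
    m = EXE_RE.match(command)
    return (m.group(1) or m.group(2)) if m else ""


def triage(log_text: str) -> List[Dict[str, str]]:
    """Flag entries matching the review heuristics; one finding per reason."""
    findings = []
    for e in parse(log_text):
        sec, body, line = e["section"], e["body"], e["line"]
        reasons = []
        if any(marker in body for marker in ORPHAN_MARKERS):
            reasons.append("orphaned entry: referenced file is missing")
        if sec == "R0" and "Start Page" in body:
            url = body.split("=", 1)[1].strip()
            if not url.startswith(KNOWN_START_PAGES):
                reasons.append("browser start page changed to a non-default URL")
        if sec == "O4":
            command = body.split("]", 1)[1] if "]" in body else body
            exe = _exe_from_command(command)
            name = exe.rsplit("\\", 1)[-1].lower()
            if "\\" not in exe:
                reasons.append("autostart uses a bare executable name (resolved via PATH)")
            elif "\\windows\\" in exe.lower() and name not in KNOWN_WINDIR_AUTOSTARTS:
                reasons.append("autostart runs from the Windows directory; verify the publisher")
        if sec == "O23" and "Unknown owner" in body:
            reasons.append("service with no publisher information")
        for reason in reasons:
            findings.append({"section": sec, "reason": reason, "line": line})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f['section']}] {f['reason']}\n    {f['line']}")
```

Run against the constructed sample, the script flags the changed start page, the three orphaned O2/O22 entries, the bare `nwiz.exe` autostart (a legitimate NVIDIA entry that still needs a glance because it is resolved via PATH), the constructed pipmon.exe Run entry, and the PnkBstrA service twice (unknown owner and missing file), while the Adobe, QuickTime and Prevx lines pass. The heuristics are a first pass, not a verdict: as the thread says, a clean-looking log is still just playing the odds.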
 

mechBgon

Super Moderator
Elite Member
Oct 31, 1999
30,699
1
0
  1. I see from the log that your system needs security updates. Get IE7 installed from this page at Microsoft, and check the system with Secunia's Personal Software Inspector too.
  2. If you have any Office software (Word, Excel, PowerPoint, Outlook, Visio, Publisher, etc) then also run it through Office Update repeatedly until you're done.
  3. How about scanning it with the free trialware of Kaspersky AntiVirus 7, too?
  4. Fully enable Data Execution Prevention like this pic shows, to use your CPU's hardware DEP to the max. To get this panel, right-click My Computer and choose Properties.
 

Inferno0032

Golden Member
Mar 26, 2007
1,111
0
71
Wow, I guess that was easy. Prevx2 has detected those files, and they were just TMP files. So I just cleaned out the Temp folder in Windows and cleared the Recycle Bin, and ta da, problem solved. Gonna restart now to make sure nothing comes back and I'll let you know what's up.
 

dclive

Elite Member
Oct 23, 2003
5,626
2
81
Did you do all Windows updates, including IE7?

I also suggest doing an offline scan (so the virus isn't active when you start the scan). You can do this by attaching the hard drive to another computer and scanning from there, or by using a BartPE CD with a virus scanner you've placed on it.

 

Inferno0032

Golden Member
Mar 26, 2007
1,111
0
71
During the last restart, HijackThis killed the main pipmon.exe. Then I cleaned out the other remnants of pipmon.exe and the temp files it creates. None of the anti-spyware programs I've run bring back anything. My system has all the updates; not sure if IE7 was included, but I use Firefox. Everything seems to be gone, but Prevx 2.0 catches one temp file when it finds its way back to my system and automatically jails it, then I delete it.
 

Inferno0032

Golden Member
Mar 26, 2007
1,111
0
71
Tried Secunia's Personal Software Inspector; the only things it comes up with are Adobe Flash Player, QuickTime, and WinRAR.
 

Inferno0032

Golden Member
Mar 26, 2007
1,111
0
71
I may just back up a couple of other files I want/need and just give my system a fresh XP install. Would you guys not recommend that?
 

Inferno0032

Golden Member
Mar 26, 2007
1,111
0
71
Went back into the ActiveArmor firewall and found 2 components unblocked, and blocked them. I'm going to try again and see if it can be done without Prevx2, since I don't have the full version anyway and it seems to slow everything down a lot.
 

Inferno0032

Golden Member
Mar 26, 2007
1,111
0
71
OK, I seem to be rid of it. If any remnants of it pop up again, I'll let you know, but all seems back to normal.
 

mechBgon

Super Moderator
Elite Member
Oct 31, 1999
30,699
1
0
Did you at any point try an actual antivirus product (Kaspersky for example)? If not, it's certainly recommended. It uninstalls cleanly when the trial period ends.

Tried Secunia's Personal Software Inspector; the only things it comes up with are Adobe Flash Player, QuickTime, and WinRAR.

That's plenty for the bad guys to work with to exploit your system. Get 'em fixed. If it were me, yeah, I'd reinstall Windows and secure it next time, but not everyone is quite that drastic.
 

Inferno0032

Golden Member
Mar 26, 2007
1,111
0
71
Seems a temp file can get back, but everything seems slower, and I think I'll just reformat and put a new copy of XP on it. Doesn't hurt to do that every now and then anyway. Sound okay?
 

Inferno0032

Golden Member
Mar 26, 2007
1,111
0
71
I'm pretty sure it has SP2 on it, and I ran Kaspersky, and it turns up A LOT of system32 files. I think it's a pretty massive infection, so I'll just reformat and reinstall one night when I have time. I have all the stuff that I want backed up, so no data will be lost. Not like I had any important documents or anything.
 