Unknown viruses Detected by Avast?

OK everyone, here’s the situation:
I am currently trying to help my fiancée get her computer back to a working state. I've managed to stop the infections from spreading, I think, but there are so many, and ones that I don't understand, that I am lost as to what to do. I have run Avast in multiple modes, Ewido for quick scans and HiJackThis to figure out what I'm not seeing here. I have posted the HiJackThis log below as a txt attachment for analysis. If there is anything else anyone can suggest, I would greatly appreciate it.

Currently Avast is detecting that she is sending too many duplicate emails at the same time, which I have prevented (I think) from actually being sent out. I can tell they are all virus-generated but have no idea how it's doing it or how they got there. It has also come up with a suspicious file: 7efcd19.sys. It's not sure what this is or what to do with it, and it cannot be deleted. It's located in the WINDOWS\Drivers folder.

Hi J_Marley,

The OS is not fully updated and patched; for instance, you do not have the latest Service Pack installed. You should do that after the machine is cleansed of the rogue antivirus malware.
You should then also consider installing a software firewall; no firewall seems to be active there.

Here are the entries that should be cleansed with HJT:
You should fix the following entries:

O1 - Hosts: 82.98.235.133 browser-security.microsoft.com    Must be fixed!

O1 - Hosts: 82.98.235.133 url.adtrgt.com    Must be fixed!

O1 - Hosts: 82.98.235.133 best-click-scanner.info    Must be fixed!

These unknown URLs should be fixed. Unknown entries within the HOSTS file should be fixed.

O1 - Hosts: 82.98.235.133 antivirus-xp-pro-2009.com    Malware - Must be fixed!

O1 - Hosts: 82.98.235.133 microsoft.infosecuritycenter.com    Must be fixed!

O1 - Hosts: 82.98.235.133 microsoft.softwaresecurityhelp.com    Must be fixed!

O1 - Hosts: 82.98.235.133 onlinenotifyq.net    Must be fixed!

Unknown URLs should be fixed. Unknown entries within the HOSTS file should be fixed.

O1 - Hosts: 82.98.235.133 antivirusxp-pro-2009.com    Must be fixed!

O1 - Hosts: 82.98.235.133 microsoft.browser-security-center.com    Must be fixed!

O4 - HKLM..\Run: [Mkibud] rundll32.exe "C:\WINDOWS\iqatufumul.dll",e    Must be fixed!

O4 - HKLM..\Run: [CPMe34c845d] Rundll32.exe "c:\windows\system32\puvutabo.dll",a    Must be fixed!

O4 - HKLM\..\Run: [e07fb7c1] rundll32.exe "C:\WINDOWS\system32\jetebusu.dll",b    Must be fixed!

O4 - HKLM\..\Run: [Pwecedidakip] rundll32.exe "C:\WINDOWS\Ayagujuqodihodu.dll",e    Must be fixed!

O20 - AppInit_DLLs: C:\WINDOWS\system32\matehabu.dll c:\windows\system32\zaworido.dll c:\windows\system32\puvutabo.dll    Must be fixed!

O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\puvutabo.dll    Must be fixed!

O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\puvutabo.dll    Must be fixed!

Then you should run a full scan with MBAM, download from here:
http://www.malwarebytes.org/mbam-download.php

And see whether your third party software is fully patched and updated with Secunia PSI from here:
http://secunia.com/PSISetup.exe

Do these fixes first and the MBAM full scan, then report back with a new HJT log file (txt) and the MBAM report.
I will later give you an overview of the system tasks running on that machine.

polonus
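The reply above marks three classes of HJT entries for removal: O1 HOSTS lines that point hostnames at 82.98.235.133, O4 Run keys that load a DLL through rundll32.exe, and O20/O21/O22 load points (AppInit_DLLs, ShellServiceObjectDelayLoad, SharedTaskScheduler) that all reference the same DLL. The script below is an added example, not part of the original thread and not code from HijackThis, Avast or MBAM: it applies those same heuristics to HJT-style log lines and then correlates the findings by target, so a DLL wired into several load points (here puvutabo.dll) stands out. The sample lines are constructed for this example from entries quoted in the thread plus two benign XP entries (127.0.0.1 localhost and ctfmon.exe); the flagging rules are assumptions chosen for illustration, not HJT's own logic.

```python
"""Triage helper for HijackThis (HJT) style log lines.

Added example: not part of the original thread and not code from
HijackThis, Avast or MBAM. Flags the same entry classes the reply marks
"Must be fixed" and correlates them by target. Heuristics are assumptions.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
import ipaddress
import re

# Constructed sample (based on entries quoted in the thread, plus two benign
# entries); not the full log that was posted.
SAMPLE_LOG = r"""
O1 - Hosts: 82.98.235.133 browser-security.microsoft.com
O1 - Hosts: 82.98.235.133 antivirus-xp-pro-2009.com
O1 - Hosts: 82.98.235.133 microsoft.infosecuritycenter.com
O1 - Hosts: 127.0.0.1 localhost
O4 - HKLM\..\Run: [Mkibud] rundll32.exe "C:\WINDOWS\iqatufumul.dll",e
O4 - HKLM\..\Run: [CPMe34c845d] Rundll32.exe "c:\windows\system32\puvutabo.dll",a
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O20 - AppInit_DLLs: C:\WINDOWS\system32\matehabu.dll c:\windows\system32\zaworido.dll c:\windows\system32\puvutabo.dll
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\puvutabo.dll
O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\puvutabo.dll
"""


@dataclass
class Finding:
    kind: str     # HJT section: O1, O4, O20, O21 or O22
    target: str   # what the entry points at: an IP for O1, a DLL path otherwise
    detail: str   # human-readable reason
    line: str     # the original log line


_O1 = re.compile(r"^O1 - Hosts: (\S+)\s+(\S+)")
_O4 = re.compile(r"^O4 - (\S+): \[([^\]]*)\] (.*)$")
_O20 = re.compile(r"^O20 - AppInit_DLLs: (.*)$")
_O21_22 = re.compile(r"^(O21|O22) - \S+: \S+ - (\{[0-9A-Fa-f-]+\}) - (.*)$")
# A DLL path, either quoted (may contain spaces) or bare (no spaces).
_DLL = re.compile(r'"([^"]+?\.dll)"|([A-Za-z]:\\[^",\s]+?\.dll)', re.IGNORECASE)


def _dlls_in(text: str) -> list[str]:
    return [(quoted or bare).lower() for quoted, bare in _DLL.findall(text)]


def _is_local(ip_text: str) -> bool:
    """True for addresses a HOSTS line may legitimately map a name to."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False  # not an address at all: treat as suspicious
    return ip.is_loopback or ip.is_unspecified


def check_line(line: str) -> list[Finding]:
    """Return zero or more findings for a single HJT log line."""
    line = line.strip()
    m = _O1.match(line)
    if m:
        ip, host = m.groups()
        if _is_local(ip):
            return []
        return [Finding("O1", ip, f"HOSTS maps {host} to non-local address {ip}", line)]

    m = _O4.match(line)
    if m:
        _hive, name, cmd = m.groups()
        if "rundll32" not in cmd.lower():
            return []  # plain executables are not judged by this heuristic
        dlls = _dlls_in(cmd) or [cmd.lower()]
        return [Finding("O4", d, f"Run entry [{name}] loads a DLL via rundll32.exe", line)
                for d in dlls]

    m = _O20.match(line)
    if m:
        # AppInit_DLLs are loaded into every process that maps user32.dll,
        # so each listed DLL gets its own finding.
        return [Finding("O20", d, "AppInit_DLLs injects this DLL into every GUI process", line)
                for d in _dlls_in(m.group(1))]

    m = _O21_22.match(line)
    if m:
        kind, clsid, path = m.groups()
        dlls = _dlls_in(path) or [path.strip().lower()]
        return [Finding(kind, d, f"{kind} entry {clsid} makes explorer.exe load this DLL at logon", line)
                for d in dlls]
    return []


def triage(log_text: str) -> list[Finding]:
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        if raw.strip():
            findings.extend(check_line(raw))
    return findings


def correlate(findings: list[Finding]) -> dict[str, list[str]]:
    """Group finding kinds by target so DLLs with several load points stand out."""
    by_target: dict[str, list[str]] = defaultdict(list)
    for f in findings:
        by_target[f.target].append(f.kind)
    return {t: sorted(kinds) for t, kinds in by_target.items()}


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for f in found:
        print(f"{f.kind:<4} {f.target:<40} {f.detail}")
    print()
    for target, kinds in correlate(found).items():
        if len(kinds) > 1:
            print(f"{target} is referenced from {len(kinds)} load points: {', '.join(kinds)}")
```

Run it against a saved HJT log by replacing SAMPLE_LOG with the file's contents. The O4 rule deliberately ignores plain executables, since a Run entry that points at a real program is normal on XP; what is unusual is rundll32.exe loading a DLL with a random-looking name from the WINDOWS folder, and the correlation step shows why puvutabo.dll needs all four of its entries removed together rather than one at a time.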

Thanks so much for the advice. I am hopefully going to be able to do this yet tonight. I have very limited internet access where I live, so this might take me a while.

Ok, here is the MBAM log, the HiJackThis log and I am throwing in an Everest report too. Please let me know if there is anything else I need to look into on this.

Hi J_Marley,

Check this against virustotal.com: Background Intelligent Transfer Service (BITS)
A strange executable, named MSMSGS.EXE, was found on several machines on the network of a customer, apparently dropped by the exploitation of a vulnerability inside Word files. As monitoring tools (registry/file/socket) provided insufficient information on the malware’s behaviour, if you have MSMSGS.EXE on that machine upload this to virustotal as well to see if this is a legit version, sometimes BITS can be used to rootkit a machine and own it completely.

…And you haven't installed SP3 on this XP, and apparently there is no active software firewall installed either.
The majority of the spyware and malware on the machine has been cleansed now;
see how it runs now, and give the virustotal results for the files you uploaded there.

polonus

Alright, I will check that out. I’ve run into a bit of a snag though as far as downloading SP3. It seems that the Automatic Updates has been disabled in the services and when I try to change it back to automatic it tells me that access is denied. There is only one account on this computer and it is set as the admin, so unless it’s a virus blocking permissions access I have no idea why it is doing this.

Ok, a new situation has arisen. I can't install SP3. It keeps telling me a quarter of the way through the installation that "Access is Denied". I'm lost. I've only experienced this once before, and it was an OS permissions error that couldn't be fixed because of an infected system root file. At least that's what I remember. Any ideas? I can offer to perform a remote login for anyone willing to take a look at it.