
Having A Problem...


  • This topic is locked
13 replies to this topic

#1 dj_wonderdog

dj_wonderdog

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:02:45 PM

Posted 04 June 2008 - 09:16 AM

Mistake #1 - Downloading a program from a messageboard.

Mistake #2 - Trying to fix the problem myself. (I'm pretty computer illiterate.)

Mistake #3 - Not coming on here first. (even though I never heard of this site until after mistake #2)


I was infected w/ spyware and Virtumonde. Downloaded Spybot S&D and got rid of some. Spybot detected Virtumonde but would not delete it. I ran HiJack this and it found a few bad files, and with input from a friend, was told what files to delete. I could not delete this file b/c when I did, it said it was running with another program and could not be deleted. Downloaded Virtumonde deleter (F-vmonde) from www.f-secure.com and it took care of that problem (or so I thought, I'm not sure). After removing Virtumonde, the file my friend said to delete was not on the HiJack this report anymore, so I thought my problem was fixed.

The problem I am still having is that I cannot visit sites like Bleepingcomputer.com or any other tech sites for help. I cannot download any security apps from online. Google links for help cannot be opened. Notepad shuts down immediately upon opening. I have downloaded and installed Firefox (to use instead of IE) and it will not open, even when run as Admin. Many web pages take forever to open if they open at all.

Oh, and I'm running Vista Home Premium. My computer is an HP only 6 months old.

I am posting this from my computer at work b/c I cannot access this site from home. Another question that might be related (I don't know): My monitor went down recently and I purchased a brand new LG 19" monitor, but have not hooked it up yet. My question, can anything that has infected my computer compromise my new monitor or not? I would hate to hook it up, only to have it become infected as well.

PLEASE PLEASE PLEASE help me.



#2 dj_wonderdog


Posted 04 June 2008 - 01:49 PM

Can anybody help??

#3 ruby1

ruby1

    a forum member


  • Members
  • 2,375 posts
  • OFFLINE
  •  
  • Local time:08:45 PM

Posted 04 June 2008 - 01:53 PM

a first question; you say the comp is only 6 months old; can you check the warranty detail?

is it still under warranty?

may one ask if the friend is trained with HJT logs and how to read them as to remove any one wrong line can be disastrous ; please advise

#4 dj_wonderdog


Posted 04 June 2008 - 01:56 PM

> a first question; you say the comp is only 6 months old; can you check the warranty detail?
>
> is it still under warranty?
>
> may one ask if the friend is trained with HJT logs and how to read them as to remove any one wrong line can be disastrous ; please advise


My friend was the one who told me to download and try HiJack This and asked me to post the log (in a different non-tech messageboard)

I guess I never thought to check the warranty info b/c I downloaded something and assumed that would void any kind of warranty. I will have to look at it.

Any clue to my problems though?

#5 ruby1


Posted 04 June 2008 - 02:32 PM

do BOTH comps have a USB port and a cd reader?

you may need to use a USB pen or cd to transfer program exes and updates to the infected comp

do you have these facilities available?

is the HJT log still running on the other board and if so ,where ,please?

#6 dj_wonderdog


Posted 04 June 2008 - 02:41 PM

This is my HiJack This log from 5-24-08. I know it's no good anymore. Also, I had to open it with wordpad b/c notepad wouldn't open:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:37:56 PM, on 5/24/2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Users\Piper Home\Desktop\HiJackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O4 - HKCU\..\Run: [cmds] rundll32.exe C:\Users\PIPERH~1\AppData\Local\Temp\awtqrrPF.dll, c
O4 - HKCU\..\Run: [BMe7abe592] Rundll32.exe "C:\Users\PIPERH~1\AppData\Local\Temp\lppyxybq.dll ",s
O23 - Service: Intel® Alert Service (AlertService) - Intel® Corporation - C:\Program Files\Intel\IntelDH\CCU\AlertService.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: DQLWinService - Unknown owner - C:\Program Files\Common Files\Intel\IntelDH\NMS\AdpPlugins\DQLWinService.exe
O23 - Service: Firebird Server - MAGIX Instance (FirebirdServerMAGIXInstance) - MAGIX® - C:\MAGIX\Common\Database\bin\fbserver.exe
O23 - Service: HP Health Check Service - Hewlett-Packard - c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - c:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Intel DH Service (IntelDHSvcConf) - Intel® Corporation - C:\Program Files\Intel\IntelDH\Intel Media Server\Tools\IntelDHSvcConf.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel® Software Services Manager (ISSM) - Intel® Corporation - C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\ISSM.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - c:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Intel® Viiv™ Media Server (M1 Server) - Unknown owner - C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\mediaserver.exe
O23 - Service: Intel® Application Tracker (MCLServiceATL) - Intel® Corporation - C:\Program Files\Intel\IntelDH\Intel Media Server\Shells\MCLServiceATL.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: PnkBstrA - Unknown owner - C:\Windows\system32\PnkBstrA.exe
O23 - Service: Intel® Remoting Service (Remote UI Service) - Intel® Corporation - C:\Program Files\Intel\IntelDH\Intel Media Server\Shells\Remote UI Service.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - c:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - c:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 4217 bytes


My friend's reply was this:

> That log doesn't look complete to me, although it is probably the spyware that's causing it to look like that.
>
> Before you do anything, create a folder for HijackThis on your desktop and run it from there in future, rather than running it straight from the desktop.
>
> Download VundoFix from here (left click): -
>
> http://www.atribune.org/ccount/click.php?id=4
>
> Run it and press the "Scan for Vundo" button and let it do its thing. If it finds infected files, hit the "Fix Vundo" button to have it remove them. If VundoFix isn't compatible with Vista or it won't run for some reason, just move on to the next step.
>
> Next, run HijackThis and hit the "Do a system scan only" button. If these two entries appear on the list, check the box to the left of each of them, make sure your web browser is completely closed down, then hit the "Fix checked" button: -
>
> O4 - HKCU\..\Run: [cmds] rundll32.exe C:\Users\PIPERH~1\AppData\Local\Temp\awtqrrPF.dll, c
> O4 - HKCU\..\Run: [BMe7abe592] Rundll32.exe "C:\Users\PIPERH~1\AppData\Local\Temp\lppyxybq.dll ",s
>
> Reboot your computer, then delete these files if they still exist: -
>
> C:\Users\PIPERH~1\AppData\Local\Temp\awtqrrPF.dll
> C:\Users\PIPERH~1\AppData\Local\Temp\lppyxybq.dll
>
> Those are the only two infected files in your log, but there could be more. See how your computer runs after doing that, and if you're still having problems, come back and post a new HijackThis log.


I also could not get Vundofix to run.
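
The pattern behind the two O4 entries singled out in the reply above, as an added example that is not part of the original thread and is not HijackThis's own code: a small triage script that parses registry-based O4 lines and flags autoruns where rundll32 loads a DLL from a user-writable directory. The regexes, the directory heuristic and the two "Example" log lines are assumptions made for this sketch.

```python
import re

# Registry autorun lines as HijackThis prints them: O4 - HKCU\..\Run: [name] command
O4_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\(\w+): \[([^\]]*)\] (.+)$")
# rundll32 followed by a drive-letter path ending in .dll (quotes optional)
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?"?\s+"?([a-z]:\\.+?\.dll)', re.I)
# Directories an unprivileged process can write to (heuristic chosen for this example)
WRITABLE_RE = re.compile(r"\\(?:temp|tmp|appdata|local settings)\\", re.I)

# The first two O4 lines and the O23 line are copied from the log in the post above;
# the two "Example..." lines are constructed here as benign contrast cases.
SAMPLE_LOG = r"""
O4 - HKCU\..\Run: [cmds] rundll32.exe C:\Users\PIPERH~1\AppData\Local\Temp\awtqrrPF.dll, c
O4 - HKCU\..\Run: [BMe7abe592] Rundll32.exe "C:\Users\PIPERH~1\AppData\Local\Temp\lppyxybq.dll ",s
O4 - HKLM\..\Run: [ExampleUpdater] "C:\Program Files\Example\updater.exe" /background
O4 - HKCU\..\Run: [ExampleTray] rundll32.exe C:\Windows\System32\example.dll,Start
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
"""


def parse_o4(line):
    """Split a registry-based O4 line into hive, key, value name and command.

    Returns None for any other line (O23 services, startup-folder O4 entries, etc.).
    """
    m = O4_RE.match(line.strip())
    if not m:
        return None
    hive, key, name, command = m.groups()
    return {"hive": hive, "key": key, "name": name, "command": command}


def flag_autoruns(log_text):
    """Return O4 entries where rundll32 loads a DLL from a user-writable path."""
    findings = []
    for line in log_text.splitlines():
        entry = parse_o4(line)
        if entry is None:
            continue
        m = RUNDLL_RE.search(entry["command"])
        if not m:
            continue  # autorun does not go through rundll32
        # Forum software sometimes wraps long paths and leaves a space before
        # the extension ("name .dll"); normalise that before reporting.
        dll = re.sub(r"\s+(?=\.dll$)", "", m.group(1), flags=re.I)
        if WRITABLE_RE.search(dll):
            entry["dll"] = dll
            findings.append(entry)
    return findings


if __name__ == "__main__":
    for f in flag_autoruns(SAMPLE_LOG):
        print(f"{f['hive']}\\{f['key']} [{f['name']}] -> {f['dll']}")
```

A hit is a lead for a trained log reader to confirm, not a verdict; the heuristic only looks at where the DLL lives and how it is launched.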

#7 dj_wonderdog


Posted 04 June 2008 - 02:44 PM

> do BOTH comps have a USB port and a cd reader?
>
> you may need to use a USB pen or cd to transfer program exes and updates to the infected comp
>
> do you have these facilities available?
>
> is the HJT log still running on the other board and if so ,where ,please?


Yes, I have those facilities available. Unfortunately, I will be leaving work in about 20-30 minutes.

Also, I hate to sound really stupid, but in my first post I asked if this stuff will infect my new monitor if I hook it up, and in order to run a new hijack this scan or anything else, I need to know this info. Thanks

Edited by dj_wonderdog, 04 June 2008 - 02:47 PM.


#8 ruby1


Posted 04 June 2008 - 03:00 PM

> See how your computer runs after doing that, and if you're still having problems, come back and post a new HijackThis log.


can you please give a LINK to the site where the log is posted ; we do NOT wish to give confusion between forums

you may wish to go back TO that site to continue the clean up there?

Edited by ruby1, 04 June 2008 - 03:04 PM.


#9 dj_wonderdog


Posted 04 June 2008 - 03:16 PM

The forum where it was posted was not a "tech" site. http://djforums.com/forums/showthread.php?t=146365 <- is the link. I don't know if you will be able to see the page without signing up for the forum. I am downloading the links on a flashdrive now and will try them when I get home. Thanks for your help.

#10 dj_wonderdog


Posted 04 June 2008 - 03:18 PM

Wait, what happened to your post with the instructions?? I never got to download those applications!!

#11 dj_wonderdog


Posted 04 June 2008 - 03:19 PM

> See how your computer runs after doing that, and if you're still having problems, come back and post a new HijackThis log.
>
> can you please give a LINK to the site where the log is posted ; we do NOT wish to give confusion between forums
>
> you may wish to go back TO that site to continue the clean up there?


I do NOT want to go back to the other site to get help b/c they were only helping a little and they were not that interested in helping completely. This site looks like it will actually help.

#12 ruby1


Posted 04 June 2008 - 03:29 PM

sorry

had to go off line for a mo

please try these two programs if the comps will let you


Superantispyware; guide on how to install and run



If you have not already got a Downloads folder , I suggest you create a new folder in My Documents, and name it Downloads ;

Installing superantispyware

Superantispyware is found here


http://www.superantispyware.com/index.html

Download to the Downloads folder the free exe to superantispyware from here


http://www.superantispyware.com/downloadfi...ANTISPYWAREFREE

you install superantispyware by clicking on the icon in the downloads folder ;
it will launch the installation process;
follow the instructions and I suggest you ask for a default installation ;
ensure it creates a desktop icon for you ;
once the program has been installed it should ask you if you wish to update the program ; say YES

if it does not ask you , you need TO fully update the definitions by opening the program and find the ‘check for updates ‘tab in the bottom left of the menus you see; click on it and it will do the update for you ;
I suggest you ask it to check for updates again once the first update is complete just to be sure


please then reboot your computer ; it is preferable to run the scan in your computer's safe mode;

please open this program from the desktop icon
please run the scan while you are OFF line and do not have the computer doing any other work while the scan runs

go to the preferences tab on the right
on the General tab I suggest you disable the scan on start up

on the Hijack protection tab I suggest you tick BOTH items; this enables the program to give you a Hijack home page alert if your home page gets changed ; if you DO get a home page hijack, when you boot up the computer superantispyware will open and tell you the home page has changed and will ask you if this is a legitimate change;

in statistics/logs- go to the bottom and you will see two boxes asking about keeping a log of scanning results and saving empty logs?

Tick both of them

Then go back to the main screen and see the tab that says scan your computer? Do you see that ?

Click on it

A screen will open ;on the left hand side ensure your FIXED drive ( most probably the C drive) is ticked;
Also tick in there any other section that is used and attached .
On the right hand side you see three scanning options?; please click the Complete scan option

OK; you are now set to scan

Please then click on the ‘next’ tab and let the scan run; please run the scan while you are OFF line and do not have the computer doing any other work while the scan runs

From my experience running this program the complete full scan CAN take many hours to run depending on how much is on your computer so be patient and let it run; maybe go for a cuppa or watch a favourite program while this one runs

Once the scan IS complete you will be presented with a box telling you what the scan has found ( if anything); if harmful objects have been found click on the OK button ; on the next screen all the harmful objects should have a check mark beside them, ; click ‘next’


A notification should appear that

‘quarantine and removal is complete’

click ‘ok’
and then the Finish button to get returned to the main menu


If you have run the scan in the computer's safe mode you will need to reboot to the computer's normal mode

If you have run in computer’s normal mode I suggest you reboot to enable the ‘fix’ the program has performed to consolidate

You then need to retrieve the scan result

Open the program and return to the statistics /logs section ; locate the most recent log ; left mouse click on it to highlight it and click the ‘view log’ tab

The log should appear in maybe note pad ; you need to copy and paste that log for examination
Once you have posted the log please close the superantispyware program
....................................

Malwarebytes
you need to be ON line to start this process and please run the scan in computer’s NORMAL mode

http://www.besttechie.net/tools/mbam-setup.exe


alternate download link 1

http://malwarebytes.gt500.org/mbam-setup.exe


alternate download link 2

http://www.majorgeeks.com/Malwarebytes_Ant...ware_d5756.html




suggest; download the exe to your downloads folder so you know where to find it;

create from that folder a shortcut to your desktop

.
Double-click on the to install the application.
The installation is relatively straight forward; just follow the prompts and do not make any changes to default settings.

When installation has finished, make sure you leave both of these checked:
Update Malwarebytes' Anti-Malware
Launch Malwarebytes' Anti-Malware
Then click Finish.
The Program will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, you may manually download them from
here
http://www.malwarebytes.org/mbam/database/mbam-rules.exe

On the main interface you will see different tabs at the top of the program?

Select each to see what they ask of you and what they each represent;
When you are ready to scan you will be asked to select the drives you wish to scan? The program should recognise ALL your drives ; if it does not I suggest you select all drives

You will be asked to select either a quick scan or a full computer scan my recommendation is to do a full scan so your search does not miss anything

Click the start button and let the scan run; it will show you how it is progressing, what section it is on and the elapsed time; I ran a full trial scan on my relatively empty XP for a ‘sampling ‘ ;your scan may take about an hour or so to run;


When the scan is complete a message box will say "The scan completed successfully. Click on 'Show Results' to display all objects found".
Click OK to close the message box and continue with the removal process.
On the Main Scanner screen, click on the Show Results button to see a list of any malware that was found.
Ensure everything is checked,

click Remove Selected.
When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
The log should be saved automatically and can be viewed by clicking the Logs tab in MBAM.
Copy and paste the contents of that report in your next reply and exit MBAM.


Note: please be aware ;

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.


if you can post the two reports , one from each of the programs , for examination we can try that

#13 dj_wonderdog


Posted 05 June 2008 - 07:27 AM

I didn't see this before I left work yesterday, so I will download these two tonight and get back to you with the results, although that might not be until tomorrow when I get to work again.

Last night I noticed a problem with Internet Explorer. I couldn't log onto my email (hotmail.com), but when I ran IE as administrator that page loaded without a problem (although I still cannot load bleepingcomputer.com, mcafee.com or any other tech sites).

#14 Orange Blossom

Orange Blossom

    OBleepin Investigator


  • Moderator
  • 37,110 posts
  • ONLINE
  •  
  • Gender:Not Telling
  • Location:Bloomington, IN
  • Local time:02:45 PM

Posted 05 June 2008 - 05:17 PM

Hello dj_wonderdog and welcome to BC :thumbsup:

> I do NOT want to go back to the other site to get help b/c they were only helping a little and they were not that interested in helping completely. This site looks like it will actually help.


Please go to that site and inform them that you are receiving help elsewhere and want your thread there closed.

I see that you have a HiJack This log posted here: http://www.bleepingcomputer.com/forums/t/150679/hijack-this-log/ I am going to edit that post to include the link to this topic as the information may be important for your HJT helper to know. Because you have this log posted, you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc) unless advised by a HJT Team member, nor should you continue to ask for help elsewhere. Doing so can result in system changes which may not show in the log you already posted. Further, any modifications you make on your own may cause confusion for the helper assisting you and could complicate the malware removal process which would extend the time it takes to clean your computer.

From this point on the HJT Team should be the only members that you take advice from, until they have verified your log as clean.

Please be patient. It may take a while to get a response because the HJT Team members are EXTREMELY busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT make another reply until it has been responded to by a member of the HJT Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work may assume another HJT Team member is already assisting you and not open the thread to respond.

If after 5 days you still have received no response, then post a link to your HJT log in the thread titled "Haven't Had A Reply In Five Days?".

To avoid confusion, I am closing this topic. Good luck with your log.

Orange Blossom :flowers:
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Internet Security, NoScript Firefox ext.

