
Virus/trojan Start Menu Items Diabled Etc


8 replies to this topic

#1 Montarge (Members, 6 posts)

Posted 05 June 2008 - 11:26 PM

Hello, first-time poster here, ready to spill my problems for the wiser to hopefully correct. So I downloaded a 14-day free trial of Dark Age of Camelot and noticed when it was done it didn't have the game icon on it, so I scanned it using my current antivirus program, CA Antivirus. It found nothing, so I clicked on it. Instantly my firewall was disabled and I started getting pop-ups. Ran a virus scan and it said nothing was there, so I uninstalled the program in my rage and installed Kaspersky. On restarting I could no longer bring up Task Manager or the display panel, and Start menu items were gone, such as My Documents, Control Panel, Run, and Log Off. My background was changed to something saying I have spyware, and the screensaver was set to one minute and would have bugs crawling all over the screen.

Things I have learned since then: how to get Run back and run gpedit.msc to re-enable just about everything said above. Some trojans have been deleted, but I still have problems. Most of the gpedit fixes I do have to be redone when I restart. Also had "Virus Alert" next to the time, which I also found out how to fix.

Now I read a few things here, including something saying to download Malwarebytes' Anti-Malware, which I did. I am running in Safe Mode with Networking, installed the program and am now running it. It ran for about 2 minutes, said it found 43 objects, but then says "run-time error 9: subscript out of range". I clicked OK and clicked Scan again, but got the same error. So my question is, do I need to enable some script function somewhere that got disabled, or something?

Thanks much for your time and hope to hear from you soon.

Edit: noticed from other posts to add what OS I am using. Windows XP SP2.

Edited by Montarge, 05 June 2008 - 11:52 PM.



#2 Montarge (Topic Starter)

Posted 05 June 2008 - 11:33 PM

OK, so I noticed the MBAM error was when it was scanning extra and heuristics objects. I unselected that and it would complete the scan, but instead of the 43 it only found 9.

here is the log
Malwarebytes' Anti-Malware 1.15
Database version: 833

9:29:56 PM 2008-06-05
mbam-log-6-5-2008 (21-29-56).txt

Scan type: Quick Scan
Objects scanned: 25225
Time elapsed: 1 minute(s), 21 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 6
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{e9383002-fc55-4330-b9c9-67e03bc5c840} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{529f1e0d-e241-4642-a560-00bda0df44e6} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{f25c07d1-1c0e-416f-8147-20af5007a3f5} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{85c8bc13-7522-472a-aeb1-0c40d41b117e} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{e53a126b-cf56-4b0f-9d3b-aff0777fe7b5} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{fece7a73-fbbd-43d2-9c9d-30a749dd6a3f} (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\esbq.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Ben\Local Settings\Temp\.tt29.tmp (Rogue.Installer) -> Quarantined and deleted successfully.
C:\Documents and Settings\Ben\Local Settings\Temp\.tt6.tmp (Rogue.Installer) -> Quarantined and deleted successfully.

Also, I just ran ATF-Cleaner, if that helps at all. I have no idea, but I did it.

Edited by Montarge, 05 June 2008 - 11:54 PM.


#3 superbird (Guest)

Posted 06 June 2008 - 12:23 AM

Hi,

Welcome to Bleeping Computer!

My background was changed to something saying I have spyware

Can you post a screenshot, please?

Perform the next steps too:

1. Download ATF Cleaner (by Atribune).

Double-click ATF Cleaner to start the program.
At the tab "Main", place a mark at Select All.
Click the button Empty Selected.

If you use Firefox:
Click the tab "Firefox", place a mark at Select All.
If you want to keep the stored passwords in Firefox, please choose "No" at the window that opens.
(This deletes the mark at "Firefox saved passwords".)
Click the button Empty Selected.

If you use Opera:
Click the tab "Opera", place a mark at Select All.
If you want to keep the stored passwords in Opera, please choose "No" at the window that opens.
Click the button Empty Selected.

Go to the tab "Main" and click the button Exit to close the program.

2. Download the next programs, but do nothing more than that:

3. Install the programs that are advised in step 2, and update them.

4. Restart your computer in Safe Mode. See here for a tutorial on how to do this.

5. Scan with the next programs:
  • Your anti-virus scanner
  • Spybot S&D
  • Ad-Aware
  • Windows Defender
    Post the results in your next answer.
    Note: Delete everything the programs find.
6. Restart your computer again, but now in Normal Mode.

7. Go to Kaspersky Online Scanner.
Click the button Accept.
This scanner is only compatible with Internet Explorer 6 and higher!
It could be that you must click a yellow bar to activate the ActiveX components that Kaspersky needs to run and download. Accept this.
  • The program will now start downloading the latest definition files. After this you need to click Next.
  • Then click Scan Settings.
    Beneath the text Scan using the following antivirus database: you need to choose the second option: extended - protect your .....
    Beneath the text Scan options: you need to check the following boxes: Scan Archives .... and Scan Mail Bases ....
  • Then click OK.
  • Now start the scan by clicking the text My Computer.
    Note that this scan may take a while.
  • When the scan is finished, you'll get the option to save the scan report.
    Click the button Save Report As. Save the report on your Desktop with the name kavscan.txt.
Post this report in your next reply.

8. Now post the logs/results in your next answer. Tell me which problems you still have. I need the following reports:
  • The results of your anti-virus program
  • Spybot S&D
  • Ad-Aware
  • Windows Defender
  • Kaspersky Online Scan
Good luck.

Edited by superbird, 06 June 2008 - 12:25 AM.


#4 Montarge (Topic Starter)

Posted 06 June 2008 - 12:41 AM

Ran SDFix and here is that report.


SDFix: Version 1.188
Run by Ben on 2008-06-05 at 10:25 PM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :

Name :
msupdate
msupdate

Path :
c:\windows\system32\mssrv32.exe

msupdate - Deleted
msupdate - Deleted



Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting


Checking Files :

Trojan Files Found:

C:\Documents and Settings\Ben\Favorites\Error Cleaner.url - Deleted
C:\Documents and Settings\Testy\Desktop\Error Cleaner.url - Deleted
C:\Documents and Settings\Testy\Favorites\Error Cleaner.url - Deleted
C:\Documents and Settings\Ben\Favorites\Privacy Protector.url - Deleted
C:\Documents and Settings\Testy\Desktop\Privacy Protector.url - Deleted
C:\Documents and Settings\Testy\Favorites\Privacy Protector.url - Deleted
C:\Documents and Settings\Ben\Favorites\Spyware&Malware Protection.url - Deleted
C:\Documents and Settings\Testy\Desktop\Spyware&Malware Protection.url - Deleted
C:\Documents and Settings\Testy\Favorites\Spyware&Malware Protection.url - Deleted
C:\WINDOWS\boqnrwdmdev.dll - Deleted
C:\Program Files\Common Files\svchost.exe - Deleted
C:\WINDOWS\atfxqogp.dll - Deleted
C:\WINDOWS\system32\mssrv32.exe - Deleted
C:\WINDOWS\system32\WinCtrl32.dll - Deleted
C:\WINDOWS\system32\WinCtrl32.dl_ - Deleted
C:\WINDOWS\vregfwlx.dll - Deleted
C:\WINDOWS\xmpstean.exe - Deleted
C:\SDFix\backups_old\Error Cleaner.url - Deleted
C:\SDFix\backups_old\Privacy Protector.url - Deleted
C:\SDFix\backups_old\Spyware&Malware Protection.url - Deleted
C:\WINDOWS\system32\mssrv32.exe - Deleted





Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-05 22:32:42
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg]
"s1"=dword:2df9c43f
"s2"=dword:110480d0
"h0"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04]
"h0"=dword:00000000
"ujdew"=hex:cf,f1,35,a8,dd,f8,af,03,57,e3,ea,09,03,ea,29,7f,0a,f6,73,34,76,..
"p0"="C:\Program Files\Alcohol Soft\Alcohol 120\"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04]
"h0"=dword:00000000
"ujdew"=hex:cf,f1,35,a8,dd,f8,af,03,57,e3,ea,09,03,ea,29,7f,0a,f6,73,34,76,..
"p0"="C:\Program Files\Alcohol Soft\Alcohol 120\"

scanning hidden registry entries ...

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""
"DeviceNotSelectedTimeout"="15"
"GDIProcessHandleQuota"=dword:00002710
"Spooler"="yes"
"swapdisk"=""
"TransmissionRetryTimeout"="90"
"USERProcessHandleQuota"=dword:00002710

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"="C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE:*:Enabled:Microsoft Office Outlook"
"C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"="C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE:*:Enabled:Microsoft Office Groove"
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"="C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE:*:Enabled:Microsoft Office OneNote"
"C:\\Program Files\\BitTorrent_DNA\\dna.exe"="C:\\Program Files\\BitTorrent_DNA\\dna.exe:*:Enabled:BitTorrent DNA"
"C:\\Program Files\\BitTorrent\\bittorrent.exe"="C:\\Program Files\\BitTorrent\\bittorrent.exe:*:Enabled:BitTorrent"
"C:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"="C:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe:*:Enabled:Logitech Desktop Messenger"
"C:\\AeriaGames\\Shaiya\\Updater.exe"="C:\\AeriaGames\\Shaiya\\Updater.exe:*:Enabled:Shaiya Updater"
"C:\\Program Files\\Pinnacle\\Studio 11\\programs\\RM.exe"="C:\\Program Files\\Pinnacle\\Studio 11\\programs\\RM.exe:*:Enabled:Render Manager"
"C:\\Program Files\\Pinnacle\\Studio 11\\programs\\Studio.exe"="C:\\Program Files\\Pinnacle\\Studio 11\\programs\\Studio.exe:*:Enabled:Studio"
"C:\\Program Files\\Pinnacle\\Studio 11\\programs\\PMSRegisterFile.exe"="C:\\Program Files\\Pinnacle\\Studio 11\\programs\\PMSRegisterFile.exe:*:Enabled:PMSRegisterFile"
"C:\\Program Files\\Pinnacle\\Studio 11\\programs\\umi.exe"="C:\\Program Files\\Pinnacle\\Studio 11\\programs\\umi.exe:*:Enabled:umi"
"C:\\Program Files\\Sony\\Station\\LaunchPad\\LaunchPad.exe"="C:\\Program Files\\Sony\\Station\\LaunchPad\\LaunchPad.exe:*:Enabled:LaunchPad"
"C:\\Age of Mythology\\aomx.exe"="C:\\Age of Mythology\\aomx.exe:*:Enabled:Age of Mythology - The Titans Expansion"
"C:\\Sins of a Solar Empire\\Sins of a Solar Empire.exe"="C:\\Sins of a Solar Empire\\Sins of a Solar Empire.exe:*:Enabled:Sins of a Solar Empire"
"C:\\WINDOWS\\system32\\PnkBstrA.exe"="C:\\WINDOWS\\system32\\PnkBstrA.exe:*:Enabled:PnkBstrA"
"C:\\WINDOWS\\system32\\PnkBstrB.exe"="C:\\WINDOWS\\system32\\PnkBstrB.exe:*:Enabled:PnkBstrB"
"C:\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"="C:\\Call of Duty 4 - Modern Warfare\\iw3mp.exe:*:Enabled:Call of Duty® 4 - Modern Warfare™ "
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"
"C:\\Documents and Settings\\All Users\\Application Data\\Kaspersky Lab Setup Files\\Kaspersky Internet Security 7.0.1.325\\English\\setup.exe"="C:\\Documents and Settings\\All Users\\Application Data\\Kaspersky Lab Setup Files\\Kaspersky Internet Security 7.0.1.325\\English\\setup.exe:*:Enabled:Kaspersky Internet Security 7.0 Setup"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"="C:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe:*:Enabled:Logitech Desktop Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"

Remaining Files :


File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Sun 21 Oct 2007 13 ...H. --- "C:\Documents and Settings\All Users\Application Data\YUAŽ3113>.sys"
Sat 20 Aug 2005 121,237 A..HR --- "C:\Program Files\THQ\Dawn of War\Disk1Check.EXE"
Sat 13 Oct 2007 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"
Thu 8 May 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\fd0264849c01086f3c6b505dc02dbd44\BIT1.tmp"
Tue 25 Nov 2003 4,348 A..H. --- "C:\Documents and Settings\Ben\My Documents\My Music\License Backup\drmv1key.bak"
Wed 17 Dec 2003 20 A..H. --- "C:\Documents and Settings\Ben\My Documents\My Music\License Backup\drmv1lic.bak"
Tue 25 Nov 2003 400 A..H. --- "C:\Documents and Settings\Ben\My Documents\My Music\License Backup\drmv2key.bak"
Wed 17 Dec 2003 7,680 A..H. --- "C:\Documents and Settings\Ben\My Documents\My Music\License Backup\drmv2lic.bak"
Mon 31 Dec 2007 8 A..H. --- "C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch1\lock.tmp"
Mon 31 Dec 2007 8 A..H. --- "C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch2\lock.tmp"

Finished!
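The AuthorizedApplications export in the SDFix log above is worth reading, not just posting: it is the list of programs allowed through the XP firewall, and a FakeAlert-style installer that drops its own payload (such as the svchost.exe SDFix deleted from C:\Program Files\Common Files) appears there as just another entry. The following Python script is an added example, not part of SDFix or of this thread. It parses value lines in that .reg format (path, scope, Enabled/Disabled, display name) and flags two things a responder would want to look at: a core Windows process name living outside the Windows directory, and exceptions for binaries in user-writable profile or temp folders. Three sample lines are copied from the export above; the final svchost.exe line is constructed to model the file SDFix deleted (it was not in the posted list). The WINDIR value, the set of process names and the folder markers are the example's own assumptions.

```python
"""Audit an XP firewall AuthorizedApplications export (.reg syntax).

Added example, not SDFix's own code.  Each value line looks like
  "<path>"="<path>:<scope>:<Enabled|Disabled>:<display name>"
where <scope> is "*" (any address) or a comma-separated subnet list.
"""
import ntpath
import re

WINDIR = "C:\\WINDOWS"  # assumption: default XP system root

# Core Windows process names; a copy living outside %windir% is suspect.
SYSTEM_PROCESS_NAMES = {
    "svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe",
    "services.exe", "smss.exe", "spoolsv.exe", "explorer.exe",
}

# Profile / temp folders that any process running as the user can write to.
USER_WRITABLE_MARKERS = (
    "\\local settings\\temp\\",
    "\\application data\\",
    "\\temp\\",
)

# Constructed sample: three lines copied from the export above; the final
# svchost.exe line is made up to model the file SDFix deleted.
SAMPLE_EXPORT = r'''
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"="C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE:*:Enabled:Microsoft Office Outlook"
"C:\\Documents and Settings\\All Users\\Application Data\\Kaspersky Lab Setup Files\\Kaspersky Internet Security 7.0.1.325\\English\\setup.exe"="C:\\Documents and Settings\\All Users\\Application Data\\Kaspersky Lab Setup Files\\Kaspersky Internet Security 7.0.1.325\\English\\setup.exe:*:Enabled:Kaspersky Internet Security 7.0 Setup"
"C:\\Program Files\\Common Files\\svchost.exe"="C:\\Program Files\\Common Files\\svchost.exe:*:Enabled:Generic Host Process"
'''

# "name"="data", with .reg escaping (backslash-backslash, backslash-quote) inside the quotes
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


def _unescape(s: str) -> str:
    """Undo .reg string escaping: a backslash followed by any character yields that character."""
    return re.sub(r"\\(.)", r"\1", s)


def parse_exceptions(export_text: str) -> list[dict]:
    """Return one dict per value line: path, scope, mode (lower-cased), name."""
    entries = []
    for raw in export_text.splitlines():
        m = VALUE_RE.match(raw.strip())
        if not m:
            continue  # section header, blank line, or something else
        path, data = _unescape(m.group(1)), _unescape(m.group(2))
        prefix = path + ":"
        if not data.startswith(prefix):
            continue  # not in path:scope:mode:name shape; do not guess
        parts = data[len(prefix):].split(":", 2)
        if len(parts) != 3:
            continue
        scope, mode, name = parts
        entries.append({"path": path, "scope": scope,
                        "mode": mode.lower(), "name": name})
    return entries


def audit_exceptions(entries: list[dict]) -> list[tuple[str, str]]:
    """Flag enabled exceptions a responder should look at, with a reason."""
    findings = []
    windir = WINDIR.lower()
    for e in entries:
        if e["mode"] != "enabled":
            continue
        low = e["path"].replace("%windir%", WINDIR).lower()
        base = ntpath.basename(low)
        if base in SYSTEM_PROCESS_NAMES and not low.startswith(windir + "\\"):
            findings.append((e["path"], f"{base} is a Windows process name but lives outside {WINDIR}"))
        elif any(marker in low for marker in USER_WRITABLE_MARKERS):
            findings.append((e["path"], "binary sits in a user-writable profile/temp folder"))
    return findings


if __name__ == "__main__":
    for path, reason in audit_exceptions(parse_exceptions(SAMPLE_EXPORT)):
        print(f"{path}\n    {reason}")
```

On the sample input the script flags the constructed Common Files\svchost.exe entry and the Kaspersky setup.exe under All Users\Application Data; the second one is benign here, but a firewall exception for an installer in a world-writable folder is a stale hole worth removing once the product is installed. Entries such as sessmgr.exe and OUTLOOK.EXE pass untouched.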

#5 Montarge (Topic Starter)

Posted 06 June 2008 - 12:44 AM

Also, now that I am in Normal Mode in Windows, I ran MBAM again with the option mentioned above turned on; it ran fine and found 2 more things. Here is that report.

Malwarebytes' Anti-Malware 1.15
Database version: 833

10:42:36 PM 2008-06-05
mbam-log-6-5-2008 (22-42-36).txt

Scan type: Quick Scan
Objects scanned: 41791
Time elapsed: 3 minute(s), 15 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowHelp (Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDrives (Hijack.Drives) -> Bad: (12) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
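The two "Registry Data Items" in this log are the Explorer policy values behind the symptoms described in the first post, and the numbers in Bad: (…) are worth decoding rather than just deleting. NoDrives is a bitmask with one bit per drive letter (bit 0 = A:, bit 1 = B:, bit 2 = C:, …), so Bad: (12) means C: and D: were hidden from Explorer; Start_ShowHelp = 0 removes Help from the Start menu. The following Python script is an added example, not Malwarebytes code and not part of this thread. It parses detection lines in the log format shown above (the two sample lines are copied from this post) and expands the drive bitmask into letters. The regex, the function names and the BITMASK_VALUES set are the example's own assumptions.

```python
"""Decode Explorer policy hits from a Malwarebytes log.

Added example, not Malwarebytes code.  Parses "Registry Data Items" lines
of the form
  HKEY_...\\Policies\\Explorer\\NoDrives (Hijack.Drives) -> Bad: (12) Good: (0) -> ...
and expands drive-letter bitmasks (bit 0 = A:, bit 1 = B:, ... bit 25 = Z:).
"""
import re

# Two lines copied from the MBAM 1.15 log above (constructed sample input).
SAMPLE_LOG = (
    "Registry Data Items Infected:\n"
    "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\Start_ShowHelp"
    " (Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.\n"
    "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoDrives"
    " (Hijack.Drives) -> Bad: (12) Good: (0) -> Quarantined and deleted successfully.\n"
)

# key = everything up to the last backslash, value = the value name after it
ITEM_RE = re.compile(
    r"^(?P<key>HKEY_\S+)\\(?P<value>[^\\\s]+) \((?P<family>[^)]+)\)"
    r" -> Bad: \((?P<bad>-?\d+)\) Good: \((?P<good>-?\d+)\)"
)

# Explorer policy values whose data is a drive-letter bitmask
# (assumption: these two are the ones using that layout).
BITMASK_VALUES = {"NoDrives", "NoViewOnDrive"}


def drives_from_mask(mask: int) -> list[str]:
    """Expand an Explorer drive bitmask into drive letters A: .. Z:."""
    return [f"{chr(ord('A') + bit)}:" for bit in range(26) if (mask >> bit) & 1]


def parse_registry_data_items(log_text: str) -> list[dict]:
    """Return one dict per detection line, with bad/good as ints and,
    for bitmask policies, the list of drives the bad value hides."""
    items = []
    for line in log_text.splitlines():
        m = ITEM_RE.match(line.strip())
        if not m:
            continue  # section header or an unrelated line
        item = m.groupdict()
        item["bad"] = int(item["bad"])
        item["good"] = int(item["good"])
        if item["value"] in BITMASK_VALUES:
            item["hidden_drives"] = drives_from_mask(item["bad"])
        items.append(item)
    return items


if __name__ == "__main__":
    for it in parse_registry_data_items(SAMPLE_LOG):
        extra = f"  hides {', '.join(it['hidden_drives'])}" if "hidden_drives" in it else ""
        print(f"{it['value']:<16} {it['family']:<18} bad={it['bad']} good={it['good']}{extra}")
```

Two points the decoded output makes clearer than the raw log. Both values live under HKEY_CURRENT_USER, so they apply to the profile the scan ran in; the SDFix log shows a second profile (Testy) on this machine, which would need its own scan. And the Policies\Explorer key is the same place gpedit.msc writes its User Configuration settings, which is consistent with the earlier observation that manual gpedit fixes were undone on each restart while a FakeAlert component was still running and re-applying them.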

#6 superbird (Guest)

Posted 06 June 2008 - 08:52 AM

I didn't ask you to use SDFix. Please perform the steps I said.

#7 Montarge (Topic Starter)

Posted 06 June 2008 - 08:32 PM

Well, SDFix and MBAM fixed most of my problems. That killed the virus or trojan. I just have 2 problems remaining that I am not sure how to fix. One being I cannot enable my Quick Launch bar, and two, I cannot install anything because it says there is another installer running.

So if you have any ideas on those, sweet! If not, thanks a ton, because this site recommending SDFix and MBAM saved my computer. = )

Edit: searched all night for both of these and found nothing, yet I just searched now and found this link to fix my Quick Launch problem.
http://www.raymond.cc/blog/archives/2007/0...-area-problems/

Edited by Montarge, 06 June 2008 - 08:37 PM.


#8 superbird (Guest)

Posted 07 June 2008 - 02:17 PM

Good news. Do you still have any problems?

#9 boopme (Global Moderator, 72,240 posts, NJ USA)

Posted 07 June 2008 - 08:32 PM

You are fortunate to have achieved an improved situation on your PC by haphazardly running what you want and when. In many instances you could have rendered your PC useless. You were being assisted by a very helpful and capable individual. Yet for some reason you proceeded on your own as if what they were recommending is of little value and consequence.

So are you asking a question for assistance, or just going to keep telling this person what you've done? They could be working with another who may care for the replies and advice given. Sorry to be so terse, but please give the folks a chance.



