
Trojan Killed My Computer


  • This topic is locked
14 replies to this topic

#1 Uzumaki1994

Uzumaki1994

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:01:05 PM

Posted 01 July 2008 - 09:07 PM

Hello, I'm only 14 years old and I need some expert help.
Two nights ago my computer was attacked by what Kaspersky calls Trojan.Win32.Monder.Gen.
I have removed it from my system and all the other malware it spread throughout my computer.
After it was removed, I attempted to access the internet, but Internet Explorer and Firefox both say the page cannot be displayed.
I have checked my network connections; I am connected but sending very small packets of data, and not receiving any.
I rang my service provider and they told me it was a malware issue.
I am also now getting on start up an error message saying "error loading C:\WINDOWS\system32\nylkxnke.dll The specified module could not be found."
My Spybot has also been saying something about a Kernel Fault Check, and every time I click OK the computer shows a blue screen for a split second and then restarts.
Could anyone please help me?
Is Kaspersky blocking the internet? (installed three days ago)
Or is there still a trojan in my system?
If I am in the wrong thread please direct me in the right way, I'm new to this.
Any help would be appreciated,
Thanks :thumbsup:



[edit] Oh, would a HijackThis log help you understand my problem?

Edited by Uzumaki1994, 01 July 2008 - 09:09 PM.



#2 Budapest

Budapest

    Bleepin' Cynic


  • Moderator
  • 23,571 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:01:05 PM

Posted 02 July 2008 - 12:48 AM

Run a full system scan with Malwarebytes' Anti-Malware and post the log back here.

As for your internet connection problem, most of these arise out of corrupt Winsock settings due to the installation of a networking software or Malware infestation. If your ISP provider insists that your connection is coming through, the problem must be at your end.

Log on as an administrator, go Start > Run and type: "cmd". In the window that appears type: "netsh winsock reset". When the program is finished, you will receive the message: "Successfully reset the Winsock Catalog. You must restart the machine in order to complete the reset." Close the command box and reboot your computer.

Go Start > Run > type: "cmd" In the window that appears type: "ipconfig /flushdns". Close the command box.

Go Start > Control Panel > Network Connections. Right click on your default connection, usually Local Area Connection or Dial-up Connection if you are using Dial-up, and choose Properties. Double-click on the Internet Protocol (TCP/IP) item. Select the radio button that says "Obtain DNS servers automatically". Reboot. Warning: Some Internet Service Providers need specific DNS settings. You need to make sure that you know if such DNS settings are required before you make this change.

Typically when you get a virus it makes an entry in your registry instructing your computer to run the virus every time you start. Kaspersky found the virus and deleted it, but this nylkxnke.dll entry is still in your registry, which is why you are getting the error message. Using the AutoRuns utility you should be able to locate this entry and delete it.
The power of accurate observation is commonly called cynicism by those who haven't got it.

—George Bernard Shaw
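
The AutoRuns check described in the post above, narrowed to the Run and RunOnce keys, as an added PowerShell example that is not part of the original thread: it lists autostart values whose .exe or .dll target is missing from disk, which is the condition behind the "error loading ... nylkxnke.dll" message. The function name `Get-MissingAutorunTarget` and the path regex are assumptions of this example, and AutoRuns inspects many more startup locations than these keys.

```powershell
# Added example (not from the thread): report Run/RunOnce values whose target
# file no longer exists on disk. Read-only: nothing in the registry is changed.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Drive-letter paths ending in .exe or .dll, quoted or not, spaces allowed.
# Picks the DLL out of: rundll32.exe "C:\WINDOWS\system32\example.dll",Entry
$pathPattern = '[A-Za-z]:\\[^"<>|,:*?]+?\.(?:exe|dll)'

function Get-MissingAutorunTarget {
    param([string[]]$KeyPath = $runKeys)

    foreach ($path in $KeyPath) {
        $key = Get-Item -LiteralPath $path -ErrorAction SilentlyContinue
        if (-not $key) { continue }            # key absent on this system

        foreach ($name in $key.GetValueNames()) {
            # GetValue() expands REG_EXPAND_SZ; ExpandEnvironmentVariables
            # covers %vars% stored in plain REG_SZ values.
            $command = [Environment]::ExpandEnvironmentVariables([string]$key.GetValue($name))

            foreach ($m in [regex]::Matches($command, $pathPattern, 'IgnoreCase')) {
                if (-not (Test-Path -LiteralPath $m.Value -PathType Leaf)) {
                    [pscustomobject]@{
                        Key     = $path      # registry key holding the value
                        Value   = $name      # autostart value name
                        Command = $command   # full command line stored in it
                        Missing = $m.Value   # referenced file not found on disk
                    }
                }
            }
        }
    }
}

Get-MissingAutorunTarget | Format-List
```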

#3 Uzumaki1994

Uzumaki1994
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:01:05 PM

Posted 02 July 2008 - 12:53 AM

Thank you so much,
I will reply with details as soon as I'm done :thumbsup:

#4 Uzumaki1994

Uzumaki1994
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:01:05 PM

Posted 02 July 2008 - 03:48 AM

Ummm... well,
the Malwarebytes' Anti-Malware scan found 2 infected items:
Trojan.Vundo
and
some adware program.
I removed both and it saved two logs.

First Log.
Malwarebytes' Anti-Malware 1.19
Database version: 899
Windows 5.1.2600 Service Pack 2

6:40:14 PM 2/07/2008
mbam-log-7-2-2008 (18-40-03).txt

Scan type: Full Scan (C:\|)
Objects scanned: 239547
Time elapsed: 57 minute(s), 28 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\4cb20f17 (Trojan.Vundo) -> No action taken.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\Owner\Local Settings\Temp\GLKC.tmp (Rogue.EvidenceEliminator) -> No action taken.


Second Log
Malwarebytes' Anti-Malware 1.19
Database version: 899
Windows 5.1.2600 Service Pack 2

6:40:17 PM 2/07/2008
mbam-log-7-2-2008 (18-40-17).txt

Scan type: Full Scan (C:\|)
Objects scanned: 239547
Time elapsed: 57 minute(s), 28 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\4cb20f17 (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)


When I removed both infections my Spybot S&D popped up and said four different things about the registry. One was about the .dll file I mentioned before, but before I could click anything it disappeared.

Also, how do I find out if DNS settings are required with my internet service provider?


Thanks :thumbsup:

#5 Uzumaki1994

Uzumaki1994
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:01:05 PM

Posted 02 July 2008 - 04:52 AM

THANK YOU :thumbsup:
My internet is now working,
the error message is gone,
and I think the trojan is gone.
To check it's gone, should I just keep running Malwarebytes' Anti-Malware?
I'm currently running AVG 8.0 Free, Spybot Search and Destroy, SUPERAntiSpyware and Malwarebytes.
I was running Kaspersky but removed it after it failed to find anything that the others did.
Could you recommend some other security software so this won't happen again?

I can't thank you enough,
I really appreciate your help :flowers:

#6 Uzumaki1994

Uzumaki1994
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:01:05 PM

Posted 02 July 2008 - 06:30 AM

No... wait.
Vundo is back LOL
and there's a lot of adware as well.
The internet doesn't work either, same problem: connected, but Internet Explorer and Firefox show the "page can not be displayed" error.
The error message at startup is gone though.
Also AVG detects over 100 warnings, no infections, just warnings in the registry, but it can't remove them.

Any more help would be appreciated lol :thumbsup:

#7 Budapest

Budapest

    Bleepin' Cynic


  • Moderator
  • 23,571 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:01:05 PM

Posted 02 July 2008 - 04:26 PM

Try running another full system scan with Malwarebytes' Anti-Malware.

After that run a full system scan with SuperAntiSpyware in Safe Mode.

How to start Windows in Safe Mode

#8 Uzumaki1994

Uzumaki1994
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:01:05 PM

Posted 02 July 2008 - 10:55 PM

Hi :thumbsup:
Well, I ran the Malwarebytes scan; it found nothing.
I ran SUPERAntiSpyware in Safe Mode; it found one tracking cookie.
And the internet is working again... BUT...
I have noticed my computer is very sluggish and my homepage keeps changing to msn.com.
I have also noticed my CPU usage is rapidly changing from 1%, then to 97%, then to 41%, and then stays at 1% for a while, then starts again.
Am I just paranoid?
Or is there something wrong?

Thanks :flowers:

#9 Budapest

Budapest

    Bleepin' Cynic


  • Moderator
  • 23,571 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:01:05 PM

Posted 02 July 2008 - 11:53 PM

What process in the Task Manager is using the high CPU?

#10 Uzumaki1994

Uzumaki1994
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:01:05 PM

Posted 03 July 2008 - 12:43 AM

SVChost.exe
VSmon.exe
Generic.exe
And um, the top part of Task Manager, where the tabs say Applications, Processes, Performance, etc., yeah, it just disappeared.

*generic.exe - I had a trojan called Trojan.Generic; when I try to end the process it just comes back.

Edited by Uzumaki1994, 03 July 2008 - 12:46 AM.


#11 Budapest

Budapest

    Bleepin' Cynic


  • Moderator
  • 23,571 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:01:05 PM

Posted 03 July 2008 - 01:10 AM

Try running SDFix, which is a program that can remove many different types of Trojans and Worms.

#12 Uzumaki1994

Uzumaki1994
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:01:05 PM

Posted 03 July 2008 - 07:24 AM

I haven't run SDFix yet, is it safe to do so?
A warning comes up at the start...
Anyway,
while trying to scan with SUPERAntiSpyware a blue screen rapidly flashed up, on which I was able to just read the words memory dump, I think. Also on restart I have the Kernel Fault Check warning again. Is this blue screen that blue screen of death thing?
If it is, does it mean I have to do a fresh Windows install and reformat my system?

What is wrong with this thing, it's driving me nuts.

Thanks for all the help you have given me so far :thumbsup:

[edit] Oh, by the way, I installed ZoneAlarm Pro after being recommended to; it has detected and blocked 92 access attempts, 5 of which are rated very high. Is there any way to view these attempts?

Edited by Uzumaki1994, 03 July 2008 - 07:30 AM.


#13 Uzumaki1994

Uzumaki1994
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:01:05 PM

Posted 04 July 2008 - 08:27 AM

Please help.
The internet randomly started working again, everything seems fine, computer is at normal speed, normal CPU usage. BUT, after about 30 minutes of using the computer, a blue screen appears for a split second; I can read the words physical error system memory dump, or something along those lines. Then the computer restarts itself. On reboot Windows says there has been a critical system error, and it says it has created a log of the error.

"The following files were included in the issue:
C:\DOCUME~1\ARGY\LOCALS~1\Temp\WERfc8a.dir00\Mini070408-04.dmp
C:\DOCUME~1\ARGY\LOCALS~1\Temp\WERfc8a.dir00\sysdata.xml


The error signature is:
BCCode : c2 BCP1 : 00000007 BCP2 : 00000CD4 BCP3 : 02060003
BCP4 : 8A3CAE40 OSVer : 5_1_2600 SP : 2_0 Product : 768_1


And now as I type this from my laptop, my computer is making that error notification sound; there should be a pop-up, but there is nothing there.

Any help pleeaasseee, this is driving me crazy :thumbsup: .

Should I just get my system wiped and reformatted?


Please help :flowers:

#14 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 50,595 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:10:05 PM

Posted 04 July 2008 - 09:02 AM

Please print out and follow the instructions for using SDFix in BC's self-help tutorial "How to use SDFix". This program is for Windows 2000/XP ONLY.
-- When using this tool, you must use the Administrator's account or an account with "Administrative rights"
-- Disconnect from the Internet and temporarily disable your anti-virus and any anti-malware real time protection before performing a scan.

When done, the SDFix report log will open in notepad and automatically be saved in the SDFix folder as Report.txt. Please copy and paste the contents of Report.txt in your next reply. Be sure to re-enable your anti-virus and other security programs before connecting to the Internet.

For the issue with sysdata.xml, see "Examining Errors".
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators


#15 Orange Blossom

Orange Blossom

    OBleepin Investigator


  • Moderator
  • 36,714 posts
  • ONLINE
  •  
  • Gender:Not Telling
  • Location:Bloomington, IN
  • Local time:10:05 PM

Posted 04 July 2008 - 11:28 PM

Hello Uzumaki1994,

I see that you have an HJT log posted here: http://www.bleepingcomputer.com/forums/t/155829/trojan-has-caused-many-many-issues/ Because you have this log posted, you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc) unless advised by a HJT Team member, nor should you continue to ask for help elsewhere. Doing so can result in system changes which may not show in the log you already posted. Further, any modifications you make on your own may cause confusion for the helper assisting you and could complicate the malware removal process which would extend the time it takes to clean your computer.

From this point on the HJT Team should be the only members that you take advice from, until they have verified your log as clean.

Please be patient. It may take a while to get a response because the HJT Team members are EXTREMELY busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT make another reply until it has been responded to by a member of the HJT Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work may assume another HJT Team member is already assisting you and not open the thread to respond.

If after 5 days you still have received no response, then post a link to your HJT log in the thread titled "Haven't Had A Reply In Five Days?".

To avoid confusion, I am closing this topic. Good luck with your log.

Orange Blossom :thumbsup:
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript



