
Spyware/virus Problem


This topic is locked
68 replies to this topic

#1 draven

draven

  • Members
  • 136 posts
  • OFFLINE
  •  
  • Location:England
  • Local time:08:06 PM

Posted 21 July 2008 - 06:43 AM

Hello,

I'm getting a pop-up in my taskbar for VirusRemover2008.

With this problem I can't update AVG, Ad-Aware and SuperAntiSpyWare software through the internet, because for some reason the firewall is not letting them through.

When I do a scan, the PC resets on its own.

Please Help. Thanks.

HijackThis Log -

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:42:36, on 21/07/2008
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.freeserve.com/
F2 - REG:system.ini: UserInit=userinit.exe,C:\WINDOWS\SERVICES.EXE,C:\WINDOWS\System32\ntos.exe,
O2 - BHO: (no name) - {1521D5C4-8974-423E-B02B-67E378B59F96} - C:\WINDOWS\System32\rsaenhp.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Orange Toolbar - {E97B5F2E-CA8E-4D34-BDA3-44EEC4ED2B12} - C:\Program Files\Orange Toolbar UK\ToolbarContainer192.dll
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [wosa] C:\DOCUME~1\Dan\LOCALS~1\Temp\woso.exe
O4 - HKLM\..\Run: [dmone.exe] C:\WINDOWS\System32\dmone.exe
O4 - HKLM\..\Run: [dmjbq.exe] C:\WINDOWS\System32\dmjbq.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [svchost] C:\WINDOWS\svchost.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O14 - IERESET.INF: START_PAGE_URL=http://www.orange.co.uk
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1158429433242
O17 - HKLM\System\CCS\Services\Tcpip\..\{CA2DB896-A815-4CFB-BC5B-599283DEE889}: NameServer = 193.36.79.100 193.36.79.101
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.116.85 85.255.112.147
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.116.85 85.255.112.147
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.85 85.255.112.147
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: tuvTlkki - tuvTlkki.dll (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe

--
End of file - 4801 bytes
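As an added illustration (not part of draven's post or of the helper's tools), a small Python triage script that reads HijackThis-style lines like the ones above and flags the entries the thread turns on: the extra executables chained onto UserInit (F2), Run entries launched from a Temp folder or a svchost.exe outside System32 (O4), nameservers outside the ISP range that the O17 lines show being replaced, and a Winlogon Notify DLL that no longer exists (O20). The sample lines are constructed from the log above, and the trusted resolver range is an assumption.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample modelled on the HijackThis log posted above (not the full log).
SAMPLE_LOG = r"""
F2 - REG:system.ini: UserInit=userinit.exe,C:\WINDOWS\SERVICES.EXE,C:\WINDOWS\System32\ntos.exe,
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [wosa] C:\DOCUME~1\Dan\LOCALS~1\Temp\woso.exe
O4 - HKLM\..\Run: [svchost] C:\WINDOWS\svchost.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{CA2DB896-A815-4CFB-BC5B-599283DEE889}: NameServer = 193.36.79.100 193.36.79.101
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.85 85.255.112.147
O20 - Winlogon Notify: tuvTlkki - tuvTlkki.dll (file missing)
"""

# Assumption: the expected resolvers are the ISP pair on the adapter key (193.36.79.x).
TRUSTED_DNS = [ip_network("193.36.79.0/24")]


def _basename(path):
    return path.strip().strip('"').replace("/", "\\").rsplit("\\", 1)[-1].lower()

def check_userinit(line):
    """F2: every executable chained after userinit.exe is run at each logon."""
    m = re.search(r"UserInit=(.*)$", line, re.I)
    if not m:
        return []
    return [("F2 extra UserInit entry", p.strip()) for p in m.group(1).split(",")
            if p.strip() and _basename(p) != "userinit.exe"]

def check_run(line):
    """O4: autoruns launched from a Temp folder, or a svchost.exe outside System32."""
    m = re.match(r"O4 - .*?: \[.*?\] (.*)$", line)
    if not m:
        return []
    cmd = m.group(1).strip()
    exe = cmd[1:].split('"', 1)[0] if cmd.startswith('"') else cmd.split(" ", 1)[0]
    findings = []
    if "\\temp\\" in exe.lower():
        findings.append(("O4 run from Temp", exe))
    if _basename(exe) == "svchost.exe" and "\\system32\\" not in exe.lower():
        findings.append(("O4 svchost outside System32", exe))
    return findings

def check_nameserver(line):
    """O17: resolvers outside the trusted range, the DNS-changer symptom in this thread."""
    m = re.match(r"O17 - .*NameServer = (.*)$", line)
    if not m:
        return []
    return [("O17 unexpected resolver", ip) for ip in m.group(1).split()
            if not any(ip_address(ip) in net for net in TRUSTED_DNS)]

def check_winlogon(line):
    """O20: a Winlogon Notify entry whose DLL is gone is leftover persistence."""
    if line.startswith("O20") and "(file missing)" in line:
        return [("O20 dangling Winlogon Notify", line.split(": ", 1)[1])]
    return []

def triage(log_text):
    """Return (rule, detail) pairs for every suspicious line of a HijackThis log."""
    findings = []
    for line in filter(None, (l.strip() for l in log_text.splitlines())):
        for check in (check_userinit, check_run, check_nameserver, check_winlogon):
            findings.extend(check(line))
    return findings
```

Running `triage(SAMPLE_LOG)` reports seven findings and leaves the AVG entry and the ISP resolvers alone; the checks are heuristics for the patterns in this thread, not a replacement for a scanner.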



#2 Thunder

Thunder

  • Members
  • 3,294 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Belgium
  • Local time:10:06 PM

Posted 23 July 2008 - 04:20 AM

Hello Draven and welcome to BleepingComputer,

To be honest, running WinXp without having the SP1 & 2 installed is an open invitation for malware to take over.
I can only hope this multiple infection will cause you to reflect on that.

1. * Clean your Cache and Cookies in IE:
  • Close all instances of Outlook Express and Internet Explorer
  • Go to Control Panel > Internet Options > General tab
  • Under Browsing History, click Delete.
  • Click Delete Files, Delete cookies and Delete history
  • Click Close below.
* Clean your Cache and Cookies in Firefox (in case you also have Firefox installed):
  • Go to Tools > Options.
  • Click Privacy in the menu.
  • Click the Clear now button below. A new window will pop up asking what to clear.
  • Select all and click the Clear button again.
  • Click OK to close the Options window.
* Clean other Temporary files + Recycle bin:
  • Go to Start > Run and type: cleanmgr and click OK.
  • Let it scan your system for files to remove.
  • Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked.
  • Press OK to remove them.

2. Please download FixwareOut from the following site:
http://download.bleepingcomputer.com/lonny/Fixwareout.exe
  • Save it to your desktop and run it.
  • Click Next, then Install, make sure "Run fixit" is checked and click Finish.
  • The fix will begin; follow the prompts.
  • If your firewall gives an alert (because this tool will download an additional file from the internet), please don't let your firewall block it, but allow it instead.
  • Then you will be asked to reboot your computer; please do so.
  • Your system may take longer than usual to load; this is normal.
  • Once the desktop loads, a logfile will open. I need that one later.
  • This log will be present in the C:\fixwareout folder with the name report.txt

3. Please download Malwarebytes' Anti-Malware from Here or Here

Doubleclick mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & paste the entire report in your next reply along with a fresh HijackThis log.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

4. Restart your computer.

5. Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Please ensure you read this guide carefully and install the Recovery Console first (not for Windows Vista users !).
The Windows Recovery Console will allow you to boot up into a special recovery mode, in case your computer has a problem after an attempted removal of malware. This allows us to help you. (WinXP SP3 users, please download the appropriate SP2 file, Home or Pro, to install the RC)

In the event you already have Combofix, delete your current version and download the latest version as described in the tutorial.
It must be saved directly to your desktop.


Note: Make sure not to click ComboFix's window while it's running. That may cause it to stall or freeze.

Please post the log from ComboFix (can also be found as C:\ComboFix.txt) in your next reply. :)

If you have any questions along the way, STOP and ask them before proceeding !!

Greetings,
Thunder
Whatever happens, make believe it was intended to ...
-----------------------------------------------------------------------
Posted Image - If I have helped you in any way, please consider a donation to help me continue the fight against malware.
-----------------------------------------------------------------------
Stand Up & Be Counted --> Posted Image <-- And make a difference

#3 draven

draven
  • Topic Starter

  • Members
  • 136 posts
  • OFFLINE
  •  
  • Location:England
  • Local time:08:06 PM

Posted 23 July 2008 - 04:55 AM

Hello Thunder,

Thank you for the reply.

For the Windows Recovery Console, what version do I download?

Is Combofix safe to use?

#4 draven

draven
  • Topic Starter

  • Members
  • 136 posts
  • OFFLINE
  •  
  • Location:England
  • Local time:08:06 PM

Posted 23 July 2008 - 05:23 AM

Fixwareout Log -

Username "Dan" - 23/07/2008 11:05:39 [Fixwareout edited 9/01/2007]

~~~~~ Prerun check
HKLM\SOFTWARE\~\CurrentVersion\Run\ ="dmone"
HKLM\SOFTWARE\~\CurrentVersion\Run\ ="dmjbq"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
"nameserver"="85.255.116.85 85.255.112.147" <Value cleared.


System was rebooted successfully.

~~~~~ Postrun check
HKLM\SOFTWARE\~\Winlogon\ "system"=""
....
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls "0mdm" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls "1mdm" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion "qojsc" Value deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion "jarsc" Value deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion "vbbsc" Value deleted
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion "dmksk.exe" Value deleted
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion "dmfxh.exe" Value deleted
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion "dmmmh.exe" Value deleted
HKCR\CLSID\{53AA2E31-11E9-4907-B163-144C2FD4521D}\_h\4 Deleted.
HKCR\CLSID\{D0123EA5-F066-4E42-B1DF-01A97835DFA3}\_h\4 Deleted.
HKCR\CLSID\{EA70E34E-71CD-404B-BF12-4D4B82044F2C}\_h\4 Deleted.
....
~~~~~ Misc files.
C:\Documents and Settings\Dan\Application Data\kc.tmp Deleted
....
~~~~~ Checking for older varients.
....

~~~~~ Current runs (hklm hkcu "run" Keys Only)
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"Lexmark X1100 Series"="\"C:\\Program Files\\Lexmark X1100 Series\\lxbkbmgr.exe\""
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVG7\\avgcc.exe /STARTUP"
"wosa"="C:\\DOCUME~1\\Dan\\LOCALS~1\\Temp\\woso.exe"
"SpeedTouch USB Diagnostics"="\"C:\\Program Files\\Thomson\\SpeedTouch USB\\Dragdiag.exe\" /icon"
"Zone Labs Client"="\"C:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe\""
"svchost"="C:\\WINDOWS\\svchost.exe"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"CTFMON.EXE"="C:\\WINDOWS\\System32\\ctfmon.exe"
....
Hosts file was reset, If you use a custom hosts file please replace it...
~~~~~ End report ~~~~~



Also I must mention, I'm getting errors when I visit websites; I get the 'the page cannot be displayed' screen with this - res://C:\WINDOWS\System32\shdoclc.dll/dnserror.htm#


Also I've got a problem with Malwarebytes' Anti-Malware. I have downloaded the mbam-setup.exe file; I'm double-clicking it and nothing is happening.

Edited by draven, 23 July 2008 - 05:36 AM.


#5 Thunder

Thunder

  • Members
  • 3,294 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Belgium
  • Local time:10:06 PM

Posted 23 July 2008 - 03:32 PM

Hello Draven,

Is there any reason why you didn't install the Security Packs in the past ?
DO NOT try to install them just now !

I suggest you run MBAM and ComboFix in safe mode first, to avoid as much as possible all interference :

Save this as a text file on your desktop or print it out first, since you can't come here while in safe mode.

Boot into Safe Mode:
Restart your computer and tap F8 before WinXP starts to load and choose Safe Mode (without network connection).
If done right a Windows Advanced Options menu will appear.
Select the Safe Mode option and press Enter.

Now run MBAM and/or ComboFix.

Upon reboot in normal mode, post the logs please.

Greetings,
Thunder

#6 draven

draven
  • Topic Starter

  • Members
  • 136 posts
  • OFFLINE
  •  
  • Location:England
  • Local time:08:06 PM

Posted 23 July 2008 - 03:37 PM

Hello Thunder,

Thank you for the reply.

For the Windows Recovery Console, what version do I download?

Is Combofix safe to use?


The Windows Recovery Console won't cause other problems? I DON'T want to reinstall my PC.

Is Combofix safe to use?

Edited by draven, 23 July 2008 - 03:50 PM.


#7 draven

draven
  • Topic Starter

  • Members
  • 136 posts
  • OFFLINE
  •  
  • Location:England
  • Local time:08:06 PM

Posted 23 July 2008 - 03:40 PM

Also I must mention, I'm getting errors when I visit websites; I get the 'the page cannot be displayed' screen with this - res://C:\WINDOWS\System32\shdoclc.dll/dnserror.htm#


Also I've got a problem with Malwarebytes' Anti-Malware. I have downloaded the mbam-setup.exe file; I'm double-clicking it and nothing is happening.


I can't even get MBAM set up because the exe is not working.

Edited by draven, 23 July 2008 - 03:41 PM.


#8 draven

draven
  • Topic Starter

  • Members
  • 136 posts
  • OFFLINE
  •  
  • Location:England
  • Local time:08:06 PM

Posted 23 July 2008 - 03:49 PM

Hello Thunder,

Thank you for the reply.

For the Windows Recovery Console, what version do I download?

Is Combofix safe to use?


The Windows Recovery Console won't cause other problems? I DON'T want to reinstall my PC.

Is Combofix safe to use?


What does the Windows Recovery Console do? A backup?

#9 Thunder

Thunder

  • Members
  • 3,294 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Belgium
  • Local time:10:06 PM

Posted 23 July 2008 - 04:15 PM

Hello Draven,

Installing the Recovery Console is a completely safe procedure.
As a matter of fact it is to be considered an additional security precaution.

Just download the appropriate Windows XP original release file (Home or Pro, depending on your WinXp version) at the bottom of this page: http://support.microsoft.com/kb/310994
to your desktop and then drag & drop it on ComboFix.exe, which will initiate an automatic installation.

This will add an additional boot option, to be used in case of severe problems.

Running ComboFix itself always contains a remote risk, hence the installation of the Recovery Console, which enables a complete restore in case of problems.

Greetings,
Thunder

#10 draven

draven
  • Topic Starter

  • Members
  • 136 posts
  • OFFLINE
  •  
  • Location:England
  • Local time:08:06 PM

Posted 23 July 2008 - 04:20 PM

Got a problem with Malwarebytes' Anti-Malware downloading process. When I click the mbam-setup.exe file to install, nothing is happening.

#11 Thunder

Thunder

  • Members
  • 3,294 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Belgium
  • Local time:10:06 PM

Posted 23 July 2008 - 04:35 PM

Hello Draven,

If one tool is blocked, then please continue with the next one, in this case ComboFix.
Just make sure ZoneAlarm isn't preventing a proper run.

Greetings,
Thunder

#12 draven

draven
  • Topic Starter

  • Members
  • 136 posts
  • OFFLINE
  •  
  • Location:England
  • Local time:08:06 PM

Posted 23 July 2008 - 05:40 PM

Hello Draven,

Installing the Recovery Console is a completely safe procedure.
As a matter of fact it is to be considered an additional security precaution.

Just download the appropriate Windows XP original release file (Home or Pro, depending on your WinXp version) at the bottom of this page: http://support.microsoft.com/kb/310994
to your desktop and then drag & drop it on ComboFix.exe, which will initiate an automatic installation.

This will add an additional boot option, to be used in case of severe problems.

Running ComboFix itself always contains a remote risk, hence the installation of the Recovery Console, which enables a complete restore in case of problems.

Greetings,
Thunder


Do I just download the XP Pro file as I don't have SP1 or SP2 installed?

#13 Thunder

Thunder

  • Members
  • 3,294 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Belgium
  • Local time:10:06 PM

Posted 24 July 2008 - 02:48 AM

Hello Draven,

You need to use the "Windows XP original release" file.

Greetings,
Thunder

#14 draven

draven
  • Topic Starter

  • Members
  • 136 posts
  • OFFLINE
  •  
  • Location:England
  • Local time:08:06 PM

Posted 24 July 2008 - 07:04 AM

I can't download the Windows Recovery Console for XP Pro because of the spyware problem -

I'm getting errors when I visit websites; I get the 'the page cannot be displayed' screen with this - res://C:\WINDOWS\System32\shdoclc.dll/dnserror.htm#


Could you download the file below from the link and upload it to megaupload.com so I can download the file, please.

http://www.microsoft.com/downloads/details...B7-4FED408EA73F

Edited by draven, 24 July 2008 - 07:05 AM.


#15 Thunder

Thunder

  • Members
  • 3,294 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Belgium
  • Local time:10:06 PM

Posted 24 July 2008 - 08:00 AM

Hello Draven,

Would you mind trying this out first:

Go to Start > Run and type services.msc and click OK
In the list, look for DHCP Client. Right click and choose Stop
Then right click DHCP Client again and choose Start.
Then look for DNS Client. Right click and choose Stop.
Once again right click DNS Client and choose Start.
Double click your Internet Explorer button and check if it's working now.

Greetings,
Thunder



