
Can't Access "my Computer" Or Internet


7 replies to this topic

#1 jimgolfs

jimgolfs

  • Members
  • 6 posts
  • OFFLINE
  • Local time:12:51 PM

Posted 04 August 2008 - 03:46 AM

Hi - I'm a newbie from Oz and have struck problems. At the bottom right hand corner of my Desktop (to the right of the time display) the words VIRUS ALERT! appear. My START MENU has been altered and I am unable to access EXPLORER type items including MY DOCUMENTS AND MY COMPUTER. I am also unable to access CONTROL PANEL. When I go into Command Prompt in C:\Documents and Settings I see the following display among other things:

30/08/2008 09:55: VIRUS ALERT! <DIR> .viv

Two dll files, three jpegs, a file described as "lib31.2" and a text file live in that directory. All other items listed have the tag VIRUS ALERT! beside them as well.

If I try to open a file from MY COMPUTER using EXCEL just returns a screen without the MY COMPUTER option - same goes for NOTEPAD.

My O/S is XP, I'm using AVG Anti Virus Free, Spybot, PC Tools and Comodo Firewall Pro. I have run all of the "tools" and they tell me there is no virus. Methinks BS as nothing has changed.

When I ran AVG it found Adload_r.N at C:\WINDOWS\eram.exe and Adload_r.R at C:\WINDOWS\grswptdll.exe - both have been deleted and still the machine doesn't work properly.

I've also noticed that my Automatic Updates have been turned off.
When I try to connect to Outlook Express Comodo tells me that C:\WINDOWS\system32\rundll32.exe has loaded bwmzwn.dll into explorer.exe by using a registry based hook. When I try to connect to the internet I get a similar message about rundll32.exe loading a dll.

Both my desktop computer (infected) and my laptop, which I'm using to contact BC are attached to a wireless hub. My laptop works fine, but the desktop unit is u/s.

Given that, to resolve this issue, I'm going to have to download some software, how can this be achieved? I also have a USB key which might help.

Over to you geniuses.



#2 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 52,056 posts
  • ONLINE
  • Gender:Male
  • Location:Virginia, USA
  • Local time:09:51 PM

Posted 04 August 2008 - 09:07 AM

Since you cannot use your Internet, you are going to need access to another computer (family member, friend, etc) with an Internet connection. Download the following programs and save them to a flash (usb, pen, thumb, jump) drive or CD. Then transfer directly to the infected computer.

Please print out and follow the instructions for using SDFix in BC's self-help tutorial "How to use SDFix". This program is for Windows 2000/XP ONLY.
-- When using this tool, you must use the Administrator's account or an account with "Administrative rights"
-- Disconnect from the Internet and temporarily disable your anti-virus and any anti-malware real time protection before performing a scan.

When done, the SDFix report log will open in notepad and automatically be saved in the SDFix folder as Report.txt. Please copy and paste the contents of Report.txt in your next reply. Be sure to re-enable your anti-virus and other security programs before connecting to the Internet.

To fix the policy restrictions created by this infection, please open the SDFix folder or download XP_CodecRepair.inf and save it to your desktop. <- for Windows XP ONLY.
  • Right-click on XP_CodecRepair.inf and select Install from the Context menu.
  • Note: To download the .inf file, go to File, choose "Save page as" All Files and save XP_CodecRepair.inf to your desktop.
  • Then log off or reboot to apply the changes.
Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself.
  • Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless if prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.
.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#3 jimgolfs

jimgolfs
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Local time:12:51 PM

Posted 07 August 2008 - 03:42 PM

Thanks for your prompt response.

Here are both reports as requested.

SDFix: Version 1.212
Run by Jim Taylor on Wed 06/08/2008 at 21:29

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :


Restoring Default Security Values
Restoring Default Hosts File

Rebooting


Checking Files :

Trojan Files Found:

C:\WINDOWS\system32\nvrsul32.dll - Deleted





Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-06 21:55:18
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...

C:\Documents and Settings\Jim Taylor\Desktop\NASTY FOLDER\102-9413424-2055333[1].: 57289 bytes hidden from API

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 1


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"="C:\\Program Files\\Bonjour\\mDNSResponder.exe:*:Enabled:Bonjour"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\AVG\\AVG8\\avgemc.exe"="C:\\Program Files\\AVG\\AVG8\\avgemc.exe:*:Enabled:avgemc.exe"
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"="C:\\Program Files\\AVG\\AVG8\\avgupd.exe:*:Enabled:avgupd.exe"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

Remaining Files :


File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Fri 28 Mar 2003 194 ..SH. --- "C:\BOOT.BAK"
Mon 19 May 2008 9,175,040 A..H. --- "C:\Documents and Settings\Jim Taylor\NTUSER.DAT.bak_jv16pt"
Mon 19 May 2008 1,572,864 A..H. --- "C:\Documents and Settings\LocalService.NT AUTHORITY\NTUSER.DAT.bak_jv16pt"
Mon 19 May 2008 1,572,864 A..H. --- "C:\Documents and Settings\NetworkService.NT AUTHORITY\NTUSER.DAT.bak_jv16pt"
Mon 28 Jan 2008 1,404,240 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SDUpdate.exe"
Mon 28 Jan 2008 5,146,448 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe"
Mon 28 Jan 2008 2,097,488 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
Wed 27 Jul 2005 2,560 A..HR --- "C:\WINDOWS\system32\winstyle3.dll"
Mon 28 Mar 2005 4,348 ..SH. --- "C:\Documents and Settings\All Users.WINDOWS\DRM\DRMv1.bak"
Tue 25 Jun 2002 1,228,872 A..H. --- "C:\Program Files\Cisco Systems\VPN Client\CertMgrGUI.exe"
Tue 25 Jun 2002 1,216,574 A..H. --- "C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe"
Tue 25 Jun 2002 28,672 A..H. --- "C:\Program Files\Cisco Systems\VPN Client\InstHelper.dll"
Tue 25 Jun 2002 1,237,066 A..H. --- "C:\Program Files\Cisco Systems\VPN Client\ipsecdialer.exe"
Tue 25 Jun 2002 176,193 A..H. --- "C:\Program Files\Cisco Systems\VPN Client\IPSecLog.exe"
Tue 25 Jun 2002 168,004 A..H. --- "C:\Program Files\Cisco Systems\VPN Client\ipsxauth.exe"
Tue 25 Jun 2002 151,618 A..H. --- "C:\Program Files\Cisco Systems\VPN Client\ppptool.exe"
Tue 25 Jun 2002 155,712 A..H. --- "C:\Program Files\Cisco Systems\VPN Client\SetMTU.exe"
Tue 25 Jun 2002 180,288 A..H. --- "C:\Program Files\Cisco Systems\VPN Client\vpnclient.exe"
Sat 17 May 2008 0 A.SH. --- "C:\Documents and Settings\All Users.WINDOWS\DRM\Cache\Indiv01.tmp"
Fri 30 May 2008 38,912 ...H. --- "C:\Documents and Settings\Jim Taylor\My Documents\PORT STEPHENS FM\~WRL2342.tmp"
Thu 15 May 2003 43,008 A..H. --- "C:\Program Files\Common Files\Adobe\ESD\DLMCleanup.exe"
Fri 11 Jul 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\695c9577cb50850d8e388f3cadd1563d\BIT1.tmp"
Fri 16 May 2008 1,572,864 A..H. --- "C:\Documents and Settings\Jim Taylor\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.bak_jv16pt"
Fri 9 May 2008 1,310,720 A..H. --- "C:\Documents and Settings\LocalService.NT AUTHORITY\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.bak_jv16pt"
Fri 9 May 2008 1,310,720 A..H. --- "C:\Documents and Settings\NetworkService.NT AUTHORITY\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.bak_jv16pt"

Finished!


Malwarebytes' Anti-Malware 1.24
Database version: 1030
Windows 5.1.2600 Service Pack 3

3:49:28 PM 7/08/2008
mbam-log-8-7-2008 (15-49-28).txt

Scan type: Quick Scan
Objects scanned: 58954
Time elapsed: 6 minute(s), 55 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 9
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 11

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{4ec66e48-b863-4413-bc91-463d9cca093b} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4ec66e48-b863-4413-bc91-463d9cca093b} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{5e95fce5-6562-457f-8437-f5a800255bfb} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{19bfd453-1f53-4a16-95b1-e83bcb0662e7} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\fdkowvbp.bbks (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\fdkowvbp.toolbar.1 (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{4ec66e48-b863-4413-bc91-463d9cca093b} (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\WINDOWS\system32\Fonts (Trojan.Agent) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\xhanfnhh.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\hhnfnahx.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\tchphvwk.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\stejuz.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\aampwc.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\qrtjieci.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Jim Taylor\Local Settings\Temporary Internet Files\Content.IE5\1FGTQ991\kb456456[1] (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\Fonts\ACADEMY_.PFB (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\Fonts\ACADEMY_.PFM (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\Fonts\ACADEMY_.TTF (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\winlogon.old (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.

Good luck.

Jim
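
The two mechanisms in this thread that a defender would want to check are the Explorer "policy restrictions" quietman7 refers to in post #2 and the ShellExecuteHooks / Browser Helper Objects CLSIDs that show up in the MBAM log above. The read-only PowerShell audit below is an added example, not code from this thread, from BleepingComputer, or from any tool named here (SDFix, MBAM, XP_CodecRepair.inf). The policy value names are the standard Windows ones; which of them this particular infection set is an assumption, so the script reports every one that is present rather than a fixed set. It lists the restrictions currently in force and resolves each hook CLSID to its DLL together with the DLL's Authenticode status.

```powershell
# Added example (not from the thread or any tool it names): read-only audit of the
# lockdown and persistence locations this thread touches. Run from an elevated
# PowerShell prompt; it only reads the registry and prints what it finds.

# --- 1. Explorer / System policy restrictions ------------------------------------
# Standard Windows policy value names behind "My Computer", Control Panel, Run,
# Task Manager and Registry Editor being unavailable. Which ones a given infection
# sets is an assumption, so every value that is present and non-zero is reported.
$policyKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
)
$policyNames = @('NoDesktop', 'NoControlPanel', 'NoRun', 'NoFolderOptions',
                 'NoDrives', 'NoViewOnDrive', 'NoSetTaskbar', 'NoFind',
                 'DisableTaskMgr', 'DisableRegistryTools')

Write-Host '== Policy restrictions currently set =='
foreach ($key in $policyKeys) {
    if (-not (Test-Path -Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($name in $policyNames) {
        $value = $props.$name
        if ($null -ne $value -and $value -ne 0) {
            Write-Host ('{0}\{1} = {2}' -f $key, $name, $value)
        }
    }
}

# --- 2. Explorer hook CLSIDs ----------------------------------------------------
# Every CLSID registered under ShellExecuteHooks or Browser Helper Objects is
# loaded into explorer.exe / iexplore.exe at start-up, which is how a "registry
# based hook" gets a DLL into Explorer. Resolve each CLSID to its InProcServer32
# DLL and show the DLL's Authenticode status so unsigned or missing servers stand out.
$hookKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
)

Write-Host "`n== Explorer hook CLSIDs =="
foreach ($key in $hookKeys) {
    if (-not (Test-Path -Path $key)) { continue }
    # ShellExecuteHooks keeps CLSIDs as value names; BHOs keep them as subkeys.
    $clsids = @()
    $clsids += (Get-Item -Path $key).GetValueNames() | Where-Object { $_ -like '{*}' }
    $clsids += Get-ChildItem -Path $key | ForEach-Object { $_.PSChildName } |
               Where-Object { $_ -like '{*}' }

    foreach ($clsid in $clsids) {
        $serverKey = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InProcServer32"
        $dll = $null
        $status = 'no InProcServer32 (CLSID not registered)'
        if (Test-Path -Path $serverKey) {
            $dll = (Get-ItemProperty -Path $serverKey).'(default)'
            if ($dll) {
                $dll = [Environment]::ExpandEnvironmentVariables($dll.Trim('"'))
                if (Test-Path -LiteralPath $dll) {
                    $status = (Get-AuthenticodeSignature -FilePath $dll).Status
                } else {
                    $status = 'file missing on disk'
                }
            } else {
                $status = 'InProcServer32 has no default value'
            }
        }
        Write-Host ('{0,-22} {1}  {2}  [{3}]' -f (Split-Path -Path $key -Leaf), $clsid, $dll, $status)
    }
}
```

Run it before and after cleaning. A hook whose server is "file missing on disk" after the scan is the orphaned registration left behind once the DLL has been quarantined, and a server with a random name in system32 and a status of NotSigned is the pattern the MBAM log above shows (xhanfnhh.dll and friends). The script deletes nothing; clearing the policies and hook entries is left to the tools the thread already prescribes.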

#4 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 52,056 posts
  • ONLINE
  • Gender:Male
  • Location:Virginia, USA
  • Local time:09:51 PM

Posted 07 August 2008 - 09:26 PM

Rescan again with MBAM (Quick Scan) in normal mode and check all items found for removal. Don't forget to reboot afterwards. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. When done, click the Logs tab and copy/paste the contents of the new report in your next reply.

Do you recognize this folder/file on your Desktop?
C:\Documents and Settings\Jim Taylor\Desktop\NASTY FOLDER\

#5 jimgolfs

jimgolfs
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Local time:12:51 PM

Posted 10 August 2008 - 11:39 PM

G'day Quietman

The log follows as requested:

Malwarebytes' Anti-Malware 1.24
Database version: 1030
Windows 5.1.2600 Service Pack 3

2:23:58 PM 11/08/2008
mbam-log-8-11-2008 (14-23-58).txt

Scan type: Full Scan (C:\|)
Objects scanned: 140681
Time elapsed: 2 hour(s), 7 minute(s), 39 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Yes, I recognise the "NASTY FOLDER" on my desktop. Some time ago I had a file that I couldn't delete - no matter what I did, so I opened the NASTY FOLDER as a place to put this file so I would remember to try to get rid of it every now and then. I still can't get rid of it. The file's name is "102-9413424-2055333[1]." - size is zero bytes and size on disk is zero bytes. I have tried DELETE, SHIFT DELETE and even using the FILES SHREDDER in Spybot - all to no avail.

Rgds

Jim

#6 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 52,056 posts
  • ONLINE
  • Gender:Male
  • Location:Virginia, USA
  • Local time:09:51 PM

Posted 11 August 2008 - 08:20 AM

Your last log results look good. How is your computer running now?

BTW, MBAM has a built-in FileAssassin feature for removing stubborn malware files.
  • Go to the "More Tools" tab and click on the "Run Tool" button
  • Browse to the location of the file(s) to remove using the drop down box next to "Look in:" at the top.
  • When you find the file(s), click "Open".
  • You will be prompted with a message warning: This file will be permanently deleted. Are you sure you want to continue?. Click Yes.
  • If removal did not require a reboot, you will receive a message indicating the file was deleted successfully, however, I recommend you reboot anyway.

Caution: Be careful what you delete. FileAssassin is a powerful program, designed to remove highly persistent files. Using it incorrectly could lead to disastrous problems with your operating system.



#7 jimgolfs

jimgolfs
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Local time:12:51 PM

Posted 11 August 2008 - 08:37 AM

Thanks heaps Quietman

It seems my computer is operating correctly. I've updated and run all my virus and spyware paraphernalia and all seems clear as well.

I really appreciate your assistance.

On the matter of the "difficult" file. I tried Assassin and although it told me that it had successfully deleted the file, it was still there after I re-booted.

It's been there about 18 months now and not causing any problems, so I'm sure you have plenty more "customers" with greater problems than I.

Once again thanks heaps.

Jim

#8 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 52,056 posts
  • ONLINE
  • Gender:Male
  • Location:Virginia, USA
  • Local time:09:51 PM

Posted 11 August 2008 - 09:06 AM

You're welcome.

If there are no more problems or signs of infection, you should Create a New Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been saved in System Restore. Since this is a protected directory your tools cannot access to delete these files, they sometimes can reinfect your system if you accidentally use an old restore point. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

The easiest and safest way to do this is:
  • Go to Start > Programs > Accessories > System Tools and click "System Restore".
  • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name, then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
  • Then use Disk Cleanup to remove all but the most recently created Restore Point.
  • Go to Start > Run and type: Cleanmgr
  • Click "Ok".
  • Click the "More Options" Tab.
  • Click "Clean Up" in the System Restore section to remove all previous restore points except the newly created one.
If you want to remove that file, there are more powerful tools that can be used but not in this forum. If you don't mind waiting, you can always read the pinned topic titled "Preparation Guide For Use Before Posting A Hijackthis Log". There are instructions for downloading and running Deckard's System Scanner (DSS) which will create a hijackthis log for you, or automatically download and install the most current version of HijackThis if it's not already installed on your computer.

When you have done that, you can post your log in the HijackThis Logs and Malware Removal forum, NOT here, for a more thorough investigation of your system.

I would ask you to upload it to an online virus scan for analysis but since it's "0" bytes, they don't upload.



