Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Help. Too Much Virus For My Pc..


  • This topic is locked This topic is locked
7 replies to this topic

#1 cryptstone

cryptstone

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:09:01 PM

Posted 23 August 2008 - 07:56 AM

i cant even install any antivirus because the virus itself prevents avg or McAfee from working and updating. My computer also autorestart itself. Its very annoying.. please help me. I tried many ways in removing these viruses but it comes back. I hope to hear from you.. Please help me. Thanks in advance.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:45:10 PM, on 8/23/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\userinit.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Lexmark 1300 Series\lxdcamon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\system32\lxdccoms.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = windowsupdate.microsoft.com;v4.windowsupdate.microsoft.com;
download.windowsupdate.com
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [lxdcmon.exe] "C:\Program Files\Lexmark 1300 Series\lxdcmon.exe"
O4 - HKLM\..\Run: [lxdcamon] "C:\Program Files\Lexmark 1300 Series\lxdcamon.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [kamsoft] C:\WINDOWS\system32\ckvo.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1216348586878
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: lxdcCATSCustConnectService - Unknown owner - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\\lxdcserv.exe (file missing)
O23 - Service: lxdc_device - - C:\WINDOWS\system32\lxdccoms.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 2919 bytes

BC AdBot (Login to Remove)

 


#2 cryptstone

cryptstone
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:09:01 PM

Posted 23 August 2008 - 10:58 AM

bump.. no help yet. kindly help me please.

#3 cryptstone

cryptstone
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:09:01 PM

Posted 24 August 2008 - 01:35 AM

This is my Kaspersky report:

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Sunday, August 24, 2008
Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Sunday, August 24, 2008 05:56:50
Records in database: 1139033
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - Critical Areas:
C:\Documents and Settings\All Users\Start Menu\Programs\Startup
C:\Documents and Settings\owner\Start Menu\Programs\Startup
C:\Program Files
C:\WINDOWS

Scan statistics:
Files scanned: 31523
Threat name: 2
Infected objects: 2
Suspicious objects: 0
Duration of the scan: 00:26:38


File name / Threat name / Threats count
C:\WINDOWS\system32\fool2.dll Infected: Trojan-GameThief.Win32.OnLineGames.sjoc 1
C:\WINDOWS\system32\kxvo.exe Infected: Trojan.Win32.Vaklik.cfc 1

The selected area was scanned.

#4 mas_pogi

mas_pogi

    Carpal Tunnel of Love


  • Members
  • 1,473 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Tokyo, JP
  • Local time:10:01 PM

Posted 05 September 2008 - 08:29 PM

Hello cryptstone,

My name is Mas_pogi(mark,mp) and I will be helping you with your Malware problem.
As I am still in training I will be helping you under supervision of our expert teachers, so there may be a delay between posts.

Thanks for your patient and we'll get back to you :thumbsup:

Please do not run any other tool untill instructed to do so!
Please reply to this thread, do not start another!
Please tell me about any problems that have occurred during the fix.
Please tell me of any other symptoms you may be having as these can help also.
Please try as much as possible not to run anything while executing a fix.

With Regards,
mas_pogi

#5 mas_pogi

mas_pogi

    Carpal Tunnel of Love


  • Members
  • 1,473 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Tokyo, JP
  • Local time:10:01 PM

Posted 07 September 2008 - 03:41 AM

hi.

One or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of it's backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do.

If you wish to continue. PLease do the following:
  • We will begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

    http://www.bleepingcomputer.com/combofix/how-to-use-combofix


    Please ensure you read this guide carefully and install the Recovery Console first.

    The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

    Once installed, you should see a blue screen prompt that says:

    The Recovery Console was successfully installed.

    Please continue as follows:
    • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • Click Yes to allow ComboFix to continue scanning for malware.
    When the tool is finished, it will produce a report for you.

    Please include the following reports for further review, and so we may continue cleansing the system:

    C:\ComboFix.txt
    New HijackThis log.


  • Browse to this directory C:\QooBox
    Find the Add-Remove Programs.txt. Post this one as well.

In your next reply, please post the C:\ComboFix.txt, C:\QooBox\Add-Remove Programs.txt and fresh HijackThis log. Do not attach it. COPY/PASTE it in your reply.




mp

#6 cryptstone

cryptstone
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:09:01 PM

Posted 08 September 2008 - 12:31 PM

hi mas_pogi. Thanks for your reply.
I think the virus only hacked the online game i played in my computer which is "cabal online".
So what i did was i change my password and it works. Another problem occur in my computer.
Yahoo Messenger doesn't work in my computer. I already tried to install and uninstall it many times but it does not work.
another problem is that i cant visit this page which is needed in combofix "http://support.microsoft.com/kb/310994"
i cant start combofix without this right? how can i visit that site? i dont have a cdrom for my winXP cd.
please help me. thanks a lot.

#7 mas_pogi

mas_pogi

    Carpal Tunnel of Love


  • Members
  • 1,473 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Tokyo, JP
  • Local time:10:01 PM

Posted 09 September 2008 - 08:27 AM

hi.

Sorry for the delay.

Please try to download it from other computer. You can USB set to read only before sticking it to your computer. Or you can burn that to CD after you downloaded it.

Please try it and tell me if went ok.

If yes, please proceed with the instructions.

Mark

#8 Shaba

Shaba

    Koutsi


  • Members
  • 7,872 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Finland
  • Local time:04:01 AM

Posted 14 September 2008 - 03:39 AM

Due to the lack of feedback this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team
a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.
Microsoft MVP Consumer Security
Posted Image

Posted Image




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users