Ie Shutting Down Instantly


  • This topic is locked
27 replies to this topic

#1 VinMan


Posted 19 September 2008 - 01:50 PM

Hello All,

Since yesterday, my computer has been slow and IE unable to start up. It shuts down as soon as I open it and gives a generic error message. The only way to keep it open (which is what I had to do so I could post this message) is to run CC Cleaner and CleanUp, and I have to do this every single time I start up the machine. I followed all the steps for before posting a HijackThis Log, ran all the programs, installed the firewall etc. The only thing I couldn't do was run SpyBot because the program just won't open. After running all the programs and killing the infections found by Adware and HouseCall, the speed of the computer and the browser is back to normal though.

And oh, Hijack This wouldn't open either, until I changed its name to my name (found this trick while surfing these forums). I hope I've done everything right so far. I would really appreciate any help in dealing with this. Here's the log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:48:41 PM, on 9/19/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
c:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Google\Google Talk\googletalk.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Owner\Desktop\Vineeta.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com/
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - S-1-5-18 Startup: Compaq Organize.lnk = ? (User 'SYSTEM')
O4 - S-1-5-18 Startup: mod_sm.lnk = C:\hp\bin\cloaker.exe (User 'SYSTEM')
O4 - S-1-5-18 Startup: spamsubtract.lnk = C:\Program Files\interMute\SpamSubtract\SpamSubtract.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: Compaq Organize.lnk = ? (User 'Default user')
O4 - .DEFAULT Startup: mod_sm.lnk = C:\hp\bin\cloaker.exe (User 'Default user')
O4 - .DEFAULT Startup: spamsubtract.lnk = C:\Program Files\interMute\SpamSubtract\SpamSubtract.exe (User 'Default user')
O4 - .DEFAULT User Startup: Compaq Organize.lnk = ? (User 'Default user')
O4 - .DEFAULT User Startup: mod_sm.lnk = C:\hp\bin\cloaker.exe (User 'Default user')
O4 - .DEFAULT User Startup: spamsubtract.lnk = C:\Program Files\interMute\SpamSubtract\SpamSubtract.exe (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O15 - Trusted Zone: www.gmail.com
O15 - Trusted Zone: www.hotmail.com
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://prerelease.trendmicro-europe.com/ho...ivex/hcImpl.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www1.snapfish.com/SnapfishActivia.cab
O16 - DPF: {4EC99A0B-E57C-4FBE-B9C4-8428424FBF88} - http://supportcenter.verizon.net/euserv/jsp/VOLAWeb.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O20 - AppInit_DLLs: C:\WINDOWS\system32\cru629.dat
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Password Validation Service ccPwdSvcseclogon (ccPwdSvcseclogon) - Unknown owner - C:\WINDOWS\System32\accwizo.exe
O23 - Service: Machine Debug Manager MDMShellHWDetection (MDMShellHWDetection) - Unknown owner - C:\WINDOWS\System32\accwizk.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Shell Hardware Detection ShellHWDetectionwuauserv (ShellHWDetectionwuauserv) - Unknown owner - C:\WINDOWS\System32\activedsn.exe (file missing)
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: Windows Time W32TimeRpcLocator (W32TimeRpcLocator) - Unknown owner - C:\WINDOWS\System32\alrsvca.exe

--
End of file - 4816 bytes
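The log above contains the three patterns a log reader would flag before anything else: an O20 AppInit_DLLs entry (a DLL loaded into every GUI process), O23 services with "Unknown owner" or a missing binary, and service short names that are two real Windows service names glued together (ccPwdSvc + seclogon, ShellHWDetection + wuauserv, W32Time + RpcLocator, MDM + ShellHWDetection). The following is an added example, not code from this thread, from BleepingComputer or from HijackThis, that applies those checks to lines in the log's format. The list of known service names is a small constructed set, and the sample input is a handful of lines copied from the posted log plus the legitimate ccPwdSvc line for contrast.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample: lines in the shape of the HijackThis log above (raw string,
# so the backslashes are literal). The legitimate ccPwdSvc line is included so the
# rules can be seen to leave a normal service entry alone.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O20 - AppInit_DLLs: C:\WINDOWS\system32\cru629.dat
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Password Validation Service ccPwdSvcseclogon (ccPwdSvcseclogon) - Unknown owner - C:\WINDOWS\System32\accwizo.exe
O23 - Service: Machine Debug Manager MDMShellHWDetection (MDMShellHWDetection) - Unknown owner - C:\WINDOWS\System32\accwizk.exe
O23 - Service: Shell Hardware Detection ShellHWDetectionwuauserv (ShellHWDetectionwuauserv) - Unknown owner - C:\WINDOWS\System32\activedsn.exe (file missing)
O23 - Service: Windows Time W32TimeRpcLocator (W32TimeRpcLocator) - Unknown owner - C:\WINDOWS\System32\alrsvca.exe
"""

# Assumed, non-exhaustive set of Windows XP service short names (lower-cased).
# The suspicious entries in the log are built by concatenating two of these.
KNOWN_SERVICE_NAMES = {
    "seclogon", "wuauserv", "w32time", "rpclocator", "shellhwdetection",
    "netman", "upnphost", "rasman", "mdm", "ccpwdsvc",
}

# O23 lines: "O23 - Service: <display> (<short>) - <owner> - <path>"
O23_RE = re.compile(
    r"^O23 - Service: (?P<display>.*?) \((?P<short>[^()]+)\) - (?P<owner>.*?) - (?P<path>.*)$"
)


@dataclass
class Finding:
    line: str
    reason: str


def stitched_from(name: str) -> Optional[Tuple[str, str]]:
    """Return (a, b) when `name` is exactly two known service names concatenated."""
    n = name.lower()
    for a in KNOWN_SERVICE_NAMES:
        rest = n[len(a):]
        if n.startswith(a) and rest in KNOWN_SERVICE_NAMES:
            return a, rest
    return None


def triage(log_text: str) -> List[Finding]:
    """Apply the three checks to every line and collect what they flag."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.startswith("O20 - AppInit_DLLs:"):
            findings.append(Finding(line, "AppInit_DLLs entry loads into every GUI process; rarely legitimate"))
            continue
        m = O23_RE.match(line)
        if not m:
            continue
        if m["owner"] == "Unknown owner":
            findings.append(Finding(line, "service binary has no publisher (Unknown owner)"))
        if m["path"].endswith("(file missing)"):
            findings.append(Finding(line, "service points at a missing file"))
        pair = stitched_from(m["short"])
        if pair:
            findings.append(Finding(line, f"service name looks stitched from {pair[0]!r} + {pair[1]!r}"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.reason}\n    {f.line}")
```

The stitched-name rule is the one worth keeping: a service whose short name is two genuine service names run together, registered with no publisher and pointing at a randomly named file in System32, is the signature the helper acts on in the CFScript later in this thread.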


#2 PropagandaPanda

  • Malware Response Team

Posted 19 September 2008 - 03:48 PM

Hello. I am PropagandaPanda (Panda or PP for short) and I will be helping you with your log.

I will need some time to look over your computer's log(s). I am still in training, so my responses to you must be checked by a coach.

You may want to keep the link to this topic in your favorites. Alternatively, you can click the button at the top bar of this topic and Track this Topic, where you can choose email notifications. The topics you are tracking are shown here.

Please take note of a few guidelines for this fix:
  • Refrain from making any changes to your computer including installing/uninstalling programs, deleting files, modifying the registry, and running scanners or tools. Doing so could cause changes to the directions I have to give you and prolong the time required. Furthermore, you should not be taking any advice relating to this computer from any other source throughout the course of this fix.
  • If you do not understand any step(s) provided, please do not hesitate to ask. I would much rather clarify instructions or explain them differently than have something important broken.
  • Even if things appear to be better, it may not mean we are finished. Please continue to follow my instructions and reply back until I give you the "all clean". We do not want to clean you part-way, only to have the system re-infect itself.
  • Finally, please reply using the reply button in the lower right hand corner of your screen. Do not start a new topic. The logs that you post should be pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
With Regards,
The Panda

Important Note to Other Users Reading this Topic: The instructions provided in this topic are for the original topic starter only. Even if you have similar problems or log entries to those given here, please do not follow the directions, especially those involving specific tools and scripts. Doing so can result in serious damage to your computer. Instead, please start your own topic. Feel free to link to any relevant topics as needed.

#3 VinMan


Posted 19 September 2008 - 04:33 PM

Hi PP,

Thanks for helping me. I am not getting help from any other forum and promise to follow your instructions to the end. My browser has become slow again, and the only thing I did since posting the log was running adware again, which cleaned one instruction.

Thanks

#4 PropagandaPanda

  • Malware Response Team

Posted 21 September 2008 - 08:42 AM

Hello Vinman. Sorry for the delay.

Backdoor Threat
I'm sorry to say that your computer is infected with one or more backdoor trojans.

This means that sensitive information could have been stolen. I would advise to change any passwords for any accounts that you have accessed with the infected computer using a clean computer ASAP. If you have used this computer for banking, I would strongly suggest that you report the possible stolen information. Please do not use the computer for any further transactions, or to enter any other information, if at all possible, until it is declared clean.

You may want to read this article on how to handle identity theft.
You may also want to read this article regarding preventing of identity theft.

This computer can still be cleaned, however, I cannot guarantee that it will be 100% safe even after disinfection.

Please read When Should I Format, How Should I Reinstall.

I will proceed assuming you wish to disinfect. If you want to do a reinstall, reply back saying so.

Disable Realtime Protection
We must disable your malware protection as it can interfere with the tools we need to run. If you are unable to access these programs to carry out the steps, skip this.

To disable Adware:
  • Right click on the Ad-Watch icon in the system tray.
  • At the bottom of the screen there will be two checkable items called "Active" and "Automatic".
    • Active: This will turn Ad-Watch On\Off without closing it.
    • Automatic: Suspicious activity will be blocked automatically.
  • Uncheck both of those boxes.
  • (When done, you can re-enable it using the same steps but this time check both boxes.)
To disable Norton Antivirus:
  • Right click on the Norton icon beside your clock and select Disable Auto-Protect.
  • Select a disabled duration of 5 hours to ensure that it will not interfere with this fix.
  • Click OK to apply the settings.
When done properly, you should receive a pop-up warning saying that protection was disabled. The Norton icon should now show that Auto-Protect is disabled.

Install Recovery Console and Run ComboFix
Download Combofix from any of the links below, and save it to your desktop.
Link 1, Link 2, Link 3

Go to Microsoft's website => http://support.microsoft.com/kb/310994

Select the download that's appropriate for your Operating System.

  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are not sure how.
  • Download the file and save it as it's originally named onto your desktop.
  • Drag the setup package onto ComboFix.exe and drop it.
  • Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console.
  • At the next prompt, click NO to skip the scan for now.
  • Close everything and save all work.
  • Click on your Start Menu, then Run.., then type:
    "%userprofile%\desktop\combofix.exe" /killall
  • When finished, it will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).
Leave your computer alone while ComboFix is running.

ComboFix will restart your computer if malware is found; allow it to do so.

Have things improved after running ComboFix?

With Regards,
The Panda

#5 VinMan


Posted 21 September 2008 - 02:06 PM

Oh dear..

I do want to disinfect/reinstall.

Will follow all your instructions ASAP.

#6 VinMan


Posted 21 September 2008 - 03:20 PM

Stupid problem, I'm sorry, I couldn't get beyond the first step of disabling Adware and Norton. Neither of their icons are in my system tray. And right clicking on them on the desktop doesn't show me the two options that you are talking about. What to do?

#7 PropagandaPanda

  • Malware Response Team

Posted 21 September 2008 - 03:27 PM

Hello.

If you can't complete those steps, proceed to running ComboFix.

With Regards,
The Panda

#8 VinMan


Posted 21 September 2008 - 04:17 PM

Last question before I run combofix. I know I have SP1. Should I use this as an opportunity to upgrade to SP2? Or should I just download SP1 from the microsoft website?

#9 PropagandaPanda

  • Malware Response Team

Posted 21 September 2008 - 05:50 PM

Hello.

Do not install SP2 until you are free of malware. Doing so can cause problems.

With Regards,
The Panda

#10 VinMan


Posted 21 September 2008 - 06:23 PM

Hi PP,

So I ran Combofix as per instructions. It rebooted once in between. However, instead of a log at the very end after typing the code in "Run" it didn't give me a report (Combofix did run though, it showed). Instead, before that, another report popped up. Here it is:

winxpsp1_en_hom_bf.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect

So after it was all done and I opened the explorer window, it opened without any problems, which was fabulous!! So thank you. What else do I need to do? Can you reccommend a way for me to not get these trojans anymore?

#11 PropagandaPanda

  • Malware Response Team

Posted 21 September 2008 - 06:42 PM

Hello Vinman.

Can you see if this file exists:
C:\QooBox\ComboFix*.txt
(where * is a number)

If it is there, post back with it. If there are more than one, include all of them.

I've got my hands pretty full at the moment. I'll try to get back to you tomorrow. Thanks for your patience.

With Regards,
The Panda

Edited by PropagandaPanda, 21 September 2008 - 06:42 PM.


#12 VinMan


Posted 21 September 2008 - 06:53 PM

PP,

You've helped me so much already. There is no rush, please take your time!

Just want to get back to you though. In the Qoobox folder there are only two folders, one "Quarantine" and the other "BackEnv". Then there is something called LogA which doesn't really open. I also did a search for all .txt files, and nothing that began with Combofix showed up.

#13 PropagandaPanda

  • Malware Response Team

Posted 21 September 2008 - 07:06 PM

Hello.

Then please take a log with this tool.

Download and Run RSIT
  • Download random's system information tool (RSIT) by random/random from here and save it to your desktop.
  • Double click on RSIT.exe to run RSIT.
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open. Please post the contents of both C:\rsit\log.txt (<<will be maximized) and
    C:\rsit\info.txt (<<will be minimized)
With Regards,
The Panda

#14 VinMan


Posted 21 September 2008 - 07:23 PM

Here are the two logs (as attachments), and I also attached the Hijackthis log which saved automatically (just in case you wanted to see it too). Let me know if you can open them, otherwise I'll post them in the body of the message.

Attached Files



#15 PropagandaPanda

  • Malware Response Team

Posted 22 September 2008 - 11:02 AM

Hello Vinman.

Run ComboFix with CFScript
We will run ComboFix again. This time, the instructions are slightly different.
  • Close any open browsers.
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are unsure how.
  • Open notepad (Start>Run>"notepad") and copy/paste the text in the quotebox below into it:


    KILLALL::
    File::
    C:\WINDOWS\System32\activedst.exe
    C:\WINDOWS\System32\acleditv.exe
    C:\WINDOWS\System32\accwizk.exe
    C:\WINDOWS\System32\alrsvca.exe
    C:\WINDOWS\System32\accwizo.exe
    C:\WINDOWS\System32\gzipmod(2)(2).dll

    Registry::
    [-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\System Reserved]
    [-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\System Reserved]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\gzipmod]

    Driver::
    ShellHWDetectionwuauserv
    RasManW32TimeRpcLocator
    upnphostNetman
    W32TimeRpcLocator
    MDMShellHWDetection

    Rootkit::
    C:\WINDOWS\system32\gzipmod.dll

    Save this as CFScript.txt, in the same location as ComboFix.exe. (This should be your desktop.)
    [screenshot: CFScript.txt being dragged onto ComboFix.exe]
    Referring to the picture above, drag CFScript into ComboFix.exe.
When finished, it shall produce a log for you at "C:\ComboFix.txt". Post back with that log.

Do not mouseclick ComboFix's window while it's running. That may cause it to stall.

Download and run MalwareBytes Anti-Malware
Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2
  • Make sure you are connected to the Internet.
  • Double-click on Download_mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • On the Scanner tab:
    • Make sure the "Perform Quick Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

You can refer to this page which has a visual of the instructions above.



Post back with:
-the ComboFix log
-the MalwareBytes log
-a new RSIT log (only log.txt will appear)

Please paste the logs directly into your post.

How is your computer running now?

With Regards,
The Panda
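The CFScript in the post above is a plain text file of `Name::` sections: files to delete, registry keys to remove (`[-KEY]` in .reg syntax), services and drivers to unregister, and a file to handle as rootkit-protected. Before running a script like this on a machine it is worth reading it back as a list of concrete actions. The following is an added example, not ComboFix's code nor anything from this thread or from BleepingComputer, that parses the script's sections and turns them into a reviewable action list with warnings. The meaning given to each directive is an assumption drawn from the directive names and the helper's explanation, not from ComboFix documentation, and the sample input is the script from the post above embedded verbatim.

```python
import re
from typing import Dict, List, Optional, Tuple

# Sample input: the CFScript from the post above (raw string, backslashes literal).
SAMPLE_SCRIPT = r"""
KILLALL::
File::
C:\WINDOWS\System32\activedst.exe
C:\WINDOWS\System32\acleditv.exe
C:\WINDOWS\System32\accwizk.exe
C:\WINDOWS\System32\alrsvca.exe
C:\WINDOWS\System32\accwizo.exe
C:\WINDOWS\System32\gzipmod(2)(2).dll

Registry::
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\System Reserved]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\System Reserved]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\gzipmod]

Driver::
ShellHWDetectionwuauserv
RasManW32TimeRpcLocator
upnphostNetman
W32TimeRpcLocator
MDMShellHWDetection

Rootkit::
C:\WINDOWS\system32\gzipmod.dll
"""

HEADER_RE = re.compile(r"^([A-Za-z]+)::$")
# Assumed directive meanings (from the names and the helper's description only).
KNOWN_SECTIONS = {"KILLALL", "File", "Registry", "Driver", "Rootkit"}


def parse_cfscript(text: str) -> Dict[str, List[str]]:
    """Split the script into sections; entries are the non-blank lines under each header."""
    sections: Dict[str, List[str]] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HEADER_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
            continue
        if current is None:
            raise ValueError(f"entry before any section header: {line!r}")
        sections[current].append(line)
    return sections


def review(sections: Dict[str, List[str]]) -> Tuple[List[str], List[str]]:
    """Return (planned actions, warnings) for a parsed script."""
    actions: List[str] = []
    warnings: List[str] = []
    for name in sections:
        if name not in KNOWN_SECTIONS:
            warnings.append(f"unrecognised section {name}::; check it before running")
    if "KILLALL" in sections:
        actions.append("terminate non-essential running processes before acting")
    for path in sections.get("File", []):
        if not re.match(r"^[A-Za-z]:\\", path):
            warnings.append(f"File:: entry is not an absolute path: {path}")
        actions.append(f"delete file {path}")
    current_key: Optional[str] = None
    for entry in sections.get("Registry", []):
        if entry.startswith("["):
            m = re.match(r"^\[(-?)(.+)\]$", entry)
            if not m:
                warnings.append(f"Registry:: entry is not a .reg-style key line: {entry}")
                continue
            current_key = m.group(2)
            verb = "delete registry key" if m.group(1) == "-" else "write registry key"
            actions.append(f"{verb} {current_key}")
            if "\\SafeBoot\\" in current_key:
                warnings.append(f"touches Safe Mode configuration: {current_key}")
        elif current_key is None:
            warnings.append(f"Registry:: value line with no preceding key: {entry}")
        else:
            actions.append(f"set value {entry} under {current_key}")
    for svc in sections.get("Driver", []):
        actions.append(f"remove service/driver {svc}")
    for path in sections.get("Rootkit", []):
        actions.append(f"remove rootkit-protected file {path}")
    return actions, warnings


if __name__ == "__main__":
    acts, warns = review(parse_cfscript(SAMPLE_SCRIPT))
    print("\n".join(acts))
    print("\nWarnings:\n" + "\n".join(warns))
```

On this script the review lists sixteen actions and two warnings, both for the SafeBoot keys: deleting entries under `SafeBoot\Minimal` and `SafeBoot\network` changes what loads in Safe Mode, which is exactly why a reviewer wants them called out even when, as here, the entries are ones the malware added.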



