
Virus? Tries to Delete Startup Modules And Prevents Internet Access



#1 fozzypeg (Members, 4 posts)

Posted 05 November 2008 - 06:52 AM

I'm pretty much 100% sure a trojan has infected my computer. I had one a while ago (about a month) and although Kaspersky said it had neutralized it, judging by my computer's behaviour now there's something seriously wrong. I'm guessing it might have come from some custom content for Sims 2 that I downloaded, it seems the most high risk anyway. I don't know much about computers, so I'm not sure about the technical jargon, but I know this much:

Something consistently tries to delete startup modules, particularly when I try to connect to the internet. I think it might be writing itself into my hkey modules/files? It's often the files called hkey that try to delete the list of startup modules (sometimes it comes from the System 32 file or similar files) and Kaspersky intercepts it. Me, being stupid and before I realised it must be a virus, once allowed it to, and then, of course, the next time I booted up my computer, it wouldn't boot. :thumbsup: I managed to reverse it after some frustration thankfully, but I still have no idea how to get rid of a virus once it's infected my computer. Kaspersky won't identify it, nor does Windows Defender (no surprise there). Other than those programs the only other defensive program I have is PC Tools Spyware Doctor which naturally doesn't detect anything. I'm afraid to download any other programs which might help. I don't want to make things worse.

Also, the internet browsers won't work properly (Firefox doesn't even open. I click it and it does nothing. Internet Explorer opens and then stops responding). I managed to get them working today by restoring my computer to a different point and by sheer persistence (e.g. clicking the icon over and over and then reading a book until the program finally opened). They stopped working again, so I restarted my computer and it's all working all right for now, but I'm not sure for how long. I'm trying to post this before anything happens to the computer. Also, when I was connecting to the internet my computer would freeze, particularly when I opened Windows Explorer.

Finally, it also doesn't allow me to use Help and Support on my computer (the program wouldn't respond, which left me high and dry since I couldn't connect to the internet for help or use the offline help) and my internet connection icon has disappeared from my toolbar, the picture of the two little computers. That only disappeared when my computer started acting strangely.

To be honest, I'm not sure why it's all working for now, probably thanks to the system restore that finally worked and maybe because I was finally able to update and fix all the security problems that occurred from lack of internet, but I can still tell my computer isn't ok and that it's still in a fragile state. Can anyone help me?

I should perhaps also mention the rundll32.exe constantly crashes. It likes to open about 30-50 windows saying it's stopped running when I try and watch a film, and I just can't seem to make it actually stop trying to run. I don't know if that has anything to do with a virus. Anyway if anyone can help me, I'd be so grateful. :flowers: Thank you!

Edited by fozzypeg, 05 November 2008 - 06:57 AM.



#2 rigel (FD-BC, Members, 12,944 posts, Male, South Carolina - USA)

Posted 05 November 2008 - 11:00 AM

Hi Fozzypeg and welcome to BC :thumbsup:

While we have an active internet connection, please follow the procedure below.

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself.
  • Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note:
-- If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless of whether you are prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.

-- MBAM may make changes to your registry as part of its disinfection routine. If you're using other security programs that detect registry changes (like Spybot's Teatimer), they may interfere with the fix or alert you after scanning with MBAM. Please disable such programs until disinfection is complete or permit them to allow the changes.

"In a world where you can be anything, be yourself." ~ unknown

"Fall in love with someone who deserves your heart. Not someone who plays with it." ~ Will Smith


#3 fozzypeg (Topic Starter, Members, 4 posts)

Posted 06 November 2008 - 09:29 AM

Thank you for that advice. :thumbsup: I tried doing everything you said but Malwarebytes didn't detect anything. I also ran a full scan and it still didn't detect anything. I can't understand it. The virus is still doing its thing though. It took me about half an hour to get on the internet by restarting my computer and various programs. It seems when I connect to the internet the virus uses svchost.exe to try and delete my startup files, and then although Kaspersky intercepts it, it spreads throughout my system causing everything to crash. I guess if I didn't have Kaspersky, then Windows wouldn't be able to reboot when I restart my computer. Everything works fine as long as I don't connect to the internet, but like now, I've managed to get on the internet and that virus hasn't activated. Svchost.exe hasn't done anything yet. I'm guessing svchost.exe is part of Windows so I haven't deleted it yet, but do you have any other advice? Is there any way I can manually hunt down this virus and remove it? Thank you so much for your help. :flowers:

#4 rigel (FD-BC, Members, 12,944 posts, Male, South Carolina - USA)

Posted 06 November 2008 - 10:44 AM

Can you run Kaspersky and post that log? What version of Windows are you running?



#5 fozzypeg (Topic Starter, Members, 4 posts)

Posted 07 November 2008 - 01:00 PM

Is this the log you mean?

08/11/2008 02:48:10 Process C:\Windows\system32\svchost.exe (PID: 1136): attempt to delete list of modules executed during system startup (key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\00001A7C, value , data ) blocked.

That's the error it comes up with and as soon as it does everything goes wrong. Somehow today it managed to get round Kaspersky and deleted the registry list. I had to do a system restore again because Windows wouldn't boot. It's Windows Vista I'm using. :thumbsup: Thanks.
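The blocked event quoted above carries more information than it first appears to: the registry path is the Winsock protocol catalog (the list of layered service providers that every socket-using program on the machine is routed through, which is why breaking it takes the browsers and Help and Support down together), and svchost.exe is Windows' generic service host, so the PID, not the image name, is what identifies the service that actually issued the write. The following is an added example, not code from the thread or from Kaspersky, that parses events in this log format and ranks them for triage. The sample log is constructed: its first line is the event quoted in the thread, the other two are invented variants in the same layout; the key classes, severities and `HOST_PROCESSES` set are the example's own assumptions.

```python
"""Parse and rank Kaspersky 'list of modules executed during system startup' events."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: line 1 is the event quoted in the thread, lines 2-3 are
# made-up variants in the same format so the ranking has something to compare.
SAMPLE_LOG = """\
08/11/2008 02:48:10 Process C:\\Windows\\system32\\svchost.exe (PID: 1136): attempt to delete list of modules executed during system startup (key HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\WinSock2\\Parameters\\Protocol_Catalog9\\00001A7C, value , data ) blocked.
08/11/2008 02:50:03 Process C:\\Program Files\\Example\\setup.exe (PID: 2204): attempt to modify list of modules executed during system startup (key HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run, value Updater, data C:\\Temp\\upd.exe) blocked.
08/11/2008 02:51:17 Process C:\\Windows\\explorer.exe (PID: 1588): attempt to delete list of modules executed during system startup (key HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\WinSock2\\Parameters\\NameSpace_Catalog5\\Catalog_Entries\\000000000003, value , data ) blocked.
"""

# One regex for the whole line; the key contains no commas and the data no ')'.
EVENT_RE = re.compile(
    r"^(?P<date>\d{2}/\d{2}/\d{4}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"Process (?P<image>.+?) \(PID: (?P<pid>\d+)\): "
    r"attempt to (?P<action>\w+) list of modules executed during system startup "
    r"\(key (?P<key>[^,]+), value (?P<value>[^,]*), data (?P<data>[^)]*)\) "
    r"(?P<verdict>blocked|allowed)\.$"
)

# Windows binaries that execute other parties' code (services, DLL exports,
# shell extensions): the image name alone does not say which component acted.
HOST_PROCESSES = {"svchost.exe", "rundll32.exe", "explorer.exe"}


def classify_key(key: str) -> str:
    """Map a registry path to a coarse class (assumed categories, not Kaspersky's)."""
    k = key.upper()
    if "\\WINSOCK2\\PARAMETERS\\PROTOCOL_CATALOG9" in k:
        return "winsock-protocol-catalog"
    if "\\WINSOCK2\\PARAMETERS\\NAMESPACE_CATALOG5" in k:
        return "winsock-namespace-catalog"
    if "\\CURRENTVERSION\\RUN" in k:
        return "run-key"
    return "other"


@dataclass
class Event:
    date: str
    time: str
    image: str
    pid: int
    action: str
    key: str
    value: str
    data: str
    verdict: str

    @property
    def exe(self) -> str:
        # Basename of the image path, lower-cased for set membership tests.
        return self.image.rsplit("\\", 1)[-1].lower()

    @property
    def key_class(self) -> str:
        return classify_key(self.key)


def parse_event(line: str) -> Optional[Event]:
    """Return an Event for a well-formed line, or None for anything else."""
    m = EVENT_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    return Event(d["date"], d["time"], d["image"], int(d["pid"]), d["action"],
                 d["key"].strip(), d["value"].strip(), d["data"].strip(), d["verdict"])


def severity(ev: Event) -> str:
    # Deleting Winsock catalog entries breaks sockets/name resolution for every
    # program, which matches a 'no internet, browsers hang' symptom; rank that
    # above a Run-key edit, which only affects the next logon.
    if ev.key_class.startswith("winsock") and ev.action == "delete":
        return "high"
    if ev.key_class == "run-key":
        return "medium"
    return "low"


def triage(log_text: str) -> List[dict]:
    """One summary row per parseable event, in log order."""
    rows = []
    for line in log_text.splitlines():
        ev = parse_event(line)
        if ev is None:
            continue
        rows.append({
            "time": f"{ev.date} {ev.time}",
            "exe": ev.exe,
            "pid": ev.pid,
            "action": ev.action,
            "key_class": ev.key_class,
            "verdict": ev.verdict,
            "severity": severity(ev),
            # For a host process the PID, not the image, points at the culprit.
            "needs_pid_lookup": ev.exe in HOST_PROCESSES,
        })
    return rows


if __name__ == "__main__":
    for row in triage(SAMPLE_LOG):
        print(row)
```

On a live machine the `needs_pid_lookup` flag is the cue to map the PID to the services it hosts with `tasklist /svc` while the process is still running, since a later svchost.exe instance will get a different PID; and once a catalog entry has actually been removed and connectivity is gone, `netsh winsock reset` rebuilds the catalog without a System Restore.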

#6 rigel (FD-BC, Members, 12,944 posts, Male, South Carolina - USA)

Posted 07 November 2008 - 03:07 PM

Let's try this...

Please run the F-Secure Online Scanner
Note: This scanner is for Internet Explorer only!
  • Follow the instructions here for installation.
  • Accept the License Agreement.
  • Once the ActiveX installs, click Full System Scan.
  • Once the download completes, the scan will begin automatically.
  • The scan will take some time to finish, so please be patient.
  • When the scan completes, click the Automatic cleaning (recommended) button.
  • Click the Show Report button and copy & paste the entire report in your next reply.



#7 fozzypeg (Topic Starter, Members, 4 posts)

Posted 08 November 2008 - 02:13 AM

Ok, thanks. I've done that and here is the report. :thumbsup:

Scanning Report
Saturday, November 08, 2008 13:58:42 - 16:09:55
Scanning type: Scan system for malware, rootkits
Target: C:\


--------------------------------------------------------------------------------

Result: 1 malware found
TrackingCookie.Atdmt (spyware)
System

--------------------------------------------------------------------------------

Statistics
Scanned:
Files: 43634
System: 4032
Not scanned: 21
Actions:
Disinfected: 0
Renamed: 0
Deleted: 0
None: 1
Submitted: 0
Files not scanned:
C:\HIBERFIL.SYS
C:\PAGEFILE.SYS
C:\WINDOWS\SYSTEM32\CONFIG\COMPONENTS
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT
C:\WINDOWS\SYSTEM32\CONFIG\SAM
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY
C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM
C:\WINDOWS\SYSTEM32\CONFIG\REGBACK\COMPONENTS
C:\WINDOWS\SYSTEM32\CONFIG\REGBACK\DEFAULT
C:\WINDOWS\SYSTEM32\CONFIG\REGBACK\SAM
C:\WINDOWS\SYSTEM32\CONFIG\REGBACK\SECURITY
C:\WINDOWS\SYSTEM32\CONFIG\REGBACK\SOFTWARE
C:\WINDOWS\SYSTEM32\CONFIG\REGBACK\SYSTEM
C:\WINDOWS\SYSTEM32\CATROOT2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\CATDB
C:\WINDOWS\SYSTEM32\CATROOT2\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\CATDB
C:\USERS\JAY\APPDATA\LOCAL\MICROSOFT\WINDOWS DEFENDER\FILETRACKER\{F7135D59-A4BB-4E4B-B0B5-FF9BAA5261A0}
C:\USERS\JAY\APPDATA\LOCAL\MICROSOFT\INPUTPERSONALIZATION\INKSTORE.MDB
C:\USERS\ALL USERS\MICROSOFT\CRYPTO\RSA\MACHINEKEYS\81DC85A7F8ED4886331A701099CF532A_8E37F9C7-4C10-426E-A7DA-32B3457CF2A7
C:\PROGRAMDATA\MICROSOFT\CRYPTO\RSA\MACHINEKEYS\81DC85A7F8ED4886331A701099CF532A_8E37F9C7-4C10-426E-A7DA-32B3457CF2A7
C:\BOOT\BCD

#8 rigel (FD-BC, Members, 12,944 posts, Male, South Carolina - USA)

Posted 08 November 2008 - 08:58 PM

Let's rerun Malwarebytes now. Please update it and post a new log.
