I can't solve this virus problem on my laptop, PLEASE HELP!


14 replies to this topic

#1 bodom_child


Posted 19 November 2008 - 08:13 PM

My laptop kept freezing, popups were coming up even though I had them all blocked and my searches on search engines were getting redirected to random pages.

I went on Yahoo Answers because I didn't know what it was that was causing this and lots of people told me it was spyware so I downloaded SUPERAntiSpyware, I scanned my computer and it found nothing so I turned my computer to safe mode and did it again, it found some adware and other stuff and I got rid of it.

Then...I scanned it with AVG and found FOUR TROJAN HORSES!!!!! I got rid of them also and now I'm still experiencing the same problems, I've done everything I can and now I don't know what to do, I don't want to have to reboot it and lose all my data.

Please Help.



#2 garmanma


Posted 19 November 2008 - 08:24 PM

Welcome to BC.
Please download Malwarebytes Anti-Malware and save it to your desktop.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • On the Scanner tab:
    • Make sure the "Perform Quick Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless if prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. MBAM may make changes to your registry as part of its disinfection routine. If you're using other security programs that detect registry changes, they may alert you after scanning with MBAM. Please permit the program to allow the changes.
Mark

Having grandkids is God's way of giving you a 2nd chance because you were too busy working your butt off the 1st time around
Do not send me PMs with problems that should be posted in the forums. Keep it in the forums, so everyone benefits

#3 bodom_child


Posted 19 November 2008 - 08:46 PM

OK so here's the report.






Malwarebytes' Anti-Malware 1.30
Database version: 1412
Windows 6.0.6000

20/11/2008 01:44:46
mbam-log-2008-11-20 (01-44-46).txt

Scan type: Quick Scan
Objects scanned: 53969
Time elapsed: 11 minute(s), 59 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 17
Registry Values Infected: 0
Registry Data Items Infected: 6
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\Interface\{2e9937fc-cf2f-4f56-af54-5a6a3dd375cc} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{741de825-a6f0-4497-9aa6-8023cf9b0fff} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{cf54be1c-9359-4395-8533-1657cf209cfe} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{147a976f-eee1-4377-8ea7-4716e4cdd239} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{d518921a-4a03-425e-9873-b9a71756821e} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{07b18ea9-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{07b18ea1-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{00a6faf1-072e-44cf-8957-5838f569a31d} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{56256a51-b582-467e-b8d4-7786eda79ae0} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{59c7fc09-1c83-4648-b3e6-003d2bbc7481} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{68af847f-6e91-45dd-9b68-d6a12c30e5d7} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{9170b96c-28d4-4626-8358-27e6caeef907} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{d1a71fa0-ff48-48dd-9b6d-7a13a3e42127} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{ddb1968e-ead6-40fd-8dae-ff14757f60c7} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{f138d901-86f0-4383-99b6-9cdd406036da} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\RunDll32Policy\f3ScrCtr.dll (Adware.MyWay) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.122 85.255.112.106 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{03c42ae9-2c0d-45ac-93ce-38eadde61976}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.122 85.255.112.106 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.122 85.255.112.106 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{03c42ae9-2c0d-45ac-93ce-38eadde61976}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.122 85.255.112.106 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.122 85.255.112.106 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\Interfaces\{03c42ae9-2c0d-45ac-93ce-38eadde61976}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.122 85.255.112.106 -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#4 bodom_child


Posted 19 November 2008 - 08:58 PM

Oh and just to let you know.
I tried again and I'm still experiencing problems.

#5 DaChew


Posted 19 November 2008 - 10:22 PM

Your infection might be router based

http://blog.washingtonpost.com/securityfix...s_wirele_1.html

If so you would have to reset your router and enter a strong login and password to keep the trojan from reinfecting it and your computer.
Chewy

No. Try not. Do... or do not. There is no try.

#6 bodom_child


Posted 20 November 2008 - 02:05 PM

Done that....still getting these problems :thumbsup: :flowers:

#7 DaChew


Posted 20 November 2008 - 02:50 PM

You have to disinfect a computer completely, then with the router disconnected from all other computers and the internet, disinfect the router by resetting it and then setting a strong password and login so the trojan can't reprogram the DNS servers.
Chewy

No. Try not. Do... or do not. There is no try.

#8 bodom_child


Posted 20 November 2008 - 06:35 PM

Ok I did another scan on my computer and I shall post the report for it in a minute but how come yesterday when I checked it, it said I got rid of everything and then today I got 6 of those trojan DNS changers showing up on the report?
Surely I couldn't have acquired these in a day, could I?
They always seem to be in the registry where I get them.
How can I prevent this happening again?
The problems have cleared up now but why yesterday, when it said I had got rid of all the infections, was I still getting the same problems and then today they go?
I don't get it.


The report:


Malwarebytes' Anti-Malware 1.30
Database version: 1412
Windows 6.0.6000

20/11/2008 23:18:55
mbam-log-2008-11-20 (23-18-55).txt

Scan type: Full Scan (C:\|D:\|E:\|H:\|)
Objects scanned: 121698
Time elapsed: 5 hour(s), 28 minute(s), 13 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 6
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.122 85.255.112.106 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{03c42ae9-2c0d-45ac-93ce-38eadde61976}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.122 85.255.112.106 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.122 85.255.112.106 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{03c42ae9-2c0d-45ac-93ce-38eadde61976}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.122 85.255.112.106 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.122 85.255.112.106 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\Interfaces\{03c42ae9-2c0d-45ac-93ce-38eadde61976}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.122 85.255.112.106 -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#9 DaChew


Posted 20 November 2008 - 06:45 PM

I don't pretend to understand all of this stuff but as soon as you connect a computer thru an infected router to the internet you will be attacked,

inetnum: 85.255.112.0 - 85.255.127.255
netname: UkrTeleGroup
descr: UkrTeleGroup Ltd.
admin-c: UA481-RIPE
tech-c: UA481-RIPE
country: UA
org: ORG-UL25-RIPE
status: ASSIGNED PI
mnt-by: RIPE-NCC-HM-PI-MNT
mnt-lower: RIPE-NCC-HM-PI-MNT
mnt-by: UKRTELE-MNT
mnt-routes: UKRTELE-MNT
mnt-domains: UKRTELE-MNT
source: RIPE # Filtered


since they control all routing to your machine they can exploit ActiveX, Java, IE, Firefox and Windows vulnerabilities

and attack Linux or Mac machines if they want
Chewy

No. Try not. Do... or do not. There is no try.
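Added example, not part of any post in this thread: a Python triage of the two Malwarebytes logs above that pulls out the flagged `DhcpNameServer` data, checks it against the `inetnum` range in the whois output, and lists the registry paths that were deleted in the first scan and flagged again in the second. `DhcpNameServer` is the value Windows fills from the DHCP lease (a manually configured server lives in `NameServer`), so an identical value returning after deletion points at whatever answers DHCP, which is the router theory raised in the thread. The function names and the shortened sample logs are constructed for this example.

```python
import ipaddress
import re

# Bounds of the inetnum range in the whois output quoted in the thread.
ROGUE_LO, ROGUE_HI = map(ipaddress.IPv4Address, ("85.255.112.0", "85.255.127.255"))

# Shape of a "Registry Data Items Infected" line in the MBAM 1.30 logs posted above.
LINE_RE = re.compile(r"^(HKEY_.*)\\([^\\\s]+) \(([^)]+)\) -> Data: (.*?) -> ")

def parse_findings(log_text):
    """Return a list of dicts, one per registry data item that carries IPv4 data."""
    out = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # headers, counters, key-only detections
        key, value, family, data = m.groups()
        ips = []
        for tok in data.split():
            try:
                ips.append(ipaddress.IPv4Address(tok))
            except ValueError:
                pass  # data that is not an IPv4 address is ignored
        if ips:
            out.append({
                "key": key, "value": value, "family": family,
                "servers": [str(ip) for ip in ips],
                "in_rogue_range": all(ROGUE_LO <= ip <= ROGUE_HI for ip in ips),
                # DhcpNameServer is filled from the DHCP lease; NameServer is static.
                "from_dhcp": value == "DhcpNameServer",
            })
    return out

def recurring(earlier, later):
    """Findings in the later scan whose path and servers were also in the earlier one."""
    seen = {(f["key"], f["value"], tuple(f["servers"])) for f in earlier}
    return [f for f in later if (f["key"], f["value"], tuple(f["servers"])) in seen]

# Constructed excerpts: two of the six data-item lines from each log in the thread.
TCPIP = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters"
TAIL = " (Trojan.DNSChanger) -> Data: 85.255.112.122 85.255.112.106 -> Quarantined and deleted successfully.\n"
SCAN = (TCPIP + r"\DhcpNameServer" + TAIL
        + TCPIP + r"\Interfaces\{03c42ae9-2c0d-45ac-93ce-38eadde61976}\DhcpNameServer" + TAIL)
SCAN_1 = "Registry Data Items Infected: 6\n" + SCAN   # 20/11/2008 01:44 quick scan
SCAN_2 = "Registry Data Items Infected: 6\n" + SCAN   # 20/11/2008 23:18 full scan

if __name__ == "__main__":
    for f in recurring(parse_findings(SCAN_1), parse_findings(SCAN_2)):
        print(f["key"], f["servers"], f["in_rogue_range"], f["from_dhcp"])
```

Every recurring entry that is both in the flagged range and DHCP-supplied means the host's lease, not only its registry, has to be corrected before a rescan will stay clean.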

#10 bodom_child


Posted 20 November 2008 - 06:53 PM

Okay right so should I reset my router again because I don't think I did it properly this time.
I don't know how to change the password and the name though.
I don't think I can, should I contact my internet service provider?

#11 DaChew


Posted 20 November 2008 - 07:24 PM

By all means consult your ISP, most routers come with a manual, we may be chasing a wild goose and your router/modem may not even be one of those that can be infected?

I am just trying to cover all the bases
Chewy

No. Try not. Do... or do not. There is no try.

#12 bodom_child


Posted 20 November 2008 - 07:50 PM

Okay well it's better to be safe than sorry I suppose.

I will do that anyway because I really don't want to have to go through all this trouble again.

What's the best way to keep my laptop secure? Do you have any advice?

#13 DaChew


Posted 20 November 2008 - 08:13 PM

Tips to protect yourself against malware and reduce the potential for re-infection:


Quietman7 covers that quite well in his closing

http://www.bleepingcomputer.com/forums/ind...mp;#entry943994

Edited by DaChew, 20 November 2008 - 08:13 PM.

Chewy

No. Try not. Do... or do not. There is no try.

#14 bodom_child


Posted 21 November 2008 - 12:43 AM

Okay so I must have been virus free for about an hour and these problems have come back again!!!

I really don't know what to do....I've done everything =/

#15 bodom_child


Posted 26 December 2008 - 06:58 PM

I still have problems!!! =[
Argh!!
I have these 6 trojan DNS changers, I searched for them and removed them with SUPERAntiSpyware but within minutes the 6 trojans were back again.
I stupidly left them because I didn't know what to do and now when I scan I cannot find them =/
I'm worried!
HELP!!



