[malware] Can't defrag or update malware software


9 replies to this topic

#1 Overman

  • Members
  • 6 posts

Posted 07 December 2008 - 04:40 PM

Hello from Overman
Running Windows XP w/ SP2... Inspiron 2200 laptop from Dell

I've got something (virus/trojan/malware, I don't know) that's been messing around with me.

I can't defrag, do System Restore, run chkdsk, run Disk Cleanup, or any of that. It's blocking all my malware software from updating, so perhaps that's why nothing's finding it (see below). Also, when I click on a search result, I get taken to a completely random page. I found out that my TCP/IP nameservers have been changed to 85.255.113.125 and whenever I change it to "Obtain DNS server address automatically" it gets changed back!! I mean, WHAT??!

I've done EVERYTHING. I've run every program I could find - malware scanners, registry cleaners, anti-virus, and more. Some of them found trojans and got rid of them, but nothing's helping the actual situation. I've looked through all my processes and tried disabling each one, and either I'm completely stupid or this thing was programmed by some kind of destructive evil genius. For Pete's sake, my friend was in safe mode for three hours and couldn't fix the darn thing.

Any help? Yes, I am crying. Oh, and if it helps, I disabled Windows Update a long time ago because I don't trust it.



#2 ruby1

    a forum member

  • Members
  • 2,375 posts

Posted 07 December 2008 - 04:49 PM

welcome :thumbsup:

to avoid duplication of scanning tools, can you tell us EXACTLY which scanners you have run?

Hopefully ComboFix is not among them :flowers: so can you let us see any reports from those scans so someone can check them for you?

"I disabled windows update a long time ago because I don't trust it"


You have XP SP2 installed (?) but at this point in time when DID you last go TO the Microsoft Windows Update site FOR updates?

Your ONE installed antivirus program is what?

#3 Overman

  • Topic Starter
  • Members
  • 6 posts

Posted 07 December 2008 - 05:00 PM


Thanks for the reply,

No, I have not used ComboFix. I ran HJT, SmitfraudFix, Spyware Doctor, Spybot, Malwarebytes, SuperAntiSpyware, and FixWareout. (Malwarebytes froze mid-scan and doesn't work anymore. I also used something else, called Malware Guard or something like that, but it caused my computer to freeze and I uninstalled it.)

My anti-virus is AVG. It found some trojans at first but after fixing them it's not finding anything, and the problem persists.

I last got a windows update about 10 months ago :inlove:

Here is my HJT report: *nevermind*



You see the nameserver stuff? Whenever I fix that, it just comes back.. I can give you other reports if you think it's necessary...

My computer was completely healthy two days ago, and now this virus/trojan/whatever is messing everything up! :flowers:

{Mod Edit: removed unnecessary posts to clean up topic~~boopme}

Edited by boopme, 07 December 2008 - 05:23 PM.


#4 ruby1

    a forum member

  • Members
  • 2,375 posts

Posted 07 December 2008 - 05:43 PM

Could you kindly post the reports from these two programs only, so they can be checked for you:

Malwarebytes and SuperAntiSpyware :thumbsup:

#5 Overman

  • Topic Starter
  • Members
  • 6 posts

Posted 07 December 2008 - 06:11 PM

Report from superantispyware:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 12/07/2008 at 06:05 PM

Application Version : 4.22.1014

Core Rules Database Version : 3640
Trace Rules Database Version: 1623

Scan type : Complete Scan
Total Scan Time : 00:44:55

Memory items scanned : 461
Memory threats detected : 0
Registry items scanned : 5102
Registry threats detected : 3
File items scanned : 17428
File threats detected : 8

Adware.Tracking Cookie
C:\Documents and Settings\***\Cookies\***@atwola[1].txt
C:\Documents and Settings\***\Cookies\***@advertising[1].txt
C:\Documents and Settings\***\Cookies\***@ar.atwola[1].txt
C:\Documents and Settings\***\Cookies\***@at.atwola[1].txt
C:\Documents and Settings\***\Cookies\***@revsci[2].txt
C:\Documents and Settings\***\Cookies\***@atdmt[2].txt
C:\Documents and Settings\***\Cookies\***@cdn.at.atwola[1].txt

Trojan.DNS-Changer (Hi-Jacked DNS)
HKLM\SYSTEM\CONTROLSET001\SERVICES\TCPIP\PARAMETERS\INTERFACES\{63B1BAD1-38B4-4712-8962-007AB8A71FA2}#NAMESERVER
HKLM\SYSTEM\CONTROLSET001\SERVICES\TCPIP\PARAMETERS\INTERFACES\{8A60F6FA-2B35-457F-8B3C-2B4F023BEEA9}#NAMESERVER
HKLM\SYSTEM\CONTROLSET002\SERVICES\TCPIP\PARAMETERS\INTERFACES\{8A60F6FA-2B35-457F-8B3C-2B4F023BEEA9}#NAMESERVER

Windows SearchAssistant
C:\DOCUMENTS AND SETTINGS\***\DESKTOP\STUFF\C++ FILES\OMNISCIENT\OMNISCIENT.EXE

I replaced my name with asterisks.

These results are useless because I can quarantine everything my anti-spyware finds, but it all comes back.

Malwarebytes, like I've said, doesn't work anymore. *edit* I reinstalled malwarebytes and here are the results of a quick scan:

Malwarebytes' Anti-Malware 1.31
Database version: 1471
Windows 5.1.2600 Service Pack 2

12/7/2008 6:32:26 PM
mbam-log-2008-12-07 (18-32-26).txt

Scan type: Quick Scan
Objects scanned: 50714
Time elapsed: 3 minute(s), 56 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 16
Folders Infected: 0
Files Infected: 5

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\Program Files\Mozilla Firefox\components\iamfamous.dll (Trojan.Agent) -> Delete on reboot.

Registry Keys Infected:
HKEY_CLASSES_ROOT\homeview (Trojan.DNSChanger) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.113.125;85.255.112.92 -> Delete on reboot.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.113.125;85.255.112.92 -> Delete on reboot.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{63b1bad1-38b4-4712-8962-007ab8a71fa2}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.113.125;85.255.112.92 -> Delete on reboot.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{63b1bad1-38b4-4712-8962-007ab8a71fa2}\NameServer (Trojan.DNSChanger) -> Data: 85.255.113.125;85.255.112.92 -> Delete on reboot.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{8a60f6fa-2b35-457f-8b3c-2b4f023beea9}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.113.125;85.255.112.92 -> Delete on reboot.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{8a60f6fa-2b35-457f-8b3c-2b4f023beea9}\NameServer (Trojan.DNSChanger) -> Data: 85.255.113.125;85.255.112.92 -> Delete on reboot.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.113.125;85.255.112.92 -> Delete on reboot.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.113.125;85.255.112.92 -> Delete on reboot.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{63b1bad1-38b4-4712-8962-007ab8a71fa2}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.113.125;85.255.112.92 -> Delete on reboot.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{63b1bad1-38b4-4712-8962-007ab8a71fa2}\NameServer (Trojan.DNSChanger) -> Data: 85.255.113.125;85.255.112.92 -> Delete on reboot.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{8a60f6fa-2b35-457f-8b3c-2b4f023beea9}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.113.125;85.255.112.92 -> Delete on reboot.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{8a60f6fa-2b35-457f-8b3c-2b4f023beea9}\NameServer (Trojan.DNSChanger) -> Data: 85.255.113.125;85.255.112.92 -> Delete on reboot.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.113.125;85.255.112.92 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\Interfaces\{63b1bad1-38b4-4712-8962-007ab8a71fa2}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.113.125;85.255.112.92 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\Interfaces\{8a60f6fa-2b35-457f-8b3c-2b4f023beea9}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.113.125;85.255.112.92 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\Interfaces\{8a60f6fa-2b35-457f-8b3c-2b4f023beea9}\NameServer (Trojan.DNSChanger) -> Data: 85.255.113.125;85.255.112.92 -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\msqpdxosvdbrsr.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\msqpdxriqpxfum.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\drivers\msqpdxpqltoiqh.sys (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\msqpdxserv.sys (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Program Files\Mozilla Firefox\components\iamfamous.dll (Trojan.Agent) -> Delete on reboot.


Thanks for your time.

***EDIT: After restarting my computer after running MalwareBytes, the infection seems to be gone. Thanks for your help everybody! I will make sure to come back here when I have further issues ;) ***

Edited by Overman, 07 December 2008 - 08:17 PM.
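An added check for the hijack described in the first post and recorded in the Malwarebytes log above; it is not code from this thread or from any of the tools named in it. The log shows the resolvers 85.255.113.125 and 85.255.112.92 written into both NameServer and DhcpNameServer, under the global Tcpip\Parameters key and under each adapter GUID in Interfaces, and in ControlSet001 and ControlSet002 as well as CurrentControlSet. The script below walks every ControlSet and flags any resolver that is neither a private (RFC 1918 or loopback) address nor on an explicit allowlist. It assumes PowerShell 2.0 or later, an elevated prompt, and that 192.168.1.1 (the router the SmitfraudFix DNS section shows) is the only resolver you expect; change $Expected for your own network.

```powershell
# Added example for this thread, not code from the page or from any tool named in it.
# Audits the TCP/IP resolver values the Malwarebytes log lists (NameServer and
# DhcpNameServer under Tcpip\Parameters and under each Interfaces\{GUID}) in EVERY
# ControlSet, since the log shows them in ControlSet001 and ControlSet002 as well.
# Assumes PowerShell 2.0 or later and an elevated prompt.

# Resolvers you expect. 192.168.1.1 is the router the SmitfraudFix DNS section shows;
# adjust for your own network (assumption).
$Expected = @('192.168.1.1')

function Test-PrivateIPv4 {
    param([string]$Address)
    $ip = $null
    if (-not [System.Net.IPAddress]::TryParse($Address, [ref]$ip)) { return $false }
    if ($ip.AddressFamily -ne [System.Net.Sockets.AddressFamily]::InterNetwork) { return $false }
    $b = $ip.GetAddressBytes()
    # RFC 1918 ranges and loopback. A public address configured as a home laptop's
    # resolver is what the hijack above looks like (85.255.113.125 / 85.255.112.92).
    return ($b[0] -eq 10) -or
           ($b[0] -eq 172 -and $b[1] -ge 16 -and $b[1] -le 31) -or
           ($b[0] -eq 192 -and $b[1] -eq 168) -or
           ($b[0] -eq 127)
}

function Get-TcpipResolvers {
    $results = @()
    $controlSets = Get-ChildItem 'HKLM:\SYSTEM' | Where-Object { $_.PSChildName -like 'ControlSet*' }
    foreach ($cs in $controlSets) {
        $params = "HKLM:\SYSTEM\$($cs.PSChildName)\Services\Tcpip\Parameters"
        # The global key plus one key per adapter GUID, the same paths the log reports.
        $keys = @($params)
        $keys += Get-ChildItem "$params\Interfaces" -ErrorAction SilentlyContinue |
                 ForEach-Object { $_.PSPath }
        foreach ($key in $keys) {
            if (-not $key) { continue }
            $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
            foreach ($name in 'NameServer', 'DhcpNameServer') {
                $raw = $props.$name
                if ([string]::IsNullOrEmpty($raw)) { continue }
                # Windows stores several resolvers space- or comma-separated; scanners print them with ';'.
                foreach ($addr in ($raw -split '[ ,;]+')) {
                    if (-not $addr) { continue }
                    $results += New-Object PSObject -Property @{
                        Key        = $key -replace '^.*::', ''
                        Value      = $name
                        Resolver   = $addr
                        Suspicious = -not (($Expected -contains $addr) -or (Test-PrivateIPv4 $addr))
                    }
                }
            }
        }
    }
    return $results
}

$all = Get-TcpipResolvers
$all | Sort-Object Suspicious -Descending | Format-Table Suspicious, Resolver, Value, Key -AutoSize
$bad = @($all | Where-Object { $_.Suspicious })
if ($bad.Count -gt 0) {
    Write-Warning ("{0} resolver entries are outside the expected set; compare them with the scan logs above." -f $bad.Count)
}
```

Run it before and after cleaning. A clean result looks like the SmitfraudFix DNS section later in the thread: only 192.168.1.1, in every ControlSet. If an unexpected resolver reappears after you clear it, as the first post describes, the DNS values are a symptom rather than the thing to fix, and the files and drivers the scanners report are what to chase; clearing the values again on their own proves nothing.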


#6 boopme

    To Insanity and Beyond

  • Global Moderator
  • 72,739 posts
  • Gender:Male
  • Location:NJ USA

Posted 07 December 2008 - 11:43 PM

Before you go, please just run this.
Please download SmitfraudFix

Double-click SmitfraudFix.exe
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/proc...processutil.htm
How do I get help? Who is helping me? For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear.... Become a BleepingComputer fan: Facebook

#7 Overman

  • Topic Starter
  • Members
  • 6 posts

Posted 08 December 2008 - 05:28 PM

Oops...

SmitFraudFix v2.381

Scan done at 17:06:07.75, Mon 12/08/2008
Run from C:\Documents and Settings\****\Desktop\Maintenance\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\CursorXP\CursorXP.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\AIM\aim.exe
C:\Documents and Settings\****\Desktop\Maintenance\SmitfraudFix\Policies.exe
C:\WINDOWS\system32\cmd.exe

hosts


C:\


C:\WINDOWS


C:\WINDOWS\system


C:\WINDOWS\Web


C:\WINDOWS\system32


C:\WINDOWS\system32\LogFiles


C:\Documents and Settings\****


C:\DOCUME~1\**~1\LOCALS~1\Temp


C:\Documents and Settings\****\Application Data


Start Menu


C:\DOCUME~1\**~1\FAVORI~1


Desktop


C:\Program Files


Corrupted keys


Desktop Components



o4Patch
!!!Attention, following keys are not inevitably infected!!!

o4Patch
Credits: Malware Analysis & Diagnostic
Code: S!Ri



IEDFix
!!!Attention, following keys are not inevitably infected!!!

IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri



VACFix
!!!Attention, following keys are not inevitably infected!!!

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


404Fix
!!!Attention, following keys are not inevitably infected!!!

404Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""


Winlogon
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"
"System"=""


RK



DNS

Description: Dell Wireless 1350 WLAN Mini-PCI Card - Packet Scheduler Miniport
DNS Server Search Order: 192.168.1.1

HKLM\SYSTEM\CCS\Services\Tcpip\..\{8A60F6FA-2B35-457F-8B3C-2B4F023BEEA9}: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS1\Services\Tcpip\..\{8A60F6FA-2B35-457F-8B3C-2B4F023BEEA9}: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS2\Services\Tcpip\..\{8A60F6FA-2B35-457F-8B3C-2B4F023BEEA9}: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1


Scanning for wininet.dll infection


End



#8 boopme

    To Insanity and Beyond

  • Global Moderator
  • 72,739 posts
  • Gender:Male
  • Location:NJ USA

Posted 09 December 2008 - 03:47 PM

oops and oops, we are all human :thumbsup:. So it looks good; any more symptoms?

#9 Overman

  • Topic Starter
  • Members
  • 6 posts

Posted 09 December 2008 - 04:17 PM

No, nothing I've noticed. I'm so glad this got settled :thumbsup: Thanks for all your help!

Edited by Overman, 09 December 2008 - 04:17 PM.


#10 boopme

    To Insanity and Beyond

  • Global Moderator
  • 72,739 posts
  • Gender:Male
  • Location:NJ USA

Posted 09 December 2008 - 04:32 PM

You're welcome from all at BC..

Now you should Create a New Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been saved in System Restore. Since this is a protected directory that your tools cannot access to delete these files, it can sometimes reinfect your system if you accidentally use an old restore point. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll back" to a clean working state.

The easiest and safest way to do this is:
  • Go to Start > Programs > Accessories > System Tools and click "System Restore".
  • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name, then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
  • Then use Disk Cleanup to remove all but the most recently created Restore Point.
  • Go to Start > Run and type: Cleanmgr
  • Click "Ok"
  • Disk Cleanup will scan your files for several minutes, then open.
  • Click the "More Options" Tab.
  • Click the "Clean up" button under System Restore.
  • Click Ok. You will be prompted with "Are you sure you want to delete all but the most recent restore point?"
  • Click Yes, then click Ok.
  • Click Yes again when prompted with "Are you sure you want to perform these actions?"
  • Disk Cleanup will remove the files and close automatically.
Vista Users can refer to these links: Create a New Restore Point and Disk Cleanup.
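The same procedure as a script, added here as an example and not part of the post above. It assumes Windows Vista/7 or later with PowerShell 2.0 or newer, run as Administrator, and that Windows is on C:. Checkpoint-Computer and Get-ComputerRestorePoint do not exist on XP, so on the poster's machine the GUI steps above remain the route; on a newer machine the script does the same two things, creates a fresh point and then removes every older one.

```powershell
# Added example for this thread, not code from the page: the "new restore point,
# then keep only that one" steps above as a script. Assumes Windows Vista/7 or later
# with PowerShell 2.0+, run as Administrator. Checkpoint-Computer and
# Get-ComputerRestorePoint do not exist on XP; there the GUI steps above apply.

$SystemDrive = 'C:'   # assumption: Windows lives on C:

function New-PostCleanupRestorePoint {
    param([string]$Description = 'Clean baseline after malware removal')
    # Make sure System Restore is enabled for the drive; it may have been switched off.
    Enable-ComputerRestore -Drive "$SystemDrive\"
    Checkpoint-Computer -Description $Description -RestorePointType 'MODIFY_SETTINGS'
    # Return the newest point so its sequence number and time can be logged,
    # as the post suggests keeping a note of it.
    Get-ComputerRestorePoint | Sort-Object SequenceNumber -Descending | Select-Object -First 1
}

function Remove-OlderRestorePoints {
    # Restore points are stored in Volume Shadow Copies. "vssadmin delete shadows /oldest"
    # removes one shadow per call, so loop until only the newest point is left.
    # The guard bounds the loop in case the WMI view lags behind vssadmin.
    $guard = 0
    while (@(Get-ComputerRestorePoint).Count -gt 1 -and $guard -lt 64) {
        & vssadmin.exe delete shadows /for=$SystemDrive /oldest /quiet | Out-Null
        $guard++
    }
    Get-ComputerRestorePoint
}

$newest = New-PostCleanupRestorePoint
if ($newest) {
    'Created restore point {0} at {1}' -f $newest.SequenceNumber, $newest.ConvertToDateTime($newest.CreationTime)
}
Remove-OlderRestorePoints | Format-Table SequenceNumber, Description, RestorePointType -AutoSize
```

Two caveats a practitioner will hit: on Windows 8 and later Checkpoint-Computer will not create a second point within 24 hours of the previous one (it warns and returns without creating it, which is why the script checks $newest), and deleting shadow copies also discards the "Previous Versions" file history kept in the same shadows, not just the restore points.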



