do not know name of virus (honestly, I don't know how to approach)


  • This topic is locked
2 replies to this topic

#1 helpme01

Posted 28 December 2008 - 09:01 AM

Hello, thank you, bless you, and just to let you know, I *do* worship the ground where BleepingComputer technicians walk.

I am attempting to fix a family computer that has several viruses. It was mostly used by a sibling, and it was when they were using it that all the viruses/malware contaminated the computer and made it inoperable. (or at least to them.) I did not give this computer much passing care because I have my own laptop (what I am typing on now) and since they had screwed themselves over, why should I bother? The sibling in question just took up my mother's laptop, and so my mother kinda lost her own computer. When the laptop was being squirrely (2 keys knocked out, etc) my mother sent it off to Best Buy, but it was only then that the dearth of computers was noticed. So, in an act of heroism and practicality, I attempt to repair the computer.

in media res P.S. - I am mediocre with the computer - I have enough technical skills to get me where I need to be, so the helpful god/goddess that responds doesn't have to dumb it down to, say, my mother's understanding.

It is a perfectly good computer from about 2005 (maybe 2006) with XP.

Computer is squirrely, slow, internet access is hindered (does not show pictures), there was a blue screen that said "there are malware or spyware detected on this computer. please download anti-virus software".

-First course of action was to use Spy Bot S&D 1.6.0 :
+downloaded fine, then all of a sudden I could not open applications.
-to remedy this, I googled the problem, and found exefix_xp as a solution.
+Applications now work
-went to internet, googled "hijackthis forum", recognized the website name, attempted to click it...
+could not access site. Got some cliche "internet doesn't work" page, (404? I think it's called)
-at this point, I get frustrated, and decide to download all necessary de-bugging files on my laptop and use USB Flashdrive to transfer to bugged comp.
-Computer now has to restart b/c of SpyBot
+when it does restart, it takes multiple times, and only after about 5 cycles of it getting to the screen with a big "e" on it (this screen has the options for start-up options and BIOS settings) does it finally let me get to the black screen where I can decide what mode to start windows in.
-At this point I flip out, think that SpyBot has removed something important, so I go into SafeMode and uninstall Spy Bot S&D
-Now, still in SafeMode, I install the new apps. (Spy Bot again, and Hijack This) and run them.
+SpyBot cleans 17 viruses, and computer restarts.
-I run Hijack This (following Hijack this tutorial on the site) and get log.

--------------------------------------------------------------------------------

NEW symptom: cannot start windows in anything other than safemode

After following steps from previous misplaced post:

-I enabled firewall on the computer

-I used DDS to get DDS.txt and attach.txt

-tried to get the EXACT message on the background, but the computer would not let me access windows normally

--------------------------------------------------------------------------------

DDS (Version 1.1.0) - NTFSx86 NETWORK
Run by Administrator at 7:34:03.35 on Sun 12/28/2008
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.382.230 [GMT -6:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\Administrator\Desktop\dds.scr

============== Pseudo HJT Report ===============

uSearch Bar = hxxp://www.google.com/ie
uStart Page = hxxp://www.emachines.com/
mDefault_Page_URL = hxxp://www.yahoo.com/
mDefault_Search_URL = about:blank
mSearch Page = about:blank
mStart Page = hxxp://www.emachines.com
mSearch Bar = about:blank
mSearchMigratedDefaultURL = hxxp://internetsearchservice.com/search?q={searchTerms}
uInternet Connection Wizard,ShellNext = hxxp://www.emachines.com/
mSearchURL = about:blank
mSearchAssistant = about:blank
BHO: {6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} - c:\windows\system32\opnkiFVo.dll
BHO: {87c435e2-2ccc-4991-9d4f-0a29d8f6b579} - c:\windows\system32\pmnmjJCu.dll
BHO: c:\windows\system32\jfiehayd.dll: {c5af49a2-94f3-42bd-f434-2604812c897d} - c:\windows\system32\jfiehayd.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar1.dll
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRunOnce: [SpybotDeletingB4694] command /c del "c:\windows\system32\upmedia\ContentTool.dll"
uRunOnce: [SpybotDeletingD2897] cmd /c del "c:\windows\system32\upmedia\ContentTool.dll"
uRunOnce: [SpybotDeletingB7659] command /c del "c:\windows\system32\upmedia\SearchTool.dll"
uRunOnce: [SpybotDeletingD4598] cmd /c del "c:\windows\system32\upmedia\SearchTool.dll"
uRunOnce: [SpybotDeletingB7397] command /c del "c:\windows\system32\upmedia\uninstallSE.exe"
uRunOnce: [SpybotDeletingD5911] cmd /c del "c:\windows\system32\upmedia\uninstallSE.exe"
uRunOnce: [SpybotDeletingB6199] command /c del "c:\windows\system32\pmnmjJCu.dll"
uRunOnce: [SpybotDeletingD6965] cmd /c del "c:\windows\system32\pmnmjJCu.dll"
mRun: [service.exe] c:\windows\system32\service.exe
mRun: [MCUpdateExe] c:\progra~1\mcafee.com\agent\mcupdate.exe
mRun: [MSConfig] c:\windows\pchealth\helpctr\binaries\MSConfig.exe /auto
mRunOnce: [Spybot - Search & Destroy] "c:\program files\spybot - search & destroy\SpybotSD.exe" /autocheck
mRunOnce: [SpybotDeletingA2928] command /c del "c:\windows\system32\upmedia\ContentTool.dll"
mRunOnce: [SpybotDeletingC2169] cmd /c del "c:\windows\system32\upmedia\ContentTool.dll"
mRunOnce: [SpybotDeletingA1238] command /c del "c:\windows\system32\upmedia\SearchTool.dll"
mRunOnce: [SpybotDeletingC1355] cmd /c del "c:\windows\system32\upmedia\SearchTool.dll"
mRunOnce: [SpybotDeletingA5701] command /c del "c:\windows\system32\upmedia\uninstallSE.exe"
mRunOnce: [SpybotDeletingC2942] cmd /c del "c:\windows\system32\upmedia\uninstallSE.exe"
mRunOnce: [SpybotDeletingA5916] command /c del "c:\windows\system32\pmnmjJCu.dll"
mRunOnce: [SpybotDeletingC2566] cmd /c del "c:\windows\system32\pmnmjJCu.dll"
mRunOnce: [SpybotSnD] "c:\program files\spybot - search & destroy\SpybotSD.exe" /autocheck
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\netgea~1.lnk - c:\program files\netgear wg311v2 adapter\wlancfg5.exe
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: opnkifvo - opnkiFVo.dll
AppInit_DLLs: evqyle.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
STS: c:\windows\system32\jfiehayd.dll: {c5af49a2-94f3-42bd-f434-2604812c897d} - c:\windows\system32\jfiehayd.dll
SEH: McAfee AntiSpyware Shell Extension: {f2a0229a-c4ca-4789-b606-973d24dcdd1c} - c:\program files\mcafee\mcafee antispyware\MssShell.dll
SEH: {6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} - c:\windows\system32\opnkiFVo.dll
LSA: Authentication Packages = msv1_0 c:\windows\system32\pmnmjJCu

============= SERVICES / DRIVERS ===============

S2 McAfeeAntiSpyware;McAfee AntiSpyware Real-Time Scanner;c:\program files\mcafee\mcafee antispyware\Msssrv.exe [2004-10-19 90112]
S2 McDetect.exe;McAfee WSC Integration;c:\program files\mcafee.com\agent\mcdetect.exe [2006-1-26 126976]
S2 McTskshd.exe;McAfee Task Scheduler;c:\progra~1\mcafee.com\agent\mctskshd.exe [2006-1-26 122368]
S3 mcupdmgr.exe;McAfee SecurityCenter Update Manager;c:\progra~1\mcafee.com\agent\mcupdmgr.exe [2005-1-28 245760]

=============== Created Last 30 ================

2008-12-27 20:53 <DIR> --d----- C:\Hijack This Files (do not delete, Alex)
2008-12-27 20:45 712,479 a--sh--- c:\windows\system32\uCJjmnmp.ini2
2008-12-27 19:31 <DIR> --d----- c:\documents and settings\administrator\WINDOWS
2008-12-27 19:31 <DIR> --d----- c:\docume~1\admini~1\applic~1\McAfee
2008-12-27 19:31 <DIR> --d----- c:\documents and settings\Administrator
2008-12-27 16:12 87,104 a------- c:\windows\system32\qnumxuoy.dll
2008-12-27 16:11 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2008-12-27 16:11 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2008-12-27 16:08 122,944 a------- c:\windows\system32\alleiacx.dll
2008-12-27 15:54 216,408 a------- c:\windows\system32\wuaucpl.cpl
2008-12-27 15:54 <DIR> --d----- c:\windows\LastGood.Tmp

==================== Find3M ====================

2004-07-02 11:19 40,960 a------- c:\windows\inf\wg311v2\imdinst.exe
2004-06-17 22:41 386,688 a------- c:\windows\inf\wg311v2\netwg311_XP.sys
2004-04-04 12:07 84,912 a------- c:\windows\inf\wg311v2\FwRad17.bin
2004-04-04 12:07 83,320 a------- c:\windows\inf\wg311v2\FwRad16.bin
2004-02-04 11:53 62,865 a------- c:\windows\inf\wg311v2\odysseyIM3.sys
2004-02-04 11:53 12,739 a------- c:\windows\inf\wg311v2\odNetInstall.dll

============= FINISH: 7:35:03.14 ===============


and here is the attach file:

If I need to add more info. please tell me

If I placed this in the wrong area, I apologize.

THANK YOU very much.


#2 lusitano

Posted 09 January 2009 - 08:10 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not, please perform the following steps below so we can have a look at the current condition of your machine. If you have not done so, include a description of your problem, along with any steps you may have performed so far.

Upon completing the steps below a staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results, click no to the Optional_Scan
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet. Information on A/V control HERE

This may seem repetitive, but we need to see the current status of your system, please.
Please hold on; it may take us a day or so to get back with you.

Regards,
Lusitano
Please do not PM me asking for support.
Please be courteous, polite, and say thank you.
Please post the final results, good or bad. We like to know!

#3 lusitano

Posted 16 January 2009 - 09:56 AM

Due to inactivity this thread has been closed to prevent others with similar problems posting to it.
If you need it re-opened please PM a member of the moderating team with a link to your thread.

Thanks