
Infected- XP sp3 Kaspersky won't even run anymore..


  • This topic is locked
13 replies to this topic

#1 meadams314

meadams314

  • Members
  • 12 posts
  • OFFLINE
  • Local time:04:10 PM

Posted 10 February 2009 - 06:10 PM

I'm pretty sure I picked up some nasty malware somewhere along the line. I'm running Windows XP Home with Service Pack 3. System Restore will not work: I can select a date to restore from, but the first time I tried it, it restarted and gave me an error message, and now when I select a date to restore from and hit Next, nothing happens. I try to start Kaspersky Internet Security 2009 (which should be running at startup but isn't anymore) and I get an hourglass for 1 or 2 seconds, then nothing happens. Ad-Aware and Malwarebytes will not update; they tell me to check my internet connection even though I'm currently online. Also, when clicking on search links in Google it takes me to random websites which I did not click on.

Off a fresh startup, I'm left with the following processes running-

wuauclt.exe
CCC.exe
usnsvc.exe
WindowsSearch.exe
RaUI.exe
msmsgs.exe
msnmsgr.exe
ctfmon.exe
AAWTray.exe
jusched.exe
MOM.exe
soundman.exe
AAWService.exe
svchost.exe
ati2evxx.exe
svchost.exe
svchost.exe
alg.exe
svchost.exe
svchost.exe
ati2evxx.exe
lsass.exe
services.exe
winlogon.exe
csrss.exe
wmiprvse.exe
smss.exe
unsecapp.exe
searchindexer.exe
wscntfy.exe
PnkBstrA.exe
PD91Agent.exe
NBService.exe
jqs.exe
explorer.exe
spoolsv.exe (yes, you read right: 5 svchost.exe processes open at once. I know there's gotta be something wrong there, but I'd like to figure out this bug first)

I scanned with MalwareBytes (un-updated definitions file, as updates won't work) and got this-

Malwarebytes' Anti-Malware 1.33
Database version: 1654
Windows 5.1.2600 Service Pack 3

2/10/2009 3:53:55 PM
mbam-log-2009-02-10 (15-53-55).txt

Scan type: Full Scan (C:\|)
Objects scanned: 110952
Time elapsed: 27 minute(s), 24 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 9
Folders Infected: 0
Files Infected: 6

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\Program Files\Mozilla Firefox\components\iamfamous.dll (Trojan.Agent) -> Delete on reboot.

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ywkag (Adware.Navipromo.H) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.39,85.255.112.40 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{71e82bf7-d1db-4384-a7e7-0a6b734261f8}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.39,85.255.112.40 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{826a344d-2ce4-4115-a057-7c20739eeacc}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.39,85.255.112.40 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.39,85.255.112.40 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{71e82bf7-d1db-4384-a7e7-0a6b734261f8}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.39,85.255.112.40 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{826a344d-2ce4-4115-a057-7c20739eeacc}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.39,85.255.112.40 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.39,85.255.112.40 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters\Interfaces\{71e82bf7-d1db-4384-a7e7-0a6b734261f8}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.39,85.255.112.40 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters\Interfaces\{826a344d-2ce4-4115-a057-7c20739eeacc}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.39,85.255.112.40 -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\Matt Adams.MATT\Local Settings\Application Data\ywkag_navps.dat (Adware.Navipromo.H) -> Quarantined and deleted successfully.
C:\Documents and Settings\Matt Adams.MATT\Local Settings\Application Data\ywkag.dat (Adware.Navipromo.H) -> Quarantined and deleted successfully.
C:\Documents and Settings\Matt Adams.MATT\Local Settings\Application Data\ywkag.exe (Adware.Navipromo.H) -> Delete on reboot.
C:\System Volume Information\_restore{B810EAEF-172E-40D6-A206-B11BFF76CE5D}\RP116\A0010953.exe (Adware.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\windows.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Program Files\Mozilla Firefox\components\iamfamous.dll (Trojan.Agent) -> Delete on reboot.

ALSO- I noticed someone else posted a similar problem, and it was recommended that they download and run SDFix, but there were no more responses afterward. I downloaded and ran SDFix twice and it didn't find or fix anything.

Help would be greatly appreciated. Usually I solve problems like this on my own, but this time I'm stuck (short of doing a full format and re-install).

Edited by The weatherman, 10 February 2009 - 06:15 PM.
Moved to a more appropriate forum~TW




#2 rigel

rigel

    FD-BC


  • BC Advisor
  • 12,944 posts
  • OFFLINE
  • Gender:Male
  • Location:South Carolina - USA
  • Local time:06:10 PM

Posted 10 February 2009 - 07:53 PM

Hi and welcome to BC. Please check your router. Make sure DNS is set to automatic. I also recommend changing the password of your router.

2) Please download SmitfraudFix

Disconnect your computer from the internet by unplugging your network cable from your router.
Double-click SmitfraudFix.exe
Select #5 Search and clean DNS Hijack
Please reboot your computer, reconnect your router, and then post the report found at the root of the system drive, usually at C:\rapport.txt

Click Start - Run. The Run dialog box will open.
Type cmd in the box and click Enter. A DOS window will open.
Type ipconfig /flushdns <=Note the spacing
Reboot your computer!

"In a world where you can be anything, be yourself." ~ unknown

"Fall in love with someone who deserves your heart. Not someone who plays with it." – Will Smith
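The Malwarebytes log in the first post records the DNSChanger hallmark (the TCP/IP NameServer values repointed to 85.255.112.39 and 85.255.112.40), and rigel's reply checks the same thing by hand: router DNS set to automatic, SmitfraudFix's "DNS Before/After Fix" section, then ipconfig /flushdns. The Python script below is an added example, not code from the thread or from any of the tools it names. It pulls resolver addresses out of log text in the shape of the Malwarebytes and SmitFraudFix output quoted here and flags any that are neither private (RFC 1918, loopback, link-local) nor on an allow-list, which is the check a helper does by eye when reading such a log. The sample log lines are constructed from the values quoted in the thread; the function names and the `trusted` allow-list parameter are my own, and handling of the `DhcpNameServer=` lines goes slightly beyond what the thread discusses.

```python
"""Flag non-private DNS resolvers in cleaner logs (added example, not from the thread)."""
import ipaddress
import re

# Three line shapes seen in the thread's logs:
#   "... -> Data: 85.255.112.39,85.255.112.40 -> ..."   (Malwarebytes registry data item)
#   "DNS Server Search Order: 192.168.1.1"             (SmitFraudFix DNS section)
#   "...: DhcpNameServer=192.168.1.1"                   (SmitFraudFix registry line)
# The character class deliberately excludes newlines so a match never spans lines.
_PATTERNS = [
    re.compile(r"Data:\s*([\d., ]+?)\s*->"),
    re.compile(r"DNS Server Search Order:\s*([\d., ]+)$", re.M),
    re.compile(r"(?:Dhcp)?NameServer=([\d., ]+)$", re.M),
]

# Constructed samples in the shape of the thread's logs (values copied from the thread).
MBAM_SAMPLE = r"""Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.39,85.255.112.40 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{71e82bf7-d1db-4384-a7e7-0a6b734261f8}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.39,85.255.112.40 -> Quarantined and deleted successfully.
"""

SMITFRAUD_SAMPLE = r"""Description: Hawking Technologies HWPG1 Wireless-G PCI Card #2 - Packet Scheduler Miniport
DNS Server Search Order: 192.168.1.1

HKLM\SYSTEM\CCS\Services\Tcpip\..\{71E82BF7-D1DB-4384-A7E7-0A6B734261F8}: DhcpNameServer=192.168.1.1
"""


def extract_resolvers(log_text):
    """Return the resolver address strings found in the log, in first-seen order, de-duplicated."""
    found = []
    for pattern in _PATTERNS:
        for match in pattern.finditer(log_text):
            for token in match.group(1).split(","):
                token = token.strip()
                if token and token not in found:
                    found.append(token)
    return found


def classify_resolver(ip_text, trusted=frozenset()):
    """'private' for RFC 1918 / loopback / link-local addresses (a home router lives here),
    'trusted' for an allow-listed public resolver (e.g. the ISP's), 'suspicious' for any
    other public address, and 'invalid' when the token does not parse as an IP address."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return "invalid"
    if ip.is_private or ip.is_loopback or ip.is_link_local:
        return "private"
    if ip_text in trusted:
        return "trusted"
    return "suspicious"


def audit_log(log_text, trusted=frozenset()):
    """Map every resolver named in the log to its verdict."""
    return {ip: classify_resolver(ip, trusted) for ip in extract_resolvers(log_text)}


def suspicious_resolvers(log_text, trusted=frozenset()):
    """Sorted list of resolvers that are neither private nor allow-listed."""
    return sorted(ip for ip, verdict in audit_log(log_text, trusted).items()
                  if verdict == "suspicious")


if __name__ == "__main__":
    for name, text in (("Malwarebytes", MBAM_SAMPLE), ("SmitFraudFix", SMITFRAUD_SAMPLE)):
        print(name)
        for ip, verdict in audit_log(text).items():
            print(f"  {ip:<16} {verdict}")
```

Run against the thread's own values, the Malwarebytes excerpt yields two suspicious resolvers and the SmitFraudFix excerpt yields only the private router address 192.168.1.1, which is why rigel's next question is about the router itself: a cleaner can rewrite the NameServer values on the PC, but if the router hands out the same hijacked resolvers over DHCP the symptoms return on the next lease.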


#3 meadams314

meadams314
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  • Local time:04:10 PM

Posted 10 February 2009 - 10:17 PM

Wow, thanks for your fast response. I did what you asked, here's the log file Smitfraud produced-

SmitFraudFix v2.395

Scan done at 21:03:02.75, Tue 02/10/2009
Run from C:\Documents and Settings\Matt Adams.MATT\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» DNS Before Fix

Description: Hawking Technologies HWPG1 Wireless-G PCI Card #2 - Packet Scheduler Miniport
DNS Server Search Order: 192.168.1.1

HKLM\SYSTEM\CCS\Services\Tcpip\..\{71E82BF7-D1DB-4384-A7E7-0A6B734261F8}: DhcpNameServer=192.168.1.1

»»»»»»»»»»»»»»»»»»»»»»»» DNS After Fix

Description: Hawking Technologies HWPG1 Wireless-G PCI Card #2 - Packet Scheduler Miniport
DNS Server Search Order: 192.168.1.1

HKLM\SYSTEM\CCS\Services\Tcpip\..\{71E82BF7-D1DB-4384-A7E7-0A6B734261F8}: DhcpNameServer=192.168.1.1



----------------------------------------------------------------------------------------------------------------------------------------------

Tried running update on Malwarebytes, and it failed again. Gives me "Connection Error, check your settings". I'm so lost here...


EDIT: Went to log on to the router (it's a Netgear), but now www.routerlogin.net takes me to Netgear's website instead of my router setup page; I had to type in my router's IP addy instead. Password is now changed from default though. Should have done that from the start, eh?

ALSO: Just noticed the clock in the bottom right hand of my desktop is now in 24 hour format instead of 12 hour. I know this is unimportant, just find it rather strange.

Edited by meadams314, 10 February 2009 - 10:31 PM.


#4 rigel

rigel

    FD-BC


  • BC Advisor
  • 12,944 posts
  • OFFLINE
  • Gender:Male
  • Location:South Carolina - USA
  • Local time:06:10 PM

Posted 10 February 2009 - 10:41 PM

If the router password is changed, you will have to reset it to alter the settings. The clock is a symptom of the infection.



#5 meadams314

meadams314
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  • Local time:04:10 PM

Posted 12 February 2009 - 11:26 AM

No, I meant I changed the password to something else in case someone got ahold of it. What would be my next steps to get rid of whatever infection I have? Antivirus/malware programs are still not updating or running correctly, and System Restore still isn't working either...

#6 meadams314

meadams314
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  • Local time:04:10 PM

Posted 12 February 2009 - 12:39 PM

Also tried installing Spybot S&D, but it appears whatever I'm infected with is blocking the server connection needed to install the program. It gives me a connection error and will not install...

#7 rigel

rigel

    FD-BC


  • BC Advisor
  • 12,944 posts
  • OFFLINE
  • Gender:Male
  • Location:South Carolina - USA
  • Local time:06:10 PM

Posted 12 February 2009 - 12:46 PM

Please print out and follow these instructions: "How to use SDFix". <- This program is for Windows 2000/XP ONLY.
When using this tool, you must use the Administrator's account or an account with "Administrative rights"
  • Disconnect from the Internet and temporarily disable your anti-virus, script blocking and any real time protection programs before performing a scan.
  • When done, the SDFix report log will open in notepad and automatically be saved in the SDFix folder as Report.txt.
  • If SDFix is unable to run after rebooting from Safe Mode, run SDFix in either Mode, and type F, then press Enter for it to finish the final stage and produce the report.
  • Please copy and paste the contents of Report.txt in your next reply.
  • Be sure to re-enable your anti-virus and other security programs before connecting to the Internet.
-- If the computer has been infected with the VirusAlert! malware warning from the clock and the Start Menu icons or drives are not visible, open the SDFix folder, right-click on either the XP_VirusAlert_Repair.inf or W2K VirusAlert_Repair.inf (depending on your version of Windows) and select Install from the Context menu. Then reboot to apply the changes.



#8 meadams314

meadams314
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  • Local time:04:10 PM

Posted 12 February 2009 - 02:46 PM

Thanks for helping. Followed your instructions and ran SDFix as requested; not too optimistic about it, however, as this is the 3rd time I've run it. Here's the logfile:


SDFix: Version 1.240
Run by Administrator on Thu 02/12/2009 at 01:38 PM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :


Restoring Default Security Values
Restoring Default Hosts File

Rebooting


Checking Files :

No Trojan Files Found






Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-12 13:41:09
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

disk error: C:\WINDOWS\system32\config\system, 0
scanning hidden registry entries ...

disk error: C:\WINDOWS\system32\config\software, 0
disk error: C:\Documents and Settings\Administrator\ntuser.dat, 0
scanning hidden files ...

disk error: C:\WINDOWS\

please note that you need administrator rights to perform deep scan

Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"
"C:\\Program Files\\uTorrent\\uTorrent.exe"="C:\\Program Files\\uTorrent\\uTorrent.exe:*:Enabled:æTorrent"
"C:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"="C:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe:*:Enabled:Call of Duty® 4 - Modern Warfare™"
"C:\\Program Files\\EA GAMES\\Medal of Honor Pacific Assault™\\mohpa.exe"="C:\\Program Files\\EA GAMES\\Medal of Honor Pacific Assault™\\mohpa.exe:*:Enabled:Medal of Honor Pacific Assault™"
"C:\\Program Files\\THQ\\Dawn of War - Soulstorm\\Soulstorm.exe"="C:\\Program Files\\THQ\\Dawn of War - Soulstorm\\Soulstorm.exe:*:Enabled:Soulstorm"
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
"C:\\Program Files\\Electronic Arts\\Battlefield 2142\\BF2142.exe"="C:\\Program Files\\Electronic Arts\\Battlefield 2142\\BF2142.exe:*:Enabled:Battlefield 2"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"

Remaining Files :



Files with Hidden Attributes :

Tue 3 Feb 2009 61,440 ..SHR --- "C:\RECYCLER\S-7-2-66-100010921-100008329-100000599-4866.com"
Mon 8 Dec 2008 0 A.SH. --- "C:\Documents and Settings\All Users.WINDOWS\DRM\Cache\Indiv01.tmp"
Wed 10 Dec 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\bf30bb4ba3217393e4a71c3812925df8\BITA.tmp"

Finished!

Not sure what the deal with the disk errors is; I ran it with no antivirus/spyware programs running, and in administrator mode.

Also, a window has started popping up at startup telling me that Outlook Express can compress messages to save disk space. I understand this is a normal message, my dad gets it when he turns the computer off- however I don't use Outlook, and it's never popped that up before. My clock is still in 24 hour format as well. Strange.

Edited by meadams314, 12 February 2009 - 02:53 PM.


#9 rigel

rigel

    FD-BC


  • BC Advisor
  • 12,944 posts
  • OFFLINE
  • Gender:Male
  • Location:South Carolina - USA
  • Local time:06:10 PM

Posted 12 February 2009 - 03:59 PM

The disk errors signify problems with the registry files. We need to back those up with ERUNT.

Backup Your Registry with ERUNT
  • Please use the following link and scroll down to ERUNT and download it.
    http://aumha.org/freeware/freeware.php
  • For version with the Installer:
    Use the setup program to install ERUNT on your computer
  • For the zipped version:
    Unzip all the files into a folder of your choice.
Click Erunt.exe to back up your registry to the folder of your choice.

Note: to restore your registry, go to the folder and start ERDNT.exe

Let's retry SuperAntiSpyware.



#10 meadams314

meadams314
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  • Local time:04:10 PM

Posted 12 February 2009 - 04:42 PM

Backed up my registry files with ERUNT. Went to the SuperAntiSpyware website and was blocked from downloading; I had to get a copy off of download.com in order to install it. Successfully installed SAS, and it downloaded definitions during the install properly. However, once I got the program running and clicked update, it gives me another connection error. Running a complete scan anyway, will update with results.

Thanks so much for all your help!

#11 meadams314

meadams314
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  • Local time:04:10 PM

Posted 12 February 2009 - 05:09 PM

58 infected items-

56 Tracking Cookies
1 Rootkit.Agent/GEN-GAOPDX
1 Trojan.DNSChanger-Codec

All successfully detected and removed.

Rebooted my PC, still having the same problems: no antivirus/malware software will update, Kaspersky won't run, Windows Restore is still disabled, and the clock is still in 24 hour format (if that matters).

Just to see what happens, I'm gonna install ZoneAlarm Security Suite 2009 and see what happens.

Edited by meadams314, 12 February 2009 - 05:23 PM.


#12 meadams314

meadams314
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  • Local time:04:10 PM

Posted 13 February 2009 - 01:19 PM

Installed and ran ZoneAlarm, no luck. My PC is blocked from communicating with the ZoneAlarm download server, along with other antivirus update servers as well. Internet is still acting funny, and now I've developed a lag period when rebooting; sometimes Explorer crashes when turning my computer on.... Anything else I can try?

#13 rigel

rigel

    FD-BC


  • BC Advisor
  • 12,944 posts
  • OFFLINE
  • Gender:Male
  • Location:South Carolina - USA
  • Local time:06:10 PM

Posted 13 February 2009 - 02:25 PM

It's time to refer you to the HJT forum. They have more powerful tools to help out in cases like this one.

Please follow this guide from step (6). Post a HJT log to the HJT forum and a Team member will be along to help you as soon as possible. You may wish to post a link back to this topic to see what was discussed thus far.

If you need any help with the guide, please let me know. Best wishes - you are in good hands...



#14 Orange Blossom

Orange Blossom

    OBleepin Investigator


  • Moderator
  • 36,801 posts
  • OFFLINE
  • Gender:Not Telling
  • Location:Bloomington, IN
  • Local time:06:10 PM

Posted 15 February 2009 - 04:31 PM

Hello meadams314,

Now that you have a log posted here: http://www.bleepingcomputer.com/forums/t/203382/hjt-log-continued-from-am-i-infected-forum/ you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc) unless advised by a HJT Team member, nor should you continue to ask for help elsewhere. Doing so can result in system changes which may not show in the log you already posted. Further, any modifications you make on your own may cause confusion for the helper assisting you and could complicate the malware removal process which would extend the time it takes to clean your computer.

From this point on the HJT Team should be the only members that you take advice from, until they have verified your log as clean.

Please be patient. It may take a while to get a response because the HJT Team members are EXTREMELY busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT make another reply until it has been responded to by a member of the HJT Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work may assume another HJT Team member is already assisting you and not open the thread to respond.

If after 5 days you still have received no response, then post a link to your HJT log in the thread titled "Haven't Had A Reply In Five Days?".

To avoid confusion, I am closing this topic. Good luck with your log.

Orange Blossom :thumbsup:



