Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

'system security" infection


  • This topic is locked This topic is locked
14 replies to this topic

#1 loaderboy

loaderboy

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:11:52 PM

Posted 15 March 2009 - 09:52 PM

Working on a friends computer. I can't run HJT or any other scan/repair programs.
I have tried to run malwarebytes and avast and they blink and close before I can use them.
If I try to go to any web site like trend micro the browser will close immediately.
A google search with hijackthis in the search box will close the browser also. This is with IE and FF.
When I first started to work on this I found the System security file in C:/documents and setting/all users/application data/system security.
I deleted that file and the "scan" quit running on boot.
The "program" was never in the /program folder and did not show up in add/remove programs.
The only thing that I can run as far as a scanner is RSIT.
All other malware/spyware programs do not run even in safe mode or Run as...admin.
I have even tried to check the system in PE mode but to no avail.

Win XPpro ver 2002 sp2

Any thoughts on this or help would be greatly appreciated.

I was told to run DDS and post the results here so here it is.
DDS (Ver_09-03-16.01) - NTFSx86
Run by Shirley at 22:17:08.03 on Sun 03/15/2009
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_05
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.479.176 [GMT -4:00]

AV: avast! antivirus 4.7.1098 [VPS 080725-1] *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\Iexplore.exe
C:\Documents and Settings\Shirley\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://google.com/
uSearch Page = hxxp://www.google.com
uDefault_Search_URL = hxxp://www.google.com/ie
uSearch Bar = hxxp://www.google.com/ie
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
uURLSearchHooks: AIM Toolbar Search Class: {03402f96-3dc7-4285-bc50-9e81fefafe43} - c:\program files\aim toolbar\aimtb.dll
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
mURLSearchHooks: AIM Toolbar Search Class: {03402f96-3dc7-4285-bc50-9e81fefafe43} - c:\program files\aim toolbar\aimtb.dll
BHO: Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_05\bin\ssv.dll
BHO: AIM Toolbar Loader: {b0cda128-b425-4eef-a174-61a11ac5dbf8} - c:\program files\aim toolbar\aimtb.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
TB: AIM Toolbar: {61539ecd-cc67-4437-a03c-9aaccbd14326} - c:\program files\aim toolbar\aimtb.dll
IE: &AIM Toolbar Search - c:\documents and settings\all users\application data\aim toolbar\ietoolbar\resources\en-us\local\search.html
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: {d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\documents and settings\shirley\start menu\programs\imvu\Run IMVU.lnk
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_05\bin\ssv.dll
IE: {0b83c99c-1efa-4259-858f-bcb33e007a5b} - {61539ecd-cc67-4437-a03c-9aaccbd14326} - c:\program files\aim toolbar\aimtb.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\yinsthelper.dll
DPF: {48DD0448-9209-4F81-9F6D-D83562940134} - hxxp://lads.myspace.com/upload/MySpaceUploader1006.cab
DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://gfx2.hotmail.com/mail/w3/pr01/resources/MSNPUpld.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Notify: dfcefcfae - c:\windows\system32\dfcefcfae.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\shirley\applic~1\mozilla\firefox\profiles\u2u7aezv.default\
FF - prefs.js: browser.search.defaulturl - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50fftrie7&query=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: keyword.URL - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50fftrab&query=
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdnu.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPView22.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\view22\version_4\NPView22.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll

============= SERVICES / DRIVERS ===============

S3 P0630VID;Creative WebCam Live!;c:\windows\system32\drivers\P0630Vid.sys [2008-2-23 91841]
S4 aawservice;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\aawservice.exe [2008-5-12 611664]
S4 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast4\ashServ.exe [2008-2-9 140664]
S4 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast4\ashWebSv.exe [2008-2-9 345464]
S4 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2008-11-20 24652]

============== File Associations ===============

scrfile="%1" %*

=============== Created Last 30 ================

2009-03-14 18:40 <DIR> --d----- c:\program files\WhatsRunning
2009-03-14 17:54 <DIR> --d----- c:\windows\ERUNT
2009-03-14 17:48 <DIR> --d----- C:\SDFix
2009-03-14 09:58 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2009-03-14 09:58 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2009-03-13 21:48 <DIR> --d----- c:\program files\Enigma Software Group
2009-03-13 19:06 <DIR> --d----- c:\program files\MSXML 4.0
2009-03-13 18:47 <DIR> --d----- c:\program files\CleanUp!
2009-03-13 18:46 <DIR> --d----- C:\Opera
2009-03-13 15:48 <DIR> --d----- c:\program files\trend micro
2009-03-13 14:48 21,504 a------- c:\windows\system32\hidserv.dll
2009-03-13 14:48 14,848 a------- c:\windows\system32\drivers\kbdhid.sys
2009-03-13 14:38 12,160 ac------ c:\windows\system32\dllcache\mouhid.sys
2009-03-13 14:38 12,160 a------- c:\windows\system32\drivers\mouhid.sys
2009-03-10 22:21 <DIR> --d----- c:\docume~1\shirley\applic~1\MSNInstaller
2009-03-05 19:32 <DIR> --d----- c:\program files\Windows Media Connect 2

==================== Find3M ====================

2009-02-09 06:19 1,846,272 a------- c:\windows\system32\win32k.sys
2009-01-05 18:33 3,751,995 a------- c:\windows\system32\GPhotos.scr
2008-02-23 19:44 32 a------- c:\docume~1\alluse~1\applic~1\ezsid.dat

============= FINISH: 22:18:44.08 ===============

I have also attached; attach.txt
Thanks in advance for any help.

PS. I had to run DDS off a flash drive and post from my computer as the other one will drop any browser as soon as any page or entry displays the words hijackthis, virus,malware etc.

Attached Files



BC AdBot (Login to Remove)

 


#2 KoanYorel

KoanYorel

    Bleepin' Conundrum


  • Staff Emeritus
  • 19,461 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:65 miles due East of the &quot;Logic Free Zone&quot;, in Md, USA
  • Local time:11:52 PM

Posted 27 March 2009 - 01:52 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explaination about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

R,
K
The only easy day was yesterday.

...some do, some don't; some will, some won't (WR)

#3 loaderboy

loaderboy
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:11:52 PM

Posted 29 March 2009 - 09:10 AM

Thank you for your reply, I know that you are very busy. Still cannot run any A/V software or online scanners. Browsers will close if I try to run anything online or search for anything that hints at antivirus or malware removal.
Here is the new DDS logfile:
DDS (Ver_09-03-16.01) - NTFSx86
Run by Shirley at 8:36:02.76 on Sun 03/29/2009
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_05
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.479.187 [GMT -4:00]

AV: avast! antivirus 4.7.1098 [VPS 080725-1] *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Internet Explorer\Iexplore.exe
C:\Documents and Settings\Shirley\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://google.com/
uSearch Page = hxxp://www.google.com
uDefault_Search_URL = hxxp://www.google.com/ie
uSearch Bar = hxxp://www.google.com/ie
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
uURLSearchHooks: AIM Toolbar Search Class: {03402f96-3dc7-4285-bc50-9e81fefafe43} - c:\program files\aim toolbar\aimtb.dll
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
mURLSearchHooks: AIM Toolbar Search Class: {03402f96-3dc7-4285-bc50-9e81fefafe43} - c:\program files\aim toolbar\aimtb.dll
BHO: Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_05\bin\ssv.dll
BHO: AIM Toolbar Loader: {b0cda128-b425-4eef-a174-61a11ac5dbf8} - c:\program files\aim toolbar\aimtb.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
TB: AIM Toolbar: {61539ecd-cc67-4437-a03c-9aaccbd14326} - c:\program files\aim toolbar\aimtb.dll
IE: &AIM Toolbar Search - c:\documents and settings\all users\application data\aim toolbar\ietoolbar\resources\en-us\local\search.html
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: {d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\documents and settings\shirley\start menu\programs\imvu\Run IMVU.lnk
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_05\bin\ssv.dll
IE: {0b83c99c-1efa-4259-858f-bcb33e007a5b} - {61539ecd-cc67-4437-a03c-9aaccbd14326} - c:\program files\aim toolbar\aimtb.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\yinsthelper.dll
DPF: {48DD0448-9209-4F81-9F6D-D83562940134} - hxxp://lads.myspace.com/upload/MySpaceUploader1006.cab
DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://gfx2.hotmail.com/mail/w3/pr01/resources/MSNPUpld.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Notify: dfcefcfae - c:\windows\system32\dfcefcfae.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\shirley\applic~1\mozilla\firefox\profiles\u2u7aezv.default\
FF - prefs.js: browser.search.defaulturl - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50fftrie7&query=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: keyword.URL - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50fftrab&query=
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdnu.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPView22.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\view22\version_4\NPView22.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll

============= SERVICES / DRIVERS ===============

S3 P0630VID;Creative WebCam Live!;c:\windows\system32\drivers\P0630Vid.sys [2008-2-23 91841]
S4 aawservice;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\aawservice.exe [2008-5-12 611664]
S4 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast4\ashServ.exe [2008-2-9 140664]
S4 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast4\ashWebSv.exe [2008-2-9 345464]
S4 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2008-11-20 24652]

============== File Associations ===============

scrfile="%1" %*

=============== Created Last 30 ================

2009-03-14 18:40 <DIR> --d----- c:\program files\WhatsRunning
2009-03-14 17:54 <DIR> --d----- c:\windows\ERUNT
2009-03-14 17:48 <DIR> --d----- C:\SDFix
2009-03-14 09:58 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2009-03-14 09:58 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2009-03-13 21:48 <DIR> --d----- c:\program files\Enigma Software Group
2009-03-13 19:06 <DIR> --d----- c:\program files\MSXML 4.0
2009-03-13 18:47 <DIR> --d----- c:\program files\CleanUp!
2009-03-13 18:46 <DIR> --d----- C:\Opera
2009-03-13 15:48 <DIR> --d----- c:\program files\trend micro
2009-03-13 14:48 21,504 a------- c:\windows\system32\hidserv.dll
2009-03-13 14:48 14,848 a------- c:\windows\system32\drivers\kbdhid.sys
2009-03-13 14:38 12,160 ac------ c:\windows\system32\dllcache\mouhid.sys
2009-03-13 14:38 12,160 a------- c:\windows\system32\drivers\mouhid.sys
2009-03-10 22:21 <DIR> --d----- c:\docume~1\shirley\applic~1\MSNInstaller
2009-03-05 19:32 <DIR> --d----- c:\program files\Windows Media Connect 2

==================== Find3M ====================

2009-02-09 06:19 1,846,272 a------- c:\windows\system32\win32k.sys
2009-01-05 18:33 3,751,995 a------- c:\windows\system32\GPhotos.scr
2008-02-23 19:44 32 a------- c:\docume~1\alluse~1\applic~1\ezsid.dat

============= FINISH: 8:37:18.18 ===============
Thanks again for all your help

Attached Files



#4 Hoov

Hoov

  • Malware Response Team
  • 3,519 posts
  • OFFLINE
  •  
  • Location:Mikado Michigan
  • Local time:10:52 PM

Posted 29 March 2009 - 09:36 AM

Howdy, my name is Hoov, and I will be helping you with your dilemma.

Please make sure you watch this thread for responses. If you click the options tab at the top of your first post, you can select to track this thread.

Here is what I am asking you to do during the repair of your computer

*Tell me everything that you have done, if anything, to try and fix this problem.

*Please only use 1 forum to help clear up your problem. Posting on more than 1 and following instructions from more than 1 forum will cause those helping you to pull out thier hair.

*Follow my instructions - If you can't for some reason, or if you don't understand something, please tell me. If you deviate from my instructions, tell me, it may make a difference on where we go. Don't install anything, even other programs that have nothing to do with security or malware, it could cause things to change, and I would never know it.

*Have faith. I will do all I can to get your computer working, and if I can't - someone else here will know something else to try.

*Stick with me to the end. My aim is to fix your problems, and give you the tools and knowledge to keep this from happening again.

Now onto trying to fix your computer.

If I am helping you and you don't hear from me for 24Hrs, send me a PM Please!

I am assuming that you have access to a clean computer. Please download combofix and then change its name to multifix and burn it to a CD then take it to the problem computer, and copy it to the desktop, and reboot to safe mode and then run it.

Run comboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

* Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix. Also make sure you close all your browsers just before the instructions tell you to start the scanner.

Please include the C:\ComboFix.txt in your next reply for further review.

Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall
Visiting From SpywareHammer.com and DonHoover.net

Tilting at windmills hurts you more than the windmills.
-From the Notebooks of Lazarus Long
Senior of the Howard Families

Posted Image

#5 loaderboy

loaderboy
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:11:52 PM

Posted 29 March 2009 - 06:53 PM

Hi Hoov, Thank you in advance for your help.
The original problem was "system security antivirus". I found that in documents and settings/all users/shared files and deleted it. That stopped the "virus scan" popup but the computer would still not run any A/V software.
I renamed combofix as requested and tried to run it but it came back with an error: could not run the program because the file WS2_32.dll could not be found.
I copied a good copy of that to a flashdrive and was going to put it in the c:windows/system 32 on the infected computer but when I got there I found the file that was there had been renamed WS2_32.dll.vir. Also the WSHELP_32 file had been renamed
to .vir.
I attempted to replace the file but could not because it is in use.
Should I try to use Unlocker to replace it or keep my fingers out of the pudding?

Edited by loaderboy, 29 March 2009 - 06:54 PM.


#6 Hoov

Hoov

  • Malware Response Team
  • 3,519 posts
  • OFFLINE
  •  
  • Location:Mikado Michigan
  • Local time:10:52 PM

Posted 29 March 2009 - 07:19 PM

Lets try something else first. Reboot to safe mode with networking and then perform a scan with Trend Micro Housecall:
http://housecall.trendmicro.com/

[Watch the Address bar in IE. You may receive alerts that "This site might require the following ActiveX control...Click here to install...". Click on that alert and then Click Install ActiveX component.]

1. Select your location and click the "Go" button if presented with this page.
2. Under "Scan your PC", please click "Scan now. It's free!"
3. Then again click "Scan now, it's free".
4. Read and put a Check next to "Yes, I accept the Terms of Use". Also put a check mark next to "I want to select a different HouseCall kernel".
5. Click the "Launching HouseCall>>" button.
6. This will give you to option to scan with Java-based or Browser plug-in:


* If Java support is disabled on your system or no Java runtime environment is installed, click "Starting HouseCall" under "Browser plug-in and using the HouseCall Kernel". Please be patient while Housecall downloads necessary components. You may receive a Security Warning "Do you want to install this software? Name: hcImpl.cab Publisher: Trend Micro..." Click "Install" when prompted.

* If Java support is confirmed, click "Starting HouseCall" under "Using Java-based HouseCall kernel". Please be patient while Housecall downloads necessary components. You may receive a Security Warning about the TrendMicro Java applet and asking if you want to run. Click "Yes" when prompted.

Again please be patient while Trend Micro HouseCall is updated or installed. This can take some time especially if you are using a dial-up connection.

7. Under "Scan complete computer for malware, grayware, and vulnerabilities" click the "Next>>" button. It will download the latest scan engine and pattern files. When the definitions have been downloaded, the scan will start. Once the scan is complete, it will take you to the summary page.
8. Under "Cleanup options" choose "Clean all detected infections automatically".
9. Click the "Clean now>>" button.
10. When presented with a notification "According to your instructions, all detected infections were cleaned...", click "OK".
Visiting From SpywareHammer.com and DonHoover.net

Tilting at windmills hurts you more than the windmills.
-From the Notebooks of Lazarus Long
Senior of the Howard Families

Posted Image

#7 loaderboy

loaderboy
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:11:52 PM

Posted 29 March 2009 - 09:17 PM

well....... I tried to boot into safe mode w/networking but it goes into a reboot loop. Will not boot at all now.
I ran memtest and that is ok. I booted with an Ubuntu live cd and that worked. I am now trying to boot with UBCD4win.
That is hanging up at the moment but I will give it some time and let you know what happens. More tomorrow.
Thanks again for the help so far.

Edited by loaderboy, 29 March 2009 - 09:17 PM.


#8 Hoov

Hoov

  • Malware Response Team
  • 3,519 posts
  • OFFLINE
  •  
  • Location:Mikado Michigan
  • Local time:10:52 PM

Posted 29 March 2009 - 09:25 PM

Try Avira's Rescue CD you will to run it from a clean computer and use it to create a bootable CD.
Visiting From SpywareHammer.com and DonHoover.net

Tilting at windmills hurts you more than the windmills.
-From the Notebooks of Lazarus Long
Senior of the Howard Families

Posted Image

#9 loaderboy

loaderboy
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:11:52 PM

Posted 29 March 2009 - 09:26 PM

I'll do that now and try running it in the morning.

#10 loaderboy

loaderboy
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:11:52 PM

Posted 31 March 2009 - 08:50 PM

Hoov,
I ran chkdsk /r in recovery console and got the avira rescue disk to run. tried to boot after that but couldn't.
I got my UBDC4win to run and am trying to run trendmicro system cleaner.
I apologize for the delay between posts but am busy at work and don't get much time to take care of this.
Will try to post tomorrow and update you on my progress.

#11 Hoov

Hoov

  • Malware Response Team
  • 3,519 posts
  • OFFLINE
  •  
  • Location:Mikado Michigan
  • Local time:10:52 PM

Posted 31 March 2009 - 08:56 PM

No worries, life happens.
Visiting From SpywareHammer.com and DonHoover.net

Tilting at windmills hurts you more than the windmills.
-From the Notebooks of Lazarus Long
Senior of the Howard Families

Posted Image

#12 Hoov

Hoov

  • Malware Response Team
  • 3,519 posts
  • OFFLINE
  •  
  • Location:Mikado Michigan
  • Local time:10:52 PM

Posted 11 April 2009 - 01:05 AM

loaderboy, do you still need help?
Visiting From SpywareHammer.com and DonHoover.net

Tilting at windmills hurts you more than the windmills.
-From the Notebooks of Lazarus Long
Senior of the Howard Families

Posted Image

#13 loaderboy

loaderboy
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:11:52 PM

Posted 12 April 2009 - 10:02 AM

Hi Hoov,
I'm back. I had to go to Ga. for a week but I have my baseball bat at the ready. I currently have the HDD from the infected unit slaved to a good machine and am scanning the drive with Malwarebytes. If nothing else I can now copy all the photos and documents to a good drive and start from scatch.
If you have any suggestions for what I might acomplish while I have this set up let me know.
Your wish is my command.
Thanx again, Mark

#14 Hoov

Hoov

  • Malware Response Team
  • 3,519 posts
  • OFFLINE
  •  
  • Location:Mikado Michigan
  • Local time:10:52 PM

Posted 12 April 2009 - 12:22 PM

I would also run a virus scanner on the harddrive. Also getting Trojanhunter may be worth it.

Please download and scan with SUPERAntiSpyware Free for Home Users
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download them from here. Double-click on the hyperlink for Download Installer and save SASDEFINITIONS.EXE to your desktop. Then double-click on SASDEFINITIONS.EXE to install the definitions.)
  • Under "Configuration and Preferences", click the Preferences button.
  • Click the Scanning Control tab.
  • Under Scanner Options make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen.
  • Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan.
  • Click "Next" to start the scan. Please be patient while it scans your computer.
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes".
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.
Download and scan with Spybot S&D 1.6.0
http://www.safer-networking.org/en/download/index.html

1. Install Spybot. Be sure to UNCHECK TeaTimer when presented with the option to install.
2. Run Spybot, go to the Menu Bar at the top choose Mode and make certain that "Default mode" has a check mark beside it.
3. Click the button "Search for Updates".
4. If any updates are found, install them by placing a checkmark next to each one and clicking "Download Updates".If you encounter any error messages while downloading the updates, manually download them from here.
5. Click on "Immunize". When it detects what has or has not been blocked, block all remaining items by clicking the green plus sign next to immunize at the top.
6. Click the button "Check for Problems".
7. When Spybot is complete, it will be showing RED entries, bold BLACK entries and GREEN entries in the window.
8. Make certain there is a check mark beside all of the RED entries ONLY.
9. Choose "Fix Selected Problems" and allow Spybot to fix the RED entries.
10. When the fix is done, right click in the white area of the report and select save results to file. Save the file and the attach it to your next post.
11. REBOOT to complete the scan and clear memory.

Note: After Windows loads, Spybot may run again to clean some files that it could not clean during the prior session. Follow the same procedure.

If none of those programs can at least get you to the point where you can boot the harddrive and install and run scans from normal windows, then If you have everything backed up, then I would format and reinstall windows.
Visiting From SpywareHammer.com and DonHoover.net

Tilting at windmills hurts you more than the windmills.
-From the Notebooks of Lazarus Long
Senior of the Howard Families

Posted Image

#15 loaderboy

loaderboy
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:11:52 PM

Posted 15 April 2009 - 08:24 PM

Hoov,
Computer is now with its owner. I sent it home w/ 2 HDDs and told them to get everything off of it that they want to save.
When they are done with that I plan to wipe the drive and re-install the OS. I thank you for your help and if need arises I will open a new thread in the future.
Thanx again for all the help, Mark

You may close this thread

Edited by loaderboy, 15 April 2009 - 08:25 PM.





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users