
Port Repair


12 replies to this topic

#1 DTH4EVA

Posted 16 March 2009 - 11:09 PM

Operating System: Windows XP Service Pack 2

How I got infected. One night I was surfing the internet and went onto one of my favorite adult sites, hentaifromhell.net. Due to a small lag spike, I couldn't close the usual pop-up fast enough.

The Virus. It replaced my desktop with a black background and a gray text box in the center. It had "WARNING!" flashing in all different colors. Below was "Your computer has been infected by a spyware virus" with some text below that was unimportant. It also opened in my system tray, a red circle with a white X in the middle telling me to "Download the Spyware Cleaner Tool". Though I no longer had my desktop image, my systems were functioning normally.

Aftermath. After purging the virus using Trojan Remover. It deleted all my C:\WINDOWS folder and killed my ports. I used both the Operating System Disk and Application/Driver Recovery Disk. I have all my functionality back except for internet plus 3 out of 4 of my USB ports are not working.

The Question. Short of buying a new laptop, is there anything that can be done to resolve this problem (like a port repair program)?

Thank you for reading this.

#2 quietman7


Posted 17 March 2009 - 11:48 AM

Are you saying that the entire Windows folder (containing the OS files) on drive C was deleted? If so, then you cannot boot up, is that correct?
.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#3 DTH4EVA


Posted 17 March 2009 - 02:27 PM

Here's the thing. The only path was C:/WINDOWS/system, which had nothing in it. My computer still functioned and I could open Word, Warcraft, and other applications fine. But when I ran the OS Disk, I returned to see all the dll's, files, and folders were restored. I don't know how my computer was functioning without the files necessary to run it, but it still worked.

However, the only missing functionality seems to be my internet. I still have a connection, my router is not the problem and neither is my ISP. The reason I believe it is my ports is because only one of my USBs is working and neither are any software programs that use port numbers to work correctly.

Edited by DTH4EVA, 17 March 2009 - 02:28 PM.


#4 quietman7


Posted 17 March 2009 - 06:27 PM

Please download Malwarebytes Anti-Malware (v1.34) and save it to your desktop.
alternate download link 1
alternate download link 2
If you have a previous version of MBAM, remove it via Add/Remove Programs and download a fresh copy.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself.
  • Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install. Alternatively, you can update through MBAM's interface from a clean computer, copy the definitions (rules.ref) located in C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware from that system to a usb stick or CD and then copy it to the infected machine.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with disinfection. Regardless if prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (ie Spybot's Teatimer), they may interfere or alert you after scanning with MBAM. Temporarily disable such programs or permit them to allow the changes. Click this link to see a list of programs that should be disabled.

#5 DTH4EVA


Posted 23 March 2009 - 12:33 AM

Sorry about taking so long, I had some things at work diverting my attention.

I brought Malwarebytes' Anti-Malware over to my infected machine after following the steps. The clean machine didn't have the Application Data folder to copy rules.ref, but I brought mbam-rules over and double-clicked it. It updated just fine on the infected machine.

When I executed mbam.exe, I got a messagebox with the title "VbAccelerator SCGrid II Control":
Run-Time Error '0'

Then after clicking ok, I got another messagebox with the title "Malwarebyte's Anti-Malware":
Run-Time Error '440': Automation Error

Did I miss a step? Or is a virus blocking me? Or is it something I don't know but you might?

#6 quietman7


Posted 23 March 2009 - 08:35 AM

A list of error codes can be found in the MBAM Help file. That error usually indicates the installation was either incomplete or may have been altered by some program. The recommended solution is to uninstall, reboot your computer and try to reinstall.

If that does not resolve the error, then report it here.

#7 DTH4EVA


Posted 24 March 2009 - 02:05 PM

Good news, I installed it on the infected machine rather than copy it over and IT WORKED! Sorry for the caps, it was exciting.

Here is the report from the quick scan:

Malwarebytes' Anti-Malware 1.34
Database version: 1749
Windows 5.1.2600 Service Pack 2

3/24/2009 10:10:13 AM
mbam-log-2009-03-24 (10-10-13).txt

Scan type: Quick Scan
Objects scanned: 73994
Time elapsed: 5 minute(s), 10 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 11
Registry Values Infected: 2
Registry Data Items Infected: 3
Folders Infected: 7
Files Infected: 9

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\oinsearchtoolbar.oinsbarband (Adware.PurityScan) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{b9f6e8eb-a4e3-478e-88a4-d3995b5c45c8} (Adware.PurityScan) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{b9f6e8eb-a4e3-478e-88a4-d3995b5c45c8} (Adware.PurityScan) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\oinsearchtoolbar.oinsbarband.1 (Adware.PurityScan) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{61d75b23-e2a5-0727-63d8-044be1e59ec8} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{100eb1fd-d03e-47fd-81f3-ee91287f9465} (Adware.Shopping.Report) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{c5428486-50a0-4a02-9d20-520b59a9f9b2} (Adware.Shopping.Report) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{c5428486-50a0-4a02-9d20-520b59a9f9b3} (Adware.Shopping.Report) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{a7cddcdc-beeb-4685-a062-978f5e07ceee} (Adware.Shopping.Report) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\oinsearch (Adware.PurityScan) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Juan (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar\{b9f6e8eb-a4e3-478e-88a4-d3995b5c45c8} (Adware.PurityScan) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\{7b4455d3-0d3f-1033-0707-050502210001} (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\StartMenuLogOff (Hijack.StartMenu) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetActiveDesktop (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetActiveDesktop (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
C:\Program Files\OIN Search (Adware.PurityScan) -> Quarantined and deleted successfully.
C:\Program Files\ShoppingReport (Adware.Shopping.Report) -> Quarantined and deleted successfully.
C:\Program Files\ShoppingReport\Bin (Adware.Shopping.Report) -> Quarantined and deleted successfully.
C:\Program Files\ShoppingReport\Bin\2.0.26 (Adware.Shopping.Report) -> Quarantined and deleted successfully.
C:\Program Files\WinAble (Trojan.Adloader) -> Quarantined and deleted successfully.
C:\resycled (Trojan.DNSChanger) -> Quarantined and deleted successfully.
C:\Program Files\Temporary (Trojan.Agent) -> Quarantined and deleted successfully.

Files Infected:
C:\Documents and Settings\Devon Deitsch\Local Settings\Application Data\yiyymse_navps.dat (Adware.Navipromo.H) -> Quarantined and deleted successfully.
C:\Documents and Settings\Devon Deitsch\Local Settings\Application Data\yiyymse_nav.dat (Adware.Navipromo.H) -> Quarantined and deleted successfully.
C:\Documents and Settings\Devon Deitsch\Local Settings\Application Data\yiyymse.dat (Adware.Navipromo.H) -> Quarantined and deleted successfully.
C:\Documents and Settings\Devon Deitsch\Local Settings\Application Data\yiyymse.exe (Adware.Navipromo.H) -> Quarantined and deleted successfully.
C:\Program Files\OIN Search\OINSearch.dll (Adware.PurityScan) -> Quarantined and deleted successfully.
C:\Program Files\OIN Search\Uninstall.exe (Adware.PurityScan) -> Quarantined and deleted successfully.
C:\Documents and Settings\Devon Deitsch\protect.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\warning.gif (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ClickToFindandFixErrors_RON.ico (Malware.Trace) -> Quarantined and deleted successfully.

#8 quietman7


Posted 24 March 2009 - 02:26 PM

Your MBAM log still indicates you are using an outdated database version 1749.

You can manually download the definition updates (1863) from another computer, save to a USB stick or CD, then transfer to the infected computer and just double-click on mbam-rules.exe to install. Mbam-rules.exe is not updated daily. Another way to get the most current database definitions (1892) is to install MBAM on a clean computer, launch the program, update through MBAM's interface, copy the definitions (rules.ref) to a USB stick or CD and transfer that file to the infected machine. Copy rules.ref to the location indicated for your operating system.
  • XP: C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware
  • Vista: C:\Documents and Settings\Users\All Users\Malwarebytes\Malwarebytes' Anti-Malware
If you cannot see the folder, you may have to Reconfigure Windows to show it. Then perform a new Quick Scan in normal mode and make sure you reboot afterwards. When done, click the Logs tab and copy/paste the contents of the new report in your next reply.

#9 DTH4EVA


Posted 24 March 2009 - 11:08 PM

Thank you for all your help. I know I haven't been quick to reply and I don't know if I caused you any undue stress because of it. I want you to know that your help is very much appreciated.

I updated my database, but no new infections were reported with the quick scan. Tomorrow morning, I will do a full scan when I awake and see if there were any that were missed.

Malwarebytes' Anti-Malware 1.34
Database version: 1863
Windows 5.1.2600 Service Pack 2

3/24/2009 10:29:50 PM
mbam-log-2009-03-24 (22-29-50).txt

Scan type: Quick Scan
Objects scanned: 77993
Time elapsed: 4 minute(s), 34 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
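
Added example, not part of the thread and not Malwarebytes' own tooling: a small Python parser for the MBAM 1.34 log layout posted above. It flags a database version below a caller-supplied minimum (1863 is the figure given in the thread), section counts that disagree with the itemized entries (a sign the log was pasted incompletely), and items whose action was not a successful removal. The sample log, the function names and the "Delete on reboot." outcome are constructed for illustration.

```python
import re
from collections import Counter

DB_RE = re.compile(r"^Database version: (\d+)$")
SUMMARY_RE = re.compile(r"^([A-Za-z ]+ Infected): (\d+)$")  # "Files Infected: 9"
HEADER_RE = re.compile(r"^([A-Za-z ]+ Infected):$")         # "Files Infected:"
# "<object> (<Detection.Name>) -> [Bad: (1) Good: (0) ->] <action>"
ITEM_RE = re.compile(r"^(.+?) \(([A-Za-z][\w.]*)\) -> (.+)$")

# Constructed sample in the layout of the logs above; the paths, detection
# names and the "Delete on reboot." outcome are illustrative only.
SAMPLE_LOG = r"""
Malwarebytes' Anti-Malware 1.34
Database version: 1749
Scan type: Quick Scan

Registry Keys Infected: 1
Folders Infected: 0
Files Infected: 3

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\ExampleToolbar (Adware.Example) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Example Dir\sample.dll (Trojan.Example) -> Delete on reboot.
C:\Example Dir\sample.ico (Malware.Trace) -> Quarantined and deleted successfully.
"""

def parse_mbam_log(text):
    """Return database version, declared section counts and itemized detections."""
    report = {"database": None, "declared": {}, "items": []}
    section = None
    for line in (raw.strip() for raw in text.splitlines()):
        if m := DB_RE.match(line):
            report["database"] = int(m[1])
        elif m := SUMMARY_RE.match(line):
            report["declared"][m[1]] = int(m[2])
        elif m := HEADER_RE.match(line):
            section = m[1]          # following item lines belong to this section
        elif section and (m := ITEM_RE.match(line)):
            report["items"].append({"section": section, "object": m[1],
                                    "detection": m[2],
                                    "action": m[3].split(" -> ")[-1]})
    return report

def triage(report, min_database):
    """Flag stale definitions, truncated logs and items not removed cleanly."""
    listed = Counter(i["section"] for i in report["items"])
    return {
        "stale_database": report["database"] is None
                          or report["database"] < min_database,
        "count_mismatches": {s: (n, listed.get(s, 0))
                             for s, n in report["declared"].items()
                             if n != listed.get(s, 0)},
        "families": Counter(i["detection"] for i in report["items"]),
        "unresolved": [i for i in report["items"]
                       if "successfully" not in i["action"]],
    }

if __name__ == "__main__":
    print(triage(parse_mbam_log(SAMPLE_LOG), min_database=1863))
```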

#10 quietman7


Posted 25 March 2009 - 07:57 AM

That's a good sign.

#11 DTH4EVA


Posted 27 March 2009 - 01:38 PM

Indeed it is, but the problem remains.

A little bit more explanation. When I load Firefox, it takes about 20-30 seconds longer than usual. It brings up the window, the progress bar comes up for a split second and then disappears saying it is done, leaving me only with a white window.

When I log on to WoW, it brings up an error message telling me the game is unable to create sockets for the server-client relationship. The actual file name is WoWConnections.cpp

#12 DTH4EVA


Posted 18 April 2009 - 01:53 PM

I feel like a schmuck. I did a purge, but it wasn't a complete purge. I am working on landline right now and I should have wireless working in a few minutes, only missing a driver to get it to work correctly. I would like to thank quietman7 for all the help given to me.

#13 quietman7


Posted 18 April 2009 - 10:19 PM

You're welcome.

If there are no more problems or signs of infection, you should Create a New Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been backed up, renamed and saved in System Restore. Since this is a protected directory your tools cannot access to delete these files, they sometimes can reinfect your system if you accidentally use an old restore point. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

The easiest and safest way to do this is:
  • Go to Start > Programs > Accessories > System Tools and click "System Restore".
  • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name, then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
  • Then use Disk Cleanup to remove all but the most recently created Restore Point.
  • Go to Start > Run and type: Cleanmgr
  • Click "Ok". Disk Cleanup will scan your files for several minutes, then open.
  • Click the "More Options" tab, then click the "Clean up" button under System Restore.
  • Click Ok. You will be prompted with "Are you sure you want to delete all but the most recent restore point?"
  • Click Yes, then click Ok.
  • Click Yes again when prompted with "Are you sure you want to perform these actions?"
  • Disk Cleanup will remove the files and close automatically.
Vista Users can refer to these links: Create a New Restore Point and Disk Cleanup.



