Suspected Malware causing wireless internet to not connect - Hijack Logs included


  • This topic is locked
2 replies to this topic

#1 T_V

  • Members
  • 1 posts

Posted 19 April 2009 - 01:51 PM

Hi,

I am desperate for help after about 4 weeks of lost time trying to fix my laptop.
I should have posted earlier but the problems kept compounding.
I have XP Professional on a Toshiba Portege (about 18 months old) and running AVG, Zone Alarms, Win Patrol and Spybot S & D. I can no longer connect to the internet and suspect some kind of malware due to the following problems:

1. About 4 weeks ago, Win Patrol kept producing the following message:
"Scotty has detected a change in the following monitored file...c:\windows\system32\drivers\etc\hosts"
I rejected the change but the box kept coming; after a while it just stayed and wouldn't go no matter what I did.
I found later the hosts file had been completely changed to include all sorts of sites.
After this first popped up I then had a message saying new hardware had been installed when I had not installed any hardware. However all appeared ok with AVG & Spybot, and I perform regular scans as the norm (at least weekly, sometimes daily).

2. I accidentally went to a porn site and then a browser hijack took place.

3. But worst of all, at some point I lost all ability to connect to the internet with my wireless and even with an ethernet connection. This was related to the timing of the Win Patrol message noted above, as I observed that I would have internet functionality until this notification came up and then I would lose connection. I did many system restores which helped for a while as a band aid approach as I tried to research how to fix the problems on the net. But after some time of the system restore approach I lost all ability to connect to the internet.

When I try and do internet repairs or use the Toshiba diagnostics it says:
"Windows could not finish repairing the problem because the following action cannot be completed:
Renewing your IP address. For assistance, contact the person who manages your network."

Also when I try and enter the WEP key for this wireless connection it does not remain in the properties as shown by a different number of characters.

4. Registry Defender - I accidentally downloaded it and ran a scan, not knowing exactly what it was.

After all of this I decided to try a reinstall from the recovery disc but then discovered the DVD/CD Drive wasn't working.
Then I lost the ability to boot the laptop even into normal start up mode. It would only start in safe mode.

I am in a foreign country right now that does not speak English so communication can be difficult.
But I got the laptop to the repairers. They said the only problems were:
- DVD/CD drive and replaced it
- Potential driver issues
The hard drive was wiped and the OS was reinstalled.

A few days ago, I get my PC back and I'm reinstalling AVG, Zone Alarms, Win Patrol, Spybot. I scan with AVG and spybot and it removes suspicious dialers and some cookies etc. At this point I am only using the internet to update all of these programmes while I am setting up again.

I remove the fingerprint software (TrueSuite), install SP3 and afterwards, I get the same Win Patrol notification as before:
"Scotty has detected a change in the following monitored file...c:\windows\system32\drivers\etc\hosts"
I check the replacement file that is requesting to be put in its place and it is the same or similar to the old one with all the problems. I reject the requested changes. It comes up again and I reject again.

And now, again, I find the same problem - I can't connect to the internet at all. Doing the system restore does not help as it won't go back to any point before having installed SP3. So I cannot connect to the internet at all now, not even with an Ethernet LAN line.

I suspect I may still have malware given this requested change in the host file even after the fresh reinstall of the operating system.
I get the same error when trying to repair the wireless connection:
"Windows could not finish repairing the problem because the following action cannot be completed:
Renewing your IP address. For assistance, contact the person who manages your network."
When I run Network Diagnostics for Windows XP I get the following:
"The wireless network key on this computer does not match the key settings on the wireless router or access point. To connect to the network, the keys must match"
However, I tried changing the network key many times over, yet after I insert the WEP key and go back into properties, it does not remain.

I don't know what else to do after all of these problems. I am at least a month behind in my work now and desperately need to get back on top of my work. I would greatly appreciate any advice that can resolve my issues asap.

Both hijack logs are included - DDS below and Attach attached.

With many thanks and best wishes

TV

----------------------------------------------------------------------------------
DDS Log


DDS (Ver_09-03-16.01) - NTFSx86
Run by emma at 20:08:38.42 on 19/04/2009
Internet Explorer: 6.0.2900.5512
Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.2039.1409 [GMT 1:00]

AV: AVG Internet Security *On-access scanning enabled* (Updated)
FW: ZoneAlarm Firewall *enabled*
FW: AVG Firewall *disabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AVG\AVG8\IdentityProtection\agent\Bin\AVGIDSAgent.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\PROGRA~1\AVG\AVG8\avgfws8.exe
C:\Program Files\AVG\AVG8\IdentityProtection\agent\Bin\AVGIDSWatcher.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\PROGRA~1\AVG\AVG8\avgam.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\system32\ThpSrv.exe
C:\Program Files\TOSHIBA\TME3\Tmesrv31.exe
C:\WINDOWS\system32\TODDSrv.exe
C:\Program Files\TOSHIBA\TME3\TMEEJME.EXE
c:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\00THotkey.exe
C:\Program Files\TOSHIBA\TouchED\TouchED.exe
C:\WINDOWS\system32\thpsrv.exe
C:\WINDOWS\system32\TFNF5.exe
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
C:\WINDOWS\system32\TPSODDCtl.exe
C:\WINDOWS\system32\TPSMain.exe
C:\Program Files\TOSHIBA\TME3\TMERzCtl.EXE
C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\Program Files\TOSHIBA\TAudEffect\TAudEff.exe
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\Program Files\TOSHIBA\TOSHIBA Direct Disc Writer\ddwmon.exe
C:\WINDOWS\system32\igfxext.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\AVG\AVG8\IdentityProtection\agent\bin\AVGIDSUI.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\AVG\AVG8\IdentityProtection\agent\bin\AVGIDSMonitor.exe
C:\WINDOWS\system32\wuauclt.exe
F:\dds.scr

============== Pseudo HJT Report ===============

uInternet Settings,ProxyOverride = 127.0.0.1
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0\bin\ssv.dll
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [00THotkey] c:\windows\system32\00THotkey.exe
mRun: [000StTHK] 000StTHK.exe
mRun: [TouchED] c:\program files\toshiba\touched\TouchED.exe
mRun: [TosAutLk] c:\program files\toshiba\wirelesskeylogon\TosAutLk.exe -s
mRun: [ThpSrv] c:\windows\system32\thpsrv /logon
mRun: [TFNF5] TFNF5.exe
mRun: [SmoothView] c:\program files\toshiba\toshiba zooming utility\SmoothView.exe
mRun: [TPSODDCtl] TPSODDCtl.exe
mRun: [TPSMain] TPSMain.exe
mRun: [TMERzCtl.EXE] c:\program files\toshiba\tme3\TMERzCtl.EXE /Service
mRun: [TMESRV.EXE] c:\program files\toshiba\tme3\TMESRV31.EXE /Logon
mRun: [TOSDCR] TOSDCR.EXE
mRun: [TosHKCW.exe] "c:\program files\toshiba\wireless hotkey\TosHKCW.exe"
mRun: [NDSTray.exe] NDSTray.exe
mRun: [TAudEffect] c:\program files\toshiba\taudeffect\TAudEff.exe /run
mRun: [TFncKy] TFncKy.exe
mRun: [DDWMon] c:\program files\toshiba\toshiba direct disc writer\\ddwmon.exe
mRun: [topi] c:\program files\toshiba\toshiba online product information\topi.exe -startup
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
mRun: [WinPatrol] c:\program files\billp studios\winpatrol\winpatrol.exe
mRun: [Apoint] c:\program files\apoint2k\Apoint.exe
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [AVGIDS] "c:\program files\avg\avg8\identityprotection\agent\bin\AVGIDSUI.exe"
dRun: [TOSCDSPD] c:\program files\toshiba\toscdspd\toscdspd.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0\bin\ssv.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1240069167703
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: igfxcui - igfxdev.dll

============= SERVICES / DRIVERS ===============

R0 AVGIDSErHr;AVGIDSErHr;c:\windows\system32\drivers\AVGIDSErHr.sys [2009-2-26 25608]
R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [2009-4-17 12552]
R0 Thpdrv;TOSHIBA HDD Protection Driver;c:\windows\system32\drivers\thpdrv.sys [2007-4-27 21120]
R0 Thpevm;TOSHIBA HDD Protection - Shock Sensor Driver;c:\windows\system32\drivers\Thpevm.sys [2007-3-9 6528]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-4-17 325640]
R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-4-17 27656]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-4-17 107912]
R1 TMEI3E;TMEI3E;c:\windows\system32\drivers\TMEI3E.sys [2007-6-28 5888]
R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2009-4-17 394192]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-4-17 298264]
R2 avgfws8;AVG8 Firewall;c:\progra~1\avg\avg8\avgfws8.exe [2009-4-17 1362784]
R2 AVGIDSAgent;AVGIDSAgent;c:\program files\avg\avg8\identityprotection\agent\bin\AVGIDSAgent.exe [2009-2-26 5576712]
R2 AVGIDSWatcher;AVGIDSWatcher;c:\program files\avg\avg8\identityprotection\agent\bin\AVGIDSWatcher.exe [2009-2-26 563720]
R2 tdudf;TOSHIBA UDF File System Driver;c:\windows\system32\drivers\tdudf.sys [2007-3-26 105856]
R2 Tmesrv;Tmesrv3;c:\program files\toshiba\tme3\TMESRV31.exe [2007-6-28 114688]
R2 trudf;TOSHIBA DVD-RAM UDF File System Driver;c:\windows\system32\drivers\trudf.sys [2007-2-19 134016]
R2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]
R3 Avgfwdx;Avgfwdx;c:\windows\system32\drivers\avgfwdx.sys [2009-4-17 29208]
R3 AVGIDSDriver;AVGIDSDriver;c:\program files\avg\avg8\identityprotection\agent\driver\platform_xp\AVGIDSDriver.sys [2009-2-26 121352]
R3 AVGIDSFilter;AVGIDSFilter;c:\program files\avg\avg8\identityprotection\agent\driver\platform_xp\AVGIDSFilter.sys [2009-2-26 30216]
R3 AVGIDSShim;AVGIDSShim;c:\program files\avg\avg8\identityprotection\agent\driver\platform_xp\AVGIDSShim.sys [2009-2-26 27232]
R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [2007-6-28 36608]
R3 TEchoCan;Toshiba Audio Effect;c:\windows\system32\drivers\TEchoCan.sys [2007-6-28 435072]
S2 MSSQL$MSSMLBIZ;SQL Server (MSSMLBIZ);c:\program files\microsoft sql server\mssql.1\mssql\binn\sqlservr.exe [2006-4-14 28933976]
S3 Avgfwfd;AVG network filter service;c:\windows\system32\drivers\avgfwdx.sys [2009-4-17 29208]

=============== Created Last 30 ================

2009-04-19 18:54 <DIR> --d----- c:\windows\Motive
2009-04-19 18:54 <DIR> --d----- c:\program files\common files\Motive
2009-04-19 18:54 <DIR> --d----- c:\program files\Alice ti aiuta
2009-04-19 18:54 <DIR> --d----- c:\windows\system32\en
2009-04-19 18:54 <DIR> --d----- c:\windows\system32\bits
2009-04-19 18:51 <DIR> --d----- c:\windows\system32\PreInstall
2009-04-18 17:15 <DIR> --d----- c:\windows\system32\scripting
2009-04-18 17:15 <DIR> --d----- c:\windows\l2schemas
2009-04-18 17:12 <DIR> --d----- c:\windows\ServicePackFiles
2009-04-18 17:10 <DIR> --d----- c:\windows\network diagnostic
2009-04-18 17:00 701,440 -------- c:\windows\system32\drivers\ati2mtag.sys
2009-04-18 15:03 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2009-04-18 15:03 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2009-04-18 13:12 <DIR> --d-h--- C:\$AVG8.VAULT$
2009-04-18 13:02 <DIR> --d----- c:\windows\system32\SoftwareDistribution
2009-04-17 17:06 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Downloaded Installations
2009-04-17 17:06 107,912 a------- c:\windows\system32\drivers\avgtdix.sys
2009-04-17 17:06 12,552 a------- c:\windows\system32\drivers\avgrkx86.sys
2009-04-17 17:06 10,520 a------- c:\windows\system32\avgrsstx.dll
2009-04-17 17:06 325,640 a------- c:\windows\system32\drivers\avgldx86.sys
2009-04-17 17:06 <DIR> --d----- c:\windows\system32\drivers\Avg
2009-04-17 17:06 50,968 a------- c:\windows\system32\avgfwdx.dll
2009-04-17 17:06 29,208 a------- c:\windows\system32\drivers\avgfwdx.sys
2009-04-17 17:06 <DIR> --d----- c:\program files\AVG
2009-04-17 17:06 <DIR> --d----- c:\docume~1\alluse~1\applic~1\avg8
2009-04-17 17:01 <DIR> --d----- c:\program files\BillP Studios
2009-04-17 17:01 <DIR> --d----- c:\docume~1\emma\applic~1\WinPatrol
2009-04-17 16:54 <DIR> --d----- c:\program files\Zone Labs
2009-04-17 16:53 <DIR> --d----- c:\windows\Internet Logs
2009-04-17 16:45 16 a------- c:\windows\system32\coh.cache
2009-04-16 13:25 0 a--shr-- c:\windows\system32\drivers\TOSHIBA_PORTEGE R500_05458-EN_PPR50E-04X04.MRK
2009-04-16 13:25 <DIR> --d----- c:\documents and settings\emma
2009-04-16 13:24 516,096 a------- c:\windows\system32\TOSCDSPD.cpl
2009-04-16 13:17 <DIR> --ds---- c:\documents and settings\emma\UserData
2009-04-16 13:15 12,160 a------- c:\windows\system32\drivers\mouhid.sys
2009-04-16 13:15 10,368 a------- c:\windows\system32\drivers\hidusb.sys

==================== Find3M ====================

2009-04-19 17:06 155,995 a------- c:\windows\java\packages\8AI97DNB.ZIP
2009-04-19 17:06 2,232 a------- c:\windows\java\packages\data\DJTVJLVD.DAT
2009-04-19 17:06 2,678 a------- c:\windows\java\packages\data\7Z5NFDZB.DAT
2009-04-19 17:06 2,678 a------- c:\windows\java\packages\data\PRHNRL3R.DAT
2009-04-19 17:06 2,678 a------- c:\windows\java\packages\data\GBXVHFTV.DAT
2009-04-19 17:06 2,678 a------- c:\windows\java\packages\data\393XBTBZ.DAT
2009-04-19 17:06 2,678 a------- c:\windows\java\packages\data\813ZDFX7.DAT
2009-04-18 18:44 183,360 a------- c:\windows\pchealth\helpctr\config\cache\Professional_32_1033.dat
2009-04-18 17:19 86,995 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2009-04-17 16:56 4,212 ----h--- c:\windows\system32\zllictbl.dat
2009-02-26 12:46 74,760 a------- c:\windows\system32\drivers\UniversalDD.sys
2009-02-26 12:46 25,608 a------- c:\windows\system32\drivers\AVGIDSErHr.sys

============= FINISH: 20:09:19.48 ===============

Attached Files
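Added example, not part of the thread or of any tool it mentions: the recurring WinPatrol alert in the first post concerns the drivers/etc/hosts file being rewritten, which is a common way malware blocks antivirus and Windows Update traffic. The script below shows one way a defender audits a copy of a hosts file for the two patterns such rewrites typically show: hostnames redirected to a non-loopback address, and security-vendor or update domains pinned to loopback so they never resolve. The watched domain list, the sample hosts text and the `Finding` structure are constructed assumptions for this example; nothing here is taken from the poster's log.

```python
"""Audit a Windows hosts file for entries that look like a hijack.

Two rules, both defensive heuristics assumed for this example:
  1. A hostname mapped to an address that is not loopback is suspicious;
     a stock hosts file contains only 127.0.0.1 / ::1 entries.
  2. A security-vendor or update-service hostname mapped anywhere
     (including loopback) is suspicious, because it blackholes updates.
"""
from ipaddress import ip_address
from typing import List, NamedTuple, Tuple

LOOPBACK = {"127.0.0.1", "::1"}

# Constructed watch list: domains whose redirection would block updates.
# Extend it with the vendors actually installed on the machine.
WATCHED_SUFFIXES = (
    "microsoft.com", "windowsupdate.com", "avg.com", "safer-networking.org",
    "zonealarm.com", "winpatrol.com", "symantec.com", "mcafee.com",
)


class Finding(NamedTuple):
    line_no: int
    address: str
    hostname: str
    reason: str


def parse_hosts(text: str) -> List[Tuple[int, str, List[str]]]:
    """Return (line_no, address, [hostnames]) for each active entry.

    Comments (# ...) and blank lines are skipped; a line whose first token
    is not an IP address is not a hosts entry and is ignored.
    """
    entries = []
    for n, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        try:
            ip_address(parts[0])
        except ValueError:
            continue
        if len(parts) > 1:
            entries.append((n, parts[0], parts[1:]))
    return entries


def is_watched(hostname: str) -> bool:
    """True if hostname is, or is a subdomain of, a watched domain."""
    h = hostname.lower().rstrip(".")
    return any(h == s or h.endswith("." + s) for s in WATCHED_SUFFIXES)


def audit_hosts(text: str) -> List[Finding]:
    """Apply both rules to every entry and return the findings in file order."""
    findings = []
    for n, addr, names in parse_hosts(text):
        for name in names:
            if name.lower() == "localhost":
                continue  # the one mapping every hosts file legitimately has
            if addr not in LOOPBACK:
                findings.append(Finding(n, addr, name, "non-loopback redirect"))
            elif is_watched(name):
                findings.append(Finding(n, addr, name, "update/security domain blackholed"))
    return findings


# Constructed sample in the style of a tampered XP hosts file.
# 203.0.113.10 is a TEST-NET-3 documentation address, not a real host.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       update.microsoft.com    # blocks Windows Update
127.0.0.1       www.avg.com
203.0.113.10    www.example-bank.com    # redirected to a foreign host
::1             localhost
"""

if __name__ == "__main__":
    for f in audit_hosts(SAMPLE_HOSTS):
        print(f"line {f.line_no}: {f.address} -> {f.hostname} ({f.reason})")
```

Run it against a copy of the hosts file rather than the live one, and treat a clean result as necessary but not sufficient: the poster's log also shows a `ProxyOverride` setting and a fresh reinstall did not stop the rewrites, so a hosts-file check only tells you what the current file says, not what keeps changing it.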




#2 KoanYorel

    Bleepin' Conundrum

  • Staff Emeritus
  • 19,461 posts
  • Gender:Male
  • Location:65 miles due East of the "Logic Free Zone", in Md, USA

Posted 04 May 2009 - 01:58 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

R,
K
The only easy day was yesterday.

...some do, some don't; some will, some won't (WR)

#3 KoanYorel

    Bleepin' Conundrum

  • Staff Emeritus
  • 19,461 posts
  • Gender:Male
  • Location:65 miles due East of the "Logic Free Zone", in Md, USA

Posted 08 May 2009 - 01:17 AM

Due to the lack of feedback This Topic is closed.

Should you need it reopened, please contact a Forum Moderator. Include the address of this thread in your request.

If you have a new issue, please start a New Topic.

This applies only to the original poster. Everyone else please begin a New Topic.

R,
K
The only easy day was yesterday.

...some do, some don't; some will, some won't (WR)



