
NO DESKTOP ICONS and WIN LOGON SCREEN


  • This topic is locked
10 replies to this topic

#1 anadca

anadca

  • Members
  • 5 posts

Posted 29 April 2009 - 09:31 AM

Hello Everyone,

I have been trying to get rid of a problem that has plagued me for the last 4 weeks.

Initially, I only noticed that there was a problem when McAfee expired and I didn't renew it
because it had not blocked out all the spyware and malware that I previously had, such as the
Vundo virus 12 months ago. In fact, it did not even detect it. It was SUPERAntiSpyware and VundoFix
that detected and removed it.

This time, however, I was starting Windows and a black blank screen came up with a Windows Logon.

Where did that come from? It had never been there before and it isn't the blue Windows Users Welcome Screen
either.

When I clicked on "OK", Windows proceeded to load the desktop background with no icons.

The CPU light is still ticking away there but I am unable to get into my desktop.

Using "Ctrl", "Alt" + "Del" would allow me to log-off and log back in whereafter the desktop icons
would appear, then over the next few restarts, it didn't matter what you did, the desktop icons did
not appear and right-click mouse is disabled so I could not bring up "Properties" or anything else.

Sometimes it would log me on, then off again, straight away. Back to the Windows Logon Screen.

This virus also corrupted my Nero 7.exe file and I was unable to burn anything.

Also, when trying to ask for Windows Help, it would not come up.

I have totally re-formatted the drive and installed a fresh copy of Win XP SP2 more than 10 or 15 times over the last
4 weeks (I've lost count. I'm getting dizzy from frustration.)

I have even upgraded to Win XP Service Pack 3 and downloaded all the windows updates. No difference.

I used Dr Web to do a boot scan and I deleted a lot of System Volume Information and Restore files that it
recommended me to delete, but the Windows Logon screen persisted.

I have used Avast!, Adaware, Spybot, Superantispyware, Comodo Firewall but I think I am getting confused now
because I really do not know what to delete and what to keep.

So I am back with a total format/reinstall and asking if someone could please help me. Now the whole desktop
has gone blank again (only the desktop background picture comes up) and I am writing this in Windows Safe Mode.

Has anyone come across this before?

Here is the Hijack log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:36:23 PM, on 4/30/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Safe mode with network support

Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\Explorer.EXE
F:\WINDOWS\system32\ctfmon.exe
D:\Program Files\SUPERAntiSpyware.exe
D:\Program Files\Comodo\COMODO Internet Security\cfp.exe
F:\Program Files\Netscape\Navigator 9\navigator.exe
F:\WINDOWS\system32\igfxsrvc.exe
F:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.blackjackballroom.com/referral....aff_id=aff77451
F2 - REG:system.ini: UserInit=F:\WINDOWS\system32\userinit.exe,F:\WINDOWS\system32\twext.exe,
O2 - BHO: AskBar BHO - {201f27d4-3704-41d6-89c1-aa35e39143ed} - F:\Program Files\AskBarDis\bar\bin\askBar.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - D:\SPYBOT~1\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - F:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O3 - Toolbar: Ask Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - F:\Program Files\AskBarDis\bar\bin\askBar.dll
O4 - HKLM\..\Run: [COMODO SafeSurf] "F:\Program Files\COMODO\SafeSurf\cssurf.exe" -s
O4 - HKLM\..\Run: [COMODO Internet Security] "D:\Program Files\Comodo\COMODO Internet Security\cfp.exe" -h
O4 - HKLM\..\Run: [MSConfig] F:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKCU\..\Run: [SUPERAntiSpyware] D:\Program Files\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] D:\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [ctfmon.exe] F:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - F:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - F:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - F:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - F:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - F:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - F:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O20 - AppInit_DLLs: F:\WINDOWS\system32\guard32.dll F:\WINDOWS\system32\cssdll32.dll
O20 - Winlogon Notify: !SASWinLogon - D:\Program Files\SASWINLO.dll
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - F:\WINDOWS\system32\brsvc01a.exe
O23 - Service: COMODO Internet Security Helper Service (cmdAgent) - Unknown owner - D:\Program Files\Comodo\COMODO Internet Security\cmdagent.exe

--
End of file - 3767 bytes

Here is the DDS log:

DDS (Ver_09-03-16.01) - NTFSx86 NETWORK
Run by ah at 23:39:55.21 on Thu 04/30/2009
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.3062.2605 [GMT 10:00]

AV: COMODO Antivirus *On-access scanning enabled* (Updated)
FW: COMODO Firewall *enabled*

============== Running Processes ===============

F:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
F:\WINDOWS\system32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
F:\WINDOWS\Explorer.EXE
F:\WINDOWS\system32\ctfmon.exe
D:\Program Files\SUPERAntiSpyware.exe
D:\Program Files\Comodo\COMODO Internet Security\cfp.exe
F:\Program Files\Netscape\Navigator 9\navigator.exe
F:\WINDOWS\system32\igfxsrvc.exe
F:\Program Files\Trend Micro\HijackThis\HijackThis.exe
F:\WINDOWS\system32\NOTEPAD.EXE
F:\Program Files\Internet Explorer\iexplore.exe
F:\Documents and Settings\ah\Desktop\HIJACK THIS 2009\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com.au/
uInternet Connection Wizard,ShellNext = hxxp://www.blackjackballroom.com/referral.asp?aff_id=aff77451
mWinlogon: Userinit=f:\windows\system32\userinit.exe,f:\windows\system32\twext.exe,
BHO: AskBar BHO: {201f27d4-3704-41d6-89c1-aa35e39143ed} - f:\program files\askbardis\bar\bin\askBar.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - d:\spybot~1\SDHelper.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - f:\progra~1\micros~2\office12\GRA8E1~1.DLL
TB: Ask Toolbar: {3041d03e-fd4b-44e0-b742-2d9b88305f98} - f:\program files\askbardis\bar\bin\askBar.dll
uRun: [SUPERAntiSpyware] d:\program files\SUPERAntiSpyware.exe
uRun: [SpybotSD TeaTimer] d:\spybot - search & destroy\TeaTimer.exe
uRun: [ctfmon.exe] f:\windows\system32\ctfmon.exe
mRun: [COMODO SafeSurf] "f:\program files\comodo\safesurf\cssurf.exe" -s
mRun: [COMODO Internet Security] "d:\program files\comodo\comodo internet security\cfp.exe" -h
mRun: [MSConfig] f:\windows\pchealth\helpctr\binaries\MSConfig.exe /auto
mRun: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
IE: E&xport to Microsoft Excel - f:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - f:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - f:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - f:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - d:\spybot~1\SDHelper.dll
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - f:\progra~1\micros~2\office12\GR99D3~1.DLL
Notify: !SASWinLogon - d:\program files\SASWINLO.dll
Notify: igfxcui - igfxdev.dll
AppInit_DLLs: f:\windows\system32\guard32.dll f:\windows\system32\cssdll32.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - d:\program files\SASSEH.DLL
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - f:\progra~1\micros~2\office12\GRA8E1~1.DLL

============= SERVICES / DRIVERS ===============

R1 cmdHlp;COMODO Internet Security Helper Driver;f:\windows\system32\drivers\cmdhlp.sys [2009-4-29 31504]
S1 cmdGuard;COMODO Internet Security Sandbox Driver;f:\windows\system32\drivers\cmdguard.sys [2009-4-29 101776]
S1 SASDIFSV;SASDIFSV;d:\program files\sasdifsv.sys [2009-3-24 9968]
S1 SASKUTIL;SASKUTIL;d:\program files\SASKUTIL.SYS [2009-3-24 72944]
S2 cmdAgent;COMODO Internet Security Helper Service;d:\program files\comodo\comodo internet security\cmdagent.exe [2009-4-29 638712]
S3 hidshim;Service for HID-KMDF Shim layer;f:\windows\system32\drivers\hidshim.sys [2009-4-29 5632]
S3 SASENUM;SASENUM;d:\program files\SASENUM.SYS [2009-3-24 7408]
S3 winbondhidcir;Winbond HID CIR Receiver;f:\windows\system32\drivers\winbondhidcir.sys [2009-4-29 21504]

=============== Created Last 30 ================

2009-04-30 23:36 <DIR> --d----- f:\program files\Trend Micro
2009-04-30 22:39 <DIR> --d----- f:\windows\pss
2009-04-30 22:08 184 a------- f:\windows\system32\brsvc01a.bsi
2009-04-30 22:06 <DIR> --d----- f:\program files\Brownie
2009-04-30 22:06 <DIR> --d----- f:\program files\Brother
2009-04-30 22:05 323,584 a------- f:\windows\IsUninst.exe
2009-04-30 22:05 <DIR> --d----- f:\documents and settings\ah\WINDOWS
2009-04-30 17:45 32,592 a------- f:\windows\system32\msonpmon.dll
2009-04-30 17:40 <DIR> --d----- f:\windows\SHELLNEW
2009-04-30 15:29 17,492 a------- f:\windows\system32\OP5400N.cah
2009-04-30 15:29 13,076 a------- f:\windows\system32\OPLO_M00.cah
2009-04-30 15:29 300 a------- f:\windows\OPLO.INI
2009-04-30 15:29 25,856 a------- f:\windows\system32\drivers\usbprint.sys
2009-04-30 15:26 57,344 a----r-- f:\windows\system32\OPSTDMON.DLL
2009-04-30 05:03 <DIR> --d----- f:\program files\Netscape
2009-04-30 05:02 <DIR> --d-h--- f:\windows\$hf_mig$
2009-04-29 13:09 <DIR> --d----- f:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-04-29 13:08 <DIR> --d----- f:\docume~1\ah\applic~1\SUPERAntiSpyware.com
2009-04-29 13:08 <DIR> --d----- f:\program files\common files\Wise Installation Wizard
2009-04-29 12:56 <DIR> --dsh--- f:\windows\system32\twain_32
2009-04-29 12:56 0 a------- f:\windows\system32\5.tmp
2009-04-29 12:56 59,904 a------- f:\windows\system32\4.tmp
2009-04-29 12:56 40 a------- f:\windows\system32\3.tmp
2009-04-29 12:54 252 a------- f:\windows\wininit.ini
2009-04-29 12:41 <DIR> --d----- f:\docume~1\alluse~1\applic~1\_comodo_
2009-04-29 12:07 <DIR> --d----- f:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2009-04-29 11:19 26,496 ac------ f:\windows\system32\dllcache\usbstor.sys
2009-04-29 11:19 249,592 a------- f:\windows\system32\cssdll32.dll
2009-04-29 11:19 <DIR> --d----- f:\program files\COMODO
2009-04-29 11:19 <DIR> --d----- f:\program files\AskBarDis
2009-04-29 11:18 147,192 a------- f:\windows\system32\guard32.dll
2009-04-29 11:18 101,776 a------- f:\windows\system32\drivers\cmdguard.sys
2009-04-29 11:18 31,504 a------- f:\windows\system32\drivers\cmdhlp.sys
2009-04-29 11:18 <DIR> --d----- f:\docume~1\alluse~1\applic~1\comodo
2009-04-29 11:09 940,794 a------- f:\windows\system32\LoopyMusic.wav
2009-04-29 11:09 146,650 a------- f:\windows\system32\BuzzingBee.wav
2009-04-29 11:09 <DIR> --d----- f:\windows\system32\Lang
2009-04-29 11:07 14,848 ac------ f:\windows\system32\dllcache\kbdhid.sys
2009-04-29 11:07 14,848 a------- f:\windows\system32\drivers\kbdhid.sys
2009-04-29 11:07 21,504 ac------ f:\windows\system32\dllcache\hidserv.dll
2009-04-29 11:07 0 a---h--- f:\windows\system32\drivers\Msft_Kernel_winbondhidcir_01005.Wdf
2009-04-29 11:07 21,504 a------- f:\windows\system32\hidserv.dll
2009-04-29 11:07 0 a---h--- f:\windows\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2009-04-29 11:07 23,856 a------- f:\windows\system32\spupdsvc.exe
2009-04-29 11:05 <DIR> --d----- f:\program files\CONEXANT
2009-04-29 10:49 <DIR> --d----- f:\windows\system32\ReinstallBackups
2009-04-29 10:47 <DIR> --d----- f:\documents and settings\ah
2009-04-29 10:27 <DIR> --ds---- f:\windows\system32\Microsoft
2009-04-29 10:18 8,192 a------- f:\windows\REGLOCS.OLD
2009-04-29 10:15 221,696 ac------ f:\windows\system32\dllcache\seo.dll
2009-04-29 10:14 1,677,824 ac------ f:\windows\system32\dllcache\chsbrkr.dll
2009-04-29 10:13 <DIR> --dsh--- f:\documents and settings\all users\DRM
2009-04-29 10:12 <DIR> --d-h--- f:\program files\WindowsUpdate
2009-04-29 10:12 <DIR> --d----- f:\program files\common files\MSSoap
2009-04-29 10:10 <DIR> --d----- f:\program files\Online Services
2009-04-29 10:10 <DIR> --d----- f:\program files\Windows Media Connect 2
2009-04-29 10:10 <DIR> --d----- f:\program files\Messenger
2009-04-29 10:10 <DIR> --d----- f:\program files\MSN Gaming Zone
2009-04-29 10:09 <DIR> --d----- f:\program files\Windows NT
2009-04-29 06:05 <DIR> --d----- f:\program files\common files\ODBC
2009-04-29 06:05 <DIR> --d----- f:\program files\common files\SpeechEngines
2009-04-29 06:04 <DIR> --d--r-- f:\documents and settings\all users\Documents

==================== Find3M ====================

2009-04-29 10:43 86,327 a------- f:\windows\pchealth\helpctr\offlinecache\index.dat
2009-04-29 10:11 21,640 a------- f:\windows\system32\emptyregdb.dat

============= FINISH: 23:40:09.65 ===============

My computer guy hasn't got a clue about what I am talking about, and he said it is impossible for a virus to
exist once you have reformatted the whole drive and that I was mad thinking that the virus hides
somewhere in the computer, waits for some internet instruction, then madly infects my computer
functions and self-replicates onto my flash drives and other drives.

Thank you in advance for any help,
Anthony.


#2 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,726 posts
  • Gender:Male
  • Location:The Netherlands

Posted 29 April 2009 - 01:34 PM

Hi anadca,

Welcome to BC HijackThis forum. I am farbar. I am going to assist you with your problem.

Please refrain from making any changes to your system (updating Windows, installing applications, removing files, etc.) from now on as it might prolong handling your log and make the job for both of us more difficult.
  • You have the program Spybot S&D (Teatimer option) running on your machine. We need to disable TeaTimer so it does not interfere with the fixes we are about to do. This will only take a few seconds.
    • First disable TeaTimer:
      • Run Spybot-S&D
      • Go to the Mode menu, and make sure Advanced Mode is selected
      • On the left hand side, choose Tools -> Resident
      • Uncheck Resident TeaTimer and OK any prompts
      • Restart your computer.
      Instruction is also here: How to disable TeaTimer during HijackThis Cleanup

      Note: If TeaTimer gives you a warning afterwards that some changes were made, allow this instead of blocking it.

    • Then download ResetTeaTimer.exe to your desktop. (In case you use Firefox, right-click the link and choose "Save Link As".)
      • Double-click ResetTeaTimer.exe and let it run.
    Note: The Teatimer should be kept disabled until I give you the clean sign.


  • Please open HijackThis and choose "Do a system scan only". Check the boxes next to ONLY the entries listed below (if present):

    F2 - REG:system.ini: UserInit=F:\WINDOWS\system32\userinit.exe,F:\WINDOWS\system32\twext.exe,
    O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u


    Now close all windows other than HiJackThis, including browsers, so that nothing other than HijackThis is open, then click Fix Checked. A box will pop up asking you if you wish to fix the selected items. Please choose YES. Once it has fixed them, please exit/close HijackThis.

  • I see on the log Ask Toolbar is installed on your computer:

    This program is known to be bundled with adware/spyware. You may read more about Ask Toolbars here:
    http://www.benedelman.org/spyware/ask-toolbars/

    To uninstall Ask Toolbar:

    Click "start" on the taskbar and then click on the "Control Panel" icon.
    Please double-click the "Add or Remove Programs" icon.
    A list of programs installed will be "populated"; this may take a bit of time.
    If they exist, uninstall the following by clicking on the following entries and selecting "remove":

    Ask Toolbar

    Also remove the folder in bold: C:\Program Files\AskSBar

  • Please download Malwarebytes' Anti-Malware from MajorGeeks
    • Double Click mbam-setup.exe to install the application.
    • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
    • If an update is found, it will download and install the latest version.
    • Once the program has loaded, select "Perform Quick Scan", then click Scan.
    • The scan may take some time to finish, so please be patient.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Make sure that everything is checked, and click Remove Selected.
    • When disinfection is completed, a log will open in Notepad and you may be prompted to restart. (See Extra Note)
    • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
    • Copy & paste the MBAM log.
    Extra Note:
    If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.


  • Please copy and paste a fresh Hijackthis log to your reply.
Please include in your next reply:
  • The log of MBAM.
  • A fresh Hijackthis log.
  • Any comment or feedback about how it went.
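As an added example (not from the thread, from HijackThis or from any of Farbar's tools), the script below scans HijackThis-style log lines for the two entries singled out in the post above: an F2 UserInit value that lists an extra executable next to userinit.exe, and an R1 ShellNext value pointing at an external URL. The log lines are constructed to mirror the ones posted in this thread.

```python
"""Triage helper for HijackThis-style log lines (added example).

Windows runs every comma-separated entry of the Winlogon UserInit value at
logon, so an extra executable next to userinit.exe is a classic persistence
point; the ShellNext value of the Internet Connection Wizard is another
place this thread shows being abused for pop-ups.
"""
import re

# Constructed log lines modelled on the ones posted in the thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.blackjackballroom.com/referral.asp?aff_id=aff77451
F2 - REG:system.ini: UserInit=F:\WINDOWS\system32\userinit.exe,F:\WINDOWS\system32\twext.exe,
O4 - HKLM\..\Run: [COMODO SafeSurf] "F:\Program Files\COMODO\SafeSurf\cssurf.exe" -s
O4 - HKCU\..\Run: [ctfmon.exe] F:\WINDOWS\system32\ctfmon.exe
"""

USERINIT_RE = re.compile(r"^F2 - REG:system\.ini: UserInit=(?P<value>.*)$", re.I)
SHELLNEXT_RE = re.compile(r"^R1 - .*ShellNext = (?P<url>\S+)", re.I)


def userinit_extras(value):
    """Return every UserInit entry whose file name is not userinit.exe.

    The stock value is a single path to userinit.exe followed by a trailing
    comma; anything else listed there is launched at every logon.
    """
    entries = [e.strip() for e in value.split(",") if e.strip()]
    extras = []
    for entry in entries:
        basename = entry.lower().rsplit("\\", 1)[-1]
        if basename != "userinit.exe":
            extras.append(entry)
    return extras


def triage(log_text):
    """Scan log lines and return (finding_type, detail) tuples in log order."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = USERINIT_RE.match(line)
        if m:
            for extra in userinit_extras(m.group("value")):
                findings.append(("userinit-extra", extra))
            continue
        m = SHELLNEXT_RE.match(line)
        if m and m.group("url").lower().startswith(("http://", "https://")):
            # ShellNext normally holds a local target; a web URL is worth a look.
            findings.append(("shellnext-url", m.group("url")))
    return findings


if __name__ == "__main__":
    for kind, detail in triage(SAMPLE_LOG):
        print(f"{kind}: {detail}")
```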


#3 anadca

anadca
  • Topic Starter

  • Members
  • 5 posts

Posted 30 April 2009 - 12:29 AM

Hello Farbar,

Many, many thanks for taking the time to help me.

I have followed your instructions and the logs for Malwarebytes and HijackThis are below.

Here's what is happening to date (even after the scans):

1. On restart of the computer I got through the blue Welcome screen only to be stopped at the
(no icons) desktop with an error message:

"Data Execution Program: To help protect your computer, Windows has closed USERINIT LOGON
APPLICATION"

I then close the box and the desktop is blank and I cannot do anything except Ctrl/Alt/Del and log off.

Then the WIN LOGON BOX appears amidst a black background.

> "OK" (to log back on) > blank desktop (as above); can't do anything > SHUTDOWN > Safe Mode

> do nothing except wait till a functional safe mode desktop appears with all the icons then Start > SHUTDOWN again.

> START UP in NORMAL WINDOWS mode and everything is back to normal: icons appear and win logon is gone.

Why?

2. www.blackjackballroom.com ad keeps popping up every 20 minutes or so when the computer is functional, even if I am not using a browser.

3. WINDOWS HELP & SUPPORT is still not working. I think something is interfering with helpctr.exe

4. On startup of Windows, "VRTA.tmp" and "F.tmp" (and sometimes "rtv_winup.exe") continually try to access the internet, but Comodo Firewall stops them.

Malwarebytes log:

Malwarebytes' Anti-Malware 1.36
Database version: 2060
Windows 5.1.2600 Service Pack 2

5/1/2009 2:04:34 PM
mbam-log-2009-05-01 (14-04-34).txt

Scan type: Quick Scan
Objects scanned: 78530
Time elapsed: 4 minute(s), 10 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 10

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\UID (Malware.Trace) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
F:\WINDOWS\system32\twain_32 (Backdoor.Bot) -> Quarantined and deleted successfully.

Files Infected:
F:\WINDOWS\system32\twain_32\local.ds (Backdoor.Bot) -> Quarantined and deleted successfully.
F:\WINDOWS\system32\twain_32\user.ds (Backdoor.Bot) -> Quarantined and deleted successfully.
F:\WINDOWS\system32\3.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
F:\WINDOWS\system32\4.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
F:\WINDOWS\system32\5.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
F:\WINDOWS\system32\8.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
F:\WINDOWS\system32\9.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
F:\WINDOWS\system32\A.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
F:\WINDOWS\system32\B.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
F:\WINDOWS\Temp\rtv_winupd.exe (Virus.Sality) -> Quarantined and deleted successfully.

============================================================

HIJACK THIS:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:27:13 PM, on 5/1/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
F:\WINDOWS\system32\csrss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\system32\brsvc01a.exe
F:\WINDOWS\system32\brss01a.exe
F:\WINDOWS\system32\spoolsv.exe
F:\WINDOWS\Explorer.EXE
F:\Program Files\COMODO\SafeSurf\cssurf.exe
D:\Program Files\Comodo\COMODO Internet Security\cfp.exe
D:\Program Files\SUPERAntiSpyware.exe
F:\WINDOWS\system32\ctfmon.exe
D:\Program Files\Comodo\COMODO Internet Security\cmdagent.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\System32\alg.exe
F:\Program Files\Netscape\Navigator 9\navigator.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\pchealth\helpctr\binaries\HelpCtr.exe
F:\WINDOWS\pchealth\helpctr\binaries\HelpCtr.exe
F:\WINDOWS\system32\NOTEPAD.EXE
F:\Program Files\Trend Micro\HijackThis\HijackThis.exe
F:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.blackjackballroom.com/referral....aff_id=aff77451
F2 - REG:system.ini: UserInit=F:\WINDOWS\SYSTEM32\Userinit.exe,F:\WINDOWS\system32\twext.exe,
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - D:\SPYBOT~1\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - F:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O4 - HKLM\..\Run: [COMODO SafeSurf] "F:\Program Files\COMODO\SafeSurf\cssurf.exe" -s
O4 - HKLM\..\Run: [COMODO Internet Security] "D:\Program Files\Comodo\COMODO Internet Security\cfp.exe" -h
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKCU\..\Run: [SUPERAntiSpyware] D:\Program Files\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [ctfmon.exe] F:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - F:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - F:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - F:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - F:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - F:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - F:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O20 - AppInit_DLLs: F:\WINDOWS\system32\guard32.dll F:\WINDOWS\system32\cssdll32.dll
O20 - Winlogon Notify: !SASWinLogon - D:\Program Files\SASWINLO.dll
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - F:\WINDOWS\system32\brsvc01a.exe
O23 - Service: COMODO Internet Security Helper Service (cmdAgent) - Unknown owner - D:\Program Files\Comodo\COMODO Internet Security\cmdagent.exe

--
End of file - 3888 bytes


Thank you, Farbar, for your help,
Anthony.

#4 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,726 posts
  • Gender:Male
  • Location:The Netherlands

Posted 30 April 2009 - 02:53 PM

anadca,

One or more of the identified infections is a backdoor trojan.

A backdoor Trojan can allow an attacker to gain control of the system, log keystrokes, steal passwords, access personal data, send malevolent outgoing traffic, and close the security warning messages displayed by some anti-virus and security programs.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the Operating System. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still try to clean this machine but I can't guarantee that it will be 100% secure afterwards.

Besides the backdoor, you also have a nasty file infector on your computer:

F:\WINDOWS\Temp\rtv_winupd.exe (Virus.Sality) -> Quarantined and deleted successfully.

I'm not sure if we can fight this one. I would rather reformat, but if you want to give it a try I'll go ahead, but we might have to stop at one point if it doesn't prove successful and we might be back to the start again.

Removal Instructions
  • Before we start fixing anything you should print out these instructions or copy them to a NotePad file so they will be accessible. Some steps will require you to disconnect from the Internet or use Safe Mode and you will not have access to this page.

  • Please download DrWeb-CureIt & save it to your desktop. DO NOT perform a scan yet.

    Reboot your computer in "SAFE MODE" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

  • Please open HijackThis and choose "Do a system scan only". Check the boxes next to ONLY the entries listed below (if present):

    F2 - REG:system.ini: UserInit=F:\WINDOWS\SYSTEM32\Userinit.exe,F:\WINDOWS\system32\twext.exe,
    O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u


    Now close all windows other than HiJackThis, including browsers, so that nothing other than HijackThis is open, then click Fix Checked. A box will pop up asking you if you wish to fix the selected items. Please choose YES. Once it has fixed them, please exit/close HijackThis.

  • Scan with DrWeb-CureIt as follows:
    • Double-click on drweb-cureit.exe to start the program. An "Express Scan of your PC" notice will appear.
    • Under "Start the Express Scan Now", Click "OK" to start. This is a short scan that will scan the files currently running in memory and when something is found, click the Yes button when it asks you if you want to cure it.
    • Once the short scan has finished, Click Options > Change settings
    • Choose the "Scan tab" and UNcheck "Heuristic analysis"
    • Back at the main window, click "Custom Scan", then Select drives (a red dot will show which drives have been chosen).
    • Then click the "Start/Stop Scanning" button (green arrow on the right) and the scan will start.
    • When done, a message will be displayed at the bottom advising if any viruses were found.
    • Click "Yes to all" if it asks if you want to cure/move the file.
    • When the scan has finished, look if you can see the icon next to the files found. If so, click it, then click the next icon right below and select "Move incurable".
      (This will move it to the C:\Documents and Settings\userprofile\DoctorWeb\Quarantine folder if it can't be cured)
    • Next, in the Dr.Web CureIt menu on top, click file and choose save report list.
    • Save the DrWeb.csv report to your desktop.
    • Exit Dr.Web Cureit when done.
    • Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
    • After reboot, post the contents of the log from Dr.Web in your next reply. (You can use Notepad to open the DrWeb.csv report.)
  • Please download SDFix by AndyManchesta and save it to your desktop.
    When using this tool, you must use the Administrator's account or an account with "Administrative rights"
    • Double click SDFix.exe and it will extract the files to %systemdrive% (this is the drive that contains the Windows Directory, typically C:\SDFix).
    • DO NOT use it just yet.
    Reboot your computer in Safe Mode using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

    Open the SDFix folder and double click RunThis.bat to start the script.
    • Type Y to begin the cleanup process.
    • It will remove any Trojan Services or Registry Entries found then prompt you to press any key to Reboot.
    • Press any Key and it will restart the PC.
    • When the PC restarts, the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
    • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt.
    • Copy and paste the contents of the results file Report.txt in your next reply.
  • Please copy and paste a fresh Hijackthis log to your reply.
Please include in your next reply:
  • The scan log of DrWeb.
  • The SDFix log.
  • A fresh Hijackthis log.
  • Any comment or feedback about how it went.


#5 anadca

anadca
  • Topic Starter

  • Members
  • 5 posts

Posted 01 May 2009 - 04:53 PM

Hello Farbar,

It's taking a bit more time to do a complete scan with Dr Web so I apologise that I am late in replying,
but all you requested will be posted once I have had the time to complete the tasks.

So far, Dr Web CureIt! scans have revealed the following infections:

- Win32.Virut56

- Infected objects: WinVnc

- Win32.HLLW.MyBot

More details will be posted when completed.

I am happy to keep going until we can possibly clean it (because, in this way,
I can learn more about how to keep it clean in the future, should it recur),
but I am also happy to do a complete re-format of the drive if we cannot clean it.

Is there any way to prevent these viruses from entering the system once a fresh install has been completed?

In other words, which anti-virus and firewall stops this from ever occurring again?

Kind Regards,
Anthony.

#6 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,726 posts
  • Gender:Male
  • Location:The Netherlands

Posted 02 May 2009 - 02:18 AM

    "So far, Dr Web CureIt! scans have revealed the following infections:

    - Win32.Virut56"

Hi Anthony,

I'm afraid I've got bad news.

We had the nasty Sality before and now I see your system is infected with one of the nastiest file infectors:

Virut is a polymorphic file infector with some additional features. It spreads all around the drive and infects even files infected by another virus previously. The only symptoms are a strange HDD activity while infecting, and also unwanted TCP traffic. Virut tries to connect you into an IRC network under the user name "Virtu" and zombify you. Unfortunately, the cleaning of this virus is very difficult or almost impossible.

http://www.ca.com/us/securityadvisor/virus...s.aspx?id=55141

The virus remains resident in memory and infects executable files with ".EXE" and ".SCR" file extensions.


Its damage to the system is almost beyond repair, as it disables Windows File Protection:

The virus disables Windows File Protection by injecting code into the "winlogon.exe" process that patches system code in memory.


http://www.ca.com/us/securityadvisor/virus...s.aspx?id=55141

Therefore all those running processes are most probably now the virus agent.

There is a claim by Grisoft that the following tool can remove the infection:

http://www.softpedia.com/get/Antivirus/Win...t-Remover.shtml

This claim is hard to believe. Not only are almost all the running processes infected, but their copies in the i386 folder and in the dll cache are patched as well.

Therefore the only fast and safe answer to the virus is reformatting and reinstalling Windows. You may back up non-executable (data) files and reformat the entire hard drive.

If you have any initial questions about reformatting I'll be glad to answer them.

#7 anadca

anadca
  • Topic Starter

  • Members
  • 5 posts

Posted 03 May 2009 - 11:32 PM

Hello Farbar,

Thank you for ALL your help to date.

I have decided to reformat the whole drive as you suggested.

I would like to know, please, what steps I need to take to prevent a recurrence of this problem.

Which Firewall (free or commercial) will prevent the recurrence of Win32.Virut.56?

I FOUND THAT AFTER MANY FRESH INSTALLS OF WINDOWS & RE-FORMATS OF THE DRIVE (PRIOR TO CONTACTING YOU),
I WAS RE-INFECTING THE COMPUTER BECAUSE THE VIRUSES (ESPECIALLY WIN32.VIRUT.56) HAD COPIED
THEMSELVES ONTO EVERY SINGLE DRIVE (REMOVABLE OR IN-SITU.)

THEREFORE, I USED 'DR WEB' TO 'CURE' ALL THE FLASH/THUMB DRIVES AND REMOVABLE HARD DRIVES AND
SO FAR, SO GOOD.

I AM CONSIDERING BUYING THE FULL 'DR WEB' PACKAGE BECAUSE IT WAS THE ONLY ONE THAT HAS EFFECTIVELY
HELPED ME, SO FAR, APART FROM YOURSELF.

In the end, DR WEB found and 'cured' (or deleted) the following viruses on the various removable drives:

- Win32.Virut.56

- Win32.HLLW.MyBot

- Win32.HLLW.Autorunner.2132

- Win32.HLLW.Gavir.ini

- Backdoor.IRC.Sdbot3508

- Trojan.Reboot.40985

- Tool Prockill

- Trojan.Copyself

- Tool.DialupPass

- Trojan.Download.31348

- Trojan.Muldrop.4181

- Tool RemoveWGA

- Backdoor.Tdss.119

Re-scans with Dr Web revealed their absence.

I await your further advice on which anti-virus/firewall software I should use to prevent the recurrence
of this problem after re-formatting.

Kindest Regards,
Anthony.

#8 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,726 posts
  • Gender:Male
  • Location:The Netherlands

Posted 04 May 2009 - 03:02 AM

Hi anadca,

Let's give you a few tips about getting rid of this nasty virus.
To begin with, there is no remedy for Virut other than reformatting. The absence of it on the DrWeb log doesn't mean the computer is clean.
The first step is to back up non-executable data, so no file with a com, exe, scr or dll extension should be backed up.
Reformat all partitions, drives, and external media like flash drives.
Install Windows, make sure the Windows firewall is on (it is on by default), update Windows and IE, then install antivirus and firewall.
Among the paid anti-viruses, Kaspersky, Eset NOD32 and BitDefender are doing well at the moment. The Internet Security or Total Security versions of them also have a good firewall.
Besides, you need a couple of anti-spyware/anti-malware programs. Malwarebytes' Anti-Malware and Spybot Search & Destroy are good to have on the computer. They need not be started with Windows.
I recommend using Site Advisor for safe surfing. It is a free extension both for Internet Explorer and Firefox. When you search a site it gives you an indication of how safe a site is.
I recommend installing this application for safe surfing: Javacools SpywareBlaster
SpywareBlaster will add a large list of programs and sites into your Internet Explorer and Firefox settings and that will protect you from running and downloading known malicious programs. Update it manually (if you use the free version) once in 2-3 weeks and enable the restriction.
And one important thing: if you have a router you should reset it and protect it with a strong password. If you do all those things but your router is hijacked, the infection comes back again.
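As an added example (not part of Farbar's post or any of the tools named in the thread), a PowerShell script for the selective backup step above: it copies a profile folder with robocopy while excluding the com, exe, scr and dll extensions Farbar lists, then checks that nothing with those extensions reached the destination. The source and destination paths are assumptions; robocopy is built into Windows from Vista onward and was a Resource Kit download on XP.

```powershell
# Added example, not from the thread. Adjust the two paths to your own system.
$Source      = 'C:\Documents and Settings\userprofile'   # assumption: profile to back up
$Destination = 'E:\Backup\userprofile'                   # assumption: freshly formatted external drive

# Patterns that must NOT be backed up (Virut infects .exe and .scr; .com and .dll are excluded too).
$ExcludeExt = @('*.exe', '*.com', '*.scr', '*.dll')

# /E   copy subfolders including empty ones
# /XJ  skip junction points (avoids loops through linked folders)
# /XF  exclude files matching these patterns
# /R:1 /W:1  retry once, wait one second, so locked files do not stall the run
# /LOG write a record of what was copied and skipped
New-Item -ItemType Directory -Path $Destination -Force | Out-Null
$log = Join-Path $Destination 'backup-robocopy.log'
robocopy $Source $Destination /E /XJ /XF $ExcludeExt /R:1 /W:1 /NP /LOG:$log

# robocopy exit codes 0-7 mean success or partial success; 8 and above mean failures.
if ($LASTEXITCODE -ge 8) {
    Write-Warning "robocopy reported errors (exit code $LASTEXITCODE); see $log"
}

# Verification pass: no file with an excluded extension should be in the backup.
# -Force includes hidden and system files, attributes malware often sets on dropped copies.
# Written for PowerShell 2.0 (no -File switch, no -in operator) so it runs on XP as well.
$blocked = '.exe', '.com', '.scr', '.dll'
$leaked = Get-ChildItem -Path $Destination -Recurse -Force |
    Where-Object { -not $_.PSIsContainer -and ($blocked -contains $_.Extension.ToLower()) }

if ($leaked) {
    Write-Warning "Executable files found in the backup; remove them before restoring:"
    $leaked | ForEach-Object { Write-Warning "  $($_.FullName)" }
} else {
    Write-Host "Backup complete: no executable files were copied to $Destination"
}
```

Run it from the account that owns the profile before reformatting; the log and the verification output tell you exactly what was left behind.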

#9 anadca

anadca
  • Topic Starter

  • Members
  • 5 posts

Posted 04 May 2009 - 06:55 AM

Hello Farbar,

I have now put a password on my wireless router and
I will read through your advice as I start from scratch.

Take Care and
Thank you for your all your help,
Anthony.

#10 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,726 posts
  • Gender:Male
  • Location:The Netherlands

Posted 04 May 2009 - 07:08 AM

If the router settings have been changed, putting a password on it is not sufficient. It should be reset.
  • Consult this link to find out what the default password of your router is and how you can connect to the internet after resetting the router to its factory default. You can print out the instructions for later reference: Router Passwords

  • Then reset your router to its factory default settings:

    "If your machine has been infected by one of these Zlob/DNSchanger Trojans, and your router settings have been altered, I would strongly recommend that you reset the router to its default configuration. Usually, this can be done by inserting something tiny like a paper clip end or pencil tip into a small hole labeled "reset" located on the back of the router. Press and hold down the small button inside until the lights on the front of the router blink off and then on again (usually about 10 seconds)"


  • Now follow the steps you have already figured out in step 1 to use the default password, get connected and then set a strong password.

  • Configure the router to allow you to connect to your ISP server. In some routers it is done by a setup wizard.


#11 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,726 posts
  • Gender:Male
  • Location:The Netherlands

Posted 09 May 2009 - 07:11 AM

This thread will now be closed.

If you should have a new issue, please start a new topic.
