Lost control of Vista and Internet


  • This topic is locked
13 replies to this topic

#1 ladrouk

ladrouk

  • Members
  • 21 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Hullbridge, England
  • Local time:12:37 PM

Posted 21 May 2009 - 02:08 AM

I have what seems to be a major infection on my computer, the symptoms are:

1. Windows Explorer: unable to access any file or folder, they are shown in windows explorer but when you try to open or access them explorer switches back to the main my computer screen.

2. Outlook: mail will download but all attachments are unable to be opened or moved, when the first mail is opened it will automatically open all the email shown above that one in the same window until it reaches the top of the list, it will then revert back to Outlook's main screen.

3. Internet Explorer: home page is Google, computer automatically shows a black diamond in the search box and the address bar, these are added at a faster and faster rate as you try to use it. The web can be accessed by using a direct link in a program but if you try to move away from that page it will open briefly then return straight back to the original page, this action gets faster as well.

4. Firefox: does exactly the same as IE7 above.

5. Windows Update: update window will load and the see details screen will open, but as soon as you attempt to select anything it will return to the main update screen and not allow any downloads.

In an attempt to fix this I have run the latest levels of the following:

Malwarebyte (normally run regularly)
ATF Cleaner
Paretoantivirus
Smitfraudfix (1 and 2)
Vundofix (nothing found)
Superantispyware
AVG 8
Kaspersky
Spysweeper
Windows Defender

All the above found nothing on any disk. Kaspersky did report that Firefox had over 500 open connections to the Internet at one point so I have physically disconnected the computer from the router.

I am running Windows Vista Ultimate (fully patched) and Office 2007 (fully patched).

Can somebody try to help me to sort this mess out please, it has got way beyond my capabilities. Thank you.



#2 xblindx

xblindx

  • Banned
  • 1,923 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:07:37 AM

Posted 21 May 2009 - 06:52 AM

Please download DrWeb-CureIt and save it to your desktop. DO NOT perform a scan yet.

Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Scan with Dr.Web CureIt as follows:
  • Double-click on drweb-cureit.exe to start the program.
  • Cancel any prompts to download the latest CureIt version and click Start.
  • At the prompt to "Start scan now", click Ok. Allow the setup.exe/driver to load if asked by any of your security programs.
  • The Express scan will automatically begin.
    (This is a short scan of files currently running in memory, boot sectors, and targeted folders).
  • If an infected object is found, you will be prompted to move anything that cannot be cured. Click Yes to All.
  • When complete, click Select All, then choose Cure > Move incurable.
    (This will move any detected files to the C:\Documents and Settings\userprofile\DoctorWeb\Quarantine folder if they can't be cured)
  • Now put a check next to Complete scan to scan all local disks and removable media.
  • In the top menu, click Settings > Change settings, and UNcheck "Heuristic analysis" under the "Scanning" tab, then click Ok.
  • Back at the main window, click the green arrow "Start Scanning" button on the right under the Dr.Web logo.
  • When the scan is complete, a message will be displayed at the bottom indicating if any viruses were found.
  • Click "Yes to all" if asked to cure or move the file(s) and select "Move incurable".
  • In the top menu, click file and choose save report list.
  • Save the DrWeb.csv report to your desktop.
  • Exit Dr.Web Cureit when done.
  • Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web in your next reply. (You can use Notepad to open the DrWeb.csv report)


#3 ladrouk

ladrouk
  • Topic Starter

  • Members
  • 21 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Hullbridge, England
  • Local time:12:37 PM

Posted 21 May 2009 - 12:12 PM

Ok ran DRweb Cureit as instructed everything went fine until I clicked on save report, I got an instant blue screen stating BAD_POOL_HEADER then system crash.
Windows recovered from an unexpected error states:
Problem event name. Bluescreen
OS Version. 6.0.6001.2.1.0.256.1
Locale ID. 2057
Additional information about the problem:
BCCode: 19
BCP1: 00000021
BCP2: BC000000
BCP3: 00049930
BCP4: 00000000
OS Version: 6_0_6001
Service Pack: 1_0
Product: 256_1

I am unable to retrieve the minidump record due to the ongoing problem.

I will try and run the scan again; it takes about 4 hours due to the number of files.

#4 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,281 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:07:37 AM

Posted 21 May 2009 - 02:03 PM

Try doing your scan in normal mode if it keeps crashing with a blue screen.

The speed of an anti-virus or anti-malware scan depends on a variety of factors.
  • The program itself and how its scanning engine is designed to scan: using a signature database vs heuristic scanning for suspicious behavior or a combination of both.
  • Options to scan for spyware, adware, riskware and potentially unwanted or unsafe programs (PUPs).
  • Options to scan memory, boot sectors, registry and alternate data streams (ADS).
  • Type of scan performed: Deep, Quick or Custom scanning.
  • What action has to be performed when malware is detected.
  • A computer's hard drive size.
  • Disk used capacity (number of files to include temporary files) that have to be scanned.
  • Types of files (.exe, .dll, .sys, .cab, archived, compressed, packed, email, etc) that are scanned.
  • Whether external drives are included in the scan.
  • Competition for and utilization of system resources by the scanner.
  • Other running processes and programs in the background.
  • Interference from malware.
  • Interference from the user.
To speed up your scans, uninstall unnecessary programs, clean out the temporary files or use ATF Cleaner first, close all open programs and do not use the computer during the scan.

Note: It is not unusual for an anti-virus or anti-malware scanner to be suspicious of some compressed, archived, .cab and packed files because they have difficulty reading what is inside them. These kinds of files often trigger alerts by security software using heuristic detection because they are resistant to scanning (difficult to read). This resistance may also cause some scanners to stall (hang) on these particular types of files.
.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#5 ladrouk

ladrouk
  • Topic Starter

  • Members
  • 21 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Hullbridge, England
  • Local time:12:37 PM

Posted 22 May 2009 - 02:54 AM

Ok tried to run Drweb Cureit in safe mode again and got exactly the same result as the first attempt, I will now run it in normal mode with as many programs terminated as possible
I'll post the log here as soon as I can, assuming I can get it off the computer.

#6 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,281 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:07:37 AM

Posted 22 May 2009 - 06:26 AM

Ok.

If you can't find the log, try to write down what was detected/removed and provide that information.

#7 ladrouk

ladrouk
  • Topic Starter

  • Members
  • 21 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Hullbridge, England
  • Local time:12:37 PM

Posted 22 May 2009 - 10:57 AM

At last managed to run DWeb Cureit in normal mode and save the report.

New problem now though, I can not select, attach or paste anything into Outlook, I have managed to drag the report to a stick and am now using my daughter's laptop to connect to the site.

Report pasted below.

folder-lock-ful0.exe\data016;C:\Documents and Settings\John\DoctorWeb\Quarantine\folder-lock-ful0.exe;Joke.Puncher;;
folder-lock-ful0.exe;C:\Documents and Settings\John\DoctorWeb\Quarantine;Archive contains infected objects;Moved.;
folder-lock-ful1.exe\data016;C:\Documents and Settings\John\DoctorWeb\Quarantine\folder-lock-ful1.exe;Joke.Puncher;;
folder-lock-ful1.exe;C:\Documents and Settings\John\DoctorWeb\Quarantine;Archive contains infected objects;Moved.;
Process.exe;C:\Documents and Settings\John\DoctorWeb\Quarantine;Tool.Prockill;Incurable.Moved.;
Relax in Stress Game.exe;C:\Documents and Settings\John\DoctorWeb\Quarantine;Joke.Puncher;Incurable.Moved.;
restart.exe;C:\Documents and Settings\John\DoctorWeb\Quarantine;Tool.ShutDown.14;Incurable.Moved.;
SmitfraudFi0.exe\SmitfraudFix\Process.exe;C:\Documents and Settings\John\DoctorWeb\Quarantine\SmitfraudFi0.exe;Tool.Prockill;;
SmitfraudFi0.exe\SmitfraudFix\restart.exe;C:\Documents and Settings\John\DoctorWeb\Quarantine\SmitfraudFi0.exe;Tool.ShutDown.14;;
SmitfraudFi0.exe;C:\Documents and Settings\John\DoctorWeb\Quarantine;Archive contains infected objects;Moved.;
SmitfraudFi2.exe\SmitfraudFix\Process.exe;C:\Documents and Settings\John\DoctorWeb\Quarantine\SmitfraudFi2.exe;Tool.Prockill;;
SmitfraudFi2.exe\SmitfraudFix\restart.exe;C:\Documents and Settings\John\DoctorWeb\Quarantine\SmitfraudFi2.exe;Tool.ShutDown.14;;
SmitfraudFi2.exe;C:\Documents and Settings\John\DoctorWeb\Quarantine;Archive contains infected objects;Moved.;


Hope this will give some ideas

Thank you in advance
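
An added example (not part of the original posts and not Dr.Web's own tooling): a small parser for the semicolon-separated report pasted above, which groups named detections by the prefix before the first dot and lists archive wrappers separately. The column meanings, and treating that prefix as a detection class, are assumptions inferred from the pasted lines.

```python
from collections import defaultdict

# Eight lines copied from the report pasted above, embedded so the example runs offline.
REPORT = r"""folder-lock-ful0.exe\data016;C:\Documents and Settings\John\DoctorWeb\Quarantine\folder-lock-ful0.exe;Joke.Puncher;;
folder-lock-ful0.exe;C:\Documents and Settings\John\DoctorWeb\Quarantine;Archive contains infected objects;Moved.;
Process.exe;C:\Documents and Settings\John\DoctorWeb\Quarantine;Tool.Prockill;Incurable.Moved.;
Relax in Stress Game.exe;C:\Documents and Settings\John\DoctorWeb\Quarantine;Joke.Puncher;Incurable.Moved.;
restart.exe;C:\Documents and Settings\John\DoctorWeb\Quarantine;Tool.ShutDown.14;Incurable.Moved.;
SmitfraudFi0.exe\SmitfraudFix\Process.exe;C:\Documents and Settings\John\DoctorWeb\Quarantine\SmitfraudFi0.exe;Tool.Prockill;;
SmitfraudFi0.exe\SmitfraudFix\restart.exe;C:\Documents and Settings\John\DoctorWeb\Quarantine\SmitfraudFi0.exe;Tool.ShutDown.14;;
SmitfraudFi0.exe;C:\Documents and Settings\John\DoctorWeb\Quarantine;Archive contains infected objects;Moved.;
"""

# Verdict text the report uses for a wrapper file rather than for a named detection.
CONTAINER_VERDICT = "Archive contains infected objects"


def parse_report(text):
    """Parse 'object;location;verdict;action;' lines (layout inferred from the post)."""
    rows = []
    for line in text.splitlines():
        fields = [f.strip() for f in line.split(";")]
        if len(fields) < 4 or not fields[0]:
            continue  # blank or truncated line
        rows.append(dict(zip(("object", "location", "verdict", "action"), fields)))
    return rows


def summarize(rows):
    """Return ({class: sorted (verdict, file name) pairs}, [container names])."""
    by_class, containers = defaultdict(set), []
    for row in rows:
        if row["verdict"] == CONTAINER_VERDICT:
            containers.append(row["object"])
        else:
            cls = row["verdict"].split(".", 1)[0]  # "Tool.ShutDown.14" -> "Tool"
            # Keep only the innermost file name so archive members and loose copies merge.
            by_class[cls].add((row["verdict"], row["object"].split("\\")[-1]))
    return {c: sorted(v) for c, v in by_class.items()}, containers


def needs_followup(rows, reviewed_classes):
    """Named detections whose class is not in the set the analyst has already reviewed."""
    return [r for r in rows
            if r["verdict"] != CONTAINER_VERDICT
            and r["verdict"].split(".", 1)[0] not in reviewed_classes]


if __name__ == "__main__":
    classes, containers = summarize(parse_report(REPORT))
    for cls, hits in classes.items():
        print(cls, hits)
    print("containers:", containers)
```

On these lines the only classes present are Joke and Tool, and both Tool entries are the Process.exe and restart.exe files that also appear inside the SmitfraudFix archive rows.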

#8 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,281 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:07:37 AM

Posted 22 May 2009 - 03:56 PM

Is the Outlook issue the only one left?

#9 ladrouk

ladrouk
  • Topic Starter

  • Members
  • 21 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Hullbridge, England
  • Local time:12:37 PM

Posted 23 May 2009 - 05:23 AM

Hi Quietman7,

thanks for the advice so far.

Running Drweb has made no difference whatsoever, in fact things are now even worse.

Outlook now downloads ok but crashes when you try to open an email, IE7 will not run, Windows puts up a 'DATA PROTECTION ERROR' suspicious activity in memory.

I have run a scan using AVAST and it tells me that lots of folders in windows and other hard drives are now password protected and cannot be scanned.

I am truly in the deep stuff here it would appear!!

#10 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,281 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:07:37 AM

Posted 23 May 2009 - 07:20 AM

From what you describe, it appears to be an issue with Outlook and not malware so you may want to start a new topic in the Software forum.

#11 ladrouk

ladrouk
  • Topic Starter

  • Members
  • 21 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Hullbridge, England
  • Local time:12:37 PM

Posted 25 May 2009 - 12:37 PM

I have tried to do a repair of Vista with the original dvd and windows states there are no operating file problems, SFC scanner also states no file concerns.

As it is not just Outlook that has problems, I am beginning to wonder if this could be a hijack attempt or similar, I still can not open any folder or file via Windows Explorer, every attempt to click on a folder just returns the screen to My Computer, all folders on separate drives act the same way.
IE7 will not run due to the suspicious memory activity and Firefox just keeps returning to the Google home screen after opening the new address, any attempt to type in an address is stopped by the automatic addition of the black diamonds into the address.

I have re-run malwarebytes, DrWeb, Superantispyware etc. etc. and all report no trojans, viruses etc.

What do you think?

#12 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,281 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:07:37 AM

Posted 25 May 2009 - 01:13 PM

This issue will require further investigation. Before that can be done you will need to create and post a DDS/HijackThis log.

Please read the pinned topic titled "Preparation Guide For Use Before Posting A Hijackthis Log". If you cannot complete a step, then skip it and continue with the next. In Step 6 there are instructions for downloading and running DDS which will create a Pseudo HJT Report as part of its log.

When you have done that, post your log in the HijackThis Logs and Malware Removal forum, NOT here, for assistance by the HJT Team Experts. A member of the Team will walk you through, step by step, on how to clean your computer. If you post your log back in this thread, the response from the HJT Team will be delayed because your post will have to be moved. This means it will fall in line behind any others posted that same day.

Start a new topic, give it a relevant title and post your log along with a brief description of your problem, a summary of any anti-malware tools you have used and a summary of any steps that you have performed on your own. An expert will analyze your log and reply with instructions advising you what to fix. After doing this, we would appreciate if you post a link to your log back here so we know that you're getting help from the HJT Team.

Please be patient. It may take a while to get a response because the HJT Team members are very busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT "bump" your post or make another reply until it has been responded to by a member of the HJT Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work may assume another HJT Team member is already assisting you and not open the thread to respond.

#13 ladrouk

ladrouk
  • Topic Starter

  • Members
  • 21 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Hullbridge, England
  • Local time:12:37 PM

Posted 26 May 2009 - 08:48 AM

Thanks for all your help Quietman7, as requested I have opened a new topic in the hijack forum and linked back to here.

Hijack topic link is here Hijack topic link

#14 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,281 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:07:37 AM

Posted 26 May 2009 - 08:57 AM

Now that your log is posted, you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc) unless advised by a HJT Team member, nor should you continue to ask for help elsewhere. Doing so can result in system changes which may not show in the log you already posted. Further, any modifications you make on your own may cause confusion for the member assisting you and could complicate the malware removal process which would extend the time it takes to clean your computer.

From this point on the HJT Team should be the only members that you take advice from, until they have verified your log as clean.

To avoid confusion, I am closing this topic until you are cleared by the HJT Team. If you still need assistance after your log has been reviewed and you have been cleared, please PM me or another moderator and we will re-open this topic.

Good luck with your log.



