
Possible Malware, Norton will not scan [Moved]



#1 Professor_7


Posted 04 June 2009 - 06:45 AM

Hi, I'm Brandon, and I recently removed some malware from my laptop, but some problems still persist. It all started with Norton 360 no longer scanning; it just sits there saying checking, but no files ever get scanned. After this, I decided to download Malwarebytes Anti-Malware, and I tried running this, but it would not run. By this time the infection was redirecting my internet browsing to various other sites, some advertising, some other search engines. I thought that the virus may be blocking many known antivirus scans, so I renamed the exe file for Malwarebytes Anti-Malware, and it worked. It removed something, and the internet browsing is fine now.
Still, Norton will not scan. Also, throughout all this, and still now, on startup, it displays something along the lines of 'waiting for PXE', and if I have my internet cable plugged in (cable from the router to my computer), it pauses for a while, and then says 'boot file not received, exiting PXE rom'. I did some research, and found that this was a network boot protocol, but I NEVER even entered BIOS setup, let alone set it up to attempt to boot from the network. Also, 50% or so of the time, during startup (the screen that has the green bar scrolling across the bottom), it randomly freezes, although, maybe by coincidence, I have found that most of the time, having the network cable unplugged until it has finished loading and starting up will fix this.....

Oh, and Norton will do everything except a registry check and the scan. It attempts to do a reg scan, but comes up with an error saying it failed because it was unable to create a restore point.

I am about to start exams, and I have no backup of my system, so, if you require me to run anything (I'm assuming HijackThis and ComboFix), I would like to know how long it will probably take, and what things MAY go wrong...

Thanks in advance.

PS. I have attached a dxdiag.txt just in case you want to know my system specs etc.

Removed dxdiag.txt attachment as most information not necessary at this point and to allow room for other attachments later if they are needed. I have copied the only really necessary information from that log below. ~ OB

From the log:

Operating System: Windows Vista™ Ultimate (6.0, Build 6001) Service Pack 1 (6001.vistasp1_gdr.090302-1506)

Edited by Orange Blossom, 04 June 2009 - 07:03 PM.



 


#2 Orange Blossom


Posted 04 June 2009 - 07:05 PM

Hello Professor_7,

I am shifting this topic from the HiJack This forum to the Am I Infected forum as you haven't posted the kinds of logs restricted to the HiJack This log forum.

==>PLEASE DO NOT NOW POST LOGS<== unless a log is specifically requested.

It is impossible to say how long disinfecting your system may take, and without knowing the type of infection you have, we cannot say what potential effects that disinfection will have. Please wait for instructions from one of our first responders.

Orange Blossom
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript

#3 garmanma


Posted 05 June 2009 - 08:19 PM

Welcome to BC

If Malwarebytes won't install or run

Some types of malware will disable MBAM and other security tools. If MBAM will not install, try renaming it. Right-click on the mbam-setup.exe file and change the .exe extension to .bat, .com, .pif, or .scr and then double-click on it to run.

If after installation, MBAM will not run, open the Malwarebytes' Anti-Malware folder in Program Files, right-click on mbam.exe and change the .exe as noted above. Then double-click on it to run.
Mark
why won't my laptop work?

Having grandkids is God's way of giving you a 2nd chance because you were too busy working your butt off the 1st time around
Do not send me PMs with problems that should be posted in the forums. Keep it in the forums, so everyone benefits
Become a BleepingComputer fan: Facebook and Twitter

#4 Professor_7


Posted 08 June 2009 - 12:34 AM

Sorry if I was not clear on what I had done, but I did explain in my original post that I had renamed the exe file and that made it work. I included this information because I thought it may help identify the problem.

As for not knowing how long it will take due to not knowing the infection, are there any tests that will not take long, and identify the infection?

I have more symptoms if you need to know, but I will leave them out until they are asked for, so I don't waste anyone's time.

EDIT:
I will list basic descriptions of all strange behaviour, regardless of how irrelevant it may seem to me... maybe you can make sense of it:
  • the first screen when I turn my laptop on says something mentioning PXE rom, and will always try to get a boot file via the network cable I have, but never succeeds in receiving any files
  • sometimes, when it is at the screen where it is loading drivers (with the green light scrolling across the bottom), as soon as my mouse lights up, the light stops scrolling, and it all just stops. Holding down the power button is the only way to turn it off from this point, and then I try again until it works.
  • Norton 360 is taking up 50% CPU according to Task Manager
  • Norton 360 is taking up 101% CPU according to Security Task Manager (I hope Security Task Manager is safe)
  • whenever I try a Norton scan, it just sits there and says 'checking', and no files get scanned
  • when I scan the registry with Norton, it says it failed because it was unable to create a restore point
  • right-clicking and going scan with Malwarebytes Anti-Malware does nothing, it does not launch
  • I can get Malwarebytes to run if I rename the exe file
  • I was previously getting redirected when browsing on the web, but a successful Malwarebytes scan removed a trojan and now I can browse without any problems
  • Most of the time whenever I do anything, like open a browsing page, or run some programs, an alert comes up saying "Norton 360 is processing threats", although I have no idea what this means, as it is not scanning, or anything

Edited by Professor_7, 08 June 2009 - 12:49 AM.


#5 garmanma


Posted 08 June 2009 - 05:48 PM

There seem to be quite a few topics mentioning the error "Norton 360 is processing threats". Perhaps you might want to have a look there:
http://community.norton.com/norton/
Mark

#6 Professor_7


Posted 09 June 2009 - 03:54 AM

I just did a scan with GMER (it scans for rootkit activity) and it found 2 things (highlighted in red) and I noticed they both started with "gxvxc". Looking at the log file it created, I noticed that my registry is loaded with "gxvxcserv", and I have previously manually removed "C:\windows\system32\gxvxccounter" but it always comes back...

Hope this helps, I can attach the log file if needed, but will not do so until asked for (as advised above)

#7 garmanma


Posted 09 June 2009 - 08:39 PM

I'm afraid that these are your best two options:



Two options left-Post a HJT log or re-install

If you want to give removal of the infection a try, please read the pinned topic titled "Preparation Guide For Use Before Posting A Hijackthis Log". If you cannot complete a step, then skip it and continue with the next. In Step 6 there are instructions for downloading and running DDS which will create a Pseudo HJT Report as part of its log.

When you have done that, post your log in the HijackThis Logs and Malware Removal forum, NOT here, for assistance by the HJT Team Experts. A member of the Team will walk you through, step by step, on how to clean your computer. If you post your log back in this thread, the response from the HJT Team will be delayed because your post will have to be moved. This means it will fall in line behind any others posted that same day.

====================================

Option 2
Some types of malware can result in a system so badly damaged that a Repair Install will NOT help! Reinstalling Windows without first wiping the entire hard drive with a repartition and/or format will not remove the infection. The reinstall will only overwrite the Windows files. Any malware on the system will still be there afterwards. Starting over by wiping your drive, reformatting, and performing a clean install of the OS or doing a factory restore removes everything and is the safest action.

In case you need help with this, please review:

These links include step-by-step instructions with screenshots:

Reformatting a hard disk deletes all data. If you decide to reformat, you can back up all your important documents, personal data files and photos. The safest practice is not to back up any executable files (*.exe), screensavers (*.scr) or autorun (.ini) files because they may be infected by malware appending itself to the executable. Some types of malware may even disguise themselves by adding and hiding their extension to the existing extension of files, so be sure you look closely at the full file name. After reformatting, as a precaution, make sure you scan these files with your anti-virus prior to copying them back to your hard drive.

Note: If you're using an IBM, HP, Compaq or Dell machine, you may not have an original XP CD Disk. By policy Microsoft no longer allows OEM manufacturers to include the original Windows XP CD-ROM on computers sold with Windows preinstalled. Instead, most computers manufactured and sold by OEM vendors come with a vendor-specific Recovery Disk or Recovery Partition for performing a clean "factory restore" that will reformat your hard drive, remove all data and restore the computer to the state it was in when you first purchased it.

If you need additional assistance with reformatting, you can start a new topic in the Windows XP Home and Professional forum.

Good luck
Mark
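
The backup precautions in post #7, as an added example that is not part of the original thread: a name-based triage that leaves behind the runnable extensions named in posts #3 and #7 and flags a runnable extension stacked on a data one. The function names, the `DATA_LIKE` list, the sample file names, and matching any file named `autorun` regardless of extension are assumptions of this sketch.

```python
import os
import tempfile
from pathlib import PurePath

# Extensions the thread names as directly runnable (posts #3 and #7).
RUNNABLE = {".exe", ".scr", ".bat", ".com", ".pif"}
# Assumption: extensions a user expects on personal data; extend as needed.
DATA_LIKE = {".jpg", ".png", ".doc", ".pdf", ".txt", ".mp3", ".avi"}

def classify(filename):
    """Return (verdict, reason) for one file name; only the name is inspected."""
    # Windows ignores trailing dots and spaces in a file name, so strip them first.
    name = PurePath(filename.rstrip(". ")).name.lower()
    suffixes = PurePath(name).suffixes
    last = suffixes[-1] if suffixes else ""
    if name.split(".")[0] == "autorun":
        return "skip", "autorun file"
    if last in RUNNABLE:
        if any(s in DATA_LIKE for s in suffixes[:-1]):
            return "skip", "runnable file disguised with a data extension"
        return "skip", "runnable file"
    return "copy", "data file, scan before restoring"

def triage_for_backup(root):
    """Walk root and split relative paths into files to copy and files to leave behind."""
    plan = {"copy": [], "skip": []}
    for folder, _dirs, files in os.walk(root):
        for f in sorted(files):
            verdict, reason = classify(f)
            rel = os.path.relpath(os.path.join(folder, f), root)
            plan[verdict].append((rel, reason))
    return plan

def demo():
    """Triage a constructed sample tree (file names invented for illustration)."""
    names = ["thesis.doc", "holiday.jpg.exe", "setup.exe",
             "autorun.ini", "notes.txt", "clock.scr"]
    with tempfile.TemporaryDirectory() as root:
        for n in names:
            open(os.path.join(root, n), "w").close()
        return triage_for_backup(root)

if __name__ == "__main__":
    for verdict, items in demo().items():
        for rel, reason in items:
            print(f"{verdict:5} {rel:20} {reason}")
```

A "copy" verdict only means the name looks like data; the files still need the anti-virus scan the post calls for before they go back on the rebuilt system.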

#8 Professor_7


Posted 11 June 2009 - 10:55 AM

I know what the initial infection is, and it is still there. It is the DNSchanger trojan, that I would have downloaded when I attempted to install a video codec. I have heard that avast will remove this infection, but I have no idea how to remove any possible backdoors and thus other trojans that may be present, along with rootkits. This explains the PXE at startup (the DNS has been changed), and the problems with Norton, as it can't update. Malwarebytes Anti-Malware did remove the initial trojan.DNSchanger, but now I will attempt to remove the traces of it, such as gxvxc.............

ANY help will be much appreciated

EDIT:
I know this may be unadvised, but I did it anyway, and I do know what I am doing, at least I am pretty sure I do....
I ran ComboFix, and it deleted the registry entries concerning gxvxc.......... , and all the files.
Only thing I don't know is, what about the other things GMER listed. I have tried looking at these registry entries manually, but access is denied. I am an administrator on my system, and regedit is running as an admin. The permissions can't be viewed due to lack of permission, access is denied. I am guessing that these would be system entries, as the only thing that is higher than an admin is Vista, and it is so far impossible for me to go any further.

I would like to know if there is anything remaining on my system that could be harmful, but don't know what logs to post, and where to post them.

GMER also stops responding when scanning the 'devices', but, at least 360 scans now

Everything is back to normal, and I have entered BIOS setup and changed the network booting, so PXE is now disabled.

But I know, just because everything seems back to normal, doesn't mean that it really is, so this is why I am back here asking...

Edited by Professor_7, 12 June 2009 - 02:36 AM.




