
Many problems - Is computer really cleaned?



#1 rialta

Posted 14 June 2009 - 09:05 PM

Hi,

The following is a list of bad stuff that happened to my computer. The first two occurred at the end of May. The rest started on the evening of June 8th. From that day on, I ran Avast, Spybot, Malwarebytes, and Lavasoft's Ad-Aware over and over. I downloaded Comodo firewall when I realized that my Windows firewall had been turned off. I cleaned out all history, temp files, and cookies from both browsers. Finally, as of yesterday, there were no more infections detected. I don't know if my system is really cleaned out or if something is still lurking around. I'm sorry the list is so long.

Microsoft Windows XP
Home Edition
Version 2002
Service Pack 3
Intel[R] 4 CPU 2.60GHz
2.59 GHz, 752MB of RAM
Firefox – 3.0 (it just updated itself tonight)
Internet Explorer – 8 (I upgraded from 7 a few weeks ago.)

Computer shutdown and restarts - windows serious error message
C:\DOCUME~1\Dave\LOCALS~1\Temp\WERc44e.dir00\Mini051809-01.dmp
C:\DOCUME~1\Dave\LOCALS~1\Temp\WERc44e.dir00\sysdata.xml

Avast - Registry Keys Infected:
HKEY_CLASSES_ROOT\urlsearchhook.toolbarurlsearchhook (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\urlsearchhook.toolbarurlsearchhook.1 (Trojan.BHO) -> Quarantined and deleted successfully.

The MCSTRM service failed to start due to the following error:
The system cannot find the file specified.
Event ID 7000
Source Service Control Manager

The IP address lease (gives my address) for the Network Card with network address (again gives my address) has been denied by the DHCP server 0.0.0.0 (The DHCP Server sent a DHCPNACK message). Event ID 1002 Source is Dhcp (I don't know if I should give out those addresses)

That evening, a half hour after anyone has used the computer, Avast started an alert that multiple emails were being sent out. I clicked the continue button thinking that it would take me to another screen to explain the problem. The next day I realized that was the wrong choice. After clicking the button, I shut the computer down for the night.

C:\WINDOWS\System32\drivers\e5860352.sys
A suspicious file has been detected (using a heuristic method). This may be a sign of malware infection. Please allow the file to be submitted to our virus lab for analysis.
Recommended action: Ignore

avast! has detected a virus in the operating memory. Since it is very dangerous to work with the computer while the virus is active, it is strongly recommended that you restart the computer and let avast! scan all your data in the boot phase, before the virus can be activated. Do you want to schedule the boot-time scan and restart the computer? I let it. There was no result from the scan.

Trying to connect to internet
First message at Firefox - server not found
Then Firefox - "The connection to the server was reset while the page was loading."
IE - not connected to Internet
IE - then started to display address not valid and address bar switches from correct google address to http:///

Avast Virus Warning
Suspicious Message
There are too many identical e-mails in appointed time.
Emails to addresses I didn't know - Avast showed them spewing out. I clicked the button to stop. The only email program on my computer is Outlook Express. I don't use it, I never configured it to work. The only time it ever came up was if I was trying to copy and paste an email address from Craigslist and it opened an OE blank message with the email address in the "To:" bar. I copied it and closed OE. That only happened a couple of times a long time ago. It appears that Outlook Express has been activated. There is even a "Welcome" letter in the inbox.

Avast - suspicious file found C\WINDOWS\System32\drivers\e5860352.sys (this kept popping up every now and then, I ran several of the suggested boot scans with no result.)

Malwarebytes finds:
Files Infected:
c:\documents and settings\Dave_2\local settings\Temp\~TM1C8.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
c:\documents and settings\Dave_2\local settings\temporary internet files\Content.IE5\WNLA5QCX\load[1].exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\documents and settings\Dave_2\start menu\Programs\Startup\rncsys32.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\9129837.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\wpv931243627542.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\documents and settings\Dave_2\Application Data\wiaserva.log (Malware.Trace) -> Quarantined and deleted successfully.

Spybot finds:
Microsoft WindowsSecurityCenter_disabled .... 1 entry, Security
(SBI $2E20C9A9) Settings
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\wscsvc\Start[is not] W=2

Nurech .............. 1 entry, Trojans
(SBI $38173BA2) Autorun settings [ttool] ........... Registry value
HKEY_USERS\s-1-5-21-1123561945-329068152-682003330-1005\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ttool

I was attempting to find help, clicked a reputable website and McAfee Siteadvisor came up with this: mm.chitika.net/minimal?w=550 may cause a breach of browser security.

An Avast boot scan finds drivers infected with WIN 32: RUST NT R7K

Avast
Rootkit found - suspicious hidden object.
C:\WINDOWS\System32\drivers\e5860352.sys
Wi???_
Later:
Rootkit found
Wi????????_? _»?u4u4__t'??O4__
(Rootkits have been found a few other times.)

Avast
C:\Documents and Settings\Dave\Local Settings\Temp\WERea78.dir00\cfpconfg.exe.hdmp
Win32:Delf-DNW [Trj]
Trojan Horse
090612-0,
Tried to move to chest, can't: "The process cannot access the file because it is being used by another process."
It came up again, tried to move to chest again. Same error, so I chose the other option and deleted it.
File was successfully deleted says Avast.

Spybot: Trojans
PWS.Small.bs
[SBI$077B7AD9]Settings Registry Value
HKEY_USERS\S-1-5-21-1123561945-329068152-682003330-1005\Software\Microsoft\InetData\k1
[SBI$2C56291A]Settings Registry Value
HKEY_USERS\S-1-5-21-1123561945-329068152-682003330-1005\Software\Microsoft\InetData\k2
2 problems fixed

Lately I noticed 2 Firefox icons in my start menu. I don’t remember when the two first showed up. I noticed today, that one opens to my google start page and one opens to a blank page. I thought the top one opened to the blank page, so I unpinned it. I was wrong. So I unpinned the other one, too. Then I got a notice saying that if I wanted to put Firefox Internet and Firefox Email back on the start menu, I should right click start and choose properties. In the custom box, there was an area for Internet and for Email. Firefox was the grayed out Internet and Outlook Express was the grayed out email. But Outlook was never on the start menu.

I just don't feel secure that the problems are over, but I don't know how to find out for sure. Thank you for taking the time to go through this long post.
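As an added example, not part of the post and not code from Avast, Malwarebytes or Spybot: a small Python triage script that takes the paths and registry keys quoted above and sorts them by where they sit on the system, because that location says more about whether the machine is "really cleaned" than the detection name does. A file in a Temp folder is a dropped payload that deletion removes; a Run key, a Startup-folder executable or a disabled Security Center service is persistence that will reinfect unless the thing that wrote it is gone; a hidden driver under System32\drivers is kernel-level and, once present, the rest of the scan results cannot be trusted. The categories, the 1-3 severity scale and the "rebuild" verdict are the editor's assumptions, not anything the scanners on the page report; the strings in `FINDINGS` are the post's own lines, trimmed to location and label, and the list itself is constructed for this example.

```python
import re
from collections import Counter

# The paths and registry keys quoted in the post above, reduced to the
# location plus the scanner's label. The strings are the post's own; the
# list as a whole is constructed here for the example.
FINDINGS = [
    r"HKEY_CLASSES_ROOT\urlsearchhook.toolbarurlsearchhook (Trojan.BHO)",
    r"c:\documents and settings\Dave_2\local settings\Temp\~TM1C8.tmp (Trojan.Agent)",
    r"c:\documents and settings\Dave_2\local settings\temporary internet files\Content.IE5\WNLA5QCX\load[1].exe (Trojan.Agent)",
    r"c:\documents and settings\Dave_2\start menu\Programs\Startup\rncsys32.exe (Trojan.Agent)",
    r"C:\WINDOWS\9129837.exe (Trojan.Agent)",
    r"c:\WINDOWS\Temp\wpv931243627542.exe (Trojan.Agent)",
    r"HKEY_USERS\S-1-5-21-1123561945-329068152-682003330-1005\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ttool",
    r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\wscsvc\Start [is not] W=2",
    r"C:\WINDOWS\System32\drivers\e5860352.sys (Rootkit: suspicious hidden object)",
]

# Ordered rules: the first matching pattern wins. Severity is an editorial
# scale (3 = kernel-level, 2 = persistence or defence tampering, 1 = dropped
# payload or browser hijack); it is an assumption of this example, not a
# value any scanner on the page produces.
RULES = [
    (r"\\drivers\\[^\\]+\.sys", "kernel driver / rootkit", 3),
    (r"\\CurrentVersion\\Run\\|\\Startup\\", "autostart persistence", 2),
    (r"\\wscsvc\\Start", "Security Center disabled", 2),
    (r"urlsearchhook|\(Trojan\.BHO\)", "browser hijack (BHO)", 1),
    (r"\\Temp\\|Content\.IE5|\\WINDOWS\\[^\\]+\.exe", "dropped payload", 1),
]


def classify(line):
    """Return (category, severity) for one scanner line; unknown -> severity 0."""
    for pattern, label, severity in RULES:
        if re.search(pattern, line, re.IGNORECASE):
            return label, severity
    return "unclassified", 0


def triage(findings):
    """Classify every line and derive an overall verdict from the worst hit."""
    rows = [(line, *classify(line)) for line in findings]
    counts = Counter(label for _, label, _ in rows)
    worst = max((severity for _, _, severity in rows), default=0)
    if worst >= 3:
        # A hidden kernel driver means user-mode scanners may be lied to;
        # the usual advice (and the moderator's hint below) is to rebuild.
        verdict = "rebuild"
    elif worst == 2:
        verdict = "persistence found: re-scan and verify every autostart"
    else:
        verdict = "payload only: verify removal and monitor"
    return {"rows": rows, "counts": dict(counts), "worst": worst, "verdict": verdict}


if __name__ == "__main__":
    result = triage(FINDINGS)
    for line, label, severity in result["rows"]:
        print(f"[{severity}] {label:28} {line}")
    print("counts:", result["counts"])
    print("verdict:", result["verdict"])
```

Run as-is it classifies the nine quoted findings, counts two autostart entries, one disabled Security Center service and one hidden driver, and returns the verdict "rebuild"; feed it a log with only Temp-folder hits and it drops to the monitoring verdict instead.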


#2 boopme

Posted 14 June 2009 - 09:20 PM

I guess you have decided against formatting. The next best course of action with all this infection is an HJT log.

You need to run HJT/DDS.
Please follow this guide and do steps 6 and 7: Preparation Guide For Use Before Using Hijackthis. Then go here: HijackThis Logs and Virus/Trojan/Spyware/Malware Removal, click New Topic, give it a relevant Title and post that complete log.

Let me know if it went OK.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#3 rialta

Posted 14 June 2009 - 09:53 PM

Hi!

I was hoping I wouldn't need to reformat, but I think my hopes are dimming. I followed your instructions. I think it went well. I didn't have any problems. Thank you!

rialta

#4 boopme

Posted 15 June 2009 - 09:09 AM

Hi rialta, the log looks good. If you have any questions feel free to PM me.

Now that your log is properly posted, you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc.) unless advised by a HJT Team member, nor should you continue to ask for help elsewhere. Doing so can result in system changes which may not show in the log you already posted. Further, any modifications you make on your own may cause confusion for the helper assisting you and could complicate the malware removal process, which would extend the time it takes to clean your computer.

From this point on the HJT Team should be the only members that you take advice from, until they have verified your log as clean.

Please be patient. It may take a while to get a response because the HJT Team members are very busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT make another reply until it has been responded to by a member of the HJT Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work may assume another HJT Team member is already assisting you and not open the thread to respond.

To avoid confusion, I am closing this topic.
