Posted 14 June 2009 - 09:05 PM
The following is a list of bad stuff that happened to my computer. The first two occurred at the end of May. The rest started on the evening of June 8th. From that day on, I ran Avast, Spybot, Malwarebytes, and Lavasoft's Ad-Aware over and over. I downloaded Comodo firewall when I realized that my Windows firewall had been turned off. I cleaned out all history, temp files, and cookies from both browsers. Finally, as of yesterday, there were no more infections detected. I don't know if my system is really cleaned out or if something is still lurking around. I'm sorry the list is so long.
Microsoft Windows XP
Service Pack 3
Intel[R] 4 CPU 2.60GHz
2.59 GHz, 752MB of RAM
Firefox – 3.0 (it just updated itself tonight)
Internet Explorer – 8 (I upgraded from 7 a few weeks ago.)
Computer shutdown and restarts - Windows serious error message
Avast - Registry Keys Infected:
HKEY_CLASSES_ROOT\urlsearchhook.toolbarurlsearchhook (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\urlsearchhook.toolbarurlsearchhook.1 (Trojan.BHO) -> Quarantined and deleted successfully.
The MCSTRM service failed to start due to the following error:
The system cannot find the file specified.
Event ID 7000
Source Service Control Manager
The IP address lease (gives my address) for the Network Card with network address (again gives my address) has been denied by the DHCP server 0.0.0.0 (The DHCP Server sent a DHCPNACK message). Event ID 1002 Source is Dhcp (I don't know if I should give out those addresses)
That evening, a half hour after anyone had used the computer, Avast started an alert that multiple emails were being sent out. I clicked the continue button thinking that it would take me to another screen to explain the problem. The next day I realized that was the wrong choice. After clicking the button, I shut the computer down for the night.
A suspicious file has been detected (using a heuristic method). This may be a sign of malware infection. Please allow the file to be submitted to our virus lab for analysis.
Recommended action: Ignore
avast! has detected a virus in the operating memory. Since it is very dangerous to work with the computer while the virus is active, it is strongly recommended that you restart the computer and let avast! scan all your data in the boot phase, before the virus can be activated. Do you want to schedule the boot-time scan and restart the computer? I let it. There was no result from the scan.
Trying to connect to internet
First message at Firefox - server not found
Then Firefox - "The connection to the server was reset while the page was loading."
IE - not connected to Internet
IE - then started to display address not valid and address bar switches from correct google address to http:///
Avast Virus Warning
There are too many identical e-mails in appointed time.
Emails to addresses I didn't know - Avast showed them spewing out. I clicked the button to stop. The only email program on my computer is Outlook Express. I don't use it, I never configured it to work. The only time it ever came up was if I was trying to copy and paste an email address from Craigslist and it opened an OE blank message with the email address in the "To:" bar. I copied it and closed OE. That only happened a couple of times a long time ago. It appears that Outlook Express has been activated. There is even a "Welcome" letter in the inbox.
Avast - suspicious file found C:\WINDOWS\System32\drivers\e5860352.sys (this kept popping up every now and then; I ran several of the suggested boot scans with no result.)
c:\documents and settings\Dave_2\local settings\Temp\~TM1C8.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
c:\documents and settings\Dave_2\local settings\temporary internet files\Content.IE5\WNLA5QCX\load.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\documents and settings\Dave_2\start menu\Programs\Startup\rncsys32.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\9129837.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\wpv931243627542.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\documents and settings\Dave_2\Application Data\wiaserva.log (Malware.Trace) -> Quarantined and deleted successfully.
Microsoft WindowsSecurityCenter_disabled ....I entry Security
(SBI $2E20C9A9) Settings
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\wscsvc\Start[is not] W=2
Nurech ..............1entry, Trojans
(SBI $38173BA2)Autorun settings [ttool] ...........Registry value
I was attempting to find help, clicked a reputable website and McAfee Siteadvisor came up with this: mm.chitika.net/minimal?w=550 may cause a breach of browser security.
An Avast boot scan finds drivers infected with WIN 32: RUST NT R7K
Rootkit found - suspicious hidden object.
(Rootkits have been found a few other times.)
C:\Documents and Settings\Dave\Local Settings\Temp\WERea78.dir00\cfpconfg.exe.hdmp
Tried to move to chest, can't: "The process cannot access the file because it is being used by another process."
It came up again, tried to move to chest again. Same error, so I chose the other option and deleted it.
File was successfully deleted says Avast.
[SBI$077B7AD9]Settings Registry Value
[SBI$2C56291A]Settings Registry Value
2 problems fixed
Lately I noticed 2 Firefox icons in my start menu. I don’t remember when the two first showed up. I noticed today, that one opens to my google start page and one opens to a blank page. I thought the top one opened to the blank page, so I unpinned it. I was wrong. So I unpinned the other one, too. Then I got a notice saying that if I wanted to put Firefox Internet and Firefox Email back on the start menu, I should right click start and choose properties. In the custom box, there was an area for Internet and for Email. Firefox was the grayed out Internet and Outlook Express was the grayed out email. But Outlook was never on the start menu.
I just don't feel secure that the problems are over, but I don't know how to find out for sure. Thank you for taking the time to go through this long post.