
Lots of problems!! I don't know what to do!!


15 replies to this topic

#1 piperabo77

Posted 26 January 2010 - 07:37 PM

So I am losing my mind over my computer this week. It all started on Thursday. All four of my virus scan programs (Spybot S&D, Malwarebytes, AVG and Spyware Doctor), which I run on a daily basis, found numerous threats and infections. My computer was running very slow and there were many pop-ups, plus I had to download Malwarebytes again because there was a problem with mbam.exe.

As of Saturday night, after running numerous scans with all the programs, things started to look better: my computer was running normally and the scans were not picking up any viruses. Then on Sunday morning the scans picked up a few more trojans in System Volume Information. I have seen these before and knew that if you turn off System Restore it will get rid of them, yet when I tried, the System Restore tab was missing. I checked the services list and System Restore was listed as started. I then read that if you change the name of System Volume Information I could solve my problem. When I right-clicked on System Volume Information it said I couldn't rename it, access denied. I was also denied access when I just tried to open the folder, even though I am an administrator (guest login is turned off). I still have some of the threats quarantined that are from SVI; should I release them?

I also noticed that I could no longer go into safe mode. I tried to go into safe mode to scan for viruses as well, but each time I tried a message popped up saying "We are sorry! if the computer was not shut off properly there maybe be some programs still running" or something; I'll double-check the actual wording and post it up. It then asked me to use another way of logging into Windows (safe mode with command, last working settings, etc.).

Lastly, as I was researching what to do, most of my Google search results were redirecting me to advertising sites. This gave me the idea that there are still some threats, yet the scans found nothing. Here are the websites that I am being directed to:
w3club.com
wwwfrys.com


I updated my Java as AVG found a threat to my old version during all this as well. I am using Mozilla Firefox on Windows XP. I am a bit scared to try Hijack This but will if necessary. Here are my symptoms again:
1. System Restore tab is missing and access is denied to the System Volume Information folder
2. I cannot go into normal safe mode
3. Search results are redirected to ads


I am unsure if any or all of these things are related to the same virus, but I am to the point where I am losing sleep worrying about my security, so if anyone has any info I would be soooo thankful! THANK YOU VERY MUCH IN ADVANCE!!!

*Sorry about the title, I jumped the gun trying to get this stuff gone!*

Edited by piperabo77, 26 January 2010 - 08:46 PM.



#2 Darthy

Posted 26 January 2010 - 07:48 PM

To find your System Restore, go to the partition where you installed the OS, click it and go to the folder that says Windows.
Open it and go to system32, click it, go to Restore, again open it and you will see "rstrui.exe", which is an application.
Double-click it and you are in the System Restore.
Good luck and tell something.
I know one thing, that I know nothing - Socrates
Thanks John

#3 piperabo77 (Topic Starter)

Posted 26 January 2010 - 08:00 PM

Thanks Darthy, when I double clicked on it nothing opened up, the tab is still missing as well.

#4 Darthy

Posted 26 January 2010 - 08:23 PM

In your desktop, go to my computer and right click on it.
Go to properties and click on it and see if your system restore is deactivated.
If so, forget your System Restore.

Edited by Darthy, 26 January 2010 - 08:23 PM.


#5 piperabo77 (Topic Starter)

Posted 26 January 2010 - 08:31 PM

> In your desktop, go to my computer and right click on it.
> Go to properties and click on it and see if your system restore is deactivated.
> If so, forget your System Restore.


That is one of the problems I am having, sorry if my original post wasn't clear enough.
When I do these steps to get into the system properties window there is no system restore tab. The only tabs present are advanced, general, computer name, hardware, remote and automatic updates.

Also, when I go into run... and type in services.msc, it says that the System Restore Service is started, I can stop it and restart it at any time too.

#6 Darthy

Posted 26 January 2010 - 09:14 PM

I think you have a bad nasty one.
I'm thinking about it.

#7 boopme (Global Moderator)

Posted 26 January 2010 - 09:19 PM

Have you scanned with Malwarebytes? Do you have Safe or Normal mode?


Next run MBAM (MalwareBytes):

NOTE: Before saving MBAM please rename it to zztoy.exe....now save it to your desktop.

Please download Malwarebytes Anti-Malware and save it to your desktop.

alternate download link

MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e. Spybot's TeaTimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.
How do I get help? Who is helping me? For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear.... Become a BleepingComputer fan: Facebook

#8 Darthy

Posted 26 January 2010 - 09:31 PM

boopme, I think he has the Google redirect virus, what do you think about?

Edited by Darthy, 26 January 2010 - 09:31 PM.


#9 piperabo77 (Topic Starter)

Posted 26 January 2010 - 09:47 PM

> boopme, I think he has the Google redirect virus, what do you think about?


Google is the engine I use when these searches get redirected. Reading up on some other posts on this site I've noticed the Google redirects might be rootkits. One of my programs did pick up on a rootkit virus; could this still be the problem? I believe it is still in a vault, I can look it up if need be.

#10 boopme (Global Moderator)

Posted 26 January 2010 - 11:23 PM

I suspect some Vundo, some rogues, rootkits and downloaders. Now let's see what the scan finds so I know where to go rather than guess.

#11 piperabo77 (Topic Starter)

Posted 26 January 2010 - 11:24 PM

> Have you scanned with Malware bytes? Do you have Safe or Normal mode?



I have run Malwarebytes many times; it picked up some viruses on the 23rd, but none since then. I only have normal mode, I cannot get into safe mode.

I am gathering the logs and the results I still haven't deleted yet now. I will post them up in a bit.

Edited by piperabo77, 26 January 2010 - 11:26 PM.


#12 piperabo77 (Topic Starter)

Posted 26 January 2010 - 11:38 PM

First MBAM scan on the 23rd
Malwarebytes' Anti-Malware 1.44
Database version: 3510
Windows 5.1.2600 Service Pack 2
Internet Explorer 6.0.2900.2180

1/23/2010 9:36:49 PM
mbam-log-2010-01-23 (21-36-49).txt

Scan type: Quick Scan
Objects scanned: 129292
Time elapsed: 18 minute(s), 55 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 2
Registry Keys Infected: 1
Registry Values Infected: 3
Registry Data Items Infected: 8
Folders Infected: 0
Files Infected: 13

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
c:\WINDOWS\system32\tifunalo.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\dpibdst.dll (Trojan.Hiloti) -> Delete on reboot.

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{f4918b58-2a1f-4882-8424-9191f29aec0f} (Trojan.Vundo.H) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tebodikis (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{f4918b58-2a1f-4882-8424-9191f29aec0f} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\wojonupiz (Trojan.Vundo.H) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: dpibdst.dll -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: c:\windows\system32\tifunalo.dll -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: system32\tifunalo.dll -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetActiveDesktop (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\activedesktop\NoChangingWallpaper (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Rootkit.Agent) -> Data: c:\windows\system32\kbdsock.dll -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Rootkit.Agent) -> Data: system32\kbdsock.dll -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\dulosilo.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\tifunalo.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\wowinule.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\yufarugo.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\dpibdst.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\Documents and Settings\HP_Administrator.YOUR-4DACD0EA75\Local Settings\Temp\asnwmocrxe.tmp (Trojan.Inject) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Administrator.YOUR-4DACD0EA75\Local Settings\Temp\awocenmrsx.tmp (Trojan.Hiloti) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Administrator.YOUR-4DACD0EA75\Local Settings\Temp\xwamoesncr.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\RegGenieOnUninstall.exe (Spyware.Passwords) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\spool\prtprocs\w32x86\000028d1.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\H8SRT2ab.tmp (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\kbdsock.dll (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\mshlps.dll (Rootkit.Agent) -> Quarantined and deleted successfully.


All the MBAM scans since then have come up clean.
On the same date AVG found some infections. I do not know how to load up the log, but here are the names of the viruses found:
Win32/Cryptor (this was found late 1/22)
SHeur2.CHBV
SHeur2.CHNW
SHeur2.CHQP
Downloader.Generic9.AJZY
Generic16.AMJQ
Downloader.Agent2.RAF
BackDoor.Agent.AFIY

These are all still located in AVG's vault. I will post Spybot's and Spyware Doctor's results as soon as I can. Is there a way I can post a log from AVG and the others like you can with MBAM, or do I have to type it all out?

Edited by piperabo77, 26 January 2010 - 11:42 PM.
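A small triage helper for the MBAM log format posted above, added here as an example and not code from the thread or from Malwarebytes: it parses the section/item layout of the log, counts objects per detection name, flags hits on the autostart and DLL-injection locations the log shows (AppInit_DLLs, the LSA Notification Packages list, the Run key, ShellServiceObjectDelayLoad and SharedTaskScheduler) and lists what was only marked "Delete on reboot", which is the reason boopme's instructions insist on a normal restart. The embedded log excerpt is taken from the thread's own log; the mapping of registry locations to what they mean is this example's assumption, as is the regular expression for the item lines.

```python
"""Triage helper for Malwarebytes' Anti-Malware 1.x scan logs.

Added example, not code from BleepingComputer or Malwarebytes. It parses the
plain-text format shown in post #12 (section headers ending in 'Infected:'
followed by '<object> (<Detection>) -> [<detail> -> ]<action>.' lines).
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional

# Excerpt of the log posted in the thread, cut down to representative lines.
# Backslashes are doubled only because this is a Python string literal.
SAMPLE_LOG = """\
Malwarebytes' Anti-Malware 1.44
Database version: 3510

Memory Modules Infected:
c:\\WINDOWS\\system32\\tifunalo.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\\WINDOWS\\dpibdst.dll (Trojan.Hiloti) -> Delete on reboot.

Registry Values Infected:
HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\tebodikis (Trojan.Vundo.H) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\LSA\\Notification Packages (Trojan.Vundo.H) -> Data: dpibdst.dll -> Delete on reboot.
HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\AppInit_DLLs (Rootkit.Agent) -> Data: c:\\windows\\system32\\kbdsock.dll -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Security Center\\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\\WINDOWS\\Temp\\H8SRT2ab.tmp (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\\WINDOWS\\system32\\kbdsock.dll (Rootkit.Agent) -> Quarantined and deleted successfully.
"""

# Autostart / DLL-injection points seen in the thread's log (this mapping is the
# example's own), with the reason a hit there matters to whoever cleans the box.
PERSISTENCE_LOCATIONS = {
    "\\AppInit_DLLs": "AppInit_DLLs: DLL loaded into every process that uses user32.dll",
    "\\LSA\\Notification Packages": "LSA notification package: DLL loaded into lsass.exe, sees password changes",
    "\\CurrentVersion\\Run\\": "Run key: program started at every logon",
    "\\ShellServiceObjectDelayLoad\\": "SSODL: COM object loaded by explorer.exe at logon",
    "\\Explorer\\SharedTaskScheduler\\": "SharedTaskScheduler: COM object loaded by explorer.exe at logon",
}

SECTION_RE = re.compile(r"^(?P<name>.+) Infected:$")
ITEM_RE = re.compile(r"^(?P<obj>.+?) \((?P<detection>[^()]+)\) -> (?P<rest>.+?)\.?$")


@dataclass
class Finding:
    section: str            # e.g. "Files", "Registry Data Items"
    obj: str                # file path or registry path
    detection: str          # MBAM detection name, e.g. "Rootkit.TDSS"
    detail: Optional[str]   # "Data: ..." or "Bad: ... Good: ..." part, if present
    action: str             # what MBAM did, e.g. "Delete on reboot"


def parse_mbam_log(text: str) -> Dict[str, object]:
    """Return {'header': {key: value}, 'findings': [Finding, ...]}."""
    header, findings, section = {}, [], None
    for line in (raw.strip() for raw in text.splitlines()):
        m = SECTION_RE.match(line)
        if m:
            section = m.group("name")
        elif section is None and ": " in line:
            key, _, value = line.partition(": ")   # summary block, "Key: value"
            header[key] = value
        elif section is not None and (m := ITEM_RE.match(line)):
            parts = m.group("rest").split(" -> ")
            findings.append(Finding(section, m.group("obj"), m.group("detection"),
                                    " -> ".join(parts[:-1]) or None, parts[-1]))
        # blank lines and "(No malicious items detected)" fall through
    return {"header": header, "findings": findings}


def detection_counts(findings: List[Finding]) -> Counter:
    """Number of objects attributed to each detection name."""
    return Counter(f.detection for f in findings)


def persistence_hits(findings: List[Finding]) -> List[tuple]:
    """(why it matters, payload, detection) for each abused autostart/injection point."""
    hits = []
    for f in findings:
        for needle, why in PERSISTENCE_LOCATIONS.items():
            if needle.lower() in f.obj.lower():
                # Data items carry the payload in "Data: <dll>"; values name it
                # in the last path component of the registry path.
                payload = f.detail[6:] if f.detail and f.detail.startswith("Data: ") else f.obj.rsplit("\\", 1)[-1]
                hits.append((why, payload, f.detection))
    return hits


def pending_reboot(findings: List[Finding]) -> List[str]:
    """Objects MBAM could only mark for deletion; they survive until a restart."""
    return [f.obj for f in findings if f.action.lower().startswith("delete on reboot")]


if __name__ == "__main__":
    report = parse_mbam_log(SAMPLE_LOG)
    print(detection_counts(report["findings"]).most_common())
    for why, payload, det in persistence_hits(report["findings"]):
        print(f"PERSISTENCE  {payload}  [{det}]  {why}")
    print("needs reboot:", pending_reboot(report["findings"]))
```

Run against the full log from post #12 the same way (paste it into SAMPLE_LOG or read it from the saved mbam-log file). The two things worth looking at first are the AppInit_DLLs and LSA Notification Packages hits, because a DLL registered there is loaded by other processes rather than started on its own, and the "Delete on reboot" list, since those objects are still on disk or in the registry until the machine has been restarted normally, which is exactly what a later clean scan can otherwise hide.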


#13 piperabo77 (Topic Starter)

Posted 26 January 2010 - 11:55 PM

Here is what Spyware doctor has Quarantined: I am not sure how to make a log of the actual files
Rootkit.TDSS
Trojan.Generic
Trojan.Pidief
Trojan.FakeAV

Again I do not know how to make a log of Spybot's results. I am sure that I deleted most of them out of the vault though. (bad idea I am thinking now!)

#14 boopme (Global Moderator)

Posted 27 January 2010 - 12:55 AM

Hi. OK,.. You do have/had a dangerous TDSS rootkit.. MBAM needs to be updated.
You cannot access safe Mode?

First then let me say this.

Some items found there are the TDSS and some are related to a nasty variant of the TDSSSERV rootkit component. Rootkits, backdoor Trojans, Botnets, and IRC Bots are very dangerous because they compromise system integrity by making changes that allow it to be used by the attacker for malicious purposes. Rootkits are used by Trojans to conceal their presence (hide from view) in order to prevent detection of an attacker's software and make removal more difficult. Many rootkits can hook into the Windows 32-bit kernel, and patch several APIs to hide new registry keys and files they install. They can disable your anti-virus and security tools to prevent detection and removal. Remote attackers use backdoors as a means of accessing and taking control of a computer that bypasses security mechanisms. This type of exploit allows them to steal sensitive information like passwords, personal and financial data which is sent back to the hacker. To learn more about these types of infections, you can refer to:

What danger is presented by rootkits?
Rootkits and how to combat them
r00tkit Analysis: What Is A Rootkit

If your computer was used for online banking, has credit card information or other sensitive data on it, you should disconnect from the Internet until your system is cleaned. All passwords should be changed immediately to include those used for banking, email, eBay, paypal and online forums. You should consider them to be compromised and change each password using a clean computer, not the infected one. If not, an attacker may get the new passwords and transaction information. If using a router, you need to reset it with a strong logon/password so the malware cannot gain control before you connect again. Banking and credit card institutions should be notified of the possible security breach. Because your computer was compromised please read:

How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?
What Should I Do If I've Become A Victim Of Identity Theft?
Identity Theft Victims Guide - What to do


Although the infection has been identified and may be removed, your PC has likely been compromised and there is no way to be sure the computer can ever be trusted again. It is dangerous and incorrect to assume the computer is secure even if the malware appears to have been removed. In some instances an infection may have caused so much damage to your system that it cannot be completely cleaned or repaired so you can never be sure that you have completely removed a rootkit. The malware may leave so many remnants behind that security tools cannot find them. Tools that claim to be able to remove rootkits cannot guarantee that all traces of it will be removed. Many experts in the security community believe that once infected with this type of malware, the best course of action is to wipe the drive clean, reformat and reinstall the OS. Please read:

When should I re-format? How should I reinstall?
Help: I Got Hacked. Now What Do I Do?
Where to draw the line? When to recommend a format and reinstall?


Should you decide not to follow that advice, we will do our best to help clean the computer of any infections but we cannot guarantee it to be trustworthy or that the removal will be successful. Some infections are difficult to remove completely because of their morphing characteristics which allows the malware to regenerate itself. Sometimes there is another hidden piece of malware which has not been detected by your security tools that protects malicious files and registry keys (which have been detected) so they cannot be permanently deleted. Disinfection will probably require the use of more powerful tools than we recommend in this forum. Before that can be done you will need to create and post a DDS/HijackThis log for further investigation. Let me know how you wish to proceed.

#15 piperabo77 (Topic Starter)

Posted 30 January 2010 - 01:41 PM

Reformatting sounds like a good idea since I do not use this computer for much besides storing pictures and going on the internet. I do not know how to do this or if I have the correct software disks to do this, but I will call a friend to see if they can help. Thank you very much for all your help.



