Multiple virus symptoms, please help


2 replies to this topic

#1 chubbyc

chubbyc

  • Members
  • 19 posts
  • OFFLINE
  • Local time:02:37 PM

Posted 12 May 2010 - 11:46 AM

Hi, I use Windows XP on my laptop, and I use wireless internet.

This started just yesterday.

Weird processes I don't recognize in Task Manager:
Mbam.exe
Nsw.exe
rstrui.exe
BAsfIpM.exe
rundll32.exe
khvcol.exe
smss.exe
and a constantly moving lsass.exe pops up and down the list

It says CPU usage is constantly at 100%.

Steps I have taken:
Running Malwarebytes (had infections, cleaned/fixed them), Running SpyBot SD, Running HijackThis (not sure if I did this right)
Cursor has a constant hourglass next to it
The computer has slowed down immensely
System Restore doesn't work; it says it has been turned off by group policy and that I must contact a system administrator. I am the admin. I tried going into regedit to delete the DisableSR value, but it kept coming back and made no difference.
At one point Antimalware kept popping up but I think HijackThis took care of it.
Malwarebytes can't update


Do you recognize any processes as dangerous? How can I get SysRestore to work, or is there something else I scan with? Please help? Thank you!

EDIT: Moved from XP to more appropriate Am I Infected forum ~ Hamluis.

Edited by hamluis, 12 May 2010 - 12:39 PM.




#2 roadclosed

roadclosed

  • Members
  • 138 posts
  • OFFLINE
  • Local time:05:37 PM

Posted 12 May 2010 - 12:13 PM

As a starting point >>> can you please let us see the report from the Malwarebytes scan you did.

The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
Please copy and paste the contents of that report in your next reply for someone to check for you and exit MBAM.


Also ....
You say you have run HJT? What exactly did you 'do' with that tool?

#3 chubbyc

chubbyc
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  • Local time:02:37 PM

Posted 12 May 2010 - 01:10 PM

Malwarebytes Log:


5/11/2010 3:55:51 PM
mbam-log-2010-05-11 (15-55-51).txt

Scan type: Full Scan (C:\|)
Objects scanned: 213732
Time elapsed: 4 hour(s), 11 minute(s), 27 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 1
Registry Keys Infected: 13
Registry Values Infected: 3
Registry Data Items Infected: 2
Folders Infected: 11
Files Infected: 15

Memory Processes Infected:
C:\WINDOWS\system32\net.net (Trojan.Downloader) -> Unloaded process successfully.

Memory Modules Infected:
c:\WINDOWS\system32\6to4v32.dll (Trojan.Agent) -> Delete on reboot.

Registry Keys Infected:
HKEY_CLASSES_ROOT\cscrptxt.cscrptxt (Adware.EZlife) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{bf4133e9-c1d5-4322-9690-85050f5eff3e} (Adware.EZlife) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{e0ec6fba-f009-3535-95d6-b6390db27da1} (Adware.EZlife) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\cscrptxt.cscrptxt.1.0 (Adware.EZlife) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ezLife (Adware.EzLife) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\ezLife (Adware.EzLife) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Smart-Ads-Solutions (Adware.SmartAds) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Smart-Ads-Solutions (Adware.SmartAds) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Smart-Ads-Solutions (Adware.SmartAds) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\6to4 (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\XML (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\AGprotect (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\net (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\idstrf (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\winid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\nofolderoptions (Hijack.FolderOptions) -> Delete on reboot.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions (Hijack.FolderOptions) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools (Hijack.Regedit) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
C:\Program Files\Smart-Ads-Solutions (Adware.SmartAds) -> Quarantined and deleted successfully.
C:\Program Files\Smart-Ads-Solutions\SmartAds (Adware.SmartAds) -> Quarantined and deleted successfully.
C:\Program Files\Smart-Ads-Solutions\SmartAds\1.5.5.0 (Adware.SmartAds) -> Quarantined and deleted successfully.
C:\Program Files\Smart-Ads-Solutions\SmartAds\1.6.0.0 (Adware.SmartAds) -> Quarantined and deleted successfully.
C:\Documents and Settings\Carolyn Collins\Application Data\Smart-Ads-Solutions (Adware.SmartAds) -> Quarantined and deleted successfully.
C:\Documents and Settings\Carolyn Collins\Application Data\Smart-Ads-Solutions\SmartAds (Adware.SmartAds) -> Quarantined and deleted successfully.
C:\Documents and Settings\Carolyn Collins\Application Data\Smart-Ads-Solutions\SmartAds\download (Adware.SmartAds) -> Quarantined and deleted successfully.
C:\Program Files\ezLife (Adware.EzLife) -> Quarantined and deleted successfully.
C:\Program Files\ezLife\ezLife (Adware.EzLife) -> Quarantined and deleted successfully.
C:\Program Files\ezLife\ezLife\1.5.5.0 (Adware.EzLife) -> Quarantined and deleted successfully.
C:\Program Files\ezLife\ezLife\1.6.0.0 (Adware.EzLife) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\net.net (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\mtahexbo.dll (Adware.EZlife) -> Quarantined and deleted successfully.
C:\Documents and Settings\Carolyn Collins\Local Settings\temp\aorsewcmnx.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Program Files\Smart-Ads-Solutions\SmartAds\1.5.5.0\uninstall.exe (Adware.SmartAds) -> Quarantined and deleted successfully.
C:\Program Files\Smart-Ads-Solutions\SmartAds\1.6.0.0\uninstall.exe (Adware.SmartAds) -> Quarantined and deleted successfully.
C:\Documents and Settings\Carolyn Collins\Application Data\Smart-Ads-Solutions\SmartAds\download\bndl_1600.exe (Adware.SmartAds) -> Quarantined and deleted successfully.
C:\Program Files\ezLife\ezLife\1.5.5.0\uninstall.exe (Adware.EzLife) -> Quarantined and deleted successfully.
C:\Program Files\ezLife\ezLife\1.6.0.0\uninstall.exe (Adware.EzLife) -> Quarantined and deleted successfully.
C:\lsass.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\6to4v32.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\certstore.dat (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Carolyn Collins\Local Settings\temp\svchost.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Carolyn Collins\Local Settings\temp\taskmgr.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Carolyn Collins\Local Settings\temp\jisfije9fjoiee.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.

I don't remember exactly what I deleted from my prior HJT log, but I researched each item and presumably didn't delete anything important.

Current Hijack This Log

HJT log removed as not allowed in this forum and not used much anyway. ~ OB

Edited by Orange Blossom, 12 May 2010 - 07:14 PM.
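The log posted above already answers the "do you recognize any processes as dangerous?" question from post #1, and it is worth seeing how: the files Malwarebytes removed were named lsass.exe, svchost.exe and taskmgr.exe but sat in C:\ and in a Local Settings\temp folder, whereas the genuine Windows XP processes with those names only ever run from C:\WINDOWS\system32. The name is borrowed; the location gives it away. The "Delete on reboot" entries also mean the 6to4v32.dll module is not actually gone until the machine has been restarted, and the Hijack.* policy entries (NoFolderOptions, DisableRegistryTools) are the same kind of policy tampering as the DisableSR value described in post #1. The Python script below is an added example written for this page, not a tool from Malwarebytes or from anyone in this thread. It parses the MBAM report format shown above (a hand-copied excerpt of the posted log is embedded as the constructed sample), counts detections by family, lists items still pending a reboot, and flags any file that carries a core system process name but lives outside system32. The list of system32-only names is the author's assumption of which XP processes to check, not something Malwarebytes itself reports.

```python
import re
from collections import Counter
from pathlib import PureWindowsPath

# Excerpt of the Malwarebytes log posted in this thread (hand-copied, so treat
# it as a constructed sample; the full log has more entries per section).
SAMPLE_LOG = r"""
Scan type: Full Scan (C:\|)
Objects scanned: 213732

Memory Processes Infected: 1
Files Infected: 4

Memory Processes Infected:
C:\WINDOWS\system32\net.net (Trojan.Downloader) -> Unloaded process successfully.

Memory Modules Infected:
c:\WINDOWS\system32\6to4v32.dll (Trojan.Agent) -> Delete on reboot.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools (Hijack.Regedit) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Files Infected:
C:\lsass.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\6to4v32.dll (Trojan.Agent) -> Delete on reboot.
C:\Documents and Settings\Carolyn Collins\Local Settings\temp\svchost.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Carolyn Collins\Local Settings\temp\taskmgr.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
"""

# One detection line: "<item> (<Threat.Family>) -> <result>".  Registry data
# items carry an extra "Bad: (1) Good: (0) -> " step before the final action.
ENTRY_RE = re.compile(r"^(?P<item>.+?) \((?P<threat>[^()]+)\) -> (?P<result>.+)$")

# Core Windows XP processes that legitimately run only from %SystemRoot%\system32.
# (Assumed list for this example; a file with one of these names elsewhere is a
# classic masquerading sign, exactly what the log above shows.)
SYSTEM32_ONLY = {"lsass.exe", "smss.exe", "svchost.exe", "taskmgr.exe",
                 "rundll32.exe", "csrss.exe", "winlogon.exe", "services.exe"}


def parse_mbam_log(text):
    """Return one dict per detection: section, item, threat, action."""
    entries, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith("Infected:"):          # section header, e.g. "Files Infected:"
            section = line[:-1]
            continue
        m = ENTRY_RE.match(line)
        if m and section:
            # The action Malwarebytes took is always the last "->" step.
            action = m.group("result").rsplit(" -> ", 1)[-1]
            entries.append({"section": section, "item": m.group("item"),
                            "threat": m.group("threat"), "action": action})
    return entries


def threats_by_family(entries):
    """Count detections per threat family (Trojan.Agent, Adware.SmartAds, ...)."""
    return Counter(e["threat"] for e in entries)


def pending_on_reboot(entries):
    """Items marked 'Delete on reboot' are still on disk until a restart."""
    return [e["item"] for e in entries if e["action"].startswith("Delete on reboot")]


def misplaced_system_names(entries):
    """Flag files/processes with a core system name outside \\WINDOWS\\system32."""
    flagged = []
    for e in entries:
        if not e["section"].startswith(("Files", "Memory Processes")):
            continue
        p = PureWindowsPath(e["item"])
        parent = str(p.parent).lower()          # Windows paths are case-insensitive
        if p.name.lower() in SYSTEM32_ONLY and not parent.endswith("\\windows\\system32"):
            flagged.append((e["item"], e["threat"]))
    return flagged


if __name__ == "__main__":
    found = parse_mbam_log(SAMPLE_LOG)
    print("Detections by family:", dict(threats_by_family(found)))
    print("Still pending a reboot:", pending_on_reboot(found))
    for item, threat in misplaced_system_names(found):
        print(f"Masquerading system name: {item} [{threat}]")
```

Running it against the full log from the post gives the same picture: three files borrowing core process names in the wrong folders, two Trojan.Agent items waiting on a reboot, and everything else adware or policy hijacks. That is the reading a helper on the forum would do by eye; the script just makes the location check explicit.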
