
Malware and possibly a virus


  • This topic is locked
6 replies to this topic

#1 Orange Devil

Orange Devil

  • Members
  • 4 posts
  • OFFLINE
  • Local time:02:52 PM

Posted 27 July 2010 - 03:22 PM

Heya,

About a week ago my girlfriend's laptop suddenly got infected with a fraud I can't recall the exact name of but rather similar to Malware Doctor. After some attempts to remove it, her laptop started acting up worse and worse, but it was already rather old and had issues before (it is often used in a lab environment, so the hardware generally doesn't last all that long) and eventually broke down completely 2 days ago. Then yesterday, my desktop PC suddenly gets hit with a cocktail of malware as Malware Doctor and the other similar fraud I can't remember the name of pop up. After some searching around and scans from my AV (AVG Free), Spybot S&D and Malwarebytes' Anti-Malware, these frauds seem to have been removed. Unfortunately, since then I've had 2 types of problems in my browser (Firefox 3.5.11). The first is mainly when using Google searches: I'll click the link I get through the search and end up on a completely different website. These can be all kinds of sites, but most commonly it is what looks like the Ask Jeeves site with a search already filled out. The second is that, seemingly randomly, another browser window opens up on a seemingly random website. Lastly, during the AVG scan it found a number of infections it classifies as Trojans, including 1 in svchost that it was unable to remove or disinfect, as far as I could tell.

I'm really hoping you guys can help me because I am at a total loss as to what to do. Many thanks in advance.

Sorry, I accidentally clicked post before adding the logs; I've edited them in below. The GMER program took quite a long time to scan and still seemed nowhere near finished, and also took so much system resources as to prevent me from doing anything else with my PC. Unfortunately I require my PC at the moment, so I stopped the scan. I will scan again ASAP and include the logs.


DDS (Ver_10-03-17.01) - NTFSx86
Run by Merijn at 22:45:26,56 on di 27-07-2010
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_20
Microsoft Windows XP Home Edition 5.1.2600.3.1252.31.1043.18.3327.2388 [GMT 2:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
svchost.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Creative\Shared Files\CTAudSvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\Program Files\Creative\SB X-Fi MB\Volume Panel\VolPanlu.exe
C:\Program Files\InstallShield Installation Information\{3A94E148-9C8B-4FE9-99DD-93072F99BE20}\AMBSPISyncService.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
svchost.exe
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\DAEMON Tools Lite\DTLite.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\DT\Speedport W 102 Stick\UI.exe
C:\DOCUME~1\Merijn\LOCALS~1\Temp\Sound_Blaster_X-Fi_MB_Cleanup.0001
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\LogMeIn Hamachi\hamachi-2.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\Program Files\Java\jre6\bin\jqs.exe
c:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Tunngle\TnglCtrl.exe
C:\Program Files\AVG\AVG9\avgemc.exe
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Program Files\Common Files\Creative Labs Shared\Service\XMBLicensing.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\WINDOWS\system32\Rundll32.exe
"C:\WINDOWS\System32\svchost.exe"
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Skype\Toolbars\Shared\SkypeNames2.exe
C:\Documents and Settings\Merijn\Bureaublad\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.

Edited by Orange Devil, 27 July 2010 - 04:20 PM.




#2 Shannon2012

Shannon2012

  • Security Colleague
  • 3,657 posts
  • OFFLINE
  • Gender:Male
  • Location:North Carolina, USA
  • Local time:08:52 AM

Posted 05 August 2010 - 01:30 PM


Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

We also need a new log from the GMER anti-rootkit scanner. Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice

Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log


Shannon

#3 Orange Devil

Orange Devil
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  • Local time:02:52 PM

Posted 06 August 2010 - 01:09 PM

I initially got hit by malware doctor and a similar fraud, scanned with malwarebytes, spyware search and destroy and AVG antivirus. Since then I got no more popups from those malware programs, but I did start getting SVChost errors pretty much every time I booted up my PC, as well as redirects to malicious websites when using google search, as well as randomly an extra tab opening in firefox bringing me to the same sorts of websites. Also upon shutting down and booting up, I occasionally encountered blue screens. The above scans couldn't get rid of any of these problems.

I started running the DDS scan and then the GMER scan as soon as I saw your reply to this thread, making sure to carefully follow all your directions. The GMER scan was running for 20 hours until I got a blue screen with the following error: DRIVER_IRQ_NOT_LESS_OR_EQUAL. I tried to reboot my PC, but it hangs on a black screen right as windows (XP, Dutch version) is supposed to boot up. Normally if I want to turn off my PC I have to keep the button to turn it off pressed for several seconds, on this screen however, it shuts down almost right away when I press it. It doesn't give me any error messages or any other indication that anything is wrong, but windows isn't booting up currently. Because of this I also can't post the DDS logs, and I'm pretty sure the 20 hours of scanning with GMER didn't result in any logs...

Please help

#4 Orange Devil

Orange Devil
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  • Local time:02:52 PM

Posted 06 August 2010 - 02:04 PM

I know bumping is probably frowned upon here, but I really need my PC. Before this at least I could use it, although with a lot of problems, but right now I'm really desperate and have no idea what to do. I'd probably be reinstalling Windows right now if my CD wasn't in a different country.

#5 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 11,173 posts
  • OFFLINE
  • Gender:Male
  • Location:Puerto Rico
  • Local time:08:52 AM

Posted 06 August 2010 - 09:43 PM

Hi, Orange Devil

Let's give this a try through an External Environment, which simply means you will need to burn a boot CD with special tools. You will also need a flash drive to move information from the troubled computer to a working computer. It is the only way we can see the progress of our actions. Save these instructions on your flash drive as a text file (use Notepad) so you can have access to these while in an external environment (PE).

Here is what you need to do.

Please print this guide for future reference!

Step 1
  1. Download the PE Builder to your desktop
    • Double-Click on the PE Builder that you just downloaded to your desktop.
    • Follow all of the instructions/prompts that come up.
  2. Insert your XP CD with SP1/SP2/SP3 into a CD Rom drive
    • Double-Click on PE Builder.exe located on your desktop.
    • Click NO to Search for Windows Installation Files
    • Make the following selections from the Main Screen that pops up:
      • Builder
        • Source:(path to Windows installation files)
        • Enter the path to the drive where your XP CD is located.
        • You can click on the "..." button on the right to navigate to the path as well.
        • Custom: (include files and folders from this directory)
        • No information is necessary, leave blank.
        • Output:
        • Keep the default
        • Media output
          • Choose Create ISO image
          • Do not choose Burn to CD/DVD
            • Download the RunScanner plugin and save it to your desktop
            • Press the Plugin button on the PE Builder interface
            • Press the Add button and navigate to the location of the RunScanner plugin to install
            • Please note: You will be prompted for the folder that it shall be saved. By default it appears as runscanner10025. It should be modified to just runscanner. This is important!!!
          • Please note: If you are using a Windows XP disc with sp2 then highlight RpsSS needs to launch DComLaunch and then press Enable
          • When you're done press Close and the PE Builder interface will re-appear
    • Click on the "Build" button
      • You will see the Windows EULA message. Click on I Agree
      • You will now see the Build Screen. Let it run its course
      • When the Build is finished you can click close, then exit
    • Burn your ISO file to CD
      • Please Click Here for information on how to burn an ISO to CD.

Step 2

From your clean computer, please download OTLPE.zip from any of the following links:

Link 1
Link 2

Save this file on your desktop, but extract its contents to the Flash Drive.

Plug your flash drive into your sick computer now and do as instructed below.

1. Restart Your sick Computer Using the PE Builder ISO CD That You Have Created
• Insert the CD in the CD/DVD drive.
• Restart your computer.
  • The computer should choose to boot from the CD automatically.
    Note : For information click here
• Once the desktop appears, you will receive a message asking: Do you want to start Network support?
  • Click on No
• After BART PE loads, you can choose the screen resolution that fits your monitor by following these steps:
• Click on Go
• Then on System
• Then on Display
• Then on Screen Resolution
• Select the resolution that fits your monitor.
Then follow these steps to run OTLPE.
• Click on Go
• Select Programs
• then A43 File Management Utility
In A43 File Management you should be able to see your flash drive
• Navigate to the OTLPE folder that you saved to your flash drive.
• Open the OTLPE folder and double click Start.cmd.
• When asked "Do you wish to load remote user profile(s) for scanning", select Yes
• Ensure the box "Automatically Load All Remaining Users" is checked and press OK
• OTL should now start. Change the following settings
  • Change Drivers to All
  • Change Standard Registry to All
  • Under the Custom Scan box paste this in

    /md5start
    UXTHEME.DLL
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    eNetHook.dll
    ahcix86.sys
    KR10N.sys
    nvstor32.sys
    ahcix86s.sys
    nvrd32.sys
    userinit.exe
    explorer.exe
    ntoskrnl.exe
    /md5stop
    %SYSTEMDRIVE%\*.*
    %systemroot%\*. /mp /s
    %systemroot%\System32\config\*.sav
• Press Run Scan to start the scan.
• When finished, the file will be saved in drive C:\OTL.txt
• Copy this file to your USB drive.
• Please post the contents of the C:\OTL.txt file in your reply.

No request for help through private messaging will be attended.

If I have helped you, consider making a donation to help me continue the fight against Malware!
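The /md5start ... /md5stop block in the custom scan above asks OTL to hash a fixed list of boot-critical drivers and system binaries, because a copy that has been patched in place (the persistence trick the redirect-and-BSOD symptoms in this thread are typical of) no longer matches the hash of the clean file. The script below is an added example, not code from this thread or from the OTL tool, that shows the same baseline-and-compare idea in Python: hash the watched files on a known-clean system, then re-hash and report anything modified or missing. The file list is a subset of the one above; the directory, file contents and the tampering in `demo()` are constructed for the demonstration, and the default algorithm is SHA-256 (pass `"md5"` to match OTL's output format).

```python
"""Baseline hash check for critical system files (added example).

Mirrors what OTL's /md5start ... /md5stop custom-scan block does: hash a
fixed list of files so a patched or replaced copy shows up as a mismatch
against a baseline taken from a clean system or from install media.
"""
import hashlib
import os
import tempfile

# Subset of the file names from the thread's custom scan; the directory
# they live in is supplied by the caller (e.g. C:\WINDOWS\system32).
WATCHED_FILES = ["atapi.sys", "iaStor.sys", "userinit.exe",
                 "explorer.exe", "ntoskrnl.exe"]


def hash_file(path, algorithm="sha256"):
    """Stream the file through hashlib so large binaries don't load into RAM."""
    digest = hashlib.new(algorithm)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root, names, algorithm="sha256"):
    """Record {name: hash} for the watched files found under root.

    Run this on a machine you trust (or against the files on install
    media); it is the reference the later check compares against.
    """
    baseline = {}
    for name in names:
        path = os.path.join(root, name)
        if os.path.isfile(path):
            baseline[name] = hash_file(path, algorithm)
    return baseline


def check_against_baseline(root, baseline, algorithm="sha256"):
    """Return {name: 'ok' | 'MODIFIED' | 'MISSING'} for every baseline entry."""
    report = {}
    for name, expected in baseline.items():
        path = os.path.join(root, name)
        if not os.path.isfile(path):
            report[name] = "MISSING"
        elif hash_file(path, algorithm) != expected:
            report[name] = "MODIFIED"
        else:
            report[name] = "ok"
    return report


def demo():
    """Constructed scenario: take a clean baseline, then tamper with two files."""
    with tempfile.TemporaryDirectory() as root:
        # Constructed stand-ins for the real system files.
        for name in WATCHED_FILES:
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(b"original contents of " + name.encode())
        baseline = build_baseline(root, WATCHED_FILES)

        # Simulate tampering: one driver is altered, one is deleted.
        with open(os.path.join(root, "atapi.sys"), "ab") as fh:
            fh.write(b" extra bytes appended")
        os.remove(os.path.join(root, "iaStor.sys"))

        return check_against_baseline(root, baseline)


if __name__ == "__main__":
    for name, status in sorted(demo().items()):
        print(f"{status:9s} {name}")
```

In practice the baseline is taken once from a clean install and stored off the machine (OTL instead prints the hashes for a helper to compare by eye against known-good values); the scan itself is then run from an external environment such as the BartPE disc described above, so a kernel-mode rootkit on the infected system cannot hide the patched file from the reader.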


#6 Orange Devil

Orange Devil
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  • Local time:02:52 PM

Posted 07 August 2010 - 08:44 AM

Hey, thanks for the reply, but I've just dropped my PC off at a repair shop for a hardware check and fixing and cleaning it.

#7 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 11,173 posts
  • OFFLINE
  • Gender:Male
  • Location:Puerto Rico
  • Local time:08:52 AM

Posted 07 August 2010 - 02:15 PM

Very well. Thanks for the feedback.

Since this issue appears to be resolved ... this Topic has been closed. Glad we could help.

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.

No request for help through private messaging will be attended.

If I have helped you, consider making a donation to help me continue the fight against Malware!




