
Virus With An Attitude


9 replies to this topic

#1 infinity2206

Posted 18 January 2006 - 11:05 AM

Help please! There has to be a way to fix this machine without wiping it. Suddenly on Sunday a blue screen appeared on my desktop stating that I have a virus, and in my system tray little red boxes appeared, kind of looking like mines, popping up sporadically stating I have a virus. My task manager was disabled, my DVD drive and CDRW have been disabled, and the PC does not recognize my jump drive. If I try and run Adaware it starts and then it is killed in midstream... further, upon locating the part of the virus in the registry, it shuts down the registry so I can't delete... along with that it sits pretty in Windows\system32 and won't let me delete it there... Help, I put HijackThis on a floppy and was able to get a log of the blimin rubbish, but I have no idea what to delete and where to go from here... I have attempted going in 'Safe Mode' and that is how I reactivated my task manager, but even when deleted in safe mode... it comes back when I reboot... Help



Mod Edit: Closed tags. ~tg~

Edited by tg1911, 18 January 2006 - 12:43 PM.



#2 -David-

Posted 18 January 2006 - 12:29 PM

Hi There

I have read your post and I think it would be wise for you to post a HijackThis log for an expert to review. I bet you are wondering what HijackThis is. Well, it's a program that is simply able to show others what's going on inside your computer, in terms of infection, etc.

I recommend you follow the HijackThis preparation guide which can be found here. It is important that you follow the guide closely. A number of scans will be run which may well fix your problem.

As the guide says, after you have completed the scans that are recommended, please post your "HijackThis" log in a new topic in the forum found here. Please add your system information and also what problems you are having. Please wait for a few days and one of our experts will get onto fixing your computer for you.

Please be aware that this new year we have been swamped so it may take a week for a reply.

David

#3 infinity2206

Posted 19 January 2006 - 10:56 AM

I have used HijackThis, and I shall post a log if I can just figure out how to get it to you. I have completely taken this PC offline. I put cleanup.exe on a floppy and as it copied over to the desktop the virus killed it at 5%. I tried putting SmitRem on via a floppy, same thing... it won't let me use a disk or a jump drive... the only thing I can think of is to boot into safe mode with the command prompt and try and copy the data from the floppy to the desktop... glitch is I am weak when it comes to DOS syntax.

Is it safe to connect it to the Internet? I can't see it letting me download any of the files that I have come across as a fix to this mess. The PC has Adaware on it, but it does not locate the bloody thing. I have seen it in System32... but can't delete. If I opened my email on that PC wouldn't it infect my email, or worse yet have more access to passwords and such... Help, this has really stumped me... But I shan't give in!

#4 -David-

Posted 19 January 2006 - 12:26 PM

All these issues are to do with security, which I cannot really help you on. If you post a log in the forums an expert will be able to help.

I don't think it would be too awful if you connect to the internet, in my opinion. Unless you have a keylogger or something like that, there is little that can be done. Do you have lots of important data that you need, as I was thinking about a possible reformat with all the problems going on. I think you should be safe to download the programs...

Do you have a firewall or AntiVirus?

David

#5 usasma

Posted 19 January 2006 - 04:14 PM

Just a suggestion to help protect you.

Download a software firewall (here's a link to the free one that I use: http://www.majorgeeks.com/download.php?det=3356 ). Please be advised that this firewall is no longer supported by the manufacturer (but that shouldn't be a problem for the use that we'll put it to).

Then, install it on your system and make sure that it loads when Windows starts. Then, go to the Security Center in your Control Panel and disable the Windows Firewall (it will conflict with the other firewall).

Then, when you hook up to the internet, don't allow anything to exit your computer. The firewall program will pop up and ask you about each program that tries to get out (and also those coming in). Usually it's called "Block" or "Deny". DO NOT check the box for always performing this action - you want it to ask you each and every time.

Then, send the report (and tell the firewall to allow it) and then shut down and reboot. This may take several tries to get the right combination on the firewall - but it'll ensure that you're safe, and the information will be able to get out.

Meanwhile, it's a good idea to keep it off the internet.

FWIW - the DOS syntax is fairly simple for a copy. It's just copy followed by a space, then the exact path to the file you're copying, then another space, and the exact path of where it should be copied to (including the file name that you want it to have).

For example:

"copy C:\Documents and Settings\FUBAR\Desktop\HJT.log F:\HJT2.log"

This will copy the file "HJT.log" on my Desktop to my jump drive (F: drive) with the filename of "HJT2.log".

- John

#6 infinity2206

Posted 19 January 2006 - 06:05 PM

This is my HijackThis log... desperate and running out of time.

Logfile of HijackThis v1.99.1
Scan saved at 4:48:08 PM, on 01/19/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\mummsies\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [HPHmon03] C:\WINDOWS\System32\hphmon03.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb10.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Ad-aware] "C:\Program Files\Lavasoft\Ad-aware 6\Ad-aware.exe" +c
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr__.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [msxct] msxct.exe
O4 - HKLM\..\Run: [tk48ksgv] C:\WINDOWS\System32\tk48ksgv.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Documents and Settings\mummsies\Desktop\New Folder\iTunesHelper.exe"
O4 - HKLM\..\Run: [System] C:\WINDOWS\System32\kernels64.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [HijackThis startup scan] C:\Documents and Settings\mummsies\Desktop\HijackThis.exe /startupscan
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: VAIO Action Setup (Server).lnk = ?
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1122217538103
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1136745462637
O20 - Winlogon Notify: browsela - C:\WINDOWS\system32\browsela.dll
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Roxio Inc. - C:\WINDOWS\System32\ImapiRox.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iTunes\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver - HP - C:\WINDOWS\System32\HPHipm09.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - Unknown owner - C:\Program Files\Spyware Doctor\sdhelp.exe (file missing)
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe
O23 - Service: VAIO Media Music Server (Application) (VAIOMediaPlatform-MusicServer-AppServer) - Unknown owner - C:\Program Files\Sony\VAIO Media Music Server\SSSvr.exe" /Service=VAIOMediaPlatform-MusicServer-AppServer /DisplayName="VAIO Media Music Server (Application) (file missing)
O23 - Service: VAIO Media Music Server (HTTP) (VAIOMediaPlatform-MusicServer-HTTP) - Unknown owner - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\sv_httpd.exe" /Service=VAIOMediaPlatform-MusicServer-HTTP /RegRoot="Software\Sony Corporation\VAIO Media Platform\2.0" /RegExt="Applications\MusicServer\HTTP (file missing)
O23 - Service: VAIO Media Music Server (UPnP) (VAIOMediaPlatform-MusicServer-UPnP) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
O23 - Service: VAIO Media Photo Server (Application) (VAIOMediaPlatform-PhotoServer-AppServer) - Unknown owner - C:\Program Files\Sony\Photo Server 20\appsrv\PicAppSrv.exe
O23 - Service: VAIO Media Photo Server (HTTP) (VAIOMediaPlatform-PhotoServer-HTTP) - Unknown owner - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\SV_Httpd.exe" /Service=VAIOMediaPlatform-PhotoServer-HTTP /RegRoot="Software\Sony Corporation\VAIO Media Platform\2.0" /RegExt="\Applications\PhotoServer\HTTP (file missing)
O23 - Service: VAIO Media Photo Server (UPnP) (VAIOMediaPlatform-PhotoServer-UPnP) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
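For readers who want to see what the experts look for in a log like the one above, here is an added example (not part of the original thread or of HijackThis itself) that parses O4, O20 and O23 lines and applies a few defender heuristics: Run values with no directory, OS-sounding Run value names in System32, random-looking System32 filenames, Winlogon Notify DLLs, and services whose binary is missing. The sample lines are copied from the log posted above; the severity labels and the GENERIC_NAMES list are my own assumptions, not a signature database.

```python
import re

# Constructed sample: a subset of the HijackThis lines posted in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [HPHmon03] C:\WINDOWS\System32\hphmon03.exe
O4 - HKLM\..\Run: [msxct] msxct.exe
O4 - HKLM\..\Run: [tk48ksgv] C:\WINDOWS\System32\tk48ksgv.exe
O4 - HKLM\..\Run: [System] C:\WINDOWS\System32\kernels64.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O20 - Winlogon Notify: browsela - C:\WINDOWS\system32\browsela.dll
O23 - Service: PC Tools Spyware Doctor (SDhelper) - Unknown owner - C:\Program Files\Spyware Doctor\sdhelp.exe (file missing)
"""

O4_RE = re.compile(r"^O4 - (HK\w+)\\\.\.\\Run: \[([^\]]+)\] (.+)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (\S+) - (.+)$")
# Run-value names that impersonate OS components (assumed heuristic list)
GENERIC_NAMES = {"system", "windows", "microsoft", "svchost", "explorer"}


def exe_path(command):
    """Executable part of a Run command: the quoted path, or the first token."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:].split('"', 1)[0]
    return command.split()[0]


def triage(log_text):
    """Return (severity, reason, line) for HijackThis lines worth a second look."""
    findings = []
    for line in log_text.splitlines():
        m = O4_RE.match(line)
        if m:
            name, command = m.group(2), m.group(3)
            path = exe_path(command)
            stem = path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
            if "\\" not in path:  # bare filename: resolved via PATH search, easy to hide
                findings.append(("high", "Run value with no directory: " + path, line))
            elif "system32" in path.lower():
                if name.lower() in GENERIC_NAMES:
                    findings.append(("high", "OS-sounding Run value name in System32: " + name, line))
                elif re.search(r"[a-z]\d+[a-z]", stem.lower()):  # digits embedded between letters
                    findings.append(("medium", "random-looking System32 filename: " + stem, line))
            continue
        m = O20_RE.match(line)
        if m:  # Notify DLLs load into winlogon.exe at every logon; verify the publisher
            findings.append(("high", "Winlogon Notify DLL: " + m.group(2), line))
        elif line.startswith("O23 - ") and line.endswith("(file missing)"):
            findings.append(("low", "service points at a missing binary", line))
    return findings
```

Run against the sample, it flags msxct.exe, tk48ksgv.exe, kernels64.exe, browsela.dll and the missing sdhelp.exe, while leaving the HP monitor and the KernelFaultCheck entry alone.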

#7 -David-

Posted 20 January 2006 - 07:10 AM

You have posted in the wrong place. Please read the preparation guide again and follow the instructions!
http://www.bleepingcomputer.com/forums/t/34773/preparation-guide-for-use-before-using-malware-removal-tools-and-requesting-help/
David

#8 infinity2206

Posted 20 January 2006 - 11:43 AM

Oops, I most certainly will attempt this the correct way.

To bring you guys up to date... I connected the infected system to the Internet and downloaded CleanUp.exe in safe mode. That was the only way I could download it. I also ran it in safe mode. Upon rebooting the PC starts OK, runs for about two minutes, then it automatically restarts. I can only get it to run in Safe Mode... obviously something serious got deleted...

#9 -David-

Posted 21 January 2006 - 10:40 AM

Hi infinity2206

If you get into a serious pickle and have continuous problems, then post back here and we can think of ways to solve your non-malware problems.

Try and post the log in the appropriate place though.

David

#10 infinity2206

Posted 21 January 2006 - 03:50 PM

Well, at this point it's gone from bad to bloody worse... I followed the directions that were given to another chap. Downloaded SmitRem, Ewido, HijackThis, and Panda scan...

One, I was already in safe mode w/networking because now that is the only way this Sony Vaio w/ XP Home Edition will boot. It tries to boot normal, gets as far as sometimes loading the desktop icons and then crashes and automatically restarts.

While in safe mode I adhered to the instructions. Followed each step; when I ran HijackThis again... there were maybe about 5 files there... and one that was very evident of being a blimin pest: winlogon notify browsela.dll

Now I saw the Ewido scan pick that bloody thing up along with 95 other b.s. items on this PC, but each time I run HijackThis there it is again... it is repetitious, running each program and seeing it being deleted only to see it there again. But now my dilemma is this safe boot. I shall reiterate: my PC can't run normal... Please, please help... I stayed up till 2:30 am trying everything that I could think of to no avail... I even ran Ewido on two of my other PCs; it found nothing on one and 3 cookies it didn't like on another... so great, I shall buy the blimin program. But my main focus is the Sony. I have CBTs, pictures from 2 years, study material for my MCSA... I can't lose this stuff...

Most certainly would appreciate your assistance here. I have only had one other virus and that was not a challenge compared to this... Help!

Oh, one more thing: when I try and connect to Microsoft for an update, for it is very much needed... it tells me something happened to the page, can't be located. Yeah right!... something is still very much on that PC... thanks guys/David

Edited by infinity2206, 21 January 2006 - 04:03 PM.
