I can't remove this virus!

3 replies to this topic

#1 Jarv (Members, 8 posts)

Posted 07 October 2011 - 05:10 PM

Hi

I have a virus on my laptop that I cannot seem to find any way of removing. I'll try to keep this as short as possible, so to start from the beginning:

I last used my laptop a couple of days ago and it was running fine and seemed perfectly normal. I then turned it on today and once the desktop had loaded up I was greeted with an AVG window popping up telling me that I had loads of trojans and some other viruses. I ran Hitman Pro (I had it installed after having one of those fake virus pop-up window viruses before) and it picked up on a lot of trojans and a couple of other things with the file names lexcrbxa.exe, mrxsmb and ati2evxx.exe. I removed all of these with Hitman and then rebooted.

Once back in I tried to run Malwarebytes but it wouldn't let me. Instead I had two windows popping up with the messages MBAM_ERROR_EXPANDING_VARIABLES (0,453) and MBAM_ERROR_MISSING_FILE (3,0 mbamswissarmy.sys), in that order. I have tried to run rkill but nothing happened, and when trying to run Malwarebytes again I get the same messages. Hitman Pro has also disappeared from my desktop.

The laptop still lets me go on the internet and normal search results appear when I search for something on Google. The only problem is when I click on a search result I am redirected to some cheap/fake-looking comparison sites etc. Also, in general the laptop freezes often. It is like I can get to the desktop and see all of my icons but it is then almost like a 'dead' computer.

Does anyone have any ideas on this, or can anyone help me to solve the problem? I'm OK with computers but not great, so if you could keep any advice as basic as possible I would be most grateful.

Thanks in advance for any help.

Jarvis

#2 Broni (BC Advisor, 42,716 posts, Daly City, CA)

Posted 07 October 2011 - 07:27 PM

Download Security Check from HERE, and save it to your Desktop.

* Double-click SecurityCheck.exe
* Follow the onscreen instructions inside of the black box.
* A Notepad document should open automatically called checkup.txt; please post the contents of that document.

=============================================================================

Please download MiniToolBox and run it.

Checkmark following boxes:
  • Report IE Proxy Settings
  • Report FF Proxy Settings
  • List content of Hosts
  • List IP configuration
  • List last 10 Event Viewer log
  • List Installed Programs
  • List Users, Partitions and Memory size
Click Go and post the result.

=============================================================================

Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.
  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and be sure to re-enable your anti-virus, Firewall and any other security programs you had disabled.

IMPORTANT! If for some reason GMER refuses to run, try again.
If it still fails, try to UN-check "Devices" in right pane.
If still no joy, try to run it from Safe Mode.


#3 Jarv (Topic Starter, Members, 8 posts)

Posted 08 October 2011 - 04:31 AM

Hi

Thanks for the reply. I have downloaded all three of these and run each of them; the results are as follows:

1) Security Check was run, and during this I received an error message saying: netsh.exe - The procedure entry point MigrateWinsockConfiguration could not be located in the dynamic library mswsock.dll. The Notepad results are as follows:

Results of screen317's Security Check version 0.99.7
Windows XP Service Pack 2
Out of date service pack!!
Internet Explorer 7 Out of date!
``````````````````````````````
Antivirus/Firewall Check:

Windows Firewall Enabled!
AVG Free 9.0
McAfee Security Scan Plus
```````````````````````````````
Anti-malware/Other Utilities Check:

Malwarebytes' Anti-Malware
Adobe Flash Player
Adobe Reader 6.0.1
Out of date Adobe Reader installed!
````````````````````````````````
Process Check:
objlist.exe by Laurent

AVG avgwdsvc.exe
AVG avgnsx.exe
``````````End of Log````````````

2) MiniToolBox - I ran this and received the same error message as above, and also an error message called nslookup.exe - The ordinal 1108 could not be located in the dynamic library wsock32.dll. The Notepad results of the scan are as follows:

MiniToolBox by Farbar
Ran by Jarv (administrator) on 08-10-2011 at 10:10:01
Microsoft Windows XP Service Pack 2 (X86)

***************************************************************************

========================= IE Proxy Settings: ==============================

Proxy is not enabled.
No Proxy Server is set.
========================= Hosts content: =================================

127.0.0.1 localhost

========================= IP Configuration: ================================
The following helper DLL cannot be loaded: IFMON.DLL.
The following command was not found: int ip dump.

Windows IP Configuration

Host Name . . . . . . . . . . . . : Jarvis
Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Broadcast
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No

Ethernet adapter Local Area Connection:

Media State . . . . . . . . . . . : Media disconnected
Description . . . . . . . . . . . : Intel® PRO/100 VE Network Connection
Physical Address. . . . . . . . . : 00-40-D0-9E-2B-23

Ethernet adapter Wireless Network Connection:

Media State . . . . . . . . . . . : Media disconnected
Description . . . . . . . . . . . : Intel® PRO/Wireless 3945ABG Network Connection #2
Physical Address. . . . . . . . . : 00-18-DE-7C-D4-B3

Ping request could not find host google.com. Please check the name and try again.
Ping request could not find host yahoo.com. Please check the name and try again.

Pinging 127.0.0.1 with 32 bytes of data:

Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128

Ping statistics for 127.0.0.1:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms
===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x2 ...00 40 d0 9e 2b 23 ...... Intel® PRO/100 VE Network Connection - Packet Scheduler Miniport
0x3 ...00 18 de 7c d4 b3 ...... Intel® PRO/Wireless 3945ABG Network Connection #2 - Packet Scheduler Miniport
===========================================================================
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
255.255.255.255 255.255.255.255 255.255.255.255 2 1
255.255.255.255 255.255.255.255 255.255.255.255 3 1
===========================================================================
Persistent Routes:
None

========================= Event log errors: ===============================

Application errors:
==================
Error: (10/08/2011 10:03:42 AM) (Source: Application Error) (User: )
Description: Faulting application explorer.exe, version 6.0.2900.2647, faulting module unknown, version 0.0.0.0, fault address 0x73e7056c.
Processing media-specific event for [explorer.exe!ws!]

Error: (10/07/2011 10:01:12 PM) (Source: Application Error) (User: )
Description: Faulting application explorer.exe, version 6.0.2900.2647, faulting module unknown, version 0.0.0.0, fault address 0x73e7056c.
Processing media-specific event for [explorer.exe!ws!]

Error: (10/07/2011 07:38:43 PM) (Source: Application Error) (User: )
Description: Faulting application explorer.exe, version 6.0.2900.2647, faulting module unknown, version 0.0.0.0, fault address 0x73e7056c.
Processing media-specific event for [explorer.exe!ws!]

Error: (10/07/2011 07:38:32 PM) (Source: Application Error) (User: )
Description: Faulting application tomtomhome.exe, version 1.3.308.0, faulting module ntdll.dll, version 5.1.2600.3520, fault address 0x0001ab0a.
Processing media-specific event for [tomtomhome.exe!ws!]

Error: (10/07/2011 07:17:19 PM) (Source: Application Error) (User: )
Description: Faulting application explorer.exe, version 6.0.2900.2647, faulting module unknown, version 0.0.0.0, fault address 0x73e7056c.
Processing media-specific event for [explorer.exe!ws!]

Error: (10/07/2011 06:54:56 PM) (Source: Application Hang) (User: )
Description: Hanging application , version 0.0.0.0, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Error: (10/07/2011 06:43:05 PM) (Source: Application Error) (User: )
Description: Faulting application explorer.exe, version 6.0.2900.2647, faulting module unknown, version 0.0.0.0, fault address 0x73e7056c.
Processing media-specific event for [explorer.exe!ws!]

Error: (10/07/2011 04:00:32 PM) (Source: Application Error) (User: )
Description: Faulting application explorer.exe, version 6.0.2900.2647, faulting module unknown, version 0.0.0.0, fault address 0x73e7056c.
Processing media-specific event for [explorer.exe!ws!]

Error: (10/07/2011 03:50:22 PM) (Source: Application Error) (User: )
Description: Faulting application drwtsn32.exe, version 5.1.2600.0, faulting module dbghelp.dll, version 5.1.2600.2180, fault address 0x0001295d.
Processing media-specific event for [drwtsn32.exe!ws!]

Error: (10/07/2011 03:50:18 PM) (Source: Application Error) (User: )
Description: Faulting application explorer.exe, version 6.0.2900.2647, faulting module unknown, version 0.0.0.0, fault address 0x73e7056c.
Processing media-specific event for [explorer.exe!ws!]


System errors:
=============
Error: (10/08/2011 10:10:15 AM) (Source: Service Control Manager) (User: )
Description: The Network Location Awareness (NLA) service terminated with the following error:
%%127

Error: (10/08/2011 10:09:15 AM) (Source: Service Control Manager) (User: )
Description: The Network Location Awareness (NLA) service terminated with the following error:
%%127

Error: (10/08/2011 10:08:47 AM) (Source: Service Control Manager) (User: )
Description: The Network Location Awareness (NLA) service terminated with the following error:
%%127

Error: (10/08/2011 10:08:06 AM) (Source: Service Control Manager) (User: )
Description: The Network Location Awareness (NLA) service terminated with the following error:
%%127

Error: (10/08/2011 10:08:03 AM) (Source: Service Control Manager) (User: )
Description: The Network Location Awareness (NLA) service terminated with the following error:
%%127

Error: (10/08/2011 10:07:37 AM) (Source: Service Control Manager) (User: )
Description: The Network Location Awareness (NLA) service terminated with the following error:
%%127

Error: (10/08/2011 10:07:19 AM) (Source: Service Control Manager) (User: )
Description: The Network Location Awareness (NLA) service terminated with the following error:
%%127

Error: (10/08/2011 10:05:31 AM) (Source: Service Control Manager) (User: )
Description: The Network Location Awareness (NLA) service terminated with the following error:
%%127

Error: (10/08/2011 10:05:19 AM) (Source: Service Control Manager) (User: )
Description: The Network Location Awareness (NLA) service terminated with the following error:
%%127

Error: (10/08/2011 10:05:15 AM) (Source: Service Control Manager) (User: )
Description: The Network Location Awareness (NLA) service terminated with the following error:
%%127


Microsoft Office Sessions:
=========================
Error: (10/08/2011 10:03:42 AM) (Source: Application Error)(User: )
Description: explorer.exe6.0.2900.2647unknown0.0.0.073e7056c

Error: (10/07/2011 10:01:12 PM) (Source: Application Error)(User: )
Description: explorer.exe6.0.2900.2647unknown0.0.0.073e7056c

Error: (10/07/2011 07:38:43 PM) (Source: Application Error)(User: )
Description: explorer.exe6.0.2900.2647unknown0.0.0.073e7056c

Error: (10/07/2011 07:38:32 PM) (Source: Application Error)(User: )
Description: tomtomhome.exe1.3.308.0ntdll.dll5.1.2600.35200001ab0a

Error: (10/07/2011 07:17:19 PM) (Source: Application Error)(User: )
Description: explorer.exe6.0.2900.2647unknown0.0.0.073e7056c

Error: (10/07/2011 06:54:56 PM) (Source: Application Hang)(User: )
Description: 0.0.0.0hungapp0.0.0.000000000

Error: (10/07/2011 06:43:05 PM) (Source: Application Error)(User: )
Description: explorer.exe6.0.2900.2647unknown0.0.0.073e7056c

Error: (10/07/2011 04:00:32 PM) (Source: Application Error)(User: )
Description: explorer.exe6.0.2900.2647unknown0.0.0.073e7056c

Error: (10/07/2011 03:50:22 PM) (Source: Application Error)(User: )
Description: drwtsn32.exe5.1.2600.0dbghelp.dll5.1.2600.21800001295d

Error: (10/07/2011 03:50:18 PM) (Source: Application Error)(User: )
Description: explorer.exe6.0.2900.2647unknown0.0.0.073e7056c


=========================== Installed Programs ============================

Adobe Flash Player 10 ActiveX (Version: 10.1.82.76)
Adobe Reader 6.0.1 (Version: 006.000.001)
Adobe Shockwave Player (Version: 10.1.4.20)
Apple Application Support (Version: 1.4.1)
Apple Mobile Device Support (Version: 3.3.0.69)
ATI - Software Uninstall Utility (Version: 6.14.10.1014)
ATI Display Driver (Version: 8.223-060207a3-031219C)
ATI Parental Control & Encoder (Version: 3.0)
AVG Free 9.0
Azureus (Version: 2.5.0.2)
Bonjour (Version: 2.0.4.0)
CIR Device Driver
Compatibility Pack for the 2007 Office system (Version: 12.0.6514.5001)
Google Chrome (Version: 14.0.835.202)
Google Toolbar for Internet Explorer
Google Update Helper (Version: 1.3.21.69)
High Definition Audio Driver Package - KB888111 (Version: 20040219.000000)
Hitman Pro 3.5 (Version: 3.5.9.130)
HP Deskjet 1050 J410 series Basic Device Software (Version: 22.50.231.0)
HP Deskjet 1050 J410 series Help (Version: 140.0.66.66)
Intel® PRO Network Connections Drivers
Intel® PROSet/Wireless Software (Version: 10.01.0000)
J2SE Runtime Environment 5.0 Update 6 (Version: 1.5.0.60)
J2SE Runtime Environment 5.0 Update 8 (Version: 1.5.0.80)
LimeWire 4.12.6 (Version: 4.12.6)
LS_HSI (Version: 1.0.22.1)
Malwarebytes' Anti-Malware
McAfee Security Scan Plus (Version: 2.0.181.2)
mCore (Version: 5.40.0000)
mDriver (Version: 5.40.0000)
mDrWiFi (Version: 5.40.0000)
mEoU (Version: 5.40.0000)
mHelp (Version: 5.40.0000)
Microsoft .NET Framework 1.1 (Version: 1.1.4322)
Microsoft .NET Framework 1.1 Security Update (KB979906)
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office Word Viewer 2003 (Version: 11.0.8173.0)
Microsoft Visual C++ 2005 Redistributable (Version: 8.0.59193)
Microsoft Word 97
Microsoft Works (Version: 08.05.0818)
Microsoft Works 4.5
Microsoft Works Setup Launcher
mIWA (Version: 5.40.0000)
mLogView (Version: 5.40.0000)
mMHouse (Version: 5.40.0000)
mPfMgr (Version: 5.40.0000)
mPfWiz (Version: 5.40.0000)
mProSafe (Version: 9.00.0000)
MSXML 4.0 SP2 (KB954430) (Version: 4.20.9870.0)
MSXML 4.0 SP2 (KB973688) (Version: 4.20.9876.0)
mWlsSafe (Version: 9.00.0000)
mXML (Version: 5.40.0000)
mZConfig (Version: 5.40.0000)
O2Micro Flash Memory Card Windows Driver V2.00 (Version: 2.00)
PhotoPad Image Editor
PhotoStage Slideshow Producer
QuickTime (Version: 7.69.80.9)
Realtek High Definition Audio Driver (Version: 2.03)
Roxio CinePlayer (Version: 2.2.0)
Soft Modem with SmartCP
SopCast 1.1.1 (Version: 1.1.1)
Synaptics Pointing Device Driver (Version: 8.2.9.0)
TomTom HOME (Version: 1.3.308)
Veetle TV 0.9.18 (Version: 0.9.18)
WebFldrs XP (Version: 9.50.7523)
Winamp (remove only)
Windows Genuine Advantage Notifications (KB905474) (Version: 1.7.0018.5)
Windows Installer 3.1 (KB893803) (Version: 3.1)
Windows Internet Explorer 7 (Version: 20061107.210142)
Windows Live Messenger (Version: 8.0.0812.00)
Windows Media Format Runtime
Windows XP Hotfix - KB834707 (Version: 20040929.110854)
Windows XP Hotfix - KB867282 (Version: 20050127.090417)
Windows XP Hotfix - KB873333 (Version: 20050114.005213)
Windows XP Hotfix - KB873339 (Version: 20041117.092459)
Windows XP Hotfix - KB885250 (Version: 20050118.202711)
Windows XP Hotfix - KB885835 (Version: 20041027.181713)
Windows XP Hotfix - KB885836 (Version: 20041028.173203)
Windows XP Hotfix - KB886185 (Version: 20041021.090540)
Windows XP Hotfix - KB887472 (Version: 20041014.162858)
Windows XP Hotfix - KB888113 (Version: 20041116.131036)
Windows XP Hotfix - KB888302 (Version: 20041207.111426)
Windows XP Hotfix - KB890047 (Version: 20041221.124506)
Windows XP Hotfix - KB890859 (Version: 1)
Windows XP Hotfix - KB891781 (Version: 20050110.165439)
Windows XP Hotfix - KB893056 (Version: 20050126.164313)
Windows XP Hotfix - KB894194 (Version: 20050204.184436)

========================= Memory info: ===================================

Percentage of memory in use: 52%
Total physical RAM: 1022.04 MB
Available physical RAM: 488.49 MB
Total Pagefile: 2460.61 MB
Available Pagefile: 1971.29 MB
Total Virtual: 2047.88 MB
Available Virtual: 1937.89 MB

========================= Partitions: =====================================

1 Drive c: () (Fixed) (Total:53.41 GB) (Free:23.55 GB) NTFS
3 Drive e: () (Removable) (Total:3.73 GB) (Free:3.72 GB) FAT32

========================= Users: ========================================

User accounts for \\JARVIS

Administrator ASPNET Guest
HelpAssistant Jarv SUPPORT_388945a0


**** End of log ****

3) My laptop crashed when running GMER and now will not let me back in.

Thanks again for the help.

Jarvis
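The log in the post above carries several signals that are worth pulling out mechanically rather than by eye: explorer.exe crashing repeatedly at the same address in a module Windows cannot name, the Network Location Awareness service stopping over and over with Win32 error 127 (ERROR_PROC_NOT_FOUND, "The specified procedure could not be found"), two pop-ups complaining that exports are missing from the Winsock DLLs mswsock.dll and wsock32.dll, and a hosts file that is clean even though search results are being redirected. The script below is an added example written for this page; it is not part of the thread and not part of MiniToolBox or any other tool named here. It parses a constructed excerpt of the posted log (copied from the post and trimmed to the lines the checks use) plus the two pop-up messages the poster transcribed, and reports those findings. The regular expressions, the repeat threshold and the wording of the findings are my own assumptions.

```python
"""Pull the indicators discussed in this thread out of a MiniToolBox-style log.

Added example for this page, not a BleepingComputer or Farbar tool. LOG is a
constructed excerpt of the log posted above; POPUPS are the two error pop-ups
the poster transcribed. Thresholds and finding wording are assumptions."""
import re
from collections import Counter

# Excerpt constructed from the log posted in this thread (trimmed).
LOG = """\
========================= Hosts content: =================================
127.0.0.1 localhost

========================= Event log errors: ===============================
Application errors:
==================
Error: (10/08/2011 10:03:42 AM) (Source: Application Error) (User: )
Description: Faulting application explorer.exe, version 6.0.2900.2647, faulting module unknown, version 0.0.0.0, fault address 0x73e7056c.

Error: (10/07/2011 10:01:12 PM) (Source: Application Error) (User: )
Description: Faulting application explorer.exe, version 6.0.2900.2647, faulting module unknown, version 0.0.0.0, fault address 0x73e7056c.

Error: (10/07/2011 07:38:43 PM) (Source: Application Error) (User: )
Description: Faulting application explorer.exe, version 6.0.2900.2647, faulting module unknown, version 0.0.0.0, fault address 0x73e7056c.

Error: (10/07/2011 07:38:32 PM) (Source: Application Error) (User: )
Description: Faulting application tomtomhome.exe, version 1.3.308.0, faulting module ntdll.dll, version 5.1.2600.3520, fault address 0x0001ab0a.

System errors:
=============
Error: (10/08/2011 10:10:15 AM) (Source: Service Control Manager) (User: )
Description: The Network Location Awareness (NLA) service terminated with the following error:
%%127
Error: (10/08/2011 10:09:15 AM) (Source: Service Control Manager) (User: )
Description: The Network Location Awareness (NLA) service terminated with the following error:
%%127
Error: (10/08/2011 10:08:47 AM) (Source: Service Control Manager) (User: )
Description: The Network Location Awareness (NLA) service terminated with the following error:
%%127
"""

# The two pop-ups the poster transcribed while running the tools.
POPUPS = [
    "netsh.exe - The procedure entry point MigrateWinsockConfiguration "
    "could not be located in the dynamic library mswsock.dll",
    "nslookup.exe - The ordinal 1108 could not be located in the dynamic library wsock32.dll",
]

FAULT_RE = re.compile(r"Faulting application (\S+), version \S+, faulting module (\S+), "
                      r"version \S+, fault address (0x[0-9a-f]+)\.")
SERVICE_RE = re.compile(r"The (.+?) service terminated with the following error:\s*%%(\d+)")
EXPORT_RE = re.compile(r"(\S+\.exe) - The (?:procedure entry point \S+|ordinal \d+) could not be "
                       r"located in the dynamic (?:link )?library (\S+)", re.I)
WINSOCK_DLLS = {"mswsock.dll", "wsock32.dll", "ws2_32.dll"}
ERROR_PROC_NOT_FOUND = 127  # Win32 error 127: "The specified procedure could not be found."


def repeated_faults(log, min_count=3):
    """Crash signatures (app, module, address) seen at least min_count times."""
    counts = Counter(m.groups() for m in FAULT_RE.finditer(log))
    return {sig: n for sig, n in counts.items() if n >= min_count}


def service_failures(log, code=ERROR_PROC_NOT_FOUND):
    """Services the SCM reports as terminated with the given Win32 error code."""
    return dict(Counter(svc for svc, c in SERVICE_RE.findall(log) if int(c) == code))


def missing_exports(messages):
    """(exe, dll) pairs from 'entry point/ordinal not found' pop-ups that name a Winsock DLL."""
    hits = []
    for msg in messages:
        m = EXPORT_RE.search(msg)
        if m and m.group(2).lower() in WINSOCK_DLLS:
            hits.append((m.group(1).lower(), m.group(2).lower()))
    return hits


def hosts_entries(log):
    """Non-blank, non-comment lines of the 'Hosts content' section."""
    sec = re.search(r"=+ Hosts content: =+\n(.*?)\n=+", log, re.S)
    lines = sec.group(1).splitlines() if sec else []
    return [ln.strip() for ln in lines if ln.strip() and not ln.lstrip().startswith("#")]


def triage(log, popups):
    """Combine the checks into a list of human-readable findings."""
    findings = []
    for (app, module, addr), n in repeated_faults(log).items():
        # Dying repeatedly at one address in a module Windows cannot name is not a normal bug.
        if module.lower() == "unknown":
            findings.append(f"{app} crashed {n}x at {addr} in an unnamed module")
    for svc, n in service_failures(log).items():
        findings.append(f"{svc} stopped {n}x with ERROR_PROC_NOT_FOUND (127)")
    for exe, dll in missing_exports(popups):
        findings.append(f"{exe}: expected export missing from {dll}")
    # Redirection with a clean hosts file means the hijack sits elsewhere (Winsock, DNS, driver).
    extra = [h for h in hosts_entries(log) if h != "127.0.0.1 localhost"]
    if extra:
        findings.append(f"hosts file carries {len(extra)} non-default entries")
    return findings
```

Running `triage(LOG, POPUPS)` on the excerpt yields four findings: the explorer.exe crash signature, the NLA failures, and the two missing Winsock exports; the hosts file produces none because it contains only the default localhost entry, which is exactly why a clean hosts file does not rule out the redirection the poster describes.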

#4 Broni (BC Advisor, 42,716 posts, Daly City, CA)

Posted 08 October 2011 - 10:10 AM

Are you saying you can't boot in any mode?
