Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Malware Causing Major Problems


  • This topic is locked This topic is locked
4 replies to this topic

#1 souther32

souther32

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:02:00 PM

Posted 28 July 2006 - 05:13 PM

My internet quit working for some random reason yesterday, Thursday. Everything else regarding the internet is working fine. Xbox 360 on Live, Wirless Laptop through my router (what im on) Aim, Outlook Express.But Whenever I try to go to a webpage an error always occurs. Page cannot be displayed... I downloaded many different programs to try and fix it, such as Spybot, Ad-Aware, AntiVir Personal, Microsoft Defender, Kill2Me, cwshredder, Genuine Check, and Hijackthis.
I was at majorgeeks.com for help, and they told me to download that stuff and run in under safe mode and I did. Found 3 objects with Microsoft Defender...

WinSofware.Winfixer
Catefory: Potentially Unwanted Software

Description:
This program has potentially unwanted behavior

Advice:
Remove this software immediately

Resources
File: C:\Documents and Settings\mom\Application Data\Netscape\NXB\Profiles\vrlkba04.default\Cache\ 6307B5C8d01

File: C:\Documents and Settings\mom\Application Data\Netscape\NXB\Profiles\5ua3ftpa.default\Cache. Trash\Trash\Cache\6307B5C8d01

File: C:\Documents and Settings\mom\Application Data\Netscape\NXB\Profiles\5ua3ftpa.default\Cache. Trash\Trash\Cache\851A1E9Bd01

PowerReg Scheduler

Resources
File: C:\Program Files\ Microsoft AntiSpyware\Quarantine\2A4C705D-5DCE-47AD-9ECF-FCE52C\4B441E8B-0626-4D15-Ac76-6660B2

File: C:\Program Files\ Microsoft AntiSpyware\Quarantine\9A1C314B-9F05-4F6F-B8B5-CFF590\B1C407D3-ABED-444E-A977-79B547

NewDotNet
file:
C:\Program Files\Microsoft AntiSpyware\Quarantine\7BBD6271-6586-4651-A37B-346761\AF6CB5B5-52AD-4B4F-BC7C-BF16B9

I just typed all that...
Also I have try getting webpages using IE, Firefox, and Opra

And here is my HJT

Logfile of HijackThis v1.99.1
Scan saved at 1:17:27 PM, on 7/28/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\LEXMAR~1\ACMonitor_X83.exe
C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X83.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\msiexec.exe
C:\HJT\Analyse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.netscape.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.netscape.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {6af208b1-33fd-492b-8c67-e8b471f39754} - (no file)
O2 - BHO: (no name) - {89ad7923-34f5-4b2f-8630-685a0b4ca66b} - (no file)
O2 - BHO: (no name) - {A2020B37-C382-B277-FC21-C8C9DEB56E95} - blank (file missing)
O2 - BHO: (no name) - {BA816159-3BC2-4D07-4BF4-7FBBCEF292ED} - blank (file missing)
O2 - BHO: (no name) - {C1ADD487-6A33-24E2-D9D8-7AA393078836} - blank (file missing)
O2 - BHO: (no name) - {caf1e97a-3a63-43f8-b7fa-9cf27c66b3d2} - (no file)
O2 - BHO: (no name) - {E07E4136-AED5-37AA-E491-F27424479DA5} - blank (file missing)
O4 - HKLM\..\Run: [Lexmark X83 Button Monitor] C:\PROGRA~1\LEXMAR~1\ACMonitor_X83.exe
O4 - HKLM\..\Run: [Lexmark X83 Button Manager] C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X83.exe
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printra y.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [stratas] lockx.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\RunServices: [stratas] lockx.exe
O4 - HKCU\..\Run: [stratas] lockx.exe
O4 - HKCU\..\Run: [Creative Detector] C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe /R
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .mpg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: http://www.neededware.com
O16 - DPF: ChatSpace Full Java Client 4.0.0.325 - http://www.interactionsoftware.com/...va/cfs40325.cab
O16 - DPF: NDWCab - http://www.neededware.com/NDWCab.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2B1AA38D-2D12-11D5-AAD0-00C04FA03D78} (LocalExec Control) - https://my.uga.edu/nps/portal/gadge...t/LocalExec.CAB
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52...meInstaller.exe
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - AppInit_DLLs: mad.dll
O20 - Winlogon Notify: awtsq - C:\WINDOWS\system32\awtsq.dll (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: AntiVir Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Service (AntiVirService) - AVIRA GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspn et_state.exe (file missing)
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: tvmexehzonvl (MsUpdate6) - Unknown owner - C:\WINDOWS\System32\msupd6.exe (file missing)
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

BC AdBot (Login to Remove)

 


#2 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:01:00 PM

Posted 28 July 2006 - 06:44 PM

Hi and welcome to Bleeping Computer! My name is Sam and I will be helping you. :thumbsup:


Do you have access to the net through another computer? Can you download programs through that computer and move them to the infected computer?
Posted Image If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#3 souther32

souther32
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:02:00 PM

Posted 28 July 2006 - 09:36 PM

I am on my wirless laptop which uses the same router that is connected to my computer if that is what your asking... I am leaning towards Re-Installing the OS. Im am also posting on other forums about my problem and that is what they said... Also, I do not have the OS Software Cd that came with my Dell Pentium 4 Computer. Would I be able to download it with my laptop, transfer it over using AIM and burned to a Cd?

#4 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:01:00 PM

Posted 28 July 2006 - 09:51 PM

I don't think your situation is anywhere near dire enough to consider a format and reinstall of Windows.
You do have a few separate infections, but they should be fairly simple to remove as long as you can download a few small tools and move them over to the infected computer. Here's what we need.

Download and run this tool to remove the main infection.
http://www.jayloden.com/AIMFix.exe


============


Next you appear to have at least a partial Vundo infection.

Please download VundoFix.exe to your desktop.
  • Double-click VundoFix.exe to run it.
  • Put a check next to Run VundoFix as a task.
  • You will receive a message saying vundofix will close and re-open in a minute or less. Click OK
  • When VundoFix re-opens, click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will shutdown your computer, click OK.
  • Turn your computer back on.
  • Please post the contents of C:\vundofix.txt and a new HiJackThis log.
In answer to your question, no you would not be able to download Windows. In order to reinstall, you do need an installation disc.
Posted Image If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#5 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:01:00 PM

Posted 15 August 2006 - 08:25 AM

This topic has been closed due to a lack of response. If you need this topic reopened, please contact a member of the HJT Team and we will reopen it for you. Include the address of this thread in your request.
Posted Image If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users