
COMPUTER TAKEOVER HAPPENING (my computer, settings & files are being changed )!!

Discussion in 'Software' started by edward1121, May 28, 2005.

  1. edward1121

    edward1121 Private E-2

    I have completed all the necessary tasks that MajorGeeks suggests to find a virus 3 times. Every setting or file is being changed on its own, and this increases as I attempt to stop it. I cannot forward a log at this point because my computer will not allow me to do anything. I am now in safe mode, ran HJ and found (it goes on forever, so I will do my best to post what I believe is important to attempt to describe what is happening):

    - over 56,000 files including system files hidden.
    - Enumerating Win9x VxD services (all, I assume; my D:\ will not run)
    - User shell folders and shell folders altstartup *folder not found*
    - C:\windows\all users\start menu\programs\startup *no file*
    - Adware & Spybot have all been password protected
    - autorun entries from registry:
    - HKLM\Software\Microsoft\Windows\CurrentVersion\Run *no values found*
    - Registry or subkeys are not found
    - Enumerating active setup stub paths:
    HKLM\Software\Microsoft\Active Setup\Installed Components
    (* = disabled by HKCU twin)
    [SetupcPerUser] *
    StubPath = rundll.exe c:\windows\system\setupx.dll,InstallHinfSections SetupcPerUser 64 c:\windows\INF\setupc.inf (or) applets.inf (or) fonts.inf

    C:\Windows\Explore.exe: PRESENT
    c:\Explore.exe: not present
    c:\Windows\System\Explorer\Explore.exe: not present
    c:\Windows\System32\Explorer.exe: not present
    c:\Windows\Command\Explore.exe: not present
    c:\Windows\Fonts\Explore.exe:not present

    Winsock LSP files:
    NameSpace #1: C:\WINDOWS\SYSTEM\rnr20.dll
    Protocol #'s 1, 2, 3,4,5: imon.dll (file MISSING)
    Protocol #'s 6,7,8: C:\WINDOWS\SYSTEM\msafd.dll
    Protocol #'s 9 & 10: C:\WINDOWS\SYSTEM\rsvpsp.dll
    Protocol #11: imon.dll (file MISSING)
    Protocol #13, 14, 15: C:\WINDOWS\SYSTEM\mswsosp.dll

    I hope this helps to get me to a point where I can forward a HJ which has nothing in it; I cleaned everything out, which I rarely do. I have tried to re-install Win98 and have done a step-by-step configuration many times. I ran ScanDisk and no errors are found. I am not sure what is next; MG's help would be very appreciated. I am way out of my league here and I think I may be creating a larger problem.
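The LSP section transcribed above is the most useful diagnostic in the post: the chain lists imon.dll for catalog entries 1 to 5 and 11 with the file missing, and no entry 12 at all. Every Winsock socket on the machine has to load the whole provider chain, so a dead entry like that is enough on its own to explain "my server is locked up" when trying to upload a log, without any takeover being involved. The script below is an added example, not code from the thread or from HijackThis: it parses that transcribed section (embedded as constructed input) and flags missing provider DLLs, providers registered by bare file name rather than full path, and gaps in the catalog numbering. The line layout the regex expects is an assumption about the poster's transcription, not a specification of HijackThis's output format.

```python
"""Audit the 'Winsock LSP files' section of a HijackThis StartupList report.

Added example; this is not code from the MajorGeeks thread or from HijackThis.
The sample text is the poster's transcription of their LSP section, re-typed
here as constructed input. The line layout the regex expects is an assumption
about that transcription, not a specification of HijackThis's output format.
"""
import re

# Constructed sample: the LSP entries as transcribed in post #1.
SAMPLE_LSP = """\
Winsock LSP files:
NameSpace #1: C:\\WINDOWS\\SYSTEM\\rnr20.dll
Protocol #'s 1, 2, 3,4,5: imon.dll (file MISSING)
Protocol #'s 6,7,8: C:\\WINDOWS\\SYSTEM\\msafd.dll
Protocol #'s 9 & 10: C:\\WINDOWS\\SYSTEM\\rsvpsp.dll
Protocol #11: imon.dll (file MISSING)
Protocol #13, 14, 15: C:\\WINDOWS\\SYSTEM\\mswsosp.dll
"""

# One catalog line: kind, the catalog id(s) it covers, the DLL, optional MISSING flag.
LINE_RE = re.compile(
    r"^(NameSpace|Protocol)\s*#'?s?\s*([\d\s,&]+):\s*(.+?)(\s*\(file MISSING\))?\s*$"
)


def parse_lsp(text):
    """Return [(kind, [catalog ids], dll_path, missing)] for each catalog line."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # section header or unrelated line
        kind, ids, path, missing = m.groups()
        nums = [int(n) for n in re.findall(r"\d+", ids)]
        entries.append((kind, nums, path.strip(), missing is not None))
    return entries


def audit_lsp(entries):
    """Flag the conditions that break or weaken a Winsock LSP chain.

    - A catalog entry whose DLL is missing: every socket has to load the whole
      chain, so one absent provider DLL can kill all TCP/IP connectivity.
    - A provider registered by bare file name rather than full path: the loader
      resolves it through the DLL search order, which is a planting target.
    - Gaps in the protocol catalog numbering: entries removed without the
      neighbours being re-linked, another classic cause of a broken chain.
    """
    findings = []
    for kind, nums, path, missing in entries:
        if missing:
            findings.append(f"{kind} {nums}: {path} is in the chain but the file is missing")
        if path[1:3] != ":\\":
            findings.append(f"{kind} {nums}: {path} is registered without a full path")
    protocol_ids = sorted(n for kind, nums, _, _ in entries if kind == "Protocol" for n in nums)
    if protocol_ids:
        gaps = sorted(set(range(1, max(protocol_ids) + 1)) - set(protocol_ids))
        if gaps:
            findings.append(f"Protocol catalog numbers not listed: {gaps}")
    return findings


if __name__ == "__main__":
    for finding in audit_lsp(parse_lsp(SAMPLE_LSP)):
        print(finding)
```

Run against the sample it reports the two missing imon.dll entries (each also registered without a path) and the gap at catalog number 12. The usual repair on Windows of that era was LSPFix, which deletes the dead entries and re-links the remaining providers; simply deleting a provider's registry entries without re-numbering the chain is how the gap gets there in the first place.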

  2. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    If you can't post a HJT log, copy and paste it inline and I will convert it for you.

    Download HijackThis 1.99.1

    Unzip the hijackthis.exe file to a folder you create named C:\Program Files\HJT

    Do NOT run HijackThis from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the ZIP file, as your backups will not be safely stored.

    Before running HijackThis: You must close each of the following: your web browser, e-mail client, instant messenger, and programs like Notepad, WordPad, MS Word etc., and any other unnecessary running programs.

    Run HijackThis and save your log file.

    Post your log as an ATTACHMENT to your next post. (Do NOT copy/paste the log into your post as it will be removed).

    Need help with HJT? See this thread: NO HIJACK THIS LOG FILES BEFORE READING THIS: HJT Tutorial & LOG File Posting

  3. edward1121

    edward1121 Private E-2

    I have done this on the computer w/the problem; however, when I attempt to forward the attachment my server is locked up. I am on a laptop next to the desktop w/the problem. That computer is in safe mode and will not do anything else, sorry.

  4. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Without a HJT log or any other information there isn't much we can do about malware. If the PC is locked up and will not do anything and that's all it will do, then you're most likely going to end up reinstalling clean.

  5. edward1121

    edward1121 Private E-2

    By reinstalling clean do you mean format my c:\ drive? Thank you for your help!

  6. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Yes, but remember this will ERASE everything on your hard drive. This should be done ONLY if nothing can be done!

    We can try anything but first I need a HJT log or something to build on.

    When you power on, BIOS screen flashes...then what?

    Also, in Safe Mode...what happens here?

    The more details and specs you provide me with the better I can help you.

    Do you mean your log is very large or what do you mean?
  7. edward1121

    edward1121 Private E-2

    I was preparing to format my C:\ drive and ZoneAlarm popped up a page w/instructions to get me to the internet, which included renaming internet log to old log, a vsdata search on both HD & Reg. to delete vsdata95 or vsdatant, deleting all log files (database reasons), changing ZA "load at start-up" & then establishing iexplore.exe again. I did learn that I have the ISRAZ.A worm, which tears apart your entire operating system. I have now included my HJ. Would you still recommend cleaning the entire HD, or can this be fixed? My system is a complete mess, please advise.

  8. edward1121

    edward1121 Private E-2

    I do not see my HJT attachment in my post.

  9. edward1121

    edward1121 Private E-2

    I did a Symantec Security Scan and I am looking it over now, and it says nothing about an ISRAZ.A worm. This scan found the following:

    Adware Roimoi
    Adware Margoc
    Spyware Eblaster

    I have ZoneAlarm Firewall, Ad-Aware SE, Spybot, CCleaner, CWShredder, NOD32, MS Script Debugger, TweakNow Reg Clean, About Buster. I perform the online Trend & Symantec scans often & I follow my HijackThis regularly. Windows updates are daily. I might be a little overboard, but this Win98 has become my new hobby. I knew NOTHING about computers & now I am looking for opportunities to troubleshoot. I do go on some questionable sites for the sport of it, to test my computer against attacks. During this time I have had all my internet & firewall settings on high w/"prompt for cookies" for both 1st & 3rd party, with everything else kicked in. This time I really got my butt kicked and have been trying to resolve this for days. I do have a laptop & desktop XP connected wirelessly to a router. The Win98 is connected w/the ethernet line to a hi-speed cable modem. This is the only thing I can think of that would allow someone to exploit my system. Any ideas would be much appreciated.
  10. edward1121

    edward1121 Private E-2

    I have been on Microsoft TechNet reading some Security Bulletins and I should mention that this started when I increased my Internet, Local intranet, privacy & firewall security settings to high. I changed the anti-virus in this computer to NOD32 and attempted to test this combination and its malware blocking ability on some questionable sites. It was not a very good combination.

    Also, I have recently been trying to understand the MS script debugging w/scripts written in VBScript, JScript and Java. Several scripts popped up while on the internet for me to view and set breakpoints in certain areas. I also viewed the iexplore call stacks and selected to break at every statement. These were "read only", so I went through and assigned breakpoints. I had no clue what was going on & assumed this was a real-time hands-on tutorial. I know very little about script debugging at this point, but I am sure the errors that came up were syntax errors from a client script.

    Also, it was during this time my settings started to change w/out any doing on my part. The higher I stepped up any kind of security settings & the deeper I scanned into my computer, the greater & crazier the attack became. I stopped scanning at this point and started opening the properties files to find this worm/trojan/virus (anything), and this is when I noticed my system files were changed to HIDDEN, so I started removing the hidden value/attribute, and this is when "it" started deleting my .dll & driver files. Then my D:\ drive stopped working and I stopped & posted here w/a wireless laptop.

    Sorry for the additional posts; I am just hoping the more info I provide MajorGeeks, the less of your time I will need to ask for.

  11. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Lets try the below!

    Download the following two files, create a folder on your desktop, call it TSC. Save these 2 files there!

    Sysclean Package


    Once you have these downloaded into the folder you just created, double click the file sysclean.com

    When the system cleaner loads, click SCAN to start the scanner.
  12. edward1121

    edward1121 Private E-2

    Thank you, here are the 2 scan logs from this scan.


    Attached Files:

  13. edward1121

    edward1121 Private E-2

    Here is a 3rd log from TSC.


    Attached Files:

  14. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    You were able to complete this scan, so the computer must be doing something now?

    What problems are you having at the moment?

  15. edward1121

    edward1121 Private E-2

    My screen & icons are enlarged to the same size & image you would see in safe mode. Aside from this, nothing. I attached 2 HJT logs that I just completed. Should I reboot or continue looking for this problem?


    Attached Files:

  16. edward1121

    edward1121 Private E-2

    My computer froze so I rebooted. This is what took place and I attached the bootlog.txt for that startup.

    Like before the following devices needed to run Windows or applications were missing.


    I continued and the same warning sign appeared from NetWare that the system could not find or load the file specified: nwnp32.dll.

    When the system booted I went into Windows Explorer and the following are back to being hidden in my C:\ drive.

    avg6db_.dat (left over from an uninstall when I switched to NOD32)

    After the re-boot the display is the same as safe mode again. A few times last week this computer booted in this manner, which is what started it; one of the reasons I began looking for this intruder (I am not even sure what I have yet). My best guess is it is a worm (W32.Mydoom.BU@mm). Then again, at this point I have read the details about so many worms & trojans, I have really considered formatting my HD to kill it.

    I hope this in someway can help.


    Attached Files:

  17. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    This sounds like driver problems, are your drivers installed correctly?

    Go into Control Panel, and select Device Manager and see if everything looks ok in there, meaning no yellow question marks anywhere.

    Now, let's try a little something I usually don't request, but it may help.

    Download RegSupreme Pro 1.1

    Install this program; after you install you will be prompted to "defrag" your registry for best performance. You can go ahead and click YES; it should take but a minute or so.

    After this completes at the top, click the REGISTRY CLEANER tab. Then click on "Aggressive" and let it scan. Afterwards you will see the total of invalid entries found. Once its complete, select ALL entries and select FIX. The program will then fix the ones that are fixable, the ones that are not will be removed. Type in a backup filename and save to an easy location just in case.

    Let me know the results! After you do this, reboot and see if you're running any better.

  18. edward1121

    edward1121 Private E-2

    Thank you, here are the results from that scan:

    835 Invalid Items
    43 Items Removed
    792 Items Removed

    While booting it still had the same problems locating :


    The image remains in a safe mode style. I will generate the following HJT logs for you to review:

    - startup w/a list of minor sections (full) & empty sections (complete).
    -standard HJT log ( 2 reg. entries are added).


    Attached Files:

  19. edward1121

    edward1121 Private E-2

    I also wanted to include these additional logs from the RegSupreme scan:

    Shell ext.
    File types w/ext
    Installed software

    Many of these I do not recognize & w/o completely understanding what the ext or file is, I hesitate to remove them just yet.


    Attached Files:

  20. edward1121

    edward1121 Private E-2

    Here is the 3rd.

    Thank You,

    Attached Files:
