1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

COMPUTER TAKEOVER HAPPENING (my computer, settings & files are being changed )!!

Discussion in 'Software' started by edward1121, May 28, 2005.

  1. edward1121

    edward1121 Private E-2

    I have completed all the necessary tasks that Major Geeks suggests to find a virus 3 times. Every setting or file is being changed on its own and this increases as I attempted to stop it. I cannot foward a log at this point because my computer willl not allow me to do anything. I am now in safe mode, ran HJ and found (it goes on forever, so I will do my best to post what I believe is important to attempt to create what is happening):

    - over 56,000 files including systemfiles hidden.
    -Enumerating Win9x VxD services (all I assume my d\: will not run)
    -User shell folders and shell folders altstartup *folder not found*
    -C:\windows\all users\start minu\programs\startup *no file*
    -Adware & Spybot have all been password protected
    -autorun entries from registry:
    -HKLM\Software\Microsoft\Windows\CurrentVersion\Run *no values found*
    -Registry or subkeys are not found
    -Enumerating active setup stub paths:
    HKLM\Software\Microsoft\Active Setup\Installed Components
    (* = disable byy HKCU twin)
    [SetupcPerUser] *
    StubPath = rundll.exe c:\windows\system\setupx.dll,InstallHinfSections SetupcPerUser 64 c:\wndows\INF\setupc.inf (or) applets.inf (or) fonts.inf

    C:\Windows\Explore.exe: PRESENT
    c:\Explore.exe: not present
    c:\Windows\System\Explorer\Explore.exe: not present
    c:\Windows\System32\Explorer.exe: not presetn
    c:\Windows\Command\Explore.exe: not present
    c:\Windows\Fonts\Explore.exe:not present

    Winsock LSP files:
    NameSpace #1: C:\WINDOWS\SYSTEM\rnr20.dll
    Protocol #'s 1, 2, 3,4,5: imon.dll (file MISSING)
    Protocol #'s 6,7,8: C:\WINDOWS\SYSTEM\msafd.dll
    Protocol #'s 9 & 10: C:\WINDOWS\SYSTEM rsvpsp.dll
    Protocol #11: imon.dll (file MISSING)
    Protocol #13, 14, 15: C:\WINDOWS\SYSTEM\mswsosp.dll

    I hope this helps to get me to a point where I can forward a HJ which has nothing in it, I cleaned everything out which I rarely do. I have tried to re-install win98 and have done a step x step configuration many times. I ran scandisk and no errors are found. I am not sure what is next MG's help would be very appreciated I am way out of my league here and I think I may be creating a larger problem.

    edward1121
     
  2. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    If you cant post a HJT log, copy and paste it inline and and I will convert it for you.

    [​IMG] Download HijackThis 1.99.1

    [​IMG] Unzip the hijackthis.exe file to a folder you create named C:\Program Files\HJT

    [​IMG] Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the ZIP file as your backups will not be safely stored.

    [​IMG]Before running HijackThis: You must close each of the following:your web browser, e-mail client, instant messenger, and programs like notepad, wordpad, MS Word etc. And any other unnecessary running programs.

    [​IMG]Run HijackThis and save your log file.

    [​IMG] Post your log as an ATTACHMENT to your next post. (Do NOT copy/paste the log into your post as it will be removed).

    [​IMG]Need help with HJT? See this thread: NO HIJACK THIS LOG FILES BEFORE READING THIS: HJT Tutorial & LOG File Posting
     
  3. edward1121

    edward1121 Private E-2

    I have done this on the computer w/the problem however, when I attempt to forward the attachment my server is locked up. I am on a laptop next to the desktop w/the problem. That computer is in safe mode and will not do anything eles, sorry.

    edward1121
     
  4. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Without a HJT log or any other information there isnt much we can do about Malware. If the PC is locked up and will not do anything and thats all it will do then your most likely going to end up reinstalling clean.
     
  5. edward1121

    edward1121 Private E-2

    By reinstalling clean do you mean format my c:\ drive? Thank you for your help!

    edward1121
     
  6. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Yes, but remember this will ERASE everything on your hard drive. This should be done ONLY if nothing can be done!

    We can try anything but first I need a HJT log or something to build on.

    When you power on, BIOS screen flashes...then what?

    Also, in Safe Mode...what happens here?


    The more details and specs you provide me with the better I can help you.

    Do you mean your log is very large or what do you mean?
     
  7. edward1121

    edward1121 Private E-2

    I was preparing to format my c:\ drive and Zone Alarm poped up a page w/instructions to get me to the internet. Which included renaming internet log to old log, vsdata search on both HD & Reg. to delete vsdata95 or vsdatant, deleting all log files (data base reasons), changing ZA "load at start-up & then establishing iexplore.exe again. I did learn that I have the ISRAZ.A worm which tears apart your entire operating system. I now have included my HJ. Would you still recomend cleaning the entire HD still or can this be fixed. My system is a complete mess, please advise,

    edward1121
     
  8. edward1121

    edward1121 Private E-2

    I do not see my HJT attachment in my post.

    edward1121
     
  9. edward1121

    edward1121 Private E-2

    I did a Symantec Secutity Scan and I am looking it over now and it says nothing about a ISRAZ.A worm. This scan found the following:

    Download.Adware
    Adware Roimoi
    Adware Margoc
    Adware.Begin2Search
    Adware.Ezula
    Spyware Eblaster
    Spyware.ClientMan
    Adware.iPend
    Adware.betterInternet
    Asware.Ezula
    Adware.CommonName
    Adware.VirtualBouncer

    I have ZoneAlarm Firewall, Ad-wareSE, Spybot, CCleaner, CWShredder, Nod32, MS ScriptDebuger, TweakNow Reg Clean, About Buster. I perform the online Trend & Symantic scans often & I follow my HijackThis regularly. Windows updates are daily, I might be a little overboard but this win98 has become my new hobby. I new NOTHING about computers & now I am looking for opportunities to troubleshoot. I do go on some questionable sites for the sport of it, to test my computer against attacks. During this time have all my internet & firewall settings all on high w/"prompt for cookies" both 1st & 3rd party with every thing else kicked in. This time I really got my butt kicked and have been trying to resolve this for days. I do have a laptop & desktop XP contected, wireless to a router. The win98 is contected w/the ethernet line to hi-speed cable modem. This is the only thing I can think of that would allow someone to exploit my system. Any ideas would be much appreciated .
     
  10. edward1121

    edward1121 Private E-2

    I have been on Microsoft TechNet reading some Security Bullentins and I should mention that this started when I increased my Internet, Local intranet, privacy & firewall security settings to high. I changed the anti-virus in this computer to/NOD32 and attempted to test this combination and its malware blocking ability on some questionable sites. It was not a very good combination.

    Also, I have recently been trying to understand the MS script debugging w/scripts written in VBScript JScript and Java. Several scripts popped up while on the internet for me to view and set breakpoints in certain areas. I also viewed the iexplore call stacks and selected to break at every statement. These were "read only" so I went through and assigned breakpoints. I had no clue what was going on & assumed this was a real-time hands on tutorial. I know very little about script debugging at this point but I am sure the errors that came up were snytex errors from a client script.

    Also, it was during this time my settings started to change w/out any doing on my part. The higher I stepped up any kind of security settings & the deeper I scanned into my computer, the greater & crazier the attack began. I stopped scanning at this point and started opening the properties files to find this worm/trojan/virus (anything ) and I this is when I noticed my system files were changed to HIDDEN, so I started removing the hidden value/attribute and this is when "it" started deleting my dll. & driver files. Then my D:\ drive stopped working and I stopped & posted here w/a wireless laptop.

    Sorry, for the additional posts I am just hoping the more info. I provide MajorGeeks, less time of yours, I will need to ask for.

    edward1121
     
  11. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Lets try the below!

    Download the following two files, create a folder on your desktop, call it TSC. Save these 2 files there!

    Sysclean Package

    Pattern.zip

    Once you have these downloaded into the folder you just created, double click the file sysclean.com

    When the system cleaner loads, click SCAN to start the scanner.
     
  12. edward1121

    edward1121 Private E-2

    Thank you, here are the 2 scan logs from this scan.

    edward1121
     

    Attached Files:

  13. edward1121

    edward1121 Private E-2

    Here is a 3rd log from TSC.

    edward1121
     

    Attached Files:

  14. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    You was able to complete this scan, so the computer must be doing something now?

    What problems are you having at the moment?
     
  15. edward1121

    edward1121 Private E-2

    My screen & icons are enhanced to the same size & image you would see in safe mode. Aside from this nothing . I attached 2 HJT logs that I just completed. Should I reboot or continue looking for this problem?

    edward1121
     

    Attached Files:

  16. edward1121

    edward1121 Private E-2

    My computer froze so I rebooted. This is what took place and I attached the bootlog.txt for that startup.

    Like before the following devices needed to run Windows or applications were missing.

    System.ini
    nwredir.vxd
    nwlink.vxd
    nscl.vxd

    I continued and the same warning sign appeared by Netware that the system could not find or load the file specified : nwnp32.ddl.

    When the system booted I went into Windows Explore and the following are back to being hidden in my C:\ drive.

    Bootlog.prv
    Bootlog.txt
    ofidx.ffa
    ofidx.ffi
    ofidxo.ffx
    avg6db_.dat (left over from an unstall when I swithed to NOD32
    Dblspace.bin
    Dblspace.ini
    Detlog.old
    Detlog.txt
    Drvspace.bin
    lo.sys
    Msdos.---
    Msdos.bk
    Msdos.sys
    Suhdlog.bak
    Suhdlog.bat._
    System.1st
    Videorom.bin

    After the re-boot the display is the same as safe mode again. A few times last week this computer booted in this manner which is what start. One of the reasons I began looking for this intruder (I am not even sure what I have yet) . My best guess is it is a worm (W32.Mydoom.BU@mm). Then again at this point I have read the details about so many worms & trojans, I have really considered formating my HD to kill it .

    I hope this in someway can help.

    edward1121
     

    Attached Files:

  17. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    This sounds like driver problems, are your drivers installed correctly?

    Go into Control Panel, and select Device Manager and see if everything looks ok in there, meaning no yellow question marks anywhere.

    Now, lets try a little something I usually dont request but it may help.

    Download RegSupreme Pro 1.1

    Install this program, after you install you will be prompted to "defrag" you registry for best performance. You can go ahead and click YES, should take but a minute or so.

    After this completes at the top, click the REGISTRY CLEANER tab. Then click on "Aggressive" and let it scan. Afterwards you will see the total of invalid entries found. Once its complete, select ALL entries and select FIX. The program will then fix the ones that are fixable, the ones that are not will be removed. Type in a backup filename and save to an easy location just in case.

    Let me know the results! After you do this reboot and see if your running any better.
     
  18. edward1121

    edward1121 Private E-2

    Thank you, here are the results from that scan:

    835 Invalid Items
    43 Items Removed
    792 Items Removed

    While booting it still had the same problems locating :

    nwredir.vxd
    nwlink.vxd
    nscl.vxd
    nwnp32.dll

    The image remains in a safe mode style. I am will generate the following HJT logs for you to review:

    - startup w/a list of minor sections (full) & empty sections (complete).
    -standard HJT log ( 2 reg. entries are added).



    edwardchase1121
     

    Attached Files:

  19. edward1121

    edward1121 Private E-2

    I also wanted to include these additional logs from the SupremeReg scan:

    Shell ext.
    File types w/ext
    Installed software

    Many of these I do not reconize & w/o completely understanding what the ext or file is I hesitate to remove them just jet.

    Thanks,
    Edward
     

    Attached Files:

  20. edward1121

    edward1121 Private E-2

    Here is the 3rd.

    Thank You,
    edward1121
     

    Attached Files:

  21. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    RegSupreme is pretty good on what it detects, I would go ahead and remove all detected entries.

    Are you still having the freezing problem?
     
  22. edward1121

    edward1121 Private E-2

    I agree it is great!! By "all dectected" entries do you mean everything that RegSupreme detects from every individual setting tab?

    edward1121
     
  23. edward1121

    edward1121 Private E-2

    I am sorry, no my computer is not freezing. Still in the safe mode type image. But, it does not hang.

    Thanks,
    edward1121
     
  24. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Everything as in when you run the registry cleaner, all of those found entries.

    What problems are you currently having?
     
  25. edward1121

    edward1121 Private E-2

    RegSupreme now show 0 invalid entries in my registry.

    The past few days, I have written down any information that I would possibly need at a later time from this computer. Thank you, for this opportunity!! I could now format this C:\ outside of you seeing any problem w/any of the following information.

    Because, I used my startup & installation disks while I had this infection to attempt to restore my system several times. Could these be infected? The installation disk is missing a few .cab files. Can, I retrieve the necessary clean discs someplace to re-boot & re-install Win98?


    While waiting for your reply I discovered that all my files in C:\Windows\Command were last modifided on 4/23/99, except for the C:\Windows\Command\Ebd file which was last modified on 10/11/04. However, all files inside this file were last modified on 04/23/99; these files are:

    Btcdrom.sys
    Btdosm.sys
    Command.com
    Config.sys
    Drivespace.bin
    Ebd.exe
    Extract.exe
    Fdisk.exe
    Findramd.exe
    Flashptl.sys
    Himem.sys
    Lo.sys
    Oakcdrom.sys
    Ramdrive.sys
    Readme.txt
    Setramd.bat

    Could I use these files (which appear to be when I must have purchased this computer) to restore my system from the "msdos promt only" startup, back to this date. I assume this would eliminate everything except for what was on original Win98 system at my time of purchase. Would this insure the infection is removed?

    My 1st choice would be to format, if I could purchase, download or burn clean disks.

    Your assistance is and has been very much appreciated.

    edward1121
     
  26. edward1121

    edward1121 Private E-2

    The problems I am still having is the computer still is in a safe mode type image and it is very slow when 2 applications are running at once. When I re-start I have the same problems w/the computer finding the nwredir.vxd, nw.ink.vxd, nscl.vxd and nwnp32.dll.

    edward1121
     
  27. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Since this most likely is going to be Software related I'm going to move this on over the the Software Forum. These guys will get you all fixed up!

    Good Luck!:)
     
  28. edward1121

    edward1121 Private E-2

    bjgarrick,

    Thank you and it is at this point. The same takeover and the same adding and hidding of files happened to my laptop and WinXP desktop. Same files added on and everything. I formated my win98 c:\drive and now I will be doing this to the laptop. I will have some questions about the WinXP so, this is perfect!!

    By Saturday, when I would log on or doing anything with my computer I woud go to the XP to see who was on the Wireless network and it was always the same two guys. Also, I still am not finding a single worm, virus or trojan horse, NOTHING. Everytime, I change something and it would get changed right back to the way it was. I saw these guys had their network settings set on security enabled and looked up how I could get my router settings set the same. I am thinking this has got to be what is happening to me.

    I downloaded this program called, Sysinternals and it lets you see what you are not seeing on your desktop. I began to track some of these paths & then the files in my Registry. I discovered somewhat similar IP & DSN#s hidden in about 25 different files titled "range"and numbered out of order. Instructions were everywhere in my registrys that appeared my computer s were programed to act from a remote setting and user(s). Than, I found a file w/the title "MyComputer" and one under it titled "YourComputer". One was tagged destination and the other was response. So, I thought I would rename these opposite of themselve to throw these guys off for a just a little bit, to give me a chance to start manipulating their changes back to my advantage and so that I can get ahead start on the security wireless network settings.

    I didnt go into the office today and spent a greater part of the day working on a counter attack plan. Listen to me, no wonder my family thinks I have gone off the deep end and they keep telling or begging me to just go and buy another compter. No way, I am going to format these drives anyways so why not go the distance this time w/these losers this time.

    So, I renamed name the files, attacked the registry (HKEY_DYN_DATA) in front of me, I flew thru my WindowsExplore and restored my important system files, from there I went for my System Configuration Utility and unchecked all the corupt lines in my Sys.ini and Win.ini the Startup was right there and removed the something about not loading my device drivers.

    I deleted all there bogus shell extentions from RegSupreme and Un-installed the programs that seemed to be the most corupt. and I went right for CCleaner. The plan worked great, I was able to change the settings w/very little problems on Linksys website and just in case there is a slim possibility that someone was on my system, I will leave these settings on for a few days so I can format and enable my wireless security settings again w/little problems.

    bjgarrick, thank you for all your help and for responding as quick as you did (w/in minutes) when this attack was getting way out of control.

    Salute!
    edward1121
     

Share This Page

MajorGeeks.Com Menu

MajorGeeks.Com \ All In One Tweaks \ Android \ Anti-Malware \ Anti-Virus \ Appearance \ Backup \ Browsers \ CD\DVD\Blu-Ray \ Covert Ops \ Drive Utilities \ Drivers \ Graphics \ Internet Tools \ Multimedia \ Networking \ Office Tools \ NEW! PC Games \ System Tools \ Macintosh \ Demonews.Com \ Top Downloads

MajorGeeks.Com \ News (Tech) \ Off Base (Other Websites News) \ Way Off Base (Offbeat Stories and Pics)

Social: Facebook \ YouTube \ Twitter \ Tumblr \ Pintrest \ RSS Feeds