MajorGeeks Support Forums

  #1  
05-28-05, 01:21
edward1121
COMPUTER TAKEOVER HAPPENING (my computer, settings & files are being changed )!!

I have completed all the necessary tasks that Major Geeks suggests to find a virus 3 times. Every setting or file is being changed on its own and this increases as I attempted to stop it. I cannot forward a log at this point because my computer will not allow me to do anything. I am now in safe mode, ran HJ and found (it goes on forever, so I will do my best to post what I believe is important to attempt to create what is happening):

- over 56,000 files including systemfiles hidden.
-Enumerating Win9x VxD services (all I assume my d\: will not run)
-User shell folders and shell folders altstartup *folder not found*
-C:\windows\all users\start minu\programs\startup *no file*
-Adware & Spybot have all been password protected
-autorun entries from registry:
-HKLM\Software\Microsoft\Windows\CurrentVersion\Run *no values found*
-Registry or subkeys are not found
-Enumerating active setup stub paths:
HKLM\Software\Microsoft\Active Setup\Installed Components
(* = disable by HKCU twin)
[SetupcPerUser] *
StubPath = rundll.exe c:\windows\system\setupx.dll,InstallHinfSections SetupcPerUser 64 c:\wndows\INF\setupc.inf (or) applets.inf (or) fonts.inf

C:\Windows\Explore.exe: PRESENT
c:\Explore.exe: not present
c:\Windows\System\Explorer\Explore.exe: not present
c:\Windows\System32\Explorer.exe: not present
c:\Windows\Command\Explore.exe: not present
c:\Windows\Fonts\Explore.exe: not present

Winsock LSP files:
NameSpace #1: C:\WINDOWS\SYSTEM\rnr20.dll
Protocol #'s 1, 2, 3,4,5: imon.dll (file MISSING)
Protocol #'s 6,7,8: C:\WINDOWS\SYSTEM\msafd.dll
Protocol #'s 9 & 10: C:\WINDOWS\SYSTEM rsvpsp.dll
Protocol #11: imon.dll (file MISSING)
Protocol #13, 14, 15: C:\WINDOWS\SYSTEM\mswsosp.dll

I hope this helps to get me to a point where I can forward a HJ which has nothing in it, I cleaned everything out which I rarely do. I have tried to re-install win98 and have done a step x step configuration many times. I ran scandisk and no errors are found. I am not sure what is next. MG's help would be very appreciated. I am way out of my league here and I think I may be creating a larger problem.

edward1121
__________________
Edward Chase
  #2  
05-28-05, 01:25
bjgarrick (MajorGeeks Admin - Malware Expert)
 

If you can't post a HJT log, copy and paste it inline and I will convert it for you.

Download HijackThis 1.99.1

Unzip the hijackthis.exe file to a folder you create named C:\Program Files\HJT

Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the ZIP file as your backups will not be safely stored.

Before running HijackThis: You must close each of the following: your web browser, e-mail client, instant messenger, and programs like notepad, wordpad, MS Word etc. And any other unnecessary running programs.

Run HijackThis and save your log file.

Post your log as an ATTACHMENT to your next post. (Do NOT copy/paste the log into your post as it will be removed).

Need help with HJT? See this thread: NO HIJACK THIS LOG FILES BEFORE READING THIS: HJT Tutorial & LOG File Posting
  #3  
05-28-05, 01:47
edward1121

I have done this on the computer w/the problem however, when I attempt to forward the attachment my server is locked up. I am on a laptop next to the desktop w/the problem. That computer is in safe mode and will not do anything else, sorry.

edward1121
  #4  
05-28-05, 01:51
bjgarrick
 

Quote:
Originally Posted by edward1121
I have done this on the computer w/the problem however, when I attempt to forward the attachment my server is locked up. I am on a laptop next to the desktop w/the problem. That computer is in safe mode and will not do anything else, sorry.

edward1121
Without a HJT log or any other information there isn't much we can do about Malware. If the PC is locked up and will not do anything and that's all it will do then you're most likely going to end up reinstalling clean.
  #5  
05-28-05, 02:10
edward1121

By reinstalling clean do you mean format my c:\ drive? Thank you for your help!

edward1121
  #6  
05-28-05, 02:18
bjgarrick
 

Yes, but remember this will ERASE everything on your hard drive. This should be done ONLY if nothing can be done!

We can try anything but first I need a HJT log or something to build on.

When you power on, BIOS screen flashes...then what?

Also, in Safe Mode...what happens here?


The more details and specs you provide me with the better I can help you.

Quote:
I am now in safe mode, ran HJ and found (it goes on forever
Do you mean your log is very large or what do you mean?
  #7  
05-28-05, 06:34
edward1121

I was preparing to format my c:\ drive and Zone Alarm popped up a page w/instructions to get me to the internet. Which included renaming internet log to old log, vsdata search on both HD & Reg. to delete vsdata95 or vsdatant, deleting all log files (data base reasons), changing ZA "load at start-up & then establishing iexplore.exe again. I did learn that I have the ISRAZ.A worm which tears apart your entire operating system. I now have included my HJ. Would you still recommend cleaning the entire HD still or can this be fixed? My system is a complete mess, please advise,

edward1121
  #8  
05-28-05, 07:53
edward1121

I did a Symantec Security Scan and I am looking it over now and it says nothing about an ISRAZ.A worm. This scan found the following:

Download.Adware
Adware Roimoi
Adware Margoc
Adware.Begin2Search
Adware.Ezula
Spyware Eblaster
Spyware.ClientMan
Adware.iPend
Adware.betterInternet
Asware.Ezula
Adware.CommonName
Adware.VirtualBouncer

I have ZoneAlarm Firewall, Ad-Aware SE, Spybot, CCleaner, CWShredder, Nod32, MS Script Debugger, TweakNow Reg Clean, About Buster. I perform the online Trend & Symantec scans often & I follow my HijackThis regularly. Windows updates are daily, I might be a little overboard but this win98 has become my new hobby. I knew NOTHING about computers & now I am looking for opportunities to troubleshoot. I do go on some questionable sites for the sport of it, to test my computer against attacks. During this time I have all my internet & firewall settings all on high w/"prompt for cookies" both 1st & 3rd party with everything else kicked in. This time I really got my butt kicked and have been trying to resolve this for days. I do have a laptop & desktop XP connected, wireless to a router. The win98 is connected w/the ethernet line to hi-speed cable modem. This is the only thing I can think of that would allow someone to exploit my system. Any ideas would be much appreciated.
All times are GMT -5.