Virus + Trojans present

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by silverman, Jan 28, 2006.

  1. silverman

    silverman Private E-2

    Hello again

    This time I have had the misfortune of stumbling on a website which caused something to be downloaded and temporarily opened an image file while doing so. After this I didn't notice anything suspicious, until I switched on my computer again the next day. Windows wouldn't load properly; it got to the logon point, and when I logged on it wouldn't (or rather won't) load up the desktop properly, preferring to hang at just a screen with the wallpaper and nothing else. So I restarted Windows in Safe Mode and did a Spybot S&D scan, which came up with a few things and successfully cleared them. Windows still wouldn't load properly after this, so I restarted again and chose the "Last Known Good Configuration" option.
    It worked fine, but I noticed something odd: massive ping when playing Battlefield 1942. I knew something was up, and so engaged in the famed 1-6 steps of the "Read and Run Me" post. I did spyware/virus scans etc. in Safe Mode, restarted the comp, and no luck; I was back to square one: the desktop isn't loading properly and the game still has a massive ping.

    I have had to run the browser from Task Manager in order to be able to post this desperate cry for help.

    Well anyway, I have included Panda, BitDefender and HijackThis logs for you to mull over if you can find the time and motivation; it would be much appreciated if so. Panda "disinfected" a virus and detected a load of trojans, and BitDefender alleges it deleted and updated a bunch of infected files.

    Thank you for all your help.
    I would like to contribute to this forum in some way.
     

  2. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Welcome to MajorGeeks.com!

    Please see the threads below on how to install and run Spy Sweeper and Ewido Anti-Malware. After you have run both programs, attach the logs to your next post along with a fresh HJT log from normal mode.
     
  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I see you are still running this illegal copy of Windows. You are going to remain more susceptible to malware problems until you can get your OS updated, which cannot be done on an illegal copy. While getting updated will not make you totally immune (security starts with the end user), it does help a lot.

    This time you have a WareOut infection.
     
  4. silverman

    silverman Private E-2

    Slight problem: I have already used Spy Sweeper and my trial has run out. Not sure Ewido will work either, for the same reason. Got any other options?!
     
  5. silverman

    silverman Private E-2

    Ah well, I still haven't been bothered to go out and get a new copy due to the expense, but I will set some money aside and see what I can do; maybe rack up a second-hand copy, as it seems that it will indeed be worth it in the long run.

    So um, how oh how do I go about exorcising this baby? Please don't tell me it can only be done with Ewido and/or Spy Sweeper, unless there is a way to get around the expired trial period problem.

    Thanks for all your help.
     
  6. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    First, you need to obtain a legit copy of XP so you will not have these problems.

    1. Download and Install CCleaner
      • Note that, when asked to run CCleaner, you should run ONLY the default scan (Windows Tab). Do Not “Scan For Issues”!

    2. Download FixWareout by Lonny and save it to your Desktop.

      Reboot into Safe Mode and then proceed with the rest of this fix!

    3. Please locate your download of FixWareout and INSTALL it.
      • Be sure that Run fixit is checked.
      • Click Finish to begin the fix.
      • Follow the prompts and Reboot when asked to do so.
      • Upon Reboot, follow the prompts and HijackThis should open.

    4. After HJT opens, Click Scan and then Check the boxes for the following, if they should remain:

      O17 - HKLM\System\CCS\Services\Tcpip\..\{149AB171-5B42-4818-9024-CAC5F850D9B8}: NameServer = 85.255.113.140,85.255.112.88
      O17 - HKLM\System\CS1\Services\Tcpip\..\{149AB171-5B42-4818-9024-CAC5F850D9B8}: NameServer = 85.255.113.140,85.255.112.88
      O17 - HKLM\System\CS2\Services\Tcpip\..\{149AB171-5B42-4818-9024-CAC5F850D9B8}: NameServer = 85.255.113.140,85.255.112.88
      O17 - HKLM\System\CS3\Services\Tcpip\..\{149AB171-5B42-4818-9024-CAC5F850D9B8}: NameServer = 85.255.113.140,85.255.112.88


    5. Now, run CCleaner, Be sure you only run the Default Scan (Windows Tab) and select Run Cleaner. Do not run any other options from other tabs.

    6. After ALL of the above has been completed, please REBOOT to normal Windows, scan with HijackThis and ATTACH that log. Please save and attach the log found at C:\fixwareout\report.txt as well.
    Let me know of any problems you may have encountered with the above instructions and how your computer is running now.
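    The four O17 lines above are the actual infection: the NameServer value of one network interface has been pointed at two outside resolvers, and the same value is present in CurrentControlSet (CCS) and in ControlSet001 to ControlSet003, so booting Last Known Good Configuration (which just switches to another control set) does not get rid of it. The script below is an added example, not code from this thread, from HijackThis or from FixWareout: it parses O17 lines from an HJT log and reports any resolver that is not on an allowlist of resolvers the machine is expected to use, together with the control sets it is set in. The allowlist (a home router on RFC 1918 space) and the fifth, benign O17 line with the all-zeros GUID are constructed for the example and do not come from the thread.

```python
"""Triage HijackThis O17 (NameServer) lines for a WareOut-style DNS hijack.

Added example, not from the thread or from HijackThis/FixWareout.  It
reads the O17 lines quoted in the fix above and flags any NameServer
that is not on an allowlist of resolvers the machine should be using.
"""
import ipaddress
import re

# Constructed excerpt: the four O17 lines from the fix above, plus one
# benign line of the same shape (the 192.168.1.1 / all-zeros GUID entry is
# invented for contrast and does not appear in the thread).
HJT_EXCERPT = r"""
O17 - HKLM\System\CCS\Services\Tcpip\..\{149AB171-5B42-4818-9024-CAC5F850D9B8}: NameServer = 85.255.113.140,85.255.112.88
O17 - HKLM\System\CS1\Services\Tcpip\..\{149AB171-5B42-4818-9024-CAC5F850D9B8}: NameServer = 85.255.113.140,85.255.112.88
O17 - HKLM\System\CS2\Services\Tcpip\..\{149AB171-5B42-4818-9024-CAC5F850D9B8}: NameServer = 85.255.113.140,85.255.112.88
O17 - HKLM\System\CS3\Services\Tcpip\..\{149AB171-5B42-4818-9024-CAC5F850D9B8}: NameServer = 85.255.113.140,85.255.112.88
O17 - HKLM\System\CCS\Services\Tcpip\..\{00000000-1111-2222-3333-444444444444}: NameServer = 192.168.1.1
"""

# Resolvers this machine is expected to use (constructed assumption: a home
# router on RFC 1918 space).  Anything outside these networks is reported.
EXPECTED_RESOLVERS = [ipaddress.ip_network("192.168.0.0/16")]

# HJT abbreviates the key: "CCS" is CurrentControlSet, "CS1" is
# ControlSet001, and "Tcpip\..\{GUID}" stands for
# Tcpip\Parameters\Interfaces\{GUID}.
O17_RE = re.compile(
    r"^O17 - HKLM\\System\\(?P<cs>CCS|CS\d+)\\Services\\Tcpip\\\.\.\\"
    r"(?P<guid>\{[0-9A-Fa-f-]+\})\s*:\s*NameServer\s*=\s*(?P<servers>[0-9.,\s]+)$"
)


def parse_o17(text):
    """Return one record per O17 line: control set, interface GUID, resolvers."""
    records = []
    for line in text.splitlines():
        m = O17_RE.match(line.strip())
        if not m:
            continue
        servers = [s.strip() for s in m.group("servers").split(",") if s.strip()]
        records.append({"control_set": m.group("cs"),
                        "guid": m.group("guid"),
                        "servers": servers})
    return records


def is_expected(server, expected=EXPECTED_RESOLVERS):
    """True if the resolver address lies inside one of the allowed networks."""
    try:
        addr = ipaddress.ip_address(server)
    except ValueError:
        return False  # a NameServer value that is not an address is itself suspicious
    return any(addr in net for net in expected)


def rogue_resolvers(records, expected=EXPECTED_RESOLVERS):
    """Map each unexpected resolver to the set of control sets it is configured in.

    A resolver present in CCS and every ControlSet00x survives "Last Known
    Good Configuration", which only switches between those control sets.
    """
    found = {}
    for rec in records:
        for server in rec["servers"]:
            if not is_expected(server, expected):
                found.setdefault(server, set()).add(rec["control_set"])
    return found


def report(text, expected=EXPECTED_RESOLVERS):
    """Human-readable finding lines for an HJT log excerpt."""
    rogue = rogue_resolvers(parse_o17(text), expected)
    return [f"{server}: set in {', '.join(sorted(control_sets))}"
            for server, control_sets in sorted(rogue.items())]


if __name__ == "__main__":
    for finding in report(HJT_EXCERPT):
        print(finding)
```

    Run against the excerpt it prints the two outside resolvers, each marked as set in CCS, CS1, CS2 and CS3, and stays silent about the router entry. On a live XP box the same check is made directly against HKLM\SYSTEM\ControlSet00x\Services\Tcpip\Parameters\Interfaces\{GUID}\NameServer for every control set, which is the point of fixing all four O17 lines rather than only the CCS one.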
     
  7. silverman

    silverman Private E-2

    I was able to run an Ewido scan in Safe Mode before doing what you asked, so I have included a log of that.

    Well, I followed the steps you gave; they seemed to work and there weren't any problems, except that the WareOut fixer required an internet connection, so I had to boot into Safe Mode with Networking.

    Computer seems to be working normally now :) .

    Thanks for all your help.

    Couple of questions though - thing is I have another problem on another PC, should I start up a new thread for that?
    Also, how do you become so good at fixing malware? Do you work in the software industry, or just have much experience of the internet or something like that?
     

  8. silverman

    silverman Private E-2

    Oh dear, I spoke too soon. The computer seems OK, except that I still have a massive ping on BF1942.
     
  9. silverman

    silverman Private E-2

    I noticed that after I used the BitDefender scan that went away temporarily yesterday, but came back some hours later; could it be another infection?
     
  10. silverman

    silverman Private E-2

    Did another BitDefender scan, which claimed to delete some malicious files, and the high ping went also, but I'm not entirely convinced I'm free of the virus/trojan; how can I be sure? Also, the problem on my other PC is fairly serious and of an urgent nature. I'll mention a few of the symptoms on this thread anyway to give you guys a rough idea of what's been going on, and carry it to a new thread if you so wish.

    The PC was being used to browse when it suddenly shut down, instantly. It was switched back on, and worked fine for a short while until it suddenly crashed. When it was restarted, Windows refused to load up at all, hanging at the splash screen; even in Safe Mode it hung at the bit where it lists the files it's loading. I did a basic repair installation of Windows hoping it would allow me in and also maybe fix the problem. Well, it did allow me in, but it was very slow and I couldn't use Excel or Windows Installer, and so I did another, more comprehensive repair install, which made things worse.
    Now it takes ages to load up, and there is no taskbar. The image is scratchy, because the colour is set at 4-bit and the resolution is at 800 by 600 and can't be set any higher. Also, when I try to open Excel it says "Cannot use object linking and embedding", and an hourglass appears upon loading any file and it remains frozen like this. Internet Explorer takes long to load up, and sometimes the entire system freezes and unfreezes after some seconds repeatedly for a few minutes. Spy Sweeper will not work, it froze during the Ewido scan, and the Spybot S&D scan came up with nowt. Trend Micro's scan and BitDefender won't work because they won't load up properly: Firefox asks for a disk from the floppy drive for Trend's scan, and BitDefender won't load because the link to start the scanner won't work. Internet works fine.
    I'll try and get a HijackThis log to you when I can.
     
  11. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Run another scan with BitDefender and Panda; afterwards attach those logs with a fresh HJT log.

    Then see the thread below on how to run WinPfind and attach the log.
     
  12. silverman

    silverman Private E-2

    Did what you asked. Observed that after leaving the comp on for a long time with a download, its wireless connection, which allows it to access the internet, stopped working, and wouldn't until restarting. The wireless card software wouldn't work at all.

    What about my problem with my other PC? Should I start a new thread for that or what? :confused:
    Also, I can't seem to be able to copy or paste on that PC; the other symptoms are mentioned above in my last post.


    Thanks for your continued help.
     

  13. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Download Pocket KillBox
    • Save it to your desktop or a place easy to find.
    • Do not run it yet
    Now, please look in Add/Remove Programs for the following and uninstall them if found:

    Spy Sweeper

    Ewido


    Now scan with HijackThis and check the boxes for the following entries:
    ( Make sure ALL browser windows are closed when you click FIX )

    O4 - HKLM\..\Run: [XpDis0Conf] C:\PROGRA~1\belk\Tool\WinXPDisableZeroConfigation.exe VEN_14E4&DEV_4320&SUBSYS_70011799 /d

    O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)

    Again, make sure ALL browser windows are closed when you click FIX.

    Now, Please boot into Safe Mode, be sure you have the Viewing of Hidden Files & Folders Enabled per the tutorial. Now, navigate to and DELETE the following if they should remain:

    C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine Delete everything in this folder!

    C:\WINDOWS\mui Delete everything in this folder!

    C:\WINDOWS\PIF Delete everything in this folder!

    Next, run CCleaner to clean up cookies and temp files.

    Run full scans with Ad-Aware SE & Spybot S&D and have both programs fix what they find.

    Note: Remember to get all updates before doing the scans.


    Then, as an added precaution, Go to Start > Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
    • Temporary Files
    • Temporary Internet Files
    • Recycle Bin
    And Click OK.


    After you complete the above, REBOOT and proceed with the rest of this fix...


    Locate PocketKillbox
    (Proceed with this step even if they do not show in blue)

    Now, Copy and Paste C:\ms32.tmp into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click NO.

    Now, Copy and Paste C:\WINDOWS\system32\shdocsvc.dll into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click NO.

    Now, Copy and Paste C:\Documents and Settings\SJ\Application Data\uns.tmp into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click YES and allow your PC to reboot.

    • If you get an error message about Pending Operations, just reboot your computer manually.
    After you complete the above, proceed with the rest of this fix below...

    Copy the contents of the below Quote Box to Notepad. Then click File and then Save As. Change the Save as Type to All Files. Name the file fix.reg and then click save. (make sure you save it somewhere you can find it. Saving it to your Desktop may make that easy.) Then double-click on the fix.reg file on your desktop (or locate it with Windows Explorer and double click on it if not saved to the Desktop) and when it prompts to Add in to the registry, say yes.
    Finally, I would like you to flush your System Restore points. Please follow the instructions in the below:


    • Disable and Re-enable System Restore

    • Turn OFF System Restore to flush any bad Restore Points.

    • Then, follow the instructions at the bottom of the linked page to Re-enable the Restore Utility which will create a fresh restore point.
    After you complete the above reboot once more and then scan with HijackThis and attach the new log.

    Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now.
     
  14. silverman

    silverman Private E-2

    Followed the steps you gave me, things seemed to go well.

    However, when I restarted my PC sometime before that, I got the Windows Installer opening and a message that Norton Internet Security doesn't support repair install, please reinstall completely. Suspicious, I did a BitDefender scan, which tried to delete some malicious files present.

    Well anyway, here's the HJT log; hope it's useful in determining the nature of the problem.
     

  15. silverman

    silverman Private E-2

    P.S. That message with the installer comes up when the desktop loads.
     
  16. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Your HJT log looks good, for the other issue I would post that in the software forum.

    Are you having any further malware problems?
     
  17. silverman

    silverman Private E-2

    Oh, uh, I kinda started a thread on that just now on this forum. Errr... sorry.
     
  18. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    The problem I was referring to was the NIS issue you mentioned. Is your other thread malware related for another computer or is it NIS related?
     
  19. silverman

    silverman Private E-2

    To answer your question, it is my belief the other problem is malware related, but hopefully you guys should be able to ascertain fairly well if it is or isn't? All the symptoms seem to suggest that to me. Thanks again for your help on this issue.
     
  20. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Your other thread has been answered, so I guess this one is complete.
     