Having problems with viruses and nothing seems to work.

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by andrewwhatever, Aug 28, 2005.

  1. andrewwhatever

    andrewwhatever Private E-2

    Hey.

    Got a virus a week or so ago. Tried Bitdefender, Spyware Doctor, Spybot, Stinger, Norton, actually tried all the stuff in the sticky up there except for the online scans: the Bitdefender one would crash my computer when I tried it (so I just downloaded the free version), and the other one wouldn't even let me scan.

    Certain "bad" files that keep popping up...

    msupdate.pif
    wuauclt.exe
    lsass.exe
    winlogin.exe

    I know that on and off over the last few days I have had CWS and Surf Accuracy on; some of the programs get them off but they keep coming back.

    Probably a lot more I missed, I'm pretty clueless about this stuff. I'm not sure if it was related to the virus and stuff but I can't get into safe mode and it got to the point where I couldn't even get into Windows, got...

    UNMOUNTABLE_BOOT_VOLUME

    error trying to get into Windows, finally got back in but not sure what was causing that. Still can't get into safe mode. I have Hijack This so I can post the log from that if anyone wants to look at it.

    And another maybe dumb question but I'm a bit ignorant... if I try some more stuff and I can't get this stuff off and I really don't care about salvaging files from this computer (it's mostly just used for surfing, don't have much software or files on here I care about...) is there a quick and easy way to just wipe it all clean and start over?
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Was it winlogin.exe or winlogon.exe? All the other filenames are valid Windows files.

    Why can't you run the online scans? You must use IE to do them. So if you were using another browser, use IE. Also if you cannot do them in safe mode, do them in normal boot mode. What happens when you try to get into safe mode?

    Do you know how to re-install your OS and other system software and drivers from scratch?
     
  3. andrewwhatever

    andrewwhatever Private E-2

    I'm pretty sure it was winlogin back when I wrote it down, though now I noticed I have winlogon popping up in my task manager too.

    As far as the online scans, I'm on a 56k which is bad enough, but the virus stuff is pretty much constantly running crap and making my computer virtually unworkable online. I get about 10-15 minutes online before everything just freezes up on me now. Actually I have to go online twice just to reply to threads here... once to see it, type it out, internet freezes before I finish, get offline, come back online, post... sigh.

    When I try to get into safe mode the system just freezes up with a blue screen and I get the error message...

    IRQL_NOT_LESS_OR_EQUAL

    As far as reinstalling my OS and system drivers I have never done it before, but if it would clear everything up I would definitely try to figure it out.

    Thanks for the help.
     
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please do the below from normal boot mode:

    - Download HijackThis 1.99.1

    - Unzip the hijackthis.exe file to a folder you create named C:\Program Files\HJT

    - Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file.

    - Before running HijackThis: You must close each of the following: your web browser, e-mail client, instant messenger, and programs like notepad, wordpad, MS Word etc. And any other unnecessary running programs.

    - Run HijackThis and save your log file.

    - Post your log as an ATTACHMENT to your next message. (Do NOT copy/paste the log into your post).
     
  5. andrewwhatever

    andrewwhatever Private E-2

    Done.
     

    Attached Files:

  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    No signs of a file named winlogin.exe

    Note: Your OS and IE versions are way out of date and represent a major security risk. After we fix any current problems you must get updated.

    You also have both BitDefender and Symantec Antivirus applications installed. You must use only one AV. Pick one and uninstall the other. Do this before continuing.


    If you are using WinXP or WinMe, make sure you have system restore disabled (per the tutorial).
    For all OS types, make sure viewing of hidden files is enabled (per the tutorial).


    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
    R3 - Default URLSearchHook is missing
    O2 - BHO: Band Class - {00F1D395-4744-40f0-A611-980F61AE2C59} - C:\windows\dsr.dll
    O4 - HKLM\..\Run: [USB Driver4] UpdateXP6.exe
    O4 - HKLM\..\Run: [Windows Security Service] windows.pif
    O4 - HKLM\..\Run: [winoaldap] winoaldap.exe
    O4 - HKLM\..\Run: [Windows DLL Verifier] xptl.exe
    O4 - HKLM\..\RunServices: [Win32 Help] wuihelp.exe
    O4 - HKLM\..\RunServices: [CPU Temp Control] wuitgurd.exe
    O4 - HKLM\..\RunServices: [Provan Security] psecure.exe
    O4 - HKLM\..\RunServices: [USB Driver4] UpdateXP6.exe
    O4 - HKLM\..\RunServices: [Windows Security Service] windows.pif
    O4 - HKLM\..\RunServices: [winoaldap] winoaldap.exe
    O4 - HKLM\..\RunServices: [Windows DLL Verifier] xptl.exe
    O4 - HKCU\..\Run: [Win32 Help] wuihelp.exe
    O4 - HKCU\..\Run: [CPU Temp Control] wuitgurd.exe
    O4 - HKCU\..\Run: [USB Driver4] UpdateXP6.exe
    O4 - HKCU\..\Run: [Windows Security Service] windows.pif
    O4 - HKCU\..\Run: [winoaldap] winoaldap.exe
    O4 - HKCU\..\RunServices: [Windows Security Service] windows.pif
    O4 - HKCU\..\RunServices: [winoaldap] winoaldap.exe
    O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O16 - DPF: {33331111-1111-1111-1111-611111193457} - file://c:\ex.cab
    O16 - DPF: {33331111-1111-1111-1111-611111193458} - file://c:\ex.cab
    O16 - DPF: {64311111-1111-1121-1111-111191113457} - file://c:\eied_s7.cab
    O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai.net/7/19/7125/4053/ftp.coupons.com/r3302/cpbrkpie.cab
    O21 - SSODL: SystemCheck2 - {54645654-2225-4455-44A1-9F4543D34545} - C:\windows\System32\vbsys2.dll
    O23 - Service: Windows HWinfo Loader - Unknown owner - C:\windows\iexplre.exe (file missing)


    After clicking Fix, exit HJT.

    Boot into safe mode and use Windows Explorer to delete:
    C:\windows\dsr.dll
    C:\windows\System32\UpdateXP6.exe
    C:\windows\System32\windows.pif
    C:\windows\System32\winoaldap.exe
    C:\windows\System32\xptl.exe
    C:\windows\System32\wuihelp.exe
    C:\windows\System32\wuitgurd.exe
    C:\windows\System32\psecure.exe
    c:\ex.cab
    c:\eied_s7.cab
    C:\windows\System32\vbsys2.dll
    C:\windows\iexplre.exe


    If you get an error when deleting a file, right click on the file and check to see if the read only attribute is checked. If it is, uncheck it and try again. Otherwise open Task Manager and kill the process if running, then delete the file.


    Now run Ccleaner (installed while running the READ ME FIRST). Now if running Win XP go to c:\windows\Prefetch and delete all files in this folder.

    Now we need to Reset Web Settings:
    1) If you have an Internet Explorer icon on your Desktop, go to step 2. If not, skip to step 3.
    2) Now right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK. Then skip step 3.
    3) If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.

    Now reboot in normal mode and post a new HJT log. And tell us how things are working.
     
  7. andrewwhatever

    andrewwhatever Private E-2

    Ok,

    I did all of that except I couldn't get into safe mode due to that problem I mentioned earlier where it just blue screens me and says IRQL_NOT_LESS_OR_EQUAL before even loading Windows. So I did it all in regular mode.

    As for deleting the files in Windows Explorer after doing the Hijack This stuff, only a few even showed up. Specifically...

    wuihelp.exe
    vbsys2.dll

    The rest seemed to be already gone? So I deleted those two.

    Right now everything *seems* to be running ok, though since I have gotten this virus stuff about a week or two ago every once in awhile I seem to temporarily clean it up for a few hours then it all comes back.

    Also in my Task Manager a few files that seemed bad or questionable are still running...

    lsass.exe
    csrss.exe
    msmsgs.exe
    services.exe
    winlogon.exe

    From my limited knowledge it seems like these are valid file names that are also being used by some viruses or something?

    Anyhow like I said everything seems to be working at least for the moment, so maybe now I should update my OS and IE? I'm not really sure how to do so. The weird thing is when I tried Windows Update a few days ago it froze up on me and I sort of instantly got hit with a bunch more virus problems...
     

    Attached Files:

  8. andrewwhatever

    andrewwhatever Private E-2

    Looks like I spoke too soon, it's all messy and slow already not 10-15 minutes later.
     
  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    The below items are all valid Windows Processes:
    C:\windows\system32\csrss.exe
    C:\windows\system32\winlogon.exe
    C:\windows\system32\services.exe
    C:\windows\system32\lsass.exe
    C:\Program Files\Messenger\msmsgs.exe
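The reason the paths above matter is that the names themselves are no evidence: a process called lsass.exe running from the wrong directory, or a near-miss name such as winlogin.exe, is what the poster should be looking for rather than the names in the list. The following is an added example (not chaslang's, the poster's, or any tool's code) of that triage: it takes a listing of (image name, full path) pairs, such as you would build from tasklist or Process Explorer on the affected machine, and flags right-name/wrong-path images and lookalike names. The sample listing is constructed for illustration.

```python
"""Flag system-process impostors in a process listing (added example)."""
import ntpath

# Expected locations of the processes listed as valid above. Comparison is
# case-insensitive, as NTFS paths are.
EXPECTED_PATHS = {
    "csrss.exe": r"C:\windows\system32\csrss.exe",
    "winlogon.exe": r"C:\windows\system32\winlogon.exe",
    "services.exe": r"C:\windows\system32\services.exe",
    "lsass.exe": r"C:\windows\system32\lsass.exe",
    "msmsgs.exe": r"C:\Program Files\Messenger\msmsgs.exe",
}

# Names within this many single-character edits of a real system process are
# treated as lookalikes (winlogin.exe vs winlogon.exe is distance 1).
LOOKALIKE_DISTANCE = 1


def edit_distance(a, b):
    """Levenshtein distance between two strings (classic dynamic-programming form)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_process(name, path):
    """Return 'ok', 'wrong-path', 'lookalike' or 'unknown' for one running image."""
    key = name.lower()
    if key in EXPECTED_PATHS:
        if ntpath.normcase(path) == ntpath.normcase(EXPECTED_PATHS[key]):
            return "ok"
        return "wrong-path"  # right name, wrong directory: the classic disguise
    for known in EXPECTED_PATHS:
        if edit_distance(key, known) <= LOOKALIKE_DISTANCE:
            return "lookalike"
    return "unknown"  # not a system process name; outside this check's scope


def triage(listing):
    """Return (name, path, verdict) for every wrong-path or lookalike image."""
    hits = []
    for name, path in listing:
        verdict = classify_process(name, path)
        if verdict in ("wrong-path", "lookalike"):
            hits.append((name, path, verdict))
    return hits


# Constructed sample listing; the last two entries are invented to show the two hit types.
SAMPLE_LISTING = [
    ("csrss.exe", r"C:\WINDOWS\system32\csrss.exe"),
    ("winlogon.exe", r"C:\WINDOWS\system32\winlogon.exe"),
    ("services.exe", r"C:\WINDOWS\system32\services.exe"),
    ("msmsgs.exe", r"C:\Program Files\Messenger\msmsgs.exe"),
    ("explorer.exe", r"C:\WINDOWS\explorer.exe"),
    ("lsass.exe", r"C:\WINDOWS\lsass.exe"),                 # real name, wrong directory
    ("winlogin.exe", r"C:\WINDOWS\system32\winlogin.exe"),  # one letter off winlogon.exe
]

if __name__ == "__main__":
    for name, path, verdict in triage(SAMPLE_LISTING):
        print(f"{verdict:10} {name:14} {path}")
```

Anything the allowlist does not name comes back as "unknown" and is deliberately not flagged; the check only answers the question the thread raises, whether an image wearing a system name is where that system image lives.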
     
  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please provide more descriptive information! I do not know what "all messy" means. Also what aspects of using your PC are slow?

    Post a new HJT log, your last one was clean.
     
  11. andrewwhatever

    andrewwhatever Private E-2

    Oops sorry, by "all messy" I mean that when I go online (I'm on 56k) I will be doing nothing but my internet will be constantly sending information out to *something* and it makes my internet super slow, pretty much to the point where pages won't even load or will take a few tries just to load. Other than that my computer seems to run fine offline, except for that problem where I can't get into safe mode, not sure if that is related to this stuff or not. Also it freezes up when I try to shut down my computer sometimes, which it never did before I got this virus stuff.

    I think some of this stuff running while I'm online might be Bitdefender and its automatic updates? But it gets ridiculous, like I will be online for like 15 minutes and like 15 MB will have been SENT, whereas I get almost nothing back, so I doubt it is updates. And when I first noticed the viruses it would be all this stuff running in the background slowing everything down, it seems like I got most of that stuff off since but I'm not sure, something is still running.

    Anyway I am posting my new Hijack This log, but I should first say that after I did everything before both of these came back...

    O4 - HKLM\..\RunServices: [Windows Security Service] windows.pif
    O4 - HKCU\..\Run: [Windows Security Service] windows.pif

    So I deleted them through Hijack This again and checked for them on my hard drive, didn't find the file on there but I found that the prefetch file for this also came back so I deleted that again. I don't think they came back again yet since then, but if they did once I assume they will again...
     

    Attached Files:

  12. andrewwhatever

    andrewwhatever Private E-2

    Hmm, I just ran it again when problems popped up, I attached the new log. This stuff seems new...

    O17 - HKLM\System\CCS\Services\Tcpip\..\{1C145B0F-F81E-4CC2-B318-23696BF99CD9}: NameServer = 205.171.3.65 205.171.2.65
    O17 - HKLM\System\CS1\Services\Tcpip\..\{1C145B0F-F81E-4CC2-B318-23696BF99CD9}: NameServer = 205.171.3.65 205.171.2.65
     

    Attached Files:
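The O4 autostart lines from post #6 and the O17 NameServer lines just above share the same two tells: an autostart entry that is a bare filename or a .pif, and resolver addresses that are not the ones the user's ISP assigns. The block below is an added example, not HijackThis' own code and not anything posted in the thread; it parses both line shapes as they appear here and reports what trips a check. EXPECTED_NAMESERVERS is a constructed placeholder (documentation-range addresses) standing in for the ISP's real resolvers, which you would take from ipconfig /all on a known-clean connection; the benign ExampleTray entry in the sample log is also constructed.

```python
"""Triage HijackThis O4 (autostart) and O17 (DNS NameServer) lines (added example)."""
import ntpath
import re

O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>Run\w*): \[(?P<label>[^\]]*)\] (?P<cmd>.+)$")
O17_RE = re.compile(r"^O17 - (?P<key>\S+): NameServer = (?P<servers>.+)$")

# Placeholder: documentation-range addresses standing in for the ISP's real resolvers.
EXPECTED_NAMESERVERS = {"192.0.2.53", "198.51.100.53"}

# .pif is a DOS shortcut format that Windows executes; it is what the thread's
# windows.pif and msdos.pif entries used. Extend the set as needed.
SUSPICIOUS_EXTS = {".pif"}


def first_token(cmd):
    """Executable part of an autostart command: the quoted path, or the first word."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0] if cmd else ""


def check_o4(match):
    """Reasons an O4 Run/RunServices entry deserves a look (empty list = nothing odd)."""
    exe = first_token(match["cmd"])
    reasons = []
    ext = ntpath.splitext(exe)[1].lower()
    if ext in SUSPICIOUS_EXTS:
        reasons.append(f"{ext} autostart")
    # A bare filename is resolved through the search path at logon, so the binary can
    # sit in system32 (as the deletion list in post #6 shows) without the log saying so.
    if "\\" not in exe and ":" not in exe:
        reasons.append("bare filename, no full path")
    return reasons


def check_o17(match):
    """Each configured resolver that is not one of the ISP's own."""
    return [f"unexpected NameServer {s}" for s in match["servers"].split()
            if s not in EXPECTED_NAMESERVERS]


def triage(log_lines):
    """Return (line, reason) pairs for every O4/O17 line that trips a check."""
    findings = []
    for raw in log_lines:
        line = raw.strip()
        m = O4_RE.match(line)
        if m:
            findings.extend((line, r) for r in check_o4(m))
            continue
        m = O17_RE.match(line)
        if m:
            findings.extend((line, r) for r in check_o17(m))
    return findings


# Constructed sample: three lines copied from the thread plus one benign full-path entry.
SAMPLE_LOG = [
    r"O4 - HKLM\..\Run: [Windows Security Service] windows.pif",
    r"O4 - HKCU\..\Run: [Win32 Help] wuihelp.exe",
    r"O4 - HKLM\..\Run: [ExampleTray] C:\Program Files\Example\tray.exe",
    r"O17 - HKLM\System\CCS\Services\Tcpip\..\{1C145B0F-F81E-4CC2-B318-23696BF99CD9}: NameServer = 205.171.3.65 205.171.2.65",
    r"R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank",  # not checked here
]

if __name__ == "__main__":
    for line, reason in triage(SAMPLE_LOG):
        print(f"{reason:32} {line}")
```

For an unquoted path containing spaces only the first word is inspected, which is still enough to tell a full path from a bare filename; the O17 check is only as good as the allowlist, so fill it from the ISP's published resolvers, not from the infected machine.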

  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Is the below your ISP? That's who the ISP's belong to.

    Code:
    OrgName:    Colorado SuperNet, Inc.
    OrgID:      CSN
    Address:    950 17th Street
    Address:    Suite 1900
    City:       Denver
    StateProv:  CO
    PostalCode: 80202
    Country:    US

    Try the below to see if any required system files are missing. sfc is System File Check.

    Open a command prompt window by clicking Start, Run, and enter cmd and click OK. Enter the below command followed by the enter key and describe what happens.

    sfc /scannow

    Let me know if this finds anything wrong.

    I think you need to get your Windows updates! Your log is clean. Go to the below thread and start at step 1:

    How to Protect yourself from malware!
     
  14. andrewwhatever

    andrewwhatever Private E-2

    That is not my ISP, mine is PNG USA.

    http://www.isp-listing.com/subject.phtml?id=1025

    I ran the scan now thing and it just sort of ran and finished and nothing came up, does that mean it is ok?

    I'll get on doing that stuff to protect the computer, but I'm pretty sure something is still here. The internet is still having problems where huge amounts of data are being sent out from my computer and slowing it down, which is going to make it tough to do much downloading to protect the computer. Also, I ran HJT again and these popped up this time...

    O4 - HKLM\..\Run: [MSDOS Security Service] msdos.pif
    O4 - HKLM\..\RunServices: [MSDOS Security Service] msdos.pif

    Are these valid files? I attached the log again so you can see it.
     

    Attached Files:

  15. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You can fix those O17 lines then. Fix the new O4 lines too.

    But you need to go and do the first three steps (I think you already have # 2 though) of the HOW to protect thread immediately. You are going to keep having these problems until you get your updates and a firewall. In fact in your case, I would do step # 3 first and then do step 1.
     
  16. andrewwhatever

    andrewwhatever Private E-2

    Ok I got the Sygate firewall running now, got all my Windows updates done, cleared out that new stuff in Hijack This. I also updated Firefox. The only thing I couldn't get done is switching the Active X stuff in Explorer, when I go to that page the "custom" button is not clickable.
     
  17. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Let's see a current HijackThis log so we can see how far your updates went. I believe you mean iexplore not explorer. Are you logged on with Administrator privileges?
     
  18. andrewwhatever

    andrewwhatever Private E-2

    I attached my new Hijack This files, these guys are still on there...

    O17 - HKLM\System\CCS\Services\Tcpip\..\{1C145B0F-F81E-4CC2-B318-23696BF99CD9}: NameServer = 205.171.3.65 205.171.2.65
    O17 - HKLM\System\CS1\Services\Tcpip\..\{1C145B0F-F81E-4CC2-B318-23696BF99CD9}: NameServer = 205.171.3.65 205.171.2.65

    I think they are causing problems.

    Right now I'm also having a new problem since I installed the firewall, I took out Sygate and put in ZoneAlarm but I'm still having this problem. Basically what happens is this... about 10 minutes into being online it won't let me access any new webpages. It just pops up with a message "can't find www.whatever.com" but it pops up instantly like it didn't even TRY to find it. The weird thing is that whatever site I'm on still works, it will send and receive data for it, it just won't let me go to anywhere else. And with the ZoneAlarm running it seems like it stopped all that stuff running in the background so it isn't like it is being overloaded or anything. This problem happens with both firewalls, not sure what is wrong.
     

    Attached Files:

  19. andrewwhatever

    andrewwhatever Private E-2

    Oh, and I am an administrator on this computer.
     
  20. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You do not have any of the Windows Updates installed. Your HJT log still shows original Win XP:

    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)
     
  21. andrewwhatever

    andrewwhatever Private E-2

    Hmm, I went to the Windows Update site by clicking my Windows Update thingy in my program menu, is this the right site?

    http://update.microsoft.com/windowsupdate/v6/default.aspx?ln=en-us

    Now I'm worried about if the virus hijacked it or something, I went there just yesterday and downloaded everything in the "express" (recommended) updates thing and it all downloaded and installed fine. Now it is saying I need the Windows XP service pack 2, which wasn't there yesterday.

    Which, by the way, it says is 75 MB and will take over 5 hours to get on my computer... I highly doubt my computer would last half that long online.
     
  22. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    It may not have shown the XP SP2 update yesterday because other things were needed first. You can also click on Custom Install and do individual selections of updates. But you really do need to get to SP2 level. There are places where SP1 or SP1a can be downloaded but they are very big too. Dial-up is a problem when you need big updates like this. WinXP SP2 can be ordered on CD from Microsoft. The info for this may be on the Updates site or someone in the Software Forum can probably tell you how to order the update from MS.
     
    Last edited: Sep 2, 2005
