How can I find out how these viruses are getting into this PC?

Discussion in 'Malware Help (A Specialist Will Reply)' started by docfxit, Nov 8, 2007.

  1. docfxit

    docfxit Private E-2

    I'd like to find out how I am getting Trojans on this PC.

    Today my AntiVirus caught / deleted three more files.
    C:\docume~1\UserName\Locals~1\Temp\yqlqmipk.dll
    C:\docume~1\UserName\Locals~1\Temporary Internet Files\Content.IE5\6992xxj5\mosx1024[1]

    Both infected with Win32/Darksma.FR

    Yesterday my antivirus caught three files infected with the Vundo trojan.

    I did remove the Vundo trojan but I'm still trying to get my wireless connection working.

    My question is how are these getting into my PC?

    I have ZoneAlarm Pro ver. 55_094_000. I know this is an old version. I didn't want the newer version because of the need to answer popup windows all the time.
    XP Pro sp1 with all updates.
    CA antivirus ver. 8.4.0.24 It's the latest version with the latest updates.
    I regularly run
    Ad-Aware 2007 with the latest updates
    Spybot ver. 1.4 with the latest updates
    I don't use Internet Explorer.
    I do use Firefox ver. 2.0.0.8
    I have removed all old versions of Java from: C:\Program Files\Java
    The only version I have is: C:\Program Files\Java\jre1.6.0_03
    I don't have any email on this PC.

    Because something was caught in Temporary internet files something on my machine must be using IE.

    How can I find out how these viruses are getting into this PC?

    Thank you,

    Docfxit
     
  2. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Perhaps you would like to do the READ & RUN ME FIRST. Malware Removal Guide
     
  3. docfxit

    docfxit Private E-2

    Thank you for the suggestion. I have performed everything on the Malware Removal Guide.

    I currently have the LAN and the Wireless disabled. After executing all programs described in the Malware Removal Guide I am still seeing files being created on the system. I am finding them with SuperAntiSpyware.
    Adware.Vundo Variant

    I am not connected to a LAN or the internet so there must still be something creating these files on the system. I have run SuperAntiSpyware many times re-booting in between each run and new files come back every time.

    VundoFix and VirtumundoBeGone do not detect any files.

    I am also seeing Explorer.exe requesting a diskette during the boot process sometimes.

    Thank you very much for looking at this for me.

    Docfxit
     


  4. docfxit

    docfxit Private E-2

    Additional files attached.

    Thank you,

    Docfxit
     


  5. docfxit

    docfxit Private E-2

    Additional files attached.

    Thank you,

    Docfxit
     


  6. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Using cracked software is one good way to get infected .....you also do not have service pack 2 installed...which is another security hole in your system.

    Please use add/remove programs to uninstall:
    J2SE Runtime Environment 5.0 Update 1
    J2SE Runtime Environment 5.0 Update 10
    J2SE Runtime Environment 5.0 Update 11
    J2SE Runtime Environment 5.0 Update 6
    J2SE Runtime Environment 5.0 Update 9
    Java 2 Runtime Environment, SE v1.4.2_07


    Run HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    After clicking fix, exit HJT.

    Now copy the bold text below to Notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.
    Now download The Avenger by Swandog469, and save it to your Desktop.

    * Extract avenger.exe from the Zip file and save it to your desktop
    * Run avenger.exe by double-clicking on it.
    * Check the 'Input script manually' box.
    * Click on the magnifying glass icon.
    * Copy everything in the Quote box below, and paste it in the box that opens:

    * Now click the 'Done' button.
    * Click on the traffic light icon and OK the prompt.
    * You will be prompted to restart, OK the prompt and your PC should reboot, if not, reboot it yourself.
    * A log file from Avenger will be produced at C:\avenger.txt

    Attach new logs for:
    ShowNew
    GetRunKeys
    HJT
    Avenger
     
  7. docfxit

    docfxit Private E-2

    Thank you very much for taking the time to help me clean up this PC.

    I will let the owner know.

    I think it's time this gets upgraded to SP2


    I think I have completed all the tasks you listed.

    I am very grateful for all the help you are giving. I would like to give you a little feedback with the errors that came up upon re-boot.

    1. SWSA
    ISAKMP socket initialization failed.
    2. Mobile Devices Properties
    The TCP/IP network transport is not installed.

    Thank you for your help.

    Docfxit
     


  8. docfxit

    docfxit Private E-2

    One More file
     


  9. docfxit

    docfxit Private E-2

    I know you/we aren't done and I'm not trying to rush you. I thought you might like a little more feedback:

    I ran SuperAntiSpyware. It found three items:
    Vundo-Variant
    1. C:\Progra~1\HiJackThis\Backups\Backupxxxxx.dll
    2. C:\Windows\System32\hxitoszc.dll
    3. C:\Windows\System32\Jvtejwiq.dll

    Thank you,

    Docfxit
     
  10. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Run HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    After clicking Fix, exit HJT.

    * Run avenger.exe by double-clicking on it.
    * Check the 'Input script manually' box.
    * Click on the magnifying glass icon.
    * Copy everything in the Quote box below, and paste it in the box that opens:
    * Now click the 'Done' button.
    * Click on the traffic light icon and OK the prompt.
    * You will be prompted to restart, OK the prompt and your PC should reboot, if not, reboot it yourself.
    * A log file from Avenger will be produced at C:\avenger.txt

    Attach new logs for:
    ShowNew
    GetRunKeys
    HJT
    Avenger
     
  11. docfxit

    docfxit Private E-2

    Thank you for the suggestions.

    I performed everything you suggested.

    I also deleted the file:
    C:\Documents and Settings\All Users\Start Menu\Online Security Guide.lnk

    I added a slash to the following
    I changed the files to delete to:
    Files to delete:
    C:\WINDOWS\system32\hxitoszc.dll
    C:\WINDOWS\system32\hxitos~1.dll
    C:\WINDOWS\system32\jvtejwiq.dll
    C:\WINDOWS\system32\odjmiyhn.dll
    C:\WINDOWS\system32\xcectiah.dll
    C:\WINDOWS\system32\mcrh.tmp
    C:\WINDOWS\system32\nhyimjdo.ini

    Thanks for the help.

    Docfxit
     

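The Vundo files named in this thread share two traits a defender can check a directory listing for: a base name of eight random lowercase letters, and an .ini whose name is a .dll name spelled backwards (odjmiyhn.dll pairs with nhyimjdo.ini). The script below is an added example, not part of the thread or of any tool mentioned in it; the KNOWN_GOOD allowlist and SAMPLE_LISTING are constructed for illustration.

```python
import re
from typing import Dict, Iterable, List, Tuple

# Two traits of the Vundo/Virtumonde files listed in this thread: a base name of
# eight random lowercase letters, and an .ini whose base name is a .dll's name
# spelled backwards (odjmiyhn.dll pairs with nhyimjdo.ini).
RANDOM_NAME = re.compile(r"^([a-z]{8})\.(dll|ini)$")

# Legitimate Windows files that also happen to be eight letters. A real
# baseline would be built from a known-clean machine; this set is a stub.
KNOWN_GOOD = {"browseui", "setupapi", "imagehlp", "wintrust", "powrprof", "shfolder"}


def find_suspicious(filenames: Iterable[str]) -> Dict[str, List]:
    """Return random-looking names and reversed .dll/.ini pairs in a listing."""
    stems: Dict[str, set] = {}
    for name in filenames:
        m = RANDOM_NAME.match(name.lower())
        if m and m.group(1) not in KNOWN_GOOD:
            stems.setdefault(m.group(1), set()).add(m.group(2))
    pairs: List[Tuple[str, str]] = []
    for stem, exts in stems.items():
        rev = stem[::-1]
        if "dll" in exts and "ini" in stems.get(rev, set()):
            pairs.append((stem + ".dll", rev + ".ini"))
    random_named = sorted(f"{s}.{e}" for s, es in stems.items() for e in es)
    return {"random_named": random_named, "reversed_pairs": sorted(pairs)}


# Constructed listing mixing file names from the thread with normal system files.
SAMPLE_LISTING = [
    "kernel32.dll", "browseui.dll", "setupapi.dll", "msvcrt.dll",
    "odjmiyhn.dll", "nhyimjdo.ini", "hxitoszc.dll", "Jvtejwiq.dll",
    "xcectiah.dll", "mcrh.tmp",
]

if __name__ == "__main__":
    import os
    import sys
    # Pass a directory (e.g. C:\WINDOWS\system32) to scan it; otherwise use the sample.
    listing = os.listdir(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_LISTING
    report = find_suspicious(listing)
    for dll, ini in report["reversed_pairs"]:
        print(f"reversed pair: {dll} <-> {ini}")
    for name in report["random_named"]:
        print(f"random-looking name: {name}")
```

A hit is a lead for the scanners the thread uses, not proof of infection; the allowlist shows why such a heuristic needs a clean-machine baseline before it is trusted.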

  12. docfxit

    docfxit Private E-2

    Next File
     


  13. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Some days are better than others.....I'll have to go look for the missing slashes. :D

    I'm not sure what to tell you about the error messages that you got ....it could be from the cracked OS ...I just can't tell.

    You could try running (from a legit os cd) sfc /scannow to see if it replaces/repairs any system files.

    And I assume that you will be installing SP2?

     
  14. docfxit

    docfxit Private E-2

    Thank you very much for your help.

    I think I'm ready to install SP2. I have an SP2 cd. I have backed up the PC. I thought I saw a post on preparing to install SP2 from CD. I can't seem to find it now. I thought I had it bookmarked.

    Does anyone know how I can prepare for the SP2 update so I will have the least number of problems?

    Thank you,

    Docfxit
     
  15. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Just create a restore point before you begin the download ...then it will also create its own restore point....you should have no problems.
     
  16. docfxit

    docfxit Private E-2

    I ended up having all kinds of problems with the sp2 update. I was on the phone with MS support for 4 days and finally finished the clean up during the next 2 days.

    MS recommends not updating from CD. They recommend downloading the SP2 update and running it from the hard drive in Safe Mode. Luckily I did a Ghost backup before I started so I could restore everything after it was really messed up after the first update.

    You can download the update by going to the MS web site and putting "Download SP2" in the search box in the upper right. Select the second link.

    Thanks,

    Docfxit
     
  17. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Your XP SP2 CD must not have been good ....where did you get it?
     
