A big problem again, please, help!!!

Discussion in 'Malware Help (A Specialist Will Reply)' started by maxijanko, Mar 17, 2007.

  1. maxijanko

    maxijanko Private E-2

    Heavy problem in my PC, please, help!!!

    Hi, all

    Since yesterday my PC has been damaged. I was browsing the internet when suddenly a virus entered my computer without being blocked by the Zone Alarm firewall. A red exclamation icon appeared at the bottom right of the screen advising of the presence of malware on the computer. Afterwards, a message appeared in the center of the screen signaling the presence of a Trojan: Trojan Adware.W32.ExpDwnldr, and by choosing yes, software would be installed on the computer in order to remove it; I remember something about a website called onlinestability.com. Of course, I chose no, but after a few minutes the red exclamation icon appeared again, as well as the Trojan message, and this happened repeatedly. The fact is that 3 supposed anti-malware programs appeared on the screen, one of them called WinDoctor if I'm not wrong.
    As a result of all of this, I started to run my antispyware programs: Ad-aware, Spybot, AVG Anti-Spyware, a-squared. I ran HijackThis to see the processes running. Moreover, while I was looking for software which could remove this malware, Error Safe and Drive Cleaner were also detected for the first time since the last scan, which I did a few days ago.

    After a while, a blue screen appeared and the computer restarted itself. Whether I choose safe mode, normal mode, or the last known good configuration, the PC always restarts itself. In safe mode, the Windows loading screen doesn't appear and the computer restarts before it. In normal mode or the last known good configuration, the Windows loading screen is shown but after some seconds the loading stops and the system restarts.


    The problem is that now I don't have access to the Windows session to remove the malware I have mentioned. I don't know if it is usual not to have access in safe mode; on other occasions I had access in safe mode and fortunately I was able to solve the problems. This time I'm quite worried.

    I need your help extremely urgently; any advice you could give me, any explanation of what may have happened, or any interesting links you know of would be appreciated.

    Thank you very much for your help. I'll carry on looking for possible solutions.
     
  2. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Re: Heavy problem in my PC, please, help!!!

    Welcome to Majorgeeks!

    Please follow our standard cleaning procedures which are necessary for us to provide you support. Also there are steps included for installing, running, and posting HijackThis logs as attachments.
    • Run ALL the steps in this Sticky thread READ & RUN ME FIRST Before Asking for Support
    • Make sure you check version numbers and get all updates.
    • Very Important: Make sure you tell us the results from running the tutorial...was anything found? Were you unable to complete any of the scans?...Were you unable to download any of the tools?...Did you do the on-line scans as suggested? etc.
    • After doing ALL of the above you still have a problem make sure you have booted to normal mode and run the steps in the below link to properly use HijackThis and attach a log:
    Make sure you also rename HijackThis.exe as suggested in the procedures. Use analyse.exe for the new name. This is very important due to some new infections going around.
    • When you return to make your next post, make sure you attach the following logs and that you have run these scans in the following order too:
      • CounterSpy
      • AVG Anti-Spyware log - ONLY IF NEEDED, i.e. you were not able to run CounterSpy
      • Bitdefender - from step 6
      • Panda Scan - from step 6
      • runkeys.txt - the log from GetRunKey.bat
      • newfiles.txt - the log from ShowNew.bat
      • HijackThis
    NOTE: You can only attach 3 files in a single message so it will require that you use two messages to attach all of these logs!
     
  3. maxijanko

    maxijanko Private E-2

    During the weekend I was fighting to get the computer working properly. It crashed last Friday after a trojan called Trojan Adware.W32.ExpDwnldr entered my computer.
    I have a heavy problem. I thought I had partially repaired the computer because I was able to access the normal Windows session without problems 2 days ago. I ran all the antispyware software in order to clean the computer and remove all the spyware. Today it has crashed again and I have the same problem as some days before: I can't access the Windows session, impossible.
    With Spyware Doctor I detected Clean Driver and Adware.Sogou but I was unable to remove them. Is the crash because of them? Maybe. I have a big problem.

    This is the HijackThis log from 2 days ago, after starting the computer in normal mode and having run all the antispyware software.

    Edit: removed inline hijackthis log
     
    Last edited by a moderator: Mar 20, 2007
  4. DavidGP

    DavidGP MajorGeeks Forum Administrator - Grand Pooh-Bah Staff Member

    Hi

    you will need to complete the guide TimW posted above and attach the logs, for our malware experts to be able to assist you in removing your malware.
     
  5. maxijanko

    maxijanko Private E-2

    I can't follow TimW's instructions because I can't boot in safe mode.
    The only way to give you some information is by posting the HijackThis log from last Sunday.

    I'll give you the previous explanation first, in order to help you a little more.

    I have a heavy problem. I thought I had partially repaired the computer because I was able to access the normal Windows session without problems 2 days ago. I ran all the antispyware software in order to clean the computer and remove all the spyware. Today it has crashed again and I have the same problem as some days before: I can't access the Windows session, impossible.

    As I have mentioned in the other message, with Spyware Doctor I detected Clean Driver and Adware.Sogou but I was unable to remove them. Is the crash because of them? Maybe. I have a big problem.

    This is the HijackThis log from 2 days ago, after starting the computer in normal mode and having run all the antispyware software.

    Logfile of HijackThis v1.99.1
    Scan saved at 23:27:55, on 18/03/2007
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Archivos de programa\Sunbelt Software\CounterSpy\Consumer\sunThreatEngine.exe
    C:\Archivos de programa\Sunbelt Software\CounterSpy\Consumer\SunProtectionServer.exe
    C:\Archivos de programa\SpyCatcher 2006\SpyCatcher.exe
    C:\Archivos de programa\SpyCatcher 2006\Protector.exe
    C:\Archivos de programa\SpyCatcher 2006\Scheduler daemon.exe
    C:\Archivos de programa\Microsoft Office\Office10\WINWORD.EXE
    C:\Documents and Settings\Xavier\Mis documentos\Mis_documentos\Antispyware\Hijackthis\hijackthis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    R3 - Default URLSearchHook is missing
    O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Archivos de programa\Yahoo!\Companion\Installs\cpn0\yt.dll
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Archivos de programa\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Archivos de programa\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Archivos de programa\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\archivos de programa\google\googletoolbar3.dll
    O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Archivos de programa\MSN Apps\MSN Toolbar\01.02.5000.1021\es\msntb.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Archivos de programa\MSN Apps\MSN Toolbar\01.02.5000.1021\es\msntb.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Archivos de programa\Yahoo!\Companion\Installs\cpn0\yt.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\archivos de programa\google\googletoolbar3.dll
    O4 - HKLM\..\Run: [TkBellExe] "C:\Archivos de programa\Archivos comunes\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
    O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
    O4 - HKLM\..\Run: [Jet Detection] "C:\Archivos de programa\Creative\SBLive\PROGRAM\ADGJDet.exe"
    O4 - HKLM\..\Run: [avast!] C:\ARCHIV~1\ALWILS~1\Avast4\ashDisp.exe
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
    O4 - HKLM\..\Run: [AgenteADSL_15] C:\Archivos de programa\Telefonica\KitAIM\AimExDll.exe AimGestA.dll 10 run
    O4 - HKLM\..\Run: [SunServer] C:\Archivos de programa\Sunbelt Software\CounterSpy\Consumer\sunserver.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Archivos de programa\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [Zone Labs Client] "C:\Archivos de programa\Zone Labs\ZoneAlarm\zlclient.exe"
    O4 - HKLM\..\Run: [SpyCatcher Reminder] "C:\Archivos de programa\SpyCatcher 2006\SpyCatcher.exe" reminder
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE
    O4 - Global Startup: Inicio rápido de Adobe Reader.lnk = C:\Archivos de programa\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Archivos de programa\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: SpyCatcher Protector.lnk = C:\Archivos de programa\SpyCatcher 2006\Protector.exe
    O16 - DPF: {39D420B3-E0EB-424C-89AA-C24F8DE7EF79} (KooPlayer Control) - http://www.vivitv.com/KooPlayer.ocx
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://mire1989.spaces.live.com//PhotoUpload/MsnPUpld.cab
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARCHIV~1\MSNMES~1\MSGRAP~1.DLL
    O20 - AppInit_DLLs: interceptor.dll
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Archivos de programa\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: avast! Antivirus - Unknown owner - C:\Archivos de programa\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - Unknown owner - C:\Archivos de programa\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
    O23 - Service: avast! Web Scanner - Unknown owner - C:\Archivos de programa\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
    O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Archivos de programa\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Archivos de programa\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
     
  6. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    I'm having a slight difficulty understanding you ......so we need to be a little more specific with each other....:)

    Are you saying that you cannot get into either safe or normal mode? Have you done a "Repair installation" with the original CD? Where are you at right now? No "Windows XP" at all? Loads to a certain point then stops? Goes to a BSOD and crashes when you try to start up?

    This is all that is in your HJT log:

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R3 - Default URLSearchHook is missing

    But if you can't start you system ...then a fix for those items won't be possible.

    This shows infection ..but it also indicates that it is a "past" infection. That does not mean there isn't more ....but we need to know where to start.
     
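The triage TimW does by eye above (picking the R0/R3 residue out of a HijackThis log and ignoring the rest) can be automated for the parts of the format that are mechanical. The script below is an added example, not code from this thread, from HijackThis or from MajorGeeks' procedures. It parses the "<code> - <body>" entry lines of a v1.99-style log and applies a handful of generic checks: blank R0 pages and the missing R3 URLSearchHook (the "past infection" residue), O4 Run entries whose command has no path (Windows resolves those by PATH search, so the real file must be located before it is trusted), O16 ActiveX downloads from external hosts, any DLL listed under O20 AppInit_DLLs (loaded into every process that links user32), and O23 services whose binary is "(file missing)". The rules, the SAMPLE_LOG lines and every name in them (Example, helper.dll, hook.dll, example.invalid) are constructed for this example and are assumptions of the example; a flagged line means "verify this", not "this is malware".

```python
"""Minimal HijackThis (v1.99-style) log triage.

Added example, not code from the thread or from HijackThis itself. The rules
below are generic triage heuristics (assumptions of this example), not a
verdict on any particular machine: a flagged line means "verify", not "malware".
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Entry lines look like "<section code> - <body>", e.g.
#   O4 - HKLM\..\Run: [Name] C:\path\file.exe
# Header lines ("Logfile of ...", "Running processes:", bare paths) do not match.
_ENTRY = re.compile(r"^(?P<code>[RFNO]\d{1,2}) - (?P<body>.+)$")
_URL = re.compile(r"https?://\S+", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    code: str    # HijackThis section code (R0, O4, O16, ...)
    reason: str  # why a practitioner should look at it
    detail: str  # the item to check (DLL name, URL, command, ...)


def parse_hjt(text: str) -> list[tuple[str, str]]:
    """Return (code, body) pairs for every entry line; other lines are skipped."""
    entries = []
    for raw in text.splitlines():
        m = _ENTRY.match(raw.strip())
        if m:
            entries.append((m.group("code"), m.group("body")))
    return entries


def _run_command(body: str) -> str:
    """For an O4 body such as 'HKLM\\..\\Run: [Name] cmd', return 'cmd'."""
    return body.split("]", 1)[1].strip() if "]" in body else body


def triage(entries: list[tuple[str, str]]) -> list[Finding]:
    """Apply the heuristic checks; order of findings follows the log."""
    findings: list[Finding] = []
    for code, body in entries:
        if code == "R3" and "URLSearchHook is missing" in body:
            findings.append(Finding(code, "default URLSearchHook missing: typical residue of a removed browser hijacker", body))
        elif code == "R0" and body.rstrip().endswith("="):
            findings.append(Finding(code, "blank IE start/local page: harmless leftover, reset it to a known value", body))
        elif code == "O4":
            cmd = _run_command(body)
            # A quoted or drive-qualified command names a concrete file; a bare
            # name is resolved by PATH search and cannot be verified from the log.
            if not cmd.startswith('"') and "\\" not in cmd:
                findings.append(Finding(code, "Run entry with an unqualified path: locate the real file before trusting it", cmd))
        elif code == "O16":
            m = _URL.search(body)
            if m:
                findings.append(Finding(code, "ActiveX control downloaded from an external host: remove unless the site is recognised", m.group(0)))
        elif code == "O20" and body.startswith("AppInit_DLLs:"):
            dlls = body.split(":", 1)[1].strip()
            if dlls:  # an empty AppInit_DLLs value is the normal state
                findings.append(Finding(code, "AppInit_DLLs is loaded into every user32-linked process: verify the publisher of each DLL", dlls))
        elif code == "O23" and "(file missing)" in body:
            findings.append(Finding(code, "service whose binary is not on disk: stale registration or a deleted payload, remove the service entry", body))
    return findings


def triage_log(text: str) -> list[Finding]:
    return triage(parse_hjt(text))


# Constructed sample modelled on the v1.99 log format; names and hosts are invented.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\System32\smss.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R3 - Default URLSearchHook is missing
O2 - BHO: Example Helper - {00000000-0000-0000-0000-000000000000} - C:\Program Files\Example\helper.dll
O4 - HKLM\..\Run: [Updater] "C:\Program Files\Example\updater.exe" -silent
O4 - HKLM\..\Run: [Helper] HELPER.EXE
O16 - DPF: {11111111-1111-1111-1111-111111111111} (Player Control) - http://example.invalid/Player.ocx
O20 - AppInit_DLLs: hook.dll
O23 - Service: Example Scanner - Unknown owner - C:\Program Files\Example\scan.exe" /service (file missing)
O23 - Service: Example Monitor - Example Ltd - C:\Program Files\Example\mon.exe
"""

if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print(f"{f.code}: {f.reason}\n    -> {f.detail}")
```

Run on the constructed sample it reports six lines (R0, R3, the bare HELPER.EXE Run entry, the O16 download, hook.dll under O20 and the file-missing O23 service) and stays silent on the quoted-path Run entry, the BHO and the service that still has its binary. Each rule is deliberately narrow; a real triage still needs the file itself (publisher, hash, location) before anything is deleted.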
