Auto-disconnect & other problems

Discussion in 'Malware Help (A Specialist Will Reply)' started by chusma, May 19, 2006.

  1. chusma

    chusma Private E-2

    Good evening,

    I have been following your instructions on how to deal with virus problems for several hours, starting with "READ & RUN ME FIRST Before Asking for Support" and following with "Downloading, Installing, and Running HijackThis". I installed each and every app you recommended, and got blank logs from all except Panda and HJT; those two I attach.

    I have XP SP2, I use IE and Mozilla Firefox; the antivirus came installed, I keep it updated but it has never found anything (sorry, I can't look it up and don't remember the brand, none of the typical ones). I use the XP firewall, and keep the system more or less updated.

    But I still get the following symptoms:
    - I start working on my PC, everything looks all right; at some point I try to open a new window (an app or anything else) or try to get data from the internet, and the system seems to try and blocks.
    - I restart the PC and it still doesn't do a thing.
    - I unplug it from the internet and everything starts to work OK.
    - Sometimes a message appears like the one Sasser used to show, informing that the system is about to shut itself down in 60 seconds, but the failing process is services.exe. The last time, it said "NtAuthority/System" was the origin of the problem.

    I need this PC because I work with it, so any help is welcome.


    Thanks
     


  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Majorgeeks!

    Note: The Windows firewall is not a true firewall and does not provide adequate protection. You will need to get a real firewall installed (we will do that at the end of your cleanup procedures).

    Some of your problems may not be due to malware!

    Serious Note: If you have files like ibm0001.exe on your PC, you could have a serious problem to deal with related to a password stealing trojan. Your financial accounts (passwords etc) may have been compromised. See this link:

    http://www.liutilities.com/products/wintaskspro/processlibrary/ibm00001/


    Make sure viewing of hidden files is enabled (per the tutorial).

    Run HijackThis and select the following lines, but DO NOT CLICK FIX until you exit all browser sessions, including the one you are reading in right now:
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
    O1 - Hosts: 213.96.253.198 gforge.unkasoft.com
    O1 - Hosts: 213.96.253.198 svn.gforge.unkasoft.com
    O4 - HKCU\..\Run: [Shell] "F:\Archivos de programa\Archivos comunes\Microsoft Shared\Web Folders\ibm00001.exe"
    O15 - Trusted Zone: http://www.gametrust.com
    O15 - Trusted Zone: http://mail.unkasoft.com

    After clicking Fix, exit HJT.
    Boot into safe mode and use Windows Explorer to delete (if found):
    F:\Archivos de programa\Archivos comunes\Microsoft Shared\Web Folders\ibm00001.exe <--- delete all files that match ibmxxxxx.YYY, where xxxxx can be any numbers and YYY can be any extension (like EXE, DLL, DAT)
    F:\Archivos de programa\Archivos comunes\Microsoft Shared\Web Folders\tmp.tmp
    f:\windows\uniq <--- the whole folder

    If you get an error when deleting a file, right click on the file and check to see if the read-only attribute is checked. If it is, uncheck it and try again. Otherwise open Task Manager and kill the process if it is running, then delete the file.

    Now, if running Win XP, go to c:\windows\Prefetch and delete all files in this folder.
    Now run CCleaner (installed while running the READ ME FIRST).

    Now we need to Reset Web Settings:
    1. If you have an Internet Explorer icon on your Desktop, go to step 2. If not, skip to step 3.
    2. Now right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, click Delete Files and select Delete all offline content too, click OK. When it finishes click OK. Then skip step 3.
    3. If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.
    Now reboot in normal mode and post a new HJT log.

    Make sure you tell me how things are working now.

    Reminder Note: Once we have determined you are malware free you will need to disable System Restore, reboot, and re-enable System Restore per step 1 of the READ & RUN ME. This only applies if using WinXP or WinMe.
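One way to triage the kinds of HijackThis lines the helper singled out above (a hosts-file override to a routable address, an autorun entry pointing at an ibmxxxxx.YYY file, sites added to the IE Trusted Zone, a search page set to about:blank), as an added example that is not part of this thread and not HijackThis's own code. The sample log is constructed from the lines quoted in the post, not the poster's real log, and the script only flags entries for review: as the later replies show, the unkasoft hosts entries turned out to be ones the poster added on purpose.

```python
import re
from dataclasses import dataclass

# Constructed sample modelled on the HijackThis lines quoted in the thread;
# it is not the poster's actual log.
SAMPLE_HJT_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 213.96.253.198 gforge.unkasoft.com
O1 - Hosts: 213.96.253.198 svn.gforge.unkasoft.com
O4 - HKLM\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Shell] "F:\Archivos de programa\Archivos comunes\Microsoft Shared\Web Folders\ibm00001.exe"
O15 - Trusted Zone: http://www.gametrust.com
O15 - Trusted Zone: http://mail.unkasoft.com
"""

# Loopback / blackhole targets that are normal in a hosts file.
LOCAL_HOSTS_TARGETS = {"127.0.0.1", "::1", "0.0.0.0"}

# The ibmxxxxx.YYY naming the helper describes: "ibm", digits, any extension.
IBM_FILE_RE = re.compile(r"^ibm\d+\.[A-Za-z0-9]+$", re.IGNORECASE)

HJT_LINE_RE = re.compile(r"^(?P<kind>[A-Z]\d{1,2}) - (?P<body>.+)$")
HOSTS_RE = re.compile(r"^Hosts:\s+(?P<ip>\S+)\s+(?P<host>\S+)")
RUN_RE = re.compile(r"^(?P<hive>HK\w+)\\\.\.\\Run:\s+\[(?P<name>[^\]]*)\]\s+(?P<cmd>.+)$")


@dataclass(frozen=True)
class Finding:
    kind: str    # HJT section code, e.g. "O4"
    reason: str  # why the line deserves a look
    line: str    # the log line itself


def matches_ibm_pattern(filename: str) -> bool:
    """True for names like ibm00001.exe, ibm00002.dll, ibm00003.dat."""
    return bool(IBM_FILE_RE.match(filename))


def executable_from_command(cmd: str) -> str:
    """Base filename of the program in a Run-key command line (quoted or not)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        path = cmd[1:cmd.find('"', 1)]
    else:
        path = cmd.split(" ", 1)[0]
    return path.replace("/", "\\").rsplit("\\", 1)[-1]


def triage(log_text: str) -> list[Finding]:
    """Walk an HJT-style log and return the entries worth reviewing."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = HJT_LINE_RE.match(line)
        if not m:
            continue
        kind, body = m.group("kind"), m.group("body")
        if kind == "R1" and body.lower().endswith("= about:blank"):
            findings.append(Finding(kind, "IE search page set to about:blank", line))
        elif kind == "O1":
            h = HOSTS_RE.match(body)
            if h and h.group("ip") not in LOCAL_HOSTS_TARGETS:
                findings.append(Finding(kind, f"hosts file pins {h.group('host')} to {h.group('ip')}, bypassing DNS", line))
        elif kind == "O4":
            r = RUN_RE.match(body)
            if r:
                exe = executable_from_command(r.group("cmd"))
                if matches_ibm_pattern(exe):
                    findings.append(Finding(kind, f"autorun of {exe} matches the ibmxxxxx.YYY pattern", line))
        elif kind == "O15" and body.startswith("Trusted Zone:"):
            findings.append(Finding(kind, "site added to the IE Trusted Zone (relaxed security settings)", line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_HJT_LOG):
        print(f"{f.kind}: {f.reason}\n    {f.line}")
```

Run it as is and it prints six findings for the constructed log; point `triage()` at the text of a real HJT log to get the same review list. The hosts and Trusted Zone rules flag every non-loopback or trusted entry on purpose, since whether such an entry is legitimate is a question only the machine's owner can answer, as happened in this thread.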
     
  3. chusma

    chusma Private E-2

    I proceeded to follow your instructions. First, I forgot to tell you, but every time I restart the PC (with or without connection) after I installed Windows Defender I get the message "Windows Defender fails to initialize
    0x800106ba". To be able to run it I started it manually from Services.
    From the lines in HJT you told me to fix, I omitted the following because I know they refer to a program I actually installed and use daily:
    - gforge.unkasoft.com
    - svn.gforge.unkasoft.com
    - mail.unkasoft.com

    The files you told me to look for and delete were not there to be deleted, none of them.

    I did all that after starting with no connection to the internet. When I restarted in normal mode to grab a new HJT log I did it with the cable on. It took a long time to show the MSN login window (usually the first thing) and Windows Explorer.
    I checked with HJT and saved the log.
    Before I was able to do anything else the system blocked again.
    I restarted, unplugged from the internet, grabbed the created log and posted it here from another PC.

    Thanks for your advice for the moment. Hope you see some logic in this, 'cos I can't.
     


  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Are you really sure you need to add these items to your hosts file and to the Trusted Zone to get them to work? Most of the time this is not necessary, and it is not good practice to do this unless 100% necessary.

    If Windows Defender is causing you problems, you can uninstall it. Your PC problems do not appear to be malware. I'll give you a couple more things to run, but I have a feeling you have problems with software conflicts or something else not related to malware. I'm also not clear on exactly what your problem is. I don't know exactly what you mean by "system blocks". Do you mean you are having problems accessing the internet? Or do you mean some programs fail to run? Or do you mean something else?

    Run the below procedure with Ewido and attach the Ewido log:

    Running Ewido Anti-Malware


    Also run the below procedure and attach the runkeys.txt log.

    Using GetRunKey
     
    Last edited: May 20, 2006
  5. chusma

    chusma Private E-2

    The first two I am reasonably sure I need in the Hosts file, the third not so much, but anyway I don't think it is dangerous.

    The logs of the apps you recommended are attached. The symptoms of the problem are: I try to open a window of any app while working, or to change or update the internet page I am viewing, and the system seems to start thinking and keeps on it, never doing anything else. That is what I refer to as "system blocks".

    If the problems are not malware related, I guess I should try repairing the XP installation.

    Thanks a lot
     


  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Your logs show no malware problems! You should check in the Software Forum for suggestions. Yes, someone may suggest a repair at some point, but I'm not sure if that should be the first thing attempted. Make sure you tell them you already had your system checked for malware in this forum.

    You should uninstall Ewido now to avoid the excess use of system resources.
     
  7. chusma

    chusma Private E-2

    Thanks a lot Chaslang.
     
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome!

    Now that we have fixed all of your malware issues, you do have some follow up work to complete. It is time to go back to step 1 of the READ & RUN ME to Disable System Restore which will flush your Restore Points. Then reboot and enable System Restore to create a new clean Restore Point.

    After that, you should work thru the below link:

    How to Protect yourself from malware!
     
  9. chusma

    chusma Private E-2

    ok, thanks again!
     
  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome. Surf safely!
     