Infected, can't reach AV sites or Windows Update

Discussion in 'Malware Help (A Specialist Will Reply)' started by Trevise425, Aug 30, 2009.

  1. Trevise425

    Trevise425 Private E-2

    IXP000.TMP (File Folder - 08/26/2009) (folder is empty)
    MPTelemetrySubmit (File Folder - 08/28/2009) (folder is empty)
    avginfo (ID File - 08/16/2009) 1 KB
    bprmydaejo (application - 08/26/2009) 398 KB
    cpcxtprnvu (application - 08/26/2009) 398 KB
    CPSSMasterCatalog (Configuration Settings - 08/27/2009) 1 KB
    hpqddsvc (Text Document - 08/27/2009) 69 KB (HP Printer update log)
    inlgvpkgws (application - 08/26/2009) 398 KB
    jokvmmrgsj (application - 08/26/2009) 397 KB
    lmupnuylio (application - 08/26/2009) 397 KB
    mpj97299.dll (Application Extension - Microsoft - 07/21/2009) 1,181 KB
    mpj101165.dll (Application Extension - Microsoft - 07/21/2009) 1,181 KB
    MpSigStub (Text Document - 07/21/2009) 18 KB (Windows Defender Update log)
    mqnlabqvrh (application - 08/26/2009) 397 KB
    mta13187.dll (Application Extension - Microsoft - 07/21/2009) 1,181 KB
    mta82335.dll (Application Extension - Microsoft - 07/21/2009) 1,181 KB
    mta88593.dll (Application Extension - Microsoft - 07/21/2009) 1,181 KB
    mvhlnwtiib (application - 08/26/2009) 398 KB
    nwpfsrpuyd (application - 08/26/2009) 397 KB
    pcrnxgbevn (application - self-extractor - Microsoft - 08/26/2009) 240 KB
    qrxnniojav (application - 08/26/2009) 398 KB
    qvkwyqfvrb (application - 08/26/2009) 397 KB
    stlrjimktm (application - 08/26/2009) 398 KB
    uxynypgsxh (application - 08/26/2009) 398 KB
    vibrdexlfo (application - 08/26/2009) 397 KB
    VRT1BAA.tmp (TMP File - 08/26/2009) 13 KB
    VRT3ED3.tmp (TMP File - 08/26/2009) 13 KB
    VRT514A.tmp (TMP File - 08/26/2009) 13 KB
    VRT757E.tmp (TMP File - 08/26/2009) 13 KB
    VRT3571.tmp (TMP File - 08/26/2009) 13 KB
    VRTD32D.tmp (TMP File - 08/26/2009) 13 KB
    vtblhtkbnh (application - 08/26/2009) 397 KB
    vtxyjrkpnl (application - 08/26/2009) 398 KB
    vycefpxeim (application - 08/26/2009) 397 KB
    wxbwnyctov (application - 08/26/2009) 398 KB
    x1c69075.dll (version 8.0.6001.18813 modified 7/21/2009) 1,181 KB
    yuxoehsqss (application - 08/26/2009) 397 KB
     
  2. Trevise425

    Trevise425 Private E-2

    AMENDED: Infected, can't reach AV sites or Windows Update

    My girlfriend's son got on my laptop (I wasn't here) and now it's infected. Below is what was in the WINDOWS\TEMP directory:

    IXP000.TMP (File Folder - 08/26/2009) (folder is empty)
    MPTelemetrySubmit (File Folder - 08/28/2009) (folder is empty)
    avginfo (ID File - 08/16/2009) 1 KB
    bprmydaejo (application - 08/26/2009) 398 KB
    cpcxtprnvu (application - 08/26/2009) 398 KB
    CPSSMasterCatalog (Configuration Settings - 08/27/2009) 1 KB
    hpqddsvc (Text Document - 08/27/2009) 69 KB (HP Printer update log)
    inlgvpkgws (application - 08/26/2009) 398 KB
    jokvmmrgsj (application - 08/26/2009) 397 KB
    lmupnuylio (application - 08/26/2009) 397 KB
    mpj97299.dll (Application Extension - Microsoft - 07/21/2009) 1,181 KB
    mpj101165.dll (Application Extension - Microsoft - 07/21/2009) 1,181 KB
    MpSigStub (Text Document - 07/21/2009) 18 KB (Windows Defender Update log)
    mqnlabqvrh (application - 08/26/2009) 397 KB
    mta13187.dll (Application Extension - Microsoft - 07/21/2009) 1,181 KB
    mta82335.dll (Application Extension - Microsoft - 07/21/2009) 1,181 KB
    mta88593.dll (Application Extension - Microsoft - 07/21/2009) 1,181 KB
    mvhlnwtiib (application - 08/26/2009) 398 KB
    nwpfsrpuyd (application - 08/26/2009) 397 KB
    pcrnxgbevn (application - self-extractor - Microsoft - 08/26/2009) 240 KB
    qrxnniojav (application - 08/26/2009) 398 KB
    qvkwyqfvrb (application - 08/26/2009) 397 KB
    stlrjimktm (application - 08/26/2009) 398 KB
    uxynypgsxh (application - 08/26/2009) 398 KB
    vibrdexlfo (application - 08/26/2009) 397 KB
    VRT1BAA.tmp (TMP File - 08/26/2009) 13 KB
    VRT3ED3.tmp (TMP File - 08/26/2009) 13 KB
    VRT514A.tmp (TMP File - 08/26/2009) 13 KB
    VRT757E.tmp (TMP File - 08/26/2009) 13 KB
    VRT3571.tmp (TMP File - 08/26/2009) 13 KB
    VRTD32D.tmp (TMP File - 08/26/2009) 13 KB
    vtblhtkbnh (application - 08/26/2009) 397 KB
    vtxyjrkpnl (application - 08/26/2009) 398 KB
    vycefpxeim (application - 08/26/2009) 397 KB
    wxbwnyctov (application - 08/26/2009) 398 KB
    x1c69075.dll (version 8.0.6001.18813 modified 7/21/2009) 1,181 KB
    yuxoehsqss (application - 08/26/2009) 397 KB

    I've run several scans with various products. Unfortunately, some of them need updating, and I can't reach the sites through IE or Firefox - the status bar says looking for... and it just hangs. Same with Windows Update, or trying to go to support.microsoft.com or any such site. I can't update Malwarebytes Antimalware, or AVG. I WAS able to manually update Spybot S&D through a memory stick (BTW - ran Flash Disinfector on the laptop as well as this PC to stop that particular nonsense - it was trying to also infect the USB memory stick...)
    I ran Spybot before, and it cleaned up several things, but the last couple of scans prior to updating showed nothing. After the update, it found another Trojan in the registry, under WBEM (which was deleted.)
    I'm not sure if I got it all yet. I'm still scanning in safe mode (Vista) and running everything I can to try to find whatever it is that got on here. The last time I tried to do a normal restart, the laptop booted, then hung on a dark screen - couldn't even get to the logon screen.
    Any help would be appreciated.

    Best regards...
    Rich
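The listing above shows the pattern a responder would want to pick out automatically: a burst of extensionless, randomly named executables, all stamped with the same date (08/26/2009) and all within a kilobyte of each other in size (397-398 KB), sitting next to legitimately named files. The following script is an added example, not something posted in the thread or shipped by any of the tools mentioned; it parses the free-text listing format used in the post (constructed excerpt embedded inline) and flags clusters of same-day, same-size, random-looking executables as a triage hint. The name heuristic (8-12 lowercase letters, no extension, a run of three or more consonants) and the size tolerance are assumptions chosen to fit this listing, not a general malware signature.

```python
import re
from collections import defaultdict

# Constructed excerpt of the WINDOWS\TEMP listing from the post, in the same
# "name (type - date) size" format, with a few benign entries kept for contrast.
LISTING = """\
avginfo (ID File - 08/16/2009) 1 KB
bprmydaejo (application - 08/26/2009) 398 KB
cpcxtprnvu (application - 08/26/2009) 398 KB
CPSSMasterCatalog (Configuration Settings - 08/27/2009) 1 KB
hpqddsvc (Text Document - 08/27/2009) 69 KB (HP Printer update log)
inlgvpkgws (application - 08/26/2009) 398 KB
jokvmmrgsj (application - 08/26/2009) 397 KB
mpj97299.dll (Application Extension - Microsoft - 07/21/2009) 1,181 KB
pcrnxgbevn (application - self-extractor - Microsoft - 08/26/2009) 240 KB
VRT1BAA.tmp (TMP File - 08/26/2009) 13 KB
vtblhtkbnh (application - 08/26/2009) 397 KB
"""

# One listing line: name, then "(type - MM/DD/YYYY)", then a size in KB.
# The type field may itself contain " - " (e.g. "Application Extension - Microsoft"),
# so it is matched non-greedily up to the last " - <date>".
LINE_RE = re.compile(
    r"^(?P<name>\S+) \((?P<type>[^)]*?) - (?P<date>\d{2}/\d{2}/\d{4})\) (?P<size>[\d,]+) KB"
)

# Assumed heuristic: extensionless, all-lowercase, 8-12 letters.
RANDOM_NAME_RE = re.compile(r"^[a-z]{8,12}$")


def parse_listing(text):
    """Turn the pasted listing into dicts; folders and unparseable lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        entries.append({
            "name": m["name"],
            "type": m["type"].lower(),
            "date": m["date"],
            "size_kb": int(m["size"].replace(",", "")),
        })
    return entries


def looks_random(name):
    """Cheap proxy for a generated name: lowercase-only, no extension, and at
    least three consecutive non-vowels (real product names rarely read 'bprm')."""
    return bool(RANDOM_NAME_RE.match(name)) and re.search(r"[^aeiou]{3,}", name) is not None


def find_dropper_clusters(entries, min_members=3, size_tolerance_kb=5):
    """Group random-named executables by date, then by near-identical size.
    Returns clusters with at least min_members files; each is a triage hint,
    not an identification of any particular malware family."""
    suspects = [e for e in entries
                if e["type"].startswith("application") and looks_random(e["name"])]
    by_date = defaultdict(list)
    for e in suspects:
        by_date[e["date"]].append(e)

    clusters = []
    for date, items in by_date.items():
        items.sort(key=lambda e: e["size_kb"])  # stable, so same-size files keep listing order
        run = [items[0]]
        for prev, cur in zip(items, items[1:]):
            if cur["size_kb"] - prev["size_kb"] <= size_tolerance_kb:
                run.append(cur)
            else:
                if len(run) >= min_members:
                    clusters.append(_describe(date, run))
                run = [cur]
        if len(run) >= min_members:
            clusters.append(_describe(date, run))
    return clusters


def _describe(date, run):
    sizes = [e["size_kb"] for e in run]
    return {"date": date, "size_range": (min(sizes), max(sizes)),
            "names": [e["name"] for e in run]}


if __name__ == "__main__":
    for c in find_dropper_clusters(parse_listing(LISTING)):
        lo, hi = c["size_range"]
        print(f"{c['date']}: {len(c['names'])} random-named executables, {lo}-{hi} KB")
        for n in c["names"]:
            print("   ", n)
```

On the constructed excerpt this reports one cluster of five files on 08/26/2009 in the 397-398 KB range; the 240 KB self-extractor and the benign entries fall outside it. The point of running something like this before uploading samples is to get a concrete list of files to quarantine and hash, rather than eyeballing a forty-line directory dump; the "Microsoft" label on a self-extractor is only a version-resource string and is not evidence of origin.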
     
  3. Trevise425

    Trevise425 Private E-2

    Can't log on to Windows Vista

    Greetings...okay, after (hopefully) removing all traces of various malware and such (girlfriend's son got on my laptop when I wasn't here) I've now gotten to where I can boot, but only in safe mode. Trying a normal boot gets me to where I can get to the log on screen, but after the welcome, a box shows up, saying "An unauthorized change was made to Windows." Actually, two different windows will pop up with similar messages, one saying "you will no longer receive notifications, including those about your license or activation." It then suggests you go online to learn more...but the thing won't boot, so you can't GET online.
    Also in the box is the following message under 'details':

    Error 0C004D301
    Description
    The security processor reported that the trusted data store was tampered.

    Restore isn't an option - when I tried using system restore, it seems all the restore points up to a couple of days ago are gone - nothing before 08/26 - which is when all this began.

    Any help would be GREATLY appreciated.

    Best regards,
    Rich
     
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Major Geeks!

    The below are the steps that you needed to follow when you first came here.


    Please read ALL of this message including the notes before doing anything. Once you attach the logs requested at the end, we will know better how to help you if you are still having problems.

    Please follow the instructions in the below link:

    READ & RUN ME FIRST. Malware Removal Guide


    and attach the requested logs when you finish these instructions.
    • **** If something does not run, write down the info to explain to us later but keep on going. ****
    • Do not assume that because one step does not work that they all will not. MGtools will frequently run even when all other tools will not.

    • After completing the READ & RUN ME and attaching your logs, make sure that you tell us what problems still remain ( if any still do )!
    Helpful Notes:
    1. If you run into problems trying to run the READ & RUN ME or any of the scans in normal boot mode, you can run the steps in safe boot mode but make sure you tell us what you did later when you post logs. See the below if you do not know how to boot in safe mode:
    2. If you have problems downloading on the problem PC, download the tools and the manual updates for SUPERAntiSpyware and Malwarebytes ( links are given in the READ & RUN ME) onto another PC and then burn to a CD. Then copy them to the problem PC. You will have to skip getting updates if (and only if) your internet connection does not work. Yes you could use a flash drive too but flash drives are writeable and infections can spread to them.
    3. If you cannot seem to login to an infected user account, try using a different user account (if you have one) in either normal or safe boot mode and running only SUPERAntiSpyware and Malwarebytes while logged into this other user account. Then reboot and see if you can log into the problem user account. If you can then run SUPERAntiSpyware, Malwarebytes, ComboFix and MGtools on the infected account as requested in the instructions.
    4. To avoid additional delay in getting a response, it is strongly advised that after completing the READ & RUN ME you also read this sticky:
    Any additional post is a bump which will add more delay. Once you attach the logs, your thread will be in the work queue and as stated our system works the oldest threads FIRST.
     
