Computer Hope
Software => Computer viruses and spyware => Topic started by: kippyieh on July 25, 2010, 12:33:10 PM
-
Hi,
We are halfway thru a family trip and seemed to have picked up a virus on the family laptop. I am pulling my hair out on this one. It seems to have disabled the anti-virus software, and I can't copy much of anything from the USB drive without the comp freezing. I did manage to get HijackThis installed and ran a scan:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:36:48 AM, on 7/25/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Safe mode
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://global.acer.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O1 - Hosts file is located at: C:\WINDOWS\System32\drivers\etc\hosts
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Windows Live Family Safety Browser Helper - {4f3ed5cd-0726-42a9-87f5-d13f3d2976ac} - C:\Program Files\Windows Live\Family Safety\fssbho.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office14\GROOVEEX.DLL
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: SkypeIEPluginBHO - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (file missing)
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.5.5126.1836\swg.dll
O2 - BHO: URLRedirectionBHO - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\PROGRA~1\MICROS~2\Office14\URLREDIR.DLL
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKCU\..\RunOnce: [ScrSav] C:\WINDOWS\Screensavers\Acer\run_Acer.exe
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: Se&nd to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll
O9 - Extra button: OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
O9 - Extra 'Tools' menuitem: OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
O9 - Extra button: Skype add-on for Internet Explorer - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (file missing)
O9 - Extra 'Tools' menuitem: Skype add-on for Internet Explorer - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (file missing)
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (file missing)
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL (file missing)
O18 - Filter hijack: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: crd - Unknown owner - C:\DOCUME~1\Dad\LOCALS~1\Temp\IXP001.TMP\poststp.exe (file missing)
O23 - Service: Google Desktop Manager 5.9.911.3589 (GoogleDesktopManager-110309-193829) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
O23 - Service: Raw Socket Service (RS_Service) - Acer Incorporated - C:\Program Files\Acer\Acer VCM\RS_Service.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
--
End of file - 6465 bytes
Any help would be greatly appreciated.
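As an added illustration, not part of the thread and not a HijackThis feature, here is a small Python triage script that applies the checks a helper reads a log like the one above for: services with no identified publisher, binaries registered from a temp directory, entries whose file no longer exists, and AppInit_DLLs entries. The five log lines are copied from the post above; the flagging rules, the `parse_entry`/`triage` names and the temp-directory pattern are my own assumptions. The output is a list of items to look at, not a verdict.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Five lines copied from the HijackThis log posted above (constructed sample input).
HJT_LOG = r"""O2 - BHO: SkypeIEPluginBHO - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (file missing)
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: crd - Unknown owner - C:\DOCUME~1\Dad\LOCALS~1\Temp\IXP001.TMP\poststp.exe (file missing)
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
"""

FILE_MISSING = "(file missing)"
# Assumed heuristic: a Windows service binary has no business living under a temp directory
# (short 8.3 forms such as LOCALS~1\Temp and IXP001.TMP are what HijackThis prints on XP).
TEMP_DIR_RE = re.compile(r"\\(temp|tmp)\\|\.TMP\\", re.IGNORECASE)


@dataclass
class Entry:
    section: str        # e.g. "O23"
    name: str           # label HijackThis gives the item
    owner: str          # publisher for O23, CLSID for O2/O9, "" when absent
    path: str           # file path with any "(file missing)" suffix stripped
    file_missing: bool  # True when HijackThis reported the file as missing


def parse_entry(line: str) -> Optional[Entry]:
    """Parse one 'Oxx - Kind: name - owner - path' HijackThis line; None if it is not one."""
    m = re.match(r"^(O\d+|R\d+) - [^:]+: (.*)$", line.strip())
    if not m:
        return None
    section, rest = m.group(1), m.group(2)
    file_missing = rest.endswith(FILE_MISSING)
    if file_missing:
        rest = rest[: -len(FILE_MISSING)].rstrip()
    parts = rest.split(" - ")
    path = parts[-1]
    owner = parts[-2] if len(parts) >= 3 else ""
    name = " - ".join(parts[:-2] if len(parts) >= 3 else parts[:-1])
    return Entry(section, name, owner, path, file_missing)


def triage(log_text: str) -> Dict[str, List[str]]:
    """Return {path: [reasons]} for every log entry that deserves a closer look."""
    findings: Dict[str, List[str]] = {}
    for line in log_text.splitlines():
        e = parse_entry(line)
        if e is None:
            continue
        reasons = []
        if e.section == "O23" and e.owner == "Unknown owner":
            reasons.append("service with no identified publisher")
        if TEMP_DIR_RE.search(e.path):
            reasons.append("binary registered from a temp directory")
        if e.file_missing:
            reasons.append("registered file no longer exists (stale entry or removed component)")
        if e.section == "O20":
            reasons.append("AppInit_DLLs entry: this DLL is loaded into every GUI process, confirm the publisher")
        if reasons:
            findings[e.path] = reasons
    return findings


if __name__ == "__main__":
    for path, reasons in triage(HJT_LOG).items():
        print(path)
        for r in reasons:
            print("   -", r)
```

Run against the sample, the script singles out the `crd` service (three reasons), the Skype BHO (file missing only) and the AppInit_DLLs entry, and says nothing about the Broadcom or Google services; the point is to prioritise what a human then verifies, not to decide on its own.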
-
Or - does anyone know whether or not this could be a hardware problem?
It is getting worse. If I remember correctly, it started freezing when I opened up a browser, specifically when I was trying to download Ad-Aware and Spybot (3 days ago), then it started balking while trying to transfer those files over from a USB drive: copying most of the file then hanging up. About this time I tried System Restore, which progressively hung up earlier and earlier in the process. Now, I can't even type anything into the Run command window without it locking up (trying to change the msconfig file).
It seemed I had the 'longest' stability while running the os in safe diagnostic mode. Now I can't even tell windows to load in that mode (via msconfig). This has occurred over the last 3 hours.
Possibly hardware? I would have gone the clean install route, but we are travelling and I don't have the DVD along - heh, go figure. I could download via my TechNet subscription, but the service is pretty slow here. And - not sure how, given the Acer is to boot from the USB...
Thanks for any help!
-
Wait a bit and somebody will help you.
Meanwhile, find a friend that knows how to recover data from your HDD.
At the rate you are going, you may have to reinstall everything on the laptop.
-
Your comment has been removed. Please do not post malware advice, or post here in the malware forum, unless you need help.
-
Hello and welcome to Computer Hope Forum. My name is Dave. I will be helping you out with your particular problem on your computer. I am working under the guidance of one of the specialists of this forum, so it may take a bit longer to process your logs.
1. I will be working on your Malware issues. This may or may not solve other issues you have with your machine.
2. The fixes are specific to your problem and should only be used for this issue on this machine.
3. If you don't know or understand something, please don't hesitate to ask.
4. Please DO NOT run any other tools or scans while I am helping you.
5. It is important that you reply to this thread. Do not start a new topic.
6. Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
7. Absence of symptoms does not mean that everything is clear.
You will need an operating computer to do this. Please let me know what happens.
Go to this link to create a Rescue CD (http://evilfantasy.wordpress.com/2009/05/06/rescue-cds/) or to this site to create a Rescue USB (http://evilfantasy.wordpress.com/bitdefender-rescue-usb/). Carefully follow all the instructions for whichever method you choose.
-
Thanks for all the replies!
Sticky business being down here in CR and only have the hotel computer to use. Thankful to at least have this one however.
I will make a USB startup and follow the instructions on that page.
I have time this morning to work on this, but we are scheduled to drive someplace else today, so my responses may be slow in coming.
Thanks again! Hope we can get this thing going!
-
Hi!
Scan finished with no infected files found.
It appears that the Chkrootkit option is not available on this ISO? At least I could not find it.
I should perhaps also note that the definitions were not updated, I am assuming because the only internet connection available is wireless; but I did not try to figure it out.
Thanks for the help.
-
Ok. Let me get this straight. You ran the Rescue disk/USB and your computer is now running correctly?
-
No - I ran the usb iso and bitdefender found nothing wrong - no infections. But the computer is still not operating correctly.
I am beginning to wonder if something in windows is corrupted. Specifically, it seems now that trying to enter text into a windows explorer text field (e.g., the run command line, renaming a file, etc) freezes the computer.
Freeze should probably be qualified: sometimes the mouse continues to respond for a bit. When it quits moving, Windows will sometimes respond to the power off button (i.e., go thru the shutdown process); but this seems to be dependent upon how quickly I press the shutdown button after the mouse stops responding.
Also, ctrl+alt+delete always freezes the comp.
It seemed to be getting progressively worse for awhile, but now it seems to be holding more or less stable.
Not sure how useful this info is, but I thought I would post in case the problem is not malware related and someone recognizes the symptoms.
again - thanks in advance for any help.
-
Ok. My mistake. I thought you said your computer wouldn't boot. That's why I suggested the Rescue Disk. Let's run some scans to see what's happening. It could be a bad file in Windows but we'll check that later.
SUPERAntiSpyware
If you already have SUPERAntiSpyware be sure to check for updates before scanning!
Download SuperAntispyware Free Edition (SAS) (http://www.superantispyware.com/download.html)
* Double-click the icon on your desktop to run the installer.
* When asked to Update the program definitions, click Yes
* If you encounter any problems while downloading the updates, manually download and unzip them from here
* Next click the Preferences button.
•Under Start-Up Options uncheck Start SUPERAntiSpyware when Windows starts
* Click the Scanning Control tab.
* Under Scanner Options make sure only the following are checked:
•Close browsers before scanning
•Scan for tracking cookies
•Terminate memory threats before quarantining
•Please leave the others unchecked
•Click the Close button to leave the control center screen.
* On the main screen click Scan your computer
* On the left check the box for the drive you are scanning.
* On the right choose Perform Complete Scan
* Click Next to start the scan. Please be patient while it scans your computer.
* After the scan is complete a summary box will appear. Click OK
* Make sure everything in the white box has a check next to it, then click Next
* It will quarantine what it found and if it asks if you want to reboot, click Yes
•To retrieve the removal information please do the following:
•After reboot, double-click the SUPERAntiSpyware icon on your desktop.
•Click Preferences. Click the Statistics/Logs tab.
•Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
•It will open in your default text editor (preferably Notepad).
•Save the notepad file to your desktop by clicking (in notepad) File > Save As...
* Save the log somewhere you can easily find it. (normally the desktop)
* Click close and close again to exit the program.
*Copy and Paste the log in your post.
===============================
Please download Malwarebytes Anti-Malware from here (http://www.malwarebytes.org/mbam/program/mbam-setup.exe).
Double Click mbam-setup.exe to install the application.
- Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes Anti-Malware, then click Finish.
- If an update is found, it will download and install the latest version.
- Once the program has loaded, select "Perform Full Scan", then click Scan.
- The scan may take some time to finish, so please be patient.
- When the scan is complete, click OK, then Show Results to view the results.
- Make sure that everything is checked, and click Remove Selected.
- When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
- Please save the log to a location you will remember.
- The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
- Copy and paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.
================================
Please download: HiJackThis (http://go.trendmicro.com/free-tools/hijackthis/HijackThisInstaller.exe) to your Desktop.
- Double Click the HijackThis icon, located on your Desktop.
- By Default, it will install to: C:\Program Files\Trend Micro\HijackThis
- Accept the license agreement.
- Click the Open the Misc Tools section button.
- Place a checkmark beside Calculate MD5 of files if possible. Then, click Back.
- Click Do a System Scan and Save a Logfile. Or, if you see a white screen, click Scan.
- Please post the log in your next reply.
-
Thanks Dave!
I will try to look for the manual install option on the definition updates, but it appears that the link was forgotten in your reply.
-
Also - the Malware bytes link appears to be broken.
-
Also - the Malware bytes link appears to be broken.
The site is overworked.
Download from alternate site.
http://download.cnet.com/Malwarebytes-Anti-Malware/3000-8022_4-10804572.html
-
Thanks for that.
Does Malware have a manual definition update option? I cannot connect to the internet with the problem computer.
-
The current version will give an error if you start with no internet. Ignore the error and start the scan anyway.
-
Awesome - thanks again. I will post the hijack log in a couple of hours.
-
Ok - I have been unable to get either of the scans to complete. Both just pause, the timer continues to count down, but the scanning stops.
Also - the Super Anti Spyware does not start when windows starts; it is set to, but it does not.
And - Windows in non-safe mode will not boot, it just re-boots. This seemed to start after Super Anti spyware was installed.
Any suggestions?
-
Please uninstall SAS and see if it will reboot normally. Please run MBAM in safe mode.
-
I was trying to run both of the scans in safe mode.
Now - when I try to boot in non-safe mode, Windows says that the OS needs to be authenticated.
Also - I can only run MBAM one time - if I try to run a second time I get two VBS errors and it stops running. I have to uninstall and then re-install in order to get it to run the scan again.
Nasty piece of work whatever this is.
-
Please try this even though your XP CD is at home. If it finds a bad file it will ask for the CD. At least we'll narrow it down.
•Click on Start > Run and type sfc /scannow then press Enter (note the space between sfc and /scannow)
*Let this run undisturbed until the window with the blue progress bar goes away
SFC, which stands for System File Checker, retrieves the correct version of the file from %Systemroot%\System32\Dllcache or the Windows installation source files, and then replaces the incorrect file.
-
Hello Dave,
In the interim I downloaded xp via the technet subscription. The file is an iso - do you happen to know off hand how I can get this to usb? Thanks.
-
do you happen to know off hand how I can get this to usb? Thanks.
Please go to Reply #4 and follow the link. It will tell you how to burn an ISO file to CD or USB.
-
I tried using that and it didn't work... I assumed it was because it was a linux boot?
Any additional suggestions?
-
Also - I narrowed the comp freezes down to pressing anything on the keyboard. I cannot run the scan.
-
This sounds more like a problem with the laptop. Is it possible to try another USB keyboard on the laptop?
-
Not at the moment.
But the linux usb boot from reply number 4 worked fine - i.e., I was able to boot, scan, type, etc.
Should I be able to use the linux usb boot for a windows cd?
-
Let's try this.
We are going to be using a Windows Recovery Environment to help disinfect the system so it may boot again.
Download the OTLPE Standard REATOGO Windows Recovery Environment.
- Place a blank CD-R disc in to your CD burning drive.
- Download OTLPEStd.exe (http://oldtimer.geekstogo.com/) and double-click on it to burn to a CD using ISO Burner.
- Reboot your system using the boot CD you just created.
Note : If you do not know how to set your computer to boot from CD follow the steps here (http://www.hiren.info/pages/bios-boot-cdrom)
- Your system should now display a REATOGO-X-PE desktop.
- Double-click on the OTLPE icon.
- When asked "Do you wish to load the remote registry", select Yes
- When asked "Do you wish to load remote user profile(s) for scanning", select Yes
- Ensure the box "Automatically Load All Remaining Users" is checked and press OK
- OTL should now start. Change the following settings
- Change Drivers to Non-Microsoft
- Press Run Scan to start the scan.
- When finished, the file will be saved in drive C:\_OTL\MovedFiles
- Copy this file to your USB drive if you do not have internet connection on this system
- Please post the contents of the OTL.txt file in your reply.
-
Hi Dave,
Given the laptop is a mini, I don't have a cd available.
But - on the last day of the trip here, so will be back home quick enough and I should be able to get things going from home. If not, I will let you know.
Thanks for all the help!