Computer Hope
Software => Computer viruses and spyware => Topic started by: Doesitfloat on February 06, 2009, 01:49:22 PM
-
When a networked computer immediately connects to malicious sites.
I found some similar symptoms on this site and started corrective action.
This is what I have so far:
Computer Info:
SONY Vaio w/ 2 GB RAM, 300 GB hard drive; video is NVIDIA GeForce 750 GTX
OS:
Windows XP Media Center Service Pack 2
Original operating system for computer.
I do not have a recovery DVD; the system has a partitioned hard drive for recovery. (Recovered last week.)
Automatic updates are on and installed regularly.
Anti Virus:
Used to run spybot
Just changed to AVAST I like it better
Actions:
Followed steps 1-6, running cleaners. Logs: attached.
Additional problems:
Network adapter no longer working.
In the hardware manager the device status reads:
Windows cannot start this hardware device because its configuration (in the registry) is incomplete or damaged (code 19)
Computer cannot access the internet.
( I have an identical computer that is not used very much I should be able to copy registry info from it if necessary.)
[attachment deleted by admin]
-
How is the computer after the scans?
-
Avoid using a copy of the registry from even an identical computer.
The proper method is to fully remove the device and start all over again with the installation. No shortcuts allowed.
Do a full removal of the device in question. This can mean even physically removing it, with the power off, of course. Or disable it in the BIOS, if it is built-in. After the PC has rebooted and the device is no longer there, install whatever setup is normal for that device. Install the drivers BEFORE you put the device in the system unless the setup program says otherwise.
Then power off, install the device physically (or enable it in the BIOS) and restart the system. The proper driver configuration should come up this time.
Also, others here can give you some additional help. 8)
-
Did you set this proxy? R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:7070
Open HijackThis and select Do a system scan only.
Place a check mark next to the following entries: (if there)
- O20 - AppInit_DLLs: obxndg.dll
Important: Close all windows except for HijackThis and then click Fix checked.
Exit HijackThis.
----------
Download Lop S&D by Eric_71 (http://eric.71.mespages.googlepages.com/LopSD.exe) and save it to your Desktop. Lop S&D will only run on Windows XP and Windows Vista
Disable your antivirus and antimalware programs so they do not interfere with the running of Lop S&D. If needed see: How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs (http://www.bleepingcomputer.com/forums/topic114351.html)
If you are using Windows Vista, right-click on LopSD.exe icon and select 'Run as administrator' to perform this scan.
- Double-click Lop S&D.exe
- Choose the language by typing the corresponding letter and press Enter
- Click OK at the informative window
- Type 1, to choose Option 1 (Search) then press Enter
- Wait until the end of the scan
- A report will be generated, post the contents of it in your next reply.
A copy of the report can be found at this location: %systemdrive%\lopR.txt, in most cases C:\lopR.txt
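-
Editor's note: the two HijackThis entries singled out in the post above are the ones that explain the original symptom. An R1 ProxyServer of http=127.0.0.1:7070 forces every browser request through a listener on the machine itself, so a local process can redirect the browser wherever it likes; an O20 AppInit_DLLs value is loaded into every process that links user32.dll, which is a classic persistence spot. The following script is an added example, not something posted in this thread or shipped with HijackThis: it reads HijackThis-style log lines and flags those two patterns plus autorun entries that launch an executable straight out of a user profile or temp folder. The sample log is constructed from the entries quoted in the thread; the avast! paths and the profile-root autorun line are illustrative assumptions.

```python
"""Flag the HijackThis entries that matter in the thread above:
a proxy pointed at the loopback interface, an AppInit_DLLs injection,
and autoruns that live in a profile root or temp folder."""
import re
from typing import List, NamedTuple


class Finding(NamedTuple):
    section: str   # HijackThis section tag, e.g. "R1" or "O20"
    reason: str    # why the entry is suspicious
    entry: str     # the log line as written


# Constructed sample log: the R1 and O20 lines quoted in the thread plus
# benign entries for contrast. The avast! paths are assumptions.
SAMPLE_LOG = """\
R1 - HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings,ProxyServer = http=127.0.0.1:7070
O4 - HKLM\\..\\Run: [avast!] C:\\PROGRA~1\\ALWILS~1\\Avast4\\ashDisp.exe
O4 - HKCU\\..\\Run: [tqihcr] c:\\documents and settings\\Administrator\\tqihcr.exe
O20 - AppInit_DLLs: obxndg.dll
O23 - Service: avast! Antivirus - ALWIL Software - C:\\Program Files\\Alwil Software\\Avast4\\ashServ.exe
"""

ENTRY = re.compile(r"^([RFNO]\d+) - (.*)$")
LOOPBACK = re.compile(r"\b(127\.\d{1,3}\.\d{1,3}\.\d{1,3}|localhost)(:\d+)?", re.I)
RUN_ENTRY = re.compile(r"^HK(LM|CU)\\\.\.\\Run(Once)?: \[([^\]]*)\] (.+)$", re.I)
# An .exe sitting directly in a user profile root or a temp folder rather
# than under Program Files or system32.
ODD_LAUNCH_DIR = re.compile(
    r"\\(temp|documents and settings\\[^\\]+|users\\[^\\]+)\\[^\\]+\.exe\b", re.I)


def assess_entry(line: str):
    """Return a Finding for a suspicious HijackThis line, else None."""
    m = ENTRY.match(line.strip())
    if not m:
        return None
    section, body = m.groups()
    if section in ("R0", "R1") and "ProxyServer" in body and LOOPBACK.search(body):
        return Finding(section, "browser proxy forced through a listener on the loopback "
                       "interface; every HTTP request is relayed by a local process", line)
    if section == "O20" and body.startswith("AppInit_DLLs:") and body.split(":", 1)[1].strip():
        return Finding(section, "AppInit_DLLs loads the listed DLL into every process that "
                       "links user32.dll", line)
    if section == "O4":
        r = RUN_ENTRY.match(body)
        if r and ODD_LAUNCH_DIR.search(r.group(4)):
            return Finding(section, "autorun launches an executable from a user profile "
                           "root or temp directory", line)
    return None


def assess(lines) -> List[Finding]:
    """Run assess_entry over every line and keep the hits, in log order."""
    return [f for f in (assess_entry(l) for l in lines) if f]


if __name__ == "__main__":
    for f in assess(SAMPLE_LOG.splitlines()):
        print(f"{f.section}: {f.reason}\n    {f.entry}")
```

The script only reads a saved log, so it can be run on a clean machine against a log copied off the infected one; it is a triage aid for the human reading the log, not a cleaner. The O4 rule is deliberately narrow (profile root or temp only) so that programs installed under Application Data are not flagged.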
-
Good morning and thanks again for the help.
After completing the above steps the computer runs better, but
after a few minutes Avast alerts me that there is an active virus in memory and I should restart and let Avast handle it in boot mode.
Over the weekend I let Avast scan the hard drive twice and this still pops up.
I need to uninstall and reinstall the network controllers. (Will do that today.)
Ran the LopSD program Log Follows:
[attachment deleted by admin]
-
Got the network adapter working again.
Computer is running; performance improved.
CPU is staying low at 0% to 3%.
Internet works.
VPN works.
Programs work.
-
Download ComboFix© by sUBs from one of the below links. Be sure to save it to the Desktop.
Link #1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link #2 (http://subs.geekstogo.com/ComboFix.exe)
**Note: It is important that it is saved directly to your Desktop
Close any open Web browsers. (Firefox, Internet Explorer, etc) before starting ComboFix.
Temporarily disable your antivirus, and any antispyware real time protection before performing a scan. Click this link (http://www.bleepingcomputer.com/forums/topic114351.html) to see a list of security programs that should be disabled and how to disable them.
Double click combofix.exe & follow the prompts.
When finished ComboFix will produce a log for you.
Post the ComboFix log in your next reply.
Important: Do not mouseclick ComboFix's window while it is running. That may cause it to stall.
Remember to re-enable your antivirus and antispyware protection when ComboFix is complete.
If you have problems with ComboFix usage, see How to use ComboFix (http://www.bleepingcomputer.com/combofix/how-to-use-combofix)
-
Ran ComboFix Log attached.
[attachment deleted by admin]
-
Download the OTMoveIt3 (http://oldtimer.geekstogo.com/OTMoveIt3.exe) by OldTimer
Note: If you are running on Vista, right-click on OTMoveIt3.exe and choose Run As Administrator.
* Save it to your Desktop.
* Double-click OTMoveIt3.exe to run it.
* Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy)
:Processes
explorer.exe
:files
c:\windows\system32\1A.tmp
c:\windows\system32\15.tmp
c:\windows\system32\18.tmp
c:\windows\system32\19.tmp
c:\windows\system32\1E.tmp
c:\windows\system32\secupdat.dat
c:\documents and settings\Administrator\tqihcr.exe
c:\windows\system32\17.tmp
c:\windows\system32\dsgrab_01c986433407c4e8.dll
c:\windows\system32\drivers\dsload.sys
c:\windows\system32\dsdd.dll
c:\windows\system32\drivers\dsvideo.sys
c:\windows\Tasks\ewwcejcy.job
c:\windows\system32\opnlJbYq.dl
C:\khq
C:\cqhhbeu.exe
C:\asyoclq.exe
C:\-1396750784
C:\khq
c:\documents and settings\All Users\Application Data\Viewpoint
:Commands
[purity]
[emptytemp]
[start explorer]
[Reboot]
* Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window (under the yellow bar) and choose Paste.
* Click the red Moveit! button.
* Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
Close OTMoveIt3
Note: If a file or folder cannot be moved immediately you may be asked to reboot your computer in order to finish the move process. If asked to reboot, choose Yes. If not, reboot anyway.
----------
Download DrWeb CureIt (http://www.freedrweb.com/) & save it to your desktop.
Scan with DrWeb-CureIt as follows:
- Double-click on drweb-cureit.exe and then click Start.
- An Express Scan of your PC notice will appear.
- Under Start the Express Scan Now Click OK to start.
- This is a short scan that will scan the files currently running in memory.
- If or when something is found, click the Yes button when it asks you if you want to cure it.
- Once the short scan has finished, Click Options > Change settings
- Choose the Scan tab and UNcheck Heuristic analysis and click OK
- Back at the main window, select the Complete scan button.
- Then click the Green Arrow (http://i154.photobucket.com/albums/s258/evilfantasy69/drweb.jpg) Start Scanning button on the right and the scan will start.
- Click Yes to all if it asks if you want to cure/move any file(s).
- When the scan is done.
- In the Dr.Web CureIt menu on top left, click File and choose Save report list.
- Save the DrWeb.csv report to your Desktop.
- Exit Dr.Web Cureit.
- Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
- After reboot, Right-click the Dr.Web log on the desktop and choose Open With > Notepad
- Copy and paste that log in the next reply
-
Ran OTMoveit!
Log Attached
[attachment deleted by admin]
-
Ran Dr.web
1st time I goofed and did not get a log.
2nd time log attached.
Avast continues to find Trojan viruses.
Internet Explorer does not work. Downloaded and use Firefox now.
[attachment deleted by admin]
-
- Click START then RUN
- Now type Combofix /u in the runbox
- Make sure there's a space between Combofix and /u
- Then hit Enter.
The above procedure will:- Delete:
- ComboFix and its associated files and folders.
- VundoFix backups, if present
- The C:\Deckard folder, if present
- The C:\_OtMoveIt folder, if present
- Reset the clock settings.
- Hide file extensions, if required.
- Hide System/Hidden files, if required.
- Set a new, clean Restore Point.
----------
1. Double click OTMoveIt3.exe to launch it.
Vista users right click and choose Run As Administrator
2. Click on the CleanUp! button.
3. OTMoveIt3 will download a list from the Internet; if your firewall or other defensive programs alert you, allow it access.
4. Click YES at the next prompt (list downloaded, Do you want to begin cleanup process?)
5. Once complete exit out of OTMoveIt3
----------
Download Dial-a-Fix (http://wiki.djlizard.net/Dial-a-fix#Mirrors.2Fdownload_locations.2C_and_articles) by djlizard, save it to the desktop, then extract it to its own folder.
- Open the folder and run Dial-a-fix.exe
- 2 windows will open. Close the one in the background labeled Restrictive Policies
- Check the box in section 1, Empty temp folders.
- Check the box in section 2, Fix Windows Installer.
- Check the box in section 3, Fix Windows Update.
- Check the box in section 4, labeled SSL/HTTPS/Cryptography. The 4 boxes under it should be pre-checked
- Check all boxes in section 5, labeled Registration Center.
- Click Go
- OK any error messages if received, but write them down and post them here.
- Restart the computer when done.
How is everything now?
-
Computer runs much better;
will use it today and see how it goes.
At start-up Avast always finds a Trojan virus at:
C:\Windows\temp\VRT4.tmp
-
Download ComboFix© by sUBs from one of the below links. Be sure to save it to the Desktop.
Link #1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link #2 (http://subs.geekstogo.com/ComboFix.exe)
**Note: It is important that it is saved directly to your Desktop
Close any open Web browsers. (Firefox, Internet Explorer, etc) before starting ComboFix.
Temporarily disable your antivirus, and any antispyware real time protection before performing a scan. Click this link (http://www.bleepingcomputer.com/forums/topic114351.html) to see a list of security programs that should be disabled and how to disable them.
Double click combofix.exe & follow the prompts.
When finished ComboFix will produce a log for you.
Post the ComboFix log and a new HijackThis log in your next reply.
Important: Do not mouseclick ComboFix's window while it is running. That may cause it to stall.
Remember to re-enable your antivirus and antispyware protection when ComboFix is complete.
If you have problems with ComboFix usage, see How to use ComboFix (http://www.bleepingcomputer.com/combofix/how-to-use-combofix)
-
This computer took a turn for the worse.
I could not get any programs to run. I would execute them; they would start to run for a second, then stop.
I was able to run combofix in safe mode. Log attached.
[attachment deleted by admin]
-
Your computer is infected by Virut.
Virut spreads through every .exe, .dll and other critical files on a computer. It's polymorphic, which means it spreads faster than any antivirus can contain it. 99.99% of the time the only solution is a reformat and reinstall. Virut is so aggressive it even re-infects infected files. It's a computer killer...
-
Your computer is infected by Virut.
Virut spreads through every .exe, .dll and other critical files on a computer. It's polymorphic, which means it spreads faster than any antivirus can contain it. 99.99% of the time the only solution is a reformat and reinstall. Virut is so aggressive it even re-infects infected files. It's a computer killer...
I bet that makes him feel better.
-
LOL, yea. It's a cheery revelation...
I made a new thread here (http://www.computerhope.com/forum/index.php/topic,77096.msg505073.html#new) on this with more information.
-
LOL, yea. It's a cheery revelation...
I made a new thread here (http://www.computerhope.com/forum/index.php/topic,77096.msg505073.html#new) on this with more information.
"Hey mom, let me use the computer real quick!" *Opens this up* Hmm... Let's see, post by evilfantasy, oh yay.
WHAT!?! *faints*
-
That's why I would love to give the dumb sack of potatoes who wrote Virut a good bit of fist.
Yet hopefully sometime in the near future firewalls will prevent this virus.
-
That's why I would love to give the dumb sack of potatoes who wrote Virut a good bit of fist.
Yet hopefully sometime in the near future firewalls will prevent this virus.
You need to learn a little more about firewalls. LOL
-
The original isssue was, I thought, about dirt.
What kind of dirt?
Does a good firewall keep out all kinds of dirt? :P
-
The mudwall does.
-
That's why I would love to give the dumb sack of potatoes who wrote Virut a good bit of fist.
Yet hopefully sometime in the near future firewalls will prevent this virus.
You need to learn a little more about firewalls. LOL
Some firewalls prevent programs from accessing files, running themselves... stuff of that nature.
-
That's why I would love to give the dumb sack of potatoes who wrote Virut a good bit of fist.
Yet hopefully sometime in the near future firewalls will prevent this virus.
You need to learn a little more about firewalls. LOL
Some firewalls prevent programs from accessing files, running themselves... stuff of that nature.
No, they don't. That's an AV.
A firewall simply hooks all TCP, UDP, and in some cases IPX communication calls and blocks access through certain ports, and will warn when unknown programs open ports.
In this case such protection would do nothing, as the file is a trojan (i.e. downloaded via, say, P2P or something, purposely) and then when run executes the payload of infecting files. No program-initiated internet connections are established (at least not by this particular virus).
-
A firewall is purely the Internet-facing side of a security solution. Other components monitor the other stuff.
The thing is, a lot of interprocess communication is done via Named Pipes; interestingly enough, a Socket is really just a Named Pipe that goes to another machine on the net.
So if the firewall program hooks into the "CreateNamedPipe" API, it will also be able to inspect interprocess communication. Of course there really is no way to know whether such communication is malicious, so the benefit of that is fairly low.
Also, since Named Pipes are written/read using the ubiquitous WriteFile/WriteFileEx and ReadFile/ReadFileEx API functions, hooking those will also result in the ability to hook into filesystem calls. This is far easier to inspect than interprocess communication.
Some may say, "But BC! I thought internet connections using WinSock used Sockets, not Named Pipes?"
That's true, and I may be wrong in the assertion that WinSock, while representing Socket connections at a high level, is really just using Named Pipes to remote servers deeper down (again, just an educated guess on my part).
The thing is, although "firewall" software may include these features, the features are not part of the "firewall" itself and are rather simply part of the software. Removing the features would make them no less of a firewall, and other firewalls may or may not have these features (such as Windows Firewall, which is no less of a firewall because of it).
Making a broad statement that firewalls do that is like saying that an image editor allows you to save in TGA format. Sure, a wide variety of image editors do, and it is a common practice, but basic image editors don't always have this ability, and it still makes them no less of an image editor.
See what I'm saying? :)
-
Many firewall vendors are incorporating AV technology into their product nowadays. They have to, as the traditional firewall was getting easier and easier to exploit.
The tricky part is doing it so the AV and FW don't "argue" with one another...
-
Well there I went and trashed your post Kieran.
I'm getting good at that lately...
Sorry, I feel like a tool
-
Okay there evil. ;D
I can see why. :-[
-
[images: the quote and modify buttons]
They are just too close together...
-
Half of me believes you and three quarters of me doesn't....
-
Half of me believes you and three quarters of me doesn't....
Wanna hear a funny story? I accidentally clicked modify instead of quote almost immediately after Steve made us moderators.... And even funnier it was one of his posts.
LOL
-
Well, not too happy about the computer killer virus.
I have lots of data I want to recover from this computer. This is my plan:
I have a 1TB USB drive to use as a data dump, and also installed a second serial drive in the infected computer (not hooked up yet).
On my last system restore I was able to remove the hard drive from the infected computer and copy the data files to a lifeboat computer. (This file contained the virus and reinfected my computer. Lifeboat computer was unaffected.)
I copied this data file to the USB drive.
Did a system restore on the infected computer.
Installing programs now.
Plan to copy the big data block onto the new hard drive and access it when necessary. Slowly bring over data files, and try to avoid this virus again.
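-
Editor's note: the plan above already ran into the failure mode that matters here: the copied data block carried the infector back onto the rebuilt machine. A file infector such as the one described in this thread lives inside executables, and an executable does not stop being one because it was renamed to look like a document. The following script is an added example, not from this thread or any of the tools it mentions: it sweeps a data dump and classifies every file by content, reading the MZ header and following e_lfanew to the PE signature, so that executables are held back from the restore whatever their extension. The sample tree it builds is constructed for the demonstration; the file names and the minimal PE stub are assumptions.

```python
"""Sweep a data dump for Win32 executables by content, not extension, before
restoring it; an infected .exe, or a PE renamed to look like a document, is
held back so it cannot reinfect the rebuilt machine."""
import struct
import tempfile
from pathlib import Path
from typing import List, Tuple

# Extensions where PE content is expected; anything else containing a PE
# header is treated as disguised.
PE_EXTENSIONS = {".exe", ".dll", ".scr", ".sys", ".ocx", ".cpl"}

# Constructed minimal PE: "MZ", e_lfanew at offset 0x3C pointing to 0x40,
# and the "PE\0\0" signature there. Enough to exercise the check; not runnable.
MINIMAL_PE = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40) + b"PE\0\0" + b"\0" * 16


def is_pe(path: Path) -> bool:
    """True if the file has an MZ header whose e_lfanew points at 'PE\\0\\0'."""
    try:
        with path.open("rb") as fh:
            head = fh.read(0x40)
            if len(head) < 0x40 or head[:2] != b"MZ":
                return False
            e_lfanew = struct.unpack_from("<I", head, 0x3C)[0]
            if e_lfanew > 0x10_0000:      # implausibly far into the file
                return False
            fh.seek(e_lfanew)
            return fh.read(4) == b"PE\0\0"
    except OSError:
        return False


def classify(root: Path) -> Tuple[List[Path], List[Path], List[Path]]:
    """Return (safe_to_copy, executables, disguised) as paths relative to root."""
    safe, execs, disguised = [], [], []
    for p in sorted(root.rglob("*"), key=lambda q: q.as_posix()):
        if not p.is_file():
            continue
        rel = p.relative_to(root)
        if is_pe(p):
            (execs if p.suffix.lower() in PE_EXTENSIONS else disguised).append(rel)
        else:
            safe.append(rel)
    return safe, execs, disguised


def build_demo_tree(root: Path) -> None:
    """Constructed sample dump: a real executable, a PE hiding behind a
    spreadsheet name, and two plain data files."""
    (root / "tools").mkdir(parents=True, exist_ok=True)
    (root / "tools" / "setup.exe").write_bytes(MINIMAL_PE)
    (root / "budget.xls").write_bytes(MINIMAL_PE)
    (root / "notes.txt").write_text("quarterly numbers\n")
    (root / "photo.jpg").write_bytes(b"\xff\xd8\xff\xe0" + b"\0" * 64)


def demo() -> dict:
    """Build the sample dump in a temp dir, classify it, and return the result
    as POSIX-style relative names."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        build_demo_tree(root)
        safe, execs, disguised = classify(root)
        return {"safe": [p.as_posix() for p in safe],
                "executables": [p.as_posix() for p in execs],
                "disguised": [p.as_posix() for p in disguised]}


if __name__ == "__main__":
    for bucket, names in demo().items():
        print(f"{bucket}: {names}")
```

Only the "safe" bucket is worth copying onto the rebuilt machine; the "executables" bucket is reinstalled from original media rather than restored, and anything in "disguised" deserves a hard look before it is opened anywhere. The thread's own description says the infector touches more than just .exe and .dll, so treat the remaining files as untrusted until an up-to-date scanner has been over the dump as well.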
-
Hopefully it works out for you.