sandela

Everything posted by sandela

  1. Will that erase my machine's current memory? Also, while playing around a bit, I realised HijackThis won't work because whatever is on my computer is changing the permissions for the file. I changed the permissions manually and it ran for all of 4 seconds before closing. The malware reversed my manual change....does this help anything? Do you still have the same recommendation?
  2. ....hmmm. Same thing as when I tried to get exehelper onto my desktop happened. However...it did leave a file with a *.part file extension on my desktop when I tried to download it...if that's at all helpful...
  3. Bah! Doesn't work.... It installs the program, and while updating, it says "Update has failed. Program has failed to start. Close the Kaspersky Online Scanner 7.0 window and open it again to install the program. You must be online to update the Kaspersky Online Scanner 7 database. With the latest database updates, you can find new viruses and other threats. Please go online to use Kaspersky Online Scanner 7. [ERROR: Key is expired]
  4. Okay, I'm back on the internet, and my computer isn't doing the weird popup thing anymore. iexplore only works for a short time before crashing. Firefox seems stable --But I still can't get the exehelper onto my desktop, and I'm being redirected from sites like malwarebytes when I click on links from google.
  5. No, that didn't help. Still won't give me "permission" if I try to transfer it from a USB; still saying it's finished downloading, without actually being anywhere on my system. In fact, after I download it, on the firefox "downloads" window, if I right-click it, "Open" and "Open Containing Folder" are unavailable options (light grey). If I try on iexplore, it just doesn't show up wherever I download it to.
  6. I also tried to get it onto my system by using a usb key first and then transferring it over...it says I do not have permission to do this.
  7. I cannot get this to download onto my desktop. It will complete the download and then...nothing. It's not on my desktop or anywhere else on my computer. I tried renaming it, which doesn't help.
  8. I'm having difficulty figuring out this persistent malware. I think it's likely that there are multiple issues. I'm running Windows Vista.

     The malware started off with "Google redirect" symptoms and disabling my Symantec software. Shortly following, I could no longer access the web. However, the malware itself would create an Internet Explorer popup every 5-10 minutes (not my default browser) that would go to "search sites" (none that I recognized...) and search for lewd topics. Running the Task Manager would show multiple instances of iexplore.exe running on my machine (one for each popup). The popups would have to be eliminated one by one using the Task Manager. Trying to run a System Restore, I discovered all restore points had been deleted.

     I installed AVG antivirus and got it to run once, which seemed to help the problem. However, upon restart, all issues were back and I could no longer run AVG. Windows Defender constantly pops up that a new trojan is attacking my machine. At this point, I unplugged my internet connection and started using another machine.

     I had left my problematic computer alone for about a month. Upon turning it on last night, each time I logged on, it gave me a warning that "Windows had encountered a critical error and will restart in one minute" and would restart. I tried running cmd (in that one minute) to intercept it, but the Task Manager would freeze if I tried to run it from there, and Explorer would freeze if I tried to run it from there. I also discovered my Guest account is not working. I restarted in Safe Mode and ran msconfig and disabled all non-Microsoft services. Upon restarting my computer, I found I could successfully log on (although the Guest account is still not working).

     At this point I figured I ought to post a HijackThis log to a forum. My computer would not let me install using HJTinstall.exe, so I renamed it to HJTinstall.scr. After installation, HijackThis ran for about 1 second and closed abruptly.

     My machine will not run HijackThis, nor will it let me rename it. If I try to run it, it says that it cannot access the file, device or path and perhaps I don't have permission, and if I try to rename it, it says that I need permission to do so and asks if I'd like to try again. Right-clicking does absolutely nothing. This is all the same in Safe Mode, although right-clicking in Safe Mode will at least bring up the options. I'm out of ideas. Any help would be greatly appreciated.
  9. Caught some nasty malware recently and removed it with Malwarebytes. Ever since, my network drivers are dead and I can't figure out how to revive them. Any help would be appreciated! Thanks!

     Malwarebytes' Anti-Malware 1.41
     Database version: 2775
     Windows 5.1.2600 Service Pack 3

     10/21/2009 6:07:23 PM
     mbam-log-2009-10-21 (18-07-23).txt

     Scan type: Full Scan (C:\|)
     Objects scanned: 252887
     Time elapsed: 1 hour(s), 32 minute(s), 35 second(s)

     Memory Processes Infected: 3
     Memory Modules Infected: 1
     Registry Keys Infected: 13
     Registry Values Infected: 17
     Registry Data Items Infected: 9
     Folders Infected: 4
     Files Infected: 26

     Memory Processes Infected:
     C:\WINDOWS\system32\reader_s.exe (Trojan.Agent) -> Unloaded process successfully.
     C:\WINDOWS\system32\servises.exe (Trojan.Agent) -> Unloaded process successfully.
     C:\Documents and Settings\Sandy\reader_s.exe (Trojan.Agent) -> Unloaded process successfully.

     Memory Modules Infected:
     c:\WINDOWS\system32\BtwSrv.dll (Trojan.Agent) -> Delete on reboot.

     Registry Keys Infected:
     HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\btwsrv (Trojan.Agent) -> Quarantined and deleted successfully.
     HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\btwsrv (Trojan.Agent) -> Quarantined and deleted successfully.
     HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\btwsrv (Trojan.Agent) -> Quarantined and deleted successfully.
     HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{76dc0b63-1533-4ba9-8be8-d59eb676fa02} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
     HKEY_CURRENT_USER\SOFTWARE\NordBull (Malware.Trace) -> Quarantined and deleted successfully.
     HKEY_CURRENT_USER\SOFTWARE\XML (Trojan.FakeAlert) -> Quarantined and deleted successfully.
     HKEY_LOCAL_MACHINE\SOFTWARE\AGprotect (Malware.Trace) -> Quarantined and deleted successfully.
     HKEY_LOCAL_MACHINE\SOFTWARE\Illysoft (Rogue.SpyNoMore) -> Quarantined and deleted successfully.
     HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\net (Trojan.Agent) -> Quarantined and deleted successfully.
     HKEY_LOCAL_MACHINE\SOFTWARE\xpreapp (Malware.Trace) -> Quarantined and deleted successfully.
     HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\restore (Rootkit.Agent) -> Quarantined and deleted successfully.
     HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\tcpsr (Trojan.Agent) -> Quarantined and deleted successfully.
     HKEY_CURRENT_USER\SOFTWARE\poprock (Trojan.Downloader) -> Quarantined and deleted successfully.

     Registry Values Infected:
     HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\servises (Trojan.FakeAlert.H) -> Delete on reboot.
     HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\reader_s (Trojan.FakeAlert.H) -> Quarantined and deleted successfully.
     HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\servises (Trojan.FakeAlert.H) -> Delete on reboot.
     HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\reader_s (Trojan.FakeAlert.H) -> Quarantined and deleted successfully.
     HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\servises (Trojan.Agent) -> Delete on reboot.
     HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\servises (Trojan.Agent) -> Delete on reboot.
     HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\General\wallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.
     HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\BuildW (Malware.Trace) -> Quarantined and deleted successfully.
     HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\FirstInstallFlag (Malware.Trace) -> Quarantined and deleted successfully.
     HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\guid (Malware.Trace) -> Quarantined and deleted successfully.
     HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\i (Malware.Trace) -> Quarantined and deleted successfully.
     HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\uid (Malware.Trace) -> Quarantined and deleted successfully.
     HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Ulrn (Malware.Trace) -> Quarantined and deleted successfully.
     HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Update (Malware.Trace) -> Quarantined and deleted successfully.
     HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\UpdateNew (Malware.Trace) -> Quarantined and deleted successfully.
     HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Regedit32 (Trojan.Agent) -> Quarantined and deleted successfully.
     HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\poprock (Trojan.Downloader) -> Quarantined and deleted successfully.

     Registry Data Items Infected:
     HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: crnbdht.dll -> Delete on reboot.
     HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\NoChangingWallpaper (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
     HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
     HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetActiveDesktop (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
     HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\activedesktop\NoChangingWallpaper (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
     HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
     HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetActiveDesktop (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
     HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
     HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.Userinit) -> Bad: (C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\drivers\smss.exe) Good: (Userinit.exe) -> Quarantined and deleted successfully.

     Folders Infected:
     C:\Documents and Settings\All Users\Application Data\55647128 (Rogue.Multiple) -> Quarantined and deleted successfully.
     C:\Program Files\AdvancedVirusRemover (Rogue.AdvancedVirusRemover) -> Quarantined and deleted successfully.
     C:\Program Files\Protection System (Rogue.ProtectionSystem) -> Quarantined and deleted successfully.
     C:\Documents and Settings\Sandy\Start Menu\Programs\Windows AntiVirus Pro (Rogue.WindowsAntiVirus) -> Quarantined and deleted successfully.

     Files Infected:
     C:\WINDOWS\crnbdht.dll (Trojan.Vundo.H) -> Delete on reboot.
     C:\WINDOWS\system32\servises.exe (Trojan.FakeAlert.H) -> Delete on reboot.
     C:\Documents and Settings\Sandy\reader_s.exe (Trojan.FakeAlert.H) -> Quarantined and deleted successfully.
     C:\WINDOWS\system32\reader_s.exe (Trojan.FakeAlert.H) -> Quarantined and deleted successfully.
     c:\WINDOWS\system32\BtwSrv.dll (Trojan.Agent) -> Delete on reboot.
     C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\470HE9W3\w[1].bin (Backdoor.Bot) -> Quarantined and deleted successfully.
     C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\ITEPYXQD\w[1].bin (Backdoor.Bot) -> Quarantined and deleted successfully.
     C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\S5S5O5QZ\w[1].bin (Backdoor.Bot) -> Quarantined and deleted successfully.
     C:\Documents and Settings\All Users\Application Data\55647128\55647128.exe (Rogue.Multiple) -> Quarantined and deleted successfully.
     C:\Program Files\AdvancedVirusRemover\PAVRM.exe (Rogue.AdvancedVirusRemover) -> Quarantined and deleted successfully.
     C:\Documents and Settings\Sandy\Start Menu\Programs\Windows AntiVirus Pro\Windows Antivirus Pro.lnk (Rogue.WindowsAntiVirus) -> Quarantined and deleted successfully.
     C:\Documents and Settings\Sandy\Desktop\Advanced Virus Remover.lnk (Rogue.AdvancedVirusRemover) -> Quarantined and deleted successfully.
     C:\Documents and Settings\Sandy\Desktop\Windows Antivirus Pro.lnk (Rogue.WindowsAntiVirus) -> Quarantined and deleted successfully.
     C:\Documents and Settings\Sandy\Application Data\Microsoft\Internet Explorer\Quick Launch\Advanced Virus Remover.lnk (Rogue.AdvancedVirusRemover) -> Quarantined and deleted successfully.
     C:\Documents and Settings\Sandy\Start Menu\Advanced Virus Remover.lnk (Rogue.AdvancedVirusRemover) -> Quarantined and deleted successfully.
     C:\WINDOWS\system32\net.net (Trojan.Agent) -> Quarantined and deleted successfully.
     C:\WINDOWS\system32\p2hhr.bat (Malware.Trace) -> Quarantined and deleted successfully.
     C:\WINDOWS\system32\winupdate.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
     C:\WINDOWS\Temp\nsrbgxod.bak (Trojan.Agent) -> Quarantined and deleted successfully.
     C:\Documents and Settings\Sandy\Local Settings\Temp\nsrbgxod.bak (Trojan.Agent) -> Delete on reboot.
     C:\Documents and Settings\Sandy\Local Settings\Temp\prun.tmp (Trojan.Dropper) -> Quarantined and deleted successfully.
     C:\Documents and Settings\Sandy\oashdihasidhasuidhiasdhiashdiuasdhasd (Malware.Trace) -> Quarantined and deleted successfully.
     C:\WINDOWS\msa.exe (Trojan.Agent) -> Quarantined and deleted successfully.
     C:\WINDOWS\Tasks\{7B02EF0B-A410-4938-8480-9BA26420A627}.job (Trojan.Downloader) -> Quarantined and deleted successfully.
     C:\WINDOWS\Tasks\{BB65B0FB-5712-401b-B616-E69AC55E2757}.job (Trojan.Downloader) -> Quarantined and deleted successfully.
     C:\Documents and Settings\Sandy\Local Settings\Temp\b.exe (Trojan.Downloader) -> Delete on reboot.
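The Malwarebytes log in the post above is a compact catalogue of the persistence points this family used: the Winlogon\Userinit value extended with a second executable (a fake smss.exe under system32\drivers), an extra DLL in LSA "Notification Packages" (loaded by lsass.exe at boot, which is why "Delete on reboot" keeps appearing), Run and Policies\Explorer\Run values in both hives, a DisableTaskMgr policy, and GUID-named .job files in the Tasks folder. After a cleanup like this, or when tools such as HijackThis are being killed as in post 8, it is worth re-checking those exact locations from an elevated PowerShell prompt. The script below is an added example written for this page, not code from the thread or from Malwarebytes; the "known good" baselines (only userinit.exe in Userinit, only scecli in Notification Packages) and the path heuristics for Run entries are assumptions for a default XP/Vista build and should be adjusted for machines with legitimate password filters or vendor startup items.

```powershell
# Added example (not from the original thread): re-audit the persistence
# locations listed in the Malwarebytes log. Run from an elevated prompt.
# Baselines marked "assumption" are for a stock XP/Vista install.

$findings = New-Object System.Collections.Generic.List[object]
function Add-Finding($Location, $Detail) {
    $findings.Add([pscustomobject]@{ Location = $Location; Detail = $Detail })
}

# 1. Winlogon\Userinit. The log shows it hijacked to
#    "userinit.exe,C:\WINDOWS\system32\drivers\smss.exe".
#    Assumption: the only legitimate entry is userinit.exe itself.
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$userinit = (Get-ItemProperty -Path $winlogon -Name Userinit).Userinit
foreach ($entry in $userinit.Split(',')) {
    $entry = $entry.Trim()
    if ($entry -eq '') { continue }
    if ($entry -notmatch '^([a-z]:\\windows\\system32\\)?userinit\.exe$') {
        Add-Finding 'Winlogon\Userinit' "unexpected entry: $entry"
    }
}

# 2. LSA Notification Packages: every listed DLL is loaded into lsass.exe.
#    Assumption: "scecli" is the only default; add your password filters here.
$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$packages = (Get-ItemProperty -Path $lsa -Name 'Notification Packages').'Notification Packages'
$knownPackages = @('scecli')
foreach ($pkg in $packages) {
    if ($knownPackages -notcontains $pkg) {
        Add-Finding 'LSA\Notification Packages' "unknown package: $pkg"
    }
}

# 3. Run and Policies\Explorer\Run in both hives. Flag commands whose image
#    lives in a Temp dir, a user profile, or directly in the Windows root,
#    the three places the log's servises.exe / reader_s.exe / msa.exe sat.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'
)
$suspiciousPath = '(\\Temp\\|Documents and Settings|\\Users\\|^"?[a-z]:\\windows\\[^\\]+\.exe)'
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    $props.PSObject.Properties |
        Where-Object { $_.Name -notlike 'PS*' } |
        ForEach-Object {
            if ("$($_.Value)" -match $suspiciousPath) {
                Add-Finding "$key\$($_.Name)" $_.Value
            }
        }
}

# 4. Policies that cripple the user's own tools (the log had DisableTaskMgr=1).
foreach ($hive in 'HKLM', 'HKCU') {
    $pol = "$hive`:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
    if (Test-Path $pol) {
        $v = (Get-ItemProperty -Path $pol -ErrorAction SilentlyContinue).DisableTaskMgr
        if ($v -eq 1) { Add-Finding "$pol\DisableTaskMgr" 'Task Manager disabled by policy' }
    }
}

# 5. Legacy scheduled-task files with GUID names, as in the log's two .job entries.
Get-ChildItem -Path "$env:SystemRoot\Tasks" -Filter '*.job' -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -match '^\{[0-9A-F-]{36}\}\.job$' } |
    ForEach-Object { Add-Finding 'Tasks' $_.FullName }

if ($findings.Count -eq 0) { 'No findings in the audited locations.' }
else { $findings | Format-Table -AutoSize }
```

Treat an empty result as "nothing in these six places", not as a clean machine: the same log also shows a service (btwsrv), a BHO entry under Ext\Stats and files in the LocalService IE cache, none of which this script looks at. If the Notification Packages check fires, the listed DLL is already inside lsass.exe, so remove the value and reboot before judging whether the file deletion stuck.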