
Sony Vaio Notebook



Just ran downloaded Malwarebytes on another computer, updated and scanned, and it started shutting down during the scan, went back to the welcome screen. When I log in to either account it immediately starts logging off... Prior to running the scan I could get into the account (no Internet access) and it had a flashing wallpaper announcing I was infected...

Nothing out of the ordinary in Add and Remove Software... But during the scan, it seems a lot of items were found: lots of things in the temp file and Microsoft Live Messenger...

It made a log, and I believe I saved it... I will be able to load Mepis, a Linux Live CD, to look for the log, and use it to post here...

But for the moment it seems starting windows is going to be a problem...

I will be right back with the log, and hope someone can assist me in getting Windows XP back up to start the clean-up process...

Note I tried to make a restore point prior to running Malwarebytes, but it would not let me accomplish that feat...

JR


I have not tried, but maybe I can go back to the last recovery point and load HijackThis from CD...

I am not certain, as this does not provide anyone with much to go on...

JR

Malwarebytes' Anti-Malware 1.34

Database version: 1815

Windows 5.1.2600 Service Pack 3

3/3/2009 4:37:59 PM

mbam-log-2009-03-03 (16-37-59).txt

Scan type: Full Scan (C:\|)

Objects scanned: 35624

Time elapsed: 23 minute(s), 34 second(s)

Memory Processes Infected: 4

Memory Modules Infected: 4

Registry Keys Infected: 31

Registry Values Infected: 5

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 8

Memory Processes Infected:

C:\Documents and Settings\elena\Application Data\cogad\cogad.exe (Trojan.Downloader) -> Unloaded process successfully.

C:\Documents and Settings\elena\Application Data\Twain\Twain.exe (Adware.Agent) -> Unloaded process successfully.

C:\Documents and Settings\elena\Application Data\SpeedRunner\SpeedRunner.exe (Adware.SurfAccuracy) -> Unloaded process successfully.

C:\Documents and Settings\elena\Application Data\Microsoft\Windows\mngjf.exe (Trojan.Vundo) -> Unloaded process successfully.

Memory Modules Infected:

C:\WINDOWS\Temp\ntdll64.dll (Trojan.FakeAlert) -> Delete on reboot.

C:\Program Files\Windows Live\Messenger\msimg32.dll (Adware.MyWebSearch) -> Delete on reboot.

C:\Program Files\WebShow\WebShow.dll (Trojan.BHO) -> Delete on reboot.

C:\Program Files\Mjcore\Mjcore.dll (Trojan.BHO) -> Delete on reboot.

Registry Keys Infected:

HKEY_CLASSES_ROOT\TypeLib\{63334394-3da3-4b29-a041-03535909d361} (Trojan.BHO) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\Interface\{2e4a04a1-a24d-45ae-aca4-949778400813} (Trojan.BHO) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\CLSID\{15421b84-3488-49a7-ad18-cbf84a3efaf6} (Trojan.BHO) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{15421b84-3488-49a7-ad18-cbf84a3efaf6} (Trojan.BHO) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{15421b84-3488-49a7-ad18-cbf84a3efaf6} (Trojan.BHO) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\TypeLib\{e0f01490-dcf3-4357-95aa-169a8c2b2190} (Trojan.BHO) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\Interface\{17e44256-51e0-4d46-a0c8-44e80ab4ba5b} (Trojan.BHO) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\CLSID\{d88e1558-7c2d-407a-953a-c044f5607cea} (Trojan.BHO) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{d88e1558-7c2d-407a-953a-c044f5607cea} (Trojan.BHO) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{d88e1558-7c2d-407a-953a-c044f5607cea} (Trojan.BHO) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\bho_cpv.workhorse (Trojan.Agent) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\bho_cpv.workhorse.1 (Trojan.Agent) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\bho_myjavacore.mjcore (Trojan.BHO) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\bho_myjavacore.mjcore.1 (Trojan.BHO) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\Interface\{2e9937fc-cf2f-4f56-af54-5a6a3dd375cc} (Adware.MyWebSearch) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\Interface\{cf54be1c-9359-4395-8533-1657cf209cfe} (Adware.MyWebSearch) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\CLSID\{147a976f-eee1-4377-8ea7-4716e4cdd239} (Adware.MyWebSearch) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\CLSID\{a4730ebe-43a6-443e-9776-36915d323ad3} (Adware.MyWebSearch) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\Typelib\{d518921a-4a03-425e-9873-b9a71756821e} (Adware.MyWebSearch) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\AppID\{80ef304a-b1c4-425c-8535-95ab6f1eefb8} (Trojan.BHO) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{07b18ea9-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{07b18ea1-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{00a6faf1-072e-44cf-8957-5838f569a31d} (Adware.MyWebSearch) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{56256a51-b582-467e-b8d4-7786eda79ae0} (Trojan.Vundo) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{1d4db7d2-6ec9-47a3-bd87-1e41684e07bb} (Adware.MyWebSearch) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{59c7fc09-1c83-4648-b3e6-003d2bbc7481} (Adware.MyWebSearch) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{68af847f-6e91-45dd-9b68-d6a12c30e5d7} (Adware.MyWebSearch) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{9170b96c-28d4-4626-8358-27e6caeef907} (Adware.MyWebSearch) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{d1a71fa0-ff48-48dd-9b6d-7a13a3e42127} (Adware.MyWebSearch) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{ddb1968e-ead6-40fd-8dae-ff14757f60c7} (Adware.MyWebSearch) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{f138d901-86f0-4383-99b6-9cdd406036da} (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Registry Values Infected:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cogad (Trojan.Downloader) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\twain (Adware.Agent) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\speedrunner (Adware.SurfAccuracy) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sfkg6wip (Trojan.Vundo) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser\{07b18ea9-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\WINDOWS\Temp\ntdll64.dll (Trojan.FakeAlert) -> Delete on reboot.

C:\Program Files\Windows Live\Messenger\msimg32.dll (Adware.MyWebSearch) -> Delete on reboot.

C:\Documents and Settings\elena\Application Data\cogad\cogad.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\Documents and Settings\elena\Application Data\Twain\Twain.exe (Adware.Agent) -> Quarantined and deleted successfully.

C:\Documents and Settings\elena\Application Data\SpeedRunner\SpeedRunner.exe (Adware.SurfAccuracy) -> Quarantined and deleted successfully.

C:\Documents and Settings\elena\Application Data\Microsoft\Windows\mngjf.exe (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\Program Files\WebShow\WebShow.dll (Trojan.BHO) -> Delete on reboot.

C:\Program Files\Mjcore\Mjcore.dll (Trojan.BHO) -> Delete on reboot.


Starting in safe mode, administrator, and the other two accounts all start with loading your personal settings, then immediately switch to saving your settings... I am effectively locked out... but I did download HijackThis per the sticky and placed it on the desktop if I can get back into Windows some way...

JR


  • Root Admin

Please download, burn and run this and see if you can then log on to Windows.

Avira AntiVir Rescue System

Requires access to a working computer with a CD/DVD burner to create a bootable CD.

  • Download the Avira AntiVir Rescue System from here.
  • Place a blank CD in your burner and double-click on the downloaded file.
  • The program will automatically burn the CD for you.
  • Place the burned CD into the affected computer and start the computer from this CD.
  • On the bottom left side of the screen there are 2 flags. Using your mouse, click on the British flag to use English.
  • Click on the Configuration button.
    • Select Scan all files
    • Select Try to repair infected files and Rename files, if they cannot be removed
    • Select Scan for dialers
    • Select Scan for joke programs (Jokes)
    • Select Scan for games
    • Select Scan for spyware (SPR)
  • Click on Virus scanner
  • Click on Start scanner at the bottom of the screen
  • Currently the program does not support saving a log. Write down the amount of items for Records, Suspect files, and Warnings.

The Avira AntiVir Rescue System is a Linux-based application that allows accessing computers that cannot be booted anymore and is updated several times a day so that the most recent security updates are always available.

Screen resolution problems

Please see the post here if you're unable to view the entire screen of Avira.

I did not have a working Windows, so I used the computer next door and am running the Avira AntiVir Rescue System now...

mousehook.dll << Is the Trojan horse TR/Crypt.Gen

ntd1164.dll << Is the Trojan horse TR/BHO.mme

SRUninstall.exe << Is the Trojan horse TR/Dlr.Agent.aldb

f3Setup1.exe << Contains detection pattern of the AD- or Scanware ADSPY/FunWeb.102

Live?Messenger/riched20.dll << Contains detection pattern of the AD- or Scanware ADSPY/Mywebsearch.24576.8

NPMyWebbS.dll << Contains detection pattern of the AD- or Scanware ADSPY/Adspy.Gen

system32/998.exe << Is the Trojan horse TR/Dldr.Agent.GTZ

system32/senekaeqtmstv.dll << Is the Trojan horse TR/Crypt.XPACK.GEN

system32/senekaidihfbfp.dll << Contains detection pattern of rootkit RKIT/Agent.hcq

system32/seneksnticxtbv.dll << Is the Trojan horse TR/Crypt.XPACK.GEN

system32/prunnet.exe << Is the Trojan horse TR/Dlr.Agent.bpik

system32/goMefecB.dll << Is the Trojan horse TR/Crypt.XPACK.GEN

system32/tuvTmklsyA.dll << Is the Trojan horse TR/Crypt.XPACK.GEN

system32/cbXolklk.dll << Is the Trojan horse TR/Crypt.XPACK.GEN

stem32/dllcache/userinit.exe << Is the Trojan horse TR/Crypt.XPACK.GEN

system32/drivers/senekapeqqpctf.sys << Contains detection pattern of rootkit RKIT/Agent.67584

content.IE5/2RSG30Pl/lsp[1].exe << Is the Trojan horse TR/Crypt.XPACK.GEN

Now going to scan again with "Try to repair infected files" and "Rename files, if they cannot be removed" checked; will post again after I try to boot.

JR
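The two scan outputs in this thread (the Malwarebytes log earlier and the Avira Rescue System lines above) use different line formats and name files differently, which makes it easy to miss that one tool found things the other did not, and that several MBAM items were left as "Delete on reboot" on a machine that never got a clean reboot. The following is an added example, not code from the thread or from either vendor: it parses short excerpts of both formats (constructed from the lines posted above) and merges them by file name. The regular expressions, the `reconcile` function and the excerpt strings are all assumptions made for this illustration.

```python
"""Reconcile findings from two scanners run over the same disk.

Added example, not part of the original thread. Parses the MBAM 1.34 log
line format and the Avira Rescue System lines as pasted in the thread, then
merges them by file name so that items one tool missed, and items MBAM left
pending a reboot, stand out. Sample inputs are constructed excerpts.
"""
import re
from collections import defaultdict

# Constructed excerpt in the MBAM log format quoted earlier in the thread.
MBAM_LOG = r"""Memory Modules Infected:
C:\WINDOWS\Temp\ntdll64.dll (Trojan.FakeAlert) -> Delete on reboot.
C:\Program Files\Mjcore\Mjcore.dll (Trojan.BHO) -> Delete on reboot.
Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cogad (Trojan.Downloader) -> Quarantined and deleted successfully.
Files Infected:
C:\WINDOWS\Temp\ntdll64.dll (Trojan.FakeAlert) -> Delete on reboot.
C:\Documents and Settings\elena\Application Data\cogad\cogad.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
"""

# Constructed excerpt in the Avira Rescue System format pasted above.
AVIRA_OUT = """system32/998.exe << Is the Trojan horse TR/Dldr.Agent.GTZ
system32/drivers/senekapeqqpctf.sys << Contains detection pattern of rootkit RKIT/Agent.67584
stem32/dllcache/userinit.exe << Is the Trojan horse TR/Crypt.XPACK.GEN
"""

# "<item> (<family>) -> <action>."  Greedy item so paths containing " (" still parse.
MBAM_LINE = re.compile(r"^(?P<item>.+) \((?P<family>[^)]+)\) -> (?P<action>.+?)\.?$")
# "<path> << <free text> <SIGNATURE>"  where the signature looks like TR/..., RKIT/..., ADSPY/...
AVIRA_LINE = re.compile(r"^(?P<item>\S+) << (?P<text>.+?) (?P<sig>[A-Z]+/\S+)$")


def parse_mbam(text):
    """Return a list of {section, item, family, action} dicts from MBAM log text."""
    findings, section = [], None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.endswith(":"):          # section header such as "Files Infected:"
            section = line[:-1]
            continue
        m = MBAM_LINE.match(line)
        if m and section:
            findings.append({"section": section, **m.groupdict()})
    return findings


def parse_avira(text):
    """Return a list of {item, sig, kind} dicts; kind is the signature prefix (TR, RKIT, ADSPY)."""
    out = []
    for line in text.splitlines():
        m = AVIRA_LINE.match(line.strip())
        if m:
            sig = m.group("sig")
            out.append({"item": m.group("item"), "sig": sig, "kind": sig.split("/")[0]})
    return out


def basename(path):
    """Last path component, lower-cased, for either Windows or POSIX separators."""
    return re.split(r"[\\/]", path)[-1].lower()


def reconcile(mbam, avira):
    """Merge both result sets by file name.

    Registry sections are skipped because only file names can be matched across tools.
    'pending_reboot' lists MBAM items whose removal depended on a reboot that never
    completed cleanly; 'only_avira' lists files the first scan did not report at all.
    """
    seen = defaultdict(set)
    for f in mbam:
        if "Registry" not in f["section"]:
            seen[basename(f["item"])].add("mbam")
    for f in avira:
        seen[basename(f["item"])].add("avira")
    pending = sorted({basename(f["item"]) for f in mbam
                      if f["action"].startswith("Delete on reboot")})
    only_avira = sorted(n for n, tools in seen.items() if tools == {"avira"})
    return {"pending_reboot": pending, "only_avira": only_avira, "all": dict(seen)}


if __name__ == "__main__":
    report = reconcile(parse_mbam(MBAM_LOG), parse_avira(AVIRA_OUT))
    for key in ("pending_reboot", "only_avira"):
        print(f"{key}: {', '.join(report[key])}")
```

Run against the full logs, the `only_avira` list is where a responder would look first: in this thread it is where the `system32/drivers/*.sys` rootkit driver and the tampered `userinit.exe` show up, neither of which appears in the MBAM log.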


Scanned, and removed or renamed the above... System still will not run Windows XP, and will not load Windows in safe mode either! After typing in a password on any account it appears to load (loading personal settings), immediately shows the desktop image for a split second and then returns to the welcome screen (saving your settings) and sits waiting at the welcome screen... After a while the screen saver will engage, and display lots of lovely Vaio screens...

I do not have recovery media, might you have another suggestion?

JR


  • Root Admin

I'm guessing here that userinit.exe may be infected or deleted. It could also be a bad registry entry.

You will at least need access to another computer with a working CD burner. You can then copy their userinit.exe file to CD and copy it over using one of the Linux boot CDs.

Take a look here and see if this CD can help you out. Trinity Rescue Kit

They also have a support forum like this if you need assistance. The USERINIT.EXE file is stored in the C:\WINDOWS\SYSTEM32 folder.

I would try to copy that file from a working computer to the infected computer and then try to boot up.
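The diagnosis above names two offline checks that can be done from a Linux live CD before replacing anything: whether the Winlogon Userinit registry value still points at the stock `userinit.exe` with nothing appended, and whether the `userinit.exe` on disk matches a copy from a known-good machine. The following is an added example, not code from the thread: it assumes the infected disk is mounted at some root path and that the Userinit value string was read with an offline registry tool and is passed in by hand, along with a SHA-256 hash taken from a clean machine with the same OS and service pack. All function names, the `demo()` fake mount and the sample value string are assumptions constructed for this illustration.

```python
"""Offline checks for the XP logon-loop cause discussed in the thread.

Added example, not from the thread or from any vendor tool. Assumes the
infected disk is mounted (read-only) from a Linux live CD and that the
Winlogon Userinit value and a known-good userinit.exe hash are supplied
by hand. The demo() function builds a constructed fake mount so the checks
can be exercised without a real disk.
"""
import hashlib
import os
import tempfile

# Stock XP Userinit first entry, compared case-insensitively.
EXPECTED_USERINIT = r"c:\windows\system32\userinit.exe"


def check_userinit_value(value):
    """Split the comma-separated Userinit value and report anything unexpected.

    The stock value is 'C:\\WINDOWS\\system32\\userinit.exe,' (note the trailing
    comma). A first entry that is missing or points elsewhere gives exactly the
    'loading settings -> saving settings' loop; extra entries appended after the
    comma are a persistence technique worth flagging even if logon still works.
    """
    entries = [e.strip() for e in value.split(",") if e.strip()]
    if not entries:
        return {"ok": False, "reason": "Userinit value is empty", "extra": []}
    first = entries[0].strip('"').lower()
    extra = entries[1:]
    if first != EXPECTED_USERINIT:
        return {"ok": False, "reason": f"first entry is {entries[0]!r}", "extra": extra}
    if extra:
        return {"ok": False, "reason": "unexpected extra entries", "extra": extra}
    return {"ok": True, "reason": "stock value", "extra": []}


def sha256_file(path):
    """SHA-256 of a file, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def check_userinit_file(mount_root, reference_sha256):
    """Compare userinit.exe (and its dllcache copy) against a known-good hash.

    The dllcache copy is checked but never used as the reference: in the thread
    the rescue scanner flagged dllcache/userinit.exe as infected as well, so only
    a copy from another, clean machine can serve as the baseline. Linux NTFS mounts
    are case-sensitive, so the directory name must match the real one (WINDOWS here).
    """
    candidates = [
        os.path.join(mount_root, "WINDOWS", "system32", "userinit.exe"),
        os.path.join(mount_root, "WINDOWS", "system32", "dllcache", "userinit.exe"),
    ]
    report = {}
    for path in candidates:
        if not os.path.isfile(path):
            report[path] = "missing"
        elif sha256_file(path) == reference_sha256:
            report[path] = "matches reference"
        else:
            report[path] = "DIFFERS from reference"
    return report


def demo():
    """Constructed fake mount in a temp dir: tampered system32 copy, clean dllcache copy,
    and a Userinit value with a placeholder executable appended after the comma."""
    root = tempfile.mkdtemp()
    sys32 = os.path.join(root, "WINDOWS", "system32")
    os.makedirs(os.path.join(sys32, "dllcache"))
    good = b"MZ-constructed-good-userinit"        # stands in for a clean binary
    tampered = b"MZ-constructed-tampered-userinit"
    with open(os.path.join(sys32, "userinit.exe"), "wb") as f:
        f.write(tampered)
    with open(os.path.join(sys32, "dllcache", "userinit.exe"), "wb") as f:
        f.write(good)
    reference = hashlib.sha256(good).hexdigest()   # hash you would take from a clean machine
    files = check_userinit_file(root, reference)
    value = check_userinit_value(r"C:\WINDOWS\system32\userinit.exe,C:\constructed\extra.exe")
    return {"files": files, "value": value}


if __name__ == "__main__":
    result = demo()
    for path, status in result["files"].items():
        print(f"{status:24} {path}")
    print("Userinit value:", result["value"])
```

If the file differs or is missing, copying a known-good `userinit.exe` over it is the step the post above describes; if the value check fails, the registry entry also has to be repaired, which is why replacing the file alone did not resolve the loop later in this thread.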


Done, still not working: I moved the file with a Linux Live CD... Windows still loads, but saves settings immediately and waits at the welcome screen...

Recovery media will arrive tomorrow, via Fed Ex, and I have grabbed the documents I needed to save...

This is a new one that went beyond my knowledge, but my time is far too short at the moment to continue working with this infected system...

I wish we had a Live Linux CD with HijackThis that could e-mail a log to be used... Again thanks for all the help, as I will take the faster route this time...

JR


  • Root Admin

Well, there are a couple of other methods, but since you're in a hurry I'm assuming you don't have time to continue with this and are planning on a wipe and re-install.

This should be a bit of a learning experience though. You should prepare a working Ultimate Boot CD for Windows for future such issues if they were to arise. Also make sure you do data backups frequently as hardware also fails often at the worst times.

Let me know if you do want to pursue other methods of recovery or not; otherwise I'll go ahead and close this post soon.

http://www.malwarebytes.org/forums/index.php?showtopic=4693

Thanks.


  • 2 weeks later...
  • Root Admin

Due to the lack of feedback this Topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

The fixes and advice in this thread are for this machine only. Do not apply the instructions from this thread to your own machine. Please start a new thread describing your issue and someone will be along to assist you.
