
Thread: Please Help, Can't get clean!

  1. #1
    Member Bithpq
    Join Date
    Dec 2008
    Location
    127.0.0.1
    Posts
    74

    Please Help, Can't get clean!

    Every time I connect to the internet, without even opening up a browser, my computer gets infected with the same virus. I clean my computer with SpyBot, then Malwarebytes, and rescan to make sure it is clean. After I have cleaned my computer I think it would be safe to go back online, but when I do my computer is infected by all the same files again. Please help. This virus spread to two other computers, but only this one is online. I think that the other computers are also infected, but SpyBot and Malwarebytes don't find anything. Any help would be nice.

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 1:09:45 PM, on 4/26/2009
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    Boot mode: Normal

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
    C:\WINNT\System32\svchost.exe
    C:\PROGRA~1\MTS\ENTERN~1\app\pppoeservice.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\System32\tcpsvcs.exe
    c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
    C:\WINNT\system32\stisvc.exe
    C:\WINNT\system32\WFXSVC.EXE
    C:\Program Files\Symantec\WinFax\WFXMOD32.EXE
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\hkcmd.exe
    C:\WINNT\system32\wfxsnt40.exe
    H:\Program Files\QUICKENW\QAGENT.EXE
    C:\Program Files\Java\jre6\bin\jusched.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    D:\Program Files\Adobe Pro 6\Distillr\acrotray.exe
    C:\Program Files\Symantec\WinFax\WFXCTL32.EXE
    C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
    C:\WINNT\system32\mrtMngr.EXE
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\explorer.exe
    C:\WINNT\TEMP\vyhoz8l3.exe
    C:\WINNT\TEMP\vyhoz8l3.exe
    C:\WINNT\explorer.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\WINNT\system32\wfxsnt40.exe
    H:\Program Files\QUICKENW\QAGENT.EXE
    C:\Program Files\Java\jre6\bin\jusched.exe
    D:\Program Files\Adobe Pro 6\Distillr\acrotray.exe
    G:\Program Files\PGP Corporation\PGP for Windows 2000\PGPtray.exe
    C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
    C:\WINNT\system32\mrtMngr.EXE
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
    C:\WINNT\Welcome.exe
    C:\WINNT\TEMP\337184272.exe
    C:\WINNT\TEMP\402809272.exe
    C:\WINNT\dhcp\svchost.exe
    C:\WINNT\system32\3361\SVCHOST.exe
    C:\WINNT\system32\taskmgr.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
    N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.com/bookmark/7_2/home.html"); (C:\Documents and Settings\ADMINISTRATOR\Application Data\Mozilla\Profiles\default\4qfm61yd.slt\prefs.js)
    N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\ADMINISTRATOR\Application Data\Mozilla\Profiles\default\4qfm61yd.slt\prefs.js)
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - D:\Program Files\Adobe Pro 6\Acrobat\AcroIEFavClient.dll
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [zzzHPSETUP] I:\Setup.exe
    O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\system32\hkcmd.exe
    O4 - HKLM\..\Run: [WinFaxAppPortStarter] wfxsnt40.exe
    O4 - HKLM\..\Run: [QAGENT] H:\Program Files\QUICKENW\QAGENT.EXE
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
    O4 - HKLM\..\RunOnce: [svchost.exe] "C:\WINNT\system32\3361\SVCHOST.exe"
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKUS\.DEFAULT\..\Run: [] C:\WINNT\TEMP\vyhoz8l3.exe (User 'Default user')
    O4 - HKUS\.DEFAULT\..\Run: [Windows Resurections] C:\WINNT\TEMP\vyhoz8l3.exe (User 'Default user')
    O4 - HKUS\.DEFAULT\..\Run: [Diagnostic Manager] C:\WINNT\TEMP\402809272.exe (User 'Default user')
    O4 - Global Startup: Acrobat Assistant.lnk = D:\Program Files\Adobe Pro 6\Distillr\acrotray.exe
    O4 - Global Startup: Controller.LNK = C:\Program Files\Symantec\WinFax\WFXCTL32.EXE
    O4 - Global Startup: PGPtray.lnk = G:\Program Files\PGP Corporation\PGP for Windows 2000\PGPtray.exe
    O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
    O4 - Global Startup: hpoddt01.exe.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
    O4 - Global Startup: hp psc 1000 series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
    O8 - Extra context menu item: &Search - ?p=ZKxdm021YYCA
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O10 - Unknown file in Winsock LSP: c:\winnt\system32\nwprovau.dll
    O12 - Plugin for .php: C:\Program Files\Netscape\Netscape Browser\PLUGINS\npTrident.dll
    O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary...r.cab31267.cab
    O16 - DPF: {27527D31-447B-11D5-A46E-0001023B4289} (CoGSManager Class) - http://gamingzone.ubisoft.com/dev/pa.../GSManager.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1217109214875
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
    O18 - Protocol: intu-qt2007 - {026BF40D-BA05-467B-9F1F-AD0D7A3F5F11} - C:\Program Files\QuickTax 2007\ic2007pp.dll
    O18 - Protocol: intu-qt2008 - {05E53CE9-66C8-4A9E-A99F-FDB7A8E7B596} - C:\Program Files\QuickTax 2008\ic2008pp.dll
    O22 - SharedTaskScheduler: jso8joigm409gopgmrlgd - {B2BA40A2-74F0-42BD-F434-12345A2C8953} - C:\WINNT\system32\jksahfo93wjfkd.dll
    O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    O23 - Service: Dhcp server (DhcpSrv) - Unknown owner - C:\WINNT\dhcp\svchost.exe
    O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINNT\system32\LEXBCES.EXE
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
    O23 - Service: PGPsdkService (PGPsdkServ) - PGP Corporation - C:\WINNT\system32\PGPsdkServ.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\HPZipm12.exe
    O23 - Service: PPPoE Service (PPPoEService) - Unknown owner - C:\PROGRA~1\MTS\ENTERN~1\app\pppoeservice.exe
    O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
    O23 - Service: WinFax PRO (wfxsvc) - Symantec Corporation - C:\WINNT\system32\WFXSVC.EXE

    --
    End of file - 7449 bytes
    -----------
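The log above contains several of the classic indicators a helper looks for first: executables running out of C:\WINNT\TEMP, copies of svchost.exe sitting outside System32 (C:\WINNT\dhcp and C:\WINNT\system32\3361), a Run value with an empty name, and a SharedTaskScheduler entry with a random-looking name. The script below is an added example, not part of the thread and not code from HijackThis, SDFix or ComboFix; it parses HijackThis-style lines and flags those indicators. The sample lines are copied from the log above. The "legitimate svchost.exe lives at <drive>:\<windir>\System32" shape check and the "random-looking O22 name" rule are assumptions used as heuristics, not rules from the tool.

```python
"""Triage helper for HijackThis-style logs (added example, not HijackThis code)."""
import re

# Constructed sample: lines copied from the log posted in this thread.
SAMPLE_LOG = r"""
Running processes:
C:\WINNT\System32\svchost.exe
C:\WINNT\TEMP\vyhoz8l3.exe
C:\WINNT\dhcp\svchost.exe
C:\WINNT\system32\3361\SVCHOST.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\RunOnce: [svchost.exe] "C:\WINNT\system32\3361\SVCHOST.exe"
O4 - HKUS\.DEFAULT\..\Run: [] C:\WINNT\TEMP\vyhoz8l3.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [Windows Resurections] C:\WINNT\TEMP\vyhoz8l3.exe (User 'Default user')
O22 - SharedTaskScheduler: jso8joigm409gopgmrlgd - {B2BA40A2-74F0-42BD-F434-12345A2C8953} - C:\WINNT\system32\jksahfo93wjfkd.dll
O23 - Service: Dhcp server (DhcpSrv) - Unknown owner - C:\WINNT\dhcp\svchost.exe
O23 - Service: WinFax PRO (wfxsvc) - Symantec Corporation - C:\WINNT\system32\WFXSVC.EXE
"""

# First Windows path on a line that ends in .exe or .dll (quoted paths allowed).
PATH_RE = re.compile(r'([A-Za-z]:\\[^"]*?\.(?:exe|dll))', re.IGNORECASE)
# Display name of an O22 SharedTaskScheduler entry, up to the CLSID.
O22_NAME_RE = re.compile(r'^O22 - SharedTaskScheduler: (.+?) - \{')


def extract_path(line):
    """Return the first executable/DLL path found on the line, or None."""
    m = PATH_RE.search(line)
    return m.group(1) if m else None


def is_temp_path(path):
    """Executables launched from a TEMP directory are rarely legitimate autoruns."""
    return '\\temp\\' in path.lower()


def is_svchost_outside_system32(path):
    """True if the file is named svchost.exe but does not sit in <drive>:\\<windir>\\System32.

    Assumption: the real one is exactly four path components deep with 'system32'
    as the third (e.g. C:\\WINNT\\System32\\svchost.exe). A production tool would
    compare against %SystemRoot% instead of this shape heuristic.
    """
    parts = path.split('\\')
    if parts[-1].lower() != 'svchost.exe':
        return False
    return not (len(parts) == 4 and parts[2].lower() == 'system32')


def looks_random(name):
    """Heuristic (assumption): a single token mixing letters and digits, no spaces."""
    return ' ' not in name and any(c.isdigit() for c in name) and any(c.isalpha() for c in name)


def triage(log_text):
    """Return a list of (reason, path_or_name) findings for the log text."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line or line.endswith(':'):
            continue  # blank lines and section headers such as "Running processes:"
        m = O22_NAME_RE.match(line)
        if m and looks_random(m.group(1)):
            findings.append(('SharedTaskScheduler with random-looking name', m.group(1)))
        path = extract_path(line)
        if path is None:
            continue
        if is_temp_path(path):
            findings.append(('executable in TEMP', path))
        if is_svchost_outside_system32(path):
            findings.append(('svchost.exe outside System32', path))
        if line.startswith('O4 - ') and '[] ' in line:
            findings.append(('autorun with empty value name', path))
    return findings


if __name__ == '__main__':
    for reason, item in triage(SAMPLE_LOG):
        print(f'{reason:45s} {item}')
```

Run against the sample it reports nine findings: three TEMP executables, four svchost.exe copies outside System32 (the dhcp and 3361 copies appear both as processes and as autorun/service entries), one empty-name Run value and the random-named O22 entry; a cleaner would expect these to be gone from the post-SDFix log.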

  2. #2
    Security Expert-Emeritus
    Join Date
    Oct 2006
    Location
    Manchester UK
    Posts
    3,425


    Please note that all instructions given are customised for this computer only,
    the tools used may cause damage if used on a computer with different infections.

    If you think you have similar problems, please post a log in the HJT forum and wait for help.


    Hello and welcome to the forums

    My name is Katana and I will be helping you to remove any infection(s) that you may have.

    Please observe these rules while we work:
    1. Please Read All Instructions Carefully
    2. If you don't understand something, stop and ask! Don't keep going on.
    3. Please do not run any other tools or scans whilst I am helping you
    4. Failure to reply within 5 days will result in the topic being closed.
    5. Please continue to respond until I give you the "All Clear"
      (Just because you can't see a problem doesn't mean it isn't there)

    If you can do those few things, everything should go smoothly

    Please Note, your security programs may give warnings for some of the tools I will ask you to use.
    Be assured, any links I give are safe

    ----------------------------------------------------------------------------------------
    Quote Originally Posted by Bithpq View Post
    This virus spead to two other computers but only this one is online.
    Are the other computers also W2K machines ?

    This machine appears to be quite heavily infected, so the cleaning process may take a few runs.


    Download and Run SD Fix

    Please download SDFix (by andymanchesta) and save it to your Desktop.

    Double click SDFix.exe and it will extract the files to %systemdrive%
    (Drive that contains the Windows Directory, typically C:\SDFix)

    Please then reboot your computer in Safe Mode by doing the following :
    • Restart your computer
    • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
    • Instead of Windows loading as normal, the Advanced Options Menu should appear;
    • Select the first option, to run Windows in Safe Mode, then press Enter.
    • Choose your usual account.
    • Open the extracted SDFix folder and double click RunThis.bat to start the script.
    • Type Y to begin the cleanup process.
    • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
    • Press any Key and it will restart the PC.
    • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
    • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
      (Report.txt will also be copied to Clipboard ready for posting back on the forum).
    • Finally paste the contents of the Report.txt back on the forum with a new HijackThis log




    Download and Run ComboFix (by sUBs)
    Please visit this webpage for instructions for downloading and running ComboFix:

    Bleeping Computer ComboFix Tutorial

    • You must download it to and run it from your Desktop
    • Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
    • Double click combofix.exe & follow the prompts.
    • When finished, it will produce a log. Please save that log to post in your next reply
    • Re-enable all the programs that were disabled during the running of ComboFix.



    A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own.
    This tool is not a toy and not for everyday use.
    ComboFix SHOULD NOT be used unless requested by a forum helper
    Microsoft MVP Consumer Security 2009 -2010
    If we have helped, please consider a donation
    THESE INSTRUCTIONS ARE FOR THIS USER ONLY

  3. #3
    Member Bithpq
    Join Date
    Dec 2008
    Location
    127.0.0.1
    Posts
    74


    Quote Originally Posted by katana View Post
    Please do not run any other tools or scans whilst I am helping you
    My computer got so slow and I needed to print out some documents, so I cleaned it up as much as I could using SpyBot and Malwarebytes Anti-Malware. They both say it is clean, so I am not using my internet on that computer because I know it will get infected if I do.

    Quote Originally Posted by katana View Post
    Are the other computers also W2K machines ?
    No, they are both XP, one SP3 and the other SP2 (SP2 is extremely slow at login, about 5 min before the user desktop image shows). I cleaned them both but I have a feeling they will both get infected when they connect to the internet.

    I won't be able to give you a fresh HJT log till tomorrow.

    I can get the log and post it on the infected computer, but I'll have to clean it again.

  4. #4
    Security Expert-Emeritus
    Join Date
    Oct 2006
    Location
    Manchester UK
    Posts
    3,425


    Do you have a Router?
    If so, it's possible that the router has been altered to send you to the infected sites.

    Reset your Router

    Make sure you have any information you need for reconnection before you continue ( You may need settings from your Internet Service Provider)

    You need to reset your router to its factory default settings.
    Whilst your router is switched on, press the reset button (It may be a small hole that requires a pin)
    When the router has finished its reset, the first thing you need to do is set the password protection on it.
    (This will help prevent this problem happening again.)

    Please post the SDFix and Combofix logs rather than a fresh HJT log.

  5. #5
    Member Bithpq
    Join Date
    Dec 2008
    Location
    127.0.0.1
    Posts
    74


    Quote Originally Posted by katana View Post
    Do you have a Router ?
    if so, it's possible that the router has been altered to send you to the infected sites.
    I have dial-up. All I have to do is connect to the internet without opening a browser and the viruses just come in.
    Quote Originally Posted by katana View Post
    Reset your Router
    Um, I don't think I have a router. All I know is that I hook up the phone line into the back of the computer. It might be a modem. I use a phone cable and not a LAN (Ethernet?) cable.
    Quote Originally Posted by katana View Post
    Please post the SDFix and Combofix logs rather than a fresh HJT log.
    Yesterday I got a fresh HJT log and it is a lot different than the one I gave you. So should I just do the SDFix and ComboFix scans anyway?

  6. #6
    Security Expert-Emeritus
    Join Date
    Oct 2006
    Location
    Manchester UK
    Posts
    3,425


    Quote Originally Posted by Bithpq View Post
    So should I just do the SDFix and Combofix scans anyway?
    Yes please

  7. #7
    Member of Team Spybot tashi
    Join Date
    Oct 2005
    Location
    USA
    Posts
    30,955


    Thank you katana.
    Microsoft MVP Reconnect 2018-
    Windows Insider MVP 2016-2018
    Microsoft Consumer Security MVP 2006-2016
