ComputerForum.com

Computer Restrictions After Virus Infection

#1, 03-11-2006, 07:47 PM, Sucrose (New Member, Join Date: Mar 2006, Posts: 6)

Recently I downloaded a trojan virus from ZimLabs.net (Note: If you decide to visit that website, do not download anything! All software offered on that website is infected and at the moment, undetected through scanners of all types.) The virus at first modified my clock settings to 24-Hour time and had about 8 ?'s after it. It looked like this: 21:34 ????????

After realizing I just downloaded something very unsafe, I did a full virus/spyware scan and noticed that the virus (W32/Generic!im) had attached itself to every executable file I ran after the virus was installed. The icons were changed to a black box and on the properties menu of every infected file said: Made by ZimLabs.net

Later on in the night, my brother notified me of very weird things happening such as the mouse buttons being reversed, passwords being changed, etc. I then decided I need to get this server off of my computer somehow. I started visiting search engines on how to remove it and all of a sudden he typed the following line in one of the search engines: Zim was here

After this I immediately shut down the computer, only to find out that he blocked access to EVERYTHING possible after I started it back up with the modem turned off. The 'Run...', 'Search...', Control Panel options are hidden from the Start menu now. There are 0 icons on the desktop. Every time I try to run a program or do anything, this error message is received: This operation has been canceled due to restrictions in effect on this computer. Please contact your system administrator.

I cannot run any scanners or anything GUI because of the limitations I have now. I know all of my files are still intact, I made sure within DOS. Are there any suggestions on how to fix this situation I'm in?



#2, 03-11-2006, 07:54 PM, Motoxrdude (Diamond Member, Nor Cal, Join Date: Nov 2005, Posts: 5,970)

Looks like you are going to have to reformat.
#3, 03-11-2006, 08:14 PM, Buzz1927 (Digaredd, Melbourne AU, Join Date: May 2005, Posts: 6,104)

Post a Hijackthis log.
Hijackthis Logs
#4, 03-11-2006, 08:15 PM, Sucrose (New Member, Join Date: Mar 2006, Posts: 6)

Reformatting is definitely not an option for me, unless there is a way I can backup some data in some specific directories because I am a seller on eBay with all of my 250+ customers' e-mail addresses all on one file. If I lose that, I lose my job. Is there such software that allows backup through DOS without having an extra hard drive or network connection? I have a wireless network and I'm sure DOS wouldn't support that.

I got to thinking, and I don't know if this will work or not but maybe if I install another OS on the same partition, on a different drive letter, would I be able to access the files on my other OS that had the infection?

Quote:
Originally Posted by Buzz1927
Post a Hijackthis log.
Hijackthis Logs
Um, how do you expect me to post a "Hijackthis log" when my computer will not execute anything? Please read before you give instructions.

#5, 03-11-2006, 08:26 PM, Buzz1927 (Digaredd, Melbourne AU, Join Date: May 2005, Posts: 6,104)

Is it the same in safe mode?
#6, 03-11-2006, 08:34 PM, Sucrose (New Member, Join Date: Mar 2006, Posts: 6)

Yes, it is the same.
#7, 03-11-2006, 08:36 PM, Buzz1927 (Digaredd, Melbourne AU, Join Date: May 2005, Posts: 6,104)

What exactly did you download from that site? I'll download it and see what I can do.
#8, 03-11-2006, 08:43 PM, Sucrose (New Member, Join Date: Mar 2006, Posts: 6)

This is the file I downloaded: http://www.zimlabs.net/Zelda%20Onlin...nt%2011456.zip

I just started the computer in Safe Mode, and surprisingly I am able to access programs and the Windows Explorer by opening the Recycle Bin first. Can Windows burn CDs while in safe mode? I need to back my stuff up.
#9, 03-11-2006, 08:46 PM, Buzz1927 (Digaredd, Melbourne AU, Join Date: May 2005, Posts: 6,104)

You might not need to back anything up. Boot to safe mode with networking and download Hijackthis and post a log. I'll download that file and play around with it.
#10, 03-11-2006, 08:56 PM, Sucrose (New Member, Join Date: Mar 2006, Posts: 6)

Logfile of HijackThis v1.99.1
Scan saved at 1:57:18 PM, on 3/11/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Administrator\Desktop\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O2 - BHO: Ipswitch.WsftpBrowserHelper - {601ED020-FB6C-11D3-87D8-0050DA59922B} - C:\Program Files\WS_FTP Pro\wsbho2k0.dll
O2 - BHO: (no name) - {9AFD91F9-6B03-4D22-A1E1-67D224CB7AB1} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\PROGRA~1\AIM\\DeadAIM.ocm",ExportedCheckODLs
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [RegistryMechanic] C:\Program Files\Registry Mechanic\RegMech.exe /QS
O4 - HKLM\..\Run: [FRISK FP-Scheduler] C:\Program Files\FSI\F-Prot\F-Sched.exe STARTUP
O4 - HKLM\..\Run: [F-StopW] C:\Program Files\FSI\F-Prot\F-StopW.EXE
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra button: (no name) - {9819CC0E-9669-4D01-9CD7-2C66DA43AC6C} - (no file)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1136960925389
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1137092112125
O16 - DPF: {AE609930-A6EB-4A78-B7DA-B3200705FEBD} (Mophun Control) - http://www.mophun.com/codebase/mophun.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O18 - Protocol: talkto - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: F-Prot Antivirus Update Monitor - FRISK Software - C:\Program Files\FSI\F-Prot\fpavupdm.exe
O23 - Service: HXD Service 100 (HackerDefender100) - Unknown owner - C:\DOCUME~1\JON&BR~1\LOCALS~1\Temp\Rar$EX00.313\hxdef100.exe (file missing)
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
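A small triage script for logs in the HijackThis format posted above, added here as an example and not part of the original thread or of HijackThis itself. The sample lines are a condensed subset of the log in this post; the severity labels and the heuristics (policy restrictions, services with an unknown owner or a binary under a Temp directory, missing Winlogon Notify DLLs, orphaned BHOs) are my own assumptions about what a responder should read first.

```python
import re

# Constructed sample: a condensed subset of the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {9AFD91F9-6B03-4D22-A1E1-67D224CB7AB1} - (no file)
O4 - HKLM\..\Run: [F-StopW] C:\Program Files\FSI\F-Prot\F-StopW.EXE
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: HXD Service 100 (HackerDefender100) - Unknown owner - C:\DOCUME~1\JON&BR~1\LOCALS~1\Temp\Rar$EX00.313\hxdef100.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

# Every HijackThis entry line starts with a section code (R0, F1, O4, O23, ...) and " - ".
LINE_RE = re.compile(r"^(?P<code>[RFO]\d+) - (?P<body>.*)$")
# Binaries launched from a Temp directory are a common sign of something dropped, not installed.
TEMP_PATH_RE = re.compile(r"\\temp\\", re.IGNORECASE)


def parse_hjt(text):
    """Return a list of (section code, body) tuples, one per entry line; other lines are ignored."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append((m.group("code"), m.group("body")))
    return entries


def triage(text):
    """Return (severity, code, reason) findings in log order; severity values are this script's own."""
    findings = []
    for code, body in parse_hjt(text):
        lower = body.lower()
        if code == "O6":
            # O6 = Internet Explorer policy restrictions; review whenever a user reports policy lockouts.
            findings.append(("high", code, "policy restrictions present: " + body))
        elif code == "O23":
            # Services with no identified owner, or a binary under a Temp path, go to the top of the list.
            if "unknown owner" in lower or TEMP_PATH_RE.search(body):
                findings.append(("high", code, "service with unknown owner or Temp-dir binary: " + body))
        elif code == "O20" and "(file missing)" in lower:
            findings.append(("medium", code, "Winlogon Notify DLL missing: " + body))
        elif code == "O2" and "(no file)" in lower:
            findings.append(("low", code, "orphaned BHO entry: " + body))
    return findings


if __name__ == "__main__":
    for severity, code, reason in triage(SAMPLE_LOG):
        print(f"[{severity}] {code}: {reason}")
```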