Serious problem

[reigoskeiter]

I dont know but i suddenly got 100 trojan attacks, ithink it was an old virus.
I remember there was windows files moved to quarantine by ESET NOD32, then i restarted my computer and this happens.
http://www.freeimagehosting.net/qav56
And always ends up to this
http://www.freeimagehosting.net/k1lfq

 

[S.T.A.R.S.]

That was me.I wanted to steal all your credit card details and I made it and I am spending your money as I am writing this!MUHAHAHAHAHAHA!!!!!!!!

LoL I am just kidding

It appears that some of the Windows files were infected and the ESET NOD32 removed them in order to protect the system,but now that of course causes the problem with OS itself.
The best first thing you can do is to repair your OS using it's CD-ROM or DVD-ROM disk?

By looking at the fonts,I suppose the OS is Windows XP?If so,here is how the REPAIR menu looks like:

If it's Windows Vista or Windows 7 hen it looks like this:

After you do that,you might wanna run the CHECK DISK utility in the case there are some unreadable informations that are needed for things to work properly.Here is the syntax to run it in CMD:

chkdsk.exe C: /f /r /x /v

Replace "C:" with the drive letter you want to check.I would recommend you to check all of them you have.

In Windows XP it looks like this:

Cheers!

 

[reigoskeiter]

Yes thats why im running low on money
Hahaha.
Allright, so what i need to do is get a windows XP cd and just put it in the comp and it reinstall the OP?

 

[voyagerfan99]

Before doing anything with the XP CD, try selecting "Last Known Good Configuration" and see if that does it.

 

[ReMiXeDg]

Try booting from your last known good configuration, if this dose not help then you'll need to use your original XP cd and repair your OS. If then this dose not help out you'll need to then go and do a reinstallation of your operating system.

 

[reigoskeiter]

Nope, last known didint work.
So all i have to do is slip the Windows XP cd in and a reinstallation menu will appear?

 

[MyCattMaxx]

After you saved what you want to keep, put cd in drive.
Reboot with cd as first boot device then follow the instructions.

If it was me I would download KillDisk and wipe the entire drive first.
You will probably want the DOS version.
http://www.killdisk.com/

NOTE: Be sure you have a full install disk before using KillDisk.

 

[S.T.A.R.S.]

Yes thats why im running low on money
Hahaha.
Allright, so what i need to do is get a windows XP cd and just put it in the comp and it reinstall the OP?

Not REINSTALL.I meant REPAIR.
REINSTALL will delete all your data and I am pretty sure you don't wanna do that.You need to do the REPAIR.
If you are not 100% sure in what you are doing,ask rather than losing all your data.





Cheers!

 

[reigoskeiter]

Okay then.
I need to get a Windows XP cd then and put it in the comp then repair?

 

[reigoskeiter]

Wait, i got in the comp with safe mode with networking.
What should i do?

 

[Jon Boy]

If safe mode is working but when logging into your standard profile it isn't then it is most likely a Windows driver issue and I would still go down the repair option.

 

[S.T.A.R.S.]

How to repair Windows XP:

-Boot from the Windows XP CD-ROM disk...
-When the CD-ROM disk is completely loaded,you will get this:

PRESS THE ENTER BUTTON ON YOUR KEYBOARD...

-Then you will get this:

PRESS THE F8 BUTTON ON YOUR KEYBOARD...

-Then you will get this:

PRESS THE R BUTTON ON YOUR KEYBOARD...

-The repair process will start so let it finish.If something during the process is not clear enough to you,feel free to ask.


NOTE 1: Be sure that the Windows XP CD-ROM disk you get is the SAME version of Windows XP like the one you have on your computer!

NOTE 2: The Windows XP CD-ROM disk must have/contain the SAME service pack as the one you have installed on your Windows XP computer or NEWER version!



Cheers!

 

[reigoskeiter]

Omg!
It appears that my computer had a recovery built in the comp, so thats why i didint have no cd...hmmm..
Now funny thing is my friend got the safe mode with networking working, but then some kind of fake virus "protection" called internet security somehow got itself in the comp, saying i have alot of viruses and wasnt able to open anything, it said its a virus lol.
But on admin i ran eset nod, it did clean something im sure.
Now i recoverd the comp, it still has stuff on it, but im sure its not 100% clean, combofix detected some rootkits.
Any advice on what scans i should do?

 

[johnb35]

Did it say anything about the zero access rootkit? If so, you are better off doing a system restore back to a day before getting infected.

1.

Please download and run TDSSkiller

When the program opens, click on the start scan button.

TDSSKiller will now scan your computer for the TDSS infection. When the scan has finished it will display a result screen stating whether or not the infection was found on your computer. If it was found it will display a screen similar to the one below.

To remove the infection simply click on the Continue button and TDSSKiller will attempt to clean the infection.

When it has finished cleaning the infection you will see a report stating whether or not it was successful as shown below.

If the log says will be cured after reboot, please reboot the system by pressing the reboot now button.

After running there will be a log that will be located at the root of your c:\ drive labeled tdsskiller with a series of numbers after it. Please open the log and copy and paste it back here.


2.

Please download Malwarebytes' Anti-Malware from here or here and save it to your desktop.

• Double-click mbam-setup.exe and follow the prompts to install the program.
• At the end, be sure a checkmark is placed next to
  • Update Malwarebytes' Anti-Malware
  • and Launch Malwarebytes' Anti-Malware
• then click Finish.
• If an update is found, it will download and install the latest version. Please keep updating until it says you have the latest version.
• Once the program has loaded, select Perform quick scan, then click Scan.
• When the scan is complete, click OK, then Show Results to view the results.
• Be sure that everything is checked, and click Remove Selected.
• A log will be saved automatically which you can access by clicking on the Logs tab within Malwarebytes' Anti-Malware

If for some reason Malwarebytes will not install or run please download and run Rkill.scr, Rkill.exe, or Rkill.com. If you are still having issues running rkill then try downloading these renamed versions of the same program.

EXPLORER.EXE
IEXPLORE.EXE
USERINIT.EXE
WINLOGON.EXE

But DO NOT reboot the system and then try installing or running Malwarebytes. If Rkill (which is a black box) appears and then disappears right away or you get a message saying rkill is infected, keep trying to run rkill until it over powers the infection and temporarily kills it. Once a log appears on the screen, you can try running malwarebytes or downloading other programs.



Download the HijackThis installer from here.
Run the installer and choose Install, indicating that you accept the licence agreement. The installer will place a shortcut on your desktop and launch HijackThis.

Click Do a system scan and save a logfile

Most of what HijackThis lists will be harmless or even essential, don't fix anything yet.

When the hijackthis log appears in a notepad file, click on the edit menu, click select all, then click on the edit menu again and click on copy. Come back to your reply and right click on your mouse and click on paste.

Post the logfile that HijackThis produces along with the Malwarebytes Anti-Malware log

 

[reigoskeiter]

Oh!
Ill remember this next time!
But i got carried away and did my own thing.
I downloaded and ran Combofix, it found rootkits and afew viruses, removed them successfully.
Then downloaded maleware bytes and then that deleted 13 viruses, including that "internet security" one.
Then finally, installed ESET NOD32 and it found 2 viruses.
Anything else i might do?

 

[johnb35]

Just because you ran combofix, doesn't mean it removed everything. Can you post the logfile from it?

 

[reigoskeiter]

Malewarebytes:
Malwarebytes Anti-Malware (Prooviversioon) 1.60.1.1000
www.malwarebytes.org

Andmebaasi versioon: v2012.03.11.12

Windows XP Service Pack 2 x86 NTFS
Internet Explorer 6.0.2900.2180
Kasutaja :: PC256011462664 [limiteeritud]

Püsikaitse: Lubatud

11/03/2012 23:59:22
mbam-log-2012-03-11 (23-59-22).txt

Kontrolli tüüp: Täielik kontroll
Lubatud kontrollimise valikud: Mälu | Alglaadimine | Register | Failisüsteem | Heuristika/Ekstra | Heuristika/Shuriken | PUP | PUM
Väljalülitatud kontrollimise valikud: P2P
Kontrollitud objekte: 512013
Kulunud aeg: 3 tundi, 59 minutit, 37 sekundit

Tuvastatud mälu objekte: 0
(Pahavara ei tuvastatud)

Tuvastatud mälu mooduleid: 0
(Pahavara ei tuvastatud)

Tuvastatud registrivõtmeid: 0
(Pahavara ei tuvastatud)

Tuvastatud registri väärtusi: 0
(Pahavara ei tuvastatud)

Tuvastatud registriandmeid: 1
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced|StartMenuLogoff (PUM.Hijack.StartMenu) -> Halb: (1) Hea: (0) -> Paigutati karantiini ja parandati edukalt.

Tuvastatud kaustu: 0
(Pahavara ei tuvastatud)

Tuvastatud faile: 15
C:\Documents and Settings\Kasutaja\Application Data\Sun\Java\Deployment\cache\6.0\31\29e2c95f-42e371e9 (Trojan.FakeMS) -> Paigutati karantiini ja kustutati edukalt.
C:\Documents and Settings\Kasutaja\Application Data\Sun\Java\Deployment\cache\6.0\8\7b125688-160f2c0f (Trojan.FakeMS) -> Paigutati karantiini ja kustutati edukalt.
C:\Documents and Settings\Kasutaja\Local Settings\Application Data\20529a01\X (Rootkit.0Access) -> Paigutati karantiini ja kustutati edukalt.
C:\Documents and Settings\Kasutaja\Local Settings\Temp\jag10307.exe (Trojan.FakeMS) -> Paigutati karantiini ja kustutati edukalt.
C:\Documents and Settings\Kasutaja\Local Settings\Temp\13.tmp (Trojan.UMadBro) -> Paigutati karantiini ja kustutati edukalt.
C:\Documents and Settings\Kasutaja\Local Settings\Temp\fsa418200.exe (Trojan.FakeMS) -> Paigutati karantiini ja kustutati edukalt.
C:\Documents and Settings\Kasutaja\Local Settings\Temp\~!#11.tmp (Trojan.UMadBro) -> Paigutati karantiini ja kustutati edukalt.
C:\Documents and Settings\Kasutaja\My Documents\Downloads\ESET NOD32 Key Finder Uninstaller.exe (Trojan.Agent.CK) -> Paigutati karantiini ja kustutati edukalt.
C:\Documents and Settings\Kasutaja\Favorites\Antivirus Scan.url (Rogue.Link) -> Paigutati karantiini ja kustutati edukalt.
C:\Documents and Settings\Kasutaja\My Documents\My Music\My Music.url (Trojan.Zlob) -> Paigutati karantiini ja kustutati edukalt.
C:\Documents and Settings\Kasutaja\My Documents\My Pictures\My Pictures.url (Trojan.Zlob) -> Paigutati karantiini ja kustutati edukalt.
C:\Documents and Settings\Kasutaja\My Documents\My Videos\My Video.url (Trojan.Zlob) -> Paigutati karantiini ja kustutati edukalt.
C:\Documents and Settings\All Users\Start Menu\Antivirus Scan.url (Trojan.Zlob) -> Paigutati karantiini ja kustutati edukalt.
C:\Documents and Settings\All Users\Start Menu\Online Antispyware Test.url (Trojan.Zlob) -> Paigutati karantiini ja kustutati edukalt.
C:\Documents and Settings\Kasutaja\Local Settings\Temp\{E9C1E1AC-C9B2-4c85-94DE-9C1518918D02}.tlb (Rootkit.Zeroaccess) -> Paigutati karantiini ja kustutati edukalt.

(lõpp)
Combofix:
ComboFix 12-03-11.01 - Kasutaja 11/03/2012 23:36:04.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.44.1033.18.1022.731 [GMT 2:00]
Running from: c:\documents and settings\Kasutaja.PC256011462664\Desktop\ComboFix.exe
AV: Norton Internet Security 2006 *Enabled/Outdated* {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Internet Security 2006 *Enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
FW: Norton Internet Worm Protection *Disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}
.
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\isecurity.exe
c:\program files\Applications\myd.ico
c:\program files\Applications\mym.ico
c:\program files\Applications\myp.ico
c:\program files\Applications\myv.ico
c:\program files\Applications\ot.ico
c:\program files\Applications\ts.ico
C:\Thumbs.db
c:\windows\$NtUninstallKB17836$
c:\windows\$NtUninstallKB17836$\2726800942
c:\windows\$NtUninstallKB17836$\542284289\@
c:\windows\$NtUninstallKB17836$\542284289\L\trbssmgb
c:\windows\$NtUninstallKB17836$\542284289\loader.tlb
c:\windows\$NtUninstallKB17836$\542284289\U\@00000001
c:\windows\$NtUninstallKB17836$\542284289\U\@000000c0
c:\windows\$NtUninstallKB17836$\542284289\U\@000000cb
c:\windows\$NtUninstallKB17836$\542284289\U\@000000cf
c:\windows\$NtUninstallKB17836$\542284289\U\@80000000
c:\windows\$NtUninstallKB17836$\542284289\U\@800000c0
c:\windows\$NtUninstallKB17836$\542284289\U\@800000cb
c:\windows\$NtUninstallKB17836$\542284289\U\@800000cf
c:\windows\assembly\GAC_MSIL\desktop.ini
D:\Autorun.inf
.
.
((((((((((((((((((((((((( Files Created from 2012-02-11 to 2012-03-11 )))))))))))))))))))))))))))))))
.
.
2012-03-11 19:52 . 2012-03-11 19:52 -------- d-----w- c:\documents and settings\Kasutaja.PC256011462664
2012-03-11 19:46 . 2001-08-17 13:48 12160 ----a-w- c:\windows\system32\drivers\mouhid.sys
2012-03-11 19:46 . 2001-08-17 14:02 9600 ----a-w- c:\windows\system32\drivers\hidusb.sys
2012-03-11 19:20 . 2012-03-11 19:20 -------- d-----w- c:\windows\system32\LogFiles
2012-02-27 17:11 . 2012-02-27 17:11 -------- d-----w- c:\program files\Common Files\Skype
2012-02-21 21:50 . 2012-02-21 21:50 -------- d-----w- c:\program files\Common Files\Microsoft Games
2012-02-18 23:53 . 2012-02-18 23:53 -------- d-----w- c:\documents and settings\All Users\Application Data\Age of Empires 3
2012-02-18 23:11 . 2012-02-18 23:11 -------- d-----w- c:\program files\Microsoft Games
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-02-20 21:15 . 2011-12-26 14:51 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-06 64512]
"hpWirelessAssistant"="c:\program files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2006-05-04 458752]
"SunJavaUpdateSched"="c:\program files\Java\jre1.5.0_06\bin\jusched.exe" [2005-11-11 36975]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-07-20 7581696]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-07-20 86016]
"nwiz"="nwiz.exe" [2006-07-20 1519616]
"MsmqIntCert"="mqrt.dll" [2006-03-16 177152]
"High Definition Audio Property Page Shortcut"="CHDAudPropShortcut.exe" [2006-06-02 61952]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2005-09-17 52848]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-06-17 794713]
"QPService"="c:\program files\HP\QuickPlay\QPService.exe" [2006-07-19 102400]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2005-02-16 49152]
"QlbCtrl"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2006-06-19 163840]
"Cpqset"="c:\program files\Hewlett-Packard\Default Settings\cpqset.exe" [2006-06-19 40960]
"RecGuard"="c:\windows\SMINST\RecGuard.exe" [2005-10-11 1187840]
"Reminder"="c:\windows\CREATOR\Remind_XP.exe" [2006-02-09 643072]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2006-03-16 15360]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
HP Pavilion Webcam Tray Icon.lnk - c:\program files\Hewlett-Packard\HP Pavilion Webcam\HPWebcam.exe [2008-10-1 102400]
HP Photosmart Premier Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2005-9-24 73728]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\mqsvc.exe"=
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - COMHOST
.
Contents of the 'Scheduled Tasks' folder
.
2012-02-22 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 14:57]
.
2012-03-11 c:\windows\Tasks\GlaryInitialize.job
- c:\program files\Glary Utilities\initialize.exe [2012-02-08 17:33]
.
2012-03-11 c:\windows\Tasks\Norton AntiVirus - Run Full System Scan - Kasutaja.job
- c:\progra~1\NORTON~1\NORTON~1\Navw32.exe [2005-10-07 10:13]
.
2012-03-11 c:\windows\Tasks\Symantec NetDetect.job
- c:\program files\Symantec\LiveUpdate\NDETECT.EXE [2006-09-14 13:21]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.hp.com
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-03-11 23:49
Windows 5.1.2600 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = c:\program files\Hewlett-Packard\Default Settings\cpqset.exe????????????L?@? ???8U??????`?@?????L?@
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(832)
c:\windows\system32\msi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Symantec Shared\ccSetMgr.exe
c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\program files\Common Files\Symantec Shared\ccProxy.exe
c:\program files\Common Files\Symantec Shared\SNDSrvc.exe
c:\program files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
c:\program files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
c:\windows\system32\msdtc.exe
c:\windows\eHome\ehRecvr.exe
c:\windows\eHome\ehSched.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
c:\program files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
c:\windows\system32\nvsvc32.exe
c:\windows\system32\mqsvc.exe
c:\windows\ehome\mcrdsvc.exe
c:\program files\Hewlett-Packard\Shared\hpqwmiex.exe
c:\windows\system32\mqtgsvc.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\dllhost.exe
c:\windows\eHome\ehmsas.exe
c:\windows\system32\RUNDLL32.EXE
c:\program files\HP\Digital Imaging\bin\hpqimzone.exe
c:\program files\Messenger\msmsgs.exe
.
**************************************************************************
.
Completion time: 2012-03-11 23:55:24 - machine was rebooted
ComboFix-quarantined-files.txt 2012-03-11 21:55
.
Pre-Run: 12,589,936,640 bytes free
Post-Run: 12,557,193,216 bytes free
.
- - End Of File - - AA2945C8370C5F1A34AC1E8DEAC6DA94

 

[johnb35]

Do yourself a favor and uninstall norton antivirus as the version you have is from 2006 and its outdated. Download and run their removal tool.

ftp://ftp.symantec.com/public/english_us_canada/removal_tools/Norton_Removal_Tool.exe

Then install Avast free version. If you already have Eset paid version installed then don't do avast. You can't have 2 antivirus programs installed at the same time.

 

[reigoskeiter]

Allright, removed Norton and i have ESET instead.
I noticed this odd thing when i wanted to install windows live messenger.
http://i44.tinypic.com/6579na.jpg
http://tinypic.com/r/2ngtpv7/5
Previously i had some kind of my computer icon in Local Disc named GHAS237HZW2 or something like that, now i dont cause its been removed.

 

[reigoskeiter]

Installed FBM10.
Got this:
http://tinypic.com/r/2nk2jqc/5