Virus help needed

  • 28-11-2006 7:02am
    #1
    Closed Accounts Posts: 164 ✭✭


    I'm in serious trouble with some malware.
    I don't know exactly what it is and any help would be appreciated.
    I'm running WinXP SP2.
    CTRL_ALT_DEL has been disabled so I cannot see/stop the process.
    Windows firewall has been turned off. I tried to turn it back on but I'm not sure it is active
    I have run AVG, Adaware, Spybot and downloaded and run stinger260.
    All except stg260 found and healed/deleted some files.
    A task bar has appeared on the side of my desktop which I can't get rid of. It looks like a normal task bar in a normal folder except it shouldn't be there. There is a red circle with a white X on my toolbar which keeps giving me warnings, but I suspect this loads up Brave Sentry which tests for viruses and finds about 39 Trojans (Download VX and variants) but doesn't fix anything. It just tries to force me to buy it.
    On the whole the system is running really slow.
    The only thing I can remember doing out of the ordinary in the last few days is accepting an "Upgrade Java Prompt". I think I was on dumpalink.com at the time. Probably dumb, probably the cause of everything.
    I have to book some flights and I am afraid to enter CC details with my PC in this state.
    Anyway you can poke fun at my stupidity later if you must, in the meantime please help as this is my business computer and I'm borked without it. Many Thanks.


Comments

  • Registered Users, Registered Users 2 Posts: 254 ✭✭Baraboo


    Looks like the first thing you should do is try HijackThis.

    There are forums where you can load the result and get a diagnosis.

    http://www.spywareinfo.com/~merijn/programs.php will give you a lot more information.


  • Closed Accounts Posts: 209 ✭✭DublinEvents


    Critical system files might have been over-written by the malware. I suppose installing a new copy of Windows XP on another partition might be the quickest way of getting rid of this menace and booking your flights. Or download a bootable Linux CD and use the internet browser in that to book your flights.


  • Closed Accounts Posts: 164 ✭✭Just My View


    Logfile of HijackThis v1.99.1
    Scan saved at 20:31:45, on 28/11/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\WINDOWS\system32\VTTimer.exe
    C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
    C:\WINDOWS\SM1BG.EXE
    C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe
    C:\Program Files\Wanadoo\taskbaricon.exe
    C:\PROGRA~1\Wanadoo\CnxMon.exe
    C:\Program Files\VIA\RAID\raid_tool.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\nordsys.exe
    C:\Program Files\Skype\Phone\Skype.exe
    C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
    C:\WINDOWS\system32\CTsvcCDA.EXE
    C:\WINDOWS\system32\taskdir.exe
    C:\Program Files\Spyware Doctor\swdoctor.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
    C:\PROGRA~1\Ontrack\Fix-It\mxtask.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
    C:\Program Files\Hercules\WiFi Station\WifiStation.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\Program Files\Spyware Doctor\sdhelp.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\wdfmgr.exe
    C:\WINDOWS\system32\HPZipm12.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
    C:\Documents and Settings\Chris\Desktop\AV Files\Hijack This\HijackThis.exe
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ie/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Wanadoo
    R3 - URLSearchHook: Search Class - {08C06D61-F1F3-4799-86F8-BE1A89362C85} - C:\PROGRA~1\Wanadoo\SEARCH~1.DLL
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
    O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
    O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] "rundll32.exe" bthprops.cpl,,BluetoothAuthenticationAgent
    O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
    O4 - HKLM\..\Run: [SM1BG] C:\WINDOWS\SM1BG.EXE
    O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe"
    O4 - HKLM\..\Run: [WOOWATCH] C:\PROGRA~1\Wanadoo\Watch.exe
    O4 - HKLM\..\Run: [WOOTASKBARICON] "C:\Program Files\Wanadoo\taskbaricon.exe"
    O4 - HKLM\..\Run: [WooCnxMon] C:\PROGRA~1\Wanadoo\CnxMon.exe
    O4 - HKLM\..\Run: [RaidTool] "C:\Program Files\VIA\RAID\raid_tool.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [Fix-It AV] C:\PROGRA~1\Ontrack\Fix-It\MemCheck.exe
    O4 - HKLM\..\Run: [AudioDeck] C:\Program Files\VIAudioi\SBADeck\ADeck.exe 1
    O4 - HKLM\..\Run: [Nord] C:\WINDOWS\system32\nordsys.exe
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
    O4 - HKCU\..\Run: [Creative Detector] C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe /R
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [Nord] C:\WINDOWS\system32\nordsys.exe
    O4 - HKCU\..\Run: [taskdir] C:\WINDOWS\system32\taskdir.exe
    O4 - HKCU\..\Run: [BraveSentry] C:\Program Files\BraveSentry\BraveSentry.exe
    O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
    O4 - HKCU\..\RunServicesOnce: [washindex] C:\Program Files\Washer\washidx.exe
    O4 - Global Startup: hp psc 1000 series.lnk = ?
    O4 - Global Startup: hpoddt01.exe.lnk = ?
    O4 - Global Startup: WiFi Station.lnk = ?
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: Messenger - -{FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - -{FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
    O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
    O9 - Extra button: Wanadoo - {1462651F-F4BA-4C76-A001-C4284D0FE16E} - http://www.wanadoo.fr (file missing) (HKCU)
    O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
    O23 - Service: Fix-It Task Manager - Ontrack Data International - C:\PROGRA~1\Ontrack\Fix-It\mxtask.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe

    CWShredder is warning of CWS.Smartsearch.2
    Sorry to sound abrupt I can only open this log for a few seconds before it closes itself. So I am having trouble getting to the site.
    Browser very slow and falling over. Any Ideas?


  • Closed Accounts Posts: 36,634 ✭✭✭✭Ruu_Old


    C:\WINDOWS\system32\taskdir.exe looks to be a trojan, linkeh has some removal instructions. That's the first one that jumped out at me. It is also in the Run section, so it loads at Startup also. Go into Safe Mode, open msconfig.exe in the Run box, go to the Startup tab and remove the entry.


  • Closed Accounts Posts: 164 ✭✭Just My View


    Thanks Ruu, the reference is there but the file can't be found.
    I'm running the evaluation copy of Spyware Doctor. It's finding 101 infections but won't do anything until I register.
    Is it worth the €29.95 fee?
    Will I be OK using my credit card online to pay for it before I get out of this mess?


  • Closed Accounts Posts: 36,634 ✭✭✭✭Ruu_Old


    I would advise picking up a copy of Ewido Security suite (now AVG anti-spyware) here first and see if you get anywhere. I find it excellent and use it where Spybot-Search and Destroy, Ad-aware fails me (not often). Even when the trial runs out, you can still use it and a few of the features are just disabled. Programs that ask for moneh to fix problems scare me.:)


  • Closed Accounts Posts: 164 ✭✭Just My View


    SitRep.

    First off, thanks for the help. I was really worried. I was afraid to take a backup, to ext hdd, in case it buggered up my other backups.

    The malware was turning off AVG Anti Virus and AV Spyware and blocking access to any site including HijackThis. I used safe mode and downloaded HijackThis and got a log file that way. I then used my laptop to check every entry one at a time and got rid of a few dodgy progs. I downloaded BitDefender and that seems to have done the trick.

    However there are two outstanding items which are worrying. I still cannot use Ctrl-Alt-Del nor can I change my desktop background, not terribly important in itself but the reason why is worrying. Can I change anything as Admin to fix this? I suspect it is just something disabled by the virus to protect itself.


  • Closed Accounts Posts: 164 ✭✭Just My View


    Last post on this I hope, BitDefender and AVG got infected.
    Nordsys.exe and Taskdir.exe seemed to be the culprits. They seem to have the ability to shut down some AV progs at will, turn off the firewall and disable Ctrl-Alt-Del.

    This site gave me the ability to Ctrl-Alt-Del and stop the rogue processes.
    http://www.kellys-korner-xp.com/xp_tweaks.htm
    Then delete the directories, not uninstall the progs, for AVG and BitDefender. Downloaded new AVG, main process has a different name so it is not stopped by the virus, and ran it. This cleaned some but not all. Downloaded Cyber Defender and it did the rest. I have not reloaded BitDefender as I'm not too confident in it. I hope this helps some other poster. Again thanks to those who helped.


  • Moderators, Category Moderators, Science, Health & Environment Moderators, Society & Culture Moderators Posts: 47,537 CMod ✭✭✭✭Black Swan


    > Thanks Ruu, the reference is there but the file can't be found.
    > I'm running the evaluation copy of Spyware Doctor. It's finding 101 infections but won't do anything until I register.
    > Is it worth the €29.95 fee?
    > Will I be OK using my credit card online to pay for it before I get out of this mess?
    I found Spyware Doctor to be bad news! It runs a proxy that can suck up your CPU.

    There are several free antispyware/adware/malware programmes out there you may want to consider. Ad-Aware SE Personal is free from Lavasoft and does not tax your CPU. Spyware Blaster is free, does not suck up CPU, and blocks a lot of malware from installing on your machine (and is compatible with Ad-Aware SE Personal).


  • Closed Accounts Posts: 114 ✭✭Zoned


    You have been infected with Bravesentry.

    O4 - HKCU\..\Run: [BraveSentry] C:\Program Files\BraveSentry\BraveSentry.exe
    BraveSentry is a rogue anti-spyware program that hijacks the web browser and it is known to issue fake warnings on your computer in order to manipulate you into buying its full commercial version. It can also be installed from the BraveSentry website and has been forced onto the computer without a EULA and without the user's knowledge of installation. It does not actually detect parasites, but targets harmless system and software objects as threats in an attempt to trick the user into purchasing the full version of Brave Sentry. BraveSentry is related to SpySheriff and Spware-no.

    The removal instructions are here: http://www.spywareremove.com/removeBraveSentry.html

    regards

    Zoned
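A defender-side triage helper for the O4 autostart entries in a HijackThis log like the one posted earlier in this thread, as an added example that is not part of the thread or of HijackThis itself: it parses the Run-key lines and flags the two patterns the thread turned up (the same image registered under both HKLM and HKCU, as nordsys.exe was, and an unknown executable autostarting straight from system32, as taskdir.exe was). The sample lines are shortened copies of the posted log and the system32 allowlist is a constructed, illustrative one.

```python
import re
from collections import defaultdict

# Constructed sample in the style of the HijackThis 1.99 log posted above
# (the entries are shortened copies of lines from that log).
SAMPLE_LOG = """\
O4 - HKLM\\..\\Run: [AVG7_CC] C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP
O4 - HKLM\\..\\Run: [Nord] C:\\WINDOWS\\system32\\nordsys.exe
O4 - HKCU\\..\\Run: [CTFMON.EXE] C:\\WINDOWS\\system32\\ctfmon.exe
O4 - HKCU\\..\\Run: [Nord] C:\\WINDOWS\\system32\\nordsys.exe
O4 - HKCU\\..\\Run: [taskdir] C:\\WINDOWS\\system32\\taskdir.exe
O4 - HKCU\\..\\Run: [Skype] "C:\\Program Files\\Skype\\Phone\\Skype.exe" /nosplash /minimized
O4 - Global Startup: WiFi Station.lnk = ?
"""

# Illustrative allowlist of Windows binaries that legitimately autostart from
# system32 (hypothetical placeholder, not an authoritative list).
KNOWN_SYSTEM32 = {"ctfmon.exe"}

# O4 - <hive>\..\<key>: [<name>] <command line>
O4_RE = re.compile(r"^O4 - (HK\w+)\\\.\.\\(\w+): \[([^\]]+)\] (.*)$")


def parse_o4(log_text):
    """Return (hive, key, name, image_path) for each registry-based O4 line."""
    entries = []
    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        if not m:  # Global Startup shortcuts and non-O4 lines are skipped
            continue
        hive, key, name, cmd = m.groups()
        # The image path is the quoted token, or else the first unquoted token.
        path = cmd[1:cmd.index('"', 1)] if cmd.startswith('"') else cmd.split(" ")[0]
        entries.append((hive, key, name, path))
    return entries


def triage(entries):
    """Map lower-cased image path -> reasons it deserves a closer look."""
    hives = defaultdict(set)
    for hive, _key, _name, path in entries:
        hives[path.lower()].add(hive)
    flags = defaultdict(list)
    for path, seen in hives.items():
        directory, _, exe = path.rpartition("\\")
        if {"HKLM", "HKCU"} <= seen:
            flags[path].append("registered under both HKLM and HKCU")
        if directory.endswith("\\windows\\system32") and exe not in KNOWN_SYSTEM32:
            flags[path].append("unknown executable autostarting from system32")
    return dict(flags)


if __name__ == "__main__":
    for path, reasons in triage(parse_o4(SAMPLE_LOG)).items():
        print(path, "->", "; ".join(reasons))
```

Run against a full log the same way; the flags are leads for the manual entry-by-entry check described in the thread, not verdicts.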

