
Trojan/Virus disabled Tsk Mngr/Security Cntr/Folders & redirects search engine links

  • 02-08-2010 4:12pm
    #1
    Closed Accounts Posts: 1,409 ✭✭✭


    I contracted either a trojan or virus or worm yesterday from a website. It was one of these that gave me a fake Windows warning message saying I'd to download their anti-virus software. When I tried to close the tab I got another message, this time telling me to click "OK" to leave or "Cancel" to stay on the site. Whichever I clicked it was the wrong one as after that I got the fake Windows 98 screen in the tab saying it was "virus checking" or something. I also got a little warning icon on the Windows taskbar saying I had a trojan and to click this to get rid of it - I don't know if this was a legit Windows message or not.


    I quickly disconnected the wireless, panicked a bit and ran Spybot. Spybot found a few things, one of them that the Help and Security Centre had been disabled as well as the Task Manager. I also couldn't access My Computer or any folders. Whatever Spybot gave me in the search results I clicked "Fix Problem".

    There's some odd things going on so I know I'm still infected - tried running a Malwarebytes scan and after it finished and I clicked show results it crashed. I also tried using Microsoft Security Essentials but that isn't able to run. I had downloaded both of these after the infection but as I said, I am unable to run in Safe Mode with Networking.

    Each time I click on a link from a search engine I get redirected around to different sites I didn't click on - some of them are fake looking Anti-Virus spam sites.



    Any help is much appreciated.


Comments

  • Closed Accounts Posts: 1,409 ✭✭✭Butch Cassidy


    I tried running DDS to get the log files but I get a "An Unkown error occured. The program will be terminated."


    If it helps, here's the Hijack This log:


    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 16:15:37, on 02/08/2010
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16915)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\calc.exe
    C:\WINDOWS\system32\mstsc.exe
    C:\Program Files\Creative\Shared Files\CTDevSrv.exe
    C:\WINDOWS\eHome\ehRecvr.exe
    C:\WINDOWS\eHome\ehSched.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Viewpoint\Common\ViewpointService.exe
    C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
    C:\WINDOWS\system32\dllhost.exe
    C:\WINDOWS\Explorer.EXE
    c:\windows\ehome\ehtray.exe
    c:\program files\common files\java\java update\jusched.exe
    c:\windows\system32\hkcmd.exe
    c:\windows\system32\igfxpers.exe
    c:\progra~1\eraser\eraser.exe
    C:\WINDOWS\eHome\ehmsas.exe
    c:\program files\spybot - search & destroy\teatimer.exe
    c:\program files\windows live\messenger\msnmsgr.exe
    c:\windows\system32\ctfmon.exe
    c:\program files\synaptics\syntp\syntpenh.exe
    c:\program files\spybot - search & destroy\spybotsd.exe
    c:\program files\mozilla firefox\firefox.exe
    c:\windows\pchealth\helpctr\binaries\helpctr.exe
    C:\WINDOWS\PCHealth\HelpCtr\Binaries\HelpSvc.exe
    C:\WINDOWS\PCHealth\HelpCtr\Binaries\HelpHost.exe
    c:\windows\system32\ctfmon.exe
    c:\program files\google\googletoolbarnotifier\googletoolbarnotifier.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    c:\program files\trend micro\hijackthis\hijackthis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - c:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
    O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Internet Explorer Plugin - {AAE725F3-298B-4FEF-82EE-FAF909639409} - dgrosr7.dll (file missing)
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.5.5126.1836\swg.dll
    O2 - BHO: (no name) - {b0cda128-b425-4eef-a174-61a11ac5dbf8} - (no file)
    O2 - BHO: (no name) - {ba14329e-9550-4989-b3f2-9732e92d17cc} - (no file)
    O2 - BHO: (no name) - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - (no file)
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O3 - Toolbar: (no name) - {61539ecd-cc67-4437-a03c-9aaccbd14326} - (no file)
    O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
    O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
    O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] CHDAudPropShortcut.exe
    O4 - HKLM\..\Run: [SynTPStart] C:\Program Files\Synaptics\SynTP\SynTPStart.exe
    O4 - HKLM\..\Run: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [ODBCJET] C:\WINDOWS\system32\ODBCJET.exe
    O4 - HKLM\..\Run: [Google Quick Search Box] "C:\Program Files\Google\Quick Search Box\GoogleQuickSearchBox.exe" /autorun
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [Eraser] "C:\PROGRA~1\Eraser\Eraser.exe" --atRestart
    O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
    O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKCU\..\Run: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
    O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
    O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
    O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
    O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
    O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - c:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - c:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1209056789750
    O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
    O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    O23 - Service: asp.net (ASP.NET) - Unknown owner - C:\Program.exe (file missing)
    O23 - Service: BCWipe service (BCWipeSvc) - Unknown owner - C:\Program Files\Jetico\BCWipe\BCWipeSvc.exe (file missing)
    O23 - Service: CT Device Query service (CTDevice_Srv) - Creative Technology Ltd - C:\Program Files\Creative\Shared Files\CTDevSrv.exe
    O23 - Service: Creative Centrale Media Server (CTUPnPSv) - Creative Technology Ltd - C:\Program Files\Creative\Creative Centrale\CTUPnPSv.exe
    O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
    O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: KService - Kontiki Inc. - C:\Program Files\Kontiki\KService.exe
    O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
    O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

    --
    End of file - 9921 bytes

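    An added example, not part of this thread and not a Trend Micro tool: a small Python triage script for a HijackThis log like the one above. It only sorts entries into review buckets (orphaned COM entries with "(no file)", a BHO registered by bare filename with "(file missing)", Run keys that launch an executable without a full path, a service whose path reads `C:\Program.exe`, and images that appear twice in the process list); it does not decide that anything is malicious. The embedded log is a constructed excerpt of the posted log, and `TRUSTED_HOME_HOSTS` is an assumption taken from the R0/R1 targets on this page.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import urlparse

# Constructed excerpt: lines copied from the HijackThis log posted in this
# thread, trimmed so the script runs offline.
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:15:37, on 02/08/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Internet Explorer Plugin - {AAE725F3-298B-4FEF-82EE-FAF909639409} - dgrosr7.dll (file missing)
O3 - Toolbar: (no name) - {61539ecd-cc67-4437-a03c-9aaccbd14326} - (no file)
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] CHDAudPropShortcut.exe
O4 - HKLM\..\Run: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
O23 - Service: asp.net (ASP.NET) - Unknown owner - C:\Program.exe (file missing)
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
"""

ENTRY_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.+)$")
# Assumption: the hosts the R0/R1 lines on this page point to; adjust per environment.
TRUSTED_HOME_HOSTS = {"go.microsoft.com", "www.microsoft.com"}


def parse_entries(text):
    """Return (section, body) pairs for every R*/O* line in the log."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("section"), m.group("body")))
    return entries


def running_processes(text):
    """Return the paths listed under 'Running processes:' up to the first blank line."""
    procs, in_block = [], False
    for line in text.splitlines():
        s = line.strip()
        if s.lower() == "running processes:":
            in_block = True
        elif in_block:
            if not s:
                break
            procs.append(s)
    return procs


def duplicate_processes(text):
    """Image names that occur more than once (by basename, case-insensitive)."""
    counts = Counter(p.rsplit("\\", 1)[-1].lower() for p in running_processes(text))
    return {name: n for name, n in counts.items() if n > 1}


def triage(text):
    """Bucket entries into review categories; a hit means 'look at this', not 'malware'."""
    findings = defaultdict(list)
    for section, body in parse_entries(text):
        target = body.rsplit(" - ", 1)[-1]  # last field of O2/O3/O23 lines is the file
        if section in ("R0", "R1"):
            url = body.partition("=")[2].strip()  # empty for lines such as 'SearchAssistant ='
            host = urlparse(url).hostname
            if url and not url.startswith("about:") and host not in TRUSTED_HOME_HOSTS:
                findings["browser_home_or_search_changed"].append(body)
        elif section in ("O2", "O3"):
            if target == "(no file)":
                findings["orphaned_com_entry"].append(body)       # usually uninstall leftovers
            elif target.endswith("(file missing)") and "\\" not in target:
                findings["bare_filename_plugin"].append(body)     # DLL registered by name only
        elif section == "O4":
            cmd = body.split("] ", 1)[-1]                         # text after '[Name] '
            exe = cmd[1:].split('"', 1)[0] if cmd.startswith('"') else cmd.split(" ", 1)[0]
            if "\\" not in exe:
                findings["run_key_without_path"].append(body)     # resolved via search path
        elif section == "O23":
            if re.search(r"\\Program\.exe\b", target):
                findings["unquoted_service_path_artifact"].append(body)
            elif target.endswith("(file missing)"):
                findings["service_binary_missing"].append(body)
    return dict(findings)


if __name__ == "__main__":
    for bucket, items in triage(SAMPLE_LOG).items():
        print(bucket)
        for item in items:
            print("   ", item)
    print("duplicate processes:", duplicate_processes(SAMPLE_LOG))
```

    The buckets are deliberately neutral: "(no file)" entries are most often stale registrations, a Run key that names an executable without a directory is resolved through the search path and so deserves a look, and a service path of `C:\Program.exe` is the classic artifact of an unquoted path under `C:\Program Files`. Confirming any of them still means checking the file on disk and its publisher, which this script cannot do from the log alone.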

  • Closed Accounts Posts: 1,409 ✭✭✭Butch Cassidy


    The blue screen of death I get is:
    STOP: c000021a {FATAL SYSTEM ERROR}
    The Windows Logon Process system process terminated unexpectedly with
    a status of 0xc0000005 (0x00000000 0x00000000).
    The system has been shut down.


  • Closed Accounts Posts: 1,409 ✭✭✭Butch Cassidy


    Oh also, the trojan/virus thing reconfigured all my Windows displays to Windows 95 or something. It reverted back after the Spybot stuff I did and when I restarted with "Last known good configuration".


    I'm running SUPERAntiSpyware now but I've a worry that it'll crash as soon as the search is finished, but here's what it's found so far:

    SUPERAntiSpyware_scrngrb.jpg


  • Closed Accounts Posts: 1,409 ✭✭✭Butch Cassidy


    As expected, after SUPERAntiSpyware was finished and I clicked "Next" and it was removing the harmful stuff I then got a BSOD "STOP: c000021a {FATAL SYSTEM ERROR}" and I can't start up in either Safe Mode or Safe Mode with Networking. Only "Last known config that worked" is starting up.

    I'm also still getting redirected from search engine results.
    The first result from this Google search: http://www.google.ie/search?hl=&q=search+engine+results+redirected+&sourceid=navclient-ff&rlz=1B3GGGL_en-GBIE349IE349&ie=UTF-8 led me to: http://www.booking.com/city/fr/paris.html?aid=313788&label=562ace67. If I choose "cached" from Google search then I do get brought to the website, if that's of any relevance.

    Same thing is happening on Bing.

    So bottom line is: I can't start in Safe Mode as I get a BSOD, and when I use anti-spyware like SUPERAntiSpyware I still have this search engine redirect problem and I'm crashing with a BSOD.


  • Closed Accounts Posts: 386 ✭✭seensensee


    Yeah, weird stuff happens occasionally on my computer, usually the broadband drops first, then the diagnose program freezes, then various buttons freeze. At times I notice that some system preferences have been changed. No one has a clue what's going on when asked, the usual advice is erase and install the OS. Cures it every time.


  • Closed Accounts Posts: 1,409 ✭✭✭Butch Cassidy


    I can't do a full Windows reinstall as I don't have the discs, which is the long story short.

    The long story is it's a laptop that didn't come with discs and I was supposed to burn recovery discs and I never did, and the laptop died. Had it insured and when they sent it back nothing was installed and no OS, so PC World (where I bought it) installed Windows for me.


  • Site Banned Posts: 1,167 ✭✭✭ASJ112


    Download ComboFix here :

    Link 1
    Link 2


    * IMPORTANT !!! Save ComboFix.exe to your Desktop

    • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Here is a guide on how to disable them

      Click me

    • Double click on ComboFix.exe & follow the prompts.

    • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

    RcAuto1.gif


    Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

    whatnext.png


    Click on Yes, to continue scanning for malware.

    When finished, it shall produce a log for you. Please include the C:\ComboFix.txt log in your next reply.


  • Closed Accounts Posts: 1,409 ✭✭✭Butch Cassidy


    Cheers, but I get this message after I try to open the executable:
    "Windows cannot find '32788R22FWJFW\iexplore.exe'..."

    Then I click OK and another window gives me:
    "Windows cannot find '32788R22FWJFW\hidec.exe..."


    Basically everything in this post:



    http://forums.malwarebytes.org/index.php?showtopic=23645&view=findpost&p=121737
    When I attempt to run Combo-Fix, a box opens that says "Windows cannot find '32788R22FWJFW\iexplore.exe'..."

    When I click "ok", another pops up that says "Windows cannot find '32788R22FWJFW\hidec.exe..." which repeats several times and I also get "Windows cannot find '32788R22FWJFW\n.pif..." repeatedly and then there are about fifteen more pop ups referencing the same number with assorted other things after the backslash and then, after repeatedly clicking "ok", the program just closes.

    explorer.jpg


  • Site Banned Posts: 1,167 ✭✭✭ASJ112


    rename combofix to svchost.com and run it in safe mode

    works ?

    if not do this

    Please read carefully and follow these steps.
    • Download TDSSKiller and save it to your Desktop.
    • Extract its contents to your desktop.
    • Once extracted, open the TDSSKiller folder and doubleclick on TDSSKiller.exe to run the application, then on Start Scan.


      TDSSKillerMain.png

    • If an infected file is detected, the default action will be Cure, click on Continue.


      TDSSKillerMal-1.png

    • If a suspicious file is detected, the default action will be Skip, click on Continue.


      TDSSKillerSuspicious-1.png

    • It may ask you to reboot the computer to complete the process. Click on Reboot Now.


      TDSSKillerCompleted.png

    • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
    • If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.


  • Closed Accounts Posts: 1,409 ✭✭✭Butch Cassidy


    Thanks for your help ASJ, but after using Malwarebytes my Windows has BSOD crashed and I can't seem to get it back. I did a scan with it and then it found a good few infected files or threats, so I did the delete+reboot thing as it suggested, but it's obviously deleted something it shouldn't have because my Windows can't start up, whereas before the Malwarebytes I could start up in Safe Mode and Last Known Good Config.


  • Site Banned Posts: 1,167 ✭✭✭ASJ112


    got your windows cd ?


  • Closed Accounts Posts: 1,409 ✭✭✭Butch Cassidy


    ASJ112 wrote: »
    got your windows cd ?

    No, unfortunately not. It's a Compaq Presario laptop with Windows XP Media bought from PC World with insurance. It didn't come with any discs but I was to burn recovery discs. The laptop took a fall and I lost the hard drive and hadn't burned the recovery discs, so after it was fixed back up by the insurance I had nothing installed, no OS, nothing. PC World sorted me out and re-installed the drivers and put Windows back on etc. but I was still without discs.


  • Site Banned Posts: 1,167 ✭✭✭ASJ112


    can you borrow one from a friend, make sure it's for XP if you can

