Did I just get hit by a virus? Task Manager has been disabled.......

lektrix

Golden Member
Aug 9, 2003
1,174
0
76
I was just at a LAN party and I was the only one transferring games to people, and 8 hours later I suddenly got some "you have spyware" popup on my desktop and a flashing red sign in my active icons WHILE BROWSING THE INTERNET..... I thought it was some adware/spyware but I couldn't right click and remove it, so I tried ctrl-alt-delete-ing and going to the Task Manager to find the process and shut it down, but strangely, the TASK MANAGER WAS GREYED OUT.... This was the first time in my life seeing this so I was dumbfounded...... Anyhow, one of my friends told me to dl the Avast trial so I did, installed it, rebooted and did the complete scan before entering into XP.... It found 5 trojans and adware and quarantined them (I assume) but my computer is still acting strange... First, the Task Manager is still disabled; second, after booting into the desktop, I hear my Raptor (presumably C:) make reading noises in the same exact pattern every 3-4 seconds.... Some huge process or app is running behind closed walls and it probably doesn't want me to shut it down, which is why they disabled Task Manager......

What should I do?

 

mechBgon

Super Moderator
Elite Member
Oct 31, 1999
30,699
1
0
Yeah, your computer is infected. As an initial step, try using Windows XP's system restore feature (Start > All Programs > Accessories > System Tools > System Restore, if I remember correctly). Go back to before you infected your computer.

I would also remove the Avast antivirus software, then install a 30-day trialware of Kaspersky AntiVirus 7. Go into the Settings panel by right-clicking the red K icon in your system tray. Go down the list of settings and max them all out. Enable the Riskware checkbox in Threats & Exclusions, too.

Now update the virus definitions again, and run a full Scan My Computer. This is just your opening move; you can try out Schadenfroh's automated virus-removal utility and work through John's malware-removal guide as additional steps.

Big picture: don't play with fire and you're not as likely to get burned. Eh?
 

corkyg

Elite Member | Peripherals
Super Moderator
Mar 4, 2000
27,370
239
106
Yes, and you might want to forward MechBgon's instructions to everyone else at that LAN party - chances are they share your affliction.
 

lektrix

Golden Member
Aug 9, 2003
1,174
0
76
What can I do and not do on my infected PC?

Should I still leave it on the network with all the other PCs?
Can I log in to personal/sensitive sites?
Can I back up my files (non-infected) and transfer them over to my other PC?

 

corkyg

Elite Member | Peripherals
Super Moderator
Mar 4, 2000
27,370
239
106
Do nothing until you fix it as MechBgon suggested.
 

lektrix

Golden Member
Aug 9, 2003
1,174
0
76
Originally posted by: mechBgon
Yeah, your computer is infected. As an initial step, try using Windows XP's system restore feature (Start > All Programs > Accessories > System Tools > System Restore, if I remember correctly). Go back to before you infected your computer.

I would also remove the Avast antivirus software, then install a 30-day trialware of Kaspersky AntiVirus 7. Go into the Settings panel by right-clicking the red K icon in your system tray. Go down the list of settings and max them all out. Enable the Riskware checkbox in Threats & Exclusions, too.

Now update the virus definitions again, and run a full Scan My Computer. This is just your opening move; you can try out Schadenfroh's automated virus-removal utility and work through John's malware-removal guide as additional steps.

Big picture: don't play with fire and you're not as likely to get burned. Eh?

I did everything there except Schadenfroh's link... I got Kaspersky and I ran all the apps recommended in John's guide.. It removed a lot of stuff and my Task Manager works fine now..

I will probably run Schadenfroh's link when I get a chance, but right now I have 2 more problems:

1. My computer feels very sluggish; it still feels slow loading up apps and running programs, especially at startup... My startup.exe isn't bloated and I only run essentials, so I don't know why I'm experiencing this additional lag or slowdown..... Could it be Kaspersky running in the background? I know they say it's only 15MB and it's not a resource hog, but it seems that way right now....

2. Why did all my times change to military time with +12 hours?
 

mechBgon

Super Moderator
Elite Member
Oct 31, 1999
30,699
1
0
There are a lot of possibilities. Out of curiosity, what were the names of the malwares, exactly? Kaspersky's "reports" section will have a panel that lists what it found, you can copy & paste from there.
 

lektrix

Golden Member
Aug 9, 2003
1,174
0
76
Originally posted by: mechBgon
There are a lot of possibilities. Out of curiosity, what were the names of the malwares, exactly? Kaspersky's "reports" section will have a panel that lists what it found, you can copy & paste from there.

Actually I wasn't able to run Kaspersky 100%..... It ran to 38% and I accidentally rebooted my PC, but so far it found:

deleted: adware not a virus: AdWare.Win32.Vapsup.tz
deleted: adware not a virus: AdWare.Win32.Vapsup.tz
deleted: adware not a virus: AdWare.Win32.Vapsup.tz
detected: virus Heur.Invader (modification)
quaratined: virus Heur.Invader (modification)

Infected: riskware not a virus: RiskTool.Win32.Reboot.f
Infected: riskware not a virus: RiskTool.Win32.Reboot.f
Infected: adware not-a-virus:AdWare.Win32.Vapsup.tz
Infected: adware not-a-virus:AdWare.Win32.Vapsup.tz
Infected: Trojan program Trojan.Win32.Inject.ph
Infected: adware not-a-virus:AdWare.Win32.Vapsup.tz

 

Schadenfroh

Elite Member
Mar 8, 2003
38,416
4
0
Also, do you have more than one realtime antivirus / antispyware application running?

What other antimalware (norton, mcafee?) / firewall applications (zonealarm, etc) have you installed (even if it was just the trial) since your last format? Remnants can cause issues.

Consider posting a hijackthis log over in the security forums for Medea to take a look at.
 

lektrix

Golden Member
Aug 9, 2003
1,174
0
76
Originally posted by: Schadenfroh
Also, do you have more than one realtime antivirus / antispyware application running?

What other antimalware (norton, mcafee?) / firewall applications (zonealarm, etc) have you installed (even if it was just the trial) since your last format? Remnants can cause issues.

I just took out the Avast trial and Symantec Corporate Edition virus scanners.
No firewall applications..

Right now my PC is killing me...... I have ZERO APPS running and my HDD still makes that "reading" pattern noise...... I gotta complete this Kaspersky scan, but scanning 900GB will take 15 hours and sitting here 15 hours straight is gonna suck.... I might as well back up the files I need, scan them on another computer, then reformat!
 

mechBgon

Super Moderator
Elite Member
Oct 31, 1999
30,699
1
0
Originally posted by: lektrix
Originally posted by: mechBgon
There are a lot of possibilities. Out of curiosity, what were the names of the malwares, exactly? Kaspersky's "reports" section will have a panel that lists what it found, you can copy & paste from there.

Actually I wasn't able to run Kaspersky 100%..... It ran to 38% and I accidentally rebooted my PC, but so far it found:

deleted: adware not a virus: AdWare.Win32.Vapsup.tz
deleted: adware not a virus: AdWare.Win32.Vapsup.tz
deleted: adware not a virus: AdWare.Win32.Vapsup.tz
detected: virus Heur.Invader (modification)
quaratined: virus Heur.Invader (modification)

Infected: riskware not a virus: RiskTool.Win32.Reboot.f
Infected: riskware not a virus: RiskTool.Win32.Reboot.f
Infected: adware not-a-virus:AdWare.Win32.Vapsup.tz
Infected: adware not-a-virus:AdWare.Win32.Vapsup.tz
Infected: Trojan program Trojan.Win32.Inject.ph
Infected: adware not-a-virus:AdWare.Win32.Vapsup.tz

Interesting. Get a full scan done, or at least all the way through the C: drive. Also run Kaspersky's rootkit scan if you haven't already scanned for rootkits somewhere along the line. And one other scanner you might want to run, is the Microsoft Malicious Software Removal Tool, because I often found those Vapsup thingies to be a component of a Zlob infection. Microsoft's tool detects Zlob and they have relatively high detection rates for it.

 

lektrix

Golden Member
Aug 9, 2003
1,174
0
76
Originally posted by: mechBgon
Originally posted by: lektrix
Originally posted by: mechBgon
There are a lot of possibilities. Out of curiosity, what were the names of the malwares, exactly? Kaspersky's "reports" section will have a panel that lists what it found, you can copy & paste from there.

Actually I wasn't able to run Kaspersky 100%..... It ran to 38% and I accidentally rebooted my PC, but so far it found:

deleted: adware not a virus: AdWare.Win32.Vapsup.tz
deleted: adware not a virus: AdWare.Win32.Vapsup.tz
deleted: adware not a virus: AdWare.Win32.Vapsup.tz
detected: virus Heur.Invader (modification)
quaratined: virus Heur.Invader (modification)

Infected: riskware not a virus: RiskTool.Win32.Reboot.f
Infected: riskware not a virus: RiskTool.Win32.Reboot.f
Infected: adware not-a-virus:AdWare.Win32.Vapsup.tz
Infected: adware not-a-virus:AdWare.Win32.Vapsup.tz
Infected: Trojan program Trojan.Win32.Inject.ph
Infected: adware not-a-virus:AdWare.Win32.Vapsup.tz

Interesting. Get a full scan done, or at least all the way through the C: drive. Also run Kaspersky's rootkit scan if you haven't already scanned for rootkits somewhere along the line. And one other scanner you might want to run, is the Microsoft Malicious Software Removal Tool, because I often found those Vapsup thingies to be a component of a Zlob infection. Microsoft's tool detects Zlob and they have relatively high detection rates for it.

Have another question.

I need to send out some emails but something is wrong with my outgoing server:

INTERNET SECURITY WARNING
The server you are connected to is using a security certificate that cannot be verified.

A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provided.
Do you want to continue using this server?


 

mechBgon

Super Moderator
Elite Member
Oct 31, 1999
30,699
1
0
Originally posted by: lektrix
Originally posted by: mechBgon
Originally posted by: lektrix
Originally posted by: mechBgon
There are a lot of possibilities. Out of curiosity, what were the names of the malwares, exactly? Kaspersky's "reports" section will have a panel that lists what it found, you can copy & paste from there.

Actually I wasn't able to run Kaspersky 100%..... It ran to 38% and I accidentally rebooted my PC, but so far it found:

deleted: adware not a virus: AdWare.Win32.Vapsup.tz
deleted: adware not a virus: AdWare.Win32.Vapsup.tz
deleted: adware not a virus: AdWare.Win32.Vapsup.tz
detected: virus Heur.Invader (modification)
quaratined: virus Heur.Invader (modification)

Infected: riskware not a virus: RiskTool.Win32.Reboot.f
Infected: riskware not a virus: RiskTool.Win32.Reboot.f
Infected: adware not-a-virus:AdWare.Win32.Vapsup.tz
Infected: adware not-a-virus:AdWare.Win32.Vapsup.tz
Infected: Trojan program Trojan.Win32.Inject.ph
Infected: adware not-a-virus:AdWare.Win32.Vapsup.tz

Interesting. Get a full scan done, or at least all the way through the C: drive. Also run Kaspersky's rootkit scan if you haven't already scanned for rootkits somewhere along the line. And one other scanner you might want to run, is the Microsoft Malicious Software Removal Tool, because I often found those Vapsup thingies to be a component of a Zlob infection. Microsoft's tool detects Zlob and they have relatively high detection rates for it.

Have another question.

I need to send out some emails but something is wrong with my outgoing server:

INTERNET SECURITY WARNING
The server you are connected to is using a security certificate that cannot be verified.

A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provided.
Do you want to continue using this server?

As a guess, that's probably due to your PC's time/date/timezone not being correct.

 

lektrix

Golden Member
Aug 9, 2003
1,174
0
76
Originally posted by: mechBgon
Originally posted by: lektrix
Originally posted by: mechBgon
There are a lot of possibilities. Out of curiosity, what were the names of the malwares, exactly? Kaspersky's "reports" section will have a panel that lists what it found, you can copy & paste from there.

Actually I wasn't able to run Kaspersky 100%..... It ran to 38% and I accidentally rebooted my PC, but so far it found:

deleted: adware not a virus: AdWare.Win32.Vapsup.tz
deleted: adware not a virus: AdWare.Win32.Vapsup.tz
deleted: adware not a virus: AdWare.Win32.Vapsup.tz
detected: virus Heur.Invader (modification)
quaratined: virus Heur.Invader (modification)

Infected: riskware not a virus: RiskTool.Win32.Reboot.f
Infected: riskware not a virus: RiskTool.Win32.Reboot.f
Infected: adware not-a-virus:AdWare.Win32.Vapsup.tz
Infected: adware not-a-virus:AdWare.Win32.Vapsup.tz
Infected: Trojan program Trojan.Win32.Inject.ph
Infected: adware not-a-virus:AdWare.Win32.Vapsup.tz

Interesting. Get a full scan done, or at least all the way through the C: drive. Also run Kaspersky's rootkit scan if you haven't already scanned for rootkits somewhere along the line. And one other scanner you might want to run, is the Microsoft Malicious Software Removal Tool, because I often found those Vapsup thingies to be a component of a Zlob infection. Microsoft's tool detects Zlob and they have relatively high detection rates for it.

The names I listed were only from Kaspersky (finished 38% and my C drive).....

I think I removed a lot more when I ran JOHN'S GUIDE.... and one of the programs in the link he sent me contains malware/adware.. I think it was combo.exe or something


Here is what HiJackThis showed:

http://hjt-data.trend-braintree.com/hjt/display_data.php?report=5140886
 

mechBgon

Super Moderator
Elite Member
Oct 31, 1999
30,699
1
0
I think I removed a lot more when I ran JOHN'S GUIDE.... and one of the programs in the link he sent me contains malware/adware.. I think it was combo.exe or something

It's normal for antivirus products to detect ComboFix as a possible threat, because it uses some special tactics which malware could also use. Nothing to worry about in this case.


Here is what HiJackThis showed:

http://hjt-data.trend-braintree.com/hjt/display_data.php?report=5140886

No workie :(
 

lektrix

Golden Member
Aug 9, 2003
1,174
0
76
Originally posted by: mechBgon
I think I removed a lot more when I ran JOHN'S GUIDE.... and one of the programs in the link he sent me contains malware/adware.. I think it was combo.exe or something

It's normal for antivirus products to detect ComboFix as a possible threat, because it uses some special tactics which malware could also use. Nothing to worry about in this case.


Here is what HiJackThis showed:

http://hjt-data.trend-braintree.com/hjt/display_data.php?report=5140886

No workie :(

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:39:01, on 23/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATITool\ATITool.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\Documents and Settings\Christian\Desktop\Windows-KB890830-V1.36.exe
c:\439e3bcbe4ed0fa62c63c853\mrtstub.exe
C:\WINDOWS\system32\MRT.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\rogueremoval\HJT.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/ju...010&mid=MjI6Ojg5&lid=2
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 128.135.11.149:3128
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O3 - Toolbar: (no name) - {D3ADD35B-48FC-4EB5-84BB-AF7ED2795035} - (no file)
O4 - HKLM\..\Run: [ATITool] "C:\Program Files\ATITool\ATITool.exe" -s
O4 - HKLM\..\Run: [Start WingMan Profiler] C:\Program Files\Logitech\Gaming Software\LWEMon.exe /noui
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe"
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\SCIEPlgn.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.co...site.cab?1194815621921
O17 - HKLM\System\CCS\Services\Tcpip\..\{1F540156-FB65-4C46-80CD-FD3862A41711}: NameServer = 192.168.0.1
O17 - HKLM\System\CS1\Services\Tcpip\..\{1F540156-FB65-4C46-80CD-FD3862A41711}: NameServer = 192.168.0.1
O21 - SSODL: xcvwer - {1F9FCF01-7BD6-4F9A-9AAD-6A9A7E694A7E} - C:\WINDOWS\xcvwer.dll
O21 - SSODL: hjoqor - {94A48AF2-C4CA-4980-8672-609FCF347574} - (no file)
O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logitech\Bluetooth\LBTServ.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe

--
End of file - 4357 bytes
 

mechBgon

Super Moderator
Elite Member
Oct 31, 1999
30,699
1
0
Originally posted by: lektrix
Originally posted by: mechBgon
I think I removed a lot more when I ran JOHN'S GUIDE.... and one of the programs in the link he sent me contains malware/adware.. I think it was combo.exe or something

It's normal for antivirus products to detect ComboFix as a possible threat, because it uses some special tactics which malware could also use. Nothing to worry about in this case.


Here is what HiJackThis showed:

http://hjt-data.trend-braintree.com/hjt/display_data.php?report=5140886

No workie :(

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:39:01, on 23/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATITool\ATITool.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\Documents and Settings\Christian\Desktop\Windows-KB890830-V1.36.exe
c:\439e3bcbe4ed0fa62c63c853\mrtstub.exe
C:\WINDOWS\system32\MRT.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\rogueremoval\HJT.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/ju...010&mid=MjI6Ojg5&lid=2
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 128.135.11.149:3128
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O3 - Toolbar: (no name) - {D3ADD35B-48FC-4EB5-84BB-AF7ED2795035} - (no file)
O4 - HKLM\..\Run: [ATITool] "C:\Program Files\ATITool\ATITool.exe" -s
O4 - HKLM\..\Run: [Start WingMan Profiler] C:\Program Files\Logitech\Gaming Software\LWEMon.exe /noui
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe"
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\SCIEPlgn.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.co...site.cab?1194815621921
O17 - HKLM\System\CCS\Services\Tcpip\..\{1F540156-FB65-4C46-80CD-FD3862A41711}: NameServer = 192.168.0.1
O17 - HKLM\System\CS1\Services\Tcpip\..\{1F540156-FB65-4C46-80CD-FD3862A41711}: NameServer = 192.168.0.1
O21 - SSODL: xcvwer - {1F9FCF01-7BD6-4F9A-9AAD-6A9A7E694A7E} - C:\WINDOWS\xcvwer.dll
O21 - SSODL: hjoqor - {94A48AF2-C4CA-4980-8672-609FCF347574} - (no file)
O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logitech\Bluetooth\LBTServ.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe

--
End of file - 4357 bytes

You appear to have an infection from the NewMediaCodec family of Zlobs. Reboot into Safe Mode when your scans are finished, run HijackThis while in Safe Mode, and nuke these entries to start with:

* R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/ju...010&mid=MjI6Ojg5&lid=2
* O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
* O3 - Toolbar: (no name) - {D3ADD35B-48FC-4EB5-84BB-AF7ED2795035} - (no file)
* O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
* O21 - SSODL: xcvwer - {1F9FCF01-7BD6-4F9A-9AAD-6A9A7E694A7E} - C:\WINDOWS\xcvwer.dll
* O21 - SSODL: hjoqor - {94A48AF2-C4CA-4980-8672-609FCF347574} - (no file)

One way that these NewMediaCodec-style Zlobs get onto people's computers is by posing as a video codec or Flash Player update, typically at pr0n sites. Such approaches would usually look something like this screenshot. If you run into anything trying to get you to download codecs or updates, be very suspicious.
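As an added example that is not part of the thread and not a HijackThis or Trend Micro tool, this Python triage script encodes the reasoning mechBgon applies to the log above (start-page hijack, orphaned O2/O3 registrations, suspicious O21 SSODL entries) together with John's note further down that the O10 nwprovau.dll entry is legitimate. The approved home-page hosts and the list of legitimate LSP files are assumptions, not something the thread states.

```python
"""Triage helper for HijackThis v2 logs like the one posted in this thread."""
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Entries copied from the HijackThis log posted above: the six mechBgon flags,
# plus three benign lines (R1 ProxyOverride, O4 AVP, O23 NVSvc) for contrast.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/ju...010&mid=MjI6Ojg5&lid=2
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O3 - Toolbar: (no name) - {D3ADD35B-48FC-4EB5-84BB-AF7ED2795035} - (no file)
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe"
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O21 - SSODL: xcvwer - {1F9FCF01-7BD6-4F9A-9AAD-6A9A7E694A7E} - C:\WINDOWS\xcvwer.dll
O21 - SSODL: hjoqor - {94A48AF2-C4CA-4980-8672-609FCF347574} - (no file)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

# Assumptions, not from the thread: the home-page hosts this PC's owner approves
# of, and Winsock LSP files taken as legitimate (XP's stock providers plus
# nwprovau.dll, which John confirms is safe further down the thread).
TRUSTED_HOMEPAGE_HOSTS = {"www.google.com", "www.msn.com"}
KNOWN_GOOD_LSP_FILES = {"mswsock.dll", "winrnr.dll", "rsvpsp.dll", "nwprovau.dll"}

LINE_RE = re.compile(r"^([RO]\d+) - (.*)$")   # "<section> - <body>"
NO_FILE = "(no file)"


@dataclass(frozen=True)
class Finding:
    section: str    # HJT section code, e.g. "O21"
    severity: str   # "remove": hijacked/orphaned entry; "review": needs a human
    reason: str
    line: str


def _check_startpage(body):
    # R0/R1: IE start and search page. A hijack points them at a referral site.
    if "Start Page" in body or "Search Page" in body:
        host = (urlparse(body.split("=", 1)[-1].strip()).hostname or "").lower()
        if host and host not in TRUSTED_HOMEPAGE_HOSTS:
            return "remove", f"IE start/search page hijacked to {host}"
    return None


def _check_orphan(body):
    # O2 (BHO) / O3 (toolbar): CLSID still registered, DLL gone. That is the
    # debris a half-removed infection leaves behind; nothing legitimate needs it.
    if body.endswith(NO_FILE):
        return "remove", "orphaned COM registration (no file on disk)"
    return None


def _check_lsp(body):
    # O10: Winsock LSP chain entry HJT could not identify by name.
    m = re.search(r"Winsock LSP:\s*(.+)$", body)
    if not m:
        return None
    filename = m.group(1).replace("\\", "/").rsplit("/", 1)[-1].lower()
    if filename in KNOWN_GOOD_LSP_FILES:
        return None
    return "review", f"unidentified Winsock LSP {filename}"


def _check_ssodl(body):
    # O21: ShellServiceObjectDelayLoad, loaded by Explorer at every logon. HJT
    # hides XP's own entries, so anything listed deserves a look; a DLL dropped
    # straight into the Windows directory, or already missing, is the Zlob
    # pattern mechBgon calls out above.
    if body.endswith(NO_FILE):
        return "remove", "SSODL entry whose DLL is missing"
    path = body.rsplit(" - ", 1)[-1].strip().lower()
    if re.fullmatch(r"[a-z]:\\windows\\[^\\]+\.dll", path):
        return "remove", "SSODL DLL sitting directly in the Windows directory"
    return "review", "non-default SSODL entry"


CHECKS = {"R0": _check_startpage, "R1": _check_startpage, "O2": _check_orphan,
          "O3": _check_orphan, "O10": _check_lsp, "O21": _check_ssodl}


def analyze_hjt(log_text):
    """Return Findings for the log lines that match one of the checks above."""
    findings = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m or m.group(1) not in CHECKS:
            continue    # header, process list, or a section we do not triage
        verdict = CHECKS[m.group(1)](m.group(2))
        if verdict:
            findings.append(Finding(m.group(1), verdict[0], verdict[1], raw.strip()))
    return findings


if __name__ == "__main__":
    for f in analyze_hjt(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.section}: {f.reason}\n          {f.line}")
```

Run against the posted log it reports exactly the five entries mechBgon lists minus the O10 line, which drops out because nwprovau.dll is on the legitimate list.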
 

lektrix

Golden Member
Aug 9, 2003
1,174
0
76
Originally posted by: mechBgon
Originally posted by: lektrix
Originally posted by: mechBgon
I think I removed a lot more when I ran JOHN'S GUIDE.... and one of the programs in the link he sent me contains malware/adware.. I think it was combo.exe or something

It's normal for antivirus products to detect ComboFix as a possible threat, because it uses some special tactics which malware could also use. Nothing to worry about in this case.


Here is what HiJackThis showed:

http://hjt-data.trend-braintree.com/hjt/display_data.php?report=5140886

No workie :(

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:39:01, on 23/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATITool\ATITool.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\Documents and Settings\Christian\Desktop\Windows-KB890830-V1.36.exe
c:\439e3bcbe4ed0fa62c63c853\mrtstub.exe
C:\WINDOWS\system32\MRT.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\rogueremoval\HJT.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/ju...010&mid=MjI6Ojg5&lid=2
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 128.135.11.149:3128
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O3 - Toolbar: (no name) - {D3ADD35B-48FC-4EB5-84BB-AF7ED2795035} - (no file)
O4 - HKLM\..\Run: [ATITool] "C:\Program Files\ATITool\ATITool.exe" -s
O4 - HKLM\..\Run: [Start WingMan Profiler] C:\Program Files\Logitech\Gaming Software\LWEMon.exe /noui
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe"
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\SCIEPlgn.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.co...site.cab?1194815621921
O17 - HKLM\System\CCS\Services\Tcpip\..\{1F540156-FB65-4C46-80CD-FD3862A41711}: NameServer = 192.168.0.1
O17 - HKLM\System\CS1\Services\Tcpip\..\{1F540156-FB65-4C46-80CD-FD3862A41711}: NameServer = 192.168.0.1
O21 - SSODL: xcvwer - {1F9FCF01-7BD6-4F9A-9AAD-6A9A7E694A7E} - C:\WINDOWS\xcvwer.dll
O21 - SSODL: hjoqor - {94A48AF2-C4CA-4980-8672-609FCF347574} - (no file)
O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logitech\Bluetooth\LBTServ.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe

--
End of file - 4357 bytes

You appear to have an infection from the NewMediaCodec family of Zlobs. Reboot into Safe Mode when your scans are finished, run HijackThis while in Safe Mode, and nuke these entries to start with:

* R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/ju...010&mid=MjI6Ojg5&lid=2
* O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
* O3 - Toolbar: (no name) - {D3ADD35B-48FC-4EB5-84BB-AF7ED2795035} - (no file)
* O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
* O21 - SSODL: xcvwer - {1F9FCF01-7BD6-4F9A-9AAD-6A9A7E694A7E} - C:\WINDOWS\xcvwer.dll
* O21 - SSODL: hjoqor - {94A48AF2-C4CA-4980-8672-609FCF347574} - (no file)

One way that these NewMediaCodec-style Zlobs get onto people's computers is by posing as a video codec or Flash Player update, typically at pr0n sites. Such approaches would usually look something like this screenshot. If you run into anything trying to get you to download codecs or updates, be very suspicious.

Alright thanks, I will do that ASAP... My Kaspersky virus scan is only at 93% and it's been running for over 12 hours... I still got 1 hour to go but it should be done by then... What a pain to scan 1TB =(... Kaspersky found some malware/adware and dealt with it, but that was with the autoscanner; the scan I'm running hasn't found anything yet.....

My computer is still lagging every 5 seconds with the HDD reading in the same pattern over and over again =(... AND I just got 5-6 popups from my IE asking me to download anti-spyware programs... My IE is infected, but that's weird because I ran all the spyware/malware programs and cleaned everything out......
 

nsafreak

Diamond Member
Oct 16, 2001
7,093
3
81
I'm going to be honest and state this, you're better off just saving all of the document files & media files that you need to keep to DVD and then wiping & reinstalling windows. It is very, very tough nowadays to get a piece of malware and some viruses off your system. You can continue trying but the best solution is likely to wipe the system and start over again.

Btw the suggestion to perform a system restore will not do any good at all. Most malware & viruses infect that with copies of themselves once they get on your system.
 

John

Moderator Emeritus
Elite Member
Oct 9, 1999
33,944
1
0
Originally posted by: lektrix
i will probably run Schadenfroh's link when i get a chance but right now i have 2 more problems:

1. my computer feels very sluggish, it still feels slow loading up apps and running programs especially at startup...my startup.exe isn't bloated and i only run essentials so i don't know why i'm experiencing this additional lag or slow down.....could it be kaspersky running in the background? i know they say it's only 15 MB and it's not a resource hog but it seems that way right now....

2. why did all my times change to military times with the +12hours?

1. You're still infected. If you feel that Kaspersky is slowing you down, uninstall it, reboot, and try the KAV standalone tool. (download the bottom one)

2. Combofix changed your time. You can safely change it back.

I think I removed a lot more when I ran JOHN'S GUIDE....and one of the programs in the link he sent me contains malware/adware..i think it was combo.exe or something
Nothing in my guide contains malware/adware. However, as mech pointed out, Combofix, Smitfraudfix, and Roguefix could be detected by certain scanners since they cannot distinguish between the good and malicious use of such programs.

FWIW this entry is safe: O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll

what a pain to scan 1TB =(
Do you run a single c:\ partition? If not then the only drive that you need to scan (to start with) is the one containing your Windows installation.

my computer is still lagging every 5 seconds with the hdd reading in the same pattern over and over again =(... AND I just got 5-6 popups from my IE asking me to download anti-spyware programs...my IE is infected but that's weird because i ran all the spyware/malware programs and cleaned everything out......

Are you in safe mode w/ networking and the system restore disabled?
 

lektrix

Golden Member
Aug 9, 2003
1,174
0
76
Originally posted by: John
Originally posted by: lektrix
i will probably run Schadenfroh's link when i get a chance but right now i have 2 more problems:

1. my computer feels very sluggish, it still feels slow loading up apps and running programs especially at startup...my startup.exe isn't bloated and i only run essentials so i don't know why i'm experiencing this additional lag or slow down.....could it be kaspersky running in the background? i know they say it's only 15 MB and it's not a resource hog but it seems that way right now....

2. why did all my times change to military times with the +12hours?

1. You're still infected. If you feel that Kaspersky is slowing you down, uninstall it, reboot, and try the KAV standalone tool. (download the bottom one)

2. Combofix changed your time. You can safely change it back.

Is it Kaspersky slowing me down? I stopped their autoscanner but my hard drive still makes the "reading noise" pattern every 3-4 seconds.

what a pain to scan 1TB =(
Do you run a single c:\ partition? If not then the only drive that you need to scan (to start with) is the one containing your Windows installation.

Yes but I thought everyone wanted me to do a complete system scan.

my computer is still lagging every 5 seconds with the hdd reading in the same pattern over and over again =(... AND I just got 5-6 popups from my IE asking me to download anti-spyware programs...my IE is infected but that's weird because i ran all the spyware/malware programs and cleaned everything out......

Are you in safe mode w/ networking and the system restore disabled?

Safe mode w/ networking is 100% working and blazing fast. At least something works!



Sooooo, I finally did a 100% Kaspersky scan, no viruses found, ran the HijackThis tool and removed the files as recommended above, and ran all of John's other tools and it fixed most problems (task manager works now).....however the hard drive is still slowing down every 3-4 seconds as it seems to be reading SOMETHING that I am not aware of...