Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

Windows hit by malware


  • Please log in to reply

#1
xzmattzx

xzmattzx

    Member

  • Member
  • PipPipPip
  • 101 posts
My mom's/family's computer seems to have been hit by malware, or a virus, or something. It is a Dell Inspiron running Windows Vista.

After being told that "the computer isn't working" (and that was it), I went to look at it. It starts up normally, and goes into Windows as usual. From there, things are different. Instead of the background on the desktop coming up, an orange background shows up. No desktop icons show up, but the toolbar at the bottom shows the automatically-running programs going. Then, a message comes up: "Catalyst Control Centre: Host application has stopped working". I went into Windows Explorer to see if I could get my mom's pictures on a flash drive, but only a few folders are available: PerfLogs, Program Files, Program Files x86, Users, and Windows. (Pictures have been put in a new folder.) One thing that was interesting was that I was in Windows Explorer, I could hear an advertisement going on, as if a video ad on espn.com or some place similar was going. I have not tried many programs, but Microsoft Word appears to work.

I should mention that a little while ago, Live Security Platinum showed up on the computer, and based on a tutorial that I was using, I entered a phone registry key that made it think that it was purchased. I then went to follow the other steps, and Malware Bytes Anti-Malware and RKill both dd not find anything. I hadn't gotten any farther than that, due to being busy.

I'll try to find out what happened when things first went bad, but there's some information for now.

Edited by xzmattzx, 19 September 2012 - 01:37 PM.

  • 0

Advertisements


#2
RKinner

RKinner

    Malware Expert

  • Expert
  • 19,790 posts
  • MVP
If it's malware then the files and folders are probably just hidden:

If using Windows XP:

Close all programs so that you are at your desktop.
Double-click on the My Computer icon.
Select the Tools menu and click Folder Options.
After the new window appears select the View tab.
Put a checkmark in the checkbox labeled Display the contents of system folders.
Under the Hidden files and folders section select the radio button labeled Show hidden files and folders.
Remove the checkmark from the checkbox labeled Hide file extensions for known file types.
Remove the checkmark from the checkbox labeled Hide protected operating system files.
Press the Apply button and then the OK button and exit My Computer.
Now your computer is configured to show all hidden files.


If using Windows Vista or Windows 7:

Close all programs so that you are at your desktop.
Open the Control Panel menu and click Folder Options.
After the new window appears select the View tab.
Put a checkmark in the checkbox labeled Display the contents of system folders.
Under the Hidden files and folders section select the radio button labeled Show hidden files and folders.
Remove the checkmark from the checkbox labeled Hide file extensions for known file types.
Remove the checkmark from the checkbox labeled Hide protected operating system files.
Press the Apply button and then the OK button and exit My Computer.
Now your computer is configured to show all hidden files.

Copy the text in the code box:

DRIVES
nnetsvcs
%SYSTEMDRIVE%\*.exe
%systemroot%\assembly\GAC_32\*.ini
%systemroot%\assembly\GAC_64\*.ini
%systemroot%\assembly\GAC\*.ini
msconfig
safebootminimal
safebootnetwork
activex
drivers32
%SYSTEMDRIVE%\*.exe
%ALLUSERSPROFILE%\Application Data\*.exe
%APPDATA%\*.
/md5start
rsvpsp.dll
pnrpnsp.dll 
nwprovau.dll
nlaapi.dll
napinsp.dll
mswsock.dll
winrnr.dll
wshelper.dll
services.exe
atapi.sys
explorer.exe
winlogon.exe
Userinit.exe
svchost.exe
csrss.exe
PrintIsolationHost.exe
consrv.dll
user32.dll
/md5stop
C:\Windows\assembly\tmp\U\*.* /s
%systemroot%\*. /mp /s
hklm\software\clients\startmenuinternet|command /rs
hklm\software\clients\startmenuinternet|command /64 /rs
%systemroot%\system32\*.dll /lockedfiles
%systemroot%\Tasks\*.job /lockedfiles
%systemroot%\system32\drivers\*.sys /lockedfiles
%systemdrive%\$Recycle.Bin|@;true;true;true /fp 
CREATERESTOREPOINT

Run OTL (Vista or Win 7 => right click and Run As Administrator)

Paste (Ctrl + v) the copied text in the box where it says Custom Scan/Fixes

Select the All option in the Extra Registry group then Run Scan.

You should get two logs. Please copy and paste both of them.

What ever you do do not clear the Temp files! Usually your shortcuts are moved to %Temp%\smtmp (open a command prompt and type: cd %Temp%

Look and see if you have the folder smtmp. If so copy it to your desktop for safekeeping. Leave the original in place.

Ron
  • 0

#3
xzmattzx

xzmattzx

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 101 posts
Thanks; I figured that everything was still there, as the hard drive has as little free space as it did before. I did the first part and see the files now, and will run OTL in a little while.

In the meantime, I ran MBAM, and it found some stuff. Do you want to see the log?
  • 0

#4
RKinner

RKinner

    Malware Expert

  • Expert
  • 19,790 posts
  • MVP
Yes but I really want to see the OTL log to see if there is anything MBAM missed.

There is a program called Unhide.exe which might be able to fix the missing shortcuts and make things visible again.

Download, Save and Right click on unhide.exe and Run As Administrator from

http://download.blee...nler/unhide.exe
  • 0

#5
xzmattzx

xzmattzx

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 101 posts
I've run OTL a couple times, and it seems to stop responding when it gets to "Scanning HKEY_CURRENT_USER\Internet Explorer settings..."
  • 0

#6
RKinner

RKinner

    Malware Expert

  • Expert
  • 19,790 posts
  • MVP
Try it again in Safe Mode

(Reboot and when you see the maker's logo, hear a beep or it talks about F8, start tapping the F8 key slowly. Keep tapping until the Safe Mode Menu appears and choose Safe Mode. Login with your usual login.) If it runs here you will need to save the log then reboot into regular mode in order to post it.

See if this will work:

Download TDSSKiller:
http://support.kaspe.../tdsskiller.exe
Save it to your desktop then run it.
Double click on TDSSKiller.exe (Vista or Win 7 must right click and Run As Admin)
If TDSSKiller alerts you that the system needs to reboot, please consent.
When done, a log file should be created on your C: drive named "TDSSKiller.txt" please copy and paste the contents in your next reply.


Run TDSSKiller again but this time:
before you hit the Scan hit Change Parameters and check the two items under Additional Options. OK then Scan.
In this mode it is prone to false positives so do not change the SKIP option to DELETE unless it says TDSS.
When done, a log file should be created on your C: drive named "TDSSKiller.txt" please copy and paste the contents in your next reply.


What version of windows is this?
  • 0

#7
xzmattzx

xzmattzx

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 101 posts
Okay, I ran OTL in safe mode, and it seems to be getting stuck on the same spot about, regarding Internet Explorer settings.

Should I try that TDSSKiller?
  • 0

#8
RKinner

RKinner

    Malware Expert

  • Expert
  • 19,790 posts
  • MVP
yes
  • 0

#9
xzmattzx

xzmattzx

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 101 posts
I'll try that in a little while. The computer is running Windows Vista.
  • 0

#10
RKinner

RKinner

    Malware Expert

  • Expert
  • 19,790 posts
  • MVP
Don't forget to right click and Run As Admin.

Some other scans to try:


Download aswMBR.exe ( 511KB ) to your desktop.
Right click aswMBR.exe and Run as Administrator
uncheck trace disk IO calls
Click the "Scan" button to start scan (Accept the Avast Engine)
On completion of the scan if the Fix button is enabled (not the FixMBR button) press it and then run a new scan and click save log, save it to your desktop and post in your next reply
If the Fix button is not enabled then just click save log, save it to your desktop and post in your next reply

ComboFix

:!: It must be saved to your desktop, do not run it from your browser:!:

:!: Disable your Antivirus software when downloading or running Combofix. If it has Script Blocking features, please disable these as well. See: http://www.bleepingc...opic114351.html


Download and Save this file -- to your Desktop -- from either of these two sources:
http://download.blee...Bs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe

Rightclick on ComboFix and select Run As Administrator to start the program.



* :!: Important: Have no other programs running. Your Task Bar should be clear of any program entries including your Browser.


* A window may open with a series of Disclaimers. Accept the Disclaimers to start the fix.

A caution - Do not run Combofix more than once. Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. Even when ComboFix appears to be doing nothing, look at your Drive light. If it is flashing, Combofix is still at work.

A file will be created at => C:\Combofix.txt. I'll need to see that in your reply.

Download, Save and Run (win 7 or Vista => Right click and Run as Admin.) farbar service scanner

Posted Image

Tick "All" options.
Press "Scan".
It will create a log (FSS.txt) in the same directory the tool is run.

Please copy and paste the log to your reply.
  • 0

#11
xzmattzx

xzmattzx

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 101 posts
I tried to run TPSSKiller a few times, and I get the box asking to continue to the program (asking the administrator, basically), and then nothing happens. No program opens up. I've also right-clicked and selected "Run as administrator" just to be sure, and nothing happens.

I'll try that aswMBR now.
  • 0

#12
xzmattzx

xzmattzx

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 101 posts
A little bit of an update. I tried running aswMBR, and nothing seemed to happen. I tried running ComboFix, but Windows Live Security is apparently installed, and I couldn't find it in Windows Task Manager to shut it down. McAfee was also running, but I think I got that taken care of.

I have not been on that computer in a couple weeks, so I don't know if things have gotten worse since then.
  • 0

#13
RKinner

RKinner

    Malware Expert

  • Expert
  • 19,790 posts
  • MVP
You might have better luck with Combofix in Safe Mode with Networking
(Reboot and when you see the maker's logo, hear a beep or it talks about F8, start tapping the F8 key slowly. Keep tapping until the Safe Mode Menu appears and choose Safe Mode with Networking. Login with your usual login.)


Let combofix run if it will. I'm not sure Windows Live Security is a real anti-virus anyway.
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP