Virus fake updates my notebook

#1 maddog10 (Member, 67 posts)

Sorry for the big messy post. I have a virus (I think); it happens at random.

What it does is, upon shutdown, it starts what looks like a Windows update, then shuts down. On restart it continues the update. The update then fails and reverts. This all takes around an hour. Once the netbook has booted there appears a hidden desktop.ini file and 2 shortcuts saying Korean messenger and media player, which link to crappy-looking websites.

The first thing I found when I googled was 2 forums saying that having these shortcuts is normal and is a requirement of the Korean government with Microsoft when the Korean language pack is installed. For one, I don't believe that: why install shortcuts that link to crappy-looking websites when I don't have the Korean language pack installed? Maybe I got a dodgy Windows update involving all the language packs.

I've run several scans (in safe mode without networking) from different virus software and found mostly nothing. One scan found some stuff in some installation files:
Win32/bundled.toolbar.ask.application
Win32/toolbar.babylon.c application, and something to do with ask.com. Further research into this has found nothing.
Spybot rootkit scan finds 10,000+ things, then adds that this may not be malware. Plus the stupid thing can't mass delete them, and it links to this recursive application data where it goes 15 folders deep repeating itself. I found one website saying this is normal behaviour due to the way Windows was programmed.

Looking around my C:\ I'm not sure exactly if what I'm looking at are infected files or what's supposed to be there. Many folders have access denied, or are protected by TrustedInstaller (legit), or are difficult to remove. Many folders have exe.mui files, and many folders like ko-kr and en-us. Language pack stuff, I find, but it seems strange that they are in so many folders for so many programs. Also, many folders and .ini files have the same creation date and time, 14/7/09, or another date. That also seems strange.

Sometimes I look at files that are prefetch (.pf) or in windows\winsxs folders and wonder if they are part of it also.

I've had a boot scan set to run when it does it again, but that turned up nothing. The last time it did it I decided to run safe mode, but I think it got ignored or I missed the button; the usual Windows update screen didn't appear and instead there was just a black screen with single-line text showing all the files getting updated, approx 60,000 files. It stopped at 10,000 and returned to the Windows update screen, but this time it finished its update very fast, booted up in normal mode and didn't install the shortcuts on the desktop.

[Screenshot: vlcsnap-2013-05-11-18h30m06s254.png]
When I tried for safe mode; normally I see a normal Windows update screen.

[Screenshot: vlcsnap-2013-05-11-18h34m06s86.png]
And when it stopped and booted up.

I got a couple of "file1 error 42125 zip archive corrupted" in some scans from stuff in my D drive, but I've figured they aren't anything to worry about.

I scan my eyes over my C:\ files, think, google them, delete a couple now and then.
I have a search program to search for any strange files that I come across.

I have been able to apply normal Windows updates. Btw, I turned the update service off. I scan the task manager processes to see if anything strange turns up, then wonder if stuff like winlogon.exe should be in those locations on my computer.

My files are all ok for now.

I'm basically working on reinstalling, as it looks like my C drive is messed up, but I really want to get this thing.
I am running Windows 7 Starter.

One time after reboot, when the desktop loaded, there was a box in the centre of the screen saying main_wnd or main-wnd. A google gave me the impression this might have something to do with the C++ coding language. You see, there's just too much to google to try and work out. I feel like I'm researching how to make an anti-virus program itself.

One thing: is there a program I can get that runs at shutdown and monitors which files get changed or what is running when this update is happening?

Am I remotely hijacked, spyware, virus? It probably came off some program I downloaded.

Can anyone recommend other forums for this sort of thing?

Is it worth trying to decipher the scheduled tasks in the system tools, or monitoring bandwidth as well?

Tried Avira, Avast, Malwarebytes, Spybot, AVG. Oh yeah, Avast would not install, it was blocked, so I downloaded this thing called Chameleon which installed it, but strangely the Chameleon folder seemed to fill up with strange files as well.

It seems to do it at random, but usually every 3-4 days, but the pattern does change. It used to do the whole update thing in one go, no reboot; it seems to do it 2 shutdowns in a row also at the moment.

Anyone want to help me with this mystery? Has the Korean government cornered Microsoft into making shortcuts appear on my computer? Do I have a virus playing a continuous update on me that's going to make my computer explode? What's the point? Is there a virus at all? Can I get rid of it and return my file system to normal?

Here is the HijackThis log; I had to run it as admin for it to work.

Logfile of Trend Micro HijackThis v2.0.5
Scan saved at 6:50:12 PM, on 11/5/2013
Platform: Windows 7 SP1 (WinNT 6.00.3505)
MSIE: Internet Explorer v9.00 (9.00.8112.16476)

FIREFOX: 19.0 (en-GB)
Boot mode: Normal

Running processes:
C:\windows\system32\taskhost.exe
C:\windows\system32\Dwm.exe
C:\windows\Explorer.EXE
C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe
C:\Program Files\Comodo\COMODO Internet Security\cfp.exe
C:\Program Files\Bluetooth Suite\AthBtTray.exe
C:\Program Files\Bluetooth Suite\BtvStack.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Flickr Uploadr\Flickr Uploadr.exe
C:\windows\system32\NOTEPAD.EXE
C:\windows\system32\SearchFilterHost.exe
C:\Users\ken\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://asus.msn.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://uk.msn.com/?p...22DHP&dt=042413
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: IESpeakDoc - {8D10F6C4-0E01-4BD4-8601-11AC1FDF8126} - C:\Program Files\Bluetooth Suite\IEPlugIn.dll
O2 - BHO: avast! WebRep - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll
O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: SkypeIEPluginBHO - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: (no name) - {D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
O3 - Toolbar: avast! WebRep - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll
O4 - HKLM\..\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe -s
O4 - HKLM\..\Run: [COMODO Internet Security] "C:\Program Files\COMODO\COMODO Internet Security\cfp.exe" -h
O4 - HKLM\..\Run: [ETDCtrl] %ProgramFiles%\Elantech\ETDCtrl.exe
O4 - HKLM\..\Run: [iSeriesCharge] AsusSender.exe C:\Program Files\ASUS\USBChargeSetting\iSeriesCharge.exe
O4 - HKLM\..\Run: [AthBtTray] "C:\Program Files\Bluetooth Suite\AthBtTray.exe"
O4 - HKLM\..\Run: [AtherosBtStack] "C:\Program Files\Bluetooth Suite\BtvStack.exe"
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'NETWORK SERVICE')
O9 - Extra button: (no name) - {7815BE26-237D-41A8-A98F-F7BD75F71086} - C:\Program Files\Bluetooth Suite\IEPlugIn.dll
O9 - Extra 'Tools' menuitem: Send by Bluetooth to - {7815BE26-237D-41A8-A98F-F7BD75F71086} - C:\Program Files\Bluetooth Suite\IEPlugIn.dll
O9 - Extra button: Skype Click to Call - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\microsoft shared\windows live\wlidnsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\microsoft shared\windows live\wlidnsp.dll
O11 - Options group: [ACCELERATED_GRAPHICS] Accelerated graphics
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - http://download.eset...lineScanner.cab
O18 - Protocol: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O18 - Protocol: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
O20 - AppInit_DLLs: C:\windows\system32\guard32.dll
O20 - Winlogon Notify: SDWinLogon - SDWinLogon.dll (file missing)
O23 - Service: Ad-Aware Service - Lavasoft Limited - C:\Program Files\Ad-Aware Antivirus\AdAwareService.exe
O23 - Service: ASUS InstantOn Service (ASUS InstantOn) - ASUS - C:\Program Files\ASUS\InstantOn for EPC\InsOnSrv.exe
O23 - Service: Atheros Bt&Wlan Coex Agent - Atheros - C:\Program Files\Bluetooth Suite\Ath_CoexAgent.exe
O23 - Service: AtherosSvc - Atheros Commnucations - C:\Program Files\Bluetooth Suite\adminservice.exe
O23 - Service: avast! Antivirus - AVAST Software - C:\Program Files\AVAST Software\Avast\AvastSvc.exe
O23 - Service: COMODO Internet Security Helper Service (cmdAgent) - COMODO - C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
O23 - Service: COMODO Dragon Update Service (DragonUpdater) - Unknown owner - C:\Program Files\Comodo\Dragon\dragon_updater.exe
O23 - Service: Ad-Aware (SBAMSvc) - GFI Software - C:\Program Files\Ad-Aware Antivirus\SBAMSvc.exe
O23 - Service: Spybot-S&D 2 Scanner Service (SDScannerService) - Safer-Networking Ltd. - C:\Program Files\Spybot - Search & Destroy 2\SDFSSvc.exe
O23 - Service: Spybot-S&D 2 Updating Service (SDUpdateService) - Safer-Networking Ltd. - C:\Program Files\Spybot - Search & Destroy 2\SDUpdSvc.exe
O23 - Service: Spybot-S&D 2 Security Center Service (SDWSCService) - Safer-Networking Ltd. - C:\Program Files\Spybot - Search & Destroy 2\SDWSCSvc.exe
O23 - Service: Skype C2C Service - Skype Technologies S.A. - C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe
O23 - Service: Skype Updater (SkypeUpdate) - Skype Technologies - C:\Program Files\Skype\Updater\Updater.exe

--
End of file - 6652 bytes
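As an added example (not from the poster, and not HijackThis code), a small Python triage script that parses log entries in the format above and flags the lines a helper would look at first: autostart hooks pointing at a file that no longer exists, O20 AppInit_DLLs / Winlogon Notify entries (which load into many processes and so deserve a check against the vendor's published file), and duplicated Winsock LSP lines. The sample lines are copied from the log in this post; the rules are heuristics for reading the log, not a verdict on any entry.

```python
import re
from collections import Counter

# Constructed sample: a handful of lines copied from the HijackThis log in this post.
SAMPLE_LOG = r"""
O3 - Toolbar: (no name) - {D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
O4 - HKLM\..\Run: [ETDCtrl] %ProgramFiles%\Elantech\ETDCtrl.exe
O10 - Unknown file in Winsock LSP: c:\program files\common files\microsoft shared\windows live\wlidnsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\microsoft shared\windows live\wlidnsp.dll
O20 - AppInit_DLLs: C:\windows\system32\guard32.dll
O20 - Winlogon Notify: SDWinLogon - SDWinLogon.dll (file missing)
O23 - Service: Skype Updater (SkypeUpdate) - Skype Technologies - C:\Program Files\Skype\Updater\Updater.exe
"""

# Every HijackThis entry starts with a section code (R0, O4, O23, ...) followed by " - ".
ENTRY_RE = re.compile(r"^(?P<code>[RFO]\d+) - (?P<body>.+)$")


def parse_entries(text):
    """Split a HijackThis log into (section code, body) tuples; other lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("code"), m.group("body")))
    return entries


def triage(text):
    """Return (code, reason, body) for entries worth a second look, one reason per entry.

    Priority: a dangling hook (file missing / no file) first, then any O20 hook,
    then an O10 LSP line that appears more than once in the same log.
    """
    counts = Counter(parse_entries(text))  # also de-duplicates, keeping first-seen order
    findings = []
    for (code, body), n in counts.items():
        if "(file missing)" in body or "(no file)" in body:
            findings.append((code, "dangling hook", body))
        elif code == "O20":
            findings.append((code, "process-wide hook (AppInit_DLLs / Winlogon Notify)", body))
        elif code == "O10" and n > 1:
            findings.append((code, "duplicate LSP entry", body))
    return findings


if __name__ == "__main__":
    for code, reason, body in triage(SAMPLE_LOG):
        print(f"{code:<4} {reason:<50} {body}")
```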