I suspect my laptop is infected: all kinds of problems

Hi,

I am having some problems with my laptop that seem to be getting worse and I think I have some malware. I noticed when I used IE under my wife’s profile that I can search OK using Google, but when I click on a link I get a message “please click here if you are not redirected in 5 seconds” and that is all it does. When I search using Yahoo I can click on the link and it loads normally.

I notice that the system is also not loading up properly. For example, I have to turn it on and off several times before Windows will load, and it seems to just load a black screen mostly. When I went into my main user profile I was having some strange things also, for example my email program (Outlook) started up when I did not click on it to start; my msconfig was working but now I cannot get msconfig.exe to run; and now I have some strange auto things running in the bottom right (like NVIDIA settings) and I cannot exit WDSmartware, also located in the bottom right.

I tried to run an avast boot scan but it is not working. I have tried to boot into safe mode in windows but with my boot up problems I cannot seem to even get into safe mode. I am running WINXP and I also have MalwareBytesAM on the system and will upload any logs or scans as requested.

Follow this guide and attach (not copy and paste) logs from Malwarebytes / OTL / aswMBR
http://forum.avast.com/index.php?topic=53253.0

As you already have Malwarebytes… remember to update it before you run the quick scan :wink:

ah ok I had previously started a full scan w/mbam and I am 2 hours in, but I have to step out to run some errands and I will do the other steps asap and run a quick scan upon my return home.

started a full scan w/mbam and I am 2 hours in
No need to do a full scan, as we are looking for active malware. The dead, non-running files you can look for some other time.

OK, thanks so much. I just got home and here is the quick scan file, and I now have the OTL logs. I will be updating soon with the other.

I am still waiting on the aswMBR scan to finish but whenever it does so I will post the update immediately.

Once you get that posted I will review everything and we can get going… :slight_smile:

Thank you. Is the aswMBR scan supposed to take a long time? It seems like it has hung on me; it has been scanning the same file/folder for an hour. I don’t mind waiting all day, or if you think I should restart it I can do that also.

Ah here is the log that I have. Sorry, it did not finish scanning so I will post this for now and I guess I will try to run it again…

Hi,

Please download and run ERUNT (Emergency Recovery Utility NT). This program allows you to keep a complete backup of your registry and restore it when needed. The standard registry backup options that come with Windows back up most of the registry but not all of it. ERUNT however creates a complete backup set, including the Security hive and user related sections. ERUNT is easy to use and since it creates a full backup, there are no options or choices other than to select the location of the backup files. The backup set includes a small executable that will launch the registry restore if needed. Remember: if you are using Windows Vista as your operating system, right-click the executable and Run as Administrator.

Run OTL.exe

[*]Copy/paste the following text written inside of the code box into the Custom Scans/Fixes box located at the bottom of OTL


:Services

:OTL
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}
IE - HKU\S-1-5-21-2993078827-757225962-2738381258-1006\..\SearchScopes\{043C5167-00BB-4324-AF7E-62013FAEDACF}: "URL" = http://vshare.toolbarhome.com/search.aspx?q={searchTerms}&srch=dsp
IE - HKU\S-1-5-21-2993078827-757225962-2738381258-1006\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IE8SRC
[2012/02/16 17:38:59 | 000,002,252 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\bing.xml
O2 - BHO: (no name) - {043C5167-00BB-4324-AF7E-62013FAEDACF} - No CLSID value found.
O2 - BHO: (no name) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - No CLSID value found.
O2 - BHO: (no name) - {3CE34EFC-D093-4626-97D6-E3682ECC5A72} - No CLSID value found.
O2 - BHO: (no name) - {6EE09159-4133-460A-A410-2F8A02559ED4} - No CLSID value found.
O2 - BHO: (no name) - {A3BC75A2-1F87-4686-AA43-5347D756017C} - No CLSID value found.
O2 - BHO: (no name) - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - No CLSID value found.
O2 - BHO: (no name) - {EECEE87C-E612-4B88-BD27-934C9B47B846} - No CLSID value found.
O3 - HKU\S-1-5-21-2993078827-757225962-2738381258-1006\..\Toolbar\WebBrowser: (no name) - {043C5167-00BB-4324-AF7E-62013FAEDACF} - No CLSID value found.
O3 - HKU\S-1-5-21-2993078827-757225962-2738381258-1006\..\Toolbar\WebBrowser: (no name) - {A057A204-BACC-4D26-9990-79A187E2698E} - No CLSID value found.
O3 - HKU\S-1-5-21-2993078827-757225962-2738381258-1006\..\Toolbar\WebBrowser: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No CLSID value found.
O33 - MountPoints2\{cb9aa448-24b1-11df-95a8-001d09c60e3c}\Shell - "" = AutoRun
O33 - MountPoints2\{cb9aa448-24b1-11df-95a8-001d09c60e3c}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{cb9aa448-24b1-11df-95a8-001d09c60e3c}\Shell\AutoRun\command - "" = E:\HWPcAssistant.exe
O33 - MountPoints2\{cb9aa44c-24b1-11df-95a8-001d09c60e3c}\Shell - "" = AutoRun
O33 - MountPoints2\{cb9aa44c-24b1-11df-95a8-001d09c60e3c}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{cb9aa44c-24b1-11df-95a8-001d09c60e3c}\Shell\AutoRun\command - "" = E:\HWPcAssistant.exe
[7 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[3 C:\Documents and Settings\Levent Canyas\My Documents\*.tmp files -> C:\Documents and Settings\Levent Canyas\My Documents\*.tmp -> ]
[1 C:\*.tmp files -> C:\*.tmp -> ]
[2011/05/18 17:54:39 | 000,008,964 | -HS- | C] () -- C:\Documents and Settings\Levent Canyas\Local Settings\Application Data\ueu4ue45lg20w7c4ddf
[2010/03/04 18:10:08 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Levent Canyas\Application Data\GetRightToGo

:Files
ipconfig /flushdns /c

:Commands
[purity]
[emptytemp]
[start explorer]
[Reboot]

[*]Then click the Run Fix button at the top
[*]Let the program run unhindered. There will be a log created when it completes that I will need in your next reply. Reboot when it is done.
[*]Then run a new scan and post a new OTL log ( don’t check the boxes beside LOP Check or Purity this time )
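The fix script above is built from OTL log lines of a few recognisable shapes: search-scope URLs pointing at an unknown host, O2 BHO and O3 toolbar entries whose CLSID no longer resolves, O33 MountPoints2 AutoRun commands on a removable drive, and hidden+system files with random-looking names under the user profile. The following Python script is an added example written for this thread (it is not part of OTL, ComboFix or the original posts): it parses lines in those formats and lists the entries a helper would typically pick out for review. The sample lines, GUIDs, SID, user name and paths are constructed for the example, and the allowlist of search hosts is an assumption that a reviewer would adjust.

```python
import re
from urllib.parse import urlparse

# Constructed sample in the OTL line formats quoted in the thread. The GUIDs, SID,
# user name and paths are made up for this example, not taken from a real machine.
SAMPLE_OTL_LINES = r"""
IE - HKLM\..\SearchScopes\{11111111-1111-1111-1111-111111111111}: "URL" = http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox
IE - HKU\S-1-5-21-1-2-3-1006\..\SearchScopes\{22222222-2222-2222-2222-222222222222}: "URL" = http://example-toolbar.invalid/search.aspx?q={searchTerms}
O2 - BHO: (Example Helper) - {33333333-3333-3333-3333-333333333333} - C:\Program Files\Example\helper.dll
O2 - BHO: (no name) - {44444444-4444-4444-4444-444444444444} - No CLSID value found.
O3 - HKU\S-1-5-21-1-2-3-1006\..\Toolbar\WebBrowser: (no name) - {55555555-5555-5555-5555-555555555555} - No CLSID value found.
O33 - MountPoints2\{66666666-6666-6666-6666-666666666666}\Shell\AutoRun\command - "" = E:\HWPcAssistant.exe
[2011/05/18 17:54:39 | 000,008,964 | -HS- | C] () -- C:\Documents and Settings\User\Local Settings\Application Data\ueu4ue45lg20w7c4ddf
[2010/03/04 18:10:08 | 000,000,000 | ---D | M] -- C:\Documents and Settings\User\Application Data\GetRightToGo
"""

# Assumed allowlist of search hosts a reviewer considers legitimate; adjust per case.
KNOWN_SEARCH_HOSTS = {"www.bing.com", "search.live.com", "www.google.com", "search.yahoo.com"}

# One regex per OTL line shape seen in the fix script.
SEARCHSCOPE_RE = re.compile(
    r'^IE - (?P<hive>HKLM|HKU\\[^\\]+)\\\.\.\\SearchScopes\\(?P<guid>\{[^}]+\}): "URL" = (?P<url>\S+)$')
BHO_RE = re.compile(
    r'^O2 - BHO: \((?P<name>.*?)\) - (?P<guid>\{[^}]+\}) - (?P<target>.+)$')
TOOLBAR_RE = re.compile(
    r'^O3 - (?P<hive>HKLM|HKU\\[^\\]+)\\\.\.\\Toolbar\\WebBrowser: \((?P<name>.*?)\) - (?P<guid>\{[^}]+\}) - (?P<target>.+)$')
MOUNT_RE = re.compile(
    r'^O33 - MountPoints2\\(?P<guid>\{[^}]+\})\\Shell\\AutoRun\\command - "" = (?P<cmd>.+)$')
FILE_RE = re.compile(
    r'^\[(?P<stamp>[\d/]+ [\d:]+) \| (?P<size>[\d,]+) \| (?P<attr>[-A-Z]{4}) \| [CM]\] (?:\([^)]*\) )?-- (?P<path>.+)$')


def triage_otl(text):
    """Return (kind, detail) findings for the suspicious line shapes, in log order."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SEARCHSCOPE_RE.match(line)
        if m:
            # A search scope whose host is not a known engine is a hijack candidate.
            host = urlparse(m.group("url")).hostname or ""
            if host not in KNOWN_SEARCH_HOSTS:
                findings.append(("search-scope", f"{m.group('hive')} {m.group('guid')} -> {host}"))
            continue
        m = BHO_RE.match(line) or TOOLBAR_RE.match(line)
        if m:
            # A BHO/toolbar registration with no resolvable CLSID is an orphan left behind.
            if m.group("target").startswith("No CLSID value found"):
                findings.append(("orphaned-addon", m.group("guid")))
            continue
        m = MOUNT_RE.match(line)
        if m:
            # Any AutoRun command bound to a mount point is worth a look on XP.
            findings.append(("autorun", m.group("cmd")))
            continue
        m = FILE_RE.match(line)
        if m:
            # Hidden+system, non-directory, extension-less file: a common dropper pattern.
            attr = m.group("attr")
            name = m.group("path").rsplit("\\", 1)[-1]
            if "H" in attr and "S" in attr and "D" not in attr and "." not in name:
                findings.append(("hidden-system-file", m.group("path")))
    return findings


if __name__ == "__main__":
    for kind, detail in triage_otl(SAMPLE_OTL_LINES):
        print(f"{kind:20} {detail}")
```

The script only reports; deciding which entries go into an OTL fix is still the helper's call, and lines that fail every regex are ignored rather than guessed at.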

I have copied the text into the custom scan portion and clicked on runfix but my system seems to be frozen. MBAM service unexpectedly terminated but the dialogue box for this is not responding and I cannot close it. OTL started the fix but now it is not responding so I guess I will reboot and try again. I had some weird activity before this also.

I did get a blue screen just recently before this. Firefox had stopped responding and it would not connect (kept getting connecting now message) so I had to go onto my netbook to visit this site and see your previous reply. I also had to save the ERUNT on a jump drive from my netbook, then went back to my laptop & closed firefox and when I plugged in the jump drive I immediately got a blue screen of death/memory dump. Windows did seem to load on reboot after about 10 seconds of black screen but when I tried to send the serious error log to microsoft I got some weird popup message with a long string not being found.

I will hopefully add the update logs as requested very soon.

I am not able to run the fix here. I copy and paste, then after I click Run Fix I get the immediate pop-up “MBAM service terminated unexpectedly, see event log for details.” Then after I click on the red X to close the box a few times, the MBAM pop-up window becomes non-responsive, and then OTL seems to hang at this point again with no action.

When I did reboot my system the 2nd time though I got a message from HitmanPro that identified OTL.exe as potential malware naming it a trojan siggen. I thought this was a false alarm but with OTL not working and hanging I am not sure what to think…

Hi,

No…OTL is not an infection so you don’t need to worry about that.

Please read through these instructions to familiarize yourself with what to expect when this tool runs.

Download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

[*]Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Note: If you are having difficulty properly disabling your protective programs, or are unsure as to what programs need to be disabled, please refer to the information available through this link : How to Disable your Security Programs

[*]Double click on ComboFix.exe & follow the prompts.

[*]As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it’s strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

[*]Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

http://img.photobucket.com/albums/v706/ried7/RCUpdate1.png

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

http://img.photobucket.com/albums/v706/ried7/RC2-1.png

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Notes:

1. Do not mouse-click ComboFix’s window while it is running. That may cause it to stall.
2. ComboFix may reset a number of Internet Explorer’s settings, including making I-E the default browser.
3. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

Yes thank you, I thought that was a false alarm on the OTL alert via hitmanpro.

I was able to run ComboFix but I don’t think my system rebooted during the process. Anyway, here is the log file.

Hi,

[*]Please open Notepad (Start → Run → type notepad in the Open field → OK) and copy and paste the text present inside the code box below:


ClearJavaCache::

Registry::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"10421:UDP"=-
"10426:UDP"=-
"5353:UDP"=-
"9322:TCP"=-

[*]Save this as CFScript.txt and change the “Save as type” to “All Files” and place it on your desktop.

http://img.photobucket.com/albums/v706/ried7/CFScriptB-4.gif

[*]Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below. They can interfere with ComboFix or remove some of its embedded files which may cause “unpredictable results”.
[*]Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
[*]ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
[*]When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix’s window while it is running. That may cause it to stall.

Run a new scan with OTL and attach the new log created along with the ComboFix log. :slight_smile:

Here is my log from ComboFix, while I am waiting on my new OTL log to finish. I was not sure, though: am I supposed to run OTL like before, copying and pasting the text box and running a custom quick scan of all users? That is what I am doing now…

OK well I have modified this post and I am modifying my other posts that I had copied all of the text into. I will upload the original combofix log as a file attachment here soon.

Wow, this is a really long log file, can I just put it in an attachment? I guess this is safer since my system is possibly infected.

UPDATE

Well, I can’t wait to trash this old computer of mine. I think I have about given up on it finally.

I have had this old Dell for ~6 years now. I think I got my $$$ worth out of it.

Here is the new OTL log that I just finished running. By the way, I noticed when I dragged the text into ComboFix that when it ran the program it wanted to update ComboFix, which I did before it ran the ComboFix scan. Thanks again for helping me out.

If you are having a problem with a log format, see the attachments link to ensure the log format you are trying to attach is one that this forum will accept, i.e., txt, jpg, gif, png, log. Some of these logs or files are in a different format than these; merely “save as” in the required format to attach.

For example, Windows Paint will automatically save a screenshot in .bmp format, save as .jpg, .gif, or .png. Main reason is the size limitation here, as you have already discovered.