Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

Please help I can't get my pc sorted!

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

Please help I can't get my pc sorted!

Unread postby jollycity » November 9th, 2005, 3:56 pm

Logfile of HijackThis v1.99.1
Scan saved at 19:50:29, on 09/11/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wincntrl.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Alan\Desktop\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.mcfc.co.uk/
O2 - BHO: MSEvents Object - {B313D637-F405-4052-AC37-E2119AB3C8F8} - C:\WINDOWS\System32\rqrqp.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMe ... loader.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: App Management - C:\WINDOWS\system32\lvrq0995e.dll
O20 - Winlogon Notify: gebby - C:\WINDOWS\SYSTEM32\gebby.dll
O20 - Winlogon Notify: rqrqp - C:\WINDOWS\System32\rqrqp.dll
O23 - Service: MS Dns Service (WinNet) - Unknown owner - C:\WINDOWS\system32\wincntrl.exe
jollycity
Active Member
 
Posts: 3
Joined: November 9th, 2005, 3:54 pm
Advertisement
Register to Remove

Unread postby Mat2 » November 9th, 2005, 4:03 pm

Image

Welcome to the forum. I am checking your log now and will return as soon as I have researched all the items.

While we are working together, please ....
  • Reply to this thread. Do not start a new topic.
  • If you are unsure of what to do, stop and ask! Don't keep going on.
  • Be patient. HijackThis logs take some time to research.

Please note the following:
  • I will be working on your Malware issues: This may or may not, solve other issues you may have with your machine.
  • The fixes are specific to your problem and should only be used for this issue on this machine.
  • Please continue to review my answers until I tell you your machine is clear. (Absence of symptoms does not mean that everything is clear.)
  • The process may take considerable time.
User avatar
Mat2
Retired Graduate
 
Posts: 1003
Joined: May 29th, 2005, 4:41 am
Location: Behind The Server

Unread postby jollycity » November 9th, 2005, 4:12 pm

THanks very much for your help
jollycity
Active Member
 
Posts: 3
Joined: November 9th, 2005, 3:54 pm

Unread postby Kimberly » November 10th, 2005, 2:36 pm

Hi jollycity,

Your computer is very seriously infected and I will assist you from this point if you don't mind.

First off all, you need to be informed that your computer might be seriously compromised, you have a trojan of the Rbot/Sbot family, below is a general description of this family. You must be aware that if you have a system that has been completely compromised, the only thing you can do is to flatten the system (reformat the system disk) and rebuild it from scratch (reinstall Windows and your applications)

Backdoor.Rbot is a family of Trojan programs for Windows, which offer the user remote access to victim machines. The Trojans are controlled via IRC, and have the following functions:

  • monitor networks for interesting data packets (i.e. those containing passwords to FTP servers, and e-payment systems such as PayPal etc.)
  • scan networks for machines which have unpatched common vulnerabilties (RPC DCOM, UPnP, WebDAV and others); for machines infected by Trojan programs (Backdoor.Optix, Backdoor.NetDevil, Backdoor.SubSeven and others) and by the Trojan components of worms (I-Worm.Mydoom, I-Worm.Bagle); for machines with weak system passwords
  • conduct DoS attacks
  • launch SOCKS and HTTP servers on infected machines
  • send the user of the program detailed information about the victim machine, including passwords to a range of computer games
Evidence in your log:
O23 - Service: MS Dns Service (WinNet) - Unknown owner - C:\WINDOWS\system32\wincntrl.exe

I would like to have more information about the Rbot variant present on your machine in order to find out what exactly could have been changed to your security settings and more precise info about what could have been compromised. With this type of infection you may have a rootkit on your computer also. Can you please perform the following:

Make sure that you can see hidden files.
  1. Click Start.
  2. Click My Computer.
  3. Select the Tools menu and click Folder Options.
  4. Select the View Tab.
  5. Under the Hidden files and folders heading select Show hidden files and folders.
  6. Uncheck the Hide protected operating system files (recommended) option.
  7. Click Yes to confirm.
  8. Uncheck the Hide file extensions for known file types.
  9. Click OK.
______________________________

Submit the file C:\WINDOWS\system32\wincntrl.exe to Jotti's scanner at:
http://virusscan.jotti.org/ Post the results here in the next reply.

Perform the same at http://www.virustotal.com/xhtml/index_en.html and post the results.

You also have a Look2Me infection and a Vundo infection which both attract a wide range of other malware / spyware.

IMHO, You need to disconnect this PC from the internet and from your network if it is on a network. Use it as less a possible.

What is a backdoor or remote access trojan?
Read this article.
Danger: Remote Access Trojans
http://www.microsoft.com/technet/securi ... usrat.mspx

Can you please post the results of the virus scanner and a new Hijackthis log please since this malware changes very fast especially when you reboot.

Kim
User avatar
Kimberly
MRU Teacher Emeritus
 
Posts: 3505
Joined: June 15th, 2005, 12:57 am

Unread postby jollycity » November 11th, 2005, 4:18 am

Thank you for your support.

Having read your comments, I decided to do a reformat and clean install. I had only just done this recently but the trojan must have got in before I got my firewall set up.

Thanks again, everything is running fine now
jollycity
Active Member
 
Posts: 3
Joined: November 9th, 2005, 3:54 pm

Unread postby Kimberly » November 11th, 2005, 11:42 am

Hello jollycity,

Congratulations, that is a very wise decision you made. It's always possible to remove the Trojan of course but you are never sure of the damage that has been made. I hate to tell people that a reinstall may be the best solution, but believe me; it really is under certain circumstances.

May I recommend that you stay disconnected from internet as long as possible when you install your OS, it usually takes only 12 minutes to infect an unprotected system. :(

Below are a few tips to keep you computer clean and secure:

Windows, Internet Explorer and Microsoft Office Updates

Visit Microsoft's Windows Update Site frequently. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

If you are running Microsoft Office, or any application of it, go to the Microsoft's Office Update site and make sure you have at least all the critical updates installed.

Make your Internet Explorer more secure
  1. From within Internet Explorer click on the Tools menu and then click on Options.
  2. Click on the Security tab
  3. Click the Internet icon so it becomes highlighted.
  4. Click on Default Level and click Ok
  5. Click on the Custom Level button.
    • Change the Download signed ActiveX controls to Prompt
    • Change the Download unsigned ActiveX controls to Disable
    • Change the Initialise and script ActiveX controls not marked as safe to Disable
    • Change the Installation of desktop items to Prompt
    • Change the Launching programs and files in an IFRAME to Prompt
    • Change the Navigate sub-frames across different domains to Prompt
    • When all these settings have been made, click on the OK button.
    • If it prompts you as to whether or not you want to save the settings, press the Yes button.
  6. Next press the Apply button and then the OK to exit the Internet Properties page.
Additional information is available in the following KB article:
Resources for using Internet Explorer 6

Download and install the following free programs
  • SpywareBlaster
    SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.
    You can download SpywareBlaster here
    A tutorial can be found here
  • SpywareGuard
    It provides a degree of real-time protection solution against spyware that is a great addition to SpywareBlaster's protection method. An anti-virus program scans files before you open them and prevents execution if a virus is detected - SpywareGuard does the same thing, but for spyware. And you can easily have an anti-virus program running alongside SpywareGuard. It also features Download Protection and Browser Hijacking Protection.
    You can download SpywareGuard here
    A tutorial can be found here
  • IE-SPYAD
    IE-SPYAD puts over 5000 sites in your restricted zone, so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all. It basically prevents any downloads, cookies, scripts from the sites listed, although you will still be able to connect to the sites.
    You can download IE-SPYAD here
    A tutorial can be found here
  • Hosts File
    A Hosts file replaces your current HOSTS file with one containing well known ad, spyware sites etc. Basically, this prevents your coputer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer.
    A tutorial tutorial can be found here
    • MVPS Hosts File
      You can download the MVPS Hosts File here
      Furthermore the website contains useful tips and links to other resources and utilities.
    • Bluetack's Hosts File and Hosts Manager
      Essentially based on the research made by Webhelper, Andrew Clover and Eric L. Howes, it contains most if not all the known spyware sites, sites responsible for hijacks, rogue apllications etc...
      Download Bluetack's Hosts file here
      Download Bluetack's Hosts Manager here
Install Spyware Detection and Removal Programs
  • Ad-Aware
    It scans for known spyware on your computer. These scans should be run at least once every two weeks.
    You can download Ad-Aware here
    A tutorial can be found here
  • Spybot - Search & Destroy
    It scans for spyware and other malicious programs. Spybot has preventitive tools that stop programs from even installing on your computer.
    You can download Spybot - S&D here
    A tutorial can be found here
Before adding any other Spyware Detection and Removal programs always check the Rogue Anti-Spyware List for programs known to be misleading, mistaken, or just outright "Foistware".
You will find the list here

Use an AntiVirus Software

It is very important that your computer has an anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future. See the link below for a listing of some online & their stand-alone antivirus programs.
Computer Safety On line - Anti-Virus
http://www.malwareremoval.com/forum/viewtopic.php?p=53#53

Update your Anti Virus Software

It is imperative that you update your Anti virus software at least once a week (Even more if you wish). If you do not update your anti virus software then it will not be able to catch any of the new variants that may come out.

Use a Firewall

I can not stress how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. Simply using a Firewall in its default configuration can lower your risk greatly. For an article on Firewalls and a listing of some available ones see the link below.
Computer Safety On line - Software Firewalls
http://www.malwareremoval.com/forum/viewtopic.php?p=56#56
A tutorial on Understanding and Using Firewalls can be found here

For more information about Spyware, the tools available, and other informative material, including information on how you may have been infected in the first place, please check out this link.

Good luck jollycity, and thanks for coming to our forums for help with your security and malware issues.
User avatar
Kimberly
MRU Teacher Emeritus
 
Posts: 3505
Joined: June 15th, 2005, 12:57 am

Unread postby NonSuch » November 17th, 2005, 3:45 am

Glad we could be of assistance.

This topic is now closed. If you wish it reopened, please send us an email to 'admin at malwareremoval.com' with a link to your thread.

You can help support this site from this link :
Donations For Malware Removal

Do not bother contacting us if you are not the topic starter. A valid, working link to the closed topic is required along with the user name used. If the user name does not match the one in the thread linked, the email will be deleted.
User avatar
NonSuch
Administrator
Administrator
 
Posts: 27225
Joined: February 23rd, 2005, 7:08 am
Location: California
Advertisement
Register to Remove


Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: No registered users and 33 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware