I need help!!

Unread postby frosty90 » April 17th, 2008, 8:24 am

I've had some problems (severe problems!) with what I suspected to be the 'Virtumonde trojan'. I cannot run any anti-spyware programs (the result is a blue screen of death), I get constant ad popups, my antivirus program detects multiple 'viruses' and deletes them but this has no effect, when attempting to start Windows in safe mode I get a blue screen of death, all internet browsers will only load pages if the address is typed in directly (no links or searches), and Firefox doesn't work at all! I've found out about ComboFix and ran it, and it seemed to fix most of the problems, except I still get a blue screen when I run an anti-spyware program (Ad-Aware 2007) or try to boot in safe mode. Here is my ComboFix log:
Thanks in advance for any help!

ComboFix 08-04-16.5 - Administrator 2008-04-17 21:12:48.1 - NTFSx86
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
* Resident AV is active

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\Helper
C:\WINDOWS\cookies.ini
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\21724.exe
C:\WINDOWS\system32\byXRhEWm.dll
C:\WINDOWS\system32\dsafhsln.ini
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\mWEhRXyb.ini
C:\WINDOWS\system32\mWEhRXyb.ini2
C:\WINDOWS\system32\nlshfasd.dll
C:\WINDOWS\system32\vjmodadn.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_NPF


((((((((((((((((((((((((( Files Created from 2008-03-17 to 2008-04-17 )))))))))))))))))))))))))))))))
.

2008-04-17 17:09 . 2008-04-17 17:09 <DIR> d-------- C:\Program Files\Trend Micro
2008-04-17 17:01 . 2008-04-17 17:01 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
2008-04-17 16:19 . 2008-04-17 16:19 <DIR> d-------- C:\Program Files\Yahoo!
2008-04-16 16:19 . 2008-04-16 16:19 <DIR> d-------- C:\VundoFix Backups
2008-04-16 12:43 . 2008-04-17 16:19 <DIR> d-------- C:\Program Files\CCleaner
2008-04-16 11:23 . 2008-04-17 00:14 1,603,615 ---hs---- C:\WINDOWS\system32\srosvtdw.ini
2008-04-16 11:21 . 2008-04-17 21:07 101,178 --a------ C:\WINDOWS\BMc7a4b362.xml
2008-04-15 20:02 . 2008-04-15 20:02 117 --a------ C:\WINDOWS\system32\61a49.exe
2008-04-15 19:54 . 2008-04-15 19:54 117 --a------ C:\WINDOWS\system32\19c56ef.exe
2008-04-15 19:53 . 2008-04-15 19:53 55,218 --a------ C:\WINDOWS\qaszpurn.sys
2008-04-15 19:53 . 2008-04-15 19:53 117 --a------ C:\WINDOWS\system32\19c2d1d.exe
2008-04-15 19:52 . 2008-04-15 19:52 95,744 --a------ C:\WINDOWS\mrofinu1535.exe
2008-04-15 19:17 . 2008-04-15 19:17 <DIR> d-------- C:\Program Files\TryMedia
2008-04-15 19:11 . 2008-04-15 19:11 <DIR> d-------- C:\Program Files\Team17
2008-04-01 15:48 . 2008-04-01 15:48 <DIR> d-------- C:\Program Files\Sun
2008-03-27 18:41 . 2008-03-27 18:41 <DIR> d--h----- C:\WINDOWS\PIF

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-17 10:26 --------- d-----w C:\Program Files\Download Manager
2008-04-17 08:49 --------- d-----w C:\Program Files\Google
2008-04-16 14:12 --------- d-----w C:\Program Files\eMule
2008-04-05 12:03 --------- d-----w C:\Program Files\DivX
2008-04-01 06:47 --------- d-----w C:\Program Files\Java
2008-03-14 12:07 --------- d-----w C:\Program Files\Power Audio Recorder
2008-03-14 11:56 --------- d-----w C:\Program Files\WMR11
2008-03-14 11:55 --------- d-----w C:\Program Files\Trainz Downloader Pro
2008-03-14 11:54 --------- d-----w C:\Program Files\RipCast 1.9
2008-03-14 11:27 23,616 ----a-w C:\WINDOWS\system32\drivers\nchssvad.sys
2008-03-14 11:27 --------- d-----w C:\Documents and Settings\Administrator\Application Data\NCH Swift Sound
2008-02-28 02:30 --------- d-----w C:\Program Files\ESET
2008-02-28 02:20 --------- d-----w C:\Program Files\SigScribe4
2008-02-28 02:20 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Move Networks
2008-02-28 02:10 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-02-28 02:08 --------- d-----w C:\Program Files\Lavasoft
2008-02-28 02:06 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-02-27 05:27 --------- d-----w C:\Documents and Settings\Administrator\Application Data\BitTorrent
2008-01-26 05:29 86,016 ----a-w C:\WINDOWS\DUMP813f.tmp
2007-10-21 07:38 40,616 ----a-w C:\Documents and Settings\Administrator\Application Data\GDIPFONTCACHEV1.DAT
2007-09-19 12:46 604 ---ha-w C:\Program Files\STLL Notifier
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\mlJBRHaw]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\Program Files\\eMule\\emule.exe"=
"C:\\Program Files\\SimSig\\Drain.exe"=
"C:\\Program Files\\SimSig\\Westbury.exe"=
"C:\\Program Files\\SimSig\\Peterborough.exe"=
"C:\\Program Files\\SimSig\\Swindon.exe"=
"C:\\WINDOWS\\Explorer.exe"= C:\\WINDOWS\\Explorer.EXE
"C:\\WINDOWS\\system32\\taskmgr.exe"=
"C:\\WINDOWS\\system32\\wscntfy.exe"=
"C:\\Program Files\\ESET\\ESET NOD32 Antivirus\\egui.exe"=
"C:\\WINDOWS\\system32\\ctfmon.exe"=
"C:\\Program Files\\Sibelius Software\\Sibelius 4\\Sibelius.exe"=
"c:\\program files\\auran\\trs2006\\bin\\launcher.exe"=
"C:\\Program Files\\Auran\\TRS2006\\TRS2006.exe"=
"c:\\program files\\auran\\trs2006\\bin\\trainz.exe"=
"C:\\WINDOWS\\system32\\Rundll32.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"4664:TCP"= 4664:TCP:emule
"4672:UDP"= 4672:UDP:emule

R1 epfwtdir;epfwtdir;C:\WINDOWS\system32\DRIVERS\epfwtdir.sys [2007-12-21 08:21]
S3 DNINDIS5;DNINDIS5 NDIS Protocol Driver;C:\PROGRA~1\Belkin\BELKIN~1.11G\DNINDIS5.SYS [2003-07-24 12:10]
S3 wmi_mfc_tpshoker_80;WMI_MFC_TPSHOKER_80;C:\WINDOWS\system32\drivers\mjingp.sys []

.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-17 21:23:36
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\ati2evxx.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
.
**************************************************************************
.
Completion time: 2008-04-17 21:33:42 - machine was rebooted [Administrator]
ComboFix-quarantined-files.txt 2008-04-17 12:03:29

Pre-Run: 4,173,520,896 bytes free
Post-Run: 4,149,456,896 bytes free
.
2008-04-12 14:09:28 --- E O F ---
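The log above is what a helper triages before writing back: recently created files in system32 with random-looking or hex-looking names, a tiny "executable" of 117 bytes, a hidden+system .ini in system32, a Winlogon Notify entry ComboFix would not print if it were a default, and a driver whose file ComboFix could not stat (the empty `[]` after mjingp.sys). The script below is an added example, not code from the forum, its helpers or ComboFix: it parses those three line shapes from an embedded excerpt of the posted log and flags the tells. The regexes, the vowel-ratio and size thresholds, and the reason strings are this example's own assumptions, so every hit is a candidate to verify against the installed-program list the helper asks for, not a verdict.

```python
"""Triage a ComboFix-style log: parse the sections a helper reads first and
flag entries with Vundo-style tells. Heuristic only: a hit is a candidate."""
import re
from collections import defaultdict, namedtuple

Finding = namedtuple("Finding", "path reason")

# Constructed sample: an excerpt of the log posted above, embedded so this runs offline.
SAMPLE_LOG = r"""
((((((((((((((((((((((((( Files Created from 2008-03-17 to 2008-04-17 )))))))))))))))))))))))))))))))
.
2008-04-17 17:09 . 2008-04-17 17:09 <DIR> d-------- C:\Program Files\Trend Micro
2008-04-16 11:23 . 2008-04-17 00:14 1,603,615 ---hs---- C:\WINDOWS\system32\srosvtdw.ini
2008-04-15 20:02 . 2008-04-15 20:02 117 --a------ C:\WINDOWS\system32\61a49.exe
2008-04-15 19:53 . 2008-04-15 19:53 55,218 --a------ C:\WINDOWS\qaszpurn.sys
2008-04-15 19:52 . 2008-04-15 19:52 95,744 --a------ C:\WINDOWS\mrofinu1535.exe

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\mlJBRHaw]

R1 epfwtdir;epfwtdir;C:\WINDOWS\system32\DRIVERS\epfwtdir.sys [2007-12-21 08:21]
S3 wmi_mfc_tpshoker_80;WMI_MFC_TPSHOKER_80;C:\WINDOWS\system32\drivers\mjingp.sys []
"""

# Line shapes as they appear in the posted log (these regexes are the example's own).
FILE_RE = re.compile(
    r"^(?P<ctime>\d{4}-\d\d-\d\d \d\d:\d\d) \. (?P<mtime>\d{4}-\d\d-\d\d \d\d:\d\d)\s+"
    r"(?P<size><DIR>|[\d,]+)\s+(?P<attrs>[-a-z]{9})\s+(?P<path>.+)$")
DRIVER_RE = re.compile(
    r"^(?P<start>[RS]\d) (?P<name>[^;]+);(?P<display>[^;]*);(?P<path>.+?) \[(?P<stamp>[^\]]*)\]$")
NOTIFY_RE = re.compile(
    r"^\[hkey_local_machine\\software\\microsoft\\windows nt\\currentversion\\winlogon\\notify\\"
    r"(?P<name>[^\]]+)\]$", re.IGNORECASE)

VOWELS = set("aeiou")
SYSTEM32 = "c:\\windows\\system32\\"


def stem_of(path):
    """File name without directory or extension."""
    name = path.rsplit("\\", 1)[-1]
    return name.rsplit(".", 1)[0] if "." in name else name


def name_reason(stem):
    """Why a name looks machine-generated, or None. Assumed thresholds: a hex-only
    stem with digits, or an alphabetic stem of 6+ letters where at most a quarter
    are vowels. Legitimate names occasionally trip the vowel rule."""
    if len(stem) >= 5 and re.fullmatch(r"[0-9a-f]+", stem) and any(c.isdigit() for c in stem):
        return "hex-looking name"
    if stem.isalpha() and len(stem) >= 6:
        if sum(c.lower() in VOWELS for c in stem) / len(stem) <= 0.25:
            return "random-looking name (few vowels)"
    return None


def file_reasons(m):
    """Tells for one 'Files Created' line: tiny PE, hidden+system in system32, odd name."""
    if m["size"] == "<DIR>":
        return []
    reasons = []
    low = m["path"].lower()
    name = low.rsplit("\\", 1)[-1]
    ext = name.rsplit(".", 1)[-1] if "." in name else ""
    size = int(m["size"].replace(",", ""))
    if ext in ("exe", "dll", "sys") and size < 1024:   # a 117-byte .exe is not a real PE
        reasons.append("tiny %s (%d bytes)" % (ext, size))
    if "h" in m["attrs"] and "s" in m["attrs"] and low.startswith(SYSTEM32):
        reasons.append("hidden+system attributes set")
    r = name_reason(stem_of(m["path"]))
    if r:
        reasons.append(r)
    return reasons


def triage(log_text):
    """Walk the log line by line and collect (path, reason) findings."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = FILE_RE.match(line)
        if m:
            findings += [Finding(m["path"], r) for r in file_reasons(m)]
            continue
        m = DRIVER_RE.match(line)
        if m:
            if not m["stamp"].strip():   # ComboFix prints [] when it cannot stat the file
                findings.append(Finding(m["path"], "driver '%s' has no file timestamp" % m["name"]))
            r = name_reason(stem_of(m["path"]))
            if r:
                findings.append(Finding(m["path"], r))
            continue
        m = NOTIFY_RE.match(line)
        if m:   # defaults are suppressed in the log, so anything listed is non-default
            findings.append(Finding("Winlogon\\Notify\\" + m["name"], "non-default Winlogon Notify entry"))
    return findings


def summarize(findings):
    """Group reasons by path for review."""
    grouped = defaultdict(list)
    for f in findings:
        grouped[f.path].append(f.reason)
    return dict(grouped)


if __name__ == "__main__":
    for path, reasons in summarize(triage(SAMPLE_LOG)).items():
        print(path, "->", "; ".join(reasons))
```

Running it on the excerpt lists 61a49.exe (tiny, hex name), srosvtdw.ini (hidden+system, random name), qaszpurn.sys and mjingp.sys (random names, the latter also with no timestamp) and the mlJBRHaw Notify entry, while the Trend Micro directory and mrofinu1535.exe pass. The ESET driver epfwtdir.sys also trips the vowel rule, which is the point of keeping this a review list: a timestamped file under a vendor path that matches the installed-program list is cleared by hand, the rest goes into the fix script.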

Re: I need help!!

Unread postby Katana » April 19th, 2008, 5:35 pm

Please note that all instructions given are customised for this computer only, the tools used may cause damage if used on a computer with different infections.

If you think you have similar problems, please post a log in the HJT forum and wait for help.


Unless I am informed in advance, failure to post replies within 5 days will result in this thread being closed.

Hello and welcome to the forums

My name is Katana and I will be helping you to remove any infection(s) that you may have.

Please observe these rules while we work:
1. If you don't know, stop and ask! Don't keep going on.
2. Please reply to this thread. Do not start a new topic.
3. Please continue to respond until I give you the "All Clear"
(Just because you can't see a problem doesn't mean it isn't there)

If you can do those three things, everything should go smoothly :D

----------------------------------------------------------------------------------------

Click here to download HJTinstall.exe
  • Save HJTinstall.exe to your desktop.
  • Double click on the HJTinstall.exe icon on your desktop.
  • By default it will install to C:\Program Files\Trend Micro\Hijack This.
  • Click I accept
  • Click on the Do a system scan and save a log file button. It will scan and then ask you to save the log.
  • Click Save to save the log file and then the log will open in notepad.
  • Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
  • Come back here to this thread and Paste the log in your next reply.
  • DO NOT have Hijack This fix anything yet. Most of what it finds will be harmless or even required.



Installed Programs

Please could you give me a list of the programs that are installed.
  • Start HijackThis
  • Click on the Misc Tools button
  • Click on the Open Uninstall Manager button. You will see a list of the programs installed on your computer.
  • Click on the Save list button and specify where you would like to save this file.
  • When you press the Save button, Notepad will open with the contents of that file.
  • Simply copy and paste the contents of that Notepad window into your next post.

Re: I need help!!

Unread postby Simon V. » April 26th, 2008, 4:22 pm

Due to lack of response, this topic is now closed.

If you still need help open a new thread in the Malware Removal forum and wait for a new helper.

If you have been helped and wish to donate to help with the costs of this volunteer site, please read Donations For Malware Removal