×
INTELLIGENT WORK FORUMS
FOR COMPUTER PROFESSIONALS

Log In

Come Join Us!

Are you a
Computer / IT professional?
Join Tek-Tips Forums!
  • Talk With Other Members
  • Be Notified Of Responses
    To Your Posts
  • Keyword Search
  • One-Click Access To Your
    Favorite Forums
  • Automated Signatures
    On Your Posts
  • Best Of All, It's Free!
  • Students Click Here

*Tek-Tips's functionality depends on members receiving e-mail. By joining you are opting in to receive e-mail.

Posting Guidelines

Promoting, selling, recruiting, coursework and thesis posting is forbidden.

Students Click Here

Jobs

Hijacked by Virus/Worm

Hijacked by Virus/Worm

Hijacked by Virus/Worm

(OP)
Hello,

I can't stay on my machine 10 minutes before it will open another tab and bring to a site trying to sell me something. I have used AVG ,Spybot and MalwareBytes to no avail. I then used the recovery cd thinking that would get rid of it, but was later told the recovery doesn't reformat, it just bring you back to the default operating stage.

I did this in safe mode and it keeps coming back. It happens in both Firefox and IE.

Any help would be great appreciated. Thanks

RE: Hijacked by Virus/Worm

I should have said "safe mode with networking" so that you can have internet access because combofix wants to download and install the Microsoft Recovery Console if it's not already installed and thus it must be downloaded.

If you're using wireless and you don't get internet with Safe Mode with Networking, you'll have to go with regular mode.

RE: Hijacked by Virus/Worm

Quote (geeknerd):

I then used the recovery cd

See reference on different types of recovery media:
http://vlaurie.com/computers2/Articles/recovery_disk.htm

That one looked interesting, anyway.

But in the short of it, as you found out:
Recovery disk = basically a system repair disk.  It will allow you to access your previous restore points, if you have any.

Restore disk = take you back to whenever it was created - if you created, then back to when you made it.  If it came with the computer, then it would take you back to store settings or "out of the box settings".

Another type of recover/restoration can be accessed without a disk.  Oftentimes, the manufacturer will include a recovery partition on the system, which will allow you to get you system back to "out of the box" settings sometimes in as little as 10 or 15 minutes... or at least I've seen some that fast, it may not always be that fast.  To access this, you'll have a specific key combination to press upon booting the machine.

Regardless, post your results from the aforementioned programs, and let us know how it goes.

RE: Hijacked by Virus/Worm

(OP)
Ok, going to try what you guys recommended tonight and post the results.Thanks

RE: Hijacked by Virus/Worm

(OP)
Here's the Combofix data -


c:\windows\system32\Thumbs.db
.
.
\\.\PhysicalDrive0 - Bootkit TDL4 was found and disinfected
.
(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_ITLPERF
-------\Service_itlperf
.
.
(((((((((((((((((((((((((   Files Created from 2011-02-15 to 2011-03-15  )))))))))))))))))))))))))))))))
.
.
2011-03-15 18:27 . 2004-08-04 07:08    26496    -c--a-w-    c:\windows\system32\dllcache\usbstor.sys
2011-03-14 12:49 . 2011-03-14 12:49    --------    d-----w-    c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2011-03-14 12:48 . 2011-03-14 12:49    --------    d-----w-    c:\program files\SUPERAntiSpyware
2011-03-13 11:13 . 2011-03-13 11:13    --------    d-sh--w-    c:\documents and settings\NetworkService\IETldCache
2011-03-13 11:04 . 2011-03-13 11:04    --------    d-sh--w-    c:\documents and settings\LocalService\IETldCache
2011-03-13 10:50 . 2011-03-13 10:50    --------    d--h--w-    c:\documents and settings\All Users\Application Data\Common Files
2011-03-13 10:40 . 2009-01-08 02:21    26144    ----a-w-    c:\windows\system32\spupdsvc.exe
2011-03-13 10:39 . 2011-03-13 10:48    --------    dc-h--w-    c:\windows\ie8
2011-03-13 10:34 . 2004-08-17 11:21    87168    ----a-w-    c:\windows\system32\drivers\drvmcdb.sys
2011-03-13 10:34 . 2004-07-14 10:56    40448    ----a-w-    c:\windows\system32\drivers\drvnddm.sys
2011-03-13 10:34 . 2011-03-14 05:20    --------    d-----w-    c:\windows\system32\dla
2011-03-13 10:34 . 2004-08-03 09:05    98358    ----a-w-    c:\windows\dla.exe
2011-03-13 10:34 . 2004-08-03 09:05    61498    ----a-w-    c:\windows\system32\tfswapi.dll
2011-03-13 10:34 . 2004-07-14 19:29    5627    ----a-w-    c:\windows\system32\drivers\sscdbhk5.sys
2011-03-13 10:34 . 2004-07-14 19:28    23545    ----a-w-    c:\windows\system32\drivers\ssrtln.sys
2011-03-13 10:34 . 2004-02-26 18:34    110592    ----a-w-    c:\windows\system32\ArcSpl.ax
2011-03-13 10:34 . 2004-02-23 02:01    48128    ----a-w-    c:\windows\system32\mpgvideo.ax
2011-03-13 10:34 . 2004-02-23 02:01    192512    ----a-w-    c:\windows\system32\AdavVideoDec.dll
2011-03-13 10:34 . 2003-12-18 17:03    47616    ----a-w-    c:\windows\system32\mpgaudio.ax
2011-03-13 10:34 . 2003-12-18 17:03    126976    ----a-w-    c:\windows\system32\AdavAudioDec.dll
2011-03-13 10:30 . 1995-08-01 12:44    212480    ----a-w-    c:\windows\PCDLIB32.DLL
2011-03-13 10:30 . 2002-09-29 18:56    139264    ----a-w-    c:\windows\system32\PhotoBase Screen Saver.scr
2011-03-13 10:30 . 2011-03-13 10:30    --------    d-----w-    c:\program files\ArcSoft
2011-03-13 10:12 . 2011-03-15 18:36    --------    d-----w-    c:\documents and settings\All Users\Application Data\AVG10
2011-03-13 10:11 . 2011-03-13 10:11    --------    d-----w-    c:\program files\AVG
2011-03-13 09:58 . 2011-03-13 10:11    --------    d-----w-    c:\documents and settings\All Users\Application Data\MFAData
2011-03-13 09:34 . 2011-03-13 09:34    --------    d-----w-    c:\documents and settings\All Users\Application Data\Malwarebytes
2011-03-13 09:34 . 2010-12-21 02:09    38224    ----a-w-    c:\windows\system32\drivers\mbamswissarmy.sys
2011-03-13 09:34 . 2011-03-13 09:34    --------    d-----w-    c:\program files\Malwarebytes' Anti-Malware
2011-03-13 09:34 . 2010-12-21 02:08    20952    ----a-w-    c:\windows\system32\drivers\mbam.sys
2011-03-13 09:31 . 2011-03-13 09:31    --------    d-----w-    c:\program files\SymNetDrv
2011-03-13 08:19 . 2011-03-15 18:35    --------    d-----w-    c:\documents and settings\uentin
2011-03-13 08:18 . 2004-11-16 06:07    --------    d-----w-    c:\windows\system32\config\systemprofile\Application Data\InterVideo
2011-03-13 08:18 . 2004-11-16 05:44    --------    d-----w-    c:\windows\system32\config\systemprofile\Application Data\AOL
2011-03-13 08:18 . 2004-11-16 05:30    --------    d-----w-    c:\windows\system32\config\systemprofile\Application Data\You've Got Pictures Screensaver
2011-03-13 08:18 . 2004-11-16 05:22    --------    d-----w-    c:\windows\system32\config\systemprofile\Application Data\InterTrust
2011-03-13 08:18 . 2004-11-16 05:07    --------    d-----w-    c:\windows\system32\config\systemprofile\Application Data\Symantec
2011-03-13 08:18 . 2004-11-16 04:32    --------    d-----w-    c:\windows\system32\config\systemprofile\Application Data\Intuit
2011-03-13 08:18 . 2004-11-16 03:57    --------    d-----w-    c:\windows\system32\config\systemprofile\WINDOWS
2011-03-13 08:18 . 2001-04-04 09:31    --------    d-----w-    c:\windows\system32\config\systemprofile\Application Data\toshiba
2011-03-13 08:18 . 2011-03-13 08:18    --------    d-----w-    c:\windows\system32\config\systemprofile\Application Data\Intel
2011-03-13 08:17 . 2011-03-13 08:17    17119    ----a-w-    c:\windows\system32\drivers\AegisP.sys
2011-03-13 08:17 . 2011-03-13 08:17    --------    d-----w-    c:\documents and settings\All Users\Application Data\Intel
2011-03-13 08:16 . 2004-12-08 15:44    458752    ----a-w-    c:\windows\system32\w29NCPA.dll
2011-03-13 08:16 . 2004-12-08 15:44    3222784    ----a-w-    c:\windows\system32\drivers\w29n51.sys
2011-03-13 08:15 . 2004-12-08 15:44    1654784    ----a-w-    c:\windows\system32\W29MLRES.DLL
2011-03-13 08:15 . 2004-11-16 03:57    --------    d-----w-    c:\documents and settings\Default User\WINDOWS
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2003-08-27 22:19 . 2004-11-16 04:31    36963    ----a-r-    c:\program files\Common Files\SM1updtr.dll
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TOSCDSPD"="c:\program files\TOSHIBA\TOSCDSPD\toscdspd.exe" [2003-09-05 65536]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2011-02-18 2423752]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2004-10-08 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2004-10-08 126976]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2004-10-14 98394]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2004-10-14 688218]
"THotkey"="c:\program files\Toshiba\Toshiba Applet\thotkey.exe" [2004-12-15 368640]
"NDSTray.exe"="NDSTray.exe" [BU]
"LtMoh"="c:\program files\ltmoh\Ltmoh.exe" [2003-09-06 184320]
"AGRSMMSG"="AGRSMMSG.exe" [2004-10-28 88363]
"SmoothView"="c:\program files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe" [2004-09-15 135168]
"Tvs"="c:\program files\Toshiba\Tvs\TvsTray.exe" [2004-11-13 73728]
"SoundMAXPnP"="c:\program files\Analog Devices\SoundMAX\SMax4PNP.exe" [2004-07-27 1388544]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-08-03 122939]
"TFncKy"="TFncKy.exe" [BU]
"TPSMain"="TPSMain.exe" [2004-08-27 278528]
"PadTouch"="c:\program files\TOSHIBA\Touch and Launch\PadExe.exe" [2004-09-07 1077301]
"Pinger"="c:\toshiba\ivp\ism\pinger.exe" [2004-11-03 147456]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2004-10-15 385024]
"EOUApp"="c:\program files\Intel\Wireless\Bin\EOUWiz.exe" [2004-10-15 356352]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2004-11-16 98304]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
RAMASST.lnk - c:\windows\system32\RAMASST.exe [2004-12-7 155648]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21    548352    ----a-w-    c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
2004-10-15 19:27    110592    ----a-w-    c:\program files\Intel\Wireless\Bin\LgNotify.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\TOSHIBA\\ivp\\NetInt\\Netint.exe"=
"c:\\TOSHIBA\\Ivp\\ISM\\pinger.exe"= c:\\TOSHIBA\\IVP\\ISM\\pinger.exe
.
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 10:25 AM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 10:41 AM 67656]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
itlsvc    REG_MULTI_SZ       itlperf
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.chesscafe.com/
uInternet Connection Wizard,ShellNext = hxxp://toolbar.google.com/done
IE: &Google Search - c:\program files\Google\GoogleToolbar1.dll/cmsearch.html
IE: Backward Links - c:\program files\Google\GoogleToolbar1.dll/cmbacklinks.html
IE: Cached Snapshot of Page - c:\program files\Google\GoogleToolbar1.dll/cmcache.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Similar Pages - c:\program files\Google\GoogleToolbar1.dll/cmsimilar.html
IE: Translate into English - c:\program files\Google\GoogleToolbar1.dll/cmtrans.html
FF - ProfilePath - c:\documents and settings\uentin\Application Data\Mozilla\Firefox\Profiles\7vd88vbh.default\
FF - prefs.js: network.proxy.type - 1
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
Notify-itlntfy - itlnfw32.dll
AddRemove-whitesmoketoolbar - c:\program files\whitesmoketoolbar\uninstall.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-03-15 10:58
Windows 5.1.2600 Service Pack 2 NTFS
.
scanning hidden processes ...  
.
scanning hidden autostart entries ...
.
scanning hidden files ...  
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(988)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\program files\Intel\Wireless\Bin\LgNotify.dll
.
- - - - - - - > 'explorer.exe'(2724)
c:\windows\system32\SynTPFcs.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\TPwrCfg.DLL
c:\windows\system32\TPwrReg.dll
c:\windows\system32\TPSTrace.DLL
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Intel\Wireless\Bin\ZcfgSvc.exe
c:\progra~1\Intel\Wireless\Bin\1XConfig.exe
c:\program files\TOSHIBA\ConfigFree\NDSTray.exe
c:\windows\AGRSMMSG.exe
c:\windows\system32\TPSMain.exe
c:\windows\system32\TPSBattM.exe
c:\program files\TOSHIBA\ConfigFree\CFSvcs.exe
c:\windows\system32\DVDRAMSV.exe
c:\program files\Intel\Wireless\Bin\OProtSvc.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\program files\Analog Devices\SoundMAX\SMAgent.exe
c:\toshiba\IVP\swupdate\swupdtmr.exe
c:\program files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
c:\windows\system32\wdfmgr.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2011-03-15  11:00:45 - machine was rebooted
ComboFix-quarantined-files.txt  2011-03-15 19:00
.
Pre-Run: 92,824,227,840 bytes free
Post-Run: 92,877,041,664 bytes free
.
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
.
- - End Of File - - B9730990EA2B3E511737B5A64F2FDADD
 

RE: Hijacked by Virus/Worm

Well - does it boot now and run normally???

RE: Hijacked by Virus/Worm

(OP)
LOL....I guess I should have posted that, eh ? Yes, it is working good so far. Thanks guys/gals for all your help. This site is simply incredible.

Goombawaho, the drinks are on me buddy :)

RE: Hijacked by Virus/Worm

The site it OK - the minds are great (some of them).  Glad it's working for you.  By the way, I only recommend that as a last resort because it kind of does what it wants to do and once in a while it will render a computer non-bootable.

But, that would be rarely.  Still, don't recommend it as a first step.  The ones you listed are first step programs to cure what ails you.

RE: Hijacked by Virus/Worm

and the rest of us are now wondering, which of us dosent come into Goo's

Quote:

the minds are great (some of them).  
list?
smile

Steve: N.M.N.F.
If something is popular, it must be wrong: Mark Twain

RE: Hijacked by Virus/Worm

Goomb's just a wee bit quick with words, I s'ppose.  wink

Frankly, the reason I've hung around tt this long is for the very fact that the vast majority of individuals are here for real genuine purposes:
1. To Learn
2. To Teach
3. To Learn through teaching others
4. To Learn through challenging one's own mind to solve other's technical issues.

I've seen this throughout LOTS of different technical categories, myself... both in helping, being helped, and seeing others helped.

Now I shall case my ramblings. smile

I know all too well how it is to be new to a product or new to a forum or group of sorts, and get the feeling that you're not part of the "in" crowd, and therefore your chances of learning anything are next to null.  So, I always end up sticking with tek-tips.

No site is perfect, nor will any group of individuals be perfect.  Why?  Because no person is perfect.

But at least here, the general membership for the most part avoids profanity (big plus) and sticks to the topics (another big plus).

Another thing I like about this place?  When you do see ads, they are technical-related ads, not pervert oriented ads that can come up in so many other discussion forums, including those which are supposed to be geared towards technical issues.
 

RE: Hijacked by Virus/Worm

"But at least here, the general membership for the most part avoids profanity (big plus) and sticks to the topics (another big plus)."
You would be flagged and your post "edited for content" pretty quickly if you were a true troll or a curse-monger.

I have no lists - good or bad.  What I meant was that most people on here have perfectly good intentions and many have consistently good advice.  I've just seen some dubious posts, so, like everything else - buyer beware.  But, since it's a free forum and you're not paying anything, be even more wary of what advice you buy into.

It's sort of like web sites.  There are some that I trust to be a good source of technical information on a regular basis.  Other hits when you're googling a problem may be anything from junk to a virus hot spot.  Just be careful what you try.

The other thing is that I've seen people trying to solve complex problems with servers and key systems without having two inches of technical depth.  Would I try to service my furnace??  No, because I don't want to get CO poisoning!

RE: Hijacked by Virus/Worm

Quote:

It's sort of like websites.  There are some that I trust to be a good source... Other hits .. anything from junk..
What? Wait.  Everything on the Internet isn't true?!?!?!
SHOCKED

RE: Hijacked by Virus/Worm

Quote:

know all too well how it is to be new to a product or new to a forum or group of sorts, and get the feeling that you're not part of the "in" crowd, and therefore your chances of learning anything are next to null.  So, I always end up sticking with tek-tips.

I liked that statement. It is very true. I have been a member here since 2001 and have always felt accepted and I usually get an answer to whatever problem I am having. I used to provide some answers, too, but I haven't kept up with newer technology as much as others, so I don't post as much as I used to. I can remember running into the 'in-crowd' syndrome on some linux sites in the past. I use Google a lot on problems and read Tek-Tips daily. I learn something every time I come here.
 

Jim

 

RE: Hijacked by Virus/Worm

I guess the whole reason I said the line about "the minds are great (some of them)" was that at one point, I started to notice this new guy posting lots of answers.  They shall remain unnamed, but let's just say that their answers were very poor if not dangerous in some cases.

Reminded me of the old Windows 95 scam where they told you to look in a certain folder and if there was a "file xyz" you were infected and needed to delete that file.

RE: Hijacked by Virus/Worm

And then there's the fact that over the years solutions have been collected for things you would have to search for for weeks. I'm a groupie.  

RE: Hijacked by Virus/Worm

I honestly didn't understand that last comment - tired? stupid?  (Me, not you).

Red Flag This Post

Please let us know here why this post is inappropriate. Reasons such as off-topic, duplicates, flames, illegal, vulgar, or students posting their homework.

Red Flag Submitted

Thank you for helping keep Tek-Tips Forums free from inappropriate posts.
The Tek-Tips staff will check this out and take appropriate action.

Reply To This Thread

Posting in the Tek-Tips forums is a member-only feature.

Click Here to join Tek-Tips and talk with other members! Already a Member? Login

Close Box

Join Tek-Tips® Today!

Join your peers on the Internet's largest technical computer professional community.
It's easy to join and it's free.

Here's Why Members Love Tek-Tips Forums:

Register now while it's still free!

Already a member? Close this window and log in.

Join Us             Close