Spyware, Viruses, & Security forum

General discussion

crazy virus....please help

hello everybody,

i have a nasty virus the i can't seem to get rid of. hopefully somebody here will have some ideas.

here is the history. Last week i grabbed an iso of latest ubuntu through bittorrent, and i assume something nasty entered my system.

here is what happens (in no particular order or timing....very random):

1) system beeps
2) explorer (or whatever browser is default) will start opening over and over again. in some of the google searches, i see "p..,"
3) printer will sometimes print the google page
4) if i'm in a program it will automatically start 'entering' whatever i have on the screen. thus making installing, uninstalling, etc. VERY difficult.

I have Mcafee, super antispyware, spybot, and windows defender running. NONE have detected or stopped anything....even when the attack is happening.

I also did a full system reinstall of my operating system partition, and a day or so later it came back.....

if anybody wants to view the hijackthis report, please email me.

any help would be much appreciated...i'm at a loss.

-Michael

Discussion is locked
You are posting a reply to: crazy virus....please help
The posting of advertisements, profanity, or personal attacks is prohibited. Please refer to our CNET Forums policies for details. All submitted content is subject to our Terms of Use.
Track this discussion and email me when there are updates

If you're asking for technical help, please be sure to include all your system info, including operating system, model number, and any other specifics related to the problem. Also please exercise your best judgment when posting in the forums--revealing personal information such as your e-mail address, telephone number, and address is not recommended.

You are reporting the following post: crazy virus....please help
This post has been flagged and will be reviewed by our staff. Thank you for helping us maintain CNET's great community.
Sorry, there was a problem flagging this post. Please try again now or at a later time.
If you believe this post is offensive or violates the CNET Forums' Usage policies, you can report it below (this will not automatically remove the post). Once reported, our moderators will be notified and the post will be reviewed.
Collapse -
hmmm. I would start with........

In reply to: crazy virus....please help

Please perform a scan with F-secure online scanner

1. Scroll to the bottom of the page and click on "Start Scanning"
You may receive an alert on the address bar at this point to install the ActiveX control, please do so.
2. After installed, click on Accept on the license agreement.
3. Click "Full System Scan" to download the scanning components and begin scan and cleaning.
4. When the scan completes, click the "I want to decide item by item" button.
5. For each item found, Select "Disinfect" and click "Next".


Please perform a scan with TrendMicro Housecall

Watch the Address bar in IE. You may receive alerts that "This site might require the following ActiveX control...Click here to install...". Click on that alert and then Click Install ActiveX component.

1. Under "Scan your PC", please click "Scan now. It's free!".
2. Then under ?Continue with your free scan? click on ?Launch Housecall Free Scan?.
A new window will open.
3. Read and put a Check next to "Yes, I accept the Terms of Use".
4. Click the "Launch HouseCall" button.
**If Java support is disabled on your system''' or no Java runtime environment is installed, click on the link in the red box to download and install Java or enable Java.
5. Next, click on "Starting HouseCall". Please be patient while Housecall downloads necessary components. You may receive a Security Warning " Do you want to install this software? Name: hcImpl.cab Publisher: Trend Micro..." Click Run when prompted.

Please be patient while Housecall downloads necessary components. You may receive a Security Warning about the TrendMicro Java applet and asking if you want to run it Click "Yes" when prompted.

Again please be patient while Trend Micro HouseCall is updated or installed. This can take some time especially if you are using a dial-up connection.

7. Under "'''Scan complete computer for malware, grayware, and vulnerabilities'''" click the "Next>>" button. It will download the latest scan engine and pattern files. When the definitions have been downloaded, the scan will start. Once the scan is complete, it will take you to the summary page.
8. Once done, it will take you to the ?Results page? In the ?cleanup options? select the first dial button "Clean all detected infections automatically".
9. Click the "Clean now>>" button.
10. When presented with a notification "According to your instructions, all detected infections were cleaned...", click "OK".

Please download Malwarebytes Anti-Malware or alternate download link

* Make sure you are connected to the Internet.
* Double-click on Download_mbam-setup.exe to install the application.
* When the installation begins, follow the prompts and do not make any changes to default settings.
* When installation has finished, make sure you leave both of these checked:
* - Update Malwarebytes' Anti-Malware
* - Launch Malwarebytes' Anti-Malware
* Then click Finish.
* MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
* If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.

* On the Scanner tab:
* - Make sure the "Perform Quick Acan" option is selected.
* - Then click on the Scan button.
* The next screen will ask you to select the drives to scan. Leave all the drives selected and click on the Start Scan button.
* The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
* When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
* Click OK to close the message box and continue with the removal process.
* Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
* Make sure that everything is checked, and click Remove Selected.
* When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
* The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.

* -- Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

**If you encounter this message:"c:\program files\malwarebytes' Anti-Malware\mbamext.dll Unable to register the dll/ocx: RegSvr32 failed with exit code 0x5" Click on ignore mbamext.dll

Did the scans find anything ?

Collapse -
hacker

In reply to: hmmm. I would start with........

definitely think this is a hacker.....any idea how to block this?

i run mcafee and have my netgear router pretty tight.

any suggestions on anti-hacker software?

-Michael

Collapse -
Hackers gain access to your computer ......

In reply to: hacker

Collapse -
see how it goes

In reply to: Hackers gain access to your computer ......

some windows are still opening randomly, but i'm going through the disabling File Sharing and Clients for Microsoft Networks initially.

i have also changed my Mcafee Firewaall status to Stealth (one away form lockdown).

i'll go through this website.

thanks again...and any other monitoring software,etc. please let me know.

thank you.

-MIchael

Collapse -
BlackICE PC Protection for Desktops

In reply to: see how it goes

BUT......... is NOT free!

BlackICE PC Protection is Powerful and Easy-to-Use

BlackICE teams a personal firewall with an advanced intrusion detection system to constantly watch your Internet connection for suspicious behavior.

BlackICE PC Protection now features Application Protection, an exciting new feature designed to shield your PCs, laptops and workstations from hijack by an attacker, and protects you from Trojan horse applications, worms and other destructive threats.

BlackICE's Application Protection quickly and invisibly defeats dangerous programs that attackers deliver through instant messaging, email, or even your Web browser! BlackICE stops these destructive programs before they do harm-like damaging your PC or launching email attacks against your friends and co-workers.

BlackICE automatically detects and blocks attacks through a comprehensive inspection of all inbound and outbound information to your computer. And BlackICE PC Protection is constantly working to secure your dial-up, DSL, and cable modem from hackers 24 hours a day, every day of the year.

http://www.virus-scan-software.com/firewall-software/black-ice-defender.shtml

Collapse -
not hacker...something else

In reply to: BlackICE PC Protection for Desktops

well i locked down the entire system, and it still happened. I immediately captured the Hijackthis report DURING the activity.

here goes:

------------------------------------------------------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:11:01 PM, on 7/30/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
D:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\SiteAdvisor\6261\SAService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\SiteAdvisor\6261\SiteAdv.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
D:\Program Files\HP\HP Software Update\HPWuSchd2.exe
D:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\ctfmon.exe
D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\TerraTec\DMX 6fire\DMX6Fire.exe
D:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
D:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
c:\PROGRA~1\mcafee\msc\mcuimgr.exe
c:\PROGRA~1\mcafee\msc\mcshell.exe
C:\Program Files\Windows Media Player\wmplayer.exe
D:\Program Files\PSPad editor\PSPad.exe
D:\xampp\xampp-control.exe
D:\xampp\apache\bin\apache.exe
D:\xampp\apache\bin\apache.exe
D:\xampp\mysql\bin\mysqld-nt.exe
D:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6261\SiteAdv.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6261\SiteAdv.dll
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [SiteAdvisor] "C:\Program Files\SiteAdvisor\6261\SiteAdv.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [HP Software Update] D:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Windows Defender] "D:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: OpenOffice.org 2.4.lnk = D:\Program Files\OpenOffice.org 2.4\program\quickstart.exe
O4 - Startup: WinMySQLadmin.lnk = D:\xampp\mysql\bin\winmysqladmin.exe
O4 - Global Startup: DMX 6fire 2496 ControlPanel.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = D:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {54BE6B6F-3056-470B-97E1-BB92E051B6C4} (DeviceEnum Class) - http://h20264.www2.hp.com/ediags/dd/install/HPDriverDiagnosticsxp2k.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-secure.com/ols/fscax.cab
O20 - Winlogon Notify: !SASWinLogon - D:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Apache2.2 - Apache Software Foundation - D:\xampp\apache\bin\apache.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: MySql - Unknown owner - D:/xampp/mysql/bin/mysqld-nt.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6261\SAService.exe

--
End of file - 6843 bytes
------------------------------------------------

thanks,

-Michael

Collapse -
Strange........

In reply to: not hacker...something else

.....as there is nothing unusual in your log.

I see you have TeaTimer.exe running. As you perhaps know, TeaTimer is a new tool of Spybot S&D - spam filter which perpetually monitors the processes called/initiated. It immediately detects known malicious processes wanting to start and terminates them giving you some options, how to deal with this process in the future.

Did it ever "warn" you?

Only to have "peace of mind" - download and run Malwarebytes Anti-Malware and let me know IF it finds anything.

Popular Forums

icon
Computer Newbies 10,686 discussions
icon
Computer Help 54,365 discussions
icon
Laptops 21,181 discussions
icon
Networking & Wireless 16,313 discussions
icon
Phones 17,137 discussions
icon
Security 31,287 discussions
icon
TVs & Home Theaters 22,101 discussions
icon
Windows 7 8,164 discussions
icon
Windows 10 2,657 discussions

SMART HOME

This one tip will help you sleep better tonight

A few seconds are all you need to get a better night's rest.