Computer Help forum

General discussion

Hope someone can help me - major infection

by dustycat / January 1, 2009 4:30 AM PST

Happy New Year - I hope someone is on and can help me. I cannot get on Bleeping Computer, or Geeks, or the Trend Micro site. I was looking at the site icanhascheezburger (the funny cat caption site). I must have clicked something (or my cat did) because suddenly Pantomine and Virtumone loaded on my computer - viral pop-ups - and despite using McAfee and SB S&D I couldn't get rid of them. Nothing was working, so I did a system restore.

That seemed to work, but later the next day while closing a webpage - again on the ICHC sister site Pundit Kitchen (political humor) - I was redirected to some site. I closed it and thought nothing happened... a few minutes later a shield that looked like Microsoft's Security Center appeared in my start-up. Stupidly, I fell for it - realized it about 30 seconds later and tried to close it, but the crap was loaded - something called "anti-virus 2.7" or something like that. I did Add/Remove and removed it, ran the stupid McAfee that didn't even ask me if I wanted to download it, and ran S&D... couldn't get rid of smitfraud-c or virtumonde, and S&D kept finding microsoft.windowssecuritycenter_disabled. And since I did a system restore the day before I had no system restore points. Had to remove Spybot to restart in anything other than safe mode and load Firefox to stop the massive pop-ups on IE.

Anyone have an idea why I can't log on to Trend or other websites, yet this one loads and so do others?

Here is my HijackThis log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:26:20 PM, on 1/1/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\Program Files\McAfee\VirusScan\McShield.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\ehome\RMSvc.exe
C:\PROGRA~1\McAfee.com\Agent\mcagent.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\EarthLink TotalAccess\FastLane2\IPClient.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSRMon.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\EarthLink TotalAccess\FastLane2\IPMon32.exe
C:\Program Files\Creative\SBAudigy2ZS\Mixer\CTSVolFE.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
C:\Program Files\McAfee\McAfee QuickClean\Plguni.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\WINDOWS\ehome\RMSysTry.exe
C:\Program Files\USB Sharing\usbshare.exe

Please, I would appreciate any help. I have never had trouble with ICHC before - really, it's a clean and funny site.

thanks!
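The original poster asks why security-vendor and help sites fail to load while other sites still work. One common mechanism for that symptom (an assumption on my part; the thread never identifies the cause on this machine) is the Windows hosts file being edited to pin those domains to the loopback address. The script below is an added example, not code from the thread or from any poster or product named in it: it parses a hosts file and flags entries that override known security-related domains or that sink any non-localhost name to 127.0.0.1 or 0.0.0.0. The embedded hosts content and the watchlist of domains are constructed for the example.

```python
# Added example: audit a Windows-style hosts file for entries that could
# explain "only security sites are blocked". Assumption: the block is done
# via hosts-file overrides, which the thread does not confirm for this PC.
import ipaddress
import os
from typing import Dict, List, Tuple

# Default hosts path on Windows; on other systems the sample below is used.
WINDOWS_HOSTS = r"C:\Windows\System32\drivers\etc\hosts"

# Constructed sample hosts content (not taken from the thread).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1   www.trendmicro.com
127.0.0.1   www.bleepingcomputer.com  # constructed: unexpected override
127.0.0.1   malwarebytes.org www.malwarebytes.org
10.0.0.1    update.microsoft.com
192.168.0.1 download.cnet.com   # constructed: LAN mapping, not on watchlist
"""

# Constructed watchlist: domains a home PC should never override in hosts.
WATCHLIST = (
    "trendmicro.com", "bleepingcomputer.com", "malwarebytes.org",
    "microsoft.com", "mcafee.com", "superantispyware.com",
    "geekstogo.com", "daniweb.com",
)


def parse_hosts(text: str) -> List[Tuple[int, str, List[str]]]:
    """Return (line_no, ip, [hostnames]) for each valid non-comment line."""
    entries = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        parts = line.split()
        ip, names = parts[0], parts[1:]
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            continue  # malformed line: skip rather than guess at intent
        if names:
            entries.append((line_no, ip, names))
    return entries


def _on_watchlist(name: str) -> bool:
    """True if name equals or is a subdomain of a watchlisted domain."""
    n = name.lower().rstrip(".")
    return any(n == d or n.endswith("." + d) for d in WATCHLIST)


def find_hijacks(text: str) -> List[Dict[str, object]]:
    """Flag hosts entries that override security domains or sink names to loopback."""
    findings = []
    for line_no, ip, names in parse_hosts(text):
        addr = ipaddress.ip_address(ip)
        sinkhole = addr.is_loopback or addr.is_unspecified
        for name in names:
            if name.lower() == "localhost":
                continue  # the one loopback mapping every hosts file has
            if _on_watchlist(name):
                reason = "security-related domain overridden in hosts"
            elif sinkhole:
                reason = "non-localhost name pinned to loopback/0.0.0.0"
            else:
                continue  # e.g. a LAN host mapped to a private address
            findings.append(
                {"line": line_no, "ip": ip, "host": name, "reason": reason}
            )
    return findings


def load_hosts(path: str = WINDOWS_HOSTS) -> str:
    """Read the real hosts file if present, otherwise fall back to the sample."""
    if os.path.exists(path):
        with open(path, "r", encoding="utf-8", errors="replace") as fh:
            return fh.read()
    return SAMPLE_HOSTS


if __name__ == "__main__":
    for f in find_hijacks(load_hosts()):
        print(f"line {f['line']}: {f['ip']} -> {f['host']} ({f['reason']})")
```

Run on the sample, the script reports the five overrides of watchlisted domains and leaves the private-address LAN mapping alone; on a Windows machine it reads the live hosts file instead. A hosts file that passes this check does not rule out other blocking methods, so it is a first check rather than a verdict.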

Start with the usuals.
by R. Proffitt Forum moderator / January 1, 2009 5:15 AM PST
thanks - will try
by dustycat / January 1, 2009 5:22 AM PST
In reply to: Start with the usuals.

Can't get on the Malwarebytes site, but I was able to download it from CNET's free downloads. If it doesn't work properly I will try the flash drive "backdoor" method.

I apologise for the HJT stuff, but I can't get on any of the forums that analyze HJT - whatever virus this is blocks IE and Firefox from going to everything - Bleeping Computer, GeeksToGo, Trend, DaniWeb, everything I could find.

It's weird - amongst sites with computer/virus info, only CNET is loading.

You'll Note The Instructions Say To Use...
by Grif Thomas Forum moderator / January 1, 2009 5:50 AM PST
In reply to: thanks - will try

... a clean "friend or family member's" computer to do the Malwarebytes and SuperAntispyware downloads from. In addition, because the infection on your computer can frequently block the Malwarebytes program, please be sure to rename the files before attempting to transfer them to the problem machine and installing the program.

Hope this helps.

Grif

Been there
by generalgus / January 5, 2009 9:33 AM PST

I too have been hijacked, kidnapped, and molested by malware badguys.
But thanks to Moderator Marianna of www.cnet.com I am free.
At first it seemed to only affect my Internet Explorer.
I couldn't get to Windows Update or support sites.
Graphics stopped loading because my settings were changed.
Folder Options was gone from my toolbar, and I couldn't change folder view.
Windows "Explore all" no longer showed me everything.
If I attempt to go to a windows update site or other private vendor specializing in computer repair I get a pop up box for Local Host asking me to log into what appears to be my router. When I hit cancel, I get a page telling I am not authorized.
An attempt to get to RegEdit gives me an error message telling me I am not authorized and to contact the administrator.
I followed the directions in this thread and downloaded Malwarebytes and SuperAntiSpyware to a thumb drive on a laptop, changed the program names and installed them in the infected computer in a folder with a changed name. Changed the names of the .exe files and installed them.
I ran Malwarebytes 3 times. The first time I found 47 infected programs and removed them. Restarted and did it again. This time found 7, restarted and found 3.
Restarted and ran SuperAntiSpyware. Found 87 infections. Removed them, and again restarted computer.
It took three tries to get Windows to restart, but now I can get into regedit.
Pictures are back on the net and Windows "Explore all" works again.
Now I was able to get to the Windows Update site (once I allowed it as a trusted site) and was asked to download updates to Windows Defender.
On system restart McAfee found "Generic pup.x", file name "tdssxfum.dll".
I did not allow it to run and told it to delete it.
Opened McAfee Security Center and was able to download updates to that.
Ran McAfee AntiVirus Scan. McAfee detected and quarantined 167 items.
Ran McAfee again, this time found and quarantined 7 items.
Ran SuperAntispyware and again found hundreds of items:
227 Adware. Tracking Cookies
1 Adware.Vundo Variant/D3DX
2 Rootkit.TDSServ-trace
2 Trojan.Fake-CATSRVPS
2 Trojan.Fake-Drop/Gen
1 Trojan Smitfraud Variant-Gen/Bensorty
1 Trojan TaskDir
1 Trojan.Unclassified
Then rebooted and "Explored all", where I found a number of hidden files and temp folders. Emptied all the temp folders and temp internet folders.
I deleted all the users listed except admin.
Ran Disk Cleanup
Ran defrag
Restart
Ran SuperAntiSpyware again, found 1 tracking cookie and deleted it.
Ran Malwarebytes again, found Trojan.Agent TDSSlxwp.dll and removed it.
At this time, it appears everything is fixed.
Thanks to www.cnet.com and goddess moderator Marianna
