Please Help-Urgent Suffering with VIRUSES

Post by rohit3312 on 27th December 2008, 8:28 am

This is my first query after joining this forum.
So, I need all your valuable advice and suggestions for virus and related severe network connectivity issues.

Issues: Explorer hanging and crashing; CPU usage always showing about 90-100%; IE and Mozilla also hanging very frequently.
The system is also lagging significantly in performance.
**The worst part is that during these times all the settings of the CORPORATE ANTIVIRUS protection and updates are disabled and SET to READ ONLY.
It also severely affects network connectivity, like losing domain and workgroup memberships, internet connections, the router page not opening at all, etc.

I am sorry for writing so much, mainly because the issues and symptoms were not restricted to only 1 virus but to different combinations, which is why it's been a mess.

It has been a very bad experience with viruses: after some time the network & security admin people had to format and clean install 3 times in the past 1 month, as the OS started giving severe issues that would in turn affect the network in general. This has really put me into security issues with my company's policies, and it also wasted a huge amount of my work time. I am really frustrated and I really worry about what would happen next, as viruses have affected it again. It's really a mess.

I use my company's Dell laptop, which is loaded with WinXP Pro + SP2. This is installed as an image bundled with other customized utilities.
Antivirus: corporate edition of Trend Office Scan, latest 8.0, and its entire suite, including Rootkit, etc.

Steps I took: I have been told that Trend Office gives real-time protection and hence I would never face any issues. But, unluckily, I have seen that for some viruses like PAK_GENERIC it gives a virus found alert but the quarantine fails.
So, next I go to the virus location and do a SHIFT+DELETE of all items reported. But this does not solve all problems, because I still get security alert mails for the same virus later on, which means it's still left behind.
Next time, I restart and everything is changed. Can't start TREND OFFICE SCAN, nor its related services; all disabled, etc.
Once it even removed my USER profile and so I couldn't log in to any DOMAIN.

I did a Google search for virus removal steps but haven't been very successful. I don't install ANY OTHER ANTIVIRUS PROGRAM because, as far as I know, 2 active antivirus programs would usually conflict, and, more importantly, we can't uninstall/deactivate/remove corporately provided specified SOFTWARE as per our official policies.

Also, I fear that my IP connections have also been HIJACKED, as twice I found different MAC addresses other than my PC's in the router configuration and I couldn't remove them.
The only option was to do a hard reset and set the router to default settings. (I have both wired and wireless networks at home.)
The WIRELESS NETWORK is properly encrypted with passwords.

(1) I have attached a Word document with images of all the recent settings on my MACHINE for ANTIVIRUS, etc.
(2) I have attached the latest HIJACKTHIS log below.

Still, in addition, I have the full version of Spybot and it does identify certain things, but it's still clear that I am infected.
*****************************
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:55:18 PM, on 12/26/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ngvpnmgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program \Common \Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program \SigmaTel\C-Major Audio\WDM\StacSV.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\system32\CCM\CcmExec.exe
C:\WINDOWS\Explorer.EXE
C:\Program \DellTPad\Apoint.exe
C:\Program \ (x86)\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Program \Microsoft Office Communicator\Communicator.exe
C:\Program \Messenger\msmsgs.exe
C:\Program \DellTPad\ApMsgFwd.exe
C:\Program \DellTPad\HidFind.exe
C:\Program \DellTPad\Apntex.exe
C:\Program \Internet Explorer\iexplore.exe
C:\WINDOWS\system32\mmc.exe
C:\Program \Internet Explorer\iexplore.exe
C:\Program \Internet Explorer\iexplore.exe
C:\Program \Internet Explorer\iexplore.exe
C:\WINDOWS\system32\mstsc.exe
C:\WINDOWS\system32\mstsc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program \Trend Micro\OfficeScan Client\PccNTMon.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system32\notepad.exe
C:\Program \Citrix\ICA Client\pn.exe
C:\Program \Microsoft Office\OFFICE11\WINWORD.EXE
C:\PROGRA~1\MICROS~2\OFFICE11\OUTLOOK.EXE
C:\Program \Microsoft Office\OFFICE11\EXCEL.EXE
C:\Documents and Settings\mp010668.\Desktop\RootkitRevealer.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program \Trend Micro\OfficeScan Client\pccnt.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\pchealth\helpctr\binaries\helpctr.exe
C:\WINDOWS\PCHealth\HelpCtr\Binaries\HelpSvc.exe
C:\WINDOWS\PCHealth\HelpCtr\Binaries\HelpHost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\SearchProtocolHost.exe


R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [You must be registered and logged in to see this link.]
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program \Common \Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program \Java\jre1.6.0_01\bin\ssv.dll
O4 - HKLM\..\Run: [Apoint] C:\Program \DellTPad\Apoint.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [PDVDDXSrv] "C:\Program \ (x86)\CyberLink\PowerDVD DX\PDVDDXSrv.exe"
O4 - HKCU\..\Run: [Communicator] "c:\Program \Microsoft Office Communicator\Communicator.exe" /silentRetrials /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program \Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AdobeUpdater] "C:\Program \Common \Adobe\Updater5\AdobeUpdater.exe"
O4 - HKCU\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil9e.exe
O4 - HKUS\S-1-5-19\..\Run: [Communicator] "C:\Program \Microsoft Office Communicator\Communicator.exe" (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Communicator] "C:\Program \Microsoft Office Communicator\Communicator.exe" (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [Communicator] "C:\Program \Microsoft Office Communicator\Communicator.exe" (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Communicator] "C:\Program \Microsoft Office Communicator\Communicator.exe" (User 'Default user')
O4 - Global Startup: Bluetooth Manager.lnk = ?
O4 - Global Startup: Windows Desktop Search.lnk = C:\Program \Windows Desktop Search\WindowsSearch.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - [You must be registered and logged in to see this link.]
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program \Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program \Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @C:\Program \Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program \Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @C:\Program \Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program \Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://how.you.are//
O16 - DPF: {00134F72-5284-44F7-95A8-52A619F70751} (ObjWinNTCheck Class) - http:officescan/console/html/ClientInstall/WinNTChk.cab
O16 - DPF: {08D75BB0-D2B5-11D1-88FC-0080C859833B} (OfficeScan Corp Edition Web-Deployment SetupINICtrl Class) - officescan/console/html/ClientInstall/setupini.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - [You must be registered and logged in to see this link.]
O16 - DPF: {35C3D91E-401A-4E45-88A5-F3B32CD72DF4} (Encrypt Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {5EFE8CB1-D095-11D1-88FC-0080C859833B} (OfficeScan Corp Edition Web-Deployment ObjRemoveCtrl Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {B2FC031D-8C74-46AE-8042-BCF4FC03C1EF} (Loader Class v4) - [You must be registered and logged in to see this link.]
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain =
O17 - HKLM\Software\..\Telephony: DomainName =
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain =
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain =
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain =
O23 - Service: IXJZDFOH - Sysinternals - [You must be registered and logged in to see this link.] - C:\DOCUME~1\LOCALS~1\Temp\IXJZDFOH.exe
O23 - Service: Aventail VPN Client (NgVpnMgr) - Aventail Corporation - C:\WINDOWS\system32\ngvpnmgr.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\Program \SigmaTel\C-Major Audio\WDM\StacSV.exe

--
End of file - 7533 bytes
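As an added triage aid, not part of the original post or of HijackThis itself, the following Python script parses lines in the HijackThis v2 format shown above and applies a few defender heuristics to them; the sample lines are constructed in that format and the list of expected reset-page hosts is an assumption.

```python
import re

# Constructed sample in HijackThis v2 log format (modelled on, not copied from, the post above).
SAMPLE_LOG = """\
O14 - IERESET.INF: START_PAGE_URL=http://how.you.are//
O17 - HKLM\\System\\CCS\\Services\\Tcpip\\Parameters: Domain =
O23 - Service: IXJZDFOH - Sysinternals - C:\\DOCUME~1\\LOCALS~1\\Temp\\IXJZDFOH.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\\WINDOWS\\system32\\nvsvc32.exe
"""

# Every entry line starts with a section code (R0, O4, O23, ...) followed by " - ".
ENTRY_RE = re.compile(r"^(?P<type>[RFO]\d+) - (?P<body>.*)$")
# Hosts a stock Internet Explorer reset page is expected to point at (assumed allow-list).
EXPECTED_RESET_HOSTS = ("microsoft.com", "msn.com")

def parse_hjt(text):
    """Return a list of (section_code, body) tuples for every entry line in the log."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("type"), m.group("body")))
    return entries

def triage(entries):
    """Apply three review heuristics and return one human-readable finding per hit."""
    findings = []
    for etype, body in entries:
        if etype == "O23":
            # Body is "Service: Name (Short) - Company - Path"; the path is the last " - " field.
            path = body.rsplit(" - ", 1)[-1]
            if re.search(r"\\temp\\", path, re.IGNORECASE):
                findings.append(f"O23 service runs from a Temp directory: {path}")
        elif etype == "O14":
            m = re.search(r"START_PAGE_URL=(\S+)", body)
            if m:
                host = re.sub(r"^https?://", "", m.group(1)).split("/")[0].lower()
                if not host.endswith(EXPECTED_RESET_HOSTS):
                    findings.append(f"O14 IE reset page points at a non-Microsoft host: {host}")
        elif etype == "O17" and body.rstrip().endswith("Domain ="):
            findings.append("O17 TCP/IP domain suffix is empty; compare with the expected domain join")
    return findings

if __name__ == "__main__":
    for finding in triage(parse_hjt(SAMPLE_LOG)):
        print(finding)
```

Sysinternals RootkitRevealer, which appears in the running-process list above, installs a randomly named copy of itself as a temporary service while it scans, so an O23 hit of that shape has to be cross-checked against the process list and the scan time before it is treated as an infection.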

Re: Please Help-Urgent Suffering with VIRUSES

Post by Belahzur on 27th December 2008, 1:35 pm

Please download and run this tool.

Download Malwarebytes' Anti-Malware from [You must be registered and logged in to see this link.]

Double Click mbam-setup.exe to install the application.

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.


Post the contents of the MBAM Log.


Re: Please Help-Urgent Suffering with VIRUSES

Post by Doctor Inferno on 8th February 2009, 9:31 am

Due to lack of feedback, this topic is closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter.

Everyone else, please open a new topic for your questions.

