Tech Support Guy Forums > Security & Malware Removal > Malware Removal & HijackThis Logs >
Solved: I downloaded something very sneaky


Yonce, Member with 82 posts. Join Date: Dec 2004. Experience: Intermediate.
09-May-2008, 04:09 AM, #1
I'm running XP Home on a Dell Dimension 2400.

I think my registry or something has been changed. While I was running a video conversion program, I saw a small window open briefly that said "personal settings changed"; this happened 3 or 4 times.

The first thing I did was disable my network connection. I tried to do a system restore, but it was frozen. Now my computer hiccups every 10 seconds, the desktop icons disappear, all windows close and a warning window comes up that says:

"Windows - No Disc
Exception Processing Message c0000013 parameters 75b6bf9c 4 75b6bf9c 75b6bf9c"

The hiccup happens until the computer freezes and I have to force a restart by holding the tower button.

My system restore got turned off, my remote access got turned on.

I removed the program I had installed.

Here's a HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:58:27 AM, on 5/9/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\userinit.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\imapi.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [DellMCM] "C:\Program Files\Dell Photo AIO Printer 942\memcard.exe"
O4 - HKLM\..\Run: [Dell Photo AIO Printer 942] "C:\Program Files\Dell Photo AIO Printer 942\dlbubmgr.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-21-329068152-412668190-725345543-1004\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User '?')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/wind...?1191824283877
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL

--
End of file - 2429 bytes

I noticed, looking at the processes, that imapi kept restarting even if I shut it down.

Any help here on the road to recovery would be appreciated.
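As an added illustration, not part of the original thread and not a HijackThis feature: the Python script below parses a log in this format into its running-process list and its O-line entries, lists the O4 autostart (Run key) commands, and flags any process whose file name matches a core Windows binary but which runs from outside C:\WINDOWS. The sample log is constructed from lines of the log above plus the `C:\Program Files\Common Files\svchost.exe` path that Malwarebytes reports later in this thread; the list of binary names to check is this example's own assumption.

```python
import re
from typing import List, NamedTuple, Tuple

# Core Windows binaries that on a default XP install live only under
# C:\WINDOWS or C:\WINDOWS\system32. A copy elsewhere deserves a closer look.
# This list is an assumption made for the example, not HijackThis data.
SYSTEM_BINARIES = {"smss.exe", "winlogon.exe", "services.exe", "lsass.exe",
                   "svchost.exe", "userinit.exe", "explorer.exe", "ctfmon.exe"}

ENTRY_RE = re.compile(r"^(O\d+) - (.*)$")
RUN_RE = re.compile(r"^(HKLM|HKCU|HKUS\\[^\\]+)\\\.\.\\Run: \[([^\]]*)\] (.*)$")


class HjtEntry(NamedTuple):
    code: str    # section code such as "O4"
    detail: str  # rest of the line


def parse_hjt(text: str) -> Tuple[List[str], List[HjtEntry]]:
    """Split a HijackThis log into its running-process list and its O-lines."""
    processes: List[str] = []
    entries: List[HjtEntry] = []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "Running processes:":
            section = "processes"
            continue
        m = ENTRY_RE.match(line)
        if m:
            section = "entries"
            entries.append(HjtEntry(m.group(1), m.group(2)))
        elif section == "processes" and re.match(r"^[A-Za-z]:\\", line):
            processes.append(line)
    return processes, entries


def in_windows_dir(path: str) -> bool:
    return path.lower().startswith("c:\\windows\\")


def suspicious_processes(processes: List[str]) -> List[str]:
    """System-binary names running from outside the Windows directory."""
    out = []
    for p in processes:
        name = p.rsplit("\\", 1)[-1].lower()
        if name in SYSTEM_BINARIES and not in_windows_dir(p):
            out.append(p)
    return out


def run_keys(entries: List[HjtEntry]) -> List[Tuple[str, str, str]]:
    """(hive, value name, command) for every O4 autostart entry."""
    out = []
    for e in entries:
        if e.code == "O4":
            m = RUN_RE.match(e.detail)
            if m:
                out.append((m.group(1), m.group(2), m.group(3)))
    return out


def triage(text: str) -> dict:
    procs, ents = parse_hjt(text)
    return {"process_count": len(procs),
            "suspicious": suspicious_processes(procs),
            "run_keys": run_keys(ents)}


# Constructed sample: a few lines taken from the log above, plus the
# C:\Program Files\Common Files\svchost.exe path that Malwarebytes reports
# later in this thread.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\svchost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-21-329068152-412668190-725345543-1004\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User '?')
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
"""

if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Run it as a script to print the summary. A name such as svchost.exe belongs under C:\WINDOWS\system32, so a copy under Program Files is exactly the kind of entry a helper looks at first, while the legitimate entries from the Windows directory are left alone.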
cybertech, Moderator with 55,962 posts. Join Date: Apr 2002. Location: Washington State.
09-May-2008, 02:15 PM, #2
Why do you not have any anti-virus program running on this machine?
Yonce, Member with 82 posts. Join Date: Dec 2004. Experience: Intermediate.
09-May-2008, 04:24 PM, #3
Because I thought I was smarter than I was. Need help. Yes, it's my fault.
cybertech, Moderator with 55,962 posts. Join Date: Apr 2002. Location: Washington State.
09-May-2008, 04:45 PM, #4
Load AVG; it's free.

Please download Malwarebytes Anti-Malware from Here or Here
Double-click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform Quick Scan, then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy the entire report and paste it in your next reply with a new HijackThis log.
Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.
__________________
Microsoft MVP/Windows - Consumer Security
Yonce, Member with 82 posts. Join Date: Dec 2004. Experience: Intermediate.
11-May-2008, 12:54 AM, #5
Thank you. Things seem to have cleared up, but all of my network connections have disappeared.

A warning box came up and said to make sure my network services are turned on.

Here is the log:

Malwarebytes' Anti-Malware 1.12
Database version: 722

Scan type: Quick Scan
Objects scanned: 36894
Time elapsed: 4 minute(s), 2 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 2
Registry Keys Infected: 7
Registry Values Infected: 1
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 8

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\xxyApPgh.dll (Trojan.Vundo) -> Unloaded module successfully.
C:\WINDOWS\system32\opnmlmjI.dll (Trojan.Vundo) -> Unloaded module successfully.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{a1e2f2d8-13eb-4e2a-8e0c-45926697f5c6} (Trojan.Vundo) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{a1e2f2d8-13eb-4e2a-8e0c-45926697f5c6} (Trojan.Vundo) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{dd4a65c7-61d7-445f-bcf1-5065f765eaf9} (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{dd4a65c7-61d7-445f-bcf1-5065f765eaf9} (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\opnmlmji (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{dd4a65c7-61d7-445f-bcf1-5065f765eaf9} (Trojan.Vundo) -> Delete on reboot.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\xxyappgh -> Delete on reboot.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Authentication Packages (Backdoor.Agent) -> Data: c:\windows\system32\xxyappgh -> Delete on reboot.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\xxyApPgh.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\hgPpAyxx.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\hgPpAyxx.ini2 (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\opnmlmjI.dll (Trojan.Vundo) -> Delete on reboot.
C:\Documents and Settings\NEW GUEST\Application Data\addon.dat (Malware.Trace) -> Quarantined and deleted successfully.
C:\Documents and Settings\Guest\Application Data\addon.dat (Malware.Trace) -> Quarantined and deleted successfully.
C:\Documents and Settings\Eric\Application Data\addon.dat (Malware.Trace) -> Quarantined and deleted successfully.
C:\Program Files\Common Files\svchost.exe (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.
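To read a report like this one more systematically, here is an added Python example (not Malwarebytes code and not from the original thread) that parses the per-section lines of an MBAM log into records, counts detections by family, lists every item still marked "Delete on reboot", and labels the registry hits that are known Windows autostart or DLL-loading points (Browser Helper Objects, Winlogon\Notify, ShellExecuteHooks, LSA Authentication Packages). The sample is a constructed subset of the log above, with the line-wrapped key names joined back together, and the mechanism labels are the example's own.

```python
import re
from collections import Counter
from typing import Dict, List, NamedTuple, Optional, Tuple


class Detection(NamedTuple):
    section: str         # e.g. "Registry Keys Infected"
    item: str            # path, key, or value name
    family: str          # e.g. "Trojan.Vundo"
    data: Optional[str]  # value data, only for "Registry Data Items"
    action: str          # e.g. "Delete on reboot"


ITEM_RE = re.compile(r"^(?P<item>.+?) \((?P<family>[^()]+)\) -> (?P<rest>.+)$")

# Registry locations that load a DLL at logon or into a system process; an
# entry here keeps the infection alive across reboots until it is removed.
# The labels are this example's own, based on well-known Windows autostart points.
PERSISTENCE: List[Tuple[str, str]] = [
    ("Browser Helper Objects", "IE Browser Helper Object (DLL loaded by iexplore.exe)"),
    ("Winlogon\\Notify", "Winlogon notification package (DLL loaded by winlogon.exe)"),
    ("ShellExecuteHooks", "Shell execute hook (DLL loaded by explorer.exe)"),
    ("Authentication Packages", "LSA authentication package (DLL loaded by lsass.exe)"),
]


def parse_mbam(text: str) -> List[Detection]:
    """Turn the per-section item lines of an MBAM log into Detection records."""
    records: List[Detection] = []
    section: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith(" Infected:"):   # section header (the count lines end in a number)
            section = line[:-1]
            continue
        if section is None or line.startswith("(No malicious"):
            continue
        m = ITEM_RE.match(line)
        if not m:
            continue
        parts = m.group("rest").split(" -> ")
        action = parts[-1].rstrip(".")
        data = parts[0][len("Data: "):] if len(parts) > 1 and parts[0].startswith("Data: ") else None
        records.append(Detection(section, m.group("item"), m.group("family"), data, action))
    return records


def persistence_points(records: List[Detection]) -> List[Tuple[str, str]]:
    """(mechanism label, registry item) for each hit in a known autostart location."""
    hits = []
    for r in records:
        if not r.section.startswith("Registry"):
            continue
        for needle, label in PERSISTENCE:
            if needle.lower() in r.item.lower():
                hits.append((label, r.item))
                break
    return hits


def summarize(text: str) -> Dict[str, object]:
    recs = parse_mbam(text)
    return {
        "total": len(recs),
        "by_family": dict(Counter(r.family for r in recs)),
        "pending_reboot": [r.item for r in recs if r.action == "Delete on reboot"],
        "persistence": persistence_points(recs),
    }


# Constructed sample: a subset of the log above.
SAMPLE_LOG = r"""
Malwarebytes' Anti-Malware 1.12
Memory Modules Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\xxyApPgh.dll (Trojan.Vundo) -> Unloaded module successfully.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{a1e2f2d8-13eb-4e2a-8e0c-45926697f5c6} (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\opnmlmji (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{dd4a65c7-61d7-445f-bcf1-5065f765eaf9} (Trojan.Vundo) -> Delete on reboot.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\xxyappgh -> Delete on reboot.

Files Infected:
C:\WINDOWS\system32\xxyApPgh.dll (Trojan.Vundo) -> Delete on reboot.
C:\Documents and Settings\Eric\Application Data\addon.dat (Malware.Trace) -> Quarantined and deleted successfully.
C:\Program Files\Common Files\svchost.exe (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.
"""

if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

The pending_reboot list is the practical takeaway: those entries are only removed when the machine restarts, so a log with items in that state describes a machine that is not yet clean, which is why the instructions above say to restart immediately when prompted.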
Yonce, Member with 82 posts. Join Date: Dec 2004. Experience: Intermediate.
11-May-2008, 01:41 AM, #6
The exact warning box dialog follows:

"The Network Connections Folder was unable to retrieve the list of Network adapters on your machine.
Please make sure that the Network Connections service is enabled and running."

It looks like a lot of my services are disabled.

Services screenshot attached.
Attached Files
File Type: zip Services.5.10.08.zip (353.9 KB, 4 views)
Yonce, Member with 82 posts. Join Date: Dec 2004. Experience: Intermediate.
12-May-2008, 12:15 AM, #7
I changed the ones I thought I needed to 'Automatic'; things seem good. Thank you for the help.
Installing AVG tonight.
Worth another donation; thank you kindly again.
cybertech, Moderator with 55,962 posts. Join Date: Apr 2002. Location: Washington State.
12-May-2008, 01:05 PM, #8

You're welcome!
Copyright © 1996 - 2008 TechGuy, Inc. All rights reserved.