TechSpot

Malware found / Downloader.VB.akq (Plus Windows Validation?)

By rjbeals
Aug 18, 2006
  1. I've been through the whole How to remove Begin2Search / CoolWebSearch.... and went through the steps in order and carefully. After a boot up in normal mode, I thought my trojan was gone... This is what I had for a few days (see that new search field next to my sys tray???)

    [​IMG]

    Windows is doing its thing, and then I get a popup that says "You may be a victim of software counterfeiting. This copy of Windows is not validated." So I click the grey star in the system tray and it takes me to the Windows validation page and I then get this message, "Validation Incomplete: Unable to Perform Validation"

    Meanwhile, I get this new popup window:

    [​IMG]

    I am using a real version of WinXP SP2 that came installed when I bought my new computer. I'm attaching the Hijack log file before I started cleaning & fixing, and after. Help Please??

    Also - Here is a picture of the files I "fixed" from hijackthis. I couldn't save them as a txt file so I saved a screenshot..

    http://img.photobucket.com/albums/v450/rjbeals/Hijackthis-Blocklist.gif

    Thanks
    Rob.
     
  2. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Hello and welcome to Techspot.

    The reason you're having a problem with Windows validation is because you've fixed the wrong entries in HJT.

    Run HJT and click on the config button, then the backups button and restore all entries. Reboot your computer and post a fresh HJT log.

    Regards Howard :)

    This thread is for the use of rjbeals only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  3. rjbeals

    rjbeals TS Rookie Topic Starter

    Thanks for the welcome Howard. After all the warnings I read about using caution when fixing your registry - I probably should've posted here first :rolleyes:

    I've restored all backups and rebooted.

    I forgot to mention that when I first got my virus and my windows defender was going crazy detecting everything - after my first reboot I got this error:

    [​IMG]

    I've been getting it ever since that first reboot, and I'm still getting it. I have my "Restore DVD" that came with my Gateway - so maybe I could restore drivers or something to fix it?

    Anyway - here is a hijackthis log from about 2 minutes ago - Thanks again Howard!


    Edit: Here is the backup I see from Spybot. I haven't recovered from this yet.

    http://img.photobucket.com/albums/v450/rjbeals/spybot.gif
     
  4. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions more easily.

    Boot into safe mode, under your normal user name (NOT THE ADMINISTRATOR ACCOUNT). See how here.> http://www.bleepingcomputer.com/forums/tutorial61.html

    Turn off system restore (XP/ME only). See how here.> http://www.bleepingcomputer.com/forums/tutorial56.html

    In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how here.> http://www.bleepingcomputer.com/forums/tutorial62.html

    Go to add/remove programmes in your control panel and uninstall anything to do with (if there).

    BioniX Wallpaper v4.60

    Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

    Click on the processes tab and end process for (if there).

    Duce6.exe
    sys0306242838-14.exe
    ALCMTR.EXE
    BioniX Wallper.exe

    Close task manager.

    Run HJT with no other programmes open (except notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to (if there).

    F2 - REG:system.ini: UserInit=userinit.exe

    O2 - BHO: (no name) - {412723CF-37F3-4BD6-9A64-4B0C5A2E45DA} - \

    O2 - BHO: (no name) - {F1EAC2C4-9EDE-4D8F-8D20-F9BDA4DD2E72} - \

    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)

    O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE

    O4 - HKLM\..\Run: [mhn294f9] RUNDLL32.EXE w3523c08.dll,n 003294f6000000033523c08

    O4 - HKLM\..\Run: [TheMonitor] C:\WINDOWS\Duce6.exe

    O4 - HKLM\..\Run: [sys0306242838-14] C:\WINDOWS\sys0306242838-14.exe

    O4 - HKCU\..\Run: [BioniXWallpaper] "C:\Documents and Settings\Owner\My Documents\My Music\Nero Ultra Edition 7 full - From www.recomandeddownloads.com\Program Files\BioniX Wallpaper v4.60\BioniX Wallper.exe"

    O20 - Winlogon Notify: Controls Folder - C:\WINDOWS\system32\nllanui2.dll (file missing)

    O20 - Winlogon Notify: RunOnceEx - C:\WINDOWS\system32\nilanui.dll (file missing)

    O20 - Winlogon Notify: Telephony - C:\WINDOWS\system32\idmp.dll (file missing)

    Click on the fix checked button.

    Close HJT.

    Locate and delete the following bold files and/or directories (if there).

    C:\WINDOWS\Duce6.exe
    C:\WINDOWS\sys0306242838-14.exe
    ALCMTR.EXE

    C:\Documents and Settings\Owner\My Documents\My Music\Nero Ultra Edition 7 full - From www.recomandeddownloads.com\Program Files\BioniX Wallpaper v4.60\BioniX Wallper.exe

    Reboot into normal mode and turn system restore back on.

    Post a fresh HJT log and let me know how your system is running.

    Regards Howard :)

    This thread is for the use of rjbeals only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  5. rjbeals

    rjbeals TS Rookie Topic Starter

    I love you Howard - I'll do all this in the morning - where can I contribute some money?
     
  6. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    No problem mate. No need for any money, this is a commercial website paid for by advertising. Thanks for the thought though.

    Regards Howard :)
     
  7. rjbeals

    rjbeals TS Rookie Topic Starter

    Errr... Sorry about that. Late night & Alcohol....

    But I just did all of the above. Ran Spybot after my reboot and found no problems.

    This error no longer appears either
    [​IMG]

    Looks like I'm clean, except I'm still getting the message that my windows version is counterfeit.

    Windows was preinstalled when I purchased my computer from TigerDirect. But I do have this:

    [​IMG]

    and this:
    [​IMG]

    Can I "re-validate" my copy of windows with this?

    Thanks Again Howard -
    Seriously let me know if I can contribute to your forum, or help you out anyway.
     
  8. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Your HJT log is clean.

    I noticed there are no 016-DPF entries in your HJT log. I assume you've fixed them all. This is what's causing your Windows validation problem.

    Run HJT and click on the config button, then the backups button, look for any 016-DPF entries and place a tick in the little box next to them. Click the restore button, followed by ok and reboot your system.

    Post a fresh HJT log.

    Regards Howard :)

    This thread is for the use of rjbeals only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  9. rjbeals

    rjbeals TS Rookie Topic Starter

    No 016's in any backups. I also looked for my original HJT log but it's not there.

    I followed the instructions here
    http://www.techspot.com/vb/topic17297.html
    And one of the items says,
    "O16 - DPF:
    Fix ALL, no matter WHAT names they have, except for Microsoft/Windows entries."

    From what I remember, there were no Windows entries, so I fixed them all. And I also disabled (and therefore deleted) all system restore points... Is there a way to add a 016 entry back?

    Thanks
    Rob.
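    The two HJT procedures in this thread (Howard's fix list in post 4, and the O16-DPF rule in post 9 that removed the Windows validation control along with everything else) both come down to reading HijackThis log lines and deciding which entries to keep. The script below is an added example, not part of this thread or of HijackThis itself: it parses a constructed sample log in HJT format (the GUIDs, the Program Files path and both URLs are placeholders) and applies the thread's own rules as heuristics: O2/O20 hooks whose file is missing, O4 autostarts pointing at an executable dropped straight into C:\WINDOWS or loading a path-less DLL through rundll32, and O16 controls whose download host is not a Microsoft domain. The Microsoft domain allowlist (microsoft.com, windowsupdate.com) and the suspicion heuristics are assumptions for illustration, not a published HJT rule set.

```python
import re
from urllib.parse import urlparse

# Constructed sample in HijackThis log format, modelled on the entries quoted
# in this thread. The GUIDs, the Program Files path and both URLs are
# placeholders, not values taken from any real log.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {PLACEHOLDER-GUID-A} - (no file)
O4 - HKLM\..\Run: [TheMonitor] C:\WINDOWS\Duce6.exe
O4 - HKLM\..\Run: [mhn294f9] RUNDLL32.EXE w3523c08.dll,n 003294f6000000033523c08
O4 - HKLM\..\Run: [ExampleUpdater] "C:\Program Files\Example\updater.exe"
O16 - DPF: {PLACEHOLDER-GUID-B} (Windows validation control, placeholder name) - http://go.microsoft.com/PLACEHOLDER
O16 - DPF: {PLACEHOLDER-GUID-C} (Some Toolbar) - http://downloads.example.invalid/toolbar.cab
O20 - Winlogon Notify: Telephony - C:\WINDOWS\system32\idmp.dll (file missing)
""".strip()

# Generic "<kind> - <body>" shape shared by every HJT line (O2, O4, O16, O20, F2, ...).
HJT_ENTRY = re.compile(r"^(?P<kind>[A-Z]\d+) - (?P<body>.*)$")
# O4 body: HKLM\..\Run: [name] command
O4_BODY = re.compile(r"^(?:HKLM|HKCU)\\\.\.\\\w+: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# O16 body: DPF: {clsid} (name) - url
O16_BODY = re.compile(r"^DPF: (?P<clsid>\{[^}]*\}) \((?P<name>[^)]*)\) - (?P<url>\S+)$")
# An .exe sitting directly in C:\WINDOWS (not in a subfolder such as system32).
WINDOWS_ROOT_EXE = re.compile(r"^C:\\WINDOWS\\[^\\]+\.exe$", re.IGNORECASE)

# Assumed allowlist of hosts whose ActiveX controls should be left alone.
ALLOWED_CONTROL_HOSTS = ("microsoft.com", "windowsupdate.com")


def is_microsoft_url(url):
    """True if the URL host is an allowlisted domain or a subdomain of one.

    The suffix check is anchored on a dot so that a look-alike host such as
    microsoft.com.evil.invalid does not pass.
    """
    host = (urlparse(url).hostname or "").lower()
    return any(host == d or host.endswith("." + d) for d in ALLOWED_CONTROL_HOSTS)


def triage_entry(line):
    """Classify one HJT line as (kind, verdict, reason); verdict is keep/review/unparsed."""
    m = HJT_ENTRY.match(line.strip())
    if not m:
        return ("?", "unparsed", "not an HJT entry line")
    kind, body = m.group("kind"), m.group("body")
    if kind in ("O2", "O20") and ("(no file)" in body or "(file missing)" in body):
        return (kind, "review", "entry points at a file that no longer exists (orphaned hook)")
    if kind == "O4":
        o4 = O4_BODY.match(body)
        if o4:
            cmd = o4.group("cmd").strip().strip('"')
            if cmd.upper().startswith("RUNDLL32") and "\\" not in cmd:
                return (kind, "review", "rundll32 loads a DLL given without a path")
            if WINDOWS_ROOT_EXE.match(cmd):
                return (kind, "review", "autostart of an executable placed directly in C:\\WINDOWS")
        return (kind, "keep", "autostart entry with nothing unusual")
    if kind == "O16":
        o16 = O16_BODY.match(body)
        if o16 and is_microsoft_url(o16.group("url")):
            return (kind, "keep", "ActiveX control served from a Microsoft host; removing it breaks Windows validation")
        return (kind, "review", "ActiveX control from a non-Microsoft host")
    return (kind, "keep", "no rule matched")


def triage(log_text):
    """Run triage_entry over every non-blank line of a log."""
    return [triage_entry(l) for l in log_text.splitlines() if l.strip()]


def summarize(results):
    """Count verdicts, e.g. {'review': 5, 'keep': 2}."""
    counts = {}
    for _, verdict, _ in results:
        counts[verdict] = counts.get(verdict, 0) + 1
    return counts


if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for kind, verdict, reason in results:
        print(f"{kind:<4} {verdict:<7} {reason}")
    print(summarize(results))
```

    Run against the sample, the two O16 lines split the way post 9's rule intended: the control from a Microsoft host is kept, the toolbar from the placeholder host is flagged. "review" means a human should look at the entry before ticking it in HJT; it is not an automatic fix list, which is exactly the mistake that caused the validation problem in this thread.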
     
  10. sw123

    sw123 TS Rookie Posts: 595

    I don't think that you can do that with HJT. Have you ever used your restore disk before? do you have a windows xp cd?
     
  11. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Try running Windows updates, that may help. HJT makes backups of any entries it fixes. Therefore, if you did fix any 016_DPF entries, they should be in HJT's backup folder.

    Regards Howard :)
     
  12. rjbeals

    rjbeals TS Rookie Topic Starter

    Windows Update worked. Computer is back to normal. Thanks Howard - Last thing - what is your preferred anti-virus software? Right now all I have running is SpyDoctor, Edido which is my free trial version and Spybot Search & Destroy. My Norton is 2004 and seriously out of date. I was thinking of purchasing Bit Defender because that seems to have the best reviews? Any suggestions?

    Thanks for all the help.
    Rob.
     
  13. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Your system will be better off without that Symantec/Norton crapware.

    I use the free AVG antivirus programme and the free Zonealarm firewall. I've never had any problems. However, I do know that Zonealarm can cause problems on some systems. The free Kerio firewall is a good alternative.

    You can get the above programmes HERE, HERE and HERE.

    If you have any further virus/spyware problems, please post in this thread.

    Regards Howard :)

    This thread is for the use of rjbeals only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
Topic Status:
Not open for further replies.