TechSpot

virus attack on my computer - hjt log

By chipopo
Aug 22, 2007
Topic Status:
Not open for further replies.
  1. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 25,948   +19

    Hello and welcome to Techspot.

    You didn't attach an AVG Antispyware log, nor did you let us know the results of the AVG Antirootkit scan. Please do so in your next reply.

    You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.

    Boot into safe mode, under your normal user name (NOT THE ADMINISTRATOR ACCOUNT). See how HERE.

    In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE.

    Click start/run and type services.msc into the run box and press the enter key.

    When the window appears, maximise it. Double click on the following services (if there) and select stop if they are running. Set the startup type to disabled. Click apply/ok for each service you disable.

    ms hexidecimal defx (mshexdefx)

    Close the services window.

    Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

    Click on the processes tab and end process for (if there):

    ivchost.exe
    hlamavdc.exe

    Close task manager.

    Run HJT with no other programmes open (except notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to (if there):

    O23 - Service: ms hexidecimal defx (mshexdefx) - Unknown owner - C:\WINDOWS\system32\dllcache\ivchost.exe (file missing)

    Click on the fix checked button.

    Close HJT.

    Locate and delete the following bold files and/or directories (if there):

    C:\WINDOWS\system32\dllcache\ivchost.exe
    C:\WINDOWS\system32\hlamavdc.exe

    Reboot into normal mode and rehide your protected OS files.

    Post fresh HJT, AVG Antispyware and Combofix logs as attachments into this thread, only after doing the above.

    Also, let me know the results of the AVG Antirootkit scan.

    Regards Howard :wave: :wave:

    This thread is for the use of chipopo only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  2. chipopo

    chipopo TS Rookie Topic Starter Posts: 62

    Hi there Howard, and thanks for replying.
    I ran the AVG Antispyware but I got an empty log.
    Same with the antirootkit application. It gave me a result that no rootkits were found.
    Anyway, I'm starting now to go through the rest of what you wrote; maybe I'll get more lucky there. And if it is of any help, let me tell you that just before I ran SS&D, and every few minutes, my antivirus gave me a message that a file was found, c:\a.bat, and it is a REG/Zapchast trojan. I was told that I should take no action because the AV already took care of it and that it was just a notice.
    Also, at the end of the SS&D scan a trojan named IPEW was found, but when I pressed "immune" the computer got stuck.
    So long.

    OK, these are the results:
    I disabled the service you told me.
    Task manager didn't show any of these processes.
    HJT didn't show the line you wrote (see log).
    The files weren't there in the system32 folder.

    (When I tried to restart in safe mode I got an error message (attached). When I tried to save the screen picture I got another message saying that the computer will shut down in 45 seconds and some other stuff. I tried to do print screen but it wouldn't let me.)


    Now, I just hope I can attach all of these logs in one post.

    I just don't know which one is the last.
     
  3. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 25,948   +19

    You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.

    Boot into safe mode, under your normal user name (NOT THE ADMINISTRATOR ACCOUNT). See how HERE.

    In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE.

    Click start/run and type services.msc into the run box and press the enter key.

    When the window appears, maximise it. Double click on the following services (if there) and select stop if they are running. Set the startup type to disabled. Click apply/ok for each service you disable.

    Windows System Update Tools

    Close the services window.

    Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

    Click on the processes tab and end process for (if there):

    upds.exe

    Close task manager.

    Run HJT with no other programmes open (except notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to (if there):

    O4 - HKLM\..\Run: [Windows System Update Tools] upds.exe

    O4 - HKLM\..\RunServices: [Windows System Update Tools] upds.exe

    Click on the fix checked button.

    Close HJT.

    Locate and delete the following bold files and/or directories (if there):

    C:\WINDOWS\System32\upds.exe

    Reboot into normal mode and rehide your protected OS files.

    Post a fresh HJT log and let me know how your system is running.

    Regards Howard :)

    This thread is for the use of chipopo only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  4. chipopo

    chipopo TS Rookie Topic Starter Posts: 62

    I got the shutdown message again (before I did what you said).
    The service 'Windows System Update Tool' wasn't found, nor the process 'upds.exe',
    but I did find the 2 values in HJT and fixed them. I also found the file C:\WINDOWS\System32\upds.exe and deleted it.

    I should mention that the startup of my PC is taking a hell of a long time (it gets stuck on the 'Windows is starting up' screen for about 40 sec) and also just now I got the message that comes right before the shutdown one. I hope it lets me send this post.

    Just before it shut me down before (yeah, I got the post just the 2nd time) I got the message attached here. This lsass.exe thing keeps popping up during this whole business - thought you should know.
     
  5. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 25,948   +19

    You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.

    Boot into safe mode, under your normal user name (NOT THE ADMINISTRATOR ACCOUNT). See how HERE.

    In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE.

    Click start/run and type services.msc into the run box and press the enter key.

    When the window appears, maximise it. Double click on the following services (if there) and select stop if they are running. Set the startup type to disabled. Click apply/ok for each service you disable.

    Windows System Update Tools
    Microsoft Update
    Windows Server Peer Verification Service

    Close the services window.

    Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

    Click on the processes tab and end process for (if there):

    mdm.exe
    upds.exe
    wspvs.exe

    Close task manager.

    Run HJT with no other programmes open (except notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to (if there):

    O4 - HKLM\..\Run: [Windows System Update Tools] upds.exe

    O4 - HKLM\..\RunServices: [Windows System Update Tools] upds.exe

    O4 - HKUS\S-1-5-18\..\Run: [Windows Server Peer Verification Service] "C:\WINDOWS\system32\wspvs.exe" * (User 'SYSTEM')

    O4 - HKUS\S-1-5-18\..\Run: [Microsoft Update] C:\WINDOWS\System32\mdm.exe (User 'SYSTEM')

    Click on the fix checked button.

    Close HJT.

    Locate and delete the following bold files and/or directories (if there):

    C:\WINDOWS\system32\wspvs.exe
    C:\WINDOWS\System32\mdm.exe
    C:\WINDOWS\System32\upds.exe

    Reboot into normal mode and rehide your protected OS files.

    Post a fresh HJT log from normal mode.

    Regards Howard :)

    This thread is for the use of chipopo only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  6. chipopo

    chipopo TS Rookie Topic Starter Posts: 62

    OK, I did it.

    Thanks for staying with me.

    I didn't find any of the services in the services window.
    None of the processes showed either.
    HJT found and fixed the following two:
    O4 - HKUS\S-1-5-18\..\Run: [Windows Server Peer Verification Service] "C:\WINDOWS\system32\wspvs.exe" * (User 'SYSTEM')
    O4 - HKUS\S-1-5-18\..\Run: [Microsoft Update] C:\WINDOWS\System32\mdm.exe (User 'SYSTEM')
    I found only C:\WINDOWS\System32\mdm.exe and deleted it.
     
  7. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 25,948   +19

    The baddies are still there.

    Let's try a different approach.

    You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.

    Boot into safe mode, under your normal user name (NOT THE ADMINISTRATOR ACCOUNT). See how HERE.

    In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE.

    Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

    Click on the processes tab and end process for (if there):

    wspvs.exe
    mdm.exe

    Close task manager.

    Run HJT with no other programmes open (except notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to (if there):

    O4 - HKCU\..\Run: [Microsoft Update] C:\WINDOWS\System32\mdm.exe

    O4 - HKUS\S-1-5-18\..\Run: [Windows Server Peer Verification Service] "C:\WINDOWS\system32\wspvs.exe" * (User 'SYSTEM')

    O4 - HKUS\S-1-5-18\..\Run: [Microsoft Update] C:\WINDOWS\System32\mdm.exe (User 'SYSTEM')

    Click on the fix checked button.

    Close HJT.

    1: Click start/run and type regedit into the run box and press the enter key. When the window appears maximise it. Click file/export and save a copy of your registry to wherever you want.

    2: Click edit and choose find. Type Windows Server Peer Verification Service into the dialogue box and click the find next button. Regedit will now search your registry for any entries that contain a reference to Windows Server Peer Verification Service and display them in the righthand pane. Right click on any such Windows Server Peer Verification Service entries and choose delete.

    3: Now click edit again and choose find next. Again, delete any entries that reference Windows Server Peer Verification Service.

    4: Repeat the above, until no more Windows Server Peer Verification Service entries are found.

    Repeat steps 2 through 4 above for this entry: Microsoft Update

    5: Close regedit.

    6: Locate and delete the following bold files and/or directories (if there):

    C:\WINDOWS\system32\wspvs.exe
    C:\WINDOWS\System32\mdm.exe

    7: Reboot into normal mode and rehide your protected OS files.

    Post a fresh HJT log from Normal Mode.

    Regards Howard :)

    This thread is for the use of chipopo only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
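    As an added example, not code from this thread, from HijackThis or from the helper above: a small Python checker that parses HJT-style O4 and O23 lines like the ones listed in the posts above and flags the entries the helper keyed on (the executable names named in this thread, autoruns with a bare file name, autoruns under the SYSTEM hive S-1-5-18, services with "Unknown owner", services pointing at a missing file). The sample log lines are constructed from this thread's entries; the benign ctfmon.exe and "Example Service" lines are assumed negative cases.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed HJT-style lines modelled on this thread's O4/O23 entries, plus two benign ones.
SAMPLE_HJT_LOG = r"""
O4 - HKLM\..\Run: [Windows System Update Tools] upds.exe
O4 - HKUS\S-1-5-18\..\Run: [Windows Server Peer Verification Service] "C:\WINDOWS\system32\wspvs.exe" * (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Microsoft Update] C:\WINDOWS\System32\mdm.exe (User 'SYSTEM')
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O23 - Service: ms hexidecimal defx (mshexdefx) - Unknown owner - C:\WINDOWS\system32\dllcache\ivchost.exe (file missing)
O23 - Service: Example Service (examplesvc) - Example Corp - C:\Program Files\Example\examplesvc.exe
"""
# Executable names the helper in this thread told the poster to remove.
THREAD_INDICATORS = {"upds.exe", "mdm.exe", "wspvs.exe", "ivchost.exe", "hlamavdc.exe"}
O4_RE = re.compile(r"^O4 - (?P<hive>HK.*?)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] "
                   r"(?P<cmd>.*?)(?: \(User '(?P<user>[^']*)'\))?$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.*?)(?: \((?P<short>[^)]*)\))? - "
                    r"(?P<owner>.*?) - (?P<path>.*?)(?P<missing> \(file missing\))?$")

@dataclass
class Entry:
    kind: str                   # "O4" (registry autorun) or "O23" (service)
    name: str                   # value name or service display name
    target: str                 # command line or service binary path
    hive: str = ""              # O4 only: HKLM, HKCU or HKUS\<SID>
    user: str = ""              # O4 only: account an HKUS key belongs to
    owner: str = ""             # O23 only: company name HJT read from the binary
    file_missing: bool = False  # O23 only: HJT found no file at the path

def parse_hjt_line(line: str) -> Optional[Entry]:
    """Parse one O4 or O23 line; any other line type returns None."""
    if m := O4_RE.match(line):
        return Entry("O4", m["name"], m["cmd"], hive=m["hive"], user=m["user"] or "")
    if m := O23_RE.match(line):
        return Entry("O23", m["name"], m["path"], owner=m["owner"],
                     file_missing=m["missing"] is not None)
    return None

def exe_name(target: str) -> str:
    """Lower-cased basename of the executable in a command line or path."""
    cmd = target.strip()  # quoted path: take what is inside the quotes, else the first token
    cmd = cmd[1:].split('"', 1)[0] if cmd.startswith('"') else cmd.split(" ", 1)[0]
    return cmd.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def suspicious_reasons(e: Entry) -> list[str]:
    """Heuristics matching what the helper in this thread keyed on."""
    reasons, exe = [], exe_name(e.target)
    if exe in THREAD_INDICATORS:
        reasons.append(f"{exe} is named in this thread's removal instructions")
    if e.kind == "O4" and "\\" not in e.target.split(" ", 1)[0]:
        reasons.append("autorun gives a bare file name with no directory")
    if e.kind == "O4" and e.hive.startswith("HKUS\\S-1-5-18"):
        reasons.append("autorun sits under the SYSTEM account's hive (S-1-5-18)")
    if e.kind == "O23" and e.owner == "Unknown owner":
        reasons.append("service binary carries no company name")
    if e.file_missing:
        reasons.append("service points at a file that no longer exists")
    return reasons

def scan_hjt_log(text: str) -> list[tuple[Entry, list[str]]]:
    """Return every parsed entry that trips at least one heuristic, with its reasons."""
    return [(e, why) for line in text.splitlines()
            if (e := parse_hjt_line(line.strip())) and (why := suspicious_reasons(e))]
```

    Running scan_hjt_log(SAMPLE_HJT_LOG) returns the four thread entries with their reasons and leaves the two benign lines alone.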
     
  8. chipopo

    chipopo TS Rookie Topic Starter Posts: 62

    Because the PC got stuck.
    Startup still takes a long time.
    Another thing I wanted to let you know is that most of the times I get stuck are when I'm surfing on the web. It usually gets worse from that point until I need to restart, but I can't even use ctrl+alt+delete because it just doesn't work.

    Another thing is, my trial version anti-virus (NOD32) license is running out and I need to decide what to do. Do I really have to buy the full version or is there a good enough free one that could do the job for me? What about a firewall? I only have the Windows one and I'm not sure it's working; should I install another?
    If I have to install a new anti-virus, is there anything I should know about uninstalling the old one (I hear these applications don't give up so easily)?

    Oops, I didn't see you already posted - I'm getting right to it.
     
  9. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 25,948   +19

  10. chipopo

    chipopo TS Rookie Topic Starter Posts: 62

    OK, the processes weren't there (but I did notice that the last time I started Windows in full mode the mdm.exe process was there).

    The only HJT value found and fixed was this: O4 - HKCU\..\Run: [Microsoft Update] C:\WINDOWS\System32\mdm.exe

    As for the registry, the first search gave me about 5 values, but when I tried to delete them I got this message: unable to delete all specified values.
    The 2nd one (Microsoft Update) gave me one result and I deleted it.

    None of the files were found in system32.

    About the recommendations - thanks a lot.
    I already have the programs you listed after the firewall ones - should I have them on always or just run them when I have problems?
     
     
  11. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 25,948   +19

    Just run the antispyware programmes when you want to.

    Please post a fresh HJT log from normal mode.

    Regards Howard :)
     
  12. chipopo

    chipopo TS Rookie Topic Starter Posts: 62

    Gladly.

    Here it is.
     
  13. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 25,948   +19

    Your HJT log is now clean.

    Turn off system restore.(XP/ME only) See how HERE.

    Now, turn system restore back on. This will have deleted all your old restore points and any nasties that are in them. It will also have created a new, clean restore point.

    If you have any further virus/spyware problems, please post in this thread.

    Regards Howard :)

    This thread is for the use of chipopo only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  14. chipopo

    chipopo TS Rookie Topic Starter Posts: 62

    And I'm afraid it's not...
    This is the third time I'm trying to reply to your post. The first time I just wanted to tell you that I did what you said and to thank you for all your help and time (all is still true). But then, just as I tried to send the post, everything froze and I couldn't continue. I had to restart. The second try was pretty much the same, and the third also - I just clicked the mouse in order to type and all froze.
    This time I'm writing in Notepad, hoping I would just have enough time to paste it and send. I'm also using Internet Explorer instead of Avant, which I regularly use; maybe it has something to do with it.

    Of course the whole procedure was much of a bother since ctrl+alt+delete still ain't working and because startup still takes a lot of time (last I checked it was a minute or so).
    Anyway, it seems as though the/a problem still exists here - I hope you can still help me fix it.

    Maybe it could help understand what's going on here.
     
  15. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 25,948   +19

    Click start/run and type sfc /scannow into the run box and press the enter key. Windows will scan for any missing or damaged OS files and replace them as necessary. You'll need to have your Windows cd handy.

    See if that helps.

    Regards Howard :)
     
  16. chipopo

    chipopo TS Rookie Topic Starter Posts: 62

    I tried but...

    It asked me for some Windows XP Professional Service Pack 1 CD and all I have (and ever had) is Windows XP Home Edition. Of course it wasn't accepted.

    Another thing: just before that I tried receiving and reading some mail and I got that annoying shutdown message again. This is how it goes:
    This system is shutting down. please save all work in progress and logg off. any unsaved changes will be lost. This shutdown was initiated by NT Authority/system.

    MESSAGE
    the system process 'C:\windows/system32\lsass.exe' terminated unexpectedly with status code -1073741819 the system will now shutdown and restart.

    Then it gives me 60 secs till it shuts down.
     
  17. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 25,948   +19

    Download and run the Windows Malicious Removal Tool.

    Then, try doing a system repair as per this thread HERE.

    You will need to run Windows updates, once finished with the repair process.

    Regards Howard :)
     
  18. chipopo

    chipopo TS Rookie Topic Starter Posts: 62

    The tool found nothing.
    I reinstalled Windows just like you said and while trying to update got this attached message. I remember getting the same message a little before this all started.
    What should I do?

    And just now NOD32 gave me again the message about finding c:\a.bat
    Threat: REG/Zapchast trojan

    I think it's all back. I have no idea how, but it seems as though we're right back at square one.
    My AV keeps giving me the message I told you about before - file attached.
     
  19. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 25,948   +19

    Click start/run and type services.msc into the run box and press the enter key.

    When the window appears, maximise it. Double click on the following services (if there) and select stop if they are running. Set the startup type to disabled. Click apply/ok for each service you disable.

    Messenger (this has nothing to do with any Messenger programme).

    Close the services window.

    That will stop those annoying messages.

    Post fresh HJT, combofix and AVG Antispyware logs from normal mode.

    Regards Howard :)

    This thread is for the use of chipopo only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  20. chipopo

    chipopo TS Rookie Topic Starter Posts: 62

    Done.

    I disabled the service and ran the 3 programmes.

    I'm getting shut down right now, but a few infected files were found.
     
  21. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 25,948   +19

    Please post the 3 requested logfiles from Normal mode.

    Regards Howard :)
     
  22. chipopo

    chipopo TS Rookie Topic Starter Posts: 62

    I don't know what's going on here, but I'm shown as if the attachments are being loaded and after that nothing happens.
    After I posted the message I see that they really weren't attached.

    I am in normal mode (you mean as opposed to safe mode?), I was here all the time.
     
  23. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 25,948   +19

    Try again and if you still have problems, just copy and paste them. I'll delete them once I've finished.

    Regards Howard :)
     
  24. chipopo

    chipopo TS Rookie Topic Starter Posts: 62

    It doesn't work.

    Here we go:
    Combo:
     