Malware found / Downloader.VB.akq (Plus Windows Validation?)

Status
Not open for further replies.

rjbeals

I've been through the whole How to remove Begin2Search / CoolWebSearch.... and went through the steps in order and carefully. After a boot up in normal mode, I thought my trojan was gone... This is what I had for a few days (see that new search field next to my sys tray???)

[screenshot: trojan.gif]


Windows is doing its thing, and then I get a popup that says "You may be a victim of software counterfeiting. This copy of Windows is not validated". So I click the grey star in the system tray and it takes me to the Windows validation page, and I then get this message: "Validation Incomplete: Unable to Perform Validation"

Meanwhile, I get this new popup window:

[screenshot: malware_Found_Image.gif]


I am using a real version of WinXP SP2 that came installed when I bought my new computer. I'm attaching the HijackThis log file from before I started cleaning & fixing, and after. Help please??

Also - Here is a picture of the files I "fixed" from hijackthis. I couldn't save them as a txt file so I saved a screenshot..

http://img.photobucket.com/albums/v450/rjbeals/Hijackthis-Blocklist.gif

Thanks
Rob.
 
Hello and welcome to Techspot.

The reason you're having a problem with Windows validation is because you've fixed the wrong entries in HJT.

Run HJT and click on the Config button, then the Backups button, and restore all entries. Reboot your computer and post a fresh HJT log.

Regards Howard :)

This thread is for the use of rjbeals only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
 
Thanks for the welcome Howard. After all the warnings I read about using caution when fixing your registry, I probably should've posted here first.

I've restored all backups and rebooted.

I forgot to mention that when I first got my virus and my Windows Defender was going crazy detecting everything, after my first reboot I got this error:

[screenshot: Error_DLL.gif]


I've been getting it ever since that first reboot, and I'm still getting it. I have my "Restore DVD" that came with my Gateway, so maybe I could restore drivers or something to fix it?

Anyway - here is a hijackthis log from about 2 minutes ago - Thanks again Howard!


Edit: Here is the backup I see from Spybot. I haven't recovered from this yet.

http://img.photobucket.com/albums/v450/rjbeals/spybot.gif
 
You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.

Boot into safe mode, under your normal user name(NOT THE ADMINISTRATOR ACCOUNT). See how here.> http://www.bleepingcomputer.com/forums/tutorial61.html

Turn off system restore.(XP/ME only) See how here.> http://www.bleepingcomputer.com/forums/tutorial56.html

In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how here.> http://www.bleepingcomputer.com/forums/tutorial62.html

Go to Add/Remove Programs in your Control Panel and uninstall anything to do with the following (if there).

BioniX Wallpaper v4.60

Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

Click on the Processes tab and end the process for the following (if there).

Duce6.exe
sys0306242838-14.exe
ALCMTR.EXE
BioniX Wallper.exe

Close task manager.

Run HJT with no other programmes open (except Notepad). Click the Scan button. Have HJT fix the following, by placing a tick in the little box next to each (if there).

F2 - REG:system.ini: UserInit=userinit.exe

O2 - BHO: (no name) - {412723CF-37F3-4BD6-9A64-4B0C5A2E45DA} - \

O2 - BHO: (no name) - {F1EAC2C4-9EDE-4D8F-8D20-F9BDA4DD2E72} - \

O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)

O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE

O4 - HKLM\..\Run: [mhn294f9] RUNDLL32.EXE w3523c08.dll,n 003294f6000000033523c08

O4 - HKLM\..\Run: [TheMonitor] C:\WINDOWS\Duce6.exe

O4 - HKLM\..\Run: [sys0306242838-14] C:\WINDOWS\sys0306242838-14.exe

O4 - HKCU\..\Run: [BioniXWallpaper] "C:\Documents and Settings\Owner\My Documents\My Music\Nero Ultra Edition 7 full - From www.recomandeddownloads.com\Program Files\BioniX Wallpaper v4.60\BioniX Wallper.exe"

O20 - Winlogon Notify: Controls Folder - C:\WINDOWS\system32\nllanui2.dll (file missing)

O20 - Winlogon Notify: RunOnceEx - C:\WINDOWS\system32\nilanui.dll (file missing)

O20 - Winlogon Notify: Telephony - C:\WINDOWS\system32\idmp.dll (file missing)

Click on the fix checked button.

Close HJT.

Locate and delete the following files and/or directories (if there).

C:\WINDOWS\Duce6.exe
C:\WINDOWS\sys0306242838-14.exe
ALCMTR.EXE

C:\Documents and Settings\Owner\My Documents\My Music\Nero Ultra Edition 7 full - From www.recomandeddownloads.com\Program Files\BioniX Wallpaper v4.60\BioniX Wallper.exe

Reboot into normal mode and turn system restore back on.

Post a fresh HJT log and let me know how your system is running.

Regards Howard :)

 
No problem mate. No need for any money, this is a commercial website paid for by advertising. Thanks for the thought though.

Regards Howard :)
 
rjbeals said:
I love you Howard
Errr... Sorry about that. Late night & Alcohol....

But I just did all of the above. Ran Spybot after my reboot and found no problems.

This error no longer appears either
[screenshot: Error_DLL.gif]


Looks like I'm clean, except I'm still getting the message that my windows version is counterfeit.

Windows was preinstalled when I purchased my computer from TigerDirect. But I do have this:

[screenshot: gateway_cd.gif]


and this:
[screenshot: gateway_register.gif]


Can I "re-validate" my copy of windows with this?

Thanks Again Howard -
Seriously, let me know if I can contribute to your forum or help you out in any way.
 
Your HJT log is clean.

I noticed there are no O16 - DPF entries in your HJT log. I assume you've fixed them all. This is what's causing your Windows validation problem.

Run HJT and click on the Config button, then the Backups button, look for any O16 - DPF entries and place a tick in the little box next to them. Click the Restore button, followed by OK, and reboot your system.

Post a fresh HJT log.

Regards Howard :)

 
No O16s in any backups. I also looked for my original HJT log but it's not there.

I followed the instructions here
https://www.techspot.com/vb/topic17297.html
And one of the items says,
"O16 - DPF:
Fix ALL, no matter WHAT names they have, except for Microsoft/Windows entries."

From what I remember, there were no Windows entries, so I fixed them all. And I also disabled (and therefore deleted) all system restore points... Is there a way to add an O16 entry back?

Thanks
Rob.
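The removal steps Howard posted above and the O16 rule Rob quotes from the CoolWebSearch guide ("fix ALL, except Microsoft/Windows entries") are the judgement calls HijackThis leaves to the reader, and this thread shows what happens when the O16 rule is applied too literally: the Windows Genuine Advantage validation control is itself an O16 entry. The script below is an added example, not part of this thread and not HijackThis code. It parses HJT-style log lines and encodes the rules used in the thread (BHO and Winlogon Notify entries with no backing file, Run entries dropped in the Windows root or loaded through rundll32 with a random-looking DLL name, third-party O16 entries) with one tightening: an O16 entry is kept on the strength of its download host, not its display name, because a name is trivially spoofable while the host is what actually serves the control. The F2/O2/O4/O20 sample lines are the entries quoted in the thread; the two O16 lines, their CLSIDs and URLs are constructed placeholders; the stock UserInit path assumes Windows is installed on C:. Verdicts are prompts for a person to review, not proof of infection.

```python
# Triage HijackThis-style log lines with the rules used in this thread.
# Added example, not HijackThis code: verdicts are "remove", "review" or "keep".
import re
from urllib.parse import urlparse

# Constructed sample. The F2/O2/O4/O20 lines are the entries quoted in the
# thread; the two O16 lines (CLSIDs and URLs) are made-up placeholders.
SAMPLE_LOG = [
    "F2 - REG:system.ini: UserInit=userinit.exe",
    "O2 - BHO: (no name) - {412723CF-37F3-4BD6-9A64-4B0C5A2E45DA} - \\",
    "O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)",
    "O4 - HKLM\\..\\Run: [Alcmtr] ALCMTR.EXE",
    "O4 - HKLM\\..\\Run: [mhn294f9] RUNDLL32.EXE w3523c08.dll,n 003294f6000000033523c08",
    "O4 - HKLM\\..\\Run: [TheMonitor] C:\\WINDOWS\\Duce6.exe",
    "O4 - HKLM\\..\\Run: [sys0306242838-14] C:\\WINDOWS\\sys0306242838-14.exe",
    "O4 - HKCU\\..\\Run: [BioniXWallpaper] \"C:\\Documents and Settings\\Owner\\My Documents\\My Music\\Nero Ultra Edition 7 full - From www.recomandeddownloads.com\\Program Files\\BioniX Wallpaper v4.60\\BioniX Wallper.exe\"",
    "O16 - DPF: {11111111-1111-1111-1111-111111111111} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/placeholder",
    "O16 - DPF: {22222222-2222-2222-2222-222222222222} (Free Screensaver Installer) - http://downloads.example.net/install.cab",
    "O20 - Winlogon Notify: Telephony - C:\\WINDOWS\\system32\\idmp.dll (file missing)",
]

LINE_RE = re.compile(r"^(?P<section>F\d|O\d+) - (?P<body>.*)$")
O4_RE = re.compile(r"^HK\w+\\\.\.\\Run\w*: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O16_RE = re.compile(r"^DPF: \{[0-9A-Fa-f-]+\} \((?P<name>.*?)\) - (?P<url>\S+)$")
# Assumption: Windows on C:, so this is the stock XP UserInit value (note the comma).
DEFAULT_USERINIT = "c:\\windows\\system32\\userinit.exe,"


def looks_random(filename):
    """Heuristic: six-plus chars mixing letters and digits, like w3523c08.dll."""
    stem = filename.rsplit(".", 1)[0].lower()
    return len(stem) >= 6 and any(c.isdigit() for c in stem) and any(c.isalpha() for c in stem)


def triage_f2(body):
    if not body.lower().startswith("reg:system.ini: userinit="):
        return "review", "F2 entry other than UserInit"
    value = body.split("=", 1)[1].strip().lower()
    if value == DEFAULT_USERINIT:
        return "keep", "stock UserInit value"
    return "review", f"UserInit is '{value}', not the full default path"


def triage_o2(body):
    path = body.rsplit(" - ", 1)[-1].strip()       # text after the CLSID
    if path in ("\\", "", "(no file)"):
        return "remove", "BHO registered with no backing file"
    return "review", "BHO present on disk; check its publisher"


def triage_o4(body):
    m = O4_RE.match(body)
    if not m:
        return "review", "unparsed O4 entry"
    cmd = m.group("cmd").strip()
    if cmd.startswith('"'):                        # quoted path, may contain spaces
        exe, _, args = cmd[1:].partition('"')
    else:
        exe, _, args = cmd.partition(" ")
    exe_name = exe.rsplit("\\", 1)[-1]
    exe_dir = exe[:-len(exe_name)].rstrip("\\").lower() if "\\" in exe else ""
    if exe_name.lower() == "rundll32.exe":
        dll = args.strip().split(",", 1)[0].rsplit("\\", 1)[-1]
        if looks_random(dll):
            return "remove", f"rundll32 loads a random-looking DLL ({dll})"
        return "review", f"rundll32 loader; verify {dll}"
    if exe_dir == "c:\\windows":
        return "remove", f"executable dropped in the Windows root ({exe_name})"
    if looks_random(exe_name):
        return "remove", f"random-looking executable name ({exe_name})"
    if exe_dir.startswith("c:\\documents and settings"):
        return "review", "runs from a user profile folder, not Program Files"
    if not exe_dir:
        return "review", f"bare filename ({exe_name}); resolved via PATH at logon"
    return "keep", "ordinary Run entry"


def triage_o16(body):
    m = O16_RE.match(body)
    if not m:
        return "review", "unparsed O16 entry"
    host = urlparse(m.group("url")).hostname or ""
    if host == "microsoft.com" or host.endswith(".microsoft.com"):
        return "keep", f"ActiveX control served from Microsoft ({host})"
    if re.search(r"microsoft|windows", m.group("name"), re.I):
        return "review", f"Microsoft-sounding name but served from {host}"
    return "remove", f"third-party ActiveX control from {host}"


def triage_o20(body):
    if body.endswith("(file missing)"):
        return "remove", "Winlogon Notify entry whose DLL is gone"
    return "review", "Winlogon Notify DLL present; check its signature"


HANDLERS = {"F2": triage_f2, "O2": triage_o2, "O4": triage_o4,
            "O16": triage_o16, "O20": triage_o20}


def triage(lines):
    """Return (line, verdict, reason) for every recognised HJT line."""
    out = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        handler = HANDLERS.get(m.group("section"))
        verdict, reason = handler(m.group("body")) if handler else ("review", "no rule for this section")
        out.append((line, verdict, reason))
    return out


if __name__ == "__main__":
    for line, verdict, reason in triage(SAMPLE_LOG):
        print(f"{verdict:6} {reason}\n       {line}")
```

Run against the sample, the WGA-style O16 line comes back "keep" because of its host, the screensaver installer comes back "remove", and ALCMTR.EXE comes back "review" rather than "remove" because a bare filename in a Run key is suspicious but not conclusive. The point is that "fix everything except Microsoft/Windows entries" needs a stronger test than the display name, and that a dead entry (no file, file missing) is safe to remove while a live one deserves a look first.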
 
I don't think that you can do that with HJT. Have you ever used your restore disk before? Do you have a Windows XP CD?
 
Try running Windows Update, that may help. HJT makes backups of any entries it fixes. Therefore, if you did fix any O16 - DPF entries, they should be in HJT's backup folder.

Regards Howard :)
 
Windows Update worked. Computer is back to normal. Thanks Howard. Last thing: what is your preferred anti-virus software? Right now all I have running is SpyDoctor, Edido which is my free trial version, and Spybot Search & Destroy. My Norton is 2004 and seriously out of date. I was thinking of purchasing BitDefender because that seems to have the best reviews. Any suggestions?

Thanks for all the help.
Rob.
 
Your system will be better off without that Symantec/Norton crapware.

I use the free AVG antivirus programme and the free ZoneAlarm firewall. I've never had any problems. However, I do know that ZoneAlarm can cause problems on some systems. The free Kerio firewall is a good alternative.

You can get the above programmes HERE, HERE and HERE.

If you have any further virus/spyware problems, please post in this thread.

Regards Howard :)

 