  1. #1 Member (Join Date: Apr 2006, Location: NJ, Posts: 19, Points: 0)

    Virus - opens IE automatically, downloads other viruses

    Hi! I've got a very annoying virus - whenever the computer is connected to the internet, IE launches automatically and several spam windows open. It also seems to be downloading other viruses automatically if IE is left open.

    Symantec antivirus (corporate edition) after each (re)boot finds gbpwlvd.exe in the c:\WINNT\system32 directory and "quarantines" it. Yesterday I did everything outlined in the "get rid of the spyware..." tutorial (except I couldn't run the Panda activescan). Cleaned up a bunch of stuff, but this problem is still there.

    Help2Go Detective prompted me to post my HijackThis log:


    Logfile of HijackThis v1.99.1
    Scan saved at 11:20:16 AM, on 4/12/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Unable to get Internet Explorer version!

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\System32\Ati2evxx.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\LEXBCES.EXE
    C:\WINNT\system32\spoolsv.exe
    C:\WINNT\system32\LEXPPS.EXE
    C:\Program Files\Dell\Bluetooth Software\bin\btwdins.exe
    C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe
    C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
    C:\PROGRA~1\SYMANT~1\SYMANT~1\SavRoam.exe
    C:\WINNT\System32\svchost.exe
    C:\Program Files\UPHClean\uphclean.exe
    C:\Program Files\VMware\VMware Workstation\vmware-authd.exe
    C:\WINNT\System32\vmnat.exe
    C:\WINNT\System32\WLTRYSVC.EXE
    C:\WINNT\System32\bcmwltry.exe
    C:\WINNT\System32\CCM\CLICOMP\RemCtrl\Wuser32.exe
    C:\WINNT\System32\CCM\CcmExec.exe
    C:\WINNT\System32\vmnetdhcp.exe
    C:\Program Files\Citrix\PNAgent\ssonsvr.exe
    C:\WINNT\Explorer.EXE
    C:\Program Files\Apoint\Apoint.exe
    C:\Program Files\Dell\QuickSet\quickset.exe
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\Program Files\Apoint\Apntex.exe
    C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\Program Files\Dell AIO Printer A960\dlbfbmgr.exe
    C:\Program Files\Dell AIO Printer A960\dlbfbmon.exe
    C:\Program Files\Screen Mode Switch\SMSwitch.exe
    C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vptray.exe
    C:\Program Files\Adobe\Distillr\Acrotray.exe
    C:\windows\mousepad10.exe
    C:\Program Files\TrojanHunter 4.5\THGuard.exe
    C:\WINNT\system32\ctfmon.exe
    C:\Program Files\Dell\Bluetooth Software\BTTray.exe
    C:\Program Files\Citrix\PNAgent\pnagent.exe
    C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
    C:\WINNT\system32\rundll32.exe
    C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
    E:\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://inside.us.dell.com/home/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://inside.us.dell.com/home/
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy:80
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 143.166.*;*.dell.co*;163.244.*;10.*;127.*;198.185.237.*;*.corptvl.com;ORL10PLUSWS01.CSERVER;dell.mtgworksphere.com;dellhome.mtgworksphere.com;64.207.0.*;*.tbgfinancial.com;*.outtask.com;myinvoice.csd.disa.mil;vdc.emc.com;text.speche.com;
    F2 - REG:system.ini: Shell=Explorer.exe, C:\WINNT\system32\vfitb.exe
    F2 - REG:system.ini: UserInit=C:\WINNT\SYSTEM32\Userinit.exe,gbpwlvd.exe
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll
    O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
    O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [Dell AIO Printer A960] "C:\Program Files\Dell AIO Printer A960\dlbfbmgr.exe"
    O4 - HKLM\..\Run: [Screen Mode Switch] C:\Program Files\Screen Mode Switch\SMSwitch.exe
    O4 - HKLM\..\Run: [vptray] C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vptray.exe
    O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Distillr\Acrotray.exe"
    O4 - HKLM\..\Run: [keyboard] C:\windows\keyboard10.exe
    O4 - HKLM\..\Run: [mousepad] C:\windows\mousepad10.exe
    O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.5\THGuard.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
    O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat\AdobeUpdateManager.exe AcPro7_0_5
    O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: BTTray.lnk = ?
    O4 - Global Startup: Program Neighborhood Agent.lnk = C:\Program Files\Citrix\PNAgent\pnagent.exe
    O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra button: Run WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Program Files\WinHTTrack\WinHTTrackIEBar.dll
    O9 - Extra 'Tools' menuitem: Launch WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Program Files\WinHTTrack\WinHTTrackIEBar.dll
    O9 - Extra button: (no name) - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINNT\system32\dmonwv.dll
    O9 - Extra 'Tools' menuitem: Java - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINNT\system32\dmonwv.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Dell\Bluetooth Software\btsendto_ie.htm
    O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Dell\Bluetooth Software\btsendto_ie.htm
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra button: Start WebEx One-Click Meeting - {80947ADC-151D-490B-87F1-7C8CE1B46220} - C:\Program Files\webex\webex\350\ATONECLI.dll (HKCU)
    O9 - Extra 'Tools' menuitem: Start WebEx One-Click Meeting - {80947ADC-151D-490B-87F1-7C8CE1B46220} - C:\Program Files\webex\webex\350\ATONECLI.dll (HKCU)
    O14 - IERESET.INF: START_PAGE_URL=http://inside.us.dell.com/home/
    O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://tdserver.bitstream.com/tdserver.cab
    O16 - DPF: {15B782AF-55D8-11D1-B477-006097098764} (Macromedia Authorware Web Player Control) - http://training/controls/awswaxf.cab
    O16 - DPF: {3DC2E31C-371A-4BD3-9A27-CDF57CE604CF} (MSN Money Charting) - http://moneycentral.msn.com/cabs/pmupd806.exe
    O16 - DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} (Microsoft RDP Client Control (redist)) - http://10.38.13.155/tsweb/msrdp.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
    O16 - DPF: {CAFEEFAC-0014-0001-0002-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_02) -
    O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://dellefd.webex.com/client/v_m...rt/ieatgpc.cab
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = amer.dell.com
    O17 - HKLM\Software\..\Telephony: DomainName = aus.amer.dell.com
    O17 - HKLM\System\CCS\Services\Tcpip\..\{06A76094-1C4A-4223-9533-3AFF8ABD089F}: NameServer = 68.87.64.146,68.87.75.194
    O18 - Protocol: widimg - {EE7C2AFF-5742-44FF-BD0E-E521B0D3C3BA} - C:\WINNT\System32\btxppanel.dll
    O20 - Winlogon Notify: DateTime - C:\WINNT\system32\p64ulgh9164.dll
    O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\Ati2evxx.exe
    O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Program Files\Dell\Bluetooth Software\bin\btwdins.exe
    O23 - Service: ConnectEMC - Unknown owner - C:\Program Files\EMC\Navisphere Agent\ConnHome\ConnectEMC.exe (file missing)
    O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
    O23 - Service: IP4700 Trap Catcher (DTCserver) - Unknown owner - C:\Program Files\EMC\Navisphere Agent\dtcsrv.exe (file missing)
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINNT\system32\LEXBCES.EXE
    O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
    O23 - Service: OracleORACLEHOMEClientCache - Unknown owner - C:\ORACLE\BIN\ONRSD.EXE
    O23 - Service: SAVRoam - symantec - C:\PROGRA~1\SYMANT~1\SYMANT~1\SavRoam.exe
    O23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - C:\Program Files\VMware\VMware Workstation\vmware-authd.exe
    O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - C:\WINNT\System32\vmnetdhcp.exe
    O23 - Service: VMware NAT Service - VMware, Inc. - C:\WINNT\System32\vmnat.exe
    O23 - Service: WLTRYSVC - Unknown owner - C:\WINNT\System32\WLTRYSVC.EXE



    Corporate tech support just wants me to do a system restore and are sending me a DVD for it :roll: Any help will be greatly appreciated.

    Thanks!
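A defender-side triage of the log entries in the post above, added here as an example that is not part of the original thread and not HijackThis code: it parses the F2 Shell/UserInit values, O4 Run paths and O20 Winlogon Notify DLLs and flags the ones that deviate from the Windows directory detected from the process list. The sample lines are copied from the log above; the small allowlist of default Winlogon Notify DLLs is an assumption.

```python
import re

# Constructed sample: lines copied from the HijackThis log posted above, with the
# clean vptray and ctfmon entries kept for comparison.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Running processes:
C:\WINNT\System32\smss.exe
C:\windows\mousepad10.exe

F2 - REG:system.ini: Shell=Explorer.exe, C:\WINNT\system32\vfitb.exe
F2 - REG:system.ini: UserInit=C:\WINNT\SYSTEM32\Userinit.exe,gbpwlvd.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vptray.exe
O4 - HKLM\..\Run: [keyboard] C:\windows\keyboard10.exe
O4 - HKLM\..\Run: [mousepad] C:\windows\mousepad10.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
O20 - Winlogon Notify: DateTime - C:\WINNT\system32\p64ulgh9164.dll
"""

# Winlogon Notify DLLs shipped with Windows XP; a minimal allowlist (assumption).
KNOWN_NOTIFY_DLLS = {"crypt32.dll", "cryptnet.dll", "cscdll.dll",
                     "wlnotify.dll", "sclgntfy.dll"}

def detect_system_root(lines):
    """Take the real Windows directory from the smss.exe entry in the process list."""
    for ln in lines:
        m = re.match(r"^([A-Za-z]:\\[^\\]+)\\System32\\smss\.exe$", ln.strip(), re.I)
        if m:
            return m.group(1).lower()
    return None

def triage_hjt(text):
    """Return (section, reason, line) for entries that deserve a closer look."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    root = detect_system_root(lines) or r"c:\windows"
    userinit = root + r"\system32\userinit.exe"
    findings = []
    for line in lines:
        if line.startswith("F2 - REG:system.ini: Shell="):
            # Shell= should be exactly explorer.exe; anything appended is run at logon.
            parts = [p.strip().lower() for p in line.split("Shell=", 1)[1].split(",")]
            extra = [p for p in parts if p != "explorer.exe"]
            if extra:
                findings.append(("F2", "extra Shell component(s): " + ", ".join(extra), line))
        elif line.startswith("F2 - REG:system.ini: UserInit="):
            # UserInit= should only name userinit.exe under the real system directory.
            parts = [p.strip().lower() for p in line.split("UserInit=", 1)[1].split(",") if p.strip()]
            extra = [p for p in parts if p != userinit]
            if extra:
                findings.append(("F2", "extra UserInit component(s): " + ", ".join(extra), line))
        elif line.startswith("O4 - ") and "\\Run: [" in line:
            # A Run entry in C:\windows on a C:\WINNT install points at a lookalike directory.
            path = line.split("] ", 1)[1].strip('"')
            m = re.match(r"^([A-Za-z]:\\win(?:dows|nt))\\", path, re.I)
            if m and m.group(1).lower() != root:
                findings.append(("O4", "Run entry in lookalike Windows directory " + m.group(1), line))
        elif line.startswith("O20 - Winlogon Notify:"):
            dll = line.rsplit("\\", 1)[-1].lower()
            if dll not in KNOWN_NOTIFY_DLLS:
                findings.append(("O20", "non-default Winlogon Notify DLL " + dll, line))
    return findings

if __name__ == "__main__":
    for section, reason, line in triage_hjt(SAMPLE_LOG):
        print(f"[{section}] {reason}\n    {line}")
```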

  2. #2 Member (Join Date: Dec 2002, Posts: 12,000, Points: 1191)

    Quote Originally Posted by renatele
    Corporate tech support just wants me to do a system restore and are sending me a DVD for it. Any help will be greatly appreciated.
    This site is geared for the home user, not to support a for profit company, especially one with tech support.

    To get started on this

    Please download this program:

    http://www.atribune.org/content/view/28/

    Please download Look2Me-Destroyer.exe to your desktop.

    Close all windows before continuing.

    Double-click Look2Me-Destroyer.exe to run it.

    Put a check next to Run this program as a task.

    You will receive a message saying Look2Me-Destroyer will close and re-open in approximately 1 minute. Click OK

    When Look2Me-Destroyer re-opens, click the Scan for L2M button, your desktop icons will disappear, this is normal.

    Once it's done scanning, click the Remove L2M button.

    You will receive a Done Scanning message, click OK.

    When completed, you will receive this message: Done removing infected files! Look2Me-Destroyer will now shutdown your computer, click OK.
    Your computer will then shutdown.

    Turn your computer back on.

    Next step:

    Download ewido security suite install, update and run it.

    Please set it up as follows:

    1. When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".

    2. Run Ewido --- When you run it for the first time, you will get a warning "Database could not be found!". Click OK. We will fix this in a moment.

    3. From the main ewido screen, click on update in the left menu, then click the Start update button.

    4. After the update finishes (the status bar at the bottom will display "Update successful")

    5. You may need to manually update the definitions which you can get HERE

    6. Exit Ewido. DO NOT scan yet.

    Reboot the PC in the Safe Mode

    SAFE MODE:

    safe mode<<< Click Here for instructions
    and scan with Ewido

    7. Click on the Scanner button in the left menu, then click on Complete System Scan. This scan can take quite a while to run.

    8. If ewido finds anything, it will pop up a notification. We have been finding some cases of false positives with the new version of Ewido, so we need to step through the fixes one-by-one. If Ewido finds something that you KNOW is legitimate (for example, parts of AVG Antivirus, AOL pcAnywhere and the game "Risk" have been flagged), select "none" as the action. DO NOT check "Perform action with all infections". If you are unsure of an entry, select "none" for the time being. I'll see that in the log you will post later and let you know if ewido needs to be run again.

    9. Once the ewido scan has completed, there will be a button located on the bottom of the screen called Save report.

    Important - You need to click "Save report" and save it to your desktop, or you won't have a log.

    10. Post the Ewido log, the contents of Look2Me-Destroyer.txt and new HJT log.

    BG



    P.S. - Is your tech support hiring? Sounds like I could do their job sitting here in my basement and never have to leave the house. It's real easy to send out operating system disks.

  3. #3 Member (Join Date: Apr 2006, Location: NJ, Posts: 19, Points: 0)

    My oh my... am I in trouble now (it's husband's laptop that I'm trying to troubleshoot).

    Ran the L2M destroyer, L2M was found. Ran msconfig and edited boot.ini to boot into safe mode, but it said that configuration could not be saved as I need to be logged in as administrator to do it. Fine. Reboot, F8 into safe mode, blah blah blah. Administrator password that my husband has doesn't work. Call the Corporate, they say that is the password, and they can't help any other way.

    Got frustrated. Decide to just forget the whole thing, and let the Corporate deal with it (husband is inclined to restore the OS, but needs to save some of his work files beforehand). Try to boot into normal mode, NO GO! Goes into safe mode only. F8 on reboot, choose "normal mode", still no go. F8 and choose "last known good configuration", still get safe mode (which we can't log into).

    Husband is beyond MAD with me.

    Help!

  4. #4 Member (Join Date: Dec 2002, Posts: 12,000, Points: 1191)

    Hopefully Steamwiz will have an answer, as I don't.

    BG

  5. #5 steamwiz, Member (Join Date: Sep 2003, Location: Yorkshire U.K., Posts: 14,022, Points: 2335)

    From safemode, go back to msconfig > boot.ini > and remove the checkmark from the /safeboot option

    Then try to reboot to normal mode

    steam
    Look here for Ways to keep your computer safe
    M'SOFT MVP - Windows Security 2004/8. Member ASAP

  6. #6 Member (Join Date: Apr 2006, Location: NJ, Posts: 19, Points: 0)

    Quote Originally Posted by steamwiz
    From safemode, go back to msconfig > boot.ini > and remove the checkmark from the /safeboot option

    Then try to reboot to normal mode

    steam
    Yes, of course that'd be the thing to do assuming we could GET into safe mode - the administrator's account password doesn't work, and the Corporate claims that it hasn't been changed.

    (going to try to save husband's data now using USB hdd and Knoppix...)

  7. #7 Member (Join Date: Dec 2002, Posts: 12,000, Points: 1191)

    Let us know.

    So I assume there will be no funeral.

    BG

  8. #8 steamwiz, Member (Join Date: Sep 2003, Location: Yorkshire U.K., Posts: 14,022, Points: 2335)

    Hi

    Sorry I didn't read your last post properly... this is all I saw...

    "Try to boot into normal mode, NO GO! Goes into safe mode only. F8 on reboot, choose "normal mode", still no go. F8 and choose "last known good configuration", still get safe mode"

    didn't see the .... (which we can't log into).

    Well, if this was a desktop I would tell you to remove the hard drive and slave it in another computer, access the boot.ini ... reverse the change ... put the hard drive back and voilà....

    There are ways to get into Windows but they are not quick or easy...

    http://www.help2go.com/Tutorials/Lin...x_Live_CD.html

    http://home.eunet.no/~pnordahl/ntpasswd/bootdisk.html

    steam

  9. #9 Member (Join Date: Apr 2006, Location: NJ, Posts: 19, Points: 0)

    Basementgeek: I'll live

    For now, I'm still fiddling with the backup (turns out my extra hdd had some problems, so I just am using a USB stick to transfer files from the laptop to my PC, and that's a loooong process).

    Next step: with the backup out of the way, I'm going to try to get back to normal mode by editing the boot.ini directly by booting into linux with ntfs *write* support. Does this sound ok?

    Assuming the above works and I get into normal mode, I can then either: 1) get dh to force the BIG EVIL CORPORATE (LOL) to change the administrator password (possible, but not sure if possible to do today) 2) find a way to change it myself

    Husband is set on using the "re-imaging" DVD that is going to arrive tomorrow... all my today's efforts are/were in vain, save for current backup (which hubby should have been making on a regular basis anyway! :evil: )

    Thanks for your help, if I get a chance/time today to take another stab at the actual virus, I'll post here.

  10. #10 Member (Join Date: Apr 2006, Location: NJ, Posts: 19, Points: 0)

    Paragon NTFS for Linux very nicely and painlessly let me edit the boot.ini to take out the safeboot option (should have done it hours ago, but didn't want to risk *anything* without having a full backup, or my death by hubby's hand would have been certain!).

    I'm back into normal mode, and am going to try to find a way to log in to safe mode.
