|
Help With This Virus (Blue Screen Memory Dump)
|
|
AfterDawn Addict
6 product reviews
|
28. December 2006 @ 12:01 |
Link to this message
|
Hi guys its me I have caused my laptop to come down with a virus. Basically have got most of it but it still dumps me out while using windows it comes out with a blue screen and gives me a memory dump. Can some one help thanxs.
I have got AVG Free and Zone Alarm on the laptop but still no good. What can i do to get rid of it besides formating it. Cause formating a laptop is harder than a desktop (in my opinion.)
Any assistance would be greatly appreciated. :)
Edited by DVDBack23
"the mediocre teacher tells. the good teacher explains. the superior teacher demonstrates. the great teacher inspires."- William Aruthur Ward
Website: http://www.ampleblaze.com |
|
Advertisement
|
|
|
|
|
kateman
Senior Member
|
28. December 2006 @ 13:49 |
Link to this message
|
that could be heaps of stuff that can cause a memory dump. hmm, well in your situation i would run a scan of avast on the computer. its a lot better at finding trojans and viruses than AVG. thats if your sure its a virus or trojan. the link below:
http://www.download.com/Avast-Home-Editi...4-10375520.html
|
AfterDawn Addict
6 product reviews
|
28. December 2006 @ 17:14 |
Link to this message
|
|
I am scanning the laptop with avast and so far its moved stuff to the vault.
I am getting this error when i try to open IE7 it says that it can't find secure32.html
I did delete it when scanning. I am wondering if i reinstall IE & or put IE6 back on will it put that file back on to my pc??
Edited by DVDBack23
"the mediocre teacher tells. the good teacher explains. the superior teacher demonstrates. the great teacher inspires."- William Aruthur Ward
Website: http://www.ampleblaze.com |
AfterDawn Addict
6 product reviews
|
28. December 2006 @ 18:59 |
Link to this message
|
This is the hijack log.
Logfile of HijackThis v1.99.1
Scan saved at 3:55:25 PM, on 29/12/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\WINDOWS\system32\TPSMain.exe
C:\WINDOWS\system32\ZoomingHook.exe
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
C:\Program Files\TOSHIBA\Accessibility\FnKeyHook.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\Toshiba\Tvs\TvsTray.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\ltmoh\Ltmoh.exe
C:\WINDOWS\system32\TCtrlIOHook.exe
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSServ.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Hijack\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {46A4E9D9-B30E-452A-8157-DBBEC8573B03} - C:\Program Files\VSAdd-in\VSAdd-in.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: (no name) - {7DA39570-5FD2-4f18-94B4-20730CB3F727} - C:\WINDOWS\system32\pgoqwqkl.dll
O2 - BHO: (no name) - {F0A666C0-97E6-4213-9372-731302E15C6B} - (no file)
O3 - Toolbar: &VSAdd-in - {74DD705D-6834-439C-A735-A6DBE2677452} - C:\Program Files\VSAdd-in\VSAdd-in.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [CeEKEY] C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [TPNF] C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [ZoomingHook] ZoomingHook.exe
O4 - HKLM\..\Run: [SmoothView] C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
O4 - HKLM\..\Run: [TOSHIBA Accessibility] C:\Program Files\TOSHIBA\Accessibility\FnKeyHook.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [Tvs] C:\Program Files\Toshiba\Tvs\TvsTray.exe
O4 - HKLM\..\Run: [PadTouch] C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
O4 - HKLM\..\Run: [SVPWUTIL] C:\Program Files\Toshiba\Windows Utilities\SVPWUTIL.exe SVPwUTIL
O4 - HKLM\..\Run: [HWSetup] C:\Program Files\TOSHIBA\TOSHIBA Applet\HWSetup.exe hwSetUP
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [LtMoh] C:\\Program Files\\ltmoh\\Ltmoh.exe
O4 - HKLM\..\Run: [TCtryIOHook] TCtrlIOHook.exe
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe
O4 - HKLM\..\Run: [CFSServ.exe] CFSServ.exe -NoClient
O4 - HKLM\..\Run: [AutoSys] C:\WINDOWS\system32\autosys.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - https://www-secure.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://eu-housecall.trendmicro-europe.co...ivex/hcImpl.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupd...b?1143847820558
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} - https://www-secure.symantec.com/techsupp/asa/ctrl/SymAData.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: vturs - C:\WINDOWS\
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: winexy32 - C:\WINDOWS\SYSTEM32\winexy32.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: COM+ Messages - Unknown owner - C:\WINDOWS\system32\svchosts.exe" -e (file missing)
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: Microsoft authenticate service (MsaSvc) - Unknown owner - C:\WINDOWS\system32\msasvc.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
can someone let me know what i have to do from this??
Edited by DVDBack23
"the mediocre teacher tells. the good teacher explains. the superior teacher demonstrates. the great teacher inspires."- William Aruthur Ward
Website: http://www.ampleblaze.com |
Senior Member
|
28. December 2006 @ 22:00 |
Link to this message
|
Hi borhan9,
This is the reason you're infected "j2re1.4.2_05". You've still got Java version 4.0 when 6.0 is now available. :-)
SmitfraudFix will remove the secure32.html, but there are also more infections you need to remove also.
Download SmitfraudFix.zip to the desktop from here.
Extract the files to the desktop.
Do not run it yet, you will in safe mode.
Go to Add/Remove Programs and uninstall:
VSAdd-in
Then, go to Start > Run > type services.msc > click OK.
Find the following and double-click it.
COM+ Messages
Beside "Startup type" click the drop-down menu and select "Disabled".
Close Services.
Open HijackThis.
Click "Open th misc tools section".
Click "Delete an NT service".
Copy/paste this into the area and click OK.
O23 - Service: COM+ Messages - Unknown owner - C:\WINDOWS\system32\svchosts.exe" -e (file missing)
You will be prompted to restart, click No.
Click "Back" and then "Scan".
Check these:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
O2 - BHO: (no name) - {46A4E9D9-B30E-452A-8157-DBBEC8573B03} - C:\Program Files\VSAdd-in\VSAdd-in.dll
O2 - BHO: (no name) - {7DA39570-5FD2-4f18-94B4-20730CB3F727} - C:\WINDOWS\system32\pgoqwqkl.dll
O2 - BHO: (no name) - {F0A666C0-97E6-4213-9372-731302E15C6B} - (no file)
O3 - Toolbar: &VSAdd-in - {74DD705D-6834-439C-A735-A6DBE2677452} - C:\Program Files\VSAdd-in\VSAdd-in.dll
O4 - HKLM\..\Run: [AutoSys] C:\WINDOWS\system32\autosys.exe
O20 - Winlogon Notify: vturs - C:\WINDOWS\
O20 - Winlogon Notify: winexy32 - C:\WINDOWS\SYSTEM32\winexy32.dll
Close all windows except HijackThis, then click Fix checked.
Note: Print or copy these instructions to Notepad and save them. You will be in safe mode and can't access the internet.
* Reboot your computer in Safe Mode (upon boot press F8, select "Safe Mode" from the menu and press Enter)
* Open the SmitfraudFix folder.
* Double-click smitfraudfix.cmd
* Select 2 and hit Enter to delete infect files.
* You will be prompted: Do you want to clean the registry ? answer Y (yes) and hit Enter in order to remove the desktop background and clean registry keys associated with the infection.
* The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found): Replace infected file ? answer Y (yes) and hit Enter to restore a clean file.
* A reboot may be needed to finish the cleaning process. The report can be found at the root of the system drive, usually at C:\rapport.txt.
*Exit SmitfraudFix.
Show hidden files and folders.
Start > Control Panel > Folder Options > View tab > check "Show hidden files and folders".
Click Apply, then OK.
Locate and delete these(if there):
C:\Program Files\VSAdd-in <--folder
C:\WINDOWS\system32\autosys.exe <--file
C:\WINDOWS\SYSTEM32\winexy32.dll <--file
Empty the Recycle Bin and restart in normal mode.
Go here and download Java Runtime Environment 6.0.
Uninstall all previous version and updates of JRE via Add/Remove Programs.
Restart and install Version 6.0.
Turn off System Restore.
Right click My Computer > Properties > System Restore tab > check "Turn off System Restore".
Click Apply, then OK.
Restart and turn System Restore back on.
Go here to run Kaspersky Online Scanner.
After downloading, click "My Computer" to scan.
After scanning, click "Save report as".
Save as a text file on the desktop.
Post the Kaspersky log along with a new HijackThis log.
|
AfterDawn Addict
6 product reviews
|
29. December 2006 @ 11:29 |
Link to this message
|
Quote:
C:\WINDOWS\SYSTEM32\winexy32.dll <--file
Ok this file was not there. Also it has not got rid of the trojan yet. I have found the recovery disc's would that help put things back to normal. I have not used recovery DVD's before, I have dont it through a clean format on my Desktop PC's before but never had to deal with the laptops.
Will the recovery DVD also have a format option??
Thanxs in advance :)
Edited by DVDBack23
"the mediocre teacher tells. the good teacher explains. the superior teacher demonstrates. the great teacher inspires."- William Aruthur Ward
Website: http://www.ampleblaze.com |
AfterDawn Addict
6 product reviews
|
29. December 2006 @ 14:16 |
Link to this message
|
|
UPDATE
Well I have decided to cut all loses and format the drive. That took some doing. I had to get my trusty old Heiren BootCD out and let it weave its magic :)
It did that and then i put in the recovery DVD. At first it looked like it did not work. But it was just taking its time :)
So far im nearly quarter the way done. At some level i am pleased that i have got the bug out of the system. But on the other hand i feel defeated.
I will keep you posted on the final results :)
Edited by DVDBack23
"the mediocre teacher tells. the good teacher explains. the superior teacher demonstrates. the great teacher inspires."- William Aruthur Ward
Website: http://www.ampleblaze.com |
Senior Member
|
29. December 2006 @ 17:07 |
Link to this message
|
|
Formatting the HD is very unnecessary in this case. These infections are not that serious and can be cleaned relatively easily. But, it's your computer and your choice. :-)
|
AfterDawn Addict
6 product reviews
|
29. December 2006 @ 19:05 |
Link to this message
|
|
@Niobis
Thanxs for the heads up. But it was really frustrating me soo i did what i did. I had nothing on the laptop of importance so i formated. Don't worry i feel defeated by it. Cause i feel what i did was a cop out. :(
Ohh well better luck next time i should no better that create a problem for me.
Edited by DVDBack23
"the mediocre teacher tells. the good teacher explains. the superior teacher demonstrates. the great teacher inspires."- William Aruthur Ward
Website: http://www.ampleblaze.com |
|
xhardc0re
Suspended due to non-functional email address
|
30. December 2006 @ 19:03 |
Link to this message
|
Niobis, i'm curious as to what that HijackThis log shows he had on his system. I didn't see anything unusual, but i'm no security expert.
If someone can afford it, I say buy a 2nd hard drive & install that with your favorites apps. At the very least, Ghost your system once every week & save the older drive image for about 3-4 months. If someone partitions their HDD so Windows has a 5GB drive, a 1.2GB swap, and then all the others at or below 30MB (FAT32 will go to 32,749MB but no more than that) you are GOLDEN! You'll have drives that can be read/written to by Linux, with a decent cluster size, and safe to use with any OS all the way back to Win95.
A second hard drive, if you keep track of what's on there, is a huge failsafe when this malware sh*t attacks your computer. Eventually, unless they're some security expert they will run into these problems.
if you're a college student, do NOT settle with the RIAA http://tinyurl.com/37oz2z
~ SlimPS2 v15US, PSP v3.60FW, TaiyoYuden DVD-R, SwapMagic_v3.6 & BreakerPro 1.1 (No mod)
Writer: HL-DT-ST DVD-RW GWA-4080N 0G03 SW: DVDDecrypt*r,
lastest Nero Ultra 7 & Alcohol 120% ~ |
|
Advertisement
|
|
|
Senior Member
|
1. January 2007 @ 13:33 |
Link to this message
|
Originally posted by xhardc0re:
I didn't see anything unusual
Look again. :-) All of these are bad:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
O2 - BHO: (no name) - {46A4E9D9-B30E-452A-8157-DBBEC8573B03} - C:\Program Files\VSAdd-in\VSAdd-in.dll
O2 - BHO: (no name) - {7DA39570-5FD2-4f18-94B4-20730CB3F727} - C:\WINDOWS\system32\pgoqwqkl.dll
O2 - BHO: (no name) - {F0A666C0-97E6-4213-9372-731302E15C6B} - (no file)
O4 - HKLM\..\Run: [AutoSys] C:\WINDOWS\system32\autosys.exe
O20 - Winlogon Notify: vturs - C:\WINDOWS\
O20 - Winlogon Notify: winexy32 - C:\WINDOWS\SYSTEM32\winexy32.dll
O23 - Service: COM+ Messages - Unknown owner - C:\WINDOWS\system32\svchosts.exe" -e (file missing)
|
