Calguns.net  

Malware & Virus Infection

#1 | 01-12-2010, 11:23 AM | Josh3239 (Calguns Addict; Join Date: Dec 2006; Location: Ventura County; Posts: 8,784; iTrader: 53 / 100%)

Okay, I am very very close to reformatting. Most of my stuff is backed up so it really isn't a problem. Though I'd like to avoid it if I can.

I got hit with some bad malware or adware or whatever. Some of my search engine results are redirected and I get some pop ups as well, most of the pop ups are some website survey page. Occasionally the redirects are to fake internet scans that show I have infections and need to buy their bogus virus scanners. It was actually worse before.

I just dealt with a Windows stop error that I believe was 0000007B; safe mode didn't work. I booted from "last known good" or whatever. That worked. I have been using many free software programs that haven't been able to pin it down; amongst others there are Malwarebytes, HiJackThis, SuperAntiSpyware, Ashampoo, and Avast.

Is there anybody out there who can help me? Thanks in advance!
__________________
Proud NRA Life Member As Of 2016


"The American people will never knowingly adopt socialism, but under the name of liberalism they will adopt every fragment of the socialist program until one day America will be a socialist nation without ever knowing how it happened." Norman Thomas, American socialist
#2 | 01-12-2010, 11:41 AM | code33 (Senior Member; Join Date: Nov 2004; Location: SF Bay Area; Posts: 966; iTrader: 54 / 100%)

Try this...

Go here:
http://www.avira.com/en/support/support_downloads.html
Download Avira AntiVir Rescue System in .ISO format. Burn it to a CD, then boot the computer from the CD. This CD will have up-to-date virus definitions included as part of the download. If you don't have software that burns .ISOs to CD, you can use the .EXE version, which will burn the CD for you. It is Linux-based and will boot and run before Windows loads.

After running the Avira scan from the CD, boot to Safe Mode and delete all cookies, temp files, etc. from browsers.

Then run SuperAntiSpyware and MalwareBytes in Safe Mode, if possible.
#3 | 01-12-2010, 1:17 PM | Josh3239

I'm on my cell. Avira is on the scanner but nothing is happening. Status says scanner not started. The Start scanner button is faded; it cannot be clicked. It isn't frozen though, I can do anything except starting the scanner.

Back on my computer. Scanner does nothing. Safe mode doesn't start; it turns into a Windows stop error. MalwareBytes found nothing.

Last edited by Josh3239; 01-12-2010 at 1:24 PM..
#4 | 01-12-2010, 1:37 PM | jammer2k (Member; Join Date: Jan 2008; Location: Capitola; Posts: 273; iTrader: 4 / 100%)

Post your HiJackThis report.
__________________
Quote:
Originally Posted by bwiese View Post
Please also don't confuse small-L libertarians with the Big-L Libertarian Party. The former is a stance; the latter is generally useless (unelectable).
#5 | 01-12-2010, 1:55 PM | 97F1504RAD (Veteran Member; Join Date: Dec 2008; Location: Nor Cal-East Bay Area; Posts: 4,949; iTrader: 72 / 100%)

I got hit with something similar to what you're describing a few days ago. Here is a link to some info on it for you.

http://securityresponse.symantec.com...010610-4802-99
__________________
Shop @ Amazon via link to Donate to CGF:
#6 | 01-12-2010, 2:04 PM | ojisan (Agent 86, CGN Contributor; Join Date: Apr 2008; Location: SFV; Posts: 9,183; iTrader: 41 / 100%)

My Mom's computer got this virus.
There is a step-by-step YouTube video on how to fix this.
I don't know where it is on YouTube; my sister found it.
Maybe search the virus name.
It took 3 hours to fix, but she did it.
__________________
Quote:
Originally Posted by Lonestargrizzly View Post
Is the lapdance from a donkey? Cuz that's worth it.
#7 | 01-12-2010, 2:13 PM | Josh3239

Originally my background got hijacked, the pop ups happened a lot more, and the redirects were after every search result. Pop ups and redirects aren't as strong and the background is back to normal. Also, the virus had shut down Ctrl+Alt+Del; I have fixed that as well.

I am actually getting another error, I'll write down what it is next time I get it but it says windows suffered a serious error and needs to reboot and counts down from I think a 45 second timer. Very annoying.

Here is my HiJackThis log (by the way, I removed the seconds from the time because it created one of those animated smilies hosted on this site):
Quote:
Originally Posted by HiJack This
Logfile of Trend Micro HijackThis v2.0.3 (BETA)
Scan saved at 3:13 PM, on 1/12/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Ashampoo\Ashampoo AntiSpyWare 2\AntiSpyWareService.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\TrendMicro\HiJackThis\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Browser Defender BHO - {2A0F3D1B-0909-4FF4-B272-609CCE6054E7} - C:\Program Files\Spyware Doctor\BDT\PCTBrowserDefender.dll
O3 - Toolbar: PC Tools Browser Guard - {472734EA-242A-422B-ADF8-83D1E48CC825} - C:\Program Files\Spyware Doctor\BDT\PCTBrowserDefender.dll
O4 - HKLM\..\Run: [nwiz] C:\Program Files\NVIDIA Corporation\nView\nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Nxigorilo] rundll32.exe "C:\WINDOWS\alekicilucip.dll",Startup
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe " -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe " -t (User 'Default user')
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O21 - SSODL: vigibetos - {29bbd6c9-7521-4b1f-9183-c1cd56ed1cad} - c:\windows\system32\zavisomu.dll (file missing)
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: gahurihor - {29bbd6c9-7521-4b1f-9183-c1cd56ed1cad} - c:\windows\system32\zavisomu.dll (file missing)
O23 - Service: Ashampoo AntiSpyWare 2 Service (AASW2_Service) - Unknown owner - C:\Program Files\Ashampoo\Ashampoo AntiSpyWare 2\AntiSpyWareService.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Browser Defender Update Service - Unknown owner - C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe

--
End of file - 6386 bytes
#8 | 01-12-2010, 2:29 PM | jammer2k

O4 - HKLM\..\Run: [Nxigorilo] rundll32.exe "C:\WINDOWS\alekicilucip.dll",Startup
and
O21 - SSODL: vigibetos - {29bbd6c9-7521-4b1f-9183-c1cd56ed1cad} - c:\windows\system32\zavisomu.dll (file missing)

are not good guys. While the second one says it is missing, I would still remove it. Try removing both of those items and see if the behaviour changes for the better.

EDIT: Realized I wasn't very clear. In HiJackThis, check both of these items (and only these items) and then click Fix Checked in the scan & fix section below.

Last edited by jammer2k; 01-12-2010 at 2:33 PM..
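A defender's way of checking the reasoning in the post above (which entries in a HijackThis log stand out, and why), written as an added example rather than code from this thread or from HijackThis: it parses the log format, flags Run entries that hand rundll32 a DLL outside system32 or Program Files, flags registered COM components whose DLL is absent, and notices one CLSID registered under two autostart sections. The location and CLSID-pairing heuristics are assumptions of this example, not HijackThis rules; the sample log is constructed from the lines posted here.

```python
import re

# Constructed sample, modelled on the HijackThis log posted in this thread:
# the entries jammer2k flagged plus benign NVIDIA/avast!/browseui lines for contrast.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Nxigorilo] rundll32.exe "C:\WINDOWS\alekicilucip.dll",Startup
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O21 - SSODL: vigibetos - {29bbd6c9-7521-4b1f-9183-c1cd56ed1cad} - c:\windows\system32\zavisomu.dll (file missing)
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: gahurihor - {29bbd6c9-7521-4b1f-9183-c1cd56ed1cad} - c:\windows\system32\zavisomu.dll (file missing)
"""

# O4: autostart via a Run key.  O2/O3/O21/O22: COM components keyed by CLSID.
RE_O4 = re.compile(r"^O4 - (?P<hive>.+?): \[(?P<label>[^\]]*)\] (?P<cmd>.*)$")
RE_CLSID = re.compile(
    r"^(?P<sect>O2|O3|O21|O22) - [^:]+: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.*)$")
# Heuristic (an assumption of this example, not a HijackThis rule): a Run entry
# that hands rundll32 a DLL living outside system32 / Program Files deserves a look.
RE_RUNDLL = re.compile(r'rundll32(?:\.exe)?\s+"?([^",]+\.dll)', re.I)
RE_TRUSTED_DIR = re.compile(r"\\(system32|program files|progra~1)\\", re.I)


def analyze(log_text):
    """Return (log line, reason) pairs for entries that merit review."""
    findings, clsid_first_seen = [], {}
    for line in (l.strip() for l in log_text.splitlines()):
        m = RE_O4.match(line)
        if m:
            dll = RE_RUNDLL.search(m.group("cmd"))
            if dll and not RE_TRUSTED_DIR.search(dll.group(1)):
                findings.append((line, "rundll32 loads a DLL from outside system32/Program Files"))
            continue
        m = RE_CLSID.match(line)
        if not m:
            continue
        path, clsid, sect = m.group("path").lower(), m.group("clsid").lower(), m.group("sect")
        if "(file missing)" in path or path == "(no file)":
            findings.append((line, "registered component whose DLL is absent from disk"))
        # One CLSID hooked into two autostart sections (O21 and O22 here) is a pattern worth noting.
        if clsid in clsid_first_seen and clsid_first_seen[clsid] != sect:
            findings.append((line, f"same CLSID also registered under {clsid_first_seen[clsid]}"))
        clsid_first_seen.setdefault(clsid, sect)
    return findings


if __name__ == "__main__":
    for entry, why in analyze(SAMPLE_LOG):
        print(f"{why}:\n    {entry}")
```

Run against the full log from post #7 it reports exactly the two entries jammer2k named plus the orphaned O2 BHO and the O22 twin of the O21 entry; a flag means "review", not "malicious".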
#9 | 01-12-2010, 3:38 PM | Josh3239

Did it and rebooted. The O21 item is gone; the O4 item is still there.
#10 | 01-12-2010, 4:13 PM | jammer2k

How is the system behaving?
#11 | 01-12-2010, 4:15 PM | Josh3239

The redirects, pop ups, and errors are still here. The computer does seem to run faster though. I think the one that wouldn't go away is tied into the redirects and pop ups.

I got that reboot error again and wrote it down. It is a 1 minute timer; it says a shutdown was initiated by NT Authority\System. Something else about DCOM Server Process Launcher terminated unexpectedly.
#12 | 01-12-2010, 4:39 PM | foxtrotuniformlima (Veteran Member; Join Date: Nov 2008; Location: Los Angeles; Posts: 2,578; iTrader: 163 / 100%)

I had a nasty one before Christmas. Ended up going the way of the reformat.

Glad I did as it runs much better now.
__________________
California - Come for the taxes, stay for the gun laws.
#13 | 01-12-2010, 6:36 PM | Josh3239

Hmm, I ran SpyBot this evening and found some bad sounding things. There are a whole bunch of things with the title "Microsoft.Windows.DisableSystemRestore". There were tons of these, bypass firewalls, antivirus override and a couple of Win32 agents. Hopefully this'll help, as none of my other software programs were working.
#14 | 01-12-2010, 8:30 PM | code33

If you have another profile, log on as that and scan from there. That profile might not be hosed or as bad.