Tom's Guide | Tom's Hardware | Tom's Games
I had a worm earlier today that spreads itself across networks, can't remember the name of it now, but I got tired of trying to remove it and just stuck the factory restore disk in and fixed everything, or so I thought. Before the factory restore and even now, afterwards, every so often, or should I say every few minutes, a bunch of windows pop up all over the screen. When it first started, it was Outlook Express, then I changed my email client over to Hotmail and then IE windows popped up everywhere. Well, after the restore, I finally took a breath and then they started coming up everywhere again. This time it was throwing up Outlook Express setup windows all over the screen, because I hadn't set it up since restoring. Also, the same thing happened when I made Thunderbird my default email client. So what file is screwed up, and why in the heck didn't the system restore fix it? It doesn't make any sense to me. Hope someone knows what's going on. I'm running AVG right now with System Restore enabled and all hidden folders showing and I'm not seeing any viruses; of course, I'm really suspecting it's not a virus, worm, etc. that's causing the problem.

&%*~&%*~&%*~&%*~&%*~&%*~&%~&%*8~&%Oh, and sometimes these characters start texting across anywhere I'm writing like it just did ~&here and also, the Firefox text finder pops up at the bottom of Firefox and scrolls that text through the text finder box. Really annoying, maybe it could be Firefox?? Hmmm. Is a possibility. May go back and try an older build. 1.5.0.3 is what I'm using right now. Will go check on their forums while waiting for a reply here.

I doubt it's Firefox. Have you run HijackThis or Ad-Aware or any spyware program? Have you tried another keyboard?
Life is more painless for those who are brainless.

Sounds like an infection to me...spyware/malware, browser hijack, trojan, virus, etc...could be any or all.
Download & install Spybot, Ad-Aware, HiJackThis, TrojanRemover, CCleaner & have a go at it.
http://www.filehippo.com/
http://www.simplysup.com/

Alrighty, I'm downloading them now. Well, now in addition to the windows popping up, I'm getting new "tabs" opening up in Firefox and loading the set homepage in Firefox. Still don't see how this made it through a factory restore. Noticed during the restore that it didn't rewrite the D: drive, because I was disconnected from the network and had no CDRW to copy to, so I just transferred my files to D: and hoped they made it through the restore. Well, everything is still there. Oh, and I had Ad-Aware installed and updated before the restore and ran it, and I use HijackThis every so often for checks, and they both came up clean except for Ad-Aware, which found some Alexa entries, which I had it "FIX", but nothing other than that. And one more thing: I uninstalled Firefox according to their directions, even the registry entry, and reinstalled an earlier version and of course that did no good. I'll have a go at your suggestions and post back later.

Ran all of the above with nothing harmful coming up and still getting the windows popping up, this is getting very annoying now. I've already had to close 5 Firefox windows while writing this post. If I keep another browser window open behind the window I'm working on, it seems to happen less frequently??? I'm outta guesses here. Any more suggestions??

Stick your HijackThis log down so people can cast a gaze over it. They might spot something you haven't.

The message before last, as I posted, warned me not to post a HijackThis log here as it would be removed, unless you're an expert, that is :). I have disabled System Restore and have not had any problems since. Good riddance, never used it anyway, always used the disk. Why it would be causing the problem, I have no idea. I'll let y'all know if any more problems occur. Thanks for the help thus far.

There are a few "experts" floating around here. I wouldn't have told you to post a log otherwise. Up to you, the offer was there.

Yea, post your HiJackThis log.
BTW, my mistake for not telling you to disable system restore...that should always be done when infection is suspected & scans are run. Once the system is clean, re-enable it & set a new restore point. (because once it's disabled, all previous restore points are lost)

Guess y'all figured I'd be back..:)
Logfile of HijackThis v1.99.1
Scan saved at 11:19:08 PM, on 7/20/2006
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v5.50 (5.50.4134.0100)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.exe
C:\WINDOWS\SYSTEM\MPREXE.exe
C:\WINDOWS\EXPLORER.exe
C:\WINDOWS\SYSTEM\RESTORE\STMGR.exe
D:\MY DOCUMENTS\HIJACKTHIS\HIJACKTHIS.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gardenweb.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Hidserv] Hidserv.exe run
O4 - HKLM\..\Run: [CPQInet] c:\compaq\CPQInet\CpqInet.exe
O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
O4 - HKLM\..\Run: [PCTVOICE] pctvoice.exe
O4 - HKLM\..\Run: [ICSMGR] ICSMGR.exe
O4 - HKLM\..\Run: [CompaqPrinTray] PrinTray.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.exe
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.exe
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.exe
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.exe
------------------ CWSHREDDER
Windows ME (4.90.3000)
Windows dir: C:\WINDOWS
Windows system dir: C:\WINDOWS\SYSTEM
AppData folder: C:\WINDOWS\Application Data
Username:
Hosts file not present
Found Win.ini file: C:\WINDOWS\win.ini (8210 bytes, A)
Found line in Win.ini: load=
Found line in Win.ini: run=
Found System.ini file: C:\WINDOWS\system.ini (1847 bytes, A)
Found line in System.ini: shell=Explorer.exe
- END OF REPORT -
-------------
CCleaner
ANALYSIS COMPLETE - (0.196 secs)
---
1.86MB to be removed. (Approximate size)
---
Details of files to be deleted (Note: No files have been deleted yet)
---
IE Temporary Internet Files (12 files) 39.64KB
Marked for deletion: C:\WINDOWS\Temporary Internet Files\Content.IE5\index.dat
Marked for deletion: C:\WINDOWS\Cookies\index.dat
Emptied Recycle Bin (4 files) 4.89KB
C:\WINDOWS\IOS.LOG 679 bytes
C:\WINDOWS\HSP56 MicroModem.log 1.86KB
C:\WINDOWS\WININIT.BAK 273 bytes
C:\WINDOWS\ICSLOG.TXT 325 bytes
C:\WINDOWS\SchedLog.Txt 7.26KB
C:\WINDOWS\NDISLOG.TXT 0 bytes
C:\WINDOWS\Application Data\Mozilla\Firefox\profiles\c7napbkk.default\cache\_CACHE_MAP_ 0.13MB
C:\WINDOWS\Application Data\Mozilla\Firefox\profiles\c7napbkk.default\cache\_CACHE_001_ 0.14MB
C:\WINDOWS\Application Data\Mozilla\Firefox\profiles\c7napbkk.default\cache\_CACHE_002_ 0.13MB
C:\WINDOWS\Application Data\Mozilla\Firefox\profiles\c7napbkk.default\cache\_CACHE_003_ 0.21MB
C:\WINDOWS\Application Data\Mozilla\Firefox\profiles\c7napbkk.default\cache\8D6E4450d01 42.44KB
C:\WINDOWS\Application Data\Mozilla\Firefox\profiles\c7napbkk.default\cache\B33B0DEAd01 26.48KB
C:\WINDOWS\Application Data\Mozilla\Firefox\profiles\c7napbkk.default\cache\5F6F00A4d01 20.52KB
C:\WINDOWS\Application Data\Mozilla\Firefox\profiles\c7napbkk.default\cache\72D980C1d01 24.03KB
C:\WINDOWS\Application Data\Mozilla\Firefox\profiles\c7napbkk.default\history.dat 343 bytes
C:\WINDOWS\Application Data\Mozilla\Firefox\profiles\c7napbkk.default\downloads.rdf 206 bytes
C:\WINDOWS\All Users\Application Data\Spybot - Search & Destroy\Logs\Checks.060720-0624.log 192 bytes
C:\WINDOWS\All Users\Application Data\Spybot - Search & Destroy\Statistics.ini 0 bytes
C:\WINDOWS\All Users\Application Data\Grisoft\Avg7Data\upd7bin\avginet.log 4.07KB
C:\WINDOWS\All Users\Application Data\Grisoft\Avg7Data\upd7bin\avginfo.ctf 2.52KB
C:\WINDOWS\All Users\Application Data\Grisoft\Avg7Data\upd7bin\download.nfo 121 bytes
C:\WINDOWS\All Users\Application Data\Grisoft\Avg7Data\upd7bin\u7avi778u77523.bin 52.63KB
C:\WINDOWS\All Users\Application Data\Grisoft\Avg7Data\upd7bin\u7iavi401u39924.bin 96.26KB
C:\WINDOWS\All Users\Application Data\Grisoft\Avg7Data\avg7upd\update7.log 0.21MB
C:\WINDOWS\All Users\Application Data\Grisoft\Avg7Data\avg7log.log 12.71KB
C:\WINDOWS\All Users\Application Data\Grisoft\Avg7Data\history.log 1.16KB
C:\WINDOWS\All Users\Application Data\Grisoft\Avg7Data\Avg7.log 975 bytes
C:\WINDOWS\Application Data\AVG7\Log\emc.log 3.33KB
---

You're right, it's puzzling. The logs look good but just double check, using search for files and folders, how many instances of SysTray.exe you have (you should have one genuine microsoft one in c:\windows\system). Check the exact location(s).
Assuming you went on to clean what Crap Cleaner found. You can download and run Delindex too.
Next is standard advice until it's been done - use a couple of dedicated online virus scanners, running them is boring but can glean information and can unearth things. Make sure restore is disabled. I'd be surprised if you don't have something hooked in somewhere, just a case of finding it.
Symantec Security Check - Virus Detection
If you do think you have a suspect file, upload it to the Kaspersky online virus scanner and check it out. Have to ponder until you've done that. Stick down anything else you've observed, forgot, remembered.
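The checks this post asks for (how many copies of SysTray.exe exist and where, whether anything is hooked into win.ini load=/run= or the system.ini shell= line) are the kind of thing worth scripting once you are staring at a log. As an added example, not part of the thread and not code from HijackThis, CWShredder or any other tool named here, the Python below parses a HijackThis 1.99 log excerpt and a CWShredder-style ini report. The log excerpt, the ini reports and the file-search results embedded in it are constructed for the example; the second copy of SysTray.exe under C:\WINDOWS\TEMP is hypothetical and was not found on the poster's machine.

```python
"""Added example: triage a HijackThis 1.99 log and a CWShredder-style ini report.

Illustrative code written for this thread, not part of HijackThis, CWShredder
or any other tool named in it. It automates three manual checks:
  1. list O4 autorun entries whose command is a bare file name, because those
     are resolved by the system's search order rather than an explicit path,
     so a same-named copy elsewhere could be started instead of the genuine file;
  2. given every location where a file of that name was found (the result of
     a Find Files search), report copies outside the Windows/System directories;
  3. flag win.ini load=/run= values and a system.ini shell= other than Explorer.exe.
All sample data below is constructed; the TEMP copy of SysTray.exe is hypothetical.
"""
import re
from typing import Dict, List

# Constructed excerpt in HijackThis v1.99 log format.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [SystemTray] SysTray.exe
O4 - HKLM\..\Run: [Hidserv] Hidserv.exe run
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.exe /STARTUP
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\wkcalrem.exe
"""

# Constructed CWShredder-style reports: the first is clean, the second carries hooks.
CLEAN_INI_REPORT = """\
Found line in Win.ini: load=
Found line in Win.ini: run=
Found line in System.ini: shell=Explorer.exe
"""
HOOKED_INI_REPORT = """\
Found line in Win.ini: load=
Found line in Win.ini: run=C:\\WINDOWS\\TEMP\\SysTray.exe
Found line in System.ini: shell=Explorer.exe C:\\WINDOWS\\TEMP\\SysTray.exe
"""

# Constructed result of a "Find Files" search for SysTray.exe; the TEMP copy is
# hypothetical, included only to show what a misplaced duplicate looks like.
FOUND_SYSTRAY = [r"C:\WINDOWS\SYSTEM\SysTray.exe", r"C:\WINDOWS\TEMP\SysTray.exe"]

# Directories where a genuine copy of a Windows ME system binary is expected.
EXPECTED_DIRS = {r"C:\WINDOWS", r"C:\WINDOWS\SYSTEM"}

O4_RE = re.compile(r"^O4 - (?P<key>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
INI_RE = re.compile(
    r"^Found line in (?P<file>Win\.ini|System\.ini): (?P<key>\w+)=(?P<val>.*)$", re.I
)


def command_image(cmd: str) -> str:
    """Return the executable part of an autorun command (quotes and arguments stripped)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0] if cmd else ""


def unpathed_autoruns(log: str) -> List[Dict[str, str]]:
    """O4 registry autoruns whose image has no drive letter or directory component."""
    found = []
    for line in log.splitlines():
        m = O4_RE.match(line)
        if not m:
            continue
        image = command_image(m.group("cmd"))
        if "\\" not in image and ":" not in image:
            found.append({"key": m.group("key"), "name": m.group("name"), "image": image})
    return found


def misplaced_copies(image: str, found_paths: List[str]) -> List[str]:
    """Copies of `image` among the search results that sit outside an expected directory."""
    bad = []
    for path in found_paths:
        directory, _, name = path.rpartition("\\")
        if name.lower() == image.lower() and directory.upper() not in EXPECTED_DIRS:
            bad.append(path)
    return bad


def ini_hooks(report: str) -> List[str]:
    """win.ini load=/run= carrying a value, or a system.ini shell= that is not plain Explorer.exe."""
    findings = []
    for line in report.splitlines():
        m = INI_RE.match(line.strip())
        if not m:
            continue
        fname, key, val = m.group("file").lower(), m.group("key").lower(), m.group("val").strip()
        if fname == "win.ini" and key in ("load", "run") and val:
            findings.append(f"win.ini {key}={val}")
        elif fname == "system.ini" and key == "shell" and val.lower() != "explorer.exe":
            findings.append(f"system.ini shell={val}")
    return findings


if __name__ == "__main__":
    for entry in unpathed_autoruns(SAMPLE_LOG):
        print(f"unpathed autorun: {entry['key']} [{entry['name']}] -> {entry['image']}")
    print("misplaced SysTray.exe:", misplaced_copies("SysTray.exe", FOUND_SYSTRAY))
    print("ini hooks (clean):", ini_hooks(CLEAN_INI_REPORT))
    print("ini hooks (hooked):", ini_hooks(HOOKED_INI_REPORT))
```

Run against the log posted above, the unpathed list is long (SysTray.exe, Hidserv.exe, Rundll32.exe, mstask.exe and the Compaq entries), and every one of those names is a candidate for the same Find Files check this post describes for SysTray.exe; the script only narrows the search, it does not decide what is malicious.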

Yeah, deleted the CCleaner files, ran Delindex in DOS. No luck with the scans either. I'm debating trying another restore and taking the chance it will drop this thing. Don't know. Always open for ideas...

"just double check, using search for files and folders, how many instances of SysTray.exe you have (you should have one genuine microsoft one in c:\windows\system). Check the exact location(s)."


Meant to post that last time. I did check and there is only one, and it is in the Windows System folder. Ran Ad-Aware again and found Alexa registry and file entries once more. The hard drive keeps kicking in (the light runs for a few seconds) right now, and it's pasting what's in the clipboard and adding the characters, popping up a new window and loading the MSN home page. Hasn't bothered me too much today, just started really going a few minutes ago. Seems to have a mind of its own.

Whatever it is, it's also making copies of shortcuts to random programs in whatever folder I'm in, including the Desktop. So it'll make copies like, Shortcut (1) to aswsyn20, Shortcut (2) to aswsyn20. But it's random that I can tell.

1a) Do me a favour and unzip HijackThis to a folder in C:\Program Files. Then run it again and post the log.
1b) Describe what type of network you're connected to - simple home set-up? Also, describe in general your system set-up and what you use it for. You could really do with remembering the name of the worm ("that spreads itself across networks") in the original infection.
2) Having run what you've run - and done what you've done - I'd be seriously tempted to uninstall AVG (if it's possible in the system's current state) and, assuming you have no problem yet getting online, downloading and installing, install a free 30-day trial evaluation version of Kaspersky Anti-Virus 6.0; it deals with viruses, worms and trojans like few other anti-virus packages. (Take a look at Kaspersky Anti-Virus for Windows Workstations (25) and Windows File Server (1) too.)
Do post that new HJT log first though.

