bad spy/adware

Postby SmokeYou » Sun Nov 20, 2005 9:04 pm

OK, I was checking my e-mail and I had a message from a friend with a link. I went to it, but then my computer shut down. When I turned it back on, some Spy Sheriff started running and my wallpaper changed to something blue with a black box in the middle that said "spyware infection". Windows Explorer keeps on shutting down and I can't go into any file; it just exits. I created a new account and deleted my old one and ran Microsoft AntiSpyware, but it didn't help. I want to reinstall Windows, however I have lost the CD so...

Oh, also there are icons appearing on my desktop; there have been about 12 within the last 10 min.
PRO Level 11
Posts: 491
Joined: Mon May 10, 2004 12:47 am
Location: Southern Colorado

Postby augie » Sun Nov 20, 2005 9:17 pm

Ooh, that's a bad one. :no First, I'd go to your friend's house and strangle him. As for the CD, MS will ship you a new one if you have all your info.
Everything that irritates us about others can lead us to an understanding of ourselves. -- Carl Jung

eVGA X58 tri-SLI, i7 930 @ 3.8GHz., Corsair 6GB Dominator, Inno3D GTX470, eVGA260
ASUS P8P67 Pro, i7 2600K @4.60 GHz, 8GB RAM, eVGA GTX 460
Community Director
Posts: 7870
Joined: Mon Aug 26, 2002 1:55 am
Location: Laurentians, Quebec

Postby SmokeYou » Sun Nov 20, 2005 9:19 pm

I'll talk to Microsoft; I don't know if I have the receipts. But until then, has anyone ever had this problem and how do you fix it?

Postby augie » Sun Nov 20, 2005 9:33 pm

Ok, let's start with posting a log from Hijack This here.

Postby SmokeYou » Sun Nov 20, 2005 9:44 pm

StartupList report, 11/20/2005, 2:43:47 PM
StartupList version: 1.52
Started from : C:\DOCUME~1\jeff\LOCALS~1\Temp\Temporary Directory 1 for startuplist[1].zip\StartupList.EXE
Detected: Windows XP SP2 (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 SP2 (6.00.2900.2180)
* Using default options
==================================================

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\CTHELPER.EXE
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\wuauclt.exe
D:\Program Files\Azureus\Azureus.exe
C:\Program Files\Java\jre1.5.0_05\bin\javaw.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\DOCUME~1\jeff\LOCALS~1\Temp\Temporary Directory 1 for startuplist[1].zip\StartupList.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Common Startup:
[C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup]
Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

NvCplDaemon = RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
nwiz = nwiz.exe /install
NvMediaCenter = RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
WINDVDPatch = CTHELPER.EXE
UpdReg = C:\WINDOWS\UpdReg.EXE
Jet Detection = "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
SunJavaUpdateSched = C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
SysMemory manager = c:\windows\system32\mdms.exe
gcasServ = "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=explorer.exe "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe"
SCRNSAVE.EXE=C:\WINDOWS\System32\logon.scr
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry key not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------


Enumerating Download Program Files:

[Windows Genuine Advantage Validation Tool]
InProcServer32 = C:\WINDOWS\System32\LegitCheckControl.DLL
CODEBASE = http://go.microsoft.com/fwlink/?linkid=39204

[WUWebControl Class]
InProcServer32 = C:\WINDOWS\System32\wuweb.dll
CODEBASE = http://update.microsoft.com/windowsupda ... 1404118937

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\System32\Macromed\Flash\Flash8.ocx
CODEBASE = http://download.macromedia.com/pub/shoc ... wflash.cab

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\System32\webcheck.dll
SysTray: C:\WINDOWS\System32\stobject.dll
SysTray.Exbr: C:\WINDOWS\System32\dcqbpahi.dll

--------------------------------------------------
End of report, 4,467 bytes
Report generated in 0.032 seconds
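An added triage script, not from this thread and not part of StartupList or HijackThis: it walks the three sections of a StartupList report where the posted log carries its suspicious entries (the mdms.exe entry under Run, the extra executable appended to the Winlogon Shell value, and the odd DLL under ShellServiceObjectDelayLoad) and flags each one. The sample report is a constructed excerpt copied from the log above, and the allow-list of stock SSODL DLLs is an assumption drawn from that same log.

```python
# Constructed excerpt: values copied from the StartupList report posted above,
# trimmed to the three sections the checker looks at.
SAMPLE_REPORT = r"""Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

NvCplDaemon = RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
SysMemory manager = c:\windows\system32\mdms.exe
gcasServ = "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"

Shell & screensaver key from Registry:

Shell=explorer.exe "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe"
SCRNSAVE.EXE=C:\WINDOWS\System32\logon.scr

Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
SysTray: C:\WINDOWS\System32\stobject.dll
SysTray.Exbr: C:\WINDOWS\System32\dcqbpahi.dll
"""

# DLLs Windows XP itself registers under ShellServiceObjectDelayLoad; taken from
# the report's own entries, so treat this allow-list as an assumption.
KNOWN_SSODL = {"shell32.dll", "webcheck.dll", "stobject.dll"}

def find_suspicious(report):
    """Scan a StartupList-style report and return (kind, name, value) findings."""
    findings, section = [], None
    for line in report.splitlines():
        if line.endswith(":") and "=" not in line:
            section = line          # e.g. "Autorun entries from Registry:"
            continue
        if not line.strip():
            continue
        if section == "Shell & screensaver key from Registry:" and line.startswith("Shell="):
            # Winlogon Shell should be exactly explorer.exe; anything appended
            # is launched alongside the desktop at every logon.
            value = line[len("Shell="):].strip()
            if value.lower() != "explorer.exe":
                findings.append(("winlogon-shell-extra", "Shell", value))
        elif section == "Autorun entries from Registry:" and "=" in line:
            # Legitimate software rarely drops its own .exe straight into
            # system32 and starts it from Run; such entries deserve a second look.
            name, _, cmd = line.partition("=")
            target = cmd.strip().strip('"').lower()
            if target.startswith("c:\\windows\\system32\\") and target.endswith(".exe"):
                findings.append(("system32-run-entry", name.strip(), target.rsplit("\\", 1)[-1]))
        elif section == "Enumerating ShellServiceObjectDelayLoad items:" and ":" in line:
            # SSODL DLLs load into explorer.exe at startup; a random-looking
            # name that is not one of the stock shell DLLs is a classic hiding spot.
            name, _, dll = line.partition(":")
            base = dll.strip().rsplit("\\", 1)[-1].lower()
            if base not in KNOWN_SSODL:
                findings.append(("unknown-ssodl", name.strip(), base))
    return findings

if __name__ == "__main__":
    for kind, name, value in find_suspicious(SAMPLE_REPORT):
        print(f"{kind:22} {name} -> {value}")
```

Run against the full report it prints the three entries a reviewer would want to examine before touching anything else; the Run-entry heuristic is deliberately narrow, so treat a clean result as "nothing obvious", not "nothing there".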

Postby augie » Sun Nov 20, 2005 10:08 pm

Hmm, I don't see anything wrong in the startup except for the last .dll entry. Next, run this and post a log: http://www.spywareinfo.com/~merijn/files/hijackthis.zip

Postby ZRC » Tue Nov 22, 2005 4:16 pm

http://www.sophos.com/virusinfo/analyse ... botch.html

The "SysMemory manager = c:\windows\system32\mdms.exe" entry is a virus.

If you have AV, let it try to get rid of it by performing a full system scan. If that doesn't work, boot into safe mode and attempt to delete the file; if you can't delete it, try to rename it. You may have to hit Ctrl+Alt+Del and bring up the Task Manager, end explorer.exe, and then attempt to delete or rename the mdms.exe file. Once you've renamed it, go ahead and reboot into Windows. Chances are this virus is in addition to the spyware/malware you got from the link from your friend.

Do you have any recently purchased Sony CDs? If you do, and you attempted to uninstall their DRM 'stuff', you might have the backdoor that allows machines to be remotely rebooted, or it could just be that whoever owns your computer through the virus infection decided to reboot it. See here and here.

As long as you don't have a rootkit, you're still cleanable (and maybe even then...) - just keep posting the logs and we'll do all we can to get you back to top performance.
-ZRC
PRO Level 5
Posts: 184
Joined: Thu Mar 17, 2005 12:28 am
Location: Massachusetts.USA.Earth.in-addr.arpa.

Postby kd1966 » Tue Nov 22, 2005 6:07 pm

1. Turn off your System Restore.

2. Update your AV and other spyware/malware progs.

3. Boot to safe mode and run your scans.

4. When you're convinced the issue is fixed, reboot back to normal mode and look at the HJT scan, if you're brave enough to believe someone over the internet and run the fixes...

Finally, turn on your System Restore [if you use it... and you should].
PRO PLATINUM
Posts: 6831
Joined: Tue Aug 09, 2005 2:00 am
Location: USA - GSO - NC

Postby j8k3sp00n » Sat Nov 26, 2005 5:35 pm

Hi Smokeyou,

Looking back at your startup list, I see another one that you ought to be very careful with: Azureus. It's a very popular torrent P2P client and has recently been infiltrated by a lot of malware cretins.

I found 3.2 GB of crippled porno files on my torrent drive one day, strictly by accident, undoubtedly due to Azureus and friends. I couldn't view them (and that infuriated me), but they had porno-sounding names; you know what I mean. That was the day I wiped Azureus and its friends off my machines.

If you visit warez or keygen sites, you are certain to pick up some malware, just as if you visited all the brothels in Manila.

One other thing to add to the 5 steps for fixing your machine. After you clean it, set another restore point, go into drive properties, and clean up the drive using the advanced function to clean all but the latest restore point. Then you will have removed the malware that might have been stored in the previous restores. All this is predicated on whether you have been using System Restore; I highly recommend it; it saved my computer once again just yesterday.

Practicing safe computing is getting harder to do.
:P
PRO Level 8
Posts: 315
Joined: Fri Jul 12, 2002 5:01 pm
Location: Baking my brains out on high ground in Sacramento

Postby kd1966 » Sat Nov 26, 2005 7:14 pm

I've personally used Azureus for over a year without incident; I also do not have "friends" or others using my computer. I think it is all in where you get your torrents. The public/free arena has seen a blowup in malware-loaded torrents, most likely in the pr0n files, but also in music and movies.
