JackNunn

Members
Posts: 7
Reputation: 0 Neutral
  1. After reading your comments I will be reinstalling the OS. I do have one final question. In the past I have reinstalled the OS without reformatting. This allowed me to keep the data files. This would save me some time, but if there is a chance it would not remove the virus I will go with the reformat & reinstall. In your opinion, what is the risk of reinstalling the OS over the existing copy without reformatting?
  2. Looks like the screenshot did not attach. Attempting to attach it again. It works much better when I hit the 'Attach This File' button.
  3. Hi, thanks for your help. I attempted to run RogueKiller but it crashed while scanning. (See attached screenshot for details.) I tried running it after booting normally and in safe mode, with identical results.
  4. DDS.txt and Attach.txt attached.

     My system runs for about 10-20 min and then essentially locks up (some items not responding and some responding very slowly), and the menu bar at the bottom of the screen disappears or turns white. Another symptom was that when selecting Start -> Run the list of previous commands was blank. I am running F-Secure anti-virus. I have also run full scans using Malwarebytes, SuperAntiSpyware, and ESET Online Scanner (http://www.eset.eu/eset-online-scanner) until they gave a clean bill of health, with no effect.

     Looking at the System Log in Event Viewer showed an Event ID 4226. Below is the information on the event ID from Microsoft.

     ==========================
     Details
     Product: Windows Operating System
     ID: 4226
     Source: Tcpip
     Version: 5.2
     Symbolic Name: EVENT_TCPIP_TCP_CONNECT_LIMIT_REACHED
     Message: TCP/IP has reached the security limit imposed on the number of concurrent (incomplete) TCP connect attempts.

     Explanation
     The TCP/IP stack in Windows XP with Service Pack 2 (SP2) installed limits the number of concurrent, incomplete outbound TCP connection attempts. When the limit is reached, subsequent connection attempts are put in a queue and resolved at a fixed rate so that there are only a limited number of connections in the incomplete state. During normal operation, when programs are connecting to available hosts at valid IP addresses, no limit is imposed on the number of connections in the incomplete state. When the number of incomplete connections exceeds the limit, for example, as a result of programs connecting to IP addresses that are not valid, connection-rate limitations are invoked, and this event is logged.

     Establishing connection-rate limitations helps to limit the speed at which malicious programs, such as viruses and worms, spread to uninfected computers. Malicious programs often attempt to reach uninfected computers by opening simultaneous connections to random IP addresses. Most of these random addresses result in failed connections, so a burst of such activity on a computer is a signal that it may have been infected by a malicious program. Connection-rate limitations may cause certain security tools, such as port scanners, to run more slowly.

     User Action
     This event is a warning that a malicious program or a virus might be running on the system. To troubleshoot the issue, find the program that is responsible for the failing connection attempts and, if the program might be malicious, close the program as follows.

     To close the program
     1. At the command prompt, type Netstat -no
     2. Find the process with a large number of open connections that are not yet established. These connections are indicated by the TCP state SYN_SENT in the State column of the Active Connections information.
     3. Note the process identification number (PID) of the process in the PID column.
     4. Press CTRL+ALT+DELETE and then click Task Manager.
     5. On the Processes tab, select the processes with the matching PID, and then click End Process. If you need to select the option to view the PID for processes, on the View menu, click Select Columns, select the PID (Process Identifier) check box, and then click OK.
     --------------------------------------------------------------------------------
     Currently there are no Microsoft Knowledge Base articles available for this specific error or event message. For information about other support options you can use to find answers online, see http://support.microsoft.com/default.aspx.
     ==========================

     I followed the instructions above and a few minutes after booting I was able to identify a process that was acting as described above. The process was svchost.exe. Using Process Explorer from www.sysinternals.com I was able to get additional information that the command line for the process was 'C:\WINDOWS\System32\svchost.exe -k netsvcs'. The offending svchost process will show an increasing amount of memory usage.

     I killed the process, but within a few minutes a new version of 'C:\WINDOWS\System32\svchost.exe -k netsvcs' would start and start making connections. I did this several times, but a new 'C:\WINDOWS\System32\svchost.exe -k netsvcs' would always start within a few minutes. Additionally, if I start the system in 'safe mode' it does not hang, but 'safe mode with networking' has the same problem. If I continually kill the offending svchost process the system appears to work fine; however, if I let it run for any length of time the process will consume more and more memory until the system locks up.

     dds.txt attach.txt
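The Microsoft event text quoted in the post above tells you to run netstat -no and look for the PID with many connections stuck in SYN_SENT. The following script automates that step and is an added example, not code from the original post, from the forum, or from Microsoft. It runs over a constructed netstat -no capture embedded in the script (documentation-range addresses and made-up PIDs; nothing from the poster's machine), and the default threshold of 10 is the half-open connection limit Windows XP SP2 enforces, which the quoted text mentions but does not quantify.

```python
"""Triage a `netstat -no` capture for the SYN_SENT burst that event ID 4226 warns about."""
import re
from collections import defaultdict

# Constructed sample in the layout `netstat -no` prints on Windows XP.
# NOT a capture from the poster's machine: addresses are RFC 5737 documentation
# ranges and PIDs are invented. PID 1044 plays the role of a process spraying
# SYNs at TCP/445 on many unrelated hosts, which is the worm pattern the event
# text describes.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.1.5:1034       64.233.169.99:80       ESTABLISHED     1288
  TCP    192.168.1.5:1040       64.233.169.99:443      CLOSE_WAIT      1288
  TCP    192.168.1.5:1050       10.0.0.2:139           ESTABLISHED     4
  TCP    192.168.1.5:1101       203.0.113.17:445       SYN_SENT        1044
  TCP    192.168.1.5:1102       198.51.100.9:445       SYN_SENT        1044
  TCP    192.168.1.5:1103       192.0.2.200:445        SYN_SENT        1044
  TCP    192.168.1.5:1104       203.0.113.88:445       SYN_SENT        1044
  TCP    192.168.1.5:1105       198.51.100.130:445     SYN_SENT        1044
  TCP    192.168.1.5:1106       192.0.2.33:445         SYN_SENT        1044
  TCP    192.168.1.5:1107       203.0.113.201:445      SYN_SENT        1044
  TCP    192.168.1.5:1108       198.51.100.77:445      SYN_SENT        1044
  TCP    192.168.1.5:1109       192.0.2.150:445        SYN_SENT        1044
  TCP    192.168.1.5:1110       203.0.113.5:445        SYN_SENT        1044
  TCP    192.168.1.5:1120       93.184.216.34:80       SYN_SENT        1700
  TCP    [::1]:1121             [::1]:8080             ESTABLISHED     2200
  UDP    192.168.1.5:137        *:*                                    4
"""

# One TCP row: local address, foreign address, state, PID. UDP rows carry no
# State column and do not match, which is what we want here.
TCP_ROW = re.compile(r"^\s*TCP\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s*$")


def parse_netstat(text):
    """Return a list of (local, remote, state, pid) tuples for the TCP rows."""
    rows = []
    for line in text.splitlines():
        m = TCP_ROW.match(line)
        if m:
            local, remote, state, pid = m.groups()
            rows.append((local, remote, state, int(pid)))
    return rows


def split_host_port(addr):
    """'1.2.3.4:445' -> ('1.2.3.4', 445); '[::1]:80' -> ('[::1]', 80)."""
    host, _, port = addr.rpartition(":")
    return host, int(port)


def half_open_by_pid(rows):
    """Group SYN_SENT rows by PID: pid -> list of (host, port) targets."""
    pending = defaultdict(list)
    for _, remote, state, pid in rows:
        if state == "SYN_SENT":
            pending[pid].append(split_host_port(remote))
    return pending


def triage(text, threshold=10):
    """PIDs with at least `threshold` half-open outbound connections, largest first.

    Besides the raw count, each entry reports how many distinct hosts were
    targeted and which destination ports, which separates a worm-style spray
    (many hosts, one port) from a client retrying one unreachable server
    (one host, any port). The XP SP2 limit is 10, hence the default threshold.
    """
    report = []
    for pid, targets in half_open_by_pid(parse_netstat(text)).items():
        if len(targets) >= threshold:
            report.append({
                "pid": pid,
                "syn_sent": len(targets),
                "distinct_hosts": len({h for h, _ in targets}),
                "ports": sorted({p for _, p in targets}),
            })
    report.sort(key=lambda r: r["syn_sent"], reverse=True)
    return report


if __name__ == "__main__":
    for entry in triage(SAMPLE_NETSTAT):
        print(entry)
```

On a live machine, save the output with `netstat -no > netstat.txt` and pass the file contents to `triage`. A PID alone is not a verdict: as the poster saw, `svchost.exe -k netsvcs` hosts many legitimate services in one process, so the next step is to look inside that PID (Process Explorer's DLL view, which the poster already had open) rather than at the process name.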
  5. Thank you for your help and detailed instructions. Below are the log files you requested.

     Malwarebytes Log:
     Malwarebytes' Anti-Malware 1.39
     Database version: 2508
     Windows 5.1.2600 Service Pack 2
     7/26/2009 7:01:56 PM
     mbam-log-2009-07-26 (19-01-56).txt
     Scan type: Quick Scan
     Objects scanned: 89604
     Time elapsed: 1 minute(s), 51 second(s)
     Memory Processes Infected: 0
     Memory Modules Infected: 0
     Registry Keys Infected: 0
     Registry Values Infected: 0
     Registry Data Items Infected: 0
     Folders Infected: 0
     Files Infected: 0

     C:\Combofix.txt
     ComboFix 09-07-25.08 - Jean 07/26/2009 18:47.1.4 - NTFSx86
     Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.3326.2997 [GMT -4:00]
     Running from: c:\documents and settings\All Users\Desktop\Combo-Fix.exe
     AV: EMBARQ
  6. I ran Malwarebytes several times (rebooting as requested) and it keeps finding Trojan.TDSS.

     Malwarebytes Log file:
     Memory Modules Infected: 1
     Registry Keys Infected: 0
     Registry Values Infected: 0
     Registry Data Items Infected: 0
     Folders Infected: 0
     Files Infected: 1

     Memory Processes Infected:
     (No malicious items detected)

     Memory Modules Infected:
     \\?\globalroot\systemroot\system32\hjgruimyibhefu.dll (Trojan.TDSS) -> Delete on reboot.

     Registry Keys Infected:
     (No malicious items detected)

     Registry Values Infected:
     (No malicious items detected)

     Registry Data Items Infected:
     (No malicious items detected)

     Folders Infected:
     (No malicious items detected)

     Files Infected:
     \\?\globalroot\systemroot\system32\hjgruimyibhefu.dll (Trojan.TDSS) -> Quarantined and deleted successfully.

     HijackThis log file:
     Logfile of Trend Micro HijackThis v2.0.2
     Scan saved at 5:36:59 PM, on 7/25/2009
     Platform: Windows XP SP2 (WinNT 5.01.2600)
     MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
     Boot mode: Normal

     Running processes:
     C:\WINDOWS\System32\smss.exe
     C:\WINDOWS\system32\winlogon.exe
     C:\WINDOWS\system32\services.exe
     C:\WINDOWS\system32\lsass.exe
     C:\WINDOWS\system32\svchost.exe
     C:\WINDOWS\System32\svchost.exe
     C:\WINDOWS\Explorer.EXE
     C:\WINDOWS\system32\spoolsv.exe
     C:\WINDOWS\system32\RUNDLL32.EXE
     C:\Program Files\EMBARQ Online Security\Common\FSM32.EXE
     C:\Program Files\Unforgettable!\Unforgettable.exe
     C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
     C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
     C:\Program Files\EMBARQ Online Security\Anti-Virus\fsgk32st.exe
     C:\Program Files\EMBARQ Online Security\Common\FSMA32.EXE
     C:\Program Files\EMBARQ Online Security\Anti-Virus\FSGK32.EXE
     C:\WINDOWS\system32\nvsvc32.exe
     C:\Program Files\EMBARQ Online Security\Common\FSMB32.EXE
     C:\Program Files\EMBARQ Online Security\Common\FCH32.EXE
     C:\WINDOWS\system32\PnkBstrA.exe
     C:\WINDOWS\system32\PnkBstrB.exe
     C:\Program Files\EMBARQ Online Security\Common\FAMEH32.EXE
     C:\Program Files\EMBARQ Online Security\Anti-Virus\fsqh.exe
     C:\Program Files\EMBARQ Online Security\FSGUI\fsguidll.exe
     C:\Program Files\EMBARQ Online Security\Anti-Virus\fssm32.exe
     C:\Program Files\EMBARQ Online Security\FSAUA\program\fsaua.exe
     C:\Program Files\EMBARQ Online Security\FWES\Program\fsdfwd.exe
     C:\Program Files\EMBARQ Online Security\FSAUA\program\fsus.exe
     C:\WINDOWS\system32\wscntfy.exe
     C:\Program Files\EMBARQ Online Security\Anti-Virus\fsav32.exe
     C:\Program Files\Internet Explorer\iexplore.exe
     C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

     R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=3080419
     R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
     R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
     R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=3080419
     O1 - Hosts: ::1 localhost
     O1 - Hosts: 209.44.111.57 alarm-security.microsoft.com
     O1 - Hosts: 209.44.111.57 inetantivirus.com
     O1 - Hosts: 209.44.111.57 www.inetantivirus.com
     O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (file missing)
     O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
     O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\Dell\BAE\BAE.dll
     O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
     O4 - HKLM\..\Run: [RTHDCPL] xxxRTHDCPL.EXE.realtek audio manager
     O4 - HKLM\..\Run: [Alcmtr] xxxALCMTR.EXE
     O4 - HKLM\..\Run: [PDVDDXSrv] "xC:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe.remote contraol for dvd player"
     O4 - HKLM\..\Run: [dscactivate] "xxxC:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
     O4 - HKLM\..\Run: [nwiz] XXXnwiz.exe /install
     O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
     O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "xxxC:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe.abobe pdf reader pre loader"
     O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\EMBARQ Online Security\Common\FSM32.EXE" /splash
     O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program Files\EMBARQ Online Security\FSGUI\TNBUtil.exe" /CHECKALL /WAITFORSW
     O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
     O4 - HKLM\..\Run: [unforgettable!] C:\Program Files\Unforgettable!\Unforgettable.exe
     O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
     O4 - HKCU\..\Run: [TomTomHOME.exe] "xxxC:\Program Files\TomTom HOME 2\HOMERunner.exe"
     O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
     O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
     O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
     O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
     O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
     O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1220653115042
     O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownlo.../sysreqlab2.cab
     O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
     O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - http://a.download.toontown.com/sv1.0.32.21/ttinst.cab
     O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://yourconferencing.webex.com/client/T...bex/ieatgpc.cab
     O20 - AppInit_DLLs: C:\WINDOWS\system32\hisozega.dll whozea.dll c:\windows\system32\funugipi.dll
     O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
     O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
     O23 - Service: FSGKHS (F-Secure Gatekeeper Handler Starter) - F-Secure Corporation - C:\Program Files\EMBARQ Online Security\Anti-Virus\fsgk32st.exe
     O23 - Service: F-Secure Automatic Update Agent (FSAUA) - F-Secure Corporation - C:\Program Files\EMBARQ Online Security\FSAUA\program\fsaua.exe
     O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Program Files\EMBARQ Online Security\FWES\Program\fsdfwd.exe
     O23 - Service: FSMA - F-Secure Corporation - C:\Program Files\EMBARQ Online Security\Common\FSMA32.EXE
     O23 - Service: F-Secure ORSP Client (FSORSPClient) - F-Secure Corporation - C:\Program Files\EMBARQ Online Security\ORSP Client\fsorsp.exe
     O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
     O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
     O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
     O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe
     O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe

     --
     End of file - 6950 bytes