MSA.exe & b.exe

Hi..

My first post on the Norton community, and, regretfully, it's for the wrong reasons.

I share this computer with my younger sister, who has... interesting ideas concerning safe internet surfing. At some point yesterday, she downloaded an .exe (she can't remember which one), which in turn led to MSA.exe and B.exe being placed on my computer. She then deleted them, in the hope that it would prevent further damage to the computer (and the hope that her older brother wouldn't find out).

However, this hasn't solved the problem, as I'm still being randomly redirected to websites when I use Google.

I'm also vaguely aware that this means that there's a nasty rootkit installed on my computer, which has prevented me from using Malwarebytes, DDS.scr and HijackThis to gather logs that analyse the problem. The only thing I've managed to get working is Win32kDiag - I've attached the log, in the hope that this might provide information to help solve the problem.

Quick replies would be appreciated, although I'm aware that it takes a great deal of time to deal with this sort of thing (having written code before... I'm aware that it can be like finding a needle in a haystack when the needle's made of hay).

Many thanks


OK. Here's the log.

Thanks for getting back to me so quickly :smileyvery-happy:

 

Username1:

Are you running XP or Vista? If you are running XP, right click on HijackThis, go to properties, and check at the bottom for an Unblock option. This is preventing quite a few programs from running rather than malware.

 

Hi,

Have you tried doing scans in safe mode? You can try the ESET online scan if you aren't blocked from accessing the website (try the www.eset.co.za one).

I don't see any rootkits in your SysProt log, so it seems as though you're lucky in that respect. I also noticed that you have Norton 2009 installed - you may want to upgrade that to 2010, as Sonar 2 might catch these pests. But I'm not sure it would be a good idea to install it while malware is on the system - I'm sure other posters can comment on this? :-). But definitely upgrade after this has been sorted out, as the detection rates are significantly better.

Matt

Delphinium: I'm running Windows Vista

mattsegers: I've just tried running the ESET online antivirus... and there doesn't seem to be any virus according to that.

What do I do now?

*EDIT*: After a discussion with my sister, she grudgingly revealed where she found the virus:

<remove the hashes, but whatever you do, for the love of prog, please don't download anything!>

bil#lgab#le.co#m/r#oset#ta-s#tone-3#-3-7-r#apidshare-mega#upload-key#gen-serial-cr#ack.html

Message Edited by Username1 on 10-17-2009 08:00 AM

Username1 - As stated, your system seems to be rootkit free, but there does look to be something running a lot of svchost processes.

Please download HijackThis from this web site. Choose the executable and save it on your desktop. Run the file and select the first option on the main menu, "Do a system scan and save a log file". When this is finished, Notepad will open with the log file in it. Save the log file and attach it to a post here via the Add Attachments under the orange Post button.

Hi Delph

I found this thread from another forum. I don't know if it will be of any use or if it's the same problem that Username1 has. Please take a look at this forum and decide if it's of any help. That mentions a bagel also, so I don't know if the fix would be the same or not. But PLEASE DON'T DO ANYTHING SAID ON THAT FORUM UNTIL YOU GET INSTRUCTIONS FROM A MORE QUALIFIED PERSON than myself, Username1.

http://www.geekstogo.com/forum/b-exe-msa-exe-Win32-bagel-t255262.html

Username1 ----- Please don't do anything suggested in that link until some of the more experienced helpers here OK it first.

Hi,

I've tried downloading and then running HijackThis a couple of times, and each time I do it, it cuts out, and when I try to reopen the original application, it tells me I can't access it - and denies me renaming, moving and deleting privileges.

I've also noticed since earlier that when I tried to boot up MSN Messenger, it comes up with an error message that says "Windows Live Communications Platform has stopped working" - this only seems to have occurred since my new best friends moved in. (I've changed my password since on another computer, and won't be using it on this one.)

Message Edited by Username1 on 10-17-2009 09:36 AM

Hi Username1

Have you updated your Windows Live Messenger to the newest version? This is an update for security reasons and they have been saying if you don't update it, then you won't be able to use MSN Live Messenger. I don't know just when the update became or will become mandatory or just when the functionality of the program will end if you haven't updated it yet. So the MSN messenger could be affected by these viruses or because the program hasn't been updated yet. If you already have the newest version, then it may be the viruses themselves. Please check out the Windows Live site and see if you have the newest update for it. Thanks.

I've tried updating Live Messenger, and when that didn't work, uninstalling/reinstalling it, but I'm still getting the same message. I'm still having the problems with HijackThis; it won't let me run more than about 10 seconds of scanning before it closes down and refuses to re-open.

I'm also getting another error message (according to Firefox), which says that there's an error with the .NET Framework 1.1 plugin, and it recommended disabling it.

I'm beginning to worry a little bit now....

The Firefox pop up is unrelated.  It has to do with a security issue introduced into the browser by a couple of Microsoft .NET framework plug-ins that Mozilla is disabling to protect users.  The alert and disabling of the plug-ins are not malicious.

Message Edited by SendOfJive on 10-17-2009 11:14 AM

In spite of the fact that the Eset online scan came back clean, you still have symptoms of a malware infection. Just for diagnostic purposes I would suggest that you download and run a scan with Prevx 3.0.  In the trial version it will find but not remove the malware. It’s less than a 1MB download and will only take a few minutes to install and run. It is very good at finding malware and usually finds things that other scanners don’t.   Prevx

Username1:

Keep in mind that for Vista, you will need to right click on anything and "run as admin."

SendOfJive:

Thanks for letting me know.

Delphinium:

Have just tried running and installing PrevX 3.0 - I managed to install it, but part of the way through it running its initial scan, it vanished, and I haven't seen it since. I've just tried to uninstall it, to reinstall it - but I get greeted with a message informing me, despite this being the only account, that I have insufficient privileges to uninstall or reinstall.

Message Edited by Username1 on 10-17-2009 11:54 AM

Username1:

Are you able to bring up Task Manager? Could you provide a screenshot of what is on it? Save your screenshot, or "snipit" to Paint and upload it using the little green tree icon near the smiley. Use the "large size".

Even if yours is the only account, you will still have to right click and run as administrator.

Username1, it sounds like you have a rootkit; if so, it will prevent any well known security apps from running. I saw 2 suspicious entries in your SysProt log. Download and run a scan with Hitman Pro; it is an on demand scanner that uses cloud technology to scan with 5 different security apps. It is particularly effective against rootkits. The fact that it is not well known works in your favor, as the malware probably won't know about it and will allow you to complete a scan. Unlike Prevx, Hitman Pro will allow you to delete the malware it finds for the entire 30 day trial period. Let us know how it goes. Hitman Pro

OK... I've attached screenshots of the Processes page of Task Manager (I'm guessing that that's the most important one, although if I'm wrong, I do apologise).

I sorted the processes alphabetically, and it took two screenshots to fit them in. I've attached them both, but seeing as the forum won't let me attach text files, I had to rename the extensions to .txt - they should be .jpg - I apologise for any irritation that this might cause.

I also tried "Run as Administrator" earlier, but it still vanishes without a trace.

*EDIT*: I tried Hitman as well... Still no luck - I ran it as administrator, and it vanished as well - and with every application that this rootkit neuters, in the bottom left of the application's icon, a little picture of two heads appears.

Message Edited by Username1 on 10-17-2009 12:23 PM
Message Edited by Username1 on 10-17-2009 12:32 PM

Username1:

Please read the instructions I gave you on how to upload a screenshot. You cannot change the file name and attach it and actually expect to see it. Won't work.

OK. Here they are.... Please ignore that momentary act of stupidity.

Screenshot1of2.jpg

Screenshot2of2.jpg