Computer Security & Viruses/downed toshiba satellite A105 S361


Question
QUESTION: OK, I got my old laptop back some time ago and it was acting funny. I ended up using some restore program in the Windows folder that ended up wiping out my drivers. I took some time getting them back but forgot to get antivirus software. Fast forward about 7 months and now I had a weird lsass.exe error that immediately opened a 1 minute timer then shut down my laptop. I eventually got around it (still forgetting to get antivirus software...) and then I got a services.exe error that knocked out my sound drivers and my network drivers. I can't even log in regularly now. I borrowed a Norton antivirus disk from a friend and somehow got it to log in correctly and then installed it, but it told me to restart my PC. I restarted it and it completely disappeared from my hard drive... I'm now at my wit's end with it. Got any solutions?

ANSWER: Hi Fabian

Are you able to boot into safe mode?  When starting the computer, keep tapping "F8" until you get to the boot screen.  Choose to start Windows in Safe Mode with Networking.  Log on as usual.

Please download Malwarebytes' Anti-Malware to your desktop from here:

http://www.besttechie.net/tools/mbam-setup.exe

Double-click mbam-setup.exe and follow the prompts to install the program.
* At the end, be sure a checkmark is placed next to "Update Malwarebytes' Anti-Malware", then click Finish.
* If an update is found, it will download and install the latest version.
* Run a Full Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad.  Save that log and reboot normally.

Download and install HijackThis:

http://www.trendsecure.com/portal/en-US/_download/HJTInstall.exe

Make sure you close EVERY open window and ALL browser windows. The only thing that should be open is the HijackThis program.
Double-click on the file you just downloaded.
Click on the "Install" button.
Upon install, HijackThis should open for you.
Should it not open, go to C:\Program Files\Trend Micro\HijackThis and double click on HijackThis.exe
Choose 'Do a system scan and save a log file'.
Copy the text file which opens in Notepad and paste it in your follow-up, along with the Malwarebytes log.
* Do not fix any entries in HijackThis, as they may be harmless.

Brian

---------- FOLLOW-UP ----------

QUESTION: OK, got the HijackThis logs

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:20:05 AM, on 5/25/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18372)
Boot mode: Normal

Running processes:
C:WINDOWSSystem32smss.exe
C:WINDOWSsystem32winlogon.exe
C:WINDOWSsystem32services.exe
C:WINDOWSsystem32lsass.exe
C:WINDOWSSystem32svchost.exe
C:WINDOWSsystem32svchost.exe
C:Program FilesCommon FilesAppleMobile Device SupportinAppleMobileDeviceService.exe
C:Program FilesJavajre6injqs.exe
C:WINDOWSExplorer.EXE
C:WINDOWSSystem32svchost.exe
C:WINDOWSsystem32
undll32.exe
C:Program FilesJavajre6injusched.exe
C:Program FilesToshibaTvsTvsTray.exe
C:WINDOWSAGRSMMSG.exe
C:Program FilesToshibaToshiba Applet   hotkey.exe
C:Program FilesSynapticsSynTPSynTPEnh.exe
C:WINDOWSsystem32TPSMain.exe
C:WINDOWSsystem32igfxtray.exe
C:Program Filesst Security Agent
ewlock.exe
C:Program FilesSynapticsSynTPToshiba.exe
C:WINDOWSsystem32TPSBattM.exe
C:WINDOWSRTHDCPL.EXE
C:WINDOWSsystem32ctfmon.exe
C:Program FilesAdobeAcrobat 7.0Reader
eader_sl.exe
C:Program FilesTOSHIBABluetooth MonitorBtMon2.exe
C:Program FilesTrend MicroHijackThisHijackThis.exe

R1 - HKCUSoftwareMicrosoftInternet ExplorerMain,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCUSoftwareMicrosoftInternet ExplorerMain,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLMSoftwareMicrosoftInternet ExplorerMain,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLMSoftwareMicrosoftInternet ExplorerMain,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLMSoftwareMicrosoftInternet ExplorerMain,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLMSoftwareMicrosoftInternet ExplorerSearch,SearchAssistant =
O1 - Hosts: 82.98.231.89 googleads2.gdoubleclick.net
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:Program FilesYahoo!CompanionInstallscpnyt.dll
O2 - BHO: (no name) - {E2BA40A2-74F3-42BD-F434-2604812C8953} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:Program FilesYahoo!CompanionInstallscpnyt.dll
O4 - HKLM..Run: [IMJPMIG8.1] "C:WINDOWSIMEimjp8_1IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM..Run: [PHIME2002ASync] C:WINDOWSsystem32IMETINTLGNTTINTSETP.EXE /SYNC
O4 - HKLM..Run: [PHIME2002A] C:WINDOWSsystem32IMETINTLGNTTINTSETP.EXE /IMEName
O4 - HKLM..Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM..Run: [SunJavaUpdateSched] "C:Program FilesJavajre6injusched.exe"
O4 - HKLM..Run: [Tvs] C:Program FilesToshibaTvsTvsTray.exe
O4 - HKLM..Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM..Run: [THotkey] C:Program FilesToshibaToshiba Applet   hotkey.exe
O4 - HKLM..Run: [SynTPEnh] C:Program FilesSynapticsSynTPSynTPEnh.exe
O4 - HKLM..Run: [TPSMain] TPSMain.exe
O4 - HKLM..Run: [IgfxTray] C:WINDOWSsystem32igfxtray.exe
O4 - HKLM..Run: [HotKeysCmds] C:WINDOWSsystem32hkcmd.exe
O4 - HKLM..Run: [Persistence] C:WINDOWSsystem32igfxpers.exe
O4 - HKLM..Run: [QuickTime Task] "C:Program FilesQuickTimeqttask.exe" -atboottime
O4 - HKLM..Run: [iTunesHelper] "C:Program FilesiTunesiTunesHelper.exe"
O4 - HKLM..Run: [KernelFaultCheck] %systemroot%system32dumprep 0 -k
O4 - HKLM..Run: [00saskda] "C:Program Filesst Security Agent
ewlock.exe" saskda
O4 - HKLM..Run: [TkBellExe] "C:Program FilesCommon FilesRealUpdate_OB
ealsched.exe"  -osboot
O4 - HKLM..Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM..Run: [Alcmtr] ALCMTR.EXE
O4 - HKCU..Run: [reader_s] C:Documents and Settingsgenesis
eader_s.exe
O4 - HKCU..Run: [ccleaner] "C:Program FilesCCleanerCCleaner.exe" /AUTO
O4 - HKCU..Run: [ctfmon.exe] C:WINDOWSsystem32ctfmon.exe
O4 - HKUSS-1-5-19..Run: [nohovojole] Rundll32.exe "C:WINDOWSsystem32ijupuvu.dll",s (User '?')
O4 - HKUSS-1-5-20..Run: [nohovojole] Rundll32.exe "C:WINDOWSsystem32ijupuvu.dll",s (User '?')
O4 - HKUSS-1-5-21-606747145-1078145449-854245398-1010..Run: [reader_s] C:Documents and Settingsgenesis
eader_s.exe (User '?')
O4 - HKUSS-1-5-18..Run: [MySpaceIM] C:Program FilesMySpaceIMMySpaceIM.exe (User '?')
O4 - HKUSS-1-5-18..Run: [reader_s] C:WINDOWSsystem32configsystemprofile
eader_s.exe (User '?')
O4 - HKUS.DEFAULT..Run: [MySpaceIM] C:Program FilesMySpaceIMMySpaceIM.exe (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:Program FilesAdobeAcrobat 7.0Reader
eader_sl.exe
O4 - Global Startup: Bluetooth Monitor.lnk = ?
O6 - HKCUSoftwarePoliciesMicrosoftInternet ExplorerRestrictions present
O6 - HKCUSoftwarePoliciesMicrosoftInternet ExplorerControl Panel present
O6 - HKCUSoftwarePoliciesMicrosoftInternet ExplorerToolbarsRestrictions present
O9 - Extra button: AIM Toolbar - {0b83c99c-1efa-4259-858f-bcb33e007a5b} - C:Program FilesAIM Toolbaraimtb.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:Program FilesMessengermsmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:Program FilesMessengermsmsgs.exe
O10 - Unknown file in Winsock LSP: c:windowssystem32
wprovau.dll
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {DB7BF79A-FC51-4B5A-92BC-A65731174380} (InstantAction Game Launcher) - http://www.instantaction.com/download/iaplayer.cab
O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - C:Program FilesGoogleGoogle ToolbarComponent astsearch_A8904FB862BD9564.dll
O20 - AppInit_DLLs: olozlx.dll gydltf.dll C:WINDOWSsystem32harupeza.dll c:windowssystem32ihorugi.dll c:windowssystem32sokoyeji.dll c:windowssystem32
izefipu.dll c:windowssystem32yelosuso.dll c:windowssystem32 atopoze.dll    ,
O23 - Service: Apple Mobile Device - Apple Inc. - C:Program FilesCommon FilesAppleMobile Device SupportinAppleMobileDeviceService.exe
O23 - Service: AppMgmt - Unknown owner - C:WINDOWSTEMPVRT1.tmp (file missing)
O23 - Service: AudioSrv - Unknown owner - C:WINDOWSTEMPVRT1.tmp (file missing)
O23 - Service: BITS - Unknown owner - C:WINDOWSTEMPVRT1.tmp (file missing)
O23 - Service: Bonjour Service - Unknown owner - C:WINDOWSTEMPVRT1.tmp (file missing)
O23 - Service: Browser - Unknown owner - C:WINDOWSTEMPVRT1.tmp (file missing)
O23 - Service: CiSvc - Unknown owner - C:WINDOWSTEMPVRT1.tmp (file missing)
O23 - Service: clr_optimization_v2.0.50727_32 - Unknown owner - C:WINDOWSTEMPVRT1.tmp (file missing)
O23 - Service: COMSysApp - Unknown owner - C:WINDOWSTEMPVRT1.tmp (file missing)
O23 - Service: CryptSvc - Unknown owner - C:WINDOWSTEMPVRT1.tmp (file missing)
O23 - Service: DcomLaunch - Unknown owner - C:WINDOWSTEMPVRT1.tmp (file missing)
O23 - Service: DeskSaverService - Unknown owner - C:WINDOWSTEMPVRT1.tmp (file missing)
O23 - Service: Dhcp - Unknown owner - C:WINDOWSTEMPVRT1.tmp (file missing)
O23 - Service: dmadmin - Unknown owner - C:WINDOWSTEMPVRT1.tmp (file missing)
O23 - Service: dmserver - Unknown owner - C:WINDOWSTEMPVRT1.tmp (file missing)
O23 - Service: ERSvc - Unknown owner - C:WINDOWSTEMPVRT1.tmp (file missing)
O23 - Service: Eventlog - Unknown owner - C:WINDOWSTEMPVRT1.tmp (file missing)
O23 - Service: EventSystem - Unknown owner - C:WINDOWSTEMPVRT1.tmp (file missing)
O23 - Service: FastUserSwitchingCompatibility - Unknown owner - C:WINDOWSTEMPVRT1.tmp (file missing)
O23 - Service: gusvc - Unknown owner - C:WINDOWSTEMPVRT1.tmp (file missing)
O23 - Service: HID Input Service HidServ Service (HidServ Service) - Unknown owner - .exe (file missing)
O23 - Service: iPod Service - Apple Inc. - C:Program FilesiPodiniPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:Program FilesJavajre6injqs.exe
O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:WINDOWSsystem32GameMon.des.exe (file missing)

--
End of file - 8347 bytes

And that's it. I also want to mention that my ICS services and other services aren't working and will not start.

Answer
Hi Fabian

I need you to post me another HJT log, as this one is not formatted properly, making it very difficult to read.  Your log looks like this:

Running processes:
C:WINDOWSSystem32smss.exe
C:WINDOWSsystem32winlogon.exe
C:WINDOWSsystem32services.exe

Whereas it should look like:

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe

Also, I need to see the Malwarebytes scan log.  Thanks.

Brian
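As an added example (not part of this thread, and not a tool either poster used), here is a small Python triage script for HijackThis log entries in the format posted above. It parses the section code of each line, flags the entry types a reviewer would look at first (O1 hosts redirects, O20 AppInit_DLLs, O23 services that are missing or live in TEMP, rundll32 autoruns under the service-account hives), and also detects the symptom the expert points out: a drive letter with no backslash after it, meaning the log was mangled in transit and needs to be reposted. The sample lines are constructed, modelled on the posted log; the heuristics and the reason strings are the example's own.

```python
import re

# Constructed sample lines modelled on the HijackThis log posted above; the
# second line deliberately has its backslashes stripped, as the posted log did.
SAMPLE_LOG = r"""O1 - Hosts: 82.98.231.89 googleads2.gdoubleclick.net
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:Program FilesJavajre6injusched.exe"
O4 - HKUS\S-1-5-19\..\Run: [nohovojole] Rundll32.exe "C:\WINDOWS\system32\ijupuvu.dll",s (User '?')
O20 - AppInit_DLLs: olozlx.dll gydltf.dll C:\WINDOWS\system32\harupeza.dll
O23 - Service: AudioSrv - Unknown owner - C:\WINDOWS\TEMP\VRT1.tmp (file missing)
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
"""

# Every HJT entry starts with a section code (R0, O4, O23, ...) followed by " - ".
ENTRY_RE = re.compile(r"^(?P<code>[RFNO]\d+) - (?P<body>.*)$")
# A lone drive letter not followed by a separator: the backslashes were eaten.
MANGLED_PATH_RE = re.compile(r"(?<![A-Za-z])[A-Za-z]:(?![\\/])")
# Run entries under the LocalService/NetworkService hives that load a DLL via rundll32.
SERVICE_HIVE_RUNDLL_RE = re.compile(r"HKUS\\S-1-5-(19|20)\\.*rundll32\.exe", re.I)

def parse_entry(line):
    """Split one log line into (section code, body); None for headers and blank lines."""
    m = ENTRY_RE.match(line.strip())
    return (m.group("code"), m.group("body")) if m else None

def triage_entry(line):
    """Return the reasons one entry deserves a closer look (empty list = nothing flagged)."""
    parsed = parse_entry(line)
    if parsed is None:
        return []
    code, body = parsed
    reasons = []
    if MANGLED_PATH_RE.search(body):
        reasons.append("path lost its backslashes; the log needs to be reposted")
    if code == "O1":
        reasons.append("hosts file redirects a domain to a hard-coded IP")
    if code == "O20" and "AppInit_DLLs" in body:
        reasons.append("AppInit_DLLs injects these DLLs into every process that loads user32")
    if code == "O23" and "(file missing)" in body:
        reasons.append("service binary is missing")
    if code == "O23" and re.search(r"\\TEMP\\", body, re.I):
        reasons.append("service is registered from the TEMP directory")
    if code == "O4" and SERVICE_HIVE_RUNDLL_RE.search(body):
        reasons.append("rundll32 autorun under a service-account hive")
    return reasons

def triage_log(text):
    """Return [(line, reasons)] for every flagged entry, in log order."""
    return [(ln.strip(), r) for ln in text.splitlines() if (r := triage_entry(ln))]
```

Entries that are not flagged (the iPod service line, the Toshiba and Java autoruns in the real log) are simply omitted from the result, so the output is the short list a helper would actually read.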


Brian Benosky

Expertise

I will help you in eradicating malware and all forms of virus/trojans/adware. I can answer all PC-related hardware issues. I can also troubleshoot Windows OS errors (all versions) and other software problems. HijackThis logs are a MUST for virus related help. If you do not know how to do this, I have posted easy-to-follow instructions on the Ask a Question page. Every computer infection is different, so I will give you personal instructions on how to remove the malware, not a 'pat' answer. You can be assured of a prompt, polite, and knowledgeable response in all regards.

Experience

I have over 25 years experience in using, building, and repairing computers. I have helped over two thousand people here on AllExperts, with consistent Top Feedback Scores. Please look at my answers here: http://en.allexperts.com/q/Computer-Security-Viruses-1737/indexExp_84308.htm I am also a Top Contributor of General Computing answers in Yahoo! Questions.

Education/Credentials
College Educated Self-taught Computer Skills

©2012 About.com, a part of The New York Times Company. All rights reserved.