Author Topic: My school computer is screwing up please help (Read 11765 times)

essexboy · « **Reply #30 on:** December 19, 2010, 01:17:26 PM »

http://cid-32d8666f4048075b.office.live.com/self.aspx/Malware%20files/avz4.zip download a copy from my site

ICAngels · « **Reply #31 on:** December 28, 2010, 02:36:12 AM »

I'm jumping into this topic because I'm having the same problem... ("Svchost.exe Application Error" The instruction at "0x7c923845" etc.). No matter what you do when this pops up, your computer freezes and you're forced to reboot to get it going again. The only reason I'm on here now is because I didn't choose either of the options (ok to terminate OR cancel to debug), I simply dragged the error down to the bottom of my screen for now...

I do know this. Whatever caused this began when I clicked on a link to play hidden objects 4, on Facebook... I knew immediately that it was not a good link because my computer (or the link) started a malware scan. (I turned my computer off in the middle of the chaos and the scan never completed). I noticed a couple files that seemed suspicious in my WINNT\TEMP and deleted them (4225859.exe and another file with a different extension). I also disabled this in msconfig's startup... (not sure if I should have done any of that, but since I couldn't determine what 4225859.exe was, I took my chances and deleted it)...

I used your OTL and scanned as you directed. The two .txt files are on my desktop, but I didnt have the program make any changes because I just wasn't sure what would happen there... If you give me the ok, I'll post the results here. (I figured out how to attach them and here they are.

Thanks so much,

ICAngels

-----------------------------------

essexboy · « **Reply #32 on:** December 28, 2010, 09:25:05 PM »

That was a good move - that file was the main initiator. I can see no sign of an Antivirus programme on your system - not a good move really

Run OTL

Under the Custom Scans/Fixes box at the bottom, paste in the following

Quote
:OTL
FF - prefs.js..network.proxy.http: "127.0.0.1"
FF - prefs.js..network.proxy.http_port: 8888
FF - prefs.js..network.proxy.no_proxies_on: ""
FF - prefs.js..network.proxy.ssl: "127.0.0.1"
FF - prefs.js..network.proxy.ssl_port: 8888
FF - prefs.js..network.proxy.type: 4
[2010/10/12 07:01:56 | 000,000,000 | ---D | M] -- C:\Documents and Settings\MRSystem\Application Data\Mozilla\Firefox\Profiles\31q0z3et.default\extensions\searchtoolbar@zugo.com
O2 - BHO: (Search Toolbar) - {9D425283-D487-4337-BAB6-AB8354A81457} - Reg Error: Value error. File not found
O3 - HKLM\..\Toolbar: (Search Toolbar) - {9D425283-D487-4337-BAB6-AB8354A81457} - Reg Error: Value error. File not found
O3 - HKU\S-1-5-21-1482476501-838170752-839522115-1006\..\Toolbar\WebBrowser: (Search Toolbar) - {9D425283-D487-4337-BAB6-AB8354A81457} - Reg Error: Value error. File not found
[2010/12/13 11:19:39 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\All Users\Application Data\~0
[2010/12/15 13:09:42 | 000,000,120 | ---- | M] () -- C:\WINNT\Tlujetakobi.dat
[2010/12/15 07:03:58 | 000,000,000 | ---- | M] () -- C:\WINNT\Kyufohapu.bin

:Files
ipconfig /flushdns /c

:Commands
[purity]
[emptytemp]
[EMPTYFLASH]
[CREATERESTOREPOINT]
[Reboot]
Then click the Run Fix button at the top
Let the program run unhindered, reboot the PC when it is done
Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

.
THEN

Download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
Double click on ComboFix.exe & follow the prompts.
As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

ICAngels · « **Reply #33 on:** December 29, 2010, 05:33:21 AM »

Followed your instructions. The svchost error came up just before I did the fix and my computer wouldn't reboot when the program tried to. So, I manually shut it down and did the fix a second time. I reinstalled the microsoft security, so you'll notice it in the new log I'm attaching.

Before I did all this, I received an email from my bank's security dept notifying me that their rapport (spyware) caught & stopped 4 trojans when I accessed my account this morning... Ugh... (TDL4 (severity: High); Zeus 2 (severity: High); TDSS (severity: High); Hiloti (severity: High). My Microsoft Security Antispyware scanned and only found two instances of Hiloti and deleted them. It didn't seem to recognize the other three. I also don't know if combofix took care of the other three viruses.

Thank you so much for your help here...

L

**UPDATE: No problems for a while then a new one is popping up now...
AXWINFRAME Windows: svchost.exe - Application Error (instruction at "0x16cda24e" referenced memory at "0x16cda24e" The memory could not be written...

12/29 - Ugh... The original svchost.exe - Application Error just popped back up...

essexboy · « **Reply #34 on:** December 29, 2010, 09:59:18 PM »

Combofix confirms the TDL4 infection so lets kill that now - Whilst you are doing this I will read the rest of the logs

Please read carefully and follow these steps.

Download TDSSKiller and save it to your Desktop.
Extract its contents to your desktop.
Once extracted, open the TDSSKiller folder and doubleclick on TDSSKiller.exe to run the application, then on Start Scan.
If an infected file is detected, the default action will be Cure, click on Continue.
If a suspicious file is detected, the default action will be Skip, click on Continue.
It may ask you to reboot the computer to complete the process. Click on Reboot Now.
If no reboot is require, click on Report. A log file should appear. Please copy and paste the contents of that file here.
If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.