Benzin
Member
+576|6259
So I left my computer for a month while I went back to the US to visit my family. Now I come back, whenever I open Firefox or Photoshop, I get these MSVCRT.dll errors. I've tried using Windows Recovery, but it wouldn't recognize my administrator password as being valid and I ended up screwing up Windows, requiring a reformat and reinstall.

Now I have a fresh install with Firefox and Java, and the error has returned. I am finding people saying just turn off Java Quick Starter add-on in Firefox, but now I cannot load Java games or any applets. I haven't yet installed Photoshop to see if that will cause an error, but I am almost positive that it will.

Has anyone heard of this problem before??? I also noticed when I did a fresh install of Windows that my Internet Explorer was going to NewsPedia.com as the homepage? What the hell is that?

Now my EEE PC has also gone straight to NewsPedia randomly while in Firefox. Two separate computers and now the Java error with MSVCRT.dll is occurring on that computer whenever I open Firefox, too.

WHAT THE HELL IS GOING ON?!?!?!?!
steelie34
pub hero!
+603|6642|the land of bourbon
download HijackThis and post the output here.  it sounds like you have malware.
Benzin
Member
+576|6259
Here is my Hijackthis log ...

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 00:13:06, on 08.09.2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
D:\Programme\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\system32\svchost.exe
D:\Programme\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Programme\Asus\EeePC ACPI\AsTray.exe
C:\Programme\Asus\EeePC ACPI\AsAcpiSvr.exe
C:\Programme\Elantech\ETDCtrl.exe
C:\WINDOWS\system32\igfxsrvc.exe
D:\Programme\Adobe\Reader 9.0\Reader\Reader_sl.exe
D:\PROGRA~2\SYMANT~1\VPTray.exe
D:\Programme\CA\eTrust PestPatrol\PPActiveDetection.exe
C:\WINDOWS\system32\ctfmon.exe
D:\Programme\RocketDock\RocketDock.exe
C:\WINDOWS\system32\igfxext.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programme\Mozilla Firefox\firefox.exe
D:\Programme\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - D:\Programme\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [AsusTray] C:\Programme\Asus\EeePC ACPI\AsTray.exe
O4 - HKLM\..\Run: [AsusACPIServer] C:\Programme\Asus\EeePC ACPI\AsAcpiSvr.exe
O4 - HKLM\..\Run: [ETDWare] C:\Programme\Elantech\ETDCtrl.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "D:\Programme\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [vptray] D:\PROGRA~2\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [eTrustPPAP] "D:\Programme\CA\eTrust PestPatrol\PPActiveDetection.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [RocketDock] "D:\Programme\RocketDock\RocketDock.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETZWERKDIENST')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: AutoRun OSCleaner.lnk = ?
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe (file missing)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftup … .cab?1245323540031
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup … .cab?1245323528765
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\GEMEIN~1\Skype\SKYPE4~1.DLL
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - D:\Programme\Symantec AntiVirus\DefWatch.exe
O23 - Service: Google Update Service (gupdate1c9f035e9ea689a) (gupdate1c9f035e9ea689a) - Google Inc. - C:\Programme\Google\Update\GoogleUpdate.exe
O23 - Service: SAVRoam (SavRoam) - symantec - D:\Programme\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - D:\Programme\Symantec AntiVirus\Rtvscan.exe

--
End of file - 4479 bytes
Benzin
Member
+576|6259
I have gotten it down to where it only opens to NewsPedia when I start Windows on my EEE. I had a nasty trojan and an autochk.dll, but got rid of those and seemingly also the registry parts, too.

Not sure what else I can do, but this is REALLY bothering me.

That HJT log up there is from my EEE, btw
steelie34
pub hero!
+603|6642|the land of bourbon
the hjt log looks clean... but i'm not seeing the part where it shows your browser settings and other hidden registry startup stuff.  is this the whole output file?
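The posted HijackThis log can be read mechanically rather than by eye. What follows is an added example written for this page (my code, not steelie34's and not part of HijackThis): a small Python parser for the v2.0.2 line format that pulls out the R0 start page, O2 BHOs, O4 Run entries and O23 services and flags the things a reviewer looks at first: a start page outside an allowlist, a loaded binary living under a Temp or profile directory, a system-binary name such as svchost.exe outside system32, a service with no vendor string, a "(file missing)" target on something that actually loads code, and a Global Startup shortcut HijackThis could not resolve ("= ?"). The SAMPLE_LOG lines with real paths are taken from the log above; the R0 line pointing at thenewspedia.com, the [Updater] Run entry and the "Helper Service" line are constructed to show what a hit looks like. The allowlist, the suspicious-directory list (English and German XP folder names, since the log is from a German install) and the system-binary list are my assumptions.

```python
import re
from typing import List, NamedTuple, Optional, Tuple
from urllib.parse import urlsplit

# Sample HijackThis v2.0.2 lines. Lines with real paths are copied from the log
# posted in this thread; the R0 line pointing at thenewspedia.com, the
# [Updater] Run entry and the "Helper Service" service are constructed to
# show what a hit looks like.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://thenewspedia.com/
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - D:\Programme\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [Updater] C:\Dokumente und Einstellungen\user\Lokale Einstellungen\Temp\upd.exe
O4 - Global Startup: AutoRun OSCleaner.lnk = ?
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe (file missing)
O23 - Service: Symantec AntiVirus - Symantec Corporation - D:\Programme\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Helper Service (hlpsvc) - Unknown owner - C:\WINDOWS\Temp\svchost.exe
""".strip("\n")

LINE_RE = re.compile(r"^(?P<section>[A-Z]\d+) - (?P<body>.*)$")
START_PAGE_RE = re.compile(r"Start Page = (?P<url>\S+)")
FILE_RE = re.compile(r'([^\\/:"\s]+\.(?:exe|dll|sys))\b')

# Assumptions made for this example: start-page hosts that are expected, directories a
# legitimate autostart should not live in (English and German XP names), and binary
# names that only belong in %SystemRoot%\system32.
ALLOWED_START_HOSTS = {"google.com", "www.google.com"}
SUSPICIOUS_DIRS = ("\\temp\\", "\\local settings\\", "\\lokale einstellungen\\",
                   "\\application data\\", "\\anwendungsdaten\\", "\\recycler\\")
SYSTEM_BINARIES = {"svchost.exe", "lsass.exe", "csrss.exe", "smss.exe",
                   "winlogon.exe", "services.exe"}
SYSTEM_DIR = "\\windows\\system32\\"
LOADED_CODE_SECTIONS = {"O2", "O4", "O23"}  # BHOs, Run keys, services: code that executes


class Finding(NamedTuple):
    section: str
    reasons: Tuple[str, ...]
    line: str


def check_line(line: str) -> Optional[Finding]:
    """Return a Finding with every reason the line is worth a look, or None if it is unremarkable."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    section, body = m.group("section"), m.group("body")
    low = body.lower()
    reasons = []

    if section in ("R0", "R1"):
        u = START_PAGE_RE.search(body)
        if u:
            host = urlsplit(u.group("url")).hostname or u.group("url")
            if host not in ALLOWED_START_HOSTS:
                reasons.append(f"start page points at {host}")

    if section in LOADED_CODE_SECTIONS:
        if "(file missing)" in low:
            reasons.append("target file missing (dangling entry, or hidden from the scanner)")
        if body.endswith("= ?"):
            reasons.append("startup shortcut with unresolvable target")
        if any(d in low for d in SUSPICIOUS_DIRS):
            reasons.append("runs from a temp or user-writable profile directory")
        files = FILE_RE.findall(low)  # last filename on the line is the loaded image
        if files and files[-1] in SYSTEM_BINARIES and SYSTEM_DIR not in low:
            reasons.append(f"{files[-1]} outside system32")
        if section == "O23" and "unknown owner" in low:
            reasons.append("service with no vendor string")

    return Finding(section, tuple(reasons), line.strip()) if reasons else None


def audit(log_text: str) -> List[Finding]:
    """One Finding per flagged line, in log order."""
    return [f for f in (check_line(l) for l in log_text.splitlines()) if f]


if __name__ == "__main__":
    for f in audit(SAMPLE_LOG):
        print(f.section, "|", f.line)
        for r in f.reasons:
            print("   -", r)
```

Run against the log as actually posted, the only hit is the Global Startup line "AutoRun OSCleaner.lnk = ?": a shortcut whose target HijackThis could not resolve, worth checking but not evidence of anything by itself. The R0 start page there is google.com and nothing else trips a rule, which matches the reading that the log looks clean. That is also the limit of the tool: HijackThis 2.0.2 lists user-mode autostarts and browser hooks only, not kernel drivers, and a kernel-mode rootkit of the kind named later in this thread hides its own files and registry keys from user-mode tools, so an empty report means "nothing visible", not "nothing present".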
jsnipy
...
+3,277|6783|...

run sysinternals procmon to see what is being sought when you get those errors

http://technet.microsoft.com/en-us/sysi … 96645.aspx

it's so very underused imo
13urnzz
Banned
+5,830|6758

jsnipy wrote:

run sysinternals procmon to see what is being sought when you get those errors
i understand why M$ bought out sysinternals. Can't understand why Mark sold it to them . . .
jsnipy
...
+3,277|6783|...

burnzz wrote:

jsnipy wrote:

run sysinternals procmon to see what is being sought when you get those errors
i understand why M$ bought out sysinternals. Can't understand why Mark sold it to them . . .
Well, he gets to continue to work on them and he got paid. At least m$ is not charging anything for them and they are continually being improved upon. These tools should have been bundled with Windows all along imo. I mention them quite a bit here from time to time but never get any feedback. They have helped me through some complex issues in the past.
13urnzz
Banned
+5,830|6758

jsnipy wrote:

I mention them quite a bit here from time to time but never get any feedback. They have helped me through some complex issues in the past.
they simply work ~ small footprint, as advertised, they are "read only" on my thumbdrive.
goddammit, one of the things i cannot stress enough to my current employer is how vital an MSDN script is to an office full of windows © machines!
Benzin
Member
+576|6259

steelie34 wrote:

the hjt log looks clean... but i'm not see the part where it shows your browser settings and other hidden registry startup stuff.  is this the whole output file?
That was the entire thing that HijackThis threw back at me in the log. I copied it straight from the txt file and posted it there.

None of those will solve the problem of thenewspedia.com opening automatically in Firefox. The dll I can work around and ignore, not that huge. I tried using Windows Recovery Console but to no avail.

jsnipy wrote:

run sysinternals procmon to see what is being sought when you get those errors

http://technet.microsoft.com/en-us/sysi … 96645.aspx

it's so very underused imo
I ran that and I haven't a clue what I am supposed to be looking for.
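On what to look for in Procmon: for a DLL error, the useful view is the sequence of file probes the loader makes for that DLL name, in order, with their results. Below is an added example for this page (my own code, not jsnipy's or Benzin's, and not a Sysinternals tool) that reads a Procmon "Save As CSV" export with the default columns (Time of Day, Process Name, PID, Operation, Path, Result, Detail), keeps every CreateFile, QueryOpen and Load Image event whose path ends in the DLL name, and reports per process which locations were probed and came back NAME NOT FOUND, where the image finally loaded from, and whether that location is the system directory. The rows in SAMPLE_CSV are constructed for the example, including the photoshop.exe process that maps MSVCRT.dll from its own folder; the system_dir default is an assumption for an XP install on C:.

```python
import csv
import io
from collections import defaultdict
from typing import Dict, List, NamedTuple, Tuple

# Constructed rows in the layout of a Procmon "Save As CSV" export with the
# default columns. They are illustrative, not a capture from the machines in
# this thread.
SAMPLE_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"0:13:06.0010000","firefox.exe","1234","RegOpenKey","HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\firefox.exe","NAME NOT FOUND","Desired Access: Query Value"
"0:13:06.0020000","firefox.exe","1234","CreateFile","C:\Programme\Mozilla Firefox\MSVCRT.dll","NAME NOT FOUND","Desired Access: Read Attributes, Disposition: Open"
"0:13:06.0030000","firefox.exe","1234","CreateFile","C:\WINDOWS\system32\MSVCRT.dll","SUCCESS","Desired Access: Read Attributes, Disposition: Open"
"0:13:06.0040000","firefox.exe","1234","Load Image","C:\WINDOWS\system32\MSVCRT.dll","SUCCESS","Image Base: 0x77c10000, Image Size: 0x58000"
"0:13:06.0050000","firefox.exe","1234","Load Image","C:\WINDOWS\system32\kernel32.dll","SUCCESS","Image Base: 0x7c800000, Image Size: 0xf6000"
"0:13:07.0010000","photoshop.exe","2345","CreateFile","C:\Programme\Adobe\Photoshop\MSVCRT.dll","SUCCESS","Desired Access: Read Attributes, Disposition: Open"
"0:13:07.0020000","photoshop.exe","2345","Load Image","C:\Programme\Adobe\Photoshop\MSVCRT.dll","SUCCESS","Image Base: 0x10000000, Image Size: 0x58000"
'''

FILE_OPS = {"CreateFile", "QueryOpen", "Load Image"}   # the operations the loader shows for a DLL lookup
NOT_FOUND = {"NAME NOT FOUND", "PATH NOT FOUND"}        # Procmon results for "looked here, nothing there"


class Probe(NamedTuple):
    op: str
    path: str
    result: str


ProcKey = Tuple[str, int]  # (process name, pid)


def dll_probes(csv_text: str, dll_name: str) -> Dict[ProcKey, List[Probe]]:
    """Every file/image event whose path ends in dll_name, grouped per process, in capture order."""
    probes: Dict[ProcKey, List[Probe]] = defaultdict(list)
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Operation"] not in FILE_OPS:
            continue
        if row["Path"].rsplit("\\", 1)[-1].lower() != dll_name.lower():
            continue
        key = (row["Process Name"], int(row["PID"]))
        probes[key].append(Probe(row["Operation"], row["Path"], row["Result"]))
    return dict(probes)


def triage(csv_text: str, dll_name: str, system_dir: str = r"C:\WINDOWS\system32") -> Dict[ProcKey, dict]:
    """Per process: paths probed and not found, where the image was mapped from, and a verdict."""
    report: Dict[ProcKey, dict] = {}
    sysprefix = system_dir.lower().rstrip("\\") + "\\"
    for key, events in dll_probes(csv_text, dll_name).items():
        not_found = [p.path for p in events if p.result in NOT_FOUND]
        loaded = [p.path for p in events if p.op == "Load Image" and p.result == "SUCCESS"]
        if not loaded:
            # every probe missed, or the file was found but never mapped: the error is a failed load
            verdict = "never mapped: DLL absent from every probed location or load failed"
        elif loaded[-1].lower().startswith(sysprefix):
            verdict = "loaded from system directory"
        else:
            # a copy beside the application shadows the system one: verify it before trusting it
            verdict = "loaded from outside system directory; compare hash with system copy"
        report[key] = {"not_found": not_found, "loaded": loaded, "verdict": verdict}
    return report


if __name__ == "__main__":
    for (proc, pid), r in triage(SAMPLE_CSV, "msvcrt.dll").items():
        print(f"{proc} (pid {pid}): {r['verdict']}")
        for p in r["not_found"]:
            print("   probed, not found:", p)
        for p in r["loaded"]:
            print("   mapped from:      ", p)
```

In the Procmon GUI the same thing is Filter > Filter..., "Path" "contains" the DLL name, then reading the Result column top to bottom for the process that throws the error. Every NAME NOT FOUND location ahead of the SUCCESS is somewhere the loader checked first; if one of those is writable by a normal user, a DLL planted there wins over the real one, which is also why a copy of the DLL sitting next to an application (the second verdict above) deserves a hash comparison with the one in system32. KnownDLLs such as kernel32 are mapped from the system copy without this search; whether msvcrt.dll is on that list on a given install can be read from HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs.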
Kmar
Truth is my Bitch
+5,695|6861|132 and Bush

Xbone Stormsurgezz
Benzin
Member
+576|6259

Kmarion wrote:

http://download.cnet.com/Malwarebytes-Anti-Malware/3000-8022_4-10804572.html
I hope this can remove this Vozacka thing embedded in my external drive ...
steelie34
pub hero!
+603|6642|the land of bourbon

CapnNismo wrote:

Kmarion wrote:

http://download.cnet.com/Malwarebytes-Anti-Malware/3000-8022_4-10804572.html
I hope this can remove this Vozacka thing embedded in my external drive ...
it should work.  you can also use windows defender to scan external drives.  just click the little drop-down arrow next to scan, choose custom scan, then pick your external drive.  at least you found where the little bitch is hiding.
Cheez
Herman is a warmaphrodite
+1,027|6699|King Of The Islands

You have Symantec and CA?

Anyway,

http://download.bleepingcomputer.com/sUBs/ComboFix.exe

I use it all the time at work, I AM NOT A ROBOT GIVE ME PICKLES OR NEAREST OFFER.
My state was founded by Batman. Your opinion is invalid.
Benzin
Member
+576|6259
I ended up having to format my USB stick that had Vozacka on there. It was a bitch; I had to format it. I haven't formatted my external HDD ... but Malwarebytes hasn't found it on the drive. It seems to have blocked itself. I don't know...

My EEE PC is infected with this horrible rootkit.tdss virus. I can't get rid of it and am working on the Malwarebytes forum and BleepingComputer forums to try and get them to help, but still waiting on answers. The battle continues.

I ain't doing ComboFix, though. The guys on that forum said not to do it without professional help ...

Last edited by CapnNismo (2009-09-09 11:30:02)

Benzin
Member
+576|6259
I actually don't think vozacka is some kind of virus. The only reason I didn't recognize it and blocked it with my firewall was because I didn't recognize it. But I went and googled it and didn't find anything about it, and it only came up on Serbian and Croatian websites as something non-program-related. It only had the word vozacka and not the .exe ending. Turns out vozacka is Serbian for "drivers". It may actually be a driver file of some kind for the HDD enclosure I bought. It's an internal drive I stuck into an enclosure ... weird. I honestly cannot remember it being on my USB stick at all, though. But I have no idea. Nothing is recognizing it as a virus ...

Windows Defender didn't find anything on my Acer. But my ASUS EEE PC I know is still heavily infected. That thing is so fucked right now it isn't crazy.

Last edited by CapnNismo (2009-09-09 11:44:56)

steelie34
pub hero!
+603|6642|the land of bourbon

CapnNismo wrote:

I ended up having to format my USB stick that had Vozacka on there. It was a bitch; I had to format it. I haven't formatted my external HDD ... but Malwarebytes hasn't found it on the drive. It seems to have blocked itself. I don't know...

My EEE PC is infected with this horrible rootkit.tdss virus. I can't get rid of it and am working on the Malwarebytes forum and BleepingComputer forums to try and get them to help, but still waiting on answers. The battle continues.

I ain't doing ComboFix, though. The guys on that forum said not to do it without professional help ...
this should help with your rootkit...
Cheez
Herman is a warmaphrodite
+1,027|6699|King Of The Islands

CapnNismo wrote:

I ended up having to format my USB stick that had Vozacka on there. It was a bitch; I had to format it. I haven't formatted my external HDD ... but Malwarebytes hasn't found it on the drive. It seems to have blocked itself. I don't know...

My EEE PC is infected with this horrible rootkit.tdss virus. I can't get rid of it and am working on the Malwarebytes forum and BleepingComputer forums to try and get them to help, but still waiting on answers. The battle continues.

I ain't doing ComboFix, though. The guys on that forum said not to do it without professional help ...
lololol it's self run.

www.freedrweb.com
My state was founded by Batman. Your opinion is invalid.
Benzin
Member
+576|6259
I went ahead and did ComboFix. Sorted everything out. There are a few special rules you have to follow when using it, though ... seems to be a bit of an unstable program in a way. Worked like a charm, though.
