Windows Vista Forums

Vista - Random Router Virus?

#1 - 08-18-2008 - wayner (vista sp1 64bit)

Random Router Virus?

Hello,

Has anyone run into a virus that keeps coming into a wireless router and setting up a new network icon in the network "connect to" area as "wireless g"? I cannot delete it or access any files with it; I get access denied, and I am logged in as admin. The Linksys router shows up, then this "wireless g" shows up, and it won't have an IP address; it shows up as unknown. I can get rid of it by doing a system restore and router reset, but a few days later it's back. I've gone into the cmd prompt as admin and done sfc; it found corrupt files but won't let me access the CBS logs, access denied. It won't let me take ownership either. I am running Vista SP1 with all updates and avast anti virus/firewall. Any help or ideas most appreciated. Thx, Wayner. This is the HijackThis log.

Code:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:28:50 PM, on 8/17/2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal
Running processes:
C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Program Files (x86)\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\BigFix\bigfix.exe
C:\Program Files\Camera Assistant Software for Gateway\traybar.exe
C:\Program Files (x86)\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Program Files (x86)\ScanSoft\OmniPageSE4\OpWareSE4.exe
C:\Program Files\Camera Assistant Software for Gateway\CEC_MAIN.exe
C:\Program Files (x86)\Internet Explorer\ieuser.exe
C:\Windows\SysWOW64\Macromed\Flash\FlashUtil9e.exe
C:\Program Files (x86)\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gateway.com/g/startpage.h...s=PTB&M=T-6836
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = Live Search
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gateway.com/g/startpage.h...s=PTB&M=T-6836
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Live Search
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Live Search
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.com/g/startpage.h...s=PTB&M=T-6836
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.gateway.com/g/sidepanel.h...s=PTB&M=T-6836
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = 
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = 
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = 
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = 
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn\yt.dll
F2 - REG:system.ini: UserInit=userinit.exe
O1 - Hosts: ::1 localhost
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files (x86)\google\googletoolbar1.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files (x86)\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Camera Assistant Software] "C:\Program Files\Camera Assistant Software for Gateway\traybar.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files (x86)\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [OpwareSE4] "C:\Program Files (x86)\ScanSoft\OmniPageSE4\OpwareSE4.exe"
O4 - HKLM\..\RunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [swg] C:\Program Files (x86)\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\bigfix.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~2\Java\JRE16~1.0_0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~2\Java\JRE16~1.0_0\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~2\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~2\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~2\MICROS~2\Office12\REFIEBAR.DLL
O13 - Gopher Prefix: 
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files (x86)\Yahoo!\Common\yinsthelper.dll
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: @dfsrres.dll,-101 (DFSR) - Unknown owner - C:\Windows\system32\DFSR.exe (file missing)
O23 - Service: GameConsoleService - WildTangent, Inc. - C:\Program Files (x86)\Gateway Games\Gateway Game Console\GameConsoleService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files (x86)\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files (X86)\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: PIXMA Extended Survey Program (IJPLMSVC) - Unknown owner - C:\Program Files (x86)\Canon\IJPLM\IJPLMSVC.EXE
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)
O23 - Service: Remote Procedure Call (RPC) Net (rpcnet) - Absolute Software Corp. - C:\Windows\SysWOW64\rpcnet.exe
O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\SLsvc.exe,-101 (slsvc) - Unknown owner - C:\Windows\system32\SLsvc.exe (file missing)
O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing)
O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
O23 - Service: SigmaTel Audio Service (STacSV) - IDT, Inc. - C:\Program Files (x86)\IDT\WDM\STacSV64.exe
O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)
O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)
O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)
O23 - Service: @%ProgramFiles%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)
O23 - Service: XAudioService - Unknown owner - C:\Windows\system32\DRIVERS\xaudio64.exe (file missing)
--
End of file - 8685 bytes

#2 - 08-18-2008 - rive0108 (Vista Ultimate X64 SP2)

Re: Random Router Virus?

Quote: Originally Posted by wayner
Hello,

Has anyone run into a virus that keeps coming into a wireless router and setting up a new network icon in the network "connect to" area as "wireless g"? I cannot delete it or access any files with it; I get access denied, and I am logged in as admin. The Linksys router shows up, then this "wireless g" shows up, and it won't have an IP address; it shows up as unknown. I can get rid of it by doing a system restore and router reset, but a few days later it's back. I've gone into the cmd prompt as admin and done sfc; it found corrupt files but won't let me access the CBS logs, access denied. It won't let me take ownership either. I am running Vista SP1 with all updates and avast anti virus/firewall. Any help or ideas most appreciated. Thx, Wayner. This is the HijackThis log.
Try running another antivirus program. Avast has some trouble detecting viruses/malware in Vista SP1 (it missed 19 in independent antivirus testing a few months ago). If you have malware, it may resolve your problem.
This is a good program. It's an online scanner/cleaner (no downloads) that can be set for in-depth scanning of everything.
Free ESET Online Antivirus Scanner

Here are links for more antivirus/antimalware scanners that are free/paid:
Antivirus Scanners & Internet Security Tools

Here is a link for the antimalware independent test results. If you look at the Vista SP1 chart,
you can see who passed and who failed:
http://www.vistax64.com/system-secur...es-vendor.html

Last edited by rive0108; 08-18-2008 at 06:59 PM..
#3 - 08-18-2008 - wayner (vista sp1 64bit)

Re: Random Router Virus?

Thx rive0108, I will give it a try. I tried to open the ESET scanner and I get the same admin-required access denied. I went to their website; they sent me an email link, and it took me to the download page, same deal. Any way to get around this?
#4 - 08-18-2008 - rive0108 (Vista Ultimate X64 SP2)

Re: Random Router Virus?

Quote: Originally Posted by wayner
Thx rive0108, I will give it a try. I tried to open the ESET scanner and I get the same admin-required access denied. I went to their website; they sent me an email link, and it took me to the download page, same deal. Any way to get around this?
hmm,

Press Start, Run, and then type in:
SFC /scannow (checks for missing/damaged files)

Make sure to use 32-bit IE, as you have to load an ActiveX control for the online scanner.
Best bet, as it seems to be affecting your wireless, is to turn it off and connect to the router (or modem) directly with an ethernet cable. (For a direct connection to the modem this requires you to restart the computer.)

PS: according to your log, you seem to have a lot of files missing. You haven't been messing around with a registry cleaner, have you? Your problem may be severe corruption of your OS. You may want to think seriously about backing up documents, etc., and doing a destructive reformat/reinstall of Vista. Just the time alone invested in this issue, and the inability to use your system, may be worth the time involved in reinstalling.

Last edited by rive0108; 08-19-2008 at 12:03 AM..
#5 - 08-18-2008 - rive0108 (Vista Ultimate X64 SP2)

Re: Random Router Virus?

One more thing:

Why do you have so many IE toolbars installed?

I see you also have WildTangent installed.
Some popular antispyware programs classify it as adware/spyware, mainly because it solicited advertisements and installed software without the user's knowledge or consent, a behaviour commonly associated with spyware and malware.

The msdtc.exe file is missing.
msdtc.exe is not a virus; it's a part of a couple of Windows applications.

You have multiple Windows .dll (dynamic link library) entries missing.

My conclusion

You have near-catastrophic Windows system file corruption. I would back up user files and reformat/reinstall from your Gateway recovery partition/recovery disk. (For future reference, do not use a registry cleaner. If you do not know what it is deleting, then do not let it delete/clean it off of your system.)

Last edited by rive0108; 08-19-2008 at 12:21 AM..
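
The conclusion in the post above rests on the "(file missing)" flags in the O23 service lines of the log. As an added example (not code from the thread, from HijackThis or from Trend Micro), here is a Python parser for the O23 and O4 lines that extracts each entry's executable path and triages the flagged ones. One check it builds in is worth knowing about before treating such flags as evidence of corruption: HijackThis 2.0.2 is a 32-bit program (the log shows it running from C:\Program Files (x86)), and on 64-bit Windows a 32-bit process that opens C:\Windows\System32 is redirected to SysWOW64 by WOW64 file-system redirection, so 64-bit-only system binaries such as lsass.exe and spoolsv.exe are reported as missing even when they are present. The sample lines are copied from the posted log; the simulated disk contents and the %WINDIR%/%ProgramFiles% mapping are constructed for the demonstration, and the function names (parse_log, triage_missing, demo) are my own.

```python
"""Parse HijackThis v2.0.2 O23/O4 log lines and triage '(file missing)' entries.
Added example, not from the thread or Trend Micro; sample lines are copied from the log."""
import os
import re
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, List, Optional

# "O23 - Service: <display> [(<short>)] - <owner> - <path> [(file missing)]"
O23_RE = re.compile(
    r"^O23 - Service: (?P<display>.+?)(?: \((?P<short>[^()]+)\))? - "
    r"(?P<owner>.+?) - (?P<path>.+?)(?P<missing> \(file missing\))?$"
)
# "O4 - <hive>\..\Run[Once]: [<name>] <command> [(User '<user>')]"
O4_RE = re.compile(
    r"^O4 - (?P<hive>[^:]+?)\\\.\.\\(?P<key>Run(?:Once)?): \[(?P<name>[^\]]*)\] "
    r"(?P<cmd>.+?)(?: \(User '(?P<user>[^']+)'\))?$"
)
VAR_RE = re.compile(r"%([^%]+)%")
# Constructed mapping so %WINDIR%-style references expand offline (real code: os.environ).
ENV = {"windir": r"C:\Windows", "programfiles": r"C:\Program Files"}
SYSTEM32 = "c:\\windows\\system32\\"

@dataclass
class Entry:
    section: str   # "O23" (service) or "O4" (Run key)
    name: str      # service short name (display name if none) / Run value name
    path: str      # executable path as the scanner printed it
    missing: bool  # scanner appended "(file missing)"

def expand_vars(text: str, env: Dict[str, str] = ENV) -> str:
    """Expand %NAME% references case-insensitively from the supplied mapping."""
    return VAR_RE.sub(lambda m: env.get(m.group(1).lower(), m.group(0)), text)

def executable_of(cmd: str) -> str:
    """Executable of a Run-key command: the quoted path, else tokens up to the first .exe."""
    if cmd.startswith('"'):
        return cmd[1:cmd.index('"', 1)]
    tokens = cmd.split(" ")
    for i, tok in enumerate(tokens):
        if tok.lower().endswith(".exe"):
            return " ".join(tokens[: i + 1])
    return cmd

def parse_line(line: str) -> Optional[Entry]:
    """Return an Entry for O23/O4 lines; None for line types this parser skips."""
    m = O23_RE.match(line)
    if m:
        return Entry("O23", m.group("short") or m.group("display"),
                     m.group("path"), bool(m.group("missing")))
    m = O4_RE.match(line)
    if m:
        exe = expand_vars(executable_of(m.group("cmd")))
        return Entry("O4", m.group("name"), exe, False)
    return None

def parse_log(lines: Iterable[str]) -> List[Entry]:
    parsed = (parse_line(line.rstrip("\r\n")) for line in lines)
    return [e for e in parsed if e is not None]

def triage_missing(entries: Iterable[Entry],
                   exists: Callable[[str], bool] = os.path.exists,
                   scanner_32bit_on_x64: bool = True) -> Dict[str, str]:
    """Verdict per flagged path: present-on-disk (the flag was wrong),
    possible-wow64-redirect (System32 path; a 32-bit scanner on x64 is
    redirected to SysWOW64, so 64-bit-only binaries look absent), or
    unexplained-missing (neither applies; the entry deserves a closer look)."""
    verdicts: Dict[str, str] = {}
    for e in entries:
        if not e.missing:
            continue
        if exists(e.path):
            verdicts[e.path] = "present-on-disk"
        elif scanner_32bit_on_x64 and e.path.lower().startswith(SYSTEM32):
            verdicts[e.path] = "possible-wow64-redirect"
        else:
            verdicts[e.path] = "unexplained-missing"
    return verdicts

# Lines copied from the log posted in the thread.
SAMPLE_LOG = [
    r"O4 - HKLM\..\RunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe",
    r"O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')",
    r"O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe",
    r"O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)",
    r"O23 - Service: Remote Procedure Call (RPC) Net (rpcnet) - Absolute Software Corp. - C:\Windows\SysWOW64\rpcnet.exe",
    r"O23 - Service: XAudioService - Unknown owner - C:\Windows\system32\DRIVERS\xaudio64.exe (file missing)",
    r"O23 - Service: @%ProgramFiles%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)",
]
# Constructed disk contents: pretend only the audio driver is actually present.
FAKE_DISK = {r"c:\windows\system32\drivers\xaudio64.exe"}

def demo() -> Dict[str, str]:
    return triage_missing(parse_log(SAMPLE_LOG), exists=lambda p: p.lower() in FAKE_DISK)

if __name__ == "__main__":
    for path, verdict in demo().items():
        print(f"{verdict:24} {path}")
```

On a real machine you would keep the default os.path.exists and run the check from a 64-bit process, or, from a 32-bit process, look under C:\Windows\Sysnative, the alias Vista and later expose for the un-redirected System32; an entry that stays "unexplained-missing" after that is the one to investigate, while a pile of "possible-wow64-redirect" verdicts for lsass.exe, spoolsv.exe and friends is an artifact of the scanner rather than evidence about the disk.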

#6 - 08-19-2008 - wayner (vista sp1 64bit)

Re: Random Router Virus?

Thx again, rive0108. Those toolbars came with the Gateway package; I'll delete these and the Wise registry cleaner, do recovery from the partition, reset and reinstall the router, and reset the encryption on it. Thx again, Wayner