GRIVEN

SCANS for Mr.Charlie


The three items were gone in the new scan. When I saved the log, a box came up saying

"run-time error '326' Resource with identifer 'VERSION' not found" with an "OK" click.

Does that sound right or is it a flag?


It's a flag. Like I said before... this system is so corrupt, I think the best idea is to reinstall the operating system and start fresh, and I would also strongly suggest you add some memory to the system for it to operate properly.

MrC


Since, as explained, we have no OS disk for it, can we try Combo-Fix or would that be worthless effort?

I've taken off Malwarebytes for now, since it doesn't run anyway. Plus Registry Mechanic because I've caught it freezing things in earlier attempts to treat the infections & it showed up in the HijackThis log.

Plus AVG tune-up because of the oddity that a balloon, seemingly MS, pops up at start-up and sometimes at other odd moments, saying that AVG 2012 Anti-virus was out of date. Since I thought I had removed AVG days ago because it was blocked from updating, I thought that message was fishy. After removing AVG PC tune-up & rebooting, however, it still came up even though I believed everything AVG was removed.

Adding memory, I agree, is a good idea but also not an option at the moment.

Am I correct in assuming that without the OS disk, reinstall is not an option?

-Grivin


By the way, since that last reboot things seem to be running more swiftly on that challenging computer, but I don't want to delude myself about progress.

The instructions for Combo-fix mention that it sets its own restore point. Is this separate from the failed Windows restore point?

I won't, of course, run anything without your approval.


Mr.C,

You're not giving up on me, are you? Please don't tell me this is hopeless.

For the first time in weeks, her computer is running without a pronounced time lag.


I'm still here. I wanted you to try and create a new system restore point.

Were you able to do this?

MrC


I have gotten to the point of being ready to run Combo-Fix.

In reading their instructions, I noted that Combo-Fix sets its own Restore Point.

My question is if this is their own method, apart from Windows. If it depends on Windows Restore, will it work or fail like the XP attempts?

I didn't want to proceed without your nod...


No, it won't work.

You can try to turn system restore off, reboot and then turn it back on.

This will clear out all the restore points and reset it.

It may fix it.

Let me know, MrC


How do I turn off Restore? If you recall, when I go to System Tools through Accessories, the next step just says "empty".

Is there another approach in Windows to control that function?


First try at running Unhide drew a "Windows No Disk" notice which said

" Exception Processing Message c00000 Parameters 75b6bf9c 4 76b6bf9c 75b6bf9c "

Below were options which included "Retry" (same result) and "Continue".

The latter option resulted in the log pasted below.

I mention this detail in case the prolog message is an indication that the scan was about to be compromised in some way.

//////////////////////////////////////////////////////////

Unhide by Lawrence Abrams (Grinler)

http://www.bleepingcomputer.com/

Copyright 2008-2012 BleepingComputer.com

More Information about Unhide.exe can be found at this link:

http://www.bleepingcomputer.com/forums/topic405109.html

Program started at: 05/07/2012 09:22:28 AM

Windows Version: Windows XP

Please be patient while your files are made visible again.

Processing the A:\ drive

Finished processing the A:\ drive. 0 files processed.

Processing the C:\ drive

Finished processing the C:\ drive. 66332 files processed.

Restoring the Start Menu.

* 0 Shortcuts and Desktop items were restored.

Searching for Windows Registry changes made by FakeHDD rogues.

- Checking HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer

- Checking HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer

- Checking HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System

- Checking HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced

No registry changes detected.

Restarting Explorer.exe in order to apply changes.

Program finished at: 05/07/2012 09:31:29 AM

Execution time: 0 hours(s), 9 minute(s), and 0 seconds(s)

///////////////////////////////////////////////////////

NOTE: When I brought the flashdrive back to my own computer to send this, AVG threat warning opened with this news: g:\7zip_Set.up.exe Adware Generic 5DHX

This apparently is one of the programs I ferried to the infected computer to "treat" it (although it may not have been used). I sent it to the vault.

(also trying to adjust the font size in the post box, pardon the shift, please)

-Griven

when I go to System Tools through Acessories, the next step just says "empty"

Is there another approach in Windows to control that function?

Looks like nothing was restored; is it still empty?

Try something for me regarding system restore.......

Disable all your anti-virus and anti-malware programs and try using system restore again, sometimes these programs interfere with it.

MrC


MrC,

Early in my bumbling attempted defense of this system, after it had been hit by SMART HDD, I ran Unhide and recovered an ability to see files. (I used the same exe already on the Desktop for this run.) Could that be why it found nothing this time?

The System Tools path still reads "Empty".

To recap: I was able to get into Restore before by placing %SystemRoot%\System32\restore\rstrui.exe in the Run box, but the 2 emboldened restore points prior to the infection would not take. After that I removed an inoperable Malwarebytes (and had previously removed AVG) so they wouldn't interfere with a pending deployment of ComboFix (which was not run). So, as far as I can tell, that system is presently without an active anti-virus or anti-malware program.

If I use the above mentioned method to get into restore again, is there an option in there to turn it off, as requested, even though it's not "officially" recognized by the System Tools category? And, if so, is this still advisable?

-Griven


I went back into Restore Point & tried again to set one, but there are no longer any dates available prior to infection.

So, I followed the MS Guide & turned Restore off.

What's next?


Reboot and turn it back on, now see if you can create a new system restore point.

Just copy and paste this into the run box ( start button > run) and hit OK

%SystemRoot%\system32\restore\rstrui.exe

That will bring up system restore.

Let me know.....MrC


Will do.

In the meantime, a new concern has arisen with my own system.

When I returned the flashstick to a port on this one after sending you the text file for that last scan, AVG picked up an "adware" bug [see above]. AVG confirmed that it had quarantined it but then picked it up again in the same spot, twice, then vaulted it twice again, or so it said. This was strange.

I ran a Malwarebytes scan

/////////////////////////////////////////////////////////////

Malwarebytes Anti-Malware 1.61.0.1400

www.malwarebytes.org

Database version: v2012.05.04.06

Windows XP Service Pack 3 x86 NTFS

Internet Explorer 8.0.6001.18702

yarg :: IBM-A8507EB698C [administrator]

5/7/2012 10:32:50 AM

mbam-log-2012-05-07 (10-32-50).txt

Scan type: Full scan

Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM

Scan options disabled: P2P

Objects scanned: 334116

Time elapsed: 1 hour(s), 34 minute(s), 43 second(s)

Memory Processes Detected: 0

(No malicious items detected)

Memory Modules Detected: 0

(No malicious items detected)

Registry Keys Detected: 0

(No malicious items detected)

Registry Values Detected: 0

(No malicious items detected)

Registry Data Items Detected: 0

(No malicious items detected)

Folders Detected: 0

(No malicious items detected)

Files Detected: 2

C:\Documents and Settings\yarg\Desktop\April Rescue Programs\7zip_Setup.exe (PUP.Bundle.Installer.OI) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{AC585E84-CD80-49E6-ADC6-F009D307C4BA}\RP22\A0005417.exe (PUP.Bundle.Installer.OI) -> Quarantined and deleted successfully.

(end)

////////////////////////////////////////////////

...then rebooted because MWB said it was needed to complete boot.

At start-up there was a little balloon saying AVG anti-virus was turned off.

I checked. It wasn't. But this was the same behavior reported on the sick system we've been trying to heal.

According to descriptions, that sad balloon was coming up on her computer before the infection turned up.

Have I infected my own computer with something on that flashstick?

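Added example, not code from the thread or from Malwarebytes: a small parser for scan-log lines in the format posted above. It cross-checks the "Files Detected" count against the detection lines it finds and flags any detection whose path sits under System Volume Information\_restore{...}\RPnn, which is a copy held inside a System Restore point rather than a live file; that is why a scanner keeps finding the same item until the restore points are flushed. The sample log is an excerpt constructed from the post above; the function names are my own.

```python
"""Parse Malwarebytes-style scan log lines and flag detections that sit in a
System Restore snapshot. Added example, not code from the thread or from
Malwarebytes; the sample log is an excerpt constructed from the post above."""
import re

# Constructed excerpt of the log posted above (two file detections).
SAMPLE_LOG = r"""Malwarebytes Anti-Malware 1.61.0.1400
Memory Processes Detected: 0
(No malicious items detected)
Registry Keys Detected: 0
(No malicious items detected)
Files Detected: 2
C:\Documents and Settings\yarg\Desktop\April Rescue Programs\7zip_Setup.exe (PUP.Bundle.Installer.OI) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{AC585E84-CD80-49E6-ADC6-F009D307C4BA}\RP22\A0005417.exe (PUP.Bundle.Installer.OI) -> Quarantined and deleted successfully.
(end)
"""

# "<Kind> Detected: <n>" summary lines.
COUNT_RE = re.compile(r"^(?P<kind>[A-Za-z ]+) Detected: (?P<n>\d+)$")
# "<path> (<threat>) -> <action>." detection lines; the path may contain spaces,
# so it is matched lazily up to the " (" that opens the threat name.
DETECTION_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+?) \((?P<threat>[^()]+)\) -> (?P<action>.+?)\.?$"
)
# Files under System Volume Information\_restore{...}\RPnn\ are copies kept by
# a System Restore point, not files in use on the live system.
RESTORE_RE = re.compile(
    r"\\System Volume Information\\_restore\{[^}]*\}\\RP\d+\\", re.IGNORECASE
)


def parse_mbam_log(text):
    """Return (counts_by_kind, detections) for a log in the format above."""
    counts, detections = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        m = COUNT_RE.match(line)
        if m:
            counts[m["kind"]] = int(m["n"])
            continue
        m = DETECTION_RE.match(line)
        if m:
            detections.append({
                "path": m["path"],
                "threat": m["threat"],
                "action": m["action"],
                "in_restore_point": bool(RESTORE_RE.search(m["path"])),
            })
    return counts, detections


def summarize(text):
    """Cross-check declared counts against parsed detections and list the
    detections that live inside a restore point."""
    counts, detections = parse_mbam_log(text)
    declared = sum(counts.values())
    return {
        "declared_total": declared,
        "parsed_total": len(detections),
        "consistent": declared == len(detections),
        "restore_point_hits": [d["path"] for d in detections if d["in_restore_point"]],
        "threats": sorted({d["threat"] for d in detections}),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

A mismatch between the declared and parsed totals usually means the log was truncated when pasted, which is worth knowing before acting on it.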

I'm setting a System Restore Point for today (which is the only date available, I guess that's standard).

Have I infected my own computer with something on that flashstick?

Looks like you caught it before you did. Have you cleaned the flashdrive?

Do this:

Please download Flash_Disinfector.exe by sUBs and save it to your desktop.

  • Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
  • The utility may ask you to insert your flash drive and/or other removable drives. Please do so and allow the utility to clean up those drives as well.
  • Hold down the Shift key when inserting the drive until Windows detects it to keep autorun.inf from executing if it is present.
  • Wait until it has finished scanning and then exit the program.
  • Reboot your computer when done.

Note: As part of its routine, Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive that was plugged in when you ran it. Do not delete this folder...it will help protect your drives from future infection by keeping the autorun file from being installed on the root drive and running other malicious files.

---------------------

Yes that's OK for the system restore name.

MrC

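Added example of the idea in the note above, not code from the thread or from Flash_Disinfector itself: a Python script that reports whether a drive root carries an autorun.inf file (and which launch keys it contains), and after that file has been removed creates the blocking autorun.inf folder in its place, so that no file of that name can be written to the root. The drive paths, the sample autorun.inf contents and the function names are assumptions; the hidden-attribute call only applies on Windows.

```python
"""Check a removable-drive root for an autorun.inf file and plant the
protective autorun.inf folder. Added example; not code from the thread
or from Flash_Disinfector. Paths and the sample autorun.inf are constructed."""
import configparser
import ctypes
import os
import tempfile

# [autorun] keys that make Windows run a program when AutoRun is enabled
# and the drive is inserted or opened from Explorer.
LAUNCH_KEYS = ("open", "shellexecute", "shell\\open\\command")
FILE_ATTRIBUTE_HIDDEN = 0x02


def inspect_autorun(drive_root):
    """Describe the autorun.inf entry at drive_root: 'absent', 'protected'
    (a directory, so no file can be created with that name) or 'file'
    (parsed to show which launch keys it carries)."""
    path = os.path.join(drive_root, "autorun.inf")
    if os.path.isdir(path):
        return {"state": "protected", "path": path, "launch": {}}
    if not os.path.exists(path):
        return {"state": "absent", "path": path, "launch": {}}
    # autorun.inf is INI-style; interpolation is off so %SystemRoot% survives,
    # and strict=False tolerates duplicate keys, common in malware-written files.
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    with open(path, "r", encoding="utf-8", errors="ignore") as fh:
        try:
            cp.read_string(fh.read())
        except configparser.Error:
            return {"state": "file", "path": path, "launch": {}, "parse_error": True}
    section = next((s for s in cp.sections() if s.lower() == "autorun"), None)
    launch = {}
    if section is not None:
        for key in LAUNCH_KEYS:
            if cp.has_option(section, key):
                launch[key] = cp.get(section, key)
    return {"state": "file", "path": path, "launch": launch}


def protect_drive(drive_root):
    """Create the blocking autorun.inf directory. Returns True if created,
    False if the drive was already protected. Refuses to replace a file:
    an existing autorun.inf file should be inspected and removed first."""
    path = os.path.join(drive_root, "autorun.inf")
    if os.path.isdir(path):
        return False
    if os.path.exists(path):
        raise FileExistsError(f"{path} is a file; inspect and remove it first")
    os.mkdir(path)
    if os.name == "nt":
        # Hide the folder, as Flash_Disinfector does (Windows only).
        ctypes.windll.kernel32.SetFileAttributesW(path, FILE_ATTRIBUTE_HIDDEN)
    return True


def demo():
    """Constructed walk-through in a temporary directory standing in for a
    drive root: an autorun.inf pointing at an executable is found, removed,
    and replaced by the protective folder."""
    root = tempfile.mkdtemp()
    with open(os.path.join(root, "autorun.inf"), "w", encoding="utf-8") as fh:
        fh.write("[AutoRun]\nopen=setup.exe\nicon=%SystemRoot%\\system32\\shell32.dll,4\n")
    before = inspect_autorun(root)
    os.remove(before["path"])          # what a cleanup tool would do with it
    created = protect_drive(root)      # True: folder planted
    again = protect_drive(root)        # False: already protected
    after = inspect_autorun(root)
    return before, created, again, after


if __name__ == "__main__":
    b, c, a2, a = demo()
    print(b["state"], b["launch"], "->", a["state"])
```

Holding Shift while inserting the drive, as the post advises, keeps the file from being acted on while you inspect it; the folder then prevents it from coming back.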

Mr.C,

How in the world do you do this day after day? This stuff throws up manias every time you blink.

I'm a month into the malware maze & already halfway down the hall to jabbering idiocy.

I tried downloading the flash disinfector. It was halted by AVG with a message that

"...Temporary Internet Files\Content.IE5\VBABWLE7\Flash_Disinfector[1].exe IDP.Trojan.F6B57C97 Trojan This is a known Trojan/Backdoor..."

I'm guessing it was a false positive but thought it was safer to ask first. AVG tells you to save & close open files, but that very warning is immobile and predominant so that any "save changes?" box can't be accessed. I also couldn't get to email to ask. The other computer was busy and an AVG system scan was in progress when the "trojan" pop up appeared, so I waited for the scan to finish.

Meanwhile, on the originally infected computer, an "update" balloon came up on restart & I clicked it. Service Pack 3 started downloading. (I had noticed she was operating on Pack 2 when I started fighting this battle weeks ago & tried to install 3 but it wouldn't let me install it.) This time it succeeded but took quite a while.

So, those are the new conditions.

Back to the flash disinfector. I used the link you posted. Am I correct that it WAS a false positive stopped at the onset of download? ...and should I try it again? (after pouring more coffee on my jangled nerves)...

-Grivin


I zipped it up and attached it, the file is safe.

Let me know, MrC


Thank you.

Operations performed on flash drives.

And now....?

Back to the original problem?

Restore date is set for today.

What's next?


Let's run ComboFix.....

Please download and run ComboFix.

The most important things to remember when running it are to disable all your malware programs and to run ComboFix from your desktop.

Please visit this webpage for download links, and instructions for running ComboFix

http://www.bleepingc...to-use-combofix

Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Information on disabling your malware programs can be found Here.

Make sure you run ComboFix from your desktop.

Please include the C:\ComboFix.txt in your next reply for further review.

Note:

If you get the message "Illegal operation attempted on registry key that has been marked for deletion." after you run ComboFix, please reboot the computer; this should resolve the problem. You may have to do this several times if needed.

MrC


I've taken the malware & anti-virus programs off of that computer for now & I've had ComboFix on the desktop for a while. So, unless there are some Anti-Vs built into XP I'm not aware of, I'm ready to click.

This topic is now closed to further replies.
