Virus infected files will not go away.



Hello again,

 

This is my third attempt. Every time I try to attach the log files I lose everything.

 

To begin again, I downloaded Malwarebytes, ran the scan and found 2 infected files. I clicked on show results, remove now and then rebooted. Ran the scan again and got the 2 infected files again.

 

I also downloaded HijackThis, ran the scan and got the results. I have not been able to attach the 2 log files to this message. Right now I just want to get the message out. Hopefully someone can help me get the log files attached. I run Windows XP on a 32 bit system.

 

In addition to getting the 2 infected files, a few other problems have occurred.

 

1. I cannot print from my browser, Firefox. I keep getting "unknown error" when I try to print from the browser. I can, however, print from Word. Avast Pro is my antivirus program and I run Firefox in the Sandbox. I wouldn't think running Firefox in the Sandbox would keep me from printing.

2. When I download a program, like Malwarebytes, and go into my download folder, the program is not accessible. It cannot be opened. All I can do is delete it from the list, even though I am the Admin.

3. Another problem is that when I start Firefox, I get a message that "the program cannot be updated. Check to see that another copy is not running." However, I cannot get into Task Manager to check/stop another copy that is running.

 

 

Of course, any and all help will be greatly appreciated.

The Coach

 


  • Root Admin

I'm going to be away for most of the night but please go ahead and run the following and I'll check back on you either later tonight or tomorrow.


STEP 01

Backup the Registry:

Modifying the Registry can create unforeseen problems, so it is always wise to create a backup before doing so.
 

  • Please download ERUNT from one of the following links: Link1 | Link2 | Link3
  • ERUNT (Emergency Recovery Utility NT) is a free program that allows you to keep a complete backup of your registry and restore it when needed.
  • Double click on erunt-setup.exe to Install ERUNT by following the prompts.
  • Start ERUNT either by double clicking on the desktop icon or choosing to start the program at the end of the setup process.
  • Choose a location for the backup.
    • Note: the default location is C:\Windows\ERDNT which is acceptable.
  • Make sure that at least the first two check boxes are selected.
  • Click on OK
  • Then click on YES to create the folder.

Note: if it is necessary to restore the registry, open the backup folder and start ERDNT.exe


STEP 02

Please download Malwarebytes Anti-Rootkit from HERE


  • Unzip the contents to a folder in a convenient location.
  • Open the folder where the contents were unzipped and run mbar.exe
  • Follow the instructions in the wizard to update and allow the program to scan your computer for threats.
  • Click on the Cleanup button to remove any threats and reboot if prompted to do so.
  • Wait while the system shuts down and the cleanup process is performed.
  • Perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If they do, then click Cleanup once more and repeat the process.
  • When done, please post the two logs produced; they will be in the MBAR folder: mbar-log.txt and system-log.txt


STEP 03

Please download Junkware Removal Tool to your desktop.


  • Shutdown your antivirus to avoid any conflicts.
  • Right click over JRT.exe and select Run as administrator on Windows Vista or Windows 7, double-click on XP.
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next reply message
  • When completed make sure to re-enable your antivirus



STEP 04

Please download AdwCleaner by Xplode to your desktop.


  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • If prompted by the User Account Control click Yes to allow it to run.
  • Under Actions click on the Delete button.
  • Click OK on all prompts.
  • You will be prompted to restart your computer. A text file will open after the restart.
  • Please post the entire contents of that logfile to your next reply.
  • You can find the logfile at C:\AdwCleaner[s1].txt where the number in brackets indicates how often it was run.


STEP 05


Please go here to run the online antivirus scanner from ESET.


  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked
  • Click on Advanced Settings and ensure these options are ticked:
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology
  • Click Scan
  • Wait for the scan to finish
  • If any threats were found, click the 'List of found threats' , then click Export to text file....
  • Save it to your desktop, then please copy and paste that log as a reply to this topic.


 

 


Ok, I was able to do all of the steps you gave me to do. Thank you so much for helping me. Now, I hope I can post the logs.

 

 

Root-Kit Log:

 

Malwarebytes Anti-Rootkit BETA 1.06.0.1004
www.malwarebytes.org

Database version: v2013.06.22.07

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 6.0.2900.5512
ODDministrator :: HOME-60 [administrator]

6/22/2013 7:56:31 PM
mbar-log-2013-06-22 (19-56-31).txt

Scan type: Quick scan
Scan options enabled: Anti-Rootkit | Drivers | MBR | Physical Sectors | Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUM | P2P
Scan options disabled: PUP
Objects scanned: 281235
Time elapsed: 8 minute(s), 51 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

Physical Sectors Detected: 0
(No malicious items detected)

(end)

 

Next log: JRT

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 4.9.4 (05.06.2013:1)
OS: Microsoft Windows XP x86
Ran by ODDministrator on Sat 06/22/2013 at 22:14:50.70
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~




~~~ Services



~~~ Registry Values



~~~ Registry Keys

Successfully deleted: [Registry Key] "hkey_current_user\software\apn pip"
Successfully deleted: [Registry Key] "hkey_local_machine\software\pip"



~~~ Files



~~~ Folders





~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Sat 06/22/2013 at 22:23:52.73
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Next Log: AdwCleaner

 

# AdwCleaner v2.303 - Logfile created 06/22/2013 at 22:45:51
# Updated 08/06/2013 by Xplode
# Operating system : Microsoft Windows XP Service Pack 3 (32 bits)
# User : ODDministrator - HOME-60
# Boot Mode : Normal
# Running from : C:\Documents and Settings\ODDministrator\My Documents\Downloads\AdwCleaner.exe
# Option [Delete]


***** [services] *****


***** [Files / Folders] *****

Folder Deleted : C:\Documents and Settings\Charlie Hearn\Application Data\Mozilla\Firefox\Profiles\5j1d1n28.default\extensions\afurladvisor@anchorfree.com
Folder Deleted : C:\Documents and Settings\Charlie Hearn\Local Settings\Application Data\Max Secure Software
Folder Deleted : C:\Documents and Settings\Charlie Hearn\Local Settings\Application Data\PackageAware
Folder Deleted : C:\Documents and Settings\ODDministrator\Application Data\Mozilla\Firefox\Profiles\1f2gxg73.default\extensions\staged
Folder Deleted : C:\Documents and Settings\ODDministrator\Local Settings\Application Data\PackageAware

***** [Registry] *****

Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\grusskartencenter.com
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains\grusskartencenter.com
Key Deleted : HKCU\Software\YahooPartnerToolbar
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{4D076AB4-7562-427A-B5D2-BD96E19DEE56}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\secman.DLL
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{66EEF543-A9AC-4A9D-AA3C-1ED148AC8EEE}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{826D7151-8D99-434B-8540-082B8C2AE556}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{66EEF543-A9AC-4A9D-AA3C-1ED148AC8EEE}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{11549FE4-7C5A-4C17-9FC3-56FC5162A994}
Value Deleted : HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel [Homepage]

***** [internet Browsers] *****

-\\ Internet Explorer v6.0.2900.5512

[OK] Registry is clean.

-\\ Mozilla Firefox v20.0.1 (en-US)

File : C:\Documents and Settings\Family\Application Data\Mozilla\Firefox\Profiles\ygsjya53.default\prefs.js

[OK] File is clean.

File : C:\Documents and Settings\Charlie Hearn\Application Data\Mozilla\Firefox\Profiles\5j1d1n28.default\prefs.js

[OK] File is clean.

File : C:\Documents and Settings\Joyce Hearn\Application Data\Mozilla\Firefox\Profiles\a672wphc.default\prefs.js

[OK] File is clean.

File : C:\Documents and Settings\ODDministrator\Application Data\Mozilla\Firefox\Profiles\1f2gxg73.default\prefs.js

C:\Documents and Settings\ODDministrator\Application Data\Mozilla\Firefox\Profiles\1f2gxg73.default\user.js ... Deleted !

[OK] File is clean.

-\\ Google Chrome v28.0.1500.52

File : C:\Documents and Settings\Charlie Hearn\Local Settings\Application Data\Google\Chrome\User Data\Default\Preferences

[OK] File is clean.

File : C:\Documents and Settings\ODDministrator\Local Settings\Application Data\Google\Chrome\User Data\Default\Preferences

[OK] File is clean.

*************************

AdwCleaner[R1].txt - [3049 octets] - [22/06/2013 22:42:55]
AdwCleaner[s1].txt - [3135 octets] - [22/06/2013 22:45:51]

########## EOF - C:\AdwCleaner[s1].txt - [3195 octets] ##########
 

Next Log:  ESET Scan

 

This log file did not save to the desktop. I did try to save it as ESET scan log, but it did not save and a search did not find it.

 

Again, Thanks for your help.


I ran the eset scan again and got the same results. 

 

Eset Scan Log:

 

C:\Documents and Settings\Charlie Hearn\Application Data\dxspb.dll    a variant of Win32/Medfos.QE trojan
C:\Documents and Settings\ODDministrator\My Documents\Downloads\FoxitReader602.0413_enu_Setup.exe    a variant of Win32/Bundled.Toolbar.Ask.C application
C:\Program Files\Uniblue\SpeedUpMyPC\sump.exe    Win32/SpeedUpMyPC application
C:\WINDOWS\system32\drivers\etc\hosts    Win32/Qhost trojan
E:\registrybooster.exe    Win32/RegistryBooster application
E:\speedupmypc.exe    Win32/SpeedUpMyPC application

 

Again, I appreciate your help

Bluefrank
 

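The ESET hit on C:\WINDOWS\system32\drivers\etc\hosts (Win32/Qhost) is a hosts-file hijack: entries are added so that chosen hostnames resolve to an attacker-controlled address, or to loopback so that a site (typically an antivirus or Windows Update server) can no longer be reached, all without touching DNS. The triage script below is an added example, not code from the thread or from any of the tools it mentions. It parses a hosts file and sorts every entry into ok, sinkhole, redirect or malformed. The sample file, the .invalid hostnames and the 192.0.2.x address (an RFC 5737 documentation range) are constructed for the example and are not taken from the poster's machine.

```python
"""Triage a Windows hosts file (%SystemRoot%\\System32\\drivers\\etc\\hosts).

Verdicts:
  ok        - loopback/unspecified address mapped only to localhost-type names
  sinkhole  - any other name mapped to 127.0.0.1 / ::1 / 0.0.0.0 (blocks the site;
              ad-blocking lists do this on purpose, malware does it to AV update hosts)
  redirect  - a name mapped to a routable address (phishing, fake update servers)
  malformed - unparseable address or a line with no hostname
"""
import ipaddress
from dataclasses import dataclass

# Names that legitimately map to loopback on a default Windows install.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}


@dataclass
class HostsEntry:
    lineno: int
    address: str
    names: list
    verdict: str


def parse_hosts(text):
    """Return one HostsEntry per non-comment, non-blank line, with a verdict attached."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        parts = line.split()
        address, names = parts[0], parts[1:]
        try:
            ip = ipaddress.ip_address(address)
        except ValueError:
            entries.append(HostsEntry(lineno, address, names, "malformed"))
            continue
        if not names:
            verdict = "malformed"
        elif ip.is_loopback or ip.is_unspecified:
            # Loopback is fine for localhost itself; for any other name it sinkholes the site.
            verdict = "ok" if all(n.lower() in LOCAL_NAMES for n in names) else "sinkhole"
        else:
            verdict = "redirect"
        entries.append(HostsEntry(lineno, address, names, verdict))
    return entries


def triage(text):
    """Group entries by verdict; anything other than 'ok' deserves a look."""
    report = {"ok": [], "sinkhole": [], "redirect": [], "malformed": []}
    for entry in parse_hosts(text):
        report[entry.verdict].append(entry)
    return report


# Constructed sample (not the poster's file).  A stock XP hosts file has only the
# localhost line; the rest is the kind of addition a Qhost-style hijack makes.
SAMPLE_HOSTS = """\
# default entries shipped with Windows
127.0.0.1       localhost
::1             localhost
192.0.2.45      www.example-bank.invalid   # redirect: credential theft
127.0.0.1       update.av-vendor.invalid   # sinkhole: blocks AV updates
0.0.0.0         ads.tracker.invalid        # sinkhole: could also be a legit ad blocker
not-an-ip       whatever.invalid
"""

if __name__ == "__main__":
    for verdict, items in triage(SAMPLE_HOSTS).items():
        for e in items:
            print(f"line {e.lineno:>3}  {verdict:<9} {e.address:<16} {' '.join(e.names)}")
```

A sinkhole entry is not proof of infection on its own, since ad-blocking hosts lists produce the same pattern; the tell is which names are blocked (security vendors, update servers) and whether the user put them there. A redirect of a bank or update hostname to a routable address has no benign explanation. Run the script against a copy of the file read from the suspect disk, and remember that on a live machine a rootkit can serve a clean-looking copy of any file.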

  • Root Admin

Please uninstall SpeedUpMyPC and RegistryBooster

 

Then run MBAM and check for updates and do a Quick Scan and post back that log.

 

Then reboot the computer again and run the following.

 

Please run the following scanner and send back the logs.

Download DDS from one of the locations below and save to your Desktop
dds.scr
dds.com


Temporarily disable any script blocker if your Anti-Virus/Anti-Malware has it.
How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs

Once downloaded you can disconnect from the Internet and disable your Anti-Virus temporarily if needed.
Then double click dds.scr or dds.com to run the tool.
Click the Run button if prompted with an Open File - Security Warning dialog box.
A black DOS console should open and run for a moment. 


    When done, DDS will open two (2) logs:
  1. DDS.txt
  2. Attach.txt


  • Save both reports to your desktop
  • Please include the following logs in your next reply as an attachment: DDS.txt and Attach.txt
    You can ignore the note about zipping the Attach.txt file


 

 

 

 

Next, Please download MiniToolBox save it to your desktop and run it.

Checkmark the following check-boxes:

  • Flush DNS
  • Report IE Proxy Settings
  • Reset IE Proxy Settings
  • Report FF Proxy Settings
  • Reset FF Proxy Settings
  • List content of Hosts
  • List IP configuration
  • List Winsock Entries
  • List last 10 Event Viewer log
  • List Installed Programs
  • List Devices
  • List Users, Partitions and Memory size.
  • List Minidump Files


Click Go and post the result (Result.txt). A copy of Result.txt will be saved in the same directory the tool is run.

Note: When using Reset FF Proxy Settings option Firefox should be closed.
 


Ok, thanks again for your help. I have a ton of things going right now and this is something I really did not plan on. I deleted SpeedUpMyPC and RegistryBooster.

 

I ran MBAM, even though my trial period is over. No malicious threats were found. Here is the log:

Malwarebytes Anti-Malware 1.75.0.1300
www.malwarebytes.org

Database version: v2013.06.25.03

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 6.0.2900.5512
ODDministrator :: HOME-60 [administrator]

6/26/2013 9:51:52 PM
mbam-log-2013-06-26 (21-51-52).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 279004
Time elapsed: 4 minute(s), 55 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)
 

 

Now I am going to reboot and do the other instructions.

 

I have to go out of town next week, so I hope we can get this done.  Again, thanks for all of your help.

Bluefrank


I ran the dds.scr prog and got 2 txt files.

 

 

How do I attach???

Ok I did it.

 

 

Attachments: attach.txt, dds.txt


  • Root Admin

Please uninstall ALL versions of Java and then restart your computer and run the following.

 

Please visit this webpage for instructions on downloading and running ComboFix: How to use ComboFix

Please make sure you disable your security applications before running ComboFix.

Once Combofix has completed it will produce and open a log file.  Please attach that log file to your next reply.
If needed the file can be located here:  C:\combofix.txt

NOTE: If you receive the message "illegal operation has been attempted on a registry key that has been marked for deletion", just reboot the computer.
 

 


Thank you so much for working with me on this problem.  I appreciate your responses to my postings.  I am attaching the combofix log.  I will be out of town this week so I won't be able to continue until next week. 

 

After running ComboFix, I got an icon for IE on my desktop. I have IE 6 and have been trying to upgrade to IE 8 and could not. I did not launch the icon, but I am curious about it. I will check it out when I return.

 

While I am at it, I have not been able to get Windows updates. I have tried everything I know but no success. I am sure that I am over a year (or more) behind in updates. Although I will not be able to continue to work on this problem until next week, my emails come to my phone so I will be interested to get your response to this posting.

 

Thank you again!!!

Attachment: ComboFix.txt


  • Root Admin

You have an infected OS file and the NetSvc was broken and still actually may be broken. So the computer has some work to be done on it to fix it up once you get back.

If possible having a CD/DVD of Windows XP may help in order to get a replacement file back for that infected one.

Please send me a private message when you're back and ready to work on this.


Yes, I have another cpu to work with.  I have a 2 gig usb stick.  I also have the XP reinstall cd. I had trouble before and a friend - who is no longer available - reinstalled XP Pro.  Your name is not highlighted so I can't click on it to send a PM.  Thank you for your help.  I appreciate you. 


  • Root Admin

This file is infected and needs to be replaced.

 

c:\windows\system32\srsvc.dll

 

Please do the following to replace missing or invalid system files.

 

System File Check

  • Press the Windows key to open the start menu.
  • Don't highlight anything, just write cmd.
  • The start menu will offer you an entry named cmd.
  • Right click it and select "run as administrator"
  • Within the opening window, write the following:
sfc /scannow
(There is a space after sfc but no space after the / switch).
  • Hit enter. Your system will be checked for damaged system files.
  • Tell me the result of that scan in here (as the tool produces no log).
Further details on running the System File Checker: How To Use Sfc.exe To Repair System Files

Just in case my PM didn't work, here is the result of my assignment. I got the message:

    Files that are required for Windows to run properly have been replaced by unrecognized versions. To maintain system stability Windows must restore the original versions of these files. Insert Windows XP Professional CD-ROM now.

 

Of course, I don't have the original, I have a re-installation cd.  So, what is the next step?

 

Thanks,

Charlie


  • Root Admin

Depending on the type of re-installation CD it might work.  No harm in trying.  If you can't do that then see if you can locate another computer or that re-installation CD for the file in question and if you can find it let me know and we'll do some scripting to get it replaced.

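Before scripting a replacement of srsvc.dll from another computer or a re-installation CD, as the last reply suggests, it is worth confirming that the candidate reference copy is a real PE file and that it actually differs from the suspect one. The script below is an added example and is not code from the thread or from any tool it names. It hashes each named file in a reference tree and a suspect tree with SHA-256, checks the MZ/PE signature of the suspect file, and reports match, modified, missing, not-a-pe or no-reference. The demo() tree, including the fake PE byte strings and the file names other than srsvc.dll, is constructed for the example.

```python
"""Compare suspect Windows system files against known-good reference copies.

Usage idea: mount the suspect disk (or copy system32 off it) as the suspect tree,
and use a system32 from a clean machine at the SAME Windows version, service pack
and hotfix level as the reference tree.  Any level mismatch makes every file differ.
"""
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path, chunk=1 << 16):
    """SHA-256 of a file, read in chunks so large DLLs do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def looks_like_pe(path):
    """True if the file has the DOS 'MZ' stub and a 'PE\\0\\0' header at e_lfanew (offset 0x3C)."""
    with open(path, "rb") as f:
        head = f.read(0x40)
        if len(head) < 0x40 or head[:2] != b"MZ":
            return False
        e_lfanew = int.from_bytes(head[0x3C:0x40], "little")
        f.seek(e_lfanew)
        return f.read(4) == b"PE\0\0"


def compare_files(reference_root, suspect_root, names):
    """Classify each relative filename by comparing suspect_root/name with reference_root/name."""
    results = {}
    for name in names:
        ref = Path(reference_root) / name
        sus = Path(suspect_root) / name
        if not ref.is_file():
            results[name] = "no-reference"
        elif not sus.is_file():
            results[name] = "missing"
        elif not looks_like_pe(sus):
            results[name] = "not-a-pe"
        elif sha256_of(ref) != sha256_of(sus):
            results[name] = "modified"
        else:
            results[name] = "match"
    return results


def make_fake_pe(payload):
    """Constructed minimal byte string that passes looks_like_pe(); stands in for a real DLL."""
    header = bytearray(0x40)
    header[:2] = b"MZ"
    header[0x3C:0x40] = (0x40).to_bytes(4, "little")  # e_lfanew points right after the stub
    return bytes(header) + b"PE\0\0" + payload


def demo():
    """Build a constructed reference tree and suspect tree in a temp dir and compare them."""
    with tempfile.TemporaryDirectory() as tmp:
        ref, sus = Path(tmp, "reference"), Path(tmp, "suspect")
        ref.mkdir()
        sus.mkdir()
        # srsvc.dll is the file flagged in the thread; the contents here are made up.
        (ref / "srsvc.dll").write_bytes(make_fake_pe(b"clean system restore service"))
        (sus / "srsvc.dll").write_bytes(make_fake_pe(b"same name, different bytes"))
        (ref / "untouched.dll").write_bytes(make_fake_pe(b"identical on both trees"))
        (sus / "untouched.dll").write_bytes(make_fake_pe(b"identical on both trees"))
        (ref / "deleted.dll").write_bytes(make_fake_pe(b"present only in reference"))
        (ref / "notes.dll").write_bytes(make_fake_pe(b"real dll in reference"))
        (sus / "notes.dll").write_bytes(b"this is not a DLL at all")
        names = ["srsvc.dll", "untouched.dll", "deleted.dll", "notes.dll", "extra.dll"]
        return compare_files(ref, sus, names)


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:<14} {verdict}")
```

A "modified" verdict only means the two copies differ; it says nothing about which one is clean, so the reference must come from a trusted install at the same patch level. Read the suspect file from a disk mounted under another operating system rather than from the running (possibly rootkitted) Windows, which is what the earlier suggestion of using a second computer and the USB stick gets you.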
