
Infected with Advanced Virus Remover infection HELP NEEDED



Hi - Good morning. The PC is running okay in terms of not seeing any visual remnants of the virus (no popups, redirects, no stopping me from accessing control manager) but my PC startup is very slow (as if it is super fragmented and I would need to run the de-fragmenter). Once it has completed the start up, it seems to not be slow.

I am still getting the installation errors I mentioned a few posts back. Kaspersky did not fix that (I don't think its supposed to). So, in trying to install automatic updates, such as an HP fix, I get an error that states "The feature you are trying to use is on a network resource that is unavailable. Click OK to try again, or enter an alternate path to a folder containing the installation package 'HP Update.msi' in the box below. Use Source: C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\pft21F.tmp\"

I got a similar message in trying to download the Adobe update, and the first JAVA update you suggested a few posts ago and could not complete them.

For some reason though I could do the Kaspersky requested JAVA update - I am thinking it was not really an update (download new version, delete old version), just a download.

I also get an automatic "Update Error from McAfee" - "an error occurred while updating. Please reinstall these programs: McAfee Security Suite".

I am not sure if I try the McAfee reinstall if it will just look for pieces it is missing and fix that or if it will delete the old version and try to add the new version - the process of which seems similar to the Adobe and HP updates that does not seem to be working. I am hesitant to lose any FW or AV protection that it is having right now and would feel comfortable knowing first how to fix the "network resource unavailable" issue.

Let me know your thoughts.

Thanks


Probably some folders/files are locked by the infection; let's check.

Create A Batch File

Please copy (Ctrl+C) and paste (Ctrl+V) the following text in the quote to Notepad.

Save it as "All Files" and name it look.bat. Please save it on your desktop (next to Inherit.exe).

@echo off
CD %~dp0
REM start from an empty log, otherwise every run appends to the previous one
if exist "%Temp%\log.txt" del /q "%Temp%\log.txt"
if not exist Inherit.exe (@Echo Inherit Not found >>"%Temp%\log.txt"&&Pause&&goto End)
REM reset the permissions on cmd.exe in case the infection locked it
Inherit.exe "%systemroot%\system32\cmd.exe"
cd C:\
if not exist junction.exe (@Echo Junction Not found >>"%Temp%\log.txt"&&Pause&&goto End)
junction -s c:\ >>"%Temp%\log.txt"
:End
notepad "%Temp%\log.txt"
del /q "%Temp%\log.txt"
del /q %0

Double click on look.bat

Notepad will open, please copy/paste the results here.


I also get an error regarding initialization of Windows Defender - I had tried to download that when I thought I had the virus (I have now since read on the forum that is not a good thing, I believe) and it must have not allowed it to fully build. I have now tried to use Control Panel to delete it and cannot do so - I get a message that "Another installation is in progress. Complete that installation before proceeding with this installation". However nothing is being installed. I also tried the Change capability in Control Panel to get it to update, and get the same message. Is there a back-end way to delete this and the other programs (Adobe) which would then maybe allow me to get the most current working copies ??


Hi - in my first reply, I failed to put it next to Inherit - I over-read that. After posting I saw that and ran it again and got the same response. I have since run it again and here is what it gave me in the log:

Juction Not found

Juction Not found

Juction Not found

Also, I went to my ISP service and downloaded McAfee as I recall that they seemed to just install the pieces needed. I took the risk and it worked out fine. McAfee installed and is running as it was pre-virus.

It's just the HP Update and Adobe update-type issues that I describe that are still existing.

Also, I still have Combo Fix on my machine. Is that ok - I noticed in other forums in doing research before posting my main issue that it was something that should be deleted (when advised by you). Just wanted to let you know I still have it.

Thanks again.


Hi - I was able to uninstall Windows Defender (versus trying to update it - which would not complete). I then was installing it and got to a point where it gave me this message: "The installer has insufficient privileges to modify the file C:\Program Files\Windows Defender\MsMpEng.exe". At that point I cannot Continue and must Cancel.

Would you know why some things are not allowed the "privileges", like Windows Defender, and some things are able to be installed (e.g. McAfee) ??

Also, I have a question about scanning an 1) an external hard drive, and 2) a thumb drive that were both installed at the time of the virus which I immediately removed as soon as I knew I had a virus. I have not "plugged these in" yet and was wondering how is best to do that scan. Do I get MBAM all set to run against them and then plug them in and immediately run the scan ?? I am fearful that if there is any of the virus/trojan on them that it will quickly try to get back to the pc or try to run. These backups have just my normal work-type files (word, excel, iTunes stuff, etc...), not OS files. This question and how and should I turn SpyBot back on (and how to do so). Maybe we can leave these for our last steps ??

Thanks again.


I'll get to your other points soon, let's see if we can sort this first.

Create A Batch File

Please copy (Ctrl+C) and paste (Ctrl+V) the following text in the quote to Notepad.

Save it as "All Files" and name it look.bat. Please save it on your desktop (next to Inherit.exe).

@echo off
if exist "%Temp%\log.txt" del /q "%Temp%\log.txt"
cd C:\
REM each folder is quoted so FOR does not split "Documents and Settings" at the spaces;
REM the ~ modifier strips the quotes again when the path is used
For %%G in (
"%userprofile%\Desktop\junction"
"%userprofile%\Desktop"
"C:\Windows"
) DO (
If exist "%%~G\junction.exe" copy "%%~G\junction.exe" C:\junction.exe && goto Found
)
if not exist junction.exe (@Echo Junction Not found >>"%Temp%\log.txt"&&Pause&&goto End)
:Found
junction -s c:\ >>"%Temp%\log.txt"
:End
notepad "%Temp%\log.txt"
del /q %0

Double click on look.bat

Notepad will open, please copy/paste the results here.


>> I'll get to your other points soon, let's see if we can sort this first.

No problem.

I created the new Look.bat file, put it next to Inherit on my desktop and ran it.

The DOS screen said:

Access is denied

0 file(s) copied

Press any key to continue.....

---and in doing so, here is what is posted in the log:

Junction Not found


Hi - I am not sure what the script is supposed to do, but trying to decipher it, it seems like it is looking for Junction.exe in my C drive. I had copied it in there as instructed a few posts back, but in looking for it now, I don't see it.

Could that be the problem....should I re-do post #41 ?? or just hang tight.


Something very strange is happening ???

Please do the following.

Download and Run SystemLook

Please download SystemLook from one of the links below and save it to your Desktop.

Download Mirror #1

Download Mirror #2

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    :filefind
    Junction.exe
    :comment


  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.

Note: The log can also be found on your Desktop entitled SystemLook.txt


Hi - here are the results of the log:

SystemLook v1.0 by jpshortstuff (29.08.09)

Log created at 17:15 on 30/08/2009 by HP_Administrator (Administrator - Elevation successful)

========== filefind ==========

Searching for "Junction.exe"

C:\WINDOWS\junction.exe --a--- 95616 bytes [19:58 24/07/2007] [19:30 29/08/2009] (Unable to calculate MD5)

-=End Of File=-


Ok, it looks like Junction is locked as well now :)

Create A Batch File

Please copy (Ctrl+C) and paste (Ctrl+V) the following text in the quote to Notepad.

Save it as "All Files" and name it look.bat. Please save it on your desktop (next to Inherit.exe).

@echo off
CD %~dp0
if exist "%Temp%\log.txt" del /q "%Temp%\log.txt"
if not exist Inherit.exe (@Echo Inherit Not found >>"%Temp%\log.txt"&&Pause&&goto End)
REM reset the permissions on the locked copy, then work from a fresh copy in C:\
Inherit.exe "C:\WINDOWS\junction.exe"
Copy C:\WINDOWS\junction.exe C:\junction.exe
cd C:\
if not exist junction.exe (@Echo Junction Not found >>"%Temp%\log.txt"&&Pause&&goto End)
junction -s c:\ >>"%Temp%\log.txt"
:End
notepad "%Temp%\log.txt"
del /q "%Temp%\log.txt"
del /q %0

Double click on look.bat

Notepad will open, please copy/paste the results here.


Hi - this script ran and sent me to Inherit for which I Accepted a user agreement, kept running and then produced this log:

Junction v1.05 - Windows junction creator and reparse point viewer

Copyright © 2000-2007 Mark Russinovich

Systems Internals - http://www.sysinternals.com

Failed to open \\?\c:\\hiberfil.sys: The process cannot access the file because it is being used by another process.

Failed to open \\?\c:\\pagefile.sys: The process cannot access the file because it is being used by another process.

Failed to open \\?\c:\\System Volume Information: Access is denied.

...

...

...

...

...

...

...

...

...

...

.

Failed to open \\?\c:\\Documents and Settings\HP_Administrator\Application Data\Microsoft\CLR Security Config\v1.1.4322\security.config.cch.160.446921: Access is denied.

..

...

...

...

...

...

...

Failed to open \\?\c:\\Documents and Settings\HP_Administrator\Desktop\OTS.exe: Access is denied.

Failed to open \\?\c:\\Documents and Settings\HP_Administrator\Desktop\RSIT.exe: Access is denied.

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

Failed to open \\?\c:\\Program Files\Malwarebytes' Anti-Malware-\mbam.exe: Access is denied.

...

...

...

...

...

...

...

...

...

...

Failed to open \\?\c:\\Program Files\Trend Micro\HijackThis\HijackThis.exe: Access is denied.

...

...

...

Failed to open \\?\c:\\Program Files\Windows Defender\MsMpEng.exe: Access is denied.

...

...

...

...

...

...

...

...

...

...

...

...

..\\?\c:\\WINDOWS\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a: JUNCTION

Print Name : C:\WINDOWS\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0.0_x-ww_7d5f3790

Substitute Name: C:\WINDOWS\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0.0_x-ww_7d5f3790

\\?\c:\\WINDOWS\assembly\GAC_MSIL\IEExecRemote\2.0.0.0__b03f5f7f11d50a3a: JUNCTION

Print Name : C:\WINDOWS\WinSxS\MSIL_IEExecRemote_b03f5f7f11d50a3a_2.0.0.0_x-ww_6e57c34e

Substitute Name: C:\WINDOWS\WinSxS\MSIL_IEExecRemote_b03f5f7f11d50a3a_2.0.0.0_x-ww_6e57c34e

\\?\c:\\WINDOWS\assembly\GAC_MSIL\Intuit.Spc.Esd.WinClient.Application.ConfigUXv2\2.1.72.22__540d4816ead86321: JUNCTION

Print Name : C:\WINDOWS\WinSxS\MSIL_Intuit.Spc.Esd.WinClient.Application.ConfigUXv2_540d4816ead86321_2.1.72.22_x-ww_a742e49

Substitute Name: C:\WINDOWS\WinSxS\MSIL_Intuit.Spc.Esd.WinClient.Application.ConfigUXv2_540d4816ead86321_2.1.72.22_x-ww_a742e49

\\?\c:\\WINDOWS\assembly\GAC_MSIL\Intuit.Spc.Esd.WinClient.Application.Update\2.1.72.22__540d4816ead86321: JUNCTION

Print Name : C:\WINDOWS\WinSxS\MSIL_Intuit.Spc.Esd.WinClient.Application.Update_540d4816ead86321_2.1.72.22_x-ww_c5eae641

Substitute Name: C:\WINDOWS\WinSxS\MSIL_Intuit.Spc.Esd.WinClient.Application.Update_540d4816ead86321_2.1.72.22_x-ww_c5eae641

.

...

...

...

...

...

...

...

..

Failed to open \\?\c:\\WINDOWS\Microsoft.NET\Framework\v1.1.4322\CONFIG\enterprisesec.config.cch.160.446921: Access is denied.

Failed to open \\?\c:\\WINDOWS\Microsoft.NET\Framework\v1.1.4322\CONFIG\security.config.cch.160.446921: Access is denied.

.

...

...

..\\?\c:\\WINDOWS\SoftwareDistribution\Download\07a96de176867bc25b7dc839d22b07e2\backup\backup: MOUNT POINT

Substitute Name: \Device\__max++>\^

\\?\c:\\WINDOWS\SoftwareDistribution\Download\0dd0244816ffb4b094c1caba4c3b1178\backup\backup: MOUNT POINT

Substitute Name: \Device\__max++>\^

\\?\c:\\WINDOWS\SoftwareDistribution\Download\6913c676e5d33978934caa46c49fdc75\backup\backup: MOUNT POINT

Substitute Name: \Device\__max++>\^

\\?\c:\\WINDOWS\SoftwareDistribution\Download\b7f0b2892b21211a5630518d058f48d9\backup\backup: MOUNT POINT

Substitute Name: \Device\__max++>\^

\\?\c:\\WINDOWS\SoftwareDistribution\Download\d48a3b967ba5709df048e8f2a49cf8a6\backup\backup: MOUNT POINT

Substitute Name: \Device\__max++>\^

.

...

...

...

.


Hi - I got concerned when I saw it says it could not access MBAM, so I launched it and it launches fine. I even did an update to the new database. Then in clicking through it, I saw that I quarantined everything, but did not delete it. Thinking back, after it ran, I copied the log into the post but I never went and deleted everything. Did I miss an obvious step that would probably help with this problem. Some of the items it says it cannot access were ones that the virus hit.

Sorry if I should have deleted them --- let me know if that is what I should have done and should do now.


>> Then in clicking through it, I saw that I quarantined everything, but did not delete it.

That's OK, they are safe in there.

Step 1

Create A Batch File

Please copy (Ctrl+C) and paste (Ctrl+V) the following text in the quote to Notepad.

Save it as "All Files" and name it fix.bat. Please save it on your desktop (next to Inherit.exe).

@Echo Off
CD %~dp0
if not exist Inherit.exe (@Echo Inherit Not found &&Pause&&goto End)
REM each path is quoted so FOR does not split it at the spaces in "Documents and Settings"
REM and "Program Files"; the ~ modifier strips the quotes again when Inherit is called
For %%G in (
"c:\Documents and Settings\HP_Administrator\Desktop\OTS.exe"
"c:\Documents and Settings\HP_Administrator\Desktop\RSIT.exe"
"c:\Program Files\Malwarebytes' Anti-Malware-\mbam.exe"
"c:\Program Files\Trend Micro\HijackThis\HijackThis.exe"
"c:\Program Files\Windows Defender\MsMpEng.exe"
"c:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\CONFIG\enterprisesec.config.cch.160.446921"
"c:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\CONFIG\security.config.cch.160.446921"
) DO (
Inherit "%%~G"
)
:End
Del /q %0

Double click on fix.bat

----------------------------------------------------------------------------------------

Step 2

Create A Batch File

Please copy (Ctrl+C) and paste (Ctrl+V) the following text in the quote to Notepad.

Save it as "All Files" and name it Win32.bat. Please save it on your desktop (IT MUST BE NEXT TO win32kdiag.exe).

@Echo Off
CD %~dp0
If not exist win32kdiag.exe (@Echo win32kdiag.exe not found&&Pause&&Exit)
REM -f removes every mount point Win32kDiag finds and writes Win32kDiag.txt to the desktop
win32kdiag.exe -f
del /q %0

Double click on Win32.bat

When it's finished, there will be a log called Win32kDiag.txt on your desktop. Please open it with notepad and post the contents here.

Try Adobe again


Hi - the first script gave me quite a few OK prompts which I assume was tied to each thing it was trying to free.

Here is the Win32k.bat log:

Log file is located at: C:\Documents and Settings\HP_Administrator\Desktop\Win32kDiag.txt

Removing all found mount points.

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\07a96de176867bc25b7dc839d22b07e2\backup\backup

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\07a96de176867bc25b7dc839d22b07e2\backup\backup

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\0dd0244816ffb4b094c1caba4c3b1178\backup\backup

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\0dd0244816ffb4b094c1caba4c3b1178\backup\backup

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\6913c676e5d33978934caa46c49fdc75\backup\backup

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\6913c676e5d33978934caa46c49fdc75\backup\backup

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\b7f0b2892b21211a5630518d058f48d9\backup\backup

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\b7f0b2892b21211a5630518d058f48d9\backup\backup

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\d48a3b967ba5709df048e8f2a49cf8a6\backup\backup

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\d48a3b967ba5709df048e8f2a49cf8a6\backup\backup

Finished!

=========================================

>> Try Adobe again

I tried Adobe and the installation was successful. I chose to do the Fix update (remove/replace the bad/broken pieces) and it installed successfully.

I then thought to try Windows Defender (from the Microsoft site) - in doing so however, I got the same privilege error as before: "The Installer has insufficient privileges to modify this file: C:\Program Files\Windows Defender\MsMpEng.exe." which seems weird in that I would think the script would have fixed that, no ??

I should be back on around 6 am EST Monday....thanks again for all of your help this weekend.

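The two indicators the helper is chasing in the logs above, a mount point whose destination is the raw device path \Device\__max++>\^ instead of a \??\Volume{GUID}\ volume, and an "Access is denied" on a security tool's executable, can be pulled out of the junction -s and Win32kDiag output mechanically. The script below is an added example written for this page, not a tool from the thread or from Sysinternals. The sample lines are abridged copies of the two logs posted above; the allow-list (a reparse target counts as benign only if it is a drive-letter path or a \??\Volume{GUID}\ mount) and the .exe/.dll/.sys filter are my own rules, and it needs Python 3.8 or later.

```python
"""Triage the two indicators this thread hunts with junction.exe and Win32kDiag:
mount points whose target is a raw \\Device\\ path (a legitimate volume mount
point resolves to \\??\\Volume{GUID}\\, a junction to a drive-letter path) and
executables that return "Access is denied" (ACL-locked security tools)."""
import re
from dataclasses import dataclass, field

# Abridged copies of the two logs posted in this thread (not constructed data).
JUNCTION_SAMPLE = r"""
Failed to open \\?\c:\\hiberfil.sys: The process cannot access the file because it is being used by another process.
Failed to open \\?\c:\\Documents and Settings\HP_Administrator\Desktop\OTS.exe: Access is denied.
Failed to open \\?\c:\\Program Files\Malwarebytes' Anti-Malware-\mbam.exe: Access is denied.
Failed to open \\?\c:\\Program Files\Windows Defender\MsMpEng.exe: Access is denied.
...
..\\?\c:\\WINDOWS\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a: JUNCTION
Print Name : C:\WINDOWS\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0.0_x-ww_7d5f3790
Substitute Name: C:\WINDOWS\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0.0_x-ww_7d5f3790
..\\?\c:\\WINDOWS\SoftwareDistribution\Download\07a96de176867bc25b7dc839d22b07e2\backup\backup: MOUNT POINT
Substitute Name: \Device\__max++>\^
\\?\c:\\WINDOWS\SoftwareDistribution\Download\0dd0244816ffb4b094c1caba4c3b1178\backup\backup: MOUNT POINT
Substitute Name: \Device\__max++>\^
"""
WIN32KDIAG_SAMPLE = r"""
WARNING: Could not get backup privileges!
Found mount point : C:\WINDOWS\SoftwareDistribution\Download\6913c676e5d33978934caa46c49fdc75\backup\backup
Mount point destination : \Device\__max++>\^
Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\6913c676e5d33978934caa46c49fdc75\backup\backup
"""

# junction -s prints progress dots, so a reparse-point line may start with "..".
RP_RE = re.compile(r"^\.*(\\\\\?\\.+?): (JUNCTION|MOUNT POINT)\s*$")
DENIED_RE = re.compile(r"^Failed to open (\\\\\?\\.+?): Access is denied\.$")
W32_FOUND_RE = re.compile(r"^Found mount point : (.+)$")
W32_DEST_RE = re.compile(r"^Mount point destination : (.+)$")


@dataclass
class ReparsePoint:
    path: str
    kind: str            # "JUNCTION" or "MOUNT POINT"
    target: str = ""     # Substitute Name / mount point destination
    print_name: str = ""


@dataclass
class Triage:
    reparse_points: list = field(default_factory=list)
    denied: list = field(default_factory=list)   # paths that returned Access is denied


def is_suspicious_target(target: str) -> bool:
    """True unless the target is a drive-letter path or a \\??\\Volume{GUID}\\ mount (my allow-list)."""
    t = target[4:] if target.startswith("\\??\\") else target
    if re.match(r"^[A-Za-z]:\\", t):                        # C:\... junction target
        return False
    if re.match(r"^Volume\{[0-9a-fA-F-]{36}\}\\?$", t):     # volume mount point
        return False
    return True                                             # \Device\..., empty, or anything else


def parse_log(text: str) -> Triage:
    """Parse junction -s and/or Win32kDiag output into reparse points and denied paths."""
    triage = Triage()
    current = None
    for line in text.splitlines():
        line = line.strip()
        if m := RP_RE.match(line):
            current = ReparsePoint(path=m.group(1), kind=m.group(2))
            triage.reparse_points.append(current)
        elif m := W32_FOUND_RE.match(line):
            current = ReparsePoint(path=m.group(1), kind="MOUNT POINT")
            triage.reparse_points.append(current)
        elif m := DENIED_RE.match(line):
            triage.denied.append(m.group(1))
            current = None
        elif current is not None and line.startswith("Substitute Name:"):
            current.target = line.split(":", 1)[1].strip()
        elif current is not None and line.startswith("Print Name"):
            current.print_name = line.split(":", 1)[1].strip()
        elif current is not None and (m := W32_DEST_RE.match(line)):
            current.target = m.group(1)
    return triage


def suspicious_mount_points(triage: Triage) -> list:
    return [rp for rp in triage.reparse_points if is_suspicious_target(rp.target)]


def locked_executables(triage: Triage, exts=(".exe", ".dll", ".sys")) -> list:
    return [p for p in triage.denied if p.lower().endswith(exts)]


if __name__ == "__main__":
    for name, text in (("junction", JUNCTION_SAMPLE), ("win32kdiag", WIN32KDIAG_SAMPLE)):
        t = parse_log(text)
        for rp in suspicious_mount_points(t):
            print(f"[{name}] SUSPICIOUS {rp.kind}: {rp.path} -> {rp.target}")
        for p in locked_executables(t):
            print(f"[{name}] LOCKED: {p}")
```

Run it as a script to print the findings, or pass the contents of the real log files to parse_log. A \Device\ target is not proof of infection on its own, but a mount point under SoftwareDistribution\Download that does not resolve to a volume is not something Windows Update creates, and locked copies of OTS.exe, mbam.exe and MsMpEng.exe are exactly the pattern the Inherit batch file above is meant to repair.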

>> 1) the first script gave me quite a few OK prompts which I assume was tied to each thing it was trying to free.

>> 2) I would think the script would have fixed that, no ??

1) Correct

2) It should have, but let's try it again

Create A Batch File

Please copy (Ctrl+C) and paste (Ctrl+V) the following text in the quote to Notepad.

Save it as "All Files" and name it fix.bat. Please save it on your desktop (next to Inherit.exe).

@Echo Off
CD %~dp0
if not exist Inherit.exe (@Echo Inherit Not found &&Pause&&goto End)
REM the folder is quoted so FOR does not split "Program Files\Windows Defender" at the spaces;
REM the ~ modifier strips the quotes again when Inherit is called
For %%G in (
"c:\Program Files\Windows Defender"
) DO (
Inherit "%%~G\*.*"
)
:End
Del /q %0

Double click on fix.bat

Try Defender again.
