started as AVcare, now just a mess



Hi all... I'm really hoping you guys can help. I've read many threads over the past day hoping to find some insight without having to post, but nothing has worked (also, I know there's another AVCare thread going on, and I've been reading it, but it hasn't helped me).

So it all started as a wave of AVCare fake installation/scanning screens, etc. I quickly opened the task manager and killed all unknown/curious processes. I then searched for the .exe files and deleted them, so the AVCare popup symptoms are now gone, but not the nasty stuff. The google redirect symptoms are there, plus a little more. Some websites it simply doesn't let load (even if I copy-paste the URL) but instead says it cannot load the page (trendmicro.com is one of these websites).

I tried malwarebytes, but it wouldnt open. So I read up on this, and saved it to a USB stick, and tried installing that file (I renamed it, etc). Installation got stuck at the very end. So instead, I tried installing it to the USB stick, and then copy-pasting the completed folder once it's done. The program started, but got terminated ~3 seconds into the scan. I had heard of this too, tried renaming it winlogon.exe, that did not help. Now, anytime I try to access the program (even if I reinstall it from scratch to the USB like I did before), the program won't start, and I get an error code (Error Code 723 (2,0) ).

I read up on some other proven methods for getting rid of other redirects, and none seem to work. I tried the RootRepeal, and it is terminated when it is scanning windows/system32. I tried renaming it to winlogon, but it was still terminated. I tried the ProcessExplorer... it runs fine but does not show any suspicious processes.

I tried HJT, and it is terminated while scanning as well. I tried renaming the exe to other names, and to winlogon as well. I should also note that after any of these programs are terminated, I cannot click said exe again, and it says "Windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access the item."

Soo I think that about sums it up. I'll edit this post if there's something I've forgotten.

Thanks... any help is greatly appreciated.

Matt


  • Root Admin

Avira AntiVir Rescue System

Requires access to a working computer with a CD/DVD burner to create a bootable CD.

  • Download the Avira AntiVir Rescue System from here
  • Place a blank CD in your burner and double-click on the downloaded file named rescue_system-common-en.exe
  • If the above link does not work please try this one: here
  • The program will automatically burn the CD for you.
  • Place the burned CD into the affected computer and start the computer from this CD.
  • On the bottom left side of the screen there are 2 flags. Using your mouse click on the British flag to use English.
  • Click on the Configuration button.
    • Select Scan all files
    • Select Try to repair infected files and Rename files, if they cannot be removed
    • Select Scan for dialers
    • Select Scan for joke programs (Jokes)
    • Select Scan for games
    • Select Scan for spyware (SPR)
  • Click on Virus scanner
  • Click on Start scanner at the bottom of the screen
  • Currently the program does not support saving a log. Write down the amount of items for Records, Suspect files, and Warnings

The Avira AntiVir Rescue System is a Linux-based application that allows accessing computers that cannot be booted anymore and is updated several times a day so that the most recent security updates are always available.

Possible solutions to Screen Resolution and other issues

  1. Please see the post here if you're unable to view the entire screen of Avira.
  2. You can also review this one: Fixed Rescue CD Resolution Probs with Dell Video
  3. Currently only the German keyboard is supported (Command Line not working); English keyboards require workarounds.
  4. Some computers attempt to mount the floppy even though they don't have one. You may need to go in to the BIOS and disable the floppy drive in order to mount your hard drive for scanning.


Hi AdvancedSetup,

I followed your directions, created the boot CD and ran the scanner. I wrote down what it told me. Eventually it said it was finished, but gave me no way out of the program. So I manually powered down the machine with the button, then manually ejected the CD, and powered the machine back on.

Now, no matter whether I enter normal mode or safemode, I cannot open any .exe files! Well, almost any. The vast majority of .exe files simply open the "Open with..." window asking me how I would like Windows to open these files. At this point, I have no idea what to do. The only exe file that I've found which can actually open normally is Internet Explorer. What should I do next?

OK, here is what the Avira scan told me:

24 records, 0 suspected files, 2 warnings

The warnings were regarding .rar.X files, saying it could not scan the entire library because part of it was missing.

Here are the record specifics, in case that helps. I'll list the filename, and then the malware which Avira said the file represented. I should note that it could not remove any of them, and renamed all of them.

obfu.jar-17fe28d1-29814-722.zip --> part of TR/Java.Downloader.Gen

UACc5b5.tmp --> TR/Alureon.CD.13

A0000001.sys --> TR/TDss.waf

A0000002.dll --> TR/TDs.wae

A0000003.dll --> TR/Alureon.BF.2

A0000004.dll --> TR/Alureon.30208R

A0000005.dll --> TR/Crypt.ZPACK.Gen

A0000006.dll --> TR/Alureon.20480C.1

A0000117.dll --> TR/Trash.Gen

A0000118.exe --> TR/Tiny.705

A0000119.exe --> TR/Tiny.705

A0002179.exe --> TR/Crypt.XPACK.Gen

A0002180.dll --> TR/Fakealert.Biz.1

svchast.exe --> Fraud.WinAntiVirus.IV

desot.exe --> TR/Crypt.XPACK.Gen

dddesot.dll --> TR/Fakealert.Biz.1

Windows Antivirus Pro.exe --> TR/Fakealert.BJA

dbsinit.exe --> WinAntivirusPro.D

UACggpqrpvhnl.dll.vir --> TR/Alureon.20480C.1

UAChaqfyvngkr.dll.vir --> TR/TDss.wae

UAChxcxbedrod.dll.vir --> TR/Crypt.ZPACK.Gen

UACuwsxofoouh.dll.vir --> TR/Alureon.BF.2

UACwouxiorcyg.dll.vir --> TR/Alureon.30208R

UACwhounqpvnk.sys.vir --> TR/TDss.waf

Ok, I think that's all the info I have. Let me know what's next or if you have any other questions.

Thanks so much!

Matt


regarding the EXEs not working... I did some quick dirty googling. I looked under file types and EXE was indeed missing. So I created a new extension EXE and made it for applications, but they still wouldn't open. Next time I opened the file types again, EXE was gone again. The websites then suggested going into the registry, but I'm going to hold off on doing that until you tell me what to do, since my computer's life is now in your capable hands :)


I'm assuming that Avira removed or renamed those for you.

Please review the FAQ for a possible solution.

Please especially check Issue# 5

Hi,

Yes, issue #5 does sound a lot like mine (also, it is listed as #6, you might want to fix that). I found the FAQ before starting my own thread, and tried all of those solutions. Unfortunately, none worked :[ I had considered trying some of them again after my Avira scan (like maybe mbam or rootrepeal), but now exe files won't open. So I'm just not going to do a thing unless you tell me.


  • Root Admin

Extra note, please also do the following...

Open Notepad and copy and paste the text in the quote box below into it:

DIR /a/s C:\WINDOWS\scecli.dll C:\WINDOWS\sceclt.dll C:\WINDOWS\netlogon.dll C:\WINDOWS\ntelogon.dll >Look.txt
Start notepad Look.txt

Save this as look.bat, choose to save as *all files and place it on your desktop.

Double-click on it and Notepad should open.

Copy and paste the contents of it in your next reply.

Let's see if you can get ComboFix to run. If it won't run in normal mode then see if you can boot to Safe Mode and run it.

Try a few file renames if you have to.

Hi,

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop**

  1. If you are using Firefox, make sure that your download settings are as follows:
    • Tools->Options->Main tab
    • Set to "Always ask me where to Save the files".
  2. During the download, rename Combofix to Combo-Fix as follows (screenshots: CF_download_FF.gif, CF_download_rename.gif).
  3. It is important you rename Combofix during the download, but not after.
  4. Please do not rename Combofix to other names, but only to the one indicated.
  5. Close any open browsers.
  6. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

-----------------------------------------------------------

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

-----------------------------------------------------------

  • Close any open browsers.
  • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
  • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
  • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

-----------------------------------------------------------

  7. Double click on combo-Fix.exe & follow the prompts.
  8. When finished, it will produce a report for you.
  9. Please post the "C:\Combo-Fix.txt" along with a new HijackThis log for further review.

**Note: Do not mouseclick combo-fix's window while it's running. That may cause it to stall**

If you still cannot get this to run, try booting into Safe Mode, and run it there.

To boot into Safe Mode, tap F8 after BIOS, and just before the Windows logo appears. A list of options will appear, select "Safe Mode."

If this doesn't work either, try the same method as above, but rename Combofix.exe to iexplore.exe or winlogon.exe instead.

This is because it also happens in some cases that malware blocks EVERY process except for what is in its own whitelist, and this whitelist also includes important system processes such as iexplore.exe, explorer.exe, winlogon.exe...

Also, extra note: the ComboFix tutorial recommends disabling your antivirus, in your case McAfee. For McAfee, I rather recommend temporarily uninstalling it, because McAfee causes a lot of problems with ComboFix after reboot, since McAfee enables itself again after reboot. So please temporarily uninstall McAfee first, then reboot and then scan with ComboFix.


Hi again Ron, lots of stuff

Firstly, in case it matters, I have disconnected the infected computer from the internet earlier today. All of my posting and file downloading is being done from a clean computer, and transferred over via USB stick.

Next, as silly as it may sound, I do not know how to uninstall whatever antivirus I'm running (not even sure which it is anymore, it's been ages since I've seen the application, though I suspect it has been running in the background). In my start menu, the only folder which looks anything like an antivirus name is Symantec Client Security. The only thing inside that is called Symantec AntiVirus, but it won't open because it's an exe file. If I try to open 'Add or Remove Programs', I get an error: 'C:\WINDOWS\system32\rundll32.exe Application not found.' If I look for rundll32.exe, it's there, so I assume this is also related to .exe's not working.

Next up, I did the look.bat thing. Here is the log from Look.txt:

Volume in drive C has no label.
Volume Serial Number is 1CBB-CFEC

Directory of C:\WINDOWS\system32

08/10/2004 06:00 AM 180,224 scecli.dll

Directory of C:\WINDOWS\system32

08/10/2004 06:00 AM 407,040 netlogon.dll

2 File(s) 587,264 bytes

Total Files Listed:
2 File(s) 587,264 bytes
0 Dir(s) 9,883,963,392 bytes free

Tried ComboFix the way you stated... wouldn't open because once again my computer doesn't know how to open exe files... just got the "Open With..." window again.

At this point, I tried to fix the broken EXE association myself, using the WinXP_EXE_Fix.reg (found on the thread: http://filext.com/faq/broken_exe_association.php). This seemed to work.

Clicked Combo-Fix.exe again. This time the progress bar appeared and went to completion, but nothing seemed to open after that. In the task manager, the process grep.cfxxe remains there, which for some reason I assume is related to combofix. At this point, booted into safe mode (administrator settings). Clicked Combo-Fix.exe again, progress bar appeared and went to completion again, but nothing after that.

At this point I ran GMER and it is working, finding a lot of stuff. (I am sorry if you did not want me to run this without your direction, tell me to cut it out and I will... I've just been up all night and need to catch some sleep, and wanted to give you all the info I could before going to bed.) GMER is scanning now and I will attach a zipfile of its log when it is done, unless you tell me to stop and do something else.

Thanks,

Matt

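The look.bat check above lists four file names and the reply pastes the resulting Look.txt. The following Python script is an added example (not the forum's own tool) that parses such a Look.txt and labels each hit. It assumes that scecli.dll and netlogon.dll are legitimate Windows XP files that belong in C:\WINDOWS\system32, while sceclt.dll and ntelogon.dll are not standard Windows file names, so any hit for those, or a copy of a real name in an unexpected directory, is marked for a closer look; the second sample listing is constructed.

```python
"""Parse the Look.txt written by look.bat (DIR /a/s over four file names).

Added example for this thread, not the forum's own tool. Assumption made
here: scecli.dll and netlogon.dll belong in C:\WINDOWS\system32, while
sceclt.dll and ntelogon.dll are not standard Windows names, so any hit for
them (or a real name in the wrong directory) is labelled 'suspicious'.
"""
import re

# Assumed map of legitimate name -> directory it is expected in.
EXPECTED = {
    "scecli.dll": r"C:\WINDOWS\system32",
    "netlogon.dll": r"C:\WINDOWS\system32",
}

# "Directory of C:\WINDOWS\system32" header lines from DIR output.
DIR_LINE = re.compile(r"^\s*Directory of (.+?)\s*$")
# File lines: date, time, size with thousands separators, file name.
FILE_LINE = re.compile(
    r"^\s*\d{2}/\d{2}/\d{4}\s+\d{1,2}:\d{2}\s*[AP]M\s+([\d,]+)\s+(\S.*?)\s*$"
)

# Look.txt as posted in the thread above (the clean result).
LOOK_TXT = r"""
 Volume in drive C has no label.
 Volume Serial Number is 1CBB-CFEC
 Directory of C:\WINDOWS\system32
08/10/2004 06:00 AM 180,224 scecli.dll
 Directory of C:\WINDOWS\system32
08/10/2004 06:00 AM 407,040 netlogon.dll
 2 File(s) 587,264 bytes
"""

# Constructed variant (not from the thread) with a lookalike name present.
LOOK_TXT_BAD = LOOK_TXT + r"""
 Directory of C:\WINDOWS\system32
01/01/2009 03:14 AM 25,088 ntelogon.dll
"""


def parse_look(text):
    """Return [(directory, file name, size in bytes), ...] for each hit."""
    hits, current_dir = [], None
    for line in text.splitlines():
        m = DIR_LINE.match(line)
        if m:
            current_dir = m.group(1)
            continue
        m = FILE_LINE.match(line)
        if m and current_dir is not None:
            hits.append((current_dir, m.group(2), int(m.group(1).replace(",", ""))))
    return hits


def assess(hits):
    """Label each hit 'expected' or 'suspicious' and list legitimate names
    that were not found at all (a missing system file is also worth a look)."""
    report = {}
    for directory, name, _size in hits:
        want = EXPECTED.get(name.lower())
        ok = want is not None and directory.lower() == want.lower()
        report[(directory, name)] = "expected" if ok else "suspicious"
    found = {name.lower() for _, name, _ in hits}
    missing = [n for n in EXPECTED if n not in found]
    return report, missing
```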

Ok... I was running GMER and almost all the way through the files scanning, when my computer turned off, because the plug had fallen out of the socket (and in safe mode, so I got no notification). I know, I'm an idiot. It had not alerted me of anything in the Files, so I redid it with everything checked except the files. Attached is the log for that scan. Let me know if you have any interest in me doing another full scan, or what you'd like me to do next.

Also, I'm sorry I keep posting back before your replies. I'm sure it's frustrating. I'm just really antsy and anxious because I'm heading off to Grad School next monday and need a working computer, or else need to buy a new one really soon.

Thanks,

Matt

gmerlog.zip


  • Root Admin

Download and run Win32kDiag:

  1. Download Win32kDiag from any of the following locations and save it to your Desktop.
  2. Double-click Win32kDiag.exe to run Win32kDiag and let it finish.
  3. When it states "Finished! Press any key to exit...", press any key on your keyboard to close the program.
  4. Double-click on the Win32kDiag.txt file that is located on your Desktop and post the entire contents of that log as a reply to this topic, please do not attach the file.


Dear AdvancedSetup,

Thanks so much for your help and time. Due to the tightness of my upcoming schedule, and the fact that I had most of my files backed up already, I reformatted my machine. Actually I used Dell's factory settings restore partition thing. After using that, my system should be totally clean, right? If so, thanks again, and kindly close this thread.


  • Root Admin

Well glad you're up and running again. You may want to ensure that your Anti-Virus is running and up to date and do a Quick Scan with MBAM just to make sure all is still okay.

Update and Scan with Malwarebytes' Anti-Malware

  • Start MalwareBytes AntiMalware (Vista users must Right click and choose RunAs Admin)
  • Please DO NOT run MBAM in Safe Mode unless requested to, you MUST run it in normal Windows mode.
  • Update Malwarebytes' Anti-Malware: select the Update tab and click Update
  • When the update is complete, select the Scanner tab
  • Select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please copy and paste the log into your next reply
  • If you accidentally close it, the log file is saved here and will be named like this: C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Then post back the MBAM log and a new Hijackthis log.

Anyways... I'll leave you with this information in case you need or want to review it.

Since I'm not even sure what your OS is I'll leave you with this XP version.

Great, all looks good now.

I'll close your post soon so that others don't post into it, and leave you with this information and suggestions.

So how did I get infected in the first place?

At this time your system appears to be clean. Nothing else in the logs indicates that you are still infected.

Now that you appear to be clean, please follow these simple steps in order to keep your computer clean and secure:

Remove all but the most recent Restore Point on Windows XP

You should Create a New Restore Point to prevent possible reinfection from an old one.

Some of the malware you picked up could have been saved in System Restore.

Since this is a protected directory your tools cannot access to delete these files, they sometimes can reinfect your system if you accidentally use an old restore point.

Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

The easiest and safest way to do this is:

  • Go to Start > Programs > Accessories > System Tools and click "System Restore".
  • If the shortcut is missing you can also click on START > RUN and type in %SystemRoot%\system32\restore\rstrui.exe and click OK
  • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next".
  • Give the new Restore Point a name, then click "Create".
  • The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
  • Then use the Disk Cleanup to remove all but the most recently created Restore Point.
  • Go to Start > Run and type: Cleanmgr.exe
  • Select the drive where Windows is installed and click "Ok". Disk Cleanup will scan your files for several minutes, then open.
  • Click the "More Options" tab, then click the "Clean up" button under System Restore.
  • Click Ok. You will be prompted with "Are you sure you want to delete all but the most recent restore point?"
  • Click Yes, then click Ok.
  • Click Yes again when prompted with "Are you sure you want to perform these actions?"
  • Disk Cleanup will remove the files and close automatically.
  • On the Disk Cleanup tab, if the System Restore: Obsolete Data Stores entry is available remove them also.
  • These are files that were created before Windows was reformatted or reinstalled. They are obsolete and you can delete them.


Additional information

Microsoft KB article: How to turn off and turn on System Restore in Windows XP

Bert Kinney's site: All about Windows System Restore

Here are some free programs I recommend that could help you improve your computer's security.

Install SpyWare Blaster

Download it from here

Find the tutorial on how to use Spyware Blaster here

Install WinPatrol

Download it from here

You can find information about how WinPatrol works here

Install FireTrust SiteHound

You can find information and download it from here

Install hpHosts

Download it from here

hpHosts is a community managed and maintained hosts file that allows an additional layer of protection against access to ad, tracking and malicious websites. This prevents your computer from connecting to these untrusted sites by redirecting them to 127.0.0.1 which is your own local computer.

hpHosts Support Forum

Update your Antivirus programs and other security products regularly to avoid new threats that could infect your system.

You can use one of these sites to check if any updates are needed for your pc.

Secunia Software Inspector

F-secure Health Check

Visit Microsoft often to get the latest updates for your computer.

http://www.update.microsoft.com

Note 1: If you are running Windows XP SP2, you should upgrade to SP3.

Note 2: Users of Norton Internet Security 2008 should uninstall the software before they install Service Pack 3.

The security suite can then be reinstalled afterwards.

The Windows firewall is not sufficient to protect your system. It doesn't monitor outgoing traffic and this is a must.

I recommend Online Armor Free

A little outdated but good reading on how to prevent Malware

Keep safe online and happy surfing.

Since this issue is resolved I will close the thread to prevent others from posting into it. If you need assistance please start your own topic and someone will be happy to assist you.

The fixes and advice in this thread are for this machine only. Do not apply them to your machine unless you fully understand how these programs work and what you're doing. Please start a thread of your own and someone will be happy to help you; just follow the Pre-HijackThis instructions found here before posting: Pre-HJT Post Instructions

Also don't forget that we offer FREE assistance with General PC questions and repair here PC Help

If you're pleased with the product Malwarebytes and the service provided you, please let your friends, family, and co-workers know. http://www.malwarebytes.org

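The hpHosts paragraph in the post above describes a hosts file that maps blocked names to 127.0.0.1. As an added example (not from the thread or from the hpHosts project), this Python script checks such a list before it is installed: it counts the names sinkholed to the local machine and flags any entry that maps a name somewhere else, which a protective list should never do. It goes slightly beyond the page by also accepting 0.0.0.0 and ::1, which some lists use; the sample hosts text is constructed.

```python
"""Sanity-check a hosts-style blocklist such as the one hpHosts distributes.

Added example, not from the thread or from hpHosts. A protective hosts file
should only map blocked names to the local machine; an entry pointing a
name at any other address is what a tampered hosts file looks like.
"""
import ipaddress

# Addresses a blocklist may legitimately use as a sinkhole (assumption:
# the page mentions 127.0.0.1; 0.0.0.0 and ::1 are accepted as well).
LOCAL_TARGETS = {"127.0.0.1", "0.0.0.0", "::1"}
# Default hosts entries that are not blocks and are ignored by the count.
BASELINE = {"localhost", "localhost.localdomain"}

# Constructed sample, not a real hpHosts file.
SAMPLE_HOSTS = """\
# constructed sample for the example
127.0.0.1 localhost
127.0.0.1 ads.example.net tracker.example.org   # two names on one line
0.0.0.0   malware-sample.example.com
::1       ipv6-block.example
203.0.113.5 www.example-bank.com   # points elsewhere: should be flagged
not-an-ip junk.example
"""


def parse_hosts(text):
    """Yield (address, hostname) pairs, skipping comments, blank and
    malformed lines. One line may list several hostnames after an address."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        parts = line.split()
        try:
            address = ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # first token is not an IP address; skip the line
        for host in parts[1:]:
            yield str(address), host.lower()


def check_hosts(text):
    """Return (sinkholed_count, suspicious) where suspicious lists the
    (address, hostname) mappings that do not point at the local machine."""
    sinkholed, suspicious = 0, []
    for address, host in parse_hosts(text):
        if host in BASELINE:
            continue
        if address in LOCAL_TARGETS:
            sinkholed += 1
        else:
            suspicious.append((address, host))
    return sinkholed, suspicious
```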