
Need Help with infected system


Sylviapr

Recommended Posts

Hi - I am running Vista on my laptop, with Avira antivirus, Windows Defender, and using the Windows firewall, but SOMETHING managed to get through.

I received defender notices about trojanloader win32 renos, but it would only let me quarantine, not remove. I also had internet explorer webpages redirected. I have noticed a new item called windows protection suite in my start menu. I have tried various tools to clean my computer, with no luck. Windows malicious tool remover does not load, nor does the Kaspersky tool. I received an error message and could not use the free scan from Windows Live online scanners. I bought Norton, thinking I could boot from the installation disk, but it just bypasses the disk.

I tried MBAM. It will install, but the initial run shuts down, 10-15 seconds in. I cannot run it directly. I tried renaming the file, but it told me I didn't have permissions. I tried to run HJT. It seemed to load OK, but again shut down a few seconds in, and my computer tells me I don't have permissions.

I WAS able to run AVIRA antivirus. It says it hasn't detected any viruses, but it shows a list of files that it is not able to open.

I am at my wit's end, and am almost prepared to start over with this computer!

For reference, I am including the files that could not be opened during the Avira scan.

C:\hiberfil.sys

[WARNING] The file could not be opened!

[NOTE] This file is a Windows system file.

[NOTE] This file cannot be opened for scanning.

C:\pagefile.sys

[WARNING] The file could not be opened!

[NOTE] This file is a Windows system file.

[NOTE] This file cannot be opened for scanning.

C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe

[WARNING] The file could not be opened!

C:\Program Files\Malwarebytes' Anti-Malware\Malwarebytes' Anti-Malware\mbam.exe

[WARNING] The file could not be opened!

C:\Program Files\Norton 360\Engine\3.0.0.135\ccSvcHst.exe

[WARNING] The file could not be opened!

C:\Program Files\Norton 360\Norton 360\Engine\3.0.0.134\ccSvcHst.exe

[WARNING] The file could not be opened!

C:\Program Files\Windows Live Safety Center\wlschost.exe

[WARNING] The file could not be opened!

C:\Users\Price\Desktop\a\is-1BEQ3\is-1BEQ3.exe

[WARNING] The file could not be opened!

C:\Users\Price\Desktop\Virus Removal Tool2\is-0JBKT\is-0JBKT.exe

[WARNING] The file could not be opened!

C:\Users\Price\Desktop\Virus Removal Tool3\is-QN8I0\is-QN8I0.exe

[WARNING] The file could not be opened!

C:\Windows\System32\cngaudit.dll

[WARNING] The file could not be opened!

C:\Windows\System32\mrt.exe

[WARNING] The file could not be opened!

Any help would be appreciated!

Thanks!


  • Staff

Hello and welcome to Malwarebytes.

Please visit this webpage for instructions for running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

  • When the tool is finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with a new HijackThis log so we may continue cleaning the system.

-screen317


Thanks for the help.

I saved the combo fix under a different name and ran it. When it completed, the internet connection was active, but explorer would not start. None of the icons worked (said "illegal operation attempted on a registry key that has been marked for deletion"). I restarted computer and tried to run HJT. It said I didn't have permissions to the file, so I installed another copy in a different directory and ran. The logs are enclosed.

OH and I have a new icon on my desktop called internet explorer. It is NOT a shortcut though. I am not clicking on it. Not sure if it is an artifact of the software checks. :^)

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 6:42:17 PM, on 9/17/2009

Platform: Windows Vista SP1 (WinNT 6.00.1905)

MSIE: Internet Explorer v8.00 (8.00.6001.18813)

Boot mode: Normal

Running processes:

C:\Windows\system32\taskeng.exe

C:\Windows\system32\Dwm.exe

C:\Windows\Explorer.EXE

C:\Program Files\Windows Defender\MSASCui.exe

C:\Windows\RtHDVCpl.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\Program Files\Launch Manager\LManager.exe

C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE

C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe

C:\Program Files\Avira\AntiVir Desktop\avgnt.exe

C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe

C:\Program Files\Java\jre6\bin\jusched.exe

C:\Program Files\Seagate\SeagateManager\FreeAgent Status\stxmenumgr.exe

C:\Windows\ehome\ehtray.exe

C:\Windows\system32\wbem\unsecapp.exe

C:\Program Files\OpenOffice.org 3\program\soffice.exe

C:\Windows\ehome\ehmsas.exe

C:\Acer\Empowering Technology\EPOWER\EPOWER_DMC.EXE

C:\Acer\Empowering Technology\ACER.EMPOWERING.FRAMEWORK.SUPERVISOR.EXE

C:\Acer\Empowering Technology\eRecovery\ERAGENT.EXE

C:\Program Files\OpenOffice.org 3\program\soffice.bin

C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe

C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe

C:\Program Files\Trend Micro\HijackThis2\HijackThis.exe

C:\Windows\system32\SearchFilterHost.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://en.us.acer.yahoo.com

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/def...//www.yahoo.com

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

O2 - BHO: IEPlugin Class - {11222041-111B-46E3-BD29-EFB2449479B1} - C:\PROGRA~1\ArcSoft\MEDIAC~1\INTERN~1\ARCURL~1.DLL

O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)

O2 - BHO: ShowBarObj Class - {83A2F9B1-01A2-4AA5-87D1-45B6B8505E96} - C:\Windows\system32\ActiveToolBand.dll

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O3 - Toolbar: Acer eDataSecurity Management - {5CBE3B7C-1E47-477e-A7DD-396DB0476E29} - C:\Windows\system32\eDStoolbar.dll

O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide

O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe

O4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"

O4 - HKLM\..\Run: [LManager] C:\PROGRA~1\LAUNCH~1\LManager.exe

O4 - HKLM\..\Run: [Acer Product Registration] "C:\Program Files\Acer Registration\ACE1.exe" /startup

O4 - HKLM\..\Run: [Acer Assist Launcher] C:\Program Files\Acer Assist\launcher.exe

O4 - HKLM\..\Run: [eDataSecurity Loader] C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe

O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min

O4 - HKLM\..\Run: [ArcSoft Connection Service] C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime

O4 - HKLM\..\Run: [MaxMenuMgr] "C:\Program Files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe"

O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe

O4 - HKCU\..\Run: [iSUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -startup

O4 - Startup: OpenOffice.org 3.1.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe

O4 - Global Startup: Empowering Technology Launcher.lnk = ?

O4 - Global Startup: Philips GoGear ARIA Device Manager.lnk = ?

O16 - DPF: vzTCPConfig - http://www2.verizon.net/help/fios_settings...vzTCPConfig.CAB

O23 - Service: ArcSoft Connect Daemon (ACDaemon) - ArcSoft Inc. - C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe

O23 - Service: Amazon Unbox Video Service (ADVService) - Amazon.com - C:\Program Files\Amazon\Amazon Unbox Video\ADVWindowsClientService.exe

O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe

O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: eLock Service (eLockService) - Acer Inc. - C:\Acer\Empowering Technology\eLock\Service\eLockServ.exe

O23 - Service: eNet Service - Acer Inc. - C:\Acer\Empowering Technology\eNet\eNet Service.exe

O23 - Service: eRecovery Service (eRecoveryService) - Acer Inc. - C:\Acer\Empowering Technology\eRecovery\eRecoveryService.exe

O23 - Service: eSettings Service (eSettingsService) - Unknown owner - C:\Acer\Empowering Technology\eSettings\Service\capuserv.exe

O23 - Service: Seagate Service (FreeAgentGoNext Service) - Seagate Technology LLC - C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe

O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe

O23 - Service: MobilityService - Unknown owner - C:\Acer\Mobility Center\MobilityService.exe

O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe

O23 - Service: ePower Service (WMIService) - acer - C:\Acer\Empowering Technology\ePower\ePowerSvc.exe

O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--

End of file - 7000 bytes


ComboFix 09-09-17.04 - Price 09/17/2009 17:53.1.1 - NTFSx86

Microsoft


  • Staff
OH and I have a new icon on my desktop called internet explorer. It is NOT a shortcut though. I am not clicking on it. Not sure if it is an artifact of the software checks. :^)
Don't worry-- ComboFix put it there. It's just Internet Explorer.

Please go to VirusTotal, and upload the following files for analysis:

c:\windows\System32\drivers\76332801.sys

c:\windows\System32\drivers\46434330.sys

c:\windows\System32\drivers\77723224.sys

c:\windows\System32\drivers\95426795.sys

Post the results in your reply.

Next, please use the Internet Explorer browser and click here to use the F-Secure Online Scanner.

  • Click Start Scanning.
  • You should get a notification bar (on top) to install the ActiveX control.
  • Click on it and select to install the ActiveX.
  • Once the ActiveX is installed, you should accept the License terms by clicking OK below to start the scan.
  • In case you are having problems with installing the ActiveX/starting the scan, please read here.
  • Click the Full System Scan button.
  • It will start to download scanner components and databases. This can take a while.
  • The main scan will start.
  • Once the scan has finished scanning, click the Automatic cleaning (recommended) button
  • It could be possible that your firewall gives an alert - allow it, because that's a connection you establish to submit infected files to F-Secure.
  • The cleaning can take a while, so please be patient.
  • Then click the Show report button and Copy/Paste what is present under results in your next reply.

Next, download my Security Check from here or here.

  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

Let me know how things are running now and what issues remain.

-screen317


Thanks very much for the help! Enclosed is the requested info: Virustool info, F-Secure scan results and security check results.

System is running a LOT better now. There was a windows update scheduled that I noted as I was saving the scan logs, so when I finished all the actions and was checking out the system, I let the computer load the update on a restart. I still have these issues though:

1. Internet explorer has a google search bar in the top corner. When I use this, it is redirected to a Gala search engine. (when I type in address google.com, IE works normally.) Search results in google are NO LONGER redirected. (yay)

2. I tried to delete some of the removal tools that I was unable to run due to this rogue SW. Although I can now click on the folders and see the contents, I am still told I don't have permission to delete the files.

3. I am still somewhat cautious about trusting internet explorer (since that is what helped me get into this trouble in the first place. :^) I had 3 pages set for my home page, but only one is there now. Is that a reasonable outcome of the scanning and cleaning?

Thanks!


VIRUSTOTAL RESULTS on the specified files in the drivers folder:

(NOTE: when I uploaded these files, the pop up details described these as KLIF mini-filter files, and identified the company as kaspersky labs.)

76332801.sys results:

File has already been analysed:

MD5: 0aa3ad071827118fcc8f37f7a6ab7aa1
First received: 2009.02.18 08:36:20 UTC
Date: 2009.09.18 10:47:55 UTC [+1D]
Results: 0/41
Permalink: analisis/3e893bcf9e3ec8fa44c8ef0cf7c2d269212651d65c16b30bd953cc3a54f3b2aa-1253270875

46434330.sys

File has already been analysed:

MD5: 0aa3ad071827118fcc8f37f7a6ab7aa1
First received: 2009.02.18 08:36:20 UTC
Date: 2009.09.19 12:39:57 UTC [<1D]
Results: 0/40
Permalink: analisis/3e893bcf9e3ec8fa44c8ef0cf7c2d269212651d65c16b30bd953cc3a54f3b2aa-1253363997

77723224.sys

File has already been analysed:

MD5: 0aa3ad071827118fcc8f37f7a6ab7aa1
First received: 2009.02.18 08:36:20 UTC
Date: 2009.09.19 12:39:57 UTC [<1D]
Results: 0/40
Permalink: analisis/3e893bcf9e3ec8fa44c8ef0cf7c2d269212651d65c16b30bd953cc3a54f3b2aa-1253363997

95426795.sys

File has already been analysed:

MD5: 0aa3ad071827118fcc8f37f7a6ab7aa1
First received: 2009.02.18 08:36:20 UTC
Date: 2009.09.19 12:39:57 UTC [<1D]
Results: 0/40
Permalink: analisis/3e893bcf9e3ec8fa44c8ef0cf7c2d269212651d65c16b30bd953cc3a54f3b2aa-1253363997


F-Secure Online Scanner:

Scanning Report

Saturday, September 19, 2009 09:04:01 - 11:08:07

Computer name: PRICE-PC

Scanning type: Scan system for malware, spyware and rootkits

Target: C:\ D:\

18 malware found

TrackingCookie.Questionmarket (spyware)



  • Staff

Hi,

1. Internet explorer has a google search bar in the top corner. When I use this, it is redirected to a Gala search engine. (when I type in address google.com, IE works normally.) Search results in google are NO LONGER redirected. (yay)

Download this Registry Search by Bobbi Flekman, save it, and extract regsearch.exe to the Desktop. You will use it in a moment.

Doubleclick regsearch.exe to start it. In the top window, enter gala as the search string on the first line. Make sure all the option boxes are checked, and click "Ok". Notepad will be opened with text in it (the file will be saved to the Desktop as well as RegSearch.txt). Post this text in your next reply.

2. I tried to delete some of the removal tools that I was unable to run due to this rogue SW. Although I can now click on the folders and see the contents, I am still told I don't have permission to delete the files.
Which ones??
3. I am still somewhat cautious about trusting internet explorer (since that is what helped me get into this trouble in the first place. :^) I had 3 pages set for my home page, but only one is there now. Is that a reasonable outcome of the scanning and cleaning?
I recommend not using Internet Explorer. Instead, Firefox is fast and more secure. Give it a try and let me know how it goes.

After that, navigate to Start --> Control Panel --> Add or Remove Programs, and uninstall the following programs (if present):

Java


Thanks again for the help.

I ran the registry search for gala (results below), installed firefox, and deleted the old Java programs and downloaded the latest version.

The programs I am having trouble deleting are the result of trying to run a Kaspersky (sp) tool. Before I realized why I couldn't run them, I tried downloading four times, leaving four "Virus Removal Tool" folders on the desktop (with 1-3 on the end of the file name for subsequent downloads).

Inside the folders were two batch files (Scan and script), a start shortcut, an uninstall and then a folder with the actual tool files inside. It never showed up under add/remove programs. After the major cleaning on my machine, running the uninstall worked for two of the folders.

For the other two, I then tried to delete manually. I could delete the batch files, but not the major folder, inside. When I try to delete, the windows user access control pops up, asking me to confirm that I started the action, and then when I say OK, it comes back and says destination folder access denied.

Thanks,

Sylvia

Here is the registry search result for gala:


Windows Registry Editor Version 5.00

; Registry Search 2.0 by Bobbi Flekman


  • Staff

Hi Sylvia,

Inside the folders were two batch files (Scan and script), a start shortcut, an uninstall and then a folder with the actual tool files inside. It never showed up under add/remove programs. After the major cleaning on my machine, running the uninstall worked for two of the folders.

For the other two, I then tried to delete manually. I could delete the batch files, but not the major folder, inside. When I try to delete, the windows user access control pops up, asking me to confirm that I started the action, and then when I say OK, it comes back and says destination folder access denied.

Please reboot to Safe Mode (tap the F8 key just before Windows starts to load and select the Safe Mode option from the menu). See if you can delete the folder now.

Next, please back your Registry with ERUNT.

  • Please use the following link and scroll down to ERUNT and download it.
    http://aumha.org/freeware/freeware.php
  • For version with the Installer:
    Use the setup program to install ERUNT on your computer
  • For the zipped version:
    Unzip all the files into a folder of your choice.

Click Erunt.exe to backup your registry to the folder of your choice.

Note: to restore your registry, go to the folder and start ERDNT.exe

Please open Notepad. Copy and paste the following text (starting with REGEDIT4) into the Notepad document.

Navigate to File --> Save As..., and save the file as Fix.reg (make sure the Save As Type is set to All Files).

Save it to your Desktop.

REGEDIT4

[-HKEY_USERS\S-1-5-21-2662971337-4023433041-1927293159-1000\Software\Microsoft\Internet Explorer\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}]

[-HKEY_USERS\S-1-5-21-2662971337-4023433041-1927293159-1000\Software\Classes\Software\Microsoft\Internet Explorer\SearchScopes]

[-HKEY_USERS\S-1-5-21-2662971337-4023433041-1927293159-1000_Classes\Software\Microsoft\Internet Explorer\SearchScopes]

Now navigate to your Desktop, and double click fix.reg (Click Yes to the prompt)

Restart your computer and let me know if the redirects continue.

-screen317
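As an added illustration (not part of this thread, of Bobbi Flekman's RegSearch, or of ComboFix), the script below parses a .reg export of the kind RegSearch writes, lists every Internet Explorer SearchScopes entry under a user hive, flags any scope whose search URL host is not on an allowlist (the "Gala" style hijack described above), notes whether the hijacked scope is the DefaultScope, and emits REGEDIT4 deletion lines in the same form as the Fix.reg in this post. The sample export, the allowlist and the hijacker host are constructed; the SID is the one quoted in this thread.

```python
import re
from urllib.parse import urlparse

# Constructed sample of a regedit/RegSearch export. It is NOT the RegSearch.txt
# from the thread (which was not posted). One scope points at a real search
# engine host, the other at a made-up hijacker host, and the hijacked scope is
# also set as the DefaultScope, which is what causes the address-bar redirect.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_USERS\S-1-5-21-2662971337-4023433041-1927293159-1000\Software\Microsoft\Internet Explorer\SearchScopes]
"DefaultScope"="{6A1806CD-94D4-4689-BA73-E35EA1EA9990}"

[HKEY_USERS\S-1-5-21-2662971337-4023433041-1927293159-1000\Software\Microsoft\Internet Explorer\SearchScopes\{11111111-2222-3333-4444-555555555555}]
"DisplayName"="Bing"
"URL"="http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox"

[HKEY_USERS\S-1-5-21-2662971337-4023433041-1927293159-1000\Software\Microsoft\Internet Explorer\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}]
"DisplayName"="Google"
"URL"="http://search.gala-example.invalid/go.php?q={searchTerms}"
"""

# Assumption: the operator maintains this allowlist of search-engine hosts.
KNOWN_SEARCH_HOSTS = {"www.google.com", "www.bing.com", "search.yahoo.com"}

SCOPES_SUFFIX = r"\Software\Microsoft\Internet Explorer\SearchScopes".lower()
KEY_RE = re.compile(r"^\[(-?)(.+)\]$")
VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')
GUID_RE = re.compile(r"^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")


def _unescape(s):
    # .reg files escape backslashes and double quotes inside string data
    return s.replace('\\"', '"').replace("\\\\", "\\")


def parse_reg_export(text):
    """Parse a .reg export into {key_path: {value_name: data}}.

    Only REG_SZ data is decoded; dword:/hex: data is kept as raw text."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if (not line or line.startswith(";")
                or line.startswith("Windows Registry Editor") or line == "REGEDIT4"):
            continue
        m = KEY_RE.match(line)
        if m:
            current = m.group(2)
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name = m.group(1) if m.group(1) is not None else "@"
            data = m.group(2)
            if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
                data = _unescape(data[1:-1])
            keys[current][_unescape(name)] = data
    return keys


def audit_search_scopes(text, allowed_hosts=KNOWN_SEARCH_HOSTS):
    """Return one record per SearchScopes\{GUID} key, flagging unknown hosts."""
    keys = parse_reg_export(text)
    # DefaultScope lives on the parent SearchScopes key of each hive
    defaults = {k: v.get("DefaultScope", "")
                for k, v in keys.items() if k.lower().endswith(SCOPES_SUFFIX)}
    results = []
    for path, values in keys.items():
        parent, _, leaf = path.rpartition("\\")
        if not (parent.lower().endswith(SCOPES_SUFFIX) and GUID_RE.match(leaf)):
            continue
        url = values.get("URL", "")
        host = (urlparse(url).hostname or "").lower()  # missing URL -> "" -> flagged
        results.append({
            "key": path,
            "guid": leaf,
            "display_name": values.get("DisplayName", ""),
            "url": url,
            "host": host,
            "is_default": defaults.get(parent, "").lower() == leaf.lower(),
            "suspicious": host not in allowed_hosts,
        })
    return results


def build_fix_reg(text, allowed_hosts=KNOWN_SEARCH_HOSTS):
    """Emit REGEDIT4 text that deletes each suspicious scope key, in the same
    [-HKEY...] form as the Fix.reg in the thread. Review it and back up the
    registry (e.g. with ERUNT, as the thread advises) before importing it."""
    lines = ["REGEDIT4", ""]
    for scope in audit_search_scopes(text, allowed_hosts):
        if scope["suspicious"]:
            lines += ["[-%s]" % scope["key"], ""]
    return "\n".join(lines)


if __name__ == "__main__":
    for s in audit_search_scopes(SAMPLE_REG):
        flag = "SUSPICIOUS" if s["suspicious"] else "ok"
        default = " (DefaultScope)" if s["is_default"] else ""
        print("%-10s %s %r -> %s%s" % (flag, s["guid"], s["display_name"], s["host"], default))
    print(build_fix_reg(SAMPLE_REG))
```

Note that a scope is judged by the host its URL actually points at, not by its DisplayName, since a hijacker can label itself "Google" while sending queries elsewhere.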


Thanks for the registry change info. That took care of the redirects.

I still haven't had any luck in trying to delete the old Kaspersky files. I booted up into safe mode, and received the same denied access message when I tried to delete it. It still says "destination folder access denied" and that I don't have permission to perform that action.

Also, the system seems to be running sluggishly today (didn't notice it when I changed the registry files. Maybe Firefox takes more system resources? or the hijack loads on startup?) I'm checking all of my startup programs to see what I can turn off.

Thanks,

Sylvia



  • Staff

Hi Sylvia,

Which version of Kaspersky was it?

Pick the link for your version and run the removal tool:

Kaspersky 4.0/4.5: http://www.ice-kav.com/downloads/util/KAV_Rem.zip

Kaspersky 5: http://downloads1.kaspersky-labs.com...stry_Clean.zip

Kaspersky 6: http://support.kaspersky.com/downloa...kav6remove.zip

Kaspersky 6/7: http://support.kaspersky.com/downloa...kavremover.zip

Restart your computer and see if it's okay now.

Next, please register (it's free, don't worry) with PCPitStop and run the full tests here. When the tests are complete, a results page will pop up. Copy and paste the URL of the Results screen and post it here for me.

-screen317


Thanks again for the help. (Sorry for the delay in responding.) The Kaspersky tool I used was not a full installation, it was a specific Kaspersky virus removal tool: 7.0.0.2 90 29.08.2009 04-332. I did try the removal tools below. It said it didn't show an installation of Kaspersky, and when I used the "force removal" it goes through the process, but doesn't delete the files. I am about ready to live with it--I am so glad everything ELSE is working better! :^)

I discovered the slow computer was due to a virus scan running in the background. I did go to the pitstop website you recommended. The results are here: http://www.pcpitstop.com/betapit/sec.asp?c...;report=Summary

(yes, under l price). It seemed to generally show that drivers need updating and that this isn't a high performance system. (which is OK. I have a desktop, and generally only use this machine for internet.) If you have any recommendations, they are very welcome.

Thanks,

Sylvia



  • Staff

Hi Sylvia,

It said it didn't show an installation of Kaspersky, and when I used the "force removal" it goes through the process, but doesn't delete the files.
Please reboot to Safe Mode (tap the F8 key just before Windows starts to load and select the Safe Mode option from the menu).

See if you can delete them now.

Please download ATF Cleaner by Atribune from here, and save it to your Desktop.

Double click ATF-Cleaner.exe to run the program.

Check the boxes to the left of:

Windows Temp

Current User Temp

All Users Temp

Temporary Internet Files

Java Cache

The rest are optional - if you want to remove the whole lot, check Select All.

Finally click Empty Selected. When you get the "Done Cleaning" message, click OK.

Restart your computer.

Next, it is absolutely essential that you upgrade to Windows XP Service Pack 3. Service Pack 2, which is what you currently have, has vulnerabilities that leave you wide open for re-infection. To upgrade, please visit Windows Update and download all critical updates.

Let me know if the update was successful.

-screen317


  • 2 weeks later...
  • Root Admin

Due to the lack of feedback this Topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

The fixes and advice in this thread are for this machine only. Do not apply the instructions from this thread to your own machine. Please start a new thread describing your issue and someone will be along to assist you.


Thanks for re-opening this topic.

Booting up in safe mode still didn't let me remove the Kaspersky tool removal files. I used the dos command prompt to check the file attributes, and found I could delete some of the files out of the subfolders. When the lower level files were deleted, then I could delete some of the folders. (Took a while because for some reason I thought doing this at the DOS prompt might work better than the Vista folder interface.) Strangely, this worked completely on all of the installed versions, except the original installation. While I can't delete it, I am moving it to a "junk" folder on the desktop so I don't have to look at it anymore.

I was able to download and run the ATF cleaner with no problems.

My real (and hopefully LAST) question has to do with the windows updates.

It took me a bit to get the updates installed.

I was able to download service pack 2 for Vista and install it, but my system also shows the September Windows Malicious Software tool as a monthly update. My system shows multiple successful installations of the program, but as far as I can tell it never RAN. I went to the Microsoft website, and was able to download this manually, and then run it. But the system still shows this as a needed update. I show over 30 successful installations of the September malicious software removal tool, both before and after I installed manually, but every time I shut down my computer it says it has updates to install. Not sure if this is related to all of my program troubles. Do I need to hide it so it doesn't keep showing up as an update?

Thanks,

Sylvia

PS: Do I need to do anything special to uninstall the tools used in cleaning my machine, or is there any value in leaving them on and rerunning to check for changes? (that is, I assume the tools get updated occasionally, so running a stagnant version, if you aren't having specific issues may not be useful?)


  • Staff
Thanks for re-opening this topic.

Booting up in safe mode still didn't let me remove the Kaspersky tool removal files. I used the dos command prompt to check the file attributes, and found I could delete some of the files out of the subfolders. When the lower level files were deleted, then I could delete some of the folders. (Took a while because for some reason I thought doing this at the DOS prompt might work better than the Vista folder interface.) Strangely, this worked completely on all of the installed versions, except the original installation. While I can't delete it, I am moving it to a "junk" folder on the desktop so I don't have to look at it anymore.

I was able to download and run the ATF cleaner with no problems.

My real (and hopefully LAST) question has to do with the windows updates.

It took me a bit to get the updates installed.

I was able to download service pack 2 for Vista and install it, but my system also shows the September Windows Malicious Software tool as a monthly update. My system shows multiple successful installations of the program, but as far as I can tell it never RAN. I went to the Microsoft website, and was able to download this manually, and then run it. But the system still shows this as a needed update. I show over 30 successful installations of the September malicious software removal tool, both before and after I installed manually, but every time I shut down my computer it says it has updates to install. Not sure if this is related to all of my program troubles. Do I need to hide it so it doesn't keep showing up as an update?

Thanks,

Sylvia

The Malicious Software Removal Tool is designed to run in the background; you can't see it actually running (unless you download the stand-alone version). Go ahead and hide the update; it has been run.
I am moving it to a "junk" folder on the desktop so I don't have to look at it anymore.
What's the path to this folder? We can remove it a different way...
PS: Do I need to do anything special to uninstall the tools used in cleaning my machine, or is there any value in leaving them on and rerunning to check for changes? (that is, I assume the tools get updated occasionally, so running a stagnant version, if you aren't having specific issues may not be useful?)
Precisely; our tools get updated too frequently to be useful with an old version.

Navigate to Start --> Run, and type Combofix /u in the box that appears. Click OK afterwards. Notice the space between the X and the /u

This uninstalls all of ComboFix's components.

Delete SecurityCheck.

Delete all of the Registry search tools we used.

Let me know what issues remain.

-screen317


The Windows update isn't showing up anymore and I was able to remove the helper programs you directed, without issue.

What's the path to this folder? We can remove it a different way...

I created a misc junk folder on my desktop. Murphy's Law: As I was typing this, and looking for the file extension for the lower level FILE that was preventing FOLDER deletion, I tried deleting it again at a DOS prompt. I'm not sure what changed, but this time it worked. (I feel pretty silly about it working now, but I don't think I was mistyping it, since the message was access denied, not file not found.) Any thoughts or guidelines on what might have caused this problem?

There is only one file left in the folder structure:...\desktop\misc junk\virus removal tool\is-1BEQ3\is-1BEQ3

My computer now appears to be operating normally. I started this thread ready to reload my operating system and start over---I am glad to have my machine back under control. Thank you so much for the help!

Sylvia

;) ;) :D


  • Staff

Hi Sylvia,

Sorry for the delay.

Any thoughts or guidelines on what might have caused this problem?
It just means that one of your processes required the use of those files before; you can't delete a file that is "in use" by another program. You must have restarted your computer in the meantime, and that process wasn't running any longer.

Please download Combofix by sUBs. Save it to your Desktop but do not run it yet.

Next, please open Notepad - don't use any other text editor than notepad or the script will fail.

Copy/paste the text in the quotebox below into Notepad:

KILLALL::

Folder::

C:\Users\Price\Desktop\a\is-1BEQ3

C:\Users\Price\Desktop\Virus Removal Tool2\is-0JBKT

C:\Users\Price\Desktop\misc junk\virus removal tool\is-1BEQ3

C:\Users\Price\Desktop\Virus Removal Tool3\is-QN8I0

Save this as CFScript

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

[Screenshot: CFScriptB-4.gif, showing the CFScript file being dragged onto ComboFix.exe]

This will start ComboFix again. After reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply.

-screen317


Thanks for the info. I tried to run this, but it didn't work for me. I created the script file and dragged it over to ComboFix. It seemed to go through the process, but while it was scanning my system, I received a pop-up error message:

windows command processor has stopped working. A problem caused the program to stop working correctly.

Windows will close the program and notify you if a solution is available.

At this point, I lost internet access through Firefox and Internet Explorer. When I rebooted, access came back. I reran the CFScript on a cleanly restarted system, but received the same result.

Thanks,

Sylvia


  • Staff

Hi,

My apologies for the delay.

It's been a while, so let's run these scans again:

Next, please use the Internet Explorer browser and click here to use the F-Secure Online Scanner.

  • Click Start Scanning.
  • You should get a notification bar (on top) to install the ActiveX control.
  • Click on it and select to install the ActiveX.
  • Once the ActiveX is installed, you should accept the License terms by clicking OK below to start the scan.
  • In case you are having problems with installing the ActiveX/starting the scan, please read here.
  • Click the Full System Scan button.
  • It will start to download scanner components and databases. This can take a while.
  • The main scan will start.
  • Once the scan has finished scanning, click the Automatic cleaning (recommended) button
  • It could be possible that your firewall gives an alert - allow it, because that's a connection you establish to submit infected files to F-Secure.
  • The cleaning can take a while, so please be patient.
  • Then click the Show report button and Copy/Paste what is present under results in your next reply.

Next, download my Security Check from here or here.

  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

Let me know how things are running now and what issues remain.

-screen317


13 malware found

F-Scan report

TrackingCookie.Questionmarket (spyware)

* System (Disinfected)

TrackingCookie.2o7 (spyware)

* System (Disinfected)

TrackingCookie.Advertising (spyware)

* System (Disinfected)

TrackingCookie.Atdmt (spyware)

* System (Disinfected)

TrackingCookie.Doubleclick (spyware)

* System (Disinfected)

TrackingCookie.Revsci (spyware)

* System (Disinfected)

TrackingCookie.Adrevolver (spyware)

* System (Disinfected)

TrackingCookie.Adbrite (spyware)

* System (Disinfected)

TrackingCookie.Webtrends (spyware)

* System (Disinfected)

TrackingCookie.Mediaplex (spyware)

* System (Disinfected)

TrackingCookie.Statcounter (spyware)

* System (Disinfected)

TrackingCookie.Atwola (spyware)

* System (Disinfected)

TrackingCookie.Yieldmanager (spyware)

* System (Disinfected)

Statistics

Scanned:

* Files: 451607

* System: 4807

* Not scanned: 735

Actions:

* Disinfected: 13

* Renamed: 0

* Deleted: 0

* Not cleaned: 0

* Submitted: 0

Results of screen317's Security Check version 0.99.0

Windows Vista Service Pack 2 (UAC is enabled)

``````````````````````````````

Antivirus/Firewall Check:

Windows Firewall Enabled!

Avira AntiVir Personal - Free Antivirus

WMIC entry does not exist for antivirus; attempting automatic update.

Avira updated!

``````````````````````````````

Anti-malware/Other Utilities Check:

HijackThis 2.0.2

Java 6 Update 16

Adobe Flash Player 10

Adobe Reader 9

``````````````````````````````

Process Check:

objlist.exe by Laurent

Windows Defender MSASCui.exe

``````````````````````````````

DNS Vulnerability Check:

GREAT! (Not vulnerable to DNS cache poisoning)

`````````End of Log```````````

Everything seems to be running normally now.

Thanks,

Sylvia
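The F-Secure report above is plain text, and when a helper reviews many of these it is useful to turn it into structured data and cross-check the per-detection lines against the "Statistics" block. The following Python script is an added example written for this thread; it is not F-Secure's or Malwarebytes' own tooling. The sample input is the report text posted above (blank lines removed; the parser ignores them anyway). The set of "successful" action strings (Disinfected, Deleted, Renamed) is an assumption taken from the Actions block of the report, not from F-Secure documentation.

```python
import re
from collections import Counter

# Sample input: the F-Secure Online Scanner report posted in this thread,
# with blank lines removed.
SAMPLE_REPORT = """\
13 malware found
F-Scan report
TrackingCookie.Questionmarket (spyware)
* System (Disinfected)
TrackingCookie.2o7 (spyware)
* System (Disinfected)
TrackingCookie.Advertising (spyware)
* System (Disinfected)
TrackingCookie.Atdmt (spyware)
* System (Disinfected)
TrackingCookie.Doubleclick (spyware)
* System (Disinfected)
TrackingCookie.Revsci (spyware)
* System (Disinfected)
TrackingCookie.Adrevolver (spyware)
* System (Disinfected)
TrackingCookie.Adbrite (spyware)
* System (Disinfected)
TrackingCookie.Webtrends (spyware)
* System (Disinfected)
TrackingCookie.Mediaplex (spyware)
* System (Disinfected)
TrackingCookie.Statcounter (spyware)
* System (Disinfected)
TrackingCookie.Atwola (spyware)
* System (Disinfected)
TrackingCookie.Yieldmanager (spyware)
* System (Disinfected)
Statistics
Scanned:
* Files: 451607
* System: 4807
* Not scanned: 735
Actions:
* Disinfected: 13
* Renamed: 0
* Deleted: 0
* Not cleaned: 0
* Submitted: 0
"""

HEADER_RE = re.compile(r"^(?P<count>\d+) malware found$")
DETECTION_RE = re.compile(r"^(?P<name>\S+) \((?P<category>[^)]+)\)$")
ITEM_RE = re.compile(r"^\* (?P<location>.+?) \((?P<action>[^)]+)\)$")
STAT_RE = re.compile(r"^\* (?P<key>[^:]+): (?P<value>\d+)$")

# Assumption: these action strings mean the item was handled by the scanner.
SUCCESS_ACTIONS = {"Disinfected", "Deleted", "Renamed"}


def parse_fsecure_report(text):
    """Turn the textual report into a dict of detections and statistics."""
    report = {"declared_count": None, "detections": [], "scanned": {}, "actions": {}}
    current = None   # most recent "Name (category)" header
    section = None   # "scanned" / "actions" once inside the Statistics block
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HEADER_RE.match(line)
        if m:
            report["declared_count"] = int(m.group("count"))
            continue
        if line == "Scanned:":
            section, current = "scanned", None
            continue
        if line == "Actions:":
            section, current = "actions", None
            continue
        if section:
            m = STAT_RE.match(line)
            if m:
                report[section][m.group("key")] = int(m.group("value"))
            continue
        m = DETECTION_RE.match(line)
        if m:
            current = {"name": m.group("name"), "category": m.group("category")}
            continue
        m = ITEM_RE.match(line)
        if m and current:
            report["detections"].append(
                {**current, "location": m.group("location"), "action": m.group("action")})
    return report


def summarize(report):
    """Count detections by category/family and check the report is self-consistent."""
    dets = report["detections"]
    cleaned = sum(1 for d in dets if d["action"] == "Disinfected")
    unresolved = [d for d in dets if d["action"] not in SUCCESS_ACTIONS]
    consistent = (report["declared_count"] == len(dets)
                  and report["actions"].get("Disinfected") == cleaned)
    return {
        "total": len(dets),
        "by_category": dict(Counter(d["category"] for d in dets)),
        "by_family": dict(Counter(d["name"].split(".")[0] for d in dets)),
        "unresolved": unresolved,
        "consistent": consistent,
    }


if __name__ == "__main__":
    print(summarize(parse_fsecure_report(SAMPLE_REPORT)))
```

For this report the summary shows 13 detections, all in the "spyware" category and all of the TrackingCookie family, none unresolved, and the declared count and the Disinfected total agreeing with the item lines. A report with a non-empty `unresolved` list or `consistent == False` is the one worth reading line by line.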


  • Staff

Hi Sylvia,

Navigate to Start --> Run, and type Combofix /u in the box that appears. Click OK afterwards. Notice the space between the X and the /u

This uninstalls all of ComboFix's components.

Delete SecurityCheck.

Now that your computer seems to be in proper working order, please take the following steps to help prevent reinfection:

1) Download and install Javacool's SpywareBlaster, which will prevent malware from being installed on your computer. A tutorial on it can be found here.

2) Download and install IE-Spyad, which will place over 5000 'bad' sites on your Internet Explorer Restricted List. A tutorial on it can be found here.

3) Go to Windows Update frequently to get all of the latest updates (security or otherwise) for Windows.

4) Make sure your programs are up to date! Older versions may contain security risks. To find out what programs need to be updated, please run Secunia's Software Inspector.

5) WOT, Web of Trust, warns you about risky websites that try to scam visitors, deliver malware or send spam. Protect your computer against online threats by using WOT as your front-line layer of protection when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous sites:

  • Green to go
  • Yellow for caution
  • Red to stop

WOT has an addon available for both Firefox and IE.

6) Be sure to update your Antivirus and Antispyware programs often!

Finally, please also take the time to read Tony Klein's excellent article on: So How Did I Get Infected in the First Place?

Safe surfing,

-screen317
