
Antivirus system pro - disabled my internet/applications


amy3148


Hello,

I hope someone here can help. My laptop is infected with AntiVirus System Pro.

I am unable to run anti-spyware and my internet connection has been completely disabled. The search feature has also been disabled. I would like to post a log to this board for assistance but without internet access or the ability to run applications I'm not sure how. Is there a way around this?

My CPU usage is very high and there is a cli.exe running high. Should I end this process?

System Restore gives me a message box that says System Restore is not able to protect your computer. Please restart.

I am open to any suggestions to get started.

Thanks so much.


Hello,

No problem on the wait. And yes, I would still love some help. I think I found the virus files based on the date and time of infection but I have no idea how to get rid of them or how to find out what else they have infected. They are below.

My internet connection (only the computer's ability to connect - I have a strong wireless signal) and my USB ports are still disabled by the virus so I am unable to get any new applications or diagnostic tools on my computer until I can get one of them working again. If this prevents you from helping, I understand. A few pay-for-services have already turned me down because of the lack of internet connectivity.

C:\Program Files\ossdsm

C:\WINDOWS\syssvc.exe

C:\WINDOWS\System32\iehelper.dll

Thanks so much!


  • Root Admin

Hi Amy,

I'm guessing or assuming you already have MBAM installed; if not, then let me know.

STEP 01

Restore Access to Programs

  • Please download the following tool: Inherit.exe and save it directly to your desktop - not a folder on the desktop - the commands are tailored for the desktop location.
  • Click on START -> RUN and Copy then Paste the following text (including the quote " marks) into the Run box and click OK
  • "%userprofile%\desktop\Inherit.exe" ""C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe""
  • You can also Drag-and-Drop any files onto inherit.exe if you want.
  • Repeat for any other files for which you get an access denied message

STEP 02

Update and Scan with Malwarebytes' Anti-Malware

  • Start MalwareBytes AntiMalware (Vista users must Right click and choose RunAs Admin)
  • Please DO NOT run MBAM in Safe Mode unless requested to, you MUST run it in normal Windows mode.
  • Update Malwarebytes' Anti-Malware
    • Select the Update tab
    • Click Update
  • When the update is complete, select the Scanner tab
  • Select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please copy and paste the log into your next reply.
  • If you accidentally close it, the log file is saved here and will be named like this:
    C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Then post back the MBAM log

STEP 03

Please download the following scanning tool. GMER

  • Download the randomly named EXE and copy the file to your Desktop. Remember what its name is.
  • Double click on the randomly named exe file and run it.
  • It may take a minute to load and become available.
  • Do not make any changes. Click on the SCAN button and DO NOT use the computer while it's scanning.
  • Once the scan is done click on the SAVE button and browse to your Desktop and save the file as GMER.LOG
  • Zip up the GMER.LOG file and save it as gmerlog.zip and attach it to your reply post.
  • DO NOT directly post this log into a reply. You MUST attach it as a .ZIP file.
  • Click OK and quit the GMER program.


  • Root Admin

Due to the lack of feedback this Topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

The fixes and advice in this thread are for this machine only. Do not apply the instructions from this thread to your own machine. Please start a new thread describing your issue and someone will be along to assist you.


Hi and thank you!

This is a home computer and I am the only administrator.

I do have the Windows installation CD. I hoped that I would be able to save my files, pictures and Quickbooks but if that is not an option, I can start from scratch.

I will buy CD's tomorrow, try it after work and post the logs if I can get that to work.

In the meantime, I was able to run a couple logs a few weeks ago by running in safe mode. I will send them in my next post.

Using the logs and since I know what day and time (9/28/2009 around 19:30) I got the virus I was also able to locate a couple suspect files. Should I delete them?

C:\WINDOWS\syssvc.exe

C:\Program Files\ossdsm

My processes are running a CLI.exe file and numerous svchost.exe files. Also ati2evxx.exe, rundll32.exe, csrss.exe, jqs.exe, ZCfgSvc.exe, tfswctl.exe among others. I include them in case any of this is helpful.


Here are two logs run on 10/3/2009. I have not done anything with the computer since then. Please note that the virus became active on 2009/09/28.

OTL Extras logfile created on: 10/3/2009 10:41:15 PM - Run 1

OTL by OldTimer - Version 3.0.18.2 Folder = F:\

Windows XP Media Center Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation

Internet Explorer (Version = 6.0.2900.2180)

1022.37 Mb Total Physical Memory | 830.14 Mb Available Physical Memory | 81.20% Memory free

2.40 Gb Paging File | 2.35 Gb Available in Paging File | 97.62% Paging File free

Paging file location(s): C:\pagefile.sys 1536 3072 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files

Drive C: | 51.23 Gb Total Space | 18.01 Gb Free Space | 35.16% Space Free | Partition Type: NTFS

Drive D: | 17.21 Gb Total Space | 17.14 Gb Free Space | 99.62% Space Free | Partition Type: NTFS

E: Drive not present or media not loaded

Drive F: | 1.87 Gb Total Space | 0.02 Gb Free Space | 0.99% Space Free | Partition Type: FAT

G: Drive not present or media not loaded

H: Drive not present or media not loaded

I: Drive not present or media not loaded

Current Boot Mode: SafeMode

Scan Mode: Current user

Company Name Whitelist: Off

Skip Microsoft Files: Off

File Age = 30 Days

Output = Standard

========== Extra Registry (SafeList) ==========

========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]

.chm [@ = chm.file] -- C:\WINDOWS\hh.exe (Microsoft Corporation)

.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

[HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>]

.html [@ = ChromeHTML] -- C:\Documents and Settings\AMH\Local Settings\Application Data\Google\Chrome\Application\chrome.exe (Google Inc.)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]

batfile [open] -- "%1" %* File not found

chm.file [open] -- "C:\WINDOWS\hh.exe" %1 (Microsoft Corporation)

cmdfile [open] -- "%1" %* File not found

comfile [open] -- "%1" %* File not found

exefile [open] -- "%1" %* File not found

htmlfile [edit] -- "C:\Program Files\Microsoft Office\OFFICE11\msohtmed.exe" %1 (Microsoft Corporation)

htmlfile [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" -nohome (Microsoft Corporation)

htmlfile [opennew] -- "C:\Program Files\Internet Explorer\iexplore.exe" %1 (Microsoft Corporation)

htmlfile [print] -- "C:\Program Files\Microsoft Office\OFFICE11\msohtmed.exe" /p %1 (Microsoft Corporation)

http [open] -- C:\PROGRA~1\MOZILL~1\FIREFOX.EXE -requestPending -osint -url "%1" (Mozilla Corporation)

https [open] -- C:\PROGRA~1\MOZILL~1\FIREFOX.EXE -requestPending -osint -url "%1" (Mozilla Corporation)

piffile [open] -- "%1" %* File not found

regfile [merge] -- Reg Error: Key error.

scrfile [config] -- "%1" File not found

scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)

scrfile [open] -- "%1" /S File not found

txtfile [edit] -- Reg Error: Key error.

Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)

Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)

Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

Applications\iexplore.exe [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" %1 (Microsoft Corporation)

CLSID\{871C5380-42A0-1069-A2EA-08002B30309D} [OpenHomePage] -- "C:\Program Files\Internet Explorer\iexplore.exe" (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]

"FirstRunDisabled" = 1

"AntiVirusDisableNotify" = 1

"FirewallDisableNotify" = 1

"UpdatesDisableNotify" = 0

"AntiVirusOverride" = 0

"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]

"EnableFirewall" = 1

"DoNotAllowExceptions" = 0

"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]

"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007

"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008

"67:UDP" = 67:UDP:0.0.0.0/255.255.255.255:Enabled:DHCP Discovery Service

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]

"C:\Program Files\iTunes\iTunes.exe" = C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes -- (Apple Computer, Inc.)

"C:\Program Files\Intuit\QuickBooks 2009\QBDBMgrN.exe" = C:\Program Files\Intuit\QuickBooks 2009\QBDBMgrN.exe:*:Enabled:QuickBooks 2009 Data Manager -- (Intuit, Inc.)

"C:\Program Files\Microsoft LifeCam\LifeCam.exe" = C:\Program Files\Microsoft LifeCam\LifeCam.exe:*:Enabled:LifeCam.exe -- (Microsoft Corporation)

"C:\Program Files\Microsoft LifeCam\LifeExp.exe" = C:\Program Files\Microsoft LifeCam\LifeExp.exe:*:Enabled:LifeExp.exe -- (Microsoft Corporation)

"C:\WINDOWS\system32\dpvsetup.exe" = C:\WINDOWS\system32\dpvsetup.exe:*:Enabled:Microsoft DirectPlay Voice Test -- (Microsoft Corporation)

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]

"{06BE8AFD-A8E2-4B63-BAE7-287016D16ACB}" = mSSO

"{075473F5-846A-448B-BCB3-104AA1760205}" = Sonic RecordNow Data

"{0E2B0B41-7E08-4F9F-B21F-41C4133F43B7}" = mLogView

"{0EB5D9B7-8E6C-4A9E-B74F-16B7EE89A67B}" = Microsoft Plus! Photo Story 2 LE

"{1206EF92-2E83-4859-ACCB-2048C3CB7DA6}" = Sonic DLA

"{1A15507A-8551-4626-915D-3D5FA095CC1B}" = Corel Paint Shop Pro X

"{21657574-BD54-48A2-9450-EB03B2C7FC29}" = Sonic MyDVD LE

"{22E9CF2B-4063-4dab-A251-93FA46F7DECC}_is1" = Spy Sweeper

"{237a4b22-78c2-11d6-a394-00104bd190b1}" = QuickBooks Pro Edition 2003

"{23FB368F-1399-4EAC-817C-4B83ECBE3D83}" = mProSafe

"{26A24AE4-039D-4CA4-87B4-2F83216011FF}" = Java

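The OTL Extras output above contains two blocks that tell a defender the most about what a rogue like AntiVirus System Pro has done: the Shell Spawning block (the commands Windows runs when you open an .exe, .bat, .com, .pif or .scr file, which rogues commonly hijack so that every program launch goes through them) and the Security Center Settings block (the DisableNotify and Override values that silence warnings about a missing AV or firewall). The following is an added example, not part of the thread and not OTL's own code: a small Python audit that parses those two blocks from OTL Extras text and flags deviations. The expected shell-spawning commands are the stock Windows XP defaults ("%1" %* and "%1" /S), the sample input is copied from the log in this post, and the "hijacked" sample with C:\EXAMPLE\hijacker.exe is a constructed placeholder to show a positive finding.

```python
import re

# Constructed sample: excerpts of the OTL Extras output posted in this thread.
OTL_EXTRAS = r"""========== Shell Spawning ==========
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %* File not found
cmdfile [open] -- "%1" %* File not found
comfile [open] -- "%1" %* File not found
exefile [open] -- "%1" %* File not found
piffile [open] -- "%1" %* File not found
scrfile [open] -- "%1" /S File not found
========== Security Center Settings ==========
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 1
"FirewallDisableNotify" = 1
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0
"""

# Constructed sample of a hijacked exefile association (placeholder path, not from the thread).
HIJACKED_SAMPLE = r"""========== Shell Spawning ==========
exefile [open] -- "C:\EXAMPLE\hijacker.exe" "%1" %* File not found
"""

SECTION_RE = re.compile(r"^========== (.+?) ==========$")
SPAWN_RE = re.compile(r"^(\S+) \[(\w+)\] -- (.*)$")
VALUE_RE = re.compile(r'^"([^"]+)" = (\S+)$')

# Stock Windows XP shell commands for the executable file classes.
EXPECTED_SPAWN = {
    ("batfile", "open"): '"%1" %*',
    ("cmdfile", "open"): '"%1" %*',
    ("comfile", "open"): '"%1" %*',
    ("exefile", "open"): '"%1" %*',
    ("piffile", "open"): '"%1" %*',
    ("scrfile", "open"): '"%1" /S',
}

# Security Center values that, when set to 1, suppress AV/firewall/update warnings.
TAMPER_FLAGS = {"AntiVirusDisableNotify", "FirewallDisableNotify",
                "UpdatesDisableNotify", "AntiVirusOverride", "FirewallOverride"}


def parse_sections(text):
    """Split OTL Extras text into {section name: [non-blank lines]}."""
    sections, current = {}, None
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections[current] = []
        elif current is not None and line.strip():
            sections[current].append(line)
    return sections


def _strip_annotation(cmd):
    # OTL appends "File not found" when the target is not a real path (normal for "%1")
    # or the signer's company name in parentheses; neither is part of the command.
    cmd = re.sub(r"\s+File not found$", "", cmd)
    return re.sub(r"\s+\([^()]*\)$", "", cmd)


def check_shell_spawning(lines):
    """Return ("shell_spawning", "<class> [<verb>]", actual) for every non-default command."""
    findings = []
    for line in lines:
        m = SPAWN_RE.match(line)
        if not m:
            continue
        key = (m.group(1), m.group(2))
        if key in EXPECTED_SPAWN:
            actual = _strip_annotation(m.group(3))
            if actual != EXPECTED_SPAWN[key]:
                findings.append(("shell_spawning", f"{key[0]} [{key[1]}]", actual))
    return findings


def check_security_center(lines):
    """Return ("security_center", name, value) for every notification-suppressing value set to 1."""
    findings = []
    for line in lines:
        m = VALUE_RE.match(line)
        if m and m.group(1) in TAMPER_FLAGS and m.group(2) == "1":
            findings.append(("security_center", m.group(1), m.group(2)))
    return findings


def audit(text):
    sections = parse_sections(text)
    return (check_shell_spawning(sections.get("Shell Spawning", []))
            + check_security_center(sections.get("Security Center Settings", [])))


if __name__ == "__main__":
    for finding in audit(OTL_EXTRAS) + audit(HIJACKED_SAMPLE):
        print(*finding)
```

On the log posted here the shell-spawning commands are all still the defaults (OTL's "File not found" only means that "%1" is not a real path), so the only findings are the two Security Center values, which is exactly what the later MBAM scan reports as Disabled.SecurityCenter. FirstRunDisabled is deliberately not flagged, since OEM images commonly set it.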

Another update. I was able to get to my flash drive using the run... key and install Malwarebytes. I ran it and got the following pop-up:

An error occurred. Please report the following error to the Malwarebytes Anti-Malware support team.

Error code: 732 (0,0)

But it is currently scanning so I will post results once finished.

Is there any concern with copying the notepad .txt file to the flash drive and opening it on the uninfected machine in order to post the results?


  • Root Admin

Just means it was unable to update the database.

If you can update MBAM on another computer you can copy the rules.ref file to the infected computer and that will update the database.

C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\rules.ref

As for infecting the other computer, it's always possible. Make sure it has live, up-to-date Anti-Virus running on the other system.


Malwarebytes' Anti-Malware 1.41

Database version: 2775

Windows 5.1.2600 Service Pack 2

10/14/2009 11:11:17 PM

mbam-log-2009-10-14 (23-11-17).txt

Scan type: Full Scan (C:\|D:\|F:\|)

Objects scanned: 200020

Time elapsed: 45 minute(s), 9 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 1

Registry Keys Infected: 3

Registry Values Infected: 0

Registry Data Items Infected: 2

Folders Infected: 0

Files Infected: 4

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

C:\WINDOWS\system32\iehelper.dll (Trojan.Vundo.H) -> Delete on reboot.

Registry Keys Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{22e1eff7-d8dd-4bbc-9ce8-87edbe8c1a40} (Trojan.Vundo.H) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\CLSID\{22e1eff7-d8dd-4bbc-9ce8-87edbe8c1a40} (Trojan.Vundo.H) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{22e1eff7-d8dd-4bbc-9ce8-87edbe8c1a40} (Trojan.Vundo.H) -> Quarantined and deleted successfully.

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:

(No malicious items detected)

Files Infected:

C:\WINDOWS\system32\iehelper.dll (Trojan.Vundo.H) -> Delete on reboot.

C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP298\A0063271.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP299\A0063285.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.

C:\WINDOWS\syssvc.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

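One detail in the MBAM log above matters for what happens next in the thread: iehelper.dll is listed twice, once as a loaded memory module and once as a file, and both entries say "Delete on reboot" rather than "Quarantined and deleted successfully". A module that is still mapped into a process cannot be removed until the machine restarts, so a follow-up scan that reports "clean" is not proof that the DLL is gone. The following added example (not from the thread and not Malwarebytes' own code) parses this log format, checks that the per-section counts in the header agree with the items listed, groups detections by threat family, and lists everything still waiting on a reboot. The sample log is a shortened, constructed version of the one in this post, with the header counts adjusted to match the lines kept.

```python
import re
from collections import Counter

# Constructed sample: a shortened version of the MBAM 1.41 log posted in this thread,
# with header counts adjusted to match the detection lines kept below.
MBAM_LOG = r"""Malwarebytes' Anti-Malware 1.41
Database version: 2775
Scan type: Full Scan (C:\|D:\|F:\|)
Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 3
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
C:\WINDOWS\system32\iehelper.dll (Trojan.Vundo.H) -> Delete on reboot.
Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{22e1eff7-d8dd-4bbc-9ce8-87edbe8c1a40} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
Folders Infected:
(No malicious items detected)
Files Infected:
C:\WINDOWS\system32\iehelper.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP298\A0063271.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\syssvc.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
"""

COUNT_RE = re.compile(r"^(.+ Infected): (\d+)$")      # header summary line
SECTION_RE = re.compile(r"^(.+ Infected):$")           # start of a detail section
ITEM_RE = re.compile(r"^(.*?) \(([^()]+)\)(.*)$")      # "<target> (<threat>)<rest>"


def parse_mbam_log(text):
    """Return (header counts by section, list of detection dicts)."""
    counts, detections, section = {}, [], None
    for line in text.splitlines():
        line = line.strip()
        if not line or line == "(No malicious items detected)":
            continue
        m = COUNT_RE.match(line)
        if m:
            counts[m.group(1)] = int(m.group(2))
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            continue
        if section is None or " -> " not in line:
            continue
        # The last " -> " separates the action; registry data lines carry an
        # extra "-> Bad: (1) Good: (0)" segment before it, which stays with the item.
        item, action = line.rsplit(" -> ", 1)
        m = ITEM_RE.match(item)
        if m:
            detections.append({"section": section, "target": m.group(1),
                               "threat": m.group(2), "action": action.rstrip(".")})
    return counts, detections


def summarize(text):
    counts, detections = parse_mbam_log(text)
    per_section = Counter(d["section"] for d in detections)
    return {
        "families": dict(Counter(d["threat"] for d in detections)),
        # Items still mapped or locked at scan time; they survive until the restart.
        "reboot_required": sorted({d["target"] for d in detections
                                   if d["action"] == "Delete on reboot"}),
        # Header count vs. lines actually listed; a mismatch means a truncated log.
        "count_mismatches": {s: (n, per_section[s]) for s, n in counts.items()
                             if n != per_section[s]},
    }


if __name__ == "__main__":
    for key, value in summarize(MBAM_LOG).items():
        print(f"{key}: {value}")
```

Run against the constructed log the summary shows four Trojan.Vundo.H entries, two Disabled.SecurityCenter entries and one Trojan.Downloader, no count mismatches, and C:\WINDOWS\system32\iehelper.dll as the one item still pending a reboot. The count check is worth keeping in any log triage script: a copy-pasted log that lost lines at the bottom looks identical to a complete one unless the header totals are compared with the items listed.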

  • Root Admin

Please see issue #15 from this post here: http://www.malwarebytes.org/forums/index.php?showtopic=10138

You might also need to do the following

1. Uninstall Malwarebytes' Anti-Malware using Add/Remove programs in the control panel.

2. Restart your computer (very important).

3. Download and run this utility. mbam-clean.exe

4. It will ask to restart your computer (please allow it to).

5. After the computer restarts, install the latest version from here. mbam-setup.exe

Note: You will need to reactivate the program using the license you were sent

Launch the program and set the Protection and Registration. Then go to the UPDATE tab if not done during installation and check for updates.

Restart the computer again and verify that MBAM is in the task tray and that you can run a quick scan and all is working as expected.


Hello,

I was able to run Malwarebytes again when I got home tonight. Very strange but sometimes I can get certain apps to run and this was one of those moments. 0 files were detected and it said the computer is clean but nothing works.

I also ran and have a gmer log file. I saved it to my desktop and my flash drive. I was able to zip it on the desktop but have no way to get the zipped file to the flash drive. I can send the unzipped log file if you would like.

Given this status update, what should my next step be?

Thanks so much.


  • Root Admin

Okay please try to copy this file over to the affected PC and run it. Then copy back the log file and post it back here.

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop**

  1. If you are using Firefox, make sure that your download settings are as follows:
     • Tools->Options->Main tab
     • Set to "Always ask me where to Save the files".
  2. During the download, rename Combofix to Combo-Fix as follows:
     [image: CF_download_FF.gif]
     [image: CF_download_rename.gif]
  3. It is important you rename Combofix during the download, but not after.
  4. Please do not rename Combofix to other names, but only to the one indicated.
  5. Close any open browsers.
  6. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

-----------------------------------------------------------

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

-----------------------------------------------------------

  • Close any open browsers.
  • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
  • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
  • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

-----------------------------------------------------------

  7. Double click on combo-Fix.exe & follow the prompts.
  8. When finished, it will produce a report for you.
  9. Please post the "C:\Combo-Fix.txt" along with a new HijackThis log for further review.

**Note: Do not mouseclick combo-fix's window while it's running. That may cause it to stall**

If you still cannot get this to run, try booting into Safe Mode, and run it there.

To boot into Safe Mode, tap F8 after BIOS, and just before the Windows logo appears. A list of options will appear, select "Safe Mode."

If this doesn't work either, try the same method (above method), but rename Combofix.exe to iexplore.exe instead, or winlogon.exe.

This is because it also happens in some cases that malware blocks EVERY process except for what is in its own whitelist, and this whitelist also includes important system processes such as iexplore.exe, explorer.exe, winlogon.exe...


Great. I will do this tonight.

Is there any quick fix to restoring my internet connectivity? I read that viruses can disable your LAN settings but I checked mine and that does not seem to be the case. I ask because I am really afraid of infecting the other computer with the back and forth flash drive. It would be nice if I could access this site from the infected computer and download these .exe files and logs directly.

Thanks.


  • Root Admin

You can try the following.

Click on START - RUN and copy / paste the entry below into the run line and click OK

CMD /C NETSH FIREWALL RESET

Click on START - RUN and copy / paste the entry below into the run line and click OK

CMD /C NETSH int ip reset c:\resetlog.txt

Click on START - RUN and copy / paste the entry below into the run line and click OK

CMD /C netsh winsock reset catalog


Not great. I ran the three commands and each time the black screen briefly popped up and closed. Is there something further I should have done? The internet still does not work so I am still moving the flash drive between computers which makes me really nervous. :D

Combo-Fix:

The only way I could run combofix was from the flash drive (by using run and entering the command) since I have no way of getting it on the machine. Hopefully this is okay? It's running now but so far it's just a blue screen that reads...

Please wait.

ComboFix is preparing to run.

Hopefully it will start soon.

What should I do with the GMER log if I can't zip it? Would you still like to see it?


Blue screen:

Attempting to create a new System Restore point

pop-up box:

Microsoft Windows Recovery Console

This machine does not have the "Microsoft Windows recovery console' installed

Without it, ComboFix shall not attempt the fixing of some serious infections.

Click "Yes" to have ComboFix download/install it.

NOTE: this requires an active internet connection.
