
Malware (possibly Zinaps) Disabling My PC


Recommended Posts

Hi All -- My husband and I have a small business and rely on our computer for customer interaction email (on Mozilla), and IE for internet. I'm the computer savvy one, he's buried with work away from the computer.

My husband, Ron, inadvertently downloaded the virus that sets off the "XP MS Security Alerts" last weekend.

After a good scolding, I told him that it was probably just a hijack virus, that the alerts weren't as bad as they sounded, and he would need to scour the system with an anti-malware program.

I walked him through the steps in your forum to download Malwarebytes AV.

Anytime he opened a new browser window, the virus hijacks it to purchase the "antidote".

For some reason, he WAS able to keep windows to your forums open long enough to download Malwarebytes (thank god it's not a huge program; we are on basic DSL), BUT when he would try to launch the program, he gets the windows "what application do you want to use to launch?" -- with MS wordpad, etc.

I had him rename the MBAM file, and still not able to launch.

I had him download to our laptop, and copy it over to a pen drive and install on the PC with a changed name (a two hour process and lots of patience on the phone). Still no luck.

For several days he was still able to launch Mozilla for email, and try to ignore the windows while I sent various workarounds with no luck -- but NOW email and all other programs give the message "what application do you want to launch", so the virus is slowly disabling the system.

I'm not due home for a couple of months, and am at a loss to help. The computer is at our home in Nuevo Arenal, Costa Rica, Central America.

Is anyone able to help us via remote access??

We have a basic PC from Dell with Windows XP Home Version I think -- I can't remember, and Ron can't even run the WINVER line (dialog box "what application do you . . ") to determine what version we have.

Getting desperate; any help appreciated. Leanna Saunders


Hello Leanna,

Good thing you mentioned your Windows version. As long as you have a clean computer, use it to do downloads and then transfer & copy to Desktop of the problem system.

Do this to close the rogue "Security alert" window. Repeat as needed.

Use ALT+F4 keys to close those rogue pop-up windows. Press and hold the ALT key & then press F4 key.

Download >> this reg file << from Kelly's Korner

and save it to your system. Right-click on it and then select Merge.

Now, you will be able once more to run exe programs.

Please reply when that is completed.


P.S. The link for that file above is http://www.kellys-korner-xp.com/regs_edits/xp_exe_fix.reg

and keep in mind, that is only the start. There is a lot more to do afterwards to remove remainders of the rogue.

Let me know in this thread when that step is completed.
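The "what application do you want to use" prompt on every .exe is the symptom of a broken .exe file association, which is what a .reg fix such as the one linked above (and FixExe.reg in the later Step 2) merges back. As an added example that is not code from this thread, Kelly's Korner or BleepingComputer, the script below parses a .reg export and reports the association values that differ from the XP defaults; the .reg text it checks is constructed here, since the real fix files' contents are not on the page.

```python
"""Check a Windows .reg export for the .exe association keys that an "exe fix"
restores. Added example, not from the thread or the linked fix files; the sample
.reg text is constructed from the well-known XP defaults and a made-up hijacked state."""
import re

# Defaults a healthy XP system holds; the "what application" prompt appears when altered.
EXPECTED = {
    r"HKEY_CLASSES_ROOT\.exe": {"@": "exefile"},
    r"HKEY_CLASSES_ROOT\exefile\shell\open\command": {"@": '"%1" %*'},
}

# Constructed sample in .reg syntax, modelled on what an exe fix restores.
FIX_REG = r'''Windows Registry Editor Version 5.00
[HKEY_CLASSES_ROOT\.exe]
@="exefile"
[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"
'''

# Constructed export from a hijacked system; rogue.exe is a placeholder name.
HIJACKED_EXPORT = r'''Windows Registry Editor Version 5.00
[HKEY_CLASSES_ROOT\.exe]
@="secfile"
[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"C:\\WINDOWS\\system32\\rogue.exe\" /start \"%1\" %*"
'''

def parse_reg(text):
    """Return {key_path: {value_name: data}}; quoted strings are unescaped, other types kept raw."""
    unescape = lambda s: re.sub(r"\\(.)", r"\1", s)  # undo .reg escaping of \ and "
    keys, current = {}, None
    for line in text.splitlines():
        key = re.fullmatch(r"\[(.+)\]", line.strip())
        val = re.fullmatch(r'(@|"(?:[^"\\]|\\.)*")=(.*)', line.strip())
        if key:
            current = keys.setdefault(key.group(1), {})
        elif val and current is not None:
            name = "@" if val.group(1) == "@" else unescape(val.group(1)[1:-1])
            data = val.group(2)
            if len(data) >= 2 and data[0] == data[-1] == '"':
                data = unescape(data[1:-1])
            current[name] = data
    return keys

def check_exe_association(reg_text):
    """Return (key, value_name, found, expected) for every deviation from EXPECTED."""
    keys = parse_reg(reg_text)
    return [(key, name, keys.get(key, {}).get(name), want)
            for key, values in EXPECTED.items() for name, want in values.items()
            if keys.get(key, {}).get(name) != want]
```

Running it against an export taken with `reg export HKCR\exefile` (plus `HKCR\.exe`) from the affected machine shows what the rogue changed before the fix is merged; an empty list means the association is back to the defaults.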


Thank you for your help. I can see in the last week so many people are having the same "blocks" at fixing this virus -- blocked IP addresses, hanging up on downloads of AV, won't run .exe files . . .

Our computer was so bad, and my husband so newbie that, get this, he actually had two buddies tell him that our PC was toast, and that he was better to buy a new hard drive and start over with a Linux OS.

I begged him to find an hour and walk through these steps above, and with luck and no "blocks", he was able to both MERGE the first download, and SAVE/RUN the second program.

He's reporting that there are no "pop ups", but EVERY PROGRAM is still asking "what program do you want to use to launch this" when he goes to launch his Mozilla Thunderbird or IE.

Look guys -- if there is a lot more work to be done on this, can someone help ME to remotely access the computer, and continue the steps with your forum?? He is far too much a newbie/non-computer person, that he is going to buy a new hard drive, salvage the monitor, keyboard, mouse, etc. from our PC and start over with Linux.

Problem is -- I'M THE COMPUTER PERSON -- and all our web-site working files are setup in Photoshop, I keep all our business contacts in MS Outlook, accounting in QuickBook, and even our VOIP on MagicJack -- ALL IN A WINDOWS setting. He doesn't understand that if he "junks" the Windows OS that I'm hosed. Yes, yes, there are programs that help you run Windows software on Linux, but, can't we just fix this virus for a starter?

If there is someone who could help me to access the computer, or who can work with me to do remote access and help, I'd really appreciate it.

Leanna


(sound of shuffling feet, patiently waiting in the corner)

Not feelin' the love here; know you're busy and all, really appreciate an expert's guidance PLEASE!

HISTORY:

We were severely disabled by a hijack malware behind the mask of "SpyWare Doctor" and Window Alerts.

It was hijacking browser windows, disabling AV programs and runs, and disabling other program launches.

ACTIONS TAKEN:

Ran XP_EXE_FIX (I think "re"enabled launching programs) and successfully downloaded MBAM, installed, ran Full Scan, and restart.

STATUS:

Programs are still being "disabled", i.e. when we double click an icon to launch, or select from Start Menu, we get a box asking "What application do you want to use to run this . . ."

WE ARE READY FOR NEXT STEPS PLEASE!

Thank you


Set Windows to show all files and all folders.

On your Desktop, double click My Computer, from the menu options, select Tools, then Folder Options, and then select the VIEW tab and look at all of the settings listed.

"CHECK" (turn on) Display the contents of system folders.

Under column, Hidden files and folders----choose ( *select* ) Show hidden files and folders.

Next, un-check Hide extensions for known file types.

Next un-check Hide protected operating system files.

Step 2

Download and save FixExe.reg from

http://download.bleepingcomputer.com/reg/a...2010/FixExe.reg

Right-click on the FixExe.reg file. When Windows prompts whether or not you want to allow the data to be added to your computer, click on Merge.

Download to your Desktop FixPolicies.exe, by Bill Castner, MS-MVP, a self-extracting ZIP archive from

http://downloads.malwareremoval.com/BillCa...FixPolicies.exe

  • Double-click FixPolicies.exe.
  • Click the "Install" button on the bottom toolbar of the box that will open.
  • The program will create a new Folder called FixPolicies.
  • Double-click to Open the new Folder, and then double-click the file within: Fix_Policies.cmd.
  • A black box will briefly appear and then close.

Step 3

Download & SAVE OTL by OldTimer to your desktop from one of the following links:

http://oldtimer.geekstogo.com/OTL.com

http://ottools.noahdfear.net/OTL.com

  • Close all open windows on the Task Bar. Double Click OTL to start the program.
  • In the lower right corner of the Top Panel, checkmark "LOP Check" and checkmark "Purity Check".
  • Now click Run Scan at Top left and let the program run uninterrupted. It will take about 4 minutes.
  • It will produce two logs for you, one will pop up called OTL.txt, the other will be saved on your desktop and called Extras.txt.
  • Exit Notepad. Remember where you've saved these 2 files as we will need both of them shortly!
  • Exit OTL by clicking the X at top right.

Step 4

Then copy/paste the following into your post (in order):

  • the contents of the MBAM scan log from the scan that you last ran
  • the contents of OTL.txt
  • the contents of Extras.txt
