
Noob With A Nasty Infection


11 replies to this topic

#1 Talbot (Members, 10 posts, Melbourne, Australia)

Posted 19 November 2007 - 05:40 PM

All, thanks for a great forum.

First of all, let me say I like the karma: there are people out there who will wreck your computer for entertainment, and there are great folks like you who will help you get back on your feet.

I'm not sure of the protocols here, or whether I should post in the hijack forum.

I'm running XP SP2 with CA eTrust Antivirus, Ad-Aware, Spybot and BHODemon.

It all started when I got a pop-up message telling me my computer is making unauthorised copies of my system and I need to click the link to 'pervent' (sic) any problems. The message is being called by a program called csrss.exe.

I ran BHODemon, Ad-Aware and Spybot and got rid of some nasties, but that did not stop the message. I ran CA eTrust Antivirus, found lots of nasties and removed them. eTrust had been doing a fairly good job till now, but I'm a bit underwhelmed, as I had progressive scanning enabled. This slipped right past my McAfee firewall also.

My internet homepage defaulted to Google, and Control Panel was nowhere to be found. I then had a system crash. Now on boot-up, even before the Windows load screen, I get a message that my skuns.dat file is not a valid image and I should check my installation disk.

Once Windows starts to load, many of the exes that start with Windows check skuns.dat, so I get maybe 30 error messages on start-up and whenever I try to run something. Very few programs work in Normal Mode, but some will work in Safe Mode. The computer is very slow.

I also get a message during start-up that eTrust has detected the hostblock virus. It comes up every time, so I'm not sure it's getting rid of it. If I run eTrust, it tells me it has detected and removed the shinwow virus, every time, so it's either not getting rid of it, or it keeps coming back.

In my naivety I went and got a copy of the McAfee virus checker, but it requires Vet to be removed, and Control Panel is nowhere to be found, so I can't remove any programs.

I googled skuns.dat and this is what got me here. What do I do now?

Edited by Talbot, 19 November 2007 - 05:42 PM.



#2 quietman7 (Bleepin' Janitor, Global Moderator, 51,773 posts, Virginia, USA)

Posted 19 November 2007 - 06:39 PM

Please print out and follow the generic instructions for using SmitfraudFix in BC's self-help tutorial "How to remove the Smitfraud/Generic Zlob".
(Scroll down to where it says Removal Instructions; ignore the part that shows symptoms in a HijackThis log, as they may not apply to your case.)
If you have downloaded SmitfraudFix previously, please delete that version and download it again as the tool is frequently updated!

Then download and scan with SUPERAntiSpyware Free
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download them from here and unzip into the program's folder.)
  • Under "General and Startup", make sure "Start SUPERAntiSpyware when Windows starts" box is unchecked.
  • Under "Configuration and Preferences", click the Preferences button.
  • Click the Scanning Control tab.
  • Under Scanner Options make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen and exit the program.
  • Do not run a scan just yet.
Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Scan with SUPERAntiSpyware as follows:
  • Launch the program and back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan and click "Next".
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes" and reboot normally.
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
  • Click Close to exit the program.

Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators


#3 Talbot (Topic Starter)

Posted 20 November 2007 - 04:39 PM

Quietman7,

Thank you very sincerely for your assistance. I followed the SmitfraudFix instructions and ran the exe. I have two HDDs, C: (40 GB) and X: (100 GB). smitfraud.exe worked quickly through C: but hung when it got to cleaning the X: drive. I left it for about 4 hours and came back to a black screen showing Safe Mode and a mouse pointer, with no HDD activity.

I rebooted back into Safe Mode, very relieved to see no skuns.dat message, but got a message about a missing proper.exe. No Control Panel under Settings yet.

I ran smitfraud.exe again and let it run 6 hours overnight. It's back to the black Safe Mode screen and mouse pointer.

Can you suggest next steps? Awaiting your instructions.

Many thanks

Talbot

#4 quietman7

Posted 20 November 2007 - 06:02 PM

Quote: "got a message about a missing proper.exe"

From what you describe regarding the error message, the file is an orphaned entry related to malware that was set to run at startup. Windows is trying to load this file but cannot locate it, since the file may have been removed during an anti-virus scan, the uninstall of a program or the use of a specialized fix tool. However, an associated registry entry remains and is telling Windows to load the file when you boot up.

When Windows loads, it looks for any files associated with registry entries for programs that are set to run at startup. If the file was removed but not the registry entry, Windows will display an error message indicating that the file was not found. You need to remove this registry entry so Windows stops searching for the program when it loads.

To resolve this download and run Autoruns, search for the related entry and then delete it.
  • Create a new folder on your hard drive called AutoRuns and extract (unzip) the file there. (Click here if you're not sure how to do this.)
  • Open the folder and double-click on autoruns.exe to launch it.
  • Please be patient as it scans and populates the entries.
  • When done scanning, it will say Ready at the bottom.
  • Scroll through the list and look for a startup entry related to the file you need to remove.
  • Right-click on the file and choose delete.
  • Reboot your computer and see if the startup error returns.
Sounds like you may be dealing with multiple infections. Please follow the instructions for using VundoFix in BC's self-help tutorial: "How To Remove Vundo/Winfixer Infection".
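The orphan check described above, done by hand instead of with Autoruns, as an added example that is not part of the thread and not Autoruns code. It walks the four common Run/RunOnce keys, pulls the program (or, for rundll32.exe entries, the DLL argument) out of each command line, and reports values whose target is missing on disk: the exact condition that produces a "cannot find proper.exe" error at logon after a scanner deleted the file but left the registry value behind. It assumes PowerShell 2.0 or later, that it is run as the affected user for HKCU, and an elevated prompt for HKLM. Autoruns covers many more locations (Winlogon Shell/Userinit, services, scheduled tasks, BHOs); these keys are only the most common ones, and the key list, function names and the rundll32 handling are this example's own choices.

```powershell
# Added example: find Run/RunOnce autostart values whose target file is gone.
# Assumes PowerShell 2.0+, HKCU as the affected user, HKLM from an elevated prompt.
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

function Get-CommandExe {
    # Extract the program from a command line, quoted ("C:\a b\x.exe" /q)
    # or unquoted (C:\a\x.exe -s, or a bare rundll32.exe foo.dll,Entry).
    param([string]$CommandLine)
    $cmd = $CommandLine.Trim()
    if ($cmd.StartsWith('"')) {
        $end = $cmd.IndexOf('"', 1)
        if ($end -gt 0) { return $cmd.Substring(1, $end - 1) }
    }
    $m = [regex]::Match($cmd, '^(.+?\.exe)(\s|$)', 'IgnoreCase')
    if ($m.Success) { return $m.Groups[1].Value }
    return ($cmd -split '\s+')[0]
}

function Get-CommandTarget {
    # rundll32.exe itself always exists; the file that matters is the DLL
    # argument, written as  rundll32.exe "C:\path\x.dll",EntryPoint
    param([string]$CommandLine)
    $exe = Get-CommandExe $CommandLine
    if ($exe -imatch 'rundll32\.exe$') {
        $idx  = $CommandLine.IndexOf('rundll32.exe', [StringComparison]::OrdinalIgnoreCase)
        $rest = $CommandLine.Substring($idx + 12).Trim()
        $dll  = ($rest -split ',')[0].Trim().Trim('"')
        if ($dll) { return $dll }
    }
    return $exe
}

function Test-TargetExists {
    # Bare names such as "ctfmon.exe" are resolved through %PATH%, as the
    # loader does at logon; full paths are tested as written.
    param([string]$Path)
    $p = [Environment]::ExpandEnvironmentVariables($Path)
    if (Test-Path -LiteralPath $p) { return $true }
    if ($p -notmatch '[\\/]') {
        foreach ($dir in ($env:Path -split ';')) {
            if ($dir -and (Test-Path -LiteralPath (Join-Path $dir $p))) { return $true }
        }
    }
    return $false
}

$orphans = @()
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($prop in $props.PSObject.Properties) {
        if ($prop.Name -like 'PS*') { continue }   # skip PSPath, PSDrive, ...
        $target = Get-CommandTarget ([string]$prop.Value)
        if (-not (Test-TargetExists $target)) {
            $orphans += New-Object PSObject -Property @{
                Key = $key; Name = $prop.Name; Command = $prop.Value; Missing = $target
            }
        }
    }
}

$orphans | Format-Table Name, Missing, Key -AutoSize

# After confirming an entry really is dead (the Autoruns "delete" step),
# remove just that value, never the whole Run key:
#   Remove-ItemProperty -Path $orphans[0].Key -Name $orphans[0].Name
```

Treat the output as a list of suspects, not a kill list: a value whose target lives on a removable or not-yet-mounted drive will also show as missing, and a legitimate program that was uninstalled badly looks identical to a malware remnant. What the script cannot tell you is whether the now-missing file was the only copy of the malware; that is why the post goes on to further scans after the entry is removed.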

#5 Talbot (Topic Starter)

Posted 20 November 2007 - 07:25 PM

Quietman7,

Thanks, I'll give this a try. I'm at work at the moment, PC is at home, so I'll get back to you tomorrow.

Just so I have this straight:

1. Download Autoruns in Normal Mode and unzip it (hopefully WinZip will be there; I'll download and unzip it from work just in case, and install it in its own directory on my home box).

2. Run the Autoruns exe in Safe Mode and get rid of the entry calling for proper.exe.

3. Do I retry smitfraud.exe in Safe Mode, given that it hung, or do I follow the Vundo/Winfixer procedure?

4. After this, I will set up SUPERAntiSpyware.

Not surprised about multiple entries; this little episode has really opened my eyes. My confidence in CA eTrust has changed.

Thank you for all of your help - fingers crossed!

#6 quietman7

Posted 20 November 2007 - 10:31 PM

You can use Autoruns in Normal Mode. You're just removing a registry entry, as the file was already removed, hence the error message. After that use VundoFix, followed by a SUPERAntiSpyware scan.

#7 Talbot (Topic Starter)

Posted 21 November 2007 - 05:39 PM

Quietman7,

Thanks. I ran Autoruns and removed the proper.exe entry, and a few others where there was a "file not found". It seemed to boot OK, but still no Control Panel. I followed the instructions for VundoFix, but it said it found nothing. VirtumundoBeGone found nothing as well.

I downloaded SUPERAntiSpyware and installed it, but it would not run in Safe Mode. I set it up to run in Normal Mode. When I woke up this morning it had been going for 9:45 hrs and was still scanning. It has picked up a few nasties.

I'm at work at the moment, so I'll be interested to see what I find tonight.

Thank you again for your assistance

Talbot

#8 quietman7

Posted 21 November 2007 - 07:42 PM

This step involves making changes in the registry. Always back up your registry before making any changes. If you are not familiar with working in the registry, then you should NOT attempt to make any changes on your own. Improper changes to the registry could adversely affect your computer and render it inoperable.

Click on the link below:
http://www.kellys-korner-xp.com/xp_tweaks.htm
Scroll down to #256 and click "Restore the Control Panel" in the left column. Go to File, choose "Save page as" with the file type set to All Files, and save controlpanelrestrictionrestore.reg to your desktop. Double-click on that file and choose "Yes" to merge it into the registry when prompted. Once you get a success message, delete the file and reboot.
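What the .reg file above undoes, as an added example that is not part of the thread and not the Kelly's Korner file (whose exact contents are not shown on this page). The Control Panel and the Start > Settings entries are hidden by Explorer policy values under `Policies\Explorer`, which malware of this family sets to lock the user out of the tools that would remove it. The script reports any of those values that are set and, with `-Fix`, removes them; the list of value names is this example's own assumption about which restrictions matter here, and `Remove-ItemProperty` is used rather than merging a .reg so you can see first what is actually set. It assumes PowerShell 2.0 or later, the affected user's session for HKCU and an elevated prompt for HKLM.

```powershell
# Added example: show and clear the Explorer policy values that hide Control
# Panel. Value list is an assumption, not the contents of the .reg file above.
param([switch]$Fix)

$policyKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
)

# DWORD value name -> effect when set to 1
$restrictions = @{
    'NoControlPanel'  = 'Hides Control Panel entirely (Start menu, My Computer, control.exe)'
    'NoSetFolders'    = 'Removes Control Panel and Printers from Start > Settings'
    'NoRun'           = 'Removes Start > Run'
    'NoFolderOptions' = 'Removes Folder Options'
    'RestrictCpl'     = 'Only applets listed under the RestrictCpl subkey are shown'
    'DisallowCpl'     = 'Applets listed under the DisallowCpl subkey are hidden'
}

$found = 0
foreach ($key in $policyKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($name in $restrictions.Keys) {
        $val = $props.$name
        if ($null -ne $val -and $val -ne 0) {
            $found++
            '{0}\{1} = {2}   ({3})' -f $key, $name, $val, $restrictions[$name]
            if ($Fix) {
                Remove-ItemProperty -Path $key -Name $name
                '  removed'
            }
        }
    }
    # The per-applet allow/deny lists live in subkeys of the same name.
    foreach ($sub in 'RestrictCpl', 'DisallowCpl') {
        $subKey = Join-Path $key $sub
        if (Test-Path $subKey) {
            $found++
            "$subKey present (applet list)"
            if ($Fix) {
                Remove-Item -Path $subKey -Recurse
                '  removed'
            }
        }
    }
}

if ($found -eq 0) { 'No Control Panel restrictions set in HKCU or HKLM.' }
elseif ($Fix)     { 'Log off and back on (or restart explorer.exe) for Explorer to re-read policy.' }
```

Run it once without `-Fix` to see which hive carries the restriction: a value in HKLM applies to every account on the machine and needs an elevated prompt to clear, whereas the HKCU copy is per user. Explorer reads these values when it starts, so the Start menu does not change until you log off or restart explorer.exe, which is why the post above says to reboot after merging the file. If the values come straight back after a reboot, something is still running that re-applies them, and the infection is not finished.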

#9 Talbot (Topic Starter)

Posted 21 November 2007 - 10:06 PM

Quietman7,

I'll give it a go. Thanks for the instructions for backing up the registry.

Talbot

#10 quietman7

Posted 21 November 2007 - 10:40 PM

You're welcome.

Post back if you continue to have problems and we will try something else.

#11 Talbot (Topic Starter)

Posted 22 November 2007 - 03:22 AM

Quietman7,

Everything feels good!...

Am I really clean? How can I tell? Marathon Man references aside, is it safe?

I'd like to buy the Pro version of SUPERAntiSpyware. Is giving out card details OK now?

I think I was living in a fool's paradise with CA eTrust Antivirus. Is there a product I should consider?

In my naivety I purchased McAfee VirusScan Plus. I thought it would complement my firewall. Given how this malware slipped by, should I bother?

You saved my bacon (I hope) and I'm a complete stranger to you.

Thank you most sincerely

Is there a way for me to express my appreciation?


Talbot

#12 quietman7

Posted 22 November 2007 - 07:53 AM

You're certainly welcome.

Now, if there are no more problems, you should create a new Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been saved in System Restore. Since this is a protected directory that your tools cannot access to delete these files, they can sometimes reinfect your system if you accidentally use an old restore point. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll back" to a clean working state.

The easiest and safest way to do this is:
  • Go to Start > Programs > Accessories > System Tools and click "System Restore".
  • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name, then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
  • Then use Disk Cleanup to remove all but the most recent Restore Point.
  • Go to Start > Run and type: Cleanmgr
  • Click "OK".
  • Click the "More Options" Tab.
  • Click "Clean Up" in the System Restore section to remove all previous restore points except the newly created one.
SUPERAntiSpyware Free vs Pro Comparison Features. If you're using the free version, use it as an on-demand scanner; there is no need to run it at startup.

Although McAfee is as good as any other well known anti-virus program, it has become a resource hog that slows down your system especially if on dial-up or if installed on older systems without much RAM/slow CPU. McAfee requires numerous services and more than a dozen running files that use a lot of system resources.

Keep in mind that no single product is 100% foolproof and can detect and remove all threats at any given time. The security community is in a constant state of change as new infections appear. Each vendor has its own definition of what constitutes malware and scanning your computer using different criteria will yield different results. The fact that each program has its own definition files means that some malware may be picked up by one that could be missed by another. Thus, a multi-layered defense using several anti-spyware products (including an effective firewall) to supplement your anti-virus combined with common sense and safe surfing habits provides the most complete protection.

Using more than one anti-virus program is not advisable, even if you're using one of them as a stand-alone on-demand scanner. Even when one of them is disabled, it can affect the other. Issues can arise when the active anti-virus detects the non-active one's definitions or quarantined files.

The primary concern with using more than one anti-virus program is due to conflicts that can arise when both are running in real-time mode simultaneously. Anti-virus software components insert themselves into the operating system's core, and using more than one can cause instability, crash your computer, slow performance and waste system resources. When actively running in the background while connected to the Internet, they both may try to update their definition databases at the same time. As the programs compete for the resources required to download the necessary files, this often results in sluggish system performance or unresponsive behavior.

Each anti-virus will often interpret the activity of the other as a virus and there is a greater chance of them alerting you to a "False Positive". If one finds a virus and then the other also finds the same virus, both programs will be competing over exclusive rights on dealing with that virus. Each anti-virus will attempt to remove the offending file and quarantine it. If one finds and quarantines the file before the other one does, then you encounter the problem of both wanting to scan each other's zipped or archived files and each reporting the other's quarantined contents. This can lead to a repetitive cycle of endless alerts that continually warn you that a virus has been found when that is not the case.

Anti-virus scanners use virus definitions to check for viruses and these can include a fragment of the virus code which may be recognised by other anti-virus programs as the virus itself. Because of this, most anti-virus programs encrypt their definitions so that they do not trigger a false alarm when scanned by other security programs. However, some anti-virus vendors do not encrypt their definitions and will trigger false alarms if used while another resident anti-virus program is active. To avoid these problems, use only one anti-virus solution. Deciding which one to remove is your choice. Be aware that you may lose your subscription to that anti-virus program's virus definitions once you uninstall that software.

To protect yourself against malware and reduce the potential for re-infection, be sure to read:
"Simple and easy ways to keep your computer safe".
"How did I get infected?, With steps so it does not happen again!".
"The Ten Most Dangerous Things Users Do Online".
"The 10 Biggest Security Risks".
"Hardening Windows Security - Part 1" and "Hardening Windows Security - Part 2".

Safe surfing and have a malware free day.

Edited by quietman7, 22 November 2007 - 07:54 AM.

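The restore-point step from the post above, scripted so that the new point can be verified against the old ones, as an added example that is not part of the thread. It uses the SystemRestore WMI class in root\default, which exists on XP and later, to create a point with a dated description and then lists every point by sequence number; anything with a lower sequence number than the new one predates the cleanup and is what the Disk Cleanup step (cleanmgr > More Options > System Restore) is meant to purge. The function names and description text are this example's own, and it assumes an elevated PowerShell prompt on a machine where System Restore is enabled.

```powershell
# Added example: create a post-cleanup restore point and list existing ones
# via the SystemRestore WMI class. Assumes an elevated prompt, SR enabled.
$sr = [wmiclass] '\\.\root\default:SystemRestore'

function New-CleanRestorePoint {
    param(
        [string]$Description = ('Post-malware cleanup ' + (Get-Date -Format 'yyyy-MM-dd HH:mm'))
    )
    # RestorePointType 12 = MODIFY_SETTINGS, EventType 100 = BEGIN_SYSTEM_CHANGE
    $result = $sr.CreateRestorePoint($Description, 12, 100)
    if ($result.ReturnValue -ne 0) {
        throw "CreateRestorePoint failed with code $($result.ReturnValue)"
    }
    return $Description
}

function Get-RestorePoints {
    Get-WmiObject -Namespace 'root\default' -Class SystemRestore |
        Sort-Object SequenceNumber |
        ForEach-Object {
            New-Object PSObject -Property @{
                Seq         = $_.SequenceNumber
                Created     = [Management.ManagementDateTimeConverter]::ToDateTime($_.CreationTime)
                Description = $_.Description
            }
        }
}

$newName = New-CleanRestorePoint
$points  = @(Get-RestorePoints)
$points | Format-Table Seq, Created, Description -AutoSize

$new = $points | Where-Object { $_.Description -eq $newName }
if (-not $new) { throw 'New restore point is not listed; check that System Restore is enabled.' }
$older = @($points | Where-Object { $_.Seq -lt $new.Seq })
"{0} older point(s) predate the cleanup and should be purged with Disk Cleanup." -f $older.Count
```

On XP the older points can only be removed through Disk Cleanup as the post describes (or by turning System Restore off and on, which wipes all of them, including the new one, so do that before creating the clean point, not after). On Vista and later the points are shadow copies and `vssadmin delete shadows` can remove the old ones selectively. On Windows 8 and later the WMI call silently skips creation if a point was made within the last 24 hours, which is one more reason to check the listing rather than trust the return code.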



