Infection Prevents Installation Of Antivirus Software


8 replies to this topic

#1 doctordoe

doctordoe

  • Members
  • 5 posts
  • OFFLINE
  • Local time:04:01 AM

Posted 08 February 2008 - 07:40 PM

I'm infected with something. I don't know what. I thought it was Smitfraud.c. That came up in a Spybot scan and Spybot reported it as fixed. Afterward I tried to install Ad-aware, and got the message "the system administrator has set policies to prevent this installation". Acknowledgment of this message aborts the installation. I don't know how to proceed. I was trying to follow the tutorial "4 simple steps for removing Spyware, Viruses, Hijackers and other Malware". I have HiJackThis installed, but don't want to post a log until I get some instructions. Should I be in safe mode? If someone can help, I'd really appreciate it. I'm way over my head here.


#2 Tomo2

Tomo2

  • Members
  • 402 posts
  • OFFLINE
  • Gender:Male
  • Location:Wanganui, Aotearoa NZ
  • Local time:09:01 PM

Posted 08 February 2008 - 08:18 PM

If you generate a HJT log it must be done in normal mode. Some components may not load in safe mode so they will not show in the log. Before you do that try running an AV program that you don't have to install.
TrendMicro™ HouseCall Java Scan
  • Please go HERE to run the Trend Micro™ HouseCall Scan.
  • Click Scan now. It's free!
  • Read and put a Check next to Yes I accept the terms of use.
  • Click the Launching HouseCall>> button.
  • If confirmed that HouseCall can run on your system, under Using Java-based HouseCall kernel click the Starting HouseCall>> button.
  • You may receive a Security Warning about the TrendMicro Java applet, click YES.
  • Under Scan complete computer for malware, grayware, and vulnerabilities click the Next>> button.
  • Please be patient while it installs, updates, and scans your system.
  • Once the scan is complete, it will take you to the summary page.
  • Under Cleanup options, choose clean all detected infections automatically.
  • Click the Clean now>> button.
  • If anything was found you may be prompted to run the scan again; you can just close the browser window.



#3 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 72,114 posts
  • OFFLINE
  • Gender:Male
  • Location:NJ USA
  • Local time:04:01 AM

Posted 08 February 2008 - 08:34 PM

If this is an XP SP2 PC, try to download SUPERAntiSpyware and save it to the desktop.

Reboot PC into Safe Mode (If you can use Safe Mode With Networking, do so)
Safe Mode Using the F8 Method
Restart your computer.
When the machine first starts again it will generally list some equipment that is installed in your machine, amount of memory, hard drives installed etc. At this point you should gently tap the F8 key repeatedly until you are presented with a Windows XP Advanced Options menu.
Select the option for Safe Mode using the arrow keys.
Then press enter on your keyboard to boot into Safe Mode.


Open from the desktop icon or the Program Files list
Install it (update it if you were able to boot with networking; if not, proceed on).
On the left, make sure you check C:\Fixed Drive.
Perform a Complete scan. After the scan, verify they are all checked.
Click OK on the summary screen to quarantine all found items.
If asked if you want to reboot, click "Yes" and reboot normally.

To retrieve the removal information after reboot, launch SUPERAntispyware again.
Click Preferences, then click the Statistics/Logs tab.
Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
If there are several logs, click the current dated log and press View log.
A text file will open in your default text editor.
Please copy and paste the Scan Log results in your next reply.
Click Close to exit the program.

Please ask any needed questions, post logs and let us know how your PC is running now.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#4 doctordoe

doctordoe
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  • Local time:04:01 AM

Posted 08 February 2008 - 09:48 PM

I tried Housecall earlier, but it wouldn't start the scan. I will try again.

I have SUPERAntiSpyware installed. Booted to safe mode. (I have to use msconfig to boot to safe. F8 at startup brings up a BIOS menu on my system.) Performing complete scan of c:

Incidentally, every time I boot the computer today, Windows Explorer is open to My Documents. I'm not leaving it open. All windows are closed each time I shut down or restart. Can this thing infect my data files (word processor docs, mp3s, image files, etc)??? Also, can it infect other computers in the house that are networked to my broadband router?

I'm using another computer to reply. And since I'd really like to know about the questions above, I'll post this and post the log when it finishes scanning.

Thanks a lot for the input so far.

#5 doctordoe

doctordoe
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  • Local time:04:01 AM

Posted 08 February 2008 - 10:29 PM

SUPERAntiSpyware is finished. It didn't find much. The log file follows.

Upon normal reboot, My Documents is open. A message window pops up, LoadLibrary("C:\Documents and Settings\All Users\Application Data\qjqfszix.dll") failed - The specified module could not be found. The title bar of the window says "RegSvr32"

Here is the scan log:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 02/08/2008 at 10:18 PM

Application Version : 3.9.1008

Core Rules Database Version : 3399
Trace Rules Database Version: 1391

Scan type : Complete Scan
Total Scan Time : 00:42:41

Memory items scanned : 197
Memory threats detected : 0
Registry items scanned : 6236
Registry threats detected : 0
File items scanned : 45078
File threats detected : 1

Adware.Tracking Cookie
C:\Documents and Settings\Deborah\Cookies\deborah@pandasoftware.112.2o7[1].txt

#6 doctordoe

doctordoe
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  • Local time:04:01 AM

Posted 08 February 2008 - 10:43 PM

Posting that log caused me to look at the earlier logs in the list. I've been working on this for two days now. There is a log from yesterday that is interesting:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 02/07/2008 at 07:28 PM

Application Version : 3.9.1008

Core Rules Database Version : 3396
Trace Rules Database Version: 1388

Scan type : Complete Scan
Total Scan Time : 01:01:58

Memory items scanned : 833
Memory threats detected : 2
Registry items scanned : 6236
Registry threats detected : 41
File items scanned : 52633
File threats detected : 80

Rogue.Unclassified/Loader
C:\WINDOWS\SYSTEM32\RXJDDNVJ.EXE
C:\WINDOWS\SYSTEM32\RXJDDNVJ.EXE
C:\WINDOWS\HMJQLIXC.EXE
C:\WINDOWS\Prefetch\HMJQLIXC.EXE-0626FACC.pf
C:\WINDOWS\Prefetch\RXJDDNVJ.EXE-190EA246.pf

Trojan.Unclassified/Out-Variant
C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\QJQFSZIX.DLL
C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\QJQFSZIX.DLL
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{c51c2e68-1dd1-11b2-9f33-c9da50e571c2}
HKCR\CLSID\{C51C2E68-1DD1-11B2-9F33-C9DA50E571C2}
HKCR\CLSID\{C51C2E68-1DD1-11B2-9F33-C9DA50E571C2}\InprocServer32
HKCR\CLSID\{C51C2E68-1DD1-11B2-9F33-C9DA50E571C2}\InprocServer32#ThreadingModel
HKCR\CLSID\{C51C2E68-1DD1-11B2-9F33-C9DA50E571C2}\InprocServer32#t
C:\WINDOWS\ZWVINONM.DLL

Unclassified.Unknown Origin
HKLM\Software\Classes\CLSID\{F10587E9-0E47-4CBE-ABCD-7DD20B8622FF}
HKCR\CLSID\{F10587E9-0E47-4CBE-ABCD-7DD20B8622FF}
HKCR\CLSID\{F10587E9-0E47-4CBE-ABCD-7DD20B8622FF}
HKCR\CLSID\{F10587E9-0E47-4CBE-ABCD-7DD20B8622FF}\InprocServer32
HKCR\CLSID\{F10587E9-0E47-4CBE-ABCD-7DD20B8622FF}\InprocServer32#ThreadingModel
HKCR\CLSID\{F10587E9-0E47-4CBE-ABCD-7DD20B8622FF}\ProgID
HKCR\CLSID\{F10587E9-0E47-4CBE-ABCD-7DD20B8622FF}\Programmable
HKCR\CLSID\{F10587E9-0E47-4CBE-ABCD-7DD20B8622FF}\TypeLib
HKCR\CLSID\{F10587E9-0E47-4CBE-ABCD-7DD20B8622FF}\VersionIndependentProgID
C:\PROGRAM FILES\HELPER\1202425575.DLL
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{54645654-2225-4455-44A1-9F4543D34546}
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{c5af2622-8c75-4dfb-9693-23ab7686a456}
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{F10587E9-0E47-4CBE-ABCD-7DD20B8622FF}

Adware.AdBreak
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00000000-d9e3-4bc6-a0bd-3d0ca4be5271}
C:\WINDOWS\FHFMM-UNINSTALLER.EXE
C:\WINDOWS\FHFMM.EXE
C:\WINDOWS\HCWPRN.EXE
C:\WINDOWS\KKCOMP.DLL
C:\WINDOWS\KKCOMP.EXE
C:\WINDOWS\KVNAB.DLL
C:\WINDOWS\KVNAB.EXE
C:\WINDOWS\LIQAD.DLL
C:\WINDOWS\LIQAD.EXE
C:\WINDOWS\LIQUI-UNINSTALLER.EXE
C:\WINDOWS\LIQUI.DLL
C:\WINDOWS\LIQUI.EXE
C:\WINDOWS\PBSYSIE.DLL
C:\WINDOWS\SETTN.DLL
C:\WINDOWS\WBECHECK.EXE
C:\WINDOWS\XADBRK.DLL
C:\WINDOWS\XADBRK.EXE
C:\WINDOWS\XADBRK_.EXE

411Ferret Toolbar
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{12F02779-6D88-4958-8AD3-83C12D86ADC7}

Adware.AdBlaster
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2d7cb618-cc1c-4126-a7e3-f5b12d3bcf71}
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{e9147a0a-a866-4214-b47c-da821891240f}

AdBars BHO
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{51641ef3-8a7a-4d84-8659-b0911e947cc8}

Adware.404Search
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53C330D6-A4AB-419B-B45D-FD4411C1FEF4}

Adware.Accoona
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{944864a5-3916-46e2-96a9-a2e84f3f1208}

Trojan.PBar
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{ca1d1b05-9c66-11d5-a009-000103c1e50b}

Adware.Tracking Cookie

Adware.E404 Helper/Hij
HKCR\E404.e404mgr
HKCR\E404.e404mgr\CLSID
HKCR\E404.e404mgr\CurVer
HKCR\E404.e404mgr.1
HKCR\E404.e404mgr.1\CLSID
HKCR\TypeLib\{E63648F7-3933-440E-B4F6-A8584DD7B7EB}
HKCR\TypeLib\{E63648F7-3933-440E-B4F6-A8584DD7B7EB}\1.0
HKCR\TypeLib\{E63648F7-3933-440E-B4F6-A8584DD7B7EB}\1.0\0
HKCR\TypeLib\{E63648F7-3933-440E-B4F6-A8584DD7B7EB}\1.0\0\win32
HKCR\TypeLib\{E63648F7-3933-440E-B4F6-A8584DD7B7EB}\1.0\FLAGS
HKCR\TypeLib\{E63648F7-3933-440E-B4F6-A8584DD7B7EB}\1.0\HELPDIR
HKCR\Interface\{F7D09218-46D7-4D3D-9B7F-315204CD0836}
HKCR\Interface\{F7D09218-46D7-4D3D-9B7F-315204CD0836}\ProxyStubClsid
HKCR\Interface\{F7D09218-46D7-4D3D-9B7F-315204CD0836}\ProxyStubClsid32
HKCR\Interface\{F7D09218-46D7-4D3D-9B7F-315204CD0836}\TypeLib
HKCR\Interface\{F7D09218-46D7-4D3D-9B7F-315204CD0836}\TypeLib#Version

Adware.E404 Helper/Variant
C:\PROGRAM FILES\HELPER\1202425573.DLL

Trojan.FakeDrop-764
C:\WINDOWS\764.EXE

Trojan.FakeDrop-FLT
C:\WINDOWS\FLT.DLL

Trojan.FakeDrop-PBar
C:\WINDOWS\PBAR.DLL

Rogue.WinPerformance
C:\WINDOWS\PERFINFO\R3UTDUZN0TWP.EXE

Unclassified.Unknown Origin/System
C:\WINDOWS\SYSTEM32\ESHOPEE.EXE

Trojan.Fakespy-B
C:\WINDOWS\SYSTEM32\MSOLE32.EXE
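As an added example, not code from this thread or from SUPERAntiSpyware: a small Python parser for the scan-log layout posted in #5 and #6, plus a check that cross-references the module path named in the RegSvr32 LoadLibrary error from #5 against the items the 02/07 log reported. The log excerpt and error string are constructed from the thread's own text (condensed), and the function names are this example's own.

```python
import re

# Constructed, condensed excerpt in the SUPERAntiSpyware scan-log layout posted in this thread:
# header "Key : value" lines, then one block per detection name followed by its matched items.
SAMPLE_LOG = r"""SUPERAntiSpyware Scan Log
Generated 02/07/2008 at 07:28 PM
File items scanned : 52633
File threats detected : 80

Trojan.Unclassified/Out-Variant
C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\QJQFSZIX.DLL
HKCR\CLSID\{C51C2E68-1DD1-11B2-9F33-C9DA50E571C2}\InprocServer32

Adware.Tracking Cookie
C:\Documents and Settings\Deborah\Cookies\deborah@atdmt[2].txt
"""

# Constructed copy of the boot-time RegSvr32 error the poster reported.
SAMPLE_ERROR = (r'LoadLibrary("C:\Documents and Settings\All Users\Application Data\qjqfszix.dll")'
                ' failed - The specified module could not be found.')

ITEM_RE = re.compile(r"^(?:[A-Z]:\\|HK(?:LM|CU|CR|U|CC)\\)", re.I)  # file path or registry key
KV_RE = re.compile(r"^([A-Za-z][A-Za-z ]*?)\s*:\s*(.+)$")            # "Key : value" header line

def parse_scan_log(text):
    """Return (header dict, {detection name: [matched items]}) for one scan log."""
    header, detections, current = {}, {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line.startswith(("SUPERAntiSpyware", "http")):
            continue                                   # blank line, title or URL
        if line.startswith("Generated "):
            header["Generated"] = line[len("Generated "):]
        elif ITEM_RE.match(line):                      # item under the current detection
            detections.setdefault(current or "(uncategorised)", []).append(line)
        elif current is None and (m := KV_RE.match(line)):
            header[m.group(1)] = m.group(2)
        else:                                          # anything else starts a detection block
            current = line
            detections.setdefault(current, [])
    return header, detections

def module_from_loadlibrary_error(message):
    """Extract the module path from a RegSvr32 'LoadLibrary("...") failed' message."""
    m = re.search(r'LoadLibrary\("([^"]+)"\)\s+failed', message)
    return m.group(1) if m else None

def find_detection(detections, path):
    """Name of the detection whose items include `path` (case-insensitive), else None."""
    return next((name for name, items in detections.items()
                 if path.lower() in (item.lower() for item in items)), None)
```

A hit from `find_detection` means the module the error complains about was among the items the scanner already quarantined, so what remains is a leftover reference that still tries to load it at boot rather than a new infection; no hit means the missing module deserves a closer look.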

#7 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 72,114 posts
  • OFFLINE
  • Gender:Male
  • Location:NJ USA
  • Local time:04:01 AM

Posted 08 February 2008 - 10:58 PM

It looks like you have removed an awful lot of malware and you are probably clean. That message is an operating system problem. Probably a file corruption.
You should post that error message in the appropriate section of the Operating Systems forums.
We'll keep this open for now.

#8 doctordoe

doctordoe
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  • Local time:04:01 AM

Posted 09 February 2008 - 01:06 PM

Thank you for looking at those logs. I'll watch it closely for odd behavior. I'll copy down and post the error at boot-up on the correct forum.

It's nice that you monitor these forums and help folks out. I appreciate it.

#9 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 72,114 posts
  • OFFLINE
  • Gender:Male
  • Location:NJ USA
  • Local time:04:01 AM

Posted 09 February 2008 - 01:54 PM

You're welcome. It's one of the reasons I joined and stayed many moons ago.