
Deleted Antivirus Xp 2008 Still Beating Me Up


13 replies to this topic

#1 mambomama (Members, 7 posts)
Posted 31 August 2008 - 06:35 PM

Ahh, the joys of parenting teens. While my kids were watching online videos we managed to attract the unwanted attentions of Antivirus XP 2008. By the time I approached the computer in the morning, this monster had taken over my screen and my web browser, sending everything to fake Google sites. We are running Windows XP with F-Secure as our virus checker. Using another computer I learned about Malwarebytes as the solution for fixing this problem. It worked, or so I thought. The program found 76 problems and reported them all fixed. The screen was back to normal; I could actually search like a normal person. I was happy. Until the next day. It has since gone downhill from there.

Problems that we are encountering.

Windows randomly shuts down. No rhyme or reason. It will shut down using Firefox, IncrediMail, or just while playing Solitaire.
Frequent "Firefox has encountered a problem and must close" or "Explorer has encountered a problem and must close" boxes. Sometimes they can be ignored, but that just results in more boxes piling on top of existing boxes until I shut down the program. Sometimes the "problem" message simply shuts down the program itself immediately, saving me the hassle.
I am also getting random "corrupt file, please run Check Disk" messages, always with a different file that is "corrupt". Check Disk is not showing corrupt files.
I cannot run a complete scan with Malwarebytes because the system keeps shutting down. I can perform a quick scan.
F-Secure discovered Riskware.Win32.Reboot.j, which it was not able to clean.
The system often freezes when tab browsing.
All system restore points from before the virus hit are gone and none of the other restore points will work due to interruptions during restore session.

Problems I had but seem to have fixed (somehow).

Every time Windows rebooted it would do a complete Check Disk. I did something involving Check Disk and dirty to fix it.
When Windows rebooted, I would often get a message that it was operating in diagnostic mode and instructing me to change to normal mode. However, I was not able to do that.
IncrediMail would not open because "it requires another version of Flash", yet whenever the download page opened up, it would always close up.

Any ideas of what to try next? Thank you in advance.

Lynn



#2 Budapest, Bleepin' Cynic (Moderator, 23,579 posts)
Posted 31 August 2008 - 06:38 PM

See if you can get this scan to run:

Please download ATF Cleaner by Atribune and save it to your desktop (alternate download link). DO NOT use it yet.
Please download and install SUPERAntiSpyware Free
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download them from here and unzip into the program's folder.)
  • Under the "Configuration and Preferences", click the Preferences... button.
  • Click the "General and Startup" tab, and under Start-up Options, make sure "Start SUPERAntiSpyware when Windows starts" box is unchecked.
  • Click the "Scanning Control" tab, and under Scanner Options, make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen and exit the program.
  • Do not run a scan just yet.
Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Double-click ATF-Cleaner.exe to run the program.
  • Under Main "Select Files to Delete" choose: Select All.
  • Click the Empty Selected button.
  • If you use Firefox browser click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • If you use Opera browser click Opera at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • Click Exit on the Main menu to close the program.
Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".

Scan with SUPERAntiSpyware as follows:
  • Launch the program and back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan and click "Next".
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes" and reboot normally.
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.

The power of accurate observation is commonly called cynicism by those who haven't got it.

—George Bernard Shaw

#3 mambomama, Topic Starter (Members, 7 posts)
Posted 01 September 2008 - 10:29 AM

Thank you for your help. This is what happened. I followed your instructions as printed and everything went fine except one part. When using ATF Cleaner, under Main and after checking all, I was not able to empty selected. The program froze. I tried several times and received the same result. I was able to empty the folder for Firefox though. I decided to continue with the process as directed, despite this problem. After the reboot I got (yet again) "system has recovered from a serious error". So far everything is pretty good though. I have not had any other error messages and have not been kicked off any of my programs so far. One internet site I usually visit informed me that I need to install Shockwave because I apparently no longer have it. I have not done this as I do not want to add to the picture until I get the all clear sign. I am including the file from SUPERAntiSpyware.

What now or am I done :-) ?

Lynn....

Log

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 09/01/2008 at 06:36 AM

Application Version : 4.20.1046

Core Rules Database Version : 3553
Trace Rules Database Version: 1542

Scan type : Complete Scan
Total Scan Time : 10:32:15

Memory items scanned : 161
Memory threats detected : 0
Registry items scanned : 6351
Registry threats detected : 6
File items scanned : 101041
File threats detected : 5

Rootkit.Dropper/Zorg
HKLM\System\ControlSet001\Services\p1jzxwjbnbd.sys
H:\WINDOWS\SYSTEM32\DRIVERS\P1JZXWJBNBD.SYS
HKLM\System\ControlSet001\Enum\Root\LEGACY_p1jzxwjbnbd.sys
HKLM\System\ControlSet003\Services\p1jzxwjbnbd.sys
HKLM\System\ControlSet003\Enum\Root\LEGACY_p1jzxwjbnbd.sys
HKLM\System\CurrentControlSet\Services\p1jzxwjbnbd.sys
HKLM\System\CurrentControlSet\Enum\Root\LEGACY_p1jzxwjbnbd.sys

Adware.Tracking Cookie
H:\Documents and Settings\Lynn\Cookies\lynn@CASVC7QH.txt
H:\Documents and Settings\Lynn\Cookies\lynn@www.avxp-2008[1].txt
H:\Documents and Settings\Lynn\Cookies\lynn@banner.eurogrand[3].txt
H:\Documents and Settings\Lynn\Cookies\lynn@banner.eurogrand[2].txt
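What the Rootkit.Dropper/Zorg block above actually describes is a kernel driver service: a Services key plus the matching Enum\Root\LEGACY_ device node, registered not only in CurrentControlSet but also in two numbered control sets (CurrentControlSet is an alias for one of them; the other is the spare set that Last Known Good Configuration boots from, so that fallback would not have helped). The script below is an added example, not code from the thread or from SUPERAntiSpyware: it parses a log in this format, groups the rootkit entries per driver service, lists which control sets carry the persistence, and applies a vowel-ratio heuristic (an assumption of mine, flagged as such in the code) to call out generated-looking names such as p1jzxwjbnbd.sys. The embedded log is a constructed excerpt built from the entries posted above.

```python
import re
from collections import defaultdict

# Constructed excerpt in the SUPERAntiSpyware scan-log format. The Rootkit.Dropper/Zorg
# entries are the ones posted above; the cookie block is shortened to one line.
SAMPLE_LOG = """\
SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 09/01/2008 at 06:36 AM

Registry threats detected : 6
File threats detected : 5

Rootkit.Dropper/Zorg
HKLM\\System\\ControlSet001\\Services\\p1jzxwjbnbd.sys
H:\\WINDOWS\\SYSTEM32\\DRIVERS\\P1JZXWJBNBD.SYS
HKLM\\System\\ControlSet001\\Enum\\Root\\LEGACY_p1jzxwjbnbd.sys
HKLM\\System\\ControlSet003\\Services\\p1jzxwjbnbd.sys
HKLM\\System\\ControlSet003\\Enum\\Root\\LEGACY_p1jzxwjbnbd.sys
HKLM\\System\\CurrentControlSet\\Services\\p1jzxwjbnbd.sys
HKLM\\System\\CurrentControlSet\\Enum\\Root\\LEGACY_p1jzxwjbnbd.sys

Adware.Tracking Cookie
H:\\Documents and Settings\\Lynn\\Cookies\\lynn@www.avxp-2008[1].txt
"""

SERVICE_RE = re.compile(
    r"^HKLM\\System\\(ControlSet\d{3}|CurrentControlSet)\\Services\\([^\\]+)$", re.I)
LEGACY_RE = re.compile(
    r"^HKLM\\System\\(ControlSet\d{3}|CurrentControlSet)\\Enum\\Root\\LEGACY_([^\\]+)$", re.I)
DRIVER_FILE_RE = re.compile(r"^[A-Z]:\\.*\\DRIVERS\\([^\\]+\.sys)$", re.I)


def parse_detections(log_text):
    """Return {threat_name: [registry key or file path, ...]} from a SAS scan log.

    A detection block is a paragraph whose first line is the threat name and whose
    remaining lines are all registry keys or file paths (they contain a backslash)."""
    detections = {}
    for para in re.split(r"\n\s*\n", log_text.strip()):
        lines = [l.strip() for l in para.splitlines() if l.strip()]
        if len(lines) < 2 or ":" in lines[0] or "\\" in lines[0]:
            continue  # header or statistics paragraph, not a detection block
        items = lines[1:]
        if all("\\" in item for item in items):
            detections[lines[0]] = items
    return detections


def driver_persistence(items):
    """Group a detection's items by driver service name.

    For each service, record which control sets carry its Services key and its
    Enum\\Root\\LEGACY_ device node, and which driver files were found on disk."""
    per_service = defaultdict(
        lambda: {"control_sets": set(), "legacy_sets": set(), "files": []})
    for item in items:
        if m := SERVICE_RE.match(item):
            per_service[m.group(2).lower()]["control_sets"].add(m.group(1))
        elif m := LEGACY_RE.match(item):
            per_service[m.group(2).lower()]["legacy_sets"].add(m.group(1))
        elif m := DRIVER_FILE_RE.match(item):
            per_service[m.group(1).lower()]["files"].append(item)
    return dict(per_service)


def looks_random(service_name):
    """Triage heuristic (an assumption, not a rule): a service stem of eight or more
    letters with almost no vowels is probably generated, not chosen by a vendor.
    Legitimate drivers with short consonant-only names (e.g. mrxsmb.sys) fall under
    the length floor; treat any hit as a reason to look, not as proof."""
    stem = re.sub(r"\.sys$", "", service_name, flags=re.I)
    letters = [c for c in stem.lower() if c.isalpha()]
    if len(letters) < 8:
        return False
    vowels = sum(c in "aeiouy" for c in letters)
    return vowels / len(letters) < 0.1


def summarize_rootkits(log_text):
    """One record per driver service named in a Rootkit.* detection block."""
    report = []
    for threat, items in parse_detections(log_text).items():
        if not threat.lower().startswith("rootkit"):
            continue
        for service, info in driver_persistence(items).items():
            report.append({
                "threat": threat,
                "service": service,
                "control_sets": sorted(info["control_sets"]),
                "legacy_sets": sorted(info["legacy_sets"]),
                "files": info["files"],
                "random_name": looks_random(service),
            })
    return report


if __name__ == "__main__":
    for rec in summarize_rootkits(SAMPLE_LOG):
        print(rec)
```

The useful output is the control-set list: if a later scan reports the service in only one set, the other set still holds a copy and the driver can come back after a Last Known Good boot. The name heuristic is deliberately conservative; a real driver inventory (for example, the file's digital signature and whether the binary exists under system32\drivers) is the stronger check once you have a name to look at.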

#4 Budapest, Bleepin' Cynic (Moderator, 23,579 posts)
Posted 01 September 2008 - 06:06 PM

Your SUPERAntiSpyware log indicates a Rootkit infection. Some of these Rootkit infections can be particularly nasty, and you should probably change any on-line passwords you have, especially banking and other financial passwords.

Update and run the Malwarebytes scan again and post the log.

#5 mambomama, Topic Starter (Members, 7 posts)
Posted 01 September 2008 - 08:35 PM

Thanks again for all your assistance. All afternoon I have been getting virus alerts from F-Secure saying that I have RiskTool.Win32.Reboot (and another RiskTool virus whose name eludes me). Each time I have chosen to delete the file. I ran a full Malwarebytes scan (was finally able to do so) and found two Trojans. Log included in this email.

Let me know what is next :-)

Lynn

Malwarebytes' Anti-Malware 1.25
Database version: 1099
Windows 5.1.2600 Service Pack 3

6:26:28 PM 9/1/2008
mbam-log-09-01-2008 (18-26-28).txt

Scan type: Full Scan (H:\|)
Objects scanned: 139575
Time elapsed: 1 hour(s), 20 minute(s), 26 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
H:\System Volume Information\_restore{2248A41E-B8B2-4AED-809A-21086A02BA2F}\RP1\A0000004.0ll (Trojan.Virantix) -> Quarantined and deleted successfully.
H:\System Volume Information\_restore{2248A41E-B8B2-4AED-809A-21086A02BA2F}\RP1\A0000006.dll (Trojan.Virantix) -> Quarantined and deleted successfully.

#6 Budapest, Bleepin' Cynic (Moderator, 23,579 posts)
Posted 01 September 2008 - 10:24 PM

How's your computer behaving now?

#7 mambomama, Topic Starter (Members, 7 posts)
Posted 01 September 2008 - 11:39 PM

Great, other than about once an hour getting a virus alert from F-Secure for either Rootkit.Win32.Agent.cxe or RiskTool.Win32.Reboot. Not sure what to do about that. I keep saying delete the file, but it is either not deleting or I am somehow getting reinfected. I wish computers built up antibodies and once you got a virus you could never get the same one again...kind of like measles :-)

Lynn

#8 Budapest, Bleepin' Cynic (Moderator, 23,579 posts)
Posted 01 September 2008 - 11:41 PM

Try running a full system scan with F-Secure in Safe Mode.

How to start Windows in Safe Mode

#9 mambomama, Topic Starter (Members, 7 posts)
Posted 02 September 2008 - 07:23 AM

Here is a logfile from a full F-Secure scan I did last night. It was not in safe mode though. I can run it again today in safe mode and post that later. Lynn

Scanning Report
01 September 2008 21:50:06 - 22:56:10

Computer name: FAMILYROOM
Scanning type: Perform full computer check
Target: H:\ + system + rootkits
Result: 1 malware found
Windows (vulnerability)

* REGDATA:HKCR\regfile\shell\open\command\
Action: quarantined

Statistics
Scanned:

* Files: 90012
* Not scanned: 9

Result:

* Viruses: 0
* Spyware: 1
* Suspicious items: 0
* Riskware: 0

Actions:

* Disinfected: 0
* Renamed: 0
* Deleted: 0
* Quarantined: 1
* Failed: 0

Boot Sectors:

* Scanned: 1
* Infected: 0
* Suspicious items: 0
* Disinfected: 0

Files not scanned:

* Cannot open file H:\PAGEFILE.SYS
* Cannot open file H:\WINDOWS\SYSTEM32\CONFIG\DEFAULT
* Cannot open file H:\WINDOWS\SYSTEM32\CONFIG\SAM
* Cannot open file H:\WINDOWS\SYSTEM32\CONFIG\SECURITY
* Cannot open file H:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE
* Cannot open file H:\WINDOWS\SYSTEM32\CONFIG\SYSTEM
* Scanning of H:\DOCUMENTS AND SETTINGS\LYNN\MY DOCUMENTS\MY RECEIVED FILES\WINDOWSXP-KB835935-SP2-ENU.EXE was aborted [F-Secure AVP]
* Scanning of H:\DOCUMENTS AND SETTINGS\LYNN\DESKTOP\SONYA'S FOLDER\BACKUP\SCHOOL\PORTFOLIO\SONYAPORTFOLIO.PPT was aborted [F-Secure Libra]
* Scanning of H:\DOCUMENTS AND SETTINGS\ALL USERS\DOCUMENTS\WINDOWSXP-KB835935-SP2-ENU.EXE was aborted [F-Secure AVP]

Options
Definitions version:

* Viruses: 2008-09-02_04
* Spyware: 2008-09-01_06

Scanning Engines:

* F-Secure AVP: 7.00.171, 2008-09-01
* F-Secure Libra: 2.04.04, 2008-08-28
* F-Secure Orion: 1.02.40, 2008-09-02
* F-Secure Draco: 1.00.35, 2008-07-08
* F-Secure BlackLight: 1.00.68

Scanning options:

* Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB LNK WSF {* PDF ZL? XML ANI AVB BAT CEO CMD JPG LSP MAP MHT MIF PHP POT SWF WMF NWS TAR TGZ

Actions:

* Viruses: Ask after scan
* Spyware: Ask after scan

Error information
"Cannot open file" error occurred:
The "Cannot open file" error message means that the scanner was unable to open a file and that this file was not scanned. You can normally ignore this error message as there are many reasons for this message that do not imply a security threat, including:

* The file was a system file. System files are protected by the operation system by design. You can ignore this message in this case.
* You do not have permission to read the file. To scan the file, log in with a user account with sufficient permissions (for example the computer's administrator account) and rescan.
* The file was in use by an application when the scan was performed. To scan this file, close all applications and rescan.

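The one item F-Secure quarantined in the report above, REGDATA:HKCR\regfile\shell\open\command\, is the command Windows runs when a .reg file is opened. Rogue security products rewrite these shell\open\command defaults so their own binary runs in front of the real program, and a scanner that quarantines the data can also leave the key empty, after which .reg files simply stop opening. The audit below is an added example, not F-Secure's or the forum's code: it compares the regfile, exefile, comfile and batfile defaults against the stock Windows XP values (those expected strings are from my own notes and are an assumption), reads the live keys with the standard-library winreg module when run on Windows, and otherwise runs against a constructed sample whose hijacked value and path are hypothetical.

```python
import sys

# Expected (Default) values of the shell\open\command keys under HKEY_CLASSES_ROOT on a
# stock Windows XP system (an assumption from my own notes, not something the post states).
EXPECTED_COMMANDS = {
    r"regfile\shell\open\command": 'regedit.exe "%1"',
    r"exefile\shell\open\command": '"%1" %*',
    r"comfile\shell\open\command": '"%1" %*',
    r"batfile\shell\open\command": '"%1" %*',
}

# Constructed sample standing in for a hijacked machine: the regfile command points at a
# hypothetical path; the other three are stock.
CONSTRUCTED_SAMPLE = {
    r"regfile\shell\open\command": r'"C:\hypothetical\rogue.exe" "%1"',
    r"exefile\shell\open\command": '"%1" %*',
    r"comfile\shell\open\command": '"%1" %*',
    r"batfile\shell\open\command": '"%1" %*',
}


def normalize(command):
    """Case- and whitespace-insensitive comparison form for a shell command string."""
    return " ".join(command.strip().lower().split())


def audit_shell_commands(observed):
    """Compare observed {subkey: default value or None} against EXPECTED_COMMANDS.

    Returns a list of (subkey, status, observed_value) where status is
    'hijacked' (value differs from stock) or 'missing' (key or default value absent)."""
    findings = []
    for subkey, expected in EXPECTED_COMMANDS.items():
        value = observed.get(subkey)
        if value is None:
            findings.append((subkey, "missing", None))
        elif normalize(value) != normalize(expected):
            findings.append((subkey, "hijacked", value))
    return findings


def read_live_values():
    """Read the real keys with the standard-library winreg module on Windows.

    On any other platform return an empty mapping so the audit can still be exercised
    against CONSTRUCTED_SAMPLE."""
    if sys.platform != "win32":
        return {}
    import winreg
    observed = {}
    for subkey in EXPECTED_COMMANDS:
        try:
            with winreg.OpenKey(winreg.HKEY_CLASSES_ROOT, subkey) as key:
                observed[subkey] = winreg.QueryValueEx(key, "")[0]
        except OSError:
            observed[subkey] = None  # key or default value absent
    return observed


if __name__ == "__main__":
    data = read_live_values() or CONSTRUCTED_SAMPLE
    for subkey, status, value in audit_shell_commands(data):
        print(f"{status:8} HKCR\\{subkey} = {value!r}")
```

Run it after a scanner reports a registry quarantine: a "hijacked" result means the rogue command is still in place, and a "missing" result for regfile is the side effect of the quarantine, fixed by putting the stock string back with regedit. The script only reads; writing the registry is left to the person at the keyboard on purpose, since the exefile value in particular decides whether any program can launch at all.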

#10 quietman7, Bleepin' Janitor (Global Moderator, 51,597 posts, Virginia, USA)
Posted 02 September 2008 - 07:51 AM

MBAM has been updated. Please download and install the most current version of MBAM from here

Perform a new Quick Scan in normal mode and check all items found for removal. Don't forget to reboot afterwards. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. When done, click the Logs tab and copy/paste the contents of the new report in your next reply.
.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#11 mambomama, Topic Starter (Members, 7 posts)
Posted 02 September 2008 - 08:40 AM

Ok, ran update on Malwarebytes, did a quick scan (nothing found) and a reboot. No error messages this time, nor did it tell me that my computer (in any department) had recovered from a serious error...for the first time I did not feel the need to have paramedics standing by :-) Here is the latest log. Lynn

Malwarebytes' Anti-Malware 1.26
Database version: 1103
Windows 5.1.2600 Service Pack 3

9/2/2008 6:32:51 AM
mbam-log-2008-09-02 (06-32-51).txt

Scan type: Quick Scan
Objects scanned: 51245
Time elapsed: 8 minute(s), 14 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#12 quietman7, Bleepin' Janitor (Global Moderator, 51,597 posts, Virginia, USA)
Posted 02 September 2008 - 08:51 AM

Good. That's a clean log.

If there are no more problems or signs of infection, you should Create a New Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been saved in System Restore. Since this is a protected directory that your tools cannot access to delete these files, they can sometimes reinfect your system if you accidentally use an old restore point. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll back" to a clean working state.

The easiest and safest way to do this is:
  • Go to Start > Programs > Accessories > System Tools and click "System Restore".
  • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name, then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
  • Then use Disk Cleanup to remove all but the most recently created Restore Point.
  • Go to Start > Run and type: Cleanmgr
  • Click "Ok"
  • Disk Cleanup will scan your files for several minutes, then open.
  • Click the "More Options" Tab.
  • Click the "Clean up" button under System Restore.
  • Click Ok. You will be prompted with "Are you sure you want to delete all but the most recent restore point?"
  • Click Yes, then click Ok.
  • Click Yes again when prompted with "Are you sure you want to perform these actions?"
  • Disk Cleanup will remove the files and close automatically.

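The Malwarebytes log in post #5 and the restore-point advice in this post are two sides of the same point: both Trojan.Virantix hits sit under System Volume Information\_restore{...}\RP1\, which is the copy System Restore keeps for restore point 1, not a file that runs today, and the "all but the most recent" Disk Cleanup step is what finally discards that copy once a fresh restore point exists. The script below is an added example, not Malwarebytes' or the forum's code: it parses the "Files Infected" section of an MBAM 1.25-style log, separates restore-point copies from live files, reports which restore point numbers are contaminated, and flags entries whose removal is deferred to the next reboot (the reason for the "reboot normally" instruction in post #10). The embedded log is a constructed excerpt built from the two entries posted above plus one hypothetical live-file line.

```python
import re

# Constructed excerpt in the Malwarebytes' Anti-Malware 1.25 log format. The first two
# "Files Infected" entries are the ones posted above; the third is a hypothetical line
# (hypothetical path and detection name) added to show a live file whose removal is
# deferred to the next reboot.
SAMPLE_MBAM_LOG = """\
Malwarebytes' Anti-Malware 1.25
Database version: 1099
Windows 5.1.2600 Service Pack 3

Scan type: Full Scan (H:\\|)

Files Infected:
H:\\System Volume Information\\_restore{2248A41E-B8B2-4AED-809A-21086A02BA2F}\\RP1\\A0000004.0ll (Trojan.Virantix) -> Quarantined and deleted successfully.
H:\\System Volume Information\\_restore{2248A41E-B8B2-4AED-809A-21086A02BA2F}\\RP1\\A0000006.dll (Trojan.Virantix) -> Quarantined and deleted successfully.
H:\\hypothetical\\live_sample.dll (Hypothetical.Sample) -> Delete on reboot.
"""

# "<path> (<detection name>) -> <action>."
ENTRY_RE = re.compile(r"^(?P<path>.+?) \((?P<threat>[^()]+)\) -> (?P<action>.+?)\.?$")
# System Restore keeps copies of changed files under <drive>:\System Volume Information\
# _restore{<GUID>}\RP<n>\, one RP<n> directory per restore point.
RESTORE_RE = re.compile(
    r"\\System Volume Information\\_restore\{[0-9A-F-]+\}\\RP(?P<rp>\d+)\\", re.I)


def parse_files_infected(log_text):
    """Return the entries of the 'Files Infected:' section as dicts (path, threat, action)."""
    entries, in_section = [], False
    for line in log_text.splitlines():
        stripped = line.strip()
        if stripped == "Files Infected:":
            in_section = True
            continue
        if not in_section:
            continue
        if not stripped:
            break  # section ends at the first blank line
        if stripped == "(No malicious items detected)":
            continue
        m = ENTRY_RE.match(stripped)
        if m:
            entries.append(m.groupdict())
    return entries


def classify(entries):
    """Split detections into restore-point copies, live files, and items still pending."""
    summary = {"restore_point_copies": [], "live_files": [], "pending_reboot": []}
    for e in entries:
        m = RESTORE_RE.search(e["path"])
        if m:
            summary["restore_point_copies"].append((int(m.group("rp")), e["path"]))
        else:
            summary["live_files"].append(e["path"])
        if "reboot" in e["action"].lower():
            summary["pending_reboot"].append(e["path"])
    return summary


def contaminated_restore_points(entries):
    """Sorted restore-point numbers that held a detected file."""
    numbers = set()
    for e in entries:
        m = RESTORE_RE.search(e["path"])
        if m:
            numbers.add(int(m.group("rp")))
    return sorted(numbers)


if __name__ == "__main__":
    found = parse_files_infected(SAMPLE_MBAM_LOG)
    print(classify(found))
    print("restore points to discard:", contaminated_restore_points(found))
```

A log whose only hits are restore-point copies is evidence the live system was already clean at scan time, which matches the clean quick scan that followed; any entry in the live-files list, or anything pending a reboot, is what still needs attention before creating the new restore point.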

#13 mambomama, Topic Starter (Members, 7 posts)
Posted 02 September 2008 - 07:58 PM

ok all done, and no virus alerts all day!!! Yeah I think it is fixed :-) Thank you so much for all your excellent help, you guys are awesome.

Lynn

#14 quietman7, Bleepin' Janitor (Global Moderator, 51,597 posts, Virginia, USA)
Posted 03 September 2008 - 06:39 AM

You're welcome.

For Tips to protect yourself against malware and reduce the potential for re-infection, be sure to read:
• "Simple and easy ways to keep your computer safe".
• "How did I get infected?, With steps so it does not happen again!".
• "Best Practices - Internet Safety for 2008".
• "Hardening Windows Security - Part 1 & Part 2".
• "IE Recommended Minimal Security Settings" - "How to Secure Your Web Browser".

• Avoid gaming sites, underground web pages, pirated software sites, and peer-to-peer (P2P) file sharing programs. They are a security risk which can make your computer susceptible to a smörgåsbord of malware infections, remote attacks, exposure of personal information, and identity theft. Many malicious worms and Trojans spread across P2P file sharing networks, gaming and underground sites. Users visiting such pages may see innocuous-looking banner ads containing code which can trigger pop-up ads and Flash ads that install viruses, Trojans and spyware. Ads are a target for hackers because they offer a stealthy way to distribute malware to a wide range of Internet users. The best way to reduce the risk of infection is to avoid these types of web sites and not use any P2P applications. Read P2P Software User Advisories and Risks of File-Sharing Technology.
