I need some help too


17 replies to this topic

#1 anog

Posted 09 June 2009 - 07:22 AM

Hi

My original symptom was not being able to run Regedit, and my web browser running slow when I went near an anti-malware site.

I read your site's instructions about asking for help: not doing anything myself until I was told by one of you. But unfortunately I momentarily forgot the advice and downloaded an anti-malware and ran it.

I ran Malwarebytes' Anti-malware and it surprised me by picking up about 11 objects with malware. I couldn't resist clicking the Do-Something and it went away and did something.

Unfortunately, after starting up again this morning, the annoying "serious error" popup went ahead and popped up.

So here I am. I shall wait this time.

thanks


#2 quietman7, Global Moderator

Posted 09 June 2009 - 09:45 AM

Please post the results of your MBAM scan for review.

To retrieve the Malwarebytes Anti-Malware scan log information, launch MBAM.
  • Click the Logs Tab at the top.
    • The log will be named by the date of scan in the following format: mbam-log-date(time).txt
      -- If you have previously used MBAM, there may be several logs showing in the list.
  • Click on the log name to highlight it.
  • Go to the bottom and click on Open.
  • The log should automatically open in notepad as a text file.
  • Go to Edit and choose Select all.
  • Go back to Edit and choose Copy or right-click on the highlighted text and choose copy from there.
  • Come back to this thread, click Add Reply, then right-click and choose Paste.
  • Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Logs are saved to the following locations:
-- In XP: C:\Documents and Settings\\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs
-- In Vista: C:\Documents and Settings\Users\All Users\Malwarebytes\Malwarebytes' Anti-Malware\Logs


Please download and scan with Dr.Web CureIt - alternate download link.
Follow these instructions for performing a scan in "safe mode".
If you cannot boot into safe mode, then perform your scan in normal mode. Be aware, this scan could take a long time to complete.
-- Post the log in your next reply. If you can't find the log, try to write down what was detected/removed before exiting Dr.Web CureIt so you can provide that information.

Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click the donate button.

#3 anog (Topic Starter)

Posted 10 June 2009 - 06:00 AM

Hi Quietman7,

Thanks for your help. I am able to run both Regedit and Spybot, which before I was not able to run. But I am still getting that popup.

Here is MBAM from 9th June. Spybot deleted some things for me last night after this was run.



Malwarebytes' Anti-Malware 1.37
Database version: 2182
Windows 5.1.2600 Service Pack 3

6/9/2009 1:27:21 AM
mbam-log-2009-06-09 (01-27-21).txt

Scan type: Full Scan (C:\|)
Objects scanned: 207128
Time elapsed: 1 hour(s), 6 minute(s), 22 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 9
Registry Values Infected: 2
Registry Data Items Infected: 4
Folders Infected: 0
Files Infected: 6

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\cuskina.avideo (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{d263b532-c528-49e5-8bb6-80fa67332c9a} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{95e1d855-9232-48f7-80d9-1adb65b7939c} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{7165223d-d2c9-422b-8126-411b11842b8b} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\{95e1d855-9232-48f7-80d9-1adb65b7939c} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{95e1d855-9232-48f7-80d9-1adb65b7939c} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{95e1d855-9232-48f7-80d9-1adb65b7939c} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\WinPC Antivirus (Rogue.WinPCAntivirus) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Bind (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\Control Panel\don't load\scui.cpl (Hijack.SecurityCenter) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\don't load\wscui.cpl (Hijack.SecurityCenter) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32\aux2 (Trojan.JSRedir.H) -> Bad: (C:\WINDOWS\system32\..\ihig.xqi) Good: (wdmaud.drv) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\ihig.xqi (Trojan.JSRedir.H) -> Quarantined and deleted successfully.
c:\WINDOWS\xcxe.tcu (Trojan.Gumblar) -> Quarantined and deleted successfully.
c:\WINDOWS\xpople.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\ieocx.dll (Trojan.BHO) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\regscan.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
c:\documents and settings\Greg Curie\Application Data\asd.bat (Rogue.WinPCDefender) -> Quarantined and deleted successfully.

#4 quietman7, Global Moderator

Posted 10 June 2009 - 07:13 AM

Your Malwarebytes Anti-Malware log indicates you are using an outdated database version. Please update it through the program's interface (preferable method) or manually download the definition updates and just double-click on mbam-rules.exe to install. Your database shows 2182. Last I checked it was 2256.

Mbam-rules.exe is not updated daily. Another way to get the most current database definitions if you're having problems updating through the program's interface or have already manually downloaded the latest definitions (mbam-rules.exe) shown on this page, is to do the following: Install MBAM on a clean computer, launch the program and update through MBAM's interface. Copy the definitions (rules.ref) to a USB stick or CD and transfer that file to the infected machine. Copy rules.ref to the location indicated for your operating system. If you cannot see the folder, then you may have to Reconfigure Windows to show it.
  • XP: C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware
  • Vista: C:\Documents and Settings\Users\All Users\Malwarebytes\Malwarebytes' Anti-Malware
Then perform a new Quick Scan in normal mode and check all items found for removal. Don't forget to reboot afterwards. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. When done, click the Logs tab and copy/paste the contents of the new report in your next reply.

#5 anog (Topic Starter)

Posted 11 June 2009 - 07:31 AM

Hi again

I ran DrWeb last night, following the instructions I think. Here is the log.
I shall get onto Malwarebytes' program and add the log soon.


auto.exe;C:\;Trojan.Xifraud;Deleted.;
c.exe;C:\Documents and Settings\Greg Curie\Local Settings\Temp;Trojan.Packed.2463;Incurable.Moved.;
c-setup.exe;C:\download;Trojan.DownLoader.62741;Deleted.;
A0001014.dll;C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP2;Trojan.DownLoader.59078;Deleted.;
A0006005.exe;C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP3;Trojan.Xifraud;Deleted.;
A0006006.exe;C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP3;Trojan.DownLoader.62741;Deleted.;

#6 quietman7, Global Moderator

Posted 11 June 2009 - 08:23 AM

Ok.

#7 anog (Topic Starter)

Posted 11 June 2009 - 09:13 AM

Ok. Here is MBAM for you.

Now, there is one other thing I would like to mention. MBAM asked me whether to restart and I clicked Yes, and it proceeded to shut the PC down. The bogus screen appeared with blue text, as it has before, and just sat there. So eventually I pressed the reset key and the shutdown went the whole way. The PC did not then proceed to restart itself, which I've noticed happen when I select the Restart item. Now I am wondering whether the bogus screen with blue text got in the way of MBAM doing its restart and whatever it was going to do, because the fake alert popup appeared again after I rebooted.


Malwarebytes' Anti-Malware 1.37
Database version: 2261
Windows 5.1.2600 Service Pack 3

6/11/2009 11:52:30 PM
mbam-log-2009-06-11 (23-52-30).txt

Scan type: Full Scan (C:\|)
Objects scanned: 206901
Time elapsed: 1 hour(s), 6 minute(s), 13 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\system volume information\_restore{987e0331-0f01-427c-a58a-7a2e4aabf84d}\RP2\A0001015.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.

#8 quietman7, Global Moderator

Posted 11 June 2009 - 09:24 AM

Please perform an online scan with Kaspersky WebScanner.
(Requires the free Java Runtime Environment (JRE) to be installed before scanning for malware, as ActiveX is no longer being used.)
  • Click on the ... button.
  • The program will launch and fill in the Information section ... on the left.
  • Read the "Requirements and Limitations" then press the ... button.
  • The program will begin downloading the latest program and definition files.
    It takes a while... please be patient and let it finish.
  • Once the files have been downloaded, click on the ... button.
    In the scan settings make sure the following are selected:
    • Detect malicious programs of the following categories:
      Viruses, Worms, Trojan Horses, Rootkits
      Spyware, Adware, Dialers and other potentially dangerous programs
    • Scan compound files (doesn't apply to the File scan area):
      Archives
      Mail databases
      By default the above items should already be checked.
    • Click the ... button, if you made any changes.
  • Now under the Scan section on the left: Select My Computer
  • The program will start and scan your system. This will run for a while, be patient... let it run.
    Once the scan is complete, it will display if your system has been infected.
  • Save the scan results as a Text file ... save it to your desktop.
  • Copy and paste the saved scan results file in your next reply.


#9 anog (Topic Starter)

Posted 11 June 2009 - 09:54 AM

Your link does not go to a Kaspersky WebScanner but to a Kaspersky File Scan page. There is a WebScanner when I look it up with a search engine...

#10 quietman7, Global Moderator

Posted 11 June 2009 - 10:27 AM

Try again. It should go to this page:
http://www.kaspersky.com/virusscanner

#11 anog (Topic Starter)

Posted 12 June 2009 - 01:41 AM

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0 REPORT
Friday, June 12, 2009
Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Program database last update: Thursday, June 11, 2009 18:42:47
Records in database: 2337631
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\

Scan statistics:
Files scanned: 109732
Threat name: 4
Infected objects: 5
Suspicious objects: 0
Duration of the scan: 04:16:48


File name / Threat name / Threats count
C:\Documents and Settings\<username>\Application Data\Sun\Java\Deployment\cache\6.0\41\529ea6e9-56674eb3 Infected: Trojan-Downloader.Java.OpenStream.ab 1
C:\Documents and Settings\<username>\DoctorWeb\Quarantine\c.exe Infected: Trojan-Downloader.Win32.FraudLoad.vzki 1
C:\gc Technical\x Virus Stuff\xrxegscan.exe Infected: Trojan-Downloader.Win32.Agent.azr 1
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP2\A0001016.exe Infected: Trojan-Downloader.Win32.Agent.azr 1
C:\WINDOWS\SYSTEM32\sfcfiles.dll Infected: Trojan.Win32.Patched.fr 1

The selected area was scanned.

#12 quietman7, Global Moderator

Posted 12 June 2009 - 04:44 AM

You can remove everything from DrWeb's quarantine.

xrxegscan.exe and sfcfiles.dll can be removed with Malwarebytes Anti-Malware which has a built-in FileAssassin feature for removing stubborn malware or other malicious files that it did not detect.
  • Go to the "More Tools" tab and click on the "Run Tool" button
  • Browse to the location of the file to remove using the drop down box next to "Look in:" at the top.
  • When you find the file, click on it to highlight, then select Open.
  • You will be prompted with a warning message: "This file will be permanently deleted. Are you sure you want to continue?" Click Yes.
  • If removal did not require a reboot, you will receive a message indicating the file was deleted successfully.
  • Click Ok and exit MBAM.
  • If prompted to reboot, then do so immediately.
-- If the file returns, then you probably have other malware on your system which is protecting or regenerating it.

Caution: Be careful what you delete. FileAssassin is a powerful program, designed to move highly persistent files. Using it incorrectly could lead to serious problems with your operating system.


To clear the Java cache, do this:
  • Click Start > Settings > Control Panel.
  • Double-click the Java icon.
    - The Java Control Panel appears.
  • Click "Settings" under Temporary Internet Files.
    - The Temporary Files Settings dialog box appears.
  • Click "Delete Files" at the bottom.
    - The Delete Temporary Files dialog box appears with options to delete:
    • Applications and Applets
    • Trace and Log Files
  • Click "OK".
  • Click "OK" on the Temporary Files Settings window.
  • Close the Java Control Panel.
The detected _restore{GUID}\RP***\A00*****.xxx file(s) identified by your scan are in the System Volume Information Folder (SVI) which is a part of System Restore. The *** after RP represents a sequential number automatically assigned by the operating system. The ***** after A00 represents a sequential number where the original file was backed up and renamed except for its extension. To learn more about this, refer to:

System Restore is the feature that protects your computer by creating backups (snapshots saved as restore points) of vital system configurations and files. These restore points can be used to "roll back" your computer to a clean working state in the event of a problem. This makes it possible to undo harmful changes to your system configurations, including registry modifications made by software or malware, by reverting the operating system's configuration to an earlier date. The SVI folder is protected by permissions that only allow the system to have access and is hidden by default on the root of every drive, partition or volume, including most external drives and some USB flash drives. For more detailed information, read System Restore Overview and How it works and How antivirus software and System Restore work together.

System Restore is enabled by default and will back up the good as well as malicious files, so when malware is present on the system it gets included in restore points as an A00***** file. When you scan your system with anti-virus or anti-malware tools, you may receive an alert or notification that a malicious file was detected in the SVI folder (System Restore points) but the anti-virus software was unable to remove it. Since the SVI folder is a protected directory, most anti-virus and scanning tools cannot access it to disinfect or delete these files. If not removed, they sometimes can reinfect your system if you accidentally use an old restore point.

To remove these file(s), the easiest thing to do is Create a New Restore Point to enable your computer to "roll-back" to a clean working state and use Disk Cleanup to remove all but the most recent restore point.
Vista users can refer to these links: Create a New Restore Point in Vista and Disk Cleanup in Vista.
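As an added example (not the thread's or any vendor's code), here is quietman7's triage logic from this and the earlier posts in working form: a parser for the three log formats posted in this thread (MBAM, Dr.Web CureIt, Kaspersky Online Scanner) that separates objects a scanner only reported from restore-point copies, quarantined items and Java cache entries, and flags the Security Center tampering seen in the first MBAM log. The location rules are assumptions drawn from the paths in this thread's logs; the sample lines are copied from the posts above.

```python
"""Triage the three scanner log formats posted in this thread (MBAM, Dr.Web
CureIt, Kaspersky Online Scanner). Added example, not the thread's or any
vendor's code; sample lines are copied from the posts, with Kaspersky's
<username> placeholder kept as posted."""
import re
from dataclasses import dataclass
from typing import List, Optional

MBAM_RE = re.compile(r"^(?P<path>.+?) \((?P<threat>[^()]+)\) -> (?P<rest>.+)$")  # path (threat) -> [Bad/Good ->] action.
DRWEB_RE = re.compile(r"^(?P<name>[^;]+);(?P<dir>[^;]+);(?P<threat>[^;]+);(?P<action>[^;]+);$")  # name;dir;threat;action;
KAV_RE = re.compile(r"^(?P<path>.+?) Infected: (?P<threat>\S+) (?P<count>\d+)$")  # path Infected: threat count

@dataclass
class Finding:
    tool: str
    path: str
    threat: str
    action: str    # what the scanner did; "detected" when it only reported
    location: str  # restore_point | quarantine | java_cache | registry | filesystem

def classify_location(path: str) -> str:
    """Where the object lives decides the cleanup route described in the thread (assumed rules)."""
    p = path.lower()
    if "system volume information\\_restore" in p:
        return "restore_point"   # SVI copy: new restore point + Disk Cleanup
    if "\\doctorweb\\quarantine\\" in p:
        return "quarantine"      # already neutralised; just clear the quarantine
    if "\\sun\\java\\deployment\\cache\\" in p:
        return "java_cache"      # cleared from the Java Control Panel
    return "registry" if p.startswith("hkey_") else "filesystem"

def parse_line(line: str) -> Optional[Finding]:
    line = line.strip()
    if m := DRWEB_RE.match(line):
        path = m["dir"].rstrip("\\") + "\\" + m["name"]
        return Finding("drweb", path, m["threat"], m["action"].rstrip("."), classify_location(path))
    if m := KAV_RE.match(line):
        return Finding("kaspersky", m["path"], m["threat"], "detected", classify_location(m["path"]))
    if m := MBAM_RE.match(line):
        action = m["rest"].split("-> ")[-1].rstrip(".")  # drop the "Bad: (..) Good: (..)" segment
        return Finding("mbam", m["path"], m["threat"], action, classify_location(m["path"]))
    return None  # headers, counters, "(No malicious items detected)", blanks

def triage(lines: List[str]) -> dict:
    """Separate what still needs removing from copies that need no file-level action."""
    out = {"needs_removal": [], "restore_point": [], "quarantine": [],
           "java_cache": [], "security_center_tampered": False}
    for f in filter(None, map(parse_line, lines)):
        if "SecurityCenter" in f.threat:     # alerts were silenced; re-check Security Center after cleanup
            out["security_center_tampered"] = True
        if f.location in ("restore_point", "quarantine", "java_cache"):
            out[f.location].append(f.path)
        elif f.action == "detected":         # reported by the scanner but not removed
            out["needs_removal"].append(f.path)
    return out

SAMPLE = [  # copied from the logs in this thread
    r"HKEY_CURRENT_USER\Control Panel\don't load\wscui.cpl (Hijack.SecurityCenter) -> Quarantined and deleted successfully.",
    r"C:\WINDOWS\ihig.xqi (Trojan.JSRedir.H) -> Quarantined and deleted successfully.",
    r"c.exe;C:\Documents and Settings\Greg Curie\Local Settings\Temp;Trojan.Packed.2463;Incurable.Moved.;",
    r"A0006005.exe;C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP3;Trojan.Xifraud;Deleted.;",
    r"C:\Documents and Settings\<username>\Application Data\Sun\Java\Deployment\cache\6.0\41\529ea6e9-56674eb3 Infected: Trojan-Downloader.Java.OpenStream.ab 1",
    r"C:\Documents and Settings\<username>\DoctorWeb\Quarantine\c.exe Infected: Trojan-Downloader.Win32.FraudLoad.vzki 1",
    r"C:\WINDOWS\SYSTEM32\sfcfiles.dll Infected: Trojan.Win32.Patched.fr 1",
    "(No malicious items detected)",
]
```

Running `triage(SAMPLE)` leaves only sfcfiles.dll under `needs_removal`, which matches the one file quietman7 singles out for FileAssassin from the Kaspersky report.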

#13 anog (Topic Starter)

Posted 13 June 2009 - 08:54 AM

Hi

I think I have done all those things. I shall let you know tomorrow how it has all gone.

The file sfcfiles.dll wasn't in the SYSTEM32 directory when I went looking for it. Some setting is hiding it? Or was it deleted some other way? I was able to remove regscan.exe using MBAM, so that much was as expected.

The webpage for instructions on using Cleanmgr doesn't correspond completely with my version.

Thanks very much for your help. We may be there.

#14 anog (Topic Starter)

Posted 14 June 2009 - 07:05 AM

Hi

My very own pet fake alert has stopped popping up. And I don't get an extra screen of blue text as I am logging off. I am very grateful.

While we are on a roll perhaps some other things might be problemware related? I have a mouse arrow which moves a little every so often. And I have an extra directory in my C:\ drive, C:\737a57273fe6b8e719bea3aa, which doesn't seem to be a MS sort of directory.

thanks
greg c

#15 quietman7, Global Moderator

Posted 14 June 2009 - 05:29 PM

The webpage for instructions on using Cleanmgr doesn't correspond completely with my version.

You are using XP SP3, aren't you? The first link is the one you should be using.
http://bertk.mvps.org/html/diskclean.html

The second one is for Vista.

I have an extra directory in my C:\ drive, C:\737a57273fe6b8e719bea3aa, which doesn't seem to be a MS sort of directory.

Anything inside that folder?

Randomly alpha/numeric-named folders are commonly created and used temporarily when updating Windows components or by some software programs during installation to hold setup files (.inf, .cat, .gpd, .ppd and .dlls). Sometimes these folders/files are removed automatically, but it is not uncommon for them to be left behind after an update or installation has completed. If that's the case, the folder/files can be deleted manually.

For example, when you run the MS Malicious Software Removal Tool (MSRT), a temporary folder named with random alpha/numeric characters (e.g. 79f142e5e9e574d23954) will be created on your C:\ drive that contains mrt.exe, mrtstub.exe and a file named $shtdwn$.req. Most of the time, after performing a scan and clicking finish/cancel, the folder will automatically be removed right away or after the next restart. If not, the folder can be deleted manually without an adverse effect on the computer.
