
Can't install any of the proggies to detect trojan or get assistance?



#1 delray11

delray11

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:10:52 AM

Posted 25 September 2009 - 05:40 AM

Hi, I have tried to follow many of the stuff in the stickies and other areas on this site, but my computer won't let me install any of them, or even use most of my programs, like CCleaner, Eusing, etc. A "cannot execute because this is not a valid Win32" notice keeps coming up.

So, can you direct or redirect me to what I can do? I can run Malwarebytes; somehow it works on my computer, per a friend who told me that you recommended downloading and installing it. I ran it and it got rid of quite a few problems, but obviously there is something terribly wrong for all this to keep happening. So, I could run mbam again and a log will magically appear if that helps any. Anyway, I know there are procedures to follow, but I can't proceed with them the way my computer is responding to all the failed installs and programs that won't load. OK, thanks for listening, hope you can assist me, delray


#2 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,318 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:05:52 PM

Posted 25 September 2009 - 07:32 AM

Hi delray11, and :thumbsup: to BleepingComputer!

Can you please check in MBAM on the Logs tab if there are saved logs there? If so, please post one in which I can see what stuff was deleted.

ROOTREPEAL
-------------
We need to check for rootkits with RootRepeal.
  • Download RootRepeal from the following location and save it to your desktop.
  • Extract RootRepeal.exe from the archive.
  • Open RootRepeal.exe on your desktop.
  • Click the tab shown in the screenshot.
  • Click the button shown in the screenshot.
  • Check all seven boxes (see screenshot).
  • Push Ok.
  • Check the box for your main system drive (usually C:), and press Ok.
  • Allow RootRepeal to run a scan of your system. This may take some time.
  • Once the scan completes, push the button shown in the screenshot. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your next reply, please.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft


#3 delray11

delray11
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:10:52 AM

Posted 28 September 2009 - 01:16 PM

Hi, thanks Elise for responding, appreciate it. Well, it has been a long weekend trying to do stuff without a decent working computer. I got up today and for some reason decided to run Antimalwarebytes again, and the Bagle worm and its other soldiers were still on the computer, even after I followed everyone's directions. I went back to this thread and hope you can still help me. Here is my mbam report, but RootRepeal just crashed my computer, so no dice there. OK, please help me fix this scenario. I think that my whole OS is trashed, though, but with your info and insight I might be able to get it fixed. TIA, delray


P.S. It did delete those reg entries and other stuff on reboot, but I can't boot in safe mode, so that might be adding to the problem, just a bit of info that might explain some other scenes.

Malwarebytes' Anti-Malware 1.41
Database version: 2857
Windows 5.1.2600 Service Pack 3

9/28/2009 1:33:08 PM
mbam-log-2009-09-28 (13-33-01).txt

Scan type: Quick Scan
Objects scanned: 98607
Time elapsed: 5 minute(s), 22 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\111111s1ro1s1a (Worm.Bagle) -> No action taken.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\drvsyskit (Worm.Bagle) -> No action taken.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Documents and Settings\Owner\Application Data\drivers\downld (Worm.Bagle) -> Files: 1094 -> No action taken.

Files Infected:
C:\Documents and Settings\Owner\Application Data\drivers\111wfs1intwq.sys (Worm.Bagle) -> No action taken.
C:\Documents and Settings\Owner\Application Data\drivers\11s11ro1s1a2.sys (Worm.Bagle) -> No action taken.
C:\Documents and Settings\Owner\Application Data\drivers\winupgro.exe (Trojan.Agent) -> No action taken.
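
The MBAM log above follows a fixed layout (a section heading ending in "Infected:", then one detection per line with the threat name in parentheses and the action after "->"). As an added example that is not part of this thread or of Malwarebytes' own tooling, the following Python script parses that format into structured records and does the triage a helper would do by hand: count detections per threat family, flag the persistence points (Run values and service keys), and list every item still marked "No action taken". The sample log is constructed from the detection lines posted above; the section and item patterns are assumptions based on that one log, not a documented MBAM specification.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample: the detection sections of the MBAM 1.41 log posted above.
SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.41
Database version: 2857
Windows 5.1.2600 Service Pack 3

Scan type: Quick Scan
Objects scanned: 98607

Memory Processes Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\111111s1ro1s1a (Worm.Bagle) -> No action taken.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\drvsyskit (Worm.Bagle) -> No action taken.

Folders Infected:
C:\Documents and Settings\Owner\Application Data\drivers\downld (Worm.Bagle) -> Files: 1094 -> No action taken.

Files Infected:
C:\Documents and Settings\Owner\Application Data\drivers\111wfs1intwq.sys (Worm.Bagle) -> No action taken.
C:\Documents and Settings\Owner\Application Data\drivers\winupgro.exe (Trojan.Agent) -> No action taken.
"""


@dataclass(frozen=True)
class Detection:
    category: str              # section heading, e.g. "Registry Values Infected"
    item: str                  # registry path or filesystem path
    threat: str                # MBAM detection name, e.g. "Worm.Bagle"
    action: str                # e.g. "No action taken"
    file_count: Optional[int]  # folders only: the "-> Files: N" count


# Assumed patterns, derived from the log format shown in this thread.
SECTION_RE = re.compile(r"^(?P<name>[A-Za-z ]+ Infected):$")
ITEM_RE = re.compile(
    r"^(?P<item>.+?) \((?P<threat>[^()]+)\)"      # path (threat name)
    r"(?: -> Files: (?P<files>\d+))?"             # optional folder file count
    r" -> (?P<action>[^.]+)\.$"                   # action taken
)

# Registry locations that give malware a foothold across reboots.
PERSISTENCE_HINTS = ("\\CurrentVersion\\Run\\", "\\Services\\")


def parse_mbam_log(text: str) -> List[Detection]:
    """Return one Detection per item line, tracking the current section heading."""
    detections: List[Detection] = []
    section: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        heading = SECTION_RE.match(line)
        if heading:
            section = heading.group("name")
            continue
        # Summary lines ("Files Infected: 3") and scan metadata precede any section.
        if section is None or line.startswith("(No malicious items"):
            continue
        m = ITEM_RE.match(line)
        if not m:
            continue
        files = int(m.group("files")) if m.group("files") else None
        detections.append(Detection(section, m.group("item"), m.group("threat"),
                                    m.group("action"), files))
    return detections


def summarize(detections: List[Detection]) -> Tuple[Counter, List[Detection], List[Detection]]:
    """Count per threat family, flag persistence points, list unresolved items."""
    by_threat = Counter(d.threat for d in detections)
    persistence = [
        d for d in detections
        if d.category.startswith("Registry")
        and any(h.lower() in d.item.lower() for h in PERSISTENCE_HINTS)
    ]
    unresolved = [d for d in detections if d.action == "No action taken"]
    return by_threat, persistence, unresolved


if __name__ == "__main__":
    dets = parse_mbam_log(SAMPLE_LOG)
    by_threat, persistence, unresolved = summarize(dets)
    print("Detections per threat:", dict(by_threat))
    for d in persistence:
        print("Persistence point:", d.item)
    print(f"{len(unresolved)} item(s) still marked 'No action taken'")
```

Run as-is it reports two persistence points (the service key and the Run value) and five unresolved items, which is the detail a helper wants before asking for the next scan: a log where everything reads "No action taken" means the cleanup was never applied, and autostart entries left in place explain why the same files keep coming back.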

#4 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,318 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:05:52 PM

Posted 28 September 2009 - 01:37 PM

Okay, we really need a rootkit scan here, so let's try GMER.

GMER
-------
Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.

  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.

regards, Elise




#5 delray11

delray11
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:10:52 AM

Posted 28 September 2009 - 02:41 PM

Wow, quick reply. Well, something else happened just now. I went to check my messages on Outlook Express and this black screen came up in Japanese or something like that and asked me to click OK. No way. That was after doing GMER. I think the person who wrote and infected with this software knows what we are trying to do to remove it. Here is the GMER log. By the way, whatever bleepingcomputer does telling us to use these proggies, it lets us do it with YOUR VERSIONS, but the ones I downloaded last week, again NO WAY, so right there that should also pinpoint something. Please keep assisting, delray

GMER 1.0.15.15087 - http://www.gmer.net
Rootkit scan 2009-09-28 15:33:46
Windows 5.1.2600 Service Pack 3
Running: 6gc03mu8.exe; Driver: C:\DOCUME~1\Owner\LOCALS~1\Temp\kftdipow.sys


---- Kernel code sections - GMER 1.0.15 ----

? Combo-Fix.sys The system cannot find the file specified. !
? C:\ComboFix\catchme.sys The system cannot find the path specified. !
? C:\WINDOWS\system32\Drivers\PROCEXP90.SYS The system cannot find the file specified. !

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Cdfs \Cdfs DLAIFS_M.SYS (Drive Letter Access Component/Roxio)

---- EOF - GMER 1.0.15 ----

#6 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,318 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:05:52 PM

Posted 28 September 2009 - 02:50 PM

Hi again, I keep track of this topic, so don't worry, we will get this solved eventually :thumbsup:

First of all, a warning. Your GMER log shows you have been using ComboFix. That's not a good idea to do on your own.

Please note: ComboFix is an extremely powerful tool which should only be used when instructed to do so by someone who has been properly trained. ComboFix is intended by its creator to be "used under the guidance and supervision of an expert." It is NOT for private use. Please read Combofix's Disclaimer.

Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again.


Download and run Win32kDiag:

Edited by elise025, 28 September 2009 - 02:50 PM.

regards, Elise




#7 delray11

delray11
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:10:52 AM

Posted 28 September 2009 - 03:41 PM

Hmm, Elise, it doesn't seem to want to work correctly, or is this what you need to know? I will watch my thread a lot more closely. Thanks again for all the help, you are a life and PC saver, delray

Running from: C:\Documents and Settings\Owner\Desktop\Win32kDiag.exe

Log file at : C:\Documents and Settings\Owner\Desktop\Win32kDiag.txt

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...

Finished!

#8 delray11

delray11
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:10:52 AM

Posted 28 September 2009 - 04:02 PM

Oh no, now my Anti Malwarebytes proggie won't work. That was one reliable checker that I could trust. Elise, what is going on? There must be something or someone that wants to stop us from removing this worm and the bad fish that it catches. How come I can't use mbam anymore? Well, will keep checking, just wanted to add this as you never know what an asst. like you can do with more info, ahah, as if you need any more, thanks again, Delray

#9 delray11

delray11
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:10:52 AM

Posted 28 September 2009 - 10:51 PM

Hi, well, I see my helper went home for the night. I did manage to get rid of almost all traces, except (had to be an except) winupgro.exe keeps putting itself back in C:\Documents and Settings\Owner\Application Data\drivers.

Also, the computer is still yo-yoing with CPU usage, and a lot of older proggies like CCleaner and Eusing etc. won't work, not valid Win32 stuff. OK, when Elise gets back, hope she reads this, or other brave assisters, amen, appreciate all the assistance.

P.S. By the way, the person or persons that did this should be tracked down, as this is beyond malicious. However, Microsoft should have developed ways of delivering this evil and relieving users of its offensives. delray

#10 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,318 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:05:52 PM

Posted 29 September 2009 - 01:38 AM

Hi again,

The log you posted was what I wanted to see, and lucky for you it's clean :thumbsup:

Let's do some virus checking here. Note, the scan might take some time. If you are unable to do it in safe mode, just do it in normal mode.

ATF-CLEANER
------------------
Please download ATF Cleaner by Atribune. (This program is for XP and Windows 2000 only.)
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main "Select Files to Delete" choose: Select All.
  • Click the Empty Selected button.
  • If you use the Firefox browser: click Firefox at the top and choose: Select All.
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
  • If you use the Opera browser: click Opera at the top and choose: Select All.
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
  • Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.


DR. WEB CUREIT
----------------------
Please download Dr.Web CureIt and save it to your desktop. DO NOT perform a scan yet.
alternate download link
Note: The file will be randomly named (i.e. 5mkuvc4z.exe).

Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in Safe Mode.

Scan with Dr.Web CureIt as follows:
  • Double-click on the randomly named file to open the program and click Start. (There is no need to update if you just downloaded the most current version.)
  • Read the Virus check by DrWeb scanner prompt and click Ok where asked to Start scan now? Allow the setup.exe to load if asked by any of your security programs.
  • The Express scan will automatically begin.
    (This is a short scan of files currently running in memory, boot sectors, and targeted folders).
  • If prompted to download the Full version Free Trial, ignore and click the X to close the window.
  • If an infected object is found, you will be prompted to move anything that cannot be cured. Click Yes to All. (This will move any detected files to the C:\Documents and Settings\userprofile\DoctorWeb\Quarantine folder if they can't be cured)
  • After the Express Scan is finished, put a check next to Complete scan to scan all local disks and removable media.
  • In the top menu, click Settings > Change settings, and uncheck "Heuristic analysis" under the "Scanning" tab, then click Apply, Ok.
  • Back at the main window, click the green arrow "Start Scanning" button on the right under the Dr.Web logo.
  • Please be patient as this scan could take a long time to complete.
  • When the scan has finished, a message will be displayed at the bottom indicating if any viruses were found.
  • Click Select All, then choose Cure > Move incurable.
  • In the top menu, click file and choose save report list.
  • Save the DrWeb.csv report to your desktop.
  • Exit Dr.Web Cureit when done.
  • Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web in your next reply. (You can use Notepad to open the DrWeb.csv report.)

regards, Elise




#11 delray11

delray11
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:10:52 AM

Posted 29 September 2009 - 08:45 AM

Hi, spent all night running Kaspersky and checking with Antimalwarebytes. I think I finally got rid of the pesky varmint. Computer is running well again. I have to tell you that now that I have been through the fire, the only thing that removes these viruses, worms or trojans is Kaspersky or Eset, along with the powerful proggie with the mbam, yeah, exe. Mostly all of the other assistance I got just loaded programs on my computer that I now have to get rid of. Also, there is a checksum utility that works for this particular pest, but NOWHERE does it show or tell you how to use it properly. I might put up a place on the Net to demonstrate to others how this can be eradicated.

I have to thank Elise and others who might have counseled or helped her with my problem. There must be something in some of these replies that I am missing, though, as I told quite a few people in my other postings that I couldn't boot into safe mode or use a lot of these proggies due to Win32 not valid issues, but no one seemed to listen properly. I think some time should be spent trying to hunt down and lasso those that attach these viruses, trojans, and worms to stuff that infects computers. I mean, all I did was try and make a CD cover for my songs, wow, what a trying 5 days. I will reply to this thread if the threat continues, later, delray

#12 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,318 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:05:52 PM

Posted 29 September 2009 - 09:19 AM

:thumbsup: glad things work fine now. If you need any more assistance please let me know!

As for the safe mode issue... see the quote:

    Note, the scan might take some time. If you are unable to do it in safe mode, just do it in normal mode.


ESET and Kaspersky are indeed both excellent AV scanners. The problem is they are not free. A good freeware alternative is Avira.

regards, Elise

