Antivirus System Pro

15 replies to this topic

#1 sheerin

Posted 26 November 2009 - 02:34 PM

My computer is infected with this "anti virus" software. I tried doing the self removal (http://www.bleepingcomputer.com/virus-removal/remove-antivirus-system-pro) I can download the file but whenever I try to run it I get a "warning" saying that it's infected and asking me if I want to get protection.

My computer is essentially useless now as I can't open any files or programs (not quite sure how I was able to restart firefox, but it seems to be the only thing working).

I'm currently running windows XP (I think SP3).

#2 boopme
  • Global Moderator

Posted 26 November 2009 - 07:35 PM

Hello, run this first then MBAM again.
Please download Rkill by Grinler and save it to your desktop. (Alternate downloads: Link 2, Link 3, Link 4)
  • Double-click on the Rkill desktop icon to run the tool.
  • If using Vista, right-click on it and Run As Administrator.
  • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
  • If not, delete the file, then download and use the one provided in Link 2.
  • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
  • If the tool does not run from any of the links provided, please let me know.
You will need to run the application again if rebooting the computer occurs along the way.


Rerun MBAM (MalwareBytes) like this:

Open MBAM in normal mode and click the Update tab, select Check for Updates; when done,
click the Scanner tab, select Quick scan and scan (normal mode).
After the scan click Remove Selected, post the new scan log and reboot into normal mode.
How do I get help? Who is helping me?
For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....
Become a BleepingComputer fan: Facebook

#3 sheerin
  • Topic Starter

Posted 27 November 2009 - 12:59 PM

I was able to run RKill last night by initiating the program while the computer was still booting, which then allowed me to run both MBAM and Superantispyware. Since then I haven't seen any more signs of the virus.

Malwarebytes' Anti-Malware 1.41
Database version: 2775
Windows 5.1.2600 Service Pack 2

27/11/2009 12:57:03 PM
mbam-log-2009-11-27 (12-57-03).txt

Scan type: Quick Scan
Objects scanned: 107159
Time elapsed: 12 minute(s), 12 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#4 boopme
  • Global Moderator

Posted 27 November 2009 - 04:18 PM

Looks promising except that MBAM did not update.

Rerun MBAM (MalwareBytes) like this:

Open MBAM in normal mode and click the Update tab, select Check for Updates; when done,
click the Scanner tab, select Quick scan and scan (normal mode).
After the scan click Remove Selected, post the new scan log and reboot into normal mode.


Let's also get a second opinion.

I'd like us to scan your machine with ESET OnlineScan
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the Posted Image button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on Posted Image to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the Posted Image icon on your desktop.
  • Check Posted Image
  • Click the Posted Image button.
  • Accept any security warnings from your browser.
  • Check Posted Image
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push Posted Image
  • Push Posted Image, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the Posted Image button.
  • Push Posted Image


#5 sheerin
  • Topic Starter

Posted 27 November 2009 - 10:59 PM

Okay, tried doing the update for MBAM, but it wouldn't let me; it gave an error message with an error code of 732 (0,0).

Tried running the program you just mentioned, first with firefox, it downloaded the program and it started running, but then stopped during installation saying "cannot get update, is proxy configured". I don't have a proxy.

Tried running it through IE, but IE won't connect to the internet.

#6 boopme
  • Global Moderator

Posted 28 November 2009 - 02:43 PM

Possibly a rootkit..
Please download Sophos Anti-rootkit & save it to your desktop.
alternate download link
Note: If using the vendor's download site you will be asked to register with MySophos so an email containing an activation link can be sent to your email address.

Be sure to print out and read the Sophos Anti-Rootkit User Manual and Release Notes.
  • Double-click sar_15_sfx.exe to begin the installation, read the license agreement and click Accept.
  • Allow the default location of C:\Program Files\Sophos\Sophos Anti-Rootkit and click Install.
  • A message will appear "Sophos Anti-Rootkit was successfully installed. Click 'yes' to start it now".
  • Click Yes and allow the driver and its randomly named .tmp file (i.e. F.tmp) to load if asked.
  • If the scan did not start automatically, make sure the following are checked:
    • Running processes
    • Windows Registry
    • Local Hard Drives
  • Click Start scan.
  • Sophos Anti-Rootkit will scan the selected areas and display any suspicious files in the upper panel.
  • When the scan is complete, a pop-up screen will appear with "Rootkit Scan Results". Click OK to continue.
  • Click on the suspicious file to display more information about it in the lower panel which also includes whether the item is recommended for removal.
    • Files tagged as Removable: No are not marked for removal and cannot be removed.
    • Files tagged as Removable: Yes (clean up recommended) are marked for removal by default.
    • Files tagged as Removable: Yes (but clean up not recommended) are not marked for removal because Sophos did not recognize them. These files will require further investigation.
  • Select only items recommended for removal, then click "Clean up checked items". You will be asked to confirm, click Yes.
  • A pop up window will appear advising the cleanup will finish when you restart your computer. Click Restart Now.
  • After reboot, a dialog box displays the files you selected for removal and the action taken.
  • Click Empty list and then click Continue to re-scan your computer a second time to ensure everything was cleaned.
  • When done, go to Start > Run and type or copy/paste: %temp%\sarscan.log
  • This should open the log from the rootkit scan. Please post this log in your next reply. If you have a problem, you can find sarscan.log in C:\Documents and Settings\\Local Settings\Temp\.
Before performing an ARK scan it is recommended to do the following to ensure more accurate results and avoid common issues that may cause false detections.
  • Disconnect from the Internet or physically unplug your Internet cable connection.
  • Clean out your temporary files.
  • Close all open programs, scheduling/updating tasks and background processes that might activate during the scan including the screensaver.
  • Temporarily disable your anti-virus and real-time anti-spyware protection.
  • After starting the scan, do not use the computer until the scan has completed.
  • When finished, re-enable your anti-virus/anti-malware (or reboot) and then you can reconnect to the Internet.


#7 sheerin
  • Topic Starter

Posted 02 December 2009 - 07:52 PM

Been out of town for the past few days so I was only able to do this last night.

Anyway the scan revealed no files that were recommended for deletion.

here's the log:


Sophos Anti-Rootkit Version 1.5.0 © 2009 Sophos Plc
Started logging on 01/12/2009 at 21:12:13 PM
User "Dave Sheerin" on computer "KEPLERIV"
Windows version 5.1 SP 2.0 Service Pack 2 build 2600 SM=0x300 PT=0x1 Win32
Info: Starting process scan.
Info: Starting registry scan.
Info: Starting disk scan of C: (NTFS).
Hidden: file C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
Hidden: file C:\Documents and Settings\Dave Sheerin\Desktop\GraboidVideoSetup.exe
Hidden: file C:\Program Files\Spybot - Search & Destroy\Tools.dll
Hidden: file C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP178\A0040138.dll
Hidden: file C:\Program Files\Spybot - Search & Destroy\advcheck.dll
Hidden: file C:\Program Files\BOINC\projects\setiathome.berkeley.edu\libfftw3f-3-1-1a_upx.dll
Hidden: file C:\Program Files\BOINC\projects\setiathome.berkeley.edu\setiathome_6.03_windows_intelx86.exe
Hidden: file C:\DELL\Utilities\Driver Reset Tool\Driver Reset.exe
Hidden: file C:\Program Files\BOINC\projects\setiathome.berkeley.edu\setigraphics_6.03_windows_intelx86.exe
Hidden: file C:\DELL\mmkey.exe
Hidden: file C:\Program Files\Dell\Media Experience\Extension\WTGames\InstallWT.exe
Hidden: file C:\Program Files\Dell\Media Experience\Extension\WTGames\games\{24C8EE9E-CACE-4C60-8B1F-E2317BC2B510}.exe
Hidden: file C:\Program Files\Dell\Media Experience\Extension\WTGames\games\{24F30DB9-CBD0-420A-B39D-3BB5655E5334}.exe
Hidden: file C:\Program Files\Dell\Media Experience\Extension\WTGames\games\{542A04D2-5975-4FE3-9B47-8A708648CEA9}.exe
Hidden: file C:\Program Files\Dell\Media Experience\Extension\WTGames\games\{6BA84DD0-959B-47F3-A69E-908FA76FB07A}.exe
Hidden: file C:\Program Files\Dell\Media Experience\Extension\WTGames\games\{7034285D-DFC3-42E5-B957-93A2622BC737}.exe
Hidden: file C:\Program Files\Dell\Media Experience\Extension\WTGames\games\{8FDE0001-5FA4-45E6-8BD8-61EDEFE3EFDC}.exe
Hidden: file C:\Program Files\Dell\Media Experience\Extension\WTGames\games\{932A7BED-387F-440F-9C95-F77FC6A4B843}.exe
Hidden: file C:\Program Files\Dell\Media Experience\Extension\WTGames\games\{B661BAD0-C7B4-40A0-AA2E-64612316D766}.exe
Hidden: file C:\Program Files\Dell\Media Experience\Extension\WTGames\games\{BEF6363C-7A4A-421D-903C-24D785FF7B7B}.exe
Hidden: file C:\Program Files\Dell\Media Experience\Extension\WTGames\games\{E98B553D-C3DD-440C-AB4C-DA61E6AF72F4}.exe
Hidden: file C:\Documents and Settings\Dave Sheerin\.housecall6.6\tsc.exe
Hidden: file C:\Program Files\Lavasoft\Ad-Aware\pkarchive85u.dll
Hidden: file C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
Hidden: file C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP191\A0044150.exe
Hidden: file C:\Program Files\BitTornado\wxmsw251h_core_vc.dll
Hidden: file C:\Program Files\Common Files\Nullsoft\Video\ActiveX\plugins\nsvplayx_vp5_mp3.dll
Hidden: file C:\Program Files\Jasc Software Inc\Paint Shop Photo Album\QuickTime\QuickTimeInstaller.exe
Hidden: file C:\Documents and Settings\Dave Sheerin\Desktop\RSIT.exe
Hidden: file C:\Program Files\Trend Micro\HijackThis\Dave Sheerin.exe
Hidden: file C:\Program Files\Firaxis Games\Sid Meier's Civilization 4\Civ4Patch1.52.exe
Hidden: file C:\Documents and Settings\Dave Sheerin\Desktop\misc\silent_hunter_3_dvd_1-1.4b_us.exe
Hidden: file C:\Program Files\ShareDRMusic\ShareDRMusic.exe
Hidden: file C:\Documents and Settings\Dave Sheerin\My Documents\My Games\Warlords\Patch\v208.exe
Hidden: file C:\I386\DPCDLL.DLL
Hidden: file C:\I386\mfc71.dll
Hidden: file C:\Program Files\DivX\DivXPlayerUninstall.exe
Hidden: file C:\Program Files\DivX\DivXBundleUninstall.exe
Hidden: file C:\Documents and Settings\Dave Sheerin\.limewire\.NetworkShare\LimeWireWin4.12.6-nopack.exe
Hidden: file C:\Program Files\VideoLAN\VLC\uninstall.exe
Hidden: file C:\Documents and Settings\Dave Sheerin\Desktop\misc\tcmdpocketarm.exe
Hidden: file C:\Documents and Settings\Dave Sheerin\My Documents\Downloads\anapod_906_tr.exe
Hidden: file C:\Documents and Settings\Dave Sheerin\Desktop\misc\930-enu-xp.exe
Hidden: file C:\Program Files\CCP\EVE\LogServer.exe
Hidden: file C:\Program Files\CCP\EVE\bin\vivoxsdk.dll
Hidden: file C:\Program Files\CCP\EVE\Uninstall.exe
Hidden: file C:\Program Files\Mozilla Firefox\plugins\np_gp.dll
Hidden: file C:\Documents and Settings\Dave Sheerin\My Documents\Downloads\revosetup.exe
Hidden: file C:\Program Files\SonicWALL\SSL-VPN\NetExtender\uninst.exe
Hidden: file C:\Program Files\VS Revo Group\Revo Uninstaller\revouninstaller.exe
Hidden: file C:\Program Files\Xfire\uninst.exe
Hidden: file C:\Program Files\VS Revo Group\Revo Uninstaller\uninst.exe
Hidden: file C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP178\A0040139.exe
Hidden: file C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP178\A0040140.exe
Hidden: file C:\Sierra\Counter-Strike\SierraUp.exe
Hidden: file C:\Sierra\Counter-Strike\SierraPt.dll
Hidden: file C:\WINDOWS\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\ic\dpcdll.dll
Hidden: file C:\WINDOWS\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\ipevldpc.dll
Hidden: file C:\WINDOWS\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\ipseldpc.dll
Hidden: file C:\WINDOWS\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\isdpc.dll
Hidden: file C:\WINDOWS\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\isendpc.dll
Hidden: file C:\WINDOWS\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\knperdpc.dll
Hidden: file C:\WINDOWS\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\knprodpc.dll
Hidden: file C:\WINDOWS\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\kperdpc.dll
Hidden: file C:\WINDOWS\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\kprodpc.dll
Hidden: file C:\WINDOWS\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\msncli.exe
Hidden: file C:\WINDOWS\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\pcl5eres.dll
Hidden: file C:\Program Files\Common Files\Microsoft Shared\PROOF\MSTH3ES.DLL
Hidden: file C:\Program Files\Ubisoft\SilentHunterIII\MODS\13owman's Readable Dial Mod.exe
Hidden: file C:\Program Files\Ubisoft\SilentHunterIII\MODS\Deafult files.exe
Hidden: file C:\Documents and Settings\Dave Sheerin\Desktop\avg_free_stf_en_8_173a1373.exe
Hidden: file C:\Program Files\ATI Technologies\ATI.ACE\MFC71.dll
Hidden: file C:\Program Files\ATI Technologies\ATI.ACE\mfc71u.dll
Hidden: file C:\WINDOWS\SYSTEM32\Macromed\Flash\uninstall_plugin.exe
Hidden: file C:\Program Files\AVSMedia\AudioEditor\AVSWMAFile2.dll
Hidden: file C:\Program Files\AVSMedia\AudioEditor\AVSAudioFile2.dll
Hidden: file C:\Program Files\AVSMedia\AudioEditor\AVSAudioInformation2.dll
Hidden: file C:\Program Files\AVSMedia\AudioEditor\AVSAudioPlayer2.dll
Hidden: file C:\Program Files\AVSMedia\AudioEditor\AVSAudioRecord2.dll
Hidden: file C:\Program Files\AVSMedia\AudioEditor\AVSAudioCDGrabber2.dll
Hidden: file C:\Program Files\AVSMedia\AudioEditor\AVSLangUtil.dll
Hidden: file C:\Program Files\AVSMedia\AudioEditor\AVSAudioTransform2.dll
Hidden: file C:\Program Files\AVSMedia\AudioEditor\AVSVideoFile.dll
Hidden: file C:\Program Files\AVSMedia\AudioEditor\AVSAudioTimeLines.dll
Hidden: file C:\Program Files\AVSMedia\AudioEditor\AVSAudioEditor2.dll
Hidden: file C:\Program Files\AVSMedia\AudioEditor\AVSAudioVisualization2.dll
Hidden: file C:\Program Files\AVSMedia\AudioEditor\AVSAudioEditor.exe
Hidden: file C:\Program Files\AVSMedia\AudioEditor\Registration.exe
Hidden: file C:\Documents and Settings\Dave Sheerin\My Documents\My Games\Warlords\Patch\Patch_213.exe
Hidden: file C:\Program Files\InstallShield Installation Information\{3E4B349F-10B5-4586-9D99-489A90A8B228}\2.13\ISSetup.dll
Hidden: file C:\Program Files\Firaxis Games\Sid Meier's Civilization 4\Civilization4.exe
Hidden: file C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Shared_Assets\locales\en_us\ADB2.EXE
Hidden: file C:\WINDOWS\SYSTEM32\DivX.dll
Hidden: file C:\Program Files\DivX\DivXCodecUninstall.exe
Hidden: file C:\Program Files\DivX\DivX Codec\DivX EKG.exe
Hidden: file C:\Program Files\DivX\ConverterUninstall.exe
Hidden: file C:\Program Files\DivX\DivX Player\DivX Player.exe
Hidden: file C:\Program Files\Mozilla Firefox\plugins\npdivx32.dll
Hidden: file C:\Program Files\Netscape\Netscape\plugins\npdivx32.dll
Hidden: file C:\Program Files\DivX\DivX Web Player\npdivx32.dll
Hidden: file C:\Program Files\DivX\DivXWebPlayerUninstall.exe
Hidden: file C:\Program Files\DivX\DivXContentUploaderUninstall.exe
Hidden: file C:\Program Files\Logitech\SetPoint\Quicktour\QuickTour2.exe
Hidden: file C:\WINDOWS\SYSTEM32\MFC71u.dll
Hidden: file C:\Documents and Settings\Dave Sheerin\Application Data\Adobe\Acrobat\7.0\Updater\AdbeRdr709_en_US.exe
Hidden: file C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP190\A0044071.dll
Hidden: file C:\Program Files\IGN\Download Manager\DLM.exe
Hidden: file C:\Program Files\SecondLife\SecondLife.exe
Hidden: file C:\Program Files\SecondLife\uninst.exe
Hidden: file C:\Program Files\InstallShield Installation Information\{3E4B349F-10B5-4586-9D99-489A90A8B228}\ISSetup.dll
Hidden: file C:\Program Files\Firaxis Games\Sid Meier's Civilization 4\Warlords\Civ4Warlords.exe
Hidden: file C:\Documents and Settings\Dave Sheerin\Application Data\.BitTornado\datacache\61c887ed012d6a9784356f50ca80c497212e1625
Hidden: file C:\Documents and Settings\Dave Sheerin\My Documents\Downloads\rkill.com
Hidden: file C:\Program Files\Mozilla Firefox\pev.exe
Hidden: file C:\Documents and Settings\Dave Sheerin\My Documents\Downloads\rkill(2).com
Hidden: file C:\Documents and Settings\Dave Sheerin\My Documents\Downloads\mbam-setup.exe
Hidden: file C:\Documents and Settings\Dave Sheerin\Desktop\spybotsd160.exe
Hidden: file C:\Documents and Settings\Dave Sheerin\Desktop\EVE_Premium_Setup_85476.exe
Hidden: file C:\Documents and Settings\Dave Sheerin\Desktop\Google Updater.exe
Hidden: file C:\Documents and Settings\Dave Sheerin\Desktop\sar_15_sfx.exe
Hidden: file C:\Program Files\Common Files\Apple\Mobile Device Support\bin\YahooSync.exe
Hidden: file C:\WINDOWS\SYSTEM32\msdelta.dll
Hidden: file C:\WINDOWS\SYSTEM32\DLLCACHE\wmploc.dll
Hidden: file C:\WINDOWS\SYSTEM32\wmploc.dll
Hidden: file C:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\NlsLexicons0009.dll
Hidden: file C:\Documents and Settings\All Users\Application Data\avg8\update\backup\avgcorex.dll
Hidden: file C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP175\A0038978.dll
Hidden: file C:\Documents and Settings\Dave Sheerin\Desktop\PokerStarsInstall.exe
Hidden: file C:\Program Files\PartyGaming\PartyPoker\Uninstall.exe
Hidden: file C:\Documents and Settings\Dave Sheerin\Application Data\SopCast\adv\SopAdver.exe
Hidden: file C:\Program Files\SopCast\uninst.exe
Hidden: file C:\WINDOWS\$SQLUninstallMDAC28-KB911562-x86-ENU$\spuninst\SQLSTPCustomDLL.dll
Hidden: file C:\WINDOWS\$NtServicePackUninstall$\dpcdll.dll
Hidden: file C:\WINDOWS\ServicePackFiles\i386\ipevldpc.dll
Hidden: file C:\WINDOWS\ServicePackFiles\i386\ipmntdpc.dll
Hidden: file C:\WINDOWS\ServicePackFiles\i386\xpsp2res.dll
Hidden: file C:\WINDOWS\ServicePackFiles\i386\dpcdll.dll
Hidden: file C:\WINDOWS\SYSTEM32\MUI\041e\xpsp2res.dll
Hidden: file C:\WINDOWS\SYSTEM32\dpcdll.dll
Info: Starting disk scan of F: (NTFS).
Stopped logging on 01/12/2009 at 22:49:22 PM



I'm still unable to use any web browser other than Firefox.

#8 Monkeymshr21

Posted 02 December 2009 - 09:17 PM

Sheerin, do you have other programs, like iTunes, that you can test to see if you can use internet connection? Like the iTunes store or updates for software?

#9 quicksix

Posted 02 December 2009 - 09:28 PM

Hello guys,

I am having this exact problem, running all the same, XP. Will try this and hope for the best.

Thanks I hope..

Jeff

#10 AshevilleHawker

Posted 02 December 2009 - 11:06 PM

You can't connect to MBAM to update because you need to disable the proxy server first.
Read the instructions to do that here.
http://www.bleepingcomputer.com/virus-remo...irus-system-pro
Then run MBAM.

When you are done the main virus will be gone but you probably still have the rootkit.
You will know if you can't boot to safe mode.
There is no BleepingComputer solution to the rootkit yet, but I solved it this way.
See my 2nd entry solution (the first one was how I got rid of the virus):
http://www.bleepingcomputer.com/forums/t/275317/probable-rootkit-left-over-from-other-virus/

#11 Monkeymshr21

Posted 03 December 2009 - 12:02 AM

I also have the same problem, I got rid of Antivirus System Pro, but cannot connect to programs that require internet or updates, but I can still access the internet perfectly.

#12 sheerin
  • Topic Starter

Posted 04 December 2009 - 04:34 PM

Ran RKill and ran the updated MBAM; it found nothing.

Malwarebytes' Anti-Malware 1.42
Database version: 3292
Windows 5.1.2600 Service Pack 2
Internet Explorer 7.0.5730.13

04/12/2009 4:11:06 PM
mbam-log-2009-12-04 (16-11-06).txt

Scan type: Full Scan (C:\|F:\|)
Objects scanned: 249393
Time elapsed: 1 hour(s), 20 minute(s), 29 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#13 AshevilleHawker

Posted 04 December 2009 - 06:04 PM

Sheerin,

If Firefox works but IE does not and MBAM will not update, it really does sound like you need to disable the proxy server still. This is a known leftover from the virus and is easy to fix.
Again, read steps 3 through 6 from here:
http://www.bleepingcomputer.com/virus-remo...irus-system-pro

That should get the net working.

Did you check that step yet?

When you're done, try to boot to safe mode. If you can't, then you still have one more step to remove this virus as your ATAPI.sys will be bad. MBAM does not detect this problem though.
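
The proxy check that posts #10 and #13 point to, as an added PowerShell example that is not part of this thread or of the BleepingComputer removal guide. It reads the per-user WinINET proxy values that Internet Explorer and other programs using the system proxy settings honour, reports them, and with -Fix clears them. The registry path and value names are standard Windows ones; the decision rule (any enabled proxy or auto-config URL on a machine whose owner says none was ever configured is a leftover to remove) and the -Fix switch are assumptions of this example.

```powershell
# Added example, not from the thread: report and optionally clear the
# per-user WinINET proxy configuration that Internet Explorer and other
# programs using the system proxy settings honour. Firefox keeps its own
# proxy configuration, which is why it can keep working while IE does not.
# Run as the affected user; written for Windows PowerShell 2.0 and later.
param(
    [switch]$Fix   # clear the proxy values instead of only reporting them
)

$InternetSettings = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'

function Get-WinInetProxy {
    # Values that are not present simply come back as $null.
    $p = Get-ItemProperty -Path $InternetSettings
    New-Object PSObject -Property @{
        ProxyEnable   = $p.ProxyEnable
        ProxyServer   = $p.ProxyServer
        ProxyOverride = $p.ProxyOverride
        AutoConfigURL = $p.AutoConfigURL
    }
}

function Test-UnexpectedProxy($state) {
    # Assumption of this example: the user says no proxy was ever configured,
    # so an enabled proxy server or an auto-config URL is a leftover to remove.
    return (($state.ProxyEnable -eq 1 -and $state.ProxyServer) -or [bool]$state.AutoConfigURL)
}

function Clear-WinInetProxy {
    # Turn the proxy off and drop the server/override/PAC entries.
    Set-ItemProperty -Path $InternetSettings -Name ProxyEnable -Value 0 -Type DWord
    foreach ($name in 'ProxyServer', 'ProxyOverride', 'AutoConfigURL') {
        Remove-ItemProperty -Path $InternetSettings -Name $name -ErrorAction SilentlyContinue
    }
}

$before = Get-WinInetProxy
Write-Host "Current WinINET proxy settings for ${env:USERNAME}:"
$before | Format-List ProxyEnable, ProxyServer, ProxyOverride, AutoConfigURL

if (-not (Test-UnexpectedProxy $before)) {
    Write-Host 'No proxy or auto-config URL is enabled; WinINET connects directly.'
} elseif ($Fix) {
    Clear-WinInetProxy
    Write-Host 'Proxy settings cleared. Close and reopen Internet Explorer so the change takes effect, then retry the MBAM update.'
    Get-WinInetProxy | Format-List ProxyEnable, ProxyServer, AutoConfigURL
} else {
    Write-Warning 'A proxy is enabled that you say you never set. Re-run with -Fix to clear it, then retry the MBAM update.'
}
```

Run it once without -Fix to see what is set; the report alone tells you whether Internet Explorer and the MBAM updater are being sent through a proxy. If the values are not yours, run it again with -Fix and then repeat the update.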

#14 sheerin
  • Topic Starter

Posted 04 December 2009 - 06:19 PM

The proxy has been disabled, and IE, iTunes etc. are working. However, iTunes only worked after I ran RKill again.

MBAM was updated, but the updated search revealed nothing.

#15 AshevilleHawker

Posted 05 December 2009 - 02:00 PM

Good, you're doing better, but the fact that iTunes does not work without killing processes concerns me.

Now we need to check if you have the other component that your virus left. MBAM will not detect this leftover.

There are two ways to check. One is to try to boot to safe mode. If that doesn't work you have the other part of this virus still.

The other way is as follows.
  • Right click on My Computer and select Manage.
  • Click on Event Viewer.
  • Click on System.
  • Scroll through any red error flags from the last few times you booted your computer.
  • If any from source FDISK have event id 45 or 49 there is still more work to do to remove all of the virus.
My way to fix it is rather complex, so just report back if you see that in there and perhaps a PB pro can give you more guidance.

Hawker
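
The Event Viewer check Hawker describes, as an added PowerShell example that is not part of this thread. It pulls Error entries from the System log over a lookback window and lists any with event ID 45 or 49 from the source the post names. The post spells the source FDISK; the Windows XP volume driver that logs these two crash-dump errors is Ftdisk, so the filter accepts either spelling. The event IDs and their interpretation come from the post; the 14-day window, the Ftdisk spelling and the use of event 6005 (Event Log service start) to mark boots are assumptions of this example.

```powershell
# Added example, not from the thread: look for the System-log errors the post
# describes as a sign that the infected disk driver is still in place.
# Event IDs 45 and 49 are taken from the post; the source is matched as
# "FDISK" (the post's spelling) or "Ftdisk" (the XP driver that logs them).
param(
    [datetime]$Since = (Get-Date).AddDays(-14)   # lookback window; assumption of this example
)

$SuspectIds = 45, 49

function Get-SuspectDiskEvents([datetime]$after) {
    # Only red (Error) entries, as the post says, from the named source.
    Get-EventLog -LogName System -EntryType Error -After $after |
        Where-Object {
            ($SuspectIds -contains $_.EventID) -and ($_.Source -match '^(ftdisk|fdisk)$')
        }
}

function Get-BootTimes([datetime]$after) {
    # "The Event log service was started" (ID 6005) marks each boot; shown so
    # the suspect errors can be tied to the boots they occurred during.
    Get-EventLog -LogName System -After $after |
        Where-Object { $_.EventID -eq 6005 } |
        ForEach-Object { $_.TimeGenerated }
}

$hits = @(Get-SuspectDiskEvents $Since)

if ($hits.Count -eq 0) {
    Write-Host "No FDISK/Ftdisk event 45 or 49 errors in the System log since $Since."
    Write-Host 'Still run the other test from the post: try booting into Safe Mode.'
} else {
    Write-Warning ("{0} matching error(s) found; per the post, more cleanup is needed." -f $hits.Count)
    $hits | Sort-Object TimeGenerated -Descending |
        Select-Object TimeGenerated, Source, EventID, Message |
        Format-Table -AutoSize -Wrap
    Write-Host 'Boots in the same window (Event Log service start, ID 6005):'
    Get-BootTimes $Since | Sort-Object -Descending | ForEach-Object { "  $_" }
}
```

The script only reads the log, so it is safe to run before deciding on any further cleanup; a match is the same evidence Hawker asks the reader to look for by hand in Event Viewer, with the boot times listed so you can see whether the errors recur on every start.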
