Antivirus Soft Infection


This topic is locked
7 replies to this topic

#1 torontogirl
  • Members
  • 5 posts

Posted 27 March 2010 - 12:07 AM

Hi everyone,
Okay so recently, I've started getting all these notifications saying that my computer is infected. I keep getting an error message that says "the application cannot be executed. the wltuser.exe file is infected". Basically, I get the same message anytime I try to open some application. It won't even let me open my task manager or my Symantec antivirus! Also, random internet sites start opening on their own when I am not even using Internet Explorer! There is a green shield with a checkmark that keeps giving me a Windows security alert stating that my computer is infected and that I should scan my computer. When I click on it, it takes me to a site where it asks me to purchase the antivirus soft infection. Through a Google search, I found a thread on this forum with a person experiencing a similar problem. I tried to follow the instructions on that thread. I downloaded rkill but when I double click on it, I get the following message: "Application cannot be executed. the file rkill.exe is infected".
I also tried to restart my computer in safe mode but it just went to a blue screen with a message saying that Windows experienced a fatal error and must shut down immediately (something along those lines).
Other relevant information: I have Windows XP. I have two antivirus programs: Symantec Antivirus and McAfee. McAfee isn't up to date. Also, I downloaded a bunch of stuff online including rcure, Malwarebytes, and RegCure. Again, I cannot open any of these and get the same message every single time.
I would really appreciate it if someone could help me get rid of the virus!
Thanks,
Tg



#2 Blade
    Strong in the Bleepforce
  • Site Admin
  • 12,704 posts
  • Gender:Male
  • Location:US

Posted 27 March 2010 - 12:13 AM

Hello, and welcome to the Malware Removal forum! My online alias is Blade Zephon, or Blade for short, and I will be assisting you with your malware issues!

In the upper right hand corner of the topic you will see a button called Options. If you click on this in the drop-down menu you can choose Track this topic. By doing this and then choosing Immediate E-Mail notification and then clicking on Proceed you will be advised when we respond to your topic and facilitate the cleaning of your machine.

Before we begin cleaning your machine, I'd like to lay out some guidelines for us to follow while we are working together.
  • I will be assisting you with your malware issues. This may or may not resolve other problems you are having with your computer. If you are still having problems after your machine has been determined clean, I will be glad to direct you to the proper forum for assistance.
  • Even if things appear better, that does not mean we are finished. Please continue to follow my instructions until I give you the all clean. Absence of symptoms does not mean that all the malware has been removed. If a piece of the infection is left, it can regenerate and reinfect your machine.
  • Attention to detail is important! Since I cannot see or directly interact with your computer I am dependent on you to "be my eyes" and provide as much information as you can regarding the current state of your computer.
  • I ask that you please refrain from running tools other than those I suggest to you while I am cleaning up your computer. The reason for this is so I know what is going on with the machine at any time. If you act independently it will cause changes to your system that I will not be aware of, which will make the process of cleaning the machine a much slower and more difficult process. Additionally, some programs can interfere with others and hamper the recovery process.
  • Please perform all steps in the order received. If you are unsure or confused about any instructions I give you, you should ask me to clarify before doing anything. Additionally, if you run into any problems while carrying out instructions, you should STOP and reply back here explaining what happened.
  • After 5 days if a topic is not replied to we assume it has been abandoned and it is closed. If you need additional time, that is perfectly alright; you just need to let us know beforehand.
***************************************************

Please perform the following steps below so we can have a look at the current condition of your machine.

You will need a clean computer to create this disc...

Print these instructions out so that you know what you are doing.

After you have successfully burned the OTLPE ISO to disc you will need to transfer the disc to the CD drive of your sick computer and boot from it.
  • Insert the CD-ROM into the CD-ROM drive, and then restart the computer.
  • If your PC is not booting from the CD, you need to change the boot order:
    • Restart your PC
    • As soon as you get an image, press the Setup key. This is usually F2, or Del. On some machines the key can also be a different one. It should, however, be stated on the screen which key is the setup key.
    • Once you enter the computer's BIOS, use the arrow keys and tab key to move between elements. Press enter to select an item to change.
    • Navigate to the tab, where you can set the boot order. It should be called Boot or Boot order
    • The tab should now show your current boot order.
      If the CD drive is not at the top, please navigate to the CD-ROM drive with the arrow keys. Then move it to the top of the list. The keys for switching boot position are usually + to move up and - to move down. However, they can be different, but they should be stated in the help, so that you can find them easily.
    • Once the CD-drive is on top of the boot order, navigate to Exit and select Exit saving changes.
    • Your PC should now boot from your CD.
    • Click to select any options that are required to start the computer from the CD-ROM drive if you are prompted.
  • Please be patient as "Windows" loads
  • Your system should now display a REATOGO-X-PE desktop.
  • Double click on the icon on your desktop.
  • When asked "Do you wish to load the remote registry", select Yes
  • When asked "Do you wish to load remote user profile(s) for scanning", select Yes
  • Ensure the box "Automatically Load All Remaining Users" is checked and press OK
  • OTL should now start. Change the following settings
    • Under "Extra Registry" please check "Use Safelist" and also check "LOP Check" and "Purity Check" as pictured.
    • Copy and Paste the following code into the textbox. Do not include the word "Code"

      Please note: Double click the Firefox Icon on the desktop to connect to this thread if you have a Wired connection otherwise you can use a flash drive and copy this script into a txt file from a clean computer to transfer to this computer.

      CODE
      netsvcs
      msconfig
      safebootminimal
      safebootnetwork
      activex
      drivers32
      %ALLUSERSPROFILE%\Application Data\*.
      %ALLUSERSPROFILE%\Application Data\*.exe /s
      %APPDATA%\*.
      %APPDATA%\*.exe /s
      %SYSTEMDRIVE%\*.exe
      /md5start
      eventlog.dll
      scecli.dll
      netlogon.dll
      cngaudit.dll
      sceclt.dll
      ntelogon.dll
      logevent.dll
      iaStor.sys
      nvstor.sys
      atapi.sys
      IdeChnDr.sys
      viasraid.sys
      AGP440.sys
      vaxscsi.sys
      nvatabus.sys
      viamraid.sys
      nvata.sys
      nvgts.sys
      iastorv.sys
      ViPrt.sys
      eNetHook.dll
      ahcix86.sys
      KR10N.sys
      nvstor32.sys
      ahcix86s.sys
      /md5stop
      %systemroot%\*. /mp /s
      %systemroot%\system32\*.dll /lockedfiles
    • Push
    • When finished, the file will be saved in drive C:\OTL.txt
    • Please post the contents of the C:\OTL.txt file in your next reply.
    • Copy this file to your USB drive if you do not have an internet connection.
~Blade

Edited by Blade Zephon, 27 March 2010 - 12:13 AM.


If I am helping you, it has been 48 hours since your last post, and I have yet to reply to your topic, please send me a PM


#3 torontogirl
  • Topic Starter
  • Members
  • 5 posts

Posted 27 March 2010 - 12:18 AM

I have a question regarding this part:
"Insert the CD-ROM into the CD-ROM drive, and then restart the computer."

Do I need a blank CD for this?

#4 torontogirl
  • Topic Starter
  • Members
  • 5 posts

Posted 28 March 2010 - 02:33 AM

Hi,
So I somehow managed to open the task manager and closed the Antivirus Soft program, so I am not getting the notifications right now, but I still have to get rid of the virus permanently before I start getting the annoying notifications again. Right now, I have access to the programs without getting the "the application cannot be executed. the file _______.exe is infected" error messages. I am scanning my computer using Symantec. So far, it hasn't found anything and I am not sure if it will detect the virus. I don't think there is any need to burn a CD anymore. So, can you please give me different instructions?
Thanks

#5 torontogirl
  • Topic Starter
  • Members
  • 5 posts

Posted 28 March 2010 - 11:00 AM

Hey,
I did the malwarebytes scan last night. It found 9 threats. It removed some and asked me to restart my computer in order to remove the others. When my computer restarted, I started getting the notifications from antivirus soft again. Anyways, here is the mbam log that was created:
Malwarebytes' Anti-Malware 1.43
Database version: 3458
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

3/28/2010 11:39:33 AM
mbam-log-2010-03-28 (11-39-33).txt

Scan type: Full Scan (C:\|D:\|E:\|)
Objects scanned: 256930
Time elapsed: 3 hour(s), 23 minute(s), 35 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 1
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 4

Memory Processes Infected:
C:\WINDOWS\msa.exe (Trojan.Agent) -> Failed to unload process.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\XML (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\roua3o12pw (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\Tasks\{66BA574B-1E11-49b8-909C-8CC9E0E8E015}.job (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\msa.exe (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\spool\prtprocs\w32x86\00002a62.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.

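As an added example (not from the thread and not Malwarebytes' own code), a small Python parser for the MBAM 1.43 log layout quoted above: it pulls each detection with its family and final action, so the items the scan could not finish with (here msa.exe, both as a running process and as a file scheduled for "Delete on reboot") stand out from the ones that were quarantined. The sample log is a constructed excerpt of the entries in the post.

```python
import re

# Constructed excerpt in the Malwarebytes' Anti-Malware 1.43 log layout quoted in the thread
SAMPLE_LOG = r"""
Malwarebytes' Anti-Malware 1.43

Memory Processes Infected:
C:\WINDOWS\msa.exe (Trojan.Agent) -> Failed to unload process.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\msa.exe (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\Tasks\{66BA574B-1E11-49b8-909C-8CC9E0E8E015}.job (Trojan.Downloader) -> Quarantined and deleted successfully.
"""

SECTION_RE = re.compile(r"^([A-Za-z ]+ Infected):$")      # e.g. "Files Infected:"
DETECTION_RE = re.compile(r"^(.+?) \(([^()]+)\) -> (.+)$")  # item (Family) -> action(s)
DONE = "Quarantined and deleted successfully."

def parse_mbam_log(text):
    """Return one (section, item, family, final_action) tuple per detection line."""
    detections, section = [], None
    for line in (raw.strip() for raw in text.splitlines()):
        sec = SECTION_RE.match(line)
        if sec:
            section = sec.group(1)
            continue
        # Skip the header (no section yet), blanks and "(No malicious items detected)";
        # the summary counts ("Files Infected: 4") never match SECTION_RE.
        if section is None or not line or line.startswith("("):
            continue
        det = DETECTION_RE.match(line)
        if det:
            # registry data lines chain several "->" segments; the last one is the outcome
            detections.append((section, det.group(1), det.group(2),
                               det.group(3).split(" -> ")[-1].strip()))
    return detections

def unresolved(detections):
    """Detections MBAM could not finish during the scan; these explain why symptoms return."""
    return [d for d in detections if d[3] != DONE]

if __name__ == "__main__":
    found = parse_mbam_log(SAMPLE_LOG)
    print(f"{len(found)} detections, {len(unresolved(found))} not fully removed")
    for section, item, family, action in unresolved(found):
        print(f"  [{section}] {item} ({family}): {action}")
```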

#6 torontogirl
  • Topic Starter
  • Members
  • 5 posts

Posted 28 March 2010 - 11:34 AM

There are 8 objects in the quarantine, which means only one did not get removed, which is why I still got notifications from Antivirus Soft after restarting my computer.

#7 Blade
    Strong in the Bleepforce
  • Site Admin
  • 12,704 posts
  • Gender:Male
  • Location:US

Posted 29 March 2010 - 11:13 PM

Hello torontogirl.

Sorry for the delay in reply.

Please carry out the instructions as laid out in Post 2.

We will attack the infection that way.

~Blade

In your next reply, please include the following:
OTLPE Log



#8 Blade
    Strong in the Bleepforce
  • Site Admin
  • 12,704 posts
  • Gender:Male
  • Location:US

Posted 05 April 2010 - 12:23 PM

Due to lack of feedback, this topic is now Closed

If you need this topic reopened, please send me a PM.
Please include the address of this thread in your request.
This applies only to the original topic starter.

Everyone else please start a new topic.

~Blade





