Vista all exe files show infected, will not run anything


14 replies to this topic

#1 bleepedindeed
  • Members
  • 46 posts

Posted 20 April 2010 - 02:08 AM

I guess I must have browsed in the wrong place. Now upon boot up the first thing you notice is the weather gadget says "service not available". Windows Security alert pops up from taskbar-"Application cannot be executed. The file searchprotocolhost.exe is infected. Do you want to activate your antivirus software now?"
I also get a window on the lower right titled "Antivirus software alert"-your computer is being attacked by an internet virus. It could be a password-stealing attack, a trojan - dropper or similar. Details Attack from 195.204.42.231 Port 25500
Attacked port: 25500 Threat: BankerFox.a(for example, there are others).
These alerts also open a box dead center on the screen: Attention! Spyware Alert - Vulnerabilities found. The most recent one lists 34 threats and gives me the option of activating "my" antivirus software. Firefox does not work, IE 8 goes to adult.com, viagra.com, etc. My new Home Page is not Google, but "http://alphaantivir.microsoft.com/block.php?r=69.1100&pgid=1" - visiting this website may harm your computer.
Windows Security Center opens, asks me to check settings on malware protection.
The affected PC is a dual boot XP/Vista machine, XP is unaffected.
I do not have any up to date AV program, which is why I am here.
Any assistance would be appreciated!

Edited by bleepedindeed, 21 April 2010 - 12:13 AM.



#2 boopme
    To Insanity and Beyond
  • Global Moderator
  • 73,220 posts
  • Gender:Male
  • Location:NJ USA

Posted 20 April 2010 - 12:54 PM

Hello and welcome... You need to do all the steps.
Please follow our Removal Guide here How to remove XP Security Tool 2010,

You will move to the Automated Removal Instructions

After you have completed that, post your scan log here and let me know how things are.
The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.

Try to install, update and scan with this free AV... Antivir

Edited by boopme, 20 April 2010 - 12:57 PM.

How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#3 Eric ~ Computer Guy
  • Members
  • 125 posts
  • Gender:Male
  • Location:Dallas, TX

Posted 20 April 2010 - 01:36 PM

Don't forget that IS2010, and most other rogues, can come with the TDSS rootkit. The removal of the rogue itself may not be enough.

Edited by boopme, 20 April 2010 - 07:53 PM.
Removed quote of what was already read.


#4 bleepedindeed
  • Topic Starter
  • Members
  • 46 posts

Posted 20 April 2010 - 05:59 PM

I never said yes to the installation of the AV software, if it matters. I have several times tried to run fixexe.reg, it gets blocked by the malware. I saw somewhere else an Avira Linux based CD, is that my next step?

#5 boopme
    To Insanity and Beyond
  • Global Moderator
  • 73,220 posts
  • Gender:Male
  • Location:NJ USA

Posted 20 April 2010 - 08:06 PM

We'll get to TDSS.

Can you run rkill.com Download Link

Once it is downloaded, double-click on the rkill.com in order to automatically attempt to stop any processes associated with this and other Rogue programs. Please be patient while the program looks for various malware programs and ends them. When it has finished, the black window will automatically close and you can continue with the next step. If you get a message that rkill is an infection, do not be concerned. This message is just a fake warning given by the malware when it terminates programs that may potentially remove it. If you run into these infection warnings that close Rkill, a trick is to leave the warning on the screen and then run Rkill again. By not closing the warning, this typically will allow you to bypass the malware trying to protect itself so that rkill can terminate the rogue. So, please try running Rkill until the malware is no longer running. You will then be able to proceed with the rest of the guide. If you continue having problems running rkill.com, you can download iExplore.exe or eXplorer.exe, which are renamed copies of rkill.com, and try them instead.

Do not reboot your computer after running rkill as the malware programs will start again.


Now you should download Malwarebytes' Anti-Malware, or MBAM and proceed in the Guide.

Were you able to download the AntiVir and run that? Tried Safe mode with Networking?

Edited by boopme, 20 April 2010 - 08:08 PM.


#6 bleepedindeed
  • Topic Starter
  • Members
  • 46 posts

Posted 21 April 2010 - 01:16 AM

Rkill ran quickly, only one file found. I ran it twice, to be sure. Malwarebytes wanted a reboot, IE8 did not function before or after reboot. Firefox works. I am going to run Avira next, but here is the Malwarebytes log:

Malwarebytes' Anti-Malware 1.45
www.malwarebytes.org

Database version: 4014

Windows 6.0.6001 Service Pack 1
Internet Explorer 8.0.6001.18828

4/21/2010 2:08:05 AM
mbam-log-2010-04-21 (02-08-05).txt

Scan type: Full scan (C:\|D:\|E:\|F:\|G:\|H:\|K:\|)
Objects scanned: 293364
Time elapsed: 47 minute(s), 47 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 0
Registry Keys Infected: 4
Registry Values Infected: 3
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 4

Memory Processes Infected:
F:\Windows\asam.exe (Trojan.Agent) -> Unloaded process successfully.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\avsuite (Rogue.AntivirusSuite) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\avsuite (Rogue.AntivirusSuite) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\avsoft (Trojan.Fraudpack) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\avsoft (Trojan.Fraudpack) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\asam (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\asam (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vbuwodgt (Trojan.FakeAlert.Gen) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
F:\Windows\asam.exe (Trojan.Agent) -> Quarantined and deleted successfully.
F:\Users\Administrator\AppData\Local\bsnoqpxuj\puafkretssd.exe (Trojan.FakeAlert.Gen) -> Quarantined and deleted successfully.
F:\Users\Administrator\AppData\Local\syssvc.exe (Trojan.Agent) -> Quarantined and deleted successfully.
F:\Users\Administrator\AppData\Local\Temp\urHJ.exe (Trojan.FakeAlert.Gen) -> Quarantined and deleted successfully.

Edited by bleepedindeed, 21 April 2010 - 02:13 AM.
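
The MBAM log above is the artifact the helper reads by hand. As an added example (not code from the thread or from Malwarebytes), this Python script parses that log layout, cross-checks the summary counts against the items actually listed so a truncated paste is caught, and pulls out the Run-key persistence entries and anything still pending removal. The sample log is constructed in the same layout as the one posted; the regular expressions are this example's own assumptions about the format.

```python
import re
from collections import defaultdict

# Constructed sample in the layout of the MBAM 1.45 log posted above (shorter than the thread's log).
SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.45
Database version: 4014
Memory Processes Infected: 1
Registry Values Infected: 2
Files Infected: 2
Memory Processes Infected:
F:\Windows\asam.exe (Trojan.Agent) -> Unloaded process successfully.
Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\asam (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\asam (Trojan.Agent) -> Delete on reboot.
Files Infected:
F:\Windows\asam.exe (Trojan.Agent) -> Quarantined and deleted successfully.
F:\Users\Administrator\AppData\Local\syssvc.exe (Trojan.Agent) -> Quarantined and deleted successfully.
"""

SUMMARY_RE = re.compile(r"^(?P<section>[A-Za-z ]+ Infected): (?P<count>\d+)$")  # "Files Infected: 2"
HEADER_RE = re.compile(r"^(?P<section>[A-Za-z ]+ Infected):$")                 # "Files Infected:"
ITEM_RE = re.compile(r"^(?P<target>.+?) \((?P<family>[^)]+)\) -> (?P<action>.+?)\.?$")

def parse_mbam_log(text):
    """Return (summary_counts, detections); detections maps section name -> list of item dicts."""
    summary, detections, section = {}, defaultdict(list), None
    for line in text.splitlines():
        line = line.strip()
        if m := SUMMARY_RE.match(line):
            summary[m["section"]] = int(m["count"])
        elif m := HEADER_RE.match(line):
            section = m["section"]
        elif section and (m := ITEM_RE.match(line)):
            detections[section].append(m.groupdict())
    return summary, dict(detections)

def count_mismatches(summary, detections):
    """Sections whose summary count disagrees with the items listed; an incomplete paste shows up here."""
    return {s: (n, len(detections.get(s, []))) for s, n in summary.items()
            if n != len(detections.get(s, []))}

def autostart_entries(detections):
    """Run-key values: the persistence that relaunches the rogue at every logon."""
    return [d["target"] for d in detections.get("Registry Values Infected", [])
            if "\\CurrentVersion\\Run\\" in d["target"]]

def pending_actions(detections):
    """Items not yet removed (e.g. 'Delete on reboot'), which is why MBAM asks for a restart before rescanning."""
    return [d["target"] for items in detections.values() for d in items
            if "successfully" not in d["action"]]
```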


#7 boopme
    To Insanity and Beyond
  • Global Moderator
  • 73,220 posts
  • Gender:Male
  • Location:NJ USA

Posted 21 April 2010 - 12:22 PM

Cool!! Post the Avira log please, so we can see if there is more to do.

#8 bleepedindeed
  • Topic Starter
  • Members
  • 46 posts

Posted 22 April 2010 - 01:51 AM

I am stuck with connectivity problems. I am on the affected machine now, Firefox works. No weather gadget, no IE, and no update for Avira. Do I run the scan anyway?

#9 boopme
    To Insanity and Beyond
  • Global Moderator
  • 73,220 posts
  • Gender:Male
  • Location:NJ USA

Posted 22 April 2010 - 10:26 AM

Hi, yes, run it, as it just may remove things that are causing issues and allow us to run more.

Update and rerun MBAM too.
If you cannot use the Internet, you will need access to another computer that has a connection.
From there save mbam-setup.exe to a flash, usb, jump drive or CD. Now transfer it to the infected machine, then install and run the program.
If you cannot transfer to or install on the infected machine, try running the setup (installation) file directly from the flash drive or CD by double-clicking on mbam-setup.exe so it will install on the hard drive.
***
Manually Downloading Updates:
Manually download them from HERE and just double-click on mbam-rules.exe to install. Alternatively, you can update through MBAM's interface from a clean computer, copy the definitions (rules.ref) located in C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware from that system to a usb stick or CD and then copy it to the infected machine.


Note: Mbam-rules.exe is not updated daily. Another way to get the most current database definitions if you're having problems updating through the program's interface or have already manually downloaded the latest definitions (mbam-rules.exe) shown on this page, is to do the following: Install MBAM on a clean computer, launch the program and update through MBAM's interface. Copy the definitions (rules.ref) to a USB stick or CD and transfer that file to the infected machine. Copy rules.ref to the location indicated for your operating system. If you cannot see the folder, then you may have to Reconfigure Windows to show it.
  • XP: C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware
  • Vista: C:\Documents and Settings\Users\All Users\Malwarebytes\Malwarebytes' Anti-Malware


#10 bleepedindeed
  • Topic Starter
  • Members
  • 46 posts

Posted 23 April 2010 - 01:44 AM

The update seems to have completed (very quickly) in Malwarebytes, but the program does not run. I get run-time error "0" from vbAccelerator SGrid II Cont., followed by run-time error "440" Automation error from Malwarebytes Anti-Malware. I tried rkill, it reported nothing. Malwarebytes would again not run after rkill.

#11 boopme
    To Insanity and Beyond
  • Global Moderator
  • 73,220 posts
  • Gender:Male
  • Location:NJ USA

Posted 23 April 2010 - 08:47 AM

Please follow the steps in step 17 here http://forums.malwarebytes.org/index.php?showtopic=10138

#12 bleepedindeed
  • Topic Starter
  • Members
  • 46 posts

Posted 25 April 2010 - 02:17 PM

I ran Malwarebytes, scan was clean. Connectivity prevents Avira from updating. Is there a way to update it through Firefox?

#13 boopme
    To Insanity and Beyond
  • Global Moderator
  • 73,220 posts
  • Gender:Male
  • Location:NJ USA

Posted 25 April 2010 - 03:01 PM

I think one of these will help.

Try this: open control, internet options, connections tab, lan settings, uncheck the box next to "use proxy...."
OR
Go to Start ... Run and type in cmd
A dos Window will appear.
Type in the dos window: netsh winsock reset
Click on the enter key.

Reboot your system to complete the process.

#14 bleepedindeed
  • Topic Starter
  • Members
  • 46 posts

Posted 26 April 2010 - 03:28 AM

Thanks for the tip, the first method worked. I updated and ran Avira. Then it caught something trying to get in, I was not on the internet at the time. Updated Malwarebytes, running both again. Will post Avira log.

Edited by bleepedindeed, 26 April 2010 - 03:30 AM.


#15 boopme
    To Insanity and Beyond
  • Global Moderator
  • 73,220 posts
  • Gender:Male
  • Location:NJ USA

Posted 26 April 2010 - 11:43 AM

Cool, post MBAM too.



