Computer Infected - Antivirus 2010???


33 replies to this topic

#1 Patrick B


Posted 21 October 2010 - 08:38 AM

My computer is in bad shape, and everything I have tried has not worked.

I'll start by saying I am clueless with this stuff, but am hoping someone can guide me to fix this problem.

I have Windows XP.

Started getting survey pop-ups about a week or so ago.

Then, I got a big black box, and lost my wallpaper, saying: YOUR COMPUTER IS INFECTED! System has been stopped due to a serious malfunction. Spyware activity has been detected. It is recommended to use spyware removal tool to prevent data loss. Do not run any application before all spyware removed.

Also popped up was a Windows Security Alert: Your computer is making unauthorized copies of your system and internet files. You should imideatly run full scan your system to prevent any unauthorized access to your data. Click YES to run Antivirus scaner right now. I click NO, and Antivirus 2010 starts scanning on my computer. This can be closed, but will pop back up.

Also popped up was a VERIZO~1.exe - Bad Image or GoogleUpdate.exe - Bad Image: The application or DLL C:\WINDOWS\system32\winsock.dll is not a valid Windows image. Please check this against your installation diskette. This has to be clicked several times before it goes away. But keeps coming back up.

I also am unable to access the internet, as it says I have no connection.

I should also say, I allowed my McAfee Antivirus to lapse, so I'm sure that did not help and I haven't yet renewed it or added another antivirus.

I've tried to download, from a clean computer onto a flash drive, Malwarebytes, Super Anti Spyware, Rkill, Combofix. I was directed to a few old threads here that cited similar problems. So, I tried Rkill, which got rid of the big black box. But, when I run either Malwarebytes or SAS, it will run for a short period, as little as 5 seconds, then just shuts down. I then get something similar to this, when I try to click them again: C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe - Windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access the item.

I tried in safe mode, with the same results. I tried renaming Malwarebytes and SAS, but the same thing happens.

When I run SAS, 2 things get found early on, before it shuts down. They are: Trojan.Agent/Gen-ProxBot & Trojan.Dropper/svcHost.Fake. I paused the scan, before it got shut down, and tried to remove both of these. Trojan.Agent/Gen-ProxBot no longer comes up, but Trojan.Dropper/svcHost.Fake is there every time. SAS will run for up to 5 minutes in Safe Mode, before shutting down.

When I tried Combofix, I received an error due to McAfee running, I believe.

Tried Hijackthis, and it was also shut down by this thing.

My System Restore must have been off, because I have no Restore Points saved.

That is where I am at, or at least the best I can explain it with my limited knowledge. I'm at the end of my rope and really do not know what else to do, so I'm asking, pleading for help. Spent several hours the past few days on this, and am no further along than when I started. My usual fixes, and those from some others, are not working.

I'd greatly appreciate any help provided. I need to take some time away from this problem to actually work, but will be checking back later in the day. Again, I appreciate any help offered.

Patrick B

#2 boopme


Posted 21 October 2010 - 12:05 PM

Hello and welcome. Please do not run ComboFix on your own.
Let's see if we get the Internet back first.
Please click Start > Run, type inetcpl.cpl in the runbox and press enter.

Click the Connections tab and click the LAN settings option.

Verify if "Use a proxy..." is checked, if so, UNcheck it and click OK/OK to exit.

Now check if the internet is working again.

OR
Go to Start ... Run and type in cmd
A DOS window will appear.
Type in the DOS window: netsh winsock reset
Press the Enter key.

Reboot your system to complete the process.


Now try this,

Reboot into Safe Mode with Networking
How to enter safe mode(XP)
Using the F8 Method
Restart your computer.
When the machine first starts again it will generally list some equipment that is installed in your machine, amount of memory, hard drives installed etc. At this point you should gently tap the F8 key repeatedly until you are presented with a Windows XP Advanced Options menu.
Select the option for Safe Mode with Networking using the arrow keys.
Then press Enter on your keyboard to boot into Safe Mode.


>>>> Download this file and double-click on it to run it. Allow the information to be merged with the registry.

RKill....

Download and Run RKill
  • Please download RKill by Grinler from one of the 4 links below and save it to your desktop.

    Link 1
    Link 2
    Link 3
    Link 4

  • Before we begin, you should disable any anti-malware software you have installed so it does not interfere with RKill running, as some anti-malware software detects RKill as malicious. Please refer to this page if you are not sure how.
  • Double-click on Rkill on your desktop to run it. (If you are using Windows Vista, please right-click on it and select Run As Administrator)
  • A black screen will appear and then disappear. Please do not worry, that is normal. This means that the tool has been successfully executed.
  • If nothing happens or if the tool does not run, please let me know in your next reply

Do not reboot your computer after running rkill as the malware programs will start again. Or if rebooting is required run it again.


If you continue having problems running rkill.com, you can download iExplore.exe or eXplorer.exe, which are renamed copies of rkill.com, and try them instead.



Next run SUPERAntiSpyware (SAS):

Download and scan with SUPERAntiSpyware Free for Home Users
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download them from here. Double-click on the hyperlink for Download Installer and save SASDEFINITIONS.EXE to your desktop. Then double-click on SASDEFINITIONS.EXE to install the definitions.)
  • In the Main Menu, click the Preferences... button.
  • Click the Scanning Control tab.
  • Under Scanner Options make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen.
  • Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan.
  • Click "Next" to start the scan. Please be patient while it scans your computer.
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes".
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.
If you have a problem downloading, installing or getting SAS to run, try downloading and using the SUPERAntiSpyware Portable Scanner instead. Save the randomly named file (i.e. SAS_1710895.COM) to a usb drive or CD and transfer to the infected computer. Then double-click on it to launch and scan. The file is randomly named to help keep malware from blocking the scanner.


Rerun MBAM (MalwareBytes) like this:

Open MBAM in normal mode and click the Update tab, select Check for Updates. When done,
click the Scanner tab, select Quick scan and scan (normal mode).
After the scan click Remove Selected, post the new scan log and reboot into normal mode.

Please ask any needed questions,post logs and Let us know how the PC is running now.
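The two connectivity checks in the reply above (the "Use a proxy" flag in inetcpl.cpl and the Winsock catalog that "netsh winsock reset" rebuilds) can be inspected before anything is reset. The following PowerShell triage script is an added example for this thread; it is not part of boopme's reply, of RKill, or of any BleepingComputer tool. It assumes PowerShell 2.0 or later has been installed on the XP machine (XP did not ship with it) and that it is started from a cmd window that is already open, so its launch does not go through the .exe file association that a rogue AV may have hijacked. The registry path and the netsh output format are the real ones; the judgement "anything outside system32 is suspicious" is a heuristic, not a definitive allow-list.

```powershell
# Added triage example, not from the thread. Checks what boopme's first reply
# targets: a forced WinINET proxy and a tampered Winsock provider catalog.
# Assumptions: PowerShell 2.0+ on XP; run as Administrator from an open cmd window.

$inet = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$ie   = Get-ItemProperty -Path $inet

# 1. Proxy: rogue AV families commonly set ProxyEnable=1 with a localhost proxy
#    so the victim cannot reach update or download servers.
if ($ie.ProxyEnable -eq 1) {
    Write-Warning "Proxy is ENABLED: $($ie.ProxyServer)"
    # Uncomment to clear it (same effect as unchecking 'Use a proxy' in inetcpl.cpl):
    # Set-ItemProperty -Path $inet -Name ProxyEnable -Value 0
} else {
    Write-Host "Proxy: not enabled"
}
if ($ie.AutoConfigURL) { Write-Warning "PAC script configured: $($ie.AutoConfigURL)" }

# 2. Winsock catalog: every provider entry names a DLL. On a clean XP box the
#    Microsoft providers (mswsock.dll, rsvpsp.dll, ...) live in %SystemRoot%\system32.
#    A provider DLL elsewhere, or one that is missing on disk (leftover from a
#    half-removed LSP, which is what LSP-Fix repairs), deserves a look.
$system32 = Join-Path $env:SystemRoot 'system32'
$paths = @()
foreach ($line in (netsh winsock show catalog)) {
    if ($line -match '^\s*Provider Path:\s*(.+?)\s*$') {
        $paths += [Environment]::ExpandEnvironmentVariables($Matches[1])
    }
}
foreach ($dll in ($paths | Sort-Object -Unique)) {
    $flags = @()
    if (-not $dll.StartsWith($system32, [StringComparison]::OrdinalIgnoreCase)) { $flags += 'outside system32' }
    if (-not (Test-Path -LiteralPath $dll)) { $flags += 'file missing' }
    if ($flags.Count -gt 0) { Write-Warning ("{0}  <-- {1}" -f $dll, ($flags -join ', ')) }
    else                    { Write-Host   "ok  $dll" }
}

# 3. If anything is flagged, rebuild the catalog and the TCP/IP stack exactly as
#    the thread suggests, then reboot:
#    netsh winsock reset
#    netsh int ip reset resetlog.txt
```

The script only reports; the reset commands are left as comments because "netsh winsock reset" removes every third-party provider, legitimate firewall and VPN shims included, which is why the reply asks to try the proxy checkbox first.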

#3 Patrick B


Posted 21 October 2010 - 07:10 PM

Thanks for the reply!

As I said I'm fairly clueless with this stuff, so I already have a question.

Should I do ALL (Including the 1st file) downloads from a clean computer onto a flash drive, then copy them onto the infected desktop, or will I be going online in Safe Mode to download them?

Thanks again!

#4 boopme


Posted 21 October 2010 - 08:10 PM

Hi, try Safe Mode w/ Networking first; if you have no internet, you will have to use a flash drive.

Your malware is affecting your Winsock (Internet connection) settings, so we will need to try the steps before "Reboot into Safe Mode with Networking" to see if we can connect on this machine.

"I should also say, I allowed my McAfee Antivirus to lapse,"

We can remove this and install a new one when clean,remind me if I forget.

If you connect

"You may not have the appropriate permissions to access the item."

Go here to Doug KNox's Windows® XP File Association Fixes
Run 9th down on left... EXE File Association Fix ... the EXE not EML one.

One more NOTE.. If you have used the flash drive on this PC and connected it to another, it may be infected, and the flash drive and the other PC will need you to run this on them.
Please download Flash_Disinfector.exe by sUBs and save it to your desktop.
  • Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
  • The utility may ask you to insert your flash drive and/or other removable drives. Please do so and allow the utility to clean up those drives as well.
  • Hold down the Shift key when inserting the drive until Windows detects it to keep autorun.inf from executing if it is present.
  • Wait until it has finished scanning and then exit the program.
  • Reboot your computer when done.
Note: As part of its routine, Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive that was plugged in when you ran it. Do not delete this folder...it will help protect your drives from future infection by keeping the autorun file from being installed on the root drive and running other malicious files.
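The "EXE File Association Fix" linked above is a .reg file that restores what a rogue AV rewrites so that every .exe launch runs the rogue instead (the "Windows cannot access the specified device, path, or file" message is the visible symptom the reply pairs with it). The script below is an added example for this thread, not Doug Knox's fix and not anything the poster ran; it checks the three registry locations involved and, when $Repair is set to $true, puts back the values a clean XP installation has. It assumes PowerShell 2.0 or later is installed and is started from a cmd window that is already open: the Run box and Explorer go through the .exe association, so a hijacked association can stop the fixer itself from starting, which is exactly why the thread uses a .reg merge and a renamed rkill.com.

```powershell
# Added example, not from the thread or from Doug Knox's .reg fix. Verifies and
# optionally repairs the .exe file association a rogue AV hijacks.
# Assumptions: PowerShell 2.0+; run as Administrator from an open cmd window.

$Repair = $false   # set to $true to apply the fix after reviewing the warnings

# Values a clean XP installation has.
$expected = @{
    'Registry::HKEY_CLASSES_ROOT\.exe'                       = 'exefile'
    'Registry::HKEY_CLASSES_ROOT\exefile\shell\open\command' = '"%1" %*'
}

function Get-Default([string]$key) {
    if (Test-Path -LiteralPath $key) { (Get-ItemProperty -LiteralPath $key).'(default)' } else { $null }
}

$broken = $false
foreach ($key in $expected.Keys) {
    $actual = Get-Default $key
    if ($actual -ne $expected[$key]) {
        Write-Warning ("{0}`n   expected: {1}`n   actual:   {2}" -f $key, $expected[$key], $actual)
        $broken = $true
    }
}

# HKCR is a merged view: a per-user key under HKCU\Software\Classes shadows the
# machine-wide one, and that is where rogue AV families commonly plant their own
# ProgID so the hijack survives a repair of HKLM alone.
$userOverride = 'HKCU:\Software\Classes\.exe'
if (Test-Path -LiteralPath $userOverride) {
    Write-Warning ("Per-user .exe override present: {0} -> {1}" -f $userOverride, (Get-Default $userOverride))
    $broken = $true
}

if (-not $broken) { Write-Host '.exe association looks clean' }
elseif ($Repair) {
    # Remove the per-user override first, otherwise the HKCR writes below land in it.
    if (Test-Path -LiteralPath $userOverride) { Remove-Item -LiteralPath $userOverride -Recurse -Force }
    $cmdKey = 'Registry::HKEY_CLASSES_ROOT\exefile\shell\open\command'
    if (-not (Test-Path -LiteralPath $cmdKey)) { New-Item -Path $cmdKey -Force | Out-Null }
    Set-ItemProperty -LiteralPath 'Registry::HKEY_CLASSES_ROOT\.exe' -Name '(default)' -Value 'exefile'
    Set-ItemProperty -LiteralPath $cmdKey -Name '(default)' -Value '"%1" %*'
    Write-Host 'Repaired. Run the script again to confirm all checks pass.'
}
```

Run it once with $Repair left at $false to see what was changed; the ProgID the rogue pointed .exe at is worth noting in the reply, because its name usually identifies the family for the helper.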

#5 PhuongDT


Posted 22 October 2010 - 09:57 AM


My friend has been infected by this virus too. I scanned with TrendMicro, NOD32, ... and I tried to use some tools (OTL, HijackThis, Autorun, PExplorer, ...) but I can't run them. Please help me.

#6 boopme


Posted 22 October 2010 - 02:22 PM

Do you have internet yet?

Did you try from the Flash drive?

Did we try MalwareBytes (MBAM) yet?

If you cannot use the Internet,you will need access to another computer that has a connection.
From there save mbam-setup.exe to a flash,usb,jump drive or CD. Now transfer it to the infected machine, then install and run the program.
If you cannot transfer to or install on the infected machine, try running the setup (installation) file directly from the flash drive or CD by double-clicking on mbam-setup.exe so it will install on the hard drive.
***
Manually Downloading Updates:
Manually download them from HERE and just double-click on mbam-rules.exe to install. Alternatively, you can update through MBAM's interface from a clean computer, copy the definitions (rules.ref) located in C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware from that system to a usb stick or CD and then copy it to the infected machine..

Note: Mbam-rules.exe is not updated daily. Another way to get the most current database definitions if you're having problems updating through the program's interface or have already manually downloaded the latest definitions (mbam-rules.exe) shown on this page, is to do the following: Install MBAM on a clean computer, launch the program and update through MBAM's interface. Copy the definitions (rules.ref) to a USB stick or CD and transfer that file to the infected machine. Copy rules.ref to the location indicated for your operating system. If you cannot see the folder, then you may have to Reconfigure Windows to show it.
  • XP: C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware
  • Vista: C:\Documents and Settings\Users\All Users\Malwarebytes\Malwarebytes' Anti-Malware


#7 Patrick B


Posted 22 October 2010 - 03:32 PM

Sorry for the lack of a follow up, but this thing took up so much of my time earlier in the week, I'm now playing catch-up with work.

I was not able to get the internet up, as that box was not checked.

Have everything downloaded onto the flash drive.

Gonna try everything else this evening and will report back.

Thanks!

Edited by Patrick B, 22 October 2010 - 03:32 PM.


#8 boopme


Posted 22 October 2010 - 04:06 PM

Ok, take your time I'll look back.

#9 Patrick B


Posted 23 October 2010 - 12:02 AM

Just wanted to give a quick update before I turn in for the evening:

Ran - FixExe (was just 2 quick windows?)

Ran - RKill (seemed to work)

Installed - SAS - was not able to get updates (SAS.exe BAD IMAGE box popped up). Did the manual updates and was fine. Went to run SAS and got the [may not have appropriate permission] pop-up. Tried xp_exe_fix, but still got the pop-up.

Installed - Portable SAS - installed fine and began to scan. Found: Trojan.Dropper/svcHost.fake (2 items) again. It actually ran for about 30 minutes (20-25 min longer than ever) but as I am sitting here typing, it got shut down and disappeared AGAIN.

It's letting me run the Portable SAS again, so I'll let it run and need to turn in for the evening. Hopefully I'll check in the morning and there will be a full completed scan.


Thanks!

#10 Patrick B


Posted 23 October 2010 - 05:18 PM

This morning there was no evidence that the SAS scan was completed. Seems like it got shut down again. Not sure what to do now?

Thanks

#11 pigfoot


Posted 24 October 2010 - 12:16 AM

I have the same thing happening to my PC. All my programs for malware scanning won't run. It won't even let me run my Windows Media Player. What is this bad infection???

#12 boopme


Posted 24 October 2010 - 11:00 AM

Hello, had a tournament to do yesterday and it went all day.. you may need to run these to get them to work.

(FILE ASSOC FIX)

Go here to Doug KNox's Windows® XP File Association Fixes
Run 9th down on left... EXE File Association Fix ... the EXE not EML one.


DEFOGGER
Please download DeFogger to your desktop.

Double click DeFogger to run the tool.
  • The application window will appear
  • Click the Disable button to disable your CD Emulation drivers
  • Click Yes to continue
  • A 'Finished!' message will appear
  • Click OK
  • DeFogger will now ask to reboot the machine - click OK
IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_disable which will appear on your desktop.

Do not re-enable these drivers until otherwise instructed.

#13 Patrick B


Posted 24 October 2010 - 05:15 PM

OK, I'll try to get these this evening, or tomorrow at the latest and will post back.

Thanks again for your time.

#14 Patrick B


Posted 25 October 2010 - 08:21 PM


Sorry, am I doing this in Safe or Regular Mode?

Also, how would you recommend I post the log, if I can not access the net from the infected desktop that will contain the log? Would copy/pasting it into a Word doc, then onto my good computer, be the way? Would that infect the good computer?

Thanks!

#15 boopme


Posted 25 October 2010 - 10:42 PM

"Would copy/paste it into a Word Doc then onto my good computer be the way? Would that infect the good computer?"

Yes, this works; use the flash drive. You did run Flash_Disinfector.exe??

Or just disable Autorun.inf. Keeping Autorun enabled on USB and other removable drives has become a significant security risk due to the increasing number of malware variants that can infect them and transfer the infection to your computer. To learn more about this risk, please read:
Please disable Autorun asap!.

To disable autorun, please read the following tutorials:

http://www.howtogeek.com/howto/windows/disable-autoplay-of-audio-cds-and-usb-drives/
(applies for XP Pro since XP Home has no gpedit.msc present)
http://www.engadget.com/2004/06/29/how-to-tuesday-disable-autorun-on-windows/
(applies for XP Home. Same can be used for XP Pro)



3 Methods of repairing connectivity
METHOD 1

LSP-Fix
Repairs Winsock 2 settings, caused by buggy or improperly-removed Internet software, that result in loss of Internet access
LSP-Fix Home Page
Using LSP-Fix to remove Spyware & Hijackers

METHOD 2

WinSock XP Fix 1.2
It can often cure the problem of lost connections after the removal of Adware components or improper uninstall of firewall applications or other tools that modify the XP network and Winsock settings.
If you encounter connection problems after removing network related software, Adware or after registry clean-up; and all other ways fail, then give WinSock XP Fix a try.
Download WinSock XP Fix 1.2

METHOD 3

Microsoft KB article to reset TCP/IP
One of the components of the Internet connection on your computer is a built-in set of instructions called TCP/IP. TCP/IP can sometimes become corrupted. If you cannot connect to the Internet and you have tried all other methods to resolve the problem, TCP/IP might be causing it.
Because TCP/IP is a core component of Windows, you cannot remove it. However, you can reset TCP/IP to its original state by using the NetShell utility (netsh)
How to reset Internet Protocol (TCP/IP) in Windows XP
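The reply above points at two tutorials for turning AutoRun off and, earlier in the thread, at Flash_Disinfector's trick of planting a hidden autorun.inf folder on each removable drive so a worm cannot create its own autorun.inf there. As an added example for this thread (not Flash_Disinfector itself, whose internals the thread does not describe, and not anything boopme posted), the PowerShell script below does both in one pass: it sets NoDriveTypeAutoRun to 0xFF for the machine and the current user, and for every removable drive it reports and quarantines any autorun.inf file before putting the protective folder in its place. It assumes PowerShell 2.0 or later is installed and is run as Administrator; the ".quarantined.txt" rename is my convention for keeping the dropper's autorun.inf for analysis rather than deleting it.

```powershell
# Added example, not from the thread. Disables AutoRun for all drive types and
# plants a read-only, hidden 'autorun.inf' folder on each removable drive, the
# same defence Flash_Disinfector is described as leaving behind.
# Assumptions: PowerShell 2.0+; run as Administrator with the flash drive plugged in.

# 1. NoDriveTypeAutoRun = 0xFF: AutoRun off for every drive type (machine-wide
#    and for the current user, since the user value wins when both exist).
foreach ($hive in 'HKLM', 'HKCU') {
    $key = "${hive}:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    New-ItemProperty -Path $key -Name NoDriveTypeAutoRun -PropertyType DWord -Value 0xFF -Force | Out-Null
    Write-Host ("{0} NoDriveTypeAutoRun = 0x{1:X}" -f $hive, (Get-ItemProperty $key).NoDriveTypeAutoRun)
}

# 2. Removable drives (WMI DriveType 2). A FILE named autorun.inf at the root is
#    what USB worms drop; show it, rename it for analysis, then replace it with
#    a folder of the same name so the path can never again be a file.
$removable = Get-WmiObject Win32_LogicalDisk -Filter 'DriveType = 2' | ForEach-Object { $_.DeviceID }
foreach ($drive in $removable) {
    $inf = Join-Path "$drive\" 'autorun.inf'
    if (Test-Path -LiteralPath $inf -PathType Leaf) {
        Write-Warning "autorun.inf FILE found on $drive, contents:"
        Get-Content -LiteralPath $inf | ForEach-Object { Write-Warning "    $_" }
        $bak = "$inf.quarantined.txt"
        Move-Item -LiteralPath $inf -Destination $bak -Force
        Write-Warning "  renamed to $bak; the 'open=' / 'shellexecute=' target is the dropper to submit or delete"
    }
    if (-not (Test-Path -LiteralPath $inf -PathType Container)) {
        $dir = New-Item -ItemType Directory -Path $inf
        $dir.Attributes = 'Hidden, System, ReadOnly'
    }
    Write-Host "$drive autorun.inf folder in place"
}
```

The folder is a mitigation for the autorun.inf vector only; with AutoRun already disabled by the registry value it mostly protects other machines the drive is later plugged into, which is the case the reply is worried about.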



