
Vista Home Security Lockdown


  • This topic is locked
28 replies to this topic

#1 Desent

Desent

  • Members
  • 24 posts
  • OFFLINE
  •  
  • Local time:06:02 AM

Posted 01 April 2011 - 08:08 PM

My computer has a virus that is preventing me from running any .exe files, including command prompt and regedit (I can, however, open files of things like firefox (html) or microsoft word). It used to start up a fake virus scan called "Vista Home Security" and only blocked internet browsers, but then I changed the filename extension of its program (hjk.exe). Does anybody know something I can do to delete this stupid thing? It was stored in C:\AppData\Local, but it was hidden and wouldn't show up even when I set it to show hidden files, so all I could do was change its name from the properties screen that I got from the task manager. I can open the command prompt from the boot menu, however, but I am unfamiliar with it. Sorry, I cannot post the logs and things requested on this board, but this is the best I can do.
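The following Python example is added here and is not from the thread or from any tool it names: it identifies Windows executables by their MZ/PE header instead of by extension, which is why renaming hjk.exe changes how the file is launched but not what it is. The heuristic that executables sitting directly in AppData\Local deserve review, the function names and the sample files are assumptions constructed for illustration.

```python
import tempfile
from pathlib import Path

EXEC_EXTS = {".exe", ".com", ".scr", ".dll", ".sys"}  # extensions normally used for PE files
HIDDEN, SYSTEM = 0x2, 0x4  # Windows file attribute bits

def is_pe(path):
    """True if the file starts with 'MZ' and e_lfanew points at a PE signature."""
    try:
        with open(path, "rb") as f:
            head = f.read(64)
            if len(head) < 64 or head[:2] != b"MZ":
                return False
            f.seek(int.from_bytes(head[60:64], "little"))  # e_lfanew field
            return f.read(4) == b"PE\0\0"
    except OSError:
        return False

def triage(folder):
    """Return (name, reasons) for every PE file directly inside `folder`."""
    findings = []
    for entry in sorted(Path(folder).iterdir()):
        if not entry.is_file() or not is_pe(entry):
            continue
        reasons = ["PE file loose in folder"]  # assumed heuristic, not a verdict
        if entry.suffix.lower() not in EXEC_EXTS:
            reasons.append("extension hides executable content")
        attrs = getattr(entry.stat(), "st_file_attributes", 0)  # present on Windows only
        if attrs & HIDDEN and attrs & SYSTEM:
            reasons.append("hidden+system attributes")
        findings.append((entry.name, reasons))
    return findings

def make_pe_stub():
    """Constructed sample: DOS header plus PE signature, not a runnable program."""
    header = bytearray(64)
    header[:2] = b"MZ"
    header[60:64] = (64).to_bytes(4, "little")
    return bytes(header) + b"PE\0\0"

def demo():
    with tempfile.TemporaryDirectory() as d:
        Path(d, "hjk.exe").write_bytes(make_pe_stub())  # file name taken from the post
        Path(d, "hjk.txt").write_bytes(make_pe_stub())  # constructed: same content, renamed
        Path(d, "notes.txt").write_text("MZ is only text here")
        return triage(d)

if __name__ == "__main__":
    for name, reasons in demo():
        print(name, "->", "; ".join(reasons))
```

On a real system, point `triage()` at the affected profile's AppData\Local folder from a clean environment and treat the output as a list of files to submit to a scanner, not as proof of infection.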



#2 oneof4

oneof4

  • Malware Response Team
  • 3,779 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Collective
  • Local time:07:02 AM

Posted 06 April 2011 - 07:37 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

Please take note:

  • If you have since resolved the original problem you were having, we would appreciate you letting us know.
  • If you are unable to create a log because your computer cannot start up successfully please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
    • If you are unsure about any of these characteristics just post what you can and we will guide you.
  • Please tell us if you have your original Windows CD/DVD available.
  • If you are unable to perform the steps we have recommended please try one more time and if unsuccessful alert us of such and we will design an alternate means of obtaining the necessary information.
  • If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • Upon completing the steps below another staff member will review your topic and do their best to resolve your issues.
  • If you have already posted a DDS log, please do so again, as your situation may have changed.
  • Use the 'Add Reply' and add the new log to this thread.

We need to see some information about what is happening in your machine. Please perform the following scan again:

Since you are having trouble running .exe files, rename DDS.exe & the .exe for GMER to .com and see if they will run.

  • Download DDS by sUBs from one of the following links if you no longer have it available. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


We also need a new log from the GMER anti-rootkit Scanner.

Please note that if you are running a 64-bit version of Windows you will not be able to run GMER and you may skip this step.

Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice


Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log



Thanks and again sorry for the delay.

Edited by oneof4, 06 April 2011 - 07:40 AM.

Best Regards,
oneof4.


#3 Desent


Posted 07 April 2011 - 05:54 PM

3. I don't know where my windows CD is, although it might be somewhere in my house. I will look for it if it will be useful.
4. Sorry for not posting the logs earlier, I didn't try because I was afraid the virus would progress to a new stage if I turned on my computer. The dds worked, and so did the GMER once I changed it to .com. This virus only seems to be blocking my .exes.
5. I didn't mention this, but google has been redirecting too. I probably have multiple viruses (in fact, when I opened the html file to get to this site, it redirected me to a cell phone website DX

Attached Files

  • Attached File  Attach.txt   7.54KB   3 downloads
  • Attached File  ark.txt   3.14KB   2 downloads
  • Attached File  DDS.txt   15.57KB   5 downloads

#4 oneof4


Posted 08 April 2011 - 07:15 AM

Hi,

Welcome to Bleeping Computer. My name is oneof4 and I will be helping you with your log.
Please subscribe to this topic, if you haven't already. You can subscribe by clicking the Watch Topic box to the right of your topic title and selecting Immediate Notification.


Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.


Please reply to this post so I know you are there.

The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

Once I receive a reply then I will return with your first instructions.

Thanks :thumbup2:

Best Regards,
oneof4.


#5 Desent


Posted 08 April 2011 - 02:44 PM

I'm with ya.

#6 oneof4


Posted 12 April 2011 - 07:25 AM

Hello Desent, and :welcome: to the Virus/Trojan/Spyware/Malware Removal forum.

I am oneof4, and I am here to help you!

  • I ask that you refrain from running tools other than those I suggest to you while I am cleaning up your computer. The reason for this is so I know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.
  • Please perform all steps in the order received and do not proceed if you need clarification.
  • Please copy and paste all logs into your post unless directed otherwise. Please do not re-run any programs I suggest. If you encounter problems please stop and tell me about it. When your computer is clean I will alert you of such. I will also provide you with detailed suggestions for prevention.
  • At the top right-center of the topic you will see a button called Watch Topic. If you click on this, another page will open. Please choose Immediate Notification and then click on Proceed. You will then be advised when we respond to your topic, which will facilitate the cleaning of your machine.
  • If after 5 days you have not replied to this topic, I will assume it has been abandoned, and I will close it.
  • I would also like to inform you that most of us here at Bleeping Computer offer our expert assistance out of the goodness of our hearts. :heart: Please be courteous and appreciative for the assistance provided!
  • Again I would like to remind you to make no further changes to your computer unless I direct you to do so. Your computer fix will be based on the current condition of your computer! Any changes might delay my ability to help you.

==========


Running ComboFix
Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

Once you have saved it to the Desktop, right-click on the ComboFix.exe icon and choose "Rename". Rename it to "VHS.com" and hit "Enter".

  • IMPORTANT - Disable your Anti-Virus and Anti-Spyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

    Note: If AVG or CA Internet Security Suite is installed, you must remove these programs before using Combofix. If for some reason these applications will not uninstall, try uninstalling with AppRemover by Opswat.
  • Double click on VHS.com & follow the prompts.
The Recovery Console step that follows does not apply to Vista or Windows 7

As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Posted Image

  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image

  • Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.

Please make sure you include the ComboFix log in your next reply as well as describe how your computer is running now

Best Regards,
oneof4.


#7 Desent


Posted 15 April 2011 - 04:48 PM

I ran ComboFix in safe mode, and .exes are working again. I'll now restart in normal mode and see how things are.

Thank you so much!

#8 oneof4


Posted 15 April 2011 - 07:46 PM

Could you please post the Combofix.txt log. :)

Best Regards,
oneof4.


#9 Desent


Posted 16 April 2011 - 04:42 AM

whoops forgot to click attach.

Thank you so much! I can now use my computer normally. But I still see some suspicious things. For example, there is a program called NDSTray.exe that is in my startup explorer that I cannot remove and it's from an unknown publisher.

Attached Files

  • Attached File  log.txt   15.71KB   10 downloads


#10 oneof4


Posted 19 April 2011 - 02:18 PM

Hello Desent :)

"Thank you so much! I can now use my computer normally."

You're welcome! That's GREAT! :thumbsup:

The file NDSTray.exe is nothing to worry about, it's actually part of your Configuration Tray for your Toshiba laptop.

You do however have some other files we need to take a look at, so please follow the next set of instructions:

======

Please make sure that you can view all hidden files. Instructions on how to do this can be found here:

How to see hidden files in Windows

Please click this link-->Jotti

When the jotti page has finished loading, click the browse button and navigate to the files listed below in bold, then click Submit. You will only be able to have one file scanned at a time.

c:\programdata\SPL6AB4.tmp

c:\program files\Bigler\IKB\IKB.EXE

Please post back the results of the scan in your next post.

If Jotti is busy, try the same at Virustotal: http://www.virustotal.com/

======

  • Please UNINSTALL the following programs through the ADD/REMOVE feature of your Control Panel:

    Performance Center
    SpeedscanPro

  • Now, using Windows Explorer, I need you to DELETE the following folder and all its content:

    C:\Program Files\Ascentive

======

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the code box below into it:

SecCenter::
AV: avast! antivirus *Disabled/Outdated* {C37D8F93-0602-E43C-40AA-47DAD597F308}
SP: avast! antivirus *Disabled/Outdated* {781C6E77-2038-EBB2-7A1A-7CA8AE10B9B5}

Save this as CFScript.txt, in the same location as ComboFix.exe

Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

======

Things I need to see in your next reply:

  • Jotti / VirusTotal results
  • ComboFix.txt
  • How are things running?

Best Regards,
oneof4.


#11 Desent


Posted 21 April 2011 - 08:34 AM

Jotti found nothing wrong with the two files. My computer is running great, except for that google is redirecting sometimes. Also, I deleted avast and downloaded Avira (my trial for avast was up) between now and the last time I posted.

Attached Files

  • Attached File  log.txt   14.7KB   5 downloads


#12 oneof4


Posted 22 April 2011 - 10:37 AM

Hi Desent :)

"...except for that google is redirecting sometimes"


Answer three questions for me:

  • Which browser/s are you seeing the redirects in?
  • How often?
  • Can you remember any of the sites that you get redirected to?

Best Regards,
oneof4.


#13 Desent


Posted 23 April 2011 - 01:06 PM

Usually it's the first couple searches of the day (although I don't use google often). It happens on Firefox. Next time it happens I'll post the url.

#14 oneof4


Posted 23 April 2011 - 01:16 PM

Try using IE, along with any other browsers you may have, and let me know if they redirect as well.

Best Regards,
oneof4.


#15 Desent


Posted 24 April 2011 - 10:55 AM

I got Firefox to redirect me: I searched for sports gear, and clicked on http://www.wolverinesports.com/?source=google_sports_equipment&gclid=CMPc1sDAtagCFUSo4Aod61iHCA, but it redirected me to http://www.internetcorkboard.com/search.php?q=Sports+Gear.

I couldn't get internet explorer to redirect, but I only tried 7 searches.



