
Pre attack files inaccessible


11 replies to this topic

#1 kerk

kerk

  • Members
  • 7 posts

Posted 17 April 2011 - 07:19 AM

The title should be Pre attack 'files', but that can't be edited.

Anyway, my computer is a Presario, about 5 years old, supposedly 100 GB hard drive, I have 2 GB ram, Windows XP Home edition, service pack 3 installed.

A couple days ago, an Avira alert came up while online, as usual, it defaulted to the ‘deny access’ option, which I did. Another alert came up immediately after that with the same option, which I clicked. I do not recall if I closed my browser at that point, or if it closed itself, but after that happened, I had no icons (except for ‘trash bin’, ‘MS Explorer’, and ‘Firefox’) on my desktop. And going into my files from ‘My Computer’, the only folder listed on the hard drive was ‘programs’, and in that folder the only file listed was an old, disabled ‘Zone Alarm’ file.

My hard drive still shows that about 28 GB are used, and 58 GB are free when checking properties. When I use the XP search function, it will find the folders and files, but they will appear dimmed, and when right clicking them to explore, explorer will open that folder and show it empty. So I am unable to access any existing files on my computer. Also, on my start menu, the ‘All Files’ option show completely empty, except for a couple programs that were downloaded after this occurred.

I can get online, Firefox, I.E., Thunderbird, Word, and Wordpad are accessible and functioning. I did download ‘Iobit Security 360’ from C-Net. It did install and run, and found some threats, but the problem still exists. Any new programs downloaded are accessible, but none of my old ones are. I also downloaded ‘Ad-Aware’, but it would not install as it said it could not access ‘Visual C++ Runtime 9 Service Pack 1’.

Since this happened, I have only run in 'Safemode with networking'.

Also, I can not open ‘Avira’ to get updates, but it will scan the hard drive when told to do so through the right click menu on my hard drive. And as I watch the scan, it does go through all the old files on the drive.

In ‘Control Panel’ I found ‘Anti virus 2010’, I suspect it is malicious, but the above mentioned security seems to ignore it.

When an uninstall of it is attempted through add and remove, a ‘Run Installation Program’ box appears and states “..An error occurred while trying to remove Antivirus 2010. You do not have access to \\globalroot\systemroot\system 32\userinit exe. You can specify the new uninstall program below..”, which gives a browse window to pick a program, but since I can’t access any programs, it will only browse the programs I have downloaded in the last couple days.

I ran ‘Rkill’, and then by changing MBAM’s name, was able to run it, and it found these:

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\czlsibcevumxmskfuyaxTaskMgr (Hijack.TaskManager) -> Value: czlsibcevumxmskfuyaxTaskMgr -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer (PUM.Bad.Proxy) -> Value: ProxyServer -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\ehclocyj (Trojan.FakeAlert.Gen) -> Value: ehclocyj -> Quarantined and deleted successfully.

Files Infected:
c:\system volume information\_restore{a2578cba-012a-4ee9-9e3d-27d3f494a2b6}\RP1754\A0476489.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.

I rebooted in ‘safemode’, but still have no old files showing up. Everything is basically the same: ‘Anti Virus 2010’ is still listed in ‘Add and remove’, and I can’t update or install Avira, I can only run it off the right click drop down.

Should I reboot out of safemode at this point?

Any ideas?

Thanks, and sorry for posting an essay.

Edited by kerk, 17 April 2011 - 09:23 AM.
Moved from XP to Am I Infected.




#2 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 72,934 posts
  • Gender:Male
  • Location:NJ USA

Posted 17 April 2011 - 05:28 PM

You ran Rkill and MBAM in Safe Mode, correct?
Reboot into Safe Mode with Networking
How to enter safe mode(XP/Vista)
Using the F8 Method
Restart your computer.
When the machine first starts again it will generally list some equipment that is installed in your machine, amount of memory, hard drives installed etc. At this point you should gently tap the F8 key repeatedly until you are presented with a Windows XP Advanced Options menu.
Select the option for Safe Mode with Networking using the arrow keys.
Then press enter on your keyboard to boot into Safe Mode.


>>>> Download this file and doubleclick on it to run it. Allow the information to be merged with the registry.



Next run SUPERAntiSpyware (SAS):

Download and scan with SUPERAntiSpyware Free for Home Users
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download them from here. Double-click on the hyperlink for Download Installer and save SASDEFINITIONS.EXE to your desktop. Then double-click on SASDEFINITIONS.EXE to install the definitions.)
  • In the Main Menu, click the Preferences... button.
  • Click the Scanning Control tab.
  • Under Scanner Options make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen.
  • Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan.
  • Click "Next" to start the scan. Please be patient while it scans your computer.
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes".
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.
If you have a problem downloading, installing or getting SAS to run, try downloading and using the SUPERAntiSpyware Portable Scanner instead. Save the randomly named file (i.e. SAS_1710895.COM) to a usb drive or CD and transfer to the infected computer. Then double-click on it to launch and scan. The file is randomly named to help keep malware from blocking the scanner.


Rerun MBAM (MalwareBytes) like this:

Open MBAM in normal mode and click the Update tab, select Check for Updates; when done,
click the Scanner tab, select Quick scan and scan (normal mode).
After the scan click Remove Selected, post the new scan log and reboot into normal mode.

Please ask any needed questions,post logs and Let us know how the PC is running now.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#3 kerk

kerk
  • Topic Starter

  • Members
  • 7 posts

Posted 17 April 2011 - 05:57 PM

Thanks Boopme, but I've only been running in safe mode with networking.

I haven't been able to open my Super Anti, so I downloaded it again, but when I try to install it I get a 'Window Installer' window that says "The system administrator has set policies to prevent this installation". I've gone back in in safe mode as administrator, but I can't find any setting that controls that, so I wonder if it's just a malware trick. I tried changing the name, but it still won't install.

Anyway, that's where I'm stuck at, I can't get Super Anti to work. I downloaded Spybot also, but it won't install either.

#4 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 72,934 posts
  • Gender:Male
  • Location:NJ USA

Posted 17 April 2011 - 06:58 PM

The system administrator has set policies to prevent this installation

Fix the local security policy.

Open Control Panel and go to Administrative Tools.
In Administrative tools open Local Security Policy.
Then in Local Security Policy right click Software Restriction Policies and click “New Software Restriction Policy”.
Now Left click on software restriction policies and in the right-hand window you should see enforcement.
Double-click on enforcement and set the policy to apply to “ALL USERS EXCEPT LOCAL ADMINISTRATORS”
Now approve the changes and see if you are now able to install software.

If needed run
>>>> Download this file and doubleclick on it to run it. Allow the information to be merged with the registry.

OR

EXE Helper
Please download exeHelper to your desktop.
Double-click on exeHelper.com to run the fix.
A black window should pop up, press any key to close once the fix is completed.
Post the contents of exehelperlog.txt (Will be created in the directory where you ran exeHelper.com, and should open at the end of the scan)

Edited by boopme, 17 April 2011 - 07:02 PM.

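The steps above change the Software Restriction Policy enforcement scope by hand. As an added example (not code from the thread or from any of the tools it mentions), the script below reads and interprets the two HKLM policy locations that can produce the "The system administrator has set policies to prevent this installation" message: the Software Restriction Policies key (DefaultLevel / PolicyScope, the values the Local Security Policy dialog edits) and the Windows Installer DisableMSI policy. The key paths and value meanings are standard Windows ones; on a non-Windows host the registry read is skipped and only the interpretation logic runs on supplied values.

```python
"""Inspect the policies that can block software installation on Windows.

Added example, not from the thread. The interpretation is pure Python so it can
be checked anywhere; the registry read only works on Windows.
"""
try:
    import winreg  # available on Windows only
except ImportError:
    winreg = None

# Software Restriction Policies: what the Local Security Policy dialog edits.
SRP_KEY = r"SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers"
# Windows Installer policy (DisableMSI) - a second, separate cause of the same message.
MSI_KEY = r"SOFTWARE\Policies\Microsoft\Windows\Installer"

DEFAULT_LEVEL = {0x0: "Disallowed", 0x10000: "Basic User", 0x40000: "Unrestricted"}
POLICY_SCOPE = {0: "all users", 1: "all users except local administrators"}
DISABLE_MSI = {1: "disabled for non-managed applications", 2: "always disabled"}


def read_dword_values(subkey):
    """Return {name: DWORD} for HKLM subkey; {} if the key is absent or not on Windows."""
    if winreg is None:
        return {}
    values = {}
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, subkey) as key:
            index = 0
            while True:
                try:
                    name, data, kind = winreg.EnumValue(key, index)
                except OSError:  # no more values
                    break
                if kind == winreg.REG_DWORD:
                    values[name] = data
                index += 1
    except OSError:  # key does not exist
        pass
    return values


def interpret(srp, msi):
    """srp / msi: {value name: DWORD} from SRP_KEY and MSI_KEY (either may be empty).

    Returns human-readable findings; an empty list means neither policy blocks installs.
    """
    findings = []
    level = srp.get("DefaultLevel")
    if level is not None and level != 0x40000:
        scope = POLICY_SCOPE.get(srp.get("PolicyScope", 0), "unknown scope")
        findings.append("SRP default level is %s, enforced for %s"
                        % (DEFAULT_LEVEL.get(level, hex(level)), scope))
    if msi.get("DisableMSI", 0) in DISABLE_MSI:
        findings.append("Windows Installer is %s (DisableMSI=%d)"
                        % (DISABLE_MSI[msi["DisableMSI"]], msi["DisableMSI"]))
    return findings


if __name__ == "__main__":
    for line in interpret(read_dword_values(SRP_KEY), read_dword_values(MSI_KEY)) or ["no install-blocking policy found"]:
        print(line)
```

After boopme's fix (enforcement set to all users except local administrators) the SRP finding would still be reported, but with PolicyScope 1, which is why an administrator account can then install while a restricted default level remains in place; if the policy was planted by malware rather than by an administrator, removing the rule entirely is the cleaner end state.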

#5 kerk

kerk
  • Topic Starter

  • Members
  • 7 posts

Posted 17 April 2011 - 08:23 PM

Thanks Boopme, I'll give it a shot. Also, I just ran MBAM again and got this:

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\LkmHONmnjf (Rogue.Agent.SA) -> Value: LkmHONmnjf -> Quarantined and deleted successfully.

I've hardly been anywhere other than Yahoo, and a couple malware forums. Either it's still coming in, or MBAM missed it last time.

That brings a question to mind: Am I more vulnerable online when I'm in 'safe mode'?

#6 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 72,934 posts
  • Gender:Male
  • Location:NJ USA

Posted 17 April 2011 - 08:57 PM

You're welcome kerk!
You are pretty safe online.

Let's do an Online scan and see if you can update and run SAS?
Be sure NOT to install the Teatimer app in Spybot. I actually don't care for it anymore, not as good as MBAM and SAS.

ESET Online Scanner:

Note: You can use either Internet Explorer or Mozilla FireFox for this scan. You will however need to disable your current installed Anti-Virus, how to do so can be read here.

Vista/Windows 7 users: You will need to right-click on either the IE or FF icon in the Start Menu or Quick Launch Bar on the Taskbar and select Run as Administrator from the context menu.

  • Please go here to run the scan.

    Note: If using Mozilla Firefox you will need to download esetsmartinstaller_enu.exe when prompted then double click on it to install.
    All of the below instructions are compatible with either Internet Explorer or Mozilla FireFox.

  • Select the option YES, I accept the Terms of Use then click on: [button image]
  • When prompted allow the Add-On/Active X to install.
  • Make sure that the option Remove found threats is NOT checked, and the option Scan archives is checked.
  • Now click on Advanced Settings and select the following:
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology
  • Now click on: [button image]
  • The virus signature database... will begin to download. Be patient, this may take some time depending on the speed of your Internet Connection.
  • When completed the Online Scan will begin automatically.
  • Do not touch either the Mouse or keyboard during the scan otherwise it may stall.
  • When completed select Uninstall application on close if you so wish, make sure you copy the logfile first!
  • Now click on: [button image]
  • Use notepad to open the logfile located at C:\Program Files\ESET\EsetOnlineScanner\log.txt.
  • Copy and paste that log as a reply to this topic.
Note: Do not forget to re-enable your Anti-Virus application after running the above scan!

Edited by boopme, 17 April 2011 - 08:58 PM.


#7 kerk

kerk
  • Topic Starter

  • Members
  • 7 posts

Posted 17 April 2011 - 08:57 PM

Tried the Admin Tools in control panel, through user, and administrator both, and the admin tools icon just opens up to a blank page. Same for my printers, usually there are 3 showing, but it also opens up blank.

But I ran EXEhelper, here's the log:

exeHelper by Raktor
Build 20100414
Run at 21:55:37 on 04/17/11
Now searching...
Checking for numerical processes...
Checking for sysguard processes...
Checking for bad processes...
Checking for bad files...
Checking for bad registry entries...
Resetting filetype association for .exe
Resetting filetype association for .com
Resetting userinit and shell values...
Resetting policies...
--Finished--

I'll wait for your advisement.

#8 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 72,934 posts
  • Gender:Male
  • Location:NJ USA

Posted 17 April 2011 - 09:05 PM

You still have this issue? “The system administrator has set policies to prevent this installation”

Can you run ESET?

#9 kerk

kerk
  • Topic Starter

  • Members
  • 7 posts

Posted 17 April 2011 - 11:10 PM

You still have this issue? “The system administrator has set policies to prevent this installation”

Can you run ESET?


Yup, still got the issue, but I managed to get Spybot to install and run by changing its name.

It found some stuff that MBAM didn't, and here's the scan log. You'll see that there are four of the bugs it couldn't fix. I ran it a second time after a re-boot and it found them again and couldn't eliminate them:

Click.GiftLoad: [SBI $89783858] User settings (Registry value, fixed)
HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main\featurecontrol\FEATURE_BROWSER_EMULATION\svchost.exe

Fraud.InternetSecurity2011: [SBI $D14AADAC] Settings (Registry key, fixing failed)
HKEY_LOCAL_MACHINE\System\ControlSet001\Enum\Root\LEGACY_USERINIT\0000

Fraud.InternetSecurity2011: [SBI $D3A45776] Settings (Registry key, fixing failed)
HKEY_LOCAL_MACHINE\System\ControlSet002\Enum\Root\LEGACY_USERINIT\0000

Fraud.InternetSecurity2011: [SBI $95A8AE49] Settings (Registry key, fixing failed)
HKEY_LOCAL_MACHINE\System\ControlSet001\Enum\Root\LEGACY_USERINIT

Fraud.InternetSecurity2011: [SBI $DF31D93D] Settings (Registry key, fixing failed)
HKEY_LOCAL_MACHINE\System\ControlSet002\Enum\Root\LEGACY_USERINIT

Fraud.WindowsRecovery: [SBI $9C8FE954] Settings (Registry value, fixed)
HKEY_USERS\S-1-5-21-1533000283-3194318694-620982708-1009\Software\75fa38b7-8b94-4995-ad32-52e938867954

Fraud.WindowsRecovery: [SBI $597FC39E] Settings (Registry value, fixed)
HKEY_USERS\S-1-5-21-1533000283-3194318694-620982708-1009\Software\BD

Right Media: Tracking cookie (Internet Explorer: Compaq_Owner) (Cookie, fixed)

I haven't tried ESET yet, but will, but not tonight.

Edited by kerk, 17 April 2011 - 11:12 PM.


#10 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 72,934 posts
  • Gender:Male
  • Location:NJ USA

Posted 18 April 2011 - 09:12 AM

It looks like there are issues with Userinit, so run ESET and see if that helps.

#11 kerk

kerk
  • Topic Starter

  • Members
  • 7 posts

Posted 18 April 2011 - 09:29 AM

Since Spybot can find em, but not fix em, MBAM and Avira don't see them, and Super Anti is not allowed to install, is there any way to just eliminate the items below, before I go the ESET route?:

Fraud.InternetSecurity2011: [SBI $D14AADAC] Settings (Registry key, fixing failed)
HKEY_LOCAL_MACHINE\System\ControlSet001\Enum\Root\LEGACY_USERINIT\0000

Fraud.InternetSecurity2011: [SBI $D3A45776] Settings (Registry key, fixing failed)
HKEY_LOCAL_MACHINE\System\ControlSet002\Enum\Root\LEGACY_USERINIT\0000

Fraud.InternetSecurity2011: [SBI $95A8AE49] Settings (Registry key, fixing failed)
HKEY_LOCAL_MACHINE\System\ControlSet001\Enum\Root\LEGACY_USERINIT

Fraud.InternetSecurity2011: [SBI $DF31D93D] Settings (Registry key, fixing failed)
HKEY_LOCAL_MACHINE\System\ControlSet002\Enum\Root\LEGACY_USERINIT

Edited by kerk, 18 April 2011 - 09:31 AM.


#12 kerk

kerk
  • Topic Starter

  • Members
  • 7 posts

Posted 18 April 2011 - 09:34 AM

It looks like there are issues with Userinit,,so run ESET and see if that helps.


Thanks Boop, I put up my last post before I saw yours.



