Infected, then cleaned, but problems still


15 replies to this topic

#1 GeraldUK

GeraldUK

  • Members
  • 88 posts
  • OFFLINE
  • Local time:06:41 PM

Posted 25 April 2011 - 06:01 PM

Not quite sure if this should be in this forum or XP. Am running a Desktop with XP home, 2GB RAM and 500GB (I think) of space.

This afternoon (UK time) I picked up an infection(s) - 10 according to Malwarebytes, 1 according to Avira. Malwarebytes had trojans Fake Alert 3 times, Fake AV 4 times and PUM Hijack Display Property 3 times. Malwarebytes has cleared them. Avira found TR/Kazy which it said was 18603828.exe. This seemed to reappear at each reboot - but no longer.

In "All programs" I now get the response "No programs" when there should be about 50. On my Desktop I had about 25 shortcuts for those programs most in use and half have gone. Luckily IE is still there, hence this request for help, and my email prog, Eudora works after a fashion.

Looking at System Properties all the (logical and physical) drives are recognised, but the glaring problem is that my drive C is shown as just 27GB (when it should be about 150GB from recollection) with 10.2GB free (which is about correct). The other drives seem to show the expected sizes and usages. Unfortunately Windows Explorer has gone as well.

(Defrag and Search do not work, nor does Administrative Tools, so I cannot give you the error messages).

My initial question is how do I restore the parts of C that are not being read or recognised by the system, which, at a guess (and some hope), will put me back to pre-infection?


#2 GeraldUK

GeraldUK
  • Topic Starter

  • Members
  • 88 posts
  • OFFLINE
  • Local time:06:41 PM

Posted 25 April 2011 - 06:04 PM

Sorry, I forgot to add that "System Restore" does not work - and never did!

#3 GeraldUK

GeraldUK
  • Topic Starter

  • Members
  • 88 posts
  • OFFLINE
  • Local time:06:41 PM

Posted 26 April 2011 - 04:20 AM

In my first post I did not make it clear that whilst System Properties showed the other logical drives and expected sizes, I did not look to see what these logical drives contained. The answer is, unfortunately, nothing!

However, this morning I did a complete Malwarebytes scan and saw that when it got to the logical drives referred to above, there were all the expected folders and files being scanned. (The scan results were clear).

My amateur view is that the Trojans have done their bit and something (in the Registry??) is hiding files in certain logical drives, but Malwarebytes can see the missing folders and files and can scan them.

So, the question seems to remain, how can I undo what the Trojans have done?

#4 GeraldUK

GeraldUK
  • Topic Starter

  • Members
  • 88 posts
  • OFFLINE
  • Local time:06:41 PM

Posted 26 April 2011 - 06:27 AM

A further update before lunch:

In My Computer I did the following:
Click the Tools menu, and then click Folder Options.
Click the View tab.
Uncheck "Hide file extensions for known file types."
Under the "Hidden files" folder, select "Show hidden files and folders."
Uncheck "Hide protected operating system files."
Click Apply, and then click OK. (These had all been the opposite way around pre-trojans.)

To my surprise this showed the previously disappeared programs on my Desktop only, although all of them are "greyed out". However, I can launch them and, apart from Eudora, they seem to work OK. Windows Explorer lets me see all my files, but in certain drives these are "greyed out". Whatever the Trojans did, there are still glitches: at Start I still have no programs - so can't look at system error messages - plus the same tiny total size for the C partition.

Anyway, I got back Spybot Search and Destroy and this found a virus "Fraud Windows Recovery" twice as Registry entries. They have been removed.

So, some progress, but still at the stage of trying to rectify what the trojans did.

#5 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,490 posts
  • OFFLINE
  • Gender:Male
  • Location:NJ USA
  • Local time:01:41 PM

Posted 28 April 2011 - 02:49 PM

Hello, Let's run these next and see how it is,


>>>> Download this file and double-click on it to run it. Allow the information to be merged with the registry.

RKill....

Download and Run RKill
  • Please download RKill by Grinler from one of the 4 links below and save it to your desktop.

    Link 1
    Link 2
    Link 3
    Link 4

  • Before we begin, you should disable any anti-malware software you have installed so it does not interfere with RKill running, as some anti-malware software detects RKill as malicious. Please refer to this page if you are not sure how.
  • Double-click on Rkill on your desktop to run it. (If you are using Windows Vista, please right-click on it and select Run As Administrator)
  • A black screen will appear and then disappear. Please do not worry, that is normal. This means that the tool has been successfully executed.
  • If nothing happens or if the tool does not run, please let me know in your next reply.

Do not reboot your computer after running rkill as the malware programs will start again. Or if rebooting is required run it again.


If you continue having problems running rkill.com, you can download iExplore.exe or eXplorer.exe, which are renamed copies of rkill.com, and try them instead.



Next run MBAM (MalwareBytes):

Please download Malwarebytes Anti-Malware and save it to your desktop.
Download Link 1
Download Link 2
MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e. Spybot's TeaTimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
    For instructions with screenshots, please refer to the How to use Malwarebytes' Anti-Malware Guide.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.

Troubleshoot Malwarebytes' Anti-Malware
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#6 GeraldUK

GeraldUK
  • Topic Starter

  • Members
  • 88 posts
  • OFFLINE
  • Local time:06:41 PM

Posted 29 April 2011 - 03:31 AM

Edit: boopme
not: To Insanity & Beyond
2nd edit: Boopme - you can ignore this and see the next post with the Rkill log


An apt name when computers go wrong!

Thanks for the reply.

Before I carry out your instructions I see that the FixExe.reg comes from a Vista folder. I am running XP Home SP3 so just wonder if that file is ok for an XP set-up?
I already have an up-to-date copy of Malwarebytes - free version 1.50.1.1100, which ran and quarantined the trojans it found. Can I use my own version of MBAM or do you refer to a pro version?

Look forward to your response - think the UK is 5 hours ahead of US East Coast time, even more West coast!

Gerald

Edited by GeraldUK, 29 April 2011 - 09:31 AM.


#7 GeraldUK

GeraldUK
  • Topic Starter

  • Members
  • 88 posts
  • OFFLINE
  • Local time:06:41 PM

Posted 29 April 2011 - 10:00 AM

Boopme

Before I did as instructed, I ran my version of Malwarebytes (free one) and Spybot Search & Destroy, both programs returning clean scans.

The first run of Rkill did not turn up anything, the second time I attach the log:

"This log file is located at C:\rkill.log.
Please post this only if requested to by the person helping you.
Otherwise you can close this log when you wish.

Rkill was run on 29/04/2011 at 15:11:37.
Operating System: Microsoft Windows XP


Processes terminated by Rkill or while it was running:

C:\WINDOWS\system32\wuauclt.exe


Rkill completed on 29/04/2011 at 15:11:43. " A VERY quick scan!

Looking it up on Google, I am not sure if this is a virus, but part of Windows XP, perhaps to do with updating. Doing a search turns it up in about 4 other places.

I am not sure what we have achieved? The most obvious errors I get are that Start > All Programs returns an "Empty" for all my programs and in IE the list of favorites has vanished. However, it still exists, as when I added Bleeping Computer to the "empty" list, it told me that it was already a favorite.

Grateful for further thoughts please? Would a Hijack This log help?

Thanks

Gerald

Edited by GeraldUK, 29 April 2011 - 12:22 PM.


#8 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,490 posts
  • OFFLINE
  • Gender:Male
  • Location:NJ USA
  • Local time:01:41 PM

Posted 29 April 2011 - 07:47 PM

Hello, sorry wasn't able to get here till now.
FixExe runs on all OSes... I'll try to be as brief as possible but at the same time, hope you will understand as it can get complicated.

Fixexe.reg is a Registry file that fixes a .exe file association that has been broken, which is usually caused by malware. When .exe file associations are broken, any associated .exe applications cannot be executed, and you will get one of those warnings/errors saying "What do you want to use to open this file", since Windows cannot recognize the file.


OK, that is a legit file. RKill may have seen an infection in it, as they like to use that file. RKill stops a file it sees as possibly infected so that the next scanner tool run will clean it. Once a PC is rebooted RKill drops everything and would need to be run again.

Your free MBAM is fine; updating it also updates the virus database (now at 6475), so I always ask for an update first.


This may be a system file issue, but there is also malware that does this, so one more scan.

Please make sure that you can view all hidden files. Instructions on how to do this can be found here:
How to see hidden files in Windows
This may show the All Programs folder, or just allow the next scan to go in a little deeper.

I'd like us to scan your machine with ESET OnlineScan
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the Posted Image button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on Posted Image to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the Posted Image icon on your desktop.
  • Check Posted Image
  • Click the Posted Image button.
  • Accept any security warnings from your browser.
  • Under scan settings, check Posted Image and check Remove found threats
  • Click Advanced settings and select the following:
    • Scan potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push Posted Image
  • Push Posted Image, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the Posted Image button.
  • Push Posted Image

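A way to check the .exe association that boopme describes before (or after) applying a fix, as an added example written for this thread and not FixExe.reg itself; it assumes PowerShell 2.0 or later, run from an administrator account, and compares the live registry values against the Windows defaults (`.exe` maps to the `exefile` ProgID, whose open command is `"%1" %*`).

```powershell
# Added example for this thread, not FixExe.reg: report whether the .exe file
# association is still the Windows default. Assumes PowerShell 2.0+ as administrator.
function Test-ExeAssociation {
    $problems = @()

    # The .exe extension should map to the 'exefile' ProgID ...
    $progId = (Get-ItemProperty -Path 'Registry::HKEY_CLASSES_ROOT\.exe' `
                 -ErrorAction SilentlyContinue).'(default)'
    if ($progId -ne 'exefile') {
        $problems += ".exe maps to '$progId' (expected 'exefile')"
    }

    # ... and exefile's open command should be exactly  "%1" %*
    # Anything else (typically a path to another program) means every .exe launch
    # is being redirected, which is the breakage boopme describes above.
    $open = (Get-ItemProperty -Path 'Registry::HKEY_CLASSES_ROOT\exefile\shell\open\command' `
               -ErrorAction SilentlyContinue).'(default)'
    if ($open -ne '"%1" %*') {
        $problems += "exefile open command is '$open' (expected '""%1"" %*')"
    }

    # Per-user keys under HKCU\Software\Classes take precedence over the machine-wide
    # ones for that user and normally do not exist for .exe, so report them if present.
    foreach ($key in 'HKCU:\Software\Classes\.exe',
                     'HKCU:\Software\Classes\exefile') {
        if (Test-Path $key) { $problems += "per-user override present: $key" }
    }
    return ,$problems
}

$result = Test-ExeAssociation
if ($result.Count -eq 0) { 'exe association looks intact' } else { $result }
```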

#9 GeraldUK

GeraldUK
  • Topic Starter

  • Members
  • 88 posts
  • OFFLINE
  • Local time:06:41 PM

Posted 30 April 2011 - 06:44 AM

Hi boopme

Thanks for the explanation as to what Fixexe does. My folder attributes had already been changed back by me to the required settings, which I did some time after the first post in this thread when, looking at the properties of some holiday photographs, I saw that they were read-only and hidden! Yes, my MBAM is kept up to date - was 6470, now 6477.

I have run the ESET scan and about 3 hours later it reported nothing found - clean.

I think we may have cleaned up the obvious things since the first plea for help. The most important problem remaining is that Start > All Programs returns an empty. Whilst my most commonly used programs have shortcuts on my desktop, and seem to work OK, there are at least 50% of programs I have lost access to. Looking on Google, I think Microsoft have a fix for this?

I am not too worried about the no show of my favorites in IE as I can add past favorite sites as I come across them again. As I said, the file does exist, as it told me that I already had Bleeping Computer as a favourite, so I overwrote it.

Late last night I booted in Safe Mode and got a very historical set up - very much out of date - almost as the computer came when purchased years ago. Event viewer (system) gave a few error messages as to things that had not loaded. Anyway, I will try it again, and see what I get, and let you know.

As you infer, we might now be trying to deal with the system damage the trojans caused.

Any other steps?

#10 GeraldUK

GeraldUK
  • Topic Starter

  • Members
  • 88 posts
  • OFFLINE
  • Local time:06:41 PM

Posted 30 April 2011 - 09:27 AM

Boopme

Just an update on Safe Mode with networking. I had clicked on Administrator, not my own profile, hence what I saw was the virtually dormant Admin's stuff.

Cheers

Gerald

#11 GeraldUK

GeraldUK
  • Topic Starter

  • Members
  • 88 posts
  • OFFLINE
  • Local time:06:41 PM

Posted 30 April 2011 - 10:23 AM

Boopme

Just an update on the no-show of favorites in IE. I went to my profile and looked for the Favorites folder which, of course, was marked as hidden. I unticked that and I now have my favorites displayed again.

Now, I need to do this for Start>All programs to try and display my programs.

We make progress slowly!

#12 GeraldUK

GeraldUK
  • Topic Starter

  • Members
  • 88 posts
  • OFFLINE
  • Local time:06:41 PM

Posted 30 April 2011 - 03:22 PM

Boopme

Almost there I think. The shortcuts in Programs linked to the Start button were all "hidden". I changed these to unhidden and most of the programs now appear. The 2 which do not are the Windows XP related ones - Accessories and System I think. However, I seem to be able to get to these by right clicking on Start and double clicking in the folders in Programs.

Not terribly elegant but almost there.

I am not sure what I did but on boot I now get a screen saying AutoRunsDisabled and referring to my Adobe Gamma Loaders shortcut. I don't think it is doing anything too serious. How can I get rid of it? Not quite sure what an "Autorun" is - something which polls for update availability?

Cheers

#13 GeraldUK

GeraldUK
  • Topic Starter

  • Members
  • 88 posts
  • OFFLINE
  • Local time:06:41 PM

Posted 01 May 2011 - 02:48 PM

Add/Remove programs causes a lot of h/d activity but nothing appears. Is there a system file which is the shortcut to the various program uninstall/install files?

Anyway, after about 15 minutes of h/d activity a list does appear - although it does not seem to stay in memory - or the folder/Registry where the information is stored.

Aaah - I see - with a reboot the Registry information is retained. OK - this is not a problem now.

Edited by GeraldUK, 01 May 2011 - 04:54 PM.


#14 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,490 posts
  • OFFLINE
  • Gender:Male
  • Location:NJ USA
  • Local time:01:41 PM

Posted 01 May 2011 - 10:21 PM

This infection family will also hide all the files on your computer from being seen. To make your files visible again, please download the following program to your desktop:

Unhide.exe

Once the program has been downloaded, double-click on the Unhide.exe icon on your desktop and allow the program to run. This program will remove the +H, or hidden, attribute from all the files on your hard drives. If there are any files that were purposely hidden by you, you will need to hide them again after this tool is run.
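The mass-hiding boopme describes here, and the Folder Options and Start Menu unhiding Gerald did by hand in posts #4, #11 and #12, can be checked and reversed with a short script; this is an added example written for this thread, not Unhide.exe or any BleepingComputer tool. It assumes PowerShell 2.0 or later, and by default only reports: items carrying the System attribute (desktop.ini, ntuser.dat and the like) are legitimately hidden by Windows and are left alone.

```powershell
# Added example, not Unhide.exe: find user files and folders carrying the Hidden
# attribute, summarise where they cluster, and with -Fix clear the attribute.
# Assumes PowerShell 2.0+. Roots default to the user profile and All Users profile,
# which on XP hold the Desktop, Favorites and Start Menu folders from this thread.
param(
    [string[]]$Roots = @($env:USERPROFILE, $env:ALLUSERSPROFILE),
    [switch]$Fix   # without -Fix nothing is changed
)

function Get-SuspiciousHidden {
    param([string[]]$Roots)
    foreach ($root in $Roots) {
        if (-not (Test-Path $root)) { continue }
        Get-ChildItem -Path $root -Recurse -Force -ErrorAction SilentlyContinue |
            Where-Object {
                # Hidden set, System clear: Windows' own hidden files carry both flags
                (($_.Attributes -band [IO.FileAttributes]::Hidden) -ne 0) -and
                (($_.Attributes -band [IO.FileAttributes]::System) -eq 0) -and
                $_.Name -notmatch '^(desktop\.ini|thumbs\.db|ntuser\.dat.*)$' -and
                $_.Name -notlike '.*'      # dotfiles are hidden on purpose by their apps
            }
    }
}

$hidden = @(Get-SuspiciousHidden -Roots $Roots)

# A few hidden items per folder is normal; hundreds spread across Desktop, Favorites
# and Start Menu is the signature of this infection family.
$hidden | Group-Object { Split-Path $_.FullName -Parent } |
    Sort-Object Count -Descending | Select-Object Count, Name -First 15 |
    Format-Table -AutoSize

Write-Host ("{0} hidden non-system items found under {1}" -f $hidden.Count, ($Roots -join ', '))

if ($Fix) {
    foreach ($item in $hidden) {
        # -bxor removes only the Hidden bit; every other attribute is preserved
        $item.Attributes = $item.Attributes -bxor [IO.FileAttributes]::Hidden
    }
    Write-Host ("Cleared Hidden on {0} items; re-hide anything you hid on purpose." -f $hidden.Count)
}
```

Run it once without `-Fix` to see the per-folder counts, then with `-Fix` (or with `-Roots 'C:\Program Files'` to cover program folders) once the listing looks like the infection's work rather than your own.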

#15 GeraldUK

GeraldUK
  • Topic Starter

  • Members
  • 88 posts
  • OFFLINE
  • Local time:06:41 PM

Posted 02 May 2011 - 07:58 AM

Boopme

Thanks for the email.

I have run Unhide.exe and things seem to be back to normal.

Thank you for your help

Gerald



