
Virus removed start menus and documents


16 replies to this topic

#1 cvandor

Posted 17 May 2011 - 10:49 AM

Recently I removed a virus on my computer using SuperAntiSpyware and Malwarebytes AntiMalware. However it seems that the virus has removed all executable entries from the start menu and all contents from the Documents folder. I also noticed that there are no users in C:\Users, only the folder, "UpdatusUser" remains. Can someone help me recover these files? I have attached the scan logs from both SAS and MBAM.

SAS Scan Log

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 05/16/2011 at 08:23 AM

Application Version : 4.52.1000

Core Rules Database Version : 6504
Trace Rules Database Version: 4316

Scan type : Complete Scan
Total Scan Time : 02:47:18

Memory items scanned : 410
Memory threats detected : 0
Registry items scanned : 14612
Registry threats detected : 1
File items scanned : 33259
File threats detected : 15

Malware.Trace
(x86) HKU\S-1-5-21-2067896838-3830993589-4124492298-1001\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON#SHELL

Trojan.Agent/Gen-IEFake
C:\USERS\CALVIN\APPDATA\LOCAL\TEMP\RARSFX0\H\IEXPLORE.EXE
C:\USERS\CALVIN\APPDATA\LOCAL\TEMP\RARSFX0\PROCS\IEXPLORE.EXE
C:\USERS\CALVIN\APPDATA\LOCAL\TEMP\RARSFX1\H\IEXPLORE.EXE
C:\USERS\CALVIN\APPDATA\LOCAL\TEMP\RARSFX1\PROCS\IEXPLORE.EXE
C:\windows\Prefetch\IEXPLORE.EXE-4A269098.pf
C:\windows\Prefetch\IEXPLORE.EXE-D3EB28ED.pf

Trojan.Agent/Gen-IExplorer[Fake]
C:\USERS\CALVIN\APPDATA\LOCAL\TEMP\RARSFX0\NIRD\IEXPLORE.EXE
C:\USERS\CALVIN\APPDATA\LOCAL\TEMP\RARSFX1\NIRD\IEXPLORE.EXE
C:\windows\Prefetch\IEXPLORE.EXE-ACCF5296.pf

Trojan.Agent/Gen-PEC
C:\USERS\CALVIN\APPDATA\LOCAL\TEMP\RARSFX0\PROCS\EXPLORER.EXE
C:\USERS\CALVIN\APPDATA\LOCAL\TEMP\RARSFX1\PROCS\EXPLORER.EXE
C:\windows\Prefetch\EXPLORER.EXE-9C629685.pf

MBAM Scan Log

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6587

Windows 6.1.7601 Service Pack 1 (Safe Mode)
Internet Explorer 8.0.7601.17514

5/16/2011 10:16:24 AM
mbam-log-2011-05-16 (10-16-24).txt

Scan type: Full scan (C:\|D:\|)
Objects scanned: 335992
Time elapsed: 2 hour(s), 16 minute(s), 21 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 5
Registry Data Items Infected: 3
Folders Infected: 0
Files Infected: 13

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Udocivewavadejuz (Trojan.Hiloti) -> Value: Udocivewavadejuz -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\LLTsVYNvhbVpa (Rogue.Installer.Gen) -> Value: LLTsVYNvhbVpa -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon (Malware.Packer.GenX) -> Value: winlogon -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Drotib (Trojan.Hiloti) -> Value: Drotib -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\adver_id (Malware.Trace) -> Value: adver_id -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Users\Calvin\AppData\Local\hka.exe" -a "C:\Program Files (x86)\Mozilla Firefox 4.0 Beta 12\firefox.exe") Good: (firefox.exe) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Users\Calvin\AppData\Local\hka.exe" -a "C:\Program Files (x86)\Mozilla Firefox 4.0 Beta 12\firefox.exe" -safe-mode) Good: (firefox.exe -safe-mode) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Users\Calvin\AppData\Local\hka.exe" -a "C:\Program Files (x86)\Internet Explorer\iexplore.exe") Good: (iexplore.exe) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
c:\Users\Calvin\AppData\Local\DExingfy.dll (Trojan.Hiloti) -> Quarantined and deleted successfully.
c:\programdata\lltsvynvhbvpa.exe (Rogue.Installer.Gen) -> Quarantined and deleted successfully.
c:\Users\Calvin\winlogon.exe (Malware.Packer.GenX) -> Quarantined and deleted successfully.
c:\Users\Calvin\AppData\Local\ivenufuq.dll (Trojan.Hiloti) -> Quarantined and deleted successfully.
c:\Users\Calvin\AppData\Local\hka.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\Users\Calvin\AppData\Local\jwd.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\Users\Calvin\AppData\Local\microsoft\Windows\temporary internet files\Content.IE5\NAC5QTTH\1008_2_19353[1].exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\Users\Calvin\AppData\LocalLow\Sun\Java\deployment\cache\6.0\55\dde21f7-725ae00f (Trojan.Agent.Gen) -> Quarantined and deleted successfully.
c:\Users\Calvin\AppData\Roaming\Adobe\plugs\mmc314969419.txt (Rogue.Installer.Gen) -> Quarantined and deleted successfully.
c:\Users\Calvin\AppData\Local\Temp\0.4287983670438005.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
c:\Users\Calvin\AppData\Local\Temp\0.9048595686403589.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
c:\Users\Calvin\AppData\Roaming\Adobe\plugs\mmc81.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\programdata\39116536.exe (Trojan.FakeAlert.Gen) -> Quarantined and deleted successfully.

Edit: Moved topic from Win 7 to the more appropriate forum. ~ Animal


#2 quietman7

Posted 17 May 2011 - 12:54 PM

Rescan again with Malwarebytes Anti-Malware (Full Scan) in normal mode and check all items found for removal. Don't forget to check for database definition updates through the program's interface (preferable method) before scanning and to reboot afterwards. Failure to reboot normally will prevent Malwarebytes from removing all the malware. When done, click the Logs tab and copy/paste the contents of the new report in your next reply.

The database in your previous log shows 6587. Last I checked it was 6598.


the virus has removed all executable entries from the start menu and all contents from the Documents folder.

The symptoms you describe can be indicative of a side effect from the HDD Defrag family of rogue security programs which changes file attributes to "hidden", making them appear invisible so the user thinks some of their files have been deleted. Newer variants of the FakeHDD rogue delete Quick Launch and Start Menu items/folders.

Please download unhide.exe by Grinler and save to your Desktop. Double-click on the file to run the tool.

After running it, all files will have the "hidden" attribute removed. This includes files that are normally hidden by the operating system and any files you may have intentionally hidden. The tool is designed not to remove hidden attribute for system files. If Quick Launch and the Start Menu were deleted, unhide.exe will attempt to restore them back to their proper location. When done you will need to restore the hidden attributes to those files manually. To do that, open Windows Explorer, go to Tools > Folder Options > View and make that change there.

Note: Do not clean out your temporary files/folders until this issue is resolved.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#3 cvandor

Posted 17 May 2011 - 01:39 PM

I updated the definitions right before I ran the last scan (which was a full one yesterday), but I updated them again and re-scanned anyway. The new scan log was the same so I didn't post it.

I tried unhide.exe and it worked to some extent. The All-Programs folder executable files are still missing, but my documents are back. I also noticed that the virus left a shortcut called Windows 7 Recovery on my desktop. I right-clicked it and looked at the properties and found that it referred to a file called C:\ProgramData\39116536.exe. Upon investigation I located the file and it was no longer an executable file but of a type "File". There were two other similar files with the names "~39116536" and "~39116536r". Should I delete these files, and is there anything more I can do to return the All-Programs files?

#4 quietman7

Posted 17 May 2011 - 06:57 PM

There were two other similar files with the names "~39116536" and "~39116536r". Should I delete these files?

Yes.


The new scan log was the same so I didn't post it.

Did you rescan in normal mode? Your previous scan was safe mode which is not as effective as a normal mode scan. If you did not do that, then rescan again.


The All-Programs folder executable files are still missing

This is a manual fix for Vista/Windows 7 users:

1. Copy the entire content of this folder:
C:\Users\user_name\AppData\Local\Temp\smtmp\1
and paste it to this folder:
C:\Program Data\Start Menu

2. Copy the entire content of this folder:
C:\Users\user_name\AppData\Local\Temp\smtmp\2
and paste it to this folder:
C:\Users\user_name\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch

3. Copy the entire content of this folder:
C:\Users\user_name\AppData\Local\Temp\smtmp\3
and paste it to this folder:
C:\Users\user-name\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar

4. Copy the entire content of this folder:
C:\Users\user_name\AppData\Local\Temp\smtmp\4
and paste it to this folder:
C:\Program Data\Desktop

-- Note: The "Start Menu", "Quick Launch" and "Desktop" folders are system folders. In order to see them, you need to reconfigure Windows to show hidden files and folders. In Windows Explorer go to Tools > Folder Options and click on the View tab. Under Advanced settings > Files and Folders > Hidden Files and Folders, uncheck "Hide protected operating system files (recommended)" and hit Apply > OK. In order to access the "Start Menu" folder, you may need to that folder as shown here.

If the above does not work, then you can restore the defaults for the Start Menu:
And you can Restore the Administrative Tools folder with Ultimate AdminTools (vista_ultimate_admintools.zip) for Windows Vista.

For any other missing program shortcuts you will probably need to reinstall the application.

#5 cvandor

Posted 19 May 2011 - 04:51 PM

Okay so a couple of things.

First of all, I did 3 separate full scans one after another: MBAM, SAS, and Avast. Both MBAM and SAS returned a clean sheet, but avast found and quarantined the file below, marked as a Win32:Malware-gen.

C:\Users\Calvin\AppData\Local\Temp\cliputil.dll

Something else of note, when I search Google, about half the time the link I click on is redirected to another site. It's not always the same site, but sometimes it causes my avast real-time shield to block some sort of attack or intrusion. When I go back to the search results and click the link again it goes to the proper location. I'm sure this is a sign that there is still an infection lurking.

The methods you posted for returning my start menu to normal worked fine.

#6 quietman7

Posted 19 May 2011 - 05:18 PM

Please download the TDSS Rootkit Removing Tool (TDSSKiller.zip) and save it to your Desktop. <-Important!!!
Be sure to print out and follow all instructions for performing a scan or refer to these instructions with screenshots.

  • Extract (unzip) the file to your desktop and make sure TDSSKiller.exe (the contents of the zipped file) is on the Desktop itself, not within a folder on the Desktop. Vista/Windows 7 users refer to these instructions if you're unsure how to unzip a file.
  • If you don't have an extracting program, you can download TDSSKiller.exe and use that instead.
  • Double-click on TDSSKiller.exe to run the tool for known TDSS variants.
    Vista/Windows 7 users right-click and select Run As Administrator.
  • When the program opens, click the Start Scan button.
  • Do not use the computer during the scan
  • If the scan completes with nothing found, click Close to exit.
  • Any objects found will show in the Scan results - Select action for found objects and offer three options.
  • If an infected file is detected, the default action will be Cure...do not change it.
  • Click Continue > Reboot now to finish the cleaning process.<- Important!!
  • If 'Suspicious' objects are detected, you will be given the option to Skip or Quarantine. Skip will be the default selection. Leave it as such for now.
  • A log file named TDSSKiller_version_date_time_log.txt will be created and saved to the root directory (usually Local Disk C:).
  • Copy and paste the contents of that file in your next reply.
-- If TDSSKiller does not run, try renaming it. To do this, right-click on TDSSKiller.exe, select Rename and give it a random name with the .com file extension (i.e. 123abc.com). If you do not see the file extension, please refer to these instructions. In some cases it may be necessary to redownload TDSSKiller and randomly rename it before downloading and saving to the computer.

-- For any files detected as 'Suspicious' (except those identified as Forged to be cured after reboot) get a second opinion by submitting to Jotti's virusscan or VirusTotal. In the "File to upload & scan" box, browse to the location of the suspicious file and submit (upload) it for scanning/analysis.

#7 cvandor

Posted 19 May 2011 - 10:37 PM

I ran TDSSKiller and it returned no results. However, I ran an avast Boot-Time scan and came out with these results:

05/19/2011 17:56
Scan of all local drives

File C:\Users\Calvin\AppData\Local\Temp\jar_cache2700413892554637661.tmp|>google\gijupo.class is infected by Java:Agent-HO [Expl], Moved to chest

File C:\Users\Calvin\AppData\Local\Temp\jar_cache2700413892554637661.tmp|>google\kilop.class is infected by Java:Agent-HP [Expl], Moved to chest

File C:\Users\Calvin\AppData\Local\Temp\jar_cache2700413892554637661.tmp|>google\lighmap.class is infected by Java:Agent-HQ [Expl], Moved to chest

File C:\Users\Calvin\AppData\Local\Temp\jar_cache8323617692826027411.tmp|>google\gijupo.class is infected by Java:Agent-HO [Expl], Moved to chest

File C:\Users\Calvin\AppData\Local\Temp\jar_cache8323617692826027411.tmp|>google\kilop.class is infected by Java:Agent-HP [Expl], Moved to chest

File C:\Users\Calvin\AppData\Local\Temp\jar_cache8323617692826027411.tmp|>google\lighmap.class is infected by Java:Agent-HQ [Expl], Moved to chest

File C:\Users\Calvin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\27\ac8c29b-49d468a4|>favort\siurele.class is infected by Java:Agent-HF [Expl], Moved to chest

File C:\Users\Calvin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\3\465c2a43-669f6a8b|>olig\arel.class is infected by Java:Agent-EH [Expl], Moved to chest

File C:\Users\Calvin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\3\465c2a43-669f6a8b|>olig\arena.class is infected by Java:Agent-EG [Expl], Moved to chest

File C:\Users\Calvin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\3\465c2a43-669f6a8b|>olig\arep.class is infected by Java:Agent-EE [Expl], Moved to chest

File C:\Users\Calvin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\3\465c2a43-669f6a8b|>olig\aret.class is infected by Java:Agent-GE [Expl], Moved to chest

File C:\Users\Calvin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\3\465c2a43-669f6a8b|>manty\rova.class is infected by Java:Agent-FP [Expl], Moved to chest

File C:\Users\Calvin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\3\465c2a43-669f6a8b|>manty\zimbie.class is infected by Java:Agent-EI [Expl], Moved to chest

File C:\Users\Calvin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\3\465c2a43-669f6a8b|>manty\ronozi.class is infected by Java:Agent-EB [Expl], Moved to chest

File C:\Users\Calvin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\3\465c2a43-669f6a8b|>manty\peleza.class is infected by Java:Agent-GJ [Expl], Moved to chest

File C:\Users\Calvin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\61\23dbfa3d-294aba6b|>olig\arel.class is infected by Java:Agent-EH [Expl], Moved to chest

File C:\Users\Calvin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\61\23dbfa3d-294aba6b|>olig\arena.class is infected by Java:Agent-EG [Expl], Moved to chest

File C:\Users\Calvin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\61\23dbfa3d-294aba6b|>olig\arep.class is infected by Java:Agent-EE [Expl], Moved to chest

File C:\Users\Calvin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\61\23dbfa3d-294aba6b|>olig\aret.class is infected by Java:Agent-GE [Expl], Moved to chest

File C:\Users\Calvin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\61\23dbfa3d-294aba6b|>manty\rova.class is infected by Java:Agent-FP [Expl], Moved to chest

File C:\Users\Calvin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\61\23dbfa3d-294aba6b|>manty\zimbie.class is infected by Java:Agent-EI [Expl], Moved to chest

File C:\Users\Calvin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\61\23dbfa3d-294aba6b|>manty\ronozi.class is infected by Java:Agent-EB [Expl], Moved to chest

File C:\Users\Calvin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\61\23dbfa3d-294aba6b|>manty\peleza.class is infected by Java:Agent-GJ [Expl], Moved to chest

File C:\Windows\System32\config\RegBack\SYSTEM is infected by Win32:KillAV-AHY [Rtk], Move to chest: Error 0xC0000043 {A file cannot be opened because the share access flags are incompatible.}, Delete: Error 0xC0000043 {A file cannot be opened because the share access flags are incompatible.}, Move to chest: Error 0xC0000043 {A file cannot be opened because the share access flags are incompatible.}, Move to chest: Error 0xC0000043 {A file cannot be opened because the share access flags are incompatible.}, Move to chest: Error 0xC0000043 {A file cannot be opened because the share access flags are incompatible.}, Move to chest: Error 0xC0000043 {A file cannot be opened because the share access flags are incompatible.}, Move to chest: Error 0xC0000043 {A file cannot be opened because the share access flags are incompatible.}, Move to chest: Error 0xC0000043 {A file cannot be opened because the share access flags are incompatible.}, Move to chest: Error 0xC0000043 {A file cannot be opened because the share access flags are incompatible.}, Move to chest: Error 0xC0000043 {A file cannot be opened because the share access flags are incompatible.}, Move to chest: Error 0xC0000043 {A file cannot be opened because the share access flags are incompatible.}, Move to chest: Error 0xC0000043 {A file cannot be opened because the share access flags are incompatible.}, Move to chest: Error 0xC0000043 {A file cannot be opened because the share access flags are incompatible.}, Move to chest: Error 0xC0000043 {A file cannot be opened because the share access flags are incompatible.}, Move to chest: Error 0xC0000043 {A file cannot be opened because the share access flags are incompatible.}, Repair: Error 42060 {The file was not repaired.}, Delete: Error 0xC0000043 {A file cannot be opened because the share access flags are incompatible.}, Delete: Error 0xC0000043 {A file cannot be opened because the share access flags are incompatible.}, Delete: Error 0xC0000043 {A file cannot be 
opened because the share access flags are incompatible.}, Delete: Error 0xC0000043 {A file cannot be opened because the share access flags are incompatible.}, Move to chest: Error 0xC0000043 {A file cannot be opened because the share access flags are incompatible.}, Delete: Error 0xC0000043 {A file cannot be opened because the share access flags are incompatible.}, Move to chest: Error 0xC0000043 {A file cannot be opened because the share access flags are incompatible.}, Delete: Error 0xC0000043 {A file cannot be opened because the share access flags are incompatible.}, Move to chest: Error 0xC0000043 {A file cannot be opened because the share access flags are incompatible.}, Delete: Error 0xC0000043 {A file cannot be opened because the share access flags are incompatible.}, Move to chest: Error 0xC0000043 {A file cannot be opened because the share access flags are incompatible.}, Delete: Error 0xC0000043 {A file cannot be opened because the share access flags are incompatible.}

File C:\Windows\System32\config\SYSTEM is infected by Win32:KillAV-AHY [Rtk], Move to chest: Error 0xC0000043 {A file cannot be opened because the share access flags are incompatible.}

File C:\Windows\System32\wdi\ShutdownPerformanceDiagnostics_SystemData.bin is infected by Win32:KillAV-AHY [Rtk], Moved to chest

Number of searched folders: 36881
Number of tested files: 1930394
Number of infected files: 25

#8 quietman7

Posted 20 May 2011 - 05:14 AM

Please perform a scan with Eset Online Anti-virus Scanner.
  • If using Mozilla Firefox, you will be prompted to download and use the ESET Smart Installer. Just double-click on esetsmartinstaller_enu.exe to install.
  • Vista/Windows 7 users need to run Internet Explorer/Firefox as Administrator. To do this, right-click on the IE icon in the Start Menu or Quick Launch Bar on the Taskbar and select Run As Administrator from the context menu.
  • Click the green [image] button.
  • Read the End User License Agreement and check the box:
  • Check [image].
  • Click the [image] button.
  • Accept any security warnings from your browser and allow the download/installation of any required files.
  • Under scan settings, check [image] and make sure that the option Remove found threats is NOT checked.
  • Click Advanced settings and select the following:
    • Scan potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • Click the Start button.
  • ESET will install itself, download virus signature database updates, and begin scanning your computer.
  • The scan will take a while so be patient and do NOT use the computer while the scan is running. Keep all other programs and windows closed.
  • When the scan completes, push [image].
  • Push [image], and save the file to your desktop as ESETScan.txt.
  • Push the [image] button, then Finish.
  • Copy and paste the contents of ESETScan.txt in your next reply. If no threats are found, there is no option to create a log.


#9 cvandor

Posted 20 May 2011 - 02:31 PM

Here are the results:

C:\Users\Calvin\AppData\Local\Mozilla\Firefox\Profiles\83kxt3kw.default\Cache\5\E5\9A2DBd01 JS/Kryptik.AI trojan

C:\Users\Calvin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\27\ac8c29b-49d468a4 Java/TrojanDownloader.OpenStream.NBW trojan

C:\Users\Calvin\Downloads\winamp561_full_emusic-7plus_en-us.exe Win32/OpenCandy application

D:\SW2010_SP0.0\sw2k10sp0.0_cracks.rar probably a variant of Win32/Agent.LWTYPIJ trojan

#10 quietman7

Posted 20 May 2011 - 03:19 PM

Rerun Eset Online Anti-virus Scanner again, but this time under scan settings, be sure to check the option to Remove found threats. Save the log as before and copy and paste the contents in your next reply.

#11 cvandor

Posted 21 May 2011 - 02:46 PM

Here's the second scan:

C:\Users\Calvin\AppData\Local\Mozilla\Firefox\Profiles\83kxt3kw.default\Cache\5\E5\9A2DBd01 JS/Kryptik.AI trojan cleaned by deleting - quarantined

C:\Users\Calvin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\27\ac8c29b-49d468a4 Java/TrojanDownloader.OpenStream.NBW trojan deleted - quarantined

C:\Users\Calvin\Downloads\winamp561_full_emusic-7plus_en-us.exe Win32/OpenCandy application deleted - quarantined

D:\SW2010_SP0.0\sw2k10sp0.0_cracks.rar probably a variant of Win32/Agent.LWTYPIJ trojan deleted - quarantined

On a side note, I restarted my computer and a "RunDLL" message came up saying, "There was a problem starting C:\Users\Calvin\AppData\Local\Temp\cliputil.dll The specified module could not be found."

I opened up MSCONFIG and found an item called "dvdunify", Manufacturer: Unknown, Command: rundll32 "C;\Users\Calvin\AppData\Local\Temp\cliputil.dll",CreateProcessNotify, Location: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run. I assume there should not be a startup program from my temporary files folder. Possibly related to the infection?

Edited by cvandor, 21 May 2011 - 06:43 PM.


#12 quietman7

Posted 21 May 2011 - 08:09 PM

It's not unusual to receive such an error(s) when "booting up" after using anti-virus and other security scanning tools to remove a malware infection.

RunDLL32.exe is a legitimate Windows file that executes/loads .dll (Dynamic Link Library) modules, which can themselves be legitimate or sometimes malware related. A RunDLL "Error loading..." or "specified module could not be found" message usually occurs when the .dll file(s) set to run at startup in the registry has been deleted. Windows is trying to load this file but cannot locate it, since the file was most likely removed during an anti-virus or anti-malware scan. However, an associated orphaned registry entry still remains and is telling Windows to load the file when you boot up. Since the file no longer exists, Windows will display an error message. You need to remove this registry entry so Windows stops searching for the file when it loads.

To resolve this, download Autoruns, search for the related entry and then delete it.
  • Create a new folder on your hard drive called AutoRuns (C:\AutoRuns) and extract (unzip) the file there.
    Vista/Windows 7 users refer to these instructions.
  • Open the folder and double-click on autoruns.exe to launch it.
    Vista/Windows 7 users right-click and select Run As Administrator.
  • Please be patient as it scans and populates the entries.
  • When done scanning, it will say Ready at the bottom.
  • Scroll through the list and look for a startup entry related to the file(s) in the error message.
  • If found, right-click on the entry and choose delete.
  • Reboot your computer and see if the startup error returns.
If you're going to keep and use Autoruns, be sure to read:
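The orphaned-entry condition quietman7 describes above, and the Temp-folder startup item cvandor found in MSCONFIG, can be checked for directly. The following is an added example (not from the thread, and not Autoruns): it enumerates the Run keys, extracts the file each command actually loads (the DLL for a rundll32 command), and flags entries whose target is missing or lives under a Temp folder. It is read-only; the sample command line is reconstructed from cvandor's post.

```powershell
# Added example, not from the thread or from Autoruns: enumerate the Run keys
# and flag entries whose target file no longer exists (the orphaned entry
# behind the "RunDLL ... module could not be found" message) or whose target
# lives under a Temp folder, as the "dvdunify" entry did. Read-only.

$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run'
)

# Registry-provider metadata that Get-ItemProperty adds alongside real values.
$metaProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

function Get-AutostartTarget {
    # Pulls the file a Run command actually loads out of the command line:
    #   rundll32 "C:\x\y.dll",Entry   -> C:\x\y.dll
    #   "C:\Program Files\a.exe" /q   -> C:\Program Files\a.exe
    #   C:\a.exe /q                   -> C:\a.exe
    param([string]$Command)

    $cmd = [Environment]::ExpandEnvironmentVariables($Command.Trim())
    # rundll32 (bare or with a path, quoted or not) followed by the DLL; the DLL
    # path ends at the comma before the export name or at the closing quote.
    if ($cmd -match '^"?[^"\s]*rundll32(?:\.exe)?"?\s+"?([^",]+)"?') { return $Matches[1].Trim() }
    if ($cmd -match '^"([^"]+)"') { return $Matches[1] }
    return ($cmd -split '\s+')[0]
}

function Get-RunEntryReport {
    param([string[]]$Keys = $runKeys)

    foreach ($key in $Keys) {
        if (-not (Test-Path $key)) { continue }          # e.g. no Wow6432Node on 32-bit
        $values = Get-ItemProperty -Path $key
        foreach ($prop in $values.PSObject.Properties) {
            if ($metaProps -contains $prop.Name) { continue }
            $target = Get-AutostartTarget -Command ([string]$prop.Value)
            $exists = ($target -ne '') -and (Test-Path -LiteralPath $target)
            [pscustomobject]@{
                Key      = $key
                Name     = $prop.Name
                Command  = [string]$prop.Value
                Target   = $target
                Orphaned = -not $exists
                # %TEMP% on XP and on Vista/7 both end in \Temp\
                FromTemp = ($target -match '\\Temp\\')
            }
        }
    }
}

# Constructed sample: the command cvandor found in MSCONFIG, with the drive
# letter written as C:. Shows what the parser extracts from a rundll32 line.
$sample = 'rundll32 "C:\Users\Calvin\AppData\Local\Temp\cliputil.dll",CreateProcessNotify'
Write-Host "Sample target: $(Get-AutostartTarget -Command $sample)"

# Report only the entries worth a second look.
Get-RunEntryReport |
    Where-Object { $_.Orphaned -or $_.FromTemp } |
    Format-Table Key, Name, Target, Orphaned, FromTemp -AutoSize
```

Once an entry is confirmed orphaned, the corresponding Autoruns delete is `Remove-ItemProperty -Path <Key> -Name <Name>`, which accepts `-WhatIf` for a dry run.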

#13 Mike2525

Posted 23 May 2011 - 10:31 AM

After running the unhide tool you may still be missing most of your start menu shortcuts… They can be found in a folder named smtmp inside:

(XP)- C:\Documents and Settings\Username\Local Settings\Temp
(W7)- C:\Users\Username\AppData\Local\Temp

In my case there were three numbered folders inside C:\Documents and Settings\Username\Local Settings\Temp\smtmp folder. The folders were numbered 1, 2 and 4.

Inside the 1 folder was a folder named “Programs.” This folder should be copied / pasted (using XP) to C:\Documents and Settings\All Users\Start Menu, which will already have a folder named Programs, but it is safe to overwrite it since Windows will replace the subfolders without creating duplicates.

Inside the 2 folder (for me) were the quick launch items specific for the user. Select ALL of these shortcuts and copy / paste to (using XP) C:\Documents and Settings\Username\Application Data\Microsoft\Internet Explorer\Quick Launch.

Inside the 4 folder were the desktop items that should be copied to C:\Documents and Settings\All Users\Desktop.

For Windows 7 users, the all users start menu is C:\ProgramData\Microsoft\Windows\Start Menu\Programs and the all users desktop folder is C:\Users\Public\Desktop

Mike
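The recovery procedure described by quietman7 (unhide.exe in post #2, the four smtmp folders in post #4) and the folder mapping Mike2525 gives above can be done from one script. This is an added example, not from the thread or from unhide.exe: it clears the Hidden attribute on non-system files under a profile and copies each numbered smtmp folder back to its Windows 7 destination. It assumes Windows Vista/7 paths, an elevated PowerShell 3.0+ prompt, and the current user's profile unless `-UserProfile` is given; run it with `-WhatIf` first to preview.

```powershell
# Added example, not from the thread or any tool it names: recover the Start
# Menu, Quick Launch and Desktop shortcuts a FakeHDD-style rogue moved into
# %TEMP%\smtmp, and clear the Hidden attribute it set on user files.
# smtmp number -> destination follows quietman7's post #4; the Windows 7
# All Users paths follow Mike2525's post #13. Run elevated; use -WhatIf first.
#Requires -Version 3.0
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # Profile whose Temp\smtmp folder is examined (assumed: the current user).
    [string]$UserProfile = $env:USERPROFILE
)

$smtmp       = Join-Path $UserProfile 'AppData\Local\Temp\smtmp'
$quickLaunch = Join-Path $UserProfile 'AppData\Roaming\Microsoft\Internet Explorer\Quick Launch'

# Where the rogue took each numbered folder's contents from.
$destinations = @{
    '1' = Join-Path $env:ProgramData 'Microsoft\Windows\Start Menu'  # receives "Programs"
    '2' = $quickLaunch
    '3' = Join-Path $quickLaunch 'User Pinned\TaskBar'
    '4' = Join-Path $env:PUBLIC 'Desktop'                            # All Users desktop
}

function Clear-HiddenAttribute {
    # What quietman7 describes unhide.exe doing: drop Hidden from files, but
    # leave anything that also carries the System attribute (desktop.ini,
    # NTUSER.DAT, ...) untouched. Files only; folder attributes are not changed.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([string]$Root)

    $hidden = [IO.FileAttributes]::Hidden
    $system = [IO.FileAttributes]::System
    $fixed  = 0
    $files  = Get-ChildItem -LiteralPath $Root -Recurse -Force -File -ErrorAction SilentlyContinue |
        Where-Object { ($_.Attributes -band $hidden) -and -not ($_.Attributes -band $system) }
    foreach ($f in $files) {
        if ($PSCmdlet.ShouldProcess($f.FullName, 'Remove Hidden attribute')) {
            $f.Attributes = $f.Attributes -bxor $hidden   # Hidden is known to be set
            $fixed++
        }
    }
    return $fixed
}

function Restore-SmtmpFolder {
    # Copies everything under $Source into $Destination, merging with what is
    # already there (an existing "Programs" folder is merged, not duplicated).
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([string]$Source, [string]$Destination)

    if (-not (Test-Path -LiteralPath $Source)) { return 0 }
    if (-not (Test-Path -LiteralPath $Destination)) {
        New-Item -ItemType Directory -Path $Destination -Force | Out-Null
    }
    $items = @(Get-ChildItem -LiteralPath $Source -Force)
    foreach ($item in $items) {
        if ($PSCmdlet.ShouldProcess($item.FullName, "Copy into $Destination")) {
            Copy-Item -LiteralPath $item.FullName -Destination $Destination -Recurse -Force
        }
    }
    return $items.Count
}

Write-Host "Clearing Hidden attribute on non-system files under $UserProfile"
$count = Clear-HiddenAttribute -Root $UserProfile
Write-Host "  $count file(s) unhidden"

if (-not (Test-Path -LiteralPath $smtmp)) {
    Write-Host "No $smtmp folder found; the shortcuts were not stashed there."
} else {
    foreach ($number in ($destinations.Keys | Sort-Object)) {
        $count = Restore-SmtmpFolder -Source (Join-Path $smtmp $number) -Destination $destinations[$number]
        Write-Host ("  smtmp\{0} -> {1}: {2} item(s) restored" -f $number, $destinations[$number], $count)
    }
}
```

As with unhide.exe, any files you had hidden on purpose under the profile lose that attribute and have to be re-hidden by hand afterwards.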

#14 cvandor

Posted 23 May 2011 - 12:54 PM

I am still having the Google re-direct problem.

#15 quietman7

Posted 23 May 2011 - 08:53 PM

Some infections are difficult to remove completely because of their morphing characteristics, which allow the malware to regenerate itself or infect critical system files which cannot be cleaned. Sometimes there is an undetected hidden piece of malware such as a rootkit which protects malicious files and registry keys so they cannot be permanently deleted. Disinfection will probably require the use of more powerful tools than we recommend in this forum. Before that can be done you will need to create and post a DDS log for further investigation.

Please read the "Preparation Guide".
  • If you cannot complete a step, then skip it and continue with the next.
  • In Step 7 there are instructions for downloading and running DDS which will create a Pseudo HJT Report as part of its log.
When you have done that, post your log in the Virus, Trojan, Spyware, and Malware Removal Logs forum, NOT here, for assistance by the Malware Response Team Experts. A member of the Team will walk you through, step by step, on how to clean your computer. If you post your log back in this thread, the response from the Malware Response Team will be delayed because your post will have to be moved. This means it will fall in line behind any others posted that same day.

Start a new topic, give it a relevant title and post your log along with a brief description of your problem, a summary of any anti-malware tools you have used and a summary of any steps that you have performed on your own. An expert will analyze your log and reply with instructions advising you what to fix. After doing this, please reply back here with a link to the new topic so we can close this one.
