
Virus Deleting shortcuts and exe files


#1 rayraydayday

Posted 29 July 2011 - 04:51 AM

Hi there,

I have not seen any problems for a while until yesterday! A fake virus scanner popped up again. So I tried running Malwarebytes. The scan starts and then closes! After that, when I click the link to open it, I get this error:

Windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access the item.

I have been opening other applications that just end up doing the same thing! They start to run and then they close and I can no longer open the program!

I am now running in safe mode to try and troubleshoot this problem. I uninstalled and reinstalled Malwarebytes but I got the same result trying to run it in safe mode! The application opens, then I try to start the scan and it closes and I can no longer open Malwarebytes. It gives me the same error as above!

I ran rkill.com and rkill.exe a few times and it was closing ouc.exe, but now it's not seeing that ouc.exe and it's only closing scvhost.exe. Did it clone itself or something?

What is this terrible malware?! Can someone help me? Why the h311 do people make this garbage?

Sorry for my frustration,
Thanks


From my old post


That was my previous post in another area of this forum. I followed the Preparation Guide for use before using malware tools and asking for help and followed the instructions provided. gmer.exe would close after I hit the Scan button, and I could not scan my system with that exe.

Attached is my Attach.txt. This malware seems pretty bad! I hope I can recover!

Thanks,
Greg


#2 rayraydayday

Posted 29 July 2011 - 05:25 AM

gmer.exe is now giving me the same error as stated above. This malware is freaking scary!

#3 rayraydayday

Posted 29 July 2011 - 07:14 PM

Here is my current DDS log:

.
DDS (Ver_2011-06-23.01) - NTFSx86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_21
Run by Owner at 5:40:33 on 2011-07-29
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1471 [GMT -4:00]
.
.
============== Running Processes ===============
.
"\\.\globalroot\Device\svchost.exe\svchost.exe"
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Owner.BLAH\My Documents\Defogger.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = hxxp://www.gateway.com/
uInternet Settings,ProxyOverride = <local>;*.local
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Microsoft Web Test Recorder 10.0 Helper: {dda57003-0068-4ed2-9d32-4d1ec707d94d} - c:\program files\microsoft visual studio 10.0\common7\ide\privateassemblies\Microsoft.VisualStudio.QualityTools.RecorderBarBHO100.dll
TB: {4064EA35-578D-4073-A834-C96D82CBCF40} - No File
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
EB: Web Test Recorder 10.0: {5802d092-1784-4908-8cdb-99b6842d353d} - mscoree.dll
LSP: mswsock.dll
DPF: vzTCPConfig - hxxp://my.verizon.com/micro/speedoptimizer/hsi/vzTCPConfig.CAB
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{1FC3E500-E1E3-4801-996C-C55EF240C937} : DhcpNameServer = 192.168.1.1
TCP: Interfaces\{CC6A4464-5BC3-498F-8B79-8F5F0F5F068E} : DhcpNameServer = 192.168.0.1
TCP: Interfaces\{D950CD80-B76D-4943-9072-4AE13C1EF0C6} : DhcpNameServer = 192.168.1.1
Notify: AtiExtEvent - Ati2evxx.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\owner.blah\application data\mozilla\firefox\profiles\j1zfjwvl.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\tvuplayer\npTVUAx.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
.
---- FIREFOX POLICIES ----
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
.
============= SERVICES / DRIVERS ===============
.
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-6 99328]
R3 HSFHWATI;HSFHWATI;c:\windows\system32\drivers\HSFHWATI.sys [2009-11-30 200192]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 ALSysIO;ALSysIO;\??\c:\docume~1\owner~1.bla\locals~1\temp\alsysio.sys --> c:\docume~1\owner~1.bla\locals~1\temp\ALSysIO.sys [?]
S3 AMDMSRIO;AMDMSRIO;\??\c:\docume~1\admini~1\locals~1\temp\safe to delete 3_0_4_8\amdmsrio.sys --> c:\docume~1\admini~1\locals~1\temp\safe to delete 3_0_4_8\AMDMSRIO.sys [?]
S3 ATICDSDr;ATICDSDr;\??\c:\docume~1\owner~1.bla\locals~1\temp\{1735a~1\atiicdxx.sys --> c:\docume~1\owner~1.bla\locals~1\temp\{1735a~1\atiicdxx.sys [?]
S3 dxdiag;dxdiag;\??\c:\docume~1\owner~1.bla\locals~1\temp\dxdiag.sys --> c:\docume~1\owner~1.bla\locals~1\temp\dxdiag.sys [?]
S3 ESEADriver2;ESEADriver2;c:\docume~1\owner~1.bla\locals~1\temp\ESEADriver2.sys [2011-5-11 50164]
S3 hidusbf;USB Mouse Rate Adjuster Lower Filter by SweetLow;c:\windows\system32\drivers\hidusbf.sys [2011-1-27 4544]
S3 VSPerfDrv100;Performance Tools Driver 10.0;c:\program files\microsoft visual studio 10.0\team tools\performance tools\VSPerfDrv100.sys [2009-12-8 48128]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
S4 Amdegapmmn;Amdegapmmn; [x]
S4 COMServer;COMServer;"c:\windows\system32\msapps\comsrvr.exe" s --> c:\windows\system32\msapps\comsrvr.exe [?]
S4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files\microsoft sql server\100\shared\sqladhlp.exe [2009-7-22 47128]
S4 RsFx0103;RsFx0103 Driver;c:\windows\system32\drivers\RsFx0103.sys [2009-3-30 239336]
S4 SQLAgent$SQLEXPRESS;SQL Server Agent (SQLEXPRESS);c:\program files\microsoft sql server\mssql10.sqlexpress\mssql\binn\SQLAGENT.EXE [2009-3-30 366936]
.
=============== Created Last 30 ================
.
.
==================== Find3M ====================
.
2011-06-07 03:11:17 256 ----a-w- c:\windows\system32\pool.bin
2011-06-07 03:04:33 256 ----a-w- c:\documents and settings\owner.blah\pool.bin
2011-06-05 04:20:41 0 ----a-w- c:\windows\Lziwaripeciluvun.bin
2011-05-04 00:54:14 103720 ----a-w- c:\documents and settings\owner.blah\GoToAssistDownloadHelper.exe
.
============= FINISH: 5:40:41.25 ===============
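
An added example, not from the thread or from the DDS tool itself: a small Python triage script that reads the DDS sections above and flags the entries an analyst would look at first in this log: the process running from a \\.\globalroot device path, processes listed with no directory at all, and drivers loaded from temp folders or whose binary is missing. The sample log is an abridged copy of the one in this post; the section names and flag wording are my own.

```python
import re
# Sample DDS log lines taken from post #3 in this thread (abridged).
SAMPLE_LOG = r"""
============== Running Processes ===============
"\\.\globalroot\Device\svchost.exe\svchost.exe"
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
.
============= SERVICES / DRIVERS ===============
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-6 99328]
S3 ALSysIO;ALSysIO;\??\c:\docume~1\owner~1.bla\locals~1\temp\alsysio.sys --> c:\docume~1\owner~1.bla\locals~1\temp\ALSysIO.sys [?]
S3 ESEADriver2;ESEADriver2;c:\docume~1\owner~1.bla\locals~1\temp\ESEADriver2.sys [2011-5-11 50164]
S4 Amdegapmmn;Amdegapmmn; [x]
============= FINISH: 5:40:41.25 ===============
"""
def sections(log):
    """Split a DDS log into {SECTION NAME: [entry lines]} on its '=== Name ===' headers."""
    current, out = None, {}
    for line in log.splitlines():
        m = re.match(r"^=+\s*(.*?)\s*=+$", line)
        if m:
            current = m.group(1).upper()
            out[current] = []
        elif current and line.strip() not in ("", "."):  # '.' lines are DDS padding
            out[current].append(line)
    return out

def suspicious_processes(lines):
    """Flag entries hiding their location: globalroot device paths or bare image names."""
    hits = []
    for line in lines:
        path = line.strip('"').split(" -k ")[0]   # drop svchost's "-k group" suffix
        if "globalroot" in path.lower() or path.startswith("\\\\.\\"):
            hits.append((path, "device/globalroot path"))
        elif not re.match(r"^[a-z]:\\", path, re.I):
            hits.append((path, "no full path"))
    return hits

def suspicious_drivers(lines):
    """Flag services/drivers whose binary sits under a temp folder or is missing ([x])."""
    hits = []
    for line in lines:
        fields = line.split(";", 2)              # "Sx Name;Display name;binary [...]"
        if len(fields) == 3:
            name, binary = fields[0].split()[-1], fields[2].lower().strip()
            if "\\temp\\" in binary:
                hits.append((name, "binary in temp folder"))
            elif binary.endswith("[x]"):
                hits.append((name, "binary missing"))
    return hits
```

On the full log from this post the same checks also pick up the AMDMSRIO, ATICDSDr and dxdiag entries, which load from temp folders; a driver in a temp folder is not proof of infection, but it is where to start looking.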

#4 rayraydayday

Posted 30 July 2011 - 12:50 PM

I have decided to reformat and reinstall my OS.

#5 Orange Blossom (Moderator)

Posted 05 August 2011 - 12:41 AM

Hello,

Thank you for letting us know. I'm sorry we couldn't get to you sooner. Sometimes a reformat and reinstall is the quickest solution.

Since this issue seems to be resolved, this thread will now be closed.

In case you experience any problems with the computer, please start a new topic.

Happy computing,

Orange Blossom