
"Security Protection designed to protect" infection


This topic is locked
16 replies to this topic

#1 GrayT

  • Members
  • 8 posts

Posted 17 August 2011 - 11:31 PM

My computer is infected with the "Security Protection designed to protect" malware described at the bleepingcomputer web page, http://www.bleepingcomputer.com/virus-removal/remove-security-protection

However, I was not able to remove it using the instructions from the web page.

The first thing I tried was starting up the computer in Safe Mode and using System Restore to go back 2 days in time. That didn't fix it. Then I found the bleepingcomputer web page, which exactly described the symptoms: fake scan window, can't run programs, and web pages redirected to strange ad web sites.

I tried running TDSSKiller, but it will only scan for a few seconds, and then it suddenly stops running and disappears.

When I try to run Malwarebytes, the same thing happens. It scans for a while, maybe 20 seconds, then dies and disappears.

When I try running rkill, I get a popup that says Installation Failed, but it still seems to run. Then all the desktop icons disappear, and I get the "Windows is running in safe mode" window, like Safe Mode is restarting from the beginning. I click Yes to start Safe Mode, and I'm back to where I started.

I attempted to do the steps in the bleepingcomputer "Preparation Guide for Use Before Using Malware Removal Tools and Requesting Help". I enabled the Windows firewall (it was already enabled), ran DeFogger (it didn't find anything to disable), and ran DDS successfully, which created the log files DDS.txt and Attach.txt.

When I tried to run GMER, I got the same bad effect as the other programs. It would scan for a little while and then stop and disappear. After running it a few times, I knew when it was about to die, so I stopped the scan and saved a partial report. But it seems like the program is never allowed to complete its scan.

If you have seen this before, please help! Thank you in advance.

Here is the dds.txt log:

.
DDS (Ver_2011-06-23.01) - NTFSx86 NETWORK
Internet Explorer: 8.0.6001.18702
Run by A Chou at 19:28:20 on 2011-08-17
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2047.1732 [GMT -7:00]
.
.
============== Running Processes ===============
.
C:\WINDOWS\1567235537:786601378.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\taskmgr.exe
E:\Defogger.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.yahoo.com/
uSearch Page = hxxp://www.google.com
uDefault_Page_URL = hxxp://www.dell4me.com/mywaybiz
uSearch Bar = hxxp://bfc.myway.com/search/de_srchlft.html?p=DS
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = hxxp://www.dell4me.com/mywaybiz
uInternet Settings,ProxyServer = http=127.0.0.1:59274
uInternet Settings,ProxyOverride = <local>
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 6.0\reader\activex\AcroIEHelper.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.5.0_09\bin\ssv.dll
BHO: Search Toolbar: {9d425283-d487-4337-bab6-ab8354a81457} - c:\program files\search toolbar\SearchToolbar.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar4.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar4.dll
TB: Search Toolbar: {9d425283-d487-4337-bab6-ab8354a81457} - c:\program files\search toolbar\SearchToolbar.dll
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
TB: &Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Startup Cop Pro Startup Launcher] c:\program files\pc magazine utilities\startup cop pro\StartupCopPro.exe /startup
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
uRun: [Google Update] "c:\documents and settings\a chou\local settings\application data\google\update\GoogleUpdate.exe" /c
mRun: [Apoint] c:\program files\apoint\Apoint.exe
mRun: [<NO NAME>]
mRun: [IntelWireless] c:\program files\intel\wireless\bin\ifrmewrk.exe /tf Intel PROSet/Wireless
mRun: [DVDLauncher] "c:\program files\cyberlink\powerdvd\DVDLauncher.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [IMEKRMIG6.1] c:\windows\ime\imkr6_1\IMEKRMIG.EXE
mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [SunJavaUpdateSched] c:\program files\java\jre1.5.0_09\bin\jusched.exe
mRun: [dellsupportcenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P dellsupportcenter
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe
StartupFolder: c:\docume~1\achou~1\startm~1\programs\startup\dropbox.lnk - c:\documents and settings\a chou\application data\dropbox\bin\Dropbox.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_09\bin\ssv.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~4\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office12\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
LSP: mswsock.dll
Trusted Zone: aol.com\free
Trusted Zone: intuit.com\ttlc
Trusted Zone: turbotax.com
DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} - hxxp://www.musicnotes.com/download/mnviewer.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab
DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://tutorvista.webex.com/client/v_mywebex-t20/webex/ieatgpc.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: DhcpNameServer = 68.94.156.1 68.94.157.1
TCP: Interfaces\{B34B7DA2-2448-45C5-BDB2-663AABC5589A} : DhcpNameServer = 68.94.156.1 68.94.157.1
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: IntelWireless - c:\program files\intel\wireless\bin\LgNotify.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\a chou\application data\mozilla\firefox\profiles\atun6o7h.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com
FF - prefs.js: keyword.URL - hxxp://www.bing.com/search?pc=ZUGO&form=ZGAADF&q=
.
============= SERVICES / DRIVERS ===============
.
S2 TabletServiceWacom;TabletServiceWacom;c:\windows\system32\Wacom_Tablet.exe [2010-4-9 4718888]
.
=============== Created Last 30 ================
.
2011-08-15 04:29:31 -------- d-----w- c:\windows\system32\wbem\repository\FS
2011-08-15 04:29:31 -------- d-----w- c:\windows\system32\wbem\Repository
.
==================== Find3M ====================
.
2011-06-23 12:05:13 385024 ------w- c:\windows\system32\html.iec
2011-06-02 14:02:05 1858944 ----a-w- c:\windows\system32\win32k.sys
2010-10-01 09:11:56 462112 ----a-w- c:\program files\common files\ZugoInstaller.exe
.
============= FINISH: 19:29:51.55 ===============


-----------------------------------------------------------------------------
I have attached three files:

attach.txt from DDS

ark1.txt from GMER (I stopped the scan manually before it could die)

ark3.txt from GMER (Subsequent attempt, stopped the scan manually before it could die, longer report)

-------------------------------------------------------------------------------

If you can help, it will be GREATLY appreciated!

Attached Files
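Added example (not from GrayT's post or from any of the BleepingComputer tools): a small Python triage script that reads a DDS-style log such as the one above and flags the three indicators a helper would look at first: the loopback ProxyServer entry, the process under C:\WINDOWS whose name contains a colon, and the overridden Firefox keyword.URL. The embedded sample log is constructed from the shape of the posted log, not copied from the attachment.

```python
"""Triage of a DDS-style log for the indicators visible in this thread.

Added example, not part of the original post. It splits the log into its
'=== Heading ===' sections and flags (1) a user-level loopback proxy,
(2) a running process whose path has a colon inside the file name, which
means the executable lives in an NTFS alternate data stream, and (3) an
overridden Firefox keyword.URL. SAMPLE_LOG is a constructed abridgement.
"""
import re
from typing import Dict, List

# Constructed sample modelled on the log in post #1 (abridged).
SAMPLE_LOG = """\
============== Running Processes ===============
C:\\WINDOWS\\1567235537:786601378.exe
C:\\WINDOWS\\system32\\svchost -k DcomLaunch
C:\\WINDOWS\\explorer.exe
============== Pseudo HJT Report ===============
uStart Page = hxxp://www.yahoo.com/
uInternet Settings,ProxyServer = http=127.0.0.1:59274
uInternet Settings,ProxyOverride = <local>
TCP: DhcpNameServer = 68.94.156.1 68.94.157.1
================= FIREFOX ===================
FF - prefs.js: keyword.URL - hxxp://www.bing.com/search?pc=ZUGO&form=ZGAADF&q=
"""

SECTION_RE = re.compile(r"^=+\s*(.+?)\s*=+$")
# Matches "ProxyServer = http=127.0.0.1:59274" as well as "ProxyServer = 127.0.0.1:59274".
LOOPBACK_PROXY_RE = re.compile(
    r"ProxyServer\s*=\s*(?:\w+=)?(127\.\d{1,3}\.\d{1,3}\.\d{1,3}|localhost):(\d+)"
)
# Drive letter and path, then a second colon inside the last path component.
ADS_PATH_RE = re.compile(r"^[A-Za-z]:\\(?:[^\\:]+\\)*[^\\:]+:[^\\]+$")
KEYWORD_URL_RE = re.compile(r"keyword\.URL\s*[-=]\s*(\S+)")


def split_sections(log_text: str) -> Dict[str, List[str]]:
    """Group non-empty log lines under the '=== Heading ===' that precedes them."""
    sections: Dict[str, List[str]] = {}
    current = "PREAMBLE"
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line or line == ".":  # DDS pads its output with lone dots
            continue
        heading = SECTION_RE.match(line)
        if heading:
            current = heading.group(1).upper()
            sections.setdefault(current, [])
            continue
        sections.setdefault(current, []).append(line)
    return sections


def triage(log_text: str) -> List[Dict[str, str]]:
    """Return one finding per indicator, each naming the log line that triggered it."""
    findings: List[Dict[str, str]] = []
    sections = split_sections(log_text)

    for line in sections.get("RUNNING PROCESSES", []):
        exe = line.split(" -k ")[0].strip()  # drop svchost service-group arguments
        if ADS_PATH_RE.match(exe):
            findings.append({
                "kind": "ads_process",
                "line": line,
                "detail": "executable runs from an NTFS alternate data stream; "
                          "Explorer and a plain dir listing do not show streams",
            })

    for line in sections.get("PSEUDO HJT REPORT", []):
        proxy = LOOPBACK_PROXY_RE.search(line)
        if proxy:
            findings.append({
                "kind": "loopback_proxy",
                "line": line,
                "port": proxy.group(2),
                "detail": "browser traffic is routed through a local listener; "
                          "with no proxy software installed this explains the redirects",
            })

    for line in sections.get("FIREFOX", []):
        kw = KEYWORD_URL_RE.search(line)
        if kw:
            findings.append({
                "kind": "keyword_url_override",
                "line": line,
                "target": kw.group(1),
                "detail": "address-bar searches are sent to a third-party URL",
            })
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f['kind']}] {f['line']}\n    {f['detail']}")
```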




#2 HelpBot

    Bleepin' Binary Bot

  • Bots
  • 12,730 posts

Posted 22 August 2011 - 11:35 PM

Hello and welcome to Bleeping Computer!

I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

To help Bleeping Computer better assist you please perform the following steps:

***************************************************

Step 1: In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.

CLICK THIS LINK >>> http://www.bleepingcomputer.com/logreply/414933 <<< CLICK THIS LINK



If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.

***************************************************

Step 2: If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lower right hand of this page). In that reply, please include the following information:

  • If you have not done so already, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • A new DDS and GMER log. For your convenience, you will find the instructions for generating these logs repeated at the bottom of this post.
    • Please do this even if you have previously posted logs for us.
    • If you were unable to produce the logs originally please try once more.
    • If you are unable to create a log please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
    • If you are unsure about any of these characteristics just post what you can and we will guide you.
  • Please tell us if you have your original Windows CD/DVD available.
  • Upon completing the above steps and posting a reply, another staff member will review your topic and do their best to resolve your issues.

Thank you for your patience, and again sorry for the delay.

***************************************************

We need to see some information about what is happening in your machine. Please perform the following scan again:

  • Download DDS by sUBs from one of the following links if you no longer have it available. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


We also need a new log from the GMER anti-rootkit Scanner.

Please note that if you are running a 64-bit version of Windows you will not be able to run GMER and you may skip this step.

Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice


Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log


As I am just a silly little program running on the BleepingComputer.com servers, please do not send me private messages as I do not know how to read and reply to them! Thanks!

#3 GrayT
  • Topic Starter

  • Members
  • 8 posts

Posted 23 August 2011 - 12:42 AM

Since my first report, I was able to run MalwareBytes ONE TIME to completion. It found and removed 5 infected files. I have attached the mbam log file. I thought my computer was cured, so I restarted it in normal (non-safe) mode. The fake Security Protection screen didn't appear. However, I still have the other problems I had before: browsers are being hijacked and going to strange web pages, and when I try to run MalwareBytes again, it gets killed and disappears after a minute or so.

I successfully ran DDS again, and I have attached the report files dds_822.txt and attachh_8-22.txt. I tried running GMER again, but like last time, it gets killed and disappears after a minute or so. If I stop the program before it gets killed, there are 4 lines in the report; see the attached file GMER-partial_8-22.log.

Unfortunately, this DELL laptop computer did not come with installation CDs. The instructions say to use System Restore or Dell PC Restore instead. I purchased another Dell Windows XP computer at about the same time, a desktop, which DOES have a Windows installation CD, which I still have.

I brought my old desktop computer out of retirement to use while I wait for your help in fixing my laptop. Anything you can do to help will be greatly appreciated!

Attached Files



#4 fireman4it

    Bleepin' Fireman

  • Malware Response Team
  • 13,505 posts
  • Location:Greenup, Ill USA

Posted 23 August 2011 - 10:34 PM

Hello GrayT,
  • Welcome to Bleeping Computer.
  • My name is fireman4it and I will be helping you with your Malware problem.

    Please take note of some guidelines for this fix:
  • Refrain from making any changes to your computer including installing/uninstall programs, deleting files, modifying the registry, and running scanners or tools.
  • If you do not understand any step(s) provided, please do not hesitate to ask before continuing.
  • Even if things appear to be better, it might not mean we are finished. Please continue to follow my instructions and reply back until I give you the "all clean".
  • In the upper right hand corner of the topic you will see a button called Watch Topic. I suggest you click it and select Immediate E-Mail notification and click on Proceed. This way you will be advised when we respond to your topic and facilitate the cleaning of your machine.

  • Finally, please reply using the ADD REPLY button in the lower right hand corner of your screen. Do not start a new topic. The logs that you post should be pasted directly into the reply, unless they do not fit into the post.


If you can't get these to run in Normal mode try them in Safemode. Make sure you choose Safemode with Networking.


1.
Download and Rename Combofix

This tool is not a toy. If used the wrong way you could trash your computer. Please use only under direction of a Helper. If you decide to do so anyway, please do not blame me or ComboFix.

Download Combofix from any of the links below. You must rename it 1234.scr before saving it to your desktop.

Link 1
Link 2


--------------------------------------------------------------------
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are not sure how.
  • Close any open windows, including this one.
  • Double click on 1234.scr & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • If you did not have it installed, you will see the prompt below. Choose YES.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Note: The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

  • Click on Yes, to continue scanning for malware.
  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt so we can continue cleaning the system.


2.
Please download aswMBR ( 511KB ) to your desktop.
  • Double click the aswMBR.exe icon to run it
  • Click the Scan button to start the scan
  • On completion of the scan, click the save log button, save it to your desktop and post it in your next reply.


Things to include in your next reply:
Combofix.txt
aswMBR log
How is your machine running now?


" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-

If I have helped you, consider making a donation to help me continue the fight against Malware!


#5 GrayT
  • Topic Starter

  • Members
  • 8 posts

Posted 24 August 2011 - 12:09 AM

Dear fireman4it,

Thank you for helping me! I will definitely try the procedure, but it might be a day or two before I get to it. In the meantime, I'm using my old computer taken out of retirement.

Thank you again, I'm looking forward to getting my computer fixed!

GrayT

#6 fireman4it

    Bleepin' Fireman

  • Malware Response Team
  • 13,505 posts
  • Location:Greenup, Ill USA

Posted 24 August 2011 - 08:36 PM

Ok, I will wait for your reply.


#7 GrayT
  • Topic Starter

  • Members
  • 8 posts

Posted 24 August 2011 - 09:55 PM

I've just spent 1.5 frustrating hours trying to do the procedure. Combofix asked me to install Windows Recovery Console. But the wired Internet connection is not working. So I stopped combofix, then tried to connect to the Internet with a USB wireless network adapter. But I can't install the driver because the CD isn't working. I also tried to install Windows Recovery Console from a Windows XP installation CD, but again, the CD drive isn't working.

Should I go ahead and let Combofix work without installing Windows Recovery Console?

#8 fireman4it

    Bleepin' Fireman

  • Malware Response Team
  • 13,505 posts
  • Location:Greenup, Ill USA

Posted 24 August 2011 - 10:08 PM

Yes, go ahead and let Combofix run!


#9 GrayT
  • Topic Starter

  • Members
  • 8 posts

Posted 24 August 2011 - 11:13 PM

I ran ComboFix. The log file is attached. The CD drive is working now. What should I do next? (I plugged in the Ethernet cable, but the Internet connection isn't working. I'm running Malwarebytes now, and it seems to be working [it's not getting killed].)

Attached Files


Edited by GrayT, 24 August 2011 - 11:49 PM.


#10 fireman4it

    Bleepin' Fireman

  • Malware Response Team
  • 13,505 posts
  • Location:Greenup, Ill USA

Posted 25 August 2011 - 06:47 PM

Click here to download Kaspersky Virus Removal Tool.
  • Double click on the file you just downloaded and let it install.
  • It will install to your desktop.
  • After that leave what is selected and put a check next to My Computer.
  • Click on the option that says Threat Detection and change it to Disinfect => Do not select, delete if disinfection fails.
  • Then click on Start Scan.
  • Before it is done it may prompt for action regardless of the setting so choose skip if prompted.
  • When the scan is done no log will be produced.
  • Click on the bottom where it says Report to open the report.
  • Then highlight all of the items found by using ctrl + a on your keyboard to select all, or use your mouse to select all, then right click and choose copy.
  • This will copy the items that it found to the clipboard you can then open notepad (go to start then run then type in notepad) and choose paste to paste the contents into Notepad.
  • You can save this on the desktop.
  • Post the contents of the document in your next reply.


#11 GrayT
  • Topic Starter

  • Members
  • 8 posts

Posted 26 August 2011 - 12:38 AM

I downloaded and ran the Kaspersky virus removal tool. I wasn't able to follow the instructions. Maybe the Kaspersky tool has been updated. I didn't see My Computer as an option, nor did I see the Threat Detection option setting.

I clicked the Scan button and it started scanning files. It found 11 instances of Trojan.Win32.Patch.mf. The first time it asked me what to do, so I clicked "Yes, Perform (recommended)". Then each time it found an infected file, it offered me three choices: 1. Disinfect (recommended), A copy of the infected file will be saved, 2. Delete, object will be deleted, or 3. Skip (do not perform any action). Sometimes it said it could not disinfect, and only offered options 2 and 3, and 2 was recommended. I always followed the recommended choice. Sometimes during the scan, it warned me that a file was password protected.

Upon completion of the scan, the tool automatically reset the computer. There was no chance to save the log file. I ran Kaspersky again in safe mode, and no threats were detected. I restarted the computer and ran Kaspersky again in regular Windows mode, and no threats were found.

My wired Internet connection still doesn't work, and I'm unable to start Windows Firewall. What should I do next?

#12 fireman4it

    Bleepin' Fireman

  • Malware Response Team
  • 13,505 posts
  • Location:Greenup, Ill USA

Posted 26 August 2011 - 06:34 AM

Hello,


Are you connected to the internet through a Router?


1.
  • Go to Start -> Control Panel -> Network and Internet Connection ->Network Connections.
  • Right-click your default connection, usually Local Area Connection or Dial-up Connection (if you are using dial-up), and left-click on the Properties option.
  • Double-click on the Internet Protocol (TCP/IP) item and select the radio button that says "Obtain DNS servers automatically".
  • Click OK twice.
  • Go to Start -> Run...
  • In the Open: field type cmd and click OK or hit Enter.
    This will open a Command Prompt.
  • At the DOS prompt screen, type in ipconfig /flushdns and then press Enter (notice the space between "ipconfig" and "/flushdns").
  • Exit the Command Prompt.
  • Reboot your PC and try to open any website.


2.
  • Download RogueKiller on the desktop
  • Close all the running processes
  • Under Vista/Seven, right click -> Run as Administrator
  • Otherwise just double-click on RogueKiller.exe
  • When prompted, type 1 (SCAN) then Enter
  • A report should open, give its content to your helper. (RKreport could also be found next to the executable)
  • If RogueKiller has been blocked, do not hesitate to try a few times more. If it really won't run, rename it to winlogon.exe (or winlogon.com) and try again

Things to include in your next reply:
Internet Connection back?
Connected through a router?
Roguekiller log


#13 GrayT
  • Topic Starter

  • Members
  • 8 posts

Posted 26 August 2011 - 10:55 PM

1. The Internet connection didn't come back. When I tried the ipconfig command, this is what happened:

Microsoft Windows XP [Version 5.1.2600]
© Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\A Chou>ipconfig /flushdns

Windows IP Configuration

An internal error occurred: The request is not supported.

Please contact Microsoft Product Support Services for further help.

Additional information: Unable to query host name.

C:\Documents and Settings\A Chou>


2. I ran RogueKiller. It ran very fast (a few seconds) and found one thing. See the RKreport log file attached. Should I run it again and do option 2, Delete?

3. Yes, I am connected through a router. The other computers connected through the same router are working fine.

What should I try next?

[I'm getting discouraged. After spending about 8 hours trying to get rid of this virus, I wish that I had just wiped the disk clean and started over from scratch.]

Attached Files



#14 fireman4it

    Bleepin' Fireman

  • Malware Response Team
  • 13,505 posts
  • Location:Greenup, Ill USA

Posted 27 August 2011 - 09:54 AM

Hello,

The problem is you had a file infector on board and it infected many system files. Your AV may have already deleted those files that were needed for internet access. At this point a reformat and reinstall may be the right thing to do. I am seeing no signs of malware present on the machine.


#15 GrayT
  • Topic Starter

  • Members
  • 8 posts

Posted 29 August 2011 - 09:25 PM

The viruses were gone, but the computer wasn't working properly -- no internet access and Windows Firewall was not working. So I backed up my data files and wiped the disk clean, and started with a re-install of Windows and all my software applications.

My recommendation to anyone who has this virus is to spend no more than 1 or 2 hours trying to fix it. If it's not fixed by then, and if your computer is in such a state that you can back up your files, back them up and re-install Windows and your application software. Scan your backup data for viruses before you copy the files back to your computer.

My final question is, how did my computer get infected in the first place, and what can I do to prevent it from happening again? My daughter was using the computer at the time, so I didn't see it happen. She was browsing the Internet and reading something about Justin Bieber when she came over and told me something was wrong with the computer.



