Strange Virus


3 replies to this topic

#1 NineBee

Posted 06 May 2012 - 03:00 AM

Hello everyone,
I think I have got a virus, which is not letting me install anti-virus programs. I tried Avast! Internet Security, but the setup closes automatically after 1-2 secs and also gets deleted automatically after some time. I also tried to rename the setup, but it did no good.
I also tried AVG (free) but after some time of downloading, it displayed the Blue Screen of Death.
Then I formatted my computer, and again tried installing Avast, but it wouldn't install and would close.
Also, I tried to go into Safe Mode, but my computer would restart automatically without going into Safe Mode.

Please help me.

My specifications are-
Microsoft Windows XP Professional
Version 2002
Service Pack 3
Intel Pentium 4 CPU 2.60GHz
512 MB of RAM

Thanks in Advance.

Sincerely,
NineBee

Edited by NineBee, 06 May 2012 - 03:17 AM.




#2 dev00790

Posted 06 May 2012 - 06:58 PM

Hello,

I will be helping you with your problems.

Some points for you to keep in mind while I am helping you, to make things go easier and faster for both of us:

  • Please do NOT run any tools unless instructed to do so.
    • We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.
  • Please do not attach logs or use code boxes, just copy and paste the text.
    • Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.
  • Please read every post completely before doing anything.
    • Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.
  • Please provide feedback about your experience as we go.
    • A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking back at your previous post.

NOTE: At the top of your post, click on the Watch Topic Button, select Immediate Notification, and click on Proceed. This will send you an e-mail as soon as I reply to your topic, allowing us to resolve the issue faster.

NOTE: Back up any files that cannot be replaced. Removing malware can be unpredictable and this step can save a lot of heartaches if things don't go as planned. You can put them on a CD/DVD, external drive or a pen drive, anywhere except on the computer.

NOTE: It is good practice to copy and paste the instructions into notepad and print them in case it is necessary for you to go offline during the cleanup process. To open notepad, navigate to Start Menu > All Programs > Accessories > Notepad. Please remember to copy the entire post so you do not miss any instructions.

----------------------------------------------

Please do the following:

Step 1

Please download Rkill by Grinler and save it to your desktop.
Link 1
Link 2
  • Double-click on the Rkill desktop icon to run the tool.
  • If using Vista, right-click on it and Run As Administrator.
  • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
  • If not, delete the file, then download and use the one provided in Link 2.
  • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
  • If the tool does not run from any of the links provided, please let me know.
Do not reboot your computer after running rkill as the malware programs will start again. Or if rebooting is required run it again.

If you continue having problems running rkill.com, you can download iExplore.exe or eXplorer.exe, which are renamed copies of rkill.com, and try them instead.


Step 2

  • Launch Malwarebytes' Anti-Malware (MBAM)
  • Click on the tab update, then click Check for Updates
  • If an update is found, it will download and install the latest version.
  • Then on the Scanner tab select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad.
  • Post the log in your next reply.

NOTE: If asked to restart the computer, please do so. You may need to run rkill again - if so, please also post the log for this run of rkill.

The log can also be found here:
C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
Or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt

Step 3

How is your computer running now?

Regards, dev00790

---------------------------------------

Marge: "Homer, the plant called. They said if you don't show up tomorrow don't bother showing up on Monday." Homer: "Woo-hoo! Four-day weekend!"
I do not reply to Private Messages (PMs) asking for assistance - please use the forums instead. If I have been helping you, and I have not replied to your latest post in 48 hours please send me a PM. My Blog


#3 NineBee

Posted 08 May 2012 - 05:15 AM

Hello dev00790,
and thanks for helping me.

Step 1: Followed and here is the log-


This log file is located at C:\rkill.log.
Please post this only if requested to by the person helping you.
Otherwise you can close this log when you wish.

Rkill was run on 05/08/2012 at 12:51:50.
Operating System: Microsoft Windows XP


Processes terminated by Rkill or while it was running:

C:\Documents and Settings\Rajeshwar\Local Settings\Application Data\MapleStudio\ChromePlus\Application\chrome.exe
C:\Documents and Settings\Rajeshwar\Local Settings\Application Data\MapleStudio\ChromePlus\Application\chrome.exe
C:\Documents and Settings\Rajeshwar\Local Settings\Application Data\MapleStudio\ChromePlus\Application\chrome.exe
C:\DOCUME~1\RAJESH~1\LOCALS~1\Temp\winmyctcg.exe
C:\Documents and Settings\Rajeshwar\Local Settings\Application Data\MapleStudio\ChromePlus\Application\chrome.exe
C:\Documents and Settings\Rajeshwar\Local Settings\Application Data\MapleStudio\ChromePlus\Application\chrome.exe
C:\Documents and Settings\Rajeshwar\Local Settings\Application Data\MapleStudio\ChromePlus\Application\chrome.exe


Rkill completed on 05/08/2012 at 12:51:56.


Step 2: I downloaded, installed and updated MBAM, and then quick scanned, it found some files and I removed them. Then it asked me to restart the PC. I did so.
Here is the log-

Malwarebytes Anti-Malware 1.61.0.1400
www.malwarebytes.org

Database version: v2012.05.08.04

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
Rajeshwar :: SUPAPC [administrator]

5/8/2012 1:22:34 PM
mbam-log-2012-05-08 (13-22-34).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 175151
Time elapsed: 8 minute(s), 43 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 2
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_AMSINT32 (Virus.Sality) -> Quarantined and deleted successfully.
HKLM\SYSTEM\CurrentControlSet\Services\amsint32 (Virus.Sality) -> Quarantined and deleted successfully.

Registry Values Detected: 1
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer|ForceClassicControlPanel (Hijack.ControlPanelStyle) -> Data: 1 -> Quarantined and deleted successfully.

Registry Data Items Detected: 3
HKLM\SOFTWARE\Microsoft\Security Center|UpdatesDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.
HKLM\SOFTWARE\Microsoft\Security Center|AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.
HKLM\SOFTWARE\Microsoft\Security Center|FirewallDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.

Folders Detected: 0
(No malicious items detected)

Files Detected: 2
C:\Documents and Settings\Rajeshwar\Local Settings\Temp\winergxxa.exe (Trojan.Proxy) -> Delete on reboot.
C:\jukuec.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.

(end)

Then I tried running rkill again, but it displayed an error saying-

|--------------------------------------------------------|
| Error |
|--------------------------------------------------------|
|Some installation files are corrupt. |
|Please download a fresh copy and retry the installation |
|--------------------------------------------------------|
Extracting wl.txt
Extracting prep.bat
Extracting rkill.bat
Extracting s.inf
Extracting procs\iexplore.com
CRC failed in procs\iexplore.com
Unexpected end of archive


Step 3: I still cannot install Avast. I don't have any other AntiVirus' setup.

Also I forgot to mention that every time I boot up, a Disk Scan is run, saying something like "Checking for consistency", and only the D: drive is scanned by something like 'CHKDSK'.

Thanks for helping.
NineBee
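
Added example (not part of the original thread, and not Malwarebytes' own tooling): a small Python parser for the MBAM 1.x text log layout quoted in post #3. It checks each section's declared "Detected: N" count against the entries actually present, which catches a truncated or edited paste, and lists items not yet confirmed removed, such as the "Delete on reboot" entry. The function names and the shortened sample log are constructed for illustration.

```python
import re

# Constructed sample: shortened copy of the MBAM 1.61 log layout quoted in post #3.
SAMPLE_LOG = r"""Registry Keys Detected: 2
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_AMSINT32 (Virus.Sality) -> Quarantined and deleted successfully.
HKLM\SYSTEM\CurrentControlSet\Services\amsint32 (Virus.Sality) -> Quarantined and deleted successfully.

Registry Data Items Detected: 1
HKLM\SOFTWARE\Microsoft\Security Center|AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.

Folders Detected: 0
(No malicious items detected)

Files Detected: 2
C:\Documents and Settings\Rajeshwar\Local Settings\Temp\winergxxa.exe (Trojan.Proxy) -> Delete on reboot.
C:\jukuec.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.

(end)
"""

SECTION = re.compile(r"^([A-Za-z ]+) Detected: (\d+)$")   # e.g. "Files Detected: 2"
ITEM = re.compile(r"^(.+?) \(([^()]+)\) -> (.+)$")        # object (label) -> outcome

def parse_mbam_log(text):
    """Return (detections, mismatches); mismatches maps section -> (declared, parsed)."""
    detections, declared, section = [], {}, None
    for line in map(str.strip, text.splitlines()):
        if m := SECTION.match(line):
            section, declared[m[1]] = m[1], int(m[2])
        elif section and (m := ITEM.match(line)):
            # The outcome is the last "->" field; "Bad: (1) Good: (0)" may precede it.
            action = m[3].split(" -> ")[-1].rstrip(".")
            detections.append({"section": section, "path": m[1], "label": m[2], "action": action})
    parsed = {s: sum(d["section"] == s for d in detections) for s in declared}
    mismatches = {s: (n, parsed[s]) for s, n in declared.items() if n != parsed[s]}
    return detections, mismatches

def triage(detections):
    """Paths not yet confirmed removed, and the distinct detection labels."""
    pending = [d["path"] for d in detections if "successfully" not in d["action"]]
    return pending, sorted({d["label"] for d in detections})

if __name__ == "__main__":
    found, mismatches = parse_mbam_log(SAMPLE_LOG)
    pending, labels = triage(found)
    print("labels:", labels)
    print("pending after scan (reboot, then rescan):", pending)
    print("count mismatches (truncated or edited log):", mismatches or "none")
```
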

#4 dev00790

Posted 08 May 2012 - 07:54 PM

Hi

Leave installing avast for the moment - since your PC is still likely to be infected, installation of Antivirus software may be troublesome.
We'll address this later.

Step 1:

Please download Rkill again and run it.
Post the log in your next reply.


Step 2:

  • Launch Malwarebytes' Anti-Malware (MBAM)
  • Click on the tab update, then click Check for Updates
  • If an update is found, it will download and install the latest version.
  • Then on the Scanner tab select Perform full scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad.
  • Post the log in your next reply.

Note: Be sure to restart the computer.

The log can also be found here:
C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
Or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt


Step 3:

We need to see the log produced when CHKDSK was run.

A log of the disk check is recorded only if the scheduled re-start is used, and only for drives on the same HDD as the Operating System.
To open Event Viewer and view the log:

  • Click the Start button
  • Click Run.
  • Type "eventvwr" without the quotes and press the <ENTER> key.
  • The Event Viewer window will open.
  • In the left pane, expand "Event Viewer (local)" then click on Application.
  • In the right pane, at the top, click on the column heading Source to sort the list alphabetically.
  • Look in the Source column for "Winlogon", with an entry corresponding to the date and time of the disk check.
  • Click on that Winlogon entry to select it.
  • In the box below "Description", Copy all of the contents.
  • Paste the contents into your next reply.


Step 4:

How is your computer running now?

Regards, dev00790
