
Continuing Problems Ridding Trojan



#1 storyp24


Posted 19 June 2007 - 09:02 AM

I am using AdAware to detect viruses but it seems to have little ability to remove.

I followed steps to put the computer in Safe Mode and find the offending .exe startup files.
Thought I had everything removed, and for a day all seemed quiet.

Then I noticed if I went on the Internet the viruses reappeared. I only went to a trusted forum site.

After running another scan with AdAware this is what I see.

MalWare
C:\Documents and Settings\username\localsettings\temporary internet files\content.IE5\mpoju9eh\xc29[1].exe
C:\System Volume Information\_restore[e7fb4978-6866-4123bb76-8116bab3495b}rp6\a0001004.dll
C:\System Volume Information\_restore[e7fb4978-6866-4123bb76-8116bab3495b}rp6\a0001005.exe

I cannot read the System Volume Information folder even after following instructions to make readable.

Any help is appreciated. Been trying for days to get rid of this.

Rob



#2 rookie147


Posted 19 June 2007 - 09:08 AM

Hi there, welcome to BleepingComputer.
One of those infections is in your temporary internet files.
The other two files are related to your system restore, and since they are infected, this means that if you decide to roll your computer back to an earlier stage, the infections will rise again. Therefore, we need to clean up your restore points and create a new, fresh one.

Download ATF Cleaner to your Desktop.
Don't run it yet.

Please reboot your computer into Safe Mode.
This is done by rebooting Windows and pressing F8 at boot/Windows startup, usually right after the beep.
Then select Safe Mode from the list.
Make sure you choose the option without Networking Support.

Double click ATF-Cleaner.exe to run the program.
Under Main choose Select All
Click the Empty Selected button.

If you use Firefox browser
Click Firefox at the top and choose Select All
Click the Empty Selected button.
Note: If you would like to keep your saved passwords, please click "No" at the prompt.

If you use Opera browser
Click Opera at the top and choose: Select All
Click the Empty Selected button.
Note: If you would like to keep your saved passwords, please click "No" at the prompt.

Click Exit on the main menu to close the program.

Boot back into Normal Mode again and it should have been deleted.

On the Desktop, right-click My Computer, then click Properties.
Click the System Restore tab near the top of the window.
Check Turn off System Restore, click Apply, and then click OK.
More information on how to disable your system restore can be found here.

We want to create a new, clean restore point. Please first reboot your computer.
On the Desktop, right-click My Computer, then click Properties.
Click the System Restore tab near the top of the window.
Uncheck "Turn off System Restore", click Apply, and then click OK.

Click Start | All Programs | Accessories | System Tools, and select System Restore.
In the System Restore wizard, select the box next to the text labeled "Create a restore point" and click the Next button.
Type a description for your new restore point - Something like "After trojan/spyware cleanup".
Click Create, and after it has created the restore point, click "Close".
Further instructions on creating a restore point can be found here

If you are pleased with the service I have offered, you may like to consider making a donation.


#3 storyp24


Posted 19 June 2007 - 12:46 PM

In my effort to delete potentially corrupt files last night I erased something important.
Now my computer will not load the Icons after startup. I can place it in safe mode.

Here's what happens.
While booting in SafeMode it will bring up
- Welcome to Windows
- Security Logon w CTRL Alt Delete
- Load Settings
- Sound of Loading
- Desktop screen comes up but with no Program Icons or Start Button.

I can access task manager.

Ouch.

#4 rookie147


Posted 19 June 2007 - 03:31 PM

Can you try using system restore then? It may be an infected restore point, but it's better than nothing.



#5 storyp24


Posted 19 June 2007 - 04:38 PM

Can I do that from a DOS prompt, or is there another way when doing an F8 reboot?

Just tried from a DOS command:

%systemroot%\system32\restore\rstrui.exe

however it says:
System Restore is not able to protect your computer. Please restart your computer, and then run System Restore again

Edited by storyp24, 19 June 2007 - 05:17 PM.


#6 rookie147


Posted 20 June 2007 - 05:21 AM

Do you have System Restore turned on?
In your Task Manager navigate to File | New Task
Type in services.msc then hit OK.
Scroll down in the right panel until you come to "System Restore Service"
Does it have Started next to it?



#7 storyp24


Posted 20 June 2007 - 10:52 AM

In Windows Task Manager under Applications tab I went to File, New Task(run) and typed in services.msc. The hour glass popped up but just a blank screen. The Browse feature works and I can see Folders such as Documents and Settings. I was able to open Word and a recent document.

Services did finally come up after a few minutes but said it was not responding.

Edited by storyp24, 20 June 2007 - 11:25 AM.


#8 rookie147


Posted 20 June 2007 - 04:35 PM

I think this problem should be posted in the Windows XP Home and Professional forum, there you can receive the best help.



#9 storyp24


Posted 20 June 2007 - 09:07 PM

Thanks. The Windows Icons came back. Not sure how. I followed your original advice to create a restore point; however, I don't know how to manually go back to before June 11 when the problems started, and I'm not sure, when I create a restore point, if it is before June 11. I ran AdAware again and here is what shows up:

c:\windows\retadpu100272.exe
process csi c:\windows\retadpu1000272.exe
root: hklm path: system\controlset001\services\symevent
root hklm path: system\currentcontorlset\services\symevent
root hklm path: software\microsoftwindows\currentversion\run Value: runner1
file c:\windows\wr.txt


Will you still be able to offer help? Thanks so much.

#10 rookie147


Posted 21 June 2007 - 02:40 AM

Hi there, glad to hear you got it working a bit better.
Please print off a copy of these instructions, and also save them to a Notepad file on your desktop, so they are easily accessible.
We are going to boot into Safe Mode later in the fix, and there is no internet access.

Please reboot your computer into Safe Mode.
This is done by rebooting Windows and pressing F8 at boot/Windows startup, usually right after the beep.
Then select Safe Mode from the list.
Make sure you choose the option without Networking Support.

Next, please find and delete the following file (if present):

c:\windows\retadpu100272.exe

The steps that I am about to suggest involve modifying the registry. Modifying the registry can be dangerous so we will make a backup of the registry first.

Backup the Registry:
Navigate to Start | Run and paste the following:
regedit /e c:\registrybackup.reg
Now click OK
It won't appear to be doing anything, that's normal.
Your mouse pointer may turn to an hour glass for a minute.
Please continue when it no longer has the hour glass.

Open Notepad and copy and paste the following quotebox into a new text document. (Don't forget to copy and paste REGEDIT4!)

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN]
"runner1"=-

Save this as fix.reg (choose "All Files" as the file type) and place it on your Desktop.
Double-click on it and when it asks you if you want to merge the contents to the registry, click Yes/OK.

Boot into Normal Mode, then see how things are running now.

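As an added example (not code from the thread or from either poster), the following Python script parses a `regedit /e` export like the backup taken above, lists the values under the Run key, and builds a REGEDIT4 file that deletes one value with the same `"name"=-` syntax; the export text is constructed sample data, not output from the poster's machine.

```python
"""Inspect a regedit export of the Run key and build a REGEDIT4 file that
deletes one autostart value, the "runner1"=- technique used in the thread."""
import re

RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"

# Constructed sample of what `regedit /e` exports for the Run key.
# In .reg files a backslash inside a string is written as "\\".
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"runner1"="C:\\windows\\retadpu100272.exe"
'''

_VALUE_LINE = re.compile(r'"((?:[^"\\]|\\.)*)"=("(?:[^"\\]|\\.)*"|.*)')


def _unescape(s):
    """Undo .reg string escaping: \\ -> \ and \" -> " ."""
    return re.sub(r'\\(.)', r'\1', s)


def parse_reg_export(text):
    """Return {key_path: {value_name: data}} for the string values in a .reg export."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]          # key path without the brackets
            keys[current] = {}
        elif current and line.startswith('"'):
            m = _VALUE_LINE.match(line)
            if not m:
                continue
            data = m.group(2)
            if data.startswith('"'):      # REG_SZ; other types are kept raw
                data = _unescape(data[1:-1])
            keys[current][_unescape(m.group(1))] = data
    return keys


def run_entries(text, key=RUN_KEY):
    """Autostart values under the Run key (registry key names are case-insensitive)."""
    for path, values in parse_reg_export(text).items():
        if path.lower() == key.lower():
            return values
    return {}


def build_removal_reg(value_name, key=RUN_KEY):
    """REGEDIT4 text that deletes `value_name` from `key`; merge it with regedit."""
    return 'REGEDIT4\r\n\r\n[%s]\r\n"%s"=-\r\n' % (key, value_name)
```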


#11 storyp24


Posted 21 June 2007 - 12:44 PM

Thanks. Things seem to be running much smoother. I am not online with the infected computer, and I continue to get a pop up stating I am working OFFLINE and do I want to connect.
Concerned this may be another way to launch a virus, I have gone into the Task Window and just closed it. Do you think this is a virus?

thanks again for all your help.

Rob

#12 rookie147


Posted 21 June 2007 - 03:03 PM

I don't think that this is a virus; it's just that some programs are trying to connect to the internet where it is not available.



#13 storyp24


Posted 21 June 2007 - 04:01 PM

You have been great, thanks.

#14 rookie147


Posted 21 June 2007 - 05:24 PM

You're welcome :thumbsup:
