TechSpot

[A] Internet Security Virus

Inactive
By Harry96
Aug 6, 2012
  1. I seem to have contracted the internet security virus this morning. I have a paid sub to Spyware Doctor, but I can't access it; most of my software, files, desktop icons, etc. have disappeared. When I go to Start, All Programs, it says "(empty)". I tried downloading MalwareBytes, but I get an "access denied" error when I try to install it. I'm running Vista.
    Thanks so much for any advice.
     
  2. Broni

    Broni Malware Annihilator Posts: 47,163   +264

    Welcome aboard

    Please, observe following rules:
    • Read all of my instructions very carefully. Your mistakes during cleaning process may have very serious consequences, like unbootable computer.
    • If you're stuck, or you're not sure about certain step, always ask before doing anything else.
    • Please refrain from running any tools, fixes or applying any changes to your computer other than those I suggest.
    • Never run more than one scan at a time.
    • Keep updating me regarding your computer behavior, good, or bad.
    • The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.
    • If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in malware removal forum.
    • I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.

    =========================================

    Restart computer in Safe Mode with Networking.


    Download TDSSKiller and save it to your desktop.
    • Extract (unzip) its contents to your desktop.
    • Open the TDSSKiller folder and doubleclick on TDSSKiller.exe to run the application, then on Start Scan.
    • If an infected file is detected, the default action will be Cure, click on Continue.
    • If a suspicious file is detected, the default action will be Skip, click on Continue.
    • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
    • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
    • If a reboot is required, the report can also be found in your root directory (usually C:\ folder) in the form of TDSSKiller_xxxx_log.txt. Please copy and paste the contents of that file here.
     
  3. Harry96

    Harry96 TS Rookie Topic Starter

    Broni, thanks so much for responding.

    I completed the first two steps. But, when I double-click on TDSSKiller.exe, nothing happens. I also tried right-clicking and selecting open, start, and run as administrator, and none of that did anything either.
     
  4. Broni

    Broni Malware Annihilator Posts: 47,163   +264

    Stay in Safe Mode with Networking.

    Please download the below tool named Rkill (courtesy of BleepingComputer.com) to your desktop.

    There are 2 different versions. If one of them won't run then download and try to run the other one.

    You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shutdown your antivirus.

    http://download.bleepingcomputer.com/grinler/beta/rkill.exe
    http://download.bleepingcomputer.com/grinler/beta/iExplore.exe

    • Double-click on the Rkill desktop icon to run the tool.
    • If using Vista or Windows 7 right-click on it and choose Run As Administrator.
    • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
    • If not, delete the file, then download and use the one provided in Link 2.
    • Do not reboot until instructed.
    • If the tool does not run from any of the links provided, please let me know.

    If normal mode still doesn't work, run the tool from safe mode.

    When the scan is done Notepad will open with rKill log.
    Post it in your next reply.

    NOTE. rKill.txt log will also be present on your desktop.

    Then right away try TDSSKiller again.
     
  5. Harry96

    Harry96 TS Rookie Topic Starter

    I was able to download RKill from the first link, and it seemed to run successfully.

    I tried TDSSKiller.exe again afterward, and it still didn't do anything.

    Here's the Notepad log:

    Rkill 2.1.0 by Lawrence Abrams (Grinler)
    http://www.bleepingcomputer.com/
    Copyright 2008-2012 BleepingComputer.com
    More Information about Rkill can be found at this link:
    http://www.bleepingcomputer.com/forums/topic308364.html
    Program started at: 08/06/2012 06:07:09 PM in x86 mode.
    Windows Version: Windows Vista
    Checking for Windows services to stop.
    * No malware services found to stop.
    Checking for processes to terminate.
    * No malware processes found to kill.
    Checking Registry for malware related settings.
    * No issues found in the Registry.
    Resetting .EXE, .COM, & .BAT associations in the Windows Registry.
    * HKCU\SOFTWARE\Classes\.exe "@" exists and is set to exefile!
    * HKCU\SOFTWARE\Classes\.exe has been deleted!
    * HKCU\SOFTWARE\Classes\exefile has been deleted!

    Performing miscellaneous checks.
    * SMTMP folder detected. Your machine is or has been infected with the Fake.HDD rogue anti-spyware program. Please see this link for more information about this type of rogue: http://www.bleepingcomputer.com/forums/topic405109.html
    * ALERT: ZEROACCESS rootkit symptoms found!
    * HKEY_CLASSES_ROOT\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InprocServer32 [ZA Reg Hijack]
    * C:\Users\Johnny\AppData\Local\{86aa8405-3cd8-63c3-1445-d3b238d8ec9a}\ [ZA Dir]
    * C:\Users\Johnny\AppData\Local\{86aa8405-3cd8-63c3-1445-d3b238d8ec9a}\@ [ZA File]
    * C:\Users\Johnny\AppData\Local\{86aa8405-3cd8-63c3-1445-d3b238d8ec9a}\L\ [ZA Dir]
    * C:\Users\Johnny\AppData\Local\{86aa8405-3cd8-63c3-1445-d3b238d8ec9a}\n [ZA File]
    * C:\Users\Johnny\AppData\Local\{86aa8405-3cd8-63c3-1445-d3b238d8ec9a}\U\ [ZA Dir]
    * C:\Windows\installer\{86aa8405-3cd8-63c3-1445-d3b238d8ec9a}\ [ZA Dir]
    * C:\Windows\installer\{86aa8405-3cd8-63c3-1445-d3b238d8ec9a}\@ [ZA File]
    * C:\Windows\installer\{86aa8405-3cd8-63c3-1445-d3b238d8ec9a}\L\ [ZA Dir]
    * C:\Windows\installer\{86aa8405-3cd8-63c3-1445-d3b238d8ec9a}\n [ZA File]
    * C:\Windows\installer\{86aa8405-3cd8-63c3-1445-d3b238d8ec9a}\U\ [ZA Dir]
    * C:\Windows\installer\{86aa8405-3cd8-63c3-1445-d3b238d8ec9a}\U\00000001.@ [ZA File]
    * C:\Windows\installer\{86aa8405-3cd8-63c3-1445-d3b238d8ec9a}\U\80000000.@ [ZA File]
    * C:\Windows\installer\{86aa8405-3cd8-63c3-1445-d3b238d8ec9a}\U\800000cb.@ [ZA File]
    Searching for Missing Digital Signatures:
    * C:\Windows\System32\services.exe [NoSig]
    Restarting Explorer.exe in order to apply changes.
    Program finished at: 08/06/2012 06:07:45 PM
    Execution time: 0 hours(s), 0 minute(s), and 35 seconds(s)
     
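The Rkill log above is the evidence the rest of the thread turns on: the ZeroAccess indicators (the CLSID InprocServer32 hijack and the two `{GUID}` directory trees under AppData\Local and Windows\installer), the per-user `.exe` association override that Rkill deleted, and the unsigned `services.exe` that the helper's next step searches for with FRST. The following parser is an added example, not part of the thread or of Rkill, and works over a constructed excerpt of the log posted above. It splits the log into its sections, pulls out every `[ZA ...]` and `[NoSig]` tagged item, and reduces them to a triage summary (ALERT lines, registry hijacks, the distinct filesystem GUIDs, unsigned system files, association resets). The section headings and tag names are taken from the log as posted; the field names in the summary are this example's own.

```python
import json
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample: an excerpt of the Rkill 2.1.0 log pasted in the thread,
# trimmed to the lines that matter for triage. Raw string because the paths
# contain backslashes (e.g. \U) that a normal string would treat as escapes.
SAMPLE_LOG = r"""
Rkill 2.1.0 by Lawrence Abrams (Grinler)
Program started at: 08/06/2012 06:07:09 PM in x86 mode.
Checking for Windows services to stop.
* No malware services found to stop.
Resetting .EXE, .COM, & .BAT associations in the Windows Registry.
* HKCU\SOFTWARE\Classes\.exe "@" exists and is set to exefile!
* HKCU\SOFTWARE\Classes\.exe has been deleted!
* HKCU\SOFTWARE\Classes\exefile has been deleted!
Performing miscellaneous checks.
* SMTMP folder detected. Your machine is or has been infected with the Fake.HDD rogue anti-spyware program.
* ALERT: ZEROACCESS rootkit symptoms found!
* HKEY_CLASSES_ROOT\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InprocServer32 [ZA Reg Hijack]
* C:\Users\Johnny\AppData\Local\{86aa8405-3cd8-63c3-1445-d3b238d8ec9a}\ [ZA Dir]
* C:\Users\Johnny\AppData\Local\{86aa8405-3cd8-63c3-1445-d3b238d8ec9a}\@ [ZA File]
* C:\Windows\installer\{86aa8405-3cd8-63c3-1445-d3b238d8ec9a}\U\00000001.@ [ZA File]
Searching for Missing Digital Signatures:
* C:\Windows\System32\services.exe [NoSig]
Program finished at: 08/06/2012 06:07:45 PM
"""

# "* <item> [<tag>]" finding lines, e.g. "... [ZA Dir]" or "... [NoSig]".
TAGGED_RE = re.compile(r"^\* (?P<item>.+?) \[(?P<tag>[A-Za-z ]+)\]$")
# Braced GUID as it appears in the ZeroAccess paths and CLSID key.
GUID_RE = re.compile(r"\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}", re.I)


@dataclass
class RkillFindings:
    # section heading -> the "* " lines reported under it
    sections: dict = field(default_factory=lambda: defaultdict(list))
    # bracketed tag ("ZA Dir", "NoSig", ...) -> items carrying it
    tagged: dict = field(default_factory=lambda: defaultdict(list))
    # text of every "* ALERT:" line
    alerts: list = field(default_factory=list)


def parse_rkill_log(text):
    """Group Rkill's '* ' finding lines under the heading that precedes them."""
    findings = RkillFindings()
    section = "preamble"
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if not line.startswith("* "):
            # Any non-finding line is a heading such as "Performing miscellaneous checks."
            section = line.rstrip(".:")
            continue
        findings.sections[section].append(line[2:])
        if line.startswith("* ALERT:"):
            findings.alerts.append(line[len("* ALERT:"):].strip())
        m = TAGGED_RE.match(line)
        if m:
            findings.tagged[m.group("tag")].append(m.group("item"))
    return findings


def summarize(findings):
    """Reduce parsed findings to the facts a responder wants at a glance."""
    fs_items = findings.tagged.get("ZA Dir", []) + findings.tagged.get("ZA File", [])
    fs_guids = set()
    for item in fs_items:
        m = GUID_RE.search(item)
        if m:
            fs_guids.add(m.group(0).lower())
    za_any = any(tag.startswith("ZA ") for tag in findings.tagged)
    assoc_lines = [l for sec, lines in findings.sections.items()
                   if sec.startswith("Resetting") for l in lines]
    misc_lines = [l for sec, lines in findings.sections.items()
                  if sec.startswith("Performing miscellaneous") for l in lines]
    return {
        "zeroaccess_symptoms": za_any or any("ZEROACCESS" in a.upper() for a in findings.alerts),
        "alerts": list(findings.alerts),
        "za_reg_hijacks": findings.tagged.get("ZA Reg Hijack", []),
        # One GUID shared by the AppData\Local and Windows\installer trees.
        "za_fs_guids": sorted(fs_guids),
        "unsigned_system_files": findings.tagged.get("NoSig", []),
        # A HKCU\...\Classes\.exe key shadows the machine-wide .exe handler;
        # Rkill reports it and deletes it, as the log above shows.
        "user_assoc_overrides": [l for l in assoc_lines if "exists and is set to" in l],
        "notes": [l for l in misc_lines if not l.startswith("ALERT:")
                  and not TAGGED_RE.match("* " + l)],
    }


if __name__ == "__main__":
    print(json.dumps(summarize(parse_rkill_log(SAMPLE_LOG)), indent=2))
```

Run it as-is and it prints the triage summary for the constructed excerpt; feed it the full log text from the post and it produces the same fields over all of the `[ZA Dir]`/`[ZA File]` entries. The GUID de-duplication is the useful part: the same `{86aa8405-...}` appears under both the user profile and `C:\Windows\installer`, and a responder checking the disk after cleanup only needs that one value to confirm both trees are gone.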
  6. Broni

    Broni Malware Annihilator Posts: 47,163   +264

    Very well.

    We have ZeroAccess infection there.

    For x32 (x86) bit systems download Farbar Recovery Scan Tool 32-Bit and save it to a flash drive.
    For x64 bit systems download Farbar Recovery Scan Tool 64-Bit and save it to a flash drive.

    Plug the flashdrive into the infected PC.

    Enter System Recovery Options.

    To enter System Recovery Options from the Advanced Boot Options:
    • Restart the computer.
    • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
    • Use the arrow keys to select the Repair your computer menu item.
    • Select US as the keyboard language settings, and then click Next.
    • Select the operating system you want to repair, and then click Next.
    • Select your user account and click Next.

    To enter System Recovery Options by using Windows installation disc:
    • Insert the installation disc.
    • Restart your computer.
    • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
    • Click Repair your computer.
    • Select US as the keyboard language settings, and then click Next.
    • Select the operating system you want to repair, and then click Next.
    • Select your user account and click Next.

    On the System Recovery Options menu you will get the following options:

      • Startup Repair
      • System Restore
      • Windows Complete PC Restore
      • Windows Memory Diagnostic Tool
      • Command Prompt
    • Select Command Prompt
    • In the command window type in notepad and press Enter.
    • The notepad opens. Under File menu select Open.
    • Select "Computer" and find your flash drive letter and close the notepad.
    • In the command window type e:\frst.exe (for x64 bit version type e:\frst64) and press Enter.
      Note: Replace letter e with the drive letter of your flash drive.
    • The tool will start to run.
    • When the tool opens click Yes to disclaimer.
    • Press Scan button.
    • It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.

    Next...

    Re-run FRST again.
    Type the following in the edit box after "Search:".

    services.exe

    Click Search button and post the log (Search.txt) it makes in your reply.

    I'll expect two logs:
    - FRST.txt
    - Search.txt
     
  7. Harry96

    Harry96 TS Rookie Topic Starter

    I don't have a flash drive, so I'll have to go buy one. I'll get back to you by tomorrow.

    Thanks again.
     
  8. Broni

    Broni Malware Annihilator Posts: 47,163   +264

    No problem :)
     
  9. Harry96

    Harry96 TS Rookie Topic Starter

    When I hit F8 and select "Repair Your Computer," it doesn't ask for language or operating system; it goes straight to one option, which is to select "other user" and try to log in with it. My regular user name isn't an option. When I try to log in with my name and password, I get this error message:
    "The specified domain either does not exist or could not be contacted."
    I tried this three times, and had the same problem each time.
     
  10. Broni

    Broni Malware Annihilator Posts: 47,163   +264

    If you have Vista DVD use second option:
    To enter System Recovery Options by using Windows installation disc:

    If you don't have Vista DVD let me know.
     
  11. Harry96

    Harry96 TS Rookie Topic Starter

    I tried using the disc.
    The first time, "Repair Your Computer" wasn't on the list of options on the Advanced Boot Options menu.
    I tried three more times; each time, I was unable to even get the ABO list to come up again with F8 -- I would only get the hit any key to start, then a message saying "Windows is loading files . . ." with a left-right scroll bar, followed by a screen asking me to make language selections to re-install Vista.
    Sorry I'm having so many problems.
     
     
  12. Broni

    Broni Malware Annihilator Posts: 47,163   +264

    What exact kind of disk are you using?
     
  13. Harry96

    Harry96 TS Rookie Topic Starter

    It's the Vista Operating System Disc. Is that the wrong one?
     
  14. Broni

    Broni Malware Annihilator Posts: 47,163   +264

    Select English and let me know what you see on next screen.
     
  15. Harry96

    Harry96 TS Rookie Topic Starter

    There was a "Repair Your Computer" option on that screen, so I clicked it. The next screen said to select operating system to repair, but none was listed. It said if you don't see it, load drivers. I clicked that, and it said to insert installation media device and click ok to select driver. I didn't know if that was the disc already in or not, so I clicked it to see what happened. It gave me a pop-up window of a list of stuff in a folder, but I didn't know what to do, so I closed the window and shut down the computer (so I could restart in safe mode to use my browser).
     
  16. Broni

    Broni Malware Annihilator Posts: 47,163   +264

    Let's try something else.
    Restart to safe mode with networking.

    Please download ComboFix from Here, Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    • Never rename Combofix unless instructed.
    • Close any open browsers.
    • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    • Double click on combofix.exe & follow the prompts.

    • NOTE 1. If Combofix asks you to install Recovery Console, please allow it.
      NOTE 2. If Combofix asks you to update the program, always do so.
    • When finished, it will produce a report for you.
    • Please post the "C:\ComboFix.txt"
    **Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall
    **Note 2 for AVG and CA Internet Security (Total Defense Internet Security) users: ComboFix will not run until AVG/CA Internet Security is uninstalled as a protective measure against the anti-virus. This is because AVG/CA Internet Security "falsely" detects ComboFix (or its embedded files) as a threat and may remove them resulting in the tool not working correctly which in turn can cause "unpredictable results". Since AVG/CA Internet Security cannot be effectively disabled before running ComboFix, the author recommends you to uninstall AVG/CA Internet Security first.
    Use AppRemover to uninstall it: http://www.appremover.com/
    We can reinstall it when we're done with CF.
    **Note 3: If you receive an error "Illegal operation attempted on a registery key that has been marked for deletion", restart computer to fix the issue.
    **Note 4: Some infections may take some significant time to be cured. As long as your computer clock is running Combofix is still working. Be patient.


    Make sure, you re-enable your security programs, when you're done with Combofix.

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    NOTE.
    If, for some reason, Combofix refuses to run, try one of the following:

    1. Run Combofix from Safe Mode.

    2. Delete Combofix file, download fresh one, but rename combofix.exe to your_name.exe BEFORE saving it to your desktop.
    Do NOT run it yet.
    Please download and run the below tool named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.
    There are 4 different versions. If one of them won't run then download and try to run the other one.
    Vista and Win7 users need to right click Rkill and choose Run as Administrator
    You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shutdown your antivirus.

    * Rkill.com
    * Rkill.scr
    * Rkill.exe
    • Double-click on the Rkill icon to run the tool.
    • If using Vista or Windows 7 right-click on it and choose Run As Administrator.
    • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
    • If not, delete the file, then download and use the one provided in Link 2.
    • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
    • Do not reboot until instructed.
    • If the tool does not run from any of the links provided, please let me know.
    Once you've gotten one of them to run, immediately run your_name.exe by double clicking on it.

    If normal mode still doesn't work, run BOTH tools from safe mode.

    In case #2, please post BOTH logs, rKill and Combofix.

    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
     
  17. Broni

    Broni Malware Annihilator Posts: 47,163   +264

    This topic is marked as abandoned and closed due to inactivity.
    This member will NOT be eligible to receive any more help in malware removal forum.
     
Topic Status:
Not open for further replies.