[A] Unnamed virus, black screen, no access to task manager or any icons or files

Inactive
By tapersteve
Oct 1, 2012
Topic Status:
Not open for further replies.
  1. Broni

    Broni Malware Annihilator Posts: 45,175   +242

    I hope replacing that system file helped.

    Let's run a couple more scans...

    1. Download Security Check from HERE, and save it to your Desktop.
    • Double-click SecurityCheck.exe
    • Follow the onscreen instructions inside of the black box.
    • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

      NOTE: SecurityCheck may produce some false warning(s), so leave the results reading to me.

    2. Please download Farbar Service Scanner (FSS) and run it on the computer with the issue.
    • Make sure the following options are checked:
      • Internet Services
      • Windows Firewall
      • System Restore
      • Security Center
      • Windows Update
      • Windows Defender
    • Press "Scan".
    • It will create a log (FSS.txt) in the same directory the tool is run.
    • Please copy and paste the log to your reply.

    3. Please download AdwCleaner by Xplode onto your desktop.
    • Close all open programs and internet browsers.
    • Double click on adwcleaner.exe to run the tool.
    • Click on Delete.
    • Confirm each time with Ok.
    • Your computer will be rebooted automatically. A text file will open after the restart.
    • Please post the contents of that logfile with your next reply.
    • You can find the logfile at C:\AdwCleaner[S1].txt as well.

    Next...

    • Double click on adwcleaner.exe to run the tool.
    • Click on Uninstall.
    • Confirm with yes.

    4. Download Temp File Cleaner (TFC)
    Alternate download: http://www.itxassociates.com/OT-Tools/TFC.exe
    • Double click on TFC.exe to run the program.
    • Click on Start button to begin cleaning process.
    • TFC will close all running programs, and it may ask you to restart computer.

    5. Please run a free online scan with the ESET Online Scanner

    • Disable your antivirus program
    • Tick the box next to YES, I accept the Terms of Use
    • Click Start
    • Accept any security warnings from your browser.
    • Check Scan archives
    • Click Start
    • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
    • When the scan completes, click on List of found threats
    • Click on Export to text file , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
    • NOTE: If ESET doesn't find any threats, it won't produce any log.
  2. tapersteve

    tapersteve Newcomer, in training Topic Starter Posts: 52

    Security Check log file:

    Results of screen317's Security Check version 0.99.51
    Windows XP Service Pack 3 x86
    Internet Explorer 7 Out of date!
    ``````````````Antivirus/Firewall Check:``````````````
    avast! Antivirus
    Antivirus up to date!
    `````````Anti-malware/Other Utilities Check:`````````
    Out of date HijackThis installed!
    Spybot - Search & Destroy
    SUPERAntiSpyware
    Malwarebytes Anti-Malware version 1.65.0.1400
    HijackThis 2.0.2
    Java(TM) 6 Update 31
    Java version out of Date!
    Adobe Flash Player 10 Flash Player out of Date!
    Adobe Flash Player 10.3.183.7 Flash Player out of Date!
    Adobe Reader 8 Adobe Reader out of Date!
    Mozilla Firefox (15.0.1)
    ````````Process Check: objlist.exe by Laurent````````
    Malwarebytes Anti-Malware mbamservice.exe
    Malwarebytes Anti-Malware mbamgui.exe
    Malwarebytes' Anti-Malware mbamscheduler.exe
    Alwil Software Avast5 AvastSvc.exe
    Alwil Software Avast5 avastUI.exe
    CheckPoint ZoneAlarm vsmon.exe
    CheckPoint ZoneAlarm zatray.exe
    `````````````````System Health check`````````````````
    Total Fragmentation on Drive C:: 4%
    ````````````````````End of Log``````````````````````
  3. tapersteve

    tapersteve Newcomer, in training Topic Starter Posts: 52

    Farbar Service Scanner log:

    Farbar Service Scanner Version: 19-09-2012
    Ran by Steve Kwartin (administrator) on 05-10-2012 at 23:12:47
    Running from "C:\Documents and Settings\Steve Kwartin\desktop"
    Microsoft Windows XP Professional Service Pack 3 (X86)
    Boot Mode: Normal
    ****************************************************************

    Internet Services:
    ============
    Dnscache Service is not running. Checking service configuration:
    The start type of Dnscache service is set to Demand. The default start type is Auto.
    The ImagePath of Dnscache service is OK.
    The ServiceDll of Dnscache service is OK.


    Connection Status:
    ==============
    Localhost is accessible.
    LAN connected.
    Google IP is accessible.
    Google.com is accessible.
    Yahoo IP is accessible.
    Yahoo.com is accessible.


    Windows Firewall:
    =============
    sharedaccess Service is not running. Checking service configuration:
    The start type of sharedaccess service is OK.
    The ImagePath of sharedaccess service is OK.
    The ServiceDll of sharedaccess service is OK.

    netman Service is not running. Checking service configuration:
    The start type of netman service is set to Disabled. The default start type is 3.
    The ImagePath of netman service is OK.
    The ServiceDll of netman service is OK.


    Firewall Disabled Policy:
    ==================
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
    "EnableFirewall"=DWORD:0


    System Restore:
    ============

    System Restore Disabled Policy:
    ========================


    Security Center:
    ============

    Windows Update:
    ============

    Windows Autoupdate Disabled Policy:
    ============================


    File Check:
    ========
    C:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit
    C:\WINDOWS\system32\Drivers\afd.sys => MD5 is legit
    C:\WINDOWS\system32\Drivers\netbt.sys => MD5 is legit
    C:\WINDOWS\system32\Drivers\tcpip.sys => MD5 is legit
    C:\WINDOWS\system32\Drivers\ipsec.sys => MD5 is legit
    C:\WINDOWS\system32\dnsrslvr.dll => MD5 is legit
    C:\WINDOWS\system32\ipnathlp.dll => MD5 is legit
    C:\WINDOWS\system32\netman.dll => MD5 is legit
    C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
    C:\WINDOWS\system32\srsvc.dll => MD5 is legit
    C:\WINDOWS\system32\Drivers\sr.sys => MD5 is legit
    C:\WINDOWS\system32\wscsvc.dll => MD5 is legit
    C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
    C:\WINDOWS\system32\wuauserv.dll => MD5 is legit
    C:\WINDOWS\system32\qmgr.dll => MD5 is legit
    C:\WINDOWS\system32\es.dll => MD5 is legit
    C:\WINDOWS\system32\cryptsvc.dll => MD5 is legit
    C:\WINDOWS\system32\svchost.exe => MD5 is legit
    C:\WINDOWS\system32\rpcss.dll => MD5 is legit
    C:\WINDOWS\system32\services.exe
    [2004-08-04 06:00] - [2009-02-06 07:06] - 0110592 ____A (Microsoft Corporation) 020CEAAEDC8EB655B6506B8C70D53BB6


    Extra List:
    =======
    aswTdi(9) Gpc(3) IPSec(5) NetBT(6) PSched(7) Tcpip(4)
    0x09000000050000000100000002000000030000000400000009000000060000000700000008000000
    IpSec Tag value is correct.

    **** End of log ****
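    As an added example (not part of this thread, and not code from Farbar or any other tool mentioned here), the Python below reads the plain-text FSS log format shown above and flags the two things a helper scans it for: services whose start type has been changed from the default (FSS prints the default sometimes by name, "Auto", and sometimes as the numeric code, "3", as the netman lines show, so both are normalised), and a firewall policy key explicitly set to EnableFirewall=0. The sample log embedded in the script is constructed from the lines posted above.

```python
"""Triage a Farbar Service Scanner (FSS) log for service and firewall tampering.

Added example, independent of the FSS tool. Flags:
  * services whose start type differs from the default FSS reports,
  * a Windows Firewall policy value explicitly set to EnableFirewall=0.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Windows service start-type codes. FSS prints defaults either as a name
# ("Auto") or as the raw number ("3"), so both forms are mapped to a name.
START_TYPES = {"0": "Boot", "1": "System", "2": "Auto", "3": "Demand", "4": "Disabled"}

STOPPED_RE = re.compile(r"^(?P<svc>\S+) Service is not running\.")
START_RE = re.compile(
    r"^The start type of (?P<svc>\S+) service is set to (?P<cur>\w+)\. "
    r"The default start type is (?P<default>\w+)\."
)
POLICY_RE = re.compile(r'^"EnableFirewall"=DWORD:(?P<val>[0-9A-Fa-f]+)')


@dataclass
class Finding:
    category: str            # "start_type_changed" or "firewall_policy_disabled"
    service: Optional[str]   # None for registry policy findings
    detail: str


@dataclass
class Triage:
    stopped: List[str] = field(default_factory=list)      # services FSS saw not running
    findings: List[Finding] = field(default_factory=list)


def normalize_start_type(value: str) -> str:
    """Map a numeric start type such as '3' to 'Demand'; names pass through."""
    return START_TYPES.get(value, value)


def triage_fss_log(text: str) -> Triage:
    """Walk the log line by line, tracking the current section and registry key."""
    result = Triage()
    section = None
    current_key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        # Section headers look like "Windows Firewall:"; the "Checking service
        # configuration:" sentence also ends in ":" but contains a period.
        if line.endswith(":") and "." not in line:
            section = line[:-1]
            continue
        if line.startswith("[") and line.endswith("]"):
            current_key = line[1:-1]
            continue
        m = STOPPED_RE.match(line)
        if m:
            result.stopped.append(m["svc"])
            continue
        m = START_RE.match(line)
        if m:
            current = normalize_start_type(m["cur"])
            default = normalize_start_type(m["default"])
            if current != default:
                result.findings.append(Finding(
                    "start_type_changed", m["svc"],
                    f"{m['svc']} start type is {current}, default is {default} "
                    f"(section: {section})"))
            continue
        m = POLICY_RE.match(line)
        if m and int(m["val"], 16) == 0:
            result.findings.append(Finding(
                "firewall_policy_disabled", None,
                f"EnableFirewall=0 under {current_key or '<unknown key>'}"))
    return result


# Constructed sample, assembled from the FSS output format posted in the thread.
SAMPLE_LOG = r"""Farbar Service Scanner Version: 19-09-2012
Internet Services:
============
Dnscache Service is not running. Checking service configuration:
The start type of Dnscache service is set to Demand. The default start type is Auto.
The ImagePath of Dnscache service is OK.

Windows Firewall:
=============
sharedaccess Service is not running. Checking service configuration:
The start type of sharedaccess service is OK.

netman Service is not running. Checking service configuration:
The start type of netman service is set to Disabled. The default start type is 3.

Firewall Disabled Policy:
==================
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall"=DWORD:0
"""

if __name__ == "__main__":
    t = triage_fss_log(SAMPLE_LOG)
    print("Stopped services:", ", ".join(t.stopped))
    for f in t.findings:
        print(f"[{f.category}] {f.detail}")
```

    A stopped service on its own is not a finding (sharedaccess is stopped but its start type is untouched); only a changed start type or an explicit policy value is reported, which is how the helper reads the log in this thread.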
  4. tapersteve

    tapersteve Newcomer, in training Topic Starter Posts: 52

    AdwCleaner log file:

    # AdwCleaner v2.003 - Logfile created 10/05/2012 at 23:14:50
    # Updated 23/09/2012 by Xplode
    # Operating system : Microsoft Windows XP Service Pack 3 (32 bits)
    # User : Steve Kwartin - STEVE-QUAD
    # Boot Mode : Normal
    # Running from : C:\Documents and Settings\Steve Kwartin\desktop\adwcleaner.exe
    # Option [Delete]


    ***** [Services] *****


    ***** [Files / Folders] *****

    Folder Deleted : C:\Documents and Settings\All Users\Application Data\InstallMate
    Folder Deleted : C:\Program Files\Conduit

    ***** [Registry] *****

    Key Deleted : HKCU\Software\Conduit
    Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\incredibar.com
    Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains\incredibar.com
    Key Deleted : HKLM\SOFTWARE\Classes\AxMetaStream.MetaStreamCtl
    Key Deleted : HKLM\SOFTWARE\Classes\AxMetaStream.MetaStreamCtl.1
    Key Deleted : HKLM\SOFTWARE\Classes\AxMetaStream.MetaStreamCtlSecondary
    Key Deleted : HKLM\SOFTWARE\Classes\AxMetaStream.MetaStreamCtlSecondary.1
    Key Deleted : HKLM\SOFTWARE\Classes\Toolbar.CT2645238
    Key Deleted : HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{03F998B2-0E00-11D3-A498-00104B6EB52E}
    Key Deleted : HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{1B00725B-C455-4DE6-BFB6-AD540AD427CD}
    Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\incredibar.com
    Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains\incredibar.com

    ***** [Internet Browsers] *****

    -\\ Internet Explorer v7.0.5730.13

    Restored : [HKCU\Software\Microsoft\Internet Explorer\SearchScopes - DefaultScope]
    Restored : [HKU\S-1-5-18\Software\Microsoft\Internet Explorer\SearchScopes - DefaultScope]
    Restored : [HKU\S-1-5-19\Software\Microsoft\Internet Explorer\SearchScopes - DefaultScope]
    Restored : [HKU\S-1-5-20\Software\Microsoft\Internet Explorer\SearchScopes - DefaultScope]

    -\\ Mozilla Firefox v15.0.1 (en-US)

    Profile name : default
    File : C:\Documents and Settings\Steve Kwartin\Application Data\Mozilla\Firefox\Profiles\5l5wp0pq.default\prefs.js

    C:\Documents and Settings\Steve Kwartin\Application Data\Mozilla\Firefox\Profiles\5l5wp0pq.default\user.js ... Deleted !

    [OK] File is clean.

    Profile name : default
    File : C:\Documents and Settings\Administrator.STEVE-QUAD\Application Data\Mozilla\Firefox\Profiles\8sohzsm4.default\prefs.js

    [OK] File is clean.

    *************************

    AdwCleaner[S1].txt - [2556 octets] - [05/10/2012 23:14:50]

    ########## EOF - C:\AdwCleaner[S1].txt - [2616 octets] ##########
  5. tapersteve

    tapersteve Newcomer, in training Topic Starter Posts: 52

    Broni, I was able to get those first few scans done. I have TFC on my computer. I tried to run my copy, then a copy downloaded from the first site you listed, then the other. Every one gets hung up almost immediately, and is unable to stop other running processes. I have used this program many times without any issue, so I really do not know what to do. I have spent the last hour trying this different ways, but no go. Steve
  6. Broni

    Broni Malware Annihilator Posts: 45,175   +242

    Run it from safe mode.
  7. tapersteve

    tapersteve Newcomer, in training Topic Starter Posts: 52

    Broni,

    Sorry about the delay, but Eset took a while to run, and I went to bed. TFC was able to run in safe mode, and did its thing. I then did the Eset scan, and the log is below. So far, I have not seen MBAM indicate any suspicious traffic, but I will let you know a little later, after I have spent some more time in front of the computer. Thank you yet again. Steve

    Eset log:

    ESETSmartInstaller@High as downloader log:
    all ok
    # version=7
    # OnlineScannerApp.exe=1.0.0.1
    # OnlineScanner.ocx=1.0.0.6583
    # api_version=3.0.2
    # EOSSerial=8df7fe4b42a4cc4ea7d50b4c834bd64e
    # end=finished
    # remove_checked=true
    # archives_checked=true
    # unwanted_checked=true
    # unsafe_checked=false
    # antistealth_checked=true
    # utc_time=2012-10-06 06:01:48
    # local_time=2012-10-06 02:01:48 (-0500, Eastern Daylight Time)
    # country="United States"
    # lang=1033
    # osver=5.1.2600 NT Service Pack 3
    # compatibility_mode=512 16777215 100 0 54967300 54967300 0 0
    # compatibility_mode=768 16777215 100 0 55152548 55152548 0 0
    # compatibility_mode=8192 67108863 100 0 0 0 0 0
    # compatibility_mode=9217 16777214 75 4 0 0 0 0
    # scanned=135500
    # found=9
    # cleaned=9
    # scan_time=5216
    C:\Documents and Settings\Steve Kwartin\desktop\Audio Programs\setup.exe Win32/Toolbar.Zugo application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
    C:\Documents and Settings\Steve Kwartin\desktop\Program Files\Nero-9.4.12.3d_free.exe Win32/Toolbar.AskSBar application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
    C:\Documents and Settings\Steve Kwartin\desktop\Program Files\SoftonicDownloader_for_internet-explorer.exe a variant of Win32/SoftonicDownloader.A application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
    C:\Documents and Settings\Steve Kwartin\My Documents\virus\New Folder\IHBETQ a variant of Java/Exploit.CVE-2012-4681.BC trojan (deleted - quarantined) 00000000000000000000000000000000 C
    C:\Documents and Settings\Steve Kwartin\My Documents\virus\New Folder\jar_cache6100115203503054071.tmp a variant of Java/Exploit.CVE-2012-4681.BC trojan (deleted - quarantined) 00000000000000000000000000000000 C
    C:\System Volume Information\_restore{E5CD8885-81EB-4EA5-9C7D-F91E4C407EEE}\RP1421\A0426702.exe Win32/Toolbar.Zugo application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
    C:\System Volume Information\_restore{E5CD8885-81EB-4EA5-9C7D-F91E4C407EEE}\RP1421\A0426703.exe Win32/Toolbar.AskSBar application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
    C:\System Volume Information\_restore{E5CD8885-81EB-4EA5-9C7D-F91E4C407EEE}\RP1421\A0426704.exe a variant of Win32/SoftonicDownloader.A application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
    H:\Desktop\Audio Programs\setup.exe Win32/Toolbar.Zugo application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
  8. tapersteve

    tapersteve Newcomer, in training Topic Starter Posts: 52

    Broni,

    Well, it took a little while, but now MBAM is reporting attempts at outgoing communications to an IP address located in China. I don't know if this is something old or something that is part of the recent infection, but whatever it is, it has so far survived all of the attempts to kill it. Steve
  9. tapersteve

    tapersteve Newcomer, in training Topic Starter Posts: 52

    I am now seeing both incoming and outgoing attempts as reported by MBAM.
  10. Broni

    Broni Malware Annihilator Posts: 45,175   +242

    For x86 (x32) bit systems please download Listparts
    For x64 bit systems please download Listparts64

    Click on Scan button.

    Scan result will open in Notepad.
    Post it in your next reply.
  11. tapersteve

    tapersteve Newcomer, in training Topic Starter Posts: 52

    Broni,

    Here is the listparts scan log:

    ListParts by Farbar Version: 02-10-2012
    Ran by Steve Kwartin (administrator) on 06-10-2012 at 17:01:58
    Windows XP (X86)
    Running From: C:\Documents and Settings\Steve Kwartin\desktop
    Language: 0409
    ************************************************************

    ========================= Memory info ======================

    Percentage of memory in use: 24%
    Total physical RAM: 3317.1 MB
    Available physical RAM: 2518.7 MB
    Total Pagefile: 3155.15 MB
    Available Pagefile: 2632.92 MB
    Total Virtual: 2047.88 MB
    Available Virtual: 2005.17 MB

    ======================= Partitions =========================

    1 Drive c: () (Fixed) (Total:232.82 GB) (Free:62.63 GB) NTFS ==>[Drive with boot components (Windows XP)]
    3 Drive f: (Local Disk) (Fixed) (Total:37.26 GB) (Free:5.46 GB) NTFS ==>[Drive with boot components (Windows XP)]
    4 Drive h: (Music 4) (Fixed) (Total:698.64 GB) (Free:102.47 GB) NTFS

    Disk ### Status Size Free Dyn Gpt
    -------- ---------- ------- ------- --- ---
    Disk 0 Online 932 GB 699 GB
    Disk 1 Online 699 GB 0 B
    Disk 2 Online 37 GB 0 B

    Partitions of Disk 0:
    ===============

    Partition ### Type Size Offset
    ------------- ---------------- ------- -------
    Partition 1 Primary 233 GB 32 KB
    ======================================================================================================

    Disk: 0
    Partition 1
    Type : 07
    Hidden: No
    Active: Yes

    Volume ### Ltr Label Fs Type Size Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volume 1 C NTFS Partition 233 GB Healthy System (partition with boot components)
    ======================================================================================================

    Partitions of Disk 1:
    ===============

    Partition ### Type Size Offset
    ------------- ---------------- ------- -------
    Partition 1 Primary 699 GB 32 KB
    ======================================================================================================

    Disk: 1
    Partition 1
    Type : 07
    Hidden: No
    Active: Yes

    Volume ### Ltr Label Fs Type Size Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volume 2 H Music 4 NTFS Partition 699 GB Healthy
    ======================================================================================================

    Partitions of Disk 2:
    ===============

    Partition ### Type Size Offset
    ------------- ---------------- ------- -------
    Partition 1 Primary 37 GB 32 KB
    ======================================================================================================

    Disk: 2
    Partition 1
    Type : 07
    Hidden: No
    Active: Yes

    Volume ### Ltr Label Fs Type Size Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volume 3 F Local Disk NTFS Partition 37 GB Healthy
    ======================================================================================================

    ****** End Of Log ******
  12. Broni

    Broni Malware Annihilator Posts: 45,175   +242

    I'm afraid you'll have to get (borrow?) a Windows XP CD so you can complete the steps from my reply #8 (UBCD).
  13. tapersteve

    tapersteve Newcomer, in training Topic Starter Posts: 52

    Broni,

    I never got the Windows XP CD, as it came pre-installed on the computer. Also, wouldn't reinstalling it cause me to lose all of the other data on my disk? I do have a back-up of my drive, that is on one of my external drives. I was having drive issues that seemed to indicate it was dying, so I created a complete image of my drive [several months ago], bought a new drive and installed it, and then had the external drive clone the new drive. The original CD from Maxtor for the software was defective, but after searching online, I was able to download and use some other software that was written as a work around. As far as I know, that whole image file is still on that drive.
  14. Broni

    Broni Malware Annihilator Posts: 45,175   +242

    My post #8 has nothing to do with reinstalling anything.
    It's about accessing your computer from an external disk.
  15. tapersteve

    tapersteve Newcomer, in training Topic Starter Posts: 52

    Can I go through those steps if one of my friends has an XP CD? Does it have to be XP Pro, or can it be any version of XP? Let me know. Thanks. Steve
  16. Broni

    Broni Malware Annihilator Posts: 45,175   +242

    This is what I'm saying... a borrowed CD will do.
    It has to be your version of XP with at least SP1 on it.
  17. tapersteve

    tapersteve Newcomer, in training Topic Starter Posts: 52

    Broni,

    I should have the disc today.

    Steve
  18. Broni

    Broni Malware Annihilator Posts: 45,175   +242

  19. Broni

    Broni Malware Annihilator Posts: 45,175   +242

    This topic is marked as abandoned and closed due to inactivity.
    This member will NOT be eligible to receive any more help in malware removal forum.