TechSpot

Avira Deleted Malware - Now I Cannot Boot Up

By Smartkid
Oct 12, 2009
  1. I came across a warning message from Avira while browsing the internet. It had detected something and proposed that I delete it.

    Virus or unwanted program 'EXP/Pidief.yag [exploit]'
    detected in file 'C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\hug6wxlm.default\Cache\705660DDd01.
    Action performed: Delete file


    As soon as I clicked OK, my system restarted. However, after getting the Windows loading screen, it restarted again.. and again and again. I cannot get past the Windows screen. It does the same thing when I try to run in Safe Mode, but if I press Esc, it successfully launches Safe Mode.

    I tried a System Restore for yesterday's date, but it didn't help.

    The bolded message above is an extract from my events log in Avira. Any idea what has gone wrong?
     
  2. momok

    momok TS Rookie Posts: 2,265

    Do you have HijackThis on your system? Try booting into safe mode with networking to download HijackThis and also Combofix.
    Then boot into safe mode without networking and run both. Paste the logs in your reply.
     
  3. Smartkid

    Smartkid TS Rookie Topic Starter Posts: 25

    I'm having trouble downloading ComboFix. I'll do it via another computer and try again tomorrow.

    In the meantime, I've attached the logs for MBAM, SuperAntiSpyware, and HiJackThis.

    Looks like some sort of Registry problem? Please note that I had to run a quick scan in MBAM because when I ran the full scan, my PC seemed to freeze up. I'll try again tomorrow. I also haven't asked MBAM to repair the detected item yet. I don't want anything to get worse.

    Thanks
     
  4. WinXPert

    WinXPert TS Guru Posts: 445

    So you can launch into safe mode then try using these two programs to clean your system.

    1. CCleaner. Open CCleaner then click Registry | Scan for issues | Fix selected issues.... Repeat until no more errors are reported. Click Cleaner | Run Cleaner
    2. Glary Utilities Portable. Launch and select 1-Click Maintenance | Scan for Issues | Repair Problems. Repeat until no more errors are reported.
     
  5. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Please hold off on the CCleaner and other scans for now.

    You have a malware infection called Norton 2009 Reset (.norton2009Reset) It is added by a variant of the Trojan.Generic TROJAN! Note: It is showing up in Safe Mode.

    I'd rather you be in just plain Safe Mode instead of with Networking. The security programs don't load when using 'with Networking', so do this:

    Boot into Safe Mode
    • Restart your computer and start pressing the F8 key on your keyboard.
    • Select the Safe Mode option when the Windows Advanced Options menu appears, and then press ENTER.

    Click on Start> Run> type in services.msc> double-click on Norton 2009 Reset (.norton2009Reset)> change the Startup type to Disabled> Stop the Service> Close the Services.

    Using Windows Explorer: (right click on Taskbar> Explore) click on My Computer> then Local Drive>
    Look for Documents & Settings> All Users> Application Data> right click on Norton> Delete

    There may be one more step, but see if this will allow you to get into Normal Mode.
     
  6. Smartkid

    Smartkid TS Rookie Topic Starter Posts: 25

    I was just about to run the CCleaner on my Registry.

    I did the steps that Bobbye recommended, but I still cannot start up in Normal Mode. Can you please advise whether I should proceed with the other scans now?
     
  7. momok

    momok TS Rookie Posts: 2,265

    Just to check, is the Norton 2009 Reset service disabled, and the files deleted?
    In the meantime, have you been able to get hold of a copy of Combofix?
     
  8. Smartkid

    Smartkid TS Rookie Topic Starter Posts: 25

    Thanks momok.

    Attached is a ComboFix log and a new HijackThis log.

    While ComboFix was running, it found a rootkit error and rebooted the system and started up in Normal Mode. My Avira was turned back on and it kept trying to deny access to Combofix so I just kept choosing ignore so that the scan could run properly.

    What are all the Windows/installer files that were deleted?

    Any further steps to be taken?
     


  9. WinXPert

    WinXPert TS Guru Posts: 445

    Boot in Safe Mode

    Configure Antivir | Expert Mode | Scanner | Scan | Exception... add combofix to your list
    Guard | Scan | Exception ... add combofix to your list [Full path and filename]

    Scan with Avira. I'd like to see your log.
     
  10. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    momok, there are 5 years' worth of msi entries still on the system. Can you figure out what's causing them? Many were deleted in Combofix, but it looks like more remain. WebFolders are showing from 2004- from IE5. Curious.

    I see that Combo did delete the Norton reset entry also.
     
  11. Smartkid

    Smartkid TS Rookie Topic Starter Posts: 25

    Attached is the Avira log.
     


  12. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Okay, the AV scan is clean. From the information I read, it sounds like Avira was warning you of script on the site you were on. See the site below for suggestions:

    http://www.finheaven.com/forums/f9/merged-virus-alert-trojans-258792-2.html

    I don't think Avira caused the problem. Try this:
    Boot into Safe Mode
    • Restart your computer and start pressing the F8 key on your keyboard.
    • Select the Safe Mode option when the Windows Advanced Options menu appears, and then press ENTER.

    If a symptom does not reappear when you start in safe mode, you can eliminate the default settings and minimum device drivers as possible causes. If a newly added device or a changed driver is causing problems, you can use safe mode to remove the device or reverse the change.

    Do another scan with Malwarebytes. Check for the removal of the malware it finds- if you don't do that, you are just spinning your wheels. If you can do this, I'll have you uninstall Combofix, then reinstall it and scan again to see if the entries are removed.

    If you have a flash drive, it would also be helpful to remove the temp files: Download the TFC to the flash drive, then run it on the problem system.

    TFC (Temp File Cleaner)

    Download TFC to your desktop
    • Open the file and close any other windows.
    • It will close all programs itself when run, make sure to let it run uninterrupted.
    • Click the Start button to begin the process. The program should not take long to finish its job
    • Once it's finished it should reboot your machine; if not, do this yourself to ensure a complete clean

    TFC only cleans temp folders. TFC will not clean URL history, prefetch, or cookies. Depending on how often someone cleans their temp folders, their system hardware, and how many accounts are present, it can take anywhere from a few seconds to a minute or more. TFC will completely clear all temp files where other temp file cleaners may fail. TFC requires a reboot immediately after running. Be sure to save any unsaved work before running TFC.

    TFC (Temp File Cleaner) will clear out all temp folders for all user accounts (temp, IE temp, java, FF, Opera, Chrome, Safari), including Administrator, All Users, LocalService, NetworkService, and any other accounts in the user folder.

    When through please empty the Recycle Bin.
     
  13. momok

    momok TS Rookie Posts: 2,265

    I'm not sure what these folders do. Did you create them?

    C:\123
    C:\SOS
    C:\Smd

    Bobbye is right. Usually the system saves your uninstallation files in such a folder.

    However, judging by the crazy names and sheer amount of items there, I have no idea what those files are; they are likely randomly generated files created by the infection. In any case, you don't need them on your system.

    We'll need to remove these files as well as some other bad stuff from your system.

    Please copy the following text in the box below and paste into a notepad file. Save it as CFScript.txt and put it in the same folder (I presume it's the desktop) as combofix.

    Drag the file over to combofix.exe and release and let the program do its job.

    Code:
    file::
    c:\windows\System32\NOTEPAD.EXE
    c:\windows\Installer\fc84.msi
    c:\windows\Installer\f9d74.msi
    c:\windows\Installer\f04c4e.msi
    c:\windows\Installer\a83270.msi
    c:\windows\Installer\a8326a.msi
    c:\windows\Installer\a8325e.msi
    c:\windows\Installer\a34b6.msi
    c:\windows\Installer\8fd1e6.msi
    c:\windows\Installer\4d831a.msi
    c:\windows\Installer\435d1.msi
    c:\windows\Installer\3e7a57.msi
    c:\windows\Installer\3c31e8.msp
    c:\windows\Installer\3c31e1.msp
    c:\windows\Installer\3a3265.msi
    c:\windows\Installer\2e48dc.msi
    c:\windows\Installer\2d3c93.msi
    c:\windows\Installer\2d3c82.msi
    c:\windows\Installer\2d3c6d.msi
    c:\windows\Installer\2d3bcf.msi
    c:\windows\Installer\2d3b9b.msi
    c:\windows\Installer\2d3b8f.msi
    c:\windows\Installer\2d3b83.msi
    c:\windows\Installer\2d3b4b.msi
    c:\windows\Installer\2d3b3f.msi
    c:\windows\Installer\2d373a.msi
    c:\windows\Installer\2c4e0.msi
    c:\windows\Installer\2c4da.msi
    c:\windows\Installer\2c4d2.msi
    c:\windows\Installer\2c4c2.msi
    c:\windows\Installer\2c4a6.msi
    c:\windows\Installer\29e83a.msi
    c:\windows\Installer\29e81c.msi
    c:\windows\Installer\21d0a8.msi
    c:\windows\Installer\21d090.msi
    c:\windows\Installer\21d08a.msi
    c:\windows\Installer\21d082.msi
    c:\windows\Installer\21d07b.msi
    c:\windows\Installer\21d06f.msi
    c:\windows\Installer\21d047.msi
    c:\windows\Installer\1ec9d.msi
    c:\windows\Installer\1ec88.msi
    c:\windows\Installer\1ec82.msi
    c:\windows\Installer\19316b.msi
    c:\windows\Installer\168bcf.msi
    c:\windows\Installer\168bc9.msi
    c:\windows\Installer\168bc3.msi
    c:\windows\Installer\168bbc.msi
    c:\windows\Installer\168bb6.msi
    c:\windows\Installer\168b96.msi
    c:\windows\Installer\168b90.msi
    c:\windows\Installer\168b8a.msi
    c:\windows\Installer\168b84.msi
    c:\windows\Installer\168b7c.msi
    c:\windows\Installer\168b71.msi
    c:\windows\Installer\cc9d5c.msp
    c:\windows\Installer\cc9d2f.msp
    c:\windows\Installer\c89ad.msi
    c:\windows\Installer\a83264.msi
    c:\windows\Installer\a6f049.msp
    c:\windows\Installer\9c7c5b.msp
    c:\windows\Installer\9c7c43.msp
    c:\windows\Installer\9c413e.msi
    c:\windows\Installer\8fd247.msp
    c:\windows\Installer\8cd65a.msi
    c:\windows\Installer\79919a.msp
    c:\windows\Installer\7683a3.msp
    c:\windows\Installer\768388.msp
    c:\windows\Installer\768371.msp
    c:\windows\Installer\763fef.msi
    c:\windows\Installer\660043.msp
    c:\windows\Installer\5381b8.msi
    c:\windows\Installer\4c8c72.msi
    c:\windows\Installer\4c8c64.msi
    c:\windows\Installer\4ac5aa.msi
    c:\windows\Installer\4606b8.msi
    c:\windows\Installer\45a696.msp
    c:\windows\Installer\438e9f.msp
    c:\windows\Installer\438e5a.msp
    c:\windows\Installer\4100a5.msp
    c:\windows\Installer\3d50cb.msi
    c:\windows\Installer\3d50bd.msi
    c:\windows\Installer\3d50b7.msi
    c:\windows\Installer\3d50b1.msi
    c:\windows\Installer\3d50ab.msi
    c:\windows\Installer\3d50a5.msi
    c:\windows\Installer\3d509f.msi
    c:\windows\Installer\3d5099.msi
    c:\windows\Installer\3d5093.msi
    c:\windows\Installer\3d508d.msi
    c:\windows\Installer\3d5087.msi
    c:\windows\Installer\3d5081.msi
    c:\windows\Installer\3d507b.msi
    c:\windows\Installer\3d5074.msi
    c:\windows\Installer\3d506e.msi
    c:\windows\Installer\3d5067.msi
    c:\windows\Installer\3d5061.msi
    c:\windows\Installer\3d505a.msi
    c:\windows\Installer\3d5054.msi
    c:\windows\Installer\3d504e.msi
    c:\windows\Installer\3d5048.msi
    c:\windows\Installer\3d5042.msi
    c:\windows\Installer\3d503c.msi
    c:\windows\Installer\3d5036.msi
    c:\windows\Installer\3d502f.msi
    c:\windows\Installer\3c31bd.msp
    c:\windows\Installer\2cbb7b.msp
    c:\windows\Installer\2c4b6.msi
    c:\windows\Installer\2b8102.msi
    c:\windows\Installer\2b80fe.msi
    c:\windows\Installer\2ac1e9.msp
    c:\windows\Installer\2ac1d2.msp
    c:\windows\Installer\29e854.msp
    c:\windows\Installer\28c2cf.msp
    c:\windows\Installer\28c2b6.msp
    c:\windows\Installer\21d0e0.msp
    c:\windows\Installer\21d0ae.msi
    c:\windows\Installer\21d0a2.msi
    c:\windows\Installer\21d09c.msi
    c:\windows\Installer\21d096.msi
    c:\windows\Installer\21d075.msi
    c:\windows\Installer\21d069.msi
    c:\windows\Installer\21d059.msi
    c:\windows\Installer\21d053.msi
    c:\windows\Installer\21d04d.msi
    c:\windows\Installer\21d041.msi
    c:\windows\Installer\1ecbc.msi
    c:\windows\Installer\1ecb6.msi
    c:\windows\Installer\1ecb2.msi
    c:\windows\Installer\1ecaa.msi
    c:\windows\Installer\1eca6.msi
    c:\windows\Installer\1eca1.msi
    c:\windows\Installer\1ec171.msi
    c:\windows\Installer\193765.msi
    c:\windows\Installer\168b9c.msi
    c:\windows\Installer\16031b.msi
    c:\windows\Installer\14d13e.msi
    c:\windows\Installer\11d4da6.msi
    c:\windows\Installer\11d4b3d.msi
    c:\windows\Installer\11d4b0d.msi
    c:\windows\Installer\11c6009.msp
    c:\windows\Installer\11c5ff2.msp
    c:\windows\Installer\dee4ff.msp
    c:\windows\Installer\cc9d46.msp
    c:\windows\Installer\a6f09f.msp
    c:\windows\Installer\a6f088.msp
    c:\windows\Installer\a6f070.msp
    c:\windows\Installer\9c7c72.msp
    c:\windows\Installer\8fd231.msp
    c:\windows\Installer\7af437.msp
    c:\windows\Installer\7683bc.msp
    c:\windows\Installer\438e88.msp
    c:\windows\Installer\438e71.msp
    c:\windows\Installer\3c31cf.msp
    c:\windows\Installer\3c3175.msp
    c:\windows\Installer\2d36b2.msi
    c:\windows\Installer\2d2d5d.msi
    c:\windows\Installer\2cbb65.msp
    c:\windows\Installer\2cbb4f.msp
    c:\windows\Installer\2c4a1.msi
    c:\windows\Installer\2c33b.msi
    c:\windows\Installer\29e832.msp
    c:\windows\Installer\28c2fd.msp
    c:\windows\Installer\28c2e6.msp
    c:\windows\Installer\21d0df.msi
    c:\windows\Installer\11c604f.msp
    c:\windows\Installer\11c6038.msp
    c:\windows\Installer\11c6021.msp
    c:\windows\Installer\3c316c.msp
    Post back with your new combofix log, thanks
     
  14. Smartkid

    Smartkid TS Rookie Topic Starter Posts: 25

    Bobbye, I ran the TFC which removed 167mb worth of files from my PC and then ran MBAM in safe mode. It didn't detect any malware. Attached is the log.

    I also ran CCleaner on my Registry because one of the earlier posts had suggested it. I've attached a log of the errors that it detected. (I have NOT told it to fix anything yet. I thought it would be best to check here first.)

    momok, I deleted those three directories because I have no idea what they are. I've run ComboFix based on your instructions and the log is attached. Looks like Combofix deleted my Notepad application.
     
  15. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Please don't install, uninstall or run any programs or apps that you aren't directed to do. Don't do anything with the Registry entries.

    Combofix shows this is the 4th scan over several months:
    ComboFix-quarantined-files.txt 2009-10-17 21:10
    ComboFix2.txt 2009-10-15 02:25
    ComboFix3.txt 2009-05-03 19:51
    ComboFix4.txt 2009-04-10 20:34

    momok may want you to uninstall, then reinstall Combofix and rescan. I'll leave that up to him.

    Occasionally a member will offer a suggestion in the middle of a cleaning. They do not realize that the order of programs run can make a significant difference. It is best to only do what your main malware helpers tell you to. In this case, it's momok and me.
     
  16. Smartkid

    Smartkid TS Rookie Topic Starter Posts: 25

    Thanks Bobbye. Does it look like there are still infections on my computer? My PC is running somewhat slower than usual.

    I'll be waiting for momok's response to see what additional steps I should take....
     
  17. momok

    momok TS Rookie Posts: 2,265

    Oh gosh I'm so sorry.

    I accidentally left the notepad entry in the code box so it deleted your notepad.

    edit: conflicting instructions. please follow kritius's advice.
    ----------------------------

    On the bright side of things, your system is looking a lot cleaner now. Are you facing any problems in particular?

    Just to be sure, could you post a hijackthis log for a quick look? Thanks!
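
The slip described in this thread, a system binary left in a deletion list, is the kind of error a pre-run review catches. The following is an added example, not part of the original posts and not ComboFix code: it parses only the `file::` header and one-path-per-line layout shown in the script above, and the allowed directory, allowed extensions and protected directories are assumptions chosen for this case.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample: a short script shaped like the one in the thread
# (a "file::" header followed by one path per line).
SAMPLE_SCRIPT = r"""file::
c:\windows\System32\NOTEPAD.EXE
c:\windows\Installer\fc84.msi
c:\windows\Installer\3c31e8.msp
"""

# Assumption: the helper only intends to remove cached installer packages.
ALLOWED_DIR = PureWindowsPath(r"c:\windows\Installer")
ALLOWED_EXT = {".msi", ".msp"}
# Assumption: directories holding operating-system files that need a second look.
PROTECTED_DIRS = [PureWindowsPath(r"c:\windows\system32"),
                  PureWindowsPath(r"c:\windows\system")]


def parse_file_section(text):
    """Return the paths listed under the 'file::' header, in order."""
    paths, in_section = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        # Assumption: any other 'word::' line starts a different section.
        if re.fullmatch(r"[A-Za-z]+::", line):
            in_section = line.lower() == "file::"
            continue
        if in_section:
            paths.append(PureWindowsPath(line))
    return paths


def review(text):
    """Split listed paths into (expected, flagged); flagged carries a reason."""
    expected, flagged = [], []
    for p in parse_file_section(text):
        # PureWindowsPath comparisons ignore case, as Windows paths do.
        if any(d in p.parents for d in PROTECTED_DIRS):
            flagged.append((str(p), "inside a protected system directory"))
        elif p.parent != ALLOWED_DIR:
            flagged.append((str(p), "outside the intended directory"))
        elif p.suffix.lower() not in ALLOWED_EXT:
            flagged.append((str(p), "unexpected file type"))
        else:
            expected.append(str(p))
    return expected, flagged


if __name__ == "__main__":
    ok, flagged = review(SAMPLE_SCRIPT)
    print(f"{len(ok)} entries match the intended scope")
    for path, reason in flagged:
        print(f"REVIEW BEFORE RUNNING: {path} ({reason})")
```
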
     
  18. kritius

    kritius TS Guru Posts: 2,084

    Please be more careful when using ComboFix; "if you can't, then don't" is usually a good rule when running this.

    If you want to use ComboFix to restore the file then use this script.

    1. Close any open browsers.

    2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

    3. Open wordpad and copy/paste the text in the quotebox below into it:

    Save this as CFScript.txt, and as type Unicode text document in the same location as ComboFix.exe


    [​IMG]

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it shall produce a log for you at C:\DeQuarantine_log.txt which I will require in your next reply.
     
  19. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Thank you kritius.

    Let me know if you would like me to go through the clean and close when done.
     
  20. Smartkid

    Smartkid TS Rookie Topic Starter Posts: 25

    Thanks everyone for helping me out.

    Attached is the Dequarantine log from Combofix.

    I noticed that the link to Notepad from my start menu still doesn't work. How do I go about fixing that? (see image attached.)

    I also noticed that now the service agreement pops up whenever I open iTunes (see image attached.)

    Finally, my Firefox is not retaining web browsing history.
     
  21. kritius

    kritius TS Guru Posts: 2,084

    Open notepad and copy and paste the following in.

    Save this as fix.bat to your desktop and double click to run. A black box will pop up and disappear, this is normal.

    Try your notepad again and see if you get the same error.
     
  22. Smartkid

    Smartkid TS Rookie Topic Starter Posts: 25

    Thanks kritius. I tried it but I'm still getting the same error for Notepad.

    I also tried upgrading my iTunes to the latest version but I still have to go through the service agreements each time I open the program.
     
  23. kritius

    kritius TS Guru Posts: 2,084

    Go to tools, folder options, view, uncheck hide extensions for known file types.

    Go to C:\Windows\System32\ and look for notepad.exe.vir rename it to notepad.exe.

    Don't know about the iTunes issue. Would suggest backing up the iTunes music folder and then removing it and reinstalling.
     
  24. Smartkid

    Smartkid TS Rookie Topic Starter Posts: 25

    I was out of town attending a friend's wedding so I haven't been using my PC in the last 3 weeks.

    I still haven't been able to figure out the iTunes issue but my Notepad is working fine now. However, I noticed that when I boot up, the PC stays on my background image for several minutes (with the rotating hourglass) before all the icons and toolbars load up. It seems to be running slower - as if something may be running in the background. I've attached all my logs. Are there still infections present?

    I haven't done anything since the last time I was here except install some critical windows updates.
     
Topic Status:
Not open for further replies.
