Help with: Trojan Dropper.Generic.AINC, Win32/Virut, Others

By jscpa
Mar 4, 2009
Topic Status:
Not open for further replies.
  1. I have encountered several viruses, trojans, and worms over the last few days. I have not saved all the logs, but once I found your site I started to document what I could and follow your 8-step recommendation. However, I am now stuck on step 5. Please see the information below.

    Thank you for this board and your help!


    Computer System Information:

    OS Name Microsoft Windows XP Professional
    Version 5.1.2600 Service Pack 3 Build 2600
    OS Manufacturer Microsoft Corporation
    System Manufacturer Hewlett-Packard
    System Model Pavilion ZV6100 (PN494AV)
    System Type X86-based PC
    Processor x86 Family 15 Model 15 Stepping 0 AuthenticAMD ~1989 Mhz
    BIOS Version/Date Hewlett-Packard F.14, 5/27/2005
    SMBIOS Version 2.31
    Windows Directory C:\WINDOWS
    System Directory C:\WINDOWS\system32
    Boot Device \Device\HarddiskVolume1
    Locale United States
    Hardware Abstraction Layer Version = "5.1.2600.5512 (xpsp.080413-2111)"
    Time Zone Eastern Standard Time
    Total Physical Memory 512.00 MB
    Available Physical Memory 205.33 MB
    Total Virtual Memory 2.00 GB
    Available Virtual Memory 1.96 GB
    Page File Space 1.22 GB
    Page File C:\pagefile.sys


    Below are the procedures and related logs performed on my computer as advised in 8-steps instructions:

    All procedures were performed from Safe Mode with Networking.

    Step 1: AVG v7.5 was removed while loading AVG v8.5. This was run twice on consecutive days. 2 logs attached.

    Step 2: CCleaner was loaded and run. For future assistance, you may want to note the following:
    • From the options/advanced menu, the option “Only delete files in Windows temp folders older than 48 hours” is selected by default; I unselected it prior to running.
    • My computer has multiple users with unique logons, desktops, documents, etc. This program has to be run from within each user’s profile. Just running CCleaner from within the Administrator’s profile is not enough.
    • I ran a scan for registry issues and attached one log.

    Step 3: I removed AVG 8.5 and BCWipe 3.0 (previously installed).

    Step 4: Malwarebytes’ Anti-Malware – Full Scan performed 6 times. The first 3 and the last were full scans; the other two I aborted. Every time, I received an error message stating the log file’s path and “Access denied.” The first three scans did not save a log. The last three, including the two aborted scans, did save a log. Due to attachment limitations, the third of three logs will be attached to the next posting.

    Step 5: SuperAntiSpyware – This is where I am now. While installing this program, this message appeared: “The system administrator has set policies to prevent this installation.” The program has not been installed.

    Please advise.

    Third of three MBAM logs referenced above:
  2. kimsland

    kimsland Ex-TechSpotter Posts: 18,353

    Uninstall your AVG Antivirus
    Then run the removal tool
    Here is the 32Bit version (most users): http://www.avg.com/filedir/util/avg_arm_sup_____.dir/avgremover.exe
    Here is the 64Bit version: http://www.avg.com/filedir/util/avg_arv_sup_____.dir/avgremoverx64.exe

    Run Startup Control Panel and remove any not required startups: (should be most!)

    Install Avira free AntiVirus

    Start up Malwarebytes again; Update it; then run a full scan (remove all found Malwares)
    You need to run this multiple times, until all hidden Malwares are uncovered and removed

    There you go :) (seeming you couldn't PM ;) )
  3. jscpa

    jscpa Newcomer, in training Topic Starter Posts: 31

    wow - you saw me coming!

    Funny -- I didn't know I couldn't PM. Thanks for picking me up.

    While I was waiting, I saw your AVG removal tool on another post and ran it.

    I also tried to Install Avira free AntiVirus, but got similar error I've seen others have, so I loaded Avast. Do you have a removal tool for that or should I leave it on for now?

    I will load and run start up control panel in just in a min.

    I have also run MBAM several times while waiting in the queue. I plan to run it a few more times as you suggested. Do you want any of these recent MBAM logs?

    thanks!!
  4. kimsland

    kimsland Ex-TechSpotter Posts: 18,353

    Avast is good
    But I'll tell you what the issue is with Avira, you still have Malware ! :) :suspiciou

    So yes update Avast, then run a full scan with Malwarebytes (updated first of course)

    Actually do this too ;)

    Download Combofix
    Lots of info on its use here
    Direct download here

    Locate the downloaded Combofix. Double click on it to run, answering any prompts along the way
    Note: during Combofix scan (lasting up to 10mins) your Desktop and clock may reset (all normal)
    ComboFix will also restart your computer (eventually) and then (eventually) create a log

    Save this log file to be attached to a new reply

    Restart

    Also do another scan with HJT (scan and log file) and attach this to a new reply as well
  5. jscpa

    jscpa Newcomer, in training Topic Starter Posts: 31

    start ups

    I'm not exactly sure which of these remaining programs are "not required" to leave in startup:

    avast
    cpqset
    sunjavaupdatesched
    syntpenh
    ctfmom.exe

    moving to MBAM and combofix next.

    EDIT:
    received quite a few virus messages when opening avast to update.
    also says memory is infected.
  6. kimsland

    kimsland Ex-TechSpotter Posts: 18,353

    Leave those alone
    Mind you: "ctfmom.exe" I think you meant ctfmon.exe (as there's no ctfmom)

    Anyway, out of Startup Control Panel, and move on to the others ;)
  7. jscpa

    jscpa Newcomer, in training Topic Starter Posts: 31

    ok...

    Since last message I ran 4 scans with MBAM (b/c had lots of probs loading..other progs) - 1 full, 3 quick - see attached logs

    could not run combo fix :darth:
    1- apparently, I could not fully remove avg - got error message at startup of Combofix. Ran removal tool 3 more times - 2x from safe mode, 1x from normal. Still not removed.
    2- received message that C:\Windows\regedit.exe was missing and needs to be loaded from another computer (paraphrased -- kinda like ctfmom) :blackeye:

    loaded and ran HJT - see logs attached
  8. kimsland

    kimsland Ex-TechSpotter Posts: 18,353

    Combofix couldn't run :confused:

    Try this: Start-> Run-> ComboFix /u ->ok

    Then re-download Combofix
    Then rename Combofix to: ComFix (actually any name, but it must be letters)
    Then run it

    By the way:
    I don't think all these tmp files are exactly gone yet
    But Combofix should get them ;)
    Please try the steps above
  9. jscpa

    jscpa Newcomer, in training Topic Starter Posts: 31

    nope

    ComboFix still wouldn't run

    same problem with AVG "scanning"
    same problem with c:\Windows\regedit.exe missing
  10. kimsland

    kimsland Ex-TechSpotter Posts: 18,353

    This one's quick ;)

    Download RatsCheddar

    It contains a program written by Rathat, and it is a Policy Controller.
    Save and extract this program to the desktop.
    Once extracted, Double click on the RatsCheddar.exe file.
    Enable everything, then click Exit
    Reboot your Computer.

    ------------------

    Next try running Combofix in Safe Mode (by repeatedly pressing F8 before Windows startup)
  11. jscpa

    jscpa Newcomer, in training Topic Starter Posts: 31

    still not running

    :(

    loaded RatsCheddar, still same error messages

    EDIT:

    Reran RatsCheddar, uninstalled / reinstalled / renamed ComboFix 2 more times - still same prob.
    I also noticed a file in my C directory named "OSMSCKXKBMJOJZWI" it says it is 26,126,384 Kb.

    EDIT: Kim? Help, please?
  12. jscpa

    jscpa Newcomer, in training Topic Starter Posts: 31

    sorry - tried to avoid replying to my post...

    Kim -

    I've tried to honor the forum's request not to reply to my own thread (to get noticed), but it's been a couple days since I've heard from you. I also tried to post to your page, but would not allow it due to limitations on number of posts...

    Is my comp trashed? Please let me know if anyone is able to help or if you recommend I seek help elsewhere.

    Thanks again for this forum and the volunteer time all of you put in.
  13. kimsland

    kimsland Ex-TechSpotter Posts: 18,353

    Oh sorry, I'll have to re-read the thread again, to refresh my mind what's happening again

    Please hold :)

    By the way, I forgot to mention that if a last post is over 2 days old without reply, then you can reply to that thread

    Sorry for delay, I got interrupted here (wouldn't you know it.)

    Here is another AVG removal tool http://support.kaspersky.com/downloads/products2009/avg8.zip
    Please try it

    After this is run please try ComboFix in Safe Mode (press F8 before Windows starts to access Safe Mode)
  14. jscpa

    jscpa Newcomer, in training Topic Starter Posts: 31

    AVG removed. Missing Regedit.exe error remains

    AVG is finally removed! thank you.

    I reloaded and ran ComboFix, I still get the error:

    "Terminal Error - Missing File
    C:\WINDOWS\regedit.exe is missing
    Copy one from another machine"

    EDIT:
    I also tried to start up in Normal mode. Got to "starting Windows" box, then could see my wallpaper, then froze. No icons. Could not even bring up task manager.
  15. kimsland

    kimsland Ex-TechSpotter Posts: 18,353

    Start->Run-> SFC /ScanNow -> ok
    (please copy and paste that bolded part into run)

    By the way, you will need your Windows Setup CD just for the missing files part (ie no other data or anything will be hurt)

    Also you are best to disable any live protecting programs first (to stop them interfering with the scan)

    Edit

    Safe mode is good ;)
  16. jscpa

    jscpa Newcomer, in training Topic Starter Posts: 31

    was hoping we wouldn't need the Windows setup disk. I don't know where it is. The computer is 3.5 years old and I've moved 3 times since I bought it. Is there anywhere else I can get these missing files, or are they specific to my computer / copy of Windows?

    I still pasted the command into run and I saw a window flash very quickly. nothing else happened.

    thanks -- sorry, seems like this one is going to be tough!
  17. kimsland

    kimsland Ex-TechSpotter Posts: 18,353

  18. jscpa

    jscpa Newcomer, in training Topic Starter Posts: 31

    thanks

    k - will order cd and repost when in hand.

    Thanks for the help to this point.