TechSpot

Infected - Memory Virus - Logs Attached

By Zayan
Feb 15, 2009
  1. I had a worm in my computer which infected all my ' .exe ' files.

    I made a comprehensive virus scan which removed all traces of the virus. And now all my programs work properly EXCEPT iTunes which still shows this error :

    ' The instruction at 0x71751040 referenced memory at 0x71751040. The memory could not be read ' .

    I tried re-installing, repairing and everything but I still fail. I included the 3 logs. Help please :) ?
     
  2. kimsland

    kimsland Ex-TechSpotter Posts: 14,524

    Um. No.1 Remove Limewire (that's kinda a must ;) )

    Next:

    -> No action taken on MBAM scan, for found issues
    Please re-run Malwarebytes
    Confirm updated (third tab)
    Then do the above quoted message, but this time "Remove all found issues"

    By the way, you will need to then restart, and run (and attach) a new HJT log
     
  3. Zayan

    Zayan TS Rookie Topic Starter

    Well they suspected HijackThis as an issue thus I figured I shouldn't remove. You still want me to remove it ?
     
  4. kimsland

    kimsland Ex-TechSpotter Posts: 14,524

    I'm not sure what you exactly meant. But if it helps I service hundreds (about 300) TechSpot members a week. And I pride myself on Security (Virus\Malware removal)

    Just do as I say ;) :D

    But your choice and all
     
  5. Zayan

    Zayan TS Rookie Topic Starter

    I'm on it boss :D. Will be up in half an hour.
     
  6. kimsland

    kimsland Ex-TechSpotter Posts: 14,524

    Um Hm

    It is possible I may be taking a break
    I just saw your post come in, and noticed horrible Limewire and thought I'd post
    Thankfully there are other Malware specialists here, so if I'm not about, I hope they decide to help.

    Otherwise I'll check back later :grinthumb
     
  7. Zayan

    Zayan TS Rookie Topic Starter

    As per Kim's request -
     
  8. kimsland

    kimsland Ex-TechSpotter Posts: 14,524

    Please startup HijackThis Scan again
    Place a tick alongside the following entries
    Close all\any Internet browsers, and select Fix
    Download Combofix
    Lots of info on its use here
    Direct download here

    Locate the downloaded Combofix. Double click on it to run, answering any prompts along the way
    Note: during Combofix scan (lasting up to 10mins) your Desktop and clock may reset (all normal)
    ComboFix will also restart your computer (eventually) and then (eventually) create a log

    Save this log file to be attached to a new reply

    Also do another scan with HJT (scan and log file) and attach this to a new reply as well
     
  9. Zayan

    Zayan TS Rookie Topic Starter

    Done. Hope I did it all properly.
     
  10. kimsland

    kimsland Ex-TechSpotter Posts: 14,524

    It seems that Limewire and BitTorrent are still running
    Please note, it is impossible to remove infection on a computer with filesharing programs still running (by the way, these programs installed, means running - ie It allows full or part share to your computer)

    If you feel you cannot be apart from these programs, I would highly suggest that you use a Linux Boot CD, like Ubuntu, instead.
    You would be much safer, and re-infection would not be imminent, ie straight away
     
  11. Zayan

    Zayan TS Rookie Topic Starter

    Well I removed Limewire as you told me to but kept Bittorrent as I wasn't told to uninstall. So I should uninstall and do another HJK scan ?
     
  12. kimsland

    kimsland Ex-TechSpotter Posts: 14,524

    Yes

    And just so I don't need to suddenly find out about any other filesharing programs (there are many available across the web)
    Make sure to remove all file sharing programs

    But as I mentioned above, if you are just going to re-install them (and it does sound as though you will) then there is no use continuing, (ie re-infestation highly likely)

    We are up to post 12, and really haven't got very far
    If you happen to notice other threads I've supported on, by Post #12, the thread is usually fully completed. This one looks like we are starting again :confused:

    I should mention (warn) that I may stop supporting on this thread, if I feel I'm not getting anywhere. Basically I already feel this way now. :suspiciou
     
  13. Zayan

    Zayan TS Rookie Topic Starter

    No please I will co-operate. Hold on the HJK scans will be up in 5 minutes.

    And here it is !
     
  14. kimsland

    kimsland Ex-TechSpotter Posts: 14,524

    It looks pretty clean already. Except for some unknown "chat server"

    I've decided to stop now. If others want to reply with support, go for it.

    By the way, I hope we don't need to see you in a couple of days :rolleyes:
     
  15. Zayan

    Zayan TS Rookie Topic Starter

    Thanks for your help:wave:
     
  16. mflynn

    mflynn TS Rookie Posts: 2,655

    OK in reply to your message.

    OK post the remaining issues you have! give details.

    Mike
     
  17. Zayan

    Zayan TS Rookie Topic Starter

    The only issue I have is every time I try to start iTunes it gives me this message :

    ' The instruction at 0x745a1040 referenced memory at 0x745a1040. The memory could not be read. '

    I had a worm in my computer which I took care of completely and the virus does not show up on the scanner. As the logs ( submitted above ) show updated full system scan using both the malware and spyware program you have asked to use. Could you help :( ?

    If you require anything I'm waiting.
     
  18. mflynn

    mflynn TS Rookie Posts: 2,655

    Go into Control Panel, Programs and Features, and uninstall iTunes iPod, Apple QuickTime and Bonjour.

    Then reboot and run CCleaner Temps then on left Panel Registry then scan for issues. Run both repeatedly until clean.

    Then do the below..

    Download Win2003 Resource Kit, then install, must be to the default location do not change. It is fully compatible with XP even tho it says 2003.

    http://www.microsoft.com/downloads/...69-57ff-4ae7-96ee-b18c4790cffd&displaylang=en

    Then do the below

    Left Drag mouse and Copy for Pasting all text in the box below. Make sure the slider bar goes to bottom from the @ to the end of the second exit.

    Then paste to the black screen of an open command prompt
    Code:
    @echo off
    :: Fix Access denied
    cd /d "C:\Program Files\Windows Resource Kits\Tools"
    
    subinacl /subkeyreg HKEY_LOCAL_MACHINE /grant=administrators=f /grant=system=f
    subinacl /subkeyreg HKEY_CURRENT_USER /grant=administrators=f /grant=system=f
    subinacl /subkeyreg HKEY_CLASSES_ROOT /grant=administrators=f /grant=system=f
    subinacl /subdirectories %SystemDrive% /grant=administrators=f /grant=system=f
    subinacl /subdirectories %windir%\*.* /grant=administrators=f /grant=system=f
    
    secedit /configure /cfg %windir%\repair\secsetup.inf /db secsetup.sdb /verbose
    exit
    exit
    This will take perhaps 30 mins to an hour depending on Processor, disk speed and size of registry.

    After the above finishes reboot and install iTunes.

    Mike
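
An added example, not part of the original post: a read-only PowerShell audit that lists the registry keys where Administrators or SYSTEM lack an Allow/FullControl entry, which are the keys the `subinacl /grant` lines above would change. It assumes PowerShell is installed and the code is saved as a script; the default scope `HKLM:\SOFTWARE` and the function name `Test-KeyAcl` are choices made for this example.

```powershell
# Added example: read-only audit, nothing is modified.
param([string]$Root = 'HKLM:\SOFTWARE')   # assumed scope; pass another hive path to widen it

# Well-known SIDs, so the check does not depend on the OS display language.
$Required = @{
    'S-1-5-32-544' = 'Administrators'
    'S-1-5-18'     = 'SYSTEM'
}
$Full = [int][System.Security.AccessControl.RegistryRights]::FullControl

function Test-KeyAcl {
    param([string]$KeyPath)
    try {
        $acl = Get-Acl -Path $KeyPath -ErrorAction Stop
    } catch {
        # An ACL that cannot even be read is reported as a finding of its own.
        return New-Object psobject -Property @{ Key = $KeyPath; Missing = 'ACL unreadable' }
    }
    # Resolve identities to SIDs; include explicit and inherited entries.
    $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    $missing = @()
    foreach ($sid in $Required.Keys) {
        $granted = $false
        foreach ($rule in $rules) {
            if ($rule.IdentityReference.Value -eq $sid -and
                $rule.AccessControlType -eq 'Allow' -and
                (([int]$rule.RegistryRights) -band $Full) -eq $Full) {
                $granted = $true
            }
        }
        if (-not $granted) { $missing += $Required[$sid] }
    }
    # Emit a row only for keys that would be changed by a blanket grant.
    if ($missing.Count -gt 0) {
        New-Object psobject -Property @{ Key = $KeyPath; Missing = ($missing -join ', ') }
    }
}

Get-ChildItem -Path $Root -Recurse -ErrorAction SilentlyContinue |
    ForEach-Object { Test-KeyAcl $_.PSPath } |
    Select-Object Key, Missing
```

Saving the output before and after the permission reset gives a record of exactly which keys had their ACLs altered.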
     
  19. Zayan

    Zayan TS Rookie Topic Starter

    I am running Vista Ultimate 32 BIT . Will the Win2003 Resource Kit work for me ?
     
  20. mflynn

    mflynn TS Rookie Posts: 2,655

    Yes!

    Mike
     
  21. Zayan

    Zayan TS Rookie Topic Starter

    mflynn. BRILLIANT MY FRIEND BRILLIANT :D.

    Works perfectly so far ! Will give an update if it syncs with the iPod perfectly. Thanks :D !
     
  22. mflynn

    mflynn TS Rookie Posts: 2,655

    Good!

    Thread Closing-------------------------------------------------------------------

    Some of these tools update so often they require downloading again later if needed. But keep and run MBAM and SAS to maintain.

    Remove ComboFix
    Start-Run
    type
    combofix /u
    Hit enter or click OK.

    Please download OTCleanIt http://download.bleepingcomputer.com/oldtimer/OTCleanIt.exe

    Save to desktop.

    This will remove all the tools we used to clean your computer.


    Double-click OTCleanIt.exe. Click CleanUp. Yes to the "Begin cleanup Process?"

    Approve all if prompted by Firewall. Approve Windows Defender or other guards or security programs while OTCleanIt is attempting access to the Internet to allow all.

    If prompted to Reboot click, Yes.
    OTCleanIt will delete itself when finished. If not, delete it yourself.

    -------------------------------------------------------------------------------------
    Run CCleaner http://www.ccleaner.com/download/builds (get SLIM at bottom no Yahoo toolbar)
    Run twice or more on Cleanup temps, then on left click Registry then Scan for issues also repeat till clean.

    Run ATF-Cleaner http://majorgeeks.com/ATF_Cleaner_d4949.html Temp and Registry, repeatedly until no more found.

    KCleaner ftp://ftp2.kcsoftwares.com/kcsoftwa/files/kcleaner.exe
    Fantastic cleaner.
    -------------------------------------------------------------------------------------
    The issues can be, and likely are, found in System Restore, so do the below

    Start-Programs-Accessories-System Tools-Disk- System Restore and create a new Restore point. Name it "After cleanup at TechSpot".

    Then Start-Programs-Accessories-System Tools-Disk Cleanup
    Click OK to accept C:
    Select all Boxes
    Then click More Options
    Here click System Restore and OK to "Are you sure" and the OK to Run.

    As this runs it clears all but the most recent Restore Point but it does one other thing that can contain infested files and a huge amount of disk space.

    It clears what is known as Shadow copies which are used by specialized back up programs.

    This is if you have the Volume Shadow Copy running which is the default.
    -------------------------------------------------------------------------------------

    Every two weeks or so, run MBAM and SAS until clean.

    They take a while, so leave scanning while you are sleeping working or watching TV. If not done under the gun they can be scheduled not to interfere with computer time.

    If they find something they can not clean, then get back to us.

    Additionally run CCleaner. ATF-Cleaner and KCleaner.
    ----------------------------------------------------------------------------------------
    I have been using ThreatFire for more than a year, it just went from ver 3 to ver 4.

    It was designed to be used with and to co-exist with other Virus scanners.

    Additionally it uses a totally different process to protect. While conventional Virus scanners work from definitions ThreatFire works on recognizing Virus/Malware activity.

    It's like looking at it with 2 sets of eyes and from a different angle.

    It works like some Firewalls do to learn what is good/bad.

    After install it will ask you about everything that could be a security issue. For example the first time you run IE or FireFox it will prompt you. You would answer to approve and remember the setting. From then on no more prompts about IE or FireFox unless the exe changes like in an update.

    As it queries you about the prompt to help you determine to approve or not you can google it with one click.

    http://www.threatfire.com/Download/
    -------------------------------------------------------------------------------------
    Look at http://www.javacoolsoftware.com/spywareblaster.html

    Run SpyBot occasionally and use the Immunize function.
    http://www.safer-networking.org/en/download/

    I highly recommend Hostman: Hostman http://majorgeeks.com/HostsMan_d4592.html

    Download install run and allow it to disable DNS Client and select all Host files and then Update and install all host files.

    A Disk Scan (chkdsk) and Defrag are in order.

    Mike
     
Topic Status:
Not open for further replies.
