Me and |ttrib.exe have made a mess.. can someone help me?

Status
Not open for further replies.
L

Leela

Hello all.. I just joined this forum today because I am having some problems with my computer and I was hoping that someone here would be willing and able to help me out.

Last night Norman detected a virus - |ttrib.exe - in the Win32 directory, and I tried to start in safe mode and do another virus scan there, but when I rebooted the virusprogram stopped running.
(It won't launch the scanning box, I getthis error: Missing disk - Exeption Processing Message c0000013 Parameters 75b4bf9c 75b4bf9c - and get to choose between cancelling, trying again and continuing)

I have to admit that I have been sinning though, because I have more than one virus program.. :blush:
I have AVG (which I like very much, I only installed norman because I thought AVG was going to stop being free) and some Trojan Guarder Golden version (possibly from last century).

The computer haven't been reformatted since I got it. (possibly once, I can't quite remember) I've been planning to do that for about a year, but I am a coward and a procrastinator, I have noone to help me and I'm not sure how to do it. (Plus I don't have the windows discs, they didn't come with the computer when I bought it?)

If I were to reformat would this remove all viruses and all the other crap that is slowing the computer down? Or is it enough to just remove the viruses detected by the virusprograms? Would someone be kind enough to walk me through one of the two options (or a third if there is one =P) I would greatly appreciate any help, and I am sorry in advance for my total lack of computerskills.

-L

PS. I've been told that computers usually only "last" for three years before they are outdated, so I wondered if someone could tell me if they think that it is ready to be traded for a new one or if I can still use it for a few years?
The computer is a HP pavilion t455.no.
(specifications on thefront: 3000+ (2.17GHz), AMD Athlon XP, 512 MB DDR, 160GB Harddrive, HP DVD burner and DVD reader and ATI Radeon 9200SE)
 
Hello and welcome to TechSpot.

You should uninstall one of your AV programs. As far as I know Grisoft is still planning to offer AVG Free in the future.

Now, go into Add/Remove Programs in your control panel and uninstall anything relating to TrojanGuarder. This is a rogue program, according to Symantec.

Now go and read the Viruses/spyware/malware, preliminary removal instructions. Follow all the instructions exactly, then post fresh HJT, ComboFix, and AVG Antispyware logs as attachments into this thread. Also post here the results of the AVG Antirootkit scan.

Regards :)

This thread is for the use of Leela only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our Security and the Web forum.
 
Hi, and thank you for wanting to help me. I've been doing the steps since yesterday, some of them more sucessfully than others.. I wrote down how it went, so that you could maybe figure something out from that.

Step 1:
- The add/remove programs feature doesn't work anymore (I don't know for how long it has been like that). No programs show up in the window.
- Unable to open install.log file for adware SE Plus when I tried to uninstall it. It's turned off, it has never been used.
- I turned off TrojanGuarder (since I couldn't uninstall it).
- In the Norman configuration box I unchecked everything (it said: to uninstall feature uncheck boxes or something to that effect)
afterward I got a continuous warning message that said something about zanda.exe not running, so I stopped that process in task manager.
I did this to disable Norman... Probably not the best way to do so, but it seemed like a good idea at the time...:|

Step 2: I already have AVG, the free version. When I tried to install the firewalls they wouldn't install (command line error...)

Step 3: Trend Micro scanned the computer and did find some malware, but when I tried to click things in the browser it moved away from the page
where they were displayed.

Step 4, 5, 6, 7, 8 & 9: Done.

Step 10:
Tool1 (SmitFraudFix): I feel a bit dumb, I'm probably doing something wrong, but it just closes when I press enter, I can't find the rapport file either..
The other tools worked fine.

Step 11:
Installer initialization failed due to the following error:
Undefined error: Invalid command line argument "AND".

Step 12: ok

Step 13: All ok, exept I'm not sure if the AVG Antispyware scan quarantined my results, even though I chose that option before I did the scanning.

Question: What do you mean by "rehide your protected OS files"?

I hope you can figure something out from this..

-L:)

View attachment 16355

View attachment 16356

View attachment 16357
 
I'd give instructions, but I have to leave in about 3 minutes. Go ahead, Howard or momok, if you want to ;)

Regards :)
 
Hi,

You may try downloading CCleaner from HERE. It provides options for uninstalling/removing programs.

I notice your AVG log shows No action taken for all items. Please follow the pictorial instructions HERE.

'Rehide your OS protected files' refers to going back to the step where you selected 'show all hidden files and folders', and re-hiding them by changing your selection back.

You may wish to copy and paste the following instructions for easier reference.

Download the Pocket Killbox from HERE. Extract it but don`t run it yet.

Boot into safe mode under your normal user name. See how HERE

Next turn on "Show all files and folders, including hidden and system". See how HERE

Go to start > run and type services.msc. Press the enter key.
Search for the following services(if there) double click to select stop if they are running. Set the startup type to disabled. Click apply/ok for each service you disable.

wind32.exe
svhost.exe
ieupdate.exe
aoel.exe
Trojan Guarder.exe
ViewpointService.exe

Open your task manager by pressing holding ctrl, alt and pressing del. Alternatively, use ctrl + shift + esc. Go to the processes tab, and end the following processes, if found:

ViewpointService.exe
suntgtyv.dll
wind32.exe
svhost.exe
ieupdate.exe
aoel.exe
Trojan Guarder.exe

After that, run HijackThis and fix the following entries, if found (do this by placing a tick in the check boxes beside these entries and clicking "Fix checked"):
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {F1A18D56-399F-1768-E2DC-156471D71AC7} - C:\WINDOWS\system32\suntgtyv.dll (file missing)
O4 - HKLM\..\Run: [Microsoft Update 3.2.1] wind32.exe
O4 - HKLM\..\Run: [HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run] svhost.exe
O4 - HKLM\..\Run: [window2] ieupdate.exe
O4 - HKLM\..\RunServices: [Microsoft Update 3.2.1] wind32.exe
O4 - HKLM\..\RunServices: [HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run] svhost.exe
O4 - HKLM\..\RunServices: [window2] ieupdate.exe
O4 - HKCU\..\Run: [Microsoft Update 3.2.1] wind32.exe
O4 - HKCU\..\Run: [HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run] svhost.exe
O4 - HKCU\..\Run: [window2] ieupdate.exe
O4 - HKCU\..\Run: [Tsun] C:\Documents and Settings\Eier.MIEMIO\Programdata\aoel.exe
O4 - HKUS\S-1-5-18\..\Run: [Microsoft Update 3.2.1] wind32.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Microsoft Update 3.2.1] wind32.exe (User 'Default user')
O4 - Global Startup: Trojan Guarder Gold Version.lnk = C:\Programfiler\Trojan Guarder Gold Version\Trojan Guarder.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Programfiler\Viewpoint\Common\ViewpointService.exe

Also remove the following entries if you do not recognise the domains:
O15 - Trusted Zone: *.searchmeup.cc
O15 - Trusted Zone: *.searchmeup.cc (HKLM)
O15 - Trusted IP range: 69.31.87.223
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = M
O17 - HKLM\Software\..\Telephony: DomainName = M
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = M
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = M
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = M

Close HJT.

Navigate in Windows Explorer and delete the following files and folders in bold.

C:\WINDOWS\system32\suntgtyv.dll
C:\Documents and Settings\Eier.MIEMIO\Programdata\aoel.exe
C:\Programfiler\Trojan Guarder Gold Version\
C:\Programfiler\Viewpoint\Common\ViewpointService.exe

Run the killbox program which you downloaded. When it loads type the full path to the file you would like to delete in the field and check the delete file on reboot button. press the Delete File button (looks like a red circle with a white X). It will prompt you to reboot, select no until you have finished inputting the files you want to delete, only then allow it to reboot and hopefully your files will now be deleted. (You can copy and paste the filepaths)

wind32.exe
svhost.exe
ieupdate.exe

Reboot into normal mode and rehide your protected OS files.

Thereafter, please post a fresh HJT and AVG Antispyware log from normal mode as an attachment into this thread.


Regards,
Your friendly Momok =)
 
Are you sure it wouldn't be better to just delete everything and install windows over again? Or is that even more complicated?

Just asking, while I work my way through the list of tasks..:)
 
Hi

Please read this thread HERE to decide whether to clean or reformat your system.

Hope its useful to help you with the decision.

Regards,
Your friendly Momok =)
 
I do use my computer for bank purposes, but I can't imagine my economy would be of any interest to any thiefs.. But to be on the safe side, it might be a good idea to just reformat and start from a clean slate.
Where can I get ahold of a legal version of the windows cds I need for it? (I have the verificationcode, thats the one written on my pc, right?)

I'm sorry if I have wasted your time with my ignorance :eek:

-L
 
Hi,

You may wish to copy and paste these instructions on notepad for easier reference later.

Boot into safe mode under your normal user name. See how HERE

Next turn on "Show all files and folders, including hidden and system". See how HERE

Go to start > run and type services.msc. Press the enter key.
Search for the following services(if there) double click to select stop if they are running. Set the startup type to disabled. Click apply/ok for each service you disable.

svhost.exe

Open your task manager by pressing holding ctrl, alt and pressing del. Alternatively, use ctrl + shift + esc. Go to the processes tab, and end the following processes, if found:

svhost.exe

After that, run HijackThis and fix the following entries, if found (do this by placing a tick in the check boxes beside these entries and clicking "Fix checked"):
O4 - HKUS\S-1-5-18\..\Run: [HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run] svhost.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run] svhost.exe (User 'Default user')
O15 - Trusted IP range: 69.31.87.223

Close HJT.

(Please back up your registry before you do the next step)
Go to Start > Run and type regedit. Press Enter.
Press ctrl + F and search for all instances of the following files and delete them (if found):
svhost.exe
wind32.exe
ieupdate.exe
Close the program.

Reboot into normal mode and rehide your protected OS files.

Thereafter, please post a fresh HJT and ComboFix log from normal mode as an attachment into this thread.


Regards,
Your friendly Momok =)
 
Status
Not open for further replies.

Similar threads

E
I have been taken over by a software called Astanda using XML to Log everything and roaming to an SQL server.
Replies
0
Views
504
eriksnyman1
E
M
Virus warning popup
Replies
1
Views
569
Mark Fuller
M
N
HP Elite Prodesk 600 G5 PSU upgrade
Replies
0
Views
80
nic25276
N

Latest posts

Back