TechSpot

Me and |ttrib.exe have made a mess.. can someone help me?

By Leela
Apr 18, 2007
  1. Hello all.. I just joined this forum today because I am having some problems with my computer and I was hoping that someone here would be willing and able to help me out.

    Last night Norman detected a virus - |ttrib.exe - in the Win32 directory, and I tried to start in safe mode and do another virus scan there, but when I rebooted the virus program stopped running.
    (It won't launch the scanning box, I get this error: Missing disk - Exception Processing Message c0000013 Parameters 75b4bf9c 75b4bf9c - and get to choose between cancelling, trying again and continuing)

    I have to admit that I have been sinning though, because I have more than one virus program.. :blush:
    I have AVG (which I like very much, I only installed Norman because I thought AVG was going to stop being free) and some Trojan Guarder Golden version (possibly from last century).

    The computer hasn't been reformatted since I got it (possibly once, I can't quite remember). I've been planning to do that for about a year, but I am a coward and a procrastinator, I have no one to help me and I'm not sure how to do it. (Plus I don't have the Windows discs, they didn't come with the computer when I bought it?)

    If I were to reformat, would this remove all viruses and all the other crap that is slowing the computer down? Or is it enough to just remove the viruses detected by the virus programs? Would someone be kind enough to walk me through one of the two options (or a third if there is one =P)? I would greatly appreciate any help, and I am sorry in advance for my total lack of computer skills.

    -L

    PS. I've been told that computers usually only "last" for three years before they are outdated, so I wondered if someone could tell me if they think that it is ready to be traded for a new one or if I can still use it for a few years?
    The computer is an HP Pavilion t455.no.
    (specifications on the front: 3000+ (2.17GHz), AMD Athlon XP, 512 MB DDR, 160GB hard drive, HP DVD burner and DVD reader and ATI Radeon 9200SE)
     
  2. kitty500cat

    kitty500cat TS Evangelist Posts: 2,154   +6

    Hello and welcome to TechSpot.

    You should uninstall one of your AV programs. As far as I know Grisoft is still planning to offer AVG Free in the future.

    Now, go into Add/Remove Programs in your control panel and uninstall anything relating to TrojanGuarder. This is a rogue program, according to Symantec.

    Now go and read the Viruses/spyware/malware, preliminary removal instructions. Follow all the instructions exactly, then post fresh HJT, ComboFix, and AVG Antispyware logs as attachments into this thread. Also post here the results of the AVG Antirootkit scan.

    Regards :)

    This thread is for the use of Leela only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our Security and the Web forum.
     
  3. Leela

    Leela TS Rookie Topic Starter

    Hi, and thank you for wanting to help me. I've been doing the steps since yesterday, some of them more successfully than others.. I wrote down how it went, so that you could maybe figure something out from that.

    Step 1:
    - The add/remove programs feature doesn't work anymore (I don't know for how long it has been like that). No programs show up in the window.
    - Unable to open install.log file for adware SE Plus when I tried to uninstall it. It's turned off, it has never been used.
    - I turned off TrojanGuarder (since I couldn't uninstall it).
    - In the Norman configuration box I unchecked everything (it said: to uninstall feature uncheck boxes or something to that effect)
    afterward I got a continuous warning message that said something about zanda.exe not running, so I stopped that process in task manager.
    I did this to disable Norman... Probably not the best way to do so, but it seemed like a good idea at the time...:|

    Step 2: I already have AVG, the free version. When I tried to install the firewalls they wouldn't install (command line error...)

    Step 3: Trend Micro scanned the computer and did find some malware, but when I tried to click things in the browser it moved away from the page where they were displayed.

    Step 4, 5, 6, 7, 8 & 9: Done.

    Step 10:
    Tool1 (SmitFraudFix): I feel a bit dumb, I'm probably doing something wrong, but it just closes when I press enter, and I can't find the report file either..
    The other tools worked fine.

    Step 11:
    Installer initialization failed due to the following error:
    Undefined error: Invalid command line argument "AND".

    Step 12: ok

    Step 13: All ok, except I'm not sure if the AVG Antispyware scan quarantined my results, even though I chose that option before I did the scanning.

    Question: What do you mean by "rehide your protected OS files"?

    I hope you can figure something out from this..

    -L:)

    View attachment 16355

    View attachment 16356

    View attachment 16357
     
  4. kitty500cat

    kitty500cat TS Evangelist Posts: 2,154   +6

    I'd give instructions, but I have to leave in about 3 minutes. Go ahead, Howard or momok, if you want to ;)

    Regards :)
     
  5. momok

    momok TS Rookie Posts: 2,265

    Hi,

    You may try downloading CCleaner from HERE. It provides options for uninstalling/removing programs.

    I notice your AVG log shows No action taken for all items. Please follow the pictorial instructions HERE.

    'Rehide your OS protected files' refers to going back to the step where you selected 'show all hidden files and folders', and re-hiding them by changing your selection back.

    You may wish to copy and paste the following instructions for easier reference.

    Download the Pocket Killbox from HERE. Extract it but don't run it yet.

    Boot into safe mode under your normal user name. See how HERE

    Next turn on "Show all files and folders, including hidden and system". See how HERE

    Go to start > run and type services.msc. Press the enter key.
    Search for the following services (if there); double click to select stop if they are running. Set the startup type to disabled. Click apply/ok for each service you disable.

    wind32.exe
    svhost.exe
    ieupdate.exe
    aoel.exe
    Trojan Guarder.exe
    ViewpointService.exe


    Open your task manager by holding ctrl and alt and pressing del. Alternatively, use ctrl + shift + esc. Go to the processes tab, and end the following processes, if found:

    ViewpointService.exe
    suntgtyv.dll
    wind32.exe
    svhost.exe
    ieupdate.exe
    aoel.exe
    Trojan Guarder.exe


    After that, run HijackThis and fix the following entries, if found (do this by placing a tick in the check boxes beside these entries and clicking "Fix checked"):
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O2 - BHO: (no name) - {F1A18D56-399F-1768-E2DC-156471D71AC7} - C:\WINDOWS\system32\suntgtyv.dll (file missing)
    O4 - HKLM\..\Run: [Microsoft Update 3.2.1] wind32.exe
    O4 - HKLM\..\Run: [HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run] svhost.exe
    O4 - HKLM\..\Run: [window2] ieupdate.exe
    O4 - HKLM\..\RunServices: [Microsoft Update 3.2.1] wind32.exe
    O4 - HKLM\..\RunServices: [HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run] svhost.exe
    O4 - HKLM\..\RunServices: [window2] ieupdate.exe
    O4 - HKCU\..\Run: [Microsoft Update 3.2.1] wind32.exe
    O4 - HKCU\..\Run: [HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run] svhost.exe
    O4 - HKCU\..\Run: [window2] ieupdate.exe
    O4 - HKCU\..\Run: [Tsun] C:\Documents and Settings\Eier.MIEMIO\Programdata\aoel.exe
    O4 - HKUS\S-1-5-18\..\Run: [Microsoft Update 3.2.1] wind32.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [Microsoft Update 3.2.1] wind32.exe (User 'Default user')
    O4 - Global Startup: Trojan Guarder Gold Version.lnk = C:\Programfiler\Trojan Guarder Gold Version\Trojan Guarder.exe
    O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Programfiler\Viewpoint\Common\ViewpointService.exe

    Also remove the following entries if you do not recognise the domains:
    O15 - Trusted Zone: *.searchmeup.cc
    O15 - Trusted Zone: *.searchmeup.cc (HKLM)
    O15 - Trusted IP range: 69.31.87.223
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = M
    O17 - HKLM\Software\..\Telephony: DomainName = M
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = M
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = M
    O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = M

    Close HJT.

    Navigate in Windows Explorer and delete the following files and folders in bold.

    C:\WINDOWS\system32\suntgtyv.dll
    C:\Documents and Settings\Eier.MIEMIO\Programdata\aoel.exe
    C:\Programfiler\Trojan Guarder Gold Version\
    C:\Programfiler\Viewpoint\Common\ViewpointService.exe

    Run the killbox program which you downloaded. When it loads, type the full path to the file you would like to delete in the field and check the delete file on reboot button. Press the Delete File button (looks like a red circle with a white X). It will prompt you to reboot, select no until you have finished inputting the files you want to delete, only then allow it to reboot and hopefully your files will now be deleted. (You can copy and paste the filepaths)

    wind32.exe
    svhost.exe
    ieupdate.exe


    Reboot into normal mode and rehide your protected OS files.

    Thereafter, please post a fresh HJT and AVG Antispyware log from normal mode as an attachment into this thread.


    Regards,
    Your friendly Momok =)
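As an added defender's example (not code from this thread, from HijackThis, or from any of the posters), here is a small Python script that parses the O4 autostart lines quoted in the post above and flags the traits those entries share: a file name one character off a core Windows binary (svhost.exe vs svchost.exe), a bare file name with no directory, a value name posing as a registry path or a Windows component, and an executable launched from a user profile folder. The sample log lines are copied from the post; the rules and the list of system binaries are my own assumptions.

```python
import re

# Constructed sample: the O4 (autostart) lines quoted from the HijackThis log in this thread.
SAMPLE_HJT = r"""
O4 - HKLM\..\Run: [Microsoft Update 3.2.1] wind32.exe
O4 - HKLM\..\Run: [HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run] svhost.exe
O4 - HKLM\..\Run: [window2] ieupdate.exe
O4 - HKCU\..\Run: [Tsun] C:\Documents and Settings\Eier.MIEMIO\Programdata\aoel.exe
O4 - Global Startup: Trojan Guarder Gold Version.lnk = C:\Programfiler\Trojan Guarder Gold Version\Trojan Guarder.exe
"""

# Assumed list of core Windows binaries whose names malware commonly imitates.
SYSTEM_BINARIES = ("svchost.exe", "winlogon.exe", "lsass.exe", "csrss.exe", "explorer.exe")
O4_RE = re.compile(r"^O4 - (?P<key>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
LNK_RE = re.compile(r"^O4 - (?P<key>[^:]+): (?P<name>.+?) = (?P<cmd>.+)$")

def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch one-character lookalikes such as svhost vs svchost."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def analyze_o4(log_text: str) -> list:
    """Return (value name, command, reasons) for each O4 autostart entry that looks suspicious."""
    findings = []
    for line in log_text.splitlines():
        m = O4_RE.match(line) or LNK_RE.match(line)
        if not m:
            continue
        name, cmd = m.group("name"), m.group("cmd").strip()
        exe = cmd.rsplit("\\", 1)[-1].strip('"').lower()  # file name part of the command
        reasons = []
        # Rule A: file name one edit away from a core system binary, but not identical to it
        for legit in SYSTEM_BINARIES:
            if exe != legit and levenshtein(exe, legit) == 1:
                reasons.append(f"lookalike of {legit}")
        # Rule B: bare file name, so Windows resolves it through the PATH search order
        if "\\" not in cmd:
            reasons.append("bare file name, no directory")
        if "HKEY_" in name or name.lower().startswith("microsoft update"):  # Rule C
            reasons.append("value name mimics a registry path or Windows component")
        if "\\documents and settings\\" in cmd.lower():  # Rule D: runs from a user profile
            reasons.append("runs from a user profile folder")
        if reasons:
            findings.append((name, cmd, reasons))
    return findings
```

Running `analyze_o4(SAMPLE_HJT)` flags four of the five entries; the Trojan Guarder shortcut in Global Startup matches none of the rules, which is why a log review still needs a human (or a vendor's rogue-software list, as kitty500cat used) alongside heuristics like these.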
     
  6. Leela

    Leela TS Rookie Topic Starter

    Are you sure it wouldn't be better to just delete everything and install windows over again? Or is that even more complicated?

    Just asking, while I work my way through the list of tasks..:)
     
  7. momok

    momok TS Rookie Posts: 2,265

    Hi

    Please read this thread HERE to decide whether to clean or reformat your system.

    Hope it's useful to help you with the decision.

    Regards,
    Your friendly Momok =)
     
  8. Leela

    Leela TS Rookie Topic Starter

    I do use my computer for bank purposes, but I can't imagine my economy would be of any interest to any thieves.. But to be on the safe side, it might be a good idea to just reformat and start from a clean slate.
    Where can I get hold of a legal version of the Windows CDs I need for it? (I have the verification code, that's the one written on my PC, right?)

    I'm sorry if I have wasted your time with my ignorance :eek:

    -L
     
  9. momok

    momok TS Rookie Posts: 2,265

  10. Leela

    Leela TS Rookie Topic Starter

  11. momok

    momok TS Rookie Posts: 2,265

    Hi,

    You may wish to copy and paste these instructions on notepad for easier reference later.

    Boot into safe mode under your normal user name. See how HERE

    Next turn on "Show all files and folders, including hidden and system". See how HERE

    Go to start > run and type services.msc. Press the enter key.
    Search for the following services (if there); double click to select stop if they are running. Set the startup type to disabled. Click apply/ok for each service you disable.

    svhost.exe

    Open your task manager by holding ctrl and alt and pressing del. Alternatively, use ctrl + shift + esc. Go to the processes tab, and end the following processes, if found:

    svhost.exe

    After that, run HijackThis and fix the following entries, if found (do this by placing a tick in the check boxes beside these entries and clicking "Fix checked"):
    O4 - HKUS\S-1-5-18\..\Run: [HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run] svhost.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run] svhost.exe (User 'Default user')
    O15 - Trusted IP range: 69.31.87.223

    Close HJT.

    (Please back up your registry before you do the next step)
    Go to Start > Run and type regedit. Press Enter.
    Press ctrl + F and search for all instances of the following files and delete them (if found):
    svhost.exe
    wind32.exe
    ieupdate.exe

    Close the program.

    Reboot into normal mode and rehide your protected OS files.

    Thereafter, please post a fresh HJT and ComboFix log from normal mode as an attachment into this thread.


    Regards,
    Your friendly Momok =)
     