Virus infection

The good news is the nasty entry has now gone.

The bad news is you still haven't renamed HJT as per the instructions.

Here are step by step instructions.

1: Go to the following directory. C:\Program Files\Analyze.exe\HijackThis.exe

2: Right click on the HijackThis.exe file and choose rename.

3: Click in the title box and clear whatever is there by pressing the delete key.

4: Type Analyze.exe into the title box and press the enter key.

5: Right click on the Analyze.exe file and choose send to desktop.

6: Close all windows that are open.

7: Double click on the Analyze.exe desktop icon and run a HJT scan.

8: Click the save log button and save the file to your desktop.

9: Close all open windows.

10: Attach the HJT log file on your desktop to your next reply.

Regards Howard :)

This thread is for the use of lanimal only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
 
hi lanimal.
To change the name of HJT: go to the HJT location and change its name. You have HJT in a folder called Analyse.exe. You need to change the actual name of HijackThis.exe, which is the dynamite plunger.
 
I'm seriously having problems now, my computer's been acting up, it's now telling me my virtual memory is low, shutting down applications.
Here's the new log

It's totally weird now, my computer's been acting up, it's with a lot of luck that i'm able to send this
 
Your HJT log is clean.

I suspect the reason your computer is acting up is due to you running too many antivirus programmes. This is not recommended and can cause serious conflicts.

These are the antivirus programmes you're running.

McAfee
Symantec/Norton
AVG free

Uninstall all antivirus programmes except for one. Personally, I recommend you keep AVG free and get rid of the rest.

Post a fresh HJT log when done.

Regards Howard :)

 
Have you managed to uninstall all but one of the antivirus programmes? If so, post a fresh HJT log and tell me which antivirus programme you decided to keep.

Regards Howard :)

 
There's still lots of McAfee entries showing up in your HJT log.

Go to add remove programmes in your control panel and uninstall anything to do with the following (if there).

McAfee
MSC
Network Associates
VirusScan
mshr

Post a fresh HJT log after doing the above.

Regards Howard :)

 
Log

Here's my last log. If you know anything about fixing the right-click issue and the Search one I'm having, please help me with it.
Regards
 
You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.

Boot into safe mode, under your normal user name (NOT THE ADMINISTRATOR ACCOUNT). See how HERE.

In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE.

Go to add remove programmes in your control panel and uninstall anything to do with the following (if there).

McAfee
MSC
Network Associates
VirusScan
mna
Symantec
LiveUpdate
mshr

Close control panel.

Click start/run and type services.msc into the run box and press the enter key.

When the window appears, maximise it. Double click on the following services (if there) and select stop if they are running. Set the startup type to disabled. Click apply/ok for each service you disable.

Automatic LiveUpdate Scheduler
McAfee Log Manager (McLogManagerService)
McAfee Update Manager (mcmispupdmgr)

McAfee Network Agent (McNASvc)
McAfee Protection Manager (mcpromgr)
Network Associates McShield (McShield)

Network Associates Task Manager (McTaskManager)
McAfee Task Scheduler (mctskshd.exe)
McAfee User Manager (mcusrmgr)

Close the services window.

Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

Click on the processes tab and end process for (if there).

ShrCL.EXE
ALUSchedulerSvc.exe
mclogsrv.exe

mcupdmgr.exe
mcnasvc.exe
mcpromgr.exe

Mcshield.exe
VsTskMgr.exe
mctskshd.exe

mcusrmgr.exe

Close task manager.

Run HJT with no other programmes open (except Notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to (if there).

O4 - HKLM\..\Run: [McENUI] C:\PROGRA~1\McAfee\MHN\McENUI.exe /hide

O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

O4 - HKCU\..\RunOnce: [DelayShred] "c:\program files\mcafee\mshr\ShrCL.EXE" /P7 /q C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\HSPERF~1.SH! C:\DOCUME~1\ADMINI~1\LOCALS~1\TEMPOR~1\Content.IE5\5F22BQ8M\MAKING~1.SH! C:\DOCUME~1\ADMINI~1\LOCALS~1\TEMPOR~1\Content.IE5\BBQTMUL9\PBRX_1~1.SH! C:\DOCUME~1\ADMINI~1\LOCALS~1\TEMPOR~1\Content.IE5\VX6JKW89\TOPCAP~1.SH! C:\DOCUME~1\ADMINI~1\LOCALS~1\TEMPOR~1\Content.IE5\5F22BQ8M\OFFSIT~1.SH! C:\DOCUME~1\ADMINI~1\LOCALS~1\TEMPOR~1\Content.IE5\XPRAZ9ZZ\SANTAB~1.SH!

O23 - Service: Automatic LiveUpdate Scheduler - Unknown owner - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe (file missing)

O23 - Service: McAfee Log Manager (McLogManagerService) - Unknown owner - C:\PROGRA~1\McAfee\MSC\mclogsrv.exe (file missing)

O23 - Service: McAfee Update Manager (mcmispupdmgr) - Unknown owner - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe (file missing)

O23 - Service: McAfee Network Agent (McNASvc) - Unknown owner - c:\program files\common files\mcafee\mna\mcnasvc.exe (file missing)

O23 - Service: McAfee Protection Manager (mcpromgr) - Unknown owner - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe (file missing)

O23 - Service: Network Associates McShield (McShield) - Unknown owner - C:\Program Files\Network Associates\VirusScan\Mcshield.exe (file missing)

O23 - Service: Network Associates Task Manager (McTaskManager) - Unknown owner - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe (file missing)

O23 - Service: McAfee Task Scheduler (mctskshd.exe) - Unknown owner - C:\PROGRA~1\McAfee\MSC\mctskshd.exe (file missing)

O23 - Service: McAfee User Manager (mcusrmgr) - Unknown owner - C:\PROGRA~1\McAfee\MSC\mcusrmgr.exe (file missing)

Click on the fix checked button.

Close HJT.

Locate and delete the following bold files and/or directories (if there).

C:\PROGRA~1\McAfee (delete the entire folder)
C:\Program Files\Network Associates (delete the entire folder)
C:\Program Files\Symantec (delete the entire folder)

Reboot into normal mode and rehide your protected OS files.

Post a fresh HJT log.

Regards Howard :)

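The cleanup Howard walks through above (stop and disable the services, end the processes, remove the O4 Run/RunOnce values and the orphaned O23 service registrations, then delete the leftover folders) can be scripted, which also makes the later follow-up posts that repeat a subset of it redundant. The script below is an added example written for this page, not code from the thread or from HijackThis. It assumes an elevated PowerShell prompt on the affected machine, takes its service, process, registry and folder names from the HJT entries quoted in the post, and adds a `-DryRun` switch of my own so you can see what would be touched before anything is changed. The "(file missing)" check mirrors the annotation HJT puts on O23 lines: a service whose binary is gone is an orphaned registration and is safe to delete, while a service whose binary is still present belongs to an installed product and should go through its uninstaller instead.

```powershell
# Added example for this thread; not part of the original posts.
# Run from an elevated PowerShell prompt. Use -DryRun first to preview.
param([switch]$DryRun)

# Names taken from the O23 / O4 / process lists in the post above.
$ServiceNames = @('Automatic LiveUpdate Scheduler', 'McLogManagerService', 'mcmispupdmgr',
                  'McNASvc', 'mcpromgr', 'McShield', 'McTaskManager', 'mctskshd.exe', 'mcusrmgr')
$ProcessNames = @('ShrCL', 'ALUSchedulerSvc', 'mclogsrv', 'mcupdmgr', 'mcnasvc',
                  'mcpromgr', 'Mcshield', 'VsTskMgr', 'mctskshd', 'mcusrmgr', 'McENUI')
$RunValues = @(
    @{ Key = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run';     Name = 'McENUI' },
    @{ Key = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run';     Name = 'KernelFaultCheck' },
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'; Name = 'DelayShred' }
)
$Folders = @("$env:ProgramFiles\McAfee", "$env:ProgramFiles\Network Associates",
             "$env:ProgramFiles\Symantec")

# Win32_Service.PathName may be quoted and may carry arguments; pull out just the binary.
function Get-ServiceBinaryPath([string]$PathName) {
    if ($PathName -match '^"([^"]+)"')     { return $Matches[1] }   # "C:\x\y.exe" /arg
    if ($PathName -match '^(\S+?\.exe)')   { return $Matches[1] }   # C:\x\y.exe -k
    return $PathName.Trim()
}

# 1. Services: stop, disable, and delete the registration only if the binary is missing
#    (the same condition HJT reports as "(file missing)" on an O23 line).
foreach ($name in $ServiceNames) {
    $svc = Get-WmiObject Win32_Service -Filter "Name='$name' OR DisplayName='$name'"
    if (-not $svc) { continue }
    $bin     = Get-ServiceBinaryPath $svc.PathName
    $missing = -not (Test-Path -LiteralPath $bin)
    Write-Host ("service {0}: {1} {2}" -f $svc.Name, $bin,
                $(if ($missing) { '(file missing)' } else { 'present' }))
    if ($DryRun) { continue }
    if ($svc.State -eq 'Running') { Stop-Service -Name $svc.Name -Force -ErrorAction SilentlyContinue }
    Set-Service -Name $svc.Name -StartupType Disabled
    if ($missing) { & sc.exe delete $svc.Name | Out-Null }
}

# 2. Processes: end any that are still running.
foreach ($p in $ProcessNames) {
    Get-Process -Name $p -ErrorAction SilentlyContinue | ForEach-Object {
        Write-Host ("process {0} (PID {1}) {2}" -f $_.Name, $_.Id, $_.Path)
        if (-not $DryRun) { Stop-Process -Id $_.Id -Force }
    }
}

# 3. Autorun values (the O4 entries): remove the named value, leave the key.
foreach ($rv in $RunValues) {
    $item = Get-ItemProperty -Path $rv.Key -Name $rv.Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { continue }
    Write-Host ("autorun {0}\{1} = {2}" -f $rv.Key, $rv.Name, $item.($rv.Name))
    if (-not $DryRun) { Remove-ItemProperty -Path $rv.Key -Name $rv.Name }
}

# 4. Leftover product folders.
foreach ($dir in $Folders) {
    if (-not (Test-Path -LiteralPath $dir)) { continue }
    Write-Host "folder $dir"
    if (-not $DryRun) { Remove-Item -LiteralPath $dir -Recurse -Force }
}
```

Run it once with `-DryRun` and compare the printed list against the HJT log before running it for real; anything reported as `present` rather than `(file missing)` is still an installed product, and the thread's advice to remove it through Add/Remove Programs applies to it, not this script.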
 
Log

Thanks a great deal, it runs much better than it did a few days ago, but it's still closing several programs when they start such as MSN Messenger, Outlook, Itunes...etc
 
That's looking much better, though there are a couple of McAfee entries still running.

Click start/run and type services.msc into the run box and press the enter key.

When the window appears, maximise it. Double click on the following services (if there) and select stop if they are running. Set the startup type to disabled. Click apply/ok for each service you disable.

McAfee Protection Manager (mcpromgr) (disable the service by its name and/or the name in brackets)

Close the services window.

Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

Click on the processes tab and end process for (if there).

mcpromgr.exe
ShrCL.EXE

Close task manager.

Run HJT with no other programmes open (except Notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to (if there).

O4 - HKCU\..\RunOnce: [DelayShred] "c:\program files\mcafee\mshr\ShrCL.EXE" /P7 /q C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\HSPERF~1.SH! C:\DOCUME~1\ADMINI~1\LOCALS~1\TEMPOR~1\Content.IE5\5F22BQ8M\MAKING~1.SH! C:\DOCUME~1\ADMINI~1\LOCALS~1\TEMPOR~1\Content.IE5\BBQTMUL9\PBRX_1~1.SH! C:\DOCUME~1\ADMINI~1\LOCALS~1\TEMPOR~1\Content.IE5\VX6JKW89\TOPCAP~1.SH! C:\DOCUME~1\ADMINI~1\LOCALS~1\TEMPOR~1\Content.IE5\5F22BQ8M\OFFSIT~1.SH! C:\DOCUME~1\ADMINI~1\LOCALS~1\TEMPOR~1\Content.IE5\XPRAZ9ZZ\SANTAB~1.SH!

O23 - Service: McAfee Protection Manager (mcpromgr) - Unknown owner - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe (file missing)

Click on the fix checked button.

Close HJT.

Locate and delete the following bold files and/or directories (if there).

C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
C:\program files\mcafee\mshr\ShrCL.EXE

Reboot your computer and post a fresh HJT log.

Regards Howard :)

 
New log

It's weird because I cannot find the O23 McAfee entries, I erased all of those files already, and the files you suggest to end the process for are never in the Task Manager.
 
Just one McAfee entry to get rid of now.

Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

Click on the processes tab and end process for (if there).

McENUI.exe

Close task manager.

Run HJT with no other programmes open (except Notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to (if there).

O4 - HKLM\..\Run: [McENUI] C:\PROGRA~1\McAfee\MHN\McENUI.exe /hide

Click on the fix checked button.

Close HJT.

Locate and delete the following bold files and/or directories (if there).

C:\PROGRA~1\McAfee\MHN\McENUI.exe

Reboot your computer and post a fresh HJT log. Let me know how your system is running.

Regards Howard :)

 
I see you have a P2P programme active in your log. May I suggest that you take more care when downloading from such sites, and never download an 'exe' file. If you wish to download software, make sure it is in zipped folders that you are capable of scanning, and use more than one programme to scan them with. In addition to this, make sure that the scanning programme is a good one too, or you will be visiting Professor Howard a lot.
 
Your HJT log is clean as a whistle.

Please let us know if you`re still having problems.

Regards Howard :)

 
I still don't have access to the right-click menu and the search menu as well. The computer is still shutting down some programs; in other words, I'm still not at full capacity.
Needless to say that I would not be where I am now without your help, therefore I'd like to extend my gratitude to all of you who helped.
 
OK, the next thing to try, is a Windows repair as per this thread HERE.

Please let me know the outcome.

Regards Howard :)

 
I just checked the thread and it's requiring XP's CD, which I told you I don't have, so I don't know how I can do that. If you have any advice about bypassing that, please let me know before I get home and start working on it.
 
It's unfortunate that you don't have a Windows disk.

So, let's carry on trying to find out if your system is still infected.

Download and run the Blacklight programme. Follow all the instructions carefully.

Download combofix.exe. Double click combofix.exe & follow the prompts. A window will open with a warning. Type "Y" (and Enter) to start the fix. When the scan completes it will open a text window. Please attach that log back here together with a fresh HJT log. Caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop.

Attach the Combofix log and let me know if the Blacklight programme found anything.

Regards Howard :)

 
for howard:
Ares.exe

Ares.exe is the virus form of the Gaobot.ee worm. Fairly old, it installs itself with the "ARES" P2P file sharing program. Its security level is low, hardly doing any damage to one's computer; it has been reported/attributed to, not proven to, however, download and install spyware, more viruses, trojans, and worms. Also being a P2P virus, it has been reported to have the P2P client-unique downloading and installation of random files (perhaps to create more sharers) from its members, such as music, pornography, and even full games. Gaobot.EE is a worm that sends large numbers of unsolicited e-mails using its own SMTP engine. This worm also opens a backdoor on a random TCP port, notifies attackers through a predetermined IRC channel, and attempts to terminate various security products and system monitoring tools.

This entry is from Wikipedia, the leading user-contributed encyclopedia. It may not have been reviewed by professional editors (see full disclaimer)
 
See these links to Ares.exe. HERE and HERE. I disagree that in this case it's a worm, but do agree that it is undesirable to have on one's system, as is any other P2P programme. However, it's up to lanimal whether or not to keep it or uninstall it.

lanimal:

It seems your system is infected with some kind of rootkit.

Please go HERE and follow the instructions exactly.

Let me know the results.

Regards Howard :)

 