Resolved Malware/virus problem!


Xerxes

Hey,

(note: I'm not English so please don't pay attention to bad grammar, and my pc is dutch, so I will transalate some things and that might look weird.)

I really need help with my computer. Since last week my computer has been doing weird things, but I was really busy with school so I just didn't use it. Now I have time and I'm sure that it's a big virus.

Symptoms:
It made McAfee stop working, I can't click on it or anything.
My skin/theme of windows is back to windows classic (it was XP version before).
I can't copy anything (except from Notepad).
My sounds won't work.
Can't start Internet Explorer.
I downloaded Avast! and it said: Warning, system not secured.
When I start my computer and the Windows XP thing is loaded and I type my pass to log in, I need to wait like 3 minutes before it starts (before it was 10 seconds).
The computer is slower and it gives almost on everything I click an error.
I don't know what this is but I see it a lot: áæéÇê-åøå.
----------------------------------------------------------------------------------------------------------------------------------

I've been trying to find out what is wrong on forums and now I'm very sure it's a virus.
I've tried to start some scanners that would start and the best I found is Emsisoft A-Squared Anti-Malware and Free. I've deleted some infected things, high risk and some low risk. I will attach the logs.

I've had Malware some years ago and I remembered that I deleted that with a program called Malwarebytes', so I downloaded it... But now the problem comes up:
Run-time error '373': Failed to load control 'vbalGrid' from vbalsgrid6.oxc.
Your version of vbalsgrid6.ocx may be outdated. Make sure you are using the version
of the control that was provided with your application.

I've also tried to do the 8-step trick but that didn't go as well as I hoped:
1. I scanned with A-Squared Anti-Malware deep scan and short
2. I used TFC by Oldtimer v3.1.5.0
3. Can't download windows updates: IE won't start, can't go in System or update files.
Java is up to date.
Adobe Reader can't install because it needs Windows Installer and that gives an error too.
4. Run-time error '373': Failed to load control 'vbalGrid' from vbalsgrid6.oxc.
Your version of vbalsgrid6.ocx may be outdated. Make sure you are using the version
of the control that was provided with your application.

Now I'm stuck. Please help! I really don't know what to do.

Thanks!
Xerxes.
 

Attachments:
  • a2scan_100424-134047.txt (2 KB)
  • a2scan_100422-183338.txt (6.9 KB)
Please download OTMoveIt by Old Timer and save to your desktop.
  • Double-click OTMoveIt3.exe to run it. (Vista users, please right click on OTMoveit3.exe and select "Run as an Administrator")
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    Code:
    :Processes	
    
    :Services
    
    :Reg
    
    :Files  
    C:\Documents and Settings\xxx\Mijn documenten\Downloads\rsclient.exe	
    D:\Mijn documenten\Mijn ontvangen bestanden\Enemy Terr n7 n7et 1.6x [81071].rar/n7et16x.exe	
    D:\Mijn documenten\Downloads\Sony Vegas 7.0D KEYGEN\keygen.exe	
    D:\Downloaded Program Files\Keyfinder\Keyfinder.2.0.1\keyfinder.exe	
    C:\Documents and Settings\xxx\Bureaublad\XerXes Sound Base\XerXes Sound Base.rar/áæéÇê-åøå	
    C:\Program Files\WinRAR\Themes\WinRAR_XP_48x48\WinRAR_XP_48x48.theme.rar/áæéÇê-åøå	
    D:\Mijn documenten\H4CkZ\Java Scripts installer.rar/áæéÇê-åøå	
    D:\Mijn documenten\H4CkZ\Snake V8 Beta.rar/áæéÇê-åøå	
    D:\Mijn documenten\Mijn ontvangen bestanden\Enemy Terr n7 n7et 1.6x [81071].rar/áæéÇê-åøå	
    D:\Mijn documenten\ViruskillerWindowsv2.8.rar/áæéÇê-åøå	
    D:\Mijn documenten\Windows Software\wmp11_windowsxp_x86_nl.rar/áæéÇê-åøå	
    D:\Mijn documenten\XerXes Sound Base\XerXes Sound Base.rar/áæéÇê-åøå	
    
    :Commands
    [purity]
    [emptytemp]
    [start explorer]
    [Reboot]
  • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window and choose Paste.
  • Click the red Moveit! button.
  • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt3
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
===========================================
Program logs are worth a thousand words! Scan with Malwarebytes and give us the log. If you can't run Mbam, run this first:

Please download randmbam.exe

It will try to create random names and shortcuts for Malwarebytes Anti Malware(MBAM) if you have it installed already.

Once done, try running a scan again.

Edit: There is an indication that you may have a pirated program and/or are attempting to get 'keys' to pirate programs:
Sony Vegas 7.0D KEYGEN\keygen.exe
 
Done, but I don't think this worked!
Please look at the log and tell me what to do. I haven't tried the Malwarebytes thing yet because I first want to be sure if this was ok.
 

Attachments:
  • 04292010_111154.log (5.9 KB)
Do you have any idea what áæéÇê-åøå means? I tried numerous translations and couldn't find it. It may just be symbols from the files.

Go ahead and run the other programs. It would be easier for me if it could be all English and not part Dutch.
 
I got no idea what it means. I tried to run the program but it didn't change anything. If you want me to translate something, just say it ;). What should I do now? Both didn't work, did they? It was hard to get to copy the stuff because I can't copy, so I had to type it all in Notepad so I could copy it :|

BTW: when I started OTMoveIt it said:
Error:
Invalid time flag! [n7et16x.exe ]
Must be numerical
 
Sir, you may be frustrated, but don't take it out on me. The things you did didn't work because you didn't do them right.

Why can't you copy? It is very important that you copy the script in the Code box. Every space, every dot has a meaning, and trying to type the script in doesn't work. That's why you got the error.

About translating: this is a global board. I see logs with German, Dutch, French and other operating systems. If I can't read an entry, I can't tell whether it is malware or not. It was not very smart to do this: "I got no idea what it means. I tryed to run the program but it didn't change anything,"

I asked you if you knew what the symbols meant because I attempted a translation in 7 different languages and couldn't get anything. They could have been the name of a file in Greek that you gave it-or-they could have been from malware.

You said you were stuck so I tried to remove enough to get you going. Now, here's where I'm at:

Copy and paste the script into OTMoveIt and run it.
When finished, go to the steps we have set up HERE and follow them. They have links to the current versions of the programs you need to run.

Trying to run a program you had "some years ago" and then wondering why you get an error telling you it's outdated sounds about right to me.

Leave the logs in your next reply.

Don't run any other cleaning programs or scans unless I ask you to. So far, you pretty much haven't done anything but complain.
 
Bobbye,

I really appreciate that you help me, and I'm not frustrated at all, I know that computers can be ****'s... But I think you really don't understand what I meant in my previous posts.
Why can't I copy? Because it doesn't work, the malware disabled it, as I posted at symptoms. I can only copy from Notepad. Then I typed the script right without any spelling errors, I looked if I made any wrong things like 5 times and my friend too and we both couldn't find any errors. And I still get the error, not my fault.

About "I got no idea what it means": I don't know what this "áæéÇê-åøå" means, I think it's just a file name, it's not a language. If you search on Google and type that it might be Spanish, but I doubt that, I study languages and this doesn't look like one. And it isn't Greek.

And about "I tryed to run the program but it didn't change anything": The Malwarebyte's name changer, it gave the same error as before.

I have already copied the script, I will try doing the steps for the second time.

About the program I had some years ago, I did already delete that from my computer, I just knew it was Malwarebytes'. I downloaded the current version of it, not the old one. If you look this error up, many people have it. It's just so you can't delete the virus with Malwarebytes', same as it did delete McAfee.

Now, I'm really sorry if you think that I complained, but I didn't try to, I just don't know what to do and I ask for help, and I really appreciate your help.
I will post the logs in my next reply.

Thnx.
 
So I tried the 8 steps and it didn't work out. Same problems come up.
Windows Installer is bugged (infected?) and it gives errors when installing SP3. I can't update Java because it needs Windows Installer, and the same for Adobe Reader.
 
Due to inactivity, this thread is being closed.

If you need it reopened, please send a PM to the helper. This applies only to the member who started the thread.
 
Thread reopened at request of member. And I will try and help you. But I need information first.

The steps in the preliminary virus and malware removal thread HERE are set up to both help find and remove malware and give us additional information to help you. I would like you to try running Malwarebytes, DDS and GMER and attach the logs in your next reply since there is a problem pasting.

Please refer to the following steps HERE:
  • Step 1: Antivirus scanning>> if a-squared is the antivirus program you use and it is currently updating, keep it. You do not need to run another scan. If you do not have an antivirus program on the system, please get one of those recommended.
  • Step 2: Temporary File Cleaner>> you have done this and don't need to repeat it.
  • Step 3: Updates>> omit for now.
  • Step 4: Malwarebytes Anti-Malware>> please remove the older version you have and download this one.
  • Step 5: GMER
  • Step 6: DDS
  • Step 7: Log Handling Instructions>> since you are having a problem with copy and paste, please attach the logs.

I'd like to point something out to you regarding copy and paste vs typing and how easy it is to type a wrong character and not realize it:
4. Run-time error '373': Failed to load control 'vbalGrid' from vbalsgrid6.oxc.
Your version of vbalsgrid6.ocx may be outdated. Make sure you are using the version
of the control that was provided with your application.

The correct name of this file is: vbalsgrid6.ocx. This was what you typed the second time. But the first time you typed: vbalsgrid6.oxc.

Do you see the difference? One letter makes it an invalid file name.

I am uncertain about the copy problem. This is not something that is usually affected by malware. There is a section in one of the logs that may point to a system problem. I will look for it.

When we write a script in the code box for you to copy and paste, it is almost impossible for you to type it in accurately, but we'll see how it goes.
 
Bobbye, I did the gmer scan but it took like 9 hours, and I checked 2 boxes, the C:\ and D:\ drives. I attach the log, but I don't understand why there is only C:\ Files in the log, and no D:\.

I will try the next steps now.
 

Attachments:
  • gmer.log (100.8 KB)
You have a Rootkit infection. And you are running both McAfee and Avast. Multiple antivirus programs can make a system more vulnerable.

Download TDSSKiller. Extract the zipped file to your desktop.

Go to Start ->Run. Type/Copy and Paste the following text into the prompt:
Code:
"%userprofile%\Desktop\TDSSKiller.exe" -l C:\report.txt -v
  • This will have the program write a detailed log
  • The screen will resemble this black screen:
[screenshot: 2663_5.jpg]

  • If malicious services or files have been detected, the utility will prompt to reboot the PC in order to complete the disinfection procedure. Please reboot when prompted.
  • After reboot, the driver will delete malicious registry keys and files as well as remove itself from the services list.
  • You should get a screen like this:
[screenshot: TDSSKillerResults.jpg]

  • A log file named report.txt should have been created and saved to the root directory (usually C:\report.txt).
  • Follow the prompts and attach the report to your next reply.
==============================
Please download ComboFix from Here and save to your Desktop.

  1. Do NOT rename Combofix unless instructed.
  2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  3. Close any open browsers.
  4. Double click combofix.exe & follow the prompts to run.
     NOTE: Combofix will disconnect your machine from the Internet as soon as it starts. The connection is automatically restored before CF completes its run. If it does not, restart your computer to restore your connection.
  5. If Combofix asks you to install Recovery Console, please allow it.
  6. If Combofix asks you to update the program, always allow.
     Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
  7. A report will be generated after the scan. Please post the C:\ComboFix.txt in next reply.
Note: Do not mouseclick combofix's window while it's running. That may cause it to stall.
Note: Make sure you re-enable your security programs when you're done with Combofix.
============================
I will need to write script for some entries in Combofix. Have you worked out how to copy the contents in the code box and paste it into notepad?

Also, please scan with Eset again since time has passed. That will also require the copy and paste.

Include all logs in next reply.
 
Ouch, a rootkit. About the Avast - McAfee, I had McAfee when the rootkit came on my computer, it disabled McAfee and I couldn't do anything with it, not delete, nor disable.
I used TDSSKiller, log attached.
I still can't copy.
I did COMBOFIX, log attached.

About the script for Combofix, if you can put it on notepad and attach it to your reply, I can copy it. Notepad is the only thing where I can copy things from (I don't know why).

About the logs, they might be Dutch, I can't change my PC language (because of the rootkit probably). If you don't understand some of the titles, please tell me, I will translate, or use a translator.

Thank you.
 

Attachments:
  • report.txt (42.7 KB)
  • ComboFix.txt (54.1 KB)
Okay, you need to do some cleaning up:

1. You have processes for 3 antivirus programs loading:
McAfee.
avast5
a-squared

Please uninstall two of them.
I don't need anymore scans from a-squared. I will have you run an online AV scan at the appropriate time.

2. P2P or 'file sharing' Warning:
I notice that you have both BitTorrent and LimeWire
Note: Even if you are using a "safe" P2P program, it is only the program that is safe. I suggest that you uninstall BitTorrent and LimeWire for the following reasons:
  • As long as you are using file sharing networks and programs which are from sources that are not documented, you cannot verify that a download is legitimate.
  • Malware writers use these programs to include malicious content.
  • File sharing is usually unmonitored and there is a danger that your private files might be accessed.
  • The 'sharing' also includes malware that the shared system has on it.
  • Files that are illegal can be spread through file sharing.

Please read the information on P2P Warning to help you better understand these dangers.

If you decide not to uninstall them, do not use them while I am helping clean your system.

3. Can you describe this for me please? The search information didn't make much sense:
Start Page = hxxp://www.google.com/intl/xx-hacker/

4. I note this HomePage in Firefox:
FF - prefs.js: browser.startup.homepage - hxxp://www.blackle.com/
Blackle is a website powered by Google Custom Search, which aims to save energy by displaying a black background and using grayish-white font color for search results.
Is this for real?

5. I recommend that you take all three of these sites out of the Trusted Zone. "Nothing" needs to be in this Zone- it has lower security and allows connections without some of the usual 'internet' safeguards:
Trusted Zone: voorpaginanieuws.be
Trusted Zone: youtube.com
Trusted Zone: youtube.nl


6. Do you have any idea what this represents?
<NO NAME>"="¯Ðr]@OðoI÷¿R^eCr?íxØ"
=======================================
Custom CFScript is attached.
 
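As an added example (not code from this thread or from any of the tools it mentions), the following PowerShell script audits the Internet Explorer security-zone assignments the helper refers to in item 5. It reads the ZoneMap registry keys (Domains and EscDomains under both HKCU and HKLM, which is where the "Trusted Zone:" lines in the ComboFix log come from), lists every site with its zone, and highlights Trusted-zone entries. It only reads; the domain key to delete is shown in a comment.

```powershell
# Added example: list Internet Explorer zone assignments from the registry (read-only).
# Zone numbers: 0 My Computer, 1 Local intranet, 2 Trusted sites, 3 Internet, 4 Restricted sites.
$zoneNames = @{ 0 = 'My Computer'; 1 = 'Local intranet'; 2 = 'Trusted sites'; 3 = 'Internet'; 4 = 'Restricted sites' }

function Get-IEZoneAssignments {
    param([string[]]$Hives = @('HKCU', 'HKLM'))
    foreach ($hive in $Hives) {
        foreach ($sub in 'Domains', 'EscDomains') {
            $base = "$($hive):\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\$sub"
            if (-not (Test-Path $base)) { continue }
            # Every domain is a subkey (Domains\youtube.com); host-specific entries are nested
            # subkeys (Domains\youtube.com\www). Values are named by scheme (http, https, *)
            # and hold the zone number. IP ranges live under ZoneMap\Ranges and are not covered here.
            Get-ChildItem -Path $base -Recurse | ForEach-Object {
                $key = $_
                $rel = $key.Name.Substring($key.Name.IndexOf("$sub\") + $sub.Length + 1)
                $parts = $rel -split '\\'
                [array]::Reverse($parts)          # registry path www under youtube.com -> www.youtube.com
                foreach ($valueName in $key.GetValueNames()) {
                    $zone = [int]$key.GetValue($valueName)
                    [pscustomobject]@{
                        Hive     = $hive
                        Site     = ($parts -join '.')
                        Scheme   = $(if ($valueName) { $valueName } else { '(default)' })
                        Zone     = $zone
                        ZoneName = $zoneNames[$zone]
                    }
                }
            }
        }
    }
}

# If Security_HKLM_only is set, IE ignores the per-user (HKCU) zone map entirely.
$policy = Get-ItemProperty 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Internet Settings' -ErrorAction SilentlyContinue
if ($policy -and $policy.Security_HKLM_only -eq 1) {
    Write-Host 'Security_HKLM_only is set: only the HKLM zone map is in effect.'
}

$assignments = @(Get-IEZoneAssignments)
$assignments | Sort-Object Zone, Site | Format-Table Hive, Site, Scheme, ZoneName -AutoSize

$trusted = @($assignments | Where-Object { $_.Zone -eq 2 })
if ($trusted.Count -gt 0) {
    Write-Host ("{0} Trusted-zone entries found; the Trusted zone lowers security and normally needs no entries:" -f $trusted.Count)
    foreach ($t in $trusted) { Write-Host ("  {0} ({1}, {2})" -f $t.Site, $t.Scheme, $t.Hive) }
    # To remove one, delete its domain key, e.g. (not run here):
    # Remove-Item 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\youtube.com' -Recurse
}
```

The same Control Panel path the helper gives (Internet Options > Security > Trusted sites > Sites) edits exactly these keys, so the script is a way to confirm the list is empty afterwards without opening Internet Explorer.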
I'm at school at the moment and i want to answer questions 2,3 and 4.
I understand about the P2P programs. I will delete them, although I have only used LimeWire, never used BitTorrent.
The google.com/intl/xx-hacker/ is just a mode of Google, it has nothing to do with hacks, it makes the site into l33t-style (which is like game language). It's the same as Google.
Blackle is real too. It's just safe, it's Google custom search.

Oh, and 5.
I can't do that because I can't use IE, only FF.

6. I got no idea.

What do I have to do with the script?

Thank you.
 
BitTorrent is on the system, so at some point it was used:
BitTorrent DNA"="c:\program files\DNA\btdna.exe" [2009-11-13 323392]

For #5: Control Panel> Internet Options> Security tab> Trusted Zone> Sites.
You don't need IE for this.

The instructions for handling the script are in the attachment:
Save this as CFScript.txt, in the same location as ComboFix.exe
[screenshot: CFScriptB-4.gif]


Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it will produce a log for you at C:\ComboFix.txt . Please attach to your next reply.

I don't know what the copy and paste problem is but I am reasonably sure it has nothing to do with malware. Check the mouse and keyboard settings in the Control Panel. Do you understand that you must either highlight what you want to copy or use the 'Select all' feature on the right click in order to copy? Then you can use either CTRL+C or Copy in Edit or Copy on right click to copy and although you won't see the content on the clipboard, going to the area where you want to paste it and clicking on that screen first, then using either Ctrl+V or Paste
 
Hey Bobbye,

I did delete the trusted sites.
About the script: I can't drag (same as the copy paste problem). But I managed to still open it by saying: Open CFScript.txt with ComboFix.exe. Couldn't drag. I attach the log.

And because you don't understand my copy paste problem I just captured my computer and uploaded the video to youtube, click the link below to see that I really can't copy (It's just youtube, a site where you can watch videos... One of the biggest sites ever... I hope you know it :|)

link: http://www.youtube.com/watch?v=HNbx3GFbVV0
I will delete the video as soon as you have seen it.
 

Attachments:
  • ComboFix.txt (52.4 KB)
I appreciate your video efforts, but I don't take references for that in this forum.

Other than the inability to do a copy and paste, please describe exactly what system problems you're still having.

Let's talk about what you are running on the system:
  • File Sharing programs:
    [o] BitTorrent
    [o] Gogertum
    [o] LimeWire
  • Questionable program:
    [o] Net Tools:>>Net Tools is a comprehensive set of host monitoring, network scanning, security, administration tools and much more, all with a highly intuitive user interface. It's an ideal tool for those who work in the network security, administration, training, internet forensics or law enforcement internet crimes fields
  • Multiple antivirus programs:
    [o] Alwil
    [o] a-Squared
    [o] McAfee
  • System maintenance including Registry cleaner:
    [o] Glary Utilities
  • Pirated Program & Program to get keys
    [o] Sony 7
    [o] Keyfinder
  • Unknown, changing netsrv:
    [o] Yxiahycnzoi

And you are running the Combofix script with the security programs active.
 
First about the things that are on my system:
BitTorrent (uninstalled)
Gogertum (what is this? Never heard of it and it isn't in my software list)
LimeWire (uninstalled)

NetTools (My friend said I should download it, but as soon as I downloaded it I heard from another friend that it's almost always infected. It might be the problem of my computer, but as soon as I had it I deleted it and I ran a full system scan)

Alwil (What is this? Never heard of it and it's not in my software list either)
A-squared (Yes, this is the only virus scan I use at the moment)
McAfee (Probably infected, I can't click on it, I can't uninstall it, I just can't do anything with it. It is the same problem as IE: when I click on it, it says it loads for like 2 seconds and then it doesn't do anything.)

Glary Utilities (I really like this program, I already have it for a while, I just use it to clean my pc)

Sony (vegas) 7 (I didn't know that it was infected)
Keyfinder (Probably for sv7, I already have these on my computer for like a year I guess :S)

Yxiahycnzoi (What? I have no idea what this is)

I can't disable the virus scans, I get warnings, I'm just unable to.

System problem list:
Anti virus can't fully secure my pc.
My Windows XP theme is changed to Windows classic
When I minimize a program it isn't shown on... (the thing next to Start, I don't know what to call that)
I can't copy (except from Notepad)
My sounds won't work, I can't use Windows Media Player.
I can't start IE.
When I start my pc it needs to load for like 3 minutes (before it was like 3 seconds).
I can't use Windows Installer
I can't update Windows.
I can't print.
 
I don't react. I thought my reply #20 summed things up. You may have malware, but the main problem is with your system and I think you need someone with hands on to help you. I seldom refer anyone to a computer shop, but sometimes that is the best way.
 