Question

Total Security 2009 Infection

Asked by: garden_frog

I am working on a friend's computer infected with Total Security 2009.  I have finally gotten it disabled so that it doesn't start on startup, but I can't seem to get any of the anti malware programs to function properly enough to remove it.  I tried the solutions on this article...

http://www.experts-exchange.com/Virus_and_Spyware/HijackThis/Q_24661860.html?sfQueryTermInfo=1+secur+total+viru

The first solution (Spyware Doctor) caught several infections, but in order to remove them I have to buy the software which makes me skeptical.  I've also tried to run ComboFix but after running the progress bar, nothing happens.

Anyone have any ideas how to get this nasty malware off?  I did try starting in safe mode but Total Security seems to have disabled Safe Mode.

This question has been solved and asker verified.

Asked on: 2009-08-28 at 11:15:39, ID: 24690679
Topics: HijackThis Software
Participating experts: 5
Points: 500
Comments: 42

Answers

 

by: tiagorferreira, posted on 2009-08-28 at 11:19:14, ID: 25210260

www.malwarebytes.org

Go, it's the best you can get.

 

by: garden_frog, posted on 2009-08-28 at 11:32:22, ID: 25210391

Sorry, I forgot to mention, I did try and run Malwarebytes as well.  It starts to run but then shuts down after a min. or two.

 

by: tiagorferreira, posted on 2009-08-28 at 11:46:04, ID: 25210507

 

by: garden_frog, posted on 2009-08-28 at 11:50:22, ID: 25210530

That's the link from the other help article I posted.  It points to a removal tool that you have to buy.  Is there another option available?  Or do I need to manually remove all the files listed?

 

by: tiagorferreira, posted on 2009-08-28 at 11:52:41, ID: 25210549

If you follow their instructions, I'm pretty sure it will work.

If you disable the process it will keep it low for a minute or two, then you can run

http://remove-malware.net/spyware-doctor/totalsecurity2009/download-total-security-2009-automatic-remover

this; that will auto-remove it.

 

by: garden_frog, posted on 2009-08-28 at 11:58:21, ID: 25210595

Yes, the automatic remover is actually a program called Spyware Doctor.  It scans for free but you have to buy it to use the remove tool.  To me, that sent up red flags.

The instructions they provided in that link were the ones I used to disable the Total Security Center long enough to get the computer to do anything.  But as I said in my original post, once I run the removal tool (Spyware Doctor) it prompts me to buy it in order to remove the infection.  So I'm wondering if there are any tools that remove it without purchasing them?

I just tried Malwarebytes again.  I get the scan started and then it just shuts down on its own.

 

by: tiagorferreira, posted on 2009-08-28 at 12:07:06, ID: 25210672

http://www.xp-vista.com/download/Spyhunter-Detection-Utility.exe

Try this one then, SpyHunter, and it's free.

 

by: tiagorferreira, posted on 2009-08-28 at 12:07:24, ID: 25210675

err, ignore the previous comment

 

by: tiagorferreira, posted on 2009-08-28 at 12:10:23, ID: 25210698

Apparently there is not much of a free choice; I recommend you use the manual method:

Run your PC in Normal or Safe Mode...

Go to C:/Windows and select the system32 folder.
In there you will see TASKMGR.EXE... right-click this file and rename it IEXPLORE.EXE.

Then, when you double-click on IEXPLORE.EXE in the system32 folder afterwards, Total Security will let it run, thinking it's Explorer.

The Task Manager will then start. You can then kill the TotalSecurity task there. Once you have successfully killed the running program...

Just install a decent AntiSpyware program, scan and get rid of it. Simple as...

Or just delete the files listed on the previous sites, or else pay for the software.

 

by: garden_frog, posted on 2009-08-28 at 12:24:21, ID: 25210821

See, that's the problem though, that's what I'm trying to explain (perhaps I'm explaining myself poorly).  I can disable it using those instructions, but it still won't allow me to run any antispyware or antimalware programs.  They all start and then they just stop running for some reason.

I feel that Spyware Doctor is spyware in and of itself, as (1) in my experience, solutions to these things aren't typically something you have to buy... typically if you are prompted to buy something, it's not truly a removal tool, and (2) when I tried to uninstall the software, it wouldn't completely remove from the computer, so that tells me it's probably spyware too.  Maybe I'm just being paranoid, but it just doesn't seem right to me.

 

by: tiagorferreira, posted on 2009-08-28 at 13:27:17, ID: 25211305

Well, Spyware Doctor is world known: http://www.pctools.com/spyware-doctor/

It's not spyware, unless it's a bizarre version of it, which I disbelieve.

 

by: garden_frog, posted on 2009-08-28 at 14:34:01, ID: 25211726

I hadn't heard of it before, so the two things I mentioned made me leery.  But here's what's odd... when I look at that link on PC Tools... it says there are 3 versions of Spyware Doctor, 2 of which are free.  All three versions supposedly allow you to scan and remove, so I SHOULD be able to remove what the search finds, but when I try to it says I have to register and that I have to have the paid version.  I wonder if maybe whatever has infected her computer is also causing problems with Spyware Doctor?

Anyone have any other possible solutions?

 

by: upalakshitha, posted on 2009-08-29 at 02:54:55, ID: 25213532

Boot into safe mode, try renaming combofix.exe to combofix.cmd.

or

Boot the PC offline, rename system32\config to config.bak, create a new folder config & copy the contents from windows\repair to the newly created config, then restart.
Try to run combofix normally & the other antivirus tools. If successful after the clean, boot offline again & rename the existing config to anything & rename config.bak to config & RESTART, CLEAN AGAIN & TRY TO INSTALL ANTIVIRUS.

 

by: rpggamergirl, posted on 2009-08-29 at 03:29:55, ID: 25213639

Do these please.

1.  Download the following file and save to your desktop.
http://live.sysinternals.com/procexp.exe

Rename the file to "winlogon.exe" and then run it. (Do not rename it with a generic name.)
Then look for any random-number executables, e.g. 3425631.exe; highlight any random.exe, right-click and select "kill process".

Once the process is killed, you can then run MalwareBytes or Combofix.

IF you don't find any random process showing, run these tools and give us the logs please. (Rename RootRepeal to "svchost.exe" if it won't run.)

2.  Download RootRepeal from the following location and save it to your desktop.
Zip Mirrors (Recommended)
Primary Mirror
http://rootrepeal.googlepages.com/RootRepeal.zip
Secondary Mirror
http://ad13.geekstogo.com/RootRepeal.zip

Rar Mirrors - Only if you know what a RAR is and can extract it.
Primary Mirror:
http://ad13.geekstogo.com/RootRepeal.rar
Secondary Mirror:
http://ad13.geekstogo.com/RootRepeal.rar

Extract RootRepeal.exe from the archive.
Open RootRepeal on your desktop.
Click the "Report" tab.
Click the "Scan" button.
Check all seven boxes:

o Drivers
o Files
o Processes
o SSDT
o Stealth Objects
o Hidden Services
o Shadow SSDT

Push Yes
Check the box for your main system drive (Usually C:), and press Ok.
Allow RootRepeal to run a scan of your system. This may take some time.
Once the scan completes, push the "Save Report" button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your next reply, please.

3.  Please download this tool and run it.
http://ad13.geekstogo.com/Win32kDiag.exe

It will create a file "Win32kDiag.txt" on the desktop. Please post the result here.



 

by: rpggamergirl, posted on 2009-08-29 at 03:35:47, ID: 25213656

<<<"try this one then, spyhunter, and its free">>>

tiagorferreira,

Please only suggest tools that you have tried or known very well...
Also try and suggest tools that are free to remove any threats it finds and NOT free to scan only.
SpyHunter is NOT free.

 

by: rpggamergirl, posted on 2009-08-29 at 05:23:37, ID: 25213812

Have you also tried downloading Combofix and renaming the file before saving it to your desktop?

My first post {http:#25213639}  is assuming that Combofix still won't run after being renamed before saving/before actually downloading the file.

 

by: rpggamergirl, posted on 2009-08-29 at 05:52:04, ID: 25213875

<<<" but it still won't allow me to run any antispyware or antimalware programs.  They all start and they they just stop running for some reason. ">>>

1.  Inability to run any programs can be caused by rogue programs (Security 2009 etc.); if that's the case, then renaming Process Explorer to winlogon.exe and killing the random process should let you run MalwareBytes and/or Combofix.

2.  A new infection (win2k.sys:1, win2k.sys:2) also blocks security programs from running (users are also alerted of the presence of rogue programs in the system); if so, then RootRepeal and Win32Kdiag.exe should confirm it and also help us remove the infection.

 

by: Peak-Support, posted on 2009-08-29 at 06:06:11, ID: 25213923

I know this has already been suggested, but I want to add an idea.

Try using http://www.malwarebytes.org/

You said that it starts to run, but shuts down after a minute or two. So try the following:

1. Navigate to the installation folder in C:\Program Files\...
2. Locate the mbam.exe file
3. Rename this file to any name of your choosing, such as randname.exe
4. Run that file with the new name.

Most malware/viral infections that prevent an application from running specifically target the process name (in this case mbam.exe), so by giving it a different name it will get around that issue, if that is what is being blocked.

 

by: DoctorInferno, posted on 2009-08-29 at 21:49:48, ID: 25216394

 

by: garden_frog, posted on 2009-08-30 at 08:59:49, ID: 25218086

rpggamergirl,

Thanks so much!  I followed your instructions (you assumed correctly, I was unable to run malwarebytes or combofix after renaming).

Root repeal did the same thing malwarebytes does... it ran for a second then just stopped.

When I run the Win32Kdiag.exe it hangs up.  I've posted a screen shot for you to see.

Also, I was able to get Super Anti Spyware to run.  It did catch quite a few infections... since that ran, the Total Security 2009 appears to have cleared up (and with it the numbered .exe processes) but apparently the computer is still infected with something else as I still can not run anything else.

What next?

upalakshitha, I can not boot in safe mode as I mentioned earlier.

Peak-Support and DoctorInferno, I've tried (unsuccessfully) to rename and run Malwarebytes but it hasn't worked.  I've attempted several different times to no avail.

 

by: garden_frog, posted on 2009-08-30 at 09:03:26, ID: 25218096

rpggamergirl,

I spoke too soon.  It did save the text file, I just didn't see it until after I posted.  Here it is.

 

by: rpggamergirl, posted on 2009-08-30 at 18:08:51, ID: 25220113

Okay, thanks for that. This is the new infection that patches files and creates junctions.

You need to run Win32kDiag.exe again, but you must use this command.
Click on Start-> Run, and copy-paste the following command (the bolded text) into the "Open" box, and click OK. When it's finished, there will be a log called Win32kDiag.txt on your desktop. Please open it with notepad and post the contents here.

"%userprofile%\desktop\win32kdiag.exe" -f -r

After you've done that, run Rootrepeal and show us the log.

Also download this batch file and save to your desktop.
http://download.bleepingcomputer.com/bats/peek.bat
Double-click on Peek.bat; it will produce a LOG.txt. Please post the content of that.
 

by: garden_frog, posted on 2009-08-31 at 10:14:18, ID: 25224498

Thank you so much!  That worked...all three ran fine.  Attached are the .txt files for each scan.

Let me know what the next step is.

 

by: rpggamergirl, posted on 2009-08-31 at 17:15:28, ID: 25227590

Thanks for the logs.... the eventlog.dll is the one patched... so we need to replace that with a clean one using Avenger.
First we need to copy a clean one to the root drive... then move it from the root drive to system32 to replace the patched one.


Create a batch file to copy the clean eventlog.dll to the C:\.
Copy and paste the bold text into Notepad.
Save this text as "Fix.bat", make sure the "Save as type:" is "All Files (*.*)" and save it to your desktop.
Double-click on the "Fix.bat"

@echo off
copy C:\WINDOWS\ServicePackFiles\i386\eventlog.dll c:\eventlog.dll
Exit



Once there's a clean copy in the root drive we then use that copy to replace the patched one using Avenger.
1. Please download The Avenger by Swandog46 to your Desktop.
http://swandog46.geekstogo.com/avenger2/download.php

   * Right click on the Avenger.zip folder and select "Extract All..."
   * Follow the prompts and extract the avenger folder to your desktop

2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):


Files to move:
c:\eventlog.dll | C:\WINDOWS\system32\eventlog.dll



Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

3. Now, open the avenger folder and start The Avenger program by clicking on its icon.

   * Right click on the window under Input script here:, and select Paste.
   * You can also click on this window and press (Ctrl+V) to paste the contents of the clipboard.
   * Click on Execute
   * Answer "Yes" twice when prompted.


4. The Avenger will automatically do the following:

   * It will Restart your computer. ( In cases where the code to execute contains "Drivers to Delete", The Avenger will actually restart your system twice.)
   * On reboot, it will briefly open a black command window on your desktop, this is normal.
   * After the restart, it creates a log file that should open with the results of Avenger's actions. This log file will be located at C:\avenger.txt
   * The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.

5. Please copy/paste the content of c:\avenger.txt into your reply.



Then run Win32Diag.exe again using the switch below:

"%userprofile%\desktop\win32kdiag.exe" -f -r


Then run the renamed Combofix..... then RootRepeal to check that it's gone.




 

by: rpggamergirl, posted on 2009-08-31 at 17:22:47, ID: 25227617

Please download ComboFix by sUBs:(Rename it before saving to your desktop)
http://download.bleepingcomputer.com/sUBs/ComboFix.exe

You must download it to and run it from your Desktop
Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
Double click combofix.exe & follow the prompts.
When finished, it will produce a log. Please save that log and attach it in your next reply by pasting it in the "Code Snippet" or "Attach File" window.
Re-enable all the programs that were disabled during the running of ComboFix..


Note:
Do not mouse-click combofix's window while it is running. That may cause it to stall.

CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.


If needed, here's the Combofix tutorial which includes the installation of the Recovery Console:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix




Btw, when you run RootRepeal and on the Drivers or hidden services tab if you still see this, rightclick and use the "Wipe File" button.
Name: win32k.sys:1
Image Path: C:\WINDOWS\win32k.sys:1

Name: win32k.sys:2
Image Path: C:\WINDOWS\win32k.sys:2


Also, on these hidden/locked files and folders, use "Wipe File":
C:\WINDOWS\system32\intel64.exe
C:\WINDOWS\system32\terrapof32

 

by: garden_frog, posted on 2009-08-31 at 18:02:04, ID: 25227781

Should I do Combo Fix after replacing the patched file?

 

by: rpggamergirl, posted on 2009-08-31 at 18:53:44, ID: 25228027

Yes, and RootRepeal...Win32Diag.exe as well.

 

by: garden_frog, posted on 2009-09-01 at 19:25:10, ID: 25237737

Here are the copied and pasted results from c:\avenger.txt.  The log file did not open when Avenger was done; however, I did find the text file on the c: drive.

 Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

 Platform: Windows XP

 *******************

 Script file opened successfully.
Script file read successfully.

 Backups directory opened successfully at C:\Avenger

 *******************

 Beginning to process script file:

 Rootkit scan active.
No rootkits found!

 
Error: file "c:\eventlog.dll" not found!
File move operation "c:\eventlog.dll|C:\WINDOWS\system32\eventlog.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

 
Completed script processing.

 *******************

 Finished! Terminate.
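The log above has a regular line structure: an "Error:" line, a "File <op> operation "src|dst" failed!" line, and a "Status: 0x... (NTSTATUS_NAME)" line, followed by "Completed script processing." when the run finishes. As an added example (not from this thread and not part of The Avenger), here is a small Python parser that turns such a log into a structured summary and flags failed operations with their NTSTATUS names, so a helper reading many of these does not have to eyeball them. The SAMPLE_LOG is a constructed copy modelled on the post above; the regular expressions, function names and result keys are my own assumptions about the format, based only on the lines visible here.

```python
"""Parse an Avenger log and flag failed scripted operations.

Added example; not part of the thread or of The Avenger tool. The regexes
below are assumptions derived from the log lines visible in the thread.
"""
import re

# Constructed sample, modelled on the Avenger log posted in the thread.
SAMPLE_LOG = """\
Logfile of The Avenger Version 2.0, (c) by Swandog46
Platform: Windows XP
*******************
Script file opened successfully.
Script file read successfully.
Backups directory opened successfully at C:\\Avenger
*******************
Beginning to process script file:
Rootkit scan active.
No rootkits found!

Error: file "c:\\eventlog.dll" not found!
File move operation "c:\\eventlog.dll|C:\\WINDOWS\\system32\\eventlog.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

Completed script processing.
*******************
Finished! Terminate.
"""

# 'File move operation "src|dst" failed!' (assumed: other ops may carry a single path)
FAILED_OP_RE = re.compile(r'^File (?P<op>\w+) operation "(?P<paths>[^"]+)" failed!$')
# 'Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)'
STATUS_RE = re.compile(r'^Status: (?P<code>0x[0-9A-Fa-f]+) \((?P<name>[A-Z0-9_]+)\)$')
# 'Error: file "c:\eventlog.dll" not found!'
ERROR_RE = re.compile(r'^Error: (?P<msg>.+)$')


def parse_avenger_log(text):
    """Return {'completed', 'rootkits_found', 'failures', 'errors'} for one log."""
    summary = {"completed": False, "rootkits_found": None, "failures": [], "errors": []}
    pending = None  # the failure record waiting for its Status: line
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = ERROR_RE.match(line)
        if m:
            summary["errors"].append(m.group("msg"))
            continue
        m = FAILED_OP_RE.match(line)
        if m:
            parts = m.group("paths").split("|", 1)
            pending = {
                "operation": m.group("op"),
                "source": parts[0],
                "destination": parts[1] if len(parts) > 1 else None,
                "status_code": None,
                "status_name": None,
            }
            summary["failures"].append(pending)
            continue
        m = STATUS_RE.match(line)
        if m and pending is not None:
            pending["status_code"] = m.group("code").lower()
            pending["status_name"] = m.group("name")
            pending = None
            continue
        if line == "No rootkits found!":
            summary["rootkits_found"] = False
        elif line.startswith("Completed script processing"):
            summary["completed"] = True
    return summary


def needs_attention(summary):
    """True when the run did not complete or any scripted operation failed."""
    return (not summary["completed"]) or bool(summary["failures"])


if __name__ == "__main__":
    result = parse_avenger_log(SAMPLE_LOG)
    for failure in result["failures"]:
        print("FAILED %(operation)s %(source)s -> %(destination)s: %(status_name)s" % failure)
    print("needs attention:", needs_attention(result))
```

For the thread's log the parser reports one failed move with STATUS_OBJECT_NAME_NOT_FOUND, which is exactly the diagnosis rpggamergirl reaches in the next reply (the staged file was never created); a run that completes with no failures returns a summary that needs_attention() rejects, so the same script can confirm a later, successful run.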

 

 

by: garden_frog, posted on 2009-09-01 at 19:28:22, ID: 25237749

Ran the Win32kDiag.exe fine.

Then, attempted to run combofix - appeared to start running, came up with the blue box that says "scanning for infected files, it may take 10 minutes to scan, more heavily infected machines will take longer."

I had to walk away - when I came back, appeared that it was done running, left it alone for 10 minutes, nothing, could not find a log file for it. Internet was not working at that point, so I re-booted.

Tried to re-run from the icon already on the desktop (which renamed itself back to combofix during the first trial). Got to the same point - however, after running for 5 minutes, it re-booted itself - came back to my desktop and nothing happened, no log file found. Internet was working this time, however.

I did not run the Root Repeal since Combo fix was not able to finish.

What next?  Should I run Root Repeal or do I need to do something else to get combo fix to run properly?
 

 

by: rpggamergirl, posted on 2009-09-01 at 19:43:38, ID: 25237795

<<<"Error: file "c:\eventlog.dll" not found!">>>

Avenger failed to move the file from the root drive to the system32 folder.
You did run the Fix.bat, did you? I ask because the Fix.bat was supposed to copy the clean file from the source into C:\, ready for Avenger to move to system32.

 

by: garden_frog, posted on 2009-09-01 at 19:46:30, ID: 25237808

Yes I did.  I almost forgot to mention though (or rather I did forget but just remembered..), when avenger ran, I got the following error message during step 4 after rebooting:

c:\cleanup.exe - Windows cannot access the specified device path or file. You may not have the appropriate permissions to access the item.

Could that be why?  Do I need to restart the process?


 

by: rpggamergirl, posted on 2009-09-02 at 05:23:25, ID: 25240181

Let's start again please....

Step 1:
Open notepad and copy/paste the bolded text below into it.
Save this text as "Fix.bat". Make sure the "Save as type:" is "All Files (*.*)" and save it to your desktop.
Double-click on the "Fix.bat". You may see a window flash; that's normal.

@echo off
copy C:\WINDOWS\ServicePackFiles\i386\eventlog.dll c:\eventlog.dll
copy C:\WINDOWS\ServicePackFiles\i386\dumprep.exe c:\dumprep.exe
Exit

Step 2:
Start up Avenger.
Check the 'Input script manually' option.
Click the Magnifying Glass icon.
In the box that opens, copy, then paste the following bolded text (all text inside the lines below):

--------------------------------------------------------

Files to move:
C:\eventlog.dll | C:\WINDOWS\system32\eventlog.dll
C:\dumprep.exe | C:\WINDOWS\system32\dumprep.exe

--------------------------------------------------------

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

Now, open the avenger folder and start The Avenger program by clicking on its icon.

   * Right click on the window under Input script here:, and select Paste.
   * You can also click on this window and press (Ctrl+V) to paste the contents of the clipboard.
   * Click on Execute
   * Answer "Yes" twice when prompted.

Please copy/paste the content of c:\avenger.txt into your reply.

Step 3:
Click on Start->Run, and copy-paste the following command into the "Open:" box, and click OK.

"%userprofile%\desktop\win32kdiag.exe" -f -r

When it's finished, there will be a log called Win32kDiag.txt on your desktop. Please open it with notepad and post the contents here.

Step 4:
Run the renamed MBAM and renamed Combofix.exe and attach the logfiles.
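The two-stage procedure above (copy the pristine file from ServicePackFiles\i386 to C:\, then have Avenger move it over the patched copy at reboot) has two silent failure modes that the thread ran into: the staging copy never happens, so Avenger reports STATUS_OBJECT_NAME_NOT_FOUND, and nothing confirms that the installed file really differed from the known-good one before or after the swap. As an added example (not from this thread, and not part of Avenger, ComboFix or Windows), the Python script below makes that step checkable: it hashes the installed file and the known-good copy, stages the clean copy only when they differ, verifies the staged copy byte-for-byte, and refuses to continue if an input is missing instead of doing nothing. The function and parameter names are my own, the paths are parameters, and the demo at the bottom uses constructed temporary files rather than real system DLLs. One caveat a practitioner would add: the comparison is only as good as the reference copy, so on a real machine the ServicePackFiles copy should itself be checked against a hash from a trusted source before it is used as the baseline.

```python
"""Verify a system file against a known-good copy and stage a replacement.

Added example, not from the thread and not part of Avenger/ComboFix/Windows.
All paths are parameters; the demo builds constructed files in a temp dir.
"""
import hashlib
import os
import shutil
import tempfile


def sha256_of(path):
    """Return the hex SHA-256 of a file, reading it in 64 KiB chunks."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def check_and_stage(installed, known_good, staging):
    """Compare `installed` with `known_good`; stage the clean copy at `staging`.

    Returns a dict whose 'status' is one of:
      'missing_known_good' / 'missing_installed' - an input file does not exist
      'clean'           - hashes match, nothing staged
      'patched'         - hashes differ, verified clean copy written to `staging`
      'staging_failed'  - the staged copy did not hash like the known-good file
    """
    if not os.path.isfile(known_good):
        return {"status": "missing_known_good", "known_good": known_good}
    if not os.path.isfile(installed):
        return {"status": "missing_installed", "installed": installed}

    installed_hash = sha256_of(installed)
    good_hash = sha256_of(known_good)
    result = {"installed_sha256": installed_hash, "known_good_sha256": good_hash}
    if installed_hash == good_hash:
        result["status"] = "clean"
        return result

    # The installed copy differs: stage the known-good copy for the move step.
    shutil.copyfile(known_good, staging)
    if sha256_of(staging) != good_hash:
        result["status"] = "staging_failed"
        return result
    result["status"] = "patched"
    result["staged"] = staging
    return result


def demo():
    """Constructed scenario: a modified DLL next to its pristine reference copy."""
    root = tempfile.mkdtemp()
    known_good = os.path.join(root, "ServicePackFiles_eventlog.dll")
    installed = os.path.join(root, "system32_eventlog.dll")
    staging = os.path.join(root, "staged_eventlog.dll")
    clean_bytes = b"MZ-constructed-clean-eventlog"      # constructed content
    with open(known_good, "wb") as fh:
        fh.write(clean_bytes)
    with open(installed, "wb") as fh:
        fh.write(clean_bytes + b"-patched")          # simulated tampering

    first = check_and_stage(installed, known_good, staging)      # expect 'patched'
    # Stand-in for the move step (Avenger at reboot): put the staged copy in place.
    shutil.copyfile(staging, installed)
    second = check_and_stage(installed, known_good, staging)     # expect 'clean'
    missing = check_and_stage(installed, os.path.join(root, "absent.dll"), staging)
    shutil.rmtree(root)
    return first["status"], second["status"], missing["status"]


if __name__ == "__main__":
    print(demo())   # ('patched', 'clean', 'missing_known_good')
```

Running the first check before the move tells you whether the file is actually patched (a 'clean' result means the symptom lies elsewhere); running it again after the reboot confirms the swap took effect, and a 'missing_known_good' result is caught before any move script is written rather than surfacing as an Avenger error at reboot.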

 

by: garden_frog, posted on 2009-09-02 at 11:31:27, ID: 25244067

A couple of questions...

Step 1, When I save the file, I've changed it to all files as instructed, but I also noticed there is the box below that says encoding.  It defaults to ANSI.  I'm assuming I leave it as ANSI?

And on step two...

I've started Avenger as instructed but I don't see an option for "input script manually"  I also don't see a magnifying glass icon.  I have the following options: Load Script from File, Load Script from URL, and Paste a script directly from Clipboard.  

Then I notice further down on step two it also says to start avenger but I've already started it previously.  Should I close out of it once I follow the above instructions then restart following the instructions after?

Sorry this is proving so complicated!!

 

by: rpggamergirl, posted on 2009-09-02 at 16:35:25, ID: 25246697

When creating the Fix.bat, yes, leave it at the default ANSI.
And if you check, the eventlog.dll and dumprep.exe should be present on the C:\

Sorry about the Avenger instructions, I was using the old canned text....
When you double-click Avenger it already opens in the "Input script here:" window, so just paste it inside that window, or click on the 3rd button that says (when you hover it with the mouse) "Paste Script from Clipboard".
Click on "Execute" and reboot when prompted.

 

by: garden_frog, posted on 2009-09-03 at 16:56:53, ID: 25256049

OK,  I think I finally got it!!

Here are the log files.  I forgot to upload the Avenger file before I left, so let me know if you still need that one.  It appeared to run properly this time.  (I think the problem last time was I failed to actually run the fix.bat file.  I saved it, but didn't run it.)

Let me know if I need to do any further repairs or if you need the Avenger file before you can tell or if I'm all set.


 

by: rpggamergirl, posted on 2009-09-03 at 18:20:47, ID: 25256311

Thanks for the logs...
I assume you let MBAM take care of those bad files where it says in the log "no action taken"?

We just need to remove some leftover files.

Run combofix again using this script.

1. Open Notepad.
2. Now copy/paste the text between the lines below into the Notepad window:
------------------------------------------------------------------------
File::
c:\windows\temp\mscipevc.exe
c:\windows\system32\wmiapise.exe
c:\windows\system32\drivers\svchost.exe.sys
c:\documents and settings\HP_Administrator\settings.dat
C:\tujfbtrj.exe
C:\enurmyv.exe
C:\hpbyv.exe
C:\pvewnn.exe
C:\emxtqjit.exe
C:\blyuwrjl.exe

Driver::
WMIAPISE

FileLook::
c:\windows\system32\svcprs32.exe


DirLook::
c:\program files\Common Files\tenu._sy
------------------------------------------------------------------------
3. Save the above as CFScript.txt on your desktop.
4. Then drag the CFScript.txt into ComboFix.exe. This will start ComboFix again.



Can you please submit the below file for online virus check  -->http://virusscan.jotti.org/
C:\windows\system32\svcprs32.exe



You might also like to clean your temp folders.
CCleaner:
http://www.ccleaner.com/download/



 

by: garden_frog, posted on 2009-09-04 at 05:18:32, ID: 25258737

Ok - I think we might have it.

When I ran the combofix again it said to submit malware files for further analysis.  I wasn't connected to the internet at that time.  It created a file to be submitted later, but it is a .htm - which won't upload here.  I looked at bleepingcomputer.com - but didn't see where I should or if I should upload it.

It did also create the regular Combofix.txt which I've attached.

I ran the virusscan.jotti - and found 0 malware.

I also cleaned the temp folders.

Anything else?


 

by: rpggamergirl, posted on 2009-09-04 at 06:36:02, ID: 25259480

Things look good.

If you like you can also do an online scan to make sure nothing is missed, either Activescan or Kaspersky.
Panda's Activescan:
http://www.pandasecurity.com/activescan/index/

Kaspersky's online scanner (save the log, because Kaspersky doesn't remove any threats found):
http://www.kaspersky.com/virusscanner
   

 

by: garden_frog, posted on 2009-09-04 at 13:54:35, ID: 25263267


I did Kaspersky's scan - took over 4 hours - but no threats were found, so no log was created.

Panda's Activescan gave me some trouble - I received a few messages about scripts not running properly, I ended up canceling out.

Seems to me that we are clean.  Any other thoughts or am I good to go?

Thanks for all of your help.

 

by: rpggamergirl, posted on 2009-09-04 at 22:47:16, ID: 25265081

No problem....sounds good then.
Kaspersky is a very thorough scanner so if it didn't find any thing, then I'd say you're good to go.

To uninstall Combofix:
Go to Start > Run and 'copy and paste' next command in the field:

ComboFix /u



You can run CCleaner also if you like to clean out temp folders etc.
http://www.ccleaner.com/download/



If you have time, please check out these links below:
1.  TonyKlein's article "So how did I get infected in the first place?"
http://www.spywareinfoforum.com/index.php?showtopic=60955

2.  miekiemoes' "How to prevent Malware"
http://users.telenet.be/bluepatchy/miekiemoes/prevention.html

3.  Simple and easy ways to keep your computer safe and secure on the Internet:
http://www.bleepingcomputer.com/tutorials/tutorial82.html

 

by: garden_frog, posted on 2009-09-08 at 12:45:22, ID: 25285464

Thank you so much for all your help!  I'm reading the articles you posted now, but more importantly, I'll pass them on to my friends whose computers were infected.  :)

 

by: rpggamergirl, posted on 2009-09-08 at 16:16:04, ID: 25286987

No problem, glad to know it's resolved.
Good work for sharing those links.
The more users become aware of malware/viruses and prevention the better, :)

Thank you for using Experts-Exchange!
