Solved

Nasty virus on my machine.

Posted on 2006-07-16
Last Modified: 2010-08-05
Not sure if this is the right place to post, but here goes.
I think I have a nasty virus or spyware on my machine. I am running Windows XP, with NORTON antivirus 2005 installed. I cannot run any programs on my machine, and something has deleted my NORTON. I can't run any .EXE files, and all my file associations have gone to CRAP. I am also receiving tons of FU$%ING annoying popups from:

.amaena.com/
.gojournalists.com/
.bigdispatch.com/
a.as-us.falkag.net/dat/dlv/aslframe.html?dat=
allcomprehend.com/

I have tried a repair install of Windows, with no luck. Restore has been corrupted, and I can't open any .exe files downloaded from the internet or from my removable drive. The funny thing is I can open the files on my removable drive from my laptop. Is there any way to get these bastards off my machine?
I can provide more info if needed.

I have a print screen of my machine at: http://www.4shared.com/file/2542015/da421438/printscreen.html

Thanks for any help,

Justin

Question by:yogiyogi69
16 Comments
 
LVL 5

Assisted Solution

by:mistymisty
mistymisty earned 25 total points
ID: 17117512
Can you reboot to Safe Mode?  Restart your computer and press the F8 key on boot and choose safe mode.  

Then if you can go to Start, Run, type "msconfig" without the quotes, press enter.  

Go to the startup tab and take everything out, go to the service tab and check "Hide all microsoft services" then uncheck everything else in there.  Then go to the registry by clicking start, run, type "regedit" without the quotes.  Navigate to Local machine, software, microsoft, windows, current version, run.  Click the run key and see if there are any strange entries on the right side.  If so remove them.  You could leave things like antivirus and such, but since it's not working anyways then you could just go ahead and remove all things listed there.  

Then I would reboot and go back press F8 on boot, and this time go to "safe mode with network support"

From there try downloading adaware, spybot and do an online virus scan.  

If you can't get to msconfig or regedit then post back and we will try something else.

Author Comment

by:yogiyogi69
ID: 17117563
Tried to run msconfig and regedit, no dice. Here's what I get: http://www.4shared.com/file/2543034/27cf2149/print.html

And I still get the popups in safe mode. Also, I can download Spybot and Ad-Aware, but I can't open the file.

Thanx mistymisty
LVL 3

Accepted Solution

by:
Tony Gimenez earned 25 total points
ID: 17117877
First try to fix that broken exe association by following the tutorial here.
http://filext.com/info/showthread.php?t=12

Tell me how it goes.
LVL 5

Assisted Solution

by:CyberneticsConnoisseur
CyberneticsConnoisseur earned 100 total points
ID: 17117989
From the screenshot you have sent, I can easily see that the problem is worse than what you have described. It's not just the .exe files; I can see that your .lnk association has also gone bad, and if I am guessing right, and if it is indeed virus caused, most probably other extensions like .reg / .pif / .scr / .bat / .com are also not working on your system. I hope that the file system you have on your system is FAT32, because if it is, then it will be easy for you to recover faster from this situation. All you need is a Win98SE bootdisk and McAfee's "stinger" tool. Boot from the 98 bootable disk and run the stinger tool.
Alternatively, if you can, get an antivirus (e.g. Trend Micro) that provides creating an emergency boot disk that includes antivirus detection and removal. Boot from it and run the virus cleaner from the DOS prompt.

BTW, once your .exe problem gets resolved (and I hope you have WinZip and it starts to work after that), go here:

http://www.dougknox.com/xp/file_assoc.htm

This has a complete list of file association fixes that you require in your case.

But, yes, for these to work, your .reg association should be working.

Hope this helps.

Do let me know if you need more help.

Carpe Diem.
LVL 5

Expert Comment

by:CyberneticsConnoisseur
ID: 17118010
In fact I would recommend that you visit the page I provided first. It has described everything, like how to correct .zip associations, and use the tools directly. It will get you up and running in minutes. Read the note given in red on how to use the files from that site in case the .exe association is not working or you want to import the .reg files to the registry. One more thing: at times, some viruses rename files so as to cause search failures. So if regedit.exe doesn't work, try regedit.com. Might just work. All kinds of virus tricks are used these days.  :-)

Will wait for your reply.
Carpe diem.
LVL 5

Expert Comment

by:CyberneticsConnoisseur
ID: 17118037
Download Stinger here:

http://download.nai.com/products/mcafee-avert/stng260.exe

More info on this tool here :

http://vil.nai.com/vil/stinger/

Carpe Diem
LVL 5

Expert Comment

by:CyberneticsConnoisseur
ID: 17118087
Alternately, you may download fixreg.com from Grisoft.com site and run it. This utility fixes the exefile association in the registry automatically.

Download link:
http://www.grisoft.cz/softw/70/filedir/util/avg_rem_sup.dir/fixreg.com

BTW, it looks like a SirCam infection .... read this:
You cannot start programs when your computer is infected with the SirCam virus (http://support.microsoft.com/default.aspx?kbid=311446)

Or it may be the Swen worm ... read this:
You receive an error message when you try to start a program that has an .exe file name extension (http://support.microsoft.com/?kbid=837334)


I think that is a lot of info together.... take time to read and see what works best for you...

Carpe diem.
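An added audit script, not from this thread or from any of the tools linked above, that checks the two things the advice so far targets: whether the .exe/exefile association still carries the stock `"%1" %*` open command (the value fixreg.com and the file-association .reg files restore), and what is listed in the Run/RunOnce autostart keys that mistymisty suggested inspecting in regedit. It assumes an elevated PowerShell session on a machine that has PowerShell (the original XP box would not), and it only reads and reports; it changes nothing.

```powershell
# Added audit script (not from the thread). Assumes an elevated PowerShell
# session. It only reads the registry and reports; it changes nothing.

# Stock Windows default for HKCR\exefile\shell\open\command
$ExpectedOpenCommand = '"%1" %*'

function Test-ExeAssociation {
    # 1. The .exe extension must resolve to the exefile ProgID
    $dotExe = (Get-ItemProperty -Path 'Registry::HKEY_CLASSES_ROOT\.exe' `
        -ErrorAction SilentlyContinue).'(default)'
    # 2. The open command must be the bare "%1" %*; a path wrapped around it
    #    means every program launch is being routed through something else
    $cmd = (Get-ItemProperty `
        -Path 'Registry::HKEY_CLASSES_ROOT\exefile\shell\open\command' `
        -ErrorAction SilentlyContinue).'(default)'
    [pscustomobject]@{
        DotExeProgId  = $dotExe
        DotExeOk      = ($dotExe -eq 'exefile')
        OpenCommand   = $cmd
        OpenCommandOk = ($cmd -eq $ExpectedOpenCommand)
    }
}

function Get-RunEntries {
    # The autostart keys the advice above tells the reader to inspect by hand
    $paths = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
             'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
             'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
             'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    foreach ($p in $paths) {
        $props = Get-ItemProperty -Path $p -ErrorAction SilentlyContinue
        if (-not $props) { continue }
        foreach ($prop in $props.PSObject.Properties) {
            # Skip the PSPath/PSDrive/... properties the provider adds
            if ($prop.Name -like 'PS*') { continue }
            [pscustomobject]@{
                Key     = $p
                Name    = $prop.Name
                Command = $prop.Value
                # Flag launches from user-writable/temp locations for review
                Review  = [bool]($prop.Value -match '\\(Temp|AppData|Local Settings)\\')
            }
        }
    }
}

Test-ExeAssociation | Format-List
Get-RunEntries | Sort-Object Review -Descending | Format-Table -AutoSize
```

Entries flagged for review are only candidates; confirm each against the program it claims to be before removing anything, since legitimate updaters also run from AppData.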
LVL 9

Expert Comment

by:lojk
ID: 17118134
Repairing installations is generally not a great idea.

Salvage the data from the disk using something like Bart's Boot Disk or Yeung's WinPE and just format the disk and install a clean installation. It will drastically reduce the chance of reinfection, not to mention saving a *boat load* of hassle...
LVL 47

Assisted Solution

by:rpggamergirl
rpggamergirl earned 100 total points
ID: 17118487
See if hijackthis runs, if it doesn't try renaming it. Have you tried fixing your file associations as already suggested?


Please download HijackThis 1.99.1
http://www.cyberanswers.org/forum/uploads/HijackThis1991.exe
Open Hijackthis, click "Do a system scan and save a logfile" don't fix anything yet.

Then go to the below link and login using your Experts-Exchange username and password.
http://www.ee-stuff.com
Click on "Expert Area" tab
type or paste the link to your Question
"Browse" your pc to the location of your Hijackthis log and click "Upload"
Copy the resulting "url" and post it back here.


OR: paste the log to either of these sites:
1. http://www.rafb.net/paste/
then at the bottom left corner click "paste"
Copy the address/url and post it here.

2. or at --> http://www.hijackthis.de/
and click "Analyse", click "Save".  Then post the link to the saved list here.

Author Comment

by:yogiyogi69
ID: 17119217
Well it looks like I may have my associations back "whew". I am able to run programs now etc...............

Here is my hijackthis logfile:
http://www.hijackthis.de/logfiles/83e99d187593ce8eefa8bf079b5242ea.html

Also my desktop background has changed to black and on the lower right hand of the screen it reads:
"Your computer is in danger!
Windows security center has detected adware/spyware infection!
It is strongly recommended to use special antispyware tools to prevent data loss."

Thanks for all your help guys and girls...........................

LVL 47

Expert Comment

by:rpggamergirl
ID: 17119564
A lot of bad entries there! At least 2 infections showing.
Please download and run these 2 tools and then post a new link to a fresh HijackThis log, so we can check what bad entries are left behind.

1. Please download Look2Me-Destroyer.exe to your desktop.
http://www.atribune.org/ccount/click.php?id=7
Close all windows before continuing.
Double-click "Look2Me-Destroyer.exe" to run it.
Put a check next to "Run this program as a task".
You will receive a message saying Look2Me-Destroyer will close and re-open in approximately 10 seconds. Click OK
When Look2Me-Destroyer re-opens, click the "Scan for L2M" button, your desktop icons will disappear, this is normal.
Once it's done scanning, click the "Remove L2M" button.
You will receive a Done Scanning message, click OK.
When completed, you will receive this message: Done removing infected files! Look2Me-Destroyer will now shutdown your computer, click OK.
Your computer will then shutdown.
Turn your computer back on.

Please post the contents of C:\Look2Me-Destroyer.txt.
If you receive a message from your firewall about this program accessing the internet please allow it.
If you receive a runtime error '339' please download MSWINSCK.OCX from the link below and place it in your C:\Windows\System32 Directory.
http://www.ascentive.com/support/new/images/lib/MSWINSCK.OCX

Then:
2. Please download SmitfraudFix:
http://siri.geekstogo.com/SmitfraudFix.php
Extract the content (a folder named SmitfraudFix) to your Desktop.
Next, please reboot your computer in Safe Mode by rebooting the computer,
and repeatedly tapping the F8 key as the pc starts. Choose "Safe Mode" from
the options listed.
 
Once in Safe Mode, open the SmitfraudFix folder again and double-click
"smitfraudfix.cmd"
 
Select option #2 - Clean by typing 2 and press "Enter" to delete infected
files.
 
You will be prompted : "Registry cleaning - Do you want to clean the
registry?" answer "Yes" by typing Y and press "Enter" in order to remove
the Desktop background and clean registry keys associated with the
infection.
 
The tool will now check if wininet.dll is infected. You may be prompted to
replace the infected file (if found); answer "Yes" by typing Y and press
"Enter".
 
The tool may need to restart your computer to finish the cleaning process;
if it doesn't, please restart it into Normal Windows.
A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply.
The report can also be found at the root of the system drive, usually at C:\rapport.txt
LVL 5

Expert Comment

by:CyberneticsConnoisseur
ID: 17122642
yogiyogi69,
I am glad your associations have been restored and the system is working now.
You didn't mention what worked? And what about the .lnk files... it was showing in the screenshot that they too were not working. Is that restored too?
Looking at your HijackThis log, your system does have a virus & spyware infection.

I am not so sure if your Norton is still working or not, as you said something deleted your Norton. I gave you the link for the Stinger tool. It's a basic scan and removal tool for the latest most common viruses (not an alternative for an antivirus, just the latest common threats). Have you tried a system scan with it yet? If not, do it now, and if Norton is restored to proper working condition (maybe you need to reinstall a fresh copy), upgrade the antivirus definitions and run a full system scan for viruses. That would take care of your virus problem.

For your spyware infection, Ad-Aware SE or Spyware Doctor are two "really good" spyware detection and auto-removal tools. Ewido is another similar software for spyware removal.
LVL 5

Expert Comment

by:CyberneticsConnoisseur
ID: 17122721
The shortest and fastest way to disable those browser hijack infections until you run the spyware removal tool is given here:

1. Open the IE properties window (in the IE window, go to Tools > Options).
2. Go to the Advanced tab.
3. Scroll down to the line "Enable third-party browser extensions (requires restart)".
4. Uncheck this option and save the changes by clicking OK.

This temporarily disables all the external toolbars/BHOs that got installed due to the spyware infection. Now you can run Ad-Aware/Spyware Doctor to do a complete scan and auto-removal of all spyware installed on the system. Whichever product you choose to use, make sure you update the definitions database from the internet first to get the latest protection.

Carpe Diem.

Author Comment

by:yogiyogi69
ID: 17126420
Sorry it has taken me so long to get back, but I have been busy working.
All of the tools used on my machine seem to have gotten rid of the infection and the file extensions are back to normal (GREAT TOOLS). I'm still getting a few popups though, and my file extensions seemed to have gotten corrupt again, but I followed the instructions above again and they work again now. I'm running a virus scan using NORTON, and so far 10 have been detected. SmitfraudFix and Look2Me-Destroyer worked great with those damn malware and spyware programs, but I'm contemplating just formatting and starting over.

Thank you all for your help and concern, it is much appreciated..................:)

LVL 47

Expert Comment

by:rpggamergirl
ID: 17126770
Perhaps formatting and starting afresh is the best. :)


Closing Questions:
http://www.experts-exchange.com/help.jsp#hs5

Or post at Community Support to ask your question to be closed:
http://www.experts-exchange.com/Community_Support/
LVL 9

Expert Comment

by:lojk
ID: 17129534
As I said before, rpggamergirl, format and fresh prep is *nearly always* the best way to go... Copying the data to another machine with *decent* antivirus will scrub the files during the copy process, ready for when you copy them back.

I have just put a fiver on my table to say that this poor bod might be posting a similar question in a few weeks... :-(