• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 968
  • Last Modified:

Task Manager disabled, Winfixer trojan + others, HijackThis log

There are constant "Windows Security Alert" dialog boxes telling me to download an anti spyware program and telling me that the computer is making unauthorised copies of the system. The Task Manager is disabled "by the Administrator" as is the Add/Remove Programs, System Restore and I guess everything else. I installed and ran Superantispyware and it identified Winfixer and SpyCrush among the 6,500+ nasties. While I told Superantispyware to remove these, as I could not disable System Restore, I think Winfixer is still there. I googled for Task Manager disabled and found a symantec help page which suggested this was a trojan called Vicsfram. Along with the instructions was a tool to restore the registry so that I could use Regedit. This actually worked. I removed the lines in the registry as indicated and now I get some unknown errors where the filenames and lots of little squares.
Some time ago someone tried to upgrade Trend Micro antivirus. They told the pc owner that this was fixed, but in fact it appears that it was not installed and Trend Micro shows up an out of date warning. It looks as if the last update was in August. When I first tried to install the upgrade, I got lots of weird error messages. After I ran Superantispyware and fiddled with the registry, I tried again with the Trend Micro installer. This time I got it to run, but it came up with a dialog box telling me that Windows needed to be updated. It's running XP sp1.
So I hooked up to the internet again, and tried to get to the Windows update link, only to find that it wouldn't/couldn't continue because of problems on the computer which needed to be solved first.
So, here I am - I cannot upgrade Trend Micro to do a full scan. I cannot upgrade Windows. I cannot seem to get anything to work.
I ran HijackThis and  analysed it in hijackthis.de and this the link (I think) http://www.hijackthis.de/logfiles/b78eebb48410c426bf38d887bfb53648.html

While I'm waiting for an answer from you, I think I have found an SP2 update file which I will try to run. In the meantime, just where should I start with this mess?
0
JillC
Asked:
JillC
  • 9
  • 8
  • 5
  • +2
1 Solution
 
actemiumCommented:
Hi,

Did you try a system restore in safe mode ?
0
 
JillCAuthor Commented:
Anything like that gets a "The operation has been cancelled due to restictions in effect on this computer. Please contact your administrator" dialog box. Even in Safe Mode.

Since I posted this, I have managed to install SP2 (I think - although there were those kinds of error messages, I think it went through. Can't get to Control Panel yet.

I installed Avira Antivir and it is currently running through. I realise it's not a clever thing to do to have 2 antivirus programs on the one pc but I don't think Trend Micro is working. Anyway, Antivir has found lots of trojans and nasties, but it has been running for just over 2 hours and is still only at 60%. However, the Windows Security Alerts have stopped so I think it has quarantined whatever was causing that.

So, presuming Antivir finishes sometime soon, what will be my next task? There are lots of problems listed in the HijackThis log but I don't know how to fix them.
0
 
actemiumCommented:
Maybe try a virusscanner which you can start from a DOS bootfloppy so you bypass the OS on the Hard Disk.

0
Technology Partners: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 
JillCAuthor Commented:
Is there such a thing?
0
 
actemiumCommented:
0
 
upul007Commented:
Hi,

Not a good predicament to be in.

Had two similar issues and it took me a lot of time to rectify. Before mentioning what I did, need to check with you:

1. The registry entries that you fixed, was it according to instructions on that web page or did you modify/delete data on your own?

2. When you right click My Computer > Properties > System Restore tab - you should be able to turn off system restore from there (dont do it now though). Why cant you do this.

To id and remove unwanted programs:

1. Use system restore to restore back to an earlier date time before you deleted the registry keys.

2. Download and install SpyBot S&D, use the tea timer option as well. - http://www.safer-networking.org/

3. Update this program and run - CHECK FOR PROBLEMS > FIX PROBLEMS

4. Boot in safe mode - re-run Spybot S&D and fix as before.

Hope this helps you.



4.
0
 
IndiGenusCommented:
This computer is pretty seriously infected. Likely that virus or spyware scanners will not fix it at this point. You have many infections going on here as indicated by your HJT log. Including Smitfraud, some SDBots, and various other garbage. The first thing I would advise you to run is SDFix, then Combofix, then upload the logs along with a new HJT log.

Upload logs here, and provide a link when done.

Please download SDFix and save it to your Desktop.
http://downloads.andymanchesta.com/RemovalTools/SDFix.exe 

You should print out these instructions, or copy them to a NotePad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site.

Double click on SDFix.exe. It should automatically extract a folder called SDFix to your system drive (usually C:\). Please reboot your computer in Safe Mode by doing the following :
Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, a menu with options should appear;
Select the first option, to run Windows in Safe Mode, then press "Enter".
Choose your usual account.

Open the SDFix folder and double click on RunThis.bat to start the script.
Type Y and press Enter to begin the script.
It will start cleaning your PC and then prompt you to press any key to Reboot.
Press any key to restart the PC.
Your system will take longer than normal to restart as the fixtool will be removing files.
When the desktop loads the Fixtool will complete the removal and display Finished.
Press any key to end the script and to load your desktop icons.
A text file should automatically open, so please copy the contents and upload it.

------------------------------------------------------------------------------------------------

Download and Run ComboFix

http://download.bleepingcomputer.com/sUBs/Beta/ComboFix.exe

Disconnect from the Internet, than disable your Anti-virus and any real-time Anti-spyware monitors that are running.
Then double click Combofix.exe & follow the prompts.
When finished, it will produce a log for you. Please upload the log to the following link and let us know once it's there, providing a link to it. Also post a new HJT log.

Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall.
Note 2: Remember to re-enable your Anti-virus and Anti-spyware before reconnecting to the Internet.

0
 
IndiGenusCommented:
Sorry forgot to post log upload link:

http://www.ee-stuff.com
0
 
JillCAuthor Commented:
Hi upul007,

The registry deletions were as per instructions on the Symantec Trojan.Vicsfram page. This is a seriously compromised pc - I cannot get to Control Panel, Add/Remove, Task Manager etc. I cannot even use the Safely Remove Hardware button to remove my USB drive which I'm using to install programs like Antivir.

Hi IndiGenus,

Thanks so much for your instructions. The truth is I had to go home before Antivir had completed. It took forever to pass over the TrendMicro folder, but once done, TrendMicro popups occurred telling me it had found infections of the trojan Zlob and something else. There were 5/6 popups so I think that confirmed my suspicion that Trend Micro had been infected or blocked by a malware. Anyway, when I got this morning the scan had stopped waiting for an ok to deny access to something. So, it has still not finished scanning. In the meantime I looked up Zlob and Vundo which appear to be the most frequent malwares listed. They don't look nice! So far 146 detections.

I will try to follow your instructions, though as far as possible I am trying to do this without being connected to the internet. I don't know how to disable Trend Micro - I have already looked for this because I wanted to run AntiVir - do you have any clues as to how I might do this bearing in mind I cannot get to TaskManager but I can run  Regedit.


0
 
JillCAuthor Commented:
Hi IndiGenus,

Thinks are really looking up now. After I ran SDFix I found that the right click functions were available again and I was able to disable TrendMicro - so please ignore previous message.

I have uploaded 3 files for you to look at:
https://filedb.experts-exchange.com/incoming/ee-stuff/5109-sdfixreport.txthttps://filedb.experts-exchange.com/incoming/ee-stuff/5110-combofixlog.txt
https://filedb.experts-exchange.com/incoming/ee-stuff/5111-hijackthis.txt
https://filedb.experts-exchange.com/incoming/ee-stuff/5143-kasperskyreport3.txt
https://filedb.experts-exchange.com/incoming/ee-stuff/5113-avscan.txt
https://filedb.experts-exchange.com/incoming/ee-stuff/5130-kasperskyreport.txt
https://filedb.experts-exchange.com/incoming/ee-stuff/5131-hijackthis2.txt
https://filedb.experts-exchange.com/incoming/ee-stuff/5132-kasperskyreport2.txt


Behaving much better now. All normal functions are back - Task Manager, Add/Remove etc. Still taking a while to load up (however that may be because I now have 2 antivirus fighting it out).

A couple of times during the Combofix procedure I got a dialog box entitled "RUNDLL" saying "Error loading C:\WINDOWS\system32\myfcsqsk.dll"

What now?
0
 
actemiumCommented:
Are you able nowto start system restore ?
So yes..do a restore ..go 2 months back..
0
 
IndiGenusCommented:
It's possible a system restore could work here...but I have found that systems that are this infected that the restore points are usually quite infected as well.

I'll get back to you in a while Jill on the logs.

Regards,
Dave
0
 
IndiGenusCommented:
Hi Jill,

Question, did you install the My Secret Codes toolbar? If so then it's up to you whether or not you want to keep it. Some of the .dll's may contain spyware. I would advise you remove it using Add or Remove Programs.

Also, if Winfixer is in your Add or Remove Programs uninstall it. It's obviously a rogue program.

I would also advise you to remove one of your Antivirus programs. Having two can cause system slowdown, conflicts, errors, false positives, ect...

Looking much better.

--------------------

Run HijackThis. Hit None of the above, Click Do a System Scan Only. Put a Check in the box on the left side on these:

O3 - Toolbar: (no name) - {07AA283A-43D7-4CBE-A064-32A21112D94D} - (no file)
O4 - HKLM\..\Run: [5cf9917a] rundll32.exe "C:\WINDOWS\System32\myfcsqsk.dll",sitypnow
O4 - HKCU\..\Run: [WinFixer2005] "C:\Program Files\WinFixer  2005\uwfx5.exe" /min
O4 - Global Startup: Gator eWallet.lnk = C:\Program Files\Gator.com\Gator\Gator.exe
O4 - Global Startup: GStartup.lnk = C:\Program Files\Common Files\GMT\GMT.exe
O20 - Winlogon Notify: opnkkii - opnkkii.dll (file missing)

Then close all windows except this one and press Fix checked.

--------------------

Delete the following files and folders. NOTE: You may need to enable the viewing of hidden files and folders.

C:\WINDOWS\System32\myfcsqsk.dll
C:\Program Files\WinFixer
C:\Program Files\Gator.com
C:\Program Files\Common Files\GMT\GMT.exe

--------------------

I would advise an online virus scan at this point.

Using Internet Explorer, run Kaspersky Online Scanner
http://www.kaspersky.com/kos/eng/partner/default/kavwebscan.html
   
* Click 'Accept' in the window that pops up.
* You will be prompted to install an ActiveX component from Kaspersky, Click on the information bar and select Install ActiveX Control if so. This may happen more than once. That is OK. You also may get a warning from your Windows Firewall. You can tell it to unblock.
* The program will launch and then start to download the latest definition files.
* Once the scanner is installed and the definitions downloaded, click 'Next'.
* Now click on 'Scan Settings'
* In the scan settings make sure that the following are selected:
          o Scan using the following Anti-Virus database: 'Extended' (If available, otherwise 'Standard')
          o Scan Options: 'Scan Archives' and 'Scan Mail Bases'
* Click 'OK'
* Now under 'Select a target to scan' select 'My Computer'
* The scan will take a while, so be patient and let it run. Once the scan is complete, it will display whether your system has been infected.
* Now click on the 'Save Report As...' button:
* Make sure it says Save as a text file - change it if not
* Save the file to your desktop.

Please upload the Kaspersky report and a new HijackThis log.

0
 
actemiumCommented:
"IndiGenus:
It's possible a system restore could work here...but I have found that systems that are this infected that the restore points are usually quite infected as well."

This is not my experience.....but give it a try..saves a lot of work..

0
 
upul007Commented:
Yes, you should disable system restore completely before fully removing the adware/malware.

You can also use the VundoFix tool to be found at http://wiki.castlecops.com/Vundo_Rootkit_Detection_and_Removal_Procedure

To be on the safe side, use Spybot S&D (link given above) as well as Lavasoft's Ad-Aware (http://www.lavasoftusa.com/)

Just in case, also download and use the stinger tool set to clean/repair only in its preferences. Thing is, if its Vundo, the McAfee site will not be accessible till you use the other tools. Nifty and painful marketing gimmick that is used by that company which sort of disables access to all other anti virus software sites.

Stinger - http://vil.nai.com/vil/stinger/

Once you are free of this diabolical nuisance, please re-enable system restore on your pc.
0
 
IndiGenusCommented:
I would say that I have to respectfully disagree with disabling system restore until the computer is clean, to make sure we clear out the infection. I understand that Symantec recommends this and I don't agree with them either. My reasoning is twofold.

1. The only way you can get infected from these restore points is if you DO a system restore.
2. A "bad" restore point is better than none at all. Meaning if something were to go wrong during the fix at least there is something to fall back on.

This is the way I have been trained in the Anti-Malware forums and I have to say it makes sense based on those facts. And I do understand the argument for turning it off...that is the way I used to do it also before being "educated" on proper malware cleaning.

A Kaspersky scan log will show those infections in the restore points also. And when the user is all clean then a new restore point can be set.

Just my opinions.

Thanks,
Dave
0
 
IndiGenusCommented:
Also, Combofix has already dealt with the Vundo infection.
0
 
JillCAuthor Commented:
Thank you all for your input so far. The only drawback in living at the far end of the earth is that when I post a question on a forum, everybody else is asleep and it is often the next day before I get a response. So, it is nice to get comprehensive answers. :)

About System Restore - yes, I was trying to disable System Restore initially because everything I read told me to do this and run Vundofix but as I was unable to and the help desk that I initially used to post this question was full of information about using this and other similar fixes.

Let me tell you the history of this PC. It is owned by a little old lady who is just shy of 80. She had an old PC using dialup which was quite sufficient for her to send an email or 2 and book a golf game online. But her daughter got a new computer and decided to hand over this one to Mum. So they set it all up for her and changed her dialup to broadband. Her grandson uses the computer mostly. He's had a mental breakdown and although in his late 20's he has difficulty asking for help. So, the antivirus license ran out, all sorts of problems occurred, but he reassured his grandmother that it was alright. Anytime that she went to use the computer, she would look at all the error messages and just wish she hadn't thrown out her old one, then give up. This has been going on for months. I'm not at all confident that System Restore would go back far enough to find a date when the system was clean.

Hi IndiGenus,

I removed the toolbar and also eGator wallet but Winfixer was not listed.

Antivirus - As mentioned before, the daughter has paid for an upgrade to Trend Micro 2008 but did not install it successfully. So the Trend Micro currently running is an out-of-date version with an out-of-date database. However, as it's been paid for, I will want to get it installed if possible. I have sent a help request direct to Trend Micro and as yet all I've received is an autoresponder promising to respond to me within 48 hours - that was several days ago. So this was the reason I installed AntiVir. I can remove it - but that will mean the system is virtually without an antivirus program.

So far, Antivir has blocked several attempts by Trojan/Zlob to run.

I disabled both antiviruses and started an online scan from Kaspersky. After a bit more than an hour, I noticed it was sitting at 58% and trolling through the trendmicro folder. A couple of hours later it was still there. After 5 1/2 hours it was still only 59% and still stuck in the trendmicro folder. I just cannot complete my day's work without being hooked up to the internet - so I had to disconnect and plug my cable back into my own pc. I created a log file anyway.

I think my best option will be to remove Trend Micro entirely as it appears to be corrupt and/or infected.

The files for you have been uploaded.

Thanks, Jill.
0
 
IndiGenusCommented:
Hi Jill,

Kaspersky is getting hung up in there likely because there is so much in the Trend Micro quarantine folder. If you can't get through the full scan just empty out that folder and try again. I still see some other stuff related to Gator and some other "odds and ends" in there that we can clean up. HJT looks pretty clean. There are a couple of poker site entries in there that can be removed if you don't see them being used.

O9 - Extra button: Doyles Room Poker - {40B2063F-DB01-4962-BE63-59435C01283C} - C:\PROGRA~1\DOYLES~1\client.exe
O9 - Extra button: Bodog Poker - {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - C:\Program Files\Bodog Poker\BPGame.exe

If those programs exist they should be removed also. Up to you on that.

If you can get Kaspersky to finish that would be great, then I'll put a list of stuff you should remove along with a tool to do so. You really need to get down to running one Antivirus and if it's Trend Micro that is fine. If it needs to be re-installed and you have the means to do so that is fine also. Just make sure to update it, then Antivir needs to be removed.
0
 
JillCAuthor Commented:
Hi IndiGenus,

Ok another Kaspersky log has been uploaded.

I removed those 2 poker games and a couple of others.

I decided to have another go at upgrading Trend Micro - this time I got a warning message telling me that the pc was running less than the minimum memory required! I looked it up on the website and found that the minimum is 256mb RAM 512mb recommended. This system is running 240Mb RAM so I guess some is used up by a video card or something. I took this is a sign. I uninstalled Trend Micro. Although I hadn't noticed that there were a lot of files still there so the online scan got bogged down again so I removed a stack of files in the middle of the scan and eventually Kaspersky picked up speed again.

What a bother!  Looking forward to your next instruction.

Jill.

0
 
IndiGenusCommented:
Hi Jill,

Okay to clean up delete these folders, CMEII and DashBar. They should be located here:

C:\Program Files\Common Files\CMEII
C:\Program Files\DashBar

Click START then Run...
Now type Combofix /u in the run box  and click OK.

This will clean up after combofix and set a new restore point for you, cleaning out the bad ones.

And yes, I would definitely recommend adding another 256mb of RAM. You will notice a definite improvement in performance and RAM is so cheap nowadays. I find XP likes to have at least 512mb. It will run with less but at a noticeable drop in performance. And you will be able to run your Trend Micro, which is a good AV. Let me know if you have any questions.

Hope this helps.
Dave
0
 
JillCAuthor Commented:
Ok, it's looking good. Starting up much faster. Only one question, I think. Sometimes, when I click on the Start button there is a dialog box which says "Some items cannot be shown ..." It is already using small icons and there appears to be heaps of white space. It seems to be misreporting this. Is there anything to do about that?

Jill.
0
 
IndiGenusCommented:
Hi Jill,

Hmm...honestly no, not sure why it would do it. I know that is a common little pop up that is seen, but never really "gets in the way". Maybe someone else will chime in with an idea here. I certainly don't think it's malware related or anything to be concerned about.

Regards,
Dave
0
 
souseranCommented:
JillC:

Re "Some Items Cannot Be Shown," see this article:

http://www.pcmag.com/article2/0,1759,1961473,00.asp
0
 
JillCAuthor Commented:
Thanks souseran,

I had already tried adjusting those settings without luck. Never mind. If it's not malware related it's not worth bothering about.

Jill.
0

Featured Post

Who's Defending Your Organization from Threats?

Protecting against advanced threats requires an IT dream team – a well-oiled machine of people and solutions working together to defend your organization. Download our resource kit today to learn more about the tools you need to build you IT Dream Team!

  • 9
  • 8
  • 5
  • +2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now