nickg5 asked:
System infected: cannot open any desktop icons, AVG, IE, etc.

I was able to get here thru Firefox.
I know these files are infected:
windows\syssvc.exe
system32\iehelper.dll

Windows keeps telling me I'm infected, but all these "unknown virus scanners" pop up.
I think it is malware, but Malwarebytes won't open from my desktop; nothing opened except Firefox.

nickg5 (ASKER):
Barely able to submit this question due to all the popups.


nickg5 (ASKER):
ytbb.exe is infected........endless warnings from Windows....
I cut my system off within 5 seconds of the attack. I'm pretty sure it was malware.

nickg5 (ASKER):
Windows is preventing me from doing anything....closing, yes or no always is the wrong answer to clear my damn screen so I can see what is what.
Windows keeps wanting to let Antivirus System Pro do a scan. It's already done one....

nickg5 (ASKER):
According to some unknown source.....the threat is Win32/Nuqel.E

nickg5 (ASKER):
Also infected: igfxserv.exe

nickg5 (ASKER):
A couple other files said to be infected are:
logonIE.exe and rundll.32

I rebooted in safe mode,
did a system restore to Oct. 4th,
rebooted in safe mode again.
Doing an AVG scan, but it's on the "command" page, and I have not used this much, so I'm not sure if AVG will remove any infections or if I'll need to give some command.

Anyone with detailed help on what I should do next?

nickg5 (ASKER):
AVG is finding a lot of locked files.
All are local service, network service, local settings, ntuser.dat, pagefile.sys, etc.

Due to safe mode?

nickg5 (ASKER):
I guess running AVG and Malwarebytes in safe mode is of no value?

What about downloading new versions using Firefox? Can't open any program from my desktop except in safe mode.

Is Antivirus System Pro a Microsoft product? It parks itself in my tool bar near the clock.
Nick..... what brand is your computer? Model? ..... Do you have your drivers and restore discs?

nickg5 (ASKER):
Custom made. I have an Intel Express Installer driver CD and a Windows XP disc; never heard of a restore disc.
This is not my first attack....maybe the 4th, so I've gotten through them before with a series of steps........without safe mode......
This one could be unique.

Are all my safe mode scans of zero value since I am in safe mode?

nickg5 (ASKER):
Intel Desktop board D945Gcz

nickg5 (ASKER):
A few system32 files locked from AVG in safe mode:
system32
\default
\sam
\security
\software and software.log
\system and system.log
Hello Nick.... I feel bad for you... you have been dealing with all these issues for months now....
Although, on the bright side.....you've learned a lot about your system, viruses, startup items, services, etc....
My last advice on your initial post, after clearing out all the malware and spending days on it remains......After a severe infestation.....many files are damaged.......at this point you have repaired, got infested again....repaired.....if you want to go through this again....trust me.....it's a can of worms........
 

nickg5 (ASKER):
Oh well, the AVG scan is over in the command box, but it disappeared from my screen.
My only choices in the command line composer is start scan or close.
SOLUTION (BitsBytesandMore)
This solution is only available to members.
If you need assistance on how to wipe it out and start fresh...let me know.
By the way..... don't install any 3rd party software until we get your machine working clean and fully protected....

nickg5 (ASKER):
All I know to do is locate the thread from many months ago on my last infection and follow the instructions, if I can find it, but this infection seems to make all shortcuts on the desktop unable to be opened.

I can wait here in safe mode for some instructions.

BitsBytesandMore:
what is your advice as I wait for others who might want to jump in?

I've got to remove these infections one way or the other.
I've got my system, monitor, on a surge protector, and that button is a few inches from my left knee. I saw the warning of a malware attack and immediately killed power to everything.

How can I run Malwarebytes? Is that any help?

After spending many hours ... you can probably repair your computer.....but again: after spending many hours or days. At the end....it will be in a working condition but you will have all kinds of "bugs" and/or "lingering problems"....

nickg5 (ASKER):
Firefox lost its ability to locate the EE server, so I'm using IE.

"Time-wise it would have been better and more efficient if you backed up all your data and did a clean install of Windows XP. Reinstalled your drivers and favorite programs".

Can you provide a list of the drivers you mention above?

Backup data is totally unknown to me. I've been asked to do that many times. Do not know how. PERIOD. And the instructions were too advanced for me. I've never used a floppy.

I have no problem spending the next many hours fixing things. Nothing better to do.
>>>> ok, suppose I'm ok doing that, many hours, what is the current answer on how to access diagnostic tools in normal mode?

So, what has been infected? My Windows XP?
The drivers are specifically for your system....this is why I asked you before if you had the drivers disc....
You can download them from this site and save them to a safe place.....an external drive, a flash drive.....
http://www.intel.com/support/motherboards/desktop/D945GCZ/
 
In your case specifically..... your most important driver to have is the one for your ethernet (Network Card or NIC)..... if you don't have this one you will not be able to connect to the internet to download anything else...
These are the drivers you will need..... make sure you save them onto a CD, external hard drive...anywhere off the computer that you can later access.... Also make sure you download the ones for "YOUR" OS .... if you are using XP, it would make no sense to download the one for Vista......(some of the drivers say that will work on several OS's.... this is Ok..)
SOLUTION
This solution is only available to members.

nickg5 (ASKER):
save them onto a CD, external hard drive...anywhere off the computer that you can later access

download them from this site and save them to a safe place.....an external drive, a flash drive

Do not know how to save anything like above.
-----------------
After spending many hours ... you can probably repair your computer.....but again: after spending many hours or days. At the end....it will be in a working condition but you will have all kinds of "bugs" and/or "lingering problems"....

Can the above be Step 1.....and re-install, drivers etc. be Step 2...?

nickg5 (ASKER):
Here are 2 threads from last time:
https://www.experts-exchange.com/questions/23991702/my-computer-is-still-infected-and-what-about-my-identity.html
and another thread within the one above.

nickg5 (ASKER):
IE is THE BEST in safe mode.......!!    fast, quick,
ASKER CERTIFIED SOLUTION
This solution is only available to members.
Nick... when you are in safe mode you are not loading anything else but the most essential drivers and services for Windows to work. This is why IE is working fast.
If you do not know how to save files, it might not be a good idea to do a clean install because if you get stuck on the way and lose access to the internet ......without someone to advise you, ... you will be in deep trouble.
At this point I would suggest you click on the "Request Attention" button at the top of the screen (at the right of your question).... try to request that rpggamergirl look into this issue and assist you....she is the most knowledgeable person I know in regards to removing and repairing virus and malware damage.
Make sure she is aware ....(make her aware) ....of the history of this issue. You do not have to type everything out....just point her (copy the links of the questions) to the last 3 or 4 threads so she can review the repair steps taken and the results.....
SOLUTION
This solution is only available to members.
Experts,
If I may, and with all due respect....before replying to this question, it would be wise and would help a lot more if you would please take a look at the background of this problem. We have been driving Nick "Nuts"......
This is the first one I saw.....but it is my understanding that there was a previous one:
 http://www.experts-exchange.com/Software/Internet_Email/Web_Browsers/Internet_Explorer/Q_24767067.html
This is the one that followed:
http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Windows/XP/Q_24774412.html
 Bits.
SOLUTION
This solution is only available to members.

nickg5 (ASKER):
warturtle:
I can boot in normal mode, but when I first booted today, any attempts to download anything from the desktop resulted in a lot of popup warnings and unwanted websites opening themselves.
I've been in safe mode since.

Kelly:
I could not open up Malwarebytes in safe mode.
I went into safe mode and ran AVG. It found some locked files but as far as it removing anything I'm not sure it did.
Are you saying to run Combofix in safe mode and re-boot and do the other steps in normal mode?
I did not think Combofix would FIX anything until its results were looked at and certain entries removed.

pankusareen:
does Download FREE Bootable Rescue CDs from Kaspersky involve burning to a CD?

Also been away from my pc for 3 hours...........sorry.
You can download ComboFix on a USB disk and then transfer it to the PC or alternatively, you can download in safe mode and reboot in normal mode and run it.

Hello again Nick,
I thought I had been through before when I explained how to remove viruses and/or malware..... I guess I wasn't:

Go into Safe Mode.
Then go to this website and download these programs:

MalwareBytes Anti Malware.... http://www.malwarebytes.org/mbam.php  
and/or SuperAntiSpyware http://www.superantispyware.com/  

Make sure you update to the latest versions.

Once downloaded (you may need to rename MalwareBytes, Combofix or other tools before saving their files to the desktop as Malware can recognize the name and block them unless renamed)

While still in Safe Mode, Go to Start-Run and type:

Msconfig

Once in the application, go to the Services tab, check "Hide all Microsoft services", select the remaining and disable. Then go to the Startup tab and disable all entries.

Reboot.

After the system boots it will give you a warning regarding the changes made by msconfig. Select do not warn me again.

Now you can run the anti Malware applications recommended above.
 
If the problem persists...go to http://www.bleepingcomputer.com/combofix/how-to-use-combofix  and follow the instructions.  

nickg5 (ASKER):
BitsBytesandMore:
Sure, I knew all those instructions; did them last week.
However, that was just a couple IE issues and not an actual attack like I had last night.

I thought last night's REAL attack was totally different than the reason for what we did last week.
-----------------------------------
warturtle:
I was in safe mode and ran Combofix. (my error on a log, I was thinking of HijackThis - but I do have the combo fix log from today).
I had to proceed without disabling AVG. I could not disable it and tried to just remove it and re-download. I could not un-install AVG because 1 file could not be found.

The Combofix deleted 2 files:
Windows\Installer\1283ffc.msi
Windows\system32\msblcd32.dll
Do they mean anything to anyone?

It rebooted my system in normal mode, and there is a log if someone should see it.

I am not getting any security alerts or anything. No current indication of infiltrations.

I should be able to run Malwarebytes.com and
repeat the process I did last week with help from BitsBytesandMore:

BitsBytesandMore:
Since that article on yahoo answers about the "sigmatel shutdown end of program" thing, did not work, I'll try disabling all the entries in the startup tab within Msconfig (as suggested by the 1st responder in that other thread) and see if that helps. If so, I can go back and re-enable them one at the time to eliminate the one causing the problem.
Nooooo....wait.....
The " ....as suggested by the 1st responder ...." advice was troubleshooting advice......it was only the first step towards eliminating which one of the entries in your "Startup Items" was creating the problem...... unfortunately he never answered you again and clarified this for you....
By the way....we don't know if the yahoo answers about the "sigmatel shutdown end of program" thing worked or not since you got yourself infected before actually rebooting ...and testing...
Nick.... really .... I'm serious about this.... I posted a set of instructions for you to follow in order...... you are not following them..... first you've got to get the machine clean..... NO TESTING OF THIS OR THE OTHER..... it first has to be clean......
Follow the instructions above..... then ..... after we know it's clean... you troubleshoot any "lingering issues".....
By the way Nick.... Once you see the message about Malware ..... you're already infected. Things like:
 ".....I've got my system, monitor, on a surge protector, and that button is a few inches from my left knee. I saw the warning of a malware attack and immediately killed power to everything...."
can actually damage your hard drive.....never ....never....kill it like that....Those things are only on TV......


nickg5 (ASKER):
BitsBytesandMore:
Sorry....I do not see any instructions above, where you told me to repeat last week's fix. I see instructions about drivers and backup disc, re-install, etc. I asked if getting things in workable condition could be step one and then re-install step two.

I see the below: (after someone suggested combofix and those other 2 members posted their comments) >>> I will now do the following <<< (I could not do the below because I could not boot in normal mode due to the popups and warnings and unwanted sites opening up very quickly, I could not run Malwarebytes, it could not be opened from my desktop).

I can now do the below (vvvvvvvv) since my system seems stable and no indications of any problems. I apologize for not knowing how to do those other things, drivers, etc. before the Combofix comment.

(vvvvvvvv)
Go into Safe Mode.
Then go to this website and download these programs:

MalwareBytes Anti Malware.... http://www.malwarebytes.org/mbam.php 
and/or SuperAntiSpyware http://www.superantispyware.com/ 

Make sure you update to the latest versions.

Once downloaded (you may need to rename MalwareBytes, Combofix or other tools before saving their files to the desktop as Malware can recognize the name and block them unless renamed)

While still in Safe Mode, Go to Start-Run and type:

Msconfig

Once in the application, go to the Services tab, check "Hide all Microsoft services", select the remaining and disable. Then go to the Startup tab and disable all entries.

Reboot.

After the system boots it will give you a warning regarding the changes made by msconfig. Select do not warn me again.

Now you can run the anti Malware applications recommended above.
 
If the problem persists...go to http://www.bleepingcomputer.com/combofix/how-to-use-combofix  and follow the instructions.  
There are many ways of dealing with Malware.....the problem is that everyone will tell you a different way.... and most of them are right.....there are 100 ways of doing the same thing...just stick to one way until you understand it.
The most basic thing you need to do is to disable the startup items, disable all non-Microsoft services and sometimes even disable System Restore.....depending on the malware.....
I remember talking about this with you......this is the most basic approach to diagnosing any problem whether it be malware or other issue.....
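As an added example (not from the thread, and not the experts' own procedure), here is a read-only PowerShell inventory of what the msconfig Startup and Services tabs in the steps above would disable: the Run/RunOnce keys, the Startup folders, and services whose binary is not Microsoft-signed. It assumes PowerShell 5.1 or later, so it targets a current Windows host rather than the XP box in the thread, and it uses the Authenticode signer as an approximation of msconfig's "Microsoft service" check.

```powershell
# Added example (not from the thread): a read-only inventory of the autostart
# locations that msconfig's "Startup" and "Services" tabs manage, so the list
# can be reviewed before anything is disabled. Nothing here changes settings.
# Assumes PowerShell 5.1+ on Windows; "Microsoft service" is approximated by signer.

# Registry Run/RunOnce keys: most of what the "Startup" tab shows.
$RunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

function Get-RunKeyEntries {
    foreach ($key in $RunKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            # Get-ItemProperty adds PSPath/PSParentPath/... metadata; skip it.
            if ($p.Name -like 'PS*') { continue }
            [pscustomobject]@{ Location = $key; Name = $p.Name; Command = $p.Value }
        }
    }
}

# Startup folders: the per-user and all-users "Startup" program groups.
function Get-StartupFolderEntries {
    $folders = @([Environment]::GetFolderPath('Startup'),
                 [Environment]::GetFolderPath('CommonStartup'))
    foreach ($folder in $folders) {
        if (-not (Test-Path $folder)) { continue }
        Get-ChildItem -Path $folder -File | ForEach-Object {
            [pscustomobject]@{ Location = $folder; Name = $_.Name; Command = $_.FullName }
        }
    }
}

# Services whose binary is not Microsoft-signed: roughly what remains after
# "Hide all Microsoft services". PathName may be quoted and carry arguments, so
# extract the executable first; svchost-hosted services resolve to a Microsoft binary.
function Get-NonMicrosoftServices {
    Get-CimInstance -ClassName Win32_Service | ForEach-Object {
        $exe = if ($_.PathName -match '^"([^"]+)"') { $Matches[1] } else { ($_.PathName -split ' ')[0] }
        $signer = '<unsigned or binary not found>'
        if ($exe -and (Test-Path -LiteralPath $exe)) {
            $sig = Get-AuthenticodeSignature -FilePath $exe
            if ($sig.Status -eq 'Valid') { $signer = $sig.SignerCertificate.Subject }
        }
        if ($signer -notmatch 'Microsoft') {
            [pscustomobject]@{ Service = $_.Name; StartMode = $_.StartMode
                               State = $_.State; Binary = $exe; Signer = $signer }
        }
    }
}

Get-RunKeyEntries        | Format-Table -AutoSize
Get-StartupFolderEntries | Format-Table -AutoSize
Get-NonMicrosoftServices | Format-Table -AutoSize
```

Anything listed under "<unsigned or binary not found>" with a path outside the Windows or Program Files folders is the first thing to compare against the files named earlier in the thread.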

nickg5 (ASKER):
I'll repeat the above, and then run combo fix again.
My system shows no indication of virus.
I ran AVG in safe mode before any comments were made. That may or may not have removed anything.
The scan results disappeared.

I'll leave the sigmatel thread open until the rest is done.

If no one here has a comment on the two files removed by Combofix or seeing the Combofix log, I guess I can close this.

I did not do pankusareen's idea, but it can be given points as something that can be of future help.
I am not knowledgeable on doing backup discs, etc.
I do have two Kingston USB DataTravelers; one is 1GB and the other is 2GB (never used).





nickg5 (ASKER):
The most basic thing you need to do is to disable the startup items, disable all non-Microsoft services and sometimes even disable System Restore.....depending on the malware.

ok...............good..........

I'll run Malwarebytes again and also check those IE problems from last week, but as I said yesterday, they were back, and the only hint I had as to why was my system had not been re-booted for 11 hours.
I have not been able to review that thread or any others.
The attack last night was after I had detected a return of the IE browsers that can not load pages.

with things workable I can aggressively explore the re-install of XP?

The first thing you need to know is how to save your drivers to your Kingston USB drive..... it is basically saving the download to whatever drive letter your system assigns to your flash drive....
Once you have all your drivers......you can play and play knowing that you can recover your system within an hour or so if you make any mistake or get attacked by any malware.... but you need to learn first....how to install your XP and how to install the drivers.... do a Google search..... it's easy..
Here is the link again.....save (download) all the drivers to your Kingston Flash drive...
Understand...you must read it...what each one is for..... the most important one is the one for your ethernet or you will be "incommunicado"....

nickg5 (ASKER):
BitsBytesandMore:

Here is the link again.....save (download) all the drivers to your Kingston Flash drive...

...did you intend to provide a link?
SOLUTION
This solution is only available to members.

nickg5 (ASKER):
Everything seems to be working the way it was before the attack.
Before any one responded to my question, I ran AVG in safe mode and did a system restore back to Oct. 4th, 2 days before the attack.

I ran Combofix and will also complete the process detailed in comment 25509330 above.


I have not used Kaspersky Rescue C or a registry cleaner at this point:

nickg5 (ASKER):
The first mention of combofix was by Kelly_W.
I've used that before and went straight to it.