Cannot run antimalware tests.

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by amolari, Jun 7, 2008.

  1. amolari

    amolari Private E-2

    As soon as I did open a zip file containing extra voices for a TomTom, my AVG antivirus and my Firewall did disappear, running Spybot returned a "no internet connection" message ( internet connection was OK), so no update available, could not run the program as clicking on it gave no result.
    Could not complete "Read this First " tests.
    Did download Malwarebytes, Superantispyware, asquaredfree, comboFix, and MGtools.
    The first three did run without being updated and only removed some irrelevant traces.
    ComboFix (CF.exe) did not run. HijackThis does not run but MGtools did run from the C: root, and gave a log I have available.

    Please help!
    Thank You
     
  2. abri

    abri MajorGeek

    Hi amolari,
    Welcome to Major Geeks!


    Please attach any logs which were requested in the READ & RUN ME and which you were able to get. This would be MalwareBytes, SuperAntiSpyware, Combofix and MGlogs.zip. If you have all four logs, you will need to post twice as you can only attach 3 things per post.

    Thanks.
    abri
     
  3. amolari

    amolari Private E-2

    I don't know what to think anymore.... The "manage attachments" doesn't do anything. I'll upload as I can. There go Hijack :
     

    Attached Files:

    • HJT.txt (9.2 KB)
    Last edited by a moderator: Jun 7, 2008
  4. amolari

    amolari Private E-2

    In meantime a scan with Ad-aware 2007 has been able to find the following:
    Root:HKLM Path: system\controlset001\enum\root\legacy_srosa.
    Root:HKLM Path: system\controlset001\services\srosa.
    Root:HKLM Path: system\currentcontrolset\enum\root\legacy_srosa.
    Root:HKLM Path: system\currentcontrolset\services\srosa.
    But it has been unable to delete or quarantine them.
     

  5. abri

    abri MajorGeek

    Hi amolari,

    The infection you listed is a serious one and needs to be removed. It will help us a lot to have the logs we requested and in the form we requested. Please try to complete all the instructions in the READ & RUN ME FIRST and in any situation where you run into a problem, make a note of it to report to us, and then continue on. After we have the logs, we will be in a better position to help you. Also, please be so kind as to attach the HJT log which was removed, as it may be needed still. If you find you are not able to do any of the instructions, please describe what happens.

    Thanks.
    abri
     
  6. amolari

    amolari Private E-2

    Hi Abri, thank you for your help. Spybot won't run, and every time I reboot, scandisk wants to check and "clean" disk C. I stop it, but if the computer should restart unattended probably will reformat C:.
     

  7. abri

    abri MajorGeek

    Hi amolari,

    Please do not use your computer too much until we can get a set of instructions posted to you. This takes some time, so thanks for being patient. You have some hidden files which are contributing to the other problems.

    abri
     
  8. abri

    abri MajorGeek

    Hi amolari,

    Open your Windows Live Messenger, go to Help -> Customer Experience Improvement Program and turn it off. Then go to C:\ and delete all the files with this structure: sqmnoopt12.sqm or sqmdata04.sqm. You don't need them.

    Next, please go to add/remove programs and uninstall Spybot S&D. After you uninstall it, reboot your computer and then install it from this location. Be sure that UAC is turned off when you install it and that you don't install Teatimer with it.

    Spybot S&D Installing & Running - MAKE SURE YOU DO NOT LET THE TEATIMER BE INSTALLED!!!!

    After you complete the installation, see if you're able to update it and run it?

    I would like for you to use Combofix to delete two files. The instructions will have you copy and paste a bit of text from here into Notepad and store it to the desktop. Please follow these instructions:


    • Make sure that combofix.exe (cf.exe) that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
    • If it is not on your Desktop, the below will not work.
    • Open Notepad and copy/paste the text in the below code box into it (make sure you scroll all the way down in the code box to get all lines selected ):


    Code:
    KILLALL::
    
    File::
    C:\Users\Angelo\AppData\Local\Temp\CabDE4D.tmp
    C:\Users\Angelo\AppData\Local\Temp\TarDE4E.tmp
    
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe (cf.exe)
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below


    Note: Do not mouseclick combofix's window while it is running. That may cause it to stall.


    The infection you have evidence of does not seem to be active on your system. Let's do a Registry Search to see if there are keys left over that can be removed. To do this,


    Download Registry Search (see the link titled RegSearch Download Link )
    • Extract the files from Regsearch.zip into a folder.
    • Doubleclick regsearch.exe to start the program.
    • Enter srosa in the top area of the form and then click "Ok".
    • Notepad will be opened with text in it (the file named RegSearch.txt will be saved in the program's folder as well). Attach this file to your next reply.
    I'll wait to hear back from you.
    abri
     
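A PowerShell check added here as an example (it is not part of this thread and not one of the tools abri names): it queries the locations Ad-Aware listed in post 4 for the srosa entries post 8 asks to search for, and extends that check to every control set. The $suspectName variable and both functions are assumptions of this example.

```powershell
# Added example, not from this thread or from any tool it mentions: a read-only
# triage of the registry locations Ad-Aware reported for the "srosa" service
# (post 4), checked in every ControlSet00N plus CurrentControlSet. Run from an
# elevated PowerShell prompt; nothing is deleted. Caveat: a kernel-mode rootkit
# can hide its keys from a live query, which is why offline-capable tools are
# used for the removal itself.

$suspectName = 'srosa'   # indicator from the thread; the variable is my own

function Resolve-ServiceImagePath {
    param([string]$RawPath)
    if (-not $RawPath) { return $null }
    $p = $RawPath.Trim('"') -replace '^\\\?\?\\', ''     # strip \??\ prefix
    $p = $p -replace '^\\SystemRoot', $env:SystemRoot     # \SystemRoot\... form
    if ($p -notmatch '^[A-Za-z]:\\') {                    # system32\drivers\x.sys form
        $p = Join-Path $env:SystemRoot $p
    }
    return $p
}

function Get-SuspectServiceEntries {
    param([Parameter(Mandatory)][string]$Name)
    $hits = @()
    $controlSets = Get-ChildItem 'HKLM:\SYSTEM' |
        Where-Object { $_.PSChildName -match '^(ControlSet\d{3}|CurrentControlSet)$' }

    foreach ($cs in $controlSets) {
        $base = "HKLM:\SYSTEM\$($cs.PSChildName)"

        # Services\<name>: the persistence entry itself (driver or Win32 service).
        $svcKey = "$base\Services\$Name"
        if (Test-Path -LiteralPath $svcKey) {
            $svc    = Get-ItemProperty -LiteralPath $svcKey
            $file   = Resolve-ServiceImagePath $svc.ImagePath
            $exists = $null
            if ($file) { $exists = Test-Path -LiteralPath $file -PathType Leaf }
            $hits += [pscustomobject]@{
                ControlSet = $cs.PSChildName
                Kind       = 'Service'
                ImagePath  = $svc.ImagePath
                FileExists = $exists
                Start      = $svc.Start   # 0 boot, 1 system, 2 auto, 3 manual, 4 disabled
                Type       = $svc.Type    # 1 kernel driver, 2 FS driver, 16/32 Win32 service
            }
        }

        # Enum\Root\LEGACY_<NAME> is written by the PnP manager once a kernel-mode
        # service has been loaded, so it is evidence the driver actually ran.
        $legacyKey = "$base\Enum\Root\LEGACY_$($Name.ToUpper())"
        if (Test-Path -LiteralPath $legacyKey) {
            $hits += [pscustomobject]@{
                ControlSet = $cs.PSChildName; Kind = 'LegacyEnum'
                ImagePath  = $null; FileExists = $null; Start = $null; Type = $null
            }
        }
    }
    return $hits
}

$found = Get-SuspectServiceEntries -Name $suspectName
if ($found) { $found | Format-Table -AutoSize }
else { "No '$suspectName' service or LEGACY_ entries in any control set." }
```

A service whose ImagePath points at a file that no longer exists, or a LEGACY_ key with no matching Services entry, is the kind of leftover the RegSearch step in post 8 is meant to surface.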
  9. amolari

    amolari Private E-2

    Thank You Abri. This is what did happen:
    cleaned sqmnoopt one to 17, sqmdata 1 to 17. Deleted S&D, downloaded again, on installation a message: "a connection with the server could not be established".
    Combofix with your TWO LINES of text provoked a restart and disappeared.
    Registry search gave me a report which I am attaching.
    Please don't give up on me. I am shutting down this machine, and using a portable so I am able to receive your message.
     

  10. abri

    abri MajorGeek

    Hi amolari,

    1) The instance of srosa found in your registry is in a SuperAntiSpyware folder, indicating it's in quarantine. Please go to add/remove programs and uninstall SuperAntiSpyware.

    2) After you complete the uninstall, run CCleaner.

    Then I would like for you to do the following:

    3) Download The Avenger by Swandog46, and save it to your Desktop.
    • Extract avenger.exe from the Zip file and save it to your desktop
    • Run avenger.exe by double-clicking on it.
    • Do not change any check box options!!
    • Copy everything in the Quote box below, and paste it into the Input script here: part of the window:
    • Now click the 'Execute' button.
    • Click Yes to the prompt to confirm you want to execute.
    • Click Yes to the Reboot now? question that will appear when Avenger finishes running.
    • Your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt

    4) Run CCleaner again.

    5) After you uninstalled Spybot S&D using add/remove programs, did you reboot before you tried to download it again? If so, please go to How to uninstall - Spybot S&D

    and look for the very small link called "this very small fix" in light blue. This should uninstall any remaining entries you have in your computer for Spybot.

    Then go to the link I gave you in Post 8 for downloading and installing Spybot. Tell me if you are able to download it, install it, update it and run it this time.

    Please note: If you are unable to reach the download site for the installation program, it may be necessary for you to download the installation program to another computer and transfer the installation program to your computer with an external medium like a cd or flash drive.

    6) Please attach the Avenger log and let me know how things went.

    Thanks.
    abri
     
    Last edited: Jun 12, 2008
  11. amolari

    amolari Private E-2

    Hi I am writing from the portable. This is what did happen:
    I did remove superAntiSpy, ran CCleaner, downloaded Avenger, that basically said:
    "Error: registry key"\Registry\Machine\System\CurentControlSet\Services\srosa" not found!
    Error : file "c:\users\Angelo\Appdata\Local\Temp\CabDE4D.tmp" not found!
    Run Ccleaner.
    Then I went to how to uninstall Spybot S&D, and went to "This very small fix" where I got a list, I don't know how to use. So embarrassed, I went to regedit and deleted every line described in the "very small fix" list. Most of them were not there. Just few of them.
    Feeling very positive, I downloaded the new Spybot Search & Destroy, but during installation I got the message "Error sending request. A connection with the server could not be established"
    I downloaded another copy of it into a memory stick, but during installation, I got the very same message.
    A very concerning issue is that on every reboot I get that Scandisk black screen, saying it will scan the disk (I stop it, but remember having my disk C reformatted in front of my eyes), and now I have another quick BLUE screen where it says something about memory dump.
    I know we are near. Thank you much for all your patience and effort.
    I am sitting here, waiting for you
    Thank You.
     
  12. abri

    abri MajorGeek

    Hi amolari,

    The tmp file was probably not found because it's a temporary file. The srosa file was not found because the only remaining one was in your SAS quarantine. The scan disk and the dump screen are indications that you have problems with your hard drive which could be hardware or software, but in any case which need to be attended to.

    Let's do the following first.

    Go to Start and click on My Computer.
    In the window that opens up, right-click on your C:\ drive and select Properties.
    Go to the Tools tab.
    In the top part of the tools tab you'll see an error check where the disk will be checked for errors. Click on the button there which might say start check or something similar to this. Allow it to run. This will take some time and as it scans the disk, it will be looking for errors which need to be fixed and it will attempt to fix them.

    After you've completed this, tell me how it went.

    Then I would like for you to do a check of your system files as well.

    To do this, go to Start / Run and type (or copy/paste) in sfc /scannow <----- (the space between sfc and the / is important)
    click on okay
    Allow the scan to run. If it finds good files which have been overwritten by bad files, it will attempt to replace them with the original good file.

    Let me know how this goes as well.
    If you have any questions, please ask.
    Thanks.
    abri
     
  13. amolari

    amolari Private E-2

    Thank You Abri.
    Scandisk ran OK (made me sweat!), and sfc scannow went OK, I don't know of replaced files. Computer rebooted OK. I tried to reinstall and run Spybot, but I had the same message "no connection" etcetera.
    I am tempted to do some tests myself, but rather sit duck and wait for you. I am shutting down and checking your answer with another computer. Thank You.
     
  14. abri

    abri MajorGeek

    Hi amolari,
    Is there any chance that Spybot is being blocked by your firewall?
    abri
     
  15. amolari

    amolari Private E-2

    Dear Abri, I have a pair of alpinist boots up in the attic. The one with nails.
    I ordered my wife to put the right on and kick me in the butt. So I am writing standing up.
    I am seeing the message on PCTools firewall that tells me it cannot connect to the internet, so PCtools is not working, but I didn't know I had a Vista Firewall Control 1.1.1. As soon I did uninstall both of them, I downloaded Spybot S&D, run it, immunize, scan, and the result was: Doubleclick, two instances, which I deleted.
    Now what?
    I just tried my AVG, and got the message that it is not a valid win32 application.

    Sorry about my mistake. I need your help more than ever.
     
  16. abri

    abri MajorGeek

    Hi amolari,

    I'm going to ask you to do things slightly backwards. Please go to How to Protect Yourself from Malware and download one of the free antivirus installation programs (only the installation program - don't install it yet). Choose one which is not AVG. Make a note of where you download it to so you can find it later.

    Then I want you to physically disconnect your computer from the internet and disable AVG. Once you've disabled it, uninstall it. I believe you can use add/remove programs to uninstall AVG. Be sure to reboot after you uninstall it and do not reconnect to the internet just yet.

    Still disconnected from the internet, please find the installation program for the free antivirus program you selected and allow it to install. Once it's installed, reconnect your computer to the internet and immediately allow it to update. Then run a complete scan of your computer and let me know if it finds anything.

    If you get the same message about not being a Win32 application, I need to know this. This is one of the symptoms of the virus you had, but it's also possible you're getting this because AVG7 is not valid anymore. They switched to a security suite which still has a few bugs in it.

    Let me know how this goes?

    abri
     
  17. amolari

    amolari Private E-2

    Hi Abri, I followed your instructions, and at installation time, PC tool antivirus, alerted me that I have installed a "Trend Micro PC-cillin internet security 2007".

    I stopped, and checked with Install-remove programs and Ccleaner, and didn't find that program; so after installing it, reconnect internet, UPDATE with no problem, I ran a full scan. Near the end of the scan, the computer froze.
    I restarted, re-run the complete scan with zero detections.

    Is this it? Am I off the hook? Can I reinstall ONE firewall?

    Thank You, Abri. Waiting for your reply.
     
  18. abri

    abri MajorGeek

    Hi amolari,

    You have folders (both dated June 6th) in C:\Program Files for Trend Micro and for Panda Security.

    If you go to Start / All Programs, is there a Trend Micro folder? If so, see if their removal tool is in the folder. If not, check the folder C:\Program Files\Trend Micro and see if there is an uninstaller in there.

    Then do the same steps for Panda Security.

    Let me know if you are able to remove these using their uninstallers?

    abri


     
  19. amolari

    amolari Private E-2

    No. No uninstaller. The content of Trend is Hijackthis.exe, and the content of Panda, folder "activesscan 20", are "as2stubie.dll, libcom.dll, npwrapper.dll".
    May I just delete them?

    Abri, for your next answer, could you tell me if it is possible to partition the C disk in order to have a D where to move all my data? Is it safer this way?
    Thank You
     
  20. abri

    abri MajorGeek

    Hi amolari,

    You don't need to remove Trend Micro's HijackThis unless you want to. As for Panda Security, just delete the whole folder: C:\Program Files\Panda Security

    Then do the following:

    1) Download and install Erunt. Use it to create a backup of your registry.

    2) Please copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the File Type is set to "all files". Once you have saved it, look for it on your desktop and when you find it, double-click it and allow it to merge with the registry.
    3) Now run CCleaner at the default setting with the Windows tab as the top one.

    Let me know if you get a success message for the registry patch REGEDIT4 ?
    abri
     
  21. amolari

    amolari Private E-2

    Hi Abri, Panda folder deleted, Erunt installed but gave errors:
    Error saving file C:\Windows\ERUNT\2008-6-12\Security!
    Continue to next file?
    [RegCreateKeyEx 5 - Access is denied]
    Same for \Software\system\Default\Sam\Compon~3\BCD. At that point I stopped trying.

    PCTools antivirus and the newly installed PCTools Firewall, asked to update but when doing it, computer froze couple of times. Do I still have a virus?

    The addition to Registry ran without problems.
     
  22. abri

    abri MajorGeek

    Hi amolari,

    You don't have signs of further malware. Go ahead with the final cleanup instructions. Wait with setting a clean restore point until you feel comfortable that your computer is running okay.
    abri
     
  23. amolari

    amolari Private E-2

    Abri, Thank You Very Much. System is running smoothly.

    Just why I can see srosa.reg in my c: drive? I did delete it and it came back.

    Anyhow, I am more than happy with the system running as is, I did reinstall PCTools Firewall and Avast Antivirus. Made a clean restore point as you advised.

    Abri, thank you, thank you very much.
     
  24. abri

    abri MajorGeek

    Hi amolari,

    Could you tell me the exact pathway of srosa.reg? Is it directly under C:\
    Or make a screen shot of it?

    Thanks.
    abri
     
  25. amolari

    amolari Private E-2

    Yes, right on C: root, Screenshot inside.
     

  26. abri

    abri MajorGeek

    Hi amolari,

    If you're deleting and it's coming back and you have Spybot's Teatimer disabled, let's see if it can be removed with Avenger. It's odd that it's there.



    Now download The Avenger by Swandog46, and save it to your Desktop.
    • Extract avenger.exe from the Zip file and save it to your desktop
    • Run avenger.exe by double-clicking on it.
    • Do not change any check box options!!
    • Copy everything in the Quote box below, and paste it into the Input script here: part of the window:
    • Now click the 'Execute' button.
    • Click Yes to the prompt to confirm you want to execute.
    • Click Yes to the Reboot now? question that will appear when Avenger finishes running.
    • Your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt


    After your computer reboots, run CCleaner.

    abri
     
  27. amolari

    amolari Private E-2

    Abri, no good, after running Avenger, the computer would not restart, and I had to restore to the point you suggested I make after cleaning (thank you).


    Now I believe it is time to save the data, partition the disk in order to move the data, and recover C:

    Do you have any suggestion on how to partition the disk without losing or moving the data?

    Thank you.
     
  28. abri

    abri MajorGeek

    Hi amolari,
    Before you repartition and reformat, please allow chaslang to look through your thread and see if I overlooked something. There are characteristics of this infection which are not showing in your computer, which makes it difficult to interpret why you've been able to use any of the tools at all and yet this one file stubbornly remains. It would be worth waiting to see if he has anything to add. The problem with reformatting is if this file is coming in from a different source, then chances are, it will simply come back again even if you go to all the trouble of reformatting.
    I've asked him to look at it and I expect that would be in a few hours.
    abri
     
  29. amolari

    amolari Private E-2

    After several tries, Avenger went thru. It gave me a log I attached. But I had the blue screen with the memory dump as before, the difference is the computer DID come back.
     

  30. abri

    abri MajorGeek

    ah! It deleted it!

    And ... did you mean that the file came back after you ran Avenger or the computer came back after the Blue Screen? Could you see if the file's gone this time or if it's still there?

    abri
     
  31. amolari

    amolari Private E-2

    It's GONE, Abri, is gone!

    I did restart the computer several times, and tried things I could not start before, like a 'defragger' and other programs that did not run before. I checked with windows explorer in the root of C: and srosa is not listed.

    That's it! Thank You again for all your effort and interest. If you ask me why Avenger did not work the first time, I don't know, because the procedure was exactly the same, but what matters is that the problem is solved.

    Still, now I would like to partition the disk, so, in any event I must reformat, won't lose the data.

    Thank You a million times.

    amolari.
     
  32. abri

    abri MajorGeek

    Avenger is a complex tool, so it's not completely surprising it took several runs. If you want help with repartitioning, you can get the most input by starting a thread in the Software Forum. I hope this at least gives you a breather now. Thanks for not giving up.
    abri
     
