Cannot run any AV software

Discussion in 'Malware Help (A Specialist Will Reply)' started by PhilC, Apr 1, 2009.

  1. PhilC

    PhilC Private E-2

    I tried to run through the steps of the READ & RUN ME FIRST as asked.
    When I got to downloading MGtools, nothing happens, it takes me to a randon page of MG.com but does not download anything.
    I continued on.
    When trying to run the programs, SuperAntiSpyware will not run. AntiMalware will not run. Renaming them did not help.
    After reading the (alarming sounding) info for running ComboFix, I decided to ask for help before doing that.

    I run WinXP Home/ SP2
    On DSL with MSN Premium.

    A little more history if it helps:
    Computer crashed 4 days ago from a sudden power outage while I was online, and had to be recovered. I lost everything - the HP recovery disk should have warned that it doesnt try to repair anything - it reformats and reinstalls! I was... angry. HAd I known, I would have not touched it and taken it to a pro.
    I set about reinstalling things I need, and before I got protection installed and running it was infected. Happened FAST!

    I began getting the Spyware Protect 2009 popups, every 15 seconds. Found numerous sites with removal info, all somewhat different. It did calm down after stopping it with Task Manager and finding it in C:\program files and deleting the program. I searched for a hundred various other filenames and found none of them, and found none of the listed registry keys either.
    But, it's not gone. I downloaded Malwarebytes Anti Malware, it will not run, no matter what I do, even renaming it and selecting update and run during setup.

    Nortons finds trojan.fakealert and cannot remove or quarantine it.
    AdawareAE finds win32Trojan.Olmarik and cannot remove it. Adaware keeps rescanning non-stop and generating error messages like "Adaware encountered a problem and shut down". I finally uninstalled it since it has no OFF button.

    I've sat here for the better part of four days and am at my wits end.
     
    PhilC, Apr 1, 2009
    #1
  2. PhilC

    PhilC Private E-2

    Follow up-
    I found the SmitfraudFix and ran it.
    Logs posted below.
    Afterward, I ran Nortons, it now finds nothing.
    I tried to run Anti Malware, it still won't run.
    SuperAntiSpy now runs the setup and installed, but when I run it, it instantly generates the "SUPERAntiSpyware Application has encountered a problem and needs to close. We are sorry for the inconvenience. Please tell Microsoft about this problem..." message.

    First log from SmitfraudFix:
    --------
    SmitFraudFix v2.405

    Scan done at 18:34:08.89, Wed 04/01/2009
    Run from C:\Documents and Settings\HP_Owner\Desktop\SmitfraudFix\SmitfraudFix
    OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
    The filesystem type is
    Fix run in normal mode

    »»»»»»»»»»»»»»»»»»»»»»»» Process

    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    c:\Program Files\Common Files\Symantec Shared\ccProxy.exe
    c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    c:\Program Files\Norton Internet Security\ISSVC.exe
    c:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
    c:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    c:\program files\aim toolbar\aimtbServer.exe
    c:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    c:\Program Files\Common Files\LightScribe\LSSrvc.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\WINDOWS\system32\HPZipm12.exe
    c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\windows\system\hpsysdrv.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\AGRSMMSG.exe
    C:\WINDOWS\system32\hphmon06.exe
    C:\HP\KBD\KBD.EXE
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\WINDOWS\ALCWZRD.EXE
    C:\WINDOWS\ALCMTR.EXE
    C:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
    C:\Program Files\Java\jre6\bin\jusched.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
    C:\Program Files\MSN\MSNCoreFiles\msn.exe
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Internet Explorer\Iexplore.exe
    C:\Program Files\Internet Explorer\Iexplore.exe
    C:\Program Files\Internet Explorer\Iexplore.exe
    C:\Program Files\Internet Explorer\Iexplore.exe
    C:\WINDOWS\system32\cmd.exe

    »»»»»»»»»»»»»»»»»»»»»»»» hosts

    hosts file corrupted !

    91.212.65.122 browser-security.microsoft.com

    »»»»»»»»»»»»»»»»»»»»»»»» C:\


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32

    C:\WINDOWS\system32\iehelper.dll FOUND !

    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles


    »»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\HP_Owner


    »»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\HP_Owner\LOCALS~1\Temp


    »»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\HP_Owner\Application Data


    »»»»»»»»»»»»»»»»»»»»»»»» Start Menu


    »»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\HP_Owner\FAVORI~1


    »»»»»»»»»»»»»»»»»»»»»»»» Desktop


    »»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


    »»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


    »»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
    "Source"="About:Home"
    "SubscribedURL"="About:Home"
    "FriendlyName"="My Current Home Page"


    »»»»»»»»»»»»»»»»»»»»»»»» o4Patch
    !!!Attention, following keys are not inevitably infected!!!

    o4Patch
    Credits: Malware Analysis & Diagnostic
    Code: S!Ri



    »»»»»»»»»»»»»»»»»»»»»»»» IEDFix
    !!!Attention, following keys are not inevitably infected!!!

    IEDFix
    Credits: Malware Analysis & Diagnostic
    Code: S!Ri



    »»»»»»»»»»»»»»»»»»»»»»»» Agent.OMZ.Fix
    !!!Attention, following keys are not inevitably infected!!!

    Agent.OMZ.Fix
    Credits: Malware Analysis & Diagnostic
    Code: S!Ri


    »»»»»»»»»»»»»»»»»»»»»»»» VACFix
    !!!Attention, following keys are not inevitably infected!!!

    VACFix
    Credits: Malware Analysis & Diagnostic
    Code: S!Ri


    »»»»»»»»»»»»»»»»»»»»»»»» 404Fix
    !!!Attention, following keys are not inevitably infected!!!

    404Fix
    Credits: Malware Analysis & Diagnostic
    Code: S!Ri


    »»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
    !!!Attention, following keys are not inevitably infected!!!

    SrchSTS.exe by S!Ri
    Search SharedTaskScheduler's .dll


    »»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
    !!!Attention, following keys are not inevitably infected!!!

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
    "AppInit_DLLs"=""


    »»»»»»»»»»»»»»»»»»»»»»»» Winlogon
    !!!Attention, following keys are not inevitably infected!!!

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
    "Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"
    "System"=""


    »»»»»»»»»»»»»»»»»»»»»»»» RK



    »»»»»»»»»»»»»»»»»»»»»»»» DNS

    Description: Realtek RTL8139/810x Family Fast Ethernet NIC - Packet Scheduler Miniport
    DNS Server Search Order: 192.168.0.1
    DNS Server Search Order: 205.171.3.65

    HKLM\SYSTEM\CCS\Services\Tcpip\..\{E0FCFACF-CAE5-441B-8E2C-B639734A474A}: DhcpNameServer=192.168.0.1 205.171.3.65
    HKLM\SYSTEM\CS1\Services\Tcpip\..\{E0FCFACF-CAE5-441B-8E2C-B639734A474A}: DhcpNameServer=192.168.0.1 205.171.3.65
    HKLM\SYSTEM\CS3\Services\Tcpip\..\{E0FCFACF-CAE5-441B-8E2C-B639734A474A}: DhcpNameServer=192.168.0.1 205.171.3.65
    HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.0.1 205.171.3.65
    HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.0.1 205.171.3.65
    HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=192.168.0.1 205.171.3.65


    »»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection


    »»»»»»»»»»»»»»»»»»»»»»»» End

    --------------

    Second log from SmitfraudFix:
    ------------
    SmitFraudFix v2.405

    Scan done at 18:41:22.32, Wed 04/01/2009
    Run from C:\Documents and Settings\HP_Owner\Desktop\SmitfraudFix\SmitfraudFix
    OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
    The filesystem type is
    Fix run in safe mode

    »»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
    !!!Attention, following keys are not inevitably infected!!!

    SrchSTS.exe by S!Ri
    Search SharedTaskScheduler's .dll

    »»»»»»»»»»»»»»»»»»»»»»»» Killing process


    »»»»»»»»»»»»»»»»»»»»»»»» hosts

    127.0.0.1 localhost
    ::1 localhost
    91.212.65.122 spyware-protector-2009.com
    91.212.65.122 www.spyware-protector-2009.com
    91.212.65.122 secure.spyware-protector-2009.com
    91.212.65.122 knocker

    »»»»»»»»»»»»»»»»»»»»»»»» VACFix

    VACFix
    Credits: Malware Analysis & Diagnostic
    Code: S!Ri


    »»»»»»»»»»»»»»»»»»»»»»»» Winsock2 Fix

    S!Ri's WS2Fix: LSP not Found.


    »»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

    GenericRenosFix by S!Ri


    »»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

    C:\WINDOWS\system32\iehelper.dll Deleted

    »»»»»»»»»»»»»»»»»»»»»»»» IEDFix

    IEDFix
    Credits: Malware Analysis & Diagnostic
    Code: S!Ri



    »»»»»»»»»»»»»»»»»»»»»»»» Agent.OMZ.Fix

    Agent.OMZ.Fix
    Credits: Malware Analysis & Diagnostic
    Code: S!Ri


    »»»»»»»»»»»»»»»»»»»»»»»» 404Fix

    404Fix
    Credits: Malware Analysis & Diagnostic
    Code: S!Ri


    »»»»»»»»»»»»»»»»»»»»»»»» RK


    »»»»»»»»»»»»»»»»»»»»»»»» DNS

    HKLM\SYSTEM\CCS\Services\Tcpip\..\{E0FCFACF-CAE5-441B-8E2C-B639734A474A}: DhcpNameServer=192.168.0.1 205.171.3.65
    HKLM\SYSTEM\CS1\Services\Tcpip\..\{E0FCFACF-CAE5-441B-8E2C-B639734A474A}: DhcpNameServer=192.168.0.1 205.171.3.65
    HKLM\SYSTEM\CS3\Services\Tcpip\..\{E0FCFACF-CAE5-441B-8E2C-B639734A474A}: DhcpNameServer=192.168.0.1 205.171.3.65
    HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.0.1 205.171.3.65
    HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.0.1 205.171.3.65
    HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=192.168.0.1 205.171.3.65


    »»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


    »»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
    !!!Attention, following keys are not inevitably infected!!!

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
    "System"=""


    »»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

    Registry Cleaning done.

    »»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
    !!!Attention, following keys are not inevitably infected!!!

    SrchSTS.exe by S!Ri
    Search SharedTaskScheduler's .dll


    »»»»»»»»»»»»»»»»»»»»»»»» End

    ------------
     
    PhilC, Apr 1, 2009
    #2
  3. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Welcome to Major Geeks!


    Please follow the instructions in the READ & RUN ME FIRST link given futher down and attach the requested logs when you finish these instructions.

    • If you have problems where no tools seem to run, please try following the steps given in the below and then continue on no matter what you find. You only need to try the TDSSserv steps if having problems getting scans in the Read & Run Me First.
    • If something does not run, write down the info to explain to us later but keep on going.
    • Do not assume that because one step does not work that they all will not.
    READ & RUN ME FIRST. Malware Removal Guide


    Helpful Notes:


    1. If you run into problems trying to run the READ & RUN ME or any of the scans in normal boot mode. You can run steps in safe boot mode but make sure you tell us what you did later when you post logs. See the below if you do not know how to boot in safe mode:

    2. If you have problems downloading on the problem PC, download the tools and the manual updates for SUPERAntiSpyware, Malwarebytes and Spybot ( links are given in the READ & RUN ME) onto another PC and then burn to a CD. Then copy them to the problem PC. You will have to skip getting updates if (and only if) your internet connection does not work. Yes you could use a flash drive too but flash drives are writeable and infections can spread to them.
    3. To avoid addtional delay in getting a response, it is strongly advise that after completing the READ & RUN ME you also read this sticky Don't Bump! It Only Hurts You!!!. Any additional post is a bump which will add more delay. Once you attach the logs, your thread will be in the work queue and as stated our system works the oldest threads FIRST.
     
    TimW, Apr 5, 2009
    #3
  4. PhilC

    PhilC Private E-2

    Thank you, but as I said when I began, I tried to run through all the steps in the Read and Run Me First guide.

    At any rate, I kept reading on this forum and found a utility that forced SuperAntiSpyware to run. Found these:
    Rootkit.cloaked/service-Gen (3)
    adware.tracking.cookie (7)
    Rootkit.agent/Gen-UAFCFake (2)

    Then afterward, Anti-Malware would finally run. Found these:
    Trojan.Vundo.H (2)
    Rootkit.Agent (1)
    Trojan.Agent (6)
    Rootkit.Trace (1)

    Then Nortons found one more...
    Backdoor.Trojan (1)

    I've now updated Windows and IE, and ran everything again, all clean, everthing is working well.

    The forums here were a great help!
    Thanks!
     
    PhilC, Apr 5, 2009
    #4
  5. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Good to know...but curious as to what "utility" you used to run the two programs.
     
    TimW, Apr 9, 2009
    #5

MajorGeeks.Com Menu

Downloads All In One Tweaks \ Android \ Anti-Malware \ Anti-Virus \ Appearance \ Backup \ Browsers \ CD\DVD\Blu-Ray \ Covert Ops \ Drive Utilities \ Drivers \ Graphics \ Internet Tools \ Multimedia \ Networking \ Office Tools \ PC Games \ System Tools \ Mac/Apple/Ipad Downloads

Other News: Top Downloads \ News (Tech) \ Off Base (Other Websites News) \ Way Off Base (Offbeat Stories and Pics)

Social: Facebook \ YouTube \ Twitter \ Tumblr \ Pintrest \ RSS Feeds