Need help removing virus/malware

t1plus1 · Mar 29, 2013

I believe my computer has been infected with a virus and I am unable to remove it. I was trying to download a program called "DVD Flick" from their website but the download link ended up downloading other programs instead including a zip-file program, a dvd program (other than dvd flick), and an uninstaller program that went with them.

My computer is now having issues. Most of my icons on the desktop are not responding when clicked. i can still use firefox. I am unable to use malewarebytes, system restore, ccleaner, system recovery (both in normal mode and safe mode).

I tried installing a new version of malewarebytes and had a ieframe.dll error message.

I am using an emachines desktop running windows xp service pack 3.

Any help you can give would be appreciated.

Thank you.

t1plus1 · Mar 30, 2013

Sorry, I did not see the email about what to do before making a post. I have since followed the instructions.

I am unable to open programs using the icons on the desktop. Also the icons that are normally beside the Start button have disappeared. I am using windows XP 32bit. Certain programs will not open at all such as microsoft word, ccleaner, malwarebytes, system restore, etc.

I have followed all of the instructions that were provided in the Read and Run First section. The logs are attached. the only program I was unable to run was Malwarebytes, i have even tried reinstalling it on my machine (does not work in safe mode either). The messages I get when using malwarebytes are: "CoCreateInstance Failed, Code 0x80040154 class not registered" (happens during installation). And also after installation when trying to run the program "Run Time Error 372 Failed to load control "webbrowser" from ieframe.dll. your version of ieframe.dll may be outdated. Make sure you are using the version of the control that was provided with your application."

thank you,

t1plus1

Kestrel13! · Apr 2, 2013

If you do not use Windows Messenger Run this Disable/Remove Windows Messenger to remove Windows Messenger. Do not confuse Windows Messenger with MSN Messenger because they are not the same. Windows Messenger is a frequent cause of popups.

http://img805.imageshack.us/img805/9659/rktigzy.gif Fix items using RogueKiller.

Double-click RogueKiller.exe to run. (Vista/7 right-click and select Run as Administrator)
When it opens, press the Scan button
Now click the Registry tab and locate these 3 detections:

[TASK][SUSP PATH] At16.job : C:\Documents and Settings\All Users\Application Data\4xG2Ip4t.exe -> FOUND

[TASK][SUSP PATH] At15.job : C:\Documents and Settings\All Users\Application Data\4xG2Ip4t.exe -> FOUND

[TASK][SUSP PATH] At14.job : C:\Documents and Settings\All Users\Application Data\4xG2Ip4t.exe -> FOUND

[TASK][SUSP PATH] At13.job : C:\Documents and Settings\All Users\Application Data\4xG2Ip4t.exe -> FOUND

[TASK][SUSP PATH] At12.job : C:\Documents and Settings\All Users\Application Data\4xG2Ip4t.exe -> FOUND

[TASK][SUSP PATH] At11.job : C:\Documents and Settings\All Users\Application Data\4xG2Ip4t.exe -> FOUND

[TASK][SUSP PATH] At10.job : C:\Documents and Settings\All Users\Application Data\4xG2Ip4t.exe -> FOUND

[TASK][SUSP PATH] At1.job : C:\Documents and Settings\All Users\Application Data\4xG2Ip4t.exe -> FOUND

[TASK][SUSP PATH] At25.job : C:\Documents and Settings\All Users\Application Data\4xG2Ip4t.exe_ -> FOUND

[TASK][SUSP PATH] At24.job : C:\Documents and Settings\All Users\Application Data\4xG2Ip4t.exe -> FOUND

[TASK][SUSP PATH] At23.job : C:\Documents and Settings\All Users\Application Data\4xG2Ip4t.exe -> FOUND

[TASK][SUSP PATH] At22.job : C:\Documents and Settings\All Users\Application Data\4xG2Ip4t.exe -> FOUND

[TASK][SUSP PATH] At21.job : C:\Documents and Settings\All Users\Application Data\4xG2Ip4t.exe -> FOUND

[TASK][SUSP PATH] At20.job : C:\Documents and Settings\All Users\Application Data\4xG2Ip4t.exe -> FOUND

[TASK][SUSP PATH] At2.job : C:\Documents and Settings\All Users\Application Data\4xG2Ip4t.exe -> FOUND

[TASK][SUSP PATH] At19.job : C:\Documents and Settings\All Users\Application Data\4xG2Ip4t.exe -> FOUND

[TASK][SUSP PATH] At18.job : C:\Documents and Settings\All Users\Application Data\4xG2Ip4t.exe -> FOUND

[TASK][SUSP PATH] At17.job : C:\Documents and Settings\All Users\Application Data\4xG2Ip4t.exe -> FOUND

[TASK][SUSP PATH] At34.job : C:\Documents and Settings\All Users\Application Data\4xG2Ip4t.exe_ -> FOUND

[TASK][SUSP PATH] At33.job : C:\Documents and Settings\All Users\Application Data\4xG2Ip4t.exe_ -> FOUND

[TASK][SUSP PATH] At32.job : C:\Documents and Settings\All Users\Application Data\4xG2Ip4t.exe_ -> FOUND

[TASK][SUSP PATH] At31.job : C:\Documents and Settings\All Users\Application Data\4xG2Ip4t.exe_ -> FOUND

[TASK][SUSP PATH] At30.job : C:\Documents and Settings\All Users\Application Data\4xG2Ip4t.exe_ -> FOUND

[TASK][SUSP PATH] At3.job : C:\Documents and Settings\All Users\Application Data\4xG2Ip4t.exe -> FOUND

[TASK][SUSP PATH] At29.job : C:\Documents and Settings\All Users\Application Data\4xG2Ip4t.exe_ -> FOUND

[TASK][SUSP PATH] At28.job : C:\Documents and Settings\All Users\Application Data\4xG2Ip4t.exe_ -> FOUND

[TASK][SUSP PATH] At27.job : C:\Documents and Settings\All Users\Application Data\4xG2Ip4t.exe_ -> FOUND

[TASK][SUSP PATH] At26.job : C:\Documents and Settings\All Users\Application Data\4xG2Ip4t.exe_ -> FOUND

[TASK][SUSP PATH] At43.job : C:\Documents and Settings\All Users\Application Data\4xG2Ip4t.exe_ -> FOUND

[TASK][SUSP PATH] At42.job : C:\Documents and Settings\All Users\Application Data\4xG2Ip4t.exe_ -> FOUND

[TASK][SUSP PATH] At41.job : C:\Documents and Settings\All Users\Application Data\4xG2Ip4t.exe_ -> FOUND

[TASK][SUSP PATH] At40.job : C:\Documents and Settings\All Users\Application Data\4xG2Ip4t.exe_ -> FOUND

[TASK][SUSP PATH] At4.job : C:\Documents and Settings\All Users\Application Data\4xG2Ip4t.exe -> FOUND

[TASK][SUSP PATH] At39.job : C:\Documents and Settings\All Users\Application Data\4xG2Ip4t.exe_ -> FOUND

[TASK][SUSP PATH] At38.job : C:\Documents and Settings\All Users\Application Data\4xG2Ip4t.exe_ -> FOUND

[TASK][SUSP PATH] At37.job : C:\Documents and Settings\All Users\Application Data\4xG2Ip4t.exe_ -> FOUND

[TASK][SUSP PATH] At36.job : C:\Documents and Settings\All Users\Application Data\4xG2Ip4t.exe_ -> FOUND

[TASK][SUSP PATH] At35.job : C:\Documents and Settings\All Users\Application Data\4xG2Ip4t.exe_ -> FOUND

[TASK][SUSP PATH] At9.job : C:\Documents and Settings\All Users\Application Data\4xG2Ip4t.exe -> FOUND

[TASK][SUSP PATH] At8.job : C:\Documents and Settings\All Users\Application Data\4xG2Ip4t.exe -> FOUND

[TASK][SUSP PATH] At7.job : C:\Documents and Settings\All Users\Application Data\4xG2Ip4t.exe -> FOUND

[TASK][SUSP PATH] At6.job : C:\Documents and Settings\All Users\Application Data\4xG2Ip4t.exe -> FOUND

[TASK][SUSP PATH] At5.job : C:\Documents and Settings\All Users\Application Data\4xG2Ip4t.exe -> FOUND

[TASK][SUSP PATH] At48.job : C:\Documents and Settings\All Users\Application Data\4xG2Ip4t.exe_ -> FOUND

[TASK][SUSP PATH] At47.job : C:\Documents and Settings\All Users\Application Data\4xG2Ip4t.exe_ -> FOUND

[TASK][SUSP PATH] At46.job : C:\Documents and Settings\All Users\Application Data\4xG2Ip4t.exe_ -> FOUND

[TASK][SUSP PATH] At45.job : C:\Documents and Settings\All Users\Application Data\4xG2Ip4t.exe_ -> FOUND

[TASK][SUSP PATH] At44.job : C:\Documents and Settings\All Users\Application Data\4xG2Ip4t.exe_ -> FOUND

Place a checkmark each of these items, leave the others unchecked.
Now press the Delete button.

...and the same for these items on the file/folder tab please.

[ZeroAccess][FOLDER] U : C:\WINDOWS\Installer\{8c3b346c-73ee-a332-f97c-aed3f7818fa4}\U --> FOUND

[ZeroAccess][FILE] Desktop.ini : C:\WINDOWS\Assembly\GAC\Desktop.ini [-] --> FOUND

[ZeroAccess][FOLDER] $NtUninstallKB58020$ : C:\WINDOWS\$NtUninstallKB58020$ --> FOUND

When it is finished, there will be a log on your desktop called: RKreport[2].txt
Attach RKreport[2].txt to your next message. (How to attach)
Reboot the machine.

Download and run OTM.

Download OTM by Old Timer and save it to your Desktop.

Right-click OTM.exe And select " Run as administrator " to run it.

Paste the following code under the http://farm3.static.flickr.com/2455/4173556815_a721a91733_o.png area. Do not include the word Code.
Code:
:Files
C:\Documents and Settings\All Users\Application Data\4xG2Ip4t.exe
C:\WINDOWS\system32\AI_RecycleBin
C:\WINDOWS\Tasks\At1.job
C:\WINDOWS\Tasks\At10.job
C:\WINDOWS\Tasks\At11.job
C:\WINDOWS\Tasks\At12.job
C:\WINDOWS\Tasks\At13.job
C:\WINDOWS\Tasks\At14.job
C:\WINDOWS\Tasks\At15.job
C:\WINDOWS\Tasks\At16.job
C:\WINDOWS\Tasks\At17.job
C:\WINDOWS\Tasks\At18.job
C:\WINDOWS\Tasks\At19.job
C:\WINDOWS\Tasks\At2.job
C:\WINDOWS\Tasks\At20.job
C:\WINDOWS\Tasks\At21.job
C:\WINDOWS\Tasks\At22.job
C:\WINDOWS\Tasks\At23.job
C:\WINDOWS\Tasks\At24.job
C:\WINDOWS\Tasks\At25.job
C:\WINDOWS\Tasks\At26.job
C:\WINDOWS\Tasks\At27.job
C:\WINDOWS\Tasks\At28.job
C:\WINDOWS\Tasks\At29.job
C:\WINDOWS\Tasks\At3.job
C:\WINDOWS\Tasks\At30.job
C:\WINDOWS\Tasks\At31.job
C:\WINDOWS\Tasks\At32.job
C:\WINDOWS\Tasks\At33.job
C:\WINDOWS\Tasks\At34.job
C:\WINDOWS\Tasks\At35.job
C:\WINDOWS\Tasks\At36.job
C:\WINDOWS\Tasks\At37.job
C:\WINDOWS\Tasks\At38.job
C:\WINDOWS\Tasks\At39.job
C:\WINDOWS\Tasks\At4.job
C:\WINDOWS\Tasks\At40.job
C:\WINDOWS\Tasks\At41.job
C:\WINDOWS\Tasks\At42.job
C:\WINDOWS\Tasks\At43.job
C:\WINDOWS\Tasks\At44.job
C:\WINDOWS\Tasks\At45.job
C:\WINDOWS\Tasks\At46.job
C:\WINDOWS\Tasks\At47.job
C:\WINDOWS\Tasks\At48.job
C:\WINDOWS\Tasks\At5.job
C:\WINDOWS\Tasks\At6.job
C:\WINDOWS\Tasks\At7.job
C:\WINDOWS\Tasks\At8.job
C:\WINDOWS\Tasks\At9.job


:Commands
[emptytemp]
[Reboot]
Return to OTM, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste.

Push the large http://farm3.static.flickr.com/2782/4174320048_f01c448b32_o.png button.

OTM may ask to reboot the machine. Please do so if asked.

Copy everything in the Results window (under the green bar), and paste it in your next reply.

NOTE: If you are unable to copy/paste from this window (as will be the case if the machine was rebooted), open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTM\MovedFiles folder, and open the newest .log file present, and attach the contents of that document back here in your next post.

Download Windows Repair by Tweaking.com and unzip the contents into a newly created folder on your desktop.

Now run Repair_Windows.exe by double clicking on it ( if you are running Vista or Win 7, use right click and select Run As Administrator)

Now select the Start Repairs tab.

The click the Start button.

Create a System Restore point if prompted.

On the next screen, click the Unselect All button to first deselect all repairs.

Now select the following repair options:

Reset Registry Permissions

Reset File Permissions

Register System Files

Repair WMI

Repair Windows Firewall

Remove Policies Set By Infections

Repair Winsock & DNS Cache

Repair Proxy Settings

Repair Windows Updates

Set Windows Services To Default Startup

Now on the lower right side check the box to Restart/Shutdown System When Finished

Then make sure the Restart System radio button is enabled.

Shutdown any other programs that you are running now before continuing.

Now click the Start button.

Be patient while the tool repairs the selected items.

It should reboot automatically when finished.

After reboot, check to see if your firewall is working.

Nor rerun RogueKiller, just a scan and attach that log too.

Now run the C:\MGtools\GetLogs.bat file by double clicking on it. (Right click and run as admin if using Vista or Windows7) Then attach the new C:\MGlogs.zip file that will be created by running this.

Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now!

Log in or Sign up

Need help removing virus/malware

t1plus1 Private E-2

t1plus1 Private E-2

Attached Files:

RKreport[1]_S_03302013_02d0951.txt

HitmanPro_20130330_1012.log

TDSSKiller.2.8.16.0_30.03.2013_10.02.05_log.txt

MGlogs.zip

Kestrel13! Super Malware Fighter - Major Dilemma Staff Member