Problems with 2 PCs

Discussion in 'Malware Help (A Specialist Will Reply)' started by them, Jan 18, 2009.

  1. them

    them Private E-2

    Two computers have what I'm hoping are just trojan horse infections. I have McAfee antivirus software and it's not helping.

    Problem one:
    A routine scan yesterday picked up W32/Sality!mem, a trojan horse, in C:\WINDOWS\Explorer.EXE. It said that the trojan was terminated, and a second scan did not pick it up. When the computer was restarted, it was detected again and terminated. I have done several restarts and the virus still comes back. It isn't detected again until the computer is restarted. I have removed restore points, rebooted, scanned, and it's still there. I followed the general cleaning procedures up to the specific directions for Windows XP.
    I have several questions at this point.
    -Would the programs that the XP instructions require me to install conflict with existing antivirus, antispyware, etc. programs?
    -I am fed up with McAfee, which I am finding more and more unreliable as it does not seem to actually remove anything it detects. I read the "How to protect yourself..." sticky, and was wondering which of the free programs of each type would be most effective and how to go about removing McAfee and installing them without opening my PC up to virus threats.


    Problem two:
    This is with a different computer. I am not the sole user of this computer and do not know where the infection came from. A while ago (not sure how long, several weeks at least) McAfee picked up a virus on it. It was quarantined (not removed, although I'd like to find out how to remove it) and I locked down the firewall but did not address the problem at the time. Today, a scan picked up three infections and quarantined them (Vundo). I have noticed that this computer has been slower lately, takes a while to start up, and when I disable the lockdown to access the internet for McAfee updates IE freezes up. When I shut it down, it was very slow, had to end an odd program that wasn't responding, and when I came back a few minutes later, was still on the "Windows is shutting down" screen. I had to hold down the power button to turn it off. Where should I start with this?

    If there is any additional information that I can provide please tell me and I will do my best to provide it. Thanks
     
  2. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Welcome! to MajorGeeks.com!

    If you have multiple computers then please create a new thread for each computer as we work on one computer per thread.

    Please follow the instructions in the READ & RUN ME FIRST link given further down and attach the requested logs when you finish these instructions.
    • If you have problems where no tools seem to run, please try following the steps given in the below and then continue on no matter what you find. You only need to try the TDSSserv steps if having problems getting scans in the Read & Run Me First.
    • If something does not run, write down the info to explain to us later but keep on going.
    • Do not assume that because one step does not work that they all will not.
    READ & RUN ME FIRST. Malware Removal Guide


    Helpful Notes:

    1. If you run into problems trying to run the READ & RUN ME or any of the scans in normal boot mode, you can run the steps in Safe Mode but make sure you tell us what you did later when you post logs. See the below if you do not know how to boot in safe mode:
    2. If you have problems downloading on the problem PC, download the tools and the manual updates for SUPERAntiSpyware, Malwarebytes and Spybot ( links are given in the READ & RUN ME) onto another PC and then burn to a CD. Then copy them to the problem PC. You will have to skip getting updates if (and only if) your internet connection does not work. Yes you could use a flash drive too but flash drives are writeable and infections can spread to them.
    3. To avoid additional delay in getting a response, it is advised that after completing the READ & RUN ME you also read this sticky:
    4. Any additional post is a bump which will add more delay. Once you attach the logs, your thread will be in the work queue and as stated our system works the oldest threads FIRST.
     
  3. them

    them Private E-2

    Sorry for the useless post, I should have looked through the instructions more thoroughly. I will use this topic for the first computer and post another thread about the second when I have finished fixing the this one.

    I have followed the READ & RUN ME FIRST cleaning procedures carefully, and am in the middle of running the various applications in the XP procedures.

    I installed & ran SUPERAntiSpyware and Spybot S&D so far. I ran the SUPERAntiSpyware scan twice because I forgot to restart my computer before scanning (McAfee supposedly terminated the trojan in question for the 7th time). It found nothing in both scans, but I will attach the logs. Spybot detected another trojan and 3 entries associated with hijackers.

    The reason I'm posting now is because I can't get malwarebytes to start. I renamed it before installing it, and followed the instructions for the installation. When the installation completed, it showed two identical pop-up messages - the bar at the top said "mbam.exe - Unable to locate Component" and the message was "This application has failed to start because MSVBUM60.DLL was not found. Re-installing the application may fix this problem." I got the same message again twice after clicking finish, when it tried to launch the program. I uninstalled it, got the same message again once after uninstalling it, rebooted, reinstalled it, and the same thing happened(did not uninstall it yet tho). I will continue with the other programs now, thank you for your help.
     

    Attached Files:

  4. them

    them Private E-2

    Here are the logs from combofix and MGtools

    *When running MGtools I received an error message similar to the one mentioned previously, but for analysis.exe
     

    Attached Files:

  5. them

    them Private E-2

    Sorry for the extra post, but I rebooted and did a quick scan with McAfee and it found the same trojan - W32/Sality!mem in C:\WINDOWS\Explorer.EXE - as before. This detection is the reason why I first posted here; for a day now it has detected this trojan every time I rebooted. I haven't noticed it appear in any of the other scans tho.
     
  6. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Pre-Instructions:
    1. First, please disable any antivirus and/or antispy programs you have installed so they will not block this fix.
    2. Print out these instructions or save them to a text file so that you can operate with All Browser Windows CLOSED.

    Step 1:
    Please look in Add/Remove Programs for the following and uninstall if found. If you get any errors just make a note and proceed.


    Step 2:
    Now we need to use ComboFix to remove a bunch of malware files.
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Open Notepad and copy/paste the text in the below quote box into it:
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below
    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    Step 3:
    Default Security Settings

    To Default Security Settings:
    For Internet Explorer 6 users:
    Click Start > Run > type inetcpl.cpl and press ENTER, when Internet Properties comes up navigate to the Security Tab and click Default Level for the following:
    • Internet
    • Local Intranet
    • Trusted Sites
    • Restricted Sites.
    Click OK to exit.

    For Internet Explorer 7 users:
    Click Start > Run > type inetcpl.cpl and press ENTER, when Internet Properties comes up, navigate to the Security Tab and simply click the "Reset all zones to default level" button. Click OK to exit.

    NOTE: If it's "grey" then it's already at the default level.
    Step 4:
    Please download ATF-Cleaner by Atribune. This program does not require an installation. The executable actually runs the program.

    NOTE: This program is for Windows XP and Windows 2000 only. ATF-Cleaner will remove all files from the items that are checked, so if you have some cookies you'd like to save, please move them to a different directory first.
    • Double-click ATF-Cleaner.exe to run the program.
    • Under Main choose: Select All
    • Click the Empty Selected button.
    If you use Firefox browser
    • Click Firefox at the top and choose: Select All
    • Click the Empty Selected button.
      • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    If you use Opera browser
    • Click Opera at the top and choose: Select All
    • Click the Empty Selected button.
      • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    Click Exit on the Main ATF-Cleaner menu to close the program.

    Step 5:
    Finally, run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:
    • C:\ComboFix.txt
    • C:\MGlogs.zip
    Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now.
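    An added audit script for the Step 3 zone reset above; it is not code from this thread or from MajorGeeks. It reads the per-user Internet Explorer zone settings from the registry and reports any zone whose current level is more permissive than the level Windows records as the default, so you can confirm the reset took effect (or spot a zone that malware has loosened) without opening the dialog. The registry layout (Zones\1-4 with CurrentLevel and RecommendedLevel values) and the numeric-to-name level mapping are assumed standard IE values; the script only reads, and the reset itself is still done through inetcpl.cpl as the post instructs.

    ```powershell
    # Added example (not from the thread): audit IE security zones against their defaults.
    # Assumed registry layout: HKCU:\...\Internet Settings\Zones\<n>, n = 1..4, each with
    # DWORD values CurrentLevel and RecommendedLevel. Zone 0 (My Computer) is skipped.

    $ZoneNames = @{
        1 = 'Local Intranet'
        2 = 'Trusted Sites'
        3 = 'Internet'
        4 = 'Restricted Sites'
    }

    # Assumed zone template levels; a larger number is a stricter level.
    $LevelNames = @{
        0x10000 = 'Low'
        0x10500 = 'Medium-Low'
        0x11000 = 'Medium'
        0x11500 = 'Medium-High'
        0x12000 = 'High'
    }

    function Get-LevelName {
        param([int]$Level)
        if ($LevelNames.ContainsKey($Level)) { return $LevelNames[$Level] }
        return ('0x{0:X}' -f $Level)   # custom level with no template name
    }

    function Get-IEZoneStatus {
        # Returns one object per zone tab in the Security dialog.
        $base = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
        foreach ($n in 1..4) {
            $key   = Join-Path $base $n
            $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
            # Missing key or missing default marker: nothing to compare against.
            if ($null -eq $props -or $null -eq $props.RecommendedLevel) { continue }
            $current     = [int]$props.CurrentLevel
            $recommended = [int]$props.RecommendedLevel
            [pscustomobject]@{
                Zone          = $ZoneNames[$n]
                Current       = Get-LevelName $current
                Recommended   = Get-LevelName $recommended
                AtDefault     = ($current -eq $recommended)
                # A level numerically below the recommended one allows more than the default.
                TooPermissive = ($current -lt $recommended)
            }
        }
    }

    # Usage: list all zones, then warn about the ones that need the Step 3 reset.
    $status = Get-IEZoneStatus
    $status | Format-Table -AutoSize
    $status | Where-Object { $_.TooPermissive } | ForEach-Object {
        Write-Warning ("Zone '{0}' is at {1}, below the recommended {2}; reset it via inetcpl.cpl" -f $_.Zone, $_.Current, $_.Recommended)
    }
    ```

    Run it once before and once after clicking "Reset all zones to default level"; every row should show AtDefault = True afterwards. A zone still reporting TooPermissive after the reset is worth mentioning when you post logs, since something other than the user changed it.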
     
  7. them

    them Private E-2

    I ran the programs and have attached the logs.

    After ComboFix restarted the computer, McAfee re-enabled its virus scanning, and I was warned by ComboFix. I disabled McAfee again and I did get a second warning saying that McAfee wasn't disabled, but I believe that's only because I clicked OK immediately after turning off virus scanning and it didn't register. I don't think that there were any problems with this part, just thought it was worth mentioning in case it appears in the logs.

    The ATF-Cleaner would not run. I received the same error message about "This application has failed to start because MSVBUM60.DLL was not found" that I did with Malwarebytes.

    While MGlogs was running, I got the same error message for analyse.exe about the same dll, which also happened the first time I ran it during the XP cleaning procedures.

    Nothing else happened. I haven't really noticed much of a difference, if any, in my computer during the infection. Nothing is different right now, but I'll report any changes that do occur. Thanks for all the help so far, you guys are terrific :)
     

    Attached Files:

  8. them

    them Private E-2

    Again, sorry for double posting, but I forgot to mention that the Java program you asked me to uninstall was on my computer and I did remove it. I would have edited my first post, but I think the edit button disappeared after I exited IE; I remember a post stating that you can edit for up to 30 minutes after the first post. And everything is still running normally, I haven't noticed any changes.
     
  9. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Your logs are clean! If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware & Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources (except a little disk space) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /u
        • Note: the space between combofix" and /u must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
      • Delete the C:\combofix folder from combofix (if it exists)
    3. If we had you run Avenger, you can delete all files related to Avenger now.
    4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. If running Vista, it is time to make sure you have re-enabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    7. Go to Add/Remove Programs and uninstall HijackThis.
    8. You can delete the C:\MGtools folder and the C:\MGtools.exe file. You can also delete the C:\MGlogs.zip
    9. If you are running Windows Vista, Windows XP or Windows ME, you need to follow the below:
      • Refer to the cleaning steps in the READ ME for your Windows version and see the steps to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    10. After doing the above, you should work thru the below link:
     
  10. them

    them Private E-2

    Thanks for all the help :). I just have one more question: is there anything that I can do about the missing DLL file that caused the error in Malwarebytes?
     
  11. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Download the following file, save to desktop and install. This should take care of your error.

    Microsoft VB6 Runtime components
     
  12. them

    them Private E-2

    Thanks, no more problems now
     
  13. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    You're Welcome!

    Surf Safely!:major
     
