Malwarebytes

Total security

53 replies to this topic

#1
Surfer24

    New Member

  • Members
  • Pip
  • 32 posts
I am having problems and am new to this.

Yesterday around 5pm (Central Time) my computer was running really slow so I decided to restart it. When it came back up the desktop screen changed to blue and had a big warning, which I don't remember in full. Basically it said "Warning: your computer is infected with spyware. Everything you do is recorded on your hard drive even if you try to erase it." It said more too. Also in the background there were a bunch of 1's & 0's in grey behind the lettering.

In the C drive I found a bunch of files that were all created at 5:38 or 5:39 yesterday. I moved them all to the Recycle Bin and took a screenshot of them & uploaded them.

I have tried to run Malwarebytes but have been unsuccessful in doing so. I had to rename the installer file to get it to run and even tried renaming the program file in the Malwarebytes folder. When I do that & start it up it gets about 2 seconds into the scan and quits. Then it won't restart.

I need to know where to start.


Thanks.

Attached Files


Edited by Maurice Naggar, 03 September 2009 - 06:08 AM.
modified topic title
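The poster found the dropped files by noticing that they all carried the same creation minute. As an added example (not from the original post and not from any of the tools named in this thread), the PowerShell below does that hunt systematically: it lists every file whose creation time falls inside a narrow window, includes hidden and system files that Explorer would not show, and groups the hits by folder so a dropper's whole file set appears as one cluster. The directory roots, the 17:30-17:45 window on 2 September 2009, and the assumption that PowerShell 2.0 is installed on the XP machine (it is not there by default; the alternative is to attach the drive to a clean machine and point the roots at it) are all assumptions of the example.

```powershell
# Added example, not part of the original thread. Assumes PowerShell 2.0 or later.
# Window and roots are assumptions taken from the first post ("yesterday", files
# created at 5:38/5:39 pm); adjust them for the case at hand.
param(
    [string[]]$Roots = @(
        'C:\WINDOWS',
        'C:\WINDOWS\system32',
        $env:USERPROFILE,
        'C:\Documents and Settings\All Users\Application Data'
    ),
    [datetime]$Start = (Get-Date '2009-09-02 17:30:00'),
    [datetime]$End   = (Get-Date '2009-09-02 17:45:00')
)

# Collect every file (not directory) created inside the window.
# -Force also returns hidden and system files, which rogue AV droppers routinely set.
$hits = foreach ($root in $Roots) {
    if (-not (Test-Path -LiteralPath $root)) { continue }
    Get-ChildItem -LiteralPath $root -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object {
            -not $_.PSIsContainer -and
            $_.CreationTime -ge $Start -and
            $_.CreationTime -le $End
        }
}

# One line per file, oldest first, with the attributes that matter for triage.
# A LastWriteTime earlier than CreationTime means the content predates the file
# on this disk: it was copied or dropped here, not written here.
$hits |
    Select-Object FullName, Length, CreationTime, LastWriteTime,
        @{ n = 'Hidden';  e = { [bool]($_.Attributes -band [IO.FileAttributes]::Hidden) } },
        @{ n = 'System';  e = { [bool]($_.Attributes -band [IO.FileAttributes]::System) } },
        @{ n = 'Copied';  e = { $_.LastWriteTime -lt $_.CreationTime } } |
    Sort-Object CreationTime |
    Format-Table -AutoSize

# Droppers usually write into two or three folders; the busiest folders are the
# ones to look at (and to hand to the helper as a file list).
$hits |
    Group-Object { $_.DirectoryName } |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize
```

Creation time is trivial to forge, so an empty result is not a clean bill of health, and on a machine where the rogue is already killing processes by name the script itself may be terminated; the moderator's advice to rename tools and work from Safe Mode applies to this script as much as to the tools he names. The output is a starting list for the helper, not something to delete on sight.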


#2
Surfer24

Sorry, I forgot to add this part:

There is a bogus security software that keeps popping up too. It is "Total Security" and there are a couple of different versions of it that pop up and say your computer is infected. In the bottom right corner of my computer there is then a red circle with a white X that shows up in addition to a red shield with a white X. There is also a little lock image that will show up in the bottom right corner.

#3
Maurice Naggar

    Eradicator de logiciels malveillants

  • Moderators
  • PipPipPipPipPipPip
  • 4,245 posts
  • Gender:Male
  • Location:USA
  • Interests:Security, Windows, Windows Update, malware prevention
Hello,

Your thread is not locked. More important, you need to tell us your Windows version/edition, and what antivirus program is installed on this system. And if you have tried to get & run some required reports as per this topic
http://www.malwareby...?showtopic=9573


Do this to close any rogue (fake) pop-up window. Repeat as needed.
Use ALT+F4 keys to close those rogue pop-up windows. Press and hold the ALT key & then press F4 key.

Do NO websurfing or internet transactions, and confine to just this forum and the sites I guide you to.

Next, do this:
1. Go >> Here << and download ERUNT
(ERUNT (Emergency Recovery Utility NT) is a free program that allows you to keep a complete backup of your registry and restore it when needed.)
2. Install ERUNT by following the prompts
(use the default install settings but say no to the portion that asks you to add ERUNT to the start-up folder, if you like you can enable this option later)
3. Start ERUNT
(either by double clicking on the desktop icon or choosing to start the program at the end of the setup)
4. Choose a location for the backup
(the default location is C:\WINDOWS\ERDNT which is acceptable).
5. Make sure that at least the first two check boxes are ticked
6. Press OK
7. Press YES to create the folder.

=

1. Set Windows to show all files and all folders.
On your Desktop, double click My Computer; from the menu options, select Tools, then Folder Options, then select the View tab and look at all of the settings listed.

CHECK (turn on) Display the contents of system folders.

Under the column Hidden files and folders, choose (select) Show hidden files and folders.
Next, un-check Hide extensions for known file types.
Next, un-check Hide protected operating system files.

2. Take out the trash (temporary files & temporary internet files)
Please download ATF Cleaner by Atribune, saving it to your desktop. It is used to cleanout temporary files & temp areas used by internet browsers.
Start ATF-Cleaner.exe to run the program.

Under Main choose: Select All

Click the Empty Selected button.

If you use Firefox browser, do this also:
Click Firefox at the top and choose: Select All

Click the Empty Selected button.

NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser, do this also:
Click Opera at the top and choose: Select All

Click the Empty Selected button.

NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.
ATF-Cleaner should be run per the above in every user-login account {User Profile}

=

Go >> here <<
and download RootRepeal and SAVE to your Desktop.

Doubleclick RootRepeal.exe icon on your Desktop.
Click on the Report tab at bottom of window and then click on Scan button.

A window will open asking what to include in the scan. Check all of the below and then click OK.

Drivers
Files
Processes
SSDT
Hidden Services
Stealth Objects


You will then be asked which drive to scan.
Check C: (or the drive your operating system is installed on if not C) and click Ok again.
The scan will start.
It will take a little while so please be patient. When the scan has finished, click on Save Report.
Name the log RootRepeal.txt and save it to your Documents folder (it should default there).
When you have done this, please copy and paste it in this thread.
=
Reply with copy of Rootrepeal.txt
~Maurice Naggar
MS-MVP (Oct 2002 - Sept 2010)

#4
Surfer24

Hey Maurice,

I downloaded everything, followed the directions, ran the first two programs but get stuck when I try RootRepeal.exe. The scan started & then closed. When I tried to start it again a window pops up and says "Windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access the item."


I had to do all of this in Safe Mode because the computer won't start up fully in normal mode. I am running Windows XP Service Pack 3. I have McAfee installed through Comcast, no other antivirus software. I have tried to run HijackThis too but it won't run.


Sorry about the delay in response.

Austin

#5
Maurice Naggar

You will want to print out or copy these instructions to Notepad for Safe Mode/offline reference!
If you are a casual viewer, do NOT try this on your system!
If you are not Surfer24 and have a similar problem, do NOT post here; start your own topic.


Do not run or start any other programs while these utilities and tools are in use!
Do NOT run any other tools on your own or do any fixes other than what is listed here.
If you have questions, please ask before you do something on your own.
But it is important that you get going on these following steps.
=
Close any of your open programs while you run these tools.

Click on Start button. Select Run, and copy-paste the following command (the bolded text) into the "Open" textbox, and click OK.

"%userprofile%\desktop\win32kdiag.exe" -f -r

=

Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools

If you have a prior copy of Combofix, delete it now !

Download Combofix from any of the links below. You must rename it before saving it. Save it to your Desktop and SAVE it as cf.bat.

Link 1
Link 2
Link 3


* IMPORTANT !!! SAVE AS CF.BAT to your Desktop
If your I.E. browser shows a warning message at the top, do a Right-Click on the bar and select Download, saving it to the Desktop.


  • Double click on CF.BAT & follow the prompts.


  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.


  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see a message asking whether to continue (the screenshot is not reproduced here).

Click on Yes to continue scanning for malware.

Please watch Combofix as it runs, as you may see messages which require your response, or the pressing of OK button.


When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
-------------------------------------------------------

A caution - Do not run Combofix more than once.
Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock.

The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled.
If this occurs, please reboot to restore the desktop.
Even when ComboFix appears to be doing nothing, look at your Drive light.
If it is flashing, Combofix is still at work.
=

RE-Enable your AntiVirus and AntiSpyware applications.

Reply with copy of the C:\Combofix.txt
~Maurice Naggar
MS-MVP (Oct 2002 - Sept 2010)

#6
Surfer24

Maurice,

I am having a hard time connecting to the web before my computer locks up. Is there a way for me to download ComboFix and copy it to my desktop?

#7
Surfer24

OK, I was able to get ComboFix downloaded, however when I pasted the bold text into Start/Run and clicked OK I get a window popup that says "Windows cannot find 'c:\documents and settings\owner\desktop\win32kdiag.exe'. Make sure you typed the name correctly, and then try again. To search for a file, click the Start button, and then click Search."


Should I just continue with ComboFix?


Thanks for the help!!!!!!!!

#8
Maurice Naggar

Make sure you saved WIN32KDIAG to your Desktop, and that you are logged in to the same login account as when you downloaded it.
Then, if you have not successfully run Win32kdiag (as I outlined before), go back, re-read my note and do as it outlines.

Make sure you saved ComboFix as CF.BAT.

Do the steps as I outlined in my last reply.
~Maurice Naggar
MS-MVP (Oct 2002 - Sept 2010)

#9
Surfer24

I must be going crazy. I don't see in your posts where you mention the "win32kdiag" download. Sorry for the confusion here. I'm checking this forum from my PDA so it's kind of hard to see sometimes.


Thanks.

#10
Maurice Naggar

Sorry, I goofed before and neglected to include the download links. Here you go:
Download Win32kDiag from any of the following locations and save it to your Desktop.

Click on the Start button. Select Run, copy-paste the following command (the bolded text) into the "Open" textbox, and click OK.

"%userprofile%\desktop\win32kdiag.exe" -f -r


Follow that up with the run of ComboFix (as outlined before).

#11
Surfer24

So, I downloaded Win32kDiag and ran that. I have the log saved to the desktop. When I double-click on cf.bat.exe it starts, shows that it's loading & then a window pops up & says
"iexplore.exe - Application Error. The instruction at "0x7c901e76" referenced memory at "0x00000000". The memory could not be "read". Click OK to terminate the program"

I let it sit for a while because your directions say that but I don't think that it's loading up. I am attempting this in SAFE MODE.

What do you want me to do next? Would you like me to post the Win32kDiag.txt?

Thanks.

#12
Maurice Naggar

No, I do not need the log from Win32kdiag.
And as long as Normal mode is working, that is where I need you to retry the CF.BAT procedure.
Just make sure all browsers are closed before you start it.
~Maurice Naggar
MS-MVP (Oct 2002 - Sept 2010)

#13
Surfer24

I have been booting up in Safe Mode because whenever I boot up in normal mode the Computer Freezes up.
I will work on getting it to boot up in Normal Mode tonight when I get home from work and Post as soon as I have more info.


Thanks,


Austin

#14
Maurice Naggar

If and only if Normal mode is not usable, then select Safe Mode with Networking.
~Maurice Naggar
MS-MVP (Oct 2002 - Sept 2010)

#15
Surfer24

So I have tried many times to get cf.bat to run but I've not had any luck. I keep getting the iexplorer.exe error I advised about before. I'm wondering if it has something to do with an iexplorer.exe icon on my desktop. When I first came across this virus a friend told me to download procexp.exe when I couldn't get Task Manager to open because of this virus. He changed the name of procexp.exe to iexplorer.exe to get it to open because of the virus. That didn't work & he downloaded procexp.exe again. So now I have iexplorer.exe & procexp.exe on my desktop. To keep my computer from freezing I have to open procexp.exe as soon as the computer boots up and then kill "smss.exe Freeware Promotion" right away, otherwise the computer freezes up. Once I kill the freeware promotion I go to start cf.bat & I get the error & the computer freezes again.

I am beginning to think I am f'ed.

Thanks in advance for any guidance here Maurice Naggar.

#16
Maurice Naggar

Look at your desktop. If you have iexplorer.exe & procexp.exe on there, delete them.
Do NOT get any tools or programs on your own. Please only follow my guidance.


(With much thanks to Tetonbob at TSF, whose methods & verbiage I'm using here).

Download this tool and save it directly to your desktop - not a folder on the desktop - the commands are tailored for the desktop location.

Click Start>Run and
Copy then Paste the following bolded text into the Run box and click OK:

"%userprofile%\desktop\Inherit.exe" "c:\Program Files\Internet Explorer\iexplore.exe"


Repeat for this file, or simply find the files and drag/drop them onto Inherit.exe. For any other file where you get an access denied message, you can do the same:

"%userprofile%\desktop\Inherit.exe" "c:\WINDOWS\system32\wbem\wmiprvse.exe"

Next, download DDS and save it to your desktop from http://www.techsuppo...ctools/sUBs/dds here or http://download.blee...om/sUBs/dds.scr or
http://www.forospyware.com/sUBs/dds

Disable any script blocker if your antivirus/antimalware has it.
Then double click dds.scr to run the tool.
When done, DDS.txt will open.
Click Yes at the next prompt for Optional Scan.

  • When done, DDS will open two (2) logs:
  • DDS.txt
  • Attach.txt
  • Save both reports to your desktop.
Please include the following logs in your next reply:
DDS.txt
Attach.txt

~Maurice Naggar
MS-MVP (Oct 2002 - Sept 2010)
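The "Windows cannot access the specified device, path, or file" error earlier in the thread, and the use of a tool called Inherit.exe on iexplore.exe and wmiprvse.exe, point to the rogue having tampered with the file ACLs so that the user can no longer execute them. As an added example (not part of the original thread, and not the code of Inherit.exe, whose internals the thread does not describe), the PowerShell below prints the ACL of each target, removes every explicit Deny entry, and turns inheritance back on so the file gets its parent folder's normal permissions again. That this is what Inherit.exe does is an inference from its name and from the error message; it is not stated on the page. The script assumes PowerShell 2.0 and an administrator account that can still read the ACL.

```powershell
# Added example, not part of the original thread and not Inherit.exe. Assumes
# PowerShell 2.0 or later, run as an Administrator. The two paths are the ones the
# moderator targets above; add more as needed.
$targets = @(
    'C:\Program Files\Internet Explorer\iexplore.exe',
    'C:\WINDOWS\system32\wbem\wmiprvse.exe'
)

# Print owner, whether inheritance is blocked, and each ACE, so the tampering is
# visible before and after the repair.
function Show-Acl([string]$Path) {
    $acl   = Get-Acl -LiteralPath $Path
    $state = if ($acl.AreAccessRulesProtected) { 'BLOCKED' } else { 'on' }
    Write-Host ("== {0}  (owner: {1}, inheritance: {2})" -f $Path, $acl.Owner, $state)
    foreach ($ace in $acl.Access) {
        Write-Host ("   {0,-5} {1,-32} {2,-24} inherited={3}" -f `
            $ace.AccessControlType, $ace.IdentityReference, $ace.FileSystemRights, $ace.IsInherited)
    }
}

# Strip explicit Deny ACEs and re-enable inheritance from the parent directory.
function Repair-Acl([string]$Path) {
    if (-not (Test-Path -LiteralPath $Path)) { Write-Warning "missing: $Path"; return }
    $acl = Get-Acl -LiteralPath $Path

    # 1. Explicit (non-inherited) Deny entries are what turn a normal user's
    #    double-click into "Windows cannot access the specified device, path, or file".
    $denies = @($acl.Access | Where-Object { $_.AccessControlType -eq 'Deny' -and -not $_.IsInherited })
    foreach ($ace in $denies) { [void]$acl.RemoveAccessRule($ace) }

    # 2. isProtected=$false re-enables inheritance; the second argument is ignored
    #    in that case. Explicit Allow entries are left alone, so nothing that
    #    still grants access is lost; the inherited Program Files / system32 rules
    #    come back on top of them.
    $acl.SetAccessRuleProtection($false, $true)

    Set-Acl -LiteralPath $Path -AclObject $acl
    Write-Host ("repaired {0}: removed {1} explicit Deny entries, inheritance re-enabled" -f $Path, $denies.Count)
}

foreach ($t in $targets) {
    Show-Acl   $t
    Repair-Acl $t
    Show-Acl   $t
}
```

If Get-Acl itself fails with access denied, the rogue has also removed the right to read the security descriptor; an Administrator can still take ownership of the file first (on XP Professional via the Security tab, Advanced, Owner; on XP Home that tab is only shown in Safe Mode) and then re-run the repair. Resetting permissions only restores the ability to run the programs, it does not remove whatever is still killing them by name, which is why the moderator follows this step with DDS and GMER logs rather than declaring the machine clean.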

#17
Surfer24

I am out of town for work tonight but will do this as soon as I get home. I do have a question though.

Since I can only work in "Safe Mode with Networking" this will all have to be done there. My question is: I have to use procexp.exe to kill the rogue "smss.exe freeware PROMO" otherwise it will freeze up the computer & I can't do anything. Is it OK to do this?

The steps would then work this way:
1. Open procexp.exe & kill "smss.exe freeware PROMO"

Then start with your directions:
2. Try to delete iexplorer.exe - I have tried & it won't let me.
3. Try to delete procexp.exe - have not tried this yet.
4. Download "this tool" to the Desktop and proceed with your directions from there.

Please let me know if this is OK to do?

Thank you Maurice Naggar and Tetonbob at TSF!!!!!

#18
Maurice Naggar

OK, yes, kill the rogue process.
And as I said, if there's an iexplore.exe on the desktop, delete it. If no joy, right click on it and try to RENAME it to junk.bad.

Then proceed forward.

Whatever happens, do this one task:
Download GMER from here and save the zip file to your Desktop.
Right click the zip and select "Extract All".
Double-click gmer.exe to launch the program. (If you get an immediate message about rootkit activity, ignore it and proceed with the instructions please.)
Click on the Rootkit tab and on the right side, untick the Registry box, then click Scan.

Once the scan is done, press the Copy button, then open NOTEPAD.

Paste the results here in your reply.
~Maurice Naggar
MS-MVP (Oct 2002 - Sept 2010)

#19
Surfer24

OK.

Sorry for being repetitive but I just want to be clear:

1. Try to delete iexplorer
2. Download & run GMER
3. Post results

You want me to refrain from doing the tasks you advised me to complete this morning @ 5:41am until I post back with the GMER scan, right?

#20
Maurice Naggar

I fear we may get lost. So to prevent that, I need you to 1) delete that stray iexplore on the desktop
and also DO the steps I outlined at 5:41 this morning, and then do the GMER run.

You'll be replying with DDS.txt, Attach.txt, and the GMER log.
Those will get me a better look at your system.
~Maurice Naggar
MS-MVP (Oct 2002 - Sept 2010)




