Avast WEBforum
Other => Viruses and worms => Topic started by: choirgirl1 on November 26, 2011, 10:15:17 AM
-
I hope someone can help me.
"Privacy Protection" program has invaded my laptop and has disabled Avast and MalwareBytes. When trying to open those programs it says the file is infected with a WIN32 Blaster Worm. It got rid of my Avast shortcut and replaced it with one of its own (masquerading as a Windows icon) and won't even let me open the virus programs from the start menu. It has a fake firewall warning with "block" and "allow" buttons that I'm afraid to close in case I activate something. It does not show up in the programs list (though I found it interesting that, while experimenting, it would have let me remove Quicktime, but not Paretologic) and will not let me use taskmgr either.
I tried looking it up, but the only removal advice seems hopelessly involved, and I don't trust it anyway! Is there a reasonable, reliable fix for this? Or should I take it to the Geek Squad? I have quite sensitive work on it and need to be able to safely use it as quickly as possible. My OS is Win XP Pro 64 v2003, service pack 2.
I read somewhere that, on start up, all hell breaks loose, so I'm afraid to turn my computer off. I hope you can help (Avast senior member please!) Thank you!!
-
Hi choirgirl1,
Since it's an XP 64bit system the tools we will be able to use may be limited. Let's take a look at what's going on.
Download OTL (http://oldtimer.geekstogo.com/OTL.exe) to your desktop.
- Double click on OTL.exe to run it. Make sure all other windows are closed and to let it run uninterrupted.
- When the window appears, underneath Output at the top change it to Minimal Output
- Check the boxes beside LOP Check and Purity Check.
- In the window under Custom Scans/Fixes copy and paste the following
netsvcs
%SYSTEMDRIVE%\*.*
%systemroot%\Fonts\*.com
%systemroot%\Fonts\*.dll
%systemroot%\Fonts\*.ini
%systemroot%\Fonts\*.ini2
%systemroot%\Fonts\*.exe
%systemroot%\system32\spool\prtprocs\w32x86\*.*
%systemroot%\REPAIR\*.bak1
%systemroot%\REPAIR\*.ini
%systemroot%\system32\*.jpg
%systemroot%\*.jpg
%systemroot%\*.png
%systemroot%\*.scr
%systemroot%\*._sy
%APPDATA%\Adobe\Update\*.*
%ALLUSERSPROFILE%\Favorites\*.*
%APPDATA%\Microsoft\*.*
%PROGRAMFILES%\*.*
%APPDATA%\Update\*.*
%systemroot%\*. /mp /s
CREATERESTOREPOINT
%systemroot%\System32\config\*.sav
%PROGRAMFILES%\bak. /s
%systemroot%\system32\bak. /s
%ALLUSERSPROFILE%\Start Menu\*.lîk /x
%systemroot%\system32\config\systemprofile\*.dat /x
%systemroot%\*.config
%systemroot%\system32\*.db
%PROGRAMFILES%\Internet Explorer\*.dat
%APPDATA%\Mikzosoft\Internet Explorer\Quick Launch\*.lnk /x
%USERPROFILE%\Deskuop\*.exe
%PROGRAMFILES%\Common Files\*.*
%systemroot%\*.src
%systemroot%\install\*.*
%systemroot%\system32\DLL\*.*
%systemroot%\system32\HelpFiles\*.*
%systemroot%\system32\rundll\*.*
%systemroot%\winn32\*.*
%systemroot%\Java\*.*
%systemroot%\system32\test\*.*
%systemroot%\system32\Rundll32\*.*
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs
%USERPROFILE%\..|smtmp;true;true;true /FP
%temp%\smtmp\*.* /s
/md5start
iexplore.*
explorer.*
winlogon.*
dll
zx.dll
hlp.dat
consrv.dll
/md5stop
- Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post it with your next reply. You may need two posts to fit them all in.
If the post seems too long you can attach them.
-
Thank you for your response oldman.
I'm a little confused though - you say to download the OTL to my desktop - which is the computer I'm using now to talk to you. My laptop is the infected computer and I ended up turning it off as the viral program wouldn't allow the screensaver to run. Do I download the OTL to my laptop? And should I start it in SAFE mode? If so, can I save the OTL to a travel drive and download it in safe mode on my laptop? (I'm not familiar with using safe mode)
Thanks so much for your help!
-
you must of course download and run OTL on the infected computer ::)
Definition
desktop: http://searchwinit.techtarget.com/definition/desktop
Definition
desktop computer: http://searchenterprisedesktop.techtarget.com/definition/desktop-computer
-
Okay...now I feel silly. :-[ But should I go ahead and start up like normal? Or Safe mode? This program seems to debilitate everything before it gets started.
-
try Normal, if no success try safe mode
Oldman and/or Essexboy will be back in here and help you tomorrow.....
well tomorrow is already 2 hours old over here ;D
-
Thanks so much. I'll try it right now :D
-
The Program is not allowing the OTL to open or run (says it also has the worm) :-\
-
you mean avast...right click avast tray icon and disable for 10min
-
I've been trying to follow oldman's instructions with his OTL download. And one of the first things the malicious thing did was get rid of all Avast icons and won't let the program open from anywhere...
-
*By "malicious thing" I mean the invading program, not OTL!
-
The Program is not allowing the OTL to open or run (says it also has the worm) :-\
you mean avast...right click avast tray icon and disable for 10min
I've been trying to follow oldman's instructions with his OTL download. And one of the first things the malicious thing did was get rid of all Avast icons and won't let the program open from anywhere...
*By "malicious thing" I mean the invading program, not OTL!
I think choirgirl1 is talking about Privacy Protection, Pondus. ;)
try Normal, if no success try safe mode
-
OK i guess you need to kill the running malware process before you can run it...and we have a program that can do that...but i suggest you wait until Oldman or Essexboy is back here to do that...
-
Thanks Pondus - do you know about what time GMT he comes on? We're 8 hours ahead. I'll try to stay near the computer as late as I can. And thank you Donovansrb10 for your clarification...it's getting a bit confusing!
-
Thanks Pondus - do you know about what time GMT he comes on? We're 8 hours ahead. I'll try to stay near the computer as late as I can. And thank you Donovansrb10 for your clarification...it's getting a bit confusing!
No Problem. ;)
-
Essexboy (UK time) is usually in here around 08:00pm - 11:59pm on weekdays..
so Sunday tomorrow (now ;D ) around midday...maybe
Oldman i dont know
-
Thank you so much. I'll check back periodically :)
-
Hi choirgirl1,
You can do a couple of things to try to get OTL to run.
First ignore the messages from the rogue that OTL is infected. That is don't acknowledge or close the popup.
If that doesn't work, right click OTL and click rename. On the keyboard type explorer.exe and hit enter.
Try running it again by double clicking the renamed file.
Lastly you can try safe mode. To start your computer in Safe Mode :- Restart your computer
- After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
- Instead of Windows loading as normal, a menu with options should appear;
- Select the first option, to run Windows in Safe Mode, then press "Enter".
- Choose your usual account.
-
Hi Oldman :)
PP ("Privacy Protection") allowed me to rename the OTL program, but wouldn't let me open the text. I tried to rename it too, but it wasn't fooled I guess :P So I manually typed in the code and ran the scan. I'm saving it to a travel drive now and will proceed to post it here...I hope you're still there!
-
The text files are VERY long and I'm not really comfortable "posting" them in public. How do I attach them? Is there a more secure way to send them to you?
-
lower left corner > additional options > attach
-
Attachments
-
Hi choirgirl1,
I see signs of a very nasty infection that we may not be able to clean. Is the option to reformat and reinstall the operating system a possibility? We can clean up as much as possible and see how deep this goes.
If you are transferring files to the infected computer we will do this fix differently. It should be easier for you.
There are signs of an autorun infection on the E:\ drive, which is most likely a USB storage device such as a flash drive. Is the flash drive you are using recognized as E:\? Leave the flash drive connected to the infected computer when you run the fix.
To protect your clean computer do this first:
On the clean computer with the flashdrive attached:
Download
Flash_Disinfector.exe (http://download.bleepingcomputer.com//sUBs/Flash_Disinfector.exe) by sUBs and save it to your desktop.
- Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
- The utility may ask you to insert your flash drive and/or other removable drives including your mobile phone. Please do so and allow the utility to clean up those drives as well.
- Wait until it has finished scanning and then exit the program.
Note: Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive plugged in when you ran it. Don't delete this folder...it will help protect your drives from future infection.
Additional info: there is no user interface for this tool. You may see a black window briefly flash on the screen.
Next
Download the attached file, scan.txt, and transfer it to the desktop of the infected computer.
Next,
On the infected computer:
Please rename the copy of OTL that you renamed to svchost.exe.
Double click on svchost.exe
- Under the Custom Scans/Fixes box at the bottom, double click on the white window
- You will get a window asking if you want to load a custom scan, click OK
- Set the look in box at the top to your desktop and click open
- the box should now fill with text
- Then click the Run Fix button at the top
- Let the program run unhindered
- Please save the resulting log to be posted in your next reply.
Please post the OTL fix log.
How is the computer?
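The Flash_Disinfector step above relies on one trick: a drive root can hold either a file or a directory called autorun.inf, never both, so a directory placeholder stops a USB worm from writing its own autorun.inf file there. The script below is an added example, not part of the original thread and not Flash_Disinfector's own code. It reproduces that placeholder, and it also triages an autorun.inf file that is already present by listing the commands the [autorun] section would launch. The attribute flags, the parsing rules and the sample autorun.inf are this example's own assumptions.

```python
# Added example, not part of the original thread and not Flash_Disinfector's code.
import os
import sys
import tempfile
from pathlib import Path

# [autorun] keys that launch a program when the drive is inserted or opened
LAUNCH_KEYS = ("open", "shellexecute")


def inspect_autorun(drive_root):
    """Return 'absent', 'protected' (a directory placeholder) or 'file'."""
    p = Path(drive_root) / "autorun.inf"
    if not p.exists():
        return "absent"
    return "protected" if p.is_dir() else "file"


def parse_autorun(text):
    """Return (key, value) pairs from the [autorun] section that would run something.

    Matching is case-insensitive; lines in other sections are ignored.
    """
    launches = []
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line.lower() == "[autorun]"
            continue
        if not in_section or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key = key.strip().lower()
        if key in LAUNCH_KEYS or key.startswith("shell\\"):
            launches.append((key, value.strip()))
    return launches


def protect_drive(drive_root):
    """Create the autorun.inf placeholder directory; return True if it is in place.

    Refuses to touch an existing autorun.inf *file* so nothing is deleted unseen.
    """
    p = Path(drive_root) / "autorun.inf"
    if p.is_file():
        raise FileExistsError(f"{p} is a file; inspect it before replacing it")
    p.mkdir(exist_ok=True)
    if os.name == "nt":
        # Hidden + System + Read-only: assumed to match the "hidden folder" the post describes
        import ctypes
        READONLY, HIDDEN, SYSTEM = 0x1, 0x2, 0x4
        ctypes.windll.kernel32.SetFileAttributesW(str(p), READONLY | HIDDEN | SYSTEM)
    return p.is_dir()


# Constructed sample of the kind of autorun.inf a USB worm drops (not from the thread).
SAMPLE_AUTORUN = """[autorun]
icon=setup.ico
open=RECYCLER\\S-1-5-21\\update.exe
shellexecute=RECYCLER\\S-1-5-21\\update.exe
shell\\open\\command=RECYCLER\\S-1-5-21\\update.exe
[other]
open=ignored.exe
"""


def self_check(root=None):
    """Run the workflow against a scratch directory standing in for a drive root."""
    root = root or tempfile.mkdtemp(prefix="fakedrive_")
    before = inspect_autorun(root)
    protect_drive(root)
    after = inspect_autorun(root)
    return {"before": before, "after": after, "launches": parse_autorun(SAMPLE_AUTORUN)}


if __name__ == "__main__":
    # Usage: python autorun_guard.py E:\ F:\   (no arguments runs the self-check)
    for root in sys.argv[1:]:
        state = inspect_autorun(root)
        print(root, state)
        if state == "file":
            for key, value in parse_autorun(Path(root, "autorun.inf").read_text(errors="replace")):
                print("  would launch:", key, "=", value)
        elif state == "absent":
            print("  protected:", protect_drive(root))
    if not sys.argv[1:]:
        print(self_check())
```

The placeholder only blocks the file from being created; it does not clean a drive that already carries an autorun.inf, which is why protect_drive refuses to overwrite one and the parser is there to show what it would have launched. Microsoft later shipped an update that turns AutoRun off for USB drives on XP, so on a patched machine the placeholder is belt and braces rather than the only defence.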
-
Hi - I'm here. Give me a couple of minutes to read your post and make sure I understand. Yes, reloading the OS is an option - I fairly recently backed up all my files to an external harddrive and my most recent work to a flash when this problem popped up, just to be safe - I didn't want to infect the external. But I'd really rather not start fresh if it can be avoided - I have SO much work to do as soon as possible. Be right back...
-
Hi choirgirl1,
Take your time. If the one infection that I think may be there you may be looking at a reformat as there isn't a manual removal for it at the present. But let's take it one step at a time.
-
Question: I still have OTL open (I didn't want to close it in case I needed it again) should I close it and reopen as the new name? Or can we use it as is?
-
Hi choirgirl1,
Give it a try as it is. Just make sure the white field at the bottom is empty before you import the file.
-
Never mind...I did the rename anyway and it's scanning...
-
:D Yay! Computer rebooted with no recurrence of PP popup, I'm able to open the programs I couldn't before, and my Avast tray icon is back! I haven't reconnected to the internet yet - I'll wait to see what you think. I'm scared to be too happy, but !!!!!
I've attached the fix log.
-
Hi
Before you connect to the internet please run this custom scan.
Rename OTL back to OTL.exe
Delete scan.txt from your desktop.
Download the attached file and transfer it to your infected computer's desktop.
Use the same steps as before to import the file to OTL but this time click the Run Scan button.
-
Running...
-
Here's the resulting file:
-
I also ran a thorough Malwarebytes scan and a custom (EVERYTHING) Avast scan and nothing was detected. I'm assuming everybody is shut down for the night, so I will too. Must do day job tomorrow, but will check back in the afternoon (Pacific time). I'll work offline until I hear back from someone, but it looks clean. Thank you! :)
-
Hi choirgirl1,
Were Avast and MBAM updated when you ran the scans? If they were then you must have been connected to the internet. Did you notice anything unusual in the computer's behavior?
There are a couple of oddities in the log but I think that may be due to your operating system. When you post back please give me an update on the computer, ie it's running fine, better etc.
Thanks
-
Hi OLdman
No, I had disconnected from our wireless and the programs didn't update. The laptop seems to be working fine otherwise, but I still haven't tried the internet yet. Should I go ahead, connect, then update Avast & MBAM? Is there anything I should watch out for that would hint at a lurking problem? Thanks for all your help!
-
Hi choirgirl1,
Yes, connect and update both programs. Please post the MBAM log.
-
Avast updated but MBAM wouldn't - gave me an error message which I passed on to their support. I ran MBAM yesterday after starting up my laptop, so I'm attaching those logs. Laptop seems fine, and Firefox seems fine, but Internet Explorer isn't - doesn't load some pages or parts of pages. I think it had to do with JavaScript and I might have changed some settings, but have tried to put them back, so I don't know. So I'm still a little nervous about using the internet for business, payments, etc. What do you think?
-
That is a very old version of MBAM
Malwarebytes' Anti-Malware 1.40
Database version: 2551
The current version is 1.51.2.1300 and the database is at 8269
http://www.filehippo.com/download_malwarebytes_anti_malware
Please go to PROFILE then Modify Profile then Forum Profile Information then select your country in Please select your country: then update your Signature: with information like my signature as this helps the helpers offer pertinent advice.
-
Hi choirgirl1 ,
I honestly don't know what to tell you. Your operating system is in a sense unique and there aren't many of the tools we use that will run on it. For this reason many forums will not work on an XP 64bit machine. When XP64 came out it was thought of as "bullet proof" as it couldn't be infected with a rootkit and only the 32bit side could become infected, which could easily be cleaned. The folks that develop the tools must have decided for those reasons, and the fact that the OS was rare, that it wasn't necessary to program the tools to deal with the OS. Even though it's a 64bit system it is not quite the same as a Vista or Win7 64 system and some of the routines that the tools use will not work.
I've compared your log to the few I could find on the internet and they look the same as far as what is shown in your log. Going on that we can clean this machine as best we can.
MBAM being that old may have tried to overinstall itself during the update. I've had that happen, an uninstall reinstall set things right. Stick with the MBAM topic as it may well be something else.
Was IE working properly before the infection? You can try the steps in the link below to see if resetting IE will help. There is also some info on what a reset will do. I suggest you not use the FixIt Tool as it may not be compatible with the OS. The FixIt Tool is an automated version of the manual steps outlined.
Give it a try and let us know how it goes.
http://support.microsoft.com/kb/923737
-
Thank you, I will. And yes, IE had been working okay - though maybe a little slow, but not buggy. I don't have much time in the next couple of days, but I'll see what MBAM has to say and follow your link, probably Thursday. I'll let you know what I find out. Thanks so much for hangin' in there with me! :)
-
Hi choirgirl1,
How you making out? We have a wee bit more to do but I was waiting for you.
-
Hi Oldman!
Finally had time to do something. I've downloaded and installed the updated version of MBAM. I ran a scan and it crashed, restarting my computer, so I ran it again. This time it actually found a Fake Trojan, which is certainly what that malicious program was. I've attached the resulting log. I will also look into the other link you sent, though I've played with the settings for IE and things seem to be working, but I'm not sure it's set securely enough. I probably need to update IE too, so will be looking at that too. You mentioned something else we should do, so I'll be back!
-
Hi choirgirl1,
Don't worry about the MBAM detection it was a file we had quarantined with OTL. The rest will be removed when we remove OTL. I think we have this cleaned up as best we can except for the old and most likely infected System Restore points. We'll clean those up.
Create a new restore point
You must be logged on to an administrator account - Go to Start - All Programs - Accessories - System Tools - System Restore.
- Click Create a restore point, and then click Next.
- In the text box labeled Restore Point Description, type a name for this restore point
- click create
* Remove old restore points
- Go to Start - All Programs - Accessories - system tools.
- Launch the Disk Cleanup tool and let it run.
- When it finishes a box with tabs will appear, select the more options tab.
- On this tab you will find a section for System Restore.
- If you press the Clean Up button for that section, Windows will delete all restore points except for the most recent one.
From your desktop, please delete, if present- any notepads/logs that we created
Next
Open OTL then click the Clean Up button. You may get prompted by your firewall that OTL wants to contact the internet - allow this. A cleanup.txt will be downloaded, a message dialog will ask you if you want to proceed with the cleanup process, click Yes. This will do some clean up tasks and delete some of the tools you have downloaded plus itself.
I suggest you keep MBAM. Keep it updated and use it regularly.
Updates and Upgrades
Looks like you have removed the Extra.txt from this thread so I'll have to go by memory. I seem to recall seeing some old java installed on the computer, possibly even version 4. The current version is Java SE 7u1.
- Go to Java (http://www.oracle.com/technetwork/java/javase/downloads/index.html)
- Scroll down to Java Platform, Standard Edition section. The subheading is Java SE 7 U1,
- Click the Download JRE button on the right.
If Information Bar pop-ups up, right-click on it and say it's OK to display the blocked content.
- Accept the license agreement,
- Scroll down and click on jre-7u1-windows-x64.exe
- Save the file jre-7u1-windows-x64.exe to your desktop;
Do not select Run . Do not install it yet.
When the download is complete, close your browser.
Open Control Panel > Add/Remove Programs and uninstall
All older versions of java
Do not uninstall Java TM 7 Update 1 if found!
Reboot your computer.
- Double-click on the saved file ( jre-7u1-windows-x64.exe) to install the update.
- Decline the offer to install Ask ToolBar
- Delete the downloaded installation file after completing the above procedure and reboot if not prompted to do so.
Next, clear the java cache
To clear the Java Plug-in cache:
- Click Start > Control Panel.
- Double-click the Java icon in the control panel.
- On the General tab, Click Settings under Temporary Internet Files.
- On the Temporary Files Settings screen, Click Delete Files.
- check all boxes
- Click OK
Some Recommendations and prevention tips
Basic security consists of 1 antivirus program, 1 resident antispyware program, 1 on demand antispyware program and a firewall. Just add a firewall to what you have.
* If you are behind a router Windows firewall should be fine. Otherwise a 3rd party firewall with outbound monitoring is recommended.
Click FIREWALL (http://www.bleepingcomputer.com/forums/tutorial60.htm) for links and tutorials to good, free and paid for firewalls. (Note: Zone Alarm is becoming bloatware)
You should also use Spyware Blaster (http://www.javacoolsoftware.com/spywareblaster.html) to help immunize your computer.
- SpywareBlaster will add a large list of programs and sites into your Internet Explorer
settings that will protect you from running and downloading known malicious programs.
OR
A guide to understanding and using the hosts file.
Learn how your Hosts file can protect you and how you can protect it.
Besides the Hosts file information, there are links to a very good updated hosts file, a host file manager. and some programs that can protect your hosts file.
HOSTS (http://www.mvps.org/winhelp2002/hosts.htm)
Please read the info on disabling the DNS Client before installing a custom hosts file.
-Secure your Internet Explorer
From within Internet Explorer click on the Tools menu and then click on Options.
- Click once on the Security tab
- Click once on the Internet icon so it becomes highlighted.
- Click once on the Custom Level button.
- Change the Download signed ActiveX controls to Prompt
- Change the Download unsigned ActiveX controls to Disable
- Change the Initialize and script ActiveX controls not marked as safe to Disable
- Change the Installation of desktop items to Prompt
- Change the Launching programs and files in an IFRAME to Prompt
- Change the Navigate sub-frames across different domains to Prompt
- When all these settings have been made, click on the OK button.
- If it prompts you as to whether or not you want to save the settings, press the Yes button.
Next press the Apply button and then the OK to exit the Internet Properties page.
- Keeping your Windows up-to-date is crucial to your computer's security. Please go to the Windows Update Site (http://www.update.microsoft.com/windowsupdate/v6/default.aspx?ln=en-us)(using Internet Explorer) and download and install all critical updates on a regular basis
- Make sure you have reset Automatic Updates to your chosen option: click your start button > Control Panel > System > Automatic Updates tab
- Keep your antivirus program updated, as well as any other security programs you have.
Please post back if you have any problems.
Take care
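The hosts-file and "Secure your Internet Explorer" advice in the post above is given as GUI steps. The script below is an added example, not part of the original thread and not from any of the tools it links, that turns both into checks you can run after a cleanup: it audits a hosts file for entries that redirect a name to a real address (a blocklist only ever needs a blackhole address, so anything else is a hijack) or that blackhole a domain you depend on, and it compares the six Internet-zone settings the post changes against their registry values. The registry layout is the one Internet Explorer uses (the Internet zone is Zones\3 under HKCU\...\Internet Settings, with 0 = Enable, 1 = Prompt, 3 = Disable); the sample hosts file and the example hostnames are constructed for this example.

```python
# Added example, not part of the original thread: scripted versions of the
# hosts-file and Internet Explorer zone checks the post recommends.
import ipaddress
import os

BLACKHOLE = {"0.0.0.0", "127.0.0.1", "::1"}      # the only targets a protective hosts file uses
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}


def parse_hosts(text):
    """Yield (lineno, ip, hostname) for every mapping, ignoring comments and junk lines."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 2:
            continue
        try:
            ipaddress.ip_address(fields[0])
        except ValueError:
            continue
        for name in fields[1:]:
            yield lineno, fields[0], name.lower()


def audit_hosts(text, protected_suffixes=()):
    """Flag mappings a blocklist never needs.

    'redirect': the name points at a real address, i.e. it is hijacked, not blocked.
    'blocked':  a blackhole entry for a domain you rely on (AV updates, your bank).
    """
    findings = []
    for lineno, ip, name in parse_hosts(text):
        if name in LOCAL_NAMES:
            continue
        protected = any(name == s or name.endswith("." + s) for s in protected_suffixes)
        if ip not in BLACKHOLE:
            findings.append((lineno, name, ip, "redirect"))
        elif protected:
            findings.append((lineno, name, ip, "blocked"))
    return findings


ZONE3_KEY = r"Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3"
ENABLE, PROMPT, DISABLE = 0, 1, 3
RECOMMENDED = {        # the six settings the post changes, keyed by registry value name
    "1001": ("Download signed ActiveX controls", PROMPT),
    "1004": ("Download unsigned ActiveX controls", DISABLE),
    "1201": ("Initialize and script ActiveX controls not marked as safe", DISABLE),
    "1800": ("Installation of desktop items", PROMPT),
    "1804": ("Launching programs and files in an IFRAME", PROMPT),
    "1607": ("Navigate sub-frames across different domains", PROMPT),
}


def audit_zone(current):
    """Return (id, description, current, wanted) for each setting looser than recommended.

    Enable < Prompt < Disable numerically, so 'current < wanted' means looser.
    A missing value is reported as 'unset' (IE then falls back to the zone template).
    """
    out = []
    for vid, (desc, wanted) in RECOMMENDED.items():
        cur = current.get(vid)
        if cur is None or cur < wanted:
            out.append((vid, desc, "unset" if cur is None else cur, wanted))
    return out


def read_zone3():
    """Read the current user's Internet-zone values on Windows; {} on other systems."""
    if os.name != "nt":
        return {}
    import winreg
    values = {}
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, ZONE3_KEY) as key:
        for vid in RECOMMENDED:
            try:
                values[vid], _ = winreg.QueryValueEx(key, vid)
            except FileNotFoundError:
                pass
    return values


def zone_reg_file():
    """Render a .reg file that applies the recommended values to the Internet zone."""
    lines = ["Windows Registry Editor Version 5.00", "", f"[HKEY_CURRENT_USER\\{ZONE3_KEY}]"]
    lines += [f'"{vid}"=dword:{wanted:08x}' for vid, (_, wanted) in RECOMMENDED.items()]
    return "\n".join(lines) + "\n"


# Constructed sample hosts file: a normal blocklist line, a hijack and a blocked vendor name.
SAMPLE_HOSTS = """# MVPS-style blocklist
127.0.0.1  localhost
0.0.0.0    ads.example.net            # blocked, fine
192.0.2.10 www.bank.example.org       # real address: hijacked
0.0.0.0    update.av.example.com      # would stop AV updates
"""

if __name__ == "__main__":
    for finding in audit_hosts(SAMPLE_HOSTS, protected_suffixes=("av.example.com",)):
        print("hosts:", finding)
    for finding in audit_zone(read_zone3() or {"1001": ENABLE, "1004": PROMPT}):
        print("zone:", finding)
    print(zone_reg_file())
```

On the infected machine you would feed audit_hosts the real file (%SystemRoot%\system32\drivers\etc\hosts) and the domains you cannot afford to lose, such as your antivirus vendor's update hosts. The "blocked" finding is also worth remembering when you install the MVPS hosts file the post links to: the post's note about the DNS Client service applies, because Windows caches the whole file through that service and a large one slows lookups.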
-
Thank you for ALL your help Oldman. I did everything you suggested and I sincerely appreciate your patience and careful explaining to me. We'll see how it goes, but everything seems fine right now. Have a wonderful Christmas season! Thanks again!
-
Hi choirgirl1,
You're welcome.
Merry Christmas to you and yours too. If you have any problems you can always come back.
Take care, keep safe.