Windows XP Pro SP3
Dell Inspiron 530
Intel Core2 Quad - Q660@2.4
Just got attacked with a bad virus. Froze everything. Ran a scan with AVG Free, froze again and started up with pop-ups - Windows Police Pro. Finally stopped that and got rid of it (hopefully).
Very new to all this. I usually fix things by looking at other threads but no use.
I deleted a.exe, b.exe, c.exe, d.exe out of the Temp folder. Deleted Win Police Pro wherever I could find it. Everything seemed back to normal but programs would not work. Downloaded "EXE (lnk and regfile) Fix for Windows XP". Everything works again except for:
- Firefox - (never opens)
- IE - (opens then closes quickly)
- Google desktop sidebar
- AVG - doesn't scan
- Ad-Aware "Failed to connect to service"
- Spybot "Windows cannot access the specified device...May not have the appropriate permissions..."
- Adware Away (same as spybot)
- Online scans don't work either - AVG won't close or uninstall.
- and finally HijackThis. 2.0 would not start. 1.9 starts but as soon as it finishes the scan, it disappears and won't open again. Same message as Spybot & Adware Away.
I run it from my thumb drive and am able to freeze and print-screen, so this is all I have.
I'm very sorry for being a novice at this but gotta get this up and running as soon as possible. Art computer at work. Thanks for any suggestions. First time ever posting anywhere.
**UPDATE**
Firefox & IE are now working!
Still can't run Virus/spyware scanners. Tried uninstalling AVG in SafeMode but would not finish uninstalling.
AVG errors keep popping up in normal mode. Don't think it's on.
I did manage to get this from HijackThis (not sure if it helps):
StartupList report, 8/31/2009, 2:07:43 PM
StartupList version: 1.52.2
Started from : J:\HijackThis_v1.99.1.EXE
Detected: Windows XP SP3 (WinNT 5.01.2600)
Detected: Internet Explorer v7.00 (7.00.6000.16876)
* Using default options
==================================================
--------------------------------------------------
End of report, 8,993 bytes
Report generated in 0.032 seconds
Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only
Hi, I have the same exact problem...
I know C:\WINDOWS\svchasts.exe is part of the virus.
So far I haven't gotten help on another site, so I hope someone can help here. I can't even run HijackThis because it closes right after, as well as any other antivirus software. I am thinking of doing a hard format because it would be faster to get my laptop working.. :(
justynf... yup, that's what I ended up doing. Back in the office on Monday and had to do something.
Backed up everything and reformatted.
Before that though, I tried the "repair" on Windows XP Setup with the disc. Got to 10 minutes left and it restarted all of a sudden on its own. Went to the "Windows XP" startup logo, then nothing. Thinking the worm got way in there. Only thing left I could do was reformat.
As for HijackThis, it's not the actual logfile... just the startup list report. Don't know how to read them so not sure of the difference.
Started "Hijack" from a thumb drive. Instead of running the scan (after running it and it disappearing, mind you) I hit the "Config" button under "Other stuff". Then hit "Generate StartupList log". Saved that to the thumb drive.
Forgot to mention, after IE started working again, and after a couple of times of closing and restarting the program, the Windows Police Pro popup started again, but just in IE. Firefox started redirecting to different websites. But Google Chrome worked. Installed it with a spyware/malware program (forgot which one). Guess I never got it all off.
Hi guys, new here and really have a major problem, very similar to what has been posted in this thread, but I haven't had any success resolving this now very big headache of an issue.
I have followed the instructions given in this thread. I used the Trend online virus scanner and it was slow, and it just stopped, didn't finish the scan. I installed Malwarebytes' Anti-Malware and after trying to scan my computer, the program just disappeared, and after I tried opening it again, it came up with an error message saying:
Windows can not access the specified device, path or file. You may not have the appropriate permissions to access the item
An hour or so ago, my icon for Internet Explorer, which I hadn't used in months (as I like Firefox much more) but had used twice in the last two days since Firefox was playing up, became blank and I can't open IE now; an error message comes up saying the device is not accessible.
I've tried System Restore to dates last week, but either I am unable to (I click Next after I choose the date to restore to and nothing happens) or I am able to and then get a message saying "unable to restore to that date, please choose another date to restore from", and I get that same message when choosing another date to restore from.
I got SpywareBlaster and it doesn't scan the computer, it just stays in the background detecting spyware that may come in afterwards. Also went to download.com and got Ad-Aware Anniversary Edition and, like Malwarebytes' Anti-Malware, it just closes suddenly a few seconds after it starts to scan and then I get a "can't access this" error message if I try to use it again.
Don't know where to go. Firefox and email running slow. My AVG Free Antivirus now doesn't even scan, as I found out today by trying to scan the few files I've downloaded, like SpywareBlaster and Ad-Aware Anniversary Edition.
I downloaded and installed SUPERAntiSpyware, same result as with Malwarebytes' Anti-Malware: when I start it up, it quickly disappears and when I try to get it to run again, I get an error message like before and I can't access it anymore. Whatever this is, I assume Trojan crap, it is smart and detects when programs that can detect it are running and has the ability to completely shut them down.
I partitioned my hard drive when I got it a few years ago, a smart thing as it allowed me to fix a pretty major problem some two years ago. Now, I tried to scan the larger partition of the hard drive (which I always use and is infected of course) a couple of hours ago. The three programs I used (SUPERAntiSpyware, Malwarebytes' Anti-Malware and Combo-Fix) worked from the small partition and detected and eliminated 9 trojans (one was a backdoor.bot). I then restarted the computer, loaded with the usual partition that was/is infected and thought things would likely be fixed now. I was wrong! Still can't run SUPERAntiSpyware or Malwarebytes' Anti-Malware and haven't tried ComboFix yet. AVG Free Antivirus still does not scan when I try to use it and Firefox wasn't even loading any of the webpages, though now I happen to have fixed that and it functions again.
I will paste the logs that have appeared, which I assume might give some information that might help you experts in trying to help me resolve this very nasty problem:
ComboFix 09-09-09.04 - mig 10/09/2009 19:06.1.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.1.1252.1.1033.18.511.243 [GMT 9:00]
Running from: c:\combo-fix\Combo-Fix.exe
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
Originally posted by justynf: Are you able to run a hijackthis log after running combofix?
Thank you dearly for the reply, I thought I wasn't going to get any and I was on the verge of just reinstalling XP Pro.
See, I can only scan my large partition (Drive D), which I always use, from the small partition (Drive C). I am not able to do any scans with any of the mentioned programs from Drive D (the infected partition). The scan with ComboFix was from Drive C, scanning Drive D. Can I do the same with HijackThis? That is, can I scan Drive D from Drive C? If so, show me how, as I thought HijackThis was only able to do a scan on the drive that is running at the time, the drive that XP is currently loaded from.
Also, the reason files become inaccessible after they get closed by the malware is that the malware is changing the security permissions to deny Everyone. You can temporarily fix this (temporarily because opening it again will just cause it to deny access again until the malware is removed).
Go to the access-denied file:
Right-click, Properties.
Click the Security tab.
Click Edit, click the name Everyone and click Remove.
Now click Add, type your login username and click Check Names.
Once it finds it, click OK.
Next click your name and tick Full Control on the Allow side.
This will give you access to the file again afterwards.
If that still won't work, you can go to Advanced, Owner tab.
Click Edit, then click your name, then Apply to take ownership of the file.
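As an added example (not part of justynf's post, and not from any tool named in this thread), here are the same GUI steps as a Windows PowerShell script. It assumes Windows PowerShell is installed (2.0 is a separate download on XP SP3) and is run from an administrator account; the path in the example call at the bottom is a placeholder, not a file anyone in the thread named. It does the three things the walkthrough does, in a sensible order: take ownership if the DACL cannot even be read, strip every Deny entry for Everyone (SID S-1-1-0), then grant the logged-on user Full Control.

```powershell
# Added example, not code from this thread: "remove Everyone, add yourself,
# take ownership" as a script. Assumes Windows PowerShell run as an
# administrator; the path passed at the bottom is a placeholder.
function Repair-FileAccess {
    param([Parameter(Mandatory = $true)][string]$Path)

    $me       = [System.Security.Principal.WindowsIdentity]::GetCurrent().User   # SID of the logged-on user
    $everyone = New-Object System.Security.Principal.SecurityIdentifier 'S-1-1-0'  # well-known "Everyone" SID

    # Step 1: read the DACL. A "Deny Everyone: Full Control" entry also denies
    # READ_CONTROL, so this can fail with access denied; in that case take
    # ownership first (the Advanced > Owner tab in the GUI). The owner of a file
    # may always rewrite its DACL. Writing only the owner relies on the
    # SeTakeOwnershipPrivilege that administrators hold.
    try {
        $acl = Get-Acl -Path $Path -ErrorAction Stop
    } catch {
        $ownerOnly = New-Object System.Security.AccessControl.FileSecurity
        $ownerOnly.SetOwner($me)
        Set-Acl -Path $Path -AclObject $ownerOnly
        $acl = Get-Acl -Path $Path -ErrorAction Stop
    }

    # Step 2: drop every explicit Deny entry for Everyone ("click Everyone, Remove").
    # Inherited entries are skipped: those have to be fixed on the parent folder.
    $removed = 0
    foreach ($ace in @($acl.Access)) {
        if ($ace.IsInherited) { continue }
        if ($ace.AccessControlType -ne [System.Security.AccessControl.AccessControlType]::Deny) { continue }
        $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier])
        if ($sid -eq $everyone) {
            $acl.RemoveAccessRuleSpecific($ace)
            $removed++
        }
    }

    # Step 3: grant yourself Allow Full Control ("Add, your name, tick Full Control").
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList @(
        $me,
        [System.Security.AccessControl.FileSystemRights]::FullControl,
        [System.Security.AccessControl.AccessControlType]::Allow
    )
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl

    $who = $me.Translate([System.Security.Principal.NTAccount]).Value
    "{0}: removed {1} Deny entries for Everyone, Full Control granted to {2}" -f $Path, $removed, $who
}

# Placeholder path: point it at the file that gives "Windows cannot access the
# specified device, path, or file", then start that program straight away.
Repair-FileAccess -Path 'C:\Downloads\mbam-setup.exe'
```

Run it, then launch the repaired program immediately. As the post above says, the malware that is still running re-applies its Deny entry, so this buys one launch of the blocked tool, not a cure; the tool you launch in that window is what has to remove the driver.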
GMER has picked up far more files than SUPERAntiSpyware and Malwarebytes' Anti-Malware did, many more in fact. I think I have to select the files on the log and choose delete myself, not sure yet.
Looks real promising and hopefully all will be back to normal soon. Thanks heaps and I will post saying whether everything gets good again or not.
Don't go deleting every listed thing right away; not everything listed is malware, but I know for sure the GEYEKR******** files are malware, which is what was in my system previously.
GMER will probably close itself once it reaches the FILES part of the scanning process. If it does close on you just uncheck that part and run scan again, then delete the following:
With those parts gone, you should be able to reboot and run the scans that closed on you previously, such as malwarebytes, combo-fix, and a hijackthis log.
Originally posted by justynf: Don't go deleting every listed thing right away; not everything listed is malware, but I know for sure the GEYEKR******** files are malware, which is what was in my system previously.
Once those are done, run GMER again searching for FILES only (that is, if it closed on you before it got to that part).
GMER closed soon after I got back on my computer this morning, after leaving it on all night as it is a long scan. The computer restarted, but not before I tried deleting:
Service system32\drivers\geyekrboiesmpr.sys (*** hidden *** ) [SYSTEM] geyekrxvkopxep <-- ROOTKIT !!!
A couple of error messages came up and the file was not deleted. I tried a second time, the same error messages came up and the file disappeared, not sure if it was deleted or not.
I tried deleting a couple, and when I right-clicked on one or both files at the same time, the options "delete service" and "disable service" were not available, I couldn't select them. Found it strange.
Just a sec, I will try to create a script for you to run to disable and delete it. Anyway, these files are suspicious; if you haven't deleted them, try to, unless you know what they are:
C:\warhor
C:\heyho
Now download The Avenger, run it and paste this script in it:
Back up your files just to be safe if you didn't already.
Drivers to disable:
svchast.exe
geyekrboiesmpr.sys
Drivers to delete:
svchast.exe
geyekrboiesmpr.sys
Files to delete:
c:\windows\system32\svchast.exe
c:\system32\drivers\geyekrboiesmpr.sys
c:\system32\geyekrtueqaavn.dll
c:\system32\geyekryviuwmtt.dat
c:\system32\geyekrqrrnrxdu.dll
c:\system32\geyekrymfoxweh.dat
c:\system32\geyekrfulkdubo.dll
Registry keys to delete:
HKLM\SYSTEM\CurrentControlSet\Services\geyekrxvkopxep
HKLM\SYSTEM\ControlSet003\Services\geyekrxvkopxep
Run it and when it asks to reboot, click Yes.
Your computer will reboot twice.
That may not be all there is to removing it yet, but it is a start if it works. Reply to tell me if it helped any and run new scans to see if anything was forgotten.
Also run CCleaner; it will delete all the temp files and folders where there may be leftover malware files. It still isn't 100% removed, but it's a start, then continue running all scans and posting more logs.
Originally posted by justynf: Just a sec, I will try to create a script for you to run to disable and delete it. Anyway, these files are suspicious; if you haven't deleted them, try to, unless you know what they are.
I've unblocked Malwarebytes' Anti-Malware and SUPERAntiSpyware, but wasn't able to do so for HiJackThis and Internet Explorer. The blocking happened at the setup file which installs the whole program, not the .exe file that runs the program (after install). Do you know how to overcome this?
Also, I unblock ComboFix, but it goes back to being blocked straight away; it doesn't stay unblocked. I haven't had that with any of the other mentioned programs, so it is strange.
I have downloaded CCleaner and am doing a scan right now, will edit this post or make a new post with the results. Does seem like this infection/worm is real bad and can't be fully removed. Will reinstall XP tonight if I just can't find a total solution.
I managed then to run a full scan with Malwarebytes' Anti-Malware and the results were the same as when I was able to run the first and only scan on Tuesday, before the program was blocked. The log is below:
Malwarebytes' Anti-Malware 1.41
Database version: 2784
Windows 5.1.2600 Service Pack 2
13/09/2009 9:52:31 AM
mbam-log-2009-09-13 (09-52-31).txt
Scan type: Full Scan (D:\|)
Objects scanned: 198013
Time elapsed: 1 hour(s), 52 minute(s), 34 second(s)
Rename the setup file to .src and try to run it. Tell me if that works. After partially removing the malware with Malwarebytes and restarting your computer, does it allow you to run any programs that were being blocked before?
Forgot to add, sometimes it is a good idea to rename the programs before saving them to the computer; this can help sometimes if the malware service is blocking them by name or something.
Anyway, another thing you can try is downloading and running Silent Runners and posting the log.
If you can get a list of startup services running on your computer we could figure out which ones are malware and try to disable them so you can try to run programs to finish removing the malware files.
Originally posted by justynf: Forgot to add, sometimes it is a good idea to rename the programs before saving them to the computer; this can help sometimes if the malware service is blocking them by name or something.
Hope this helps.
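As an added example (my own, not justynf's code and not any tool named in the thread), here is the kind of startup-service listing asked for above, with two cross-view checks of the sort GMER performs. View 1 is what the Service Control Manager admits to, taken through WMI; view 2 is the Services registry key. A service that is in the registry but missing from view 1, or whose registry ImagePath names a file the file system API says is not there, is how a self-hiding driver shows up. It assumes Windows PowerShell (2.0 is a separate download on XP SP3) run as an administrator; the output column names are my own.

```powershell
# Added example, not code from this thread: list every service/driver the
# registry knows about, resolve its binary, and flag entries that the SCM or
# the file system disagree about. Assumes Windows PowerShell run as an
# administrator. Column names (Name, Start, Type, Image, Reason) are my own.
function Get-SuspiciousServices {
    $root    = 'HKLM:\SYSTEM\CurrentControlSet\Services'
    $sysRoot = $env:SystemRoot

    # View 1: the names the SCM/WMI layer is willing to enumerate.
    $scmNames = @{}
    foreach ($s in @(Get-WmiObject Win32_Service) + @(Get-WmiObject Win32_SystemDriver)) {
        $scmNames[$s.Name.ToLower()] = $true
    }

    # View 2: every service key with a binary, read from the registry.
    foreach ($key in Get-ChildItem -Path $root -ErrorAction SilentlyContinue) {
        $p = Get-ItemProperty -Path $key.PSPath -ErrorAction SilentlyContinue
        if (-not $p -or -not $p.ImagePath) { continue }   # e.g. Eventlog\Application: no binary

        # Normalise ImagePath to an absolute file name: strip quotes and
        # arguments, expand %SystemRoot%, \SystemRoot\, \??\ and the bare
        # "system32\drivers\x.sys" form that drivers use.
        $image = [Environment]::ExpandEnvironmentVariables($p.ImagePath.Trim())
        if ($image.StartsWith('"')) { $image = $image.Split('"')[1] }
        else { $image = ($image -split '\s+[-/]')[0] }        # "svchost.exe -k netsvcs" -> svchost.exe
        $image = $image -replace '^\\\?\?\\', ''
        $image = $image -replace '^\\SystemRoot\\', "$sysRoot\"
        if ($image -notmatch '^[A-Za-z]:\\') { $image = Join-Path $sysRoot $image }

        $inScm   = $scmNames.ContainsKey($key.PSChildName.ToLower())
        $visible = Test-Path -LiteralPath $image
        $sigOk   = $null
        if ($visible) { $sigOk = (Get-AuthenticodeSignature -FilePath $image).Status -eq 'Valid' }

        $reasons = @()
        if (-not $inScm)   { $reasons += 'in registry, hidden from SCM/WMI' }
        if (-not $visible) { $reasons += 'registry names a file the file system cannot see' }
        elseif (-not $sigOk -and $p.Start -le 1) { $reasons += 'unsigned boot/system-start driver' }

        if ($reasons.Count -gt 0) {
            New-Object PSObject -Property @{
                Name   = $key.PSChildName
                Start  = $p.Start        # 0 boot, 1 system, 2 auto, 3 manual, 4 disabled
                Type   = $p.Type         # 1 kernel driver, 2 file system driver, 16/32 Win32 service
                Image  = $image
                Reason = ($reasons -join '; ')
            }
        }
    }
}

Get-SuspiciousServices | Sort-Object Start, Name | Format-Table -AutoSize Name, Start, Type, Image, Reason
```

Two caveats. The first two flags are the ones to act on: a service key whose binary the file system denies exists, or which the SCM will not list, has no honest explanation. The third flag is noisy on XP, because many Microsoft drivers there are signed through catalog files rather than in the file itself and Get-AuthenticodeSignature reports them as NotSigned; compare against a known-clean machine before deleting anything. And a rootkit that also hides its registry key from the Windows API (GMER's "*** hidden ***" service entry above) will not appear here at all, because this script goes through that API while GMER reads the hive directly.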
I can't run Silent Runners.vbs.
It opens in Notepad, so I have to use the command prompt. I followed the instructions in the FAQ on the site and I get the message in the command prompt (DOS) that Silent Runners.vbs cannot be found, yet I'm in the correct directory so it should be present.
I still can't access IE, ComboFix and HiJackThis. I get the same error message saying I don't have access to those programs.
Last thing I can think of is to try to disable the malware driver. If this works, it will let you run certain scans I mentioned: The Avenger and the script I gave, etc.
Originally posted by justynf: Last thing I can think of is to try to disable the malware driver. If this works, it will let you run certain scans I mentioned: The Avenger and the script I gave, etc.
Select all that is shown when Notepad opens, and delete it. Save it once done.
Now open The Avenger and run the script I gave. Other programs as well if it lets you.
I've deleted all the gey******** files, managed to do that Saturday. Looks like it's something else. With running the script, don't you use cscript, as the FAQ on the Silent Runners site says? Avenger, is that something else?
I found a file in D:\WINDOWS\system32 called qmgr.dll. I looked back at the first Combo-Fix scan I did last Thursday. It didn't finish, closed after 30 secs or so, but it did post the following log:
ComboFix 09-09-09.04 - mig 10/09/2009 19:06.1.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.1.1252.1.1033.18.511.243 [GMT 9:00]
Running from: c:\combo-fix\Combo-Fix.exe
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
It says that qmgr.dll is infected. I tried deleting it, can't, and will try in Safe Mode. Is it better to start up in Safe Mode or Safe Mode with Networking?
There are plenty of posts by others who needed help that 2oldgeek helped fix; finding any of those threads will give you some idea of how to go about at least getting your computer to a usable standard.
Below is a link for a free live CD that is for fixing virus-infected computers. I have never used it; however, PCMech recommends it, so it's safe to assume it's legit.
Personally I'd save any data and reformat. If you can't boot or the virus makes things awkward, then place the HDD in an external housing and get any data you need that way, because you'll more than likely find that once infected, even if you repair it, things just won't work the same.
Next, some freebies so it doesn't happen again unless you're stupid. These three should solve any future problems, unless you install crap without scanning it first; all three are free and real-time scanners.
Originally posted by scorpNZ: There are plenty of posts by others who needed help that 2oldgeek helped fix; finding any of those threads will give you some idea of how to go about at least getting your computer to a usable standard.
I had searched the forum here and none of the information on the other few threads about the same sort of infection worked for me. Malwarebytes' Anti-Malware looked like it would work, but like the other programs explained, it too didn't scan and then was inaccessible.
Chances are I will do a reinstall of XP, because of the little issues left on my computer (like not being able to unblock IE and ComboFix, and still not being able to scan with AVG Free Antivirus).
Another way to retrieve data, if an external housing and another computer are unavailable, is to install Linux to any free space, something like Ubuntu, as it can install automatically for you. It's free, as are Kubuntu and Puppy Linux; there are many other free Linux OSes available, all of which can be viewed at DistroWatch.