I've picked up an odd virus and I have been unable to learn much about it. Any help, particularly a removal tool or online instructions, would be greatly appreciated.
Two of the files installed are "proper.exe" and "winter.exe." They have both been removed, but the system still attempts to load proper.exe at startup.
Other symptoms are numerous, mostly registry changes I believe: The Control Panel is no longer accessible, and the icon has disappeared from the Start menu. The Task Manager was disabled. Registry editing was disabled. TweakUI was inaccessible. And I'm still getting an error message while trying to open Set Program Access and Defaults:
"This operation has been canceled due to restrictions in effect on this computer. Please contact your system administrator."
Any idea what virus this is?

Other files associated with this virus are:
autos.exe
infos.exe
skuns.dat

I think I've fixed most of it, but I'm still missing the Control Panel and can't use Set Program Access and Defaults. I assume these are due to registry changes, but I've so far been unable to track them down.

I have no idea what scans you have done; there are some good free ones listed in the red link. Run them to help clear things up.
Also, what AV are you using?
You can also find a link to Avast Free in the red link. I would suggest you download it, install it and let it do a boot scan on reboot. You will be surprised at what it will find. I would suggest you move all the infections to the chest. Then after reboot you will have to disable Avast or the other AV you use; you can't have two AVs running at the same time.
Some HELP in posting on Cnet plus free progs and instructions Glad to Help!

I had the same problem. I tried AVG Antivirus, smitrem, smitfraudfix, Windows Defender and Spybot Search and Destroy and was left in the same state as described by Bobthearch. I used HijackThis to remove the start-up entries for the files mentioned but was still in trouble (could not run Control Panel) until I downloaded and ran ComboFix. This removed Explore.exe and fixed the Windows problems.

So far I've used AVG, Hijack This, and Spybot S&D. That's eliminated the virus programs I think, but not restored the system settings that were altered.
I'll try ComboFix. Thanks for the suggestion.

Way to recover after deleting virus files:
start\run - type: cmd - type: gpedit.msc
to enable control panel: User Configuration\Administrative Templates\Control Panel -> change the value of Prohibit access to the Control Panel to DISABLE
to enable task manager: User Configuration\Administrative Templates\System\Control+Alt+Del Options -> change the value of Remove Task manager to DISABLE
Complete the 2 steps above, go back to the command line and type: gpupdate /force
Let's check the result. To enable the Regedit command, download this file: http://www.dougknox.com/security/sc...
Run it, then restart the computer and see the result! Good luck!
Duong Nguyen
duong@cert24.com

It appears that gpedit is not included with my version of XP.
ComboFix worked fine.
Your time and knowledge is sincerely appreciated!

Dear Friends. I have the same problem as Bobthearch, but ComboFix is not working for me. I have run every anti-spyware program I can think of:
AVG Anti-Spyware
SuperAntiSpyware
Ad-Aware SE
Spybot Search + Destroy
...etc. I succeeded in enabling the Task Manager through the technique outlined above.

My advice (but at your own risk):
Run HijackThis and delete entries to any of the files listed:
proper.exe
winter.exe
autos.exe
infos.exe
skuns.dat
Also delete any entries which disable regedit. Then try again with ComboFix.
gpedit.msc is only found in XP Professional

Start-up entries that need to be removed using HijackThis:
O4 - HKCU\..\Run: [Undefined] C:\WINDOWS\system32\winter.exe
O4 - Startup: infos.exe
O4 - Global Startup: autos.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O20 - AppInit_DLLs: C:\WINDOWS\system32\skuns.dat
Then try running ComboFix - it worked for me.

I tried running some of the files past the scanners at www.virustotal.com. Winter.exe and proper.exe are now identified by AVG Antivirus as small.2.bb. So there is a good chance if you install AVG Antivirus and update it, NOW (2nd November 2007) it will remove this problem.

My virus seems to hijack my Norton 360 Symantec virus program. I have run ComboFix, but maybe I don't understand what it does. Does it actually fix things or just give a report? Plus, I can't really tell what the report means. I guess I'm more computer illiterate than I thought! Should I run ComboFix in safe mode, or does it matter? I have run Spybot and my Symantec scans too. If I posted the ComboFix report, could someone interpret that for me? Thanks
Ral

I also am having problems with this virus. Has anyone else noticed a file called bronto.dll? I think this file is connected; it's found in the system32 folder. Also, skuns.dat keeps recreating itself; any suggestions? I'm currently running in safe mode with networking cleaning up my computer, and any help would be appreciated.

I have this infection on my old P266 laptop running Win2k. SpywareBeGone does not recognize this as an infection. Additional symptoms: IE keeps trying to launch spontaneously (I use only Firefox), and repeatedly volunteers to take me to a spyware download (where they can separate me from my wallet), crippling my performance. It causes Spybot S&D to abort on installation, and made installation of Norton SystemWorks 2004 a multi-try job. It also may be why I can't update my Norton virus definitions.
I'm going to proceed as detailed above, but if there are any alterations

Follow-on to response 14: Combofix deleted a ton of files with inscrutable alpha-string names, but unfortunately, Norton SystemWorks 2004 in the background, detected some of the routine as malicious script. Combofix appeared to finish, but now lsass.exe generates errors and shuts down shortly after startup. I also get a Norton malicious code warning on pobymaf22011.exe. With the spontaneous shutdowns, it will be tough to do further diagnostics. Anyone have suggestions?

A machine at my office had this a week ago. We cleaned off all the files in question and fixed the registry entries. It still had the "canceled due to restrictions" error,
but I fixed that by going to HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer, NoControlPanel=1
and changing the value to 0.
However, some internet functionality is missing: can't expand/collapse navigational elements on some pages, and navigational links don't work on some pages.
The problem is only affecting one user profile; if I log on under a different profile everything's OK.

I still can't access my Control Panel although I have used HijackThis to remove the exe files as stated above. My log file is attached. Please advise which files should be removed further.
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie...
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5400
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;<local>;*windowsupdate.com;download.microsoft.com;*windowsupdate.microsoft.com;codecs.microsoft.com;activex.microsoft.com;liveupdate.symantecliveupdate.com;liveupdate.symantec.com;service1.symantec.com;*.nai.com;*.networkassociates.com;*.trademe.co.nz
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: PBlockHelper Class - {4115122B-85FF-4DD3-9515-F075BEDE5EB5} - C:\Program Files\SlipStream Web Accelerator\PBHelper.dll
O2 - BHO: Parental Control Toolbar - {4E7BD74F-2B8D-469E-9FA5-A33DE8DBE931} - C:\PROGRA~1\PARENT~1\PARENT~1.DLL
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: (no name) - {D27987B8-7244-4DE0-AE10-39B826B492F1} - C:\WINDOWS\system32\bronto.dll
O3 - Toolbar: Parental Control Toolbar - {4E7BD74F-2B8D-469E-9FA5-A33DE8DBE931} - C:\PROGRA~1\PARENT~1\PARENT~1.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [DispSwitchLauncher] C:\Program Files\Fujitsu\DispSwitch\DispSwitchLauncher.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [LoadFUJ02E3] C:\Program Files\Fujitsu\FUJ02E3\FUJ02E3.exe
O4 - HKLM\..\Run: [IndicatorUtility] C:\Program Files\Fujitsu\Fujitsu Hotkey Utility\IndicatorUty.exe
O4 - HKLM\..\Run: [LoadFujitsuQuickTouch] C:\Program Files\Fujitsu\Application Panel\QuickTouch.exe
O4 - HKLM\..\Run: [LoadBtnHnd] C:\Program Files\Fujitsu\BtnHnd\BtnHnd.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [FJUPDNV_Chitose] C:\Program Files\Fujitsu\updnavi\updnavi.exe
O4 - HKLM\..\Run: [ACU] "C:\Program Files\Atheros\ACU.exe" -nogui
O4 - HKLM\..\Run: [Norman ZANDA] C:\Norman\Npm\bin\ZLH.exe /LOAD /SPLASH
O4 - HKLM\..\Run: [WatchDog] C:\Program Files\mobile PhoneTools\WatchDog.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [CTRegRun] C:\WINDOWS\CTRegRun.exe
O4 - HKLM\..\Run: [parentalcontrol] "C:\Program Files\parentalcontrol\parentalcontrol.exe" "C:\Program Files\parentalcontrol\parentalcontrol.dll" "parentalcontrol"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [FixCamera] C:\WINDOWS\FixCamera.exe
O4 - HKLM\..\Run: [tsnpstd3] C:\WINDOWS\tsnpstd3.exe
O4 - HKLM\..\Run: [snpstd3] C:\WINDOWS\vsnpstd3.exe
O4 - HKLM\..\Run: [NI.UGA6P_0001_N122M2210] "C:\Documents and Settings\Kit del Rosario II\Desktop\install_en.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\BitTorrent_DNA\dna.exe"
O4 - Startup: HotSync Manager.LNK = C:\Program Files\Palm\HOTSYNC.exe
O4 - Startup: PowerReg Scheduler.exe
O4 - Startup: Spinach AntiSpyware.lnk = C:\Program Files\Spinach AntiSpyware\AntiSpyware.exe
O4 - Global Startup: Dataviz Messenger.lnk = C:\WINDOWS\DvzCommon\DvzMsgr.exe
O4 - Global Startup: NkbMonitor.exe.lnk = C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
O4 - Global Startup: NPF Messenger.lnk = ?
O4 - Global Startup: SlipStream Web Accelerator.lnk = C:\Program Files\SlipStream Web Accelerator\slipaccel.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Show All Original Images - res://C:\Program Files\SlipStream Web Accelerator\slipaccel.exe/250
O8 - Extra context menu item: Show Original Image - res://C:\Program Files\SlipStream Web Accelerator\slipaccel.exe/227
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O14 - IERESET.INF: START_PAGE_URL=http://www.pc-ap.fujitsu.com/
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/g...
O20 - AppInit_DLLs: C:\WINDOWS\system32\skuns.dat
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\ACS.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Norman eLogger service 6 (eLoggerSvc6) - Norman ASA - C:\Norman\Npm\bin\ELOGSVC.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Norman NJeeves - Unknown owner - C:\Norman\Npm\bin\NJEEVES.exe
O23 - Service: Norman Type-R - Unknown owner - C:\Program Files\Norman\NPF\NPFSVICE.exe
O23 - Service: Norman ZANDA - Norman ASA - C:\Norman\Npm\Bin\Zanda.exe
O23 - Service: Norman Virus Control on-access component (nvcoas) - Norman ASA - C:\Norman\Nvc\bin\nvcoas.exe
O23 - Service: Norman Virus Control Scheduler (NVCScheduler) - Norman ASA - C:\Norman\Nvc\BIN\NVCSCHED.exe
O23 - Service: O2Micro Flash Memory (O2Flash) - Unknown owner - C:\WINDOWS\system32\o2flash.exe
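As an added example (not code from anyone in this thread), here is a small Python script that triages HijackThis log lines for the entries the posts above single out: the O4 startup entries for the named files, the O7 policy line, the O20 AppInit_DLLs line, the unnamed BHO loading bronto.dll, and the loopback proxy in the log just posted. It also writes .reg text that resets the HKCU policy values behind the "restrictions in effect" error (the NoControlPanel value from the earlier reply, plus the Task Manager and registry-tools values that the gpedit.msc route changes). The sample log lines are copied from the thread; the line-format regex, the symptom names and the mapping of HijackThis's "DisableRegedit" label onto the DisableRegistryTools value are my assumptions.

```python
"""Triage a HijackThis log for the entries discussed in this thread and build a .reg fix.

Added example; not part of the original thread. The sample log lines are copied from
the posts above; the parsing rules are assumptions about HijackThis's line format.
"""
import re
from dataclasses import dataclass

# File names the posts above associate with this infection (lowercase for matching).
THREAD_IOCS = ("proper.exe", "winter.exe", "autos.exe", "infos.exe", "skuns.dat", "bronto.dll")

# Lockout symptom -> (HKCU policy key, value name). Setting the value to 0 (or deleting
# it) restores access. Assumption: the HijackThis O7 label "DisableRegedit" refers to
# the DisableRegistryTools value under Policies\System.
POLICY_KEYS = {
    "regedit":      (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System",   "DisableRegistryTools"),
    "taskmgr":      (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System",   "DisableTaskMgr"),
    "controlpanel": (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer", "NoControlPanel"),
}

# Assumed HijackThis line shape: "<section> - <body>", e.g. "O4 - HKCU\..\Run: [x] path".
HJT_LINE = re.compile(r"^(?P<section>[RFO]\d+) - (?P<body>.+)$")


@dataclass
class Finding:
    section: str
    reason: str
    line: str


def triage(log_text: str) -> list:
    """Return one Finding per HijackThis line that deserves a closer look."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = HJT_LINE.match(line)
        if not m:
            continue  # blank lines, headers and other non-HJT text
        section, body = m.group("section"), m.group("body")
        lower = body.lower()
        ioc = next((name for name in THREAD_IOCS if name in lower), None)
        if section == "O7":
            reason = "policy restriction set on this user (lockout)"
        elif section == "O20" and lower.startswith("appinit_dlls:"):
            reason = "AppInit_DLLs entry: loaded into every process that loads user32.dll"
        elif section == "R1" and "proxyserver" in lower and "127.0.0.1" in lower:
            reason = "browser proxy points at a local port; identify what listens there"
        elif ioc:
            reason = "references a file named in this thread"
        else:
            continue  # benign entries pass through untouched
        if ioc:
            reason += f" ({ioc})"
        findings.append(Finding(section, reason, line))
    return findings


def symptoms_from_findings(findings) -> set:
    """Map O7 findings onto the symptom names used in POLICY_KEYS."""
    symptoms = set()
    for f in findings:
        if f.section == "O7" and "disableregedit" in f.line.lower():
            symptoms.add("regedit")
    return symptoms


def remediation_reg(symptoms) -> str:
    """Build .reg text that resets the policy values for the given symptoms to 0."""
    by_key = {}
    for s in sorted(symptoms):
        key, value = POLICY_KEYS[s]
        by_key.setdefault(key, []).append(value)
    out = ["Windows Registry Editor Version 5.00", ""]
    for key in sorted(by_key):
        out.append(f"[{key}]")
        out.extend(f'"{v}"=dword:00000000' for v in sorted(by_key[key]))
        out.append("")
    return "\n".join(out)


# Constructed sample: the lines quoted in the posts above plus one benign ctfmon entry.
SAMPLE_LOG = """\
O4 - HKCU\\..\\Run: [Undefined] C:\\WINDOWS\\system32\\winter.exe
O4 - HKCU\\..\\Run: [ctfmon.exe] C:\\WINDOWS\\system32\\ctfmon.exe
O4 - Startup: infos.exe
O4 - Global Startup: autos.exe
O7 - HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System, DisableRegedit=1
O2 - BHO: (no name) - {D27987B8-7244-4DE0-AE10-39B826B492F1} - C:\\WINDOWS\\system32\\bronto.dll
O20 - AppInit_DLLs: C:\\WINDOWS\\system32\\skuns.dat
R1 - HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings,ProxyServer = http=127.0.0.1:5400
"""

if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for f in found:
        print(f"{f.section:>4}  {f.reason}\n      {f.line}")
    # The thread also reports Task Manager and Control Panel lockouts that HJT does not list,
    # so those symptoms are added by hand here.
    print(remediation_reg(symptoms_from_findings(found) | {"taskmgr", "controlpanel"}))
```

Run it as-is to see the sample triage, or call `triage()` on a saved HijackThis log. Treat each finding as something to verify rather than delete blindly; the ctfmon.exe line in the sample shows that ordinary entries are left alone. Importing the generated .reg text needs regedit to be usable, so if DisableRegistryTools is set, that value has to be cleared by another route first (the thread points at the dougknox script for this).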

Here is a site that has the solutions to re-enable those functions that were shut down.
http://www.rusnakweb.com/src/reg.html

If having problems with the file in the AppInit (mine was sol868.txt or something like that), copy over it with a blank file. Then via HijackThis set it up to delete the file upon reboot. Also there is a rename command that is renaming a file in your user's Local Settings to the "sol" AppInit file. Set this up to delete upon reboot as well as deleting it now. Close down all apps.
Kill Explorer.exe.
Turn off the computer - do not do a shutdown.
Restart.
You should now be OK to start re-enabling your access.
Then just delete the AppInit reg entry (I blanked it out).
This worked for me.
