Solved Vista 2012 Virus - Unable to remove

June 23, 2011 at 12:03:40
Specs: Windows XP
I've been following the processes outlined at http://www.bleepingcomputer.com/vir... but when I get to Step 5, my computer will not let me download the rkill file at all. It comes back with an error stating "C:\Users\Jacob\Desktop\iExplore.exe could not be saved, because an unknown error occurred. Try saving to a different location." The only option is an <OK> button.
No matter which named version I try, I get the same error. It also does not matter what folder I try to save the file to; I even tried to save it to the flash drive that I used to get the registry file to the infected computer.

How can I get past Step 5?




#1
June 23, 2011 at 13:37:25
For some reason, the link I posted didn't work.
Try this for the steps I was using:
http://www.bleepingcomputer.com/vir...



#2
June 23, 2011 at 16:36:48
✔ Best Answer
Minime8484,

Try the following program. It also looks for malicious processes and ends them:

Download RogueKiller
http://tigzy.geekstogo.com/Tools/Ro...
Save it to your Desktop.

Now, close all open programs.

XP users, double-click the file to run it.
For Vista/Windows 7, right click the file and select: Run as Administrator

When prompted, type 1 and hit Enter.

An RKreport.txt should appear on your Desktop.

Note: If the program is blocked, do not hesitate to try several times. If it really does not work (it could happen), rename it to winlogon.exe.

>>Please post the contents of the >RKreport.txt< in your reply.<<

Next, press on to use Malwarebytes' Anti-Malware per those instructions.

>>Also post the Malwarebytes' results in your reply.<<

~~~~
Retired - Doin' Dis, Dat, and slapping malware.



#3
June 23, 2011 at 22:58:28
This seemed to have worked!

Here is the report from the Rogue Killer process:

RogueKiller V5.2.4 [06/23/2011] by Tigzy
contact at http://www.sur-la-toile.com
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.sur-la-toile.com/discuss...

Operating System: Windows Vista (6.0.6002 Service Pack 2) 32 bits version
Started in : Normal mode
User: Jacob [Admin rights]
Mode: Scan -- Date : 06/23/2011 16:44:33

Bad processes: 2
[SUSP PATH] sttray.exe -- c:\windows\sttray.exe -> KILLED
[SUSP PATH] rhw.exe -- c:\users\jacob\appdata\local\rhw.exe -> KILLED

Registry Entries: 9
[SUSP PATH] HKCU\[...]\Run : conhost (C:\Users\Jacob\AppData\Roaming\Microsoft\conhost.exe) -> FOUND
[ROGUE ST] HKCU\[...]\Run : 4265663444 (C:\Users\Jacob\AppData\Local\rhw.exe) -> FOUND
[SUSP PATH] HKUS\S-1-5-21-751151514-4145099362-3676042802-1000[...]\Run : conhost (C:\Users\Jacob\AppData\Roaming\Microsoft\conhost.exe) -> FOUND
[ROGUE ST] HKUS\S-1-5-21-751151514-4145099362-3676042802-1000[...]\Run : 4265663444 (C:\Users\Jacob\AppData\Local\rhw.exe) -> FOUND
[SUSP PATH] HKCU\[...]\Winlogon : Shell (explorer.exe,C:\Users\Jacob\AppData\Roaming\dwm.exe) -> FOUND
[SUSP PATH] HKUS\S-1-5-21-751151514-4145099362-3676042802-1000[...]\Winlogon : Shell (explorer.exe,C:\Users\Jacob\AppData\Roaming\dwm.exe) -> FOUND
[PROXY IE] HKCU\[...]\Internet Settings : ProxyServer (http=127.0.0.1:54848) -> FOUND
[HJ] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

HOSTS File:

127.0.0.1 localhost


Finished : << RKreport[1].txt >>
RKreport[1].txt

The Malwarebytes program said it wrote out a log, but it didn't indicate where it was located; I did some searching on my C drive, but couldn't find it after the re-boot. If you can help me find it, I can paste it here too.

Regardless, thanks so much for your help!!!



#4
June 24, 2011 at 08:25:48
We're not done yet...

Now, please run RogueKiller once again, and use option 2
(To remove malicious entries)

Press: Enter, and post the new RKreport.txt that appears on your Desktop.

Once again, run RogueKiller, this time use option 6
(For shortcuts and disappeared Desktop files/folders, startup menu/etc.)

Press: Enter, and post the new RKreport.txt that appears on your Desktop.

~~~~
Retired - Doin' Dis, Dat, and slapping malware.



#5
June 24, 2011 at 08:34:44
OK - sorry - must've jumped the gun! Thanks for your patience with me!

Ran RogueKiller (Option 2); the following log was written to NotePad:
-----------
RogueKiller V5.2.4 [06/23/2011] by Tigzy
contact at http://www.sur-la-toile.com
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.sur-la-toile.com/discuss...

Operating System: Windows Vista (6.0.6002 Service Pack 2) 32 bits version
Started in : Normal mode
User: Jacob [Admin rights]
Mode: Remove -- Date : 06/24/2011 08:29:13

Bad processes: 1
[SUSP PATH] sttray.exe -- c:\windows\sttray.exe -> KILLED

Registry Entries: 3
[SUSP PATH] HKCU\[...]\Run : conhost (C:\Users\Jacob\AppData\Roaming\Microsoft\conhost.exe) -> DELETED
[HJ] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> REPLACED (0)
[HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)

HOSTS File:

127.0.0.1 localhost


Finished : << RKreport[2].txt >>
RKreport[1].txt ; RKreport[2].txt
-----------

I then ran RogueKiller (Option 6); the following log was written to Notepad:

-----------
RogueKiller V5.2.4 [06/23/2011] by Tigzy
contact at http://www.sur-la-toile.com
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.sur-la-toile.com/discuss...

Operating System: Windows Vista (6.0.6002 Service Pack 2) 32 bits version
Started in : Normal mode
User: Jacob [Admin rights]
Mode: Shortcuts HJfix -- Date : 06/24/2011 08:31:36

Bad processes: 0

File attributes restored:
Desktop: Success 16 / Fail 0
Quick launch: Success 0 / Fail 0
Programs: Success 15 / Fail 0
Start menu: Success 0 / Fail 0
User folder: Success 199 / Fail 0
My documents: Success 3 / Fail 0
My favorites: Success 0 / Fail 0
My pictures: Success 0 / Fail 0
My music: Success 0 / Fail 0
My videos: Success 0 / Fail 0
Local drives: Success 482 / Fail 0
Backup: [NOT FOUND]

Drives:
[C:] \Device\HarddiskVolume3 -- 0x3 --> Restored
[D:] \Device\HarddiskVolume2 -- 0x3 --> Restored
[E:] \Device\CdRom0 -- 0x5 --> Skipped
[F:] \Device\HarddiskVolume4 -- 0x2 --> Restored

Finished : << RKreport[3].txt >>
RKreport[1].txt ; RKreport[2].txt ; RKreport[3].txt

-----------

Still more to do?
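As an added example (not code from this thread and not RogueKiller's own logic), here is a small Python parser for the RKreport line format visible in the logs above. It classifies each registry finding by the persistence mechanism its key implies, flags paths that borrow a Windows system binary's name outside the Windows directory or run from AppData/Temp, and compares a scan report with the later removal report to list what the removal run did not touch. The sample input is a constructed subset of the lines pasted in posts #3 and #5; the key-to-technique labels, the system-binary list and the path heuristics are my own assumptions, not the tool's verdicts.

```python
import re
from collections import Counter

# Constructed sample input: a subset of the RKreport[1] scan lines pasted in this thread.
SCAN_REPORT = r"""
Bad processes: 2
[SUSP PATH] sttray.exe -- c:\windows\sttray.exe -> KILLED
[SUSP PATH] rhw.exe -- c:\users\jacob\appdata\local\rhw.exe -> KILLED

Registry Entries: 9
[SUSP PATH] HKCU\[...]\Run : conhost (C:\Users\Jacob\AppData\Roaming\Microsoft\conhost.exe) -> FOUND
[ROGUE ST] HKCU\[...]\Run : 4265663444 (C:\Users\Jacob\AppData\Local\rhw.exe) -> FOUND
[SUSP PATH] HKCU\[...]\Winlogon : Shell (explorer.exe,C:\Users\Jacob\AppData\Roaming\dwm.exe) -> FOUND
[PROXY IE] HKCU\[...]\Internet Settings : ProxyServer (http=127.0.0.1:54848) -> FOUND
[HJ] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
"""

# Constructed sample input: the RKreport[2] removal-run (option 2) lines from this thread.
REMOVE_REPORT = r"""
Bad processes: 1
[SUSP PATH] sttray.exe -- c:\windows\sttray.exe -> KILLED

Registry Entries: 3
[SUSP PATH] HKCU\[...]\Run : conhost (C:\Users\Jacob\AppData\Roaming\Microsoft\conhost.exe) -> DELETED
[HJ] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> REPLACED (0)
[HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)
"""

# Line shapes as they appear in the pasted reports (assumed format, derived from the logs above).
PROCESS_RE = re.compile(r"^\[(?P<tag>[A-Z ]+)\] (?P<name>\S+) -- (?P<path>.+?) -> (?P<action>.+)$")
REGISTRY_RE = re.compile(r"^\[(?P<tag>[A-Z ]+)\] (?P<key>.+?) : (?P<name>\S+) \((?P<value>.*)\) -> (?P<action>.+)$")

# Last key component -> what the entry buys the malware (labels are my own, not RogueKiller's).
PERSISTENCE = {
    "Run": "autostart via Run key",
    "Winlogon": "Winlogon Shell hijack (loads alongside explorer.exe)",
    "Internet Settings": "browser traffic forced through a local proxy",
    "NewStartPanel": "desktop icons hidden",
}

# Names of Windows binaries that belong under the Windows directory; a copy elsewhere is a masquerade.
SYSTEM_BINARIES = {"conhost.exe", "dwm.exe", "winlogon.exe", "svchost.exe", "csrss.exe", "lsass.exe"}


def parse_report(text):
    """Return one dict per process or registry finding in an RKreport-style text."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        m = PROCESS_RE.match(line)
        if m:
            d = m.groupdict()
            d["kind"] = "process"
            findings.append(d)
            continue
        m = REGISTRY_RE.match(line)
        if m:
            d = m.groupdict()
            d["kind"] = "registry"
            d["technique"] = PERSISTENCE.get(d["key"].rsplit("\\", 1)[-1], "unclassified")
            findings.append(d)
    return findings


def masquerade_flags(finding):
    """Heuristics only: a system binary's name outside the Windows directory, or execution from AppData/Temp."""
    paths = finding["value"] if finding["kind"] == "registry" else finding["path"]
    flags = []
    for p in paths.split(","):
        p = p.strip().lower()
        if "\\" not in p:
            continue  # bare name (explorer.exe in the Shell value) or a non-path value such as a proxy string
        directory, base = p.rsplit("\\", 1)
        if base in SYSTEM_BINARIES and "\\windows" not in directory:
            flags.append(f"{base} masquerading outside the Windows directory")
        if "\\appdata\\" in directory or "\\temp" in directory:
            flags.append(f"{base} runs from user-writable location {directory}")
    return flags


def summarize(text):
    """Counts a responder wants at a glance: findings, persistence mix, and how many paths look hostile."""
    findings = parse_report(text)
    by_technique = Counter(f["technique"] for f in findings if f["kind"] == "registry")
    flagged = [f for f in findings if masquerade_flags(f)]
    return {"findings": len(findings), "by_technique": dict(by_technique), "flagged": len(flagged)}


def outstanding(scan_text, remove_text):
    """Registry findings from a scan that the later removal run did not delete or replace."""
    acted = {(f["key"], f["name"]) for f in parse_report(remove_text)
             if f["kind"] == "registry" and f["action"] != "FOUND"}
    return [(f["key"], f["name"]) for f in parse_report(scan_text)
            if f["kind"] == "registry" and (f["key"], f["name"]) not in acted]


if __name__ == "__main__":
    print(summarize(SCAN_REPORT))
    for f in parse_report(SCAN_REPORT):
        for flag in masquerade_flags(f):
            print(f"  {f['name']}: {flag}")
    print("not handled by the removal run:", outstanding(SCAN_REPORT, REMOVE_REPORT))
```

Run against the two reports, the outstanding list is 4265663444, Shell and ProxyServer. Those are exactly the three registry values that the Malwarebytes log dated 6/23/2011, posted later in the thread, reports as quarantined between the two RogueKiller runs, which is why the option-2 run only had three entries left to handle. The path heuristics fire on conhost.exe and dwm.exe sitting under AppData, on rhw.exe, and not on sttray.exe under C:\Windows; a [SUSP PATH] tag is the tool's suspicion, and each line still deserves a look before it is treated as malware.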



#6
June 24, 2011 at 13:50:48
Good job, Minime88!!

Please run Malwarebytes’ Anti-Malware once again, and update the program.
Once updated, select Perform Full Scan and click the 'Scan' button.

When the scan finishes, click OK in the message box, and you will see the results of the scan.

Click the 'Remove Selected' button to get rid of the malware (if any).

When Malwarebytes finishes, you may be prompted to reboot. If so, reboot.

The scan log is displayed in Notepad, and should be on your Desktop. If not, go to the 'Logs' tab, and it should be there.

>>Please post the >Malwarebytes log< in your reply, so we can see where we are at.<<

~~~~
Retired - Doin' Dis, Dat, and slapping malware.



#7
June 24, 2011 at 16:05:26
Reran the Malwarebytes full scan - didn't find anything. Here is the log:

===========================
Malwarebytes' Anti-Malware 1.51.0.1200
www.malwarebytes.org

Database version: 6940

Windows 6.0.6002 Service Pack 2
Internet Explorer 9.0.8112.16421

6/24/2011 3:38:05 PM
mbam-log-2011-06-24 (15-38-04).txt

Scan type: Full scan (C:\|D:\|)
Objects scanned: 299930
Time elapsed: 1 hour(s), 41 minute(s), 33 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
===========================================

And, now that I know where to look, here is what the log for yesterday had:

============================================
Malwarebytes' Anti-Malware 1.51.0.1200
www.malwarebytes.org

Database version: 6705

Windows 6.0.6002 Service Pack 2
Internet Explorer 9.0.8112.16421

6/23/2011 10:38:10 PM
mbam-log-2011-06-23 (22-38-10).txt

Scan type: Full scan (C:\|D:\|)
Objects scanned: 299000
Time elapsed: 1 hour(s), 52 minute(s), 18 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 3
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{E8CFC029-8420-4EAE-ADEF-915BDC77E1DC} (Spyware.AdaEbook) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\help.MyNSHandler (Spyware.AdaEbook) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\4265663444 (Trojan.ExeShell.Gen) -> Value: 4265663444 -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell (Hijack.Shell.Gen) -> Value: Shell -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer (PUM.Bad.Proxy) -> Value: ProxyServer -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\Users\Jacob\AppData\Local\rhw.exe (Trojan.ExeShell.Gen) -> Quarantined and deleted successfully.
c:\Windows\Temp\tmp00000002091cc745b16910a2 (Trojan.Dropper) -> Quarantined and deleted successfully.

=============================================

Am I good to go now?

I have McAfee Anti-Virus that apparently didn't catch this, but I hope it will get updated eventually to stop it before it gets this bad in the future!

Thanks again!



#8
June 24, 2011 at 20:10:21
Good to go, Minime8484!! ;-)

Use the computer for a few days, and if you have the same problem (hopefully not) post back.

~~~~
Retired - Doin' Dis, Dat, and slapping malware.

