System Security

July 1, 2009 at 23:47:25
Specs: Windows XP
Hello,

System Security 2009 popped up on my machine 12
hours ago. I knew what it was immediately and tried to
shut it down using Task Manager. Also my anti-virus
program was fighting against it - deleting, etc. In the
midst of this chaos I restarted my computer. Upon
restarting here's what happened:


While there are no System Security pop ups...
Start Menu/bar is missing
Folder options missing
Unable to open Control Panel
Unable to search
Unable to open Internet Explorer - blinks on before
virus shuts it down
Unable to run regedit.exe - "Blocked by Administrator"
Unable to make changes in gpedit.msc - I access it
correctly but can't double click anything - says "not
configured" for everything.
Unable to open any .exe; prompts "Choose program"
making Malwarebytes useless.
Unable to open CD or flashdrive with regtools.vb or
malwarebytes like programs

I am not able to do much. I can bring up the task
manager and cmd.

I have researched countless forums all day to fix this
problem with no luck. PLEASE HELP!!!!

Let me know if you have any questions.

Thank you,

KJA123


#1

#2
July 3, 2009 at 13:35:22
Note: I can help you remove malware manually. Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible. First Track this topic. Then follow:

1) Can you please post your AVZ log:
Note: Run AVZ in windows normal mode. If avz.exe doesn't start, then try to rename the file avz.exe to something else and try to run it again. Make sure you have your web browser open in background before following the steps below.

i) To create the log file, download AVZ by clicking HERE. Please save this file to your desktop or "My Documents" folder.

ii) Next, unpack the file to a new folder using the Compressed (zipped) folders wizard built into Windows XP/Vista, or a zip utility of your choice.

iii) Once you have unpacked the contents of the zip archive, please launch the file AVZ.exe by double clicking on it or right clicking and selecting Open.
Note: If you are running Windows Vista launch AVZ.exe by right clicking and selecting Run as Administrator.

You should now see the main window of the AVZ utility. Please navigate to File->Custom Scripts. Copy the script below by using the keyboard shortcut CTRL+C or the corresponding option via right click.

begin
ExecuteAVUpdateEx( 'http://avz.virusinfo.info/avz_up/', 1, '','','');
ExecuteStdScr(3);
RebootWindows(true);
end.


Paste the script into the execution window by using CTRL+V keyboard shortcut, or the "paste" option via the right click menu. Click on Run to run the script, the PC will reboot. After the reboot the LOG subfolder is created in the folder with AVZ, with a file called virusinfo_syscure.zip inside. Upload that file to rapidshare.com and paste the link here.

Image Tutorial

2) Download OTL to your Desktop

1) Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted (for Vista, right click the icon and Run as Administrator).

2) When the window appears, underneath Output at the top change it to Minimal Output.

3) Click the "Scan All Users" checkbox.

4) In the lower right corner of the Top Panel, checkmark "LOP Check" and checkmark "Purity Check".

5) Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.

i) When the scan completes, it will open two notepad windows. OTListIt.Txt and Extras.Txt. These are saved in the same location as OTL.

ii) Upload both the files to rapidshare.com and post download links.

If I'm helping you and I don't reply within 24 hours send me a PM.



#3
July 3, 2009 at 19:29:56
Thanks for the help.

I downloaded the AVZ file on another computer and put it on
the infected one. But I still can't open/use ".EXE" files.

When I try to use any .exe, the "Open With / Choose from
program list..." comes up.

How can I get around this or fix this?

I've got the regtools.vbs.txt file that I've seen on a lot of
forums to fix the registry files, but it's just a text file.

Please let me know what you think I should do.

Thank you,
KJA123
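As an added example (not code from the thread, from AVZ or from the regtools script), here is a Python audit of a registry export for the two things behind the symptoms in #1 and #3: the .exe association hijack that turns every program launch into a "Choose program" prompt, and the DisableRegistryTools policy behind "Blocked by Administrator". The two sample exports and the EXAMPLE path are constructed; the key and value names are the standard Windows ones.

```python
"""Audit a .reg export for the lock-downs the thread describes: the .exe association
hijack behind the "Choose program" prompt and the policies behind "Blocked by Administrator"."""
import re

HKCR = "HKEY_CLASSES_ROOT"
POLICIES = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies"
GOOD_OPEN_COMMAND = '"%1" %*'   # healthy exefile\shell\open\command: run the file itself
# Policy DWORDs that, when set to 1, produce the symptoms listed in the thread.
POLICY_FLAGS = {"System": ["DisableRegistryTools", "DisableTaskMgr"], "Explorer": ["NoControlPanel", "NoFind"]}
_VALUE = re.compile(r'^(@|"((?:[^"\\]|\\.)*)")=(.*)$')

def parse_reg(text):
    """Parse .reg text into {key: {name: value}}; '@' is the key's default value.
    Decodes "string" and dword: data; other types (hex:, continuation lines) stay raw."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = _VALUE.match(line) if current else None
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif m:                        # no match: file header, blank, comment or unsupported
            name = "@" if m.group(1) == "@" else m.group(2)
            data = m.group(3)
            if len(data) >= 2 and data[0] == data[-1] == '"':
                data = data[1:-1].replace('\\"', '"').replace("\\\\", "\\")
            elif data.lower().startswith("dword:"):
                data = int(data[6:], 16)
            keys[current][name] = data
    return keys

def audit(keys):
    """Return findings as strings; an empty list means the checked keys look clean."""
    findings = []
    exe_class = keys.get(HKCR + r"\.exe", {}).get("@")
    if exe_class != "exefile":
        findings.append(f".exe is associated with class {exe_class!r}, expected 'exefile'")
    cmd_key = HKCR + "\\" + (exe_class or "exefile") + r"\shell\open\command"  # follow the real class
    command = keys.get(cmd_key, {}).get("@")
    if command is None:
        findings.append(f"{cmd_key} is missing, so Windows asks which program to use")
    elif command != GOOD_OPEN_COMMAND:
        findings.append(f"every .exe launch is routed through: {command}")
    for subkey, names in POLICY_FLAGS.items():
        values = keys.get(POLICIES + "\\" + subkey, {})
        findings += [f"policy {subkey}\\{n} is set to 1" for n in names if values.get(n) == 1]
    return findings

# Constructed export resembling the infected machine; the EXAMPLE path is hypothetical.
HIJACKED_EXPORT = r'''Windows Registry Editor Version 5.00
[HKEY_CLASSES_ROOT\.exe]
@="secfile"
[HKEY_CLASSES_ROOT\secfile\shell\open\command]
@="\"C:\\Documents and Settings\\All Users\\Application Data\\EXAMPLE\\guard.exe\" /start \"%1\" %*"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=dword:00000001
'''
# The restoring values that regtools-style fixes write back; audit() should pass them.
REPAIR_REG = r'''[HKEY_CLASSES_ROOT\.exe]
@="exefile"
[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=dword:00000000
'''
```

`audit(parse_reg(HIJACKED_EXPORT))` reports the foreign class, the wrapper every program is launched through, and the registry-tools policy; the same call on `REPAIR_REG` returns an empty list.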




#4
July 3, 2009 at 19:34:11


#5
July 3, 2009 at 19:53:48
It says:

"Windows cannot open this file:

File: cmd.exe

To open this file....select from a list of programs...."

In Windows Explorer it says dds is a Screen Saver file of
352 kb...just making sure it's the right file.

What else can I try?

Thanks again



#6
July 3, 2009 at 19:57:50


#7
July 3, 2009 at 21:23:31
My response #3 (normal mode) is the same for safe mode.


#8
July 3, 2009 at 21:35:46
same message comes up..."choose program to run avz.exe"


#9

#10
July 4, 2009 at 12:34:53
Great idea to get the .exe back.

Got the program AVZ running and did the scan - got the log
file.

was unable to start 2nd program.

System Security pop ups returned also.

However, I'm stuck there. I can't get the virusinfo_syscure
file off the infected computer.
When I right click and select "send to D:" nothing happens. It
won't transfer to burn.

Also I can't open my other burn program because System
Security won't let me open any programs.
Any suggestions?

I'm so glad with the progress we've made.

Thank you so much,

KJA



#11
July 4, 2009 at 12:41:56
Download and run Kaspersky AVP tool: http://devbuilds.kaspersky-labs.com...
Once you download and start the tool:
# Check below options:

    * Select all the objects/places to be scanned. 
    * Settings > Customize > Heuristic analyzer > Enable deep rootkit search

# Click Scan
# Fix what it detects
# Zip/Rar Scan log/Summary and upload it to rapidshare.com. Post download link in your next message.

Illustrated tutorial: http://img32.imageshack.us/img32/76...

If I'm helping you and I don't reply within 24 hours send me a PM.



#12
July 5, 2009 at 19:19:50
finally got it...

1. Download Link: Click here to download file
http://rapidshare.com/files/2524465...

MD5: 550704F4A3AF373C383E30AA1B5F56FC

I had to extract the zip file to get the files to move...

hope this is what you need..

Thank you sooo much,

KJA123



#13
July 5, 2009 at 19:26:08
Please post scan log for Response Number 11 and redo Response Number 2 (changed) - post required logs.

If I'm helping you and I don't reply within 24 hours send me a PM.



#14
July 5, 2009 at 22:45:12
When the Virus Removal is done should I select "Neutralize
All"?

Also, for the OTC program I was only able to get one of the
files - an error message came up something about access
denied?

I'll try again tomorrow.

KJA123



#15
July 6, 2009 at 06:59:09
Yes, "Neutralize All". Disinfect; if it can't, then delete the file. It's ok for OTC. What happened with AVZ?

If I'm helping you and I don't reply within 24 hours send me a PM.



#16
July 6, 2009 at 21:53:31
1. Download Link: Click here to download file
http://rapidshare.com/files/2528748...
MD5: AC3F6CBB72EF0D33BC9343E021F5D50B


Had to be done in safe mode...System Security in its original
format prevented anything being done in normal mode.



#17
July 6, 2009 at 21:54:35
1. Download Link: Click here to download file
http://rapidshare.com/files/2528751...
MD5: 8B47A9F613F19689FBF86CCB7657C2ED

OTL file

hope some of this helps...thank you for your patience.




#18
July 6, 2009 at 21:55:34
OTL was done before virus scan - 93 viruses detected!!!!


#19
July 6, 2009 at 21:55:34
Wrong file. Re-read Response Number 2 and do it in safe mode.

If I'm helping you and I don't reply within 24 hours send me a PM.



#20
July 6, 2009 at 22:03:56
those are the files inside virusinfo_syscure.zip

i had to extract them to transfer them to the USB flash drive

i added the "2" to end because I had files with same name



#21
July 6, 2009 at 22:04:52
see #16


#22
July 6, 2009 at 22:06:10
^^^^^ Response number is on top. I meant Response Number 2 of this post.

If I'm helping you and I don't reply within 24 hours send me a PM.



#23
July 6, 2009 at 22:15:22
confused

#2 says:
"After the reboot the LOG subfolder is created in the folder
with AVZ, with a file called virusinfo_syscure.zip inside.
Upload that file to rapidshare.com and paste the link here."

To load the file onto rapidshare I had to extract it...is that the
problem?

Here are the links to the 2 files within the ZIP

1. Download Link: Click here to download file
http://rapidshare.com/files/2528788...
MD5: 973959D0CF896DC6DC569142B1070874

1. Download Link: Click here to download file
http://rapidshare.com/files/2528792...
MD5: 66FBD38E3BA5CF4075A066FC174F60A4



#24
July 6, 2009 at 22:21:38
Please upload the whole zip as it is.

If I'm helping you and I don't reply within 24 hours send me a PM.



#25
July 6, 2009 at 22:29:17
1. Download Link: Click here to download file
http://rapidshare.com/files/2528792...
MD5: 66FBD38E3BA5CF4075A066FC174F60A4

there ya go...was a little tricky



#26
July 6, 2009 at 22:38:57
so stupid...here's the right one


1. Download Link: Click here to download file
http://rapidshare.com/files/2528817...
ml
MD5: 1E4CFEAE055F2D06B237EB89FF766AE9



#27
July 6, 2009 at 22:40:08
Sorry, I can't help you until you read and follow directions carefully/exactly.

If I'm helping you and I don't reply within 24 hours send me a PM.



#28
July 6, 2009 at 22:42:23
I'm really sorry, I'm new at this stuff.

Is #26 not a link to the zip file you asked for?



#29
July 6, 2009 at 22:44:52
No, it's not. Re-read #2 again; it will tell you exactly what logs you need to upload.

If I'm helping you and I don't reply within 24 hours send me a PM.



#30
July 6, 2009 at 23:15:31
http://rapidshare.com/files/2528901...
html

I ran the scan again. Maybe I typed in the script wrong last
time? I just figured out how to copy and paste it (couldn't
open Word previously - used notepad/altered format)

Do you want OTC files? - your response #15.

If this is still the wrong one I'm sorry, please don't give up on
me.

If it is wrong could it be b/c I'm not logged in as
administrator? Is it because the link ends in html?



#31
July 7, 2009 at 07:00:20
Follow these Steps in order numbered. Don't proceed to next step unless you have successfully completed previous step:

1) Run this script in AVZ like before, your computer will reboot:

begin
SetAVZGuardStatus(True);
SearchRootkit(true, true);
 DelBHO('{736b5468-bdad-41be-92d0-22ae2ddf7bcb}');
 DelBHO('{D76AB2A1-00F3-42BD-F434-00BBC39C8953}');
 DelBHO('{8567EDFA-408C-43e9-B929-4C25C04F5003}');
 QuarantineFile('C:\WINDOWS\system32\iehelper.dll','');
 QuarantineFile('C:\WINDOWS\system32\svchosts.dll','');
 QuarantineFile('C:\WINDOWS\system32\gsf83iujid.dll','');
 QuarantineFile('C:\windows\ld11.exe','');
 QuarantineFile('C:\WINDOWS\system32\rhfgv.exe','');
 QuarantineFile('C:\Documents and Settings\All Users\Application Data\14667504\14667504.exe','');
 QuarantineFile('C:\WINDOWS\sysguard.exe','');
 QuarantineFile('C:\WINDOWS\9129837.exe','');
 QuarantineFile('C:\DOCUME~1\Dane\LOCALS~1\Temp\ms1246495962.exe','');
 QuarantineFile('C:\DOCUME~1\Dane\LOCALS~1\Temp\38446812151mxx.dll','');
 QuarantineFile('c:\windows\system32\sdra64.exe','');
 DeleteFile('c:\windows\system32\sdra64.exe');
 DeleteFile('C:\DOCUME~1\Dane\LOCALS~1\Temp\38446812151mxx.dll');
 DeleteFile('C:\DOCUME~1\Dane\LOCALS~1\Temp\ms1246495962.exe');
 DeleteFile('C:\WINDOWS\9129837.exe');
 DeleteFile('C:\WINDOWS\sysguard.exe');
 DeleteFile('C:\Documents and Settings\All Users\Application Data\14667504\14667504.exe');
 DeleteFile('C:\WINDOWS\system32\rhfgv.exe');
 DeleteFile('C:\windows\ld11.exe');
 DeleteFile('C:\WINDOWS\system32\gsf83iujid.dll');
 DeleteFile('C:\WINDOWS\system32\svchosts.dll');
 DeleteFile('C:\WINDOWS\system32\iehelper.dll');
 ExecuteRepair(1);
 ExecuteRepair(5);
 ExecuteRepair(6);
 ExecuteRepair(10);
 ExecuteRepair(11);
 ExecuteRepair(17);
BC_ImportAll;
ExecuteSysClean;
BC_Activate;
SetAVZPMStatus(true);
RebootWindows(true);
end.

2) After reboot execute following script in AVZ:

begin
CreateQurantineArchive('C:\quarantine1.zip');    
end.


A file called quarantine1.zip should be created in C:\. Upload that file to rapidshare.com and Private message me download link.

2) Install, update database and run full scan with Malwarebytes' Anti-Malware. Attach malwarebyte full scan log, fix anything detected.

3) House cleaning. Run full Scan with SuperAntispyware : http://www.superantispyware.com/dow... . Fix what it detects and post summary scan log.

If I'm helping you and I don't reply within 24 hours send me a PM.



#32
July 7, 2009 at 09:21:39
in trying to install malwarebytes the following error message
came up....

"Run-time error '372'

Failed to load control vbalGrid' from vbalsgrid6.ocx. Your
version of vbalsgrid.ocx may be outdated. Make sure you
are using the version of the control that was provided with
your application"

I've googled this problem did not find a solid solution. Any
suggestions?

Thanks again for your help! I really appreciate it!



#33
July 7, 2009 at 09:25:39
Skip malwarebytes for now. Try: SuperAntispyware

If I'm helping you and I don't reply within 24 hours send me a PM.



#34
July 7, 2009 at 09:31:02
Error Message:

Windows Installer:

The system administrator has set policies to prevent this
installation.

Should I logon admin account?

is this thing like a super virus?



#35
July 7, 2009 at 09:42:06
Redo "Response Number 2" whole of it again including OTL. Yes login as administrator and try to install it.

If I'm helping you and I don't reply within 24 hours send me a PM.



#36
July 7, 2009 at 10:16:34
1. Download Link: Click here to download file
http://rapidshare.com/files/2530952...
html
MD5: 77F2A856E3A64C0FAAD29C054EBF48D9


2. Download Link: Click here to download file
http://rapidshare.com/files/2530952...
MD5: CFF780E8D7B42AD78E1DB31FB0FDB5DA

3. Download Link: Click here to download file
http://rapidshare.com/files/2530952...
MD5: 1273FA76304EE0E1E9BEE842F8B1AA90


OTLListIt did not come up, OTL.txt did. I hope that's ok. OTL
error message after scan:
"access vlo at C0528BB7 in module OTL.exe read of
address 00e98178"

Also, I let my computer start in normal mode after recent avz
scan and error messages came up upon startup for the
following programs:
Windows Defender
Cisco Clean Agent
Odyssey Client
Microsoft Visual C++

Thanks!



#37
July 7, 2009 at 10:34:19
Follow these Steps in order numbered. Don't proceed to next step unless you have successfully completed previous step:

1) Run this script in AVZ like before, your computer will reboot:

begin
SetAVZGuardStatus(True);
SearchRootkit(true, true);
 StopService('lich');
 DeleteService('lich');
 QuarantineFile('C:\WINDOWS\system32\lich.exe','');
 DeleteFile('C:\WINDOWS\system32\lich.exe');
BC_ImportDeletedList;
ExecuteSysClean;
BC_Activate;
RebootWindows(true);
end.

2) Attach a Combofix log, please review and follow these instructions carefully.

Download it here -> http://download.bleepingcomputer.co...

Before Saving it to Desktop, please rename it to something like 123.exe to stop malware from disabling it.

Now, please make sure no other programs are running, close all other windows and pause Antivirus/Spyware programs (http://www.bleepingcomputer.com/forums/topic114351.html Programs to disable) until after the scanning and removal process has taken place.

Please double click on the file you downloaded. Follow the onscreen prompts to start the scan. Once the scanning process has started please DO NOT click on the Combofix window or attempt to use your computer as this can cause the scanning process to stall. It may take a while to complete scanning and this is normal.

You will be disconnected from the internet and your desktop icons/toolbars will disappear during scanning, do not worry, this is normal and it will be restored after scanning has completed.

Combofix will create a logfile and display it after your computer has rebooted. Usually located in c:\combofix.txt, please upload that file to rapidshare.com and paste the link here.

3) Please zip up C:\qoobox\quarantine and upload it, to a filehost such as http://rapidshare.com/ Then, Private Message me the Download links to the uploaded files.

If I'm helping you and I don't reply within 24 hours send me a PM.



#38
July 7, 2009 at 11:06:27
According to bleepingcomp direction I need to access the
system tray to turn off the antivirus software...my start
menu/system tray are not displayed as a result of the virus.

What are my other options?



#39
July 7, 2009 at 11:12:57
Continue if you can't disable it its ok.

If I'm helping you and I don't reply within 24 hours send me a PM.



#40
July 7, 2009 at 11:17:37
error message came up:

This machine does not have 'microsoft windows recovery
console' installed

without it, combofi shall not attempt the fixing of some
serious infections

click yes to have combofix download/install it
NOTE: this requires active internet connection.

----I don't have an active internet connection on the infected
computer. What should I do - select 'no'?



#41
July 7, 2009 at 11:21:03
Either you can select yes it will open a website download it on another computer and transfer it via usb and install it or select no. But i recommend you have recovery console.

If I'm helping you and I don't reply within 24 hours send me a PM.



#42
July 7, 2009 at 11:27:15
I clicked yes, I confirmed that this is a XP home comp and
then nothing happened. I am assuming IE was cut off by the
virus.

where can I download the console?



#43
July 7, 2009 at 11:31:08
Refer to: http://www.bleepingcomputer.com/com...

If for any reason you can't install recovery console then continue without it.

If I'm helping you and I don't reply within 24 hours send me a PM.



#44
July 7, 2009 at 12:26:09
btw i had to go without it...sent you the private message with
links



#45
July 7, 2009 at 12:44:50
Uninstall Combofix by: pause Antivirus/Spyware programs (http://www.bleepingcomputer.com/forums/topic114351.html Programs to disable) > Start > run > type combofix /u > ok.

Then go to windows update and apply all the security patches.

Then try to redo Response Number 31 step 2 and 3.

If I'm helping you and I don't reply within 24 hours send me a PM.



#46
July 7, 2009 at 13:09:21
uninstalled combofix

Where is Windows update? I went to automatic updates in the
control panel, but there is no option for install security
updates...




#47
July 7, 2009 at 13:11:28
Download Security Check by screen317 from here or here.
Save it to your Desktop.
Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
A Notepad document should open automatically called checkup.txt.
Please post the contents of that document.

If I'm helping you and I don't reply within 24 hours send me a PM.



#48
July 7, 2009 at 13:16:32
Went ahead and tried to install malwarebytes...same error '372'

Same error as before with SuperAnti..."prevented by admin,"



#49
July 7, 2009 at 13:22:00
http://rapidshare.com/files/2531581...

an error came up while "preparing" :

line -1:
error: vafiable must ve of type "Object"

still made this report



#50
July 7, 2009 at 13:26:22
How is your system running?

If I'm helping you and I don't reply within 24 hours send me a PM.



#51
July 7, 2009 at 13:27:47
in safe mode...is that what you mean?


#52
July 7, 2009 at 13:37:29
No, normal mode. Is your original problem solved?

If I'm helping you and I don't reply within 24 hours send me a PM.



#53
July 7, 2009 at 14:03:08
I just rebooted into normal mode.

I still have no start menu/task bar
I can't access the internet
the errors from #36 are also there

All original problems are still there



#54
July 7, 2009 at 14:05:59
Do you have your Windows installation CD? It seems malware corrupted your system files. If you do:

Go to the Run box on the Start Menu and type in:

sfc /scannow

If I'm helping you and I don't reply within 24 hours send me a PM.



#55
July 7, 2009 at 14:11:42
No, I don't have the CD.

What else can I do? Is there another way to reformat?



#56
July 7, 2009 at 14:17:54
Complete "Response Number 11". Then ask in the Windows forum, maybe someone can help you fix your registry/system files. Most of the malware is cleared from your system.

If I'm helping you and I don't reply within 24 hours send me a PM.



#57
July 7, 2009 at 22:27:06
I got the Windows XP Home Edition SP3 CD from a friend...

Could you walk me through this a bit?

Should I delete the existing partition? I don't care about
losing files...I just want my comp to work.

Please let me know.

Again, I appreciate all you've done.

