Virus disabled antivirus and explorer

July 24, 2009 at 10:09:04
Specs: Windows XP
Hi,

I think a virus has disabled my explorer, as well as all of my anti-virus programs (hijackthis, Super anti spyware, anti malware, McAfee). These programs shut down as I try to start the scan function. Same with Internet Explorer.
I really don't know much about how to detect and quarantine the virus, so I am hoping someone can help. Thanks!




#1
July 24, 2009 at 10:12:18


#2
July 24, 2009 at 10:23:57
Yes. I have started in safe mode with networking, but I still have the same problems.


#3
July 24, 2009 at 10:27:45
Try to make these logs. Use a USB drive to transfer the files from another computer.

Note: I can help you remove malware manually. Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible. First Track this topic. Then follow:

1) Can you please post your AVZ log:
Note: Run AVZ in Windows normal mode and make sure you are connected to the internet. If avz.exe doesn't start, then try to rename the file avz.exe to something else and try to run it again. Make sure you have your web browser open in the background before following the steps below.

i) To create the log file, download AVZ by clicking HERE. Please save this file to your desktop or "My Documents" folder.

ii) Next, unpack the file to a new folder using the Compressed (zipped) folders wizard built into Windows XP/Vista, or a zip utility of your choice.

iii) Once you have unpacked the contents of the zip archive, please launch the file AVZ.exe by double clicking on it or right clicking and selecting Open.
Note: If you are running Windows Vista, launch AVZ.exe by right clicking and selecting Run as Administrator.

You should now see the main window of the AVZ utility. Please navigate to File->Custom Scripts. Copy the script below by using the keyboard shortcut CTRL+C or the corresponding option via right click.

begin
ExecuteAVUpdateEx( 'http://avz.virusinfo.info/avz_up/', 1, '','','');
ExecuteStdScr(3);
RebootWindows(true);
end.


Paste the script into the execution window by using CTRL+V keyboard shortcut, or the "paste" option via the right click menu. Click on Run to run the script, the PC will reboot. After the reboot the LOG subfolder is created in the folder with AVZ, with a file called virusinfo_syscure.zip inside. Upload that file to rapidshare.com and paste the link here.

Image Tutorial

2) Download and run DDS, which will create a Pseudo HJT Report as part of its log: DDS Tool Download Link. When done, DDS will open two (2) logs:

   1. DDS.txt
   2. Attach.txt

Upload the logs to rapidshare.com and paste the download link in your next reply.
Note: Disable any script-blocking programs and then double-click on the DDS.scr icon to start the program. If you did not disable a script-blocker that may be part of your antimalware program, you may receive a warning from your antimalware product asking if you would like DDS.scr to run. Please allow it to do so.

If I'm helping you and I don't reply within 24 hours send me a PM.



#4
July 24, 2009 at 11:46:28
Thanks, here's the virusinfo_syscure.zip link:

http://rapidshare.com/files/2596088...

Second step to follow



#5
July 24, 2009 at 11:54:42
DDS.txt file link:

http://rapidshare.com/files/2596118...

Attach.txt file link:

http://rapidshare.com/files/2596119...

Thank you for your help!



#6
July 24, 2009 at 12:06:14
Follow these Steps in order numbered. Don't proceed to next step unless you have successfully completed previous step:

1) Run this script in AVZ like before, your computer will reboot:

begin
 DelBHO('{056fb4bd-3f47-4233-9987-128aa89799a8}');
 QuarantineFile('C:\WINDOWS\system32\alqqfk.dll','');
 QuarantineFile('alqqfk.dll','');
 QuarantineFile('C:\Documents and Settings\All Users\Application Data\lohuzwrk\vsfihkng.exe','');
 QuarantineFile('c:\windows\ld12.exe','');
 QuarantineFile('\\?\globalroot\Device\__max++>\69DB26B0.x86.dll','');
 DeleteFile('\\?\globalroot\Device\__max++>\69DB26B0.x86.dll');
 DeleteFile('c:\windows\ld12.exe');
 DeleteFile('C:\Documents and Settings\All Users\Application Data\lohuzwrk\vsfihkng.exe');
 DeleteFile('alqqfk.dll');
 DeleteFile('C:\WINDOWS\system32\alqqfk.dll');
 ExecuteRepair(6);
 ExecuteRepair(9);
 BC_ImportDeletedList;
 ExecuteSysClean;
 BC_Activate;
 SetAVZPMStatus(true);
 RebootWindows(true);
end.

2) After reboot execute following script in AVZ:

begin
 CreateQurantineArchive('C:\quarantine1.zip');
end.


A file called quarantine1.zip should be created in C:\. Upload that file to rapidshare.com and Private message me download link.

3) Redo Response Number 3 and post new set of logs.


#7
July 24, 2009 at 12:23:24
I can't run AVZ anymore. I get the same response as with Explorer and the other antivirus programs:

"Windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access them"

I tried re-installing under another name, but that's not working either.



#8
July 24, 2009 at 12:28:57
Try this AVZ. Delete the old AVZ that you downloaded.


#9
July 24, 2009 at 12:44:10
The link is not working. I get the error message that Internet Explorer cannot access the internet site. However, I can access www.z-oleg.com but not sure where to go to download file.



#10

#11
July 24, 2009 at 13:08:20
This file is not working either.


#12
July 24, 2009 at 13:10:36
First try to rename the file to avz.com. If it still doesn't work, try to do Response Number 6, steps 1 and 2, in safe mode.


#13
July 24, 2009 at 13:53:30
I tried in normal and safe mode, and the moment I run the custom script in Response 6, the software shuts down and I am not able to open it again.


#14
July 24, 2009 at 13:55:57
Try to run Response Number 6 again; I changed the script. If it still doesn't work we will use some other tools. Did renaming to .com work in normal mode?


#15
July 24, 2009 at 14:19:59
I've sent you a PM with the quarantine file. I will re-run Response 3 and send you the links.

thanks



#16
July 24, 2009 at 14:48:18
Make sure you do it in normal mode. How is your system running now?


#17
July 24, 2009 at 17:26:52
Here's the link to the zip file:
http://rapidshare.com/files/2597002...



#18
July 24, 2009 at 17:29:12
Unfortunately, the problems are still there, and it is bogging down the system, so it is taking some time to run files and reboot.


#19

#20
July 24, 2009 at 17:41:58
Follow these Steps in order numbered. Don't proceed to next step unless you have successfully completed previous step:

1) Run this script in AVZ like before, then generate a new AVZ log and post it; your computer will reboot:

begin
SetAVZPMStatus(true);
RebootWindows(true);
end.

2) Attach a Combofix log. Please review and follow these instructions carefully.

Download it here -> http://download.bleepingcomputer.co...

Before saving it to the Desktop, please rename it to something like 123.exe to stop malware from disabling it.

Now, please make sure no other programs are running, close all other windows and pause Antivirus/Spyware programs (http://www.bleepingcomputer.com/forums/topic114351.html Programs to disable) until after the scanning and removal process has taken place.

Please double click on the file you downloaded. Follow the onscreen prompts to start the scan. Once the scanning process has started please DO NOT click on the Combofix window or attempt to use your computer as this can cause the scanning process to stall. It may take a while to complete scanning and this is normal.

You will be disconnected from the internet and your desktop icons/toolbars will disappear during scanning, do not worry, this is normal and it will be restored after scanning has completed.

Combofix will create a logfile and display it after your computer has rebooted. Usually located in c:\combofix.txt, please upload that file to rapidshare.com and paste the link here.

3) Please zip up C:\qoobox\quarantine and upload it, to a filehost such as http://rapidshare.com/ Then, Private Message me the Download links to the uploaded files.



#21
July 24, 2009 at 19:44:06
combofix text:

http://rapidshare.com/files/2597280...

I am trying to locate the first log as well.



#22
July 24, 2009 at 20:52:54
Ok post the first log.


#23
July 24, 2009 at 21:04:27
I think that's it:

http://rapidshare.com/files/2597447...



#24
July 24, 2009 at 21:30:04
Please download SystemLook from jpshortstuff and save it to your Desktop
Download Mirror #1
Download Mirror #2

* Double-click SystemLook and copy/paste the following into the box

:filefind
proquota.exe


* Hit the Look button. Let it finish the scan
* A log will then pop up on your Desktop. Post the content of the log here in your next reply.


#25
July 24, 2009 at 21:39:03
Here you go:

SystemLook v1.0 by jpshortstuff (22.05.09)
Log created at 00:35 on 25/07/2009 by Aruna Ramsamy (Administrator - Elevation successful)

========== filefind ==========

Searching for "proquota.exe"
C:\I386\PROQUOTA.EXE --a--- 50176 bytes [03:22 18/05/2005] [10:00 04/08/2004] 4D9D45A4370E0C2AD00C362B7118E2A4
C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\proquota.exe --a--- 50176 bytes [23:30 06/09/2008] [00:12 14/04/2008] F6465A2EEF75468988A4FCF124148FA8

-=End Of File=-


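Added example, not from the thread or from SystemLook's author: a Python parser for the :filefind output posted above, plus the kind of check the follow-up acts on, whether any copy of the file sits in the directory where Windows expects it and how many distinct builds (by MD5) exist on disk. The embedded sample reuses the two hits from the log above; the expected directory C:\WINDOWS\system32 is an assumption made here.

```python
import re
from collections import defaultdict

# Sample in the :filefind layout SystemLook printed above (paths, sizes and MD5s
# taken from the posted log; the "Log created" line is left out).
SAMPLE_LOG = r"""SystemLook v1.0 by jpshortstuff (22.05.09)

========== filefind ==========

Searching for "proquota.exe"
C:\I386\PROQUOTA.EXE --a--- 50176 bytes [03:22 18/05/2005] [10:00 04/08/2004] 4D9D45A4370E0C2AD00C362B7118E2A4
C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\proquota.exe --a--- 50176 bytes [23:30 06/09/2008] [00:12 14/04/2008] F6465A2EEF75468988A4FCF124148FA8

-=End Of File=-
"""

SEARCH_RE = re.compile(r'^Searching for "(?P<name>[^"]+)"$')
# path, six attribute flags, size, two bracketed timestamps, 32-hex-digit MD5
HIT_RE = re.compile(
    r'^(?P<path>[A-Za-z]:\\.*?) (?P<attrs>\S{6}) (?P<size>\d+) bytes '
    r'\[(?P<stamp1>[^\]]+)\] \[(?P<stamp2>[^\]]+)\] (?P<md5>[0-9A-Fa-f]{32})$')

def parse_filefind(text):
    """Map each searched file name to the list of hits SystemLook reported for it."""
    hits, current = defaultdict(list), None
    for line in text.splitlines():
        m = SEARCH_RE.match(line)
        if m:
            current = m.group("name").lower()
            continue
        m = HIT_RE.match(line)
        if m and current:
            hit = m.groupdict()
            hit["size"] = int(hit["size"])
            hit["md5"] = hit["md5"].upper()
            hits[current].append(hit)
    return dict(hits)

def assess(hits, name, expected_dir):
    """Is a copy present in expected_dir, and how many distinct builds are on disk?"""
    prefix = expected_dir.lower().rstrip("\\") + "\\"
    found = hits.get(name.lower(), [])
    in_place = [h for h in found if h["path"].lower() == prefix + name.lower()]
    return {
        "present_in_expected_dir": bool(in_place),
        "other_copies": [h["path"] for h in found if h not in in_place],
        "distinct_md5": sorted({h["md5"] for h in found}),
    }

if __name__ == "__main__":
    hits = parse_filefind(SAMPLE_LOG)
    print(assess(hits, "proquota.exe", r"C:\WINDOWS\system32"))
```

For the posted log the result shows no copy under C:\WINDOWS\system32 and two copies with different MD5s elsewhere; which one is a trustworthy replacement still has to be decided against a reference hash for the installed Windows build.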

#26
July 24, 2009 at 22:17:57
Copy this file C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\proquota.exe to C:\windows\system32\

Uninstall Combofix by: pause Antivirus/Spyware programs (http://www.bleepingcomputer.com/forums/topic114351.html Programs to disable) > Start > run > type combofix /u > ok.

Then follow:

1) Install, update the database and run a full scan with Malwarebytes' Anti-Malware. Attach the Malwarebytes full scan log; fix anything detected.

2) Run a full scan with SuperAntispyware: http://www.superantispyware.com/dow... . Fix what it detects and post the summary scan log.


#27
July 25, 2009 at 07:39:10
Anti-Malware's log:

http://rapidshare.com/files/2599038...



#28
July 25, 2009 at 07:49:25
I could not install SuperAntispyware properly. It encountered an error during installation (insufficient privileges to modify the .exe). I ignored it and went through with the installation, but now I get the same error message as before (cannot access file).


#29
July 25, 2009 at 08:08:15
Is McAfee running now? Update it and run a full scan with it.


#30
July 25, 2009 at 08:15:45
McAfee is not working either.


#31
July 25, 2009 at 08:18:55
Follow these steps in order numbered:

1) Download GMER: http://gmer.net/download.php
[This version will download a randomly named file (Recommended).]

2) Disconnect from the Internet and close all running programs.

3) Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.

4) Double-click on the randomly named GMER file (e.g. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.

5) GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)

6) If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.

7) Now click the Scan button. If you see a rootkit warning window, click OK.

8) When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log and upload it to rapidshare.com. Post the download link to the uploaded file in your post.

9) Exit GMER and re-enable all active protection when done.

Note: Please give me the exact name of the file you downloaded in step 1 + post your log from step 8 in your next post.


#32
July 25, 2009 at 09:53:32
file:
17po7qr7.exe

link:
http://rapidshare.com/files/2599407...



#33
July 25, 2009 at 10:54:43
You might have a master boot virus. Please follow:

Please download MBR.exe from here ->
http://www2.gmer.net/mbr/mbr.exe

Save the file to your desktop and double click on it.

A new text file will appear on your desktop, created by the tool. Copy and paste that file here, please.


#34
July 25, 2009 at 11:46:57
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.6 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK
copy of MBR has been found in sector 62 !
PE file found in sector at 0x0950E4C1 !


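Added example, not part of the thread or of GMER's MBR.exe: a Python script that applies the two checks the output above reports, a second MBR copy carrying a valid boot signature in an unpartitioned sector, and a PE image parked on raw sectors outside any partition, to a disk image. The image is constructed inline; its partition layout, sector numbers and byte patterns are assumptions, not values from the posted log.

```python
import struct

SECTOR = 512
BOOT_SIG = b"\x55\xAA"

def partition_table(sector0):
    """Return (lba_start, sector_count) for each used entry of the MBR partition table."""
    parts = []
    for i in range(4):
        entry = sector0[446 + 16 * i: 462 + 16 * i]
        start, count = struct.unpack_from("<II", entry, 8)
        if entry[4] != 0 and count:          # byte 4 is the partition type, 0 = unused
            parts.append((start, count))
    return parts

def unallocated_sectors(total, parts):
    """Sector numbers (sector 0 excluded) that no partition covers: where a bootkit parks data."""
    return [n for n in range(1, total)
            if not any(s <= n < s + c for s, c in parts)]

def scan_disk(disk):
    """Report MBR copies and PE images found outside the partitions, as MBR.exe does."""
    mbr = disk[:SECTOR]
    parts = partition_table(mbr)
    report = {"partitions": parts, "mbr_copies": [], "pe_sectors": [], "bootstrap_replaced": False}
    for n in unallocated_sectors(len(disk) // SECTOR, parts):
        base = n * SECTOR
        sec = disk[base:base + SECTOR]
        # MBR copy: valid boot signature and the same partition table as sector 0
        if sec[510:512] == BOOT_SIG and sec[446:510] == mbr[446:510]:
            report["mbr_copies"].append(n)
            if sec[:446] != mbr[:446]:       # the copy's boot code differs from what runs now
                report["bootstrap_replaced"] = True
        # PE image on raw sectors: DOS header whose e_lfanew points at "PE\0\0"
        if sec[:2] == b"MZ":
            e_lfanew = struct.unpack_from("<I", sec, 0x3C)[0]
            if disk[base + e_lfanew:base + e_lfanew + 4] == b"PE\0\0":
                report["pe_sectors"].append(n)
    return report

def build_sample_disk():
    """Constructed 128-sector image: hooked sector 0, clean MBR copy in sector 62, PE in sector 110."""
    table = bytearray(64); table[0], table[4] = 0x80, 0x07   # bootable flag, NTFS type
    struct.pack_into("<II", table, 8, 63, 40)        # one partition: LBA 63, 40 sectors
    clean_boot = b"\xFA\x33\xC0\x8E\xD0".ljust(446, b"\x00")     # stand-in original bootstrap
    hooked_boot = b"\xEB\x3C\x90HOOKED".ljust(446, b"\x00")      # stand-in replaced bootstrap
    disk = bytearray(128 * SECTOR)
    disk[0:SECTOR] = hooked_boot + table + BOOT_SIG
    disk[62 * SECTOR:63 * SECTOR] = clean_boot + table + BOOT_SIG
    pe = bytearray(b"MZ".ljust(SECTOR, b"\x00"))      # DOS stub with a PE header at 0x40
    struct.pack_into("<I", pe, 0x3C, 0x40)           # e_lfanew -> offset 0x40
    pe[0x40:0x44] = b"PE\0\0"
    disk[110 * SECTOR:111 * SECTOR] = pe
    return bytes(disk)
```

`scan_disk(build_sample_disk())` reports the copy in sector 62, the PE in sector 110 and bootstrap_replaced=True; feeding it the bytes of a real disk image applies the same checks.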

#35
July 25, 2009 at 11:54:53
Try to reinstall McAfee and run a full scan with it. How is your computer running otherwise? Follow Response Number 31 carefully and post another GMER log.


#36
July 25, 2009 at 20:08:20
Computer has turned crazy with all sorts of virus infections. I think I am just going to try to reformat it. Thanks a lot for the help.


#37
July 25, 2009 at 20:35:01
Wait before you reformat; there are a few more things to try. Run GMER one more time and post the log like before. Also follow:

Please download RootRepeal Rootkit Detector and save it to your Desktop.

* Close all programs and temporarily disable your anti-virus, Firewall and any anti-malware real-time protection before performing a scan.
* Click this link to see a list of such programs and how to disable them.
* Create a new folder on your hard drive called RootRepeal (C:\RootRepeal) and extract (unzip) RootRepeal.zip. (click here if you're not sure how to do this. Vista users refer to this link.)
* Open the folder and double-click on RootRepeal.exe to launch it. If using Vista, right-click and Run as Administrator...
* Click on the Report tab at the bottom of the program window
* Click the Scan button
* In the Select Scan dialog, check:

    * Drivers
    * Processes
    * SSDT
    * Hidden Services

* Click the OK button
* In the next dialog, select all drives showing
* Click OK to start the scan
* When the scan has completed, a list of files will be generated in the RootRepeal window.
* Click on the Save Report button and save it as rootrepeal.txt to your desktop or the same location where you ran the tool from.
* Upload rootrepeal.txt to rapidshare.com and post the download link in your next reply.
* Exit RootRepeal and be sure to re-enable your anti-virus, Firewall and any other security programs you had disabled.

Note: If RootRepeal cannot complete a scan and results in a crash report, try repeating the scan in "Safe Mode".



#38
August 12, 2009 at 16:36:29
Hello Sir/Ma'am,
I am troubleshooting a similar virus that appears to have got into my computer on the 8th of August 09. I have traversed this entire article and I see that the person surrendered to this rootkit; however, I would like to resolve it. I will try to work up the correct logs and present them to you. However, as of now all my basic virus removal tools are ineffective except the newer GMER that has the randomly generated file name; it is the only application I can run out of HJT, CF, SDFIX, AUTORUNS. I installed my virus tools from a CD and ran them from the hard drive. It terminated them immediately after opening, then corrupted the EXEs. So I began running my tools directly from the CD so that it could not be written to. It actually froze the optical drive with the LED and the tray wouldn't open. It also REMOVED the optical drive from Windows. This is MIND Blowing artificial intelligence.


#39
September 5, 2009 at 09:12:34
Hi PCGuy, was your problem eventually solved?
I got the same infection. Now I'm wondering if anyone has ever fixed this?


#40
September 5, 2009 at 15:42:48
Dawn, run this user-friendly UnHackMe program; it will probably do the job for you:
http://www.greatis.com/unhackme/dow...

Here are the easy to follow instructions:
http://www.greatis.com/unhackme/how...

Then I would suggest you run a boot scan with avast and move all it finds to the chest:
http://www.filehippo.com/download_a...

If there are infections in the system files, be sure to google them on another PC to see if they can be removed.

Good luck

Some HELP in posting on Computing.net plus free progs and instructions Cheers



#41
September 9, 2009 at 07:50:43
This happens because DEP closes the already infected explorer.exe to protect the computer from spreading the viruses on the hard drive.

Windows XP user

I would appreciate it if everybody that has received help from me would say if my suggestions work.

