[Resolved] All .EXE files locked - Believe The Cause Is "Security

Welcome to What the Tech! Register for a free account, or login > How does it work? We specialize in the removal of malicious software (malware),
but here you'll find free help and support for all your tech questions. We invite you to ask questions, share experiences, and learn.

Spyware, Virus, Trojan, Rootkit? Remove malware -> Read this before posting a hijackthis log • Need help starting a new topic?

To avoid confusion, please do not post your question in someone else's topic. Start your own. Stay with your original topic when posting a follow up.

What the Tech > Spyware / Malware / Virus Removal > Virus, Spyware & Malware Removal

4 Pages

< 1 2 3 4 >

[Resolved] All .EXE files locked - Believe The Cause Is "Security

Options

T.C. View Member Profile	Nov 6 2009, 11:45 AM Post #31
Authentic Member Group: Authentic Member Posts: 66 Joined: 9-February 07 Member No.: 67,428 Operating System: XP	I think we're good! Thanks again! =) You've been a big help! =) You may close the thread!

CatByte View Member Profile	Nov 6 2009, 12:00 PM Post #32
Classroom Administrator Group: Classroom Admin Posts: 12,733 Joined: 18-November 04 From: Canada Member No.: 18,614 Operating System: xp sp3	Hi, You may not be good, if you are reinfected there may be more work to do, please post the log from the updated combofix The logs you provided were from versions of the tools that have expired. We need to update the tools and run the scans once more

T.C. View Member Profile	Nov 6 2009, 12:03 PM Post #33
Authentic Member Group: Authentic Member Posts: 66 Joined: 9-February 07 Member No.: 67,428 Operating System: XP	don't close the thread. There is still something running in the background. I have used ComboFix and everything is fine... it removes the adware. When you power down the computer and start it back up... it's reappearing. Running in the background. My internet connection won't start up as quickly as usual... it's a 3 minute delay. I also noticed my computer is making humming noises... I would only imagine that means it's working harder than usual on a start up? There must be something else running in the background?

CatByte View Member Profile	Nov 6 2009, 12:06 PM Post #34
Classroom Administrator Group: Classroom Admin Posts: 12,733 Joined: 18-November 04 From: Canada Member No.: 18,614 Operating System: xp sp3	Please download an updated ComboFix as instructed and post the log

CatByte View Member Profile	Nov 6 2009, 12:38 PM Post #36
Classroom Administrator Group: Classroom Admin Posts: 12,733 Joined: 18-November 04 From: Canada Member No.: 18,614 Operating System: xp sp3	Hi, Please do the following: Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results". Copy/paste the text inside the Codebox below into notepad: Here's how to do that: Click Start > Run type Notepad click OK. This will open an empty notepad file: Copy all the text inside of the code box - Press Ctrl+C (or right click on the highlighted section and choose 'copy') CODE http://forums.whatthetech.com/All_EXE_files_locked_Believe_Cause_Security_Tool_t107984.html&view=findpost&p=608614#entry608614 Collect:: c:\windows\system32\iehelper.dll C:\rycbgcq.exe C:\cmxmwfg.exe C:\wrjcmwbu.exe C:\ilywlxxf.exe C:\txgbaxl.exe C:\isllv.exe C:\13.tmp C:\12.tmp C:\11.tmp C:\10.tmp C:\F.tmp C:\E.tmp C:\D.tmp C:\C.tmp C:\B.tmp c:\documents and settings\HP_Owner\Local Settings\Application Data\snecgx\sgnmsysguard.exe c:\windows\system32\drivers\84b782b3.sys KillAll:: Folder:: c:\documents and settings\HP_Owner\Local Settings\Application Data\snecgx Registry:: [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{b6d223f6-c185-49a2-ba7e-a03e84744702}] [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "ratxsugh"=- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "ratxsugh"=- Driver:: 84b782b3 Now paste the copied text into the open notepad - press CTRL+V (or right click and choose 'paste') Save this file to your desktop, Save this as "CFScript" Here's how to do that: 1.Click File; 2.Click Save As... Change the directory to your desktop; 3.Change the Save as type to "All Files"; 4.Type in the file name: CFScript 5.Click Save ... Referring to the screenshot above, drag CFScript.txt into ComboFix.exe. ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal. When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply. CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

CatByte View Member Profile	Nov 6 2009, 02:41 PM Post #38
Classroom Administrator Group: Classroom Admin Posts: 12,733 Joined: 18-November 04 From: Canada Member No.: 18,614 Operating System: xp sp3	Hi, Still more to do, Please do the following: Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results". Copy/paste the text inside the Codebox below into notepad: Here's how to do that: Click Start > Run type Notepad click OK. This will open an empty notepad file: Copy all the text inside of the code box - Press Ctrl+C (or right click on the highlighted section and choose 'copy') CODE File:: C:\13.tmp C:\12.tmp C:\11.tmp C:\10.tmp C:\F.tmp C:\E.tmp C:\D.tmp C:\C.tmp C:\B.tmp C:\6.tmp C:\5.tmp C:\4.tmp FCopy:: c:\windows\erdnt\cache\ndis.sys \| c:\windows\system32\drivers\ndis.sys Now paste the copied text into the open notepad - press CTRL+V (or right click and choose 'paste') Save this file to your desktop, Save this as "CFScript" Here's how to do that: 1.Click File; 2.Click Save As... Change the directory to your desktop; 3.Change the Save as type to "All Files"; 4.Type in the file name: CFScript 5.Click Save ... Referring to the screenshot above, drag CFScript.txt into ComboFix.exe. ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal. When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply. CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

CatByte View Member Profile	Nov 9 2009, 04:02 AM Post #40
Classroom Administrator Group: Classroom Admin Posts: 12,733 Joined: 18-November 04 From: Canada Member No.: 18,614 Operating System: xp sp3	Hi, Please do the following: Please open your MalwareBytes AntiMalware Program Click the Update Tab and search for updates If an update is found, it will download and install the latest version. Once the program has loaded, select "Perform Quick Scan", then click Scan. The scan may take some time to finish, so please be patient. When the scan is complete, click OK, then Show Results to view the results. Make sure that everything is checked, and click Remove Selected. <-- very important When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note) The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM. Copy&Paste the entire report in your next reply. Extra Note:If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process, if asked to restart the computer, please do so immediately. NEXT Please go HERE to run Panda's ActiveScan Once you are on the Panda site click the Scan your PC Now button A new window will open...click the Check Now button Enter your Country Enter your State/Province Enter your e-mail address and click send Select either Home User or Company Click the big Scan Now button If it wants to install an ActiveX component allow it It will start downloading the files it requires for the scan (Note: It may take a couple of minutes) When download is complete, click on My Computer to start the scan When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location. Post the contents of the ActiveScan report

T.C. View Member Profile	Nov 9 2009, 10:59 PM Post #41
Authentic Member Group: Authentic Member Posts: 66 Joined: 9-February 07 Member No.: 67,428 Operating System: XP	Malwarebytes' Anti-Malware 1.41 Database version: 3137 Windows 5.1.2600 Service Pack 2 11/9/2009 11:59:23 PM mbam-log-2009-11-09 (23-59-23).txt Scan type: Quick Scan Objects scanned: 114268 Time elapsed: 3 minute(s), 58 second(s) Memory Processes Infected: 0 Memory Modules Infected: 0 Registry Keys Infected: 0 Registry Values Infected: 0 Registry Data Items Infected: 0 Folders Infected: 0 Files Infected: 0 Memory Processes Infected: (No malicious items detected) Memory Modules Infected: (No malicious items detected) Registry Keys Infected: (No malicious items detected) Registry Values Infected: (No malicious items detected) Registry Data Items Infected: (No malicious items detected) Folders Infected: (No malicious items detected) Files Infected: (No malicious items detected)

T.C. View Member Profile	Nov 10 2009, 06:16 AM Post #42
Authentic Member Group: Authentic Member Posts: 66 Joined: 9-February 07 Member No.: 67,428 Operating System: XP	Panda Scan Results ;***************************************************************************** ***************************************************************************** *************** ANALYSIS: 2009-11-10 07:15:05 PROTECTIONS: 0 MALWARE: 40 SUSPECTS: 7 ;*************************************************************************** ***************************************************************************** ***************** PROTECTIONS Description Version Active Updated ;=============================================================================== ================================================================================= =================== ;=============================================================================== ================================================================================= =================== MALWARE Id Description Type Active Severity Disinfectable Disinfected Location ;=============================================================================== ================================================================================= =================== 00139059 Cookie/Traffic Marketplace TrackingCookie No 0 Yes No c:\documents and settings\hp_owner\cookies\hp_owner@trafficmp[1].txt 00139060 Cookie/Casalemedia TrackingCookie No 0 Yes No c:\documents and settings\hp_owner\cookies\hp_owner@casalemedia[2].txt 00139061 Cookie/Doubleclick TrackingCookie No 0 Yes No c:\documents and settings\hp_owner\cookies\hp_owner@doubleclick[1].txt 00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No c:\documents and settings\hp_owner\cookies\hp_owner@atdmt[1].txt 00145405 Cookie/RealMedia TrackingCookie No 0 Yes No c:\documents and settings\hp_owner\cookies\hp_owner@247realmedia[1].txt 00145457 Cookie/FastClick TrackingCookie No 0 Yes No c:\documents and settings\hp_owner\cookies\hp_owner@fastclick[2].txt 00145731 Cookie/Tribalfusion TrackingCookie No 0 Yes No c:\documents and settings\hp_owner\cookies\hp_owner@tribalfusion[1].txt 00145738 Cookie/Mediaplex TrackingCookie No 0 Yes No c:\documents and settings\hp_owner\cookies\hp_owner@mediaplex[1].txt 00167430 Cookie/myaffiliateprogram TrackingCookie No 0 Yes No c:\documents and settings\hp_owner\cookies\hp_owner@www.myaffiliateprogram[1].txt 00167642 Cookie/Com.com TrackingCookie No 0 Yes No c:\documents and settings\hp_owner\application data\mozilla\firefox\profiles\9t8ng48w.default\cookies.txt[.com.com/] 00167704 Cookie/Xiti TrackingCookie No 0 Yes No c:\documents and settings\hp_owner\application data\mozilla\firefox\profiles\9t8ng48w.default\cookies.txt[.xiti.com/] 00167753 Cookie/Statcounter TrackingCookie No 0 Yes No c:\documents and settings\hp_owner\cookies\hp_owner@statcounter[2].txt 00168056 Cookie/YieldManager TrackingCookie No 0 Yes No c:\documents and settings\hp_owner\cookies\hp_owner@ad.yieldmanager[2].txt 00168061 Cookie/Apmebf TrackingCookie No 0 Yes No c:\documents and settings\hp_owner\cookies\hp_owner@apmebf[2].txt 00168076 Cookie/BurstNet TrackingCookie No 0 Yes No c:\documents and settings\hp_owner\cookies\hp_owner@burstnet[1].txt 00168090 Cookie/Serving-sys TrackingCookie No 0 Yes No c:\documents and settings\hp_owner\cookies\hp_owner@serving-sys[2].txt 00168093 Cookie/Serving-sys TrackingCookie No 0 Yes No c:\documents and settings\hp_owner\cookies\hp_owner@bs.serving-sys[2].txt 00168097 Cookie/BurstBeacon TrackingCookie No 0 Yes No c:\documents and settings\hp_owner\cookies\hp_owner@www.burstbeacon[1].txt 00169190 Cookie/Advertising TrackingCookie No 0 Yes No c:\documents and settings\hp_owner\cookies\hp_owner@advertising[1].txt 00170304 Cookie/WebtrendsLive TrackingCookie No 0 Yes No c:\documents and settings\hp_owner\cookies\hp_owner@statse.webtrendslive[1].txt 00170495 Cookie/PointRoll TrackingCookie No 0 Yes No c:\documents and settings\hp_owner\cookies\hp_owner@ads.pointroll[2].txt 00170554 Cookie/Overture TrackingCookie No 0 Yes No c:\documents and settings\hp_owner\cookies\hp_owner@overture[1].txt 00170556 Cookie/RealMedia TrackingCookie No 0 Yes No c:\documents and settings\hp_owner\cookies\hp_owner@realmedia[1].txt 00171982 Cookie/QuestionMarket TrackingCookie No 0 Yes No c:\documents and settings\hp_owner\cookies\hp_owner@questionmarket[2].txt 00172221 Cookie/Zedo TrackingCookie No 0 Yes No c:\documents and settings\hp_owner\cookies\hp_owner@zedo[2].txt 00173520 Cookie/Bluestreak TrackingCookie No 0 Yes No c:\documents and settings\hp_owner\cookies\hp_owner@bluestreak[1].txt 00194327 Cookie/Go TrackingCookie No 0 Yes No c:\documents and settings\hp_owner\cookies\hp_owner@go[2].txt 00213030 application/regclean32 HackTools No 0 Yes No hkey_current_user\software\registry cleaner 00213030 application/regclean32 HackTools No 0 Yes No c:\documents and settings\hp_owner\application data\registry cleaner 00213030 application/regclean32 HackTools No 0 Yes No hkey_current_user\software\registryoptimizer.com 00262020 Cookie/Atwola TrackingCookie No 0 Yes No c:\documents and settings\hp_owner\application data\mozilla\firefox\profiles\9t8ng48w.default\cookies.txt[.atwola.com/] 00262020 Cookie/Atwola TrackingCookie No 0 Yes No c:\documents and settings\hp_owner\cookies\hp_owner@atwola[1].txt 00629064 Generic Malware Virus/Trojan No 0 Yes No c:\tim\timnewcd\applications\morpheus30\morph20 00948556 W32/Protector.A Virus No 0 Yes No c:\qoobox\quarantine\c\windows\system32\drivers\ndis.sys.vir 00948556 W32/Protector.A Virus No 0 Yes No c:\system volume information\_restore{a2578cba-012a-4ee9-9e3d-27d3f494a2b6}\rp486\a0099060.sys 00948556 W32/Protector.A Virus No 0 Yes No c:\system volume information\_restore{a2578cba-012a-4ee9-9e3d-27d3f494a2b6}\rp486\a0099056.sys 01343147 Application/MyWay HackTools No 0 Yes No d:\i386\apps\app30992\src\hpsummer2005.exe 02279345 Adware/AntivirusSystemPro Adware No 0 Yes No c:\qoobox\quarantine\[4]-submit_2009-11-06_14.11.57.zip[iehelper.dll] 02885963 Rootkit/Booto.C Virus/Worm No 0 Yes No c:\system volume information\_restore{a2578cba-012a-4ee9-9e3d-27d3f494a2b6}\rp484\a0098544.sys 02885963 Rootkit/Booto.C Virus/Worm No 0 Yes No c:\system volume information\_restore{a2578cba-012a-4ee9-9e3d-27d3f494a2b6}\rp484\a0098711.sys 03074964 Trj/CI.A Virus/Trojan No 0 Yes No c:\qoobox\quarantine\[4]-submit_2009-11-06_14.11.57.zip[ilywlxxf.exe] 03074964 Trj/CI.A Virus/Trojan No 0 Yes No c:\system volume information\_restore{a2578cba-012a-4ee9-9e3d-27d3f494a2b6}\rp484\a0098543.sys 03074964 Trj/CI.A Virus/Trojan No 0 No No c:\qoobox\quarantine\[4]-submit_2009-11-06_14.11.57.zip[wrjcmwbu.exe][install.exe] 03074964 Trj/CI.A Virus/Trojan No 0 Yes No c:\qoobox\quarantine\c\windows\system32\drivers\84b782b3.sys.vir 03074964 Trj/CI.A Virus/Trojan No 0 Yes No c:\qoobox\quarantine\c\windows\system32\drivers\_84b782b3_.sys.zip[84b782b3.sys] 03074964 Trj/CI.A Virus/Trojan No 0 Yes No c:\qoobox\quarantine\[4]-submit_2009-11-06_14.11.57.zip[wrjcmwbu.exe] 03074964 Trj/CI.A Virus/Trojan No 0 Yes No c:\qoobox\quarantine\c\windows\system32\drivers\_84b782b3_.sys.zip[84b782b3.sys.1] 03074964 Trj/CI.A Virus/Trojan No 0 No No c:\qoobox\quarantine\[4]-submit_2009-11-06_14.11.57.zip[ilywlxxf.exe][install.exe] 03541233 HackTool/Rebooter HackTools No 0 Yes No c:\system volume information\_restore{a2578cba-012a-4ee9-9e3d-27d3f494a2b6}\rp484\a0098429.exe 03900910 Trj/Downloader.MDW Virus/Trojan No 1 Yes No c:\tim\timnewcd\applications\xcell\setup.exe 03930323 Trj/Rebooter.J Virus/Trojan No 0 Yes No c:\system volume information\_restore{a2578cba-012a-4ee9-9e3d-27d3f494a2b6}\rp484\a0098422.exe 05564487 Trj/Buzus.AH Virus/Trojan No 1 Yes No c:\qoobox\quarantine\[4]-submit_2009-11-06_14.11.57.zip[cmxmwfg.exe] 05564487 Trj/Buzus.AH Virus/Trojan No 1 Yes No c:\qoobox\quarantine\[4]-submit_2009-11-06_14.11.57.zip[txgbaxl.exe] 05579495 Generic Trojan Virus/Trojan No 0 Yes No c:\qoobox\quarantine\[4]-submit_2009-11-06_14.11.57.zip[rycbgcq.exe] ;=============================================================================== ================================================================================= =================== SUSPECTS Sent Location ;=============================================================================== ================================================================================= =================== No c:\hp\recovery\wizard\swr_wizard.exe No c:\qoobox\quarantine\[4]-submit_2009-11-06_14.11.57.zip[sgnmsysguard.exe] No c:\qoobox\quarantine\[4]-submit_2009-11-06_14.11.57.zip[isllv.exe] No c:\system volume information\_restore{a2578cba-012a-4ee9-9e3d-27d3f494a2b6}\rp484\a0098452.com No c:\system volume information\_restore{a2578cba-012a-4ee9-9e3d-27d3f494a2b6}\rp484\a0098456.com No c:\system volume information\_restore{a2578cba-012a-4ee9-9e3d-27d3f494a2b6}\rp484\a0098700.exe No c:\windows\wpdsvr.exe ;=============================================================================== ================================================================================= =================== VULNERABILITIES Id Severity Description ;=============================================================================== ================================================================================= =================== 214076 HIGH MS09-059 971486 HIGH MS09-058 214074 HIGH MS09-057 214073 HIGH MS09-056 214072 HIGH MS09-055 214071 HIGH MS09-054 213109 HIGH MS09-046 212494 HIGH MS09-042 212493 HIGH MS09-041 212490 HIGH MS09-038 212530 HIGH MS09-034 211784 HIGH MS09-032 211781 HIGH MS09-029 210625 HIGH MS09-026 210624 HIGH MS09-025 210621 HIGH MS09-022 210618 HIGH MS09-019 208380 HIGH MS09-015 208379 HIGH MS09-014 208378 HIGH MS09-013 208377 HIGH MS09-012 206981 HIGH MS09-007 206980 HIGH MS09-006 205735 HIGH MS09-002 204670 HIGH MS09-001 203806 HIGH MS08-078 203508 HIGH MS08-073 203505 HIGH MS08-071 196455 MEDIUM MS08-037 194862 HIGH MS08-032 ;=============================================================================== ================================================================================= ===================

CatByte View Member Profile	Nov 10 2009, 07:34 AM Post #43
Classroom Administrator Group: Classroom Admin Posts: 12,733 Joined: 18-November 04 From: Canada Member No.: 18,614 Operating System: xp sp3	Hi, Just a couple of files there to delete, the rest are in quarantine or old restore points. Please navigate to the following files > right click and delete them: c:\tim\timnewcd\applications\morpheus30\morph20 c:\tim\timnewcd\applications\xcell\setup.exe Now use TFC Download TFC to your desktop Close any open windows. Double click the TFC icon to run the program TFC will close all open programs itself in order to run, Click the Start button to begin the process. Allow TFC to run uninterrupted. The program should not take long to finish it's job Once its finished it should automatically reboot your machine, if it doesn't, manually reboot to ensure a complete clean It's normal after running TFC cleaner that the PC will be slower to boot the first time. NEXT Please post a fresh DDS and Attach.txt and advise how your computer is running now and if there are any outstanding issues.

CatByte View Member Profile	Nov 13 2009, 06:05 AM Post #45
Classroom Administrator Group: Classroom Admin Posts: 12,733 Joined: 18-November 04 From: Canada Member No.: 18,614 Operating System: xp sp3	Hi, One file to delete then you are good to go. Please do the following: Go Start > Run and copy/paste the following single-line command into the Run box and click OK: QUOTE cmd /c del /f/a/q \"C:\\1872244670\" NEXT Click START then RUN Now type Combofix /uninstall in the runbox and click OK. Note the space between the ..X and the /U, it needs to be there. Now follow the previous recommendations provided. Hopefully, things should be good this time

« Next Oldest · Virus, Spyware & Malware Removal · Next Newest »

4 Pages

< 1 2 3 4 >

1 User(s) are reading this topic (1 Guests and 0 Anonymous Users)

0 Members:

Display Mode: Standard · Switch to: Linear+ · Switch to: Outline

Track this topic · Email this topic · Print this topic · Subscribe to this forum

Time is now: 9th September 2010 - 02:11 AM

Advertisements do not imply our endorsement of that product or service. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk.
Member site: Alliance of Security Analysis Professionals | UNITE Against Malware
Memory Forums | Auto Repair Forum
© Geeks to Go, Inc. | All Rights Reserved | Privacy Policy