
machine acting strange


  • This topic is locked
209 replies to this topic

#1 Gator

Gator

    Authentic Member

  • Authentic Member
  • PipPip
  • 121 posts

Posted 05 November 2008 - 03:27 PM

This is a problem affecting another pc in this house.

Symptoms:

1. Wireless card signal no longer in desktop tray.
2. Trend internet suite icon no longer in desktop tray.
3. Unable to start trend suite from desktop icon or from menu in all programs display. Reports that there is no wireless connection.
4. Task manager unavailable. Dialog box informs that task manager has been shut down by Administrator. I am administrator on this computer and have not shut it down.
5. Unable to shut down windows through normal shutdown routine. Must shut down via on off switch.
6. System restore inoperative even from safe mode.
7. Icon in desktop tray for wireless internet connection has red x even though the internet connection works.

Any help would be appreciated.



#2 LDTate

LDTate

    Grand Poobah

  • Root Admin
  • 57,211 posts

Posted 06 November 2008 - 10:35 AM


DO NOT use any TOOLS such as Combofix, Vundofix, or HijackThis fixes without supervision.

Doing so could make your pc inoperable and could require a full reinstall of your OS, losing all your programs and data.



Stay with this topic until I give you the all clean post.

You might want to print these instructions out.

I suggest you do this:

Double-click My Computer.
Click the Tools menu, and then click Folder Options.
Click the View tab.
Clear "Hide file extensions for known file types."
Under the "Hidden files" folder, select "Show hidden files and folders."
Clear "Hide protected operating system files."
Click Apply, and then click OK.


Please do not delete anything unless instructed to.


Please download ATF Cleaner by Atribune.
Download - ATF Cleaner»
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

(If you use Firefox or the Opera browser: to keep saved passwords, click No at the prompt.)

It's normal after running ATF cleaner that the PC will be slower to boot the first time or two.

Next:

Please download Malwarebytes' Anti-Malware to your desktop.

  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected .
  • When completed, a log will open in Notepad. Please save it to a convenient location and post the results.
  • Note: If you receive a notice that some of the items couldn't be removed, that they have been added to the delete on reboot list, please reboot.
Also "copy/paste" a new HijackThis log file into this thread.

Also please describe how your computer behaves at the moment.

================================================================================

We strongly suggest you do this first.
ERUNT - Download - Homepage
This ensures we have a valid registry backup. ERUNT (Emergency Recovery Utility NT) is a free program that allows you to keep a complete backup of your registry and restore if needed. Removing modern malware infections often requires making changes to the registry, and a corrupt registry can prevent a system from booting. Compatible with Windows NT, 2000, 2003, XP, Vista, 32 & 64-bit versions.
  • Download ERUNT
  • Double-click erunt_setup.exe to run.
  • Follow the prompts and install using the default configuration (setup language, install location, shortcuts...).
  • Say No to the portion that asks you to add ERUNT to the start-up folder, if you like you can enable this option later.
  • Start ERUNT
  • Choose a location for the backup
    The default location C:\WINDOWS\ERDNT\[today's date] is preferred
  • The first two check boxes are ticked by default (System registry and Current user registry).
  • Press OK
  • When prompted, click YES to create a new folder.
  • Progress bars will show backup status.
  • A confirmation window will popup when complete. Click OK to close.

The forum is run by volunteers who donate their time and expertise.

Want to help others? Join the ClassRoom and learn how.

Logs will be closed if you haven't replied within 3 days

 

If you would like to paypal.gif for the help you received.
 

Proud graduate of TC/WTT Classroom

 


#3 Gator

Gator

    Authentic Member

  • Authentic Member
  • PipPip
  • 121 posts

Posted 06 November 2008 - 06:25 PM

Thanks for your response. I am accessing the forum from a clean computer right now. Downloaded and tried to run ATF Cleaner. Finally succeeded on second try. Ran Malwarebytes and had several infections. Clicked to remove them and dialog box appeared stating that regedit had been turned off and that Malwarebytes would turn it back on. Removed them. Clicked to restart machine and would not shutdown. Had to use on off switch. Rebooted machine and came up but would not recognize the wireless internet system. Rebooted machine and it recognized the wireless internet system. Realized that had not updated the Malwarebytes program. Did so and ran another scan. This time found only one infection. Removed it. Clicked on restart and machine would not shutdown. Once again had to use on off switch. Rebooted machine and logged in under my wife's profile. Ran Malwarebytes again and found 3 infections. Clicked to remove them and was once again presented with the dialog box stating that regedit had been turned off. Removed them and clicked on restart. Machine again would not shut down. Have been trying since then to get the machine to recognize the wireless system to no avail. After many times of rebooting the machine with no success, I am frustrated and will stop for this day. Will try again tomorrow evening to get the infected computer back on line and send you the logs from the 3 scans of Malwarebytes. Thanks again

#4 LDTate

LDTate

    Grand Poobah

  • Root Admin
  • 57,211 posts

Posted 06 November 2008 - 06:33 PM

:thumbup:


 


#5 Gator

Gator

    Authentic Member

  • Authentic Member
  • PipPip
  • 121 posts

Posted 07 November 2008 - 06:10 PM

Have been trying for 1.5 hours to get the infected machine to go online. No success. Any suggestions?

#6 LDTate

LDTate

    Grand Poobah

  • Root Admin
  • 57,211 posts

Posted 07 November 2008 - 06:17 PM

#1 and #7 in your first post indicate your wireless card / connection isn't working.
I would suggest posting the below in our Tech Forum area.
http://forums.whatth...email_f123.html


Symptoms:

1. Wireless card signal no longer in desktop tray.
2. Trend internet suite icon no longer in desktop tray.
3. Unable to start trend suite from desktop icon or from menu in all programs display.Reports that there is no wireless connection.
4. Task manager unavailable. Dialog box informs that task manager has been shut down by Administrator. I am administrator on this computer and have not shut it down.
5. Unable to shut down windows through normal shutdown routine. Must shut down via on off switch.
6. System restore inoperative even from safe mode.
7. Icon in desktop tray for wireless internet connection has red x even though the internet connection works.



 


#7 Gator

Gator

    Authentic Member

  • Authentic Member
  • PipPip
  • 121 posts

Posted 07 November 2008 - 06:26 PM

Ok. #7 of my original post indicated or I thought it did that the internet worked even though the red x was showing. I was able to download and run two of the programs you suggested. Now the internet connection does not work. Will repost in the forum you suggest. Thanks

#8 LDTate

LDTate

    Grand Poobah

  • Root Admin
  • 57,211 posts

Posted 07 November 2008 - 06:28 PM

Ok.

#7 of my original post indicated or I thought it did that the internet worked even though the red x was showing.

I was able to download and run two of the programs you suggested.

Now the internet connection does not work.

Will repost in the forum you suggest.
Thanks

Click Start > Run, type in CMD, and tap Enter.

At the prompt, type in Ping www.google.com
Does it time out or do you get a reply?


 


#9 Gator

Gator

    Authentic Member

  • Authentic Member
  • PipPip
  • 121 posts

Posted 07 November 2008 - 06:35 PM

cmd.exe window opened with C:\Documents and Settings\James. I typed what you specified and the response was Ping request could not find host google.com. Please check the name and try again.

#10 LDTate

LDTate

    Grand Poobah

  • Root Admin
  • 57,211 posts

Posted 07 November 2008 - 06:37 PM

cmd.exe window opened with C:\Documents and Settings\James. I typed what you specified and the response was
Ping request could not find host google.com. Please check the name and try again.

Try:
Ping www.google.com



#11 Gator

Gator

    Authentic Member

  • Authentic Member
  • PipPip
  • 121 posts

Posted 07 November 2008 - 06:38 PM

Received same message

#12 LDTate

LDTate

    Grand Poobah

  • Root Admin
  • 57,211 posts

Posted 07 November 2008 - 06:41 PM

That means it's not connecting to the internet.

Try this:
This file will fit on a floppy or thumb drive.

Get a copy of winsockxpfix.exe. Copy it to the problem pc. You just run it and
things should work OK after it reboots your system.

http://www.snapfiles...nsockxpfix.html


 


#13 Gator

Gator

    Authentic Member

  • Authentic Member
  • PipPip
  • 121 posts

Posted 07 November 2008 - 07:18 PM

Ok. Had to run program twice before it worked. Downloaded all the suggested programs and ran. Here is the first Malwarebytes log.

Malwarebytes' Anti-Malware 1.30
Database version: 1368
Windows 5.1.2600 Service Pack 3

11/6/2008 5:40:10 PM
mbam-log-2008-11-06 (17-40-10).txt

Scan type: Quick Scan
Objects scanned: 76761
Time elapsed: 15 minute(s), 30 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 1
Registry Data Items Infected: 3
Folders Infected: 1
Files Infected: 6

Memory Processes Infected:
C:\WINDOWS\system32\~.exe (Trojan.Downloader) -> Failed to unload process.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\The Weather Channel (Adware.Hotbar) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Weather Services (Adware.Hotbar) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\FocusInteractive (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel\Cpls\wxfw.dll (Adware.Hotbar) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell (Trojan.Downloader) -> Data: c:\windows\system32\~.exe -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell (Trojan.Downloader) -> Data: system32\~.exe -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
C:\Program Files\VirusRemover2008 (Rogue.VirusRemove) -> Quarantined and deleted successfully.

Files Infected:
C:\Program Files\VirusRemover2008\Viruses.bdt (Rogue.VirusRemove) -> Quarantined and deleted successfully.
C:\Program Files\SAV\sav0.dat (Rogue.SystemAntivirus) -> Quarantined and deleted successfully.
C:\Program Files\SAV\sav1.dat (Rogue.SystemAntivirus) -> Quarantined and deleted successfully.
C:\Program Files\SAV\sav.ooo (Rogue.SystemAntivirus) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\aHNvn4X8.exe.a_a (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\~.exe (Trojan.Downloader) -> Delete on reboot.

Here is the second

Malwarebytes' Anti-Malware 1.30
Database version: 1370
Windows 5.1.2600 Service Pack 3

11/6/2008 6:02:50 PM
mbam-log-2008-11-06 (18-02-50).txt

Scan type: Quick Scan
Objects scanned: 57146
Time elapsed: 4 minute(s), 20 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Here is the last logged in under my wife's profile.

Malwarebytes' Anti-Malware 1.30
Database version: 1370
Windows 5.1.2600 Service Pack 3

11/6/2008 6:47:11 PM
mbam-log-2008-11-06 (18-47-11).txt

Scan type: Quick Scan
Objects scanned: 56913
Time elapsed: 4 minute(s), 34 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{2d2bee6e-3c9a-4d58-b9ec-458edb28d0f6} (Rogue.DriveCleaner) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{00a6faf1-072e-44cf-8957-5838f569a31d} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1d4db7d2-6ec9-47a3-bd87-1e41684e07bb} (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
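An added example, not part of the thread or any poster's code: a short Python triage of the Malwarebytes detection lines posted in #13, listing detections that were not cleanly removed and detections that recur across scans. The sample is a subset of the posted entries laid out one per line, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample: detection lines copied from the three logs posted above
# (a subset, one entry per line), keyed by each log's file name.
TM = r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully."
SCANS = {
    "mbam-log-2008-11-06 (17-40-10).txt": "\n".join([
        r"C:\WINDOWS\system32\~.exe (Trojan.Downloader) -> Failed to unload process.",
        r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell (Trojan.Downloader) -> Data: c:\windows\system32\~.exe -> Quarantined and deleted successfully.",
        TM,
        r"C:\Program Files\VirusRemover2008 (Rogue.VirusRemove) -> Quarantined and deleted successfully.",
        r"C:\WINDOWS\system32\~.exe (Trojan.Downloader) -> Delete on reboot.",
    ]),
    "mbam-log-2008-11-06 (18-02-50).txt": TM,
    # The third scan ran under another profile, so HKEY_CURRENT_USER here is
    # a different user's hive even though the key path reads the same.
    "mbam-log-2008-11-06 (18-47-11).txt": "\n".join([
        r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{2d2bee6e-3c9a-4d58-b9ec-458edb28d0f6} (Rogue.DriveCleaner) -> Quarantined and deleted successfully.",
        TM,
    ]),
}

# "<object> (<Family.Name>) -> [Data: ... ->] [Bad: ... ->] <final action>."
ENTRY = re.compile(
    r"^(?P<obj>.+?) \((?P<name>[A-Za-z]+\.[A-Za-z]+)\) -> (?P<rest>.+?)\.?$", re.M)
CLEAN = "Quarantined and deleted successfully"

def parse(log):
    """Return (object, detection name, final action) for each detection line."""
    return [(m["obj"], m["name"], m["rest"].split(" -> ")[-1])
            for m in ENTRY.finditer(log)]

def unresolved(log):
    """Detections whose final action is anything other than a clean removal."""
    return [e for e in parse(log) if e[2] != CLEAN]

def recurring(scans):
    """Map (object, name) -> scan labels, for detections seen in 2+ scans."""
    seen = defaultdict(list)
    for label, log in scans.items():
        for key in sorted({(obj, name) for obj, name, _ in parse(log)}):
            seen[key].append(label)
    return {k: v for k, v in seen.items() if len(v) > 1}

if __name__ == "__main__":
    for label, log in SCANS.items():
        for obj, name, action in unresolved(log):
            print(f"NOT REMOVED  {label}: {obj} [{name}] -> {action}")
    for (obj, name), labels in recurring(SCANS).items():
        print(f"RECURRING    {name} in {len(labels)} scans: {obj}")
```
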

#14 LDTate

LDTate

    Grand Poobah

  • Root Admin
  • 57,211 posts

Posted 07 November 2008 - 07:25 PM

Is the internet working now?


 


#15 Gator

Gator

    Authentic Member

  • Authentic Member
  • PipPip
  • 121 posts

Posted 07 November 2008 - 07:28 PM

Yes it is.
