Multiple infections and Error 1402

Hi all,

Here’s another one…

A neighbour of mine has a desktop PC (Dell Dimension 4500S, Windows XP Home 2002, SP3, Pentium 4 1.8 GHz, 128MB RAM) that was so slow it was almost running backwards, and they asked me to have a look. Norton Antivirus 2002 had expired in 2006… so you can guess what sort of mess this pile of plastic was in. I installed CCleaner, MyDefrag, MBAM and Avast, and started a basic clean-up. Avast found multiple infections (dozens of different bugs like Agent KR, Trojano, Adware-gen, Crypt-FOV, Hoax Alarm, Winshow, and probably swine flu and Ebola).

The PC is now quite a bit faster. However, the machine often freezes, and some programmes (like Firefox and Skype) crash consistently. Also, I have tried to uninstall Norton, but when it gets to the stage of removing system registry values, I keep getting the following error message “Error 1402: Could not open key: HKEY_LOCAL_MACHINE\Software\Microsoft Windows\Current version\explorer\Browser Helper Objects” and it says there is a permissions issue; the uninstall programme then fails. I’m using the admin account so I assume this has something to do with malware and maybe a quarantined file.

Would love some guidance…
Thanks,
MP

OK boyo you know the routine ;D

GMER Rootkit Scanner - Download - Homepage
[*] Download GMER
[*] Extract the contents of the zipped file to desktop.
[*] Double click GMER.exe.


[*] If it gives you a warning about rootkit activity and asks if you want to run a full scan…click on NO, then use the following settings for a more complete scan…
[*] In the right panel, you will see several boxes that have been checked. Ensure the following are UNCHECKED
[*] IAT/EAT
[*] Drives/Partition other than Systemdrive (typically C:)
[*] Show All (don’t miss this one)


[*] Then click the Scan button & wait for it to finish.
[*] Once done click on the [Save…] button, and in the File name area, type in “ark.txt”
[*] Save the log where you can easily find it, such as your desktop.
Caution: Rootkit scans often produce false positives. Do NOT take any action on any “<-- ROOTKIT” entries
Please copy and paste the report into your Post.

THEN

Download OTL to your Desktop

[*]Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
[*]Select Scan all users
[*]Under the Custom Scan box paste this in


netsvcs
drivers32
%SYSTEMDRIVE%\*.*
%systemroot%\*. /mp /s
CREATERESTOREPOINT
%systemroot%\system32\*.dll /lockedfiles
%systemroot%\Tasks\*.job /lockedfiles
%systemroot%\System32\config\*.sav
%systemroot%\system32\drivers\*.sys /180

[*]Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.

[*]When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
[*]Post both logs

have tried to uninstall Norton, but when it gets to the stage of removing system registry values,
You will find the Norton removal tool here, Nr.24a http://uninstallers.blogspot.com/

Pondus - many thanks for that.

Essexboy - I have attached two out of the three .txt files. I can’t attach the OTL.txt file as it is too big - the forum limit is 200kb, and the file is 247kb. I’ll cut and paste the content into a separate post instead. No I can’t do that either, there’s just far too much text! Can you give me an email address to forward it to?

One other thing to note in case it’s relevant: after running GMER, OTL wouldn’t run - when trying to open it I got an error message telling me that the system did not have enough resources or something to that effect. A re-boot let me get to it though.

Thanks,
MP

The Ark text is empty ???

I have PM’d my e-mail ;D

I already made this inquiry in a post I made, but how can you get the avast team to see if the avast software has problems. If any of you remember, some time ago the avast software had a major error that made it flag multiple files as viruses. perhaps this is the case again, or perhaps there is an error in the code.

update: already sent a ticket to the avast team

In which case we would have a lot of people on here with this problem as opposed to just one. One mistake does not mean every detection is erroneous

If you look around the forums you will find similar cases to mine. Some report that it started about a week ago so it matches with the time avast began acting up. And perhaps many people do not have accounts in the forums to post issues.

As of today I have seen no indication of multiple file infections that could be related to Avast, I use Avast and nothing untoward is occurring on my system

Trust me when you get multiple false positives this forum will become swamped

You are correct. If you look at my original post you will see that my problem may have been fixed. Did a full scan with Malwarebytes and deleted all the stuff and now my system should be clean. Avast is no longer finding multiple viruses. Now the only problem I have is that I don’t know where the viruses that Malwarebytes found originated from.

Hi Essexboy,

I have emailed the OTL file. As regards the ark.txt file, I have run GMER again to generate another report, but now I can’t save the file - every time I try, I get the error message that the selected location (desktop, My Documents, C:drive…everywhere) is not accessible, because “insufficient system resources exist to complete the requested service”. I have tried a reboot, run a disk cleaner, defragmenter etc, but no joy.

Damn!
MP

I managed to find a workaround - here is the ark.txt file.

MP

I have e-mailed the OTL fix as it was tooooo big for the forum, and I feel I may have missed a few as I started going cross eyed :o. That is a new use of ADS first time I have seen that. First a warning

One or more of the identified infections is a backdoor Trojan and a key logger.

If this computer is ever used for on-line banking, I suggest you do the following immediately:

  1. Call all of your banks, credit card companies, financial institutions and inform them that you may be a victim of identity theft and to put a watch on your accounts or change all your account numbers.

  2. From a clean computer, change ALL your on-line passwords for email, for banks, financial accounts, PayPal, eBay, on-line companies, any on-line forums or groups you belong to.

Do NOT change passwords or do any transactions while using the infected computer because the attacker will get the new passwords and transaction information.

OK to continue, once you have dragged and dropped the fix.txt into OTL as per instructions and the system has rebooted

Download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

[*]Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools

[*]Double click on ComboFix.exe & follow the prompts.

[*]As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it’s strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

[*]Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

OK, here is the ComboFix report… the programme ran for over an hour!

Thanks again essexboy,
MP

OK a few more ADS to kill I feel - your system restore has been compromised so I will clear and then reset that. Let me know how it runs on completion

Run OTL

[*]Under the Custom Scans/Fixes box at the bottom, paste in the following

:OTL
c:\windows\sy.exe

:Files
@c:\windows\vhadn.dat:ohzjfc
@c:\windows\falim.dat:odlacc 
@c:\windows\FeatherTexture.bmp:pucrox 
@c:\windows\stub38.ini:dnlhkg
@c:\windows\stub50.ini:ornbbl 
@c:\windows\stub50.ini:pjvckt
@c:\windows\stub72.ini:dicjih
@c:\windows\stub82.ini:pzqmic 
@c:\windows\ODBCINST.INI:poihox
@c:\windows\kbqai.txt:pusygy
@c:\windows\wjjua.txt:dvtxsz
@c:\windows\lodbf09.ini:ovqkba
@c:\windows\saxda.dat:dzjeeg
@c:\windows\SchedLgU.Txt:pvihmi 
@c:\windows\kuvyw.dat:dqllww
@c:\windows\gqqlj.txt:oqebek 
@c:\windows\ygjhg.dat:dkdvlm
@c:\windows\eqocu.dat:omutjj 
@c:\windows\fwubl.txt:djlqed
@c:\windows\iol.ico:dtvpvm
@c:\windows\stub87.ini:padpcd 
@c:\windows\syejf.txt:omsivx
@c:\windows\yoeqm.dat:pnkdfk 
@c:\windows\jnmes.txt:drfokf 
@c:\windows\qsxbm.txt:psqjaw
@c:\windows\VBADDIN.INI:ocrjcj 
@c:\windows\zpzkc.dat:dixhht
@c:\windows\_DEFAULT.PIF:dejmwt 
@c:\windows\_DEFAULT.PIF:dhbzub
@c:\windows\_DEFAULT.PIF:dlfzlc
@c:\windows\_DEFAULT.PIF:dmmqeh 
@c:\windows\_DEFAULT.PIF:oeaumc
@c:\windows\_DEFAULT.PIF:okasdg 
@c:\windows\_DEFAULT.PIF:ouxcyi
@c:\windows\_DEFAULT.PIF:owryzz
@c:\windows\_DEFAULT.PIF:pnsqmk 
@c:\windows\_DEFAULT.PIF:ppzbdc 
@c:\windows\_DEFAULT.PIF:pzhvez

:Commands
[resethosts]
[purity]
[emptytemp]
[EMPTYFLASH]
[CLEARALLRESTOREPOINTS] 
[Reboot]

[*]Then click the Run Fix button at the top
[*]Let the program run unhindered, reboot the PC when it is done
[*]Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

OK, OTL produced two logs so I’m adding them both here - a log produced after the Custom Fix, and the log after the Quick Scan.

MP

Near the end now I believe - on completion of this can you let me know what problems remain

Run OTL

[*]Under the Custom Scans/Fixes box at the bottom, paste in the following

:OTL
@Alternate Data Stream - 3567 bytes -> C:\WINDOWS\stub79.ini:wqaol
@Alternate Data Stream - 3567 bytes -> C:\WINDOWS\stub35.ini:zvcwt
@Alternate Data Stream - 3567 bytes -> C:\WINDOWS\stub13.ini:ymrwy
@Alternate Data Stream - 3567 bytes -> C:\WINDOWS\_DEFAULT.PIF:uunhk
@Alternate Data Stream - 197761 bytes -> C:\WINDOWS\_DEFAULT.PIF:oqmjr
@Alternate Data Stream - 197761 bytes -> C:\WINDOWS\_DEFAULT.PIF:kdzvo
@Alternate Data Stream - 197756 bytes -> C:\WINDOWS\_DEFAULT.PIF:lgdnb
@Alternate Data Stream - 13581 bytes -> C:\WINDOWS\stub64.ini:srjbt
@Alternate Data Stream - 13581 bytes -> C:\WINDOWS\stub17.ini:gbljl
@Alternate Data Stream - 13581 bytes -> C:\WINDOWS\MSDFMAP.INI:jmnyi

:Commands
[resethosts]
[purity]
[emptytemp]
[EMPTYFLASH]
[Reboot]

[*]Then click the Run Fix button at the top
[*]Let the program run unhindered, reboot the PC when it is done
[*]Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

THEN

Please download Malwarebytes’ Anti-Malware from Here.

Double Click mbam-setup.exe to install the application.

[*]Make sure a checkmark is placed next to Update Malwarebytes’ Anti-Malware and Launch Malwarebytes’ Anti-Malware, then click Finish.
[*]If an update is found, it will download and install the latest version.
[*]Once the program has loaded, select “Perform Quick Scan”, then click Scan.
[*]The scan may take some time to finish, so please be patient.
[*]When the scan is complete, click OK, then Show Results to view the results.
[*]Make sure that everything is checked, and click Remove Selected.
[*]When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
[*]The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
[*]Copy&Paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.
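Added example, not from this thread and not part of OTL: a small Python triage helper for the `@Alternate Data Stream` scan lines quoted in the two OTL fixes above. It parses the lines, ignores the benign Zone.Identifier stream Windows adds to downloads, groups the remaining streams by size (several random-named streams of one exact size under different host files, like the 3567- and 197761-byte sets above, usually hold copies of one payload), and renders the OTL `:Files` syntax used in the first fix. The sample log is constructed and the regex and function names are my own.

```python
import re
from collections import defaultdict

# Constructed sample in the format of OTL's "Alternate Data Stream" scan lines
# (modelled on the thread above; not a real log from the affected machine).
SAMPLE_LOG = """\
@Alternate Data Stream - 3567 bytes -> C:\\WINDOWS\\stub79.ini:wqaol
@Alternate Data Stream - 3567 bytes -> C:\\WINDOWS\\stub35.ini:zvcwt
@Alternate Data Stream - 197761 bytes -> C:\\WINDOWS\\_DEFAULT.PIF:oqmjr
@Alternate Data Stream - 197761 bytes -> C:\\WINDOWS\\_DEFAULT.PIF:kdzvo
@Alternate Data Stream - 13581 bytes -> C:\\WINDOWS\\MSDFMAP.INI:jmnyi
@Alternate Data Stream - 26 bytes -> C:\\Downloads\\setup.exe:Zone.Identifier
"""

ADS_LINE = re.compile(
    r"^@Alternate Data Stream - (?P<size>\d+) bytes -> "
    r"(?P<host>.+?):(?P<stream>[^:\\]+)\s*$")
BENIGN_STREAMS = {"zone.identifier"}  # added by Windows to downloads; benign

def parse_ads_lines(text):
    """Return (host_path, stream_name, size_bytes) for every ADS line."""
    out = []
    for line in text.splitlines():
        m = ADS_LINE.match(line.strip())
        if m:
            out.append((m.group("host"), m.group("stream"), int(m.group("size"))))
    return out

def suspicious_streams(entries):
    """Drop known-benign streams; everything left needs a human look."""
    return [e for e in entries if e[1].lower() not in BENIGN_STREAMS]

def same_size_groups(entries):
    """Group suspicious streams by size: several random-named streams of one
    exact size under different host files usually hold copies of one payload."""
    groups = defaultdict(list)
    for host, stream, size in suspicious_streams(entries):
        groups[size].append(f"{host}:{stream}")
    return {size: names for size, names in groups.items() if len(names) > 1}

def otl_files_fix(entries):
    """Render suspicious streams as an OTL ':Files' block (@path:stream)."""
    lines = [f"@{host}:{stream}" for host, stream, _ in suspicious_streams(entries)]
    return ":Files\n" + "\n".join(lines) + "\n"

if __name__ == "__main__":
    found = parse_ads_lines(SAMPLE_LOG)
    print(same_size_groups(found), otl_files_fix(found), sep="\n")
```

Paste a real OTL.Txt into `parse_ads_lines` to get the same grouping over a full scan; anything it lists still needs checking by hand before it goes into a fix.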