I am a novice administrator for my office computer and I use Avast. I recently had a malware infection on my computer. A trojan horse appears on my computer. A fake window titled “Windows XP Restore” pops up and the program runs a scan which then identifies a number of infected programs. The malware then pushes me to purchase a module to fix the problem. The problem is that I’m not able to identify the malware and remove it.
The error message that I’m getting says:
“The system has detected a problem with one or more installed IDE / SATA hard disks”
This is a fake security alert and you should check out this link for removal instructions. Whilst this isn’t the exact name, it is close and there are variations on a theme, so give this a try.
I ran rkill on my local using a flash drive. Here is the rkill log message:
This log file is located at C:\rkill.log.
Please post this only if requested to by the person helping you.
Otherwise you can close this log when you wish.
Rkill was run on 06/21/2011 at 12:03:30.
Operating System: Microsoft Windows XP
Processes terminated by Rkill or while it was running:
I just finished running Malwarebytes and Unhide.exe. Malwarebytes detected one problem and I removed it. When I ran Unhide.exe, my desktop icons came back, but the program folder on the Windows Start menu shows that all of the program files are empty.
I should say that when I finished Unhide.exe, I received a warning that my security may have prevented some program files from being unhidden. The warning suggested that I disable my security and then rerun Unhide.exe.
Should I do this? If so, how would I go about disabling Avast security while I rerun Unhide.exe?
[*]Quit all running programs
[*]For Vista/Seven, right click → run as administrator, for XP simply run RogueKiller.exe
[*]When prompted, type 6 and validate
[*]The RKreport.txt shall be generated next to the executable.
[*]If the program is blocked, do not hesitate to try several times. If it really does not work (it could happen), rename it to winlogon.exe
Please post the contents of the RKreport.txt in your next reply.
In my experience there is always something remaining that the automated tools fail to locate/recognise.
To ensure that I get all the information, this log will need to be attached (instructions at the end); if it is too large to attach, then upload to Mediafire and post the sharing link.
[*]Close ALL OTHER PROGRAMS.
[*]Double-click on OTS.exe to start the program.
[*]Check the box that says Scan All Users
[*]Check the box that says 64 bit
[*]Under Additional Scans check the following:
[*]Now click the Run Scan button on the toolbar.
[*]Let it run unhindered until it finishes.
[*]When the scan is complete Notepad will open with the report file loaded in it.
[*]Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
Operating System: Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Normal mode
User: James Salt [Admin rights]
Mode: Shortcuts HJfix – Date : 06/22/2011 13:28:53
Bad processes: 1
[SUSP PATH] stsystra.exe – c:\windows\stsystra.exe → KILLED
If so they may be in these locations :
C:\Documents and Settings\James Salt..\James Salt\Local Settings\Temp\smtmp
C:\Documents and Settings\James Salt..\James Salt\Local Settings\Temp\smtmp\1
C:\Documents and Settings\James Salt..\James Salt\Local Settings\Temp\smtmp\2
C:\Documents and Settings\James Salt..\James Salt\Local Settings\Temp\smtmp\4
Start OTS. Copy/Paste the information in the quotebox below into the panel where it says “Paste fix here” and then click the Run Fix button.
[Unregister Dlls]
[Registry - Safe List]
< Run [HKEY_USERS\S-1-5-21-36251927-1638785509-880291012-1004\] > -> HKEY_USERS\S-1-5-21-36251927-1638785509-880291012-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
YN -> "PRghsOiVNM" -> [C:\Documents and Settings\All Users\Application Data\PRghsOiVNM.exe]
[Files/Folders - Modified Within 30 Days]
NY -> ~15720228r -> C:\Documents and Settings\All Users\Application Data\~15720228r
NY -> ~15720228 -> C:\Documents and Settings\All Users\Application Data\~15720228
NY -> 15720228 -> C:\Documents and Settings\All Users\Application Data\15720228
[Files - No Company Name]
NY -> ~15720228r -> C:\Documents and Settings\All Users\Application Data\~15720228r
NY -> ~15720228 -> C:\Documents and Settings\All Users\Application Data\~15720228
NY -> 15720228 -> C:\Documents and Settings\All Users\Application Data\15720228
[EmptyFlash]
[CreateRestorePoint]
The fix should only take a very short time. When the fix is completed a message box will pop up telling you that it is finished. Click the Ok button and Notepad will open with a log of actions taken during the fix. Post that information back here.
I will review the information when it comes back in.
Depending on what the fix contains, this process may take some time and your desktop icons might disappear or other uncommon behavior may occur.
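As an added example (not from this thread and not OTS's own logic), here is a small Python parser for the OTS fix-line format quoted above (`YN -> "name" -> [path]` for Run-key entries, `NY -> name -> path` for files) that flags entries sitting in user-writable XP folders under random-looking names, which is the pattern the fix list above targets. The sample lines are constructed, and the heuristics are assumptions for illustration.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample lines in the OTS fix-list format quoted in the thread
# (not the poster's real log; the benign entries are for contrast only)
SAMPLE_LINES = """\
YN -> "PRghsOiVNM" -> [C:\\Documents and Settings\\All Users\\Application Data\\PRghsOiVNM.exe]
YN -> "ctfmon.exe" -> [C:\\WINDOWS\\system32\\ctfmon.exe]
NY -> ~15720228r -> C:\\Documents and Settings\\All Users\\Application Data\\~15720228r
NY -> stsystra.exe -> C:\\windows\\stsystra.exe
"""

# flags -> optional-quoted name -> optional-bracketed path
LINE_RE = re.compile(r'^(?P<flags>[YN]{2}) -> "?(?P<name>[^"]+?)"? -> \[?(?P<path>.+?)\]?$')

# XP folders any user (and so any rogue) can write to; assumption-based list
USER_WRITABLE = ("\\application data\\", "\\local settings\\temp\\",
                 "\\documents and settings\\all users\\")


def looks_random(name: str) -> bool:
    """Heuristic: rogue droppers use names like PRghsOiVNM or ~15720228r."""
    stem = name.rsplit(".", 1)[0]
    if re.fullmatch(r"~?\d{6,}r?", stem):  # numeric temp-style name
        return True
    inner = stem[1:]  # ignore a leading capital, as in a normal product name
    return (len(stem) >= 8 and any(c.isupper() for c in inner)
            and any(c.islower() for c in inner))


def parse_line(line: str) -> Optional[Tuple[str, str, str]]:
    """Split one OTS fix line into (flags, name, path), or None if not a fix line."""
    m = LINE_RE.match(line.strip())
    return (m.group("flags"), m.group("name"), m.group("path")) if m else None


def suspicious_entries(text: str) -> List[Tuple[str, str, str]]:
    """Return entries whose path is user-writable and whose name looks random."""
    found = []
    for raw in text.splitlines():
        parsed = parse_line(raw)
        if not parsed:
            continue
        flags, name, path = parsed
        in_writable = any(d in path.lower() for d in USER_WRITABLE)
        if in_writable and looks_random(name):
            found.append((flags, name, path))
    return found


if __name__ == "__main__":
    for entry in suspicious_entries(SAMPLE_LINES):
        print("SUSPICIOUS:", *entry)
```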
Essex Boy, I’m having a difficult time removing malware from a computer in our office. I’ve tried working with the Avast support ticket system but we still have not been able to solve the problem. Would you be willing to advise me?