[DARussellUK]

Hi there,

OK a few days ago we got a warning up claiming to be XP internet security 2010, at the time we were suspicious but didn't think to much of it other than to run an extra scan with McAfee. This didn't detect anything so we put the netbook on lockdown and bought Kaspersky Internet Security 2010 assuming it was a problem with McAfee.

Tonight we disabled the wifi and uninstalled McAfee so we could put Kaspersky on the netbook. Anyway once Kaspersky had been installed we ran a scan and it found a trojan - sorry not able to say which one been up a long time now and didnt think to write it down - anyway next thing we are getting lots of windows up with "bad image" messages and the computer automatically shuts itself down.

Re-started the netbook but we are now unable to access any .exe files.

Went into the application folder and found the following file DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF, came up in google as a trojan?

This was when we started looking online for help... probably should have done this in the first place. Anyway we found this site and were hoping someone might have an idea of whats going on??? Not completely computer illiterate but not far off so help appreciated.

Will we have to re-install Windows XP???

Thanks v much for any help.

[DARussellUK]

PS Should probably add that I tried to follow the Malware-Spyware Cleaning Guide but I cannot run any of the programs... The .exe problem I mentioned earlier. Comes up with "Open With" and my options are Adobe Reader, IE, Paint, Scalc, Swriter, VLC, Media Player,Windows Pic n Fax Viewer, Wordpad. Not sure what to do.

Can't get into Add/remove software to do anything in there either.

Service Pack 3 for XP was also recently installed before the melt down... This wouldn't effect anything would it???

Thanks

D

[ldtate]

DO NOT use any TOOLS such as Combofix, SmitfraudFix, Vundofix, or HijackThis fixes without supervision.

Doing so could make your pc inoperatible and could require a full reinstall of your OS, losing all your programs and data.

Stay with this topic until I give you the final 'All clean' post.


Vista users:
1. These tools MUST be run from the executable. (.exe)
2. With Admin Rights (Right click, choose "Run as Administrator") every time you run them


1) exeHelper
Please download exeHelper to your desktop.
Double-click on exeHelper.com to run the fix.
A black window should pop up, press any key to close once the fix is completed.
Post the contents of log.txt (Will be created in the directory where you ran exeHelper.com)
Note: If the window shows a message that says "Error deleting file", please re-run the program before posting a log - and post the two logs together (they will both be in the one file).


Let me know if that fixed the .exe issue.

[DARussellUK]

Hi there,

Ran the program you suggested. Log file is below. Hasn't made any difference, still cannot use any .exe files =(

Any other ideas?

Thanks.

exeHelper by Raktor
Build 20091220
Run at 22:51:51 on 03/10/10
Now searching...
Checking for numerical processes...
Checking for sysguard processes...
Checking for bad processes...
Checking for bad files...
Checking for bad registry entries...
Resetting filetype association for .exe
Resetting filetype association for .com
Resetting userinit and shell values...
Resetting policies...
--Finished--

[ldtate]

Open Taskmanager (Ctrl/Alt/Del) and end the process for the file AV.EXE if listed

Are you running XP 32bit or 64bit?

[DARussellUK]

No AV.exe but there is an AVP.exe, is that what you are looking for?

Think it's 32-bit but can't get into My Computer/Properties to confirm. Running XP Home 5.1 SP3.

[ldtate]

avp.exe is a process belonging to Kaspersky Internet Security Suite

Lets try this.

Download Combofix from any of the links below but rename it to ABCD.com before saving it to your desktop.

* IMPORTANT !!! Save ABCD.com to your Desktop

Link 1
Link 2<--Right Click and use Save As if using this link.



Double click on the ABCD.com ComboFix.exe & follow the prompts.

• When finished, it will produce a report for you.
  
• Please post the C:\ComboFix.txt so we can continue cleaning the system.

[DARussellUK]

OK first link I tried it in came up with the following error msg:

Windows cannot access the specified device, path, or file. You may not have he appropriate permission to access the item.

Just tried the second link and had the same problem... There is only one user for the nebook so assumed this would have admin rights should I boot up in safe mode and try it from there?

[ldtate]

Right Click on the link and select Save Target As.
Save it to your desktop as ABCD.COM

[DARussellUK]

Tried it again and got the following msg:

C:\Documents and Settings\User\Desktop\ABCD.COM

This application has failed to start because the application configuration is incorrect. Reinstalling the application may fix the problem.

Anyway reinstalled it. Can see a little progress bar for ComboFix which seems to be complee but nothing has happened other than the "Open With" window appearing?

Sorry if I am being thick!

PS The open with file is for hidec.exe?

[ldtate]

Try this

Go to -> Run -> copy/paste in the following single line command & click OK

"%userprofile%\desktop\ABCD.COM" /killall

• Click OK and this will start ComboFix in a special way.
  
• When finished, it will produce a log. Please save that log to a Notepad File to post in your next reply along with a fresh HJT log.

Note:
Do not mouse-click combofix's window while it is running. That may cause it to stall.

* After you have saved the logs, restart your system to re-enable all the programs that were disabled during the running of ComboFix.

* Reconnect to the internet

* Post the following logs/Reports:

• ComboFix.txt

[DARussellUK]

Got a window up telling me that Kaspersky is active and that Antivirus programs interfere with ComboFix. It wants me disable Kaspersky but I cannot access the sofware so am unable to do so. Do I hit OK and run ComboFix anyway?

[ldtate]

Run it anyway

[DARussellUK]

Ignore what I just typed, Kaspersky has just kicked in and I can access it. Will try to disable it.

[ldtate]

Disable your AntiVirus and AntiSpyware applications[/b], usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Note: If you are having difficulty properly disabling your protective programs, or are unsure as to what programs need to be disabled, please refer to the information available through this link : Protective Programs