Major Virus cannot access internet - getting fake warnings


  • This topic is locked

#1
alicekmom

  • Member
  • 73 posts
I have a Dell desktop running Windows XP. I thought I had another good redirect problem, but when I just cut it back on to start the fix, I can't get anywhere. I get a security warning window that says "Application cannot be executed. The file wuauclt.exe is infected. Do you want to activate your antivirus software now?" Also there is a box in the bottom right of the screen that says antivirus software alert. Infiltration alert. Your computer is being attacked by an internet virus. It could be a password-stealing attack, a trojan-dropper or similar. Details
Attack from: 90.137.197.172, port 55878
Attacked port: 34154
Threat BankerFox.A
Do you want to block this attack?
Randomly, Internet Explorer will open and the web address reads adult.com or [bleep].com, but it always says Internet Explorer cannot display the webpage.

You guys have helped me a ton before. Please help!! Thanks so much!
Alice

Edited by piano9playa5, 30 June 2010 - 07:06 AM.

#2
Onaipian

    Notepad warrior

  • Retired Staff
  • 2,130 posts
Hello! :) Welcome to GeekstoGo! I'm piano9playa5 and will be assisting you with your malware problems. If you have any questions, ask away! Just a few tips to make things go smoothly:
  • Please be patient. We are all volunteers here with lives that can keep us busy elsewhere.
  • Don't run tools you see being used in another topic. Running tools unsupervised can be dangerous.
  • Copy\Paste logs in your replies, rather than attaching them, unless I instruct you to do otherwise.
    This makes things easier for me.
  • Ensure "WordWrap" is disabled in Notepad.
    • Click Start > All Programs > Accessories > Notepad.
    • Click Format > Word Wrap (if checked, if not, leave it)
  • To everyone else: The instructions following were created specifically for this machine, please do not perform these steps unless instructed by a Trusted Helper.

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++


Step № One
Please download exeHelper to your desktop.
Double-click on exeHelper.com to run the fix.
A black window should pop up, press any key to close once the fix is completed.
Post the contents of exehelperlog.txt (Will be created in the directory where you ran exeHelper.com, and should open at the end of the scan)


Step № Two
Download OTL to your desktop.
  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • Under the Custom Scans/Fixes box at the bottom, paste in the following:

    netsvcs
    drivers32 /all
    %SYSTEMDRIVE%\*.*
    %systemroot%\system32\Spool\prtprocs\w32x86\*.dll
    %systemroot%\*. /mp /s
    CREATERESTOREPOINT
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    %systemroot%\System32\config\*.sav
    %systemroot%\system32\user32.dll /md5
    %systemroot%\system32\ws2_32.dll /md5
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU

  • Then click the Quick Scan button at the top. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post it with your next reply. You may need two posts to fit them all in.


Logs & Info
Remember to post back the following logs:
  • exehelperlog.txt
  • OTL.txt
  • Extras.txt

#3
alicekmom

  • Topic Starter
  • Member
  • 73 posts
I am posting on another computer. I cannot access the internet on the computer with the problem and therefore cannot download any of the above. What to do?

#4
Onaipian

    Notepad warrior

  • Retired Staff
  • 2,130 posts
Do you have a USB Stick you could use to transfer files over?
Can this computer (not infected) burn CDs?
Are these two computers on a network that you can share files on?

It'll be tricky, but we'll find a way.

edit: Had an afterthought. When you say that you can't access the Internet, do you mean that you can't get Internet Explorer to open, or that you actually can't use the Internet itself? If the first is the case, can you try to use IE when the virus randomly opens it? If the latter is the case, what happens when you try?

Edited by piano9playa5, 24 June 2010 - 09:05 PM.
After thought

#5
alicekmom

  • Topic Starter
  • Member
  • 73 posts
Yes, I could put files on a flash drive. Yes, it burns CDs. No, it's not on a network.
Internet Explorer opens when I tell it to and it opens when I click on one of these boxes, but it always says Internet Explorer cannot access the site. I guess the computer is accessing it somehow since these messages are coming in, but I can't get to any website or email. Also, it keeps opening tab after tab of IE but I can't get anything in any of them.

#6
Onaipian

    Notepad warrior

  • Retired Staff
  • 2,130 posts
Okay. Use the USB Stick to transfer files over.

#7
alicekmom

  • Topic Starter
  • Member
  • 73 posts
It's got a TON of stuff on it. So you think during this process I will lose everything on the computer?

#8
Onaipian

    Notepad warrior

  • Retired Staff
  • 2,130 posts
I highly doubt it. :)

Once you've run the tools, you'll have to use the USB stick again to transfer the logs back over for me to look at.

#9
alicekmom

  • Topic Starter
  • Member
  • 73 posts
Ok, I have everything I need moved to an exterior hard drive.

#10
Onaipian

    Notepad warrior

  • Retired Staff
  • 2,130 posts
Hi there,
Plug the exterior hard drive into the infected computer, access the files, and run them as per my instructions in my first reply. When you've run them all, you should end up with 3 .txt files. Copy these onto the exterior hard drive and then plug the HD into the non-infected computer. Open the .txt files one by one, and copy\paste them in a reply for me to read here.

:) Any questions?

#11
alicekmom

  • Topic Starter
  • Member
  • 73 posts
OK, I copied the exehelper to the flash drive. I tried to run it on the desktop and immediately after it starts to run I get the popup Security warning that says "application cannot be executed. The file exehelper.com is infected. Do you want to activate your antivirus software now?" If I push no it goes away only briefly and if I push yes it tries to get to IE but cannot display the page. The names of the websites in the bar are adult.com, [bleep].com and viagra.com. Anything I try to run other than just accessing my files comes up with this same "security warning" so I can't run ANYTHING! Would going back to a restore point do any good?

#12
Onaipian

    Notepad warrior

  • Retired Staff
  • 2,130 posts
Probably not, considering the virus has probably disabled System Restore to prevent you from doing so... We're definitely not out of options yet :) Usually, these viruses target .exe files, however it seems that exeHelper(.com) was blocked as well. We're going to have to be sneaky to get this one to work. :)

Download OTL to the uninfected computer.
  • Rename it to svchost before transferring it onto the external HD.
  • Copy the file onto the HD, then plug the HD into the infected computer. Locate the file.
  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • Then click the Quick Scan button at the top. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL (svchost in this case).
  • They should already be on the HD, but if they're not, copy them onto it and plug it into the non-infected computer again.
  • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post it with your next reply. You may need two posts to fit them all in.

#13
alicekmom

  • Topic Starter
  • Member
  • 73 posts
Did as you stated. When I double clicked the icon, the security warning appeared immediately, not allowing me to open/run the renamed otl.

#14
Onaipian

    Notepad warrior

  • Retired Staff
  • 2,130 posts
Hmm... that usually does the trick. Let's try this:

On the non-infected computer:
  • Go to Start > All Programs > Accessories > Notepad
  • Please Copy\Paste the following to notepad:
    (Starting with Windows Registry Editor Version 5.00)

    Windows Registry Editor Version 5.00
    
    [HKEY_LOCAL_MACHINE\Software\Classes\.exe]
    @="exefile"
    "Content Type"="application/x-msdownload"
    
    [HKEY_LOCAL_MACHINE\Software\Classes\exefile\shell\open\command]
    @="\"%1\" %*"
    
    [HKEY_LOCAL_MACHINE\Software\Classes\exefile\shell\runas\command]
    @="\"%1\" %*"
  • Go to File > Save As:
    • On the Save In: save it to your HD
    • In File Name: type in RegFix.reg
    • In Save as Type: use the drop-down menu to change it to All Files
    • Click Save
  • Close Notepad
Now, move the HD over to the infected computer. From the infected computer:
  • Right-Click on RegFix, and select Merge
  • A confirmation prompt will appear. Click Ok.

  • 0
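
The RegFix.reg in the post above resets three default values under HKEY_LOCAL_MACHINE\Software\Classes. As an added example (not part of the thread or of any tool named in it), this Python code parses .reg text and reports which of those three values differ from the fix; the function names, the two sample inputs and the placeholder program path are assumptions made for the example.

```python
import re

# Expected REG_SZ defaults, copied from the RegFix.reg in the post above.
CLASSES = r"HKEY_LOCAL_MACHINE\Software\Classes"
EXPECTED = {
    CLASSES + r"\.exe": "exefile",
    CLASSES + r"\exefile\shell\open\command": '"%1" %*',
    CLASSES + r"\exefile\shell\runas\command": '"%1" %*',
}

# name="data" lines; name is @ (the default value) or a quoted string.
VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")\s*=\s*"((?:[^"\\]|\\.)*)"$')

def unescape(s):
    # .reg string data escapes '"' and '\' with a backslash.
    return re.sub(r'\\(["\\])', r"\1", s)

def parse_defaults(text):
    """Map lower-cased key path -> default (@) string value."""
    defaults, key = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()
        elif key and (m := VALUE_RE.match(line)) and m.group(1) == "@":
            defaults[key] = unescape(m.group(2))
    return defaults

def check_exe_association(text):
    """Return (key, found, expected) for each handler that differs."""
    found = parse_defaults(text)
    return [(k, found.get(k.lower()), want)
            for k, want in EXPECTED.items() if found.get(k.lower()) != want]

# Constructed samples: CLEAN is the thread's RegFix.reg; HIJACKED swaps the
# open handler for a placeholder program (the path is made up).
CLEAN = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Classes\.exe]
@="exefile"
"Content Type"="application/x-msdownload"

[HKEY_LOCAL_MACHINE\Software\Classes\exefile\shell\open\command]
@="\"%1\" %*"

[HKEY_LOCAL_MACHINE\Software\Classes\exefile\shell\runas\command]
@="\"%1\" %*"
'''
HIJACKED = CLEAN.replace(r'@="\"%1\" %*"', r'@="\"C:\\example\\rogue.exe\" \"%1\" %*"', 1)
```

Files exported by regedit in the "Version 5.00" format are UTF-16 encoded, so decode them (for example `open(path, encoding="utf-16")`) before passing the text to `check_exe_association`.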

#15
alicekmom

  • Topic Starter
  • Member
  • 73 posts
Same thing happened. I right clicked and when I clicked merge I got the same security warning this time saying that regedit.exe is infected. It won't let me do anything else.