  • #2218412

    cannot connect to microsoft or symantec

    by Anonymous ·

    Background;
    For the past week or so I’ve been plagued by this virus that places three links on the desktop to some sort of adult site. From then on I cannot connect to MS sites or AV sites. Instead I’m redirected to someplace with an address a mile long that begins “clicker_cn” (replace the ‘_’ with a ‘.’). Frustrated, I performed a clean install of WinXP. The instant I install the NIC driver and connect, I’m infected again. I tried to start up in safe mode and clean up with various AV and anti-spyware programs. Of course, since I could not access AV sites I had to rely on out-of-date copies I had on my external HD, which contains my software and driver download stores that I’ve acquired over the years, all 250Gb of it. After taking a break and clearing my head it dawned on me that the ExtHD might be the problem, duh! Sure enough, after removing it from the equation I now have a working clean install.

    Dilemma;
    All my software, documents, software keys, data backups, etc. are on the ExtHD!

    Question or Confirmation of next step:
    How do I clean the ExtHD without contracting the virus again? My plan is to disconnect from the internet, connect the ExtHD and clean from Safe Mode with SpyBot S&D and Avast. I also thought of making the “hosts” file read-only first. Will this work or just infect me again? I invite any and all suggestions, precautions, procedures, etc. Anything that will prevent reinfestation!

    With regards and respect,
    Rodman

    • #2939943

      Clarifications

      by Anonymous ·

      In reply to cannot connect to microsoft or symantec

      Clarifications

    • #2939941

      OK as you have already performed a Clean Install you

      by oh smeg ·

      In reply to cannot connect to microsoft or symantec

      Need to wipe the HDD with a utility like KillDisk. This will take several hours depending on the size of the HDD and its speed.

      http://www.killdisk.com/downloadfree.htm

      If you have an IDE drive use Boot & Nuke from here as it does a better job of wiping the HDD, but if you have a SATA drive use KillDisk.

      Darik’s Boot and Nuke – DBAN

      Then after you have wiped the HDD you need to perform a new install to the blank HDD. After this is finished and the drivers are installed you should install the AV product and update it, then you can proceed to the Windows Update servers and update the OS. Then install Malwarebytes and update as required.

      http://download.cnet.com/Malwarebytes-Anti-Malware/3000-8022_4-10804572.html?tag=mncol&cdlPid=10878968

      Spy Bot S&D

      http://www.safer-networking.org/en/download/index.html

      After this is finished you can first connect the External Drive, scan it with all AV & Malware products installed and then import the Documents & Settings from your Backup, but make sure that you have a working & updated AV product in place before starting the import of the Documents & Settings. 😉

      Col

      • #2939898

        !! “Need to Wipe the HD” !!!

        by Anonymous ·

        In reply to OK as you have already performed a Clean Install you

        Herein lies the dilemma!

        Wiping the drive means fixing the problem but losing about 10 years of work. Not to mention extremely valuable and irreplaceable scripts, templates, graphics, software and their keys. I’d rather connect the External HD, re-infect the root drive and do without updates from Microsoft before I even contemplate wiping the drive. I’ve already updated AV and Anti-Spyware on the root drive.
        Thanks for the suggestion, but No Thanks

        • #2995775

          Well I’m at a loss as you have previously said

          by oh smeg ·

          In reply to !! “Need to Wipe the HD” !!!

          [i]All my software, documents, software keys, data backups, etc. are on the ExtHD![/i]

          So there is nothing important that you can not afford to lose on the Boot Drive, so how will you wipe out 10 years of work?

          Here you need to wipe the Boot Drive and reload. I very much doubt that you have a clean Boot drive as you think you have

          [i] Frustrated, I preformed a clean install of WinXP[/i]

          If you did a clean install of XP you formatted the drive which isn’t good enough to kill some infections. Just because it doesn’t show doesn’t mean that it’s clean, just that you have yet to trigger the reinfection routine which appears to happen when you install the NIC Drivers if your description is correct. [i]The instant I install the NIC driver and connect, I’m infected again[/i]

          So you need to start with a [b]Known Clean[/b] system. Of course if you have not done a Clean Install and just a Repair Install that is a different story as you have not really attempted to kill the Infection.

          If you have another computer you could fully update that install the necessary AV and Malware Removal Tools and scan the Boot Drive which you would need to remove from this computer and the external drive to Kill Any infections that you may have.

          If you do not have another computer you could just buy a new HDD that suits your computer, remove the current Boot Drive and load the new drive with the OS and tools so that you can do the same thing as you would with a different computer.

          Either way you need [b]Up To Date[/b] AV, Spyware and Malware products installed to kill the infection if it is possible or at the very least identify the Infection so you can then take steps to kill it.

          Failing that, if you have not actually done a New Clean Install follow Jacky’s instructions below. They are exactly what I would have suggested if you had not said that you were reinfecting a New Clean Install of XP. 😉

          Col

        • #2995730

          Sorry, I misunderstood

          by Anonymous ·

          In reply to Well I’m at a loss as you have previously said

          I developed a root drive ‘wipe’ as standard procedure for a “clean install” in these cases long ago. So, I thought you were speaking of the External. In any case I proceeded, and it appears the problem has been resolved. However, I do greatly appreciate you taking the time and effort to respond to the post. Have a great day

          Gratefully,
          Rodman

    • #2939927

      Install MalwareBytes and Spybot as suggested

      by rob miners ·

      In reply to cannot connect to microsoft or symantec

      update them and your Antivirus before connecting the external drive. Try this and then MBAM, Spybot.

      Better disable the autorun first.

      Copy and paste this into Notepad and save it as NoAutINF.reg

      ---->copy below<----
      Windows Registry Editor Version 5.00

      [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf]
      @="@SYS:DoesNotExist"
      ---->copy above<----

      Navigate to the location that you saved it to, double click on it and select Merge. Restart the System for it to take effect. Open a Command Prompt by pressing the WinKey + r and then typing cmd in the run box. At the command prompt type the (drive letter): and press Enter.

      drive letter is the drive letter that you are connecting to.

      type dir /ah and press Enter.

      This will display a list of the Hidden files on the Drive. Check whether the following file is there Autorun.inf and also look for suspicious .exe files.

      If the file is there

      type notepad autorun.inf and press Enter.

      Save the file to another location with an extension .txt as this will contain the executable file that is being invoked.

      Type attrib -h -r -s (drive letter):\autorun.inf and press Enter.

      Type del (drive letter):\autorun.inf

      To remove the files from the Registry and the Locations that they are invoked from follow these instructions.

      Tip! The executable file will be named in the file that you previously saved with Notepad.

      Press the WinKey + r and type in msconfig and press Enter. Click on the startup Tab.

      Check the list to find the file that you are looking for, expand the Location column to see where it is loading from in the registry.

      Press the WinKey + r and type in regedt32 and click OK. Browse to the key listed in the Location column for Msconfig.

      Delete the key on the right hand side only, that specifically matches that startup file.

      Note the Command folder in msconfig. Browse to the folder, and delete the .exe file.

      :::::eXample:::::

      The Startup TAB of Msconfig will show you the directory where pop.exe loads from:

      Command c:\Windows\system32\pop.exe

      and

      Location will guide you to its location in the Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

      With the registry editor open find the Run key in the left window. On the right hand pane you’ll see each file that is in the Run key, pop.exe will be there. Right click and Delete the entry for pop.exe.

      Browse to the c:\Windows\system32 folder, and select the pop.exe file, hold down the Shift Key and press the Del Key.

      Repeat these steps for each item that you want to remove.

      Let us know how you get on.

      Edit: to add disable the autorun

      • #2939895

        OK, Let me see if I understand

        by Anonymous ·

        In reply to Install MalwareBytes and Spybot as suggested

        Because the instant I connect the External Hard Drive and it spins up, I’m going to re-infect the root drive. Are the instructions you’re giving a fix to the re-infestation? I’ve already updated the AV and AntiSpy software on the clean root drive in addition to MS updates.
        Is the infection this “POP.EXE” and these instructions you’re giving the fix to that infection? If so, then I guess reinfection is unavoidable. Is this correct?

        • #2939861

          NO!

          by rob miners ·

          In reply to OK, Let me see if I understand

          What I’m suggesting is to try and avoid a reinfection. The registry fix will disable the autorun file from running and possibly reinfecting your System. This is assuming it is that type of Virus.

          Checking for the autorun.inf and checking the contents will tell you the name of the executable file that is on your external hard drive that is causing the infection. The contents of the file could include any one of these files.

          Ravmon.exe
          New Folder.exe
          svchost.exe
          Heap41a

          If it is the autorun Virus you would be able to delete the referenced file before it can do any damage.

          eXample:
          attrib -s -h -r /s /d will remove the file attributes to expose them as they are normally hidden.

          If you find ravmon.exe you would then

          type del ravmon.exe

          You would only have to run msconfig if the System was reinfected. pop.exe is only an eXample of what you are looking for. It could be one of the above files or something else altogether.

          When you have checked for, found and deleted the file it is time to scan the drive with your other Antiviral/Malware software.
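The two posts above describe inspecting a drive's autorun.inf to learn which executable it would launch before scanning or deleting anything. The following is an added example, not code from the thread or from any product it mentions: a tolerant parser for autorun.inf that reports every directive capable of running a program (open=, shellexecute=, shell\<verb>\command=), and a check of a drive root that says whether each referenced file is actually present. The sample autorun.inf and the placeholder file it creates are constructed for the demonstration; the file names echo the examples given in the post.

```python
"""Inspect an autorun.inf at a drive root and report what it would launch.

Added example for this thread; not code from the thread or any product named
in it. The sample autorun.inf below is constructed for demonstration only.
"""
import os
import re
import tempfile
from pathlib import Path

# Directives that launch a program when autorun fires or a drive is opened.
LAUNCH_KEYS = ("open", "shellexecute")
_SECTION_RE = re.compile(r"^\s*\[([^\]]+)\]\s*$")
_SHELL_CMD_RE = re.compile(r"^shell\\([^\\]+)\\command$", re.IGNORECASE)

# Constructed sample resembling the pattern discussed in the thread.
SAMPLE_AUTORUN_INF = """\
; constructed sample, not taken from a real infection
[autorun]
open=ravmon.exe
shellexecute="New Folder.exe" /s
shell\\open\\command=ravmon.exe
shell\\explore\\command=svchost.exe
icon=drive.ico
label=EXT. DRIVE
"""


def parse_autorun(text):
    """Return {lowercased key: value} for the [autorun] section.

    Deliberately tolerant: comment lines (';'), blank lines, other sections and
    lines without '=' are skipped, because a hostile autorun.inf need not be
    well-formed and configparser would raise on it.
    """
    entries = {}
    in_autorun = False
    for raw in text.splitlines():
        line = raw.lstrip("\ufeff").strip()
        if not line or line.startswith(";"):
            continue
        section = _SECTION_RE.match(line)
        if section:
            in_autorun = section.group(1).strip().lower() == "autorun"
            continue
        if not in_autorun or "=" not in line:
            continue
        key, _, value = line.partition("=")
        entries[key.strip().lower()] = value.strip()
    return entries


def launch_targets(entries):
    """Return (directive, command) pairs for every program-launching directive."""
    return [(k, v) for k, v in entries.items()
            if k in LAUNCH_KEYS or _SHELL_CMD_RE.match(k)]


def executable_name(command):
    """Extract the program file name from a command line (quoted or bare)."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        prog = command[1:end] if end > 0 else command[1:]
    else:
        parts = command.split()
        prog = parts[0] if parts else ""
    return os.path.basename(prog)


def inspect_drive_root(root):
    """Find autorun.inf at `root` (case-insensitive) and report its launch targets.

    Relative references in autorun.inf resolve against the drive root, so each
    referenced name is checked for existence there.
    """
    root = Path(root)
    inf = next((p for p in root.iterdir() if p.name.lower() == "autorun.inf"), None)
    if inf is None:
        return {"autorun_present": False, "targets": []}
    entries = parse_autorun(inf.read_text(errors="replace"))
    targets = []
    for directive, cmd in launch_targets(entries):
        name = executable_name(cmd)
        targets.append({"directive": directive, "command": cmd,
                        "file": name, "exists": (root / name).exists()})
    return {"autorun_present": True, "targets": targets}


def demo():
    """Build a throwaway 'drive root' with the constructed sample and inspect it."""
    with tempfile.TemporaryDirectory() as tmp:
        Path(tmp, "autorun.inf").write_text(SAMPLE_AUTORUN_INF)
        # Placeholder file standing in for the referenced executable; it is inert.
        Path(tmp, "ravmon.exe").write_bytes(b"constructed placeholder, not a program")
        return inspect_drive_root(tmp)


if __name__ == "__main__":
    for t in demo()["targets"]:
        print(f"{t['directive']:<22} -> {t['file']!r:<20} present={t['exists']}")
```

Point the inspector at the mounted external drive's root rather than the temporary directory to use it for real; it only reads, so the order the post recommends (inspect first, then remove attributes and delete, then scan) is preserved.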

        • #2995727

          Problem resolved!

          by Anonymous ·

          In reply to NO!

          Thanks for clarifying, I was confused. I proceeded with connecting the Ext. Drive and checked

          “whether the following file is there Autorun.inf and also look for suspicious .exe files.”

          and found no such files. I’ve since completed full scans and am back up and running. With respect and gratitude I thank you for your time and effort in helping me resolve my dilemma. Have a great day and may things always go your way!

          Rodman

        • #2995446

          Oops! I spoke too soon

          by Anonymous ·

          In reply to Problem resolved!

          My problem is back. I tried to execute your previous instructions but had problems.
          First, when I dblClick noautoinf.reg it just opens Notepad. Same thing if I rtClick and Merge.

          C:\>dir /ah
          Volume in drive C is OS DRIVE
          Volume Serial Number is D84D-3529

          Directory of C:\

          09/11/2009 10:43 PM 211 boot.ini
          09/11/2009 10:51 PM 0 IO.SYS
          09/11/2009 10:51 PM 0 MSDOS.SYS
          09/13/2009 10:10 AM <DIR> MSOCache
          08/04/2004 07:00 AM 47,564 NTDETECT.COM
          09/12/2009 09:40 AM 250,048 ntldr
          09/15/2009 07:42 PM 805,306,368 pagefile.sys
          09/12/2009 05:04 AM <DIR> RECYCLER
          09/11/2009 10:57 PM <DIR> System Volume Information
          6 File(s) 805,604,191 bytes
          3 Dir(s) 33,107,988,480 bytes free
          —————————————————-
          D:\>dir /ah
          Volume in drive D is DATA DRIVE
          Volume Serial Number is D490-FE7C

          Directory of D:\

          09/12/2009 05:05 AM <DIR> RECYCLER
          09/12/2009 06:10 AM <DIR> System Volume Information
          0 File(s) 0 bytes
          2 Dir(s) 38,028,722,176 bytes free
          —————————————————-
          E:\>dir /ah
          Volume in drive E is EXT. DRIVE
          Volume Serial Number is A033-AD76

          Directory of E:\

          09/13/2009 09:55 AM <DIR> RECYCLER
          08/31/2009 08:44 PM <DIR> System Volume Information
          0 File(s) 0 bytes
          2 Dir(s) 40,064,401,408 bytes free
          —————————————————-

          Don’t see anything suspect. Do You?
          avast! has sent “i4j.exe” to the virus chest

          Rodman

        • #2995443

          Check in the registry for HKCR\regfile

          by seanferd ·

          In reply to Opps! I spoke too soon

          Expand the tree under regfile to \shell\open\command and see that the default value is type REG_SZ with data regedit.exe "%1"

          An infection may have tried to disable registry merging for you.

        • #2995427

          HKEY_CLASSES_ROOT\regfile\shell\open\command

          by Anonymous ·

          In reply to Check in the registry for HKCR\regfile

          Has a data value of:NOTEPAD.EXE %1.

          Is this correct?

        • #2996461

          No. Incorrect.

          by seanferd ·

          In reply to Check in the registry for HKCR\regfile

          As stated previously, it should be
          regedit.exe "%1"

          This is why you cannot merge .reg files to the registry. Edit the entry accordingly, and you can then merge the .reg file. 🙂
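The exchange above turns on two things: the .reg file format that rob miners' fix is written in, and the HKCR\regfile\shell\open\command value that seanferd says must read regedit.exe "%1" for Merge to work. The following is an added example, not code from the thread: a parser for version 5.00 .reg exports (keys, default and named values, string unescaping, dword values) and a check that the regfile handler in such an export is the Windows default rather than a substituted program. The NoAutINF.reg text is the one quoted in the thread; the two handler exports are constructed, one showing the expected value and one showing the NOTEPAD.EXE %1 substitution reported in the thread. The NoDriveTypeAutoRun policy value in the sample is the standard Explorer policy for disabling autorun and is included only to exercise dword parsing; it is not from the thread.

```python
"""Parse .reg exports and check the .reg 'Merge' handler.

Added example for this thread; not code from the thread. Sample exports are
constructed; NOAUTINF_REG reproduces the text quoted in the thread.
"""
import re

_HEADER = "Windows Registry Editor Version 5.00"
_KEY_RE = re.compile(r"^\[(-?)([^\]]+)\]$")
# value name is either @ (default) or a quoted string with \" and \\ escapes
_VALUE_RE = re.compile(r'^(@|"((?:[^"\\]|\\.)*)")=(.*)$')

REGFILE_KEY = r"HKEY_CLASSES_ROOT\regfile\shell\open\command"
EXPECTED_REGFILE_COMMAND = 'regedit.exe "%1"'

NOAUTINF_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf]
@="@SYS:DoesNotExist"
'''

# Constructed export of a healthy handler plus a dword policy value.
GOOD_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\regfile\shell\open\command]
@="regedit.exe \"%1\""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=dword:000000ff
'''

# Constructed export matching the substituted handler reported in the thread.
HIJACKED_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\regfile\shell\open\command]
@="NOTEPAD.EXE %1"
'''


def _unescape(s):
    """Undo .reg string escaping: \\ -> \ and \" -> "."""
    return re.sub(r"\\(.)", r"\1", s)


def _decode(data):
    """Decode the right-hand side of a value line into a Python value."""
    if data.startswith('"') and data.endswith('"') and len(data) >= 2:
        return _unescape(data[1:-1])
    if data.lower().startswith("dword:"):
        return int(data[6:], 16)
    if data == "-":
        return None            # value deletion marker
    return data                # hex:, hex(2): etc. kept as raw text


def parse_reg(text):
    """Parse a .reg export into {key_path: {value_name: data}}.

    '@' is the default value. A key written as [-HKEY...] (key deletion) maps
    to None. Hex values continued over several lines with a trailing backslash
    are joined before decoding.
    """
    lines = text.lstrip("\ufeff").splitlines()
    if not lines or lines[0].strip() != _HEADER:
        raise ValueError("not a version 5.00 .reg file")
    keys, current, pending = {}, None, ""
    for raw in lines[1:]:
        line = pending + raw.strip()
        pending = ""
        if not line or line.startswith(";"):
            continue
        if line.endswith("\\") and not line.startswith("["):
            pending = line[:-1]
            continue
        key = _KEY_RE.match(line)
        if key:
            delete, path = key.groups()
            if delete:
                keys[path], current = None, None
            else:
                current = keys.setdefault(path, {})
            continue
        value = _VALUE_RE.match(line)
        if value and current is not None:
            name = "@" if value.group(1) == "@" else _unescape(value.group(2))
            current[name] = _decode(value.group(3))
    return keys


def check_regfile_handler(keys):
    """Return (ok, message) for the regfile Merge handler found in `keys`."""
    values = keys.get(REGFILE_KEY)
    if not values or "@" not in values:
        return False, "regfile handler key not present in export"
    actual = values["@"]
    if actual.strip().lower() == EXPECTED_REGFILE_COMMAND.lower():
        return True, "regfile handler is the Windows default"
    return False, f"regfile handler is {actual!r}; expected {EXPECTED_REGFILE_COMMAND!r}"


if __name__ == "__main__":
    for label, export in (("good", GOOD_EXPORT), ("hijacked", HIJACKED_EXPORT)):
        print(label, check_regfile_handler(parse_reg(export)))
```

To use the check on a real machine, export the regfile key with regedit (File, Export) and feed the saved .reg text to parse_reg; the check reads the export only and changes nothing, so fixing a bad handler is still the manual edit seanferd describes.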

      • #2995436

        A couple of checks

        by rob miners ·

        In reply to Install MalwareBytes and Spybot as suggested

        Have you enabled hidden files and file extensions? Your .reg file may have a .txt extension.

        In Explorer go to the Menu and select Tools, Folders Options, View. Uncheck “Show hidden files and folders”.
        Hide extensions for known types and Hide protected operating system files. Click OK. Now check the extension on your .reg file.

        I don’t think that it’s related to the autorun virus looking at your post.

        Press the WinKey + r type regedt32 and press Enter. Can you access the registry?

        Download HijackThis and run it and then go to the site below to analyze it.

        http://aumha.org/downloads/hijackthis.exe

        HijackThis log file analysis

        Hijack This opens you a possibility to find and fix nasty entries on your computer easier. Therefore it will scan special parts in the registry and on your harddisk and compare them with the default settings. If there is some abnormality detected on your computer HijackThis will save them into a logfile. In order to find out what entries are nasty and what are installed by the user, you need some background information.

        A logfile is not so easy to analyze. Even for an advanced computer user. With the help of this automatic analyzer you are able to get some additional support. Just paste your complete logfile into the textbox at the bottom of this page. Due to a few misunderstandings, I just want to make it clear that this site provides only an online analysis, and not HijackThis the program.

        http://hijackthis.de/

        Let us know the results of the scan and what it detects. You could also post the HJT log file for us to have a look at.

        Did you download, install, update MalwareBytes, and then run it?

        • #2996462

          Hijackthis log

          by Anonymous ·

          In reply to A couple of checks

          Files and extensions are hidden.

          NoAutINF has an extension of .reg.

          Yes, I can open regedit32. But, NoAutINF.reg still will not merge.

          Yes, I have current versions of avast!, MalwareBytes, and SpyBot S&D

          Logfile of Trend Micro HijackThis v2.0.2
          Scan saved at 11:52:10 PM, on 9/14/2009
          Platform: Windows XP SP3 (WinNT 5.01.2600)
          MSIE: Internet Explorer v7.00 (7.00.6000.16876)
          Boot mode: Normal

          Running processes:
          C:\WINDOWS\System32\smss.exe
          C:\WINDOWS\system32\winlogon.exe
          C:\WINDOWS\system32\services.exe
          C:\WINDOWS\system32\lsass.exe
          C:\WINDOWS\system32\svchost.exe
          C:\WINDOWS\System32\svchost.exe
          C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
          C:\Program Files\Alwil Software\Avast4\ashServ.exe
          C:\WINDOWS\system32\spoolsv.exe
          C:\Program Files\AskBarDis\bar\bin\AskService.exe
          C:\Program Files\AskBarDis\bar\bin\ASKUpgrade.exe
          C:\Program Files\iolo\common\lib\ioloServiceManager.exe
          C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
          C:\WINDOWS\SOUNDMAN.EXE
          C:\WINDOWS\system32\igfxtray.exe
          C:\WINDOWS\system32\hkcmd.exe
          C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
          C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
          C:\Program Files\Spybot – Search & Destroy\TeaTimer.exe
          C:\WINDOWS\system32\ctfmon.exe
          C:\WINDOWS\explorer.exe
          C:\WINDOWS\system32\notepad.exe
          C:\Program Files\Spybot – Search & Destroy\SpybotSD.exe
          C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

          R1 – HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
          R1 – HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
          R1 – HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
          R0 – HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
          R0 – HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
          R1 – HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.hotmail.msn.com/cgi-bin/sbox?action=inbox
          O2 – BHO: AcroIEHelperStub – {18DF081C-E8AD-4283-A596-FA578C2EBDC3} – C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
          O2 – BHO: AskBar BHO – {201f27d4-3704-41d6-89c1-aa35e39143ed} – C:\Program Files\AskBarDis\bar\bin\askBar.dll
          O2 – BHO: Spybot-S&D IE Protection – {53707962-6F74-2D53-2644-206D7942484F} – C:\PROGRA~1\SPYBOT~1\SDHelper.dll
          O3 – Toolbar: Ask Toolbar – {3041d03e-fd4b-44e0-b742-2d9b88305f98} – C:\Program Files\AskBarDis\bar\bin\askBar.dll
          O4 – HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
          O4 – HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
          O4 – HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
          O4 – HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
          O4 – HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] “C:\Program Files\Malwarebytes’ Anti-Malware\mbam.exe” /runcleanupscript
          O4 – HKLM\..\Run: [QuickTime Task] “C:\Program Files\QuickTime\QTTask.exe” -atboottime
          O4 – HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
          O4 – HKCU\..\Run: [AlcoholAutomount] “C:\Program Files\Alcohol Soft\Alcohol 120\axcmd.exe” /automount
          O4 – HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot – Search & Destroy\TeaTimer.exe
          O4 – HKUS\S-1-5-21-343818398-651377827-682003330-500\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot – Search & Destroy\TeaTimer.exe (User ‘Administrator’)
          O4 – HKUS\S-1-5-21-343818398-651377827-682003330-500\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User ‘Administrator’)
          O8 – Extra context menu item: E&xport to Microsoft Excel – res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
          O9 – Extra button: Research – {92780B25-18CC-41C8-B9BE-3C9C571A8263} – C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
          O9 – Extra button: (no name) – {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} – C:\PROGRA~1\SPYBOT~1\SDHelper.dll
          O9 – Extra ‘Tools’ menuitem: Spybot – Search & Destroy Configuration – {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} – C:\PROGRA~1\SPYBOT~1\SDHelper.dll
          O9 – Extra button: (no name) – {e2e2dd38-d088-4134-82b7-f2ba38496583} – C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
          O9 – Extra ‘Tools’ menuitem: @xpsp3res.dll,-20001 – {e2e2dd38-d088-4134-82b7-f2ba38496583} – C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
          O9 – Extra button: Messenger – {FB5F1910-F110-11d2-BB9E-00C04F795683} – C:\Program Files\Messenger\msmsgs.exe
          O9 – Extra ‘Tools’ menuitem: Windows Messenger – {FB5F1910-F110-11d2-BB9E-00C04F795683} – C:\Program Files\Messenger\msmsgs.exe
          O16 – DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) – http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1252762969718
          O23 – Service: ASKService – Unknown owner – C:\Program Files\AskBarDis\bar\bin\AskService.exe
          O23 – Service: ASKUpgrade – Unknown owner – C:\Program Files\AskBarDis\bar\bin\ASKUpgrade.exe
          O23 – Service: avast! iAVS4 Control Service (aswUpdSv) – ALWIL Software – C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
          O23 – Service: avast! Antivirus – ALWIL Software – C:\Program Files\Alwil Software\Avast4\ashServ.exe
          O23 – Service: avast! Mail Scanner – ALWIL Software – C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
          O23 – Service: avast! Web Scanner – ALWIL Software – C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
          O23 – Service: iolo FileInfoList Service (ioloFileInfoList) – Unknown owner – C:\Program Files\iolo\common\lib\ioloServiceManager.exe
          O23 – Service: iolo System Service (ioloSystemService) – Unknown owner – C:\Program Files\iolo\common\lib\ioloServiceManager.exe

          I really appreciate this help!
          Rodman

        • #2996459

          I don’t see anything wrong in there.

          by seanferd ·

          In reply to Hijackthis log

          But my eyes are killing me. :p

        • #2996457

          Did you

          by rob miners ·

          In reply to Hijackthis log

          run HJT after running MBAM? It looks like MBAM is set to run on the next boot.

          If so, restart the System and let MBAM run through. Check the log file and let us know what the files were that it removed. There may be files with different extensions, e.g. .dll, .exe

          Could you go back to your Oops post and rearrange the dirs to < dir > with a space between < and dir? It is causing the following posts to cascade.

        • #2996437

          LOL

          by rob miners ·

          In reply to Did you

          should have run a HJT after installing MBAM on a clean System before posting. It’s normal for that reference to be there.

        • #2996220

          Ok Guys, I give up.

          by Anonymous ·

          In reply to LOL

          Nothing seems to resolve the problem with the exception of wiping the drive and re-installing. I’ve gotten so confused I don’t know if I’m coming or going. So, I’m going to do the wipe and start anew with the external drive disconnected. Make sure all the Anti-this and Anti-that is up to date and in the paranoid state before attempting to turn it on. I greatly appreciate all the time and attention all of you have given. If there are any suggestions to keep the external drive from reinfecting my new clean install please feel free. Just keep in mind I don’t do this every day so keep it simple.

          Again, thanks a lot,
          Rodman

          P.S. Whoever wrote this dastardly piece of code (the Virus) should be prosecuted. It is akin to kidnapping and torture and should be dealt with appropriately. OK, I’m off the box

        • #2996205

          Best of luck to you.

          by seanferd ·

          In reply to Ok Guys, I give up.

          Just remember that “wipe” means “nuke & pave”. See
          http://techrepublic.com.com/5208-6230-0.html?forumID=101&threadID=317102&messageID=3158855
          for OH Smeg’s notes on this. A reformat or deleting partitions may not be enough.

          Also note that any writable, removable media should be scanned before use (with autorun disabled) if it has been attached to the problem machine. (USB flash devices, floppies, etc.) Otherwise, they may re-infect the computer, or any other they come into contact with.

          Again, good luck. Maybe take a couple aspirin. 😉

        • #2996196

          If you need any help

          by rob miners ·

          In reply to Ok Guys, I give up.

          just let us know. Start a new thread and give us the details. You are correct in keeping the external drive disconnected.

          When you have reinstalled the Operating System install your Antivirus and let it Update before connecting to the internet. Install MalwareBytes and Spybot again and update them.

          Turn off System Restore before connecting the external drive, and when you do connect the external drive check in System Restore and stop monitoring the external drive if it is being monitored. The nasties like to hide in restore points. Good luck.
