
A-Squared unable to delete files



A couple of days ago, my computer began acting up. Popups appeared randomly and when I clicked on google links, they took me to other popup-like websites (advertisements, etc). My computer would not recognize Malwarebytes (it said the file did not exist), and adaware kept finding one or two files. I ran Super Antispyware and ATF-cleaner, after that my computer could run MalwareBytes (it found several more files).

I kept having problems with my computer so I just ran A-Squared Anti-Malware. It found several more suspect files. When I tried to quarantine them, I received several popups from the program saying the items could not be quarantined. What should I do? I've attached the A-Squared report after the other files were quarantined.

Thank you for your help!


The installed version of Java on this computer is outdated. Install Java Runtime Environment (JRE) 6u16 available from Sun Microsystems.

-----------------------------------------------------------

Using Add or Remove Programs in the Control Panel; uninstall the following:

J2SE Runtime Environment 5.0 Update 2

-----------------------------------------------------------

Your logs show no malware.

The a-squared log is showing System Restore Points. Simply disable system restore to clear all Restore Points and then enable system restore to create a new Restore Point for your computer.


I did the Java update you suggested, but I'm still having problems. When I click on links in google, they take me to popup-like advertisements. This only happens sometimes... if it does go to a popup, I can try the same link several more times and finally it will take me to my chosen website destination. If the logs aren't showing malware, what should I do now?


Download ComboFix from one of these locations:

Link 1

Link 2

Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
    See HERE for help
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

RcAuto1.gif

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

whatnext.png

Click on Yes, to continue scanning for malware.

When finished, ComboFix will produce a log.

Note:

1. Do not mouse-click ComboFix's window while it's running. That may cause it to stall!

2. Remember to re-enable your anti-virus and anti-spyware before reconnecting to the Internet.

-----------------------------------------------------------

Post fresh logs for:

  • ComboFix (C:\combofix.txt)
  • ISeeYouXP

Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now!


When I run Combofix, it tells me that I have A-Squared Anti-Malware still active on my computer. The problem is that I don't see the A-squared icon in the system tray. When I open up Windows Task Manager, I see the file as A2service.exe under the "Processes" tab, but I can't end the task. I don't want this to affect the program. What should I do?


Stop the a-squared Anti-Malware Service:

Click on Start, then Run ... type services.msc into the box that opens up, and press 'OK'.

On the page that opens, scroll down to a-squared Anti-Malware Service ... right click the entry, select 'Properties' and press 'Stop'. When it shows that it is stopped, next please set the 'Start-up Type' to 'Disabled'. Press 'OK' until you get back to Windows.

Run Combofix

Start the a-squared Anti-Malware Service:

Click on Start, then Run ... type services.msc into the box that opens up, and press 'OK'.

On the page that opens, scroll down to a-squared Anti-Malware Service ... right click the entry, select 'Properties' and press 'Start'. When it shows that it is started, next please set the 'Start-up Type' to 'Automatic'. Press 'OK' until you get back to Windows.


I tried to stop a-squared through services.msc, but ComboFix still says that it's active. I'm not sure if this is related to that, but combofix is not producing a log. I left it on overnight to run and in the morning it still said "Scanning for infected files..." with a warning that it might take 10 minutes or double that and nothing else. I'm trying it again this morning and I'm still getting nothing after 20 minutes.


Download OTL to your desktop.

  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • When the window appears, underneath Output at the top change it to Minimal Output.
  • Check the boxes beside LOP Check and Purity Check.
  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
    • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt.
      Note: These logs can be located in the OTL folder on your C:\ drive if they fail to open automatically.
    • Attach both logs with your next reply.


Run OTL.exe

  • Copy/paste the following text written inside of the code box into the Custom Scans/Fixes box located at the bottom of OTL
    :OTL
    PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)
    O3 - HKLM\..\Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - No CLSID value found.
    O3 - HKCU\..\Toolbar\ShellBrowser: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No CLSID value found.
    O4 - HKCU..\Run: [Aim6]  File not found
    O8 - Extra context menu item: &Viewpoint Search - C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll File not found
    O21 - SSODL: dudibopub - {f3feab4e-ad21-4444-ae8d-a4a4a2ee8bbb} - CLSID or File not found.
    O21 - SSODL: zevekojoj - {db9be343-883e-4515-8759-01502b96dd57} - CLSID or File not found.
    O22 - SharedTaskScheduler: {db9be343-883e-4515-8759-01502b96dd57} - mujuzedij - Reg Error: Key error. File not found
    O22 - SharedTaskScheduler: {f3feab4e-ad21-4444-ae8d-a4a4a2ee8bbb} - kupuhivus - Reg Error: Key error. File not found
    
    :Files
    C:\WINDOWS\*.tmp
    C:\WINDOWS\System32\*.tmp
    C:\Documents and Settings\Amanda Triana\My Documents\*.tmp
    C:\WINDOWS\System32\CF31666.exe
    C:\WINDOWS\System32\CF24744.exe
    C:\WINDOWS\System32\CF679.exe
    C:\WINDOWS\System32\CF19226.exe
    C:\WINDOWS\System32\CF31417.exe
    @C:\Documents and Settings\All Users\Application Data\TEMP:DFC5A2B2
    
    :Commands
    [purity]
    [emptytemp]
    [start explorer]
    [Reboot]


  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot when it is done
  • Attach the new OTL log ( don't check the boxes beside LOP Check or Purity this time )


I tried ComboFix again, but it still won't run. It stays stuck on "Scanning for infected files...". When the program first opens up, it still says that a-squared is active (and there is no a-squared symbol in the tray). Oddly enough, the a-squared symbol is in the tray when the computer first starts, but then it just disappears before I can close it myself.


Open the Task Manager (ctrl+alt+del) and look for a2guard in the list of running processes. If it is present, terminate the process. Then run ComboFix. If it isn't present then something is killing the a2 background guard and we will have to figure out what that is.


Ok, so I was able to exit A-Squared before the icon disappeared from the tray, but ComboFix is still warning me that the program is active. When I looked for A2guard under the system processes, it wasn't there. What should I do now?


We'll skip using ComboFix for the moment.

Download -->> OTL <<-- to your desktop.

  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • When the window appears, underneath Output at the top change it to Minimal Output.
  • Check the boxes beside LOP Check and Purity Check.
  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
    • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt.
      Note: These logs can be located in the OTL folder on your C:\ drive if they fail to open automatically.
    • Attach both logs with your next reply.


Run OTL.exe

  • Copy/paste the following text written inside of the code box into the Custom Scans/Fixes box located at the bottom of OTL
    :OTL
    PRC - C:\WINDOWS\Explorer.EXE (Microsoft Corporation)
    
    :Files
    C:\WINDOWS\System32\CF28918.exe
    C:\WINDOWS\System32\CF57.exe
    C:\WINDOWS\System32\CF6435.exe
    C:\WINDOWS\System32\CF11330.exe
    C:\WINDOWS\System32\bizakuvo
    
    :Commands
    [purity]
    [emptytemp]
    [start explorer]
    [Reboot]


  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot when it is done
  • Attach the new OTL log ( don't check the boxes beside LOP Check or Purity this time )


Now to remove most of the tools that we have used, so far:

  • Make sure you have an Internet Connection.
  • Download OTC to your desktop and run it
  • A list of tool components used in the cleanup of malware will be downloaded.
  • If your Firewall or Real Time protection attempts to block OTC to reach the Internet, please allow the application to do so.
  • Click Yes to begin the cleanup process and remove these components, including this application.
  • You will be asked to reboot the machine to finish the cleanup process. If you are asked to reboot the machine choose Yes.

-----------------------------------------------------------

Post fresh logs for:

  • a-squared Free/Anti-Malware
  • ISeeYouXP

Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now!


Your logs look fine.

Unless you are having problems from Malware it is time to do the final steps.

If you used ComboFix, uninstall ComboFix:

  • Click START then RUN and enter the below into the run box and then click OK. (Use only the command of the same name as your copy of combofix.)
  • AvoidTDSS /u or combofix /u
    Note: The space before /u must be there.
    This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
  • Delete the C:\AvoidTDSS or C:\ComboFix folder from combofix.
    Delete everything in C:\!KillBox

Delete the following from your Desktop (If they exist)

Avenger.exe

Avenger.txt

Avenger.zip

DisableAutoRuns.reg

FixMe.reg

FixReg.reg

ISeeYouXP.exe

ISeeYouXP.lnk

ISeeYouXP.txt

Anything else I had you use

Delete the following: (If they exist)

C:\Avenger.txt

C:\Avenger

C:\ComboFix.txt

C:\ComboFix

C:\SDFix

C:\Qoobox

You can delete and uninstall any programs I had you download, that you do not wish to keep on the system.

Empty the Recycle Bin

Run ATF Cleaner

In the ISeeYouXP folder double-click HideIT.bat.

Turn off System restore to flush all your restore points then turn system restore back on.

To manually turn off System Restore, follow these steps:

1. Click Start, right-click My Computer, and then click Properties.

2. Click the System Restore tab.

3. Click to select the Turn off System Restore check box (or the Turn off System Restore on all drives check box), and then click OK.

4. Click Yes when you receive the prompt to turn off System Restore.

To turn on System Restore, follow these steps:

1. Click Start, right-click My Computer, and then click Properties.

2. Click the System Restore tab.

3. Click to clear the Turn off System Restore check box (or the Turn off System Restore on all drives check box), and then click OK.

Delete C:\ISeeYouXP

Run Windows Update and update your Windows Operating System.

Run the Secunia Online Software Inspector; this will inspect your system for software that is out-of-date and in need of updating. Update any program/application detected as being outdated.

That should take care of everything.

Safe Surfing!


Hi horika1,

Your message was removed in accordance with the rules for this section of the forum.

You cannot post into other users' threads in this section.

Please create a new thread with your own request in order to resolve the problem.

My regards


Download RootRepeal.zip and unzip it to your Desktop.

  • Double click RootRepeal.exe to start the program
  • Click on the Report tab at the bottom of the program window
  • Click the Scan button
  • In the Select Scan dialog, check:
    • Drivers
    • Files
    • Processes
    • SSDT
    • Stealth Objects
    • Hidden Services
  • Click the OK button
  • In the next dialog, select all drives showing
  • Click OK to start the scan
    Note: The scan can take some time. DO NOT run any other programs while the scan is running
  • When the scan is complete, the Save Report button will become available
  • Click this and save the report to your Desktop as RootRepeal.txt
  • Go to File, then Exit to close the program

If the report is not too long, post the contents of RootRepeal.txt in your next reply. If the report is very long, it will not be complete if you post it, so please attach it to your reply instead.


ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/10/22 08:32
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xEDB4B000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF7BC8000 Size: 8192 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xB8783000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

SSDT
-------------------
#: 041 Function Name: NtCreateKey
Status: Hooked by "PCTCore.sys" at address 0xf7414d72

#: 047 Function Name: NtCreateProcess
Status: Hooked by "PCTCore.sys" at address 0xf73f59a6

#: 048 Function Name: NtCreateProcessEx
Status: Hooked by "PCTCore.sys" at address 0xf73f5b98

#: 063 Function Name: NtDeleteKey
Status: Hooked by "PCTCore.sys" at address 0xf7415568

#: 065 Function Name: NtDeleteValueKey
Status: Hooked by "PCTCore.sys" at address 0xf7415820

#: 119 Function Name: NtOpenKey
Status: Hooked by "PCTCore.sys" at address 0xf7413a80

#: 192 Function Name: NtRenameKey
Status: Hooked by "PCTCore.sys" at address 0xf7415c8a

#: 247 Function Name: NtSetValueKey
Status: Hooked by "PCTCore.sys" at address 0xf7415036

#: 257 Function Name: NtTerminateProcess
Status: Hooked by "C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys" at address 0xedc2f0b0

Stealth Objects
-------------------
Object: Hidden Module [Name: tdlcmd.dll]
Process: svchost.exe (PID: 820) Address: 0x10000000 Size: 24576

Object: Hidden Module [Name: tdlwsp.dll]
Process: Explorer.EXE (PID: 2324) Address: 0x10000000 Size: 28672

==EOF==

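The report above is what the helper reads by eye: a handful of SSDT hooks (normal for the security products installed here) and two modules that are hidden from their host processes, which is the finding that actually matters. The following Python script is an added example, not part of this thread or of RootRepeal; it parses the report's text format, separates the expected hooks from anything else, and reports every hidden module. The allowlist of drivers that are known to hook the SSDT (PCTCore.sys from PC Tools, SASKUTIL.sys from SUPERAntiSpyware) is an assumption an operator would maintain for their own machine, and the embedded report is a shortened copy of the one posted above.

```python
"""Parse a RootRepeal text report and pull out the two findings that matter
most when triaging a suspected rootkit: SSDT hooks and hidden modules."""
import re
from dataclasses import dataclass

# Shortened copy of the RootRepeal report posted in this thread.
SAMPLE_REPORT = r"""ROOTREPEAL (c) AD, 2007-2009
==================================================
Scan Start Time: 2009/10/22 08:32
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xB8783000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

SSDT
-------------------
#: 041 Function Name: NtCreateKey
Status: Hooked by "PCTCore.sys" at address 0xf7414d72

#: 047 Function Name: NtCreateProcess
Status: Hooked by "PCTCore.sys" at address 0xf73f59a6

#: 257 Function Name: NtTerminateProcess
Status: Hooked by "C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys" at address 0xedc2f0b0

Stealth Objects
-------------------
Object: Hidden Module [Name: tdlcmd.dll]
Process: svchost.exe (PID: 820) Address: 0x10000000 Size: 24576

Object: Hidden Module [Name: tdlwsp.dll]
Process: Explorer.EXE (PID: 2324) Address: 0x10000000 Size: 28672

==EOF==
"""

# Assumption: an operator-maintained allowlist of security drivers that are
# known to hook the SSDT on this machine (PC Tools and SUPERAntiSpyware here).
KNOWN_HOOKING_DRIVERS = {"pctcore.sys", "saskutil.sys"}

SSDT_RE = re.compile(r"^#:\s*(\d+)\s+Function Name:\s*(\S+)\s*$")
HOOK_RE = re.compile(r'^Status:\s*Hooked by "([^"]+)" at address (0x[0-9a-fA-F]+)')
HIDDEN_RE = re.compile(r"^Object: Hidden Module \[Name: ([^\]]+)\]")
PROC_RE = re.compile(r"^Process:\s*(\S+) \(PID: (\d+)\) Address: (0x[0-9a-fA-F]+) Size: (\d+)")


@dataclass
class SsdtHook:
    index: int
    function: str
    module: str
    address: int


@dataclass
class HiddenModule:
    name: str
    process: str
    pid: int
    address: int
    size: int


def parse_report(text):
    """Return (ssdt_hooks, hidden_modules) found in a RootRepeal report."""
    lines = text.splitlines()
    section, hooks, hidden = None, [], []
    pending_hook = pending_module = None
    for i, raw in enumerate(lines):
        line = raw.strip()
        # A section header is a non-empty line followed by a dashed underline.
        if line and i + 1 < len(lines) and lines[i + 1].startswith("-----"):
            section = line
            continue
        if section == "SSDT":
            if m := SSDT_RE.match(line):
                pending_hook = (int(m.group(1)), m.group(2))
            elif (m := HOOK_RE.match(line)) and pending_hook:
                hooks.append(SsdtHook(*pending_hook, m.group(1), int(m.group(2), 16)))
                pending_hook = None
        elif section == "Stealth Objects":
            if m := HIDDEN_RE.match(line):
                pending_module = m.group(1)
            elif (m := PROC_RE.match(line)) and pending_module:
                hidden.append(HiddenModule(pending_module, m.group(1), int(m.group(2)),
                                           int(m.group(3), 16), int(m.group(4))))
                pending_module = None
    return hooks, hidden


def triage(hooks, hidden):
    """Hooks by unlisted drivers and every hidden module become findings."""
    findings = []
    for h in hooks:
        base = h.module.replace("\\", "/").rsplit("/", 1)[-1].lower()
        if base not in KNOWN_HOOKING_DRIVERS:
            findings.append(f"SSDT #{h.index:03d} {h.function} hooked by unlisted "
                            f"module {h.module} at {h.address:#x}")
    for m in hidden:
        # A module hidden from its own process's loader list has no benign explanation.
        findings.append(f"hidden module {m.name} in {m.process} (PID {m.pid}) "
                        f"at {m.address:#x}, {m.size} bytes")
    return findings


if __name__ == "__main__":
    hooks, hidden = parse_report(SAMPLE_REPORT)
    print(f"{len(hooks)} SSDT hooks, {len(hidden)} hidden modules")
    for finding in triage(hooks, hidden):
        print("FINDING:", finding)
```

Run against the embedded report it prints the two hidden modules and nothing about the hooks; feed it a report where a driver outside the allowlist hooks the SSDT and that hook is listed too. Hidden modules are always reported because a legitimately loaded DLL has no reason to be unlinked from its process's module list.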

Download to your Desktop:

- Malwarebytes' Anti-Malware

Double-click mbam-setup.exe and follow the prompts to install the program. Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish. If an update is found, it will download and install the latest version.

  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Save the log to a convenient location, you will be posting the log later.


Run RootRepeal.exe

  • Click on the Report tab at the bottom of the program window
  • Click the Scan button
  • In the Select Scan dialog, check:
    • Stealth Objects
  • Click the OK button
  • In the next dialog, select all drives showing
  • Click OK to start the scan
    Note: The scan can take some time. DO NOT run any other programs while the scan is running
  • When the scan is complete, the Save Report button will become available
  • Click this and save the report to your Desktop as RootRepeal.txt
  • Click on the Stealth Objects tab
  • Right-click on tdlcmd.dll and select "Force Delete"
  • Right-click on tdlwsp.dll and select "Force Delete"
  • Exit RootRepeal

Reboot your computer

Post fresh logs for:

  • a-squared Free/Anti-Malware
  • ISeeYouXP
  • HiJackFree

Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now!


OK, let's use a different tool.

Download avz4.zip from here

  • Unzip it to your desktop to a folder named avz4
  • Double click on AVZ.exe to run it.
  • Run an update by clicking the Auto Update button on the Right of the Log window: AVZupdate.jpg
  • Click Start to begin the update

Note: If you receive an error message, choose a different source, then click Start again

  • After the update, from the "File" menu, choose "Standard Scripts"
  • Put a check next to item 2: Advanced System Investigation
  • Click Execute selected scripts
  • At the next prompt, click the OK button
  • Let the scan run and click "OK" when the completion prompt pops up
  • Now Close out of the Standard Scripts window, and exit AVZ
  • Navigate to the avz4 folder and locate the folder LOG
  • Inside the LOG folder you will find virusinfo_syscheck.htm and virusinfo_syscheck.zip
  • Attach the Compressed file, virusinfo_syscheck.zip, to your next reply, along with a fresh HijackThis log


  • Close all windows then double click on AVZ.exe
  • Click File > Custom scripts
  • Copy & paste the contents of the following codebox in the box in the program
    begin
    SearchRootkit(true, true);
    DeleteFile('pujadoli.dll');
    RebootWindows(true);
    end.


  • Note: When you run the script, your PC will be restarted
  • Click Run
  • Restart your PC if it doesn't do it automatically.

-----------------------------------------------------------

Download -->> OTL <<-- to your desktop.

  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • When the window appears, underneath Output at the top change it to Minimal Output.
  • Check the boxes beside LOP Check and Purity Check.
  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
    • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt.
      Note: These logs can be located in the OTL folder on your C:\ drive if they fail to open automatically.
    • Attach both logs with your next reply.


Copy the contents of the below quote box to Notepad; Save As FixReg.reg to your Desktop; make sure File Type: is set to All Files (*.*).

REGEDIT4

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\EarthLink TotalAccess\TaskPanl.exe"=-
"C:\Program Files\AIM\aim.exe"=-
"C:\WINDOWS\system32\windir32.exe"=-
"C:\Program Files\Hexacto Games\Lemonade Tycoon\Lemonade.exe"=-
"C:\Program Files\Restaurant Empire\re.exe"=-
"C:\Program Files\GlobalStar Software\School Tycoon\SchoolTycoon.exe"=-
"C:\WINDOWS\system32\drivers\svchost.exe"=-
"C:\Program Files\Sony Pictures Games\Rock and Roll JEOPARDY!\Rock & Roll JEOPARDY!.exe"=-

Close Notepad.

Locate FixReg.reg on your Desktop. Double-click on it and answer 'Yes' when asked if you want to merge with the registry.

-----------------------------------------------------------

  • Double click RootRepeal.exe to start the program
  • Click on the Report tab at the bottom of the program window
  • Click the Scan button
  • In the Select Scan dialog, check:
    • Drivers
    • Files
    • Processes
    • SSDT
    • Stealth Objects
    • Hidden Services
  • Click the OK button
  • In the next dialog, select all drives showing
  • Click OK to start the scan
    Note: The scan can take some time. DO NOT run any other programs while the scan is running
  • When the scan is complete, the Save Report button will become available. Click this and save the report to your Desktop as RootRepeal.txt
  • Go to File, then Exit to close the program
  • Attach it to your reply.


Run OTL

  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • When the window appears, underneath Output at the top change it to Minimal Output.
  • Check the boxes beside LOP Check and Purity Check.
  • Under Custom Scan paste this in
    netsvcs
    msconfig
    safebootminimal
    safebootnetwork
    activex
    drivers32
    %SYSTEMDRIVE%\*.exe
    %SYSTEMDRIVE%\tdlcmd.dll /s
    %SYSTEMDRIVE%\tdlwsp.dll /s
  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
    • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
    • Attach both files.


Download GMER

1. Click on the "Download Exe" button; this will generate a random name for GMER. Accept the default file name and save the file to your Desktop.

2. Double click the file you just downloaded.

3. Click the Rootkit tab and then click the Scan button.

4. IMPORTANT: Do NOT use the computer while the scan is in progress

5. Do not select the "Show all" checkbox during the scan.

6. When it finishes, click the Copy button. This will copy the results to your clipboard.

7. Paste the clipboard into a notepad file and save it to a log (like gmer.log).

Attach the GMER log with your next reply.


OK, run this again:

Download avz4.zip from here

  • Unzip it to your desktop to a folder named avz4
  • Double click on AVZ.exe to run it.
  • Run an update by clicking the Auto Update button on the Right of the Log window: AVZupdate.jpg
  • Click Start to begin the update

Note: If you receive an error message, choose a different source, then click Start again

  • After the update, from the "File" menu, choose "Standard Scripts"
  • Put a check next to item 2: Advanced System Investigation
  • Click Execute selected scripts
  • At the next prompt, click the OK button
  • Let the scan run and click "OK" when the completion prompt pops up
  • Now Close out of the Standard Scripts window, and exit AVZ
  • Navigate to the avz4 folder and locate the folder LOG
  • Inside the LOG folder you will find virusinfo_syscheck.htm and virusinfo_syscheck.zip
  • Attach the Compressed file, virusinfo_syscheck.zip, to your next reply, along with a fresh HijackThis log

This topic is now closed to further replies.