dadbug Posted November 16, 2009
Malware has infected my computer. trace.registry.VirusShield2009!A2. I cannot seem to remove the System Defender program. Also, ISeeYou is not working. I am getting a message "The process cannot access the file because it is being used by another process."
~ INLINE LOGS REMOVED {Lynx}
Really appreciate any help.
Lynx Posted November 16, 2009
Hi dadbug, and welcome to the new forum. The rules have changed compared to the old forum, where you were requesting assistance in the past.
Read START HERE, if you don't we are just going to send you back to this thread <-- click and attach all required log files.
You ran Smart Scan. Update a-squared; rerun and attach the Deep Scan report.
Provide a brief description of the problems and/or the symptoms of the system's misbehaviour, if any.
My regards
P.S. In addition, if you are using Symantec/Norton, Adaware, etc., or were using those previously, irrespectively submit flagged items from the detection list to EMSI developers for analysis. Some of the detections could be False Positives (e.g. C:\WINDOWS\system32\drivers\atapi.sys; if not poisoned, it's a legit system file).
ShadowPuterDude Posted November 19, 2009
Thread Closed
Reason: Lack of Response
PM either ShadowPuterDude or Lynx to have this thread reopened.
The procedures contained in this thread are for this user and this user only. Attempting to use the instructions in this thread on your system could result in damaging the Operating System beyond repair. Do Not use any of the tools mentioned in this thread without the supervision of a Malware Removal Specialist.
All posters requesting Malware Removal assistance are required to follow all procedures in the thread titled START HERE, if you don't we are just going to send you back to this thread
Lynx Posted November 20, 2009
This case was reopened even though no PM was sent by the user. The newly created thread was locked.
Attach all required log files only after removing/uninstalling the illegal pirated Software, as was pointed out here.
dadbug Posted November 22, 2009
All instructions followed as requested. I have attached the a-squared Free and HiJackFree logs. In regards to the ISeeYouXP log, I get this message: "The system cannot execute the specified program. The process cannot access the file because it is being used by another process." The "System Defender" is preventing any other antiviral program from functioning, it seems. Thank you for your help.
dadbug
Lynx Posted November 22, 2009
The Malware Fighter will reply and have a look at the removal of the illegal Software...
...but 11 seconds for the Deep Scan of just 188 files:
Scan type: Deep Scan
Objects: Memory, Traces, Cookies, C:\, F:\
Scan start: 11/21/2009 10:56:09 PM
Scanned Files: 188
Processes: 9
Scan end: 11/21/2009 10:56:20 PM
Scan time: 0:00:11
That's something really "new"...
ShadowPuterDude Posted November 22, 2009
Download ComboFix from one of these locations. Save as Combo-Fix.exe during the download. ComboFix must be renamed before you download to your Desktop.
Link 1
Link 2
Link 3
* IMPORTANT !!! Save Combo-Fix to your Desktop
Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. See HERE for help.
Double click on ComboFix.exe & follow the prompts.
As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
Click on Yes, to continue scanning for malware.
When finished, ComboFix will produce a log.
Note:
1. Do not mouseclick ComboFix's window while it's running. That may cause it to stall!
2. Remember to re-enable your anti-virus and anti-spyware before reconnecting to the Internet.
-----------------------------------------------------------
Attach fresh logs for:
ComboFix (C:\combofix.txt)
a-squared Free/Anti-Malware
ISeeYouXP
HiJackFree
Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now!
dadbug Posted November 25, 2009
OK. Here are the new logs. Thanks.
ShadowPuterDude Posted November 26, 2009
You are using MsConfig to prevent several items from loading at Windows start. MsConfig is a diagnostic tool, and not intended to be used in the manner you are using MsConfig. Enable everything you used MsConfig to disable. If you are receiving error messages, related to these items, at system start, we can fix this without using MsConfig.
-----------------------------------------------------------
Using Add or Remove Programs in the Control Panel, uninstall the following:
J2SE Runtime Environment 5.0 Update 12
-----------------------------------------------------------
Download Avenger from HERE and unzip to your desktop.
Run Avenger
Read the prompt that appears, and press OK
Copy & paste the following text in the Input script Box:
Files to delete:
c:\documents and settings\yong\application data\microsoft\internet explorer\quick launch\system defender.lnk
c:\documents and settings\yong\application data\system defender\instructions.ini
c:\documents and settings\all users\application data\wsddsys\wsd.cfg
C:\WINDOWS\temp\6a423fed-613d-4320-9c4d-392aacd734b0.tmp
Folders to delete:
c:\documents and settings\all users\application data\wsddsys
c:\documents and settings\yong\application data\system defender
Registry keys to delete:
HKLM\software\microsoft\windows\currentversion\explorer\browser helper objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
Then click "Execute". You will be presented with 2 confirmation prompts. Select yes on each. Your system will reboot.
Note: It is possible that Avenger will reboot your system TWICE.
Upon reboot, a command prompt window will appear on your screen for a few seconds, and then Avenger's log will open. Please paste that log here in your next post.
-----------------------------------------------------------
a-squared Free - Version 4.5
Last update: 11/21/2009 10:39:52 PM
You are scanning with out-dated definitions for a-squared Free. Update a-squared Free.
-----------------------------------------------------------
Attach fresh logs for:
Avenger (C:\avenger.txt)
a-squared Free/Anti-Malware
ISeeYouXP
Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now!
dadbug Posted November 29, 2009
OK. Here are the new logs.
ShadowPuterDude Posted November 29, 2009
Submit the following file to http://www.virustotal.com
C:\WINDOWS\system32\drivers\atapi.sys
Provide the link to the scan results.
dadbug Posted November 30, 2009
OK. Here is the link: http://www.virustotal.com/analisis/9e445e72e542f99e074faecdab539356b582e7b242a51390a689b8cfbc21b71f-1259547201
Thank you.
ShadowPuterDude Posted November 30, 2009
Download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2
Double-click SystemLook.exe to run it.
Copy the content of the following codebox into the main textfield:
:filefind atapi.sy?
Click the Look button to start the scan.
When finished, a notepad window will open with the results of the scan. Attach this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt
dadbug Posted December 1, 2009
OK. Here it is.
ShadowPuterDude Posted December 1, 2009
Open notepad
Copy and Paste the below lines of code to notepad:
@echo off
copy C:\WINDOWS\ServicePackFiles\i386\atapi.sys c:\atapi.sys
Go to File > Save As and name the file fixes.bat, change the Save as type to All Files and save it to your Desktop.
Double-click on fixes.bat to execute it.
-----------------------------------------------------------
Run Avenger
Read the prompt that appears, and press OK
Copy & paste the following text in the Input script Box:
Files to delete:
C:\WINDOWS\system32\drivers\atapi.sys
Files to move:
C:\atapi.sys | C:\WINDOWS\system32\drivers\atapi.sys
Then click "Execute". You will be presented with 2 confirmation prompts. Select yes on each. Your system will reboot.
Note: It is possible that Avenger will reboot your system TWICE.
Upon reboot, a command prompt window will appear on your screen for a few seconds, and then Avenger's log will open. Please paste that log here in your next post.
-----------------------------------------------------------
Post fresh logs for:
Avenger (C:\avenger.txt)
a-squared Free
Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now!
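As an added example that is not part of this thread or of any of the tools it uses, the Python script below does the defender-side check that the SystemLook ":filefind atapi.sy?" step and the ServicePackFiles copy are there for: it walks a directory tree for every file named atapi.sy?, hashes each one with SHA-256 against the copy in ServicePackFiles\i386, and reports match, mismatch or a missing reference, so an altered in-use driver stands out before any file is replaced. The directory tree and file contents are constructed in a temporary folder standing in for C:\WINDOWS; they are not real driver images, and all helper names are my own.

```python
import hashlib
import os
import tempfile
from pathlib import Path


def sha256_of(path):
    """SHA-256 of a file, read in chunks so large drivers don't load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def compare_driver(live_path, reference_path):
    """Compare an in-use driver with a known-good reference copy.

    Returns a dict with status 'match', 'mismatch', 'live-missing' or
    'reference-missing', plus hashes and sizes when both files exist.
    """
    live, ref = Path(live_path), Path(reference_path)
    result = {"live": str(live), "reference": str(ref)}
    if not ref.is_file():
        result["status"] = "reference-missing"   # nothing trustworthy to compare against
        return result
    if not live.is_file():
        result["status"] = "live-missing"
        return result
    result["live_sha256"] = sha256_of(live)
    result["reference_sha256"] = sha256_of(ref)
    result["live_size"] = live.stat().st_size
    result["reference_size"] = ref.stat().st_size
    result["status"] = "match" if result["live_sha256"] == result["reference_sha256"] else "mismatch"
    return result


def find_candidates(root, stem="atapi.sy"):
    """Mimic SystemLook's ':filefind atapi.sy?': every file named <stem> plus one character."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower().startswith(stem) and len(name) == len(stem) + 1:
                hits.append(os.path.join(dirpath, name))
    return sorted(hits)


def build_demo_tree():
    """Constructed sample tree (stands in for C:/WINDOWS); contents are placeholder bytes, not a driver."""
    root = Path(tempfile.mkdtemp(prefix="xpdemo_"))
    ref_dir = root / "ServicePackFiles" / "i386"
    live_dir = root / "system32" / "drivers"
    cache_dir = root / "system32" / "dllcache"
    for d in (ref_dir, live_dir, cache_dir):
        d.mkdir(parents=True)
    clean = b"CONSTRUCTED-CLEAN-ATAPI-IMAGE" * 64
    (ref_dir / "atapi.sys").write_bytes(clean)                 # pristine service-pack copy
    (cache_dir / "atapi.sys").write_bytes(clean)               # system file cache copy, untouched
    (live_dir / "atapi.sys").write_bytes(clean + b"CONSTRUCTED-TAMPERED-BYTES")  # altered in-use copy
    return root


def audit(root):
    """Map every atapi.sy? path under root to its comparison status against the ServicePackFiles copy."""
    ref = Path(root) / "ServicePackFiles" / "i386" / "atapi.sys"
    return {p: compare_driver(p, ref)["status"] for p in find_candidates(root)}


if __name__ == "__main__":
    demo_root = build_demo_tree()
    for path, status in audit(demo_root).items():
        print(f"{status:18} {path}")
```

Run stand-alone it prints one line per copy found; the system32\drivers copy reports "mismatch" while the ServicePackFiles and dllcache copies report "match". On a real machine the comparison is only as good as the reference: if the ServicePackFiles copy is absent the script says so rather than guessing, and the hash of the in-use file is what you would submit to a scanning service for a second opinion.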
dadbug Posted December 2, 2009
OK.
ShadowPuterDude Posted December 3, 2009
Everything looks good. How are things running?
dadbug Posted December 4, 2009
The computer seems to be running fine. No problems except that the AVG antiviral program keeps alerting me that C:\Avenger\atapi.sys has a trojan horse BackDoor.Generic12.LZF. Other than that, no problems. If I purchase the a-squared Anti-Malware program, would I be protected against such attacks in the future? So many programs state that they protect, but do not seem to do so well.
dadbug
ShadowPuterDude Posted December 4, 2009
Any security vendor is going to tell you that their software will protect your computer across the entire range of threats. In reality, well written malware is designed to bypass security software and avoid detection. It's a game of cat and mouse and the good guys are in reactive mode. a-squared Anti-Malware is a very good application with high detection rates, and probably the best proactive protection on the market. However, the application has its limitations just like any other application. There is only so much a software application can do to protect your system and still leave it usable. In my experience it is a user's habits that determine how quickly and/or how often a system becomes infected. As long as you take adequate steps to protect your system and have good computing habits, it is difficult to infect a system.
-----------------------------------------------------------
Unless you are having problems from Malware it is time to do the final steps.
If you used ComboFix, uninstall ComboFix: Click START then RUN and enter the below into the run box and then click OK. (Use only the command of the same name as your copy of ComboFix.)
AvoidTDSS /uninstall
or
combofix /uninstall
or
Combo-Fix /uninstall
Note: The space before /uninstall must be there. Which command you use depends on whether I had you rename ComboFix during download. This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
Delete everything in C:\!KillBox (If I didn't have you use KillBox, then this won't be present)
Delete the following from your Desktop (If they exist):
Avenger.exe
Avenger.txt
Avenger.zip
CFscript.txt
dds.scr
dds.pif
DisableAutoRuns.reg
fixes.bat
FixMe.reg
FixReg.reg
ISeeYouXP.exe
ISeeYouXP.lnk
ISeeYouXP.txt
Win32kDiag.exe
Win32kDiag.txt
Anything else I had you use
Delete the following files (If they exist):
C:\Avenger.txt
C:\ComboFix.txt
Delete the following folders (If they exist):
C:\Avenger
C:\AvoidTDSSS
C:\ComboFix
C:\SDFix
C:\Qoobox
You can delete and uninstall any programs I had you download that you do not wish to keep on the system.
Empty the Recycle Bin
Run CCleaner
Turn off System Restore to flush all your restore points, then turn System Restore back on.
To manually turn off System Restore, follow these steps:
1. Click Start, right-click My Computer, and then click Properties.
2. Click the System Restore tab.
3. Click to select the Turn off System Restore check box (or the Turn off System Restore on all drives check box), and then click OK.
4. Click Yes when you receive the prompt to turn off System Restore.
To turn on System Restore, follow these steps:
1. Click Start, right-click My Computer, and then click Properties.
2. Click the System Restore tab.
3. Click to clear the Turn off System Restore check box (or the Turn off System Restore on all drives check box), and then click OK.
Delete C:\ISeeYouXP
Run Windows Update and update your Windows Operating System.
Run the Secunia Online Software Inspector; this will inspect your system for software that is out-of-date and in need of updating. Update any program/application detected as being out-dated.
That should take care of everything.
Safe Surfing!
dadbug Posted December 7, 2009
Thank you as usual for all of your help!
ShadowPuterDude Posted December 7, 2009
Thread Closed
Reason: Resolved
The procedures contained in this thread are for this user and this user only. Attempting to use the instructions in this thread on your system could result in damaging the Operating System beyond repair. Do Not use any of the tools mentioned in this thread without the supervision of a Malware Removal Specialist.
All posters requesting Malware Removal assistance are required to follow all procedures in the thread titled START HERE, if you don't we are just going to send you back to this thread