Search redirector and gets kicked out of cleaner programs

Post by jbnjr » September 26th, 2007, 1:40 pm

I deleted the files requested and copied/pasted the entire line in the white box for the start/run field but got an error message that read "cmd is not a valid WIN32 application". I tried manually typing it in but got the same message. The only option was OK. John
jbnjr
Regular Member
 
Posts: 43
Joined: September 19th, 2007, 4:16 pm

Post by askey127 » September 26th, 2007, 1:56 pm

The infection trashed cmd.exe.
Do a search for cmd.exe and see if there are any copies anywhere.
If so, we can copy it to its proper location in C:\Windows\System32\

While you are at it, see if there are any files resulting from a search for "torrent" (no quote marks).
askey127
Admin/Teacher
 
Posts: 13900
Joined: April 17th, 2005, 3:25 pm
Location: New Hampshire USA

Post by jbnjr » September 26th, 2007, 2:18 pm

I got several Torrents (7 files & 2 folders) and several cmd.exe but it shows a cmd.exe in C:\WINDOWS\system32; C:\WINDOWS\ServicePackFiles\i386 (MIGHT be j386); and in C:\WINDOWS\$NtServicePackUninstall$.

There are several other files which contain cmd.exe but are part of another name, i.e., NeroCmd.exe, evntcmd.exe, CMD.EXE-087B4001.pf.

I tried to copy/paste the search but it won't paste to this. Sorry. John

Post by askey127 » September 26th, 2007, 2:38 pm

Delete all the "torrent" files and folders, including any labeled "bittorrent".


Do you get a black DOS box if you type cmd.exe in Start, Run?
(type Exit to get out)
How about if you type just cmd into Start, Run?

Post by jbnjr » September 26th, 2007, 2:49 pm

First let me say I really do appreciate all of your help.

I deleted (sent to recycle bin/recycler) every file with "torrent" in the name.

I get a black box on Start/Run cmd.exe but a "cmd is not a valid Win32 application." on just cmd.

Another weird thing that started happening is that whenever I click on the red x to close an IE window, I get a message that they send to whomever those messages go to. John

Post by askey127 » September 26th, 2007, 3:02 pm

Since cmd.exe actually exists in the correct place, what is likely going on is that the infection has introduced a bogus file named cmd.com or cmd.bat (both of those extensions have preference) to intercept the normal command operation.
Let's see:

If you have a file called look.txt on your desktop, delete it.
-----------------------------------------------------------
Press Start->Run, copy/paste the following command into the box and press OK:
cmd.exe /c dir C:\*.* /L /A /B /S|Find "cmd." >> "%userprofile%\desktop\look.txt"

A file called look.txt should appear on your Desktop. Please post the contents of this file.

If this shows us, we will repair the other half dozen files as well.

Post by jbnjr » September 26th, 2007, 4:06 pm

Here are the files you requested:

c:\program files\ahead\nero\nerocmd.exe
c:\windows\$ntservicepackuninstall$\cmd.exe
c:\windows\$ntservicepackuninstall$\evntcmd.exe
c:\windows\prefetch\cmd.exe-087b4001.pf
c:\windows\prefetch\nerocmd.exe-20a0198c.pf
c:\windows\servicepackfiles\i386\cmd.exe
c:\windows\servicepackfiles\i386\evntcmd.exe
c:\windows\system32\cmd.com
c:\windows\system32\cmd.exe
c:\windows\system32\dllcache\esucmd.dll

Post by askey127 » September 26th, 2007, 4:42 pm

jbnjr,
You are doing a great job on a very difficult infection, but we are winning.
It's a pleasure to work with you.
-----------------------------------------------------------
File Deletion
In Windows Explorer (My Computer), navigate to the files shown below, select View, Details, highlight each listed file only, one at a time, and press Delete. Be careful not to delete any file without double-checking the exact spelling of the filename. (One or both may not be there)

C:\onoes.dll
C:\Windows\System32\bszip.dll

If you have any problem deleting a file, right click the file and choose Properties to see if it's read-only. Uncheck the read-only box, click Apply and OK. Then retry Delete.
Please Note the name and location of any item you cannot delete, or any file not found.
-----------------------------------------------------------
(Each of the following commands will tack on its results to the end of the look.txt file on your desktop)
Press Start->Run, copy/paste the following command into the box and press OK:
cmd.exe /c dir C:\*.* /L /A /B /S|Find "netstat." >> "%userprofile%\desktop\look.txt"


Press Start->Run, copy/paste the following command into the box and press OK:
cmd.exe /c dir C:\*.* /L /A /B /S|Find "ping." >> "%userprofile%\desktop\look.txt"


Press Start->Run, copy/paste the following command into the box and press OK:
cmd.exe /c dir C:\*.* /L /A /B /S|Find "tracert." >> "%userprofile%\desktop\look.txt"


Press Start->Run, copy/paste the following command into the box and press OK:
cmd.exe /c dir C:\*.* /L /A /B /S|Find "tasklist." >> "%userprofile%\desktop\look.txt"


Press Start->Run, copy/paste the following command into the box and press OK:
cmd.exe /c dir C:\*.* /L /A /B /S|Find "taskkill." >> "%userprofile%\desktop\look.txt"


Press Start->Run, copy/paste the following command into the box and press OK:
cmd.exe /c dir C:\*.* /L /A /B /S|Find "regedit." >> "%userprofile%\desktop\look.txt"


A file called look.txt will be on your Desktop. Please post the contents of that file.

askey127

Post by jbnjr » September 26th, 2007, 5:22 pm

OK, sorry for delay (had to pick up the boy who downloaded all this :) ). Anyway, I could not find "onoes.dll" and when I ran the "Run" cut/pastes, all the boxes that appeared did not contain any text :(.

c:\program files\ahead\nero\nerocmd.exe
c:\windows\$ntservicepackuninstall$\cmd.exe
c:\windows\$ntservicepackuninstall$\evntcmd.exe
c:\windows\prefetch\cmd.exe-087b4001.pf
c:\windows\prefetch\nerocmd.exe-20a0198c.pf
c:\windows\servicepackfiles\i386\cmd.exe
c:\windows\servicepackfiles\i386\evntcmd.exe
c:\windows\system32\cmd.com
c:\windows\system32\cmd.exe
c:\windows\system32\dllcache\esucmd.dll
c:\windows\$ntservicepackuninstall$\netstat.exe
c:\windows\servicepackfiles\i386\netstat.exe
c:\windows\system32\netstat.com
c:\windows\system32\netstat.exe
c:\windows\$ntservicepackuninstall$\ping.exe
c:\windows\servicepackfiles\i386\ping.exe
c:\windows\system32\pathping.exe
c:\windows\system32\ping.com
c:\windows\system32\ping.exe
c:\windows\system32\catroot\{f750e6c3-38ee-11d1-85e5-00c04fc295ee}\nlsdownlevelmapping.cat
c:\windows\system32\dllcache\pathping.exe
c:\windows\system32\macromed\shockwave 10\pluginping.dll
c:\windows\system32\macromed\shockwave 8\pluginping.dll
c:\windows\system32\wbem\repository\fs\mapping.ver
c:\windows\$ntservicepackuninstall$\tracert.exe
c:\windows\servicepackfiles\i386\tracert.exe
c:\windows\system32\tracert.com
c:\windows\system32\tracert.exe
c:\windows\system32\tasklist.com
c:\windows\system32\taskkill.com
c:\windows\regedit.exe
c:\windows\$ntservicepackuninstall$\regedit.exe
c:\windows\help\regedit.chm
c:\windows\help\regedit.hlp
c:\windows\prefetch\regedit.exe-1b606482.pf
c:\windows\servicepackfiles\i386\regedit.exe
c:\windows\regedit.exe
c:\windows\$ntservicepackuninstall$\regedit.exe
c:\windows\help\regedit.chm
c:\windows\help\regedit.hlp
c:\windows\prefetch\regedit.exe-1b606482.pf
c:\windows\servicepackfiles\i386\regedit.exe
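As an added example (not from the thread or from MalwareRemoval.com), a Python check that applies askey127's reasoning to a listing like the one above: it flags .com/.bat/.cmd files in a system directory that would be resolved ahead of the genuine .exe when only the bare name is typed, and also unexpected ones for tool names that have no .exe at all, as happened with tasklist and taskkill here. The embedded listing is a constructed subset of the posted look.txt; the directory set and tool names are assumptions taken from that listing.

```python
from collections import defaultdict

# Order in which a bare name is resolved: the default PATHEXT starts
# ".COM;.EXE;.BAT;.CMD", so cmd.com beside cmd.exe is picked first when
# only "cmd" is typed, which matches the error reported in the thread.
PATHEXT_ORDER = [".com", ".exe", ".bat", ".cmd"]

# Tool names searched for in the thread (assumed watch list). A .com/.bat/.cmd
# with one of these stems in a system directory is suspect even with no .exe
# beside it: tasklist/taskkill had no .exe on this machine yet got .com files.
WATCHED_STEMS = {"cmd", "netstat", "ping", "tracert", "tasklist", "taskkill", "regedit"}
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows"}

# Constructed sample: a subset of the look.txt listing posted above.
SAMPLE_LISTING = r"""
c:\program files\ahead\nero\nerocmd.exe
c:\windows\servicepackfiles\i386\cmd.exe
c:\windows\system32\cmd.com
c:\windows\system32\cmd.exe
c:\windows\system32\netstat.com
c:\windows\system32\netstat.exe
c:\windows\system32\ping.com
c:\windows\system32\ping.exe
c:\windows\system32\tasklist.com
c:\windows\regedit.exe
"""

def split_path(path):
    """Split 'c:\\dir\\name.ext' into lower-cased (dir, stem, ext)."""
    directory, _, filename = path.strip().lower().rpartition("\\")
    stem, dot, ext = filename.rpartition(".")
    return (directory, stem, "." + ext) if dot else (directory, filename, "")

def find_shadowed_tools(listing):
    """Return (path, reason) pairs for .com/.bat/.cmd files that would run
    ahead of, or instead of, a genuine tool in a system directory."""
    exts_by_file = defaultdict(set)
    for line in listing.strip().splitlines():
        directory, stem, ext = split_path(line)
        if ext in PATHEXT_ORDER:
            exts_by_file[(directory, stem)].add(ext)

    findings = []
    for (directory, stem), exts in sorted(exts_by_file.items()):
        if directory not in SYSTEM_DIRS:
            continue  # service-pack backups and program folders are expected
        for ext in sorted(exts - {".exe"}):
            path = directory + "\\" + stem + ext
            if ".exe" in exts and PATHEXT_ORDER.index(ext) < PATHEXT_ORDER.index(".exe"):
                findings.append((path, "shadows " + stem + ".exe"))
            elif stem in WATCHED_STEMS:
                findings.append((path, "unexpected " + ext + " for tool " + stem))
    return findings
```

Running find_shadowed_tools(SAMPLE_LISTING) reports the three .com files that shadow a real .exe plus tasklist.com, and nothing for the copies under servicepackfiles.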

Post by askey127 » September 26th, 2007, 5:33 pm

jbnjr,
That was Ok.
It may take a while (even till tomorrow AM my time) to generate the fix stuff.
Thanks. It worked exactly as expected.
askey127

Post by askey127 » September 27th, 2007, 6:41 am

jbnjr,
----------------------------------------------------
Compose and Run A Batch File
Please highlight, copy (Ctrl+C) and paste (Ctrl+V) the text inside the quote into a new Notepad document.
attrib -r -h -s "c:\windows\system32\cmd.com"
attrib -r -h -s "c:\windows\system32\netstat.com"
attrib -r -h -s "c:\windows\system32\ping.com"
attrib -r -h -s "c:\windows\system32\tracert.com"
attrib -r -h -s "c:\windows\system32\tasklist.com"
attrib -r -h -s "c:\windows\system32\taskkill.com"
del /q "c:\windows\system32\cmd.com"
del /q "c:\windows\system32\netstat.com"
del /q "c:\windows\system32\ping.com"
del /q "c:\windows\system32\tracert.com"
del /q "c:\windows\system32\tasklist.com"
del /q "c:\windows\system32\taskkill.com"

Save it on your Desktop as file type "All Files" (NOT as "Text Documents") and name it FixMe.bat
Close Notepad.
Double click FixMe.bat on your Desktop.
A window will open and close. This is normal.
----------------------------------------------------
Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites to your Internet Explorer settings that will protect you from accidentally running or downloading known malicious programs. Available from http://www.javacoolsoftware.com/spywareblaster.html
After the installation, click Download Latest Protection Updates. When it finishes, click Enable All Protection.
----------------------------------------------------
I am assuming that you are running Windows XP Home edition.
Can you tell me if that is correct?

Now if you go to Start, Run and type cmd you should get a black command window.
If you don't, let me know.
Tell me how it's running, and what difficulties remain.

askey127

Post by jbnjr » September 28th, 2007, 1:21 pm

Sorry for delay; I never got the email saying you responded. I downloaded SpywareBlaster. The black box appears.

The problems still evident are 1) can't add any search engines to the search selector (upper right corner) and must access through Yahoo Images; cursor still moves slowly on own occasionally (not near as much as before and it is not a big deal); every time I click red x on an IE window, a MS message appears saying an error has occurred; and finally, I don't know what to do with all these logs, bat, software, etc. I download (do I delete, turn on, ???).

Again, the biggest hassle is everything must go initially through Yahoo Images search then switch to "web" search.

Again, thanks for all of your help!

Post by askey127 » September 28th, 2007, 1:56 pm

jbnjr,
Sorry about the e-mail issue. Happens sometimes.
You may have some system problems, as you have indicated, but I think the malware is gone.
----------------------------------------------------------------------------------
You can delete all of these from your desktop:
KAV.txt
AVG Anti-Spyware Reports
install.txt
look.txt
FixMe.bat

----------------------------------------------------------------------------------
I would keep AVG Anti-Spyware. After 30 days, if you don't choose the paid version, you have to update manually, but it's a good scanner.
-----------------------------------------------------------
Reset Options in CCleaner for Regular Use.
Open CCleaner if it's not already running.
  • Select Cleaner Settings.
    Check Internet Explorer, Windows Explorer, and System so that all items are checked. Then under Internet Explorer, Uncheck "History". In the Advanced section, have a check only on Old PreFetch Data.
  • Click on the Options block on the left. Select Advanced.
    Check Only delete files in Windows Temp folders older than 48 hours.
  • Set CCleaner to Run When Computer Starts. Click on the Options block on the left, then choose Settings. Check Run CCleaner when computer starts.
Exit CCleaner by clicking on the X button in the upper right of the CCleaner window.
----------------------------------------------------------------------------------
I think you need to Uninstall IE7.
Afterward, if you want to re-install it, it should be OK.

You may wish to download and install Firefox first, as a safety valve.
It's here: http://www.mozilla.com/en-US/firefox/

The Uninstall should leave you with IE6 operational.
Microsoft's detailed instructions to do this are here:
http://support.microsoft.com/kb/927177
------------------------------------------------------------------------------------
Going forward, if you like to think ahead, I would consider installing a strong HOSTS file to protect your machine, especially with a young person as a co-user. For your consideration, this is a complete instruction, and sites with information about it. I would read some of the articles first.
If you want to do it and need help, please ask.
Download and Install a HOSTS File
A Hosts file is a plain text file which prevents your computer from inadvertently connecting to malware, spyware and adware sites by redirecting the connection request back to your own machine address (127.0.0.1). It is a very effective defense system.
If you use a proxy server, or if you are on AOL, or if you use Norton to scan e-mail, be sure to read the special instructions in the tutorial below.

Be sure to disable the service "DNS Client" FIRST to allow the use of large HOSTS files without slowdowns.
If this isn't done first, the next reboot may take a VERY LONG TIME.
This is how to do it. First be sure you are signed in as a user with administrative privileges:
Stop and Disable the DNS Client Service
Go to Start, Run and type Services.msc and click OK.
Under the Extended Tab, Scroll down and find this service.
DNS Client
Right-Click on the DNS Client Service. Choose Properties
Select the General tab. Click on the Stop button.
Click the Arrow-down tab on the right-hand side at the Start-up Type box.
From the drop-down menu, click on Manual
Click the Apply tab, then click OK


Download BlueTack's HOSTS Manager here:
http://www.bluetack.co.uk/forums/index.php?act=dscript&CODE=showdetails&f_id=5
Download and install the Hosts Manager first, then run it and click Download.
When it finishes, click Replace, and then Save.
You can use this manager to handle your HOSTS file download, edits, and most any other HOSTS issue.

If you have a firewall, you may have to give permission to Unlock the present default HOSTS file before you copy / install the new one.
You may also have to give additional permission during installation of the new one.

Read an excellent instruction about HOSTS files (the Bluetack version) here:
http://www.bluetack.co.uk/forums/index.php?showtopic=8406

There is a very detailed resource for those wanting to spend more time reading up, or to have as a reference:
http://www.bluetack.co.uk/forums/index.php?showtopic=8337
-------------------------------------------------------------------------------------------------------------
You can see another HOSTS file tutorial here : http://www.mvps.org/winhelp2002/hosts.htm
and choose to download the MVPS HOSTS File instead of using the BlueTack HOSTS.
The BlueTack version (70k+ entries) is more aggressive than the mvps (11k + entries), and targets adware sites as well as more dangerous ones.

Tell me how it goes and ask any further questions.
askey127
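As an added illustration (not from the thread or from the linked tutorials), a small Python model of the hosts-file step of name resolution described above: entries are matched on the whole name, case-insensitively, the first matching line wins, and a name pinned to a loopback address such as 127.0.0.1 is what turns the connection attempt into a harmless connection to the machine itself. It also shows the caveat that a blocked name does not cover its subdomains. The hosts contents are constructed sample data, not a real blocklist.

```python
import ipaddress

# Constructed sample in the format the blocklists use: "<address> <hostname>
# [more hostnames]" per line, with "#" starting a comment. Not a real list.
SAMPLE_HOSTS = """
# constructed sample, not a real blocklist
127.0.0.1   localhost
127.0.0.1   ads.example.test  tracker.example.test
127.0.0.1   malware-download.example.test   # comment after the entry
not-an-address   broken.example.test
"""

def parse_hosts(text):
    """Return an ordered list of (hostname, address) pairs, lower-cased.
    The resolver uses the first matching line, so order is preserved."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            address = str(ipaddress.ip_address(fields[0]))
        except ValueError:
            continue  # malformed line: skip it rather than guess
        for name in fields[1:]:
            entries.append((name.lower(), address))
    return entries

def lookup(entries, hostname):
    """Mimic the hosts-file step of name resolution: exact, case-insensitive
    match on the whole name; None means 'fall through to DNS'."""
    hostname = hostname.lower().rstrip(".")
    for name, address in entries:
        if name == hostname:
            return address
    return None

def is_blocked(entries, hostname):
    """True when the hosts file pins the name to a loopback address, which is
    how a HOSTS blocklist keeps the machine from reaching that site."""
    address = lookup(entries, hostname)
    return address is not None and ipaddress.ip_address(address).is_loopback
```

Note that "www.ads.example.test" is not blocked by the "ads.example.test" entry, which is why the large lists the thread mentions carry so many near-duplicate names.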

Post by jbnjr » September 28th, 2007, 2:42 pm

Thanks for all of your help!

I have deleted the files you indicated, corrected CCleaner, and will print out and follow instructions for uninstalling and reinstalling IE7. How do I turn on the other anti-stuff, i.e., AVG, SpywareBlaster, etc.?

I will read about the Hosts programs. If I have questions regarding that, do I start another post or use this one if it is still shown?

Thanks again!! John

Post by askey127 » September 28th, 2007, 4:20 pm

jbnjr,
SpywareBlaster is a passive program, i.e., when you run it, it just changes settings in your browsers.

AVG AntiSpyware is mostly used as a scanner, but you can use the Guard feature for the first 30 days, if you don't pay for it. To activate it, right click the icon in the lower right system tray and click on "Resident Shield". The icon should be in color when the Resident Shield is active, gray when it's turned off.

We will archive this post in about 10 days. If it's still up you can use it.
I would save the address of this thread though, (top bar, everything to the left of the &sid..) in case another helper might want to see the history of it.
Starting a new one on a different subject like a HOSTS file is OK anytime.
Be sure to post an HJT log, even if it doesn't seem relevant.

Good Job.
askey127
