Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

Soglueda.A infection - Windows XP

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

Re: Soglueda.A infection - Windows XP

Post by turtledove » February 2nd, 2011, 2:30 am

Hello crazyfirex,

The scan time of scanners can depend on how much is on the system, e.g.: more than 1 partition, number of programs, and other files you have such as pictures, music or video. If not done in the morning, let it finish. Do the steps with the XP machine, including the USB.
Please attach the new logs.
I'll be in late Wednesday night, due to a meeting. I'll review results then.
Thanks,

turtledove
turtledove
Retired Graduate
Posts: 4398
Joined: February 13th, 2006, 3:26 am
Location: California

Re: Soglueda.A infection - Windows XP

Post by crazyfirex » February 2nd, 2011, 10:24 am

I have no idea where MSE saves its logs, if it does. Here is a screenshot. I will now uninstall MSE, re-enable McAfee, and work on the XP.
crazyfirex
Regular Member
 
Posts: 42
Joined: January 2nd, 2011, 10:00 pm

Re: Soglueda.A infection - Windows XP

Post by turtledove » February 2nd, 2011, 1:33 pm

Good morning crazyfirex,

Thanks. I'll need to check on where MSE saves; it should have. You could have waited on uninstalling it for today, so we'd know for sure. Did it say all were cleaned?
You may want to run an online scan with ESET to be sure. We want both machines clean so as to not reinfect again via USB.

I'll await the other information and review it tonight.
As stated, I'll be in late after a meeting. If the CF comes back missing that file again like it has, we've got the fix ready to do it a bit differently. Please don't take out the USB until I say it's clear.

A note for the Vista: Make sure you have Java version 6 update 23 on the Vista machine. Also, Adobe Reader is version 10 (or Adobe Reader X), and check Adobe for the current Flash/Shockwave versions. These are also for the Vista.
If newer versions are available, uninstall the previous versions first.

Thank you

turtledove
turtledove
Retired Graduate
Posts: 4398
Joined: February 13th, 2006, 3:26 am
Location: California

Re: Soglueda.A infection - Windows XP

Post by crazyfirex » February 2nd, 2011, 10:03 pm

Sorry, I uninstalled MSE already. It did say the Vista was secure. Here's the CF log. Yes, it did miss those files. flash_disinfecter's Hidden folder seems to be holding up.
crazyfirex
Regular Member
 
Posts: 42
Joined: January 2nd, 2011, 10:00 pm

Re: Soglueda.A infection - Windows XP

Post by turtledove » February 3rd, 2011, 2:43 am

Good day crazyfirex,

Thanks for the information. Please print or copy the following instructions, for ease in following.
To be sure, please be certain that the USB is attached.

Let's try replacing that file via the Windows Recovery Console, which ComboFix installed and which is available as a boot option when the machine starts. To start the Recovery Console:

1. Reboot your computer and as Windows starts it will present you with your startup options for exactly two seconds - you'll have to be quick - which in your case will be Microsoft Windows XP Professional and Microsoft Windows Recovery Console

2. With the arrows keys on your keyboard select the option listed as Microsoft Windows Recovery Console and press the enter key on your keyboard.

3. The Recovery Console will start and ask you which Windows installation you would like to log on to. If you have multiple Windows installations, it will list each one. Enter the number associated with the installation you would like to work on and press enter. If you have just one Windows installation, type 1 and press enter.

4. It will then prompt you for the Administrator's password. If there is no password, simply press enter. Otherwise type in the password and then press enter.

5. You should now be presented with a C:\Windows> prompt

At that prompt, type in the following bolded text:

cd system32

Press Enter (you should now be at C:\windows\system32\> prompt)

ren services.exe services.old

Press Enter - If you receive a message similar to 'invalid parameter or bad command', ensure you have a space between ren and services.exe and another space between services.exe and services.old.


Next, type in the following bolded text:

copy c:\windows\system32\dllcache\services.exe c:\windows\system32

Press Enter

You should see a message '1 file copied'. If you did not see that message, try again and ensure there is a space after the word copy and another space between the file paths.

If you still do not see '1 file copied', leave it as it is and contact me from another computer.

If you did see '1 file copied', type in exit, press Enter, and the system will reboot.

=================================

After the computer boots into Windows, immediately disable your AV and run ComboFix.exe by double clicking on it.

Please attach the new Combofix log or let me know of any problems

Thank you

turtledove
turtledove
Retired Graduate
Posts: 4398
Joined: February 13th, 2006, 3:26 am
Location: California
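The Recovery Console steps above restore services.exe from the Windows File Protection cache (system32\dllcache). The following is an added example, not part of the post and not ComboFix's code, that shows the check a responder would make around that step: hash the live copy and the cached copy and report whether they match, are different, or are missing. The directory layout and file names are parameters; the demo tree it builds for offline runs contains constructed placeholder bytes, not real Windows binaries, and the default path assumption is a standard XP install under C:\WINDOWS.

```python
"""Integrity check of Windows system files against their dllcache copies.

Added illustration for the thread above (not from the forum post or from
ComboFix).  The Recovery Console steps copy services.exe back from
system32\\dllcache; this script shows whether the live file and the cached
file actually differ, for services.exe or any other protected file.
"""
import hashlib
import os
import tempfile


def sha256_of(path, chunk_size=65536):
    """Stream a file through SHA-256 so large binaries need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def compare_with_dllcache(system32_dir, names):
    """Return {file name: status} for each name in `names`.

    status is one of:
      'match'          live file and dllcache copy have the same SHA-256
      'mismatch'       they differ (altered, patched or replaced live file)
      'missing-live'   the file is absent from system32 (the situation the
                       ComboFix log in the thread kept reporting)
      'missing-cache'  there is no cached copy to compare against
    """
    cache_dir = os.path.join(system32_dir, "dllcache")
    results = {}
    for name in names:
        live = os.path.join(system32_dir, name)
        cached = os.path.join(cache_dir, name)
        if not os.path.isfile(live):
            results[name] = "missing-live"
        elif not os.path.isfile(cached):
            results[name] = "missing-cache"
        elif sha256_of(live) == sha256_of(cached):
            results[name] = "match"
        else:
            results[name] = "mismatch"
    return results


def make_demo_tree():
    """Build a constructed system32/dllcache layout in a temp directory.

    Contents are placeholder bytes, not real Windows binaries, so the script
    runs offline on any platform.  Returns the path of the fake system32.
    """
    root = tempfile.mkdtemp(prefix="xp-demo-")
    system32 = os.path.join(root, "system32")
    cache_dir = os.path.join(system32, "dllcache")
    os.makedirs(cache_dir)
    # name -> (live bytes, cached bytes); None means that copy does not exist
    files = {
        "services.exe": (b"MZ-tampered-services", b"MZ-genuine-services"),
        "svchost.exe": (b"MZ-genuine-svchost", b"MZ-genuine-svchost"),
        "lsass.exe": (None, b"MZ-genuine-lsass"),
        "winlogon.exe": (b"MZ-genuine-winlogon", None),
    }
    for name, (live_bytes, cached_bytes) in files.items():
        for directory, data in ((system32, live_bytes), (cache_dir, cached_bytes)):
            if data is not None:
                with open(os.path.join(directory, name), "wb") as fh:
                    fh.write(data)
    return system32


if __name__ == "__main__":
    import sys
    # Pass a real system32 directory (e.g. C:\WINDOWS\system32) to check a
    # machine; with no argument the constructed demo tree is used.
    target = sys.argv[1] if len(sys.argv) > 1 else make_demo_tree()
    names = ["services.exe", "svchost.exe", "lsass.exe", "winlogon.exe"]
    for name, status in compare_with_dllcache(target, names).items():
        print(f"{name}: {status}")
```

A matching pair only proves the two copies are identical, not that either is genuine; if both were replaced they would still match. The reliable reference is a hash taken from installation or service pack media, or from a known-clean machine at the same patch level.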

Re: Soglueda.A infection - Windows XP

Post by crazyfirex » February 4th, 2011, 9:38 pm

ComboFix is running now, Windows Recovery Console was successful
crazyfirex
Regular Member
 
Posts: 42
Joined: January 2nd, 2011, 10:00 pm

Re: Soglueda.A infection - Windows XP

Post by crazyfirex » February 4th, 2011, 10:12 pm

Or not. ComboFix has expired. Do you have a new link or should I run in REDUCED FUNCTIONALITY mode?
crazyfirex
Regular Member
 
Posts: 42
Joined: January 2nd, 2011, 10:00 pm

Re: Soglueda.A infection - Windows XP

Post by turtledove » February 4th, 2011, 10:36 pm

Hello crazyfirex, here are the links:

Please delete ONLY ComboFix.exe
Next, Download ComboFix from one of these locations:

Link 1
Link 2

Transfer using a rewritable CD if possible. Then proceed with my previous instructions; disable McAfee before running CF.

Thanks

turtledove
turtledove
Retired Graduate
Posts: 4398
Joined: February 13th, 2006, 3:26 am
Location: California

Re: Soglueda.A infection - Windows XP

Post by crazyfirex » February 5th, 2011, 3:17 pm

McAfee is on my Vista, not my XP. I have uninstalled ESET from the XP. Symptoms have all vanished, but (obviously) not all malware files. services.msc has re-appeared.

I realized another symptom of the worm showed itself, but I didn't know it was a symptom. The computer kept telling me it would install an update on restart, but never did. This must have been it trying to replace services.exe. This no longer happens.

That dates the worm to last fall.
crazyfirex
Regular Member
 
Posts: 42
Joined: January 2nd, 2011, 10:00 pm

Re: Soglueda.A infection - Windows XP

Post by turtledove » February 6th, 2011, 1:39 am

Hi crazyfirex,

Did you run the new Combofix? If so, attach it to your next reply please.
If you haven't, or if CF didn't remove it (due to timing), you will need to redo the above Recovery Console steps, then do the CF immediately. Time is important on this to get it cleared.


Thank you,

turtledove
turtledove
Retired Graduate
Posts: 4398
Joined: February 13th, 2006, 3:26 am
Location: California

Re: Soglueda.A infection - Windows XP

Post by crazyfirex » February 6th, 2011, 12:15 pm

Here is the log.
crazyfirex
Regular Member
 
Posts: 42
Joined: January 2nd, 2011, 10:00 pm

Re: Soglueda.A infection - Windows XP

Post by turtledove » February 6th, 2011, 3:56 pm

Good day crazyfirex,

Please do the following.

If present please delete ESET Folders:
c:\documents and settings\NetworkService\Local Settings\Application Data\ESET
c:\documents and settings\LocalService\Local Settings\Application Data\ESET
c:\documents and settings\User\Local Settings\Application Data\ESET


------------------------

Post a New HJT Log
  • Start HijackThis.
  • If you are on the "scan & fix stuff" page... Press the "Main Menu"...button.
  • From the Main Menu... Press the "Do System Scan and Save a Log File"...button.
  • When completed...Notepad will open with the new "hijackthis.log" file contents.
  • Copy/paste the entire (hijackthis.log) file contents in your next reply.

Thank you

turtledove
turtledove
Retired Graduate
Posts: 4398
Joined: February 13th, 2006, 3:26 am
Location: California

Re: Soglueda.A infection - Windows XP

Post by crazyfirex » February 6th, 2011, 4:35 pm

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 3:32:56 PM, on 2/6/2011
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\CyberLink\Power2Go\CLMLSvc.exe
C:\Program Files\CyberLink\PowerDVD8\PDVD8Serv.exe
C:\Program Files\lg_fwupdate\fwupdate.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\W3i\InstallIQUpdater\InstallIQUpdater.exe
C:\Documents and Settings\User\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Documents and Settings\User\Local Settings\Application Data\Google\Update\1.2.183.39\GoogleCrashHandler.exe
C:\Program Files\Notepad++\notepad++.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\trend micro\HiJackThis\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [UpdateLBPShortCut] "C:\Program Files\CyberLink\LabelPrint\MUITransfer\MUIStartMenu.exe" "C:\Program Files\CyberLink\LabelPrint" UpdateWithCreateOnce "Software\CyberLink\LabelPrint\2.5"
O4 - HKLM\..\Run: [CLMLServer] "C:\Program Files\CyberLink\Power2Go\CLMLSvc.exe"
O4 - HKLM\..\Run: [UpdateP2GoShortCut] "C:\Program Files\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe" "C:\Program Files\CyberLink\Power2Go" UpdateWithCreateOnce "SOFTWARE\CyberLink\Power2Go\6.0"
O4 - HKLM\..\Run: [RemoteControl8] "C:\Program Files\CyberLink\PowerDVD8\PDVD8Serv.exe"
O4 - HKLM\..\Run: [PDVD8LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD8\Language\Language.exe"
O4 - HKLM\..\Run: [UpdatePPShortCut] "C:\Program Files\CyberLink\PowerProducer\MUITransfer\MUIStartMenu.exe" "C:\Program Files\CyberLink\PowerProducer" UpdateWithCreateOnce "Software\CyberLink\PowerProducer\5.0"
O4 - HKLM\..\Run: [UCam_Menu] "C:\Program Files\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe" "C:\Program Files\CyberLink\YouCam" UpdateWithCreateOnce "Software\CyberLink\YouCam\2.0"
O4 - HKLM\..\Run: [LGODDFU] "C:\Program Files\lg_fwupdate\fwupdate.exe" blrun
O4 - HKLM\..\Run: [UpdatePSTShortCut] "C:\Program Files\CyberLink\DVD Suite\MUITransfer\MUIStartMenu.exe" "C:\Program Files\CyberLink\DVD Suite" UpdateWithCreateOnce "Software\CyberLink\PowerStarter"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKCU\..\Run: [InstallIQUpdater] "C:\Program Files\W3i\InstallIQUpdater\InstallIQUpdater.exe" /silent /autorun
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\User\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [LightScribe Control Panel] C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe -hidden
O4 - Global Startup: Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://support.microsoft.com/Dcode/ActiveX/MSDcode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda ... 3112092955
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microso ... 3121114453
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/s ... wflash.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe

--
End of file - 6385 bytes
crazyfirex
Regular Member
 
Posts: 42
Joined: January 2nd, 2011, 10:00 pm
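Reading a HijackThis log like the one posted above is mostly a matter of splitting it into its "Running processes" block and its Rn/On entries and then asking a few conservative questions of each line. The script below is an added example (not part of the thread and not HijackThis's own code) that does exactly that over a constructed, shortened copy of the posted log: it flags binaries running or auto-starting from user-writable profile or temp directories, and O23 services whose publisher HijackThis reported as "Unknown owner". A hit means "look at this", not "this is malicious"; GoogleUpdate.exe in the posted log is a legitimate program that trips the first rule. The section letters and line layout are those of HijackThis 2.0.4 as shown in the log; the directory fragments treated as user-writable are this example's own assumption for an XP profile.

```python
"""Triage helper for HijackThis 2.0.x logs (added example, not HJT's code)."""
import re

# Constructed sample: a shortened copy of the log layout posted in the thread.
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 3:32:56 PM, on 2/6/2011
Platform: Windows XP SP3 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\services.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Documents and Settings\User\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\User\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [InstallIQUpdater] "C:\Program Files\W3i\InstallIQUpdater\InstallIQUpdater.exe" /silent /autorun
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe

--
End of file - 6385 bytes
"""

# Entry lines look like "O4 - HKLM\..\Run: [Name] path args"
ENTRY_RE = re.compile(r"^([RFNO]\d+)\s+-\s+(.*)$")
# First Windows path ending in an executable-style extension, quoted or not
PATH_RE = re.compile(r"([A-Za-z]:\\.*?\.(?:exe|dll|cpl|scr|sys))", re.IGNORECASE)
# Directory fragments an ordinary user can write to on XP (assumption of this
# example; compared case-insensitively)
USER_WRITABLE = ("\\local settings\\", "\\application data\\", "\\temp\\", "\\recycler\\")


def parse_hjt(text):
    """Return (running_processes, [(section, body), ...]) from a HijackThis log."""
    processes, entries = [], []
    in_processes = False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Running processes:":
            in_processes = True
            continue
        if not line:
            in_processes = False  # the process block ends at the first blank line
            continue
        if in_processes:
            processes.append(line)
            continue
        match = ENTRY_RE.match(line)
        if match:
            entries.append((match.group(1), match.group(2)))
    return processes, entries


def first_path(text):
    """Extract the first file path from an entry body, or None."""
    match = PATH_RE.search(text)
    return match.group(1) if match else None


def in_user_writable_dir(path):
    lowered = path.lower()
    return any(fragment in lowered for fragment in USER_WRITABLE)


def triage(text):
    """Return a list of (reason, evidence) pairs worth a human look."""
    processes, entries = parse_hjt(text)
    findings = []
    for proc in processes:
        if in_user_writable_dir(proc):
            findings.append(("process-in-user-writable-dir", proc))
    for section, body in entries:
        path = first_path(body)
        if section == "O4" and path and in_user_writable_dir(path):
            findings.append(("autorun-from-user-writable-dir", body))
        if section == "O23" and "Unknown owner" in body:
            findings.append(("service-without-publisher", body))
    return findings


if __name__ == "__main__":
    for reason, evidence in triage(SAMPLE_LOG):
        print(f"{reason}: {evidence}")
```

Run against the full posted log, the same rules fire on GoogleUpdate.exe (process and HKCU Run entry) and on the RichVideo service; the helper's value is that it makes the "why did this line catch my eye" reasoning explicit and repeatable, which is what a volunteer reviewing dozens of logs needs.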

Re: Soglueda.A infection - Windows XP

Post by turtledove » February 6th, 2011, 7:25 pm

Good day crazyfirex,

The HJT log looks good. Below are some needed steps for updates needed once XP is able to get on the internet. Then there are steps to take to help in the future.

**Please Print/Copy these so you'll have them when needed**

Uninstall Tools:
Uninstall Combofix

  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK.
  • Note the space between the X and the U, it needs to be there.
You can also delete any logs we have produced, and empty your Recycle bin.



Next:
Please download OTCleanIt v1.0.1.0: OTCleanIt and save it to your desktop.

Double click on OTCleanIt.exe. Click on CleanUp!.

You will receive a prompt that it needs to restart the computer to remove the files. Click Yes.

It will restart your computer automatically. If it doesn't, please restart your computer manually.



-------------------------------------

Uninstall out of date Programs
Add/Remove programs
  • Click on start
  • Then Run
  • In the open text entry box please copy/paste appwiz.cpl, then click Enter.
  • Press the "Remove" or "Change/Remove"...button to uninstall the following.
Adobe Reader

Reboot
-------------------------------------
The following is information to help minimize problems in the future.
***Please Copy/Print for reference when you need new Anti Virus/Firewall/Anti spyware.
First:

Before Surfing Be Sure that XP IS fully up to date
Visit Microsoft's Windows Update Site Frequently - This is important
XP Updates


-------------------------------------

Update Adobe Reader

  • You should Download and Install the newest version of Adobe Reader for reading pdf files.
  • Older versions may have vulnerabilities that malware can use to infect your system.
  • Go Here to download and install Adobe Reader X.
    Note: Uncheck Free McAfee® Security Scan Plus (optional)

While at Adobe:
Check for Flash update, current is Adobe Flash Player 10.1.102.64. Check if there is a newer version once connected

-------------------------------------
Please check For Java updates
If above Java 6 update 23 then download the newest version; select link for Windows Offline Installation.

-------------------------------------
Update Firefox
In Firefox, Select Help > Check for updates.

-------------------------------------


Some of your legitimate programs will leave .tmp files as they run. Clean these out regularly. Before running a scan is a good time.

Use the following and KEEP UPDATED
A Realtime monitor : (Replaces Spybot)
Download and install the free version of WinPatrol. This program protects your computer in a variety of ways and will work well with your existing security software. Have a look at this tutorial to help you get started with the program. If you want to help the developer of the program and get more information about the programs that you see in WinPatrol, please check out WinPatrol Plus. It does not need a new download.

Check for updates at least WEEKLY
Antivirus: *Use only one*
AntiVir
AVAST! Anti-Virus

Needed Firewall: Monitors traffic IN and OUT Bound. Very Important. *Use only one*
Online Armor
Agnitum

Java Updates: *Always remove old Java Before installing New Version*
Java Update



Here are some free programs I recommend that could help you improve your computer's security.


Install Malwarebytes Anti-Malware (should you need to obtain the program again)
This is an anti-malware application that can thoroughly remove even the most advanced malware. It includes a number of features, including a built-in protection monitor that blocks malicious processes before they even start.
You can find information and Download it from HERE


Install SpywareBlaster
Download and install Javacools SpywareBlaster from Here
SpywareBlaster adds a list of ActiveX controls, tracking cookies and sites which will be blocked in either Internet Explorer or Firefox browsers. You need to manually check for updates regularly.


Install SiteAdvisor
SiteAdvisor is a toolbar for Microsoft Internet Explorer and Mozilla Firefox which alerts you if you're about to enter a potentially dangerous website.
You can find more information and download it from Here


Install WinPatrol
As a robust security monitor, WinPatrol will alert you to hijackings, malware attacks and critical changes made to your computer without your permission. WinPatrol takes a snapshot of your critical system resources and alerts you to any changes that may occur without your knowledge.
For more information, please visit HERE


MVPS Hosts

Install MVPS Hosts File From Here
The MVPS Hosts file replaces your current HOSTS file with one containing well-known ad sites, etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer.
You can Find the Tutorial HERE


Update your Antivirus programs and other security products regularly to avoid new threats that could infect your system.
You can use one of these sites to check if any updates are needed for your PC.
Secunia Software Inspector
F-secure Health Check

Visit Microsoft often to get the latest updates for your computer
You can do that HERE


Read some information HERE On how to prevent Malware


You can help the fight, report it at Malware Complaints
Stand Up and be Counted!

I would be grateful if you could reply to this post so that I know you have read it and, if you've no other questions, the thread can be closed.


Thank you

turtledove
turtledove
Retired Graduate
Posts: 4398
Joined: February 13th, 2006, 3:26 am
Location: California
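The MVPS Hosts file described in the post above works by mapping a site's name to 127.0.0.1 so the connection never leaves the machine. The script below is an added example (not from the post and not the MVPS project's code) of the two checks worth knowing about that mechanism: whether a given name is actually blocked by a hosts file, and whether the hosts file has been tampered with in the opposite direction, pointing a name you rely on (an update or security vendor's server) at an address that is not a sinkhole. The sample hosts file and every host name in it are constructed placeholders under the reserved .invalid domain; 0.0.0.0 is included as a sinkhole alongside 127.0.0.1 because other blocklists use it.

```python
"""Hosts-file blocklist and tamper checks (added example, not MVPS code)."""
import ipaddress

# Addresses a hosts-file blocklist uses to sink a name
SINKHOLE_ADDRESSES = {"127.0.0.1", "0.0.0.0", "::1"}

# Constructed sample in the MVPS layout: address, one or more names, optional comment.
SAMPLE_HOSTS = """# localhost entries come first in the stock Windows file
127.0.0.1       localhost
::1             localhost

# blocklist section (placeholder names)
127.0.0.1  ads.example-tracker.invalid        # ad network
127.0.0.1  www.example-ads.invalid cdn.example-ads.invalid
0.0.0.0    telemetry.example.invalid

# a tampered entry of the kind a defender should look for: an update server
# pointed at an address that is not a sinkhole (TEST-NET-3 placeholder)
203.0.113.7  update.example-av.invalid
"""


def parse_hosts(text):
    """Return {hostname: address}; the first mapping for a name wins, as the resolver does."""
    mapping = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and surrounding whitespace
        if not line:
            continue
        fields = line.split()
        try:
            ipaddress.ip_address(fields[0])  # skip lines whose first field is not an address
        except ValueError:
            continue
        for name in fields[1:]:
            mapping.setdefault(name.lower(), fields[0])
    return mapping


def is_blocked(mapping, hostname):
    """True when the name is pinned to a sinkhole address.

    Matching is exact: a hosts file has no wildcards, so blocking ads.example
    does not block sub.ads.example.  'localhost' legitimately points at the
    loopback address and is never reported as blocked.
    """
    name = hostname.lower()
    if name == "localhost":
        return False
    return mapping.get(name) in SINKHOLE_ADDRESSES


def find_hijacks(mapping, watched_names):
    """Return {name: address} for watched names pinned to a non-sinkhole address.

    A hosts entry for an update or AV vendor that is not a sinkhole is a
    classic sign of tampering: the traffic is silently sent elsewhere.
    """
    hijacked = {}
    for name in watched_names:
        address = mapping.get(name.lower())
        if address is not None and address not in SINKHOLE_ADDRESSES:
            hijacked[name] = address
    return hijacked


if __name__ == "__main__":
    hosts = parse_hosts(SAMPLE_HOSTS)
    for name in ("ads.example-tracker.invalid", "sub.ads.example-tracker.invalid"):
        print(name, "blocked" if is_blocked(hosts, name) else "not blocked")
    watched = {"update.example-av.invalid", "www.example-ads.invalid"}
    print("hijacked:", find_hijacks(hosts, watched))
```

On a real XP machine the file to parse is %SystemRoot%\system32\drivers\etc\hosts; the exact-match behaviour is why the MVPS list is long, and why a hosts file is a complement to, not a replacement for, the browser-side blocking that SpywareBlaster provides.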

Re: Soglueda.A infection - Windows XP

Post by crazyfirex » February 6th, 2011, 7:43 pm

I do have 2 questions.
1.) Why didn't uninstalling ESET remove those folders?
2.) Can I delete "svchost.exe "?
crazyfirex
Regular Member
 
Posts: 42
Joined: January 2nd, 2011, 10:00 pm