Major virus problem, please help anyone

Post by junipaire » July 31st, 2006, 12:48 pm

Hi, I wonder if anyone could help

Just got a virus, I think, on my machine. Everything slowed down till I had to turn it off at the back. It came back up and I tried to use my AVG virus protector to do a scan, but it wouldn't open the test centre, so I did a Spybot check and adware and they worked, then tried the one for shredder to check for trojans and it wouldn't open that up, so I tried rebooting it. For ages I couldn't get back on. I tried safe mode and it would go to the blue screen and say Windows is loading or starting, one of them, and wouldn't go any further; it normally says welcome, doesn't it? Anyway, after a while of trying, I managed to get on in safe mode but still can't run my AVG or get online. Can you get online in safe mode, by the way?

Oh, I also tried to use System Restore and yes, you guessed it, it didn't do anything on that either. You click on it but nothing comes up, almost like the virus is stopping me any way of getting rid of it.

I have tried to go into safe mode networking and it goes to the blue screen for me to choose user or administrator, but then after my choice it just goes to a black screen with safe mode in the corners but doesn't load anything else.

Have tried going into safe mode dot prompt and putting in c:\windows\system32\restore\rstrui.exe
All it did was move down and say
c:\Documents and Settings\administrator\ again

I also can't use my recovery disc. My reload Windows disc doesn't work for a start, as I had to pay for it from Time when I bought the machine, and it went ages ago did my computer like this and I tried the reload disc then and it never worked. It's a Time Mirage computer and I managed, forgot how to solve it, and got my machine back. I think it kept crashing and I used anticrash and it's worked fine from then.

It stops me opening up certain programs, including sadly hijackthis and cw shredder, yet I can open spybot and adware fine.

Also, a strange thing happened. I got on in safe mode and shut down as normal, then started it up without safe mode and it went on and started Windows. I couldn't get Internet Explorer to work but did get Firefox to get up. It was really slow and didn't load my home page, but Google seemed to come up and I put in housecall and it came up with their site link, only it wouldn't go to the site, just had an error page. That is very strange, cause obviously the internet connection was working but wouldn't let me go to any other site but Google. How could a virus do that?

Does anyone have any more ideas?

Phil
junipaire
Active Member
 
Posts: 10
Joined: April 4th, 2005, 10:04 am

Post by Bob4 » July 31st, 2006, 2:29 pm

_________________________________
Welcome to the Malware removal forums. I will be more than happy to help you work on your problems.
The fixes we will use are specific to your problems and should only be used for this issue on this machine.

Please only use this topic to reply to. Do not start another thread.
If any other issues arise let me know.
The process is not instant. Please continue to review my answers until I tell you your machine is clear. Absence of symptoms does not mean that everything is clear. So let's do this to the end!
Please if you decide to seek help at another forum let us know. There is a shortage of helpers and tying 2 of us up is a waste of time.
If you have any questions about any advice given here please STOP and ask!


This isn't sounding very good at all. But I will try and see if we can get things to where we can repair them.


Here are a couple of steps to try and run HijackThis. Follow them in order. If one step doesn't work, continue to the next step:

Step # 1

Rename HijackThis.exe to H.exe. Try a scan. If it works, post the log back here. If not, proceed to the next step.

Step # 2

Go to this link and download version 1.98 of HijackThis.exe:
It's listed on the left side; scroll down a bit to see it.

http://www.tomcoyote.org/hjt/

Try a scan. If it works, post the log back here. If not, proceed to the next step.

Step # 3

Click here and download Itty Bitty Process Manager (IBProcMan.zip): http://www.merijn.org/files/ibprocman.zip .

Unzip it to its own directory and try running it - it will provide a 'taskmanager' like process viewer in which you can stop running processes. Don't stop any yet, just list all that it has so I can check them and give advice. Post the list back here.
Bob4
MRU Master
 
Posts: 6073
Joined: November 12th, 2005, 11:26 am
Location: Florida

Post by junipaire » July 31st, 2006, 4:24 pm

Hi, I tried the first one and it sadly didn't work. The other two I couldn't do either, cause it won't let me onto the internet. I did try copying the downloads onto an external hard drive I have but it still wouldn't open these.

Do you think it will have to be a new PC, or is there anything else I could try? Someone from the PC Advisor forum that I posted on yesterday did suggest maybe trying buying a Norton antivirus disc, but I don't know if it would open that either.

I did try to copy a downloaded AVG that I put on my external hard drive using this laptop that I'm on now, by the way, posting here. On the hard drive on my PC it did open it but asked for a purchased code or something, even though it was the free edition, so I don't know why that was.

Any other suggestions?

Post by Bob4 » July 31st, 2006, 4:53 pm

You're getting onto the internet somehow to post here. Try the other 2 and copy the programs from one computer that does get on the internet to a USB/flash drive or CD-ROM. I'm also pretty certain that both programs would fit on a floppy drive.

Then run them on the infected machine.

Post by Bob4 » July 31st, 2006, 4:54 pm

I just reread your post. You tried running the other 2 programs copied to an external drive?

Post by junipaire » August 1st, 2006, 2:16 am

Yeah, I'm on my laptop posting on here, and yeah, I tried putting them on my external hard drive but they wouldn't open, unfortunately.

Post by Bob4 » August 1st, 2006, 7:39 am

I'm not sure how much help I can be if we can't get anything to run on it.


Tell me what operating system you're using.

Do you have an antivirus program installed?
_________________________
Let's try something simple. Open the Task Manager and write down all the processes from the process tab that you see. Post them here.

Do you have a Windows installation disk that works?

Post by junipaire » August 2nd, 2006, 5:18 am

Here's what it said in the Task Manager:

vsmon.exe 00 23,784K
RcMon.exe 00 7,088K
CISVC.EXE 00 2,084K
Unlocker Assistant 00 4,168K
realsched.exe 00 192K
PDVDServ.exe 00 4,460K
2LCLIENT.EXE 00 3,584K
ATIPTAXX.EXE 00 5,896K
RUNDLL32 00 4,044K
CTDVDDET.EXE 00 4,056K
CTSysVol.exe 00 4,148K
SOUNDMAN.EXE 00 4,148K
CDACIIBA.EXE 00 3,500K
Ati2evxx.exe 00 2,380K
cidaemon.exe 00 1,284K
SPOOLSV.EXE 00 4,232K
svchost.exe 00 3.644K
svchost.exe 00 1,856K
svchost.exe 00 2,968K
tabletservice.exe 00 5,548K
Ymsgr_tray.exe 00 6,064K
svchost.exe 00 15,904K
Integrator.exe 00 5,772K
svchost.exe 00 3,000K
Ati2evxx.exe 00 2,432K
isass.exe 00 912K
services.exe 00 4,992K
taskmgr.exe 00 4,260K
csrss.exe 00 3,964K
snmp.exe 00 5,388K
E_S10IC2.EXE 00 4,348K
SMSS.EXE 00 463K
SAgent2.exe 00 4,960K
MFindexer.exe 00 5,932K
CTsvcCDA.exe 00 3,604K
system 00 216K
system Idle Process SYSTEM 80 20K


No, sadly I don't have a Windows installation disk that works. I did get a recovery disc free when I bought the Time Mirage PC, but sadly it doesn't work with this machine, so they gave me the wrong one, and they, as you probably know, went bust last year.

cheers
Phil

Post by Bob4 » August 2nd, 2006, 6:47 am

In Task Manager, stop the following processes by right-clicking on each of them and choosing stop.
After you do that, see if you can run HijackThis. Post the log if possible.

You may also want to disconnect any hardware that is not needed for a while: printers, scanners, external hard drives that aren't running Windows, etc.

RcMon.exe
Unlocker Assistant
realsched.exe
PDVDServ.exe
2LCLIENT.EXE
CTDVDDET.EXE
SPOOLSV.EXE
Ymsgr_tray.exe
isass.exe
E_S10IC2.EXE
SAgent2.exe
MFindexer.exe

Post by junipaire » August 2nd, 2006, 10:07 am

Just tried and couldn't get rid of lsass.exe, which I can presume is the virus in question, is it? It just won't let me get rid of that.

I also tried in safe mode but couldn't stop it there either.

It also wouldn't let me open HijackThis again without the other stuff gone.

Phil

Post by Bob4 » August 2nd, 2006, 7:51 pm

"Just tried and couldn't get rid of lsass.exe"
NO! That is a legitimate file.

Don't try to delete that one. The one we're looking for is isass.exe
Note the spelling. It is a trojan that has backdoor capabilities.

Please read this carefully!

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

It's very possible that anything could have been installed on your computer by the remote attacker, including opening other backdoors and installing rootkits. While we can attempt to clean what we see in your logs, we can't guarantee that your computer will be completely in the clear, since we have no way of knowing what has been done to the computer. Your computer could be completely compromised at this moment. It may be prudent to back up your information, reformat, and reinstall.

More information on Remote Access Trojans can be found here

I suggest you do the following immediately:

1. Call all of your banks, credit card companies, financial institutions and inform them that you may be a victim of identity theft and to put a watch on your accounts or change all your account numbers.

2. From a clean computer, change *all* your online passwords -- for email, for banks, financial accounts, PayPal, eBay, online companies, any online forums or groups you belong to.

Do NOT change passwords or do any transactions while using the infected computer because the attacker will get the new passwords and transaction information.

Should you have any questions, please feel free to ask.

Please let me know what you decide to do in your next post.




_______________________

I will check with others here to see if they have suggestions on how to help you.

I assume you can not get this machine online at all ?

___________________________________
Reconfigure Windows XP to show hidden files:

Click Start, then My Computer.
Select the Tools menu, then Folder Options. Select the View tab.
Under the Hidden files and folders heading select "Show hidden files and folders".
Uncheck the "Hide protected operating system files (recommended)" option.
Uncheck the "Hide file extensions for known file types" option.
Click Yes to confirm. Click OK.


Do an all files search for isass.exe and in this order:

If you find more than 1 copy do this with them all.
deleting it
renaming it ..
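The isass.exe / lsass.exe mix-up in the post above is a name-masquerading pattern that can be checked mechanically. The following is an added example, not part of the original posts or any tool named in them: it flags process names that differ from a Windows system binary only by look-alike characters or a single edit. The reference list, the character map and the function names are assumptions, and the sample input is a subset of the Task Manager list posted earlier in this thread.

```python
# Added example: flag process names that imitate Windows system binaries.
# KNOWN_SYSTEM and CONFUSABLE are assumed, illustrative reference data.
KNOWN_SYSTEM = {"lsass.exe", "svchost.exe", "csrss.exe", "smss.exe",
                "services.exe", "winlogon.exe", "explorer.exe", "spoolsv.exe"}

# Characters commonly swapped for a visually similar one (assumed map).
CONFUSABLE = str.maketrans({"i": "l", "1": "l", "0": "o", "5": "s"})

def skeleton(name):
    """Lower-case the name and fold look-alike characters together."""
    return name.lower().translate(CONFUSABLE)

def edit_distance(a, b):
    """Levenshtein distance using two rows of the DP table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def find_lookalikes(process_names):
    """Return (observed, imitated, reason) for near-miss system names."""
    findings = []
    for raw in process_names:
        name = raw.strip().lower()
        if name in KNOWN_SYSTEM:
            continue  # exact name match; the file path still needs checking
        for real in sorted(KNOWN_SYSTEM):
            if skeleton(name) == skeleton(real):
                findings.append((raw, real, "confusable characters"))
                break
            if edit_distance(name, real) == 1:
                findings.append((raw, real, "one character off"))
                break
    return findings

# Subset of the process list posted in this thread.
SAMPLE = ["vsmon.exe", "SPOOLSV.EXE", "svchost.exe", "isass.exe",
          "services.exe", "csrss.exe", "snmp.exe", "SMSS.EXE", "taskmgr.exe"]

if __name__ == "__main__":
    for observed, real, reason in find_lookalikes(SAMPLE):
        print(f"{observed}: resembles {real} ({reason})")
```

An exact name match is not proof of legitimacy on its own: the genuine lsass.exe runs from the Windows System32 directory, so a correctly spelled name running from another folder deserves the same scrutiny.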

Post by Bob4 » August 2nd, 2006, 8:01 pm

I would like to ask you again if you can try downloading Hijackthis and placing it on a CD or a usb flash drive. Or even a floppy disk and try running it that way.

Post by junipaire » August 4th, 2006, 4:49 am

Hi Bob

I tried all and it seemed the damn thing doesn't want to play ball, so decided yesterday to give up and get a new machine. All my important files are on the external hard drive and I have done 3 virus checks on it to hopefully not pass this thing on.

Just thought I'd let you know and thank you for your help, I really appreciate it. On the new one I will purchase an antivirus and not use the free AVG one, as I don't want this happening again.

cheers again
Philip

Post by NonSuch » August 4th, 2006, 2:49 pm

This topic is now closed. If you wish it reopened, please send us an email to 'admin at malwareremoval.com' with a link to your thread.

You can help support this site from this link :
Donations For Malware Removal

Please do not contact us if you are not the topic starter. A valid, working link to the closed topic is required along with the user name used. If the user name does not match the one in the thread linked, the email will be deleted.
NonSuch
Administrator
 
Posts: 28747
Joined: February 23rd, 2005, 7:08 am
Location: California