
Author Topic: FrostWire repeatedly restarting  (Read 5611 times)


mewgirl

    Topic Starter
    FrostWire repeatedly restarting
    « on: February 25, 2010, 07:31:49 PM »
    ...was my original problem.  The infection came from a zip file on a p2p program (Ares, not FrostWire).  FrostWire is not my current p2p program, but it is the one that was activated by this virus or malware.

    The program did not cause any other visible problems at the time, but since FrostWire itself immensely slows down computers (especially while starting), I needed to fix this immediately.  Googling FrostWire help forums led me to someone who linked to another topic where the poster had a different infection with the same symptom, saying that you need to do what poster #2 advises, which is copy the task manager program to your desktop and run it from there, then end suspicious processes, then "delete suspicious files from the following areas," then delete anything that Specific Virus Scanner detects.  Stupidly, he led people to a non-free program.  Task manager didn't show any suspicious processes, so I ran a virus scanner first.  I also uninstalled FrostWire through Add/Remove, which then stopped popping up.  For the virus scanner, I used AVG because, recently, that has seemed to be the preferred one with my computer-knowledgeable friends.  However, AVG doesn't seem to have very many options; it doesn't (as far as I can tell) allow you to "fix" only what you want, and for that matter it doesn't fix anything unless you first enable it in a very hard-to-find options menu.  The first scan took almost 8 hours, and, to the best of my knowledge, did not fix anything.  The major offending file, both in the topic and according to AVG (the only one that triggered the 'major warning' alert), was a file titled svchost.exe in the fonts folder.  I scanned again, scanning only the fonts folder.  To the best of my knowledge, AVG still did not "fix" anything.  I finally found the options menu, and, after running a third or fourth complete scan with no other programs running (except Notepad), it said "All infection healed, restart required now/later?".  I chose "later" and later restarted my computer.

    After restarting the computer, there were many random "0x100000c" or whatever errors, some from fake processes and some from legitimate processes (such as Java).  After killing the virus' processes with RunAlyzer, the main process most likely being sdrm64, this stopped.  However the malware has also
    -infected Google so that all Google links are redirected - I just discovered that this does not seem to apply when the same address is typed in.  This also deletes all history so you can't click "back" and then "stop" to load the wanted page.  "Meta Refresh" in IE options is disabled, although I am using Firefox (3).
    -probably changed the options to "do not show hidden files & folders," and hidden Folder Options from the control panel (I do not know where else to access it from)
    -Prevented the installation of HJT
    -Allowed installation of Spybot, but prevents SpyBot from running
    -Added "new folder" in C:/, which contains badly done copies of the multi-user folders.  Most oddly, my own user name has a capital letter, but the other two users' names do not have any capital letters, even though they are capitalized on the logon screen.
    -"Registry Editing has been disabled by the administrator," which prevents the few built in "fix" options from Safer Networking non-Spybot programs, as they seem to want to open the registry and have you delete it, rather than deleting it through the program, which is why I downloaded HJT (which, as mentioned, will not install).
    -"System Restore has been turned off by group policy."

    ProcAlyzer shows three instances of iexplore.exe, tagged correctly (running from the right location and marked as Microsoft).

    RunAlyzer does not show these processes.  Task manager does show them, and they restart when ended from there.  I have not started Internet Explorer on this system since the last restart, and to the best of my knowledge the process does not normally start itself.

    RootAlyzer shows malware in "C:\new folder\All Users\Application Data".  Deleting "new folder" or any of its subfolders receives, "This folder contains files with names that are too big for the recycle bin.  Delete permanently yes/no?".  However, in investigating these folders, it showed pictures that actually belong to me, which is strange.  For that reason, not knowing if any of these folders actually contain needed information, I clicked "No" and left the folders in place.  There is no visible "Application Data" folder in "C:\new folder\All Users," and it is for that reason that I believe the malware may have set hidden folders not to appear, especially because "Folder Options" is missing.  However, typing the directory into "Run..."
    ...actually I just did so again in order to report exactly what the error message said, in case the faked error message could help determine the malware's identity, and this time, it worked.  Perhaps I made a typo the first time.  Although this definitely verifies that "hidden folders" was changed.  However none of the files marked as infected in RootAlyzer show in this folder (I assume they are marked as hidden).

    After attempting to use the "Restore Main Window" application for Spybot, which it turns out is something you double-click which then edits or opens the registry (its file icon is a registry-related one, blue), and henceforth getting the "administrator" error message, I now hear system beeps about twice per second that do not seem to be coming from anywhere.  They are not doing what they usually do when they are due to an actual system error, such as slowing things down, leaving "window trails" or repeating your mouseclicks multiple times, etc.  It is just the noise.

    Yes, I realize that restarting the computer is generally a bad idea, but AVG requires it (so I guess my friends made a stupid decision for their virus scanner?), and the user whose removal post I was following finished his/her removal by using the virus scanner.  (And the symptoms had apparently stopped at that point, leading me to believe file removal was the final step...   not to mention leading me to believe the offending file had been found due to AVG's message... (I do not believe that message was faked by the malware)).

    AVG also does not seem to have any options for disabling various parts of its "all-in-one suite" crap, so it really seems like a bad idea.  But these people are generally good with advice on which software to use - one of them runs his own hosting company, for example.
    « Last Edit: February 25, 2010, 08:34:20 PM by mewgirl »

    SuperDave

    • Malware Removal Specialist
    • Moderator

    Re: FrostWire repeatedly restarting
    « Reply #1 on: February 25, 2010, 08:00:25 PM »
    Hello mewgirl and welcome to Computer Hope Forum. My name is Dave. I will be helping you out with your particular problem on your computer. I am working under the guidance of one of the specialists of this forum so it may take a bit longer to process your logs.

    1. I will be working on your Malware issues. This may or may not solve other issues you have with your machine.
    2. The fixes are specific to your problem and should only be used for this issue on this machine.
    3. If you don't know or understand something, please don't hesitate to ask.
    4. Please DO NOT run any other tools or scans while I am helping you.
    5. It is important that you reply to this thread. Do not start a new topic.
    6. Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
    7. Absence of symptoms does not mean that everything is clear.

    You said that you are running a P2P file-sharing program on your computer. While the program itself is probably safe, the files you download with this program are a major source of infections. Therefore, I strongly urge you to uninstall it/them.

    ==============================================

    Please download and run the below tool named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.
    Save Rkill to your desktop.

    There are 4 different versions. If one of them won't run then download and try to run the other one.
     
    Vista and Win7 users need to right click Rkill and choose Run as Administrator
     

    You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shutdown your antivirus.

    Rkill.exe
    Rkill.com
    Rkill.scr
    Rkill.pif

    Once you've gotten one of them to run then try to immediately run the following.
     
    Now download and Run exeHelper.

    Please download exeHelper from Raktor to your desktop.
    • Double-click on exeHelper.com to run the fix. A black window should pop up; press any key to close once the fix is completed. A log file named log.txt will be created in the directory where you ran exeHelper.com. Attach the log.txt file to your next message.

      Note: If the window shows a message that says "Error deleting file", please re-run the program before posting a log - and post the two logs together (they will both be in the one file).

    mewgirl

      Topic Starter
      Re: FrostWire repeatedly restarting
      « Reply #2 on: February 25, 2010, 08:58:26 PM »
      Please tell me what you are having me do to this computer rather than presuming I will blindly follow instructions with programs I have never heard of.

      "FireFox cannot find the server at bleepingcomputer.com".  This also applies to Geeks2Go and answers.yahoo.com, but does not apply to mail.yahoo.com.  This also means I cannot access BleepingComputer.com in order to find out what exactly that program will be doing.  I assume it is an automated task killer...   in which case I cannot choose which processes to end.  The program is also not available at CNET.  As mentioned, I have used RunAlyzer to end the malware's processes already, although RunAlyzer's result is slightly different than ProcAlyzer's result.  The processes have not restarted themselves, which RunAlyzer prevents.  iexplore.exe however continues to restart itself if ended.  Internet Explorer does not actually start, though.

      Quote from: exeHelper by Raktor
      Build 20091220
      Run at 21:51:06 on 02/25/10
      Now searching...
      Checking for numerical processes...
      Checking for sysguard processes...
      Checking for bad processes...
      Checking for bad files...
      Deleting file C:\WINDOWS\msa.exe
      Deleting file C:\WINDOWS\system32\sdra64.exe
      Error deleting C:\WINDOWS\system32\sdra64.exe - Set for removal on reboot - PLEASE REBOOT
      Checking for bad registry entries...
      Resetting filetype association for .exe
      Resetting filetype association for .com
      Resetting userinit and shell values...
      Resetting policies...
      --Finished--

      A file says, "Set for removal on reboot," but I have not run any virus programs since the last reboot, so I am not sure if I should reboot it again, although I am pretty sure that after the initial reboot another usually doesn't screw things up any worse.
      « Last Edit: February 25, 2010, 09:49:44 PM by mewgirl »

      evilfantasy

      • Malware Removal Specialist
      • Moderator

      Re: FrostWire repeatedly restarting
      « Reply #3 on: February 26, 2010, 10:06:52 AM »
      Please tell me what you are having me do to this computer rather than presuming I will blindly follow instructions with programs I have never heard of.

      We always give detailed instructions and the logs contain all of the information on what was done. We actually do read all of the information in every log and we invite those we are helping to do so as well. You downloaded a torrent that you had no clue what it would do to your computer. You should have used that digression then.

      The tools are specialized and discussing their functions in an open forum is not something we are allowed to or are willing to do. If you are willing to put some faith in us we will get your computer sorted out. If not then we will not be able to help.


      Reset Hosts File:

      * Go to Start > Run and type Notepad.exe then click OK
      * Copy and Paste everything from the Code Box below into Notepad:

      Code:
      @Echo off
      rem Rewrite the hosts file with only the default localhost entry, then remove this script.
      pushd %SystemRoot%\system32\drivers\etc
      attrib -h -s -r hosts
      echo 127.0.0.1  localhost>HOSTS
      attrib +r +h +s hosts
      popd
      del %0

      * Go to File > Save As
      * Save File name as Reset.bat
      * Change Save as Type to All Files and save the file to your desktop.

      On the desktop double click the Reset.bat to run the batch file. It will self-delete when completed.

      ----------

      If you already have ComboFix be sure to delete it and download a new copy.

      Download ComboFix© by sUBs from one of the below links. Be sure to save it to the Desktop.

      Link #1
      Link #2

      **Note:  It is important that it is saved directly to your Desktop

      Close any open Web browsers. (Firefox, Internet Explorer, etc) before starting ComboFix.

      Temporarily disable your antivirus and any antispyware real time protection before performing a scan. Click this link to see a list of security programs that should be disabled and how to disable them.
       
      Double click combofix.exe & follow the prompts.
      Vista users Right-Click on ComboFix.exe and select Run as administrator (you will receive a UAC prompt, please allow it)
      When finished ComboFix will produce a log for you.
      Post the ComboFix log in your next reply.

      Important: Do not mouseclick ComboFix's window while it is running. That may cause it to stall.

      Remember to re-enable your antivirus and antispyware protection when ComboFix is complete.

      If you have problems with ComboFix usage, see How to use ComboFix
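      A defender's check for the kind of hosts-file hijack the reset above addresses, as an added example (not from the thread or from the helpers' tools): it parses hosts-file text, flags non-localhost names pinned to a loopback address, which is how security sites such as bleepingcomputer.com become unreachable, flags names pointed at routable addresses, and produces the same minimal content Reset.bat writes. The sample file and its 203.0.113.9 redirect line are constructed for illustration.

```python
"""Audit Windows hosts-file text for blocked or redirected names.

Added example for this thread; not part of the original post.
"""
import ipaddress
import re

# Names a stock Windows hosts file may legitimately map to loopback.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}

# Constructed sample: a stock header, two default lines, then hijack lines.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
::1             localhost
127.0.0.1 bleepingcomputer.com
127.0.0.1 www.bleepingcomputer.com
127.0.0.1 geekstogo.com
203.0.113.9 www.google.com   # constructed redirect target (TEST-NET-3)
"""


def parse_hosts(text):
    """Return (ip, hostname) pairs, ignoring comments and blank lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"\s+", line)
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # not an address; skip malformed line
        for name in parts[1:]:
            entries.append((ip, name.lower()))
    return entries


def find_hijacks(text):
    """Classify suspicious mappings as (kind, name, address) tuples.

    'blocked'    : a non-local name pointed at loopback (site made unreachable)
    'redirected' : a name pointed at a non-loopback address
    """
    findings = []
    for ip, name in parse_hosts(text):
        if ip.is_loopback:
            if name not in LOCAL_NAMES:
                findings.append(("blocked", name, str(ip)))
        else:
            findings.append(("redirected", name, str(ip)))
    return findings


def clean_hosts():
    """Minimal hosts content, the same single line Reset.bat writes."""
    return "127.0.0.1  localhost\n"


if __name__ == "__main__":
    for kind, name, addr in find_hijacks(SAMPLE_HOSTS):
        print(f"{kind:10} {name} -> {addr}")
```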

      mewgirl

        Topic Starter
        Re: FrostWire repeatedly restarting
        « Reply #4 on: February 26, 2010, 08:54:16 PM »
        I had to restart my computer for other reasons.  The "Folder Options" file is now visible (and, of course, I have enabled "Show hidden Files") and Google no longer redirects results links; however, registry editing and certain websites ("cannot find server") are still disabled.  In addition, there is now an error message at computer restart that is SIMILAR TO, BUT NOT EXACTLY "wowinrule".  I will edit this when I am able to restart to put in the correct name if necessary, but since the symptoms seem irrelevant to the proposed solutions so far, I am not going to go through that hassle at this exact moment.

        Neither giving "instructions designed for someone who has never used a Windows 95+ computer before" nor the fact that a program produces a log will teem is before I run it.  Perhaps you are telling me to download a spyware checker, and they have a preferred software.  The proper way to post this is one of two things: "This problem is usually caused by spyware of a type that most scanners can catch, but that virus scanners often do not catch.  If you do not have a spyware checker already installed, I recommend [link].  (Optional:) This particular brand always catches and fixes the particular spyware that I believe you have, so if your current or preferred checker does not fix it, you can also try the one I have linked."

        There is no software in the history of software creation in which discussing its functions is "not allowed".  Telling somebody that Microsoft Word is a document creation/editing program may possibly hurt sales to people who had believed it was spreadsheet software, but since those people will either return the software or sue Microsoft for refusing to tell them what the program is, they will end up not having lost any sales, but gained them from people who previously had no idea what Microsoft Word was.

        As a more obvious and real-world example, it would be very stupid for someone to run a commercial virus scanner, such as Norton or McAfee, and not look through the log and uncheck anything that they themselves installed or purposely changed before running the "fix"es.  It would also be stupid for an experienced user not to fix certain things on their own, if, for example, Norton's response is to merely delete a file but the user is aware that this is a remnant of an old program and also checks the registry for related entries before deleting the remnant (at which point he will no longer have a reminder to go to the registry).

        The only possibility that telling someone what a program does would be "not allowed" is if someone on this message board has designed it themselves, in which case it quite obviously is "allowed" as they are the one making such decision.

        The only thing the previous program recommended to me did, ACCORDING TO ITS LOG (which is highly unlikely to have ACTUALLY logged EVERY single thing it did, not to mention this ONLY tells you AFTER it has done so even if it were, by some rare mechanism, telling you EVERYTHING), is delete two files.  The poster who told me to do this said he was working "underneath someone else," and since you are both posting everything in bold and red and all that, I am guessing you are that human being.  If that is true I can treat this as one long strain of advice, rather than multiple people giving ideas to try and help.  The log did not give any information other than the fact that "sdra64" is the malware that has infected here, and I did not post the results of what the computer was or was not still doing. Since my first post already gives the same information the log does by telling you that the malware is "sdra64," well, I don't know what I was originally going to conclude this paragraph with because the *censored* who lives here has interrupted me too many times, but that is definitely odd.

        In addition, I have never downloaded a torrent, nor do you have any idea whether or not I am the human who infected this computer.  Also, any file that has ever been voluntarily used on any computer I have used with my knowledge has explained what its function is.  (Whether or not this was a lie is a different issue, but explaining the function of a software is generally required if you want anyone to use it, ever.  Links that merely say, "Download this!  no explanation given!", tend to be infections.)

        You are now telling me to name a file "Reset.bat".  Obviously, it would be a VERY bad idea to run anything entitled "Reset" without knowing what it does.  If my computer is going to be "reset", that should be an OPTION that I have the OPTION to purpose.  If any particular program settings are going to be "reset", I should also have the OPTION to keep my current data, either by saving it in a different manner (recording open FireFox pages into Notepad), copying the %AppData% (in case the infection is not located in %AppData%), or saving Word documents off my desktop.  In addition, one would need to notify any other users of the computer and finish any current tasks they are working on.

        On the other hand, the name of a file rarely has any effect on its function, although I am aware there are cases in which it does (if, for example, this file is supposed to imitate another file, in which the original file has been infected and I am now creating a clean version of it, which therefore requires a compatible name).

        Perhaps I am resetting my display settings, which I would need to know in order to change them back.  All of these things may fix a virus, but could possibly also
        -cause worse problems by deleting or resetting some settings for a program that I can't recreate
        or
        -change / reset settings in an area that I can recreate, but won't know they have changed unless I am told they have been changed (for example, enabling and disabling services)

        Next you recommend a virus scanner called "ComboFix".  Does ComboFix just happen to be a really good virus scanner?  Or is it pretty much a piece of crap, but designed for the computer-illiterate people who apparently make up a good portion of "customers" here (due to the highly detailed instructions) and also known to find this particular malware?  Or is it not a piece of crap but still known to be able to find this particular malware which is hidden from many other scanners?

        Of course none of the information in the above paragraph isn't NECESSARY for someone to know, but the people who AREN'T computer-illiterate would probably EXPECT to be told this, so it would be good to post so, so that they can make an informed decision of whether to keep this after download.  If they are very experienced they may be able to tell themselves, but there are also non-illiterate people who may not be able to tell for themselves whether this scanner is a piece of crap or not, mainly because virus scanners' usefulness is based on what it catches rather than just how it looks, and even non-illiterate users may not know if, for example, a particular virus scanner is running a firewall without their permission (non-illiterate but non-experienced).  It is, however, generally expected to mention that the program is a virus scanner...   I think you mentioned this unintentionally.

        In addition you missed an opportunity to help someone further their own knowledge, which is another generally-expected thing of a computer forum - if the one being helped is not a complete idiot who is incapable of understanding anything you say, and they are also not arrogant and therefore unwilling and/or uncaring of what you are actually doing (or instructing them to do) - that people tend to just LIKE to educate others as to what to do.  This certainly decreases the likelihood that the poster will need to be helped in future problems.  So in this case, you are having me "write" and execute a program.  Again you don't HAVE to tell me that, but most want to - someone who doesn't know what typing this stuff into Notepad is doing, they will now be aware (if you told them) that they can write scripts and merely save them in a Notepad file and run them.  At the same time they probably would have figured this out - since I was not previously unaware I can't accurately perceive whether or not an unaware intelligent human being would realize this.  My post probably would have said something like, "Copy to Notepad etc. - this only works with scripts, btw - programs written in languages such as Java and C++ have to be compiled first."  (I am not entirely sure if I am correct in that only scripts and web languages can be merely saved to Notepad.)

        In any case I am not very comfortable about running a program entitled "restart", especially when the human instructed to do so is typing as a "professional", and isn't necessarily likely to warn me if this will mess with my %AppData% folder, mess with FireFox in any way, change services or other control panel options, etc.  (Maybe you, evilfantasy specifically, would warn me, but in general the likelihood of any "professional-style poster" is significantly less than the likelihood of any human posting in conversational English, so that's not saying YOU wouldn't warn me).  So please tell me what exactly I am "reset"ting, if anything.

        evilfantasy

        • Malware Removal Specialist
        • Moderator

        Re: FrostWire repeatedly restarting
        « Reply #5 on: February 27, 2010, 10:48:58 AM »
        At the beginning of the instructions it clearly says Reset Hosts File:

        If you can get me some of the logs I am requesting we can move forward. We are busy in this forum and have more requests for help than we do helpers to respond to them. If I am wasting your time let me know so I can move on to someone who will work with me.