Computer Hope

Software => Computer viruses and spyware => Virus and spyware removal => Topic started by: Jbravo45 on August 06, 2010, 10:40:26 PM

Title: File XXX.exe cannot be executed, this file is infected!
Post by: Jbravo45 on August 06, 2010, 10:40:26 PM

Hi, my issue is very similar to this thread:
http://www.computerhope.com/forum/index.php/topic,95177.0.html
running on windows Vista, with a HP laptop, after not being able to run any programs I restarted the computer and loaded it up in safe mode, while in safe mode I hit Start, and searched for run.  I then typed /msconfig and looked through the start up applications, I found a weird file called vsileudi from manufacturer "unknown" so I disabled it from starting up.  I restarted windows and loaded the normal mode and the "virus" stopped popping up. I was then able to load applications just fine, it says the internet is connected and it works from my desktop but I couldn't get it to work on my laptop.  So I played around with the options in firefox and clicked on the option for "auto-detect proxy settings for this connection" and I was able to surf the web again.  but when I load IE or I use a program that needs internet connection (iTunes) it fails to work.  I went ahead and did the scans required from the sticky thread of what we should do before posting and my logs from superanti spyware, Mbam log, and hijackthis are attached.  any help would be appreciated!


[recovering disk space - old attachment deleted by admin]

Title: Re: File XXX.exe cannot be executed, this file is infected!
Post by: Crush on August 09, 2010, 06:16:18 PM

Hello, and welcome to Computer Hope Forums!

I'm Crush but, you can call me Chris too :) and I will be helping you with your Malware issues

Please note the following information about the malware forum:

• Only members of the Malware Removal Specialist user group are allowed to give advice on removing malware from your computer. Do not follow the advice of anyone without that user title.
  
• From this point on, please do not make any more changes to your computer; such as install/uninstall programs, use special fix tools, delete files, edit the registry, etc. - unless advised by the staff I noted above.
  
• Please do not ask for help elsewhere (in this site or other sites). Doing so can result in system changes, which may not show up in the logs you post.
• If you have already asked for help somewhere, please post the link to the topic you were helped.
• We try our best to reply quickly, but for any reason we do not reply in two days, do this:

Reply to this topic with the word BUMP.

• Lastly, keep in mind that we are volunteers, so you do not have to pay for malware removal. Persist in this topic until its close, and your computer is declared clean.

Now that we have that out of the way:

Please download and run RKill.

    Download mirror 1 (http://download.bleepingcomputer.com/grinler/rkill.com) - Download mirror 2 (http://download.bleepingcomputer.com/grinler/rkill.exe) - Download mirror 3 (http://download.bleepingcomputer.com/grinler/rkill.scr)

   

• Save it to your Desktop.
• Double click the RKill desktop icon.
• It will quickly run and launch a log. If it does not launch a log, try another download link until it does.
• Please post its log in your next reply.
• After it has run successfully, delete RKill.

Note: This tool only kills the active infection, the actual infection will not be gone. Once you reboot the infection will be active again! Please do not reboot until instructed further to do so.
=======

Download OTL (http://oldtimer.geekstogo.com/OTL.exe)  to your Desktop

• Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
• Under the Custom Scan box paste this in

Code: [Select]

netsvcs
msconfig
safebootminimal
safebootnetwork
activex
drivers32
%SYSTEMDRIVE%\*.exe
%systemroot%\*. /mp /s
c:\$recycle.bin\*.* /s
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs
/md5start
eventlog.dll
scecli.dll
netlogon.dll
cngaudit.dll
sceclt.dll
ntelogon.dll
logevent.dll
iaStor.sys
nvstor.sys
nvstor32.sys
atapi.sys
IdeChnDr.sys
viasraid.sys
AGP440.sys
vaxscsi.sys
nvatabus.sys
viamraid.sys
nvata.sys
nvgts.sys
iastorv.sys
ViPrt.sys
eNetHook.dll
explorer.exe
svchost.exe
userinit.exe
qmgr.dll
ws2_32.dll
proquota.exe
imm32.dll
kernel32.dll
ndis.sys
autochk.exe
spoolsv.exe
xmlprov.dll
ntmssvc.dll
mswsock.dll
Beep.SYS
ntfs.sys
termsrv.dll
sfcfiles.dll
st3shark.sys
ahcix86.sys
srsvc.dll
nvrd32.sys
/md5stop
%systemroot%\system32\*.dll /lockedfiles
%systemroot%\Tasks\*.job /lockedfiles

• Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.
  
  • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
    
  • Please copy (Edit>Select All, Edit>Copy) the contents of these files, one at a time
    

Title: Re: File XXX.exe cannot be executed, this file is infected!
Post by: Jbravo45 on August 09, 2010, 08:40:19 PM

Rkill, and the OTL logs are all attached

[recovering disk space - old attachment deleted by admin]

Title: Re: File XXX.exe cannot be executed, this file is infected!
Post by: Crush on August 09, 2010, 10:12:11 PM

Please download ComboFix (http://img7.imageshack.us/img7/4930/combofix.gif) from BleepingComputer.com (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)

Alternate link: GeeksToGo.com (http://subs.geekstogo.com/ComboFix.exe)


Rename ComboFix.exe to commy.exe before you save it to your Desktop

• Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools A guide to do this can be found here (http://www.bleepingcomputer.com/forums/topic114351.html)
  
• Click Start then copy paste the following command into the search box & hit enter: "%userprofile%\desktop\commy.exe" /stepdel
  
• As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. This will not install in Vista. Just continue scanning, and skip the console install.
• When finished, it shall produce a log for you.  Please include the contents of C:\ComboFix.txt in your next reply.

Title: Re: File XXX.exe cannot be executed, this file is infected!
Post by: Jbravo45 on August 10, 2010, 08:39:41 AM

I disabled my antispyware and antivirus applications, and then I downloaded combofix and renamed it to my desktop, after I click start and search for "%userprofile%\desktop\commy.exe" /stepdel, nothing pops up.  I also changed %userprofile% with the name of the user and it still doesn't do anything.  I tried opening combofix from the desktop and it opens a progress bar and as it fills up green, when it gets to the end a pop up appears saying "Incompatible OS.  ComboFix only works for workstations with Windows 2000 and XP."

Title: Re: File XXX.exe cannot be executed, this file is infected!
Post by: Crush on August 10, 2010, 11:21:52 AM

Is this a 64 bit OS?

Title: Re: File XXX.exe cannot be executed, this file is infected!
Post by: christy66 on August 10, 2010, 11:32:51 AM

yes

Title: Re: File XXX.exe cannot be executed, this file is infected!
Post by: Crush on August 10, 2010, 11:39:45 AM

Alrighty. This should be fun  ;D

    Please run OTL.exe.
   

• Copy the commands with file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
  
     
      :OTL
  IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>
  IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:6522
  
      :commands
  [emptytemp]
  [emptyflash]
     
  
     
• Return to OTL.exe, right click in the "Custom Scans/Fixes" window (under the light green bar) and choose Paste.
  
     
• Click the red Run Fix button.
     
• A fix log in Notepad will appear. Copy the contents of the fix log to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
     
• Close OTL.exe
     

If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
========

Please download and run this tool.

Download Malwarebytes' Anti-Malware from Here (http://www.besttechie.net/tools/mbam-setup.exe)

Double Click mbam-setup.exe to install the application.

• Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
• If an update is found, it will download and install the latest version.
• Once the program has loaded, select "Perform Quick Scan", then click Scan.
• The scan may take some time to finish,so please be patient.
• When the scan is complete, click OK, then Show Results to view the results.
• Make sure that everything is checked, and click Remove Selected.
• When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note)
• The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.

Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.

Post the contents of the MBAM Log along with the OTL fix log

Title: Re: File XXX.exe cannot be executed, this file is infected!
Post by: Jbravo45 on August 11, 2010, 05:56:37 PM

The OTL log and MBAM logs are attached, thanks

[recovering disk space - old attachment deleted by admin]

Title: Re: File XXX.exe cannot be executed, this file is infected!
Post by: Crush on August 12, 2010, 01:02:03 AM

Hi,

How are things running now? Can you please post a fresh OTL log?