
Author Topic: Another "application cannot be executed" infection  (Read 16434 times)


Crazywumbat (Topic Starter)

    Another "application cannot be executed" infection
    « on: February 15, 2010, 06:39:39 PM »
    Hi all, I'm also having this bug. I ran whatever form of McAfee virus scan my school requires us to have uploaded to get access to the network and it removed enough to let applications start and I can start Task Manager again, but my background still changes every time I start up my computer and Spybot keeps popping up with these Buffer Overflow alerts. I read through some other threads and saw that I should post my own. I tried to download some of the programs you all were talking about; I have HijackThis, but the MajorGeeks website isn't loading for me.

    I don't know that much about computers, and I'm a little nervous about accessing my email or bank account information on here until I fix it (I don't know if there's a real danger there, so let me know if I'm just being overly cautious), but any help would be greatly appreciated. Thanks in advance guys.

    evilfantasy (Malware Removal Specialist, Moderator)
    Re: Another "application cannot be executed" infection
    « Reply #1 on: February 16, 2010, 01:02:24 PM »
    Welcome to CH.

    Run these three scanners as described. Keep the logs to post in your next reply.


    Try not to restart the computer until one of the tools we use does it for you or tells you to.

    Please download and run the below tool named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.
     
    There are 4 different versions. If one of them won't run then download and try to run the next one.
     
    Vista and Windows 7 users need to right click Rkill and choose Run as Administrator

    You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool; ignore them or shut down your antivirus.

    * Rkill.com
    * Rkill.scr
    * Rkill.pif
    * Rkill.exe

    * Double-click on the Rkill desktop icon to run the tool.
    * If using Vista or Windows 7 right-click on it and choose Run As Administrator.
    * A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
    * When finished it will create a log. Please post the rkill.log in the next reply.

    * If Rkill does not run from the first link, delete the file, then download and use the one provided in Link 2. If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
    * Do not reboot until instructed.
    * If the tool does not run from any of the links provided, please let me know.

    Once you've gotten one of them to run then try to immediately run the following.

     
    Download and run exeHelper

    * Please download exeHelper from Raktor to your desktop.
    * Double-click on exeHelper.com to run the fix.
    * A black window should pop up, press any key to close once the fix is completed.
    * A log file named log.txt will be created in the directory where you ran exeHelper.com
    * Add the log.txt file to your next message.

    Note: If the window shows a message that says "Error deleting file", please re-run the program before posting a log - and post the two logs together (they will both be in the one file).


    If you already have Malwarebytes be sure to update it before running the scan!

    Download Malwarebytes' Anti-Malware (MBAM)

    * Double-click mbam-setup.exe and follow the prompts to install the program.
    * At the end, be sure a checkmark is placed next to the following:

    * Update Malwarebytes' Anti-Malware
    * Launch Malwarebytes' Anti-Malware

    * Then click Finish
    * If an update is found, it will download and install the latest version.
    * Once the program has loaded, select Perform quick scan, then click Scan.
    * When the scan is complete, click OK, then Show Results to view the results.
    * Be sure that everything is checked, and click Remove Selected.
    * When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
    * The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
    * Copy and Paste the entire report in your next reply.

    Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process, if asked to restart the computer, please do so immediately.

    Crazywumbat

      Re: Another "application cannot be executed" infection
      « Reply #2 on: February 16, 2010, 07:35:10 PM »
      Thanks for your reply,

      Unfortunately neither the Rkill tool nor the Malwarebytes download links are working for me; I keep getting a Page Load Error screen. exeHelper worked though.

    evilfantasy
      Re: Another "application cannot be executed" infection
      « Reply #3 on: February 16, 2010, 10:02:31 PM »
      Try this.

      Download TDSSKiller and save it to your desktop.

      * Right-click on the file and choose Extract All, extract the file to your desktop, then run it.
      * Once completed it will create a log in your C:\ drive with a name similar to 'TDSSKiller.2.1.1_27.12.2009_14.17.04_log.txt'.
      * Please post the contents of that log.

    Crazywumbat

        Re: Another "application cannot be executed" infection
        « Reply #4 on: February 17, 2010, 12:42:15 AM »
        I can't download this one either, takes me to a page load error with:

        Though the site seems valid, the browser was unable to establish a connection.

            * Could the site be temporarily unavailable? Try again later.
            * Are you unable to browse other sites?  Check the computer's network connection.
            * Is your computer or network protected by a firewall or proxy? Incorrect settings can interfere with Web browsing.


        And if I try to right click + save it, I get a "File could not be saved because source file could not be read"

        I have Hijack This downloaded if that will help anything, and that exehelper from your first post.

    evilfantasy
        Re: Another "application cannot be executed" infection
        « Reply #5 on: February 17, 2010, 09:20:57 AM »
        Reset Hosts File:

        * Go to Start > Run and type Notepad.exe then click OK
        * Copy and Paste everything from the Code Box below into Notepad:

        Code:
        @echo off
        rem Reset the hosts file to the Windows default (a single localhost entry).
        rem %SystemRoot% is used so this works even if Windows is not on the current drive.
        pushd %SystemRoot%\system32\drivers\etc
        rem Clear the hidden/system/read-only attributes so the file can be overwritten.
        attrib -h -s -r hosts
        echo 127.0.0.1  localhost>hosts
        attrib +r +h +s hosts
        popd
        rem The batch file deletes itself when done.
        del %0

        * Go to File > Save As
        * Save File name as Reset.bat
        * Change Save as Type to All Files and save the file to your desktop.

        On the desktop double click the Reset.bat to run the batch file. It will self-delete when completed.

        ----------

        Now run HijackThis and post the log please.
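The batch file above overwrites the hosts file blind. A practitioner would want to look at it first, both to confirm that a hosts hijack is really what is breaking the downloads and to keep a record of which domains the malware pointed where. The Python below is an added example, not part of this post or of any tool mentioned in it: it parses hosts-file text the way the resolver reads it and reports every mapping that is not one of the stock localhost lines. The sample hosts content is constructed for illustration and is not the poster's actual file.

```python
from typing import List, Tuple

# The only mappings a stock Windows hosts file carries (XP ships just the first).
DEFAULT_ENTRIES = {("127.0.0.1", "localhost"), ("::1", "localhost")}


def parse_hosts(text: str) -> List[Tuple[str, str]]:
    """Return (address, hostname) pairs the way the resolver reads the file.

    '#' starts a comment, blank lines are skipped, and one line may map several
    hostnames to the same address, so each hostname becomes its own pair.
    """
    pairs: List[Tuple[str, str]] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        address, *names = line.split()
        pairs.extend((address, name.lower()) for name in names)
    return pairs


def suspicious_entries(text: str) -> List[Tuple[str, str]]:
    """Every mapping that is not a stock localhost line.

    A hijacked hosts file usually points security-vendor domains at loopback
    (downloads fail with a connection error, as in this thread) or at an
    attacker's address. Both kinds land here for the analyst to judge.
    """
    return [p for p in parse_hosts(text) if p not in DEFAULT_ENTRIES]


def loopback_blackholes(text: str) -> List[str]:
    """Hostnames other than localhost that resolve to 127.x.x.x or ::1."""
    return [name for address, name in suspicious_entries(text)
            if address.startswith("127.") or address == "::1"]


# Constructed sample of a hijacked hosts file; not the poster's actual file.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       www.malwarebytes.org download.bleepingcomputer.com
127.0.0.1       support.kaspersky.com   # vendor sites blackholed
198.51.100.7    www.example-bank.test   # redirected to another host
"""

if __name__ == "__main__":
    for address, name in suspicious_entries(SAMPLE_HOSTS):
        print(f"{name:40} -> {address}")
```

On the XP machine in this thread the file lives at C:\WINDOWS\system32\drivers\etc\hosts; read it with open(path).read() and pass the text to suspicious_entries(). A legitimate entry (a lab host, an ad server you blocked yourself) is listed too, which is the point: the analyst decides, the script only removes the noise.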

    Crazywumbat

          Re: Another "application cannot be executed" infection
          « Reply #6 on: February 17, 2010, 12:40:44 PM »
          Here's the HijackThis log.

          [Saving space, attachment deleted by admin]

    evilfantasy
          Re: Another "application cannot be executed" infection
          « Reply #7 on: February 17, 2010, 03:34:58 PM »
          The computer is infected by one or more backdoor trojans, worms, rootkits or keyloggers which have backdoor functionality. This can give intruders complete control of the computer, logging keystrokes, stealing information, etc.

          You are strongly advised to do the following immediately!

          * Disconnect infected computer from the internet and from any networked computers until the computer can be cleaned.
          * Call all of your banks, credit card companies, financial institutions and inform them that you may be a victim of identity theft and to put a watch on your accounts or change all your account numbers.
          * From a clean computer, change all of your online passwords -- for ISP login, email, banks, financial accounts, PayPal, eBay, online companies, and any online forums or groups you belong to.
          * Because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure it can ever again be trusted.
          * Many experts in the security community believe that once infected with this type of Trojan, the best course of action would be a reformat and reinstall of the OS. However, if you do not have the resources to reinstall your OS and would like me to attempt to clean your machine, I will be happy to do so.

          To help you make a more informed decision, please read the following articles:

          * Danger: Remote Access Trojans.
          * When should I re-format? How should I reinstall?
          * How Do I Handle Possible Identity Theft, Internet Fraud and Credit Card Fraud?

          Should you have any questions, please feel free to ask.
          Please let me know your decision and we'll get started with clean up if that's what you choose.



    Crazywumbat

            Re: Another "application cannot be executed" infection
            « Reply #8 on: February 17, 2010, 04:26:23 PM »
            Thanks for your help. This computer is fairly old, so I won't be too disappointed if nothing can be done. I do have around four years of music, school work, and other documents and stuff on here though. I don't know if this is a dumb question, but if I try to upload the files I'd like to keep to an external HD, is there any risk of the external being compromised?

            If there's really no possibility of being able to trust the PC to work right then I don't think I'll go the route of trying to clean it I guess. Do you have any further recommendations?

    evilfantasy
            Re: Another "application cannot be executed" infection
            « Reply #9 on: February 17, 2010, 05:02:14 PM »
            We can try to clean it. It might not be as bad as it appears.


            Boot the computer into Safe Mode and try to run rkill and then Malwarebytes right after that.

    Crazywumbat

              Re: Another "application cannot be executed" infection
              « Reply #10 on: February 17, 2010, 10:14:39 PM »
              Ok, I ran both. Applications are working now, and it's not blocking me from downloading .exe files anymore. Also, my background no longer has that "Computer has been infected" message, but it does flash from my prior background to a plain blue screen now after everything loads. Should I redo any of the other applications and repost the logs?

    evilfantasy
              Re: Another "application cannot be executed" infection
              « Reply #11 on: February 18, 2010, 11:19:46 AM »
              Let's make sure everything is actually gone now.


              If you already have ComboFix be sure to delete it and download a new copy.

              Download ComboFix© by sUBs from one of the below links. Be sure to save it to the Desktop.

              Link #1
              Link #2

              **Note:  It is important that it is saved directly to your Desktop

              Close any open web browsers (Firefox, Internet Explorer, etc.) before starting ComboFix.

              Temporarily disable your antivirus and any antispyware real time protection before performing a scan. Click this link to see a list of security programs that should be disabled and how to disable them.
               
              Double click combofix.exe & follow the prompts.
              Vista users Right-Click on ComboFix.exe and select Run as administrator (you will receive a UAC prompt, please allow it)
              When finished ComboFix will produce a log for you.
              Post the ComboFix log in your next reply.

              Important: Do not mouseclick ComboFix's window while it is running. That may cause it to stall.

              Remember to re-enable your antivirus and antispyware protection when ComboFix is complete.

              If you have problems with ComboFix usage, see How to use ComboFix

              ----------

              Now run a new HijackThis scan and post the log along with the ComboFix log.


    Crazywumbat

                Re: Another "application cannot be executed" infection
                « Reply #12 on: February 18, 2010, 12:25:45 PM »
                Ok did that. The annoying background from the virus is gone now, although it did revert my desktop wallpaper to what it was around a year ago rather than what it was before the virus hit, but I'm guessing that's nothing significant. The log files are attached.

                [Saving space, attachment deleted by admin]

    evilfantasy
                Re: Another "application cannot be executed" infection
                « Reply #13 on: February 18, 2010, 12:45:49 PM »
                Still some work to do...


                Open HijackThis and select Do a system scan only

                Place a check mark next to the following entries: (if there)

                - O2 - BHO: (no name) - {5CA3D70E-1895-11CF-8E15-001234567890} - (no file)
                - O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)
                - O2 - BHO: (no name) - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - (no file)

                - O15 - Trusted Zone: http://*.buy-security-essentials.com
                - O15 - Trusted Zone: http://*.download-soft-package.com
                - O15 - Trusted Zone: http://*.download-software-package.com
                - O15 - Trusted Zone: http://*.get-key-se10.com
                - O15 - Trusted Zone: http://*.is-software-download.com
                - O15 - Trusted Zone: http://*.buy-security-essentials.com (HKLM)
                - O15 - Trusted Zone: http://*.get-key-se10.com (HKLM)


                Important: Close all open windows except for HijackThis and then click Fix checked.

                Once completed, exit HijackThis.

                ----------

                You have Viewpoint installed.

                Viewpoint Media Player/Manager/Toolbar is considered foistware rather than malware: it is installed without the user's approval but doesn't spy or do anything "bad".

                More information:

                * ViewMgr.exe - Useless
                * Viewpoint to Plunge Into Adware

                It is suggested to remove the program now. Go to Start > Control Panel > Add/Remove Programs (on Vista and Win7, Programs and Features) and remove the following programs if present.

                * Viewpoint
                * Viewpoint Manager
                * Viewpoint Media Player
                * Viewpoint Toolbar
                * Viewpoint Experience Technology

                ----------

                Download Disable/Remove Windows Messenger to the desktop to remove Windows Messenger.

                Do not confuse Windows Messenger with MSN Messenger or Windows Live Messenger because they are not the same. Windows Messenger is a frequent cause of popups.

                Unzip the file on the desktop. Open the MessengerDisable.exe and choose the bottom box - Uninstall Windows Messenger and click Apply.

                Exit out of MessengerDisable then delete the two files that were put on the desktop.

                ----------

                Your Java is out of date.
                 
                Older versions have vulnerabilities that malicious sites can use to infect your system.
                 
                First install the new Sun Java Runtime Environment

                Note: UNCHECK any pre-checked toolbar and/or software offered with the Java update. The pre-checked toolbars/software are not part of the Java update.

                Be sure to close all browser windows before beginning the install.
                 
                Remove the old version(s)
                 
                Download JavaRa
                * Unzip the file and open the JavaRa.exe
                * Click Remove Older Versions
                * JavaRa will search for outdated versions of Java and remove any that are found.
                * Click Additional Tasks
                * Place a check next to Remove Useless JRE Files and click Go
                * Exit JavaRa
                * Delete the JavaRa files from the desktop

                Additional Note: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. To disable the JQS service if you don't want to use it, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click OK and restart your computer.

                ----------

                If you already have Malwarebytes be sure to update it before running the scan!

                Download Malwarebytes' Anti-Malware (MBAM)

                * Double-click mbam-setup.exe and follow the prompts to install the program.
                * At the end, be sure a checkmark is placed next to the following:

                * Update Malwarebytes' Anti-Malware
                * Launch Malwarebytes' Anti-Malware

                * Then click Finish
                * If an update is found, it will download and install the latest version.
                * Once the program has loaded, select Perform quick scan, then click Scan.
                * When the scan is complete, click OK, then Show Results to view the results.
                * Be sure that everything is checked, and click Remove Selected.
                * When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
                * The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
                * Copy and Paste the entire report in your next reply.

                Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process, if asked to restart the computer, please do so immediately.

                ----------

                RootRepeal - Rootkit Detector

                * Download the following tool: RootRepeal - Rootkit Detector
                * Direct download link is here: RootRepeal.zip

                * Close all programs and temporarily disable your anti-virus, Firewall and any anti-malware real-time protection before performing a scan.
                * Click this link to see a list of such programs and how to disable them.

                * Extract the program file to a new folder such as C:\RootRepeal
                * Run the program RootRepeal.exe and go to the REPORT tab and click on the Scan button.
                * Select ALL of the checkboxes and then click OK and it will start scanning your system.
                * If you have multiple drives you only need to check the C: drive or the one Windows is installed on.
                * When done, click on Save Report
                * Save it to the same location where you ran it from, such as C:\RootRepeal
                * Save it as rootrepeal.txt
                * Then open that log and select all and copy/paste it back on your next reply please.
                * Close RootRepeal.

                ----------

                Next post please add the MBAM and RootRepeal logs.
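The entries this reply asks HijackThis to fix fall into two patterns worth recognising on sight. O2 entries whose DLL path reads "(no file)" are Browser Helper Object registrations whose file is gone, left behind by an earlier removal. O15 entries add a site to Internet Explorer's Trusted zone, where content runs under relaxed security settings; rogue software adds its own payment and download domains there, once for the current user and once machine-wide (the lines marked (HKLM)). The Python below is an added example, not HijackThis' own code: it parses those two line types and flags orphaned BHOs and every Trusted zone site that is not on an allowlist. The sample log is a constructed excerpt containing the entries quoted in this reply plus two benign lines; the allowlist domain and the "Example Helper" CLSID are placeholders.

```python
import re
from typing import Dict, List, Set

# HijackThis line formats for BHOs (O2) and Trusted-zone sites (O15).
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.*)$")
O15_RE = re.compile(r"^O15 - Trusted Zone: (?P<site>\S+)(?: \((?P<hive>HKLM)\))?$")

# Assumption: sites an organisation deliberately placed in the Trusted zone.
# On a home PC this set is normally empty, so every O15 line is a finding.
TRUSTED_ZONE_ALLOWLIST: Set[str] = {"*.intranet.example"}


def triage_hjt(log: str, allowlist: Set[str] = TRUSTED_ZONE_ALLOWLIST) -> Dict[str, List[str]]:
    """Return orphaned BHO CLSIDs and Trusted-zone sites not on the allowlist."""
    findings: Dict[str, List[str]] = {"orphan_bho": [], "trusted_zone": []}
    for line in log.splitlines():
        m = O2_RE.match(line)
        if m:
            # "(no file)": the CLSID is still registered as a BHO but its DLL is
            # gone. The registration is dead weight and is removed with the rest.
            if m["path"].strip() == "(no file)":
                findings["orphan_bho"].append(m["clsid"])
            continue
        m = O15_RE.match(line)
        if m:
            host = re.sub(r"^https?://", "", m["site"])
            if host not in allowlist:
                # Keep the hive marker: HKLM lines affect every user on the machine.
                hive = " (HKLM)" if m["hive"] else ""
                findings["trusted_zone"].append(m["site"] + hive)
    return findings


# Constructed excerpt: the entries from this reply plus two benign lines.
SAMPLE_LOG = r"""Logfile of HijackThis (constructed excerpt)
O2 - BHO: (no name) - {5CA3D70E-1895-11CF-8E15-001234567890} - (no file)
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)
O2 - BHO: (no name) - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - (no file)
O2 - BHO: Example Helper - {00000000-0000-0000-0000-000000000000} - C:\Program Files\Example\helper.dll
O15 - Trusted Zone: http://*.buy-security-essentials.com
O15 - Trusted Zone: http://*.download-soft-package.com
O15 - Trusted Zone: http://*.get-key-se10.com
O15 - Trusted Zone: http://*.buy-security-essentials.com (HKLM)
O15 - Trusted Zone: http://*.get-key-se10.com (HKLM)
O15 - Trusted Zone: http://*.intranet.example
"""

if __name__ == "__main__":
    for category, items in triage_hjt(SAMPLE_LOG).items():
        for item in items:
            print(f"{category}: {item}")
```

"Fix checked" in HijackThis removes the O15 entries from the ZoneMap\Domains keys under Software\Microsoft\Windows\CurrentVersion\Internet Settings (HKCU for the per-user lines, HKLM for the machine-wide ones); the script only decides which boxes to tick.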

    Crazywumbat

                  Re: Another "application cannot be executed" infection
                  « Reply #14 on: February 18, 2010, 06:06:32 PM »
                  Ok they're run.

                  MBAM Log:
                  Malwarebytes' Anti-Malware 1.44
                  Database version: 3759
                  Windows 5.1.2600 Service Pack 2
                  Internet Explorer 6.0.2900.2180

                  2/18/2010 7:42:27 PM
                  mbam-log-2010-02-18 (19-42-27).txt

                  Scan type: Quick Scan
                  Objects scanned: 127122
                  Time elapsed: 11 minute(s), 52 second(s)

                  Memory Processes Infected: 0
                  Memory Modules Infected: 0
                  Registry Keys Infected: 1
                  Registry Values Infected: 0
                  Registry Data Items Infected: 0
                  Folders Infected: 0
                  Files Infected: 1

                  Memory Processes Infected:
                  (No malicious items detected)

                  Memory Modules Infected:
                  (No malicious items detected)

                  Registry Keys Infected:
                  HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\asc3550p (Rootkit.Agent) -> Quarantined and deleted successfully.

                  Registry Values Infected:
                  (No malicious items detected)

                  Registry Data Items Infected:
                  (No malicious items detected)

                  Folders Infected:
                  (No malicious items detected)

                  Files Infected:
                  C:\WINDOWS\system32\config\47210688.Evt (Rootkit.Agent.H) -> Quarantined and deleted successfully.


                  Root Repeal:
                  ROOTREPEAL (c) AD, 2007-2009
                  ==================================================
                  Scan Start Time:      2010/02/18 19:54
                  Program Version:      Version 1.3.5.0
                  Windows Version:      Windows XP Media Center Edition SP2
                  ==================================================

                  Drivers
                  -------------------
                  Name: dbmxs.sys
                  Image Path: dbmxs.sys
                  Address: 0xF7592000   Size: 54016   File Visible: No   Signed: -
                  Status: -

                  Name: dump_atapi.sys
                  Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
                  Address: 0xF396B000   Size: 98304   File Visible: No   Signed: -
                  Status: -

                  Name: dump_WMILIB.SYS
                  Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
                  Address: 0xF7AEE000   Size: 8192   File Visible: No   Signed: -
                  Status: -

                  Name: rootrepeal.sys
                  Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
                  Address: 0xB862C000   Size: 49152   File Visible: No   Signed: -
                  Status: -

                  Hidden/Locked Files
                  -------------------
                  Path: C:\hiberfil.sys
                  Status: Locked to the Windows API!

                  Path: c:\windows\system32\config\31614900.evt
                  Status: Allocation size mismatch (API: 524288, Raw: 98304)

                  Path: c:\documents and settings\kevin\local settings\application data\bvrp software\netwaiting\mohlog.txt
                  Status: Allocation size mismatch (API: 112, Raw: 72)

                  Hidden Services
                  -------------------
                  Service Name: asc3550p
                  Image Path: C:\WINDOWS\system32\DRIVERS\asc.sys

                  ==EOF==
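Two things in the logs above deserve attention before anything else is run. MBAM reports deleting the service key asc3550p at 19:42, yet the RootRepeal scan at 19:54 still lists asc3550p as a hidden service. RootRepeal also shows a loaded driver, dbmxs.sys, whose image path is a bare file name and which is not visible through the file API. The dump_atapi.sys, dump_WMILIB.SYS and rootrepeal.sys entries marked "File Visible: No" are expected on any machine (in-memory crash-dump copies of the disk stack and the scanner's own driver) and are not findings. The Python below is an added example, not part of either tool: it parses the RootRepeal report and the MBAM log and surfaces pathless drivers, hidden services, allocation-size mismatches, and service names that MBAM removed but that are hidden again in the later scan. The embedded reports are abridged from the logs posted above.

```python
import re
from typing import Dict, List

# Loaded drivers RootRepeal reports as "File Visible: No" on a clean system:
# in-memory crash-dump copies of the disk stack and RootRepeal's own driver.
EXPECTED_INVISIBLE = {"dump_atapi.sys", "dump_wmilib.sys", "rootrepeal.sys"}

# Abridged from the RootRepeal report posted above (field spacing preserved).
ROOTREPEAL_REPORT = r"""Drivers
-------------------
Name: dbmxs.sys
Image Path: dbmxs.sys
Address: 0xF7592000   Size: 54016   File Visible: No   Signed: -
Status: -

Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xF396B000   Size: 98304   File Visible: No   Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Path: c:\windows\system32\config\31614900.evt
Status: Allocation size mismatch (API: 524288, Raw: 98304)

Hidden Services
-------------------
Service Name: asc3550p
Image Path: C:\WINDOWS\system32\DRIVERS\asc.sys

==EOF==
"""

# The two detections from the MBAM log posted above.
MBAM_LOG = r"""Registry Keys Infected:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\asc3550p (Rootkit.Agent) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\config\47210688.Evt (Rootkit.Agent.H) -> Quarantined and deleted successfully.
"""

MBAM_SERVICE_RE = re.compile(r"\\Services\\(?P<svc>[^\\\s]+) \((?P<detection>[^)]+)\)")


def parse_rootrepeal(report: str) -> Dict[str, List[Dict[str, str]]]:
    """Parse the report into {section: [entry, ...]} with entry = {field: value}.

    A section is a title line followed by a dashed rule; entries are separated
    by blank lines; a line such as 'Address: ..   Size: ..   File Visible: No'
    carries several fields, split here on runs of three or more spaces.
    """
    sections: Dict[str, List[Dict[str, str]]] = {}
    current, entry = None, {}
    lines = report.splitlines()

    def flush() -> None:
        nonlocal entry
        if current is not None and entry:
            sections[current].append(entry)
        entry = {}

    for i, line in enumerate(lines):
        following = lines[i + 1] if i + 1 < len(lines) else ""
        if following.startswith("---") and line.strip():
            flush()
            current = line.strip()
            sections[current] = []
        elif line.startswith(("---", "==")) or current is None:
            continue
        elif not line.strip():
            flush()
        else:
            for field in re.split(r"\s{3,}", line.strip()):
                key, _, value = field.partition(":")
                entry[key.strip()] = value.strip()
    flush()
    return sections


def mbam_removed_services(log: str) -> Dict[str, str]:
    """Service names under HKLM\\...\\Services that MBAM reported on, with the detection name."""
    return {m["svc"]: m["detection"] for m in MBAM_SERVICE_RE.finditer(log)}


def triage(rootrepeal_report: str, mbam_log: str) -> Dict[str, List[str]]:
    """Cross-check both reports and return the items an analyst should look at."""
    rr = parse_rootrepeal(rootrepeal_report)
    hidden = {s["Service Name"]: s.get("Image Path", "") for s in rr.get("Hidden Services", [])}
    return {
        # A loaded driver whose image path is a bare file name has no backing
        # file the file API can see: a classic kernel-mode rootkit footprint.
        "pathless_drivers": [d["Name"] for d in rr.get("Drivers", [])
                             if d["Name"].lower() not in EXPECTED_INVISIBLE
                             and "\\" not in d.get("Image Path", "")],
        "hidden_services": [f"{name} -> {path}" for name, path in hidden.items()],
        # Raw on-disk size differing from what the API reports means something
        # is filtering reads of that file; note the .evt name mirrors the MBAM hit.
        "size_mismatch": [f["Path"] for f in rr.get("Hidden/Locked Files", [])
                          if f.get("Status", "").startswith("Allocation size mismatch")],
        # Service keys MBAM says it deleted that are hidden again minutes later:
        # the removal did not stick, a strong sign the rootkit is still active.
        "reappeared": sorted(set(hidden) & set(mbam_removed_services(mbam_log))),
    }


if __name__ == "__main__":
    for category, items in triage(ROOTREPEAL_REPORT, MBAM_LOG).items():
        print(f"{category}: {items}")
```

A service that is hidden again after a reported removal is the kind of result that backs the advice in Reply #7: cleaning a machine from inside the machine while a rootkit is still resident is unreliable, and the reinstall option should stay on the table.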