win32/Heur Virus - an SOS message

[Collins]

Find attached the LOP and RSIT scanning reports.

[attachment deleted by admin]

[evilfantasy]

Disable Windows Defender

We need to disable your Windows Defender Real-time Protection as it may interfere with the fixes that we need to make.

• Open Windows Defender
  
• Click on Tools > Option
  
• Scroll down and uncheck Use real-time protection (recommended)
  
• After you uncheck this, click on the Save button and then exit Windows Defender
  
• Now on your keyboard press and hold Ctrl+Alt and then press the Delete key tow times to bring up the Task Manager.
  
• Locate MSASCui.exe then right click on it and choose End Process. Click Yes on the Task Manager Security Warning.

After all of the fixes are complete it is very important that you enable real-time protection again.
.
----------

Open HijackThis and select Do a system scan only.

Place a check mark next to the following entries: (if there)

- R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) =
- R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
- O2 - BHO: Ask Toolbar BHO - {FE063DB1-4EC0-403e-8DD8-394C54984B2C} - C:\Program Files\AskTBar\bar\1.bin\ASKTBAR.DLL
- O3 - Toolbar: Ask Toolbar - {FE063DB9-4EC0-403e-8DD8-394C54984B2C} - C:\Program Files\AskTBar\bar\1.bin\ASKTBAR.DLL
- O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1

Important: Close all windows except for HijackThis and then click Fix checked.

Exit HijackThis.

----------

Download the OTMoveIt3 by OldTimer

Note: If you are running on Vista, right-click on OTMoveIt3.exe and choose Run As Administrator.

* Save it to your Desktop.
* Double-click OTMoveIt3.exe to run it.
* Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy)

Code: [Select]

:Processes
explorer.exe

:reg
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FE063DB1-4EC0-403e-8DD8-394C54984B2C}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar\{FE063DB9-4EC0-403e-8DD8-394C54984B2C}]

:files
C:\Program Files\AskTBar
C:\rsit
C:\lopR.txt
C:\Lop SD
C:\ComboFix.txt
C:\WINDOWS\zip.exe
C:\WINDOWS\VFIND.exe
C:\WINDOWS\SWXCACLS.exe
C:\WINDOWS\SWSC.exe
C:\WINDOWS\SWREG.exe
C:\WINDOWS\sed.exe
C:\WINDOWS\NIRCMD.exe
C:\WINDOWS\grep.exe
C:\WINDOWS\fdsv.exe
C:\Qoobox
C:\SDFix
C:\VundoFix.txt
C:\VundoFix Backups

:Commands
[purity]
[emptytemp]
[start explorer]
[Reboot]

* Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window (under the yellow bar) and choose Paste.
* Click the red Moveit! button.
* Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
Close OTMoveIt3

Note: If a file or folder cannot be moved immediately you may be asked to reboot your computer in order to finish the move process. If asked to reboot, choose Yes.If not, reboot anyway.

Is everything back to normal now?

[evilfantasy]

Bump/ Post edited.

[Collins]

Hi,
I could not open the Windows Defender.  I got an error message saying in brief "the shortcut MSAQSCui.exe is missing".
For this reason I could not go to the Windows defender tools.
I also realised that "regedit" is working and I get the message that "Regedit has been disabled by the administrator".

[evilfantasy]

OK just go ahead with the next step.

[Collins]

========== PROCESSES ==========
Process explorer.exe killed successfully.
========== REGISTRY ==========
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FE063DB1-4EC0-403e-8DD8-394C54984B2C}\\ not found.
========== FILES ==========
C:\Program Files\AskTBar\PopSwatr\History moved successfully.
C:\Program Files\AskTBar\PopSwatr moved successfully.
C:\Program Files\AskTBar\bar\Settings moved successfully.
C:\Program Files\AskTBar\bar\History moved successfully.
C:\Program Files\AskTBar\bar\Cache moved successfully.
C:\Program Files\AskTBar\bar\1.bin moved successfully.
C:\Program Files\AskTBar\bar moved successfully.
C:\Program Files\AskTBar moved successfully.
C:\rsit moved successfully.
C:\lopR.txt moved successfully.
C:\Lop SD moved successfully.
C:\ComboFix.txt moved successfully.
C:\WINDOWS\zip.exe moved successfully.
C:\WINDOWS\VFIND.exe moved successfully.
C:\WINDOWS\SWXCACLS.exe moved successfully.
C:\WINDOWS\SWSC.exe moved successfully.
C:\WINDOWS\SWREG.exe moved successfully.
C:\WINDOWS\sed.exe moved successfully.
C:\WINDOWS\NIRCMD.exe moved successfully.
C:\WINDOWS\grep.exe moved successfully.
C:\WINDOWS\fdsv.exe moved successfully.
C:\Qoobox\Quarantine\Registry_backups moved successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32 moved successfully.
C:\Qoobox\Quarantine\C\WINDOWS moved successfully.
C:\Qoobox\Quarantine\C moved successfully.
C:\Qoobox\Quarantine moved successfully.
C:\Qoobox\BackEnv moved successfully.
C:\Qoobox moved successfully.
C:\SDFix\backups_old moved successfully.
C:\SDFix\backups moved successfully.
C:\SDFix\apps\Replace\xp moved successfully.
C:\SDFix\apps\Replace\w2k moved successfully.
C:\SDFix\apps\Replace moved successfully.
C:\SDFix\apps moved successfully.
C:\SDFix moved successfully.
C:\VundoFix.txt moved successfully.
C:\VundoFix Backups moved successfully.
========== COMMANDS ==========
File delete failed. C:\DOCUME~1\COLLINS\LOCALS~1\Temp\etilqs_BdkLuol4TTQFddMNpohV scheduled to be deleted on reboot.
User's Temp folder emptied.
User's Temporary Internet Files folder emptied.
User's Internet Explorer cache folder emptied.
Local Service Temp folder emptied.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
Local Service Temporary Internet Files folder emptied.
File delete failed. C:\WINDOWS\temp\899be76b-d426-4ad3-bb5b-26b17b4b034c.tmp scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\TMP00000001E10A252DA4832AA9 scheduled to be deleted on reboot.
Windows Temp folder emptied.
File delete failed. C:\Documents and Settings\COLLINS\Local Settings\Application Data\Mozilla\Firefox\Profiles\nmyduj4o.default\Cache\_CACHE_001_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\COLLINS\Local Settings\Application Data\Mozilla\Firefox\Profiles\nmyduj4o.default\Cache\_CACHE_002_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\COLLINS\Local Settings\Application Data\Mozilla\Firefox\Profiles\nmyduj4o.default\Cache\_CACHE_003_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\COLLINS\Local Settings\Application Data\Mozilla\Firefox\Profiles\nmyduj4o.default\Cache\_CACHE_MAP_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\COLLINS\Local Settings\Application Data\Mozilla\Firefox\Profiles\nmyduj4o.default\urlclassifier3.sqlite scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\COLLINS\Local Settings\Application Data\Mozilla\Firefox\Profiles\nmyduj4o.default\XUL.mfl scheduled to be deleted on reboot.
FireFox cache emptied.
Temp folders emptied.
Explorer started successfully
 
OTMoveIt3 by OldTimer - Version 1.0.8.0 log created on 03032009_030240

[evilfantasy]

* Download and run the following file to repair file and registry permissions: fixacl.exe

Download FixPolicies.exe by Bill Castner

Double-click FixPolicies.exe.
Click the Install button on the bottom toolbar of the box that will open.
The program will create a new Folder called FixPolicies.
Double-click to Open the new Folder, and then double-click the file within: Fix_Policies.cmd
A black box will briefly appear and then close.
Restart the computer so the changes can take effect.

How is everything now?

[Collins]

Hi,
If by "everything working well' you mean the Task Manager is enabled, then I will say no.
What next pls?

[evilfantasy]

* Download and then install SubInACL (SubInACL.exe) file from Microsoft.
* Click Start > Run and type notepad.exe and click OK to bring up Windows Notepad.
* Copy and then paste the following text into Notepad.

Code: [Select]

cd /d "%ProgramFiles%\Windows Resource Kits\Tools"
subinacl /subkeyreg HKEY_LOCAL_MACHINE /grant=administrators=f /grant=system=f
subinacl /subkeyreg HKEY_CURRENT_USER /grant=administrators=f /grant=system=f
subinacl /subkeyreg HKEY_CLASSES_ROOT /grant=administrators=f /grant=system=f
subinacl /subdirectories %SystemDrive% /grant=administrators=f /grant=system=f
subinacl /subdirectories %windir%\*.* /grant=administrators=f /grant=system=f
secedit /configure /cfg %windir%\repair\secsetup.inf /db secsetup.sdb /verbose
* Save this Notepad file as Reset.cmd to your desktop. Be sure the Save as type is set to all files.
* Once you have save it properly, double-click the Reset.cmd file to run the script.
** Note: This script file may take a long time to run. Additionally, you have to run this script as an administrator.
* Now reboot your computer! You must do this before the above will take effect.

[Collins]

Hard Luck.  The Task Manager is still disabled and access to the Regedit denied even after going through the instructions given.

[evilfantasy]

OK another method...

Download the file UnHookExec.inf and save it to your desktop. http://www.filedropper.com/unhookexec

Go to the desktop and Right-click the UnHookExec.inf file and click Install. (This is a small file. It does not display any notice or boxes when you run it.)

Delete the UnHookExec.inf

See if you can open them now.

If not...

Go to Start > Run and type notepad.exe then click OK

Copy and paste the below into Notepad and save as fixme.reg to Your Desktop

Code: [Select]

REGEDIT4

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\regedit.exe]

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\taskmgr.exe]
Locate fixme.reg on your Desktop and double-click it. Answer Yes when prompted to merge with the Registry.

Make sure that you tell me if you receive a success message about adding the above to the registry. If you do not get a success message, it did not work.

Delete the fixme.reg from the Desktop.

[Collins]

The unhookexec did not work.

I did not receive any "success" remark when I did the fixme.reg merging.  I rather got the message "Registry editing has been disabled by your administrator".

I am beginning to believe the Win32/Heur virus is a dreadful one, indeed.

[evilfantasy]

Download DrWeb CureIt & save it to your desktop. Scan with DrWeb-CureIt as follows:

• Double-click on drweb-cureit.exe and then click Start
• An information notice will appear, click OK.
• This starts a short scan that will scan the files currently running in memory.
• If you get a prompt to buy the full version just exit out of the window. The scanner will still work without buying the full version
• If or when something is found, click the Yes button when it asks you if you want to cure it.

• Once the short scan has finished, Click Settings > Change Settings
• Under the Scanning tab UNcheck Heuristic analysis and click OK
• Back at the main window, select the Complete scan button and then click the Green Arrow Start Scanning button on the right and the scan will start.
  • Click Yes to all if it asks if you want to cure/move any file(s).
• When the scan is done.
• In the Dr.Web CureIt menu on top left, click File and choose Save report list.
• Save the DrWeb.csv report to your Desktop.
• Exit Dr.Web Cureit.

• Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.

[/COLOR]

• After reboot, Right-click the Dr.Web log on the desktop and choose Open With > Notepad
• Copy and paste that log in the next reply

[/list]

[Collins]

I am unable to download this link.  It would be loading for hours on end without success.  Is there any other site I can load this program from?

[evilfantasy]

>>>Click Here<<<