*_Help w/ a massive virus, please_*

Hi and welcome to the Daniweb forums :).

==========

Download Malwarebytes' Anti-Malware (http://www.majorgeeks.com/Malwarebytes_Anti-Malware_d5756.html) to your desktop.

* Double-click mbam-setup.exe and follow the prompts to install the program.
* At the end, be sure to checkmark the Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform full scan, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad.
* Post the log back here.

Make sure that you restart the computer.

The log can also be found here:
C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
Or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt

==

Download HijackThis Executable from here. Save it to your desktop.
Start HJT & press the "Do a system scan and save a log file" button. When the scan is finished a window will pop up giving you the option of where to save it. Save it to desktop where it is easy to access. Open the log file and then go to the format Tab and make sure that wordwrap is unchecked. Copy the entire contents of the file & paste it into the body of your post. DO NOT FIX ANYTHING YET. Most of what is there is necessary for the running of your system.

====

If you can, download the above to a flash drive from an internet connected pc and then install it on the infected pc.

What I have found works on some occassions is to do a system restore if your PC will let you! If you can, restore the PC back to before you had the problem. If you manage to do this make sure that you switch off system restore to clear all past restore points (in case you restore back to when you had the virus at a future date) and then switch system restore back on.

Hope that helps

Sally :-)

Note that it is inadvisable to disable system restore unless you know for SURE, that your system is clean.

Hey. Srry for taking so long to respond. I appreciate the help but everytime I try to open those programs, the same message pops up. I tried renaming it but it doesn't work either. Any way around this?

Can you you boot into safe mode? If so does that message come up then?

Please Run the ESET Online Scanner and post the ScanLog with your post for assistance.

• You will need to use Internet Explorer to complete this scan.
• You will need to temporarily Disable your current Anti-virus program.
• Be sure the option to Remove found threats is Un-checked at this time (we may have it clean what it finds at a later time), and the option to Scan unwanted applications is Checked.
• When you have completed that scan, a scanlog ought to have been created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please post that log for us as directed below.

NOTE: If you are unable to complete the ESET scan, please try another from the list below:

• Kaspersky Online Scanner • Panda Active Scan • Trend Micro HouseCall • F-Secure Online Virus Scanner

Please Run the ESET Online Scanner and post the ScanLog with your post for assistance.

You will need to use Internet Explorer to complete this scan.

Not trying to be smart, but the OP did mention has not been able to connect to internet for "several days" on the effected machine, so may need to skip this step :-/

Might want to start with either HJT or MalwareBytes and see if you can at least make a sufficient dent so-as to re-enable internet connectivity.

That'll teach me not to read the thread again :).

Delete the MBA-M installation file that is on your pc at present.
Go back to download MBA-M again. Click on the link to download it. Select the "Save" option.
When the panel pops up to ask you where you wish to save the file, before choosing where, rename the file. I chose "bambam" in my screenshot just as an example.

Once you have saved it, try again to install and run it.

Please right click on hijackthis.exe and selectRename. Change the name to analysethis and hit the Enter key.
Run Hijackthis and save the log and post it back here if you are able.

I really appreciate all this help, I couldn't find help in any other site.
Anyways, the virus still doesn't let me run the program regardless of the name. I have a feeling starting from scratch might be my only option.

I really appreciate all this help, I couldn't find help in any other site.
Anyways, the virus still doesn't let me run the program regardless of the name. I have a feeling starting from scratch might be my only option.

My $.02:

Sallybarrett makes two good suggestions - System Restore and Safe Mode . . . Here is what I would suggest in exact order:

1) Boot to Safe Mode and see if problem persists. If so, then
2) go into your I386 Folder and Copy NTVDM.exe and WOWEXEC.exe and place them in your System32 Folder. If you get a message saying that they already exist in the System32 Folder and do you want to replace the existing files, click YES. Now see if the problem persists. If so, then
3) try using System Restore to return to a point before the issues began. See if the problem persists.
Hopefully you'll regain some control/functionality. Sure, you might be infected, but at least then you will be able to attack the problem at hand....

Best Luck :)
PP

Hi There, there is another thing you can try download this software http://www.free-av.de/en/tools/12/avira_antivir_rescue_system.html follow the instructions to create a bootable disk, this is a linux based antivirus software designed to clean pc's that can't be booted anymore. It's worth a try?

2) go into your I386 Folder and Copy NTVDM.exe and WOWEXEC.exe and place them in your System32 Folder.

Correct me if I'm wrong, but isn't "WOWEXEC" a x64 file, ant thus useless advice if user is NOT using Windows x64?? Also, Sys-Restore option already dis-advised by those who know better!

Now here is the advice likely to miff Cruchie off (no offence mate), but will explain reasoning, and should free things up enough that MalwareBytes should be free to run its course without being blocked (seeing as the usual methods/processes are being blocked, no harm in thinking outside the box).

DL and install Ad-Aware free... run it. After running, re-boot in safe-mode and re-run. Now as some will point out, is not the most recommended or up-to-the-minute anti-malware tool. In this case, that's to your advantage... as is the ability to use with full functionality in safe-mode. Using this method should then allow you to use other tools to finish the job, so long as run on first re-boot into normal user-mode.

Correct me if I'm wrong, but isn't "WOWEXEC" a x64 file, ant thus useless advice if user is NOT using Windows x64?? Also, Sys-Restore option already dis-advised by those who know better!

Enough of the crap talk. There is no need to start pointing fingers or calling advice given, as being useless. How do you know the OP is not running 64bit?
Point made about system restore was regarding it's disabling, not the use of it!

Now here is the advice likely to miff Cruchie off (no offence mate), but will explain reasoning, and should free things up enough that MalwareBytes should be free to run its course without being blocked (seeing as the usual methods/processes are being blocked, no harm in thinking outside the box).

DL and install Ad-Aware free... run it. After running, re-boot in safe-mode and re-run. Now as some will point out, is not the most recommended or up-to-the-minute anti-malware tool. In this case, that's to your advantage... as is the ability to use with full functionality in safe-mode. Using this method should then allow you to use other tools to finish the job, so long as run on first re-boot into normal user-mode.

Here is your chance to prove your point, though it has already been disproved at least once here.

Enough of the crap talk. There is no need to start pointing fingers or calling advice given, as being useless. How do you know the OP is not running 64bit?

Point was, that specific piece of advice was x64 dependent, and given that their has been no clarification as to whether OP is running x86 or x64, just seemed a little premature.

Was not trying to be offensive, but highlighting a point. If the average user comes along for assistance, and is told to restore files that don't even exist in their case, is likely not only to cause added confusion, some may start to stress as to their non-existence, think the virus has deleted important files that weren't there in the first place.

Simply want to raise point that might have been best to first confirm which architecture OP was using, before pointing to specific files to restore... that was all :)

Here is your chance to prove your point, though it has already been disproved at least once here.

Note that am not advising as the complete solution, but rather a means to free things up enough to allow MalwareBytes to even run. My guess is that in the current state of things, the malware infection is recognising MBA's core processes, even though MBA has been renamed (because of course renaming the executable won't rename any of the utilities processes). I'm only suggesting that Ad-Aware may well sneak under the radar to at least weaken the grip, and hopefully allow MBA to do its job, without being shut out.

Note that have always recommended a tandem approach in regards to Ad-Aware. Maybe that's just me being pessimistic, but have never trust a single anti-malware utility to do the entire job. Given that I am yet to see a single utility have a 100% hit-rate (usually rather in the high 90+% rate for a decent utility), always seemed to make sense to pair the two together.

But in this case, as did try to explain, was not actually why I recommended in this instance anyhow. Agree that MBA offers the best recover option, but it needs to be free to operate if that's to be the case, and as present situation stands, that seems to be at a dead-lock.

Correct me if I'm wrong, but isn't "WOWEXEC" a x64 file, ant thus useless advice if user is NOT using Windows x64??

I am happy to correct you since you ARE wrong. :)

I am guilty of assumption, however I assumed 32-bit, not 64. I think you got your argument ass-backwards.....

WOWEXEC.exe is required by windows and is used to run 16-Bit programs from within a 32-bit version of the operating system. It's started by the NTVDM when you run a 16 bit application and when it fails it produces errors just like those noted by the original poster.

Also, Sys-Restore option already dis-advised by those who know better!

Not true!
I stand by that advice in the order given. I made no mention of disabling System Restore.
Just out of curiosity, what is wrong with trying System Restore as an effort to get things back to a state where MBA-M and other tools can be run? I'd like to hear an answer......

BTW - you sure pimp AdAware a lot. Lavasoft should put you on the payroll. Good grief......

For your edification: http://support.microsoft.com/kb/196453

PP :)

I am happy to correct you since you ARE wrong. :)

I am guilty of assumption, however I assumed 32-bit, not 64. I think you got your argument ass-backwards.....

WOWEXEC.exe is required by windows and is used to run 16-Bit programs from within a 32-bit version of the operating system. It's started by the NTVDM when you run a 16 bit application and when it fails it produces errors just like those noted by the original poster.

OK, am happy to be proven wrong on that one... obviously confusing as an element of SysWOW... my mistake :$

I stand by that advice in the order given. I made no mention of disabling System Restore.
Just out of curiosity, what is wrong with trying System Restore as an effort to get things back to a state where MBA-M and other tools can be run? I'd like to hear an answer......

I know it was the latter half of that advice which was responded to, but note also sys-restore option never gained any support either... and looking at recently described behaviour of this infection, can see why.

Has long been well seen where malware of many variants (including some run-of-the-mill types) infect the sys-restore shadow copies. But looking here, it seems a higher-class of Malware is at play. Crunchie's advice on renaming both MBA-M and HJT would normally allow both apps to subvert attempts to block DL and running them. Given that, am really not sure Sys-Restore offers all that much of a chance... if even milder malware variants can play havoc with Sys-Restore, not really sure what the OP's restore images may contain.

Ad-Aware is yes, old-school, but that can have its benefits. In this case, is less likely to have been blacklisted by the malware coder, and may slip underneath (or it may too find itself blocked) where more prominent solutions are hitting a wall. Am not recommending Ad-Aware as the entire or final solution, but as a method to find a crack in said wall.

Remember; at this point no-one really has any idea what malware we are dealing with, as all the usual scanning tools are being blocked (which is why running Sys-Restore just at this point may not be the best idea); I'd like to know what we're dealing with first. If nothing else, Ad-Aware (providing it too doesn't hit the wall) may at least provide either a means for more powerful tools to repair his system, or at least show up some of the malware processes/components and give us all a better idea of what we are tackling.

OK, am happy to be proven wrong on that one... obviously confusing as an element of SysWOW... my mistake :$

Personally, I would be more than embarassed. Not only were you wrong, but you accused a valued and longstanding member of giving

useless

advice and not even apologising!
Perhaps you need to stop and think a little before handing out your little snippets in future? Will save a lot of embarrassment :).

EDIT: Thanks, crunchie - I didn't see you there.

PP :)

note also sys-restore option never gained any support either... and looking at recently described behaviour of this infection, can see why.

Good grief. We are obviously on two different wavelengths here.

-- Did you even bother to read post #1 in this thread? How do you know that there is even an infection at play here? There is no “described behavior of the infection.” That is merely an assumption that you (and the rest of us) are making. Experience has taught me, however, not to discount other possible issues involved....

Has long been well seen where malware of many variants (including some run-of-the-mill types) infect the sys-restore shadow copies. But looking here, it seems a higher-class of Malware is at play. Crunchie's advice on renaming both MBA-M and HJT would normally allow both apps to subvert attempts to block DL and running them. Given that, am really not sure Sys-Restore offers all that much of a chance... if even milder malware variants can play havoc with Sys-Restore, not really sure what the OP's restore images may contain.

NONE OF THAT MATTERS as long as the original poster is able to get the tools to run.
I do not know what your problem is with System Restore . . . So, we restore an infected compy. So what? Then we clean it. That is what this Forum does. Good Grief.

BTW – I did not respond to the thread until the poster said that they might give up. I took that to mean reformat. All my suggestions keep in mind that the OP was already willing to take the last resort and format the compy....

Remember; at this point no-one really has any idea what malware we are dealing with, as all the usual scanning tools are being blocked (which is why running Sys-Restore just at this point may not be the best idea); I'd like to know what we're dealing with first.

-- There may not be malware – again an assumption.
-- How do you know the tools are being “blocked?” Maybe NTVDM failure not related to malware? What I am trying to accomplish is to allow the poster to merely begin the cleaning process.
If programs are being blocked, let's try to "un-block" them.

Frankly, the three suggestions made by Sallybarrett are more on point than anything you've offered here.....

Anyhoo, I doubt the OP is coming back.

-- I'm curious - Do you post in the Lavasoft Support Forum?

Cheers :)
PP

Personally, I would be more than embarassed. Not only were you wrong, but you accused a valued and longstanding member of giving advice and not even apologising!

Point gladly taken.

@PhilliePhan - sincerest apologies. Has been a while since last used an OS with 16-bit app support (remember that Vista dropped 16-bit app) so was an honest mistake.... is what I get for scanning though. In that case, trying to restore those files would be an idea :-/

Good grief. We are obviously on two different wavelengths here.

-- Did you even bother to read post #1 in this thread? How do you know that there is even an infection at play here? There is no “described behaviour of the infection.” That is merely an assumption that you (and the rest of us) are making.

I do agree it is indeed an assumption, and had it not been for the fact that the attempts made to follow advice made by Crunchie hit a road-block, it wouldn't have been my first call at all.

In case of regular crashes (ie, corrupted sys files, driver issues, software incompatibilities, and sorts of related issues), I have no issues with Sys Restore at all.... is an extremely useful tool (even more since Vista made the shadow copies fairly comprehensive). In the case of infection though, am more cautious, as in some cases can actually bury the thing further into system.

As I said, yes it is an assumption to think malware, but consider the presented issues (apart from the apparent 16-bit app support failure):

• Sudden lack of internet connectivity (yes, that alone could just as easily be hardware/driver issues)
• Attempts to run MBA-M and HJT blocked on all fronts

To be honest, even scratching the brain, I can't remember any factors relating to 16-bit application support that would effect MBA, HJT etc from running, as am pretty certain are fully x86 in their design. Admittedly, have been a while away from XP as a user, so might be forgetting something here.

I know is hardly comprehensive evidence, but unfortunately the tools normally used to gain said evidence aren't working. That's the only reason I take pause over turning to Sys Restore, and thinking one last attempt (yes, using Ad-Aware) might be advisable as a last effort. If it either can't run, or comes up clean, then Sys Restore becomes the next step.

Saying it again, I agree it is an assumption being made that it may be malware, but just inclined to play it a little safe. At the end of the day, what harm can it do?

Point gladly taken.
@PhilliePhan - sincerest apologies. . . .

No worries! :)

I agree that a lot of assumptions are being made - funny that none of us bothered to ask the OP what virus they had. Many times they will have a good idea what they were dealing with or be able to point you in the right direction. But just because they say malware does not always make it the case.
I once had a thread where the poster said they got a virus that turned their cursor into a dinosaur...... Can you guess how that was solved?

-- The OP said he/she was getting the same error message when trying to run the requested programs. That is why I took the approach that I did.

This is my reasoning - Just wanted to take a quick shot at it while I had some free time on my hands:
1) Safe Mode - Yeah, probably not going to help, but wanted to see if something running on startup was borking WOW. Got to cover that base.

2) Move on to replacing wowexec.exe and ntvdm.exe on the chance that they were borked, possibly by malware. No harm, no foul.

3) Try System Restore in the event that malware has made some registry modifications that are responsible for the errors - hopefully the OP will have a viable restore point from well before issues started and then we can go from there. Again, no harm no foul. I am not at all worried about system restore making things worse.

If that were to fail, we'd probably have to try Recovery Console or something like Sallybarret's suggestion of Avira's similar tool.

In this case, I think we have a situation where too many cooks spoil the broth ;)
Most of the Forums I post in have one volunteer per thread, unless they get stumped and ask for help. Here, we have everybody coming in from all angles, lol!

Anyhoo, I guess I certainly got my $.02 worth on this one! Hope the OP comes back and you guys are able to get it sorted out - I'll have to check back in a week or so when I get my next break.

Cheers All :)
PP

No worries! :)

I agree that a lot of assumptions are being made - funny that none of us bothered to ask the OP what virus they had. Many times they will have a good idea what they were dealing with or be able to point you in the right direction. But just because they say malware does not always make it the case.
I once had a thread where the poster said they got a virus that turned their cursor into a dinosaur...... Can you guess how that was solved?

You gotta be kidding me? I'll pay that one :D

Agree a lot of assumptions, but in this case where there is little hard evidence (kinda happens when usual diagnostic tools out the Windows - pardon the pun) is really all that can be made.

Can definitely follow your course of logic. Have to admit tend to be cautious when I see a series of seemingly unconnected failures. Most legitimate failures (ie HW, OS, driver etc etc) tend to follow a logical sequence... wasn't so sure I could tie the problems together, which raised the red flags.

Actually, one area we didn't try to clarify was in terms of internet connectivity (funny how hind-site is a wonderful thing). Didn't think to question whether or not any error messages were received when trying to connect... I'll remember that one for next time!

In this case, I think we have a situation where too many cooks spoil the broth ;) Most of the Forums I post in have one volunteer per thread, unless they get stumped and ask for help. Here, we have everybody coming in from all angles, lol!

Normally could agree (yes Crunchie did take advice on board), which is why I kept out for a while (well, apart from to point out lack of internet connectivity :D ) ... was not till things hit a wall (and yes, a misuderstanding) that put my nose in. Problem here I think is too many open-ends and too little clarification from OP.

One frustration am quickly learning is the difference in problem solving btwn real-world and on-line. Is not unusual to be fixing a colleague's notebook at work, but at least there am in the driver's seat, and if I need to manually scan and pull out crap via the registry or other methods, can easily do so. There are just some techniques that you really can't guide someone else to do in a forum setting. Am quickly gaining a whole new appreciation for the "old-hats" of this realm :)

I'll have to check back in a week or so when I get my next break.

Hopefully a little more sense made of things by then ;)

Once again, thanks for all the help.

As for the software my computer is running on, its Windows XP.

I copied and pasted the NTVDM file to the system folder but it didn't help. As for the Wowexec, it wasn't in the i386 folder, but it was already in the System32 folder.

I tried installing Ad-Ware and/or Avira AntiVir Rescue System but once again, it prevented me from doing so. The same message continues to appear. I also tried to System Restore the computer but the message appeared again. I think it might be safe to say that I can't install anything at this moment.

I'm guessing I'm running out of options at this moment. Should I take it somewhere so they can erase everything and start from scratch?

Do you have your XP CD? If so, try the following;

Go to Start | Run and type in sfc /scannow and hit the Ok button. Insert your CD if/when requested.

Unfortunately, I don't have my windows CD. My computer actually doesn't have a CD Drive anymore. The one that I had [which was external], stopped working after a while. Thats why I'm thinking of finding someone to do it for me.

It is starting to look that way. Make certain to back up any data you want.
Unless anyone has any other suggestions, I would say that that is your best bet, although you may want to wait for PhilliePhan to return.

I copied and pasted the NTVDM file to the system folder but it didn't help. As for the Wowexec, it wasn't in the i386 folder, but it was already in the System32 folder.

Just to clarify something, is any other software either failing to run apart from those mentioned, or unable to install?

Now this be a long shot to recover a working version of Wowexec, but can often find several previous versions of sys files, as each time a file gets updated (either through general Win updates or Service Packs), files will be backed up each time.

First go into Folder Properties and make sure hidden and sytem protected files are set as visible.

Open Windows Search, and making sure you use the advanced search options to include hidden and system files. Now if you get several results, you'll want to use the most recent version before the currently utilised file-version.

Now when replacing a protected system file in XP, is not as simple as simply dropping the replacement on top of the original and selecting OK as you would replacing any other file. No doubt the version of NTVDM.exe you so helpfully pasted into Sys32 was replaced within seconds of doing so... given the number of stand-alone GUI and icon-cache replacement I built yrs back, is one element of XP will never forget (gave me a few grey hairs along the way)! You may even find it nesc to boot in safe mode to successfully replace, so will guide you as such.

• Take note of replacement file version's location
• Boot in safe-mode
• Open both applicable file folders
• In Sys32, right-click and drag original Wowexec file to desktop - release mouse button and will get choice of copy or move... select move.
• In alternate file location, again right-click and drag, this time into Sys32 folder - this time select the copy option.
• Note that same technique should be used for NTVDM.exe
• Reboot as normal

Now have to admit, am still not convinced is the sole source of your difficulties, but hopefully should at least see a fix to and 16-bit app support.

BTW, if Sys Restore has infact become last resort, may need to go as far back as possible. Try the file replacement first though and see if this is infact at root of prob.

Unless anyone has any other suggestions, I would say that that is your best bet, although you may want to wait for PhilliePhan to return

I've got limited computer time this week - doubt I can offer timely assistance. Plus, we are just getting in each other's way. You know me - I like to do my own thing and take my own approach to a problem.... ;)

This would be my next step:
I think at this point we would need to get into the registry and have a look if possible - but first, try clicking START > RUN and type command.com and hit ENTER and tell us what happens - does command prompt open?

PP :)

I've got limited computer time this week - doubt I can offer timely assistance. Plus, we are just getting in each other's way. You know me - I like to do my own thing and take my own approach to a problem.... ;)

This would be my next step:
I think at this point we would need to get into the registry and have a look if possible - but first, try clicking START > RUN and type command.com and hit ENTER and tell us what happens - does command prompt open?

PP :)

I am happy to step aside :). You mentioned earlier about the possibility of using the recovery console. I have no working knowledge of how to go about it :).

I am happy to step aside :). You mentioned earlier about the possibility of using the recovery console. I have no working knowledge of how to go about it :).

Can second that. Remembered enough from XP to advise on getting around in-built sys-file protection, but remembering how to use XP's Recovery Console is a whole other matter.

As to remotely guiding someone on registry-based repairs, that ball's all in your hands :cool: