consequences of security tool virus

Security tool is anything but...

Ive contained startup programs _ex-08.exe, 31431517.exe, found a new system file in sys32\drivers qoehpvnx.sys, removed rootkit.win32.agent.abmh, and cleaned the registry as best as I could. But now I still have a painfully slow startup, and IE will only open 1 window. It locks up if I try to open other tabs or a new browser page.

Ive tried to run GMER but the computer will get 60%-70% thru the scan and then restart.

If there is anything you folks can do to help me, or give me a script to run on the Kasperski Virus Removal Tool that would really be appreciated. I have a backup but it's a royal pain to have to wipe a drive and start again clean.

Thank you

Pls. don't rename attched files.

Switch off:
- Antivirus and and, if you have - Firewall.
- System Restore


Fix in Hijackthis:
[CODE]O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} -
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://mwmus.webex.com/client/v_mywebex-mwm/mywebex/ieatgpc.cab[/CODE]

- [URL="http://virusinfo.info/showthread.php?t=9207"]Execute following script[/URL]
[CODE]begin
SearchRootkit(true, true);
SetAVZGuardStatus(True);
QuarantineFile('c:\program files\common files\akamai\rswin_3647.dll','');
DeleteFile('c:\program files\common files\akamai\rswin_3647.dll');
BC_ImportAll;
ExecuteSysClean;
BC_Activate;
RebootWindows(true);
end.
[/CODE]
After reboot:
- [URL="http://virusinfo.info/showthread.php?t=9207"]Execute following script[/URL]
[CODE]begin
CreateQurantineArchive('C:\quarantine.zip');
end.
[/CODE]
- Clear hosts- file: [url]http://virusinfo.info/showthread.php?t=61042[/url] over replacing it.
- Clean Temp-Maps, Cache of Browsers, Recycler. Use Windows service tool [URL="http://support.microsoft.com/?scid=kb%3Ben-us%3B315246&x=17&y=6"]cleanmgr[/URL] or [URL="http://www.ccleaner.com/"]CCleaner[/URL] or [URL="http://www.clearprog.de/"]ClearProg[/URL]
- Close all the programs and start only Internet Explorer!!!
- Repeat the logs.
- Switch Antivirus and, if you have - Firewall, on.
- Go On-Line
- Upload the C:\quarantine.zip here: [url]http://virusinfo.info/upload_virus_eng.php?tid=69907[/url]
- Attach new logs to your new post..

THX AGAIN!
I appreciate your clear direction. Just fixed Hijackthis log and my browser is functioning normally. Will complete and post when finished.

I have followed the above instructions but there was a restart before the run of AVZ. Hope that doesnt cause a problem. In addition I did a virus scan with CureIt this time instead of the Kasperski Virus removal tool that I used on the first run. CureIt found 2 more trojans and I quaranteened them

The only remaining problems I have is that after the restart IE will only allow 1 browser window without freezing and my boot time is quite slow after clicking on my user name (I am the only user setup in the system)

Attached are my log files as requested.

[QUOTE=lioninstreet;580233]I have followed the above instructions .[/QUOTE]No, you haven't. It's not allowed to attach quarantine to the message, I've got you the link for this purpose.

Pls. update Java RE. It it should not be solving - try to reinstall IE8

[B]Rene-gad[/B], I am working on the fix you told me. I dont understand your post about Quar... Are you saying dont type that word on the forum? I think the translator from russian to english is not clear.

[QUOTE=Rene-gad;577236]
- Upload the C:\quarantine.zip here: [url]http://virusinfo.info/upload_virus_eng.php?tid=69907[/url][/QUOTE]What kind of question do you have to this sentence?

I see what I overlooked. My mistake

I completed the Java RE update and did the IE8 reinstall. Then ran Cureit in safe mode. It only recognized the files that it had prevously quarantened. Rebooted to std mode and re ran AVZ and HJT. Here are the log files and the missing quarantened files from the run.

I cannot find any suspicious item in the last logs. Is your problem solved?

[B]Rene-gad[/B], Thank you for the help. All seems to be working properly with the exception of IE8. The problem is this:

IE8 opens correctly in Safe Mode and will open multiple windows and multiple tabs. No worries.

When I try to open it in Regular Mode, it allmost allways hangs and does not show the home page address in the address bar and also does not connect to the internet. Task manager shows IE8 trying to open 2 seperate browsers at the same time but there is only one browser window open. Then the browser locks and task manager shows the 2 browsers not responding. Should I be able to get a single browser open (with a single browser showing in task manager) and I try to open a second tab or a second browser, the same thing as I described above happens.

I tried to reload ie8 by downloading the program from microsoft and then while installing the program uninstalled the browser and re-installed it. This did not work either. The only think left I can think of is to remove IE8 in add-remove programs and try to reload it and see if that helps.

IE8 did function correctly after I performed the first fix you suggested above but then failed as described after a restart.

I would switch browsers but several companies I work for have on line data bases that require IE8 to open. Any ideas or suggestions?

Uninstall IE8: [url]http://support.microsoft.com/?scid=kb%3Ben-us%3B957700&x=11&y=12[/url]
Download ClearProg (link in the post #2), choose Clear All, reboot your system.
After that execute follow script:
[CODE]begin
ExecuteRepair(2);
ExecuteRepair(3);
ExecuteRepair(4);
RebootWindows(true);
end.[/CODE]
After reboot try to install IE8.

Ok I appreciate the advice but before I start a few questions. On the scripts you suggest. What program am I running the scripts with, AVZ as described in post 2?

Since my German isnt so good I downloaded clearprog from [U]Softpedia[/U]. but when I tried to run it my anti-virus popped up with a warning that the program included something called win32/yabector.a, some kind of trojan that creates outbound traffic. I then used my anti-virus to delete it and it wiped out the entire download.

Were you aware of this with [U]Softpedia[/U]?

Then I was able to do a successful download using the link you provided (although since my IE8 is so quirky I had to enter the url in the address bar to find the site...However as I cant seem to link to anything I cant get to the uninstall IE8 site you placed the link for in your last post. I tried to cut and paste it as well and got a page not found error. Could you double check the link and repost it?

So I will try tomorrow and reply when I am up again.

[QUOTE=lioninstreet;583074]What program am I running the scripts with, AVZ as described in post 2? [/QUOTE]Yes, it is AVZ :)
[QUOTE]when I tried to run it my anti-virus popped up with a warning that the program included something called win32/yabector.a,[/QUOTE]It's a false-positive, setup-packet contains an ebay-tool, which would be seen as malware. Disable your antivirus for processing with ClearProg.
[QUOTE]I cant get to the uninstall IE8 site you placed the link for in your last post.[/QUOTE]Why? The link is OK, I've checked it just now. To copy/paste you should click REPLY-button and copy the link from your planned answer: all long links will be shorted per forum software.

OK per your suggestion I was able to cut and paste the links address into my address bar and it worked for me.

Since I'm on XP I think the root program of my IE is IE6. Do you think it would be wise to uninstall IE7 as well before doing the reinstall? I saw that some were suggesting to uninstall as much of IE as the system would allow when dealing with IE troubleshooting issues.

[QUOTE=lioninstreet;583497]
Since I'm on XP I think the root program of my IE is IE6. [/QUOTE]What do you mean under ROOT PROGRAM?
[QUOTE=lioninstreet;583497]
Do you think it would be wise to uninstall IE7 as well before doing the reinstall? [/QUOTE]I'm not sure, it's possible. I think that the possibility to uninstall IE exists only beginning from IE8.
I had never have any problem such kind with IE8.

[QUOTE=Rene-gad;583595]What do you mean under ROOT PROGRAM?
I'm not sure, it's possible. I think that the possibility to uninstall IE exists only beginning from IE8.
I had never have any problem such kind with IE8.[/QUOTE]

As I was reading the results of a google search on "uninstall internet explorer" and "uninstall internet explorer completely" I found a page from Microsoft that was describing how the xp and prior OS integrated with IE. It seems that depending on what OS you have, the "legacy" version of IE at the time the OS was introduced is the "root" browser.

For example if you have ME the root browser is IE5, Win2k is IE5.5, XP is IE6, etc. The browser also integrates with the OS and helps it to perform search functions (and other functions I skimmed past as I was reading...). This is one of the main reasons it can't be completely removed as the functinality of the OS becomes compromised.

Bottom line is, with XP it looks like I could remove IE8 and IE7, but most likely I couldnt remove much more than that. There are instructons on the Microsoft site detaling how to remove IE7 after prevously removing IE8. If I try to open another brower window to find the page where it's at and paste in the link for your readers, my browser just locks and I have to end task to clear everything.

My thought was that since I'm also having difficulty with IE8 locking up when I try to open a new brower tab, it might be worth uninstalling both 8 and 7 to fully remove the tabed browser functionality, go back to reinstal IE8, and hope for the best ....

Your thoughts?

[QUOTE=lioninstreet;583941]Your thoughts?[/QUOTE]My thoughts are no object in such case :) , the best of all you'd try to ask in any forum or newsgroup specialized on Internet Explorer. As I just said - I don't have any experience with uninstalling of IE/

[QUOTE=Rene-gad;584029] the best of all you'd try to ask in any forum or newsgroup specialized on Internet Explorer[/QUOTE]


I'll see what I can find and update this thread as I go. Thanks again for help with the disinfection. :clapping:

I spent most of the afternoon yesterday trying to get IE8 functioning after the clean up from security tool virus. The results were less than spectacular.

I reviewed several sites on the subject of removing IE and discovered there is an issue with just removing the program and leaving updates in place. Apparently IE is so interwoven with the OS (in my case XP) that the updates must be removed in the order they were installed to retain optimal functionality.

So I started with disabling my anti-virus, firewall, auto-updates and disable my network connection.. then went to add remove programs to remove all the IE8 updates. Suprisingly this alone allowed IE8 to function as it should. I tried several restarts and it would still work.

However the updates I removed apparently affected XP updates from 9 months ago so I had to remove them as well. Once this was done out came IE8. After 2 restarts IE7 showed as the browser and I had full functionality. I replaced all the XP updates and IE7 still worked.

Then I installed IE8, so far so good. But after installing the IE8 updates my browser problem came back.

I have since tried to do a chkdsk from the OS disk and found there are unrepairable errors on my C: drive. So it looks like if I want a fully functional IE I have no choice but to reformat my C: drive and reload the OS on to it.

So here is my question.
I am running 2 WD740's in RAID-0 with my boot record and OS mounted on my partitioned C: drive and also have 2 other drives ( E: & F: ) partitioned on the RAID array. My desire is to avoid wiping the entire array. Is this possible?

Can I just reformat the C: drive, then reload the RAID drivers and OS on to it?

[QUOTE=lioninstreet;586128]
So here is my question.
I am running 2 WD740's in RAID-0 with my boot record and OS mounted on my partitioned C: drive and also have 2 other drives ( E: & F: ) partitioned on the RAID array. My desire is to avoid wiping the entire array. Is this possible?[/QUOTE]
I'm not really competent in any question about RAID, but in normal case you can remove and re-install the system partition without to disturb any other one.