Anti-Virus/Malware/Root-kit and Trojans
#1
Yes, I saw a thread by Brian about opening the System Volume Information folder. According to a spyware program (SpyHunter 4.0), I am being told that I have two Trojans hiding in my Windows XP Pro "System Volume Information" folder. One is the Zlob.Trojan (A00006738.dll) and the PATH is: F:\System Volume Information\_restore {B20C9CBB-CE68-4259-8285-BAC5CED65F3E}\RP1\A0006738.dll. The other Trojan is the Trojan.Autoit.as (A0013051.exe). The PATH for this trojan is:
F:\System Volume Information\_restore {B20C9CBB-CE68-4259-8285-8AC5CED65F3E}\RP2\A0013051.exe.

When I click on My Computer, then click on my F:\ drive (which contains this file), I DO NOT see any System Volume Information folder. I have clicked on TOOLS at the top of the page, then clicked on Folder Options, then View; here I unchecked Hide Protected files and folders, then I checked Open Hidden Files and folders and unchecked [Hide Folders and Files]. Returned to the [F] drive, right-clicked on the drive to view folders, and the System Volume Information still does not appear.

I don't know how good SpyHunter 4.0 is, but it was more successful in locating 33 potential threats, better than Malwarebytes, Comodo, Kaspersky, and a few others.

I am now able to install Malwarebytes (the older version) but if I click on the Upgrade, after it installs I receive an Application error message A000001d, then I have to delete the program.

Simply put, the only self-booting software that I had success with self booting is ESET. Kaspersky 10 Rescue Disc, and others simply will not start up on a fresh boot. Heck, I wouldn't have even known about all the adware and media files that have invaded my machine if it had not been for SpyHunter 4.0. According to this software, I have 33 Internet SpeedTracker Toolbar installations; five CaSaleMedia infections.

Please HELP!!! Is there any other procedure you know of on how I might delete these Trojan infections? And the Internet SpeedTracker Toolbar (which I cannot find); and these Casale Media infections? Everybody will offer you a free download but once the scan is completed, they want you to buy their product to "supposedly" remove these issues.
Reply

#2
SpyHunter is rogueware, another snake oil product; it will tell you you have multiple problems and can fix them for you for a price.

When in actuality there is nothing wrong.

MalwareBytes stopped supporting XP a couple of months back; that's why you're getting that error.
As to Kaspersky, make sure your system meets the requirements https://support.kaspersky.co.uk/viruses/rescuedisk#requirements

Superantispyware still runs on XP if you wish to use that https://www.superantispyware.com
Reply

#3
GuiltySpark;

That should tell you just how much I know. I had no idea that Malwarebytes stopped supporting Windows XP. However, on their home page I did see where they offered a patch -- possibly patch is for those who are still using Windows XP.

The problem I am experiencing is this: about three weeks ago when I would boot up in Normal Mode all the program icons would be displayed on the Desktop. While it would take some time to load, Avast Anti-virus kept freezing up even when I would run a Smart scan. I have SuperAntiMalware, but when I run a scan with this program (quick scan) no viruses are revealed. Yet it takes forever and a day to open a program. . . any program.

I use Process Explorer which shows me where all my resources are being used. Oddly enough, the result pretty much stays in the red.

I know that my system is basically old, while I have moved up to a rev. 2.0 Gigabyte Motherboard with a 1.2 GHz Processor. But with all the new technology available today, I know my system can not keep up with what's available.

My point is this: before all these issues cropped up, my system was running fairly good. When I clicked on a particular program, it would open up almost immediately. Now, I think I could go out and eat a six course meal, return, and still wait another 5 to 10 minutes.

But here is the odd part. When I boot up in SAFE MODE, everything runs normal. I understand that in SAFE MODE not all drivers open, so this said to me that there are issues with a driver (or drivers) in Normal Mode.

Are you familiar with a program called SpeedZooka? Well when I run this program it supposedly reveals several issues, which I click to correct. My point: this program has not revealed any particular issues.

Can I safely assume that Vipre is another rogue software? The reason I ask is because when I ran this program it said that I had two Trojans. Now I don't know.

I can't even get any type of Antivirus or malware program to free-boot so I can see if a virus had taken over any of the program drivers in Normal mode. They will not boot up when I use my CD; all except ESET as I stated in my email.

How you can help!!!!!!
Reply

#4
Quote:That should tell you just how much I know. I had no idea that Malwarebytes stopped supporting Windows XP. However, on their home page I did see where they offered a patch -- possibly patch is for those who are still using Windows XP.
I don't know about that patch (I can't find it). But MBAM only supports XP via the Premium Suite.

Quote:The problem I am experiencing is this: about three weeks ago when I would boot up in Normal Mode all the program icons would be displayed on the Desktop. While it would take sometime to load, Avast Anti-virus kept freezing up even when I would run a Smart scan. I have SuperAntiMalware, but when I run a scan with this program (quick scan) no virus are revealed. Yet it takes forever and a day to open a program. . . any program.
Ideally you shouldn't be running programs directly off the desktop (unless these are just shortcuts) as the desktop uses RAM as opposed to the HDD, so you could be overstraining your memory.
Quote:But here is the odd part. When I boot up in SAFE MODE, everything runs normal. I understand that in SAFE MODE not all drivers open, so this said to me that there issues with a driver (or drivers) in Normal Mode.
Not all drivers / services are being used just the basic Windows ones, this suggests that a third party is the culprit (possibly even malware).
Quote:Are you familiar with a program called SpeedZooka? Well when I run this program it supposedly reveals several issues, which I click to correct. My point: this program has not revealed any particular issues.
I know of SpeedZooka but I certainly wouldn't recommend it, it's just another Optimizer / Reg Cleaner which can often do more harm than good.
Quote:Can I safely assume that Vipre is another rogue software? The reason I ask is because when I ran this program it said that I had two Trojans. Now I don't know.
Vipre is a legit Anti-Virus program but it may be a little heavy especially as you're running Avast as well (two AV's running together in real time will slow a system right down).
Quote:I can't even get any type of Antivirus or malware program to free-boot so I can see if a virus had taken over any of the program drivers in Normal mode. They will not boot up when I use my CD; all except ESET as I stated in my email.
You should boot into Safe Mode and bring up the "msconfig" settings.

To do this:

Hold the Winkey+R (windows key looks like a windows flag)

In the Run box that pops up type "msconfig" minus quotes.

Tap Enter (return key)

Select the Start Up tab (if not already selected)

Uncheck all except the Microsoft OS (you should see it in the list as Microsoft Operating System) and your main Anti-Virus (avast or vipre only pick one to keep on start up).

Select Apply.

Select Services tab.

Check the box that says "Hide All Microsoft Services".

Uncheck all services except for your Anti-Virus service (avast services or vipre services, whichever you've chosen to keep on).

Select Apply.

Select OK.

Restart the computer normally and see if things are quicker, post back your report.
Reply
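As an added illustration (not from this thread or from any of the posters), the following PowerShell script lists the same two things the msconfig walk-through above has you review: the Startup entries and the services that remain once Microsoft's own are hidden. It only reads; it disables nothing, so you can see what is loading in Normal Mode before deciding what to untick. It assumes PowerShell 2.0 or later is installed (XP SP3 can run PowerShell 2.0, but it is not there by default) and that each service's binary is still on disk so its version resource can be read; the function names are my own.

```powershell
# Added example, not part of the original thread: read-only equivalent of the
# msconfig Startup tab and of the Services tab with "Hide All Microsoft Services"
# ticked. Assumes PowerShell 2.0+ (Get-WmiObject, no CIM cmdlets needed).

function Get-StartupEntries {
    # Win32_StartupCommand covers the Run/RunOnce registry keys and the Startup
    # folders, which is what msconfig shows on its Startup tab.
    Get-WmiObject -Class Win32_StartupCommand |
        Select-Object Name, Location, Command, User
}

function Get-ExecutablePath {
    param([string]$PathName)
    # A service PathName is either quoted ("C:\Program Files\x\svc.exe" -arg)
    # or bare (C:\WINDOWS\system32\svchost.exe -k netsvcs). Return just the .exe.
    if ([string]::IsNullOrEmpty($PathName)) { return $null }
    if ($PathName.StartsWith('"')) {
        $end = $PathName.IndexOf('"', 1)
        if ($end -gt 1) { return $PathName.Substring(1, $end - 1) }
    }
    $m = [regex]::Match($PathName, '^(.*?\.exe)', 'IgnoreCase')
    if ($m.Success) { return $m.Groups[1].Value }
    return $PathName.Split(' ')[0]
}

function Get-NonMicrosoftServices {
    # Heuristic version of "Hide All Microsoft Services": keep a service unless
    # the CompanyName in its binary's version resource mentions Microsoft.
    # A missing binary (Company = $null) is kept on the list on purpose: a service
    # whose file has vanished is exactly the kind of entry worth a second look.
    Get-WmiObject -Class Win32_Service | ForEach-Object {
        $exe = Get-ExecutablePath $_.PathName
        $company = $null
        if ($exe -and (Test-Path -LiteralPath $exe)) {
            $company = (Get-Item -LiteralPath $exe).VersionInfo.CompanyName
        }
        if (-not ($company -and ($company -match 'Microsoft'))) {
            New-Object PSObject -Property @{
                Name        = $_.Name
                DisplayName = $_.DisplayName
                State       = $_.State
                StartMode   = $_.StartMode
                Company     = $company
                Path        = $exe
            }
        }
    }
}

Write-Host "=== Startup entries (msconfig > Startup) ==="
Get-StartupEntries | Format-Table Name, Location, Command -AutoSize

Write-Host "=== Non-Microsoft services (msconfig > Services, Microsoft hidden) ==="
Get-NonMicrosoftServices |
    Sort-Object StartMode, Name |
    Format-Table Name, StartMode, State, Company, Path -AutoSize
```

Two caveats on reading the output. The company-name check is only as trustworthy as the file's version resource, which any program can fill in as it likes, so treat "Microsoft" in that column as a hint, not proof. And services hosted inside a genuine Microsoft svchost.exe process are hidden by this check even when the DLL they load is third-party, the same blind spot msconfig's own checkbox has; the Startup list and a look at the service's Parameters key in the registry are where those show up.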

#5
(08-02-2015, 12:46 AM)Mainman Wrote:  Please HELP!!! Is there any other procedure you know of on how I might delete these Trojan infections? And the Internet SpeedTracker Toolbar (which I cannot find); and these Casale Media infections? Everybody will offer you a free download but once the scan is completed, they want you to buy their product to "supposedly" remove these issues.

If you have problems with viruses, I can help you:

Please download FRST and save it to your desktop.

Run tool as Administrator, and on UAC popup click Yes.

NOTE: If you don't know which version your OS is, download and run both of them. The one that works is the right version you need.

Accept the disclaimer by clicking on Yes, and wait while the tool makes a registry backup, which takes a few seconds.

When you get the message in the header "The tool is ready to use", click on the Scan button, but make sure that Addition is checked before doing it.

The program will generate two logs: FRST.txt and Addition.txt.

Attach logs to your reply.
Reply

#6
GuiltySpark;
Sorry that I haven't been able to respond to your thread until now. Man, what I have been experiencing has been a sure-nuff head scratcher.
I followed your directions to the letter with regard to accessing "msconfig" in Safe Mode. I clicked on the Services tab and then checked the "Hide all Microsoft services". After all the Microsoft services were hidden, I unchecked all other posted services EXCEPT Avast Anti-virus, then clicked APPLY. I then clicked on the Startup tab and unchecked any Startup programs that weren't really necessary to load at Startup. Clicked Apply, then clicked OK, and re-booted the system.

Then the problems started. My system booted up without any hitches. However, as soon as the Windows Display screen appeared, there was a notice that due to the changes, I needed to re-activate my copy of Windows XP Pro. So, I clicked OK to re-activate. When the Activation screen appeared, I clicked on Activate via the Internet. A message came back informing me that there was NO Internet connection. On the desktop, I clicked on START, then Control Panel, then Services. When I clicked on the Hardware tab, then Device Manager, the loaded devices did not appear. It was as if the system had frozen. I waited and waited to see if the hardware list would appear but nothing happened.

Trying some other paths, I again clicked on the Services icon, then hardware, then Device Manager. This time the hardware list appeared. I quickly noticed that my Ethernet card has a red "X" beside it. I clicked on the service and clicked on Properties. Somehow my Internet Ethernet card had been disabled. After enabling the Ethernet card, I attempted to access the Internet. Finally I had an Internet connection, but the System Information box kept popping up. The "Selected" option was checked. However, that Microsoft Activation box kept telling me that I had to re-figure my startup path to Normal Startup in order to reactivate Windows.

After hours (and I mean literally hours) I am -- as you see -- able to access the Internet and re-register my copy of Windows. But when I click on a desktop program icon, the program takes longer than normal to load.

I have defragged my HDD several times thinking this could be the culprit, yet it doesn't seem to help when accessing desktop programs.

Oh yes, I managed to get Kaspersky Rescue 10 to boot via my CD-ROM drive; ran it but nothing really significant showed up in the report log.

Now, when I reboot my system, the mouse frequently hangs up if not moved.

Also, when I attempt to run a scan with Avast, it hangs or freezes about five (5) minutes into the scan, but does not reveal the file or virus which caused the freeze.

Sorry I was so long-winded, but I wanted to let you know what was going on.
Reply

#7
(08-07-2015, 02:12 PM)Mainman Wrote:  *******
Sorry I was so long-winded, but I wanted to let you know what was going on.

Can you please run FRST just to make sure whether you are infected or not?
Reply

#8
It certainly shouldn't have caused an issue with the activation of XP, those only tend to occur when hardware has been changed.

Follow Ankh's advice and run the FRST scan. Let's see if there is any malware lurking.
Reply

#9
Quote:Can you please run FRST just to make sure whether you are infected or not?

Sorry. I have sent the FRST attachment as requested. Hopefully you can find something I must have overlooked in this scan report.
Reply

#10
I don't see any attachment
Reply
