09-28-2009 07:17 PM
virus - one. stacey - life back! OK, first I want to thank anyone who looked into this issue. I have given up. After speaking with Microsoft and Norton, I am reformatting my system. I know. I know. I shouldn't do it. But I want a clean start. The only thing I do know is that it happened after the day I updated with a Microsoft update. The same morning. I was on the phone with them when it started crashing and not being able to get to Safe Mode. In fact the last person who was able to get to Safe Mode was a Microsoft tech. Oh well. Again... thank you. Good luck killing these viruses and I hope the person who created this one can get a life.
Best regards to you all...
09-28-2009 07:21 PM
I wonder where you went to. You gave up quickly.
Safe Mode, (to possibly having to repair after Malware removal)
1. malware is just blocking the use of Safe Mode
2. The "SafeBoot" registry entries were removed,
09-29-2009 08:58 AM
Thanks for your concern.
Gave up too quickly... hmmmm. 7 days/3 hours a day is too quickly. Interesting.
I posted on many tech boards. Nothing. Good advice but nothing worked (for me)...
Called MS. But nothing worked (for me)...
Called Norton Help Desk. We can help but it will cost you... so.. nothing.
HP was the best help (well, reading the manual). Don't recover your system. Which I tried. Completely reinstall your whole system. Which I did finally. I made a new copy of my photos (which are really the only thing that matters) and took my HP Desktop back to the original settings. If you read this and are planning to do it, call your PC or laptop manufacturer for instructions. The one thing I did differently was not connect to the internet until I upgraded the antivirus software that came with my system to the latest (got to have that CD and Sub CD).
So for now I'm back to normal (I think). No error messages with strange *.dll/memory error messages. No redirects. Nothing strange. No shutdown or bootup error messages. Norton Security 09 found nothing with latest updates and running fine. No strange sites trying to access my PC every minute. So far so good.
Also, thinking about getting a Mac. I loved my PC until this happened. Big fan of MS etc... Yes I drank the Kool-Aid a long time ago. Going to the Mac store this weekend to see what's up. Also going to speak to the people who are thinking about returning theirs, to see what they think about Mac. Old-fashioned footwork.
So. Thanks again for the posts and help. I'm fixed. It seems...
09-29-2009 09:04 AM
I think what Quads meant is that you gave up so quickly after coming to this Forum for help. He's in a different time zone and most likely could have helped you if you had followed his instructions and given him some time. Glad you got your problems fixed. If you run into any problems, be sure to come back here first. If you are running the 2009 version of your program and still have a valid license, you can update to the 2010 version for free.
Success always occurs in private and failure in full view.
09-29-2009 09:17 AM
I understand (time zone).
If you have ever run into a virus and it makes you feel helpless to do your normal day-to-day things (checking emails, kids' grades, weather), "Gave up too quickly" is the last thing you want to read. But I do understand where you are coming from... I will make sure I come here first. Even before calling Norton. They told me nicely... $99.95 no tax please... Nice....
Again, thank you to whoever may have been working on this issue. I hope the fix comes soon for those who want to wait.
I am fixed for now...
Thanks for the info on the Norton 2010 update. I will download it soon. Right now my eyes hurt from looking at this screen for 7 days...
09-29-2009 09:49 AM - edited 09-29-2009 09:50 AM
If you decide eventually to stick it out and remain a PC girl, be sure to do a couple of things that will render a PC as safe as a Mac.
1. Turn on Data Execution Prevention. That is in Control Panel > System > Advanced system settings > Performance. This will be very effective if your processor supports it, but also if it doesn't.
2. Create a new, standard user account in Control Panel/User accounts, and switch to that account when browsing the net (I assume the Internet is where you picked up this beast).
10-10-2009 05:58 PM
I had to sign up to this BBS to post a response on this because it isn't anywhere on the internet I could find.
This new Trojan/redirector was created just last month, around 9/18/09. I picked it up this morning from a Torrent site through a pdf popup that came up. I had McAfee as my antivirus. Notice I said "had".
Running XP Pro 32
Order of events:
McAfee popped up a warning about running system32\rundll32.exe as an app. I said block. This was a registry attempt to write to HKey Local Machine\Software\Microsoft\Windows\Currentversion\
A registry change was trying to be made by D&S\Administrator\LS\Temp\qOoh.exe. I said block. This was an attempt at the same registry key as above.
It tried to run the rundll32.exe again. I said block. Same as above.
It tried to run a file through explorer.exe. I said block. This was an attempt to install a file to D&S\Administrator\Start Menu\Programs\Startup\scandisk.dll
It tried again but this time it added "scandisk.lnk'C:\windows\system32\rundll32.exe" to the end of the line right above. Basically it tried to go around the block and I told it to block again.
It tried to do the HKey registry change again and the scandisk.dll again and the one right above again. Block, Block, Block when McAfee asks if I want to allow these changes.
Anyhow, it got through somehow. I found all the files on my pc as noted by the poster. McAfee virus scan found nothing and said my pc was clean.
Malwarebytes found the following:
Windows\system32\twex.exe and twain32
Several registry keys
and the main problem D&S\Administrator\Local Settings\Temp\nsrbgxod.bak
Two reboots and scans later and it couldn't remove this trojan.
That file is locked for deletion as it is being "used".
What the virus does is forward you to "thefeedonline" links when you use a browser like google to find links. Typing the link directly will take you to the site fine. At least on my computer it did.
What I did:
Ctrl-Alt-Delete and bring up Task Manager. Noticed a new rundll32 that wasn't there before. One was valid, one was not. I could not kill the application.
Bring up Process Explorer, and find what software started the 2nd rundll32.exe. It was Windows\system32\calc.dll. I could not kill the application here either.
This file wasn't to be found when I looked for it in that folder.
Brought up "startup" a small software you can install in your start\settings\control panel. It showed that calc.dll is set to startup when the pc starts, and a second one was present and unchecked. It would not let me delete either.
Ran HijackThis. It found the calc.dll file and I checked it to handle it. It did nothing upon reboot, but now I got an error message that says ntuser was not a valid login profile and could not run the application rundll32. Apparently it corrupts this file as well.
Looks like I wounded it...but caused a problem in the process. It still forwards links from google.
2 chances I know of before I wig out.
Installed SuperAntiSpyware Remover from Trend Micro. It spotted the Calc.exe file and the protect.dll file as well.
Rebooted and it was GONE.
I went to the strange file nsrbgxod.bak and hit delete. It allowed me to delete it. Then I went to my startup program and it allowed me to delete the two Calc.dll files.
I looked for the other files and went into the registry and the items shown by malwarebytes that it couldn't remove, are gone. Ran malwarebytes again and am clean. Ran SuperAntiSpyware and shows clean. Rebooted, still get that ntuser error message. To correct that, I ran a system restore to this morning.
McAfee just let this stuff go straight through, and this isn't the first time. This is the third! The first was that **bleep** Alureon, that wouldn't leave until I uninstalled McAfee and ran onecarelive. That was earlier this year. Then last week the "silver shield" fake antivirus scanner got through and McAfee didn't do peep. It said it stopped and removed it but that shield was still running in the background and could be seen in the lower right of my screen by the clock. Looking strongly at Microsoft Essentials, as I never got a virus while running that for the 3 month trial after McAfee failed me the first time.
Regardless, I hope the above helps someone out if Norton doesn't get rid of it.
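
The manual triage in the post above (spot the extra rundll32, find which DLL it loaded, check whether that DLL is visible on disk and where the startup entries point) can be scripted. This is an added example, not code from the thread: the input format, the entry-point names, the expanded "Documents and Settings" path and the list of user-writable directories are assumptions made for illustration.

```python
import ntpath
import re

SYSTEM32 = r"c:\windows\system32"
# Assumption: directories a limited user can write to (XP-style paths).
USER_WRITABLE = ("\\start menu\\programs\\startup\\", "\\local settings\\temp\\")
# Captures the DLL argument of a rundll32 command line, quoted or not.
_RUNDLL = re.compile(r'rundll32(?:\.exe)?"?\s+"?([^",]+?\.\w+)"?\s*(?:,|$)', re.I)

def rundll32_target(cmdline):
    """Return the normalised DLL path a rundll32 command line loads, or None."""
    m = _RUNDLL.search(cmdline)
    if not m:
        return None
    dll = m.group(1).strip().lower()
    if not ntpath.isabs(dll):  # bare names resolve through the system directory
        dll = ntpath.join(SYSTEM32, dll)
    return ntpath.normpath(dll)

def triage(entries, files_on_disk):
    """entries: (source, command line) pairs; files_on_disk: paths a listing shows."""
    visible = {ntpath.normpath(f.lower()) for f in files_on_disk}
    findings = []
    for source, cmdline in entries:
        dll = rundll32_target(cmdline)
        if dll is None:
            continue
        reasons = []
        if dll not in visible:
            reasons.append("dll not visible on disk")
        if any(d in dll for d in USER_WRITABLE):
            reasons.append("dll in user-writable directory")
        if reasons:
            findings.append((source, dll, reasons))
    return findings

# Constructed sample data modelled on the post's paths; entry-point names are invented.
ENTRIES = [
    ("process", r"C:\WINDOWS\system32\rundll32.exe shell32.dll,Control_RunDLL desk.cpl"),
    ("process", r"C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\calc.dll,Start"),
    ("startup", r'"C:\WINDOWS\system32\rundll32.exe" "C:\Documents and Settings'
                r'\Administrator\Start Menu\Programs\Startup\scandisk.dll",Start'),
    ("startup", r"C:\Program Files\Example\tray.exe /min"),
]
FILES = [r"C:\WINDOWS\system32\shell32.dll",
         r"C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\scandisk.dll"]

if __name__ == "__main__":
    for finding in triage(ENTRIES, FILES):
        print(finding)
```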