Cyber Tech Help Support Forums > Software > Malware Removal
#1
February 26th, 2010, 04:01 AM
mewgirl
New Member
Join Date: Feb 2010
O/S: Windows XP Home
Location: Illinois
Age: 38
Posts: 22

FrostWire repeatedly restarting

....was my original problem. The infection came from a zip file on a p2p program (Ares, not FrostWire). FrostWire is not my current p2p program, but it is the one that was activated by this virus or malware. Also this was not restarting while using it, but starting on its own and restarting when the process was ended.

The program did not cause any other visible problems at the time, but since FrostWire itself immensely slows down computers (especially while starting), I needed to fix this immediately. Googling FrostWire help forums led me to someone who linked to another topic where the poster had a different infection with the same symptom, saying that you need to do what poster #2 advises, which is copy the task manager program to your desktop and run it from there, then end suspicious processes, then "delete suspicious files from the following areas," then delete anything that Specific Virus Scanner detects. Stupidly, he led people to a non-free program. Task manager didn't show any suspicious processes, so I ran a virus scanner first. I also uninstalled FrostWire through Add/Remove, which then stopped popping up. For the virus scanner, I used AVG because, recently, that has seemed to be the preferred one with my computer-knowledgeable friends. However, AVG doesn't seem to have very many options; it doesn't (as far as I can tell) allow you to "fix" only what you want, and for that matter it doesn't fix anything unless you first enable it in a very hard-to-find options menu. The first scan took almost 8 hours, and, to the best of my knowledge, did not fix anything. The major offending file, both in the topic and according to AVG (the only one that triggered the "major warning" alert), was a file titled svchost.exe in the fonts folder. I scanned again, scanning only the fonts folder. To the best of my knowledge, AVG still did not "fix" anything. I finally found the options menu, and, after running a third or fourth complete scan with no other programs running (except Notepad), it said "All infection healed, restart required now/later?". I chose "later" and later restarted my computer.

After restarting the computer, there were many random "0x100000c" or whatever errors, some from fake processes and some from legitimate processes (such as Java). After killing the virus' processes with RunAlyzer, the main process most likely being sdrm64, this stopped. However the malware has also
-infected Google so that all Google links are redirected - I just discovered that this does not seem to apply when the same address is typed in. This also deletes all history so you can't click "back" and then "stop" to load the wanted page. "Meta Refresh" in IE options is disabled, although I am using Firefox (3).
-[s]probably[/s] changed the options to "do not show hidden files & folders," and hidden Folder Options from the control panel (I do not know where else to access it from)
-Prevented the installation of HJT
-Allowed installation of Spybot, but prevents SpyBot from running
-Added "new folder" in C:/, which contains badly done copies of the multi-user folders. Most oddly, my own user name has a capital letter, but the other two users' names do not have any capital letters, even though they are capitalized on the logon screen.
-Slow program startup (including control panel functions, Notepad, etc.)
-"Registry Editing has been disabled by the administrator," which prevents the few built-in "fix" options from Safer Networking non-Spybot programs, as they seem to want to open the registry and have you delete it, rather than deleting it through the program, which is why I downloaded HJT (which, as mentioned, will not install).
-"System restore has been turned off by Group Policy."


ProcAlyzer shows three instances of iexplore.exe, tagged correctly (running from the right location and marked as Microsoft).

RunAlyzer does not show these processes. Task manager does show them, and they restart when ended from there. I have not started Internet Explorer on this system since the last restart, and to the best of my knowledge the process does not normally start itself.

RootAlyzer shows malware in "C:\new folder\All Users\Application Data". Deleting "new folder" or any of its subfolders receives, "This folder contains files with names that are too big for the recycle bin. Delete permanently yes/no?". However, in investigating these folders, it showed pictures that actually belong to me, which is strange. For that reason, not knowing if any of these folders actually contain needed information, I clicked "No" and left the folders in place. There is no visible "Application Data" folder in "C:\new folder\All Users," and it is for that reason that I believe the malware may have set hidden folders not to appear, especially because "Folder Options" is missing. However, typing the directory into "Run..."
...actually I just did so again in order to report exactly what the error message said, in case the faked error message could help determine the malware's identity, and this time, it worked. Perhaps I made a typo the first time. Although this definitely verifies that "hidden folders" was changed. However none of the files marked as infected in RootAlyzer show in this folder (I assume they are marked as hidden).

After attempting to use the "Restore Main Window" application for Spybot, which it turns out is something you double-click which then edits or opens the registry (its file icon is a registry-related one, blue), and henceforth getting the "administrator" error message, I now hear system beeps about twice per second that do not seem to be coming from anywhere. They are not doing what they usually do when they are due to an actual system error, such as slowing things down, leaving "window trails" or repeating your mouseclicks multiple times, etc. It is just the noise.

Yes, I realize that restarting the computer is generally a bad idea, but AVG requires it (so I guess my friends made a stupid decision for their virus scanner?), and the user whose removal post I was following finished his/her removal by using the virus scanner. (And the symptoms had apparently stopped at that point, leading me to believe file removal was the final step... not to mention leading me to believe the offending file had been found due to AVG's message... (I do not believe that message was faked by the malware)).

AVG also does not seem to have any options for disabling various parts of its "all-in-one suite" crap, so it really seems like a bad idea. But these people are generally good with advice on which software to use - one of them runs his own hosting company, for example.

Last edited by mewgirl; February 26th, 2010 at 04:43 AM.
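Several of the symptoms in the post above ("Registry Editing has been disabled by the administrator", "System restore has been turned off by Group Policy", hidden files no longer shown, Folder Options missing) correspond to specific registry policy values that malware commonly sets. The following read-only script is an added example for this thread, not code from the original posts or from any of the tools mentioned; it only reports which of those values are present, so a helper can tell whether each symptom is a policy setting or something else before deciding on a repair. It assumes PowerShell is installed on the XP machine (on XP it was an optional download, not built in) and that it is run from the affected user account.

```powershell
# Added example, not from the thread: read-only inventory of the registry policy
# and Explorer values behind the symptoms listed in the first post.
# Assumes PowerShell is present on the XP system and runs as the affected user.
# Nothing is modified; each line reports one value and the symptom it matches.

$checks = @(
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
       Name = 'DisableRegistryTools'; Bad = 1
       Symptom = '"Registry editing has been disabled by your administrator" (this user)' },
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
       Name = 'DisableRegistryTools'; Bad = 1
       Symptom = 'same registry-editing message, set machine-wide' },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
       Name = 'NoFolderOptions'; Bad = 1
       Symptom = 'Folder Options removed from Control Panel and the Explorer Tools menu' },
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore'
       Name = 'DisableSR'; Bad = 1
       Symptom = '"System Restore has been turned off by Group Policy"' },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
       Name = 'Hidden'; Bad = 2
       Symptom = '"Do not show hidden files and folders" selected (1 = show, 2 = hide)' }
)

foreach ($c in $checks) {
    $value = $null
    if (Test-Path $c.Path) {
        # -ErrorAction SilentlyContinue: a missing value is a normal, informative result
        $value = (Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue).($c.Name)
    }
    if ($null -eq $value) {
        $state = 'not set (default behaviour)'
    } elseif ($value -eq $c.Bad) {
        $state = "SET to $value -> matches symptom: $($c.Symptom)"
    } else {
        $state = "present with value $value (not the restricting value)"
    }
    '{0}\{1}: {2}' -f $c.Path, $c.Name, $state
}
```

Because these are plain policy values, a hit here does not identify the malware; it only confirms that the symptom is a setting that a cleanup will need to revert, which is why the script reports rather than deletes. Deleting the values before the process that sets them is gone would likely just see them re-created on the next restart.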
#2
February 27th, 2010, 04:54 AM
Jintan
Cyber Tech Help Moderator
Join Date: Dec 2004
Posts: 52,284
Hello mewgirl,


Why don't we just take a look at things, then decide on what changes or repairs are needed there. If the system was infected through the use of torrent/P2P software I would expect you have uninstalled any of these, and, in truth, really will need you to do that as part of our repair processes here.


To keep them from interfering with the repairs, be sure to temporarily disable all antivirus/anti-spyware software while these steps are being completed. This can usually be done through right-clicking the software's Taskbar icons, or accessing each software through Start - Programs.


Download RSIT (random's system information tool) from here to your desktop. Then click on the RSIT.exe to open the RSIT display, and click the Continue button.

If necessary allow it to locate or download a copy of HijackThis as needed.

Once the scan completes a textbox will open - copy/paste those contents here for review please. The log can also be found at C:\rsit\log.txt.

RSIT will also create a second log, info.txt, which will be minimized to your taskbar. Post that here as well please (it will also be stored at C:\rsit\info.txt).

You can break logs into parts and use separate posts here when replying and posting the log files, if needed.

--------------

Also click here and download the installer for Gmer to your desktop, then click that file to run Gmer.


Once the opening scan finishes, click on Scan (before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while this scan completes. Also do not use your computer during the scan).

When completed, click on the Copy button and right-click on your Desktop, choose "New" > Text document. Once the file is created, open it and right-click again and choose Paste. Copy the information and post it here please.

#3
February 27th, 2010, 01:59 PM
mewgirl
New Member
Join Date: Feb 2010
O/S: Windows XP Home
Location: Illinois
Age: 38
Posts: 22
Hi Jintan,

The malware's main process is sdra64. As mentioned in the post above.

Why would I download a software which I have already downloaded (as mentioned in the post above) and which also will not install (as mentioned in the post above)?

Can you please actually read my post before suggesting arbitrary scans and solutions? That would be great. Thanks.

--------------------------

However, I do appreciate the fact that you posted as a human being instead of as a "professional for mentally retarded people." Although the instruction to "Click on your desktop and create a new text file," instead of opening Notepad, is a little odd. For that matter, pasting it into a Notepad file at all is odd, especially if the computer was acting slow at the time; pasting it directly into the forum without first pasting it into a random document and then recopying it makes a bit more sense.

Last edited by mewgirl; February 27th, 2010 at 02:03 PM.
#4
February 27th, 2010, 02:09 PM
dono
Senior Member
Join Date: Oct 2005
O/S: Windows 7 64-bit
Location: Upper East Tennessee
Posts: 238
Comments removed by Moderator.

Last edited by Jintan; February 27th, 2010 at 09:06 PM.
#5
February 27th, 2010, 02:24 PM
mewgirl
New Member
Join Date: Feb 2010
O/S: Windows XP Home
Location: Illinois
Age: 38
Posts: 22
I'm not arrogant. S/he didn't read my post!

It would be ludicrous to take a bunch of additional steps, including doing things that will very specifically have no effect and/or cause further damage to your computer, just because the poster who replied to you did not even read your post!

You are right, the one who responded to me SHOULD show some respect by not posting "solutions" without even knowing what the problem is.

Not that I would have said that on my own about this poster if you hadn't made such a ridiculous statement.

In general, people who reply to topics they clearly have not read are banned from the message boards (because their posts are then continually off-topic and/or irrelevant, most or all of the time).

Not that the above post was IRRELEVANT, but it wasn't about my problem (couldn't have been because they didn't read what the problems are).

Last edited by mewgirl; February 27th, 2010 at 02:28 PM.
#6
February 27th, 2010, 04:50 PM
TeamSafari
Senior Member
Join Date: May 2009
Posts: 338
Comments removed by Moderator.

Last edited by Jintan; February 27th, 2010 at 09:06 PM.
#7
February 27th, 2010, 09:06 PM
Jintan
Cyber Tech Help Moderator
Join Date: Dec 2004
Posts: 52,284
Like walking into a bear trap.

Regardless of intent, posts by others in someone's request thread here are not a precedent we need to be setting, so I did edit out off-task posts.

I am a skilled volunteer, mewgirl. Your options are to follow my lead, do the requested steps and get things resolved there, or find some other remedy for your situation. Please post the scan results so we can move forward here.