It's been going on for over a week now & getting progressively worse. I took advice from a member of this forum after reading one of his posts to another member. That has gotten rid of most of the other malware that was added.
I guess I should back up. I went to OneCare & it detected numerous trojans & was able to clean them up except one. From what I gather, it isn't able to be deleted because it is constantly running. It's always trying to throw pop ups up. I did a search for this trojan & found this forum. "ODDJOB" referred another member to "Trojanhunter," that seemed to help some, but I still can not get rid of this one trojan that is getting worse.
I cannot delete them; when I do, they just re-spawn. At first I thought they were Microsoft related as the icons used the shield & what not.
I have to close this without giving further details as the computer is acting up again. When it starts to slow like this it usually closes open windows & replaces them with spam pop-ups.
Last edited by gyrene77 : 12-20-2007 at 02:16 PM.
Reason: pics didn't load properly
Sure enough, it froze again... of course the pop ups caused it. If the pop-ups load (this happens about 50% of the time) then if I manually close them, once closed, all other open windows will crash.
Anyway, the last pic (the 2 icons on my desktop) are links to "storageprotector.com" (those bastards).
Can someone please help. With this malware running as soon as the computer is started up, there is no way for me to remove it. Not to mention, when I do a search for its location, Windows can't find it (even as a hidden file). I am at wit's end & am about to throw this thing out the window.
I don't know where this thing came from in the first place. I've had this laptop for about 2 years now & have always been careful as to what websites I go to. It just suddenly appeared one day out of the blue.
Also, I don't know if this helps or not, trojanhunter refers to it as blackhole.
I don't know how well this will work, but press CTRL+ALT+DEL and select task manager. In task manager open the Processes tab, locate urclgecd.exe, right-click on it and select End process tree. Then try to run the anti-virus program again.
If that doesn't work or you can't stop urclgecd.exe, then you need to find out what's starting it. Check your startup programs. If it's not there, open your registry by clicking on Start and then Run. In the Run dialog box type regedit.exe. This will open the registry, but first back up your registry by clicking File > Export in case something goes wrong. The usual suspects are: HKEY_CURRENT_USER/Software/Microsoft/Windows/CurrentVersion/Run and HKEY_CURRENT_USER/Software/Microsoft/Windows/CurrentVersion/RunOnce, and HKEY_LOCAL_MACHINE/Software/Microsoft/Windows/CurrentVersion/Run, HKEY_LOCAL_MACHINE/Software/Microsoft/Windows/CurrentVersion/RunOnce and HKEY_LOCAL_MACHINE/Software/Microsoft/Windows/CurrentVersion/RunOnceEx. What you're looking for is references to urclgecd.exe. Delete those, then search the directory to make sure you've gotten all of them. Be careful in the registry as you can't undo mistakes!
Also clear out your temp directory and your Internet files.
You may need to restart your computer and run another virus scan.
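The registry check described in the reply above, as an added example that is not part of the original thread: a read-only PowerShell function that walks the five autostart keys named in that post and reports any value referencing a given executable. The function name `Find-RunKeyReference` and its `-Pattern` parameter are hypothetical, and PowerShell 3.0 or later is assumed.

```powershell
# Added example: report autostart values in the Run keys listed in the post
# that reference a given executable name. Read-only; nothing is deleted.
function Find-RunKeyReference {    # hypothetical helper name
    param(
        [Parameter(Mandatory)][string]$Pattern    # e.g. 'urclgecd.exe'
    )
    $keys = @(
        'HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx'
    )
    foreach ($path in $keys) {
        $root = Get-Item -LiteralPath "Registry::$path" -ErrorAction SilentlyContinue
        if (-not $root) { continue }    # key is absent on this machine

        # RunOnceEx keeps its entries in subkeys, so walk any subkeys as well.
        $nodes = @($root) + @(Get-ChildItem -LiteralPath "Registry::$path" `
                                  -Recurse -ErrorAction SilentlyContinue)
        foreach ($node in $nodes) {
            foreach ($name in $node.GetValueNames()) {
                $data = [string]$node.GetValue($name)
                # Plain case-insensitive substring match, no wildcard parsing.
                if ($data.IndexOf($Pattern, [StringComparison]::OrdinalIgnoreCase) -ge 0) {
                    [pscustomobject]@{
                        Key   = $node.Name
                        Value = $name
                        Data  = $data
                    }
                }
            }
        }
    }
}

# Usage: list every autostart value that points at the suspect file.
Find-RunKeyReference -Pattern 'urclgecd.exe' | Format-List
```

An empty result means none of these five keys starts the file, so the launcher is somewhere else, such as the Startup folder or a service.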
I couldn't find that one, here are the processes running in my task manager:
(of course all ending in .exe)
jucheck
WLLoginProxy
ApntEx
alg
rapimgr
windows
wscntfy
iexplore
Ymsgr_tray
rhvqsuwb (disappeared)
taskmgr
iexploresistray
svchost
iexplore
ctfmon
wcescomm
spoolsv
mnyexpr
THGuard
explorer
svchost
realsched
hpztsb10
PCMService
svchost
DVDLauncher
tfswctrl
ZuneNcs
svchost
jusched
svchost
ARGSMMSG
Apoint
svchost
ISUSPM
svchost
Keyhook
lsass
services
winlogon
csrss
msnmsgr
svchost
System
System Idle Process
Some good advice there but if you are not confident with hacking the registry, I would suggest you try this:
Firstly, run an online scan from >>HERE<< (where it says "Scan now. It's free!")
See what this finds and if it removes it for you also.
Another good thing would be, after doing this, to turn off the "System Restore" option as viruses have a nasty habit of burying themselves in there also.
Once you have turned it off, run another scan and then turn it back on again.
Ok, another thing is to see if this is all we are dealing with or if something else is going on there.
After you have run the scan I mentioned, let's give it another check over to see if anything else a little shady is running by running Prevx CSI and see what it comes up with.
It also checks for rootkits and if it reports all is well, you can begin to breathe more easily :-)
Though I still would like to know what Antivirus you are currently running though dude.
God I hate trojans...
My advice is a bit after the horse is out of the barn, but...
A good offline registry scan/cleaner is CCleaner; I use it weekly.
It will isolate issues enough for you to determine what is at fault. Plus it finds the items in the folders that initiated the process. If you don't kill the source the registry will rewrite itself.
__________________ It isn't necessary to imagine the world ending in fire or ice there are two other possibilities: one is paperwork, and the other is nostalgia.
1989: Zappa
I suspect that you have the same problem as I do. In my case, it's the program called windows that hogs up all the memory. What I did was terminate it, and it would keep popping back up during those memory-hogging periods. And after about 5 minutes, it would disappear. It seemed that every time I delete the icons, that would happen but I'm not sure. I was suspicious, so I DL Process Explorer and found where the file was hiding. Also, by pure coincidence, I found that a service was created. It is called Microsoft cache control. You might also have a service that starts with ##Id.string_____. From what I gathered, it comes from Adobe but I disabled it anyway. When I found the service, I realized that it was that service which keeps on running the windows process. So, I disabled that service and deleted the file called windows and now I'm quite happy because the lag bursts are not coming back. (type services.msc into run to open the services control)
The only problem now is how to fully remove the virus. It is called StorageProtector I think, from the URL I get from those 2 links. However, my computer doesn't have the symptoms associated with StorageProtector, so I'm quite baffled. I ran a check with AVG free and a few tracking cookies came up, but nothing related to StorageProtector. Any help would be appreciated too.
Last edited by trandoanhung1991 : 12-20-2007 at 07:59 PM.
Oh, another interesting thing is that this "trojan" will also change my privacy & security settings. No matter what I do they will revert back to low to none.
Thanks for the advice G10. In the past (long time ago) I was running McAfee. But have taken the advice from others in this forum & am running Trojan Hunter.
I tried running the scan at the link you posted, but it kept freezing up half way through. I am sure this has to do with the fact that the malware was monopolizing the explorer & was causing it to crash.
I run McAfee Internet Suite (the latest one) and I swear by it.
When I worked in the corporate IT sector, we used to roll out McAfee in the banks as it is pretty good and less of a resource hog than Norton.
Ok, I still don't know what Antivirus you are running on your system dude.
If you are having a major headache ridding it and have antivirus software installed on your hdd. If you have a spare pc, I would take the hdd out of this one and slave it into the second and then let the second one run a full AV scan on it.
ONLY DO THIS AFTER UPDATING THE VIRUS DEFINITIONS ON THE SECOND SYSTEM.
Please then reboot your computer in Safe Mode by doing the following ……
• Restart your computer
• After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
• Instead of Windows loading as normal, a menu with options should appear;
• Select the first option, to run Windows in Safe Mode, then press "Enter".
• Choose your usual account.
In Safe Mode, right click the SDFix.zip folder and choose Extract All ……
• Open the extracted folder and double click RunThis.bat to start the script.
• Type Y to begin the script.
• It will remove the Trojan Services then make some repairs to the registry and prompt you to press any key to Reboot.
• Press any Key and it will restart the PC.
• Your system will take longer than normal to restart as the fixtool will be running and removing files.
• When the desktop loads the Fixtool will complete the removal and display Finished, then press any key to end the script and load your desktop icons.
• Finally open the SDFix folder on your desktop and copy and paste the contents of the results file Report.txt back onto the forum.
Note >> Do not mouseclick combofix's window while it's running. That may cause it to stall.
When finished, it will produce a log for you. The report is called ComboFix.txt.
NOTE THAT Combofix should never take more than 20 minutes (including the reboot if required).
If it takes longer then open Task Manager (press ctrl and alt and del at the same time) > use the Processes tab and end any processes of findstr, find, sed or swreg then Combofix should continue.
If that happened we want to know so please tell us which process you had to end.
Along with the SDFix report please post the Combofix log in your next reply along with a HijackThis log AND an update on how the computer is operating now.
OJ
__________________ A computer lets you make more mistakes faster than any other invention with the possible exceptions of handguns and Tequila. - Mitch Ratcliffe
For the love of God, will ya please tell me what Antivirus software you are running on your system as I can't take the suspense anymore.
btw, did those suggestions work?
I already stated in this thread I'm running "TROJAN HUNTER"
but, no... nothing has worked so far. None of them can remove the program because it is always running (I suppose that is the reason anyway). Now it's creating all kinds of files in "My Documents" folder.... hundreds, almost bordering on thousands.
You need to remove the program at startup. HijackThis will do just that, google it. Also if you know the name of the Trojan, you might be able to find a removal tool someone has made available for it which will help weed out all of its components. Google it.
Also do a windows update, they usually release Malicious Software Removal Tools.
__________________
"Y'all mind hanging back? You're jamming my frequency." OpticalDevotee
Last edited by 3ncryptabl3_lick : 12-21-2007 at 10:42 PM.
Please then reboot your computer in Safe Mode by doing the following
Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, a menu with options should appear;
Select the first option, to run Windows in Safe Mode, then press "Enter".
Choose your usual account.
In Safe Mode, right click the SDFix.zip folder and choose Extract All
I can't get windows to load in safe mode. It took me over an hour just to restart my computer after I tried 3 times in safe mode.
In safe mode an error message pops up... the same one that always pops up. Then a yellow triangle with an exclamation mark pops up with a rather long message. I get about a quarter of the way through the message when both disappear & I am left with a blank screen.
What a freakin' hassle this malware. I'm about a day away from just throwing this computer in the garbage. I've taken a lot of advice, but none seems to work, my computer is working against me.
Also, I don't know what "hijack" this is, I can only guess it has something to do with scripts in program files?
Definitely time to reinstall the OS then. If you can't get into safe mode and can't stabilize windows at all... Then you're out of luck. Stick the OS cd in the drive, boot to it and start fresh.
Hope you backed up your stuff before you got infected because you don't want to be backing it up now, you'll likely just transfer your problem over...
__________________
"Y'all mind hanging back? You're jamming my frequency." OpticalDevotee