Artemis and Vundo and who knows what else

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by nando1, May 22, 2010.

  1. nando1

    nando1 Private E-2

    Hello,

    I've been battling multiple viruses that came the same day about two weeks ago. I tried removing them myself the first week, realized I couldn't, then followed the directions on this forum last week. At first, MalwareBytes and ComboFix wouldn't download, so I changed the file name in MalwareBytes as instructed and it worked. Afterwards, ComboFix was able to download.

    Once I went through all the steps, my computer worked much better and seemed to be fixed, but I was still suspicious even though my virus scans were coming up clean. Then the next day ComboFix was deleted and I knew I still had something on my system.

    Another symptom I currently have that actually never went away (which is probably why I was still suspicious) is that I cannot perform an online virus scan. IE displays an error message and today it actually told me malware is preventing it from doing what I want.

    Other symptoms I had that I fixed were that I couldn't run Windows Defender and Task Manager was disabled. At one point I also had 3 porn shortcuts added to my desktop.

    Since it's been several days since I went through all of the steps I did them again today. Attached are the logs.

    Thanks for the help.
     


  2. nando1

    nando1 Private E-2

    Here's the last log. Also, before I forget I should mention that I did remove an old version of Java and I downloaded the newest version about a week ago.

    Thanks.
     


  3. nando1

    nando1 Private E-2

    Just to give more info, below are two examples of the IE errors I always get when trying to do an online scan from any website (one happens to be from Microsoft and the other from eset).

    Microsoft website error message:

    http://onecare.live.com/site/en-us/center/howsafe.htm

    Internet Explorer has closed this webpage to help protect your computer

    A malfunctioning or malicious add-on has caused Internet Explorer to close this webpage.

    What you can do:
    Go to your home page

    Try to return to live.com

    More information

    Windows Data Execution Prevention detected an add-on trying to use system memory incorrectly. This can be caused by a malfunction or a malicious add-on.
    Other things you can do:
    Go online to learn about the Data Execution Prevention (DEP) security feature

    eset website error message:

    http://www.eset.com/online-scanner

    The instruction at "0x05000068" referenced memory at "0x05000068". The memory could not be "written".

    The same error from eset also happened on the symantec website.

    http://security.symantec.com/sscv6/home.asp?langid=ie&venid=sym&plfid=23&pkj=MEHHFRTMYRMGIUXHNUQ
     
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Major Geeks!

    Your logs are clean; however, you do have some problems to address. The main one is that you ignored the warning in the READ & RUN ME about having multiple antivirus programs installed. You have both McAfee SecurityCenter and StopSign Internet Security installed. The latter is not recommended and at one time used to even be on the rogue software list. You need to uninstall all the Stop Sign (eAcceleration) software immediately. Running too many active security applications can cause a variety of problems, including crashes.

    Also if Registry Mechanic 9.0 is only a trial, uninstall it too. If you installed Spyware Doctor with the trial, also make sure you uninstall it.

    You also need to uninstall the below old Sun Java version:
    Java 2 Runtime Environment, SE v1.4.2_03

    I also suggest that you uninstall your trial copy of PrevX, which is wasting resources since it does nothing for you unless purchased, and it has false detection issues.

    Now delete the below folders if they still exist:
    C:\Documents and Settings\Fernando\Local Settings\Application Data\beqrwhbbu
    C:\Documents and Settings\Fernando\Local Settings\Application Data\ddwtweyxl
    C:\Documents and Settings\Fernando\Local Settings\Application Data\hjvcuodey
    C:\Documents and Settings\All Users\Application Data\eAcceleration
    C:\Program Files\Acceleration Software
    C:\Program Files\eAcceleration
    C:\Program Files\StopSign



    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
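The reply above asks for three things to be checked before the new logs are taken: the Stop Sign / eAcceleration software and the old Java runtime gone from Add/Remove Programs, the listed leftover folders deleted, and only one antivirus product left active. The PowerShell script below is an added example for verifying those three points; it is not part of the original thread or of the MGtools package. The folder paths and product names are copied from the reply; the registry uninstall keys and the SecurityCenter/SecurityCenter2 WMI namespaces are the standard Windows locations for installed programs and registered antivirus products. By default it only reports; pass -Remove to delete whatever leftover folders it still finds.

```powershell
# Added example (not from the original thread): verify the cleanup steps in the reply above.
# Usage:  .\Check-Cleanup.ps1          -> report only
#         .\Check-Cleanup.ps1 -Remove  -> also delete leftover folders that still exist
param([switch]$Remove)

# Folders the reply told the poster to delete (copied verbatim from that reply).
$leftoverFolders = @(
    'C:\Documents and Settings\Fernando\Local Settings\Application Data\beqrwhbbu',
    'C:\Documents and Settings\Fernando\Local Settings\Application Data\ddwtweyxl',
    'C:\Documents and Settings\Fernando\Local Settings\Application Data\hjvcuodey',
    'C:\Documents and Settings\All Users\Application Data\eAcceleration',
    'C:\Program Files\Acceleration Software',
    'C:\Program Files\eAcceleration',
    'C:\Program Files\StopSign'
)

# Products the reply said to uninstall; matched as substrings of the Add/Remove DisplayName.
$unwantedProducts = @('StopSign', 'Stop Sign', 'eAcceleration', 'Java 2 Runtime Environment, SE v1.4.2_03')

# Standard uninstall keys (the Wow6432Node key only exists on 64-bit Windows).
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

Write-Host '== 1. Unwanted programs still listed in Add/Remove Programs =='
$stillInstalled = foreach ($key in $uninstallKeys) {
    Get-ItemProperty -Path $key -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName } |
        ForEach-Object {
            $name = $_.DisplayName
            foreach ($pattern in $unwantedProducts) {
                if ($name -like "*$pattern*") { $name; break }
            }
        }
}
if ($stillInstalled) { $stillInstalled | Sort-Object -Unique | ForEach-Object { Write-Host "  STILL INSTALLED: $_" } }
else                 { Write-Host '  none (good)' }

Write-Host '== 2. Leftover folders =='
foreach ($folder in $leftoverFolders) {
    if (Test-Path -LiteralPath $folder) {
        if ($Remove) {
            # Malware droppings are sometimes marked hidden/read-only; -Force handles that.
            Remove-Item -LiteralPath $folder -Recurse -Force -ErrorAction Continue
            Write-Host "  REMOVED: $folder"
        } else {
            Write-Host "  STILL PRESENT: $folder"
        }
    }
}

Write-Host '== 3. Antivirus products registered with Windows Security Center =='
# XP uses root\SecurityCenter; Vista and later use root\SecurityCenter2. Query both.
$avProducts = foreach ($ns in 'root\SecurityCenter', 'root\SecurityCenter2') {
    Get-WmiObject -Namespace $ns -Class AntiVirusProduct -ErrorAction SilentlyContinue |
        Select-Object -ExpandProperty displayName
}
$avProducts = $avProducts | Sort-Object -Unique
$avProducts | ForEach-Object { Write-Host "  $_" }
if (@($avProducts).Count -gt 1) {
    Write-Host '  WARNING: more than one antivirus product is registered; keep only one (the reply above says McAfee).'
}
```

Run it from an elevated PowerShell prompt (the registry and WMI queries need nothing special, but deleting folders under Program Files does). A "STILL INSTALLED" line means the uninstaller was not run or left its Add/Remove entry behind; a "STILL PRESENT" line is a folder the uninstaller did not clean up and that the reply wants removed by hand.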
  5. nando1

    nando1 Private E-2

    OK, based on your recommendation I have uninstalled StopSign. I have also uninstalled Java 2 Runtime Environment, SE v1.4.2_03. I deleted any remaining folders from the list provided.

    Registry Mechanic and PrevX are paid software and not trials. I have not uninstalled them. If you feel it is essential to uninstall PrevX please let me know.

    I went back to the Microsoft site to see if I can do an online scan and I am getting the same message as before. If you think my logs are clean could the errors I'm getting with attempting online scans be an IE or other software problem and not due to any remaining malware per se?

    My updated logs are attached.
    Thanks.
     


  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes, your logs are clean. Your problems are not due to any malware being present. You may want to try a few things to see if they are related to software you are running:

    1. See what happens if you shut down or uninstall PrevX, Windows Defender, and McAfee. Sometimes protection software itself becomes a problem, especially if it gets corrupted, which can happen when multiple applications are installed at the same time. I do not suggest having PrevX and Windows Defender running anyway with McAfee, since it already has its own antispyware protection built in.
    2. Try running scans in safe boot mode to see what happens.
    3. Try using another browser like Mozilla Firefox.
    Since you are not having malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources (except a little disk space) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /uninstall
        • Notes: The space between the combofix" and the /uninstall, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
    3. Go back to step 6 of the READ ME and re-enable your Disk Emulation software with Defogger if you had disabled it.
    4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    7. Go to add/remove programs and uninstall HijackThis.
    8. Go to the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    9. After doing the above, you should work through the below link:
     
