Generic.Peed.Eml

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by tiggsy, Oct 14, 2007.

  1. tiggsy

    tiggsy Private E-2

    Help

    I've got a problem with multiple variants (I think) of Generic.Peed.Eml which has Peed all over my computer.

    I have done every step in your Read and Run Me First thread, but when I ran the Panda scan it dropped out twice.

    The first time I was not at the computer when it closed without warning.

    The second time i was watching. At this point it had picked up 10 Spyware and not disinfected them, plus 1 Hacker and Root Kit (also not disinfected). It was scanning C://ntldr and then it just closed both the popup and the main window without any message or warning. (A similar thing happened yesterday when I ran Avast!).

    This means I don't have a Panda log. But I am attaching the others, except that I have a problem with bdscan.log, because it is 7.94 MB and too big for your system to upload... what do I do about this?

    Also, yesterday I tried to update Ad-Aware (the paid version) and it would not work: it asked for the key, would not accept it, and a fresh download behaved the same way. This made me very suspicious, as you might expect... so I ran Spybot S&D, which came up with a long list of stuff, said it had removed them, then listed them all again on a re-run. I downloaded the latest version of Spybot when I started reading your thing, and that version found nothing (doing it in sequence with the stuff in your instructions). Not sure how reassuring this is...
     

    Attached Files:

  2. tiggsy

    tiggsy Private E-2

    I already posted a "reply", but can't find it, so here it is again, with the remaining files from the Read and Run Me First guide.

    Also attached: ewido log.
     

    Attached Files:

  3. tiggsy

    tiggsy Private E-2

    I just finished a Kaspersky scan. I'm still finding malware; every scan I do finds stuff, some of which it says has been removed...

    Log attached.

    BTW, your link for Trend on Alternative Scans gets a 404. I used this: http://uk.trendmicro-europe.com/housecall/v6.5/?
     

    Attached Files:

  4. tiggsy

    tiggsy Private E-2

    It's possible I'm getting somewhere. Zone Alarm just came up negative.

    OTOH, I canna be sure.

    Onward.
     
  5. tiggsy

    tiggsy Private E-2

    Every single one of the anti-rootkit links on the Alternative Scans page comes up with a 500 error. I'm hoping it's genuine, in a way, but I'm paranoid.
     
  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Major Geeks!

    Then you need to attach all of the other logs that were requested.
    • BitDefender - I know you said it was too large. But why?? What was in it that made it so large? Were lots of cookies being found, or was it files in System Volume Information, or files in Quarantines, or was it email-related files? You may be able to compress it into a ZIP file, but that may still be too large. You could rescan to see if whatever was detected the first time was cleaned up, and maybe the log will be smaller.
    • HijackThis
    Also you need to go back and make sure you are following the directions properly for installing and running both GetRunKey and ShowNew. They did not run properly. You must make sure you extract ALL files from the ZIP file and run the .bat files from outside of the ZIP file. Also you must check for the mentioned error messages. Then you will need to attach new logs from GetRunKey and ShowNew.

    From what you have posted thus far, I'm not seeing any issues. How do you know you have a problem with Peed?

    The 500 error message you are having downloading files from Major Geeks is due to current problems with our download pages. We are aware of it and working on it.
     
  7. tiggsy

    tiggsy Private E-2

    I ran it again last night before I heard from you, and it came up with 6336 files infected. You know, it puts 3 lines in for each infection found, so I guess this would account for the size. I saved the new log as HTML, so I can, if you like, put it online and give you the address; would this be feasible?

    I did upload this; I don't understand why it's not there. Will attach it to this.

    Well, OK, but my normal way is to have the instructions open and go down them step by step; if necessary I paste them into Notepad or even print them as a last resort, though the screen is easier to read...

    BitDefender told me so, repeatedly, the scan before the first one I did for youse. Also, the bug with Ad-Aware I mentioned seemed suspicious, as did the fact that Avast closed without warning - and the same thing happened with Panda, which I ran as one of the steps in your instructions, as mentioned above. Then there were the 20 or so items listed in Spybot S&D which it "removed" but still listed on a second pass... oh, and the computer I use is an Alienware, and has got quite sluggish, with unexplained waits which can be quite lengthy at times, certainly noticeable.

    I guess that's some kind of a relief. I get those, too, sometimes when I screw up a .htaccess file.
     

    Attached Files:

    Last edited: Oct 15, 2007
  8. tiggsy

    tiggsy Private E-2

    OK, I just ran winprofix, since you said the file was empty (though it didn't look that way to me), and I downloaded getkey.zip again, unzipped it again to a folder called getkey in a folder called major geeks stuff at the root level of drive C:

    I went into that folder, just like before, clicked on the batch file, it ran, I closed the Notepad window, and attach the results herewith.
     

    Attached Files:

  9. tiggsy

    tiggsy Private E-2

    OK, I downloaded the ZIP for ShowNew again, unzipped it to a folder called shownew in a folder called major geeks tools (replace all - which I also did with getkeys above), went to the folder and ran it; attached is the result.

    It's odd, as it says it can't execute locate.com in that folder, many times; it's obviously finding it... This malware appears to be extremely well crafted.
     

    Attached Files:

  10. tiggsy

    tiggsy Private E-2

    I have to go out for a few hours, so I will close down - my poor Beast hasn't had any downtime for over 48 hours.
     
  11. tiggsy

    tiggsy Private E-2

    Attaching a ZIP with both bdscans, less than 250 KB!!
     

    Attached Files:

  12. tiggsy

    tiggsy Private E-2

    Results of GMER rootkit check attached in ZIP file.
     

    Attached Files:

  13. tiggsy

    tiggsy Private E-2

    My beloved computer is still sick.

    Why is nobody saying anything? I need help here, please :(
     
  14. tiggsy

    tiggsy Private E-2

    I ran the Rootkit Hook Analyzer and found 8 hooks. It would not allow me to export the file, and hung up every time I tried, so I took screenshots and saved them. They are 2 to a ZIP, because the ZIPs were too big otherwise. Here are the first 3 ZIP files.
     

    Attached Files:

  15. tiggsy

    tiggsy Private E-2

    The rest of the hook analysis files.
     

    Attached Files:

  16. tiggsy

    tiggsy Private E-2

    Attached is the RootkitRevealer log, which found some discrepancies.

    When I was going to choose where to save it, I got "Desktop refers to a location that does not exist...", but it did let me save to C:.
     

    Attached Files:

  17. tiggsy

    tiggsy Private E-2

    Here is the result of the Sophos Anti-Rootkit check.
     

    Attached Files:

  18. tiggsy

    tiggsy Private E-2

    Here is the result of the SysProt rootkit check.
     

    Attached Files:

  19. tiggsy

    tiggsy Private E-2

    Here is the result of the Trend Micro RootkitBuster scan.
     

    Attached Files:

  20. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    The Generic.Peed.Eml problem you have mentioned only appears in your BitDefender online scan log and all of the problems mentioned are in your email folders. You will need to clean this up manually or you will need to delete your email account and files and then create a new one. This is the only method by which things like this will normally be removed.

    None of the other scans are showing any problems. What prompted you to come here and run the READ ME to begin with?
     
  21. tiggsy

    tiggsy Private E-2

    I was searching for solutions through Google. I tried all the ones online apart from you first, because they were one-step, but since they involved deleting a file which does not exist on my computer (Deleted Items.dbx) - I have hidden and system files permanently visible, and no such file exists in any of my Application Data folders - I had no other choice.

    I don't know how to find the emails that are infected. I have tried this in the past. Searching for what BD says is the identifier gets you nowhere, but I don't even know if I'm looking in the right file for this, anyway.

    Anyway, here are the 2 logs which I managed to create, having changed the containing folder name to one without spaces so that they could run the things contained in it.

    I've been on lots of forums and never seen the word "bump" meaning posting. Nowhere on your forum does it say to read ALL the stickies before proceeding; only the Read Me First says to read it first, which is what I did - and it asks for a lot of info, which I was providing.

    I have done nothing now for 3 days (this started before I came onto MajorGeeks) but try and get my beloved computer working properly again. My computer means everything to me, and I don't know what to do to fix it.

    And what are all the hooks that the hook finders point out? And why won't Panda and Avast complete? How is it possible that there is "nothing wrong" if these things are happening?
     

    Attached Files:

  22. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Had no other choice for what?

    You need to run your email program (Thunderbird) and permanently delete the emails that are mentioned. If you don't see them, that could mean they are marked as deleted within the database but the old records have not been purged. You would then have to figure out how to do this purging and compressing of the email database so those old infected records are removed. The only other way would be to uninstall ALL of Thunderbird and then delete all related files and folders for it from your PC. Then after a reboot you could reinstall it. However, before you waste any time doing that, you may want to just check another scan from BitDefender to see if it still finds anything, because it did say it deleted/updated the files (but this may or may not be true).

    Is your only visible problem the fact that BitDefender reported Peed in your email program?


    All those unnecessary rootkit scans detected nothing but valid system processes and processes from software you have installed. Just because scans do not run through to completion does not mean you have malware. This happens quite frequently. In some cases it is due to file system or registry corruption. In other cases it could be physical problems with a hard disk or issues with partitioning. Sometimes it is due to conflicts with other software that is running (like other protection software). It may be necessary for you to shut down all other tools while running your scans, and never run more than one scanner at any time. Also, you should try not doing anything else at all while scanning with Avast and Panda. Also make sure only the browser window for Panda is open when scanning with Panda. Did you run Panda in safe boot mode or normal boot mode? Whatever you did, you can try the other mode.


    You do need to uninstall all the below old Sun Java versions as requested in step 6 of the READ ME:
    J2SE Runtime Environment 5.0 Update 11
    J2SE Runtime Environment 5.0 Update 4
    J2SE Runtime Environment 5.0 Update 7
    Java(TM) 6 Update 2
    Java(TM) SE Development Kit 6 Update 2
    Java(TM) SE Runtime Environment 6

    You should also uninstall the CounterSpy trial now since we are finished with it and you should also consider uninstalling all of the rootkit detectors you installed since you don't need them and it would be best to always download the current version before using them anyway.

    Also, since CCleaner appears to have not run properly for you, you should use the below to clean up a ton of junk.

    Please download ATF Cleaner by Atribune. This program does not require an installation. The executable actually runs the program.

    NOTE: This program is for Windows XP and Windows 2000 only. ATF Cleaner will remove all files from the items that are checked, so if you have some cookies you'd like to save, please move them to a different directory first.
    • Double-click ATF-Cleaner.exe to run the program.
    • Under Main choose: Select All
    • Click the Empty Selected button.
    If you use Firefox browser
    • Click Firefox at the top and choose: Select All
    • Click the Empty Selected button.
      • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    If you use Opera browser
    • Click Opera at the top and choose: Select All
    • Click the Empty Selected button.
      • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    Click Exit on the Main ATF Cleaner menu to close the program.


    Is AffiliateWindow Alerts something you installed?
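As an added example, not part of chaslang's reply or of Thunderbird itself, the Python script below shows what "purging and compressing the email database" amounts to for a Thunderbird mbox folder, which is where post #20 says the Generic.Peed.Eml detections live: it lists attachments with executable-looking names, reports which messages Thunderbird has already marked deleted (the X-Mozilla-Status Expunged bit, 0x0008, which a client-side delete sets until the folder is compacted), and writes a compacted copy without those messages. It assumes the classic mbox folder format (a file such as Inbox with no extension under the profile's Mail directory) and that Thunderbird is closed while the folder is replaced and its .msf index deleted so it is rebuilt. The sample mailbox, the addresses and the risky-extension list are constructed for the demo; the extension check is a heuristic stand-in for what BitDefender does by signature, not a detection of Generic.Peed.Eml.

```python
"""Added example (not from the thread or from Thunderbird): inspect a
Thunderbird mbox folder offline, list executable-looking attachments, and
write a compacted copy without messages that are deleted but not yet purged.
Assumptions: classic mbox folder format, Thunderbird closed while the file
is rewritten, and the folder's .msf index deleted afterwards so it rebuilds."""
import mailbox
import os
import re
import tempfile
from email.message import EmailMessage

# X-Mozilla-Status bit Thunderbird sets when a message is deleted in the
# client but the folder has not been compacted: the bytes stay on disk and
# an on-demand scanner still sees them.
EXPUNGED = 0x0008
READ = 0x0001
# Heuristic only (assumption for the demo): names a scanner would flag first.
RISKY_NAME = re.compile(r"\.(exe|scr|pif|com|bat|cmd|vbs|js)$", re.IGNORECASE)


def _build_message(subject, body, attachment, status):
    """Constructed sample message with one attachment and a Thunderbird status header."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = subject
    msg["X-Mozilla-Status"] = f"{status:04x}"  # Thunderbird stores four hex digits
    msg.set_content(body)
    name, data = attachment
    msg.add_attachment(data, maintype="application", subtype="octet-stream", filename=name)
    return msg


def write_sample_mbox(path):
    """Constructed folder: a benign message, an executable attachment already
    deleted in the client (EXPUNGED set), and one that is still live."""
    box = mailbox.mbox(path)
    try:
        box.add(_build_message("Invoice", "see attached", ("invoice.pdf", b"%PDF-1.4"), READ))
        box.add(_build_message("Greeting card", "open me", ("card.exe", b"MZ\x90\x00"), READ | EXPUNGED))
        box.add(_build_message("Photo", "look", ("photo.jpg.scr", b"MZ\x90\x00"), 0))
        box.flush()
    finally:
        box.close()


def _status(msg):
    return int(msg.get("X-Mozilla-Status", "0"), 16)


def find_risky_attachments(path):
    """Return, in file order, every attachment whose name matches RISKY_NAME,
    with its decoded size and whether the message is already flagged for purge."""
    findings = []
    box = mailbox.mbox(path, create=False)
    try:
        for msg in box:
            for part in msg.walk():
                name = part.get_filename()
                if name and RISKY_NAME.search(name):
                    findings.append({"subject": msg["Subject"], "filename": name,
                                     "size": len(part.get_payload(decode=True)),
                                     "expunged": bool(_status(msg) & EXPUNGED)})
    finally:
        box.close()
    return findings


def compact_mbox(src, dst):
    """Copy src to dst without EXPUNGED messages; returns (kept, dropped).
    This is the on-disk effect of Thunderbird's own "Compact Folders"."""
    kept = dropped = 0
    src_box = mailbox.mbox(src, create=False)
    dst_box = mailbox.mbox(dst)
    try:
        for msg in src_box:
            if _status(msg) & EXPUNGED:
                dropped += 1
                continue
            dst_box.add(msg)
            kept += 1
        dst_box.flush()
    finally:
        src_box.close()
        dst_box.close()
    return kept, dropped


def run_demo():
    """Build the sample folder, scan it, compact it, and rescan the copy."""
    workdir = tempfile.mkdtemp(prefix="mbox-demo-")
    inbox = os.path.join(workdir, "Inbox")
    compacted = os.path.join(workdir, "Inbox.compacted")
    write_sample_mbox(inbox)
    before = find_risky_attachments(inbox)
    kept, dropped = compact_mbox(inbox, compacted)
    after = find_risky_attachments(compacted)
    return {"before": before, "kept": kept, "dropped": dropped, "after": after}


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, value)
```

Against the constructed sample the first scan reports both card.exe (already expunged) and photo.jpg.scr (still live); compaction keeps two messages and drops one, and the rescan of the copy shows only photo.jpg.scr, which is the case that still has to be deleted in the client before the folder is compacted again. On a real profile, keep the original folder file until a rescan of the replacement comes back clean.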
     
  23. tiggsy

    tiggsy Private E-2

    I could find no other source of advice for the problems i was having.

    I did run it again, but it was all the same, and as it takes 7 hours or so, I stopped it to do other scans.

    Well, that's a relief. I don't know how to recognise that sort of thing.

    Well, OK. I had these mental alerts when stuff like the failed scans happened, but what really worried me was when the Ad-Aware incident happened on top of all the other stuff: I downloaded a program update, it asked for the key, I typed it once, and it said not valid, so I pasted it, and it said not valid; then I went and got a new download and had them resend the key, but the same thing happened. This was when I started getting paranoid. But I will try again, as there's definitely a lot less garbage now. There were 13 different items listed by trojanscan, including bluestreak, doubleclick, mediaplex and a load of others, which made me even more suspicious. My daughter (quite a geek), who I was chatting to while waiting for some results, was really freaked when I read her the list, so that got me even more worried...

    OK, done that. Sorry.

    OK, I've done that as well.

    OK, I will uninstall them; have done all this. Thanks.

    Yes, it pops up when something interesting happens on a site I'm signed up to. Do you think I should get rid of it?
     
  24. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Then as I stated you will have to resolve the problems yourself.

    These are just cookies, and cookies are not problems at all. See step 11 of this sticky thread: How to Protect yourself from malware!


    If you like it and trust it, then keep it. The name just makes it sound like what we would classify as malware or at the least, adware.
     
  25. tiggsy

    tiggsy Private E-2

    Just thought I would let you know, as I notice many don't seem to bother, that I got a clean bill of health from BitDefender at last.

    So thanks for all your help (doing cartwheels here)
     
  26. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome. That is what I expected when I said to rerun Bitdefender in message # 22.

    If you are not having any other malware problems, it is time to do our final steps:
    1. You can delete the ShowNew.Zip and GetRunkey.Zip files and the files that you extracted from the ZIP files. You can also delete the C:\newfiles.txt and C:\runkeys.txt logs that were created.
    2. If you are running Windows XP or Windows ME, do the below:
      • go back to step 8 of the READ & RUN ME to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    3. After doing the above, you should work thru the below link:
     
