Results of Windows XP Cleaning Procedure - logs

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by 0netrack, Apr 3, 2009.

  1. 0netrack

    0netrack Private E-2

    Hi - thanks for taking the time to look over this.

    Here are my PC details:

    O/S - Windows XP Home SP3
    Anti Virus - McAfee SecurityCentre v9.3 (incorporating VirusScan 13.3, Personal Firewall 10.3, Anti-Spam 10.3)
    Anti-spyware - SuperAntiSpyware Free Edition

    I have a problem that began on Friday 27th March at around 18:30 GMT. The problem was initially characterised by IE spitting out loads of popups - I even have details of these popups, as for some reason Google recorded them in my search history. I had left the computer, and only realised something was wrong a few hours later.

    I have had issues with spyware before, and (perhaps unwisely) decided to use hijackthis to see what the issues were, and if I could fix them. I ran the program and checked the results against information at the following links:
    http://www.bleepingcomputer.com/tutorials/tutorial42.html
    www.systemlookup.com

    Some of the items that appeared were not recognised by any of the assistance sites or by the auto analyze at hijackthis.de. I have records of the first hijackthis log, as well as subsequent ones. I attempted to 'fix' these using hijackthis, and while several of the O1 problems went (briefly), some of the more worrying O4 ones, e.g.:
    [garijofigo] Rundll32.exe "C:\WINDOWS\system32\viridipe.dll",s
    returned immediately after performing another scan.

    I'm wishing now that I had just gone and tried to get professional help for this at that point, but of course I decided I knew what I was doing...

    I rebooted into safe mode, navigated to the folder where these worrying items were, and tried to delete them manually. Some of these went, but two of them could not be deleted as I 'did not have permission'. I have records of these also.

    So going back into normal mode, the popups are back with a vengeance and I notice that when I use Internet Explorer, it will divert me to other sites when I try to search in Google. I completed another hijackthis log.

    At this point, I decided to get some help, and started working through the 'READ AND RUN ME FIRST' post on this site, with variable success.

    1. Housekeeping
    - Remove Malware programs - checked, but did not find any of the ones listed in my add/remove programs (used CCleaner)
    - Update Sun Java - had already updated in the last few weeks - should I update again?
    - Msconfig already in normal startup mode
    - Empty Quarantine - I tried to find out how to empty McAfee's quarantine folder, but could not find out, could someone advise me how to do this?
    - Emptied recycle bin
    - Already had CCleaner, cleared out main account
    2. Enable hidden / system files
    - Done
    3. Windows XP Cleaning procedure
    3.1 Downloading tools
    - Downloaded most via another laptop, as I wanted to try to keep the infected desktop offline as much as possible, transferred over using usb key
    - Renamed as suggested
    3.2 Installing tools and running scans
    SAS
    - already had on PC
    - manually downloaded updates from other PC and updated
    - Set up as suggested, crashed twice though and restarted computer, so changed as suggested unchecking 'Kernel' items
    - Finished scan and restarted computer (forgot to get the log immediately)

    Changes I now notice are there seems to be more attention being paid by Windows and McAfee to the system problems - Windows now comes up with a DEP error every 5 seconds (literally!) telling me that 'Run a DLL as an App' is being closed, then I click close message and the 'send error report' dialogue comes up. McAfee keeps telling me that potentially unwanted programs are running, and asks me if I want to block them. I also keep being told that Windows components have been changed, and to insert the Windows XP Home disk (which I don't have), I click cancel and it asks me if I really want to keep the unrecognized versions - again, it does this every 5 seconds or so.

    Later I go back to SAS to get a log as suggested - however, when I click on the latest log and click view report - nothing. If I double click it - nothing. Turns out that notepad is not working. I changed the file view settings so that txt and log files are viewed in wordpad - doesn't work either (opening wordpad produces an immediate window saying 'WordPad MFC Application has encountered a problem and needs to close'). So I then changed them to view in MS Word - now it works, but I still can't get the SAS logs to open by viewing or double clicking! If you can let me know where the logs are on the system I could upload them - there was nothing obvious in the SAS Program Files folder.

    Malwarebytes Anti-Malware
    - Installed and updated manually as before
    - Ran as instructed, attached log file

    ComboFix
    - took a few goes - the DEP pop ups meant that I had to close them all every now and then and click on the ComboFix window (otherwise it would just hang at whichever stage it was on previously)
    - Also restarted PC (which I wasn't expecting) which caused McAfee virus and firewall protection to come back on and prevent log file from being created
    - finally worked ok - log file attached

    MGTools
    - Didn't go well with this, when I double click exe file, Windows DEP window comes up saying it has closed the program to protect the computer, Name: Find String (grep) Utility, Publisher: Microsoft Corporation
    - tried to manually run some of the bat files - GetLogs.bat gave the same response, GetUnKeys just produced a txt file and zipped it, the txt file says 'Zipping GetUnKey.txt'
    - Ran the analyse.exe hijackthis file, but have not posted the log as I have several of these at various stages if you want to see them, so will upload all together.

    After I have run all of these, the problems I am still noticing are the DEP pop up files ('Run a DLL as an App' every 5 seconds, though only when other programs are open, it sometimes stays quiet for a while). Also, Notepad still doesn't work, WordPad too, and I've not tried to run programs but I can't open System in the Control Panel, or any other Control Panel icons. Still getting the occasional message about Windows unrecognized files, sometimes get a 'Working offline' message despite not using Internet Explorer.

    As well as this, I'm not sure at what stage it happened as I disconnected from the internet while I performed the scans with McAfee switched off, but now when I try to connect it won't work. Tried the SAS repair internet link tool, but no joy.

    Finally, McAfee did a scan this morning on the PC, and quarantined a few files and suggested I fix a few more (I didn't), I'm hoping this doesn't mean I have to run all these scans again! If necessary I can switch it off now, let me know if this would be helpful.

    Let me know if the hijackthis logs would be useful, or any other information you need. Thank you so much for taking the time to look over this - I appreciate that there is a lot of these to get through, and that the reply may take a while!

    Thanks,

    Dan
     


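    The O4 entry quoted in the post above is an autostart Run value that launches a DLL through rundll32.exe. The following script is an added example for readers (not code from the thread, the poster or MajorGeeks): it enumerates the HKLM/HKCU Run and RunOnce keys, picks out values that invoke rundll32 with a DLL, resolves the DLL path and reports its Authenticode signature status, so an unsigned or missing DLL in system32 stands out. It assumes the standard Run key locations and the `rundll32 "<path>.dll",<entry>` command form shown in the post; it only reports and removes nothing.

```powershell
# Added example (not from the thread): list Run/RunOnce autostart values that
# launch a DLL via rundll32.exe and report whether the DLL is signed.
# Read-only: it reports findings, it does not modify the registry or files.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        # Get-ItemProperty adds PSPath/PSParentPath/... metadata; skip those
        if ($p.Name -like 'PS*') { continue }
        $cmd = [string]$p.Value
        # match e.g.  Rundll32.exe "C:\WINDOWS\system32\viridipe.dll",s
        if ($cmd -match '(?i)rundll32(\.exe)?\s+"?([^",]+\.dll)"?') {
            $dll = [Environment]::ExpandEnvironmentVariables($Matches[2])
            # a bare file name is resolved by rundll32 against system32
            if (-not [IO.Path]::IsPathRooted($dll)) {
                $dll = Join-Path $env:SystemRoot "system32\$dll"
            }
            $status = 'MISSING'
            if (Test-Path $dll) {
                # Status is Valid, NotSigned, HashMismatch, UnknownError, ...
                $status = (Get-AuthenticodeSignature -FilePath $dll).Status
            }
            [PSCustomObject]@{
                Key       = $key
                ValueName = $p.Name
                Dll       = $dll
                Signature = $status
                Command   = $cmd
            }
        }
    }
}
```

    A legitimate Windows DLL started this way normally reports Valid; a NotSigned or MISSING result for a randomly named DLL in system32 is what a HijackThis O4 line like the one above corresponds to.
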
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Major Geeks!

    Your PC is very badly infected. Even your Windows system files have become infected which may explain why you are having additional problems like with DEP. In reality the most secure thing you can do is to format and reinstall since your system really may not be cleanable. We can try to clean it if you wish but you need to be aware of two things:
    1. The act of cleaning it may result in making it unbootable since some system files may wind up being removed because they are infected. Thus you should backup your personal data immediately before you lose it. DO NOT back up any executable files.
    2. Even if we appear to have cleaned your PC and it seems to be working properly afterwards, it really cannot be trusted or considered reliable because we may not have found everything.
    Let me know in which direction you would like to proceed.
     
  3. 0netrack

    0netrack Private E-2

    Hi Chaslang,

    Thanks for the welcome, and thanks for looking over my reports. Weighing up the options, I think it would be most sensible for me to start again and reformat the PC. This is something I'm not averse to, as before the major problems started on Friday, the computer had slowed down dramatically compared to when I first had it (though of course this may have been spyware I hadn't noticed yet...).

    Currently the main use of the PC is for audio production (I was originally planning to keep it disconnected from the internet, a decision I went back on which I'm regretting now!), so it will take me some time to duplicate all the settings, I'm not even aware of some of them as they were set up by the company that created the PC. Maybe it's time to format it, sell it, and move on to a newer system, as I think the PC is around 4 years old now.

    When I'm moving over personal data, the main thing I'd be keeping would be Cubase files and audio files, but there are also some plugins that are just DLL files that I'd really like to keep - are these safe to move over, or is there any way to check that they're safe (e.g. scanning with McAfee before I copy them over)? Would you recommend checking any other data before I copy it over? Also, what is the best way to copy the files over (unfortunately the CD drive on the PC doesn't work to burn discs!), I have an 80GB external HD I was planning to use.

    Thanks again,

    Dan
     
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    All of the files you mentioned can be considered executables and can get infected. Whether they have been infected by the particular infection you have is not known. Your best bet would be to scan them after copying them. You need to make sure you are scanning them on a clean and properly updated and protected PC.

    Since the infected PC can only be classified as unreliable, you cannot trust the results of scanning from this PC. And the act of scanning could spread the infection.

    If you have another PC you can use, I would put the infected hard disk into it as a slave drive and then scan the whole drive. DO NOT RUN ANYTHING from this infected drive and do not open any files saved on it. Just scan it. Then copy the files you wish to save to either the second PC or to your external drive. Then scan the copied files a second time.
     
