SAS caused a problem and MGtools may not have run successfully

Hi:

Specs:

eMachines MX4625
AMD Sempron PRocessor
40 GB PATA HD
512 MB DDR

Running:

XP Home
AVG 8.0
Spybot S&D
Spyware Blaster
Windows Defender
Windows Firewall
Firefox (not the new version)

Symptoms:

Firefox extremely unresponsive
TIme lapse when typing and when text appears on screen--keylogger maybe?
Notifications that I have no firewall running (which I do) or no anti-viral (which I do).
Not sure if this is malware related--did some research but turned up nothing--when I minimize windows they do not get sent to the taskbar, but disappear. Must use task manager to get the window back.

Problems:

A friend loaded some Chinese word processing software on here. Defender detected two trojans from it. I've since removed the software, but wonder if the trojans are living in system restore. Unfortunately, I do not know the name of the software as it was written in Chinese characters and my Chinese is not very good. No longer in contact with my friend. Sorry for lack of info on that one.

When running the first scan SAS only detected one thing and "fixed" it. Unfortunately, it was a program installed by emachines called Big Fix which doesn't work properly now. I don't know how to switch it back.

MGtools didn't work right. I got a error message similar--but not identical to error #4.



Spybot S&D fixed some things. AVG 8 fixed some things. Unfortunately, I have so many AVG "warnings" that I'm unsure if everything is now clear. It runs a little bit better, but I still get that "no firewall is running" message which makes me nervous.

Thanks for your help!

 

here's the mg logs

 

Hi staywhereyouare!
Welcome to the Malware Forum!

Sorry there are bad guys in the world.
Please follow the instructions in Running GMER to detect rootkits and SysProt AntiRootkit

Attach the logs when you finish.

Thanks.
abri

 

Logs are attatched. When reading the logs, I noticed that when I uninstalled McAfee it didn't uninstall the firewall, so I guess I will download the McAfee uninstaller from MG and get rid of it after we're through. Or whatever you advise.

Thanks so much!

 

Hi staywhereyouare,

You have a file under Windows which is related to a word program that brings up primarily Chinese websites in google. The file is xdict.ini. The only thing is, this was put on your computer last October, so I'm not sure that it's relevant. We'll look at it further on.

1) Go to add/remove programs and uninstall the below:

Viewpoint Media Player


2) Yes, removing remaining McAfee files is a good idea. Here's the link for that tool:

McAfee Consumer Product Removal Tool (SymNRT)


3) If you do not use Windows Messenger (not to be confused with MSN Messenger!!) I would like you to run Disable/Remove Windows Messenger


4) Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (Note: if using Vista, don't double click, use right click and select Run As Administrator). Select Do a system scan only). In the box that opens, find the following entries and put a checkmark next to them (if you need some of them to be in the trusted zone, leave them). After check-marking them, close all your open browser windows and click on FIX:

R3 - URLSearchHook: (no name) - {2C5AA40E-8814-4EB6-876E-7EFB8B3F9662} - (no file)
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)
O4 - HKLM\..\Run: [MPFEXE] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\bigfix.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - Unknown owner - C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe (file missing)

Does the following program need to load at startup? If not, please fix it as well.


O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe


Does the following belong to programs you know or want to keep? If not, please fix it also.

O4 - HKUS\S-1-5-18\..\Run: [Power2GoExpress] NA (User 'SYSTEM')

After you click fix, just close hijackthis.


5) Next I would like to have you use ComboFix to remove some files.

• Make sure that combofix.exe (cf.exe) that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
• If it is not on your Desktop, the below will not work.
• Open Notepad and copy/paste the text in the below code box into it (make sure you scroll all the way down in the code box to get all lines selected ):

Code:

KILLALL::

FILELOOK::
C:\WINDOWS\xdict.INI

DIRLOOK::
C:\Documents and Settings\Owner\Local Settings\Application Data\NOS

REGISTRY::
[-HKEY_CURRENT_USER\Software\Kazaa]
[-HKEY_LOCAL_MACHINE\SOFTWARE\knight]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"HideLegacyLogonScripts"=-
"HideLogoffScripts"=-
"RunLogonScriptSync"=-
"RunStartupScriptSync"=-
"HideStartupScripts"=-

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"HideLegacyLogonScripts"=-
"HideLogoffScripts"=-
"RunLogonScriptSync"=-
"RunStartupScriptSync"=-
"HideStartupScripts"=-

• Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe (cf.exe)
• At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
• You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
• Now use your mouse to drag CFscript.txt on top of ComboFix.exe
• Follow the prompts.
• When it finishes, a log will be produced named c:\combofix.txt
• I will ask for this log below

Note: Do not mouseclick combofix's window while it is running. That may cause it to stall.


6) Now run CCleaner at the default setting with the Windows tab as the top one.

7) Please run C:\MGtools\GetLogs.bat and attach the fresh MGlogs.zip along with the Combofix log.


Let me know how things are running now?

abri

 

abri,

Followed instructions. Logs attatched.

Firefox is running well now and I'm not noticing lag time when I type. Yay!

I got this message when running MGtools (sorry, not sure why it's not letting me take a screenshot). Not sure of it's relevance:

Application has generated an exception that could not be handled.

Process id=Oxe 3c (3644), Thread id=0xd84 (3464).

I hit cancel to debug and got a message that it could not debug.

AVG 8.0 keeps having a conflict with SysProtect - I get infected with trojan warnings which I ignore. I suppose I can uninstall the diagnostic tools after we are through?

Also: in response to your last post where you say "You have a file under Windows which is related to a word program that brings up primarily Chinese websites in google. The file is xdict.ini. The only thing is, this was put on your computer last October, so I'm not sure that it's relevant. We'll look at it further on."

This is from that software...I remember it was installed in October right as my class was getting crazy. I think the trojan was to track shopping habits in IE. That's as much as I know.

Thanks for all your hard work on this! Have I told you that you are awesome? You're awesome!

 

Hi staywhereyouare,

1) I would like for you to create a restore point and then continue with the instructions below. If you've never created a new restore point, it is done as follows:
Go to Start / All Programs / Accessories / System Tools / System Restore
check the box to create a new restore point and click next.
Put in the title you want like Before SysProtect Removal and click on okay. It takes a moment to complete.

2) Then please follow the instructions in the following link:

Removing SysProtect


3) Then I would like for you to do a registry search:

Next please download Registry Search (see the link titled RegSearch Download Link )

• Extract the files from Regsearch.zip into a folder.
• Doubleclick regsearch.exe to start the program.
• Enter xdict.ini in the top area of the form and then click "Ok".
• Notepad will be opened with text in it (the file named RegSearch.txt will be saved in the program's folder as well). Attach this file to your next reply.

4) Now run CCleaner at the default setting with the Windows tab as the top one.

5) Please run C:\MGtools\GetLogs.bat and attach the fresh MGlogs.zip along with the Registry Search results.


Let me know how things are running now?

abri

 

Logs attatched:

Got this error msg with MGtools:

Process Id=0xf1c (3868), Thread Id=0xf60 (3936).

Even though SysProtect was just uninstalled, I am still getting an AVG 8 trojan warning. I keep hitting ignore. Please advise.

Also, any clue on the disappearing windows when I minimize? Haven't figured out how to fix it and not even sure if it's malware related. Really annoying though :confused

Thanks!

 

What disappearing windows?


1) Before you continue below, I would like for you to attach the SysProt log. When you use the Manage Attachments button, you'll find it directly under C.
C:\SysProtLog.txt


2) After you attach the above log, please continue as follows:

Next I would like to have you use ComboFix to remove some files.

• Make sure that combofix.exe (cf.exe) that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
• If it is not on your Desktop, the below will not work.
• Open Notepad and copy/paste the text in the below code box into it (make sure you scroll all the way down in the code box to get all lines selected ):

Code:

KILLALL::

DRIVER::
xdict

FILE::
C:\WINDOWS\xdict.INI
C:\SysProtLog.txt
C:\Documents and Settings\Owner\Desktop\SysProt.zip
C:\Documents and Settings\Owner\Desktop\SysProtect Remover.exe
C:\Documents and Settings\Owner\Desktop\SysProtLog.txt


FOLDER::
C:\Documents and Settings\Owner\Desktop\SysProt

• Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe (cf.exe)
• At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
• You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
• Now use your mouse to drag CFscript.txt on top of ComboFix.exe
• Follow the prompts.
• When it finishes, a log will be produced named c:\combofix.txt
• I will ask for this log below

Note: Do not mouseclick combofix's window while it is running. That may cause it to stall.


3) Now run CCleaner at the default setting with the Windows tab as the top one.

4) Please run C:\MGtools\GetLogs.bat and attach the fresh MGlogs.zip along with the Combofix log.


Let me know how things are running now?

abri

 

Greetings chaslang,

I was trying to determine two things:

If two trojans (which were detected by Windows Defender) from some Chinese to English word processing software (since uninstalled) were gone or if I needed to toggle system restore.

If the problem of minimized windows not being sent to the taskbar (they just disappear) is malware related or not. Since trying to adjust settings to make them visible doesn't work (can only make the windows reappear with task manager) I wasn't sure. I googled the problem--some say malware, some offer solutions that don't work for me and frequently people suggest this tweak, though I'm not sure if it's safe or not.

http://www.kellys-korner-xp.com/xp_tweaks.htm line 240

Not sure why it was requested that I perform Removing SysProtect procedure. I 'm assuming the three trojan warnings from AVG 8 were related to the installation of SysProtect anti root kit program, since that's when they started appearing.

If the computer is clean that's fantastic. Are there specific procedures to uninstall all the tools I loaded or just do it all from uninstall programs?

Thanks for your help.

 

Received this error msg:

Uninstaller Error

An error occurred while trying to remove Hijack This 2.0.2. It may have already been uninstalled.

Would you like to remove Hijack This 2.0.2 from the Add or Remove progams list?

y/n

Had not tried to uninstall it previously. Not running Vista (I have XP). How to proceed?

Also the hidden files and folders were not set back to default settings.

 

Hi staywhereyouare,

What happens if you say yes to uninstalling HijackThis? Does it uninstall something or do you get another error message?

abri

 

Hi Abri,

When saying yes to the error msg, it just deleted it from the list of programs on the add/remove programs list. Nothing was uninstalled.

This is what I can see when I search for MGtools (also don't know why I can't Alt + Prt Scrn--sorry):

C:\MGtools (folder)
C:\MGtools (application)
C:\MGlogs.zip
C:\WINDOWS\Prefetch (MGTOOLS.EXE)
C:\Documents and Settings\Owner\Recent (Shortcut)

Not sure if any of that info is useful to you or not.

Also just remembered this--and not sure if it is related in any way--when trying to uninstall Combo Fix I could not do it as described above. Searched the forums, renamed it "combo-fix" which uninstalled it, though it did not reset the hidden files and folders back to Windows defaults.

Thanks!