Virus challenge for a professional

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by JANMOCK, Nov 18, 2010.

  1. JANMOCK

    JANMOCK Private E-2

    I need professional help with a virus.

    I am running WinXP Pro, Version 2002, SP3 on a HPCompaq dc7700, E4400@2.0Ghz, 3.50GB Ram, Avira version 10.0.0.592 with current updates, and Stopzilla.

    The symptom is a system tray blackout which causes a computer freeze and the only way I can restart is pressing the "on" button for 6 seconds.

    This problem began after midnight 11/02/2010 (actually 11/03/2010). I was working late when the HPMediaServer began its backup. I noticed some screen blips, closed the programs and retired for the evening.

    The next morning I was greeted with the message: "WHSTrayApp.exe has encountered an Application Error. Windows cannot continue from this exception (0xc0000025) has occurred in the application at location 0x01025319. Click continue to terminate."

    Clicking continue brought up more error messages. Trying to shut down the computer, I encountered partial message boxes with partial command options that did not work when clicked. The only way for complete shutdown was to press the "on" button for 6 seconds (is this called a hard boot? cold boot?).

    I tried the various virus/spyware/malware checkers in your READ ME FIRST instructions without finding any problems. I thought my computer was fixed!

    The next morning another system tray freeze occurred. Frustrated, I rebooted the computer from the PCRestore disc that came with the media server to restore to another point, 10/01/2010. I thought that would be back far enough to avoid any virus, and I was told that the hard drive would be restored sector by sector--so I would be returning to a time when things worked smoothly. I proceeded with Stopzilla as usual upon startup.

    The next morning I was greeted with the original message: "WHSTrayApp.exe Application Error..."

    I uninstalled the WHSConnect program and the HPMediaServer and Stopzilla. This time I went step by step through the READ ME FIRST instructions in Normal Mode. No problems found.
    The next morning, another system tray freeze occurred.

    I am at wit's end and ready for any suggestions anyone has out there for a solution. I can provide logs as necessary. I copied the READ ME FIRST programs onto a USB thumb drive from another computer, so the ComboFix program ran from the thumb drive instead of from the desktop. If that causes a complication, please advise.

    I am eager to hear any solutions!!!
     
  2. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Yes, for me to rule out malware as being the cause of your issues you will need to attach logs from:
    • SUPERantispyware
    • Malware Bytes
    • Root Repeal (If it runs)
    • Combofix (Yes, it must be run from the desktop, not a flash drive)
    • MGTools
     
  3. JANMOCK

    JANMOCK Private E-2

    THANK YOU, THANK YOU, FOR YOUR PROMPT REPLY.

    The logs you have requested are attached.
     

  4. JANMOCK

    JANMOCK Private E-2

    ComboFix run from desktop, file attached.
     

  5. JANMOCK

    JANMOCK Private E-2

    MGTools log attached.
     

  6. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    You are going to have to visit the software forum for I am not seeing anything odd in your logs.

    Which is something I would not recommend using.

    Let's just do this and also clean up from Stopzilla.

    Copy the bold text below to Notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.


    Make sure that you tell me if you receive a success message about adding the above
    to the registry. If you do not get a success message, it definitely did not work.

    Use windows explorer to find and delete the below files:

    • C:\SZKGFS.dat
    • C:\WINDOWS\system32\drivers\kgpcpy.cfg

    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources (except a little disk space) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required.
      • "%userprofile%\Desktop\combofix" /uninstall
        • Note: the space between combofix" and /uninstall must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
    3. Go back to step 6 of the READ ME and re-enable your Disk Emulation software with Defogger if you had disabled it.
    4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. If running Vista, it is time to make sure you have re-enabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    7. Go to add/remove programs and uninstall HijackThis.
    8. Go to the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    9. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures pointed to by step 7 of the READ ME for your Windows version and see the instructions to Disable System Restore, which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    10. After doing the above, you should work through the below link:
     
  7. JANMOCK

    JANMOCK Private E-2

    Thank you so much for your help....

    Since I am being redirected to the software forum, this means my issue is due to software conflict(s) somewhere??

    I will subscribe as advised to SuperAntiSpyware and Malwarebytes, leaving Stopzilla deleted and removing Avira Antivirus.

    I have followed the cleanup procedures...my system restore box was already checked to turn off restore points, but I unchecked and rechecked the box and restarted the computer to begin new restore points.

    I am not sure that my problem has been solved...this morning when I checked the computer at 4:55 a.m., the system tray time read 3:13 a.m., the screen was frozen and the computer was making no humming noise. I was unable to use task manager to shutdown the computer, and once again did the cold boot method of holding the "on" button for 6 seconds to get the computer to shut down.

    I will now visit the software forum to see if they have any suggestions.
    I may be forced to go back to the beginning system discs and wipe the drives clean; unfortunately I do not have many of the program install discs for the programs I have used.
    If so, can I use the data files on the HPMediaServer without risking bringing the "virus" back into the machine, or is the Server data a candidate for infection also?

    Once again, I appreciate your time and energy--what amazing challenges this forum brings to your talented brain!!
     
  8. JANMOCK

    JANMOCK Private E-2

    p.s.
    Just read the "How to protect yourself from malware."
    Now know the answer, do not use data from compromised HD...
    Thanks again!
     
  9. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    You're welcome, safe surfing! :)
     
  10. JANMOCK

    JANMOCK Private E-2

    Continuing to investigate virus problem....

    I have noticed several *.szcpf files (61 total) mostly in my Quicken directory; are these files necessary? Could they be viral related? Can I delete them safely?

    Thank you again.
     
  11. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Yes, delete them.
     