Virus (Z-connect/Virtual Mem/Failed Shutdown)

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by frostbite23, Mar 3, 2009.

  1. frostbite23

    frostbite23 Private E-2

    Hi all!

    So I have run through the gamut provided via the FAQ: Read & Run Me + Windows cleanup, SUPERAntiSpyware to MGtools.

    I'm running XP SP2 on a Dell Latitude E6400.

    So I suspect the problem happened yesterday night (Sunday) when I tried to download software called Anchor-Free to let me watch videos on the net. I tried this b/c I'm in Canada and wanted to watch TV clips that are for "Americans" only.

    I instantly noticed the install seemed sketchy. There was a quick flurry of error messages that just popped up and disappeared. Nothing happened immediately, but I did feel like I got infected at that moment. The install never fully happened and instead it was called "Hotspot Shield", not Anchor Free? DL from: http://anchorfree.com

    This afternoon (Monday) I lost my Dell WLAN Card Utility and had to switch to the Windows network manager to get back on the net. Since then I've been having problems:

    1. - Shutting down hangs up after taking away the desktop icons (leaving just the background to display and no shut down/restart)
    2. - A couple times where windows told me it needed to shut down right after manually turning it off (after shutdown hang-up)
    3. - Random error messages for two .exe's needing to shut down "*.exe has encountered a problem and needs to close. ..." for: g615k3f7g5s7.exe and c4m2m9o4v7p9.exe
    4. - Virtual memory low warnings
    5. - Laptop seeming to continue thinking
    6. - Suspicious bluetooth dialup network entry: z-connect popped up a couple times, even after being manually deleted
    7. - Suspicious .exe sitting in main directory C:\ called "x9y9d3e5l9y8.exe"

    Running SAS, Malwarebytes' Anti-Malware and Spybot:
    1. Found some errors and all were deleted, but no improvement was made.
    2. Laptop still hanging up at shutdown


    Running ComboFix:
    1. Shutdown seemed smooth (no hard power off needed) and Dell WLAN Card Utility returned
    2. BUT: Still got an error for g615k3f7g5s7.exe failing and needing to close
    3. While installing ComboFix, incurred "Dell.UCM.exe has encountered a problem and needs to close. ..."
    4. Despite this, still think ComboFix executed completely.

    Any suggestions? It seems that since ComboFix it's a bit better... but I'm still worried there's more damage :( I just got this computer 6 months ago, and it's way too early to get a virus! Any help you can give is a godsend!

    Thanks so much,
    Mike
     

    Attached Files:

  2. frostbite23

    frostbite23 Private E-2

    MGTools LOG
     

    Attached Files:

  3. frostbite23

    frostbite23 Private E-2

    Update: After full shut down last night, the problems seemed to recur.

    Dell WLAN utility disappeared again, CPU is constantly thinking and I got this error at startup:

    Windows cannot find 'C:\WINDOWS\system32\drivers\RegSrv.exe'. Make sure you typed the name correctly, and then try again. To search for a file, click the start button and then click search.

    --> I believe RegSrv.exe was one of the files that one of the cleaning programs identified and killed.

    Please note: I did have this error yesterday too, but forgot to post it. Also, opening documents/Excel sheets is difficult. If I double click them in their folders, they won't open. I have to open Word or Excel with a blank doc and then open old docs from there.

    Dang... really hope someone knows how to fix this guy! :(
     
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Major Geeks!

    Now we need to use ComboFix again
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    • Open Notepad and copy/paste the text in the below quote box into it:
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below
    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.


    Now run Ccleaner!

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:
    • C:\ComboFix.txt
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
  5. frostbite23

    frostbite23 Private E-2

    Hi chaslang!

    Thanks for helping out!

    So I made the .txt file and dragged it over to ComboFix on the desktop. ComboFix ran and the .txt disappeared. It showed the deletion of those files at the beginning of the scan. I also didn't have any other programs open.

    I then double clicked the MGtools.exe in my C:\ folder to run the MGTool again. The new log is 1KB smaller than the last one.

    Still think I have the problem though, since I got an error from C:\Documents and Settings\Mike\g6l5k3f7g5s7.exe again right after ComboFix rebooted.

    The good thing is that when my laptop starts hanging up again, I can at least run ComboFix and can connect to the internet again, for at least a while at a time.
     

    Attached Files:

  6. frostbite23

    frostbite23 Private E-2

    Oh and, not sure if you know anything about this but someone has suggested I run a live update virus program.

    Trinity Rescue CD
    http://trinityhome.org/Home/index.php?wpid=1&front_id=12 .

    Seems to be a Live Antivirus solution that you can update the definitions on. I haven't yet run it because I'm figuring out what it does and how to use it. It may require me to run it from another computer on this hard drive.

    Whatever virus I have, keeps coming back. Does it have much to do with the blue windows boot screen taking longer than usual?
     
  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I did not ask you to run MGtools.exe. I said
    In the future please make sure you follow instructions given.

    Do not do anything we do not ask you to do. If you run things we do not ask for, this thread could be closed. You still have a couple of things to remove. Sometimes it just takes a couple of repetitions, since infections can spread/mutate after you post your logs but before we give a fix. Thus we need to get the changes in the next round.

    If you are concerned about your Startup time, consider why you have all the below stuff running. These are not malware. You need to decide if/why you need these.



    Now we need to use ComboFix again.
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    • Open Notepad and copy/paste the text in the below quote box into it:
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below
    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.


    Now run Ccleaner to cleanup temp files!

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).


    Then attach the below logs:
    • C:\ComboFix.txt
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
  8. frostbite23

    frostbite23 Private E-2

    Hi again, sorry for mixing up some instructions. I followed them to the T this time and ran the reports.

    PS: As for the live update thing, I didn't actually run anything, I just thought it might help to share as much info as possible. Sorry.
     

    Attached Files:

  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    A malware service we removed in the fix back in msg # 4 has returned. We need to run another fix.


    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O23 - Service: RegSrv Service Controler - Unknown owner - C:\WINDOWS\system32\drivers\RegSrv.exe (file missing)

    After clicking Fix, exit HJT.


    Now we need to use ComboFix again.
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    • Open Notepad and copy/paste the text in the below quote box into it:
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below
    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    Now run Ccleaner!

    Now goto this link Using MGtools and download the new version of MGtools.exe from the black bold print link in the first sentence. Overwrite your previous MGtools.exe file with this one.

    Run MGtools.exe ( Note: If using Vista make sure UAC is still disabled. Also don't double click on it, use right click and select Run As Administrator )


    Now attach the below log:
    • C:\ComboFix.txt
    • C:\MGlogs.zip
    Make sure you tell me how things are working now! After attaching your new logs, YOU MUST NOT reboot or power down your PC. Wait until I give you the next steps. Infections like you have can mutate or spread during power downs or reboots thus making your real conditions change and fixes then become incorrect.
     
    Last edited: Mar 17, 2009
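    The O23 line above is a HijackThis service entry whose binary has already been deleted but whose registration remains, which is why the log shows "(file missing)"; the same path appears in the startup error quoted in post #3. As an added example, not part of the thread and not HijackThis code, here is a small Python triage script that reads HJT-style O4 (Run key) and O23 (service) lines and flags the patterns this thread turns on: a service whose file is missing, an "Unknown owner" service, an autostart binary living under a user profile, and a random-looking 12-character executable name like the g615k3f7g5s7.exe / x9y9d3e5l9y8.exe names from post #1. The sample log is constructed (the RegSrv line is the one quoted above; the other three lines are made up), and the random-name heuristic is my own assumption, not a HijackThis rule.

```python
import re
from typing import Dict, List

# Constructed sample log: the RegSrv O23 line is quoted from the thread; the
# other three lines are made up to exercise the remaining checks.
SAMPLE_HJT_LOG = r"""
O4 - HKCU\..\Run: [g615k3f7g5s7] C:\Documents and Settings\Mike\g615k3f7g5s7.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O23 - Service: RegSrv Service Controler - Unknown owner - C:\WINDOWS\system32\drivers\RegSrv.exe (file missing)
O23 - Service: Windows Audio (AudioSrv) - Microsoft Corporation - C:\WINDOWS\System32\svchost.exe
"""

O4_LINE = re.compile(r"^O4 - (?P<hive>\S+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O23_LINE = re.compile(
    r"^O23 - Service: (?P<service>.*?) - (?P<owner>.*?) - "
    r"(?P<path>.*?)(?P<missing> \(file missing\))?$"
)

# Assumed heuristic (not from HijackThis): a 12-character lowercase name that
# mixes at least four letters and four digits, e.g. x9y9d3e5l9y8.exe.
RANDOM_NAME = re.compile(r"^[a-z0-9]{12}\.exe$")


def looks_random(filename: str) -> bool:
    """True if the executable name matches the random-name heuristic above."""
    name = filename.lower()
    if not RANDOM_NAME.match(name):
        return False
    stem = name[:-4]
    digits = sum(c.isdigit() for c in stem)
    return digits >= 4 and len(stem) - digits >= 4


def basename(path: str) -> str:
    """Last path component of a (possibly quoted) Windows path."""
    return re.split(r"[\\/]", path.strip().strip('"'))[-1]


def triage(log_text: str) -> List[Dict[str, str]]:
    """Return one finding per suspicious autostart entry in an HJT-style log."""
    findings: List[Dict[str, str]] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = O23_LINE.match(line)
        if m:
            reasons = []
            if m.group("missing"):
                reasons.append("service binary is missing (orphaned registration)")
            if m.group("owner").lower() == "unknown owner":
                reasons.append("no vendor in the binary's version info")
            if looks_random(basename(m.group("path"))):
                reasons.append("random-looking executable name")
            if reasons:
                findings.append({"kind": "service", "line": line,
                                 "reasons": "; ".join(reasons)})
            continue
        m = O4_LINE.match(line)
        if m:
            cmd = m.group("cmd")
            reasons = []
            if looks_random(basename(cmd)):
                reasons.append("random-looking executable name")
            if "documents and settings" in cmd.lower():
                reasons.append("autostart binary lives in a user profile")
            if reasons:
                findings.append({"kind": "autorun", "line": line,
                                 "reasons": "; ".join(reasons)})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_HJT_LOG):
        print(f"[{f['kind']}] {f['reasons']}\n    {f['line']}")
```

    On the constructed sample this reports two entries: the user-profile Run key with the random name, and the RegSrv service with its missing binary and unknown owner. The two Microsoft-looking lines are left alone. An entry flagged only as "file missing" is an orphan to delete from the registry, as the HijackThis fix above does; an entry whose file still exists and matches the random-name heuristic is the one to collect and scan before removing.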
  10. frostbite23

    frostbite23 Private E-2

    Well, this is starting to get depressing. Still suspect I have problems...

    This must be related to the constant ticking of the disk (the CPU keeps thinking every second or so, subtle but annoying).

    I've attached the logs and followed the steps, including downloading a new MG Tools.

    I'm also concerned about these two file folders in my C:\ drive:

    C:\4ee15ba42ca387933700b98376c769
    C:\fdc439c5edc7d907f088545a86f1
    --> this one has a bunch of .xml files in it

    Do you think we can kill this virus or are we walking down a lonely road? I'll be sure not to restart my computer until I next hear from you.
     

    Attached Files:

  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    This is not due to malware. It is likely due to something you have running. Possibly something doing a download or update in the background.

    Just folders left over from failed Windows Updates. You can delete them.

    It's already gone. Your logs are clean now.
     
