Heavily Infected

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by BamBam, Sep 4, 2007.

  1. BamBam

    BamBam Private E-2

    Hey all!

    I am having severe problems with my machine. Certain programs will not load, and others take forever to get started. Overall, my machine runs very slowly, even at startup. In fact, when I turn the power on, or even restart, the screen is blank for almost 10 minutes before Windows finally kicks in.

    I have tried to follow the procedures outlined in the "Do this before you post" section. CCleaner will not even install on my computer. I suspect some Malware may be preventing this. CounterSpy runs a system scan, and as it is running, indicates that there are Trojans that have been detected (including Trojan-Spy.Win32.Small.ez, Trojan.Win32.Agent.fd, W32.HLLP.Salityazzle.Cowabanga, Virtual-IE.MSMovies, and Virtumonde) but when the scan is completed, CounterSpy claims that no infections have been found. Again, I suspect Malware interference. Thus, I cannot post a log file from either program.

    Spybot S&D runs, but doesn't typically find much of anything...but I do fix what it does find. The online scanning programs do not work for some reason, in either Normal or Safe Mode. Hijack This works, as does GetRunKey and ShowNew. I have attached logs from all three of these programs.

    My system information is as follows: I have a Dell Dimension E510 running Windows XP.

    I would greatly appreciate any assistance you can offer, as this problem is taking what should be a high-performance machine, and making it a tedious liability. Let me know what I need to do.

    Thanks guys!

    Bam
     

    Attached Files:

  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

As stated in step 7 of the READ ME, it is critical that you install and rename HijackThis.exe as requested. You did not even extract it from the ZIP file. Please do this now and attach a new log from HJT that is properly installed and renamed. I need this before we can create a proper fix.

    Is your copy of Spyware Doctor a paid version or free trial version? It is also an old version which is out of date.

    Did you know that you are using a version of Spybot that is almost 3 years out of date?


    Uninstall the below old versions of software:
    J2SE Runtime Environment 5.0 Update 3
    Java 2 Runtime Environment, SE v1.4.2_11
    Java 2 SDK, SE v1.4.2_11
    Viewpoint Media Player <-- should have been uninstalled in step 0 of the READ ME

    Make sure you reboot after uninstalling the above!

    After reboot, now install the current version of Sun Java from: Sun Java Runtime Environment
     
  3. BamBam

    BamBam Private E-2

    Chas:

    Ok, I installed Hijack This as instructed and completed a system scan. Attached please find the Log File. I exited out of all unnecessary programs, including my Internet browser, but as you can see from the log, IE is listed as a running process. I did NOT start this process. This may be a function of Malware.

    As for Spyware Doctor...I believe I am running a trial version. I remember obtaining the full version, but was unable to run it on my machine without the entire system freezing up.

    Finally, I had NO idea my version of Spybot was that old. Where can I get a new version?

    Thanks again for your help!
     

    Attached Files:

  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    If it is a free trial program, uninstall it as it is only wasting system resources since it will not fix anything.

    All you had to do was follow the instructions in the READ & RUN ME and you would have the current version since the link in the READ ME is for the correct version. However, wait until later when I tell you to install the new version.

    Let's get started on your malware removal.

    Uninstall the below software:
    J2SE Runtime Environment 5.0 Update 3
    Java 2 Runtime Environment, SE v1.4.2_11
    Java 2 SDK, SE v1.4.2_11
    Spybot - Search & Destroy 1.3 <-- 3 yrs old. New Version to be installed later.
    Sunbelt CounterSpy <-- since we are finished with it
    Viewpoint Media Player <-- should have been uninstalled in step 0 of the READ ME

    Make sure you reboot after uninstalling the above!

    After reboot, now install the current version of Sun Java from: Sun Java Runtime Environment

    • Click on Start, then Run ... type services.msc into the box that opens up, and press 'OK'.
    • On the page that opens, scroll down to COM+ Messages
    • then right click the entry, select Properties and press Stop Service.
    • When it shows that it is stopped, next please set the Start-up Type to 'Disabled'.
    • Click OK until you get back to Windows.
    Please run HijackThis and click on the Open the Misc Tools Section button on the open page. Then select Open process manager on the left-hand side. Look for the following process (or processes) and one at a time kill them by selecting it and then click Kill process. Then click yes.
    C:\Program Files\Common Files\{A4CEE118-0C78-1033-0203-060506220001}\Update.exe

    After killing all the above processes, click Back.
    Then please click Scan and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O4 - HKLM\..\Run: [{A4CEE118-0C78-1033-0203-060506220001}] "C:\Program Files\Common Files\{A4CEE118-0C78-1033-0203-060506220001}\Update.exe" te-110-12-0000213
    O21 - SSODL: IEFilter - {0269A114-B04A-462B-9FFF-E8D4BDC30997} - C:\WINDOWS\system32\IEFilter.dll
    O23 - Service: COM+ Messages - Unknown owner - C:\WINDOWS\system32\svchosts.exe" -e te-110-12-0000213 (file missing) <-- this may already be gone due to above steps.

    After clicking Fix, exit HJT.

    Copy the bold text below to notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double-click it and allow it to merge with the registry.
    Now download The Avenger by Swandog46, and save it to your Desktop.
    • Extract avenger.exe from the Zip file and save it to your desktop
    • Run avenger.exe by double-clicking on it.
    • Check the 'Input script manually' box.
    • Click on the magnifying glass icon.
    • Copy everything in the Quote box below, and paste it in the box that opens:
    • Now click the 'Done' button.
    • Click on the traffic light icon and OK the prompt.
    • You will be prompted to restart, OK the prompt and your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt
    Now install the current version of Spybot from the link in the READ & RUN. Be sure to follow the directions for setting it up and make sure you uncheck the option to use Teatimer that you will see during the installation.

    Now run Ccleaner!

    Now attach the below new logs and tell me how the above steps went.

    1. Avenger
    2. GetRunKey
    3. ShowNew
    4. HJT


    Make sure you tell me how things are working now!

    Reminder Note: Once we have determined you are malware free you will need to disable System Restore, reboot, and re-enable System Restore per step 8 of the READ & RUN ME. This only applies if you are using WinXP or WinMe.
     
  5. BamBam

    BamBam Private E-2

    Hey!

    Ok, I went through all the above steps, with the exception of the last step involving CCleaner, which still will not install on my machine.

    Here are the log files you asked for.

    Thanks again!
     

    Attached Files:

  6. BamBam

    BamBam Private E-2

    And the HJT Log, which I couldn't fit in previous reply.
     

    Attached Files:

  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please explain the problem in detail instead of just saying it will not install. Do you get any messages? If so, give the exact word-for-word message.

    Note for future reference, Spybot should not be running when you get your HJT log.




    Run HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
    O21 - SSODL: IEFilter - {3813319B-AF02-4AF4-A3C9-11FE6078A3DF} - C:\WINDOWS\system32\IEFilter.dll (file missing)

    After clicking Fix, exit HJT.
    • Run avenger.exe by double-clicking on it.
    • Check the 'Input script manually' box.
    • Click on the magnifying glass icon.
    • Copy everything in the Quote box below, and paste it in the box that opens:
    • Now click the 'Done' button.
    • Click on the traffic light icon and OK the prompt.
    • You will be prompted to restart, OK the prompt and your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt
    Please download ATF Cleaner by Atribune. This program does not require an installation. The executable actually runs the program.

    NOTE: This program is for Windows XP and Windows 2000 only. ATF Cleaner will remove all files from the items that are checked, so if you have some cookies you'd like to save, please move them to a different directory first.
    • Double-click ATF-Cleaner.exe to run the program.
    • Under Main choose: Select All
    • Click the Empty Selected button.
    If you use Firefox browser
    • Click Firefox at the top and choose: Select All
    • Click the Empty Selected button.
      • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    If you use Opera browser
    • Click Opera at the top and choose: Select All
    • Click the Empty Selected button.
      • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    Click Exit on the Main ATF Cleaner menu to close the program.

    Now attach the below new logs and tell me how the above steps went.

    1. Avenger
    2. GetRunKey
    3. ShowNew
    4. HJT


    Make sure you tell me how things are working now!

    Reminder Note: Once we have determined you are malware free you will need to disable System Restore, reboot, and re-enable System Restore per step 8 of the READ & RUN ME. This only applies if you are using WinXP or WinMe.
     
    Last edited: Sep 9, 2007
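The HijackThis lines chaslang singles out in posts 4 and 7 above (the O4 Run entry, the two O21 SSODL entries and the O23 service) each carry a tell that can be checked mechanically. The script below is an added example, not part of the original thread and not HijackThis code: it parses those three line types and applies a few triage heuristics, namely a "(file missing)" marker, a binary sitting in a GUID-named folder, a filename one edit away from a Windows system binary (svchosts.exe against svchost.exe), a service reported with "Unknown owner", and an SSODL name outside the Windows XP defaults. The sample log lines are constructed from the entries quoted in the thread plus one benign WebCheck baseline line; the default-SSODL allowlist and the system-binary list are assumptions of the example. A flag is a reason to look closer, not a verdict: the jusched.exe entry is not flagged by these heuristics, and the first IEFilter entry is flagged only because its name is not a stock shell object.

```python
"""Triage HijackThis O4/O21/O23 log lines with a few persistence heuristics."""
import os
import re

# Windows binaries that malware commonly imitates with a one-letter name change
# (assumed list for this example; extend for your environment).
SYSTEM_BINARIES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe",
                   "services.exe", "explorer.exe", "spoolsv.exe"}
# Shell objects Windows XP registers under SSODL out of the box (assumed baseline).
DEFAULT_SSODL = {"PostBootReminder", "CDBurn", "WebCheck", "SysTray"}

O4_RE = re.compile(r"^O4 - (?P<hive>.+?): \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
O21_RE = re.compile(r"^O21 - SSODL: (?P<name>.+?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<cmd>.*)$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<cmd>.*)$")
# First drive-letter path ending in .exe/.dll, stopping at a quote (HJT leaves stray quotes).
PATH_RE = re.compile(r'[A-Za-z]:\\[^"]*?\.(?:exe|dll)', re.IGNORECASE)
# A path component that is exactly a {GUID}, e.g. ...\Common Files\{A4CEE118-...}\Update.exe
GUID_DIR_RE = re.compile(r"\\\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}\\")

# Constructed sample: the lines quoted in the thread plus one benign baseline line.
SAMPLE_LOG = [
    'O4 - HKLM\\..\\Run: [{A4CEE118-0C78-1033-0203-060506220001}] "C:\\Program Files\\Common Files\\{A4CEE118-0C78-1033-0203-060506220001}\\Update.exe" te-110-12-0000213',
    'O4 - HKLM\\..\\Run: [SunJavaUpdateSched] "C:\\Program Files\\Java\\jre1.6.0_02\\bin\\jusched.exe"',
    "O21 - SSODL: IEFilter - {0269A114-B04A-462B-9FFF-E8D4BDC30997} - C:\\WINDOWS\\system32\\IEFilter.dll",
    "O21 - SSODL: IEFilter - {3813319B-AF02-4AF4-A3C9-11FE6078A3DF} - C:\\WINDOWS\\system32\\IEFilter.dll (file missing)",
    'O23 - Service: COM+ Messages - Unknown owner - C:\\WINDOWS\\system32\\svchosts.exe" -e te-110-12-0000213 (file missing)',
    # Constructed benign baseline (stock XP WebCheck shell object).
    "O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - C:\\WINDOWS\\system32\\webcheck.dll",
]


def edit_distance(a, b):
    """Levenshtein distance; used to catch one-character lookalike filenames."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def parse(line):
    """Return a dict for an O4/O21/O23 line, or None for any other HJT line."""
    for kind, rx in (("O4", O4_RE), ("O21", O21_RE), ("O23", O23_RE)):
        m = rx.match(line)
        if m:
            rec = {"kind": kind, **m.groupdict()}
            rec["file_missing"] = "(file missing)" in rec["cmd"]
            pm = PATH_RE.search(rec["cmd"])
            rec["path"] = pm.group(0) if pm else ""
            return rec
    return None


def triage(rec):
    """Return the list of reasons an entry deserves a closer look (empty = nothing)."""
    reasons = []
    if rec["file_missing"]:
        reasons.append("orphaned entry: referenced file no longer exists")
    if GUID_DIR_RE.search(rec["path"]):
        reasons.append("binary lives in a GUID-named folder")
    base = os.path.basename(rec["path"].replace("\\", "/")).lower()
    for known in sorted(SYSTEM_BINARIES):
        if base != known and edit_distance(base, known) == 1:
            reasons.append(f"name mimics {known}")
    if rec["kind"] == "O23" and rec["owner"] == "Unknown owner":
        reasons.append("service has no owner/publisher information")
    if rec["kind"] == "O21" and rec["name"] not in DEFAULT_SSODL:
        reasons.append("non-default ShellServiceObjectDelayLoad entry")
    return reasons


def analyze(lines):
    """Map each parsed log line to its triage reasons."""
    results = {}
    for line in lines:
        rec = parse(line.strip())
        if rec:
            results[line.strip()] = triage(rec)
    return results


if __name__ == "__main__":
    for line, reasons in analyze(SAMPLE_LOG).items():
        print(line)
        for r in reasons:
            print("   ->", r)
```

Run it against a saved HJT log by reading the file into a list and passing it to analyze(); anything with an empty reason list is simply not covered by these heuristics, which is different from being clean.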
  8. BamBam

    BamBam Private E-2

    Ok, I executed all of the steps in your previous post. CCleaner now will actually install on my machine, so I ran that as well. Prior to this, I would attempt to install the program and the installation window would simply disappear...no error message, no anything.

    I'll attach all the logs you asked for. You should be aware that when I rebooted from the Avenger run, it still took about 10 minutes for my computer to boot. Basically, the Dell screen comes up, the initial Windows XP screen comes up (the one that immediately precedes the login screen) but the screen then goes blank. Ten minutes later, the login screen appears.

    Let me know if you have any additional steps I can take. Thanks!
     

    Attached Files:

  9. BamBam

    BamBam Private E-2

    And the HJT log.
     

    Attached Files:

  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    What kind of processor is in your PC? (Dell or AMD)
    What is the processor speed?
    How much RAM do you have?
    When did you first notice your PC to have slow boot ups?
     
  11. BamBam

    BamBam Private E-2

    Here is the information you asked for:

    I have a Dell Dimension E510. It has a 3.20 GHz Pentium 4 Processor and has 1.00 GB of RAM.

    I'm not exactly sure when I first noticed the slow boot-ups. Maybe a month or two ago? I usually just keep the computer on all the time (is this a mistake?) and thus I usually don't boot up all that often.

    I took note of the boot-up process earlier tonight. The screen is blank, like I described, but the fan seems to be running at high speed. Right before the thing finally boots up, the fan goes quiet. Then the login screen appears. By the way, as I type this, my fan is running at high speed. I can hear it. It's pretty constant and has been going pretty much the whole time the computer has been on (about 20 minutes at this point).

    Another tidbit of info: For some reason, when I close out IE and leave it for a while (like when I'm at work), when I try to open IE again, it tells me that it cannot display the web page. Typing in an address results in an Address Not Valid display. This is any web site I try. The only remedy is to reboot.

    I have recently defragmented my hard drive, in case that helps. I'd appreciate any thoughts. Thanks again!

    P.S. 25 minutes in...fan just stopped running.
     
  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    It sounds like you have hardware problems and or software issues (possibly Windows file system issues or driver issues) that are not malware related. As such I would suggest you post your slow bootup issue in the Software Forum and that could lead to posting in the Hardware Forum. I would ask one additional question, what are your bootup and login times like when you boot in safe mode?
     
  13. BamBam

    BamBam Private E-2

    Safe Mode also experiences a long boot up time...the same as Normal Mode. I'll run this by the Software guys and see what they say.

    Thanks for your help with the Malware!
     
  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

