Messed up system

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by ergeek, Sep 30, 2007.

  1. ergeek

    ergeek Private E-2

    Hello,

    I am cleaning a friend's system. Several weeks ago her system ground to a halt - I initially de-installed her out of date antivirus scanner (McAfee), some other malware from Add/Remove programs, ran AVG Antivirus free, Spybot and AVG AntiSpyware, AdAware - they found LOTS of problems and fixed them. This helped the system enough that she took it back to use it. I just got my hands on it again this weekend to continue the cleaning.

    Again ran AVG Antivirus (found a few problems). Before I found your read/run first post, I did some scans: Spybot from normal mode, AVG AntiSpyware - they both found LOTS (>1000) problems and fixed them. Also ran the Kaspersky online scanner - found some problems and fixed them, also tried to run the TrendMicro scanner - it found problems, but got stuck fixing them.

    Then I found your read/run first post, and followed it: General maintenance etc., then CCleaner, Safe Mode Spybot and CounterSpy, BitDefender scans. Then I tried to do online Panda scan, but my internet connection wouldn't stay up long enough for download in safe mode, so I had to run the Panda scan from normal mode. (I could start the download, but the connection would drop after about 5-6 min. The weird thing about that was I was able to ping the Panda site successfully, but could not reach any site with a browser after that initial 5-6 min). Then completed the rest of your read/run first post (hope I did it all right!).

    Attached on this post and the next are all the logs.

    Thanks for any help!

    ergeek
     

    Attached Files:

  2. ergeek

    ergeek Private E-2

    More logs attached.
     

    Attached Files:

  3. abri

    abri MajorGeek

    Hi ergeek!
    Welcome to Major Geeks!


    1) Please go to add/remove programs and uninstall the following:

    - Java 2 Runtime Environment, SE v1.4.2
    - Sunbelt Counterspy <---- we're finished with this now


    2) Then delete the below folders which may be left behind by the uninstall:

    C:\Documents and Settings\Cindy\Application Data\Sunbelt Software
    C:\Documents and Settings\All Users\Application Data\Sunbelt Software
    C:\Program Files\Sunbelt Software


    3) Now REBOOT your computer!

    4) After you've rebooted, please install Java Runtime Environment vs. 6.2

    5) If you do not use Windows Messenger (not to be confused with MSN Messenger!!) I would like you to run Disable/Remove Windows Messenger

    I am looking at your logs. This takes some time, so it could be tomorrow before I get back to you. If you have any questions about the above procedures, just ask.

    abri
     
  4. ergeek

    ergeek Private E-2

    Hello abri!

    Thanks very much for the quick reply. I did all the actions recommended, and will patiently await your recommendations based on the logs.

    I very much appreciate your help!

    ergeek
     
  5. abri

    abri MajorGeek

    Hi ergeek!
    The computer's badly infected. Please try not to use it until we can get a cleaning procedure together.
    Thanks!
    abri
     
  6. ergeek

    ergeek Private E-2

    Ok, abri! I shut it down. No hurry - I have basically confiscated this system from my friend so I could get it clean.

    (Now I have to worry about the new laptop she just bought because this desktop wasn't working right - she hasn't let me get her laptop protected yet - she is depending on some stuff they installed at the store. I am scared, very very scared....).

    Thanks again for your help!

    ergeek
     
  7. abri

    abri MajorGeek

    Hi ergeek!
    What's in this folder? C:\WINDOWS\PEERNET
     
  8. ergeek

    ergeek Private E-2

    Hi abri!

    Contents of C:\WINDOWS\PEERNET:

    sqldb20.dll
    sqlqp20.dll
    sqlse20.dll

    Thanks!

    ergeek
     
  9. abri

    abri MajorGeek

    Hi ergeek!

    1) Please upload the following file to either VirusTotal or jotti and have it scanned. Let me know the results of the scan. (If you've never done this, either of the links will take you to a website where there's a small window with a "Browse" button next to it. Click on the Browse button to find the file you wish to have scanned in your computer and then submit it for a scan. Jotti and virustotal use many different antivirus programs to scan single files and produce a report).
    2) If you do not use Windows Messenger (this is not MSN Messenger!!) I would like you to run Disable/Remove Windows Messenger

    3) Now scan with HijackThis and check the boxes for the following entries. I'll give you two sets: one to fix, and one to think about fixing if they are things you don't need to have in startup. (Make sure ALL browser windows are closed when you click FIX.)
    4)Now download The Avenger by Swandog46, and save it to your Desktop.
    • Extract avenger.exe from the Zip file and save it to your desktop
    • Run avenger.exe by double-clicking on it.
    • Check the 'Input script manually' box.
    • Click on the magnifying glass icon.
    • Copy everything in the Quote box below, and paste it in the box that opens:
    • Now click the 'Done' button.
    • Click on the traffic light icon and OK the prompt.
    • You will be prompted to restart, OK the prompt and your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt
    5) Please download ATF Cleaner by Atribune. This program does not require an installation. The executable actually runs the program.

    NOTE: This program is for Windows XP and Windows 2000 only. ATF Cleaner will remove all files from the items that are checked, so if you have some cookies you'd like to save, please move them to a different directory first.
    • Double-click ATF-Cleaner.exe to run the program.
    • Under Main choose: Select All
    • Click the Empty Selected button.
    If you use Firefox browser
    • Click Firefox at the top and choose: Select All
    • Click the Empty Selected button.
      • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    If you use Opera browser
    • Click Opera at the top and choose: Select All
    • Click the Empty Selected button.
      • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    Click Exit on the Main ATF Cleaner menu to close the program.


    6) After you have completed ALL of the above in the correct order, please attach the following logs. Also, let me know how things are running.
    • scan results for Jotti or VirusTotal
    • Avenger Log
    • ShowNew Log
    • GetRunKey Log
    • HijackThis Log
    abri
     
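    Before uploading the three PEERNET DLLs or ka.ini, a practitioner would normally fingerprint them first: VirusTotal lets you search by hash, so a hash lookup can answer "has anyone seen this exact file?" without uploading it, and the hash is also what you compare against a known-good copy of a file with the same name. The script below is an added example, not part of abri's instructions or of any tool named in this thread. It builds a temporary directory of constructed stand-in files named after ergeek's listing (their contents are NOT real DLLs) and produces a triage manifest with size, an MZ-header check and MD5/SHA-1/SHA-256 for each file.

```python
import hashlib
import os
import tempfile


def hash_file(path, algorithms=("md5", "sha1", "sha256")):
    """Hash one file in chunks so large binaries do not need to fit in memory."""
    hashes = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            for h in hashes.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashes.items()}


def is_pe(path):
    """True if the file starts with the 'MZ' DOS header every Windows PE (exe/dll) has."""
    with open(path, "rb") as f:
        return f.read(2) == b"MZ"


def triage_directory(directory):
    """Return one manifest row per regular file: name, size, PE flag and hashes."""
    rows = []
    for name in sorted(os.listdir(directory)):
        full = os.path.join(directory, name)
        if not os.path.isfile(full):
            continue
        row = {"name": name, "size": os.path.getsize(full), "pe": is_pe(full)}
        row.update(hash_file(full))
        rows.append(row)
    return rows


def build_sample_directory():
    """Constructed sample: stand-ins with the names ergeek listed, plus an empty ka.ini.
    The contents are a bare MZ header padded with zeros, not real DLLs."""
    d = tempfile.mkdtemp(prefix="peernet_sample_")
    for name in ("sqldb20.dll", "sqlqp20.dll", "sqlse20.dll"):
        with open(os.path.join(d, name), "wb") as f:
            f.write(b"MZ" + b"\x00" * 62)
    with open(os.path.join(d, "ka.ini"), "wb"):
        pass  # zero-byte file
    return d


if __name__ == "__main__":
    sample = build_sample_directory()
    for r in triage_directory(sample):
        print(f"{r['name']:<14} {r['size']:>8} bytes  PE={r['pe']!s:<5} sha256={r['sha256']}")
```

    On the real machine you would point triage_directory at C:\WINDOWS\PEERNET instead of the sample and paste the SHA-256 values into the VirusTotal search box. A file that is not a PE despite its .dll name, or a zero-byte file like the empty ka.ini stand-in above, is worth a closer look in its own right; a hash that nobody has ever seen is a reason to upload the file, not proof that it is clean.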
  10. ergeek

    ergeek Private E-2

    Hi abri!!

    1) C:\WINDOWS\ka.ini scan
    Ran both Jotti and VirusTotal – neither found anything. (Do you need results?)

    2) Disable/Remove Windows Messenger
    Done.

    3) HijackThis fixes
    DONE (including all optional fixes)

    4) Avenger
    Done (log attached).

    5) ATF Cleaner
    Done.

    6) After you have completed ALL of the above in the correct order, please attach the following logs
    Logs attached here and in the next reply.

    Thanks very much for all your help!!!

    ergeek
     

    Attached Files:

  11. ergeek

    ergeek Private E-2

    More logs.
     

    Attached Files:

  12. abri

    abri MajorGeek

    Hi ergeek!

    1) Please scan with HijackThis and check the boxes for the following entries. If you don't find them, stop here, and go to step 3. I won't need a log for HijackThis if these two entries aren't there.
    ( Make sure ALL browser windows are closed when you click FIX )


    2) After this please
    • Double-click ATF-Cleaner.exe to run the program.
    • Under Main choose: Select All
    • Click the Empty Selected button.
    If you use Firefox browser
    • Click Firefox at the top and choose: Select All
    • Click the Empty Selected button.
      • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    If you use Opera browser
    • Click Opera at the top and choose: Select All
    • Click the Empty Selected button.
      • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    Click Exit on the Main ATF Cleaner menu to close the program.

    3) If this file in My Documents is not a known file, please have it scanned by Jotti or Virustotal.
    4) If you found the two O2's in the HJT and fixed them, please post a final HijackThis log to me. Let me know either way.

    - HijackThis.log


    abri
     
  13. ergeek

    ergeek Private E-2

    Hi again abri!

    Wow, you are fast!

    1) Scanned with HijackThis, clicked the check-box on the two O2 objects and clicked 'Fix'. It said it was fixing them, but they are still in the log (attached). I actually tried this twice.

    2) Ran ATF cleaner again (only browser in use is IE7).

    3) The PDF file in MyDocuments is a known file (I scanned it anyways - Jotti did not find any problems).

    4) HJT log attached.

    Many many thanks for all your help! The system is running much better, a couple of ZoneAlarm warnings have stopped popping up, etc.

    ergeek
     

    Attached Files:

  14. abri

    abri MajorGeek

    ergeek,

    Try running HijackThis for those two O2 entries with your antivirus, antispyware, and firewall disabled. Please only disable these after turning the computer off and disconnecting from the internet. It's possible they're blocking the fix. If this doesn't work, reconnect and boot up again. Your antivirus, antispyware and firewall should come back on automatically. If not, re-enable them. Let me know if this works. The exact names of the entries are in Step 1 of post number 12. We only want to fix these two.

    abri
     
  15. ergeek

    ergeek Private E-2

    Hi abri!

    Still no luck getting rid of those two entries. I disabled ZA, AVG. I tried doing it from safe mode as well. No luck. I have attached the latest HJT log just in case.

    Thanks again!

    ergeek
     

    Attached Files:

  16. abri

    abri MajorGeek

    Hi ergeek!

    1) We'll try something different:
    • Run avenger.exe by double-clicking on it.
    • Check the 'Input script manually' box.
    • Click on the magnifying glass icon.
    • Copy everything in the Quote box below, and paste it in the box that opens:
    • Now click the 'Done' button.
    • Click on the traffic light icon and OK the prompt.
    • You will be prompted to restart, OK the prompt and your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt

    2) After this please
    • Double-click ATF-Cleaner.exe to run the program.
    • Under Main choose: Select All
    • Click the Empty Selected button.
    If you use Firefox browser
    • Click Firefox at the top and choose: Select All
    • Click the Empty Selected button.
      • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    If you use Opera browser
    • Click Opera at the top and choose: Select All
    • Click the Empty Selected button.
      • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    Click Exit on the Main ATF Cleaner menu to close the program.

    3) Please post the following logs and let me know how things went. Also, how is the computer running now?

    - HijackThis.log
    - avenger.txt

    abri
     
  17. ergeek

    ergeek Private E-2

    Hi abri!

    Well, I did the suggestions - no luck (see attached logs). Should I try deleting these in the registry myself?

    However, the system is running very well.

    The only problem I am currently having is that when I don't use the system for some long period of time (hours), the network connection drops (this system is wired to a Dlink router, then to a cable modem). I can ping the router, but cannot ping google, dlink, etc. A release/renew works, but takes a minute or more for the system to finally get to the internet. There is another system wired to this router that sees the internet fine even when this system does not. Not sure if this is malware-related or not - I may try replacing the LAN card to see if that helps.

    Thanks again for all your help!! You don't know how much it is appreciated!

    -ergeek
     

    Attached Files:

  18. abri

    abri MajorGeek

    Try this:

    Copy the contents of the below Quote Box (Including the word REGEDIT4) to Notepad. Then click File and then Save As. Change the Save as Type to All Files. Name the file fixme.reg and then click save. (make sure you save it somewhere you can find it. Saving it to your Desktop may make that easy.) Then double-click on the fixme.reg file on your desktop (or locate it with Windows Explorer and double click on it if not saved to the Desktop) and when it prompts to Add in to the registry, say yes.
    After this run HijackThis again and check if they are gone. If they are gone, please run ATF cleaner and post a fresh HijackThis log back to me. If they are still there, please go into your registry by clicking on Start / Run and type in Regedit. Follow the pathway of these keys starting with HKEY_LOCAL_MACHINE and go until you can highlight Browser Helper Objects. Then go back up to the menus at the top and click on Edit and Search and copy and paste the key number F8241258-7425-E5B8-2794-A607FBD21C67 into the search box and click search. Do the same thing for both and tell me if you find them. You can search for them manually, but searching with copy/paste reduces the possibility of error.

    abri
     
  19. ergeek

    ergeek Private E-2

    Hi abri!

    The fixme.reg did not work (entries still there in HJT). So here is the result of the search of the registry for those keys:

    I did not delete any - just searched so I can get input from you to make sure I'm not messing anything up.

    Still having the weird internet thing, but otherwise system runs great! I am waiting to get the system clean before I mess too much more with that.

    Thanks once again!!

    ergeek
     
  20. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Let me interject for a moment ...right click my computer / properties / device manager / expand network adapters / right click your lan card and choose properties ...last tab is power management ...uncheck the box to have the computer turn it off.

    Did that help?
     
  21. ergeek

    ergeek Private E-2

    Hi TimW!

    Thanks for the thought! I had already done that (first thing I tried) - no help. I may need to move this part of my problem to a different forum once I get the system clean, but I also have a spare LAN card sitting around, so I might try that first.

    Thanks for any other thoughts!!

    Let me just say you guys are great! A big help! Thank you so much!

    ergeek
     
  22. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Lets try this:
    * Run avenger.exe by double-clicking on it.
    * Check the 'Input script manually' box.
    * Click on the magnifying glass icon.
    * Copy everything in the Quote box below, and paste it in the box that opens:
    * Now click the 'Done' button.
    * Click on the traffic light icon and OK the prompt.
    * You will be prompted to restart, OK the prompt and your PC should reboot, if not, reboot it yourself.
    * A log file from Avenger will be produced at C:\avenger.txt
    Attach the avenger log.
     
  23. ergeek

    ergeek Private E-2

    Hello again TimW!

    Yes! That worked - the entries in HJT are gone! I have attached both the Avenger and HJT logs.

    Am I clean now?

    Thank you both so much!!

    ergeek
     

    Attached Files:

  24. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Please download and run CWShredder

    then look for these entries in HJT:
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank

    If they are still there ...fix them.
     
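    The two O2 entries that HijackThis could not fix, the fixme.reg abri proposed in post 18, and the R0/R1 about:blank entries TimW named above all come down to the same registry locations. The script below is an added example, not code from this thread, from HijackThis or from any other tool named here. It parses constructed HijackThis-style lines (the first CLSID is the one abri quoted; the DLL paths, the second CLSID and the O4 line are hypothetical placeholders) and emits a REGEDIT4 script in the same syntax a fixme.reg uses: "[-key]" deletes a key and "name"=- deletes a value. It deletes the hijacked about:blank values rather than guessing a replacement URL, and it only removes the BHO CLSIDs the caller names, since an unnamed BHO is a lead and not a verdict.

```python
import re

# Constructed sample in HijackThis log style. Only the first O2 CLSID comes from the
# thread (abri's post 18); every path, the second CLSID and the O4 line are placeholders.
SAMPLE_HJT_LOG = r"""O2 - BHO: (no name) - {F8241258-7425-E5B8-2794-A607FBD21C67} - C:\WINDOWS\system32\unknown1.dll
O2 - BHO: Example Vendor Helper - {11111111-2222-3333-4444-555555555555} - C:\Program Files\Example Vendor\helper.dll
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
O4 - HKLM\..\Run: [ExampleStartup] C:\Program Files\Example\startup.exe
"""

HIVES = {"HKCU": "HKEY_CURRENT_USER", "HKLM": "HKEY_LOCAL_MACHINE"}
# Where Internet Explorer enumerates BHOs, and where the COM class itself is registered.
BHO_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects"
CLSID_KEY = r"HKEY_CLASSES_ROOT\CLSID"

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]{36})\} - (?P<path>.*)$")
R_RE = re.compile(r"^R[01] - (?P<hive>HKCU|HKLM)\\(?P<key>[^,]+),(?P<value>[^=]+?) = (?P<data>.*)$")


def parse_hjt(log_text):
    """Return (bhos, ie_values) from O2 and R0/R1 lines; all other lines are ignored."""
    bhos, ie_values = [], []
    for line in log_text.splitlines():
        m = O2_RE.match(line)
        if m:
            bhos.append(m.groupdict())
            continue
        m = R_RE.match(line)
        if m:
            ie_values.append(m.groupdict())
    return bhos, ie_values


def build_reg_script(clsids_to_remove, ie_values, hijack_marker="about:blank"):
    """Build REGEDIT4 text. '[-key]' deletes a whole key; '"name"=-' deletes one value.
    Only IE values whose data equals hijack_marker are touched."""
    lines = ["REGEDIT4", ""]
    for clsid in clsids_to_remove:
        lines += [f"[-{BHO_KEY}\\{{{clsid}}}]", f"[-{CLSID_KEY}\\{{{clsid}}}]", ""]
    for v in ie_values:
        if v["data"] == hijack_marker:
            lines += [f"[{HIVES[v['hive']]}\\{v['key']}]", f'"{v["value"]}"=-', ""]
    # .reg files are CRLF text and regedit expects a trailing blank line.
    return "\r\n".join(lines) + "\r\n"


if __name__ == "__main__":
    bhos, ie_values = parse_hjt(SAMPLE_HJT_LOG)
    # Remove only the CLSID the helper named; the placeholder vendor BHO is left alone.
    targets = [b["clsid"] for b in bhos if b["clsid"] == "F8241258-7425-E5B8-2794-A607FBD21C67"]
    print(build_reg_script(targets, ie_values))
```

    Save the printed text as fixme.reg and merge it exactly as abri described. The thread also shows the limit of this approach: a .reg merge, like the HijackThis Fix button, runs while Windows is up, so a BHO DLL that is loaded into a running process or a key with restricted permissions can survive it, which is one common reason a boot-time tool such as Avenger succeeds where fixme.reg did not. After any removal, re-run HijackThis and confirm the O2 and R0/R1 lines are gone rather than trusting the script's own success message.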
  25. ergeek

    ergeek Private E-2

    Hi again TimW!

    Ran CWShredder - it did not find any problems.

    Then ran HJT and fixed the entries. Log attached.

    Thanks again!

    ergeek
     

    Attached Files:

  26. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Your logs look clean. You may uninstall any programs we had you download (including CounterSpy, etc).

    If you are not having any other malware problems, it is time to do our final steps:

    1. If we used Pocket Killbox during your cleanup, do the below
    * Run Pocket Killbox and select File, Cleanup, Delete All Backups
    2. If we used ComboFix you can delete the ComboFix.exe file and associated C:\combofix.txt log that was created.
    3. If we used SDFix you can delete all the SDFix related files and folders from your Desktop or wherever you installed it.
    4. If we used VundoFix, you can delete the VundoFix.exe file and the C:\VundoFix Backups folder and C:\vundofix.txt log that was created.
    5. If we had you run FixWareOut, you can delete the Fixwareout.exe file and the C:\fixwareout folder.
    6. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    7. You can delete the ShowNew.Zip and GetRunkey.Zip files and the files that you extracted from the ZIP files. You can also delete the C:\newfiles.txt and C:\runkeys.txt logs that were created
    8. If you are running Windows XP or Windows ME, do the below:
    * go back to step 8 of the READ & RUN ME to Disable System Restore which will flush your Restore Points.
    * Then reboot and Enable System Restore to create a new clean Restore Point.
    9. After doing the above, you should work thru the below link:
    * How to Protect yourself from malware!
     
  27. ergeek

    ergeek Private E-2

    Hi TimW and abri!

    Many thanks for all your help. I am just finishing going thru the final steps of the posts you mentioned. The system is running great and I am about to hand it back to the actual owner. Now I just have to try to educate her and her kids on how they got this way in the first place!

    I also think I figured out the internet connection problem - I think it was a ZA setting (duh!).

    Again, thank you very much!

    ergeek
     
  28. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    On behalf of Abri and myself, you're more than welcome ...do teach them safe surfing. ;)
     
