Malware, Trojans & Hijacked Domains, Oh My!

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by damedic_mt, Dec 15, 2009.

  1. damedic_mt

    damedic_mt Private E-2

    Hello, First off - you guys/gals - ARE AWESOME!!!

    Now, my problem. My wife's computer had major problems: desktop icons disappeared, Task Manager was not available via Ctrl-Alt-Del, and the bottom task bar with the Start button was not available either. Then the dreaded blue screen of death, commonly referred to as BSOD.

    Prior to this particular incident, we noticed things misbehaving, like: when clicking on a found/searched-for item in ANY search engine, it would go somewhere completely different! The computer was really acting weird and very slow. So we ran all of the virus protectors, anti-malware programs, etc. We had the following installed on her computer:
    • AVG
    • Antivir
    • SuperAntiSpyware
    • Malwarebytes Anti-Malware
    • CCleaner
    • Advanced System Care
    We ran all of them, and each time there were items found and we clicked to have them cleaned and removed. But we still had problems. Then the problem described above happened.

    We have other computers in the house, so after many attempts to try this & that, I found a link to Microsoft's Knowledge Base article KB307545, so...

    I took a deep breath & tried it! But while in the Windows Recovery Console, as I was typing in the individual commands, the computer kept on freezing! The keyboard locked up many times during this process. But I figured, keep on going, what have I got to lose? I was desperately trying to help my wife get to a point where I could back up her docs, contacts, & other important misc files she wanted but never backed up. Like so many of us poor fools out here! So I just persisted, pushed the On/Off button, rebooted to the console and started where I left off. Finally I completed the whole process and voila, I restored to a point about a week or more earlier. But there were major problems there that we did not really know about.

    So I returned to the web & found this site & this forum. I printed & followed your step-by-step instructions. I deleted all AVs, etc., and started from scratch & downloaded per your instructions. All went very smoothly and many bad things were found & removed, I hope? I got all the way to MGTools and I got two error messages in their own boxes that were not listed in the "Possible errors that might be encountered" during the run of MGTools.
    #1 error (typed verbatim - had a yellow triangle with an exclamation point!)
    2nd error message - again in a box with a yellow triangle & ! inside it
    I then clicked OK on each box & exited MGTools.

    I don't know what a domain is. Could you also explain this and the message above?

    I am now at a desktop, having completed step #2.

    I am answering the question posed at the beginning of step 3 - Yes, I think I still have problems! As you are aware, the only thing I did not do up to this point, was Install & run the combofix.exe program. Everything like you requested in the Readme, was done.

    Please advise on what to do next. Logs are attached

    As I was emailing things to myself from one computer to this infected computer (I started this post on another computer) so I could cut & paste into this new thread post on this forum, I opened IE and navigated to MajorGeeks in IE's address bar, and another IE window (not a new tab) opened to some strange news headline web page, an advertisement or something. This too had been happening a lot prior to the BSOD.

    Thank You

    damedic_mt
     

    Attached Files:

  2. damedic_mt

    damedic_mt Private E-2

    :-o

    I forgot to add one thing to my above post: I also could not enter/boot into Safe Mode.

    None of the 3 Safe Mode options were available.

    Neither could I boot into "last known good configuration" (or something like that)

    Running Win XP Pro SP3

    Thanks again, You provide a fantastic service! :)
     
  3. dr.moriarty

    dr.moriarty Malware Super Sleuth Staff Member

    Welcome to MajorGeeks!

    I am currently reviewing your logs and will get back to you with a set of instructions as soon as possible. Our queue is working the oldest threads first.

    Thanks for your patience.
    dr.m
     
  4. damedic_mt

    damedic_mt Private E-2

    Thank you very much for the reply to give me a status update! I understand, completely. Many of us need assistance, & going in order makes perfect sense.

    I will continue to be patient and await your instructions. My wife has access to other computers. Hers, right now, is shut off & nothing has been done to it since I posted the problem details, after running the "Read me..."

    Thanx again.
     
  5. dr.moriarty

    dr.moriarty Malware Super Sleuth Staff Member

    The below fixes and advice are specific to this member's problem and should be used for issue(s) on this machine only.

    Hello, damedic_mt, please do not install any other software while we are still working with you unless instructed. Once we have given you the all clean and final instructions you will be free to install what you want.

    Step 1:
    First we need to reset your Hosts File. Please refer to the below link:
    Running HostXpert to Reset Default Hosts File

    Step 2:
    Make sure you have shut down all protection software (antivirus, antispyware, firewall...etc) while we do the following. *Remember to re-start them before coming back online.

    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    Step 2:
    Now download The Avenger by Swandog469, and save it to your Desktop.
    • Extract avenger.exe from the Zip file and save it to your desktop
    • Run avenger.exe by double-clicking on it.
    • Do not change any check box options!!
    • Copy everything in the Quote box below, and paste it into the Input script here: part of the window:
    • Now click the Execute button.
    • Click Yes to the prompt to confirm you want to execute.
    • Click Yes to the Reboot now? question that will appear when Avenger finishes running.
    • Your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt and it will popup for you to view when you login after reboot.

    Step 3:
    Open CCleaner - select "Cleaner" > "Run Cleaner" <---use this function ONLY!

    Step 4:
    Using Windows Explorer - Delete all files and subfolders in the below folders except ones from the current date (Windows will not let you delete the files from the current day).
    Step 5:
    Now go to this link MGTools and download the new version of MGtools....overwrite your previous MGtools.exe file with this one.

    Then run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, use right click and select Run As Administrator).

    Please attach the below logs to your next reply:
    • C:\MGlogs.zip
    • C:\avenger.txt

    Make sure you tell me if you had any problems running this procedure and give a description of how things are working now!

    dr.m
     
  6. damedic_mt

    damedic_mt Private E-2

    Hi Dr. Moriarty & thanks for the reply...

    I already have problems at the get-go. 1st, as I navigated to the link you requested, to obtain the HostsXpert program & to follow the 6 steps that were outlined, for me it did not go that way. I had to do about 6 steps before I even got to the actual page to click on "Restore MS Hosts File". I think that maybe some steps were skipped & not listed because maybe they were supposed to be understood? I am asking because I want to do things exactly as you request. I did (as mentioned) eventually get to that page.

    I actually did this twice: downloaded & followed the steps. I hope that was not a bad thing. The first time failed & the second time I was taking notes (in case it failed again) so I could note the steps as they appeared and relay them to you if they were repeated.

    I got an error message right at the beginning that said:
    Your HOSTS file is marked as a "System File" and can NOT be manipulated. Press Ok to remove the system file attribute, CANCEL to quit.

    ***HostsXpert will not reset these attributes ***


    I clicked OK.

    I then got the following "Warning" error message. (It happened the first time as well)

    Your HOSTS file is marked as a "Hidden file" and can NOT be manipulated.
    Press OK to remove the hidden file attribute, CANCEL to quit.
    *** HostsXpert will NOT reset these attributes.***


    Again, I clicked OK.

    The HostsXpert window was visible behind the error messages, but the fields/columns were empty; when I clicked the OK button the 2nd time they became populated with #'s that looked like or resembled IP addresses, and the 2nd column had, I guess, file names?
    Anyway...
    Way on the left of the page, at the top in red, was - Make Writeable?
    Per the instructions on the link - "Running HostXpert to Reset Default Hosts File",
    I clicked on it like I did the first time. Nothing appeared to happen; I presumed that I had confirmed that "File Handling" choice. I did not see a Make Read-Only selection, so I clicked on Restore MS Hosts File, and I got the confirmation message:
    Press Ok to restore Microsoft's original Hosts File. I clicked OK. Then another error message:


    Error: Cannot create file C\:WINDOWS\system32\DRIVERS\ETC\hosts


    I clicked OK

    I don't think anything happened, other than going back to the HostsXpert folder that contained the following files:
    • HostsXpert.chm
    • HostsXpert.exe

    I stopped here for further instructions. All I did was get out of each page that opened.

    I did not continue with the custom instructions you gave me.
    Will wait to follow instructions on how to proceed.

    Thanks so much,

    damedic

    PS

    I had two pages/folders with files that appeared to be the same?
    They were both labeled "HostsXpert". They each had the same files, but the icons were different, at least for the exe file anyway. Those files I listed above: HostsXpert.chm & HostsXpert.exe

    The 2nd page, which was on top, had for the exe file what appeared to be an icon/logo: a lowercase "h" in a red dot. The prior folder, I presume, was a compressed or unzipped folder? Anyway, just for your info. Thanx again.
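    The hosts-file reset in Step 1 of post #5 is about undoing exactly the kind of mapping damedic_mt saw in HostsXpert's columns (IP addresses next to hostnames), and the two attribute warnings are what stop the file from being rewritten. As an added Python example that is not part of this thread or of HostsXpert, the script below parses a hosts file, separates Windows' default localhost line from added mappings, flags names redirected to a remote address or blocked via loopback, and names the hidden/system/read-only attribute bits; the sample hosts content, hostnames and addresses in it are constructed.

```python
# Added example for this thread, not HostsXpert's own code. Parses a hosts
# file, separates the Windows default localhost line from added mappings and
# names the attribute bits that HostsXpert complained about. SAMPLE_HOSTS is
# constructed; only the '127.0.0.1 localhost' line is Windows' default.
import ipaddress
import os
import stat
from dataclasses import dataclass, field

# Location quoted in the thread for Windows XP.
DEFAULT_HOSTS_PATH = r"C:\WINDOWS\system32\drivers\etc\hosts"

# Mapping a name here makes it unreachable instead of redirecting it.
SINKHOLE_ADDRESSES = {"127.0.0.1", "0.0.0.0", "::1"}


@dataclass
class HostsAudit:
    redirected: dict = field(default_factory=dict)  # hostname -> remote IP
    blocked: list = field(default_factory=list)     # names sent to a sinkhole
    malformed: list = field(default_factory=list)   # lines that did not parse
    total_entries: int = 0


def parse_hosts(text: str) -> HostsAudit:
    """Classify every mapping in a hosts file.

    Any name other than localhost that points at a remote address is a
    redirect (the thread's symptom: search results landing somewhere else).
    A name pointed at loopback or 0.0.0.0 is blocked, which rogue software
    uses to keep antivirus update sites unreachable.
    """
    audit = HostsAudit()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        try:
            addr = ipaddress.ip_address(parts[0])
        except ValueError:
            audit.malformed.append(raw)
            continue
        if len(parts) < 2:
            audit.malformed.append(raw)
            continue
        for name in parts[1:]:
            audit.total_entries += 1
            name = name.lower()
            if name == "localhost" and addr.is_loopback:
                continue  # the Windows default line
            if str(addr) in SINKHOLE_ADDRESSES or addr.is_unspecified:
                audit.blocked.append(name)
            else:
                audit.redirected[name] = str(addr)
    return audit


def describe_attributes(attributes: int) -> list:
    """Name the attribute bits that stop the hosts file from being edited."""
    names = [(stat.FILE_ATTRIBUTE_HIDDEN, "hidden"),
             (stat.FILE_ATTRIBUTE_SYSTEM, "system"),
             (stat.FILE_ATTRIBUTE_READONLY, "read-only")]
    return [label for bit, label in names if attributes & bit]


def hosts_file_attributes(path: str = DEFAULT_HOSTS_PATH) -> list:
    """Attribute flags of a real file; os.stat exposes them on Windows only."""
    st = os.stat(path)
    return describe_attributes(getattr(st, "st_file_attributes", 0))


# Constructed sample: the default line plus the kind of entries a hijack adds.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
198.51.100.23   www.search-engine.example results.search-engine.example
127.0.0.1       update.example-av.invalid
0.0.0.0         downloads.example-av.invalid
this-is-not-an-ip   bogus.invalid
"""


def audit_report(text: str = SAMPLE_HOSTS) -> dict:
    """Summarise an audit as plain values for a log line or a test."""
    a = parse_hosts(text)
    return {"redirected": a.redirected, "blocked": a.blocked,
            "malformed_count": len(a.malformed),
            "suspicious": bool(a.redirected or a.blocked)}


if __name__ == "__main__":
    print(audit_report())
    print("HIDDEN|SYSTEM ->", describe_attributes(6))
```

    On the infected machine the real check would be `hosts_file_attributes()` followed by `audit_report(open(DEFAULT_HOSTS_PATH).read())`; the stand-alone run uses the constructed sample instead.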
     
  7. dr.moriarty

    dr.moriarty Malware Super Sleuth Staff Member

    Hello, damedic_mt

    Step 1:
    Using The Avenger which you previously downloaded:
    • Run avenger.exe by double-clicking on it.
    • Do not change any check box options!!
    • Copy everything in the Quote box below, and paste it into the Input script here: part of the window:
    • Now click the Execute button.
    • Click Yes to the prompt to confirm you want to execute.
    • Click Yes to the Reboot now? question that will appear when Avenger finishes running.
    • Your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt and it will popup for you to view when you login after reboot.

    Step 2:
    Now - delete the HostXpert.zip file (and its extracted folder) that you downloaded.
    Step 3:
    Open CCleaner - select "Cleaner" > "Run Cleaner" <---use this function ONLY!

    Step 4:
    Now - reboot your pc.

    Step 5:
    Now go back to my post # 5 -- try to perform ALL of my instructions.

    Step 6:
    Please attach the below logs to your next reply:
    • C:\MGlogs.zip
    • BOTH - C:\avenger.txt logs from each run.

    Make sure you tell me if you had any problems running this procedure and give a description of how things are working now!

    dr.m
     
  8. damedic_mt

    damedic_mt Private E-2

    Hello Dr. M - Happy Holidays to you & yours! Thanks for the reply!

    I am going to catalogue all that I do as I go thru the steps you have provided for me to follow. Also, I am viewing this log on another computer as I execute the instructions on the infected computer. Hope that is okay?

    Note: I did not download The Avenger previously. I stopped at the first step as I had encountered problems (with HostXpert), as I detailed them for you. I apologize if I made myself un-understandable.

    Anyway,
    * I downloaded The Avenger to my desktop
    * Double-clicked that zipped folder
    * Double-clicked the file with the same name that appeared in a new window
    * Got a Title/Info window explaining what the file does, its warnings & approval to continue with qualified assistance. I agreed to that message, so I clicked OK
    * Copied the text you provided & pasted it into: the box "Input script here"
    * Clicked the execute button (Note - I did get out of/closed Windows IE)
    * Window popped up asking: confirm execute current script - I clicked Yes.
    * I clicked to Reboot Now
    * Upon reboot, I did see the Notepad file. I closed it and Deleted the HostXpert files you requested.
    * NOTE: As I was searching for the HostXpert files, the computer hung up for about a minute! Then a window popped up; the top line was in bold: "Click here to protect your computer form spyware" - then the next lines read - "Your computer is infected! Windows has detected an infection of spyware! It is recommended to use special antispyware tools to prevent data loss. Windows will now download and install the most up-to-date antispyware for you". When I closed that box by clicking the "X" in the upper right corner, the picture my wife had for a wallpaper disappeared. Icons remained. The logo that accompanied that message box then stuck itself to the bottom task bar (near the clock). It's a red dot with an X in it. Nothing appears to happen when I double-click it or left-click it, anyway...
    * I can't seem to locate the HostXpert files???
    * I searched for HostsXpert & HostXpert (I looked in our previous posts & found references that pointed to both spellings? Maybe typos?), but I searched anyway & did find files.
    * Under HostsXpert I found a total of 17 references of files 12 of which were in the ...\local settings\temporary internet files
    NOTE: During typing this the computer popped a window stating that IE has encountered a problem & needs to close, this happened consecutively as I was trying to search. I rebooted. "Restart"
    * Upon bootup, the following window popped up prior to the icons showing up. Note, the wallpaper pic returned. Verbatim copied:
    Window titled: Spyware Alert! There was a Yellow Triangle with the ! within it.
    Security Warning
    Worm.Win32.netsky detected on your machine
    This virus is distributed via the Internet through e-mail and Active-x objects.
    The worm has its own SMTP engine which means it gathers e-mails from your local computer and re-distributes itself.
    In worst cases this worm can allow attachers to access your computer, stealing passwords and personal data.
    Viruses can damage your confidential data and work on your computer.
    Continue working in unprotected mode is very dangerous.

    Type: Virus
    System Affected: Windows 2000, NT, ME, XP, Vista, 7
    Security Risk (0-5) 5
    Recomendations: It is necessary to perform a full system scan

    Box in the middle at bottom with OK in it

    * I clicked the x in upper top corner to close it
    * Boot up continued, Icons appeared but wallpaper disappeared
    * A window opened up titled: iexplore.exe
    It read:
    iexplore.exe has encountered a problem and needs to close.
    We are sorry for the inconvenience

    If you were in the middle of something, the information you were working on might be lost.
    For more information about this error, click here (this was an active link)
    * Also, a new window opened as well with the same spyware warning as described above. It disappeared on its own as I was typing the above.
    * I clicked on "click here" for details & this is the message within new window:
    (also that warning appeared again, I x'd out)
    Titled: iexplore.exe
    Error Signature
    AppName: iexplore.exe AppVer: 8.0.6001.18702 ModName: iexplore.exe
    Modver: 8.0.6001.18702 Offset 00002807

    To view technical information about the error report, click here (active)

    * New window opened & it was titled: Error Report Contents

    This report was exceptionally - very long, it started with "Exception Info"
    Then followed by a plethora of info
    in a box at the bottom of the window, was:
    "The following files will be included in this error report:"
    C:\DOCUME~1\Nadya\LOCALS~1\Temp\f525_appcompat.txt

    I DON'T KNOW WHAT TO DO NOW? HELP!!!! Should I be very worried with this new chain of events? (Walking away, to get a breather & to focus)
     
  9. damedic_mt

    damedic_mt Private E-2

    Ok

    I came back to my computer & closed all windows, where I in turn found a big red window with a warning: "Your computer is infected, run a scan now" or something along that line.

    I went to check my bottom taskbar to see what might be there & I accidentally/inadvertently must have clicked something I probably should not have (I did not knowingly do this); a window popped up & a scan started. Pressing the x in the top right corner did nothing. There was no "Stop Scan" button. So I quickly hit Ctrl-Alt-Del & a window popped up stating that the Task Manager has been disabled by the system administrator. I now could not close this window, so I pushed the off button. The window that had opened resembled similar scanning software, titled: Internet Security 2010. Very unfamiliar logo, but it had familiar colors, like Windows. Looked like a porthole in a boat: 4 triangles of different colors, connecting at the narrow points to make a circle. These colors were in what I called the porthole & it had 4 protruding lines at 12 o'clock, 3, 6 & 9. Very possibly another piece of malware, trojan, spyware, etc. - right?

    Anyway, Dr M - Computer is shut off & awaiting further instructions on how to proceed.

    To clarify: I ran the Avenger program.
    Tried to delete the files you requested, but could not find them.
    I searched using windows search from the start button & the above described problems began.


    I did attach the Avenger log for your info.
     

    Attached Files:

  10. dr.moriarty

    dr.moriarty Malware Super Sleuth Staff Member

    :-o

    Ok - one more time... (with the correct file path)!

    Step 1:
    Using The Avenger which you previously downloaded:
    • Run avenger.exe by double-clicking on it.
    • Do not change any check box options!!
    • Copy everything in the Quote box below, and paste it into the Input script here: part of the window:
    • Now click the Execute button.
    • Click Yes to the prompt to confirm you want to execute.
    • Click Yes to the Reboot now? question that will appear when Avenger finishes running.
    • Your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt and it will popup for you to view when you login after reboot.

    Step 2:
    Now - delete the HostXpert.zip file (and its extracted folder) that you downloaded.
    Step 3:
    Open CCleaner - select "Cleaner" > "Run Cleaner" <---use this function ONLY!

    Step 4:
    Now - reboot your pc.

    Step 5:
    Now go back to my post # 5 -- try to perform ALL of my instructions.

    Step 6:
    Please attach the below logs to your next reply:
    • C:\MGlogs.zip
    • BOTH - C:\avenger.txt logs from each run.

    Make sure you tell me if you had any problems running this procedure and give a description of how things are working now!

    dr.m
     
  11. damedic_mt

    damedic_mt Private E-2

    Wow - the problems I experienced while executing your directions to assist me!

    BTW - Greetings to you Dr. M :wave

    Ok, here is what happened as I tried to follow the steps you provided, to the best of my ability, with this infected computer.

    I did what I could on the infected computer while reading the directions from another computer. I turned on the infected computer to begin, and upon boot-up, prior to the desktop icons appearing, a window popped up titled:
    Spyware Alert !
    Security Warning!
    Worm.Win32.netsky detected

    The rest of the window verbiage is on one of my last posts.

    I x'd out of this window & computer completed bootup. All kinds of new windows opened:
    ** Internet Security 2010
    ** iexplore.exe (needs to close)
    ** A secondary Internet Security 2010 window - CRITICAL VULNERABLES FOUND
    ** New update found (I presume for Int Sec 2010?)
    I closed all windows by x'ing out, clicked No for the update, & the only way to exit Int Sec 2010 was to right-click the name of the folder in the bottom task bar and left-click "close".

    I then opened Avenger. (note- a window popped open asking me to "click here" to protect computer from spyware) I x'd out.
    I copied the requested text and placed into the "input script here" box.

    Completed all of Step 1

    Upon boot up, again the spyware alert window popped open. I x'd out instead of clicking "ok". Again many windows opened, I closed them all.

    Went on to step 2
    Could not find: HostXpert.zip
    Ran a search to locate it. 1st time just HostXpert, and only 2 files were found; both of them were in the c:\WINDOWS\prefetch folder.
    I then searched for HostXpert.zip, and rec'd "no results were found to display".
    During this action, another window popped up:

    SECURITY WARNING
    Do you want to view only the webpage content that was delivered securely?
    this webpage contains content that will not be delivered using a secure HTTPS connection, which could compromise the security of the entire webpage.
    I x'd out of this window. There were 3 boxes at bottom: More info, Yes, No

    Went on to step 3
    Ran ccleaner ver 2.27.1070 - some files were deleted.
    Manually restarted - note, again those windows popped up.

    Went on to step 5, which was your request to return to Post #5 of this thread, and do all that was instructed. I continued to do as requested.

    Now, I opened IE browser on this infected computer, logged into MG's malware forum.
    Downloaded HostsXpert 4.3
    Clicked on the file with the red logo with "h" on it, to run the file.
    New window popped up: File does not exist. Do you want to create it? I clicked - Yes
    Make Writable was not visible, but the other, Make Read Only, was, so I followed the instruction and clicked Restore MS Hosts File. I then clicked OK, then x'd out.

    Went on to step 2, in post #5 of this thread.
    Ran MG Tools\Analyse
    selected the 4 lines instructed (putting check marks in the boxes)
    2 new windows opened asking for an OK, I clicked OK each time.
    Then closed MG Tools/HJT

    Moved on to the 2nd step #2 (???)
    Downloaded The Avenger & put it onto my Desktop.
    Copied & pasted the requested lines & then executed.
    2 new windows popped up:
    1st - First step completed. Avenger has been successfully set to run on next boot. Reboot now?
    2nd - Registry Editor
    Registry editing has been disabled by your administrator.

    Clicked OK on both windows, computer restarted.
    I then tried to "Enable" the registry editor and was going to re-run Avenger, but each time it failed & I rec'd the window saying that the Registry Editor has been disabled. (I assume the malware/virus infection is doing this?)
    I restarted computer, again.

    Once again, I x'd out of all the windows that popped up.
    Note: Wallpaper is still missing, but it was replaced with a nice big black box with big RED words saying: "Your system is infected" (duh)

    Anyway, I guess I gotta laugh or :cry

    Next step, ran ccleaner

    Next step: Delete "Temp" folders
    Could not delete any of the 5 folders in C:\windows\Temp
    and could not locate a folder ...Local Settings\Temp, under Nadya

    Downloaded MG Tools to C:\ & overwrote the existing version.
    Exited out of IE
    Ran GetLogs.bat file
    New window popped up, again the Registry Editing has been disabled.
    Clicked ok
    MG Tools continued to run. After a few minutes, Window popped up, with a X inside a red dot, titled:
    ProcessDll.exe
    the application failed to initialize properly (oxc0000135). Click on OK to terminate the application. I did not click on ok, I x'd out of the window.
    MGTools completed.

    Logs are attached per your request.
    Sorry for the drawn out detail rolleyes

    Thanks a lot, have a happy week.

    damedic
     

    Attached Files:

  12. damedic_mt

    damedic_mt Private E-2

    Just missed the 10 minute threshold to edit my last post. :-o

    Hope it is still okay to provide additional information, sorry!

    PS - After the last reboot, after posting this reply (I am now editing), the infected computer still had all of the windows popping up from Int Sec 2010 wanting to scan the computer; there was still no wallpaper; still a big black box with a message in it.
    And... I could only find one (1) avenger.txt file. As I was re-reading your last post, I did not see your message to attach 2 avenger.txt files. I guess as we did those Avenger runs, I was supposed to rename the first one? rolleyes So that it would not be overwritten? I don't know what happened; sorry if this affects how you advise me next. I missed this because I was told to go to post #5, so I followed those instructions from there & submitted this reply from that post.
     
  13. dr.moriarty

    dr.moriarty Malware Super Sleuth Staff Member

    :confused

    It does NOT appear that you ran my fix in msg #10 for using Avenger.

    Being very methodical - Please REPEAT the instructions I gave you in that post.

    dr.m
     
  14. damedic_mt

    damedic_mt Private E-2

    Good Morning, Dr. M-

    I thought I was methodical & did all that you instructed. :-o

    Maybe, once I went back to your Post #5 & followed those instructions, I missed something in post #10? I don't know, but I will do all as you requested again.

    As I started, all of those pesky windows opened up; I tried closing all of them, but Int. Sec. 2010 now would not close. Now other windows opened up as well that didn't last time:

    * Internet Security 2010 - Trial Version. A message telling me that the one installed is only a trial, wanting me to activate the Full Version. That I was able to close out of.
    * RUNDLL
    Error Loading C:\WINDOWS\Temp\ntload.dll
    Invalid Access to memory location.
    OK

    Then a Security Alert opened:
    Your computer is being attacked from a remote machine!
    Block internet access to your computer to prevent system infection.
    Attacker IP:30.137.43.56
    Attack type: smss.exe exploit
    Block Allow
    Windows Firewall has blocked this program from accepting... yada yada

    then another by Int. Sec. 2010 opened...
    Critical Vulnerables Found!
    Spyware threat detected!
    Your system is vulnerable to internet attacks.
    spyware may damage system files, monitor your internet usage... blah blah
    It is strongly recommended that you remove detected threats and do not ignore this alert message.

    Name Alert Level
    spybot.bank32.dll High Risk
    Adware.W32/Navipromo Middle Risk
    Adware.Win32.Zwangi Middle Risk

    Remove Threats Ignore


    I x'd out of what I could.

    And then completed the 1st step in Post #10 - running The Avenger.

    Upon reboot, I renamed & saved the Avenger text file to Avenger1.txt.

    I tried to get out of all of those windows.

    Note: Task Manager is not available: Message comes up stating that it has been disabled by Administrator

    Again, I tried to locate the HostXpert.zip file, per your request, but could not locate it! Using the Windows search option, it came back "No search results found".
    I then searched for HostsXpert.zip (with the plural S) & it did find it in a My Documents folder.
    Deleted it per your instructions.

    I ran CCleaner - 1st option only, then got out of it, Then Rebooted.

    Logged into MG's & navigated to the HostsXpert thread, as you asked me to do by now following your Post #5, to reset the Hosts file.

    Downloaded it & ran it, then clicked OK, then x'd out.

    Opened MG Tools\Analyse; I looked for the files to select, but they do NOT exist. I deleted them the last time. Moving on to the next step.

    I downloaded The Avenger to my desktop, where a file already existed. I overwrote that file with the newly downloaded version.

    Ran the program & copied & pasted the files requested into the proper box where they were to be copied into. I then executed.

    Received 2 new windows:
    * First Step Completed
    First Step completed -- The Avenger has been successfully set up to run on next boot. Reboot Now? Yes No
    * Registry Editor
    Registry editing has been disabled by your administrator
    OK


    X'd out of the latter, clicked Yes on the former, to reboot.

    Notepad opened with the Avenger.txt file; I Saved As to Avenger2.txt.

    Upon reboot, I ran CCleaner

    Then I went to the C - Windows - Temp Folder, & deleted what was able to be deleted.

    Could not find a folder under NADYA, Local Settings, so therefore could not delete the files in that Temp folder.

    I then started the next step, to download & overwrite the existing MGtools file. During the stuff that was happening in the black box/prompt window (the scanning of MGtools-getlogs.bat), many windows popped open.
    I started to close them, but some were new ones that I had not seen before:

    * Download Registry Defender - Windows Internet Explorer
    * ProcessDll.exe - Application Error
    * Message from Webpage
    Warning!!! Your personal computer needs to install antivirus software! Personal Security can perform fast and free scan of your computer.
    * Anti spyware scan - Windows Internet Explorer
    (The scan started & I did not initiate it! I x'd out of it)


    The scan completed & provided a message that an MGlogs.zip file had been created. I pressed any key to close the prompt window.

    When I closed that window, new windows popped open:

    Critical warning!
    Critical System Warning! Your system is probably infected with a version of Trojan-Spy.HTML. Visafraud.a. This may result in website access passwords being stolen from Interner (yes, Interner) Explorer, Mozilla Firefox, Outlook etc. Click Yes to scan and rmove threates. (recommended)

    Message from webpage
    Harmful spyware or adware software. Such vulnerabilities can destroy or steal your privat info and mail. On-lines scan should install Personal Security utilities to fix your pc. Please click OK to download and install Personal Security Tool.
    OK


    I x'd out of them.

    Logs are attached

    Thank you for assisting. Looking forward to an expedited process to get rid of these pesky things. My wife is very, very anxious to get her computer back and is saying, "It's been almost 3 weeks, just take it somewhere to get it fixed." I can't afford that, so I am telling her to just be patient. We are working as quickly as we can. Oh well. :confused

    Thanks again & hope you have a Happy & Safe New Year

    damedic
     

    Attached Files:

  15. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Please do the following:

    Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    After clicking Fix, exit HJT.

    Now Copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.
    Make sure that you tell me if you receive a success message about adding the above
    to the registry. If you do not get a success message, it definitely did not work.


    * Run avenger.exe by double-clicking on it.
    * -Do not change any check box options!!
    * Copy everything in the Quote box below, and paste it into the Input script here: part of the window:

    * Now click the Execute button.
    * Click Yes to the prompt to confirm you want to execute.
    * Click Yes to the Reboot now? question that will appear when Avenger finishes running.
    * Your PC should reboot, if not, reboot it yourself.
    * A log file from Avenger will be produced at C:\avenger.txt and it will popup for you to view when you login after reboot.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:

    * C:\Avenger.txt
    * C:\MGlogs.zip

    Make sure you tell me how things are working now!

    I expect Dr.M will be back soon. :)
     
  16. damedic_mt

    damedic_mt Private E-2

    Hello Tim W- :wave

    Thank you so much for replying. Is Dr. M. alright? Hope all is well with him.

    Anyway, I do appreciate that I am able to continue to work on my wife's computer with your instructions on how to proceed.

    1st - We lost Internet connection capability. After the final reboot per your instructions, that is when it happened. I tried to right click on the little wireless icon at the bottom taskbar (near the clock) & then left click on repair, the message said that it could not fix the wireless connection. See the person in charge of the system.

    Also, now the computer will not restart or shut down. Just the wallpaper (which has now reappeared; it had been gone for a while) and the icons disappear like normal when shutting down, but it never shuts down. So I have to manually push the power button. Is this ok?

    But anyhow, here is the detail of what occurred when I started to follow your instructions:
    Upon bootup, (computer has been off since I followed & completed the last instructions of Dr. M - )
    A window popped up that always did prior to the showing of the desktop icons.
    Spyware Alert!
    Security Warning!
    Worm.win32.netsky detected...
    The rest of the message of this window is posted in an earlier post


    I then started your instructions after closing many popped up windows, which were detailed in my last post.

    Ran the MGtools, Analyse program.

    Selected all of the lines you instructed (I closed out of browser) and then clicked Fix.

    3 Windows popped open, same message:

    Registry Editor
    Registry editing has been disabled by system administrator.

    and one was from HJT? Like a cautionary message:

    Files will be deleted if you proceed. Do you want to continue? I clicked Yes.


    HJT, finished & I x'd out.

    Also, a NOTE***

    I tried to log back onto the Net, and wanted to start up Avast. But while waiting for the infected computer to be fixed, apparently the trial period without putting in the license key, had expired. So I went to do that, registered the program & put in the email address to receive the key. When I logged into Hotmail (my wife's email) to retrieve the key, I copied it and then I pasted into the place where it should go, I got an error message window box that popped up saying something like:

    The License Key number you input is invalid!

    Is it possible that Malware is blocking this?

    Anyway, continuing:

    Also, while continuing on with the rest of the procedures, the screen would go blank and then an IE error message pops up saying:

    Tab has been recovered.

    I also got a few times the following error message window:

    Internet Explorer experienced a problem and needs to close. If you were working on something, it may be lost. Sorry for the inconvenience

    I clicked on Close.

    Internet Explorer reopened & clicked on "Restore Last Session"

    Continuing:

    FixME.reg would not merge!

    And the only window I got, was what I have received a lot when I was following the instructions of Dr. M, during certain procedures - and that was:

    Registry Editor
    Registry editing has been disabled by system administrator.


    I went on to next step as you requested. Opened Avenger, followed the steps & then Executed. I clicked YES, then the computer rebooted.

    Note: I Renamed the text file or Saved As: Avenger01.txt

    All the while, windows kept popping up all over the place.

    4ea of RUNDLL messages

    RUNDLL
    Error loading
    The specified module could not be found


    and

    iexplore.exe
    iexplore.exe has encountered a problem & needs to close... yada, yada


    and

    Registry Editor
    Registry editing has been disabled by system administrator


    Then during the process of the GetLogs.bat file near the end, 1 more error message popped up.

    ProcessDLL.exe
    Application error
    The application failed to initialize properly (0xc0000135).
    Click on OK to terminate the application.


    I did not click OK, I x'd out

    I then hit any key to exit MGtools

    This is when I noticed that I could no longer log online to finish this reply & post the logs requested. I manually restarted a few times & each time the computer "hung". Would not logoff & restart. Not restart or turn off.

    So the only thing I could think of was to get a thumb drive & copy onto it, those logs & then grab them from it and paste them into this post from this desktop, which has no problems.

    After each manual reboot, RUNDLL error messages pop up.

    Thanks for the reply & the Logs requested are attached.

    Have a great & Happy New Year :wine, may it be a safe one! Enjoy. :)

    Damedic
     

    Attached Files:

    Last edited: Dec 31, 2009
  17. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Please try to keep your replies simple.....it is way too much info to sift through. ;)

    Now, why have you not downloaded and installed ComboFix? This is an important tool that we need to use. It should be placed directly on your desktop and run from there!!

    Did you disable all your AV and AS programs before running my last fix? I don't see an add/remove list in your newfiles log, and your GetUnKeys log is empty. So I don't know what all is installed on this system. Therefore, you need to be sure that ALL protection programs are shut down. That also goes for when you run ComboFix.

    Have you opened SAS, gone to preferences / repairs / and scrolled down to repair broken Network Connection? If you are still not able to connect, you will need to use a CD or thumb drive to move items back and forth. I would prefer you to use a cd as the infection could get on the thumb drive and infect the other computer.

    Please open task manager and if these processes are running, kill them:
    FastNetSrv.exe
    winupdate86.exe

    Now, after being sure that all protection software is shut down, then:

    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    After clicking Fix, exit HJT.

    Now,

    * Run avenger.exe by double-clicking on it.
    * -Do not change any check box options!!
    * Copy everything in the Quote box below, and paste it into the Input script here: part of the window:

    * Now click the Execute button.
    * Click Yes to the prompt to confirm you want to execute.
    * Click Yes to the Reboot now? question that will appear when Avenger finishes running.
    * Your PC should reboot, if not, reboot it yourself.
    * A log file from Avenger will be produced at C:\avenger.txt and it will popup for you to view when you login after reboot.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:
    * C:\Avenger.txt
    * C:\ComboFix.txt
    * C:\MGlogs.zip
     
  18. damedic_mt

    damedic_mt Private E-2

    Ok, Hear you loud & clear. I thought if I was detailed & thorough, it would be better? I read many times in posts that it would be better to be detailed & concise. So, that is what I did.

    Anyway,

    I did not install & run combofix because when I found this forum & posted on 12/15, it was advised not to use that piece of software for now because of problems & the program was being repaired. I actually posted that is one of the programs that I did not run (from the Read me).

    But I will run it, since you are asking me that question. I will presume you want me to run it from your post.

    Yes, all AV's & AS's have been disabled. To my knowledge. I have un-installed the Avast & AntiVir that was on the machine. As I have stated on my first post.

    NOTE- when I started combofix, I got a popup window that said:

    Realtime scanners have been detected to be active: AntiVir Desktop & Avast! Antivirus

    How could this be if I uninstalled them?

    That message said that if they are running, it could "Damage" the computer. I don't want that to happen.

    Please reply: Is there a file I can look for in the task manager under Processes? I looked & nothing looks like it may be an Avast or AntiVir type file that may be running.

    Note I did find the two you did reference, though.

    I will stop here & wait until you give me instruction on how to proceed.

    Thank you very much & hope you & yours have a very happy new year.

    Thanks again.
     
  19. damedic_mt

    damedic_mt Private E-2

    Got back from a family engagement & went back to do research on the problem I posted earlier, about combofix finding that Avast & AntiVir were detected as still scanning?

    I stopped what ever processes were safe to stop & continued with Combofix. I ended up running it twice, because during the research I was doing I found that there was possibly a new update.

    Oh, note*** after the 1st run, the internet connection was repaired. SAS, did not repair it per your suggestions.

    During the 2nd run, combofix was updated & the Recovery Console was able to be installed as well. It could not install earlier due to no Internet connection.

    I then completed all of your requests from the last post, Tim.

    After the MGTools - Analyse, the computer had a problem. (Note*** there were only about 3 lines out of the list that you wanted me to select, that were available to select.)

    Upon executing the command, then ok'ing the reboot, when the reboot occurred, it went right into a Blue screen & had the following message:

    STOP: c000021a {fatal system error}
    The session manager initialization system process terminated unexpectedly with a status of 0xc000003a (0x00000000 0x00000000).
    the system has been shut down.


    No log for MGTools popped up. (Note*** there were only about 3-4 lines out of the list that you wanted me to select, available.)

    I manually rebooted & once again the same thing happened.

    I then rebooted into Safe Mode and I think something happened as it was rebooting, (a black screen, full of names of files, i think? filled the entire screen) then it rebooted into regular mode?? somehow? & then a normal desktop appeared. I then quickly logged onto IE, finished your request & started this post with the attachments requested.

    Thank you very much, I truly appreciate your assistance!!! :)

    And to inform you of current situation: All of the popups have apparently disappeared. The Large message of computer being infected is no longer pasted as my wallpaper. and where I mentioned that the computer would no longer reboot on it own, but just hang after the icons disappear? Well that has been corrected as well. As far as usage, I don't know. We will not use this computer until we get the green light.

    PS - I got an error message about posting the combofix log #2. It is 370 kb. Apparently larger than allowed. What do I do. This is the 2nd running of the combofix. I renamed them ComboFix01 & ComboFix02.

    Thanx again.
     

    Attached Files:

  20. damedic_mt

    damedic_mt Private E-2

    When going online, to interact with Majorgeeks & receive the help from you, the Malware Team (Again, I am so appreciative for all of you & what you do), I did not want to become further infected.

    I was reviewing our previous dialog in past posts, and I read an important comment: Be sure to reactivate AV prior to logging back on, (I don’t think I did this in the past) So I was trying to activate an AV - Avast4. It would not accept the registration license key that Avast emailed to me.

    So I redownloaded & reinstalled, tried to register that version with a new key, still I kept getting the error message saying: “License Key Invalid”. Is this because of Trojans or Malware? I think I have a few days to use before it goes inactive again, I guess?

    I then started Avast & it started a preboot file scan (?)

    Received an error message at the beginning of the scan:

    Report file: c\Program Files\Alwil Software\Avast4\Data\Report\Aswboot.txt
    Scan of all Local Drives
    File c:\MGTools\Backups\backup 20091230-183713-893.dll
    Is infected by win32
    :Ertfor [Trj]

    It was asking for me to choose from 10 options – I chose #8, “Repair All”

    Received Message:

    Repair: Error 42060
    {The file was not repaired}


    I then chose, the move to chest option, and got the following message:

    Error 0xc0000034 {object name not found}

    At that point I hit option #9 to “Ignore”, the scan resumed and then stopped a little while later, and gave this message:

    File C:\Qoobox\quarantine\c\windows\system32\diwuzisi.dll.vir is infected by win32:vundo-HI [Trj]
    Repair: Error 42060 {The file was not repaired.}


    I chose the “Repair” option #7. It could not repair it, then provided those options again, this time I “Ignored” – again another problem with another set of options, I chose “Repair All”, Could not repair them, So, I then chose “Ignore All” – and the scan resumed at 23% scanned.

    At Completion: A warning popup

    Avast! Warning
    Suspicious file found!
    A suspicious file has been detected (using a heuristic method). This may be a sign of malware infection. Please allow the file to be submitted to our virus lab for analysis.

    File Name c:\WINDOWS\System32\Drivers\agamaod.sys
    Type: hidden services


    I did the recommended: and clicked “Ignore”

    Another window opened & it read:

    Avast!:
    Avast! Has detected a virus in the operating memory. Since it is very dangerous to work with the computer while the virus is active, it is strongly recommended that you restart the computer and let avast! Scan all your data in the boot phase, before the virus can be activated. Do you want to schedule the boot-time scan and restart the computer.


    I clicked “Yes” and the computer rebooted and then the scan started. At 23%, a message stated that infected files were found (I think 4 of them plus a restore point?) , I chose option to delete. By looking at the file path of the found infections, it appeared that they were in
    c:\Qoobox\quarantine\c\windows32\(then a filename)
    The last part of the line was name of infection? Right before the below names was: is infected by

    * win32:Bamital-I [Trj]
    * win32:Malware-gen
    * win32:Ertfor [Trj]


    Anyway, I was able to figure out how to split the "Too Big" combofix text file (which I couldn't last post & I have attached it.

    Thanks again, I wish you lots of joy, happiness & blessings in 2010 :wave

    And, I am so sorry for my detail. It is just habit. I am very detail oriented and I think detailed info is required, but I have come to realize that most times it isn't, nor desired. I have a hard time eliminating what I think may be vital info. :confused

    And also, I hope that I did not totally screw up your ability to assist me in getting this infected computer - clean, by things happening - outside of your instructions. The computer just started doing things & I responded & did what I could and thought I should do. :-o
     

    Attached Files:

  21. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Please refrain from making any changes to your system (updating Windows, installing applications, removing files, etc.) from now on as it might prolong handling your log and make the job for both of us more difficult.

    You need to uninstall one of your AV programs!! Choose one and uninstall the other. Either keep Avast or keep Avira! Not both!

    You did not finish by attaching the new:
    * C:\MGlogs.zip

    All the items that you say Avast found:
    File c:\MGTools\Backups\backup 20091230-183713-893.dll --> false positive!!
    c:\Qoobox\quarantine\c\windows32\(then a filename) --> infections quarantined by ComboFix!

    But this one is true:
    File Name c:\WINDOWS\System32\Drivers\agamaod.sys

    So now we will try it again.

    Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

    * Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
    If it is not on your Desktop, the below will not work.
    * Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    * If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
    * Open Notepad and copy/paste the text in the below code box into it (make sure you scroll all the way down in the code box to get all lines selected ):
    Code:
    KILLALL::
    
    Driver::
    agamaod
    
    File::
    c:\windows\Hrajiwikisoxeb.bin
    c:\windows\Mduqiqivuxegeq.dat
    c:\windows\system32\wivrs.exe
    c:\WINDOWS\System32\Drivers\agamaod.sys
    
    Registry::
    [-HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{43fF72BA-F2h9-13F1-bFbf-eaKfF836gFl5}]
    
    [-HKEY_LOCAL_MACHINE\System\ControlSet003\Services\agamaod]
    
    * Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    * At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    * You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    If it asks you to override the previous file with the same name, click YES.
    * Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    * Follow the prompts.
    * When it finishes, a log will be produced named c:\combofix.txt
    * I will ask for this log below

    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:

    * C:\ComboFix.txt
    * C:\MGlogs.zip
     
  22. damedic_mt

    damedic_mt Private E-2

    Hello & Good Morning, TimW

    I truly appreciate the assistance I am receiving from the MG Team of Malware Fighters, Thank you!

    This is weird - I replied yesterday and I am pretty sure that I reviewed the posted reply?? But today it is not here?
    I am going to repost, as close as to what I posted yesterday.

    I am sorry for possibly messing/gumming up the process of help. I want to do exactly as is required & suggested. So that is why right now I am stuck already, and will wait for your reply and advice on how to proceed:

    As stated in one of my first posts, I did "Uninstall" all of the AV's that were on the computer about 3 weeks ago. Which were: AVG & AntiVir. I also uninstalled SAS & MBAM. I then reinstalled them, except for AV's. What I installed was: Avast!4, instead.

    Now I am being told to uninstall detected "Realtime Scanners"?? When I ran combofix before, I was getting that message to disable both Avast & AntiVir, but to what I thought & knew - was that they should not be able to be found!
    I knew I uninstalled them.

    And per your post, you are asking me to disable them as well.
    Now for this last set of instructions of yours, I had previously (as explained in an earlier post) Re-installed Avast (over existing installation), and was able to disable it from scanning.
    And now, combofix is still detecting - AntiVir??? How could this be.
    But, Avast is no longer being detected as active.

    TimW - Are you detecting that AntiVir is installed & active, as well??
    Please help me figure this out. I am so confused :confused
    Please instruct me on what to do, so I can proceed with your instructions.

    I checked in my add/delete programs & it is not there. I tried looking at "Processes" running & I could not locate anything that resembled AntiVir.

    I do not want to proceed with your previously posted instructions, and gum things up even more, if combofix is saying that it is not recommended to run if a realtime scanner is active: in my case AntiVir

    Thank you you sir, for all of your assistance & patience with me.
    I am so appreciative of all that you & your associates do for us with infected computers!!
    Have a great day! :) Enjoy the rest of your weekend!

    PS - I don't know if this is because of the malware infection, to block it. but I can't get Avast to accept the emailed Registration License Key. I keep getting a message saying that: License Key Invalid!
    Is this something we can work on as well, or do I need to post this in another forum?
     
  23. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    ComboFix often will report something as active that has been removed. We can fix that, but only if you continue with following my fix.....which would be to attach the logs after doing my latest fix. I have asked for a new MGLogs.zip for a few posts now. You are not helping yourself if you can't help me.

    Asking you to disable all AV and AS software is a standard part of our fix.

    Are you using a different computer that also has Avast installed to retrieve your license key? If so, it is giving you a key for that computer. Or are you accessing the web with this machine we are working on to request a new key?

    Since you did not follow up by attaching the new logs, sadly you will have to wait until you come up again in my work queue. :(
     
  24. damedic_mt

    damedic_mt Private E-2

    Hello & Good Evening, Tim-
    Ok, I am confounded, but I will continue on.

    And I do understand that I need to wait my turn for the next queue available to receive your assistance, next time around. I'll deal with this problem. But,
    First off:
    ** I did uninstall my AV's prior to following your instructions.
    ** I did disable my AS's prior to following your instructions.
    ** I thought I did follow your instructions to the tee?
    ** I stopped because, I thought the popups I was receiving were detrimental!

    So, now I read (and as I understand) in your last reply, that I need to proceed, even though I detailed the error & warning! messages on the popups I received?

    Ok, I will proceed. Returning to your posts to do as you instructed. Very tense around here with my wifes computer not on her desk. I don't want to delay this any more than necessary - especially if it's me that's the cause for the delay

    All has been completed & the logs are attached. I went back & read my posts & I think I may have skipped an item? :-o

    Per your instructions, I needed to run Avenger twice?
    Anyway, I think I went to your posts # 17 & 21, and completed them. Hopefully correctly.

    Thank you for your help. I hope I can get back on track & follow better instructions?

    with appreciation,

    damedic

    PS-

    During the upload of files you requested, it would not allow MGlogs.zip to be completed. I rec'd the msg saying I've already posted it. I went back & looked the last time was in post #16. I tried to rename it to MGlogs02.zip but that did not work either? I will keep trying! Especially since, you are requesting that particular file.

    Also, yes, I did request & receive the email for the registration license key for Avast, from this infected machine.
     

    Attached Files:

    Last edited: Jan 5, 2010
  25. damedic_mt

    damedic_mt Private E-2

    Hello Tim
    I don't know if you thought I knew what I was supposed to do, but I really didn't! :confused


    The reason for the last few posts I didn't upload/attach the MGtools.zip file was - I wasn't given the instruction on how to do it. Instructions on that part were a little ambiguous. I tried to upload & I thought it did, but I didn't notice that the MGtools.zip files weren't attached, in the last posts. I know I browsed for the file and then hit upload.

    This evening I realized what happened. The same chain of events occurred, only this time I must have been paying attention. As I looked at the list of files attached, I noticed that MGtools.zip was not in the list. I then saw the error message!

    After re-reading this whole thread and trying to find a clue on how to attach a file that was already once attached, I found the one bit of instruction that Dr. M. provided me and that was:
    Go to MGtools.exe & then run "Getlogs.bat", that will provide you a file called MGtools.zip.


    I didn't remember that I needed to do that! And you never mentioned that I needed to include that step. And that step would provide a new .zip file.
    I've been trying to rename & ?? and everything I tried failed as I was trying to upload. I kept getting an error msg - "You already attached that file" no matter what I renamed it as. Oh well. I wasn't sure if that is what needed to be done? but I took a chance and Voila!!

    Anyway, no harm done besides just some additional delay & no offense taken, in that you forgot to mention that small minor detail! ;)

    The new log is now attached.

    We all make mistakes, I know I do.
     

    Attached Files:

    Last edited: Jan 5, 2010
  26. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    From my last fix to you in post #21. Not sure how you missed that.

    Your logs are clean of malware, so we just need to do some general clean up before giving you the final clean up procedures.

    Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

    * Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
    If it is not on your Desktop, the below will not work.
    * Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    * If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
    * Open Notepad and copy/paste the text in the below code box into it (make sure you scroll all the way down in the code box to get all lines selected ):
    Code:
    KILLALL::
    
    SecCenter::
    {AD166499-45F9-482A-A743-FDD3350758C7}
    
    File::
    c:\documents and settings\Nadya\Application Data\mjusbsp\in00000\setup.exe
    c:\documents and settings\Nadya\Application Data\mjusbsp\ar00000\install.exe
    
    Folder::
    c:\documents and settings\Nadya\Application Data\mjusbsp
    C:\Documents and Settings\All Users\Application Data\AVIRA
    C:\WINDOWS\Temp\hlktmp 
    
    
    * Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    * At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    * You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    If it asks you to override the previous file with the same name, click YES.
    * Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    * Follow the prompts.
    * When it finishes, a log will be produced named c:\combofix.txt
    * I will ask for this log below

    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    None of that is malware, so unless you are having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no real-time protection. They are useful as backup scanners.They do not use any significant amount of resources ( except a little disk space ) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /uninstall
        • Notes: The space between the combofix" and the /u, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
    3. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    4. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    5. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    6. Go to add/remove programs and uninstall HijackThis.
    7. Goto the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    8. If you are running Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures in step 3 of the READ ME for your Window version and see the instructions to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    9. After doing the above, you should work thru the below link:
     
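    Both CFScript blocks in this thread (posts #21 and #26) use the same section-based ComboFix script format (a `Name::` header line followed by one entry per line). The following is an added example, not code from the thread or from ComboFix itself: a small Python parser that reads a CFScript and runs a few consistency checks a helper would want before the reader drags it onto ComboFix.exe. The embedded sample is the script from post #21; the section names come from the two scripts on this page, while the check logic and the list of protected core Windows binaries are my own assumptions.

```python
"""Parse a ComboFix CFScript and sanity-check it before it is applied.

Added example for this thread; not ComboFix's own code. The format handling
follows the two CFScripts posted above (KILLALL::, Driver::, File::, Folder::,
Registry::, SecCenter::); the checks themselves are assumptions.
"""
import re
from collections import OrderedDict

# Constructed sample: the CFScript from post #21 of this thread, verbatim.
SAMPLE_CFSCRIPT = r"""KILLALL::

Driver::
agamaod

File::
c:\windows\Hrajiwikisoxeb.bin
c:\windows\Mduqiqivuxegeq.dat
c:\windows\system32\wivrs.exe
c:\WINDOWS\System32\Drivers\agamaod.sys

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{43fF72BA-F2h9-13F1-bFbf-eaKfF836gFl5}]

[-HKEY_LOCAL_MACHINE\System\ControlSet003\Services\agamaod]
"""

# A section header is a bare word followed by "::", e.g. "File::".
SECTION_RE = re.compile(r"^([A-Za-z]+)::\s*$")

# Assumed list of core binaries a cleanup script should never delete outright.
PROTECTED_BASENAMES = {"ntoskrnl.exe", "hal.dll", "winlogon.exe",
                       "explorer.exe", "userinit.exe"}


def parse_cfscript(text):
    """Return an ordered mapping section name -> list of non-empty entry lines.

    Lines before the first header are ignored; flag-only sections such as
    KILLALL:: map to an empty list.
    """
    sections = OrderedDict()
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        header = SECTION_RE.match(line)
        if header:
            current = header.group(1)
            sections.setdefault(current, [])
            continue
        if not line or current is None:
            continue
        sections[current].append(line)
    return sections


def check_cfscript(sections):
    """Return a list of human-readable findings; an empty list means no concerns."""
    findings = []
    files = [f.lower() for f in sections.get("File", [])]
    keys = [k.lower() for k in sections.get("Registry", [])]

    # 1. A Driver:: entry should be paired with its .sys file and its
    #    Services\<name> key, otherwise the service can be recreated at boot.
    for drv in sections.get("Driver", []):
        name = drv.lower()
        if not any(f.endswith("\\" + name + ".sys") for f in files):
            findings.append("Driver %s: no matching .sys file in File::" % drv)
        if not any(k.rstrip("]").endswith("\\services\\" + name) for k in keys):
            findings.append("Driver %s: no Services\\%s key in Registry::" % (drv, drv))

    # 2. Registry:: lines must use the [-KEY] form; a key without the leading
    #    '-' is a .reg-style create, not a delete.
    for k in sections.get("Registry", []):
        if not (k.startswith("[-") and k.endswith("]")):
            findings.append("Registry entry is not a [-KEY] deletion: " + k)

    # 3. Refuse to delete core Windows binaries (typo or bad paste protection).
    for f in files:
        if f.rsplit("\\", 1)[-1] in PROTECTED_BASENAMES:
            findings.append("File:: would delete a core Windows binary: " + f)
    return findings


def summarize(text):
    """Parse and check a script; return (section names, entry count, findings)."""
    sections = parse_cfscript(text)
    count = sum(len(v) for v in sections.values())
    return list(sections), count, check_cfscript(sections)


if __name__ == "__main__":
    names, count, problems = summarize(SAMPLE_CFSCRIPT)
    print("sections:", ", ".join(names), "| entries:", count)
    for p in problems:
        print("FINDING:", p)
    if not problems:
        print("no findings")
```

    Run it as-is to see the post #21 script parsed with no findings; paste the post #26 script into `SAMPLE_CFSCRIPT` to see the `SecCenter::` and `Folder::` sections handled by the same parser. The driver/service pairing check is the one worth keeping: a `.sys` removed without its `Services` key (or the reverse) is exactly the half-done cleanup that leaves a stale driver entry behind.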
  27. damedic_mt

    damedic_mt Private E-2

    Hello TimW,

    Success!!! I think???

    I will be posting the log you requested.

    If all is what I believe to be true, that we are clean, I've come to this conclusion since I have been using the previously infected computer with no problems. And NO real lag time that can be noticed. It is working very well!
    Thanks to you & Dr. M's assistance :celebrate

    My wife is ready to :dancer, she really is very pleased, that no fresh reformat had to be performed.

    Anyway, I performed all of the closing requests (per your last post & the links) all the way to the end. Only the final instructions about passwords & users, etc has not been performed though (as of yet), but we will get to that.

    As of now, an new restore point has been created and the following has been installed on this once infected & now clean computer:
    • Avast - The only AV
    • Comodo - The only FW
    • Super AntiSpyware
    • MalwareBytes Anti Malware
    • CCleaner
    • SpywareBlaster
    • and... SmartDefrag

    Please let me know if there is something else that would be recommended to have on this computer.

    Thanks again for all of your assistance.
    Is there a way to compensate you a little, do you have a PayPal link?

    Take Care,

    damedic

    PS -

    I just looked to upload the combofix.txt file, but I could not locate it! Did I do something that got rid of it? Is it possible I should have posted this before going thru all of the final steps?

    Do I need to reload ComboFix & then complete the steps in your last post (create a CFScript file and drag & drop to run the ComboFix Scan) & then immediately reply with the uploaded log? Let me know & I will do that immediately.
     
  28. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Are you saying you did the final cleanup steps before doing the last fix that I posted ahead of the final cleaning?

    None of it was malware, so if everything is running well, I wouldn't worry about it.

    And you are welcome. :)
     
  29. damedic_mt

    damedic_mt Private E-2

    Hi TimW

    Yes, No, Well:... :-o

    What I did was: I did complete all of what you instructed, as you suggested, in the order of your post.

    I did the final fix you suggested: copied & pasted to create CFScript, which I then dragged & dropped onto ComboFix, and then it ran and completed. I did see the log, but I did not move it off of the computer so I could post & attach it here for you to see. I did not know that it would disappear as we continued with the final steps.

    I then just continued with your post to complete it, less the final few items in the link you wanted me to navigate to: How to protect yourself from malware.

    I have now restarted to complete the final steps in that instructional.

    Thanx again! And have a great 2010!

    Be Well.
     
  30. damedic_mt

    damedic_mt Private E-2

    Good Afternoon

    I forgot to mention to you when I posted last, about performance of the computer since last fix.

    There was a glitch with the internet connection, but I think that had to do with our modem, though I'm not sure. Other than that, all appears to be working well, no slowdowns or lag times that seem unusual. All apps appear to be working well & online browsing seems fast enough. Nothing weird is happening as the computer is being used.

    but...

    I also ran the first scan this morning (as part of the new routine maintenance of this computer) and we had some malware & a rootkit identified & then quarantined via SAS.

    I then ran MBAM, and again, 2 more pieces of Malware! :(

    Is this a re-infection? or possibly malware that was hidden that couldn't be identified because the last ComboFix was not able to be sent your way for diagnostics?

    Anyway, Tim - the log results are attached for your info.

    Thanks
     
  31. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Yes, the last Combo log would have told me if there was anything new/missed, as well as whether the items in the fix were removed. You didn't do the System Restore toggle, as one of the items was in one of those folders.

    If you wish to, though I think SAS and MBAM are doing their jobs, you can re-download and run ComboFix and attach the log.
     
  32. damedic_mt

    damedic_mt Private E-2

    Good Evening TimW-

    Much appreciation your way, for answering my last post.

    As far as the final steps you instructed me to complete, to include the System Restore toggle, I really thought I did complete that! I really thought I did.

    Anyway, upon your reviewing the ComboFix log, & then suggesting any fix you deem necessary, I definitely will ensure that I specifically complete that part (the System Restore toggle), along with the other items in that instruction set.

    Thanks again, I will wait for your next set of instructions.

    Log will be attached.

    Be Well.

    medic
     

  33. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Everything is fine. You can go ahead and finish the cleanup instructions. :)
     
  34. damedic_mt

    damedic_mt Private E-2

    Greetings Tim!

    Thanks. I will begin the final steps, now that all is clear. I will follow the instructions to ensure that the restore points are all clear & create a new "Clean" restore point.

    Thanks again, :)

    Have a fantastic week.
     
  35. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    You are most welcome....safe surfing. :)
     