Really messed up system

Discussion in 'Malware Help (A Specialist Will Reply)' started by mbrecon, May 5, 2008.

  1. mbrecon

    mbrecon Private E-2

    Background: I have a buddy's computer that is having serious issues. It started with explorer.exe restarting every few seconds. It is now up and stable, but getting errors, and the AntiSpy Spider keeps popping up. I also get errors stating that clbdll.dll is not a valid Windows image. The task manager and regedit are disabled on every reboot and after the machine has been up for some amount of time.

    Steps processed: I'm stepping through the malware removal steps. I'm at the part where you run SAS, and the machine keeps blue screening on me. It has now done it 3 times: one time before following your steps (found SAS on another site) and twice following the steps outlined.

    Any clue why I'm getting this? Some quick searches show no occurrence of this before (I could be wrong since I'm new to this forum). I have tried to let the physical dump finish, but it never seems to, so I don't know the offending file.

    Please help,
    Frank
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Major Geeks!

    Please try doing the below.

    Run SuperAntiSpyware

    • In SUPERAntiSpyware under Configuration and Preferences, click the Preferences button.
    • Click the Scanning Control tab.
    • Under Scanner Options uncheck the below two options
      • Use Kernel Direct File Access (recommended)
      • Use Kernel Direct Registry Access (recommended)
    • Then try doing a new full scan and tell me if it still crashes. And if it does still crash, just skip SUPERAntispyware and continue with the other instructions.
     
  3. mbrecon

    mbrecon Private E-2

    Thanks...that seemed to have worked. I feel bad since I seemed to have recognized that same wording from an earlier research effort before I started the step by step process outlined...please forgive me:cry

    I will proceed with the given directive.

    Thanks,
    Frank
     
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Not a problem. Just continue and when finished attach all of the requested logs. You have a rootkit problem and possibly some other issues we need to fix.
     
  5. mbrecon

    mbrecon Private E-2

    I'm happy to say the problem reported above is all that I encountered. I ran through the steps and the computer is back to normal. No AntiSpy Spider, and regedit and task manager are working without having to submit the reg command every time I wanted to access these programs.

    Thanks for the instructions, they worked great. You might want to put a note in the instructions about unchecking the boxes if you get a blue screen of death. Might save a post from other people.

    Frank
     
  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    It would be a good idea to attach the logs. This infection can hide and not show any symptoms.

    Thanks for reminding me about adding the note to SAS. I meant to do just that but never got around to doing it.
     
  7. mbrecon

    mbrecon Private E-2

    Funny, as I hit send...I thought your reply might be that. Let me pull up the how to and make sure I get everything required.

    Frank
     
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    There should be 4 logs from the READ & RUN ME:
    • SUPERAntiSpyware
    • Malwarebytes
    • ComboFix
    • MGlogs.zip from MGtools
     
  9. mbrecon

    mbrecon Private E-2

    I had to rerun all the tests because, when the system seemed to have been OK, I deleted everything except what I wanted to protect the system with.

    The good news is that on the rerun, SAS and Spybot came up clean. I have attached everything now (hope I didn't miss something).
     

  10. mbrecon

    mbrecon Private E-2

    Here is the SAS log.
     

    Attached Files: SAS.log (659 bytes)
  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You are still infected with the rootkit. First you need to disable Spybot's Teatimer as requested in the READ ME or it may get in the way of removal. Do this now before continuing. See: How to disable Spybot's TeaTimer

    Are the below from Programmer's File Editor?
    Code:
    2008-05-05 10:41 . 1999-01-31 10:13 634,943 --a------ C:\WINDOWS\system32\PFE32.EXE
    2008-05-05 10:38 . 2008-05-05 10:39 <DIR> d-------- C:\Temp\PFE32
    Do you know what the below are for? The last two folders are quite suspicious.
    Code:
    2008-04-27 18:17 . 2008-04-27 18:17 57,546 --a------ C:\WINDOWS\promogif3.gif
    2008-04-27 18:17 . 2008-04-27 18:17 24,351 --a------ C:\WINDOWS\promogif1.gif
    2008-04-27 18:17 . 2008-04-27 18:17 24,066 --a------ C:\WINDOWS\promogif2.gif
    2008-04-27 18:05 . 2008-04-27 18:05 <DIR> d-------- C:\Temp\zvebs14
    2008-04-27 18:05 . 2008-04-27 18:05 <DIR> d-------- C:\Temp\kvebs14

    Run this Disable/Remove Windows Messenger to remove Windows Messenger. Do not confuse Windows Messenger with MSN Messenger because they are not the same. Windows Messenger is a frequent cause of popups.

    Uninstall the below software:
    Viewpoint Media Player <-- should have been uninstalled in step 0 of the READ ME

    Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    O2 - BHO: (no name) - {60024A7B-A180-4BEE-A8BA-89EFD5BF0150} - (no file)
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [Reminder] %WINDIR%\Creator\Remind_XP.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"

    After clicking Fix, exit HJT.

    Now we need to use ComboFix to remove a bunch of malware files.
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Open Notepad and copy/paste the text in the below quote box into it:
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below
    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    Now copy the bold text below to Notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.
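The two listings chaslang quotes above are in ComboFix's file-listing layout (created time, modified time, size or <DIR>, attributes, path). The script below is an added example for this thread, not ComboFix's, MajorGeeks' or the poster's own code: it parses lines of that layout and applies the kind of triage reasoning used in the post (entries created close to when the symptoms began, several entries dropped in the same minute, anything under C:\Temp, and non-Microsoft files in system32 that must be accounted for). The sample lines are the seven quoted above; the incident date 2008-04-27, the two-day window and treating PFE32.EXE as known-good are assumptions made for the demonstration.

```python
import re
from datetime import datetime

# Layout of one line in a ComboFix "files created" listing, as quoted above:
#   <created> . <modified> <size or <DIR>> <attributes> <path>
LINE_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+"
    r"(?P<size>[\d,]+|<DIR>)\s+(?P<attrs>[\w-]+)\s+(?P<path>.+?)\s*$"
)

# Sample input: the seven entries chaslang asked about, copied from the post.
SAMPLE_LISTING = r"""
2008-05-05 10:41 . 1999-01-31 10:13 634,943 --a------ C:\WINDOWS\system32\PFE32.EXE
2008-05-05 10:38 . 2008-05-05 10:39 <DIR> d-------- C:\Temp\PFE32
2008-04-27 18:17 . 2008-04-27 18:17 57,546 --a------ C:\WINDOWS\promogif3.gif
2008-04-27 18:17 . 2008-04-27 18:17 24,351 --a------ C:\WINDOWS\promogif1.gif
2008-04-27 18:17 . 2008-04-27 18:17 24,066 --a------ C:\WINDOWS\promogif2.gif
2008-04-27 18:05 . 2008-04-27 18:05 <DIR> d-------- C:\Temp\zvebs14
2008-04-27 18:05 . 2008-04-27 18:05 <DIR> d-------- C:\Temp\kvebs14
"""


def parse_listing(text):
    """Turn listing lines into dicts; lines that do not match the layout are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        is_dir = m["size"] == "<DIR>"
        records.append({
            "created": datetime.strptime(m["created"], "%Y-%m-%d %H:%M"),
            "modified": datetime.strptime(m["modified"], "%Y-%m-%d %H:%M"),
            "is_dir": is_dir,
            "size": 0 if is_dir else int(m["size"].replace(",", "")),
            "attrs": m["attrs"],
            "path": m["path"],
        })
    return records


def triage(records, incident_day, window_days=2, known_good=()):
    """Return [(path, [reason, ...])] for entries an analyst should ask about.

    incident_day is "YYYY-MM-DD" (when the symptoms started). Heuristics, in
    order: created close to the incident; created in the same minute as other
    listed entries (a batch drop); lives under a temp folder; a file in
    system32, which must be accounted for unless it is a known Microsoft file.
    """
    incident = datetime.strptime(incident_day, "%Y-%m-%d")
    skip = {p.lower() for p in known_good}
    # How many listed entries share each creation minute.
    per_minute = {}
    for r in records:
        per_minute[r["created"]] = per_minute.get(r["created"], 0) + 1
    findings = []
    for r in records:
        path = r["path"].lower()
        if path in skip:
            continue
        reasons = []
        if abs(r["created"] - incident).days <= window_days:
            reasons.append(f"created within {window_days} day(s) of the incident")
        siblings = per_minute[r["created"]] - 1
        if siblings:
            reasons.append(f"created in the same minute as {siblings} other entry(ies)")
        if "\\temp\\" in path:
            reasons.append("under a temp directory")
        if path.startswith("c:\\windows\\system32\\") and not r["is_dir"]:
            reasons.append("file in system32: confirm it is a Microsoft file")
        if reasons:
            findings.append((r["path"], reasons))
    return findings


def triage_sample():
    """Run the heuristics over the quoted listing, with PFE32.EXE marked known-good."""
    return triage(parse_listing(SAMPLE_LISTING), "2008-04-27",
                  known_good=(r"C:\WINDOWS\system32\PFE32.EXE",))


if __name__ == "__main__":
    for path, reasons in triage_sample():
        print(path)
        for why in reasons:
            print("   -", why)
```

Run it directly to print each flagged path with its reasons. The heuristics only order the questions an analyst asks: a system32 hit means "check the publisher", a temp-folder hit means "ask the owner what it is", not "malicious".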
     
  12. mbrecon

    mbrecon Private E-2

    Sorry, I guess on the second install I forgot the part about the TeaTimer, even though it is bold and red. Break out the wet noodle.

    I will run through your guidelines and try to pay attention. Thanks much.

    Frank
     
  13. mbrecon

    mbrecon Private E-2

    Yes, the PFE is Program File Editor. I installed it when I started working on my friend's system. I like having a better editor with line counting and such. Do you think it is infected? The folder in Temp is where I unzipped it, and I normally put it in system32 so I can just hit it from the Run line.


    I do not know what the files from 4/27 are. One of the directories has a binary logfile called zvKarru.log. When I Google it, it shows up in limited results, but they are from around the end of April and are posts regarding malware. This is about the time he had issues. Should I outright delete them?

    Messenger and Viewpoint deleted (need to itemize or I will miss something again) ;)

    ComboFix ran. Do you need a logfile?

    Question on the last step:
    You say to create a *.reg file with the bolded text.

     
  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    No I don't. I just wanted to make sure you knew what it was. Anything that is in the system32 folder that is not a Microsoft file should always be questioned.


    Yes!

    My previous fix got prematurely chopped off. Here is the rest of what I need you to do.

    Copy the bold text below to Notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.
    Make sure that you tell me if you receive a success message about adding the above to the registry. If you do not get a success message, it definitely did not work.



    Now run Ccleaner!

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it.

    Then attach the below logs:
    • C:\ComboFix.txt
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!

    The previous ComboFix log showed the below, some of which are valid files but some were from the rootkit.

    Teatimer will get in the way of removal steps. And it can be a resource hog on some systems. Windows Messenger is an old outdated program that is no longer in use and Microsoft even removed it from Windows around the SP2 time frame. It is a frequent cause of random popups.
     
  15. mbrecon

    mbrecon Private E-2

    The "weird" directories in C:\Temp have been deleted.

    FixMe.reg ran fine and I got a successful message.

    Ran CCleaner. You didn't mention anything about a log here, but I attached it anyway.

    Ran GetLogs.bat and attached as requested.

    I think I got everything you asked. Please let me know if I missed anything.

    Frank
     

  16. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    That's because we don't need them for anything. ;)

    Yes! Based on your log it appears that you did not remove Windows Messenger or you removed it after getting the logs.

    Now that the rootkit is gone a couple other items showed up that need to be fixed.

    Delete the below file ( only delete it nothing else )
    C:\WINDOWS\system32\clbcfg.dat


    Copy the bold text below to Notepad. Save it as fixme.reg to your desktop (yes, overwrite the previous file). Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.
    Make sure that you tell me if you receive a success message about adding the above to the registry. If you do not get a success message, it definitely did not work.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it.



    Then attach the below log:
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
  17. mbrecon

    mbrecon Private E-2

    I was going for extra credit on the CCleaner.log since I have missed so many other things :cool

    C:\WINDOWS\system32\clbcfg.dat...deleted.

    FixMe.reg, ran fine with a successful message.

    Revisited the Windows Messenger issue. I ran the exe, but only disabled it, didn't uninstall. RTFS I guess :rolleyes

    Ran GetLogs.bat...see attachment.


    Frank
     

  18. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    :D

    Okay, the logs are clean, but I just noticed an issue that you may want to fix. Apparently someone uninstalled Microsoft .NET Framework 2 and it did not clean up a service. The below can be seen in the HJT log.

    O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (file missing)

    You can fix this by doing the below:
    • Click on Start, then Run ... type services.msc into the box that opens up, and press 'OK'.
    • On the page that opens, scroll down to ASP.NET State Service
    • then right click the entry, select Properties and press Stop Service.
    • When it shows that it is stopped, next please set the Start-up Type to 'Disabled'.
    • Click OK until you get back to Windows.
    • Next, run C:\MGtools\analyse.exe which is really HijackThis, but instead of scanning, click on the None of the above, just start the program button at the bottom of the choices.
    • At the lower right, click on the Config button
    • Then click the Misc tools button
    • Select Delete an NT Service
    • Copy/paste aspnet_state into the box that opens, and press OK
    • If you receive any error messages just ignore them and continue.
    • Now exit HJT and reboot when it tells you it needs to.

    Then if you are not having any other malware problems, it is time to do our final steps:
    1. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop & renamed it like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\cf" /u
        • Notes: The space between the cf" and the /u, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
      • Delete the C:\cf folder from combofix.
    2. If we used SmitFraudFix, you can delete all files and folders related to it now including the c:\rapport.txt log.
    3. If we used VundoFix, you can delete the VundoFix.exe file and the C:\VundoFix Backups folder and C:\vundofix.txt log that was created.
    4. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    5. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    6. Go to add/remove programs and uninstall HijackThis.
    7. You can delete the C:\MGtools folder and the C:\MGtools.exe file. You can also delete the C:\MGlogs.zip
    8. If you are running Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning steps in the READ ME for your Window version and see the steps to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    9. After doing the above, you should work thru the below link:
     
  19. mbrecon

    mbrecon Private E-2

    Wonder what did that? There was a Windows update that had issues installing when I first got hit with the explorer.exe restarting every 5 seconds. Maybe it only got to the part of uninstalling and never finished...weird. The ASP.NET service was already stopped and set to manual, but I changed it to disabled.

    Deleted aspnet_state and machine rebooted successfully.

    CF and MGTools are gone.

    Restore point refreshed.
    Question: When I first started working on the system, my first thought was just to restore, but it was not turned off. That is when my journey started. Can or have viruses/malware started doing tricky things like shutting that function off as part of the infection?

    I really appreciate all the help.

    Frank
     
  20. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    If you are referring to the service, it was doing nothing since the related update was not installed. You can get it from Microsoft Update if you wish to have the current version.

    Yes it can and does sometimes do this.

    You're welcome. Surf safely!
     
