1. santamaria2000

    santamaria2000 Private E-2

    Please help! I have tried to follow advice on other threads and your tutorials but think I may still have a problem. I would be very grateful if you could check the logs as I really have no idea what I’m doing so just trying to follow all the instructions on your site! And apologies if this is ridiculously long, just trying to provide any info that will help…

    My computer is an Emachines 160 1.30 gigahertz Intel Celeron, 7 years old with SP2. It runs really well for its age and any odd problems have been fairly easily resolved. Yesterday it started to shut down on a minute timer with an error message about DCOM launcher service process terminated unexpectedly, so NT AUTHORITY starts to shut down.

    To stop it I followed instructions online: Start/Run, and type in "shutdown -a" and then Start -> Run -> type "services.msc" without quotations. Select "DCOM Server Process Launcher". Change Startup type to Disabled. Change all failures to Take No Action.

    Although this obviously stopped the shutdown issue I was concerned it was a malware issue so started to go through the Read and run me first procedure. I could do all of the Steps 1-2 and so started on the Windows XP Cleaning. I successfully downloaded all the required tools but on trying to run Superantispyware I got this message -

    The windows installer could not be accessed. This can occur if you are running in safe mode, or if windows installer is not correctly installed.

    Following advice from other threads I tried to uninstall or reinstall it but to no avail (apparently I am not alone in this!) Including most of the things off the list: http://support.microsoft.com/kb/555175. So I kept going…

    Successfully ran Spybot which seemed to find 8 Trojan files called win32. Successfully ran Malwarebytes and have the log.

    Combo fix required the Recovery console which I couldn’t get to work. I followed the link: http://www.bleepingcomputer.com/tutorials/tutorial117.html to install and use the Recovery Console but since I do not own an XP cd, did not proceed.

    Tried to finish the clean up this morning by running MGtools which worked and said it found one file. Have the report for this also. Then went back and realised I could download the stuff for the console so completed combo fix and now have this scan.

    I am trying to ascertain if I still have malware issues. Windows installer still isn’t working but I gather that is a software issue anyway. As far as I am aware and have checked my internet history, the only thing different I was trying to do yesterday was sort out the wireless internet and then all this happened!

    Thank you in anticipation!

    Santamaria
     


  2. santamaria2000

    santamaria2000 Private E-2

    Hurrah, thanks to advice elsewhere on the Microsoft site (http://support.microsoft.com/kb/315346) about the error message (suggesting access to windows installer via Start/ Run/services.msc/ Services (Local) list, right-click Windows Installer and get it to start that way) I have managed to install Superantispyware and run so have attached log. Again two files found but don't think it's anything major!? Also was able to update Java which is mentioned somewhere on a thread would be an idea.

    Just looking at the log in run: dcomcnfg under security events (which I never knew existed!) all this started after the computer updated automatically some NT Service pack hotfixes.

    Anyway, the upshot is, I would still like someone to check I am malware free please! And I thank you for all the amazing advice that is on your website which seems to have saved my computer in the last 24 hours.
     


  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Major Geeks!

    I'm not sure if all your problems are malware related. Let's fix what I do see and go from there.

    Why are you running this PC with NO protection???


    Did you knowingly install the Kontiki junk below or did it sneak in unknowingly when you installed something else?
    O4 - HKLM\..\Run: [4oD] "C:\Program Files\Kontiki\KHost.exe" -all
    O23 - Service: KService - Kontiki Inc. - C:\Program Files\Kontiki\KService.exe


    Uninstall Microsoft AntiSpyware which was discontinued years ago and is no longer useful.



    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\oembios.exe,
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    After clicking Fix, exit HJT.


    Now we need to use ComboFix.
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Open Notepad and copy/paste the text in the below quote box into it:
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below
    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.


    Also delete all files and subfolders in the below folders except ones from the current date (Windows will not let you delete the files from the current day).
    C:\WINDOWS\temp
    C:\Documents and Settings\Me\Local Settings\Temp

    Copy the bold text below to notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.
    Make sure that you tell me if you receive a success message about adding the above
    to the registry. If you do not get a success message, it definitely did not work.

    Now run Ccleaner!

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).


    Then attach the below logs:
    • C:\ComboFix.txt
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
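
An added example, not part of the thread or of any MajorGeeks tool: a Python sketch that parses the HijackThis lines quoted in the post above, reports any program listed in the F2 UserInit value other than the stock userinit.exe, and collects the O4 Run entries for review. The function names and the default Windows directory are assumptions; the sample log is constructed from the lines quoted in the thread.

```python
import ntpath
import re

# Constructed sample: the HijackThis lines quoted in the thread.
SAMPLE_LOG = r"""
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\oembios.exe,
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [4oD] "C:\Program Files\Kontiki\KHost.exe" -all
O23 - Service: KService - Kontiki Inc. - C:\Program Files\Kontiki\KService.exe
"""

F2_USERINIT = re.compile(r"^F2 - REG:system\.ini: UserInit=(.*)$", re.IGNORECASE)
O4_RUN = re.compile(r"^O4 - (HK\w+)\\\.\.\\(Run\w*): \[([^\]]*)\] (.*)$")


def extra_userinit_programs(value, windir=r"C:\WINDOWS"):
    """Return UserInit entries other than the stock system32 userinit.exe.

    windir is an assumption; pass the real Windows directory of the machine.
    """
    expected = ntpath.normcase(ntpath.join(windir, "system32", "userinit.exe"))
    entries = [e.strip().strip('"') for e in value.split(",") if e.strip()]
    return [e for e in entries
            if ntpath.normcase(ntpath.normpath(e)) != expected]


def review_log(text):
    """Return (findings, autoruns) parsed from HijackThis log text."""
    findings, autoruns = [], []
    for line in map(str.strip, text.splitlines()):
        m = F2_USERINIT.match(line)
        if m:
            # Anything besides userinit.exe also starts at every logon.
            findings += [("userinit-extra", p)
                         for p in extra_userinit_programs(m.group(1))]
            continue
        m = O4_RUN.match(line)
        if m:
            hive, key, name, command = m.groups()
            autoruns.append((hive, key, name, command))
    return findings, autoruns


if __name__ == "__main__":
    findings, autoruns = review_log(SAMPLE_LOG)
    for kind, program in findings:
        print(f"[review] {kind}: {program}")
    for hive, key, name, command in autoruns:
        print(f"[autorun] {hive}\\{key} {name}: {command}")
```

A flagged entry is a prompt to review the file, not a verdict on it.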
     
  4. santamaria2000

    santamaria2000 Private E-2

    Hello! And THANK YOU so much for all your help!

    :eek: I know I should have some protection for my computer but it's not been an issue until now! Is there anything you recommend further to the stuff I've installed for this process?

    Kontiki stuff downloaded with 4OD the channel four system for uploading their tv shows. If I uninstall the kontiki stuff will 4od still work?

    Ran the instructions and everything seemed to work. Accidentally ran mgtools.exe instead of analyse at first.

    Things seem fine so I guess everything has worked how it should. Do I need to go back and change the settings on the DCOM thing back to their original state or does that not matter?

    I will do the system restore toggle now as it says on the readme unless you spot something on those logs but once again thank you! I don't know how you manage all these requests for help!!

    Santamaria :)
     


  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    No!

    Yes.

    Your logs are clean. Now you need to do the below. The link in the final instructions will explain how to properly protect your PC.

    If you are not having any other malware problems, it is time to do our final steps:
    1. You can uninstall SUPERAntiSpyware now.
    2. We recommend you keep Malwarebytes Anti-Malware as a scanner. It uses no resources except a little disk space until you run a scan.
    3. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /u
        • Note: The space between the combofix" and the /u must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
      • Delete the C:\combofix folder from combofix (if it exists)
    4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    7. Go to add/remove programs and uninstall HijackThis.
    8. You can delete the C:\MGtools folder and the C:\MGtools.exe file. You can also delete the C:\MGlogs.zip
    9. If you are running Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning steps in the READ ME for your Windows version and see the steps to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    10. After doing the above, you should work thru the below link:
     
