First Time Poster - Help with Malware

Discussion in 'Malware Help (A Specialist Will Reply)' started by PlainEd, Oct 16, 2008.

  1. PlainEd

    PlainEd Private E-2

    It's come to this... Have always tried (successfully) in the past to work things out myself w/o bothering others; don't think I can remove this bug/bugs unless I get assistance.

    Installed a new hard drive a few days ago and downloaded the WinRAR program to try new desktop themes from Download.com and immediately began having problems. The first thing that occurred was a popup: "Trenderdia...You will be dead next month."

    I have gone through all of your Windows XP (SP2) removal steps multiple times w/o success. I have run these programs in both normal and safe modes.

    I am using Avira, which doesn't detect a problem (updates daily). Ad-aware has found a few negligible issues. CWShredder doesn't detect anything. I also have Spywareblaster and WinPatrol on my Emachines T3265.

    It appears I have a Trojan that manipulates my hosts file in the System32\drivers\etc folder. I have deleted the file multiple times, replacing it w/ a clean one and have also changed the name of the file to hosts.old, but still get additional manipulations at boot.

    In addition to all your recommended clean-up tools I am running Advanced WindowsCare2 VERY frequently, which often finds Registry-related issues. I cannot run this program in the safe mode as I am unable to access the scan command and no screen adjustment function is available for the program.

    SpyBot is not finding anything, but of interest the full immunization is not remaining intact; I'll re-open the program after immunization and find that protection has dropped from around 113,000 items to about 90,000 and have to re-immunize (something I haven't experienced before). I do get an error msg. w/ Spybot: "Error during check! Virtumonde.dll [5771-$0060A3ED] (Access vio..." It has shut down prematurely a few times.

    I have downloaded and run VundoFix with no detections.

    Superantispyware scans cannot be completed in either normal or safe modes; the program shuts down and the pc reboots at about this point in the scanning process: "HKLM\Software\Microsoft\Windows\CurrentVersion\InternetSettings..."

    Thanks for any help you folks can provide. I would really prefer not to do a reformat and clean installation, if possible.

    Posting 3 logs as I was unable to complete a scan w/ Superantispyware.

    PlainEd
    Western North Carolina

    P.S. This is a partial example of the contents of my hosts file after rebooting:

    # Start of entries inserted by Spybot - Search & Destroy
    127.0.0.1 www.007guard.com
    127.0.0.1 007guard.com
    127.0.0.1 008i.com
    127.0.0.1 www.008k.com
    127.0.0.1 008k.com
    127.0.0.1 www.00hq.com
    127.0.0.1 00hq.com
    127.0.0.1 010402.com
    127.0.0.1 www.032439.com
    127.0.0.1 032439.com
    127.0.0.1 www.0scan.com
    127.0.0.1 0scan.com
    127.0.0.1 100888290cs.com
    127.0.0.1 www.100888290cs.com
    127.0.0.1 www.100sexlinks.com
    127.0.0.1 100sexlinks.com
    127.0.0.1 10sek.com
    127.0.0.1 www.10sek.com
    127.0.0.1 123topsearch.com
    127.0.0.1 www.123topsearch.com
    127.0.0.1 132.com
    127.0.0.1 www.132.com
    127.0.0.1 www.136136.net

    ------
     

    Attached Files:

  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Major Geeks!

    As stated in the instructions, we only want it to be run once and then ALL logs should be attached. Running it multiple times prevents us from seeing what was found in the first set of logs.

    You are messing Spybot up by changing the hosts file. Leave it alone. Spybot is adding all those lines when you immunize, and each time you edit the hosts file Spybot has to re-immunize because you deleted the lines it had added.

    I recommend that you shutdown or uninstall WinPatrol and try again.

    You need to attach the MGlogs.zip file that was requested. Nowhere in the READ & RUN ME do we ask for a HijackThis log.
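The point chaslang makes above (the 127.0.0.1 lines are Spybot's immunization block, not tampering) is something a defender can check mechanically before deleting a hosts file: separate the entries that sit between Spybot's block markers from everything else, and flag only entries outside the block that point somewhere other than loopback. The script below is an added example written for this thread; it is not code from the original post, from MajorGeeks, or from Spybot. It assumes the block is closed by an "# End of entries inserted by Spybot - Search & Destroy" marker (the thread only shows the start marker, so the end marker is an assumption), and the sample hosts text is constructed, with `203.0.113.5`, `www.example.test` and `www.example-adserver.test` used as placeholder values.

```python
import ipaddress
from dataclasses import dataclass, field

# Start marker as quoted in the thread; the end marker is an assumption.
SPYBOT_START = "# Start of entries inserted by Spybot - Search & Destroy"
SPYBOT_END = "# End of entries inserted by Spybot - Search & Destroy"

# Addresses that only sinkhole a name; anything else redirects traffic elsewhere.
LOOPBACK = {"127.0.0.1", "0.0.0.0", "::1"}


@dataclass
class HostsReport:
    immunization: list = field(default_factory=list)  # (ip, name) inside Spybot block
    other: list = field(default_factory=list)         # (ip, name) outside the block
    suspicious: list = field(default_factory=list)    # outside block, non-loopback target
    malformed: list = field(default_factory=list)     # raw lines that did not parse


def parse_hosts(text: str) -> HostsReport:
    """Classify hosts-file lines; marker lines toggle the 'inside Spybot block' state."""
    report = HostsReport()
    in_block = False
    for raw in text.splitlines():
        stripped = raw.strip()
        if stripped == SPYBOT_START:
            in_block = True
            continue
        if stripped == SPYBOT_END:
            in_block = False
            continue
        # Drop blank lines and comments (also trailing '# ...' after an entry).
        line = stripped.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            report.malformed.append(raw)
            continue
        ip, hostnames = fields[0], fields[1:]
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            report.malformed.append(raw)
            continue
        for name in hostnames:
            entry = (ip, name.lower())
            if in_block:
                report.immunization.append(entry)
            else:
                report.other.append(entry)
                if ip not in LOOPBACK:
                    report.suspicious.append(entry)
    return report


# Constructed sample: a stock header line, a Spybot block using two names from
# the thread, one harmless user-added sinkhole, and one non-loopback redirect.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
# Start of entries inserted by Spybot - Search & Destroy
127.0.0.1 www.007guard.com
127.0.0.1 007guard.com
127.0.0.1 008i.com
# End of entries inserted by Spybot - Search & Destroy
127.0.0.1 www.example-adserver.test   # constructed: user-added sinkhole
203.0.113.5 www.example.test          # constructed: redirect to a non-loopback address
"""


def summarize(report: HostsReport) -> dict:
    """Counts a helper would want at a glance."""
    return {
        "immunization": len(report.immunization),
        "other": len(report.other),
        "suspicious": len(report.suspicious),
        "malformed": len(report.malformed),
    }


if __name__ == "__main__":
    import sys
    # Pass the path to a real hosts file (on XP: System32\drivers\etc\hosts)
    # or run with no argument to use the constructed sample.
    text = open(sys.argv[1], encoding="utf-8", errors="replace").read() if len(sys.argv) > 1 else SAMPLE_HOSTS
    rep = parse_hosts(text)
    print(summarize(rep))
    for ip, name in rep.suspicious:
        print(f"review: {name} -> {ip}")
```

Run against the real file and the immunization count should match roughly what Spybot reports after immunizing; the entries worth a helper's attention are only those listed under `suspicious`, which is exactly the class of line that was absent from the hosts excerpt posted above.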
     
  3. PlainEd

    PlainEd Private E-2

    Thanks, Chaslang. I'm not the sharpest tech tack in the box, but guess my tiredness got the better of me and I slipped regarding getting you the right stuff.

    As you recommended I tried SAS after both stopping and deleting WinPatrol - still stops abruptly and reboots the pc before the scan can complete.

    Will include all logs requested this time. When I ran MGtools I get the following pop up msg.: "ProcessDll.exe - Application Error...The application failed to initialize properly (0xc0000135). Click on OK to terminate the application."

    Thanks again for any help you might provide and "slap" me if I've done something wrong; what do they say about a little bit of knowledge (on my end)?

    Ed

    -----
     

    Attached Files:

  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    This error message was explained in the READ & RUN ME in this link Using MGtools that we gave you. You do not have Microsoft .NET Framework installed.


    Your logs are clean. The only things I see to do are the below.


    Run this Disable/Remove Windows Messenger to remove Windows Messenger. Do not confuse Windows Messenger with MSN Messenger because they are not the same. Windows Messenger is a frequent cause of popups.

    And I question what the below file is. If you don't know or don't need it, then delete it.
    Code:
    C:\Documents and Settings\Ed and Susan\Local Settings\temp\
    pszzsa~1.par  Oct 16 2008     1312462  "PSzZsA58.exe.part"

    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources ( except a little disk space ) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /u
        • Notes: The space between the combofix" and the /u, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
      • Delete the C:\combofix folder from combofix (if it exists)
    3. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    4. If running Vista, it is time to make sure you have re-enabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    5. Go to add/remove programs and uninstall HijackThis.
    6. You can delete the C:\MGtools folder and the C:\MGtools.exe file. You can also delete the C:\MGlogs.zip
    7. If you are running Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning steps in the READ ME for your Windows version and see the steps to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    8. After doing the above, you should work thru the below link:
     
