Small Business Transcriptionist Has Tried All with Work Computer!

Discussion in 'Malware Help (A Specialist Will Reply)' started by AngelsWilliam, Oct 26, 2008.

Thread Status:
Not open for further replies.
  1. AngelsWilliam

    AngelsWilliam Private First Class

    When I came back from my work break Thursday night, I started up Firefox (I use it to look up terms, people, and locations on Google), then my 2 notepad docs, then my Excel term list...when suddenly I heard a loud noise that completely freaked me out because I thought it was malware...but it turned out to be FEBE doing a backup of my Firefox profile. So, I figured I'd just close out of everything until it was done. However, Excel wouldn't react at all. In fact, when I opened task manager, it said there were 2 Excels open and PC usage was at 100%. I have never, ever had that problem before. Task manager wouldn't let me shut Excel down, even after I got FEBE and all the other programs to shut down. I had just started going through the shutdown procedure when Excel finally shut down, so I figured everything was okay. However, when I brought everything up for work again, I was unable to sign into the VPN to get into my online transcription job.

    I contacted support, and they gave me a link for GoToAssist. Just as the link connected with them, my firewall, then all other parts of AVG Pro shut down one by one. I told support what was happening and that I was sure it was something malicious so I was going to disconnect with them so I could counterattack right away.

    The first thing I tried to do was disable my internet connection. IT WOULDN'T LET ME. Can you say panic? I tried both from the tray and the Network Connections. Nothing doing.

    So, I quickly updated all my antimalware software, then restarted in safe mode and ran everything. Nothing was found, of course. Big surprise.

    I then went down to my laptop downstairs (which isn't set up for work, yet, dammit) and downloaded everything on your Windows XP Cleaning Procedure, complete with instructions, and saved it all to a flash drive, then brought it all up here and restarted in regular mode, pouncing on the internet tray indicator and disconnecting it before the little bastard had the chance to sink its claws into it. I went through the entire procedure, and some stuff was found. I think ComboFix must've found a lot because it took a really long time. All the restarts during the procedure worked perfectly. At the end of the procedure, things seemed fine, so I turned on my firewall and all the elements of AVG Pro again and did an update. The update included a big program update and said it required a restart.

    Well...upon restart, after my desktop came up (before the icons did) and the Windows greeting sounded, my screen went blank and stayed that way for more than 15 minutes, even though the hard drive was going nuts. I've heard of a long time of blank screen between the initial logo screen and the desktop, but never once the desktop comes up. So...after another 5 minutes of this, I reached for the power button, held it in for 5 seconds, counted to 20, and clicked it on again. This time, nothing came up on the screen at all.

    This morning, I called my local tech to come take a look. When he turned it on, it came up perfectly normal. (I was asleep because I work nights, but Mom was there to supervise.) He said he ran every scan he could, and he couldn't find anything wrong. He also reran Malware Bytes (sorry about that), and he said it only found 1 registry key, according to Mom. ONLY???

    Anyway, so, when I got up today, I was still wary of using it to deal with people's medical records because of the behavior I'd witnessed and the stuff I read yesterday in ZD Net about Zombie PC's...so, I kinda just kept an eye on it today. The first thing I did was a Windows update, which included 1 security update and 1 Defender update. The update required a restart, so I held my breath and clicked on the restart now button. It restarted just fine.

    So, I went downstairs for a little while. When I came back up, the console for AVG Pro was open. The components were all working, but I hadn't left it open. Also, the little balloon saying, "Network is now connected" came up, which usually comes up about 10 minutes or so after you've turned on the computer, re-enabled the internet connection, or reset the router downstairs.

    In other words, someone had been dinking around with my computer remotely while I'd been away. (My tech-savvy friends say that the Citrix software my workplace uses gives them the ability to spy on my computer, but I had just uninstalled it before this stuff started happening....)

    Interestingly enough, though, when I went into my AVG firewall to see about requiring queries for remote access to my desktop, I noticed it said that there was still Citrix software installed on my computer. Hm. I looked in my Windows program list, my CCleaner program list, and my RegSeeker program list, and none of them listed any Citrix software. Hm. So, I decided to use the RegSeeker search-in-registry tool. Well, up went my computer usage to 100% again, making RegSeeker unresponsive...which has never happened before.

    This stuff also started happening right after FEBE ran the first time on my computer. God, it could be so many things. It just isn't funny. (It seems something always goes wrong with one of my computers when I mention a cyberbully attack I experienced in 2007, even if it's such a vague reference as "something bad happened to me on the Internet." I kid you not. And, those people are tech savvy; at least, one of them is. And, obviously, they're very vindictive and hateful and seem to have eyes everywhere. They actually used to send me posts I made to groups they normally would have no interest in and make lewd or harassing comments about them. And, yes, the easy response would be, "So, don't mention it," but...I am still suffering from PTSD [it was extremely traumatic due to threats of personal harm after supplying me with all my personal info, when I knew exactly how sick these 2 people could be when they didn't like someone].)

    So...attaching my logs. I hope you can help. Thank you so much for being here.

    I will reply to this post with my MGTools log, as instructed.
     

    Attached Files:

  2. AngelsWilliam

    AngelsWilliam Private First Class

    My MGTools log is attached to this reply. Thanks again for your help! :wave
     

    Attached Files:

  3. AngelsWilliam

    AngelsWilliam Private First Class

    1 more thing: I have Asperger syndrome, so please state things as plainly as you can. I am not good at "reading between the lines," especially when it comes to technology. I know some things, but I only know what I've needed to know in the past or need to know currently to keep my job...if that makes any sense. Thanks for understanding. I was only diagnosed 3 years ago, so I have a long way to go as far as adapting to the disorder.
     
  4. AngelsWilliam

    AngelsWilliam Private First Class

    I can't work until I know my computer is malware-free.
     
  5. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Welcome to MajorGeeks.com!

    Step 1:
    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    Again, make sure ALL browser windows are closed when you click FIX.

    Step 2:
    Now we need to use ComboFix to remove a bunch of malware files.
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Open Notepad and copy/paste the text in the below quote box into it:
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below
    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    Step 3:
    Default Security Settings

    To Default Security Settings:
    For Internet Explorer 6 users:
    Click Start > Run > type inetcpl.cpl and press ENTER, when Internet Properties comes up navigate to the Security Tab and click Default Level for the following:
    • Internet
    • Local Intranet
    • Trusted Sites
    • Restricted Sites.
    Click OK to exit.

    For Internet Explorer 7 users:
    Click Start > Run > type inetcpl.cpl and press ENTER, when Internet Properties comes up, navigate to the Security Tab and simply click the "Reset all zones to default level" button. Click OK to exit.

    Step 4:
    Please download ATF Cleaner by Atribune. This program does not require an installation. The executable actually runs the program.

    NOTE: This program is for Windows XP and Windows 2000 only. ATF Cleaner will remove all files from the items that are checked, so if you have some cookies you'd like to save, please move them to a different directory first.
    • Double-click ATF-Cleaner.exe to run the program.
    • Under Main choose: Select All
    • Click the Empty Selected button.
    If you use Firefox browser
    • Click Firefox at the top and choose: Select All
    • Click the Empty Selected button.
      • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    If you use Opera browser
    • Click Opera at the top and choose: Select All
    • Click the Empty Selected button.
      • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    Click Exit on the Main ATF Cleaner menu to close the program.


    Step 5:
    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:
    • C:\ComboFix.txt
    • C:\MGlogs.zip
    Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now.
     
    Last edited: Oct 28, 2008
  6. AngelsWilliam

    AngelsWilliam Private First Class

    Yeah, slight problem with step 2:
    After CF restarted my computer, it said, "Preparing Log Report. Do not run any programs until ComboFix has finished." (Kinda silly, considering it's running at bootup on a computer that has AVG Pro on it.) It never came out of that screen, but the hard drive has been going like crazy. This has been going on for approx. 1 hour.

    Here is exactly what happened during step 2:
    I followed the above directions.
    CF said there was a new version avail. and asked if I wanted to download it. Thinking it was always best to have the latest version of antimalware programs, I clicked yes. It printed about 4 rows of dots across its window and then said the download failed, so it would continue with the current version. It then appeared to restart the program and go about its business.

    The program took a while, as is to be expected because, apparently, my computer is still pretty f**ked up, judging by your reply. :(

    Then, it told me it was now going to restart my computer, so I quick turned off my printer and waited for it to do so. It shut down and booted up with no hesitation, which I took as a good sign...but then the above-described happened and is still happening.

    I am not opening Task Mgr and force-quitting the program or forcing a shut down until I receive advice from you, but it seems to me that something malicious was very offended by what we did.
    :cry

    (I'm currently on my laptop.)
     
  7. AngelsWilliam

    AngelsWilliam Private First Class

    Wow. Okay, it just finished.:-o

    On to the next step...
     
  8. AngelsWilliam

    AngelsWilliam Private First Class

    Okay, a couple of things:
    First of all, the AVG scanning icon came up in the taskbar when GetLogs got to the "Looking for Vundo type" infections. This has happened on both my laptop and my desktop, but the icon never stayed there after GetLogs closed. Am I not mistaken that the AVG scan icon showing when no scans are running is one of the first signs that you have a Vundo type infection?

    And...I know Vundo works fast because that's what killed my last laptop. Within a day. I only learned what it was after it happened because the new laptop started doing the same things, so I disconnected it from the Internet immediately and shut it down and started researching online.

    Secondly, when I opened Firefox, not only were my saved passwords still there, but so were all my previously typed URLs and previous form information.

    Oh, and when I clicked delete selected in the main part of ATF Cleaner, it told me "No files have been removed." Now, I only ever use IE for Microsoft Update...but...still....

    Anyway, I'm going to shut this down, now, and look for your reply on my laptop. I just can't afford to lose this computer to Vundo. We're talking major $$$ in a household where my health costs are pretty much cleaning us out (I'm epileptic, too) so that my parents can't enjoy their retirement. :(

    Thanks for all your help, hon.
     

    Attached Files:

  9. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Run C:\MGtools\analyse.exe by double clicking on it This is really HijackThis (select Do a system scan only) and select the following lines:
    Once you completed the above, reboot and let me know how things are running and if you're having any problems. Your logs are clean and show no infections. Also, your logs never showed a Vundo infection.
     
  10. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    I've never heard of this before, my AVG used to do this which is part of the reason I ditched it. Like I said previously, your logs never showed a Vundo infection or anything to worry about. As far as antivirus protection goes, I would recommend Avast! Antivirus over AVG. I’ve had both and had fewer problems from Avast. If you want an excellent antivirus, purchase Kaspersky Antivirus. :)
     
    Last edited: Oct 29, 2008
  11. AngelsWilliam

    AngelsWilliam Private First Class

    Everything seems to be working well, now. The hard drive was very busy when I first booted up, but it calmed down after I did CCleaner, and Autoclean in RegSeeker. I don't know if it was just a matter of time or what, but...all is behaving normally, now.

    My AVG contract is done May of next year. I'll look into Kaspersky. I've got the AVG Internet Suite. Can you recommend an Internet Suite, so I don't have to pay for separate professional packages?

    Thanks again for all your help. You are a life (and living) saver.
     
  12. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    For security suites, the below are my recommendations.
    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources ( except a little disk space ) until you run a scan.
    2. If we used Pocket Killbox during your cleanup, do the below
      • Run Pocket Killbox and select File, Cleanup, Delete All Backups
    3. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /u
        • Notes: The space between the combofix" and the /u, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
      • Delete the C:\combofix folder from combofix (if it exists)
    4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    7. Go to add/remove programs and uninstall HijackThis.
    8. You can delete the C:\MGtools folder and the C:\MGtools.exe file. You can also delete the C:\MGlogs.zip
    9. If you are running Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning steps in the READ ME for your Window version and see the steps to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    10. After doing the above, you should work thru the below link:
     
  13. AngelsWilliam

    AngelsWilliam Private First Class

    I think I'm having issues again, so I'm attaching a fresh set of logs again. Sick of me, yet?
    :-o

    Part of the reason I'm double checking is my laptop just flat-out quit on me Monday night. No shut down screen--nothing. Just shut off. And wouldn't start back up--not wouldn't boot up, wouldn't start up. I tried everything and checked everything including connections and overheating. None applied. Local tech will be coming to check it tomorrow or Friday...but he knows nothing when it comes to checking for malware. He told me my desktop was perfectly clean before we last spoke--told me he used "the same forensic scanning software the government and police use." Uh-huh.

    Okay...I don't know what the deal is, but the SASlog and the Malwarebytes Anti-Malware log are nowhere to be found. I ran them in the order instructed with Spybot S&D in between. Now, I'm p*ssed. (This is from my desktop computer. Just thought I should make that clear because I reread this and it read as confusing.)

    I hope the attached are enough for you to work with, as I see in the instructions we aren't supposed to run the routine more than once. :confused
     

    Attached Files:

    Last edited: Nov 5, 2008
  14. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Okay, let me get a few things straight. Which computer were we working on before? Which one are the current logs from?

    If there are two computers, we need to work each computer in its own thread. Also, keep in mind that not all computer problems are malware related.

    If he doesn't know malware then he just guessed when he said it was clean. Also, to my knowledge there is no software just for police and government that scans and removes malware. If there is and he is using it and is not authorized to use it then he is violating the law.
     
  15. AngelsWilliam

    AngelsWilliam Private First Class

    The answer to both questions is "the desktop computer."

    As I thought, he was just saying it to get me off his back. Grrrr.

    The desktop seems to be working okay, now, but...I'd really like a for sure before I erase the previous restore points. Does that make sense? Could you do that (check the logs) for me, please?
     
    Last edited: Nov 6, 2008
  16. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Everything looks good however let's scan a few files manually just to be certain.

    Go to the following website, upload each of the below files and post the results only if something is found.

    http://virusscan.jotti.org/

     
  17. AngelsWilliam

    AngelsWilliam Private First Class

    :cool
    Everything came out clean, except the 4th item on the list was a folder, not a file (unless part of it got cut off), so I could only scan it with the tools on my machine. I scanned it with AVG Pro, Malware Bytes, and A-Squared Pro. A2 found a trace of GoToMyPC (which was supposed to have been completely removed from my system via RegSeeker *raises eyebrow*) and a trace cookie. I quarantined them both...but neither is listed in the quarantine, now. I didn't click the "save report" button. I hope that's why.

    Anyway, should it now be safe to toggle the restore points? They really, really need me to work, as we have jobs that are way out of turnaround time, now.
     
  18. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Yes! Follow all of the steps in post #12. :)
     
  19. AngelsWilliam

    AngelsWilliam Private First Class

    Thank you so very much. You have been so patient with me. I just want to be absolutely certain people's medical records are secure while on my machine.

    God bless ya! :wave
     
  20. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    You're Welcome!:major

    I understand completely as I work at our local hospital as the IT Director so I know how important it is to stay malware free.
     
  21. AngelsWilliam

    AngelsWilliam Private First Class
