Something Evil is still on my machine - please help

Discussion in 'Malware Help (A Specialist Will Reply)' started by scribe, May 17, 2009.

  1. scribe

    scribe Private E-2

    Went through all of the Readme first instructions.

    When running combofix, I realized that there was some residual Norton software (probably came with machine) still running somewhere. Don't know if that would impact anything else. Used the Symantec removal tool and combofix seemed to work. Seemed like there might have been other issues, as at one point while trying to download the removal tool my entire screen flickered, all of the text on the screen changed to a different font (including in the taskbar), the screen flickered a second time and everything went back to the way it was. - Have no idea if that means anything but it seemed strange enough to maybe be a clue.

    MGTools generated tons of "Registry editing turned off by Administrator" messages.

    Still can't get registry editing back on or task manager and am still getting alerts from Spy Sweeper about email attachments. And whatever this darn thing is also seems to have completely turned off my Trend Micro Antivirus program (can't get it to launch at all; great help that appeared to be in all of this).

    Don't know if any of that info is useful or not. Attached are the logs and I'll be keeping my fingers crossed that someone here knows how to fix this.

    Also, is there any chance that this crud that I have could have come from a Mac? A client sent me files and this started around the same time. One of the scanning tools targeted a few of the files that I think had extensions like .xls.lnk

    Regards,

    Michele
     

    Attached Files:
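The "Registry editing has been disabled by your administrator" messages and the missing Task Manager described in the post above are the visible effect of two policy values that malware commonly sets. This is an added PowerShell check, not code from the thread or from any of the tools it mentions; the value and key names are standard Windows policy locations, and the removal function assumes no administrator set them deliberately on this machine.

```powershell
# Added example (not from the thread): report the policy values behind
# "Registry editing has been disabled by your administrator" and a
# disabled Task Manager. Both are legitimate admin policies, so only
# remove them on a machine where no administrator set them on purpose.
function Get-LockoutPolicy {
    $paths = @(
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
    )
    $names = @('DisableRegistryTools', 'DisableTaskMgr')
    $found = @()
    foreach ($path in $paths) {
        if (-not (Test-Path $path)) { continue }
        $props = Get-ItemProperty -Path $path -ErrorAction SilentlyContinue
        foreach ($name in $names) {
            $value = $props.$name
            # a non-zero value means the restriction is active
            if ($null -ne $value -and $value -ne 0) {
                $found += [pscustomobject]@{ Path = $path; Name = $name; Value = $value }
            }
        }
    }
    return $found
}

function Remove-LockoutPolicy {
    foreach ($hit in Get-LockoutPolicy) {
        Remove-ItemProperty -Path $hit.Path -Name $hit.Name -ErrorAction Stop
        Write-Output "Removed $($hit.Name) from $($hit.Path)"
    }
}

# Report first; call Remove-LockoutPolicy only after the malware itself is gone
Get-LockoutPolicy | Format-Table -AutoSize
```

If a value reappears shortly after removal, something still running is re-creating it, which is why the thread's advice is to clean the infection first and only then restore the settings.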

  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Is your copy of Spy Sweeper a paid version or a trial version?

    Infected files can be transferred from any system. It is not necessary that the files be executable on the other OSs. The files could still contain an infection. However this is not a confirmation that this is how you got infected.

    I strongly advise you to cleanup your Desktop. Remove everything but links to run programs. Do not download and save programs here and definitely do not use it for long term storage. You need to keep ComboFix.exe here for now as we need it, but we will be removing it when we are finished with your cleanup. A cluttered Desktop is malware's playground and it can also cause performance degradation especially when you start saving large files here like you are doing. Your Desktop is a mess!

    Run this Disable/Remove Windows Messenger to remove Windows Messenger. Do not confuse Windows Messenger with MSN Messenger because they are not the same. Windows Messenger is a frequent cause of popups.


    Now we need to use ComboFix to remove a bunch of malware files.
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Also make sure you have shut down all protection software (antivirus, antispyware, like TrendMicro and SpySweeper) or they may get in the way of allowing ComboFix to run properly.
    • If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
    • Open Notepad and copy/paste the text in the below quote box into it:
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below
    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    Now run Ccleaner. Only use the Run Cleaner button. Do not run anything else on any other forms.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).


    Then attach the below logs:
    • C:\ComboFix.txt
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
  3. scribe

    scribe Private E-2

    Thank you so much for trying to help me with this.

    The Spyware Sweeper version I was running when I was infected was 5.5.7.48. I thought by keeping the definitions current the version did not matter as much (I'm on dial-up and downloading a 35MB file is pretty much a whole-day endeavor.) I purchased a new version (my old subscription was expiring soon) and downloaded all of the latest files. For some reason, WebRoot did not accept the new key correctly and it won't let me log in to download the latest definitions. I called them about it and while they did offer to try to help, I felt like I was being led down a path that would lead to a pricey "professional services" request.

    I removed most of the junk that was on my desktop. I was using it as a nag file of sorts - those things I needed to do something with. I knew better and did it anyway.

    On to the results of what you suggested I do...

    Disable/Remove Windows Messenger appears to have worked without issue.

    ComboFix - While it was running, a popup warning about the Canon IJ Network Scan Utility appeared, which closed on its own.

    CCleaner - generated an error...

    When I said OK, CCleaner closed.


    I went ahead and tried to keep going with the other scan.

    While it was running I got the familiar "Registry Editing has been Disabled by Administrator".


    When I came here to upload the log files Mozilla seemed to stop taking commands. I opened a new window and it kept telling me it was done loading and all I had was a blank screen. IE would not launch. Pulled the plug and on reboot had two new errors.

    When I tried to reconnect to post here, something kept accessing my disk drive and the Internet was fairly non-responsive. Turned off auto-updates on Spysweeper and I regained control enough to post this message. (While typing this sentence I got another popup -- Generic Host Process for Win32 services has encountered a problem and needs to close)

    This page did not load properly and I thought I would post this text and then try to upload the files in a second pass. Mozilla once again went haywire and I couldn't do anything.

    Tried to save this post as a .txt and the two log files to a CD. It let me stage the files but when it came time to write them it kept complaining there was no CD in the drive. Finally got everything on a USB flash drive and am sending this from my Mom's PC.

    BTW, the date stamp on the MGlogs.zip file is showing 5/17. Did I need to delete the old file before running the bat file?
     

    Attached Files:

  4. scribe

    scribe Private E-2

    Sorry for the second reply. I cannot get the MGlogs.zip file to upload. Even with a new name it keeps telling me the file is already attached to the thread.
     
  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    That means that you did not create the new log file by running C:\MGtools\GetLogs.bat. It is not necessary to delete the previous ZIP file. You just have to run GetLogs.bat; however before doing this, please run the below:

    Resetting Registry and File Permissions - make sure you reboot where requested.


    Now download Registry Search (see the link titled RegSearch Download Link )
    • Extract the files from Regsearch.zip into a folder.
    • Doubleclick regsearch.exe to start the program.
    • See the top 3 boxes under the Enter search strings (case independent) and click Ok... option, enter the below string (use copy and paste)
      • abp470n5
    • Then click "OK".
    • Notepad will be opened with text in it (the file named RegSearch.txt will be saved in the program's folder as well).
    • Attach this RegSearch.txt file.
    Now run C:\MGtools\GetLogs.bat as previously requested and attach the new C:\MGlogs.zip file.
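The Registry Search step above looks for one string anywhere in the registry. As an added example that is not RegSearch's code or part of the thread, this PowerShell function does the same kind of case-insensitive search over key names, value names and value data and writes a report file; the output path on the Desktop and the HKLM/HKCU hive list are my assumptions.

```powershell
# Added example (not from the thread): recursive registry search for a
# string, in the spirit of RegSearch. Run from an elevated PowerShell so
# that as many keys as possible can be read; unreadable keys are skipped.
function Find-RegistryString {
    param(
        [Parameter(Mandatory)] [string] $Pattern,
        [string[]] $Hives = @('HKLM:\', 'HKCU:\')   # assumed default hives
    )
    $escaped = [regex]::Escape($Pattern)           # -match is case-insensitive
    $hits = New-Object System.Collections.Generic.List[object]
    foreach ($hive in $Hives) {
        $keys = Get-ChildItem -Path $hive -Recurse -ErrorAction SilentlyContinue
        foreach ($key in $keys) {
            $path = $key.Name
            if ($path -match $escaped) {
                $hits.Add([pscustomobject]@{ Where = 'KeyName'; Key = $path; Value = ''; Data = '' })
            }
            foreach ($valueName in $key.GetValueNames()) {
                $data = $key.GetValue($valueName)
                # render binary data as hex so it can be matched as text
                $dataText = if ($data -is [byte[]]) {
                    ($data | ForEach-Object { $_.ToString('x2') }) -join ''
                } else { "$data" }
                if ($valueName -match $escaped -or $dataText -match $escaped) {
                    $hits.Add([pscustomobject]@{ Where = 'Value'; Key = $path; Value = $valueName; Data = $dataText })
                }
            }
        }
    }
    return $hits
}

# Search for the string requested in this thread and save a report
$results = Find-RegistryString -Pattern 'abp470n5'
$results | Format-Table -AutoSize | Out-String -Width 300 |
    Set-Content -Path "$env:USERPROFILE\Desktop\RegSearch-ps.txt"
$results
```

A full walk of HKLM and HKCU takes a few minutes; an empty result means the string is not present in any key, value name or value data the account can read.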
     
  6. scribe

    scribe Private E-2

    Just to let you know I haven't disappeared. The first utility has been running since Wednesday. Is that normal? My machine had around 118,000 files before I ran the read me procedures. It is currently listing 3 errors but the utility is still running.
     
  7. scribe

    scribe Private E-2

    Sorry, two more questions.

    It looks like the utility finished and restarted itself. I have noticed that 2 of the errors it had last time have not occurred so far - they were early in the scan and it is already past that point.

    Is this registry tool going to keep running through all of my files until it reaches zero errors?

    Will it take as long as it did the first time to cycle through all of the files?
     
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    No this is not normal. Possibly you have a lot of problems with your file system. I was suspecting that you may have a lot of non-malware problems which was part of the reason for running this.

    If it has not finished by the time you read this, just move on to the Registry Search part and do not run the Resetting Registry and File Permissions fix anymore.
     
  9. scribe

    scribe Private E-2

    What's the safest/smartest way to stop it? Should I pull the plug or do something else?

    BTW, this morning it restarted again.
     
  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Can you kill the subinacl and secedit processes from Task Manager and then go to the C:\Program Files\Windows Resource Kits\Tools folder and rename them so that the .exe extension is .EEE to prevent them from running.

    I have never heard of this happening. Either you have a lot of registry keys and files with problems or there is a bug of some sort.
     
