Popups and errors during readme process.

Discussion in 'Malware Help (A Specialist Will Reply)' started by Pete22, Jun 3, 2009.

  1. Pete22

    Pete22 Private First Class

    Hello my geek friends,

    Last night Spybot found a trojan. It was listed as a driver in Windows32. Spybot said to fix it by removing the file, but that it may not be all of the problem. I did remove the file. Then I ran Advanced SystemCare and it said my computer was hijacked.

    So this morning I started the readme and run routine.
    SAS found nothing.
    MB found nothing.
    Shortly after I started ComboFix, SAS popped up and said it found a trojan.
    Then other programs started popping up too. When it finished I saved the log, but decided to start over.

    Ran SAS. It found a trojan and I removed it.
    Ran MB. It found nothing.
    Started ComboFix again.
    This time SAS popped up again and said it found several trojans.
    I stopped ComboFix again and restarted with SAS turned off.
    Ran ComboFix and it had an error in HijackThis. I let it continue, but I kept getting popups that my home page had been changed to some Microsoft address, asking did I want to allow that, which I didn't.
    I then ran MGtools.

    Since I can only send 4 with this message, I picked these files to send:
    File of SAS
    File of Combofix
    File of Hijackthis error
    File of MGtools

    Hope you can make sense of this.

    Pete22
     

    Attached Files:

  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Actually that is a false positive. pev.exe is a program called PevFind which is used by ComboFix.

    We want to see the log anyway to ensure the correct version was run.

    ComboFix does not run HijackThis. Did you mean to say you ran MGtools and that is when the HijackThis error appeared?

    Changed to which address? Your log shows the below is currently your start page:


    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ksl.com/index.php?nid=88

    Is this your desired start page?


    Your logs are clean. Are you actually having any malware problems?
     
    Last edited: Jun 5, 2009
  3. Pete22

    Pete22 Private First Class

    Hello Chaslang:


    I forgot to mention on my last post. When I finished the MGtools program on 3 Jun 2009, all of the icons on my Quick Launch toolbar and most of the icons for my programs listed in the Programs menu from the Start button were ruined. I have fixed them now.

    XP has just been reinstalled on my computer. That's why I thought it was a malware problem. I am sorry that I did not include my problems in last post. I realized it just as I pressed the send button. I know we are supposed to wait for a reply before reposting.


    What caused me to do the readme and run routine:

    -Installed Programs keep disappearing.

    -Whenever I use my Maxthon 2 browser all the setting have been reset to the default.

    -Sometimes when I go to Add/Remove Programs the page stays blank. I use SAS to fix this problem.

    -When Add/Remove came up properly, I still could not delete programs because it said the Microsoft installer tool was damaged. So I had to reinstall it.


    I have decided to run ComboFix and MGtools again and attach these files along with this post. If you don't see any malware on the new files, then please advise me what my options are. :banghead

    OK. I just bought SAS. In the past, I had SAS free and it did not cause problems. I realize now I need to turn it off while I do these tasks. I will also remove internet access while I do. Then I can't be infected while I run this, either. I will also disable winpatrol. If anything else pops up I will disable it and rerun the report so I get a good report for you.

    I don't know how to stop the Windows notification that I have disabled stuff. So ComboFix ran with no other popups except that one.

    I'm glad you want to make sure I did the right thing. I will attach my MBAM report.

    Oh yes, you are right. In the future I will take notes as I run each program. That way I can keep better track of the process. I got that same error today as well.

    Wasn't it you who wrote HijackThis? ;) So you would know whether the error in HijackThis was caused by something other than malware.

    Today, just after I finished MGtools and was looking for the MGlogs, this popup reappeared. See attached picture.

    It was probably the same as all of the ones that kept popping up during the process last time. Instead of being a homepage redirect, it is a search redirect from google to iesearch. I have never heard of iesearch.

    If it is not malware, what should I do?

    You do a great service. Thanks for all of your hard work

    Pete22
     

    Attached Files:

  4. Pete22

    Pete22 Private First Class

    p.s. Avast settings are being reset to default everyday. That worries me.
     
  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    MGtools makes no changes to any of this. It only makes a few registry changes to set some items back to defaults that malware frequently breaks. It also makes some fixes to adjust for changes that ComboFix makes and should not.

    Like what?

    Just sounds like you may be having a problem saving settings, which could indicate a problem with your user account permissions or a problem with your reinstall. This could be the same reason things you install go away.

    Or perhaps another reason is just due to what you may have installed. You have WinPatrol blocking various changes and you have PC Tools Firewall Plus installed. Did you also install ThreatFire with it? Try uninstalling WinPatrol and all of the PC Tools software and then see how things are working. Are your settings being saved now? If not, make sure that you are not using SAS Pro or Advanced SystemCare 3 to block any settings from being saved permanently. You should not be using WinPatrol anyway since you have SAS Pro installed.

    Not a malware problem.

    No malware problems. Try uninstalling the items I mentioned above to see if you are just being confused by the programs that you are using.


    Yes, and the log shows why I asked for it. You did not update to the correct version. You need to update every time before you run a scan.

    No!

    It is just a problem that appears sometimes. Potentially a conflict with something else that is running. It is a long standing bug that has never been fixed and never will be since TrendMicro apparently does nothing to support necessary changes to HJT. It did not stop it from running.

    MGtools does not make any changes to your default search page and, from the snapshot, it looks like it was just being reset to the Windows default setting.

    Nothing, or allow the change since it is not a problem. WinPatrol is perhaps confusing you since it is blocking changes, and sometimes you need to allow changes when you are the one making them.
     
  6. Pete22

    Pete22 Private First Class

    Hello Chaslang:


    I am so glad you noticed that I had the wrong Malwarebytes. I downloaded it and ran a full scan.

    It found Malware!!!! I will attach the log. I want to deal with this before I go too far with the rest of your instructions.

    I was hoping the ruined icons would help you identify the malware. Is this one of the signs of this type of malware? If not, then there is still trouble in "River City."

    I have been using WinPatrol since Win98, so it is not likely to be causing these problems. I did install ThreatFire, but deleted it as best I could when I found out it was not a good idea.

    I did just buy SAS. Its settings may be incorrect. However, I have noticed that CCleaner is cleaning stuff it should not. I am not sure if it is doing this because it was compromised by the malware or if the settings need to be tweaked. For example, file extensions that I am currently using are slated for removal. Files for a new program [I installed the day before and used for several hours] were also listed as from an unused application. So I have stopped using it. I also have stopped using PC Tools for now.

    I did not do the reinstall myself. I have also wondered if it needed to be done over.

    Before I change too much, let's deal with this malware and then see what we have left. Thanks for sticking with me until I found it.

    Thanks for using your brilliant mind to help others.

    :)

    Pete22.
     

    Attached Files:

  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    It is just a false positive due to the nature of what RockXP does in trying to recover passwords.

    Not really. Yes malware could potentially do this since it could do anything but this is just as likely to be a problem with Windows.

    Bad assumption. Programs change with every update and you should not be using it when you have the protection for SAS Pro installed. Double protection like this can be just as problematic as double antivirus programs.

    Not a malware problem. If you wish to discuss any problems you have with CCleaner, post them in the Software Forum. And in fact we did not ask you to run the Issues tab.

    Are you changing the subject from CCleaner to something else? Are you referring to Add/Remove Programs? Also a topic for the Software Forum, and it never gives correct information.

    You're welcome but you don't have any malware to deal with so it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources ( except a little disk space ) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /u
        • Notes: The space between the combofix" and the /u, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
      • Delete the C:\combofix folder from combofix (if it exists)
    3. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    4. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    5. Go to add/remove programs and uninstall HijackThis.
    6. You can delete the C:\MGtools folder and the C:\MGtools.exe file. You can also delete the C:\MGlogs.zip
    7. After doing the above, you should work thru the below link:
     
    Last edited: Jun 12, 2009
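    The final cleanup steps in the post above (uninstall ComboFix with its /u switch, re-enable UAC on Vista, delete the MGtools leftovers) can be scripted. The following PowerShell script is an added example; it is not from this thread and not a MajorGeeks tool. It assumes ComboFix sits on the Desktop as combofix.exe (the post gives no extension), that PowerShell is installed (XP does not ship it), and that it is run from an administrator session. Uninstalling HijackThis is left to Add/Remove Programs, as the post says, and is not scripted.

```powershell
# Added example (not from the thread or from MajorGeeks): scripted version of
# the ComboFix/MGtools cleanup steps. Assumptions: combofix.exe on the Desktop,
# PowerShell 2.0 or later, elevated (administrator) session.
param(
    [switch]$DryRun   # only report what would be done; delete nothing
)

$ErrorActionPreference = 'Stop'

function Remove-IfPresent {
    param([string]$Path)
    if (Test-Path -LiteralPath $Path) {
        if ($DryRun) { Write-Host "Would delete: $Path" }
        else {
            Remove-Item -LiteralPath $Path -Recurse -Force
            Write-Host "Deleted: $Path"
        }
    } else {
        Write-Host "Not present (nothing to do): $Path"
    }
}

# Step 2: uninstall ComboFix with its own /u switch (the command from the post).
# /u also resets the hidden files and folders settings back to Windows defaults.
$comboFix = Join-Path $env:USERPROFILE 'Desktop\combofix.exe'   # assumed file name
if (Test-Path -LiteralPath $comboFix) {
    if ($DryRun) { Write-Host "Would run: `"$comboFix`" /u" }
    else { Start-Process -FilePath $comboFix -ArgumentList '/u' -Wait }
} else {
    Write-Host "ComboFix not found on the Desktop; skipping /u."
}
Remove-IfPresent 'C:\combofix'

# Step 4: on Vista (NT 6.0) re-enable UAC from the .reg file MGtools left behind.
# This must happen before C:\MGtools is deleted in step 6.
$osVersion = [Environment]::OSVersion.Version
if ($osVersion.Major -eq 6 -and $osVersion.Minor -eq 0) {
    $uacReg = 'C:\MGtools\enableUAC.reg'
    if (Test-Path -LiteralPath $uacReg) {
        if ($DryRun) { Write-Host "Would import: $uacReg" }
        else { reg.exe import $uacReg }
    }
}

# Step 6: delete the MGtools folder, executable and the zipped logs.
# (Step 5, uninstalling HijackThis, is done through Add/Remove Programs.)
Remove-IfPresent 'C:\MGtools'
Remove-IfPresent 'C:\MGtools.exe'
Remove-IfPresent 'C:\MGlogs.zip'
```

    Run it once with -DryRun to see which of the paths actually exist on the machine before letting it delete anything; the order matters only for the UAC step, which reads a file inside C:\MGtools.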
  8. Pete22

    Pete22 Private First Class

    Possible malware found in backup files of C drive found on F drive

    Hello again,

    After your last instructions, I tried to stabilize Windows. I did a scannow and it did find that several files needed to be repaired. I also copied the files on this hard drive in case Windows died.

    This morning SAS was doing its daily run and said it found malware. When I looked at the file, the entries were found on my F drive, but were backup copies of information on my C drive. Then the computer started crashing. I had to reboot several times to get it to be stable. My Timeto program kept closing unexpectedly. Firefox kept hijacking my default internet browser.
    I am not sure I got the items from SAS cleaned off because of all the crashes.


    I then ran CCleaner, it ran fine.
    MBAM crashed.
    I was able to run Combofix.
    After ComboFix rebooted, the hosts file had been emptied out. WinPatrol notified me and I refused the change. It also had the search engine changed from Google to something at MSN again, just like before. I also refused that change. I am assuming this is a Windows issue.

    I then ran MGtools.

    Please look at these logs one more time and confirm that these issues are not malware. If so, I will wipe this computer clean and reload Windows.

    Could it be possible that it is a hardware issue of some kind instead? Like something on the motherboard?

    Pete22
     

    Attached Files:

  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Re: Possible malware found in backup files of C drive found on F drive

    Not problems. They were just old restore points that you backed up.

    Not related to what SAS had found. Sounds like you have Windows software/driver issues or hardware problems.

    Your logs are still clean. You need to complete 100% of my final instructions given in message # 7.
     
    Last edited: Jun 21, 2009
  10. Pete22

    Pete22 Private First Class

    Thanks for your patience Chaslang.

    OK, that's sorta what I thought.

    Windows crashed, as you suspected, shortly after I sent my last message. I can only use Linux on it right now. Thanks to your warning of a Windows issue, I had backups of almost everything. Thank you.

    For future reference: if I run the readme and run and there is no malware, or only stuff in the restore points, as per you or one of your assistants, and I am still having problems, it is probably a Windows problem or a hardware problem.

    Any other big flags that I could learn that would help me guess that windows was at fault instead of malware?

    Maybe a better question? When should I suspect a windows issue instead of thinking it is malware? Or should I always assume it is Malware first?


    Thanks again,

    Pete22
     
  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome.

    Not necessarily. No scans are perfect and malware changes all the time.

    It is not always so straightforward. We normally decide based on the description of the problems, the status reported by the logs, and an educated opinion, which is not always going to be perfect since, as I stated, malware keeps changing. Thousands of new infections each month. ;)
     
