Hi-Jack This v2.0.2 08/05/09

I am a "pretty careful" user, but every once in a while.....

So, here I am looking for some assistance. I use iS3:Stopzilla v5.x, McAfee Anti-Virus Plus (AV 13.11, FW 10.11, SC 9.11) all up to date. I also use MalwareBytes v1.40 (found a couple of things), SpyBot Search & Destroy (clean).

But, my PC still runs VERY SLOW in "normal mode", a little faster in "safe mode w/networking". In "normal mode" a McAfee scheduled scan w/maximum CPU usage around 5:30am takes 12+ hours to complete?!?!

I recently "patched" my IE v7.x with MS's patches due to big security holes found a couple of weeks ago. Before this, PC was "screaming" along.

PC Specs....
AMD Athlon 64 x2, Dual-Core 3800+, 2.0 GHz, 2000 MHz System Bus
2 gigs of RAM
nVidia GeForce 6150LE GPU (w/latest driver)

I am also attaching my HJ This log from the "safe mode w/networking" boot.

Would appreciate any & all help!

 

Addendum....

I will be submitting an item, by item list of what I performed via the "Malware removal steps" that have been written.

Hopefully, it will get me some help as I believe I am still infected with something thanks!

-Scott

 

Chasang,

Please pardon my stupidity. I am pretty confused by your reply, can you explain a little differently?

So here is my step-by-step "log" of what I did:

(safe mode)
- uninstalled Viewpoint Media Player w/ Revo uninstaller (reboot finished delete)
- Updated Java to new version
- Reboot reported "Recovered from serious error" (blue screen)
- Check for SAS updates (none)
- Update Java to 6.15
- AOL v9.1 displays "Flashplayer security warning", unsure - I ignore it.
- restart w/CHKDSK c: /F (PC takes 10+ minutes to shutdown)
- CHKDSK c: /F (no issues)
- reboot PC (very slow, takes 5-7 minutes)
- MSconfig (all are checked), "Access denied need Admin"
- Clean XP (D/L SAS, I have StopZilla, no issues)
- D/L Combo Fix to desktop (NOT RUN)
- D/L MGTools to c:\ (NOT RUN)
- Install SAS (OK)
- Update
- Diagnostic yes issues found)
>> 0 memory items out of 708
>> 0 registry items out of 6942
>> 2 file items (error doctor setup.exe)
>> 6 out of 10 rating (Smith Fraud type "extortiion ware")
>> clicked NEXT
>> MS Visual C++ runtime error R6025; pure virtual function call
>> OK; SAS closed
- HDD light still "burping" along
- McAfee AV Scan running (cancelled it)

- Reboot into "Normal Mode"
>> Had to "end program-layered window"
- Windows shutting down, took about 10 minutes

- Reboot into "Safe mode w/networking" to rerun SAS in safe mode
- "stuck" @ blue progress bar (bootup) on WinXP screen
- Power OFF/Boot into "safe mode w/networking" after about 10 minutes
>> HDD light stays on steady
- choose [owner] as logon
- Rerun SAS w/updates @ 7:00am (full scan)
- Found cookies & Trojan

- Reboot into "Normal mode"
>> took about 10 minutes to shutdown/restart
>> startup slow, (10:50am - 11:25am)

- Power off/on
>> F8 using last known good settings

Attached are the following logs.... (I hope)

SAS, 08/06/09 @ 3:06a, runtime 3:28:42 (issues), core/trace rules: 4041/1981
SAS, 08/06/09 @ 8:52a, runtime 1:54:08 (issues), core/trace rules: 4041/1981
SAS, 08/07/09 @ 4:00p, runtime 5:21:56 (issues), core/trace rules: 4043/1983
SAS, 08/08/09 @ 2:41a, runtime 3:57:14 (issues), core/trace rules:
4045/1985
SAS, 08/09/09 @ 7:54a, runtime 3:09:19 (clean), core/trace rules:
4046/1986

Hi-Jack This.... (I hope)

Scan saved at 5:04:42 PM, on 8/5/2009, Safe Mode w/Networking
Scan saved at 5:30:22 PM, on 8/9/2009, Safe Mode w/Networking

I Hope all of this information helps.

You assistance is appreciated very much!!!

-Scott

 

08/18/09 - SAS, Combofix, MGTools

chaslang,

Thanks for your replies. I apologize for going "out of order". As I printed out & read the directions, running the ComboFix and/or the MGTools, I thought was a no-no unless we are explicitly told to do so???

Your last message seems to "authorize" me to run these two tools?

Am I to run them?
SAS does not find anymore after repeated scans with new DAT files.
PC still boots really slow and takes 10+ minutes to shutdown.

Understandably, I am pretty "scared" to run these tools when I do not have a 100% reliable backup of my C: drive.

Thanks, I await your reply.

-Scott

 

08/18/09 - ComboFix Log run

Chaslang....

I installed CF following the steps provided:

* Critical update required
- I, OK'd

* CF shall now restart
- it did

* McAfee warned of a registry change
- I approved of all of them

* CF "warns" of a tainted version and may need to re-download
- I, OK'd

* CF Disclaimer
* CF created a restore point

* CF found the MS Recovery Console was not installed
- I OK'd its installation
* EULA
- I clicked Yes

* CF begins its scan
* McAfee "warns" that the firewall & AntiVirus are turned off
* CF ran to completion
* SEVERAL windows errors were reported requesting to be sent to MS
* CF generated a report (attached)

* CF closes, returns me to the desktop
- I had to "restore my active desktop", did not work.
* Restarted PC
* StopZILLA, on reboot, found 28 infections:
- Trojan: Catchme (22 entries)
- Cograc: Adware (2 entries)
- System Policies: HiJacker (4 entries)
* Removed & rebooted PC

( After reboot, tried to run AOL (yukk, I know)...
- Blue Screen
"Driver_IRQL_NOT_LESS_OR_EQUAL"
* 2nd time I have seen this message
- nothing new added/installed except for my Belkin "G" Router
* Suggests I disable memory options (caching or shadowing)
* 0x000000D1 (0x00000064, 0x00000002, 0x00000000, 0x8490B44C)

>>> I am going to move forward and run the RootRepeal (step 4)

 

08/22/09

Chaslang,

Thanks for the "hand holding".

I have completed all of the steps and am attaching the MGTools log file: MGlogs.zip.

I am attaching the Combofix log: ComboFix.txt, 47k, created: 08/18/09

NO LOG for RootRepeal Kit?

Previous posts have included SAS logs.
Previous posts have included Anti-Malware logs.

Currently... NO SAS items have been found.
Currently... NO Anti-Malware items have been found.

Thanks!

 

08/26/09 - update.

Chaslang, got your last message and have completed all of the steps. Please note the below comments from the run:

* changing to "Normal Startup" always returned a msg ".. requiring ADMIN account .." to make these changes. THE OPTION SEEMED TO CHANGE, although.

* AFTER checking the O2 & O23 items, HJT REQUIRED a restart to complete the changes. I clicked [YES] to reboot.

* AFTER reboot, I cut & pasted the "KILLALL::" text.
* SAVED the txt file & dragged over ComboFIX on my desktop.
* FOLLOWING prompts, following notes:
- Current Date is: ~. ComboFix has expired. Click [YES] to run in REDUCED FUNCTIONALITY MODE.
- I clicked [YES]
- Preparing to run.....
- New Restore point...
- Scanning... Stage_49 (McAV balloon msg pops up)
- Deleting files (kgpcpy.cfg)
- REBOOTING

* AFTER auto-reboot CCleaner auto runs as part of startup

* Ran GetLogs.bat

Attaching the following logs:
- C:\ComboFix.txt
- C:\MGlogs.zip
- C:\rootrepeal report 08-18-09 (20-15-49).txt

================
iS3 StopZilla has recognized the "CatchMe Trojan" and is running its own FULL SCAN.

MY ISSUE(s)... is that the WinXP SP3 shutdown takes 10+ minutes to complete. AND... the WinXP SP3 startup takes 5-7+ minutes to complete.

I am also "thinking" that the Belkin Router I installed (but failed) with their "help desk" having me configure it via the router's IP directly may also be causing a BIG issue. I cannot uninstall the Belkin Router file(s) as there is NOT an entry to uninstall with in the control panel.
=================

Thanks for your help!!!

 

Chaslang,

Thanks for all of your help. I am now using SAS with any friends PCs who report to me they are having issues. As far as my PC... I had to break down and replace the MB. Seems the ECS v1.0 board ended up "dying" to where it just would not POST.

With all this fixed, I am keeping myself updated with SAS, AMW, SZ, AVG and making sure to run regular scans to keep up / ahead of the game.

With all of this stated, I still found some of the instructions a little difficult to follow - at times - I would like to suggest that some items I pointed out be considered for updates / corrections to the overall steps provided.

 

Yes.

MD replaced.
HDD reformatted & reloaded with a full WinXP Media Edition 2005 w/SP3.

They installed AVG 8.x (30-day trial) which they say is the "best". I prefer McAfee along with the SAS & MB and my StopZilla...

The BIG issue from the rebuild is that the "techs" did not backup/restore a folder belonging to a user "DEL" which had 1000's of pictures. They claim "DEL" made them think Dell computers and since this was not a Dell, it did not need to be backed up...

They have "offered" to rescrub the drive to try and recover files, folders, images like how the "active@delete" utility does it.

Do you have an opinion?!?!?