PC can't be controlled when rebooted (usually). Seems hijacked.

Discussion in 'Malware Help (A Specialist Will Reply)' started by mfhadmin2, Dec 12, 2009.

  1. mfhadmin2

    mfhadmin2 Private E-2

    My PC has begun "freezing" when I start it up or reboot it. I can't control it at all when this happens.

    Even trying to access Task Manager using CTL+ALT+DEL brings up a blank dialogue box. I have to hold down the power button until it powers off to escape these episodes. It usually repeats this process when restarted unless I can click HiJackThis.exe quick enough. This seems to make it behave for that session.

    I have been using SAS & Malwarebytes (purchased versions) for several months, but I'm now getting error messages from those programs. The SAS file has lots of variants of 6bb53782-634c-48f4-bbbd-f0b03b5f7e30.exe which I doubt are legitimate; Malwarebytes flashes occasional errors.

    I followed the READ & RUN ME FIRST.Malware Removal Guide with LOTS of things removed by Ccleaner (wasn't able to attach reg entries files).

    Was stopped at STEP 6: Windows XP Cleaning Procedure.
    • opened SAS using Alternate Start icon
    • updated definitions successfully
    • enabled recommended settings
    • ran complete scan (results attached)

    SAS message said system must be rebooted to complete; that it was still infected. I deleted quarantined items then rebooted.

    Same problem--the computer was not controllable. It took 5 or so attempts to successfully sneak in a HiJackThis so I could submit this.

    Appreciate any help with this problem.
     


  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Major Geeks!

    We don't ask for or need a log from CCleaner or HijackThis, but we do need the other requested logs from MBAM, ComboFix, RootRepeal, and MGtools. You need to keep going as stated in the READ & RUN ME instructions. Try all steps, even if safe boot mode is necessary to run them. Then come back and attach all logs that you were able to obtain and tell us about any problems running individual scans.
     
  3. mfhadmin2

    mfhadmin2 Private E-2

    Thank you--I missed the part about keep going...

    SAS:
    this time when I tried to run SAS it no longer worked. There seem to be multiple versions of it throughout my directory now, so I downloaded it again & ran it (log attached) & removed quarantined items. I rebooted as requested, & a brief message displayed...something like "Dr win.exe failed to load."

    Upon restarting, I wasn't able to gain control of the PC, and as typical when this occurs, the AT&T Self Support Tool window appeared & wouldn't go away. The DSL & Internet indicator lights suggested no problems there, so I didn't follow the "repair broken network connection" routine this time. As before, I could not get a response from the Start button, SAS icon, or Firefox. Hovering over the task bar gave an eternal hourglass; CTL+ALT+DEL showed the typical "Windows Security" dialogue box, but the lower half was greyed out (where the task manager link would normally be). As usual, I was only able to stop by holding down the power button. It took three restarts to "trick" the rogue by quickly hitting Start, & running PROCEXP.EXE. This seems to always allow me to take control of the PC if I can catch it in time, even though I take no action.

    MBAM
    Scan found nothing; thankfully was not asked to restart (log attached).

    combofix.exe
    Skipped; still unavailable for download.

    RootRepeal
    Running the RootRepeal.exe program generated an error message: Invalid PE image found (log attached)...this time I kept going ;) & Scanned the Files (log attached). I did notice a message "found 2 hidden/locked files" before closing the RootRepeal.exe, but interestingly, this isn't mentioned in the log file.

    MGtools
    Ran successfully; will attach ZIP file to next post.
     


  4. mfhadmin2

    mfhadmin2 Private E-2

    MGtools
    ran successfully (log attached).

    This problem has been most frustrating, but your detailed instructions are very helpful! Thanks much for what you do for computer users like me. I look forward to seeing the next step.
     


  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Your problem may not be due to malware. I will give you a couple things to try to see what happens.

    First uninstall SUPERAntiSpyware, which you have installed improperly. It should not be installed under the C:\Documents and Settings\All Users\ folder; this is a very bad idea!!!! Do not reinstall it.


    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O2 - BHO: (no name) - {1392b8d2-5c05-419f-a8f6-b9f15a596612} - (no file)
    O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
    O4 - HKCU\..\Run: [HijackThis startup scan] C:\Documents and Settings\admin\Desktop\HijackThis.exe /startupscan
    O4 - Global Startup: AT&T Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\matcli.exe
    O23 - Service: SOMYYNGI - Unknown owner - C:\DOCUME~1\admin\LOCALS~1\Temp\SOMYYNGI.exe (file missing)

    After clicking Fix, exit HJT.

    Copy the bold text below to notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.
    Make sure that you tell me if you receive a success message about adding the above
    to the registry. If you do not get a success message, it definitely did not work.



    Now download The Avenger by Swandog46, and save it to your Desktop.
    • Extract avenger.exe from the Zip file and save it to your desktop
    • Run avenger.exe by double-clicking on it.
    • Do not change any check box options!!
    • Copy everything in the Quote box below, and paste it into the Input script here: part of the window:
    • Now click the Execute button.
    • Click Yes to the prompt to confirm you want to execute.
    • Click Yes to the Reboot now? question that will appear when Avenger finishes running.
    • Your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt and it will popup for you to view when you login after reboot.
    Click Start, Run, and enter sfc /scannow and click OK. There is a space after the sfc. This runs System File Checker, which looks for missing or corrupted system files and attempts to replace/repair them from files on your hard disk or from the CD if necessary. So it will ask for the Windows CD if it needs it.

    Now run Ccleaner. Only use the Run Cleaner button. Do not run anything else on any other forms.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).



    Then attach the below logs:
    • C:\avenger.txt
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!

    If the above does not help then try temporarily disabling ALL of McAfee from loading at startup or uninstall it. This would be just a test to see if it is causing your problems since you are not having malware problems.
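    The fix list above illustrates three patterns that recur in startup-entry triage: an entry whose target file no longer exists (the O2 BHO and the O23 service), an executable launched from a user profile or Temp directory (the O4 HijackThis entry, the O23 service), and a service with a machine-generated name and no vendor string (SOMYYNGI). The Python script below is an added example, not part of this thread, of HijackThis or of MGtools; it applies those heuristics to HijackThis-style log lines, using the five entries quoted above plus two constructed McAfee entries (assumed, for contrast) that should pass. It reproduces only the indicator patterns: chaslang's list also removed ISP software (Motive SmartBridge, the AT&T Self Support Tool) on judgement, which no pattern match will catch.

```python
"""Heuristic triage of HijackThis-style log lines.

Added example for this thread; it is not part of HijackThis or MGtools.
The heuristics mirror the patterns in the entries chaslang asked to fix.
"""
import re
from dataclasses import dataclass, field

# Constructed input: the five entries quoted in the thread, plus two McAfee
# lines (assumed, for contrast) that a triage pass should leave alone.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {1392b8d2-5c05-419f-a8f6-b9f15a596612} - (no file)
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
O4 - HKCU\..\Run: [HijackThis startup scan] C:\Documents and Settings\admin\Desktop\HijackThis.exe /startupscan
O4 - Global Startup: AT&T Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\matcli.exe
O23 - Service: SOMYYNGI - Unknown owner - C:\DOCUME~1\admin\LOCALS~1\Temp\SOMYYNGI.exe (file missing)
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\udaterui.exe" /StartedFromRunKey
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
"""

# "Oxx - body": the section code and the rest of the entry.
ENTRY_RE = re.compile(r"^(O\d+|R\d+|F\d+|N\d+)\s+-\s+(.*)$")
# HijackThis marks orphaned entries with "(no file)" or "(file missing)".
MISSING_RE = re.compile(r"\((?:no file|file missing)\)", re.I)
# First drive-letter path ending in an executable-type extension.
PATH_RE = re.compile(r"([A-Za-z]:\\.+?\.(?:exe|dll|bat|cmd|scr|sys))\b", re.I)
# O23 body: "Service: <name> - <owner> - <path>".
SERVICE_RE = re.compile(r"^Service:\s+(.+?)\s+-\s+(.+?)\s+-\s+", re.I)
# Heuristic (assumption): a bare run of 6-10 capitals looks machine-generated.
RANDOM_NAME_RE = re.compile(r"^[A-Z]{6,10}$")

# Lower-cased path fragments for per-user and temporary locations (XP layout).
PROFILE_MARKERS = (
    "\\temp\\", "\\local settings\\", "\\locals~1\\",
    "\\documents and settings\\", "\\docume~1\\",
)


@dataclass
class Finding:
    section: str
    line: str
    reasons: list = field(default_factory=list)


def parse_line(line):
    """Split 'O23 - Service: ...' into ('O23', 'Service: ...'); None if not an entry."""
    m = ENTRY_RE.match(line.strip())
    return (m.group(1), m.group(2)) if m else None


def extract_path(body):
    """Return the first executable path found in the entry body, or None."""
    m = PATH_RE.search(body)
    return m.group(1) if m else None


def assess(section, body):
    """Return the list of reasons an entry deserves a second look (empty = pass)."""
    reasons = []
    if MISSING_RE.search(body):
        reasons.append("target file missing: orphaned entry, remove it")
    path = extract_path(body)
    if path and any(mark in path.lower() for mark in PROFILE_MARKERS):
        reasons.append("executable lives under a user profile or Temp directory")
    if section == "O23":
        m = SERVICE_RE.match(body)
        if m:
            name, owner = m.group(1), m.group(2)
            if RANDOM_NAME_RE.match(name):
                reasons.append("service name looks machine-generated")
            if owner.lower() == "unknown owner":
                reasons.append("service has no vendor/owner string")
    return reasons


def triage(log_text):
    """Flag entries with at least one reason, most suspicious first."""
    findings = []
    for raw in log_text.splitlines():
        parsed = parse_line(raw)
        if not parsed:
            continue
        section, body = parsed
        reasons = assess(section, body)
        if reasons:
            findings.append(Finding(section, raw.strip(), reasons))
    findings.sort(key=lambda f: -len(f.reasons))  # stable: ties keep log order
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section}: {f.line}")
        for r in f.reasons:
            print(f"    - {r}")
```

    Run against the sample, the SOMYYNGI service trips all four checks, the orphaned BHO and the HijackThis desktop entry trip one each, and the McAfee, Motive and AT&T entries pass; the last two are exactly the ones a human reviewer still removes as unwanted ISP software, which is why a list like chaslang's is reviewed by hand rather than fixed automatically.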
     
  6. mfhadmin2

    mfhadmin2 Private E-2

    Thanks much for the help!

    fixme.reg
    successfully entered into the registry!

    Avenger
    Successfully deleted SOMYYNGI, but I did see a couple of odd things..please advise if of any consequence.
    • after "execute" command, received McAfee OAS notice of deleted Trojan (cleanup.exe) detected as zapchast.gen
    • PC rebooted automatically, but a dialogue box splashed for just an instant (too quick to read), then auto-rebooted again.
    • This time, a dialogue box displayed continuously "Windows cannot find 'C:\cleanupexe' make sure you typed the name correctly...I clicked "OK"
    • Avenger log file did not popup for review, but did generate a file indicating SOMYYNGI was deleted successfully (attached).

    MGlogs\GetLogs.bat
    Ran successfully (zip file attached)

    Status
    • Have rebooted several times without the loss of control problem :)
    • Having a little Malwarebytes issue that leads me to believe it isn't working.

    Malwarebytes protection module keeps reverting to not enabled. When Start Protection is re-selected, this message displays:
    "[Create Service] Failed to perform desired action. Error Code 1073";
    then a few seconds later a message pops up saying: "Malwarebytes Protection mode is already running"
    All seems OK, then in a few minutes a pop up displays: "[Open Event] Failed to perform desired action - Error code 2".

    I uninstalled SUPERAntiSpyware as directed.
    I could not delete a file named UIREPAIR.DLL at C:\Documents and Settings\admin\Application Data\SUPERAntiSpyware\SDDLLS
    Should I never reinstall it again? Perhaps in a more proper location you could recommend?

    Is it safe to delete some of these things from the desktop now?
    • RootRepeal.zip
    • JavaRa.zip
    • fixme.reg
    • avenger.zip
    • HiJackThis.exe

    Thanks! :wave
     


  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome.

    Is this still occurring? Who put the below batch file in your root folder, and are you trying to run it? Is it looking for the cleanup.exe file? Is this more junk from your ISP?
    C:\cleanup.bat

    You would be better off posting this at their forum ( contact support@malwarebytes.org ) since I have seen many different answers to this. Some say it is due to using via remote access. Some just say uninstall/cleanup, and then reinstall.

    Actually the path is:
    C:\Documents and Settings\admin\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS

    Try deleting it in safe boot mode. Or just try installing the program now. I only had you uninstall it to fix the improper installation. Just install programs to their suggested default locations, which is typically a folder they would create in C:\Program Files.




    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources ( except a little disk space ) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /uninstall
        • Notes: The space between the combofix" and the /uninstall, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
    3. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    4. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    5. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    6. Go to add/remove programs and uninstall HijackThis.
    7. Goto the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    8. If you are running Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures pointed to by step 6 of the READ ME for your Window version and see the instructions to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    9. After doing the above, you should work thru the below link:
     
  8. mfhadmin2

    mfhadmin2 Private E-2

    Thanks--sorry for the slow reply; I've been away from my PC for a few days & haven't had a chance to try your recommendations until now.

    Re: Windows cannot find "C:\cleanupexe"
    It hasn't happened again, however, the only time it occurred was when I ran Avenger per your earlier instructions. I haven't run Avenger since.
    Should I attempt to see if the message shows again?

    RE: C:\cleanup.bat
    I don't know where C:\cleanup.bat came from; I'm not intentionally trying to run it. I don't know if it's looking for the cleanup.exe file, or how to tell if it is looking for it. I don't know where it came from; it could be from the ISP...
    should I delete it?

    RE: SAS & UIREPAIR.DLL file
    Successfully deleted the UIREPAIR.DLL file while in safe mode; thanks for the suggestion. ;)

    ComboFix
    Since ComboFix is now available, I ran it. (Hope this was OK :-o).
    I attempted to disable all Antivirus, Antispyware, & Firewall programs per the instructions provided with the ComboFix download, but was surprised to see a popup indicating "Norton Internet Security realtime scanner is active." I don't use Norton, so before continuing, I searched the drives for about 30 minutes using every possible thing I could think of, including "Symantec"..found nothing, so I took the double-dare & continued with ComboFix (log attached).

    Malwarebytes
    I've uninstalled (after running ComboFix), and will attempt re-install it after I remove ComboFix. If unsuccessful, will follow your advice & post to Malwarebytes' forum. FYI, I've been using the purchased version to provide real-time protection.

    SAS
    I'll also attempt to re-install SAS (also been using the purchased edition) after ComboFix is removed. Hopefully all will be working normally then!

    Thanks again for your thorough guidance! :cool
     


  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    It is actually an incorrect statement to say it is active. What is really correct is the fact that Norton never uninstalled properly and there are leftover entries in security center for it. I will give you something to do below which should remove them.

    Note: It is not really a good idea to have active protection from both MBAM and SAS. And in addition, your copy of McAfee also appears to have antispyware, which complicates things even more..... especially since McAfee does not perform too well relative to tools like MBAM and SAS. They can all conflict with each other and could also result in slowing your PC down.

    Now we need to use ComboFix to remove left over Norton entries.
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    • If ComboFix tells you it has expired or need to be updated to a new version, make sure you allow it to update.
    • Open Notepad and copy/paste the text in the below quote box into it:
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below
    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    Then you should complete my final instructions from message # 7.
     
  10. mfhadmin2

    mfhadmin2 Private E-2

    Thanks for that quick reply. My Malwarebytes problem seems to be fixed after I visited their website per your advice--many thanks! I've stopped active protection from SAS--just using MBAM now. I also de-selected the antispyware options from McAfee. Sounds like very good advice.

    The only problem is with the above success, I got slap-happy this afternoon & already followed the first step of those #7 final instructions; which means I removed ComboFix already! GRRR! :cry

    I'd really like to follow through with your advice on removing those leftover Norton entries with that CFscript file. Would it be OK to just download the ComboFix & not run it, then follow your instructions?

    Thanks again for your help--you folks do a great service.
     
  11. mfhadmin2

    mfhadmin2 Private E-2

    Help!!! I've screwed up things royally & am posting this from another computer.

    Your last advice was:
    I thought my last post in response to this advice was really, really dumb...surely "make sure ComboFix.exe that you downloaded... is on your desktop" didn't mean it must be there in its original form...surely I didn't need to wait for authorization to put ComboFix back on my desktop... :confused

    So, being the impatient creature I am, I took matters in my own hands; turned off the MBAM realtime protection & the McAfee AV; and downloaded ComboFix again to the desktop, being careful not to execute it. I then followed your directions of creating the text file; dragging it over the ComboFix icon, & following the prompts.

    When I dropped the txt file over the icon, I got the same warnings that Norton was installed, & went past that. There was also a warning about Adobe not being finished with whatever it was trying to do (without my permission anyway). Then I got a prompt to run ComboFix.exe, so that's what I did--thinking it was what I was supposed to do. The program started up & began running the autoscan for infected files.

    That was about 2 hours ago; my screen has been at the same point the entire time & shows no sign of stopping what it's doing.

    Please advise...I will patiently sit on my hands & not try anything without specific instructions on how to proceed. :-o

    Thanks, and so sorry for the trouble.
     
  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    This could be a potential problem since anything doing updates in the background while ComboFix is running and making changes to the registry at the same time can cause problems.

    Did it ever finish? Is it still running? If still running, do you have the ability to open Task Manager and kill it? Or can you click Start and select ShutDown? Do you have the ability to run anything else, or is the PC locked up? If not, your only recourse may be to hold in the Power Button to shut down the PC, but this can be problematic since ComboFix may have files for the registry open and this could cause damage.
     
  13. mfhadmin2

    mfhadmin2 Private E-2

    No, it never finished...it's still doing the same thing. I wasn't going to touch the PC until I heard back, but the family got on it while I was at work & found they could do whatever they wanted while this Autoscan just continued to run.

    I just tried killing it with Task Manager; I think it will let me do it, but warns:
    "If you choose to end the program immediately, you will lose any unsaved data. To end the program now, click End Now."

    To be safe, I chose "Cancel" & let it continue to run until I hear back.

    Next time I'll try to see if any updates are running, but I didn't have a clue Adobe was even doing anything when I started.

    Thanks for your help, & again, I apologize for jumping the gun.
     
  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You don't have too many choices right now and this is a better option than the hard power down. Hopefully it does not leave any open registry keys in a state where they show as marked for deletion since this can cause many operations on a PC to fail to work.
     
  15. mfhadmin2

    mfhadmin2 Private E-2

    I was not able to stop it with Task Manager.

    Before I try the force reboot procedure, would it be OK to try & kill C:\ComboFix\CF25872.cfxxe with Process Explorer - Sysinternals? I see PEV.exe on Process Explorer...what is that? :confused (screen shot attached)

    I don't know if this is relevant, but just FYI, the Malwarebytes forum fix was for me to run mbam-clean, which I did. It's still on my desktop.

    Thanks for your help! :wave
     


  16. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes they are both just part of combofix and you can try killing both of them if you still have not already done so in the last few days.

    By the way, your snapshot was not too legible. You should install snapshot software that allows you to capture only necessary information rather than the whole desktop. However, I could use a super zoom in and make out the fact that you did not shut down McAfee before running ComboFix, which may be why it got hung up. There were lots of McAfee processes showing.
     
  17. mfhadmin2

    mfhadmin2 Private E-2

    I'm screwed. :banghead

    Sigh...Process Explorer didn't kill the processes either, so I did the hard re-boot, and....things seemed to be working OK! I could browse the net & even log on to work. I was feeling really happy, like :dood so I continued to check things out.

    I updated MBAM; it asked for a restart when complete, which I did, and FTW, it locked up with an Adobe update screen that wouldn't go away: "The following updates are ready to be installed: Adobe Reader 8; Adobe Reader 8.1.5 (CPSID_49013)." I don't even want all these Adobe updates! :mad I tried clicking Remind Later, and another time tried Install Now, but it doesn't matter, it just freezes no matter what I do.

    I've lost control of the PC just like the original problem I reported back in December. As before, using CTL+ALT+DEL won't bring up Task Manager, only a blank dialogue box with the header: WINDOWS SECURITY (is that even the legitimate header?).

    Next I did a cold restart again, using the power button. It locked up again before I could try to quickly gain control using the PROCEXP.EXE at the Start button which used to work for me, at least for that session.

    I tried it again...still not quick enough to get it going! Tried again, this time attempting to get HijackThis open (which seemed to help things work temporarily when this happened before), but I don't seem to be fast enough before it freezes again. In fact, when HijackThis opens, I get a message that says "This action cannot be completed because the other application is busy. [that would be the pesky Adobe update] Choose 'Switch To' to activate the busy application and correct the problem." [no thanks!]

    During my short-lived blissful 10 minutes at the beginning of tonight's procedure, I was wondering "how will I know for sure if everything is OK", because earlier you said:
    Since I had a little success at the beginning with things working just fine, do you think I escaped the deleted registry key issue you were concerned about?

    What to do next? My PC is hijacked without remedy now! Any logs you want to see? I'll await your advice: I'm older & wiser now & promise to be more patient. In fact, I wanna be a geek when I grow up. ;)

    RE: the screen-shot:
    I turned McAfee back on after my unsuccessful attempt with the CFscript.txt-drag-to-Combofix procedure: to keep my PC safe from exploit during the interim. The screen-shot you saw reflects the status during this waiting period.

    I tried to have all McAfee & MBAM processes stopped when I actually attempted the Combofix procedure....
    ...but I may have accidentally left a McAfee process running causing it to lock up.

    Thanks for your advice on the better snapshot program--I'll definitely look into that (later)! And many, many thanks for YOUR patience & your help! :wave
     
  18. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    A direct quote from the READ & RUN ME at the very beginning:
    This really means what it states.

    Since your logs were previously clean, yes this could be a valid alert from Windows Security Center. However it is also possible that you have reinfected the PC. The only way to know for sure would be to see new logs from new scans.

    See if you can uninstall ALL of Adobe. Try safe mode if having problems.

    If this were the problem you would be getting notices about registry keys marked for deletion.

    Run all new logs if possible; however, since ComboFix was locking up your PC (actually it could be McAfee that is the reason), don't run ComboFix. It may be a good idea to even remove McAfee for now since it could be causing problems.
     
  19. mfhadmin2

    mfhadmin2 Private E-2

    The rest of the logs are here:
    RootRepeal error log & scan log attached;
    MGlogs attached.

    Thanks so much for your help! :wave
     


  20. mfhadmin2

    mfhadmin2 Private E-2

    OK, things seem to be better because I didn't lose control of the PC when I rebooted after the final scan! I have only seen one potential problem: MBAM had its protection mode disabled automatically at some point during this process. I haven't verified it is true because I don't want to screw anything up. I'll wait this time!

    Here's what I did. Before running the processes, I uninstalled all of Adobe:
    • Adobe Reader 8.0
    • Adobe Shockwave Player
    • Adobe Photoshop elements 6.0
    • Adobe Flash Player10 Plugin
    • Adobe Flash Player 10 Activex
    • Spelling Dictionary Support for Adobe Reader 8

    For the scans, I had to run the PC in safe boot mode because I couldn't get the Normal Startup Mode to work in Step 4.
    I then verified McAfee was not running by checking Task Manager before I got started.

    SAS
    Found nothing; log attached.
    MBAM
    Found nothing; log attached.
    ComboFix
    Did not run ComboFix per your advice.
    RootRepeal
    (verified McAfee, SAS & MBAM were not enabled before running)
    • Received "error - invalid PE image found" when executed (error log attached in other part of this post sent a few minutes ago)
    • Scan found nothing; RRlog attached in other part of this post sent a few minutes ago.
    MGtools
    Didn't receive any of the five Possible Error Messages listed; results attached in other part of this post sent a few minutes ago.

    Thanks again for your help. :wave
     


  21. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Your logs are clean but you have one more Adobe entry to cleanup.

    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O4 - HKCU\..\Run: [AdobeUpdater] "C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe"

    After clicking Fix, exit HJT.


    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources ( except a little disk space ) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /uninstall
        • Notes: The space between the combofix" and the /uninstall, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
    3. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    4. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    5. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    6. Go to add/remove programs and uninstall HijackThis.
    7. Goto the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    8. If you are running Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures pointed to by step 6 of the READ ME for your Window version and see the instructions to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    9. After doing the above, you should work thru the below link:
     
  22. mfhadmin2

    mfhadmin2 Private E-2

    Thanks for the instructions! I think I'm cursed--it's back to the hijacked status this morning.

    I followed your instructions to remove the last Adobe file. All seemed to be functioning well, so I continued to your cleanup procedures.

    The only problem I had was when removing ComboFix, I received the same warning I received before; that McAfee & Norton operations were running which would cause problems. Turned off McAfee & checked Task Manager to verify nothing was running. It gave a second warning that Norton was still there but continued.

    I went on to do the Disable and Enable System Restore procedure per instructions successfully.

    I rebooted again, then continued with your How to Protect procedures. I kept MBAM as the real-time protector. I didn't uninstall SAS, but changed all the settings so it never updated or ran except by manual request.

    I downloaded SpyBot-Search & Destroy and SpyWareBlaster. I had to turn off McAfee temporarily to allow them to update.

    I immunized & ran SpyBot-Search & Destroy & left to complete overnight. I left McAfee off during this process to avoid any problems, so I disconnected my internet cable to avoid any exploits during this time.

    This morning it reported one finding, Virtumonde.sdn: [SBI $70056CE6], which was removed.

    I re-established the internet connection, then rebooted. I got the hijacked PC again. CTL+ALT+DEL only gave the familiar gray screen. So I had to do a cold restart holding down the power key. I entered SAFE MODE WITH NETWORKING, so I could send this response.

    I saw no merit in downloading all the tools & running all the scans in READ & RUN ME until I reported to you what I found. So I'm attaching the SpyBot-Search & Destroy log.

    I wonder if SAS was part of my problem all along. It had not reported any findings in ages, & every time I do anything to it (like I did last night to change settings to run only on demand) I get my problem again.

    Or maybe the problem has to do with McAfee running in the background & interfering with things, ComboFix in particular. What can I do besides checking Task Manager to see if McAfee is really running? This is driving me crazy; & to make matters worse, I now have a very similar problem with my laptop computer, which I will post separately as soon as I can find a way to get the logs off it. I had the same McAfee-ComboFix issue there too.

    Thanks for your help, I look forward to hearing back from you. :wave
     

    Attached Files:

  23. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    First, you should not use the word hijacked, since that means something totally different to everyone doing malware removal. Next, since your problems are not due to malware (we only removed non-malware items, and what Spybot found was an insignificant leftover folder), I suggest that you try the below in the order given:
    1. 100% uninstall of all (yes, ALL, especially McAfee) of your protection software, reboot and see where things stand.
    2. If still having a problem, reinstall.
     
  24. mfhadmin2

    mfhadmin2 Private E-2

    OK, thanks for the direction! I'll remove everything as you said & let you know.

    I'm hoping I don't get a problem uninstalling ComboFix. It seems to always think the Norton artifact is present, & thinks McAfee is running when I've turned it off. I guess I will remove McAfee before uninstalling ComboFix.

    Is there a certain order I should re-install if I have problems?

    Thanks again for all your help! Oh, & I do apologize for the misnomer re: hijack. I didn't mean to create confusion, I just don't know any better! I was trying to be descriptive of the loss of PC control.

    Many thanks!
     
  25. mfhadmin2

    mfhadmin2 Private E-2

    OK, I've successfully removed everything except one stubborn McAfee file (McAfee Agent). Every time I tried to uninstall it from the Control Panel, I got a dialogue box saying it couldn't be removed because "other programs are still using it", followed by a dialogue box saying there was a "fatal installation error."

    I also removed every tool I've used from the READ & RUN ME, including SAS & MBAM (wasn't sure if all the tools should go too, but I did it).

    I was afraid to use the internet without any AV protection to make this reply, so I downloaded AVIRA AntiVir Personal Edition & have it running for now. I'll remove it if you recommend. I accepted all the default values, which included some anti-spyware scanning. If I need to leave this program on, I'm sure I'll need to de-select some of those things if MBAM is added back on.

    Things are working OK so far. Thanks much for your help, & please let me know if it's OK to put CCleaner & MBAM back on (& anything else you recommend).

    Bye! :wave
     
  26. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Had you tried uninstalling all of the below?
    McAfee Agent
    McAfee AntiSpyware Enterprise Module
    McAfee VirusScan Enterprise

    Try running the below, but I'm not sure if it works on the Enterprise version:

    McAfee Consumer Product Removal Tool

    Or also see the below instructions:
    https://kc.mcafee.com/corporate/index?page=content&id=KB65863
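    The question earlier in the thread was how to confirm, other than by eyeballing Task Manager, whether McAfee components are still installed or still running while an uninstall (McAfee Agent here) keeps failing with "other programs are still using it". The script below is an added example, not something posted in this thread or shipped by McAfee or MajorGeeks. It assumes Windows PowerShell run from an elevated prompt and matches components simply on the substring "McAfee" in the same registry keys Add/Remove Programs reads, in the service table, and in the process list; on a 32-bit XP box the Wow6432Node path simply yields nothing.

```powershell
# Added example (not from the thread): inventory McAfee components that are
# still installed, registered as services, or running, so a stuck uninstall
# can be confirmed rather than guessed at from Task Manager alone.
# Assumptions: Windows PowerShell, elevated prompt, vendor matched by the
# substring "McAfee" only (the $pattern variable is ours, not a McAfee value).

$pattern = 'McAfee'

# 1. Installed products, from the Uninstall keys that Add/Remove Programs lists.
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
$installed = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -match $pattern } |
    Select-Object DisplayName, DisplayVersion, UninstallString

# 2. Services (running or stopped) whose name, display name or binary path
#    mentions the vendor. A service left in "Running" state is the usual reason
#    an MSI uninstall reports that other programs are still using the product.
$services = Get-WmiObject -Class Win32_Service |
    Where-Object {
        $_.Name -match $pattern -or
        $_.DisplayName -match $pattern -or
        $_.PathName -match $pattern
    } |
    Select-Object Name, State, StartMode, PathName

# 3. Processes currently executing. Path can be $null for protected processes,
#    so the process name is checked as well.
$processes = Get-Process |
    Where-Object { $_.ProcessName -match $pattern -or $_.Path -match $pattern } |
    Select-Object ProcessName, Id, Path

"== Installed products matching '$pattern' =="
$installed | Format-Table -AutoSize
"== Services matching '$pattern' =="
$services  | Format-Table -AutoSize
"== Running processes matching '$pattern' =="
$processes | Format-Table -AutoSize
```

    Run it once before attempting the uninstall and once after the reboot that follows it: an empty list in all three sections is the confirmation that the product really is gone, while a lingering "Running" service in the second section is the thing to stop (or to remove with the vendor's removal tool linked above) before retrying Add/Remove Programs.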
     
  27. mfhadmin2

    mfhadmin2 Private E-2

    Thanks very much for the response!

    Yes, I did try to remove all three McAfee items, but only successfully removed two of them: McAfee AntiSpyware Enterprise Module & McAfee VirusScan Enterprise. I couldn't remove McAfee Agent.

    I'll try your suggestions for removing McAfee Agent & let you know.

    Thank you! :wave
     
  28. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome. Let us know if you succeed.
     
