It all started with the secure32.html virus thingy... and now it's all downhill

Discussion in 'Malware Help (A Specialist Will Reply)' started by GermWarfare, Jan 13, 2007.

  1. GermWarfare

    GermWarfare Private E-2

    Hello:

    I apparently got some trojan/virus/something which was causing Internet Explorer to automatically place secure32.html as the startup page. The problem I was getting with this was that when I would try to start IE, the window would just automatically close.

    Sorry if this message is a little chaotic, but I'm basically writing this as I do things (keep in mind that I am having to do everything by using the internet on a notebook computer and transferring downloads back and forth with a USB flash drive):

    Norton Antivirus had noticed something, and a file was deleted (I believe it was autosys.exe?)

    Anyway, I then updated definitions and ran full scans with Norton Antivirus (10.0.2.2001 - I think it's an enterprise edition) and Windows Defender, but nothing else came up.

    I ran HijackThis and ran my log file through http://www.hijackthis.de/en# and I removed some registry listings which seemed to be related.

    I have also restarted my computer multiple times and tried some google searches for more info.

    After all this, I am now able to set my default Internet Explorer page fine; but I still have the problem of Internet Explorer closing within a few seconds of when I load it.

    I ran my new HijackThis log file through the automatic service I listed above, but nothing new came up.

    I started going through the steps on http://forums.majorgeeks.com/showthread.php?t=35407

    I emptied my Recycle Bin.

    I ran CCleaner - there is no log file, but I ran the default settings and chose to clean everything. I then used CCleaner to look through all the applications installed; I did not see anything new or suspicious.

    My wife got on my computer this morning not knowing what was going on and noticed that when she logs out of my account and into hers, Internet Explorer seems to work fine on her account.

    I logged out of her account (there are two accounts on the computer) and logged back into my account:

    I noticed that Norton Antivirus had found and deleted "Trojan.Galapoper.A" on an automatic scan overnight. I did something minimal like opening Norton Antivirus and checking some things, and then I noticed that applications wouldn't open and things seemed to hang severely. I was forced to do a soft reset of the computer. This seemed to fix things.

    I installed and ran SpyBot-Search & Destroy Tools 1.4:
    - I created a registry backup
    - I ran the Immunize this thing on the startup wizard
    - I searched for updates; chose all the updates and downloaded them
    - I have not done a scan yet at this point

    I installed and ran CounterSpy 1.5.82:
    - I enabled automatic updates on the startup wizard
    - I enabled active protection
    - I joined ThreatNet
    - The update ran automatically (update definitions from version 255 to 481), but it keeps seeming to hang; I tried 3 times but kept having to close the app.
    - I have not done a scan yet at this point

    - I ran GetRunKey and have attached the runkeys.txt file to this forum message.
    - I ran ShowNew but I didn't save the newfiles.txt file to my flash drive, so I don't have it to attach.

    I tried to boot into safe mode with instructions at http://service1.symantec.com/SUPPOR...2001052409420406?OpenDocument&src=sec_doc_nam However, every time I choose "Safe Mode" on startup, I get a string of a bunch of text (goes by too fast for me to read), the computer restarts again, and I get the startup screen to choose safe mode vs. normal mode again. When I choose normal mode, I get a blip of the loading Windows logo, but then the computer restarts again... I keep getting the same thing over and over again.

    I could not run any web based antivirus programs since I cannot get Internet Explorer to work under any circumstances.

    I checked http://forums.majorgeeks.com/showthread.php?t=74501 but I don't see that any of the listings apply to my situation?

    Any help please? Now, I'm totally stuck... The only thing I can think of is installing a new hard disk to reinstall a new OS and try to recover all my data from my disks.

    Thanks!!!!!!!!!!!!!!
     

    Attached Files:

  2. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    If you are able to run IE from her account, please try to do the online scans and attach the logs ....do as many as you can and all of the other scans as per the Read and Run First instructions.
     
  3. GermWarfare

    GermWarfare Private E-2

    Let me mention that this issue of now being stuck not being able to load Windows dates back to a previous problem that occurred probably 6 months ago, and I just cannot remember what that problem was or how I came to fix it. Basically, I had tried to go into SAFEMODE to fix a problem at that time, but I developed this problem with getting stuck in a loop - I changed something in MSCONFIG and then this problem stopped occurring; but now it's been so long, I've totally forgotten any details or how I was able to get out of the loop in the first place to make the change in MSCONFIG.

    Sorry that this probably doesn't make sense. I'll go pick up a new hard disk later today unless someone has a nice solution with the information I've given so far :) Thanks!
     
  4. GermWarfare

    GermWarfare Private E-2

    Problem is, now I cannot start my computer at all. It's kinda hard for me to describe, but when I start my computer, I get the screen to go into Safe Mode, but when I choose ANY option, the computer just restarts and then I'm back at that screen - it's a loop.

    However, if I could get out of this, then you make a good point and I'll do that. Thanks!
     
    Last edited: Jan 13, 2007
  5. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    You could get a new hard drive and slave the existing one to preserve your data ....though it would be best to run the scans asap....
    If your registry was corrupted by the virus, you may have to do that ...otherwise, you could also try a repair install:
    Repairing Windows XP in Eight Commands
    http://www.short-media.com/review.php?r=313

    Wordy xp repair install:
    http://www.informationweek.com/windows/showArticle.jhtml?articleID=189400897

    If you choose a repair ...you will still have the nasties, though it may buy you enough time to run the scans.
     
  6. GermWarfare

    GermWarfare Private E-2

  7. GermWarfare

    GermWarfare Private E-2

    I tried the first option to repair at www.short-media.com, but this did not give me any option to choose a Windows installation; weird. And, when I try going through the steps of that tutorial, I just get errors. Furthermore, when in the recovery console, when I type C:\>dir, I receive "An error occurred during directory enumeration." - basically, I can't do anything.

    So, I tried the second option at www.informationweek.com, but when I get to screen 7 (http://www.informationweek.com/1094/langa07.jhtml;jsessionid=ZACDPKRIZ2CLYQSNDLOSKH0CJUNN2JVN); I don't receive a screen asking which install of Windows to repair - rather, I get the screen of my hard disks asking which disk to install XP, create a partition, or to delete a partition........................

    wait a minute............ I just remembered that my C: drive is a SATA RAID and that windows requires you to do the F6 loading of the drivers thing.......... dumb windows.....

    I am continuing to post this thought in case anyone else "forgets" about this and might find this reference in the future :)
     
  8. GermWarfare

    GermWarfare Private E-2

    OK, there was a slight problem trying the 8 step process, so I did the full Windows XP recovery from the install disk from the second option listed.

    I'll mention that things are a little weird, I think because my install disk is Windows XP + SP1 and so there are some errors that come up; I think because of lacking SP2 features now. I had tried to go to update.microsoft.com to install SP2, but the website kept hanging, so I decided to just continue with the diagnostic process that I was trying to do per the MajorGeeks forum post...

    After recovering Windows, I unplugged my network cable and entered safe mode:

    • I ran CCleaner with the default settings and then ran the cleaner
    • I ran SpyBot with the default settings
      • The only problem found was "Alexa Related" Link C:\WINDOWS\Web\related.htm which I fixed
    • I ran CounterSpy with the default settings
      • Detected: The Trojan RAT
      • Detected: Trojan.Snatch Trojan
      • Detected: webHancer Adware (General)
      • Detected: Weatherbug Low Risk Adware (32 objects)
      • I removed all 4 of these items
    • I haven't seen this mentioned anywhere, but I notice a bunch of stuff in C:\RECYCLER, D:\RECYCLER, etc. This makes me concerned because I had emptied the Recycle Bin in normal mode, so I just deleted all this stuff

    I restarted, loaded Safe Mode with Network Support, and plugged my network cable back in.

    • I ran BitDefender
      • 1.5 hours of scanning ... and I get some blue screen and the computer resets :( I will repeat this scan later, but I want to move on as it was about 90% done anyway, so sorry, but no log file for right now
      • Infections found: Trojan.PWS.Sinowal.I, Trojan.Downloader.Agent.ADR, Trojan.Downloader.Zlob.AHZ, DeepScan:Generic.Malware.FPg.E9CE9C74, Generic.Malware.SFM!PHYd@mmignPkg.05700EE3, DeepScan:Generic.Mydoom.36921714, DeepScan.Generic.Malware.FPg.E9CE9C74
      • BitDefender deleted all these items

    I resumed Normal Mode.

    • I ran Panda ActiveScan
      • Spyware: 36 detected - looks like just cookies on one of the accounts, which I did not delete
      • So, I guess I have to pay to use this PandaScan disinfecting utility? I just want to make sure that all I'm supposed to do is post the log file

    While running Panda ActiveScan, Norton Antivirus Auto-Protect found Infostealer - as best I can tell, Norton Antivirus did not completely remove this; I'll be working on this.

    • Ran getrunkey.bat and attached runkeys.txt
    • Ran shownew.bat and attached newfiles.txt
    • Ran HijackThis and attached hijackthislog.txt

    I checked the Special Removal Procedures and did not see anything that seemed to match anything I've found here.

    Sorry that I left a couple things out, but I've spent all day on this and just wanted to at least submit this forum post that I've been saving.

    • I downloaded Windows XP SP2 since I could not get Windows Update to load

    What I am going to do overnight is go back to Safe Mode after fully updating windows and re-running all these cleaning applications.

    Any more thoughts?

    I thank you for your help with this problem; I hope it's obvious that I've spent a considerable amount of time to try fixing this. Anyway, let all the kiddies know, "Warez is bad guys... warez is bad..." LOL!
     

    Attached Files:

  9. GermWarfare

    GermWarfare Private E-2

    more log files.

    Also, any suggestions for where to download Windows XP SP2? The source I listed in the previous post - it was corrupted. I'm now downloading from here.

    Thanks!
     

    Attached Files:

    Last edited: Jan 13, 2007
  10. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Please do not ...I repeat ...do not try to install SP2 while your system is infected...you will be in a bigger heap of trouble ...have patience and we will get you clean.
     
  11. GermWarfare

    GermWarfare Private E-2

    ... oops... sorry, did that an hour ago now.

    I just finished with all the updates as well. As far as I can tell, things seem to be working ok.

    I'm gonna continue with doing new scans. But I won't do anything "active" until I hear back. Thanks so much for your assistance.
     
  12. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    GermWarfare,

    From this point please do not run anything without one of us requesting it. In order for us to help you with this problem, you must help us first.

    I have read in your previous post of some things you have performed, at this point what problems are you having?

    Also, if you're still having malware issues then attach for me a fresh HJT log, ShowNew log and GetRunKey log.
     
  13. GermWarfare

    GermWarfare Private E-2

    Gotcha.

    At the moment, I'm not noticing any problems. Do you want new logs anyway?

    Thanks a bunch!
     
  14. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    If you're not having any problems, just attach a HJT log so we can briefly look thru it.
     
  15. GermWarfare

    GermWarfare Private E-2

    Here ya go. Thanks!
     

    Attached Files:

  16. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Looks good, however I would fix the "O15 - Trusted Zone" entries simply because it's not safe to have trusted entries. It's up to you but I would remove them.
     
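    As an added illustration (not code from the thread or from HijackThis), the review step above can be automated: parse a constructed HijackThis-style log, flag R0/R1 entries whose start or search page points at a local file such as secure32.html, and report every O15 Trusted Zone site that is not on an explicit allow list (the allow list and the sample log lines are hypothetical).

```python
import re

# Constructed HijackThis-style log lines for illustration; not the thread's attachments.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = C:\WINDOWS\secure32.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
O4 - HKLM\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O15 - Trusted Zone: *.example-work.com
O15 - Trusted Zone: http://update.example.com
"""

# Every HijackThis line starts with a section code such as R0, O4 or O15.
LINE_RE = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.*)$")
# A Windows drive-letter path, i.e. a page served from the local disk rather than the web.
LOCAL_PATH_RE = re.compile(r"^[A-Za-z]:\\")


def parse_hjt(text):
    """Return (section_code, body) pairs for every well-formed log line."""
    entries = []
    for raw in text.splitlines():
        match = LINE_RE.match(raw.strip())
        if match:
            entries.append((match.group("code"), match.group("body")))
    return entries


def triage(text, allowed_trusted=frozenset()):
    """Return (code, body, reason) tuples for entries a reviewer should question.

    allowed_trusted is a hypothetical allow list of O15 sites the owner added
    knowingly; every other Trusted Zone site is reported, because that zone
    relaxes IE's security settings for the site.
    """
    findings = []
    for code, body in parse_hjt(text):
        if code in ("R0", "R1"):
            value = body.split(" = ", 1)[-1].strip()
            if "secure32.html" in value.lower() or LOCAL_PATH_RE.match(value):
                findings.append((code, body, "IE page setting points at a local file"))
        elif code == "O15":
            site = body.split(":", 1)[-1].strip()
            if site not in allowed_trusted:
                findings.append((code, body, "Trusted Zone entry not on the allow list"))
    return findings
```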
  17. GermWarfare

    GermWarfare Private E-2

    kk, I removed a couple, the rest are either sites I personally run, or related to my work. I hope I can trust those!

    So, OK to go about my business now unless a problem comes up?

    Thank you very much :)
     
  18. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

