AVG scan and HJT scanlog

Discussion in 'Malware Help (A Specialist Will Reply)' started by sagacious123, Mar 28, 2007.

  1. sagacious123

    sagacious123 Private E-2

    Never been this invaded before help please

    I am looking for support for my Dell laptop Inspiron 8500 running XP Home SP2, which was recently hit with malware that shut down my ZoneAlarm and Antivir AV and proceeded to shut down parts of my computer. I have fought back some, but am pretty sure the malware is still there. I was forced to uninstall Antivir and install a 30-day Kaspersky trial (now expired), and I installed all the recommended software and have been running it and will post the logs. Of note are two things. When I try and run HijackThis in normal startup mode, the computer crashes with the following message on the blue screen: "Stop: 0X0000008E (0XC0000005,0X8059E7A5,0XF0C788DC,0X00000000)".
    In safe mode I can run HijackThis. Also, CounterSpy (now expired) immediately displays a message that an invader is trying to subvert IE pages, with the following details:
    Full path: unknown
    Registry key:
    hklm/software/microsoft/systemcertificates/spc/certificates/ae6dc9b43353ec4744f229002f493aa366ce24d/blob
    registry value = blob
    I was only able to run shownew.bat and getrun.bat in safe mode (logs attached); in normal mode the screens were empty.
    Both the scans for Panda software and CounterSpy were improperly sized in safe mode to be able to get to the buttons necessary to produce logs, though neither of those scans found anything anyway. I am attaching here the BitDefender scan, the AVG A-S scan, the ShowNew and GetRunKey logs, and the HijackThis log from safe mode. If it is helpful, I kept reports from the initial Antivir crash, as well as some of the changes Kaspersky was logging while the malware tried to hijack the computer through Windows Explorer.
    After all of these explanations ...THANKS, really, for any help. It will be MUCH appreciated.
     


  2. sagacious123

    sagacious123 Private E-2

    Here are the other two scanlogs
    MANY THANKS
     


  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Major Geeks!

    Your logs don't really show any major malware problems. You just have a few minor things to do. If you are still having problems, they may not be due to malware.

    Delete the below two files from Kazaa which is bundled with malware:
    C:\Documents and Settings\sage\My Documents\klite172e.exe
    C:\Documents and Settings\sage\Start Menu\Programs\kmd202gu_en.exe


    Now uninstall the Sunbelt CounterSpy trial since we are finished with it now! Then delete the below two folders which may be left behind by the uninstall:
    C:\Documents and Settings\All Users\Application Data\Sunbelt Software
    C:\Program Files\Sunbelt Software


    Do you know what the below folder is for? If not, delete it!
    C:\Program Files\yjakzis


    Also download HOSTER and then follow the below steps.
    • Unzip Hoster to a convenient folder such as C:\Hoster
    • Run Hoster.exe, click Restore Microsoft's Hosts File and then click OK.
    • Click the X to exit the program
    Other than the above, I see no other issues based upon the logs you provided.
     
  4. sagacious123

    sagacious123 Private E-2

    Thanks chaslang!

    It sounds like very good news. All recommended steps completed. I am just wondering why I still cannot get HijackThis to work in normal startup mode (still crashes)? For such an important diagnostic tool, this worries me....
    Glad the logs are basically clean. Maybe the many scans over time took care of the problem.......
    I also forgot to mention that I cannot get through an AVG Anti-Spyware scan in normal startup mode -- I do notice that during the scan (unlike with HijackThis however) that the fan comes on, and then it kicks into second gear (but not full gear). But this program is the only thing that elicits this behaviour, and other processes make the fan run, and it doesn't crash the computer.... Any experience with these symptoms?
    I REALLY thank you for your help!
     
  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I'm not sure but it sounds more like a software conflict. Try renaming the HiJackThis_v2.exe to analyse.exe as requested. Then also try downloading HijackThis from the link in the READ ME and using that version which is version 1.99.1. Also make sure you rename the executable.

    Does it work?

    If not, try shutting down ALL of your protection software before running a scan. Unplug your cable to the internet before disabling your protection software.


    No, but most scanners can be very CPU & disk intensive, which can cause your fan to kick in. You may have hardware problems, software conflicts, registry corruption, or some other kind of problem preventing the scan from completing.

    To be on the safe side, let's check for rootkits, although I'm not expecting to find any.

    Please download Blacklight Beta
    • Download blbeta.exe and save it to the Desktop.
    • Once saved... double click blbeta.exe to install the program.
    • Click accept agreement and Click scan
      This app too may fire off a warning from antivirus. Let the driver load.
      Wait for it to finish.
    • If it displays any items...don't do anything with them yet. Just hit exit (close)
    • It will drop a log on Desktop that starts with fsbl....big number
    Please attach the BlackLight log.
     
  6. sagacious123

    sagacious123 Private E-2

    Thanks chaslang, for helping to dig a little deeper!
    Though not much came of it.....
    Tried all of your recommendations for HijackThis and ended up downloading the HJT from the readme as suggested and followed the instructions to the letter, but still crashing. Nice suggestion about stopping the protection software, and oddly when I went to shut down all of them in the task manager it would not let me completely close Spyware Terminator. Upon reflection, it was right around when I downloaded and installed Spyware Terminator that HijackThis no longer functioned in normal startup mode (it still works in safe mode)... by the way, is there a difference in the scan results if it is done in normal mode vs safe mode?
    Maybe this is the potential software conflict you may have foreseen......?
    As for the blacklight scan, nothing was detected as you predicted (scanlog still attached anyway)
    I guess I'm going to re-install all of the crashed software (Nero, ZoneAlarm, AVG) and assume it's safe to proceed, unless you have any last words. I haven't been connected to the internet for fear of further hijacking for a long while now. I guess I'll let you know if anything seems further out of sorts when I do (other than HJT and AVG Anti-Spyware).
    I can't begin to thank you for taking the time to help me!
     


  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Then try uninstalling Spyware Terminator and other tools too, to see if they are causing the problems.

    Yes!!

    Still looks like it to me. The main reason I wanted to run BlackLight is to look for a rootkit infection. Rustock rootkits can sometimes cause crashes like this. If you continue to get stop errors, you may need to debug them in the Software Forum to locate the source of the problem. If it still turns out to be a malware problem, you can always come back to this thread with further info to continue to work the malware end. Just to be on the safe side, I would like to run one additional rootkit scanner (sometimes one scanner can miss things another may find). Give the below a run and post a log if anything is found:

    AVG Anti-Rootkit

    What I would suggest is
    • that you download all of the software and updates you need (do it on another PC if necessary and burn to CD).
    • Then uninstall ALL protection software on this PC.
    • Reboot after each item is uninstalled.
    • Double check after reboot to make sure it was truly and completely uninstalled by looking at your HJT log and at the uninstall programs list at the end of the ShowNew log, to see if the software is still listed.
    • Do not reinstall anything until all remnants have been removed from your PC.
    • Even delete their folders manually (if required) after uninstalling.
    • Then slowly reinstall your software and check along the way to see if you are running into any issues.
     
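    A way to do the "double check after reboot" step from the list above, as an added example that is not from this thread or from any of the tools it names: a PowerShell function, assumed to be run on the affected Windows PC, that looks for leftover entries in the Windows uninstall registry list (the same list ShowNew reports) and for leftover folders. The product names and folder paths in the usage call are taken from this thread; adjust them for your own system.

```powershell
# Added example (not from the thread): check whether a protection product is really gone
# after uninstall, before reinstalling anything. Names and paths below are assumptions
# taken from this thread; change them to match the software on your own PC.

function Test-LeftoverInstall {
    param(
        [Parameter(Mandatory = $true)] [string[]] $NamePatterns,  # substrings of DisplayName
        [string[]] $Folders = @()                                 # folders that should be gone
    )
    # Uninstall lists consulted by Add/Remove Programs (Wow6432Node exists only on 64-bit Windows)
    $uninstallKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall'
    )
    $findings = @()
    foreach ($key in $uninstallKeys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($sub in (Get-ChildItem $key)) {
            $props = Get-ItemProperty $sub.PSPath
            if (-not $props.DisplayName) { continue }
            foreach ($pat in $NamePatterns) {
                if ($props.DisplayName -like "*$pat*") {
                    $findings += New-Object PSObject -Property @{
                        Kind = 'UninstallEntry'; Item = $props.DisplayName; Where = $sub.PSPath }
                }
            }
        }
    }
    # Folders the uninstaller may leave behind (the thread names two for Sunbelt CounterSpy)
    foreach ($f in $Folders) {
        if (Test-Path $f) {
            $findings += New-Object PSObject -Property @{ Kind = 'Folder'; Item = $f; Where = $f }
        }
    }
    return ,$findings   # always return an array, even when empty
}

# Usage: names and folders from this thread (assumed; edit for your system)
$left = @(Test-LeftoverInstall -NamePatterns 'Sunbelt', 'Spyware Terminator', 'Kaspersky' `
    -Folders 'C:\Program Files\Sunbelt Software',
             'C:\Documents and Settings\All Users\Application Data\Sunbelt Software')
if ($left.Count -eq 0) { 'No leftovers found; safe to reinstall.' }
else { $left | Format-Table Kind, Item, Where -AutoSize }
```

    Run it again after each reboot in the uninstall sequence; only when it reports no leftovers has that product been completely removed.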
  8. sagacious123

    sagacious123 Private E-2

    Hello chaslang and so many thanks!
    I wanted to let you know that I followed your instructions to the letter and I am successfully using my computer in almost all old ways with no further sign of hijacking or any major problems. Except one thing which I will mention, and maybe that will lead to some kind of breakthrough... The only remaining issue that I have is that even when all the A-V and A-Spyware were reinstalled (and they all work much better now!), HijackThis still crashes during the registry check part, AVG A-S still crashes now, also during the registry scan part (but no longer makes the fan run at high speed, interestingly), and when I reinstalled Spybot and tried to back up the registry, the computer also crashed. What is up with the registry? The computer is working fine now, but two of my main tools are effectively disabled should I have any further infection (or some weird existing one that we can't figure out), because I can't complete a scan with either HJT or AVG A-S.... What might you suggest in such circumstances?
    You have effectively helped me get my computer entirely back on its feet and I am gloriously happy and for that I owe you many thanks. I'm just wondering about the last remaining glitch which only worries me, but doesn't stop me from enjoying my freedom renewed! Thanks to you!
    Any further suggestion is appreciated, if applicable....
    MANY thanks for everything!
    Sage
     
  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    It is quite possible that your registry is corrupted and is the cause of crashes. You may need to discuss this in the software forum. However, let me ask that you try two things!

    1. Download the current version of GetRunKey from the link in the READ ME and attach a new log.
    2. Download and use a-squared HiJackFree to produce a HijackThis log equivalent. Look at the bottom of the left window column and click on the Save logfile option. You will see an option for HJT compatible. Does it work?
     
