Help! Confusing issues going on...

Discussion in 'Malware Help (A Specialist Will Reply)' started by PunyN00b, Aug 23, 2010.

  1. PunyN00b

    PunyN00b Private E-2

    Not sure exactly what the deal is, but I'm pretty sure it's a Trojan and possibly some other stuff going on too.

    Issues started about a week ago or so. I was checking my Facebook, clicked on one of my friends profiles, and all of a sudden got bombarded with "Your machine is infected! Scan now! blah blah blah" prompts. Tried closing out the page, it just kept coming up and wouldn't let me close. I killed the browser, updated my virus/spyware definitions, shut off the modem and ran a scan. Found nothing. Virus/spyware program I am running is Microsoft Security Essentials (I'm beginning to figure out that this program is absolutely worthless). I was running Trend Micro, but didn't have the money to renew my subscription when it was time so I tried finding something free. Somebody suggested MSE, I went with it, and I now regret it because it has left my machine completely vulnerable it seems. Anyway, the problem seemed to go away or at least stay at bay for a couple of days.

    Then, a few days ago I log into my computer (both user accounts) and it says that a problem has caused Windows Explorer to stop working. I bring up the Task Manager, update and run MSE again and it finds nothing. I open my internet browser via the task manager and I can't pull up any web pages. Basically whatever it is has crashed Windows and killed my internet connection on that machine. It didn't wipe out the hard drive or anything (yet), all my files seem to be intact, Windows Explorer just won't engage and that seems to be causing a lot of problems.

    I read through the Read Me First post, and I really want to try that stuff, but I'm not exactly sure how because that computer won't let me connect to the internet. That particular computer is the one that all the home network stuff is hooked up and configured through (modem/wireless router/etc...) The internet is working fine on this laptop though. Also, that computer has an external hard drive. I am wondering if I can install the things recommended in the Read Me post to the external via this computer, hook it back up to that machine, access it via Task Manager and run the scans that way or if I need to go about things in a different way. Operating system is Vista.

    Any help would be appreciated.
     
    Last edited: Aug 23, 2010
  2. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Yes, get the tools needed onto the sick computer however you can. Post back when you have logs and we can make a start. :)
     
  3. PunyN00b

    PunyN00b Private E-2

    Alright, downloading to external now. One thing I should also mention is that I won't be able to manually uninstall any programs because the machine won't populate the list when I pull up Add/Remove Programs in the Control Panel for some reason. Unless there is another way then I'll just have to run whatever scans I can. I'll report back with logs once I get done running the scans.
     
  4. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Okay, I'll be here waiting.
     
  5. PunyN00b

    PunyN00b Private E-2

    Alright, another snag. I don't think I'll be able to disable User Account Control either, because when I open up Control Panel it doesn't show me all of the options in that folder and won't let me access the Users folder. Is there another way for me to access this? I don't want to skip anything before I start scanning.
     
  6. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    View by category > user accounts and family safety

    Do you see that?

    • If not, then try this:
    • Go to start > type in "cmd"
    • Click on cmd.exe > and paste in the following:

    After you enable or disable UAC, you will have to reboot your computer for the changes to take effect.

    Then to re-enable (once we have totally finished), same procedure except paste this in:

    You should receive a success message saying: "The operation completed successfully"
     
  7. PunyN00b

    PunyN00b Private E-2

    There we go, Command Prompt is the back door I was looking for but couldn't figure out the commands, thanks. I have a feeling this won't be the only time I need to use this tactic. Should be able to move forward now, I think. I'll get back to you in a little bit with some results hopefully.
     
  8. PunyN00b

    PunyN00b Private E-2

    Or not...

    Didn't show up when I viewed by category, and the command didn't work either. When I type in the command it says "ERROR: Access is denied." I've double checked it 3 or 4 times now and I'm typing it in right. Anything else I could try?
     
  9. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

  10. PunyN00b

    PunyN00b Private E-2

    I'm not too scared by regedit as long as I know what I'm looking for. Actually though, I've managed to finagle my way through it and I was able to get everything set up the way the Read Me said. Here's where I'm at so far:

    1. I couldn't figure out a way to disable UAC or show hidden files without Explorer, so I just went ahead and scanned with SUPERAntiSpyware. It found at least one Trojan, so I cleaned it and restarted. The system then booted up normally.
    2. I went into the control panel, disabled UAC, and it prompted me to restart. Once I restarted nothing at all worked, and I couldn't even pull up the task manager. So I rebooted in safe mode with networking.
    3. I then ran Malwarebytes and it found another dozen or so items, so I cleaned it and tried to reboot in normal mode. Still wouldn't let me so I went back to safe mode.
    4. I ran ComboFix, which found quite a few more items, and when it was done it let me reboot in normal mode. From there I was able to get my Windows Defender, Firewall, and Anti Virus software shut off and my hidden files shown. I was also able to populate my "Programs and Features" list in the Control Panel to see if any of the aforementioned programs in the Read Me were installed, and they were not. Everything else in the Read Me (Normal Startup from MSConfig, CCleaner, DeFogger) had already been executed.
    5. Right now RootRepeal is scanning (VERY slowly) so I'm just waiting to see what happens once that's done.

    Hopefully it won't be too much longer and I can get MGtools going so I can send over some logs for you. Hopefully doing things kind of out of order like that didn't mess up the process but I didn't know what else to do. If it did just let me know and I'll start over. Everything is set up how it's supposed to be now though, and I can at least use Windows Explorer at the moment.

    Thanks for your assistance by the way, this stuff drives me nuts.
     
  11. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    OK, just attach all of the requested logs once ready (forget rootrepeal if it takes too long, it only has a 50-50 chance of running anyway)

    I'll be here waiting. :)
     
  12. PunyN00b

    PunyN00b Private E-2

    Alright in that case I'm going to skip it then. It's been scanning the C:\ drive for probably 5 hours now and it doesn't seem to be getting anywhere. It's found a list of files, but it seems like it's just kind of jumping all over the place in the drive and not following any sort of sequence with the scan. Like maybe it's caught in a loop or something. Anyway, moving on.
     
  13. PunyN00b

    PunyN00b Private E-2

    Alright, finally something tangible for you. Here are the logs. I was able to run everything except RootRepeal. Windows Explorer is back up and running, the machine doesn't seem to be lagging or anything, internet is working, everything seems to be fine. I'm not going to change anything back until I get confirmation from you that everything is alright though. I'm just going to shut it off for now and leave it alone to be safe. So here you go, do your worst!

    Also thanks again to you and everybody else involved with this site, you've been a big help. Quite a find I've stumbled upon here, I can't thank you enough.
     

    Attached Files:

  14. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Can you access Uninstall a Program now to get rid of old Java?

    • Java(TM) 6 Update 11
    • Java(TM) 6 Update 3

    (If so then be sure to install the new version which I will link to further on down)


    Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    After clicking Fix exit HJT.


    Please go to Jotti's malware scan

    (If more than one file needs to be scanned they must be done separately and logs posted for each one)
    • Copy the file path in the below Code box:
      Code:
      c:\users\Evans\AppData\Roaming\sh4.dat
    • At the upload site, click the browse button.
    • Use Windows Explorer to navigate to the file(s) we need scanned and click "submit file"
    • Your file will possibly be entered into a queue which normally takes less than a minute to clear.
    • This will perform a scan across multiple different virus scanning engines.
    • Important: Wait for all of the scanning engines to complete.
    • Once the scan is finished, Copy and then Paste the link in the address bar into your next reply.

    Then do the same for the below files and also let me know the results:

    Code:
    c:\users\Evans\AppData\Roaming\sh3.dat
    C:\WINDOWS\System32\perfwiz.dll
    Could you please get this: perfwiz.dll into a zipped file and attach it for me in your next post? To do this, see the below:

    Please go to start > Run and paste in the following:


    log retrievable @ C:\collect.zip

    Now we need to use ComboFix
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    • If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
    • Open Notepad and copy/paste the text in the below quote box. Ensure you scroll down to select ALL the lines:
    Code:
    KILLALL::
    
    DirLook::
    C:\Users\deana and roy\Desktop\%APPDA~1
    C:\0
    
    Folder::
    c:\users\Evans\AppData\Roaming\Wireshark Antivirus
    
    Registry::
    [-HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    [-HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4EFB-9B51-7695ECA05670}]
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4EFB-9B51-7695ECA05670}\NoExplorer]
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5C255C8A-E604-49b4-9D64-90988571CECB}]
    
    RegLock::
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe

      http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below

    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    Run Ccleaner!

    Reboot your machine and install the most current and up to date version of Java available here at the below link:

    Java Runtime 6

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this. Also do not forget the results from Jotti and the collect.zip.
     
  15. PunyN00b

    PunyN00b Private E-2

    Alright, I think I've done everything you've asked. Logs/files attached.

    Here's the links for the files you had me check.

    sh4.dat scan
    http://virusscan.jotti.org/en/scanresult/6a036a92febbdd338e9d13ff638755686a3b086a

    sh3.dat scan
    http://virusscan.jotti.org/en/scanresult/a03b72317bbdcd378616bf5712ba540f92521a3d

    perfwiz.dll scan
    http://virusscan.jotti.org/en/scanresult/70958755ba0f8b9c9810ecb6cb3681b8aaf54ce5

    The first two came back clean. On the third one, all but one scanner came back clean.

    Also, everything seems to be working except that I can't get my Windows Defender to turn back on. It's giving me "error: 0x800106ba" and saying that a problem has caused this program to stop working. Other than that everything seems okay. I turned back on my Anti Virus and Firewall but haven't re-enabled UAC, reversed DeFogger or anything else yet. I will wait for your okay.

    Thanks!
     

    Attached Files:

  16. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Before we continue I would like for you to use MSConfig to put this machine back into normal start up mode

    This is something that you will have to resolve in the software forum I'm afraid.

    After examining the above file for myself I see it relates to Image-Line bvba. Does this sound familiar to you? If not then let's get a second opinion with a different online scanner

    Let me know the results!
     
  17. PunyN00b

    PunyN00b Private E-2

  18. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Hmm, not to be confused with the genuine perfwiz.exe, this perfwiz.dll needs to go in my opinion.

    Now we need to use ComboFix
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    • If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
    • Open Notepad and copy/paste the text in the below quote box. Ensure you scroll down to select ALL the lines:
    Code:
    KILLALL::
    
    File::
    C:\WINDOWS\System32\perfwiz.dll 
    
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe

      http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below

    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this.
     
  19. PunyN00b

    PunyN00b Private E-2

    Alright, done. Here's the new logs.
     

    Attached Files:

  20. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Well that's that file dealt with and combofix also addressed the below:

    I asked you to do this earlier, and the same still applies! You should never make use of msconfig to control start-ups. There are much better third party alternatives.

    The logs look good now, how are things running?
     
  21. PunyN00b

    PunyN00b Private E-2

    Everything seems to be okay for the most part (other than Windows Defender, which I'll ask about in the software forum as you suggested. ;))

    A couple of things though.

    1. When I try to put my computer back into normal startup mode in MSConfig it won't let me for some reason. It will let me select it and everything, but when I hit "Apply" it goes back to Selective Startup for some reason.

    2. Is it possible for something to get into Windows Update and install itself that way? Every time I install updates, when I reboot the computer it says that I need to update it again. Every single time, immediately, without fail. Also, every time it comes up it says I need to install the same amount of updates, so it's caused me to be kind of suspicious.

    But yeah, if those are software issues (which I'm guessing they might be) and the logs look good then I think you got it all. Anything else?
     
  22. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Try doing it in safe mode, ensure you are logged on as administrator.

    Let's just give combofix a final run before we wrap it up.

    Double click it to run it, and attach the C:\combofix.txt which it produces once done.
     
  23. PunyN00b

    PunyN00b Private E-2

    Alright, in safe mode now. Still doing the same thing when it comes to trying to change it to normal startup. Want me to run combofix anyway or wait?
     
  24. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Yea. Give it a run. :)
     
  25. PunyN00b

    PunyN00b Private E-2

    Done. Here you go.
     

    Attached Files:

  26. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Please go to Jotti's malware scan

    (If more than one file needs to be scanned they must be done separately and logs posted for each one)
    • Copy the file path in the below Code box:
      Code:
      C:\Windows\System32\wininet.dll
    • At the upload site, click the browse button.
    • Use Windows Explorer to navigate to the file(s) we need scanned and click "submit file"
    • Your file will possibly be entered into a queue which normally takes less than a minute to clear.
    • This will perform a scan across multiple different virus scanning engines.
    • Important: Wait for all of the scanning engines to complete.
    • Once the scan is finished, Copy and then Paste the link in the address bar into your next reply.

    What exactly are you using for antivirus at the moment?
     
  27. PunyN00b

    PunyN00b Private E-2

  28. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Hmm, you see I had noticed that combofix reported an infected wininet.dll and said it replaced it with a fresh copy. Then when we ran it again, it again found it infected and replaced with yet another copy...

    Run a full system scan with your AntiVirus, let me know the results. :)
     
  29. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Then, let me try something:

    Now we need to use ComboFix
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    • If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
    • Open Notepad and copy/paste the text in the below quote box. Ensure you scroll down to select ALL the lines:
    Code:
    KILLALL::
    
    Fcopy::
    C:\Windows\SoftwareDistribution\Download\cde11068f5b77b180111333ef9781925\x86_microsoft-windows-i..tocolimplementation_31bf3856ad364e35_6.0.6002.18005_none_03d46c899ef4dd32\wininet.dll | C:\Windows\System32\wininet.dll
    
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe

      http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below

    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this.
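    The reason a second ComboFix pass found wininet.dll infected again (post 28) is that the file was being modified again after it had been replaced. The script below is an added example for readers, not part of this thread or of ComboFix or MGtools: it records a SHA-256 baseline of watched files, reports any that change between snapshots, and checks a file against a known-good reference copy (the role the SoftwareDistribution copy plays in the Fcopy step above). All paths, file names and file contents in it are constructed for the demo and are not the files from this machine.

```python
# Added example, not from the MajorGeeks thread or the tools it uses.
# It records a baseline of file hashes and compares later snapshots against it,
# so a file that is "cleaned" and then silently modified again before the next
# reboot (as wininet.dll was in this thread) shows up as CHANGED. All file
# paths and contents below are constructed for the demo.
import hashlib
import json
import os
import tempfile
from pathlib import Path


def sha256_of(path):
    """SHA-256 of a file, read in chunks so large DLLs don't load into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def snapshot(paths):
    """Map each path to its hash, or None if the file does not exist."""
    return {str(p): (sha256_of(p) if os.path.isfile(p) else None) for p in paths}


def save_baseline(paths, baseline_file):
    """Write the current snapshot to a JSON file and return it."""
    data = snapshot(paths)
    Path(baseline_file).write_text(json.dumps(data, indent=2))
    return data


def compare_to_baseline(paths, baseline_file):
    """Classify each path as UNCHANGED, CHANGED, DELETED, NEW or MISSING."""
    baseline = json.loads(Path(baseline_file).read_text())
    current = snapshot(paths)
    report = {}
    for p in map(str, paths):
        old, new = baseline.get(p), current.get(p)
        if old is None and new is None:
            report[p] = "MISSING"
        elif old is None:
            report[p] = "NEW"
        elif new is None:
            report[p] = "DELETED"
        elif old == new:
            report[p] = "UNCHANGED"
        else:
            report[p] = "CHANGED"
    return report


def matches_reference(path, reference_path):
    """True if the file is byte-for-byte identical to a known-good copy."""
    return sha256_of(path) == sha256_of(reference_path)


def demo():
    """Constructed scenario: a system DLL restored from a clean copy, then
    tampered with again. Returns (first report, second report, restored-ok flag)."""
    with tempfile.TemporaryDirectory() as tmp:
        system32 = Path(tmp) / "System32"
        system32.mkdir()
        clean_copy = Path(tmp) / "wininet_reference.dll"   # constructed, hypothetical
        dll = system32 / "wininet.dll"                       # constructed, hypothetical
        clean_copy.write_bytes(b"CLEAN-DLL-IMAGE")
        dll.write_bytes(b"CLEAN-DLL-IMAGE")
        watched = [dll]
        baseline = Path(tmp) / "baseline.json"

        save_baseline(watched, baseline)
        first = compare_to_baseline(watched, baseline)        # right after cleaning

        dll.write_bytes(b"CLEAN-DLL-IMAGE" + b"PATCHED")      # simulated re-modification
        second = compare_to_baseline(watched, baseline)

        dll.write_bytes(clean_copy.read_bytes())              # restore from known-good copy
        restored_ok = matches_reference(dll, clean_copy)
        return first, second, restored_ok


if __name__ == "__main__":
    first, second, restored_ok = demo()
    print("after cleaning :", first)
    print("after tampering:", second)
    print("restored matches reference:", restored_ok)
```

    A hash baseline only tells you that a file changed between two points in time, not which version is the clean one; that is why the comparison against a reference copy is a separate step, and why the Fcopy above takes its source from a copy Windows Update itself downloaded rather than from the live System32 file.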
     
  30. PunyN00b

    PunyN00b Private E-2

    Alright, done and done.

    MSE came back clean and here are the logs you asked for.
     

    Attached Files:

  31. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources ( except a little disk space ) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /uninstall
        • Notes: The space between the combofix" and the /uninstall, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
    3. Go back to step 6 of the READ ME and re-enable your Disk Emulation software with Defogger if you had disabled it.
    4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. If running Vista, it is time to make sure you have re-enabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    7. Go to add/remove programs and uninstall HijackThis.
    8. Go to the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders
      related to MGtools and some other items from our cleaning procedures.
    9. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures pointed to by step 7 of the READ ME
        for your Window version and see the instructions to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    10. After doing the above, you should work thru the below link:
     
  32. PunyN00b

    PunyN00b Private E-2

    Done.

    Thanks for all your help, you're a saint. ;)
     
  33. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    You're most welcome! Safe surfing.
     
