I'm infected and I did follow the "Run Me First" instructions

My problems started when I downloaded an infected file. My McAfee firewall and virusscan software exploded with warnings. When the dust settled the most obvious symptom that something was wrong was Internet Explorer kept wanting me to make c:\secure32.html my home page and I couln't change it. I went through all the "Read & Run Me First" Instructions (link http://forums.majorgeeks.com/showthread.php?t=35407), and when through after rebooting under normal mode, I now get an error during boot that says "Services & Controller App has encountered a problem and needs to close" with the following details: SzAppName: services.exe, SzAppVer: 5.1.2600.2180, SzModName: services.exe, SzModVer: 5.1.2600.2180 offset 00008240. I then get a system shutdown warning with the details: system process c:\windows\system32.services.exe terminated unexpectedly with status code -1073741819. I got the full message the first time I rebooted after changing back to normal mode and it rebooted, the second time I got the warnings but it didn't reboot so I'm quickly writing this up and attaching the logs.

 

here's the final three report attachments. Thanks for helping me!!

 

by the way, a couple additional notes:

1. I no longer get the secure32.html homepage and IE will now allow me to make it anything.

2. Although I don't recall all the suspicious stuff detected by the various detection software you had me run, each program detected something. At no time did I get a report back that I was clean.

 

Thanks for the quick response and for helping me. Followed your instructions to the T and didn't experience any problems. I haven't gotten any more crashes or "Services & Controller App has encountered a problem and needs to close" errors since last night (before I even ran your instructs), but only time will tell how stable Windows is. I'll reply back if I have any residual problems pop up the next couple days.

I was reading the "newfiles2" log and have a question about some files on my C:\ directory. Is there any reason I shouldn't just delete the following files?:

-45961~1 Dec 27 2006 0 "-459614275"
abcdefg.bat Dec 27 2006 80 "abcdefg.bat"
t1ko.am Nov 9 2006 0 "t1ko.am"
t1ko.ar Nov 9 2006 0 "t1ko.ar"
t1ko.as Nov 9 2006 0 "t1ko.as"
t1ko.at Nov 9 2006 0 "t1ko.at"
t1ko.b0 Nov 9 2006 0 "t1ko.b0"
t1ko.bd Nov 9 2006 0 "t1ko.bd"
t1ko.be Nov 9 2006 0 "t1ko.be"
t1ko.bm Nov 9 2006 0 "t1ko.bm"
t1ko.bt Nov 9 2006 0 "t1ko.bt"
t1ko.cc Nov 9 2006 0 "t1ko.cc"
t1ko.cf Nov 9 2006 0 "t1ko.cf"
t1ko.cl Nov 9 2006 0 "t1ko.cl"
t1ko.cr Nov 9 2006 0 "t1ko.cr"
t1ko.cs Nov 9 2006 0 "t1ko.cs"

Thanks again!

 

I did run Viewpointkiller and went by their instructions. The first thing their instructions said to do was run "Check to see if you have Viewpoint installed" from the file menu. I did and it came back and said I was clean - no media player, no toolbar, no manager, so I stopped there. I just reran it now and went ahead and chose "Do all killings" and it came back and said it could not find any of the folders it was looking for.

As far as those unexplained files, I don't play games on the computer so I know they weren't created that way. The two I'm especially curious about are -

45961~1 Dec 27 2006 0 "-459614275"
abcdefg.bat Dec 27 2006 80 "abcdefg.bat"

They both were created on the day I was infected and did the first round of cleanup based on the "Read & Run Me First" instructions. I don't know if they were created before the infection (I didn't install anything before the infection that day), if the infection created them, or if one of the programs in the "Read & Run Me First" instructions created them. the 45961~1 says it's 0 bytes so i guess that's ok to delete. I opened the abcdefg.bat in notepad and this is what was inside:

rem sdel sckrypt

:klabel

del %1

if exist %1 goto klabel

del %0

Looks fairly innocuous. Worst case is, once you bless my computer as clean,
I'll create the new system restore point, THEN delete them, just in case.

Thanks again!

 

A new symptom that someone may have compromised my computer. Twice today while in the middle of doing stuff I do everyday on the computer, my mouse suddenly gets jittery - I move the mouse but the cursur freezes for a few seconds and then it jumps to catch up. It basically brings my ability to use the computer to a halt. It stays that way until I reboot. I have never had this happen on this computer before. Don't want to sound paranoid, but could it be a sign that someone has created a backdoor through my firewall (McAfee) into my computer and is hijacking my CPU for their own use and it's maxing out my resources? Is there a way to check this? McAfee's firewall is telling me it's actively blocking all unsolicited attempts but if a trojan/virus has fooled it into thinking it has permision, how do I detect that? Thanks!

 

I'm continuing to experience a sluggish computer after the infection and disinfection. One symptom is the jittery mouse arrow described earlier, but I've also noticed it doesn't take much now (post infection/disinfection) to overload my computer and slow it down. I used to be able to run several programs, watch video, and even have Rhapsody running without much difficulty. Now if I have one or two programs running, IE will slow to a crawl and Windows Media Player will have trouble with video files (jumpy picture, jumpy out-of-synch audio), and I have to reboot. So I tried to do some more investigating - I ran RegDoctor (which I already had and run regularly) and it gets hung up during it's "Uninstall Section" cleaning (whatever that is). It just stops. Never had this happen before with RegDoctor. All the other sections scan and fix without any problems. I see that you guys recommend a different registry cleaner, RegCleaner, so I downloaded that and ran. Under tools, I did registry cleanup/all and when it finishes I get 73 useless entries I can delete. I select all and click "remove selected" and I get this error message:

--Error report-----
Error message: Cannot create file C:\Program Files\RegCleaner\Backups\12.30.2006.3.17.24....5239.reg

--Addition information-----
RegCleaner version = RegCleaner 4.3, Build: 780
Idler.Enabled = True
Section = Registry Cleanup
System mode = Normal
Cleanup mode = All
NT Mode = True
Win2k Mode = True
Administrator = True
Debug mode = False

--Action Log-----
Start 0
Start 1
Start 2
Start 3
Select lang
Language: C:\Program Files\RegCleaner\languages\English.rlg
Column mode change
Start 4
Section: Software
DeleteDupes
Column click
Started
LoadColumnWidths
Done button
LoadColumnWidths
Cleanup Start
LoadColumnWidths
Cleanup Stop
LoadColumnWidths
Remove
RemRegCleanup
RemoveRegDir
LoadColumnWidths
RemoveRegDir
LoadColumnWidths
RemoveRegDir
LoadColumnWidths
RemoveRegDir
LoadColumnWidths
RemoveRegDir

Since I didn't know what was going on, I chose "terminate" instead of "ignore". Seems both programs get hung up analyzing my registry. I know this is the malware board and not "how to clean your registry" board, but I'm wondering if the infection/disinfection could have screwed up my registry (or something else) and maybe that's why I'm now experiencing sluggish computer behavior. Even if the sluggishness has nothing to do with the registry, If I'm able to determine that the especially bad viruses/trojans that were unleashed on my computer on 12/27 are now gone, might I benefit by doing a system restore back to a restore point before the known infection? Could that help undo my current sluggish behavior? I know I could possibly also restore some low-level malware that existed at the time of that restore point, but at least it won't be infected with the really nasty stuff unleashed on 12/27 (or could it? do viruses and trojans also inject themselves into old system restore point files?) and I could always repeat the disinfection steps to get rid of the low-level malware reawakened with the old restore point. Or would it be better to try to diagnose what's causing my sluggish computer? Thanks again for all your help. One final question: do you guys have a "donate" button anywhere? It'd be great if people could make voluntary donations to help defray admin costs to show our gratitude.