Infected with something

Discussion in 'Malware Help (A Specialist Will Reply)' started by MrsShrek, Oct 18, 2010.

  1. MrsShrek

    MrsShrek Private E-2

    This is Dad's computer that I'm trying to help him with. At one time, he had Desktop Security 2010 installed. He's been having problems ever since. Even after he uninstalled it.

    Went through the Run This First for the XP Cleaning Procedure.

    Running XP Pro SP3 on a Dell Inspiron 530.
    1GB Ram.
    229 GB hard drive w/ 219 GB free.
    1.6 GHz Intel Pentium Dual CPU E2140
    Internet Explorer 8.0.6001.18702

    Getting an error a few minutes after booting to the desktop, in both regular mode and in safe mode:
    Generic Host Process for Win32 Services
    Generic Host Process for Win32 Services has encountered a problem and needs to close. We are sorry for the inconvenience.
    Data Error Report Contains:
    szAppName: svchost.exe
    szAppVer: 5.1.2600.5512
    szModName: unknown
    szModVer: 0.0.0.0
    offset: 001a624b

    In safe mode, error looks different. Still says svchost.
    0x001a61bb @ 0x00000000

    Regardless of whether I send or don't send, the error pops up again. After the 2nd or 3rd time it pops up, I cannot do anything on the computer. Found that if I don't close the first error, it will allow me to do some things. The system will not shut down or restart correctly. It hangs while going down. Have to press and hold the power button.

    Can get to the internet, but cannot get to several sites. Some of the sites I cannot get to are:
    Updates.microsoft.com
    windowsupdate.microsoft.com
    Malwarebytes
    spybot search & destroy install site
    Ad-aware install site
    and some others

    Had AVG Free installed originally.

    Installed Avast and it found & removed these trojan horses:
    Crypt.AAEY
    Downloader.Generic10.RMC
    Generic19.KUU
    Generic19.LYQ

    Still could not get to the above sites. Installed IObit Security 360. It found and removed these:
    Trojan.DNS-changer (Hi-Jacked DNS) - 6 entries
    Malware.Trace

    At one point, I ran the Avast BootScan. For a while after that, the error messages quit. However, still was not able to get to the above sites. Any how, the error is back. Tried some of the fixes in the IObit Toolkit, but nothing worked.

    While searching for a fix, stumbled across your site. Hoping that you can help. Went through your Read & Run me first and went through the steps for XP Cleaning Procedure. Items were downloaded to my laptop and put onto Dad's computer via thumb drive. Here's the results.

    First, cleared the quarantine files from AVG and Avast and uninstalled both since you only want 1 antivirus installed. This left IObit Security 360.

    SuperAntiSpyware would not run at first. So, I ran the Portable version. Sorry, but actually did this a few times. Did not understand the instructions totally about the Portable version. It found and removed some items, but did not write them down. Rebooted and still was not able to start the regular SuperAntiSpyware. Got it started by using the Alternative way. It did not find anything. SASLog.txt will be attached.

    Malwarebytes Anti-Malware was able to install after changing the name to MB.exe, but I could not get the program to open. Even renamed it on my laptop and reinstalled. It will not open. When I click on the shortcut, the mouse switches to an hourglass for 1 second, then switches back. Nothing happens.

    Combofix.exe does exactly like Malwarebytes. Installs, but will not start.

    Ran RootRepeal. Log attached as RRlog.txt

    Ran MGTools. The first run blue-screened the computer and it did a memory dump. Started typing the error on my laptop, but it closed before I could get to the important info. The system automatically restarted. Re-ran MGTools and it appears to have been able to complete. Will attach as instructed. MGlogs1.zip is the first file that was created during the blue screen. MGlogs.zip is after the reboot.

    Note, Pagefile.sys was created between the 2 runs. It is 1,560,576kb in size. Cannot copy it at this time as the system says it is in use.

    Hope I have given you all the info that you need. Also hope you can help me.
    Thanks!
     


  2. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Currently reviewing your logs and will get back to you with a set of instructions asap.
     
  3. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    It's not a good idea to have more than one antivirus installed for many reasons!

    You did not run Combofix and I would like you to do so soon.

    If you did not deliberately set this proxy yourself then please include it in the HJT fix below:

    Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    After clicking Fix exit HJT.

    Now download The Avenger by Swandog469, and save it to your Desktop.

    • Extract avenger.exe from the Zip file and save it to your desktop
    • Run avenger.exe by double-clicking on it.
    • Do not change any check box options!!
    • Copy everything in the Quote box below, and paste it into the Input script here: part of the window:
    • Now click the Execute button.
    • Click Yes to the prompt to confirm you want to execute.
    • Click Yes to the Reboot now? question that will appear when Avenger finishes running.
    • Your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt and it will popup for you to view when you login after reboot.

    You have leftovers from both avast and avg:

    I suggest you run the AVG Removal Tool

    Make sure you also delete any AVG folders in Program Files and Documents & Settings/Application Data directories.

    Run the avast uninstall utility

    Also delete all files in the below bold folders except ones from the current date (Windows will not let you delete the files from the current day).
    • C:\WINDOWS\TEMP
    • C:\Documents and Settings\Mona\Local Settings\TEMP

    Download and run Combofix at this point as per the instructions in the R&R.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this.

    Tell me how the machine is behaving now.
     
  4. MrsShrek

    MrsShrek Private E-2

    Thank you for your help. It is appreciated.

    I understand about the 2 antiviruses. Only installed more to try to beat whatever attacked.

    Tried to run ComboFix before, but like Malwarebytes, it would not run. Even after completing steps listed here, it will not run even though I downloaded a new copy.

    No, I did not set the proxy. Ran your Analyse.exe as instructed.

    Ran the avenger.exe. System tried to reboot, but hung and had to hold power button to get it to finish. Log is attached.

    Ran the AVG Remover & avast Uninstall tools as instructed. Also deleted the files & emptied the recycle bin.

    As stated above, Combofix will not run. When clicked on, hour glass shows for a second, then nothing. Tried a few times, but it will not run.

    Ran GetLogs.bat and the files are attached.

    I am able to reach windows update now. In the process of downloading the critical ones. 19.

    The error has not popped up, but I wonder if that is because the network cable is plugged in. Maybe if this bug can reach the internet, it doesn't give the svchost error? After the updates are finished, I will test and will update the post with the info.

    Concerned that ComboFix will not run.

    Please advise. Looking forward to any info you can provide.
     


  5. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Well, from looking at that latest set of logs, I am seeing no reason to try and push on with getting ComboFix to run; you say the computer is running well, and I am seeing nothing to be concerned with. However, if you want to, you can try this, as if we can get CF to run, it sometimes reveals issues the other logs don't.

    Rename combofix.exe to 123.com and try and run it again in normal mode. If that fails, try safe mode. If successful attach the C:\combofix.txt

    Now Copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.
    Make sure that you tell me if you receive a success message about adding the above
    to the registry. If you do not get a success message, it definitely did not work.
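The symptoms in this thread (security and update sites unreachable, a proxy nobody set, "Hi-Jacked DNS" entries, and tools that show an hourglass for a second and exit when launched by name) are all things a helper checks by hand in the HJT and MGtools logs. As an added example, not part of the thread or of any of the tools mentioned in it, the script below does that triage offline against a hosts file and a regedit-style .reg export. The registry key paths are the standard XP locations; the vendor domain list, the tool image names, and the sample hosts/registry contents are constructed for the example.

```python
"""Offline triage for the blocking symptoms discussed in this thread.

Added example, not part of the thread. It parses a hosts file and a
Windows .reg export (regedit 'Export' format). Key paths are the
standard XP locations; the domain list, image-name list and sample
inputs below are assumptions constructed for the example."""
import re

# Domains the poster could not reach, plus a few that hijackers commonly
# block (assumed list, extend as needed). A clean hosts file mentions none.
SECURITY_DOMAINS = (
    "update.microsoft.com",
    "windowsupdate.microsoft.com",
    "malwarebytes.org",
    "safer-networking.org",
    "lavasoft.com",
    "superantispyware.com",
)

# Tool image names that malware commonly kills or hijacks (assumed list).
TOOL_IMAGES = ("mbam.exe", "combofix.exe", "hijackthis.exe", "superantispyware.exe")

IFEO = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options"
INET = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings"
TCPIP_IF = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces"


def suspicious_hosts_entries(hosts_text):
    """Return (ip, hostname) pairs that point a security/update domain anywhere."""
    hits = []
    for line in hosts_text.splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments
        if not line:
            continue
        ip, *names = line.split()
        for name in names:
            if any(name.lower().endswith(d) for d in SECURITY_DOMAINS):
                hits.append((ip, name.lower()))
    return hits


def parse_reg_export(reg_text):
    """Minimal .reg parser -> {key_path: {value_name: data}}.
    Handles REG_SZ ("...", with \\\\ unescaped) and dword:; other types
    are kept as their raw text."""
    keys, current = {}, None
    for raw in reg_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        if current is None or "=" not in line:
            continue
        name, data = line.split("=", 1)           # split on the first '=' only
        name = "(Default)" if name == "@" else name.strip('"')
        if data.startswith('"') and data.endswith('"'):
            data = data[1:-1].replace("\\\\", "\\")
        elif data.startswith("dword:"):
            data = int(data[6:], 16)
        keys[current][name] = data
    return keys


def triage_registry(keys, trusted_dns=()):
    """Return (finding, key_path, data) tuples for: an enabled WinINet proxy,
    statically set DNS servers outside trusted_dns, and IFEO Debugger
    entries that redirect a known cleaning tool."""
    findings = []
    inet = keys.get(INET, {})
    if inet.get("ProxyEnable") == 1 and inet.get("ProxyServer"):
        findings.append(("proxy_enabled", INET, inet["ProxyServer"]))
    for key, values in keys.items():
        if key.startswith(TCPIP_IF):
            servers = [s for s in re.split(r"[ ,]+", values.get("NameServer", "")) if s]
            bad = [s for s in servers if s not in trusted_dns]
            if bad:
                findings.append(("untrusted_dns", key, ",".join(bad)))
        if key.startswith(IFEO + "\\") and "Debugger" in values:
            image = key.rsplit("\\", 1)[1].lower()
            if image in TOOL_IMAGES:
                findings.append(("ifeo_hijack", key, values["Debugger"]))
    return findings


# Constructed sample inputs (not from the thread's logs).
SAMPLE_HOSTS = """# constructed sample hosts file
127.0.0.1       localhost
127.0.0.1       windowsupdate.microsoft.com
127.0.0.1       www.malwarebytes.org
"""

SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable"=dword:00000001
"ProxyServer"="http=127.0.0.1:5555"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{ABCD}]
"NameServer"="203.0.113.5,203.0.113.6"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mbam.exe]
"Debugger"="C:\\WINDOWS\\system32\\svchost.exe"
"""


def run_triage(hosts_text=SAMPLE_HOSTS, reg_text=SAMPLE_REG, trusted_dns=("192.168.1.1",)):
    """Run both checks; trusted_dns should be the router/ISP resolvers."""
    return suspicious_hosts_entries(hosts_text), triage_registry(parse_reg_export(reg_text), trusted_dns)


if __name__ == "__main__":
    hosts_hits, reg_hits = run_triage()
    for ip, name in hosts_hits:
        print("hosts redirect:", ip, name)
    for finding in reg_hits:
        print(*finding)
```

On the real machine the hosts file lives at %SystemRoot%\system32\drivers\etc\hosts and the three keys can be exported with regedit or `reg export`; pass the DNS servers the router or ISP actually hands out as `trusted_dns`, since the check otherwise flags every statically configured server. An IFEO `Debugger` value is only one way a tool can be made to vanish on launch (a process-killing resident is another), so a clean result there does not by itself explain the hourglass-then-nothing behaviour described earlier in this thread.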
     
  6. MrsShrek

    MrsShrek Private E-2

    Sorry if you misunderstood, but the computer was not running correctly. Was still receiving error if it was not connected to internet.

    Renaming ComboFix to 123 allowed it to run. Attached is the log file. During install, it did ask to be updated. I allowed it to do so. This was not in the instructions, so I hope that was ok.

    Also ran your FixMe.reg and did get a success message.

    After running all the above, Windows is now saying that I do not have antivirus software running. IObit Security 360 IS running. Does this not count as antivirus software? Can you recommend a good antivirus software? What do you use?

    After reviewing the attached Combofix file, please let me know what else needs to be done.
    Thanks!
     


  7. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Ahhh, combofix addressed a problem!
    Yes, it is an antivirus; we will see if Windows recognises it now that ComboFix has been run. Does it, or is it still saying the same thing?

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this.
     
  8. MrsShrek

    MrsShrek Private E-2

    Forgot to let you know, but when I ran combofix, it also found a rootkit. Did it show you that in the log? Or was the cdrom.sys the rootkit it found?

    Having some problems running the GetLogs.bat. Also, windows is still reporting no antivirus.

    The first time GetLogs was run, it hung. Left it there for a long time, but it did not finish. It did create a log, which I renamed to MGlogs1st. It is attached.

    Was able to run Malwarebytes. It found 2 items. Log is attached.

    Rebooted and tried to run GetLogs.bat, but got blue-screened. MGlogs.2nd is attached.
    Blue Screen error:
    page_fault_in_nonpaged_area
    stop 0x00000050 (0xE1E730000,0x00000001,0x806403BB,0x00000001)

    Windows reported error after reboot:
    BCCode: 50
    BCP1: E1E73000
    BCP2: 00000001
    BCP3: 806403BB
    BCP4: 00000001
    OSVer: 5_1_2600
    SP: 3_0
    Product: 256_1

    Tried running GetLogs.bat again and got a blue screen again. MGlogs.zip is attached. This time the error was still in page_fault:
    Stop 0x00000050 (0xC1F00000, 0x00000000, 0x8066403BBM 0x00000000)

    Windows is still reporting no antivirus. Read the How to Protect Yourself from Malware and see that IObit is not listed on your list. Wondering if this is because it is not one of the better ones. Should I remove it and put Avast back on? If I do, is there a removal tool that should be run?

    Please advise.
    Thank you for all your help.
     


  9. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Yes I think you should try that and see how it goes. Just uninstall IOBIT360 through the usual means and let me know how it goes. Reboot, and then install avast.

    Yes.

    Now Copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.
    Make sure that you tell me if you receive a success message about adding the above
    to the registry. If you do not get a success message, it definitely did not work.

    Now run a full system scan with avast and let me know how things are running at this point.
     
  10. MrsShrek

    MrsShrek Private E-2

    I would like to thank you very much for all your help. Things seem to be running pretty smoothly now.

    Question, if you close this thread, will I still be able to access via the user cp and viewing my subscribed to threads?

    I'd like to come back here and review things from time to time as you've given me very good info.
    Thanks again!
     
  11. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    You're most welcome. And that is great to hear. :)
    Yes you would, but I am not seeing a reason to lock/close it really, I'll just post final steps to you.

    Take care and safe surfing!

    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources ( except a little disk space ) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /uninstall
        • Notes: The space between the combofix" and the /uninstall, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
    3. Go back to step 6 of the READ ME and re-enable your Disk Emulation software with Defogger if you had disabled it.
    4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. If running Vista, it is time to make sure you have re-enabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    7. Go to add/remove programs and uninstall HijackThis.
    8. Go to the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    9. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures pointed to by step 7 of the READ ME for your Windows version and see the instructions to Disable System Restore, which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    10. After doing the above, you should work thru the below link:
     
