Malware, spyware, NASTYWARE, really need help!

Discussion in 'Malware Help (A Specialist Will Reply)' started by EARLPEARL, Feb 4, 2008.

  1. EARLPEARL

    EARLPEARL Private E-2

    I have been plagued since about Christmas 07 with RECURRING invasions.....have 3 desktops thru a Wireless Linksys wrt54g router. One started working on its own, processes building out of nowhere....delete one -- IT COMES BACK!!! soon processes legal or what are loaded and loading and the system is over 100%- freezes and you're just that FROZEN. Reboot, even in safe mode, might work 2-3 minutes, then processing until frozen.

    I reinstalled WINDOWS XP. HOME ON ALL 3. deleted ALL partitions, created ONE new and installed winxp sp2 on each. While they were out being cleaned, borrowed a Dell Inspiron laptop - It WAS INFECTED IN 24 HOURS but not plugged in with any of the other prev. infected machines. Other signs:
     
    Last edited by a moderator: Feb 4, 2008
  2. Lev

    Lev MajorGeek

  3. EARLPEARL

    EARLPEARL Private E-2

    From the READ ME FIRST PAGE, I did the work. To date reinstalled xp home (from unpartitioned diskspace using the commercial xp home disk sp1 that I own) twice already. Had used some of the tools here prior and recently no success - I GET REINFECTED IMMEDIATELY before I even plug in to the net???
    Problems have been and keep coming back:
    1. Firewall disabled with necessary services....cannot turn on again.
    2. I was denied access to files
    3. Hijacked webpages
    4. Weird files and folders appear -- cannot delete or they reappear!!
    5. Processes run out of control and replicate! Usage goes to 100% and freezes - at that point 2-3 reboots and I'm done.:(
    On DSL, used a router (wired) with 3 desktops originally, since the reinstalls- been going directly thru my NETOPIA MODEM one at a time. No matter what I do, I get reinfected on all 3 before I'm even on the net again. Is it hiding somewhere on the hard drive after reformatting??
    ......ready to install hard drives but need to know how to stop this thing!
     


  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    If you are reinstalling your PCs from scratch and are immediately getting reinfected even before connecting to your network, then you are reinstalling from infected non-original copies of Windows or are installing other software after Windows is installed and the software you are installing from may be infected non-original media. Have you tried just reinstalling Windows and NOTHING else just to see how things work?

    Who is installing the keyloggers? C:\Windows\svcwinra.exe ( System Surveillance Pro - CA) is a program which monitors keystrokes, Web sites visited and IM conversations. Screenshots can also be captured, which can be triggered on specific keywords. The name in the registry can be any of the following values: Perm_Sys2, JmpRes, SysConn_Start, TMPINI34, Inet_Perf, and Almondrv.

    Also I see this: http://ca.com/sg/securityadvisor/pest/pest.aspx?id=453123762 which someone is installing.

    I would guess you are installing the above questionable software since I also see the below link
    Code:
    "C:\Documents and Settings\Vinni\Desktop\"
    system~1.htm  Dec  5 2007        6854  "SystemSurveillancePro.htm"

    You need to describe your problems more clearly with more precise detail as they do not necessarily sound like malware. See comments in purple text below.

    1. Firewall disabled with necessary services....cannot turn on again.
    What firewall are you referring to? Windows Firewall or another. You should not be using the Windows firewall because it does not provide adequate protection anyway especially for a home network. I saw PC Tools Firewall Plus in your log though so is this what you are saying is disabled?

    2. I was denied access to files
    3. Hijacked webpages
    What files? What webpages are you hijacked to?

    4. Weird files and folders appear -- cannot delete or they reappear!!
    What files and folders?

    5. Processes run out of control and replicate! Usage goes to 100% and freezes - at that point 2-3 reboots and I'm done.:(
    What processes?


    What is in the below folder?
    Code:
    "C:\WINDOWS\system32\drivers\"
    WIN2000       Jan 22 2008              "Win2000"
    The below do not belong in the C:\Program Files folder especially MGtools.exe which we specifically stated must be in the root folder of your Windows boot drive (i.e., C:\MGtools.exe )
    Code:
    "C:\Program Files\"
    avgas-~1.exe  Feb  9 2008    14113576  "avgas-setup-7.5.1.43-3339.exe"
    bfu.zip       Feb  9 2008       62862  "bfu.zip"
    jkdefr~1.zip  Feb  9 2008      465088  "JkDefrag-3.34.zip"
    jre-6u~1.exe  Feb  9 2008      382352  "jre-6u3-windows-i586-p-iftw.exe"
    mgtools.exe   Feb  9 2008     1238736  "MGtools.exe"
    spybot~1.exe  Feb  9 2008     9722720  "spybotsd152.exe"
     
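    As an added defensive example (not code from the thread or from MajorGeeks), the registry value names and executable that chaslang attributes to System Surveillance Pro can be checked against the output of `reg query` on the Run keys; the sample output below is constructed, and the helper names are my own.

    ```python
    import re

    # Persistence value names and dropped executable named in the thread for
    # System Surveillance Pro (C:\Windows\svcwinra.exe).
    SSP_VALUE_NAMES = {"Perm_Sys2", "JmpRes", "SysConn_Start", "TMPINI34", "Inet_Perf", "Almondrv"}
    SSP_EXE_NAMES = {"svcwinra.exe"}

    # One value line of `reg query <key>` output:  <name>  REG_<type>  <data>
    _REG_LINE = re.compile(r"^\s*(?P<name>\S+)\s+(?P<type>REG_\w+)\s+(?P<data>.*?)\s*$")

    def parse_reg_query(text):
        """Yield (key, value_name, data) tuples; key lines begin with HKEY_."""
        key = None
        for line in text.splitlines():
            if line.startswith("HKEY_"):
                key = line.strip()
                continue
            m = _REG_LINE.match(line)
            if m and key:
                yield key, m.group("name"), m.group("data")

    def exe_basename(data):
        """Executable file name from a Run value, tolerating quotes, arguments
        and unquoted paths that contain spaces (cut at the first '.exe')."""
        data = data.strip().strip('"')
        end = data.lower().find(".exe")
        path = data[:end + 4] if end != -1 else data.split(" ", 1)[0]
        return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

    def find_ssp_persistence(text):
        """Return Run entries that match by value name, by executable, or both."""
        hits = []
        for key, name, data in parse_reg_query(text):
            reasons = []
            if name in SSP_VALUE_NAMES:
                reasons.append("known value name")
            if exe_basename(data) in SSP_EXE_NAMES:
                reasons.append("known executable")
            if reasons:
                hits.append({"key": key, "name": name, "data": data, "reasons": reasons})
        return hits

    # Constructed sample of `reg query` output (not from the poster's machine).
    SAMPLE = """
    HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run
        ctfmon.exe    REG_SZ    C:\\WINDOWS\\system32\\ctfmon.exe
        JmpRes        REG_SZ    "C:\\WINDOWS\\svcwinra.exe" /s

    HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run
        Updater       REG_SZ    C:\\Documents and Settings\\User\\svcwinra.exe
    """

    if __name__ == "__main__":
        for hit in find_ssp_persistence(SAMPLE):
            print(hit["key"], hit["name"], "->", ", ".join(hit["reasons"]))
    ```

    On a live system the input would come from `reg query "HKLM\Software\Microsoft\Windows\CurrentVersion\Run"` and the HKCU equivalent.
    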
  5. EARLPEARL

    EARLPEARL Private E-2

    All reinstalls were from factory Windows CD's - one is from Dell original reinstall disk and the other is original CD I have from purchased computer. UNFORTUNATELY, I did a test run of a virgin windows reinstall with nothing else but it remembered a network connection which I had not yet set up and the registry showed names of software that were installed prior ???? How that happened I couldn't imagine....is formatting good enough to erase the hard drive. Can something hide some place in the pc??

    The ( System Surveillance Pro) we tried to install a monitoring program that might show what was happening that we could not see- couldn't get it set up to work properly.
    http://ca.com/sg/securityadvisor/pest/pest.aspx?id=453123762 I don't know what this is.....
    Windows firewall became disabled with services too so I could not turn back on...I added Norton Internet Security for better protection and it got DISABLED -- protection turned off - it said that I was not the supervisor and could not turn it back on!! I am the only supervisor and administrator on the machine. Attached is screen shot of Norton turned off and enable button not available.

    Denied access to system tools mostly...system info, security logs, like that. Hijacked pages are i.e. Iowatelecom logon (my provider) main logon page -- will not accept my logon, asks to click here, when you do, you get another version of the logon page and when you log in or try to it takes you to webnuts.com.

    Weird files: local service.NT authority jmxremote.access
    New eraser task document.ers stuff like this, come will delete, some will not
    SYSTEM 32 FOLDER: Win2000
    TPkd.sys 59kb system file 10/25/2001 is what it says.

    Processes running out of control - attached is ONE screen shot, I have several like this they are not all the same. The cpu goes to 100% and we freeze, reboot, starts again, freeze and that's when I've had to reinstall - IT HAPPENS IN SAFE MODE TOO!!!

    I will reinstall the "fix it" programs to the c drive and post them right after this....

    NEW THING...I REALLY MEAN IT THIS IS THE ABSOLUTE TRUTH!!! I was running an AVG spyware scan just the other day to see if it came up with anything new and noticed the connections tab - I clicked it and noticed I had a firefox connection HOWEVER -- MY DSL MODEM WAS UNPLUGGED - I was not connected to the internet AT ALL!! My ethernet cord was plugged in from the computer to the modem but that's it. I opened my port scanner and it showed the same. - screen shot attached.
     


  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    The proper method to use is to:
    • delete your current partition
    • create a new partition
    • format the partition
    • reinstall your OS and do not connect to the internet until you have already install each of the below:
      • antivirus
      • antispyware with realtime blocking (i.e., protection; some tools are just after-the-fact scanners)
      • a real bidirectional firewall, which the Windows firewall is not.
    This is not a malware detection tool. It is a keylogger, which most antimalware programs will detect as a problem. Uninstall all software like this and keep it uninstalled.

    It is what you installed.

    As stated above the Windows firewall is not adequate. However you were not using the Windows firewall anymore once you installed Norton. It has its own firewall and it will disable the Windows firewall automatically because you must not use multiple software firewalls. And sorry to say that Norton is not adequate either. And if you have Norton installed you should not be using PC Tools Firewall Plus which I saw in your earlier logs.

    Spy Sweeper is the only thing I see using all of your resources. Maybe you should consider not using it for now.

    Just because you are not connected to the internet, it does not mean your applications are not running. Are you sure that you had ALL browsers shutdown. Based on your snap shots it does not look like it.
     
  7. EARLPEARL

    EARLPEARL Private E-2

    OK. I think I'd better start over nice and clean. I have 3 desktop pc's that all had (have) the same problem. Each pc is still messed up - can you advise on this plan...

    Computer A: (this one) 803 mhz proc, 512 K RAM, 20 gig HDD
    Computer B: 2ghz proc., 1gig RAM, 80 gig HDD
    Computer C: 2ghz proc, 1gig RAM, 80 gig HDD
    all have one floppy and one CDRom.,

    Would like to try using Ubuntu, so far I like it. I work on the internet selling, use Ebay and other auction/private listing sites, e-mail to private customers pics I take myself with my digital camera. Thought I would set up this way....

    Computer A: keep the 20 gig HDD and add the 80 gig HDD from computer B, format one with Windows xp and one with Ubuntu. Use it to do most of my surfing on the net.

    Computer B: Bought a new 160 gig HDD for it: format with Ubuntu and partition it (2) for data storage on 1/2. Use it for graphic markup, format my ads, compose e-mails, etc. AND some internet (i.e. posting ads, communication)

    Computer C: BACK UP MOSTLY. Leave the 80 gig in it and ???? partition it 1/2 windows and 1/2 Ubuntu??

    :) I will reinstall Windows on each of the hdd's (as you suggest) but one at a time.
    How do you install 2 hdd so you boot from either one?
    What FIREWALL REALLY WORKS - Antivirus (will buy what's necessary). Use also
    AVG antispyware, Spybot S&D, and AdAware (all free versions) SpySweeper can
    relax a while. OVERKILL SECURITY is what I need, especially now...have lost a lot
    of work time. Should I run Rootkit scan or Hijack This as a regular thing?
    Is Ubuntu really more secure than Windows? If I partition one hard drive, if the Windows
    partition gets infected, does it affect the Ubuntu part. too?
    Restoring my files (have them backed to one USB and disks). What can I scan them
    with to see if they are clean enough to use again? Most dangerous is my saved
    e-mails, I have to at least view some of them.
    Need to use my router again for at least 2 pc's to use the net together. Wired config is
    all I need, any suggestions for setup, firmware?
     
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    This is a topic for the Software Forum.

    Please post in the Software Forum.

    See this: How to Protect yourself from malware!

    Only because hackers don't care about it that much so in that regard yes.

    Not necessarily. And Windows applications are not going to run on Ubuntu to infect anything.

    Your antivirus and antispyware applications.

    Not in this forum. Try the Hardware Forum if you are asking about hardware setup or the Networking Forum if your question is about networking.
     
