.Net issue on XP

Discussion in 'Malware Help (A Specialist Will Reply)' started by marus, Aug 18, 2010.

  1. marus

    marus Private E-2

    Hello,

    Ran the scans in order as described within the instructions. Attached are 3 of the 5 scan results as upon last reboot 2 scan results have disappeared?!!? Did a file search and was unable to locate them. I believe every scan found at least one issue. The last scan only said it saw an issue but not how to repair it. Since all scans were completed, current problems include system will not shut down nor go to sleep when using the 'start' tab and then the proper turn off the computer sequence. Another issue is that when the system boots up the .NET Framework comes up with an error message about 'Hpqthumb' or one of its dependencies, was not found. I did before reload .Net Framework 1.1 which last one start before the problem came back. When the last scan was done in order the 'Windows installer' stated "deleting", since the reboot it is back to "installing". These matters started on or near the 5th or 6th of August.

    Thanks very much for the work done this far and whatever help you may offer from this point.

    Yours,

    M
     

    Attached Files:

  2. marus

    marus Private E-2

    Additional logs recovered and attached as I didn't know where to find them. All is well! : )

    Thanks again,

    M
     

    Attached Files:

  3. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Currently reviewing your logs. Will post back with a response ASAP.
     
  4. marus

    marus Private E-2

    Thank you,

    Looking forward to your next up-date. Hope to be calling you 'Goddess of the 'Geeks' or 'Malware-Destroyer'' soon.

    Yours,
     
  5. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Is this a business machine? If so I will work with you as long as you consider the following risks:

    Our practice of removing malware from business computers has these considerations:
    • Business companies' policies pertaining to proprietary information found on their machines
    • Possibilities of being party to breaching a company's "Code Of Conduct"
    • Financial and/or legal liabilities - if while cleaning a business machine, it crashes; resulting in loss of company information or worse - client information

    What is this??
    • c:\program files\BPP2003STANDARD.exe

    Please go to Add/Remove programs and uninstall the following software:

    • Java 2 Runtime Environment, SE v1.4.2_03
    • Java(TM) 6 Update 15
    • Java(TM) 6 Update 2
    • Java(TM) 6 Update 3
    • Java(TM) 6 Update 5

    Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    After clicking Fix exit HJT.

    Now we need to use ComboFix
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    • If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
    • Open Notepad and copy/paste the text in the below quote box. Ensure you scroll down to select ALL the lines:
    Code:
    KILLALL::
    
    File::
    c:\windows\Tasks\ParetoLogic Registration.job
    c:\windows\Tasks\ParetoLogic Update Version2.job
    
    DirLook::
    c:\documents and settings\Big John\Application Data\PCFix
    c:\documents and settings\Big John\Application Data\Key Folder
    C:\WINDOWS\system32\%S8867~1
    C:\WINDOWS\system32\%S886~13 
    C:\WINDOWS\system32\%SYSTE~4
    C:\WINDOWS\system32\RIVERS~1 
    
    Folder::
    c:\program files\Viewpoint
    c:\documents and settings\All Users\Application Data\Viewpoint
    c:\program files\Common Files\ParetoLogic
    
    Registry::
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{25BC7718-0BFA-40EA-B381-4B2D9732D686}]
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3049C3E9-B461-4BC5-8870-4C09146192CA}]
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}]
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{C84D72FE-E17D-4195-BB24-76C02E2E7C4E}]
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FDD3B846-8D59-4ffb-8758-209B6AD74ACC}]
    
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe

      http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below

    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    Now reboot your machine and install the most current and up to date version of Java available here at the below link:

    Java Runtime 6

    Run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this.

    Let us know of any problems you may have encountered with the above instructions.
     
  6. marus

    marus Private E-2

    Hi Kestrel13,

I did the best I could, but things did not go as anticipated; I will explain as I can. I followed your directions and had some minor difficulty in removing the requested Java scripts. In fact only one would remove, so I went to the site and tried to load anew the latest stuff, and after some time and maybe 30 attempts the Java scripts that were bad were cleared and a new upload to version 21 was installed. Then I tried to remove that, but that wasn't going to happen today. Went on to step one: after turning off the virus protection, ran the analysis, checked and removed the suggested lines. Went on to the ComboFix and it stalled; after waiting for some time I hard rebooted the system and started again. The program in both runs reloaded the 'recovery console', which was initially installed the first time I ran this software and has worked ever since. Then when the notepad report came back there was no mention of any 'KILLALL::' nor any of its components within the text, at least none that I could read, attached for your option to see. So I moved on, re-ran the MGTools as suggested and have attached this file. At this point I will reload the COMODO and wait to hear back. Lastly, I have yet to revert back the 'Defogger' from the initial opening instructions.

    Thank you for your efforts and patience with me and my system.

    Yours
     

    Attached Files:

  7. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    It appears you did not run my combofix script. Do it again following the instructions carefully. Do not simply double click combofix.exe, slide the CFScript.txt over the top of the combofix icon as requested, and then:

    Run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this.
     
  8. marus

    marus Private E-2

    Hello Kestrel 13,

    I believe that this last set of instructions was carried out as suggested.

    Thanks for your patience and ongoing guidance.

    M
     

    Attached Files:

  9. marus

    marus Private E-2

    Hi Kestrel 13,

A follow-up note: just rebooted and a new error message has appeared: 'Config parser error "Error parsing c:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\config\machine.config Parser returned error 0xC00CE502"'. Looks like some real progress : )

    Yours,

    M
     
  10. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

You must keep the 6.21 version installed; do not try to uninstall it, as you obviously depend on using Java for some applications and web activity. I still see 6.2, 6.3 and 6.5 installed, which you could uninstall another way if not through the traditional method, but that is something we can do later if you remind me.

    Hmm I believe this may not be related to malware, and that you will have to work this out in the software forum if errors persist.

Let's finish off here:

    Do not install anything unless I ask you to at this point, and refrain from making any system changes.

    Now you failed to address my question:

    delete the below as it is not needed now and is not where it should have been downloaded in the first place

    Do not re-enable until we are finished.

    Now we need to use ComboFix
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    • If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
    • Open Notepad and copy/paste the text in the below quote box. Ensure you scroll down to select ALL the lines:
    Code:
    KILLALL::
    
    DirLook::
    C:\VritualRoot
    
    File::
    c:\windows\system32\REN367.tmp
    c:\windows\system32\REN366.tmp
    c:\windows\system32\REN365.tmp
    
    
    Folder::
    C:\WINDOWS\system32\%S8867~1      
    C:\WINDOWS\system32\%S8867~2
    C:\WINDOWS\system32\%S8867~3 
    C:\WINDOWS\system32\%S8867~4      
    C:\WINDOWS\system32\%S8867~5      
    C:\WINDOWS\system32\%S8867~6      
    C:\WINDOWS\system32\%S8867~7      
    C:\WINDOWS\system32\%S8867~8      
    C:\WINDOWS\system32\%S8867~9     
    C:\WINDOWS\system32\%S886~10      
    C:\WINDOWS\system32\%S886~11     
    C:\WINDOWS\system32\%S886~12     
    C:\WINDOWS\system32\%S886~13     
    C:\WINDOWS\system32\%S886~14      
    C:\WINDOWS\system32\%S886~15      
    C:\WINDOWS\system32\%SSTEM~1      
    C:\WINDOWS\system32\%SSTEM~2      
    C:\WINDOWS\system32\%SSTEM~3    
    C:\WINDOWS\system32\%SSTEM~4     
    C:\WINDOWS\system32\%SYSTE~1     
    C:\WINDOWS\system32\%SYSTE~2     
    C:\WINDOWS\system32\%SYSTE~3     
    C:\WINDOWS\system32\%SYSTE~4      
    C:\WINDOWS\system32\RIVERS~1 
    
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe

      http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below

    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this.

    How are things running now? :)
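The two CFScripts posted above share one plain-text layout: a directive name ending in `::`, followed by the entries it applies to. The following dry-run reviewer is an added example, not part of ComboFix or of this thread; it parses that layout (KILLALL::, File::, DirLook::, Folder::, Registry::) and reports what each section would delete or change, so the plan can be read before the script is dragged onto ComboFix. Directive meanings (KILLALL ends running processes, File and Folder delete the listed paths, DirLook only lists a directory, a Registry line of the form `[-KEY]` removes that key) are assumed from standard CFScript usage, and the sample script is constructed from paths seen in this thread.

```python
import re
from typing import Dict, List

SECTION_RE = re.compile(r"^([A-Za-z]+)::\s*$")
KNOWN = {"KILLALL", "File", "Folder", "Registry", "DirLook"}  # directives seen in this thread
SYSTEM_DIR_RE = re.compile(r"^[a-z]:\\windows\\(system32|syswow64)\\", re.I)

# Constructed sample in the shape of the scripts posted in this thread.
SAMPLE_CFSCRIPT = r"""
KILLALL::
File::
c:\windows\Tasks\ParetoLogic Registration.job
DirLook::
C:\WINDOWS\system32\%S8867~1

Folder::
c:\program files\Viewpoint
C:\WINDOWS\system32\RIVERS~1
Registry::
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{25BC7718-0BFA-40EA-B381-4B2D9732D686}]
"""


def parse_cfscript(text: str) -> Dict[str, List[str]]:
    """Split a CFScript into {directive: [entries]}; a stray entry is an error."""
    sections: Dict[str, List[str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()  # the posted scripts carry trailing spaces
        if not line:
            continue
        match = SECTION_RE.match(line)
        if match:
            current = match.group(1)
            sections.setdefault(current, [])
        elif current is None:
            raise ValueError(f"entry before any directive: {line!r}")
        else:
            sections[current].append(line)
    return sections


def review(text: str) -> Dict[str, object]:
    """Summarise the planned actions (assumed directive meanings, see lead-in)."""
    sections = parse_cfscript(text)
    files = sections.get("File", [])
    folders = sections.get("Folder", [])
    registry = sections.get("Registry", [])
    return {
        "kills_processes": "KILLALL" in sections,
        "files_deleted": files,
        "folders_deleted": folders,
        "inspect_only": sections.get("DirLook", []),  # DirLook:: only lists
        "registry_deleted": [e for e in registry if e.startswith("[-")],
        "registry_written": [e for e in registry if not e.startswith("[-")],
        "unknown_directives": sorted(set(sections) - KNOWN),
        # Deletions under the system directory deserve a second look: 8.3 names like %S8867~1 hide the contents.
        "system_dir_deletes": [p for p in files + folders if SYSTEM_DIR_RE.match(p)],
    }
```

Calling `review(SAMPLE_CFSCRIPT)` returns the plan as a dictionary; anything listed under `system_dir_deletes` or `unknown_directives` is what an operator should confirm with the helper before running the script.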
     
  11. marus

    marus Private E-2

    Hello Kestrel 13,

    The unanswered question about the software in question is a company called Palo-Alto... it is a Business Plan Program writing software, use/d it for school.

Ran the suggested steps, and in general the computer is running much faster than prior to this latest cleaning.

    The error message mentioned earlier has not reappeared.

    I am grateful!

    M
     

    Attached Files:

  12. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    That's better. :)

    Now you can follow final steps:

    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources ( except a little disk space ) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /uninstall
        • Notes: The space between the combofix" and the /uninstall, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
3. Go back to step 6 of the READ ME and re-enable your Disk Emulation software with Defogger if you had disabled it.
    4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
6. If running Vista, it is time to make sure you have re-enabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    7. Go to add/remove programs and uninstall HijackThis.
8. Go to the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders
      related to MGtools and some other items from our cleaning procedures.
    9. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures pointed to by step 7 of the READ ME
        for your Window version and see the instructions to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
10. After doing the above, you should work through the below link:
     
    Last edited: Aug 19, 2010
  13. marus

    marus Private E-2

    Hi Kestrel 13,

    I have done as you requested and am now only holding the CCleaner, Super AntiSpyware, Malware, and reloaded the COMODO.

The system restore has been re-activated, and the Defogger has been removed.

    Not all programs removed as the ideal world would have it as the .Net framework and other issues are still lingering about.

    Feeling strong and appreciating the help.

    M
     
  14. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Topic to further discuss in the software forum :)
     
  15. marus

    marus Private E-2

    Hello Kestrel 13,

    I understand my other issues belong on another site, etc.. I believe I reinfected myself as in trying to find solutions to the other issues I had, while I was unable to get or locate certain supports.

    Thus, I reloaded saved materials from 11-09 as well as went to Microsoft to find solutions, anyway, I hope you will continue your support.

Here is what happened: I did find desperately needed selected data from my 11/09 backup. What happened was the anti-virus caught one going in from my backup. After the backup was finished, Microsoft found a bunch of registration issues, around 2-300.

So I decided to run a full scan with the mal-ware both on my back-up drive as well as my C: drive, and the scan ran for about 3 minutes, then the whole system just shuts off. Then tried running it solely on the C: drive with the same results. Additionally the boot-up also now is claiming to need to find a certain .dll from a recovery spot etc.

So I obviously did a major boo boo and am very disappointed with myself and am humbly asking you to please continue being patient with me.

    On a brighter side many of the materials recovered are in better shape than when I initially contacted Major Geeks.

    I don't know what to say at this point. I need to start anew with this process and do wish to have your continued interest in solving this ongoing issue.

    Thank you ever so much for everything thus far and am wishing your tolerance of my matters can continue on for the duration.

    Sincerely,

    M
     
  16. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Alright then, I need you to start a new thread so that there is no confusion. You can link back to this old thread, for reference.

    You ran a full scan with what exactly? When you say you ran one with mal-ware I take it you mean Malware Bytes?

    Well, move onto the next step which would be SUPERantispyware (have it do a full scan on all drives), RootRepeal, Combofix and MGTools.

Attach what logs you do have and note down any errors that may have occurred. I will try to be the one to take on your new thread, but if someone else comes along and answers you, then work with them as they will help you too. I have a very busy night at work tonight and then up early on Sunday morning, so I cannot do a whole lot until Sunday evening.
     
  17. marus

    marus Private E-2

    Hi Kestrel 13,

Got a few things done, reran everything from the beginning, had to unload comono (bad spelling). Did get both the Super anti-spyware and the malware removal to reclear my C: drive and will go back through the back-up system with both of them. Have a bit of trouble relocating one of the logs to show you but have attached 4 of the 5. Will try to figure it out and get back on a follow-up supplemental reply.

    Am so happy to see things getting back to a more normal appearance.

    Thanks so very much!

    M
     

    Attached Files:

  18. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Marus I did state in my last post that it would be better for you to start a fresh thread and to not piggy back off this one. However, we will continue. Attach the remaining log that I need, the most important one: C:\Mglogs.zip
     
