Numerous malware & configuration changes.

Discussion in 'Malware Help (A Specialist Will Reply)' started by tadpole, Jun 29, 2009.

  1. tadpole

    tadpole Private First Class

    Hallo

    I would be very grateful for some professional help, I cannot clean my computer on my own!

    I was unable to uninstall Avast, which appears to be disabled, or the old Java updates; they appear to have no uninstaller and will not delete.


    I have followed everything in the read and run. Attached are my logs.

    Below are the viruses that had been detected so far, before I ran your tools.

    trojan.agent
    worm.archive
    trojan.vundo
    rogue.installer
    rogue.error.fix
    win32.neptunia-ACL
    microsoft.windows.securitycentre_disabled
    microsoft.windows.security.internetexplorer
    virtumonde.sdn
    mediaplex
    adware.trackingcookie
    rogue.compound/trace

    The main problems have been that my firewall and security were not working properly; I had to turn the firewall on manually. I then could not connect to the internet unless the firewall was turned off. In the firewall exceptions I found 4 entries for uTorrent, which I had not downloaded, and I could not delete them. I found 2 hidden uTorrent files in My Documents and was unable to delete them. The webcam worked but would not broadcast. Icons from my desktop appeared in the task tray when I booted up and, when clicked, said "server busy". Microsoft Installer was regularly running something. Task Manager was altered, and under Admin Tools was the message "The task image is corrupt or has been tampered with. mcupdate". Constant crashes. It took 2 whole days to download and run the tools; my screen kept disintegrating and stalling the machine, despite doing a repair to the Nvidia driver. After changing msconfig to normal I could not boot, and my boot disk could not do a repair, so I had to do a restore. This happened twice.

    I found strange logs in inetpub, including "soapCaller.bs Morfeus+(rude word)+Scanner" with an IP range that I recognised as belonging to a stranger who has been harassing me online for months. The log was dated the same day that I told them I had discovered their real identity and to leave me alone.

    When downloading anti-spyware tools I noticed "copying", as though I was copying a file. Every time I checked my internet connection I found that file sharing was on. When I turned it off, it would be back on at the next boot. Occasionally a Symantec antivirus window popped up.

    Any help will be gratefully received
    Regards
    tadpole
     


  2. tadpole

    tadpole Private First Class

    Here is my 5th log, I hope I have sent it correctly.

    Thank you!
     


  3. dr.moriarty

    dr.moriarty Malware Super Sleuth Staff Member

    Welcome to MajorGeeks, tadpole!

    I am currently reviewing your logs and will get back to you with a set of instructions as soon as possible. Our queue is working the oldest threads first.

    Thanks for your patience.
    dr.m
     
  4. dr.moriarty

    dr.moriarty Malware Super Sleuth Staff Member

    Hello, tadpole

    Question: Are you working a malware thread on another forum? I see other scanning tools and logs - OTL.exe / C:\Rooter$ / C:\Program Files\dds.scr / etc.

    Note: While we appreciate that you very likely posted at multiple forums in order to ensure a response, in the future please do not cross-post. Resources that help perform malware removal are very precious and very limited, and cross-posting only serves to tie up the time of multiple helpers who could be using that time to help someone else who also has problems. If you wish to work this here on Major Geeks, then please post messages at all other forums where you have posted asking them to close the threads so that you do not waste any more resources on duplicate work.

    In the future - choose one forum and stick with that one until they've resolved your problem.


    I will wait for your reply while I am still going over your logs....

    dr.m
     
  5. tadpole

    tadpole Private First Class

    Hallo dr moriarty

    I appreciate your concerns; I am not working a post at any other forum. I have run the scanning tools you mentioned from other forums, in the hope that the combination would clear up all the infections. I have listed what they found. My AVG only found the roaming cookies, but did not clear them. I have not run any "fix it" tools that require a professional helper, like ComboFix, until I came here. I had seen that the forums are busy and was hoping not to have to ask for help, which by now I realise I very much need! I have been going through the audit logs, and something has assigned itself "special logon", taken over most privileges and attempted to disable the audit system.

    Regards
    Tadpole
     
  6. dr.moriarty

    dr.moriarty Malware Super Sleuth Staff Member

    Hello, tadpole


    The below fixes are specific to your problem and should only be used for issue(s) on this machine. Also, please do not install any other software while we are still working with you unless instructed. Once we have given you the all clean and final instructions you will be free to install what you want.
    Questions: Is your copy of Spyware Doctor a paid program or a free trial that does not fix anything? Did you knowingly install FriendFinder Messenger 4? Is it working properly?


    Step 1:
    You have a very old version of Firefox installed - Mozilla Firefox (2.0.0.13)
    Please look in Add/Remove Programs for the following and uninstall if found. If you get any errors just make a note and proceed.
    Step 2:
    Now we need to use ComboFix to tidy up some.
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Make sure you have shut down all protection software (antivirus, antispyware, firewall...etc) programs so they do not interfere with the running of ComboFix. *Remember to re-start them before coming back online.
    • If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
    • Open Notepad and copy/paste the text in the below code box into it (make sure you scroll all the way down in the code box to get all lines selected ):
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
      If it asks you to override the previous file with the same name, click YES.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
      http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below

    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.


    Step 3:
    Open CCleaner - select "Cleaner" > "Run Cleaner" <---use this function ONLY!

    Step 4:
    Now install the latest Sun Java Runtime Environment

    Step 5:
    Then run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, use right click and select Run As Administrator).

    Step 6:
    Please put a copy of the C:\Users\tadpole\AppData\Roaming\Microsoft\Installer\{56B29499-A2B7-44F4-834E-EC5C18C47311}\_69525f90.exe file into a ZIP file and attach it here for me to look at.
    If you don't know how to ZIP a file, you can do the below.
    • Go to start > Run and paste in the following:
    Please attach the below logs to your next reply:
    • C:\MGlogs.zip
    • C:\combofix.txt
    • C:\collect.zip

    Make sure you tell me if you had any problems running this procedure and give a description of how things are working now!

    dr.m
     
    Last edited: Jul 7, 2009
  7. tadpole

    tadpole Private First Class

    Hallo dr. m

    Thank you very much for your reply and instructions.

    I am still unable to uninstall Avast and Spyware Doctor. For Avast I get the message "The installation source for this product is not available. Verify that the source exists and that you have access to it". For Spyware Doctor, I get the error message: file "C:\programfiles\spywaredoctor\inins0000.msg" is missing. Please correct the problem or obtain a new copy of the program. On trying to uninstall Firefox (which I had uninstalled previously), the message said "Uninstaller could not be found, it may already have been deleted". I took the option to delete the entry from Add/Remove Programs.
    Spyware Doctor I downloaded from Google Pack; it did delete what it found. I knowingly installed FriendFinder Messenger, and deleted it when Spyware Doctor picked up that FriendFinder was a known bad site. I never tried it to see if it worked. The old Java files I am still unable to delete; the uninstaller could not be found.

    I rarely view webcam videos, they usually freeze, I do not accept files on messenger. I would be grateful for precautions to be taken.

    I have moved the downloaded files from the C:\program files folder, and left what I think came preinstalled. I made a new file for the programs' .exe files, but when I cut and pasted the files that they had generated (to the new location) in My Documents, I got the message "Destination folder access denied" after a few had been pasted.

    For the past few days I have been unable to access anything on the web, although Yahoo and MSN connected. When I attempted to run ComboFix from my desktop I got the message "ComboFix has expired, do you want to exit or proceed with reduced functionality". I exited and downloaded it onto a memory stick from my old computer. Each time I copied it to my laptop and tried to run it, I was told it was corrupt. On the off chance, I tried to get it directly and managed to connect. I ran ComboFix and was waiting for the log file to "pop up". After quite a few minutes my system "shut down, to avoid damage to the computer". I only managed to write down Bad_pool_header; the technical error code began with "STOP" and various figures that I missed. On booting up I got two little windows, "Windows has recovered from an unexpected shutdown" and "Communications Manager has stopped working". This last message I get almost every time I boot.

    I went to turn my firewall back on, and there are a number of entries again in the exceptions. Most of them begin with "remote".

    My hacker has visited 5 times according to my inetpub logs, the last visit being 29/6/09. I have not been able to access the net again until today, using this machine. An attempt has been made to disable my audit logs. The event logs show "special logon", Subject User SID S-1-5-18, and a list of 12 privileges that the hacker has assigned to his own use. I have found that I am denied access to a number of things, i.e. the Nvidia driver etc. is corrupted and access is denied when I try to reinstall it. I can submit these logs if they would help.

    Attached are the logs you requested, thank you for helping me.

    tadpole

    PS The roaming.zip is the collect.zip
     


  8. dr.moriarty

    dr.moriarty Malware Super Sleuth Staff Member


    Thanks for the explanation of your present problem, tadpole. I'm off to work this morning and will work up a plan of action late tonight.

    dr.m
     
  9. dr.moriarty

    dr.moriarty Malware Super Sleuth Staff Member

    Hello, tadpole

    Your surfing habits of adult sites may have corrupted your operating system. Delete all of those "URL" files from your Desktop and stop accessing sites like this. *They may be the cause of your current problems, which may not be fixable other than by a reinstall.
    I strongly recommend that you clean up your Desktop immediately, leaving only links. Do not store downloads, exe files, iso files, etc. on your Desktop. First, it is not a safe place to keep them (i.e., you may lose them due to malware, and a cluttered Desktop is an easy hiding place for malware), and last but not least it can have an effect on your PC's performance.


    Step 1:
    Your system has also been messed up by installing too many conflicting security programs.
    Please run the below special removers, re-boot, then run them again.

    A. Norton Removal Tool
    Norton Removal Tool (SymNRT) 2009.0.5.26

    B. AVAST! Uninstaller -
    avast uninstall utility
    C. AVG Remover(32bit) and (64bit)
    AVG Remover

    D. Try using this for removing Spyware Doctor, Firefox, and the old Java files.
    Your Uninstaller! 2008

    Step 2:
    Using Windows Explorer - navigate to and delete the following:
    C:\Users\tadpole\AppData\Roaming\Microsoft\Installer\{56B29499-A2B7-44F4-834E-EC5C18C47311}\_69525f90.exe
    C:\Users\tadpole\AppData\Roaming\Microsoft\Installer\{56B29499-A2B7-44F4-834E-EC5C18C47311}\_2cd672ae.exe
    C:\Users\tadpole\AppData\Roaming\Microsoft\Installer\{56B29499-A2B7-44F4-834E-EC5C18C47311}\_16496df1.exe


    Step 3:
    Open CCleaner - select "Cleaner" > "Run Cleaner" <---use this function ONLY!


    Step 4:
    Please attach the inetpub logs where you suspect the presence of a hacker.(copy & paste them into a Notepad.txt or do a screencapture)

    Step 5:
    Then run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, use right click and select Run As Administrator).

    Please attach the below logs to your next reply:
    • C:\MGlogs.zip
    • inetpub logs

    Make sure you tell me if you had any problems running this procedure and give a description of how things are working now!

    dr.m
     
  10. tadpole

    tadpole Private First Class

    Hallo dr.moriarty

    Thank you for your reply and further instructions.

    I was unable to connect to the net using my laptop to download the tools. I used my memory stick after downloading from another computer. All 4 files were corrupted when I tried to run them. I booted into safe mode and was able to connect and download the tools. When I rebooted to run the tools a second time, I got a blue screen. On pressing the Esc button, the machine booted. My screen became so pixelated I could barely read it. I noticed a clear swathe appeared when I moved the mouse, and I was able to "rub out" the pixelation with the mouse, leaving a clear, readable screen. The Your Uninstaller tool worked beautifully. When I rebooted to run the tools a 2nd time, my webcam icon appeared and, when clicked, said "server is busy".

    I have completed the rest of your instructions.

    Attached are the logs you requested. I think the inetpub history has been tampered with; in Event Viewer there are a number of Error IIS-APPHOSTSVC 9010 codes referring to inetpub history. I saved all the "special privilege assigned" events and it records 38 823 of them. It appears the hacker last visited on 1/07/09, which is the last time I connected the laptop to the net, apart from to download your tools.

    I have also attached another set of suspicious hidden Dfsr logs, as they contain not only my e-mail address but one of this hacker's many e-mail addresses. On 8/7/09 I received a taunting e-mail from him.

    :-o There is something I would like to add, but do not wish it to land on google along with the post.

    Thanks again for your help and time.

    tadpole
     


  11. dr.moriarty

    dr.moriarty Malware Super Sleuth Staff Member

    Hello, tadpole

    After conferring with our top malware expert - we cannot find anything in our logs to indicate any problems with a hacker. If you are currently experiencing problems, you must provide us with specifics.

    The only items we see will be taken care of by doing the following. *Note: They have nothing to do with any problems you have mentioned.

    Step 1:
    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    After clicking Fix, exit HJT.


    Step 2:
    Now we need to use ComboFix
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Make sure you have shut down all protection software (antivirus, antispyware, firewall...etc) programs so they do not interfere with the running of ComboFix. *Remember to re-start them before coming back online.
    • If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
    • Open Notepad and copy/paste the text in the below code box into it (make sure you scroll all the way down in the code box to get all lines selected ):
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
      If it asks you to override the previous file with the same name, click YES.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
      http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below

    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.


    Step 3:
    Open CCleaner - select "Cleaner" > "Run Cleaner" <---use this function ONLY!

    Step 4:
    Go to the following link and install one antivirus and one firewall now from our recommended listings. How to Protect yourself from malware!

    Step 5:
    Now go to this link MGTools and download the new version of MGtools....overwrite your previous MGtools.exe file with this one.

    Then run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, use right click and select Run As Administrator).

    Please attach the below logs to your next reply:
    • C:\MGlogs.zip
    • C:\combofix.txt

    Make sure you tell me if you had any problems running this procedure and give a description of how things are working now!

    dr.m
     
  12. tadpole

    tadpole Private First Class

    Hallo dr. moriarty

    Thank you for the instructions of yesterday.

    I had some trouble running ComboFix. I had crashes, and it was not doing all the sequences as per the guide. I ended up running it 3 times, as when I tried to access the log made, I got a window: "Explorer.exe Illegal operation attempted on registry key that has been marked for deletion". After a crash whilst waiting for the log to be made, the message was: "Windows was shut down to avoid damage to the system. error catchme.sys". After the 3rd run, I was able to access the 3 sets of logs, which I will attach.

    I have had my webcam icon appearing in the system tray after I have rebooted, even though I had right clicked and closed the webcam program. It said "server busy."

    I downloaded Comodo antivirus and updated it last night; today it said that it had never been updated, and each time I tried, it either stuck at 30% or did nothing at all.

    I managed the MGtool on the second attempt, I got a pixelated screen on the first try.

    I am still denied access to various things.

    Quote :After conferring with our top malware expert - we cannot find anything in our logs to indicate any problems with a hacker. If you are currently experiencing problems, you must provide us with specifics.

    Please let me know what 'specifics' you require, as I am getting confused now. I have written down exactly what was on the Event Viewer details (friendly view), dated 29/5/09 and 30/5/09, of the special logon where privileges were assigned, when I suspect I was hacked. I have other details of my alleged hack; I just need to know what you require.

    Thank you again.

    Regards
    tadpole





    The screen is sometimes
     


  13. dr.moriarty

    dr.moriarty Malware Super Sleuth Staff Member

    Hello, tadpole

    First: None of your logs show any malware present. Keep in mind that "Files and Folders" are now set by our tools to be no longer hidden...could that explain why you're now seeing things that were hidden before? If you think you see a problem in the logs - please Copy & Paste that exact information into your next reply. Also special login is what the Windows OS uses (like Network Services and System) and it is not a problem.

    Secondly: Why are you installing and running applications from C:\Users\tadpole\Documents\MY DOWNLOADS\ rather than in C:\Program Files?

    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Make sure you have shut down all protection software (antivirus, antispyware, firewall...etc) programs so they do not interfere with the running of ComboFix. *Remember to re-start them before coming back online.
    • If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
    • Open Notepad and copy/paste the text in the below code box into it (make sure you scroll all the way down in the code box to get all lines selected ):
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
      If it asks you to override the previous file with the same name, click YES.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
      http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below

    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.


    Please attach the C:\combofix.txt and tell me if you have your privileges back. *Continue to describe any current problems.

    dr.m
     
  14. tadpole

    tadpole Private First Class

    Hallo dr moriarty

    Thank you for the further instructions.

    I moved my programs, apart from the preinstalled ones, to C:\Users\tadpole\Documents\MY DOWNLOADS\ after reading the following in one of your posts to me:

    Quote:
    *Notes! You have two anti-virus programs installed -- a huge No-No! Please choose which you wish to keep and uninstall the other immediately.

    I hope that you are aware of necessary precautions when viewing certain Webcam videos.

    I strongly recommend that you stop downloading files to the C:\Program Files folder and to move the ones you have already saved there to someplace else.

    Regarding my being suspicious of the inetpub logs, the file had been modified on 27/05/09. There are only 5 logs in there and the 1st one has a suspicious name :

    #Software: Microsoft Internet Information Services 7.0
    #Version: 1.0
    #Date: 2009-05-29 15:31:13
    #Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
    2009-05-29 15:31:13 67.209.100.189 GET /user/soapCaller.bs - 80 - 200.68.8.77 Morfeus+****ing+Scanner 500 19 3 4368
    #Software: Microsoft Internet Information Services 7.0
    #Version: 1.0
    #Date: 2009-05-29 17:02:33
    #Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
    2009-05-29 17:02:33 127.0.0.1 POST /CFIDE/main/ide.cfm CFSRV=IDE&ACTION=IDE_DEFAULT 80 - 127.0.0.1 cfssvradmin 500 19 3 20788

    The second one has the IP range that my harasser has, namely 201.92.12.140, from the same ISP he usually uses, Telecomunicacoes De Sao Paulo S.A - Telesp in Brazil:

    #Software: Microsoft Internet Information Services 7.0
    #Version: 1.0
    #Date: 2009-05-30 10:17:07
    #Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
    2009-05-30 10:17:07 67.209.100.186 GET / - 80 - 201.92.12.140 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+6.0;+GTB6;+SLCC1;+.NET+CLR+2.0.50727;+.NET+CLR+3.0.04506) 500 19 3 43697
    2009-05-30 10:17:17 67.209.100.186 GET / - 80 - 201.92.12.140 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+6.0;+GTB6;+SLCC1;+.NET+CLR+2.0.50727;+.NET+CLR+3.0.04506) 500 19 3 147
    2009-05-30 10:17:25 67.209.100.186 GET / - 80 - 201.92.12.140 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+6.0;+GTB6;+SLCC1;+.NET+CLR+2.0.50727;+.NET+CLR+3.0.04506) 500 19 3 28
    2009-05-30 10:19:15 67.209.100.186 GET / - 80 - 201.92.12.140 - 500 19 3 62

    The custerr and log files in inetpub were created on 27/05/09. The custerr file contains a file called en-US that was modified on 27/05/09 and everything in it was modified on 27/05/09 as follows : Unfortunately when I try to paste, the paste is greyed out.


    Upon entering into search the e-mail address gabriel_asantos@hotmail.com that appears in the DFSR logs, an address that this person uses, Comodo quarantined 2 ApplicUnsafe.Win32.Hide~AB@5325787 files originating from
    C:\32788R22FWJFW\n.pif, which popped up when I tried to start ComboFix: "Windows cannot access the specified device, path or file. You may not have the appropriate permissions to access the item". I therefore am unable to copy and paste that log.

    The reason I am suspicious of these logs on that date:

    A person using that ip range, that ISP, has been trying to get me to send "customers" to his fake websites, with fake ccbill and paypal options, in order to steal their credit card information. I found out his real name and told him so, at the end of May. I therefore did not think these logs were a coincidence, nor did I think all the computer problems I began to have were coincidental. I could be wrong, as I am no expert at deciphering logs.

    Comodofix, I was unable to run as per the message above. I ran it in safe mode, and when it rebooted into the usual mode I got the following:
    Preparing log report.
    Do not run any programs until combofix has finished.
    Access Denied

    I ran it again in safe mode, and when it rebooted, I pressed f8 for safe mode, and got the log which is attached.

    Yesterday I uninstalled programs that were not working, such as Adobe Reader and Adobe Flash, Windows Office, and a few others. I had to use Your Uninstaller. Not all the files could be deleted - Reader 8.0 and Reader 9.0.
    After running Combofix, I am still denied access when I try to delete them.



    Since doing the last Combofix, when I try to do advanced searches for some things, I click on advanced and the screen does a little jump. Same happens each time and I cannot do the search.

    Thanks for all the help you are giving me dr.m, I am appreciating it.

    Regards
    tadpole
     


  15. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Morfeus is a scanner that looks for vulnerabilities in PHP-based web sites. This is not really a malware problem. It is possibly an issue with vulnerabilities in software you use or a web server you have set up. These scans are still quite common. You need to make sure you have proper protection (a good bidirectional firewall like you added from Comodo, and it would be a great idea to have a hardware firewall like the one in a router if you do not have one already). Also make sure all software has been updated, and you will need to look for issues in any of your website code. You can read lots of info on these scans and possible solutions in links like the below:

    http://stateofsecurity.com/?p=467
    Update on Morpheus Scanner
    http://ekle.us/index.php/2007/01/weird_server_logs_find

    Again this is not a malware issue. If someone is getting into your PC from outside, it means you have opened doors to allow them to get in and your protection or what you have set up on your PC is a problem. Who added the LogMeInRemoteUser account and gave it admin privileges?


    False detections since this is part of ComboFix and you are supposed to have protection disabled before trying to run ComboFix.


    Again this would still not be considered malware. It is classified with scamming, phishing, spamming, etc. If someone has picked up your email address that you may have posted somewhere, you could get added to literally thousands of lists in a couple of days. And if you respond to any of them, you are just confirming that your email address is still valid, which means it will get added to more lists and you will have more junk sent your way.

    Quote: Comodofix, I was unable to run as per the message above.

    You mean ComboFix and it cannot run if you still have protection enabled.

    Manually delete files from the deepest-level folder first and work your way back towards the top. This is also not a malware problem. You can work issues like this in the Software Forum.

    dr.m will continue working with you to cleanup a few miscellaneous items and then give you final instructions which will work towards getting proper protection on your PC too.
     
    Last edited: Jul 23, 2009
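    The triage chaslang describes above, written out as an added example (this is not code from the thread or from the helpers, and the comments on interpretation are this example's): parse the IIS W3C extended log format tadpole posted, decode its '+' (space) and '-' (empty) conventions, flag user agents of known vulnerability scanners, and record per client IP whether any request was actually served. The sample lines are copied from the log excerpts in this thread (with the poster's redaction of the user agent); the scanner names other than Morfeus are assumptions added for illustration.

```python
"""Triage IIS W3C extended log entries: separate automated vulnerability
scanners from ordinary browsers and note whether anything was actually served.

Added example, not code from the forum thread. The sample log lines are copied
from the excerpts posted in the thread (user agent redacted by the poster).
"""
from collections import defaultdict
from dataclasses import dataclass, field

# User-Agent substrings of web vulnerability scanners. "Morfeus" is the one
# seen in this thread; "ZmEu" and "Nikto" are added here as further examples
# of the same class (assumption, not from the original post).
SCANNER_UA_MARKERS = ("morfeus", "zmeu", "nikto")

# Constructed from the log excerpts quoted in the thread; IIS writes a fresh
# header block (including '#Fields:') each time it starts a new log file.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 7.0
#Version: 1.0
#Date: 2009-05-29 15:31:13
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2009-05-29 15:31:13 67.209.100.189 GET /user/soapCaller.bs - 80 - 200.68.8.77 Morfeus+****ing+Scanner 500 19 3 4368
#Software: Microsoft Internet Information Services 7.0
#Version: 1.0
#Date: 2009-05-29 17:02:33
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2009-05-29 17:02:33 127.0.0.1 POST /CFIDE/main/ide.cfm CFSRV=IDE&ACTION=IDE_DEFAULT 80 - 127.0.0.1 cfssvradmin 500 19 3 20788
#Software: Microsoft Internet Information Services 7.0
#Version: 1.0
#Date: 2009-05-30 10:17:07
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2009-05-30 10:17:07 67.209.100.186 GET / - 80 - 201.92.12.140 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+6.0;+GTB6;+SLCC1;+.NET+CLR+2.0.50727;+.NET+CLR+3.0.04506) 500 19 3 43697
2009-05-30 10:17:17 67.209.100.186 GET / - 80 - 201.92.12.140 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+6.0;+GTB6;+SLCC1;+.NET+CLR+2.0.50727;+.NET+CLR+3.0.04506) 500 19 3 147
2009-05-30 10:17:25 67.209.100.186 GET / - 80 - 201.92.12.140 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+6.0;+GTB6;+SLCC1;+.NET+CLR+2.0.50727;+.NET+CLR+3.0.04506) 500 19 3 28
2009-05-30 10:19:15 67.209.100.186 GET / - 80 - 201.92.12.140 - 500 19 3 62
"""


def parse_w3c(text):
    """Parse W3C extended log text into a list of dicts keyed by field name.

    A '#Fields:' directive names the columns for the rows that follow; other
    '#' lines are metadata. In rows, '-' marks an empty field and '+' stands
    for a space (IIS writes it that way in the User-Agent), so both are decoded.
    """
    fields = []
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#"):
            continue
        values = line.split()
        if len(values) != len(fields):
            # Truncated or malformed row: skip it rather than misalign columns.
            continue
        records.append({
            name: ("" if value == "-" else value.replace("+", " "))
            for name, value in zip(fields, values)
        })
    return records


def is_scanner(user_agent):
    """True when the User-Agent announces a known vulnerability scanner."""
    ua = user_agent.lower()
    return any(marker in ua for marker in SCANNER_UA_MARKERS)


@dataclass
class ClientSummary:
    requests: int = 0
    paths: set = field(default_factory=set)
    scanner: bool = False
    served: bool = False  # any response below HTTP 500, i.e. IIS handled it


def summarize(records):
    """Group requests by client IP (c-ip); flag scanners and whether any
    request got a non-5xx answer. A run of 500s means the server failed to
    serve anything, which says nothing about a successful intrusion."""
    summary = defaultdict(ClientSummary)
    for rec in records:
        s = summary[rec["c-ip"]]
        s.requests += 1
        s.paths.add(rec["cs-uri-stem"])
        if is_scanner(rec["cs(User-Agent)"]):
            s.scanner = True
        if int(rec["sc-status"]) < 500:
            s.served = True
    return dict(summary)


if __name__ == "__main__":
    for ip, s in summarize(parse_w3c(SAMPLE_LOG)).items():
        kind = "scanner" if s.scanner else "browser/other"
        outcome = "some requests served" if s.served else "every request failed (5xx)"
        print(f"{ip:16} {s.requests:3} req  {kind:14} {outcome}  {sorted(s.paths)}")
```

    Run on the posted excerpts, the Morfeus line is classified as an automated scanner probing for a PHP SOAP endpoint, and every request from every client, browser or scanner, received HTTP 500, so IIS served nothing in this sample.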
  16. tadpole

    tadpole Private First Class

    Hallo Chaslang

    Thanks for the explanation about the things that were worrying me, and the links you supplied.

    I downloaded Log Me In, at the request of my ISP, so that a technician could check if it was my settings that were causing my connection to keep dropping. I uninstalled it after my settings had been checked.

    I had turned off Comodo before doing the Combofix.

    I will go and read those links now.
    Thank you

    tadpole
     
  17. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    But the account may still be there and there are drivers for it still on your PC. You need to go to Control Panel, User Accounts and delete this account if it shows up. If it does not show, just delete the folder for it under C:\Documents and Settings.
     
  18. tadpole

    tadpole Private First Class

    Hallo chaslang,

    Thanks for your reply. I have deleted the logmein files.

    Regards
    tadpole
     
  19. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll (file missing)
    O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)

    After clicking Fix, exit HJT.



    Now download The Avenger by Swandog46, and save it to your Desktop.
    • Extract avenger.exe from the Zip file and save it to your desktop
    • Run avenger.exe by double-clicking on it.
    • Do not change any check box options!!
    • Copy everything in the Quote box below, and paste it into the Input script here: part of the window:
    • Now click the Execute button.
    • Click Yes to the prompt to confirm you want to execute.
    • Click Yes to the Reboot now? question that will appear when Avenger finishes running.
    • Your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt and it will popup for you to view when you login after reboot.
    Also delete all files in the below folders except ones from the current date (Windows will not let you delete the files from the current day).
    C:\Windows\temp
    C:\Users\tadpole\AppData\Local\temp

    Now run Ccleaner. Only use the Run Cleaner button. Do not run anything else on any other forms.

    Now download the current version of MGtools and save it to your root folder. Overwrite your previous MGtools.exe file with this one.

    Run MGtools.exe ( Note: If using Vista make sure UAC is still disabled. Also don't double click on it, use right click and select Run As Administrator )


    Then attach the below logs:
    • C:\avenger.txt
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
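The two O2 lines above are HijackThis reporting Browser Helper Objects whose DLL is gone ("file missing" / "no file"). As an added example, not part of the original thread or of HijackThis, the PowerShell below enumerates the registered BHOs and flags the same condition. It assumes the standard BHO and CLSID registry locations; whatever CLSIDs it lists are from the machine it runs on, not the ones quoted above.

```powershell
# Added example: list Internet Explorer Browser Helper Objects (the HijackThis
# "O2" lines) and flag entries whose DLL is missing from disk. Assumes the
# standard BHO registration keys; run from an elevated PowerShell session.
function Get-OrphanedBho {
    $bhoRoots = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
    )
    foreach ($root in $bhoRoots) {
        if (-not (Test-Path $root)) { continue }
        foreach ($bho in Get-ChildItem -Path $root) {
            $clsid = $bho.PSChildName
            # Resolve the COM server DLL through the CLSID key (64-bit and 32-bit views)
            $serverKeys = @(
                "HKLM:\SOFTWARE\Classes\CLSID\$clsid\InprocServer32",
                "HKLM:\SOFTWARE\Classes\Wow6432Node\CLSID\$clsid\InprocServer32"
            )
            $dll = $null
            foreach ($k in $serverKeys) {
                if (Test-Path $k) {
                    $dll = (Get-ItemProperty -Path $k).'(default)'
                    if ($dll) { break }
                }
            }
            # Friendly name is the default value of the CLSID key, if any
            $name = $null
            $nameKey = "HKLM:\SOFTWARE\Classes\CLSID\$clsid"
            if (Test-Path $nameKey) { $name = (Get-ItemProperty -Path $nameKey).'(default)' }
            # Expand %ProgramFiles%-style paths and strip quotes before checking the file
            $path = if ($dll) { [Environment]::ExpandEnvironmentVariables($dll.Trim('"')) } else { $null }
            $status = if (-not $dll) { 'no file' }
                      elseif (-not (Test-Path -LiteralPath $path)) { 'file missing' }
                      else { 'present' }
            [pscustomobject]@{ CLSID = $clsid; Name = $name; Dll = $path; Status = $status }
        }
    }
}

# Show only the entries HijackThis would report as "(no file)" or "(file missing)"
Get-OrphanedBho | Where-Object { $_.Status -ne 'present' } | Format-Table -AutoSize
```

Orphaned entries like these are leftovers of an uninstall or a removal and are safe to clear from the BHO key; an entry whose DLL is present is the one to examine before touching it.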
     
  20. tadpole

    tadpole Private First Class

    Hallo chaslang

    Thanks very much for the latest instructions.

    I had uninstalled most of the software that I can download again, as a lot of it was corrupted, and needed Your Uninstaller 2008.

    Comodo Internet Security was reporting that the firewall was not working properly, and registered an Unknown Account in security. I uninstalled it and reinstalled. I got the same report again.

    My computer is now running much better, thank you.

    Problems that are occurring now.

    1. Non plug and play driver adfs :

    This device is not present, is not working properly, or does not have all its drivers installed. (Code 24)

    Click 'Check for solutions' to send data about this device to Microsoft and to see if there is a solution available.


    2. Adobe reader 8 and 9 file folder:

    I cannot delete, access denied.

    C:\Users\tadpole\Documents\MY DOWNLOADS\kill\Reader 9.0\Resource\CMap
    C:\Users\tadpole\Documents\MY DOWNLOADS\kill\Reader 8.0\Resource\CMap

    I took ownership, and access is still denied.

    3. chkdsk /f is still stopping half way through and reporting an unknown error.



    Attached are today's logs. Thanks again,

    tadpole
     

    Attached Files:

    Last edited: Jul 29, 2009
  21. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I still see the LogMeInRemoteUser user account in your logs. Are you sure you deleted it using Control Panel -> User Accounts?

    You can continue to work removing this in the Software Forum as this is not a malware issue.

    Not sure what you are referring to.

    Possibly this is correct and is just referring to the fact that you still have the LogMeInRemoteUser account showing but there are no folders for it anymore.

    These are items you should work in the Software Forum. But note, sometimes to delete folders, you need to go all the way down to the deepest folder and delete all files. Then delete the folder. And then work your way back up to higher and higher levels.


    Your logs are clean.

    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources ( except a little disk space ) until you run a scan.
    2. If we used Pocket Killbox during your cleanup, do the below
      • Run Pocket Killbox and select File, Cleanup, Delete All Backups
    3. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /u
        • Notes: The space between the combofix" and the /u, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
    4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    7. Go to add/remove programs and uninstall HijackThis.
    8. Go to the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    9. If you are running Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures in step 3 of the READ ME for your Windows version and see the instructions to Disable System Restore, which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    10. After doing the above, you should work through the below link:
     
  22. tadpole

    tadpole Private First Class

    Hallo chaslang,

    I would like to thank you and dr. moriarty very very much for all the time, patience and help you have both given me. I am most grateful.

    The logmein was not under user accounts, and I did go to the root of adobe 8 and 9, it was when I got to Cmap that access was denied. I will go to the software forum if I am still unable to get rid of them.

    Thanks again, you are both great!

    :grouphug
    tadpole
     
  23. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome. Surf safely!
     
