Old Napster Virus - or viruses?

Discussion in 'Malware Help (A Specialist Will Reply)' started by mommysews, Aug 9, 2009.

  1. mommysews

    mommysews Private E-2

    Hello!

    I'll give you a brief history ... no problems with my system for quite a long time. Installed an update of Online Armor - Lexmark printer quit working. Nothing I did - added, removed, changed - could get the printer and computer to speak to each other again. Hated the Lexmark anyways. Switched to a HP printer. Uninstalled Online Armor just to be safe - didn't want to have it interfere with printer ... intended to get a new Firewall ... ooops ... forgot about it. Still no trouble though.

    Have a CD-Rom of top 100 songs of the 80's that my brother made for me as a Christmas gift a few years ago. Data CD, so wouldn't play on my Cd player. Came across disk a few days ago. Decided to try and see if I could load it to iTunes and to my iPod (I'm new to this). Worked fine for a few songs (ya!) ... then computer started acting erratically ... fooled with it until I had 65 songs loaded before iTunes and the computer basically went wacky and now is barely running.

    I'm wondering if one (or more) of those files might have been infected?
    I will run the clean-up steps ... but I'm feeling pretty nervous.
    I think that some of the files were downloaded from the internet - I'm guessing 2003-4 ... Was Napster a known infection site? Or have I likely just used up too much of my computer memory?

    Thanks a bunch!
    Julia
     
  2. mommysews

    mommysews Private E-2

    I have run all of the cleaning procedures ... one Trojan found by MalwareBytes.

    I have attached the MGTools.zip log, the MBAM log and the SAS Log. ComboFix would not open for me (I tried deleting and redownloading) with the error about windows not being able to find the program to open the file with extension "nircmd.cfexe". Likewise, I could not get Root Repeal to open with the error message saying that it could not load the needed driver.

    I figure that I still have a problem ... and that is why my computer is basically almost at a standstill and my explorer hangs continually while loading.

    Any help most appreciated!
    Thanks! Julia
     


  3. mommysews

    mommysews Private E-2

    Hi!

    I don't mean to make this a bump ... but I'm not sure how to add to previous messages...
    Anyways ... I've been fooling around with it and have finally been able to get both ComboFix and RootRepeal to work by downloading them under my husband's user account and accessing the files from my own (Administrator) account. They wouldn't work if I tried to access them through the same user account that downloaded them.

    Anyways ... logs attached ... that is the point of this message.

    Thanks again, Julia
     


  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Before we can continue, I need to know which user account you are trying to clean. You mentioned various problems running tools and the tools need to be run with accounts having administrator privileges for them to run most effectively. You cannot get the same full effect by running the scans from a different user account than the account that you want to clean. Doing it that way will potentially clean problems in common file areas and common registry keys but it will not fully scan other user account areas.

    Based on the logs you attached, you ran things under the Steve user account which is a Restricted User account which could explain some of your issues. But is this the user account you wanted to clean? Is this the user account that you use and wanted to clean?

    Also note that you are extremely out of date with your copy of SUPERAntiSpyware and are also somewhat out of date with Malwarebytes. Thus to be safe, do the below on the user account you want to clean.

    • Please uninstall your current version (this is necessary).
    • Then download this SUPERAntiSpyware
    • Install this new version. It may tell you that you need to reboot to complete the installation. You must reboot at this time.
    • After the reboot, run SUPERAntiSpyware and immediately click the Check for Updates button to get more updates for the database.
    • Now run a new full scan of your system. And attach this new log.
    Now run Malwarebytes and click the Update tab. Then click the Check for Updates button so you update to the current version of the program and database. Then run a new scan with it too. Attach the new log.
     
  5. mommysews

    mommysews Private E-2

    Thanks for your reply!

    I am surprised that my SuperAntiSpyware is out of date. I update and run it weekly ... or is that often considered out of date? Hmmm...

    Okay, I did the Read & Run again from the Admin account. I had attempted to run portions of it previously from other user accounts as the admin account has been giving me major headaches.

    I have attached the logs below. However, Malware Bytes would not complete this time. I received the Run Time Error 5 - Invalid Procedure Call or Argument - I tried uninstalling and reinstalling MalwareBytes, but to no avail. It always seemed to get to this point when the display showed it to be scanning C:\windows\system32\itiimg3.dll

    Also - my Spyware Blaster has more than once had the protection for antimalwareguard.com disabled ... but not by me.

    Okay ... I will await your advice on my next steps.

    Again, Thank you very much for giving of your time and expertise!
    Julia
     


  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Why did you create a new user account when you already had this account mom2many where you previously had posted this thread: http://forums.majorgeeks.com/showthread.php?t=179547

    You are only updating the Core and Trace databases when you click the update button. This does not update the actual program version. You need to watch for program version updates and then uninstall the old version and install the new one like I had you do. This is the only way to get the program version updated (at least with the free version).

    You do not have your PC in normal startup mode as requested in step 4 of the READ & RUN ME which said the below
    You need to do this now before we can continue since it impacts our ability to provide proper and complete fixes. I will attempt to get you started on a fix but if you still do not have your PC in normal startup mode when we get the next set of logs, we will not be able to continue.


    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (file missing)
    O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (file missing)
    O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (file missing)

    After clicking Fix, exit HJT.

    Now we need to use ComboFix to remove a bunch of malware files.
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    • If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
    • Open Notepad and copy/paste the text in the below quote box into it:
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below
    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    Now run Ccleaner. Only use the Run Cleaner button. Do not run anything else on any other forms.

    Now download the current version of MGtools and save it to your root folder. Overwrite your previous MGtools.exe file with this one.

    Run MGtools.exe ( Note: If using Vista make sure UAC is still disabled. Also don't double click on it, use right click and select Run As Administrator )

    Now attach the below log:
    • C:\ComboFix.txt
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
    Last edited: Aug 19, 2009
  7. mommysews

    mommysews Private E-2

    I am SO sorry! Back in January, in a moment of utter frustration, when I couldn't remember my log-in or password, I created that other user account ... and then I couldn't figure out how to delete it. :o( I am sorry. I haven't used it since.

    I am sorry. My mistake. I didn't even check that. When I read the instructions, I assumed that "normal" was the default, and if I hadn't purposely changed it (and I don't remember doing so) that it would just be in "normal". I am sorry if this created extra work or hassle.

    You must get so frustrated with people like me .... :o( Again, I apologise.

    All was done as requested. I did run ComboFix as advised - but twice as it "hung up" on some part after the reboot.

    My logs are attached.

    The difference in my computer now is amazing! Wahoo!
    I hope that the logs are now clean.
    I can see in the files to be deleted that it must have been our 8-year-old son (Simon) that stumbled into the "bad stuff". He is supposed to have limited internet access ... however one day he announced to me that he had "googled" Popular Mechanics for Kids ... I told him not to google anything (!!) and left it at that. I think I'll try and get that Glubble browser running for our kids from now on! And, I'll reload a firewall ...

    Thank you for your patience with my ineptitude and your support in solving my problems. It is very much appreciated.
    Julia
     


  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome.

    You are basically clean now but you have some leftovers to clean up from Avast, Symantec, Online Armor, and Comodo which are no longer installed. Also I have other suggestions.


    I strongly advise you to clean up your Desktop. Remove everything but links to run programs. Do not download and save programs here and definitely do not use it for long term storage. You need to keep ComboFix.exe here for now as we need it, but we will be removing it when we are finished with your cleanup. A cluttered Desktop is malware's playground and it can also cause performance degradation.
    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O23 - Service: BOCore - COMODO - C:\Program Files\Comodo\CBOClean\BOCORE.exe
    O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe (file missing)
    If you get any error messages about removing the above services just click OK and continue.
    After clicking Fix, exit HJT.

    Now we need to use ComboFix to remove a bunch of malware files.
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    • If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
    • Open Notepad and copy/paste the text in the below quote box into it:
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below
    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.


    Now run Ccleaner. Only use the Run Cleaner button. Do not run anything else on any other forms.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:
    • C:\ComboFix.txt
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
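The HijackThis lines chaslang has Julia select in posts 6 and 8 are the ones whose backing file is gone ("(file missing)" or "(no file)") or whose owning product has been uninstalled. As an added example, not part of the thread and not code from HijackThis or MGtools, here is a small Python triage script that parses O2/O3/O23/R3 lines of that form, flags the orphaned ones, and builds the `sc stop` / `sc delete` pair for an O23 service that shows its service name in parentheses. The sample log is constructed from lines quoted in this thread; the function and class names are my own.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample built from the HijackThis entries quoted in this thread;
# it is not one of the attached logs.
SAMPLE_HJT = r"""
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (file missing)
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O23 - Service: BOCore - COMODO - C:\Program Files\Comodo\CBOClean\BOCORE.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe (file missing)
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
"""

# "<section> - <kind>: <name> - <ident> - <target>"; the target may carry a marker.
ENTRY_RE = re.compile(r"^(?P<section>[A-Z]\d+) - (?P<kind>[^:]+): (?P<rest>.*)$")
SHORT_NAME_RE = re.compile(r"\((?P<short>[^()]+)\)\s*$")
MISSING = " (file missing)"
NO_FILE = "(no file)"

@dataclass
class HjtEntry:
    section: str          # "O2", "O23", ...
    kind: str             # "BHO", "Service", "URLSearchHook", ...
    name: str             # display name as HijackThis prints it
    ident: str            # CLSID for O2/O3/R3, vendor/owner for O23
    path: Optional[str]   # backing file; None when HijackThis found none registered
    orphaned: bool        # True when the file is missing or no file is registered

def parse_entry(line: str) -> Optional[HjtEntry]:
    """Parse one HijackThis line; returns None for lines of another shape."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    parts = m.group("rest").split(" - ")
    if len(parts) < 3:
        return None
    # Take ident and target from the end so a display name containing " - " survives.
    name, ident, target = " - ".join(parts[:-2]), parts[-2], parts[-1]
    if target == NO_FILE:
        return HjtEntry(m.group("section"), m.group("kind"), name, ident, None, True)
    if target.endswith(MISSING):
        return HjtEntry(m.group("section"), m.group("kind"), name, ident, target[:-len(MISSING)], True)
    return HjtEntry(m.group("section"), m.group("kind"), name, ident, target, False)

def orphaned_entries(log_text: str) -> List[HjtEntry]:
    """Entries whose backing file HijackThis could not find: candidates for Fix."""
    parsed = (parse_entry(l) for l in log_text.splitlines() if l.strip())
    return [e for e in parsed if e is not None and e.orphaned]

def service_short_name(entry: HjtEntry) -> Optional[str]:
    """O23 lines show the service name in parentheses when it differs from the display name."""
    m = SHORT_NAME_RE.search(entry.name)
    return m.group("short") if m else None

def sc_cleanup_commands(entry: HjtEntry) -> List[str]:
    """The stop-then-delete pair from post 10, for any O23 entry that exposes its service name."""
    short = service_short_name(entry) if entry.section == "O23" else None
    if short is None:
        return []  # confirm the real service name in services.msc before touching it
    return [f"sc stop {short}", f"sc delete {short}"]

if __name__ == "__main__":
    for e in orphaned_entries(SAMPLE_HJT):
        print(f"{e.section} {e.kind}: {e.name} -> {e.path or NO_FILE}")
    lex = parse_entry(SAMPLE_HJT.strip().splitlines()[-1])
    print("\n".join(sc_cleanup_commands(lex)))
```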
     
  9. mommysews

    mommysews Private E-2

    Hello again,

    I am sorry to take so long in replying. We were away on a family vacation for 2 weeks.

    Okay ... As you requested/suggested ...

    I did a big clean up of my desktop. It should be much better now.

    I ran the MGTools HJT as you advised. I see that the log says that my Avira is out-of-date ... this is because we were away for two weeks and I was having some difficulty getting the updates to download. I stopped trying and did the things that you requested instead. I have now downloaded those Avira updates without any trouble.

    I ran the ComboFix - it gave me some difficulty ... although I think it may have been a problem with installing an update. An "installation failed" message popped up in the middle of the screen and then went away. It opened differently than I expected from past runs. After a few more attempts and some rebooting it ran as expected. I have attached the log.

    I ran CCleaner - no problems.

    The C:\MGtools\GetLogs.bat gave me some trouble, but after a couple of attempts, I think it ran successfully. Logs attached.

    I was premature in saying that things were running much more smoothly. I am having real trouble logging on to the internet and with programs stalling and not functioning as expected.
    I know that my Memory is low - but the problems began at a time when I didn't really do much different in the way of usage (no downloads or suspicious surfing, etc..). I still wonder if those music files may have been compromised in some way as they have behaved differently than any other files I have ever used (ie iTunes shows them in the Music Library, but then can't find them, and all of my trouble began when I tried adding them - and, yes, I have deleted and redownloaded iTunes completely as it stopped functioning altogether at one point).

    It "feels like" something is wrong there ... not very scientific, eh?

    I can see two processes called LEXBCES.EXE and LEXPPS.EXE running in my Task Manager ... are these Lexmark files? I no longer run a Lexmark printer and have tried to delete all parts of those files that I can find. A search shows up nothing - yet those processes continue to run and restart even if I shut them down from Task Manager.

    Also, I have multiple instances (2-3) of iExplore.exe running each time I open Internet Explorer, even when I only have one window or tab open in IE. Should this be?

    I also see 10 instances of a process called SVCHOST.EXE running at all times. Is this good or bad?

    It seems that I have 53-55 processes running at all times when I log onto windows ... is this too many? It seems a ton, when I am not "actively" running any programs beyond my desktop and the "background" Malware programs (and all those HP Printer processes).

    Finally (whew!), I can still see ZoneAlarm, HouseCall 6.6 and SunBelt showing up even though I no longer use these and have "uninstalled" them through Add/Remove Programs.

    Again, thank you for taking the time to help me. I will wait patiently (promise!) until you have a chance to look at my system again.

    Julia
     


  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    MGtools does not say anything about this. I assume you meant ComboFix. Keeping your software up to date is just something you need to stay on top of.

    I'm not sure what you mean by "stalling" and "not functioning as expected". Your logs are clean. Your problems may just be related to what you still have installed, what you had installed and then uninstalled (like Online Armor, Sunbelt, ZoneAlarm...etc) and what you had installed that we had to cleanup. You had things from Symantec and Comodo installed while other security programs were installed. Also you have Avira and a BETA program (IObit Security 360). Beta programs are called beta because they can be flaky. Personally, I would not run this program even though they imply it is okay to run with other antivirus programs.

    Also the software you have installed from your ISP has been known to cause problems in the past. See: http://searchtasks.answersthatwork.com/tasklist.php?File=MotiveSB

    Unknown but since your PC does not show any infections, this is probably not a malware issue anyway. If you don't trust these items then delete them and uninstall any software you loaded to play them.

    Yes. Not a malware issue. You are still loading the service:
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE

    You caused many of these problems yourself by using MSconfig to control startups/services and then you uninstalled the software while these were still in MSconfig. This was explained in the READ & RUN ME as one of the many reasons why MSconfig should not be used. You need to stop and delete the service. You can do this by running the below from a command prompt window

    sc stop LexBceS
    sc delete LexBceS

    Normal with IE8

    "I also see 10 instances of a process called SVCHOST.EXE running at all times. Is this good or bad?"
    Can be quite normal with all the items you are loading at startup. 6 to 8 is quite typical. I have 7 right now.

    The process count will obviously be related to the software you run. It is not a problem unless the processes are slowing your PC down. Either way, it is not a topic for the malware forum unless you have malware processes. The READ & RUN ME gave you a link explaining How to Deal with Startups. It is up to you to figure out what you need and don't need.

    Delete the files/folders that you see left over.

    You're welcome. Since your logs are clean, I'm going to give you final cleanup instructions, but I'm not going to have you toggle system restore yet. This is just to keep restore points around in case you still feel you have problems that you did not have in the past. You could try a System Restore to that point in time.



    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources ( except a little disk space ) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /u
        • Notes: The space between the combofix" and the /u, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
    3. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    4. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    5. Go to add/remove programs and uninstall HijackThis.
    6. Goto the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    7. After doing the above, you should work thru the below link:
     
