Removing Trojans, process stalled...

Discussion in 'Malware Help (A Specialist Will Reply)' started by insan_art, Jul 10, 2008.

  1. insan_art

    insan_art Private First Class

    Hi there, before I start I just wanted to say that this forum is absolutely priceless and it has gotten me through many infections on my clients' machines. This is actually the first time I was unable to get through all the steps, and it figures it has to be on MY machine!

    I've got a couple trojans on my secondary computer that I'm having trouble removing. I'm pretty pi**ed about the whole thing actually, since I know I caused the infection by opening a file I knew might be bad before scanning it with AVG. STUPID MOVE #1.

    I'm running XP and AVG Free 8. I did have the current Spybot installed, but I've seen the big warning about the Tea Timer (which I had enabled) so I went and un-installed Spybot, with the intention of re-installing without the Tea timer (before I saw the documentation on how to disable it).
    *Probably STUPID MOVE #2.

    Anyways, I've gone through the Read & Run first completely - one problem though - I was able to remove the OLD version of Java, but the new version will NOT install. Otherwise, read and run is done.

    So, I moved on to the XP cleaning steps. At first, SAS was unable to update so I manually updated and I was able to complete a full scan. The log is attached.

    Next, I went to re-install Spybot and it kept crashing during install. Gave a few retries and restarts, no luck.

    So, I went on to Malwarebytes and I was unable to install this as well.

    So, I went on (possibly STUPID MOVE #3?) to combofix. I had no trouble getting it started and it appeared to be running properly. It went through a number of "stages" and then rebooted the machine. This is where I am stuck now, the machine boots through all the way to the desktop, but then no further. I just see my desktop image and the mouse pointer (which is not frozen). I left it for a bit hoping combofix was still working but it is over an hour later and still hung at that point. I even tried manually shutting down the puter with the button on the front and it only wants to hibernate (which it has not done in YEARS!).

    Funny thing is, I saved the one report I got on that machine and with it "hung up" I was still able to connect to it over my network to get the log file. I thought for sure I wouldn't even see that machine on the network!

    Also, during all of the restarts I've done today (and recently) I get this error message as soon as the desktop loads, I don't know if it is related or not but I thought I should include it:

    Error loading C:\WINDOWS\system32\{89107d50-962d-f08e-c734-28257cb11d52}.dll

    The specified module could not be found.


    Again, my SAS log file is attached.

    Please let me know what other information I can give to help out! I'd like to shut this machine down, but it is just hanging there right now!
     

    Attached Files:
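A note on the "Error loading ... The specified module could not be found" message quoted in the post above: that text is what rundll32.exe reports when a startup entry tells it to load a DLL that is no longer on disk, which is typical after a scanner has deleted the file but not the registry value that launched it. The script below is an added example, not something from the thread or from any of the tools mentioned in it. It parses an exported Run key in .reg format and flags entries whose referenced program or DLL is missing, so a technician can see which stale values still need removing. The sample .reg text is constructed; only the GUID-named DLL path comes from the post, and the entry names, the AVG and ctfmon paths, and the list of files assumed to be present are made up for the demonstration.

```python
"""Flag Windows autostart (Run/RunOnce) entries whose referenced module is missing.

Added example; the .reg sample is constructed. On a real machine you would export
the Run keys with regedit and call find_orphaned_entries() with the default
on-disk check instead of the constructed PRESENT_FILES set.
"""
import re
from pathlib import Path, PureWindowsPath

# Constructed export of an HKCU Run key. Only the GUID-named .dll path is taken
# from the thread; every other value here is made up for the demonstration.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG8_TRAY"="C:\\PROGRA~1\\AVG\\AVG8\\avgtray.exe"
"SampleStaleEntry"="rundll32.exe \"C:\\WINDOWS\\system32\\{89107d50-962d-f08e-c734-28257cb11d52}.dll\",Start"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
'''

# Constructed stand-in for "what is actually on disk" so the example runs offline.
PRESENT_FILES = {
    r'C:\PROGRA~1\AVG\AVG8\avgtray.exe',
    r'C:\WINDOWS\system32\ctfmon.exe',
}

_KEY_RE = re.compile(r'^\[(.+)\]\s*$')
# "name"="value" where both sides may contain \\ and \" escapes
_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"\s*$')
# Command-line tokens: a double-quoted run or a run of non-whitespace
_TOKEN_RE = re.compile(r'"([^"]*)"|(\S+)')


def unescape_reg_string(s):
    """Undo .reg escaping: a backslash protects the next character (\\ and \")."""
    return re.sub(r'\\(.)', r'\1', s)


def parse_run_entries(reg_text):
    """Return (key, value_name, command) for string values under any Run/RunOnce key."""
    current_key = None
    entries = []
    for line in reg_text.splitlines():
        key_match = _KEY_RE.match(line)
        if key_match:
            current_key = key_match.group(1)
            continue
        value_match = _VALUE_RE.match(line)
        if not (value_match and current_key):
            continue
        if current_key.rsplit('\\', 1)[-1].lower() in ('run', 'runonce'):
            entries.append((current_key,
                            unescape_reg_string(value_match.group(1)),
                            unescape_reg_string(value_match.group(2))))
    return entries


def referenced_module(command):
    """Return the file an autostart command really loads.

    For rundll32 that is the DLL argument (the part before the comma and entry
    point); for anything else it is the program itself (first token).
    """
    tokens = [quoted or bare for quoted, bare in _TOKEN_RE.findall(command)]
    if not tokens:
        return ''
    program = tokens[0]
    if PureWindowsPath(program).name.lower() == 'rundll32.exe' and len(tokens) > 1:
        return tokens[1].split(',', 1)[0]
    return program


def find_orphaned_entries(reg_text, exists=None):
    """Return [(key, value_name, module)] for entries whose module does not exist.

    `exists` is a callable taking a path; by default it checks the local disk
    (meaningful only when run on the affected Windows machine).
    """
    if exists is None:
        exists = lambda p: Path(p).exists()
    orphans = []
    for key, name, command in parse_run_entries(reg_text):
        module = referenced_module(command)
        if module and not exists(module):
            orphans.append((key, name, module))
    return orphans


def demo():
    """Run the check against the constructed sample with a constructed file set."""
    present = {p.lower() for p in PRESENT_FILES}
    return find_orphaned_entries(SAMPLE_REG, exists=lambda p: p.lower() in present)


if __name__ == '__main__':
    for key, name, module in demo():
        print(f'stale autostart value "{name}" under {key}\n  -> missing module {module}')
```

The stale value is the thing to remove (after exporting the key as a backup); the error itself is harmless once the file is gone, but its presence is a sign that a removal was only half finished, which matches the thread, where the message stopped appearing after the registry fix was merged.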

  2. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Are you able to boot into safe mode?

    Can you Ctl+Alt+Del into task manager?
     
  3. insan_art

    insan_art Private First Class

    Thank you so much for your reply Tim.

    While waiting for your response, I did try to boot to Safe Mode (I only tried standard Safe Mode). I was able to do this, but when it got to the desktop it wouldn't go any further. Same as before, except with just a black screen and the words safe mode in the corners. Still can see my pointer and it still is movable. Can't remember if I tried to open the task manager so I'm booting in safe mode again right now....

    ....and HELL YES I can open the task manager!! Yay! :cool

    What shall I do next?

    Thanks again!
     
  4. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    First thing I would try is to start a new task ...restore! It should open the folder and you can double click on the restore exe.
     
  5. insan_art

    insan_art Private First Class

    Thanks Tim, sorry this is probably a dumb question, but what should I type in the run/new task? I tried restore.exe and it brought up a Creative App for my Soundblaster card.

    Thanks again!
     
  6. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Just type " restore " ....
     
  7. insan_art

    insan_art Private First Class

    Sorry Tim, I tried that as well and it brings up the same thing: a task called "Creative Restore Defaults" and an error window that says "Your system does not have a SBLive! card installed."

    AYE!

    What about booting with the "last known working config"?

    Was going to try that but didn't in lieu of waiting for advice from the pros!
     
    Last edited: Jul 11, 2008
  8. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    try it again but this time paste this in....

    %systemroot%\system32\restore\rstrui.exe
     
  9. insan_art

    insan_art Private First Class

    OK! I got it restored to a point yesterday! Thank you!

    Now, Spybot was still there so I went in and followed the instructions to disable the Tea timer.

    What should I do next? I would resume the XP cleaning regimen but I'm afraid of what's going to happen when I get to combofix again, so I await your advice.
     
  10. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Skip the combo step ...do the SAS, MWB and the MGTools ....:)
     
  11. insan_art

    insan_art Private First Class

    OK! I'm back! Sorry that took so long, I had a few hang-ups...

    Through some gentle persuasion I was able to install and run SAS and MWB. You'll find the two logs attached. One problem I had was the first time I ran MWB it crashed when I chose to remove the problems. So, I ran it a second time and hit the save logs button before I chose to remove problems. Good thing, because MWB crashed again in that process.

    The MGlogs are also attached.

    Thank you kindly! ;)
     

    Attached Files:

  12. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    You must have had an error message or two when you ran MGTools ....your NewFiles log is empty.

    Let's first do what MWB didn't:

    Copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.
    Now download The Avenger by Swandog469, and save it to your Desktop.
    * Extract avenger.exe from the Zip file and save it to your desktop
    * Run avenger.exe by double-clicking on it.
    * Do not change any check box options!!
    * Copy everything in the Quote box below, and paste it into the Input script here: part of the window:

    * Now click the Execute button.
    * Click Yes to the prompt to confirm you want to execute.
    * Click Yes to the Reboot now? question that will appear when Avenger finishes running.
    * Your PC should reboot, if not, reboot it yourself.
    * A log file from Avenger will be produced at C:\avenger.txt and it will popup for you to view when you login after reboot.

    Run this: Disable/Remove Windows Messenger to remove Windows Messenger. Do not confuse Windows Messenger with MSN Messenger because they are not the same. Windows Messenger is a frequent cause of popups.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this and also attach the log from Avenger.
     
  13. insan_art

    insan_art Private First Class

    Thank you for your reply Tim. Yes, I APOLOGIZE, I was doing ten things at once so I forgot to mention that I did receive errors during MGtools. I kept choosing "ignore" and/or close (which does not cause it to close!) and it kept running and created the logs so I hoped it was complete. Again, I apologize, I should have looked at the files.

    Anyways, I created the registry file and it was successfully merged.

    I ran Avenger and the log is attached. I also removed Windows Messenger.

    I ran the MGtools get logs function and I received the exact same errors as the first time it was run, so I opened the "NewFiles" log you had mentioned and it appears to be empty still? (there were sections for certain results, but nothing listed in any of them, I'm guessing that's what you meant by "empty").

    So, I downloaded the MGtools fix for XP Home and applied it (I think? may have made a mistake here, are you supposed to just copy the .exe file into the System32 folder, or run it from there? regardless, I just copied it there).

    Then I ran the get logs function again - it appeared to still be getting the same errors, in fact, maybe more? But, it finished and created another log file, which is also attached. I didn't check this one to see if it is empty, but, I'm guessing it may be, due to the errors I was still receiving. Sorry if it is!

    Thank you again for all of your help! I'll be patiently awaiting your wonderful wisdom! :p
     

    Attached Files:

  14. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Ok..the fixes worked.

    Questions:
    Did you set this (items that do not run):
    And did you install this (will be in your desktop properties under web setting -> those two boxes should be empty):
    O24 - Desktop Component 0: (no name) - file:///C:/DOCUME~1/Sarah/LOCALS~1/Temp/msoclip1/01/clip_image002.gif

    Let's do this:
    Go to Bitdefender agree to the license and then select Scan. DO NOT CHANGE THE OPTIONS TO SHOW ALL FILES SCANNED. That will make your logs huge and we don't need to see clean files. Once Bitdefender completes the scan:

    Click on the Detected Problems tab. Then select Click here to export the scan report

    When the window comes up to save the report, change the Save as type: box to Text (Tab Delimited) (*.txt) and then change the File name box to bdscan, then click save. This will save a file named bdscan.txt in whatever folder you are currently in when you save the file (take notice of where you are at so you can find it later). This bdscan.txt file will actually contain HTML code that we can easily view later while reviewing your log. All we have to do is rename the file to bdscan.html.
     
  15. insan_art

    insan_art Private First Class

    Oh CRAP Tim! That first thing you're asking about, is that my selective start-up?!?!

    I'm SOO sorry!! I know that is supposed to be disabled! I meant to disable it but when I was reading about doing that on this computer, the infected computer was running Spybot at the time so I didn't turn off the selective start-up!!!! I'm here right now and if it would help for me to turn that off now, let me know ASAP!!! SORRY!!!!! I feel like an ***!

    If I don't hear from you in a few, then I'll continue with your last instructions!
     
  16. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Yes you need to turn off selective startup ...then let's see what BitDefender finds. :)
     
  17. insan_art

    insan_art Private First Class

    Thanks again for your reply. I was prepared to start apologizing PROFUSELY for the selective start-up mix up, however, it appears as though I had already set it in normal mode.

    Anyways, I'm very sorry for being so deliberate, but can you explain to me more about BitDef? Do I have to run it through IE or did you want me to download it?

    I'm asking because personally, I wouldn't open IE even if someone had a gun to my head, so please advise if this is what I need to do (I will open IE for you :-D), or download. I'm using FF and I don't see any scan option, it is saying I need IE 4+...

    Oh also, that active desktop thingee (the .gif), don't know where the heck that came from.

    EDIT!!!!!! I just read through some other posts and I see that it looks like you want me to use BD through IE. Will do.
     
    Last edited: Jul 12, 2008
  18. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Then let's remove that gif .....right click the desktop / properties / desktop / customize / web and uncheck both boxes and remove anything there other than the My current home page.

    Yes you need to use IE to run the online scan ....if you would prefer, you can download and run Counterspy HERE.

    It will produce a log also which you can attach.

    Don't have a coronary over any of this ......;)
     
  19. insan_art

    insan_art Private First Class

    lol. I'm actually doing pretty well with it because the machine that is infected is my old/secondary puter. I just feel bad because every mistake I make on this end means more of your highly valuable volunteer time spent to fix it! Really, my only concern is that I don't have a copy of the OS if I really have to do a wipe - so, if I can't clean it then I may just be left with a worthless box of plastic and wires until I can get a copy of the OS.

    Sorry about the IE thing, it is just one of my pet peeves.

    OK, so, bad news is better than no news, right? :) Here's where I'm at:

    I got rid of that .gif as soon as I looked for it. Saw the delete button.

    I tried running BD through IE. It crashed during initialization/install. So, I rebooted and thought I'd try again. Well, I couldn't even get IE to open again so I was glad you gave me the other option.

    So, finally got Counterspy to download on the laptop (kept stalling on the infected puter) and I transferred it via the network. It installed fine, but continues to crash when I try to update it. I re-opened it and tried updating a number of times because I noticed that each time it would get a little further before crashing, so I was hoping several retries would get it through the updates. Did several reboots and tries, but CS keeps crashing during update.

    Is there a way to manually update Counterspy? Just a thought.

    Thank you again! Let me know what you suggest.
     
  20. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Can you just run it...forget updating for now. And run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip.

    Can you also re-run Malwarebytes scan again?
     
  21. insan_art

    insan_art Private First Class

    Ok Tim, ran CounterSpy without updating. It found 3x the things I've been seeing the other scans pull up (NOT counting cookies of course - real problems). It appeared to have removed them.

    Ran MalwareBytes again. Crashed again during removal (and again, before I grabbed the report) so I ran it again and saved the log before it crashed. The log is attached.

    Then ran the MGtools Get Logs again. Still getting those errors (I attached a txt doc of it, it appears to be similar to the errors described on the MGtools page, but its not exactly the same as any listed). Did you see my note about downloading the fix/patch for XP Home and whether I applied it correctly?

    MGlogs is attached, but I still don't think it worked right!

    Thank you again! :cool
     

    Attached Files:

  22. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Is this the fix you applied for that error:
    "16 Bit MS-DOS Subsystem" Error Message When You Install a Program

    Please attach the counterspy log.

    Now Copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.

     
  23. insan_art

    insan_art Private First Class

    Tim, the "fix" I was speaking of was the one provided on the MGtools page, where it says if you experience errors or get a blank log, pick the file for your OS and dump it into the system32 folder. I had asked you earlier if I was supposed to just put the .exe into that folder, or run it from there. I simply copied the .exe to the folder and I didn't know if that was correct, as I'm still receiving the errors when I run MGtools. **

    I also had trouble finding where to get the log from CS and then I got sidetracked, so I will go research that, find out where it is, attach and do the .reg steps you just provided!

    (**please advise if I need to do something different still with MGtools first. I'm here now and I'll wait a few for your reply before I go do anything!)

    THANK YOU!!!
     
  24. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Yes...but your error referred to the 16 bit error ...perhaps you should click on the link I provided for that type of error.

    I know this is a lot of effort for you to produce one log for me, but it is the only way I can be sure there are no files or folders on your system that also need removing.

    Tell me what problems you are still having after doing the registry fix.

    Your other logs are clean .....so we probably are OK. Let me know. :)
     
  25. insan_art

    insan_art Private First Class

    PUH-LEASE Tim!!! Sorry if I was sounding bi*chy, didn't mean to! You are the one who is doing all the work here, and again, I just want to make sure I'm doing the right thing so I don't have to use up any more of your time!!

    I followed the Microsoft link instructions to delete the registry file. I successfully merged the registry info you gave me as well.

    I believe I found where that CS log is supposed to be (C:....applicationdata...sunbelt...CS...etc) and I attached the only log I found there, hopefully it is the right one. :)

    Well, the only thing I was really using this machine for was a jukebox, occasional viewing of design mock-ups in Photoshop and my husband does paperwork on it occasionally.

    So, I went and tried to run iTunes. It crashed upon loading as it did before. Not even gonna try PS, that's a joke!

    Thank you again for all of your help so far, I'll be waiting for the next step!
     

    Attached Files:

  26. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    You are neither Bi*chy nor a PITA ...:) ....not to worry.

    Tell me about this system .....how old, how much ram, etc.

    And when you go to system restore ..how far back does it go?

    Run Counterspy once more and when done, it will give you the option to save the log.
     
  27. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Next question is do you have access to the exact same OS cd as what is on this computer - home / pro / OEM? Do you have your product key?
     
  28. insan_art

    insan_art Private First Class

    LOL. The infected machine is a Compaq Presario that I got in early 2000 from Sears - some poor nOOb bought it, it wouldn't boot, brought it back and they sold it to me for $100 (with matching keyboard ;) ). She's an oldie but goody, originally ran ME like a charm...she's been upgraded (and upgraded, and upgraded...) but got me through college and my early digital photo, graphic and web design days. 512 RAM, celeron processor, C: is original to the puter and is 14 GB, I installed an 80 GB D: a little over 2 years ago. I know, I know...I want to put in more RAM and a better processor...also have a new processor fan and dvd drive here waiting to be installed...

    ANYWAYS....

    Went to System Restore and it actually goes back to late May of this year! I didn't see that the first time I did the system restore.

    I ran CounterSpy again but I didn't see any prompt to save the logs. :confused
    I searched through all of the application data folders and this time I found 5 logs. I attached all five, I hope these are what you were looking for! CS did say that it didn't find a single thing, however.

    I DO NOT have a copy of the OS. I'm quite sure that my ex installed this OS and that means the install is well over 4 years old and he has the OS, not me. Regardless of infections or whatever, I figured that the machine needs a fresh OS install anyways (but, obviously, I've been unable to do so, due to the lack of a copy of the OS! :( ).
     

    Attached Files:

    Last edited: Jul 13, 2008
  29. insan_art

    insan_art Private First Class

    Attaching last 2 CounterSpy logs...

    ...also, I forgot to mention that things are still acting a little funky. I had trouble bringing up the system properties through the control panel, after a number of tries I finally had to look at them through System Restore (where it gives you the option to look at settings...)...didn't try any other things (i.e. iTunes, etc.) since I figure we're still working on it and I just better leave it alone!
     

    Attached Files:

  30. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    You missed my second set of questions:
    I want you to run a System File Check, but you would need a disc with the same OS version.
     
  31. insan_art

    insan_art Private First Class

    Hmmm, you must have missed it, this was the second time I told you that I DO NOT have the OS.

    I might be able to finagle another copy from a friend, but not the same copy - my ex is in California, and I don't talk to that bastard anymore.
     
  32. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    I can be dense at times ...but what I was asking was if you might have the cd for the good machine that you are using ....not the old one. And if it was perchance the same version of windows on both machines. :)

    If you could borrow one (the same version) then you could go to start / run / and type "sfc /scannow" without quotes and watch the space between the sfc and the /scannow.

    Have you tried uninstalling iTunes and reinstalling?
     
  33. insan_art

    insan_art Private First Class

    Sorry Tim, I thought you were asking exclusively about the infected machine.

    The bad desktop is running XP home and the good laptop is running XP Media Center. I'm still looking, but I'm quite sure that I only received a worthless copy of Microsoft office with this laptop and no OS cd. Just a little card with the OS license on it, but no CD. Still looking though, I could be mistaken.

    I'm also contacting a friend about borrowing a copy of XP home ('cos even if I have the Media Center Cd, that won't help, will it?).

    I'm going to go work on the desktop some more....I'll try re-installing iTunes and such and see what happens.

    Thank you again for all of your help! :p
     
  34. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Not a problem......I'm thinking that some of your system files may have become corrupt. And yes, you would need a home cd version. Let me know what happens with the iTunes reinstall ....I'll be here. :)
     
  35. insan_art

    insan_art Private First Class

    Ya, same here.

    I've secured a copy of XP Home, have to wait until Wednesday for it, tho.

    I saw that because of the system restore, I had the old version of Java back, so I got rid of that and successfully installed the newest version.

    I also "repaired" iTunes....it worked. Appears to be running fine now.

    I also am not receiving that DLL error that I posted about before.

    Still getting AVG warnings about the Trojans, but I assume that's because they're still stuck in System Restore and I haven't cleared that yet...

    Thanks again for all of your help so far, Tim. May I have permission to PM you about something? It is unrelated to this thread or malware...just a thank you request... ;)
     
  36. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    If that is where AVG is reporting it, then yes toggling system restore will flush them ...perhaps you should attach the avg log or tell me exactly the path it reports.

    Good to hear about iTunes.......perhaps you are just having some software issues now. :)

    No problem with the PM's....unless it is a tech question which we prefer you put in a thread so others may learn from it.

    Let's do the final clean up ....If you are not having any other malware problems, it is time to do our final steps:

    1. If we used ComboFix then UNINSTALL COMBOFIX (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
    2. Click START then RUN
    * Now type "%userprofile%\Desktop\cf" /u in the runbox ( or whatever you renamed it to) and click OK.
    * Note: The space between the cf and the /U, it must be there.
    3. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    4. You can delete the C:\MGtools folder and the C:\MGtools.exe file. You can also delete the C:\MGlogs.zip
    5. If you are running Windows XP or Windows ME, do the below:
    * Refer to the cleaning steps in the READ ME for your Window version and see the steps to Disable System Restore which will flush your Restore Points.
    * Then reboot and Enable System Restore to create a new clean Restore Point.
    6. After doing the above, you should work thru the below link:
    How to Protect yourself from malware!
     
  37. insan_art

    insan_art Private First Class

    Hi Tim!

    I turned the infected machine back on last night, prepared to do the "final steps" and system file check. However, I paid particular attention to things during start-up 'cause I wanted to make sure AVG was finding those bad files in system restore.

    It's NOT! The first AVG red flag I got was for a file here:

    C:\WINDOWS\system32\drivers\dmusic.sys

    I'm guessing that's not supposed to be there. rolleyes

    CS scan comes up clean and AVG scan comes up clean as well.

    Please let me know what you think. Also, I didn't send that PM yet....soon! probably tonight or this weekend.

    Thanks again, Tim!
     
  38. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    It is a false positive ...
     
