seemingly a bit of everything

Discussion in 'Malware Help (A Specialist Will Reply)' started by dellsworth, Jan 3, 2010.

  1. dellsworth

    dellsworth Private E-2

    Hi,
    What doesn't work with this computer is a bit of everything. I'll do the list...

    1) Folder Options shows both the "show" and "hide" options for hidden files and folders checked. When I check "show" it doesn't work. When I go back in they both show checked again.

    2) Search doesn't work at the drive level and in various other circumstances. Sometimes yes but most of the time no. During the process of trying to clean it seems to sometimes work. Before it didn't at all.

    3) Registry editing disabled by administrator. This seems to be a common problem and I did all the solutions. I even downloaded another editor which does in fact allow me to view and change registry keys - but this one doesn't stay saved.

    4) taskmgr tab doesn't work. I copied taskmgr from another machine and ran it. It worked fine but then it got deleted.

    5) I get startup errors on something called c:\PCSDK\INICIO.BAT. inicio2.bat, inicio3.bat, and taskmgr.exe.bat all execute in the cmd window on startup.

    6) on shutdown I get unable to initialize errors on xcopy and sometimes xkill (or something like that). If it's critical I'll get the exact detail.

    I went through and completed the entire read and run procedure (housecleaning and so on). Then I went through the entire cleaning procedure for XP. I could not install rootkit - maybe.... I tried several different ways. It comes up continually with "Error - invalid PE image found!" Once I went past that error though I could do some scanning. I saved a couple of those logs.

    I ran MGtools. Obviously it didn't work well since regedit won't work. Still after clicking numerous times on unable to edit the registry errors it did proceed with a scan of sorts.

    As you might imagine I've worked with all this for a long time and run all the various fixes available for all of them. So. I've got the logs. I assume there's at the least a startup task that needs to be removed that is continually updating the registry at the least as well as the hidden files option on the folder and probably task manager.

    I've attached the logs and will attach whatever shows up from the perhaps crippled RootRepeal.

    I could do HijackThis also and Spybot if you'd like. I noticed there was a HijackThis log in MGlogs and maybe that is sufficient.

    I'll continue playing meanwhile. It's my wife's machine and she let her teenager get at it. I'll say no more.
     

    Attached Files:

  2. dellsworth

    dellsworth Private E-2

    I guess I needed to write a bit to sort it out in my head. I got the majority of the problem which was a virus called WINDOWSSYS.EXE. I found it figuring out that if my assumption that it was an active process running and monitoring to continue to prevent the use of tools to fix it; then a simple safe boot would allow me to use those tools. I used the other version of regedit I'd copied down, went through the RUN keys, found it and dumped it from RUN and RUNONCE. Then fixed the regedit disable and copied a new taskmgr from my other laptop. I still haven't got the hidden folder options toggle working. It must be something else. Search seems to be working better too but maybe it's an illusion. I'll keep playing.
     
  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Major Geeks!

    No!!! See our instructions. Once you begin the process, you must only do what we ask you to do and nothing else.

    Why is this PC being run without proper protection?

    You need to put ComboFix.exe on your Desktop as requested and required. You had it here:
    Running from: c:\downloads\ComboFix.exe

    Creating the below folder and installing things there was a bad idea. To us and some scanning tools, this looks like malware. In addition, Spybot is not a virus removal program.
    Code:
    C:\
    FIXVIR~1      Dec 26 2009              "FixVirusPrograms"
    Run this Disable/Remove Windows Messenger to remove Windows Messenger. Do not confuse Windows Messenger with MSN Messenger because they are not the same. Windows Messenger is a frequent cause of popups.

    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
    O4 - HKLM\..\Run: [windowssys] C:\pcsdk\inicio.bat
    O4 - HKLM\..\RunOnce: [windowssys] C:\pcsdk\inicio.bat
    O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
    After clicking Fix, exit HJT.

    Now we need to use ComboFix
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    • If ComboFix tells you it has expired or needs to be updated to a new version, make sure you allow it to update.
    • Open Notepad and copy/paste the text in the below quote box into it:
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below
    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.


    Now run Ccleaner. Only use the Run Cleaner button. Do not run anything else on any other forms.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:
    • C:\ComboFix.txt
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
