Spybot-S&D causes BSOD upon "fix"

Discussion in 'Malware Help (A Specialist Will Reply)' started by kbilliu, Dec 5, 2007.

  1. kbilliu

    kbilliu Private E-2

    In following the "Read & Run me first" instructions, I get as far as clicking the fix selected problems and I get the blue memory dump page. After three attempts, I skipped this and continued. Trend Micro keeps popping up and telling me I have a different virus or trojan name every few mins including vundo and "troj_rootkit.es" and most of the time it can't quarantine. I followed the specific instructions for both of these and vundofix and rustbfix found nothing.

    I'm also having problems booting half the time without first booting to a command prompt and del the contents of my temp folder then rebooting.

    I have the reports from everything on the "read and run me first list" plus the Panda software. I'm not sure which log would help the most at this point, if any. I could really use some help.
    Thank you.
     
  2. kbilliu

    kbilliu Private E-2

    Just adding that Trend Micro just updated and rebooted the system and after reboot, now I have messages saying I have "hijacker.agent.mv" and "TrojanDownloader.xs". Windows Security Center is reporting the downloader one and telling me to update my antispyware and to "click here" to remove the threat. I'm not even sure it's really Windows Security Center at this point.
     
    Last edited: Dec 5, 2007
  3. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Welcome to Major Geeks!

    Please follow the instructions in the below link and attach the requested logs when you finish these instructions.

    READ & RUN ME FIRST. Malware Removal Guide ---> if you have done this...please attach the logs that are requested:
    ComboFix and the MGLogs.zip.
     
  4. kbilliu

    kbilliu Private E-2

    Here are the logs.
    Thank you!
     


  5. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Please use add/remove programs to uninstall:
    Java 2 Runtime Environment, SE v1.4.0_01
    Spruce
    Viewpoint Manager (Remove Only)
    Viewpoint Media Player

    Reboot and install:
    Java Runtime 6

    Please disable all anti-virus and anti-spyware programs while we do the following:

    * Click on Start, then Run ... type services.msc into the box that opens up, and press 'OK'.
    * On the page that opens, scroll down to DomainService
    * then right click the entry, select Properties and press Stop Service.
    * When it shows that it is stopped, next please set the Start-up Type to 'Disabled'.
    * Click OK until you get back to Windows.
    * Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis.
    * Next, run HJT, but instead of scanning, click on the None of the above, just start the program button at the bottom of the choices.
    * At the lower right, click on the Config button
    * Then click the Misc tools button
    * Select Delete an NT Service
    * Copy/paste DomainService into the box that opens, and press OK
    * If you receive any error messages just ignore them and continue.

    Now select Do a system scan only and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    NOTE: HJT may popup an error about the AppInit_DLLs line. Ignore it and click OK to continue.

    After clicking Fix, exit HJT.

    Now copy the bold text below to Notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.
    Now download The Avenger by Swandog46, and save it to your Desktop.

    * Extract avenger.exe from the Zip file and save it to your desktop
    * Run avenger.exe by double-clicking on it.
    * Check the 'Input script manually' box.
    * Click on the magnifying glass icon.
    * Copy everything in the Quote box below, and paste it in the box that opens:

    * Now click the 'Done' button.
    * Click on the traffic light icon and OK the prompt.
    * You will be prompted to restart, OK the prompt and your PC should reboot, if not, reboot it yourself.
    * A log file from Avenger will be produced at C:\avenger.txt

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this and also attach the log from Avenger.
     
  6. kbilliu

    kbilliu Private E-2

    Thank you!!
    This may be the stupidest question ever asked, but my "run" has disappeared from my start menu. How do I get it back?
     
  7. kbilliu

    kbilliu Private E-2

    I had someone tell me how to get around not having a "run" but not get it back so at least I could follow the rest of the list.
    "DomainService" wasn't listed, nor were a few of the items in the HijackThis list you had, so I just deleted the ones I did have plus the WeatherBug one I saw.
    Here are the reports.
    Thank you! I'm seeing a light.
     


  8. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    As to your "Run" functions:
    # Right-click on the Start button
    # Click on Properties
    # Select the Start Menu tab
    # Press the Customize button
    # Select the Advanced tab
    # Scroll down through the Start menu items list
    # Check the box next to Search and/or Run
    # Press OK twice


    Are you aware that you have a keylogger on your system?

    Now:
    Please disable all anti-virus and anti-spyware programs while we do the following:

    Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    NOTE: HJT may popup an error about the AppInit_DLLs line. Ignore it and click OK to continue.

    After clicking Fix, exit HJT.

    Now copy the bold text below to Notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.


    * Run avenger.exe by double-clicking on it.
    * Check the 'Input script manually' box.
    * Click on the magnifying glass icon.
    * Copy everything in the Quote box below, and paste it in the box that opens:
    * Now click the 'Done' button.
    * Click on the traffic light icon and OK the prompt.
    * You will be prompted to restart, OK the prompt and your PC should reboot, if not, reboot it yourself.
    * A log file from Avenger will be produced at C:\avenger.txt

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this and also attach the log from Avenger.
     
  9. kbilliu

    kbilliu Private E-2

    Here are the new logs.
    I really appreciate all the help. I've had this pc off the internet for days now once I realized the problem wasn't getting any better. Can I assume the key logger isn't an issue if I'm not connected to the internet?

    And I've informed my family that the next time they come and visit, no one touches my computers.


    My "run" apparently was always there but something loaded every option on the start menu so not everything could be viewed. When I went thru and removed everything I don't typically have on there (my music, my pictures, etc.) "run" reappeared.
     


  10. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Please disable all anti-virus and anti-spyware programs while we do the following:


    Please download and install Registrar Lite (http://www.majorgeeks.com/download469.html). Make sure you select a MajorGeeks download link and not the author's!

    Run Registrar Lite, navigate to each of the following keys (one at a time) and take ownership of them (I explain how to do that further down).

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_DOMAINSERVICE]
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_DOMAINSERVICE\0000]

    To take ownership of the key do the following:

    * Copy & Paste the registry key from above into the Address bar of Registrar Lite and hit the enter key. This will bring you to the registry key.
    * Click-on Security in the top Menu
    * Select Take Ownership
    * Repeat these steps for all of the registry keys given above before continuing to the next steps below.
    * Now leave RegistrarLite running and continue
    * Now run the fixME.reg REGISTRY PATCH below in this message.
    * Tell me the results. Any error messages?
    * Now in RegistrarLite click View and then Refresh
    * Now navigate one at a time to each of the above keys we took ownership of to make sure they were deleted.
    * If any of the keys still exist, move on down to PART 2 - Setting Permissions for Everyone below!


    Here is the Registry Patch

    Now copy the bold text below to Notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.
    PART 2 - Setting Permissions for Everyone

    Run the below if some of the registry keys still exist after running the above steps.

    Now I want you to use Registrar Lite again to navigate to each of the below keys (one at a time) by pasting them into the Address Bar and hitting return. But this time click the Security menu item and select Edit Permissions so we can change permissions to everyone (I describe this down below the list of registry keys).
    After clicking Edit Permissions, here is what I expect you to see in the Group or user names area of the form:

    Everyone
    SYSTEM

    Select Everyone by clicking on it. Now at the bottom in the Permissions box click the check box for Full Control. Then click Apply and then OK to get back to the main Registrar Lite screen. Now right-click on the registry key and select Delete. Then click View and Refresh. Check to see if the registry key you just deleted was truly deleted. If so, move on to the next one and work thru the whole list. If it does not delete, I want you to boot into safe mode and repeat these exact same steps to see if we can do it from safe mode.

    Then reboot your PC!

    Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    NOTE: HJT may popup an error about the AppInit_DLLs line. Ignore it and click OK to continue.

    After clicking Fix, exit HJT.

    * Run avenger.exe by double-clicking on it.
    * Check the 'Input script manually' box.
    * Click on the magnifying glass icon.
    * Copy everything in the Quote box below, and paste it in the box that opens:
    * Now click the 'Done' button.
    * Click on the traffic light icon and OK the prompt.
    * You will be prompted to restart, OK the prompt and your PC should reboot, if not, reboot it yourself.
    * A log file from Avenger will be produced at C:\avenger.txt

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this and also attach the log from Avenger.
     
  11. kbilliu

    kbilliu Private E-2

    When I select
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_DOMAINSERVICE]
    it just takes me to the root, however, when I select the second one, it takes me to the DomainService one, so at least I believe I found it?
    Also, it's telling me that taking ownership is only available in the PRO version. You said not to d/l from the author's site. Is the Pro version on this site somewhere? I d/l from the first TX site listed.
     
  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Do it another way!

    • Run avenger.exe by double-clicking on it.
    • Check the 'Input script manually' box.
    • Click on the magnifying glass icon.
    • Copy everything in the Quote box below, and paste it in the box that opens:
    • Now click the 'Done' button.
    • Click on the traffic light icon and OK the prompt.
    • You will be prompted to restart, OK the prompt and your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt
    Now run Ccleaner!

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this and also attach the log from Avenger.

    Make sure you tell us how things are working now!
     
  13. kbilliu

    kbilliu Private E-2

    I think I have a serious issue to take up with Trend Micro over all this getting thru. Sigh.

    Here are the latest logs! Ccleaner found a bunch of stuff but it has every time I've run it. Even if I just ran it an hour previous.

    My wallpaper has been back after the first list of instructions Tim sent. The pop ups seem to be gone. I'm no longer getting a message that I have porn on my computer and do I want more passwords (that was about every 10 seconds and extremely annoying).
    My font is still changed but that may be a setting that has changed that I'll have to change back. I still have the pc unplugged from the router so I haven't completely tested it yet. I'm going to be shopping for a new anti-virus s/w after 10 years with pc-cillin AND I just paid for the next year in Sept too.

    I really appreciate all the help. I was seriously getting ready to pull my data and reformat and who knows if that would have even worked.
     
  14. kbilliu

    kbilliu Private E-2

    looks like logs didn't attach...
     


  15. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay it really does appear that you have locked registry key permissions/ownership problems. We will have to go back to using RegistrarLite. But you need to uninstall the one that Tim had you install. It will not work for you since they changed the new version to have less capabilities now. After uninstalling it, please download and install this one:

    http://downloads.bjgarrick.com/files/RegistrarLite.zip


    Now run Registrar Lite, navigate to each of the following keys (one at a time) and take ownership of them (I explain how to do that further down).

    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_DOMAINSERVICE\0000
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_DOMAINSERVICE

    To take ownership of the key do the following:
    • Copy & Paste the registry key from above into the Address bar of Registrar Lite and hit the enter key. This will bring you to the registry key.
    • Click-on Security in the top Menu
    • Select Take Ownership
    • Repeat these steps for all of the registry keys given above before continuing to the next steps below.
    • Now leave RegistrarLite running and continue
    • Now run the fixME.reg REGISTRY PATCH below in this message.
    • Tell me the results. Any error messages?
    • Now in RegistrarLite click View and then Refresh
    • Now navigate one at a time to each of the above keys we took ownership of to make sure they were deleted.
    • If any of the keys still exist, move on down to PART 2 - Setting Permissions for Everyone below!
    Here is the Registry Patch

    Now copy the bold text below to Notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.

    PART 2 - Setting Permissions for Everyone
    Run the below if some of the registry keys still exist after running the above steps.

    Now I want you to use Registrar Lite again to navigate to each of the below keys (one at a time) by pasting them into the Address Bar and hitting return. But this time click the Security menu item and select Edit Permissions so we can change permissions to everyone (I describe this down below the list of registry keys).
    After clicking Edit Permissions, here is what I expect you to see in the Group or user names area of the form:

    Everyone
    SYSTEM

    Select Everyone by clicking on it. Now at the bottom in the Permissions box click the check box for Full Control. Then click Apply and then OK to get back to the main Registrar Lite screen. Now right-click on the registry key and select Delete. Then click View and Refresh. Check to see if the registry key you just deleted was truly deleted. If so, move on to the next one and work thru the whole list. If it does not delete, I want you to boot into safe mode and repeat these exact same steps to see if we can do it from safe mode.

    Then reboot your PC!


    Then move on to my next message since you have more to do!
     
  16. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Make sure you complete the instructions in message number 15 before you continue with the below steps.

    First uninstall Spybot - Search & Destroy 1.3. This is 3 years out of date.

    Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O2 - BHO: (no name) - {12F02779-6D88-4958-8AD3-83C12D86ADC7} - (no file)
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
    O20 - AppInit_DLLs: C:\WINNT\system32\wmfhotfix.dll c:\winnt\system32\ldcore.dll

    NOTE: HJT may popup an error about the AppInit_DLLs line. Ignore it and click OK to continue.

    After clicking Fix, exit HJT.

    Now download The Avenger by Swandog46, and save it to your Desktop.
    • Extract avenger.exe from the Zip file and save it to your desktop
    • Run avenger.exe by double-clicking on it.
    • Check the 'Input script manually' box.
    • Click on the magnifying glass icon.
    • Copy everything in the Quote box below, and paste it in the box that opens:
    • Now click the 'Done' button.
    • Click on the traffic light icon and OK the prompt.
    • You will be prompted to restart, OK the prompt and your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt
    Now run Ccleaner!

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this and also attach the log from Avenger.

    Make sure you tell me how things are working now!
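    The HijackThis lines above point at three persistence locations: AppInit_DLLs (O20), the HKLM Run key (O4) and the service that was stopped and deleted earlier in the thread. As an added example that is not part of the thread or of any MajorGeeks tool, the following read-only PowerShell audit reports those same locations and flags entries whose file no longer exists; it assumes PowerShell 3 or later and an elevated prompt, and the function names are this example's own. The 'DomainService' name and the two-DLL AppInit_DLLs form come from the thread.

    ```powershell
    # Added example (not from the thread): read-only audit of the persistence
    # points the HJT lines refer to. O20 = AppInit_DLLs, O4 = HKLM Run entries,
    # plus the registry leftovers a removed service ('DomainService', the name
    # from the thread) can leave behind. Assumes PowerShell 3+, elevated prompt.

    function Get-AppInitDlls {
        # Every DLL named here is loaded into each process that maps user32.dll,
        # so any entry at all is worth inspecting (HJT's O20 line).
        $key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'
        $raw = (Get-ItemProperty -Path $key -Name AppInit_DLLs -ErrorAction SilentlyContinue).AppInit_DLLs
        if ([string]::IsNullOrWhiteSpace($raw)) { return @() }
        # The value is space- or comma-separated; the thread's listed two DLLs.
        $raw -split '[\s,]+' | Where-Object { $_ } | ForEach-Object {
            $path = [Environment]::ExpandEnvironmentVariables($_)
            [pscustomobject]@{ Source = 'AppInit_DLLs'; Entry = $path; Exists = (Test-Path -LiteralPath $path) }
        }
    }

    function Resolve-CommandPath {
        param([string]$CommandLine)
        # Pull the executable out of a Run value: it may be quoted and followed
        # by arguments ("...\qttask.exe" -atboottime) or be a bare name such as
        # RUNDLL32.exe that resolves through the PATH.
        if ($CommandLine -match '^\s*"([^"]+)"') { $exe = $Matches[1] }
        else { $exe = ($CommandLine.Trim() -split '\s+')[0] }
        $exe = [Environment]::ExpandEnvironmentVariables($exe)
        if ($exe -and $exe -notmatch '[\\/]') {
            $cmd = Get-Command $exe -ErrorAction SilentlyContinue
            if ($cmd -and $cmd.Path) { $exe = $cmd.Path }
        }
        return $exe
    }

    function Get-RunEntries {
        $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if (-not $props) { return @() }
        # Skip the PS* provider properties Get-ItemProperty adds to every object.
        $props.PSObject.Properties | Where-Object { $_.Name -notmatch '^PS' } | ForEach-Object {
            $cmdLine = [string]$_.Value
            $exe = Resolve-CommandPath -CommandLine $cmdLine
            $present = [bool]($exe -and (Test-Path -LiteralPath $exe))
            [pscustomobject]@{ Source = "Run\$($_.Name)"; Entry = $cmdLine; Exists = $present }
        }
    }

    function Get-ServiceResidue {
        param([string]$Name)
        # Deleting a service does not always clear these keys; the thread's
        # LEGACY_DOMAINSERVICE entries (under ControlSet003 there) are the kind
        # of leftover that needed an ownership change before they would delete.
        $paths = @(
            "HKLM:\SYSTEM\CurrentControlSet\Services\$Name",
            "HKLM:\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_$($Name.ToUpper())"
        )
        foreach ($p in $paths) {
            [pscustomobject]@{ Source = 'ServiceResidue'; Entry = $p; Exists = (Test-Path -LiteralPath $p) }
        }
    }

    $findings = @(Get-AppInitDlls) + @(Get-RunEntries) + @(Get-ServiceResidue -Name 'DomainService')
    $findings | Sort-Object Source | Format-Table -AutoSize
    # Reading the report: a Run entry with Exists = False is the "(no file)"
    # style orphan HJT flags; an AppInit_DLLs entry that does exist is an
    # unknown DLL in every process and is worth submitting for analysis
    # before it is removed, so the infection source can be identified.
    ```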
     
  17. kbilliu

    kbilliu Private E-2

    I had to do the Part 2 to delete the registry keys but it looks like they are gone now.

    I've attached an error I get every time I run GetLogs.bat. I know it says something in there about ignoring an error, but I'm not sure if this was it or if this one even means anything. I can just click on it and it goes away and the program continues. Just figured I'd let you know it was happening in case it means anything.

    I also have a few errors on boot, but I'm guessing they are just things I'm going to have to clean up when everything is finally fixed. A couple of missing dll's I believe. I've been ignoring them so far. Let me know if you need/want to know what they are and I'll write them down.
     


  18. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Your logs are clean. Except this.

    Morpheus 1.9 <-- bundler of malware and should be uninstalled
    Mozilla Firefox (1.0.7) <-- this is way out of date. You need to uninstall and use the current version:
    Mozilla Firefox


    This is occurring because you do not have some of the updates from Microsoft installed. For ProcessDLL.exe to work, the Microsoft .Net Framework software needs to be installed.

    You could post these exact error details and if they are not malware, I will advise you to post them in a new thread in the Software Forum.


    If you are not having any other malware problems, it is time to do our final steps:
    1. If we used Pocket Killbox during your cleanup, do the below
      • Run Pocket Killbox and select File, Cleanup, Delete All Backups
    2. If we used ComboFix, you can delete the ComboFix.exe file, C:\ComboFix folder, C:\QooBox folder, C:\WINDOWS\nircmd.exe, C:\combofix.txt and C:\ComboFix-quarantined-files.txt logs that were created.
    3. If we used SDFix you can delete all the SDFix related files and folders from your Desktop or wherever you installed it.
    4. If we used SmitFraudFix, you can delete all files and folders related to it now including the c:\rapport.txt log.
    5. If we used VundoFix, you can delete the VundoFix.exe file and the C:\VundoFix Backups folder and C:\vundofix.txt log that was created.
    6. If we had you run FixWareOut, you can delete the Fixwareout.exe file and the C:\fixwareout folder.
    7. If we had you run Avenger, you can delete all files related to Avenger now.
    8. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    9. You can delete the C:\MGtools folder and the C:\MGtools.exe file. You can also delete the C:\MGlogs.zip
    10. If you are running Windows XP or Windows ME, do the below:
      • go back to step 8 of the READ & RUN ME to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    11. After doing the above, you should work thru the below link:
     
  19. kbilliu

    kbilliu Private E-2

    I can't uninstall morpheus. I've tried in the past too. Screen flashes quickly and then I'm back to the program list window.

    I can't do a windows update. It's just telling me I've failed. When I click to repair my internet connection window, it tells me tcp/ip is not enabled yet I see it is when I click on properties. If you don't think this is a malware issue, I'll work thru it with my IT guy tomorrow. My email is working and I can hit the internet so I'm not sure if the tcp/ip error is what is blocking the windows update but I also get a tcp connection failure message when I try to download the new version of Firefox.

    My error on bootup is a missing dll on something I believe one of the programs you had me run deleted. I don't believe it's a malware issue, but just in case, here it is.

    "error loading C:\program files\wild tangent\apps\cda\cdaengine0400.dll The specific module could not be found."
     
  20. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You could try using the below to uninstall it: Your Uninstaller! 2008

    If that does not work, just use this registry patch:

    Now copy the bold text below to Notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.

    Windows Update can fail for many reasons. Most of them are issues for the Software Forum. However give the below tool a try as it just may help with your connection issues:

    XP TCP/IP Repair


    Run HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain

    After clicking Fix, exit HJT.

    How are things working now?
     
