Spyware 2009

Hello Major Geeks,

Here's the story...

Anti-Malware I generally run:
McAfee, Spybot, AdAware, and sometimes MalewareBytes. But have several other programs installed from previous adventures.

What happened: Approximately 10 days ago
1. Started getting IE errors…. “ie has encountered an error and needs to close” etc.

2. Ran my cleanup programs. Found some nasties and quarantined or deleted.

3. Still problems. Downloaded ie7 (which I HATE), but still problems.

4. Started getting the Spyware 2009 pop-ups along with redirected websites.

5. Ran more clean-up programs and did some manual cleaning and website blocking. (Somewhere along the way I messed up my sonic update and had to delete it).

6. Still more problems.
Some of the Nasties and questionable stuff I found along the way:
Trojan. Fake Alert
Sysguard.exe
Mcods.exe application error
RemAdm – ProcLaunch 171
Sysvol Info\.........|A0032642.exe (couldn’t completely remove)
Trogen.dropper/Gen-123
LAHCOCO.dll


7. Went to your website and did all of the Read and Run Me First steps except for ComboFix.

8. Then…..I couldn’t finish and had to be away from the computer for a week and it was in use while I was gone..


What’s currently happening:
Slow performance, unable to access McAfee website (and some other anti-malware sites such as Bleeping Computer), unable to run regedit.

So….I’m sending this in and asking for your help.

Have searched and can't find the SuperAntiSpyware scan results that I ran last week so I'm attaching the files that I do have.

Let me know if I should just start over with your “read and run me first” since the scans aren’t fresh and I've failed to submit everything required.

Really appreciate your help.

 

TimW,

Thanks for the reply.

Trying to follow the directions but things are not going well.

1. Re Ran SAS. Came up clean. File attached.

2. ReInstalled Malewarebytes. Re Ran. Came up clean. File attached.

3. Can't run ComboFix because I'm blocked from the BleepingComputer website -- and -- also I read elsewhere on the majorgeeks site not to run this program.

4. Re Ran MGtools but it just seems to hang. First time I waited over an hour. Then I deleted everything and reinstalled. Ran for an hour and a half. Same result. The zip file only seems to contain the GetUnKey.txt. Attached.
Appeared to create newfiles.txt - Attached

Looks like I'm out of space and need to attach more files. Will have to double post.

Thanks, More to follow...........

 

TimW,

Here is part 2 from my previous post.

I could not get GetRunKey to go either from the MGtools.exe or from the GetRunKey.bat file.

I did run the analyse.exe from the MGtools folder and I attached the hijack log.

Trying to give you everything you need but it's not going well.

Appreciate your help.

 

TimW

Thanks for the response.
I’m operational,,,, but ,,, I don’t know what animals might be running in the background.

Web pages are still getting redirected. Outlook messages are slow to open. I’m getting what appears to be false alarm popups and questionable icons in the tray.

I still am blocked from anti-malware sites and my mcafee updates.

Have tried a few different routes to my registry and can’t get there.

Right before I saw your post I booted into safe mode as administrator and ran MGtools. Was able to finally get a RunKey file (but I don’t know if that helps in safe mode vs. normal mode). FILE ATTACHED.

Followed your directions and downloaded Dr. Web. Ran the app.
Express Scan --- showed no viruses.
Ran complete Scan --- REPORT FILE ATTACHED.
Found – C:\$VAULT$.AVG\05812437.FIL .. infected with Trojan.DownLoader.34097 --- Cure? I pressed Yes.
Found – C:\$VAULT$.AVG\09489390.FIL .. infected with Trojan.FakeAlert.342 --- Cure? I pressed Yes.
Found – C:\$VAULT$.AVG\46304016.FIL .. infected with
Trojan. FakeAlert.342 --- Cure? I pressed Yes.

A0032642.exe/data002\32788R22FWJFW\C.bat
C:\System Volume Information\_restore-{129201FA-B0AC-49B3-96B2-DEB8B91E727B}-\RP502\A0032642.exe/data002 Probably BATCH.Virus -- Deleted File

A0032642.exe/data002\32788R22FWJFW\psexec.cfexe
C:\System Volume Information\_restore-{129201FA-B0AC-49B3-96B2-DEB8B91E727B}-\RP502\A0032642.exe/data002 Program.PsExec.171

C:\System Volume Information\_restore-{129201FA-B0AC-49B3-96B2-DEB8B91E727B}-\RP502\A0032642.exe Archive contains infected objects Move? I pressed Yes
C:\System Volume Information\_restore-{129201FA-B0AC-49B3-96B2-DEB8B91E727B}-\RP502\A0033012.exe infected with Trojan.Fakealert.4139 ---- Cure? I pressed Yes.

LOG FILE FROM DR. WEB is HUGE. Will have to try to break up, compress, and submit separately.

Tried to go to Bleeping Computer to get ComboFix but access is still Blocked.

Re-Ran MGtools in Normal Mode and “appeared to get a RunKey file. FILE ATTACHED

I know you guys are swamped and I appreciate the help.

 

Here's Part 2, the Dr Web Logs.

 

TimW

Argh….I was hoping we were making progress….Have been at this for 3 weeks…sigh

Anyway, you asked about XP CDs. I found them,,,,right there with my WIN98 CDs. What I have are two Dell Reinstallation DVDs for Win XP Media Center Ver 2005. Still sealed. (I hope you’re not going to make me use them.)

Followed your instructions the best I could. Start-up was set to Selective – changed to Normal. Had trouble on reboot – still looking for my sonic file.

Assume I should change back when we are done?

Ran fix.bat. No dos window appeared but desktop went blank and re-appeared.

I think I disabled all anti- spyware. Built the fixME file. Ran it. Did not get a success message. Just lost desktop for a moment and then reappeared.

Did not find qblkdbl.qke in win\sys32 but was present in C :\windows. Delete (?)

What next?

Thanks

 

Progress!

Avenger only found C:\WINDOWS\qblkdbl.qke
Did not get the popup on reboot, but FILE ATTACHED

But was able to successfully run C:\MGtools\GetLogs.bat
FILE ATTACHED

Looks like one of the culprits was the C:\WINDOWS\qblkdbl.qke

I tested access to Mcafee and Bleeping Computer and I'm able to hit those websites. Also able to get to my registry.

Thanks,
What next?

 

Logs attached.

Thanks

 

TimW,

Final steps completed.

....If only the maleware creators would do something to help people...instead of just being a nuisance and wasting all of our time.....

You guys do a great service!!!

Thanks again.