SuperAntiSpyware and RootRepeal won't run

Discussion in 'Malware Help (A Specialist Will Reply)' started by MDFletch, May 26, 2010.

  1. MDFletch

    MDFletch Private E-2

    Hi,

    Over the past month I started to notice my PC slowing and the CPU usage consistently being at or near 100%. Last week the situation seemed to get worse, and then my Trend AV alerted and quarantined multiple files with the "Bubnix" virus. I decided to run through your Malware Removal Guide. I worked through all the steps, with two not being successful, and upon completion the PC seems to be working fine. The speed is back to what I remember and the CPU usage is back in the normal range. There were two issues that I had when doing the steps that linger and have me wondering if all the malware was removed:

    1. SuperAntiSpyware does not install - When working through the guide steps I got the "SuperAntiSpyware.exe is not a valid Win32 application" error. I renamed the file as suggested but got the same error. I moved on and completed all the steps I could. After the machine seemed to be running as it should, I tried running SAS again with the same error.

    2. RootRepeal locks up the system - When I got to the installing and running RootRepeal step the program started to install with a box appearing on the screen saying "initializing please wait". After several minutes another box appeared along with the first that said "Microsoft Visual C ++ Runtime C.binary". It appeared as though much of the text in the second box was missing and there was a blank button at the bottom of the message. After waiting several more minutes I closed the message by clicking the button. The initializing box remained. I left it running for a couple of hours. When I came back to it the system was locked up. The only response I could get was via the power button and hard reboot. Again, I moved on and completed the remaining steps. And again, after the machine seemed to be running as it should, I tried running RootRepeal again with the same error.

    While things seem to be working well these lingering problems leave me wondering about the underlying health of the system. I have attached all the logs that were created during the successful steps. Thank you in advance for any feedback or insight that you may have.
     


  2. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Hi and welcome. I am currently reviewing your logs and will post back with a set of instructions as soon as possible.
     
  3. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    1. What do you know about these files? Did you rename one to include a .vir extension?

    c:\windows\system32\convmem.dll.vir
    c:\windows\system32\convmem.dll


    2. Now we need to use ComboFix
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    • If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
    • Open Notepad and copy/paste the text in the below quote box. Ensure you scroll down to select ALL the lines:
    Code:
    KILLALL::
    
    FileLook::
    c:\windows\system32\convmem.dll
    
    DirLook::
    c:\documents and settings\marty_2\Local Settings\Application Data\{FE0D66B9-3872-4C6E-8B02-900771C9A1E7}
    
    File::
    c:\windows\Afijefayo.dat
    c:\windows\Vlilaxu.bin
    c:\windows\system32\config\systemprofile\Application Data\qvjsge.dat
    c:\documents and settings\LocalService\Application Data\qvjsge.dat
    c:\documents and settings\NetworkService\Application Data\qvjsge.dat
    
    Folder::
    c:\program files\Viewpoint
    c:\documents and settings\All Users\Application Data\Viewpoint
    
    Registry::
    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
    "MoneyAgent"=-
    "PlaxoUpdate"=-
    "Yahoo! Pager"=-
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
    "WorksFUD"=-
    "Microsoft Works Portfolio"=-
    "XTNDConnect PC - ErPhn2"=-
    "nwiz"=-
    "QuickTime Task"=-
    "EarthLink Installer"=-
    "Iomega Automatic Backup 1.0.1"=-
    "NvCplDaemon"=-
    "WCOLOREAL"=-
    "NeroFilterCheck"=-
    
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe

      http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below

    Note:

    Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

    3. Also delete all files in the below folder except ones from the current date (Windows will not let you delete the files from the current day).

    4. Now try and install SUPERantispyware again. If successful, let it update > run a scan > and attach the log it creates into your next reply.

    5. Run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this and also the log from SAS.

    6. Let me know how the machine is running now.
     
  4. MDFletch

    MDFletch Private E-2

    Thanks for the quick turn.

    Results of your steps:

    1. I don't know anything about those files. I didn't rename them.

    2. Ran ComboFix. Log attached. One note: ComboFix reset the system about half way through, which restarted the Trend AV. Trend blocked one of the Windows system writes ComboFix was attempting. I shut down Trend again and ComboFix proceeded to the end. Not sure if the write ever happened.

    3. Done.

    4. SUPERantispyware still did not install. I got the "SuperAntiSpyware.exe is not a valid Win32 application" error again.

    5. Done. Logs attached.
     


  5. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Now we need to use ComboFix
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    • If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
    • Open Notepad and copy/paste the text in the below quote box. Ensure you scroll down to select ALL the lines:
    Code:
    KILLALL::
    
    File::
    c:\windows\system32\convmem.dll.vir
    c:\windows\system32\convmem.dll
    
    Folder::
    c:\documents and settings\marty_2\Local Settings\Application Data\{FE0D66B9-3872-4C6E-8B02-900771C9A1E7}
    
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe

      http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below

    Note:

    Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this.

    Be sure to let me know how things are running for you now! :)
     
  6. MDFletch

    MDFletch Private E-2

    Again thanks for the fast turn.

    Completed steps and logs attached.

    Just FYI: I tried installing SuperAntiSpyware after all steps were done and I got the "SuperAntiSpyware.exe is not a valid Win32 application" error again.

    Other than the above not installing, the system seems to be working fine.
     


  7. SUPERAntiSpy

    SUPERAntiSpy Private E-2

  8. MDFletch

    MDFletch Private E-2

    SUPERAntiSpyware Portable did run - thanks. Logs attached. Given this log and the previous ComboFix logs, does it appear that I am clean?
     


  9. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Now we need to use ComboFix
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    • If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
    • Open Notepad and copy/paste the text in the below quote box. Ensure you scroll down to select ALL the lines:
    Code:
    KILLALL::
    
    Registry::
    [-HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager\appcertdlls]
    
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe

      http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below

    Note:

    Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this.
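    The CFScript blocks in the ComboFix steps above (posts 3, 5 and 9) share one small format: a section header ending in "::", then one path or registry line per row. Below is an added parser of my own (not ComboFix's code and not from anyone in this thread) that turns such a script into a list of actions and flags malformed lines, so you can see exactly what a script will touch before dragging it onto ComboFix.exe; SAMPLE is a constructed excerpt of the posted scripts, and treating FileLook::/DirLook:: as report-only sections is an assumption.

```python
"""Parse a ComboFix CFScript into (actions, problems).  Added example for this
thread, not ComboFix's own code.  [-KEY] deletes a key and "Name"=- deletes a
value as in the posted scripts; FileLook::/DirLook:: as report-only sections is
an assumption, and SAMPLE is a constructed excerpt of the posted scripts."""
import re

SECTIONS = {"File": "delete_file", "Folder": "delete_folder",
            "FileLook": "report_file", "DirLook": "report_dir"}


def parse_cfscript(text):
    actions, problems, section, key = [], [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        head = re.fullmatch(r"(\w+)::", line)
        if head:  # section header such as "File::"
            section, key = head.group(1), None
            if section == "KILLALL":  # stop running processes before the fixes
                actions.append(("kill_all_processes", None))
            continue
        if section == "Registry":
            m = re.fullmatch(r"\[(-?)(.+)\]", line)
            if m:  # "[-KEY]" deletes the key; "[KEY]" just opens it
                key = m.group(2)
                if m.group(1):
                    actions.append(("delete_key", key))
                continue
            m = re.fullmatch(r'"([^"]+)"=-', line)
            if m and key:  # '"Name"=-' deletes a value under the open key
                actions.append(("delete_value", key + "\\" + m.group(1)))
            else:
                problems.append("bad registry line: " + line)
        elif section in SECTIONS:
            if re.match(r"[A-Za-z]:\\", line):  # only absolute paths are accepted
                actions.append((SECTIONS[section], line))
            else:
                problems.append("relative path: " + line)
        else:
            problems.append("line outside a known section: " + line)
    return actions, problems


SAMPLE = r"""KILLALL::
File::
c:\windows\system32\convmem.dll.vir
Registry::
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"MoneyAgent"=-
[-HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager\appcertdlls]
"""
```

Calling parse_cfscript(SAMPLE) yields four actions (kill processes, delete the .vir file, delete the MoneyAgent value, delete the appcertdlls key) and no problems; a path without a drive letter is reported rather than silently accepted.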
     
  10. MDFletch

    MDFletch Private E-2

    Hi. Latest round run and logs attached. Thanks!
     


  11. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources (except a little disk space) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note that the quotes are required.
      • "%userprofile%\Desktop\combofix" /uninstall
        • Note: the space between combofix" and /uninstall must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
    3. Go back to step 6 of the READ ME and re-enable your Disk Emulation software with Defogger if you had disabled it.
    4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. If running Vista, it is time to make sure you have re-enabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    7. Go to add/remove programs and uninstall HijackThis.
    8. Go to the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders
      related to MGtools and some other items from our cleaning procedures.
    9. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures pointed to by step 7 of the READ ME
        for your Window version and see the instructions to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    10. After doing the above, you should work through the below link:
     
  12. MDFletch

    MDFletch Private E-2

    Thanks! I will work through these steps. One last question: any thoughts on why RootRepeal won't install and run?
     
  13. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Yes. It only has a 50% chance of running in the first place on most machines :)
     
  14. MDFletch

    MDFletch Private E-2

    :) OK. Thanks.
     
  15. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    No problem. Safe surfing :)
     
  16. MDFletch

    MDFletch Private E-2

    Would it be typical for the system to automatically perform a chkdsk on the reboot of the system restore toggle procedure?
     
