Switched HomePage to www.FINDERG.com

Discussion in 'Malware Help (A Specialist Will Reply)' started by scottportraits, May 13, 2008.

  1. scottportraits

    scottportraits Private First Class

    May 13, 2008, 5:45 pm EST

    Hello Again,

    Some quirky problems with my PC....ran many scans and tests to determine if I'm infected....but no infections found.

    First, the symptoms. I use Firefox as my default browser, and have IE7 installed for occasional use. Launched IE7 last night and noticed the home page was different. Usually it is Google, but it had changed to www.FINDERG.com.
    I tried to switch it back to Google by going to Tools > Internet Options, but this window pops up saying:

    RESTRICTIONS.
    X (red X) This operation has been canceled due to restrictions in effect on this PC. Contact System Administrator.

    I have administrative rights, or used to, so it should not be blocking me. Cannot open Tools > Internet Options window.

    When I launched SUPER Anti-Spyware to do an update and scan, I ran into this pesky window:

    SUPER Anti-Spyware ALERT:
    Home page changed - to: www.finderg.com.
    If you did not make this change, (I didn't) then you may have spyware or adware on your PC.

    However, the Super Anti-Spyware scan completed and found no traces of malware. No Infections.

    When I tried to do Panda's ActiveScan 2.0 online, I ran into an update error: updating incomplete due to error. Try Again. Over and over, but no update or online scan will run.

    And neither will Symantec's online virus scan. It hits a brick wall and proclaims my browser (IE7) is not sufficient.

    And when I surf around with IE7 I notice in the lower left hand corner a note that the page is loaded, but with errors, or a little yellow triangle with an exclamation point ! inside it. Almost all sites do this.

    Finally, when I try to shut down the PC, going to Start > Turn off Computer, it freezes up, stuck, with the little hourglass icon, and won't shut down. I have to open Task Manager (Ctrl + Alt + Delete) to get it to 'Shut Down' and 'Turn off'.

    Also ran Norton SystemWorks 2003 'One Button Check-up', but found no errors to fix.


    Did the whole cleaning and scanning routine. The scans/tests I ran are:

    1. AVG Anti-virus, Home Ed. (My subscription A/V service); no infections found.

    2. Kaspersky Online Scanner; no infections found.

    3. Spybot S&D - Free Ed.; no infections found.

    4. A-Squared, Trojan Scanner; Free Ed., & online scan - no infections found.

    5. SUPER Anti-Spyware, Free Ed.; - no infections found.

    6. Ad-Aware Lavasoft, Free Ed.; - no infections found.

    7. I also have SpywareGuard & SpywareBlaster installed and running in the background....

    8. Symantec Online Security Test Scan; after downloading the ActiveX controls, and the installation & definition updates, as it begins the scan....it stops and says it cannot proceed because you need higher than IE 5 (I have IE 7). Stopped cold.

    9. Panda Online Scan - Refuses to run or update the definitions (already have it installed on PC). Stopped cold.

    So I am at a loss regarding what to do next. Since the logs show no infections, I have not included them. However, I append here the HiJackThis log which I just ran.

    Any help or suggestions ??

    Thanks,

    -scottportraits

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 5:41:53 PM, on 5/13/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16640)
    Boot mode: Normal

    Edit by chaslang: Inline HJT log removed. READ & RUN ME sticky not followed.
     
    Last edited by a moderator: May 16, 2008
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Re: Switched HomePage to www.FINDERG.com

    Welcome to Major Geeks!

    First make sure you are not blocking home page changes with software that you are using, like SUPERAntiSpyware or AVG ( or any other program ).

    You have services from Norton Antivirus trying to load. Run this Norton Removal Tool (SymNRT) then reboot and run it a second time.

    Please follow the instructions in the below link and attach the requested logs when you finish these instructions.

    READ & RUN ME FIRST. Malware Removal Guide
     
  3. scottportraits

    scottportraits Private First Class

    Re: Switched HomePage to www.FINDERG.com

    Wed night, May 14, 2008, 11:30 pm EST

    Hello Again,

    Thank you for the Norton Removal Tool....it took several passes to finally get "Ghost Start Services" off the plate, but it finally yielded with all the other Symantec junk. I only installed SystemWorks 2003 for the two utilities I liked to use, namely the 'One Button Check-Up', and the 'WinDoctor'; but from henceforth I will abstain from Norton et al and stick with my subscription AVG and the CCleaner registry sweeper.

    So I went down the list meticulously....which has gotten more complicated than the last time I was here. Anyway, a brief recap of all I did includes:
    1) Removed all unused (or questionable) apps from the 'Add/Remove' list;
    2) Used CCleaner: a.) in general, b.) on the Registry Entries, and c.) on Start-Up items;
    3) Defragmented the Hard Drives (with Diskkeeper Lite);
    4) Uninstalled old Java and downloaded/installed new up-to-date version;
    5) Ran multiple scans with: Spybot S&D, AVG A/V, SUPER Anti-Spyware, MalwareByte's Anti-Malware, A-Squared Free Ed., Kaspersky online scan, and Dr. WebCureIt.
    The Dr. WebCureIt found trojans, viruses, and other entries, which it healed.

    For some reason my IE7 browser is being rejected by Symantec's Online virus scanner, and also Panda's Online scanner. Can't do them.

    I can already see hidden files, system files, and extensions. I configured Spybot exactly as directed, as well as MalwareByte's scanner. Ran SUPER Anti-Spyware but found no infection. Ran Spybot and found nothing. Ran MalwareByte's and found nothing. I'll include the logs in an attachment, but Spybot didn't generate one I can get at.

    Now, I ran ComboFix two ways (by accident). I recalled running it (or some other utility) after the first run, next in safe-mode. So I booted up in safe-mode after first running it in normal mode. Anyway, I'll include just the second log, which was done both times in normal mode, and which were prompted by going to Start > Run and pasting in that KILLALL command. Incidentally, my clock is still set at military time, i.e., 23:04pm. Can we fix this?

    Next I ran MGTools and have included the zip file with the logs. Spybot was clean and yielded no easily obtainable log, but I have them for Kaspersky, Super Anti-Spyware, AVG A/V, and A-Squared. However I am including only the ComboFix log (with KILLALL) and the MalwareByte quick scan log.

    I only missed one thing. I didn't go to Run > msconfig > and click the "Normal Startup" radio button. I was afraid to. Never did it before, and noticed it checked the boxes on ALL of the StartUp tab's list....many many I didn't even recognize. If it is crucial, you will have to walk me thru that process again.

    So I will surf around and see how she is performing. Getting rid of all that Symantec junk (which they impose on you aggressively) was very helpful. Dr. WebCureIt was also extremely helpful, since it detected and deleted many infected files and entries.

    So here it all is, and I anxiously await your diagnosis and recommendations.

    -Yours truly

    - scottportraits
     

    Attached Files:

  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Re: Switched HomePage to www.FINDERG.com

    Actually it is much simpler and shorter now than even about 6 months ago. You ran a bunch of things we did not request (like online scans and Dr WebCureIt) and we only want you to run the scans ONE time and attach the logs. Running the scans multiple times and attaching the last log prevents us from seeing what your original problems were and hides necessary information from us that we may need to properly fix your PC. In the future, only do what is requested and nothing else.

    You have to create the log, but we do not ask for one since we normally don't need it.

    Again running scans multiple times is not requested and prevents us from seeing what we need to see. Also the procedure does not say to run ComboFix in safe mode. That would only be a fall back if it could not be run in normal boot mode.

    This is a sign that ComboFix did not run properly. I will give you a fix for this now but you may need to apply this fix again later since we could be using ComboFix again. I'm looking at your logs now.

    You can fix your clock from Control Panel -> Regional and Language Options and then on the Regional Options tab click the Customize button, then on the next form click the Time tab. Then change the Time format to what you want. It explains there what the lower case and upper case letters will do. Upper case H is giving you 24 hour clock settings.

    Not required or requested.

    You need to do this now. See step 1 of the READ ME and follow the instruction. Also you need to disable Spybot's Teatimer (see the READ ME instructions) which I saw you had in MSconfig. I cannot give a fix until you do this, and then you will need to attach a new log from MGtools.
     
  5. scottportraits

    scottportraits Private First Class

    Re: Switched HomePage to www.FINDERG.com

    Thursday, May 15, 2008, 12:30 pm EST

    Gee, I hope I didn't goof up the process so bad that you can't find out what went wrong. I checked Spybot, and I had left it in 'Advanced' mode. Tea Timer was already un-checked, as directed, but the other box, 'SDHelper' was left checked. So I unchecked it....
    I used Tea Timer for a while in March and it got on my run menu. Noticed it was cumbersome, and I mainly use Mozilla Firefox, so unchecked it long ago. It stayed on the run menu, but was unchecked. Now 'SDHelper' is also unchecked, as are all the IE Tweak "locks". I reverted Spybot back to default mode now.
    Before I go to Run > msconfig, and change it to 'Normal' StartUp, and then reboot, you'll have to tell me which scans or fixes to run. Should I run that ComboFix with KILLALL command? Will I be re-running the MalwareByte, Spybot, and SUPER Anti-Spyware scans again in this strange new mode which I will be experiencing for the first time? Will I run the MGTools.exe log generator after all that?

    I know how to change it to 'Normal' StartUp, but will wait until further instructions tell me what to do and in what order.

    Many thanks for your patience,

    - scottportraits
     
  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    This one should be checked.


    As stated in my last message you just need to rerun MGtools. Actually the easiest way is to just do the below.

    Run the C:\MGtools\GetLogs.bat file by double clicking on it.


    Then attach the below log:
    • C:\MGlogs.zip
     
  7. scottportraits

    scottportraits Private First Class

    Re: Switched HomePage to www.FINDERG.com

    3:05 am EST

    Alright !!!

    Reset the msconfig to 'Normal startup', rebooted, and ran MGTools.exe.
    The file C:\MGTools was generated, with all the goodies inside. Found the GetLogs.bat file and clicked it. Seems to have run the test again. Anyway, the resulting .zip file is attached, hope I did it right and both tests' results are in there.

    This is a good forum.

    - scottportraits
     

    Attached Files:

  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Re: Switched HomePage to www.FINDERG.com

    You did not need to run MGtools.exe. Only Getlogs.bat needed to be run. Once MGtools.exe has been run the first time, all the programs are already installed as necessary. From then on it is only necessary to run GetLogs.bat. The MGtools.exe file can even be deleted.

    According to your logs, Spybot's Teatimer is still running. Did you get the new logs before disabling Teatimer? Please disable it now if you have not already done so. See this: How to disable Spybot's TeaTimer

    Now uninstall Spyware Guard. It is too out of date to be useful anymore and you have Windows Defender and AVG8 giving you protection. You don't need Spyware Guard complicating things. I also suggest that you uninstall A-squared.

    You also appear to have been using multiple RAM type management programs. I suggest that you don't use any of these. Windows XP does an adequate job managing memory making 3rd party tools really unnecessary.


    Run this Disable/Remove Windows Messenger to remove Windows Messenger. Do not confuse Windows Messenger with MSN Messenger because they are not the same. Windows Messenger is a frequent cause of popups.

    You should delete the below temp files in your root folder which are wasting almost 800 Mb of disk space:
    Code:
    "C:\"
    107.tmp       Feb 16 2008    54526464  "107.tmp"
    1cc.tmp       Feb 18 2008    54526464  "1CC.tmp"
    1e1.tmp       Feb 19 2008    54526464  "1E1.tmp"
    1ef.tmp       Feb 18 2008    54526464  "1EF.tmp"
    239.tmp       Feb 23 2008    54526464  "239.tmp"
    395.tmp       Feb 22 2008    54526464  "395.tmp"
    481.tmp       Feb 19 2008    54526464  "481.tmp"
    677d.tmp      Mar 17 2008    54526464  "677D.tmp"
    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O4 - HKLM\..\Run: [RAMBooster.Net] C:\Program Files\RAMBooster.Net\RAMBooster.exe -m
    O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
    O4 - HKCU\..\Run: [WinMem] C:\Program Files\WinCleaner Memory Optimizer\WinMemOpt.exe
    O4 - Global Startup: Event Reminder.lnk = C:\Program Files\PrintMaster 16\pmremind.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} -
    O16 - DPF: {CAFEEFAC-0015-0000-0014-ABCDEFFEDCBA} (Java Plug-in 1.5.0_14) -
    O16 - DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} (Java Plug-in 1.6.0_03) -
    After clicking Fix, exit HJT.

    Now we need to use ComboFix to remove a bunch of malware files.
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Open Notepad and copy/paste the text in the below quote box into it:
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below
    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.


    Copy the bold text below to Notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.
    Make sure that you tell me if you receive a success message about adding the above
    to the registry. If you do not get a success message, it definitely did not work.


    Now run Ccleaner!

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it.

    Then attach the below logs:
    • C:\ComboFix.txt
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
  9. scottportraits

    scottportraits Private First Class

    Sunday, May 18, 2008, 7:30 pm EST

    Hi Chas,

    Well, after disabling 'Tea-Timer' under the 'Resident' tab of Tools in 'Advanced Mode' of Spybot S&D, I reverted it back to 'Default Mode'. Then I ran the last scan with msconfig > Run > 'Normal StartUp'. That's how I thought it was supposed to be. So now, after your last post, I checked. Launched Spybot, clicked from 'default' to 'advanced', opened 'Tools', and opened 'Resident'. Well, I don't know why, but the 'Tea-Timer' box is unchecked, like I had it before. Also, the other box, with 'S D Helper' IS CHECKED, like you told me. So I will leave Spybot in 'Advanced Mode' and we'll see if Tea-Timer keeps getting activated. I can't understand why it would, since I changed that a long time before running the last MGLogs. I just switched it back afterwards to 'Default Mode'.

    Next, I uninstalled SpywareGuard and will just run SpywareBlaster. Somewhere I read it was good to run both, but I can see how it might conflict. SG is gone. And so is A-Squared; both uninstalled and purged from my system.

    I am only running one (that I know about) RAM management app, called FreeRAM XPpro, by YourWare Solutions. It was freeware, and seemed to speed things up, so I've been using it for a few years. The only other one I know about was Windows Memory Optimizer, which I thought I uninstalled a long time ago. I cannot find it on my installed apps list, or on the file tree of C:\Program Files. Where are these other RAM speeding programs hiding on my machine ??? I can't find them now....

    I downloaded the 'Messenger' removal tool and ran it. I thought I had already disabled everything connected with Messenger from the My Computer > 'Manage' > 'Services' tab's list. It was NOT on my list of Add/Remove Programs...so after running the removal tool I also went to C:\Program Files\Messenger and manually deleted that file.

    Then I looked for the temp files in the root folder that you say are wasting 800MB's of space. I found them under C:\ in the right pane, but not on the file tree. Deleted 'em like you told me. They are gone.

    Now I tried to run MGTools but only get the C:\WINDOWS\system32\cmd.exe window which launches the whole kaboodle. It generated a new MGLogs.zip file, and made a new MGTools folder on the C:\ tree. I had deleted them last week. Inside the newly formed MGTools folder is an 'analyse.exe' icon for HiJackThis......so I hit that option....it ran HiJackThis.

    I did not find the top four entries. I had uninstalled RAMBooster months ago, and WinMemory Optimizer was also uninstalled a while ago. ALCMTR.exe has to do with the sound card and audio driver, I think, but I disabled that from msconfig > run menu during this episode of malware cleaning. How come they still leave a trace that you can see, but I don't ??

    Didn't show up in HiJackThis 'System Scan Only' window:

    O4 - HKLM\..\Run: [RAMBooster.Net] C:\Program Files\RAMBooster.Net\RAMBooster.exe -m
    O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
    O4 - HKCU\..\Run: [WinMem] C:\Program Files\WinCleaner Memory Optimizer\WinMemOpt.exe
    O4 - Global Startup: Event Reminder.lnk = C:\Program Files\PrintMaster 16\pmremind.exe

    All the rest did, after I checked 'em and fixed/deleted them (after closing the browser and any running apps.)

    Now, to the ComboFix test. Didn't go to Run > msconfig and click radio button for 'Normal StartUp'. Was I supposed to? Anyway, dragged .txt file with KILLALL stuff copied onto it from desktop to ComboFix icon on desktop. Scan begins. Then after a while it shut down my machine to restart. It took a long time to save settings and shut down, a symptom I've been having for a while now.
    Upon reboot I also got the System Configuration Utility window since I had deleted programs like FreeRAM XPpro that previous session. Just let ComboFix run its course....and it generated a log which I have saved.

    Then I copied the bold text onto Notepad as an 'all files' type, saved it as fixme.reg to the desktop. It had a registry icon with little blue boxes....clicked it and after asking and getting confirmation it said the registry addition was successful. Whew!!

    Ran the GetLogs.bat command and generated a 'new logs' ZIP file. Here is that log, and the combofix log, as you've requested.

    I would like to shut-down the machine now and see if it takes a long time to save settings and restart........I will let you know how things are going, after you analyse the logs, in my next post .

    Thank you for the excellent help, Chas....it is well appreciated.

    -scottportraits
     

    Attached Files:

  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Most of your problems are occurring because you keep on insisting on using MSconfig to control startups, which you have done again now. You have even put Teatimer back into MSconfig again. Until you put your PC into normal startup mode with MSconfig and leave it that way, I can no longer help you. You MUST STOP using MSconfig. Put your PC in normal startup, reboot, and then attach a new MGlogs.zip file after running C:\MGtools\GetLogs.bat. Do not run MSconfig anymore.
     
  11. scottportraits

    scottportraits Private First Class

    Sun, May 19, 2008, 1:00 am EST

    Hello Chas,

    I am having a serious misunderstanding about the startup run menu, and its behaviors. I always started up by run > msconfig > 'Normal' startup. I don't know when or how or why I tried 'Selective' startup, but I must have misunderstood big time. I'm sorry about that. Or maybe it is a symptom of malware damage.....

    Here's my problem now:
    When I switched it back to 'Normal' StartUp, it automatically checks every single box on every single item that ever got on that last tab, StartUp list. When I go and try to uncheck all but the 5 I need, it automatically reverts back to 'Selective' startup, against my will. When I hit the 'Normal' radio button again, every single box gets checked, again....about two dozen things, some long scrubbed from the PC. It re-starts TeaTimer, for example.
    Right now it is set for 'Normal' startup. Fine. But stuff is checked there that shouldn't be. Lots of stuff. And I know exactly which ones should be checked, there are five items, but can't get it to do that. If I start unchecking even one box it reverts the thing back to 'Selective' startup.
    What to do ??

    I'm guessing it is from malware damage, because I used to be able to uncheck things running there in 'Normal', and it would stay in Normal mode. Now, if I uncheck even one item it forces it back to 'Selective'.

    What do you think ?? On restart every single box is checked, things are running that have been uninstalled, like FreeRAM XP and TeaTimer, and SpywareGuard.....it must be malware damage....

    Anyway, it is in Normal startup mode now, with every single box stubbornly checked and refusing to be unchecked without slipping back into Selective mode.

    I ran the GetLogs.bat again, in this situation, and here is the MGLogs.zip file from 10 minutes ago.....

    Thanks C,

    - scottportraits
     

    Attached Files:

  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I repeat!!! You should not be using MSconfig to control startups anyway. Read step 1 in the READ ME again.


    Okay now read the below about ALCMTR.EXE which is why we are fixing it:
    http://www.bleepingcomputer.com/startups/ALCMTR.EXE-240.html


    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O2 - BHO: (no name) - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - (no file)
    O2 - BHO: (no name) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - (no file)
    O3 - Toolbar: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - (no file)
    O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
    O4 - HKLM\..\Run: [combofix] C:\WINDOWS\system32\kmd.exe /c C:\ComboFix(2)\Combobatch.bat
    O4 - HKLM\..\Run: [RAMBooster.Net] C:\Program Files\RAMBooster.Net\RAMBooster.exe -m
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [WinMem] C:\Program Files\WinCleaner Memory Optimizer\WinMemOpt.exe
    O4 - Global Startup: Event Reminder.lnk = C:\Program Files\PrintMaster 16\pmremind.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} -
    O16 - DPF: {CAFEEFAC-0015-0000-0014-ABCDEFFEDCBA} -
    O16 - DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} -

    After clicking Fix, exit HJT.

    Now reboot your PC!

    Now run Ccleaner!

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it.




    Then attach the below log:
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
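    Triaging a HijackThis listing like the two above, as an added example that is not part of this thread or of HijackThis itself: the sample lines are the entries quoted in the thread plus one benign Java updater entry, and the rules (orphaned "(no file)" BHO/toolbar registrations, a Run key naming a bare executable without a path, a leftover ComboFix Run entry, the IE Restrictions policy key that blocks Tools > Internet Options, and ActiveX DPF entries with no download URL) are my own heuristics, not HijackThis logic.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: the HijackThis entries quoted in this thread, plus one
# benign Java updater entry so that something passes the checks unflagged.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - (no file)
O3 - Toolbar: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - (no file)
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [combofix] C:\WINDOWS\system32\kmd.exe /c C:\ComboFix(2)\Combobatch.bat
O4 - HKCU\..\Run: [WinMem] C:\Program Files\WinCleaner Memory Optimizer\WinMemOpt.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} -
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
"""


@dataclass
class Finding:
    section: str                                  # HijackThis section code, e.g. "O4"
    raw: str                                      # the entry as it appears in the log
    reasons: List[str] = field(default_factory=list)


ENTRY_RE = re.compile(r"^(O\d+) - (.*)$")
# Run-key entries look like "HKLM\..\Run: [name] command line"
O4_RUN_RE = re.compile(r"^(?P<hive>HK\w+\\\.\.\\Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# ActiveX download entries look like "DPF: {CLSID} (description) - URL"
O16_RE = re.compile(r"^DPF: (?P<clsid>\{[0-9A-Fa-f-]+\})(?P<desc>.*?) -\s*(?P<url>\S*)$")


def executable_of(cmd: str) -> str:
    """Return the program part of a Run-key command line, quoted or bare."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    # Unquoted: the program ends at the first ".exe" (the path may contain spaces).
    m = re.match(r"(?i)(.*?\.exe)", cmd)
    return m.group(1) if m else cmd.split(" ")[0]


def triage_line(line: str) -> Optional[Finding]:
    """Apply the heuristic rules to one log line; return a Finding only if a rule fires."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    section, body = m.group(1), m.group(2)
    f = Finding(section, line.strip())
    if section in ("O2", "O3") and body.endswith("(no file)"):
        f.reasons.append("orphaned BHO/toolbar registration: the file it points to is gone")
    if section == "O4":
        run = O4_RUN_RE.match(body)
        if run:
            exe = executable_of(run.group("cmd"))
            if "\\" not in exe:
                f.reasons.append(f"Run entry [{run.group('name')}] names {exe} without a path; "
                                 "it is resolved via the search path, not a fixed location")
            if "combofix" in run.group("name").lower():
                f.reasons.append("leftover ComboFix Run entry: the tool did not finish cleanly")
    if section == "O6" and body.endswith("Restrictions present"):
        f.reasons.append("IE Restrictions policy key is set; this is the policy that "
                         "produces 'canceled due to restrictions' on Tools > Internet Options")
    if section == "O16":
        dpf = O16_RE.match(body)
        if dpf and not dpf.group("url"):
            f.reasons.append("ActiveX (DPF) control registered with no download URL recorded")
    return f if f.reasons else None


def triage(log_text: str) -> List[Finding]:
    """Run triage_line over a whole log and keep only the flagged entries."""
    return [f for f in map(triage_line, log_text.splitlines()) if f is not None]


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding.raw)
        for reason in finding.reasons:
            print("   ->", reason)
```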
     
  13. scottportraits

    scottportraits Private First Class

    Mon morning, May 19, 4 am EST

    Okay, I re-read step one in the 'Do This First' list....and my msconfig is set for 'Normal' startups. This, for whatever reason, is causing ALL the junk to be checked under its last tab, Startup. Dozens of old things.

    At any rate, it's been set to 'Normal' mode and will stay that way until you tell me otherwise. I think this is a symptom of the malware damage....pretty clever sabotage, I'd say.

    Ran the HijackThis 'System Scan Only', and picked out each one of the entries you have on the last posted list. Closed browser and hit 'Fix All'. Fine. Rebooted....

    But upon rebooting I find the lower right task bar full of the supposedly deleted apps, like ALCMTR.exe, SpywareGuard, FreeRAM XP, etc. !!! Just taking a fast peek at the Run > msconfig > Normal Startup > Startup list I find all those ones we supposedly deleted are still there ! Every single (about 2 dozen) items on that list are STILL checked.....so the malware is keeping these ghosts haunting the machine. Deviously insidious malware, I might add.

    So I launched CCleaner and went to the Tools section, and tried deleting the offending (startup) running processes from there. This must have worked.

    Now, As I go to Run > msconfig > Normal startup > Startup (list) I find there only the five I really need, and checked. They are 1) AVG Anti-Virus; 2) Sygate Firewall; 3) Printer spooler for little printer (C88); 4) Printer spooler for big printer (R280); and 5) Windows Defender. All the other 'ghosts' are gone !! It looks so....clean !!

    So from here on I'll leave the msconfig set to 'Normal' and do any alterations/deletions through CCleaner's Startup deleter, and not try to control the startup menu from msconfig. I also went to C:\Doc & Settings\OWNER\Startup\ and one by one deleted all these apps that were hiding out in that location.

    Here is the newest MGLogs.zip file (from running GetLogs.bat) , which I ran 10 minutes ago. I am turning in now, so my next post will be in the morning around 10am est.

    Good night Chas,

    -scottportraits
     

    Attached Files:

  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    All items are supposed to be checked! That is what normal startup mode is.

    This has nothing to do with malware. These are from applications you installed. When you used MSconfig to stop things from loading and then later uninstalled the applications, the uninstall was incomplete due to using MSconfig. This is mentioned in the Dealing with Startup Processes link.

    Again this is not malware. It is what you installed. SpywareGuard was not in your startups anymore based on the last logs. You are getting everything confused yourself by not following instructions and jumping the gun doing things on your own.

    You should not be using CCleaner to do anything for two reasons:
    1. I did not ask you to do so
    2. it does not create backups, and thus anything you remove and later decide you want cannot be restored.
    We have not really been dealing with any malware issues for awhile. Your logs are clean. We were just trying to fix things you did.

    If you are not having any other malware problems, it is time to do our final steps:
    1. You can uninstall SUPERAntiSpyware now.
    2. We recommend you keep Malwarebytes Anti-Malware as a scanner. It uses no resources except a little disk space until you run a scan.
    3. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop & renamed it like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\cf" /u
        • Notes: The space between the cf" and the /u, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
      • Delete the C:\cf folder from combofix.
    4. If we used SmitFraudFix, you can delete all files and folders related to it now including the c:\rapport.txt log.
    5. If we used VundoFix, you can delete the VundoFix.exe file and the C:\VundoFix Backups folder and C:\vundofix.txt log that was created.
    6. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    7. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    8. Go to add/remove programs and uninstall HijackThis.
    9. You can delete the C:\MGtools folder and the C:\MGtools.exe file. You can also delete the C:\MGlogs.zip
    10. If you are running Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning steps in the READ ME for your Window version and see the steps to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    11. After doing the above, you should work thru the below link:
     
  15. scottportraits

    scottportraits Private First Class

    May 21

    Okay, back again.
    Started with the final steps phase. Uninstalled SUPER Anti-Spyware. Left MalwareByte's app. Uninstalled ComboFix from desktop with Run > "%userprofile...." command, and deleted the C:\cf folder .... Did not run VundoFix or SmitFraudFix. Deleted the fixme.reg patch. Uninstalled HijackThis. Deleted C:\MGTools folder and other MGTools stuff.

    I did the 'Disable System Restore' technique, rebooted, and then ran my subscription AVG anti-virus, Spybot, and Ad-Aware. Well, I was surprised to see AVG caught a whole bunch of items under its 'Warnings' tab, but not under 'Threat' or 'Infection'..... They all said 'adware', but some said virus, trojan, etc. (?)
    Spybot came up clean, but for some log entries (which we've seen before in these cleanings), one in particular, SchedLgU.txt, that refused to be fixed. Spybot asked if it could fix on restart, which I consented to. But on reboot it sticks and I can not delete it from its home in C:\Windows.....like I say, we've been through this one before. I knew I could get it out in safe-mode.

    As far as the AVG scan went, I asked to quarantine or remove or delete the 'warnings', which were dozens. It asked if I was sure, then again warned it was irrevocable, etc. I tried to remove, but not sure if it did or what exactly happened. So I turn System Restore off and reboot. This time up into safe-mode.
    Once in safe-mode I run Spybot and was able to expunge that SchedLgU.txt file. Ad-Aware also had an infection which I quarantined and deleted. But the AVG scan was the most dramatic and interesting....
    First, it took all night. Second, it immediately started to generate a formidable 'warning' list. That list, which was run through the run command line window (like ComboFix or the other run > command line scans) was loaded with generic adware registry entries. For the most part, they looked like this:

    HKLM\Software\Microsoft\Internet Explorer\ActiveX Compatibility\ {3650-5764957jdlse;p (registry number codes) 456394yehd} and something like 'generic adware' or 'vundo adware', or 'trojan bomka', 'ConHook.I', etc.

    The list was over 2 dozen, maybe three. I had tried to open IE7 and do an online Symantec and Panda scan once previously, while still in normal mode, and IE7 rejected them both and would not let them run. The Symantec one downloaded Active X stuff, and definitions....and some entries in the 'warnings' list had 'Symantec' in them..... I think IE7 has some crud in it.

    I'm back up again in Normal Mode now. System Restore is enabled. Main thing I notice is it takes a long time to shut down. First thing back up into Normal was to set a new system restore point, then purge all restore points except the most recent. Shutting down takes 4 & 1/2 minutes. From Start/Turn Off Computer to little hourglass on desktop is 2 minutes, then from hitting 'restart' or 'turn off' through blue screen saving settings and shutting down is 2 & 1/2 minutes. Way too long. Not sure what happened. Did I goof something up ?
    Maybe I should have left all those AVG registry entries.....

    Actually AVG saved this 'Command Line' scan (from Safe-mode) and it appears they were moved to the virus vault and I deleted them. I still have the log, but it is in Excel format, not able to append here.

    Another strange thing: Windows Defender has an error icon in the tray now. Open the dialog and it was unable to update and run its scan. Try to update it and get "Error Code: 0x80248011" - 'can't check for updates'.

    So it's that error, and taking a long time to shut down, that's still an issue. What do you think, and how do you like this ?? I must be crazy....

    - scottportraits
     
  16. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    AVG8 has a bug that they are not fixing. See the below threads:

    AVG 8 suddenly reporting a large number of "warnings"

    Malware Keeps Returning
    Not malware! See http://www.safer-networking.org/en/faq/6.html

    The new AVG is significantly slower than the previous version. This is supposedly due to the fact that it performs more detailed scanning.

    This is not a malware issue. It is just how Windows works in most cases and due to what you are running and what needs to be shut down gracefully.

    This is also not malware. See this: http://support.microsoft.com/?id=883821
     
  17. scottportraits

    scottportraits Private First Class

    Alright !!!

    Well, the Windows Defender glitch is fixed, and I guess we'll wait for AVG to work out the bugs in their version 8.

    Shutdown went fast and easy now, so I guess it's digested all the settings and made them part of the protocols.

    My rig seems to be running fine now, everything ship-shape. Mind if we leave the post open for a couple of days while I surf around and try her out ???

    Thanks Chas for all your help. I learned quite a bit, especially about msconfig and normal startups. We are all very lucky to have guys like you around to help us battle the foes who make malware.

    Keep up the great work !!

    Sincerely,

    -scottportraits
     
  18. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome.


    If you are not having any other malware problems, it is time to do our final steps:
    1. You can uninstall SUPERAntiSpyware now.
    2. We recommend you keep Malwarebytes Anti-Malware as a scanner. It uses no resources except a little disk space until you run a scan.
    3. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop & renamed it like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\cf" /u
        • Note: the space between the cf" and the /u must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
      • Delete the C:\cf folder from combofix.
    4. If we used SmitFraudFix, you can delete all files and folders related to it now including the c:\rapport.txt log.
    5. If we used VundoFix, you can delete the VundoFix.exe file and the C:\VundoFix Backups folder and C:\vundofix.txt log that was created.
    6. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    7. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    8. Go to add/remove programs and uninstall HijackThis.
    9. You can delete the C:\MGtools folder and the C:\MGtools.exe file. You can also delete the C:\MGlogs.zip
    10. If you are running Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning steps in the READ ME for your Windows version and see the steps to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    11. After doing the above, you should work thru the below link:
     
  19. scottportraits

    scottportraits Private First Class

    Friday May 23, 2008 6pm est

    Yeah ! The PC is running smoothly and it is a joy to have her working with me and not against me. I honestly thought my motherboard was getting cooked when it first started to slow down from malware. A lot of multi-tasking.....

    Anyway, the only issue open to debate is with IE7. I like to be able to go online and do a scan from Panda, Symantec, Kaspersky, and A-Squared's sites, but my IE7 browser, the only one you can do those scans from, seems to reject Symantec's and Panda's since last year in fact.

    I've been led to believe uninstalling IE7 and falling back on IE6, then re-installing 7 is tricky at best. May not even be worth it if Symantec spikes your machine with adware or other 'Symantec' tattoos, which it apparently does.....leaves a mark or something.

    Other than that I am one happy camper now that we cleaned out my PC and gave it a new lease on life. At least there's one part of my life that's together. If the IE7 problem is negligible, then we can close this topic off now with a great big

    THANK YOU !!!!

    HooRay for MG, and its Techs and tools!!!

    -scottportraits
     
  20. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I don't know of any problems using IE7. You could try asking in the Software Forum, but first you should make sure that you are not the problem. Make sure that you are not blocking any popups or that you are not ignoring any messages in the information bar about allowing activex scripts to run.

    I don't know what you mean. There is no adware added to your PC when you run an online scan. However, all online scanners do have to download many files for their scripts to run and you will see O16 lines show up in a HijackThis log related to these.


    You're welcome. Surf safely.
     
