"system is infected. system has been stopped due to a serious malfunction...."

Discussion in 'Malware Help (A Specialist Will Reply)' started by Canzealander, Oct 23, 2009.

  1. Canzealander

    Canzealander Private E-2

    Hi there. I just got a call from my Mom to help her deal with a malware problem. Unfortunately my expertise consists of google and you guys so I am at a loss.

    Ok, so I don't have access to her computer and will not until Sunday (today is Friday evening where I am), so I just have a basic description of the problem and some basic questions.

    First, what happened is she downloaded a picture from photobucket. After she turned on her computer the next day (I think), a warning came up replacing her background but not her icons saying "your system is infected. system has been stopped due to a serious malfunction. spyware activity has been detected" or similar. The "your system is infected" thing was red and in all caps. The warning was in a black box on a blue background. The warning disappears to show her actual background momentarily when she shuts down the computer.

    She is running xp home, not sure if hers is up to date.

    Her antivirus is McAfee; she updated it by credit card AFTER seeing this warning on her computer. Should we be worried about this?

    There are no other computers on her network; is it safe enough to connect to the internet from her computer to solve this problem?

    McAfee was run and managed to quarantine 13 files, but the problem is still present.

    A dialog box occasionally pops up prompting her to download windows antivirus to help fix the problem. I have the suspicion that this will make things worse so I told her not to click it. Was I right in doing this?

    What information will you guys need, and what programs should we use to deal with this? What antivirus/antispyware combo do you recommend for later after this is dealt with? Should she cancel her credit card - is it compromised? Hopefully this is a common problem that is relatively easy to deal with. Thank you for your time, and even though I cannot access the computer until Sunday I will check the forum later on.

    -Canzealander
     
  2. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Welcome to Major Geeks!

    Please try doing the below:

    Download and save the below to your PC (save it anywhere you can find it. The Desktop is fine). Then double click on it to run it.

    AVPFind.bat

    It should take a couple minutes to run. You will see a black command prompt window while it is running and it should close when it is finished. Once it finishes, attach the c:\avplog.txt file that it will hopefully create, as long as the malware does not block the batch file from running.


    Now download and Run exeHelper

    • Please download exeHelper to your desktop.
    • Double-click on exeHelper.com to run the fix.
    • A black window should pop up, press any key to close once the fix is completed.
    • Post the contents of log.txt (Will be created in the directory where you ran exeHelper.com)

    Note: If the window shows a message that says "Error deleting file", please re-run the program before posting a log - and post the two logs together (they will both be in the one file).


    Also please try running the below online scan:

    http://www.superantispyware.com/onlinescan.html

    Reboot immediately after scanning if it finds and removes anything. Let me know if anything was found. It does not save a log.

    Then try running these instructions: Using MGtools


    Attach the below logs when finished with all of the above:

    • C:\avplog.txt - from AVPfind
    • log.txt - from exeHelper
    • C:\MGlogs.zip - from MGtools

    The C:\ assumes that drive C is your Windows boot drive. If you boot from another drive, then use the correct drive letter above.
     
  3. Canzealander

    Canzealander Private E-2

    Thanks for the quick response, but I also would like to know your opinion on whether her credit card was compromised or not. She made a purchase with it on her computer after it was compromised. Thank you.
     
  4. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    I would have no idea until you can attach the logs for me to look at. If you are concerned, then call your credit card company and alert them.
     
  5. Canzealander

    Canzealander Private E-2

    Thanks! I will post the logs when I can, or she will post the logs under a different username. I'm at work now without access to her machine.
     
  6. Canzealander

    Canzealander Private E-2

    Ok so I went through that and here are my attachments. I understand it may be late but I'm crossing my fingers that you'll get this.
     

  7. Canzealander

    Canzealander Private E-2

    Oh, and here is what SUPERAntiSpyware picked up:

    C:\Documents and settings\owner\cookies\owner@counter.surfcounters[1].txt
    C:""\owner@semdirector.112.2o7[1].txt
    C:""owner@tribalfusuion[1].txt
    C:""owner@www.googleadservices[1].txt
    ...
    C:\DOCUMENTS AND SETTINGS\OWNER\LOCAL SETTINGS\TEMP\RUNDLL32.DLL
    C:\WINDOWS\SYSTEM32\CONFIG\SYSTEMPROFILE\NTUSER.DLL
    C:\WINDOWS\SYSTEM32\CONFIG\SYSTEMPROFILE\START MENU\PROGRAMS\STARTUP\SCANDISK.DLL
     
  8. Canzealander

    Canzealander Private E-2

    Um is anyone there?
     
  9. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Apparently you did not read this:
    Don't Bump! It Only Hurts You!!!

    Your system is in desperate need of more RAM:
    Total Physical Memory 256.00 MB
    Available Physical Memory 18.54 MB
    You should have 4 times that amount.

    Now:

    Please use add/remove programs to uninstall:
    Viewpoint Media Player <-- should have been uninstalled in step 1 of the READ ME
    J2SE Runtime Environment 5.0 Update 10
    J2SE Runtime Environment 5.0 Update 2
    J2SE Runtime Environment 5.0 Update 6
    Java(TM) 6 Update 7
    Java(TM) SE Runtime Environment 6

    Now download The Avenger by Swandog469, and save it to your Desktop.

    * Extract avenger.exe from the Zip file and save it to your desktop

    Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

    * Run avenger.exe by double-clicking on it.
    * Do not change any check box options!!
    * Copy everything in the Quote box below, and paste it into the Input script here: part of the window:

    * Now click the Execute button.
    * Click Yes to the prompt to confirm you want to execute.
    * Click Yes to the Reboot now? question that will appear when Avenger finishes running.
    * Your PC should reboot, if not, reboot it yourself.
    * A log file from Avenger will be produced at C:\avenger.txt and it will popup for you to view when you login after reboot.
    Now run Ccleaner to clean out only temp files and nothing else!

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:

    * C:\Avenger.txt
    * C:\MGlogs.zip
     