Trojans, What Else?

Discussion in 'Malware Help (A Specialist Will Reply)' started by bbpathd1, Nov 10, 2009.

Thread Status:
Not open for further replies.
  1. bbpathd1

    bbpathd1 Private First Class

    Oh, no! When will this malware nightmare end?

    After almost two weeks away, I turned on this computer (XP SP3) and started getting the message box about "To free up disk space, Outlook Express can compact messages.” I ignored it the first couple days, then thought I’d found a fix for it yesterday at http://www.microsoft.com/communitie...8f6c650b58ef&lang=en&cr=US&sloc=en-us&m=1&p=1. It went away when I unchecked Outlook Express on my admin and limited user accounts in Indexing Options. But when I logged back on later, it was back again and there were no other options to uncheck.

    Since I had been working on a different computer from 110309 until yesterday, I was paying particular attention to Avira Antivir when I first logged on. When it did not download the updates (despite Comodo firewall showing the updater was trying), I downloaded them manually. Then I ran the AV scan. I was surprised to see that MGTools and SUPERantispyware exes were said to be infected with Trojans. I wondered if they could be false positives, but the AV scan had not detected them as such before, so I quarantined everything.

    I ran Malwarebytes—nothing. I went to Add or Remove Programs to uninstall SAS, saw that OKAVAgent from Trend Micro (that had been removed long ago) was still there and uninstalled it first. Installshield took it off. Then I got this alert message from Comodo that Defense+ “temporarily blocked this application (explorer.exe). It has tried to execute shellcode as a result of a possible buffer overflow attack.” I then removed and reinstalled SAS. SAS detected Trojan.Agent/Gen-FakeAlert[OShot].Process in a UBCD4Win exe plus 4 adware tracking cookies. Again, I wondered about a false positive but SAS had not detected this before. After I clicked to remove and quarantine the items, SAS rebooted.

    When my user login came back and I clicked my admin acct, I got a User Environment box that said, “Windows cannot load the user’s profile, but has logged you in with the default profile for the system. Detail: Insufficient system resources exist to complete the requested service.” It’s almost like this thing knew I’d be back to run the other scans. On clicking limited user account, I got Parser Message “Value creation failed” at line 422.

    I rebooted and got same admin acct message, so I went into safe mode with networking. Ran ComboFix and Rootrepeal and I tried updating MGTools, but I could not tell if it did.

    This morning clicking either user acct brought up: “Windows cannot log you in because your profile cannot be loaded. Check that you are connected to the network or that your network is functioning correctly. If the problem persists, contact your administrator.” I did get into the limited user account at one point.

    I’m in Safe Mode to post this now.
     

    Attached Files:

  2. bbpathd1

    bbpathd1 Private First Class

    Rest of logs
    Should I try running ComboFix, Rootrepeal and MGTools on the Default User account in Normal Mode?
     

    Attached Files:

  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Thread closed as duplicate of Malware Again, if it all truly was gone before

    You never did the final instructions you were given by TimW. If you are not going to follow instructions, please do not ask for help.

    ( Edit by TimW: I told you to stop playing with your system. I suspect that you have damaged it with all the things you were doing without our telling you to do them!)
     
    Last edited by a moderator: Nov 10, 2009
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Thread reopened. Sorry! My mistake in thinking this was the same computer as the thread with TimW.:-o

    It is the laptop from the September thread: Trojans Found Serendipitously
     
  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Avira is incorrect. I have complained to them multiple times about their false detections of MGtools but they don't seem to be able to correct their problem permanently. The items in your log from Avira are all false detections. They even detected the software from your ISP ( the Broadjump CFD.exe file).

    explorer.exe is your Windows shell and yours does not appear to be infected so you are probably getting false warning from Comodo. Since you appear to have too many problems understanding what is good and what is bad with Comodo, perhaps you should uninstall it and use something else.

    False positive.

    Nothing had been found or removed to cause any problems. You are more likely having problems with Windows or the applications you have installed. Again I suggest that you stop using Comodo since it appears to be causing you continuous problems. And perhaps you may also need to discontinue your use of Avira.

    All antivirus and antispyware applications ( whether paid or free ) have false detection issues and it is just necessary for people to learn how to work around them by recognizing what they have knowingly installed and determining on their own whether it is malware or not. MGtools could easily declare Avira, Comodo, McAfee, etc. to be malware simply based upon the fact that they make file system and registry changes and they also download things onto your PC. It would be wrong of MGtools to simply make this assertion. For the same reason, these scanners are wrong when they make the same assertion about MGtools.exe, ComboFix.exe, exeHelper.com, Avenger.exe, etc.

    Again based on the logs you posted, nothing was found or removed that was a problem. Not sure what you may have done on your own with blocking things from running or in allowing Avira or Comodo to remove anything. I suggest that you try doing a System Restore.

    You may want to also read this: http://support.microsoft.com/?kbid=318011


    There is also a possibility that running the below may help if it is just a permissions issue:

    Resetting Registry and File Permissions
     
    Last edited: Nov 12, 2009
  6. bbpathd1

    bbpathd1 Private First Class

    Chaslang, I never thought I would say this: I’d rather have some malware than this current problem.

    I could only go into Safe Mode to create the new user admin acct.

    I tried logging in in Normal Mode with the new acct—got userinit.exe error: the application failed to initialize normally. Then I tried my old admin account, but all I could get into was default user acct, which I gather is not an admin acct. I got hkcmd.exe-Bad Image: the application or DLL C:\Windows\system32\comRes.dll is not a valid Windows image. Please check this against your installation diskette.

    So I rebooted and tried the new acct again—got setup50.exe error: the application failed to initialize normally. Personalized settings for MS Outlook Express 6 were being set up. Clicked OK on the error message—got Windows Delayed Write Failed: Windows was unable to save all the data for the file C:\Sys Vol Info\restore{bunch of letters}fifo.log. This error may be caused by a failure of your computer hardware or network connection. Please try to save this file elsewhere. Personalized settings of Windows Messenger 4.7 were being set up. (GRRRHH-I hate that W Msgr!)

    Click OK—got run32.dll error. OK—got regsvr.exe error. Now the bottom half of my screen is fluorescent green; some of my icons are in the top half. I opened My Computer and it is in the top half of the screen only. There is no Start button. I clicked View System Information—got rundll32.exe -Bad image error: the application is not a valid Windows image. Please check this against your installation diskette. OK—then ERROR: the application module C:\Program Files\Avira\AntiVir Desktop\rcimage.dll cannot be found or has been modified or destroyed. The AvWSC.EXE cannot be started. Please check your installation! OK—nothing else popped up!

    I was able to get a screen with All Programs, so I tried to open System Restore—got rstrui.exe-Bad image: same text as the others. OK—nothing else popped up. I tried again to open System Restore and I did not get the error message but nothing is happening.

    I guess I will try to figure out how to do a System Restore tomorrow. Will Safe Mode be OK? I’ll also try the Permissions link tomorrow.

    I googled Bad Image on MG and found this thread on Vundo: http://forums.majorgeeks.com/showthread.php?t=202192. But I don’t have that, do I?
     
  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I suggest that you backup your personal data if/while you still can and then format and reinstall.

    You can try this but it may be a waste of time.

    No. Your logs were all clean so it is more likely that you are having Windows problems unless you picked up some new infections after posting your logs.
     
  8. bbpathd1

    bbpathd1 Private First Class

    That's why I quit that evening at the point I did. I decided I would back up every data file before I tried to go any further. I had a lot of difficulty doing the backup. The CD-RW did not seem to be recognized when I tried the Windows CD burning program, the Windows backup, or Acronis True Image. Kept saying there was no disc in drive. Somehow, I finally did get it all backed up on 2 CDs.

    I tried over and over with the various admin accts to find a way to get System Restore to work. The only restore point I could go back to was Nov 9 when the SUPERantispyware was reinstalled, and I would just get a message that it could not be fully restored, so nothing was done. When I would click on the date arrow to go back a month, it would not move to an earlier date. Permissions link did not work for me either. I could not get subinacl to run; "the system administrator has set policies to prevent this installation."

    However, at some point this weekend I got 2 MS messages in a row that "the system has recovered from a serious error." Things seemed to be better after that and I could work in Safe Mode with Networking and you would never know I had a problem, that is, unless you tried to System Restore from there--still not working.

    While I was on the phone with my sister Sun. night telling her I wish I had brought that Winbook home with me, (and she telling me she would just take a hammer to my computer if it was hers), I was in Safe Mode reading a Microsoft troubleshooting site and it said something about third-party applications being a problem, so I realized then what had probably happened--Avira was the third-party culprit. I told you that I was watching Avira to see if it was going to update because I knew that there had been problems with it updating, and on a couple occasions, I had manually downloaded the updates. Well, I now think I was wrong to assume that the updater wasn't working and I shouldn't have gone after the manual updates until I got a message that the updates failed. I think somehow the automatic updates from Avira and the manual updates, instead of just overwriting each other, clashed and corrupted something. That's why I got all those false positives when I did the AV scan. I would have called any one of them by itself a false positive, but I didn't know what to make of the whole bunch at once. Unless you can think of a better explanation, I am going to assume that is what happened.

    So I decided to uninstall Avira and sure enough, when it rebooted, there was my third MS message of the day about "recovered from a serious error." Contrary to what you may think, I've not been unhappy with or confused by Avira on this computer, except for this episode. So I did try to reinstall but the registration would not go through. So I gave up on it and put on Avast. Its registration did go through and it updated OK.

    Monday I was even able to get into the new admin acct in Normal Mode. Not everything works as it should but no more really weird half green screens.

    Actually, same as with Avira, on THIS computer I did not get a lot of confusing alerts with Comodo (UNLIKE my other computer) and I felt pretty comfortable with it. However, I may take it off and put something else in case it too got corrupted like Avira.

    I realize I still may have to reinstall. I can get into the new admin acct in Normal Mode and the desktop looks normal now but I can’t get anything to open. Still get the default acct when I try to go into my old admin acct. In Safe Mode I can get into any of the 3 admin accts without a problem and everything seems to work normally except System Restore. Given this info, do you have any other suggestions? I have three Acronis images, so if I can get one of them to work, at least I won’t have to start over from the very beginning. Before this happened, I had this computer just the way I wanted it, all sticky'd and updated. Sure wish this had happened to the Compaq instead--I put Avira on it after Avast became disabled (yes, disabled—just like McAfee!)

    As always, I appreciate your help more than I can say.

    I guess this thread should have been titled "Never Manually Download Avira Updates Until You Get an 'Updates Failed' Message.”

    Chaslang, I wish I had had some more straightforward malware problems instead of those nebulous problems for which there seems to be no answer. Maybe I would have made a better first impression on you, and perhaps you would think better of me.

    Chaslang, do you and Tim ever do presentations to groups? My professional association is looking for proposals for presentations at our next annual meeting, in Baltimore Oct 9-12, 2010, either 90 minute or 3-hour sessions. Can’t tell you yet which day of those four it might be, but if you’d prefer one, I guess you could specify which. The Topic Category you could fit in would be Information Systems and Record Management and the Area of Concentration would be Quality/Education. Target audience is Physicians, Nurses, Scientists, Managers/Supervisors, Technologists and Perfusionists. I’ll serve as moderator and you and Tim will be the speakers. The title could be “Personal Computer Security--How to Protect Yourself from Malware!” We’ve never had speakers on this topic, so I think it would be a big hit. Would you like 90 minutes total (like 8:30 to 10 AM or 10:30 to noon, etc) or the 3-hour (8:30 to noon morning or 2 to 5:30 PM afternoon)? I’d have to submit the proposed topic and see if the program planning committee accepts it. Say OK, and I’ll turn the proposal in by Friday. Oh, and if the program goes over well, we’d want you to do it the next year in San Diego, Oct 22-25, 2011.
     
  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    TMI !!!!!!!!


    Sorry not interested in any formal presentations as I'm just too busy with real work and other personal things.


    Please just stay on topic! Are you having any malware problems? Only malware! Nothing else. Nothing in this thread thus far has pertained to malware and no malware has been detected. If not, then run the below final instructions.




    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources ( except a little disk space ) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /uninstall
        • Notes: The space between the combofix" and the /uninstall, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
    3. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    4. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    5. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    6. Go to add/remove programs and uninstall HijackThis.
    7. Goto the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    8. If you are running Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures pointed to by step 6 of the READ ME for your Window version and see the instructions to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    9. After doing the above, you should work through the below link:
     
  10. bbpathd1

    bbpathd1 Private First Class

    Chaslang, I hesitate to even ask, but I’d like your advice on the attached scans. Just look at them first before you spend time reading anything below. I don’t want to waste your time.

    On 112809 as a preliminary step to running Dial-a-fix (which I never did run), I ran Belarc Advisor. It indicated Windows Media Player had three MS updates from 082109 that needed to be reinstalled. I went to Add or Remove Programs to uninstall Windows Media Player 11. When I clicked to remove, I got a message that it could not be removed but was reverting back to an earlier version. (When have you ever had that happen in Add or Remove Programs?) Today WMP 11 is still there, and on trying to remove it I get a Windows Media Configuration Manager message inside a WMP 9 Series box that “Setup is currently unable to detect available updates. Please try again later.”

    After operating in Safe Mode with Networking for most of November and trying many different things, I finally got back into Normal Mode again just about two weeks ago. After the single system restore point I had for 110909 disappeared like all the rest had done earlier, I decided to try my ERUNT backups. I went back a few days before the bad images of 110909. Upon seeing the message box about compacting messages in Outlook Express (which I do not use), I decided I had not gone far enough back and decided to go back to an earlier date in October before that message appeared.

    When I tried to go to Windows Update, I get Server Error “403-Forbidden: Access is Denied. You do not have permission to view this directory or page using the credentials that you supplied.”

    On 120309 while I was reading email, Comodo alerted me that mcinst.exe (with a red M like McAfee products) was trying to run and I blocked it. It is sitting in C:\Windows\temp with a bunch of numbers preceding the mcinst. I have a bunch of files in C:\Documents and Settings\Janice\Local Settings\Temp. I’ve come to hate anything in a .tmp file or temp folder unless I know I put it there.

    I ran some scans as I tried to sort things out. These were run about two weeks ago, and I’ve not turned the computer back on until today as I have been out of town.
     

    Attached Files:

  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    In the future, please start a new thread for any new problems or questions. You really should not be posting in an old thread like this.

    If you are suspecting malware, ALL of the READ & RUN ME must be run and all logs must be attached. You did not post the MGtools log nor a RootRepeal log. You also have outdated versions of MBAM and SUPERAntiSpyware.

    If you restored an old restore point, you probably restored malware. You should have removed all restore points after any previous infections were removed.


    Not topics for the Malware Forum. Please stop posting about non-malware topics here. You need to post in the Software Forum.

    Windows update problems need to be posted in the Software Forum.

    Again this is not malware. All you did was block an installer program for McAfee. Probably for the SiteAdvisor program you had installed.
     
    Last edited: Dec 17, 2009
  12. bbpathd1

    bbpathd1 Private First Class

    Chaslang, I've been to the Software Forum on the other computer and I'll go there for this one too.

    I forgot to mention that I had, in addition to the Adobe Shockwave Player 11.5, an extra Shockwave (without Adobe) in Add or Remove Programs. I uninstalled that extra one, thinking it might be malware-related; maybe the source of Bad Image? (I’m probably wrong on that too.)

    Chaslang, the only malware we ever found before on this Lenovo was those inconsequential Trojans that I found just running Malwarebytes as a routine scanner. Are you saying you did find something this time? Remember I had no system restore points (in fact, I still don’t)—system restore is still disabled and I am relying on ERUNT. But there should not be any malware in ERUNT backups because they don’t go back before the Trojans were cleaned by MBAM.

    As for the mcinst.exe, saInst.exe has joined it and both show up one after the other in Comodo alerts at totally inappropriate times. I could see an updater file maybe, but McAfee Siteadvisor is already installed and appears to be working OK. Plus I now have over 100 .tmp files in Windows\Temp and many are copies of copies. McAfee told me to zip the files to them to look at. Maybe I’ll uninstall and reinstall and see if I can get rid of the problem that way.

    There’s no need for you to respond to my random thoughts above; I’m just thinking out loud. You can go ahead and close this thread. I’ll muddle on through and work things out eventually. Just a Christmas message follows.

    All I want for Christmas is to find out
    1) what service MHRFE really is,
    2) what Windows Driver Package - Microsoft Corporation (usbvideo) Image (05/25/2007 1.0.3656.0) is and
    3) what .NET Runtime Optimization Service v2.0.50727_x86 is.
    You know all that Microsoft stuff; I’ll bet you can tell me if anyone can. You are the best person I know to ask about anything related to malware or computers, and I sincerely do thank you for teaching me a lot over the past several months. And believe it or not, I’ve even appreciated your negative feedback, even though it’s sometimes been hard to hear it. I’ll try to do better should I ever have to ask again for your help.

    For YOUR Christmas present I bought myself two copies of Acronis Home Image and two big external hard drives. I hope to become the Queen of Imaging! Plus I am putting “Learn Linux” on my to-do list for 2010. I’ll remember 2009 as the Year of Malware.

    But I couldn’t resist sending you a little something else, so I decided to write you a story about how my computer problems have sometimes looked from my perspective. Now, scroll down below and read the funny little fantasy tale. It’s a puzzle—see if you can tell which lines are actually true and which are pure fantasy.

    Somewhere in Hacker Land, wherever that may be, the Malware Makers are taking a break.

    Hacker A: Let’s look at that MajorGeeks site. Those guys, all those logs, they look for file.
    Hacker B: I know I get good ideas how to avoid detection. I write malware to evade scans.
    Hacker A: Check out that Compaq we got malware on. That one stubborn woman, Google freak. She not want to give up trying to figure out what she don’t understand. She google everything.
    Hacker B: Yeah, she not know when she not able to get printer to work in limited account that we have remote FAX set up. She really puzzled why all print going to FAX.
    Hacker A: She don’t even have MS Excel and Word 2003 on her computer, just expired trial. She ought to get nice pirated copy like we have. That OK, we take care of it for her. Bill Gates no mind.
    Hacker B: She do some online scans. She not know we disable them. She not know what extra buttons mean.
    Hacker A: She really hate we disable McAfee and make it look like it update and reinstall all time. She hate it even more when Avast do same thing. That drive her mad.
    Hacker B: What wrong with that woman? She no do online shopping with credit card.
    Hacker A: Yeah, no online banking, either. Luddite!
    Hacker B: We send her Masterpiece Malware and it end up on that old slow computer. What a waste! Why she not go out and buy nice new computer right away?
    Hacker A: She run 18 scans and could not get one to show Masterpiece Malware. She wait several months and update definitions, thinking she figure out. Unhuh, Masterpiece Malware disable everything she try. We really outdid ourselves on that one! MajorGeeks think she crazy woman running all those scans and not finding anything. She frustrated, and they mad at her. We ROFL!
    Hacker B: She not want to click on our compacting Outlook Express message. She so suspicious. She never use, so that email all ours!
    Hacker A: Uh, oh, she messing with our settings on Clipsrv and ctfmon. She keep turning off Language Bar every time we turn it back on. She even disabling MHRFE.
    Hacker B: She not know what she doing. Just send her couple nice enticement pages; she wear down eventually and click on if we keep sending. Oh, why she no click on nice purple Google page we send her?
    Hacker A: Oh, she find this article: How Malware hides and is installed as a service on Windows NT/XP/2000/2003 http://www.bleepingcomputer.com/tutorials/tutorial83.html. She google that before but she not know what it mean then. She so dumb a couple months ago, she not even know computer has services.
    Hacker B: She on to us! But we fix her. We disable that Lenovo so she have to use this Compaq computer.
    Hacker A: Yeah, ha, ha! We disable her Avira, send her false positives to confuse her and then send her Bad Image. That teach her to mess with us.


    Thank Tim and Kestrel13! for helping me too. You guys are good guys to help those of us who don’t know as much about malware and computers as you do.

    Merry Christmas, Chaslang!;)
    Bah, Humbug! to the Malware Makers!:(
    And Best Wishes for a Happy New Year to all the MajorGeeks:)
     
  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Merry Christmas
    The ComboFix log you attached showed that it removed a bunch of files. This may have been due to you restoring infected backups. If you wanted to check this PC for malware you should have run 100% of the READ & RUN ME from beginning to end including RootRepeal and MGtools and attached the logs into a NEW thread since this thread is too old to use. After as little as even 2 or 3 days, the status of a PC can change dramatically and this thread was a month old.

    You also need to learn to stay on topic. Only malware discussions belong here and no other extraneous information. I'm sorry but we are way too busy to read other non-malware information and we will either delete or close similar threads/messages in the future. There is a Lounge where you can post miscellaneous messages or a Software Forum where you can discuss general software problems with Windows or any other software.
     