Sysinternals Forum > Sysinternals Utilities > RootkitRevealer Logs

Infected PC, cleaning doesn’t help

StarStuff (Newbie, joined 15 July 2006)
Posted: 15 July 2006 at 2:56pm
I'm about 10 seconds away from wiping my hard drive, so I'm praying someone out there can help!

Two days ago I started getting pop-ups from my AVG Free antivirus program. One says that Generic.WUE is trying to install; the other that Dialer.BZB is trying to install. I have had AVG clean these, and they just pop up again in a few minutes. I've had AVG move them to the vault, and they pop up again. I also have Spyware Doctor running anytime I'm online, and I ran a scan, and it didn't catch anything.

So, I went online to the AVG user forum, found and printed advice on cleaning my computer, and downloaded and installed all the recommended programs: CWShredder, Ad-Aware, Spybot S&D and Ewido Antimalware. I made sure all these programs were up to date and that my AVG had the latest updates. I turned off system restore and ran Disk Clean-up, as instructed. I ran every program in order, deleted anything they found, rebooted, ran the programs again before going online or running any other programs, and found nothing the second time.

Went online, Bam! The two popups from AVG came back, one about Generic.WUE, the other about Dialer.BZB. I went back to the AVG forum, found instructions to go to aumha.org and download HijackThis. I did so, and immediately my computer was infected with something called Pest Trap. Now my IE browser gets hijacked to this URL: http://www.sysprotectionpage.net/ whenever I start it up or try to go back to my home page. I am currently using Firefox to avoid whatever nasties the IE trojan may be doing.

I keep cleaning and recleaning my computer with the aforementioned programs, and they find and remove these files, but then they just keep reloading themselves. I downloaded and ran RKR, and got six results, but I can't get it to save; the file disappears, and my desktop icons all disappear, too. This scan was done while online. I've been unable to boot in safe mode since I installed the Microsoft critical updates a couple of months ago, which I can get NO help on, from Microsoft or anywhere else, so as an aside, if anybody can point me to a resource for help about that problem, I'd appreciate it.

Anyway, I took a screen shot of the results page for reference; since there are only six items, I'm going to manually enter them here:

HKLM\S-1-5-21-4258344790-2804389820-235594248-1007\Software\Microsoft\At Work Fax\Transport Service ...
Timestamp: 10/10/2004, Size: 43 bytes, Description: Data mismatch between Windows API and raw hive data.

C:\$VAULT$.AVG\04555671.FIL (this is the AVG antivirus quarantine vault)

C:\Documents and Settings\Gina\Local Settings\Temp\plugtmp\virusometro_std-2.xml
Timestamp: 7/15/2006 (today), Size: 134 bytes, Description: Hidden from Windows API.

C:\Documents and Settings\Gina\Local Settings\Temporary Internet Files\Content.IE5\1E5MFENT\bgates[1].exe
Timestamp: 7/15/2006 (today), Size: 8.69 KB, Description: Visible in Windows API, but not in MFT or directory index.

C:\Documents and Settings\Gina\Local Settings\Temporary Internet Files\Content.IE5\YTUP2FJB\bgates[1].exe
Timestamp: 7/15/2006 (today), Size: 8.69 KB, Description: Hidden from Windows API.

C:\Windows\Temp\win135.tmp.exe
Timestamp: 7/15/2006 (today), Size: 15.50 KB, Description: Visible in directory index, but not Windows API or MFT.

During the time I've been writing this post, there have been three more popups, trying to install the bgates, Dialer.BZB and Generic.WUE files. I had AVG move them all to the vault.

Please help! I'm at the end of my rope, I've tried everything I know how to do and all I can find out to do. I'm not even sure how successfully I'll be able to wipe my hard drive and start fresh, as my XP disk is from Dell and, as I said before, I no longer can boot into safe mode (a keyboard failure message comes up, then the screen just fills up with a list of files and then freezes).

I'm SO GRATEFUL for any help you can offer!

P.S. I also installed the IE-Spyad, no help; and I downloaded and ran the Microsoft malware detection program, which came up with nothing.

Also, I just remembered: Yesterday, while one of the spyware programs was running its scan, I could swear I glimpsed a folder in my Program Files named "Moonlight Software," and then a subfolder that I can't remember the name of, but it was called something related to spyware or antivirus. BUT, there is no Moonlight Software folder on my hard drive, anywhere, even with the Show Hidden Files checked in my folder options; and Search doesn't find anything named Moonlight, other than a few photos and a music file. But no folders at all. ???




steely (Senior Member, joined 11 June 2006, United States)
Posted: 15 July 2006 at 3:32pm
hi starstuff,
don't wipe your hd just yet. it doesn't look like you've got a rootkit here. i'm not the expert on this but EP_XOFF is and i'm sure he'll be along shortly to confirm this. this looks like conventional malware that you should be able to eradicate. go here: http://www.castlecops.com/postlite160873-pest+trap.html and read that thread. then decide whether you want to post in that forum or come back here. we can help you here but castlecops is *dedicated* to resolving the type of issues you're experiencing. hth!



cheers,
-steely
SpannerITWks (Senior Member, joined 14 August 2005, United Kingdom)
Posted: 15 July 2006 at 5:23pm

Further to steely's good advice, i offer this -

That www is a well known nasty site that keeps changing the name of the rogue app, and their www!

Can you do a System Restore from before the event ?

Also clean out ALL your Windows and IE etc Temp files, along with ALL your browsers Cache etc.

After you have done that do some Free online scans here with IE -

http://www.bitdefender.com/scan8/ie.html

http://support.f-secure.com/enu/home/ols.shtml

http://www.trendmicro.com/spyware-scan/

http://www.webroot.com/consumer/products/spysweeper/freescan.html

http://www.pandasoftware.com/products/activescan.htm

http://www.sunbelt-software.com/dell/counterspy_scan.cfm

I know you can't use Safe Mode right now, but have a look at these links for extra possible solutions, including Manually deleting as much as you can.

sysprotectionpage.com

http://forums.pcpitstop.com/index.php?showtopic=121052

http://forums.spywareinfo.com/index.php?showtopic=79444

http://www.bleepingcomputer.com/forums/topic57739.html

Spanner

Stay Safe - SpannerITWks/SpannerInTheWorks -
BOClean AntiMalware - http://www.nsclean.com/boclean.html
steely (Senior Member, joined 11 June 2006, United States)
Posted: 15 July 2006 at 7:35pm
ya, not being able to boot into safe mode is a bit of a concern. if you can do a system restore to before the point that you downloaded the critical updates, that would be a good thing. here's some info on that: http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnwxp/html/windowsxpsystemrestore.asp

also, further to spannerITWks' good advice, also try downloading and installing prevx. because you really can't run or try too many scans. looks like you're prolly infected with more than one piece of malware.






cheers,
-steely
StarStuff (Newbie, joined 15 July 2006)
Posted: 16 July 2006 at 12:20am

Thank you all for the advice, I will try all the suggestions you've given and let you know the results.

As for system restore, I wish it were still an option, but as I said, going by the advice I got on aumha.com, I turned off system restore before running Disk Cleanup and then the various programs. So all my restore points are gone now.

AVG just popped up another virus alert, this time Generic.XOE (instead of .WUE), and when I told it to put it in the vault, instead of just doing it like before, it said I'd have to restart my computer to complete the operation. Now what is up with that?

This is enough to send me back to my Mac!

Many thanks for your advice. I'll keep you posted.

steely (Senior Member, joined 11 June 2006, United States)
Posted: 16 July 2006 at 12:51am
SpannerITWks wrote:
> Also clean out ALL your Windows and IE etc Temp files, along with ALL your browsers Cache etc.

to do this quickly download Killbox. select Tools > Delete Temp Files.

StarStuff wrote:
> AVG just popped up another virus alert, this time Generic.XOE (instead of .WUE), and when I told it to put it in the vault, instead of just doing it like before, it said I'd have to restart my computer to complete the operation. Now what is up with that?

avg prolly needs to attempt a pending file move operation. if you open regedit and look at this key: HKLM\System\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations hopefully you'll see the file avg wants to move. there's a tool and some info about this on this site that you can find here: PendMoves.

and yes, please do keep us posted.
cheers,
-steely
StarStuff (Newbie, joined 15 July 2006)
Posted: 16 July 2006 at 1:39pm
steely wrote:
> ...try downloading and installing prevx.


Steely, I can't thank you enough for pointing me toward this software! I installed it, it ran its initial check and found a nasty, deleted it and now no more hijacked IE, no more AVG popups, and I think it's solved some other problems, too. I'll report back when I've had time to run my system with Prevx1 for a while, to see if in fact all the junk has really been rooted out. But none of the other software has been able to do what this program has done.

$19.95 a year for this kind of protection? My God, just to save me the aggravation I've had over the last three days alone, I'd pay twice that. Thank you again for suggesting this.

I'll get back in a few days and let you know how it's working out.

Happy Person!
steely (Senior Member, joined 11 June 2006, United States)
Posted: 16 July 2006 at 9:07pm
np StarStuff. glad to have helped. yes, prevx is a good product for conventional malware detection, prevention, and removal. because it hooks the native winapi it can root out stuff on a low level that a lot of other anti-sw can't.

just remember though, to the best of my knowledge no anti-sw out there always detects everything all the time. ex: prevx won't detect anything you download. it will only attempt to detect stuff if it executes. so the potential for something very clever to get hold of your system is still there. stay vigilant and you'll stay safe.

btw, can you boot into safe mode now?




cheers,
-steely
StarStuff (Newbie, joined 15 July 2006)
Posted: 17 July 2006 at 11:20am
Hi, Steely,

Yes, I was able to boot into safe mode finally -- don't know if it was being short-circuited by the trojan that Prevx1 eradicated, but certainly I'm getting performance I haven't had for several months. While in safe mode I ran ewido, and it caught two: Adware.CouponBar and TrackingCookie.Tribalfusion. So yes, you're right about that, Prevx doesn't stop them from downloading, it keeps them from executing. Most of the time. (Where's an emoticon for "keep your fingers crossed"?)

I did some extensive checking on the PrevX1 site before I installed it, including the forums on CastleCops, and the reports were highly positive. Prevx claims that because of the way it works, there really is no need for any other antispyware, antivirus or even firewall programs. One user on the forum reported that Prevx has kept both his and his wife's computers clean for seven months running, even though the wife runs no other protection whatever and visits numerous sites without any thought to their potential dangers.

I agree with you, though: No one program can catch everything, as demonstrated by my own experience with ewido catching those two invaders that got past Prevx. However, I'm impressed enough with Prevx to invest in a year's subscription, keeping ewido and AVG antivirus loaded and the others in reserve should other problems crop up.

I was in high hopes that the cleaning with Prevx, and the fact that I can now get into safe mode, had solved all the problems I've been having since installing the critical updates several months ago.  Unfortunately, about 90 percent of the time I'm still getting the BSOD on shutdown, with the message "STOP: C000021a {Fatal System Error} The windows Logon Process system process terminated unexpectedly with a status of 0xc0000005 (0x00000000 0x00000000). The system has been shut down." Following this, on restart I get "winlogon.exe encountered a problem and needed to close," followed by instructions to send an error report to Microsoft. Only winlogon doesn't close, apparently, because after clicking off this message I can always use the computer normally.

I did send an error report a couple of times, and got back a message saying this problem was probably caused by a virus. I got no response when I answered that all these problems started with the critical updates. So, either there was a virus lurking around waiting to activate once these updates were installed, or Microsoft is distributing buggy code. Couldn't be the latter, now could it? And if it's a virus, why doesn't it hamper normal shutdown 100 percent of the time?

Anyway, I'll continue to let you know how it's going as far as viral infestation goes. I'm sensitive to the fact that this forum is about viruses and not system problems. Although if anyone has any suggestions, please feel free!

Again, MANY THANKS for your advice. Your help has been invaluable.
steely (Senior Member, joined 11 June 2006, United States)
Posted: 17 July 2006 at 4:04pm
hi starstuff,

awww - who knew about this?
StarStuff wrote:
> Unfortunately, about 90 percent of the time I'm still getting the BSOD on shutdown, with the message "STOP: C000021a {Fatal System Error} The windows Logon Process system process terminated unexpectedly with a status of 0xc0000005 (0x00000000 0x00000000).

this error is fairly well documented. you should go to http://support.microsoft.com/ and search on stop c000021a.

it could very well be this:
http://support.microsoft.com/default.aspx?scid=kb;en-us;317189
even though they're talking about NT4 there, and the status is different, it could be happening in XP also. I've got an idea, remember the registry key i mentioned earlier with regard to pending file moves? go there and see if there are any files listed. maybe prevx, avg, or another tool moved something before XP got a chance to.

or? it could be this:
http://support.microsoft.com/kb/234658/EN-US/.
again they're referencing NT4 but with ms products a lot of times that doesn't matter. it's the same status you have and the only solution they list is a patch. is your system fully patched and up to date?

or? it could be this:
http://support.microsoft.com/?kbid=823736.
we just don't know?

unfortunately, if all else fails, you may have to consider this: http://support.microsoft.com/default.aspx?scid=kb;en-us;Q315341

good luck and keep us posted.
cheers,
-steely
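The registry value steely points at twice above (first to explain why AVG asked for a reboot to finish quarantining Generic.XOE, then as something to check for the c000021a shutdown error) can be read and decoded with the script below. This is an added example written for this page, not code from the thread, from Sysinternals or from AVG. It relies on the documented layout of the value: a REG_MULTI_SZ whose entries come in source/destination pairs, with an empty destination meaning "delete at boot", a `\??\` prefix on paths, and a leading `!` on the destination meaning "overwrite the existing file". The sample entries are constructed and their file names are made up; reading PendingFileRenameOperations2 alongside the original value, and treating it as the same layout, is an assumption.

```powershell
# Added example for this page (not from the thread, Sysinternals or AVG):
# decode the PendingFileRenameOperations value that Windows processes at boot.
# Layout per the MoveFileEx documentation: pairs of (source, destination);
# empty destination = delete; "\??\" prefix on paths; "!" on destination = overwrite.

function ConvertFrom-PendingRenameList {
    param(
        [string[]]$Entries,
        [string]$ValueName = 'PendingFileRenameOperations'
    )
    for ($i = 0; $i -lt $Entries.Count; $i += 2) {
        $src = $Entries[$i]
        $dst = if ($i + 1 -lt $Entries.Count) { $Entries[$i + 1] } else { '' }
        $operation = if ([string]::IsNullOrEmpty($dst)) { 'Delete' } else { 'Move' }
        $overwrite = $dst.StartsWith('!')
        [pscustomobject]@{
            Value       = $ValueName
            Operation   = $operation
            Source      = $src -replace '^\\\?\?\\', ''
            Destination = $dst.TrimStart('!') -replace '^\\\?\?\\', ''
            Overwrite   = $overwrite
        }
    }
}

function Get-PendingFileRenameOperations {
    # Reads the live value(s). PendingFileRenameOperations2 is assumed to use the
    # same pair layout; it is read only if present. Run elevated for a full view.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
    foreach ($name in 'PendingFileRenameOperations', 'PendingFileRenameOperations2') {
        $props = Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue
        if ($null -eq $props) { continue }
        ConvertFrom-PendingRenameList -Entries $props.$name -ValueName $name
    }
}

# Constructed sample in the same layout (file names are made up): a quarantine move
# that an antivirus could not complete because the file was in use, followed by a
# queued delete of a temp executable.
$sample = @(
    '\??\C:\WINDOWS\Temp\example1.tmp.exe', '!\??\C:\$VAULT$.AVG\EXAMPLE1.FIL',
    '\??\C:\WINDOWS\Temp\example2.tmp.exe', ''
)
ConvertFrom-PendingRenameList -Entries $sample | Format-Table -AutoSize

# On the affected machine, run the live version instead:
# Get-PendingFileRenameOperations | Format-Table -AutoSize
```

A source path under Windows\Temp or Temporary Internet Files with an empty destination is a deletion the antivirus queued; a move whose destination is the AVG vault directory is the quarantine that AVG said needs a restart to finish. If a path you expected to see is missing, the tool that asked for the reboot never managed to register the move, and the file will still be there after restarting. Sysinternals PendMoves prints the same list without the registry parsing.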