
Author Topic: Data Execution Prevention Blocks Explorer/Others Following Malware Removal  (Read 23014 times)


ElwoodJD

    Topic Starter


    Rookie

    Hello, this is my first post to this forum as I have usually had good luck with removing most malware on my own.  This one has me stumped, however, so I would appreciate any help I can get.  Up front, I will say I am experienced with computers (or at least the software side of things) though I'm certainly no expert.  Here is some key information:

    OS: XP Pro, Service Pack 3
    Anti-Virus: AVG (newest software version as far as I can remember)
    Anti-Malware Programs: Ad-Aware Anniversary Edition
                                   Spybot S&D (With TeaTimer, though I already read on your list of info to disable it for now)
    *I am aware that you recommend two other programs (SuperSpyware and some other).  I am willing to switch to those if recommended, but for now I do not have the option to as you will see.


    Here is my problem.  I got one of those annoying popup programs that pretends to be anti-virus claiming I had lots of infections and to buy their software.  I knew I had at least one infection, namely that program popup.  I ran Ad-aware immediately, it found 2 Trojan items, which I selected to remove.  It informed me that to finish the removal process I needed to reboot.  I did so, immediately.  Upon startup, the normal XP login splash screen with user icons was replaced by a simple login box (with my username already filled in to the top box, with a blank password box below).  I logged in.

    Before anything popped up, I got the blank background and mouse, and then it told me that Data Execution Prevention blocked "Userinit Logon Application."  I click close message.  Nothing else loads.  I hit alt-ctrl-del, Data Execution Prevention stops that.  Finally, clicking ACD multiple times I get task manager.   Depending on the bootup (I have restarted my computer now multiple times trying different fixes to no avail), I'll have about 6-7 copies of svchost.exe, lsass.exe, services.exe, winlogon.exe, csrss.exe, smss.exe, wuauclt.exe, System, System Idle.

    I try to run explorer from task manager to get my desktop.  Sometimes nothing happens to the processes box of task manager, and sometimes dumprep.exe shows up before Data Execution Prevention kills explorer.  For this reason I have been unable to run any of my anti-malware programs again (running ad-aware from task manager fails, though the services show up in processes the application never actually launches; similar problems with spybot and avg).

    Hijackthis, being a simple program, seems to launch no problem however.  I have included a log with this post, though to be sure it does not seem to point to any particular problem (I'm still a newb when it comes to reading hijackthis logs, though I have used it to some success from time to time removing obviously malicious stuff).

    EDIT: One more thing.  I have started the computer in safe mode without networking as well, but even there NOTHING loads and task manager attempts to run explorer.exe result in the exact same problems.

    EDIT2: So I killed the dumprep.exe program right as it started, and it never got a chance to kill explorer.exe.  I got that running, opened up my Ad-Aware and started a full scan.  I'll let you know what it turns up when it finishes. 
    As an added note, my internet does not work.  Though I am connected to my local wireless network, when I open IE7 it says loading proxy settings, then no matter where I try to point the browser it redirects me to http://browser-security.microsoft.com/block.php?r=6.16
    I hope editing doesn't bump, because I am really not trying to do that.

    Any help would be appreciated, and if you have any other questions I'll be here to answer them.  Thank you so much in advance for any help!!

    [attachment deleted by admin]
    « Last Edit: February 07, 2009, 04:11:12 PM by ElwoodJD »

    evilfantasy

    • Malware Removal Specialist


    • Genius
    • Calm like a bomb
    • Thanked: 493
    • Experience: Experienced
    • OS: Windows 11
    Re: Data Execution Prevention Blocks Explorer/Others Following Malware Removal
    « Reply #1 on: February 07, 2009, 03:57:22 PM »
    Welcome to CH.

    Go ahead and turn off Tea Timer. It's not doing any good if the computer is already infected and will just get in our way.

    - Can you use System Restore to get your desktop/functions back? Or restart tapping F8 and use Last Known Good configuration?

    Or...

    - Are you able to install/transfer and then run some other tools we will need?

    --

    Open HijackThis and select Do a system scan only then place a check mark next to:

    - O2 - BHO: BHO - {C9C42510-9B21-41c1-9DCD-8382A2D07C61} - C:\WINDOWS\system32\iehelper.dll

    Close all browser windows and click Fix checked.

    ----------


    ElwoodJD


      Re: Data Execution Prevention Blocks Explorer/Others Following Malware Removal
      « Reply #2 on: February 07, 2009, 04:16:50 PM »
      Please see Edit2 from the OP in case you did not initially see that information.

      As to your specifics:

      TeaTimer is off.
      I have access to my desktop again, see Edit2, and internet access. 

      Following a fullscan of Ad-Aware, I found Win32Backdoor.TDSS (quantity 2), and Win32TR\.\er Agent.  At this point in time and until I hear back from you I have not taken any action upon them and am waiting at the Ad-Aware Scan Results/Perform Actions page.

      I have jumpdrives and another clean computer so yes I can install new programs as well as my restored internet access on the infected computer.

      I have made the adjustment you recommended in HijackThis, which restored internet functionality.

      evilfantasy

      Re: Data Execution Prevention Blocks Explorer/Others Following Malware Removal
      « Reply #3 on: February 07, 2009, 05:22:01 PM »
      Quote
      I hope editing doesn't bump

      You don't have to worry about bumping after a helper has replied, in fact I prefer it so I will know that any information has changed :)

      Quote
      I found Win32Backdoor.TDSS

      Ad-Aware and Spybot aren't powerful enough to remove this rootkit. As for your thoughts on them from above, replacing them with SUPERAntiSpyware and MalwareBytes is suggested. They used to be the best, but for some reason they just aren't keeping up with the newer, more powerful scanners.

      Let's try to get your functions back.

      Click Start > Control Panel > System > Hardware > Device Manager > View > Show Hidden Devices.

      * Scroll down to Non-plug and Play Drivers and click the plus icon to open those drivers.
      * Search for any of the following:

      - Seneka.sys
      - clbdriver.sys
      - TDSSserv.sys

      * Let me know if you find them or not.
      * If you do find it, right click on it, and select Disable. Do not try to uninstall them.
      * Now reboot and see if you can get on the web.

      Note: You can disable the drivers again if you think they might have returned, just don't try to uninstall them.

      If the files are not found then please let me know what is listed in Non-plug and Play Drivers.

      ----------

      You might need to reset your web settings.

      • Open Internet Explorer, click the Tools button, and then click Internet Options.
      • Click the Connections tab.
      • Click the first entry in the Dialup and Virtual Private Networks list, and then click Settings.
      • Select the Automatically detect settings check box, and then click OK.
      • Repeat the previous two steps for each entry in the Dialup and Virtual Private Networks list.
      • Click the Lan Settings button in the Connections tab, and repeat steps 4-6. Click OK on the Connections tab.
      • Close Internet Explorer, and then restart it.
      ----------

      Download (or transfer) ComboFix© by sUBs from one of the below links. Be sure to save it to the Desktop.

      Link #1
      Link #2

      **Note:  It is important that it is saved directly to your Desktop

      Close any open Web browsers. (Firefox, Internet Explorer, etc) before starting ComboFix.

      Temporarily disable your antivirus, and any antispyware real time protection before performing a scan. Click this link to see a list of security programs that should be disabled and how to disable them.
       
      Double click combofix.exe & follow the prompts.
      When finished ComboFix will produce a log for you.
      Post the ComboFix log in your next reply.

      Important: Do not mouseclick ComboFix's window while it is running. That may cause it to stall.

      Remember to re-enable your antivirus and antispyware protection when ComboFix is complete.

      If you have problems with ComboFix usage, see How to use ComboFix

      ElwoodJD


        Re: Data Execution Prevention Blocks Explorer/Others Following Malware Removal
        « Reply #4 on: February 07, 2009, 10:53:21 PM »
        Sorry I disappeared, thank you for hanging in there with me.

        I found TDSSserv.sys, but neither of the other two.  There are about 40 things in that list, some of them sound suspicious (including: Beep, dmboot, dmload, i2omgmt, lsecdd, sptd, and maybe a couple of others that I could go either way on).  There is a lot in the list, but I'm willing to type them all up if you tell me later that it is necessary.

        I have ComboFix on my desktop, but whenever I click it nothing happens.  It is listed under processes in task manager, but the program itself never seems to launch.  I wanted to keep you updated on that to see if you had any ideas, but if I am able to get it to run once it is launched, I'll edit to add the log.

        evilfantasy

        Re: Data Execution Prevention Blocks Explorer/Others Following Malware Removal
        « Reply #5 on: February 07, 2009, 11:02:33 PM »
        Launch Task Manager by pressing Ctrl + Alt + Delete

        End the Process on these file names (if found)

        - FindStr
        - Vfind
        - SED
        - GREP

        - or any file that has the extension *.cfexe

        End each only once. 

        Now you should be able to run ComboFix.

        ElwoodJD


          Re: Data Execution Prevention Blocks Explorer/Others Following Malware Removal
          « Reply #6 on: February 08, 2009, 10:36:40 AM »
          Finally got ComboFix to run last night.  It ran normally, attempted to restart my computer and then I got a dreaded blue screen informing me I had an error occur.  "Bad_Pool_Header"  Then some generic text, then at the bottom STOP: 0x00000019.  (I have actually received this error message 90% of the time that I attempt to shutdown or restart).

          Anyway, I did a hard restart of the system, but ComboFix still managed to restart my computer and put out a log.  Additionally, one thing that had noticeably changed is that the login splash screen with icons had returned upon startup (instead of the generic text only windows login box that I reported showed up right when the infection began).  I had to go to bed last night, and when I got up this morning things had gotten worse again (including the return of the generic text only windows login box).  I decided to run ComboFix again to scan and produce a log that might more accurately reflect the current stuff going on.  Please see both of them attached.

          One more thing, after running ComboFix the second time, it rebooted my computer without the blue screen error.  However, upon startup, my wireless network cannot find any networks in range (even though I usually have about 10 in my apt building).  It almost seems like my wireless switch is off on my computer, but I have triple checked that.  I am not sure what the cause may be.

          Thank you again and I look forward to your next set of recommendations.

          EDIT: Just for thoroughness, I added a new HijackThis log as well (seeing as there were some new browser hijacks it seems under O2, maybe some other stuff).  I cannot seem to modify this post to add another attachment, but if you'd like I can attach it to the next response I send to you.  I also have noticed a number of new folders that have been created in my C:\   Those include: cmdcons and Qoobox.  I also think there may be some new folders in the Windows directory, but I cannot be sure.

          [attachment deleted by admin]

          evilfantasy

          Re: Data Execution Prevention Blocks Explorer/Others Following Malware Removal
          « Reply #7 on: February 08, 2009, 11:50:09 AM »
          Qoobox is the ComboFix quarantined files.

          See here for your Internet connection. http://www.bleepingcomputer.com/combofix/how-to-use-combofix#restore

          -----

          First download attached xp_files.zip to your desktop from here: http://www.filedropper.com/xpfiles_1

          Unzip it & it will create a folder called XP_files on the desktop.

          Next:

          Note: the below instructions were created specifically for this user. If you are not this user, DO NOT follow these directions as they could damage the workings of your system

          Delete these files/folders, as follows:

          1. Go to Start > Run > type Notepad.exe and click OK to open Notepad.
          It must be Notepad, not Wordpad.
          2. Copy the text in the below code box by highlighting all the text and pressing Ctrl+C

          Code:
          KillAll::

          Fcopy::
          c:\documents and settings\lt\Desktop\xp_files\userinit.exe | c:\windows\SYSTEM32\DLLCACHE\userinit.exe
          c:\documents and settings\lt\Desktop\xp_files\userinit.exe | c:\windows\ServicePackFiles\i386\userinit.exe
          c:\documents and settings\lt\Desktop\xp_files\userinit.exe | c:\windows\ServicePackFiles\i386\userinit.exe
          c:\documents and settings\lt\Desktop\xp_files\userinit.exe | c:\windows\system32\userinit.exe
          c:\documents and settings\lt\Desktop\xp_files\svchost.exe | c:\windows\SYSTEM32\DLLCACHE\svchost.exe
          c:\documents and settings\lt\Desktop\xp_files\svchost.exe | c:\windows\$NtServicePackUninstall$\svchost.exe
          c:\documents and settings\lt\Desktop\xp_files\svchost.exe | c:\windows\ServicePackFiles\i386\svchost.exe
          c:\documents and settings\lt\Desktop\xp_files\svchost.exe | c:\windows\system32\svchost.exe
          c:\documents and settings\lt\Desktop\xp_files\ctfmon.exe | c:\windows\SYSTEM32\DLLCACHE\ctfmon.exe
          c:\documents and settings\lt\Desktop\xp_files\ctfmon.exe | c:\windows\ServicePackFiles\i386\ctfmon.exe
          c:\documents and settings\lt\Desktop\xp_files\ctfmon.exe | c:\windows\$NtServicePackUninstall$\ctfmon.exe
          c:\documents and settings\lt\Desktop\xp_files\ctfmon.exe | c:\windows\SYSTEM32\ctfmon.exe
          c:\documents and settings\lt\Desktop\xp_files\explorer.exe | c:\windows\SYSTEM32\DLLCACHE\explorer.exe
          c:\documents and settings\lt\Desktop\xp_files\explorer.exe | c:\windows\explorer.exe
          c:\documents and settings\lt\Desktop\xp_files\explorer.exe | c:\windows\$NtServicePackUninstall$\explorer.exe
          c:\documents and settings\lt\Desktop\xp_files\explorer.exe | c:\windows\ServicePackFiles\i386\explorer.exe
          c:\documents and settings\lt\Desktop\xp_files\explorer.exe | c:\windows\$hf_mig$\KB938828\SP2QFE\explorer.exe
          c:\documents and settings\lt\Desktop\xp_files\explorer.exe | c:\windows\$NtUninstallKB938828$\explorer.exe
          c:\documents and settings\lt\Desktop\xp_files\spoolsv.exe | c:\windows\SYSTEM32\DLLCACHE\spoolsv.exe
          c:\documents and settings\lt\Desktop\xp_files\spoolsv.exe | c:\windows\system32\spoolsv.exe
          c:\documents and settings\lt\Desktop\xp_files\spoolsv.exe | c:\windows\$NtUninstallKB896423$\spoolsv.exe

          Driver::
          ivfsykgg
          Lbd
          ethyfttz

          File::
          c:\windows\system32\2C.tmp
          c:\windows\system32\2A.tmp
          c:\windows\system32\28.tmp
          c:\windows\system32\27.tmp
          c:\windows\system32\24.tmp
          c:\windows\system32\22.tmp
          c:\windows\system32\21.tmp
          c:\documents and settings\Cerulo\gihcwa.exe
          c:\windows\system32\1F.tmp
          c:\windows\system32\6F.tmp
          c:\windows\system32\6D.tmp
          c:\windows\system32\6C.tmp
          c:\documents and settings\Cerulo\vjpyy.exe
          c:\windows\system32\6A.tmp
          c:\windows\system32\6B.tmp
          c:\windows\system32\69.tmp
          c:\windows\system32\pdbcopy.exe
          c:\windows\system32\68.tmp
          c:\documents and settings\Cerulo\kgvxy.exe
          c:\windows\system32\67.tmp
          c:\windows\system32\35.tmp
          c:\windows\plapxfoh.exe
          c:\windows\system32\32.tmp
          c:\windows\system32\30.tmp
          c:\windows\system32\drivers\ivfsykgg.sys
          c:\windows\system32\2F.tmp
          c:\windows\system32\2E.tmp
          c:\windows\system32\40.tmp
          c:\windows\tjsutwal.exe
          c:\windows\system32\3A.tmp
          c:\windows\system32\38.tmp
          c:\windows\system32\makehm.exe
          c:\windows\system32\37.tmp
          c:\windows\system32\36.tmp
          c:\windows\system32\drivers\ethyfttz.sys
          c:\windows\system32\29.tmp
          c:\windows\system32\secupdat.dat
          c:\windows\system32\drivers\ndisio.sys
          c:\documents and settings\Cerulo\jdpgkx.exe
          c:\windows\system32\20.tmp
          c:\windows\system32\1E.tmp
          c:\windows\system32\1D.tmp
          c:\windows\system32\1C.tmp
          c:\windows\system32\gcc.exe
          c:\windows\system32\3.tmp
          c:\windows\sysguard.exe
          c:\windows\system32\11.tmp
          c:\windows\system32\10.tmp
          c:\windows\Ipigafisequ.dll
          c:\windows\system32\B.tmp

          Registry::
          [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
          "plapxfoh.exe"=-

          [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
          "Userinit"="c:\windows\system32\userinit.exe,"

          [-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ivfsykgg.sys]


          3. Go to the Notepad window and click Edit > Paste
          4. Then click File > Save
          5. Name the file CFScript.txt - Save the file to your Desktop
          6. Then drag the CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe as you see in the screenshot below. Important: Perform this instruction carefully!



          ComboFix will begin to execute, just follow the prompts.
          After reboot (in case it asks to reboot), it will produce a log for you.
          Post that log (Combofix.txt) in your next reply.

          Note: Do not mouseclick ComboFix's window while it is running. That may cause your system to freeze
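          The Fcopy:: section above replaces each system binary not only in system32 but in every cache location Windows File Protection can restore it from (dllcache, ServicePackFiles, the service-pack uninstall folder); if an infected copy survives in any of those, WFP can put it straight back. The script below is an added example, not part of this thread and not ComboFix's own code: it audits those cache copies against a known-clean set (standing in for the xp_files folder) and checks the Winlogon Userinit value the Registry:: section resets. It runs offline against a constructed throwaway directory tree; the directory names and the sample Userinit value are assumptions for the demonstration.

```python
import hashlib
import os
import tempfile

# Relative locations (under the Windows directory) that Windows File
# Protection can restore each binary from.  Mirrors the Fcopy:: targets in
# the CFScript; per-machine hotfix folders ($hf_mig$, $NtUninstallKB*) are
# omitted from this constructed layout.
CACHE_LOCATIONS = {
    "userinit.exe": [("system32",), ("system32", "dllcache"),
                     ("ServicePackFiles", "i386")],
    "svchost.exe":  [("system32",), ("system32", "dllcache"),
                     ("ServicePackFiles", "i386"), ("$NtServicePackUninstall$",)],
    "ctfmon.exe":   [("system32",), ("system32", "dllcache"),
                     ("ServicePackFiles", "i386"), ("$NtServicePackUninstall$",)],
    "explorer.exe": [(), ("system32", "dllcache"),
                     ("ServicePackFiles", "i386"), ("$NtServicePackUninstall$",)],
    "spoolsv.exe":  [("system32",), ("system32", "dllcache")],
}


def sha256_file(path):
    """Hash a file in chunks so large binaries are not loaded whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def audit_system_copies(windows_dir, clean_dir):
    """Compare every cached copy of each binary with the known-clean copy.

    clean_dir plays the role of the xp_files folder from the thread.
    Returns (mismatched, missing): relative paths (forward slashes) whose
    hash differs from the clean copy, and locations with no copy at all.
    """
    mismatched, missing = [], []
    for name, locations in CACHE_LOCATIONS.items():
        clean_hash = sha256_file(os.path.join(clean_dir, name))
        for parts in locations:
            rel = "/".join(parts + (name,))
            full = os.path.join(windows_dir, *parts, name)
            if not os.path.isfile(full):
                missing.append(rel)
            elif sha256_file(full) != clean_hash:
                mismatched.append(rel)
    return mismatched, missing


def unexpected_userinit_entries(value, windows_dir=r"C:\WINDOWS"):
    """Parse a Winlogon\\Userinit value and return every entry other than the
    stock userinit.exe.  Userinit is a comma-separated list, so an extra
    program appended after the stock entry is what to look for; the clean
    value the CFScript restores is exactly 'c:\\windows\\system32\\userinit.exe,'.
    """
    expected = (windows_dir.rstrip("\\") + r"\system32\userinit.exe").lower()
    entries = [e.strip() for e in value.split(",") if e.strip()]
    return [e for e in entries if e.lower() != expected]


def build_constructed_layout():
    """Build a throwaway tree standing in for C:\\WINDOWS plus an xp_files
    folder of clean copies.  All contents are constructed placeholders, not
    real binaries.  The dllcache copy of svchost.exe is deliberately made
    different and the uninstall-folder copy of explorer.exe is left out, so
    the audit has something to report.
    """
    base = tempfile.mkdtemp(prefix="constructed_xp_")
    windows_dir = os.path.join(base, "WINDOWS")
    clean_dir = os.path.join(base, "xp_files")
    os.makedirs(clean_dir)
    for name, locations in CACHE_LOCATIONS.items():
        clean_bytes = b"MZ constructed clean " + name.encode()
        with open(os.path.join(clean_dir, name), "wb") as f:
            f.write(clean_bytes)
        for parts in locations:
            if name == "explorer.exe" and parts == ("$NtServicePackUninstall$",):
                continue  # constructed gap: no copy here
            target_dir = os.path.join(windows_dir, *parts)
            os.makedirs(target_dir, exist_ok=True)
            data = clean_bytes
            if name == "svchost.exe" and parts == ("system32", "dllcache"):
                data = b"MZ constructed INFECTED svchost"  # lingering bad copy
            with open(os.path.join(target_dir, name), "wb") as f:
                f.write(data)
    return windows_dir, clean_dir


if __name__ == "__main__":
    win, clean = build_constructed_layout()
    bad, gone = audit_system_copies(win, clean)
    print("differs from clean copy:", bad)
    print("no copy present:", gone)
    # Constructed Userinit value with a second, non-stock entry appended.
    print("extra Userinit entries:", unexpected_userinit_entries(
        r"C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\CONSTRUCTED_bad.exe"))
```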

          ElwoodJD


            Re: Data Execution Prevention Blocks Explorer/Others Following Malware Removal
            « Reply #8 on: February 08, 2009, 12:27:40 PM »
            I created and ran the instructed CFScript.  Attached is the ComboFix log from that.

            The default windows network "Repair" feature failed to fix my network connection issue.  It hung up at the connect to wireless network part because it still fails to find any wireless networks.  Of course, I know that my network is out there because my other laptop is connected to it.

            Just in case it's related, I posted a HijackThis log as well.  Thanks for any more help you can give me.

            [attachment deleted by admin]

            evilfantasy

            Re: Data Execution Prevention Blocks Explorer/Others Following Malware Removal
            « Reply #9 on: February 08, 2009, 12:44:40 PM »
            You may end up having to reinstall your wireless software. This infection is actually pretty severe, the worst I've seen in a while, and might have "broke" some of your software as well as Windows. I'm not sure this is repairable as that fix didn't work.

            Quote
            c:\windows\system32\userinit.exe . . . is infected!!

            c:\windows\system32\spoolsv.exe . . . is infected!!

            c:\windows\explorer.exe . . . is infected!!

            We need to run a scanner that might repair this and then again might not. Do you have an XP install CD? You might end up needing one.

            Disable Spybot's TeaTimer

            While TeaTimer is an excellent tool for the prevention of spyware, it can also interfere with HijackThis fixes. Please disable TeaTimer for now until you are clean.

            1. Right click Spybot in the System Tray (looks like a calendar with a padlock symbol). Choose Exit Spybot S&D Resident
            2. Run Spybot S&D
            3. Go to the Mode menu, and make sure Advanced Mode is selected.
            4. On the left hand side, choose Tools > Resident, uncheck Resident TeaTimer, OK any prompt and restart your computer.

            Note:
            If TeaTimer gives you a warning afterwards that some changes were made, allow this instead of blocking it.

            If TeaTimer will not turn off then uninstall Spybot until we are done cleaning.

            ----------

            Disable Ad-Aware as it may interfere with repairs

            • Click the Settings button, Auto Scans tab, and under Scan on Ad-Aware startup
            • Be sure both selections for No automated scan are checked (green).
            • Then click Save and close Ad-Aware.
            ----------

            Open HijackThis and select Do a system scan only.

            Place a check mark next to the following entries: (if there)

            - R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
            - O2 - BHO: (no name) - {C5BF49A2-94F3-42BD-F434-3604812C8955} - (no file)
            - O2 - BHO: (no name) - {C9C42510-9B21-41c1-9DCD-8382A2D07C61} - (no file)


            Important: Close all open windows except for HijackThis and then click Fix checked.

            Once completed, exit HijackThis.

             ----------

            Before you begin the SDFix instructions you should copy these instructions in a Notepad file and save them to your desktop or print them for easy reference. Much of SDFix will be done in Safe mode and you will be unable to access this web page after booting into Safe mode.

            Download SDFix by AndyManchesta and save it to your desktop.

            When using this tool, you must use the Administrator's account or an account with Administrative rights


            * Now, double-click on the SDFix icon that should now be residing on your desktop. If a Open File - Security Warning box opens, click on the Run button.
            * A window will now open showing SDFix being extracted into the C:\SDFix folder.     
            * Once the installation program has finished extracting SDFix, it will open a Notepad with further instructions.
            * DO NOT use it just yet.

            Reboot your computer in Safe Mode using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

            When your computer has started in safe mode, and you see the desktop, close all open Windows.

            * Click on the Start button, click on the Run menu option, and type the following text from the Code Box into the Open: field then click the OK  button.

            Code:
            C:\SDFix\RunThis.bat
            * SDFix window will open containing some brief info and a disclaimer on the use of the tool.
            * Type Y on your keyboard and then press Enter to begin the cleanup process.
            * It will remove any Trojan Services or Registry Entries found then prompt you to press any key to Reboot.
            * Press any Key and it will restart the PC.
            * When the PC restarts, the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
            * Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt.
            * Copy and paste the contents of the results file Report.txt in your next reply.

            ----------

            Download Malwarebytes' Anti-Malware (MBAM)

            • Double-click mbam-setup.exe and follow the prompts to install the program.
            • At the end, be sure a checkmark is placed next to the following:
              • Update Malwarebytes' Anti-Malware
              • Launch Malwarebytes' Anti-Malware
              • Then click Finish.
              • If an update is found, it will download and install the latest version.
              • Once the program has loaded, select Perform quick scan, then click Scan.
              • When the scan is complete, click OK, then Show Results to view the results.
              • Be sure that everything is checked, and click Remove Selected.
              • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
              • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
              • Copy and Paste the entire report in your next reply.
              Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process, if asked to restart the computer, please do so immediately.

              ----------

              • Next post please add:
              • SDFix log
              • MBAM log

              ElwoodJD


                Re: Data Execution Prevention Blocks Explorer/Others Following Malware Removal
                « Reply #10 on: February 08, 2009, 02:55:28 PM »
                I uninstalled Spybot as TeaTimer was being persistent.  I also made the changes in HijackThis.

                I ran SDFix.  Following reboot, while it was finalizing things, it reported that it failed to open the following files:

                SDFix-FileCheck\Alchohol120_retail_1.exe
                ""\Keymaker_v3.exe
                ""\RC1_Patch_v.exe

                It put out a report, as did MBAM, which are attached.

                I do have my original XP Pro CD, however, my DVD drive is broken so it might be difficult to utilize it.  I'm suspecting the internet is in a bad way and will need to have its drivers/software reinstalled, but I'm not sure how to go about doing it.

                Thank you.

                [attachment deleted by admin]

                evilfantasy

                Re: Data Execution Prevention Blocks Explorer/Others Following Malware Removal
                « Reply #11 on: February 08, 2009, 03:04:25 PM »
                Download Lop S&D by Eric_71 and save it to your Desktop. Lop S&D will only run on Windows XP and Windows Vista

                Disable your antivirus and antimalware programs so they do not interfere with the running of Lop S&D. If needed see: How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs

                If you are using Windows Vista, right-click on LopSD.exe icon and select 'Run as administrator' to perform this scan.
                • Double-click Lop S&D.exe
                • Choose the language by typing the corresponding letter and press Enter
                • Click OK at the informative window
                • Type 1, to choose Option 1 (Search) then press Enter
                • Wait until the end of the scan
                • A report will be generated, post the contents of it in your next reply.
                A copy of the report can be found at this location: %systemdrive%\lopR.txt, in most cases C:\lopR.txt

                ElwoodJD


                  Re: Data Execution Prevention Blocks Explorer/Others Following Malware Removal
                  « Reply #12 on: February 08, 2009, 03:34:31 PM »
                  LopR.txt is attached.  I have to run out for upwards of 45 minutes, but then I will be back.  Thank you.

                  [attachment deleted by admin]

                  evilfantasy

                  Re: Data Execution Prevention Blocks Explorer/Others Following Malware Removal
                  « Reply #13 on: February 08, 2009, 04:01:38 PM »
                  Disable your antivirus and antimalware programs so they do not interfere with the running of Lop S&D.

                  Double-click LopSD.exe

                  If you are using Windows Vista, right-click on LopSD.exe icon and select 'Run as administrator' to perform this scan.
                  • Choose the language by typing the corresponding letter and press Enter
                  • Click OK at the informative window.
                  • Type 2 to choose Option 2 (Delete with Hosts File Restore), then press Enter
                  • Wait until the end of the scan.
                  • A report will be generated, post the contents of it in your next reply.
                  ----------

                  Try to repair your Internet connection again.

                  Reset the router, unplug it if there is no reset button for about 10 seconds then plug it back in.

                  • Open Internet Explorer, click the Tools button, and then click Internet Options.
                  • Click the Connections tab.
                  • Click the first entry in the Dialup and Virtual Private Networks list, and then click Settings.
                  • Select the Automatically detect settings check box, and then click OK.
                  • Repeat the previous two steps for each entry in the Dialup and Virtual Private Networks list.
                  • Click the Lan Settings button in the Connections tab, and repeat steps 4-6. Click OK on the Connections tab.
                  • Close Internet Explorer, and then restart it.
                  See if you can connect now.

                  ----------

                  You have to remove the Cracks & Keygens before I can continue helping.

                  Download the OTMoveIt3 by OldTimer

                  Note: If you are running on Vista, right-click on OTMoveIt3.exe and choose Run As Administrator.

                  * Save it to your Desktop.
                  * Double-click OTMoveIt3.exe to run it.
                  * Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy)

                  Code:
                  :Processes
                  explorer.exe

                  :files
                  C:\DOCUME~1\Cerulo\Application Data\uTorrent\Its.Always.Sunny.in.Philadelphia.S04E11.The.Gang.Cracks.the.Liberty.Bell.PDTV.XviD-FQM.avi.torrent
                  C:\DOCUME~1\Cerulo\Application Data\uTorrent\My.Notes.Keeper.v1.9.WinAll.Keygen.Only-BRD.torrent
                  C:\DOCUME~1\Cerulo\Desktop\MacDrive 7.0.10\Mediafour_MacDrive_v7.0.10_incl_Keygen-PARADOX.rar
                  C:\DOCUME~1\Cerulo\Favorites\Current Torrents\TMPGEnc XPress v4.4.2.238 Incl. Keygen and Patch-HAZE (download torrent) - TPB.url
                  C:\DOCUME~1\Cerulo\My Documents\Downloads\My.Notes.Keeper.v1.9.WinAll.Keygen.Only-BRD
                  C:\DOCUME~1\Cerulo\My Documents\Downloads\My.Notes.Keeper.v1.9.WinAll.Keygen.Only-BRD\brd.nfo
                  C:\DOCUME~1\Cerulo\My Documents\Downloads\My.Notes.Keeper.v1.9.WinAll.Keygen.Only-BRD\brmnk19a.zip
                  C:\DOCUME~1\Cerulo\My Documents\Downloads\My.Notes.Keeper.v1.9.WinAll.Keygen.Only-BRD\file_id.diz
                  C:\DOCUME~1\Cerulo\My Documents\Downloads\My.Notes.Keeper.v1.9.WinAll.Keygen.Only-BRD\Keygen.exe

                  :Commands
                  [purity]
                  [emptytemp]
                  [start explorer]
                  [Reboot]

                  * Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window (under the yellow bar) and choose Paste.
                  * Click the red Moveit! button.
                  * Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
                  * Close OTMoveIt3

                  Note: If a file or folder cannot be moved immediately you may be asked to reboot your computer in order to finish the move process. If asked to reboot, choose Yes. If not, reboot anyway.
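The "Automatically detect settings" steps above are a manual fix for a proxy hijack: rogue security software commonly points WinINet at a local or remote proxy and unticks auto-detect so the victim cannot reach update or support sites. The following is an added example, not code from the thread or from any of the tools it names. It decodes the DefaultConnectionSettings value that backs that dialog (under HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections) and rebuilds it with auto-detect on and any manual proxy or PAC script off. The blob layout used (version, change counter, flags, then three length-prefixed ANSI strings) is the commonly documented one and is an assumption; the constructed sample value and the 127.0.0.1:8080 proxy in it are made up for the demonstration, and the live registry write is off by default.

```python
"""Inspect and repair Internet Explorer / WinINet proxy settings.

Added example, not part of the original thread. The "Automatically detect
settings" checkbox state lives in the DefaultConnectionSettings binary value
under HKCU\\...\\Internet Settings\\Connections; a manual proxy also lives in
ProxyEnable / ProxyServer one key up. The blob layout below (version, change
counter, flags, then length-prefixed proxy, bypass-list and PAC-URL strings,
then 32 zero bytes) is the commonly documented format and is an assumption.
"""
import struct
import sys

FLAG_DIRECT = 0x01      # "no proxy" bit, set on a default system
FLAG_PROXY = 0x02       # "Use a proxy server" (manual proxy)
FLAG_PAC = 0x04         # "Use automatic configuration script" (PAC URL)
FLAG_AUTODETECT = 0x08  # "Automatically detect settings" (WPAD)

CONNECTIONS_KEY = r"Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections"
INET_KEY = r"Software\Microsoft\Windows\CurrentVersion\Internet Settings"


def _read_lpstr(blob, off):
    """Read a DWORD length followed by that many ANSI bytes; return (str, next offset)."""
    (n,) = struct.unpack_from("<I", blob, off)
    return blob[off + 4: off + 4 + n].decode("latin-1"), off + 4 + n


def _write_lpstr(s):
    b = s.encode("latin-1")
    return struct.pack("<I", len(b)) + b


def parse_connection_settings(blob):
    """Decode a DefaultConnectionSettings value into a dict of fields and flag booleans."""
    version, counter, flags = struct.unpack_from("<III", blob, 0)
    proxy, off = _read_lpstr(blob, 12)
    bypass, off = _read_lpstr(blob, off)
    pac, off = _read_lpstr(blob, off)
    return {
        "version": version, "counter": counter, "flags": flags,
        "proxy": proxy, "bypass": bypass, "pac": pac,
        "autodetect": bool(flags & FLAG_AUTODETECT),
        "manual_proxy": bool(flags & FLAG_PROXY),
        "pac_script": bool(flags & FLAG_PAC),
    }


def build_connection_settings(version, counter, flags, proxy="", bypass="", pac=""):
    """Encode the fields back into the assumed binary layout."""
    return (struct.pack("<III", version, counter, flags)
            + _write_lpstr(proxy) + _write_lpstr(bypass) + _write_lpstr(pac)
            + b"\x00" * 32)


def repair_connection_settings(blob):
    """Return (new_blob, findings): auto-detect on, manual proxy and PAC script off.

    The change counter is incremented, as the dialog does, so WinINet reloads it.
    """
    cur = parse_connection_settings(blob)
    findings = []
    if cur["manual_proxy"] or cur["proxy"]:
        findings.append("manual proxy set to %r" % cur["proxy"])
    if cur["pac_script"] or cur["pac"]:
        findings.append("PAC script set to %r" % cur["pac"])
    if not cur["autodetect"]:
        findings.append("Automatically detect settings was unchecked")
    new = build_connection_settings(cur["version"], cur["counter"] + 1,
                                    FLAG_DIRECT | FLAG_AUTODETECT)
    return new, findings


def repair_live_registry(dry_run=True):
    """Windows only: apply the repair to HKCU and clear ProxyEnable. Reports by default."""
    import winreg  # imported here so the parser above runs on any platform
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, CONNECTIONS_KEY, 0,
                        winreg.KEY_READ | winreg.KEY_WRITE) as k:
        blob, kind = winreg.QueryValueEx(k, "DefaultConnectionSettings")
        new, findings = repair_connection_settings(blob)
        if not dry_run:
            winreg.SetValueEx(k, "DefaultConnectionSettings", 0, kind, new)
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, INET_KEY, 0,
                        winreg.KEY_READ | winreg.KEY_WRITE) as k:
        try:
            proxy, _ = winreg.QueryValueEx(k, "ProxyServer")
            findings.append("ProxyServer = %r" % proxy)
        except FileNotFoundError:
            pass
        if not dry_run:
            winreg.SetValueEx(k, "ProxyEnable", 0, winreg.REG_DWORD, 0)
    return findings


# Constructed sample (not a captured value): all traffic forced through
# 127.0.0.1:8080 with auto-detect unticked, the state a proxy hijacker leaves behind.
HIJACKED = build_connection_settings(0x46, 7, FLAG_DIRECT | FLAG_PROXY,
                                     "127.0.0.1:8080", "<local>")

if __name__ == "__main__":
    fixed, findings = repair_connection_settings(HIJACKED)
    print("sample findings:", findings)
    if sys.platform == "win32":
        print("live registry (dry run):", repair_live_registry(dry_run=True))
```

Run it as-is to see what the constructed hijacked value decodes to; on a Windows box, `repair_live_registry(dry_run=False)` rewrites the current user's value, after which Internet Explorer must be restarted to pick up the change. Any remaining hijack in the HOSTS file or in the LAN adapter's DNS servers is outside what this touches, which is why the post also has you run the hosts-file restore and reset the router.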

                  evilfantasy

                  Re: Data Execution Prevention Blocks Explorer/Others Following Malware Removal
                  « Reply #14 on: February 08, 2009, 04:02:57 PM »
                  Also do you have two antivirus installed? Looks like AVG and McAfee. You should only have one installed at a time.

                  ElwoodJD

                    Re: Data Execution Prevention Blocks Explorer/Others Following Malware Removal
                    « Reply #15 on: February 08, 2009, 04:15:59 PM »
                    I am getting to the instructions you left me right now, but I wanted to let you know that I do not believe I have two anti-virus programs running.  I think my computer came with McAfee for a year, but I removed it after it expired and went with AVG 7.5, then re-upped to AVG 8 when it came out.  McAfee is not listed under Add/Remove Programs, so is there something else I should do to find/delete it if there are still remnants of it around?

                    evilfantasy

                    Re: Data Execution Prevention Blocks Explorer/Others Following Malware Removal
                    « Reply #16 on: February 08, 2009, 04:26:03 PM »
                    You can delete the McAfee files that are in C:\Program Files.

                    ElwoodJD

                      Re: Data Execution Prevention Blocks Explorer/Others Following Malware Removal
                      « Reply #17 on: February 08, 2009, 04:35:30 PM »
                      Attached please find the Lop log from the second run-through using option #2.
                      As for MoveIt, after running it a box popped up requesting me to reboot.  With that box open I could not copy the text of the log.  I accepted the reboot, but upon loading Windows OTMove did not reopen.  When I manually opened it, I could not find the log anymore.  Is there a hard copy somewhere on my hard drive (I looked in C:\ already)?

                      Also, I have deleted a couple of straggler McAfee files.  Thank you.

                      [attachment deleted by admin]

                      evilfantasy

                      Re: Data Execution Prevention Blocks Explorer/Others Following Malware Removal
                      « Reply #18 on: February 08, 2009, 04:41:10 PM »
                      Look in C:\_OTMoveIt\MovedFiles and open the newest .log file present.
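The script pasted into OTMoveIt3 in Reply #13 has a simple shape: a `:Processes` section, a `:files` section with one full path per line, and a `:Commands` section of bracketed directives, and the tool moves the files into a quarantine tree and writes a dated log there, which is the C:\_OTMoveIt\MovedFiles folder the reply above points to. The following is an added example that re-implements just that shape; it is not OldTimer's code and does not try to match its log format. Files are moved, never deleted, into a tree that preserves the original path so a false positive can be put back, and the 8.3 short names such as DOCUME~1 in the post are resolved by Windows itself when the path is opened. Process termination and the bracket commands are only recorded in the log here, not executed. The sample tree it builds is constructed for the demonstration.

```python
"""Minimal re-implementation of the OTMoveIt3 script format used in the thread.

Added example; not OldTimer's code. Covers only the directives the post uses
(:Processes, :files, :Commands). Files are moved, never deleted, into a
quarantine tree that mirrors their original path, and every action is written
to a timestamped .log file in that tree.
"""
import os
import shutil
import tempfile
import time


def parse_script(text):
    """Split a script into {'processes': [...], 'files': [...], 'commands': [...]}."""
    sections = {"processes": [], "files": [], "commands": []}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith(":"):
            name = line[1:].lower()
            if name not in sections:
                raise ValueError("unknown section %r" % line)
            current = name
            continue
        if current is None:
            raise ValueError("directive outside any section: %r" % line)
        if current == "commands":
            line = line.strip("[]").lower()   # "[Reboot]" -> "reboot"
        sections[current].append(line)
    return sections


def quarantine_path(root, path):
    """Map C:\\foo\\bar.exe to <root>/C/foo/bar.exe so the origin stays recoverable."""
    norm = path.replace("\\", "/")
    if len(norm) > 1 and norm[1] == ":":          # Windows drive letter
        parts = [norm[0].upper()] + norm[2:].split("/")
    else:
        parts = norm.split("/")
    return os.path.join(root, *[p for p in parts if p])


def move_files(paths, root):
    """Move each existing path under root; return a list of (src, dest, status)."""
    results = []
    for src in paths:
        if not os.path.lexists(src):
            results.append((src, None, "not found"))
            continue
        dest = quarantine_path(root, src)
        os.makedirs(os.path.dirname(dest), exist_ok=True)
        try:
            shutil.move(src, dest)
            results.append((src, dest, "moved"))
        except OSError as e:                      # typically a locked file in use
            results.append((src, None, "locked: %s" % e))
    return results


def run_script(text, root):
    """Apply a script against quarantine root; return (parsed, move results, log path)."""
    script = parse_script(text)
    results = move_files(script["files"], root)
    os.makedirs(root, exist_ok=True)
    log = os.path.join(root, time.strftime("%m%d%Y_%H%M%S") + ".log")
    with open(log, "w") as f:
        for p in script["processes"]:
            f.write("Process %s: to be terminated by the caller (not done here)\n" % p)
        for src, dest, status in results:
            f.write("%s -> %s [%s]\n" % (src, dest, status))
        for c in script["commands"]:
            f.write("Command [%s]: recorded, not executed\n" % c)
    return script, results, log


def run_sample():
    """Constructed demo: a throwaway tree with one fake 'Keygen.exe' and one missing file."""
    base = tempfile.mkdtemp()
    victim = os.path.join(base, "Downloads", "Keygen.exe")
    os.makedirs(os.path.dirname(victim))
    with open(victim, "wb") as f:
        f.write(b"MZ constructed, not a real binary")
    missing = os.path.join(base, "Downloads", "already_gone.zip")
    script = "\n".join([":Processes", "explorer.exe", "", ":files", victim, missing,
                        "", ":Commands", "[emptytemp]", "[start explorer]", "[Reboot]"])
    root = os.path.join(base, "_OTMoveIt", "MovedFiles")
    parsed, results, log = run_script(script, root)
    return {
        "parsed": parsed, "results": results, "log_exists": os.path.exists(log),
        "victim_gone": not os.path.exists(victim),
        "in_quarantine": results[0][1] is not None and os.path.exists(results[0][1]),
    }


if __name__ == "__main__":
    for k, v in run_sample().items():
        print(k, "=", v)
```

A file that is open in a running process comes back as "locked", which is the case the real tool handles by finishing the move on reboot; the sample above leaves that to the caller rather than scheduling a deferred move.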

                      ElwoodJD

                        Re: Data Execution Prevention Blocks Explorer/Others Following Malware Removal
                        « Reply #19 on: February 08, 2009, 04:46:24 PM »
                        Ha, didn't even notice the OTMoveIt folder for some reason.  That log is attached.

                        Also, I went through device manager, uninstalled all my network controllers and other drivers for my wireless and broadcom stuff, and have the internet running seemingly normally on my computer now.  So that is a plus.

                        Thank you, and what's next?

                        [attachment deleted by admin]

                        evilfantasy

                        Re: Data Execution Prevention Blocks Explorer/Others Following Malware Removal
                        « Reply #20 on: February 08, 2009, 04:50:52 PM »
                        OK since you have a connection now we need to run an online scan.

                        Also let me know how the computer is running after this scan.

                        This scanner works with Internet Explorer only!

                        Scan with the BitDefender Online Scanner
                        Click I Agree to the license and then install the ActiveX control.
                        Please DO NOT change the Scanning Options.
                        That will make your logs huge and we don't need to see clean files.

                        Select Start Scan to begin.
                        This scan can take a while so please be patient and let it complete.

                        Once BitDefender completes the scan:
                        Click-on the Detected Problems tab.
                        Then select Click here to export the scan report



                        This will save a file named bdscan.html I would suggest saving it to the Desktop so you can easily find it. (take notice of where you save it so you can find it later)
                         
                        You will have to upload the file online. The forums will not accept HTML.

                        Go to File Dropper

                        Click Upload
                        Locate the file and double click it.
                        Copy the download link and post it back here.

                        ElwoodJD

                          Re: Data Execution Prevention Blocks Explorer/Others Following Malware Removal
                          « Reply #21 on: February 08, 2009, 11:47:11 PM »
                          I went to dinner while the BitDefender scan was running (it estimated a couple of hours), when I returned my computer had reset.  I logged in, and now things seem bad (they actually seemed pretty OK before I left).  When I logged in and things started to load up, I get a bunch of Data Execution Prevention program stops.  They seem to be scam programs though (including such stellar entries as: "Run a DLL as an App," "Logon Screen Saver," "services," and "Run a DLL as an App" again and again and again).  Anyway, I am attempting to run the BitDefender online scan again if I can get it to finish fully again.  I'll post it ASAP.

                          ElwoodJD

                            Re: Data Execution Prevention Blocks Explorer/Others Following Malware Removal
                            « Reply #22 on: February 09, 2009, 01:56:51 AM »
                            Also, while running BitDefender this second time, it has prompted "Windows File Protection" to warn me that required Windows files have been replaced by unrecognized versions.  It prompts me to insert the Windows XP Service Pack 3 CD (which I don't even have since I downloaded SP3 on top of my old XP Pro).

                            I'm assuming this is alright, but I thought I would mention it to see if it's a problem.  I'll post the log whenever this thing finally finishes running

                            EDIT: BitDefender log posted at http://www.filedropper.com/bitdefenderlog .  I'll check back tomorrow morning to see what you think.  Thanks again for all your help.

                            evilfantasy

                            Re: Data Execution Prevention Blocks Explorer/Others Following Malware Removal
                            « Reply #23 on: February 09, 2009, 09:55:55 AM »
                            This is not looking good at all.

                            Please do the following:

                            1. Download this diagnostics tool MGADiag.exe and save this to your Desktop.
                            2. Double-click on MGADiag.exe and click Continue
                            3. When the program has finished, click on Copy
                            4. Post the results in your next reply.

                            ElwoodJD

                              Re: Data Execution Prevention Blocks Explorer/Others Following Malware Removal
                              « Reply #24 on: February 09, 2009, 11:01:21 AM »
                              The MGA Diagnostic Log is attached.  My computer seems to be running alright, but there are clearly issues behind the scenes.  Performance is slightly sluggish, upon startup I still do not have the standard icon based windows login splash screen (just the text box still), and User Logon UI is terminated by Data Execution Prevention immediately upon startup.  Also, I seem to be noticing that if left idle for 5 minutes (not running any sort of scan or otherwise, just leaving the computer alone), it reboots on its own.  Anyway, those are my observations along with the requested log.

                              There are some documents and other tidbits that are not backed up.  Is it too late to back them up without bringing the infection along with them to the next computer?  I am getting the feeling that I am going to have to wipe my whole machine and reinstall windows.

                              [attachment deleted by admin]

                              evilfantasy

                              Re: Data Execution Prevention Blocks Explorer/Others Following Malware Removal
                              « Reply #25 on: February 09, 2009, 11:11:25 AM »
                              I'm not sure what the infection is but BitDefender removed a bunch of files in your i386 folder which are the files used to install, repair, modify, update and rebuild Windows. In other words it's your recovery partition and that indicates that the entire OS is either now damaged or infected by malware.

                              Backup what you can, you can always run a virus scan on the backup folder before saving it. Wipe and reinstall.

                              Sorry but I don't think this is repairable.

                              ElwoodJD

                                Re: Data Execution Prevention Blocks Explorer/Others Following Malware Removal
                                « Reply #26 on: February 09, 2009, 11:27:19 AM »
                                 :P

                                Yeah, I was starting to get that feeling...ah well, some days you get the bear and some days...

                                Anyway, sounds good, I guess I will start the backup and reinstall process this afternoon.  Couple of questions you might be able to answer:

                                1) My DVD drive is broken right now, so I'm struggling to figure out how to reinstall the OS.  I considered downloading an iso of the XP Pro CD I have, since I can still use the Product Key I already possess.  Is there any problem with that plan?

                                2) If I back files up to an external hard drive, should I scan it from this infected machine before the reinstall, or should I scan it after reinstalling the OS?  Is there a risk of re-infecting if I did the latter, or a risk of infecting the backups if I did the former?

                                3) Thank you for all your help trying to deal with this problem.  What do you think went wrong?  Was this an especially bad infection, or do you think that my partial delay in seeking help exacerbated the problem (I probably rebooted my computer a couple of times while running my own ad-aware and spybot scans.  Since they weren't powerful enough to fix it, I wonder if rebooting it a couple of times just allowed the infected processes to burrow deeper into my computer).

                                Either way I appreciate the help, I'll be on ComputerHope for about the next hour or so while I backup files, so if you think of anything else let me know.  After that I will wipe and re-install.

                                evilfantasy

                                Re: Data Execution Prevention Blocks Explorer/Others Following Malware Removal
                                « Reply #27 on: February 09, 2009, 11:41:08 AM »
                                Quote
                                2) If I back files up to an external hard drive, should I scan it from this infected machine before the reinstall, or should I scan it after reinstalling the OS?  Is there a risk of re-infecting if I did the latter, or a risk of infecting the backups if I did the former?

                                It's risky. I'm sort of wondering if a new scan from BitDefender might turn up just as many newly infected files. I would back up the files and then scan them from a clean computer or the new install.

                                Quote
                                1) My DVD drive is broken right now, so I'm struggling to figure out how to reinstall the OS.  I considered downloading an iso of the XP Pro CD I have, since I can still use the Product Key I already possess.  Is there any problem with that plan?

                                Not sure. Try asking in the Windows forum.

                                Quote
                                What do you think went wrong?

                                Not sure. There is new malware out there that we still don't know much about.
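The advice above, to copy the data off and scan the copy from a clean machine rather than trusting a scan run on the compromised one, leaves one gap: a scanner only flags what it recognises, and a reinstall can be undone by one dropper that rode along in "My Documents" under a harmless name. The following is an added example, not from the thread, that triages a backup folder before it goes anywhere near the new install. It checks the file contents for a Windows executable (MZ header whose e_lfanew points at a PE signature) regardless of extension, so a dropper renamed to .jpg is caught, and additionally flags script, installer and shortcut extensions and any autorun.inf. It cannot see a macro inside a document or an exploit inside a PDF, which is why the post's advice to scan from a clean machine still stands. The sample tree it builds, including the 68-byte PE stub, is constructed for the demonstration.

```python
"""Triage a backup folder before carrying it to a clean machine.

Added example, not from the thread. Flags files a reinstall should not
inherit: anything that is really a Windows PE image (whatever the extension
says), script/installer/shortcut extensions, and autorun.inf. It does not
inspect document formats, so a scan from a clean machine is still needed.
"""
import os
import struct
import tempfile

RISKY_EXT = {".exe", ".dll", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs",
             ".js", ".jse", ".wsf", ".hta", ".msi", ".cpl", ".sys", ".lnk"}


def is_pe(path):
    """True if the file has an MZ DOS header whose e_lfanew points at 'PE\\0\\0'."""
    try:
        with open(path, "rb") as f:
            head = f.read(64)
            if len(head) < 64 or head[:2] != b"MZ":
                return False
            (e_lfanew,) = struct.unpack_from("<I", head, 0x3C)
            f.seek(e_lfanew)
            return f.read(4) == b"PE\x00\x00"
    except OSError:
        return False


def triage(root):
    """Walk root; return {'keep': [paths], 'quarantine': [(path, reason), ...]}."""
    keep, quarantine = [], []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            ext = os.path.splitext(name)[1].lower()
            if name.lower() == "autorun.inf":
                quarantine.append((path, "autorun.inf"))
            elif is_pe(path):                       # content check first: extension lies
                quarantine.append((path, "PE image (extension %r)" % ext))
            elif ext in RISKY_EXT:
                quarantine.append((path, "risky extension %s" % ext))
            else:
                keep.append(path)
    return {"keep": keep, "quarantine": quarantine}


def _fake_pe():
    """Constructed 68-byte stub: MZ header, e_lfanew = 0x40, PE signature at 0x40."""
    buf = bytearray(0x44)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x40)
    buf[0x40:0x44] = b"PE\x00\x00"
    return bytes(buf)


def run_sample():
    """Constructed backup tree: a note, a PE disguised as a photo, a keygen, autorun.inf."""
    base = tempfile.mkdtemp()
    files = {
        "My Documents/notes.txt": b"shopping list",
        "My Pictures/photo.jpg": _fake_pe(),
        "Downloads/Keygen.exe": b"not a real binary",
        "autorun.inf": b"[autorun]\nopen=photo.jpg\n",
    }
    for rel, data in files.items():
        path = os.path.join(base, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(data)
    result = triage(base)
    result["reasons"] = {os.path.basename(p): why for p, why in result["quarantine"]}
    result["kept_names"] = sorted(os.path.basename(p) for p in result["keep"])
    return result


if __name__ == "__main__":
    r = run_sample()
    print("keep:", r["kept_names"])
    for name, why in r["reasons"].items():
        print("quarantine:", name, "-", why)
```

Point `triage()` at the external drive from the clean machine and move the quarantine list into a folder that is never opened with Explorer's preview pane; anything on the keep list then still goes through the antivirus scan the post recommends.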

                                ElwoodJD

                                  Re: Data Execution Prevention Blocks Explorer/Others Following Malware Removal
                                  « Reply #28 on: February 09, 2009, 11:45:04 AM »
                                  Gotcha.

                                  One final question.  Once I get my computer re-running clean, what programs do you recommend?  Clearly my AVG + Ad-aware/Spybot combo was not fully getting the job done.  I understand those programs are getting on in years.  Clearly you guys like MBAM and that other program that you have listed on the stickied topic regarding what to do before posting.  Are there any other programs you think are an indispensable part of a well protected computer?

                                  I like AVG because its free, but I would love to hear any suggested software that I might procure to keep things safer in the future.

                                  Thanks for all your help!

                                  evilfantasy

                                  Re: Data Execution Prevention Blocks Explorer/Others Following Malware Removal
                                  « Reply #29 on: February 09, 2009, 11:51:41 AM »
                                  In addition to MalwareBytes and SUPERAntiSpyware.

                                  Here are some great FREE tools to help you keep from getting infected again. These tools use little or no resources so won't slow down your PC.

                                  Concerned about Browser Security? Consider using Mozilla Firefox. With more than 15,000 improvements, Firefox 3 is faster, safer and smarter than ever before.

                                  For Internet Explorer 7 users there is IE7Pro. IE7Pro is a must have add-on for Internet Explorer, which includes a lot of features and tweaks to make your IE friendlier, more useful, more secure and customizable.

                                  To prevent unknown applications from being installed on your computer install WinPatrol 2008
                                  * Using Winpatrol to protect your computer from malicious software

                                  I suggest using WOT - Web of Trust. WOT is a free Internet security addon for your browser. It will keep you safe from online scams, identity theft, spyware, spam, viruses and unreliable shopping sites. WOT warns you before you interact with a risky website. It's easy and it's free.

                                  SpywareBlaster - Secure your Internet Explorer to make it harder for ActiveX programs to run on your computer. Also stop certain cookies from being added to your computer when running Mozilla based browsers like Firefox.
                                  * Using SpywareBlaster to protect your computer from Spyware and Malware
                                  * If you don't know what ActiveX controls are, see here

                                  Check out Keeping Yourself Safe On The Web for tips and free tools to help keep you safe in the future.

                                  Also see Slow Computer? It May Not Be Malware for free cleaning/maintenance tools to help keep your computer running smooth.

                                  ElwoodJD

                                    Re: Data Execution Prevention Blocks Explorer/Others Following Malware Removal
                                    « Reply #30 on: February 09, 2009, 11:53:43 AM »
                                    Awesome, you're the best.  Take care, I think with all of that I am off to backup and re-install XP.