
Author Topic: trying to make sure my computer is clean  (Read 12703 times)


harry 48



    Egghead

  • lay back , relax and chill out
  • Thanked: 129
    • Yes
    • Yes
    • Yes
    • Dribbling Pensioner
  • Certifications: List
  • Experience: Familiar
  • OS: Windows 7
Re: trying to make sure my computer is clean
« Reply #15 on: September 15, 2009, 12:20:40 PM »
quote by cbmatt, If you want to help, feel free to instruct people on how to run scans and post logs.  Once they've done that, your job is done.

ok, thanks for your help and advice, that's all i will do from now on

with my limited knowledge taking out sp3 will do no harm it's only an upgrade from sp2, i have taken it out twice, it slows my pc down, but then i could be wrong   :'( :'(

but i will be still reading and trying to learn more if i can
« Last Edit: September 15, 2009, 12:32:00 PM by harry 48 »

willderphil

    Topic Starter


    Rookie

    Re: trying to make sure my computer is clean
    « Reply #16 on: September 15, 2009, 12:25:40 PM »
    Ok hopefully you guys can help me more. Here are the new logs you asked for cbmatt.

    [attachment deleted by admin]

    CBMatt

    • Mod & Malware Specialist


    • Prodigy

    • Sad and lonely...and loving every minute of it.
    • Thanked: 167
      • Yes
    • Experience: Experienced
    • OS: Windows 7
    Re: trying to make sure my computer is clean
    « Reply #17 on: September 15, 2009, 08:52:49 PM »
    Interesting...you're the second person I've dealt with this week so far who has this same infection.  I guess it's really getting around.  In any case, it should be gone now.  Your computer is looking a lot better.  How is it running?  Are you still having any issues?


    Oh, and as for the items you asked about in your first post...most of those are legit.  However, gtw_logo is often associated with an infection, usually installed with a screensaver.  Have you downloaded any screensavers recently?  Either way, I strongly urge you to remove this if it still exists.  The files should be gone, so it may ask if you simply want to delete the title from your list.

    I can't really comment on Browser address error redirector.  Sometimes these are legit, but they usually aren't.  One of your infections commonly redirects engine searches, so it may be related to this program.  My suggestion is to remove it.  If it is malicious, the important files will most likely have already been removed.

    The other programs are safe.




    Quote from: harry 48
    ok, thanks for your help and advice, that's all i will do from now on

    with my limited knowledge taking out sp3 will do no harm it's only an upgrade from sp2, i have taken it out twice, it slows my pc down, but then i could be wrong   :'( :'(

    but i will be still reading and trying to learn more if i can

    I don't mean to be harsh or bossy; we are just very particular about how we do things in the malware section.  I've been absent a lot recently, so random advice from other users makes it difficult for the few specialists who are here.  We appreciate that you are trying to help, but it often creates more work for us because when we are working with infections, we need to know exactly what has been done.  We need to devise a specific plan for each person.  Simply directing users to the "Read this first" post is more than enough help.

    As for SP3...it shouldn't cause you any speed issues.  It is almost identical to SP2.  The main difference is that it provides enhanced protection.  If SP3 gives you problems, then it's probably something you should look into.  Or perhaps you installed SP3 before any of the hotfixes were released...some people did have issues with it at first, but it should integrate into your OS smoothly at this point.
    Quote
    An undefined problem has an infinite number of solutions.
    - Robert A. Humphrey

    willderphil


      Re: trying to make sure my computer is clean
      « Reply #18 on: September 15, 2009, 09:22:33 PM »
      Well thank you guys but I am still having problems (maybe there is a registry problem or something???) anyways I still don't have internet and still can't turn on Windows Firewall. And I still can't install super anti spyware, it is all saying the same things. I did notice now that in Device Manager under other devices a "mass storage controller" has an exclamation point and a question mark on it. But maybe I need to try to find help somewhere else?

      CBMatt

      Re: trying to make sure my computer is clean
      « Reply #19 on: September 16, 2009, 09:32:11 PM »
      I wouldn't expect that device driver to be at fault, but we should still keep it in mind.  But for now, try out the steps below.  There could be something that the previous scans missed...

      Please print these instructions as they will be needed later when Internet access is not available.
       
      Download SDFix by AndyManchesta and save it to your desktop.  You will have to use another computer and transfer it via flashdrive.
      http://rapidshare.com/files/156236231/SDFix.exe.html

      When using this tool, you must use the Administrator's account or an account with Administrative rights

      • Double-click SDFix.exe and it will extract the files to %systemdrive% (this is the drive that contains the Windows Directory, typically C:\SDFix).
      • DO NOT use it just yet.
      Reboot your computer in Safe Mode using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears), press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

      Open the SDFix folder and double-click RunThis.bat to start the script.
      • Type Y to begin the cleanup process.
      • It will remove any Trojan Services or Registry Entries found then prompt you to press any key to reboot.
      • Press any Key and it will restart the PC.
      • When the PC restarts, the Fixtool will run again and complete the removal process then display Finished.  Press any key to end the script and load your desktop icons.
      • Once the desktop icons load, the SDFix report will open on screen and also save into the SDFix folder as Report.txt.
      • Copy and paste the contents of the results file Report.txt in your next reply.

      willderphil


        Re: trying to make sure my computer is clean
        « Reply #20 on: September 17, 2009, 12:43:18 AM »
        Here you go. Just to let you guys know I really appreciate all the attention you guys are giving this.

        [attachment deleted by admin]

        CBMatt

        Re: trying to make sure my computer is clean
        « Reply #21 on: September 18, 2009, 05:21:34 PM »
        Hey, somebody has to do it, right?  Heh.

        SDFix didn't find much more than a bad log file.  Do you still have a Dr. Web CureIt log by any chance?  It might give more insight into what is going on here.  Unfortunately, if the files have already been removed, a new scan won't do much good.  At this point, it's starting to look like either your problem isn't completely virus-related, or the infection caused some permanent damage.

        This is one of the difficulties that arises when a non-specialist starts assisting: they're not trained to ask for all of the appropriate logs, so it kinda leaves me in the dark with a lot of things on your computer.  I try to not do this because of the work involved, but I'm going to ask you to run an additional scan.  It will only take a minute or two and will produce two large logs:
        Download random's system information tool (RSIT) by random/random from here and save it to your Desktop.
        • Double click on RSIT.exe to run.
        • Click Continue at the disclaimer screen.
        • Once it has finished, two logs will open.
        • log.txt will be maximized and info.txt will be minimized.
        • Please post the contents of both logs in the next reply.
        While waiting for my response, you can also try uninstalling the "Mass Storage Controller" from Device Manager.  Upon doing so, restart and it should automatically re-install itself.  I'm not expecting it to actually help, but sometimes you just don't know what might happen.

        willderphil


          Re: trying to make sure my computer is clean
          « Reply #22 on: September 19, 2009, 02:13:40 AM »
          Well, trying to reinstall that controller didn't work. I don't know what it is and it needs a driver and I have no internet. If the driver is on my driver CD I think that CD is in storage. And if I can't fix this I will need to go get them anyways for a clean install.

          [attachment deleted by admin]

          CBMatt

          Re: trying to make sure my computer is clean
          « Reply #23 on: September 19, 2009, 06:15:31 AM »
          If the driver didn't reinstall itself, then it may be something that isn't native to your computer, such as some sort of add-on.  Of course, that's only speculation.  As you can see by looking at the logs, they are quite long, so it's going to take me quite a while to sort through all of the information.  And for now, I have to get to bed so my wife doesn't kill me.  Heh.  But once I wake up, I will spend some time going over everything and I will let you know what I find ASAP.  In the meantime, you should gather any CDs you have for this computer, just in case.

          CBMatt

          Re: trying to make sure my computer is clean
          « Reply #24 on: September 20, 2009, 03:38:12 AM »
          Well, I spent quite a bit of time going through your logs and I didn't really find much of anything.  There were a few errors in your event log, but these are common errors that can probably be fixed easily if you have your Windows CD.  They wouldn't be causing all of these troubles, though.

          However, one thing did catch my eye.  You have a catchme.sys on your computer.  I didn't think much of it because ComboFix installs Catchme, but I'm not aware of it normally appearing in the Temp folder.  So, to be on the safe side, I think we should investigate it further.

          First, I'd like for you to head over to VirusTotal.  Underneath Upload a file, copy and paste the following file path:
          C:\DOCUME~1\OWNER~1.KAR\LOCALS~1\Temp\catchme.sys

          Now, I have a feeling this won't actually work (it will probably say the file doesn't exist), but if it does work, please post the log here.


          Also, I would like you to download a program called Registry Search: http://www.bleepingcomputer.com/files/regsearch.php
          • Extract the files from Regsearch.zip into a folder.
          • Doubleclick regsearch.exe to start the program.
          • Enter catchme in the top area of the form and then click "OK".
          • Notepad will be opened with text in it (the file named RegSearch.txt will be saved in the program's folder as well). Attach this file to your next reply.

          willderphil


            Re: trying to make sure my computer is clean
            « Reply #25 on: September 21, 2009, 12:32:05 AM »
            I couldn't go to that first web site to see anything because I can't get internet on the computer that is messed up. But here is the regsearch log

            [attachment deleted by admin]

            CBMatt

            Re: trying to make sure my computer is clean
            « Reply #26 on: September 21, 2009, 12:55:49 AM »
            Quote from: willderphil
            I couldn't go to that first web site to see anything because I can't get internet on the computer that is messed up.

            Of course.  Excuse me, it's been a long week.

            As for this file, my suspicions haven't really been confirmed or denied.  But it's best to err on the side of caution, I think, so go ahead and follow my steps below.  If this is a legitimate version of the Catchme file, deleting it won't cause any harm to your computer...

            Download The Avenger by Swandog46, and save it to your Desktop.
            • Extract avenger.exe from the Zip file and save it to your desktop
            • Run avenger.exe by double-clicking on it.
            • Check the 'Input script manually' box.
            • Click on the magnifying glass icon.
            • Copy everything in the Quote box below, and paste it in the box that opens:
            Quote
            Files to delete:
            C:\Documents and Settings\User\Local Settings\Temp\catchme.sys

            Registry keys to delete:
            HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_CATCHME\0000\LogConf
            HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_CATCHME\0000\Control
            HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_CATCHME\0000
            HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_CATCHME
            HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\catchme\Enum
            HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\catchme
            HKEY_LOCAL_MACHINE\SYSTEM\ControlSet023\Enum\Root\LEGACY_CATCHME\0000\LogConf
            HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_CATCHME\0000
            HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_CATCHME
            HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\catchme
            HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_CATCHME\0000\LogConf
            HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_CATCHME\0000
            HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_CATCHME
            HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\catchme
            HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CATCHME\0000\LogConf
            HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CATCHME\0000\Control
            HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CATCHME\0000
            HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CATCHME
            HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\catchme\Enum
            HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\catchme
            • Now click the 'Done' button.
            • Click on the traffic light icon and OK the prompt.
            • You will be prompted to restart, OK the prompt and your PC should reboot, if not, reboot it yourself.
            • A log file from Avenger will be produced at C:\avenger.txt.  Please post that here and let me know if anything has changed.
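
An added example, not part of the original thread or any poster's instructions: a read-only PowerShell check that lists where a driver service such as the catchme entries above is registered in each control set, and hashes the file its ImagePath points to. It assumes PowerShell 4.0 or later and an elevated prompt; `Resolve-DriverPath` is a hypothetical helper name.

```powershell
# Added example: read-only triage of the driver service the thread searches for.
# Assumptions: Windows PowerShell 4.0 or later (Get-FileHash), elevated prompt.
$ServiceName = 'catchme'   # service/driver name taken from the thread

# Hypothetical helper: turn a driver ImagePath value into a normal file path.
function Resolve-DriverPath {
    param([string]$ImagePath)
    if ([string]::IsNullOrWhiteSpace($ImagePath)) { return $null }
    $p = [Environment]::ExpandEnvironmentVariables($ImagePath.Trim('"'))
    $p = $p -replace '^\\\?\?\\', ''                  # NT prefix: \??\C:\...
    if ($p -match '^\\SystemRoot\\(.*)$') {           # \SystemRoot\System32\...
        $p = Join-Path $env:SystemRoot $Matches[1]
    }
    if (-not [IO.Path]::IsPathRooted($p)) {           # e.g. system32\drivers\x.sys
        $p = Join-Path $env:SystemRoot $p
    }
    return $p
}

# Numbered control sets plus CurrentControlSet, which links to one of them.
$controlSets = Get-ChildItem -Path 'HKLM:\SYSTEM' |
    Where-Object { $_.PSChildName -match '^(ControlSet\d{3}|CurrentControlSet)$' }

$report = foreach ($set in $controlSets) {
    $svcKey  = Join-Path $set.PSPath "Services\$ServiceName"
    $enumKey = Join-Path $set.PSPath "Enum\Root\LEGACY_$ServiceName"
    $hasSvc  = Test-Path -LiteralPath $svcKey
    $hasEnum = Test-Path -LiteralPath $enumKey
    if (-not ($hasSvc -or $hasEnum)) { continue }     # nothing registered here

    $svc  = if ($hasSvc) { Get-ItemProperty -LiteralPath $svcKey } else { $null }
    $file = if ($svc) { Resolve-DriverPath $svc.ImagePath } else { $null }
    $hash = $null
    if ($file -and (Test-Path -LiteralPath $file -PathType Leaf)) {
        $hash = (Get-FileHash -LiteralPath $file -Algorithm SHA256 `
                    -ErrorAction SilentlyContinue).Hash
    }

    [pscustomobject]@{
        ControlSet = $set.PSChildName
        ServiceKey = $hasSvc
        LegacyEnum = $hasEnum
        Start      = if ($svc) { $svc.Start } else { $null }   # 0-4: boot..disabled
        ImagePath  = if ($svc) { $svc.ImagePath } else { $null }
        File       = $file
        SHA256     = $hash          # $null: file missing or unreadable
    }
}

# Nothing is modified; the output is a record to keep before any deletion.
$report | Format-List
```

The SHA256 value can be searched on VirusTotal from a different, connected computer, so the suspect file never has to leave the offline machine. A missing file or key is not proof of a clean system, since a rootkit can hide both from user-mode tools.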

            willderphil


              Re: trying to make sure my computer is clean
              « Reply #27 on: September 22, 2009, 12:59:53 AM »
              Um, I'm guessing this is a newer or older version of Avenger than you are familiar with because the instructions were no good, but I ran the quote in the box and it did execute. I unchecked search for rootkit too, so if you want me to do it with the scan for rootkit just let me know. After startup of deleting those files it doesn't look like anything's changed. Let me check more in depth real quick. Yeah, everything is still broken. Here is the new log too.
              Oh and something you might find a tiny bit funny. When you told me to go to that website to upload that file, I was so tired that I went to the website, copied and pasted the file path and was about to hit send file before I said to myself: No. Wait. This isn't going to work, wrong computer.

              [attachment deleted by admin]

              CBMatt

              Re: trying to make sure my computer is clean
              « Reply #28 on: September 22, 2009, 04:40:59 PM »
              Heh, don't worry, I know how you feel.  Knowing me, I probably would've done the same thing.  Thank you for letting me know about The Avenger.  I haven't had to use the program in quite some time, so I did not notice the changes to the interface.  It's good to see that they have simplified it somewhat, and I'm glad you managed to get it figured out.

              The file and registry entries were not found on your computer...so much for that.  I've got to admit that I'm somewhat stumped at the moment.  I have a fairly high success rate when it comes to detecting and removing infections, so this is either a very deep and hidden infection or the infection is gone but the damage remains or your current problems aren't related to an infection.

              Reformatting may be the best bet if you can't get this figured out.  I'm at the point where I can't really help you much anymore because I've had you run some pretty thorough scans and the best thing that came up was just a hunch.  Everything is coming up clean now, but there's obviously something wrong and it does sound a lot like an infection.  Although I wouldn't expect much to come of it, you can try running ComboFix again.  And you can try the rootkit scan with The Avenger.  You could also try System Restore.  If it is still operating properly, try to go back to a time before all of these problems started.  If it worked, the computer would hopefully return to its normal working state.  The infections would be present again, so we'd have to remove them before they could do any serious damage.

              It's a longshot and a desperate move, but it's worth a shot, I suppose.  If you don't know how to use System Restore, take a look here:
              http://www.computerhope.com/issues/ch000589.htm

              You could also try running a repair install of Windows, but you will need an original Windows CD to do that.