Multitude of issues [SOLVED]

[etnavy]

Greetings all! I'm having some very odd issues with IObit360. Before I post logs and such, I thought I'd speak on the software itself...see if I'm doing something incorrectly.

 

I've run 9 separate scans now with 360. In each scan, I've had anywhere from 4 to 10 items pop up. In the first 8 scans, I simply allowed the program to repair these items. But it seems like they just keep coming back. I am fairly certain I'm infected, as the XP Defender icon in my system tray continues to come back. One particular file seems to give 360 fits, located apparently in an "lsass.exe" file. When it did delete it, it caused my PC to reboot automatically. I'm really unsure what in the world is going on now.

 

My anti-virus WAS Avast...I say WAS because after the last scan/reboot, Avast will no longer run. I can't get it to come up no matter what. Getting frustrated with it, I admit. Appreciate any help/time I can get, thanks all.

[evilfantasy]

Welcome to the IObit forums.

 

Please do not delete anything unless you are totally sure what it is. You can do serious damage to your computer.

 

Please do this.

 

Download and install SUPERAntiSpyware Free

 

* Start SUPERAntiSpyware and click Check for updates If you encounter any problems while downloading the updates, manually download and unzip them from here

 

* Once the update is finished, on the main screen, click Scan your computer

* Check Perform Complete Scan

* Click Next to start the scan.

 

* When finished SUPERAntiSpyware will list all the infections found.

* Make sure everything found has a check next to it and press Next

* Then click Finish

 

- It is possible that the SUPERAntiSpyware asks to reboot the PC in order to delete some files, please do so.

 

Locate the SUPERAntiSpyware log as follows:

 

* Click: Preferences

* Click the Statistics/Logs tab

* Under Scanner Logs, double-click SUPERAntiSpyware Scan Log

* The log will open in your default text editor (such as Notepad)

* Post the SUPERAntiSpyware log in your reply.

 

----------

 

Open IObit Security 360

Click the Tools button.

Click the Hijack Scan button.

Click Scan Save A Log

Close the Warning window.

Copy and paste the entire Report into the next reply.

 

----------

 

Next post please add:

• SUPERAntiSpyware log
  
• IObit Security 360 Hijack Scan log

[etnavy]

Response (as requested)

 

EF,

 

Appreciate the info. Ran the SUPERAS, and found 29 items. It did request a reboot, which I did. Windows then failed. Eventually had to push to Last Known Good, just to get it to come back up. I'm working on getting everything remapped and software repair. One item, I'm unable to pull up the log from SAS, though it does show up in the Statistics/Logs menu. I looked in the program folder, and I don't see it there either. Did a quick search for *.log within the C: drive, no joy. Here's the IObit one before I did all this:

 

IObit Security 360

 

OS:Windows XP

Version:1.4.1.11

Define Version:1413

Time Elapsed:00:19:33

Objects Scanned:63173

Threats Found:11

 

|Name|Type|Description|ID|

Tracking Cookies - Removed, Cookies, Cookie:system@microsoftwindows.112.2o7.net/, 7-10

Tracking Cookies - Removed, Cookies, Cookie:system@ad.yieldmanager.com/, 7-1540

Tracking Cookies - Removed, Cookies, Cookie:system@a1.interclick.com/, 7-1908

Tracking Cookies - Removed, Cookies, Cookie:system@serving-sys.com/, 7-1516

Tracking Cookies - Removed, Cookies, Cookie:system@interclick.com/, 7-1908

Tracking Cookies - Removed, Cookies, Cookie:system@bs.serving-sys.com/, 7-1516

Tracking Cookies - Removed, Cookies, Cookie:system@turn.com/, 7-2170

Tracking Cookies - Removed, Cookies, Cookie:system@content.yieldmanager.com/, 7-1540

Trojan.Win32/Agent, Registry Value, HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Value=LSA Shellu, 4-25915

Trojan.Bagle, File, C:\WINDOWS\system32\WgaLogon.dll, 12-1299

Trojan.Bagle, File, C:\WINDOWS\system32\dllcache\WgaLogon.dll, 12-1299

 

 

On the plus side...the problems I was having appear to have disappeared. So, just a matter of going back and reinstalling those items that no longer seem to work. Appreciate all the help Evil, let me know if there's another way to get you the info you wanted.

[evilfantasy]

A blue screen during removal usually indicates a rootkit so we need to have a closer look at that.

 

Please post a Hijack Scan from IObit.

 

Open IObit Security 360

Click the Tools button.

Click the Hijack Scan button.

Click Scan Save A Log

Close the Warning window.

Copy and paste the entire Report into the next reply.

 

----------

 

Also run this rootkit scan and post the log it creates.

 

RootRepeal - Rootkit Detector

 

* Download the following tool: RootRepeal - Rootkit Detector

* Direct download link is here: RootRepeal.zip

 

* Close all programs and temporarily disable your anti-virus, Firewall and any anti-malware real-time protection before performing a scan.

* Click this link to see a list of such programs and how to disable them.

 

* Extract the program file to a new folder such as C:\RootRepeal

* Run the program RootRepeal.exe and go to the REPORT tab and click on the Scan button.

* Select ALL of the checkboxes and then click OK and it will start scanning your system.

* If you have multiple drives you only need to check the C: drive or the one Windows is installed on.

* When done, click on Save Report

* Save it to the same location where you ran it from, such as C:RootRepeal

* Save it as rootrepeal.txt

* Then open that log and select all and copy/paste it back on your next reply please.

* Close RootRepeal.

 

Note: If RootRepeal cannot complete a scan and results in a crash report, try repeating the scan in Safe Mode

 

 

Also. What programs are not working now after running the SAS scan?

 

.

[etnavy]

Ugh...

 

Ok...jumped the gun I guess. Suddenly the XP Defender is back and messing everything up again. All of my .exe will not work. I loaded the rootkit item you posted, and it will not run. Every .exe pops .....

 

Ok...so now everything works again, but all the previous issues are back. I honestly don't know what happened...it literally changed as I typed my response above. I can now post that .log:

 

SUPERAntiSpyware Scan Log

http://www.superantispyware.com

 

Generated 04/18/2010 at 07:03 PM

 

Application Version : 4.35.1002

 

Core Rules Database Version : 4820

Trace Rules Database Version: 2632

 

Scan type : Complete Scan

Total Scan Time : 00:32:00

 

Memory items scanned : 569

Memory threats detected : 1

Registry items scanned : 7316

Registry threats detected : 10

File items scanned : 23626

File threats detected : 20

 

Trojan.Agent/Gen-RogueAV

C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\LOCAL SETTINGS\APPLICATION DATA\MICROSOFT\WINDOWS DEFENDER\AVE.EXE

C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\LOCAL SETTINGS\APPLICATION DATA\MICROSOFT\WINDOWS DEFENDER\AVE.EXE

C:\WINDOWS\Prefetch\AVE.EXE-0F148CD7.pf

 

Adware.HBHelper

HKLM\Software\Classes\CLSID\{CA3EB689-8F09-4026-AA10-B9534C691CE0}

HKCR\CLSID\{CA3EB689-8F09-4026-AA10-B9534C691CE0}

HKCR\CLSID\{CA3EB689-8F09-4026-AA10-B9534C691CE0}\ProgID

HKCR\CLSID\{CA3EB689-8F09-4026-AA10-B9534C691CE0}\TypeLib

HKCR\CLSID\{CA3EB689-8F09-4026-AA10-B9534C691CE0}\VersionIndependentProgID

 

Adware.Tracking Cookie

C:\Documents and Settings\Administrator\Cookies\system@media6degrees[2].txt

C:\Documents and Settings\Administrator\Cookies\administrator@2o7[2].txt

C:\Documents and Settings\Administrator\Cookies\administrator@ad.yieldmanager[1].txt

C:\Documents and Settings\Administrator\Cookies\administrator@content.yieldmanager[2].txt

C:\Documents and Settings\NetworkService\Cookies\system@advertise[1].txt

C:\Documents and Settings\NetworkService\Cookies\system@adbrite[1].txt

C:\Documents and Settings\NetworkService\Cookies\system@invitemedia[2].txt

C:\Documents and Settings\NetworkService\Cookies\system@media6degrees[1].txt

C:\Documents and Settings\NetworkService\Cookies\system@bs.serving-sys[1].txt

C:\Documents and Settings\NetworkService\Cookies\system@ad.yieldmanager[2].txt

C:\Documents and Settings\NetworkService\Cookies\system@content.yieldmanager[1].txt

C:\Documents and Settings\NetworkService\Cookies\system@www.googleadservices[2].txt

C:\Documents and Settings\NetworkService\Cookies\system@discountautoinsuranceonline[1].txt

C:\Documents and Settings\NetworkService\Cookies\system@serving-sys[1].txt

 

Browser Hijacker.Deskbar

HKCR\Interface\{4897BBA6-48D9-468C-8EFA-846275D7701B}

HKCR\Interface\{4897BBA6-48D9-468C-8EFA-846275D7701B}\ProxyStubClsid

HKCR\Interface\{4897BBA6-48D9-468C-8EFA-846275D7701B}\ProxyStubClsid32

HKCR\Interface\{4897BBA6-48D9-468C-8EFA-846275D7701B}\TypeLib

HKCR\Interface\{4897BBA6-48D9-468C-8EFA-846275D7701B}\TypeLib#Version

 

Trojan.Agent/Gen-Cryptik

C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\LOCAL SETTINGS\APPLICATION DATA\VMA.EXE

C:\DOCUMENTS AND SETTINGS\NETWORKSERVICE\LOCAL SETTINGS\APPLICATION DATA\VMA.EXE

C:\WINDOWS\Prefetch\VMA.EXE-2DD337C2.pf

 

Trojan.Agent/Gen-FakeAlert

C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\MRLIUB.EXE

 

 

 

I'll post the rootrepeal in the next.

[evilfantasy]

If you can not get RootRepeal to run don't worry. The SAS log is the information I needed so give me a few minutes to work up a new reply.

[etnavy]

Update

 

Apologize for the down time here....my PC finally crashed hard. I attempted to go Safe Mode a bit earlier as you recommended, and it won't come up at all now. *sigh* I'm hoping I can get it to boot up again in a moment...at which time I'll continue with your troubleshooting methods! Thanks EF, much obliged. brb....I hope. :)

[evilfantasy]

Try restarting it normally or use 'Last Know Good' again.

[etnavy]

MBAM Log

 

Malwarebytes' Anti-Malware 1.45

http://www.malwarebytes.org

 

Database version: 4005

 

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

 

4/18/2010 8:49:59 PM

mbam-log-2010-04-18 (20-49-59).txt

 

Scan type: Quick scan

Objects scanned: 103942

Time elapsed: 4 minute(s), 44 second(s)

 

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 6

Folders Infected: 0

Files Infected: 0

 

Memory Processes Infected:

(No malicious items detected)

 

Memory Modules Infected:

(No malicious items detected)

 

Registry Keys Infected:

(No malicious items detected)

 

Registry Values Infected:

(No malicious items detected)

 

Registry Data Items Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\NetworkService\Local Settings\Application Data\vma.exe" /START "C:\Program Files\Mozilla Firefox\firefox.exe") Good: (firefox.exe) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\NetworkService\Local Settings\Application Data\vma.exe" /START "C:\Program Files\Internet Explorer\iexplore.exe") Good: (iexplore.exe) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\NetworkService\Local Settings\Application Data\vma.exe" /START "C:\Program Files\Mozilla Firefox\firefox.exe" -safe-mode) Good: (firefox.exe -safe-mode) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

 

Folders Infected:

(No malicious items detected)

 

Files Infected:

(No malicious items detected)

[evilfantasy]

Okay we are making progress now. Let me know how the computer is running after this next scan.

 

If you already have ComboFix be sure to delete it and download a new copy.

 

Download ComboFix© by sUBs from one of the below links. Be sure to save it to the Desktop.

 

Link #1

Link #2

 

**Note: It is important that it is saved directly to your Desktop

 

Close any open Web browsers. (Firefox, Internet Explorer, etc) before starting ComboFix.

 

Temporarily disable your antivirus and any antispyware real time protection before performing a scan. Click this link to see a list of security programs that should be disabled and how to disable them.

 

Double click combofix.exe & follow the prompts.

Vista users Right-Click on ComboFix.exe and select Run as administrator (you will receive a UAC prompt, please allow it)

When finished ComboFix will produce a log for you.

Post the ComboFix log in your next reply.

 

Important: Do not mouseclick ComboFix's window while it is running. That may cause it to stall.

 

Remember to re-enable your antivirus and antispyware protection when ComboFix is complete.

 

If you have problems with ComboFix usage, see How to use ComboFix

[etnavy]

Waiting....

 

EF:

 

Ok...everything booted back up and running now. Just waiting to see if any of this stuff rears its ugly head again. The only thing I've seen so far is that when I opened this up to reply, another tab opened on its own to some advert. So I'm assuming something is still attached somewhere....

 

Most of my programs came back on this latest reboot, though my Avast anti-virus is down for the count. Debating using something different than Avast though...

[evilfantasy]

See my above reply. We are making progress but there is more to do still.

[etnavy]

I'm with you

 

See my above reply. We are making progress but there is more to do still.

 

 

Yeppers, running now....:)

[etnavy]

Update

 

Yeppers, running now....:)

 

UPDATE: I've been running the Autoscan....it found a rootkit and rebooted about 15 minutes ago, came back up and has continued with the scan. Hasn't rebooted or found anything else so far....

[evilfantasy]

Give it some time. ComboFix sometimes needs to do extra work with rootkit removal that will it will slow it down and seem like it gets stuck but it should continue the scan process eventually.

[etnavy]

Give it some time. ComboFix sometimes needs to do extra work with rootkit removal that will it will slow it down and seem like it gets stuck but it should continue the scan process eventually.

 

No worries :) The only concern I might have is if I just let it run...I'll be hitting the sack in a little bit. I'm on EST and get the joy of waking by 5. If I just let it go, will it be ok? Or should I sit here and settle in for the long haul?

 

Once again, I really appreciate your time on this EF. I found what little knowledge/experience I had on PC's to be sorely lacking, and fairly quickly at that lol

[evilfantasy]

Give it about 10 more minutes and then manually restart the computer. See if it produces a log on restart.

 

We can finish this up tomorrow or whenever you get back to it. I'll be around...8-)

[etnavy]

Give it about 10 more minutes and then manually restart the computer. See if it produces a log on restart.

 

We can finish this up tomorrow or whenever you get back to it. I'll be around...8-)

 

Sounds good boss. If I get the log, I'll post it here before I crash...uh..me that is...not the PC (I hope!) :roll: Thanks once again man.

[evilfantasy]

No problem.

 

If the log does not come up look in C:\combofix.txt for it.

[etnavy]

No problem.

 

If the log does not come up look in C:\combofix.txt for it.

 

No joy on that log. Should I look to run the program again tomorrow?

[evilfantasy]

We will come back to it. Try RootRepeal again first.

[etnavy]

We will come back to it. Try RootRepeal again first.

 

Hi EF, apologies, but I didn't get the chance to run the rootrepeal tonight. Got home late from work and got busy with the family. :) I'll try running it again tomorrow.

[evilfantasy]

No problem. ;-)

[etnavy]

Ok...ran it again this evening. No errors popped up, and then the system rebooted. I still don't see any sort of report in my C: drive....

[evilfantasy]

Download random's system information tool (RSIT) by random/random and save it to your desktop.

 

* Double click on RSIT to run it.

* Click Continue at the disclaimer screen.

* Once it has finished, two logs will open.

* log.txt <will be maximized and info.txt <will be minimized

* Please post the contents of both logs in the next reply.

 

You may need to use multiple posts to fit all of the log sin. Or upload them to http://www.wikisend.com/ and post the links to them back here.