
Help Required Please


12 replies to this topic

#1 mcgowana1974


Posted 21 August 2010 - 03:38 AM

I had Windows XP SP3 running with Norton Internet Suite 2010. I picked up some sort of infection which then installed Antimalware Doctor and wouldn't let me run Malwarebytes. Norton also came up with a Suspicious.mystic warning and proceeded to delete explorer.exe, which led to all sorts of problems trying to get Windows to load. After a week of frustration I managed to do a repair installation of Windows, which has taken me back to SP2. I have run full scans with Malwarebytes and Norton and they don't find any infected files. However, as soon as I enable my wireless connection Norton pops up with an error about spam email. It looks as though my PC is sending out spam email, although they don't show up in my sent items when I check Outlook.

I must have some sort of infection but can't track it down. Please help.


#2 boopme


Posted 21 August 2010 - 01:54 PM

Hello, let's get 2 more logs please. First, SAS:
Please download and scan with SUPERAntiSpyware Free
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If it will not start, go to Start > All Programs > SUPERAntiSpyware and click on Alternate Start.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download them from here. Double-click on the hyperlink for Download Installer and save SASDEFINITIONS.EXE to your desktop. Then double-click on SASDEFINITIONS.EXE to install the definitions.)
  • In the Main Menu, click the Preferences... button.
  • Click the "General and Startup" tab, and under Start-up Options, make sure "Start SUPERAntiSpyware when Windows starts" box is unchecked.
  • Click the "Scanning Control" tab, and under Scanner Options, make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen and exit the program.
  • Do not run a scan just yet.
Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Scan with SUPERAntiSpyware as follows:
  • Launch the program and back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan and click "Next".
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes" and reboot normally.
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.
If you have a problem downloading, installing or getting SAS to run, try downloading and using the SUPERAntiSpyware Portable Scanner instead. Save the randomly named file (i.e. SAS_1710895.COM) to a usb drive or CD and transfer to the infected computer. Then double-click on it to launch and scan. The file is randomly named to help keep malware from blocking the scanner.


Now an online scan:
ESET
Please perform a scan with the ESET Online Antivirus Scanner.
(Requires Internet Explorer to work. If given the option, choose "Quarantine" instead of delete.)
Vista users need to run Internet Explorer as Administrator. Right-click on the IE icon in the Start Menu or Quick Launch Bar on the Taskbar and select Run as Administrator from the context menu.
  • Click the green ESET Online Scanner button.
  • Read the End User License Agreement and check the box: YES, I accept the Terms of Use.
  • Click on the Start button next to it.
  • You may receive an alert on the address bar that "This site might require the following ActiveX control...Click here to install...". Click on that alert and then click Install ActiveX component.
  • A new window will appear asking "Do you want to install this software?".
  • Answer Yes to download and install the ActiveX controls that allow the scan to run.
  • Click Start.
  • Check Remove found threats and Scan potentially unwanted applications.
  • Click Scan to start. (please be patient as the scan could take some time to complete)
  • If offered the option to get information or buy software. Just close the window.
  • When the scan has finished, a log.txt file will be created and automatically saved in the C:\Program Files\ESET\ESET Online Scanner\log.txt folder.
  • Click Start > Run..., then copy and paste this command into the open box: C:\Program Files\ESET\EsetOnlineScanner\log.txt
  • The scan results will open in Notepad. Copy and paste the contents of log.txt in your next reply.
Note: Some online scanners will detect existing anti-virus software and refuse to cooperate. You may have to disable the real-time protection components of your existing anti-virus and try running the scan again. If you do this, remember to turn them back on after you are finished.
NOTE: In some instances if no malware is found there will be no log produced.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#3 mcgowana1974


Posted 21 August 2010 - 04:49 PM

Superantispyware log below:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 08/21/2010 at 10:44 PM

Application Version : 4.41.1000

Core Rules Database Version : 5389
Trace Rules Database Version: 3201

Scan type : Complete Scan
Total Scan Time : 01:47:20

Memory items scanned : 273
Memory threats detected : 0
Registry items scanned : 11763
Registry threats detected : 0
File items scanned : 191149
File threats detected : 0

Just about to start the ESET scan.

#4 boopme


Posted 21 August 2010 - 05:02 PM

I forgot to ask if you had the exact message.

"Norton pops up with an error about spam email"



#5 mcgowana1974


Posted 21 August 2010 - 05:12 PM

I can't get IE to load. I normally use Firefox, so I'm not sure how long IE hasn't been working. When I tried ESET via Firefox it tried to install but then returned a message that it couldn't update.

#6 mcgowana1974


Posted 21 August 2010 - 05:15 PM

In terms of the Norton error, a pop-up appears which is titled 'Email Error', and the pop-up contains details of From, To and Subject for what appears to be spam email. The From and To email addresses are not my email address. The current pop-up says '451 Message temporarily deferred - [70]'.

#7 boopme


Posted 21 August 2010 - 05:15 PM

Are you getting an error message with IE?
Can we run this?
Please run the F-Secure Online Scanner.
Note: This Scanner is for Internet Explorer Only!
Follow the instructions here for installation.
Accept the License Agreement.
Once the ActiveX installs, click Full System Scan.
Once the download completes, the scan will begin automatically.
The scan will take some time to finish, so please be patient.
When the scan completes, click the Automatic cleaning (recommended) button.
Click the Show Report button and copy and paste the entire report in your next reply.

#8 boopme


Posted 21 August 2010 - 06:58 PM

Hello, please take a look at this if you are using Yahoo mail and getting the message.
http://help.yahoo.com/l/us/yahoo/mail/post...tmaster-04.html

#9 mcgowana1974


Posted 22 August 2010 - 03:22 AM

I managed to get IE working. ESET log below.

ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=0f4f13196543104bbedcd55b94e5deba
# end=finished
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2010-08-22 08:10:57
# local_time=2010-08-22 09:10:57 (+0000, GMT Daylight Time)
# country="United Kingdom"
# lang=1033
# osver=5.1.2600 NT Service Pack 2
# compatibility_mode=crash
# scanned=197233
# found=2
# cleaned=2
# scan_time=6220
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudCgp.zip Win32/Bagle.gen.zip worm (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\WINDOWS\ucevigul.dll a variant of Win32/Cimag.CK trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

I will start the F-Secure scanner and post the log when complete.

WRT Yahoo Mail, yes, I use Yahoo mail. However, the Norton pop-ups occur whenever my PC has an internet connection, i.e. I don't need to have a browser open. The messages Norton is picking up are all outgoing.

#10 mcgowana1974


Posted 22 August 2010 - 07:24 AM

F-Secure report below:

Scanning Report
Sunday, August 22, 2010 11:28:44 - 13:21:23

Computer name: HOME_ALAN
Scanning type: Scan system for malware, spyware and rootkits
Target: C:\
9 malware found
TrackingCookie.Atdmt (spyware)

* System (Disinfected)

Suspicious:W32/Malware!Gemini (spyware)

* System (Disinfected)

Suspicious:W32/Malware!Gemini (virus)

* C:\SDFIX\APPS\FIXPATH.EXE (Not cleaned & Submitted)

Suspicious:W32/Malware!Gemini (virus)

* C:\SDFIX\APPS\ISADMIN.EXE (Not cleaned & Submitted)

Suspicious:W32/Malware!Gemini (virus)

* C:\SDFIX\APPS\WINMSG.EXE (Not cleaned & Submitted)

Suspicious:W32/Malware!Gemini (virus)

* C:\SDFIX\APPS\SWREG.EXE (Not cleaned & Submitted)

Suspicious:W32/Malware!Gemini (virus)

* C:\PROGRAM FILES\VISUAL LIGHTBOX\VISUALLIGHTBOX.EXE (Not cleaned)

Suspicious:W32/Malware!Gemini (virus)

* C:\PROGRAM FILES\@LAST SOFTWARE\SKETCHUP 5\BSSNDRPT.EXE (Not cleaned & Submitted)

Suspicious:W32/Malware!Gemini (virus)

* C:\DOCUMENTS AND SETTINGS\HOME\APPLICATION DATA\FIMO\ORUT.EXE (Not cleaned)

Statistics
Scanned:

* Files: 114408
* System: 14863
* Not scanned: 19

Actions:

* Disinfected: 2
* Renamed: 0
* Deleted: 0
* Not cleaned: 7
* Submitted: 5

Files not scanned:

* C:\PAGEFILE.SYS
* C:\HIBERFIL.SYS
* C:\WINDOWS\SYSTEM32\DRIVERS\KRHZKF.SYS
* C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT
* C:\WINDOWS\SYSTEM32\CONFIG\SAM
* C:\WINDOWS\SYSTEM32\CONFIG\SECURITY
* C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE
* C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM
* C:\WINDOWS\SYSTEM32\CATROOT2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\CATDB
* C:\WINDOWS\SYSTEM32\CATROOT2\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\CATDB
* C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\NORTON\{78CA3BF0-9C3B-40E1-B46D-38C877EF059A}\NOF_1.2.2.2\CMNCLNT\_LCK\_RDRPLUGING
* C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\NORTON\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\CMNCLNT\_LCK\_ISDATAPR_{E8EFD4CD-DE52-4444-9511-EFF3B158724B}0
* C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\NORTON\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\CMNCLNT\_LCK\_AVPAPP_{BB639333-810A-4BF8-85F5-C537857F55FC}0
* C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\NORTON\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\CMNCLNT\_LCK\_ISDATAPR_{FF9AC67A-E394-46AE-B150-B3365343F166}G
* C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\NORTON\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\CMNCLNT\_LCK\_NPC.TRAY.{1AFE47BB-FCF1-4096-9039-1FEBC9A0CCCF}0
* C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\NORTON\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\CMNCLNT\_LCK\_UI.HOST.{1AFE47BB-FCF1-4096-9039-1FEBC9A0CCCF}0
* C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\NORTON\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\CMNCLNT\_LCK\_{4E9CB39A-5F78-4887-A3D6-2790DE9DDE11}0
* C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\NORTON\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\CMNCLNT\_LCK\_{869594F6-6511-4780-AD37-49B479DA2A4F}0
* C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\MICROSOFT\CRYPTO\RSA\MACHINEKEYS\3AD391678A806EC4D691E83AAA393B6F_24ADF822-76F7-4481-B30B-FF1B40F8687F

#11 electroguy


Posted 22 August 2010 - 12:06 PM

Norton will not remove Suspicious.mystic. Neither will Kaspersky.

(Most seem to think Suspicious.mystic is just an annoyance, but when you have it, it's nasty.) I have removed it myself on a few computers. Instructions for removal at www.squiggo.com

Suspicious.mystic is a rootkit that lodges itself in your C:\WINDOWS directory and registry, spams via email and does a host of other fun things.

#12 boopme


Posted 22 August 2010 - 02:18 PM

Hello, you do have some serious infections left here. The safest way to remove these is by posting a rootkit scan and a DDS log and getting assisted removal.

Please go here....
Preparation Guide .

Create a DDS log and post it in the new topic explained in step 9, which is here: Virus, Trojan, Spyware, and Malware Removal Logs, and not in this topic, thanks.
If Gmer won't run, skip it and move on.
Let me know if that went well.

#13 Pandy


Posted 22 August 2010 - 11:18 PM

Hello,

Now that you have posted a log here: http://www.bleepingcomputer.com/forums/topic342022.html you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc.) unless advised by an MRT Team member, nor should you ask for help elsewhere. Doing so can result in system changes which may not show in the log you already posted. Further, any modifications you make on your own may cause confusion for the helper assisting you and could complicate the malware removal process, which would extend the time it takes to clean your computer.

From this point on the MRT Team should be the only members that you take advice from, until they have verified your log as clean.

Please be patient. It may take a while to get a response because the MRT Team members are EXTREMELY busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT make another reply until it has been responded to by a member of the MRT Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work may assume another MRT Team member is already assisting you and not open the thread to respond.

Please be patient. It may take several days to get a response but your log will be reviewed and answered as soon as possible. I advise checking your topic once a day for responses as the e-mail notification system is unreliable.

To avoid confusion, I am closing this topic. Good luck with your log.
