
Infected PC needs some fixin!

Discussion in 'Malware and Virus Removal Archive' started by odellius, 2006/11/04.

  1. 2006/11/07
    odellius

    odellius Inactive Thread Starter

    Joined:
    2006/11/04
    Messages:
    19
    Likes Received:
    0
    Shortcomings...

    I am not at that computer right now, but will run that RKR software a little later when I get there.

    As for figuring out what programs it allows to use the internet and what not, I do not have any clue how to figure that out, let alone stop them from connecting.

    "It's imperative we get that GMER log."

    How can we do that? It is mega long, as in I would need to split it like ten times to get it on this thread. Also Symantec stops it from doing certain things, which are probably the keys to this specific problem. This bug is so strong, it repairs itself when we delete it or disrupt it, and then strikes harder. I wish you could see the barrage of email spam proxy things I was slammed with last night. I downloaded a screen capture program to show you the devastating grip this malware suddenly has on my machine, but it was so overloaded I could not even open that program to show you.
     
  2. 2006/11/08
    odellius

    odellius Inactive Thread Starter

    Joined:
    2006/11/04
    Messages:
    19
    Likes Received:
    0
    Finally here...

    Sorry it took me so long to complete this simple step but I was not home.

    Here is the log from this new RK tool:

    Actually I ran it, and it said "no discrepancies found" and I could not locate a log file. Even when I went to the Save option and saved that text file, nothing was there.

    I went ahead and ran another of the first one you wanted and emailed it to you.

    When I first ran the GMER scan this popped up:
    SYMANTEC TAMPER PROTECTION ALERT

    Target: C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    Event Info: Open Process
    Action Taken: Blocked
    Actor Process: C:\Documents and Settings\geneodel\My Documents\gmer112[1]\gmer.exe (PID 3840)
    Time: Wednesday, November 08, 2006 9:02:30 PM

    Seriously, how do I stop Symantec from doing this type of thing? Should I uninstall Norton and all the other anti-spyware **** I have?
     


  4. 2006/11/08
    TeMerc

    TeMerc Inactive Alumni

    Joined:
    2006/05/13
    Messages:
    3,226
    Likes Received:
    4
    OK, let's check for an underlying infection. (Not done with the GMER log yet, just researching still.)

    Download and run F-Secure Blacklight.
    Double-click on bibeta.exe to run it.
    Click the *I accept* button near the bottom of that page.
    Download and run Blacklight: click Scan, then Next, Next again, then Exit.
    There will be a new text file near Blacklight. Post it please. The text file is named:
    fsbl.xxxxxxx.log (the xxxxxxx stand for numbers)
    !!Do not rename any files yet
     
  5. 2006/11/09
    TeMerc

    TeMerc Inactive Alumni

    Joined:
    2006/05/13
    Messages:
    3,226
    Likes Received:
    4
    OK, after looking through the logs I have found a rogue service which we need to kill/delete.

    Open GMER
    • Select the Services tab
    • Find the service called Windows Socket 2.0 Non-IFS Service Provider Support Environment
    • Right-click it and select Delete
    • Close GMER and Reboot

    Once rebooted, search for and delete the following file:
    C:\WINNT\System32\drivers\ws2ifsl.sys<<<--this one

    If you get any errors use Killbox on it.

    Also look for these files:
    SNOOTERN.DLL
    UIDMNGR.INI

    Delete them as well.

    Let's run the HaxFix tool again. This service may have been preventing the tool from removing the infection.

    Also, we need to disable your SuperAntiSpyware and any other anti-spyware or AV. If you need to uninstall them, fine, so be it. You can reinstall once we get the infection cleared out.
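
    The post above deletes a service and its driver file on the strength of a log review. As an added example (not from the thread and not GMER's own tooling), here is the check a responder would run on a current Windows host before deleting a flagged driver: it resolves the service's image path, confirms the file sits under System32\drivers, and records its Authenticode status, signer, company name and SHA-256, so the delete decision rests on evidence rather than on the name alone. The function name and report layout are this example's own; the display name is the one the post names.

```powershell
# Added example (not from the thread or from GMER): gather the facts needed to tell a
# Windows component from a trojan file before deleting a service/driver that a
# rootkit-scanner log flags. Function name and report layout are this example's own.
function Get-FlaggedDriverReport {
    param(
        # Display name as shown in the scanner's Services tab or services.msc
        [Parameter(Mandatory)][string]$DisplayName
    )

    $driver = Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.DisplayName -eq $DisplayName }
    if (-not $driver) {
        return [pscustomobject]@{ DisplayName = $DisplayName; Found = $false }
    }

    # Image paths come in several shapes: "\??\C:\...", "C:\...", or
    # "system32\drivers\x.sys" relative to the Windows directory. Normalise to a full path.
    $path = $driver.PathName -replace '^\\\?\?\\', ''
    if (-not [System.IO.Path]::IsPathRooted($path)) {
        $path = Join-Path $env:SystemRoot $path
    }

    $driversDir   = Join-Path $env:SystemRoot 'System32\drivers'
    $inDriversDir = $path.StartsWith($driversDir, [System.StringComparison]::OrdinalIgnoreCase)

    $exists = Test-Path -LiteralPath $path
    $sig = $null; $company = $null; $hash = $null
    if ($exists) {
        # Windows' own drivers are usually catalog-signed; on current PowerShell that still
        # reports Valid with IsOSBinary set. NotSigned on a file that claims to be a Windows
        # component is the finding that justifies acting on it.
        $sig     = Get-AuthenticodeSignature -LiteralPath $path
        $company = (Get-Item -LiteralPath $path).VersionInfo.CompanyName
        $hash    = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
    }

    [pscustomobject]@{
        DisplayName     = $DisplayName
        Found           = $true
        ServiceName     = $driver.Name
        State           = $driver.State
        StartMode       = $driver.StartMode
        ImagePath       = $path
        FileExists      = $exists
        InDriversDir    = $inDriversDir
        SignatureStatus = if ($sig) { $sig.Status.ToString() } else { 'n/a' }
        Signer          = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { 'n/a' }
        IsOSBinary      = if ($sig) { $sig.IsOSBinary } else { $false }
        CompanyName     = $company
        Sha256          = $hash
    }
}

# The service named in the post above. Review the report (and, for a signed file under
# System32\drivers, a second source such as a vendor file database) before deleting anything;
# the machine in this thread lost its network connection right after the deletion.
Get-FlaggedDriverReport -DisplayName 'Windows Socket 2.0 Non-IFS Service Provider Support Environment' | Format-List
```

    The report is deliberately read-only: it changes nothing, so it can be run on a suspect box and pasted into a thread like this one alongside the scanner log, letting the helper weigh the signature and path before asking for a delete.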
     
  6. 2006/11/11
    odellius

    odellius Inactive Thread Starter

    Joined:
    2006/11/04
    Messages:
    19
    Likes Received:
    0
    Sounds promising...

    A lot of these filenames seem like things I would ordinarily be scared to erase or tamper with in any way. Cleverness on the part of those who concocted these nasties, eh? I will go ahead and uninstall those useless anti-spyware programs I have, as I have grown to resent them for their lack of effectiveness nearly as much as the bastard-wares themselves.

    I have momentarily skipped the F-Secure Blacklight step to complete the new procedures outlined in your most recent post.

    After I am able to finish those, I will run the Blacklight too and post results in case that may be of some use in ridding this system of additional bugs, yet undiscovered.

    Real quick... once we are able to get this thing cleansed, what are my best methods of avoiding this in the future, as it seems like they come quickly, and out of nowhere?
     
  7. 2006/11/11
    odellius

    odellius Inactive Thread Starter

    Joined:
    2006/11/04
    Messages:
    19
    Likes Received:
    0
    current state of affairs

    OK, I uninstalled AVG, and Super bla bla did not have an uninstall feature, so I used Add/Remove Programs to get rid of it.

    When I opened GMER up, Symantec still chose to block several of its intentions. I do not necessarily feel as eager to uninstall that because I want some level of protection, and also I do not think I still have the disk.

    So I opened the Services tab and deleted that item as you instructed, but something popped up and said I needed to restore it or get the Windows disk out because it was a program necessary for Windows to function properly or some ****, so I clicked no, or another prompt came up... I cannot recollect exactly how it went, actually, but when I thought it had undeleted that file, I checked the tab and could not find it again... What happened?

    I am going to delete those other things and reboot.
     
  8. 2006/11/11
    odellius

    odellius Inactive Thread Starter

    Joined:
    2006/11/04
    Messages:
    19
    Likes Received:
    0
    Another problem

    I was unable to find those other two files snootern or the UIDMNGR. I tried finding files and folders and came up with nothing.

    I will do the Blacklight and Hax in a minute.

    To jazz up this thread a little, I will briefly mention how great the Ohio State Buckeyes are. They are already crushing Northwestern and it is still the first quarter...
     
  9. 2006/11/12
    TeMerc

    TeMerc Inactive Alumni

    Joined:
    2006/05/13
    Messages:
    3,226
    Likes Received:
    4
    First off, I need you to stick to this thread for all communications. No emails. It took me a little bit just to figure out who you were.

    The file I had you delete had nothing to do with any Net connection. No idea why you lost connection.

    This is why HJT analysts spend an enormous amount of time researching files, names and file paths, to be sure we delete the bad files and not legit ones.

    All you need to do is to disable it, be sure no processes are running. I have not run into any avs flagging GMER.

    I need more specifics here, random definitions of errors are useless.

    Will look forward to the other two logs.
     
  10. 2006/11/12
    odellius

    odellius Inactive Thread Starter

    Joined:
    2006/11/04
    Messages:
    19
    Likes Received:
    0
    Wow... Are you serious now?

    First, I cannot post those logs now, as I cannot connect to the internet from that computer anymore. There is not even a 3.5 drive on there, so short of somehow putting those files on my iPod and transferring them to a different computer and then posting them, I cannot post them. I am not overly concerned with the spyware anymore, as a new problem has arisen which seems much more critical. I cannot connect to the internet. Whether it makes sense or not, it came as a direct result of erasing that one particular file you had me right-click on in GMER and delete. I am not blaming you, as you were only trying to help and intentions are key. However, we need to fix this. I feel your last message, at almost every turn, was completely different in tone than any previous one you have sent my way.
    It seemed to be more of an effort to thwart my previous message, rather than address anything I had said. I am not a message board guru by any means, and do not even understand how to properly use the quote feature, so I am unable to provide you with the benefit of that organization factor. Please do not allow that to stop you from understanding fully what I ask of you now. I cannot disable all the Symantec processes for some reason, as there are always some running no matter what I seem to do. When I try to end them with GMER, a blue screen pops up, the physical memory says it is dumping, and my system reboots. Either that, or when you close a different Symantec process the internet stops connecting, as it is somehow unable to detect proxy settings. Regardless of that, understand please that I cannot provide you with a more specific explanation of what happened as far as prompts and errors when I erased that one file, because as I have told you I cannot remember exactly what happened. I do not want to try to piece together a story of what I think happened, as it would not be accurate and thus less of a help than a detriment. There were prompts asking yes and no and do you want to erase, then do you want to restore, do you want to put the Windows disk in. I tried to maneuver through those in the least damaging way possible, but going off of what you had led me to believe and still seem to stand behind, is that this file was not a vital part of my system needing to be kept, like these prompts Windows sent were telling me. I figured it may have just been another clever disguise worked into the bug by the designers. If I remembered what happened I would tell you, but will you just help me fix that file and regain internet access before we worry about logs I do not have the means of posting anyway. I do not even have iTunes on that computer to take things on and off of the iPod, plus when I ran that last logging tool, as again I told you, it showed zero errors. The log produced nothing of value. That is the Blacklight one I am talking about. Perhaps the other ones might yield some better results, but as I said, let's cross that bridge when we get back to it. We need to climb back up this cliff we just fell down before we worry about the rickety bridge.

    I am able to attribute much of the personality shift I believe I had just witnessed to frustration from a seemingly unresolvable situation that has done nothing but compound itself, but please understand I share that same frustration. You have the option of suddenly ignoring me and no longer concerning yourself with my plight, but I do not have that luxury. I would hope and still believe you would not do something like that, of course, but that is the exact type of thing your last message leads me to believe is possible, if we cannot fix this soon. I only ask you to trust in your ability to help me, and hold your desire to help. We will make it through this one step at a time. My computer will be healthy again; it will be thanks to your efforts.
    Please let us fix this internet. Why could I not locate those two files you asked me to delete? (That might tell us something: why would the logs you looked at tell you they are here and need to be taken out, when a search does not even locate them?) What exactly is that file I deleted? If it does not affect the internet, what does it affect, and why would Windows work to protect it?

    You told me earlier that the key to ridding oneself of an infection of this type is disabling and removing the re-infecting file. I know that is what you are working to do with these logging tools, and it seems some are prevented from doing what they need to by Symantec. When I tell you that, as I have been telling you this whole time (I know you want me to disable it, but I told you it won't seem to ever let me), you say this:
    "All you need to do is to disable it, be sure no processes are running. I have not run into any avs flagging GMER." What do you mean you have not run into any AVs flagging GMER? Are you defending GMER? Because I was certainly not attacking it. I was merely reiterating that I felt GMER was being inhibited by Symantec, not that Symantec was leery of GMER for legitimate reasons.
     
  11. 2006/11/12
    TeMerc

    TeMerc Inactive Alumni

    Joined:
    2006/05/13
    Messages:
    3,226
    Likes Received:
    4
    Without getting into my frustration and exasperation with this thread and the seemingly endless amount of trouble we are having with every turn, use System Restore to get the box back to some other state where we can begin anew.

    The files we have deleted thus far:
    SNOOTERN.DLL:
    http://www.google.com/search?source...&rls=GGLD,GGLD:2006-37,GGLD:en&q=SNOOTERN.DLL

    UIDMNGR.INI:
    http://www.google.com/search?source...e&rls=GGLD,GGLD:2006-37,GGLD:en&q=UIDMNGR.INI

    Pretty much each and every single reference in those are trojan related.

    For the other one, ws2ifsl.sys, there are a couple of mixed findings, but here are the ones I'm looking at, in relation to your infection:
    http://www.bleepingcomputer.com/startups/ws2ifsl.sys-12029.html

    http://www.castlecops.com/o23et-w.html

    http://72.14.253.104/search?q=cache...l.sys&hl=en&gl=us&ct=clnk&cd=20&client=google

    If you like, you can go to the recycle bin and restore that file to see if your connection returns.

    Quite honestly, I am leaning towards you saving what data you can and reformatting. The level of trouble with these tools has just never happened to me, nor have I ever seen them occur with these tools. I watch the fix threads religiously, and make notes on problems. Not to mention, Google can also find the oddball problem. So that leaves me with one of two options:
    • The system is so badly damaged nothing will run.
    • Your level of pc experience just isn't enough to run these tools

    Let me know what you decide to do.
     
  12. 2006/11/15
    odellius

    odellius Inactive Thread Starter

    Joined:
    2006/11/04
    Messages:
    19
    Likes Received:
    0
    Yikes....

    "Without getting into my frustration and exasperation with this thread and the seemingly endless amount of trouble we are having with every turn, use System Restore to get the box back to some other state where we can begin anew." - So I was reading correctly into your shift. I mentioned it, not to agitate you further, but to allow you the simple comfort of knowing that I was aware of your frustration. I wish you could understand that. I appreciate the efforts you have made so far for me in this epic battle against malware.

    "The files we have deleted thus far:
    SNOOTERN.DLL:
    http://www.google.com/search?sourcei...SNOOTERN.DLL

    UIDMNGR.INI:
    http://www.google.com/search?sourcei...=UIDMNGR%2EINI "

    OK man, I will tell you again, I guess. I could not find those files when you asked me to delete them. I am not sure if you have just misunderstood the things I have been saying to you, as I have relayed that information before... or if you are allowing your compiled frustration to cloud your mind and block reception of my communications. Not only had I told you at the time that I was unable to locate or delete those, but at the end of my last message to you, where I was attempting to ask you pertinent questions in an attempt to resolve my problem, I asked you why I was unable to find those files to delete them, if you saw them in the logs. So I am not sure why you are now providing me with an explanation as to why we deleted them, when they were never found or deleted to begin with.

    "If you like, you can go to the recycle bin and restore that file to see if your connection returns." It is not in there broham.

    -- BREAK -- Real quick, what steps are involved in a system restore where we can revert my computer back to the state it was in a month or two ago? How can I do that? What reasons would there be not to go that route, if any?

    "Quite honestly, I am leaning towards you saving what data you can and reformatting. The level of trouble with these tools has just never happened to me, nor have I ever seen them occur with these tools. I watch the fix threads religiously, and make notes on problems. Not to mention, Google can also find the oddball problem. So that leaves me with one of two options: "
    It is likely I will be unable to reformat, as I have told you I cannot locate my Windows CD, sorry. As for the remainder of that statement of yours I just quoted, it seems as if you believe many of the problems here are due to my incompetence, or, since the errors and/or problems resolving them are things you are not accustomed to, that they therefore cannot exist. That is false logic, my friend. I understand you "watch the fix threads religiously"; why do you think I chose to single you out and ask for your assistance on this issue from the get-go? I read many of the threads and saw you seemed to be the most knowledgeable as well as logical and helpful. I came to you because of your expertise, not without awareness that you had it.

    "The system is so badly damaged nothing will run.
    Your level of pc experience just isn't enough to run these tools "
    It is obviously not the second one, because though I am not an expert, I have not yet been asked by you to do anything requiring an expert's touch. I have not failed to meet any tasks assigned by you, or been faced with a state of confusion. The logging applications you have asked me to use seem to be inhibited mostly by Norton, and I have asked you repeatedly throughout this process whether that was important and how to stop it. You have responded by telling me to stop it. That did not help me, as I had already tried numerous times to disable it, but since (as you say:) "my level of pc experience just isn't enough", I have been unable to actually stop that program from impeding the logging tools. I have tried, my friend, and failed. That however has nothing to do with not being able to run the tools. For God's sake, brother, the tools you have supplied me to work with so far run themselves, and when you combine that fact with the step-by-step instructions you ordinarily are gracious enough to provide me with, it is a cakewalk logging things. Again, I will reiterate, since you seem to miss the meat of what I am saying when it is mixed in with an enormous message like I am used to sending: I need to stop Norton from interfering; that seems like part of a simple solution.

    As for the other "option" you laid out, I really, honestly, do not think it has to do with my system being "so badly damaged nothing will run". Like I had told you before, this computer was virtually unused before I started using it for school and other miscellaneous activities a month and a half or so ago. Virtually unused. Infection free. Problem free. Now when that is taken into consideration along with knowing that I don't file share on this computer, download hardly anything, or do anything that would be viewed as a high-risk threat, it would be almost absurd to think the infection level could have gotten that bad that quickly. Please do not sell yourself that short and entertain the notion that my computer's savability is out of reach due to intensity of infection. That is something you would only come up with if on the edge of giving up.

    I asked you to be patient with me before, but I will not ask you again, as my requests seem to fall on deaf ears. I know you are frustrated, as am I. I know this problem has run beyond most you have dealt with, view it as excellent training if you must. The harder something is to achieve the more worthwhile it is in the end. You know this already. The reason I will not ask you again to be patient, is not because I do not want that, for of course I do. The reason is you will have to decide on your own accord to stick it out with me, because my asking you has little effect.

    If you want to help me, and think you are capable, please transcend back to your initial pleasant self, quit assuming the problem is unfixable or due to my incompetence, and let's take care of this darn nuisance. You can do it, as you know. I can do it, though you lost belief. Let's do it. Sheesh.

    Now, back to the problems, if we may. Do you think one of those system restoration dealios could put things back to normal? I know nothing of that process. As I asked earlier, before heaping a crapload of text on you, what may be some of the drawbacks of utilizing that method?

    Let us not speak of things that do not concern this problem anymore; let us get back to business, and remain there until the meeting is adjourned, please.
     
  13. 2006/11/16
    TeMerc

    TeMerc Inactive Alumni

    Joined:
    2006/05/13
    Messages:
    3,226
    Likes Received:
    4
    System Restore may not put things back to normal, but it may get us to a state when things were not as unstable.

    If we can't get these tools to run, I cannot finish diagnostics on your machine, simple as that.

    If need be, uninstall Norton while offline, run ComboFix, paste the results into Notepad, then reinstall Norton, go back online and add the ComboFix logs to the thread.

    Use the instructions found here on the Elder Geek
     
