Need help/info removing some last pieces of malware

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by djames216, Oct 18, 2007.

  1. djames216

    djames216 Private E-2

    Hello good folks.

    I have been working on removing malware from someone's heavily infected PC. I believe I have removed 99% of it, but (according to Panda Active Scan) there are still some traces left. Any guidance or help you can give to eradicate the last of it is very much appreciated.

    I have followed your Malware Removal Guide and have attached the appropriate logs.

    Many thanks.
     

    Attached Files:

  2. djames216

    djames216 Private E-2

    Hello again.

    Here are the last 3 logs.

    I had to run Panda Active Scan in Normal Mode because I had problems running it in Safe Mode with Networking. But it does appear to have found the exact same problems in Normal Mode that it did in Safe Mode.

    Thanks again for any assistance you can give.
     

    Attached Files:

  3. djames216

    djames216 Private E-2

    Sorry, just realised I forgot to post a HiJackthis log. I'll have one posted in a few minutes.
     
  4. djames216

    djames216 Private E-2

    OK, here is the hijackthis log. Just to confirm, I renamed the hijackthis executable to analyse.exe as instructed by your good selves.
     

    Attached Files:

  5. abri

    abri MajorGeek

    Hi djames!
    Please stay with this thread. When you switch threads we lose track of information you gave us in a previous thread. The computer is not quite 99% yet.
    Please run the scan in the box below and then post fresh logs for ShowNew (newfiles.txt), GetRunKeys (runkeys.txt) and HijackThis (hijackthis.log). With the Combofix log, you'll have 4 logs altogether.

    Run this utility:
    After you've run Combofix, please follow the instructions and links in the box below!

    abri
     
  6. djames216

    djames216 Private E-2

    Hi.

    Thanks for the quick reply and sorry about the change of thread.

    When I ran Combofix a message came up telling me that "sed.cfexe" has to be closed down etc. But Combofix appeared to continue scanning regardless.

    The same message also came up when Combofix was preparing the log report after reboot. Again, Combofix appeared to carry on regardless.

    Right, here are the first 3 (of 4) logs as requested.
     

    Attached Files:

  7. djames216

    djames216 Private E-2

    Here is the last of the 4 log files. The Hijackthis log.
     

    Attached Files:

  8. abri

    abri MajorGeek

    Hi djames!
    The computer still has quite a lot of infections. The instructions here are extensive. Please just do them one step at a time. Because of the Smitfraud fix under step 6, you'll need to post the first rapport.txt log before you complete the smitfraud fix. The second rapport.txt can be posted with the other logs listed at the very end.
    Steps one and two of the instructions can be skipped if you need to ask about them, but you should come back to them when you have a chance.


    1) To begin with, if you do not use Windows Messenger (not to be confused with MSN Messenger!!) I would like you to run Disable/Remove Windows Messenger

    2) Is this something you want on your computer? If not, please add it to the list of items to be fixed by hijack this.
    O16 - DPF: GraphicalChat Application - http://www.onchat.com/ChatWorld/chat-signed-ie.cab

    3) Now scan with HijackThis and check the boxes for the following entries. I'll give you two sets. One to fix and one to think about fixing if they are things that don't need to be in startup.
    ( Make sure ALL browser windows are closed when you click FIX)
    4) Now download The Avenger by Swandog46, and save it to your Desktop.
    • Extract avenger.exe from the Zip file and save it to your desktop
    • Run avenger.exe by double-clicking on it.
    • Check the 'Input script manually' box.
    • Click on the magnifying glass icon.
    • Copy everything in the Quote box below, and paste it in the box that opens:
    • Now click the 'Done' button.
    • Click on the traffic light icon and OK the prompt.
    • You will be prompted to restart, OK the prompt and your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt
    5) Please download ATF Cleaner by Atribune. This program does not require an installation. The executable actually runs the program.
    NOTE: This program is for Windows XP and Windows 2000 only. ATF Cleaner will remove all files from the items that are checked, so if you have some cookies you'd like to save, please move them to a different directory first.
    • Double-click ATF-Cleaner.exe to run the program.
    • Under Main choose: Select All
    • Click the Empty Selected button.
    If you use Firefox browser
    • Click Firefox at the top and choose: Select All
    • Click the Empty Selected button.
      • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    If you use Opera browser
    • Click Opera at the top and choose: Select All
    • Click the Empty Selected button.
      • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    Click Exit on the Main ATF Cleaner menu to close the program.

    6) I'm going to post two sets of instructions below. Each will be enclosed in separate Quote boxes. Make sure to complete the first one 100% before moving on to the second one.

    ATTACH THE FIRST LOG NOW BEFORE CONTINUING OR YOU WILL OVERWRITE IT!!!! And then immediately continue on to the below steps.

    7) Now reboot into normal mode and attach this second rapport.txt log here, along with the log from Avenger and fresh logs from ShowNew (newfiles.txt), GetRunKeys (runkeys.txt) and HijackThis (hijackthis.log).

    Here's a list of the logs you'll need. Please let me know how things are running now.
    • rapport.txt (the 2nd one)
    • Avenger Log
    • ShowNew Log
    • GetRunKey Log
    • HijackThis Log


    abri
     
  9. djames216

    djames216 Private E-2

    Hello abri.

    Thanks for your help once again. Just to make something clear here. I am attempting to fix someone else's PC and I have been asked to fix it as a favour for someone I don't really know (or can get hold of). So, I have a question for you.

    2. I don't know if he wants "onchat" on his PC. Is it harmful? I'm basically authorised to remove anything that can be harmful etc. So if you recommend I remove, then remove it I shall.

    I will go through this new set of instructions tomorrow and will post logs as appropriate.

    Thanks.
     
  10. abri

    abri MajorGeek

    If you don't know, just leave it in. I don't know it to be harmful.
    abri
     
  11. djames216

    djames216 Private E-2

    Hi abri.

    Here is the first Smitfraud log from step 1 of number 6. Just to confirm, I have not started step 2 yet. But will do so, as soon as I have completed this post.
     

    Attached Files:

  12. djames216

    djames216 Private E-2

    Here are the first two logs of the final five.

    The rapport and Avenger logs.
     

    Attached Files:

  13. djames216

    djames216 Private E-2

    Finally, here are fresh shownew, runkeys and hijackthis logs.

    Thanks.
     

    Attached Files:

  14. abri

    abri MajorGeek

    Hi djames!
    With one exception, it all looks good. There's a remote connection software called LogMeIN which has quite a few files associated with it. It appears to have been installed some time in mid-September. It can be removed, but it may have been put in intentionally, so I would want to know if the user wants someone to have remote access to the computer. If not, I would give you one more set of instructions to remove this before the final cleaning instructions. Please let me know.
    abri
     
  15. djames216

    djames216 Private E-2

    Hi abri.

    I put the logmein software in myself a few days ago. So yes, the user wants the logmein software to remain. I install logmein to support people remotely if need be.
     
  16. abri

    abri MajorGeek

    Hi djames!
    In that case, everything looks good. Please run ATF one last time and then follow our final cleanup instructions in the box. The "How to protect yourself from malware" is a good read and may have some things in it for you.
    abri
     
  17. djames216

    djames216 Private E-2

    Hi abri.

    Thanks for all your help, it's very much appreciated. I have one last problem though; I hope you can help. When I open the System Restore Window it is completely blank! Help!
     
  18. abri

    abri MajorGeek

    Hi djames!
    Do you mean, when you followed the instructions to disable and enable system restore, that when you went to the system restore tab in properties under My Computer, that the tab itself is blank? You don't have a choice of turning on and off system restore because there's nothing on that tab?
    abri
     
  19. djames216

    djames216 Private E-2

    Hi abri.

    Apologies for not being explicit enough. The system restore tab in system properties works fine. I have been able to turn on and off system restore as instructed.

    I am referring to the System Restore Wizard page. The page that pops up when you want to manually make/retrieve a restore point etc. It is completely blank.
     
  20. abri

    abri MajorGeek

    Hi djames!

    re: your disappeared restore points window:

    Try this first. Please look for this file: C:\windows\inf\sr.inf
    Right-click on it and select install.
    Check and see if the restore points window is back.

    If that doesn't work, try this:

    Go to Start / Run
    Type in cmd and hit enter
    Copy and paste in the following lines one at a time and hit enter after each one
    regsvr32 jscript.dll
    regsvr32 vbscript.dll
    regsvr32 /i mshtml.dll


    abri
     
  21. djames216

    djames216 Private E-2

    Hi abri.

    I first tried the "install" method, but no success.

    I then tried the "cmd" method. The first 2 lines ran successfully but after I pressed enter on the third line the following message came up - "mshtml.dll was loaded, but the DllRegisterServer entry point was not found. The file can not be registered."

    After doing all of the above, the page is still blank.
     
  22. abri

    abri MajorGeek

    Hi djames!
    Try this please. Go to Start->Run and type in sfc /scannow and hit OK. Let it scan. If it finds any files missing/corrupted, it may ask for the Windows CD.
    abri
     
  23. djames216

    djames216 Private E-2

    Hello abri.

    The user's PC was bought second-hand and doesn't have the original XP install CD. So unfortunately, this repair scan isn't an option. I have done the next best thing (that I know of) and created a back-up of the registry via regedit. I am now satisfied that everything that can be done has been done. Many thanks for all your help and assistance. It has been informative and very useful. Thank you.
     
  24. abri

    abri MajorGeek

    Hi djames!
    That will also work. You may also check in the software forum if they can help you recover that one file.
    Good luck and many happy endeavors with your computer!
    abri
     