Can't remove malware remnants - hidden in .sys?

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by dachs96, Apr 21, 2005.

  1. dachs96

    dachs96 Private E-2

    I have a machine that was hit by a large number of hijacker/popup type malwares. After extensive cleaning, I was able to get rid of most of the components but there is a leftover part I can't remove. It keeps restoring in the Run section the registry keys for 5 programs no longer on the hard drive- WToolsA, ffisearch, desktop, sysmonnt, and elitesmr32- even if deleted only a few seconds ago. Upon startup, it also runs msconfig. In addition, after some time connected to the internet, spyware and occasionally viruses will creep back in.

    I am afraid that the problem may be resident in one of the .sys files. It does look like the config.sys was changed about the time to which I seem to be able to trace the initial infestation.

    I am running WinXP (SP1) and IE 6.0, on an HP Pavilion zd7000 series notebook, 3G Pentium 4, 512 RAM.

    I have just concluded another run of the procedure outlined on the sticky/thread 35407, with the following results:

    There were no malware Windows services running and the other 3 preparation steps were fine.

    Despite lowering my security precautions and having no apparent other programs running that would block them (esp. being in safe mode), every time I attempted to run Symantec's online virus scan I would be informed that I was not permitting scripting or ActiveX controls. I did run the PC version of Norton Anti Virus, which came up clean.

    Whenever I tried to run the normal Trend Micro online scan, my computer would hang, but I was able to successfully run the UK Java version, which also came up clean.


    Spybot cleaned away Search Miracle, while Ad-Aware removed IBIS Toolbar.

    CWShredder removed cws.msconfig. Kill2Me found no signs of infection; I ran it anyway and received a message look2me was removed if there. HSRemove removed eight items though I couldn't tell what they were. about:Buster came out clean.

    I also ran Elite Toolbar V1.20. There were no temp files in the C drive and it couldn't delete one temp file, which I am assuming had something to do w/ currently running processes. I ran it in both safe and later in normal mode. Each time it removed items though I couldn't tell what; I have the logs but don't understand how they tell one what was removed/repaired. [I ran it both ways because the registry keys didn't seem to get switched back in safe mode]

    I looked at Chaslang's thread #38772 in case it related to my situation, but the registry keys he mentions and the ones on my Hijack This log were completely different so I didn't even try that procedure.

    I did try the ADS alternate scan once, which found nothing, but otherwise I didn't try the alternate scans, as I didn't think they would be much more successful.

    I have looked on the forums for the same problem and though I found similar threads, nothing seemed to relate to exactly my problem. If you know of one that does, I would be grateful if you could direct me. Otherwise, I hope you can find a solution, as otherwise I fear I will have to wipe and repartition the hard drive and reinstall WinXP.

    Thank you for any help you can provide, and please let me know if you need any other information.
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Download, install, and get the updates for Microsoft® Windows AntiSpyware. But do not run it yet! First reboot into safe mode (with no network connectivity) and then run a full system scan. Then reboot in normal mode and continue with the below steps.

    - Download HijackThis 1.99.1

    - Unzip the hijackthis.exe file to a folder you create named C:\Program Files\HJT

    - Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file.

    - Before running HijackThis: You must close each of the following: your web browser, e-mail client, instant messenger, and programs like notepad, wordpad, MS Word etc. And any other unnecessary running programs.

    - Run HijackThis and save your log file.

    - Post your log as an ATTACHMENT to your next message. (Do NOT copy/paste the log into your post).
     
  3. dachs96

    dachs96 Private E-2

    Done. FYI it found the entries for the malware I mentioned in my first post and cleaned them.

    Attached as requested.

    Also, I'm sorry I forgot to ask this in the first post, but when I reboot in safe mode, I'm given the option of logging on as Administrator or "John Doe". John Doe is the single user and has administrator privileges, so I've been choosing that (although in the past I've gone thru thread 35407 for both). Let me know if that's incorrect. Thank you.
     


  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You still have the problems present in your log. Make sure you run MS Antispyware in safe mode and run it on both the John Doe and Administrator accounts.

    You should not be using Msconfig to inhibit loading of any items. It will prevent us from seeing things we may need to see. Run msconfig and select Normal Startup. Then reboot.

    If you are using WinXP or WinMe, make sure you have system restore disabled (per the tutorial).
    For all OS types, make sure viewing of hidden files is enabled (per the tutorial).
    First look in Add/Remove programs for the below and uninstall if found:
    WinTools
    iSearch
    SideSearch

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.popupsearches.com/sidesearch.html
    O4 - HKLM\..\Run: [ffis] C:\WINDOWS\isrvs\ffisearch.exe
    O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe
    O4 - HKLM\..\Run: [antiware] C:\windows\system32\elitesmr32.exe
    O4 - HKLM\..\Run: [WinTools] C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe
    O4 - HKCU\..\Run: [sysmonnt] C:\WINDOWS\System32\sysmonnt

    After clicking Fix, exit HJT.
    Boot into safe mode and use Windows Explorer to delete:
    C:\WINDOWS\isrvs\ffisearch.exe
    C:\WINDOWS\isrvs\desktop.exe
    C:\windows\system32\elitesmr32.exe <-- also look for any other file beginning with elite and ending with .exe and delete them too.
    C:\PROGRA~1\COMMON~1\WinTools <--- the whole folder
    C:\WINDOWS\System32\sysmonnt or sysmonnt.exe

    If you get an error when deleting a file, right click on the file and check to see if the read only attribute is checked. If it is, uncheck it and try again. Otherwise open Task Manager and kill the process if running, then delete the file.

    Now run Ccleaner (installed while running the READ ME FIRST). Now if running Win XP go to c:\windows\Prefetch and delete all files in this folder.

    Now we need to Reset Web Settings:
    1) If you have an Internet Explorer icon on your Desktop, go to step 2. If not, skip to step 3.
    2) Now right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK. Then skip step 3.
    3) If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.

    Now reboot in normal mode and post a new HJT log. And tell us how things are working.
     
  5. dachs96

    dachs96 Private E-2

    Ran under both accounts. Under each it notified me that the home page was being changed from the one set at the end of HSRemove to Yahoo (my chosen home page). Under the second one, the user, it informed me the security settings on IE for the local intranet zone were set below minimum, which I blocked.

    The first run (administrator) removed the registry keys for Search Miracle, iSearch and WinTools; the second for VX2.sysmonnt.

    The box is already checked normal. It still keeps loading on startup.

    First two settings as they should be. None of the programs were found on Add/Remove.

    Registry values fixed.


    None of the executables are present. Also, I checked task manager to verify no processes were running.


    Cleaned extra files w/ CC, deleted program prefetches and reset IE settings.

    On the reboot, msconfig started up again. Ad-Watch showed registry changes; because it is brief, I also attached the log. I am also attaching the log from my new run of HJT. The registry keys have been changed back to call the (nonexistent) malware files on startup.

    Thanx.
     


  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please uninstall or disable all of Ad-Aware/Adwatch protections and the same for MS Antispyware. I think they may be getting in the way of fixing the problems right now. Then do the below:

    - Run HijackThis and fix the below (make sure ALL browsers are closed first).
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.popupsearches.com/sidesearch.html
    O4 - HKLM\..\Run: [ffis] C:\WINDOWS\isrvs\ffisearch.exe
    O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe
    O4 - HKLM\..\Run: [antiware] C:\windows\system32\elitesmr32.exe
    O4 - HKLM\..\Run: [WinTools] C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe
    O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
    O4 - HKCU\..\Run: [sysmonnt] C:\WINDOWS\System32\sysmonnt

    After clicking Fix, exit HJT.
    Boot into safe mode and use Windows Explorer to delete:

    C:\WINDOWS\isrvs\ffisearch.exe
    C:\WINDOWS\isrvs\desktop.exe
    C:\windows\system32\elitesmr32.exe <-- also look for any other file beginning with elite and ending with .exe and delete them too.
    C:\PROGRA~1\COMMON~1\WinTools <--- the whole folder
    C:\WINDOWS\System32\sysmonnt or sysmonnt.exe

    Make sure you tell me what you can find, what you do not find, and what deletes and does not delete.

    Now run Ccleaner (installed while running the READ ME FIRST). Now if running Win XP go to c:\windows\Prefetch and delete all files in this folder.

    Now we need to Reset Web Settings:
    1) If you have an Internet Explorer icon on your Desktop, go to step 2. If not, skip to step 3.
    2) Now right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK. Then skip step 3.
    3) If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.

    Now reboot in normal mode and post a new HJT log. And tell us how things are working.
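    The check chaslang has the poster doing by hand (look at the O4 Run entries in the HJT log, then see whether the files they point at still exist) can be scripted against a saved log. This is an added example, not code from this thread or from HijackThis; the log lines are the O4 entries quoted above plus one constructed legitimate entry, and the "disk" is a constructed set of paths standing in for os.path.exists so it runs offline:

```python
import os
import re
from collections import namedtuple

# One HijackThis O4 line, e.g. "O4 - HKLM\..\Run: [ffis] C:\WINDOWS\isrvs\ffisearch.exe"
O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
RunEntry = namedtuple("RunEntry", "hive key name command")

def target_of(command: str) -> str:
    # Executable path: a quoted path, else the first token ending in .exe, else the whole value.
    cmd = command.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.match(r"(.*?\.exe)(?:\s|$)", cmd, re.IGNORECASE)
    return m.group(1) if m else cmd

def parse_o4(log_text: str) -> list:
    # Keep only the Run-key autostart lines; other HJT sections (R0, O2, ...) are ignored.
    entries = []
    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        if m:
            entries.append(RunEntry(m["hive"], m["key"], m["name"], m["cmd"]))
    return entries

def orphaned(entries, exists=os.path.exists):
    # Autostart entries whose target is not on disk: they launch nothing, yet something keeps writing them.
    return [e for e in entries if not exists(target_of(e.command))]

# Constructed sample log: the six O4 lines quoted in this thread plus one made-up legitimate entry.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ffis] C:\WINDOWS\isrvs\ffisearch.exe
O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe
O4 - HKLM\..\Run: [antiware] C:\windows\system32\elitesmr32.exe
O4 - HKLM\..\Run: [WinTools] C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [sysmonnt] C:\WINDOWS\System32\sysmonnt
O4 - HKLM\..\Run: [ExampleAV] "C:\Program Files\Example AV\avtray.exe" /minimized
"""
# Constructed stand-in for the disk after the malware files were deleted (lower-cased paths).
FAKE_DISK = {r"c:\windows\pchealth\helpctr\binaries\msconfig.exe", r"c:\program files\example av\avtray.exe"}

def orphan_names(log_text: str = SAMPLE_LOG, disk: set = FAKE_DISK) -> list:
    # Names of Run values pointing at files that no longer exist: the ones to watch for reappearing.
    return [e.name for e in orphaned(parse_o4(log_text), exists=lambda p: p.lower() in disk)]

if __name__ == "__main__":
    print(orphan_names())  # ['ffis', 'Desktop Search', 'antiware', 'WinTools', 'sysmonnt']
```

    On a live machine, call orphaned(parse_o4(open("hijackthis.log").read())) with the default os.path.exists; an orphaned entry that comes back after a Fix is exactly the symptom this thread is chasing, and the writer is whatever is still running, not the (absent) target.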
     
  7. dachs96

    dachs96 Private E-2

    I disabled all of those programs' real-time protections.




    Fixed the 6 registry values.

    None of the executable files are there to delete (nor, where relevant, are the corresponding folders).



    Ran CCleaner, emptied prefetch folder and reset IE settings.


    Msconfig still came up but the HJT log file appears to be clean. I rebooted after checking not to have msconfig show on startup and rebooted to make sure, then reran HJT (attached log). Msconfig did not come up this time and the attached HJT log appears to be clean.

    You were right, it seemed to have been Ad-Watch. I'm hoping that it's just the way the program itself works and not any actual corruption in the program - is that your opinion?
     


  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    It is not a corruption in the programs! It is just the programs themselves trying to do what is necessary to protect you. The problem is that when malware does find a way into your PC, the protection programs can sometimes view the changes we are trying to make to be malware. That happens because they view the registry changes as malware at work. So to get around this, it is often necessary to remove the protection so we can get our changes to work. Similarly, we sometimes need to disable protection (and items like msconfig) so we can actually see the malware at work. If the protection programs block the malware from changing things (like your home page) but do not fix the root problem, it will just keep happening.
     
  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    By the way your log is clean! To help avoid future problems you should run all steps in the below:

    How to Protect yourself from malware!

    You can also re-enable Ad-Watch and MS Antispyware now.
     
  10. dachs96

    dachs96 Private E-2

    Ok. Thanks for all of your help. You can imagine how many hours I've spent cleaning and recleaning the system :) - and for that matter :( - and even :mad: and :confused: and :eek: and - well you get the picture. At least I don't have to wipe the hard drive! :eek:

    Thanx again for the help.
     
  11. dachs96

    dachs96 Private E-2

    Um ...they're back. (I assume you want me to continue on this thread). As soon as I re-enabled the two programs, Microsoft first and then adwatch, I got a message from adwatch saying the registry was trying to be changed again. I tried blocking them but I'm not sure I got them all and a new HJT log shows some reinfection.

    Worse, I'm guessing this means that the origin is still somewhere on the machine. (BTW, I have the internet off, as I'm using a desktop to do all the communication w/ this forum)
     
  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    It may be that Ad-Watch is saving the info somewhere. And the only way to stop it may be to uninstall Ad-Aware completely (delete the folder it is installed to also). Then fix everything up and reboot to make sure it is still fixed. Then re-install Ad-Aware from scratch.

    On the other hand your problem may be simply occurring because you need to answer in the opposite context. When you are blocking changes you may be blocking the changes we are making.

    It may be best to do the complete uninstall of Ad-Aware and MS Antispyware. Then reboot and post a new HJT log. By now you should know what to look for. Also check to see if the files themselves reappear.
     
  13. dachs96

    dachs96 Private E-2

    I apologize for not replying to this yesterday as I was rather busy. I can't attach the HJT log for confirmation as the user currently has the laptop back but it does appear to be clean. The registry is clean and I tried booting and rebooting a number of times, including reinstalling Ad-Aware, Ad-Watch and MS Antispyware and nothing seems to have come back, files or registry keys.

    As you predicted, AAW seemed to have been storing it somewhere and doing the cleaning w/ the programs uninstalled seemed to work. FYI, I uninstalled AAW Pro w/ the Ad-watch and installed AAW Personal to help w/ the cleaning and it didn't seem to cause any ill effects.

    Thanks again for all the help chaslang!
     
  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome.
     