Malware Infestation - a real challenge here

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by jasherrr, Jun 15, 2007.

  1. jasherrr

    jasherrr Private E-2

    My 'puter has been crashing randomly - suspiciously as I access applications that try to battle malware (apps like Ad-aware, Spybot, Ccleaner, Firefox, etc.). What blows my mind is that it even does it in safe mode when I am not connected to the internet.

    I went to the read me first and did everything up until boot in safe mode then run ccleaner then spybot. I can get through ccleaner in safe mode, but then as soon as I open spybot - system crashes and restarts. When I was able to run spybot earlier I noticed smitfraud, TIBS, and a handful of other nastiness. Also, when the system reboots, a Microsoft Windows dialog box opens up and says

    "The system has recovered from a serious error. A log has been created... tell Microsoft, etc." It also has a "Click here" to see what data this error report contains, and when I do, it shows:

    BCCCOde: 1000008e BCP1: C0000005 BCP2: 804EC2B6 BCP3: F94104A4 BCP4: 00000000 OSVer:5_1_2600 SP:2_0 Product 768_1

    Below that, error report contents include:
    C:\DOCUME~1\JAY~1.VAI\LOCALS~1\Temp\\WER6a0c.dir00\Mini061507-01.dmp
    C:\DOCUME~1\JAY~1.VAI\LOCALS~1\Temp\\WER6a0c.dir00\sysdata.xml

    Please advise - I am at wits' end and ready to throw the computer out the window (seriously).

    Lastly - here is HJT log if it is helpful to view:
    Logfile of HijackThis v1.99.0
    Scan saved at 11:28:17 PM, on 6/15/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\ZONELABS\vsmon.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\tmrsrv32.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Jay\My Documents\Jay Work Docs\HJT\hijackthis.exe

    O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O23 - Service: Ad-Aware 2007 Service - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: TrueVector Internet Monitor - Zone Labs, LLC - C:\WINDOWS\system32\ZONELABS\vsmon.exe
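    Added example (not from this thread or from HijackThis itself): a small parser for the HijackThis log format posted above, run over a constructed, abridged copy of that log. The system32 baseline list is an assumption used only to flag executables worth looking up by hand.

    ```python
    import re

    # Constructed sample in the HijackThis log format shown in the post (abridged).
    SAMPLE_LOG = r"""Logfile of HijackThis v1.99.0
    Scan saved at 11:28:17 PM, on 6/15/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\tmrsrv32.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe

    O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O23 - Service: Ad-Aware 2007 Service - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: TrueVector Internet Monitor - Zone Labs, LLC - C:\WINDOWS\system32\ZONELABS\vsmon.exe
    """

    VERSION_RE = re.compile(r"^Logfile of HijackThis v(\S+)")
    PATH_RE = re.compile(r"^[A-Za-z]:\\")          # running-process lines are bare paths
    O4_RE = re.compile(r"^O4 - (?P<key>.+?): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
    O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<vendor>.+?) - (?P<path>.+)$")

    # Assumed baseline of core Windows XP executables that live directly in system32.
    # Anything else found there is only flagged for a manual look-up, nothing more.
    XP_SYSTEM32_BASELINE = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
                            "lsass.exe", "svchost.exe", "spoolsv.exe", "wuauclt.exe"}

    def parse_hjt_log(text):
        """Split a HijackThis log into version, running processes and O4/O23 entries."""
        report = {"version": None, "processes": [], "o4": [], "o23": [], "unparsed": []}
        for line in text.splitlines():
            line = line.strip()
            if not line:
                continue
            if (m := VERSION_RE.match(line)):
                report["version"] = m.group(1)
            elif PATH_RE.match(line):
                report["processes"].append(line)
            elif (m := O4_RE.match(line)):
                report["o4"].append(m.groupdict())    # registry key, entry name, command
            elif (m := O23_RE.match(line)):
                report["o23"].append(m.groupdict())   # service name, vendor, image path
            elif re.match(r"^O\d+ - ", line):
                report["unparsed"].append(line)       # other O-sections, kept for review
        return report

    def system32_processes_off_baseline(report):
        """Return running executables sitting directly in system32 but not on the baseline."""
        flagged = []
        for path in report["processes"]:
            parts = path.split("\\")
            if len(parts) == 4 and parts[1].lower() == "windows" and parts[2].lower() == "system32":
                if parts[3].lower() not in XP_SYSTEM32_BASELINE:
                    flagged.append(path)
        return flagged
    ```

    Running the two functions over the sample reports one system32 process to look up by hand (tmrsrv32.exe), while the ZoneAlarm and Ad-Aware entries parse cleanly into vendor and path fields.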
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Major Geeks!

    Please attempt to complete the parts of the READ ME that ask for the below logs:
    • GetRunKey
    • ShowNew
    • HijackThis - make sure it is installed and renamed as requested. This is very important.
    Attach these logs if you can. It is best to get the logs from normal boot mode but if you cannot do that then get them from safe mode.
     
  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    The HJT log you incorrectly posted inline (and HijackThis.exe is not renamed, as is imperative) is basically useless. It shows no problems at all. In fact it is absurdly small and looks like you have edited it. It also shows you have no antivirus, which is a very bad idea.

    It may well be that your problem is not malware.
     
  4. jasherrr

    jasherrr Private E-2

    Thanks for the quick reply - will attach the HJT log next time - I didn't edit it, it is what it is. It is very tough to get through the GetRunKey and ShowNew stuff because the 'puter keeps crashing - but will try now and report back. Will also rename HJT. Thanks for the tough love - but I swear I am really trying!
     
  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay then have you been experimenting on your own fixing things with HJT?

    Besides renaming HijackThis.exe you must get it installed properly. You have it installed exactly where we specify not to install it. AND even worse, you don't have the correct version. Get the version in the READ ME.
     
  6. jasherrr

    jasherrr Private E-2

    OK - I have attached the three files.

    I did notice spyaxe and smitfraud in the Miscellaneous Malware Detection Report from getrunkey.

    Thanks again for your help - it is VERY much appreciated,
     

  7. jasherrr

    jasherrr Private E-2

    Yes - before I knew I was in deep doo I got rid of stuff from HJT. I downloaded the new version and renamed it and included it in the previous post. Thanks again for your help!
     
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Bad idea! You should restore from the backup created in your original location.


    No you did not rename it and it is still installed in the wrong location!
     
  9. jasherrr

    jasherrr Private E-2

    OK - I hope I did it right: renamed it analyse and put it in program, which is where you told someone else to put it. Had a hard time finding directions for proper placement - did the best I could.
     

  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    After going thru your log from ShowNew I have to tell you that you are very, very badly infected. Possibly due to having inadequate protection software on your PC for who knows how long. And also possibly due to the kinds of websites you access and what/where you download from. There is no telling how effective the removal process will be. You may be looking at a reinstall to get your PC operating properly.

    Go to Add/Remove Programs and uninstall Microsoft AntiSpyware; it is not even supported anymore.


    Copy the bold text below to Notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.
    Now download The Avenger by Swandog46, and save it to your Desktop.
    • Extract avenger.exe from the Zip file and save it to your desktop
    • Run avenger.exe by double-clicking on it.
    • Check the 'Input script manually' box.
    • Click on the magnifying glass icon.
    • Copy everything in the Quote box below, and paste it in the box that opens:
    • Now click the 'Done' button.
    • Click on the traffic light icon and OK the prompt.
    • You will be prompted to restart, OK the prompt and your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt
    Now run Ccleaner!

    Now attach the below new logs and tell me how the above steps went.

    1. Avenger
    2. GetRunKey
    3. ShowNew
    4. HJT


    Make sure you tell me how things are working now!
     
  11. jasherrr

    jasherrr Private E-2

    OK - I am getting better at this following directions thing!

    All done and attached. Seems to be working OK so far - thanks again for your help - how does it look, you think?

    Avenger log attaching in next post - max of 3 I can attach.
     

  12. jasherrr

    jasherrr Private E-2

    Avenger log
     

  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Looks better but one baddie came back. See if you can delete the below file after booting in safe mode:

    C:\WINDOWS\system32\ksys.sys

    Also see if you can delete this file:
    C:\WINDOWS\system32\drivers\RUNTIME2.SY_

    If it deletes without an error, then reboot in normal mode and attach a new log from ShowNew. If it does not delete, just come back and tell me what happened when trying to delete the file.
     
  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Also do the below!


    Now copy the bold text below to Notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.
    Then attach a new log from GetRunKey.
     
  15. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Just to keep you moving along since I will be signing out soon and I will not be back until Sunday night (EST) here are the next steps no matter what happens in my previous instructions.


    1. Download this file - combofix.exe
    2. Double click combofix.exe & follow the prompts.
    3. When finished, it will produce a log for you. Attach this log to your next reply
    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.


    Now attach the below new logs and tell me how the above steps went.

    1. GetRunKey
    2. ShowNew
    3. HJT
    Make sure you tell me how things are working now!
     
  16. jasherrr

    jasherrr Private E-2

    Deleted ksys in safe mode, it came back when I rebooted - and I don't see runtime anywhere.
     

  17. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    It went away but may come back since it is related. Run the other two procedures. You don't need to attach a GetRunKey log until you complete the ComboFix procedure.
     
  18. jasherrr

    jasherrr Private E-2


    done
     

  19. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay move on to ComboFix and then do the below. I'm signing off now:

    Now please download F-Secure's BlacklightBeta
    • Download fsbl.exe and save it to the Desktop.
    • Once saved... double click fsbl.exe to install the program.
    • Click accept agreement and Click scan
    • This application may trigger a warning from your antivirus. Let the driver load. Wait for it to finish.
    • If it displays any items...don't do anything with them yet. Just hit exit (close)
    • It will drop a log on Desktop that starts with fsbl....big number
    Please attach the BlackLight log.



    Also see if you can run other scans now from the READ ME. Things like:
    CounterSpy or AVG Antispyware
    Bitdefender online scan
    PandaActive Scan
     
  20. jasherrr

    jasherrr Private E-2


    done
     

  21. jasherrr

    jasherrr Private E-2

    hjt log
     

  22. jasherrr

    jasherrr Private E-2

    Blacklight log
     

  23. jasherrr

    jasherrr Private E-2

    I did all you recommended, then did Ad-Aware and Ewido, both twice. After all this, things have calmed down a bunch on my 'puter for sure, thanks to your help. Please find the latest GetRunKey, ShowNew and HJT logs.

    Any recommendation on a free antivirus solution?

    Thanks again for your help!
     

  24. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay we just have a couple of folders to remove (one is just a left over from running Pocket Killbox). Delete the below two folders:

    C:\!KillBox
    C:\WINDOWS\system32\1024


    If you are not having any other malware problems, it is time to do our final steps:
    1. If we used Pocket Killbox during your cleanup, do the below
      • Run Pocket Killbox and select File, Cleanup, Delete All Backups
    2. If we used ComboFix, you can delete the ComboFix.exe file, C:\ComboFix folder, C:\QooBox folder, and the C:\combofix.txt log that was created.
    3. If we used SDFix you can delete all the SDFix related files and folders from your Desktop or wherever you installed it.
    4. If we used VundoFix, you can delete the VundoFix.exe file and the C:\VundoFix Backups folder and C:\vundofix.txt log that was created.
    5. If we had you run FixWareOut, you can delete the Fixwareout.exe file and the C:\fixwareout folder.
    6. If we had you run Avenger, you can delete all files related to Avenger now.
    7. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    8. You can delete the ShowNew.Zip and GetRunkey.Zip files and the files that you extracted from the ZIP files. You can also delete the C:\newfiles.txt and C:\runkeys.txt logs that were created.
    9. If you are running Windows XP or Windows ME, do the below:
      • go back to step 8 of the READ & RUN ME to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    10. After doing the above, you should work thru the below link:
     
