Malware infestation.

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by lucivaryasi, Mar 22, 2010.

  1. lucivaryasi

    lucivaryasi Private E-2

    I am trying to help a friend clear out residual malware from their system. A while back they had an Antivirus 2009 infection; they worked through it and thought they had it clean. Now they are having popup issues, as well as browser hijacks, and (a new one on me) random audio advertisements without any page being displayed. I will post my log files. Their system is a WinXP Media Center Edition SP2. Thank you in advance.
     

  2. lucivaryasi

    lucivaryasi Private E-2

    and here is the MGlogs
     

  3. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Hi there and welcome. I am currently reviewing your logs and will get back to you with a set of instructions in the next post I make to you.
     
  4. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    1. Important Notice: A new version of SUPERAntiSpyware is available.
    • Please uninstall your current version (this is necessary).
    • Then download this SUPERAntiSpyware
    • Install this new version. It may tell you that you need to reboot to complete the installation. You must reboot at this time.
    • After the reboot, run SUPERAntiSpyware and immediately click the Check for Updates button to get more updates for the database.
    • Now run a new full scan of your system. And attach this log later.

    2. Update MBAM > rescan > fix all it finds and attach the log it creates regardless of whether it found any threats or not.

    3. Are you set up to use the following proxy? I suspect not; if not, then please include it in our list of fixables.

    Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):
    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    After clicking Fix exit HJT.

    4. Now we need to use ComboFix
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    • If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
    • Open Notepad and copy/paste the text in the below quote box. Ensure you scroll down to select ALL the lines:
    Code:
    
    KILLALL::
    
    AtJob::
    
    RenV::
    c:\windows\lbsnsftav .exe
    c:\windows\system32\orhr .exe
    c:\program files\Common Files\Ahead\Lib\nerocheck .exe
    c:\program files\Common Files\Microsoft Shared\DW\dwtrig20 .exe
    c:\program files\Common Files\Real\Update_OB\realsched .exe
    c:\program files\DISC\discover .exe
    c:\program files\Google\GoogleToolbarNotifier\googletoolbarnotifier .exe
    c:\program files\Hewlett-Packard\HP Boot Optimizer\hpbootop              .exe
    c:\program files\Hewlett-Packard\HP Boot Optimizer\hpbootop             .exe
    c:\program files\Hewlett-Packard\HP Boot Optimizer\hpbootop            .exe
    c:\program files\Hewlett-Packard\HP Boot Optimizer\hpbootop           .exe
    c:\program files\Hewlett-Packard\HP Boot Optimizer\hpbootop          .exe
    c:\program files\Hewlett-Packard\HP Boot Optimizer\hpbootop         .exe
    c:\program files\Hewlett-Packard\HP Boot Optimizer\hpbootop        .exe
    c:\program files\Hewlett-Packard\HP Boot Optimizer\hpbootop       .exe
    c:\program files\Hewlett-Packard\HP Boot Optimizer\hpbootop      .exe
    c:\program files\Hewlett-Packard\HP Boot Optimizer\hpbootop     .exe
    c:\program files\Hewlett-Packard\HP Boot Optimizer\hpbootop    .exe
    c:\program files\Hewlett-Packard\HP Boot Optimizer\hpbootop   .exe
    c:\program files\Hewlett-Packard\HP Boot Optimizer\hpbootop  .exe
    c:\program files\Hewlett-Packard\HP Boot Optimizer\hpbootop .exe
    c:\program files\iolo\System Mechanic Professional\AntiVirus\ioloav   .exe
    c:\program files\iolo\System Mechanic Professional\AntiVirus\ioloav  .exe
    c:\program files\iolo\System Mechanic Professional\AntiVirus\ioloav .exe
    c:\program files\iolo\System Mechanic Professional\Personal Firewall\iolofw   .exe
    c:\program files\iolo\System Mechanic Professional\Personal Firewall\iolofw  .exe
    c:\program files\iolo\System Mechanic Professional\Personal Firewall\iolofw .exe
    c:\program files\Malwarebytes' Anti-Malware\m .exe
    c:\program files\Messenger\msmsgs .exe
    c:\program files\SUPERAntiSpyware\sas .exe
    c:\program files\UltraVNC\winvnc .exe
    c:\windows\lbsnsftav .exe
    c:\windows\ehome\ehtray .exe
    c:\windows\SMINST\recguard .exe
    c:\windows\system32\orhr .exe
    c:\windows\system32\spool\drivers\w32x86\3\hpztsb12 .exe
    c:\program files\disc\discover .exe
    c:\windows\system32\spool\drivers\w32x86\3\hpztsb12 .exe
    
    File::
    c:\windows\lbsnsftav.exe
    c:\program files\1547156.dat
    c:\program files\1246921.dat
    c:\program files\1853421.dat
    c:\program files\1553187.dat
    c:\program files\1249515.dat
    c:\program files\948890.dat
    c:\program files\644703.dat
    c:\program files\11960812.dat
    c:\program files\11328796.dat
    c:\program files\8630453.dat
    c:\program files\1501375.dat
    c:\program files\687500.dat
    c:\program files\4135515.dat
    c:\program files\621968.dat
    c:\program files\752359.dat
    c:\documents and settings\Compaq_Administrator\fcwxx.exe
    c:\program files\42093.dat
    c:\windows\lbsnsftav .exe
    c:\windows\system32\orhr .exe
    c:\program files\Common Files\Ahead\Lib\nerocheck .exe
    c:\program files\Common Files\Microsoft Shared\DW\dwtrig20 .exe
    c:\program files\Common Files\Real\Update_OB\realsched .exe
    c:\program files\DISC\discover .exe
    c:\program files\Google\GoogleToolbarNotifier\googletoolbarnotifier .exe
    c:\program files\Hewlett-Packard\HP Boot Optimizer\hpbootop              .exe
    c:\program files\Hewlett-Packard\HP Boot Optimizer\hpbootop             .exe
    c:\program files\Hewlett-Packard\HP Boot Optimizer\hpbootop            .exe
    c:\program files\Hewlett-Packard\HP Boot Optimizer\hpbootop           .exe
    c:\program files\Hewlett-Packard\HP Boot Optimizer\hpbootop          .exe
    c:\program files\Hewlett-Packard\HP Boot Optimizer\hpbootop         .exe
    c:\program files\Hewlett-Packard\HP Boot Optimizer\hpbootop        .exe
    c:\program files\Hewlett-Packard\HP Boot Optimizer\hpbootop       .exe
    c:\program files\Hewlett-Packard\HP Boot Optimizer\hpbootop      .exe
    c:\program files\Hewlett-Packard\HP Boot Optimizer\hpbootop     .exe
    c:\program files\Hewlett-Packard\HP Boot Optimizer\hpbootop    .exe
    c:\program files\Hewlett-Packard\HP Boot Optimizer\hpbootop   .exe
    c:\program files\Hewlett-Packard\HP Boot Optimizer\hpbootop  .exe
    c:\program files\Hewlett-Packard\HP Boot Optimizer\hpbootop .exe
    c:\program files\iolo\System Mechanic Professional\AntiVirus\ioloav   .exe
    c:\program files\iolo\System Mechanic Professional\AntiVirus\ioloav  .exe
    c:\program files\iolo\System Mechanic Professional\AntiVirus\ioloav .exe
    c:\program files\iolo\System Mechanic Professional\Personal Firewall\iolofw   .exe
    c:\program files\iolo\System Mechanic Professional\Personal Firewall\iolofw  .exe
    c:\program files\iolo\System Mechanic Professional\Personal Firewall\iolofw .exe
    c:\program files\Malwarebytes' Anti-Malware\m .exe
    c:\program files\Messenger\msmsgs .exe
    c:\program files\SUPERAntiSpyware\sas .exe
    c:\program files\UltraVNC\winvnc .exe
    c:\windows\lbsnsftav .exe
    c:\windows\ehome\ehtray .exe
    c:\windows\SMINST\recguard .exe
    c:\windows\system32\orhr .exe
    c:\windows\system32\spool\drivers\w32x86\3\hpztsb12 .exe
    c:\docume~1\COMPAQ~1\LOCALS~1\Temp\CSC4.tmp 
    c:\docume~1\COMPAQ~1\LOCALS~1\Temp\RES5.tmp 
    c:\docume~1\COMPAQ~1\LOCALS~1\Temp\vsexyv0j.0.cs 
    c:\docume~1\COMPAQ~1\LOCALS~1\Temp\vsexyv0j.cmdline 
    c:\docume~1\COMPAQ~1\LOCALS~1\Temp\vsexyv0j.dll 
    c:\docume~1\COMPAQ~1\LOCALS~1\Temp\vsexyv0j.err 
    c:\docume~1\COMPAQ~1\LOCALS~1\Temp\vsexyv0j.out 
    c:\windows\system32\orhr .exe 
    c:\program files\disc\discover .exe
    c:\windows\system32\spool\drivers\w32x86\3\hpztsb12 .exe
    C:\Documents and Settings\Compaq_Administrator\arpwrmsg.exe
    C:\Documents and Settings\Compaq_Administrator\ntuser.dat.LOG
    C:\Documents and Settings\Compaq_Administrator\nwiz.exe
    C:\Documents and Settings\Compaq_Administrator\rthdcpl.exe
    C:\Documents and Settings\Compaq_Administrator\rundll32.exe
    C:\Documents and Settings\Compaq_Administrator\Local Settings\Application Data\ndg1AA4VAPW
    
    Folder::
    c:\documents and settings\Compaq_Administrator\Local Settings\Application Data\jogets
    c:\documents and settings\Compaq_Administrator\Local Settings\Application Data\uytqgq
    c:\documents and settings\Compaq_Administrator\Local Settings\Application Data\clyhrd
    c:\documents and settings\Compaq_Administrator\Local Settings\Application Data\oorkpq
    c:\documents and settings\Compaq_Administrator\Local Settings\Application Data\fgujtp
    c:\documents and settings\Compaq_Administrator\Local Settings\Application Data\mjxhhk
    c:\documents and settings\Compaq_Administrator\Local Settings\Application Data\kvrlsv
    c:\documents and settings\Compaq_Administrator\Local Settings\Application Data\ieymcf
    c:\documents and settings\Compaq_Administrator\Local Settings\Application Data\gunkwx
    c:\documents and settings\Compaq_Administrator\Local Settings\Application Data\dumlfo
    c:\documents and settings\Compaq_Administrator\Local Settings\Application Data\kvlmyp
    c:\documents and settings\Compaq_Administrator\Local Settings\Application Data\muswrh
    c:\documents and settings\Compaq_Administrator\Local Settings\Application Data\ebxyia
    c:\documents and settings\Compaq_Administrator\Local Settings\Application Data\rswyub
    
    Registry::
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "lwvjcqxd"=-
    "jxhxnlxi"=-
    "qruuxcjk"=-
    "mxsapdqh"=-
    "fqqhjhur"=-
    "xxqrtyhq"=-
    "wykgovxy"=-
    "wystwick"=-
    "badwbfvq"=-
    "xbqmqkro"=-
    "xbiaixmd"=-
    "uhvninnc"=-
    "thgbreqw"=-
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "orhr"=-
    "lwvjcqxd"=-
    "jxhxnlxi"=-
    "qruuxcjk"=-
    "mxsapdqh"=-
    "fqqhjhur"=-
    "xxqrtyhq"=-
    "wykgovxy"=-
    "wystwick"=-
    "badwbfvq"=-
    "xbqmqkro"=-
    "xbiaixmd"=-
    "uhvninnc"=-
    "thgbreqw"=-
    
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe

    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below

    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    5. From your logs I see that beep.sys is missing from the system32 directory, we will need to replace this, and to do so, please look at the below:

    Running SFC Scannow

    6. Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this and also attach the new logs from SAS and MBAM.

    7. Let us know of any problems you may have encountered with the above instructions and also let me know how things are running now!
     
  5. lucivaryasi

    lucivaryasi Private E-2

    Here are the new logs. Thank you again for the assist. When running ComboFix I tried to disable the iolo antivirus (even shut down the process through Task Manager) but ComboFix continued to detect it. Also this computer is one that did not come with any restore or operating system disks... it does however have a recovery partition (not sure how that works, or if it will help). So I couldn't fix the beep.sys file.
     

  6. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    As I go through the logs please tell me how the machine is behaving. :)
     
  7. lucivaryasi

    lucivaryasi Private E-2

    Quite well at the moment... no popups, no unidentified sounds... just need to re-enable System Mechanic once we are through. Internet is responsive once again. Although they did say that they had run virus and spyware scanners before and it behaved itself for a few days then just bottomed out.
     
  8. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    A little more to do :)

    Now we need to use ComboFix
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    • If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
    • Open Notepad and copy/paste the text in the below quote box. Ensure you scroll down to select ALL the lines:
    Code:
    KILLALL::
    
    Fcopy::
    C:\WINDOWS\system32\dllcache\beep.sys | c:\windows\System32\drivers\beep.sys
    
    RenV::
    c:\program files\Hewlett-Packard\HP Boot Optimizer\hpbootop               .exe
    
    File::
    C:\Documents and Settings\Compaq_Administrator\Local Settings\Application Data\20xYJkS83BHk4
    C:\Documents and Settings\All Users\Application Data\20xYJkS83BHk4
    C:\Documents and Settings\Compaq_Administrator\Templates\20xYJkS83BHk4
    
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe

    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below

    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this.

    Tell me how things are now, please.
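    The CFScript files in this post and in the earlier ComboFix step above share one plain-text layout: a `Directive::` header line (KILLALL::, Fcopy::, RenV::, File::, Folder::, Registry::) followed by the entries it applies to. The following is an added example, not ComboFix's own code and not anything posted in the thread: a small Python parser that reads a script in that layout, lists what each section would touch, flags the entries whose file name carries whitespace before its extension (the entries the RenV:: section exists to rename), and pulls out the Fcopy:: source/destination pairs and the Run-key value names deleted under Registry::. The sample script it parses is constructed here in the thread's layout with a placeholder profile name; the function names are my own, not ComboFix terminology.

```python
import re
from collections import OrderedDict

# Constructed sample in the layout of the thread's CFScripts (placeholder
# profile name, not a real system). Raw string so backslashes stay literal.
SAMPLE_CFSCRIPT = r"""
KILLALL::

Fcopy::
C:\WINDOWS\system32\dllcache\beep.sys | c:\windows\System32\drivers\beep.sys

RenV::
c:\windows\lbsnsftav .exe
c:\program files\Hewlett-Packard\HP Boot Optimizer\hpbootop   .exe

File::
c:\windows\lbsnsftav.exe
c:\program files\1547156.dat
c:\docume~1\USER~1\LOCALS~1\Temp\CSC4.tmp 

Folder::
c:\documents and settings\user\Local Settings\Application Data\jogets

Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"lwvjcqxd"=-
"jxhxnlxi"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"orhr"=-
"""

# A directive header is a bare word followed by "::" on its own line.
DIRECTIVE = re.compile(r"^([A-Za-z]+)::\s*$")
# One or more spaces/tabs immediately before the final extension, e.g. "hpbootop   .exe".
SPACED_EXT = re.compile(r"[ \t]+\.[A-Za-z0-9]+$")


def parse_cfscript(text):
    """Return an ordered mapping of directive name -> list of non-empty entry lines."""
    sections = OrderedDict()
    current = None
    for raw in text.splitlines():
        line = raw.rstrip()  # trailing spaces after a path are not part of it
        if not line:
            continue
        match = DIRECTIVE.match(line)
        if match:
            current = match.group(1)
            sections.setdefault(current, [])
            continue
        if current is None:
            raise ValueError("entry line before any directive: %r" % line)
        sections[current].append(line)
    return sections


def spaced_extension_entries(sections):
    """(directive, entry) pairs whose file name has whitespace before the extension."""
    return [(d, e) for d, entries in sections.items()
            for e in entries if SPACED_EXT.search(e)]


def fcopy_pairs(sections):
    """(source, destination) tuples from Fcopy:: lines written as 'src | dst'."""
    pairs = []
    for entry in sections.get("Fcopy", []):
        src, sep, dst = entry.partition("|")
        if not sep:
            raise ValueError("Fcopy entry without '|': %r" % entry)
        pairs.append((src.strip(), dst.strip()))
    return pairs


def registry_removals(sections):
    """Map each [Key] under Registry:: to the value names deleted by '"name"=-'."""
    removals = OrderedDict()
    key = None
    for entry in sections.get("Registry", []):
        if entry.startswith("[") and entry.endswith("]"):
            key = entry[1:-1]
            removals.setdefault(key, [])
        elif key is not None and entry.endswith("=-"):
            removals[key].append(entry[:-2].strip().strip('"'))
    return removals


if __name__ == "__main__":
    parsed = parse_cfscript(SAMPLE_CFSCRIPT)
    for name, entries in parsed.items():
        print("%s: %d entries" % (name, len(entries)))
    for directive, entry in spaced_extension_entries(parsed):
        print("whitespace before extension [%s]: %r" % (directive, entry))
    for src, dst in fcopy_pairs(parsed):
        print("copy %s -> %s" % (src, dst))
    for key, names in registry_removals(parsed).items():
        print("%s: remove %s" % (key, ", ".join(names)))
```

    To review a real CFScript before dragging it onto ComboFix, read the file's contents into `parse_cfscript` in place of the constructed sample. Trailing whitespace on a line is stripped (it is not part of the path), but whitespace inside a name, such as the run of spaces before `.exe` in the RenV:: entries, is kept and is exactly what `spaced_extension_entries` reports.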
     
  9. lucivaryasi

    lucivaryasi Private E-2

    I followed your directions with ComboFix and created the CFscript.txt file and dragged it to the ComboFix icon... ComboFix ran, then rebooted the system, but when the system came up there was no ComboFix screen and no log file... however in my C:\ drive there is a ComboFix icon that looks like the My Computer icon... and when clicked it opens just like My Computer and shows the drives. Here is the MGlog anyhow.
     

  10. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    You still have combofix.exe on the desktop, so let's do this:

    Now we need to use ComboFix
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    • If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
    • Open Notepad and copy/paste the text in the below quote box. Ensure you scroll down to select ALL the lines:
    Code:
    KILLALL::
    
    File::
    C:\Documents and Settings\Compaq_Administrator\Local Settings\Application Data\20xYJkS83BHk4
    C:\Documents and Settings\All Users\Application Data\20xYJkS83BHk4
    C:\Documents and Settings\Compaq_Administrator\Templates\20xYJkS83BHk4
    
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe

    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below

    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this.
     
  11. lucivaryasi

    lucivaryasi Private E-2

    Yay... a ComboFix log. All is running swimmingly so far. Here are the new logs.
     

  12. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Good. One more time:

    Now we need to use ComboFix again.
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    • If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
    • Open Notepad and copy/paste the text in the below quote box. Ensure you scroll down to select ALL the lines:
    Code:
    
    KILLALL::
    
    Fcopy::
    C:\WINDOWS\system32\dllcache\beep.sys | c:\windows\System32\drivers\beep.sys
    
    RenV::
    c:\program files\Hewlett-Packard\HP Boot Optimizer\hpbootop               .exe
    
    File::
    c:\program files\Hewlett-Packard\HP Boot Optimizer\hpbootop               .exe
    
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe

    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below

    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.


    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this.
     
  13. lucivaryasi

    lucivaryasi Private E-2

    All is still well... you rock! Here are the new logs.
     

  14. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    That's replaced the missing beep.sys too so you need not visit the software forum about that. Your logs are clean! :)

    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources (except a little disk space) until you run a scan.
    2. If we used Pocket Killbox during your cleanup, do the below
      • Run Pocket Killbox and select File, Cleanup, Delete All Backups
    3. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /uninstall
        • Note: the space between combofix" and /uninstall must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
    4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    7. Go to add/remove programs and uninstall HijackThis.
    8. Go to the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    9. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures in step 3 of the READ ME for your Windows version and see the instructions to Disable System Restore, which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    10. After doing the above, you should work through the below link:
     
  15. lucivaryasi

    lucivaryasi Private E-2

    You are my hero, and aces in my book. All things are well so thank you for your time and effort, my friends and I appreciate it. (would have pm but not enough posts..lol) Take care.
     
  16. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    You are most welcome! Safe surfing. :)
     
