Malware removal - please help!

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by Mudrock, Oct 11, 2006.

  1. Mudrock

    Mudrock Private E-2

    I am a total novice PC user and I have recently connected to the internet via broadband. On the advice of some friends I have AVG anti virus software installed, and the Zone Alarm free firewall. My AVG scanner repeatedly finds a trojan which it claims to heal, but which has always returned the next time I scan. I have downloaded and run all the programs in your read and run me first thread, but the pesky little blighter is still there. I need some expert help.

    I have saved the logs from counterspy, bitdefender, panda, runkeys, newfiles and hijackthis. I think all of them have come up with a problem at some stage, with a virus/program that they cannot disinfect/heal etc. I will attach these logs to my next post when someone replies, as I'm unsure as to which is the most important and I cannot attach all of them, can I?

    Here's hoping someone can help me,

    Mudrock
     
  2. Mudrock

    Mudrock Private E-2

    Here is some more info to help any would-be saviours to diagnose the problem:

    Specs:
    Intel Celeron II, 733MHz (11x67)
    256MB (SDRAM)
    Windows XP Professional (SP1)
    Hard disk space 19083MB (60% free)

    Problems:
    2 programs requesting internet access on a regular basis:
    w?auboot.exe (from C:\WINDOWS\System32\SKS~1\WAUBOO~1.EXE)
    fkzr.exe (from C:\PROGRA~1\COMMON~1\fkzr\fkzrm.exe)

    persistent trojan (from C:\WINDOWS\S?mantec\wucrtupd.exe)

    I don't know if any of the above are causing serious damage to my machine. Many operations are slow, but is this just a reflection of ageing technology? [see specs, above]

    Surely somebody is willing to help...

    I will attach the counterspy, bitdefender and panda scan logs now, and post the other logs later.

    mudrock
     

    Attached Files:

  3. Mudrock

    Mudrock Private E-2

    Further logs as above...

    Mudrock
     

    Attached Files:

  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You are way out of date with your Windows updates. This is a major security risk that you must address after we fix your malware problems.

    Why did you edit your HJT log? There is no way that only analyse.exe would show in your log unless you edited it or you are using HijackThis's filtering capability. If you are doing either of these, please stop doing that.

Run this E2TakeOut; follow the directions in the link for the download. Save the log and attach it here when you return.


Now download a tool we will need - Pocket KillBox

    Extract it to its own folder somewhere that you will be able to locate it later.


    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R3 - URLSearchHook: (no name) - {42BE62B0-FF75-97F3-0693-F24A35DEF29C} - C:\WINDOWS\System32\adpsqh.dll
    R3 - URLSearchHook: (no name) - {779352B0-D246-A2C7-2BA3-C26705EEDFAC} - C:\WINDOWS\System32\adpsqh.dll
    O2 - BHO: (no name) - {42BE62B0-FF75-97F3-0693-F24A35DEF29C} - C:\WINDOWS\System32\adpsqh.dll
    O2 - BHO: (no name) - {6A016F4D-E4B3-CE32-8859-AD31C0AACDF2} - C:\WINDOWS\System32\efrpoow.dll (file missing)
    O2 - BHO: (no name) - {779352B0-D246-A2C7-2BA3-C26705EEDFAC} - C:\WINDOWS\System32\adpsqh.dll
    O4 - HKLM\..\Run: [Microsoft IIS] C:\WINDOWS\system32\syshost.exe
    O4 - HKLM\..\Run: [w004b26e.dll] RUNDLL32.EXE w004b26e.dll,I2 000e86da0004b26e
    O4 - HKLM\..\RunServices: [ITUNES] itunes.exe
    O4 - HKLM\..\RunServices: [PPPOEOE] winlite.exe
    O4 - HKLM\..\RunServices: [SYSTEM] d.exe
    O4 - HKCU\..\Run: [fkzr] C:\PROGRA~1\COMMON~1\fkzr\fkzrm.exe
    O4 - HKCU\..\Run: [Knsvm] C:\WINDOWS\system32\SKS~1\WAUBOO~1.EXE
    O4 - HKCU\..\Run: [lmhdaz] C:\WINDOWS\System32\lmhdaz.exe
    O15 - Trusted Zone: http://click.getmirar.com (HKLM)
    O15 - Trusted Zone: http://click.mirarsearch.com (HKLM)
    O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM)
    O20 - AppInit_DLLs: inicfg32.dll,iniwin32.dll C:\WINDOWS\System32\notepad.dll
    NOTE: HJT will popup an error about the AppInit_DLLs line. Ignore it and click OK to continue.
    After clicking Fix, exit HJT.

Copy the bold text below to notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.
    Now run Pocket Killbox by doubleclicking on killbox.exe
    Choose Tools > Delete Temp Files and click Delete Selected Temp Files.
    Then after it deletes the files click the Exit (Save Settings) button.
    NOTE: Pocket Killbox will only list the added files it is able to find on the system. So when you do the below, if some files do not show in the list after pasting them in, just continue.

    Select:
    • Delete on Reboot
    • then Click on the All Files button.
    • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    C:\a3643fds.exe
    c:\WHCC2.exe
    c:\temp\FLEOK
    c:\windows\system32\sks~1\wauboo~1.exe
    C:\WINDOWS\System32\adpsqh.dll
    C:\WINDOWS\System32\inicfg32.dll
    C:\WINDOWS\System32\iniwin32.dll
    C:\WINDOWS\System32\lmhdaz.exe
    C:\WINDOWS\System32\notepad.dll
    C:\WINDOWS\System32\w004b26e.dll
    c:\windows\system32\data.~
    C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\2YWXIXXP\lg[1].exe
    C:\Program Files\Common Files\fkzr\fkzrd\fkzrc.dll
    • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
    • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt.
    If you receive a PendingFileRenameOperations prompt, just click OK to continue (But please let me know if you receive this message!).
    If Killbox does not reboot just reboot your PC yourself.
    After reboot locate the below folders and delete them if found:
    C:\Program Files\Common Files\fkzr
    C:\WINDOWS\system32\TFTP1732
    C:\WINDOWS\system32\TFTP1224
    C:\WINDOWS\system32\TFTP3484
    C:\WINDOWS\system32\TFTP2796
    C:\WINDOWS\system32\TFTP2852
    C:\WINDOWS\system32\TFTP3080

    Also delete all files in the below folders except ones from the current date (Windows will not let you delete the files from the current day).
    C:\WINDOWS\Temp
    C:\Documents and Settings\My Computer\Local Settings\Temp

Now attach the below new logs and tell me how the above steps went.

    1. GetRunKey
    2. ShowNew
    3. HJT
    4. E2TakeOut log

    Make sure you tell me how things are working now!

Reminder Note: Once we have determined you are malware free you will need to disable System Restore, reboot, and re-enable System Restore per step 1 of the READ & RUN ME. This only applies if using WinXP or WinMe.
     
  5. Mudrock

    Mudrock Private E-2

    Firstly, didn't know windows updates existed until I found this site - will get updated as per your advice provided that I'm now clean...

    Had no intention of editing the HJT log - there was an error during the scan, so maybe this is how it happened. It certainly wasn't a deliberate action on my part.

Followed your instructions to the letter and have attached the logs you requested. Again though, there was an error during the original HJT scan. I tried to copy the error message but it wouldn't allow me to, but it had said a copy had been saved to my clipboard. But I couldn't find it afterwards. The last scan worked OK so I think that's all right now...

    Machine seems to be working as normal now. Fingers crossed. Will wait for further advice.

    And last but not least, thank you so much for taking the time to help me!

    Mudrock
     

    Attached Files:

  6. Mudrock

    Mudrock Private E-2

    Last requested log.

    Mudrock
     

    Attached Files:

  7. Mudrock

    Mudrock Private E-2

Since my last post I have switched off my PC (was this a big mistake?). I have restarted and run my AVG virus scan, to satisfy myself that the machine is now (hopefully) clean - and it's not.

    File: wucrtupd.exe
    Result/infection: Trojan horse Downloader.Generic2.MIT
    Path: C:\WINDOWS\S?mantec\wucrtupd.exe

    I'm worried that this is my fault having switched off. What should I do?

    Mudrock
     
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

Not a problem! We will just add it to my final list of things to fix (unless AVG already fixed it???).


Copy the bold text below to notepad. Save it as fixme.reg to your desktop (yes, overwriting the previous file). Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.
    Then boot into safe mode and use Windows Explorer to find and delete the below:
    C:\WINDOWS\S?mantec <--- the whole folder. It will probably look like Symantec
    C:\Windows\System32\p6.exe

    Then attach a new log from GetRunKey.
    Run a new scan with AVG and make sure it comes up clean (other than maybe finding items in System Restore which we will flush later).

If everything is clean and everything is still running OK then continue on to the below, which will also get you on the road to your updates.

    If you are not having any other malware problems, it is time to do our final steps:
    1. If we used Pocket Killbox during your cleanup, do the below
      • Run Pocket Killbox and select File, Cleanup, Delete All Backups
    2. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    3. If you are running Windows XP or Windows ME, do the below:
      • go back to step 8 of the READ & RUN ME to Disable System Restore which will flush your Restore Points.
      • Then reboot and enable System Restore to create a new clean Restore Point.
    4. After doing the above, you should work thru the below link:
     
  9. Mudrock

    Mudrock Private E-2

    I have followed your instructions with mixed success.

    I pasted in the fixme.reg file.
    I deleted the "symantec" folder.
    I couldn't find the p6.exe file.
    I thought it may have been hidden so went back to the "read and run me" thread to show hidden files. I have obviously had to wait a little while to do this. I still can't find the file.
    I ran AVG which found the same trojan (Downloader.Generic2.MIT) as before but via a different path:

    C:\System Volume Information\_restore{8984BCBB-C0C7-4577-B1D6-0067E16D5EF9}\RP86\A0046410.exe

    I assume that this is in System Restore so I shouldn't worry (?!).

    I ran getrunkey.bat.
    I attached the log below.

    I haven't continued any further in case any of the above was significant. I await further instructions.

    Also, I would really appreciate some advice about the order that programs load in startup. Counterspy starts searching for updates and can access the internet before ZoneAlarm loads, so bypassing the firewall. Doesn't this mean that other programs can too? If so, can I change the order in which everything loads to make sure my firewall is up first?

    Mudrock
     

    Attached Files:

  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

Are you sure you added the registry patch in successfully? Did you get a success message? The key is still there! Try again but make sure ALL windows and other processes are closed when you do it. Then attach another log from GetRunKey. How are you looking for the file? What exactly are you using/doing?

This can be a nasty trojan; see the Technical Details here:

    http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_SDBOT.AKJ&VSect=T


Toggle System Restore as indicated in step 8 of the READ ME.

    Are you going to purchase Counter Spy? After the 15 day trial you cannot use it.
     
  11. Mudrock

    Mudrock Private E-2

    Nope still can't find it.

    Definitely added the registry patch properly, with a success message.
    Rebooted in safe mode and couldn't find the p6.exe file.
There were no other windows/applications open. [Weirdly though, when I rebooted into normal mode, task manager asked me to "end now" explorer.exe - I don't know what this is, but I certainly couldn't see it running.]

    I tried to find the p6.exe file by the following steps:
    Right click "start"
    Left click "explore"
    Left click on c:\windows
    Left click on system32
    Scrolled through files listed on right side of screen
    No p6.exe file to be found
    Checked that hidden files would be shown as in point 2 of read and run me first
    Still not there
    Used "search" function, for all files containing "p6", including searching hidden files and folders
    No exe files found containing p6

    Ran getrunkey and could see the p6.exe file listed in the log, but I can't see it anywhere else!!!
    Log attached, but I know that you'll tell me the file is still there somewhere - but how do I find it?
    Sorry if I'm doing things wrong, I am trying my best and don't want to waste your time. I think I've followed the instructions on the threads to the letter and can't see where I've gone wrong.

    I've toggled system restore and AVG no longer finds the Trojan file as in my last post.

    As for counterspy, no I won't be keeping it. I was merely worried that there was the potential for new malware to get access to my machine before the firewall could protect it. I presume then that once counterspy has been uninstalled that I shouldn't worry...

    Many thanks for your continuing time and patience - as I said in my original post, I am a total novice.

    Mudrock
     

    Attached Files:

  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

The file could be gone but the registry key that is trying to load it is still present. If the registry patch is not removing it, this means the registry key is locked from being edited by you. This in turn means that either malware is still present or that malware previously locked the key and now we need to remove the lock. We will try this down below.

    Explorer.exe is ALWAYS running. Without it you would have no desktop, no icons, no Start button....etc. It may temporarily have been shutdown when that error occurred but it will automatically restart afterwards. You will always see at least one explorer.exe process running. If you open a Windows Explorer session to do some file searching, you will see a second explorer.exe running. Don't confuse it with iexplore.exe which is Internet Explorer.

    Now back to that registry key that will not delete.
Please download and install Registrar Lite. Make sure you select a MajorGeeks download link and not the author's!

Run Registrar Lite, navigate to the following key and take ownership of it (explained further down):

    HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion

    To take ownership of the key do the following:
    • Copy & Paste the registry key from above into the address bar of Registrar Lite and hit the enter key. This will bring you to the registry key.
    • Click-on Security in the Menu
    • Select Take Ownership
    • Now leave RegistrarLite running and continue
    • Now run the REGISTRY PATCH below in this message.
    • Tell me the results. Any error messages?
    • Now in RegistrarLite click View and then Refresh
    • Now navigate to HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run
• Does the above MSNPluginSrvcs key still exist in the right window pane? If so, right click on it and select Delete.
    Here is the Registry Patch

Now copy the bold text below to notepad. Save it as fixme.reg to your desktop (make sure to use this new registry patch and overwrite the previous file). Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.

    Now attach a new log from GetRunKey!
     
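The two recurring themes in chaslang's instructions above are autostart entries (the HijackThis O4 Run/RunServices lines, some pointing at files that no longer exist) and a Run key whose value cannot be deleted because the key's permissions were changed. The following PowerShell script is an added example written for this page; it is not chaslang's, GetRunKey's or MajorGeeks' code. It enumerates the same Run locations (HKLM, HKCU and HKEY_USERS\.DEFAULT), resolves each command line to the file Windows would load, flags entries whose file is missing, and lists keys that carry Deny permissions, which is what makes a .reg patch silently fail. It assumes Windows PowerShell 3.0 or later on a current Windows; the key paths are the standard ones, and the System32 fallback for bare file names is an assumption made for illustration.

```powershell
# Added example (not from the thread or MajorGeeks): inventory the autostart
# registry locations behind the HijackThis O4 lines, flag entries whose target
# file is gone, and report keys with Deny ACEs, the "registry patch won't
# remove it" situation described above.
# Assumes Windows PowerShell 3.0+; key paths are standard, the rest is illustrative.

$autostartKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunServices',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'Registry::HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run'
)

function Resolve-AutostartTarget {
    # Turn a Run-value command line into the path of the file Windows would load.
    param([string]$Command)
    $cmd = [Environment]::ExpandEnvironmentVariables($Command.Trim())
    if ($cmd.StartsWith('"') -and $cmd.IndexOf('"', 1) -gt 0) {
        $exe = $cmd.Substring(1, $cmd.IndexOf('"', 1) - 1)
    } else {
        $exe = ($cmd -split '\s+')[0]
    }
    $tokens = $cmd -split '\s+'
    # "RUNDLL32.EXE foo.dll,Entry" loads foo.dll; that DLL is the real autostart payload.
    if ($exe -match '^rundll32(\.exe)?$' -and $tokens.Count -gt 1) {
        $exe = ($tokens[1] -split ',')[0]
    }
    if (-not [IO.Path]::IsPathRooted($exe)) {
        # A bare name like "winlite.exe" is resolved via PATH at logon; mirror that,
        # and fall back to System32 (an assumption) so a missing file still yields a checkable path.
        $found = Get-Command $exe -ErrorAction SilentlyContinue
        if ($found -and $found.Source) { $exe = $found.Source }
        else { $exe = Join-Path $env:SystemRoot ("System32\" + $exe) }
    }
    return $exe
}

function Get-AutostartReport {
    foreach ($key in $autostartKeys) {
        if (-not (Test-Path -Path $key)) { continue }
        $values = Get-ItemProperty -Path $key
        foreach ($prop in $values.PSObject.Properties) {
            if ($prop.Name -like 'PS*') { continue }   # provider metadata, not a Run value
            $target = Resolve-AutostartTarget ([string]$prop.Value)
            [pscustomobject]@{
                Key         = $key
                Name        = $prop.Name
                Command     = $prop.Value
                Target      = $target
                FileMissing = -not (Test-Path -LiteralPath $target)
            }
        }
    }
}

function Get-LockedAutostartKeys {
    # A Deny ACE on the key stops .reg merges and regedit deletes from working for
    # that principal; report owner and denied rights so ownership can be reset first.
    foreach ($key in $autostartKeys) {
        if (-not (Test-Path -Path $key)) { continue }
        $acl = Get-Acl -Path $key
        $denies = @($acl.Access | Where-Object { $_.AccessControlType -eq 'Deny' })
        if ($denies.Count -gt 0) {
            [pscustomobject]@{
                Key    = $key
                Owner  = $acl.Owner
                Denied = ($denies | ForEach-Object { "$($_.IdentityReference): $($_.RegistryRights)" }) -join '; '
            }
        }
    }
}

# Entries whose file is gone are dead persistence (like the p6.exe value in the
# thread) and are the ones a cleanup should remove; locked keys explain a patch that "did nothing".
Get-AutostartReport | Where-Object { $_.FileMissing } | Format-Table -AutoSize
Get-LockedAutostartKeys | Format-List
```

Run it from an elevated prompt so HKLM and HKEY_USERS\.DEFAULT are readable; the missing-file report is the modern equivalent of comparing a GetRunKey log against the files actually on disk, and a non-empty locked-key report is the signal that the "take ownership, then delete" route in the post above is needed rather than another .reg merge.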
  13. Mudrock

    Mudrock Private E-2

    Followed instructions and it all worked perfectly.
    The registry patch was successfully merged.
    The p6.exe file key was then successfully deleted!

    runkey log attached...

    I await any further instructions.

    Mudrock
     

    Attached Files:

  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Your log is clean. If you are not having any other malware problems, it is time to do our final steps:
    1. If we used Pocket Killbox during your cleanup, do the below
      • Run Pocket Killbox and select File, Cleanup, Delete All Backups
    2. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    3. If you are running Windows XP or Windows ME, do the below:
      • go back to step 8 of the READ & RUN ME to Disable System Restore which will flush your Restore Points.
      • Then reboot and enable System Restore to create a new clean Restore Point.
    4. After doing the above, you should work thru the below link:
     
