Malware Trojans - Fake Alert, JS\Tenia, Rootkit

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by Jabinjax, Jul 18, 2009.

  1. Jabinjax

    Jabinjax Private E-2

    On 7/16/09 I developed a problem on my computer while surfing the net that results in lockups while booting, uninitiated Internet Explorer activations, and Google search not working. I have attempted to follow the steps in Read & Run Me First. I followed the instructions in the overview and then downloaded the tools specified in the Windows XP Cleaning Procedure section.

    I can not get SUPERAntiSpyware to run. Tried changing the name to SAS.exe. With either name, I get a message from SUPERAntispyware saying: “SuperAntiSpyware has encountered a problem and needs to close.” Re-downloaded and tried it again, same thing.

    I can not get Malwarebytes Anti-Malware to run. It appears to install correctly and I click on the “Update Malwarebytes’ Anti-Malware” and “Launch Malwarebytes Anti-Malware” boxes at the end and click on Finish. Nothing happens after 10 – 15 minutes. The program will not start from the Desktop icon or from the Start menu, ALL PROGRAMS, Malwarebytes icon. I have uninstalled it and reinstalled it a couple of times.

    Your advice is to skip over any of these programs that do not function, but I’m hesitant to do so due to problems getting the first two tools to even start up. Any advice?

    My system specs are:

    Windows XP Professional
    Version 2002
    Service Pack 3

    Intel Pentium 3.00 GHz
    2.00 GB Ram

    McAfee Security Center 9.3 updated 7/9/09
    McAfee Virus Scan 13.3 updated 7/17/09
    McAfee Personal Firewall 10.3 updated 6/9/09

    My problem history is:

    On 7/16/09 I was using Google to search the web for golf cart accessories. While accessing websites I got three messages from McAfee Real Time Scan concerning Trojans. The contents of the McAfee Detection Log follows:

    1. 7/16/09 7:12:30PM Real Time Scan Generic FakeAlert!htm(Trojan) Quarantined
    Detection name: Generic FakeAlert!htm(Trojan)
    File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\F81xJFGC\Index[4].htm
    Process: C:\program Files\Internet Explorer\iexplore.exe


    2. 7/16/09 7:12:33PM Real Time Scan GenericFakeAlert!htm(Trojan) Quarantined
    Detection name: Generic FakeAlert!htm(Trojan)
    File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\GMLPCG5F\Index[3].htm
    Process: C:\program Files\Internet Explorer\iexplore.exe


    3. 7/16/09 7:24:28PM Real Time Scan JS\Tenia.d(Trojan) Quarantined
    Detection name: JS\Tenia.d(Trojan)
    File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\GMLPCG5F\Index[3].htm
    Process: C:\program Files\Internet Explorer\iexplore.exe

    If I initiate a Full Scan by McAfee I get the following McAfee Detection Log entry(typical of about 10 runs):

    7/16/09 8:12:11PM Full Scan GenericRootkit.d!(Trojan) Removed
    Detection Name: GenericRootkit.d!rootkit(Trojan)
    File: NTOSKRNL-HOOK


    I have the following problem symptoms:

    1. System hangs up during the boot process. Hangs in different stages of the process. So far, after 1 to 4 tries it will boot successfully.

    2. Once booted, when I start Internet Explorer I get a message from Internet Explorer saying:

    "Your last browsing session closed unexpectedly. Would you like to restore your last session, or go to your home page."

    If I select the restore options, a variety of Internet Explorer sessions come up, none of which I initiated. Once I close these extraneous activations, I can get to the sites I want (like GEEKS.com). I will also get extraneous Internet Explorer activations at random times while using the computer.

    3. Google search doesn’t work. If I type in some key words for a search and click on the search icon, for just a second the screen will flicker with what appears to be the correct information, then it blanks out and gives the DONE message in the bottom left hand side of the screen.


    Any and all help appreciated.
     
  2. Jabinjax

    Jabinjax Private E-2

    As of 7/19/09 I have tried to run all the tools in Read and Run Me First and Windows XP Cleaning Procedure.

    I could not get the following tools to run: SuperAntiSpyware, Malwarebytes Anti-Malware, combofix.exe, and RootRepeal.

    I think MGtools at least partially ran and I will explain below. MGtools did generate the MGlogs.zip file and I have attached it.

    Now for a summary of what I have done to date following the steps in R&R:

    1. Uninstall Malware Programs
    Removed "viewpoint media player"

    2. SunJava
    Removed Java 2 Runtime Environment SE v1.4.2
    Installed Java(TM) 6 update 14

    Received 3-4 messages during this install asking me to approve or
    deny adding Browser Helpers to IE. I approved.

    3. MSCONFIG
    Checked MSconfig and it was already in Normal mode.

    4. McAfee Quarantined Files
    Removed two quarantined files from McAfee.

    5. Recycle Bin
    Emptied

    6. CCleaner
    Installed new CCleaner and have run multiple times.

    7. Enable System View of Files
    Done

    8. SUPERAntiSpyware
    Installed from Geeks.com website. Get error "SUPERAntiSpyware
    has encountered an error and needs to close". Redownloaded. Same
    thing. Tried Safe Mode. Got error: "The System Administrator has
    set policies to prevent this installation."
    Then went to the SAS website. Downloaded the free version from
    them. Same result. Followed threads on SAS website. Downloaded
    SAS.FREE.EXE. SAS appeared to install o.k. at this point. Tried to run,
    same error. Ran RUNSAS.exe from SAS website. Got error message:
    "unable to locate program files". Tried Renaming to SAS.exe, with
    same result.

    9. Malwarebytes Anti-Malware
    Have downloaded and tried to run it several times, both in Safe and
    Normal modes. Appears to install o.k., but does nothing when
    activated. Tried Safe and Normal modes.

    10. combofix.exe
    Appeared to install o.k. and started running o.k. Got to the screen
    telling me the publisher could not be verified. Clicked on run and
    waited. No more combofix windows popped up. After two hours of
    waiting I gave up. System appeared to be idling. No activity?

    11. RootRepeal
    Appeared to install and begin running o.k. Then got error message:
    "Could not read boot sector. Try adjusting the Disk Access Level
    in the Options Dialog." Don't know how to do this. Clicked on o.k.

    Then got error: "Could not find module on disk." I did get what
    appeared to be the Root Repeal home screen. So, I tried to
    start the scan anyway. Got error: "Device IoControl error!
    Error code=0xc0000001."

    12. MGTools
    Appeared to install o.k. and appears to have partially run. Generated
    MGlogs.zip file. I hope it has something useful.

    I got the following errors while MGTools was running. First, right
    after the screen showed: "Looking for Vundo type Infection. Be
    patient.", I got an error from Sort Utility saying "Sort Utility has
    encountered a problem and needs to close."

    After this the MGTools page showed the message: "The process
    cannot access the file because it is being used by another
    process."

    Then after agreeing to the Trendmicrosystem license agreement,
    and right after the MGTools page showed the message "Zipping
    highjackthis.log" I got an error from Dll Logger as follows:
    "Proc Dll Logger has encountered a problem and needs to close."

    Then got the message: Scanning complete - Your log file is in
    C:\MGlogs.zip***.

    MGtools appeared to terminate normally and I have attached the
    zip file.

    13. TDSSserv.sys
    While perusing the Malware forum I saw a thread that looked similar
    to mine with subject: "Invasive Software Takeover - Please Help",
    dated 07/05/09 at 13:31. Based on directions given in this thread,
    I tried to see if I had TDSSserv.sys on my system. I do not appear
    to have it on my system.


    Summary: My symptoms as noted in my original post remain the same.
    I haven't noticed anything new.

    Let me know what to do next. Thanks again for all you do.
     

    Attached Files:

  3. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    I am not seeing any malware in your logs. I suggest that you disable all McAfee programs and see if you can't then run the other scans. Let me know if you have any luck with either renaming them or running them in safe mode.
     
  4. Jabinjax

    Jabinjax Private E-2

    TimW,

    First of all, let me thank you for responding to my problem. Looks like you guys are swamped!! I appreciate it.

    I successfully (I think), was able to run all the scans in safe mode with NO networking as follows:

    1. SUPERAntiSpyware
    In safe mode(no networking) with the SAS.exe file renamed to
    Text.exe, the scan ran to completion. Note: The SAS version I ran
    was the FREE version from the SAS website(see prior post). The scan
    found 10 threats, 2 in the Registry and 8 files.

    Let me know if I need to download the MajorGeeks version of SAS
    and run it.

    2. MalwareBytes
    Ran to completion and found 3 threats, all quarantined. Renamed to
    John.exe to run.

    3. Combofix
    Ran to completion using the standard name on my desktop.

    I ran it in Safe Mode (No networking), so I was not able to install
    the "Microsoft Windows Recovery Console". After I post this, I'll try to
    install it manually.

    Combofix did not find anything as near as I can tell.

    4. RootRepeal
    Ran in SAFE MODE (no networking). No problems found.

    5. MGTools
    Ran in SAFE MODE (NO networking). Ran to completion.

    Four Logs are attached.

    Thanks

    John
     

    Attached Files:

  5. Jabinjax

    Jabinjax Private E-2

    TimW,

    Here is the Root Repeal log. Also run in SAFE Mode, no networking. Nothing found.

    If you find additional problems let me know. Unfortunately, we have to leave town in the morning for a funeral. Will be gone for a week possibly. I'll check your posts, but additional actions will have to wait till I get back.

    Thanks again for all you guys do.
     

    Attached Files:

  6. Jabinjax

    Jabinjax Private E-2

    TimW,

    A few comments on how my PC seems to be running now:

    1. I have not had a reboot failure since running the scans earlier today.
    Only run 3 - 4 so far.

    2. Google search function now appears to work.

    3. I have not seen any signs of the extraneous websites that were
    being initiated previously.

    So, in summary, my PC seems to be functioning normally at this point,
    but we need to see what the logs show and monitor for return of my previous symptoms or any new ones.

    Other notes:


    4. When I boot my system in normal mode, it appears that
    SUPERAntiSpyware is activated? I don't see it on the Task list.
    Is this normal?

    5. I have not run McAfee virus scan since I ran the Majorgeeks
    recommended scans this afternoon. When I have run McAfee over the
    last few days it has flagged PrcViewer as a potentially unwanted
    program. I think this is a program in MGTools (?) and assume this is
    not a valid threat?

    6. I tried to follow the directions in the Combofix instructions to manually
    install the Windows Recovery Console on my PC. When I went to the
    Microsoft link it gives instructions for downloading the Windows XP
    Setup disks for a floppy boot installation. You can click on a
    Microsoft Recovery Console link on that page, but it only gives
    instructions for installing the Recovery Console from your Windows
    CD. It says you can download the Recovery Console from a UNC
    site. Any advice? I guess I can rerun Combofix in Normal mode
    and let it install the Recovery Console for me. I assume I need the
    Recovery Console if we do some addditional repair work.

    Thanks again for your help.
     
  7. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    First my condolences! :(

    McAfee is a resource hog and I would suggest that you replace it. Unless you have a paid for subscription. But I would suggest dumping it when the subscription runs out.

    Your logs are clean except for one item. Please use windows explorer to find and delete:
    C:\WINDOWS\system32\UACovlvhgocbl.db

    Run this: Disable/Remove Windows Messenger to remove Windows Messenger. Do not confuse Windows Messenger with MSN Messenger because they are not the same. Windows Messenger is a frequent cause of popups.

    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no real-time protection. They are useful as backup scanners. They do not use any significant amount of resources (except a little disk space) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /u
        • Notes: The space between the combofix" and the /u, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
    3. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    4. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    5. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    6. Go to add/remove programs and uninstall HijackThis.
    7. Goto the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    8. If you are running Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures in step 3 of the READ ME for your Windows version and see the instructions to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    9. After doing the above, you should work thru the below link:
     
  8. Jabinjax

    Jabinjax Private E-2

    Timw,

    Just got back in town after attending a family funeral. Sorry for the delay.

    Since my previous runs of the various tools were done in SAFE mode I decided to rerun everything in NORMAL mode before wrapping things up just to make sure all is o.k..

    Note, my computer seems to be running fine after the cleanup performed on 7/21/09.

    Tonight I reran: SUPERAntispyware, Malwarebytes, Combofix, RootRepeal, and MGTools, all in NORMAL mode.

    The runs appeared to be clean and all logs are attached. Note SUPERAntispyware did not appear to create a log since no objects were detected.

    The only unusual thing I noticed was that the RootRepeal log shows several entries under the Hidden Files heading. I'm assuming these aren't problems, but I wanted you to check before I return to normal use on my PC.

    If all looks o.k. with you, I'll follow the instructions in your previous message of 7/24/09.

    Thanks again for the help and all you guys do!!
     

    Attached Files:

  9. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Sometime after the last Combo log, you got a nasty. So let's do this one more time to be sure.

    First, run this: Disable/Remove Windows Messenger to remove Windows Messenger. Do not confuse Windows Messenger with MSN Messenger because they are not the same. Windows Messenger is a frequent cause of popups.

    Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

    * Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
    If it is not on your Desktop, the below will not work.
    * Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    * If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
    * Open Notepad and copy/paste the text in the below code box into it (make sure you scroll all the way down in the code box to get all lines selected ):
    Code:
    KILLALL::
    
    File::
    c:\windows\TEMP\TMP0000012BAB00F3AC1E1F253C
    C:\WINDOWS\system32\settings.sfm
    C:\WINDOWS\system32\settingsbkup.sfm
    
    * Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    * At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    * You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    If it asks you to override the previous file with the same name, click YES.
    * Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    * Follow the prompts.
    * When it finishes, a log will be produced named c:\combofix.txt
    * I will ask for this log below

    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    Now run Ccleaner to clean out only temp files and nothing else!

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:

    * C:\ComboFix.txt
    * C:\MGlogs.zip
     
  10. Jabinjax

    Jabinjax Private E-2

    Tim W,

    Thanks for getting back to me. I think I disabled Windows Messenger, not sure. I ran Combofix, CCleaner, and MGtools per your last instructions and logs are attached.

    Comments:

    1. Windows Messenger

    When running the Remove/Disable Windows Messenger program a
    window popped up asking me to check the appropriate boxes. I
    checked the "Disable Windows Messenger Machine Wide" and "Hide
    Messenger from Outlook Express" boxes. I did not check the
    "Uninstall Windows Messenger" box. I then clicked the "APPLY"
    button. After waiting some time, the window did not change, so I
    clicked on the "EXIT" button. Reran a second time with same result.
    So, not sure if Messenger is disabled or not?

    2. Combofix

    Combofix did request the download of a new version. Done.

    After the scan, Combofix shutdown and restarted my PC. Wasn't sure
    what action to take, so when prompted, I entered my log-on password.
    Combofix restarted and appeared to complete normally. However, all
    the processes associated with startup were fired up. Hope, this did not
    confuse the issue.

    3. CCleaner

    Your instructions were to run CCleaner, but only delete the temporary
    files. I ran it with only the "System Temporary Files" box checked. I
    did not check the box for "Temporary Internet Files".

    4. MGTools

    Your instructions were to run C:\MGtools\GetLogs.bat. I don't have
    this file on my C drive. The program I downloaded is named:
    C:\MGtools.exe, which I ran. I assume this results in the same logs
    being created.


    5. File Delete Requested Earlier

    In your post of 7/24 you asked me to use Windows explorer to delete
    the file "C:\WINDOWS\system32\UACovlvhgocbl.db". I deleted this
    file when we got home on August 6th.

    6. Symptoms

    My previous symptoms, intermittent boot failures, random internet
    page accesses, went away with the 7/21 tool runs.

    I currently have the following artifacts/symptoms. My mouse speed
    increased dramatically. It was wild. I changed the speed via the
    Control Panel\Mouse. However, during the boot process, before I
    log in with my password, the mouse is still very fast. Is there a way
    to change this?

    My task bar is screwy. There aren't any colors on it. For example,
    the Start button has a white background instead of green. Active
    tasks are not shaded blue, just a white background. When I left click
    on the Start button, none of the displayed entries are shaded blue.
    When I go into the Control Panel\Display and try to reestablish the
    task bar format, it has no effect.

    One time I had a task called "mhotkey" show up on my task bar
    after booting. Did not know what this was, so I closed it. Haven't
    seen it again.

    Any ideas on what caused these issues and how to fix them?


    Anyway it appears something has changed settings on my PC.

    I also have old tools recommended by MajorGeeks on my PC. These include: AdAwareSE, SpywareBlaster, and SpywareGuard. Should I delete/uninstall these?


    That's it. Thanks again for your help
     

    Attached Files:

  11. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    I am not finding any malware on your system. However I did mistakenly remove something that turns out to be part of Creative Labs. So let's restore that:
    * Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
    If it is not on your Desktop, the below will not work.
    * Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    * If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
    * Open Notepad and copy/paste the text in the below code box into it (make sure you scroll all the way down in the code box to get all lines selected ):
    Code:
    KILLALL::
    
    DeQuarantine::
    C:\Qoobox\Quarantine\C\WINDOWS\system32\settings.sfm.vir
    C:\Qoobox\Quarantine\C\WINDOWS\system32\settingsbkup.sfm.vir
    
    Quit::
    
    
    * Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    * At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    * You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    If it asks you to override the previous file with the same name, click YES.
    * Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    * Follow the prompts.
    * When it finishes, a log will be produced named c:\combofix.txt
    * I will ask for this log below

    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    Now the only thing that looks amiss is this:
    Error: Key: regfile\shell\merge\command does not exist!

    I don't know if this has anything to do with your issues, but I will get back to you regarding it.

    Attach the combo log please.
     
  12. Jabinjax

    Jabinjax Private E-2

    Tim W,

    I had some problems with Combofix, so I'm not sure the changes you gave me were applied correctly or that Combofix ran properly. Here's what happened.

    1. Dragged the CFscript.txt file on top of Combofix.exe. Combofix started up and said it needed to upgrade, so I let it upgrade. Combofix started running and got to the Autoscan screen where it says "Scanning for infected files...". A few seconds after the scan started a Notepad file window opened named "Dequarantine.txt" with the following text:

    C:\Qoobox\Quarantine\C\WINDOWS\system32\settings.sfm.vir -> C:\WINDOWS\system32\settings.sfm ( 1080 bytes )
    C:\Qoobox\Quarantine\C\WINDOWS\system32\settingsbkup.sfm.vir -> C:\WINDOWS\system32\settingsbkup.sfm ( 1080 bytes )

    At this point Combofix appeared to stop running. I waited about a half an hour. Nothing happening. Autoscan window had disappeared. No Combofix.txt file was created. A task called Notepad.exe was on my task list.
    I tried to access the internet, couldn't. Tried to print the Dequarantine.txt file, but no printer was assigned to my computer. It appeared that Combofix had quit running and left my computer in an unknown state.

    So, after thinking about what to do, I finally decided to rerun Combofix without creating the CFscript.txt file you had in your last message.

    2. Started up Combofix. It ran to completion and created the Combofix.txt log file. It is attached. I had to reboot my PC in order to access the internet. Other than that, my PC seems to be running normally.

    3. I do not see the files I think you were trying to restore on my PC, namely:

    C:\WINDOWS\system32\settings.sfm, and
    C:\WINDOWS\system32\settingsbkup.sfm


    So, I don't think the first run of Combofix where you were trying to restore the files worked properly.

    Should I try to run Combofix again with the code you supplied in your last message?

    Why did my PC hang up the first time and what do I do if it hangs up again if you ask me to rerun the code you sent?

    Not sure what happened, made me nervous that my PC was left hanging in some unknown state.

    As noted in my prior message, my original symptoms: hangs when booting, random internet accesses, etc. all cleared up when I was able to run the tools in SAFE mode back on 7/21.

    I had a new problem with the background color on my taskbar when I got home on 8/6, but finally discovered that some process (Combofix?) had changed my windows display Properties Appearance option to "Windows Classic" rather than "Windows XP". Once I changed this my Taskbar and Start menu background colors were as they should be.

    Anyway, the Combofix.txt log is attached.

    I don't think the code you gave me to restore the settings files worked.

    What next?

    Thanks again....
     

    Attached Files:

  13. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Bummer....let's try it again:

    * Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
    If it is not on your Desktop, the below will not work.
    * Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    * If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
    * Open Notepad and copy/paste the text in the below code box into it (make sure you scroll all the way down in the code box to get all lines selected ):
    Code:
    KILLALL::
    
    DeQuarantine::
    C:\Qoobox\Quarantine\C\WINDOWS\system32\settings.sfm.vir <-- virfile
    C:\Qoobox\Quarantine\C\WINDOWS\system32\settingsbkup.sfm.vir <-- virfile
    
    Quit::
    
    * Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    * At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    * You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    If it asks you to override the previous file with the same name, click YES.
    * Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    * Follow the prompts.
    * When it finishes, a log will be produced named c:\combofix.txt
    * I will ask for this log below

    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:

    * DeQuarantine_log.txt
    * C:\MGlogs.zip
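    The CFScript format used in the three scripts above (a bare section name ending in `::`, followed by one path per line) is easy to mis-edit when pasted; below is an added Python dry-run checker, not ComboFix's own code, that parses such a script and reports what it would delete or restore. The `File::` (delete) and `DeQuarantine::` (restore from `C:\Qoobox\Quarantine`) meanings and the `.vir` path mapping are taken from the Dequarantine.txt output quoted earlier in this thread; treating `KILLALL::` as "terminate running programs" is an assumption, and the sample scripts are constructed copies of the ones posted here.

```python
import re

# Quarantine root as shown in the Dequarantine.txt output quoted in this thread.
QUARANTINE_ROOT = r"C:\Qoobox\Quarantine"

# Constructed sample: the DeQuarantine script from the post above, including
# the "<-- virfile" annotations, which must not become part of the path.
SAMPLE_RESTORE_SCRIPT = r"""
KILLALL::

DeQuarantine::
C:\Qoobox\Quarantine\C\WINDOWS\system32\settings.sfm.vir <-- virfile
C:\Qoobox\Quarantine\C\WINDOWS\system32\settingsbkup.sfm.vir <-- virfile

Quit::
"""

# Constructed sample: the File:: script posted earlier in the thread.
SAMPLE_DELETE_SCRIPT = r"""
KILLALL::

File::
c:\windows\TEMP\TMP0000012BAB00F3AC1E1F253C
C:\WINDOWS\system32\settings.sfm
C:\WINDOWS\system32\settingsbkup.sfm
"""

SECTION_RE = re.compile(r"^([A-Za-z]+)::$")


def parse_cfscript(text):
    """Return an ordered list of (section, entries) pairs.

    A section header is a bare word ending in '::'; every non-blank line
    after it belongs to that section. A trailing '<-- comment' is stripped.
    """
    sections = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            sections.append((m.group(1), []))
            continue
        if not sections:
            raise ValueError("entry appears before any section header: %r" % line)
        entry = line.split("<--", 1)[0].strip()
        sections[-1][1].append(entry)
    return sections


def restore_target(quarantine_path):
    # C:\Qoobox\Quarantine\C\WINDOWS\system32\settings.sfm.vir
    #   -> C:\WINDOWS\system32\settings.sfm   (mapping seen in Dequarantine.txt)
    prefix = QUARANTINE_ROOT + "\\"
    if not quarantine_path.lower().startswith(prefix.lower()):
        raise ValueError("not under the quarantine root: " + quarantine_path)
    rest = quarantine_path[len(prefix):]          # "C\WINDOWS\system32\settings.sfm.vir"
    drive, sep, tail = rest.partition("\\")
    if not sep or len(drive) != 1 or not drive.isalpha():
        raise ValueError("missing drive-letter folder: " + quarantine_path)
    if not tail.lower().endswith(".vir"):
        raise ValueError("quarantined file lacks the .vir suffix: " + quarantine_path)
    return drive + ":\\" + tail[:-len(".vir")]


def plan(text):
    """Summarise what a CFScript would do, without touching the file system."""
    summary = {"kill_processes": False, "delete": [], "restore": [], "quit_after": False}
    for name, entries in parse_cfscript(text):
        key = name.lower()
        if key == "killall":                      # assumed: terminate running programs
            summary["kill_processes"] = True
        elif key == "file":                       # paths ComboFix would delete
            summary["delete"].extend(entries)
        elif key == "dequarantine":               # quarantine copies it would put back
            summary["restore"].extend((q, restore_target(q)) for q in entries)
        elif key == "quit":
            summary["quit_after"] = True
        else:
            raise ValueError("unknown section %s:: (refusing to guess its effect)" % name)
    return summary


if __name__ == "__main__":
    for script in (SAMPLE_DELETE_SCRIPT, SAMPLE_RESTORE_SCRIPT):
        p = plan(script)
        print("kill processes:", p["kill_processes"], " quit after:", p["quit_after"])
        for path in p["delete"]:
            print("  delete ", path)
        for src, dst in p["restore"]:
            print("  restore", src, "->", dst)
```

Running it on the restore script prints the same two `... .vir -> C:\WINDOWS\system32\... ` lines that Dequarantine.txt showed, which is a quick way to confirm a script restores exactly what was quarantined.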
     
  14. Jabinjax

    Jabinjax Private E-2

    Tim W,

    o.k. followed instructions and Combofix ran to a normal completion. It did reboot my PC during the process.

    I have attached ComboFix.txt and MGlogs.zip.

    I can't find a file named DeQuarantine_log.txt?

    When I read your email message text the file appears to be called ComboFix.txt. When I read your post on the website it says Dequarantine_log.txt.
    So, I'm confused.


    I can't find the files C:\Windows\system32\settings.sfm and C:\WINDOWS\system32\settingsbkup.sfm.

    Not sure the restore worked.

    Anything more on the Error: Key: regfile\shell\merge\command does not exist! thingee?

    PC seems to be running normally. Reran SUPERAntispyware and Malwarebytes while I was sitting around. No infected stuff was found.

    Thanks,
     

    Attached Files:

  15. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    They are back in the sys32 folder where they should be.

    As far as that error is concerned, it's not a problem.

    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no real-time protection. They are useful as backup scanners. They do not use any significant amount of resources (except a little disk space) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /u
        • Notes: The space between the combofix" and the /u, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
    3. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    4. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    5. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    6. Go to add/remove programs and uninstall HijackThis.
    7. Goto the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    8. If you are running Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures in step 3 of the READ ME for your Windows version and see the instructions to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    9. After doing the above, you should work thru the below link:
     
  16. Jabinjax

    Jabinjax Private E-2

    Tim W,

    First, thanks for all your help. My PC appears to be running fine now.

    I followed all your cleanup instructions. The only anomaly was when I tried to uninstall HijackThis 2.0.2. Got a message saying the program had previously been uninstalled? I didn't do this, so I assume the uninstall Combofix process may have done it?

    My mistake on not finding the two sys32 files. I didn't look for them correctly. Now I see they are there.

    I still see some odd files on my C drive like a "Dequarantine" and "Boot.bak".

    There is one folder on my C drive named "b0d83eb29b7fed6f79" that contains 2 folders and 14 files totaling 6.12 mb. This file shows a creation date of 8/7/09. I don't have any idea what it is, but it has a weird name.

    Multiple runs of SUPERAntispyware, Malwarebytes, and McAfee have shown no problems over the last several days.

    I am assuming it is safe to resume normal operations on my PC.

    This is the second time that MajorGeeks has come to my rescue. So thank you guys very much.

    Keep up the good work!!!
     
  17. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    C:\b0d83eb29b7fed6f79 --> remove it. The rest are fine. You're good to go. :)
     
  18. Jabinjax

    Jabinjax Private E-2

    TimW

    File deleted.

    Life is good!!!


    Thanks Thanks Thanks

    :)
     
  19. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    You are most welcome...safe surfing. :)
     
