Massive Virus/rootkits guidance please

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by dkgoodwin, Aug 2, 2011.

  1. dkgoodwin

    dkgoodwin Private First Class

    Hello Geek Officers,

    I have been handed a computer that is in very sorry condition. WinXP. The owner ran it for three months w/o active AV software.

    Have run CCleaner, 10megs of fragmented files. Cleared those up.
    Ran Mbam - quick scan 59 types of virus/trojans/spyware. Cleared these up.
    Ran SAS - 22 items found and cleared
    Ran deep scan Mbam - more viri and 4 rootkits.
    So I'm thinking it's time for Rkill and ComboFix maybe. But I am an NCO and believe I should have guidance for these two and whatever else you suggest.

    Looking forward to working w/ you folks again.
     
  2. thisisu

    thisisu Malware Consultant

    Hi dkgoodwin,

    Please review the below link:
    READ & RUN ME FIRST. Malware Removal Guide
    Since you have already completed SAS and MBAM, you can attach those logs here. Continue with the rest of the procedure and then attach your RootRepeal log, ComboFix.txt, and MGlogs.zip when you are finished.
     
  3. dkgoodwin

    dkgoodwin Private First Class

    Thanks for replying.

    Attempted to run ComboFix; it reported that McAfee was running. Did not see McAfee anywhere obvious. Ran a search which turned up folders but nothing inside of them.

    Downloaded and ran the McAfee uninstaller. ComboFix still reported McAfee running. Let ComboFix run anyway. About module 50, blue screen; computer shut down to protect it, etc.
    Restarted, ran combofix again, same as above.

    I have no logs to share w/ you yet. Can I run combofix in safe mode?

    dkg
     
  4. thisisu

    thisisu Malware Consultant

    Yes you can
     
  5. dkgoodwin

    dkgoodwin Private First Class

    OK, I have managed to get past the viri and run the software. Logs attached.
     
  6. thisisu

    thisisu Malware Consultant

    Please also attach your SAS log and RootRepeal log
     
  7. dkgoodwin

    dkgoodwin Private First Class

    My bad. Here they are...
     

  8. thisisu

    thisisu Malware Consultant

    From Add/Remove Programs (via Control Panel), please uninstall the following:

    • Java(TM) 6 Update 18
    • Java(TM) 6 Update 2
    • Java(TM) 6 Update 6
    • Java(TM) 6 Update 7
    • Java(TM) SE Runtime Environment 6 Update 1
    • Viewpoint Media Player

    Please download Disable/Remove Windows Messenger to your Desktop.
    See the download links under the icon on the download page.

    1. Double-click MessengerDisable.exe
    2. Place a check-mark in Uninstall Windows Messenger
    3. Click Apply
    4. Click Exit

    Go to the below link and follow the instructions for running TDSSKiller by Kaspersky


    Please also download MBRCheck to your Desktop.
    See the download links under the icon on the download page.
    • Double click MBRCheck.exe to run (Vista and Win7 right click and select Run as Administrator)
    • It will show a Black screen with some information that will contain either the below line if no problem is found:
      • Done! Press ENTER to exit...
    • Or you will see more information like below if a problem is found:
      • Found non-standard or infected MBR.
      • Enter 'Y' and hit ENTER for more options, or 'N' to exit:
    • Either way, just choose to exit the program at this point since we want to see only the scan results to begin with.
    • MBRCheck will create a log named similar to MBRCheck_07.16.10_00.32.33.txt which is random based on date and time.
    • Attach this log to your next message. (How to attach items to your post)

    Put your computer back into Normal Startup Mode and reboot before proceeding to the next step (Use MSconfig to setup for Normal Startup Mode)

    Now run C:\MGtools\GetLogs.bat by double-clicking on it (Vista and Win7 right click and select Run as Administrator)

    This will automatically update all the logs in MGlogs.zip!
    Make sure you click Accept on the License Agreement from HiJackThis!/analyse.exe twice (yes twice) if prompted.

    Then attach C:\MGlogs.zip to your next message (How to attach items to your post)
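The MBRCheck step above looks at the first sector of the disk and reports either a standard boot record or a "non-standard or infected MBR". To make concrete what such a check does, here is an added example, written for this page and not MBRCheck's own code, that parses a 512-byte MBR image, hashes the boot code, and compares it against a set of known-good hashes. The sample sectors, the "clean" boot code and the hash baseline are all constructed inline (MBRCheck uses its own list of vendor boot-code hashes; this example simply trusts the hash of its own sample). The patched sample changes only the first bytes of the boot code, which is the part of the sector a bootkit overwrites while leaving the partition table intact.

```python
import hashlib
import struct

# Layout of a classic (non-GPT) 512-byte master boot record.
SECTOR_SIZE = 512
BOOT_CODE_LEN = 440           # bytes 0..439: boot loader code
PART_TABLE_OFFSET = 446       # four 16-byte partition entries start here
PART_ENTRY_FMT = "<B3xB3xII"  # status, CHS start (skipped), type, CHS end (skipped), LBA start, sector count
BOOT_SIGNATURE = b"\x55\xAA"  # bytes 510..511


def build_mbr(boot_code, partitions, signature=BOOT_SIGNATURE):
    """Assemble a 512-byte MBR image from boot code and up to four
    (status, type, lba_start, sector_count) tuples. Used here only to
    construct sample sectors; on a real machine you would read sector 0."""
    sector = bytearray(SECTOR_SIZE)
    sector[:BOOT_CODE_LEN] = boot_code[:BOOT_CODE_LEN].ljust(BOOT_CODE_LEN, b"\x00")
    for i, (status, ptype, lba_start, count) in enumerate(partitions[:4]):
        struct.pack_into(PART_ENTRY_FMT, sector, PART_TABLE_OFFSET + i * 16,
                         status, ptype, lba_start, count)
    sector[510:512] = signature
    return bytes(sector)


def parse_mbr(sector):
    """Split an MBR into its boot code hash, partition table and signature."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("an MBR is exactly 512 bytes")
    partitions = []
    for i in range(4):
        status, ptype, lba_start, count = struct.unpack_from(
            PART_ENTRY_FMT, sector, PART_TABLE_OFFSET + i * 16)
        partitions.append({"index": i, "status": status, "type": ptype,
                           "lba_start": lba_start, "sectors": count})
    return {
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
        "partitions": partitions,
        "signature": sector[510:512],
    }


def check_mbr(sector, known_good_hashes):
    """Return a list of findings; an empty list means nothing looked off.
    known_good_hashes is the set of SHA-256 digests of boot code you trust
    (for example, taken from a known-clean machine of the same make)."""
    info = parse_mbr(sector)
    findings = []
    if info["signature"] != BOOT_SIGNATURE:
        findings.append("missing 0x55AA boot signature")
    if info["boot_code_sha256"] not in known_good_hashes:
        findings.append("boot code does not match any known-good hash")
    used = []
    for p in info["partitions"]:
        if p["status"] not in (0x00, 0x80):
            findings.append(f"partition {p['index']} has invalid status byte 0x{p['status']:02x}")
        if p["type"] != 0 and p["sectors"] > 0:
            used.append(p)
    if sum(1 for p in used if p["status"] == 0x80) > 1:
        findings.append("more than one partition is flagged bootable")
    used.sort(key=lambda p: p["lba_start"])
    for a, b in zip(used, used[1:]):
        if a["lba_start"] + a["sectors"] > b["lba_start"]:
            findings.append(f"partitions {a['index']} and {b['index']} overlap")
    return findings


# Constructed sample data: a stand-in for clean boot code and a partition table
# with one bootable NTFS partition (type 0x07) followed by a second data partition.
CLEAN_BOOT_CODE = bytes([0x33, 0xC0, 0x8E, 0xD0, 0xBC, 0x00, 0x7C]) + b"\x90" * 433
SAMPLE_PARTITIONS = [(0x80, 0x07, 63, 1_000_000), (0x00, 0x07, 1_000_063, 500_000)]
CLEAN_MBR = build_mbr(CLEAN_BOOT_CODE, SAMPLE_PARTITIONS)
KNOWN_GOOD = {hashlib.sha256(CLEAN_BOOT_CODE).hexdigest()}  # baseline built from the sample, not a vendor list

# A modified copy: the first bytes of the boot code are changed, as a bootkit
# would do to redirect execution, while the partition table is left intact.
_patched = bytearray(CLEAN_MBR)
_patched[0:4] = b"\xE9\x00\x01\x90"
PATCHED_MBR = bytes(_patched)

if __name__ == "__main__":
    for name, image in (("clean sample", CLEAN_MBR), ("patched sample", PATCHED_MBR)):
        findings = check_mbr(image, KNOWN_GOOD)
        print(f"{name}: {'no problem found' if not findings else ', '.join(findings)}")
```

The hash comparison is the part that catches a bootkit: a modified boot loader still has a valid signature and a sane partition table, so structural checks alone pass, and only a mismatch against a trusted baseline reveals it. The same logic applies if you read sector 0 from a disk image taken with a forensic tool and feed those 512 bytes to check_mbr.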
     
  9. dkgoodwin

    dkgoodwin Private First Class

    and here are the next set.

    Thanks so much.

    DKG
     

  10. thisisu

    thisisu Malware Consultant

    Have you rebooted since you ran TDSSKiller? If not, please do so now.
    When you have rebooted, rerun TDSSKiller and attach its latest log
     
  11. dkgoodwin

    dkgoodwin Private First Class

    I thought that I had. However, here is a new report.

    Thanks
     
    Last edited: Aug 8, 2011
  12. dkgoodwin

    dkgoodwin Private First Class

    file upload again.
     

  13. thisisu

    thisisu Malware Consultant

    Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

    Run C:\MGtools\analyse.exe by double-clicking it (Vista and Win7 right-click and select Run as Administrator)
    Note: This is actually Trend Micro HiJackThis - v2.0.4
    Choose Do a system scan only and select the following lines but DO NOT CLICK FIX until you exit all explorer windows and all browser sessions including the one you are reading in right now:
    After clicking Fix, exit out of Trend Micro HiJackThis - v2.0.4

    Please download Disable/Remove Windows Messenger to your Desktop.
    See the download links under the icon on the download page.

    1. Double-click MessengerDisable.exe
    2. Place a check-mark in Uninstall Windows Messenger
    3. Click Apply
    4. Click Exit

    Delete the contents of this folder:
    Let me know if you had any trouble deleting the items in here.

    Now download and install Sun Java Runtime Environment 7
    See the download links under the icon on the download page.

    Now run C:\MGtools\GetLogs.bat by double-clicking on it (Vista and Win7 right click and select Run as Administrator)

    This will automatically update all the logs in MGlogs.zip!
    Make sure you click Accept on the License Agreement from HiJackThis!/analyse.exe twice (yes twice) if prompted.

    Then attach C:\MGlogs.zip to your next message (How to attach items to your post)

    **** Let me know how your PC is running after you've completed these steps ****
     
  14. dkgoodwin

    dkgoodwin Private First Class

    Will do.

    Note, I did run messenger disable a few days back, but will do again. The system shows no AV installed, but Combofix reports McAfee, ran McAfee uninstaller downloaded from MjrGks. Will run again.

    Will report back tomorrow. Thanks.
     
  15. dkgoodwin

    dkgoodwin Private First Class

    I have run the software in the order specified. Attaching mglogs file. Seems to be operating well. We no longer have IE opening continually until memory is exhausted and system launch is within expected timeframes.

    However, it does do one thing still that I am unsure how to undo. At bootup it opens explorer and brings the user to C/program files/Dell. Will you advise how I remove this issue please?

    Thank you

    dkg
     

  16. dkgoodwin

    dkgoodwin Private First Class

    I found my Dell explorer issue - bad path in startup log.

    dkg
     
  17. thisisu

    thisisu Malware Consultant

    Please download OTM by Old Timer to your desktop

    • Double-click OTM.exe to run (Vista and Win7 right-click and select Run as Administrator)
    • Copy the lines from the quote box below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy)
    • Return to OTM, right-click in the text-field and choose Paste
    • Now click the button to process the pasted lines.
    • If OTM asks to reboot your computer, allow it to do so. The report should appear in Notepad after the reboot.
    • Close OTM.
    Now navigate to the C:\_OTM\MovedFiles folder (assuming your Windows drive is C). This is where your log will be saved in the form of Date and Time mmddyyyy_hhmmss.log. Just look for the most recent .log file and attach this to your next message. (How to attach items to your post)

    Now run C:\MGtools\GetLogs.bat by double-clicking it (Vista and Win7 right click and select Run as Administrator)
    Then attach C:\MGlogs.zip to your next message (How to attach items to your post)
    Notes:
    • This will automatically update all the logs inside MGlogs.zip
    • Make sure you click Accept on the License Agreement from Trend Micro HiJackThis - v2.0.4 twice if prompted.
     
  18. dkgoodwin

    dkgoodwin Private First Class

    Here are the newest requested logs. Thank so very much.
     

  19. thisisu

    thisisu Malware Consultant

    Can you delete this one file through explorer?
    Code:
    C:\WINDOWS\Ejalumerujomurar.bin
    It should be inactive, just a small trace of malware. If you are successful in deleting it, then it is time to do our final steps:

    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources ( except a little disk space ) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /uninstall
        • Notes: The space between the combofix" and the /uninstall, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
    3. Go back to step 6 of the READ ME and re-enable your Disk Emulation software with Defogger if you had disabled it.
    4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    7. Go to Add/Remove Programs and uninstall HijackThis if it is present.
    8. Go to the C:\MGtools folder and find the MGclean.bat file. Double-click on this file to run this cleanup program, which will remove files and folders
      related to MGtools and some other items from our cleaning procedures.
    9. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures pointed to by step 7 of the READ ME
        for your Window version and see the instructions to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    10. After doing the above, you should work thru the below link:
     
  20. dkgoodwin

    dkgoodwin Private First Class

    Thank you so much for your guidance. I am still getting reports from ComboFix that McAfee is running. I can't find anything. I used the McAfee uninstaller twice but still getting that warning. Do I need to be concerned about this?
     
  21. thisisu

    thisisu Malware Consultant

    You're welcome, and no this is really not a problem.
     
  22. dkgoodwin

    dkgoodwin Private First Class

    Finishing up with this computer. I appreciate so much your directing this clean up. My friend says he has a second computer w/ similar issues. We'll see. rolleyes. I may be back sooner than expected!

    Regards to all,
    dkg
     
