Persistent worm infection

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by mondrawy, Dec 6, 2010.

  1. mondrawy

    mondrawy Private E-2

    I'm having some problems that I've been unable to fix no matter how much I've tried. The system keeps getting re-infected no matter what I do, even if I clean every file & registry entry I could find. I've used CCleaner, UnHackMe & SuperAntiSpyware to successfully remove all traces of the infection, only to see the virus return an hour later (sometimes days later) as if nothing happened.

    I have over 40 PCs connected on a LAN. Only a small portion of them have been infected; the others are completely fine, but the ones that are infected keep getting re-infected every time I try cleaning them. All PCs have Windows XP x86 or x64. The virus/malware itself seems to spread through network contact, which is my guess as to how reinfection occurs. I've done the usual steps of safe mode scanning, disabling System Restore, running CCleaner and such. And while those steps succeed in removing the infection from the PC, I can't seem to be able to prevent reinfection from occurring. Some of the other PCs on the network don't have any problems whatsoever, and unfortunately I cannot disconnect the network from the infected PCs permanently; they need to be networked.

    The worm itself seems to use a variety of different files/worms, so I'm not quite sure what the real name is. But it proceeds to install all of its components before disabling my Windows Firewall, then Internet Connection Sharing (ICS), before cutting off all access to LAN/Internet from the PC. Any suggestions? I've attached a ComboFix log; let me know if you need any more logs.
     

    Attached Files:

  2. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    You will need to disconnect each machine from the LAN while we clean them. Please follow these instructions:
    READ & RUN ME FIRST. Malware Removal Guide

    Also tell me what these are:
    c:\documents and settings\M&M\saskda.tmp
    c:\documents and settings\Games\saskda.tmp
    c:\documents and settings\scan\saskda.tmp

    If you don't know, delete them.
     
  3. mondrawy

    mondrawy Private E-2

    I've done that already. I've disconnected the LAN, went into safe mode, cleaned temp files with CCleaner and proceeded to run full scans with Symantec AntiVirus, SuperAntiSpyware and UnHackMe. I've tried several different variations on the other PCs along with the repeated reinfections; in each attempt I wait until the system is fully clean (i.e. scans report nothing) before rebooting into normal mode with the LAN enabled. At the moment System Restore is permanently disabled on all affected PCs.

    I don't know what those are, but they appear on all the PCs, including uninfected ones. They've been on the system for a long time and I've deleted them before, but they reappear. My guess is they're temp files created by one of the applications installed, most likely 1st Security Admin, which is a group policy editor type program.

    On a slightly different subject, running ComboFix seems to have permanently broken my group policy restrictions on the user Games. I've tried resetting them but it doesn't seem to work. Is this a known bug/problem? How can I fix it?
     
  4. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    I can't begin to help you unless you attach the requested logs. I have no way of "seeing" into your system without them.
     
  5. mondrawy

    mondrawy Private E-2

    My apologies, I figured the ComboFix log was enough. Here are all the rest except Malwarebytes; the installer seemed to freeze while updating, so I'll give that a try later and get you the log. Hope those are enough for now.
     

    Attached Files:

  6. mondrawy

    mondrawy Private E-2

    Got Malwarebytes to work, log attached.
     

    Attached Files:

  7. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Am I to assume that when you ran MBAM you saved the log and then had it fix what it found?

    Please run both SAS and MBAM on each user account. Attach the logs that show infections and name them so I know which account they are from.

    Let's do this:

    Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    Fix the above only if you did not set these restrictions.

    After clicking Fix, exit HJT.

    Now copy just the bold text below to Notepad (do not include any space above the word REGEDIT). Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.
    Make sure that you tell me if you receive a success message about adding the above
    to the registry. If you do not get a success message, it definitely did not work.


    * Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
    If it is not on your Desktop, the below will not work.
    * Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    * If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
    * Open Notepad and copy/paste the text in the below code box into it (make sure you scroll all the way down in the code box to get all lines selected ):
    Code:
    KILLALL::
    
    File::
    C:\WINDOWS\system32\msvmiode.exe
    C:\Documents and Settings\M&M\Application Data\ltzqai.exe
    C:\WINDOWS\system32\51.exe
    C:\WINDOWS\system32\77.exe
    C:\Documents and Settings\M&M\Local Settings\temp\456.exe
    C:\Documents and Settings\M&M\Local Settings\temp\46599.exe
    C:\Documents and Settings\M&M\Local Settings\temp\851695.exe
    C:\Documents and Settings\M&M\Local Settings\temp\8B57FEA3A174D628D7F49EA8FD939D31
    C:\Documents and Settings\M&M\Local Settings\temp\904D57F61A9D7FE5185C01B47D54C2FB
    
    Folder::
    C:\Documents and Settings\M&M\Local Settings\temp\is-48RTV.tmp
    C:\Documents and Settings\M&M\Local Settings\temp\is-AR37I.tmp
    
    
    * Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    * At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    * You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    If it asks you to override the previous file with the same name, click YES.
    * Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    * Follow the prompts.
    * When it finishes, a log will be produced named c:\combofix.txt
    * I will ask for this log below

    Note:

    Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:

    * C:\ComboFix.txt
    * C:\MGlogs.zip

    Make sure you tell me how things are working now!
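    As an added example (not part of this thread and not ComboFix's own tooling), here is a small Python script that parses the CFScript format posted above and, run on the infected machine before the script is dragged onto ComboFix, records a SHA-256 for each listed file so a record of what was removed survives, and flags entries that are already gone, which would suggest the worm has regenerated under new random names and the script was built from a stale log. The section layout (a line ending in `::` followed by entries) is taken from the script as posted; the sample text is a constructed subset of it.

```python
import hashlib
from pathlib import Path

# Constructed sample: a subset of the File::/Folder:: entries from the post,
# embedded so the parser can be exercised offline.
SAMPLE_CFSCRIPT = r"""KILLALL::

File::
C:\WINDOWS\system32\msvmiode.exe
C:\Documents and Settings\M&M\Application Data\ltzqai.exe
C:\Documents and Settings\M&M\Local Settings\temp\456.exe

Folder::
C:\Documents and Settings\M&M\Local Settings\temp\is-48RTV.tmp
"""

def parse_cfscript(text):
    """Split CFScript text into {section: [entries]}; a header is a line
    ending in '::' and owns the non-blank lines up to the next header."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith("::"):
            current = line[:-2]
            sections.setdefault(current, [])
        elif current is None:
            raise ValueError(f"entry before any section header: {line!r}")
        else:
            sections[current].append(line)
    return sections

def preflight(sections):
    """Check File::/Folder:: entries on this machine before ComboFix runs.
    Returns (present, missing): present maps each existing path to its SHA-256
    (None for a folder) so a record outlives the deletion; missing lists paths
    that are already gone (worm regenerated, or the listing is stale)."""
    present, missing = {}, []
    for section in ("File", "Folder"):
        for entry in sections.get(section, []):
            p = Path(entry)
            if p.is_file():
                present[entry] = hashlib.sha256(p.read_bytes()).hexdigest()
            elif p.is_dir():
                present[entry] = None
            else:
                missing.append(entry)
    return present, missing
```

    Feed it the real CFscript.txt with `preflight(parse_cfscript(open("CFscript.txt").read()))` and keep the returned hashes with the ComboFix log for that machine.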
     
