Trojans detected - Logs attached part 1

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by NotANewbie, Jun 6, 2010.

  1. NotANewbie

    NotANewbie Private E-2

    HP laptop
    Vista Ultimate
    Norton 360 version 4

    History of problem: For awhile, my machine had been slow to start and painfully slow to shutdown. Several days ago Norton popped up a message that 3 high risk trojans had been detected and quarantined: greader.class, gmrerews.class, gmailer.class

    I did a search and found the Malware Removal Guide instructions and did my best to follow them painstakingly and thoroughly.

    Of note:
    1-Super AntiSpyware was run in safe mode as the product literature recommends.

    2-Malwarebytes AntiMalware could not complete a scan in normal or safe mode, because it would always hang on a Norton QBackup file. The detail read:
    MBAM_ERROR_FILE_SCAN (0, 28)

    Problem signature:
    Problem Event Name: APPCRASH
    Application Name: mbam.exe
    Application Version: 1.46.0.1
    Application Timestamp: 4bd9ed9b
    Fault Module Name: USER32.dll
    Fault Module Version: 6.0.6002.18005
    Fault Module Timestamp: 49e0380e
    Exception Code: c0000005
    Exception Offset: 000121dc
    OS Version: 6.0.6002.2.2.0.256.1
    Locale ID: 1033
    Additional Information 1: cc77
    Additional Information 2: ef1a5c26c968aa33f0b7c9bb536b7677
    Additional Information 3: 94cd
    Additional Information 4: fdfe331f4bcd3385cb228314a1b8cbea

    3-ComboFix - After running that program successfully, everything I tried to open from MGTools to Word documents returned the error, "Illegal operation on a registry key that has been marked for deletion." I couldn't do ANYTHING. Using another machine, I searched this problem, and found the recommendation to run "sfc /scannow." This would only work in safe mode, but then after rebooting into normal mode everything seemed to work fine.

    4-RootRepeal seems like it threw an error, too. (Maybe I am a newbie since I can't find where I took notes on that! So maybe it didn't.) Anyway, it did return a lot of items "locked to the api." Did I do something wrong?? I hope!!

    5-MGTools could not be installed directly to C:
    It did seem to run fine, until I received a HJT error. Using Snag-It, I grabbed a screen shot. jpeg attached in "part 2". (I hope that's allowable)

    If a fresh re-install of the OS is necessary, I can, but I'd hate to lose everything. I back up fairly often to an external hard drive, but what are the odds that any infection lurks there, too?

    Thank you so much for your help!
     

    Attached Files:

  2. NotANewbie

    NotANewbie Private E-2

    Re: Trojans detected - Logs attached part 2

    MGTools HJT error jpeg attached.

    Many thanks!
     

    Attached Files:

  3. dr.moriarty

    dr.moriarty Malware Super Sleuth Staff Member

    Welcome to MajorGeeks, NotANewbie.

    I am currently reviewing your logs and will get back to you with a set of instructions as soon as possible. Our queue is working the oldest threads first.

    Thanks for your patience.
    dr.m
     
  4. dr.moriarty

    dr.moriarty Malware Super Sleuth Staff Member

    Hello, NotANewbie

    Did you remove all files from Norton's QBackup (Quarantine Backup) folder as instructed in the House Cleaning section of the R & R before running MBAM?

    *You do have quite a few applications loading at startup - I recommend using a manager like:
    Startup Control Panel Standalone Version 2.8

    Please attach the below log:
    C:\Users\You and Me\AppData\Roaming\Malwarebytes\Malwarebytes' Anti-Malware\Logs
    mbam-l~4.txt Jun 6 2010 888 "mbam-log-2010-06-06 (11-30-31).txt"

    Comment: Consider updating Mozilla Firefox (3.0.19) to the more secure 3.6.3 version

    Step 1:
    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    After clicking Fix, exit HJT.

    Step 2:
    Now we need to use ComboFix.
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Make sure you have shut down all protection software (antivirus, antispyware, firewall...etc) programs so they do not interfere with the running of ComboFix. *Remember to re-start them before coming back online.
    • If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
    • Open Notepad and copy/paste the text inside of the below code box into it (make sure you scroll all the way down in the code box to get all lines selected ):
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
      If it asks you to override the previous file with the same name, click YES.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below

    Note:
    Do not mouseclick combofix's window while it is running. That may cause it to stall.


    Step 3:
    Open CCleaner - select "Cleaner" > "Run Cleaner" <---use this function ONLY!

    Step 4:
    Click on the following link and use the below steps to upload a file for scanning: Virustotal
    Click the Browse... button.
    Navigate to the file C:\Windows\System32\drivers\lvuvc.hs

    *Either post a link to the results, or copy & paste the results into Notepad and attach the text file.


    Step 5:
    Now run the below in normal boot mode and attach the log.

    GMER - running with a random name

    Step 6:
    Then run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Windows 7, use right click and select Run As Administrator).

    Please attach the below logs to your next reply:
    • C:\MGlogs.zip
    • GMER log
    • VirusTotal Report
    * Make sure you tell me if you had any problems running this procedure; and answer this - "What malware problems are you still experiencing?"

    dr.m
     
  5. NotANewbie

    NotANewbie Private E-2

    Did I remove all files from Norton's QBackup per the instructions?
    No. I am using Norton 360 version 4, and I can't find a way to delete items from quarantine (as I could with previous version of Norton). The only options I'm given are "Submit to Symantec," "Restore this file," and "Remove this file from history."

    I've searched for a solution, and I can't find one. If you're interested, read through these related links:
    Link 1

    Link 2

    2- The mbam log you requested is attached.

    Now I'll follow the rest of your outline and report back.

    A heartfelt thank you for your help!!
     

    Attached Files:

  6. NotANewbie

    NotANewbie Private E-2

    Installed and am using StartupCPL now. I turned off quite a few unnecessary startup programs (there may be more that should be turned off??)

    Updated Firefox to the latest, 3.6.3

    Step 1 - MGTools analyse exe (HJT) ran without problems, and I was able to delete the one line you suggested.

    Step 2 - I was prompted to replace ComboFix with the newer version. I did so by following the link in your original post to be sure I was getting the real ComboFix. I copied your text into notepad, closed all browsers, and disabled all antispyware, antivirus, firewalls, etc. I tried a couple of times to drag the txt file on top of the combofix icon, but each time almost immediately after starting I got the message, "Windows command processor has stopped working." The details message is attached in a txt file.

    Step 3- Run CCleaner (cleaner only) - Done

    Step 4- Virustotal Link to lvuvc.hs scan
    Note: my computer hung for a long time "sending file," so ultimately I downloaded their uploader. I had to add a VirusTotal exception to Norton's firewall, but then the upload went smoothly and quickly.

    Step 5 - Running GMER: No problems, but I'm not sure I did it right. It ran for a long time, hours. I left the machine and let it do its thing. When it finished it identified many items. I wasn't sure exactly what to do next. Reading the instructions at the link you gave me, I was unsure whether to click "Ok" or just "Save" when it was finished. Since the instructions only said to click "Save," that is all I did. And then just closed the program. Should I have clicked "Ok" when GMER had finished and identified many items? If so, should I run it again, and click "ok"?

    Step 6: MGTools GetLogs bat: Done. No problems.

    What problems am I still having? Nothing is overtly obvious other than that it is still sluggish. I am very concerned to know that all traces of infection are gone. We use this machine for online shopping (Amazon, etc.) and even some online banking. Just need to feel confident again.

    Thank you! Thank you!
     

    Attached Files:

  7. NotANewbie

    NotANewbie Private E-2

    Update: I just noticed the VirusTotal link I provided to you is not working. I went back to the file where I had originally copy/pasted it to. That doesn't work. I have tried to re-submit the file to VirusTotal, but I get the message, "Cannot connect. Check proxy settings." I am not (that I know of) behind a proxy. And it is allowed in Norton, which is what made the difference last night.

    Additionally, I just received a pop up message: "To protect the computer Data Execution prevention has closed Windows host process Rundll32" I had to reboot the computer.

    I know it would help you most to see the report that VirusTotal generated last night. I remember it said, "0/39" and each scanner had a "-" behind it. Then at the bottom there was a bunch of information, that I couldn't translate.
     
  8. dr.moriarty

    dr.moriarty Malware Super Sleuth Staff Member

    I found this reply on the net:
    I don't recognize this new file on your desktop - 40phfg67.exe - and strongly recommend that you clean up this account's Desktop immediately, leaving only shortcut links. [ C:\Users\You and Me\Desktop ] Do not store downloads, exe files, iso files....etc on your Desktop. First, it is not a safe place to keep them (i.e., you may lose them due to malware, and a cluttered Desktop is an easy hiding place for malware), and last but not least - it can have an effect on your PC's performance.

    Delete all files and subfolders in the below folders except ones from the current date (Windows will not let you delete the files from the current day).
    Now open CCleaner - select "Cleaner" > "Run Cleaner" <---use this function ONLY!

    I'm not seeing any other malware problems. If you wish to run another online scan to double-check that your machine is clean, please run the below scanner and post the results if anything is found:

    Using ESET's Online Scanner

    *You could also post about your PC's sluggishness in our Software forum.

    Otherwise your logs look good! If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources ( except a little disk space ) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /uninstall
        • Note: the space between combofix" and /uninstall must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
    3. Go back to step 6 of the READ ME and re-enable your Disk Emulation software with Defogger if you had disabled it.
    4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. If running Vista, it is time to make sure you have re-enabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    7. Go to add/remove programs and uninstall HijackThis.
    8. Go to the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    9. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures pointed to by step 7 of the READ ME for your Windows version and see the instructions to Disable System Restore, which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    10. After doing the above, you should work thru the below link:

    Safe surfing!
     
    Last edited: Jun 13, 2010
  9. NotANewbie

    NotANewbie Private E-2

    All done. (Except for uninstalling / reinstalling Norton)

    FYI: the 40phfg67.exe that you didn't recognize on my desktop is the "randomly named" gmer that you told me to install to desktop and run.

    I ran the ESET online scan twice and the logs are below.

    Twice because the first time I forgot to enable the "scan for potentially unsafe applications."
    ("Potentially unwanted" and "stealth" were enabled on scan 1)

    Scan 1 - identified and quarantined C:\SWSetup\AOLIMS\Setup.exe as a likely WinAgent 32 trojan variant. (I do not and never have used AOL or its instant messenger service)

    Scan 2 - I enabled "scan for potentially unwanted applications" and kept the others enabled also. It identified Win32 PrcView.

    Please advise!

    Also, remember I did not have gmer "fix" anything by telling it ok. I just closed out of it after running and saving the log file.

    AND, I see now that the Virustotal link I gave you in last post does indeed work. Funny, my machine (or virustotal) was not working when I made that comment.

    Thank you very much for your help and patience!!!
     

    Attached Files:

  10. dr.moriarty

    dr.moriarty Malware Super Sleuth Staff Member

    LOL Yes, you're right.


    On further investigation, this is the only one I believe is unaccounted for in your logs. If it was AOLIMS, it was dealt with by the ESET scan:

    "C:\"
    SWSETUP Feb 5 2008 "SWSetup"


    That was not a problem, it was related to "C:\MGtools\Process.exe".

    The GMER log showed no issues that needed attending.

    :) You're very welcome!
    dr.m
     
    Last edited: Jun 13, 2010
