Can't get rid of this stuff, a little help please..?

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by bjornhall, May 15, 2007.

  1. bjornhall

    bjornhall Private E-2

    Hi,

    In a stroke of absolute genius I ran a file I thought was safe that turned out to be bad. Avast stopped some of the resulting mayhem as it happened, but not all.

    Symptoms, in addition to what the scanners found:
    - A number of assorted trojans tried to install themselves right away; Avast blocked them (sorry, didn't keep the list, as I thought it had stopped it all)
    - Computer started randomly crashing; stop error from NDISP.SYS or some similar. Windows error reporting had the following to say:
    Ran through steps 0 - 7 in your "Run this first" sticky.

    Computer is still crashing frequently, and have had an error message popping up a couple times saying that services.exe has encountered a problem and needs to close; if I click OK to that the computer reboots after 60 seconds (this happens both in safe mode and normal mode).

    Don't think I am clean yet, but am stumped about what to do; could you have a peek and let me know what's next, please?

    Thanks! :)

    Best,
    - Björn
     


  2. bjornhall

    bjornhall Private E-2

    Here are the rest of the logs...
     


  3. bjornhall

    bjornhall Private E-2

    Sorry, got that wrong above: The file reported as the culprit of the crash errors is NDIS.SYS and nothing else. Also, sorry if my information is somewhat sketchy, but I'm having a hard time copying down error messages etc before the computer crashes again. Sometimes it stays up for less than a minute at a time.
     
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Start by downloading two tools we will need

    - Process Explorer

    - Pocket KillBox

    Extract them to their own folder somewhere that you will be able to locate them later.

    Make sure you have rebooted in Normal Mode (do not open any other processes)

    Make sure that one and only one Internet Explorer browser is opened up

    - Run Process Explorer

    In the top section of the Process Explorer screen double click on winlogon.exe to bring up the winlogon.exe properties screen. Click on the Threads tab at the top.

    Once you see this screen click on each instance of any of the below DLL files (if found) and then click the kill button.
    opnolll.dll
    yayxyxx.dll

    After you have killed all instances of any of the above DLLs under winlogon click ok.
    (If you do not find these DLLS, just continue on.)

    Next double click on explorer.exe and again click once on each instance of any of the below DLL files (if found) and then click the kill button.
    opnolll.dll
    yayxyxx.dll

    After you have killed all instances of any of the above DLLs under Explorer click ok.
    (If you do not find these DLLS, just continue on.)

    Next double click on iexplore.exe and again click once on each instance of any of the below DLL files (if found) and then click the kill button.
    opnolll.dll
    yayxyxx.dll

    After you have killed all instances of any of the above DLLs under iexplore click ok.
    (If you do not find these DLLS, just continue on.)

    Now back at the main Process Explorer window look for the below processes and if found right click on them and select Kill Process.
    C:\Program Files\Common Files\{5CCBDF4D-06C1-1033-0106-050602200002}\Update.exe
    C:\Program Files\Ipwindows\ipwins.exe

    Now just exit Process Explorer.

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O2 - BHO: (no name) - {B5A2FE0A-844B-4EE9-A3D1-474B44E0496C} - C:\WINDOWS\system32\opnolll.dll
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program\Java\jre1.6.0_01\bin\jusched.exe"
    O4 - HKLM\..\Run: [SManager] smanager.7.exe
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O20 - Winlogon Notify: opnolll - C:\WINDOWS\SYSTEM32\opnolll.dll
    O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)

    After clicking Fix, exit HJT.

    Copy the bold text below to notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.
    Now run Pocket Killbox by doubleclicking on killbox.exe
    • select File, Cleanup, Delete All Backups
    • Choose Tools > Delete Temp Files and click Delete Selected Temp Files.
    • Then after it deletes the files click the Exit (Save Settings) button.
    NOTE: Pocket Killbox will only list the added files it is able to find on the system. So when you do the below, if some files do not show in the list after pasting them in, just continue.

    Select:
    • Delete on Reboot
    • then Click on the All Files button.
    • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    C:\-1732723833
    C:\WINDOWS\smanager.7.exe~
    C:\WINDOWS\smanager.7.exe
    C:\WINDOWS\system32\smanager.7.exe
    C:\WINDOWS\system32\opnolll.dll
    C:\WINDOWS\system32\yayxyxx.dll
    • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
    • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt.
    If you receive a PendingFileRenameOperations prompt, just click OK to continue (But please let me know if you receive this message!).

    If Killbox does not reboot just reboot your PC yourself.

    After reboot, uninstall the below old versions of software:
    J2SE Runtime Environment 5.0 Update 10
    J2SE Runtime Environment 5.0 Update 11
    J2SE Runtime Environment 5.0 Update 5
    J2SE Runtime Environment 5.0 Update 6
    J2SE Runtime Environment 5.0 Update 9
    Mozilla Firefox (1.5.0.11)

    Make sure you reboot again, after uninstalling the above!

    Then install the current version of FireFox from: Mozilla Firefox


    Now run Ccleaner!

    Now attach the below new logs and tell me how the above steps went.

    1. GetRunKey
    2. ShowNew
    3. HJT


    Make sure you tell me how things are working now!
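The HijackThis lines quoted in the instructions above can be triaged mechanically. The following Python script is an added example, not code from this thread or from the HijackThis tool: it parses HJT-style O2, O4 and O20 lines (the thread's own lines, embedded as a constructed sample together with one benign Winlogon Notify line for contrast) and flags the patterns picked out above: a BHO with no display name, a Run entry that is a bare filename with no path, and a Winlogon Notify package that is either a file-missing orphan or a DLL outside an assumed allowlist of Windows XP notification packages.

```python
import re

# Constructed sample input: the HJT lines quoted in the thread, plus one
# benign Winlogon Notify line (wlnotify.dll) added for contrast.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {B5A2FE0A-844B-4EE9-A3D1-474B44E0496C} - C:\WINDOWS\system32\opnolll.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [SManager] smanager.7.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O20 - Winlogon Notify: opnolll - C:\WINDOWS\SYSTEM32\opnolll.dll
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O20 - Winlogon Notify: Schedule - C:\WINDOWS\system32\wlnotify.dll
"""

# Assumed allowlist of Winlogon notification DLLs shipped with Windows XP;
# build it from a known-clean machine before relying on it.
KNOWN_NOTIFY_DLLS = {"wlnotify.dll", "scecli.dll", "sclgntfy.dll",
                     "crypt32.dll", "cscdll.dll", "wzcdlg.dll"}

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{[0-9A-Fa-f-]+\} - (?P<path>.*)$")
O4_RE = re.compile(r"^O4 - (?P<key>\S+): \[(?P<label>[^\]]*)\] (?P<cmd>.*)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<dll>.*?)"
                    r"(?P<missing> \(file missing\))?$")


def triage(log_text):
    """Return (code, reason, line) for every HJT line matching a suspicious pattern."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if m := O2_RE.match(line):
            if m["name"] == "(no name)":
                findings.append(("O2", "BHO registered without a display name", line))
        elif m := O4_RE.match(line):
            cmd = m["cmd"].strip('"')
            # A bare filename is resolved through the loader's search order, which is
            # how smanager.7.exe could sit in both C:\WINDOWS and system32.
            if "\\" not in cmd and "/" not in cmd and "%" not in cmd:
                findings.append(("O4", "Run entry is a bare filename with no path", line))
        elif m := O20_RE.match(line):
            if m["missing"]:
                findings.append(("O20", "Winlogon Notify package points at a missing file", line))
            elif m["dll"].rsplit("\\", 1)[-1].lower() not in KNOWN_NOTIFY_DLLS:
                findings.append(("O20", "Winlogon Notify DLL not in the known-package allowlist", line))
    return findings


if __name__ == "__main__":
    for code, reason, line in triage(SAMPLE_LOG):
        print(f"[{code}] {reason}\n    {line}")
```

An allowlist miss is a prompt to look at the DLL, not proof of infection; third-party notification packages (VPN clients, graphics drivers) will also show up and need to be added to the list once verified.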
     
  5. bjornhall

    bjornhall Private E-2

    Thanks!

    Ran through your process, all seemed to go well.

    In the process explorer I found multiple instances of opnolll.dll, no instances of yayxyxx.dll, and did not find the two processes C:\Program Files\Common Files\{5CCBDF4D-06C1-1033-0106-050602200002}\Update.exe and
    C:\Program Files\Ipwindows\ipwins.exe

    In HJT, this line was not present anymore: O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

    KillBox found several of the listed files.

    Computer is up and running atm (not connected to the net though, I am using my spare in the mean time), and hasn't crashed yet... But looking at the logs, opnoll.dll, yayxyxx.dll etc seem to still be present, don't they? I can see them in explorer as well.

    Best,
    - Björn
     


  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Did you get the Pending Operations error with Killbox when trying to delete those files? That may be why they are still there. Boot into safe mode and see if you can delete the below files manually:

    C:\WINDOWS\smanager.7.exe~
    C:\WINDOWS\system32\opnolll.dll
    C:\WINDOWS\system32\prntvpt.dll
    C:\WINDOWS\system32\yayxyxx.dll

    If you get them deleted, reboot in normal mode and attach a new log from ShowNew.
     
  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Almost forgot! Do the below too!

    Uninstall the Sunbelt CounterSpy trial since we are finished with it now! Then delete the below two folders which may be left behind by the uninstall:
    C:\Documents and Settings\All Users\Application Data\Sunbelt Software
    C:\Program\Sunbelt Software
     
  8. bjornhall

    bjornhall Private E-2

    I didn't get the Pending Operations error from KillBox... Tried deleting the files manually in safe mode and that might have worked, here is the log!

    - Björn
     


  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay you are clean now! You still need to complete my instructions in message # 7 if you have not already done so.


    If you are not having any other malware problems, it is time to do our final steps:
    1. If we used Pocket Killbox during your cleanup, do the below
      • Run Pocket Killbox and select File, Cleanup, Delete All Backups
    2. If we used ComboFix you can delete the ComboFix.exe file and associated C:\combofix.txt log that was created.
    3. If we used SDFix you can delete all the SDFix related files and folders from your Desktop or wherever you installed it.
    4. If we used VundoFix, you can delete the VundoFix.exe file and the C:\VundoFix Backups folder and C:\vundofix.txt log that was created.
    5. If we had you run FixWareOut, you can delete the Fixwareout.exe file and the C:\fixwareout folder.
    6. If we had you run Avenger, you can delete all files related to Avenger now.
    7. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    8. You can delete the ShowNew.Zip and GetRunkey.Zip files and the files that you extracted from the ZIP files. You can also delete the C:\newfiles.txt and C:\runkeys.txt logs that were created
    9. If you are running Windows XP or Windows ME, do the below:
      • go back to step 8 of the READ & RUN ME to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    10. After doing the above, you should work thru the below link:
     
  10. bjornhall

    bjornhall Private E-2

    Thanks! But something is not right here...

    I went through the steps in your posts #7 and #9, and after disabling system restore (not that I think that matters, but that is what I was doing at the time) and rebooting, the system won't boot to normal mode. I get the blue screen, saying
    IRQL_NOT_LESS_OR_EQUAL and
    STOP: 0x0000000A (0x0D8BF73E, 0x00000002, 0x00000001, 0x806FF84A)

    I can boot to safe mode, but don't know what to do once I'm there...

    Now what...?
     
  11. bjornhall

    bjornhall Private E-2

    Update: After some poking around at Microsoft's site I came across this: http://support.microsoft.com/kb/929338

    Could it be an unrelated problem to my infection? If so, can/should I run the file in the KB article above from safe mode, since I can't boot to normal mode?
     
  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    It does not sound like this is related to malware and we already had all the malware removed. It is strange that it would occur after disabling System Restore as that would not have anything to do with normal boot up.

    Yes give that fix from Microsoft a try.
     
  13. bjornhall

    bjornhall Private E-2

    Ok, this is quite a coincidence that this problem should start happening just when we were done with the malware... Anyway, got it back up after running that KB fix above and then using the 'last known good' boot option (before that I had tried booting normally about half a dozen times but got the blue screen each time, and had been booting to safe mode several times as well).

    Guess all is well then! Thanks so much for your help, really appreciate it! :)

    Best,
    - Björn
     
  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I'm happy to hear you got it working. You're welcome. Surf safely.
     
  15. bjornhall

    bjornhall Private E-2

    Hi again! :)

    I still haven't taken the affected computer back on line yet (thank gods for spares!), but just out of curiosity I decided to do some research on what I actually had... This kind of stuff is morbidly interesting... ;)

    It was not quite clear to me from the various web references whether or not the Win32/Rustock.gen!C variant that Microsoft diagnosed me with was a root kit or not, so just out of curiosity I decided to try the rustbfix tool linked to in your sticky for special removal procedures.

    And lo and behold, it found and removed a rootkit. I attach the logs from the tool...

    So two things:
    a) Thought you might perhaps be interested in hearing about it...
    b) Knowing this, is there something else I should do before I start using the computer normally?

    Best,
    - Björn
     


  16. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Just to be safe, run the below. If it comes up clean and if your PC appears to be working okay, you should be ready for normal use.

    Now please download F-Secure's BlacklightBeta
    • Download fsbl.exe and save it to the Desktop.
    • Once saved... double click fsbl.exe to install the program.
    • Click accept agreement and Click scan
    • This application may trigger a warning from your antivirus. Let the driver load. Wait for it to finish.
    • If it displays any items...don't do anything with them yet. Just hit exit (close)
    • It will drop a log on Desktop that starts with fsbl....big number
    Please attach the BlackLight log.

     
  17. bjornhall

    bjornhall Private E-2

    Did that and it didn't find anything; here is the log.

    Prior to that (and to your reply) I also had lads provide a list of all ADS present on the computer and looked through it, nothing even remotely suspicious... So guess that's all then!

    Best,
    - Björn
     


  18. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Sounds good!
     
  19. bjornhall

    bjornhall Private E-2

    Brilliant, thanks again!

    Best,
    - Björn
     
  20. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome. Surf safely!
     
