Malware/virus NOT removed + RR hangs

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by boogieman, Feb 17, 2010.

  1. boogieman

    boogieman Private E-2

    1. I have run all scans but RootRepeal since it did not work.
    In normal mode RR hung (even the lights on the mouse went out, so it seemed to kill USB power) and sometimes restarted Windows; in safe mode it hung Windows and halted on "initializing".

    2. All other logs are in the attached zip file. It also includes a screenshot of the Windows dir, which surely seems to contain several non-Windows programs.

    3. The Combofix log says "possible rootkit infection", so it is a pity I cannot run RR.

    Need advice :confused
    Boogieman
     


  2. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Hi and welcome. I am currently reviewing your logs. Whilst doing so I notice that you are way out of date with MBAM. Please update it, rescan > fix all it finds > and attach the log it produces into your next reply.
     
  3. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    1.
    • WinPcap 4.0.2 <--- Did you knowingly install this? If not then please remove it, otherwise leave it alone.
    • Java(TM) 6 Update 17 <-- outdated, please uninstall it.

    2. Did you set the below policies yourself?

    3. Now we need to use ComboFix
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    • If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
    • Open Notepad and copy/paste the text in the below quote box. Ensure you scroll down to select ALL the lines:
    Code:
    KILLALL::
    
    Driver::
    pnicml
    
    File::
    c:\windows\isRS-000.tmp
    c:\docume~1\oh\LOCALS~1\Temp\pnicml.sys
    
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe


    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below

    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.


    4. Now let's use TDSSKiller

    • Go to TDSSKiller and Download TDSSKiller.zip to your Desktop
    • Extract its contents to your Desktop so that you have TDSSKiller.exe directly on your Desktop and not in any subfolder of the Desktop.
    • Click Start > Run and copy/paste the following bold command into Run box and hit Enter ( the quotes are required).
    "%userprofile%\Desktop\TDSSKiller.exe" -l C:\TDSSKiller.txt -v

    • Follow the instructions to type in "delete" when it asks you what to do when it finds something.
    • When done, a log file should be created on your C: drive called "TDSSKiller.txt" please attach this log to your next reply.

    5. Reboot your machine and install the most current and up to date version of Java available here at the below link:

    Java Runtime 6

    6. Run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this and also attach the log from Combofix.

    7. Let us know of any problems you may have encountered with the above instructions and also let me know how things are running now!
     
    Last edited: Feb 17, 2010
  4. boogieman

    boogieman Private E-2

    - See comments above in red
    - I can't really express my gratefulness for getting personal assistance in the matter. You guys rock :dood

    Very best regards
    Boogieman
     


  5. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Good evening :)

    Now we need to use ComboFix again
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    • If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
    • Open Notepad and copy/paste the text in the below quote box. Ensure you scroll down to select ALL the lines:
    Code:
    KILLALL::
    
    DirLook::
    c:\program files\Personal\bin
    c:\program files\Personal
    
    File::
    C:\Windows\Q330994.exe
    C:\Windows\seksdialer.exe
    
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe


    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below

    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this and also attach the log from Combofix.

    Let us know of any problems you may have encountered with the above instructions and also let me know how the computer is running now!

    Please confirm that those two files have now definitely gone, because I have no way of knowing considering they were not showing up in your logs.
     
  6. boogieman

    boogieman Private E-2

    But the "personal" folder is not a virus.
    That is the certificate client for my bank.
    I don't want to delete that one, or does it not delete it with KILLALL?

    Regards
    Boogieman
     
  7. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    No, it would not have deleted it, just looked at its contents. So just take out that part and continue.
     
  8. boogieman

    boogieman Private E-2

    1. Ok, here is the log (personal part removed).
    Combofix ran an update and deleted the two files you mentioned
    AND two other files.
    View attachment ComboFix.txt

    2. I have 2 strange catalogues with GUID names and some odd files inside.
    You can see the content of the first catalogue in the attached jpg.
    Guid times 2.jpg

    3. The second GUID catalogue contains a LONG log with the name "msxml4-KB927978-enu.log", which I have attached as a zip since it was too large (284Kb). It looks very suspicious, but it could be MS XML as the filename says, but why the folder name then?
    View attachment msxml4-KB927978-enu.zip

    4. I also attached a HijackThis log which I ran before combofix.
    View attachment hijackthis_BeforeRegSBPRoduct.log

    I have a strong belief I have gotten some kind of rootkit.
    My PC has restarted 2-3 times with blue/white lines all over the screen.
    The root kit detectors fail to run.
    I have uninstalled NOD32 and SAS and it seems to run a bit more stable now.

    Hope the info helps and BIG thanks for the support
    Ola
     
  9. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    You did not attach the C:\Mglogs.zip that I asked for. The screenshot is very small to see but from what I can make out it is nothing to worry about!
    I Did not request that.

    I do doubt it. Combofix can sometimes be wrong about what it is reporting. I have had you successfully run TDSSKiller which revealed no problems.

    Probably nothing to do with malware.
    Attach the mglogs.zip too and then I will see what we will do next. :)
     
  10. boogieman

    boogieman Private E-2

    Ooops sorry, I must have missed the last lines :-o
    Here is the mglogs.zip
    View attachment MGlogs.zip

    And the picture which was too small in zipped format so it can be viewed in full resolution (if needed)
    View attachment Guid times 2.zip

    It feels hard to trust antivirus programs.
    I.e. Kaspersky saw mgtools.exe as a "Trojan-Dropper.Win32.Agent.blsp", but that virus type does not exist in the Kaspersky database...well :)
     
  11. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Good evening :)

    1. What exactly are you using for anti virus right now? Nothing?

    2. Please disable utorrent from loading at start up whilst we are working to remove malware.
    OK, I see now! We can delete the folder you are questioning with combofix, (C:\{8000102C-0000-0000-60E0-7BD20B5F6067} it is indeed suspicious.

    3. Tell me what is inside of the folder beneath the folder you highlighted in your screenshot?

    4. Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    After clicking Fix exit HJT.

    5. Now we need to use ComboFix
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    • If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
    • Open Notepad and copy/paste the text in the below quote box. Ensure you scroll down to select ALL the lines:
    Code:
    KILLALL::
    
    Folder::
    C:\{8000102C-0000-0000-60E0-7BD20B5F6067}
    
    Registry::
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5C255C8A-E604-49b4-9D64-90988571CECB}]
    
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe


    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below

    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    6. Also delete all files in the below bold folders except ones from the current date (Windows will not let you delete the files from the current day).
    7. Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this and also attach the log from Combofix.

    8. Let us know of any problems you may have encountered with the above instructions and also let me know how things are running now!
     
  12. boogieman

    boogieman Private E-2

    None currently, that is right. I have uninstalled NOD32 and SAS temporarily since they seemed to hang my PC (it has been working well after deinstall of those two).
    I was about to install Kaspersky, but it did not work well with my Zone Alarm firewall.
    I made an online scan with Kaspersky over the night though and got some infection warnings, but mostly on quarantined items and the virus tools I am using here. If you want the log I can attach it.

    Done

    The content in the folder beneath is uploaded in post 8 - point 3 (post entry copied below)
    I will follow your advice below and will post results when I am done.

    Regards
    Boogieman
     
    Last edited: Mar 3, 2010
  13. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    OK :) I will be here waiting.
     
  14. boogieman

    boogieman Private E-2

    Here are the logs.
    I also attached the online Kaspersky scan that showed malicious items.

    Combofix hung the first time.
    It killed the Zone Alarm vector monitor first, so I shut it down and removed the ethernet cable.
    30 or so seconds later it hung the entire PC at scan 30 something, so I had to do a hard reboot.

    Then I re-ran combofix and getlogs as per instruction.
     


  15. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    The Kaspersky scan just showed a lot of items it was finding in quarantine and also false positives.

    Let's do this and then without you running any more scans, please tell me how your machine is behaving and what actual malware issues you are still having?

    Now we need to use ComboFix
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    • If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
    • Open Notepad and copy/paste the text in the below quote box. Ensure you scroll down to select ALL the lines:
    Code:
    KILLALL::
    
    Fcopy::
    C:\Program Files\Intel\Intel Application Accelerator\Driver\iastor.sys | C:\WINDOWS\system32\drivers\iaStor.sys
    C:\WINDOWS\system32\ReinstallBackups\0001\DriverFiles\i386\atapi.sys | C:\WINDOWS\system32\drivers\atapi.sys
    
    
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe


    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below

    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.
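    The CFScript blocks in this thread (posts 3, 5, 11 and 15) all use the same layout: a directive name ending in `::`, then its argument lines. As an added example (not from the thread and not ComboFix's own code), here is a small Python checker that splits such a script into sections and reports which entries are only inspected (DirLook) and which are removed or overwritten (File, Folder, Driver, Registry, Fcopy), which is exactly the question post 6 raised about the bank's "Personal" folder. The read-only/destructive classification is my assumption drawn from how the directives are used in this thread; the sample script is constructed from post 5.

```python
import re
from typing import Dict, List, Tuple

# Classification is an assumption based on this thread: DirLook only lists a
# directory, the others delete or replace something, KILLALL stops processes.
READ_ONLY = {"DirLook"}
DESTRUCTIVE = {"File", "Folder", "Driver", "Registry", "Fcopy"}
CONTROL = {"KILLALL"}
KNOWN = READ_ONLY | DESTRUCTIVE | CONTROL

SECTION_RE = re.compile(r"^([A-Za-z]+)::\s*$")


def parse_cfscript(text: str) -> Dict[str, List[str]]:
    """Split a CFScript into {directive: [argument lines]}; unknown directives raise."""
    sections: Dict[str, List[str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            if current not in KNOWN:
                raise ValueError(f"unknown directive: {current}")
            sections.setdefault(current, [])
        elif current is None:
            raise ValueError(f"argument before any directive: {line}")
        else:
            sections[current].append(line)
    return sections


def fcopy_pairs(args: List[str]) -> List[Tuple[str, str]]:
    """Fcopy lines read 'source | destination'; the destination is what gets overwritten."""
    pairs = []
    for a in args:
        src, sep, dst = a.partition("|")
        if not sep:
            raise ValueError(f"Fcopy line without '|': {a}")
        pairs.append((src.strip(), dst.strip()))
    return pairs


def affected_paths(sections: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """Return what the script only looks at versus what it deletes or overwrites."""
    inspected: List[str] = []
    changed: List[str] = []
    for name, args in sections.items():
        if name in READ_ONLY:
            inspected.extend(args)
        elif name == "Fcopy":
            changed.extend(dst for _, dst in fcopy_pairs(args))
        elif name in DESTRUCTIVE:
            changed.extend(args)
    return {"inspected": inspected, "removed_or_replaced": changed}


def would_touch(sections: Dict[str, List[str]], prefix: str) -> bool:
    """True if any delete/overwrite entry lies under prefix (case-insensitive, as on Windows)."""
    p = prefix.lower().rstrip("\\")
    return any(x.lower().startswith(p) for x in affected_paths(sections)["removed_or_replaced"])


# Constructed sample modelled on the script in post 5.
SAMPLE = r"""KILLALL::

DirLook::
c:\program files\Personal\bin
c:\program files\Personal

File::
C:\Windows\Q330994.exe
C:\Windows\seksdialer.exe
"""

if __name__ == "__main__":
    s = parse_cfscript(SAMPLE)
    for kind, paths in affected_paths(s).items():
        print(f"{kind}: {paths}")
    print("touches Personal folder:", would_touch(s, r"c:\program files\Personal"))
```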
     
  16. boogieman

    boogieman Private E-2

    Just a question, since I don't understand (and I do like to understand :) )

    1. The atapi.sys (normally used for, i.e., CD/DVD drives, right) file in "C:\WINDOWS\system32\ReinstallBackups\0001\DriverFiles\i386" is older than the one in "C:\WINDOWS\system32\drivers". Why overwrite the new one with the older?

    2. The Intel Application Accelerator files seem to be the same version and size.

    Do you suspect they are infected?
     
  17. boogieman

    boogieman Private E-2

    Could not change last post due to 10min time limit - so have to make a new one (sorry, not a try to bump)

    Regarding malware signs left:
    After uninstalling SAS and NOD32 I haven't had any particular issues.
    - No reboots (unless when running combofix last time).
    - No blue-white line over screen lockups
    But I dont know why?

    What worries me is this recurring part in combofix log
     
  18. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Yes, me too, which is why I was trying to cover all bases for you and was why I was replacing those files with older copies just in case they were infected. But I think we need to go about this a different way. Sigh, I will be back with a post soon.
     
  19. boogieman

    boogieman Private E-2

    Ok, meanwhile I did the proposed replacement of the files as per your post.
    Here is the log. View attachment Logs 20100305.zip

    And once again, thanks for your patience and effort
    Ola aka Boogieman
     
  20. boogieman

    boogieman Private E-2

    In the log I posted below, this entry looks suspicious in the combofix log, don't you think?
    Or is it RR, MBam, SAS or combofix's file to build the log? (that date I ran all 4 and sent you the files, but RR fluked)

    It is the only thing present in the TEMP catalogue for allusers and an exe-file feels so so.

    Regards
    Boogieman
     
  21. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    It relates to power DVD. Not malicious and nothing to be concerned about.

    Now then, I want you to update both SUPERANTIspyware and Malware Bytes. Rescan with each, fix all it finds and attach the logs they create into your next reply.

    Next, let's do this:

    Using ESET's Online Scanner


    Attach the ESETScan.txt to your next reply as well as logs from MBAM/SAS.
     
  22. boogieman

    boogieman Private E-2

    Hi

    1. I will do your proposals later today.

    2. I think I found one thing earlier today.
    When I boot I have 2 instances of wmiprvse.exe running for a while.
    I looked up all versions I have and there were quite a few (see attached jpg)
    WmiPrvse.jpg

    I have scanned all the versions I have on www.jotti.org and found that ONE of them reported a backdoor by one scanner. See permalink below
    Jotti scan result of wmiprvse.exe in folder 'C:\WINDOWS\$hf_mig$\KB956572\SP3GDR'
    When I take properties of the two files in the jpg, they have exactly the same date (manufacturer, version, size and so on) but only one is reported infected, so something is strange.

    All the other versions in the jpg are reported OK by all scanners.
    If you want me to send the infected file, let me know. I guess you are using some kind of "sandbox" but I don't want to spread infections if someone else on the forum should happen to use the file.

    Best regards and huge thanks
    Boogieman
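    The observation above (identical size, version and date on several wmiprvse.exe copies, yet only one flagged by one engine) can be settled by comparing the files' bytes rather than their properties. As an added example, not from the thread, this Python script hashes each copy with SHA-256, groups byte-identical copies, and reports when a single scanner gave mixed verdicts within one group, which cannot come from a real signature match and so points at a false positive. The three files it writes are constructed placeholders with made-up folder names, not the real wmiprvse.exe.

```python
import hashlib
import os
import tempfile
from collections import defaultdict
from typing import Dict, Iterable, List, Set


def sha256_file(path: str, chunk: int = 1 << 16) -> str:
    """SHA-256 of a file's bytes, read in chunks so large binaries are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def group_by_content(paths: Iterable[str]) -> Dict[str, List[str]]:
    """Group copies by digest: same digest means byte-identical files, which is
    a stronger statement than matching size, version string or timestamp."""
    groups: Dict[str, List[str]] = defaultdict(list)
    for p in paths:
        groups[sha256_file(p)].append(p)
    return dict(groups)


def inconsistent_verdicts(paths: Iterable[str], flagged: Set[str]) -> List[str]:
    """Digests whose copies received mixed verdicts from the same scanner.
    A signature hit depends only on the bytes, so byte-identical copies cannot
    honestly be 'clean' and 'infected' at once; a mixed group points to a
    false positive (or a scan that did not actually read every copy)."""
    mixed = []
    for digest, members in group_by_content(paths).items():
        hits = [m for m in members if m in flagged]
        if hits and len(hits) != len(members):
            mixed.append(digest)
    return mixed


def build_sample() -> List[str]:
    """Constructed stand-in for the three wmiprvse.exe copies in the thread:
    placeholder bytes in a temp dir, two copies identical, the third different."""
    root = tempfile.mkdtemp(prefix="wmiprvse_demo_")
    layout = {
        "hf_mig_KB956572_SP3GDR/wmiprvse.exe": b"MZ placeholder build A",
        "hf_mig_KB956572_SP3QFE/wmiprvse.exe": b"MZ placeholder build A",
        "system32_wbem/wmiprvse.exe": b"MZ placeholder build B",
    }
    paths = []
    for rel, data in layout.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as f:
            f.write(data)
        paths.append(full)
    return paths


if __name__ == "__main__":
    copies = build_sample()
    flagged = {copies[0]}  # the single copy one engine reported, as in the post above
    for digest, members in group_by_content(copies).items():
        print(digest[:16], len(members), "copy/copies")
    print("mixed verdicts:", inconsistent_verdicts(copies, flagged))
```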
     
  23. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Yes please.

    Then please do the below:

    Please go to start > Run and paste in the following:

    (enter in full file path of the file just ONE of the scanners reported as a threat instead of example.exe and my file path) - I believe this could just be a false positive anyway with that particular scanner on jotti..

    log retrievable @ C:\collect.zip
     
  24. boogieman

    boogieman Private E-2

    1. Now the proposed actions are complete and contains below:
    - SAS log (made the 10th - the rest today)
    - MBAM log (found 2 threats - see point 2 below)
    - Eset log (found 7 threats - deleted)
    - collect.zip
    in this zip file View attachment Logs 20100313.zip

    2. On ESET 7 things were reported, but I have yet not chosen "delete files" on the threats found - should I do that?
    Seems like some fake reports like:
    * MGtools
    * "falcon smitrem" virus removal tool, which was a bit strange.
    * SDFix backups

    Thanks, awaiting further orders
     
  25. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Yes what eset found was just false positives.

    Also the wmiprvse.exe is not infected either, it's a legit file and only one of the scanners flagged it as bad.

    I believe it's time for you to follow final steps soon. What remaining malware problems do you have if any?
     
  26. boogieman

    boogieman Private E-2

    Wrote a bit wrong below.
    - The threats in MBAM are deleted (don't know if they were fake, since I did not recognize the files)
    - In ESET then i should not delete the files? Not the uninstall.exe either from maketorrent dir?

    - Yes, wmiprvse.exe should be legit. The strange thing was that only 1 of the 3 was flagged as infected by Jotti.
    If all would have been flagged infected I also would have opted for non virus.

    Regards
    Boogie
     
  27. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    You can just use windows explorer to manually delete the below if you do not need it now


    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources ( except a little disk space ) until you run a scan.
    2. If we used Pocket Killbox during your cleanup, do the below
      • Run Pocket Killbox and select File, Cleanup, Delete All Backups
    3. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /uninstall
        • Notes: The space between the combofix" and the /uninstall, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
    4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    7. Go to add/remove programs and uninstall HijackThis.
    8. Goto the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    9. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures in step 3 the READ ME for your Window version and see the instructions to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    10. After doing the above, you should work thru the below link:
     
  28. boogieman

    boogieman Private E-2

    Done


    1. SAS - passive (will use as sweeper every now and then)

      N/A

      Done, but changed back to see file extensions and hidden files, since I prefer it that way. Guess that is not an issue regarding malware.

      - CCleaner - kept it since I like the functionality
      - MBAM - kept it since it seemed like a good "once in a while sweeper"


      N/A

      Done + removed the exe and folder as prompted in the uninstall


      • Done

      Done

    - Autorun disabled (is there a safe way to look at my USB sticks which might carry infections?)
    - Avira - Installed & Active (seemed nice due to rootkit detector)
    - Spybot S&D - Immunized + display dialog (should I set it to load at startup?)
    - Spywareblaster - All enabled (Should I set to load at startup as well?)
    - Google chrome alternative browser installed

    Regarding RootRepeal:
    If I remember it right it was not an install, so I can just delete the exe (can't find it in add/remove nor the start menu)

    Regarding cookie blockers
    I can't remember which software asks for permission when cookies are detected.
    But after reading all your files I understand it is unnecessary, so I will try to lurk out which one it was, since it is a bit annoying to allow every cookie :)

    Thanks a very huge bunch for all the support.
    I feel like I'm loaded over my ears with protection now and I guess that's what's needed with today's cumbersome internet environment.
    A pity all people are not like you guys on MG.
    I have never understood the fun of making viruses just to bother other people and take up so much unnecessary time, but I guess those individuals are people that "are not seen" in the normal community that need to take such drastic measures to "shine" (they shine less than a rusty nail IMO).

    You guys & girls (must be some fems as well right) on the other hand - glow like diamonds in the rain :)


    Thanks again
    Boogie - hopefully virus free - man
     
    Last edited: Mar 16, 2010
  29. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member


    For the external Hard Drive and a USB stick.

    Insert your flash drive before we begin. Hold down the Shift key when inserting the flash drive until Windows detects it to bypass the autorun feature. This will keep the autorun.inf from executing automatically.

    Please have all your removable storage devices ready for disinfection.

    Download Flash Disinfector by sUBs and save it to your desktop.

    • Double-click Flash_Disinfector.exe to run it.
    • Your desktop and icons may disappear. This is normal.
    • It will do a cleanup of removable storage devices, and write a protected Autorun.inf file to help prevent re-infection.
    • Follow any prompts that may appear.
    • The utility may ask you to insert your flash drive and/or other removable drives including your mobile phone. Please do so and allow the utility to clean up those drives as well.
    • Wait until it has finished scanning and then exit the program.
    • There will be no GUI interface or log file produced.
    • Reboot your computer when done.

    Note: Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive plugged in when you ran it. Don't delete this folder. It will help protect your drives from future infection.

    Your choice. I do not personally rate S&D much these days and do not use it.

    Your choice, I have it installed but do not have it running at start up.

    Yes, simply delete its executable, and any logs it made.

    You are very welcome! :)

    Take care.
    Kes13!
     
