Need Help - Malware keeps coming back

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by mismgr, Aug 31, 2007.

  1. mismgr

    mismgr Private E-2

    I am in the process of finishing up the requested scans. As I got to near the end of the scans, the obvious malware .exe files that had been deleted started to come back. I am in the process of the final last scans and am collecting the log files to send. I really need help on this one because it seems to be something really deep/behind the scenes.
     
  2. abri

    abri MajorGeek

    Hi mismgr

    Welcome to Major Geeks!
    You'll need to post twice to attach the logs. We'll look at them when you've finished them all. Please make sure your HijackThis log is renamed analyse.exe and that it's in the folder HJT or HijackThis under C:\Program Files

    abri
     
  3. mismgr

    mismgr Private E-2

    Will do. Do you want the HJT log renamed when I submit it to you? Or rename it after the scan on the PC I am working on?
     
  4. abri

    abri MajorGeek


    Only the .exe file itself needs to be renamed Before you run it. The log it produces does not need to be renamed. Be sure the .exe file is in the right location as per the instructions in Point 7 of the READ & RUN ME FIRST
     
  5. mismgr

    mismgr Private E-2

    I have attached the BitDefender scan. I did not save the CounterSpy log immediately after scanning, so I think I lost that. Sorry. It is now in the process of just about being finished with the Panda ActiveScan - so far it has found only one item in the hacking/root kit category.

    Once that scan is done I will get the remainder of these for you.
     

  6. mismgr

    mismgr Private E-2

    Panda ActiveScan Log
     

  7. mismgr

    mismgr Private E-2

    Last two requested files before the HJT log.
     

  8. mismgr

    mismgr Private E-2

    Last, but not least, the HJT file - and, yes, I did follow all the directions.
     

  9. abri

    abri MajorGeek

    Did you have Counterspy fix everything it found? If not, please rerun it and have it fix anything it finds.

    Thanks!
    abri
     
  10. mismgr

    mismgr Private E-2

    Yes, I did. It could not heal anything so it just deleted everything.
     
  11. abri

    abri MajorGeek

    Hi mismgr!

    1) Please print out these instructions so that you can operate with All Browser Windows CLOSED.

    2) After this, I would like for you to disconnect your computer (physically) from the internet and then disable any antivirus and/or antispy programs you have installed so they will not block this fix.

    3) Please look in Add/Remove Programs for the following and uninstall them if found. If you get any errors just make a note and proceed.

    4) Please make sure the Viewing of Hidden Files & Folders is enabled per the READ ME.

    5) Now, please run HijackThis and click on the Open the Misc Tools Section button on the open page. Then select Open process manager on the left-hand side. Look for the following process (or processes) and, one at a time, kill each by selecting it and then click Kill process. Then click yes. If you do not see all of them just proceed!

    After killing all the above processes, click Back and leave HJT running as we will be using it in the next step.

    6) Next we need to remove some bad services, please follow the below…
    • Click on Start, then Run ... type services.msc into the box that opens up, and press 'OK'.
    • On the page that opens, scroll down to LSaServ
    • then right click the entry, select Properties and press Stop Service.
    • When it shows that it is stopped, next please set the Start-up Type to 'Disabled'.
    • Now repeat the above steps to Stop and Disable the below Services (if you do not find them or get any errors, just continue):
      • ioodfiuji
      • AOL-V6
      • Machine Debug Manager
    • Now Click OK until you get back to Windows.
    • Next, run HJT, but instead of scanning, click on the None of the above, just start the program button at the bottom of the choices.
    • At the lower right, click on the Config button
    • Then click the Misc tools button
    • Select Delete an NT Service
    • Copy/paste LSaServ into the box that opens, and press OK
    • If you receive any error messages just ignore them and continue.
    • Now repeat the above to delete the below two Services (if you do not find them or get any errors, just continue):
      • ioodfiuji
      • AOL-V6
      • MCH_Debug-Manager
    • Now exit HJT but do not reboot when it tells you it needs to. We will do that further down after running HJT again to fix some other items.
    7) Now scan with HijackThis and check the boxes for the following entries:
    ( Make sure ALL browser windows are closed when you click FIX )

    Again, make sure ALL browser windows are closed when you click FIX.

    8) Copy the contents of the below Quote Box to Notepad. Then click File and then Save As. Change the Save as Type to All Files. Name the file fixme.reg and then click save. (make sure you save it somewhere you can find it. Saving it to your Desktop may make that easy.) Then double-click on the fixme.reg file on your desktop (or locate it with Windows Explorer and double click on it if not saved to the Desktop) and when it prompts to Add in to the registry, say yes.
    9) Please RECONNECT to the internet now!

    10) Now download The Avenger by Swandog46, and save it to your Desktop.
    • Extract avenger.exe from the Zip file and save it to your desktop
    • Run avenger.exe by double-clicking on it.
    • Check the 'Input script manually' box.
    • Click on the magnifying glass icon.
    • Copy everything in the Quote box below, and paste it in the box that opens:
    • Now click the 'Done' button.
    • Click on the traffic light icon and OK the prompt.
    • You will be prompted to restart, OK the prompt and your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt
    11) After you restart your computer we want to Reset Web Settings & Default Security Settings

    Note for IE 6 users:
    To Reset Web Settings:
    Right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.

    If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.

    To Default Security Settings:
    Right click on your desktop Internet Explorer icon and select Properties. Then click the Security Tab and click Default Level for Internet, Local Intranet, Trusted Sites, and Restricted Sites. For IE 7 users, simply click the "Reset all zones to default level" button.

    Note for IE 7 users:
    Select Internet Options, then the Advanced Tab and then the Reset button under Reset Internet Explorer Settings.

    12) Please download ATF Cleaner by Atribune. This program does not require an installation. The executable actually runs the program.

    NOTE: This program is for Windows XP and Windows 2000 only. ATF Cleaner will remove all files from the items that are checked, so if you have some cookies you'd like to save, please move them to a different directory first.
    • Double-click ATF-Cleaner.exe to run the program.
    • Under Main choose: Select All
    • Click the Empty Selected button.
    If you use Firefox browser
    • Click Firefox at the top and choose: Select All
    • Click the Empty Selected button.
      • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    If you use Opera browser
    • Click Opera at the top and choose: Select All
    • Click the Empty Selected button.
      • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    Click Exit on the Main ATF Cleaner menu to close the program.


    13) After you have completed ALL of the above in the correct order, please attach the following logs.
    • HijackThis Log
    • ShowNew Log
    • GetRunKey Log
    • Avenger Log
    Please make sure your antivirus program is running again as it should. It probably will have started again when you rebooted and that is fine. Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now.

    abri
     
    Last edited by a moderator: Sep 1, 2007
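For readers following step 6 above on a machine where the Services console does not show an entry (the situation mismgr ran into), here is an added PowerShell example, not part of abri's instructions, that checks each service name listed in the post against both the Service Control Manager and the registry, records the binary path before anything is stopped, and only stops, disables and deletes when run with -Remove from an elevated prompt. The service names are the ones from the post; everything else is assumed.

```powershell
# Added example, not from the thread. Dry run by default; pass -Remove to act.
param([switch]$Remove)

# Service names exactly as listed in step 6 of the post above.
$suspect = @('LSaServ', 'ioodfiuji', 'AOL-V6', 'Machine Debug Manager', 'MCH_Debug-Manager')

function Find-Service($name) {
    # The post mixes short names and display names, so match on either.
    $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
    if (-not $svc) { $svc = Get-Service -DisplayName $name -ErrorAction SilentlyContinue }
    return $svc
}

foreach ($name in $suspect) {
    $svc = Find-Service $name
    if (-not $svc) {
        # Not listed by the SCM (what services.msc showed mismgr): look at the
        # registry key directly, where a service can still be registered.
        $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$name"
        if (Test-Path $key) {
            $img = (Get-ItemProperty $key).ImagePath
            Write-Output "$name : not listed by SCM, but registry key exists, ImagePath = $img"
        } else {
            Write-Output "$name : not found (nothing to do)"
        }
        continue
    }
    # Record the binary path first; the follow-up ShowNew/GetRunKey logs should
    # confirm that file is gone after the reboot.
    $wmi = Get-WmiObject Win32_Service -Filter "Name='$($svc.Name)'"
    Write-Output "$($svc.Name) [$($svc.DisplayName)] status=$($svc.Status) path=$($wmi.PathName)"
    if (-not $Remove) { continue }
    if ($svc.Status -ne 'Stopped') { Stop-Service -Name $svc.Name -Force -ErrorAction Continue }
    Set-Service -Name $svc.Name -StartupType Disabled
    # Same effect as HJT's "Delete an NT Service"; reboot afterwards as the post says.
    & sc.exe delete $svc.Name | Out-Null
}
```

Run it once without -Remove to see what each name resolves to, then again with -Remove after the antivirus has been disabled as described in step 2.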
  12. mismgr

    mismgr Private E-2

    I cannot find the ioodfiuji service to stop and disable it. When I try to disable it, it tells me that it is running and must be stopped first. BUT when I run services.msc it is not in the list.
     
  13. mismgr

    mismgr Private E-2

    Never mind. I found it and got it done.
     
  14. mismgr

    mismgr Private E-2

    Here are the log files AFTER all of your instructions were completed. I will post two with this and two with a separate post.
     

  15. mismgr

    mismgr Private E-2

    Here are the last two requested logs.
     

  16. abri

    abri MajorGeek

    Hi mismgr!
    When you ran the regedit4, did you get any confirmation or any message about it? It skipped some things.
    abri
     
  17. mismgr

    mismgr Private E-2

    When it first started there were a couple error messages as if it was looking for a file it could not find. After that it ran right through without much of a problem.

    Would you like me to run it again?
     
  18. mismgr

    mismgr Private E-2

    I apologize. I just went back over my notes and I did NOT get any messages of any kind when the regedit4 ran, other than it finished.
     
  19. abri

    abri MajorGeek

    No, you don't need to rerun it. Normally when it runs, it says something like the merge was successful. It seems to have ignored some things, so I will post a slightly different one to you as soon as there is agreement here on the next steps. Thanks for your patience!

    abri
     
  20. abri

    abri MajorGeek

    Hi mismgr!

    1) Please look in Add/Remove Programs for the following and uninstall them if found. If you get any errors just make a note and proceed.

    - WildTangent GameChannel (remove only)

    2) Scan with HijackThis and check the boxes for the following entries:
    ( Make sure ALL browser windows are closed when you click FIX )
    Again, make sure ALL browser windows are closed when you click FIX.

    3) Now download The Avenger by Swandog46, and save it to your Desktop.
    • Extract avenger.exe from the Zip file and save it to your desktop
    • Run avenger.exe by double-clicking on it.
    • Check the 'Input script manually' box.
    • Click on the magnifying glass icon.
    • Copy everything in the Quote box below, and paste it in the box that opens:
    • Now click the 'Done' button.
    • Click on the traffic light icon and OK the prompt.
    • You will be prompted to restart, OK the prompt and your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt
    4) Please download ATF Cleaner by Atribune. This program does not require an installation. The executable actually runs the program.

    NOTE: This program is for Windows XP and Windows 2000 only. ATF Cleaner will remove all files from the items that are checked, so if you have some cookies you'd like to save, please move them to a different directory first.
    • Double-click ATF-Cleaner.exe to run the program.
    • Under Main choose: Select All
    • Click the Empty Selected button.
    If you use Firefox browser
    • Click Firefox at the top and choose: Select All
    • Click the Empty Selected button.
      • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    If you use Opera browser
    • Click Opera at the top and choose: Select All
    • Click the Empty Selected button.
      • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    Click Exit on the Main ATF Cleaner menu to close the program.

    5) After you have completed all of the above, please attach the Avenger log, and after running new scans for ShowNew (newfiles.txt), GetRunKeys (runkeys.txt) and analyse.exe (hijackthis.log) please attach fresh logs for them as well. Also, please remember to answer the two questions at the very beginning about the strange folder under C:\WINDOWS AND, please let us know how it went and how your computer is running now.
    • Avenger Log
    • ShowNew Log
    • GetRunKey Log
    • HijackThis Log


    abri
     
  21. mismgr

    mismgr Private E-2

    Here are 3 of the latest log files after I did everything in your last post.

    You did mention answering "the two questions at the very beginning about the strange folder under C:\WINDOWS . . ."

    I did not see any question about the strange folder. If you can resend the questions, I will look at the folder and try to answer your questions.
     

  22. mismgr

    mismgr Private E-2

    4th log file.
     

  23. mismgr

    mismgr Private E-2

    The PC seems to be running fine. It has run much better since the first round of clean-ups.
     
  24. abri

    abri MajorGeek

    Hi mismgr!!
    Sorry about the two questions. A copy/paste oversight on my part.
    Your logs look good. Please do the instructions in the box and take some time to read through "How to Protect yourself from Malware."


    abri
     