Dad opened viral email. Need log look over

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by jashale, Sep 27, 2008.

  1. jashale

    jashale Private E-2

    I just need a final look over the logs to confirm no viruses or spyware. I am a self taught advanced user. From what I can tell, the logs look clean. Please confirm.
     

    Attached Files:

  2. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    You look pretty good after the scans....we just need to do a few things:

    Please Disable Spybot's TeaTimer

    * Run Spybot and click Mode
    * Select Advanced Mode.
    * Then click Tools and select Resident.
    * Now in the right window pane, uncheck TeaTimer.
    * Also while this is open, in the left column now select IE Tweaks
    * and then in the right pane make sure all the Miscellaneous locks are unchecked.
    * Now quit Spybot!

    Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    After clicking Fix, exit HJT.

    Now copy the bold text below to Notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.
    Now use windows explorer to find and delete:
    C:\Program Files\neibtde
    C:\Documents and Settings\All Users\Application Data\nyvibgbo

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file
     
  3. jashale

    jashale Private E-2

    TimW,

    I followed what you posted. Attached is the new log.
     

    Attached Files:

  4. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Neither of the items was removed. Did you get any error messages? Did you ensure that your AV and AS programs were disabled?
     
  5. jashale

    jashale Private E-2

    timw,

    No error messages. I did exactly as you asked. I run Avira Antivir; I right clicked on the taskbar icon and pressed deactivate. I am not running a real time antispyware program. I will try running the logs again. Maybe I uploaded the wrong logs.

    I didn't look through the logs this time. I will before I upload again.
     
  6. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Let me know. :)
     
  7. jashale

    jashale Private E-2

    Major System Files infected: winlogon.exe, lsass.exe, svchost.exe, spoolsv.exe

    My dad wasn't paying attention and he opened an e-card attached to an email. The virus he opened completely took over. I went through the "READ & RUN ME FIRST. Malware Removal Guide - MajorGeeks Support Forums" and "Windows XP Cleaning Procedure". Please no more references to it. The logs are located here: http://forums.majorgeeks.com/showthread.php?t=170505.

    The problem is major system processes are infected. Avira AntiVir kept saying that winlogon.exe is infected with TR/Patched.AA.546. I switched antivirus software to Avast Free edition. Avast, with its boot scan feature, confirmed that lsass.exe, spoolsv.exe, services.exe, svchost.exe, and winlogon.exe are infected with Win32:patched-CK [Trj]. So in all, these are the infected processes:

    lsass.exe
    services.exe
    spoolsv.exe
    svchost.exe
    winlogon.exe

    I did a little more digging. I hashed the above system files. I also hashed all files in the system32 folder. I compared the Infected Computer with Clean Computer 1 and Clean Computer 2. Only the above files were different between the infected computer and clean computers.

    Here are the results. Also, attached in tab delimited text format (open with a spreadsheet program for best viewing):
    (two screenshots of the hash-comparison results; the same data is in the attached tab-delimited file)

    I need to replace these files with clean versions which I have from the other computer. You cannot replace winlogon.exe from the Recovery Console or Bart's PE. I get an access denied error. I will try a bootable Linux CD next with NTFS support. My question is as follows.

    Question: I have clean versions of lsass.exe, services.exe, spoolsv.exe, svchost.exe, and winlogon.exe. How can I replace the infected files?

    Logs: http://forums.majorgeeks.com/showthread.php?t=170505
     

    Attached Files:
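    The hash comparison described in this post, as an added worked example (it is not the poster's spreadsheet or any MajorGeeks tool): it hashes every file under a suspect directory and under one or more directories copied from clean machines, then reports files whose hash matches none of the clean copies, files missing from the suspect tree, and files present only on the suspect. Taking several clean baselines is the point: legitimate files differ between patch levels, so a mismatch against a single machine is not proof of tampering, and a file is only flagged when no clean machine has that hash. The three sample trees, their file names and contents are constructed in a temporary directory so the script runs anywhere; in real use you point it at the infected system32 and at copies from clean machines on the same Windows version and service pack.

```python
"""Hash a suspect directory tree and compare it with trees copied from clean machines.

Added example for the hash comparison in the post above; the sample trees below are
constructed in a temporary directory, not data from the thread.
"""
import hashlib
import tempfile
from pathlib import Path


def hash_tree(root):
    """Return {relative path (lower-cased) -> SHA-256} for every regular file under root."""
    root = Path(root)
    digests = {}
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        h = hashlib.sha256()
        with path.open("rb") as fh:
            for chunk in iter(lambda: fh.read(1 << 20), b""):
                h.update(chunk)
        # Windows paths are case-insensitive, so normalise before comparing trees
        digests[path.relative_to(root).as_posix().lower()] = h.hexdigest()
    return digests


def compare(suspect, baselines):
    """Classify the suspect tree against one or more clean trees.

    modified: present on a clean machine but matches none of the clean hashes
    missing:  present on a clean machine, absent on the suspect
    extra:    present on the suspect only (dropped files, renamed copies)
    Several baselines are accepted because legitimate files differ between patch
    levels; a file is flagged only when no clean machine has that hash.
    """
    known = {}
    for tree in baselines:
        for rel, digest in tree.items():
            known.setdefault(rel, set()).add(digest)
    modified = sorted(rel for rel, d in suspect.items() if rel in known and d not in known[rel])
    missing = sorted(rel for rel in known if rel not in suspect)
    extra = sorted(rel for rel in suspect if rel not in known)
    return {"modified": modified, "missing": missing, "extra": extra}


def demo():
    """Build three small constructed system32 look-alikes and compare them."""
    base = {
        "winlogon.exe": b"MZ clean winlogon",
        "lsass.exe": b"MZ clean lsass",
        "kernel32.dll": b"MZ kernel32",
    }
    with tempfile.TemporaryDirectory() as tmp:
        for name in ("clean1", "clean2", "infected"):
            d = Path(tmp, name)
            d.mkdir()
            for fn, data in base.items():
                (d / fn).write_bytes(data)
        # clean2 is at a different patch level: its kernel32 is legitimately different
        (Path(tmp, "clean2") / "kernel32.dll").write_bytes(b"MZ kernel32 newer build")
        # the infection: a patched winlogon.exe and a dropped binary
        (Path(tmp, "infected") / "winlogon.exe").write_bytes(b"MZ clean winlogon\x00patched")
        (Path(tmp, "infected") / "dropped.dll").write_bytes(b"MZ dropped")
        suspect = hash_tree(Path(tmp, "infected"))
        clean = [hash_tree(Path(tmp, "clean1")), hash_tree(Path(tmp, "clean2"))]
        return compare(suspect, clean)


if __name__ == "__main__":
    for kind, files in demo().items():
        print(kind, files)
```

    Two caveats when running this for real: hashing system32 alone says nothing about a patched copy loaded from another directory or about the backup copy in system32\dllcache, so hash both, and confirm any flagged file with a signature check (for example sigcheck from the Sysinternals Suite) rather than treating a bare mismatch as proof.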

  8. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    The first thing we should try is to go to Start / Run, type "sfc /scannow" without quotes, and have your XP CD ready. Run it at least twice.
     
  9. jashale

    jashale Private E-2

    On Sunday, I wrote a batch file that replaced some system files:
    I put Sysinternals Suite in C:\Program Files\SysinternalsSuite\. I also copied good system files with good Microsoft signatures to C:\file_replace. This batch file successfully replaced spoolsv.exe, services.exe, and winlogon.exe. I got this idea from killing lsass.exe (system still runs without it) and replacing it with a clean copy. However svchost.exe did not get replaced.

    To replace svchost.exe, I right clicked on svchost.exe and pulled the Properties Dialog Box. From here I renamed it to svchost2.exe. I set the svchost2.exe to be deleted on next reboot using a utility called Unlocker. I then placed a clean copy of svchost.exe into the system32 folder. Don't ask me why this worked. I just know that it did.

    I will still run sfc /scannow.

    I will post the MGlogs.zip file in a few minutes for review.
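    The rename-then-replace trick from this post, as an added example written for it (not the poster's batch file, which is not shown in the thread): Windows lets you rename an executable while it is running, because open handles and the mapped image follow the file rather than its name; what it refuses is overwriting or deleting the mapped image in place, which is the "access denied" error. Unlocker's "delete on next reboot" is the Win32 call MoveFileEx with MOVEFILE_DELAY_UNTIL_REBOOT, which queues the operation in PendingFileRenameOperations and is what this script calls on Windows. The target, the clean copy and its expected hash are constructed sample files here; the paths, the svchost2.exe naming and the requirement that the caller supplies a hash taken from a known-clean machine are this example's assumptions.

```python
"""Replace a system executable that is currently in use.

Added example for the rename-and-replace trick in the post above; it is not the
poster's batch file. Sample files are constructed in a temporary directory.
"""
import ctypes
import hashlib
import os
import shutil
import sys
import tempfile
from pathlib import Path

# Win32 flag for MoveFileExW: queue the operation in PendingFileRenameOperations
# and carry it out during the next boot, before the image can be loaded again.
MOVEFILE_DELAY_UNTIL_REBOOT = 0x4


def sha256(path):
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()


def schedule_delete_on_reboot(path):
    """Delete `path` at next boot (what Unlocker's 'delete on reboot' does).

    Needs administrator rights. Returns False off Windows so the rest of the
    procedure can still be exercised on any platform.
    """
    if sys.platform != "win32":
        return False
    # lpNewFileName = NULL with MOVEFILE_DELAY_UNTIL_REBOOT means "delete at boot"
    return bool(ctypes.windll.kernel32.MoveFileExW(str(path), None, MOVEFILE_DELAY_UNTIL_REBOOT))


def replace_in_use_file(target, clean_copy, expected_sha256):
    """Swap `target` for `clean_copy` without stopping the process that has it mapped.

    The clean copy is checked against a hash taken from a known-clean machine
    first, so a wrong or tampered replacement is never installed.
    """
    target, clean_copy = Path(target), Path(clean_copy)
    if sha256(clean_copy) != expected_sha256:
        raise ValueError(f"{clean_copy} does not match the expected hash; refusing to install it")
    old_hash = sha256(target)
    aside = target.with_name(target.stem + "2" + target.suffix)  # svchost.exe -> svchost2.exe
    # A running image can be renamed (its handles follow the file, not the name)
    # but not overwritten or deleted in place, which is the 'access denied' error.
    os.replace(target, aside)
    shutil.copy2(clean_copy, target)
    scheduled = schedule_delete_on_reboot(aside)
    return {
        "old_hash": old_hash,
        "new_hash": sha256(target),
        "aside": aside.name,
        "delete_scheduled": scheduled,
    }


def demo():
    """Constructed sample: a 'patched' svchost.exe and a clean copy kept in file_replace."""
    with tempfile.TemporaryDirectory() as tmp:
        sys32 = Path(tmp, "system32")
        stash = Path(tmp, "file_replace")
        sys32.mkdir()
        stash.mkdir()
        (sys32 / "svchost.exe").write_bytes(b"MZ svchost\x00patched")
        (stash / "svchost.exe").write_bytes(b"MZ svchost clean")
        expected = sha256(stash / "svchost.exe")
        result = replace_in_use_file(sys32 / "svchost.exe", stash / "svchost.exe", expected)
        result["installed_ok"] = result["new_hash"] == expected
        result["aside_present"] = (sys32 / result["aside"]).exists()
        return result


if __name__ == "__main__":
    print(demo())
```

    Run it elevated on the real machine: MoveFileExW fails without administrator rights, and the function returns False off Windows so the hash checks can still be exercised. On XP, Windows File Protection keeps its own copy of protected files in system32\dllcache and may put that copy back, so verify or replace the dllcache copy as well, and check the result with sfc /scannow afterwards.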
     
  10. jashale

    jashale Private E-2

    The logs are attached. Hopefully this is it.

    sfc /scannow did not ask for the XP CD. I was not given any information or prompt after it finished. I assume everything is okay.
     

    Attached Files:

    Last edited: Oct 7, 2008
  11. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Yes....if it did not give you any message, then it was fine.

    As to the work you did to replace the bad file...well done!

    Are you still having problems?
     
  12. jashale

    jashale Private E-2

    No problems that are apparent. I want to keep a close eye on my dad's computer so that I can make sure all malware is gone.

    What's crazy is I replaced all these system files remotely. Yes my connection was lost many, many times, but I just called my parents to reboot the computer into Safe Mode With Networking or Normal Startup. This was a good challenge.
     
    Last edited: Oct 9, 2008
  13. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Good.....then lets clean up from the scans in the meantime:

    Copy the bold text below to Notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.
    Make sure that you tell me if you receive a success message about adding the above to the registry. If you do not get a success message, it definitely did not work.


    If you get a success message, then it is time to do our final steps:


    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources (except a little disk space) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /u
        • Note: the space between combofix" and /u must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.

      • Delete the C:\combo-fix folder from combofix.
    3. If we had you run Avenger, you can delete all files related to Avenger now.
    4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    7. Go to add/remove programs and uninstall HijackThis.
    8. You can delete the C:\MGtools folder and the C:\MGtools.exe file. You can also delete the C:\MGlogs.zip
    9. If you are running Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning steps in the READ ME for your Windows version and see the steps to Disable System Restore, which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.

    10. After doing the above, you should work thru the below link:

     
