Problems with IE, AVG and possible rootkits

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by Junior94, Nov 22, 2007.

  1. Junior94

    Junior94 Private E-2

    Hi,

    Recently, IE keeps shutting off, and AVG showed some issues with Resident Shield not working. Had to re-install AVG, but problems with IE still persist, and I have some slowness. I've run a rootkit scan, found a hidden file called brognet.exe and some hidden .dll files (6). Looking for advice on what the issue is.

    Thanks!
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

  3. Junior94

    Junior94 Private E-2

    OK, I've done all of the steps in the clean-up as outlined

    1: House Cleaning & Setup
    Uninstalling malware programs
    Msconfig must be set for Normal Startup mode
    Empty ALL Quarantine type folders for antivirus and antispyware applications.
    Run Ccleaner
    2: Enable viewing of hidden files, system files and file extensions
    3: Procedures based on your Windows Operating System

    For VISTA, I was not able to successfully run Combofix.exe or MGTools.exe
    Don't know why.

    When I ran AVG spyware, only had one item. see attached.

    Suggestions on next steps - do you want me to send in a HJT log?

    Also, what about possible rootkit concerns from what I have seen with AVG anti-rootkit?

    Thanks,
    John

    Please advise
     

  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Did you read in the procedure for MGtools about disabling UAC? ComboFix should also run, try running it as administrator.

    Did you tell AVG Antispyware not to fix what it found on purpose? That is do you know what the program is that it found?
     
  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Do you have a log from AVG AntiRootkit that you can attach?
     
  6. Junior94

    Junior94 Private E-2

    OK, when I tried to run MGTools, I got a message when it got to the embedded portion related to the HJT scan that write-access permission to the hosts file was denied. Got into an unending loop in the dialogue with a never-ending message about permission to access the file being denied. Zip file not created.

    When I tried to run ComboFix, the dialogue box gave me a message "out of memory" and a Windows pop-up that said "freeware implementation of Reg.exe has stopped working".

    I had run HJT on my own, not as part of MGTools. I'll send that along if you want to see it.

    Here's the rootkit file.
     

  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I repeat my previous question. Did you disable UAC? If you can run HijackThis manually yourself, there is no reason it would be blocked in the MGtools procedure.


    I don't understand this one at all unless something has just recently (within the last couple days) changed. Please redownload ComboFix now from the link in the READ ME just to make sure you have the current version. Then try running it again. There was an issue with ComboFix expiring just a couple days ago.

    You don't have HijackThis installed properly nor is it renamed as required. As such the log will not be that helpful since it could miss things.

    Does the C:\Windows\System32\dotohdir folder mean anything to you?


    Run AVG AntiRootkit again and see if it can fix/delete the below files:
    C:\Windows\System32\brogunet.exe
    C:\Windows\System32\cpyubmp3.dll
    C:\Windows\System32\dxemmin.dll
    C:\Windows\System32\libaknt.dll
    C:\Windows\System32\maxuplan.dll
    C:\Windows\System32\ocxacjob.dll
    C:\Windows\System32\selarkbd.dll

    I see you have SpySweeper installed. Is it a paid version or free trial version? If free, uninstall it. If paid, you need to uninstall AVG Antispyware and Windows Defender needs to be stopped now.

    You also need to uninstall the Viewpoint Manager (and any other Viewpoint software) as requested in the READ ME.
     
  8. Junior94

    Junior94 Private E-2

    OK, went back to the beginning and started all over. Deleted the questionable rootkits, turned off defender, uninstalled AVG AS, deleted Viewpoint, etc. Reinstalled Combofix, renamed HJT, turned off UAC and then went to run the tools.

    Everything ran fine, except I could not run ComboFix.

    The directory in question at the bottom is for monitoring software for IM chats, so the reference is OK.

    Also can't attach MGTools zip to this mail - won't give me an option to attach, so how do you want to deliver?

    Thanks,
     
  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    What exact message did you get this time?


    Try again now. If you still have a problem, empty your browser cache and click refresh a couple of times. If that does not work, try a different browser (like FireFox if you are using IE).
     
  10. Junior94

    Junior94 Private E-2

    OK, here's the message I got from trying to run Combofix:

    Blue dialogue box (Combofix.exe run as administrator):
    Message In the blue dialogue box:
    Please wait.
    Combofix is preparing to run
    Out of memory

    This was followed by a Microsoft Windows pop-up:
    “Freeware implementation of REG.EXE has stopped working
    A problem caused the program to stop working correctly.
    Windows will close the program and notify you if a solution is available.”

    But instead of closing down the pop-ups, I took 5 minutes to write down the messages and then Combofix decided to run.

    Attached are the combofix logs and MGTools reports.
     

  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Your logs look to be free of malware. We do have some minor things to do though.

    • Click on Start, then Run ... type services.msc into the box that opens up, and press 'OK'.
    • On the page that opens, scroll down to Viewpoint Manager Service
    • then right click the entry, select Properties and press Stop Service.
    • When it shows that it is stopped, next please set the Start-up Type to 'Disabled'.
    • Now repeat the above for the below two services
      • EQHQLRIOF
      • GANM
    • Click OK until you get back to Windows.
    Uninstall the below old versions of software:
    Java(TM) 6 Update 2
    Java(TM) SE Runtime Environment 6


    Run HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    R3 - URLSearchHook: (no name) - {c7e292f8-1f8d-40a6-8fa6-e6e83d51e7e1} - (no file)
    O2 - BHO: (no name) - {c7e292f8-1f8d-40a6-8fa6-e6e83d51e7e1} - (no file)
    O3 - Toolbar: (no name) - {c7e292f8-1f8d-40a6-8fa6-e6e83d51e7e1} - (no file)
    O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"

    After clicking Fix, exit HJT.
    Now use Windows Explorer to delete the below folders:
    C:\ProgramData\Viewpoint
    C:\Program Files\AskPBar

    Now run Ccleaner


    How are things working?
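The clean-up steps in the two staff posts above (stop and disable the named services, remove the listed Run entries, and check whether the hidden System32 files flagged by AVG AntiRootkit are still present) can also be done and, more importantly, verified from an elevated PowerShell prompt. The script below is an added example for readers of this thread; it is not a MajorGeeks tool and not something chaslang posted. The file paths, service names and Run values are the ones quoted in this thread; the `-Remediate` switch and the `$ReportPath` location are assumptions of this example. Without `-Remediate` it only audits and reports, so it can be run first to see what is actually on the machine before anything is changed.

```powershell
# Added example, not a MajorGeeks or chaslang script.
# Audits the artifacts named in this thread; changes nothing unless -Remediate is given.
# Run from an elevated (Run as administrator) PowerShell prompt.
[CmdletBinding()]
param(
    [switch]$Remediate,                                  # assumed switch: actually stop/disable/remove
    [string]$ReportPath = "$env:TEMP\cleanup-audit.txt"  # assumed report location
)

# Hidden files AVG AntiRootkit flagged (paths taken from the thread)
$suspectFiles = @(
    "$env:SystemRoot\System32\brogunet.exe",
    "$env:SystemRoot\System32\cpyubmp3.dll",
    "$env:SystemRoot\System32\dxemmin.dll",
    "$env:SystemRoot\System32\libaknt.dll",
    "$env:SystemRoot\System32\maxuplan.dll",
    "$env:SystemRoot\System32\ocxacjob.dll",
    "$env:SystemRoot\System32\selarkbd.dll"
)

# Services the staff post asks to stop and set to Disabled (names from the thread)
$suspectServices = @('Viewpoint Manager Service', 'EQHQLRIOF', 'GANM')

# HKLM Run entries from the HijackThis O4 lines in the thread
$runKey    = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$runValues = @('Windows Defender', 'SunJavaUpdateSched')

$report = @()

# 1. Hidden files: -Force makes Get-Item return hidden/system files; report whether
#    each one is still there, whether it is hidden, and whether it carries a valid signature.
foreach ($f in $suspectFiles) {
    $item = Get-Item -LiteralPath $f -Force -ErrorAction SilentlyContinue
    if ($item) {
        $hidden = (($item.Attributes -band [IO.FileAttributes]::Hidden) -ne 0)
        $sig    = Get-AuthenticodeSignature -FilePath $f
        $report += "FILE present: $f  hidden=$hidden  signature=$($sig.Status)"
    } else {
        $report += "FILE absent : $f"
    }
}

# 2. Services: look the name up as a service name first, then as a display name,
#    show the binary it runs, and (only with -Remediate) stop it and set it to Disabled.
foreach ($name in $suspectServices) {
    $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
    if (-not $svc) { $svc = Get-Service -DisplayName $name -ErrorAction SilentlyContinue }
    if ($svc) {
        $wmi = Get-WmiObject -Class Win32_Service -Filter "Name='$($svc.Name)'"
        $report += "SERVICE $($svc.Name): status=$($svc.Status) start=$($wmi.StartMode) path=$($wmi.PathName)"
        if ($Remediate) {
            Stop-Service -Name $svc.Name -Force -ErrorAction SilentlyContinue
            Set-Service  -Name $svc.Name -StartupType Disabled
            $report += "  -> stopped and set to Disabled"
        }
    } else {
        $report += "SERVICE $name: not found"
    }
}

# 3. Run entries: show the command each value launches; remove only with -Remediate.
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
foreach ($v in $runValues) {
    if ($run -and $run.PSObject.Properties[$v]) {
        $report += "RUN entry '$v' = $($run.$v)"
        if ($Remediate) {
            Remove-ItemProperty -Path $runKey -Name $v
            $report += "  -> removed"
        }
    } else {
        $report += "RUN entry '$v': not present"
    }
}

# Print the report and keep a copy to attach to a follow-up post.
$report | Tee-Object -FilePath $ReportPath
```

The service section is the scripted form of the services.msc steps in the post: the `StartMode` and `PathName` fields from Win32_Service show what the service would launch at boot, which is the quickest way to tell a legitimately installed monitoring agent from a randomly named entry like the two listed here. Running the audit once more after the changes (and after a reboot) confirms the services stay stopped and the Run values stay gone.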
     
  12. Junior94

    Junior94 Private E-2

    Looks like everything related to Viewpoint is related to a NY Yankees toolbar I have installed and would like to keep. What are the issues with Viewpoint?

    So, I eliminated second and third items for the services command (by the way, what is purpose of this command), eliminated the old Java installations, and eliminated any of the HJT items that were not related to the toolbar. I eliminated the AskPBar file and ran CCleaner.

    Everything runs better although there are still some sporadic issues with the AVG Resident Shield - seems like this happens if you try to access something too quickly before all items boot up on start-up. IE Explorer OK, and the rootkit files are all related to the monitoring application in question.

    Thanks for your help. Are the HJT logs OK?
     
  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    It is considered adware and also it is software that gets installed on thousands of PCs unknowingly to the end user, and in 99.99% of all cases the user does not want it or need it wasting system resources. You are the first person I have seen in tens of thousands that actually needs it for something. But you also probably did not know it was installed. It's your decision in the end; if this is the only thing on your PC, it is not a major problem. We and most others don't recommend it. It is also why a tool like ViewpointKiller was written and is included in the Anti-Spyware directory for download.

    To stop questionable services from running that you don't need. Most services like this are malware.

    Attach a new one and I will let you know.
     
  14. Junior94

    Junior94 Private E-2

    Thanks, on second review the NY Yankees toolbar is not connected to Viewpoint, so I have eliminated the Viewpoint Media Player and used the run command to disable as instructed. In Explorer I could not delete the Viewpoint folder.

    One question: after doing all this, now I have a message that my Security Center service is turned off, and I can't turn it back on when I click on the button to turn it back on. When I look at individual parts of the Service, Windows Update, Windows Firewall, and Internet Options all look OK. I just can't turn on the Security Center service. Have you ever seen this, or is it related to any of the adjustments here?

    Here's the latest HJT log.

    Thanks
     

  15. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Perhaps you could after a reboot.


    Did you re-enable UAC? There is a file in the C:\MGtools folder named EnableUAC.reg which you can double click on and it will do this automatically for you. We did not do anything to physically disable Security Center Service and uninstalling Viewpoint has nothing to do with it.
     