Nasty infection - causing BSOD intermittently

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by d8122, Apr 22, 2010.

  1. d8122

    d8122 Private E-2

    This is my cousin's computer. He had a particularly nasty version of Internet Explorer Super Anti-virus that disabled .exe files amongst other things, which I have been trying to clean since 9AM this morning. I have run AVG Free 9.0 (it reports no problems now), SAS (it cleared a ton of stuff), edited the registry to allow .exe files to run, fought for three hours to get MBAM to run (it finally did run), ran Spybot and have just finished ComboFix, which reported rootkit issues as well. Until this point, I got the BSOD and a memory error 0x00000008 whenever I tried to boot to Windows XP in normal mode. Safe mode with networking ran OK, but with warnings. I'm attaching the logs I can find and would appreciate any assistance or direction in other actions I should take to clear things for him. I REALLY do not want to have to reload XP if I can avoid it, especially since he can't find the CDs and I don't have a copy of Media Center, which is the version he's been running. Thanks in advance.
     

    Attached Files:

  2. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    I still need to see the C:\Mglogs.zip from running C:\MGTools.exe. Run that if you haven't already per the instructions in the R&R and attach the log it creates into your next reply and then I can get on with giving you a fix.
     
  3. d8122

    d8122 Private E-2

    Thank you! I've attached the log from MGTools as well as a MBAM log I was able to run this morning. No more BSOD so far today, but would appreciate your insight as to anything else I can do to clean up the mess.
     

    Attached Files:

  4. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    And what a mess it is. Let's get started on clean up!

    1. Before we continue, I would like for you to use MSConfig to put this machine back into normal startup mode.

    2. You have two different antivirus programs installed. This is never a good idea for many reasons, so please uninstall one of the two before we continue:

    • Trend Micro PC-cillin Internet Security 12
    • AVG Free 9.0

    3. Please go to Add/Remove programs and uninstall the following software:

    • J2SE Runtime Environment 5.0 Update 6

    4. If you do not use Windows Messenger, run Disable/Remove Windows Messenger to remove it. Do not confuse Windows Messenger with MSN Messenger, because they are not the same. Windows Messenger is a frequent cause of popups.

    5. Did you set the below? If not then include it in our fixables:

    6. Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    After clicking Fix exit HJT.

    7. Now we need to use ComboFix
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    • If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
    • Open Notepad and copy/paste the text in the below quote box. Ensure you scroll down to select ALL the lines:
    Code:
    KILLALL::
    
    RenV::
    c:\program files\Adobe\Reader 9.0\Reader\reader_sl .exe
    c:\program files\Common Files\Adobe\ARM\1.0\adobearm .exe
    c:\program files\Common Files\InstallShield\UpdateService\issch .exe
    c:\program files\Common Files\InstallShield\UpdateService\isuspm .exe
    c:\program files\Dell\Media Experience\dmxlauncher .exe
    c:\program files\Dell Support\dsagnt .exe
    c:\program files\Google\Google Desktop Search\googledesktop .exe
    c:\program files\Google\GoogleToolbarNotifier\googletoolbarnotifier .exe
    c:\program files\Intel\Intel Matrix Storage Manager\iaanotif .exe
    c:\program files\iTunes\ituneshelper .exe
    c:\program files\QuickTime\qttask          .exe
    c:\program files\Yahoo!\Messenger\yahoomessenger .exe
    c:\program files\Yahoo!\Search Protection\searchprotection .exe
    c:\windows\ehome\ehtray .exe
    c:\windows\system32\DLA\dlactrlw .exe
    c:\docume~1\ed\locals~1\temp\chc         .exe
    
    FileLook::
    c:\windows\system32\FFD313F53E.sys
    
    DirLook::
    C:\WINDOWS\8C503S8BZ13JLG57
    
    File::
    c:\program files\Adobe\Reader 9.0\Reader\reader_sl .exe
    c:\program files\Common Files\Adobe\ARM\1.0\adobearm .exe
    c:\program files\Common Files\InstallShield\UpdateService\issch .exe
    c:\program files\Common Files\InstallShield\UpdateService\isuspm .exe
    c:\program files\Dell\Media Experience\dmxlauncher .exe
    c:\program files\Dell Support\dsagnt .exe
    c:\program files\Google\Google Desktop Search\googledesktop .exe
    c:\program files\Google\GoogleToolbarNotifier\googletoolbarnotifier .exe
    c:\program files\Intel\Intel Matrix Storage Manager\iaanotif .exe
    c:\program files\iTunes\ituneshelper .exe
    c:\program files\QuickTime\qttask          .exe
    c:\program files\Yahoo!\Messenger\yahoomessenger .exe
    c:\program files\Yahoo!\Search Protection\searchprotection .exe
    c:\windows\ehome\ehtray .exe
    c:\windows\system32\DLA\dlactrlw .exe
    c:\program files\76156.dat
    C:\Documents and Settings\LocalService\Local Settings\Application Data\63RDu2gJKQ
    C:\Documents and Settings\NetworkService\Local Settings\Application Data\63RDu2gJKQ
    C:\Documents and Settings\ed\Local Settings\Application Data\22k5paIc
    c:\docume~1\ed\locals~1\temp\chc         .exe
    C:\Documents and Settings\ed\Local Settings\Application Data\3007464621
    C:\Documents and Settings\ed\Local Settings\Application Data\30074646213035940529
    C:\Documents and Settings\ed\Local Settings\Application Data\30074646213289215207
    C:\Documents and Settings\ed\Local Settings\Application Data\300746462163RDu2gJKQ
    C:\Documents and Settings\ed\Local Settings\Application Data\30074646217Alp65jw
    C:\Documents and Settings\ed\Local Settings\Application Data\3007464621812392749
    C:\Documents and Settings\All Users\Application Data\22k5paIc
    C:\Documents and Settings\All Users\Application Data\3007464621
    C:\Documents and Settings\All Users\Application Data\3035940529
    C:\Documents and Settings\All Users\Application Data\3289215207
    C:\Documents and Settings\All Users\Application Data\63RDu2gJKQ
    C:\Documents and Settings\All Users\Application Data\7Alp65jw
    C:\Documents and Settings\All Users\Application Data\812392749
    C:\Documents and Settings\ed\Templates\22k5paIc
    C:\Documents and Settings\ed\Templates\3007464621
    C:\Documents and Settings\ed\Templates\3035940529
    C:\Documents and Settings\ed\Templates\3289215207
    C:\Documents and Settings\ed\Templates\63RDu2gJKQ
    C:\Documents and Settings\ed\Templates\7Alp65jw
    C:\Documents and Settings\ed\Templates\812392749
    C:\WINDOWS\system32\wahoneza.dll 
    c:\docume~1\ed\LOCALS~1\Temp\geurge.exe
    c:\docume~1\ed\LOCALS~1\Temp\nvsvc32.exe
    
    Folder::
    c:\documents and settings\ed\Local Settings\Application Data\cxbkaolui
    
    Registry::
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\befifufobi]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ewrgetuj]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hsf87efjhdsf87f3jfsdi7fhsujfd]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YVIBBBHA8C]
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4efb-9B51-7695ECA05670}]
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4efb-9B51-7695ECA05670}\NoExplorer]
    
    RegLock::
    [HKEY_USERS\S-1-5-21-2897835390-3875079946-978270905-500\Software\Microsoft\Internet Explorer\User Preferences]
    @Denied: (2) (Administrator)
    "88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
       d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,49,73,fa,c4,4c,ca,93,4c,8d,e4,4c,\
    "2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
       d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,49,73,fa,c4,4c,ca,93,4c,8d,e4,4c,\
    
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe


    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below

    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.


    8. Reboot your machine and install the most current and up to date version of Java available here at the below link:

    Java Runtime 6

    9. Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this.

    10. Let us know of any problems you may have encountered with the above instructions and also let me know how things are running now!
     
    Last edited: Apr 22, 2010
  5. d8122

    d8122 Private E-2

    I tried to follow your instructions to the letter... with one exception. I uninstalled AVG earlier today before your message and installed MS Security Essentials (in the hope the idiot would at least let that update), but I cannot get PC-Cillin to uninstall. If I try to uninstall under CP, a fatal error occurs. There's nothing under Program Files, and Task Manager doesn't show a pccmon* process running, but ComboFix insists it is there. I even tried downloading a fresh install in hopes it would overwrite and fill in any blanks, but that didn't work either. I ran ComboFix anyway. The only messages that popped up said Windows was missing critical files and to insert the XP Professional CD 2. I didn't (and can't, should I need to in the future, as this machine is running Media Center and the only disc I have is for XP Pro). All else went smoothly and I have not experienced any BSODs today as I surfed, added a new user account and found a great recipe for Arroz Con Pollo.
    The logs for ComboFix and MGTools are attached.

    PS - if any marginal "fluff" stuff would best be uninstalled, please let me know. It hasn't helped him get a date anyway.

    You're a champ!
     

    Attached Files:

  6. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Both AVG and Trend Micro require removal tools. Let's see what we can do to clear up from the old antivirus and also have another go at deleting some files that are being stubborn.

    Official AVG Removal Tool

    PCCTool from Trend Micro

    Now run CCleaner (not on the registry section, though).

    Please go to Jotti's malware scan

    (If more than one file needs to be scanned, they must be done separately and the logs posted for each one.)
    • Copy the file path in the below Code box:
      Code:
      c:\windows\system32\FFD313F53E.sys
    • At the upload site, click the browse button.
    • Next click Submit file
    • Your file will possibly be entered into a queue which normally takes less than a minute to clear.
    • This will perform a scan across multiple different virus scanning engines.
    • Important: Wait for all of the scanning engines to complete.
    • Once the scan is finished, Copy and then Paste the link in the address bar into your next reply.

    Could you please get this: FFD313F53E.sys into a zipped file and attach it for me in your next post? To do this, see the below:

    Please go to Start > Run and paste in the following:
    log retrievable @ C:\collect.zip

    Now we need to use ComboFix
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    • If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
    • Open Notepad and copy/paste the text in the below quote box. Ensure you scroll down to select ALL the lines:
    Code:
    KILLALL::
    
    Folder::
    c:\windows\8C503S8BZ13JLG57
    C:\Documents and Settings\ed\Local Settings\Application Data\avg
    c:\program files\AVG
    c:\documents and settings\NetworkService\Local Settings\Application Data\avG
    c:\documents and settings\All Users\Application Data\avG
    
    File::
    C:\Documents and Settings\ed\Local Settings\Application Data\3035940529
    C:\Documents and Settings\ed\Local Settings\Application Data\3289215207
    C:\Documents and Settings\ed\Local Settings\Application Data\63RDu2gJKQ
    C:\Documents and Settings\ed\Local Settings\Application Data\7Alp65jw
    C:\Documents and Settings\ed\Local Settings\Application Data\812392749
    
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe


    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below

    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    Also delete all files in the below bold folders except ones from the current date (Windows will not let you delete the files from the current day).

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this.
     
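The two CFScript blocks Kestrel13! posted above share one layout: a section header such as `KILLALL::`, `RenV::`, `File::`, `Folder::`, `Registry::` or `RegLock::`, followed by one entry per line, with the long `RegLock::` hex values wrapped onto indented continuation lines. Two of the patterns being cleaned up are visible in the entries themselves: legitimate executables whose names had whitespace inserted before the `.exe` extension (which is what the `RenV::` section undoes) and randomly named files dropped into the Application Data and Templates folders. The following Python script is an added example, not part of the thread and not ComboFix's own code: it parses that layout and reports both patterns so a helper can review a script before it is run. The sample script text is constructed here (its paths are copied from the thread as illustration, the SID is a placeholder), and the helper names and the "random-looking name" heuristic are my own assumptions rather than anything ComboFix does.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample in the CFScript layout used in the thread above.
# Paths are illustrative; the SID in the RegLock key is a placeholder.
SAMPLE_CFSCRIPT = r"""KILLALL::

RenV::
c:\program files\QuickTime\qttask          .exe
c:\windows\ehome\ehtray .exe

File::
c:\windows\ehome\ehtray .exe
c:\program files\76156.dat
C:\Documents and Settings\All Users\Application Data\63RDu2gJKQ

Folder::
c:\documents and settings\ed\Local Settings\Application Data\cxbkaolui

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\befifufobi]

RegLock::
[HKEY_USERS\S-1-5-21-0-0-0-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"DEADBEEF"=hex:01,00,00,00,d0,8c,
   9d,df,01,15,\
"""

HEADER_RE = re.compile(r"^([A-Za-z]+)::\s*$")
# Whitespace between the file's base name and its final extension,
# e.g. "qttask          .exe" -- the renaming trick RenV:: reverses.
SPACED_EXT_RE = re.compile(r"\S\s+(\.[A-Za-z0-9]+)$")
# Heuristic (assumption, not a ComboFix rule): a bare leaf name of 8+
# alphanumerics containing at least one digit and no extension.
RANDOM_NAME_RE = re.compile(r"^(?=.*\d)[A-Za-z0-9]{8,}$")


def parse_cfscript(text: str) -> Dict[str, List[str]]:
    """Split a CFScript into {section name: [entries]}.
    Blank lines are skipped; an indented line continues the previous
    entry, which is how wrapped RegLock:: hex values are represented."""
    sections: Dict[str, List[str]] = {}
    current = None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        header = HEADER_RE.match(raw)
        if header:
            current = header.group(1)
            sections.setdefault(current, [])
            continue
        if current is None:
            raise ValueError(f"entry before any section header: {raw!r}")
        if raw[0].isspace() and sections[current]:
            sections[current][-1] += raw.strip()
        else:
            sections[current].append(raw.rstrip())
    return sections


def has_spaced_extension(path: str) -> bool:
    """True when whitespace was inserted before the file extension."""
    return SPACED_EXT_RE.search(path) is not None


def renv_target(path: str) -> str:
    """The name the file should have once the inserted whitespace is removed."""
    return re.sub(r"\s+(\.[A-Za-z0-9]+)$", r"\1", path)


def looks_random_name(path: str) -> bool:
    """Flag leaf names such as 63RDu2gJKQ or 3035940529 (heuristic)."""
    leaf = path.replace("/", "\\").rstrip("\\").rsplit("\\", 1)[-1]
    return RANDOM_NAME_RE.match(leaf) is not None


def triage(text: str) -> Dict[str, object]:
    """Parse a script and list the entries that match the two patterns."""
    sections = parse_cfscript(text)
    spaced: List[Tuple[str, str]] = []
    seen = set()
    for name in ("RenV", "File"):
        for entry in sections.get(name, []):
            if has_spaced_extension(entry) and entry.lower() not in seen:
                seen.add(entry.lower())
                spaced.append((entry, renv_target(entry)))
    random_names = [
        entry
        for name in ("File", "Folder")
        for entry in sections.get(name, [])
        if looks_random_name(entry)
    ]
    return {
        "sections": sorted(sections),
        "spaced_extensions": spaced,
        "random_names": random_names,
    }


if __name__ == "__main__":
    report = triage(SAMPLE_CFSCRIPT)
    print("sections:", ", ".join(report["sections"]))
    for old, new in report["spaced_extensions"]:
        print(f"rename: {old!r} -> {new!r}")
    for entry in report["random_names"]:
        print(f"random-looking name: {entry}")
```

Running the script on its embedded sample prints the two `RenV::` renames and the one random-looking Application Data entry; pointing `triage()` at the text of a real CFScript.txt gives the same review for a script you are about to run.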
  7. d8122

    d8122 Private E-2

    Attached Files:

  8. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Was taught by Chaslang and another online malware removal school. :)

    Anyway, your logs are clean!

    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources (except a little disk space) until you run a scan.
    2. If we used Pocket Killbox during your cleanup, do the below
      • Run Pocket Killbox and select File, Cleanup, Delete All Backups
    3. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /uninstall
        • Notes: The space between the combofix" and the /uninstall, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
    4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    7. Go to add/remove programs and uninstall HijackThis.
    8. Go to the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program, which will remove files and folders related to MGtools and some other items from our cleaning procedures.
    9. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures in step 3 of the READ ME for your Windows version and see the instructions to Disable System Restore, which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    10. After doing the above, you should work through the below link:
     
  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    It is just from using DivX. ;)
     
  10. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Thanks Chas LOL
     
