inlaw's computer with persistent malware

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by agris, Jan 3, 2014.

  1. agris

    agris Private E-2

    First off, I'm glad that you guys have put together such a comprehensive system for dealing with malware removal. I haven't had to clean out a computer since '07 or earlier, apparently when malware was less sophisticated and rootkits less common.

    I've read and followed the pinned readme post and removal instructions for Vista. All software completed, none failed to start or crashed.

    System: Vista SP1 32 bit, 2 gb ram. AVG was the AV pre-infection, MSE is the current. Stock Vista firewall.

    Symptoms: audio ads playing intermittently (they sound like 'radio ads' to me, and short news clips/pseudo news) despite no applications running. svchost.exe is gobbling up 75 - 100% of CPU cycles and slowing down the computer massively, and the process is exhibiting a memory leak (easily 500+ mb and increases with time). Whatever Windows files this has dug itself into, forcing closed svchost also gives me a Windows pop up saying that the plug and play service has ended unexpectedly and the system must restart (only option is 'close', and it will restart regardless of whether I click it or not). In contrast to other rootkits I've googled with these symptoms, there are no pop-up ads or browser redirects. Indeed, the only signs are the audio ads and computer slow down (and svchost memory usage).

    Background: This is my in-law's computer and I don't know what the point of infection was. Before I found the resources here, I used my '07 mindset and downloaded SB S&D (version 2!) and ran a clean / immunize. Not having solved the problem, I followed with Malwarebytes and TDSSKiller. This is for the benefit of full disclosure. None of the software found anything very suspicious (suspect registry entries and 2 items in TDSSKiller for which the recommended action was 'skip'). MB did find something called 'iLivid' and removed it. After none of this worked, I found the resources here and followed the guides to a T.
    __________________________________________________________

    Attached you find all the logs. None of the software other than HitmanPro detects anything (apart from MGtools, whose output I can't interpret). It looks like HitmanPro found it, but it's embedded in system files and didn't want to remove them (as the thread indicated I shouldn't) before consulting with the experts here.


  2. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Re-run Hitman Pro and have it delete everything EXCEPT for the below:

    • C:\Windows\system32\rpcss.dll



    Download and run OTM.

    Download OTM by Old Timer and save it to your Desktop.

    • Right-click OTM.exe and select "Run as administrator" to run it.
    • Paste the following code under the yellow bar (the Paste List of Files/Folders to Move area). Do not include the word Code.

    Code:
    :Files
    C:\Windows\System32\euasfk.lch
    C:\Windows\System32\hagkxhw.gqe
    C:\Windows\System32\jeavvi.bjo
    C:\Windows\System32\ldaix.mew
    C:\Windows\System32\xrfllml.jbc
    C:\Users\Yakov\AppData\Roaming\UpdaterEX
    
    :reg
    [-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2406}]
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2406}]
    
    :Commands
    [emptytemp]
    [Reboot]
    • Return to OTM, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste.
    • Push the large [​IMG] button.
    • OTM may ask to reboot the machine. Please do so if asked.
    • Copy everything in the Results window (under the green bar), and paste it in your next reply.

    NOTE: If you are unable to copy/paste from this window (as will be the case if the machine was rebooted), open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTM\MovedFiles folder, and open the newest .log file present, and attach the contents of that document back here in your next post.



    Now re-run Hitman again (just a scan) and attach the new log.



    Please download AdwCleaner by Xplode http://www.bleepingcomputer.com/download/adwcleaner/ and save to your Desktop.

    • Double click on AdwCleaner.exe to run the tool.
    • Vista/Windows 7/8 users right-click and select Run As Administrator
    • Click on the Scan button.
    • AdwCleaner will begin...be patient as the scan may take some time to complete.
    • After the scan has finished, click on the Report button...a logfile (AdwCleaner[R#].txt) will open in Notepad for review (where the largest value of # represents the most recent report).
    • The contents of the log file may be confusing. Unless you see a program name that you know should not be removed, don't worry about it. If you see an entry you want to keep, let me know about it.
    • Attach the logfile to your next reply.
    • Copies of all logfiles are saved in the C:\AdwCleaner folder which was created when running the tool.


    Run the C:\MGtools\GetLogs.bat file by double clicking on it. (Right-click and run as admin if using Vista, Windows 7 or Windows 8.) Then attach the new C:\MGlogs.zip file that will be created by running this.

    Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now!
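An added triage example for the symptoms described in the first post (one svchost.exe pinned at high CPU, and the Plug and Play service dying when it is killed) and for the rpcss.dll that Hitman Pro flagged and the helper told the poster to leave alone. It is not part of either post and not one of the tools the thread uses. It maps every svchost.exe to the services it hosts, reads each service's hosting DLL from the ServiceDll registry value, and reports the Authenticode status of that file, which is how a defender would spot a system DLL whose contents no longer match its signature without deleting anything. It assumes an elevated PowerShell prompt on Windows Vista or later and uses only built-in cmdlets (Get-Process, Get-WmiObject, Get-ItemProperty, Get-AuthenticodeSignature).

```powershell
# Added example (not from the thread): per-svchost service and DLL signature triage.
# Assumes an elevated PowerShell session on Windows Vista or later.

$svcKeyRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services'

# Every svchost.exe instance, highest CPU time first, so the one pinned at
# 75-100% CPU with a growing working set is listed at the top.
$hosts = Get-Process -Name svchost -ErrorAction SilentlyContinue |
    Sort-Object CPU -Descending

foreach ($h in $hosts) {
    $mb = [math]::Round($h.WorkingSet64 / 1MB, 1)
    Write-Output ("svchost PID {0}: {1}s CPU, {2} MB working set" -f $h.Id, [int]$h.CPU, $mb)

    # Services running inside this PID (Get-WmiObject keeps this PowerShell 2.0 compatible).
    $services = Get-WmiObject Win32_Service -Filter ("ProcessId = {0}" -f $h.Id)
    foreach ($svc in $services) {
        # Shared services record the DLL they run from under Parameters\ServiceDll,
        # often with %SystemRoot% in the path, so expand it before touching the file.
        $params = Get-ItemProperty -Path (Join-Path $svcKeyRoot "$($svc.Name)\Parameters") -ErrorAction SilentlyContinue
        $dll = $params.ServiceDll
        if (-not $dll) { continue }
        $dll = [Environment]::ExpandEnvironmentVariables($dll)

        if (-not (Test-Path -LiteralPath $dll)) {
            Write-Output ("  {0,-16} {1}  MISSING ON DISK" -f $svc.Name, $dll)
            continue
        }

        $sig = Get-AuthenticodeSignature -FilePath $dll
        $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(none)' }

        # HashMismatch means the file has an embedded signature but its bytes no longer
        # match it: the pattern of a patched system DLL. NotSigned on a System32 file is
        # not conclusive on its own, because many Microsoft binaries are catalog-signed and
        # older PowerShell versions do not consult the catalog; confirm with sfc /verifyonly.
        $flag = switch ($sig.Status) {
            'HashMismatch' { '  <-- HASH MISMATCH: contents differ from signature' }
            'NotTrusted'   { '  <-- signed by an untrusted certificate' }
            'NotSigned'    { '  (no embedded signature; verify against the catalog)' }
            default        { '' }
        }
        Write-Output ("  {0,-16} {1}  [{2}] {3}{4}" -f $svc.Name, $dll, $sig.Status, $signer, $flag)
    }
}
```

The RpcSs service shows up under the svchost that hosts it, so the flagged C:\Windows\system32\rpcss.dll is checked along with everything else; a HashMismatch there would corroborate the Hitman Pro finding, while a Valid status with a Microsoft signer is a reason to keep leaving the file alone, as the helper instructed. Killing the hosting svchost is still the wrong move: the services listed under it (Plug and Play among them) go down with it, which is exactly the restart prompt the poster saw.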
     
