Avira AntiVirus Disabled rootkit & possible keystroke logger; Log files included

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by nadsab, Mar 29, 2009.

  1. nadsab

    nadsab Private E-2

    Hi,

    I have attached log files and followed all instructions found here: http://forums.majorgeeks.com/showthread.php?t=139313

    My problem started just three days ago. I have Avira antivirus, and it had been working fine for months, and now all of a sudden it freezes up when I try to check for rootkits in the Local Protection menu, and it freezes up when I click on any of the items on the main menu. The strange thing is, it will still do a full system scan when I click the icon in the main Windows system tray in the lower right hand corner of my browser, but that’s about it. I can’t even shut Avira off from the main menu icon, which I could do before. I’m running Windows XP by the way. So a few days ago, since Avira came out with a new version 9, I decided to upgrade to see if that solved the problem, and even after upgrading from version 8 to version 9, I have the same exact problem.

    Now about a month ago, I upgraded my PC from Windows 2000 to XP. The folks at Avira said this should work OK, and I did not notice any problems at the time. I am not really sure if this problem started with the upgrade because I never checked the full functionality of Avira; all I have done are the regular updates and the full system scans, which still work, but that’s all that works. I only checked the full functionality of Avira 3 days ago. Another issue that could have caused the problem: I installed WAMP about a week ago because I wanted to try some dynamic development with Dreamweaver for web sites I have been working on, and I think that it could have opened up my PC to attack.

    So the reason why I came to the MajorGeeks site was because, in a separate check after some research, I installed Sysinternals from Microsoft and opened up the autoruns.exe application and found a MEMSWEEP2 entry, which I have read is a keystroke logger, so then I thought I had some major malware infections and found your site.

    So I followed all the instructions on this site, log files attached. I have read that some malware disables antivirus applications and thought that is what my problem is. Interesting to note, I tried shutting off Avira during the above instructions for one of the 4 malware scanners' instructions and a window came up that said I could not kill the process, I don’t have permission, even though I was logged on as admin. So the only way I could run ComboFix was to uninstall Avira a second time. I did that and ran the scans, reinstalled Avira after all the scans, and still have the same exact problem of Avira freezing up, and I see that MEMSWEEP2 is still there. So I am wondering if I have been infected with any kind of malware that is preventing my antivirus software from detecting it.

    I am wondering if this issue could be as simple as a reinstall or OS upgrade problem, but the folks over at the Avira site don’t seem to have a clue as to what is wrong.

    I hope someone can give me some insights here; I would really appreciate any info or hints as to what I could try next.
     


  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Major Geeks!

    You are reading incorrect information. MEMSWEEP2 is from installing Sophos AntiRootkit which you have installed.

    Is this the only reason for posting here?
     
  3. nadsab

    nadsab Private E-2

    Hello chaslang thanks,

    No, the main reason why I am posting here is because the antivirus application keeps crashing, and sometimes my PC freezes up when that happens and I have to reboot.
     
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    What antivirus application? You don't have one installed, which is a big problem and also a possible reason why I see some infections in your logs. I will give you a fix for these in my next message.
     
  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I strongly advise you to clean up your Desktop. Remove everything but links to run programs. Do not download and save programs here and definitely do not use it for long term storage. You need to keep ComboFix.exe here for now as we need it, but we will be removing it when we are finished with your cleanup. A cluttered Desktop is malware's playground and it can also cause performance degradation, especially when you start saving large files here like you are doing.

    Run this Disable/Remove Windows Messenger to remove Windows Messenger. Do not confuse Windows Messenger with MSN Messenger because they are not the same. Windows Messenger is a frequent cause of popups.

    Uninstall the below old versions of software:
    Java 2 Runtime Environment, SE v1.4.2_15

    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - file://C:\Documents and Settings\DS\Local Settings\Temp\EI40_\msxml4.cab
    O23 - Service: FXJDWJHHOCBLDNO - Unknown owner - C:\DOCUME~1\DS\LOCALS~1\Temp\FXJDWJHHOCBLDNO.exe (file missing)
    O23 - Service: UGD - Unknown owner - C:\DOCUME~1\DS\LOCALS~1\Temp\UGD.exe (file missing)
    O23 - Service: XMXIWVA - Unknown owner - C:\DOCUME~1\DS\LOCALS~1\Temp\XMXIWVA.exe (file missing)

    After clicking Fix, exit HJT.

    Now we need to use ComboFix to remove a bunch of malware files.
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    • Open Notepad and copy/paste the text in the below quote box into it:
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below
    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.


    Now run Ccleaner to clean out only temp files and nothing else!

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:
    • C:\ComboFix.txt
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
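As an added example (not from the thread, HijackThis or MajorGeeks), here is a small triage script that applies the same checks chaslang applies by eye to the O16/O23 lines above: a service whose binary is missing, lives in a Temp folder, has an unknown owner, or carries a random-looking name, and a DPF object loading from a local Temp path. The sample log embeds the four lines from the post plus one constructed benign control line; the Avira service path in it is an assumption.

```python
import re

# Constructed sample log: the four HijackThis lines quoted in the post above,
# plus one benign control line (the Avira path is assumed, not taken from the thread).
HJT_SAMPLE = """\
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - file://C:\\Documents and Settings\\DS\\Local Settings\\Temp\\EI40_\\msxml4.cab
O23 - Service: FXJDWJHHOCBLDNO - Unknown owner - C:\\DOCUME~1\\DS\\LOCALS~1\\Temp\\FXJDWJHHOCBLDNO.exe (file missing)
O23 - Service: UGD - Unknown owner - C:\\DOCUME~1\\DS\\LOCALS~1\\Temp\\UGD.exe (file missing)
O23 - Service: XMXIWVA - Unknown owner - C:\\DOCUME~1\\DS\\LOCALS~1\\Temp\\XMXIWVA.exe (file missing)
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\\Program Files\\Avira\\AntiVir Desktop\\avguard.exe
"""

# HijackThis line shapes: "O23 - Service: <name> - <owner> - <path> [(file missing)]"
O23_RE = re.compile(
    r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+?)"
    r"(?P<missing> \(file missing\))?$"
)
# "O16 - DPF: {CLSID} (<description>) - <url>"
O16_RE = re.compile(r"^O16 - DPF: \{[0-9A-Fa-f-]+\} \((?P<desc>.+?)\) - (?P<url>.+)$")
TEMP_RE = re.compile(r"\\temp\\", re.IGNORECASE)   # any "\Temp\" path component
RANDOM_NAME_RE = re.compile(r"^[A-Z]{3,}$")       # bare run of capitals, no real words


def triage_hjt(log_text):
    """Return one finding per suspicious O16/O23 line, listing why it was flagged."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        reasons = []
        m = O23_RE.match(line)
        if m:
            if m.group("missing"):
                reasons.append("file missing")          # service still registered, binary gone
            if TEMP_RE.search(m.group("path")):
                reasons.append("runs from Temp")         # legitimate services do not live in Temp
            if m.group("owner").lower() == "unknown owner":
                reasons.append("unknown owner")
            if RANDOM_NAME_RE.match(m.group("name")):
                reasons.append("random-looking name")   # heuristic only, not proof by itself
            if reasons:
                findings.append({"kind": "O23", "name": m.group("name"), "reasons": reasons})
            continue
        m = O16_RE.match(line)
        if m:
            url = m.group("url")
            if url.lower().startswith("file://") and TEMP_RE.search(url):
                reasons.append("DPF object loads from local Temp")
            if reasons:
                findings.append({"kind": "O16", "name": m.group("desc"), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage_hjt(HJT_SAMPLE):
        print(f"{f['kind']} {f['name']}: {', '.join(f['reasons'])}")
```

Run against a full HijackThis log the script only narrows the list; each flagged entry still needs the manual check of owner and file properties that the thread walks through.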
     
  6. nadsab

    nadsab Private E-2

    Hi chaslang,

    Thanks so much for the help I really appreciate it! The system does seem to run faster. There is a really weird problem though, I’ll explain…

    I actually do have antivirus - I use Avira. I believe the reason why you did not see it in the first set of logs is that it was freezing up, and I believe at the time when I ran the scans the only way I could shut down Avira was to uninstall it, because in its current state I can't turn it off, it just runs.

    Now here is the strange part. I tried a few things over the past few days. First I created a new guest account, and logged on as the guest, and strangely enough, none of the menu items on Avira freeze up; I can do a rootkit scan (which comes up no malware found). BUT, I cannot turn on the firewall or real time virus monitoring as a guest user.

    But when I log on as the original admin user, Avira menus freeze up.

    So then, I created a new Admin user, and everything seems to work, except a weird thing – when I do a rootkit scan with Avira, it stalls half way through the scan.

    What I did, since your instructions require that all antivirus be turned off during your tasks: the only way I could turn Avira off was to uninstall it while I was doing the tasks, and after I was done, I reinstalled Avira. And it still has the same problem after running your recommended tasks.

    The people at Avira think the admin accounts could have been corrupted. What I am worried about is – is it possible for either a hack, or malware, to have taken over administrator account(s) on my PC or even corrupted the admin?

    Also out of curiosity, what was the malware we removed? Could that have screwed up my admin account?
     


    Last edited: Apr 1, 2009
  7. nadsab

    nadsab Private E-2

    Just one thing to add- some new info...

    After the malware removal, I started to run a new Avira rootkit scan as the new administrator account I created. Everything so far seems to work OK, and now after the malware removal, the Avira rootkit scan completes 100 percent and does not stall on any files as it did before. Before, it stalled on a file, I believe in the registry, called hausaufgaben.de. I saved the Avira log for that stalled scan BTW.

    However, the original admin account will not allow Avira to run correctly - Avira freezes up. Should I be worried about this? The original admin is somehow disabling the antivirus software.

    I am wondering, should I just delete the old, original admin account? Since I have a new admin account that seems to run Avira OK? If I do that, do you think I could get locked out of PC? Or would deleting the original administrator account just give me a false sense of security and maybe the PC is still compromised?

    Or maybe leaving the old administrator account on the PC is a security risk?

    Because apparently whatever malware I had disabled my ability to use Avira. Either that, or somehow my original admin account got corrupted due to a simple disk problem or memory problem. BUT, before I removed the malware, the newly created admin account still had a problem: when I ran that rootkit scan as the new administrative user, when it got 45 percent through the scan, even though the progress bar said it was 45% through the scan, above the progress bar it said the scan was finished and it stalled on that hausaufgaben.de file. But now after the malware removal, the scan as the new admin user completes 100 percent with no malware found.

    Anyway just wondering what I should do now.
     
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Which account are you calling the original admin account and which is the new account?

    If you are referring to the user account that is actually named Guest, you need to disable this and never use it. Using this account is a sure way to get your PC infected.


    Yes, it is possible that your original account has become corrupted and you may need to delete it. However, before doing that, try running the below on this user account, and we still have more malware to remove.

    Resetting Registry and File Permissions

    Also do you know who/what the below files are from? Is the second from c:\program files\SanityCheck ? What is this? Did you just install this? If so, you need to stop installing anything new. Only do what we request.
    Code:
    "C:\WINNT\system32\drivers\"
    adfs.sys      Mar  8 2009       73312  "adfs.sys"
    rspsan~1.sys  Mar  2 2009       30136  "rspSanity32.sys"
    You can get properties info on the files by doing the below for each file.

    Right click Start and select Explore to bring up Windows Explorer. Use it to navigate to the C:\WINNT\system32\drivers\adfs.sys file and right click on it and select Properties. Now see if there is a Version tab in the window. If so, select the Version tab and on the next window select each of the listed Item names (one at a time) to get more info about the file. The most important Item is the company name. If there is no Version tab, tell me that too. Do this for both files.


    Now we need to use ComboFix
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    • Open Notepad and copy/paste the text in the below quote box into it:
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below
    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.


    Now run Ccleaner to clean out only temp files and nothing else!

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:
    • C:\ComboFix.txt
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
  9. nadsab

    nadsab Private E-2

    Hi and thanks so much chaslang!

    The user guest I created just to test out Avira AntiVir. I never granted it admin privileges; however, I have turned it off, it is now disabled. The original admin account is the account named DS - that was the account in which, while logged in, AntiVir functionality froze up. The new admin account I created I named poweruser. The poweruser account ran Avira AOK with no problems after I ran your first set of instructions, which I thought was strange, given that the original admin account - DS - had problems with Avira.

    OK now this is the strange thing that happened. AFTER I ran your first batch of instructions, and after I made my response post to those instructions, I tried out the original admin account again, and had the same problem. But (I think) a day later, I tried the original admin account called DS again, and it functioned perfectly with AntiVir. The freezing up problem went away completely. I don't know how or why it started working; I ran a couple of XP disk scans and the only thing I can think of is that maybe a few bad files or sectors on disk were repaired by the scans, or maybe your original instructions repaired the problem, I don't know. All I know is that the original admin account, DS, did not work with Avira, and caused Avira to freeze up, and then a day later it automagically worked.

    So I actually did create a system restore point per your above instructions, but before I run your Resetting Registry and File Permissions, I thought I should tell you this information first to see if you still wanted me to run it, given the new information about the DS admin account now working OK with AntiVir. Could it be that some malware or hacker is playing games with my admin account and switched it back to function? Or could your first set of instructions and or the disk scan have repaired the problem?

    Yes, sorry, I did install Sanity Check. OK, I promise to not install anything new until we are done, sorry about that. If you want me to uninstall it let me know; I will wait till I hear from you until I do anything on that.

    OK, the adfs.sys file according to properties is from Adobe, it's called the “Adobe Drive File System Driver”, version 4.0.1, otherwise known as Adobe Drive. Unless some malware disguised a malware file by naming it an Adobe file, I do have a lot of Adobe software - Creative Suite 4, so it could be legitimate.

    The second file is from a company called Resplendence software, it's Resplendence Sanity Check, version 1.00, rspsanity.sys is the internal name.
    By the way, I don't know if it makes any difference, but I had both Adobe Creative Suite 2 and Creative Suite 4 installed on my PC, and to clean things up and remove excess software, I uninstalled the older Creative Suite 2 version; it was redundant.

    OK I followed the rest of your instructions logs attached.

    Just a note, I disabled AntiVir and Anti Spyware before I ran ComboFix, but not the firewall, and the firewall popped up while running ComboFix and I think it stalled, so I ran ComboFix a second time with the firewall off and ComboFix seemed to work AOK as it did the first time. The only difference: the first time ComboFix ran, ComboFix came up and said a new version of ComboFix was available, so I downloaded and installed that, hope that was legit and not malware.

    I was wondering, what was that first batch of malware we removed? Did that, or could that have, caused Avira AntiVir to malfunction?

    I was also wondering, I was using WAMP, which is from http://www.wampserver.com/, a week before this all happened. Could WAMP have opened me up for attack? I was using it for web design purposes for Dreamweaver; I would like to still use it if I can set it up to be secure, but if it compromises my PC then I don't want to use it. It's an extremely useful tool for dynamic PHP-MySQL web development though, your opinion on that is appreciated...
     


    Last edited: Apr 4, 2009
  10. nadsab

    nadsab Private E-2

    Forgot to mention 2 things sorry, I lost my edit button...

    The original admin account, DS, is now set to a limited, not an administrator, account. AntiVir now functions AOK when DS is either admin (when temporarily switching user type) or a limited user. The account called poweruser is now admin. Also, before this all started happening, I NEVER password protected any of my Windows accounts, which was stupid. That has all changed in the past week; all are now password protected.
    Is the purpose of this: http://forums.majorgeeks.com/showthread.php?t=169862 to delete the admin account? Or make the new admin account a super admin and transfer power over to the new admin account?
     
    Last edited: Apr 4, 2009
  11. nadsab

    nadsab Private E-2

    Also to note, I ran your new set of instructions while logged in as the new admin poweruser if that makes any difference.
     
  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Don't know. You would have to check in the Software Forum to see if anyone knows of security issues with it.


    We have one more bad driver to remove with ComboFix
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    • Open Notepad and copy/paste the text in the below quote box into it:
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below
    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    Now download the current version of MGtools and save it to your root folder. Overwrite your previous MGtools.exe file with this one.

    Run MGtools.exe ( Note: If using Vista make sure UAC is still disabled. Also don't double click on it, use right click and select Run As Administrator )

    Now attach the below logs:
    • C:\ComboFix.txt
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    No! It is all for what the title of the thread stated.
     
  14. nadsab

    nadsab Private E-2

    Thanks so very much for all the help chaslang!

    I was looking on your front page, is there a way I can donate to majorgeeks?

    Did the fact that I did not run the "Resetting Registry and File Permissions" instructions on that user account cause problems? Should I still run it, or is that not needed now?
     


  15. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    We do not have an official way to do that, but you can check out the Geek-Wear link and support MGs that way. :)

    Not necessary if everything is working okay now.

    Your logs are clean.

    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources ( except a little disk space ) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /u
        • Notes: The space between the combofix" and the /u, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
      • Delete the C:\combofix folder from combofix (if it exists)
    3. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    4. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    5. Go to add/remove programs and uninstall HijackThis.
    6. You can delete the C:\MGtools folder and the C:\MGtools.exe file. You can also delete the C:\MGlogs.zip
    7. If you are running Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures in step 3 of the READ ME for your Windows version and see the instructions to Disable System Restore, which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    8. After doing the above, you should work thru the below link:
     
  16. nadsab

    nadsab Private E-2

    OK thanks very much chaslang, I will check out the Geek-Wear for sure, and follow your final instructions.

    Can you please tell me, exactly what was the malware that we removed? Was it a keystroke logger, or something like that?

    Did the malware cause the AntiVir to become disabled, or was that a separate, independent issue not related to the malware?
     
  17. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome.

    Unknown/unclassified trojans. Thus it is unknown as to what they may or may not do.

    Possibly, but as I said above, the actual problems caused by these unknown items are also unknown.
     
  18. nadsab

    nadsab Private E-2

    OK great thanks,

    2 last questions: should I completely delete that original admin account?

    Also I just noticed this morning that I had two disk errors a few weeks back in the event viewer. Could this have caused the admin account to become corrupted in some way that would cause AntiVir to crash?

    Thanks so much again, I'm going to buy an M-Geeks t-shirt this weekend!
     
  19. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    If you don't need it, then why have it, especially if it does not work properly?

    Don't really know, but since you said Avira was working again it is unlikely, since a disk error would cause a permanent problem.
     
