Malware problem not fixed with Malware Removal instructions

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by aagarwal584, Dec 23, 2007.

  1. aagarwal584

    aagarwal584 Private E-2

    Please find attached the logs from the scans in the Windows XP Cleaning Procedures. I followed the Cleaning Procedures but still have a problem. The problems can be pinpointed to yesterday when I surfed to a web site without having up-to-date Anti-Virus definition files. Before I knew it, I had an infected machine.
    There seem to be 2 problems.

    (1) After restarting the computer, Windows File Protection gives following message.

    Windows File Protection
    Files that are required for Windows to run properly have been replaced by unrecognized versions. To maintain system stability, Windows must restore the original versions of these files. Insert your Windows XP Professional CD2 now.

    I have Dell OEM Windows XP Media Center 2005 installed on my Dell Dimension 5150/E510. Problem is, Dell has a Windows XP re-installation CD but Dell states there is no 'CD2'.

    (2) I keep getting pop ups every time Internet Explorer is open. The pop ups occur on their own.

    Hopeful you can help me to fix the problem.
    Thanks,
    Ankur

    p.s. Please note, the AVG Anti-spyware log is not attached because it was not generated by the tool. I scanned my computer using Trend Micro (after updating virus definition files) and I can provide the logs if you need.
     

  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Major Geeks!

    Run this Disable/Remove Windows Messenger to remove Windows Messenger. Do not confuse Windows Messenger with MSN Messenger because they are not the same. Windows Messenger is a frequent cause of popups.

    Uninstall the below old versions of software:
    Java 2 Runtime Environment, SE v1.4.2_03

    Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    F3 - REG:win.ini: load=C:\WINDOWS\system32\mlljg.exe
    O2 - BHO: (no name) - {3F7BDD0B-0462-4F19-8B87-54D83601B87C} - C:\WINDOWS\system32\mlljg.dll
    O2 - BHO: (no name) - {B8AFD866-6B8B-490E-DA2E-39E671810F96} - C:\WINDOWS\system32\mknamps.dll (file missing)
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask .exe" -atboottime

    After clicking Fix, exit HJT.


    Now download The Avenger by Swandog46, and save it to your Desktop.
    • Extract avenger.exe from the Zip file and save it to your desktop
    • Run avenger.exe by double-clicking on it.
    • Check the 'Input script manually' box.
    • Click on the magnifying glass icon.
    • Copy everything in the Quote box below, and paste it in the box that opens:
    • Now click the 'Done' button.
    • Click on the traffic light icon and OK the prompt.
    • You will be prompted to restart, OK the prompt and your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt
    Now after reboot, run Windows Explorer and locate the below file.
    C:\WINDOWS\system32\ctfmon.exe.tmp

    When you find the file, right click on it and select rename. Change the name back to: ctfmon.exe

    Now install the current version of Sun Java from: Sun Java Runtime Environment

    Now run Ccleaner!

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this and also attach the log from Avenger.

    Make sure you tell me how things are working now!
     
  3. aagarwal584

    aagarwal584 Private E-2

    Hi chaslang,
    Please see logs attached.
    It appears one problem is resolved (IE is not popping up windows anymore), but the other problem is still there (Windows File Protection message).

    I have run Avenger but Windows Explorer still shows that 4 files exist which were marked to be deleted:
    mlljg.exe
    mlljg.dll
    gjllm.ini
    gjllm.ini2
    Should these be there?

    After restarting, Windows gives me an error that it cannot find "c:\windows\system32\mlljg.exe" which is required by a registry entry.

    Please tell me next steps.
    I have a suspicion malware is still there and am hopeful you can help me further.
    Thanks,
    Ankur
     

  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You may have a new type of infection. I'm seeing strange things in your logs. There are process names with spaces in the file names where there should be no spaces. More on these further down!!

    You did not comment on my instructions for fixing the ctfmon.exe.tmp file and getting your original back. Did you complete the steps? Did you have any problems?

    I need you to put the below two files into a ZIP file and attach it here. You will notice one file has a space in the name.
    Code:
    C:\
    wrbtafjf.bat  Dec 24 2007      327680  "wrbtafjf.bat"
    wrbtaf~1.bat  Dec 24 2007        1080  "wrbtafjf .bat"
    Thus you have a C:\wrbtafjf.bat and a C:\wrbtafjf .bat, both of differing sizes. This could be happening to other processes too, as seen in your HJT log.
     
  5. aagarwal584

    aagarwal584 Private E-2

    Hi chaslang,
    Please find the zip file attached.
    I'm seeing the process names with spaces too when I use Task Manager.
    It appears ctfmon.exe was repaired automatically by Windows File Protection. Windows does not allow renaming the ctfmon.exe.tmp to the original name, giving an error that the file already exists. There is a log entry in the Windows Event Viewer indicating this:

    File replacement was attempted on the protected system file c:\windows\system32\ctfmon.exe. This file was restored to the original version to maintain system stability. The file version of the bad file is 5.1.2600.2180, the version of the system file is 5.1.2600.2180.

    Funny thing is, my Trend Micro OfficeScan anti-virus does not detect the mjllg.exe as a virus although I can see it is there. I have updated the anti-virus and run a full scan of the hard drive with no infections detected, but I know the system is infected.

    Hopeful there is a fix for my computer.
    Thanks
    Ankur
     

  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes, you are still infected. Many of the items we were trying to remove in message #2 did not get removed even though Avenger removed them initially. Something on your system revived them. I need to gather some more info because I'm concerned about all those processes that I see with spaces in the filenames. I wrote a little tool to dump out some info to a log.

    Download the attached ShowFile.zip file to the C:\MGtools folder. Then also extract the ShowFile.bat program from the ZIP file into the C:\MGtools folder too. Then run the ShowFile.bat program by double clicking on it. This will create the following log file: C:\MGtools\filelist.txt. Attach this file to your next message.


    Also please delete the below two files. One was from Avenger but the other was modified by something.
    C:\wrbtafjf.bat
    C:\wrbtafjf .bat


    Also did you run the Disable/Remove Windows Messenger program as requested?
     

    Last edited: Dec 25, 2007
  7. aagarwal584

    aagarwal584 Private E-2

    Hi chaslang,
    Please find the file attached.
    I deleted the two files (wrbtafjf.bat with and without the space) with no problems.
    Also, I removed Windows Messenger as per the previous instructions.
    Thanks,
    Ankur
     

  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    That log shows that many of your programs have been corrupted and are no longer trustworthy. See the below list of things seen in the log. And note that it is very important to realize this is only a very small subset of all the files that may have been changed on your PC.
    Code:
    "C:\Program Files\BitTorrent\"
    bi728a~1.exe  Dec 24 2007      390144  "bittorrent    .exe"
    bi7e3e~1.exe  Dec 25 2007       43008  "bittorrent      .exe"
    bif0c6~1.exe  Dec 25 2007      390144  "bittorrent     .exe"
    bittor~1.exe  Dec 23 2007      390144  "bittorrent.exe"
    bittor~2.exe  Dec 24 2007      390144  "bittorrent .exe"
    bittor~3.exe  Dec 24 2007      390144  "bittorrent  .exe"
    bittor~4.exe  Dec 25 2007      390144  "bittorrent   .exe"
     
    "C:\Program Files\Corel\Corel Photo Album 6\"
    mediad~1.exe  Dec 25 2007      457216  "MediaDetect.exe"
    mediad~2.exe  Dec 25 2007      106496  "MediaDetect .exe"
     
    "C:\Program Files\CyberLink\PowerDVD\"
    dvdlau~1.exe  Dec 25 2007      396288  "DVDLauncher.exe"
    dvdlau~2.exe  Dec 25 2007       53248  "DVDLauncher .exe"
     
    "C:\Program Files\DellSupport\"
    dsagnt~1.exe  Dec 25 2007      460784  "DSAgnt .exe"
    dsagnt.exe    Dec 25 2007      855552  "DSAgnt.exe"
     
    "C:\Program Files\Dell Support Center\bin\"
    sprtcm~1.exe  Dec 25 2007      202544  "sprtcmd .exe"
    sprtcmd.exe   Dec 25 2007      530432  "sprtcmd.exe"
     
    "C:\Program Files\Google\Google Desktop Search\"
    gof5db~1.exe  Dec 25 2007      168448  "GoogleDesktop .exe"
    google~2.exe  Dec 25 2007      505856  "GoogleDesktop.exe"
     
    "C:\Program Files\Google\GoogleToolbarNotifier\"
    google~1.exe  Dec 25 2007      423424  "GoogleToolbarNotifier.exe"
    google~2.exe  Dec 25 2007       68856  "GoogleToolbarNotifier .exe"
     
    "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\"
    avgas~3.exe   Dec 25 2007     7464448  "avgas   .exe"
    avgas~2.exe   Dec 25 2007     7464448  "avgas  .exe"
    avgas~1.exe   Dec 24 2007     7464448  "avgas .exe"
    avgas.exe     Dec 23 2007     6731312  "avgas.exe"
     
    "C:\Program Files\HP\HP Software Update\"
    hpwusc~1.exe  Dec 25 2007      377856  "HPWuSchd2.exe"
    hpwusc~2.exe  Dec 25 2007       49152  "HPWuSchd2 .exe"
     
    "C:\Program Files\Intel\Modem Event Monitor\"
    intelmem.exe  Dec 25 2007      550400  "IntelMEM.exe"
    intelm~1.exe  Dec 25 2007      221184  "IntelMEM .exe"
     
    "C:\Program Files\Logitech\QuickCam\"
    quickcam.exe  Dec 25 2007     2371072  "Quickcam.exe"
    quickc~1.exe  Dec 25 2007     2027792  "Quickcam .exe"
     
    "C:\Program Files\MUSICMATCH\Musicmatch Jukebox\"
    mimboo~1.exe  Dec 25 2007        8192  "mimboot .exe"
    mimboot.exe   Dec 25 2007      335872  "mimboot.exe"
    mm_tra~1.exe  Dec 25 2007      110592  "mm_tray .exe"
    mm_tray.exe   Dec 25 2007      491008  "mm_tray.exe"
     
    "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\"
    drgtodsc.exe  Dec 25 2007     1203200  "DrgToDsc.exe"
    drgtod~1.exe  Dec 25 2007      868352  "DrgToDsc .exe"
     
    "C:\Program Files\Trend Micro\OfficeScan Client\"
    pccntmon.exe  Dec 25 2007      684544  "pccntmon.exe"
    pccntm~1.exe  Dec 25 2007      356352  "pccntmon .exe"
     
    "C:\Program Files\Utimaco\SafeGuard Easy\"
    ecview~1.exe  Dec 25 2007       24576  "Ecview .exe"
    ecview.exe    Dec 25 2007      355328  "Ecview.exe"
    edwizard.exe  Dec 25 2007      574976  "EdWizard.exe"
    edwiza~1.exe  Dec 25 2007      245760  "EdWizard .exe"
     
    "C:\Program Files\Yahoo!\Messenger\"
    ya00bc~1.exe  Dec 24 2007     5016064  "YahooMessenger    .exe"
    ya3557~1.exe  Dec 25 2007     4662776  "YahooMessenger      .exe"
    ya823d~1.exe  Dec 23 2007     5016064  "YahooMessenger   .exe"
    yab7df~1.exe  Dec 25 2007     5016064  "YahooMessenger     .exe"
    yahoom~1.exe  Dec 25 2007     5016064  "YAHOOM~1.EXE"
    yahoom~2.exe  Dec 23 2007     5016064  "YahooMessenger .exe"
    yahoom~3.exe  Dec 23 2007     5016064  "YahooMessenger  .exe"
    yahoom~4.exe  Dec 25 2007     4662776  "YAHOOM~1 .EXE"
     
    "C:\Program Files\Common Files\InstallShield\UpdateService\"
    is1d91~1.exe  Dec 25 2007      603136  "isuspm      .exe"
    is4e42~1.exe  Dec 25 2007      603136  "isuspm       .exe"
    is9f12~1.exe  Dec 25 2007      603136  "isuspm     .exe"
    issch~1.exe   Dec 25 2007       81920  "issch .exe"     <--- valid one according to Internet
    issch.exe     Dec 25 2007      411136  "issch.exe"
    isuspm~2.exe  Dec 23 2007      603136  "isuspm  .exe"
    isuspm~1.exe  Dec 23 2007      603136  "isuspm .exe"
    isuspm.exe    Dec 23 2007      603136  "isuspm.exe"
    isuspm~3.exe  Dec 24 2007      603136  "isuspm   .exe"
    isuspm~4.exe  Dec 24 2007      603136  "isuspm    .exe"
     
    "C:\Program Files\Common Files\LogiShrd\LComMgr\"
    commun~1.exe  Dec 25 2007      895488  "Communications_Helper.exe"
    commun~2.exe  Dec 25 2007      563984  "Communications_Helper .exe"
     
    "C:\WINDOWS\ehome\"
    ehtray~1.exe  Dec 25 2007       67584  "ehtray .exe"   <--- valid one according to Internet
    ehtray.exe    Dec 25 2007      395264  "ehtray.exe"                          
     
    "C:\WINDOWS\system32\dla\"
    tfswctrl.exe  Dec 25 2007      480256  "tfswctrl.exe"
    tfswct~1.exe  Dec 25 2007      127035  "tfswctrl .exe"   <--- valid one according to Internet

    We have no way of easily identifying all the files on your PC that may have been changed, nor do we have an easy way of knowing which file is the valid one in all cases. In addition, if any single one of these infected files remains on your PC, when you run the file, it could just start reinfecting all the EXE files on your system again.

    Besides all of the above, you still have a nasty case of a form of a Vundo infection that needs to be fixed.

    The problem is that your PC is not trustworthy due to all the files that have been modified, and since we cannot really reliably fix this, your safest solution would really be to erase your partitions, format and then reinstall. It is not even safe to back up anything since we don't know which files may be infected. Even your antivirus program itself is infected. And so is your Utimaco SafeGuard encryption program.
     
    Last edited: Dec 26, 2007
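The file listing in the post above shows the telltale pattern of this infection: in each folder, the original program sits beside one or more copies whose long names differ only by spaces inserted before ".exe", usually with a different size. The following is an added example (not chaslang's ShowFile.bat and not part of the original thread) that parses a listing in the same format and groups files whose names collide once spaces are removed; the sample listing embedded in it is constructed from rows quoted in the thread.

```python
import re
from collections import defaultdict

# Constructed sample in the listing format quoted in the thread: a quoted
# directory line, then rows of "shortname  date  size  "longname"".
SAMPLE_LISTING = r'''
"C:\Program Files\BitTorrent\"
bittor~1.exe  Dec 23 2007      390144  "bittorrent.exe"
bittor~2.exe  Dec 24 2007      390144  "bittorrent .exe"
bi7e3e~1.exe  Dec 25 2007       43008  "bittorrent      .exe"

"C:\Program Files\DellSupport\"
dsagnt~1.exe  Dec 25 2007      460784  "DSAgnt .exe"
dsagnt.exe    Dec 25 2007      855552  "DSAgnt.exe"

"C:\WINDOWS\ehome\"
ehtray.exe    Dec 25 2007      395264  "ehtray.exe"
'''

DIR_RE = re.compile(r'^"(?P<dir>[^"]+\\)"$')
ROW_RE = re.compile(r'^(?P<short>\S+)\s+(?P<date>\w{3} \d{1,2} \d{4})\s+'
                    r'(?P<size>\d+)\s+"(?P<long>[^"]*)"')

def parse_listing(text):
    """Yield (directory, short_name, size, long_name) for every file row."""
    current_dir = None
    for raw in text.splitlines():
        line = raw.strip()
        m = DIR_RE.match(line)
        if m:
            current_dir = m.group('dir')
            continue
        m = ROW_RE.match(line)
        if m and current_dir is not None:
            yield current_dir, m.group('short'), int(m.group('size')), m.group('long')

def find_space_clones(text):
    """Map (directory, name-with-spaces-removed) -> [(long_name, size), ...]
    for every group with more than one member, i.e. an original plus clones."""
    groups = defaultdict(list)
    for directory, _short, size, long_name in parse_listing(text):
        key = (directory, long_name.replace(' ', '').lower())
        groups[key].append((long_name, size))
    return {k: v for k, v in groups.items() if len(v) > 1}

if __name__ == '__main__':
    for (d, n), members in sorted(find_space_clones(SAMPLE_LISTING).items()):
        print(d + n, [f'{name!r}: {size}' for name, size in members])
```

The script only flags the collision; as the post says, the listing alone cannot tell which member of a group is the valid file, so the output is a list of folders to examine, not a list of files to delete.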
  9. aagarwal584

    aagarwal584 Private E-2

    Hi chaslang,
    Looks like I am left with the last resort of re-installing.
    Nevertheless, I appreciate the guidance leading to the decision to take the last resort.
    Dell provided me instructions for doing a PC restore which will reset the system to the factory settings.
    Regards,
    Ankur
     
  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome.

    We rarely have to resort to a reinstall, but your type of infection is the kind that necessitates a reinstall. There is no other way to be sure of your security. After you reinstall, be sure you immediately work through the below to help you avoid issues like this in the future:

    How to Protect yourself from malware!
     
