Reader_S Malware - I want to win this war!

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by SZC, May 26, 2009.

  1. SZC

    SZC Private E-2

    Please help! :cry I have a nasty virus. I've done plenty of virus removal before, used SpyBot, Malwarebytes, Safe-Mode and all and have beat the bugs in the past, but this virus has me nailed.

    Here's the short version: Windows XP - Dell computer with two hard drives, the newer one was the Master and older one was the Slave when I got infected (dirty USB stick from Kinkos I believe). The new drive just got totally hosed - I can only boot up as far as the background image (no icons appear) and trying to boot to Safe-Mode goes to a blue-screen of death. So I disconnected the SATA cable and started booting into the older drive, for which there are two users: User1 goes to the same thing above (background image with no icons, I'm not sure how to proceed from here); User2 - boots fine. If I go to Safe-Mode I can see both users and the Admin login - so I boot up into admin whenever I was going to Safe-Mode.

    After booting into User2 I went through the Windows XP Cleaning Procedure Guide posted on these forums and generated all the logs: The virus blocked all access to the sites to download and update Malwarebytes and SAS so I downloaded these on a mac (haha) and manually transferred them. ComboFix failed completely, I would get an error while opening it that would close the program and then delete itself from the desktop (is the virus doing this?). Lastly I ran MGtools. Obviously I still have the virus and now requesting help.

It would be great if I could clean the old drive and then set it aside to work on the new drive, but if I need to wipe the old drive it can be sacrificed as the newer drive has the latest data that I would like to keep. After reading several threads on this virus (Reader? Virut? Conficker?), it looks like to date there is no really good method or SOP for curing this particular virus. Any suggestions welcome - I'm ready to go to war! :major
     


  2. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Please use add/remove programs to uninstall:
    Viewpoint Media Player

    Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    After clicking Fix, exit HJT.

    Now download The Avenger by Swandog469, and save it to your Desktop.

    * Extract avenger.exe from the Zip file and save it to your desktop
    * Run avenger.exe by double-clicking on it.
    * Do not change any check box options!!
    * Copy everything in the Quote box below, and paste it into the Input script here: part of the window:


    * Now click the Execute button.
    * Click Yes to the prompt to confirm you want to execute.
    * Click Yes to the Reboot now? question that will appear when Avenger finishes running.
    * Your PC should reboot, if not, reboot it yourself.
    * A log file from Avenger will be produced at C:\avenger.txt and it will popup for you to view when you login after reboot.

    Now run CCleaner. Then make sure these folders are empty other than files from today:
    C:\WINDOWS\Temp\
    C:\Documents and Settings\Akiko\Local Settings\Temp\

    Now see if you can run ComboFix.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:

    * C:\Avenger.txt
    * C:\MGlogs.zip

    Make sure you tell me how things are working now!
     
  3. SZC

    SZC Private E-2

    TimW,

    thank you for the help. I got as far as attempting to execute the script for The Avenger. However, I received this error after inputting the text you had indicated: "Error: Invalid Script. A valid script must begin with a command directive. Aborting execution!"

    I went to the Avenger website and added "Files to delete" to the top of the script. Did you omit this instruction? I was told that 3 of the reg keys could not be deleted, specifically:
    HKEY_Current_User\Software\Microsoft\Windows\CurrentVersion\Run | reader_s
    and also two more with the same file tree but named "| @" and "| Windows Resurections"

    I assume you produced this list by scanning one of the three initial logs I posted so I may be able to generate an updated and accurate list on another pass.

    Also, I had previously rebooted and tried a few things in vain while I was waiting for your initial reply, and I had manually deleted a bunch of those tmp files being created by the virus (stored in the c:\ directory) which are now gone. I still have the virus but maybe the script didn't work because the files to be deleted have shuffled around some? If I know how you created the Avenger script file I may be able to get past this step? There seem to be some files that don't exist anymore plus a few new ones that do. I will attach the log file.

    When I moved onward to the ComboFix instructions, the program still stops after a non-descriptive 'error' and deletes itself from the desktop. The virus is still blocking Malwarebytes from updating.
    -----------------------------------------------------------------------------------

    Lastly, concerning my drive I haven't attempted to fix yet, I can only boot as far as the background image (no icons), and trying to go into Safe-Mode goes to a blue-screen-of-death error. I can get to the Ctrl-Alt-Del menu though, is there any trick to proceeding from a no-icons boot-up?
     


    Last edited: May 30, 2009
  4. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    No, I did not omit that instruction. Did you omit copying it when you pasted it into Avenger? Can you not see it in my previous post??


    When you manually deleted the files, avenger noted that they no longer existed. And the script did work. Look at what was removed that you hadn't removed in your manual deletions.

    What drive? Are you talking about a different computer? Or are you doing this while slaved?

    Regardless, let's move on:

    Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    After clicking Fix, exit HJT.

    Now copy the bold text below to Notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.
    Make sure that you tell me if you receive a success message about adding the above
    to the registry. If you do not get a success message, it definitely did not work.


    Now use windows explorer to find and delete:
    C:\WINDOWS\DUMP51e8.tmp
    C:\WINDOWS\ld08.ex_
    C:\WINDOWS\TEMP\pq79jt7.exe
    C:\WINDOWS\system32\8.tmp

    If you can't manually delete them:
    * Run avenger.exe by double-clicking on it.
    * Do not change any check box options!!
    * Copy everything in the Quote box below, and paste it into the Input script here: part of the window:


    * Now click the Execute button.
    * Click Yes to the prompt to confirm you want to execute.
    * Click Yes to the Reboot now? question that will appear when Avenger finishes running.
    * Your PC should reboot, if not, reboot it yourself.
    * A log file from Avenger will be produced at C:\avenger.txt and it will popup for you to view when you login after reboot.
    -
    Now run Ccleaner to clean out only temp files and nothing else!

    Now go to start / run / type "sfc /scannow" without quotes and have your xp disc handy. Do it twice so we can see if it replaces the ndis.dll.

    Tell me exactly what happens when you try to run Combo....the exact error message. And are you downloading a new copy of Combo??

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:

    * C:\Avenger.txt
    * C:\MGlogs.zip

    Make sure you tell me how things are working now!
     
    Last edited: Jun 1, 2009
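    The "Invalid Script" error above comes from a script whose first non-blank line is not a directive. As an added example (not from this thread or from the Avenger tool), the checker below applies that rule and groups entries under their directives; "Files to delete:" is the directive named in the thread, the other directive names are assumed from the tool's documented script syntax.

```python
# Added example (not from this thread or from the Avenger tool): a checker for
# the directive rule behind the "Invalid Script" error. "Files to delete:" is
# the directive named in the thread; the other names are assumed from the
# tool's documented script syntax.
DIRECTIVES = (
    "Files to delete:",
    "Folders to delete:",
    "Registry keys to delete:",
    "Registry values to delete:",
    "Drivers to delete:",
    "Drivers to disable:",
)

def validate_avenger_script(text):
    """Return (ok, problems, sections) for an Avenger script.

    The first non-blank line must be a directive; every later non-blank line
    belongs to the most recent directive. Registry-value entries are written
    as 'key | value', the form used for the reader_s entry in the thread.
    """
    problems, sections, current = [], {}, None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        if line in DIRECTIVES:
            current = line
            sections.setdefault(current, [])
            continue
        if current is None:
            problems.append(f"line {lineno}: '{line}' precedes any directive")
            continue
        if current == "Registry values to delete:" and " | " not in line:
            problems.append(f"line {lineno}: expected 'key | value', got '{line}'")
        sections[current].append(line)
    if current is None and not problems:
        problems.append("script is empty")
    return (not problems, problems, sections)

# Constructed sample: the script as pasted without its leading directive ...
BROKEN = """C:\\WINDOWS\\TEMP\\pq79jt7.exe
Registry values to delete:
HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run | reader_s
"""
# ... and the same script with "Files to delete:" restored at the top.
FIXED = "Files to delete:\n" + BROKEN
```

Running validate_avenger_script on BROKEN reports the stray path before any directive, while FIXED passes with the path filed under "Files to delete:".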
  5. SZC

    SZC Private E-2

    TimW - I really appreciate your help. I was not able to work on this problem since your last reply (June 1) -- very sorry, I was out of town. Per your first comment, I did miss the command "Files to Delete" from before and apologize for this oversight. :-o Also, to answer your question, I did have two drives chained together (master/slave) and I am indeed fixing one at a time. The other drive will not boot past the background image (no icons appear) and I was just quickly inquiring to see if there is a simple command to get past this so I can begin to work on that drive as well (I simply swap the SATA cable back and forth to work on each drive).

    Getting back to the fix of the first drive - I still definitely am very, very infected. :cry I ran MGtools\analyse.exe and only this file appeared in the list, which I checked to be fixed:
    O4 - HKUS\.DEFAULT\..\Run: [] C:\WINDOWS\TEMP\pq79jt7.exe (User 'Default user')

    The other two were not in the list. I also deleted a reader_s file but I'm sure it will come back.

    The REGEDIT4 command did not work. This was the error: "Cannot import C:\Documents and Settings\Chris\Desktop\fixME.reg: The specified file is not a registry script. You can only import binary registry files from within the registry editor."

    I downloaded a fresh version of ComboFix from the MajorGeeks Windows XP cleaning procedure post. This time running the program went further than last time but ended with an error "!! Alert !! It is NOT SAFE to continue! The contents of the ComboFix package has been compromised. Please download a fresh copy from http://www.bleepingcomputer.com/combofix/how-to-use-combofix Note: You may be infected with a file patching virus 'Virut' "

    Then the program deletes off the desktop. I went to the website and downloaded a new version and got the same error.

    The virus still blocks certain websites like malwarebytes.org, so I know it is still out there !!F@ckers!! This is a nasty one!! :major

    The MGlogs.zip file is attached and the avenger.txt is not because I manually deleted the files you mentioned and did not run avenger.

    Thanks a bunch, the help is very much appreciated! --- Chris
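    The "not a registry script" message above is what regedit reports when the first line of a .reg file is not one of its two accepted headers. As an added example (not from this thread), the parser below applies that same first-line check and then lists the key and value operations the script would perform; it assumes REGEDIT4 files are ANSI text and version 5.00 files are UTF-16 with a byte-order mark.

```python
import re

# Added example (not from this thread): parse a .reg file and apply the check
# regedit makes before importing. Assumes the two accepted headers below, with
# REGEDIT4 files in ANSI and version 5.00 files in UTF-16 with a BOM.
HEADERS = ("REGEDIT4", "Windows Registry Editor Version 5.00")

def parse_reg_file(data):
    """Return (ok, reason, ops) for the raw bytes of a .reg file.

    ops is a list of (action, key, value_name) with action one of
    'delete_key' ([-KEY]), 'delete_value' ("name"=-) or 'set_value'.
    A file whose first line is not a recognised header is rejected.
    """
    if data.startswith(b"\xff\xfe"):
        text = data.decode("utf-16")          # Unicode .reg file, BOM stripped
    else:
        text = data.decode("cp1252", errors="replace")   # ANSI (REGEDIT4) file
    lines = text.splitlines()
    if not lines or lines[0].strip() not in HEADERS:
        return False, "first line is not a registry script header", []
    ops, key = [], None
    for raw in lines[1:]:
        line = raw.strip()
        if not line or line.startswith(";"):      # blank or comment line
            continue
        m = re.fullmatch(r"\[(-?)(HKEY_[^\]]+)\]", line)
        if m:                                     # [KEY] or [-KEY]
            key = m.group(2)
            if m.group(1):
                ops.append(("delete_key", key, None))
            continue
        if key is None:
            return False, f"value line before any [key]: {line}", []
        m = re.fullmatch(r'(?:"([^"]*)"|(@))=(.*)', line)   # "name"=data or @=data
        if not m:
            return False, f"unparseable line: {line}", []
        name = "@" if m.group(2) else m.group(1)
        action = "delete_value" if m.group(3) == "-" else "set_value"
        ops.append((action, key, name))
    return True, "", ops

RUN_KEY = "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run"
# Constructed sample: a REGEDIT4 script removing the Run values named in the thread.
GOOD = (
    "REGEDIT4\r\n\r\n[" + RUN_KEY + "]\r\n"
    '"reader_s"=-\r\n"Windows Resurections"=-\r\n'
).encode("cp1252")
# The same content with a stray line above the header; regedit rejects this.
BAD = b"fixME\r\n" + GOOD
```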
     


  6. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    IMPORTANT NOTE: Some, if not many, of your Windows system files are infected. And many other non-Windows files could also be infected. Even if we attempt to fix these problems (which may not be easy to do unless you have an original Windows XP SP3 bootable CD), your system may be unreliable and untrustworthy. You may need to reinstall this system.


    Your logs show that your Windows Operating system files have become infected and there is no known reliable fix for this. In addition there are many, many other infected files. We could spend a lot of time trying to remove this infection, but odds are that it will not work because the nature of the infection has so many executable system files infected that as soon as we fix one file, other files that are infected will almost immediately, or upon the next reboot, just reinfect the files. In addition, your PC would still basically be unreliable/untrustworthy even if we manage to fix the infected files that we can see, since there could be many more that we are not seeing.

    The safest thing for you to do is backup your personal data immediately since your PC could possibly become unbootable at any point in time. Do not back up any executable files. This includes programs that you have downloaded since any of them could be infected.

    Once you backup, you need to perform a total reinstall of Windows and all other necessary software. DO NOT reinstall from any executable files you backed up because they are most likely infected.
     
