Completed Malware Removal Guide but still have problems

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by redwings1984, Nov 15, 2009.

  1. redwings1984

    redwings1984 Private E-2

    I just completed the Malware Removal Guide and still have infections. I'm trying to clean my Dad's business computer, which was infected with multiple viruses that were causing pop-ups for software downloads. The ones that kept recurring in Malwarebytes scans even after removal were AGprotect and tcpsr. I am attaching all the log files from running SUPERAntiSpyware, Malwarebytes, ComboFix, RootRepeal and MGtools. If I can get help as soon as possible that would be great, because my dad received notice that his internet was going to be disconnected by his ISP since he had viruses.

    Thanks
     

    Attached Files:

  2. redwings1984

    redwings1984 Private E-2

    here's the other log
     

    Attached Files:

  3. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Can you tell me what these are:
    c:\program files\2006T1W
    c:\program files\2007T1W
    c:\program files\2007T2W
    c:\program files\2006T2W
    c:\program files\2005T2W


    Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    After clicking Fix, exit HJT.

    * Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
    If it is not on your Desktop, the below will not work.
    * Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    * If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
    * Open Notepad and copy/paste the text in the below code box into it (make sure you scroll all the way down in the code box to get all lines selected ):
    Code:
    KILLALL::
    
    Driver::
    tcpsr
    ati4eoxx
    ati5hrxx
    ati5ihxx
    ati6pwxx
    2d204dc9
    350c35ed
    d73da3f5
    hgeb130
    jmbd998
    psm91ff
    
    File::
    c:\windows\System32\drivers\tcpsr.sys 
    c:\windows\system32\Drivers\ati4eoxx.sys
    c:\windows\system32\Drivers\ati5hrxx.sys
    c:\windows\system32\Drivers\ati5ihxx.sys
    c:\windows\system32\Drivers\ati6pwxx.sys
    c:\windows\system32\drivers\2d204dc9.sys
    c:\windows\system32\drivers\350c35ed.sys
    c:\windows\system32\drivers\d73da3f5.sys
    c:\windows\system32\drivers\hgeb130.sys
    c:\windows\system32\drivers\jmbd998.sys
    c:\windows\system32\drivers\psm91ff.sys
    c:\windows\maya.exe
    c:\windows\system32\uses32.dat
    c:\windows\system32\?ssembly\l?gonui.exe
    Folder::
    C:\Documents and Settings\Matt Singh.LEDGERS\Application Data\AVG8
    
    Registry::
    [-HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\Maya]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "maya"=-
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Bbsxyd"=-
    
    * Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    * At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    * You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    If it asks you to override the previous file with the same name, click YES.
    * Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    * Follow the prompts.
    * When it finishes, a log will be produced named c:\combofix.txt
    * I will ask for this log below

    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:

    * C:\ComboFix.txt
    * C:\MGlogs.zip

    Make sure you tell me how things are working now!
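The CFScript above is a small declarative format: each `Section::` header is followed by one target per line, and the `Registry::` section uses `[-KEY]` to delete a whole key and `"name"=-` under a `[KEY]` header to delete one value. The block below is an added example for this thread, not code from ComboFix, MajorGeeks or either poster. It parses that syntax and then reports which of the script's targets are still present, which is the check you want after the run (the "is it still there?" question that comes up later in the thread). To keep it runnable offline it compares against a constructed inventory of paths, service names and registry values (the `EXISTING_*` sets are assumptions for the example, as is the idea that the `Driver::` names map to service names); on a real machine you would fill those from `dir /s`, `sc query` and `reg query` output.

```python
"""Parse a ComboFix CFScript and report which of its targets still exist.

Added example for this thread, not code from ComboFix, MajorGeeks or the
poster. The EXISTING_* inventories are constructed for the example.
"""
import re
from typing import Dict, Tuple

# Constructed sample: a subset of the script posted in the thread.
SAMPLE_CFSCRIPT = r"""KILLALL::

Driver::
tcpsr
ati4eoxx

File::
c:\windows\System32\drivers\tcpsr.sys
c:\windows\system32\Drivers\ati4eoxx.sys
c:\windows\maya.exe

Folder::
C:\Documents and Settings\Matt Singh.LEDGERS\Application Data\AVG8

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\Maya]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"maya"=-
"""

# Constructed post-cleanup inventory (assumption for the example): the tcpsr
# driver and the AVG8 folder are gone, but maya.exe, the ati4eoxx driver and
# the "maya" Run value survived the first ComboFix pass.
EXISTING_PATHS = {
    r"C:\Windows\maya.exe",
    r"C:\Windows\system32\drivers\ati4eoxx.sys",
    r"C:\Windows\system32\kernel32.dll",
}
EXISTING_SERVICES = {"ati4eoxx", "Tcpip"}
EXISTING_REG = {  # lower-cased key path -> value names still present in it
    r"hkey_local_machine\software\microsoft\windows\currentversion\run": {"maya", "ctfmon.exe"},
}

SECTION_RE = re.compile(r"^([A-Za-z]+)::$")
RegAction = Tuple[str, str, str]  # (action, key, value name or "")


def parse_cfscript(text: str) -> Dict[str, object]:
    """Split a CFScript into its sections.

    Driver::, File:: and Folder:: hold one target per line. In Registry::,
    "[-KEY]" deletes the whole key and a following '"name"=-' line deletes
    one value under the most recent "[KEY]" header.
    """
    script = {"killall": False, "driver": [], "file": [], "folder": [], "registry": []}
    section, current_key = None, None
    for raw in text.splitlines():
        line = raw.strip()  # the posted script has trailing spaces on some lines
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1).lower()
            if section == "killall":
                script["killall"] = True
            elif section not in script:
                raise ValueError(f"unknown section {m.group(1)!r}")
            current_key = None
            continue
        if section in ("driver", "file", "folder"):
            script[section].append(line)
        elif section == "registry":
            if line.startswith("[-") and line.endswith("]"):
                script["registry"].append(("delete_key", line[2:-1], ""))
                current_key = None
            elif line.startswith("[") and line.endswith("]"):
                current_key = line[1:-1]
            elif current_key and line.endswith("=-"):
                script["registry"].append(("delete_value", current_key, line[:-2].strip().strip('"')))
            else:
                raise ValueError(f"unrecognised registry line {line!r}")
        else:
            raise ValueError(f"line outside any section: {line!r}")
    return script


def remaining_targets(script, paths, services, reg) -> Dict[str, list]:
    """Return the script targets that are still present in the inventories.

    Paths and names are compared case-insensitively, as NTFS and the registry do.
    """
    present = {p.lower() for p in paths}
    svc = {s.lower() for s in services}
    left = {kind: [t for t in script[kind] if t.lower() in present] for kind in ("file", "folder")}
    left["driver"] = [d for d in script["driver"] if d.lower() in svc]
    left["registry"] = []
    for action, key, name in script["registry"]:
        values = reg.get(key.lower())
        if values is None:
            continue  # key already gone, so the action is done
        if action == "delete_key" or name.lower() in {v.lower() for v in values}:
            left["registry"].append((action, key, name))
    return left


if __name__ == "__main__":
    parsed = parse_cfscript(SAMPLE_CFSCRIPT)
    for kind, items in remaining_targets(parsed, EXISTING_PATHS, EXISTING_SERVICES, EXISTING_REG).items():
        for item in items:
            print(f"still present ({kind}): {item}")
```

Anything the function lists after a run is exactly what the next reply in a thread like this has to deal with: either ComboFix could not remove it (a driver still loaded, a file locked by the antivirus that was left running) or something re-created it, which is the sign of a component the script missed.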
     
  4. redwings1984

    redwings1984 Private E-2

    Thanks, I will give this a try this evening since I'm not at my Dad's office right now and post the results. The folders you asked about under Program Files are from tax programs that my Dad uses (they are standard accounting programs used for filing each year's taxes).
     
  5. redwings1984

    redwings1984 Private E-2

    I ran through all the steps you posted and it seems to be running fine now. Maya.exe and l?gonui.exe are no longer appearing under the startup tab of msconfig. The only problem I ran into when running through the process was that on the ComboFix restart of the machine the antivirus software ran during startup and I think that may have affected ComboFix because there was a message stating it couldn't find combofix.exe in the command window.

    Other than that it ran smoothly. I've attached the logs for you to look at below. Thanks for all your help.
     

    Attached Files:

  6. redwings1984

    redwings1984 Private E-2

    It looks like the computer is running slower now and Malwarebytes found the Malware.Trace AGprotect again. I'm including the log file from Malwarebytes below.
     

    Attached Files:

  7. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    We need to remove a few more things.

    Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

    * Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
    If it is not on your Desktop, the below will not work.
    * Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    * If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
    * Open Notepad and copy/paste the text in the below code box into it (make sure you scroll all the way down in the code box to get all lines selected ):
    Code:
    KILLALL::
    
    File::
    c:\windows\service32.exe
    C:\WINDOWS\system32\?????????????????????????????????????????????????
    
    Folder::
    c:\documents and settings\Matt Singh\Application Data\AVG8
    
    * Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    * At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    * You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    If it asks you to override the previous file with the same name, click YES.
    * Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    * Follow the prompts.
    * When it finishes, a log will be produced named c:\combofix.txt
    * I will ask for this log below

    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    Now Combo may not be able to recognize that last file with all the ? marks, so look for this:
    C:\WINDOWS\system32\0833~1 and if you find this or others like it, let me know the exact file name.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:

    * C:\ComboFix.txt
    * C:\MGlogs.zip
     
  8. redwings1984

    redwings1984 Private E-2

    Thanks. I will give this a try and post the results by tomorrow evening.
     
  9. redwings1984

    redwings1984 Private E-2

    I ran Combofix again per your instructions and have attached the logs below. I searched the system32 folder and didn't find anything that looked like 0833~1 but did find this file which looked strange and out of place:

    㩃停潲牧浡䘠汩獥剜杯牥⁳湏楬敮倠潲整瑣潩屮潒敧獲传汮湩⁥牐瑯捥楴湯卜晡䍥湯敮瑣䍜湯楦屧噘敩⹷潣普杩.

    It was last modified on 11/18/2009, is 40 bytes and is designated as a file type. Is it something that needs to be removed?
     

    Attached Files:
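Two kinds of odd names come up in this exchange: the `?????` and `0833~1` entries TimW asks about (a `?` is not a legal NTFS name character, so in a console listing it stands for a character the console could not display, and `~1` marks an 8.3 short name that hides a longer one), and the CJK-looking name in the post above. The block below is an added example, not code from any tool in the thread or from either poster. It flags names in a directory listing for those reasons and adds one more check: whether a name that renders as CJK text is really plain ASCII bytes read as UTF-16LE, which is what that string is (re-encoding it gives an ordinary `C:\Program Files\...` path). The listing it scans is constructed for the example.

```python
"""Triage odd file names found in a Windows system directory.

Added example for this thread, not code from any tool mentioned in it.
SAMPLE_LISTING is constructed; GARBLED_NAME is the string from post 9.
"""
import re
import string
from typing import Dict, List, Optional

PRINTABLE = set(string.printable) - set("\t\n\r\x0b\x0c")
SHORTNAME_RE = re.compile(r"~\d+(\.[^.\\]*)?$")  # e.g. 0833~1 or PROGRA~1.TXT

# The name posted in the thread (trailing sentence period removed).
GARBLED_NAME = "㩃停潲牧浡䘠汩獥剜杯牥⁳湏楬敮倠潲整瑣潩屮潒敧獲传汮湩⁥牐瑯捥楴湯卜晡䍥湯敮瑣䍜湯楦屧噘敩⹷潣普杩"

# Constructed listing of C:\WINDOWS\system32 entries for the example.
SAMPLE_LISTING = [
    "kernel32.dll",
    "0833~1",
    "l?gonui.exe",
    GARBLED_NAME,
]


def ascii_read_as_utf16(name: str) -> Optional[str]:
    """Undo a UTF-16LE misread: re-encode the name to its code-unit bytes and
    accept the result only if every byte is printable ASCII."""
    try:
        text = name.encode("utf-16-le").decode("ascii")
    except UnicodeError:
        return None
    return text if text and all(c in PRINTABLE for c in text) else None


def flag_name(name: str) -> List[str]:
    """Return the reasons a name deserves a closer look (empty list if none)."""
    reasons = []
    if any(c not in PRINTABLE for c in name):
        reasons.append("non-ASCII or control character in name")
    if "?" in name:
        # '?' cannot occur in an NTFS name, so it is the console's substitute
        # for a character it could not draw (cf. l?gonui.exe in the thread).
        reasons.append("contains '?': a character the console could not display")
    if SHORTNAME_RE.search(name):
        reasons.append("8.3 short name; list the directory with 'dir /x' to see the long name")
    decoded = ascii_read_as_utf16(name)
    if decoded is not None:
        reasons.append(f"ASCII read as UTF-16LE, really: {decoded}")
    return reasons


def triage_listing(names) -> Dict[str, List[str]]:
    """Map each suspicious name in a listing to its reasons."""
    found = {}
    for n in names:
        reasons = flag_name(n)
        if reasons:
            found[n] = reasons
    return found


if __name__ == "__main__":
    for name, reasons in triage_listing(SAMPLE_LISTING).items():
        print(name)
        for r in reasons:
            print("   -", r)
```

The UTF-16 check is the one that turns a scary-looking entry into something you can reason about: a name whose characters all sit in the CJK range but re-encode to clean ASCII was written by a program that handed an 8-bit string to a wide-character API, and the recovered path tells you which program. Renaming with an `.old` extension first, as TimW suggests next, is the right cautious move either way.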

  10. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    I am not seeing anything else in your logs other than that sys32 file. I suggest that you find it and rename it. Just add an .old extension to the file name. Then let's see if it causes any programs to not run or other issues to arise. If it doesn't then we can delete it.
     
