MajorGeeks Support Forums

Go Back   MajorGeeks Support Forums > ----------= PC, Desktop and Laptop Support =---------- > Malware Removal
Register FAQ Members List Calendar Casino Mark Forums Read

Malware Removal Malware removal forum. Please see the READ ME FIRST thread before you post. Forum is staffed by a small number of volunteers, please be patient.


Reply
 
Thread Tools Display Modes
  #1  
Old 03-25-09, 14:00
nyt nyt is offline
Private First Class
 
Join Date: Mar 2009
Posts: 40
Thanks: 6
Thanked 0 Times in 0 Posts
Default Still Infected after following cleaning steps

One of my users was surfing yesterday (Internet Explorer) and they must have become infected with some nasty malware. After a reboot she came to get me and the screen was filled with Symantec Antivirus email warnings. It looked like a virus was trying to send out spam. The computer was unusable and I was unable to do anything.

I rebooted back in as Admininstrator and followed the instructions in "READ AND RUN ME FIRST" thread. This computer is running XP so I followed the instructions in the XP Cleaning thread.

I ran all the tools as the Administrator. I did try to log back in as that user but the emails warning started going crazy again. Also symantec popped up messages about Hacktool.rootkit and another TROJAN. The computer rebooted (from me trying to Ctrl-Alt-Del) to logoff I think, before I could see the name of the Trojan.

Attached are the 4 files that the instructions said to include.

Thanks in advance for any help you can provide. This is killing us because the user cannot get into there account.
Attached Files
File Type: txt mbam-log-2009-03-25 (09-15-03).txt (7.2 KB, 1 views)
File Type: log SUPERAntiSpyware Scan Log - 03-25-2009 - 10-40-50.log (6.4 KB, 1 views)
File Type: txt Combofixlog.txt (10.9 KB, 1 views)
File Type: zip MGlogs.zip (54.9 KB, 1 views)
Reply With Quote
Sponsored links
  #2  
Old 03-26-09, 11:53
nyt nyt is offline
Private First Class
 
Join Date: Mar 2009
Posts: 40
Thanks: 6
Thanked 0 Times in 0 Posts
Default Re: Still Infected after following cleaning steps

I know this is going to bump me but I think this information is important.

I finally got the recommended tools to run while I was logged in as the problematic user. After running Super AntiSpyware, Malwareytes said it found more stuff and cleaned it.

Even still after the reboot, Symantec keeps popping up with information saying I have hacktoolrootkit and Trojan.Fakevalert (tied to iehelper.dll).

No more email popups but I am pretty sure I am still infected.

Thanks for your help!
Attached Files
File Type: txt COMBOFIX 3-26.txt (12.0 KB, 1 views)
File Type: txt mbam-log-2009-03-26 (12-09-16).txt (2.3 KB, 1 views)
File Type: log SUPERAntiSpyware Scan Log - 03-26-2009 - 10-25-57.log (993 Bytes, 1 views)
File Type: zip MGlogs.zip (54.6 KB, 2 views)
Reply With Quote
  #3  
Old 03-30-09, 02:31
chaslang's Avatar
chaslang chaslang is offline
MajorGeeks Admin - Master Malware Expert
 
Join Date: Feb 2004
Location: Northern New Jersey USA
Posts: 80,165
Thanks: 61
Thanked 7,581 Times in 4,079 Posts
Default Re: Still Infected after following cleaning steps

Welcome to Major Geeks!

Do you know what the below folder are for?
Code:
2009-03-25 13:59 . 2009-03-25 13:59 <DIR> d-------- c:\documents and settings\mstraub
2009-03-25 13:56 . 2009-03-25 13:56 <DIR> d-------- c:\documents and settings\echu
2009-03-26 16:29 --------- d-----w c:\program files\SAAZOD
Is saazremotesupport something you knowingly installed?

Is the below policy script something related to your company
Code:
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1172250837-843870029-1846952604-1012\Scripts\Logon\0\0]
"Script"=map.bat
Run this Disable/Remove Windows Messenger to remove Windows Messenger. Do not confuse Windows Messenger with MSN Messenger because they are not the same. Windows Messenger is a frequent cause of popups.

Uninstall the below software:
J2SE Runtime Environment 5.0 Update 10
J2SE Runtime Environment 5.0 Update 7
Viewpoint Manager (Remove Only) <-- should have been uninstalled in step 1 of the READ ME
Viewpoint Media Player <-- should have been uninstalled in step 1 of the READ ME
Viewpoint Toolbar V35 (Remove Only) <-- should have been uninstalled in step 1 of the READ ME
Viewpoint Toolbar <-- should have been uninstalled in step 1 of the READ ME

Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

O2 - BHO: Ipswitch.WsftpBrowserHelper - {601ED020-FB6C-11D3-87D8-0050DA59922B} - C:\Program Files\Ipswitch\WS_FTP Pro\wsbho2k0.dll (file missing)
O8 - Extra context menu item: &Search - ?p=ZKxdm021YYUS

After clicking Fix, exit HJT.

Now we need to use ComboFix
  • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
    • If it is not on your Desktop, the below will not work.
  • Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
  • Open Notepad and copy/paste the text in the below quote box into it:
Quote:
KILLALL::

Driver::
port135sik

File::
c:\windows\system32\drivers\port135sik.sys
c:\windows\system32\windrv.sys
C:\Documents and Settings\ndodge\hmrwchmrwbglqvbglpuaf.exe
C:\Documents and Settings\ndodge\mrwchmrwbglqvbglqvbgl.exe
C:\Documents and Settings\ndodge\otydinsxdinsxdinsxdin.exe
C:\Documents and Settings\ndodge\qvbfkpuafkpuaejotyejo.exe
C:\Documents and Settings\ndodge\rwcglqvbgkpuafkpuafkp.exe
C:\Documents and Settings\ndodge\wdinrwchlquaejnsxdinr.exe
C:\Documents and Settings\ndodge\yejotyejotyejotyejoty.exe
  • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
  • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
  • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
  • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
  • Follow the prompts.
  • When it finishes, a log will be produced named c:\combofix.txt
  • I will ask for this log below
Note:

Do not mouseclick combofix's window while it is running. That may cause it to stall.


Now run Ccleaner to clean out only temp files and nothing else!

Now download the current version of MGtools and save it to your root folder. Overwrite your previous MGtools.exe file with this one.

Run MGtools.exe ( Note: If using Vista make sure UAC is still disabled. Also don't double click on it, use right click and select Run As Administrator )

Now attach the below log:
  • C:\ComboFix.txt
  • C:\MGlogs.zip
Make sure you tell me how things are working now!
__________________
"There are 10 types of people in this world. Those who understand binary and those who don't."


Support Majorgeeks on Facebook:

Majorgeeks Newsletter
Reply With Quote
  #4  
Old 03-30-09, 08:09
nyt nyt is offline
Private First Class
 
Join Date: Mar 2009
Posts: 40
Thanks: 6
Thanked 0 Times in 0 Posts
Default Re: Still Infected after following cleaning steps

Quote:
Do you know what the below folder are for?
Code:

2009-03-25 13:59 . 2009-03-25 13:59 <DIR> d-------- c:\documents and settings\mstraub
2009-03-25 13:56 . 2009-03-25 13:56 <DIR> d-------- c:\documents and settings\echu
2009-03-26 16:29 --------- d-----w c:\program files\SAAZOD

Is saazremotesupport something you knowingly installed?

Is the below policy script something related to your company
Code:

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1172250837-843870029-1846952604-1012\Scripts\Logon\0\0]
"Script"=map.bat
Yes -- the two folders are other valid users on this computer. SAAZOD is a tool that is included with a number of agents used by a teaming partner that provides managed IT services. Specifically it helps me monitor all the computers on my network to ensure that AV definitions and windows updtates are up to date. Also help monitor event logs network devices for automated notification of any problems.

saazremotesupport is part of SAAZOD.

I will have to ask our network admin about map.bat. I believe it is a valid script that loads up our main network shares.


The computer appears to be running fine now. BUT when I just re-enabled Symantec Antivirus I got a popup that says I still infected with Trojan.Fakevalert. The Filename is listed as unavailable and the original location is listed as unavailable.

I attached 3 items (as opposed to the two you requested). The first time I ran combofix, I forgot to turn off Spybot S&D's teatimer. I disabled it before running Combofix, but it came back on upon reboot and Combofix froze up on me. The log file I found for that is attached as Combofix Interrupted.txt.

I then ran it again and attached that combofix log file as well.

Thank you very much for your help and please let me know if you have any idea why Symantec is still indicating I have a trojan. I am going to reboot now because Symantec is requesting it.
Attached Files
File Type: txt ComboFix interrupted.txt (5.1 KB, 1 views)
File Type: txt ComboFix.txt (12.8 KB, 1 views)
File Type: zip MGlogs.zip (53.8 KB, 1 views)
Reply With Quote
  #5  
Old 04-02-09, 12:39
chaslang's Avatar
chaslang chaslang is offline
MajorGeeks Admin - Master Malware Expert
 
Join Date: Feb 2004
Location: Northern New Jersey USA
Posts: 80,165
Thanks: 61
Thanked 7,581 Times in 4,079 Posts
Default Re: Still Infected after following cleaning steps

Quote:
Originally Posted by nyt View Post
The computer appears to be running fine now. BUT when I just re-enabled Symantec Antivirus I got a popup that says I still infected with Trojan.Fakevalert. The Filename is listed as unavailable and the original location is listed as unavailable.
I cannot help you with this without a file name and location. Right now all I can guess is that the brain dead Symantec woke up after we removed all the malware that it was missing. And that it is only seeing what we have already quarantined. Wait until after completing ALL of my final instructions and then tell me if it is still detecting anything.


We just have have a few minor items to fix with HijackThis.

Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - (no file)
O2 - BHO: (no name) - {601ED020-FB6C-11D3-87D8-0050DA59922B} - (no file)
O2 - BHO: (no name) - {A7327C09-B521-4EDB-8509-7D2660C9EC98} - (no file)

After clicking Fix, exit HJT.

After doing the above your logs will be clean.

If you are not having any other malware problems, it is time to do our final steps:
  1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources ( except a little disk space ) until you run a scan.
  2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
    • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
    • "%userprofile%\Desktop\combofix" /u
      • Notes: The space between the combofix" and the /u, it must be there.
      • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
    • Delete the C:\combofix folder from combofix (if it exists)
  3. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
  4. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
  5. Go to add/remove programs and uninstall HijackThis.
  6. You can delete the C:\MGtools folder and the C:\MGtools.exe file. You can also delete the C:\MGlogs.zip
  7. If you are running Vista, Windows XP or Windows ME, do the below:
    • Refer to the cleaning procedures in step 3 the READ ME for your Window version and see the instructions to Disable System Restore which will flush your Restore Points.
    • Then reboot and Enable System Restore to create a new clean Restore Point.
  8. After doing the above, you should work thru the below link:
After doing 100% of the above, see if Symantec still finds problems.
__________________
"There are 10 types of people in this world. Those who understand binary and those who don't."


Support Majorgeeks on Facebook:

Majorgeeks Newsletter
Reply With Quote
Sponsored links
Reply

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump

Similar Threads
Thread Thread Starter Forum Replies Last Post
Cannot open Major Geeks site, Could Not complete Cleaning Steps, Got ONLY MGTools Log monalisa Malware Removal 2 11-16-08 05:30
Still Infected after removal steps Tipsi Malware Removal 8 08-22-08 01:58
Infected with Spyware, followed above steps... TheBlackClap Malware Removal 25 10-29-06 23:14
Performed all cleaning steps but still problems shellyshell Malware Removal 12 08-24-05 22:31
Infected - Have followed all FAQ steps gigtime Malware Removal 5 04-24-05 18:27


All times are GMT -5. The time now is 05:42.

MajorGeeks.Com Menu

MajorGeeks.Com \ All In One Tweaks \ Android \ Anti-Malware \ Anti-Virus \ Appearance \ Backup \ Browsers \ CD\DVD\Blu-Ray \ Covert Ops \ Drive Utilities \ Drivers \ Graphics \ Internet Tools \ Multimedia \ Networking \ Office Tools \ NEW! PC Games \ System Tools \ Macintosh \ Demonews.Com \ Top Downloads

MajorGeeks.Com \ News (Tech) \ Off Base (Other Websites News) \ Way Off Base (Offbeat Stories and Pics)

Social: Facebook \ YouTube \ Twitter \ Tumblr \ Pintrest \ RSS Feeds


Powered by vBulletin® Version 3.8.4
Copyright © 2009 vBulletin Solutions, Inc. All rights reserved.
Ad Management by RedTyger