Post-RootKit Removal - Check my Logs....

Discussion in 'Malware Help (A Specialist Will Reply)' started by scottportraits, Nov 18, 2009.

  1. scottportraits

    scottportraits Private First Class

    Wednesday
    Nov 18, 2009

    Ouch !! Got hit with nasty malware that took a week to purge. Had a friend help me clean it out. But I am still having some troubles, so I've generated the logs and tools for your perusal.

It was a very nasty bug I got. It really took a long time to track it down. Anyway, my PC still seems a bit sluggish......and I can't set Firefox as my default browser. No matter what I do, IE7 keeps popping up as the default, and it is slow and sometimes will not download the page. About 40% of the time it goes to the address and the screen stays blank. Firefox works fine, but will not open when I hit any link, either on a page or in an email. IE7 is persistently insisting it is the default browser. And it is slow and failing to load pages......

    Here's the logs.

    Thanks folks,

    -scottportraits
     

    Attached Files:

  2. evilfantasy

    evilfantasy Malware Fighter

    Hello.

    I need the ComboFix log also. C:\ComboFix.txt

    Also do this please.

    Download JavaRa
    * Unzip the file and open the JavaRa.exe
    * Click Remove Older Versions
    * JavaRa will search for and remove any outdated version of Java and remove any that are found.
    * Click Additional Tasks
    * Place a check next to Remove Useless JRE Files and click Go
    * Exit JavaRa
    * Delete the JavaRa files from the desktop
     
  3. scottportraits

    scottportraits Private First Class

    Nov 21, 2009
    Saturday 5pm est

    Okay. They only let you submit 4 attachments, and the ComboFix log is not on the list. Since you can't submit a log here as an attachment either, I will have to paste it in here as text: (So sorry to do it this way, but it's all I can think of.....)

    ComboFix is still on my desktop, and I haven't run a new one since the 18th.
    _____________________________________________________________


    Thanks,

    -scottportraits
     

    Attached Files:

    Last edited by a moderator: Nov 21, 2009
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

Neither of these statements is correct. The instructions are quite clear.
     
  5. evilfantasy

    evilfantasy Malware Fighter

    You can only post 4 logs per post. If you have more then put them in a new post.

    1. Go to Start > Run > type Notepad.exe and click OK to open Notepad.
    It must be Notepad, not Wordpad.
    2. Copy the text in the below code box by highlighting all the text and pressing Ctrl+C

    Code:
    KillAll::
    
    Driver::
    MEMSWEEP2
    
    File::
    c:\windows\system32\3F.tmp
    
    Registry::
    [-HKEY_LOCAL_MACHINE\System\ControlSet003\Services\MEMSWEEP2]
    
    
    3. Go to the Notepad window and click Edit > Paste
    4. Then click File > Save
    5. Name the file CFScript.txt - Save the file to your Desktop
    6. Then drag the CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe as you see in the screenshot below. Important: Perform this instruction carefully!

    http://i154.photobucket.com/albums/s258/evilfantasy69/CFScript-1.gif

    ComboFix will begin to execute, just follow the prompts.
    After reboot (in case it asks to reboot), it will produce a log for you.
    Post that log (Combofix.txt) in your next reply.

    Note: Do not mouseclick ComboFix's window while it is running. That may cause your system to freeze
     
  6. scottportraits

    scottportraits Private First Class

    Nov 21 2009
    Saturday 8pm est

    Hi,

    Okay, here is the new ComboFix Log run with the 'KILLALL' and other commands. I also noticed a HiJackThis log.....so I included it (what the heck, right ?).

    IE keeps opening as my default browser, but I prefer Mozilla Firefox. IE seems to be hogging the show; and I find IE is not loading some of the pages properly, or very fast. Some, not at all.

    Thanks,

    -scottportraits
     

    Attached Files:

  7. scottportraits

    scottportraits Private First Class

    Continued....

    Oh yes, something else....I ran the Java tools and erased any extraneous copies of Java, but noticed this in my Add/Remove Programs list of apps:

    Java (TM) 6 Update 14, 15, & 17. Each is about 90 MBs

    They are still there.

    Thanks,

    -scottportraits
     
  8. evilfantasy

    evilfantasy Malware Fighter

IE has been set as the default by the tools you have run. You can reset Firefox as the default. How to make Firefox the default browser

    Go into Add/Remove Programs and try uninstalling everything but Java 6 Update 17. If they will not uninstall then they are probably not actually installed. You can remove them like this.

    Delete An Uninstall Entry


    • Start HijackThis
    • Click on the Open the Misc Tools section
    • Click on the Open Uninstall Manager button.
    • Highlight the entry you want to remove.
    • Click Delete this entry


If you installed Spyware Terminator when trying to fix your computer then I would suggest uninstalling it now. It runs as a service and also is another layer of protection which you already have with Windows Defender, Avira and Sygate. Too much protection is a bad thing and usually offers less protection rather than more. Malwarebytes and SUPERAntiSpyware are far better as on-demand scanners and we suggest using them over any of the others.



    - Run CCleaner.



    - ESET Online Scan

    Scan your computer with the ESET FREE Online Virus Scan

    * Click the ESET Online Scanner button.

    * For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    * Click on the esetsmartinstaller_enu.exe to download the ESET Smart Installer. Save it to your desktop
    * Double click on the esetsmartinstaller_enu.exe icon on your desktop.
    * Place a check mark next to YES, I accept the Terms of Use.

    * Click the Start button.
    * Accept any security warnings from your browser.
    * Leave the check mark next to Remove found threats and place a check next to Scan archives.
    * Click the Start button.
    * ESET will then download updates, install, and begin scanning your computer. Please be patient as this can take some time.
    * When the scan completes, click List of found threats.
    * Next click Export to text file and save the file to your desktop using a name such as ESETScan. Include the contents of this report in your next reply.
    * Click the <<Back button then click Finish.

    In your next reply please include the ESET Online Scan Log
     
  9. scottportraits

    scottportraits Private First Class

    Sunday Nov 22, 2009

    Hello evilfantasy,

    Great! I reset Firefox as my default browser with the instructions from mozilla.support.com. The twist that turned the trick was to open Windows Explorer, go to Tools > Options > File Types......and type in 'open' in the slot for (none) HTTP....and with firefox.exe.
    I tried doing this through the XP Add/Remove Programs window with the 'Set Program Actions and Defaults', 'custom', and hit radio buttons for Mozilla as default browser, etc. But that would not work; tried it several times. So anyway, the default launching browser is now Firefox, which loads pages faster, and has that 'no-script' feature.

    Next, I deleted the 180+ MBs (or rather, uninstalled) of Java that were early releases and extraneous. Used the HiJackThis tool. Hope that frees up some CPU resources. Also, deleted JavaUpdater from my Start > Run menu.....will have to stay current with SunMicroSystems manually.

    Ran CCLeaner. Then ran the ESET scan, which generated the log I am attaching here.

    Thanks for all your help. I appreciate the time you technicians put in here at this site. I have learned a great deal from you all....

    -scottportraits
     

    Attached Files:

    Last edited: Nov 22, 2009
  10. evilfantasy

    evilfantasy Malware Fighter

    mozilla.support.com isn't the page I linked to above. The mozilla.support.com site is a scam site. support.mozilla.com is the right website.

    All you had to do was open Firefox and go to Tools > Firefox and select Options > Preferences > then select the Advanced panel, then click the General tab, and then click Check Now.

    I also forgot to ask for a new MGtools scan so please give me a fresh MGlogs.zip and hopefully we can finish up.
     
  11. scottportraits

    scottportraits Private First Class

    November 22, 2009
    Sunday 12 noon est

    Hi,
    Here is the MGLogs zip file. The scan was done on the 18th. Do I need to start over and do another one ?? Here is the one that was already done....

    Thanks,

    -scottportraits
     
  12. scottportraits

    scottportraits Private First Class

    I'm getting error messages saying I already attached this log (see below). Do I need to purge all MGTools, etc from the system, download it again, and re-run the scan ??

Can't attach the one there now. It's below. Do we need to do another? If so, tell me how to wipe the old MGTools stuff from my C:/ drive and start over.

    Thanks,

    -scottportraits
     
  13. evilfantasy

    evilfantasy Malware Fighter

    Yes I need a new one. An old one will not do any good. The forums will let you attach a new one.

    Just double click the MGtools.exe and it will run the new scan. We'll clean up everything once we are done which is hopefully after the new logs as long as they are clean.
     
  14. scottportraits

    scottportraits Private First Class

    Sunday
    Nov 22, 2009 10.30pm est


    Well, I think I erased the old MGTool stuff by going into C:/MGTools and clicking "MGClean.bat", I think I recall.....anyway, all the MGTools stuff from the first run was wiped. Don't recall if I rebooted. Then downloaded the 2.3 MB "MGTools.exe" file, and clicked it.

    It started the command line scan run. Took several minutes.

    (Don't know if it matters, but I did this scan with a file sharing app running, because I was in the middle of something. Also, no one ever stipulated to turn off the anti-virus or firewall, like in some other scans, so they too are running while the MGTools scan ran.)
    Procdll.txt popped on my desktop for three seconds.

I'm surprised it allowed me to attach this new file. It is one KB bigger than its predecessor, which, no matter how I renamed it, the forum would NOT let me attach when I tried several times earlier today.

    So here it is ! By the way....I peeked into the file C:/MGTools and find a whole bunch of stuff there that looks real nifty. I recall some of them....like "MGClean.bat", the HiJackThis - scan .exe icon from TrendMicro, and good ol' 'procdll.txt'. So I'm wondering............

    ............How can I learn how to use these tools ? Does MG's have a place where all of their uses are explained? There's all kinds of goodies there, I guess I'm just curious. I wouldn't want to click one and goof up my system. But it would be interesting and might be good to know.

How can I learn to fight malware??

    Thanks,

    -scottportraits
     

    Attached Files:

  15. evilfantasy

    evilfantasy Malware Fighter

    See: Becoming A Malware Forum Helper

    Not in any public forum.

    Interesting yes. But it's designed to be run a certain way and careless clicking is never a good idea. ;)



    There are registry entries I was hoping would be gone but are still there.

    Download OTM by OldTimer to your desktop.

    Note: If you are running on Vista, right-click on OTM.exe and choose Run As Administrator.

    * Save it to your Desktop.
    * Double-click OTM.exe to run it.
    * Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy)

    Code:
    :Processes
    explorer.exe
    
    :reg
    [-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_SROSA]
    
    [-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\srosa]
    
    [-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_SK9OU0S]
    
    [-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_SK9OU0S\0000]
    
    [-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sK9Ou0s]
    
    [-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sK9Ou0s\Security]
    
    :Commands
    [purity]
    [emptytemp]
    [start explorer]
    [Reboot]
    
    * Return to OTM, right click in the "Paste Instructions for Items to be Moved" window (under the yellow bar) and choose Paste.
    * Click the red Moveit! button.
    * Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.

    * Close OTM

    Note: If a file or folder cannot be moved immediately you may be asked to reboot your computer in order to finish the move process. If asked to reboot, choose Yes. If not, reboot anyway.


    Now go to the MGtools folder and double click the getunkkeys.bat and attach the log.

    Location - C:\MGtools\getunkkeys.bat
     
  16. scottportraits

    scottportraits Private First Class

    Monday 2pm est
    Nov 23, 2009

Ouch !! I downloaded OTM.exe to my desktop and pasted in the text where you ask which items to remove. Then clicked 'move it' and it generated a list of stuff in the box on the right. So far, so good. But a window popped saying I need to reboot. I tried hitting NO, but it made that dong sound and stubbornly stayed in the front. Bottom line: I couldn't copy the results of that scan. The PC was rebooted. I lost the chance to copy the text and paste it into notepad. Darn.

    I ran the getunkeys.bat file in MGTools, and here is the attached log.

Now, I wanted to know if an OTM log had been generated and stored somewhere, so I did a search for OTM and found these two other .txt logs wherever I got them from. They look like they might or might not be of any value. But they were in a folder that came up when I searched for OTM.

Any way to retrieve that OTM log that I missed?? How bad did I screw up here?

    Thanks again for all your help. I will look into the 'become a forum helper' article link.

    -scottportraits
     

    Attached Files:

  17. evilfantasy

    evilfantasy Malware Fighter

    That's the log I needed from OTM. Good job.

I also had you run the wrong .bat file. I need C:\MGtools\GetRunKey.bat instead of getunkeys. Sorry. Please run the GetRunKey.bat and attach the log.
     
  18. evilfantasy

    evilfantasy Malware Fighter

    Thank you Chas. :)
     
  19. scottportraits

    scottportraits Private First Class

    Monday 8.30pm est

    Okay, here is the new 'runkeys' log. I'm glad I was able to find those OTM files for you.

    What exactly are all these logs telling you ? Are they lists of registry entries.....some of which are not needed, maybe some are needed but not there now......seems like a TON of data.

    I guess I'm not really experienced enough for the malware removal training, which I checked out from your link below. I guess you really need lot of background in computer language, and other things....

    PC seems to be running pretty smoothly now, so we'll test her out tonight and see if there's still any bugs, or if she's a bit sluggish.


    Thanks again,

    -scottportraits
     

    Attached Files:

  20. evilfantasy

    evilfantasy Malware Fighter

    Your log is clean.

    If you are not having any other malware problems, it is time to do our final steps:
1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources (except a little disk space) until you run a scan.
    2. If we used Pocket Killbox during your cleanup, do the below
      • Run Pocket Killbox and select File, Cleanup, Delete All Backups
    3. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /u
        • Notes: The space between the combofix" and the /u, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
    4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. If running Vista, it is time to make sure you have re-enabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    7. Go to add/remove programs and uninstall HijackThis.
8. Go to the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    9. If you are running Vista, Windows XP or Windows ME, do the below:
• Refer to the cleaning procedures in step 3 of the READ ME for your Windows version and see the instructions to Disable System Restore, which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    10. After doing the above, you should work through the below link:
     
  21. scottportraits

    scottportraits Private First Class

    Yes. All's well that ends well. :)

I have MalwareByte's Free Ed and SUPER Anti-Spyware Free installed on my PC. I update them frequently, and then run a scan about once a week. I also have Spybot and SpywareBlaster, which I update and scan regularly, and Sygate firewall. I am trying Avira Free anti-virus for real-time protection, but have used AVG for years. So I have pretty decent security.

Regarding ComboFix. The icon was on my desktop, then I noticed it vanished. So I recall I had to re-run the MGTools scan, which was first run on the 18th, and therefore had to click MGClean.bat to scrub out that previous throw with MGTools. Then I re-downloaded MGTools.exe again yesterday, and placed it in the 'purged' C:/ Drive so as to run that second scan on the 21st. Anyway, maybe ComboFix got washed from the desktop that time. But at any rate, the ComboFix icon was missing from the desktop and I couldn't enter the

    "%userprofile%\Desktop\combofix" /u

formula into the Start > Run command line without getting an error window that the file was missing. So I skipped that step. It just vanished at some point in there....Manually deleted OTM icon from my desktop. Also noticed HiJackThis was absent from my Add/Remove Programs list......

    Then went to MGTools folder in C:/ Drive and clicked the clean-up bat one (a second time) and scrubbed out all the remains of that second round of logs it generates. Fine.

    Lastly, I went to 'System Restore' and turned it off on all drives. Hit apply and then also went to Accessories > System Tools > Disk Cleanup > More options, and clicked the bottom button to purge all restore points.
    Rebooted.
Turned System Restore back on. Went to Accessories > System Restore and created a new restore point, named appropriately "Post Trojan Clean Up and Repair".

So that's about it. It has been a long week !! That thing hit me almost 11 days ago. Cost me $75. to have a technician get me online and able to launch scans and tools. It was a nasty bug.
All my incoming downloads go to an internal slave drive, and once completed are moved to a partitioned 'quarantine' area also on that second slave drive where they would be safely far away from the C:/ Drive and operating system. Obviously, the strategy was unsuccessful at preventing this one from barging in and jamming up every app you would need to deal with it or get online.

So all's well that ends well. You have done a great service to me and I am immensely grateful for the help and tools at MajorGeeks.

    Sincerely yours,

-scottportraits
     
  22. evilfantasy

    evilfantasy Malware Fighter

    Try this for removing ComboFix.

    "%userprofile%\Desktop\combofix" /uninstall
     
  23. scottportraits

    scottportraits Private First Class

    Tuesday Nov 24, 2009
    1.30pm est

    Well, Like I say, I must have scrubbed ComboFix out somehow, perhaps after doing an MGClean.bat purge.

    At any rate, the second link below: "%userprofile%\Desktop\combofix" /uninstall
    also did not work - just prompted an error window.

    So I did a search using 'combofix' as the search word.....all I got were the logs that were named with combofix in the title, all .txt files. That's all there was.

    Unless it's significant to track down why combofix disappeared, I can't explain or imagine why it vanished like it did. But there's no folder or any other files in there with the name 'combofix'. It just vanished. Probably because I had to run MGClean.bat to re-install and run MGTools a second time. Remember, I also 'lost' the HijackThis app in the Add/Remove Programs list. It too vanished inexplicably, but it was there because I saw it on the list.

Question is: Can MGClean.bat also remove ComboFix and HijackThis???

Thanks again to MajorGeeks - one of the best resources on the web !!

    -scottportraits
     
  24. evilfantasy

    evilfantasy Malware Fighter

    No. MGClean only cleans up MGtools.

    You can make sure CF is gone by deleting all of these files/folders (if found)

    ComboFix.exe file, C:\ComboFix folder, C:\QooBox folder, C:\WINDOWS\nircmd.exe, C:\combofix.txt and C:\ComboFix-quarantined-files.txt

    Then run CCleaner. It should be gone.
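The helper's scripts in this thread delete specific service and LEGACY_* registry keys (the CFScript in post 5 and the OTM script in post 15) and the ComboFix leftovers listed just above, but the thread never shows how to confirm the removals actually took. The following PowerShell script is an added example, not part of the thread or of any of the tools mentioned in it; it checks every path named in those three posts and reports what is still present. Two things in it are assumptions: that ComboFix.exe lived on the Desktop (as the helper requested), and the extra check under CurrentControlSet, which the thread's scripts did not include even though a key that survives in the active control set is the one that matters at the next boot.

```powershell
# Added example (not from the thread): verify that the artifacts targeted by
# the CFScript (post 5), the OTM script (post 15) and the ComboFix removal
# list (post 24) are gone. Run from an elevated PowerShell prompt.

# Registry keys the two scripts deleted, relative to HKLM\SYSTEM\<ControlSet>.
$relativeKeys = @(
    'Services\MEMSWEEP2',
    'Enum\Root\LEGACY_SROSA',
    'Services\srosa',
    'Enum\Root\LEGACY_SK9OU0S',
    'Enum\Root\LEGACY_SK9OU0S\0000',
    'Services\sK9Ou0s',
    'Services\sK9Ou0s\Security'
)

# The scripts named ControlSet002 and ControlSet003 explicitly.
# ASSUMPTION (not in the thread): also look under CurrentControlSet, the one
# Windows actually boots from.
$controlSets = @('ControlSet002', 'ControlSet003', 'CurrentControlSet')

# Files and folders from the thread: the CFScript target plus the ComboFix
# leftovers listed in post 24. ASSUMPTION: ComboFix.exe was on the Desktop.
$filePaths = @(
    'C:\WINDOWS\system32\3F.tmp',
    "$env:USERPROFILE\Desktop\ComboFix.exe",
    'C:\ComboFix',
    'C:\QooBox',
    'C:\WINDOWS\nircmd.exe',
    'C:\combofix.txt',
    'C:\ComboFix-quarantined-files.txt'
)

# Returns the list of listed artifacts that still exist on this machine.
function Test-CleanupArtifacts {
    $remaining = @()
    foreach ($cs in $controlSets) {
        foreach ($rel in $relativeKeys) {
            $key = "HKLM:\SYSTEM\$cs\$rel"
            if (Test-Path -LiteralPath $key) { $remaining += $key }
        }
    }
    foreach ($p in $filePaths) {
        if (Test-Path -LiteralPath $p) { $remaining += $p }
    }
    return $remaining
}

# HKLM\SYSTEM\Select\Current holds the number of the control set in use, so
# the reader can tell whether the ControlSet00N the scripts edited was live.
$current = (Get-ItemProperty -Path 'HKLM:\SYSTEM\Select' -Name Current).Current
Write-Host ("Active control set: ControlSet{0:D3}" -f $current)

$left = Test-CleanupArtifacts
if ($left.Count -eq 0) {
    Write-Host 'None of the listed artifacts remain.'
} else {
    Write-Host 'Still present (investigate before declaring the system clean):'
    $left | ForEach-Object { Write-Host "  $_" }
}
```

Test-Path against the registry provider only tells you whether a key exists, not whether the service it described is loaded; if a Services\* key shows up as still present, check `sc query <name>` and the driver's file on disk before re-running any removal script, and note that the script reports, it does not delete.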
     
  25. scottportraits

    scottportraits Private First Class

    Well, I don't find any of those files, so it must be gone - how remains the question.....
    ....at any rate the PC is running as well as a Celeron can, and that's good news!
    I run CCleaner every other day, almost.
    No files come up when I searched for combofix. So it must be gone.

    Thanks again for all the help,

    -scottportraits
     
  26. evilfantasy

    evilfantasy Malware Fighter

Yes that sounds good.
     
