Something like "Poison Ivy"?

Discussion in 'Malware Help (A Specialist Will Reply)' started by EmptySockets, Oct 15, 2010.

  1. EmptySockets

    EmptySockets Private E-2

    My malware problems seem to have started on 03 October. I run Vista on a 32-bit laptop.

    I was checking the contents of an unknown folder on a USB stick. I didn't click on the .exe it contained, but I did click a couple of "links" in the package. One seemed to direct to a non-functioning web-page. The other, I found later, seemed to direct to a .jpg in the folder, which didn't seem to be a real .jpg at all. I think I remember the Console opening briefly.

    After infection, the obvious features were:

    1) In the task manager, firefox.exe was always running, even at startup. Firefox is my default browser. When I killed the process, it would restart in a few seconds. I was unable to erase firefox.exe until I renamed it, then moved it to trash, then erased it using eraser.exe. At least this aspect of the problem no longer occurs.

    2) winservice.exe kept appearing in the Temp folder. Avast detected this, presumably when winservice.exe attempts to execute.

    3) Sometimes the Console appears briefly, for a moment, before disappearing. conime.exe appears in the task manager.

    A normal scan with Avast apparently did not detect the underlying cause. My laptop computer has a problem running deep long scans, as it overheats and shuts down (around 83 degrees C according to Speedfan). The overheating is a pre-existing condition from before this infection. The problem often causes me no trouble, as I don't generally work the laptop hard enough to overheat. Sometimes the scheduled scan by Avast! is enough to shut it down. During the processes recommended by MajorGeeks, I had my laptop sitting on ice-packs to keep it running long enough to complete the steps, one scan per day.

    I've backed up important files (documents, photos, etc) to another computer.

    I have read http://kb.mozillazine.org/Firefox.exe_always_open and http://blog.trendmicro.com/virux-cases-escalate/ and now realise the trojan could be particularly nasty. As I suspect the malware will try to pass on information from my computer, I am keeping the infected computer disconnected from any networks or internet as much as possible. I am accessing MajorGeeks on another computer, and transferring files by USB stick.

    I've read the Forum rules and associated links. I checked for suspicious registry entries, but I'm not experienced enough to be sure. From this point on, I am trying to follow the instructions on MajorGeeks for malware removal.

    Notes on following the malware removal steps, and other observations while running the infected computer:

    I've deleted the contents of the Avast virus chest. It contained 5 instances of winservice.exe, 1 each of firefox.DMP, 1285865559.exe, kernel32.dll, install.48596.exe. 5 VPU files in Avast4/Setup were modified 2 days after infection began.

    Wmpnetwk.exe keeps recurring in the Task Manager. It is 896512 bytes.

    WmiPrvSE.exe keeps recurring. I am unable to Open File Location for it.

    I noticed 2 instances of desktop.ini on my desktop.

    Running SuperAntiSpyware:

    First try crashed due to overheating. Re-tried.

    Temperature rose to 83 degrees C during scan, according to SpeedFan. Terminated unnecessary processes in Task Manager to prevent overheating, but eventually terminated explorer.exe which was using 50% CPU. That fixed the temperature problem. SAS continued running. Result: “Scan is complete. No harmful software was detected.” Log is attached. I also got a message, “Windows Defender encountered an error: 0X80508018. An unexpected problem occurred. Install any available updates, and then try to start the program again. For information on installing updates, see Help and Support.”

    Deleted unnecessary files from infected computer to help future scans with running time and temperature.

    Running Malwarebytes Anti-Malware:

    Downloaded update database mbam-rules.exe on other computer.

    Installing: Final stages of installing Malwarebytes AM were ridiculously slow. Being interfered with by malware? After clicking Finish, computer fan was running very fast, unknown temperature. Computer not responding. Tried CTRL-ALT-DEL. Screen went black, still running. “Logon process has failed to create the security options dialog. Failure – Security Options.” Very slowly, the desktop re-appeared, and the frame for open windows appeared, but blank inside. “Windows Explorer is not responding (dot dot dot)”

    “Malwarebytes' Anti-Malware. An error has occurred. Please report this error code to our support team. MBAM_ERROR_UPDATING(12007,0,WinHttpSendRequest) [OK]”

    MalwareBytes program window appeared. I closed it and ran the updater mbam-rules.exe.

    Processor temperatures reached around 83 degrees before beginning a MalwareBytes AM scan. Multiple instances of tskmgr.exe were running, using most of CPU %. Quit them, temperatures dropped. Also terminated other processes to help.

    Began MB Quick Scan. “Malwarebytes' Anti-Malware (not responding)” while “Preparing to scan system.” mbam.exe using 101680K of RAM, 00% CPU.

    MBAM remained “not responding” from Time Elapsed = 2 seconds to 10min 47s. Still zero objects scanned. Went “not responding” again at that point. Explorer.exe using 50 to 51% CPU. SpeedFan not responding. Terminated explorer.exe using Task Manager.

    MBAM awoke briefly again around 20min, still 0 objects scanned.

    Multiple instances of taskmgr.exe & WmiPrvSE.exe appeared in Task Manager. WmiPrvSE.exe wouldn't terminate. MpCmdRun.exe (Username NETWORK) wouldn't terminate, “Unable to terminate process. The operation could not be completed. Access is denied. [OK]”

    Tried to run explorer.exe from Task Manager. Very slow to respond.

    MBAM awoke briefly at 32min8s, still 0 objects scanned. “Currently scanning C:\ (something) system32 (something) (something).dll”

    At this point:

    Blue screen

    The message was something like, “A problem has been detected (dot dot dot) shut down to prevent damage (dot dot dot) Kernel (something).”

    Restarted.

    “One of your disks needs to be checked for consistency.”

    CHKDSK: I wasn't able to write quickly enough, but this gives a bit of an idea.

    “Deleted corrupt attribute list entry 128 in file 36020. Deleted corrupt attribute (128, $J) file rec segment 114523. Deleted corrupt attribute (128, $J) file segment 252960.”

    “Deleting index entry {99A47F6E-8A3D-46C2-A0BJ-696C852CDB0C} in index $I30 of file 391.”

    (There were 5 or 6 more like the above one.)

    “Recovering orphaned file MPCMDR~1.pf (27302) into directory file 43.”

    “Recovering orphaned file MPCMDRUN.EXE (27302) into directory file 43.”

    etc etc

    Windows completed re-starting. Immediately, 2 instances of “Windows Task Manager has stopped working” even though I had not run it. I clicked “Close the program.”

    Then I ran Task Manager. There were 4 instances of taskmgr.exe and 2 of taskeng.exe.

    I didn't attempt MBAM again.

    Running Combofix:

    Stopped Avast! On-Access Protection. All Shields are OFF. Ran combofix.exe from desktop.

    Message asking me to disable AVG Anti-Virus Free, but as far as I know I uninstalled all AVG products (with difficulty) about a year ago. I have no AVG icon on Desktop or Tray. No AVG folder in c:\Program Files. No sign of AVG in Programs and Features control panel either. Agent Ransack found an invisible AVG Vault file, which I deleted.

    I tried to terminate combofix while I searched for any sign of AVG, but it would not cooperate to quit. I shut down the computer, restarted.

    Quit various processes from Task Manager. Screen went black. I forced shut down again. Restarted.

    Searched for AVG using Agent Ransack again. Found traces in files rescued from another computer. Erased them all. Only left avgremover.exe and avgremover.log.

    Ran avgremover.exe. It didn't appear in Task Manager, but conime.exe did. Hijacked?

    Avast! found the winservice.exe trojan. I must remember that Avast re-activates itself each re-start.

    Ran avgremover.exe again. It ran quickly, brief flash of console text, gone. I didn't restart the computer at this point.

    I stopped Avast! again, and ran combofix again from desktop. It again detected AVG Anti-Virus Free as being active. At this point I restarted the computer in case AVGremover needed a restart to fully remove AVG.

    Stopped Avast! again. Ran combofix from desktop again. Again it detected AVG Anti-Virus Free. I proceeded anyway.

    (NOTE: None of the instructions on www.bleepingcomputer.com helped in my attempt to remove AVG, as I could find no hint that AVG existed, except when I ran combofix. Is something hiding behind a process designed to look like AVG Free to avoid detection?)

    After running combofix, I shut down the computer. Combofix log is attached.

    Running Root Repeal:

    Started computer. My desktop picture has changed.

    Running Root Repeal from desktop. “Initializing, please wait (dot dot dot)” After 2 minutes, the screen went white, then desktop returned. Still “Initializing, please wait (dot dot dot)”

    RootRepeal.exe using 50%CPU, 32392K RAM, then 32444K RAM. TrustedInstaller.exe kept recurring. C:\Windows\servicing\TrustedInstaller.exe 39424 bytes. Tried renaming it. Permission Denied.

    RootRepeal still “Initializing, please wait (dot dot dot)” after 25 more minutes. I terminated RootRepeal.exe.

    Tried again. Ran RootRepeal from desktop. After a few minutes, it was using 980316K RAM, 50% CPU, still “Initializing, please wait (dot dot dot)”

    15 minutes later, 952624K RAM, 50% CPU, “Initializing, please wait (dot dot dot)”

    15 minutes later, 952624K RAM, 50% CPU, “Initializing, please wait (dot dot dot)”

    15 minutes later, 933284K RAM, 50% CPU, “Initializing, please wait (dot dot dot)”

    15 minutes later, 933256K RAM, 50% CPU, “Initializing, please wait (dot dot dot)”

    15 minutes later, 572720K RAM, 50% CPU, “Initializing, please wait (dot dot dot)” Temperature up to 82 degrees.

    15 minutes later, 572720K RAM, 50% CPU, “Initializing, please wait (dot dot dot)”

    15 minutes later, 572720K RAM, 50% CPU, “Initializing, please wait (dot dot dot)”

    15 minutes later, 572720K RAM, 50% CPU, “Initializing, please wait (dot dot dot)” There is no “Files tab”, no “Scan button”, no “Select Drives” form, no “OK button”, so I haven't got to the stage where the instructions say, “It will start scanning. Wait for it to finish.” I have to assume it won't work. I've given it every opportunity, as far as I can see.

    Terminated RootRepeal.exe. Shut down, but explorer.exe didn't quit straight away. After a couple of minutes, shut-down completed.

    Running MGTools:

    Copied MGTools from USB to C:\

    Although http://forums.majorgeeks.com/showthread.php?t=137630 says it won't run the scan on Vista simply by double-clicking it, it does seem to run. Perhaps that instruction is for an outdated version of MGTools?

    A TrendMicro Hijack This window opened, with the End User License Agreement. I accepted. Immediately got an error form to submit. Clicked Yes, but “no internet connection available”.

    MGTools finished. Log is attached.

    As per instructions, tried double-clicking EnableUAC.reg to re-enable UAC, but the .reg just opens in Notepad. Enabled UAC using Windows Security Centre instead.

    I can't view http://forums.majorgeeks.com/attachment.php?attachmentid=128029&d=1262041254 or http://forums.majorgeeks.com/attachment.php?attachmentid=106090&d=1232959619 (linked from instructions on http://forums.majorgeeks.com/showthread.php?t=137630) because I was not a registered member of MajorGeeks forum, yet.

    I've followed the http://forums.majorgeeks.com/showthread.php?t=139681 Vista cleaning instructions as well as I could, and am attaching what log files I was able to get. I hope somebody is able to follow all this and work out what is going on. Many, many thanks in advance.
     

    Attached Files:
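    The respawning firefox.exe and the winservice.exe that kept reappearing in Temp, described in the post above, are the sort of symptom a defender pins down by recording process lineage over time rather than by watching Task Manager by hand. The script below is an added example for this thread, not something any participant posted. On Windows it collects snapshots with `wmic process get ... /format:csv` (assumed to be available on Vista) and, when killed and relaunched, a process shows up under a fresh PID with the same image name; the script reports those events together with the parent process that started the replacement and the SHA-256 of the image, which is what you would look up or hand to a helper. The embedded sample snapshots, including the parent named `unknown.exe` and all PIDs and paths, are constructed for the demonstration.

```python
"""Process-lineage triage for a process that keeps coming back.

Added example, not from the original thread. Live collection uses
`wmic process get ... /format:csv` (assumed present on Windows Vista and
later); the analysis itself is plain Python and runs anywhere on the
constructed sample snapshots below.
"""
import csv
import hashlib
import io
import subprocess
import sys
import time

# Columns requested from wmic. In CSV mode wmic prefixes a "Node" column and
# orders the others alphabetically, so we always read fields by header name.
WMIC_CMD = ["wmic", "process", "get",
            "ExecutablePath,Name,ParentProcessId,ProcessId", "/format:csv"]

# Constructed sample: two snapshots a few seconds apart. Between them the
# user killed firefox.exe (PID 2104); it came back as PID 2456, launched by
# the same parent (PID 3300, a made-up "unknown.exe" living in Temp).
SAMPLE_SNAPSHOTS = [
    "\nNode,ExecutablePath,Name,ParentProcessId,ProcessId\n"
    "LAPTOP,C:\\Windows\\explorer.exe,explorer.exe,900,1200\n"
    "LAPTOP,C:\\Users\\me\\AppData\\Local\\Temp\\unknown.exe,unknown.exe,1200,3300\n"
    "LAPTOP,C:\\Program Files\\Mozilla Firefox\\firefox.exe,firefox.exe,3300,2104\n",
    "\nNode,ExecutablePath,Name,ParentProcessId,ProcessId\n"
    "LAPTOP,C:\\Windows\\explorer.exe,explorer.exe,900,1200\n"
    "LAPTOP,C:\\Users\\me\\AppData\\Local\\Temp\\unknown.exe,unknown.exe,1200,3300\n"
    "LAPTOP,C:\\Program Files\\Mozilla Firefox\\firefox.exe,firefox.exe,3300,2456\n",
]


def parse_wmic_csv(text):
    """Turn wmic /format:csv output into {pid: {"name", "ppid", "path"}}."""
    lines = [ln for ln in text.splitlines() if ln.strip()]  # wmic pads with blank lines
    procs = {}
    for row in csv.DictReader(io.StringIO("\n".join(lines))):
        try:
            pid = int(row["ProcessId"])
            ppid = int(row["ParentProcessId"])
        except (KeyError, TypeError, ValueError):
            continue  # header oddities or a process that vanished mid-query
        procs[pid] = {"name": (row.get("Name") or "").lower(),
                      "ppid": ppid,
                      "path": row.get("ExecutablePath") or ""}
    return procs


def snapshot():
    """One live snapshot of the process table (Windows only)."""
    out = subprocess.run(WMIC_CMD, capture_output=True, text=True, check=True).stdout
    return parse_wmic_csv(out)


def sha256_of(path):
    """SHA-256 of a file, or None when it cannot be read (locked, gone, no path)."""
    if not path:
        return None
    h = hashlib.sha256()
    try:
        with open(path, "rb") as f:
            for chunk in iter(lambda: f.read(1 << 16), b""):
                h.update(chunk)
    except OSError:
        return None
    return h.hexdigest()


def find_respawns(snapshots):
    """Respawn events between consecutive snapshots.

    A PID that disappears while a new PID with the same image name appears
    is a restart; the new instance's parent is what did the restarting."""
    events = []
    for prev, cur in zip(snapshots, snapshots[1:]):
        gone = {pid: info for pid, info in prev.items() if pid not in cur}
        new = {pid: info for pid, info in cur.items() if pid not in prev}
        for old_pid, old in gone.items():
            for new_pid, fresh in new.items():
                if fresh["name"] != old["name"]:
                    continue
                parent = cur.get(fresh["ppid"])
                events.append({
                    "name": fresh["name"], "old_pid": old_pid, "new_pid": new_pid,
                    "path": fresh["path"], "ppid": fresh["ppid"],
                    "parent_name": parent["name"] if parent else "<exited or not captured>",
                    "parent_path": parent["path"] if parent else "",
                })
    return events


def main(interval=2.0, count=30):
    """Poll the live process table and print every respawn seen."""
    snaps = []
    for _ in range(count):
        snaps.append(snapshot())
        time.sleep(interval)
    for ev in find_respawns(snaps):
        print("%s respawned: PID %d -> %d, launched by PID %d (%s) %s" % (
            ev["name"], ev["old_pid"], ev["new_pid"], ev["ppid"],
            ev["parent_name"], ev["parent_path"]))
        print("  image sha256:", sha256_of(ev["path"]))


if __name__ == "__main__":
    if sys.platform == "win32":
        main()
    else:  # elsewhere, show the analysis on the constructed sample
        for ev in find_respawns([parse_wmic_csv(s) for s in SAMPLE_SNAPSHOTS]):
            print(ev)
```

    Run it on the affected machine while the symptom is happening and kill the suspect process once during the polling window; the parent it names is the component to hunt for, and the hash is what to search for or submit, which a bare process name never gives you.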

  2. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    I am not seeing any malware in your logs. Your biggest problem is your heat issues. That should be addressed asap. If you can manage to keep it cool long enough, you can try an online scan:

    eSet Online Scan.
     
  3. EmptySockets

    EmptySockets Private E-2

    Thanks for your reply Tim. That was a lot faster than the 5 days I was expecting.

    I'm looking into what I can do about the overheating issue.

    I'm very convinced that I do have a malware infection (from the behaviours I described), so if nothing showed in those logs, I feel it means I need to try other methods. But I'm also very worried the malware has been gathering data from my computer, and may be waiting till I connect, to upload that data, for whatever purposes. For that reason, I'm very reluctant to run an online scan; I'm trying to keep the infected computer isolated. Is there a downloadable alternative that might do the job?

    Do you have an idea why I was unable to run RootRepeal and MBAM?
     
  4. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

  5. EmptySockets

    EmptySockets Private E-2

    That sounds like a good approach. 2 problems: 1) I've never been able to burn an iso to a disk, successfully. 2) The CD drive on the laptop doesn't work.

    Would there be something similar, but designed to make a bootable USB stick?

    Thanks again for your time.
     
  6. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Remind me what issue we are trying to deal with now. If it is your heat issue, I would suggest you post in the hardware forum.
     
  7. EmptySockets

    EmptySockets Private E-2

    No, I was responding to your suggestions on how to deal with the malware, given that 2 of the 5 scans failed, and the other 3 did not reveal any malware, despite the computer's behaviour and my observations suggesting the presence of malware. (I'm not posting in this topic regarding my overheating problem, except insofar as it hinders the malware-seeking attempts. I'm following the heating issues elsewhere.)

    You suggested using the Kaspersky or Bit-Defender bootable scans. I got the feeling you were suggesting that as a way of avoiding possible malware behaviour that may be blocking other attempts at detecting the malware. My problem with this is that I've never been able to make a disk from an iso file, though I've tried several times. The other problem is that my CD drive (on the infected computer) doesn't work, though I could perhaps use an external drive. I'm not sure whether it is possible to boot from external CD drives.

    I suggested that I might be able to do a start-up scan from a bootable-scan USB memory stick. Do you know of a suitable download to do that?

    Would it be simpler to just format the hard-drive and re-install the OS? Would that guarantee the system is free of all malware, including root kit ones?
     
  8. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Ah, so that is where my brain went... I knew there was something. We were looking at doing those because your other logs were coming out clean. Not having a working cd-rom is a problem, esp. if you are reluctant to do an online scan. So let's for a moment assume that you have no malware. ( System issues can mimic malware. ) Would you then do a reformat? You could try doing a repair install, but in either case, you need a working cd-rom.

    If you have things backed up ( to a thumb drive or external drive ) you will not make things worse by doing the online scan, esp. if you are going to do a reformat. At least it will tell you if the issues are malware related or not.

    You are going to have to get assistance in the software forum in order to do a reformat without a cd-rom.

    So I guess what I am driving at is you have two options.
    One, being able to get a cd-rom device that will allow you to do either a reformat or repair install or run the malware discs.
    Two, getting on the web and doing an eSet online scan and seeing if it does find malware that I am not finding in your logs. If it doesn't then we know it is a systems problem and we are back to option one.
     
  9. EmptySockets

    EmptySockets Private E-2

    My problems did start with a certain folder including a strange .exe, a link to a strange website, and another link that turned out to point to a .jpg file (in the same folder) which was not really a .jpg file. Those were my first hints that I'd just done something incredibly stupid by clicking on them.

    From then, firefox.exe would always be running, even when I had just terminated it. At startup, multiple instances of firefox.exe would run. (I don't think I explained that bit in my initial post). So anyway, I'm working on the assumption that I do have malware, and as a worst-case scenario, that it's sophisticated, has collected data from my computer, and is waiting for me to connect to the internet so it can send this data to somebody, for unknown purposes.

    That's why I'm reluctant to do an online scan.

    I think my CD problems are software related, as it happened a couple of years ago when I supposedly restored the system to original condition.

    Yes, my personal files are backed up, so I don't mind re-formatting. I do have an external CD/DVD drive. I'd be quite interested in having a Linux bootable USB stick with basic applications and "emergency" stuff, like rootkit scanner etc.

    At the moment, my laptop is partly disassembled, as I was trying to get in to clean the fans. That didn't turn out to be very easy. Meanwhile, it's a good chance to prepare a USB stick or CD to do what needs to be done.
     
  10. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    You could always remove Firefox:

    • Run FireFox and click Bookmarks.
    • Then select Organize Bookmarks.
    • Then on the next window click File and then select Export. Save the bookmarks.html file to your Desktop for later use in importing.

    Now download and save the installer for the current version of FireFox but DO NOT install it yet. Get it here: Mozilla FireFox

    You will need to exit FireFox now and use Internet Explorer to continue with the below until we reinstall FireFox.

    Start by uninstalling FireFox and then reboot. Do not skip the reboot.
    After reboot, delete the below folders:

    C:\Documents and Settings\UserAccount\Local Settings\Application Data\Mozilla
    C:\Program Files\Mozilla Firefox

    where UserAccount is the actual user account name being used.

    Now reinstall FireFox from the file previously downloaded.
    Import your bookmarks file. (similar process to exporting).

    And you can possibly make this disc/ thumb tool:
    UBCD4Win
     
