Greetings everyone plus a basic question

superdan · Mar 26, 2011

Hi there
I've joined because, like many, I've got a trojan problem on a small Dell mini inspiron computer ('system32/svchost.exe (832):\mem' and explorer exe (2792):memory_001) and my AVG cannot heal it. For some reason my internet connection has gone down too. So, before I send my computer off, I would like to have a crack at getting rid of it myself. I'll read the 'Read Me First' Section and will get back to you all.

One thing that occurs to me is that, I am posting here from a different computer from the one with the problem, because it has no internet, so how do I attach the reports from the infected computer witout infecting my uninfected one?

Thanks for reading.
Superdan

dr.moriarty · Mar 26, 2011

Welcome to MajorGeeks!

I would suggest these steps:

Before beginning - make sure that the pc that will be used to upload the logs with properly protected and updated

Then disable AutoRuns per this guide's instructions ---> Disabling AutoRuns

Burn the scan logs from the infected machine to CD/DVD for transfer. [NOTE: Yes, you could use a flash drive too, but flash drives are writeable and infections can spread to them.]

Scan the transfer media with several anti-malware tools (even perform an online scan or two) after insertion in the un-infected machine BEFORE retrieving any files from it!

Online Scanners

ESET Online Scanner:
http://forums.majorgeeks.com/showthread.php?t=149856

BitDefender Online Scanner:
http://www.bitdefender.com/scanner/online/free.html

Trend Micro HouseCall:
http://housecall65.trendmicro.com/

superdan · Mar 26, 2011

Thanks M,
The problem is that the infected computer (a dell inspiron mini) does not have a disc drive. I was intending on using a flash drive, rather than going out to purchase a portable disc drive. I'm am not sure if using a flash drive is worth the risk now. I suppose this comes down to risk assessment.

superdan · Mar 26, 2011

Btw, would anybody be able to explain to me why my internet connection has gone down. Everything on the infected computer seems to work properly at this stage apart from the fact that all traces of the internet connection have vanished from the tool bar. Wireless connections cannot be refreshed. While I have some knowledge of computers, I am not a 'major geek'. Is my computer still connected to the internet via the spyware, or has the OS disconnected the ethernet card as a fail safe?
Thanks in advance if you can explain this to me.

superdan · Mar 27, 2011

Read and Run Me First SuperAntiSpyware difficulty in acquiring logs.

I am in the process of the Read and Run Me First and am at the SuperAntiSpyware Stage.
I have compled the scan. I have just run the Repair broken Network Connection (WinSock LSP Chain) and rebooted.
I still do not have internet connection, but more worryingly, I cannot get the log to open. I can see that it exists but nothing is happening when I click on the 'View Log' prompt.
Also, I have to manually find programs when I want to run them.
Have I done something wrong?
I will continue with the other scans, but obviously would like to send all the logs at the end.
Thanks in advance.

TimW · Mar 27, 2011

Please attach the logs that you have. Dr.M can't really help you until he can see some logs, esp. the C:\MGLogs.zip.

As far as your moving the logs via thumb drive:

Removing a virus from a flash drive entails deleting infected files by launching the command prompt, and scanning the device with a proven anti-virus software.

Instructions
1 Turn on the computer, wait for the operating system to load and insert the flash drive. The operating system will display a message asking what you want to do with the contents of the flash drive. Click "Cancel" to close the message.

2 Click "Start" and then "Run" to launch the Run command box. Type in 'cmd' and hit "Enter" to launch the Command Prompt. You will see a window appear with a black background, with a blinking cursor next to "C:\"

3 Minimize the Command Prompt window and go to "My Computer." Right click on the flash drive icon and check the drive letter assigned to the drive. On the Command Prompt window type in the drive letter and press "Enter." If your drive letter is "E," type in "E:" and then press "Enter."

4 Display the list of files contained in the flash drive. In the Command Prompt, type in "dir /w/a". That is, 'dir-space-slash-w-slash-a'. This command will display all the files stored in the drive. Check whether the drive contains unfamiliar or suspicious files you did not put in it. Common signs of infection are the presence of files such as "Autorun.inf," "Ravmon.exe," "svchost.exe," "Heap41a", or random/gibberish named files.

5 Disable attributes of infected files. In Command Prompt, type in "attrib -r -a -s -h *.*" That is, 'attrib-space-dash-r-space-dash-a-space-dash-s-space-dash-h'. Press "Enter." This command will disable, in order, the 'read only,' 'archive,' 'system' and 'hidden' attributes of all files.

6 Delete infected files. Type in "del samplefilename" to delete the named file from the flash drive. Replace 'samplefilename with the actual file name; for example, to delete "Autorun.inf," type in "del Autorun.inf." Remove all suspicious files individually and then close the Command Prompt.

7 Scan the flash drive with an up-to-date anti-virus program. Check the program's virus definition before initiating a scan. If updates are available, download and install before scanning. Launch the anti-virus, specify the flash drive as the location to scan, and initiate a thorough scan. The scan report should show no identified infections. (Alternative online scans posted previously)
Click to expand...

8 Eject the flash drive and plug into another computer. Check file contents from Command Prompt. The drive should not contain any suspicious files.

superdan · Mar 28, 2011

READ ME RUN ME LOGS Part 1

Here are the first set

superdan · Mar 28, 2011

Re: READ ME RUN ME LOGS Part 1

Part 2

Kestrel13! · Mar 28, 2011

Re: READ ME RUN ME LOGS Part 1

Java(TM) 6 Update 17 <-- Uninstall outdated java

Now we need to use ComboFix

Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!

If it is not on your Desktop, the below will not work.

Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.

If ComboFix tells you it needs to update to a new version, make sure you allow it to update.

Open Notepad and copy/paste the text in the below quote box. Ensure you scroll down to select ALL the lines:
Code:
KILLALL::

Registry::
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll" 
File::
C:\Documents and Settings\LocalService\Local Settings\Application Data\uag83e533p
C:\Documents and Settings\NetworkService\Local Settings\Application Data\sm5cpi4l8o8o8738nkc82if8q647n
C:\Documents and Settings\NetworkService\Local Settings\Application Data\uag83e533p
C:\Documents and Settings\Royce Mahawatte\Local Settings\Application Data\1764256776
C:\Documents and Settings\Royce Mahawatte\Local Settings\Application Data\3661991780
C:\Documents and Settings\Royce Mahawatte\Local Settings\Application Data\uag83e533p
C:\Documents and Settings\All Users\Application Data\1764256776
C:\Documents and Settings\All Users\Application Data\3661991780
C:\Documents and Settings\All Users\Application Data\sm5cpi4l8o8o8738nkc82if8q647n
C:\Documents and Settings\All Users\Application Data\uag83e533p
C:\Documents and Settings\Royce Mahawatte\Templates\1764256776
C:\Documents and Settings\Royce Mahawatte\Templates\3661991780
C:\Documents and Settings\Royce Mahawatte\Templates\uag83e533p
C:\WINDOWS\system32\61bf~1 
Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe

At this point, you MUST EXIT ALL BROWSERS NOW before continuing!

You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.

Now use your mouse to drag CFscript.txt on top of ComboFix.exe

http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

Follow the prompts.

When it finishes, a log will be produced named c:\combofix.txt

I will ask for this log below

Note:

Do not mouseclick combofix's window while it is running. That may cause it to stall.

If after running Combofix you discover none of your programs will open up, and you recieve the following error: "Illegal operation attempted on a registry key that has been marked for deletion". Then the answer is to REBOOT the machine, and all will be corrected.

Reboot your machine and install the most current and up to date version of Java available here at the below link:

Java Runtime 6

Now run the C:\MGtools\GetLogs.bat file by double clicking on it. (Right click and run as admin if using Vista or Windows7) Then attach the new C:\MGlogs.zip file that will be created by running this.

Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now!

superdan · Mar 28, 2011

Re: READ ME RUN ME LOGS Part 1

Many thanks. Will carry out these instructions when I get home. At the moment there is no net connection. I'll have to transfer logs and updates via flash drives. Everything else on computer seems ok. Just no net connection. I will action instructions and send logs. Best sd

TimW · Mar 28, 2011

Please keep all your replies in this thread. :major

Kestrel13! · Mar 28, 2011

TimW said: ↑

Please keep all your replies in this thread. :major
Click to expand...

Ahhh yes. Sorry for barging in on you thread Dr M, I thought it was a fresh one.

dr.moriarty · Mar 28, 2011

Kestrel13! said: ↑

Ahhh yes. Sorry for barging in on you thread Dr M, I thought it was a fresh one.
Click to expand...

:-D You're forgiven.

superdan · Mar 29, 2011

Kestrel,
Here are the logs.
The computer is still running all main functions.
Still no internet connection though. I ran a Windows diagnostic and it mentioned something about not having an IP address.
Since RunMeReadMe I have not received any virus or malware noticed from Windows. (I have uninstalled AVG for ComboFix)

I do not have a Restore Point, or whatever it is called. Because I have no internet connection, I uploaded the material from here and placed it on the desktop - but ComboFix does not seem to pick it up. Obviously I am concerned that I have no Restore Point. Can you advise how to get one without the internet?

Do you have any ideas how to get my internet connection going again?
Best and thanks in advance,
SD

Kestrel13! · Mar 29, 2011

a`yubowan. Give this a try and let us know how you get on.

WinSock XP Fix

superdan · Mar 29, 2011

I'll run it and let you know.
Can you tell me if my computer is still infected?
Do I need to send you any logs? If so, from which program?
bohom estuthi

superdan · Mar 29, 2011

Hi there,
Just ran Winsock XP Fix and the situation still remains. So, the computer is working fine apart from no internet. When I go into Network Connections the box is blank.
Do you have any more ideas?
Many thanks in advance.
SD

Kestrel13! · Mar 29, 2011

Can you tell me if my computer is still infected?
Click to expand...

The logs show nothing sinister now.

bohom estuthi
Click to expand...

Most welcome.

Unfortunately networking is not my area, please visit the Networking forum to make a start on resolving this outstanding problem.

If you are not having any other malware problems, it is time to do our final steps:

We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources ( except a little disk space ) until you run a scan.

If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)

Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required

"%userprofile%\Desktop\combofix" /uninstall

Notes: The space between the combofix" and the /uninstall, it must be there.

This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.

Go back to step 6 of the READ ME and renable your Disk Emulation software with Defogger if you had disabled it.

Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.

If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.

If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.

Go to add/remove programs and uninstall HijackThis.

Goto the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders
related to MGtools and some other items from our cleaning procedures.

If you are running Win 7, Vista, Windows XP or Windows ME, do the below:

Refer to the cleaning procedures pointed to by step 7 of the READ ME
for your Window version and see the instructions to Disable System Restore which will flush your Restore Points.

Then reboot and Enable System Restore to create a new clean Restore Point.

After doing the above, you should work thru the below link:

How to Protect yourself from malware!

superdan · Mar 30, 2011

Hi,
Quick question. I renabled defogger and I was not asked to reboot. I'm assuming that this is in order. Do I just delete defogger now?
Thanks in advance.

TimW · Mar 30, 2011

Just delete it.

Log in or Sign up

Greetings everyone plus a basic question

superdan Private E-2

dr.moriarty Malware Super Sleuth Staff Member

superdan Private E-2

superdan Private E-2

superdan Private E-2

TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

superdan Private E-2

Attached Files:

SASlog.txt

mbam-log-2011-03-27 (20-06-15).txt

ComboFixlog.txt

RRlog.txt

superdan Private E-2

Attached Files:

MGlogs.zip

Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

superdan Private E-2

TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

dr.moriarty Malware Super Sleuth Staff Member

superdan Private E-2

Attached Files:

ComboFixlog2.txt

MGlogs.zip

Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

superdan Private E-2

superdan Private E-2

Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

superdan Private E-2

TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member