Tainted Windows XP Machine Reinfection

Discussion in 'Malware Help (A Specialist Will Reply)' started by matthewmalk248, Dec 22, 2012.

  1. matthewmalk248

    matthewmalk248 Private E-2

    Hey everyone, doing a favor for my uncle-in-law, who unfortunately took his computer to a co-worker during the summer to have some rootkit removed (no idea which) and some other spyware. It looks like the guy just ran TDSSKiller and ComboFix and called it a day.

    Fast forward to now: the PC was running super slow, so the co-worker just told him to run ComboFix again, and he said it removed some "tmp" files. The last log I saw showed nothing removed, but I think he ran it more than once.

    The computer was still running like crap, so he took the hard drive out and brought it with him yesterday when he flew up from Texas for X-Mas. I said I'd take a look for him. So far I have:
    - uninstalled Java (it was really old)
    - uninstalled a couple of toolbars and an expired McAfee (he now uses Webroot)
    - run CCleaner
    - started an SFC, currently running, for the hell of it
    - removed Yontoo & MapsGalaxy (mywebsearch)

    Scans are now coming back clean, but I'm still worried about remnants. Can you tell anything from the logs? TDSSKiller had some "Suspicious" entries, and I remember seeing some antivirus overrides somewhere in the registry scanner.
     

    Attached Files:

  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Major Geeks!

    Are you booting up from this hard disk, or are you running scans on it while it is slaved to your PC? It looks like only one hard disk, so I assume you just threw it into a different PC.

    There is nothing of concern in these logs other than MSconfig being used for controlling startups.


    The PC it is running in now really does not have enough memory to run Windows XP effectively.
    Code:
    Total Physical Memory 1,024.00 MB 
    Available Physical Memory 523.89 MB
     
  3. matthewmalk248

    matthewmalk248 Private E-2

    Yes, he didn't want to bring the whole PC, so he just brought the drive and I threw it into an old PC I had lying around; his actual PC has 4GB of RAM.

    I remember where I saw that override stuff; it was in the ComboFix logs (pasted below). But if they're of no concern, then I'll tell him he's good. Thanks a bunch!

    Code:
    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusOverride"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
    "DisableMonitoring"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
    "DisableMonitoring"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
    "DisableMonitoring"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
    "DisableMonitoring"=dword:00000001
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)
     
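The ComboFix registry excerpt quoted above, as an added check that is not part of the original thread or of ComboFix itself: a small Python parser that reads a ComboFix/.reg-style dump, flags the Security Center override and DisableMonitoring values together with a disabled XP firewall profile, and attributes each Monitoring entry to the product subkey that registered it. The dump below is the one from the post, embedded as constructed sample input; the function names and the caller-supplied list of still-installed products are my own assumptions.

```python
import re

# Constructed sample input: the ComboFix registry excerpt posted in this thread.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"""

KEY_RE = re.compile(r'^\[(.+)\]$')
VAL_RE = re.compile(r'^"([^"]+)"\s*=\s*(.+)$')

# XP Security Center value names that suppress its own AV/firewall/update alerts.
OVERRIDE_NAMES = {
    'antivirusoverride', 'firewalloverride',
    'antivirusdisablenotify', 'firewalldisablenotify', 'updatesdisablenotify',
    'disablemonitoring',
}


def parse_dword(text):
    """Decode the value formats ComboFix prints: 'dword:00000001' or '0 (0x0)'."""
    text = text.strip()
    if text.lower().startswith('dword:'):
        return int(text[6:], 16)
    m = re.match(r'^(\d+)', text)
    return int(m.group(1)) if m else None


def parse_reg_dump(text):
    """Turn a .reg/ComboFix-style dump into {key_path: {value_name: raw_value}}."""
    reg, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == '.':        # ComboFix separates keys with a lone '.'
            continue
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            reg.setdefault(current, {})
            continue
        m = VAL_RE.match(line)
        if m and current is not None:
            reg[current][m.group(1)] = m.group(2)
    return reg


def find_security_center_overrides(reg):
    """Return (key, value_name, value) for every alert-suppressing or firewall-off setting."""
    findings = []
    for key, values in reg.items():
        k = key.lower()
        if 'security center' in k:
            for name, raw in values.items():
                if name.lower() in OVERRIDE_NAMES and parse_dword(raw) == 1:
                    findings.append((key, name, 1))
        elif 'firewallpolicy' in k and parse_dword(values.get('EnableFirewall', '1')) == 0:
            findings.append((key, 'EnableFirewall', 0))
    return findings


def monitoring_products(findings):
    """Product subkeys under ...\\security center\\Monitoring\\<Product> that registered themselves."""
    products = set()
    for key, _name, _val in findings:
        parts = key.split('\\')
        lowered = [p.lower() for p in parts]
        if 'monitoring' in lowered:
            i = lowered.index('monitoring')
            if i + 1 < len(parts):
                products.add(parts[i + 1])
    return products


def stale_products(findings, installed):
    """Monitoring entries whose product is not in the caller's list of still-installed software."""
    installed_l = {p.lower() for p in installed}
    return {p for p in monitoring_products(findings)
            if not any(p.lower().startswith(i) for i in installed_l)}


if __name__ == '__main__':
    found = find_security_center_overrides(parse_reg_dump(SAMPLE_LOG))
    for key, name, val in found:
        print(f'{key}\n    {name} = {val}')
    # The poster said McAfee was uninstalled and Webroot is now in use; which products
    # are still installed is an assumption the caller supplies, not something read from the dump.
    print('stale Monitoring entries:', sorted(stale_products(found, ['Webroot'])))
```

These values are the mechanism a third-party AV or firewall uses to tell Security Center that it is handling monitoring, so their presence alone says nothing about infection; the useful check is to cross-reference the product names under Monitoring against what is actually still installed, and to confirm that the Windows Firewall profile being off is intentional once the product that replaced it is gone.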
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome. Those are not problems.

    Since you are not having malware problems, it is time to do our final steps:
    1. We recommend you keep Malwarebytes Anti-Malware for scanning/removal of malware.
    2. Go back to step 4 of the READ ME and re-enable your Disk Emulation software with Defogger if you had disabled it.
    3. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    4. If running Vista or Win 7, it is time to make sure you have re-enabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    5. Go to Add/Remove Programs and uninstall HijackThis. If you don't see it or it will not uninstall, don't worry about it. Just move on to the next step.
    6. Go to the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders
      related to MGtools and some other items from our cleaning procedures.
    7. After doing the above, you should work through the below link:
     