Request for help on infection win xp t2

Discussion in 'Malware Help (A Specialist Will Reply)' started by mit-evo9, Apr 8, 2007.

  1. mit-evo9

    mit-evo9 Private E-2

    Hi there.

    Ive read the few threads on the malware removal guide & special procedures & am still in need of assistance.

    Just a brief history. I have had my desktop for nearly a year. Installed is win xp t2 with free AVG antivirus installed & Spybot S&D. I try to update windows security but found that lately I am unable to load the windows update webpage(?). Furthermore when I put it on standby & leave it, when I come back maybe an hour later, it seems like there are programs running in the background (the system light is blinking) & I have to start it up from scratch again.

    I ran panda activescan & found out that my machine was infested with hackers tools & Kavsvc among a list of others even after I ran Spybot & AVG, what gives? I keep them updated all the time & they didn't detect at all?

    Can you advise me on my next course of action? Attached is the activescan log. Any advice is greatly appreciated.

    Thanks.
     


  2. DavidGP

    DavidGP MajorGeeks Forum Administrator - Grand Pooh-Bah Staff Member

    Hi and Welcome

    Yes next course of action is to follow the below and attach all the logs requested.



    Our standard cleaning procedures which are necessary for us to provide you support. Also there are steps included for installing, running, and posting HijackThis logs as attachments.
    • Run ALL the steps in this Sticky thread READ & RUN ME FIRST Before Asking for Support
    • Make sure you check version numbers and get all updates.
    • Very Important: Make sure you tell us the results from running the tutorial...was anything found? Were you unable to complete any of the scans?...Were you unable to download any of the tools?...Did you do the on-line scans as suggested? etc.
    • After doing ALL of the above you still have a problem make sure you have booted to normal mode and run the steps in the below link to properly use HijackThis and attach a log:
    Downloading, Installing, and Running HijackThis

    Make sure you also rename HijackThis.exe as suggested in the procedures. Use analyse.exe for the new name. This is very important due to some new infections going around.




    • When you return to make your next post, make sure you attach the following logs and that you have run these scans in the following order too:
      • CounterSpy
      • AVG Antispyware log - ONLY IF NEEDED you were not able to run CounterSpy
      • Bitdefender - from step 6
      • Panda Scan - from step 6
      • runkeys.txt - the log from GetRunKey.bat
      • newfiles.txt - the log from ShowNew.bat
      • HijackThis
    NOTE: You can only attach 3 files in a single message so it will require that you use two messages to attach all of these logs!
     
  3. mit-evo9

    mit-evo9 Private E-2

    I have followed the steps as stated in "READ & RUN ME FIRST. Malware Removal Guide" & also "Special Removal Procedures - TitanShield, Virtumonde, Qoologic, SpyAxe, Look2ME, etc".

    I have followed the steps in accordance. I did not manage to get a report from getrunkey. A message popped up saying access was denied. When I did a search & found a folder in c:\ it was empty.

    Are the reports sufficient to find out what's happening because it's really making me sleepless at night :cry: The following message has the other logs.

    Thanks so much for your help
     


  4. mit-evo9

    mit-evo9 Private E-2

    These are the other logs:
     


  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You need to attach all the logs requested! You are missing some of the logs. Note that ALL steps in the READ ME must be run in the order written. Obtaining the logs in the wrong order will result in incorrect removal procedures being created which is a waste of our time and yours.

    The logs requested are:
    • CounterSpy
    • AVG Antispyware log - ONLY IF NEEDED you were not able to run CounterSpy
    • Bitdefender - from step 6
    • Panda Scan - from step 6
    • runkeys.txt - the log from GetRunKey.bat
    • newfiles.txt - the log from ShowNew.bat
    • HijackThis
    You only attached
    • CounterSpy
    • Panda Scan - from step 6
    • newfiles.txt - there is no reason to rename it to shownew.txt
    And while you ran CounterSpy, you told it to ignore what it found rather than fixing it. You must Quarantine or delete what is found otherwise there is no sense in running the scans. Re-run it, fix what is found and save a new log.

    Thus you need to attach:
    • CounterSpy - a new log after fixing
    • Bitdefender - from step 6
    • runkeys.txt - the log from GetRunKey.bat
    • HijackThis
     
    Last edited: Apr 10, 2007
  6. mit-evo9

    mit-evo9 Private E-2

    Sorry for the mistake. Attached are the files as required. As for the getrunkey.bat, I double-clicked and a screen came up asking to proceed y/n. After clicking y & waiting for a few seconds, another pop up window came but with a warning saying access denied.

    Thanks for your help.
     


  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    GetRunKey does not have any popups asking you to click anything. So if you are getting any, it would have to be coming from your security programs (like a firewall or an antivirus). It is strange that you don't have the same issue with ShowNew. Does the message say more than "access denied"?

    Please click Start, Run and enter cmd and click OK. This will open a command prompt window. In the command prompt window, enter the below commands.

    cd "C:\Documents and Settings\paul lcf\My Documents\apps\hijackthis\"
    getrunkey.bat

    What messages do you see in the command prompt window? If you see any error messages check to see if it is one of the ones mentioned on the download page for GetRunKey.

    • Click on Start, then Run ... type services.msc into the box that opens up, and press 'OK'.
    • On the page that opens, scroll down to winipcon
    • then right click the entry, select Properties and press Stop Service.
    • When it shows that it is stopped, next please set the Start-up Type to 'Disabled'.
    • Click OK until you get back to Windows.
    • Next, run HJT, but instead of scanning, click on the None of the above, just start the program button at the bottom of the choices.
    • At the lower right, click on the Config button
    • Then click the Misc tools button
    • Select Delete an NT Service
    • Copy/paste winipcon into the box that opens, and press OK
    • If you receive any error messages just ignore them and continue.
    • Now exit HJT and reboot if it tells you it needs to.
    Uninstall the below old versions of software:
    J2SE Runtime Environment 5.0 Update 10
    Java 2 Runtime Environment, SE v1.4.2_03
    Mozilla Firefox (1.5.0.10)
    My Way Search Assistant <-- should have been uninstalled in step 0 of the READ ME

    Make sure you reboot after uninstalling the above!

    After reboot, now install the current version of Sun Java from: Sun Java Runtime Environment

    Then install the current version of FireFox from: Mozilla Firefox

    Now uninstall the Sunbelt CounterSpy trial since we are finished with it now! Then delete the below two folders which may be left behind by the uninstall:
    C:\Documents and Settings\All Users\Application Data\Sunbelt Software
    C:\Program Files\Sunbelt Software

    Now look for the below file and delete it if found (it is more than likely already gone):
    C:\WINDOWS\system32\ipcon.exe

    Now attach new logs from ShowNew and HJT.

    How are things working?
     
  8. mit-evo9

    mit-evo9 Private E-2

    I followed your instructions:
    Please click Start, Run and enter cmd and click OK. This will open a command prompt window. In the command prompt window, enter the below commands.

    cd "C:\Documents and Settings\paul lcf\My Documents\apps\hijackthis\"
    getrunkey.bat


    This came up :
    C:\Documents and Settings\paul lcf\My Documents\apps\hijackthis>getrunkey.bat
    C:\runkeys.txt\*, Are you sure <Y/N>?
    - I didn't proceed but just closed the window. What should I do?

    The rest of your advice I followed to the letter. Attached are the new logs. Can you also advise further if there is anything unusual about my registry? May I also know what winipcon does?

    Thanks for your advice I feel much better now. :D :D :D
     


  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please don't use such hard to read colors!!

    I'm not sure what you mean! This next line:

    C:\runkeys.txt\*, Are you sure <Y/N>?

    will not pop up due to running GetRunKey.bat. Yes the c:\runkeys.txt file is what GetRunKey.bat is trying to create. But if you are getting a message about are you sure, it is not from GetRunKey.bat. Perhaps your antivirus or antispyware program is questioning whether you want to run the script. Just say yes!


    No! Because we are not looking at all of your registry. We are only looking at a very small sample of registry keys often used by malware.


    It was an unknown Trojan service. Possibly related to a password stealing trojan.



    Your logs are clean. If you are not having any other malware problems, it is time to do our final steps:
    1. If we used Pocket Killbox during your cleanup, do the below
      • Run Pocket Killbox and select File, Cleanup, Delete All Backups
    2. If we used ComboFix you can delete the ComboFix.exe file and associated C:\combofix.txt log that was created.
    3. If we used SDFix you can delete all the SDFix related files and folders from your Desktop or wherever you installed it.
    4. If we used VundoFix, you can delete the VundoFix.exe file and the C:\VundoFix Backups folder and C:\vundofix.txt log that was created.
    5. If we had you run FixWareOut, you can delete the Fixwareout.exe file and the C:\fixwareout folder.
    6. If we had you run Avenger, you can delete all files related to Avenger now.
    7. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    8. You can delete the ShowNew.Zip and GetRunkey.Zip files and the files that you extracted from the ZIP files. You can also delete the C:\newfiles.txt and C:\runkeys.txt logs that were created
    9. If you are running Windows XP or Windows ME, do the below:
      • go back to step 8 of the READ & RUN ME to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    10. After doing the above, you should work thru the below link:
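    As an added example (not a MajorGeeks tool and not code from this thread), the script below dumps the same kind of autostart Run/RunOnce registry keys that GetRunKey.bat reports on, and shows the registered binary path and start type of a service looked up by name, using the winipcon service name from the thread. It assumes an elevated PowerShell session on the machine being inspected; the key list and function names are the example's own choices.

```powershell
# Added example: read-only inspection of common autostart locations.
# Assumption: run as Administrator on the machine being checked.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

# List every value under the Run/RunOnce keys: the value name and the
# command line that Windows launches at logon. Compare against what you
# expect to be installed; anything unfamiliar deserves a closer look.
function Get-AutostartEntries {
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            # Get-ItemProperty adds PSPath/PSParentPath etc.; skip those
            if ($p.Name -like 'PS*') { continue }
            [pscustomobject]@{ Key = $key; Name = $p.Name; Command = $p.Value }
        }
    }
}

# Look up a service directly in the registry (the same data services.msc
# shows) and report its ImagePath and Start type. Start: 2 = Automatic,
# 3 = Manual, 4 = Disabled. Returns $null when no such service is registered.
function Get-ServiceImagePath {
    param([Parameter(Mandatory)][string]$Name)
    $svcKey = "HKLM:\SYSTEM\CurrentControlSet\Services\$Name"
    if (-not (Test-Path $svcKey)) { return $null }
    $item = Get-ItemProperty -Path $svcKey
    # First token of the image path, quotes stripped, env vars expanded
    $exe = ((("$($item.ImagePath)" -replace '"', '') -split ' ')[0])
    $exe = [Environment]::ExpandEnvironmentVariables($exe)
    [pscustomobject]@{
        Service    = $Name
        ImagePath  = $item.ImagePath
        Start      = $item.Start
        FileExists = (Test-Path -LiteralPath $exe)   # false once the binary is gone
    }
}

Get-AutostartEntries | Format-Table -AutoSize
Get-ServiceImagePath -Name 'winipcon'   # service name taken from the thread
```

    A service whose key still exists while FileExists is false is the leftover state the thread removes with the HijackThis "Delete an NT Service" step; the script itself changes nothing.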
     
  10. mit-evo9

    mit-evo9 Private E-2

    Thank you so much all. I've done as per your suggestion ;)
     
  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome. Surf safely!
     
