Pain Removing Well Hidden Malware!!

Welcome to Major Geeks!

Port 25 is typically used by SMTP. You can read more about it here:

http://www.postcastserver.com/help/Port_25_Blocking.aspx

Are you running anything that is sending lots of email?

These are probably broadcast packets from your ISP. This is common used for diagnostics. See this: http://www.hamilton.ie/gavinmc/ripwave/navini_diag.html

You have PC Tools Firewall installed. It is what disabled Windows firewall because you must never use multiple software firewalls. This is not due to malware.

 

You already had the Windows and system32 folders in your path. Now you have it there twice. Once at the beginning and once at the end. Delete the duplicates you added to the end of your Path.

Many people run into problmes running the online scans. Most frequently it is an active-x settings issue or due to the fact that you are preventing it from running in your firewall or with your antivirus....etc.

Did you knowlingly install the Crawler Toolbar stuff? It is considered adware. See this: http://vil.mcafeesecurity.com/vil/content/v_137764.htm
I recommend uninstalling this especially if you did not install it.

Is your copy of Spyware Doctor a paid version or a free trial? If free uninstall it it.

You are running Ad-aware 6 Personal which is more than 3 years out of date. If you want to use Ad-Aware, you should uninstall this and download the proper version: Ad-Aware SE Personal

Uninstall the below old versions of software:
Java 2 Runtime Environment, SE v1.4.2_04
Mozilla Firefox (2.0.0.2)
Mozilla Firefox (2.0.0.3)

Make sure you reboot after uninstalling the above!

After reboot, now install the current version of Sun Java from: Sun Java Runtime Environment

Then install the current version of FireFox from: Mozilla Firefox


Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O4 - HKLM\..\Run: [system] C:\WINDOWS\system32\netdd\mru\ms\mg\msi.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

After clicking Fix, exit HJT
Now reboot in normal mode

Now Copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.

Now attach the below new logs and tell me how the above steps went.

1. ShowNew
2. HJT

Make sure you tell me how things are working now!

 

Yes! Perhaps some application you are running. From a command prompt window enter netstat -a Post back what you get.


What are all the below doing and why do they need to run at startup?
O4 - HKLM\..\Run: [CostAware] C:\Program Files\NetInternals\CostAware\niIPCApp.exe
O4 - Startup: Shortcut to YzDock.exe.lnk = D:\Program Files\Yz Dock\YzDock.exe
O4 - Startup: Unwired Launchpad.lnk = C:\Program Files\Unwired\UwSCT.exe
O4 - Global Startup: Grouper.lnk = D:\Program Files\Grouper\Grouper.exe
O4 - Global Startup: Palo Alto Software Update Manager 8.0.lnk = C:\Program Files\Common Files\Palo Alto Software\8.0\PAS8_Update.exe
O4 - Global Startup: Unwired Launchpad.lnk = C:\Program Files\Unwired\UwSCT.exe

These are broadcast packets. They will not have the IP address of your ISP. You need to check with them if they are sending these packets and why.

Spybot is not reporting malware. It is reporting a change from the default setting where Windows is your security center and firewall. This is not a problem. It is normal once you are using your own antivirus and firewall. Spybot is not saying that anything is wrong. It is just warning you that you are no longer set to the default settings.

 

It still should not be necessary to have it in the path variable more than once.

• From a command prompt window enter regedit
• Does the registry editor appear?
• Now remove the duplicate entries from the end of the path.
• Reboot (this is necessary).
• Now again from a command prompt window enter regedit
• Does the registry editor still appear?

This is something they just recently started doing and we complained about it. There is a version without the addons. I see you uninstall Crawler Toolbar with Web Security Guard now!

I fixed them for you.

 

What are all of the below from your first log?

Code:

  TCP    TOSSER:2912            a210-9-135-203.deploy.akamaitechnologies.com:http  ESTABLISHED
  TCP    TOSSER:2913            ar-in-f165.google.com:http  ESTABLISHED
  TCP    TOSSER:2915            ar-in-f165.google.com:http  ESTABLISHED
  TCP    TOSSER:2916            ro-in-f99.google.com:http  ESTABLISHED
  TCP    TOSSER:2932            imap-vmc.mx.aol.com:imap  TIME_WAIT
  TCP    TOSSER:2934            srv12.digitalpacific.com.au:pop3  TIME_WAIT
  TCP    TOSSER:2936            pop.secureserver.net:pop3  TIME_WAIT
  TCP    TOSSER:2938            pop.bluetie.com:pop3   TIME_WAIT
  TCP    TOSSER:2943            imap-vmc.mx.aol.com:imap  TIME_WAIT
  TCP    TOSSER:2946            srv12.digitalpacific.com.au:pop3  TIME_WAIT
  TCP    TOSSER:2948            pop.secureserver.net:pop3  TIME_WAIT
  TCP    TOSSER:2950            pop.bluetie.com:pop3   TIME_WAIT

Looks like a bunch of email type connections!

Shutdown ALL unnecessary applications, especially browsers, instant messengers, Skype, Yahoo Mail (or any other email apps), CuteFTP if running (make sure no FTP servers are running), Limewire, uTorrent (or any other P2P apps), and so on. And then tell me if these packets are still found leaving your PC. Also have you ever checked to see if this occurs after booting in safe mode.

Have you run a netstat -a while the problem was occuring? Capture one from then?
Have you captured any of these packets with Ethereal?

Do you use or connect to AOL?

Disable all of these from loading at startup! You can use HJT to permanently remove them if you never need them, or for now you can use MSconfig.



Now please download F-Secure's BlacklightBeta

• Download fsbl.exe and save it to the Desktop.
• Once saved... double click fsbl.exe to install the program.
• Click accept agreement and Click scan
• This application may trigger a warning from your antivirus. Let the driver load. Wait for it to finish.
• If it displays any items...don't do anything with them yet. Just hit exit (close)
• It will drop a log on Desktop that starts with fsbl....big number

Please attach the BlackLight log.

 

You have a Rustock.b rootkit infection.

Run this procedure: Rustock.b - msguard, pe386, & lzx32 RootKit Removal attach the requested log.

Then reboot and run Blacklight again and attach a new log.

 

Good news!

No! You should be finished unless you have other malware issues.

If you are not having any other malware problems, it is time to do our final steps:

1. If we used Pocket Killbox during your cleanup, do the below
   • Run Pocket Killbox and select File, Cleanup, Delete All Backups
2. If we used ComboFix, you can delete the ComboFix.exe file, C:\ComboFix folder, C:\QooBox folder, and the C:\combofix.txt log that was created.
3. If we user SDFix you can delete all the SDFix related files and folders from your Desktop or whereever you installed it.
4. If we used VundoFix, you can delete the VundoFix.exe file and the C:\VundoFix Backups folder and C:\vundofix.txt log that was created.
5. If we had your run FixWareOut, you can delete the Fixwareout.exe file and the C:\fixwareout folder.
6. If we had you run Avenger, you can delete all files related to Avenger now.
7. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
8. You can delete the ShowNew.Zip and GetRunkey.Zip files and the files that you extracted from the ZIP files. You can also delete the C:\newfiles.txt and C:\runkeys.txt logs that were created
9. If you are running Windows XP or Windows ME, do the below:
   • go back to step 8 of the READ & RUN ME to Disable System Restore which will flush your Restore Points.
   • Then reboot and Enable System Restore to create a new clean Restore Point.
10. After doing the above, you should work thru the below link:
    • How to Protect yourself from malware!

 

You're welcome and thanks!

It's purely optional, but if you wish to you can PM me with an email address and I can send you PayPal info.

Either way, surf safely!