Antivirus XP 2008 and Other Trojans

Discussion in 'Malware Help (A Specialist Will Reply)' started by PCneedsHelp, Sep 17, 2008.

  1. PCneedsHelp

    PCneedsHelp Private E-2

    I think I got infected about 3am EST today. However, it is possible that I got infected on Monday by being redirected to a malicious website (I have the address if needed). Since the website was displaying images and popups for Antivirus 2008, I closed Firefox with taskmanager and I ran Malwarebytes AntiMalware. Nothing was found and I didn't experience any further problems.

    I did experience problems this morning when my browser suddenly closed and my desktop was changed to display a picture of supposed infections. A window came up asking me to install Antivirus XP 2008, which would close under taskmanager. I ran Malwarebytes Antimalware and when it finished I rebooted as instructed. Then I got an error with explorer not opening. I rebooted into safe mode and ran Malwarebytes Antimalware again and it found an unidentified object. I rebooted again and the error was still there. I closed it in taskmanager and loaded up explorer through taskmanager. The desktop background was blue and there were no popups.

    That's when I decided to look for help so I followed the Read & Run Me.

    I didn't see any malicious programs in Add/Remove programs.
    I updated Java.
    I made sure the startup was normal in msconfig.
    I deleted the quarantine in Malwarebytes Antimalware.
    I deleted the contents of the VIRUS folder for Officescan.
    I had the latest version of CCleaner but I didn't have it on default settings so I removed, reinstalled, and ran it.
    I changed the settings to view hidden files (I already had the full file name extensions displayed).

    XP Instructions

    I downloaded the files.
    I ran SAS (updated it first) and it found and fixed a few things.
    I installed the latest version of Spybot (updated and immunized) and it found and removed: Hitslink and Win32.Agent.pz
    I ran Malwarebytes Antimalware again (updated it first) and it found nothing.

    Combofix

    The Officescan firewall was off, and I killed all the TrendMicro processes in processexplorer.
    I turned off SAS using the tray icons.
    I couldn't get the Adaware aawservice.exe to stop.
    I downloaded the recovery console and dragged it onto the Combofix icon since I don't have an XP Pro SP2 CD, only an original XP Pro CD.
    I let Combofix run.

    I ran MGTools and I didn't see any errors.

    I'll post the logs now. Do you need to see my old (from this morning) Malwarebytes Antimalware logs that had a lot of trojans detected and removed?

  2. PCneedsHelp

    PCneedsHelp Private E-2

    Here is the MGTools log.

  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please attach the below log from MBAM
    Code:
    "C:\Documents and Settings\computer31\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\"
    mbam-l~3.txt  Sep 17 2008        3588  "mbam-log-2008-09-17 (03-11-28).txt"

    The below suspicious files and folders showed up on Sep 17th. Do you know what these are? Most are hidden, which makes them very suspicious.
    Code:
    2008-09-17 19:15 . 2008-09-17 19:15 107,241 --ah----- C:\WINDOWS\system32\twain_32\000190E1.uf
    2008-09-17 19:15 . 2008-09-17 19:15 100,869 --ah----- C:\WINDOWS\system32\twain_32\0001A0EE.uf
    2008-09-17 19:15 . 2008-09-17 19:15 26,405 --ah----- C:\WINDOWS\system32\twain_32\00019640.uf
    2008-09-17 19:15 . 2008-09-17 19:15 4,925 --ah----- C:\WINDOWS\system32\twain_32\00019E3E.uf
    2008-09-17 03:35 . 2008-09-17 03:35 107,241 --ah----- C:\WINDOWS\system32\twain_32\0001F0B4.uf
    2008-09-17 03:35 . 2008-09-17 03:35 100,869 --ah----- C:\WINDOWS\system32\twain_32\000203FD.uf
    2008-09-17 03:35 . 2008-09-17 03:35 13,069 --ah----- C:\WINDOWS\system32\twain_32\0001F1CD.uf
    2008-09-17 03:35 . 2008-09-17 03:35 4,925 --ah----- C:\WINDOWS\system32\twain_32\000203AF.uf
    2008-09-17 03:34 . 2008-09-17 03:34 107,241 --ah----- C:\WINDOWS\system32\twain_32\00019E6D.uf
    2008-09-17 03:34 . 2008-09-17 03:34 100,869 --ah----- C:\WINDOWS\system32\twain_32\0001B292.uf
    2008-09-17 03:34 . 2008-09-17 03:34 14,157 --ah----- C:\WINDOWS\system32\twain_32\00019F58.uf
    2008-09-17 03:34 . 2008-09-17 03:34 4,925 --ah----- C:\WINDOWS\system32\twain_32\0001B243.uf
    2008-09-17 03:31 . 2008-09-17 03:31 <DIR> d--hs---- C:\Documents and Settings\LocalService\Application Data\twain_32
    2008-09-17 02:59 . 2008-09-17 20:59 <DIR> d--hs---- C:\WINDOWS\system32\twain_32
    2008-09-17 02:59 . 2008-09-17 19:55 48,825 --a------ C:\WINDOWS\system32\twain_32\local.ds
    2008-09-17 02:59 . 2008-09-17 21:09 528 --a------ C:\WINDOWS\system32\twain_32\user.ds
    2008-09-17 02:59 . 2008-09-17 20:58 126 --------- C:\WINDOWS\system32\twain_32\user.ds.cla

    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\twext.exe,
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

    After clicking Fix, exit HJT.

    Now we need to use ComboFix to remove a bunch of malware files.
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop, but do not run it!
      • If it is not on your Desktop, the below will not work.
    • Open Notepad and copy/paste the text in the below quote box into it:
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below.
    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    Copy the bold text below to notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.
    Make sure that you tell me if you receive a success message about adding the above
    to the registry. If you do not get a success message, it definitely did not work.


    Now run Ccleaner!

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:
    • C:\ComboFix.txt
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
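    Two of the indicators in this post lend themselves to an automated check: the hidden/system attributes on the fresh twain_32 entries in the ComboFix listing, and the extra executable appended to the Userinit value in the HijackThis F2 line. The script below is an added example for this thread, not chaslang's tooling or anything MGtools ships; it parses the listing lines quoted above (forum markup stripped) and the F2 line, flags entries with the hidden attribute, and reports any program in Userinit other than the stock userinit.exe. The listing format assumed is the date/size/attribute/path layout shown in the post, and the attribute string is only inspected for the letters h and s.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Sample input: five lines copied from the ComboFix listing quoted in the
# post above, with the forum's [u]..[/u] markup removed.
COMBOFIX_LISTING = r"""
2008-09-17 19:15 . 2008-09-17 19:15 107,241 --ah----- C:\WINDOWS\system32\twain_32\000190E1.uf
2008-09-17 03:31 . 2008-09-17 03:31 <DIR> d--hs---- C:\Documents and Settings\LocalService\Application Data\twain_32
2008-09-17 02:59 . 2008-09-17 20:59 <DIR> d--hs---- C:\WINDOWS\system32\twain_32
2008-09-17 02:59 . 2008-09-17 19:55 48,825 --a------ C:\WINDOWS\system32\twain_32\local.ds
2008-09-17 02:59 . 2008-09-17 20:58 126 --------- C:\WINDOWS\system32\twain_32\user.ds.cla
"""

# The HijackThis F2 line quoted in the post above.
HJT_F2_LINE = r"F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\twext.exe,"

# The only program a stock Windows XP install runs from the Userinit value.
EXPECTED_USERINIT = r"c:\windows\system32\userinit.exe"

# Assumed layout of one listing line: created . modified size attrs path
LISTING_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size><DIR>|[\d,]+) "
    r"(?P<attrs>[-a-z]{9}) "
    r"(?P<path>.+)$"
)


@dataclass
class Entry:
    created: str
    modified: str
    size: Optional[int]   # None for directories
    attrs: str
    path: str

    @property
    def hidden(self) -> bool:
        # 'h' anywhere in the attribute string means the hidden attribute is set
        return "h" in self.attrs

    @property
    def system(self) -> bool:
        return "s" in self.attrs


def parse_listing(text: str) -> List[Entry]:
    """Parse ComboFix-style listing lines; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LISTING_RE.match(line.strip())
        if not m:
            continue
        size = None if m["size"] == "<DIR>" else int(m["size"].replace(",", ""))
        entries.append(Entry(m["created"], m["modified"], size, m["attrs"], m["path"]))
    return entries


def flag_hidden(entries: List[Entry]) -> List[Entry]:
    """Entries carrying the hidden attribute, the property chaslang singles out."""
    return [e for e in entries if e.hidden]


def extra_userinit_entries(hjt_line: str) -> List[str]:
    """Programs in a Userinit value other than the stock userinit.exe."""
    m = re.search(r"UserInit=(.*)$", hjt_line, re.IGNORECASE)
    if not m:
        return []
    # Userinit is a comma-separated list; a trailing comma leaves an empty part
    parts = [p.strip().strip('"') for p in m.group(1).split(",")]
    return [p for p in parts if p and p.lower() != EXPECTED_USERINIT]


if __name__ == "__main__":
    for e in flag_hidden(parse_listing(COMBOFIX_LISTING)):
        kind = "dir" if e.size is None else f"{e.size} bytes"
        print(f"hidden{' system' if e.system else ''} ({kind}): {e.path}")
    for extra in extra_userinit_entries(HJT_F2_LINE):
        print(f"unexpected Userinit program: {extra}")
```

    Run it as-is to see the three hidden twain_32 entries and twext.exe reported; feeding it a full ComboFix log or a complete HijackThis scan works the same way, since non-matching lines are ignored. The Userinit check is the more durable of the two: a second program in that value runs at every logon, so an entry that is not userinit.exe is worth a look whatever its name.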
  4. PCneedsHelp

    PCneedsHelp Private E-2

    I attached this log.

    I don't know anything about these files and I certainly didn't install anything other than the required programs yesterday. I really don't know what those files are for.


    I ran C:\MGtools\analyse.exe by double clicking on it.

    F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\twext.exe,
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

    I fixed those files.

    I used CFscript with Combofix.
    I attached the log.
    I merged fixme with the registry and got a success message.
    I ran CCleaner.
    I ran the C:\MGtools\GetLogs.bat file by double clicking on it.
    I attached the MGlogs.zip

    After the MBAM quarantined a few files yesterday, I didn't really see any problems other than the error with explorer not opening when booting XP.

    I'll restart my PC a few times to check if explorer is working.

    Other than my desktop having a blue background, I can't detect anything wrong so far. I am a bit worried about those twain32 files.

  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay, see if you can delete the twain_32 folder. If not, I will give you a procedure to delete it.

    Is everything ok?

    Change your background to what you want.


    Other than the twain_32 folder your logs look fine.
  6. PCneedsHelp

    PCneedsHelp Private E-2

    I deleted the folder, changed my desktop background, and restarted my PC.
    Explorer seems to work.
    The twain32 folder didn't come back after restarting so I guess everything is alright.

    Thank you very much.
    I guess I should go create a new restore point.
  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome.

    See all of my final instructions below which includes this.

    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources (except a little disk space) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /u
        • Note: the space between combofix" and /u must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
      • Delete the C:\combofix folder from combofix (if it exists)
    3. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    4. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    5. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    6. Go to add/remove programs and uninstall HijackThis.
    7. You can delete the C:\MGtools folder and the C:\MGtools.exe file. You can also delete the C:\MGlogs.zip
    8. If you are running Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning steps in the READ ME for your Windows version and see the steps to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    9. After doing the above, you should work through the below link:
  8. PCneedsHelp

    PCneedsHelp Private E-2

    I did that.

    Thank you very much.
  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome. Surf safely!