Antivirus XP 2008 and possibly Vundo

Discussion in 'Malware Help (A Specialist Will Reply)' started by SWario, Aug 17, 2008.

  1. SWario

    SWario Sergeant

    Hi there again! This time a friend's computer has exploded into malware goodness. She complained of getting Antivirus XP, so I offered to run the standard suite of scans on it to ensure removal of the baddies. Unfortunately, after running SUPERAntiSpyware, the computer now refuses to boot into Windows, Safe Mode or Normal Mode. She's on the verge of going for a format/reinstall or running recovery console, System File Checker, or chkdsk.

    So, ideas on why it would now refuse to boot or what to do about it?
     
  2. SWario

    SWario Sergeant

    OS: Windows XP Professional SP2

    An update. I have discovered that Windows actually boots all or most of its processes, except explorer.exe. If I use CTRL+ALT+DEL to open Task Manager and try to run explorer.exe, Windows claims that it cannot find or recognize explorer.exe. However, I can open things such as Opera by browsing for it and running it. I have verified the existence of explorer.exe, but it will not run.

    Thoughts on this recent development and the already existing problems?
     
  3. SWario

    SWario Sergeant

    Sorry for yet another update post, but I've discovered a problem with the ComboFix instructions and the computer I'm currently working on. Given that explorer.exe will not run, I cannot graphically explore any directories (to my knowledge), so I have been using the NT CMD environment to copy files and launch programs for the time being. However, when trying to install the Windows Recovery Console according to the ComboFix instructions, it wants me to perform a drag-and-drop operation, which I cannot do. If there is a command-line alternative for this, I would be more than happy to do that after acquiring the XP Pro SP2 Boot Disk utility since the owner does not have a Windows disc for the computer (computer shipped with the OS, not the discs, to my knowledge).

    Not sure what to do here, but I've run all of the other steps prior to this point in the instructions. Computer auto-locked after inactivity and the owner is sleeping, so further activity will have to wait until morning. Though, it DOES have a fingerprint scanner. Maybe I could swipe it past her finger while she's sleeping... *ponders*

    Anyways, advice/feedback/inquiries on her computer's current situation would be very helpful.

    Thank you, once again, in advance, for your help!
     
  4. SWario

    SWario Sergeant

    Alright, finally got explorer.exe back up (apparently an unintentional restart fixed it?) and finished running ComboFix and MGTools. I'm attaching logs now. Her computer seems to be fine, but I don't want to hook it up to the Internet until after I get an "all green" from you guys. Also, she's been browsing with only XP's firewall, so I'm installing Comodo for her after this is all said and done. Lastly, my system's AntiVir detected an infection in a "system.exe" file on the thumb drive I was using to copy tools over. I denied access to the file several times, and eventually just ended up deleting it. Now neither of our systems will open the root directory of the thumb drive in explorer by default, but I figure that formatting the thumb drive will fix that. My concern now is that something may have been passed to my computer since my icon/file arrangements are a bit messed up now (sorted Z-A), but I will address that in a new thread after her laptop is taken care of.

    Here are the logs for her computer.
     


  5. SWario

    SWario Sergeant

    MGLogs file.
     


  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    The below files do not belong where they are being saved. This is a bad practice. If they are needed, they should be moved.
    Code:
    2008-05-31 18:17 11,776 ----a-w C:\smbusdh.sys   <-- this should just be deleted as it is not where it should be located.
    2008-03-09 20:55 37,404,672 ----a-w C:\Program Files\SAV1017win32.exe
    2007-12-24 04:08 4,922,104 ----a-w C:\Program Files\Opera_9.25_Eng_Setup.exe
    2007-12-23 19:51 21,216,112 ----a-w C:\Program Files\aaw2007.exe
    2007-10-13 19:23 2,585,872 ----a-w C:\Program Files\WindowsInstaller-KB893803-v2-x86.exe
    2007-10-13 19:12 5,154,304 ----a-w C:\Program Files\WindowsDefender.msi
    2006-09-11 22:23 8,606,208 -c--a-w C:\Program Files\vpnclient-win-4.8.01.0300.exe
    2006-07-10 01:54 1,355,912 -c--a-w C:\Program Files\install_flash_player.exe
    2006-07-08 02:48 4,849,080 -c--a-w C:\Program Files\Opera 9 Eng Setup.exe
    2006-05-08 07:48 524,065 -c--a-w C:\Program Files\citrus_setup.exe
    2006-02-26 18:25 1,014,477 -c--a-w C:\Program Files\wrar351.exe
    2005-12-18 01:24 21,273,600 -c--a-w C:\Program Files\NortonAVw32.exe
    2005-12-07 18:13 9,816,152 -c--a-w C:\Program Files\NapsterSetup-US-3.5.2.5.exe
    2005-09-20 02:18 51,619,029 -c--a-w C:\Program Files\iPodSetup.exe
    2005-03-27 19:18 9,000,041 -c--a-w C:\Program Files\Trillian 3.1.exe
    Who is installing things like below (shown in the MBAM log)? This is also a very bad practice, as you can see how they are being detected as malware. Whoever is doing this needs to learn to install programs to the default folders so that they will not be suspected as malware. In some cases, these could have been removed by default.
    Is the below proxyserver setting valid?
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = wchwe25:80

    Uninstall the below old versions of software:
    IBM 32-bit Runtime Environment for Java 2, v1.4.1

    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    R3 - URLSearchHook: (no name) - {37D2CDBF-2AF4-44AA-8113-BD0D2DA3C2B8} - (no file)
    O2 - BHO: (no name) - AutorunsDisabled - (no file)
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O9 - Extra button: (no name) - AutorunsDisabled - (no file)

    After clicking Fix, exit HJT.



    Now we need to use ComboFix to remove a bunch of malware files.
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Open Notepad and copy/paste the text in the below quote box into it:
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below
    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.


    After reboot, now install the current version of Sun Java from: Sun Java Runtime Environment

    Copy the bold text below to notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.
    Make sure that you tell me if you receive a success message about adding the above to the registry. If you do not get a success message, it definitely did not work.

    Now run Ccleaner!

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).



    Then attach the below logs:
    • C:\ComboFix.txt
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
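    One way to mechanically apply the placement checks chaslang makes above (a .sys file outside system32\drivers, installers dropped straight into C:\ or C:\Program Files) to a ComboFix-style file listing. This is an added example, not a tool from the thread or from MajorGeeks; the first four sample lines are taken from the listing quoted in the post, the last two are constructed here as files in their expected locations.

```python
import re
from pathlib import PureWindowsPath

# Sample input in ComboFix's "date time size attrs path" listing format.
# First four lines: from the listing quoted above. Last two: constructed
# examples of a driver and an application sitting where they belong.
SAMPLE = """\
2008-05-31 18:17 11,776 ----a-w C:\\smbusdh.sys
2008-03-09 20:55 37,404,672 ----a-w C:\\Program Files\\SAV1017win32.exe
2007-10-13 19:12 5,154,304 ----a-w C:\\Program Files\\WindowsDefender.msi
2005-03-27 19:18 9,000,041 -c--a-w C:\\Program Files\\Trillian 3.1.exe
2008-01-01 00:00 12,345 ----a-w C:\\WINDOWS\\system32\\drivers\\example.sys
2008-01-01 00:00 1,234,567 ----a-w C:\\Program Files\\Opera\\opera.exe
"""

LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}) "
    r"(?P<size>[\d,]+) (?P<attrs>\S+) (?P<path>.+)$"
)

# Folders where a loose .exe/.msi is an installer someone saved by hand,
# not an installed program.
ROOT_FOLDERS = ("c:\\", "c:\\program files")


def parse_line(line):
    """Split one listing line into its fields; return None for non-matching lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {"date": m["date"], "size": int(m["size"].replace(",", "")),
            "attrs": m["attrs"], "path": m["path"]}


def flag(path):
    """Return a reason if the file is stored where it should not be, else None."""
    p = PureWindowsPath(path)
    parent = str(p.parent).lower()
    ext = p.suffix.lower()
    if ext == ".sys" and not parent.endswith("\\windows\\system32\\drivers"):
        return "driver outside system32\\drivers"
    if ext in (".exe", ".msi") and parent in ROOT_FOLDERS:
        return "installer/executable loose in a root folder"
    return None


def triage(text):
    """Return (path, reason) for every listed file that fails a placement check."""
    out = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec and (reason := flag(rec["path"])):
            out.append((rec["path"], reason))
    return out
```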
     
  7. SWario

    SWario Sergeant

    Ran the scans as instructed, though I didn't realize that Symantec had been enabled before I ran ComboFix, so I disabled it after ComboFix had started to run. ComboFix finished and produced a log file, so I didn't think that it had interfered with ComboFix, and I didn't think that running the script again without instruction would be wise. The R1 entry from HijackThis does not appear to be intended by the user, but I forgot to fix it before going through the other instructions. I will take care of it after these logs are reviewed.

    Her computer seems to be working fine now. Explorer starts up, and her icons and wallpaper are back. The only weird things that have occurred recently are:
    1. Occasionally when trying to log in, the error message, "Are you sure you want to log off the current user?" appears, though no other users should be logged in at the time.
    2. Symantec Antivirus stopped functioning. It gave an error message about a missing file when trying to start it, so I had her reinstall it.

    Other than that, I had her install Comodo Firewall Pro and disabled the Windows Firewall. She just wants to know when it's safe to put the computer back on the net. How are things looking from your end?
     


  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I don't know what this is about.

    The DOMAINSERVICE malware is still there.


    Copy the bold text below to notepad. Save it as fixDS.reg to your desktop. Be sure the "Save as" type is set to "all files". Do not attempt to double click on it. See further down how we are going to apply this fix.


    • Please go to this link: http://live.sysinternals.com/
    • Find the psexec.exe file in the list, click on it, and download and save it to your Desktop. Doing this properly is critical for other steps below.
    • Now click Start, Run, and enter cmd and click OK. This will open a command prompt window with a prompt that shows the current folder you are in.
    • For you the prompt should show C:\Documents and Settings\Anita>
    • Now type cd Desktop and hit the enter key. There is a space after the cd. If you do this properly, your prompt will change to C:\Documents and Settings\Anita\Desktop>
    • Type the below bold text and hit the enter key. This will open the Windows Registry Editor. You will have to agree to the SysInternals License Agreement that pops up first.
      • psexec -s -i regedit
    • In the Registry Editor click File, Import and then navigate to the fixDS.reg file on your Desktop from the previous fix and double click on it to import it into your registry. If it works properly you should get a success message.
    • If you get a success message continue on with the below, otherwise stop and explain to me any problems you had.
    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).



    Then attach the below log:
    • C:\MGlogs.zip
     
  9. SWario

    SWario Sergeant

    Got a success message. New MGLogs attached.
     


  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Your logs are clean now.


    If you are not having any other malware problems, it is time to do our final steps:
    1. You can uninstall SUPERAntiSpyware now.
    2. We recommend you keep Malwarebytes Anti-Malware as a scanner. It uses no resources except a little disk space until you run a scan.
    3. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required.
      • "%userprofile%\Desktop\combofix" /u
        • Note: the space between combofix" and /u must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
      • Delete the C:\combofix folder from combofix (if it exists)
    4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. If running Vista, it is time to make sure you have re-enabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    7. Go to add/remove programs and uninstall HijackThis.
    8. You can delete the C:\MGtools folder and the C:\MGtools.exe file. You can also delete the C:\MGlogs.zip
    9. If you are running Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning steps in the READ ME for your Windows version and see the steps to Disable System Restore, which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    10. After doing the above, you should work through the below link:
     
