Better, but not there yet

Discussion in 'Malware Help (A Specialist Will Reply)' started by LfsAlot, May 21, 2009.

  1. LfsAlot

    LfsAlot Private E-2

    My daughter came home from college and told me her laptop started acting up about May 2nd with the following problems:
    Random windows opening up
    Security warnings that the firewall was disabled
    Symantec anti virus was disabled
    Machine just acting 'wonky'
    Then her internet connection completely stopped.

    When she got home a week ago I ran MalwareBytes and Super AntiSpyware but each time I ran SAS I would get the blue screen. I started with over 200 Trojans and other viruses and got it down to 9 but it was still a mess so I came to your site and followed the directions from your "Read & Run Me First"

    I did the House cleaning and set up and followed all your instructions.
    The laptop still cannot connect to the internet even after following the directions from ComboFix.

    I have attached the logs that were requested.
    Any help you can give me would be greatly appreciated!

    Shelley
     

    Attached Files:

  2. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    This computer is seriously infected. We will have a lot of things to do, so please follow the instructions as I lay them out. And this system has been infected since the end of January.

    Please Disable Spybot's TeaTimer

    * Run Spybot and click Mode
    * Select Advanced Mode.
    * Then click Tools and select Resident.
    * Now in the right window pane, uncheck TeaTimer.
    * Also while this is open, in the left column now select IE Tweaks
    * and then in the right pane make sure all the Miscellaneous locks are unchecked.
    * Now quit Spybot!

    Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    After clicking Fix, exit HJT.

    Now let's use ComboFix to remove a bunch of malware files.

    * Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
    If it is not on your Desktop, the below will not work.
    * Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    * If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
    * Open Notepad and copy/paste the text in the below code box into it (make sure you scroll all the way down in the code box to get all lines selected ):
    Code:
    KILLALL::
    
    Driver::
    40d0bc1c
    doqpn
    e0fb38
    xwufuip
    hwdrv
    
    File::
    C:\yoqae.exe
    c:\WINDOWS\system32\jkshfuiehi.dll
    c:\wavunte.exe
    C:\-534490222
    C:\WINDOWS\system32\asarf
    C:\WINDOWS\system32\bkczwcd      
    C:\WINDOWS\system32\easokmppd
    C:\WINDOWS\system32\ecmynysl.dll
    C:\WINDOWS\system32\fogiguzu.exe
    C:\WINDOWS\system32\fovativu.dll  
    C:\WINDOWS\system32\ghkkxp       
    C:\WINDOWS\system32\hovuguya      
    C:\WINDOWS\system32\inpdrqiv.dll
    C:\WINDOWS\system32\iqlcodn       
    C:\WINDOWS\system32\jasamohu.exe  
    C:\WINDOWS\system32\jbzpj        
    C:\WINDOWS\system32\kehuseju.dll
    C:\WINDOWS\system32\kimefeya.exE
    C:\WINDOWS\system32\lblnovdw.dll  
    C:\WINDOWS\system32\lcjju         
    C:\WINDOWS\system32\oasrwt
    C:\WINDOWS\system32\ohqkslonl
    C:\WINDOWS\system32\phjxulkr.dll
    C:\WINDOWS\system32\pqxjgdpww
    C:\WINDOWS\system32\rusdznvu.txt
    C:\WINDOWS\system32\sdnaxsqm.dll
    C:\WINDOWS\system32\stsdalj
    C:\WINDOWS\system32\tmp1.log     
    C:\WINDOWS\system32\umycewm       
    C:\WINDOWS\system32\drivers\40d0bc1c.sys  
    C:\WINDOWS\system32\drivers\doqpn.sys    
    C:\WINDOWS\system32\drivers\e0fb38.sys  
    C:\WINDOWS\system32\drivers\xwufuip.sys   
    C:\WINDOWS\system32\drivers\hwdrv.sys
    C:\\DOCUMENTS AND SETTINGS\Shelley\LOCAL SETTINGS\Temp\sxrvo9.exe
    C:\Program Files\Mozilla Firefox\extensions\{0ECBDF81-40C8-4A89-BC35-8BB770D73B0B}\chrome\content\overlay.xul  
    C:\Program Files\Mozilla Firefox\extensions\{10A077CC-4109-466B-A7FE-DA3F68FE5352}\chrome\content\overlay.xul   
    C:\Program Files\Mozilla Firefox\extensions\{10EB51AF-013E-4980-A834-DD7685C44100}\chrome\content\overlay.xul   
    C:\Program Files\Mozilla Firefox\extensions\{19CB568A-09FC-4872-807E-5334BBBFEC8A}\chrome\content\overlay.xul   
    C:\Program Files\Mozilla Firefox\extensions\{1B0CF064-4C10-4BD0-A19A-89D25EB045ED}\chrome\content\overlay.xul   
    C:\Program Files\Mozilla Firefox\extensions\{28CFC2BC-7876-4D7A-8DBE-3033DA1AC00C}\chrome\content\overlay.xul  
    C:\Program Files\Mozilla Firefox\extensions\{2A5DEB85-5FED-4722-A1A9-035057D650AA}\chrome\content\overlay.xul   
    C:\Program Files\Mozilla Firefox\extensions\{2E7B7D30-29DF-4248-9409-34931527FB00}\chrome\content\overlay.xul   
    C:\Program Files\Mozilla Firefox\extensions\{3E159048-320A-4D37-8820-15B41A24F56A}\chrome\content\overlay.xul   
    C:\Program Files\Mozilla Firefox\extensions\{52EDDC1E-8896-4720-9774-FC4A195C12ED}\chrome\content\overlay.xul   
    C:\Program Files\Mozilla Firefox\extensions\{53EED965-335D-48CD-B152-3AF1DBC15379}\chrome\content\overlay.xul   
    C:\Program Files\Mozilla Firefox\extensions\{5AD201B6-26F5-4585-B47C-38A5C7AC21C7}\chrome\content\overlay.xul   
    C:\Program Files\Mozilla Firefox\extensions\{73A5EA59-547E-4165-B2BB-06F9A0449EF6}\chrome\content\overlay.xul   
    C:\Program Files\Mozilla Firefox\extensions\{7F46F010-DB66-4770-BC21-3FC7E2FB14F4}\chrome\content\overlay.xul   
    C:\Program Files\Mozilla Firefox\extensions\{85CFA41C-30FC-4097-8CBD-5C93037E83CB}\chrome\content\overlay.xul   
    C:\Program Files\Mozilla Firefox\extensions\{951131BB-B929-46B3-AF3B-F5167CDFE044}\chrome\content\overlay.xul   
    C:\Program Files\Mozilla Firefox\extensions\{954F8DDF-8FB1-401E-9DF0-1A8598239111}\chrome\content\overlay.xul   
    C:\Program Files\Mozilla Firefox\extensions\{9AC564BB-5CC2-4402-8E03-D40042B7617C}\chrome\content\overlay.xul   
    C:\Program Files\Mozilla Firefox\extensions\{A918AD24-1963-4081-9F06-4F839F0E5180}\chrome\content\overlay.xul   
    C:\Program Files\Mozilla Firefox\extensions\{AE389236-C2C4-4880-9FCF-747926901AA4}\chrome\content\overlay.xul   
    C:\Program Files\Mozilla Firefox\extensions\{BB0C9556-7B88-4C5F-8A0A-22224AF24527}\chrome\content\overlay.xul   
    C:\Program Files\Mozilla Firefox\extensions\{C8359C47-03E8-4169-B28F-43928B8E7F1D}\chrome\content\overlay.xul   
    C:\Program Files\Mozilla Firefox\extensions\{E060687C-16BA-45A3-9D43-E20F6D3E820E}\chrome\content\overlay.xul   
    C:\Program Files\Mozilla Firefox\extensions\{E3CD45FA-423A-4BB8-831E-50F96F7C7831}\chrome\content\overlay.xul   
    
    FCopy::
    c:\windows\ServicePackFiles\i386\ndis.sys | c:\windows\system32\dllcache\ndis.sys
    c:\windows\ServicePackFiles\i386\ndis.sys | c:\windows\system32\drivers\ndis.sys
    c:\windows\$NtServicePackUninstall$\user32.dll | c:\windows\ServicePackFiles\i386\user32.dll
    c:\windows\$NtServicePackUninstall$\user32.dll | c:\windows\system32\dllcache\user32.dll
    c:\windows\$NtServicePackUninstall$\user32.dll | c:\windows\system32\user32.DLL
    
    RegLockDel::
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{c2ba40a1-74f3-42bd-f434-12345a2c8953}\inprocserver32]
    @Class="REG_SZ"
    @DACL=(02 0000)
    @="c:\\WINDOWS\\system32\\jkshfuiehi.dll"
    "ThreadingModel"="Apartment"
    
    Registry::
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7e853d72-626a-48ec-a868-ba8d5e23e045}]
    
    * Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    * At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    * You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    If it asks you to override the previous file with the same name, click YES.
    * Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
    * Follow the prompts.
    * When it finishes, a log will be produced named c:\combofix.txt
    * I will ask for this log below

    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:

    * C:\ComboFix.txt
    * C:\MGlogs.zip

    Make sure you tell me how things are working now!
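    The CFScript above is a plain-text file of directives (KILLALL::, Driver::, File::, FCopy::, RegLockDel::, Registry::) that ComboFix reads when the file is dropped onto it. As an added example (not part of the thread and not ComboFix's own code), here is a small parser for that format plus a consistency check a helper would want before handing a script to a user: every service named under Driver:: should have its .sys image listed under File:: so the rootkit driver is actually deleted, and every FCopy:: line (which restores a known-good copy of a system file such as ndis.sys from the service pack cache) should copy a file onto a destination of the same name. SAMPLE is a shortened, constructed copy of the posted script with one made-up driver name ("orphan") added to produce a finding; the rules in check_script() are this example's own assumptions.

```python
"""
Parse a ComboFix CFScript and sanity-check it before dropping it on ComboFix.exe.

Added example; not part of the thread above and not ComboFix's own code.
SAMPLE is a shortened, constructed copy of the script posted in this thread
(one made-up "orphan" driver added to show a finding). The directive names
are ComboFix's; the consistency rules in check_script() are this example's
own assumptions about what a well-formed script looks like.
"""
import ntpath
import re

SAMPLE = r"""KILLALL::

Driver::
40d0bc1c
hwdrv
orphan

File::
C:\yoqae.exe
c:\WINDOWS\system32\jkshfuiehi.dll
C:\WINDOWS\system32\drivers\40d0bc1c.sys
C:\WINDOWS\system32\drivers\hwdrv.sys

FCopy::
c:\windows\ServicePackFiles\i386\ndis.sys | c:\windows\system32\drivers\ndis.sys
c:\windows\$NtServicePackUninstall$\user32.dll | c:\windows\system32\user32.DLL

Registry::
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7e853d72-626a-48ec-a868-ba8d5e23e045}]
"""

DRIVERS_DIR = r"c:\windows\system32\drivers"   # assumed location of driver images
SECTION_RE = re.compile(r"^([A-Za-z]+)::$")


def parse_cfscript(text):
    """Split a CFScript into {directive: [entries]}, keeping entry order.

    A line of the form NAME:: opens a section; everything until the next
    directive belongs to it. Blank lines are skipped and surrounding
    whitespace is stripped (the posted script has trailing spaces).
    """
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
        elif line and current is not None:
            sections[current].append(line)
    return sections


def fcopy_pairs(sections):
    """FCopy:: entries are written as 'source | destination'."""
    pairs = []
    for entry in sections.get("FCopy", []):
        src, sep, dst = entry.partition("|")
        if sep:
            pairs.append((src.strip(), dst.strip()))
    return pairs


def registry_deletions(sections):
    """Registry:: keys written as [-HKEY...] are deletions; return the key paths."""
    return [e[2:-1] for e in sections.get("Registry", [])
            if e.startswith("[-") and e.endswith("]")]


def check_script(sections):
    """Return findings (strings); an empty list means the script is consistent."""
    findings = []
    files = {f.lower() for f in sections.get("File", [])}
    # Each Driver:: name is a service whose image normally lives in drivers\NAME.sys;
    # the script should also delete that file, or the driver is back after a reboot.
    for drv in sections.get("Driver", []):
        expected = (DRIVERS_DIR + "\\" + drv + ".sys").lower()
        if expected not in files:
            findings.append(f"Driver:: {drv}: no matching {drv}.sys under File::")
    for src, dst in fcopy_pairs(sections):
        if ntpath.basename(src).lower() != ntpath.basename(dst).lower():
            findings.append(f"FCopy:: {src} -> {dst}: file names differ")
        if src.lower() == dst.lower():
            findings.append(f"FCopy:: {src}: source and destination are the same path")
    return findings


if __name__ == "__main__":
    parsed = parse_cfscript(SAMPLE)
    for name, entries in parsed.items():
        print(f"{name}:: {len(entries)} entries")
    for finding in check_script(parsed):
        print("WARNING:", finding)
```

    Run against the sample, the only warning is the deliberately orphaned driver; on the real script posted above all five Driver:: names have their .sys files listed, which is the shape you want.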
     
  3. LfsAlot

    LfsAlot Private E-2

    First, thank you so much for your help!!
    I have attached the logs you requested.

    The machine is still pretty much the same but it will now recognize the thumbdrive which it would not before. This is good! I still have a pop up window telling me Symantec is not enabled and I still cannot connect to our home wireless network which is secure but was able to connect to my office's unsecured network, very odd to me.

    Thanks again for your help!! What do I do next?

    Shelley
     

    Attached Files:

  4. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    The malware is gone....we just need to do this:

    Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

    Use windows explorer to see if this still exist and if it does, delete it:
    c:\DOCUMENTS AND SETTINGS\Shelley\LOCAL SETTINGS\Temp\sxrvo9.exe

    Now Copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.
    Make sure that you tell me if you receive a success message about adding the above
    to the registry. If you do not get a success message, it definitely did not work.


    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:

    * C:\MGlogs.zip

    Make sure you tell me how things are working now!
     
  5. LfsAlot

    LfsAlot Private E-2

    Thanks for your help TimW!

    I could not find sxrvo9.exe so it must be gone.

    And I did receive a success message after merging fixME.reg

    Still getting the pop up message that Symantec Corporate Edition is turned off. And I am unable to turn it on because when I right click on it in the system tray there is a check beside "Enable Auto-Protect" which I have tried to un-enable but cannot.
    Still getting the Windows Security message that virus protection is off.
    And still unable to connect to our home wireless network which the laptop could do in March or early April when my daughter was home.
    It tries to connect, says "Signal Strength is excellent. Status: Acquiring network address" but it never connects successfully.

    Should I uninstall Symantec (which her university provides) and install AVG until she goes back in the fall?

    I am at a loss as to what to do with the wireless connection.

    Thank you so much for your patience and persistence with me!!! I really appreciate you and all you are doing to help me!

    Have a wonderful Memorial holiday!

    Shelley
     

    Attached Files:

    Last edited: May 24, 2009
  6. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Your system is clean at this point. Symantec is having an issue because you are not connected to the school network. I would suggest that if it is going to be awhile before she returns to school that you use the Norton removal tool:

    Please give the Norton Removal Tool (SymNRT) a run > reboot your machine and then run it again for good measure.

    Then download Avast.

    As far as your internet connection is concerned, you will need to post in the networking forum. The best thing to do is to check two computers (one that does connect in your network and this machine) by doing an ipconfig run in the command prompt.

    Post both results in the networking thread.

    To do this, go to start / run / type "cmd" without quotes, and in the command prompt, type : ipconfig /all

    This will show what your connections should be set at.
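    The symptom reported above ("Status: Acquiring network address" that never completes) is Windows XP waiting on a DHCP lease; when no lease arrives, XP's autoconfiguration gives the adapter a 169.254.x.x address with no gateway, and ipconfig /all shows exactly that. As an added example (not part of the thread), here is a script that parses two ipconfig /all captures, lists the fields that differ between the working machine and the laptop, and names the failure it sees. WORKING and BROKEN are constructed samples in the XP ipconfig /all layout with made-up host names, MAC and IP addresses; the diagnosis rules are this example's own.

```python
"""
Diff two "ipconfig /all" captures and explain why one host sticks at
"Acquiring network address".

Added example, not from the thread above. WORKING and BROKEN are constructed
samples in the Windows XP ipconfig /all layout; host names, MAC and IP
addresses are made up. The diagnosis rules are this example's own.
"""
import re

WORKING = """\
Windows IP Configuration

        Host Name . . . . . . . . . . . . : DESKTOP-OK
        Node Type . . . . . . . . . . . . : Hybrid

Ethernet adapter Wireless Network Connection:

        Connection-specific DNS Suffix  . : home.lan
        Description . . . . . . . . . . . : Generic 802.11g Adapter
        Physical Address. . . . . . . . . : 00-11-22-33-44-55
        Dhcp Enabled. . . . . . . . . . . : Yes
        Autoconfiguration Enabled . . . . : Yes
        IP Address. . . . . . . . . . . . : 192.168.1.20
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.1.1
        DHCP Server . . . . . . . . . . . : 192.168.1.1
        DNS Servers . . . . . . . . . . . : 192.168.1.1
"""

BROKEN = """\
Windows IP Configuration

        Host Name . . . . . . . . . . . . : LAPTOP-BAD
        Node Type . . . . . . . . . . . . : Hybrid

Ethernet adapter Wireless Network Connection:

        Connection-specific DNS Suffix  . :
        Description . . . . . . . . . . . : Generic 802.11g Adapter
        Physical Address. . . . . . . . . : 00-11-22-33-44-66
        Dhcp Enabled. . . . . . . . . . . : Yes
        Autoconfiguration Enabled . . . . : Yes
        Autoconfiguration IP Address. . . : 169.254.12.34
        Subnet Mask . . . . . . . . . . . : 255.255.0.0
        Default Gateway . . . . . . . . . :
"""

# "Ethernet adapter Wireless Network Connection:" style headings
ADAPTER_RE = re.compile(r"^(\S.*adapter .*):\s*$")
# "        Field Name . . . . : value" lines; the dot leaders are discarded
FIELD_RE = re.compile(r"^\s+(.+?)[ .]*: ?(.*)$")


def parse_ipconfig(text):
    """Return {adapter_name: {field: value}} with field names lower-cased.

    Lines under the "Windows IP Configuration" header go under the key "host".
    Lower-casing the field names absorbs the XP/Vista spelling difference
    ("Dhcp Enabled" vs "DHCP Enabled").
    """
    adapters = {"host": {}}
    current = "host"
    for line in text.splitlines():
        m = ADAPTER_RE.match(line)
        if m:
            current = m.group(1)
            adapters[current] = {}
            continue
        m = FIELD_RE.match(line)
        if m:
            adapters[current][m.group(1).strip().lower()] = m.group(2).strip()
    return adapters


def diagnose(fields):
    """Findings for one adapter; an empty list means the lease looks healthy."""
    findings = []
    ip = fields.get("ip address") or fields.get("autoconfiguration ip address", "")
    if "autoconfiguration ip address" in fields or ip.startswith("169.254."):
        findings.append("APIPA address (169.254.x.x): no DHCP offer was ever accepted")
    if fields.get("dhcp enabled", "").lower() == "yes" and not fields.get("dhcp server"):
        findings.append("DHCP enabled but no DHCP server recorded")
    if not fields.get("default gateway"):
        findings.append("no default gateway: nothing beyond the local link is reachable")
    return findings


def compare(reference_text, suspect_text, adapter):
    """Fields that differ between the two captures, plus the suspect's findings."""
    ref = parse_ipconfig(reference_text)[adapter]
    sus = parse_ipconfig(suspect_text)[adapter]
    diffs = {k: (ref.get(k, ""), sus.get(k, ""))
             for k in sorted(set(ref) | set(sus)) if ref.get(k, "") != sus.get(k, "")}
    return diffs, diagnose(sus)


if __name__ == "__main__":
    diffs, findings = compare(WORKING, BROKEN, "Ethernet adapter Wireless Network Connection")
    for key, (good, bad) in diffs.items():
        print(f"{key:32} working={good!r:20} laptop={bad!r}")
    for finding in findings:
        print("FINDING:", finding)
```

    Save each machine's output with `ipconfig /all > ipconfig.txt` and feed the two files to compare(); the diff of "ip address", "default gateway" and "dhcp server" is the part a networking forum will ask for first.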
     
  7. LfsAlot

    LfsAlot Private E-2

    TimW, you ROCK!

    Thank you so much for all your help and for getting my daughter's laptop 'squeaky' clean. :-D
    I have run Norton Removal Tool twice and am installing Avast right now.

    Thank you, thank you, thank you!

    I am indebted to you!

    Shelley
     
  8. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    You are most welcome.....If you are not having any other malware problems, it is time to do our final steps:

    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no real time protection. They are useful as backup scanners. They do not use any significant amount of resources (except a little disk space) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /u
        • Note: the space between combofix" and /u must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.

      • Delete the C:\combofix folder from combofix (if it exists)

    3. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    4. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    5. Go to add/remove programs and uninstall HijackThis.
    6. You can delete the C:\MGtools folder and the C:\MGtools.exe file. You can also delete the C:\MGlogs.zip
    7. If you are running Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning steps in the READ ME for your Window version and see the steps to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.

    8. After doing the above, you should work through the below link:

     
