BIG malware problem, including Security Tool

Discussion in 'Malware Help (A Specialist Will Reply)' started by brownpda, Oct 25, 2009.

  1. brownpda

    brownpda Private E-2

    First of all, thanks for helping.

    I am running Windows XP Media Center Edition, SP3 with Avira AntiVir Personal. About a week ago, the system picked up a serious infection. Logging in with my wife's account, I get an error message that Windows closed the "Services and Controller app". My account was a little more serious. AFTER trying to run any program, I would receive the error code 1073741819 and the system would shut down in 60 seconds. I could not run any of the READ & RUN ME FIRST scanners.

    After booting in Safe mode with Networking, I ran all of these scanners. This allowed me to boot in Normal mode, and I ran all of them again.

    During this second round of scans, I started seeing Security Tool open. The scanners aren't even picking it up. I can find the .exe file that it loads so I can manually delete it, but I can't find the installer, so it keeps returning.
    There are two or three other pieces of malware that Avira catches when I log in, but they don't show themselves all the time.

    Sorry this post is so long. Thanks for any help you can give.

    Here are the log files.
     


  2. brownpda

    brownpda Private E-2

    Remaining log files

    Here are the other two log files.

    Thanks again.
     


  3. evilfantasy

    evilfantasy Malware Fighter

    Welcome to MajorGeeks.

    Is there a reason you installed SUPERAntiSpyware here?

    Code:
    c:\superantispyware\SUPERAntiSpyware.exe
    Download the MBR Rootkit Detector to your desktop.

    Go to Start > Run then copy and paste the following red text into the Open field:

    Code:
    "%userprofile%\desktop\mbr.exe" -f
    Next, double click on the mbr.exe file and wait for the log.

    Attach the mbr.log in the next reply.



    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX Checked until you exit all browser sessions including the one you are reading in right now:

    • R3 - URLSearchHook: (no name) - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - (no file)
    • O4 - HKLM\..\Run: [restorer64_a] C:\WINDOWS\system32\restorer64_a.exe
    • O4 - Startup: zavupd32.exe
    After clicking Fix checked, exit HijackThis.



    Delete these files/folders, as follows:

    1. Go to Start > Run > type Notepad.exe and click OK to open Notepad.
    It must be Notepad, not Wordpad.
    2. Copy the text in the below code box by highlighting all the text and pressing Ctrl+C

    Code:
    KillAll::
    
    File::
    c:\windows\rundll22.exe
    c:\windows\Pdirogajimono.bin
    c:\windows\Pxeceruqapi.dat
    c:\windows\ryteny.dat
    c:\program files\Common Files\zopypa.dat
    c:\documents and settings\Pete\Start Menu\Programs\Startup\zavupd32.exe
    
    Registry::
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "restorer64_a"=-
    
    
    3. Go to the Notepad window and click Edit > Paste
    4. Then click File > Save
    5. Name the file CFScript.txt - Save the file to your Desktop
    6. Then drag the CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe as you see in the screenshot below. Important: Perform this instruction carefully!

    http://i154.photobucket.com/albums/s258/evilfantasy69/CFScript-1.gif

    ComboFix will begin to execute, just follow the prompts.
    After reboot (in case it asks to reboot), it will produce a log for you.
    Post that log (Combofix.txt) in your next reply.

    Note: Do not mouse-click ComboFix's window while it is running. That may cause your system to freeze.



    Please go to VirSCAN.org FREE on-line scan service
    (If more than one file needs to be scanned, they must be done separately and logs posted for each one.)

    1. Copy and paste the following file path into the Suspicious files to scan box on the top of the page.
    Code:
    C:\WINDOWS\system32\54DC745D5C.sys
    2. At the upload site, click once inside the window next to Browse.
    3. Press Ctrl+V on the keyboard (both at the same time) to paste the file path into the window.
    4. Click on the Upload button.
    This will perform a scan across multiple different virus scanning engines.
    Your file will possibly be entered into a queue which normally takes less than a minute to clear.
    Important: Wait for all of the scanning engines to complete.
    5. Once the Scan is completed scroll down and click on the Copy to Clipboard button. This will copy the link of the report into the Clipboard.
    6. Paste the contents of the Clipboard in your next reply.



    Now run a new scan with MGtools and attach the log. Using MGtools



    Next post please attach:

    • MBR Rootkit log
    • ComboFix log
    • New MGlogs.zip
     
  4. brownpda

    brownpda Private E-2

    Thanks for your help. I had a few issues that I'll try to address.

    This is just a habit of mine. I install to the root directory if I can. Can't really explain it any better than that. If it is a problem (like it creates a vulnerability), I will uninstall and reinstall to c:\Program Files.

    I did this, but it seemed to do the same thing twice.


    I ran the scan, but could not find the following files in the log:
    • O4 - HKLM\..\Run: [restorer64_a] C:\WINDOWS\system32\restorer64_a.exe
    • O4 - Startup: zavupd32.exe

    I deactivated Avira and ran ComboFix. When I ran ComboFix, Windows Defender popped up and said it had blocked a trojan. ComboFix tried starting two times, and Windows Defender showed the same pop-up both times. ComboFix finished running and rebooted. After rebooting, some things changed. Internet Explorer was reset as my default browser and an icon was placed on my desktop. Outlook Express keeps asking to save space by compacting messages. And Windows Messenger got loaded into my system tray. I already had problems with that junk a few months ago and uninstalled it. I don't know what to make of this stuff...


    Here is the log. I also attached it as VirScanlog.txt if you prefer:

    VirSCAN.org Scanned Report :
    Scanned time : 2009/10/28 17:10:46 (EDT)
    Scanner results: Scanners did not find malware!
    File Name : 54DC745D5C.sys
    File Size : 56 byte
    File Type : data
    MD5 : d27121e93d1971a062e13ade7c4f2e6f
    SHA1 : c6999b70f96e58591788d04ac9c8bf0f4561e844
    Online report : http://virscan.org/report/f0e7379473ee1df97d74019ef419d099.html

    Scanner Engine Ver Sig Ver Sig Date Time Scan result
    a-squared 4.5.0.8 20091029023454 2009-10-29 4.21 -
    AhnLab V3 2009.10.29.00 2009.10.29 2009-10-29 0.97 -
    AntiVir 8.2.1.50 7.1.6.162 2009-10-28 0.23 -
    Antiy 2.0.18 20091028.3102810 2009-10-28 0.12 -
    Arcavir 2009 200910281552 2009-10-28 0.02 -
    Authentium 5.1.1 200910281538 2009-10-28 1.17 -
    AVAST! 4.7.4 091028-0 2009-10-28 0.00 -
    AVG 8.5.288 270.14.36/2465 2009-10-28 0.30 -
    BitDefender 7.81008.4468070 7.28621 2009-10-29 3.84 -
    CA (VET) 35.1.0 7087 2009-10-27 5.53 -
    ClamAV 0.95.2 9955 2009-10-28 0.00 -
    Comodo 3.12 2760 2009-10-28 0.70 -
    CP Secure 1.3.0.5 2009.10.28 2009-10-28 0.00 -
    Dr.Web 4.44.0.9170 2009.10.28 2009-10-28 6.10 -
    F-Prot 4.4.4.56 20091028 2009-10-28 1.16 -
    F-Secure 7.02.73807 2009.10.28.18 2009-10-28 0.04 -
    Fortinet 2.81-3.120 10.996 2009-10-28 0.17 -
    GData 19.8622/19.526 20091028 2009-10-28 5.38 -
    ViRobot 20091028 2009.10.28 2009-10-28 0.41 -
    Ikarus T3.1.01.72 2009.10.28.74305 2009-10-28 4.21 -
    JiangMin 11.0.800 2009.10.26 2009-10-26 3.86 -
    Kaspersky 5.5.10 2009.10.28 2009-10-28 0.02 -
    KingSoft 2009.2.5.15 2009.10.28.21 2009-10-28 0.49 -
    McAfee 5.3.00 5785 2009-10-28 3.33 -
    Microsoft 1.5202 2009.10.28 2009-10-28 5.97 -
    Norman 6.01.09 6.01.00 2009-10-27 4.01 -
    Panda 9.05.01 2009.10.28 2009-10-28 1.68 -
    Trend Micro 8.700-1004 6.583.00 2009-10-28 0.02 -
    Quick Heal 10.00 2009.10.28 2009-10-28 1.27 -
    Rising 20.0 21.53.24.00 2009-10-28 0.26 -
    Sophos 3.00.1 4.46 2009-10-29 2.83 -
    Sunbelt 5472 5472 2009-10-27 1.57 -
    Symantec 1.3.0.24 20091028.006 2009-10-28 0.17 -
    nProtect 20091028.01 6034135 2009-10-28 7.55 -
    The Hacker 6.5.0.2 v00056 2009-10-28 0.65 -
    VBA32 3.12.10.11 20091027.1255 2009-10-27 1.91 -
    VirusBuster 4.5.11.10 10.112.82/2011851 2009-10-28 2.38 -


    Here they are:
     

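As an added example (not from the thread or from VirSCAN.org), a Python reader for the report layout posted above, following the upload procedure given in the previous reply: it pulls the file facts, lists any engine that reported a detection, and flags engines whose signature date lags the scan date. The `ExampleAV` row and the `triage` helper are constructed; the other values are copied from the posted report.

```python
import re
from datetime import date, datetime
from typing import Dict, List

# Constructed excerpt in the layout of the VirSCAN.org text report posted in
# this thread (header fields and the first five engine rows are copied from
# it; the ExampleAV row is made up to show how a detection would appear).
SAMPLE_REPORT = """VirSCAN.org Scanned Report :
Scanned time : 2009/10/28 17:10:46 (EDT)
Scanner results: Scanners did not find malware!
File Name : 54DC745D5C.sys
File Size : 56 byte
File Type : data

Scanner Engine Ver Sig Ver Sig Date Time Scan result
AhnLab V3 2009.10.29.00 2009.10.29 2009-10-29 0.97 -
AntiVir 8.2.1.50 7.1.6.162 2009-10-28 0.23 -
Arcavir 2009 200910281552 2009-10-28 0.02 -
CA (VET) 35.1.0 7087 2009-10-27 5.53 -
JiangMin 11.0.800 2009.10.26 2009-10-26 3.86 -
ExampleAV 1.0 100 2009-10-28 0.50 Example.Test.Detection
"""

# Scanner names may contain spaces ("CA (VET)"), so a row is anchored on its
# fixed-format tail (signature date, scan time, result); the name is the rest.
ROW_RE = re.compile(
    r"^(?P<scanner>.+?) (?P<engine>\S+) (?P<sig>\S+) "
    r"(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d+\.\d+) (?P<result>.+)$")
META_RE = re.compile(r"^([A-Za-z0-9 ]+?) ?: (.+)$")   # "File Size : 56 byte"

def parse_report(text: str):
    """Return (header fields, engine rows); a row is (scanner, sig_date, result)."""
    meta: Dict[str, str] = {}
    rows: List[tuple] = []
    for line in text.splitlines():
        line = line.strip()
        if m := ROW_RE.match(line):
            rows.append((m["scanner"], date.fromisoformat(m["date"]), m["result"]))
        elif k := META_RE.match(line):
            meta[k.group(1).strip()] = k.group(2).strip()
    return meta, rows

def triage(text: str, max_sig_age_days: int = 1) -> Dict[str, object]:
    """File facts, engines that flagged the file ("-" = nothing found), and engines whose signatures were older than allowed."""
    meta, rows = parse_report(text)
    scan_day = datetime.strptime(meta["Scanned time"][:10], "%Y/%m/%d").date()
    return {
        "file": meta.get("File Name"),
        "size_bytes": int(meta["File Size"].split()[0]),
        "engines": len(rows),
        "detections": {name: res for name, _, res in rows if res != "-"},
        "stale_signatures": [name for name, sig_day, _ in rows
                             if (scan_day - sig_day).days > max_sig_age_days],
    }
```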

  5. evilfantasy

    evilfantasy Malware Fighter

    Sorry for the delay. I missed your reply somehow and just happened to see it just now.

    Yes! You should always let software install to its default location. You also have C:\Java\jre6\bin\jqs.exe and C:\Malwarebytes' Anti-Malware\mbam.exe.

    Software is designed to run from its default location. You can damage your system by doing this.

    Please run RootRepeal again and attach the new log.

    We will address all of that. Just don't make any changes until we are done cleaning the malware. Then let me know what you need to change (if anything) and we'll go from there. ;)



    Download Disable/Remove Windows Messenger to the desktop to remove Windows Messenger.

    Do not confuse Windows Messenger with MSN Messenger because they are not the same. Windows Messenger is a frequent cause of popups.

    Unzip the file on the desktop. Open the MessengerDisable.exe and choose the bottom box - Uninstall Windows Messenger and click Apply.

    Exit out of MessengerDisable then delete the two files that were put on the desktop.



    Delete ComboFix and download a new copy.

    ComboFix.exe

    1. Go to Start > Run > type Notepad.exe and click OK to open Notepad.
    It must be Notepad, not Wordpad.
    2. Copy the text in the below code box by highlighting all the text and pressing Ctrl+C

    Code:
    KillAll::
    
    File::
    c:\windows\uxanoqoy.dll
    c:\windows\ubegijanileriheh.dll
    c:\windows\ecugacudezenoco.dll
    c:\windows\iasren.dll
    
    3. Go to the Notepad window and click Edit > Paste
    4. Then click File > Save
    5. Name the file CFScript.txt - Save the file to your Desktop
    6. Then drag the CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe as you see in the screenshot below. Important: Perform this instruction carefully!

    http://i154.photobucket.com/albums/s258/evilfantasy69/CFScript-1.gif

    ComboFix will begin to execute, just follow the prompts.
    After reboot (in case it asks to reboot), it will produce a log for you.
    Post that log (Combofix.txt) in your next reply.

    Note: Do not mouse-click ComboFix's window while it is running. That may cause your system to freeze.



    Now run a new MGtools scan and attach the MGlogs.zip along with the RootRepeal and ComboFix logs.
     
  6. brownpda

    brownpda Private E-2

    Here are the new logs.

    FYI - when I rebooted after running ComboFix, I received the following error message:
    "Error loading C:\WINDOWS\apeyizovanile.dll
    Specified module could not be found."
    Also, Internet Explorer was restored to my default browser.

    Thanks again for your help.
     


  7. evilfantasy

    evilfantasy Malware Fighter

    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX Checked until you exit all browser sessions including the one you are reading in right now:

    • O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Java\jre6\bin\jp2ssv.dll (file missing)
    • O4 - HKLM\..\Run: [Hxezufirawaxozu] rundll32.exe "C:\WINDOWS\apeyizajovanile.dll",Startup

    After clicking Fix checked, exit HijackThis.



    1. Go to Start > Run > type Notepad.exe and click OK to open Notepad.
    It must be Notepad, not Wordpad.
    2. Copy the text in the below code box by highlighting all the text and pressing Ctrl+C

    Code:
    KillAll::
    
    File::
    apeyizajovanile.dll
    
    Registry::
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Hxezufirawaxozu"=-
    
    3. Go to the Notepad window and click Edit > Paste
    4. Then click File > Save
    5. Name the file CFScript.txt - Save the file to your Desktop
    6. Then drag the CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe as you see in the screenshot below. Important: Perform this instruction carefully!

    http://i154.photobucket.com/albums/s258/evilfantasy69/CFScript-1.gif

    ComboFix will begin to execute, just follow the prompts.
    After reboot (in case it asks to reboot), it will produce a log for you.
    Post that log (Combofix.txt) in your next reply.

    Note: Do not mouse-click ComboFix's window while it is running. That may cause your system to freeze.



    Next post add the new ComboFix log and also let me know how the computer is running now.
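As an added example (not from the thread and not ComboFix's own code), a small Python reader for the CFScript layout used in the three ComboFix replies above, so a script can be read back in plain English before it is dropped on ComboFix.exe. It assumes only what the posted scripts show: sections named `KillAll::`, `File::` and `Registry::`, and .reg-style `"name"=-` lines meaning the value is deleted; the bare-filename check mirrors the `File::` entry in the last script.

```python
import re
from typing import Dict, List

# Constructed sample in the CFScript layout this thread uses (paths are the
# ones the helper listed; "name"=- in Registry:: is .reg syntax for deleting
# a value). The bare apeyizajovanile.dll line mirrors the last posted script.
SAMPLE_CFSCRIPT = r"""KillAll::
File::
c:\windows\rundll22.exe
c:\windows\Pdirogajimono.bin
c:\documents and settings\Pete\Start Menu\Programs\Startup\zavupd32.exe
apeyizajovanile.dll

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"restorer64_a"=-
"""

SECTION_RE = re.compile(r"^([A-Za-z]+)::$")        # e.g. File::
KEY_RE = re.compile(r"^\[(.+)\]$")                  # [HKEY_...]
VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')          # "name"=data
DRIVE_RE = re.compile(r"^[A-Za-z]:\\")              # c:\...

def parse_cfscript(text: str) -> Dict[str, object]:
    """Split a CFScript into KillAll flag, File:: paths and Registry:: (key, name, data) entries."""
    files, registry, kill_all = [], [], False
    section = current_key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := SECTION_RE.match(line):
            section = m.group(1)
            kill_all = kill_all or section == "KillAll"
        elif section == "File":
            files.append(line)
        elif section == "Registry":
            if k := KEY_RE.match(line):
                current_key = k.group(1)
            elif (v := VALUE_RE.match(line)) and current_key:
                registry.append((current_key, v.group(1), v.group(2)))
    return {"KillAll": kill_all, "File": files, "Registry": registry}

def review(text: str) -> List[str]:
    """Plain-English list of the script's actions; File:: entries with no directory are flagged."""
    parsed = parse_cfscript(text)
    notes = ["KillAll:: terminates running processes first"] if parsed["KillAll"] else []
    for path in parsed["File"]:
        flag = "" if DRIVE_RE.match(path) else "  [no directory given]"
        notes.append(f"delete file: {path}{flag}")
    for key, name, data in parsed["Registry"]:
        action = "delete value" if data == "-" else f"set value to {data}"
        notes.append(f"{action}: {name} under {key}")
    return notes
```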
     
  8. brownpda

    brownpda Private E-2

    My computer seems to be running OK. I haven't had any problems to note other than Outlook Express running when I log in, and Internet Explorer becoming my default browser. Is that related to ComboFix?

    Anyway, I appreciate your help straightening this mess out. Here's the ComboFix log.

    BTW - I uninstalled and reinstalled Super Anti-spyware, Java, and Malwarebytes Anti-malware to the default locations.
     


  9. evilfantasy

    evilfantasy Malware Fighter

    Most likely. See here > Dealing with Startup Process

    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources (except a little disk space) until you run a scan.
    2. If we used Pocket Killbox during your cleanup, do the below
      • Run Pocket Killbox and select File, Cleanup, Delete All Backups
    3. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /u
        • Note: the space between combofix" and /u must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
    4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. If running Vista, it is time to make sure you have re-enabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    7. Go to add/remove programs and uninstall HijackThis.
    8. Go to the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    9. If you are running Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures in step 3 of the READ ME for your Windows version and see the instructions to Disable System Restore, which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    10. After doing the above, you should work through the below link:
     
  10. brownpda

    brownpda Private E-2

    evilfantasy, thanks for your help so far. I just have one more question. I ran C:\MGTools\analyse.exe to open HijackThis and generate a start-up log so I can stop Outlook Express from opening at sign-in. But I don't know what I'm looking at (or how to deal with it when I find it). I read the HJT link you provided, but I can't make heads or tails of it... Can you help me out with this?

    Thanks again
     
  11. brownpda

    brownpda Private E-2

    Sorry, here's the HJT startup log.
     


  12. evilfantasy

    evilfantasy Malware Fighter

    Try this. If it doesn't work then you will need to ask in the Software forum.

    Download StartUp 1.3

    * Open StartUp 1.3 and you will see a list of your startups.
    * Right click any startup you do not want and choose Remove
    * Once complete choose Apply then Exit
     
  13. brownpda

    brownpda Private E-2

    So I downloaded StartUp 1.3 like you said. Only I couldn't identify ANYTHING connected to Outlook Express. I did a little more digging and found that Windows Search (loads in the system tray) was indexing Outlook Express. I used the Windows Search options to stop looking through Outlook Express, and I killed the Windows Search startup. Problem solved.

    Thanks a bunch for all your help. Greatly appreciated.
     
  14. evilfantasy

    evilfantasy Malware Fighter

    Glad you got it.

    Safe surfing...
     
