Clean Removal?

Discussion in 'Malware Help (A Specialist Will Reply)' started by Shoyz, Jan 20, 2009.

  1. Shoyz

    Shoyz Private E-2

    A few days ago, my computer started losing its audio capabilities. After an hour or so of uptime, Windows would not be able to detect any audio device; but this would be fixed on restart - for another hour or so. Whenever this happened, I would receive a "Generic Host Process for Win32 Service has been shut down..." message the next time I restarted.

    Reinstalling my drivers did not work. And system restore was not able to restore my system to a previous point. After googling said issue, I came up with a possible blaster worm - so I ran the whole spyware/malware/AV lot. Malwarebytes came up with a Trojan.Agent (I have attached the log for this scan as well as it did not turn up in the Quick Scan).

    The sound issue has not appeared again since then but none of my scans came up with a blaster worm or anything. I ran through the entire README process and while my computer came up clean, I was just wondering if there was any residual malware/trojan left behind that managed to hide from the scans.

    I have not tried to system restore since then, so I am not sure if it is working again or not. Should I perhaps create a restore point and just roll it back a few minutes to see if it works?

    I would appreciate any help that you can provide. Thank you for your time!
     

    Attached Files:

  2. Shoyz

    Shoyz Private E-2

    Attached Combofix and MGlogs.zip
     

    Attached Files:

  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Major Geeks!

    I see you logged in and I'm trying to create a fix. Do you know what the below are?
    R4 softyinforwow;Remote TCP/IPG;c:\windows\System32\svchost.exe -k netsvcs [2007-07-27 14336]

    O23 - Service: npkcmsvc - Unknown owner - C:\Nexon\Mabinogi\npkcmsvc.exe (file missing)
     
    Last edited: Jan 21, 2009
  4. Shoyz

    Shoyz Private E-2

    Thanks for your help chaslang,

    I have no idea what the file in the system32 folder is.

    However, the Mabinogi file would just be a download for a game that I've deleted since.

    Thanks!
     
  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
    O4 - HKLM\..\Run: [WinSys2] C:\WINDOWS\system32\winsys2.exe
    O23 - Service: npkcmsvc - Unknown owner - C:\Nexon\Mabinogi\npkcmsvc.exe (file missing)

    After clicking Fix, exit HJT.

    Now we need to use ComboFix
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Open Notepad and copy/paste the text in the below quote box into it:
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below
    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    Now run Ccleaner!

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:
    • C:\ComboFix.txt
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
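The HijackThis lines chaslang selects above are a good illustration of what a triage pass looks for: entries whose target file is gone ("(no file)", "(file missing)"), a BHO with no name, a service with no registered owner, and an autostart launched from the Windows system folder. The script below, an added example rather than anything posted in this thread or shipped with HijackThis, parses HijackThis-style O2/O4/O23 lines into records and attaches a reason to each one that merits review. The sample log is constructed from the lines quoted in the thread plus one made-up benign service entry ("Example Update Service", with an invented path) to show that ordinary entries pass through unflagged; the "system folder" rule is a heuristic, not a verdict.

```python
import re
from dataclasses import dataclass, field

# Constructed sample log: the three lines quoted in the thread, plus one
# made-up benign O23 entry (hypothetical service and path, not from the page).
SAMPLE_HJT_LINES = r"""
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O4 - HKLM\..\Run: [WinSys2] C:\WINDOWS\system32\winsys2.exe
O23 - Service: npkcmsvc - Unknown owner - C:\Nexon\Mabinogi\npkcmsvc.exe (file missing)
O23 - Service: Example Update Service (exupdsvc) - Example Corp - C:\Program Files\Example\exupdsvc.exe
"""

# A HijackThis line is "O<number> - <body>".
LINE_RE = re.compile(r"^(O\d+)\s*-\s*(.*)$")
# O4 body: "<registry key>: [<value name>] <command line>"
O4_RE = re.compile(r"^(?P<key>[^:]+):\s*\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
# O23 body: "Service: <display name> - <owner> - <path> [(file missing)]"
O23_RE = re.compile(r"^Service:\s*(?P<name>.+?)\s+-\s+(?P<owner>.+?)\s+-\s+(?P<path>.*)$")


@dataclass
class HjtEntry:
    section: str                                  # "O2", "O4", "O23", ...
    body: str                                     # text after "Oxx - "
    reasons: list = field(default_factory=list)   # why the entry was flagged


def parse_hjt_line(line: str):
    """Parse one HijackThis line and tag it with review reasons.

    Returns None for blank or unrecognised lines; an entry with an empty
    `reasons` list is one the heuristics found nothing notable about.
    """
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    section, body = m.group(1), m.group(2).strip()
    entry = HjtEntry(section, body)

    # Orphaned entry: the registry still points at a file that is gone.
    if "(no file)" in body or "(file missing)" in body:
        entry.reasons.append("orphaned: referenced file no longer exists")

    # Browser helper object that reports no name.
    if section == "O2" and "(no name)" in body:
        entry.reasons.append("browser helper object with no name")

    # Service whose owner/publisher field is unknown.
    if section == "O23":
        sm = O23_RE.match(body)
        if sm and sm.group("owner").strip().lower() == "unknown owner":
            entry.reasons.append("service has no publisher/owner")

    # Heuristic: an autostart launched from the system folder deserves a
    # manual publisher check (many droppers hide there, but so do OS tools).
    if section == "O4":
        am = O4_RE.match(body)
        if am and "\\windows\\system32\\" in am.group("cmd").strip().lower():
            entry.reasons.append(
                "autostart entry launched from the system folder; verify publisher")
    return entry


def triage(text: str):
    """Return only the entries from a HijackThis log that deserve review."""
    entries = (parse_hjt_line(line) for line in text.splitlines())
    return [e for e in entries if e is not None and e.reasons]


if __name__ == "__main__":
    for e in triage(SAMPLE_HJT_LINES):
        print(f"{e.section}: {e.body}")
        for r in e.reasons:
            print(f"    -> {r}")
```

Run it against a real HijackThis log by passing the file contents to `triage()`; every flagged entry still needs a human look, since a missing file or an unknown owner is a clue, not proof of infection.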
  6. Shoyz

    Shoyz Private E-2

    Terribly sorry about the late reply, Chaslang. Really appreciate your help, but stuff came up and I had to go overseas for a while.

    In fact, when I came back, I had problems starting up my computer. It would sort of freeze while "Loading your personal settings". My mouse would still move, but the screen would not progress past that. When it did, often the icons did not load.

    It has been fixed since I did everything you told me to in Safe Mode, so hopefully that doesn't happen again. Not quite sure just -how- it happened while my computer was left untouched for 3 or so weeks, but anyway.

    Everything was a bit of a mess because of the trouble I had loading the computer, so any help you can provide (if you can still remember stuff about my computer!) would really really be appreciated.

    Thanks!
     

    Attached Files:

  7. Shoyz

    Shoyz Private E-2

    I wasn't able to edit my last post so I figured that I might as well just put in a new reply.

    Even though I deleted check350_750.dll like you told me to (I think it deleted it anyway), I just received a warning from Avast! that it detected it again as a Virus/Trojan.

    Also, after I asked Avast to delete it, a few minutes later, Avast detected another Virus/Trojan.

    C:\System Volume Information\_restore{EF322E23-4CEC-4019-BE2B-86F334B08228}\RP12\A0014871.dll

    The only website I was on at the time was gmail, so I'm not quite sure how that happened.
     
  8. Shoyz

    Shoyz Private E-2

    Sorry about the triple post.

    I think Avast detected the check350_750.dll in Qoobox, which is part of ComboFix...I think?

    Just thought I should throw that in there since I just remembered.
     
  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You did not get ComboFix to run properly. Online Armor more than likely got in the way, as was stated in the READ & RUN ME. Online Armor must be shut down and possibly uninstalled to properly run ComboFix. It forced ComboFix into reduced functionality mode, which caused some parts of the fix not to work. Please try booting into safe mode and shut down anything from Online Armor and Avast that you see running and then run the WHOLE FIX again. Attach all new logs when finished.
     
    Last edited: Feb 15, 2009
  10. Shoyz

    Shoyz Private E-2

    Oh sorry about that.

    I had to run CF in safe mode and I couldn't do anything about my antivirus because of the problems I was having.

    I've attached the new logs below.

    Thanks!
     

    Attached Files:

  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay, that looks much better. The logs are clean now.

    If you are not having any other malware problems, it is time to do our final steps and get your protection software reinstalled.
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources (except a little disk space) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /u
        • Notes: The space between the combofix" and the /u, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
      • Delete the C:\combofix folder from combofix (if it exists)
    3. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    4. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    5. Go to add/remove programs and uninstall HijackThis.
    6. You can delete the C:\MGtools folder and the C:\MGtools.exe file. You can also delete the C:\MGlogs.zip
    7. If you are running Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures in step 3 of the READ ME for your Windows version and see the instructions to Disable System Restore, which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    8. After doing the above, you should work through the below link:
     
  12. Shoyz

    Shoyz Private E-2

    Thank you for all the help chaslang!

    Much appreciated.
     
  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome. Surf safely!
     
