Computer infestation - need help!

Discussion in 'Malware Help (A Specialist Will Reply)' started by OneStaple, Jan 11, 2007.

  1. OneStaple

    OneStaple Private E-2

    Hey,

    My computer is having major issues and I can't seem to figure out what's wrong and how to fix it. I'm running XP SP2.

    This started in September when I first loaded the computer, and I found a trojan three days after the clean install. I already had the corporate edition of Symantec on the computer, along with Ad-Aware and Spybot S&D. I thought I managed to clean it off, but wasn't sure, as pop-ups and obvious spyware/malware was still evident (including WinAntiVirus 2006 stuff). I ran all three of the above programs periodically with their most current updates, and sometimes it would seem that I was winning, sometimes not.

    At one point, I believed that I had virtumonde, and I used a Symantec tool (I believe) to try to clean it off, but it couldn't even find it.

In mid-December, Symantec started posting warnings about a file svstani.dll in c:\windows\system32\macromed. It would give a new warning every second, and I figured it was due to virtumonde, but it was also finals week, so I didn't have time to deal with it. Quarantine didn't work for Symantec, and I couldn't manually delete it, even in safe mode.

    Then the computer sat for a month until two days ago (winter break).

    When I got back, it still ran as before. Similar to before, boot ups took FOREVER (especially after logging in). But yesterday morning, something killed both my internet connection and windows firewall. The computer says that the Windows Firewall/Internet Connection Sharing service isn't started, and it can't be started (even if I try to start it manually). The internet connection had worked the night before, but now it just sits and attempts to acquire a network address. If I plug another computer into the same LAN cable, I immediately am online.

    I went through the Read & Run Me First, including uninstalls for virtumonde and smitfraud (spybot saw that every now and then, but it always came back). Just prior to running the virtumonde uninstall, I used the XP disk to get a DOS command prompt and manually delete the svstani.dll file. The virtumonde uninstall found other associated files with the filename backwards of the above file. The smitfraud uninstaller found nothing.

    Since my internet doesn't work, I wasn't able to run the online scans, BitDefender and PandaActiveScan. I also wasn't able to update the programs such as spybot and symantec, although that was up to date just before my winter break, when I last ran it (not including this current process). Other than that, I followed the Read and Run Me First instructions carefully.

    Attached are the log files from the various programs.

    Please help!

    Thank you,
    --Tyler
     

    Attached Files:

  2. OneStaple

    OneStaple Private E-2

    Rest of the files...
     

    Attached Files:

  3. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Download
    - Pocket Killbox
    - WinsockXP Fix

    Using Add or Remove Programs in the Control Panel; uninstall the following:
    Run WinsockXP Fix

    Download DelDomains and unzip it to your desktop.

    Find the files from deldomains.zip on your Desktop and RightClick on the deldomains.inf file and select Install.

    Afterwards run Spybot and make sure you re-Immunize immediately. Then run a full system scan. If you get any reported problems, attach the log from Spybot.

    Copy the contents of the below quote box to Notepad; Save As FixReg.reg to your Desktop; make sure File Type: is set to All Files (*.*).
    Close Notepad.

    Locate FixReg.reg on your Desktop. Double-click on it and answer 'Yes' when asked if you want to merge with the registry.

    Now Run HijackThis. Click the 'Do a system scan only' button. Place a checkmark in the box next to the following lines:
    Click on the 'Fix checked' button. Wait for HijackThis to finish; close HijackThis.

    Now run Pocket Killbox:

    Choose Tools -> Delete Temp Files and click Delete Selected Temp Files
    Then after it deletes the files click the Exit (Save Settings) button.

    NOTE: Pocket Killbox will only list the added files it is able to find on the system. So when you do the below, if some files do not show in the list after pasting them in, just continue.

    Select:
    • Delete on Reboot
    • then Click on the All Files button.
    • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):
    • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
    • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).
    If Killbox does not reboot or you get a Pending Operations type error message just reboot your PC yourself.

    Now boot into SAFE MODE

    Open Windows Explorer, navigate to and DELETE the following folders:
    Now run CCleaner. If you have Windows XP delete the contents of C:\WINDOWS\Prefetch.

    Then, as an added precaution, Go to Start -> Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:

    Temporary Files
    Temporary Internet Files
    Recycle Bin


    And Click OK.

    REBOOT to Normal Mode.

    Follow the directions on How to Reset Web Settings.

    Run the following and post the logs:
    1. BitDefender Online
    2. Panda ActiveScan
    3. GetRunKey
    4. ShowNew
    5. HijackThis


    Be sure to tell me how everything is running.
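    Killbox's "Delete on Reboot" and the PendingFileRenameOperations prompt mentioned above both come from a single registry value that Windows processes at the next boot. As an added example, not code from this thread or from Pocket Killbox, this PowerShell snippet lists what is queued there so you can confirm that only the paths you pasted are scheduled; entries you did not queue deserve a look, since the same mechanism can be used by malware to swap or remove files during boot.

```powershell
# Added example (not from the thread or from Pocket Killbox). Lists the file
# operations queued in PendingFileRenameOperations, the REG_MULTI_SZ value the
# Session Manager processes at boot and that Killbox's "Delete on Reboot" uses.
# Entries come in pairs: source path, then destination. An empty destination
# means "delete"; a destination starting with "!" means "replace if it exists".
$SessionManagerKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
$ValueName = 'PendingFileRenameOperations'

function Get-PendingFileOperations {
    $item = Get-ItemProperty -Path $SessionManagerKey -Name $ValueName -ErrorAction SilentlyContinue
    if (-not $item) { return @() }              # nothing is queued for the next reboot

    $entries = @($item.$ValueName)
    $ops = @()
    for ($i = 0; $i -lt $entries.Count; $i += 2) {
        # Paths are stored with the NT-style \??\ prefix; strip it for readability.
        $src = $entries[$i] -replace '^\\\?\?\\', ''
        $dst = ''
        if ($i + 1 -lt $entries.Count) {
            $dst = $entries[$i + 1] -replace '^\\\?\?\\', ''
        }
        $action = 'Rename'
        if ($dst -eq '') { $action = 'Delete' }
        $ops += [pscustomobject]@{
            Action = $action
            Source = $src
            Target = $dst.TrimStart('!')
        }
    }
    return $ops
}

Get-PendingFileOperations | Format-Table -AutoSize
```

    An empty result after the reboot Killbox triggers is the expected state; if Killbox reported a PendingFileRenameOperations prompt, this shows exactly what was already queued ahead of it.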
     
  4. OneStaple

    OneStaple Private E-2

    Hey,

    Thanks a ton for the help. I'm not sure if everything is fixed now, but I'll go through what I did and the responses by the computer.

    Once I'd removed J2SE, Thunderbird, and Viewpoint and run WinSockXP, my computer began booting up (meaning, loading the desktop after I logged in) much much faster (meaning a reasonable speed). My internet connection and firewall started working again. Oh, and I didn't mention before, the firewall that stopped working is the Windows XP firewall. I am also using BlackICE, which seemed to run fine through all this time.

    Spybot found SearchToolbarCorp.ToolbarVision and Win32.Agent.At, both of which I had it fix (log is attached).

    When running HijackThis, the second O2 line that you listed to fix didn't appear at all (same with at the end when I ran it), so I assume that wasn't a problem. I fixed the others.

    Killbox did NOT return a Pending Operations type error message. However, when I shut down to boot into safe mode following this, I received an "end program" prompt for explorer.exe. I don't think this is related to Killbox though, as it started happening about a week ago and appeared a few more times through this current process.

    When trying to delete the three folders, I could not find the ipwins folder. Doing a search for it found nothing as well.

    I then went back to normal boot mode and shut down and restarted a few times. One of the times (and this has come up a few times in the past few months, after I started noticing problems) it said "One of the files containing the system's Registry data had to be recovered by use of a log or alternate copy. The recovery was successful.", to which you can only hit "ok". I don't know if this is related to anything, but as something seems to be altering the registry, I thought I'd mention it.

    Again I was not able to run BitDefender or Panda Active Scan. I could get to the websites for them, but clicking on the buttons gave no response in IE. For BitDefender, the "I agree" button responded like it was only a graphic. For Panda Active Scan, the mouse changed to a hand like it was a link, but clicking gave no results. For both, using Firefox and clicking on the links gave responses, but I was told in both cases that IE was necessary. What do I need to do to use these programs?

    Also, regarding deleting the Java, Thunderbird, and Viewpoint Media Player programs, are these programs I shouldn't have on the computer? The one I care most about is Thunderbird, as that is my email application. Do they load spyware or contain possible security risks? If so, do you recommend an alternate for Thunderbird? If not, can I reinstall them safely once this is all fixed?

    I'm attaching the logs for spybot, hijackthis, getrunkey, and shownew. The second spybot scan is from a second scan I ran later in the process after accessing the internet a couple times (only for majorgeeks.com and perhaps the BitDefender and Panda websites).

    Thank you again!
    --Tyler
     

    Attached Files:

  5. OneStaple

    OneStaple Private E-2

    Spybot files...
     

    Attached Files:

  6. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    You can go ahead and reinstall Thunderbird. I only had you remove it temporarily, your email and profile are still on the system.

    I'll post further instructions shortly.
     
  7. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    C:\Program Files\ISS\ has a creation date of today; give me a list of files in that folder.
     
  8. OneStaple

    OneStaple Private E-2

    All that is in there is a folder named "rogueapp". I can't see any other files in the iss folder or the rogueapp folder, and it would seem that all the hidden (and super super hidden) files are currently being shown.

    --Tyler
     
  9. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Delete the entire C:\Program Files\ISS\ folder.

    Run CCleaner

    Run AVG Anti-Rootkit and attach the log!
     
  10. OneStaple

    OneStaple Private E-2

    I did as you said, and AVG Anti-Rootkit found no problems, both with the rootkit scan and the in-depth search.

    I also noticed that each time I reboot my computer, the ISS folder is recreated.

    --Tyler
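    Tyler reports that C:\Program Files\ISS comes back after every reboot, which means something that starts at boot or logon is recreating it. As an added example, not from the thread or from GetRunKey/ShowNew, this PowerShell function searches the Run/RunOnce keys and service image paths for references to a folder; the needle used here is the folder from this thread.

```powershell
# Added example (not from the thread, GetRunKey or ShowNew). Searches the common
# autostart locations for anything whose command line or service image path
# mentions a given folder, to trace what recreates a directory at every boot.
# The needle below is the folder from the thread; swap in whatever you are tracing.
function Find-AutostartReferences {
    param([Parameter(Mandatory = $true)][string]$Needle)

    $hits = @()
    $runKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    foreach ($key in $runKeys) {
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if (-not $props) { continue }
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }       # skip PSPath, PSParentPath, ...
            if ("$($p.Value)" -like "*$Needle*") {
                $hits += [pscustomobject]@{ Location = $key; Name = $p.Name; Command = $p.Value }
            }
        }
    }

    # Services and drivers start before any user logs on, so check ImagePath too.
    $services = Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' -ErrorAction SilentlyContinue
    foreach ($svc in $services) {
        $img = (Get-ItemProperty -Path $svc.PSPath -Name ImagePath -ErrorAction SilentlyContinue).ImagePath
        if ($img -and $img -like "*$Needle*") {
            $hits += [pscustomobject]@{ Location = 'Service'; Name = $svc.PSChildName; Command = $img }
        }
    }
    return $hits
}

Find-AutostartReferences -Needle 'Program Files\ISS' | Format-Table -AutoSize
```

    Whatever this turns up can be cross-checked against the GetRunKey and ShowNew logs the thread asks for; in this case the advisor later attributes the folder to BlackICE rather than to malware.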
     
  11. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    OK, let's get some new logs.

    Run the following and post the logs:
    1. GetRunKey
    2. ShowNew
    3. HijackThis
     
  12. OneStaple

    OneStaple Private E-2

    Here are the new logs.

    --Tyler
     

    Attached Files:

  13. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Copy the contents of the below quote box to Notepad; Save As FixReg.reg to your Desktop; make sure File Type: is set to All Files (*.*).
    Close Notepad.

    Locate FixReg.reg on your Desktop. Double-click on it and answer 'Yes' when asked if you want to merge with the registry.

    Run HijackThis. Click the 'Do a system scan only' button. Place a checkmark in the box next to the following lines:
    Click on the 'Fix checked' button. Wait for HijackThis to finish; close HijackThis.

    Reboot into SAFE MODE

    Now run Pocket Killbox:

    Choose Tools -> Delete Temp Files and click Delete Selected Temp Files
    Then after it deletes the files click the Exit (Save Settings) button.

    NOTE: Pocket Killbox will only list the added files it is able to find on the system. So when you do the below, if some files do not show in the list after pasting them in, just continue.

    Select:
    • Delete on Reboot
    • then Click on the All Files button.
    • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):
    • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
    • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).
    If Killbox does not reboot or you get a Pending Operations type error message just reboot your PC yourself.

    Now boot into SAFE MODE

    Open ExplorerXP, navigate to and DELETE the following:
    Now run CCleaner. If you have Windows XP delete the contents of C:\WINDOWS\Prefetch.

    Then, as an added precaution, Go to Start -> Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:

    Temporary Files
    Temporary Internet Files
    Recycle Bin


    And Click OK.

    REBOOT to Normal Mode.

    Follow the directions for Virtumonde aka Trojan Vundo Removal

    Post the following logs:
    1. VundoFix
    2. ShowNew
    3. GetRunKey
    4. HijackThis


    Be sure to tell me how your computer is running.
     
  14. OneStaple

    OneStaple Private E-2

    I followed your instructions and it went pretty smoothly. Pocket Killbox gave no Pending Operations type error message. However, I did run into a couple (hopefully minor) problems.

    For one, when deleting the c:\windows\system32\macromed folder, it would not allow me to fully delete it, as it denied access to a file in there (c:\windows\system32\macromed\flash\flash9.ocx). I even booted to a DOS prompt to attempt to remove it, and access was still denied. I'm assuming that this folder was valid and was used by a Flash application, so hopefully that file isn't a problem.

    When I rebooted to normal mode toward the end, I started receiving error messages that there was a problem with blackd.exe, and later that BlackICE wasn't started (it should have automatically), asking if I wanted to start it, and then being unable to start and thus asking me again. I assume I can just reinstall BlackICE later if necessary, unless you know of a method of fixing this. (As a side note, any thoughts on the program Proventia, by the same people that make BlackICE?)

    Virtumonde was not found. I removed virtumonde earlier just before starting this thread and had hand deleted svsnati.dll, which HijackThis was showing remnants of.

    The folder c:\Program Files\iss came back again when I rebooted to normal mode.

    The logs are attached.

    Thank you!
    --Tyler
     

    Attached Files:

  15. OneStaple

    OneStaple Private E-2

    Virtumonde log...
     

    Attached Files:

  16. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Go ahead and leave this alone: c:\windows\system32\macromed. Flash is using it.

    I'm thinking BlackIce may be creating c:\Program Files\iss.

    Reinstall BlackIce.

    Otherwise, how are things working?
     
  17. OneStaple

    OneStaple Private E-2

    I reinstalled BlackICE and it seems to be running fine now.

    My computer seems to be running MUCH better than when I first started this thread. It boots up quickly (like it should) and I haven't seen any signs of spyware (random pop-ups, etc.).

    Thank you VERY much for all the help you gave. I really appreciate it.

    --Tyler
     
  18. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    If you are not having any other malware problems, it is time to do our final steps:
    • If we used Pocket Killbox during your cleanup, do the below
      • Run Pocket Killbox and select File, Cleanup, Delete All Backups
    • If we used ComboFix you can delete the ComboFix.exe file and associated C:\combofix.txt log that was created.
    • If we used SDFix you can delete all the SDFix related files and folders from your Desktop or wherever you installed it.
    • If we used VundoFix, you can delete the VundoFix.exe file and the C:\VundoFix Backups folder and C:\vundofix.txt log that was created.
    • If we had you run FixWareOut, you can delete the Fixwareout.exe file and the C:\fixwareout folder.
    • If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    • You can delete the ShowNew.Zip and GetRunkey.Zip files and the files that you extracted from the ZIP files. You can also delete the C:\newfiles.txt and C:\runkeys.txt logs that were created.
    • If you are running Windows XP or Windows ME, do the below:
      • go back to step 8 of the READ & RUN ME to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    • After doing the above, you should work through the below link:
     
