Followed Read Me...SuperAntispyware failed, possible issues

Discussion in 'Malware Help (A Specialist Will Reply)' started by nova08, May 3, 2009.

  1. nova08

    nova08 Private E-2

    Ok, I followed the read me thread and had the following issues:

    I updated my java runtime and thought I should investigate into windows updates. It appears even though I have automatic updates enabled that it is really disabled and I cannot re-enable it, I received an access denied when on the services.msc window. Thus I can't even download updates from the windows site.

    Next, I could not change the folder setting to view hidden folders. I did not have the 'folder options' option under tools.
    UPDATE: After following the rest of the steps I now have the 'folder options' menu option to enable the display of hidden files

    I ran CCleaner and cleared out a lot of junk.

    I followed the instructions for SuperAntispyware and after running with the initial setup options I received the blue screen 2 minutes into scanning. I proceeded to reboot and uncheck the 2 other options and received the blue screen again after 1-2 minutes of scanning.

    Moved onto Malwarebytes. Ran a scan and deleted/quarantined many files, about 6 files required a reboot to be deleted. Log is attached.

    Ran Combofix, log attached.

    Ran MGtools, logs attached


    My system is running much better however the fact that I couldn't run SuperAntiSpyware when instructed worries me. Please advise what I should do next. Thank you in advance

  2. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    You are seriously infected. Please disconnect from internet while we do this ( copy and print it if you need).

    * Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
    If it is not on your Desktop, the below will not work.
    * Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    * If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
    * Open Notepad and copy/paste the text in the below code box into it (make sure you scroll all the way down in the code box to get all lines selected ):
    Code:
    KILLALL::
    
    Driver::
    Muabiankpu
    
    NetSvc::
    Muabiankpu
    
    File::
    c:\windows\system32\drivers\fd90537b.sys
    c:\windows\system32\drivers\1d9958f5.sys
    c:\windows\Jtowituyih.dat
    c:\windows\ocinibekepem.dll
    c:\windows\system32\wivagoge.exe
    c:\windows\system32\REN13.tmp
    c:\windows\system32\REN12.tmp
    c:\windows\system32\habodotu.exe
    c:\windows\S1E40A2DA.tmp
    c:\windows\system32\drivers\ovfsthyqlaqcuwyheowapimcnutqmnnepkxhvv.sys 
    c:\docume~1\CHRIST~1\LOCALS~1\Temp\ovfsthptnbvfqqmb.tmp 
    c:\docume~1\CHRIST~1\LOCALS~1\Temp\ovfsthwhoitgoxxx.tmp 
    c:\docume~1\CHRIST~1\LOCALS~1\Temp\ovfsthx000 
    c:\docume~1\CHRIST~1\LOCALS~1\Temp\ovfsthyretylnsya.tmp 
    c:\windows\system32\ovfsthlrhlrgknsotppxqsepqhdxqprsajdhno.dll 
    c:\windows\system32\ovfsthnsrofgbbktxyufnmwnywkbjhltfohsed.dll 
    c:\windows\system32\ovfsthreuphxrpptrjnqpupfjgmjehxbqpprta.dll 
    c:\windows\system32\ovfsthuaddaafgjioksatmbdxoedftvjpmegsr.dat
    c:\windows\system32\ovfsthwnrjsjhhfbmovfpfjauchopkecoheyti.dat
    
    Registry::
    [-HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{97E7F9AB-C1A3-0D8E-9F9D-C5D7F8C824F7}]
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    "DL32"=-
    
    * Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    * At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    * You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    If it asks you to override the previous file with the same name, click YES.
    * Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
    * Follow the prompts.
    * When it finishes, a log will be produced named c:\combofix.txt
    * I will ask for this log below

    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:

    * C:\ComboFix.txt
    * C:\MGlogs.zip --> tell me if you have any errors running this as the last MGLog had a newfiles log that was mostly empty.
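The CFScript above (and the two shorter ones later in this thread) is a plain-text file with section headers ending in `::` (`KILLALL::`, `Driver::`, `NetSvc::`, `File::`, `Folder::`, `Registry::`), one entry per line, `[-KEY]` to delete a whole registry key and `"name"=-` under a `[KEY]` header to delete one value. The following is an added example, not code from the thread or from ComboFix itself: it parses a script in that format and, after the run, reports which of the listed files or folders are still on disk, which is the check a helper would want before calling the machine clean. The grammar is inferred from the script in this post; the sample input is a trimmed copy of it and the "post-run snapshot" is constructed.

```python
import re
from typing import Callable, Dict, List, Tuple

# Constructed input: a trimmed copy of the CFScript posted above, kept as a raw
# string so the Windows backslashes survive verbatim.
SAMPLE_CFSCRIPT = r"""
KILLALL::

Driver::
Muabiankpu

NetSvc::
Muabiankpu

File::
c:\windows\system32\drivers\fd90537b.sys
c:\windows\system32\drivers\1d9958f5.sys
c:\windows\ocinibekepem.dll
c:\windows\system32\wivagoge.exe
c:\docume~1\CHRIST~1\LOCALS~1\Temp\ovfsthx000

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{97E7F9AB-C1A3-0D8E-9F9D-C5D7F8C824F7}]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"DL32"=-
"""

# A section header is a bare word followed by '::' (grammar assumed from the post).
SECTION_RE = re.compile(r"^([A-Za-z]+)::$")


def parse_cfscript(text: str) -> Dict[str, List[str]]:
    """Split a CFScript into {section: [entries]}; blank lines are ignored."""
    sections: Dict[str, List[str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])  # KILLALL:: legitimately stays empty
            continue
        if current is None:
            raise ValueError(f"entry before any section header: {line!r}")
        sections[current].append(line)
    return sections


def parse_registry_entries(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Turn Registry:: lines into (action, key, value) tuples.

    '[-KEY]' deletes the whole key; a '"name"=-' line under '[KEY]' deletes one value.
    """
    entries: List[Tuple[str, str, str]] = []
    key = None
    for line in lines:
        if line.startswith("[-") and line.endswith("]"):
            entries.append(("delete_key", line[2:-1], ""))
            key = None
        elif line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        else:
            m = re.fullmatch(r'"([^"]*)"=-', line)
            if not (m and key):
                raise ValueError(f"unexpected Registry:: line: {line!r}")
            entries.append(("delete_value", key, m.group(1)))
    return entries


def still_present(sections: Dict[str, List[str]],
                  exists: Callable[[str], bool]) -> List[str]:
    """Paths from File:: and Folder:: that 'exists' still reports after the run.

    On the cleaned machine pass os.path.exists; here a constructed set stands in.
    Paths are lower-cased because NTFS lookups are case-insensitive.
    """
    paths = sections.get("File", []) + sections.get("Folder", [])
    return [p for p in paths if exists(p.lower())]


if __name__ == "__main__":
    parsed = parse_cfscript(SAMPLE_CFSCRIPT)
    # Constructed post-run snapshot: pretend one listed file survived the run.
    leftovers = {r"c:\windows\system32\wivagoge.exe"}
    print(parse_registry_entries(parsed["Registry"]))
    print(still_present(parsed, lambda p: p in leftovers))
```

Any path `still_present` returns after the ComboFix run is a reason to post the log rather than assume the cleanup worked; a driver entry that survives a `Driver::` removal would be checked the same way against the services list.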
     
  3. nova08

    nova08 Private E-2

    Attached are the logs requested

    When running the getlogs.bat file, the command line displays a series of lines "This process cannot access the file because it is being used by another process." At least 20 lines of the same message. That was the only potential irregularity I could find while running.

    Thanks, I had a feeling there was still a lot of cleaning needed.

  4. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Just a few things to do. Let's see if this helps with the MGlogs.

    Run this: Disable/Remove Windows Messenger to remove Windows Messenger. Do not confuse Windows Messenger with MSN Messenger because they are not the same. Windows Messenger is a frequent cause of popups.

    Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    After clicking Fix, exit HJT.

    * Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
    If it is not on your Desktop, the below will not work.
    * Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    * If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
    * Open Notepad and copy/paste the text in the below code box into it (make sure you scroll all the way down in the code box to get all lines selected ):
    Code:
    KILLALL::
    
    File::
    c:\windows\system32\lmn_setup.exe
    c:\program files\vbncy.txt
    
    Folder::
    c:\program files\Common
    
    * Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    * At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    * You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    If it asks you to override the previous file with the same name, click YES.
    * Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
    * Follow the prompts.
    * When it finishes, a log will be produced named c:\combofix.txt
    * I will ask for this log below

    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:

    * C:\ComboFix.txt
    * C:\MGlogs.zip

    Make sure you tell me how things are working now!
     
  5. nova08

    nova08 Private E-2

    Everything worked. The combofix process seemed to take a little longer than the last run. Also I received a message half way through the process saying I should redownload combofix from a better source, even though I downloaded it from the links provided on this site. I just clicked ok and it continued with the process.

    I still received the series of lines "This process cannot access the file because it is being used by another process" while running mgtools. However I do not believe it was as many this time.

    Thanks

  6. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    For some reason your newfiles log was empty.

    Let's do this now:

    Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    After clicking Fix, exit HJT.

    * Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
    If it is not on your Desktop, the below will not work.
    * Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    * If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
    * Open Notepad and copy/paste the text in the below code box into it (make sure you scroll all the way down in the code box to get all lines selected ):
    Code:
    KILLALL::
    
    File::
    c:\windows\system32\ledanozo.dll
    C:\WINDOWS\system32\gozomose.dll
    
    Registry::
    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{bad65479-f799-4fda-a4fa-ac98b5a45ae8}]
    
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "febirakita"=-
    
    * Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    * At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    * You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    If it asks you to override the previous file with the same name, click YES.
    * Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
    * Follow the prompts.
    * When it finishes, a log will be produced named c:\combofix.txt
    * I will ask for this log below

    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:

    * C:\ComboFix.txt
    * C:\MGlogs.zip

    Make sure you tell me how things are working now!
     
