INfected and can not remove

Discussion in 'Malware Help (A Specialist Will Reply)' started by edit, Jan 17, 2008.

  1. edit

    edit Private E-2

    Hello I really need some help

    I've been infected with a virus that I cannot get rid of. McAfee did not pick up this virus, but when I scanned with NOD32 it found them.

    I cannot get rid of them, seeing how they continue to pop back up every time I try to remove them. I've also noticed that my Myspace passwords no longer work, but that's the only site that is having a problem.

    Other than that, the files found are:

    Ndt2.sys
    Indt2.sys
    Routing.exe
    Prefmon.exe
    pref.exe

    These are what sent up errors. NOD32 was able to remove a few of them except INdt2.sys, which it said I need to send a copy of to them for research; I have yet to receive any reply. I also sent a copy to webimmune, but no reply as well.

    Please help me, I'm going crazy, and my computer makes weird sounds at odd hours of the night when nothing is opened or running.

    thanks in advance
     
  2. abri

    abri MajorGeek

    Hi edit!
    Welcome to Major Geeks!


    Please run the instructions in the READ & RUN ME FIRST and attach the requested logs to your next post. If there's something you can't do, please note what it is and continue on.

    abri
     
  3. edit

    edit Private E-2

    Hello, ok I went through all those steps and am afraid the virus still resides on my computer. Here are the requested logs for your viewing. Thank you for your help again.

    Nothing was given by ComboFix or Spybot, so I was unable to post a log from them.
     

    Attached Files:

  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Not True!!! Your ComboFix log is right where the READ & RUN ME said it would be. C:\ComboFix.txt

    You need to attach it.

    We do not request a log for Spybot.
     
  5. edit

    edit Private E-2

    Ahh I apologize
     

    Attached Files:

  6. edit

    edit Private E-2

    I was curious and was checking MSCONFIG and saw that Prefmon.exe and routing.exe were still starting up whenever I booted, so I disabled them. After I went through that "how to clean Vista", the Ndt2.sys and Indt2.sys were gone, but those were still there.

    I'm not sure how to remove them though and am still worried.
     
  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please see the below which is a quote right out of the READ & RUN ME.
    You need to follow those instructions now and keep your PC in normal startup mode.


    Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O1 - Hosts: ::1 localhost
    O1 - Hosts: 82.98.86.173 ootbr.com

    After clicking Fix, exit HJT.

    Open a command prompt Window by clicking Start, Run and entering cmd and click OK. Enter the below commands in the command prompt window:

    sc stop perfmons
    sc delete perfmons
    sc stop Routing
    sc delete Routing


    Now close the command prompt window.


    Print the below instructions because at a point during them you MUST (this can be critical) shut down all browsers. I will tell you when to exit the browsers during the multi-part procedure.

    • Make sure ComboFix.exe is on your Desktop as requested in the READ ME.
    • Open Notepad and copy/paste the text in the below quote box into it:
    • Save the above as CFScript.txt and make sure you save it to your Desktop.
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • Now use your mouse to drag CFScript.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below
    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.


    Now run the C:\MGtools\GetLogs.bat file by double clicking on it.

    Now attach the below new logs and tell me how the above steps went.
    1. C:\ComboFix.txt
    2. C:\MGlogs.zip
    Make sure you tell me how things are working now!
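As an added illustration, not from the original thread and not part of HijackThis itself, the Python snippet below shows how the O1 Hosts lines quoted in the fix list above can be triaged mechanically. It parses each "O1 - Hosts:" line and distinguishes the standard loopback entry from a host pinned to loopback (the name becomes unreachable) and a host sent to a remote address (the case that silently redirects traffic, which is what makes a hosts-file change worth reviewing first). The first two sample lines are the ones in the post; the third is constructed.

```python
import ipaddress
import re

# Sample O1 lines: the two quoted in the post, plus one constructed entry
# that shows the other common case (a host pinned to loopback).
SAMPLE_O1_LINES = [
    "O1 - Hosts: ::1 localhost",
    "O1 - Hosts: 82.98.86.173 ootbr.com",
    "O1 - Hosts: 127.0.0.1 update.example.test",  # constructed
]

# HijackThis prints each hosts-file line as "O1 - Hosts: <address> <hostname>"
O1_RE = re.compile(r"^O1 - Hosts:\s+(?P<addr>\S+)\s+(?P<host>\S+)")


def parse_o1(line):
    """Return (address, hostname) for an O1 line, or None if it is not one."""
    m = O1_RE.match(line.strip())
    if m is None:
        return None
    return m.group("addr"), m.group("host")


def classify_hosts_entry(addr, host):
    """Classify a hosts-file mapping by what it does to name resolution.

    default    - loopback address mapped to 'localhost' (the normal entry)
    blocked    - another name pinned to loopback/unspecified; it becomes unreachable
    redirected - name sent to a non-local address; connections to that name
                 quietly go to a machine the user did not choose
    malformed  - the address does not parse
    """
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return "malformed"
    if ip.is_loopback and host.lower() == "localhost":
        return "default"
    if ip.is_loopback or ip.is_unspecified:
        return "blocked"
    return "redirected"


def triage_o1_lines(lines):
    """Map every hostname found in the given O1 lines to its classification."""
    result = {}
    for line in lines:
        parsed = parse_o1(line)
        if parsed is None:
            continue
        addr, host = parsed
        result[host] = classify_hosts_entry(addr, host)
    return result


def needs_review(lines):
    """Hostnames whose mapping a defender should look at first."""
    return sorted(host for host, kind in triage_o1_lines(lines).items()
                  if kind in ("redirected", "malformed"))


if __name__ == "__main__":
    for host, kind in triage_o1_lines(SAMPLE_O1_LINES).items():
        print(f"{kind:10s} {host}")
    print("review first:", needs_review(SAMPLE_O1_LINES))
```

The classification only orders the review; which lines to remove remains the analyst's call, as in the fix list above.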
     
  8. edit

    edit Private E-2

    OK, so I re-enabled everything and went through the steps again.

    When it came to the cmd prompt, I was unable to delete anything for "prefmons": it said that the file wasn't there, and for "Routing" it said access denied.

    I don't know enough to know if everything's running the way it should be, but when I ran that ComboFix the log said it deleted those files.

    But here are the logs.


    Oh, on a side note, my McAfee SiteAdvisor is no longer lighting up green after I ran that last fix.
     

    Attached Files:

  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    • Click on Start, then Run ... type services.msc into the box that opens up, and press 'OK'.
    • On the page that opens, scroll down to perfmons Service
    • then right click the entry, select Properties and press Stop Service.
    • When it shows that it is stopped, next please set the Start-up Type to 'Disabled'.
    • Now repeat the above to Stop and Disable the below two Services (if you do not find them or get any errors, just continue):
      • Routing Service
    • Click OK until you get back to Windows.
    • Next, run C:\MGtools\analyse.exe which is really HijackThis, but instead of scanning, click on the None of the above, just start the program button at the bottom of the choices.
    • At the lower right, click on the Config button
    • Then click the Misc tools button
    • Select Delete an NT Service
    • Copy/paste perfmons into the box that opens, and press OK
    • If you receive any error messages just ignore them and continue.
    • Now repeat the above to delete the below two Services (if you do not find them or get any errors, just continue):
      • Routing
    • Now exit HJT and reboot when it tells you it needs to.
    Now after reboot, run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created.


    Are you having any further malware problems?
     
    Last edited: Jan 24, 2008
  10. edit

    edit Private E-2

    Ok, I wanted to mention this and see what you said before I deleted Prefmons.exe.

    I ran a scan through NOD32 and it is finding those files over and over again, but the file name is "Prefs.exe" and not "Prefmons.exe".

    Should I follow those steps and put in "Prefs.exe" instead of "Prefmons.exe"?

    -

    I wanted to post this log as it would not create a notepad file with this in it, but these are what it found and deleted, which continue to come back. This is from the anti-virus NOD32:


    --------------------------------------------------------------------------
    1/15/2008 11:31:58 PM Startup scanner file C:\Windows\system32\ndt2.sys a variant of Win32/TrojanDownloader.Delf.DSX trojan cleaned by deleting - quarantined
    1/15/2008 11:30:45 PM Startup scanner file C:\WINDOWS\System32\routing.exe a variant of Win32/TrojanDownloader.Delf.OBC trojan cleaned by deleting - quarantined
    1/15/2008 11:30:25 PM Startup scanner file C:\WINDOWS\System32\perfs.exe a variant of Win32/TrojanDownloader.Delf.OBC trojan cleaned by deleting - quarantined
    --------------------------------------------------------------------------

    On a side note, when checking the Quarantine items there are 8 files; it's like they have duplicate files, there is "prefs.exe" and then there's "prefs.exe.vir".

    the files shown:

    indt2.sys
    indt2.sys.vir

    ndt2.sys
    ndt2.sys.vir

    prefs.exe
    prefs.exe.vir

    routing.exe
    routing.exe.vir


    Ok, let me know if that gives you any more insight as to what's up with my machine, and if I should continue with the previous steps posted or if I should do something different.

    thank you again for the help
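As an added example, not part of the thread and not NOD32's own tooling: a small Python parser for the NOD32 log lines quoted in the post above. It extracts timestamp, scanner, path, threat name and action, folds path case (the log itself writes C:\Windows\system32 and C:\WINDOWS\System32 for the same directory) and reports which files were detected more than once. Repeated detections of the same path after a successful clean are the signal that something else on the machine, such as a service or driver entry, is re-creating the file. The three 1/15/2008 lines are the ones in the post; the two 1/17/2008 lines are constructed to model that recurrence.

```python
import re
from datetime import datetime

# NOD32 startup-scanner lines: the three quoted in the post, plus two
# constructed lines dated two days later to model files that come back
# after being cleaned.
NOD32_LOG = r"""
1/15/2008 11:31:58 PM Startup scanner file C:\Windows\system32\ndt2.sys a variant of Win32/TrojanDownloader.Delf.DSX trojan cleaned by deleting - quarantined
1/15/2008 11:30:45 PM Startup scanner file C:\WINDOWS\System32\routing.exe a variant of Win32/TrojanDownloader.Delf.OBC trojan cleaned by deleting - quarantined
1/15/2008 11:30:25 PM Startup scanner file C:\WINDOWS\System32\perfs.exe a variant of Win32/TrojanDownloader.Delf.OBC trojan cleaned by deleting - quarantined
1/17/2008 8:02:11 AM Startup scanner file C:\WINDOWS\system32\routing.exe a variant of Win32/TrojanDownloader.Delf.OBC trojan cleaned by deleting - quarantined
1/17/2008 8:02:13 AM Startup scanner file C:\Windows\System32\PERFS.EXE a variant of Win32/TrojanDownloader.Delf.OBC trojan cleaned by deleting - quarantined
"""

# Line shape: "<timestamp> <scanner> file <path> <verdict> - <result>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M)\s+"
    r"(?P<scanner>.+?)\s+file\s+(?P<path>\S+)\s+"
    r"(?P<verdict>.+?)\s+-\s+(?P<result>\S+)$"
)
# The detection name is the "Win32/..." token inside the verdict text.
THREAT_RE = re.compile(r"\b(Win32/\S+)")


def parse_nod32_log(text):
    """Turn raw NOD32 log text into a list of event dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m is None:
            continue
        threat = THREAT_RE.search(m.group("verdict"))
        events.append({
            "time": datetime.strptime(m.group("ts"), "%m/%d/%Y %I:%M:%S %p"),
            "scanner": m.group("scanner"),
            "path": m.group("path"),
            "threat": threat.group(1) if threat else None,
            "verdict": m.group("verdict"),
            "result": m.group("result"),
        })
    return events


def normalize_path(path):
    # Windows paths are case-insensitive, so fold case to collapse spelling variants.
    return path.lower()


def recurring_detections(events, min_count=2):
    """Group events by normalized path; return those detected at least min_count times."""
    by_path = {}
    for ev in sorted(events, key=lambda e: e["time"]):
        key = normalize_path(ev["path"])
        entry = by_path.setdefault(
            key, {"count": 0, "first": ev["time"], "last": ev["time"], "threats": set()}
        )
        entry["count"] += 1
        entry["last"] = ev["time"]
        if ev["threat"]:
            entry["threats"].add(ev["threat"])
    return {p: e for p, e in by_path.items() if e["count"] >= min_count}


if __name__ == "__main__":
    events = parse_nod32_log(NOD32_LOG)
    print(f"{len(events)} detections parsed")
    for path, info in recurring_detections(events).items():
        print(f"{path}: detected {info['count']}x between {info['first']} and "
              f"{info['last']}; threats={sorted(info['threats'])}")
```

Run against the sample text it reports routing.exe and perfs.exe as recurring and leaves ndt2.sys out, which matches what the poster describes: the scanner keeps cleaning the same two files while the entries that relaunch them are still present.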
     
  11. edit

    edit Private E-2

    Ok, I went ahead and followed those steps. I was unable to delete either of them; both gave me error messages. No reboot was needed, but I went ahead and did one anyway. Here's the file.
     

    Attached Files:

  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You still need to do what I gave you in message # 9, as those services still appear in your HijackThis log.
     
  13. edit

    edit Private E-2

    I went ahead and did those steps and still am unable to delete them that way.
    I posted the log in my previous reply.
     
  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Are you referring to the procedure using services.msc and HijackThis that I gave you in message # 9? What error messages are you getting? Explain what happens when you use services.msc and HijackThis to remove the services.
     
  15. edit

    edit Private E-2

    Ok, I went through Services.msc and disabled both Prefmons and Routing. I went to properties on both and set the start-up type to disabled as well. Then I went to HijackThis and followed those steps; when I was prompted to enter the name of the file I wanted to delete, I did.

    when I entered prefmons

    it said:

    The following Service was found :
    Short name: Prefmons
    Full name Prefmons Services
    File C:\Windows\System32\prefs.exe(file missing)
    owner: Unknown owner

    I choose Yes to delete and then it gave me the message

    Unable to delete the service 'prefmons' make sure the name is correct and the service is not running.

    --------------------------------------------------------------------------

    With routing

    after I enter in the name it gives me the error message:

    Service 'Routing' was not found in the Registry.
    Make sure you entered the name of the service correctly


    --------------------------------------------------------------------------

    After doing that, when I exited HijackThis I was not prompted to reboot.

    Ok, that's pretty much it.
     
  16. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I did not say prefmons. I said perfmons.

    And way back when I said to delete the file, it was perfs.exe not prefs.exe like you kept saying.

    Try again and use the names I gave in my procedures.

    Then, no matter what, attach a new MGlogs.zip file after running C:\MGtools\GetLogs.bat.
     
  17. edit

    edit Private E-2

    I copy/pasted what you said to do and still it was not removed.

    Both times I got the same error that I posted above (minus the spelling error).

    The site says I can't paste the log because I've already posted that file in this thread before.
     
  18. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You cannot delete the service until you stop and disable it. There were two parts to the previous fixes. First stop and disable. Then use HijackThis to Delete the Service.

    That's only because you did not get a new log as requested. Don't get one now though. Wait until you do the below.

    Shut down your McAfee Antivirus program to make sure it does not interfere with doing the below.

    Let's try using ComboFix to remove the services.
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Open Notepad and copy/paste the text in the below code box into it (make sure you scroll all the way down in the code box to get all lines selected ):
    Code:
    Driver::
    perfmons
    Routing
     
    File::
    C:\WINDOWS\system32\perfmons.exe
    C:\WINDOWS\system32\perfmons.txt
    C:\WINDOWS\system32\routing.exe
    
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below
    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.


    After reboot, now install the current version of Sun Java from: Sun Java Runtime Environment

    Now run Ccleaner!

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it.

    Then attach the below logs:
    • C:\ComboFix.txt
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
    Last edited: Jan 31, 2008
  19. edit

    edit Private E-2

    Ok

    Everything's been disabled since you first told me to disable everything. I even went to properties and set the start-up as disabled, so that's not why HijackThis did not delete them. I tried it again before I posted this and received the same errors that I posted in my past post.

    Ok, and now when I tried to do the ComboFix it gave me this error and then sat on the blue screen telling me "please wait, ComboFix is getting ready to start" for 5 hours.

    --------------------------------------------------------------------------
    Error

    The system cannot find message text for message number 0x8 in the message file for System

    please wait

    Combofix is preparing to run

    --------------------------------------------------------------------------

    I didn't go any further because I don't know if that will mess anything up.
     
  20. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Try again after making sure you have shut down all protection software and also any other unnecessary processes. The above message is an out-of-memory type message. Make sure you do not have any browsers open when you drag and drop the CFscript.txt file. Try creating a new CFScript.txt file again from my message and try the procedure again.

    If the above does not work and since you seem to have problems getting any of these steps to run properly, your next step may be to format and reinstall.
     
    Last edited: Jan 31, 2008
