Infected - please help!

Discussion in 'Malware Help (A Specialist Will Reply)' started by floridad, Apr 19, 2010.

  1. floridad

    floridad Private E-2

    Thanks in advance.

    I've had problems the past couple weeks getting infected and reinfected. I think I get things cleaned up, but then new stuff pops up. It's always somewhat different, but amongst others I've had the rogue antivirus warnings, the thing where you get a warning of a pending shutdown and then a countdown timer, and random advertising popups/new tabs. It happens in both Internet Explorer and Firefox. My System Restore has gotten blocked (i.e., it won't let me restore to a pre-infection date). However, I haven't had any of the problems with not being able to run Task Manager or various removal tools.

    I went through the "READ ME FIRST" procedures in detail and, so far, things are acting like I'm clean again. So I'm hoping that we're in good shape. But thought it would be a good idea to have the experts take a look.

    Requested logs are attached.
     


  2. floridad

    floridad Private E-2

    here's the MGTools.zip file
     


  3. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Let's start with this:

    Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    After clicking Fix, exit HJT.

    * Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
    If it is not on your Desktop, the below will not work.
    * Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    * If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
    * Open Notepad and copy/paste the text in the below code box into it (make sure you scroll all the way down in the code box to get all lines selected):
    Code:
    KILLALL::
    
    File::
    C:\Documents and Settings\NetworkService\Local Settings\Application Data\5mQ6cU6r72D8X
    C:\Documents and Settings\NetworkService\Local Settings\Application Data\yd3PCdCL75y
    C:\Documents and Settings\Owner\Local Settings\Application Data\4nxd80
    C:\Documents and Settings\Owner\Local Settings\Application Data\B8u2j7
    C:\Documents and Settings\All Users\Application Data\4nxd80
    C:\Documents and Settings\All Users\Application Data\5mQ6cU6r72D8X
    C:\Documents and Settings\All Users\Application Data\B8u2j7
    C:\Documents and Settings\All Users\Application Data\U860
    C:\Documents and Settings\All Users\Application Data\yd3PCdCL75y
    C:\Documents and Settings\Owner\Templates\4nxd80      
    C:\Documents and Settings\Owner\Templates\b8u2j7
    C:\WINDOWS\Rlozunepo.dat
    C:\WINDOWS\Rluqusu.bin
    C:\Documents and Settings\Owner\Application Data\Adobe\Update\flacor.dat
    C:\Documents and Settings\Owner\Application Data\Adobe\Update\32ret.dat
    
    Registry::
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    "Behlp"=-
    "Getdo"=-
    
    * Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    * At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    * You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    If it asks you to override the previous file with the same name, click YES.
    * Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
    * Follow the prompts.
    * When it finishes, a log will be produced named c:\combofix.txt
    * I will ask for this log below

    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    Please run this: GMER - running with a random name and attach the log from GMER.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:
    * GMER log
    * C:\ComboFix.txt
    * C:\MGlogs.zip
     
  4. floridad

    floridad Private E-2

    Thanks, a couple things:

    First, I'm stuck on the above procedure. I have both ComboFix.exe and CFScript.txt on my desktop, but it won't let me drag the CFScript.txt on to ComboFix. (When I drag it around the desktop, I notice that some desktop icons will highlight. I assume that I'd want ComboFix to highlight as well, but it doesn't).

    Second, I am clearly still infected (was hoping I'd be clean after the Read & Run me first procedures). While working on the computer, I got several "XP Internet Security Alert" popups and there is a "catchme.log" on my desktop.

    I tried re-downloading combofix as well as restarting the computer. Still wasn't able to drag CFScript.txt on to Combofix.

    Thanks.
     
  5. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    I don't know why you can not drag the script onto ComboFix. We can try a different route.

    Download The Avenger by Swandog469, and save it to your Desktop.

    * Extract+ avenger.exe from the Zip file and save it to your desktop

    Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

    Copy just the bold text below to Notepad (do not include any space above the word REGEDIT). Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.
    Make sure that you tell me if you receive a success message about adding the above to the registry. If you do not get a success message, it definitely did not work.


    * Run avenger.exe by double-clicking on it.
    * -Do not change any check box options!!
    * Copy everything in the Quote box below, and paste it into the Input script here: part of the window:

    * Now click the Execute button.
    * Click Yes to the prompt to confirm you want to execute.
    * Click Yes to the Reboot now? question that will appear when Avenger finishes running.
    * Your PC should reboot, if not, reboot it yourself.
    * A log file from Avenger will be produced at C:\avenger.txt and it will popup for you to view when you login after reboot.

    Now run Ccleaner!

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:

    * C:\ComboFix.txt
    * C:\MGlogs.zip

    Make sure you tell me how things are working now!
     
  6. floridad

    floridad Private E-2

    Thanks Tim. Performed the requested procedures and got the confirmation that the registry was properly updated after running the fixME.reg script.

    For what it's worth:
    (1) I had to do a hard re-boot after running Avenger as the computer would not shut down using the restart function.
    (2) After restarting, the XP Internet Security rogue antivirus popups were still present and ave.exe was still showing in Task Manager (I didn't kill it, because I read elsewhere that killing it caused more severe problems for some folks).
    (3) After restarting, I had an error message (not sure if it is real or part of the rogue antivirus) that read: Windows - No Disk Exception Processing Message c0000013 Parameters 75b6bf7c 4 75b6bfc 4 75b6bf7c 75b6bf7c

    I've attached the requested logs. You requested the Combofix.txt log, but never asked me to re-run combofix. So I'm not sure this is updated from any prior files. The file is date-stamped 04/19/10 2:04am. I know I didn't run combofix at 2:04am, but I think I read that combofix temporarily messes with the computer's clock.
     


  7. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    It was a typo with ComboFix, but it is good you ran it as it found things not seen in other logs.

    Please run this: GMER - running with a random name and attach the log from GMER.

    Now please download SystemLook from one of the links below and save it to your Desktop.

    Download Mirror #1


    Download Mirror #2

    • Double-click SystemLook.exe to run it. (If you are using Vista, please right-click and select Run as administrator)
    • A blank window shall open with the title "SystemLook v1.0-by Jpshortstuff".
    • Copy and Paste the content of the following codebox into the main textfield under "File":

    Code:
    :filefind
    disk.sys
    
    • Please Confirm everything is copied and Pasted as I have provided above
    • Click the Look button to start the scan.
    • When finished, a notepad window will open with the results of the scan. You can close this notepad window as the log will already be saved as SystemLook.txt on your Desktop ( if you downloaded and ran SystemLook to your Desktop as requested ).
    • Please attach this log in your next reply.

    Note: The scan may take a while from several seconds to a minute or more depending on the number of files you have and how fast your computer can perform the task.

    * Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
    If it is not on your Desktop, the below will not work.
    * Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    * If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
    * Open Notepad and copy/paste the text in the below code box into it (make sure you scroll all the way down in the code box to get all lines selected):
    Code:
    KILLALL::
    
    File::
    c:\documents and settings\Owner\Application Data\Adobe\Update\flacor.dat
    c:\documents and settings\Owner\Application Data\Adobe\Update\32ret.dat
    C:\Documents and Settings\Owner\Local Settings\Application Data\ave.exe
    C:\Documents and Settings\Owner\Local Settings\Application Data\yaG3YsQ4geFa
    C:\Documents and Settings\Owner\Local Settings\Application Data\1254755337
    C:\Documents and Settings\All Users\Application Data\1254755337
    C:\Documents and Settings\All Users\Application Data\yaG3YsQ4geFa
    C:\Documents and Settings\Owner\Templates\1254755337
    C:\Documents and Settings\Owner\Templates\yaG3YsQ4geFa
    C:\Documents and Settings\Owner\Local Settings\temp\1254755337
    C:\Documents and Settings\Owner\Local Settings\temp\23631764.nls
    C:\Documents and Settings\Owner\Local Settings\temp\yaG3YsQ4geFa
    C:\WINDOWS\Temp\PjdH.exe
    
    Registry::
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Behlp"=-
    "Getdo"=-
    
    * Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    * At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    * You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    If it asks you to override the previous file with the same name, click YES.
    * Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
    * Follow the prompts.
    * When it finishes, a log will be produced named c:\combofix.txt
    * I will ask for this log below

    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:
    * GMER and SysLook logs
    * C:\ComboFix.txt
    * C:\MGlogs.zip
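    Added example, not code from this thread or from ComboFix's authors: a small Python linter for the CFScript format used in posts 3 and 7 (KILLALL::, File::, and Registry:: with "name"=- value deletions). It parses a script, flags anything that is not a plain deletion, and dry-runs the File:: list against the disk without removing anything. The section names and the embedded sample script come from post 7; the parsing rules themselves are an assumption about the format, not ComboFix's documented grammar.

```python
"""Lint a ComboFix CFScript before it is dragged onto ComboFix.exe (dry run only)."""
from __future__ import annotations
import os
import re
from dataclasses import dataclass, field

SECTION_RE = re.compile(r"^([A-Za-z]+)::\s*$")          # e.g. "File::"
KEY_RE = re.compile(r"^\[(HK[A-Z_]+\\.+)\]$")            # e.g. "[HKEY_CURRENT_USER\...\Run]"
DELETE_VALUE_RE = re.compile(r'^"([^"]+)"=-$')           # e.g. '"Behlp"=-' (delete value)


@dataclass
class CFScript:
    killall: bool = False
    files: list[str] = field(default_factory=list)
    registry: dict[str, list[str]] = field(default_factory=dict)  # key -> values to delete
    warnings: list[str] = field(default_factory=list)


def parse_cfscript(text: str) -> CFScript:
    """Parse KILLALL::, File:: and Registry:: sections; anything else is a warning."""
    script = CFScript()
    section = None
    current_key = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        sec = SECTION_RE.match(line)
        if sec:
            section = sec.group(1).upper()
            current_key = None
            if section == "KILLALL":
                script.killall = True
            elif section not in ("FILE", "REGISTRY"):
                script.warnings.append(f"line {lineno}: unknown section {section}::")
            continue
        if section == "FILE":
            script.files.append(line)
        elif section == "REGISTRY":
            key = KEY_RE.match(line)
            if key:
                current_key = key.group(1)
                script.registry.setdefault(current_key, [])
                continue
            val = DELETE_VALUE_RE.match(line)
            if val and current_key:
                script.registry[current_key].append(val.group(1))
            else:
                # Only '"name"=-' deletions are expected in a cleanup script; anything
                # that would *write* a value is worth a second look before running.
                script.warnings.append(f"line {lineno}: not a plain value deletion: {line}")
        else:
            script.warnings.append(f"line {lineno}: text outside any section: {line}")
    return script


def dry_run(script: CFScript, exists=os.path.exists) -> dict[str, bool]:
    """Report which File:: entries are present on this machine; nothing is deleted."""
    return {path: exists(path) for path in script.files}


# Sample script (assumed format), copied from post 7 of the thread; raw string keeps
# the backslashes (e.g. "\temp") from being read as escape sequences.
SAMPLE_CFSCRIPT = r"""
KILLALL::

File::
c:\documents and settings\Owner\Application Data\Adobe\Update\flacor.dat
c:\documents and settings\Owner\Application Data\Adobe\Update\32ret.dat
C:\Documents and Settings\Owner\Local Settings\Application Data\ave.exe
C:\Documents and Settings\Owner\Local Settings\Application Data\yaG3YsQ4geFa
C:\Documents and Settings\Owner\Local Settings\Application Data\1254755337
C:\Documents and Settings\All Users\Application Data\1254755337
C:\Documents and Settings\All Users\Application Data\yaG3YsQ4geFa
C:\Documents and Settings\Owner\Templates\1254755337
C:\Documents and Settings\Owner\Templates\yaG3YsQ4geFa
C:\Documents and Settings\Owner\Local Settings\temp\1254755337
C:\Documents and Settings\Owner\Local Settings\temp\23631764.nls
C:\Documents and Settings\Owner\Local Settings\temp\yaG3YsQ4geFa
C:\WINDOWS\Temp\PjdH.exe

Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Behlp"=-
"Getdo"=-
"""

if __name__ == "__main__":
    parsed = parse_cfscript(SAMPLE_CFSCRIPT)
    print(f"KILLALL: {parsed.killall}, files: {len(parsed.files)}, warnings: {parsed.warnings}")
    for path, present in dry_run(parsed).items():
        print(("PRESENT " if present else "missing ") + path)
```

Running it on a machine other than the one in the thread will report every path as missing; the point is to see the parse result and warnings before the real script is handed to ComboFix.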
     
  8. floridad

    floridad Private E-2

    Ok, had a few problems on this step. First off, where we are now:
    • The XP Internet Security rogue antivirus appears to be gone. I'm not getting the popups and I don't see ave.exe in the Task Manager
    • I can't open most of the programs on my desktop (although I can open internet explorer). When I click them, I get the (standard windows) popup window asking what program I want to use to open the file.

    Now, as for what I was able to do. I'm still not able to drag the CFScript.txt file icon on to the ComboFix icon on my desktop. Accordingly, I used the same workaround using Avenger.exe that we did earlier (I modified the file list to match those files listed in your most recent message). I also did the REGEDIT4 piece from your earlier post since it looked like the CFScript was supposed to redo that as well.

    After running Avenger.exe, I had to reboot. That was when I had the problem with not being able to run the programs on my desktop. Upon booting, the computer tried to run a program called "cleanup.exe". However, it didn't run because the pop-up asking which program I wanted to use to open the file came up instead. I cancelled out. So if cleanup.exe was supposed to run, it hasn't run yet.

    3 of the 4 requested logs are attached. Unfortunately, since I'm unable to run combofix (I tried re-downloading to no avail), I haven't attached the combofix log.

    For what it's worth, other than the problem with not being able to load most of my desktop programs, things seem to be working and I'm not noticing any other malware behavior. Although the "catchme.log" file is still present on my desktop.
     


  9. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Crap, I was hoping we could get Combo to work. But good job on switching to Avenger. We still need to replace a system file.

    Please go HERE and scroll down to the ninth file. This should fix your exe file associations.

    Now:
    Use windows explorer to find C:\WINDOWS\ServicePackFiles\i386\disk.sys and copy that file directly to your C:\ drive so you have C:\disk.sys. Make sure it is there.

    Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

    * Run avenger.exe by double-clicking on it.
    * -Do not change any check box options!!
    * Copy everything in the Quote box below, and paste it into the Input script here: part of the window:

    * Now click the Execute button.
    * Click Yes to the prompt to confirm you want to execute.
    * Click Yes to the Reboot now? question that will appear when Avenger finishes running.
    * Your PC should reboot, if not, reboot it yourself.
    * A log file from Avenger will be produced at C:\avenger.txt and it will popup for you to view when you login after reboot.

    Now run Ccleaner!

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:

    * C:\Avenger.txt
    * C:\MGlogs.zip

    Make sure you tell me how things are working now!
     
  10. floridad

    floridad Private E-2

    Ok, performed those procedures and it feels like we're getting close.

    One minor problem: When I rebooted after running avenger, it still tried to run Cleanup.exe on startup. It was unable to find that file (because we deleted it), but there is still somewhere telling it to run on startup.

    I also might have a browser re-direct problem. I had one unexpected tab open claiming I had won some prize. It might have just been a normal pop-up, but I think I was just on google.com when it popped, so I'm thinking it might be some malware.

    Not noticing any other suspicious behavior right now.

    Here are the requested logs:
     


  11. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Did you copy the disk.sys file? Avenger said it couldn't move it. Can or are you willing to try to do it manually? The clean file from the i386 folder you can right click and then paste it into the existing C:\WINDOWS\system32\drivers\disk.sys?
     
  12. floridad

    floridad Private E-2

    I had put it at C:\disk.sys, not sure why it couldn't be found.

    Anyway, I have now copied the disk.sys file from the C:\Windows\ServicePackFiles\i386 folder and pasted it to the C:\Windows\System32\Drivers folder. Upon doing that, I replaced a file created on 4/19/10 with a file that was created on 04/13/10. Both had a file size of 35.5 KB.

    Need any additional logs?
     
  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    The good file was copied to C:\ , you can see it in MGlogs.zip. Avenger could not replace the one in system32 due to the type of malware infection. It needs to be replaced from the Recovery Console or by using any other special boot CD while Windows is not running at all. ;) Or possibly ComboFix can be used with the TDL command.

    Manually copying the file will likely just result in the copied file being infected.
     
  14. floridad

    floridad Private E-2

    Tim, I trust you'll follow up with me on this on Thursday. I already copied the file over as noted in an earlier post.

    A couple other things I've noticed.
    • Programs are taking longer than normal to load. Not insanely and ridiculously long, but longer than would be expected.
    • Firefox tries to open a new tab when I start it. It will open my normal home page (just set to Google right now) in the first tab, and then try to open the following URL in a second tab: (sorry, tried to copy & paste the url, but it disappeared when I clicked on it to copy it)
     
  15. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Since Tim seems to have logged off for the night, just try the below and we will see what happens. This is the easiest possible fix, but it does not always work.



    Now we need to use ComboFix
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    • If ComboFix tells you it has expired or need to be updated to a new version, make sure you allow it to update.
    • Open Notepad and copy/paste the text in the below quote box into it:
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below
    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:
    • C:\ComboFix.txt
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
  16. floridad

    floridad Private E-2

    Edit: Never mind, got the thing to work that I was questioning.
     
  17. floridad

    floridad Private E-2

    Ok, the last requested procedure seems to have worked. I've attached the new requested logs. I'm not currently noticing any unusual behavior, although it seems that programs might be loading somewhat slower than typical... might just be my imagination though. I'll post an update by editing this post if I notice anything new or different.
     


  18. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes it worked! ;) Now you need to complete all of the below and get your PC properly protected which is in the link given.


    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources ( except a little disk space ) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /uninstall
        • Notes: The space between the combofix" and the /uninstall, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
    3. Go back to step 6 of the READ ME and re-enable your Disk Emulation software with Defogger if you had disabled it.
    4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    7. Go to add/remove programs and uninstall HijackThis.
    8. Go to the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    9. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures pointed to by step 7 of the READ ME for your Windows version and see the instructions to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    10. After doing the above, you should work thru the below link:
     
  19. floridad

    floridad Private E-2

    Thanks guys.

    Took care of the final steps, refreshed my system restore, and then downloaded and installed Avira AntiVir and SpywareBlaster.

    Everything is running normally now. However, I just did a random check of my MSCONFIG startup tab and noticed one item that appears to be suspicious:

    C:\Documents and Settings\Owner\Application Data\Helper\bin\liveu.exe

    Doing a Google search for liveu.exe suggests that it could be malware, so I thought I'd mention it here.
     
  20. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Delete the whole folder:
    C:\Documents and Settings\Owner\Application Data\Helper

    If you would, since we didn't recheck, run SAS and MBAM and attach those logs.
     
  21. floridad

    floridad Private E-2

    Thanks Tim,

    I deleted that folder and then ran SAS and MBAM (logs attached) and liveu.exe is now gone from the MSCONFIG startup tab.

    A couple interesting things of note:
    • I had refreshed my system restore earlier today after we had determined that my system was clean. I tried to do a system restore back to that point, and the computer reported that it was unable to restore to that point. I had another restore point about 2 hours after that from installing some HP printer software and was able to restore to that point. The logs are after completing that system restore.
    • Windows Security Center is reporting that I don't have a firewall enabled when I restart my computer. When I try to enable it, it says it can't. However, it seems like it might be some type of conflict with SAS. During the startup process, I get that windows security center popup and then after 30 seconds or so, the firewall on security center goes to green and is enabled. Immediately after that, I see SAS loading with its logo screen in the middle of my monitor. Probably no big deal, but thought I'd mention it anyway.

    By the way, I found you guys extremely helpful and your instructions are easy to follow without getting excessively into the minute details like a lot of helpdesks tend to do. But I've been reading some of the other threads..... seems like it's like pulling teeth to get folks to actually do the Read & Run Me First before posting. ;)
     


  22. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    LOL, you noticed, eh??

    And you are welcome. Safe surfing. :)
     
