Infection which disables Anti-virus software, repeatedly opens IE

Discussion in 'Malware Help (A Specialist Will Reply)' started by Nonym, Jul 28, 2007.

  1. Nonym

    Nonym Private E-2

    Hello,

    I'd like to start by saying that yes, I did read the READ & RUN ME FIRST thread, and I did attempt to follow all of the steps. However, after having downloaded and installed Spybot Search & Destroy, I was unable to run it as the main .exe file was missing. The same thing has happened when I've tried downloading Avast, and it wouldn't even let me complete the installation for AVG or Norton.

    Furthermore, when I tried to boot in safe mode, all I got was a nice little BSOD for a split second before the computer rebooted again. I attempted to boot into safe mode several times, but it wouldn't let me. I can boot just fine into normal mode with no BSOD, however.

    I'm also a bit wary of performing step 6A, since the malware infection has been repeatedly opening IE, I'd rather not risk opening it myself to use for anything. I've used Opera for years, and am using it right now to post this.

    So with that in mind, I did attempt to complete the rest of the steps, and ran CCleaner and CounterSpy in normal Windows. Since running CounterSpy, I haven't had any trouble, but I am skeptical that the infection is gone, as I've thought I had killed it already a few times only to have it reappear later.

    I've included the logs from Counterspy, runkeys, and newfiles, and will make a second post with the log from HijackThis. I'd just like to note that since the username for my windows account is the same as my real name, I've replaced all instances of it in those files with my nickname on this forum for my own privacy.

    So here's the history of the infection and everything I know about it:

    About a week and a half ago, I finally got around to installing SP2 and all of the security updates available for Windows through Windows Update. Shortly after this, I downloaded a file I obviously shouldn't have, which promptly infected my computer with BraveSentry. I removed the infection, but soon my computer started beeping at me incessantly (the "default beep" sound, to be specific). So I opened the Task Manager and found three instances of iexplore.exe running despite there not being a single IE window open. I promptly closed all three, and went back to what I was doing, when it started beeping again. I opened the Task Manager again and closed it again.

    I also looked for suspicious processes running and found svehost.exe running, so I closed that as well, found and deleted the file, then googled it to find out it was WORM_SPYBOT.H. I deleted the registry keys mentioned on the page I found, and thinking that might be the end of it, I continued what I was doing. A little while later I got the same beeping, and an IE process running again. Fed up, I tried the band-aid solution of renaming the iexplore.exe file so that the virus can't open it any more, but either it or Windows just creates a new one over and over every time I try deleting or renaming it.

    At this point I decide I need to permanently fix this, so I run Ad-Aware (which seemingly worked fine, and did find and remove some cookies) and go to run the anti-virus software I had on my computer (but had never used) called ClamWin (an open source program), but I find the .exe file is missing. So I decide to download AVG. I do, and get an error just as it finishes installing. I try again to no avail. I download and install Avast and discover that its main .exe file is missing too, but AHA! There's still the file ashSimp2.exe in the Avast directory, which I use to run a scan with. It finds about half a dozen trojans (whose names I can't remember) by the time it finishes its thorough scan. I have them all deleted, and hope that it's over. But it isn't. A little while later I get that beeping again, and again I have to go close the IE process over and over. I run the Avast and Ad-Aware scans again, they find more trojans and cookies and delete them, but that obviously doesn't do anything to fix the problem.

    I start thinking to myself that maybe Avast just isn't equipped to deal with this infection, but something like Norton might be. So I go to download NAV, but again I get an error when I try to install it. This infection is one tough nugget. Also by this time, I've found and removed three worms running as processes in the Task Manager: svehost.exe (WORM_SPYBOT.H), wintems.exe (W32/Bagle.gen aka Win32/Mitglieder.CT!Trojan) and hldrrr.exe (Trojan.Toosoo.R).

    I then decided to ask for some help on a forum. I found this one and started to follow the procedure in the READ & RUN ME FIRST sticky before creating a new thread, and I followed all of the steps I was able to follow before posting this thread.

    So essentially what I have is a very nasty infection that is either spoofing other infections or actually installing these other trojans and worms on my computer; which is able to disable anti-virus software I download even when I've disabled every single non-essential process (including explorer); and which for some reason or another, is constantly running the iexplore.exe process but not actually opening any IE windows.

    I would greatly appreciate any help that any of you can offer, and I thank you deeply for offering your time to help me.
     

    Attached Files:
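    The symptoms in the post above (worm processes by name, iexplore.exe running with no IE window, and persistence in the Run keys) can be checked from a read-only triage script. The script below is an added example for readers, not part of the thread or of any tool the thread names. It assumes Windows PowerShell 5.1 or later, uses only the process names Nonym lists, and only reports; it does not kill processes or edit the registry.

```powershell
# Added triage example (not from the thread). Read-only: lists, never kills or deletes.
# Process names below are the ones named in the post (without the .exe suffix).
$suspectNames = @('svehost', 'wintems', 'hldrrr')

# Running processes whose image name matches one of the worm names from the post.
function Get-SuspectProcesses {
    Get-Process | Where-Object { $suspectNames -contains $_.ProcessName } |
        Select-Object Id, ProcessName, Path
}

# iexplore.exe with no top-level window matches the "IE process but no IE window" symptom.
# A legitimate IE session normally has a visible main window (MainWindowHandle is non-zero).
function Get-WindowlessIE {
    Get-Process -Name iexplore -ErrorAction SilentlyContinue |
        Where-Object { $_.MainWindowHandle -eq 0 } |
        Select-Object Id, Path
}

# Run-key entries (the same locations the thread's "runkeys" log covers), listed for review only.
function Get-RunKeyEntries {
    $keys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
            'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
    foreach ($k in $keys) {
        if (Test-Path $k) {
            Get-ItemProperty -Path $k | Select-Object -Property * -ExcludeProperty PS*
        }
    }
}

Write-Output '--- Processes matching names from the post ---'
Get-SuspectProcesses
Write-Output '--- iexplore.exe instances with no visible window ---'
Get-WindowlessIE
Write-Output '--- Run-key entries (review for unfamiliar paths) ---'
Get-RunKeyEntries
```

    Run it from an elevated PowerShell prompt so that Path is populated for all processes; any hit in the first two sections, or an unfamiliar executable in the Run keys, is what a helper would ask for logs about before cleaning, which is exactly the order the thread follows.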

  2. Nonym

    Nonym Private E-2

    Hijack this log
     

    Attached Files:

  3. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    You are strongly advised to do the following immediately:

    1. Disconnect infected computer from the INTERNET and from any networked computers until the computer can be cleaned.

    2. Call all of your banks, credit card companies, financial institutions and inform them that you may be a victim of identity theft and to put a watch on your accounts or change all your account numbers.

    3. From a clean computer, change *all* your online passwords -- for email, for banks, financial accounts, PayPal, eBay, online companies, any online forums or groups you belong to.

    Do NOT change passwords or do any transactions while using the infected computer because the attacker will get the new passwords and transaction information.




    Please use Add/Remove Programs to uninstall:
    J2SE Runtime Environment 5.0 Update 11
    J2SE Runtime Environment 5.0 Update 3
    PokerOffice (remove only)
    PokerStars
    PokerStove version 1.21
    Re-boot and install:
    Java Runtime 6

    1. Download this file - Combofix.exe
    2. Double click combofix.exe & follow the prompts.
    3. When finished, it will produce a log for you. Attach this log to your next reply.

    Note:

    Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

    Now re-Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    Please copy the bold text below to Notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "All Files". Once you have saved it, double click it and allow it to merge with the registry.

    Attach new logs for:
    ShowNew
    GetRun
    HJT
    ComboFix
     
  4. Nonym

    Nonym Private E-2

    I'm in the process of doing everything you've stated, including even removing the poker software, and I will post an update along with the information you requested when I am finished.

    However, I have to tell you that I am 100% certain that this infection is not a result of PokerStars, PokerStove or PokerOffice. PokerStars is a highly reputable card room that would have way too much to lose by offering infected software, and PokerStove and PokerOffice are used by so many people, none of whom have ever complained about malware caused by them, that I am absolutely certain they are safe to use. I do know where the virus originated, and it had absolutely nothing to do with poker.

    I don't know why you see the word Poker and immediately assume that it must be bad, but I can assure you that those programs are not at all malicious.
     
  5. Nonym

    Nonym Private E-2

    I've finished everything that you've asked me to do (including removing the poker software even though I know it is safe), and here are the log files:
     

    Attached Files:

  6. Nonym

    Nonym Private E-2

    And here's the ComboFix file.
     

    Attached Files:

  7. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Now re-Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    After clicking fix, exit HJT

    Please copy the bold text below to Notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "All Files". Once you have saved it, double click it and allow it to merge with the registry.
    Attach new logs for:
    ShowNew
    GetRun
    HJT

    Tell me how things are running.
     
  8. Nonym

    Nonym Private E-2

    I know this problem was close to being solved anyway, but my computer was a mess and I wanted to be 100% sure it was clean, so I just decided to reformat the partition. Just wanted to let you know. I've got some questions about organizing my partitions (their letters got all messed up when I installed Windows), but I'm sure there's another forum for that, so I'll ask there. Thank you very much for your help.
     
  9. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    That is always a choice... but you were close to being clean. You can post the partition questions in the software section. :)
     
