Malware- 24/01/2009

Discussion in 'Malware Help (A Specialist Will Reply)' started by manilka835, Jan 24, 2009.

  1. manilka835

    manilka835 Specialist

    Dear MajorGeeks Support Forums,

    I have detected the following infections in my computer through a Prevx Scan but I am unable to delete them as the scan is unable to clean and the files are hidden in the computer. They cannot be seen even if the folder options are set to see hidden files.

    Awaiting your advice on further action for removal of these files and prevention of any future infections.

    Thank You,
    Manilka.
     
  2. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Welcome to Major Geeks!


    Please follow the instructions in the READ & RUN ME FIRST link given further down and attach the requested logs when you finish these instructions.

    • If you have problems where no tools seem to run, please try following the steps given below and then continue on no matter what you find. You only need to try the TDSSserv steps if having problems getting scans in the Read & Run Me First.
    • If something does not run, write down the info to explain to us later but keep on going.
    • Do not assume that because one step does not work that they all will not.
    READ & RUN ME FIRST. Malware Removal Guide


    Helpful Notes:


    1. If you run into problems trying to run the READ & RUN ME or any of the scans in normal boot mode, you can run the steps in safe boot mode, but make sure you tell us what you did later when you post logs. See below if you do not know how to boot in safe mode:

    2. If you have problems downloading on the problem PC, download the tools and the manual updates for SUPERAntiSpyware, Malwarebytes and Spybot ( links are given in the READ & RUN ME) onto another PC and then burn to a CD. Then copy them to the problem PC. You will have to skip getting updates if (and only if) your internet connection does not work. Yes you could use a flash drive too but flash drives are writeable and infections can spread to them.
    3. To avoid additional delay in getting a response, it is strongly advised that after completing the READ & RUN ME you also read this sticky Don't Bump! It Only Hurts You!!!. Any additional post is a bump which will add more delay. Once you attach the logs, your thread will be in the work queue and as stated our system works the oldest threads FIRST.
     
  3. manilka835

    manilka835 Specialist

    Dr. K.D.J.H. Manilka Jayawardena,
    Medical Officer,
    National Tuberculosis Reference Laboratory,
    Chest Hospital premises,
    Welisara,
    Sri Lanka
    Monday, 9th February 2009.


    MajorGeeks Support Forums

    "Malware- 24/01/2009" update

    Herewith I am attaching the Logs you have requested.

    Initially PrevxCSI 3.0 helped me to find out that there was malware in my computer. In addition, Norton Antivirus and ESET Smart Security also detected it. However AVG 7.5 was unable to detect it. Even though the files were detected, I could not find them as they remained hidden even after I revealed the hidden folders to be seen. Initially when I ran PrevxCSI 3.0, it showed 14 infections. After installing and running Bit Defender, it was reduced to 8. Thereafter I contacted you for help as this was the main computer in our laboratory.

    I ran all the tools but 2 bad files were left. Namely, they are:
    1. gy.exe (Win32/PSW.OnLineGames.NMY Trojan)
    2. uvsqfgwd.cmd (Win32/PSW.OnLineGames.NMY Trojan)

    I managed to find them as they started to appear in the Folder C:\ (which were hidden earlier) and deleted them.

    I ran PrevxCSI 3.0 finally and it indicates that the system is clean.

    I have also attached PrevxCSI 3.0 at the end for you to see what it is.

    Once again thank you for your help. Just check out why the tools did not pick up the above files and see what you can do with Prevx 3.0.

    I wish all the best for MajorGeeks Support Forum.

    Yours truly,
    Dr. K.D.J.H. Manilka Jayawardena

    :wave
     

    Attached Files:

  4. manilka835

    manilka835 Specialist

    Dr. K.D.J.H. Manilka Jayawardena,
    Medical Officer,
    National Tuberculosis Reference Laboratory,
    Chest Hospital premises,
    Welisara,
    Sri Lanka
    Monday, 9th February 2009.


    MajorGeeks Support Forums

    "Malware- 24/01/2009" update - 2nd Upload

    The PrevxCSI 3.0 could not be attached. Please follow this link for it.
    http://www.prevx.com/freescan.asp

    I wish all the best for MajorGeeks Support Forum.

    Yours truly,
    Dr. K.D.J.H. Manilka Jayawardena
    :wave
     

    Attached Files:

  5. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    The scans took care of most of it, but we still need to do a few things.

    Please Disable Spybot's TeaTimer

    * Run Spybot and click Mode
    * Select Advanced Mode.
    * Then click Tools and select Resident.
    * Now in the right window pane, uncheck TeaTimer.
    * Also while this is open, in the left column now select IE Tweaks
    * and then in the right pane make sure all the Miscellaneous locks are unchecked.
    * Now quit Spybot!

    You have multiple anti-virus programs running; you need to uninstall all but one!! Either keep Norton or avast, not both.

    Part of your problem is this:
    Code:
    Total Physical Memory    512.00 MB    
    Available Physical Memory    47.60 MB
    
    You need more ram if your system will support it.

    I assume you have thumb drives or other usb devices as we need to remove a few things from the E and F drives:

    E:\yew.bat
    F:\ph.com
    E:\rqb0v2ot.bat
    E:\fun.exe

    You also need to use windows explorer to find and delete:
    C:\gy.exe
    C:\x2csvg.exe

    Now Copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.
    Make sure that you tell me if you receive a success message about adding the above
    to the registry. If you do not get a success message, it definitely did not work.


    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file.

    Be sure to tell us how things are running.
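    The files named in this reply (E:\yew.bat, E:\fun.exe, F:\ph.com, C:\gy.exe) are the classic pattern of a USB-spread infection: executables dropped at a drive root, marked hidden and system so Explorer's "show hidden files" setting alone does not reveal them, and often paired with an autorun.inf that launches them. The following Python script is an added example for checking a drive root for that pattern; it is not part of this thread and is not one of the MGtools or Prevx tools mentioned above. It lists every root-level file with an executable-type extension regardless of its attributes, reports the Windows hidden/system bits where available, and extracts the launch keys from any autorun.inf. The sample drive layout it builds (fun.exe, yew.bat, autorun.inf) is constructed inside a temporary directory to mirror the post, and contains no real malware.

```python
"""Check a drive root for root-level executables and autorun.inf launch keys.

Added example for this thread (not MGtools/Prevx code). Real use on Windows:
    print(scan_drive_root(Path(r"E:\\")))
"""
import tempfile
from pathlib import Path

# Extensions that have no business sitting loose at the root of a thumb drive.
SUSPECT_EXT = {".exe", ".bat", ".cmd", ".com", ".scr", ".pif", ".vbs"}

# Win32 file-attribute bits; st_file_attributes is only populated on Windows.
FILE_ATTRIBUTE_HIDDEN = 0x2
FILE_ATTRIBUTE_SYSTEM = 0x4


def win_attributes(p: Path) -> str:
    """Return 'H', 'S', 'HS' or '-' on Windows, 'n/a' on other platforms."""
    attrs = getattr(p.stat(), "st_file_attributes", None)
    if attrs is None:
        return "n/a"
    flags = ""
    if attrs & FILE_ATTRIBUTE_HIDDEN:
        flags += "H"
    if attrs & FILE_ATTRIBUTE_SYSTEM:
        flags += "S"
    return flags or "-"


def parse_autorun(text: str) -> dict:
    """Extract the keys of an autorun.inf that cause something to run.

    Parsed by hand rather than with configparser because real-world autorun.inf
    files often carry junk lines and mixed-case keys. Keys are lowercased.
    """
    launch = {}
    in_autorun = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if in_autorun and "=" in line:
            key, value = line.split("=", 1)
            key = key.strip().lower()
            # open= and shellexecute= launch directly; shell\...\command= hooks
            # the Explorer context menu (the "Open" entry on the drive).
            if key in ("open", "shellexecute") or key.startswith("shell"):
                launch[key] = value.strip()
    return launch


def scan_drive_root(root: Path) -> dict:
    """List root-level executables (with attributes) and autorun launch keys."""
    findings = {"root_executables": [], "autorun": None}
    # Path.iterdir() returns hidden and system files too, unlike Explorer.
    for entry in sorted(root.iterdir()):
        if not entry.is_file():
            continue
        if entry.name.lower() == "autorun.inf":
            # latin-1 cannot fail to decode, whatever bytes the file holds.
            findings["autorun"] = parse_autorun(entry.read_text(encoding="latin-1"))
        elif entry.suffix.lower() in SUSPECT_EXT:
            findings["root_executables"].append((entry.name, win_attributes(entry)))
    return findings


def build_sample_drive(base: Path) -> Path:
    """Constructed stand-in for the E: drive in this thread; placeholder files only."""
    base.mkdir(parents=True, exist_ok=True)
    (base / "fun.exe").write_text("constructed placeholder, not a program\n")
    (base / "yew.bat").write_text("rem constructed placeholder\n")
    (base / "photos").mkdir(exist_ok=True)
    (base / "photos" / "holiday.jpg").write_text("constructed placeholder\n")
    (base / "autorun.inf").write_text(
        "[AutoRun]\nopen=fun.exe\nshell\\open\\Command=fun.exe\nicon=fun.exe\n"
    )
    return base


def demo_report() -> dict:
    """Build the constructed sample drive in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        return scan_drive_root(build_sample_drive(Path(tmp) / "E"))


if __name__ == "__main__":
    report = demo_report()
    for name, attrs in report["root_executables"]:
        print(f"root executable: {name} (attributes: {attrs})")
    if report["autorun"]:
        print("autorun.inf launch keys:", report["autorun"])
```

    On a real machine the same check is `scan_drive_root(Path(r"E:\\"))` for each removable drive. Explorer hides files carrying both the hidden and system attributes until "Hide protected operating system files" is also unchecked, which is why the poster could not see gy.exe in C:\ even with hidden files shown; the attribute column makes that state explicit.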
     
  6. manilka835

    manilka835 Specialist

    Dr. K.D.J.H. Manilka Jayawardena,
    Medical Officer,
    National Tuberculosis Reference Laboratory (Central Laboratory of NPTCCD),
    Chest Hospital Premises,
    Welisara.
    Sri Lanka.
    Monday, 24th March 2009.

    Dear MajorGeeks Support Forums,
    Malware- 24/01/2009
    Thank you for your reply to my post on the above topic. Sorry for the delay in responding to your message. I have carried out the following instructions according to your reply:

    1. Disabled Spybot's TeaTimer

    2. Malware from thumb drives E and F were removed by antivirus & your antimalware programmes

    3. After running your anti-malware programmes the following files became visible and hence they were located and deleted
    C:\gy.exe
    C:\x2csvg.exe

    4. A success message about adding fixME.reg to the registry was displayed.

    5. After running MGTools, the new C:\MGlogs.zip file has been attached herewith.


    I have come across the following problems:

    1. How To Uninstall Symantec Antivirus
    Program Version
    Programme: 10.0.0.846 (OEM)
    Scan engine: 103.0.2.7
    Virus Definition File
    Version: 2/8/2008 rev.3

    It is not seen in Add or Remove Programme List.

    2. How To Temporarily Disable
    BitDefender Free Edition v10 - When the Bit Defender window appeared, there is no button as Virus Shield. I have a problem running Combofix as I am unable to disable "Bitdefender Antivirus On-access scanning"

    3. Realtime blocker - I have installed SUPERAntispyware free version. Do I need to have another realtime blocker such as Comodo BOClean Anti-Malware?

    4. Startup items
    I wish to know which of the following items can be deleted by using CCleaner startup manager.
    • ctfmon.exe
    • BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}
    • swg
    • WMPNSCFG
    • SUPERAntispyware
    • SpybotSD TeaTimer
    • Mouse Suite 98 Daemon
    • SoundMaxPnP
    • IgfxTray
    • HotKeysCmds
    • Persistence
    • AMSG
    • LPManager
    • SunJavaUpdateSched
    • DLA
    • ISUSPM Startup
    • ISUSScheduler
    • AwaySch
    • TVT Scheduler Proxy
    • ccApp
    • vptray
    • Google Desktop Search
    • DiskeeperSystray
    • Picasa Media Detector
    • PDService.exe
    • cssauth
    • RemoteControl
    • NeroFilterCheck
    • USB Antivirus
    • BDMCon
    • BDAgent
    • Adobe Reader Speed Launch.lnk
    • TkBellExe


    Thanking you.

    All the best,
    Manilka
     

    Attached Files:

  7. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Your logs are clean....and we can remove some startup items.

    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    After clicking Fix, exit HJT.

    And here is a link to tell you how to disable your protection software if the issue ever comes up again:
    How to temporarily disable your AV protection

    If you are not having any other malware problems, it is time to do our final steps:

    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no real time protection. They are useful as backup scanners. They do not use any significant amount of resources ( except a little disk space ) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required.
      • "%userprofile%\Desktop\combofix" /u
        • Notes: The space between the combofix" and the /u, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.

      • Delete the C:\combofix folder from combofix (if it exists)

    3. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    4. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    5. Go to add/remove programs and uninstall HijackThis.
    6. You can delete the C:\MGtools folder and the C:\MGtools.exe file. You can also delete the C:\MGlogs.zip
    7. If you are running Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning steps in the READ ME for your Window version and see the steps to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.

    8. After doing the above, you should work through the below link:

     
  8. manilka835

    manilka835 Specialist

    Dr. K.D.J.H. Manilka Jayawardena,
    Medical Officer,
    National Tuberculosis Reference Laboratory (Central Laboratory of NPTCCD),
    Chest Hospital Premises,
    Welisara.
    Sri Lanka.
    Thursday, 16th April 2009.

    Dear MajorGeeks Support Forums,

    Malware- IBM- 2009.04.16

    Thank you for your reply. I have carried out the instructions given in your thread.
    1. The recommended Startup Items were removed as instructed.
    2. Still I am unable to Temporarily Disable BitDefender Free Edition v10 - When the Bit Defender window appeared, there is no button as Virus Shield as indicated in the link on how to disable protection software: How to temporarily disable your AV protection
    3. How To Uninstall Symantec Antivirus?
    Program Version
    Programme: 10.0.0.846 (OEM)
    Scan engine: 103.0.2.7
    Virus Definition File
    Version: 2/8/2008 rev.3

    It is not seen in Add or Remove Programme List.

    4. I have detected Malware while running Malwarebytes' Anti-Malware. Therefore, I have carried out the instructions in READ & RUN ME FIRST. Malware Removal Guide again and have attached the relevant logs herewith.

    Thanking you.

    All the best,
    Manilka


    :confused
     

    Attached Files:

  9. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Your logs are clean. MBAM did its job. Now if you are asking about removing Norton, you can run this utility:
    Norton Removal Tool.
     
  10. manilka835

    manilka835 Specialist

    Dr. K.D.J.H. Manilka Jayawardena,
    Medical Officer,
    National Tuberculosis Reference Laboratory (Central Laboratory of NPTCCD),
    Chest Hospital Premises,
    Welisara.
    Sri Lanka.
    Monday, 22nd June 2009.

    Dear TimW,
    MajorGeeks Admin - Malware Expert.

    Malware- 24/01/2009

    Norton Removal Tool Uninstalled Symantec Antivirus.

    However, I am now having the problem of manually updating BitDefender Free Edition v10 as the Internet Facility is temporarily out of service. Please advise from where the relevant update can be downloaded.

    Thanking you.

    All the best,
    Manilka
    :cry
     
  11. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

