Malware causing many problems and scans would not all work

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by siofra1101, Aug 23, 2009.

  1. siofra1101

    siofra1101 Private E-2

    Hi I am having huge problems with my computer and my husband's laptop. They are both infected with the same malware. My lovely hubby downloads a lot of pen drive applications from unverified websites and installed them onto his laptop. While I was out one night he then put them onto my computer, which I use to work from home.

    I will just deal with this computer in this thread as I need it for work and as he is in the doghouse, his can wait! ;)

    Ok, so around 6 weeks ago I noticed that comodo was not running on startup as it should and neither was AVG. I then started to get internet connection problems and found that it kept timing out. Sometimes a page would load in and others not. I now find that when I type the letters do not always print out. Everything is slow and sluggish. I found that emails that I had supposedly sent were being returned to me in my inbox also.

    Before I went away on holiday I scanned with Malwarebytes and found an infection which I removed. I scanned with SuperAntiSpyware and it found Dynamic Desktop but could not remove it. I manually changed the name of the exe file and deleted it and went on holiday. C:\Install.exe trojan was also found and removed.

    Now back and still problems, no scanner other than Advanced Spyware Remover is detecting anything now. Advanced Spyware Remover finds:

    File Infection Dynamic Desktop c:\windows\winsxs\x86_microsoft-windows-iss-httpredirect_31bf3856ad364e35_6.0.6001_none_3aa9e6f62b23af88\redirect.dll

    It says it removed it but it hasn't. I tried this in safe mode also.

    Now I followed all the instructions in the Readme and completed the scans...

    SuperAntispyware found nothing, as did Malwarebytes (weirdly though, on reboot of my computer Malwarebytes has disappeared)

    Next came ComboFix, here problems started. It kept telling me that AVG is running, so I went into processes and tried to manually stop them. Every time I tried to stop a process, it reopened and multiplied... the rogues are:
    avgwdsvx.exe - avgrsx.exe - avgnsx.exe and avgcxrvx.exe

    I figured as I couldn't stop them I had best just do ComboFix anyway. This went fine BUT after this finished I tried to use RootRepeal and Internet Explorer and received this error message:

    c:|Program Files\Internet Explorer\iexplorer illegal operation attempted on a registry key that has been marked for deletion.

    I received this message (slightly different for other things) for anything I tried to do and had to restart my computer.

    Then I tried to run RootRepeal and kept getting error:

    FOPS - DeviceControl Error? Error Code: 0xc0000024
    Extended info (0x000000d4)

    And after reboot this error message on trying to run:
    Could not initialize drive! Please contact the author!

    So had to skip this one and move onto MGTools which ran fine.

    I have attached all the logs and apologise for the length of the post but wanted to try and give as much detail as possible.

    Many thanks
     

    Attached Files:

  2. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    These files belong to AVG Internet Security.

    You have both AVG and Norton 360 installed. Uninstall one!

    Use windows explorer to find and delete:
    c:\windows\system32\ssbtsr.exe

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:

    * C:\MGlogs.zip
     
  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Actually this is from ScanSpyware which should be uninstalled. Then if the file remains, it should be deleted. If ScanSpyware cannot be uninstalled (which is probably the case) all folders and files from it need to be deleted.
     
  4. siofra1101

    siofra1101 Private E-2

    Thanks, I deleted a lot of Norton a while ago but it seemed to leave a little something behind. Used the tool from their website now though and got rid of all.

    Also had ScanSpyware on here, in desperation of fixing this problem but had deleted that also. Anyway, checked all gone and have deleted
    c:\windows\system32\ssbtsr.exe
    Here is the MGTools logs

    Thanks
     

    Attached Files:

  5. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Did you not read this:

    1. Make sure you read our policies on illegal software:
    The cracked software came in on the 26th. I suggest that you cease doing anything to your computer that we have not asked you to do until we are finished cleaning your system.

    Now download The Avenger by Swandog469, and save it to your Desktop.

    * Extract avenger.exe from the Zip file and save it to your desktop
    * Run avenger.exe by double-clicking on it.
    * -Do not change any check box options!!
    * Copy everything in the Quote box below, and paste it into the Input script here: part of the window:


    * Now click the Execute button.
    * Click Yes to the prompt to confirm you want to execute.
    * Click Yes to the Reboot now? question that will appear when Avenger finishes running.
    * Your PC should reboot, if not, reboot it yourself.
    * A log file from Avenger will be produced at C:\avenger.txt and it will popup for you to view when you login after reboot.
    -
    Now run Ccleaner to clean out only temp files and nothing else!

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:

    * C:\Avenger.txt
    * C:\MGlogs.zip
     
  6. siofra1101

    siofra1101 Private E-2

    Many thanks again and rolleyes sorry I hadn't read that post... I will make sure I download nothing more.

    Ok have followed your instructions and here are the logs.
     

    Attached Files:

  7. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    You are missing a system file. Let's replace it.

    Now download and save this XPsp3bu.exe to your C:\ root folder. You must do this properly. Now run the XPsp2bu.exe program by double clicking on it. You may or may not notice a quick flash of a black window. This is normal. The program runs quickly and just extracts some files we need.

    Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    After clicking Fix, exit HJT.

    * Run avenger.exe by double-clicking on it.
    * -Do not change any check box options!!
    * Copy everything in the Quote box below, and paste it into the Input script here: part of the window:


    * Now click the Execute button.
    * Click Yes to the prompt to confirm you want to execute.
    * Click Yes to the Reboot now? question that will appear when Avenger finishes running.
    * Your PC should reboot, if not, reboot it yourself.
    * A log file from Avenger will be produced at C:\avenger.txt and it will popup for you to view when you login after reboot.
    -
    Now run Ccleaner to clean out only temp files and nothing else!

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:
    * C:\ComboFix.txt
    * C:\Avenger.txt
    * C:\MGlogs.zip

    Make sure you tell me how things are working now!
     
  8. siofra1101

    siofra1101 Private E-2

    Hi Tim

    Ok well running much faster than before I have to say. I still wasn't able to terminate the AVG files in any way at all before running ComboFix though. It also is still not responding correctly now that I am trying to re-enable resident shield, keeps crashing.

    I am still using 49% of my physical memory on 1GB of RAM and only running outlook.

    Internet Explorer seems to be behaving at the moment though and not keep saying it cannot connect to sites.

    Here are my logs
     

    Attached Files:

  9. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    We need to use combo to copy that file it seems.

    * Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
    If it is not on your Desktop, the below will not work.
    * Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    * If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
    * Open Notepad and copy/paste the text in the below code box into it (make sure you scroll all the way down in the code box to get all lines selected ):
    Code:
    KILLALL::
    
    FCopy::
    C:\MGtools\temp\eventlog.dllmg|C:\WINDOWS\system32\dllcache\eventlog.dll
    C:\MGtools\temp\eventlog.dllmg|C:\WINDOWS\system32\eventlog.dll
    
    * Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    * At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    * You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    If it asks you to override the previous file with the same name, click YES.
    * Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
    * Follow the prompts.
    * When it finishes, a log will be produced named c:\combofix.txt
    * I will ask for this log below

    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:

    * C:\ComboFix.txt
    * C:\MGlogs.zip
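The CFScript that TimW has the poster drag onto ComboFix.exe is plain text: a `Section::` header followed by its argument lines, with `FCopy::` taking `source|destination` pairs. The following dry-run parser is an added example, not ComboFix's own code and not from this thread; it models only the two directives used above (`KILLALL::` and `FCopy::`), keeps any other section verbatim as "unknown" so nothing is silently dropped, and checks each FCopy pair before the script is ever run. The `.dllmg` naming convention for MGTools' clean copies is inferred from the paths in the script above, and the function names `parse_cfscript` and `review` are chosen here.

```python
"""Dry-run parser for the CFScript text that ComboFix accepts when a script
is dragged onto ComboFix.exe. Added example, not ComboFix's own code: only
the two directives used in the thread (KILLALL:: and FCopy::) are modelled,
and the exact behaviour of any other directive is not assumed here.
"""
import os
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple

SECTION_SUFFIX = "::"        # section headers look like "FCopy::"
MG_CLEAN_SUFFIX = ".dllmg"   # assumed: MGTools' clean DLL copies end in .dllmg


@dataclass
class CFScript:
    killall: bool = False                                        # KILLALL:: seen
    fcopy: List[Tuple[str, str]] = field(default_factory=list)   # (source, destination)
    unknown: Dict[str, List[str]] = field(default_factory=dict)  # other sections, verbatim
    errors: List[str] = field(default_factory=list)              # syntax problems


def parse_cfscript(text: str) -> CFScript:
    """Parse script text into a CFScript without touching the filesystem."""
    script = CFScript()
    section = None
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue
        if line.endswith(SECTION_SUFFIX):
            section = line[:-len(SECTION_SUFFIX)]
            if section == "KILLALL":
                script.killall = True
            elif section != "FCopy":
                script.unknown.setdefault(section, [])
            continue
        if section is None:
            script.errors.append(f"line {lineno}: content before any section header")
        elif section == "KILLALL":
            script.errors.append(f"line {lineno}: KILLALL:: takes no arguments")
        elif section == "FCopy":
            parts = line.split("|")
            if len(parts) != 2 or not all(parts):
                script.errors.append(f"line {lineno}: FCopy needs exactly 'source|destination'")
            else:
                script.fcopy.append((parts[0], parts[1]))
        else:
            script.unknown[section].append(line)
    return script


def _basename(win_path: str) -> str:
    # os.path.basename only splits on the host separator; normalise backslashes first
    return os.path.basename(win_path.replace("\\", "/"))


def review(script: CFScript, exists: Callable[[str], bool] = os.path.exists) -> List[str]:
    """Warn for each FCopy pair whose source is missing on disk, or whose
    destination file name differs from the source once the .dllmg suffix is
    stripped. `exists` is injectable so the check can run off the infected box."""
    warnings = []
    for src, dst in script.fcopy:
        if not exists(src):
            warnings.append(f"source not found: {src}")
        src_name = _basename(src)
        if src_name.lower().endswith(MG_CLEAN_SUFFIX):
            src_name = src_name[:-2]  # ".dllmg" -> ".dll"
        if src_name.lower() != _basename(dst).lower():
            warnings.append(f"name mismatch: {src} -> {dst}")
    return warnings


# Constructed sample: the exact script given in the thread above.
SAMPLE_SCRIPT = r"""KILLALL::

FCopy::
C:\MGtools\temp\eventlog.dllmg|C:\WINDOWS\system32\dllcache\eventlog.dll
C:\MGtools\temp\eventlog.dllmg|C:\WINDOWS\system32\eventlog.dll
"""

if __name__ == "__main__":
    parsed = parse_cfscript(SAMPLE_SCRIPT)
    print("KILLALL:", parsed.killall)
    for src, dst in parsed.fcopy:
        print("copy", src, "->", dst)
    for problem in parsed.errors + review(parsed):
        print("WARNING:", problem)
```

Run it on the saved CFscript.txt before dragging the file onto ComboFix: a syntax error or a name mismatch is caught in the dry run rather than on the machine, and a "source not found" warning means the MGTools temp copy never got extracted, which is exactly the situation the later posts in this thread run into.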
     
  10. siofra1101

    siofra1101 Private E-2

    Ok did everything, dragged the CFscript.txt into ComboFix... ComboFix did some things it hasn't done before, i.e. backed up registry. Then restarted the computer. I had to write a name for the save file...

    Again however, had to run ComboFix with AVG processes running, they will not terminate at all... I have tried the method posted on here and also manually with Task Manager and they just re start up!

    Computer restarted, tried to run MGtools\GetLogs.bat and got a message that access to keys was denied... They needed to be deleted on re-boot. So re-started computer again and then ran.

    Here are the logs (ok just clicked the manage attachments and got windows explorer cannot display webpage) error... trying again (was then logged out)
     

    Attached Files:

  11. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    And it just got worse.

    You are now missing numerous system files. You need to back up your data and personal files to a cd. Do not back up any exe files.

    Then I want you to go to start / run / type:
    sfc /scannow

    Let it run twice ( have your xp cd handy). Tell me what happens.

    Then run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:
    * C:\MGlogs.zip
    If this does not work, we can try a repair installation.
     
  12. siofra1101

    siofra1101 Private E-2

    Oh my hubby is in soooo much trouble... ok am running Vista and don't have a disk, these stupid new machines have it ghost written in as I know you are aware... It's been dying a slow death for a while now...

    without a disk what do you suggest?
     
  13. siofra1101

    siofra1101 Private E-2

    sorry forgot to mention that I do have all my personal data on an external so don't need to back up, thank goodness!
     
  14. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    I need to consult on this. Combo is reporting missing files that seem to be wrong. For one, Vista has no eventlog.dll. So I am not sure why it is reporting all the other files as missing. Let me get back to you before you do anything else.
     
  15. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Let's see if we can straighten out Combo.

    Please use windows explorer to find and delete:
    C:\WINDOWS\system32\dllcache\eventlog.dll
    C:\WINDOWS\system32\eventlog.dll

    Don't worry about AVG running. Just re-run Combo and attach the new log.
     
  16. siofra1101

    siofra1101 Private E-2

    Ok have done this. Had to restart ComboFix again as it said files marked for deletion.

    Internet Explorer is still freezing, Firefox doesn't seem too bad.
     

    Attached Files:

  17. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Your log shows that you have these installed:
    AVG Free 8.5
    Norton 360 --> did you uninstall this?

    Use windows explorer to find and delete:
    c:\users\Sarah Taylor\AppData\Roaming\ScanSpyware

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:

    * C:\MGlogs.zip

    Make sure you tell me how things are working now!
     