Malware Found in XP

Discussion in 'Malware Help (A Specialist Will Reply)' started by RockinRoll, Aug 12, 2010.

  1. RockinRoll

    RockinRoll Private E-2

    Hi,

    I originally posted the following in Software. I was instructed to run the Malware Removal Guide and repost to this forum.
    ----------------

    Last night I was using both Green Browser (it uses IE's engine) and Firefox without an issue. I shut down the system and booted up this morning and the Windows Update icon popped up and said there are updates for your computer.

    I went ahead and installed them. When it rebooted the Malicious Software Removal Tool found a couple "viruses": TrojanWinNT/Bubnix.J & VirTool/WinNT:CutWail.L

    It said that it removed them successfully. I rebooted and then fired up Green Browser and FF and I had no connection. I checked the DSL modem, my mom's computer, both were working fine and she has a net connection.

    I checked Device Manager and everything (about 6 entries) under Network adapters was non-functioning. I tried to update the drivers and I got a message that said they were all missing or corrupt.

    I ran the Add Hardware Wizard and it found the devices but asked for SP3 on CD, which I don't have.

    I ran System Restore but the only point available was this morning. Odd because I've manually run it recently. It wouldn't let me go back a day nor a month. I ran it anyway but it didn't fix the connection issue.

    I didn't know what else to do so I reinstalled XP from the CD and it fixed the connection problem. The odd thing is that Device Manager now has only one device under Network adapters: Intel PRO/100 VE Network Connection

    I fired up Green Browser and it wouldn't connect. I tried Firefox and it works fine.

    I guessed that GB needed a newer IE engine to function and clicked on Windows Update to download it (and the newest Service Pack, 3 I think?) and got this:

    "The requested look up key was not found in any activation context." I guess that means IE got dumped?

    I'm about to go here: http://support.microsoft.com/ and find them manually, but I wanted to get some input before.

    I'm not sure what the name of the current update was that screwed up the computer, so I guess I can check that by date and make sure I don't install it. Yes/No?

    I also don't know if it was just a coincidence that the drivers were corrupted or deleted, or if it was a result of the viruses or a bug in the Malicious Software Removal Tool. Any thoughts?

    I checked the board and I didn't see that anybody else had the same issue after installing the update, so I guess it's a coincidence, aye?

    Is there anything else that I ought to do before or after the updates? I just created a restore point.

    By the way I've been running SuperAntiSpyWare v4.41.1000 and somehow still got the viruses.
    ------------------------------

    I've gone through the guide, but I'm unsure whether or not it's fixed. I'm not really sure what to do at this point. I think I'm following proper protocol by posting the log files...at least, that's how I read it.

    Please find the files attached here and a subsequent post and let me know what I ought to do next.

    Thanks much!
    Rock
     

    Attached Files:

  2. RockinRoll

    RockinRoll Private E-2

    Malware Found in XP addendum & SAS attachment

    Note: After MalwareBytes rebooted the system there was a Windows Security Alert that said that ZoneAlarm antivirus was disabled. Hmm? Not sure what's going on there. I, of course, run ZA but I don't have the premium edition and the free edition doesn't offer the antivirus. And I'm not in a grace period for testing the premium version. I did install the premium edition, maybe a year ago, but I disabled the antivirus for that anyway so it was never functioning, at least to my knowledge. I mention it because the malware removal guide said to disable all but one antivirus. The only one I had running was SuperAntiSpyWare.

    Also the two SASlog.txt attachments are there because I blew it and ran SAS with default settings and then reread the instructions, got the correct settings input and reran SAS. Sorry, for my mistakes!
     

    Attached Files:

  3. dr.moriarty

    dr.moriarty Malware Super Sleuth Staff Member

    Hello, RockinRoll

    I'll be able to thoroughly check your logs in the morning - but wanted to let you know that your logs are being looked at.
    *Your ComboFix log shows
    If you disabled the av function of ZoneAlarm a year ago -- I see no other anti-virus installed, and SUPERAntiSpyware is an "after the fact" anti-malware scanner only... it doesn't/can't function as a substitute for an anti-virus application.

    *Please refrain from browsing the net (only to check for my replies) while I work up a fix in the morning.

    dr.m
     
  4. dr.moriarty

    dr.moriarty Malware Super Sleuth Staff Member

    Hello, RockinRoll

    NOTES:
    • Support for Windows XP with Service Pack 2 (SP2) ended on July 13, 2010.
    • You currently have NO Anti-Virus program installed on this machine! As soon as we have completed the below steps, install an anti-virus immediately.
    • Using these outdated web browser software versions is a security risk:
      Mozilla Firefox (2.0.0.18)
      Mozilla Firefox (3.0.4)
      Mozilla Thunderbird (2.0.0.18)

    I strongly recommend that you clean up this account's Desktop immediately, leaving only shortcut links. [ C:\Documents and Settings\Scot\desktop ] Do not store downloads, exe files, iso files....etc on your Desktop. First, it is not a safe place to keep them (i.e., you may lose them due to malware, and a cluttered Desktop is an easy hiding place for malware), and last but not least - it can have an effect on your PC's performance.

    Step 1:
    Now we need to use ComboFix.
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Make sure you have shut down all protection software (antivirus, antispyware, firewall...etc) programs so they do not interfere with the running of ComboFix. *Remember to re-start them before coming back online.
    • If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
    • Open Notepad and copy/paste the text inside of the below code box into it (make sure you scroll all the way down in the code box to get all lines selected ):
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
      If it asks you to override the previous file with the same name, click YES.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
      http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below
    Note:
    Do not mouseclick combofix's window while it is running. That may cause it to stall.


    Step 2:
    Open CCleaner - select "Cleaner" > "Run Cleaner" <---use this function ONLY!

    Step 3:
    Now run this online scanner:
    ESET Online Scanner

    Step 4:
    Then install one of the recommended anti-virus programs listed here:

    How to Protect yourself from malware!

    Step 5:
    Then run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Windows 7, use right click and select Run As Administrator).

    Please attach the below logs to your next reply:
    • C:\MGlogs.zip
    • ESET Online Scanner results

    * Make sure you tell me if you had any problems running this procedure; and answer this - "What malware problems are you still experiencing?"

    dr.m
     
  5. RockinRoll

    RockinRoll Private E-2

    Thanks much, Dr. M!!

    Whew, that was quite a task. I've been working on this since I woke up this morning. The only break I took was because of a family emergency. I just got back and I'm exhausted so I hope I can write this well enough to be understood.

    I've included some of the sidesteps I took so that if you see that I did something dumb or not quite right, hopefully, you'll point it out and let me know how to correct it.

    I kept a pretty careful record of the steps I took...although I took a few missteps along the way. Also, I had to reboot several times and then go back and recheck the instructions...anyway, that's the main reason I messed up a step or two along the way. Okay...

    The first thing I did was clean up the desktop.

    I then ran ComboFix and CCleaner as instructed.

    I did the next step and got this on the first attempt:
    ESET Scanner Unexpected error 2002

    And this was the result when successful:

    C:\WINDOWS\imahuropifatufo.dll a variant of Win32/Cimag.CK trojan cleaned by deleting - quarantined

    I had a difficult time getting SP3 installed; clicking on Windows Update just resulted in errors...

    From here: http://forums.majorgeeks.com/showthread.php?t=44525
    1. Visit Windows Update:

    I linked over the ms page and it told me: "To add Windows Update to the trusted sites zone:

    1. On the Tools menu in Internet Explorer, click Internet Options."

    I couldn't find a shortcut to open IE anywhere off the start button, etc. (don't know why it disappeared) Green Browser uses the IE engine and IE's Internet Options are usually available through it, but clicking on Tools>> Internet Options did nothing and, of course, GB still didn't connect to the net.

    I surmised that I need to install IE before I could get SP3 installed....

    I installed IE 8>> Windows Update >> (and tried to install SP3) I installed the recommended updates

    Checked System Info and it still listed SP2.

    Back to Windows Update>> SP3 (the first attempt failed at about 80%), On the 2nd attempt the Installing Updates box popped up but it never started to download (after 15 minutes). I rebooted. 3rd attempt with the same result...no start. I then tried to get it by going directly to the site but it failed too. Back to Major Geeks.

    That led me here: http://www.microsoft.com/downloads/...A8-5E76-401F-BE08-1E1555D4F3D4&displaylang=en

    ...it was for IT Pros only. I scrolled down and found "Windows XP Service Pack 3 - ISO-9660 CD Image File" and figured I'd burn it and run it.

    I clicked on it and Software Update Installation Wizard popped up, so I ran through the prompts expecting it to eventually offer the ISO for download. It started with a system compatibility check. Then it just started installing files. After about 25 minutes of installing files, the whole time the hard drive is whirring, the fans were screaming, the processor is being heavily taxed and there were intermittent blips/screen flashes (all unusual) it got to Performing Cleanup. It's now at the same point (80%ish) that the 1st attempt failed/hung up. After about 45 minutes on cleanup I almost canceled it but it succeeded. I rebooted.

    Okay, SP3 is now installed.

    I installed AntiVir Personal Edition

    I deinstalled Zone Alarm and replaced it with Comodo, per the recommendations.

    I installed SpyBot-Search & Destroy

    --------------

    Great directions, by the way, but I messed up and over-did one of the steps (my head is spinning a bit):

    "Step 4:
    Then install one of the recommended anti-virus programs listed here:

    How to Protect yourself from malware!

    Step 5:
    Then run the C:\MGtools\GetLogs.bat... "

    As you read above I went through the page and followed all the directions instead of running C:\MGtools\GetLogs.bat right after installing the AV. I hope it didn't screw up the test results you requested.

    So, now, I think I'm up and running and well protected.

    RE: "What malware problems are you still experiencing?"

    Something that hasn't happened before: When I click on the icons in the Task Bar they flash orange a couple times and don't take focus. Alt-Tab is switching focus though.

    Something is taxing the system, i.e. the fans start running very fast. It's not constant but it is frequent.

    At some point I lost all audio. I reinstalled the drivers through Device Manager: Realtek High Definition Audio. It's working now.

    Question:
    Is there a guide that tells you what to reset back to normal/safer, e.g. switching to view the hidden system files back in Windows Explorer?

    -------------------
    Is the following something I should allow?

    WinPatrol: "The program currently associated with this file type is: Run a DLL as an App.
    Microsoft Corporation
    .c:windows\system32\rundll32.exe, c:windows\system32\ieframe.dll, OpenURL %|

    A change was made to use the following program for this file type
    Microsoft Corporation
    rundll32.exe ieframe.dlll, OpenURL %|

    Is this change ok?"
    ----------------------
    I clicked No. It popped up a couple dozen times during the day.

    The reason I mention that is because I don't know if it's safe, the timing was suspicious and I may have accidentally clicked Yes when SP3 was installing asking for similar permissions. Anyway, it's not popping up anymore and I figure the two possibilities are that I clicked Yes, or that one of the anti-malware programs killed it. Is it probable that it was malware trying to install and do I need to do anything to address it?

    One last thing, if you don't mind, Avira keeps popping up and reporting that MGTools.exe is malware and it's not giving me the option to ignore. What do I do? I believe it was mentioned somewhere in the instructions/guides and I'll go back and reread them, and Avira docs, but if you would answer it I'd appreciate it.

    By the way, if I got a little too wonky and unintelligible here, please let me know where. I'll get a little sleep and answer with a clearer head. But I wanted to get this posted so you didn't think I was an unappreciative weenie.

    Again, THANK YOU!!

    PS- the Manage Attachments isn't functioning for some reason. I'll post this and then try attaching MGlogs.zip to another post. If that doesn't work I'll shut down Avira, because it popped up right when I clicked on Manage Attachments reporting MGTools as malware and see if that works.
     
  6. RockinRoll

    RockinRoll Private E-2

    Avira popped up again, but I was able to get it attached.
     

    Attached Files:

  7. dr.moriarty

    dr.moriarty Malware Super Sleuth Staff Member

    ;)

    Good job, RockinRoll!

    Yes - just WinPatrol doing its job by notifying you of something attempting to change your registry. {Changes being made by installing Internet Explorer 8}

    As advised in the Windows XP Cleaning Procedure
    Note: Because I constantly use it - my solution was:

    Adding MGTools.exe to Avira's exceptions list:
    • Open Avira and click on the "Extras" tab
    • In the drop-down menu - choose Configuration
    • Expand the "Guard" then the "Scan" labels as shown below.
      Enter Avira's EXPERT Mode: http://i268.photobucket.com/albums/jj5/drmoriarty/AviraEXPERTMode.jpg
    • Left click the "Exceptions" label
      Add to Avira's EXCEPTIONS list: http://i268.photobucket.com/albums/jj5/drmoriarty/AddtoAvirasEXCEPTIONS.jpg
    • In both panes - type C:\MGTools.exe and press the Add >> buttons for each. {Refer to the above screencapture}
    • Click OK to close the Avira window.
     
    Last edited by a moderator: Aug 14, 2010
  8. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Dr Moriarty has had to rush off for work but he has spotted some more malware to remove. Let's get it done:


    Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    After clicking Fix exit HJT.

    Now we need to use ComboFix
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    • If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
    • Open Notepad and copy/paste the text in the below quote box. Ensure you scroll down to select ALL the lines:
    Code:
    KILLALL::
    
    File::
    C:\WINDOWS\system32\winsys2.exe
    C:\Windows\WMSysPr9.prx
    C:\Documents and Settings\Scot\Local Settings\TEMP\zauninst.exe
    
    Registry::
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentVersion\Run]
    "WinSys2"=-
    
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe

      http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below

    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    Also delete all files in the below bold folders except ones from the current date (Windows will not let you delete the files from the current day).

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this.

    Let Dr M know how things are running!
     
  9. RockinRoll

    RockinRoll Private E-2

    Thanks, Kestrel!!

    I had already started doing the clean up that Dr. M instructed. I had already reset the folders/file extensions back to hidden. If that messed up the scan, please, let me know and I'll go back through the steps and redo the scans.

    Of course, I'll hold off doing anything else until I hear from you or Dr. M.

    Best,
    Rock
     

    Attached Files:

  10. dr.moriarty

    dr.moriarty Malware Super Sleuth Staff Member

    Let's remove a leftover from ZA and some more temp files:

    Using Windows Explorer -
    • Delete ---> c:\windows\system32\zllictbl.dat
    • Delete the entire contents of the folder C:\TEMP
    Then open CCleaner - select "Cleaner" > "Run Cleaner" <---use this function ONLY!

    * We need to restore a non-malware related file.

    Now we need to use ComboFix.
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Make sure you have shut down all protection software (antivirus, antispyware, firewall...etc) programs so they do not interfere with the running of ComboFix. *Remember to re-start them before coming back online.
    • If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
    • Open Notepad and copy/paste the text inside of the below code box into it (make sure you scroll all the way down in the code box to get all lines selected ):
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
      If it asks you to override the previous file with the same name, click YES.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
      http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below
    Note:
    Do not mouseclick combofix's window while it is running. That may cause it to stall.


    Please attach the new ComboFix.txt log to your next reply.
     
    Last edited: Aug 15, 2010
  11. RockinRoll

    RockinRoll Private E-2

    Hi, Dr. M-

    I looked in C:\, then did a system search and it didn't turn up ComboFix.txt. I think I grabbed the right file though.

    Not a whine, just an FYI in case it's a bug or simply something to note: The first two times I ran ComboFix I tried to update to the new version and it aborted...I waited about 20 minutes between attempts.

    I then tried to run it without downloading the update and it aborted.

    I rebooted and shutdown all software that was running, i.e. not just AV, firewall, etc. and CF aborted the first attempt. It was successful on the second attempt at downloading the new version and running the script...I think, that is if DeQuarantine.txt is the correct log. :)

    Dr.M, Do you know of a good video-based learning system for more advanced computing? I'd like to learn things such as how you know what files are infected, or not infected, etc. by looking at log files. I'd like to know more about the system level, and the deeper functions of Windows, etc. I'm not sure if you noticed or not but I've got a little dyslexia going on so it jacks with syntax a bit...reading can be quite difficult at times and I just learn better via lectures.
     

    Attached Files:

  12. dr.moriarty

    dr.moriarty Malware Super Sleuth Staff Member

    Sorry to be late getting back to you - I'm having a video problem with my main pc.

    I'm not aware of any current ones, as my initial training was through attending an online malware removal training school; and continued training by lessons & discussions with the team here and other malware fighters on the net... and always - lots of web searches. You might ask about that in a new topic in our Software Forum - or even consider one of the schools listed in this link: Becoming a Malware Forum Helper

    * I've found those willing to train to be very understanding about any special-needs students, if they have a strong desire to learn.
    -------------------------------------

    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources ( except a little disk space ) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /uninstall
        • Note: The space between combofix" and /uninstall must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
    3. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    4. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    5. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    6. Go to add/remove programs and uninstall HijackThis.
    7. Go to the C:\MGtools folder and find the MGclean.bat file. Double-click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    8. If you are running Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures in step 3 of the READ ME for your Windows version and see the instructions to Disable System Restore, which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    9. After doing the above, you should work thru the below link:

    Safe surfing!
     
  13. RockinRoll

    RockinRoll Private E-2

    Hi, Dr. M!

    I don't know how I missed this. I hope you'll accept my apology.

    I want to let you know that I truly appreciate your effort and expertise!

    Thank you very much for helping me get my PC clean and running smoothly! I paid it forward and got my cousin's PC cleaned up a couple of weeks ago.

    Best,
    Rock
     
  14. dr.moriarty

    dr.moriarty Malware Super Sleuth Staff Member

    :)

    You're very welcome, Rock; and no apology is needed.

    I wish you great success in your goal of learning "The Deep Stuff" - and let's all continue to "Play It Forward"!

    dr.m
     
