Malware getting me down

Discussion in 'Malware Help (A Specialist Will Reply)' started by DangerWilliams, Apr 2, 2009.

  1. DangerWilliams

    DangerWilliams Private E-2

    Hey guys,

    About a month ago I was trying to download DOW 2 from Steam when I accidentally entered my age as a 1 year old and got blocked at the age gate. I desperately wanted to play this game and despite multiple reboots and reloads couldn't get the age gate to reset, so I went in search of an IP blocker to try and bypass the system, ended up with a bad .exe file and the rest is malware history.

    I was pretty sure I already had a virus of some sort playing around with my IE, but this new one messed things up royally! From what little knowledge I have it appears that I have problems with twext.exe and userint.exe in addition to a couple of other nasties.

    Symptoms: multiple SYSTEM-started iexplore.exe (generally two on boot up and possibly more over time), multiple unknown svchost.exe, some using up lots of system resources to the point where it won't open other programs; recently explorer.exe seems to be resetting every 10-30 seconds and randomly shutting down programs I have open.

    I attempted everything in the READ and RUN, although a couple of the scans produced a BSOD and some couldn't be completed due to the explorer.exe reboot and program shutdown. The logs completed were all done in safe mode; however both MBMS and Combofix can be done normally. Also I normally run AVG; however the malware was really wreaking havoc with it and I couldn't shut it down for Combofix, so I have deleted it until hopefully we can get the system clean.

    I've had a look around and you guys really do some great work, so hopefully I'm not beyond helping; I really don't want to have to reformat or run Linux!!

    Look forward to your response,

    Cheers,
    Danger
     


  2. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Some of your system files are infected. We will try to get you clean, but there is the chance that you may end up having to reformat. :(

    Let's start with this:

    Now let's use ComboFix to remove a bunch of malware files.

    * Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop, but Do not run it!
    o If it is not on your Desktop, the below will not work.
    * Open Notepad and copy/paste the text in the below code box into it (make sure you scroll all the way down in the code box to get all lines selected ):
    Code:
    KILLALL::
    
    
    Drivers::
    gel90xne
    
    File::
    c:\windows\system32\7.tmp
    c:\windows\system32\5.tmp
    c:\windows\system32\6.tmp
    c:\windows\system32\2.tmp
    c:\windows\system32\81.tmp
    c:\windows\system32\82.tmp
    c:\windows\system32\23.tmp
    c:\windows\system32\22.tmp
    c:\windows\system32\stu2.exe
    c:\windows\system32\43.tmp
    c:\windows\system32\44.tmp
    c:\windows\system32\4F.tmp
    c:\windows\system32\4D.tmp
    c:\windows\system32\4E.tmp
    c:\windows\system32\4B.tmp
    c:\windows\system32\4C.tmp
    c:\windows\system32\47.tmp
    c:\windows\system32\4A.tmp
    c:\windows\system32\42.tmp
    c:\windows\system32\3F.tmp
    c:\windows\system32\bz2.dll
    c:\windows\system32\3E.tmp
    c:\windows\system32\48.tmp
    c:\windows\system32\2D.tmp
    c:\windows\system32\2B.tmp
    c:\windows\system32\28.tmp
    c:\windows\system32\2A.tmp
    c:\windows\system32\41.tmp
    c:\windows\system32\2E.tmp
    c:\windows\system32\2C.tmp
    c:\windows\system32\3B.tmp
    c:\windows\system32\3A.tmp
    c:\windows\system32\2F.tmp
    c:\windows\system32\50.tmp
    c:\windows\system32\24.tmp
    c:\windows\system32\65.tmp
    c:\windows\system32\21.tmp
    c:\windows\system32\53.tmp
    c:\windows\system32\51.tmp
    c:\windows\system32\52.tmp
    c:\windows\system32\20.tmp
    c:\windows\system32\1E.tmp
    c:\windows\system32\1F.tmp
    c:\windows\system32\1D.tmp
    c:\windows\system32\1B.tmp
    c:\windows\system32\1C.tmp
    c:\windows\system32\C2.tmp
    c:\windows\system32\C0.tmp
    c:\windows\system32\C1.tmp
    c:\windows\system32\1A.tmp
    c:\windows\system32\18.tmp
    c:\windows\system32\19.tmp
    c:\windows\system32\39.tmp
    c:\windows\system32\37.tmp
    c:\windows\system32\38.tmp
    c:\windows\system32\35.tmp
    c:\windows\system32\33.tmp
    c:\windows\system32\34.tmp
    c:\windows\system32\17.tmp
    c:\windows\system32\14.tmp
    c:\windows\system32\16.tmp
    c:\windows\system32\15.tmp
    c:\windows\system32\12.tmp
    c:\windows\system32\13.tmp
    c:\windows\system32\FE.tmp
    c:\windows\system32\FD.tmp
    c:\windows\system32\FC.tmp
    c:\windows\system32\3D.tmp
    c:\windows\system32\3C.tmp
    c:\windows\system32\36.tmp
    c:\windows\system32\31.tmp
    C:\WINDOWS\temp\in8.tmp
    C:\Documents and Settings\Danger Damo\10.tmp    
    C:\Documents and Settings\Danger Damo\7.tmp       
    C:\Documents and Settings\Danger Damo\8.tmp       
    C:\Documents and Settings\Danger Damo\9.tmp      
    C:\Documents and Settings\Danger Damo\a.tmp       
    C:\Documents and Settings\Danger Damo\B.tmp
    C:\Documents and Settings\Danger Damo\c.tmp       
    C:\Documents and Settings\Danger Damo\D.tmp
    C:\Documents and Settings\Danger Damo\F.tmp
    c:\docume~1\DANGER~1\LOCALS~1\Temp\gel90xne.sys
    
    FCopy::
    c:\windows\ServicePackFiles\i386\userinit.exe|c:\windows\system32\
    
    
    * Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    * At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    * You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    If it asks you to override the previous file with the same name, click YES.
    * Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
    * Follow the prompts.
    * When it finishes, a log will be produced named c:\combofix.txt
    * I will ask for this log below

    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this and also attach the log from Combo.
     
  3. DangerWilliams

    DangerWilliams Private E-2

    Hi Tim,

    Thanks for the help, i know you'll give it your best and if i have to reformat then so be it. :)

    OK, so I have performed the scans, logs attached. When I first started up my computer to perform the Combofix scan it did some really weird things, loading random .exe files, making the task bars go dark and really running amok. I have managed to run the scans in safe mode and have run MBAM again, which seems to have gotten rid of a whole bunch of stuff I wasn't getting before.

    Also, since I ran the Combofix the computer isn't booting correctly in either mode; I have to run explorer.exe manually from Task Manager to get it to boot.

    Fun and games, huh!! All good, will await further instruction.

    Cheers,
    Danger
     


  4. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    As I said, we may have to reformat, so you need to save your personal data and files just in case.

    We are going to try to do two things to kill this:

    * Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop, but Do not run it!
    o If it is not on your Desktop, the below will not work.
    * Open Notepad and copy/paste the text in the below code box into it (make sure you scroll all the way down in the code box to get all lines selected ):
    Code:
    KILLALL::
    
    Drivers::
    gel90xne
    
    File::
    c:\windows\system32\D.tmp
    c:\windows\system32\B.tmp
    c:\windows\system32\C.tmp
    c:\windows\system32\3361
    c:\windows\system32\vv.exe
    c:\windows\system32\C5.tmp
    c:\windows\system32\C3.tmp
    c:\windows\system32\C4.tmp
    C:\Documents and Settings\Danger Damo\11.tmp 
    C:\Documents and Settings\Danger Damo\E.tmp
    C:\WINDOWS\system32\drivers\gffbkpb.sys
    c:\docume~1\DANGER~1\LOCALS~1\Temp\gel90xne.sys
    
    
    
    FCopy::
    C:\WINDOWS\ServicePackFiles\i386\ndis.sys|C:\WINDOWS\system32\dllcache\
    c:\windows\ServicePackFiles\i386\svchost.exe|c:\windows\system32\
    c:\windows\ServicePackFiles\i386\spoolsv.exe|c:\windows\system32\
    c:\windows\ServicePackFiles\i386\explorer.exe|c:\windows\
    
    
    * Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    * At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    * You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    If it asks you to override the previous file with the same name, click YES.
    * Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
    * Follow the prompts.
    * When it finishes, a log will be produced named c:\combofix.txt
    * I will ask for this log below

    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    Now download The Avenger by Swandog469, and save it to your Desktop.

    * Extract avenger.exe from the Zip file and save it to your desktop
    * Run avenger.exe by double-clicking on it.
    * Do not change any check box options!!
    * Copy everything in the Quote box below, and paste it into the Input script here: part of the window:

    * Now click the Execute button.
    * Click Yes to the prompt to confirm you want to execute.
    * Click Yes to the Reboot now? question that will appear when Avenger finishes running.
    * Your PC should reboot, if not, reboot it yourself.
    * A log file from Avenger will be produced at C:\avenger.txt and it will popup for you to view when you login after reboot.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this and also attach the logs from Avenger and Combo.
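    The FCopy:: lines in the two scripts above work by overwriting a tampered system binary with the clean copy Windows keeps in ServicePackFiles\i386. The following is an added example, not ComboFix's or MajorGeeks' own code, that shows the same idea as a check a defender can run first: it hashes each watched binary against its reference copy, reports which ones differ or are missing, and only then restores them, quarantining the suspect copy rather than deleting it. The file names come from the scripts above; the directory layout and the sample tree built in demo() are constructed so the code runs offline.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path

# Binaries the CFScripts above restore from ServicePackFiles\i386 (names taken from the thread)
WATCHED = ["userinit.exe", "svchost.exe", "spoolsv.exe", "explorer.exe", "ndis.sys"]


def sha256_of(path):
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()


def compare_system_files(system_dir, reference_dir, names=WATCHED):
    """Return {name: 'ok' | 'modified' | 'missing' | 'no_reference'} for each binary."""
    report = {}
    for name in names:
        live, ref = Path(system_dir, name), Path(reference_dir, name)
        if not ref.is_file():
            report[name] = "no_reference"   # nothing trustworthy to compare against
        elif not live.is_file():
            report[name] = "missing"
        elif sha256_of(live) != sha256_of(ref):
            report[name] = "modified"       # patched or replaced binary
        else:
            report[name] = "ok"
    return report


def restore_from_reference(system_dir, reference_dir, report, quarantine_dir):
    """Copy the reference over modified/missing files (what FCopy:: does); suspects go to quarantine_dir first."""
    restored = []
    for name, status in report.items():
        if status not in ("modified", "missing"):
            continue
        live = Path(system_dir, name)
        if status == "modified":
            Path(quarantine_dir).mkdir(parents=True, exist_ok=True)
            shutil.move(str(live), str(Path(quarantine_dir, name)))
        shutil.copy2(Path(reference_dir, name), live)
        restored.append(name)
    return restored


def demo():
    """Constructed sample tree: one tampered file, one missing, the rest clean."""
    root = Path(tempfile.mkdtemp())
    ref, sys32 = root / "i386", root / "system32"
    ref.mkdir()
    for name in WATCHED:
        (ref / name).write_bytes(b"clean " + name.encode())
    shutil.copytree(ref, sys32)
    (sys32 / "userinit.exe").write_bytes(b"clean userinit.exe<constructed patch>")  # simulates a patched binary
    (sys32 / "ndis.sys").unlink()                                                   # simulates a deleted driver
    before = compare_system_files(sys32, ref)
    restored = restore_from_reference(sys32, ref, before, root / "quarantine")
    after = compare_system_files(sys32, ref)
    shutil.rmtree(root)
    return before, restored, after
```

    On a real system the comparison is only as good as the reference copy, which is why the thread later turns out to have been fighting an infected install disk.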
     
  5. DangerWilliams

    DangerWilliams Private E-2

    Hi Tim,

    Scans complete and logs attached.

    Will start to back up all personal files now in case we have to format. Are there any files that I shouldn't bring with me in case of an infection? I will get all my work and uni files from My Documents and all the exes for programs I know and love from the net, i.e. antimalware, SpeedFan etc.

    The computer seems to be booting up normally now; might try to boot up in normal mode and see how things are going there.

    Cheers,
    Danger
     


  6. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Unfortunately, it is just getting worse. :)

    The safest and most reliable thing to do for infections like this is to just perform a total clean reinstall. I suggest that the hard disk partitions be deleted and then recreated, then formatted, followed by the reinstall of Windows and other programs. We don't recommend backing up anything since the files could be carrying the infection (especially anything that is an executable type file), and you will just reinfect a new installation if you restore these backups. However, if you really need personal data from this hard disk, the only method I would use would be the below:

    • physically remove the hard disk from this PC and slave it into another well protected computer. I recommend having Avast on the other PC since it seems to catch this infection.
    • DO NOT RUN ANY PROGRAMS on this infected slave drive while plugged into the other computer.
    • Copy only your data files from the infected drive. DO NOT COPY any executable type files.
    • Then put this infected hard disk back into the original PC and start the reinstall process, beginning with the deletion of all partitions.

    Also note this infection can spread to shared drives and also writable removable type drives. So if you have a network with shared drives, other computers may be infected. Also, if you have plugged a USB flash drive into this PC, the flash drive could now be carrying the infection if any executable type files were on the flash drive. Also, any PCs this flash drive has been plugged into could now be infected.
     
  7. DangerWilliams

    DangerWilliams Private E-2

    Hi Tim,

    So I have formatted and reinstalled Windows. Took a while as I had to chase down another copy of the Windows CD; I lost it when I moved house. Everything seems OK now, had a couple of hiccups when I first rebooted but it looks like I have gotten rid of them.

    Although two things are worrying me slightly. First is that when I try to run Combo (trying to perform the READ and RUN again to make sure) an error message displays saying that the package has been compromised and it is not safe to run, then it deletes itself. Second, I keep getting virus warnings from AVG for files within a System Volume Information folder; I'm taking a stab and saying it is a restore point that is still infected, so am going to toggle my restore points now (I know I saw a tutorial on how to do that somewhere, READ and RUN I think).

    Logs are below; if you could take a quick gander and let me know if I'm as clean as possible, given that the system will always be considered compromised, and whether I can start normal operations again!

    Cheers for all your help,
    Danger
     


  8. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Now you have me confused. If you did a complete reformat and fresh install, then you would have no restore points that could be infected. So I don't know what AVG could be reporting, unless you got online and picked something up and then created a restore point and then removed the original infection.

    However, your logs are clean. If you are not having any other malware problems, it is time to do our final steps:

    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no real time protection. They are useful as backup scanners. They do not use any significant amount of resources (except a little disk space) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /u
        • Note: the space between the combofix" and the /u must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.

      • Delete the C:\combofix folder from combofix (if it exists)

    3. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    4. If running Vista, it is time to make sure you have re-enabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    5. Go to add/remove programs and uninstall HijackThis.
    6. You can delete the C:\MGtools folder and the C:\MGtools.exe file. You can also delete the C:\MGlogs.zip
    7. If you are running Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning steps in the READ ME for your Window version and see the steps to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.

    8. After doing the above, you should work through the below link:

     
  9. DangerWilliams

    DangerWilliams Private E-2

    Hi Tim,

    Thanks for that. Since I last posted I have reformatted another 4 times. Finally though I seem to have a clean computer and have worked out what the problem was. The disk I was using for the installation had a virus on it!!

    Whenever I would do a fresh install a number of system files were already infected, and as soon as I installed the drivers to go online they would download all they needed to infect the whole system. My temporary solution was to run Avast as soon as I performed the reinstall of Windows, and it found the files that were infected and deleted them. This of course means that I am running without the following system files:
    regedit.exe (the only one i knew something about)
    telnet.exe
    expand.exe
    netsetup.exe
    ntsd.exe
    spnpinst.exe

    So far I haven't had any trouble without these files but I'm sure it will come up in the future, thus I have been in contact with Microsoft to get ahold of another XP CD. When I get this I should be able to do a repair installation to replace the missing files and have everything back to normal.

    So I'm back with a working computer and no virus!! :)
    Thank you very much for all your help.

    Cheers,
    Danger
     
  10. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Yup....that woulda done it!! Good luck and I hope you are able to get a clean cd.
     
