Malware hiding from me

Hi chasgreghall,

It may not be possible to clean your machine because of the software you're using.

When you ran Panda, did you run the online Activescan or did you install their software? You have two folders - Panda Software and Panda Security - which look like they belong to Panda's resident security programs. If you have two antivurs programs on your computer, you need to uninstall one of them. You should keep Nod32 as the resident antivirus and completely uninstall the other one.

Then uninstall the various tools we used that you listed in your last post.

Then I would like for you to go back to where we started which was with the online scans, because you were still able to use these when we started.

Go to
Alternate Scans and look for the section on Free Online Scanning Tools. Run all of them except Panda and Kaspersky.

Hopefully you will be able to recover some lost ground with these scans.

When you've finished them, I would like for you to do a scan of your Windows files. To do this go to Start / Run and copy/paste in sfc /scannow

If missing or corrupted operating system files are identified, you may be asked to insert your Windows XP installation CD. If the scan begins and closes within a few seconds, then it means it did not run. If it doesn't run correctly try it again. If it does run correctly, you may have to run it a second time in order to get the prompt for your cd.

If you make any progress with the above, please reinstall Combofix and the MGTools and run them. In any case, please attach whatever logs you get and let me know how this goes.

Thanks.
abri

 

abri,

do i need to continue with your instructions or wait for recovery console instructions.

 

I was successfully able to get to the C:\Windows prompt in the recovery console.

 

Wow!!! You are the Bomb!
Here is a progress report...
I ran ATFcleaner.
In the recovery console, everything worked except deleting the directory downld.
I still could not boot to safe mode.
I ran SUPERAntiSpyware and Malwarebytes Anti-Malware in normal mode.
I fixed the problems and attached the log files.
Now I can get into Outlook, when I couldn't before !!!!!!!!!!:-D
Let me know what else I need to do.
Thanks again.

 

Hi chasgreghall,

Your computer is still infected. Chaslang can work miracles in recovering almost any computer from the worst of conditions, but it is only a matter of time until your computer will be reinfected, because you have no way of stopping up the holes (i.e. no updates). Just for your information, look at xp pro at amazon. There are good open source alternatives to everything now except the operating system.

In order to make progress for the moment, you will need to use your computer sparingly and try not to reboot any more than necessary. Malware files get started on reboot. I need some information and the fastest way will be for you to help me find it.

What are the following files and the one folder? You can right-click on all of them and go to properties and see if there is any information at all that might tell you what they are. The one which is a folder called "m", you can open and see if there is anything in it. If so, please let me know what is in there. Do not open any files!

in this folder C:\Documents and Settings\chall\Application Data\ look for the following:

a1 Apr 29 2008 4547672 "a1"
a2 Apr 29 2008 2170646 "a2"
M May 9 2008 "m"

Now please do the following:

1) Go to C:\Documents and Settings\chall\Local Settings\Temp\ and delete anything Windows will allow you you to delete.

2) Run one of the cleaners, either CCleaner or ATF Cleaner. If these won't run, but you can get the interfact to CCleaner, go through the objects ticked on the Windows tab (which is the one on top when you open the program) and delete everything you can out of the folders which are mentioned by hand.

3) Then run C:\MGtools\analyse.exe by double clicking on it. (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [winlogon] C:\WINDOWS\csrss.exe
O4 - HKCU\..\Run: [drvsyskit] C:\WINDOWS\system32\drivers\hldrrr.exe
O4 - HKCU\..\Run: [german.exe] C:\WINDOWS\system32\wintems.exe
O4 - HKCU\..\Run: [mule_st_key] C:\Documents and Settings\chall\Application Data\m\flec006.exe

After you click fix, just close hijackthis.


4) Download and install Erunt. Use it to create a backup of your registry.

5) Please copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the File Type type is set to "all files" Once you have saved it, look for it on your desktop and when you find it, double-click it and allow it to merge with the registry.

6) Now download The Avenger by Swandog46, and save it to your Desktop.

• Extract avenger.exe from the Zip file and save it to your desktop
• Run avenger.exe by double-clicking on it.
• Do not change any check box options!!
• Copy everything in the Quote box below, and paste it into the Input script here: part of the window:

• Now click the 'Execute' button.
• Click Yes to the prompt to confirm you want to execute.
• Click Yes to the Reboot now? question that will appear when Avenger finishes running.
• Your PC should reboot, if not, reboot it yourself.
• A log file from Avenger will be produced at C:\avenger.txt

7) Run one of the cleaners, either CCleaner or ATF Cleaner. If these won't run, but you can get the interfact to CCleaner, go through the objects ticked on the Windows tab (which is the one on top when you open the program) and delete everything you can out of the folders which are mentioned by hand.

8) Please run C:\MGtools\GetLogs.bat and attach the fresh MGlogs.zip it generates along with the Avenger log.


Let me know how things are running now?

abri

 

I did step 1). I had to use cmd and attrib -h to get to the hidden files. My computer will not connect to my wireless network at home anymore. I guess we deleted something that was necessary. I will run ATF at work on Monday.

Once we get everything done, I will redo my wireless.

 

Hi chasgreghall,

What we deleted was malware. You can return to a restore point directly prior to those instructions and see if you internet wireless connection comes back. Then we can delete the same files one at a time and see which caused the problem.

It would help me alot to see the Avenger log from that post and a fresh MGlogs.zip.

abri

 

I deleted the files and folder mentioned. I don't know what they were.
Everything worked but Avenger. The program worked, but the script gave me an error on the last three lines.

Looks like we are making great progress. CCleaner is working !!

I won't take my computer home anymore. That way I can avoid reboots.

 

Hi chasgreghall,
I don't see any further malware. How is your computer working? Are you still without a wireless connection? Is there a resident antivirus program running?
abri

 

You guys have been wonderful. Where is the "donate" button. I haven't tried the wireless yet because I didn't take it home. I still can't get itunes to run, even if I uninstall and install. Everything else seems fine.

 

And, panda is my resident program and it is not running. when i tried to start it, i got the good old "not a win32 program" message.

 

Hi chasgreghall,

Before you run off to the Software Forum, I want to post you the final cleanup instructions which will remove all the logs and tools we used. If you want to keep HijackThis and its backups, there is an instruction for doing this at the bottom of the following box.

abri

 

Thank you all for everything. Panda is working now. I will take care of the scraps that are left. Go ahead and close the tread if you want.

 

You're welcome from both of us. Good luck with your computer.
abri