Malware Infection

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by Anyhoo, Jun 1, 2011.

  1. Anyhoo

    Anyhoo Private E-2

    I had a Malware infection that was causing the following observable issues:

    1. Making a lot of changes to my registry (that Spybot S & D TeaTimer detected, so I was aware of them.)
    2. Repeatedly turning off my McAfee anti-virus where I could not keep it on.
    3. Turning my task bar to gray
    4. Corrupting and causing various Windows services to crash, including McUICnt.exe.
    5. Limiting mouse movement where I could not move my mouse to the task bar.
    6. Showing a red shield icon in the system tray saying that McAfee anti-virus was disabled.

    I followed all the steps that I could from Windows safe mode in your readme of what to do to resolve Malware issues. After following all of those steps that I could, I thought the issue was fixed until I restarted TeaTimer in regular boot mode and saw that changes were being made to the system registry that appeared to be from Malware, such as disabling task manager, disabling command prompt, etc. TeaTimer notified me of these changes, which I promptly denied and rebooted into safe mode so I could make this post. Looking at the keys being changed, it appeared that Malware was making the changes.

    I do not believe the issues happen at all in safe mode but they do appear in regular boot mode.

    I had been having issues similar to this for around two weeks and I thought I had resolved them with System Restore but apparently whatever the issue is it involves more than just a corrupted registry. I believe software has been modified on my PC to cause havoc even after I restore the registry to an uncorrupted state. I believe I caught this latest virus by visiting a porn website (hey, at least I'm admitting it) because immediately after I went to a page I noticed the red shield icon (see Number 6 in the list above) appeared in the system tray, and then various other issues started happening later on.

    Below I am going to post the logs of the diagnostic software (from the readme) that I was able to run. One of the programs refused to run on my system.

    RootRepeal would not run on my system. It hung at an "Initialization..." dialog box twice.

    So my current state is that I am able to boot into safe mode without issue but booting into normal mode brings out the "hidden" malware. I hope you can help me fix this.
     


  2. Anyhoo

    Anyhoo Private E-2

    One thing I would recommend adding to your readme is for people who have it to turn on Tea Timer at the end of the steps before trying to determine if the issues have been resolved or not. Since earlier instructions said to turn off Tea Timer, it would be nice if later instructions said to switch it back on. Had I not thought to turn it back on, the malware would have made all of those registry changes without me having control over them and I might have been in a worse position than I am now. Just a thought.
     
  3. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    I want you to try and complete this fix in normal mode now please if at all possible.

    Java(TM) 6 Update 24 <--- uninstall outdated Java.

    Ensure TeaTimer is still disabled please, otherwise it will interfere with my fix!

    We usually remind people at the end about it but this is something that the user should remember to do really without us having to prompt. We already cover such a lot of ground, and we deal with what matters primarily...malware removal. I do not personally rate Spybot, much preferring the free versions of both MBAM and SAS.

    If you did not deliberately set this proxy yourself then please include it in the list of fixables.
    • R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 203.121.145.53:3128


    Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    After clicking Fix exit HJT.


    Now we need to use ComboFix
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    • If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
    • Open Notepad and copy/paste the text in the below quote box. Ensure you scroll down to select ALL the lines:
    Code:
    KILLALL::
    
    Registry::
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4EFB-9B51-7695ECA05670}]
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4EFB-9B51-7695ECA05670}\NoExplorer]
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897}]
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{C84D72FE-E17D-4195-BB24-76C02E2E7C4E}]
    File::
    C:\Documents and Settings\Hiep Nguyen\Templates\5ylm6bl030n65jmb31m68g6dd47x83u656710c33x46s
    C:\Documents and Settings\All Users\Application Data\5ylm6bl030n65jmb31m68g6dd47x83u656710c33x46s
    C:\Documents and Settings\Hiep Nguyen\Local Settings\Application Data\5ylm6bl030n65jmb31m68g6dd47x83u656710c33x46s
    RegLock::
    [HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]
    "SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
       00,5c,00,4d,00,61,00,63,00,68,00,69,00,6e,00,65,00,5c,00,53,00,79,00,73,00,\
    
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe

      http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below

    Note:

    Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

    If after running ComboFix you discover none of your programs will open up, and you receive the following error: "Illegal operation attempted on a registry key that has been marked for deletion", then the answer is to REBOOT the machine, and all will be corrected.

    Reboot your machine and install the most current and up to date version of Java available here at the below link:

    Java Runtime 6

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. (Right click and run as admin if using Vista or Windows7) Then attach the new C:\MGlogs.zip file that will be created by running this.

    Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now!
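To see what a CFScript like the one above will actually do before it is dragged onto ComboFix.exe, here is an added Python parser written for this thread (example code, not ComboFix's own); the `hex(6):` decoding and the `<TRUNCATED>` marker for a value the script cuts off mid-line are my assumptions, and the sample script is constructed from pieces of the one posted above.

```python
import re
# Constructed sample in the shape of the thread's script: one of its BHO CLSIDs,
# one of its file paths, and a RegLock hex value cut off mid-line as on the page.
SAMPLE_SCRIPT = r"""KILLALL::

Registry::
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4EFB-9B51-7695ECA05670}]
File::
C:\Documents and Settings\All Users\Application Data\5ylm6bl030n65jmb31m68g6dd47x83u656710c33x46s
RegLock::
[HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,\
   69,00,73,00,\
"""

SECTION_RE = re.compile(r"^([A-Za-z]+)::\s*$")   # e.g. "Registry::"
TRUNCATED = "<TRUNCATED>"                         # assumed marker for a cut-off value

def parse_cfscript(text):
    """Return {section: [entries]}, joining .reg-style '\\' line continuations."""
    sections, current, pending = {}, None, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
            continue
        if not line or current is None:
            continue
        if line.endswith("\\"):           # value continues on the next line
            pending = line[:-1]
            continue
        sections[current].append(line)
    if pending:                           # script ended inside a continuation: flag it
        sections[current].append(pending + TRUNCATED)
    return sections

def registry_deletions(sections):
    """Keys that Registry:: removes outright ('[-KEY]' deletes the whole key)."""
    return [e[2:-1] for e in sections.get("Registry", []) if e.startswith("[-")]

def decode_hex6(entry):
    """Decode a REG_LINK 'hex(6):' value (UTF-16LE) so the link target is readable."""
    hexpart = entry.split("hex(6):", 1)[1].replace(TRUNCATED, "")
    data = bytes(int(b, 16) for b in hexpart.split(",") if b)
    return data.decode("utf-16-le", errors="ignore")
```

Running `parse_cfscript` over the real script shows the three BHO keys and three file paths it removes, and the flagged RegLock entry shows where the pasted value was cut off.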
     
  4. Anyhoo

    Anyhoo Private E-2

    I had some issues right at the start, so I am posting back what happened:

    I rebooted in normal mode and attempted the removal of Java. I received an error message saying that the Windows Installer Service could not be accessed. It mentioned this can happen if the PC is in safe mode (which I was not in).

    I checked the Windows Installer Service and found it was not running. I attempted to restart it. It gave an error message saying the service could not be started in safe mode.

    Also, the toolbar was gray instead of the normal blue. So the PC thinks it is booting in safe mode when it is not.

    I rebooted using the "Last Known good configuration" option of Windows hoping this would solve the issue. (I hope doing this did not ruin some of the earlier fixes). But even doing this I had the same issue as above. The PC thinks it is in safe mode.

    So I cannot even follow the first step of your instructions and am back for more assistance.

    btw, I am running Windows XP Media Center SP3.
     
  5. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Skip what you cannot do and continue on.
     
  6. Anyhoo

    Anyhoo Private E-2

    Two logs you asked for are attached.

    I had the following issues while following the remaining instructions:

    1. After rebooting into normal mode, the red "X" shield came up saying "Your computer might be at risk...McAfee anti-virus is turned off, etc." but after a while it went away.

    2. McUICnt.exe crashed with unhandled exceptions. I don't know if this is caused by Malware or not. This is a component of McAfee anti-virus and to my knowledge it has been doing this for months.

    3. I was able to install the latest Java and all seemed to go okay with the install, however at the end of the Java install I got this error message: Installer: Wrapper Create File failed with error 5. Access is Denied. I did not remove the old version of Java before installing the new version but when I check in add/remove programs the old version is gone and the new version is displayed.

    4. When I ran MGTools\GetLogs.bat, I got three error messages, as follows:

    Cannot export C:\MGTools\temp\xlmsysccsa.txt. Error writing the file. There may be a disk or file system error. This same error happened with two other files: xlmsyscs1a.txt and xlmsyscs2a.txt.

    At the end of this, I do not see any visible signs of an issue but I am reluctant to say it's all fixed. Let me know what you recommend I do next.
     


  7. Anyhoo

    Anyhoo Private E-2

    Update:

    After making the changes you suggested, my PC has been booted into normal mode and I used it last night without issue. It appears to be fixed. I want to thank you for your assistance and also ask the following question. My PC was supposed to be protected by McAfee anti-virus, anti-spyware and yet visiting a single web site caused malware to be installed on my PC as if I was completely unprotected. That makes me feel very insecure, as if I could get new malware at any time and have no control over it. How can I prevent this? Would disabling scripting in my internet zone do it? I like ActiveX but if having that on is going to make me vulnerable to Malware then I would just as soon sacrifice it. Feeling secure as I browse the web is important to me. Please tell me what you think.
     
  8. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources ( except a little disk space ) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /uninstall
        • Notes: The space between the combofix" and the /uninstall, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
    3. Go back to step 6 of the READ ME and re-enable your Disk Emulation software with Defogger if you had disabled it.
    4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. If running Vista, it is time to make sure you have re-enabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    7. Go to add/remove programs and uninstall HijackThis.
    8. Go to the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    9. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures pointed to by step 7 of the READ ME for your Windows version and see the instructions to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    10. After doing the above, you should work through the below link:
     
