Malware issues persist after following guide

Discussion in 'Malware Help (A Specialist Will Reply)' started by nbass, Dec 16, 2008.

  1. nbass

    nbass Private E-2

    I'm a technician and I have an HP Pavilion running XP Home Edition SP3. I picked it up late last week to repair for someone I know. At the time, it had some errors on the hard disk and was stuck in a boot-time BSOD loop. I've corrected those issues and brought the system up only to find it's infected with various malware.

    The issues which have been noticed are that Firefox, AVG, a number of different malware scanners and other programs were compromised or just not working properly. My Computer and the Control Panel were inaccessible (changing the start menu links to menus is functioning as a workaround for now). Clicking any of several links in the Start Menu such as Run, Search, etc results in the message "Windows cannot create a shortcut here." There was a mess of unrecognizable files everywhere, with the weirdest being a series of over 65,000 files under Documents and Settings\UserName which were named in sequence from fox1.exe up to foxFFFF.exe. The files took up a combined total of over 5GB space. AVG detected nothing in them. For now, I've removed them myself as they could not possibly serve a legitimate purpose.

    I was able to uninstall the compromised/broken software, then started the process of reinstalling starting with AVG. With AVG installed, I did a full scan before proceeding with Firefox and then other crucial scanning software. With all the scans I've done and various malware removed, problems persist. I was able to restore the Control Panel by correcting system policies, only to have it be taken away again upon reboot, so something is still infecting this system. I came across the suggestions in the Malware Removal Guide on this site and followed through with it, though it was not much more than I have already attempted on my own. I've collected the logs from this process, and hope that anyone here can shed some more light on the issues with this system.

    Thank you for your time; if there's any additional information needed, please let me know and I will get back to you promptly. I am attaching my logs as requested in your guide.

    Attached Files:
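    A defender-side triage script for the run of fox<hex>.exe files described in the post above, added here as an example; it is not part of the original post or of any tool the thread mentions. It assumes a profile directory path and builds a constructed sample tree with placeholder bytes standing in for the real files; hashing the matches lets tens of thousands of identical copies collapse to a handful of distinct payloads, which is what an AV vendor or analyst actually needs.

```python
import hashlib
import os
import re
import tempfile
from collections import Counter

# Name pattern of the sequentially hex-numbered files the post describes:
# fox1.exe ... foxFFFF.exe directly under Documents and Settings\UserName.
SUSPECT_NAME = re.compile(r"^fox[0-9a-f]{1,4}\.exe$", re.IGNORECASE)


def triage_profile(profile_dir):
    """Walk one user profile directory and summarise files whose names match
    the fox<hex>.exe pattern. Returns the count, total bytes, the number of
    distinct SHA-256 digests, the digest Counter and the matched paths, so
    identical copies can be told apart from distinct payloads without
    executing anything."""
    hashes = Counter()
    total = 0
    matched = []
    for root, _dirs, files in os.walk(profile_dir):
        for name in files:
            if not SUSPECT_NAME.match(name):
                continue
            path = os.path.join(root, name)
            with open(path, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            hashes[digest] += 1
            total += os.path.getsize(path)
            matched.append(path)
    return {"count": len(matched), "total_bytes": total,
            "unique_payloads": len(hashes), "hashes": hashes, "paths": matched}


def build_sample_profile(n_copies=8):
    """Constructed sample (hypothetical, not real malware): a throwaway
    profile folder with a few hex-named fox*.exe files holding two distinct
    placeholder payloads, plus one benign file that must not be counted."""
    base = tempfile.mkdtemp(prefix="profile_")
    for i in range(1, n_copies + 1):
        payload = (b"PAYLOAD-A" if i % 2 else b"PAYLOAD-B") * 100
        with open(os.path.join(base, "fox%X.exe" % i), "wb") as fh:
            fh.write(payload)
    with open(os.path.join(base, "notes.txt"), "w") as fh:
        fh.write("legitimate user document")
    return base


if __name__ == "__main__":
    summary = triage_profile(build_sample_profile())
    print("%d matching files, %d bytes, %d distinct payload(s)" %
          (summary["count"], summary["total_bytes"], summary["unique_payloads"]))
```

    On the real machine, point triage_profile at the affected profile folder before deleting anything, and keep one copy of each distinct digest for submission.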

  2. nbass

    nbass Private E-2

    Additional post to attach 4th log file.

    Thank you,
    N.Bass

    Attached Files:

  3. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    I am not seeing any specific malware... but you do need to remove all those temp files:
    Code:
    C:\Documents and Settings\Robin\"
    0pcc3.tmp     Nov 12 2008           0  "0pcC3.tmp"
    1b32e.dmp     Sep 17 2008           0  "1B32E.dmp"
    1f89558.mst   Dec 16 2008     1358336  "1f89558.mst"
    2088c80.mst   Dec 16 2008     1358336  "2088c80.mst"
    5a2991d.dmp   Sep 20 2008           0  "5A2991D.dmp"
    7ZS1.TMP      Dec 15 2008              "7zS1.tmp"
    7ZS14B.TMP    Sep 17 2008              "7zS14B.tmp"
    7ZSFF.TMP     Sep 17 2008              "7zSFF.tmp
    b5c35.tmp
    
    c:\documents and settings\Robin\~nsu.tmp
    c:\documents and settings\Robin\7zS1.tmp
    c:\documents and settings\All Users\Application Data\dbg
    
    Please download ATF Cleaner by Atribune. This program does not require an installation. The executable actually runs the program.

    NOTE: This program is for Windows XP and Windows 2000 only. ATF Cleaner will remove all files from the items that are checked, so if you have some cookies you'd like to save, please move them to a different directory first.

    * Double-click ATF-Cleaner.exe to run the program.
    * Under Main choose: Select All
    * Click the Empty Selected button.

    If you use Firefox browser

    * Click Firefox at the top and choose: Select All
    * Click the Empty Selected button.
    o NOTE: If you would like to keep your saved passwords, please click No at the prompt.

    If you use Opera browser

    * Click Opera at the top and choose: Select All
    * Click the Empty Selected button.
    o NOTE: If you would like to keep your saved passwords, please click No at the prompt.

    Click Exit on the Main ATF Cleaner menu to close the program.

    Your additional problems might best be handled in the software section. :(
  4. nbass

    nbass Private E-2

    I've run the above program to clean stuff out,

    Is there anything else you can suggest to be certain that there isn't malware still infecting the system? I have been working to fix some of the problems, but, taking the Control Panel as an example, its contents disappear again with each reboot after being fixed. It's rather discouraging to be fixing things and having them just break again on their own. I can't help but feel there must be some malicious software responsible for thwarting my efforts, but I'm having trouble locating anything specific.

    Thank you,
    N.Bass
  5. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    This procedure explains how to get to the BitDefender Online Scan site and how to set up and perform an online scan. It also explains how to obtain a log so you can attach it to a message. You must use Internet Explorer to run this scan, and make sure your Sun Java version is current. Get Sun Java here: Sun Java Runtime Environment. Before installing the current version, you should uninstall all previous versions first!!!!

    ****NOTE**** DO NOT INSTALL Bitdefender's Antivirus program. Make sure you follow the directions below and run the ONLINE SCANNER only.


    To start the online scan go here: Bitdefender

    • Agree to the license and then select Scan.
      • DO NOT CHANGE THE OPTIONS TO SHOW ALL FILES SCANNED. That will make your logs huge and we don't need to see clean files.

    • Once Bitdefender completes the scan:
      • Click on the Detected Problems tab. Then select Click here to export the scan report
      • When the window comes up to save the report, change the Save as type: box to Text (Tab Delimited) (*.txt)
      • And then in the File name box enter bdscan, then click Save. This will save a file named bdscan.txt in whatever folder you are currently in when you save the file (take notice of where you are so you can find it later). This bdscan.txt file will actually contain HTML code that we can easily view later while reviewing your log. All we have to do is rename the file to bdscan.html. If you do not follow these steps, you will have an incorrect log or, worse, a log summary, which is useless to us.

    • Post the bdscan.txt file as an ATTACHMENT. See: HOW TO: Attach Items To Your Post
    • If you run BitDefender Online Scan and have previously run Panda ActiveScan, the below false detection may be seen in BitDefender:

      C:\WINDOWS\system32\ActiveScan\pskahk.dll
      Infected with: Generic.Malware.SIMDWYNVdprn.D9407F4E
  6. nbass

    nbass Private E-2

    After BitDefender did its business, AVG began to pick up on infections it had previously missed. I ran a new full scan with AVG and it cleaned up several previously undetected infections. I can only guess BitDefender removed something which had been hiding infections from other scanners. Between the two, I think I've cleaned out the last of the infections that had impacted the system. I was able to eventually fix the long list of Windows-related problems that had been caused by malware, and the problems are staying fixed between reboots. BitDefender, AVG, and the other scanners are coming up clean now, so I think that covered it.

    Thanks for your suggestions, and for taking the time to check my logs.
  7. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Good to know...

    If you are not having any other malware problems, it is time to do our final steps:

    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no real-time protection. They are useful as backup scanners. They do not use any significant amount of resources (except a little disk space) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (this uninstall will only work as written if you installed ComboFix on your Desktop like we requested).
      • Click START, then RUN, and enter the below into the Run box, then click OK. Note that the quotes are required.
      • "%userprofile%\Desktop\combofix" /u
        • Note: the space between combofix" and /u must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.

      • Delete the C:\combofix folder from combofix (if it exists)

    3. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    4. If running Vista, it is time to make sure you have re-enabled UAC by double-clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    5. Go to add/remove programs and uninstall HijackThis.
    6. You can delete the C:\MGtools folder and the C:\MGtools.exe file. You can also delete the C:\MGlogs.zip
    7. If you are running Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning steps in the READ ME for your Windows version and see the steps to Disable System Restore, which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.

    8. After doing the above, you should work through the below link:
