malware log review humbly requested

Lussak80 · Jan 28, 2008

Hello,

I have run through the malware removal procedure and feel that something still isn't right. I have attached the three log files, but there is something you should know. Even after choosing "create log file after every scan:nly when threat is found" AVG did not create a new log file. Instead, I attached my first log from Jan 10.

note: I ran all of these scans on the admin account, not the infected user account. When I ran hijackThis on the user account, after all of this, it still showed many entries which point to malware. Was I suppose to run everything under the user account?

The problem with this workstation began several weeks ago. It didn't come to my attention at first because the user didn't want to be blamed. They didn't admit to anything directly, but another user informed me that they ran an online scan because they were to their system was infected. I suppose I didn't educate enough, meh.

So, popups galore. - and here I am.

I ran combofix all the way through and restarted. I wasn't expecting it to start running again and inadvertantly moved one of the windows during the 'generating log' stage after rebooting. All I know is that program didn't finish - I had to terminate it.

Thank you so very much for your time. I will rerun the AVG scan this evening in hopes of generating new logs. The problem is that AVG was one of the bad files it quarantined. I'm having trouble opening it again... wacko program, it bit itself in the a..

-Shawn

Lussak80 · Jan 29, 2008

Ok - I'm having some trouble with the malware removal procedure.

1.) ComboFix does not entirely complete - even if I do nothing with the mouse. It gets through the whole first part, reboots, and begins running again when I log in. It opens two kmd.exe windows. This is where it stops with a blinking cursor. I've left it alone for over 30 minutes with no change. If I close one of the kmd.exe windows the remaining kmd.exe window says 'cancel batch', I put Y and it continues on to generate logs. It then freezes here with another kmd.exe window - blinking away. I let it sit and nothing.

2.) My AVG log didn't create so I went back to rerun it. However, AVG found its own executable (avgas.exe) to be infected. I found another in the main folder called avgas .exe (with a space). I'm not sure if this is a viral copy, or what.

I could use some direction.

Thanks for your time.
-Shawn

TimW · Jan 29, 2008

It is indicative of a new vundo infection ....try ComboFix in safe mode ...then reboot to normal mode and run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file.

Lussak80 · Jan 29, 2008

Thank you, Tim.

Logs attached.
However, after rebooting out of safe mode, ComboFix.exe ran some other tasks and got stuck, like before. More precisely: The main window read "Please wait... The system cannot find the file specified", there were also two kmd.exe windows open. I eventually clicked close on one of them. The other prompted "^CTerminate Batch job?" I answered yes, which allowed the process to continue.

The main "Find3M" window read "Preparing Log Report. Do not run any programs until combofix has finished." The other kmd.exe window made no progress after 15 minutes or so. I closed it to get out of the program.

-Shawn

TimW · Jan 30, 2008

What is the below file for?
C:\WINDOWS\U2NvdHQ

* Download and save to RenV.exe from following link to Desktop (
must be on the Desktop)
* Now Copy the bold text in the below code box to notepad. Save it as Log.txt to your desktop. (It must be on your Desktop).
Code:
C:\ComboFix\kmd .exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl .exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx .exe
C:\Program Files\Common Files\Symantec Shared\ccApp .exe
C:\Program Files\HPQ\Default Settings\cpqset .exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr .exe
C:\Program Files\iTunes\iTunesHelper .exe
C:\Program Files\Symantec AntiVirus\VPTray .exe
C:\Program Files\Synaptics\SynTP\SynTPEnh .exe
C:\Program Files\Synaptics\SynTP\SynTPLpr .exe
C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig .exe
C:\WINDOWS\system32\ctfmon .exe
* Now using your mouse, drag Log.txt onto RenV.exe
* When finished, RenV.exe will produce a new log names Log.txt on your Desktop I will ask for this log later.

Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

O2 - BHO: (no name) - {2B084F41-9DA4-493D-BCAD-269321CAB1D8} - (no file)
O2 - BHO: (no name) - {BBFFFA67-11FD-4D7B-882B-48E6798109CF} - (no file)
O2 - BHO: 0 - {C1912975-DD66-4FE4-C4A0-C8E49C44CE4C} - (no file)
O2 - BHO: (no name) - {D9FAE83B-EDBF-49BA-8991-CD64826B6761} - C:\DOCUME~1\gdimmett\LOCALS~1\Temp\pmklk.dll
O2 - BHO: (no name) - {E094A71E-CE6B-48ED-A959-7603F7E734B2} - (no file)
Click to expand...

After clicking Fix, exit HJT.

Now Copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.

REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentVersion\Run]
"SunJavaUpdateSched"=-
"ViewMgr"=-
"QuickTime Task"=-
"iTunesHelper"=-

[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2B084F41-9DA4-493D-BCAD-269321CAB1D8}]

[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BBFFFA67-11FD-4D7B-882B-48E6798109CF}]

[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{C1912975-DD66-4FE4-C4A0-C8E49C44CE4C}]

[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D9FAE83B-EDBF-49BA-8991-CD64826B6761}]

[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E094A71E-CE6B-48ED-A959-7603F7E734B2}]
Click to expand...

Now download The Avenger by Swandog46, and save it to your Desktop.

* Extract avenger.exe from the Zip file and save it to your desktop
* Run avenger.exe by double-clicking on it.
* Check the 'Input script manually' box.
* Click on the magnifying glass icon.
* Copy everything in the Quote box below, and paste it in the box that opens:

Files to delete:
C:\DOCUME~1\gdimmett\LOCALS~1\Temp\pmklk.dll

Folders to delete:
C:\WINDOWS\system32\CHE9
C:\WINDOWS\system32\EDCA01
C:\WINDOWS\system32\EZ4
C:\WINDOWS\system32\MP2
C:\WINDOWS\system32\VT8
Click to expand...

* Now click the 'Done' button.
* Click on the traffic light icon and OK the prompt.
* You will be prompted to restart, OK the prompt and your PC should reboot, if not, reboot it yourself.
* A log file from Avenger will be produced at C:\avenger.txt

After reboot look for all of the above files we had Avenger attempt to delete. If you still see them, delete them yourself.

Now run Ccleaner!

Now run the C:\MGtools\GetLogs.bat file by double clicking on it.
Then attach the new logs:

* Log.tx from running RenV
* c:\avenger.txt
* C:\MGlogs.zip

Make sure you tell me how things are working now!

Log in or Sign up

malware log review humbly requested

Lussak80 Private E-2

Attached Files:

ComboFix.txt

Report-Scan-20080110-145953.txt

MGlogs.zip

Lussak80 Private E-2

TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

Lussak80 Private E-2

Attached Files:

MGlogs.zip

TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member