Many infections

Discussion in 'Malware Help (A Specialist Will Reply)' started by cjon, Mar 14, 2009.

  1. cjon

    cjon Private E-2

    My friend Jason had his machine protected by a suite provided by our ISP called SecureIT. This is my first experience with it. Hopefully it will be my last. Can't turn it off, didn't uninstall cleanly and won't reinstall. Other than that, and the fact that on the first pass MBAM found 600 infected files, it is great.

    This machine is set up with 3 users, so I ran MBAM, SAS and Spybot on all 3 accounts. I had to start over a time or two, so I have a number of logs. They are zipped together. I ran combofix twice, same story.

    Combofix warned about Secureit, although so far as I could tell, it had been removed from the system (I uninstalled it and deleted the program files folder). Maybe it persists in the registry.

    Anyway, take a look and tell me what I've missed.

    Thanks,
    CJon
     

    Attached Files:

  2. cjon

    cjon Private E-2

    MGLogs attached.
     

    Attached Files:

  3. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    First, it is not a good idea to allow all users to have admin. privileges.

    Did you change any user accounts recently?

    Please use add/remove programs to uninstall:
    J2SE Runtime Environment 5.0 Update 2

    Now use windows explorer to find and delete:
    C:\Documents and Settings\All Users\Application Data\ZumieSearch
    C:\Documents and Settings\Megan\Desktop\SecureIT.exe
    C:\150174374
    c:\program files\SecureITT
    C:\WINDOWS\~glc0000.tmp
    C:\WINDOWS\~glh0000.tmp
    C:\WINDOWS\system32\drivers\c1f3a2fe.sys

    * Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
    o If it is not on your Desktop, the below will not work.
    * Open Notepad and copy/paste the text in the below code box into it (make sure you scroll all the way down in the code box to get all lines selected ):
    Code:
    KILLALL::
    
    
    Drivers::
    SCMonitor
    
    RegLockDel::
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{137E6E5E-A205-4657-A49F-1AB865787089}\Implemented Categories]
    
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{137E6E5E-A205-4657-A49F-1AB865787089}\InprocServer32]
    
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{137E6E5E-A205-4657-A49F-1AB865787089}\ProgID]
    
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{137E6E5E-A205-4657-A49F-1AB865787089}\TypeLib]
    
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{137E6E5E-A205-4657-A49F-1AB865787089}\VersionIndependentProgID]
    
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{2BA1C226-EC1B-4471-A65F-D0688AC6EE3A}\InprocServer32]
    
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{2BA1C226-EC1B-4471-A65F-D0688AC6EE3A}\ProgID]
    
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{2BA1C226-EC1B-4471-A65F-D0688AC6EE3A}\TypeLib]
    
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{2BA1C226-EC1B-4471-A65F-D0688AC6EE3A}\VersionIndependentProgID]
    
    * Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    * At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    * You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    If it asks you to override the previous file with the same name, click YES.
    * Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
    * Follow the prompts.
    * When it finishes, a log will be produced named c:\combofix.txt
    * I will ask for this log below

    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    Now download and install:
    Java Runtime 6

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this and also attach the log from Combo.
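As an added post-cleanup check (not part of this thread or of ComboFix), the PowerShell script below reports which of the files, folders, CLSID registry keys and driver service named in the reply above still exist on the machine; it assumes PowerShell 2.0 or later and an elevated prompt.

```powershell
# Added example: verify that the items from the fix list above are gone.
# Paths and CLSIDs are taken from the reply; nothing is deleted, only reported.
$paths = @(
    'C:\Documents and Settings\All Users\Application Data\ZumieSearch',
    'C:\Documents and Settings\Megan\Desktop\SecureIT.exe',
    'C:\150174374',
    'C:\Program Files\SecureITT',
    'C:\WINDOWS\~glc0000.tmp',
    'C:\WINDOWS\~glh0000.tmp',
    'C:\WINDOWS\system32\drivers\c1f3a2fe.sys'
)
$clsids = @(
    '{137E6E5E-A205-4657-A49F-1AB865787089}',
    '{2BA1C226-EC1B-4471-A65F-D0688AC6EE3A}'
)
$driverService = 'SCMonitor'   # the entry under Drivers:: in the CFScript above

$leftovers = @()
foreach ($p in $paths) {
    # -LiteralPath so '~' and other characters are not treated as wildcards
    if (Test-Path -LiteralPath $p) { $leftovers += "file/folder still present: $p" }
}
foreach ($c in $clsids) {
    $key = "HKLM:\SOFTWARE\Classes\CLSID\$c"
    if (Test-Path -LiteralPath $key) {
        # A key that exists but cannot be opened is the locked-key case that the
        # RegLockDel:: section targets; ComboFix's own log remains the authoritative record.
        try {
            $sub = (Get-ChildItem -LiteralPath $key -ErrorAction Stop | Measure-Object).Count
            $leftovers += "CLSID key still present ($sub subkeys): $key"
        } catch {
            $leftovers += "CLSID key present but not readable (locked or restricted ACL): $key"
        }
    }
}
$svcKey = "HKLM:\SYSTEM\CurrentControlSet\Services\$driverService"
if (Test-Path -LiteralPath $svcKey) { $leftovers += "driver service key still present: $svcKey" }

if ($leftovers.Count -eq 0) {
    'No leftovers from the fix list were found.'
} else {
    $leftovers | ForEach-Object { Write-Warning $_ }
}
```

Run it before and after the CFScript step to confirm what the script removed; a warning about an unreadable key corresponds to the "access denied, file locked" messages mentioned later in the thread.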
     
  4. cjon

    cjon Private E-2

    Tim,
    I did the deletions you listed and removed the Java runtime. When I tried to run the combofix script, I got an error "Windows cannot find file 32788R22FWJFW\n.com, check the name..." (the language from the box is inexact, but the filename is verbatim. you know what it says) 5 or 6 OK's later, the box disappeared and combofix aborted. No new log.

    As I noted in a separate post here:
    http://forums.majorgeeks.com/showthread.php?t=184893&highlight=cjon
    the support team from Secureit removed combofix from the machine in the process of "fixing" the broken copy of Secureit's suite. I downloaded combofix 3 times (on different machines, and from different sites) and got the same error. Googling that file seems to indicate it is a likely threat called n.com. It has apparently been removed. How should I proceed?

    I went ahead and ran another MGLog. It is attached.

    I have to make an overnight trip, I'll be back on the 19th. Hope to hear from you then.
    CJon
     

    Attached Files:

  5. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Yes...I see Chas suggested you uninstall Securit. You also have not changed user privileges, not installed the latest Java.
    Did you try removing C:\ 32788R22FWJFW?
    Did you disable SecurIT before running combo?
     
  6. cjon

    cjon Private E-2

    OK, I removed the C:\32788RE... folder and re-ran the combofix script with Secureit shutdown (thanks to autoruns). I posted chaslang a link to the company that makes it (SecurityCoverage). Since the owner has contracted with his ISP for the service, I'm avoiding removing it, even though I think it isn't very good software.

    When the script ran and re-booted, I got several (9, I think) messages saying access was denied, file locked, but when I compare the old logs to the new ones, it appears that the locked registry keys have been removed nevertheless.

    I installed the updated java (I had removed the old version, just not installed the new one.)

    I have not changed the permissions yet, but I will after I talk to the machine's owner.

    I'm attaching the new combofix and mgtools logs.
     

    Attached Files:

    Last edited: Mar 19, 2009
  7. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    I apologize for the delay in responding. We had a medical situation.

    Your logs look clean.....:)

    If you are not having any other malware problems, it is time to do our final steps:

    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no real time protection. They are useful as backup scanners. They do not use any significant amount of resources ( except a little disk space ) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /u
        • Notes: The space between the combofix" and the /u, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.

      • Delete the C:\combofix folder from combofix (if it exists)

    3. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    4. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    5. Go to add/remove programs and uninstall HijackThis.
    6. You can delete the C:\MGtools folder and the C:\MGtools.exe file. You can also delete the C:\MGlogs.zip
    7. If you are running Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning steps in the READ ME for your Window version and see the steps to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.

    8. After doing the above, you should work thru the below link:

     
  8. cjon

    cjon Private E-2

    Thanks.

    I suspected something in the real world had interfered with your response. I'm sorry to hear it was medically related, rather than you hit the lottery. Hope things work out.

    CJon
     
  9. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Hit the lottery ...LOL .....I wish!

    Thanks for the thought and safe surfing. :)
     
