Multiple Trojans, CoolWeb

Discussion in 'Malware Help (A Specialist Will Reply)' started by randomname517, Jun 23, 2008.

  1. randomname517

    randomname517 Private E-2

    After running through READ ME FIRST my problems have been greatly reduced (thank you for that), but still, I don't seem to be completely clean.

    Problem started with a bang a week ago: I was browsing film reviews and followed a link to a website that never loaded. Noticed a command prompt quickly open and close over my desktop and in a flash things got mucked up. Wallpaper was changed; ads and false toolbar popups notified me that I was infected with adware/malware/etc. Computer speed dropped through the floor and I suffered constant IE and Explorer freezes (I run Firefox, but the pop-ups were IE). First few reboots showed a handful of new hardware items "found" at startup, but I've not added anything new for some time.

    Obviously I knew something was up, so I ran what I had (Ad-Aware)--loads of threats, loads of infections. 11 CoolWeb variants, several trojans, including Virtumonde (Vundo also showed up repeatedly during the READ & RUN scans). I started downloading different anti-malware programs to try and deal with the problem, but they never killed the bugs and the computer began deteriorating. After rebooting in normal mode, Explorer would fail to load--just background and cursor, no toolbar, no icons. I would still get pop-ups, but upon x-ing them, I went back to a blank desktop. Task manager was also disabled, and attempts to fix it were constantly reversed.

    Finally found your site, printed the READ & RUN directions on another computer and downloaded all of the needed components onto a flash drive. But it took several days before I got lucky enough to have my computer boot successfully in normal mode (it probably did this only 3 times out of 30-40 attempts). In the meantime, I took care of what I could in safe mode, and then after booting successfully last night, I ran all of the R&R programs in order.

    Computer is much, much better now. Full boot every time, task manager enabled, popups and wallpaper hijack all gone. Speed seems to be fine. But after finishing with MGTools, I ran a SpywareDoctor free sweep and found that I still have a small handful of trojans and one CoolWeb variant left. All of them low- to medium-level risks as opposed to the dozen or so high- and elevated- that I had before. But as bad as it was, I figure that I'm not completely out of the woods.

    Thank you for the help so far though; all logs are attached.

    Jeff
     

    Last edited: Jun 23, 2008
  2. randomname517

    randomname517 Private E-2

    MGlog

    MGlogs here.
     

  3. abri

    abri MajorGeek

    Hi randomname517,
    Welcome to Major Geeks!


    I believe the viruses must be marketed as packages and you got the standard package "everything". The scans removed a lot, but you do still have some files left that need to be removed. Please do not use your computer or reboot it unnecessarily until we can post you some instructions specific to your computer. This takes some time so thanks for being patient.

    Thanks.
    abri
     
  4. abri

    abri MajorGeek

    Hi randomname517,

    I can't see any antivirus program running on your computer.

    1) Please begin by renaming the following driver:

    C:\WINDOWS\SYSTEM32\DRIVERS\phmcd.sys -----> phmcd.sys.zzz



    2) Please run the following to remove leftover files from Symantec.

    Norton Removal Tool (SymNRT)


    3) Go to add/remove programs and uninstall the below:

    Viewpoint Media Player
    My Way Search Assistant <--- if there are two, take out both
    MarketResearch
    Java 2 Runtime Environment, SE v1.4.2_03
    GameSpy Arcade


    4) Reboot after uninstalling the above.

    5) Install the current version of Sun Java from: Sun Java Runtime Environment

    6) If you do not use Windows Messenger (not to be confused with MSN Messenger!!) I would like you to run Disable/Remove Windows Messenger


    7) Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (Note: if using Vista, don't double click, use right click and select Run As Administrator). Select "Do a system scan only". In the box that opens, find the following entries and put a checkmark next to them (if you need some of them to be in the trusted zone, leave them). After check-marking them, close all your open browser windows and click on FIX:


    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://drudgereport.com/
    O2 - BHO: {2f4f207e-8955-677a-d284-335ab31f0611} - {1160f13b-a533-482d-a776-5598e702f4f2} - C:\WINDOWS\system32\kwshyyfw.dll (file missing)
    O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKCU\..\Run: [Sen] "C:\WINDOWS\system32\ASEMBL~1\spool32.exe" -vt ndrv
    O4 - HKCU\..\Run: [Obay] "C:\Documents and Settings\Bruce\My Documents\a?sembly\n?lookup.exe"
    O23 - Service: Automatic LiveUpdate Scheduler - Unknown owner - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe (file missing)
    O23 - Service: LiveUpdate - Unknown owner - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE (file missing)
    O23 - Service: Plug and Play (RPC) (PlugPlayRPC) - Unknown owner - C:\WINDOWS\portsv.exe (file missing)


    After you click fix, just close hijackthis.

    8) Next I would like to have you use ComboFix to remove some files.


    • Make sure that combofix.exe (cf.exe) that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
    • If it is not on your Desktop, the below will not work.
    • Open Notepad and copy/paste the text in the below code box into it (make sure you scroll all the way down in the code box to get all lines selected ):


    Code:
    KILLALL::
    
    DRIVER::
    kwshyyfw
    
    DIRLOOK::
    C:\bf1942cdkeychanger
    
    FILE::
    C:\WINDOWS\system32\kwshyyfw.dll
    C:\WINDOWS\BM9b271721.txt
    
    FOLDER::
    C:\WINDOWS\SYSTEM32\pb109
    C:\WINDOWS\SYSTEM32\netrax01
    C:\WINDOWS\SYSTEM32\dgi
    C:\WINDOWS\SYSTEM32\3039a
    C:\Temp\itmp4
    
    REGISTRY::
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1160f13b-a533-482d-a776-5598e702f4f2}]
    [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]            
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Obay"=-
    
    [-HKEY_CURRENT_USER\Software\Kazaa]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\knight]
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
    "HideLegacyLogonScripts"=-
    "HideLogoffScripts"=-
    "RunLogonScriptSync"=-
    "RunStartupScriptSync"=-
    "HideStartupScripts"=-
    
    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
    "HideLegacyLogonScripts"=-
    "HideLogoffScripts"=-
    "RunLogonScriptSync"=-
    "RunStartupScriptSync"=-
    "HideStartupScripts"=-
    
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe (cf.exe)
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below


    Note: Do not mouseclick combofix's window while it is running. That may cause it to stall.



    9) Now run CCleaner at the default setting with the Windows tab as the top one.



    10) Go to How to Protect Yourself from Malware and look for the free resident antivirus programs and download one. At the moment, I recommend Avast. After you install it, allow it to update and run it.


    11) Finally, please run C:\MGtools\GetLogs.bat and attach the fresh MGlogs.zip along with the Combofix log. Also, tell me if the antivirus program found anything and if it did, if it fixed it.


    Let me know how things are running now?

    abri
     
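As an added example (not from the thread and not part of HijackThis or MGtools), here is a small Python triage pass over the HijackThis entries abri listed above. It encodes three of the signals behind that fix list: hooks whose file is already gone, paths containing a character the log could not render, and autoruns launched from inside a user profile. The sample log is constructed from the lines quoted in the post; the rule names are my own.

```python
import re
from collections import namedtuple

# Constructed sample: HijackThis lines copied from the log excerpt quoted in the post above.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://drudgereport.com/
O2 - BHO: {2f4f207e-8955-677a-d284-335ab31f0611} - {1160f13b-a533-482d-a776-5598e702f4f2} - C:\WINDOWS\system32\kwshyyfw.dll (file missing)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [Sen] "C:\WINDOWS\system32\ASEMBL~1\spool32.exe" -vt ndrv
O4 - HKCU\..\Run: [Obay] "C:\Documents and Settings\Bruce\My Documents\a?sembly\n?lookup.exe"
O23 - Service: Plug and Play (RPC) (PlugPlayRPC) - Unknown owner - C:\WINDOWS\portsv.exe (file missing)
"""

LINE_RE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.*)$")
# First Windows path in the entry, up to its .exe/.dll/.sys extension.
PATH_RE = re.compile(r"[A-Za-z]:\\.*?\.(?:exe|dll|sys)\b", re.I)
USER_PROFILE_RE = re.compile(r"\\(?:Documents and Settings|Users)\\", re.I)

# kind: HijackThis section (O4 = Run key, O23 = service); reasons: rules that fired.
Finding = namedtuple("Finding", "kind path reasons")

def analyze(line):
    """Apply three triage rules to one HijackThis line; None for non-entry lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    kind, body = m.group("kind"), m.group("body")
    pm = PATH_RE.search(body)
    path = pm.group(0) if pm else None
    reasons = []
    # Registry hook whose file is gone (a scanner removed the payload, or a sloppy
    # uninstall): harmless by itself, but leftover that should be cleaned up.
    if "(file missing)" in body or "(no file)" in body:
        reasons.append("orphan")
    # '?' is illegal in NTFS names, so the real folder name holds a character the
    # log could not render, which makes the folder hard to type or search for.
    if path and "?" in path:
        reasons.append("unrenderable_char")
    # Autostarts launched from a user profile rather than Program Files or the
    # Windows directory are a common location for dropped executables.
    if path and kind == "O4" and USER_PROFILE_RE.search(path):
        reasons.append("autorun_in_user_profile")
    return Finding(kind, path, reasons)

def triage(log_text):
    """Parse a whole log. Note that [Sen] above passes all rules yet was still removed."""
    return [f for f in (analyze(l) for l in log_text.splitlines()) if f]
```

These rules are a first pass only; an entry like [Sen] (an executable in an odd short-named folder under system32) passes them and still needs a human eye.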
  5. randomname517

    randomname517 Private E-2

    Thanks; will run these instructions shortly. And GameSpy Arcade is actually a program that I use (it's some sort of multiplayer portal for a game that I have installed). Unless you think I should still trash it as a security measure?

    Should hopefully have those logs posted later tonight.
     
  6. randomname517

    randomname517 Private E-2

    Abri--

    Okay; I ran through the checklist. Performance seems to be fine, but then again it was more or less OK after the original run-through. I did encounter some problems with our procedure though:

    I was not able to uninstall MyWay Search Asst. in the control panel, because of "error loading c:\progra~1\MyWaySa\SrchAsDe\1.bin\desrcas.dll ... Specified module could not be found." So MyWay is still present in my program list...

    Also, Market Research was nowhere to be found, so I couldn't uninstall that. And GameSpy Arcade is actually a program that I use to help run some other software, so that was left as well.

    In the HJT portion, both O23 lines pertaining to LiveUpdate were absent from the log, so I couldn't select/fix them.

    I installed and ran Avast! at your suggestion, and it reported 21 infections (trojans, trojan generators, and rootkits). All are located in C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP
    (So I'm guessing system restore? I would post a rundown of the Avast log, but it's not in a format I can copy, paste or save.) I put all of the infections "in the virus chest" as per Avast's suggestion.

    Otherwise, the two needed logs are attached. Thank you for the help so far.

    Jeff
     

  7. abri

    abri MajorGeek

    Hi randomname517,

    To remove MyWay Search Assistant, you will either have to reinstall it and then remove it via add/remove programs (which does not always work) or remove it manually. The instructions for removing it manually are as follows:

    Delete MyWay Files from the Hard Drive:

    1. Click Start, and then Search.
    2. In the Search Results window, click All files and folders.
    3. Verify the Look In box has Local Hard Drives selected.
    4. Type MyWay in the All or part of the file name: text box and then press <Enter>.
    5. Delete all the MyWay files found.
    6. Close all open windows when finished.
    7. Click Start and then Run.
    8. In the Run window, type MsiExec.exe /X{78d944d7-a97b-4004-ab0a-b5ad06839940} in the textbox and click OK.
    9. Follow the prompts to remove MyWay.
    10. Click Start, and then Turn Off Computer and Restart.
    When the computer restarts, MyWay Search Assistant will be uninstalled.

    Run CCleaner.

    Let me know if it is now gone from add/remove programs?

    abri
     
  8. randomname517

    randomname517 Private E-2

    Abri--

    I carried out the instructions for manual removal; the search turned up a folder named MyWay, which I deleted outright. But even after following the rest of the steps and rebooting, the program still showed up in the control panel. Searched it again after the first reboot, and the MyWay folder that I'd originally found is still gone--yet the program remains in the Add/Remove list.

    What's the next move?

    Jeff
     
  9. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Sorry for the delay.

    * Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
    o If it is not on your Desktop, the below will not work.
    * Open Notepad and copy/paste the text in the below code box into it (make sure you scroll all the way down in the code box to get all lines selected ):
    Code:
    
    KILLALL::
    
    Folder::
    C:\WINDOWS\SYSTEM32\8063
    C:\bf1942cdkeychanger
    C:\Temp
    
    
    * Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    * At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    * You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    * Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    * Follow the prompts.
    * When it finishes, a log will be produced named c:\combofix.txt
    * I will ask for this log below

    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    Also delete all files in the below folders except ones from the current date (Windows will not let you delete the files from the current day).
    C:\WINDOWS\Temp
    C:\Documents and Settings\%username%\Local Settings\Temp

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this and also attach the log from ComboFix.

    Be sure to tell us how things are running.
     
  10. randomname517

    randomname517 Private E-2

    Thanks--I'll get those logs to you later on tonight (hopefully). One question though: BF1942changer is actually a program that I use occasionally--is this still something I should delete?

    Appreciate the help,
    Jeff
     
  11. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Would depend on where you got it from. Most references I found indicate a warez download.

    Get the logs when you have a chance. :)
     
  12. randomname517

    randomname517 Private E-2

    Logs, logs, logs. Computer is still running well; I tried my best to delete those files from the folders that you mentioned, but Windows did not allow me to get rid of much...Also, my clock is still on 24:00 time from the ComboFix run (and I did follow the directions properly).

    Everything attached--

    Thank you,
    Jeff
     

  13. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    If you are still concerned about MyWay Search Assistant...you can go here and reinstall it: http://help.myway.com

    Go to the control panel / Regional and Language / customize / Time tab and reset the time to the format you prefer.

    If you are not having any other malware problems, it is time to do our final steps:

    1. If we used ComboFix then UNINSTALL COMBOFIX (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
    2. Click START then RUN
    * Now type "%userprofile%\Desktop\cf" /u in the runbox and click OK.
    * Note: The space between the cf and the /U, it must be there.
    3. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    4. You can delete the C:\MGtools folder and the C:\MGtools.exe file. You can also delete the C:\MGlogs.zip
    5. If you are running Windows XP or Windows ME, do the below:
    * Refer to the cleaning steps in the READ ME for your Window version and see the steps to Disable System Restore which will flush your Restore Points.
    * Then reboot and Enable System Restore to create a new clean Restore Point.
    6. After doing the above, you should work thru the below link:
    How to Protect yourself from malware!
     
  14. abri

    abri MajorGeek

    Hi randomname517,

    Just a quick note to add to TimW's instructions. I had you rename a driver in post 4 by adding .zzz to the end. Please rename it back to what it was.


    C:\WINDOWS\SYSTEM32\DRIVERS\phmcd.sys.zzz -----> phmcd.sys

    Thanks.
    abri
     
