Need help cleaning a machine that has everything

Discussion in 'Malware Help (A Specialist Will Reply)' started by agentm, Jan 5, 2007.

  1. agentm

    agentm Private E-2

    Hi

    I'm trying to help my neighbor clean several viruses and trojans from his machine. I have run Spybot Search & Destroy, CCleaner, AVG Anti-Spyware, Bitdefender and Panda Active Scan and HJT. When trying to run Getrunkey and Shownew in normal mode, I get a system error "System32:lzx32.sys" and the machine does a memory dump and dies.

    Log files from AVG Anti-Spyware, Bitdefender and Pandascan attached.

    HJT Log file to follow

    Thanks
     

    Attached Files:

  2. agentm

    agentm Private E-2

    HJT log from previous post
     

    Attached Files:

  3. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Your HijackThis log appears to be from Safe Mode, I need a log from Normal Mode.
     
  4. agentm

    agentm Private E-2

    I ran HJT in normal mode. Log file attached. HJT finished running about 3 seconds before the system crashed with another memory dump, with same error message as stated in first post.
     

    Attached Files:

  5. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Download
    - Pocket Killbox

    Click on Start, then Run ... type services.msc into the box that opens up, and press 'OK'.

    On the page that opens, scroll down to Microsoft authenticate service or MsaSvc (Whichever is present) ... right click the entry, select 'Properties' and press 'Stop Service'. When it shows that it is stopped, next please set the 'Start-up Type' to 'Disabled'. Press 'OK' until you get back to Windows.

    Next, run HJT, but instead of scanning, click on the 'None of the above, just start the program' button at the bottom of the choices. At the lower right, click on the 'Config' button, and then the 'Misc tools' button ... select 'Delete an NT Service' ... copy/paste the following into the box that opens, and press 'OK':

    Microsoft authenticate service or MsaSvc (Whichever you found above)

    Repeat the process for the following Services:
    In HJT Choose Open the Misc Tools Section choose Process Manager, Highlight:
    Choose Kill Process

    Click on the "Back" Button

    Place a checkmark in the box next to the following lines:
    Click on the 'Fix checked' button. Wait for HijackThis to finish; close HijackThis.

    Copy the contents of the below quote box to Notepad; Save As FixReg.reg to your Desktop.
    Close Notepad.

    Locate FixReg.reg on your Desktop. Double-click on it and answer 'Yes' when asked if you want to merge with the registry.

    Now run Pocket Killbox:

    Choose Tools -> Delete Temp Files and click Delete Selected Temp Files
    Then after it deletes the files click the Exit (Save Settings) button.

    NOTE: Pocket Killbox will only list the added files it is able to find on the system. So when you do the below, if some files do not show in the list after pasting them in, just continue.

    Select:
    • Delete on Reboot
    • then Click on the All Files button.
    • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):
    • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
    • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).
    If Killbox does not reboot or you get a Pending Operations type error message just reboot your PC yourself.

    Now boot into SAFE MODE

    Now run CCleaner. If you have Windows XP delete the contents of C:\WINDOWS\Prefetch.

    Then, as an added precaution, Go to Start -> Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:

    Temporary Files
    Temporary Internet Files
    Recycle Bin


    And Click OK.

    REBOOT to Normal Mode.

    Download Brute Force Uninstaller to your desktop. http://www.majorgeeks.com/Brute_Forc...BFU_d4714.html
    • Right-click the BFU folder on your desktop, and choose Extract All
    • Click "Next"
    • In the box to choose where to extract the files to,
    • Click "Browse"
    • Click on the + sign next to "My Computer"
    • Click on "Local Disk ( C: )" or whatever your primary drive is
    • Click "Make New Folder"
    • Type in BFU
    • Click "Next", and Uncheck the "Show Extracted Files" box and then click "Finish".
    RIGHT-CLICK HERE and choose "Save As" (in IE it's "Save Target As") in order to download DeluxeCommunicationsFix by ShadowPuterDude.

    Save it in the same folder you made earlier (C:\BFU).

    Close ALL open windows & Explorer folders, then double-click on dcFix.bat. Click YES and follow the prompts; when prompted to restart the PC, please do so.

    Post a fresh HijackThis log.

    Try to run GetRunKey and ShowNew again.
     
  6. agentm

    agentm Private E-2

    I am finally at the part of trying to run Pocket KillBox.

    Prior to this I had to do what you wanted in small steps as the system kept crashing with the memory dump error of "System32:lzx32.sys" The system will stay up and running for about 3 or 4 minutes before it crashes with the memory dump. This only happens in Normal Mode and is still happening.

    Anyway now that I am trying to run Pocket KillBox, when I double click on the file I get the message Component MSCOMCTL.OCX or one of it's dependencies is not correctly registered or a file is missing or invalid.

    I have tried downloading Pocket KillBox again and from another source to make sure my download was not corrupt and still get the same message when trying to run it.

    Any thoughts on how I should proceed?
     
  7. agentm

    agentm Private E-2

    Just found a thread on this site that explains about MSCOMCTL.OCX
    and am in the process of replacing/fixing the file.

    For anyone else that may read this and be having the same issue with MSCOMCTL.OCX, here is the link to the thread to resolve it.

    http://www.majorgeeks.com/faqshow.php?id=8
     
  8. agentm

    agentm Private E-2

    Finally got through your previous instructions. AVG Anti-Virus started causing errors and for the time being I have uninstalled it and will reinstall it later in the process.

    Attached are: new HJT Log, Getrunkey log and ShowNew log

    I'm ready for the next step when you are.
     

    Attached Files:

  9. agentm

    agentm Private E-2

    I'm not really trying to bump myself here, more like trying to make sure that I did not fall through the cracks. My post was on page 5 about to roll into page 6 and all the posts around me were all resolved issues.

    I have no problem waiting my turn and am very grateful for all the help that you offer.

    System32:lzx32.sys memory dumps are still occurring (normal mode only) after the last round of cleaning, but it takes about 10 minutes now for it to happen instead of the 3 - 4 minutes before the last set of cleaning instructions.
     
  10. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Download
    - Pocket Killbox

    Using Add or Remove Programs in the Control Panel; uninstall the following:
    The version of Firefox installed on this computer is outdated. Install the latest version of Firefox.

    Windows Messenger is running in the background on this computer, and represents a security risk. Remove Windows Messenger by running Uninstall Messenger. If you are using this as your IM client then replace it with MSN Messenger.

    Copy the contents of the below quote box to Notepad; Save As FixReg.reg to your Desktop; make sure File Type: is set to All Files (*.*).
    Close Notepad.

    Locate FixReg.reg on your Desktop. Double-click on it and answer 'Yes' when asked if you want to merge with the registry.

    Now Run HijackThis. Click the 'Do a system scan only' button. Place a checkmark in the box next to the following lines:
    Click on the 'Fix checked' button. Wait for HijackThis to finish; close HijackThis.

    Now run Pocket Killbox:

    Choose Tools -> Delete Temp Files and click Delete Selected Temp Files
    Then after it deletes the files click the Exit (Save Settings) button.

    NOTE: Pocket Killbox will only list the added files it is able to find on the system. So when you do the below, if some files do not show in the list after pasting them in, just continue.

    Select:
    • Delete on Reboot
    • then Click on the All Files button.
    • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):
    • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
    • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).
    If Killbox does not reboot or you get a Pending Operations type error message just reboot your PC yourself.

    Now boot into SAFE MODE

    Open Windows Explorer navigate to and DELETE the following: (Some of these may have already been deleted by Pocket Killbox)
    Now run CCleaner. If you have Windows XP delete the contents of C:\WINDOWS\Prefetch.

    Then, as an added precaution, Go to Start -> Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:

    Temporary Files
    Temporary Internet Files
    Recycle Bin


    And Click OK.

    REBOOT to Normal Mode.

    Post fresh logs for:
    GetRunKey
    ShowNew
    HijackThis
     
  11. agentm

    agentm Private E-2

    Completed all the steps in your last set of instructions and the logs are attached.

    FYI the System32:lzx32.sys error is still occurring. I pretty much can do one little thing, then get the System32:lzx32.sys error, reboot and do the next step until I can get through them all.

    Also I noticed when I ran the last HJT, the O4 entry that you asked me to mark to be deleted, I did that and it appears to be back again.

    Thank you for all your time and effort. Hopefully we can get through cleaning this machine in one piece.
     

    Attached Files:

  12. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Download GMER
    1. Save the GMER.zip file to your desktop
    2. Now unzip it to your desktop to reveal a GMER.exe file
    3. Double click the GMER.exe file
    4. Click the Rootkit tab and then click the Scan button.
    5. IMPORTANT: Do NOT use the computer while the scan is in progress.
    6. Do not select the "Show all" checkbox during the scan.
    7. When it finishes, click the Copy button. This will copy the results to your clipboard.
    8. Paste the clipboard into a notepad file and save it to a log (like gmer.log).
    9. Attach your log to your next reply.
    If you don't know how to open notepad, click Start, Run, and enter notepad and click OK. To paste the info you copied into notepad, just hit CTRL-V. Then save the log.
     
  13. agentm

    agentm Private E-2

    I have been trying for what seems like hours to get GMER to complete a scan, but during the process the system crashes and I get the error

    system32:lzx32.sys Address F7AD066B base at F7ACE000 DATESTAMP 4591c3e5

    this is the same error that I get if the system is running for more than 3 give or take minutes.

    When GMER starts it does say that it has found changes that may be caused by ROOTKIT activity. Do you want to scan now and when I reply yes it starts to scan.

    Then I get the system32:lzx32.sys error and that's as far as I get, the GMER scan never gets a chance to complete.

    In trying to run this so many times I started to copy down some of the items that GMER shows that it found while it is still scanning. The first two things it shows refer to AVG Anti-Spyware, the second two items refer to C:\Windows\System32:lzx32.sys and it lists that file as showing under both syscenter and code.

    Other snippets that I was able to write down before the crashes referred to: wanarp.sys
    tcip.sys!PTransmit + 10BC
    tcip.sys!PTransmit + 2810
    tcip.sys!PTransmit + 506D

    Sorry I couldn't write fast enough to get more written down for the system32:lzx32.sys crashes.

    So I'm at a loss as to what to do here.
     
  14. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    system32:lzx32.sys is an Alternative Data Stream (ADS) that is attached to the System32 folder; it's a rootkit.

    Since GMER won't finish scanning.

    Run AVG Anti-Rootkit and fix the entry that will look something like this: c:\windows\system32:lzx32.sys

    Once you have fixed the system32:lzx32.sys, run a complete rootkit scan with AVG Anti-Rootkit and attach the log
     
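A defender-side check for the kind of finding described in the post above, added here as an example and not part of the thread: it lists any named NTFS streams attached to a folder (a folder normally carries none), so an entry like `lzx32.sys` on System32 stands out. It assumes Windows PowerShell 3 or later on an NTFS volume; the function name `Get-FolderAds` is my own, while `Get-Item -Stream` and `Remove-Item -Stream` are the FileSystem provider's real parameters.

```powershell
# Added example (not from the thread): list alternate data streams on a folder.
# A plain folder has no named streams, so anything other than the implicit
# default ':$DATA' stream attached to it deserves a look.
# Assumes Windows PowerShell 3+ on NTFS.
function Get-FolderAds {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [switch] $Recurse   # also check every item below $Path (slow on System32)
    )
    $targets = @(Get-Item -LiteralPath $Path -ErrorAction Stop)
    if ($Recurse) {
        $targets += Get-ChildItem -LiteralPath $Path -Recurse -Force -ErrorAction SilentlyContinue
    }
    foreach ($item in $targets) {
        # -Stream * enumerates every NTFS stream on the item, default one included.
        Get-Item -LiteralPath $item.FullName -Stream * -ErrorAction SilentlyContinue |
            Where-Object { $_.Stream -ne ':$DATA' } |
            ForEach-Object {
                [pscustomobject]@{
                    Container = $item.FullName
                    Stream    = $_.Stream        # e.g. 'lzx32.sys' in this thread
                    Bytes     = $_.Length
                    IsFolder  = $item.PSIsContainer
                }
            }
    }
}

# Check the folder named in the thread; on a clean machine this prints nothing.
Get-FolderAds -Path "$env:SystemRoot\System32" | Format-Table -AutoSize

# Once a stream is confirmed malicious and its driver is no longer loaded, the
# provider can drop just that stream without touching the folder itself:
# Remove-Item -LiteralPath "$env:SystemRoot\System32" -Stream 'lzx32.sys'
```

Run it from an elevated prompt; an active rootkit driver may still hide or re-create the stream until it is stopped, which is why the thread clears the driver with a rootkit tool first.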
  15. agentm

    agentm Private E-2

    Ran the AVG Anti-Rootkit, which found the system32:lzx32.sys. Once it found it, I clicked Stop Scan and checked the system32:lzx32.sys file to be fixed. The system re-booted and when it came back up I re-ran the AVG Anti-Rootkit and had it deep scan. It found nothing else.

    So just to make sure I rebooted again, and ran the deep scan once more. Again the scan finished and reported no rootkits found. So there are no log files from AVG Anti-Rootkit to post.

    I'm ready for the next step.
     
  16. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    OK, since it has been nearly a full day.

    Post fresh logs for:
    ShowNew
    GetRunKey
    HijackThis
     
  17. agentm

    agentm Private E-2

    Here are the 3 requested logs.

    Thanks for all your help so far. I truly appreciate it.
     

    Attached Files:

  18. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Copy the contents of the below quote box to Notepad; Save As FixReg.reg to your Desktop; make sure File Type: is set to All Files (*.*).
    Close Notepad.

    Locate FixReg.reg on your Desktop. Double-click on it and answer 'Yes' when asked if you want to merge with the registry.

    Run Pocket Killbox:

    Choose Tools -> Delete Temp Files and click Delete Selected Temp Files
    Then after it deletes the files click the Exit (Save Settings) button.

    NOTE: Pocket Killbox will only list the added files it is able to find on the system. So when you do the below, if some files do not show in the list after pasting them in, just continue.

    Select:
    • Delete on Reboot
    • then Click on the All Files button.
    • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):
    • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
    • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).
    If Killbox does not reboot or you get a Pending Operations type error message just reboot your PC yourself.

    Post fresh logs for:
    ShowNew
    GetRunKey
    HijackThis
     
  19. agentm

    agentm Private E-2

    In running Pocket KillBox I did get the PendingFileRenameOperations prompt message.

    Attached are the requested logs.
     

    Attached Files:

  20. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    The rootkit appears to be eliminated. Your logs are looking pretty good.

    C:\-1667384477 this is probably a directory, tell me what is in it.
     
  21. agentm

    agentm Private E-2

    It's a file with no extension on it (and yes, I have it set to show all extensions).
    Shows as last modified 1/3/07 @ 6:51 pm and a file size of 2 bytes.
     
  22. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    OK,

    Delete that file

    Empty the Recycle Bin

    Run CCleaner

    If you are not having any other malware problems, it is time to do our final steps:
    • If we used Pocket Killbox during your cleanup, do the below
      • Run Pocket Killbox and select File, Cleanup, Delete All Backups
    • If we used ComboFix you can delete the ComboFix.exe file and associated C:\combofix.txt log that was created.
    • If we used SDFix you can delete all the SDFix related files and folders from your Desktop or wherever you installed it.
    • If we used VundoFix, you can delete the VundoFix.exe file and the C:\VundoFix Backups folder and C:\vundofix.txt log that was created.
    • If we had you run FixWareOut, you can delete the Fixwareout.exe file and the C:\fixwareout folder.
    • If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    • You can delete the ShowNew.Zip and GetRunkey.Zip files and the files that you extracted from the ZIP files. You can also delete the C:\newfiles.txt and C:\runkeys.txt logs that were created
    • If you are running Windows XP or Windows ME, do the below:
      • go back to step 8 of the READ & RUN ME to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    • After doing the above, you should work thru the below link:
     
  23. agentm

    agentm Private E-2

    Thank you so very much!

    I've gone through the clean-up and am in the process of re-installing the AVG Anti-Virus. Once that is done I'll be installing ZoneAlarm for them and when I bring them back their computer tomorrow, I plan on spending a little time talking to them about Internet Safety. I have to give them credit though, for using a computer and the internet and being in their late 70's (although their 30ish daughter lives with them too and also uses the computer).

    Again, thank you so very much!
     
  24. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    You're Welcome
     
