Need Help Please - Malware & Mailer Removal

Discussion in 'Malware Help (A Specialist Will Reply)' started by i-worx, Dec 21, 2006.

  1. i-worx

    i-worx Private E-2

    Hi all,

    First note: "READ & RUN ME FIRST Before Asking for Support" steps have been followed up to Step 7.

    I thought I had gotten off easy with a malware infection, but it seems not. A client of ours (home user) had been blocked from her ISP's mail servers (incoming and outgoing mail) because of mass spam originating from her IP. She has only two machines behind a wireless AP/router/firewall at her home, one laptop and one desktop, and it seems like her husband's desktop is probably the root of the problem, as his email account has been receiving lots of NDRs lately. I am also in the process of running through the steps on the laptop, but I wanted to post this so long, as the laptop is now running CounterSpy and seems to be pretty clean.

    Easy scans did not wipe out the problem on the desktop (Trend PC-Cillin was already installed & run), but I did find earlier two processes, nordsys.exe and syspools.exe, that were taking up 100% CPU time between the two of them. Those were deleted and seemed to bring the system to a normal state, but her ISP blocked her again, so it seems that the problem remained.

    There was a SpySheriff installation on the machine, as well as the Viewpoint Media Player and Viewpoint Manager (Viewpoint products removed via Add/Remove) that I am aware of.

    I believe that we're in the clear now, but I wanted to submit the logs to the experts to see if that is indeed the case.

    Any help would be greatly appreciated.
     


  2. i-worx

    i-worx Private E-2

    More Logs

    Some more logs. This post also includes a file "log.txt" that was found in the root of C:\.
     


  3. i-worx

    i-worx Private E-2

    Last Logs, including HTJ

    I also exported some logs from Spybot as it ran after steps 1-6 of the "READ & RUN ME FIRST" sticky. They might not be useful, but maybe someone wanted some extra information.

    HJT log attached here.
     


  4. i-worx

    i-worx Private E-2

    Re: More Logs

    CORRECTION: The second post did not include the log.txt file. The datestamp was from 2004, so I thought it would be fairly irrelevant.
     
  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Re: More Logs

    • Click on Start, then Run ... type services.msc into the box that opens up, and press 'OK'.
    • On the page that opens, scroll down to Windows Service Manager
    • then right click the entry, select Properties and press Stop Service.
    • When it shows that it is stopped, next please set the Start-up Type to 'Disabled'.
    • Click OK until you get back to Windows.
    • Next, run HJT, but instead of scanning, click on the None of the above, just start the program button at the bottom of the choices.
    • At the lower right, click on the Config button
    • Then click the Misc tools button
    • Select Delete an NT Service
    • Copy/paste WSCM into the box that opens, and press OK
    • If you receive any error messages just ignore them and continue.
    • Now exit HJT but do not reboot when it tells you it needs to. We will do that further down after running HJT again to fix some other items.
    Uninstall the below old versions of software:
    Java 2 Runtime Environment, SE v1.4.2

    Make sure you reboot after uninstalling the above!

    After reboot, now install the current version of Sun Java from: Sun Java Runtime Environment

    Continue by downloading a tool we will need - Pocket KillBox

    Save it to its own folder somewhere that you will be able to locate it later.

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O2 - BHO: (no name) - {77701e16-9bfe-4b63-a5b4-7bd156758a37} - (no file)
    O4 - HKLM\..\Run: [Nord] C:\WINDOWS\system32\nordsys.exe
    O4 - HKLM\..\Run: [system spool] C:\WINDOWS\system32\syspools.exe
    O4 - HKCU\..\Run: [Nord] C:\WINDOWS\system32\nordsys.exe
    O4 - HKCU\..\Run: [system spool] C:\WINDOWS\system32\syspools.exe
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)

    After clicking Fix, exit HJT.

    Now run Pocket Killbox by double-clicking on killbox.exe
    Choose Tools > Delete Temp Files and click Delete Selected Temp Files.
    Then after it deletes the files click the Exit (Save Settings) button.
    NOTE: Pocket Killbox will only list the added files it is able to find on the system. So when you do the below, if some files do not show in the list after pasting them in, just continue.

    Select:
    • Delete on Reboot
    • then Click on the All Files button.
    • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    C:\Documents and Settings\Chad Taylor\Start Menu\Programs\Startup\spysheriff.lnk
    C:\WINDOWS\SYSTEM32\bexajrsz.exe
    C:\WINDOWS\SYSTEM32\hikvzqgd.exe
    C:\WINDOWS\SYSTEM32\niboiskt.exe
    C:\WINDOWS\system32\nordsys.exe
    C:\WINDOWS\system32\syspools.exe
    C:\WINDOWS\SYSTEM32\sfxmgrdf.exe
    C:\WINDOWS\System32\service.exe
    C:\WINDOWS\SYSTEM32\ywdvyvrd.exe
    C:\WINDOWS\SYSTEM32\zfyfobhn.exe
    • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
    • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt.
    If you receive a PendingFileRenameOperations prompt, just click OK to continue (But please let me know if you receive this message!).

    If Killbox does not reboot just reboot your PC yourself.

    Now attach the below new logs and tell me how the above steps went.

    1. GetRunKey
    2. ShowNew
    3. HJT


    Make sure you tell me how things are working now!

    Reminder Note: Once we have determined you are malware free you will need to disable System Restore, reboot, and re-enable System Restore per step 1 of the READ & RUN ME. This only applies if using WinXP or WinMe.
     
  6. i-worx

    i-worx Private E-2

    Stage 2

    I have to admit, I got a little anxious and had gone ahead and deleted some of the reg keys and files that you mentioned for Kill Box to delete. Here's a summary:

    * Had some trouble removing the installation of Java 2 Runtime Environment. The error it threw said that it could not read the installer msi file. Fortunately, I have use of a Windows Installer Cleanup Utility that was able to remove the installation.

    * HJT Fix: I had manually deleted the HKCU run keys for %windir%\system32\nordsys.exe and syspool.exe previously. Also, the two "09" entries for msjava.dll were not present. My assumption is that this is a result of the Windows Installer Cleanup utility.

    * Deleted temp files through Killbox for all local users

    * Killbox file deletion: I had manually deleted the SpySheriff shortcut some time ago, and the nordsys.exe and syspools.exe files (as mentioned before).

    * Killbox prompted for reboot and rebooted the machine, and no PendingFileRenameOperations prompt appeared.
     


  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Re: Stage 2

    Looks good, but it appears you skipped the first part with stopping, disabling, and deleting the NT Service. Do that now and attach a new HJT log after rebooting. You will have to reboot this time even though my previous procedure said not to.

    You also did not tell me how things are working!
     
  8. i-worx

    i-worx Private E-2

    Weird, I'm positive I completed that step. I guess I must have missed something. Anyhow, the WKS has been delivered to the client (deadline).

    They will be unavailable for the next little while (holidays and all), but I will connect up to the machine remotely once they're available to remove that service.

    As for how things are going: There wasn't a huge performance problem to start with, but the machine is definitely responding more quickly. The biggest problem originally was the ISP blocking the IP because of mass spamming originating from the WKS. The block has not yet been lifted (time-based), but the litmus test will be whether the users can get sustained access to their email without the ISP blocking them out b/c of spam.

    I will report back as soon as I hear back from them.

    P.S. Thanks so much for your help.
     
  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay! What you should look for is to make sure that the below gets removed from the HJT log after following my procedure:

    O23 - Service: Windows Service Manager (WSCM) - Unknown owner - C:\WINDOWS\System32\service.exe (file missing)
     
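As an added example (not part of this thread, and not HijackThis code): a small Python triage pass over the HJT lines quoted in posts #5 and #9, flagging the three patterns chaslang acted on: the same binary launched from both HKLM and HKCU Run (nordsys.exe, syspools.exe), an O23 service whose binary is gone (WSCM), and O2/O9 entries pointing at missing files. The log text is a constructed sample that reproduces those lines plus one made-up benign Run entry that must not be flagged.

```python
import re
from collections import defaultdict

# Constructed sample: the HJT lines quoted in this thread plus one made-up,
# benign Run entry ("Example AV") to show what the triage leaves alone.
HJT_LOG = r"""
O2 - BHO: (no name) - {77701e16-9bfe-4b63-a5b4-7bd156758a37} - (no file)
O4 - HKLM\..\Run: [Nord] C:\WINDOWS\system32\nordsys.exe
O4 - HKLM\..\Run: [system spool] C:\WINDOWS\system32\syspools.exe
O4 - HKLM\..\Run: [Example AV] C:\Program Files\ExampleAV\guard.exe
O4 - HKCU\..\Run: [Nord] C:\WINDOWS\system32\nordsys.exe
O4 - HKCU\..\Run: [system spool] C:\WINDOWS\system32\syspools.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O23 - Service: Windows Service Manager (WSCM) - Unknown owner - C:\WINDOWS\System32\service.exe (file missing)
"""

# O4 - <hive>\..\Run: [<value name>] <command>
RUN_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\Run: \[(.+?)\] (.+)$")
# O23 - Service: <display name> (<short name>) - <owner> - <path> [(file missing)]
SVC_RE = re.compile(r"^O23 - Service: (.+?) \((\w+)\) - (.+?) - (.+?)( \(file missing\))?$")


def triage(log_text):
    """Return (category, detail) tuples for the suspicious patterns in an HJT log.

    dual-hive-run    : one binary registered in both HKLM and HKCU Run
    dangling-service : an O23 service whose binary no longer exists
    orphaned-entry   : any other entry (O2, O9, ...) pointing at a missing file
    """
    findings = []
    launched_from = defaultdict(set)  # lower-cased command -> {"HKLM", "HKCU"}
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = RUN_RE.match(line)
        if m:
            hive, _name, cmd = m.groups()
            launched_from[cmd.lower()].add(hive)
            continue
        m = SVC_RE.match(line)
        if m:
            _display, short, owner, path, missing = m.groups()
            if missing:
                # The short name in parentheses is what HJT's "Delete an NT Service" expects.
                findings.append(("dangling-service", f"{short} -> {path} ({owner})"))
            continue
        if "(file missing)" in line or "(no file)" in line:
            findings.append(("orphaned-entry", line))
    for cmd, hives in sorted(launched_from.items()):
        if hives == {"HKLM", "HKCU"}:  # per-machine and per-user persistence of the same binary
            findings.append(("dual-hive-run", cmd))
    return findings
```

Run it on a real HJT log by replacing HJT_LOG with the file contents; the dual-hive check is a heuristic, so review each hit against the binary's publisher before fixing anything.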
