Need help with malware removal

Discussion in 'Malware Help (A Specialist Will Reply)' started by hedgekat, Jun 19, 2010.

  1. hedgekat

    hedgekat Private E-2

    Back in late February my computer was infected by the sysguard virus first and then the Vundo trojan. Both times I ran Malwarebytes and thought I got it all, but since that time I've been having increasing problems with crashing of programs, including browsers.

    I have worked through the Read and Run Me First guide with variable results. The SAS, MB and ComboFix scans all worked and produced a log. I had some problems with RootRepeal. I ran it three times with different results each time, but each time it crashed, unable to scan the external hard drive. I finally ran a scan of the C drive alone and got a log for that. The second time I ran it, it did display the information that an MBR rootkit was detected on the E drive. Two crash logs were generated and one dmp file. Both crash logs stated:
    ROOTREPEAL CRASH REPORT
    -------------------------
    Windows Version: Windows XP SP3
    Exception Code: 0xc0000005
    Exception Address: 0x00410fc7
    Attempt to read from address: 0x00c0210c

    Proceeded to MGTools and was unable to get it to generate any logs. Both with the initial activation and with later attempts using GetLogs.bat, a command window would appear very briefly, then disappear. I could find no logs anywhere.

    Even though the instructions didn't say to, I rebooted the computer again after finishing the last scan, in order to see if the Vundo entry that I had previously suppressed in startup with msconfig was gone. It was. One problem solved. However, I was appalled to see a popup stating that my copy of Windows was invalid. NOT TRUE. When I clicked on it, it wanted me to download some program. I didn't. But now it just sits there on my desktop and I can't get rid of it.

    Is there supposed to be an MBR.exe file in my Windows folder? I saw that when I was searching for the MGTools log and noticed that it had just been created. Wondering where it came from. There were several other files that also had just been created. Modification dates of all of them were much earlier.
     


  2. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    1. Now copy the bold text below to Notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double-click it and allow it to merge with the registry.

    Make sure that you tell me if you receive a success message about adding the above
    to the registry. If you do not get a success message, it definitely did not work.


    2. Open notepad and copy and paste the following text in the quote box into the window:

    • Save this as fix.bat
    • Choose to save as all files.
    • Double-click fix.bat and let the program run.
    • A small black DOS window will flash; this is normal.
    3. Delete file/folder
    Press Start->Run, copy/paste the following command into the box and press OK:
    A blank command window will open on your desktop, then close in a minute or two. This is normal.
    A file called look.txt should appear on your Desktop. Please post the contents of this file.

    4. Use windows explorer to navigate to the below bold file and see if it still exists.

    5. Now go to your C drive and rename MGTools.exe to kestrel.com. I want you first of all to see if you can run it in normal mode; if not, please try safe mode, then report back to me with how things are going. Attach the look.txt and the C:\Mglogs.zip if successful.
     
  3. hedgekat

    hedgekat Private E-2

    1. fixme.reg run. Success message received.

    2. fix.bat run

    3. file deleted. Look.txt did NOT appear on desktop. Checked entire screen multiple times.

    4. jatmlano.sys not in specified temp folder

    5. kestrel.com run successfully in normal mode. Mglogs.zip attached.


    My desktop is totally messed up. It keeps going black whenever I boot and sometimes while running. And I still have that horrible popup saying my Windows is invalid. It shows up while Windows is loading and has an icon sitting in the systray. That is some program that was installed yesterday. How do I get rid of it? I KNOW my Windows is valid. It was installed from a Microsoft disc and had a registration number.


    Sorry, I'm stressed and forgetting my manners. Thank you, Kestrel, and all of you at Major Geeks for all you do for the computing community. I was ready to reformat my hard drive to get rid of this stuff till a couple of friends directed me to this site. Guess that wouldn't help though if the stuff is lurking in my external drive also.
     


  4. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Does this behaviour still occur in safe mode?

    Let's try this (in normal mode)


    1. Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

    Run C:\MGtools\analyse.exe by double-clicking on it (Note: if using Vista, don't double-click; use right-click and select Run As Administrator). This is really HijackThis (select Do a system scan only). Select the following lines but DO NOT CLICK FIX until you exit all browser sessions, including the one you are reading in right now:

    After clicking Fix exit HJT.

    2. If you do not know what this is for then please delete it.
    • C:\ADS243.tmp

    3. Now we need to use ComboFix
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    • If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
    • Open Notepad and copy/paste the text in the below quote box. Ensure you scroll down to select ALL the lines:
    Code:
    KILLALL::
    
    FileLook::
    C:\WINDOWS\system32\wuvezase
    
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe

      http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below

    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.


    4. Please go to Jotti's malware scan

    (If more than one file needs to be scanned, they must be done separately and logs posted for each one)
    • Copy the file path in the below Code box:
      Code:
      C:\WINDOWS\system32\wuvezase
    • At the upload site, click the browse button.
    • Use Windows Explorer to navigate to the file(s) we need scanned and click "submit file"
    • Your file will possibly be entered into a queue which normally takes less than a minute to clear.
    • This will perform a scan across multiple different virus scanning engines.
    • Important: Wait for all of the scanning engines to complete.
    • Once the scan is finished, Copy and then Paste the link in the address bar into your next reply.

    5. Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this, give me the results from jotti and answer any questions I asked.

    6. How are things running currently?
     
  5. hedgekat

    hedgekat Private E-2

    Yes

    1. I have AVG 9.0 and disabled the Resident Shield as instructed at the AVG site but the other Antivirus and the Antispyware both still show as active and I could find no way to disable them.

    analyse.exe run and those items were deleted. At least I know modthesims.info is no longer listed in trusted sites. That had only been there a week.

    2. ADS243.tmp deleted. I've no idea what that was or how long it's been there.

    3. combofix updated and run as directed.

    4. jotti's malware scan done.
    http://virusscan.jotti.org/en/scanresult/e47497f4079d082f94d49b3037a22c16f5ac3f13

    5. getlogs.bat run

    6. I can tell no difference in performance. My desktop is still black. The WGA icon is still in the systray and popups still tell me my Windows is invalid. I have had three system crashes since running the first scans, with rebooting and the 'system has recovered from a serious error' message. That has occurred occasionally in the past but never three times in two days. Both browsers crash frequently: Firefox to desktop, and IE just loses the page. I just installed Chrome a couple of days ago and it crashes almost as soon as I start it. I play The Sims 2 extensively. It is prone to crashing occasionally and has been since it came out 6 years ago. But yesterday it crashed three times in a couple of hours. Today I started it and it crashed a few minutes after fully loading. Actually, general performance is worse than before starting this process.

    7. What is wuvezase? Is it something that belongs in system32?

    8. How do I get the MBR rootkit out of my external drive? If I could do that, I could reformat this hard drive and reinstall everything. If I can find all the CDs.
     


  6. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    The E drive is not where windows boots from so there is nothing to worry about in that respect.

    Could you please get this: wuvezase into a zipped file and attach it for me in your next post? To do this, see the below:

    Please go to start > Run and paste in the following:

    log retrievable @ C:\collect.zip

    Although jotti reported nothing, I cannot find any information about it, and I don't think it would hurt to rename it to:
    • C:\WINDOWS\system32\wuvezase.old

    Let a few days go by; if nothing untoward happens, then we will delete it completely.

    Attach the collect.zip into your next reply.
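The post above asks for three things about the unknown file: hash it for a multi-engine lookup, check what it actually is (the name has no extension and Explorer shows it greyed out, which is how Explorer draws files carrying the hidden attribute), and rename it to .old rather than delete it so the change can be reversed. The script below is an added example that does those checks locally; it is not part of the original thread and not a MajorGeeks or ComboFix tool. It assumes the suspect path is given on the command line; the two sample byte strings are constructed here for testing and are not the contents of the real file.

```python
"""Triage an extensionless, possibly hidden file before uploading it to a
multi-engine scanner or renaming it to .old.
Added example for this thread; the samples below are constructed, not real files."""
import hashlib
import os
import struct
import sys

# Windows file-attribute bits (from the Win32 FILE_ATTRIBUTE_* constants).
FILE_ATTRIBUTE_HIDDEN = 0x02
FILE_ATTRIBUTE_SYSTEM = 0x04

# Constructed sample: a minimal DOS/PE header stub, not a real executable.
# 'MZ' at offset 0, e_lfanew at offset 0x3C pointing to 'PE\0\0' at 0x40,
# followed by an IMAGE_FILE_HEADER whose Machine field is 0x014C (i386).
SAMPLE_PE_STUB = (
    b"MZ" + b"\x00" * (0x3C - 2)
    + (0x40).to_bytes(4, "little")
    + b"PE\x00\x00"
    + (0x014C).to_bytes(2, "little") + b"\x00" * 18
)
# Constructed sample of something that is plainly not a program.
SAMPLE_TEXT = b"just some text, not a program\r\n"


def pe_info(data):
    """Return (is_pe, machine) by walking MZ -> e_lfanew -> 'PE\\0\\0' -> Machine."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False, None
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 6 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        return False, None
    (machine,) = struct.unpack_from("<H", data, e_lfanew + 4)
    return True, machine


def triage_bytes(data):
    """Hashes plus a PE check for a blob already read into memory."""
    is_pe, machine = pe_info(data)
    return {
        "size": len(data),
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
        "is_pe": is_pe,
        "machine": machine,
    }


def file_attributes(path):
    """Hidden/system bits; st_file_attributes is only populated on Windows."""
    attrs = getattr(os.stat(path), "st_file_attributes", 0)
    return {
        "hidden": bool(attrs & FILE_ATTRIBUTE_HIDDEN),
        "system": bool(attrs & FILE_ATTRIBUTE_SYSTEM),
    }


def triage_file(path):
    """Read the whole file and combine content checks with on-disk attributes."""
    with open(path, "rb") as fh:
        data = fh.read()
    info = triage_bytes(data)
    info.update(file_attributes(path))
    info["path"] = path
    return info


def quarantine_rename(path, suffix=".old"):
    """Neutralise the file the way the thread suggests: rename, don't delete,
    so it can be put back if something breaks over the next few days."""
    new_path = path + suffix
    os.rename(path, new_path)
    return new_path


if __name__ == "__main__":
    # usage: python triage.py C:\WINDOWS\system32\wuvezase [--rename]
    target = sys.argv[1]
    for key, value in triage_file(target).items():
        print(f"{key:8}: {value}")
    if "--rename" in sys.argv[2:]:
        print("renamed to", quarantine_rename(target))
```

Record the SHA-1/SHA-256 before renaming: a later multi-engine result or a forum reply can then be tied to exactly the bytes that were on the disk, even after the file is renamed or removed. A file that is not a PE image is not necessarily harmless (it may be data used by some other component), which is why the thread's rename-and-wait approach is a sensible middle step.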
     
  7. hedgekat

    hedgekat Private E-2

    So the rootkit can't migrate back onto the C drive? I can't inadvertently copy it back when restoring a saved game or other data? I copied my writing folder back to C drive a day or two ago when I couldn't find it on C. I don't often copy things from E to C but it does happen occasionally. If this malware removal doesn't fix my computer and I have to reformat the C drive or even go so far as get a new computer I don't want to reinfect it from my E drive.


    Your method of making a zip is very fast. Although I don't think it would be so fast if I had to figure out what to put in the Run box. lol. I better stick with right clicking the file.

    The wuvezase file was grayed out and had no extension visible. I was able to add the old extension though. It's still grayed out afterward.

    So is my system clean now? My desktop is still black. I can't play my game. That WGA stuff is still everywhere. Where did that come from? Anything to do with the Microsoft Recovery Console?

    Oh, yes, Combofix said it was creating a system restore point both times that I ran it. I checked system restore and there were no restore points visible for those times. The last one on the 18th was when I installed the Java update, a couple of hours before running Combofix. The second day there was no restore point within 12 hours of the run.
     


  8. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    You can delete this file now.

    You have problems, but nothing to do with malware. The MBR report on that drive is a false positive. Nothing to worry about.

    You might well be better off saving your stuff to the E: drive ( if that is an external) and reformat the C Drive and then reinstall. But this can all be discussed in the software forum. :)

    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources (except a little disk space) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /uninstall
        • Notes: The space between the combofix" and the /uninstall, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
    3. Go back to step 6 of the READ ME and re-enable your Disk Emulation software with Defogger if you had disabled it.
    4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. If running Vista, it is time to make sure you have re-enabled UAC by double-clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    7. Go to add/remove programs and uninstall HijackThis.
    8. Go to the C:\MGtools folder and find the MGclean.bat file. Double-click on this file to run this cleanup program, which will remove files and folders related to MGtools and some other items from our cleaning procedures.
    9. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures pointed to by step 7 of the READ ME for your Windows version and see the instructions to Disable System Restore, which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    10. After doing the above, you should work thru the below link:
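Kestrel13!'s closing point is that the "MBR rootkit" report on the E drive can be set aside because code in a disk's MBR only ever executes if the BIOS boots from that disk. The script below is an added example, not part of the thread or of RootRepeal, showing what a practitioner would look at when a scanner flags an MBR: the 0x55AA signature, which partition (if any) carries the active/bootable flag, whether the 446-byte boot-code area is even populated, and whether that boot code still matches a baseline copy saved when the disk was believed clean. The two 512-byte sectors are constructed here for testing (the boot code in the "system disk" sample is a two-byte jump followed by filler, not real boot code); the device path and baseline file name are assumptions.

```python
"""Parse a 512-byte MBR and compare its boot code against a saved baseline.
Added example for this thread; the two sample sectors are constructed."""
import hashlib
import struct
import sys

SECTOR = 512
PART_TABLE_OFF = 446          # boot code occupies bytes 0..445
PART_ENTRY = "<B3sB3sII"      # status, CHS start, type, CHS end, LBA start, sector count


def _entry(status, ptype, lba_start, sectors):
    """Build one 16-byte partition table entry (CHS fields left zero)."""
    return struct.pack(PART_ENTRY, status, b"\x00" * 3, ptype, b"\x00" * 3, lba_start, sectors)


# Constructed "system disk": non-zero boot code (EB FE = jmp $, then NOP filler,
# not real boot code) and one active (0x80) NTFS (0x07) partition at LBA 63.
SYSTEM_DISK_MBR = (
    b"\xEB\xFE" + b"\x90" * (PART_TABLE_OFF - 2)
    + _entry(0x80, 0x07, 63, 0x01000000)
    + b"\x00" * 48
    + b"\x55\xAA"
)
# Constructed "data disk": boot-code area all zero and one NTFS partition
# that is not marked active, so nothing in this sector would ever execute.
DATA_DISK_MBR = (
    b"\x00" * PART_TABLE_OFF
    + _entry(0x00, 0x07, 2048, 0x02000000)
    + b"\x00" * 48
    + b"\x55\xAA"
)


def parse_mbr(data):
    """Return signature status, boot-code hash and the non-empty partition entries."""
    if len(data) != SECTOR:
        raise ValueError("expected exactly one 512-byte sector")
    parts = []
    for i in range(4):
        status, _, ptype, _, lba, count = struct.unpack_from(PART_ENTRY, data, PART_TABLE_OFF + 16 * i)
        if ptype == 0:
            continue  # empty slot
        parts.append({"index": i, "active": status == 0x80, "type": ptype,
                      "lba_start": lba, "sectors": count})
    boot_code = data[:PART_TABLE_OFF]
    return {
        "signature_ok": data[510:512] == b"\x55\xAA",
        "boot_code_sha256": hashlib.sha256(boot_code).hexdigest(),
        "boot_code_all_zero": not any(boot_code),
        "partitions": parts,
        "has_active_partition": any(p["active"] for p in parts),
    }


def boot_code_changed(current, known_good):
    """True if the executable part of the sector differs from the baseline copy."""
    return current[:PART_TABLE_OFF] != known_good[:PART_TABLE_OFF]


if __name__ == "__main__":
    # usage: python mbrcheck.py \\.\PhysicalDrive0 [baseline.bin]
    # (device path is an assumption: \\.\PhysicalDriveN on Windows needs an
    # administrator prompt; /dev/sdX on Linux needs root)
    with open(sys.argv[1], "rb") as dev:
        sector = dev.read(SECTOR)
    info = parse_mbr(sector)
    print("signature ok:", info["signature_ok"])
    print("boot code sha256:", info["boot_code_sha256"])
    print("boot code all zero:", info["boot_code_all_zero"])
    for p in info["partitions"]:
        print(f"  part {p['index']}: type 0x{p['type']:02X} active={p['active']} "
              f"lba={p['lba_start']} sectors={p['sectors']}")
    if len(sys.argv) > 2:
        with open(sys.argv[2], "rb") as base:
            print("boot code changed since baseline:", boot_code_changed(sector, base.read(SECTOR)))
```

Two caveats apply when using this for real. A baseline is only worth keeping if it was taken when the machine was believed clean, so save it right after a fresh install rather than mid-cleanup. And an active MBR rootkit can filter reads of the sector it modified and hand back clean-looking bytes, so a dump taken from inside a suspect system is weaker evidence than one taken after booting from separate, known-good media.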
     
