need help

Discussion in 'Malware Help (A Specialist Will Reply)' started by BD2021, Aug 20, 2009.

  1. BD2021

    BD2021 Private E-2

    Last night my computer started exhibiting some erratic behavior (running slower than normal, fans running really fast at idle). I tried to run Malware-bytes, which I had previously installed on my computer, and it would not run. I tried to uninstall it via Add/Remove Programs, but I couldn't access Add/Remove Programs. I decided I'd deal with it today.
    When I went to get on my computer today I found that the screen was completely black and the computer was unresponsive, so I had to do a forced shutdown. When it reloaded, a "threat assessment" from Windows Antivirus Pro popped up. I closed it and it kept popping up, so I tried to shut down the process through Task Manager. It closed the process, but it kept coming back.
    I next tried to use msconfig to stop it from starting up. This wouldn't work while the Antivirus Pro process was running, but in the short time the process was down I was able to open msconfig and stop Antivirus Pro from starting.
    I rebooted and found that the icons on my desktop had white outlines. I can now use most of the programs on my computer, but I cannot open any anti-virus software. The programs will open once, scan and find an infection, but close almost instantly upon finding the infection and do not allow me to access the anti-virus scan again, nor can I uninstall them.
    I have tried Malware-bytes, SUPERAntiSpyware (alternate startup), AVG 8.5, RootRepeal, RootkitBuster (from Trend Micro), ComboFix, and Avenger.

    The only program that will do anything for me is ComboFix, which tells me that these files are infected:

    C:\Windows\system32\drivers\kbiwkmlxjeyoxj.sys
    C:\Windows\system32\drivers\UACwonbpkrswb.sys
    C:\Windows\system32\kbiwkmmspfvnse.dll
    C:\Windows\system32\kbiwkmqtnnkcxi.dat
    C:\Windows\system32\kbiwkmdbyuwfjp.dll
    C:\Windows\system32\kbiwkmmbiqxiyu.dat
    C:\Windows\system32\UACyuwqipymtw.dll

    ComboFix then goes on to try to remove the files (it also tried to remove a lot of other files that I did not get a chance to write down) upon reboot. It then reboots again and tries to save a log. It never saves the log file (I waited for about an hour and it had the same screen up). I closed the ComboFix app window and my screen blanked for a second before changing the background and rearranging my desktop icons.
    I'm really stumped at this point, other than reformatting (which I really don't want to do). Any help would be greatly appreciated!

    Also, I'm sorry I can't post any logs, but as I stated earlier none of my anti-virus programs would work long enough to create a log. I also attempted MGtools and Autoruns, but they would not open either!
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    There is rarely an instance where MGtools will not run. Make sure you have downloaded the current version, shut down your protection software and try again. Also do the below just to make sure ComboFix removed what it said it found.




    Now download The Avenger by Swandog46, and save it to your Desktop.
    • Extract avenger.exe from the Zip file and save it to your desktop
    • Run avenger.exe by double-clicking on it.
    • Do not change any check box options!!
    • Copy everything in the Quote box below, and paste it into the Input script here: part of the window:
    • Now click the Execute button.
    • Click Yes to the prompt to confirm you want to execute.
    • Click Yes to the Reboot now? question that will appear when Avenger finishes running.
    • Your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt and it will pop up for you to view when you log in after reboot.
    Now run Ccleaner. Only use the Run Cleaner button. Do not run anything else on any other forms.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).


    Then attach the below logs:
    • C:\avenger.txt
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
  3. BD2021

    BD2021 Private E-2

    Thanks for the reply chaslang,
    Between my first post and now I have gotten most of the malware removed (I think). After running ComboFix I was able to uninstall all of the anti-virus software that I had previously installed (I had to redownload and run a repair for AVG). Since then I have run through part of the "read first" cleaning procedure. I'm attaching the MGtools log, ComboFix log, and MB log to this post; if you need any of the others I'll make another reply and attach them. I ran The Avenger, as specified, but I cannot locate avenger.txt (I did a search on my C drive that yielded no results). I did look at the log when it came up and it said that the files did not exist. If you want I can try to run it again and save a new log to attach. SAS returned a clean computer. Spybot S&D did as well. MB found a file, but for some reason appears to have not been able to remove it (see attached log).

    The computer seems to be running almost normally now, but a little slower on startup than before. I've also had a problem with desktop/start-up icons reverting to the Windows generic file icon. I tried to just re-associate the files with the programs that run them (i.e. .doc with MS Word, .pdf with Acrobat Reader), but this did not seem to do anything. When I uninstalled and then reinstalled AR, the .pdfs started using that icon again. I'm not sure if this is a result of the malware or something else.

    Edit: I forgot to mention that I will be away for a few days (Tuesday-Friday), so if you reply to this message during that time I will not be able to get back to you until Saturday at best.

    Thanks again!
     


    Last edited: Aug 24, 2009
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You are still very badly infected! And no wonder! You have no protection installed.

    I suggest that you attach the logs from SUPERAntiSpyware and RootRepeal.

    You need to put your PC into normal startup mode with MSconfig as requested in step 4 of the READ & RUN ME. You must remain in this mode. Do this now before continuing.

    Then you must disable Spybot's Teatimer as requested in the READ & RUN ME. See this: How to disable Spybot's TeaTimer

    Run this Disable/Remove Windows Messenger to remove Windows Messenger. Do not confuse Windows Messenger with MSN Messenger because they are not the same. Windows Messenger is a frequent cause of popups.

    Uninstall the below old versions of software:
    J2SE Runtime Environment 5.0 Update 8
    Java 2 Runtime Environment, SE v1.4.2_03

    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O2 - BHO: (no name) - AutorunsDisabled - (no file)
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
    O2 - BHO: {3b54074e-7863-c368-ced4-bda1b6d8d501} - {105d8d6b-1adb-4dec-863c-3687e47045b3} - C:\WINDOWS\system32\cfabmk.dll
    O2 - BHO: (no name) - {5A94A509-1911-49FF-9070-D44DCBF4B62D} - (no file)
    O2 - BHO: (no name) - {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - C:\WINDOWS\system32\ssqrQHXr.dll
    O2 - BHO: (no name) - {776AB29C-9990-4DF9-B06A-5087957E99AE} - C:\WINDOWS\system32\pmnLEVli.dll
    O2 - BHO: (no name) - {d45cc5b0-dc86-439f-bc78-8aaf286d3f0e} - C:\WINDOWS\system32\domemaha.dll
    O4 - HKLM\..\Run: [prunnet] "C:\WINDOWS\system32\prunnet.exe"
    O4 - HKLM\..\Run: [nalazikosu] Rundll32.exe "C:\WINDOWS\system32\mirububu.dll",s
    O4 - HKLM\..\Run: [7c0a0ede] rundll32.exe "C:\WINDOWS\system32\lugiviwi.dll",b
    O4 - HKCU\..\Run: [prunnet] "C:\WINDOWS\system32\prunnet.exe"
    O4 - HKCU\..\Run: [gadcom] "C:\Documents and Settings\Dave\Application Data\gadcom\gadcom.exe" 61A847B5BBF728173599284503996897C881250221C8670836AC4FA7C8833201749139
    O4 - HKUS\S-1-5-20\..\Run: [nalazikosu] Rundll32.exe "C:\WINDOWS\system32\mirububu.dll",s (User 'NETWORK SERVICE')
    O4 - Global Startup: AutorunsDisabled
    O9 - Extra button: (no name) - AutorunsDisabled - (no file)
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
    O20 - AppInit_DLLs: ,C:\WINDOWS\system32\takisupe.dll cfabmk.dll
    O20 - Winlogon Notify: AutorunsDisabled - C:\WINDOWS\
    O20 - Winlogon Notify: ssqrQHXr - C:\WINDOWS\SYSTEM32\ssqrQHXr.dll
    O24 - Desktop Component 0: (no name) - (no file)

    After clicking Fix, exit HJT.


    Now we need to use ComboFix
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    • If ComboFix tells you it has expired or needs to be updated to a new version, make sure you allow it to update.
    • Open Notepad and copy/paste the text in the below quote box into it:
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below
    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.


    After reboot, now install the current version of Sun Java from: Sun Java Runtime Environment

    Also delete all files and subfolders in the below folders except ones from the current date (Windows will not let you delete the files from the current day).
    C:\WINDOWS\Temp
    C:\Documents and Settings\Dave\Local Settings\temp

    Now run Ccleaner. Only use the Run Cleaner button. Do not run anything else on any other forms.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).


    Then attach the below logs:
    • C:\ComboFix.txt
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
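The HijackThis lines above catalogue the persistence points this cleanup has to chase: entries marked "(no file)", Run entries that use rundll32 to load a random-named DLL by a one-letter export, a populated AppInit_DLLs value, and Winlogon Notify packages that are not stock. Here is an added Python example, not from this thread or from MajorGeeks, that parses lines in that format and flags those four patterns for a responder's triage; the sample lines and the KNOWN_NOTIFY baseline are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample in HijackThis "Onn - ..." format; the fourth and last lines are benign decoys.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {5A94A509-1911-49FF-9070-D44DCBF4B62D} - (no file)
O2 - BHO: (no name) - {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - C:\WINDOWS\system32\ssqrQHXr.dll
O4 - HKLM\..\Run: [7c0a0ede] rundll32.exe "C:\WINDOWS\system32\lugiviwi.dll",b
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O20 - AppInit_DLLs: ,C:\WINDOWS\system32\takisupe.dll cfabmk.dll
O20 - Winlogon Notify: ssqrQHXr - C:\WINDOWS\SYSTEM32\ssqrQHXr.dll
O20 - Winlogon Notify: crypt32chain - crypt32.dll
"""

# Assumed baseline of stock Windows XP Winlogon\Notify package names (lowercase).
KNOWN_NOTIFY = {"crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
                "sclgntfy", "senslogn", "termsrv", "wlballoon"}

LINE_RE = re.compile(r"^(O\d+) - (.*)$")
# rundll32 "<path>.dll",<one-or-two-letter export>: the shape of the O4 lines in the post.
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"[^"]+\.dll",\s*\w{1,2}\s*$', re.IGNORECASE)

@dataclass
class Finding:
    line: str
    reason: str

def triage(log_text: str) -> List[Finding]:
    """Return the HJT lines that match one of the four persistence patterns, in log order."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = LINE_RE.match(line)
        if not m:
            continue  # blank line or non-HJT text
        section, body = m.groups()
        if body.endswith("(no file)"):
            findings.append(Finding(line, "orphaned entry: registered file no longer exists"))
        elif section == "O4" and RUNDLL_RE.search(body):
            findings.append(Finding(line, "rundll32 Run entry loading a DLL by short export name"))
        elif section == "O20" and body.startswith("AppInit_DLLs:"):
            if body[len("AppInit_DLLs:"):].strip():
                findings.append(Finding(line, "AppInit_DLLs populated: DLL injected into every user32 process"))
        elif section == "O20" and body.startswith("Winlogon Notify:"):
            package = body.split(":", 1)[1].split(" - ")[0].strip().lower()
            if package not in KNOWN_NOTIFY:
                findings.append(Finding(line, "non-standard Winlogon Notify package"))
    return findings
```

Running triage(SAMPLE_LOG) returns four findings and leaves the SoundMan and crypt32chain decoys alone.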
     
  5. BD2021

    BD2021 Private E-2

    Ok, I uninstalled Java 2 Runtime Environment, SE v1.4.2_03, but J2SE Runtime Environment 5.0 Update 8 told me that the transformation was not valid. When I ran HJT (analyse.exe) I did not find a lot of the lines that you told me to put a check next to. I have attached the log that I had when running HJT tonight as well. I ran ComboFix as specified; the log has been attached. I tried to delete all the temp files as specified, but could not delete this directory
    C:\Documents and Settings\Dave\Local Settings\temp\clclean.0001.dir.0000
    because the files contained could not be deleted. The files are:
    ~df394b.tmp
    ~efe2.tmp

    Although Windows Messenger was removed prior to running ComboFix, it automatically reinstalled itself upon reboot. I do not currently have Spybot S&D installed on my computer, so I could not turn off TeaTimer.

    Overall I think the performance is about the same as it was during my last post; the computer seems to be running ok, but some of my icons (like the MS Office exe and file icons) are coming up as generic file icons. They still open fine and the association is with the proper program, but the icons do not appear correctly in the Start menu or in the folders.

    On a side note, I was running MB for protection, but I have uninstalled all my AV software in order to run the removal tools in the READ & RUN ME. I plan on installing McAfee again once I get this mess sorted out.

    Thanks again, sorry it took so long for me to get back to you, I'm moving into a new house so things are a bit hectic right now.
     


  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I'm still looking for the log from RootRepeal.

    We don't need it. It is already in the MGlogs.zip file and this one is the one from after running the fixes, not from before.

    No it didn't. Windows Live Messenger is not the same thing as Windows Messenger.

    You will probably have to post about this in the Software Forum where someone can help you restore any necessary associations, but you can find tips for this here: http://www.dougknox.com/xp/file_assoc.htm

    Do you mean Malwarebytes Anti-Malware? Was it the free version? If so, it does not give you any protection. The free version is only an after-the-fact scanner.

    You have many, many things trapped in MSconfig registry keys and also have more trapped in AutorunsDisabled keys. You never want to use MSconfig like this, as stated in the READ ME, but no matter what you use, you must remember to remove them from whatever you are blocking them with before uninstalling software. Otherwise you get dozens of leftovers. Let's see if we can fix some of these unnecessary items.

    Now we need to use ComboFix
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    • If ComboFix tells you it has expired or needs to be updated to a new version, make sure you allow it to update.
    • Open Notepad and copy/paste the text in the below quote box into it:
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below
    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.


    Now download the current version of MGtools and save it to your root folder. Overwrite your previous MGtools.exe file with this one.

    Run MGtools.exe ( Note: If using Vista make sure UAC is still disabled. Also don't double click on it, use right click and select Run As Administrator )

    Now attach the below log:
    • C:\ComboFix.txt
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
  7. BD2021

    BD2021 Private E-2

    Chaslang, thanks for the help. I ended up just reformatting my hard drive as I was beginning to have driver issues with my audio and video cards and I needed the computer to be operational for school.
     
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome. That was probably a good idea anyway, since your system was showing signs of residual problems from the malware that probably would have left your system in an unreliable state.

    Make sure you work through the below now:

     
