Need some help with Malware

Discussion in 'Malware Help (A Specialist Will Reply)' started by alex308, Apr 27, 2009.

  1. alex308

    alex308 Private E-2

    hello mates, :major

    I think my computer has swine flu.

    I was on the internet the other day when McAfee told me it had blocked a couple of trojans, but nothing seemed out of the ordinary until the next day.

    A Windows Update icon appeared and I installed it, but it never went away. I installed it 3 times but it keeps reappearing. A multicoloured Windows icon also appeared that says your computer may be infected with malware. A popup comes up that says I need to download antispyware software and I can't do anything but click "get antispyware software"; a setup program for PCAntiMalware comes up which I close.

    I proceeded to scan with McAfee, which wouldn't scan. I also tried to do a system restore (I don't know if that was the right thing to do when you have a bug?) but that wouldn't work either. I then found and followed this guide. I couldn't install SUPERAntiSpyware so I scanned with Malwarebytes and ComboFix. After that I was able to install and scan with SAS and then I ran MGTools.

    I was doing the scans in safe mode and noticed when I booted in normal mode I would get a blue screen after about 10 seconds of logging onto an account. That issue seems to be resolved now, but internet pages randomly change and I have these bloody advertisements for antispyware software and the Windows icons that won't go away!

    Please help

    cheers
     

    Attached Files:

  2. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    It looks like you did not allow MGTools to run to completion as the runkeys log was virtually empty and there was also a log missing.

    First:
    Run this: Disable/Remove Windows Messenger to remove Windows Messenger. Do not confuse Windows Messenger with MSN Messenger because they are not the same. Windows Messenger is a frequent cause of popups.

    Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    NOTE: HJT may popup an error about the AppInit_DLLs line. Ignore it and click OK to continue.

    After clicking Fix, exit HJT.

    Now let's use ComboFix to remove a bunch of malware files.

    * Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
    If it is not on your Desktop, the below will not work.
    * Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    * If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
    * Open Notepad and copy/paste the text in the below code box into it (make sure you scroll all the way down in the code box to get all lines selected ):
    Code:
    KILLALL::
    
    Rootkit::
    c:\windows\system32\drivers\ovfsthxnsqidwkc.sys
    c:\docume~1\BENAND~1\LOCALS~1\Temp\CSC49.tmp 
    c:\docume~1\BENAND~1\LOCALS~1\Temp\RES4A.tmp 
    c:\docume~1\BENAND~1\LOCALS~1\Temp\soy_vnjn.0.cs 
    c:\docume~1\BENAND~1\LOCALS~1\Temp\soy_vnjn.err 
    c:\docume~1\BENAND~1\LOCALS~1\Temp\soy_vnjn.out 
    c:\windows\system32\ovfsthxekmxeuyx.dll 
    c:\windows\system32\ovfsthxempqmcug.dll 
    c:\windows\system32\ovfsthxetxlrmpj.dll
    c:\windows\system32\ovfsthxlog.dat
    c:\windows\system32\ovfsthxufcrvbrj.dat 
    c:\windows\system32\ovfsthxwcdothqu.dat
    
    File::
    C:\WINDOWS\system32\ovfsthxmbsjjqbv.dll
    C:\WINDOWS\system32\ovfsthxstpofyap.dll
    C:\WINDOWS\system32\ovfsthxyvkbfpmb.dll
    C:\WINDOWS\system32\ovfsthxxjqvrlnv.dll
    C:\WINDOWS\system32\ovfsthxtamwuvcw.dat
    C:\WINDOWS\system32\ovfsthxhweexuic.dll
    C:\WINDOWS\system32\ovfsthxpswtpqdl.dll
    C:\WINDOWS\system32\ovfsthxpqdrtcrv.dll
    C:\WINDOWS\system32\ovfsthxsbedxvae.dat
    C:\WINDOWS\system32\ovfsthxxmwfpfqj.dll
    C:\WINDOWS\system32\ovfsthxdbyuecye.dat
    C:\WINDOWS\system32\ovfsthxornamcrd.dat
    C:\WINDOWS\system32\ovfsthxpprmecxn.dat
    C:\WINDOWS\system32\ovfsthxsbpxtmxv.dat
    C:\WINDOWS\system32\ovfsthxwcdothqu.dat
    C:\WINDOWS\system32\ovfsthxetxlrmpj.dll
    C:\WINDOWS\system32\ovfsthxufcrvbrj.dat
    C:\WINDOWS\system32\ovfsthxempqmcug.dll
    C:\WINDOWS\system32\ovfsthxlog.dat
    C:\WINDOWS\system32\ovfsthxekmxeuyx.dll
    C:\WINDOWS\system32\ovfsthxixvxtqxt.dat
    C:\WINDOWS\system32\ovfsthxbvpdmxno.dll
    c:\documents and settings\Amber\Start Menu\Programs\Startup\e2e671aa9de9dfdaf665b0b7909b83a9.1.dll.lnk
    c:\documents and settings\Ben and Arlene\Start Menu\Programs\Startup\2927b1f42e0508ac0f0b0cc5d8673832.1.dll.lnk
    c:\documents and settings\All Users\Start Menu\Programs\Startup\2927b1f42e0508ac0f0b0cc5d8673832.1.dll.lnk
    c:\documents and settings\All Users\Start Menu\Programs\Startup\e2e671aa9de9dfdaf665b0b7909b83a9.1.dll.lnk
    c:\windows\system32\2927b1f42e0508ac0f0b0cc5d8673832.1.dll
    c:\windows\system32\2927b1f42e0508ac0f0b0cc5d8673832.1.dll
    c:\windows\system32\drivers\ovfsthxnsqidwkc.sys
    c:\docume~1\BENAND~1\LOCALS~1\Temp\CSC49.tmp 
    c:\docume~1\BENAND~1\LOCALS~1\Temp\RES4A.tmp 
    c:\docume~1\BENAND~1\LOCALS~1\Temp\soy_vnjn.0.cs 
    c:\docume~1\BENAND~1\LOCALS~1\Temp\soy_vnjn.err 
    c:\docume~1\BENAND~1\LOCALS~1\Temp\soy_vnjn.out 
    c:\windows\system32\ovfsthxekmxeuyx.dll 
    c:\windows\system32\ovfsthxempqmcug.dll 
    c:\windows\system32\ovfsthxetxlrmpj.dll
    c:\windows\system32\ovfsthxlog.dat
    c:\windows\system32\ovfsthxufcrvbrj.dat 
    c:\windows\system32\ovfsthxwcdothqu.dat 
    
    
    Registry::
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "2927b1f42e0508ac0f0b0cc5d8673832"=-
    
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "e2e671aa9de9dfdaf665b0b7909b83a9"=-
    "2927b1f42e0508ac0f0b0cc5d8673832"=-
    
    [-HKEY_LOCAL_MACHINE\System\ControlSet002\Services\ovfsthxtqsntjcx]
    
    
    * Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    * At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    * You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    If it asks you to override the previous file with the same name, click YES.
    * Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
    * Follow the prompts.
    * When it finishes, a log will be produced named c:\combofix.txt
    * I will ask for this log below

    Note:

    Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

    Now download and install:
    Java Runtime 6

    Now run Ccleaner to clean out only temp files and nothing else!

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:

    * C:\ComboFix.txt
    * C:\MGlogs.zip

    Make sure you tell me how things are working now!
     
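The CFScript above is a plain-text job file: a `Rootkit::`/`File::` list of paths to delete and a `Registry::` list of keys and `"name"=-` values to remove. Because ComboFix silently does nothing useful with a line it cannot resolve, it is worth checking a script before dragging it onto ComboFix.exe. The following checker is an added example written for this thread, not code from the post, from MajorGeeks or from ComboFix; it assumes only the section names and line shapes visible in the script above (ComboFix's full grammar is not documented here). The sample script embedded in it is constructed from the paths in the post and deliberately includes two mistakes that are easy to make when copying from a forum page: a stray character before a drive letter and a long path that was wrapped onto two lines.

```python
"""Lint and summarise a ComboFix CFScript (added example; not ComboFix code)."""
import re
from collections import OrderedDict

# Line shapes inferred from the script in the thread (assumption, not ComboFix's spec).
SECTION_RE = re.compile(r"^([A-Za-z]+)::$")           # e.g. "File::"
WIN_PATH_RE = re.compile(r"^[A-Za-z]:\\[^\\]")        # absolute path: drive, colon, backslash
REG_KEY_RE = re.compile(r"^\[-?HKEY_[A-Z_]+(\\[^\]]+)?\]$")   # "[-..." deletes the whole key
REG_VALUE_RE = re.compile(r'^"[^"]+"=-$')             # "name"=- deletes one value
STARTUP_LNK_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\[^\\]+\.lnk$", re.IGNORECASE)

# Constructed sample: paths taken from the post, plus two copy/paste defects on purpose.
SAMPLE = r"""
KILLALL::

Rootkit::
c:\windows\system32\drivers\ovfsthxnsqidwkc.sys
c:\windows\system32\ovfsthxekmxeuyx.dll

File::
C:\WINDOWS\system32\ovfsthxmbsjjqbv.dll
oC:\WINDOWS\system32\vfsthxyvkbfpmb.dll
c:\documents and settings\All Users\Start Menu\Programs\Startup\
2927b1f42e0508ac0f0b0cc5d8673832.1.dll.lnk
c:\documents and settings\All Users\Start Menu\Programs\Startup\e2e671aa9de9dfdaf665b0b7909b83a9.1.dll.lnk
c:\windows\system32\2927b1f42e0508ac0f0b0cc5d8673832.1.dll

Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"2927b1f42e0508ac0f0b0cc5d8673832"=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"e2e671aa9de9dfdaf665b0b7909b83a9"=-

[-HKEY_LOCAL_MACHINE\System\ControlSet002\Services\ovfsthxtqsntjcx]
"""


def parse_cfscript(text):
    """Split the script into an ordered {section: [non-blank lines]} mapping."""
    sections = OrderedDict()
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        match = SECTION_RE.match(line)
        if match:
            current = match.group(1)
            sections.setdefault(current, [])
            continue
        sections.setdefault(current or "_preamble", []).append(line)
    return sections


def lint_cfscript(text):
    """Return (section, line, problem) for every line ComboFix could not act on."""
    problems = []
    for section, lines in parse_cfscript(text).items():
        if section in ("File", "Rootkit"):
            for line in lines:
                if not WIN_PATH_RE.match(line):
                    problems.append((section, line, "not an absolute Windows path"))
                elif line.endswith("\\"):
                    # A path ending in "\" is a folder: usually a line wrapped by the forum.
                    problems.append((section, line, "directory, not a file (wrapped line?)"))
        elif section == "Registry":
            have_key = False
            for line in lines:
                if line.startswith("["):
                    if not REG_KEY_RE.match(line):
                        problems.append((section, line, "malformed registry key"))
                    have_key = True
                elif REG_VALUE_RE.match(line):
                    if not have_key:
                        problems.append((section, line, "value line before any [key]"))
                else:
                    problems.append((section, line, 'expected [key] or "name"=-'))
    return problems


def summarize_cfscript(text):
    """Count what the script removes, grouped by the persistence mechanism it targets."""
    sections = parse_cfscript(text)
    files = sections.get("File", []) + sections.get("Rootkit", [])
    summary = {
        "drivers": sum(1 for f in files if f.lower().endswith(".sys")),
        "startup_links": sum(1 for f in files if STARTUP_LNK_RE.search(f)),
        "run_values": 0,
        "services": 0,
    }
    key = ""
    for line in sections.get("Registry", []):
        if line.startswith("["):
            key = line
            if key.startswith("[-") and "\\Services\\" in key:
                summary["services"] += 1
        elif REG_VALUE_RE.match(line) and key.upper().endswith("\\RUN]"):
            summary["run_values"] += 1
    return summary


if __name__ == "__main__":
    for section, line, problem in lint_cfscript(SAMPLE):
        print(f"{section}: {problem}: {line}")
    print(summarize_cfscript(SAMPLE))
```

Run as-is, the linter reports the `oC:\` line and both halves of the wrapped startup-folder entry, which is exactly the kind of line that would otherwise be skipped and leave the persistence in place; the summary shows that the script targets one driver, one Startup-folder shortcut, two `Run` values and one service, the four places this infection re-launched itself from.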
  3. alex308

    alex308 Private E-2

    Hello TimW

    Thanks for all the help! Everything seems to be working now. No more blue popup screens or windows icons. My computer does seem to be starting up a little slower after this issue though. It may be unrelated

    I'm attaching my logs. I tried to turn off McAfee before running ComboFix but it kept coming back up in the middle of the process and ComboFix gave me a message telling me to turn off McAfee. I hope this didn't mess anything up.

    Anyways things seem to be working better so thanks again for the help, mate. :major
     

    Attached Files:

  4. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Please use windows explorer to find and delete:
    c:\documents and settings\Amber\Start Menu\Programs\Startup\e2e671aa9de9dfdaf665b0b7909b83a9.1.dll.lnk

    Your slowness is probably related to running McAfee with only this amount of RAM:
    Total Physical Memory 512.00 MB
    Available Physical Memory 136.25 MB

    Let me know if you have any additional issues.
     
