Need Virus Removal Advice & Registry Question

Discussion in 'Malware Help (A Specialist Will Reply)' started by dood1emom, Sep 5, 2009.

  1. dood1emom

    dood1emom Private E-2

    Hi,

    Got hit with the nasty bunch of trojans et al going around (think got hit from zedo?). Am posting from laptop, pulled the DSL connection on the infected PC.

    Having same problems getting removal tools to work as others. Primary AVG Free dead, then installed & ran SuperAntiSpyware ... got to run, said it found and removed 25 threats then rebooted, now dead & can't get a log to post. Can install but not run MalwareBytes. Already had HJT on system - it's dead.

    Some of the viruses/trojans were a.exe, msa.exe, probable variants of Vundo ... It seems that many have been removed by the initial SAS run. But I am trying to work thru malware removal guide, but can't get anything to work. Since permissions seem to be edited & my Event Viewer Log shows up until when SAS ran that "wuauserv registry key denied access to SYSTEM account programs so the Service Control Manager took ownership of the Registry key" would I be correct in assuming other unfound registry changes certainly aren't helping ... would running a registry cleaner be a good idea?

    Will try to run some removal programs in SafeMode, but at this point it's starting to get a little over my head ... some pointers appreciated.

    BTW, while the nasties got dropped all over the system, I see an xvhu and a hpbyv now dumped on C: that are from the exact time that I got hit ... no scans have latched onto them yet, but I know they're no good.

    Will try to post any logs I can get later today.

    Thank you,
    dood1emom
     
  2. dood1emom

    dood1emom Private E-2

    Tools run, need help with logs

    Hi,

    Got hit with virus/trojans while checking gmail 9-3-09. After much trial and error I think we've got all the tools run & logs attached. System is disconnected from internet. We did resort to some renames to get everything ran and logs produced. Logs attached.

    I also attached an initial AVG threat that found 9 infected files. When I got hit I immediately saw an hpbyv.exe and an xhue.ex in my c: drive. Other suspect items were msa.exe, a thru e.exe's, 876.exe.

    I am quite sure the system still isn't clean and don't know what to do next. Upon rebooting, I get error messages that kabifoti.dll and jisagoyi.dll are missing, and whenever I access my HP_Admin folder I get a "Feature unavailable while ... not connected". Also still see a suspect file "1554803941" on C:. Prior Event Logs now wiped, but I was getting a message about wuauserv not having proper privileges (hope I remember that right) and I noticed a text log somewhere that was showing some of the privileges revoked by virus/trojan.

    Please let me know what to do next. Thank you, Dood1emom
     


  3. dood1emom

    dood1emom Private E-2

    Re: Tools run, need help with logs

    Hi it's me again -- oh fudge, I think I may have missed the "msconfig must be set for normal startup mode". Please let me know if I need to rerun tools. Sorry.
     
  4. dood1emom

    dood1emom Private E-2

    Re: Tools run, need help with logs

    Sorry, forgot to upload the rest of the logs. Here they are.
     


  5. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Welcome to Major Geeks!

    Please read ALL of this message including the notes before doing anything.

    Please follow the instructions in the below link:

    READ & RUN ME FIRST. Malware Removal Guide


    and attach the requested logs when you finish these instructions.

    • **** If something does not run, write down the info to explain to us later but keep on going. ****
    • Do not assume that because one step does not work that they all will not. MGtools will frequently run even when all other tools will not.


    • After completing the READ & RUN ME and attaching your logs, make sure that you tell us what problems still remain ( if any still do )!
    Helpful Notes:


    1. If you run into problems trying to run the READ & RUN ME or any of the scans in normal boot mode, you can run the steps in safe boot mode but make sure you tell us what you did later when you post logs. See the below if you do not know how to boot in safe mode:

    2. If you have problems downloading on the problem PC, download the tools and the manual updates for SUPERAntiSpyware and Malwarebytes ( links are given in the READ & RUN ME) onto another PC and then burn to a CD. Then copy them to the problem PC. You will have to skip getting updates if (and only if) your internet connection does not work. Yes you could use a flash drive too but flash drives are writeable and infections can spread to them.
    3. If you cannot seem to login to an infected user account, try using a different user account (if you have one) in either normal or safe boot mode and running only SUPERAntiSpyware and Malwarebytes while logged into this other user account. Then reboot and see if you can log into the problem user account. If you can then run SUPERAntiSpyware, Malwarebytes, ComboFix and MGtools on the infected account as requested in the instructions.
    4. To avoid additional delay in getting a response, it is strongly advised that after completing the READ & RUN ME you also read this sticky:

    Any additional post is a bump which will add more delay. Once you attach the logs, your thread will be in the work queue and as stated our system works the oldest threads FIRST.
     
  6. dood1emom

    dood1emom Private E-2

    Hi Tim,

    Thank you for your reply. Sorry - getting the hang of posting in forums - I mistakenly started a new thread/post with logs already attached. I believe I also made that error of running what tools I could get to run (we had to rename some of them to get them to run) in just selective startup mode - I missed the "msconfig must be set for normal startup mode" step. My second post was "Tools run, need help with logs" 09-06-09, 23:27. What logs I got are attached to it. Did not run anything in Safe Mode. No longer getting the "kabifoti.dll and jisagoyi.dll are missing" at bootup, but still have suspect "1554803941" on C: that was generated on date/time of infection. Also, something has generated a 0kb dat file on desktop. Did eventually get HiJackThis to run. I am attaching. Have school function tonight, won't be back for a few hours. Oh, after running various tools, Windows looks like the Auto Update has been turned back on, but I think IE8 is no longer set as default browser - think registry may have been changed. Thanks again for all the help. Will rerun anything tonight if I need to because of msconfig error.

    dood1emom
     


  7. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Re: Tools run, need help with logs

    I am only seeing a few things that need attention.

    Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    After clicking Fix, exit HJT.

    Now run CCLeaner and make sure these have been removed:
    C:\Documents and Settings\HP_Administrator\Local Settings\temp\36c05e02-09ca-4657-b973-d474b834dbc7.tmp
    C:\Documents and Settings\HP_Administrator\Local Settings\temp\cf017b09-e27f-4d13-b572-c1f36f74e53f.tmp

    Tell me what issues you are still having.
     
  8. dood1emom

    dood1emom Private E-2

    Re: Tools run, need help with logs

    Hi Tim,

    Ran MGTools to make the changes you suggested. Noticed a Service GPCCFGEVA - Unknown owner in Docs & Settings\Hp_Admin\locals\temp\GPCCFGEVA.exe file missing. Is this okay to delete also?

    Ran CCleaner.
    C:\Documents and Settings\HP_Administrator\Local Settings\temp\36c05e02-09ca-4657-b973-d474b834dbc7.tmp
    C:\Documents and Settings\HP_Administrator\Local Settings\temp\cf017b09-e27f-4d13-b572-c1f36f74e53f.tmp

    These files were NOT removed. Also still see ~DF7B2F.tmp, IadHide5.dll and debugf.txt files, but I think these are ok. Still have the suspect "1554803941" 4kb file on C: that was generated at time of infection and 0kb settings.dat on desktop, although that file could be from when some of the tools were run.

    When I chose Set Program Access & Defaults, I can edit custom setup to select IE as my default browser, but upon reentry, the setting is always changed back to "use my current web browser." Have no idea if anything is wrong there because I pulled the DSL connection until desktop is disinfected. Do I need to check for any registry changes?

    Taskman shows multiple svchost.exe's running, but one has 30 user objects, mem usage 25,000 K. Have no idea if this is okay, but I did change to normal startup, so everything is loading.

    The last two strange things are anytime I click thru to the HP_Admin folder, a "Windows Live ID Internet Connection ... could not be completed" message appears. I was getting "Feature Not Available ... because offline" message until I unchecked "Work Offline" in IE8. Have no idea if something is still trying to get connected or has changed settings somewhere. And at time of infection, system was intermittently opening HP Help & Support Center. When I now open the program, it just doesn't seem "right." Accessing the tools area should allow me to click for "My Computer Information", "Network Diagnostics" or various Tools, but all menu items seem to be dead. Which led me to check "All Programs, PC Help & Tools, Connectivity Support Tools" (icon seems messed up) and Support Tools is now looking for missing "supporttools.hta".

    Thanks for your help & input
    dood1emom
     
  9. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Please keep all of your posts in this thread, otherwise it becomes very confusing.

    Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    After clicking Fix, exit HJT.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:

    * C:\MGlogs.zip
     
  10. dood1emom

    dood1emom Private E-2

    Hi Tim,

    Thank you for merging my threads - sorry for newbie to forum goof.

    Ran MGTools analyse.exe and fix. Attached logs.zip. Was able to finally get Malware Bytes to run this weekend - it fixed a registry item that was preventing auto updates, so I think ok there. Still have weird "1554803941" file in C: and settings.dat on desktop. Windows Live ID still trying to connect when I access HP_Admin folder. Would the link http://smallvoid.com/article/winnt-help-support-service-config.html repair my "Help and Support" Center? Also was able to uninstall and reinstall AVG 8.5 Free to get it functioning til I decide what AV to use. Also see that "Manage Add-Ons" in IE8 messed up, but I've already had to reinstall it once b4 because it's been flakey.

    Thanks for advice.
    Dood1emom
     


  11. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Please attach the MBAM log to your next reply so I can see what it found.

    Now download The Avenger by Swandog469, and save it to your Desktop.

    * Extract avenger.exe from the Zip file and save it to your desktop
    * Run avenger.exe by double-clicking on it.
    * Do not change any check box options!!
    * Copy everything in the Quote box below, and paste it into the Input script here: part of the window:

    * Now click the Execute button.
    * Click Yes to the prompt to confirm you want to execute.
    * Click Yes to the Reboot now? question that will appear when Avenger finishes running.
    * Your PC should reboot, if not, reboot it yourself.
    * A log file from Avenger will be produced at C:\avenger.txt and it will popup for you to view when you login after reboot.

    Now run Ccleaner to clean out only temp files and nothing else!

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:

    * C:\Avenger.txt
    * C:\MGlogs.zip

    Make sure you tell me how things are working now!
     
  12. dood1emom

    dood1emom Private E-2

    Hi Tim,

    Thanks again. Attached neglected MBam log. Ran Avenger and CCleaner as instructed. No problems running anything.

    Son installed Zone Alarm for added security. AVG running smoothly. I disabled the "Windows Live ID Internet Connection" popup when perusing the Admin Docs & Settings by deleting the item "My web sites on MSN" from the NetHood subfolder (thanks Google). That probably got dropped onto the system during a rather recent, but b4 virus infection, IE8 repair/reinstall.
    IE8 is still crashing if I access "Manage Add-Ons", but I think it was messed up b4 virus, so I'll just reinstall it soon. No strange redirects or unusual activity seem to be going on, just Zone Alarm seems to have slowed bootups.

    The only annoyance I can find is that all of the links or menu clickables in the "Help and Support Center" are dead. I know they were working correctly b4 virus because we very recently ran Sys Info, etc., in preparation for near future RAM and video card upgrade. It's small potatoes, I know ... all the tools seem to work through the various All Program Menu items, it's just any easy way around the system. If it means anything, the H & S Ctr sometimes tosses out a message that an IE script error occurred, do I want to continue scripts ... that hcp://system/scripts/navbar.js is missing. I have found zilch about that message!

    Last questions: my 2 kids have non-admin accounts on the system. Initially ran CCleaner on them as instructions suggested. Nothing seems suspicious on their accounts. Should I run anything on those accounts? Made sure many security items, such as file sharing, etc., are tightened. What should the Data Execution Prevention settings be? Our system has selected the option "Turn on DEP for all programs and services except those I select - IE and MS Help and Support Ctr" BUT those boxes are not selected.

    Thanks again,
    dood1emom
     

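Added example, not part of dood1emom's or TimW's posts and not a MajorGeeks tool: a read-only PowerShell triage script that answers the three diagnostic questions raised in posts 8 and 12 (whether SYSTEM still has rights on the wuauserv service key, which services each of the multiple svchost.exe instances hosts, and what the Data Execution Prevention policy actually is), and then confirms the files TimW named are gone. It assumes Windows PowerShell 2.0 or later is installed on the XP/Vista machine and is run from an administrator prompt; the file paths are the ones quoted in the thread, and the DEP value names come from the documented Win32_OperatingSystem.DataExecutionPrevention_SupportPolicy property.

```powershell
# Added triage script (not from the thread). Read-only: it reports, it does not change anything.
# Assumes Windows PowerShell 2.0+ on XP SP3 / Vista, run as Administrator.

# 1. Windows Update service (wuauserv): state and start mode.
$wu = Get-WmiObject Win32_Service -Filter "Name='wuauserv'"
"wuauserv: State={0} StartMode={1}" -f $wu.State, $wu.StartMode

# 2. Does the SYSTEM account still hold rights on the wuauserv service key?
#    (The Event Viewer message quoted in post 1 said SYSTEM had been denied access.)
$acl = Get-Acl -Path "HKLM:\SYSTEM\CurrentControlSet\Services\wuauserv"
$acl.Access |
    Where-Object { $_.IdentityReference -like '*SYSTEM*' } |
    Select-Object IdentityReference, RegistryRights, AccessControlType

# 3. DEP policy. Documented values of DataExecutionPrevention_SupportPolicy:
#    0 = AlwaysOff, 1 = AlwaysOn, 2 = OptIn (Windows programs/services only, the default),
#    3 = OptOut ("all programs and services except those I select", as in post 12).
$os = Get-WmiObject Win32_OperatingSystem
$depNames = @{ 0 = 'AlwaysOff'; 1 = 'AlwaysOn'; 2 = 'OptIn'; 3 = 'OptOut' }
"DEP policy: {0}" -f $depNames[[int]$os.DataExecutionPrevention_SupportPolicy]

# 4. Several svchost.exe processes are normal; each one hosts a group of services.
#    List the running services behind each svchost PID so an odd instance stands out.
Get-WmiObject Win32_Service |
    Where-Object { $_.State -eq 'Running' -and $_.PathName -match 'svchost\.exe' } |
    Group-Object ProcessId |
    ForEach-Object {
        $names = ($_.Group | ForEach-Object { $_.Name }) -join ', '
        "svchost PID {0}: {1}" -f $_.Name, $names
    }

# 5. Confirm the files named by TimW in posts 7 and 13 are gone.
$paths = @(
    'C:\WINDOWS\system32\memopoto',
    'C:\Documents and Settings\HP_Administrator\Local Settings\temp\36c05e02-09ca-4657-b973-d474b834dbc7.tmp',
    'C:\Documents and Settings\HP_Administrator\Local Settings\temp\cf017b09-e27f-4d13-b572-c1f36f74e53f.tmp'
)
foreach ($p in $paths) {
    if (Test-Path -LiteralPath $p) { "STILL PRESENT: $p" } else { "gone: $p" }
}
```

Step 4 is the useful check for the "30 user objects" svchost in post 8: the instance hosting the netsvcs group normally has by far the most services and memory, so size alone is not a sign of infection; a svchost whose command line does not point at %SystemRoot%\system32 would be.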

  13. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    I missed one file that needs to be removed. Please use windows explorer to find and delete:
    C:\WINDOWS\system32\memopoto

    Now empty out the following folder ( you will not be able to delete items from today):
    C:\WINDOWS\temp\

    Otherwise your logs are clean. I would suggest that you pursue the other issues in the software forum.


    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no real-time protection. They are useful as backup scanners. They do not use any significant amount of resources ( except a little disk space ) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /u
        • Note: the space between combofix" and the /u must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
    3. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    4. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    5. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    6. Go to add/remove programs and uninstall HijackThis.
    7. Go to the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    8. If you are running Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures in step 3 of the READ ME for your Windows version and see the instructions to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    9. After doing the above, you should work thru the below link:
     
