NtMapViewOfSection

Discussion in 'Malware Help (A Specialist Will Reply)' started by jobjob, Jan 23, 2014.

  1. jobjob

    jobjob Private E-2

    Hi. I'm new here. Here's my problem:

    About 8 months ago I found some malware on my old machine. I ran several cleaners and anti-virus programs (Malwarebytes Anti-Malware, SUPERAntiSyware, Norton) and my machine seemed to be clean. Then I got more malware, ran the anti-virus/anti-malware programs and things seemed fine. But because I got malware again so quickly I wondered if I should run another anti-virus/malware program and I chose AVG Free. AVG Free found an infected rootkit called "NtMapViewOfSection" but it would not let me remove it. It listed it as "hidden." AVG slows this old machine down a lot, so I deleted AVG and just kept using the machine. I run anti-virus/malware regularly, and my machine has seemed fine (it's been slow for a while, but that's just because it is old and doesn't have much memory). Several months ago I downloaded and ran AVG Free again and it found the same NtMapViewOfSection problem that it could not remove plus a few other malware that I fixed and deleted. I tried Malwarebytes-Anti-Rootkit, but it didn't find any problems. I ran AVG Free 2014 again the other day and it only found NtMapViewOfSection and still can't remove/fix it. It is a rootkit/service function problem and I regret that I don't have the number sequence associated with it (it was a lot of zeros and an F, and I don't remember what else). I then removed AVG Free 2014 (because I use another anti-virus on the machine primarily - though it doesn't catch everything, for sure). I tried Malwarebytes Anti-Rootkit again, and again it found no problems.

    So, I suspect "NtMapViewOfSection" may be a malware remnant, but it could be worse than that since it is a rootkit (service function) problem.

    I read forums on AVG's website about this issue, but I didn't find any that showed the problem was resolved. So, I thought I'd try here.

    I have read the "READ & RUN ME FIRST" post and have gone through all the steps and run the five programs according to the instructions given in that post. I have also read the "Don't bump!" post. I will be patient.

    I have attached the logs.

    Thank you.
     


  2. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Before we begin, I'm seeing remnants of AVG and avast scattered. So let me know which antivirus you are going to be using ultimately. You can only install and use ONE.
     
  3. jobjob

    jobjob Private E-2

    I have Norton on my machine.

    I have tried to remove all AVG and Avast remnants, but I don't know how to remove the remnants you see. If I need to do so, could you please guide me on how to remove them, or direct me to a post that has instructions for the procedure? I intend to keep Norton on the machine.
     
  4. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Hi there.

    Before we continue I would like for you to use MSConfig to put this machine back into normal start up mode.


    For AVG you can download the applicable removal tool for you, available here.


    For Avast... Here.


    You should uninstall >>> Viewpoint Media Player.


    Fix items using RogueKiller.

    Double-click RogueKiller.exe to run. (Vista/7/8 right-click and select Run as Administrator)
    When it opens, press the Scan button
    Now click the Registry tab and locate these detections:

    • [RUN][SUSP PATH] HKUS\.DEFAULT\[...]\Run : SearchProtect (C:\WINDOWS\system32\config\systemprofile\Application Data\SearchProtect\bin\cltmng.exe [x]) -> FOUND
    • [RUN][SUSP PATH] HKUS\S-1-5-18\[...]\Run : SearchProtect (C:\WINDOWS\system32\config\systemprofile\Application Data\SearchProtect\bin\cltmng.exe [x]) -> FOUND
    Place a checkmark next to each of these items, leave the others unchecked.
    Now press the Delete button.
    When it is finished, there will be a log on your desktop called: RKreport[2].txt
    Attach RKreport[2].txt to your next message. (How to attach)
    Reboot the machine.




    Download and run OTM.

    Download OTM by Old Timer and save it to your Desktop.


    Code:
    :Files
    C:\WINDOWS\system32\config\systemprofile\Application Data\SearchProtect
    C:\Documents and Settings\Brian Page\Local Settings\Application Data\Conduit
    
    :reg
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchScopes\{EEE6C360-6118-11DC-9C72-001320C79847}]
    [-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{EEE6C360-6118-11DC-9C72-001320C79847}]
    
    :Commands
    [emptytemp]
    [Reboot]
    • Return to OTM, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste.
    • Push the large MoveIt! button.
    • OTM may ask to reboot the machine. Please do so if asked.
    • Copy everything in the Results window (under the green bar), and paste it in your next reply.

    NOTE: If you are unable to copy/paste from this window (as will be the case if the machine was rebooted), open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTM\MovedFiles folder, and open the newest .log file present, and attach the contents of that document back here in your next post.


    Please download Junkware Removal Tool to your desktop.
    • Shut down your protection software now to avoid potential conflicts.
    • Run the tool by double-clicking it. If you are using Windows Vista or Seven, right-mouse click it and select Run as Administrator.
    • The tool will open and start scanning your system.
    • Please be patient as this can take a while to complete depending on your system's specifications.
    • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
    • Attach JRT.txt to your next message.


    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. (Right click and run as admin if using Vista, Windows7 or Win8) Then attach the new C:\MGlogs.zip file that will be created by running this.

    Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now!
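The RogueKiller detections and the OTM script in the post above are two views of the same SearchProtect persistence: a Run value in the LocalSystem profile hive (S-1-5-18, also reachable as HKU\.DEFAULT, which is why the two report lines point at one file under system32\config\systemprofile) and the folder that file launches from. As an added example, not code from the thread or from the RogueKiller or OTM authors, the Python below parses report lines in the quoted format, flags autorun targets that live under profile data directories, and drafts the matching OTM :Files / :reg entries. The sample lines (including the made-up per-user SID), the SID table, the path heuristic, the `"name"=-` value-deletion syntax and the expansion of RogueKiller's `[...]` abbreviation to the standard Run key are all assumptions of this example.

```python
"""Triage RogueKiller-style [RUN] detections and draft an OTM fix script.

Added example; not code from the thread, RogueKiller or OTM. The report
lines below are constructed to mimic the format quoted in the post (the
per-user SID is made up), and the SID table, path heuristic, "name"=-
syntax and the expansion of RogueKiller's "[...]" abbreviation are this
example's own assumptions.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: the two lines quoted in the post plus one benign
# per-user Run entry that the heuristic must leave alone.
SAMPLE_REPORT = """\
[RUN][SUSP PATH] HKUS\\.DEFAULT\\[...]\\Run : SearchProtect (C:\\WINDOWS\\system32\\config\\systemprofile\\Application Data\\SearchProtect\\bin\\cltmng.exe [x]) -> FOUND
[RUN][SUSP PATH] HKUS\\S-1-5-18\\[...]\\Run : SearchProtect (C:\\WINDOWS\\system32\\config\\systemprofile\\Application Data\\SearchProtect\\bin\\cltmng.exe [x]) -> FOUND
[RUN] HKUS\\S-1-5-21-1111111111-2222222222-3333333333-1003\\[...]\\Run : ctfmon.exe (C:\\WINDOWS\\system32\\ctfmon.exe) -> FOUND
"""

LINE_RE = re.compile(
    r"^\[RUN\](?P<tags>(?:\[[^\]]+\])*)\s+(?P<key>\S+)\s+:\s+(?P<name>.+?)\s+"
    r"\((?P<path>.+?)(?:\s+\[(?P<marker>[^\]]*)\])?\)\s+->\s+(?P<status>\w+)\s*$"
)

# S-1-5-18 is LocalSystem. HKU\.DEFAULT is that same account's profile hive
# (backed by C:\WINDOWS\system32\config\systemprofile), not the template for
# new users, which is why both lines in the post point at the same cltmng.exe.
WELL_KNOWN_SIDS = {
    "S-1-5-18": "LocalSystem (NT AUTHORITY\\SYSTEM)",
    ".DEFAULT": "LocalSystem profile hive (alias of the S-1-5-18 profile)",
}

# Heuristic (assumption): autorun targets under profile data directories rather
# than Program Files or system32 are the usual shape of adware/PUP persistence.
SUSPICIOUS_DIRS = ("\\systemprofile\\", "\\application data\\", "\\local settings\\", "\\temp\\")


@dataclass
class Detection:
    key: str
    name: str
    path: str
    status: str
    marker: Optional[str]          # RogueKiller's trailing "[x]"-style marker, kept but not interpreted
    tags: List[str] = field(default_factory=list)

    @property
    def sid(self) -> Optional[str]:
        parts = self.key.split("\\")
        return parts[1] if parts[0].upper() in ("HKUS", "HKU", "HKEY_USERS") and len(parts) > 1 else None

    @property
    def account(self) -> str:
        return WELL_KNOWN_SIDS.get(self.sid or "", "interactive user account" if self.sid else "machine hive")

    @property
    def reason(self) -> Optional[str]:
        low = self.path.lower()
        for d in SUSPICIOUS_DIRS:
            if d in low:
                return f"autorun target lives under '{d.strip(chr(92))}' as {self.account}"
        return None

    @property
    def suspicious(self) -> bool:
        return self.reason is not None


def parse_report(text: str) -> List[Detection]:
    """Keep only [RUN] lines; RogueKiller reports also list services, hosts entries, etc."""
    found = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            found.append(Detection(key=m["key"], name=m["name"], path=m["path"], status=m["status"],
                                   marker=m["marker"], tags=re.findall(r"\[([^\]]+)\]", m["tags"])))
    return found


def program_folder(path: str) -> str:
    """Fold the binary back to the vendor folder directly under 'Application Data'
    (the :Files entry used in the post); otherwise name the file itself."""
    parts = path.split("\\")
    low = [p.lower() for p in parts]
    if "application data" in low:
        i = low.index("application data")
        if i + 1 < len(parts) - 1:
            return "\\".join(parts[: i + 2])
    return path


def run_key(key: str) -> str:
    # Assumption: RogueKiller's "[...]" stands for the standard Run key path.
    return key.replace("HKUS\\", "HKEY_USERS\\", 1).replace("[...]", "Software\\Microsoft\\Windows\\CurrentVersion")


def otm_script(detections: List[Detection]) -> str:
    """Draft an OTM script for the suspicious hits only. The post shows whole-key
    deletion with [-HKEY...]; per-value deletion with "name"=- is assumed here."""
    bad = [d for d in detections if d.suspicious]
    folders = list(dict.fromkeys(program_folder(d.path) for d in bad))
    lines = [":Files", *folders, "", ":reg"]
    for d in bad:
        lines += [f"[{run_key(d.key)}]", f'"{d.name}"=-']
    lines += ["", ":Commands", "[emptytemp]", "[Reboot]", ""]
    return "\n".join(lines)


if __name__ == "__main__":
    dets = parse_report(SAMPLE_REPORT)
    for d in dets:
        print(f"{'SUSPICIOUS' if d.suspicious else 'ok        '} {d.name:<14} {d.account}: {d.reason or d.path}")
    print(otm_script(dets))
```

Running it prints a verdict per line and the drafted script; the ctfmon.exe entry is reported but never reaches the script because system32 is not on the suspicious list, while the two SearchProtect hits collapse into one :Files folder and two :reg value deletions.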
     
  5. jobjob

    jobjob Private E-2

    Hi, Kestrel13!

    I've completed the list in your last post.

    1) I returned the machine to normal start up mode.
    2) I uninstalled Viewpoint Media Player.
    3) I downloaded and ran AVG Remover
    4) I downloaded and ran Avast Clean.

    I then ran MS search tool for "Avast" and "AVG" in files and folders and found the following:

    "Avast" (file or folder name, location, type):
    avast5.ini C:\Documents and Settings\User Name Configuration Settings
    avast5.ini C:\WINDOWS Configuration Settings
    x86_avast.vc.110.crt_2036b14a11e83e4a_11.0.60610.1_x-ww_e6822ee2 C:\WINDOWS\WinSxS File Folder
    x86_avast.vc.110.crt_2036b14a11e83e4a_11.0.60610.1_x-ww_e6822ee2.cat C:\WINDOWS\WinSxS\Manifests Security Catalog
    x86_avast.vc.110.crt_2036b14a11e83e4a_11.0.60610.1_x-ww_e6822ee2.manifest C:\WINDOWS\WinSxS\Manifests Manifest File
    x86_policy_avast.vc.110.crt_2036b14a11e83e4a_x-ww_96cea1b1 C:\WINDOWS\WinSxS\Policies File Folder

    "AVG," all of which are in C:\WINDOWS\Prefetch:
    AVG_FREE_STB_ALL_2014_4259_CN-04A0012D.pf
    AVGCMGR.EXE-0716269B.pf
    AVGCSRVX.EXE-07AC458C.pf
    AVGDIAGEX.EXE-1BC14C03.pf
    AVGEMCX.EXE-398AE7C3.pf
    AVGIDSAGENT.EXE-3817F697.pf
    AVGMFAPX.EXE-02E1D9E1.pf
    AVGMFAPX.EXE-263D236D.pf
    AVGNSX.EXE-31F33D31.pf
    AVGRDTESTX.EXE-30990F17.pf
    AVGRSX.EXE-303B67CE.pf
    AVGUI.EXE-0C2B3B7.pf
    AVGUIRUX.EXE-39715E46.pf
    AVGWDSVC.EXE-27944B80.pf

    Should I delete these? Or might some of them not have anything to do with either Avast or AVG?

    5) I ran RogueKiller and deleted the items you listed. The log was not named RKreport[2].....txt. It was named RKreport[0]....txt.
    6) I downloaded and ran OTM.
    7) I downloaded and ran JRT.
    8) I ran the MGTools file you specified. (I presume it simply updated the MGlogs.zip file since a new one wasn't created but the old one was - I think - modified.)

    Logs are attached.

    At first I didn't notice any difference in the machine's performance. But now that I've run MS Word and used the internet again I do notice a significant improvement. THANKS!

    It still takes forever to boot, but this is an old machine (512 RAM - woot!), and installing the programs to execute this cleanup caused a noticeable drag on the machine and increased the boot time. Oh, well. I can remove them, and I will want to customize the start up again, when we are done.

    Two things:
    1) Since completing the READ & RUN FIRST list for this forum I have been getting an MS hardware install notice in the systray when the machine boots. Then the "Welcome to the Found New Hardware Wizard" opens and asks me to select an option to complete a hardware install. I cancel it each time it opens - which is every time the machine boots. It doesn't list what hardware it is. Any suggestion as to what I should do about it?

    2) I originally posted about a specific service function called NtMapViewOfSection which is listed by AVG as a rootkit and as "infected." Can you confirm if we've resolved this problem? Or will I need to re-install AVG to check this myself?

    I love the improved performance of the machine and it certainly needed a cleanup.

    Thanks a bunch!
     


  6. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    They are indeed to do with AVG and Avast, however - those items are in the Prefetch folder, and not really anything to worry about.

    You can ask about this in the software forum.

    Why not give this a run?

    Malwarebytes Anti-Rootkit - How to run

    A SearchProtect folder remains (junk) so I'm going to have you run Avenger. Obviously, Avast and AVG are not malware, but we might as well run the fix this way to get rid of all in one fell swoop being as their removal tools didn't quite complete the job.



    Download The Avenger by Swandog469, and save it to your Desktop.

    • Extract avenger.exe from the Zip file and save it to your desktop
    • Run avenger.exe by double-clicking on it.
    • Do not change any check box options!!
    • Copy everything in the Quote box below, and paste it into the Input script here: part of the window:
    • Now click the Execute button.
    • Click Yes to the prompt to confirm you want to execute.
    • Click Yes to the Reboot now? question that will appear when Avenger finishes running.
    • Your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt and it will popup for you to view when you login after reboot.



    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. (Right click and run as admin if using Vista, Windows7 or Win8) Then attach the new C:\MGlogs.zip file that will be created by running this.


    Don't forget to attach the log from Malware Bytes Anti Rootkit.
     
  7. jobjob

    jobjob Private E-2

    I have run the programs and attached the logs you requested in your last post.

    Thank you.
     


  8. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep Malwarebytes Anti-Malware for scanning/removal of malware.
    2. Re-enable your Disk Emulation software with Defogger if you had disabled it in step 4 of the READ & RUN ME.
    3. Go to add/remove programs and uninstall HijackThis. If you don't see it or it will not uninstall, don't worry about it. Just move on to the next step.
    4. If running Vista, Win 7 or Win 8, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    5. Now goto the C:\MGtools folder and find the MGclean.bat file. Double click ( if running Vista, Win7, or Win 8 Right Click and Run As Administrator ) on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    6. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.

    7. After doing the above, you should work through the below link:
     
