Persistent malware

Discussion in 'Malware Help (A Specialist Will Reply)' started by markoc, Apr 21, 2009.

  1. markoc

    markoc Private E-2

    Hi all, I need help.

    My laptop (Windows XP SP3) is infected with some malware that I can't get rid of. I had free AVG8 (uninstalled now) that reported the following:
    Trojan horse Rootkit_agent.cw
    Trojan horse Dropper.Generic.Alpl
    Trojan horse Agent_r.mu
    Trojan horse SHeur2.abmk
    Virus Win32/Heur.
    AVG could not help to solve the problem. I also could not get to the internet.

    I carefully followed instructions on this forum (http://forums.majorgeeks.com/showthread.php?t=35407) and it went like this.
    0. Run CCleaner, updated SunJava etc.
    1. SuperAntiSpyware. Didn't want to run initially. When I unchecked the options
    * Use Kernel Direct File Access (recommended)
    * Use Kernel Direct Registry Access (recommended)
    run went smoothly and nothing was detected (SUPERAntiSpyware Scan Log - 04-20-2009 - 22-01-01_first.log).
    2. Malwarebytes – scan detected some problems (mbam-log-2009-04-21 (00-02-24)first.txt). It appeared that all was successfully removed.
    3. ComboFix – went smoothly (ComboFix.txt)
    4. MG also went fine (MGlogs.zip).
    5. I then toggled off, rebooted and turned on System Restore.
    6. Afterwards I installed PCTOOLS Firewall (previously had only windows xp built-in firewall). Also disabled windows XP built-in firewall.
    7. I tried to check if my system is clean. However, Malwarebytes froze at some point. I disabled PC Tools Firewall (probably this was the cause) but also uninstalled ComboFix, MG and HiJackThis as found in one post on this forum (just to be on the safe side). After that, Malwarebytes ran smoothly and found malware again and successfully deleted it. However, after reboot the malware was still present (mbam-log-2009-04-21 (10-15-01)second.txt). At least some of the malware was removed. Security.Hijack and Disabled.SecurityCenter remain. In my next attempt I tried not to reboot and ran Malwarebytes again – this time it didn't find anything. However, after reboot, the problems are here again.
    8. I also tried SUPERAntiSpyware for the 2nd time – it didn't run until I disabled PC Tools Firewall. It did not find anything (again), (SUPERAntiSpyware Scan Log - 04-21-2009 - 12-46-45_second.log).
    9. I do now have internet access, but the malware is still present.
    I don’t know what to try now. Please, I surely need some advice.
    Many thanks.
    PS. I can add only 4 logs at a time. Will try to add two more in my next post.
     


  2. markoc

    markoc Private E-2

    ...two additional logs.

    thx
     


  3. markoc

    markoc Private E-2

    I tried to go through hijackthis log by myself and found the following line that seems suspicious:

    O23 - Service: Network DDE DSDM NetDDEdsdmhkmsvc (NetDDEdsdmhkmsvc) - Unknown owner - C:\WINDOWS\system32\AcSignExtResm.exe

    that particular file is hidden.

    Can this be the cause of the problems? I can't find anything about this file through Google.


    btw. I noticed that I ran a SUPERAntiSpyware version that is not the latest (although I had the latest definition files). I ran it again with the latest version, but again nothing is detected.
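The O23 line quoted above is worth checking mechanically rather than by eye: the short name NetDDEdsdmhkmsvc is the stock NetDDEdsdm name with characters appended, the display name is the stock display name with the short name glued on, and the binary is not the one that service normally runs. The following is an added example for this thread, not code from the poster or from HijackThis: a small Python triage script that parses O23 lines and flags services whose short or display name extends a stock Windows service name, or whose binary differs from the stock one. The baseline table of stock XP services is an assumed, constructed table (from memory of a stock install; rebuild it from a known-clean machine), and every sample line except the one quoted from the post is constructed.

```python
"""Triage HijackThis O23 (service) lines for look-alike service names.

Added example for this thread; not code from the thread or from HijackThis.
"""
import ntpath
import re

# "O23 - Service: <display name> (<short name>) - <vendor or 'Unknown owner'> - <binary path>"
O23_RE = re.compile(
    r"^O23 - Service: (?P<display>.*) \((?P<name>[^()]+)\) - "
    r"(?P<owner>.*?) - (?P<path>.*?)(?: \(file missing\))?$"
)

# Constructed baseline of a few stock Windows XP services: short name -> (display name, binary).
# ASSUMED from memory of a stock XP SP3 install, not taken from the thread; rebuild it from a
# known-clean machine before relying on it.
KNOWN_SERVICES = {
    "netdde": ("Network DDE", "netdde.exe"),
    "netddedsdm": ("Network DDE DSDM", "netdde.exe"),
    "spooler": ("Print Spooler", "spoolsv.exe"),
    "wscsvc": ("Security Center", "svchost.exe"),
}


def parse_o23(line):
    """Split one O23 line into its fields; return None for any other HJT line."""
    m = O23_RE.match(line.strip())
    return m.groupdict() if m else None


def assess(entry):
    """Return the reasons an O23 entry looks like a service disguised as a stock one."""
    reasons = []
    name = entry["name"].lower()
    display = entry["display"].lower()
    binary = ntpath.basename(entry["path"]).lower()

    if name in KNOWN_SERVICES:
        # Genuine short name: the only question is whether the binary is the stock one.
        expected = KNOWN_SERVICES[name][1]
        if binary != expected:
            reasons.append(f"stock service {entry['name']} should run {expected}, not {binary}")
    else:
        # An unknown short name that merely extends a stock one (NetDDEdsdm -> NetDDEdsdmhkmsvc)
        # is the classic sign of a generated, disguised service name.
        short_hit = max((s for s in KNOWN_SERVICES if name.startswith(s)), key=len, default=None)
        if short_hit:
            reasons.append(f"short name extends stock service name '{short_hit}'")
        disp_hit = max(
            (d for d, _ in KNOWN_SERVICES.values()
             if display != d.lower() and display.startswith(d.lower())),
            key=len, default=None)
        if disp_hit:
            reasons.append(f"display name pads stock display name '{disp_hit}'")

    if entry["owner"] == "Unknown owner":
        reasons.append("binary carries no vendor name")
    return reasons


def triage(lines):
    """Assess every O23 line; two or more reasons marks the service as suspicious."""
    results = []
    for line in lines:
        entry = parse_o23(line)
        if entry is None:
            continue
        reasons = assess(entry)
        results.append({
            "name": entry["name"],
            "path": entry["path"],
            "reasons": reasons,
            "suspicious": len(reasons) >= 2,
        })
    return results


# Constructed sample log: the first line is the one quoted in the post, the rest are made up.
SAMPLE_LOG = [
    r"O23 - Service: Network DDE DSDM NetDDEdsdmhkmsvc (NetDDEdsdmhkmsvc) - Unknown owner - C:\WINDOWS\system32\AcSignExtResm.exe",
    r"O23 - Service: Apple Mobile Device (Apple Mobile Device) - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe",
    r"O23 - Service: Network DDE DSDM (NetDDEdsdm) - Unknown owner - C:\WINDOWS\system32\netdde.exe",
    r"O4 - HKLM\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe",
]

if __name__ == "__main__":
    for r in triage(SAMPLE_LOG):
        flag = "SUSPICIOUS" if r["suspicious"] else "ok"
        print(f"{flag:10} {r['name']} -> {r['path']}")
        for why in r["reasons"]:
            print(f"           - {why}")
```

On the quoted line the script reports three reasons (short name extends NetDDEdsdm, display name pads "Network DDE DSDM", no vendor name) and marks it suspicious; the constructed genuine NetDDEdsdm line gets only the weak "no vendor name" hit and stays below the threshold. "Unknown owner" on its own is weak evidence, since plenty of legitimate binaries ship without version information, which is why it counts only alongside a name-mimicry hit. The next manual step for a flagged entry is to read its ImagePath under HKLM\SYSTEM\CurrentControlSet\Services\<short name> and check the file's attributes with `attrib`, as the hidden attribute on a system32 executable is itself unusual.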
     
  4. markoc

    markoc Private E-2

    Sorry, I just posted something in error in this reply. The previous 3 posts are correct.
     
    Last edited: Apr 21, 2009
  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Major Geeks!

    Run this Disable/Remove Windows Messenger to remove Windows Messenger. Do not confuse Windows Messenger with MSN Messenger because they are not the same. Windows Messenger is a frequent cause of popups.

    Now we need to use ComboFix again.
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    • Open Notepad and copy/paste the text in the below quote box into it:
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below
    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.


    Now run Ccleaner to clean out only temp files and nothing else!

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:
    • C:\ComboFix.txt
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
