Problem with a trojan (msupio32.exe and inject.94208)

Discussion in 'Malware Help (A Specialist Will Reply)' started by migvelio, May 18, 2010.

  1. migvelio

    migvelio Private E-2

    Hi everyone and thanks in advance.


    I have a problem right now with my trojan that neither Avira, nor Malwarebytes, nor Spybot can help me remove, and I cannot find info on this trojan on the internet.

    The first notable problem is that it is linked to a process called msupio32.exe, and once it is finished, the virus's effects stop. The second problem is that it stops any internet connection a while after the computer has been turned on (unless I stop msupio32), and third, it makes the Windows host process stop working randomly after the computer has been turned on.

    The trojan is identified by Avira as inject.94208 and as trojan.dropper by Malwarebytes.

    I will post a HijackThis log (without any process finished after reboot). If I need to post something else, just tell me. Please.

    I will be waiting for your response. Thanks in advance.
     

    Attached Files:

  2. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Yes, you need to read this: :)

    Welcome to Major Geeks!

    Please read ALL of this message including the notes before doing anything.

    Please follow the instructions in the below link:

    READ & RUN ME FIRST. Malware Removal Guide


    and attach the requested logs when you finish these instructions.
    • **** If something does not run, write down the info to explain to us later but keep on going. ****
    • Do not assume that because one step does not work that they all will not. MGtools will frequently run even when all other tools will not.

    • After completing the READ & RUN ME and attaching your logs, make sure that you tell us what problems still remain ( if any still do )!
    Helpful Notes:

    1. If you run into problems trying to run the READ & RUN ME or any of the scans in normal boot mode, you can run the steps in safe boot mode but make sure you tell us what you did later when you post logs. See the below if you do not know how to boot in safe mode:
    2. If you have problems downloading on the problem PC, download the tools and the manual updates for SUPERAntiSpyware and Malwarebytes ( links are given in the READ & RUN ME) onto another PC and then burn to a CD. Then copy them to the problem PC. You will have to skip getting updates if (and only if) your internet connection does not work. Yes you could use a flash drive too but flash drives are writeable and infections can spread to them.
    3. If you cannot seem to login to an infected user account, try using a different user account (if you have one) in either normal or safe boot mode and running only SUPERAntiSpyware and Malwarebytes while logged into this other user account. Then reboot and see if you can log into the problem user account. If you can then run SUPERAntiSpyware, Malwarebytes, ComboFix and MGtools on the infected account as requested in the instructions.
    4. To avoid additional delay in getting a response, it is strongly advised that after completing the READ & RUN ME you also read this sticky:
    Any additional post is a bump which will add more delay. Once you attach the logs, your thread will be in the work queue and as stated our system works the oldest threads FIRST.
     
  3. migvelio

    migvelio Private E-2

    Ok, I can see I don't need to post something else.
    Can someone help me now? The trojan is unremovable by any means I know.
     
  4. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    You very much do need to post logs if you would like me to assist you in removing the malware. Until you do, I'm about as much use to you as a glass eye.


    I have already linked you to the procedures that have to be run :) If you want the trojan gone so desperately then you should follow my instructions.
     
    Last edited: May 18, 2010
  5. migvelio

    migvelio Private E-2

    I have already posted a HijackThis log in my first post; if this is not enough, please tell me.

    I have done all the steps, including steps 3 and 6.

    Thanks for your time :)
     
  6. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    And at no time did we request a HJT log. ;) You originally stated that if there was more needed to be done for us to then tell you. I have very clearly told you that more indeed does need to be done. So if you have completed all of the steps, why not post logs so we can finally get cracking on malware removal instead of wasting time? :) I only have your interests at heart here... I don't want to delay in malware removal.
     
  7. migvelio

    migvelio Private E-2

    "why not post logs so we can finally get cracking on malware removal instead of wasting time?"

    Well, which other logs should I post (which other programs do I need)?

    Sorry for wasting time :/
     
  8. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Forgive me, it's 4am here and I am rather tired :(

    But if you had read any of what I had posted of the Read and Run Me First then you would know exactly which logs to post. I require logs from you running:

    • SUPERantispyware
    • Malware Bytes
    • RootRepeal
    • Combofix
    • and... MGTools

    But of course, as again, you would know if you had read it, there are a lot of preliminary things to do beforehand; the information needs to be carefully read. Same goes for any good malware removal sites. So complete what you can of it, take your time. :) Attach logs when done.
     
  9. migvelio

    migvelio Private E-2

    Ok, here are the logs; sorry it took so long.

    I did not post the ComboFix one; I have heard it is a program dedicated to delicate use and I'm kind of afraid I will screw something up without guidance.

    By the way, Avira has detected another malware, called WORM.PEDA.

    Thank you for your time.
     

    Attached Files:

  10. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    I would like you to run combofix as you will be using it under my supervision. So do that now, and then afterwards, you need to run MGTools as you still haven't run that either. Attach the C:\Mglogs.zip.
     
  11. migvelio

    migvelio Private E-2

    The filelog.txt is the log from MGtools, if I remember well.

    I am on a short trip until Monday, so I will not be posting regularly (or not at all) until then. Just to notify you. I will post the ComboFix log when I can. Thanks for the help provided. And pardon my English :)
     
  12. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    No! I want to see the C:\Mglogs.zip file. That zipped log contains ALL of the logs I need to see so that it saves you the trouble of attaching them separately.
    If you have run MGtools.exe after already running ComboFix, you will not need to separately attach the combofix log as it will already be inside of the C:\Mglogs.zip that I have asked you to attach. However if you run ComboFix after having run MGtools, you will need to attach the c:\combofix.txt log yourself.
     
    Last edited by a moderator: May 22, 2010
  13. migvelio

    migvelio Private E-2

    Sorry I took so long, but I finally came home. :)

    Here's the MGtools log. There is a problem: the ComboFix download page (bleepingcomputer.com) is down. And the ComboFix page itself tells people to download it only from there and warns about downloading from another page. Do you know another safe link from where I may download it? Or even better, can you attach the program here? By the way, I have closed the trojan process (it has another name now); this looks like the only way to stop the infection temporarily. Thanks in advance.
     

    Attached Files:

  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    No it is not. Check again as I just downloaded the program without a problem.
     
  15. migvelio

    migvelio Private E-2

    It is still down for me, which is weird. Can you attach it here or give me another safe link?
     
  16. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Let's take a few other steps before worrying about ComboFix.

    First, you MUST do what was requested in step 6 of the READ & RUN ME and disable your disk emulation software. We cannot properly help you if you leave Daemon Tools running. It needs to be disabled and kept that way until we are finished.

    Now delete the below copy of MGtools as it does not belong here:
    C:\Documents and Settings\Migvelio\Escritorio\Tools\MGtools.exe




    Now download HostsXpert and then follow the below steps.
    • Unzip HostsXpert.zip
    • It will create a folder named HostsXpert in whatever folder you extract it to.
    • Run HostsXpert.exe by double clicking on it.
    • Click the Make Writeable? button. (if you only see a Make Read-Only selection, it is already writeable so skip this button).
    • Click Restore Microsoft's Hosts File and then click OK.
    • Click the X to exit the program
    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
    O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
    O4 - HKLM\..\Run: [917] C:\WINDOWS\system32\scvdll.exe
    O4 - HKLM\..\Run: [MSODESNV7] C:\WINDOWS\system32\msvmiode.exe
    O4 - HKLM\..\Run: [378] C:\WINDOWS\system32\scvdll.exe
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Archivos de programa\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Archivos de programa\DNA\btdna.exe"
    O4 - HKLM\..\Policies\Explorer\Run: [Microsoft Driver Setup] C:\WINDOWS\wndrive32.exe
    After clicking Fix, exit HJT.




    Now download The Avenger by Swandog46, and save it to your Desktop.
    • Extract avenger.exe from the Zip file and save it to your desktop
    • Run avenger.exe by double-clicking on it.
    • Do not change any check box options!!
    • Copy everything in the Quote box below, and paste it into the Input script here: part of the window:
    • Now click the Execute button.
    • Click Yes to the prompt to confirm you want to execute.
    • Click Yes to the Reboot now? question that will appear when Avenger finishes running.
    • Your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt and it will popup for you to view when you login after reboot.
    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).



    Then attach the below logs:
    • C:\avenger.txt
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
    Last edited: May 27, 2010
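As an added example (not code from the thread, MajorGeeks or HijackThis), the script below parses the O2/O4 lines quoted in the post above and ranks them with the cues a helper uses when deciding which entries to fix: numeric value names, the Policies\Explorer\Run key, an executable sitting directly in C:\WINDOWS, one image registered under several value names, an orphaned BHO, and an optional list of known-bad image names taken from this thread. The sample lines are constructed from the post, and expanding %systemroot% to C:\WINDOWS is an assumption.

```python
"""Triage HijackThis O2/O4 lines: parse each entry, then attach a reason for
every heuristic it trips and for any match against known-bad image names.
Heuristics only prioritise what a human reviews; they do not replace review."""
import re
from dataclasses import dataclass, field

# Constructed sample: the O2/O4 lines quoted in the thread, plus the HP updater
# entry from a later post so that benign entries are present as well.
SAMPLE_HJT_LINES = r"""
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [917] C:\WINDOWS\system32\scvdll.exe
O4 - HKLM\..\Run: [MSODESNV7] C:\WINDOWS\system32\msvmiode.exe
O4 - HKLM\..\Run: [378] C:\WINDOWS\system32\scvdll.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Archivos de programa\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Archivos de programa\DNA\btdna.exe"
O4 - HKLM\..\Policies\Explorer\Run: [Microsoft Driver Setup] C:\WINDOWS\wndrive32.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Archivos de programa\HP\HP Software Update\HPWuSchd2.exe
"""

# Image names the thread itself identified as malicious, used as an IoC list.
THREAD_KNOWN_BAD = frozenset({"scvdll.exe", "msvmiode.exe", "wndrive32.exe"})

O4_RE = re.compile(r"^O4 - (?P<hive>HK[A-Z]+)\\\.\.\\(?P<key>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.*)$")


@dataclass
class Entry:
    kind: str           # "O2" or "O4"
    name: str           # value name (O4) or BHO display name (O2)
    key: str            # registry key (O4) or CLSID (O2)
    image: str          # executable / DLL path with quotes and arguments stripped
    reasons: list = field(default_factory=list)

    @property
    def score(self) -> int:
        return len(self.reasons)

    @property
    def basename(self) -> str:
        return self.image.rsplit("\\", 1)[-1].lower()


def image_path(cmd: str) -> str:
    """Reduce a Run value's command line to its executable path."""
    cmd = cmd.strip()
    if cmd.startswith('"'):                      # quoted path: take up to the closing quote
        return cmd[1:cmd.find('"', 1)]
    m = re.search(r"\.exe\b", cmd, re.IGNORECASE)
    if m:                                        # unquoted path with spaces: cut after .exe
        return cmd[: m.end()]
    return cmd.split(" ")[0]                     # no extension: first token (dumprep 0 -u)


def parse(text: str) -> list:
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if m := O4_RE.match(line):
            entries.append(Entry("O4", m["name"], m["key"], image_path(m["cmd"])))
        elif m := O2_RE.match(line):
            entries.append(Entry("O2", m["name"], m["clsid"], m["path"].strip()))
    return entries


def triage(text: str, known_bad=frozenset()) -> list:
    """Parse the lines, score every entry, and return them highest score first."""
    entries = parse(text)
    # Distinct value names pointing at the same image, e.g. [917] and [378] -> scvdll.exe.
    by_image = {}
    for e in entries:
        if e.kind == "O4":
            by_image.setdefault(e.basename, set()).add(e.name)
    for e in entries:
        if e.basename in known_bad:
            e.reasons.append("image name matches known-bad indicator")
        if e.kind == "O2" and e.image.lower() == "(no file)":
            e.reasons.append("orphaned BHO (CLSID registered, file missing)")
        if e.kind != "O4":
            continue
        if e.name.isdigit():
            e.reasons.append("numeric value name")
        if "policies\\explorer\\run" in e.key.lower():
            e.reasons.append("Policies\\Explorer\\Run persistence")
        # Assumption: %systemroot% is C:\WINDOWS, so the depth check is uniform.
        resolved = e.image.lower().replace("%systemroot%", "c:\\windows")
        if re.fullmatch(r"c:\\windows\\[^\\]+", resolved):
            e.reasons.append("executable directly in the Windows root folder")
        if len(by_image.get(e.basename, ())) > 1:
            e.reasons.append("same image registered under several value names")
    return sorted(entries, key=lambda e: e.score, reverse=True)


if __name__ == "__main__":
    for e in triage(SAMPLE_HJT_LINES, THREAD_KNOWN_BAD):
        print(f"{e.score}  {e.kind} [{e.name}] {e.image}  {'; '.join(e.reasons) or '-'}")
```

Without the IoC list, msvmiode.exe scores zero: a name that imitates a system file in system32 trips none of the generic cues, which is why the helpers in this thread still read every line themselves.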
  17. migvelio

    migvelio Private E-2

    Ok, this was really weird and it scared me a lot.

    After I closed the browser, ran HostsXpert and got to the "Click the X to exit the program" step, my mouse just froze, and my PC started to look like it was working by itself. It was sending malware links to my MSN and Skype contacts, so I had to reboot right away. I tried booting in safe mode, but every time I tried to do it the PC rebooted by itself, so I booted Windows normally. When Windows loaded it was starting to do the same automated thing again, so I rebooted it again, and when Windows booted I quickly stopped all the weird processes and it stopped. I did everything just like you said with no problems, but there was something weird: Avira was unable to enable the AntiVir Guard. I rebooted again when I was prompted to and... the same malware processes were there again, and Avira is still disabled.

    I'm really worried about the malware-link-sending thing now.
     
  18. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You need to continue with ALL of my instructions.
     
  19. migvelio

    migvelio Private E-2

    here are the logs
     

    Attached Files:

  20. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Uninstall Avira and then run the below.


    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O4 - HKLM\..\Run: [HP Software Update] C:\Archivos de programa\HP\HP Software Update\HPWuSchd2.exe
    O4 - HKLM\..\Run: [Microsoft Driver Setup] C:\WINDOWS\wndrive32.exe
    O4 - HKLM\..\Run: [MSODESNV7] C:\WINDOWS\system32\msvmiode.exe
    O4 - HKLM\..\Policies\Explorer\Run: [Microsoft Driver Setup] C:\WINDOWS\wndrive32.exe

    After clicking Fix, exit HJT.


    • Run avenger.exe by double-clicking on it.
    • Do not change any check box options!!
    • Copy everything in the Quote box below, and paste it into the Input script here: part of the window:
    • Now click the Execute button.
    • Click Yes to the prompt to confirm you want to execute.
    • Click Yes to the Reboot now? question that will appear when Avenger finishes running.
    • Your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt and it will popup for you to view when you login after reboot.
    Also delete all files in the below folders except ones from the current date (Windows will not let you delete the files from the current day).
    C:\WINDOWS\Temp\
    C:\Documents and Settings\Migvelio\Local Settings\TEMP

    Now run Ccleaner. Only use the Run Cleaner button. Do not run anything else on any other forms.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).



    Then attach the below logs:
    • C:\avenger.txt
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
  21. migvelio

    migvelio Private E-2

    I did as you said. The malware is still there. There is something you should know: the only files that could not be deleted in the C:\WINDOWS\Temp folder were these 2 files, "Perflib_Perfdata_73c.dat" and "Perflib_Perfdata_15c.dat". I noticed that every time I restart the PC the numbers in the names change (I am almost certain the numbers match the malware numbers, e.g. 735.exe, 15.exe).
     

    Attached Files:

  22. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Not problems.

    Yes these are part of your problem. It is important that you DO NOT reboot or power down your PC unless I request it or unless a program like Avenger or ComboFix makes it reboot. Once you attach logs, do not power down or reboot for any reason. Also do not run anything except what we ask you to run. Make sure that you DO NOT run any P2P or torrent programs or Skype like I see on your PC. These are likely the source of your problem and are opening up connections to your PC from other computers on the internet.


    Copy the bold text below to notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.
    Make sure that you tell me if you receive a success message about adding the above to the registry. If you do not get a success message, it definitely did not work.


    Now download The Avenger by Swandog46, and save it to your Desktop.
    • Extract avenger.exe from the Zip file and save it to your desktop
    • Run avenger.exe by double-clicking on it.
    • Do not change any check box options!!
    • Copy everything in the Quote box below, and paste it into the Input script here: part of the window:
    • Now click the Execute button.
    • Click Yes to the prompt to confirm you want to execute.
    • Click Yes to the Reboot now? question that will appear when Avenger finishes running.
    • Your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt and it will popup for you to view when you login after reboot.

    Now run Ccleaner. Only use the Run Cleaner button. Do not run anything else on any other forms.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:
    • C:\avenger.txt
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
  23. migvelio

    migvelio Private E-2

    Ok, I restarted the PC as prompted after using Avenger and did the next steps.

    Finally... I didn't see any malware processes in the Task Manager. I'm sending the logs now. I feel like a huge weight fell away from my body. Is it over? I mean, is the malware really gone?
     

    Attached Files:

  24. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Not yet! Quickly run HostsXpert exactly as requested earlier. Your hosts file is infected again. Do this now while I look thru the rest of your logs.
     
  25. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Now run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
    O4 - HKLM\..\Policies\Explorer\Run: [Microsoft Driver Setup] C:\WINDOWS\wndrive32.exe

    After clicking Fix, exit HJT.


    Now download The Avenger by Swandog46, and save it to your Desktop.
    • Extract avenger.exe from the Zip file and save it to your desktop
    • Run avenger.exe by double-clicking on it.
    • Do not change any check box options!!
    • Copy everything in the Quote box below, and paste it into the Input script here: part of the window:
    • Now click the Execute button.
    • Click Yes to the prompt to confirm you want to execute.
    • Click Yes to the Reboot now? question that will appear when Avenger finishes running.
    • Your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt and it will popup for you to view when you login after reboot.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:
    • C:\avenger.txt
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
  26. migvelio

    migvelio Private E-2

    Here are the logs. :) Is my pc cleaned now?
     

    Attached Files:

  27. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    No! The below keep returning.

    C:\WINDOWS\system32\bscs.ini
    C:\WINDOWS\system32\msvmiode.exe

    See if you can delete these files.
     
  28. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Add one more to delete:

    C:\WINDOWS\wndrive32.exe
     
  29. migvelio

    migvelio Private E-2

    Done. I checked the Task Manager and there were 3 malware processes; I stopped them in order to delete C:\WINDOWS\system32\msvmiode.exe and C:\WINDOWS\wndrive32.exe. What should I do now?
     
  30. migvelio

    migvelio Private E-2

    By the way, the malware is still affecting me. After a few minutes (like 20 minutes or something) the malware processes restart again.
     
  31. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please run : GMER - running with a random name and attach the requested log.


    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:
    • C:\MGlogs.zip
     
  32. migvelio

    migvelio Private E-2

    Here are the logs.

    Here's my update: the malware processes are gone. I did the last steps you told me to and tried to eliminate all the trojan files, even those in temporary folders and in the Windows folder. But when Windows boots, Avira (I reinstalled it and now it runs fine) detects the trojan (2 files) in C:\Documents and Settings\Migvelio\Configuración local\Temp, and there are 2 other suspicious files in C:\Documents and Settings\Migvelio\Configuración local\Archivos temporales de Internet. The only negative effect I notice on my PC is that randomly after Windows loads (usually less than 10 minutes) Windows Host Process gives me an error and it shuts down along with the rundll32.exe process; sometimes it gives me an error screen, sometimes it doesn't, and it is really annoying because afterwards the sound in any application or program is disabled.
     

    Attached Files:

  33. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Looks like you reenabled your disk emulation software based on your GMER log. We cannot help you unless you leave this disabled as it confuses the tools and makes it appear like there are rootkits or master boot record infections when there may not be. You must either completely uninstall this software (which never seems to work) or disable it and keep it disabled until we are 100% finished. After disabling it, you will need to attach new logs from GMER and MGtools.

    Some of the problems you are having are likely problems within Windows itself. Your installation seems a little messed up based on your HijackThis log.
     
  34. migvelio

    migvelio Private E-2

    That's weird... I uninstalled Daemon Tools when I was prompted to. In fact, the Task Manager doesn't show me any disk emulation software process open. Can you tell me which disk emulation software I have installed based on the log? To see if I can uninstall it or disable it.
     
  35. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    And the below show in your log and need to be deleted:
    Code:
    "C:\WINDOWS\system32\"
    12.exe        May 29 2010      155648  "12.exe"
    25.exe        May 29 2010      155648  "25.exe"
    84.exe        May 29 2010      155648  "84.exe"
    bscs.ini      May 29 2010          77  "bscs.ini"
    dn.exe        May 29 2010           0  "dn.exe"
    i             May 29 2010          87  "i"
    woot.exe      May 28 2010           0  "woot.exe"
     
  36. migvelio

    migvelio Private E-2

    I deleted them (there were some other exes like 12.exe) but I am unable to delete "i" and "dn.exe"; it says that they are in use.
     
  37. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Is Daemon Tools disabled or uninstalled now?

    Uninstall "DAEMON Tools Toolbar"




    Download ProcessExplorer
    • Unzip it to its own folder somewhere you can locate it.
    • Now run procexp.exe by double clicking on it.
    • Let's configure some options first:
      • Click View and select Show Lower Pane. And where it says "Lower Pane View" make sure DLL's is checked.
      • Now click on explorer.exe.
      • Now also under the View menu choose "Select columns" and put a check mark on "Image Path".
    • Now click on File and then Save As. And save the process list.
    • Post it back here as an attachment.
    • Also, from now on if you have to kill any processes and you cannot kill them with Task Manager, use Process Explorer instead. Sometimes ProcessExplorer can kill things that Task Manager cannot. And Task Manager will not always show all running processes.
     
  38. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Also see if you can run ComboFix now. If so, attach the log.
     
  39. migvelio

    migvelio Private E-2

    Daemon is uninstalled, but now ComboFix has detected disk emulation software, which is weird: I have uninstalled Daemon and the Nero Image Drive has never been enabled. ComboFix has disabled it and it reset my PC immediately. I don't want to screw something up with ComboFix; would you kindly indicate to me how to use it in order to create the log?
     
  40. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Disk emulation software programs are constantly problems since they are not designed to have proper installation and uninstallation programs. And now you see why I kept asking about Daemon Tools. Both GMER and ComboFix agree with my assessment that it is still installed and running. Thus it never uninstalled all the hooks/drivers it put on your PC. A sign of a poorly written program.

    Did ComboFix create a log after the reset? If not, run it again and see if you can get it to create a log.
     
  41. migvelio

    migvelio Private E-2

    Sorry I took so long, I've been busy. I eliminated the virus manually as I did previously before running ComboFix.
     

    Attached Files:

    • log.txt
  42. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Go to TDSSKiller and Download TDSSKiller.zip to your Desktop
    • Extract its contents to your Desktop so that you have TDSSKiller.exe directly on your Desktop and not in any subfolder of the Desktop.
    • Click Start > Run and copy/paste the following bold command into Run box and hit Enter.
    "%userprofile%\Desktop\TDSSKiller.exe" -v

    • Follow the instructions to type in "delete" when it asks you what to do when it finds something.
    • When done, a log file should be created on your C: drive named something like TDSSKiller.2.1.1_27.12.2009_14.17.04_log.txt which is based on the program version # and date and time run. Please attach this log to your next reply.
    Now we need to use ComboFix
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    • Open Notepad and copy/paste the text in the below quote box into it:
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below
    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.


    Now goto this link Using MGtools and download the new version of MGtools.exe from the black bold print link in the first sentence. Overwrite your previous MGtools.exe file with this one.

    Run MGtools.exe ( Note: If using Vista make sure UAC is still disabled. Also don't double click on it, use right click and select Run As Administrator )

    Now attach the below log:
    • C:\ComboFix.txt
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
  43. migvelio

    migvelio Private E-2

    Here are the 3 logs :)
     

    Attached Files:

  44. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You did not say how things are working. Your logs look good.
     
  45. migvelio

    migvelio Private E-2

    Well, when I posted the logs things looked good; I thought the trojan was really gone. I didn't find any trace of the trojan, but the Windows host process error kept coming, caused by the unexpected shutdown of rundll32.exe, which is annoying because it happens around 10 minutes after Windows loads and it makes the PC unable to load sound drivers, disabling any sound in any application or program unless I open those programs before the error (like Winamp, VLC player, any video on YouTube or any game). If I close any of those programs and open them again after the error, they won't play any sound and Winamp will give an error. So I will have to reset every time I want to listen to music, play a game or whatever.

    After a while the trojan presence came back; it seems more sporadic right now, but the same Avira alerts kept coming and some of the trojan files (dn.exe and i) were there along with "any number".exe (e.g. 53.exe, which Avira gets rid of).
     
  46. migvelio

    migvelio Private E-2

    And now an unknown process appears every time I boot Windows; it's called "jnstm.exe".
     
  47. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    This could just indicate issues with Windows. As I indicated a few messages back, you do seem to have issues in your Windows installation.

    Seems like you are either getting reinfected from somewhere or that something is still hiding. Avira may be getting in the way of uncovering the real source of the problem. So please uninstall Avira now and then reboot.

    After reboot, download the current version of combofix.exe to your Desktop and run a new scan.

    Now download and install PC Tools Firewall Plus <-- make sure you uncheck the options to install Google Toolbar and Threatfire free edition. There is no sense in installing excess baggage.


    Now download the current version of MGtools and save it to your root folder. Overwrite your previous MGtools.exe file with this one.

    Run MGtools.exe ( Note: If using Vista make sure UAC is still disabled. Also don't double click on it, use right click and select Run As Administrator )


    Now attach the below log:
    • C:\ComboFix.txt
    • C:\MGlogs.zip
     
  48. migvelio

    migvelio Private E-2

    Done. Sorry for taking so long to answer. Here are the logs.

    Everything seems fine now! No host process error and the audio works fine. I will answer later to see if everything keeps working and how stable it will be.

    The jnstm.exe malware came through a usb drive and it is not related to the main malware. That was fixed and jnstm.exe was eliminated.

    Will tell you in a while how everything kept working! :)
     

    Attached Files:

  49. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Your logs are clean. Now you need to reinstall your antivirus.


    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources ( except a little disk space ) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /uninstall
        • Notes: The space between the combofix" and the /uninstall, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
    3. Go back to step 6 of the READ ME and re-enable your Disk Emulation software with Defogger if you had disabled it.
    4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    7. Go to add/remove programs and uninstall HijackThis.
    8. Goto the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    9. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures pointed to by step 7 of the READ ME for your Windows version and see the instructions to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    10. After doing the above, you should work thru the below link:
     
