Some help after running through removal guide

Discussion in 'Malware Help (A Specialist Will Reply)' started by MartinOz, Oct 10, 2009.

  1. MartinOz

    MartinOz Private E-2

    Hey guys,

    I've managed to clean two computers in the past with help from the great people on this forum so I thought I'd drop in again with some problem I have with my new laptop.

    Just a little background: I'm traveling around Australia at the moment so I'm using internet through a cellphone which means my bandwidth is pretty limited. I started noticing that something was eating up most of my bandwidth, either downloading or uploading stuff, so I used netstat to try and figure out what it was but all I could trace it back to is a bunch of urls with suspicious names running through svchost.exe, which I obviously couldn't kill.

    I looked up your excellent guide again, ran through all the steps and got rid of most of the trojans to the point where SuperAntiSpyware can't find anything anymore. So I thought it was completely alright but then just now I noticed that something was downloading stuff through svchost.exe again so I reckon there's still something lurking around somewhere. I've included all the logs and hope you'll be able to help me.

    I'm running 32 bit Vista.

    On a semi-related sidenote, I've been trying to install Kaspersky antivirus but it keeps saying that I have to delete McAfee (which came with the comp) first, which I've already done. I've looked through the registry for any more McAfee stuff but the only things that are left, I can't remove. Any ideas on how to get past this and install it? I'd use Avast but since my download is very limited it's a bit big to download.

    Cheers!
    Martin
     


  2. MartinOz

    MartinOz Private E-2

    And the last log file.
     


  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Major Geeks!

    Please download the current version of MGtools and save it to your root folder. Overwrite your previous MGtools.exe file with this one.

    Run MGtools.exe ( Note: If using Vista make sure UAC is still disabled. Also don't double click on it, use right click and select Run As Administrator ) DO NOT attach a log right now. I will ask you to attach one later after we run other scans some of which will be repeats to make sure no reinfection has occurred.


    Now please download and run Win32kDiag per the below instructions:
    • Download this Win32kDiag and save to C:\Win32kDiag.exe. You must save it here!!!!
    • Click on Start->Run, and copy-paste the following command (the bolded text) into the "Open" box, and click OK. When it's finished, there will be a log called Win32kDiag.txt on your desktop. Please attach this log.
    C:\win32kdiag.exe -f -r


    Now we need to reset the permissions that may have been altered by the malware on some files.
    • Download and save Inherit.exe to your Desktop: Inherit.exe
    • It must be in your Desktop or the below fix will not work!
    Now run the C:\MGtools\FixPerm.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).
    • A command prompt window will open and also a license agreement from SysInternals may appear for Junction.
    • Accept the license agreement if it appears and hopefully the scan will begin.
    • Wait until it finishes. It can take a while to run since it scans your whole hard disk. Be patient and don't do anything else while it is scanning.
    • The command prompt window should close when it finishes.
    • While FixPerm.bat is running, you will get several/many popups that have a title Finish and say OK. Just click the OK button each time. This is an indication that it has found a file and has attempted to fix permissions. Depending on how many files that need to be fixed, you could get only a few or many of these popups.
    Now run the below to see if it will help remove McAfee leftovers:

    McAfee Consumer Product Removal Tool


    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).


    Then attach the below logs:
    • the log from Win32kDiag
    • C:\MGlogs.zip
    How are things working now? Note torrent downloader programs steal/waste tons of bandwidth.
     
  4. MartinOz

    MartinOz Private E-2

    Hey chaslang,

    Thanks for your reply.

    I ran through the steps you listed below and added the logs. I didn't download the McAfee cleaner (yet) as I have installed Avast instead of Kaspersky and that had no issues with it.

    I also installed PC Tools Firewall the other day since there hadn't been a reply here yet (not complaining, just thought I'd have to figure it out for myself) and so I went down to the internet cafe and downloaded Avast and the firewall there. That way I could at least block svchost temporarily to disrupt the malware's connection. Not ideal but it's something. I also searched through the MGtools logs that I posted last time and came across one or two files that shouldn't be there and deleted those with killbox (notably Bonjour) but that didn't help much.

    I thought at first that your fix had solved the problem, but I think it's still there. I still get some odd network usage (and it's not from any p2p program or anything like that). It's also nowhere near as persistent as before.. more like an occasional spike but netstat still shows it as a PID which turns out to be svchost.exe. It's a bit harder to be sure now since it doesn't happen all the time anymore but a minute ago it was definitely still there. There was also an instance of svchost.exe using up about 20-30% of the CPU, which I hadn't seen before now. I've since restarted and been running my internet for a bit now (10 minutes or so) and it's still all clean so I'm not sure what to make of that... maybe you can tell by the logs?

    Either way it's much better than it was, at least I don't have to disconnect every two seconds anymore. I really appreciate your help.

    Oh by the way, you mentioned that Fixperm.bat takes a long time to run, but it took only about a minute so I doubt it searches through the whole harddisk... then again I didn't get the license agreement although the scan did run and I get about twenty or so 'finish-ok' dialogs.

    Cheers,
    Martin
     


  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    svchost.exe (if running from the C:\Windows\System32 folder ) is a required and necessary system process that will be seen running anywhere from 3 to n number of times ( n is typically 5 to 7 on most PCs depending on the software being run ).

    Most likely just due to what you are running. Even Windows Update (which was showing as running in your log - wuauclt.exe ) will cause a spike in at least one svchost.exe process.

    What is the below process you are running? It is using a lot of memory.
    C:\Users\acer\Desktop\Join ME\JoinMe.exe

    That's because I forgot to have you download a program named Junction to your PC so that FixPerm.bat could run it to check for malware junctions (aka mountpoints) on your PC. We could still do this but I don't think it is necessary since your logs are clean. It would really only be necessary if you were having a problem getting programs to run.

    You should uninstall your old Sun Java version and update to the current version as requested in the READ & RUN ME.

    I strongly advise you to clean up your Desktop. Remove everything but links to run programs. Do not download and save programs here and definitely do not use it for long term storage. You need to keep ComboFix.exe here for now as we need it, but we will be removing it when we are finished with your cleanup. A cluttered Desktop is malware's playground and it can also cause performance degradation especially when you start saving large files here like you are doing.


    You should delete the below leftover folders from Kaspersky:
    Code:
    C:\Windows\System32\drivers\
    AR-SA         29 Jul 2009              "ar-SA"
    BG-BG         29 Jul 2009              "bg-BG"
    CS-CZ         29 Jul 2009              "cs-CZ"
    DA-DK         29 Jul 2009              "da-DK"
    DE-DE         29 Jul 2009              "de-DE"
    EL-GR         29 Jul 2009              "el-GR"
    ES-ES         29 Jul 2009              "es-ES"
    ET-EE         29 Jul 2009              "et-EE"
    FI-FI         29 Jul 2009              "fi-FI"
    FR-FR         29 Jul 2009              "fr-FR"
    HE-IL         29 Jul 2009              "he-IL"
    HR-HR         29 Jul 2009              "hr-HR"
    HU-HU         29 Jul 2009              "hu-HU"
    IT-IT         29 Jul 2009              "it-IT"
    JA-JP         29 Jul 2009              "ja-JP"
    KO-KR         29 Jul 2009              "ko-KR"
    LT-LT         29 Jul 2009              "lt-LT"
    LV-LV         29 Jul 2009              "lv-LV"
    NB-NO         29 Jul 2009              "nb-NO"
    NL-NL         29 Jul 2009              "nl-NL"
    PL-PL         29 Jul 2009              "pl-PL"
    PT-BR         29 Jul 2009              "pt-BR"
    PT-PT         29 Jul 2009              "pt-PT"
    RO-RO         29 Jul 2009              "ro-RO"
    RU-RU         29 Jul 2009              "ru-RU"
    SK-SK         29 Jul 2009              "sk-SK"
    SL-SI         29 Jul 2009              "sl-SI"
    SR-LAT~1      29 Jul 2009              "sr-Latn-CS"
    SV-SE         29 Jul 2009              "sv-SE"
    TH-TH         29 Jul 2009              "th-TH"
    TR-TR         29 Jul 2009              "tr-TR"
    UK-UA         29 Jul 2009              "uk-UA"
    ZH-CN         29 Jul 2009              "zh-CN"
    ZH-HK         29 Jul 2009              "zh-HK"
    ZH-TW         29 Jul 2009              "zh-TW"


    Also delete all files and subfolders in the below folders except ones from the current date (Windows will not let you delete the files from the current day).
    C:\Windows\temp
    C:\Users\acer\AppData\Local\temp

    Now run Ccleaner. Only use the Run Cleaner button. Do not run anything else on any other forms.

    Now download the current version of MGtools and save it to your root folder. Overwrite your previous MGtools.exe file with this one.

    Run MGtools.exe ( Note: If using Vista make sure UAC is still disabled. Also don't double click on it, use right click and select Run As Administrator )


    Now attach the below log:
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
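As an added example that is not part of this thread or of MGtools, the check behind the two posts above (Martin tracing bandwidth with netstat to a svchost.exe PID, chaslang's point that svchost.exe from System32 legitimately runs several times and hosts services): join `netstat -ano`, `tasklist /svc` and `wmic process get ProcessId,ExecutablePath` output by PID, so each svchost instance with connections is attributed to the services it hosts and flagged if it hosts none or runs outside System32. The three sample outputs, addresses, PIDs and paths are constructed, not from Martin's logs.

```python
import re

# Constructed sample of "netstat -ano" (not taken from the thread's logs).
NETSTAT_SAMPLE = """
  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.0.5:49201      203.0.113.10:80        ESTABLISHED     1044
  TCP    192.168.0.5:49333      198.51.100.7:443       ESTABLISHED     3120
  UDP    0.0.0.0:3702           *:*                                    1044
"""
# Constructed sample of "tasklist /svc": services hosted by each PID.
TASKLIST_SAMPLE = """
Image Name                     PID Services
========================= ======== ============================================
svchost.exe                   1044 BITS, wuauserv
svchost.exe                   3120 N/A
JoinMe.exe                    2288 N/A
"""
# Constructed sample of "wmic process get ProcessId,ExecutablePath".
WMIC_SAMPLE = r"""
ExecutablePath                              ProcessId
C:\Windows\System32\svchost.exe             1044
C:\Users\acer\AppData\Local\Temp\svchost.exe  3120
"""

def parse_netstat(text):
    """Map PID -> list of (proto, foreign address, state) from netstat -ano."""
    conns = {}
    for parts in (l.split() for l in text.splitlines()):
        if len(parts) >= 4 and parts[0] in ("TCP", "UDP"):
            state = parts[3] if parts[0] == "TCP" else ""
            conns.setdefault(int(parts[-1]), []).append((parts[0], parts[2], state))
    return conns

def parse_tasklist(text):
    """Map PID -> (image name, [hosted services]) from tasklist /svc."""
    procs = {}
    for m in (re.match(r"^(\S+\.exe)\s+(\d+)\s+(.*)$", l.strip()) for l in text.splitlines()):
        if m:
            svcs = [] if m.group(3).strip() == "N/A" else [s.strip() for s in m.group(3).split(",")]
            procs[int(m.group(2))] = (m.group(1), svcs)
    return procs

def parse_wmic(text):
    """Map PID -> executable path from the wmic listing."""
    return {int(m.group(2)): m.group(1) for m in
            (re.match(r"^(\S.*?\.exe)\s+(\d+)\s*$", l.strip()) for l in text.splitlines()) if m}

def svchost_report(netstat, tasklist, wmic):
    """For every svchost.exe PID with connections: hosted services, image path, remotes,
    and a 'suspicious' flag when it hosts no service or does not run from System32."""
    procs, paths, report = parse_tasklist(tasklist), parse_wmic(wmic), []
    for pid, conns in parse_netstat(netstat).items():
        image, svcs = procs.get(pid, ("?", []))
        if image.lower() != "svchost.exe":
            continue  # other processes are attributable directly by image name
        path = paths.get(pid, "")
        in_system32 = path.lower() == r"c:\windows\system32\svchost.exe"
        report.append({"pid": pid, "services": svcs, "path": path,
                       "remotes": [c[1] for c in conns],
                       "suspicious": (not svcs) or (not in_system32)})
    return report
```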
