Some help please

Discussion in 'Malware Help (A Specialist Will Reply)' started by 7samurai, Feb 18, 2007.

  1. 7samurai

    7samurai Private E-2

    My computer is full of malware. I've spent the day following the instructions from this guide: http://forums.majorgeeks.com/showthread.php?t=35407.

    It seems to have done some good, but there are still signs of infection. I will include logs from the programs I have run.

    It started with a notice from Windows Security Center (not a Microsoft program..) which turned out to be a fraud. After that a lot of irregularities followed, but most of it is gone now.

    When I start up now these are the messages I get: (I translate the messages from Norwegian Windows, sorry about the language. I try my best...)

    - cannot run samgf.dll: invalid access to memory area

    - from AVG Anti-Spyware: malware found. It's a Downloader.Agent.bcc, located in c:\windows\system32\dczef.dll. Even though I put it in quarantine it pops back up instantly. After a while I also get the same or similar messages but for other files.

    - when executing GetRunKey and ShowNew the command prompt first states: d:\mplay.com cannot be recognized as an internal or external command, executable program or (something I couldn't translate) file.

    - CounterSpy alerts me about a program called 1001.exe trying to start..

    - I get a runtime error from Microsoft Visual C++ Runtime Library. It is apparently some trouble with a program called SBCSSvc.exe from the CounterSpy folder.

    - I have gotten a toolbar in IE that is full of gibberish. Probably a Chinese or Japanese tool. I don't understand anything it says..

    When running through the procedures in the guide I was unable to do the online scan in safe mode. Maybe this has affected the results.

    Attached are the first two logs, as stated in the guide. Couldn't attach a third one...


    I would be very very grateful if some of you guys could give me a hand here!

    7samurai
     

    Attached Files:

  2. 7samurai

    7samurai Private E-2

    Here are two more logs.

    I can't upload the runkeys.txt because it is empty. Nothing was stored in the file after I ran the program...
     

    Attached Files:

  3. 7samurai

    7samurai Private E-2

    Here are two logs from HijackThis. The new one (hijackthisnew) is the one I saved after going through the steps in the malware removal guide. But I also attached an older one, from yesterday. I don't know if it is useful at all...

    I also tried to attach a log from HijackThis after renaming it to analyze. But I got the message that the log has already been attached..


    Phew.. I hope I have done everything correctly now.. At least I have done my very best at following the guide.

    Appreciate any replies!
     

    Attached Files:

  4. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    RunKeys was blank because it was not extracted to the location specified in our tutorial. For that matter neither is ShowNew.

    Extract both GetRunKey and ShowNew to C:\MGTOOLS and run both batch files from that location.

    Attach runkeys.txt and newfiles.txt when done.
     
  5. 7samurai

    7samurai Private E-2

    Oops..

    I've followed your instructions and attached the files. Thanks!
     

    Attached Files:

  6. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    HijackThis is not in the location specified by our tutorial. You have not renamed HijackThis as requested. Move HijackThis to C:\Program Files\HJT\ and rename hijackthis.exe to analyse.exe. Do this now before continuing with my instructions.

    Download
    - Pocket Killbox
    - ExplorerXP

    Empty the Internet Explorer Cache
    Empty the Recycle Bin

    Run CCleaner

    Using Add or Remove Programs in the Control Panel; uninstall the following:
    Install Java Runtime Environment (JRE) 6 available here at Major Geeks.

    Install the current version of Adobe Acrobat Reader from: Adobe Acrobat Reader Download

    Copy the contents of the below quote box to Notepad; Save As FixReg.reg to your Desktop; make sure File Type: is set to All Files (*.*).
    Close Notepad.

    Locate FixReg.reg on your Desktop. Double-click on it and answer 'Yes' when asked if you want to merge with the registry.

    Download and install RegistrarLite. Make sure you select a Majorgeeks download link and not the Authors!

    Run Registrar Lite, navigate to each of the following keys (one at a time) and take ownership of them (explained further down).

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINCOM32\0000
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINCOM32
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_WINCOM32\0000
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_WINCOM32
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_WINCOM32\0000
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_WINCOM32


    To take ownership of the key do the following:
    * Copy & Paste the registry key from above into the Address bar of Registrar Lite and hit the enter key. This will bring you to the registry key.
    * Click on Security in the top Menu
    * Select Take Ownership
    * Repeat these steps for all of the registry keys given above before continuing to the next steps below.
    * Now leave RegistrarLite running and continue
    * Now run the fixME.reg REGISTRY PATCH below in this message.
    * Tell me the results. Any error messages?
    * Now in RegistrarLite click View and then Refresh
    * Now navigate one at a time to each of the above keys we took ownership of to make sure they were deleted.
    * If any of the keys still exist, move on down to PART 2 - Setting Permissions for Everyone below!.

    Registry Patch

    Now copy the bold text below to Notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.
    PART 2 - Setting Permissions for Everyone

    Run the below if some of the registry keys still exist after running the above steps.

    Now I want you to use Registrar Lite again to navigate to each of the below keys (one at a time) by pasting them into the Address Bar and hitting return.
    But this time click the Security menu item and select Edit Permissions so we can change permissions for Everyone (I describe this down below the list of registry keys).
    After clicking Edit Permissions, here is what I expect you to see in the Group or user names area of the form:

    Everyone
    SYSTEM


    Select Everyone by clicking on it. Now at the bottom in the Permissions box click the check box for Full Control. Then click Apply and then OK to get back to the main Registrar Lite screen. Now right-click on the registry key and select Delete. Then click View and Refresh. Check to see if the registry key you just deleted is truly deleted. If so, move on to the next one and work through the whole list. If it does not delete, boot into safe mode and repeat these exact same steps from safe mode. Reboot your PC!

    Run HijackThis, choose "Open the Misc Tools Section", choose "Process Manager", Highlight:
    Choose Kill Process. Click on the "Back" Button. Click the 'Scan' button.

    Place a checkmark in the box next to the following lines:
    Click on the 'Fix checked' button. Wait for HijackThis to finish; close HijackThis.

    Now run Pocket Killbox:

    Choose Tools -> Delete Temp Files and click Delete Selected Temp Files
    Then after it deletes the files click the Exit (Save Settings) button.

    NOTE: Pocket Killbox will only list the added files it is able to find on the system. So when you do the below, if some files do not show in the list after pasting them in, just continue..

    Select:
    • Delete on Reboot
    • then Click on the All Files button.
    • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):
    • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
    • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).
    If Killbox does not reboot or you get a Pending Operations type error message just reboot your PC yourself.

    Now boot into SAFE MODE

    Open ExplorerXP, navigate to and DELETE the following: (Some of these may have already been deleted by Pocket Killbox)
    Now run CCleaner.

    Then, as an added precaution, Go to Start -> Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:

    Temporary Files
    Temporary Internet Files
    Recycle Bin


    And Click OK.

    REBOOT to Normal Mode.

    Follow the directions for the Virtumonde aka Trojan Vundo Removal procedure.

    Post the following logs:
    1. Log from VundoFix
    2. ShowNew
    3. GetRunKey
    4. HijackThis

    Make sure to tell me how things are working.
     
  7. 7samurai

    7samurai Private E-2

    Thanks for all the help! But unfortunately, it hasn't done much.. The problem is still there. I've attached the logs you wanted. I think a problem was that I used the computer while waiting for your reply, making it possible for new malware programs to spawn. I think the best thing is for me to start over with the scanning process and give you new up-to-date logs.

    I'll start the whole process again now. So in a later mail I will post new logs. Then I'll await your reply and follow that one, without doing anything else. Hopefully, you'll give me another chance and look through the logs and make recommendations once over...

    Cheers
     

    Attached Files:

  8. 7samurai

    7samurai Private E-2

    old hjt-log
     

    Attached Files:

  9. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Copy the contents of the below quote box to Notepad; Save As FixReg.reg to your Desktop; make sure File Type: is set to All Files (*.*).
    Close Notepad.

    Locate FixReg.reg on your Desktop. Double-click on it and answer 'Yes' when asked if you want to merge with the registry.

    Run HijackThis, choose "Open the Misc Tools Section", choose "Process Manager", Highlight:
    Choose Kill Process. Click on the "Back" Button. Click the 'Scan' button.

    Place a checkmark in the box next to the following lines:
    Click on the 'Fix checked' button. Wait for HijackThis to finish; close HijackThis.

    Now run Pocket Killbox:

    Choose Tools -> Delete Temp Files and click Delete Selected Temp Files
    Then after it deletes the files click the Exit (Save Settings) button.

    NOTE: Pocket Killbox will only list the added files it is able to find on the system. So when you do the below, if some files do not show in the list after pasting them in, just continue..

    Select:
    • Delete on Reboot
    • then Click on the All Files button.
    • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):
    • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
    • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).
    If Killbox does not reboot or you get a Pending Operations type error message just reboot your PC yourself.

    Now boot into SAFE MODE

    Open ExplorerXP, navigate to and DELETE the following: (Some of these may have already been deleted by Pocket Killbox)
    Now run CCleaner. If you have Windows XP delete the contents of C:\WINDOWS\Prefetch.

    Then, as an added precaution, Go to Start -> Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:

    Temporary Files
    Temporary Internet Files
    Recycle Bin


    And Click OK.

    REBOOT to Normal Mode.

    Post the following logs:
    ShowNew
    GetRunKey
    HijackThis
     
  10. 7samurai

    7samurai Private E-2

    Thanks!

    I've just completed the instructions and so far it seems that my computer is feeling a lot better! A few setbacks came at the startup and right afterwards; I've listed them below. For the first time in weeks my home page in IE does not go back to a Chinese page after startup!


    Here is how the process went:
    When trying to delete the two processes msie.exe in HijackThis, I get the message: The selected process could not be killed. It may be protected by Windows.

    Still in HJT: Some of the processes I was supposed to place a checkmark at could not be found.

    I got a pending operations notice from Killbox.


    At startup I get these messages (I assume that I have deleted some files that have come up as false positives in a virus scan or something):

    error loading c:\windows\system32\samgf.dll invalid access to memory area

    error loading c:\windows\system32\rolnf.dll the requested module cannot be found

    In addition I can't open partition D in My Computer, but instead I have to go through Windows Explorer.

    Do you know how to fix this?

    I also got this trojan warning from Avast antivirus:
    C:\WINDOWS\system32\drivers\vcbxvwh.sys
    What do I do with it?


    I've attached log files. Hope you can't find any signs of malware there..

    Thanks again!
     

    Attached Files:

  11. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Copy the contents of the below quote box to Notepad; Save As FixReg.reg to your Desktop; make sure File Type: is set to All Files (*.*).
    Close Notepad.

    Locate FixReg.reg on your Desktop. Double-click on it and answer 'Yes' when asked if you want to merge with the registry.

    Click on Start, then Run ... type services.msc into the box that opens up, and press 'OK'.

    On the page that opens, scroll down to Norman API-hooking helper or NipSvc (Whichever is present) ... right click the entry, select 'Properties' and press 'Stop Service'. When it shows that it is stopped, next please set the 'Start-up Type' to 'Disabled'. Press 'OK' until you get back to Windows.

    Next, run HJT, but instead of scanning, click on the 'None of the above, just start the program' button at the bottom of the choices. At the lower right, click on the 'Config' button, and then the 'Misc tools' button ... select 'Delete an NT Service' ... copy/paste the following into the box that opens, and press 'OK':

    Norman API-hooking helper or NipSvc (Whichever you found above)

    Run HijackThis. Click the 'Do a system scan only' button. Place a checkmark in the box next to the following lines:
    Click on the 'Fix checked' button. Wait for HijackThis to finish; close HijackThis.

    Now run Pocket Killbox:

    Choose Tools -> Delete Temp Files and click Delete Selected Temp Files
    Then after it deletes the files click the Exit (Save Settings) button.

    NOTE: Pocket Killbox will only list the added files it is able to find on the system. So when you do the below, if some files do not show in the list after pasting them in, just continue..

    Select:
    • Delete on Reboot
    • then Click on the All Files button.
    • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):
    • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
    • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).
    If Killbox does not reboot or you get a Pending Operations type error message just reboot your PC yourself.

    Now boot into SAFE MODE

    Open ExplorerXP, navigate to and DELETE the following: (Some of these may have already been deleted by Pocket Killbox)
    Now run CCleaner. If you have Windows XP delete the contents of C:\WINDOWS\Prefetch.

    Then, as an added precaution, Go to Start -> Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:

    Temporary Files
    Temporary Internet Files
    Recycle Bin


    And Click OK.

    REBOOT to Normal Mode.

    Download new copies of ShowNew and GetRunKey

    Post fresh logs for the following:
    ShowNew
    GetRunKey
    HijackThis
     
  12. 7samurai

    7samurai Private E-2

    OK, I've followed your instructions.

    Couldn't find this one in HJT: O23 - Service: Norman API-hooking helper (NipSvc) - Unknown owner - C:\Programfiler\norman\Nvc\BIN\nipsvc.exe


    This time i did not get a pending operations message from killbox.

    Attaching the logs

    Thanks
     

    Attached Files:

  13. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Copy the contents of the below quote box to Notepad; Save As FixReg.reg to your Desktop; make sure File Type: is set to All Files (*.*).
    Close Notepad.

    Locate FixReg.reg on your Desktop. Double-click on it and answer 'Yes' when asked if you want to merge with the registry.

    Run HijackThis. Click the 'Do a system scan only' button. Place a checkmark in the box next to the following lines:
    Click on the 'Fix checked' button. Wait for HijackThis to finish; close HijackThis.

    Reboot

    Post fresh logs for the following:

    ShowNew
    GetRunKey
    HijackThis
     
  14. 7samurai

    7samurai Private E-2

    Thanks!

    Couldn't find O20 - Winlogon Notify: cryptimg - cryptimg.dll (file missing) in HJT

    I've attached the logs
     

    Attached Files:

  15. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Copy the contents of the below quote box to Notepad; Save As FixReg.reg to your Desktop; make sure File Type: is set to All Files (*.*).
    Close Notepad.

    Locate FixReg.reg on your Desktop. Double-click on it and answer 'Yes' when asked if you want to merge with the registry.

    Reboot

    Follow the directions for Using Sophos Anti-Rootkit.

    Post the following logs:
    Sophos Anti-RootKit
    ShowNew
    GetRunKey
    HijackThis
     
  16. 7samurai

    7samurai Private E-2

    OK

    When I run HJT, Avast antivirus reports having found a virus: C:\WINDOWS\system32\drivers\vcbxvwh.sys
     

    Attached Files:

  17. 7samurai

    7samurai Private E-2

    runkeys
     

    Attached Files:

  18. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    The below leads me to believe that a RootKit is active on your computer.

    The following in HKLM Uninstall Programs list
    "DisplayName"=" "
    "DisplayName"="???"
    "DisplayName"="a0d9ca90"

    Avast finding C:\WINDOWS\system32\drivers\vcbxvwh.sys when nothing else does.

    These won't delete in HJT
    O2 - BHO: (no name) - {4ac5609b-75db-412f-8b0d-4e03f37a8dbf} - C:\WINDOWS\system32\412fcfsb.dll (file missing)
    O20 - Winlogon Notify: cryptimg - cryptimg.dll (file missing)

    Sophos Anti-Rootkit fails to run.

    ShowNew and GetRunKey show nothing of interest.

    Download GMER
    1. Save the GMER.zip file to your desktop
    2. Now unzip it to your desktop to reveal a GMER.exe file
    3. Double click the GMER.exe file
    4. Click the Rootkit tab and then click the Scan button.
    5. IMPORTANT: Do NOT use the computer while the scan is in progress.
    6. Do not select the "Show all" checkbox during the scan.
    7. When it finishes, click the Copy button. This will copy the results to your clipboard.
    8. Paste the clipboard into a notepad file and save it to a log (like gmer.log).
    9. Attach your log to your next reply.
    If you don't know how to open notepad, click Start, Run, and enter notepad and click OK. To paste the info you copied into notepad, just hit CTRL-V. Then save the log.
     
  19. 7samurai

    7samurai Private E-2

    Ok, the log is attached
     

    Attached Files:

  20. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Run GMER and scan for rootkits.

    Right-Click on the following items and delete them:
    ---- System - GMER 1.0.12 ----

    SSDT vcbxvwh.sys ZwCreateFile
    SSDT vcbxvwh.sys ZwLoadDriver

    ---- Kernel code sections - GMER 1.0.12 ----

    ? C:\WINDOWS\system32\drivers\vcbxvwh.sys Ingen tilgang.
    .text roln_f.sys F7884300 61 Bytes [ 00, 00, 00, 00, 00, 00, 00, ... ]
    .text roln_f.sys F788433E 9 Bytes [ 00, 00, 00, 00, 00, 00, 00, ... ]
    .text roln_f.sys F7884348 10 Bytes [ 00, 00, 00, 00, 00, 00, 00, ... ]
    .text roln_f.sys F7884353 41 Bytes [ 00, 00, 00, 00, 00, 00, 00, ... ]
    .text roln_f.sys F788437D 50 Bytes [ 00, 00, 00, 00, 00, 00, 00, ... ]
    ? C:\WINDOWS\system32\drivers\pjems.sys Prosessen får ikke tilgang til filen fordi den brukes av en annen prosess.
    ? System32\Drivers\a6tt07w6.SYS Systemet finner ikke angitt fil.

    ---- Devices - GMER 1.0.12 ----

    Device \FileSystem\Ntfs \Ntfs IRP_MJ_CREATE [F78858C0] roln_f.sys



    Reboot to Safe Mode

    Run Pocket Killbox:
    Choose Tools -> Delete Temp Files and click Delete Selected Temp Files
    Then after it deletes the files click the Exit (Save Settings) button.

    NOTE: Pocket Killbox will only list the added files it is able to find on the system. So when you do the below, if some files do not show in the list after pasting them in, just continue..

    Select:
    • Delete on Reboot
    • then Click on the All Files button.
    • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):
    • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
    • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).
    If Killbox does not reboot or you get a Pending Operations type error message just reboot your PC yourself.

    Attach the following logs:
    Sophos Anti-RootKit
    ShowNew
    GetRunKey
    HijackThis
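    To show why the GMER output quoted above points at a rootkit (the same SSDT and file-system hooks that explain why vcbxvwh.sys was seen only by Avast and could not be removed), here is a small triage script written for this edit. It is not part of the thread, GMER or any MajorGeeks tool; it parses the GMER 1.0.12 lines as posted (re-typed as a constructed sample) and the risk weights are an assumption.

```python
import re
from collections import defaultdict

# Constructed sample: the GMER 1.0.12 output quoted in the thread, re-typed here;
# the trailing text is Windows' own (Norwegian) error text and is kept as logged.
SAMPLE_LOG = r"""---- System - GMER 1.0.12 ----

SSDT vcbxvwh.sys ZwCreateFile
SSDT vcbxvwh.sys ZwLoadDriver

---- Kernel code sections - GMER 1.0.12 ----

? C:\WINDOWS\system32\drivers\vcbxvwh.sys Ingen tilgang.
.text roln_f.sys F7884300 61 Bytes [ 00, 00, 00, 00, 00, 00, 00, ... ]
.text roln_f.sys F788433E 9 Bytes [ 00, 00, 00, 00, 00, 00, 00, ... ]
? C:\WINDOWS\system32\drivers\pjems.sys Prosessen får ikke tilgang til filen fordi den brukes av en annen prosess.
? System32\Drivers\a6tt07w6.SYS Systemet finner ikke angitt fil.

---- Devices - GMER 1.0.12 ----

Device \FileSystem\Ntfs \Ntfs IRP_MJ_CREATE [F78858C0] roln_f.sys
"""

SECTION_RE = re.compile(r"^---- .+? - GMER [\d.]+ ----$")
SSDT_RE = re.compile(r"^SSDT\s+(?P<module>\S+)\s+(?P<func>\w+)$")
PATCH_RE = re.compile(r"^\.text\s+(?P<module>\S+)\s+(?P<addr>[0-9A-F]+)\s+(?P<n>\d+) Bytes")
UNREADABLE_RE = re.compile(r"^\?\s+(?P<path>\S+)\s+(?P<msg>.+)$")
DEVICE_RE = re.compile(
    r"^Device\s+(?P<device>\S+)\s+\S+\s+(?P<irp>IRP_MJ_\w+)\s+\[[0-9A-F]+\]\s+(?P<module>\S+)$")

# Assumed weights: hooks on the calls a rootkit needs to hide files and block driver
# loading or deletion count most; patched kernel code and an unreadable file corroborate.
HIGH_RISK_SSDT = {"ZwCreateFile", "ZwOpenFile", "ZwQueryDirectoryFile", "ZwLoadDriver"}
WEIGHTS = {"ssdt_hook": 1, "ssdt_hook_high": 3, "irp_hook": 3, "code_patch": 1, "unreadable_file": 1}


def parse_gmer(text):
    """Group GMER findings by driver file name: {module: [(kind, detail), ...]}."""
    findings = defaultdict(list)
    for raw in text.splitlines():
        line = raw.strip()
        if not line or SECTION_RE.match(line):
            continue
        if m := SSDT_RE.match(line):
            findings[m["module"].lower()].append(("ssdt_hook", m["func"]))
        elif m := DEVICE_RE.match(line):
            findings[m["module"].lower()].append(("irp_hook", f"{m['device']} {m['irp']}"))
        elif m := PATCH_RE.match(line):
            findings[m["module"].lower()].append(("code_patch", f"{m['addr']} {m['n']} bytes"))
        elif m := UNREADABLE_RE.match(line):
            name = m["path"].rsplit("\\", 1)[-1].lower()  # file name only, case-folded
            findings[name].append(("unreadable_file", m["msg"]))
    return dict(findings)


def triage(findings, threshold=3):
    """Score each module; at or above the threshold it is reported as a rootkit candidate."""
    report = {}
    for module, items in findings.items():
        score, reasons = 0, []
        for kind, detail in items:
            key = "ssdt_hook_high" if kind == "ssdt_hook" and detail in HIGH_RISK_SSDT else kind
            score += WEIGHTS[key]
            reasons.append(f"{kind}: {detail}")
        verdict = "rootkit_candidate" if score >= threshold else "review"
        report[module] = {"score": score, "verdict": verdict, "reasons": reasons}
    return report


if __name__ == "__main__":
    for module, r in triage(parse_gmer(SAMPLE_LOG)).items():
        print(module, r["verdict"], r["score"], *r["reasons"], sep="\n  ")
```

    On the sample, vcbxvwh.sys (two high-risk SSDT hooks plus an unreadable file on disk) and roln_f.sys (patched kernel code plus the Ntfs IRP_MJ_CREATE hook) come out as candidates, while pjems.sys and a6tt07w6.SYS are only flagged for review.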
     
