System Security Malware

Discussion in 'Malware Help (A Specialist Will Reply)' started by Greggp, Aug 1, 2009.

  1. Greggp

    Greggp Private E-2

    System Security and Windows Antivirus Pro Malware Infected

    My son called me at work to tell me our computer was infected. I told him to leave the computer as is, not to touch another key.
    When I came home the computer had turned itself off and it had “system security” and “windows antivirus pro” loaded. A2 Hijackthis, Spybot, Superantivirus spyware, and Malwarebytes icons are disabled. Kohymj.exe is also on my computer in the root directory and I don’t recognize this program.

System is running with 26-37% CPU usage in normal startup mode, and all programs will highlight but no program will start when clicked (yes, including Notepad). CPU usage is virtually 0 in safe mode; some programs will run, others will not.

    Read & Run Me First results:
    Step 1: done monthly … spybot, super antispyware, malwarebytes run (in that order)
Step 2: I run only AVG and Windows firewall.
    Step 3: Can not open Add/Remove Programs. Icon will highlight but not start.
    Can not open house cleaning programs to empty folders
    Recycle bins empty
I don't use Norton; shortcut to AVG is missing, AVG executable is now gone.
Ran portable CCleaner in safe mode on all user accounts from a jumpdrive.
CCleaner still will not run in normal mode, from the C drive or from the jumpdrive.
    Step 4-0: I can enable viewing of hidden files on my uninfected laptop, but “folder options” is missing from infected desktop; therefore, I can not set to view hidden folders.
    Start-run-msconfig displays error message stating it does not find program. I can not confirm system is running in normal startup mode. This is also true in safe mode.
Step 4-1: Uninstall malware via Add/Remove Programs not possible. Add/Remove will highlight but not start program.

    Step 5: 64 bit XP Cleaning attempts:
    As stated above, tried to run programs in normal mode, No program will attempt to start. In safe mode, I can open the Control Panel, but can only open “scheduled tasks”, “scanners & cameras” “printers and faxes” network connections, fonts, admin tools, but not start any other program. I do have access to Notepad in safe mode.
    Attempting to follow “read & run me first directions” …The following results:
    CCleaner would not run from install. Ran CCleaner on all accounts in safe mode from jump drive.

    MGtools. Like other programs will not attempt to run in normal mode.
    MG tools ran in safe mode only, but with the following crash:

    Started and ran …but Got to the point where
    “updating: newfiles.txt <188 bytes scurity> deflating 78%”
    “The C;\MGTools\temp\GRKflag.txt exists. Deleting it!”
    “Zipping hijackthis.log”
    updating: hijacthis.log <188 bytes security> <deflated 61%>
    Then a windows error message: ProcessDll.exe – Application Error.
    The application failed to initialize properly (0xc0000135). Click on OK to terminate the application.
    The log file is unchanged since Dec 2008

SuperAntiSpyware icon disabled. Reload of new software download results in apparent install, followed by the program closing immediately.

Malwarebytes icon was disabled. Reload of new software download results in apparent install, followed by the program closing immediately.

Combofix missing from program files, did not attempt to install again.
Running XP64, therefore did not run RootRepeal.

    Obviously my limited ability to run programs is a limiting factor here ...until I can circumvent the initial startup issues that don't allow me to run programs.

    -Thanks
    -GreggP



    admin edit: As mentioned in your signup email, if you have malware issues please run the guide and attach the logs as described in this thread READ & RUN ME FIRST. Malware Removal Guide many thanks.
     
    Last edited by a moderator: Aug 1, 2009
  2. Greggp

    Greggp Private E-2

    I have used MajorGeeks malware directions and easily solved problems with my systems and on friends systems for a number of years without needing to ask for assistance.

    Regarding your request for logs:
    SAS - Can not access uninstall or install ver 4.0.0 from safe mode, and can not access any program from normal mode – meaning uninstall & install functions are both blocked in normal mode; therefore, I can not load ver 4.27.0. Version 4.0.0.1154 is currently loaded on this computer, but it does not run in normal mode, it also does not run in safe mode. Since SAS does not run in normal or safe mode, no log is generated. SASlog.txt does not exist on my computer, thus no log to post.

Malwarebytes – Can not install or run this in normal mode. I can install in safe mode. Update was found and installed manually. Restarted MB, and confirmed software was updated. Upon clicking “scan”, the entire MB screen disappears. MB is gone from task manager applications and processes. Can not reopen MB from desktop, from program list, or from its folder. Can only open MB if I reload it again, only to see it disappear as soon as I click “scan”. No log generated, no log to post.

    ComboFix – this time Combofix loaded in safe mode (it didn't last time), it restarted in normal mode. Log is now generated.
    Combofix rebooted system.
    RootRepeal not attempted as system is a 64 bit version of windows.

    Malwarebytes does not run in normal mode. ...But now could run MB in safe mode, updated database and MB now runs. Log generated.

    System rebooted in normal mode. Uninstall now works. Uninstalled SAS. SAS does not install and run. SASlog.txt does not exist yet as I can not run it. System tells me "Windows can not access the specified device, path, or file. You may not have appropriate permissions to access the item."

    MGTools loads and runs in normal mode. MGlogs zipped.

    Attachments:
    SASlog.txt doesn't exist - not attached
    Combofixlog.txt attached
    MBamlog.txt attached
    RootRepeal log doesn't exist- not attached
    MGlogs.zip attached


    Still have trouble. Some programs will not run (i.e. SAS and Spybot) because windows thinks I don't have permission, but I am the Admin.

    We are almost there, just this permission thing remains.

    GreggP
     

    Attached Files:

  3. Greggp

    Greggp Private E-2

I have found a couple of things in the past day. The permission restriction stopping me from running or updating SuperAntiSpyware and Spybot was due to the malware holding files open so they become "read only" files. They can not be deleted nor overwritten. Since these programs need full access to these files, the programs don't run.

After installing SAS and Spybot into a directory with a unique name (by changing the installer's default directory name), the programs would load and run (normal Windows mode).

    My computer now works again. Thanks MajorGeeks!!
    While my computer seems to be working correctly, I'm sure there are things in the log that should be addressed. Feedback would be appreciated.

    final log necessary to complete the MG requested info:
    SASlog.txt now attached

    -Gregg
     

    Attached Files:

  4. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    We have numerous items to remove, unless SAS already removed them as I am not sure you did the scans in the proper order. Plus you are using a very old version of MGTools.

    So let's see where we stand.

    Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

    * Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
    If it is not on your Desktop, the below will not work.
    * Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    * If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
    * Open Notepad and copy/paste the text in the below code box into it (make sure you scroll all the way down in the code box to get all lines selected ):
    Code:
    KILLALL::
    
    Driver::
    9886bd26
    
    File::
    C:\WINDOWS\apeqaxuwi.dll
    C:\WINDOWS\elayemuyosamav.dll
    C:\WINDOWS\ilikepeqe.dll
    C:\WINDOWS\oqulapey.dll
    C:\WINDOWS\osotodigipa.dll
    C:\WINDOWS\alijuxuges.dll
    C:\-657938811
    C:\bjuqgmay.exe  
    C:\kohymj.exe    
    C:\nrxgrws.exe
    C:\xaaxfvkc.exe
    C:\xmwrs.exe 
    C:\Documents and Settings\Gregg\Local Settings\temp\2205115700.exe
    C:\Documents and Settings\Gregg\Local Settings\temp\4068073556.exe
    c:\windows\is-8VCKV.exe
    C:\WINDOWS\system32\drivers\9886bd26.sys
    c:\windows\oqulapey.dll
    c:\windows\okejoxucemu.dll
    c:\windows\afahagiq.dll
    c:\windows\Axumubasebiweyif.dat
    c:\windows\system32\bincd32.dat
    c:\windows\system32\sysnet.dat
    c:\windows\ppp4.dat
    c:\windows\ppp3.dat
    C:\nrxgrws.exe
    c:\windows\svchast.exe
    c:\windows\system32\desot.exe
    c:\windows\system32\dddesot.dll
    c:\windows\system32\ghaf8jkdfd.dll
    C:\WINDOWS\system32\bincd32.dat
    C:\WINDOWS\system32\sysnet.dat
    C:\WINDOWS\system32\dddesot.dll
    
    Folder::
    C:\-657938811
    c:\program files\Windows Antivirus Pro
    
    Registry::
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentVersion\Run]
    "10675464"=-
    "Ukovasibidukemug"=-
    
    [HKEY_LOCAL_MACHINE\software\Microsoft\windows\currentversion\Explorer\sharedtaskscheduler]
    "{A36D2A01-00F3-42BD-F434-00BBC39C8953}"=-
    
    * Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    * At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    * You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
If it asks you to override the previous file with the same name, click YES.
    * Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
    * Follow the prompts.
    * When it finishes, a log will be produced named c:\combofix.txt
    * I will ask for this log below

    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    Now download the current version of MGtools and save it to your root folder. Overwrite your previous MGtools.exe file with this one.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:

    * C:\ComboFix.txt
    * C:\MGlogs.zip
     
  5. Greggp

    Greggp Private E-2

    Tim.
    Thanks for the instructions.
    I can pretty much guarantee I didn't run the scans in the proper order the first time. It took me over a day before I could run some of them, and I ran them in the only order they would run.

    Your directions were easy to follow and everything went smoothly.

    Thanks for the help.

    GreggP
     

    Attached Files:

  6. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Why are you running such an outdated version of MGTools? Download the current version of MGtools and save it to your root folder. Overwrite your previous MGtools.exe file with this one.

    You still have TeaTimer running which we asked you to disable in the Read and Run instructions.
    * Run Spybot and click Mode
    * Select Advanced Mode.
    * Then click Tools and select Resident.
    * Now in the right window pane, uncheck TeaTimer.
    * Also while this is open, in the left column now select IE Tweaks
    * and then in the right pane make sure all the Miscellaneous locks are unchecked.
    * Now quit Spybot!

    Run this: Disable/Remove Windows Messenger to remove Windows Messenger. Do not confuse Windows Messenger with MSN Messenger because they are not the same. Windows Messenger is a frequent cause of popups.

You are using an old version of AVG which is no longer supported! You will need to uninstall it and download and install either AVG8 or something else.

You also did not update your Java as requested.
Please use add/remove programs to uninstall:
J2SE Runtime Environment 5.0 Update 10
J2SE Runtime Environment 5.0 Update 8
Java 2 Runtime Environment Standard Edition v1.3
Java 2 Runtime Environment, SE v1.4.0_01
Java Web Start
Java(TM) 6 Update 3

    You also did not set msconfig to normal start up. Do that now.

    What is this:
    C:\AA

    You have malware that shows as being created in March of 2008 on top of the malware that has just spawned.
    Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished) --this includes TeaTimer:

    * Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
    If it is not on your Desktop, the below will not work.
    * Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    * If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
    * Open Notepad and copy/paste the text in the below code box into it (make sure you scroll all the way down in the code box to get all lines selected ):
    Code:
    KILLALL::
    
    RenV::
    C:\Documents and Settings\Nicholas\My Documents\Computer\PopUp Blocker\SmartPopupBlocker101 OLD .exe
    
    File::
    c:\windows\axahavon.dll
    c:\windows\eripeyamoledu.dll
    c:\windows\orayesubaseb.dll
    c:\windows\obuzuzeqijiw.dll
    c:\windows\izunufuqo.dll
    c:\windows\ehilazexizuxaw.dll
    c:\windows\iropecejoxodo.dll
    C:\WINDOWS\kjberup.exe
    C:\PROGRA~1\MYWEBS~1
    C:\WINDOWS\764.exe
    C:\WINDOWS\7search.dll
    C:\WINDOWS\adbar.dll
    C:\WINDOWS\absolute key logger.lnk
C:\WINDOWS\aconti.exe
    C:\WINDOWS\aconti.ini   
    C:\WINDOWS\aconti.log   
    C:\WINDOWS\aconti.sdb   
    C:\WINDOWS\acontidialer.txt
    C:\WINDOWS\daxtime.dll
    C:\WINDOWS\dp0.dll     
    C:\WINDOWS\eventlowg.dll
    C:\WINDOWS\fhfmm-Uninstaller.exe
    C:\WINDOWS\fhfmm.exe     
    C:\WINDOWS\flt.dll       
    C:\WINDOWS\hcwprn.exe    
    C:\WINDOWS\hotporn.exe  
    C:\WINDOWS\iexplorr23.dll
    C:\WINDOWS\ie_32.exe     
C:\WINDOWS\d2002.dll
    C:\WINDOWS\kkcomp$.exe  
    C:\WINDOWS\kkcomp.dll    
    C:\WINDOWS\kkcomp.exe    
    C:\WINDOWS\kvnab$.exe    
    C:\WINDOWS\kvnab.dll     
    C:\WINDOWS\kvnab.exe     
    C:\WINDOWS\liqad$.exe    
    C:\WINDOWS\liqad.dll   
    C:\WINDOWS\liqad.exe    
    C:\WINDOWS\liqui-Uninstaller.exe
    C:\WINDOWS\liqui.dll     
    C:\WINDOWS\liqui.exe    
    C:\WINDOWS\ngd.dll
    C:\WINDOWS\pbar.dll
    C:\WINDOWS\pbsysie.dll   
    C:\WINDOWS\SchedLgU.Txt
    C:\WINDOWS\settn.dll     
    C:\WINDOWS\setupact.log
    C:\WINDOWS\setupapi.log  
    C:\WINDOWS\spredirect.dll
    C:\WINDOWS\vxddsk.exe
    C:\WINDOWS\wbecheck.exe  
    C:\WINDOWS\wbeinst$.exe  
    C:\WINDOWS\wiadebug.log 
    C:\WINDOWS\wiaservc.log  
    C:\WINDOWS\xadbrk.dll
    C:\WINDOWS\xadbrk.exe   
    C:\WINDOWS\xadbrk_.exe   
    C:\WINDOWS\xxxvideo.exe  
    C:\WINDOWS\wml.exe
    C:\WINDOWS\SYSTEM32\ace16win.dll
    C:\WINDOWS\SYSTEM32\ACESPY 
    C:\WINDOWS\SYSTEM32\000070.exe   
    C:\WINDOWS\SYSTEM32\eshopee.exe  
    C:\WINDOWS\SYSTEM32\mgmrwmrv.exe  
    C:\WINDOWS\SYSTEM32\msole32.exe   
    C:\WINDOWS\SYSTEM32\vxddsk.exe   
    C:\WINDOWS\SYSTEM32\wml.exe      
    C:\WINDOWS\TEMP\rgi2.tmp      
    C:\WINDOWS\TEMP\rgi2a.tmp 
    
    Folder::
    C:\Program Files\WildTangent
    C:\WINDOWS\SYSTEM32\ACESPY
    
    Registry::
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\hoadgbw]
    
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\MyWebSearch Email Plugin]
    
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\WildTangent CDA]
    
    * Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    * At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    * You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
If it asks you to override the previous file with the same name, click YES.
    * Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
    * Follow the prompts.
    * When it finishes, a log will be produced named c:\combofix.txt
    * I will ask for this log below

    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    Now clean out everything you can in this folder:
    C:\Documents and Settings\Nicholas\Local Settings\Temp\

    Now run Ccleaner to clean out only temp files and nothing else!

    Now download and install:
    Java Runtime 6

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:

    * C:\ComboFix.txt
    * C:\MGlogs.zip

    Make sure you tell me how things are working now!
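Added example (not from this thread and not ComboFix's own code): a small Python parser for the CFScript format used in the two scripts above, plus a read-only inventory that reports which of the listed file and folder paths still exist on a host. It assumes only the layout visible in those scripts (a `Name::` header followed by one entry per line; `[-KEY]` removes a whole key and `"name"=-` removes a value, as in .reg syntax), and it uses a shortened, constructed copy of the first script as sample input. The function names `parse_cfscript`, `registry_entries`, `listed_paths`, `duplicate_paths` and `inventory` are chosen here.

```python
"""Parse a ComboFix CFScript and inventory the artifacts it names.

Added example for this thread (not ComboFix's own code). Read-only: it parses
the script and reports; it never deletes files, folders or registry entries.
"""
import os
import re
from typing import Callable, Dict, List, Tuple

# Constructed sample: a shortened copy of the first CFScript posted above,
# with C:\-657938811 listed under both File:: and Folder:: as in the original.
SAMPLE_CFSCRIPT = r"""
KILLALL::

Driver::
9886bd26

File::
C:\WINDOWS\apeqaxuwi.dll
C:\kohymj.exe
C:\-657938811
C:\WINDOWS\system32\drivers\9886bd26.sys

Folder::
C:\-657938811
c:\program files\Windows Antivirus Pro

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentVersion\Run]
"10675464"=-
"Ukovasibidukemug"=-
"""

SECTION_RE = re.compile(r"^([A-Za-z]+)::$")   # e.g. File::, KILLALL::
VALUE_RE = re.compile(r'^"([^"]*)"=(.*)$')     # e.g. "10675464"=-


def parse_cfscript(text: str) -> Dict[str, List[str]]:
    """Split a CFScript into its 'Name::' sections.

    Blank lines and surrounding whitespace (typical of scripts copied from a
    forum post) are ignored. Bare directives such as KILLALL:: map to an
    empty list; an entry before the first header is an error.
    """
    sections: Dict[str, List[str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        header = SECTION_RE.match(line)
        if header:
            current = header.group(1)
            sections.setdefault(current, [])
        elif current is None:
            raise ValueError(f"entry before any section header: {line!r}")
        else:
            sections[current].append(line)
    return sections


def registry_entries(lines: List[str]) -> List[Tuple[str, bool, List[Tuple[str, str]]]]:
    """Group Registry:: lines into (key, delete_whole_key, [(name, value), ...]).

    Follows .reg syntax as used in the scripts above: a key written [-KEY]
    removes the whole key, and a value written "name"=- removes that value.
    """
    entries: List[Tuple[str, bool, List[Tuple[str, str]]]] = []
    for line in lines:
        if line.startswith("[") and line.endswith("]"):
            body = line[1:-1]
            entries.append((body.lstrip("-"), body.startswith("-"), []))
            continue
        value = VALUE_RE.match(line)
        if not value or not entries:
            raise ValueError(f"unexpected Registry:: line: {line!r}")
        entries[-1][2].append((value.group(1), value.group(2)))
    return entries


def listed_paths(sections: Dict[str, List[str]]) -> List[str]:
    """Every path named under File:: or Folder::, in script order."""
    return sections.get("File", []) + sections.get("Folder", [])


def duplicate_paths(sections: Dict[str, List[str]]) -> List[str]:
    """Paths the script lists more than once (Windows paths compare case-insensitively)."""
    seen, dups = set(), []
    for path in listed_paths(sections):
        key = path.lower()
        if key in seen and key not in dups:
            dups.append(key)
        seen.add(key)
    return dups


def inventory(sections: Dict[str, List[str]],
              exists: Callable[[str], bool] = os.path.exists) -> Dict[str, List[str]]:
    """Report which listed paths are present on this host.

    `exists` is injectable so the check can be exercised off-box; the default
    asks the local filesystem and is only meaningful on the affected machine.
    """
    report: Dict[str, List[str]] = {"present": [], "absent": []}
    for path in listed_paths(sections):
        report["present" if exists(path) else "absent"].append(path)
    return report


if __name__ == "__main__":
    parsed = parse_cfscript(SAMPLE_CFSCRIPT)
    for name, entries in parsed.items():
        print(f"{name}:: {len(entries)} entries")
    for key, whole, values in registry_entries(parsed.get("Registry", [])):
        print(("delete key " if whole else "edit key ") + key, values)
    print("duplicates:", duplicate_paths(parsed))
    print("still present:", inventory(parsed)["present"])
```

Run it on the affected Windows machine after ComboFix has finished to confirm that nothing the script named is still on disk; it removes nothing itself. It also flags paths a script lists twice (the first script above repeats C:\nrxgrws.exe and the bincd32.dat / sysnet.dat pairs that differ only in case), which ComboFix tolerates but which is worth noticing when assembling a script by hand.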
     
  7. Greggp

    Greggp Private E-2

    Hello Tim,
    -Download the current version of MGtools & overwrite your previous file.
    ** DONE
    -Spybot directions
**DONE. TeaTimer was noticed and disabled before your reply, but shouldn't have been downloaded at all.

    -Remove Windows Messenger
    ** DONE
    -Disable protection software.
    **Old version of AVG uninstalled. Windows security center still thinks it is there and still reports it is working! Why??

    -update your Java as requested
**Uninstalled Java and now running Java 6 Update 15.

    -You also did not set msconfig to normal start up. Do that now.
    **Ummm, when I type start/ run/ msconfig the information box says I am in normal start up mode. If in fact I am not, I don't know how to change that.

    -What is this: C:\AA
**This is an empty file where I temporarily dump files that I want to find easily. These files can all be sent to the recycle bin at any time. The folder is currently empty.

    **Combofix script run

    -Now clean out everything you can in this folder: C:\Documents and Settings\Nicholas\Local Settings\Temp\
    ** No such folder exists under C:\Documents and Settings\ I only have Administrator, All Users, Default Uses, Gregg, Guest, LocalService, NetworkService, and Nick.

    -Now run Ccleaner to clean out only temp files.
    **CCleaner tab for temp files checked and nothing else, ran and cleaned.

Files requested are attached.

    ** FEEDBACK: My system seemed to run reasonably well, even before your most recent post, a bit faster now. Currently most web sites seem to run fine ...BUT loading even the simplest 8kb message from yahoo-mail still takes 30 seconds (yes I timed it). Accessing a message or photo on yahoo groups responds about the same. I have no idea if this is a yahoo problem or a windows problem. It seems to be the same with firefox and IE.

    Thanks for the support!!

    Gregg
     
  8. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    You didn't attach anything.
     
  9. Greggp

    Greggp Private E-2

    Sorry, I must have missed a required click to upload them last time.
    I have attached them again.

On a side note, I believe the problem with IE and Firefox is their internal settings. I've since tried Google Chrome and it is so much faster ...especially when accessing yahoo.com info.

    Gregg
     

    Attached Files:

  10. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Your logs are clean, however there are many traces of AVG still on your system. I would suggest you go here:
    http://www.avg.com/download-tools
    And download the removal tool.

    If you are not having any other malware problems, it is time to do our final steps:
1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no real-time protection. They are useful as backup scanners. They do not use any significant amount of resources (except a little disk space) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /u
        • Notes: The space between the combofix" and the /u, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
    3. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    4. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    5. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    6. Go to add/remove programs and uninstall HijackThis.
    7. Goto the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    8. If you are running Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures in step 3 the READ ME for your Window version and see the instructions to Disable System Restore which will flush your Restore Points.
• Then reboot and Enable System Restore to create a new clean Restore Point.
    9. After doing the above, you should work thru the below link:
     
