Trouble in malware removal (ie: paradise)

Discussion in 'Malware Help (A Specialist Will Reply)' started by juiceinla, Nov 8, 2009.

  1. juiceinla

    juiceinla Private E-2

    Hi there, and thank you for this site. My laptop/Windows XP (Professional) has been infected with a couple of variants of the Vundo virus and something McAfee calls "spyware-agent.bw.gen.e". I am having most of the problems your other forum members are experiencing (slow start-up; looping and repetitious IE pop-ups telling me to install McAfee SiteAdvisor on my Yahoo toolbar, which I don't have; constant 100% processor load in Task Manager; unable to boot in any form of Safe Mode; inability to run various malware removal tools).

    I found your website while researching the issue and began with your "READ & RUN ME" process. In Normal Mode (I cannot access Safe Mode) I disabled System Restore.

    Then I followed your "basic maintenance clean-up stuff", backed up my personal files, then ran McAfee VirusScan, emptied the quarantine of over 35,000 (not a typo) files sitting there, emptied the Recycle Bin and then ran CCleaner.

    The first problem I encountered was not being able to access MSConfig in any way you or other sites suggested. I never resolved the problem, but I ran HijackThis (log attached). Then I moved on to your "Windows XP Cleaning Procedure".

    I ran SUPERAntiSpyware (log attached).
    I ran Malwarebytes' Anti-Malware (log attached) and encountered "Bad Image" errors. Here is where we stand:

    At the end of the scan it identified about 30 infected files and I hit "remove the files". It began to do so, then indicated about 5-6 could not be removed and asked me to restart my laptop to remove them. So I did, immediately.

    Before, during and after Windows was loading on reboot I began to get "Bad Image" errors associated with many programs and a DLL file, "wifufulu.dll". MBAM identified wifufulu.dll as malware in the scan. I assume this means the trojan/virus was trying to load at start-up, and am wondering if that is right, and if so, has MBAM gotten rid of it? Here are the files identified in the "Bad Image" errors:

    c:\windows\system32\Lsass.exe
    c:\windows\system32\services.exe
    c:\windows\system32\wifufulu.dll
    c:\windows\system32\mbamgui.exe
    c:\windows\system32\hkcmd.exe
    c:\windows\system32\igfxtray.exe
    c:\windows\system32\igfxpers.exe
    c:\windows\system32\nerocheck.exe
    c:\windows\system32\syntpenh.exe
    c:\windows\system32\mcagent.exe
    c:\windows\system32\WLtray.exe
    c:\windows\system32\QTTask.exe
    c:\windows\system32\iTunesHelper.exe
    c:\windows\system32\Rundll32.exe
    c:\windows\system32\ctmon.exe
    c:\windows\system32\adobeupdate.exe
    c:\windows\system32\reader_sl.exe
    c:\windows\system32\MBAM.exe


    Is it normal to get these "Bad Image" errors? What do I do next?

    I have one additional question. Assuming this matter can be resolved, I have to say I am completely intimidated by ComboFix, and afraid to run it as I am NOT even close to an expert. Can I run RootRepeal and MGtools without running ComboFix?

    Thank you so much.
     

  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Major Geeks!

    Yes, you can run RootRepeal and MGtools without having run ComboFix, but we may ask you to run it if we see other problems requiring the use of ComboFix to remove them.
     
  3. juiceinla

    juiceinla Private E-2

    Hi, and thanks! OK, I ran RootRepeal and MGtools; logs are attached. I think I did the second RootRepeal (111309) wrong, leaving my McAfee running; that is why I sent two logs.

    I have my OS reinstallation disc, so if ComboFix is necessary and I screw it up, I can reinstall Windows.

    I hope everything is gone, but am not optimistic.

    Thank you again for everything!
     

  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please see step 4 of the READ & RUN ME and use MSconfig to put your PC into Normal Startup mode as requested.

    You have a bunch of leftovers from having Norton Internet Security installed. We need to remove these.

    Please run the below then reboot. After reboot run it one more time.

    Norton Removal Tool (SymNRT)

    Please remove MGtools.exe from your Desktop as it does not belong there.

    Please explain what the below two files on your Desktop are for:
    Code:
    "C:\Documents and Settings\Justine\Desktop\"
    notgme1.exe   Oct 16 2009      291328  "notgme1.exe"
    tricky.exe    Nov  4 2009     4045528  "tricky.exe"

    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
    O2 - BHO: (no name) - {93e34689-cb26-4bf8-b15a-1e09435a3b5a} - gakikedo.dll (file missing)
    O20 - AppInit_DLLs: wezavova.dll c:\windows\system32\wifufulu.dll
    O21 - SSODL: werosamuw - {c9578673-720c-45f9-977a-b3d87e284978} - (no file)
    O21 - SSODL: mayezoguw - {54f0761f-659f-42cb-bacc-adf7112a1607} - c:\windows\system32\wifufulu.dll (file missing)
    O22 - SharedTaskScheduler: mujuzedij - {c9578673-720c-45f9-977a-b3d87e284978} - (no file)
    O22 - SharedTaskScheduler: tokatiluy - {54f0761f-659f-42cb-bacc-adf7112a1607} - c:\windows\system32\wifufulu.dll (file missing)

    NOTE: HJT may popup an error about the AppInit_DLLs line. Ignore it and click OK to continue.
    After clicking Fix, exit HJT.

    Now download The Avenger by Swandog46, and save it to your Desktop.
    • Extract avenger.exe from the Zip file and save it to your desktop
    • Run avenger.exe by double-clicking on it.
    • Do not change any check box options!!
    • Copy everything in the Quote box below, and paste it into the Input script here: part of the window:
    • Now click the Execute button.
    • Click Yes to the prompt to confirm you want to execute.
    • Click Yes to the Reboot now? question that will appear when Avenger finishes running.
    • Your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt and it will popup for you to view when you login after reboot.

    Now run Ccleaner. Only use the Run Cleaner button. Do not run anything else on any other forms.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:
    • C:\avenger.txt
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
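    Editor's note on the three persistence locations in the HijackThis lines above, and on the "Bad Image" dialogs from the first post. O20 is the AppInit_DLLs value: every process that loads user32.dll is made to load the listed DLLs too, so once MBAM deleted wifufulu.dll but the registry value still named it, each process that started (lsass.exe, services.exe, mbamgui.exe and the rest of that list) raised a "Bad Image" error for the missing module. O21 (ShellServiceObjectDelayLoad) and O22 (SharedTaskScheduler) are Explorer-loaded COM objects keyed by CLSID; "(no file)" means the CLSID has no registered in-process server, "(file missing)" means it points at a DLL that no longer exists. The script below is an added example, not part of this thread or of MGtools: it enumerates the same three locations on a live system, resolves each CLSID to its InprocServer32 module and flags entries whose module is absent, which is exactly what the HJT fix lines above clean up. Registry paths are the standard ones; the function names are my own.

```powershell
# Added example: enumerate the HijackThis O20/O21/O22 persistence locations
# and flag dangling entries. Run from an elevated PowerShell prompt.

function Resolve-ClsidServer {
    param([string]$Clsid)
    # A COM class's in-process DLL is the default value of HKCR\CLSID\{guid}\InprocServer32.
    $key = "Registry::HKEY_CLASSES_ROOT\CLSID\$Clsid\InprocServer32"
    if (-not (Test-Path -Path $key)) { return $null }
    $path = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).'(default)'
    if ([string]::IsNullOrWhiteSpace($path)) { return $null }
    return [Environment]::ExpandEnvironmentVariables($path.Trim('"'))
}

function Test-ModulePath {
    param([string]$Path)
    if (-not $Path) { return 'no file' }          # HJT's "(no file)"
    # Bare names such as "wezavova.dll" are found by the loader via System32, so test there.
    if (-not [IO.Path]::IsPathRooted($Path)) {
        $Path = Join-Path $env:SystemRoot "System32\$Path"
    }
    if (Test-Path -LiteralPath $Path) { 'present' } else { 'file missing' }   # HJT's "(file missing)"
}

$findings = @()

# O20 - AppInit_DLLs: a space/comma separated list injected into every user32-loading process.
$winKey  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'
$appInit = (Get-ItemProperty -Path $winKey -ErrorAction SilentlyContinue).AppInit_DLLs
if ($appInit) {
    foreach ($dll in ($appInit -split '[ ,;]+' | Where-Object { $_ })) {
        $findings += [pscustomobject]@{ Hook = 'O20 AppInit_DLLs'; Name = $dll; Module = $dll; Status = (Test-ModulePath $dll) }
    }
}

# O21 - ShellServiceObjectDelayLoad: values are name -> CLSID, loaded by Explorer at logon.
$ssodl = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad'
if (Test-Path -Path $ssodl) {
    $props = Get-ItemProperty -Path $ssodl
    foreach ($p in ($props.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' })) {
        $mod = Resolve-ClsidServer $p.Value
        $findings += [pscustomobject]@{ Hook = 'O21 SSODL'; Name = $p.Name; Module = $mod; Status = (Test-ModulePath $mod) }
    }
}

# O22 - SharedTaskScheduler: values are CLSID -> description, also loaded by Explorer.
$sts = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler'
if (Test-Path -Path $sts) {
    $props = Get-ItemProperty -Path $sts
    foreach ($p in ($props.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' })) {
        $mod = Resolve-ClsidServer $p.Name
        $findings += [pscustomobject]@{ Hook = 'O22 SharedTaskScheduler'; Name = $p.Value; Module = $mod; Status = (Test-ModulePath $mod) }
    }
}

# Everything found, then only the dangling or missing entries that deserve a closer look.
$findings | Format-Table -AutoSize
$findings | Where-Object { $_.Status -ne 'present' }
</code>
```

    Caveats a practitioner should keep in mind: on 64-bit Windows the 32-bit AppInit_DLLs value lives under the Wow6432Node copy of that key as well, and from Vista onward the list is only honoured when the LoadAppInit_DLLs DWORD in the same key is 1. A "present" module is not proof of legitimacy; random eight-letter names like those in this thread sitting in System32 still warrant checking the file's signature and hash.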
     
  5. juiceinla

    juiceinla Private E-2

    Hi, thanks. OK, so I did go to MSConfig and Normal mode was already chosen (I have been in Normal mode all along; I could never switch to Safe Mode, even when I tried), so hopefully nothing changed.

    Ran the Norton Removal Tool, then removed MGtools.exe from the Desktop.

    notgmer1.exe is gmer.exe renamed so it would run (I ran it about a week ago).
    tricky.exe is Malwarebytes Anti-Malware, also renamed so it would run. I had a lot of trouble with MBAM; my computer would not run it, and it took 5-6 different tries. I kept downloading and renaming, trying different things.

    I followed the rest of your instructions and only encountered problems after running Avenger. After it ran, a "regetit.dll" error message popped up. Then, when trying to save the avenger.txt file, the PC got hung up. It saved to the Desktop, but then I could do nothing else. Two reboots later I could run CCleaner. It ran, but then the computer would not respond; my desktop icons all disappeared, leaving only the background. I manually turned the computer off and then back on with the on/off button.

    Ran MGtools\GetLogs.bat. I didn't get a prompt after it was done like last time, and I can't find the MGlogs.zip. I even went back to your "Windows XP Cleaning - Using MGtools" pages to see if I missed a step, but no. I then went into my C:\MGtools folder and found a bunch of .txt files dated with today's date. I compressed them all into a zip file and that is what I have attached here as "procdll.zip". I hope these are the files you are looking for, but cripes, I didn't know what else to do.

    If this is totally wrong, will you let me know? thanks again!

    Juice

    I hope it worked. Thanks again!
     

  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You were not in Normal Startup mode last time. Now you are. Don't confuse Normal Boot mode with Normal Startup mode, because they don't mean the same thing. There are Normal Boot Mode and Safe Boot Mode, two different boot modes. Normal Startup Mode means you are not using MSConfig to control any kind of startups at all, and that includes using MSConfig to put your PC in Safe Boot Mode.

    Are you sure about that message? Was it really regetit.dll? Or was it something else?

    The log is right where the instructions told you it would be. I can see it in the logs you attached:
    Code:
    "C:\"
    mglogs.zip    Nov 17 2009       26711  "MGlogs.zip"
    
    You must not be looking in the correct location.

    I suggest that you remove the below from your Desktop now. We will remove other tools we installed when we get to final instructions.
    Code:
    "C:\Documents and Settings\Justine\Desktop\"
    ccleaner.exe  Nov  4 2009     1700664  "CCleaner.exe"
    GMER          Nov 11 2009              "gmer"
    gmer.zip      Nov  3 2009      282833  "gmer.zip"
    hijack~1.lnk  Nov  4 2009        1734  "HijackThis.lnk"
    hjtins~1.exe  Nov  4 2009      812344  "HJTInstall.exe"
    norton~1.exe  Nov 16 2009      793200  "Norton_Removal_Tool.exe"
    notgme1.exe   Oct 16 2009      291328  "notgme1.exe"
    tricky.exe    Nov  4 2009     4045528  "tricky.exe"
    vundofix.exe  Nov 11 2009      119808  "VundoFix.exe"
    window~1.exe  Nov  3 2009     9092032  "windows-kb890830-v3.0.exe"
    window~1.msi  Nov  3 2009     5154304  "WindowsDefender.msi"

    Your logs are basically clean. We just have a couple of leftover dead items to remove.

    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O21 - SSODL: werosamuw - {c9578673-720c-45f9-977a-b3d87e284978} - (no file)
    O21 - SSODL: mayezoguw - {54f0761f-659f-42cb-bacc-adf7112a1607} - (no file)

    After clicking Fix, exit HJT.


    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources (except a little disk space) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /uninstall
        • Note: the space between combofix" and /uninstall must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
    3. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    4. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    5. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    6. Go to add/remove programs and uninstall HijackThis.
    7. Goto the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    8. If you are running Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures pointed to by step 6 of the READ ME for your Window version and see the instructions to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    9. After doing the above, you should work through the below link:
     
  7. juiceinla

    juiceinla Private E-2

    Ok, so here we are. To answer your questions

    Yes, it was regetit.dll, and it came up after I ran Avenger.

    OK, so I removed the Desktop items listed; I never used ComboFix, so I did not remove it. I did remove Avenger and all the other clean-up programs. Then I ran MGtools\analyse.exe as you told me, deleted the two items, removed HijackThis from Programs, then used MGtools.bat to remove MGtools.

    I had been in "deactivate System Restore" mode all along. However, upon trying to reactivate System Restore, the system got hung up and I had to manually turn the laptop off (toggle switch). After two tries, I gave up.

    Do you think there is still a problem?

    Thanks again!
     
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Not malware according to the logs; however do the below.

    • Please save the Win32kDiag file to your Desktop.
    • Click on Start->Run, copy and paste the following command into the "Open" box, and click OK. When it's finished, there will be a log called Win32kDiag.txt on your Desktop. Please attach this log.
    "%userprofile%\desktop\win32kdiag.exe" -f -r


    Click Start, Run, enter sfc /scannow and click OK. There is a space after the sfc. This runs System File Checker, which looks for missing or corrupted system files and attempts to replace/repair them from files on your hard disk, or from the CD if necessary. So it will ask for the Windows CD if it needs it.


    Now reboot. After reboot, see if you can enable System Restore.
     
