Win32/Heur Infection on Laptop

Discussion in 'Malware Help (A Specialist Will Reply)' started by djames216, Nov 25, 2010.

  1. djames216

    djames216 Private E-2

    Hi.

    Please note that the laptop I am trying to remove malware from is not my own. A friend of a friend has asked me to look at it. So I will not necessarily know answers to questions regarding usage history etc, but I will do my best to answer any questions you may have.

    Symptoms

    On Sunday 21st November, the user reported that AVG Free 8.5 had been reporting multiple threats of a virus known as Win32/Heur. If the laptop is left on long enough, AVG would continue to report new threats every few seconds culminating in a very long list of threats building up in the virus vault. The user seems to think that the problem started on or around the time they had downloaded and installed a Samsung PC suite from Samsung's official site. This may or may not have been the cause of the problem.

    Both Internet Explorer and Firefox refused to launch. When trying to launch IE, it did nothing. When trying to launch Firefox, all it would display is the crash report window every time. I reinstalled Firefox, and when I tried to launch it, the browser window opened normally, but then refused to display any webpage. The error page displayed is "The connection was reset" or "The connection has timed out." I tried various webpages, and also tried the IP address of my router, but with no success.

    I have also found I was unable to uninstall programs. This included old versions of Java. I had to use JavaRa to remove them. The current version of Java installed does not appear to be working correctly. When I access Java from the control panel, it does nothing; the settings window does not appear. When I attempt to reinstall the current version, the install process stops, saying that I already have the latest version installed. At the moment, I cannot uninstall the corrupted current version or reinstall a fresh copy.

    I have also noticed some unusual behaviour in the processes list of task manager. On more than one occasion, I have noticed two processes both called "iexplore.exe". This is despite the fact that Internet Explorer hasn't even been launched in the current session. I've also noticed similar behaviour with the "Firefox.exe" process. The process would appear in task manager, even though it hadn't been launched yet. On at least one occasion, when closing the Firefox.exe process, it immediately reappeared and I had to close it down a second time, before it would finally disappear.

    The most immediate hurdle I need to overcome is re-enabling web-access to a browser. Net access appears to be working on some level as I have been able to download updates for Super Anti-Spyware, MalwareBytes Anti-Malware and Combofix was able to download and install Recovery Console. I cannot access your site (or any site) from the infected laptop in order to upload the logs. And I would rather not transfer the logs to my Computer and risk infection there too.


    Actions
    • I noted that an out of date version of AVG is installed and only the basic Windows firewall is running.
    • I looked for, but could not find, any "MyWay" or "Viewpoint" programs installed.
    • I installed CCleaner and cleaned out junk files and redundant registry entries.
    • I ran scans with Super Anti-Spyware and Malwarebytes Anti-Malware. (I had to rename the executable for Malwarebytes Anti-Malware, as it did not launch the first time. I renamed it to mb.exe.) They both detected and removed various infections. But afterwards, AVG continued to report fresh infections of the Win32/Heur virus.
    • I removed old versions of Java using JavaRa.
    • I have enabled viewing of hidden files, system files and file extensions.
    • I have looked through the list of known malware and unwanted software. None of them appear to be installed.
    • No disk emulation software appears to be running.
    • I disabled System Restore and it is not currently active.
    • I have performed your "Windows XP Cleaning Procedure". No problems until starting ComboFix, which stated that it was unable to run with AVG installed. So I have uninstalled AVG (I had to use the AVG Removal tool because the normal uninstall process repeatedly failed) in order to start ComboFix properly. On ComboFix's first operation it successfully installed Recovery Console, but then a blue screen of death occurred on or around stage 50. Near the start of the second attempt with ComboFix, it detected rootkit activity and stated the following file to note down:- "C:\Documents and Settings\Maggie\Application Data\Veykfa\udik.exe". Windows was rebooted and ComboFix reinitiated before Windows fully booted to desktop. Unfortunately another BSOD occurred at around stage 50. As suggested in your instructions, I skipped the ComboFix stage because of experiencing problems with it.
    • The remaining steps (Root Repeal & MGTools) seemed to complete their scans successfully.

    I am unable to upload the logs from the laptop at the moment. If you can help me restore web access first, I can then upload the logs.

    Many thanks for your help.
     
  2. djames216

    djames216 Private E-2

    I have since managed to restore web access to Firefox. I discovered some proxy settings that prevented the laptop's browser from working properly on my network.

    So here, finally are the logs. The only log I was unable to create is from ComboFix (as described in my first post).
     


  3. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    After clicking Fix, exit HJT.

    Now copy just the bold text below to notepad (Do not include any space above the word REGEDIT). Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.
    Make sure that you tell me if you receive a success message about adding the above
    to the registry. If you do not get a success message, it definitely did not work.


    Now use windows explorer to find and delete:
    C:\Documents and Settings\Maggie\Application Data\Afdeor
    C:\Documents and Settings\Maggie\Application Data\ARBE
    C:\Documents and Settings\Maggie\Application Data\Coeb
    C:\Documents and Settings\Maggie\Application Data\Dycyub
    C:\Documents and Settings\Maggie\Application Data\Exoklu
    C:\Documents and Settings\Maggie\Application Data\Feid
    C:\Documents and Settings\Maggie\Application Data\Fotoyd
    C:\Documents and Settings\Maggie\Application Data\HTC
    C:\Documents and Settings\Maggie\Application Data\HTC.388BC06ACDAB6261375BCE37FBA2E023C0D7EE34.1
    C:\Documents and Settings\Maggie\Application Data\Sonayb
    C:\Documents and Settings\Maggie\Application Data\Veykfa
    C:\Documents and Settings\Maggie\Application Data\Ydul
    C:\NAOAPXGL.EXE

    Please download the TDSS Rootkit Removing Tool (TDSSKiller.exe) and save it to your Desktop. <-Important!!!


    Be sure to download TDSSKiller.exe (v2.4.0.0) from Kaspersky's website and not TDSSKiller.zip which appears to be an older version 2.3.2.2 of the tool.

    • Double-click on TDSSKiller.exe to run the tool for known TDSS variants.
      Vista/Windows 7 users right-click and select Run As Administrator.
    • If TDSSKiller does not run, try renaming it.
    • To do this, right-click on TDSSKiller.exe, select Rename and give it a random name with the .com file extension (i.e. 123abc.com). If you do not see the file extension, please refer to How to change the file extension.
    • Click the Start Scan button.
    • Do not use the computer during the scan
    • If the scan completes with nothing found, click Close to exit.
    • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
    • Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
    • A log file named TDSSKiller_version_date_time_log.txt (i.e. TDSSKiller.2.4.0.0_27.07.2010_14.17.05_log.txt) will be created and saved to the root directory ( usually Local Disk C ).
    • Attach this log to your next message


    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:

    * TDSSKiller log.
    * C:\MGlogs.zip

    Make sure you tell me how things are working now!
     
  4. djames216

    djames216 Private E-2

    Hi.

    I found all but one of the entries you quoted for removal using HijackThis.
    The only line I could not find is
    O4 - HKCU\..\Run: [{BE9BF95B-849E-65FA-EF68-DBDA1D05AA4A}] "C:\Documents and Settings\Maggie\Application Data\Veykfa\udik.exe".
    The closest line I could find to match this is
    O4 - HKCU\..\Run: [{BE9BF95B-849E-65FA-EF68-DBDA1D05AA4A}] "C:\Documents and Settings\Maggie\Application Data\Evovb\ixsei.exe"

    I have not told HijackThis to remove any entries yet. Should I mark this "Evovb\ixsei.exe" entry for removal? I have not actioned anything yet and await your advice before I proceed.

    Many thanks.
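    As an added example (not part of this thread, and not code from HijackThis or MajorGeeks), here is a small Python triage script for HijackThis O4 lines like the two quoted above. It flags the pattern those entries share: a GUID-named Run value whose target is an .exe inside a random folder directly under Application Data, and treats an entry in the HKUS\.DEFAULT hive (mentioned later in the thread) as a further indicator. The sample log lines other than the two quoted in this post are constructed.

```python
"""Triage helper for HijackThis O4 (autostart) log lines.

Added example for this thread; not code from MajorGeeks or HijackThis.
It scores each O4 line against the pattern the thread's entries share:
a GUID-style value name in a Run key whose target is an .exe inside a
randomly named folder directly under the user's Application Data.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# HijackThis prints autostart entries as
#   O4 - <hive>\..\Run: [<value name>] "<path>" <arguments>
# with the path unquoted when it contains no spaces.
O4_RE = re.compile(
    r'^O4 - (?P<hive>[^:]+?)\\\.\.\\(?P<key>Run\w*): '
    r'\[(?P<name>[^\]]*)\] '
    r'(?:"(?P<qpath>[^"]+)"|(?P<path>\S+))'
)
# {XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX}, braces optional.
GUID_RE = re.compile(
    r'^\{?[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}?$'
)
# "...\Application Data\<folder>\<file>.exe" (XP layout) or
# "...\AppData\Roaming\<folder>\<file>.exe" (Vista and later).
APPDATA_EXE_RE = re.compile(
    r'\\(?:Application Data|AppData\\Roaming)\\(?P<folder>[^\\]+)\\[^\\]+\.exe$',
    re.IGNORECASE,
)
# Hives that belong to no interactive user: the .DEFAULT profile (shown by
# HijackThis as HKUS\.DEFAULT) and the LocalSystem SID.
SYSTEM_HIVE_RE = re.compile(r'\\\.DEFAULT|S-1-5-18', re.IGNORECASE)


@dataclass
class O4Entry:
    hive: str
    name: str
    path: str
    reasons: List[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        # A single indicator is common in clean logs (many legitimate apps
        # live in Application Data); two together is the thread's pattern.
        return len(self.reasons) >= 2


def parse_o4(line: str) -> Optional[O4Entry]:
    """Parse one HijackThis O4 line; return None for any other line."""
    m = O4_RE.match(line.strip())
    if not m:
        return None
    return O4Entry(hive=m.group('hive'), name=m.group('name'),
                   path=m.group('qpath') or m.group('path'))


def score(entry: O4Entry) -> O4Entry:
    """Attach a reason string for every indicator the entry matches."""
    if GUID_RE.match(entry.name):
        entry.reasons.append('GUID-style value name')
    m = APPDATA_EXE_RE.search(entry.path)
    if m:
        entry.reasons.append(
            f'.exe in Application Data subfolder "{m.group("folder")}"')
    if SYSTEM_HIVE_RE.search(entry.hive):
        entry.reasons.append('autostart in the .DEFAULT/system hive')
    return entry


def triage(lines: List[str]) -> List[O4Entry]:
    """Return the O4 entries of a log that meet the suspicious threshold."""
    flagged = []
    for line in lines:
        entry = parse_o4(line)
        if entry is not None and score(entry).suspicious:
            flagged.append(entry)
    return flagged


SAMPLE_LINES = [
    # The two Run entries quoted in this thread.
    r'O4 - HKCU\..\Run: [{BE9BF95B-849E-65FA-EF68-DBDA1D05AA4A}] "C:\Documents and Settings\Maggie\Application Data\Veykfa\udik.exe"',
    r'O4 - HKCU\..\Run: [{BE9BF95B-849E-65FA-EF68-DBDA1D05AA4A}] "C:\Documents and Settings\Maggie\Application Data\Evovb\ixsei.exe"',
    # Constructed: the same value copied into the .DEFAULT profile hive.
    'O4 - HKUS\\.DEFAULT\\..\\Run: [{BE9BF95B-849E-65FA-EF68-DBDA1D05AA4A}] '
    '"C:\\Documents and Settings\\Maggie\\Application Data\\Evovb\\ixsei.exe" '
    "(User 'Default user')",
    # Constructed benign entries: a vendor autostart, a quoted path with
    # arguments, and a legitimate per-user program under Application Data.
    r'O4 - HKLM\..\Run: [AVG_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe',
    r'O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized',
    r'O4 - HKCU\..\Run: [uTorrent] "C:\Documents and Settings\Maggie\Application Data\uTorrent\uTorrent.exe"',
]

if __name__ == '__main__':
    for entry in triage(SAMPLE_LINES):
        print(f'{entry.hive}: [{entry.name}] {entry.path}')
        for reason in entry.reasons:
            print(f'    - {reason}')
```

Feed it a copy of the HijackThis log (one line per element) to get a shortlist with the reasons spelled out; the output is a starting point for review, not a verdict.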
     
  5. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Yes. Add that to the fix.
     
  6. djames216

    djames216 Private E-2

    Performed HijackThis as requested. The RegEdit integrated successfully. Deleted all but one from the list; could not find C:\NAOAPXGL.EXE. TDSSKiller (2.4.9.0) started up successfully without having to rename the executable. "Cure" was not the default action. "Skip" was the default action; "Delete" and "Copy to Quarantine" were the other 2 options. I selected "Delete". I took a quick look at the HijackThis log in the MGtools zip; it doesn't look like the infection is completely removed yet (correct me if I am wrong).
     


  7. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Please go back to the Read and Run First instructions and download ComboFix to your desktop. Do not run it just yet. We need to see if it will work.

    Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    After clicking Fix, exit HJT.

    * Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
    If it is not on your Desktop, the below will not work.
    * Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    * If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
    * Open Notepad and copy/paste the text in the below code box into it (make sure you scroll all the way down in the code box to get all lines selected ):
    Code:
    KILLALL::
    
    File::
    C:\Documents and Settings\Maggie\Local Settings\Temp\6PBjnYgD.exe.part
    C:\Documents and Settings\Maggie\Local Settings\Temp\L426MR2M.exe.part
    C:\Documents and Settings\Maggie\Local Settings\Temp\raaB.tmp
    C:\Program Files\win\x39.exe
    Folder::
    C:\Documents and Settings\Maggie\Application Data\Lewiqa
    C:\Documents and Settings\Maggie\Application Data\Nifoo
    C:\Documents and Settings\Maggie\Application Data\Peeslo
    C:\Documents and Settings\Maggie\Application Data\Sany
    
    Registry::
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    "{BE9BF95B-849E-65FA-EF68-DBDA1D05AA4A}"=-
    
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentVersion\Run]
    "rap"=-
    
    
    * Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    * At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    * You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    If it asks you to override the previous file with the same name, click YES.
    * Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
    * Follow the prompts.
    * When it finishes, a log will be produced named c:\combofix.txt
    * I will ask for this log below

    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:

    * C:\ComboFix.txt
    * C:\MGlogs.zip

    Make sure you tell me how things are working now!
     
  8. djames216

    djames216 Private E-2

    I ran HijackThis and fixed the entries as instructed.

    I created the CFscript.txt file, saved it to the desktop. Downloaded ComboFix (I could not download it directly to the desktop as I could not change the download directory, so had to move it from download folder to desktop).

    The first time I dragged the CFscript.txt onto Combofix, nothing happened. I dragged it a second time and it finally started up. It eventually displayed this message - "Rootkit!! Combofix has detected the presence of rootkit activity and needs to reboot the machine. Kindly note down on paper the name of each file. We may need it later. C:\Documents and Settings\Maggie\Application Data\Sany\lyilw.exe." Clicked ok, machine rebooted, Combofix started up again, machine rebooted again back to desktop.

    Opened Task Manager and noticed 2 copies of iexplore.exe/SYSTEM were running, even though Internet Explorer has not been used. I have been using Firefox this whole time. Closed these 2 processes down and ran Getlogs.bat. I couldn't find C:\Combofix.txt. I assume that this may mean that Combofix didn't work properly on this occasion?
     


  9. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Nope, it didn't work.

    Download The Avenger by Swandog469, and save it to your Desktop.

    * Extract avenger.exe from the Zip file and save it to your desktop

    Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    After clicking Fix, exit HJT.

    Now copy just the bold text below to notepad (Do not include any space above the word REGEDIT). Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.
    Make sure that you tell me if you receive a success message about adding the above
    to the registry. If you do not get a success message, it definitely did not work.


    * Run avenger.exe by double-clicking on it.
    * -Do not change any check box options!!
    * Copy everything in the Quote box below, and paste it into the Input script here: part of the window:

    * Now click the Execute button.
    * Click Yes to the prompt to confirm you want to execute.
    * Click Yes to the Reboot now? question that will appear when Avenger finishes running.
    * Your PC should reboot, if not, reboot it yourself.
    * A log file from Avenger will be produced at C:\avenger.txt and it will popup for you to view when you login after reboot.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:

    * C:\Avenger.txt
    * C:\MGlogs.zip

    Make sure you tell me how things are working now!
     
  10. djames216

    djames216 Private E-2

    Ran HijackThis to fix entries as instructed.

    Created and ran fixME.reg successfully.

    Ran Avenger as instructed. No problems apparent. Upon reboot, avenger log displayed on desktop as expected.

    Ran GetLogs.bat.

    Had a quick look at the hijackthis log in MGlogs.zip. Unless I'm mistaken, I noticed a couple of rogue entries still there. Stubborn little beggars aren't they?
     


  11. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Yes, everything else has been removed except those two items in HJT. Try doing it again and then tell me what issues you have.

    Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    After clicking Fix, exit HJT.
     
  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You need to attach a new log from either HJT or just rerun GetLogs.bat and attach the new MGlogs.zip file. Otherwise you will not know if they have really been fixed.
     
  13. djames216

    djames216 Private E-2

    Thanks for the heads up chaslang, I was gonna post a fresh log anyway :)

    OK, so I have run HijackThis again, checking the 2 rogue entries to be fixed. Before clicking "Fix", I had Task Manager open and noticed once again 2 iexplore.exe processes open. I closed them and then noticed firefox.exe processes would spontaneously appear multiple times in the list, even though I had closed my current browser session in readiness to run HijackThis. I only clicked "Fix" once I was sure no browser processes were running invisibly. It occurs to me that perhaps the infection secretly launches these browser processes in the hope of disrupting something such as a HijackThis task? Or am I totally off base? Anyway, I then rebooted, ran getlogs.bat, and those rogue entries still appear to be there. The two iexplore.exe processes had appeared again and firefox.exe processes kept re-launching every few seconds after I closed them for about a minute or so, then stopped.
     


  14. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

  15. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    It is just the .DEFAULT registry entries that need to be removed. The files were already removed. ;)
     
  16. djames216

    djames216 Private E-2

    I am currently unable to use the BitDefender online scanner because the Java (6-22) installation is corrupt (I mention this in my 1st post). Attempts to uninstall it or re-install the latest version (using the self-contained download file) have all failed. I also used the Windows Install Clean Up Utility to remove the Java entries in the hope of shaking it loose from the system so I could re-install from scratch. I removed the Java update manager and JRE entries, but this made no difference.

    Every time I try to re-install Java, I get the following 2 messages :-
    Message 1: "The software has already been installed on your computer. Would you like to reinstall it?" (I click Yes)
    Message 2: "This action is only valid for products that are currently installed" (I can only click ok).

    Can you offer any help in fixing this java problem? Then I can use the Bitdefender online scanner. Thanks.
     
  17. djames216

    djames216 Private E-2

    I have installed AVG 2011 (since I had previously removed AVG 8.5), it is continuing to detect various infections. Most if not all are win32 infections. I have noticed a strange folder, it is C:\Combofix . It has the exact same icon as "My Computer" and when I open it, it displays all drives etc just like the normal "My Computer" icon would. I have discovered the following folder. C:\Program Files\win . It contained 3 files. AVG quarantined 2 of them (x38.exe and x33.exe) a third file named x41.exe remained. I manually deleted this and the folder containing it, but at this stage I won't be surprised if it/they reappear.

    I am not confident in the current installation of AVG for 2 reasons.
    1: It is installed within a current infection which may undermine its operation.
    2: No matter how hard I try I cannot get it to do a full system scan. Whenever I click the "Scan Now" button, nothing happens.
     
  18. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Please run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:

    * C:\MGlogs.zip
     
  19. djames216

    djames216 Private E-2

    I ran the getlogs.bat, but things did not go as smoothly this time. As soon as the getlogs.bat launched, AVG also popped up to say that it detected a threat with cmd.exe. Many errors displayed in the command console. AVG was unable to "heal" the cmd.exe infection and I was reluctant to move it to the virus vault because of attempting to run the logs. Though as you will see from the mglogs.zip, not as much info was successfully collected. Perhaps AVG was disrupting the mglogs process while it awaited my response on the cmd.exe threat?

    AVG has also displayed 3 error messages all stating "Unspecified errors occurred in AVG. Would you like to send diagnostics data to the AVG Technical Support department for further analysis?" (I clicked no on all of them).

    The process avgwdsvc.exe has also crashed. I assume that this is an AVG process that the infection has attacked? Which isn't a surprise, if it is.

    When I tried to launch Firefox, it displayed a crash report, so I re-installed it, in order to log in and upload the mglogs.zip (what there is of it).

    At the moment, I feel like things are spinning out of control a bit. Should I try another attempt with the MGlogs?
     


  20. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Yes, it was a worthless log. Disable AVG and try again. But run the other scans as well......
    SAS
    MBAM
    Combofix if it will run.
     
  21. djames216

    djames216 Private E-2

    Ok, will do. But it will take a while; I am in the UK and it's midnight at time of writing, so I will probably not post again until tomorrow with new logs etc.
     
  22. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Not a problem. I will be here. ;)
     
  23. djames216

    djames216 Private E-2

    Updated and ran SAS and MBAM. Logs attached.

    To be on the safe side, I redownloaded Combofix.
    I closed down all browser windows, folder windows, and as many unnecessary processes (that I knew were safe to close) as possible.
    The first couple of times that I double-clicked it, nothing happened. I rebooted, closed processes down again, and it started up this time, then requested AVG be uninstalled before it could run. This reminded me that this was the reason I uninstalled the old AVG first time round.
    I uninstalled AVG, rebooted, closed processes, ran Combofix, but a blue screen of death occurred again. I don't know exactly at what stage in Combofix that it crashed, as I wasn't looking until the BSOD had already appeared. But I know it had got to at least stage 30 or so, it may have got to stage 50 like it had previously. Unsurprisingly, no combofix.txt was created in the root folder.

    Finally, I redownloaded MGTools (again, to be on the safe side). It seemed to run without a hitch this time.

    I feel silly for re-installing AVG, as it seemed to do more harm than good at this stage. I will not be putting AVG back on until (fingers crossed) the laptop is clean.
     


  24. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Let's try again:

    Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    After clicking Fix, exit HJT.

    Now copy just the bold text below to notepad (Do not include any space above the word REGEDIT). Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.
    Make sure that you tell me if you receive a success message about adding the above
    to the registry. If you do not get a success message, it definitely did not work.


    * Run avenger.exe by double-clicking on it.
    * -Do not change any check box options!!
    * Copy everything in the Quote box below, and paste it into the Input script here: part of the window:

    * Now click the Execute button.
    * Click Yes to the prompt to confirm you want to execute.
    * Click Yes to the Reboot now? question that will appear when Avenger finishes running.
    * Your PC should reboot, if not, reboot it yourself.
    * A log file from Avenger will be produced at C:\avenger.txt and it will popup for you to view when you login after reboot.

    Now run Ccleaner to clean out only temp files and nothing else!

    Now see if you can run Combo.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:

    * C:\ComboFix.txt
    * C:\MGlogs.zip
     
  25. djames216

    djames216 Private E-2

    Fixed entries using HJT.

    Created and ran fixME.reg successfully.

    Ran Avenger as instructed. It appeared to be successful.

    Ran C Cleaner, removing only temp files.

    Ran Combofix. It updated itself, then it detected the following rootkit activity:- "C:\Documents and Settings\Maggie\Application Data\Iplypa\botya.exe"

    It then rebooted the machine and restarted its process. Unfortunately, once it got to stage 50, a BSOD occurred again. One small question about using Combofix:- The instructions say to deactivate firewalls, but I couldn't find anything about the built-in Windows Firewall (there is no 3rd party firewalls currently installed). So far, I have left Windows Firewall active while running Combofix. Should I deactivate Windows Firewall while running Combofix?

    Ran getlogs.bat

    I am still seeing unusual processes in Task Manager. At the moment, two firefox.exe processes appear upon boot up before I first launch Firefox in that session. At the moment, I close these whenever possible. The unusual Combofix folder that behaves like My Computer, that I mentioned previously, is also still there.
     


  26. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    You need to tell me what process you see running that you are concerned about.

    In the meantime:

    Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    After clicking Fix, exit HJT.

    Now copy just the bold text below to notepad (Do not include any space above the word REGEDIT). Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.
    Make sure that you tell me if you receive a success message about adding the above
    to the registry. If you do not get a success message, it definitely did not work.

    * Run avenger.exe by double-clicking on it.
    * -Do not change any check box options!!
    * Copy everything in the Quote box below, and paste it into the Input script here: part of the window:

    * Now click the Execute button.
    * Click Yes to the prompt to confirm you want to execute.
    * Click Yes to the Reboot now? question that will appear when Avenger finishes running.
    * Your PC should reboot, if not, reboot it yourself.
    * A log file from Avenger will be produced at C:\avenger.txt and it will popup for you to view when you login after reboot.

    Now run Ccleaner to clean out only temp files and nothing else!

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:

    * C:\Avenger.txt
    * C:\MGlogs.zip

    Make sure you tell me how things are working now!
     
  27. djames216

    djames216 Private E-2

    Ran HJT and fixed entry.
    Created and ran fixME.reg successfully.
    Ran Avenger as instructed.
    Ran C Cleaner as instructed.
    Ran Getlogs.bat.

    Processes
    Apologies if my comments were misleading. The only unusual processes I have observed are the firefox.exe ones that I mentioned in my previous post. At the moment two firefox.exe processes appear in Task Manager every time at boot up. When I attempt to close them in Task Manager, most of the time they close immediately; sometimes they persist for a minute or two before disappearing. They will also spontaneously reappear, even though I don't have Firefox open at the time. This behaviour also happened previously with iexplore.exe, but is not happening at the moment. Are they rogue processes, or maybe something is trying to invisibly launch the default browser?

    Combofix
    Do you know if having windows firewall active affects Combofix at all? i.e. might it have been causing the BSOD?
     


  28. djames216

    djames216 Private E-2

    Booted up the laptop the next morning and have noticed that, instead of 2 firefox.exe processes appearing in Task Manager at boot up, it is now two iexplore.exe processes. I have a feeling it may vary at random between iexplore and firefox at boot up.
     
  29. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Your logs are clean. You can not rely on Windows firewall for adequate protection, you should download a third party firewall!! See the final instructions on how to protect yourself.

    If you are not having any other malware problems, it is time to do our final steps:

    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no real time protection. They do not use any significant amount of resources (except a little disk space) until you run a scan. We recommend them for doing backup scans when you suspect a malware infection.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /uninstall
        • Notes: The space between the combofix" and the /uninstall, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.


    3. Go back to step 6 of the READ ME and re-enable your Disk Emulation software with Defogger if you had disabled it.
    4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. If running Vista, it is time to make sure you have re-enabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    7. Go to add/remove programs and uninstall HijackThis.
    8. Go to the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    9. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures pointed to by step 7 of the READ ME for your Windows version and see the instructions to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.

    10. After doing the above, you should work through the below link:




     
  30. djames216

    djames216 Private E-2

    I am afraid to say that the system is not clean. Rogue entries and files are still present. They are somehow re-appearing. I attach a fresh mglogs for you to look at.

    I am considering wiping the HD and starting again. The only 2 concerns I have are:
    1. Will reformatting the drive remove the infection?
    2. Backing up files. I obviously don't want to be backing up any trace of the infection across to the re-install. Can you give me any advice on this? i.e. Are there certain file types that are safe to back up e.g. images? music? video? office documents? Or is this a non-starter?
     

    Attached Files:

  31. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    What happened between when you posted your last logs that were clean and now?

    Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    After clicking Fix, exit HJT.

    Now copy just the bold text below to notepad (Do not include any space above the word REGEDIT). Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.
    Make sure that you tell me if you receive a success message about adding the above
    to the registry. If you do not get a success message, it definitely did not work.


    * Run avenger.exe by double-clicking on it.
    * -Do not change any check box options!!
    * Copy everything in the Quote box below, and paste it into the Input script here: part of the window:

    * Now click the Execute button.
    * Click Yes to the prompt to confirm you want to execute.
    * Click Yes to the Reboot now? question that will appear when Avenger finishes running.
    * Your PC should reboot, if not, reboot it yourself.
    * A log file from Avenger will be produced at C:\avenger.txt and it will popup for you to view when you login after reboot.

    Now run Ccleaner to clean out only temp files and nothing else!

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:

    * C:\Avenger.txt
    * C:\MGlogs.zip
     
  32. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    I wanted to address this separately.

    Yes, a reformat will remove everything including any infections.
    The thing to back up is all your personal info and data, which includes images, music, videos and docs. Just don't back up any exe files or programs. Once you have done a clean install, installed your AV and AS protection, then you can scan your backup media before reinstalling it on your system.
     
  33. djames216

    djames216 Private E-2

    Done.
     

    Attached Files:

  34. djames216

    djames216 Private E-2

    After posting the logs in my previous post, the infection has reared its ugly head again! I am convinced that it is simply unfixable, as we are going round in circles. I don't know how, but it just keeps coming back again and again. I am going to back up files, fully format HD and re-install. Fingers crossed that the backup won't contain any infection. I will be avoiding the backup of any .exe files and programs. Thanks for all your help anyway.
     
  35. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Based on your last logs, I checked earlier logs. It appears that part of your infection may have been getting missed. The C:\WINDOWS\Explorermgr.exe that is in your logs needed to be removed. If you have not already formatted, let's try the below fix. Also since things may have changed after your last logs were posted, this current fix I'm posting may be a little out of date too and another may still be needed.

    I'm also concerned whether you may have a new form of Ramnit so we will run an online scanner too.

    First I need you to load your C:\Windows\win.ini file into notepad. And go to the end of the file and delete the below two lines. Then save the file and quit notepad.

    [HookAPI]
    DLL_PATH=C:\Program Files\DoubleD\GamingHarbor Toolbar\4.1.2.19770



    Now uninstall the below two programs:
    NOD32 FiX v2.1
    Spybot - Search & Destroy 1.4

    Also you seem to have missed fixing the below with HijackThis as requested last time.

    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista or Win 7, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O4 - HKCU\..\Run: [{BE9BF95B-849E-65FA-EF68-DBDA1D05AA4A}] "C:\Documents and Settings\Maggie\Application Data\Vocoo\bavy.exe"

    After clicking Fix, exit HJT.


    Now download The Avenger by Swandog46, and save it to your Desktop.
    • Extract avenger.exe from the Zip file and save it to your desktop
    • Run avenger.exe by double-clicking on it.
    • Do not change any check box options!!
    • Copy everything in the Quote box below, and paste it into the Input script here: part of the window:
    • Now click the Execute button.
    • Click Yes to the prompt to confirm you want to execute.
    • Click Yes to the Reboot now? question that will appear when Avenger finishes running.
    • Your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt and it will popup for you to view when you login after reboot.

    Now run Ccleaner. Only use the Run Cleaner button. Do not run anything else on any other forms.

    Now you need to get some protection on this PC to avoid having reinfection. I suggest that you install the below two programs immediately:
    • AntiVir Personal Edition
    • Comodo Personal Firewall
      • WARNINGS:
        • Ask Toolbar may be installed by default but you can uncheck this during the install or uninstall it anytime afterwards if you decide you do not want this feature later.
        • This includes both a firewall and an antivirus. Do not install the antivirus since you will already have installed Avira.
    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:
    • C:\avenger.txt
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
  36. djames216

    djames216 Private E-2

    Thankfully I checked this thread before I had committed to wiping the HD.

    Removed the hook API from win.ini
    Uninstalled Nod32 and Spybot (removed immunizations before uninstall), rebooted machine to complete uninstall of spybot.
    Ran HJT, but could not find the entry you listed (...Voco.bavy.exe), but I did find an entry referring to a similar location but different file - ...Saha\ipezh.exe . So I selected this for removal, I did not notice any other rogue entries.
    On my first run of avenger, I made a mistake. I have been restricting internet access on the laptop. So rather than copy/paste from your website, I manually typed the entries. Unfortunately, I mis-typed the entry referring to Explorermgr.exe. The Explorermgr.exe entry was the only unsuccessful entry on this first attempt. I started over.

    I double-checked that the hook API was still removed from win.ini, it was.
    Was unable to run HJT in this session because Firefox.exe processes would not terminate. Rebooted machine and started over again.

    Double-checked win.ini, hook API still removed.
    Was finally able to run HJT because I could now terminate firefox.exe processes.

    Found two rogue entries:-
    The "...Saha\ipezh.exe" entry was there again and...
    O4 - .DEFAULT User Startup: beqym.exe (User 'Default User)

    I removed these entries and closed HJT.

    I ran the exact same avenger process as the first time. This explains why the log shows successful removal of Explorermgr.exe but failure on the others. The others had been successfully removed first time round.

    Ran C Cleaner.

    Ran getlogs.bat.

    Sorry for the messy removal process. I quickly looked at the HJT log in mglogs.zip and there is still at least 1 rogue entry remaining.


    Other actions and observations.

    After my previous post and before I saw your new post, I had installed Zone Alarm Firewall. I have yet to install anti-virus, mainly because I want to be reasonably sure that the laptop is infection free before I install any. I don't want a lingering infection undermining the operation of the anti-virus.

    During the above tasks, firefox.exe (and on one occasion iexplore.exe) processes would launch without me ever opening a browser window. ZoneAlarm would inform me that Firefox wanted access to the internet. During this session, I have so far denied it access, plus I have not allowed physical connection (wifi & ethernet) to the internet. The only exception being me uploading the required logs and this post. I can't help but wonder if the infection is trying to access malicious web-pages to further infect the laptop or a rogue process is disguising itself? The firefox.exe process kept opening like crazy during the mglogs.bat task. I kept closing it down every time. It must've opened at least half a dozen times at this stage.

    I also happened to notice a process called ramaint.exe appear in Task Manager. It only seems to appear sometimes and I didn't have any problem ending the process.

    Phew.
     

    Attached Files:

  37. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    There is still a new one in your last log. It is now beqym.exe

    Also the C:\WINDOWS\Explorermgr.exe came right back. You cannot make mistakes while following instructions as each reboot or mistake can cause the infection to spread and/or mutate into a different form which makes a fix obsolete immediately. Also I have to advise you not to reboot or power down your PC after you attach new logs because that would also possibly change your status.

    Uninstall Firefox for now while we continue to work on this. It may help control things a little. DO NOT reinstall it until we finish.

    On the contrary, in this case you need to install the antivirus as suggested to possibly help ward off reinfection. This was why it was part of my fix. You need to follow the fixes we give you and not invent your own.

    ramaint.exe is a process belonging to the 3am Laboratories, Remotely Anywhere remote administration tool. You have this because you installed LogMeIn to allow remote access to your PC. Why did you install this?

    However all the above being said, I now looked over your new logs and my suspicion about you having a form of Ramnit is correct. You have one that is making files like below:

    C:\WINDOWS\Explorermgr.exe
    C:\WINDOWS\system32\rundll32mgr.exe
    C:\WINDOWS\system32\taskmgrmgr.exe

    I will give you one more fix but I expect that you will have to reinstall in order to fix this properly. Ramnit can cause all kinds of damage and result in an unreliable PC.


    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista or Win 7, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines ( and any similar ones that look like the infection ) but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O4 - .DEFAULT User Startup: beqym.exe (User 'Default user')
    After clicking Fix, exit HJT.

    • Run avenger.exe by double-clicking on it.
    • Do not change any check box options!!
    • Copy everything in the Quote box below, and paste it into the Input script here: part of the window:
    • Now click the Execute button.
    • Click Yes to the prompt to confirm you want to execute.
    • Click Yes to the Reboot now? question that will appear when Avenger finishes running.
    • Your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt and it will popup for you to view when you login after reboot.
    Also delete all files in the below folders except ones from the current date (Windows will not let you delete the files from the current day).
    C:\WINDOWS\Temp
    C:\Documents and Settings\Maggie\Local Settings\Temp

    Now run Ccleaner. Only use the Run Cleaner button. Do not run anything else on any other forms.

    Now run this: Using ESET's Online Scanner and attach the log.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).


    Then attach the below logs:
    • C:\avenger.txt
    • the log from ESET
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
    After attaching these new logs, DO NOT power down or reboot your PC. You must keep it running until we give the next fix.
     
    Last edited: Dec 3, 2010
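As an added, defender-side example (not code from the thread or from any tool the posts mention), the following Python checks constructed samples for the three artefacts chaslang's posts identify: the [HookAPI] section in win.ini, the "<system binary>mgr.exe" files in the Windows directories, and the O4 startup entries fixed with HijackThis. The extra names in SYSTEM_BINARIES and the decoy file and startup entries are assumptions added for illustration.

```python
# Added example (not from the thread or any tool the posts mention): checks for the
# Ramnit-style artefacts described above, over constructed samples so it runs offline.
import configparser
import ntpath

# Directories in which the thread shows the "<name>mgr.exe" droppers landing.
SYSTEM_DIRS = {r"c:\windows", r"c:\windows\system32"}
# Binaries whose names the thread shows reused with "mgr" appended (Explorermgr.exe,
# rundll32mgr.exe, taskmgrmgr.exe). Assumption: the same trick on other system
# binaries is equally suspicious, hence the extra names.
SYSTEM_BINARIES = {"explorer", "rundll32", "taskmgr", "winlogon", "svchost"}

# Constructed win.ini carrying the [HookAPI] section quoted in post 35.
WIN_INI = r"""; for 16-bit app support
[fonts]
[Mail]
MAPI=1
[HookAPI]
DLL_PATH=C:\Program Files\DoubleD\GamingHarbor Toolbar\4.1.2.19770
"""

# Constructed directory listing: the three names from post 37 plus decoys.
FILE_LIST = [
    r"C:\WINDOWS\Explorermgr.exe",
    r"C:\WINDOWS\system32\taskmgr.exe",  # the real binary, must not be flagged
    r"C:\WINDOWS\system32\rundll32mgr.exe",
    r"C:\WINDOWS\system32\taskmgrmgr.exe",
    r"C:\Program Files\Some Tool\filemgr.exe",  # constructed third-party name
]

# Constructed HijackThis-style lines: the two O4 entries from the thread plus a decoy.
HJT_LINES = [
    r"O4 - HKLM\..\Run: [SoundTray] C:\WINDOWS\system32\sndtray.exe",  # constructed decoy
    r'O4 - HKCU\..\Run: [{BE9BF95B-849E-65FA-EF68-DBDA1D05AA4A}] "C:\Documents and Settings\Maggie\Application Data\Vocoo\bavy.exe"',
    "O4 - .DEFAULT User Startup: beqym.exe (User 'Default user')",
]

def hookapi_dll_paths(win_ini_text):
    """Return every DLL_PATH under [HookAPI]; a clean win.ini has no such section."""
    cp = configparser.ConfigParser(allow_no_value=True, strict=False,
                                   interpolation=None, delimiters=("=",))
    cp.optionxform = str  # keep DLL_PATH's case instead of lower-casing keys
    cp.read_string(win_ini_text)
    if not cp.has_section("HookAPI"):
        return []
    return [v for k, v in cp.items("HookAPI") if k.upper() == "DLL_PATH" and v]

def mgr_lookalikes(paths):
    """Flag <system binary>mgr.exe files sitting in the Windows directories."""
    hits = []
    for path in paths:
        directory, name = ntpath.split(path)
        stem, ext = ntpath.splitext(name.lower())
        if (directory.lower() in SYSTEM_DIRS and ext == ".exe"
                and stem.endswith("mgr") and stem[:-3] in SYSTEM_BINARIES):
            hits.append(path)
    return hits

def suspicious_o4(hjt_lines):
    """Flag O4 entries run from the Default User startup folder or from a user's
    Application Data path, the two shapes fixed with HijackThis in this thread."""
    return [line for line in hjt_lines if line.startswith("O4 - ") and
            (".default user startup" in line.lower()
             or "\\application data\\" in line.lower())]
```

Run against a real machine, the same functions would take the actual win.ini text, a directory listing of C:\WINDOWS and system32, and the O4 section of an HJT log.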
  38. djames216

    djames216 Private E-2

    Firefox uninstalled.

    I did not know that ramaint.exe was part of logmein. As mentioned in my first post this laptop is not my own. I use logmein to help people out remotely, so it should be there.

    Ran HJT and removed entry as instructed.

    Ran avenger to delete files and folders as instructed.

    Deleted temp files from C:\WINDOWS\Temp and C:\Documents and Settings\Maggie\Local Settings\Temp as instructed.

    Ran C Cleaner as instructed.

    Ran ESET's Online Scanner as instructed.

    Ran getlogs.bat.

    Laptop left on as instructed.
     

    Attached Files:

  39. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes and notice that my suspicions of this being a Ramnit infection were correct. I'm sorry but it is time to reinstall. Be careful of doing any backups. Ramnit can/will infect any executable type file and HTML files. For example, see what ESET was showing.
     
  40. djames216

    djames216 Private E-2

    OK, well thanks for trying. I will be instructing the user that the only files I will be backing up are music, photos, documents, videos etc. I've only skimmed through but it looks to be mostly music and photos.

    What is the stance on emails? Should I avoid emails with attachments and html-type newsletter emails?
     
  41. djames216

    djames216 Private E-2

    Never mind. I have since created a backup DVD of music, emails etc., used ESET's Online Scanner to scan (including archives) the DVD (no threats found). And am now thoroughly formatting (i.e. not quick format) the HD for re-install of windows.
     
  42. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    If you have any malware problems after the reinstall then you should not just format, you should actually delete partitions, create new partitions, and then format and reinstall. This is actually a much safer and recommended solution after having malware.
     
  43. djames216

    djames216 Private E-2

    Yes, I had already deleted the partitions and created a new one, but it looks like the hard drive can't take the strain. After the full format, it's noisy and very slow to non-moving. Looks like a new hard drive is in order.
     
  44. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You may want to post in the Hardware Forum to check it out. Running chkdsk may be the first thing to run but you may want to try running some other hard disk diagnostics too.

    However your C and D partitions ( on drive ) show that your drive is fairly small by today's standards and an upgrade may not be a bad idea anyway.
     
  45. djames216

    djames216 Private E-2

    Nah, it's cool. Had a spare HD knocking around that I installed with twice the capacity. All back up and running again. Scanned the backup DVD at least 3 times with different software, infection free every time. Laptop now fully functioning and infection free. Gonna physically destroy the old HD, as it's just not worth bothering to save. Thanks again for all your efforts.
     
  46. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

