WinXP SP3 caught a nasty virus

Discussion in 'Malware Help (A Specialist Will Reply)' started by jabird, Jul 8, 2010.

  1. jabird

    jabird Private E-2

    At about 8pm last night I started having lockups, slowdowns and a rogue anti-virus program trying to sell me software. This later progressed to opening IE and browsing to pornographic websites.

    I was currently using Avast! Free, which reported that at around 8pm somewhere around 103 files were infected. I ran my usual scans; I used to work in a computer shop, so I can usually knock these suckers out. But finally I wasn't finding any infections and was having the same problems. So I did a quick search, found your READ ME tutorial and followed it as closely as it fit my situation.

    After running all of this in safe mode, I rebooted to normal mode and am still experiencing lockups, and IE keeps getting set as my default browser. Currently my only option is to boot in safe mode in order to do work. So now I'm at your mercy; my log files are being attached as directed. Let me know if you need any more. Thanks in advance!

    Still waiting on RootRepeal but I need to post a new message anyway. It found several things earlier but I forgot to save the log.
     

    Attached Files:

  2. jabird

    jabird Private E-2

    And here's the RootRepeal log, once again thank you. I'll be out off and on for the next few hours sorry if I don't reply in a timely manner. :major
     
  3. jabird

    jabird Private E-2

    Whoops, didn't get it added to that one, sorry about that. Here it goes again.
     

    Attached Files:

  4. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    What products do you or did you have installed from Symantec? I am seeing the below installed in the logs:

    • LiveReg (Symantec Corporation)
    • LiveUpdate 1.6 (Symantec Corporation)

    I am not now seeing any malware apart from what SUPERAntiSpyware removed. There is a strange directory I am taking a look inside of, though. Let's do this:

    Running from: c:\documents and settings\Administrator\My Documents\Downloads\ComboFix.exe <--- This needs to be directly on your desktop as stated in the R&R. Please move it there now.

    Remove this outdated Java from add/remove programs.
    • J2SE Runtime Environment 5.0 Update 1
    • Java(TM) 6 Update 17

    Now we need to use ComboFix
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    • If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
    • Open Notepad and copy/paste the text in the below quote box. Ensure you scroll down to select ALL the lines:
    Code:
    
    KILLALL::
    
    File::
    c:\windows\system32\pool.bin
    
    DirLook::
    C:\Documents and Settings\NetworkService\Local Settings\Application Data\ceslywahv
    
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe

      http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below

    Note:

    Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

    Reboot your machine and install the most current and up to date version of Java available here at the below link:

    Java Runtime 6

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this.

    Tell me how things are running.
     
  5. jabird

    jabird Private E-2

    The Symantec listings you see are for pcAnywhere; I use it to connect to a private network to do work from home.

    I've made a few more advances in fixing the problem since my last post; I can now work in normal mode, whereas before everything was done in safe mode with networking. It still takes a while to load some programs; it seems to hang for a while, but I've changed a lot and it probably could stand a nice defrag. I also no longer get network discovery for my home workgroup but can still access shares with \\Computer-Name\Share. I can probably fix that one; I just haven't been home much lately.

    Anyway, here are the log files you requested.

    Thank you!
     

    Attached Files:

    Last edited: Jul 10, 2010
  6. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    What do you know about these 0 byte files?
    • C:\Documents and Settings\Shawn\Application Data\Comedy Noises
    • C:\Documents and Settings\Shawn\Application Data\Commands
    • C:\Documents and Settings\All Users\Application Data\Colors
    • C:\Documents and Settings\All Users\Application Data\Command Line Utility

    Are you set up to use the following proxy? I suspect not, so if that's the case let's fix it:


    Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    After clicking Fix exit HJT.

    Do not forget to install new java.

    Now we need to use ComboFix
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    • If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
    • Open Notepad and copy/paste the text in the below quote box. Ensure you scroll down to select ALL the lines:
    Code:
    
    KILLALL::
    
    File::
    c:\documents and settings\All Users\Application Data\PKP_DLdw.DAT
    c:\documents and settings\All Users\Application Data\PKP_DLdu.DAT
    C:\Documents and Settings\Shawn\pool.bin
    
    Folder::
    c:\documents and settings\NetworkService\Local Settings\Application Data\ceslywahv
    
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe

      http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below

    Note:

    Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this.

    Let me know how things are running now and answer my question regarding those files.
     
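The CFScript posted above lists the artifacts ComboFix is told to remove, grouped under section headers that end in `::` (`KILLALL::`, `File::`, `Folder::`, and `DirLook::` in the earlier script). Before handing such a script to a removal tool, or when asked about 0-byte files as in the post above, it helps to resolve every listed path and record what is actually there. The following is an added example, not code from the thread or from the ComboFix author: it parses the section/entry format, maps each Windows path onto a local root, and reports whether each entry is a file (with its size), a directory, or missing. The sample script text is taken from the post; the on-disk tree it is checked against is constructed in a temporary directory, with path components lower-cased to mimic Windows' case-insensitive matching.

```python
import tempfile
from pathlib import Path, PureWindowsPath

# Constructed sample: the File:: and Folder:: entries from the CFScript in the post above.
SAMPLE_SCRIPT = """\
KILLALL::

File::
c:\\documents and settings\\All Users\\Application Data\\PKP_DLdw.DAT
C:\\Documents and Settings\\Shawn\\pool.bin

Folder::
c:\\documents and settings\\NetworkService\\Local Settings\\Application Data\\ceslywahv
"""


def parse_cfscript(text):
    """Return {section_name: [entries]} for CFScript-style text.

    A line ending in '::' opens a section (name stored without the '::');
    every non-empty line beneath it is an entry of that section.
    """
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith("::"):
            current = line[:-2]
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections


def local_path(root, win_path):
    """Map a Windows path like 'C:\\Dir\\file' onto <root>/dir/file (lower-cased)."""
    wp = PureWindowsPath(win_path)
    parts = wp.parts[1:] if wp.anchor else wp.parts  # drop the 'c:\\' anchor
    return Path(root).joinpath(*[p.lower() for p in parts])


def inventory(entries, root):
    """Classify each listed path as ('file', size), ('dir', None) or ('missing', None)."""
    results = []
    for entry in entries:
        target = local_path(root, entry)
        if target.is_dir():
            results.append((entry, "dir", None))
        elif target.is_file():
            results.append((entry, "file", target.stat().st_size))
        else:
            results.append((entry, "missing", None))
    return results


def demo():
    """Build a constructed tree: one 0-byte file, one absent file, one folder; then inventory it."""
    root = tempfile.mkdtemp()
    sections = parse_cfscript(SAMPLE_SCRIPT)
    first_file = local_path(root, sections["File"][0])
    first_file.parent.mkdir(parents=True, exist_ok=True)
    first_file.touch()  # a 0-byte file, like the ones the post asks about
    local_path(root, sections["Folder"][0]).mkdir(parents=True, exist_ok=True)
    return {name: inventory(entries, root) for name, entries in sections.items()}


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"[{name}]")
        for entry, kind, size in rows:
            print(f"  {kind:7} {'' if size is None else size:>4} {entry}")
```

Run against a real machine you would point `local_path` at the actual drive root (and drop the lower-casing, since NTFS preserves case); the point of the offline version is that the parser and the triage report are exercised without touching a live system.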
