XP Pro SP3 32bit; windowsupdate blocked, ComboFix & MGtools hang

Discussion in 'Malware Help (A Specialist Will Reply)' started by Pinball Fan, Oct 26, 2010.

  1. Pinball Fan

    Pinball Fan Private E-2

    I'm trying to support a co-worker and this malware is the most difficult one I've faced in a long time. It opens occasional pop-ups (I saw one pointing to "trackmizer.com"), seems to like redirecting Google searches, and blocks any attempt to go to the Microsoft windowsupdate site (Internet Explorer cannot display the webpage). I ran through the list of things to do before posting...

    SUPERAntiSpyware found nothing (however, I believe that it had been run previously and found & deleted about a dozen items).

    Malwarebytes' Anti-Malware found nothing.

    ComboFix hung, after putting up the Autoscan window. It displayed the message "However, scan times for badly infected machines may easily double", and that was it. There was some disk activity for about 2 minutes, then nothing. I waited about 20 minutes. Checking task manager, there was no CPU activity either. I had to power-off the computer.

    RootRepeal found several files "Locked to the Windows API!"; these included the Windows hibernation file (C:\hiberfil.sys) and many files apparently associated with Dell's eSupport DownloadManager. There were a handful of other files too; see attached log.

    Lastly, MGTools also hung, immediately after starting. The last message it displayed was "NOTE: Ignore any error messages about not finding registry keys! Just wait for the program to finish running!!". Just like ComboFix, I waited at least 20 minutes, there's no disk activity, and task manager shows no CPU utilization either. Also like ComboFix, the only way I could get it to exit was to power-off the computer.

    All of the tools were downloaded from the links provided on the page http://forums.majorgeeks.com/showthread.php?t=139313 this morning.

    Thanks for any help you might be able to offer...
    Scott
     

  2. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Go to TDSSKiller and Download TDSSKiller.zip to your Desktop

    • Extract its contents to your Desktop so that you have TDSSKiller.exe directly on your Desktop and not in any subfolder of the Desktop.
    • Now double click the TDSSkiller.exe file to run it (if using Vista or Windows 7 do not double click on it but rather, right click and select Run As Administrator).
    • Allow the application to run and a window will open showing that it is TDSSkiller from Kaspersky
    • Click Start scan
    • It will run rather quickly and will notify you of whether anything is found or not.
    • Follow the instructions to delete/quarantine if it asks you what to do when it finds something.
    Whether an infection is found or not, a log file should be created on your C: drive ( or whatever drive you boot from) in the root folder named something like TDSSKiller.2.1.1_27.12.2009_14.17.04_log.txt which is based on the program version # and date and time run. Please attach this log to your next reply. (See: HOW TO: Attach Items To Your Post )


    Try renaming combofix.exe to kestrel13.com and rename MGTools.exe to magpie.com, try and run them in normal mode, and if that proves problematic in any way then please try safe mode.

    Attach logs if you were successful.
     
  3. Pinball Fan

    Pinball Fan Private E-2

    Thanks, Kestrel13!...TDSSKiller definitely helped. After it ran (and the reboot that it wanted), ComboFix and MGTools ran fine as-is. I didn't have to rename them nor run them in safe mode.

    The logs are attached...
    Scott
     


  4. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    What happened with AVG? Why did you uninstall it? It has left behind many remnants.

    If you did not deliberately set this proxy yourself then please include it in the HJT fix below:

    Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    After clicking Fix exit HJT.

    Now we need to use ComboFix
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    • If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
    • Open Notepad and copy/paste the text in the below quote box. Ensure you scroll down to select ALL the lines:
    Code:
    KILLALL::
    
    Driver::
    osiul
    File::
    c:\windows\system32\lsp3.tmp
    c:\windows\system32\drivers\fmpbbvgyiynoig.sys 
    DirLook::
    c:\documents and settings\All Users\Application Data\MFAData
    FileLook::
    c:\windows\system32\KOBJUJ_L.DLL
    c:\windows\system32\Spool\prtprocs\w32x86\KOBJUA_P.DLL
    c:\windows\system32\KOBJUA_L.DLL
    RegLock::
    [HKEY_USERS\S-1-5-21-770428285-1606066415-2055916039-500\Software\Microsoft\Internet Explorer\User Preferences]
    
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe

      http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below

    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    Please go to virustotal and upload the following files for analysis, and let me know the results.

    • c:\windows\system32\KOBJUJ_L.DLL
    • c:\windows\system32\Spool\prtprocs\w32x86\KOBJUA_P.DLL
    • c:\windows\system32\KOBJUA_L.DLL

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this.

    Things running okay for you?
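A small parser for the CFScript layout used above, added here as an example and not part of the thread or of ComboFix itself. It assumes only what the posted script shows: a line ending in "::" opens a section, the non-blank lines that follow are that section's entries, and a bare directive such as KILLALL:: has none. Splitting the directives into ones that change the system and ones that only report lets you review exactly what a script will do before dragging it onto ComboFix.exe.

```python
"""Parse a ComboFix CFScript into its sections for review before running it."""
from collections import OrderedDict

# Classification is this example's own, limited to directives seen in the
# thread: these sections delete, stop or lock something ...
MODIFYING = {"KILLALL", "Driver", "File", "RegLock"}
# ... while these only list a directory or file in the ComboFix log.
REPORT_ONLY = {"DirLook", "FileLook"}

# Sample input constructed from the script posted above.
SAMPLE = r"""KILLALL::

Driver::
osiul
File::
c:\windows\system32\lsp3.tmp
c:\windows\system32\drivers\fmpbbvgyiynoig.sys
DirLook::
c:\documents and settings\All Users\Application Data\MFAData
FileLook::
c:\windows\system32\KOBJUJ_L.DLL
c:\windows\system32\Spool\prtprocs\w32x86\KOBJUA_P.DLL
c:\windows\system32\KOBJUA_L.DLL
RegLock::
[HKEY_USERS\S-1-5-21-770428285-1606066415-2055916039-500\Software\Microsoft\Internet Explorer\User Preferences]
"""


def parse_cfscript(text):
    """Return an ordered mapping of section name -> list of entry lines."""
    sections = OrderedDict()
    current = None
    for raw in text.splitlines():
        line = raw.strip()          # trailing spaces (as on the .sys line) are noise
        if not line:
            continue
        if line.endswith("::"):
            current = line[:-2]
            sections.setdefault(current, [])
        elif current is None:
            raise ValueError("entry before any section header: %r" % line)
        else:
            sections[current].append(line)
    return sections


def summarize(sections):
    """Split parsed section names into (modifying, report-only, unknown) lists."""
    modifying = [s for s in sections if s in MODIFYING]
    report = [s for s in sections if s in REPORT_ONLY]
    unknown = [s for s in sections if s not in MODIFYING | REPORT_ONLY]
    return modifying, report, unknown
```

Any name landing in the "unknown" list is a directive this example does not know, which is the cue to look it up before running the script.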
     
  5. Pinball Fan

    Pinball Fan Private E-2

    Hi Kestrel13!

    I don't have the computer at this time -- I'll have to work on your next set of instructions tomorrow (12 hours from now, approximately). After the last set of steps, the computer appeared to be running OK and my co-worker really REALLY wanted it back. I told him OK, but stop using it if anything weird occurred again -- and I also told him that I reserve the right to yank it back from him if necessary.

    Re: AVG. My co-worker threw that on there himself to try to fix the problem initially. Since we ALREADY have Symantec on our computers, that really made a mess of things. Hence my un-installing it. I've also removed Symantec, since that was an old version that needed to be replaced anyway. (I'll install the new version when everything's cleaned up.)

    No known reason that I know of for the proxy.

    I'll update this tomorrow with the results of running your recommended steps.

    Thanks again!
     
  6. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    No problem. :) I will be waiting.
     
  7. Pinball Fan

    Pinball Fan Private E-2

    Kestrel13!, it looks like my co-worker has decided that he needs his computer "all the time" and isn't willing to let me have it back for any further troubleshooting. Apparently I got "enough" cleaned off of it (with your help!) to make it usable. Oh well.

    If I am able to get it back eventually, should I find this thread and post to it again, or open a new thread instead?

    Thanks for your help!
     
  8. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    You can continue here if necessary. Remember... he needs to know these files need closer examination:

    • c:\windows\system32\KOBJUJ_L.DLL
    • c:\windows\system32\Spool\prtprocs\w32x86\KOBJUA_P.DLL
    • c:\windows\system32\KOBJUA_L.DLL
    I think they are malware. But I was going to run them through an online scanner to see what they picked up on.
     
  9. Pinball Fan

    Pinball Fan Private E-2

    Well...the problems came back, so my co-worker gave his computer back to me.

    All 3 of the files that you asked me to submit to virustotal came back clean. The 1st & 3rd files had not been seen by virustotal before; the 2nd one had been submitted on October 6th.

    I re-ran TDSSKiller, ComboFix, and MGTools before doing the additional steps that you outlined most recently, figuring that the computer had been re-infected back to where it was when I started a couple of days ago.

    As you requested, the new logs are attached.

    Note: As I mentioned recently, I have installed a newer version of Symantec antivirus (disabled while running all the steps tonight), so that probably will be visible in the logs.
     


  10. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Okay, the files we had scanned with VirusTotal are fine. They belong to KONICA.

    So tell me, are you still being redirected?

    What problems now remain?
     
