"Your're in Danger" Malware and Windows XP SP3 [Solved] - Geeks to Go Forums


"Your're in Danger" Malware and Windows XP SP3 [Solved]

#1 brian85

  • Group: Member
  • Posts: 5
  • Joined: 13-August 09

Posted 13 August 2009 - 10:29 PM

Hi. My Windows XP desktop computer has caught some Malware. I've taken preliminary steps towards removing it (including the Malware and Spyware Cleaning Guide) but I think I'm not out of the woods yet.

A week and a half ago, my computer caught the "Warning! Your're in danger!" malware that is referenced in other posts on this site. My computer's background turned to the "Warning! Your're in danger!" message and the piece of fake antivirus software began running, as described in other threads on this forum. I lost all control of the computer, wasn't able to click on anything or ctrl+alt+delete etc. Eventually I pulled the power plug. After a few tries, I was able to boot in safe mode and run my McAfee antivirus software, which detected the infection and "quarantined" it. I then re-booted in normal mode, and was able to run programs, access the internet, etc.

I then followed the first several steps in this site's Malware and Spyware Cleaning Guide. My most recent Malwarebytes log (I've run it several times, most recently this evening) is posted at the end of this message. As you can see from the log, I'm running XP with Service Pack 2. Step 3 of the guide wants me to install all updates, but I've read accounts of trouble with SP3, including that it might cause stability problems if the computer has other issues. I'm concerned that my computer falls into the category of having "issues". Would it be in my best interest to install SP3 anyhow?

The computer has "relapsed" a few times since then, with the fake anti-virus software attempting to run. Each time I have been able to stop it by running either McAfee or Malwarebytes. Malwarebytes always detects a trojan and claims to have quarantined and deleted it, but if I reboot and run Malwarebytes again, it detects the trojan again.

I guess I'm first trying to figure out if I should install SP3, or just proceed on to step 5 (Rootkit Detection) to get rid of this malware. Or should I do something else entirely? :)

Your assistance would be greatly appreciated, and I'm happy to provide more information if needed.

Thanks,

Brian

Malwarebytes' Anti-Malware 1.40
Database version: 2555
Windows 5.1.2600 Service Pack 2

8/13/2009 8:59:42 PM
mbam-log-2009-08-13 (20-59-42).txt

Scan type: Quick Scan
Objects scanned: 117069
Time elapsed: 4 minute(s), 51 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
\\?\globalroot\systemroot\system32\geyekreoxlnxwk.dll (Trojan.TDSS) -> Delete on reboot.

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
\\?\globalroot\systemroot\system32\geyekreoxlnxwk.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
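The quick-scan log above carries the two signals that explain the "relapse" described in this post: the memory module is marked "Delete on reboot" (removal was deferred because the DLL was loaded), and its path is reported through the `\\?\globalroot\` object-manager namespace rather than a drive letter, which is how a kernel-mode hider such as Trojan.TDSS keeps the file out of a normal directory listing. The following triage helper is an added example written for this thread, not Malwarebytes code or anything posted in the thread; the log samples inside it are constructed from the lines in this post and the later full-scan log in post #7, and the `parse_mbam_log`/`triage` names and the verdict labels are the example's own.

```python
r"""Triage helper for Malwarebytes' Anti-Malware 1.x text logs.

Hypothetical helper written for this thread, not Malwarebytes code.  It
parses the summary counts and per-section detection lines of an MBAM 1.x
log and flags the two things a responder checks before calling a machine
clean:
  * "Delete on reboot" items: the file was locked, so removal was deferred
    and can be undone if something still running re-creates it (the
    "relapse" described in the thread);
  * paths under \\?\globalroot\: an NT object-manager namespace path a
    normal directory listing never shows, a hallmark of the kernel-mode
    hiding used by the Trojan.TDSS family named in the log.
"""
import re
from dataclasses import dataclass, field

# Constructed sample: the relevant lines of the quick-scan log in post #1.
QUICK_SCAN_LOG = r"""
Scan type: Quick Scan
Memory Modules Infected: 1
Files Infected: 1

Memory Modules Infected:
\\?\globalroot\systemroot\system32\geyekreoxlnxwk.dll (Trojan.TDSS) -> Delete on reboot.

Files Infected:
\\?\globalroot\systemroot\system32\geyekreoxlnxwk.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
"""

# Constructed sample: the detections from the later full-scan log (post #7).
FULL_SCAN_LOG = r"""
Scan type: Full Scan (C:\|D:\|)
Folders Infected: 1
Files Infected: 1

Folders Infected:
C:\Documents and Settings\All Users\Application Data\12410314 (Rogue.Multiple) -> Quarantined and deleted successfully.

Files Infected:
C:\Documents and Settings\All Users\Application Data\12410314\12410314 (Rogue.Multiple) -> Quarantined and deleted successfully.
"""

SUMMARY_RE = re.compile(r"^(?P<name>[A-Za-z ]+ Infected): (?P<count>\d+)$")
SECTION_RE = re.compile(r"^(?P<name>[A-Za-z ]+ Infected):$")
DETECTION_RE = re.compile(r"^(?P<path>.+?) \((?P<family>[^()]+)\) -> (?P<action>.+?)\.?$")
GLOBALROOT_PREFIX = "\\\\?\\globalroot\\"   # the literal prefix \\?\globalroot\


@dataclass
class Detection:
    section: str
    path: str
    family: str
    action: str

    @property
    def deferred(self) -> bool:
        """Removal postponed to next boot; the item may still be live now."""
        return "delete on reboot" in self.action.lower()

    @property
    def hidden_namespace(self) -> bool:
        """Reported through the object-manager namespace, not a drive letter."""
        return self.path.lower().startswith(GLOBALROOT_PREFIX)


@dataclass
class Report:
    scan_type: str = ""
    summary: dict = field(default_factory=dict)      # "Files Infected" -> 1
    detections: list = field(default_factory=list)   # Detection objects


def parse_mbam_log(text: str) -> Report:
    """Walk the log once; a blank line ends the current detection section."""
    report, section = Report(), None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            section = None
        elif line.startswith("Scan type:"):
            report.scan_type = line.split(":", 1)[1].strip()
        elif (m := SUMMARY_RE.match(line)):
            report.summary[m.group("name")] = int(m.group("count"))
        elif (m := SECTION_RE.match(line)):
            section = m.group("name")
        elif section and (m := DETECTION_RE.match(line)):
            report.detections.append(Detection(section, *m.group("path", "family", "action")))
    return report


def triage(report: Report) -> dict:
    """Verdict plus the evidence behind it, for the reply to the thread."""
    deferred = sorted({d.path for d in report.detections if d.deferred})
    hidden = sorted({d.path for d in report.detections if d.hidden_namespace})
    if not report.detections:
        verdict = "clean"
    elif deferred or hidden:
        verdict = "follow-up needed"   # run a rootkit scan before trusting the box
    else:
        verdict = "cleaned, rescan to confirm"
    return {"verdict": verdict, "families": sorted({d.family for d in report.detections}),
            "deferred": deferred, "hidden_namespace": hidden}


if __name__ == "__main__":
    for name, log in (("post #1 quick scan", QUICK_SCAN_LOG), ("post #7 full scan", FULL_SCAN_LOG)):
        print(name, "->", triage(parse_mbam_log(log)))
```

Run against the post #1 log the verdict is "follow-up needed" with the globalroot DLL listed under both `deferred` and `hidden_namespace`, which is the state the helper in the next reply responds to by asking for rootkit scans; the post #7 full-scan log yields "cleaned, rescan to confirm" because its Rogue.Multiple entries were removed outright from ordinary drive-letter paths.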

#2 fenzodahl512

  • Group: Malware Removal
  • Posts: 9,863
  • Joined: 30-November 07

Posted 14 August 2009 - 12:03 AM

Go HERE and download SysProt AntiRootkit. Unzip it to your Desktop
  • Run SysProt >> Click on the Log tab
  • Tick ALL the boxes at the "Write to log" section (Do NOT tick the "Hidden Objects Only" options)
  • Hit the Create Log button
  • When it asks for the scanning option, choose Scanning all drives >> Hit the Start button (Do NOT hit the "Ok" button)
  • Let it scan until it finishes
  • Find the log.txt inside the SysProt folder and attach the log here.

NEXT

Download this tool to desktop:

http://www2.gmer.net/mbr/mbr.exe

Double click it & post the log it creates on desktop. (mbr.log)

#3 brian85

  • Group: Member
  • Posts: 5
  • Joined: 13-August 09

Posted 14 August 2009 - 12:37 AM

Thanks for your quick reply.

I downloaded and ran SysProt as requested. It generated the following error message: "There is no disk in the drive. Please insert a disk into drive \Device\Harddisk\DR4". It did generate a log though (see attached).

I then ran mbr. The log appears to contain an error message, but it is posted below.

Thanks,

Brian

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.6 by Gmer, http://www.gmer.net

device: opened successfully
user: error reading MBR
kernel: MBR read successfully
BIOS signateure not found

#4 fenzodahl512

  • Group: Malware Removal
  • Posts: 9,863
  • Joined: 30-November 07

Posted 14 August 2009 - 12:41 AM

Please make sure you disable ALL of your Antivirus/Antispyware/Firewall before running ComboFix.. Please visit HERE if you don't know how.. Please re-enable them after performing all the steps given..

Please download ComboFix by sUBs from HERE or HERE and save it to your Desktop.

During the download, rename Combofix to Combo-Fix as follows:

[two screenshots of the rename step were posted here]

It is important you rename Combofix during the download, but not after.

**NOTE: If you are using Firefox, make sure that your download settings are as follows:
  • Tools->Options->Main tab
  • Set to "Always ask me where to Save the files".
After that, double-click and run Combo-Fix. Let it finish its job and post the log here

If ComboFix asks you to install the Recovery Console, please do so.. It will be in your best interest..

Note: DON'T do anything with your computer while ComboFix is running.. Let ComboFix finish its job..

#5 brian85

  • Group: Member
  • Posts: 5
  • Joined: 13-August 09

Posted 15 August 2009 - 02:14 AM

Okay, I ran Combofix. Before disabling my antivirus & firewall I habitually disabled my internet connection which of course caused Combofix to be unable to install the recovery console. So I ran it again, this time with my internet connection enabled. I have posted both logs below (Log 1 = Internet Connection Disabled. Log 2 = Internet Connection Enabled). I do not know why the logs indicate "McAfee Personal Firewall "enabled"", as I had disabled both the antivirus and firewall in McAfee.

Thanks,

Brian

#6 fenzodahl512

  • Group: Malware Removal
  • Posts: 9,863
  • Joined: 30-November 07

Posted 15 August 2009 - 02:18 AM

Please download Malwarebytes' Anti-Malware from HERE or HERE

Note: If you already have Malwarebytes' Anti-Malware, just run and update it.. Then do a "Perform Full Scan"

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Full Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.

Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

Please run a free online scan with the ESET Online Scanner
Note: You will need to use Internet Explorer for this scan.
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the options Remove found threats and Scan unwanted applications are checked
  • Click Scan
  • Wait for the scan to finish
  • Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  • Copy and paste that log as a reply to this topic

How's the computer now? :)

#7 brian85

  • Group: Member
  • Posts: 5
  • Joined: 13-August 09

Posted 16 August 2009 - 11:56 AM

Please see the logs from my Malwarebytes and ESET scans below. Both scans ran smoothly. The only glitch was when Malwarebytes attempted to reboot my computer after the scan completed, the computer never shut down. It got stuck on the screen that says "Installing update 2 of 2, do not unplug your computer; it will turn off automatically." I let it sit there for 5 hours, then gave up and unplugged it and rebooted.

The computer itself seems to be running okay; hasn't had any major virus "symptoms" since you started helping me. I have lost over a gigabyte of space on my (small) system drive since we started the process though.

What does it look like to you based on what you're seeing in the logs? Do you think I am safe to do things like online banking again? And what about my SP2 vs. SP3 question... any thoughts on that?

I really appreciate your help!

Brian


Malwarebytes Log

Malwarebytes' Anti-Malware 1.40
Database version: 2632
Windows 5.1.2600 Service Pack 2

8/15/2009 7:20:22 PM
mbam-log-2009-08-15 (19-20-22).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 223773
Time elapsed: 1 hour(s), 18 minute(s), 30 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Documents and Settings\All Users\Application Data\12410314 (Rogue.Multiple) -> Quarantined and deleted successfully.

Files Infected:
C:\Documents and Settings\All Users\Application Data\12410314\12410314 (Rogue.Multiple) -> Quarantined and deleted successfully.


ESET Log

ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=6
# iexplore.exe=7.00.6000.16876 (vista_gdr.090625-2339)
# OnlineScanner.ocx=1.0.0.6048
# api_version=3.0.2
# EOSSerial=2f770c46e5fdaf4e8dacc37ca4ebb2e8
# end=finished
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2009-08-16 09:10:33
# local_time=2009-08-16 02:10:33 (-0800, Pacific Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 2
# compatibility_mode=5121 21 100 88 117928451510949
# scanned=102872
# found=0
# cleaned=0
# scan_time=3419

#8 fenzodahl512

  • Group: Malware Removal
  • Posts: 9,863
  • Joined: 30-November 07

Posted 16 August 2009 - 11:29 PM

Looks good to me.. It's okay to do online banking now.. Let's do some cleanup...


Please download OTC and save it to Desktop.
  • Make sure you have internet connection..
  • Double-click OTC
  • Click the CleanUp! button.
  • Select Yes when the "Begin cleanup Process?" prompt appears.
  • If you are prompted to Reboot during the cleanup, select Yes


Please read these excellent articles written by my friends:
Preventing Malware and Safe Computing by Rorschach112
What makes your machine slow? by Artellos


Also, please read these excellent articles by miekiemoes :
Help! My computer is slow!
How to prevent Malware


Read this great info about safe internet surfing..

http://www.pcpitstop...safesurfing.asp
http://bluefive.pair...afe_surfing.htm


Please reply to this thread once more and tell us about the computer behaviour before we can close this thread :)

Have a safe and happy computing day!

Regards
fenzodahl512

#9 brian85

  • Group: Member
  • Posts: 5
  • Joined: 13-August 09

Posted 18 August 2009 - 12:28 AM

I ran OTC and rebooted without incident. Things appear to be running smoothly (knock on wood).

Many thanks for your assistance! :)

Brian

#10 fenzodahl512

  • Group: Malware Removal
  • Posts: 9,863
  • Joined: 30-November 07

Posted 18 August 2009 - 01:22 AM

Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
