TechSpot

Help please

By malvern
Jan 7, 2010
  1. Hello, thank you for your attention to this problem.

    The symptom starts from a series of notifications by Symantec Endpoint Protection (auto protect scan) indicating that it found Trojan.FakeAV!gen11 in C:\WINDOWS\Temp\****.tmp\svchost.exe (where **** represents any 4 English letters). And Symantec is able to clean by deletion each time this trojan was found. However, it continuously comes back. One symptom that I found is that it (or something else) redirected all google search results to some websites in any web browser (not just IE). Another interesting thing is that when I closed my laptop (wireless) internet connection, the Endpoint will not report this trojan. And I tried to restart the laptop using safe mode, but the laptop refused to start in safe mode (it will automatically go back to reboot each time I choose "start using safe mode").

    I followed the "UPDATED 8-step Viruses/Spyware/Malware Preliminary Removal Instructions":

    Step 1: ran full scan using Symantec Endpoint (updated virus definition before the scan) and found nothing (no risk). (However, during the full scan, the endpoint auto protect is continuously finding this trojan if I turned on the wireless internet connection). I also disabled system restore when endpoint was scanning.

    Step 2: done three times.

    Step 3: disabled Symantec Endpoint Protection.

    Step 4: attached the log for Malwarebytes.

    Step 5: attached the log for superantispyware. (However, during the scan by superantispyware, the Symantec Endpoint Protection notification shows up again - the auto-protect scan found the same thing in C:\WINDOWS\Temp\*.exe (where * is an English letter), but this time endpoint can't delete or clean this trojan. I don't know how to turn the endpoint auto-protect scan off).

    Step 6: done as required.

    Step 7: done and attached log.

    Step 8: done.

    Thank you again and waiting for your help.
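The indicator in the post above, a file named svchost.exe running from a .tmp folder under C:\WINDOWS\Temp instead of from System32, is something a defender can check for mechanically rather than waiting for the antivirus to notice. The following is an added example, not code from the thread or from any of the tools mentioned in it; it runs over a constructed process list and assumes %SystemRoot% is C:\WINDOWS.

```python
import ntpath

# Assumption for this example: %SystemRoot% on the machine is C:\WINDOWS.
SYSTEM_ROOT = r"C:\WINDOWS"
TEMP_DIR = ntpath.join(SYSTEM_ROOT, "Temp")

# Directories where these Windows XP system binaries legitimately live.
EXPECTED_DIRS = {
    "svchost.exe": [ntpath.join(SYSTEM_ROOT, "System32")],
    "explorer.exe": [SYSTEM_ROOT],
}

# Constructed sample process list (image name, image path); not from the poster's machine.
# The third entry mirrors the path pattern Symantec reported in this thread.
SAMPLE_PROCESSES = [
    ("svchost.exe", r"C:\WINDOWS\System32\svchost.exe"),
    ("explorer.exe", r"C:\WINDOWS\explorer.exe"),
    ("svchost.exe", r"C:\WINDOWS\Temp\ABCD.tmp\svchost.exe"),
    ("notepad.exe", r"C:\WINDOWS\System32\notepad.exe"),
    ("k.exe", r"C:\WINDOWS\Temp\k.exe"),
]

def _norm(path):
    """Case-fold and normalise a Windows path so comparisons are not fooled by case or '..'."""
    return ntpath.normpath(path).lower()

def check_process(name, path):
    """Return a reason string if the process looks suspicious, otherwise None."""
    name = name.lower()
    directory = _norm(ntpath.dirname(path))
    # A well-known system binary name running outside its home directory is the
    # classic masquerade: the name looks normal in Task Manager, the path does not.
    if name in EXPECTED_DIRS and directory not in {_norm(d) for d in EXPECTED_DIRS[name]}:
        return "system binary name running from unexpected directory"
    # Anything executing out of the Windows Temp tree deserves a look regardless of name.
    temp = _norm(TEMP_DIR)
    if directory == temp or directory.startswith(temp + "\\"):
        return "executable running from the Windows Temp directory"
    return None

def find_suspicious(processes):
    """Apply check_process to (name, path) pairs and return the flagged ones."""
    flagged = []
    for name, path in processes:
        reason = check_process(name, path)
        if reason:
            flagged.append((name, path, reason))
    return flagged

if __name__ == "__main__":
    for name, path, reason in find_suspicious(SAMPLE_PROCESSES):
        print(f"{name:12} {path:45} {reason}")
```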
     
  2. malvern

    malvern TS Rookie Topic Starter

    While waiting for some help, I browsed some other posts regarding a similar problem. I tried using ESET online scanner and found 2 threats. I also tried Trojan Remover; attached please find the log. I also attach a new HijackThis log after these actions.
     
  3. Tmagic650

    Tmagic650 TS Ambassador Posts: 17,244   +234

    There are some things in the Hijackthis log that need to be fixed or deleted:

    O9 - Extra button: (no name) - {09BA8F6D-CB54-424B-839C-C2A6C8E6B436} - (no file)
    O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
    O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
    O2 - BHO: (no name) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
    O2 - BHO: Thunder AtOnce - {01443AEC-0FD1-40fd-9C87-E93D1494C233} - (no file)
     
  4. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Malvern, you have jumped the gun. Please do not run any more programs at this point. I am checking your logs for entries to be removed. Unfortunately, the member who advised you seems only to have reviewed a few lines.
     
  5. malvern

    malvern TS Rookie Topic Starter

    Thank you both. I will wait.
     
  6. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Sorry it took so long, but you have a lot of entries I wasn't familiar with and I checked every one of them:

    Please reopen the HijackThis log to 'do system scan only.' Check the following if present:

    O2 - BHO: Thunder AtOnce - {01443AEC-0FD1-40fd-9C87-E93D1494C233} - (no file)
    O4 - HKLM\..\Run: [DeleteLog] c:\windows\system32\oobe\DeleteLog.exe
    O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe /boot
    O8 - Extra context menu item: &U使用米人下载并收藏 - C:\Program Files\NamiRobot\Data\du.html
    O8 - Extra context menu item: Use ViDown to download - C:\Program Files\ViDown\vd_link.htm>> (related to uTorrent)
    O9 - Extra button: (no name) - {09BA8F6D-CB54-424B-839C-C2A6C8E6B436} - (no file)>>( related to C:\Program Files\Thunder Network\Thunder\Thunder.exe)
    O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_CA&c=Q106&bd=presario&pf=laptop


    Close all Windows except HijackThis and click on "Fix Checked."

    Boot into Safe Mode
    • Restart your computer and start pressing the F8 key on your keyboard.
    • Select the Safe Mode option when the Windows Advanced Options menu appears, and then press ENTER.

    Start> Settings> Control Panel> Add/Remove Programs> Uninstall the following if present:
    NamiRobo
    Trojan Remover
    ViDown
    Thunder Network
    uTorrent


    Using Windows Explorer: first go to Tools> Folder Options> View tab> Check 'show hidden files and folders'> Uncheck 'hide protected system files-Recommended'> navigate to My Computer> Local Drive (C)> Programs> do a right click> delete on each of the following if present:
    NamiRobo
    Trojan Remover
    ViDown
    Thunder Network
    uTorrent

    Then navigate to Windows> System 32 and right click> Delete the following
    oobe and/or DeleteLog.exe

    Go back and hide the files and folders.
    Empty the Recycle Bin
    Close and reboot into Normal Mode

    (FYI: Thunder Network is a download manager and BitTorrent client developed by Xunlei Corporation. Xunlei is the most commonly used BitTorrent client, due to its popularity in China. It uses P2P technology to speed up downloads but is essentially not a file sharing tool, because sharing is compulsory. Xunlei users are used as peers to speed up others' downloading without being noticed. Strongly recommend staying away from this!)

    Please download ComboFix HERE:
    • With ComboFix, at the download window, please rename it to Combo-Fix(.exe) before downloading it.

      Important! Save the renamed download to your desktop.
    • Please disable all security programs, such as antiviruses, antispywares, and firewalls. Also disable your internet connection.
    • Double click on Combo-Fix.exe and Run- follow the prompts.
      (Understand that things like your system clock changing and your desktop disappearing might happen. Do not worry, because all will be restored later.)
    • Wait for the scan to be completed.
    • If it requires a reboot, please do it.
    • After the scan has completed entirely, please post the log here. The log will be located at C:\ComboFix(.txt)

    Notes:

    1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
    2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
    3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
    4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
    Then rescan with HijackThis.
    Attach Combofix report and new HijackThis log to next reply.
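Bobbye's review above boils down to reading each HijackThis "Onn - ..." line and asking two questions: does the registered object still have a file on disk, and does the entry belong to one of the programs being removed? The following is an added example, not code from the thread or from HijackThis itself; the sample log is assembled from the lines quoted in this thread, and the "slated for removal" list and the triage heuristics are assumptions taken from the post above. Entries like the oobe\DeleteLog.exe autorun still need a human lookup, which is why the CLSIDs are collected separately.

```python
import re

# Constructed sample log built from the HijackThis lines quoted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: Thunder AtOnce - {01443AEC-0FD1-40fd-9C87-E93D1494C233} - (no file)
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O4 - HKLM\..\Run: [DeleteLog] c:\windows\system32\oobe\DeleteLog.exe
O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe /boot
O8 - Extra context menu item: Use ViDown to download - C:\Program Files\ViDown\vd_link.htm
O9 - Extra button: (no name) - {09BA8F6D-CB54-424B-839C-C2A6C8E6B436} - (no file)
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_CA&c=Q106&bd=presario&pf=laptop
"""

ENTRY_RE = re.compile(r"^(O\d+) - (.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")

# Assumption: programs the helper asked to uninstall; entries referencing them get flagged.
SLATED_FOR_REMOVAL = ("namirobo", "trojan remover", "vidown", "thunder", "utorrent")

def parse_entries(log_text):
    """Yield (section, body) for every 'Onn - ...' line in a HijackThis log."""
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            yield m.group(1), m.group(2)

def triage(log_text):
    """Return (section, reason, body) for entries a reviewer should look at."""
    findings = []
    for section, body in parse_entries(log_text):
        low = body.lower()
        if "(no file)" in low:
            # The registry still points at a COM object whose file is gone: harmless but dead weight.
            reason = "orphaned entry: registered object has no file on disk"
        elif section == "O4" and any(p in low for p in SLATED_FOR_REMOVAL):
            reason = "autorun entry belonging to a program slated for removal"
        elif section in ("O8", "O9") and any(p in low for p in SLATED_FOR_REMOVAL):
            reason = "IE extension belonging to a program slated for removal"
        else:
            continue
        findings.append((section, reason, body))
    return findings

def clsids(log_text):
    """Collect every CLSID in the log so each can be looked up before clicking 'Fix Checked'."""
    return sorted({c.upper() for _, body in parse_entries(log_text) for c in CLSID_RE.findall(body)})

if __name__ == "__main__":
    for section, reason, body in triage(SAMPLE_LOG):
        print(f"{section:4} {reason}\n     {body}")
```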
     
  7. malvern

    malvern TS Rookie Topic Starter

    Thank you very much for your detailed instruction. I have tried my best to follow these instructions, but at each major step (reboot using safe mode & scan using combofix), my laptop automatically rebooted after a very quick blue screen with some information (but the info in the blue screen was too quick to read). Specifically, when I rebooted the machine using safe mode, the system stopped at .../drivers/mup.sys and automatically rebooted again - and this went on for a few times, and finally, it successfully rebooted. When I ran combofix (now I'm still trying to run it), the system went to a blue screen each time at various stages of combofix. - the most recent stage of combofix for me to see is backing up the registry, and then a blue screen showed up - system rebooted). I don't know what I should do, but I think I will continue trying combofix. Please instruct me. Thank you.
     
  8. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Did you get any message that Combofix could run because of some kind of malware infection? Let's check that out, in case:

    • Make sure to use Internet Explorer for this
    • Please go to VirSCAN.org FREE on-line scan service
    • Copy and paste the following file path into the "Suspicious files to scan" box on the top of the page:
      • c:\windows\system32\userinit.exe
    • Click on the Upload button
    • If a pop-up appears saying the file has been scanned already, please select the ReScan button.
    • Once the Scan is completed, click on the "Copy to Clipboard" button. This will copy the link of the report into the Clipboard.
    • Paste the contents of the Clipboard in your next reply.
    Also scan these,

    C:\WINDOWS\explorer.exe
    C:\WINDOWS\System32\svchost.exe

    If this scan runs for you, please paste the log in next reply.

    If this doesn't work, I'll have you check the Event Viewer for errors corresponding to the blue screen.
     
  9. Tmagic650

    Tmagic650 TS Ambassador Posts: 17,244   +234

    Bobbye,
    this scan works in Google Chrome too
     
  10. malvern

    malvern TS Rookie Topic Starter

    Thank you. While running VirScan, after I clicked the ReScan button, a few pop-up windows showed up. It looks like software called "Desktop Defender 2010" is running and demanding something through Security Center. I basically can't click anything in IE.
     
  11. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Malvern, please follow the removal instructions here for Desktop Defender 2010. It's well done with screen shots:

    http://www.bleepingcomputer.com/virus-removal/remove-desktop-defender-2010

    Be sure to note this comment:
    Follow the steps for Malwarebytes. You may have to boot into Safe Mode to remove the programs. Security programs usually can't be removed in Normal Mode. Let me know results.

    Thanks Tmagic. Checking with author to verify.
     
  12. malvern

    malvern TS Rookie Topic Starter

    Thank you!

    1. I have followed your instructions to successfully remove the Desktop Defender 2010. However, I should note that my laptop can't get into the safe mode when rebooting (just like before, each time, it stopped at ....\windows\drivers\mup.sys and automatically rebooted). So I ran Malwarebytes in the normal mode.

    2. After removing Desktop Defender, I went one step up: check the files using VirScan. Attached please find the log of VirScan. It seems VirScan did not find anything wrong in those 3 files.

    3. After the VirScan, I went one step up: running Combofix, but I got the same problem (after I started Combofix, a blue screen showed up and the system auto rebooted).

    4. I re-ran Hijack this, and attached the log in this post.

    Please advise. Thank you very much!
     
  13. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    See if this will repair Safe Mode: Run chkdsk c: /r from a Command prompt.

    If needed, go to this step: for the 'mups' error:
    "If you try to restart your computer in Safe mode, your computer may stop responding (hang) when Windows XP tries to load the Agp440.sys service."

    This issue may occur if Windows XP tries to use an incompatible motherboard chipset video driver during startup. To resolve this issue, follow these steps to disable the Agp440.sys service.>>http://support.microsoft.com/kb/324764/en-us

    Okay, the scan should clear you of suspected Virut infection. I'd really like to get those programs uninstalled. This will be an extra step but it might work:

    Click on Start> Run> type in msconfig> enter> Selective Startup> Uncheck any processes for these programs:
    NamiRobo
    Trojan Remover
    ViDown
    Thunder Network
    uTorrent


    If you can't tell what a process is for, expand the Command column. Hold the left mouse button down on the frame between 'Command' and 'Location' and when you see the double-ended arrow, move to the right to widen the Command Column.

    Click on Apply> OK when you have finished unchecking.

    Reboot the computer: NOTE: You will get a nag message that you can ignore and close after checking 'don't show this message again.' Stay in Selective Startup.

    Start> Settings> Control Panel> Add/Remove Programs> Uninstall the following if present:
    NamiRobo
    Trojan Remover
    ViDown
    Thunder Network
    uTorrent


    Using Windows Explorer: first go to Tools> Folder Options> View tab> Check 'show hidden files and folders'> Uncheck 'hide protected system files-Recommended'> navigate to My Computer> Local Drive (C)> Programs> do a right click> delete on each of the following if present:
    NamiRobo
    Trojan Remover
    ViDown
    Thunder Network
    uTorrent

    Then navigate to Windows> System 32 and right click> Delete the following
    oobe and/or DeleteLog.exe

    Go back and hide the files and folders. Empty the Recycle Bin
    Exit Windows Explorer. Reboot.

    Run Eset NOD32 Online AntiVirus Scanner HERE

    Note: You will need to use Internet Explorer for this scan.
    • Tick the box next to YES, I accept the Terms of Use.
    • Click Start
    • When asked, allow the Active X control to install
    • Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
    • Click Start
    • Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
    • Click Scan
    • Wait for the scan to finish
    • Re-enable your Antivirus software.
    • A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.

    Attach the log in next reply. Advise of any remaining malware related system problems.
     
  14. malvern

    malvern TS Rookie Topic Starter

    Sorry for the late reply. I have followed all the instructions. Attached please find the log file for Eset. The following are the symptoms:
    1. the laptop can't hibernate (whenever I chose hibernation, it quickly went back on after a short blink).
    2. Whenever I started IE, besides a usual home page, a new IE window will automatically open to show some websites (so that there are 2 IE windows opened).
    3. Google search results are redirected.
    4. From time to time, there is a pop up window called "script editor" asking me to ok a default script editor.
    5. Still can't boot using Safe mode (I lost the original system CD, so can't complete the steps described on the Microsoft website).

    I also attached the newest HijackThis log. Please instruct.
     
  15. malvern

    malvern TS Rookie Topic Starter

    To update my progress, I have luckily found the recovery disks for my compaq presario that I made 5 years ago when I first bought this laptop. Now I have done a re-installation of the whole system (after backing up my files). I'd like to thank Bobbye (and Tmagic650) for their support and help. Thank you for your time and careful instructions! I learned a lot in this process. Reinstalling the system helped me to clean up all the junk programs that my laptop accumulated in the last 5 years, and it now works like new.
     
  16. hellokitty[hk]

    hellokitty[hk] Hello, nice to meet you! Posts: 3,435   +145

    You may want to run a scan in case any of the files you backed up were infected...
    And I would also like to thank Bobbye for dedication.
     
  17. Tmagic650

    Tmagic650 TS Ambassador Posts: 17,244   +234

    Yes,
    good work Malvern, and I thank Bobbye too. I know how much time and dedication it takes to help members with their "infections"... We try to help all who come here at Techspot. I want no member to feel abandoned
     
  18. malvern

    malvern TS Rookie Topic Starter

    Yes, I would like to thank again Bobbye and Tmagic650 for your dedication to help! I'm always wondering that there are people who put in their precious time and efforts to help others, and there are also people who try their best to destroy other people's life (such as the virus producers).

     
  19. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    I've been off for a bit. You're welcome malvern. hellokitty brings up a good point: if you did back up and there was the chance that malware might have been in any of the files, I would encourage you to go ahead and run the Eset Online scan to check.

    Just leave me a log and I'll check it for you.

    An aside: Tmagic, you're full of it!
     
Topic Status:
Not open for further replies.
