Laptop infection help sought - Eight Steps logs attached

jonnycowbells

Hi,

Hoping somebody can help me out. I got an infection on an XP Pro SP2 Dell Latitude a few weeks back - first noticed it when search results (Google, MSN for sure, others not tried) were hijacked to send me to malware pages (though right-click, open in new window got around this). Followed swiftly by a fake alert infection. Task manager and anti-virus became disabled. Everything got generally sluggish.

Has McAfee VirusScan Enterprise 8.0.0 on it with up-to-date definitions as far as I know but didn't spot anything. Installed Mbam which found a lot. Since then, been updating and running both (often in Safe mode), but the infection seems persistent! Reached a head this week when Mbam would only start on renaming the .exe and starting from 'Run...' on Start menu.

Followed eight steps. Quite painful in places - had to use the rename trick above for HijackThis. SuperAntispyware caused blue-screen, so rebooted in safe mode whereupon SAS wouldn't start. Reran mbam (after a rename) to see if it could clear something out to let SAS run - this worked and SAS found a bunch of stuff.

Less sluggish now so hopefully I'm getting somewhere, but would appreciate expert help in ironing out anything that's left.

Many thanks in advance.

Cheers,

Matt
 
Hello jonnycowbells

It looks like you've got a rootkit there.

Please download ComboFix here -> ComboFix

Before saving it to the Desktop, please rename it to something like 123.com to stop malware from disabling it.

Now, please make sure no other programs are running, close all other windows.

Please double click on the file you downloaded. Follow the onscreen prompts to start the scan.
Once the scanning process has started please DO NOT click on the Combofix window or attempt to use your computer as this can cause the scanning process to stall.
It may take a while to complete scanning and this is normal.

You will be disconnected from the internet and your desktop icons/toolbars will disappear during scanning, do not worry, this is normal and it will be restored after scanning has completed.

ComboFix will create a logfile and display it after your computer has rebooted. It is usually located in c:\combofix.txt; please attach it to your next post.
 
Hi touch,

Many thanks for your help. It took me a while to get a logfile, but I got one finally and attach it here.

I'll summarise the difficulties here in case they're relevant:
Downloaded Combofix no problem. Ran it and it installed windows restore console (or whatever it's called). It asked me to note down 10 file names which I did. It then rebooted. I logged in as normal.

AutoScan ran and it got to 'Completed Stage_32A' and then hung (I presume it hung - I went away for an hour and it hadn't moved on). Killed the window and rebooted in Safe mode. Tried it again and AutoScan was running again. I went away for 10 minutes and when I came back the laptop had rebooted again. I logged in as normal and the blue Combofix window opened, but nothing else happened (it was blank, and no desktop or toolbar appeared). Waited 20 minutes, still no change. Closed the blue window. A couple of others popped up and closed in quick succession (Combofix windows, that is) and then my normal desktop appeared, but nothing else happened - no log file.

Rebooted to safe mode and tried again! Got as far as AutoScan window, but then got the normal 'Windows is running in safe mode' Windows pop-up. Clicked on 'yes' and after that got no more progress with the AutoScan window. 'Ended' this window and tried running it again. I got the Windows pop-up again, but this time it went away on its own and AutoScan continued to run - so this time I watched like a hawk!

It said 'Deleting files: "C:\windows\system32\a9k.bin"' then ran through Completed Stage_1 up to Stage_50. Then the same 'Deleting Files: "C:\windows\system32\a9k.bin"' message. Rebooting please wait message.
This time I put it into Safe mode on the reboot. ComboFix window seemed to run okay this time. Find3M window popped up with 'Preparing Log Report' - this ran to completion. Log attached. Phew!

Let me know if I messed up somewhere in all of this and need to try something else.

Thanks again.

Cheers,

Matt
 

Attachments

  • ComboFix.txt (19.6 KB)
It is sometimes exciting to run ComboFix :D

Open notepad and copy/paste the text in the quotebox below into it:
Name the file as CFScript
and Save it on the desktop

Killall::
Snapshot::
File::
c:\windows\system32\a9k.bin
c:\windows\system32\drivers\exsfwczo.sys
c:\windows\system32\drivers\ophmzvs.sys
c:\windows\system32\nar.bin
c:\windows\system32\saifx.dl
Rootkit::
c:\windows\system32\a9k.bin
c:\windows\system32\drivers\exsfwczo.sys
c:\windows\system32\drivers\ophmzvs.sys
Driver::
Evhognvp
Mblgi

http://www.fromsej.saknet.dk/billeder/cfscript.gif

Once saved, referring to the picture above, drag CFScript.txt into ComboFix.exe.

ComboFix will create a logfile and display it after your computer has rebooted. It is usually located in c:\combofix.txt; please attach it to your next post.

Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.
 
Hi touch,

Did it all in safe mode again, but ran okay this time.

Log attached.

Continued thanks :)

Matt
 

Attachments

  • ComboFix.txt (20.7 KB)
It is not clean - yet. I think there is some nasty stuff hiding that we can't see in a combolog, therefore ->

Click here: http://www.gmer.net/
and download the installer for Gmer to your desktop, then click that file to run Gmer.
(scroll down, and click on – Download Exe – Button)

If on its opening scan Gmer locates items shown in red or indicates "hidden" or "rootkit", stop there, click on the Copy button, right-click on your Desktop and choose "New" > Text document. Once the file is created, open it, right-click again and choose Paste. Attach the information and post it here please. We don't want any crashes just from taking an initial look at things.

If not, then click on Scan (before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while this scan completes. Also do not use your computer during the scan).

When completed, click on the Copy button, right-click on your Desktop and choose "New" > Text document.

Once the file is created, attach to your next reply.
 
Hi touch,

Managing to run this stuff in 'normal' mode rather than 'safe' mode, so it feels like we're getting somewhere :)

No red, hidden or rootkit items indicated on startup, so ran scan. Output attached.

Continued thanks...

Matt
 

Attachments

  • GMERLog20090608.txt (73.2 KB)
Hi touch,

Sorry for the delay in replying. Had to run Combofix in Safe-mode again because it ran and rebooted, but then did nothing once I'd logged on - there's something about my laptop it doesn't like!

Asked if I wanted to update to the newer version, which I said 'yes' to. Then it ran and didn't require a reboot this time. Log file is attached.

I'm wondering if running these tools in Safe-mode is preventing anything nasty from getting loaded and, therefore, from getting detected?

Continued thanks!

Matt
 
Open notepad and copy/paste the text in the codebox below into it:
Name the file as CFScript
and Save it on the desktop

Code:
Killall::
Snapshot::
File::
c:\windows\system32\sorrd.sys
c:\windows\system32\drivers\jssx.sys
Filelook::
c:\windows\system32\nar.bin
Dirlook::
C:\456
Driver::
Sorrd
wade
Registry::
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sorrd.sys]

[image: CFScriptB-4.gif]


Once saved, referring to the picture above, drag CFScript.txt into ComboFix.exe.

ComboFix will create a logfile and display it after your computer has rebooted. It is usually located in c:\combofix.txt; please attach it to your next post.

Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.
 
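Editor's note on the Registry:: line in the script above: HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal (and \Network) is the list Windows consults to decide which drivers and services still load in Safe Mode, so a driver that has registered itself there, as sorrd.sys had here, loads even on a "safe" boot. That is also the answer to the earlier question about Safe Mode hiding things: it hides nothing that has put itself on this list. The PowerShell below is an added example and not part of this thread, ComboFix or GMER. It lists every SafeBoot entry and flags ones that do not resolve to a Services key with an existing, signed binary. It assumes Windows PowerShell 2.0 or later run from an elevated prompt; the status labels are this script's own naming.

```powershell
# Added example (editor's, not from the thread or from ComboFix/GMER):
# audit the SafeBoot lists that decide what still loads in Safe Mode.
# Assumes Windows PowerShell 2.0+ and an elevated prompt.

$SafeBootRoot = 'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot'
$ServicesRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services'

function Resolve-ImagePath {
    # Turn a raw ImagePath registry value into an absolute file path.
    param([string]$ImagePath)
    if ([string]::IsNullOrEmpty($ImagePath)) { return $null }
    $p = $ImagePath.Trim()
    if ($p.StartsWith('"')) {
        # Quoted path, possibly followed by arguments.
        $p = $p.Substring(1, $p.IndexOf('"', 1) - 1)
    } elseif ($p -match '^(.*?\.(sys|exe|dll))(\s.*)?$') {
        # Unquoted path: keep up to the first .sys/.exe/.dll, drop arguments.
        $p = $Matches[1]
    }
    $p = $p -replace '^\\\?\?\\', ''                             # \??\C:\x -> C:\x
    $p = $p -replace '^\\SystemRoot\\', ($env:SystemRoot + '\')  # \SystemRoot\... -> C:\WINDOWS\...
    if ($p -notmatch '^[A-Za-z]:\\') {                            # system32\drivers\x.sys
        $p = Join-Path $env:SystemRoot $p
    }
    return $p
}

function Get-SafeBootAudit {
    # One record per SafeBoot entry. Status values (this script's own labels):
    #   class-guid     - a device class GUID entry, normal
    #   ok             - Services key, binary present, valid Authenticode signature
    #   unsigned       - binary present but no valid embedded signature
    #   image-missing  - Services key exists but its ImagePath file does not
    #   no-imagepath   - Services key exists without an ImagePath value
    #   no-service-key - nothing under Services matches the entry name
    foreach ($mode in 'Minimal', 'Network') {
        $modeKey = Join-Path $SafeBootRoot $mode
        if (-not (Test-Path $modeKey)) { continue }
        foreach ($entry in Get-ChildItem $modeKey) {
            $name  = $entry.PSChildName
            $type  = (Get-ItemProperty $entry.PSPath).'(default)'   # "Driver", "Service" or a class label
            $image = $null; $sig = $null
            if ($name -match '^\{[0-9A-Fa-f-]+\}$') {
                $status = 'class-guid'
            } else {
                # "sr.sys" style entries name the driver file; the Services key is "sr".
                $svcKey = Join-Path $ServicesRoot ($name -replace '\.sys$', '')
                if (-not (Test-Path $svcKey)) {
                    $status = 'no-service-key'
                } else {
                    $image = Resolve-ImagePath (Get-ItemProperty $svcKey).ImagePath
                    if (-not $image)                 { $status = 'no-imagepath' }
                    elseif (-not (Test-Path $image)) { $status = 'image-missing' }
                    else {
                        $sig = (Get-AuthenticodeSignature $image).Status
                        if ($sig -eq 'Valid') { $status = 'ok' } else { $status = 'unsigned' }
                    }
                }
            }
            New-Object PSObject -Property @{
                Mode = $mode; Entry = $name; Type = $type
                ImagePath = $image; Signature = $sig; Status = $status
            } | Select-Object Mode, Entry, Type, Status, Signature, ImagePath
        }
    }
}

# Show only the entries worth a second look; "ok" and class GUIDs are omitted.
Get-SafeBootAudit |
    Where-Object { @('ok', 'class-guid') -notcontains $_.Status } |
    Format-Table -AutoSize
```

Read the output with two caveats. The no-service-key and image-missing rows are the interesting ones: a SafeBoot entry for a driver whose Services key or file is gone is left-over registration, and an entry nobody recognises (a random name, a .sys that is not in a clean install) is the kind of thing the script above was written to remove. On Windows XP, in-box drivers are signed through catalog files rather than an embedded signature, so Get-AuthenticodeSignature reports many legitimate Microsoft drivers as unsigned; compare those rows against a known-clean machine rather than treating every unsigned row as a finding.
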
Hi touch,

Ran in Safe-mode again using the switchfile created from your code. Combofix produced another alert about an update being available. Clicked yes to download. Seemed to run fine.

Log attached.

Many thanks,

Matt
 
If you don´t know this file: c:\windows\system32\nar.bin << Delete it.

Attach a fresh HijackThis log, and tell me how things are running.
 
Hi touch,

I deleted that file.

New HJT log attached. System's running well I think. Haven't noticed anything bad in a week or so now to be honest.

Many thanks,

Matt
 
That's good news, and the HijackThis log looks clean :)

Now your computer problems are solved, it is time for the clean-up procedure
You should Create a New Restore Point to prevent possible reinfection from an old one.
The easiest and safest way to do this is:
Go to Start > All Programs > Accessories > System Tools > System Restore
Select Create a restore point, and Ok it.
Next, go to Start > Run and type in cleanmgr
Select the More options tab
Choose the option to clean up system restore and OK it.

This will remove all restore points except the new one you just created.


Click START then RUN
Now type Combofix /u in the runbox and click OK. Note the space between the X and the U, it needs to be there.
When shown the disclaimer, Select "2"
The above procedure will:
Delete the following:
ComboFix and its associated files and folders.
VundoFix backups, if present.
The C:\Deckard folder, if present.
The C:\_OtMoveIt folder, if present.
Reset the clock settings.
Hide file extensions, if required.
Hide System/Hidden files, if required.

To learn more about how to protect yourself while on the internet, please read Tony Klein's guide:
How did I get infected in the first place?

Keep safe :wave:
 
Hi touch,

Many, many thanks for your patient help. Please keep up the good work. That's a beer I owe you!

Thanks also for the link to Tony Klein's article. I think I'll keep MBAM on the laptop, take off SuperAntiSpyware, then install SpywareBlaster, install Outpost (disable XP firewall), and install MVPS Hosts. I've still got McAfee on there.

Does this sound about right to you? Will do the same for my desktop and the wife's laptop too...

Thanks again. Cheers,

Matt
 
I'll keep MBAM on the laptop, take off SuperAntiSpyware, then install SpywareBlaster, install Outpost (disable XP firewall), and install MVPS Hosts.
Does this sound about right to you?

It's a really good idea :)
 