TechSpot

Need help with 1st step in Malware Removal Procedure

Solved
By geoffd86
Mar 11, 2010
  1. Broni

    Broni Malware Annihilator Posts: 47,019   +255

    Please download Sophos Anti-rootkit & save it to your desktop.

    IMPORTANT!
    • Disconnect from the Internet or physically unplug you Internet cable connection.
    • Clean out your temporary files.
    • Close all open programs, scheduling/updating tasks and background processes that might activate during the scan including the screensaver.
    • Temporarily disable your anti-virus and real-time anti-spyware protection.
    • After starting the scan, do not use the computer until the scan has completed.
    • When finished, re-enable your anti-virus/anti-malware (or reboot) and then you can reconnect to the Internet.

    • Double-click sar_15_sfx.exe to begin the installation, read the license agreement and click Accept.
    • Allow the default location of C:\Program Files\Sophos\Sophos Anti-Rootkit and click Install.
    • A message will appear "Sophos Anti-Rootkit was successfully installed. Click 'yes' to start it now". Click Yes.
    • Make sure the following are checked:
      • Running processes
      • Windows Registry
      • Local Hard Drives

    • Click Start scan.
    • Sophos Anti-Rootkit will scan the selected areas and display any suspicious files in the upper panel.
    • When the scan is complete, a pop-up screen will appear with "Rootkit Scan Results". Click OK to continue.
    • Click on the suspicious file to display more information about it in the lower panel which also includes whether the item is recommended for removal.
      • Files tagged as Removable: No are not marked for removal and cannot be removed.
      • Files tagged as Removable: Yes (clean up recommended) are marked for removal by default.
      • Files tagged as Removable: Yes (but clean up not recommended) are not marked for removal because Sophos did not recognize them. These files will require further investigation.

    • Select only items recommended for removal, then click "Clean up checked items". You will be asked to confirm, click Yes.
    • A pop up window will appear advising the cleanup will finish when you restart your computer. Click Restart Now.
    • After reboot, a dialog box displays the files you selected for removal and the action taken.
    • Click Empty list and then click Continue to re-scan your computer a second time to ensure everything was cleaned.
    • When done, go to Start > Run and type or copy/paste: %temp%\sarscan.log
    • This should open the log from the rootkit scan. Please post this log in your next reply. If you have a problem, you can find sarscan.log in C:\Documents and Settings\<username>\Local Settings\Temp\
     
  2. geoffd86

    geoffd86 TS Rookie Topic Starter Posts: 50

    it says to delete temporary files...I deleted all the temp files, cookies, etc. from my browsers. How do I delete other types of temp files?
     
  3. Broni

    Broni Malware Annihilator Posts: 47,019   +255

    Download Temp File Cleaner (TFC)
    Double click on TFC.exe to run the program.
    Click on Start button to begin cleaning process.
    TFC will close all running programs, and it may ask you to restart computer.
     
  4. geoffd86

    geoffd86 TS Rookie Topic Starter Posts: 50

    I already scanned once, and it didn't detect anything that required removal. They were all unknown hidden files. I couldn't click clean up checked items because i couldn't check anything. Therefore I couldn't finish, so I couldn't get the log files.
     
  5. Broni

    Broni Malware Annihilator Posts: 47,019   +255

    Are you talking about Sophos?
     
  6. geoffd86

    geoffd86 TS Rookie Topic Starter Posts: 50

    yes. I can't get it to finish because there are no files to remove
     
  7. Broni

    Broni Malware Annihilator Posts: 47,019   +255

    I'd like you to uninstall Comodo and see, if that will get your connection back.

    In addition...

    Download GMER: http://www.gmer.net/files.php, by clicking on Download EXE button.
    Alternative downloads:
    - http://majorgeeks.com/GMER_d5198.html
    - http://www.softpedia.com/get/Interne...ers/GMER.shtml
    Double click on downloaded .exe file, select Rootkit tab and click the Scan button.
    When scan is completed, click Save button, and save the results as gmer.log
    Warning ! Please, do not select the "Show all" checkbox during the scan.
    Post the log.

    =========================================================================

    Download OTL to your Desktop.

    * Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
    * Under the Custom Scan box paste this in:


    netsvcs
    %SYSTEMDRIVE%\*.exe
    /md5start
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    eNetHook.dll
    ahcix86.sys
    KR10N.sys
    nvstor32.sys
    /md5stop
    %systemroot%\*. /mp /s
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    %systemroot%\system32\drivers\*.sys /lockedfiles
    %systemroot%\System32\config\*.sav
    CREATERESTOREPOINT


    * Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.
    • When the scan completes, it will open two notepad windows: OTL.txt and Extras.txt. These are saved in the same location as OTL.
    • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them back here.
     
  8. geoffd86

    geoffd86 TS Rookie Topic Starter Posts: 50

    Log Files for OTL & GMER

    I had to attach them because they were too big to post on here
     

    Attached Files:

  9. Broni

    Broni Malware Annihilator Posts: 47,019   +255

    That's fine. Sorry for the delay. I went to the movies :)

    Did you uninstall Comodo? Still no connection?

    I'm reviewing the logs right now.
     
  10. Broni

    Broni Malware Annihilator Posts: 47,019   +255

    Logs look perfectly fine.
     
  11. geoffd86

    geoffd86 TS Rookie Topic Starter Posts: 50

    I uninstalled Comodo and then i was allowed to install the driver but the internet still doesn't work. The device manager says that it is working properly. Also, after I installed the ethernet driver a bubble popped up from the tray and said something about a problem with hardware installation or something like that. I can't remember exactly. When i go to network connections the 1394 says its connected but the local area connection says disabled, and when i try to enable it says connection failed.

    And don't worry about delaying, I've been watching movies all day. I don't expect you to sit around all day and help me out. I mean seriously do you get paid for this?
     
     
  12. Broni

    Broni Malware Annihilator Posts: 47,019   +255

    No, it's my hobby :)
    Same thing with wired connection?
     
  13. geoffd86

    geoffd86 TS Rookie Topic Starter Posts: 50

    Thats weird...The wireless connection works but the wired one doesn't.

    I turned on the wireless switch and a new thing came up on network connections called internet gateway, which says connected.

    The wireless network connection says connected, but local area connection 4 says disabled.
     
  14. geoffd86

    geoffd86 TS Rookie Topic Starter Posts: 50

    I checked the device manager and the ethernet device has the same driver that it had before. 7.80.0.0
     
  15. Broni

    Broni Malware Annihilator Posts: 47,019   +255

    Are you saying, that you can connect to the internet wirelessly?
     
  16. geoffd86

    geoffd86 TS Rookie Topic Starter Posts: 50

    yes...for some strange reason wireless works, but wired connection doesn't (though my girlfriends computer works fine using the wire)
     
  17. Broni

    Broni Malware Annihilator Posts: 47,019   +255

    Don't touch anything then for now.

    1. Download Temp File Cleaner (TFC)
    Double click on TFC.exe to run the program.
    Click on Start button to begin cleaning process.
    TFC will close all running programs, and it may ask you to restart computer.


    2. Go to Kaspersky website and perform an online antivirus scan.

    1. Disable your active antivirus program.
    2. Read through the requirements and privacy statement and click on Accept button.
    3. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
    4. When the downloads have finished, click on Settings.
    5. Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:

    • Spyware, Adware, Dialers, and other potentially dangerous programs
      [*] Archives
      [*] Mail databases
    6. Click on My Computer under Scan.
    7. Once the scan is complete, it will display the results. Click on View Scan Report.
    8. You will see a list of infected items there. Click on Save Report As....
    9. Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button. Then post it here.

    Post fresh HijackThis log as well.
     
  18. Broni

    Broni Malware Annihilator Posts: 47,019   +255

    I guess, it was some issue caused by Comodo.
    Make sure, your Windows firewall is on.
    Later, we'll install new AV program.
     
  19. geoffd86

    geoffd86 TS Rookie Topic Starter Posts: 50

    here are the logs for the last part. I think I turned windows firewall on when I saw the last post, and then did the scan, so it might have been on during kaspersky scan and hijackthis. I also had an internet window going...oops...its getting late. Anyway here are the logs.
     

    Attached Files:

  20. Broni

    Broni Malware Annihilator Posts: 47,019   +255

  21. geoffd86

    geoffd86 TS Rookie Topic Starter Posts: 50

    I found two rootkit files when I did the virus scan with avast. Should I delete them, "move to chest" as avast puts it, or just leave them alone for now?
     
  22. Broni

    Broni Malware Annihilator Posts: 47,019   +255

    "Move to chest" is always the best option, just in case it was false positive.

    Give me fresh HJT log, please.
     
  23. geoffd86

    geoffd86 TS Rookie Topic Starter Posts: 50

    here is the log. Sorry it's taking so long. I was on spring break before so I could scan all day, but now I'm back in school.

    It was saying error on page when i tried to manage attachments, so i couldn't attach the hjt file. Here it is.

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 9:58:41 PM, on 3/16/2010
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v8.00 (8.00.6001.18702)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
    C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\WINDOWS\AGRSMMSG.exe
    C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
    C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe
    C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Intel\Wireless\Bin\OProtSvc.exe
    C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll (file missing)
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
    O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
    O4 - HKLM\..\Run: [EOUApp] C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe
    O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
    O4 - HKLM\..\Run: [avast5] C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe /nogui
    O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
    O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
    O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: CodeMeter Runtime Server (CodeMeter.exe) - Unknown owner - C:\Program Files\CodeMeter\Runtime\bin\CodeMeter.exe (file missing)
    O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: OwnershipProtocol - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\OProtSvc.exe
    O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

    --
    End of file - 5826 bytes
     
  24. Broni

    Broni Malware Annihilator Posts: 47,019   +255

    Print this post out, since you won't have an access to it, at some point.

    1. Open HijackThis.

    2. Close all windows, except for HijackThis.

    3. Put checkmarks next to the following HijackThis entries:

    O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll (file missing)
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE



    4. You should also checkmark following entries (these are unnecessary startups; no actual programs will be removed):

    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
    O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe [unless you have paid version]
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll [unless you have paid version]


    5. Click on Fix checked button.

    6. Restart computer.

    7. Post new HijackThis log.
     
  25. geoffd86

    geoffd86 TS Rookie Topic Starter Posts: 50

    Here is the hjt file. Before I performed this last step I installed a bunch of National Instruments - Labview software, just so you know. I hope it didn't mess up anything.
     

    Attached Files:

Topic Status:
Not open for further replies.


Add New Comment

TechSpot Members
Login or sign up for free,
it takes about 30 seconds.
You may also...


Get complete access to the TechSpot community. Join thousands of technology enthusiasts that contribute and share knowledge in our forum. Get a private inbox, upload your own photo gallery and more.