TechSpot

Please review logs from removal 8-steps

By jrajaram
Dec 3, 2008
Topic Status:
Not open for further replies.
  1. Could someone please help me:

    Issue:
    I started encountering popups on my PC in IE & Firefox a couple of days ago. The browser started by itself and accessed various sites. At times IE seemed to access some site with the title "internet speed monitor".

    My System Specs:
    Motherboard......: ASUSTek Computer INC, Kamet2, 2.01
    CPU..............: AMD Athlon(tm) XP 2600+ Socket A(462)
    Sound card.......: Realtek AC'97 Audio for VIA (R) Audio Controller
    Video card.......: VIA/S3G UniChrome IGP
    RAM..............: 768 MB
    Hard drive.......: 2 Disks: 40GB Seagate (ST340015A) and 160GB Seagate (ST3160023A)
    Power supply unit: HP pavilion a410e PSU (Not able to find info as no specs on PSU)
    Optical drives...: 2 Drives: ASUS CD-s480 and Toshiba DVD-ROM SD-R5112
    Operating System.: Windows XP Professional Service Pack 2


    Steps completed:
    • followed the steps in "UPDATED 8-step Viruses/Spyware/Malware Preliminary Removal Instructions" thread
    • Malwarebytes and SUPERAntiSpyware scans identified and removed "Trojan.Vundo" and "GetModule30.exe".
    • The logfiles requested in the thread are attached. (Note: I had to abort malwarebytes complete scan as I was afraid it wouldn't complete scanning all the drives during the initial run. So I ran it for each drive after completing a quick scan and have included the logs from all the runs).

    Current symptoms:
    No more popups. But the PC still feels a little slower intermittently.

    Need help with:
    • Log file review
    • Knowing what the next steps are (if any?)
    • Need help with making sure my PC is clean: I am worried there might be some backdoor or rootkit hidden in my PC.

    Thanks
    jrajaram

  2. rf6647

    rf6647 TS Maniac Posts: 931

    An extraordinary problem description complete with completed steps, remaining symptoms, and clear objectives.

    HJT is the sweeper. It detected a part of the infection was not cleaned. For your situation, we will take an unusual action to perform back-to-back scans with ComboFix. From your observations, this residue is most likely no longer a threat.

    Successive scans are used to uncover additional infections, since masking is common with many infestations. When a tool reports something it can not clean, that's when the strategy calls for a stronger scanner. The sequence for applying the scanners begins with the standard scanners (fully updated) and ends with the stronger cleaner, with a side benefit that it adds information about the comparative effectiveness among the tools.


    Overview -
    • ComboFix is a very effective tool that scans / fixes hard to clean infections. Additionally, it includes diagnostic information.
    • Uninstall old copy of ComboFix - if tool was used previously


    Supplement to guide. Successive scans used to uncover additional infections.
    • Update both MBAM & SAS. Rerun them both.

    • This effort is complete when logs report NO infections/threats, or reporting something it can not clean.

    • Follow ComboFix instructions referenced below.

    • Examine the last few lines in the log for ‘Completion time:’ ……. ‘machine was rebooted’

    • Restart the computer, if the first run of ComboFix did not conclude with ‘reboot’.

    • Repeat ComboFix.

    • Scan with HJT. (part of instructions for ComboFix)

    • Post logs. Report progress & what changes are observed. Include logs that found infections.



  3. jrajaram

    jrajaram TS Rookie Topic Starter

    Thank you rf6647 and the forum for helping us so effectively.

    As per your recommendation the following steps have been completed:

    • Updated and re-ran Malwarebytes, (No malicious items detected in the log)

    • Updated and re-ran SUPERAntiSpyware scan, (2 Adware.Tracking Cookie identified and cleaned)

    • Ran (first time) combo fix, system automatically rebooted

    • Ran (second time) combo fix, manually rebooted

    • Ran HijackThis


    Scan Logs are attached. I still see the following in HJT log:

    Please let me know my next step

  4. rf6647

    rf6647 TS Maniac Posts: 931

    Both runs of combofix had deletions. Another run of ComboFix is needed. In consultation with another specialist, ‘kughce.dll’ will be deleted on this run by combofix. On that point we disagree. I do agree that it is no longer a threat.

    What is your overall impression about the health of the computer? Are any symptoms still present?

    I recommend the following sequence
    • Update both MBAM & SAS
    • Rerun MBAM, quick mode.
    • Rerun SAS
    • Rerun ComboFix
    • Restart the computer
    • Scan with HJT.
    • Post the logs.
    Rationale: MBAM & SAS confirm that no new infections entered the picture. A clean run of ComboFix is needed.
  5. mflynn

    mflynn TS Rookie Posts: 2,793

    Hi jrajaram

    Rich should be back soon so do the below and post results for him.

    You have 1 remainder or an item Combofix can not fix.

    Run Combofix again to confirm the below is gone this time!

    Code:
    (((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    
    c:\windows\system32\xvfylojj.ini
    
    .
    (((((((((((((((((((((((((   Files Created from 2008-11-07 to 2008-12-07  )))))))))))))))))))))))))))))))
    .
    Mike

    EDIT: Oops, we were posting at the same time, but I had a phone call! :)
    EDIT2: I suggest Combofix first.
  6. rf6647

    rf6647 TS Maniac Posts: 931

    aka - mad hatter

    Mike, at times I refer to myself as the 'mad hatter'. My sequence was an attempt to understand more about how these tools work. Rather than ask the user to test if the file existed, I was using MBAM for this. A potential side benefit would be recognition if MBAM updates cleaned up the 'malware buster' that detected the infections. I saw this for the 'karma' thingy. I think I understand that updating combofix throws away the history used by the program.

    In the end, combofix and hjt logs are needed to analyze the current infection.
  7. jrajaram

    jrajaram TS Rookie Topic Starter

    Rich,

    Please confirm if I should be following your steps or run combo fix as is, as per mflynn's recommendation.


    Current PC symptoms: My PC is acting normal. No more popups or slowness.

    Thanks again for your help
    jrajaram
  8. rf6647

    rf6647 TS Maniac Posts: 931

    Sorry for the confusion. Follow Mike

    Combofix
    Restart the computer
    HJT

    This run of ComboFix confirms the last deletion - a final check.

    I emphasize the 'restart'. HJT that is run immediately after restart gives a view not cluttered with applications opened by the user.

    The other steps were intended to 'prove' to me what Mike understands about the role of each tool that we use. That's right - I'm the newbie.

    Some cleanup steps will follow.
  9. jrajaram

    jrajaram TS Rookie Topic Starter

    Rich/Mike,

    I have completed the following steps

    • Downloaded and re-ran combo-fix (log is attached)
    • Manually restarted PC
    • Ran HJT (log is attached)

    There are no new deletions by combo-fix and HJT log still shows
    Please let me know the next step.

    Thanks
    jrajaram

  10. mflynn

    mflynn TS Rookie Posts: 2,793

    Hi jrajaram

    Run HJT Scan only select and remove the below
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
    O20 - AppInit_DLLs: kughce.dll

    Close HJT then run again to confirm gone.

    Hold on as I am composing additional steps.


    EDIT:
    Download SD Fix to Desktop among other things Catchme to look for RootKits.

    http://downloads.andymanchesta.com/RemovalTools/SDFix.exe

    On Desktop run SDFix. It will run (install) then close.

    Then reboot into Safe Mode

    As the computer starts up, tap the F8 key several times.

    On the Boot menu Choose Safe Mode.

    Click through all the prompts to get to desktop.

    At Desktop
    My Computer C: drive. Double-click to open.

    Look for a folder called SD Fix. Double-click to enter SD Fix.

    Double-click RunThis.bat. Type Y to begin.

    SD Fix does its job.

    When prompted hit the enter key to restart the computer

    Your computer will reboot.

    On normal restart the Fixtool will run again and complete the removal process then say Finished.
    Hit the Enter key to end the script and load your desktop icons.

    Once the desktop is up, the SDFix report will open on screen and also be saved to the SDFix folder as Report.txt.
    Attach the Report.txt file to your next post.


    Mike
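The two HijackThis entries Mike singles out above (an O2 BHO registered with "(no file)" and an O20 AppInit_DLLs value) are exactly the kinds of lines a reviewer looks for when triaging an HJT log. As an added example that is not part of this thread or of HijackThis itself, the script below parses HJT-style O2 and O20 lines and flags those two patterns; the sample log is constructed for the example, modelled on the entries quoted in the post.

```python
import re

# Constructed sample of HijackThis-style log lines: a benign BHO for
# contrast, the two entries quoted in the thread, and an empty O20 line.
SAMPLE_HJT_LOG = """\
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\\Program Files\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroIEHelper.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O4 - HKLM\\..\\Run: [SoundMan] SOUNDMAN.EXE
O20 - AppInit_DLLs: kughce.dll
O20 - AppInit_DLLs:
"""

# O2 lines: "O2 - BHO: <name> - {CLSID} - <dll path or (no file)>"
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.*)$")
# O20 lines: "O20 - AppInit_DLLs: <space/comma separated dll list>"
O20_RE = re.compile(r"^O20 - AppInit_DLLs:\s*(?P<dlls>.*)$")


def triage_hjt(log_text):
    """Return a list of (log line, reason) for entries worth a second look."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        m = O2_RE.match(line)
        if m:
            if m.group("path").lower() == "(no file)":
                # CLSID still registered but the DLL is gone: typically the
                # registration left behind after a scanner removed the file.
                findings.append((line, "orphan BHO: CLSID registered but DLL missing"))
            elif m.group("name") == "(no name)":
                findings.append((line, "unnamed BHO: identify the DLL on disk"))
            continue
        m = O20_RE.match(line)
        if m and m.group("dlls"):
            # AppInit_DLLs is loaded into every process that maps user32.dll,
            # so any entry here deserves scrutiny; a random name is a red flag.
            for dll in re.split(r"[,\s]+", m.group("dlls")):
                if dll:
                    findings.append((line, f"AppInit_DLLs loads {dll} into every GUI process"))
    return findings


if __name__ == "__main__":
    for entry, reason in triage_hjt(SAMPLE_HJT_LOG):
        print(f"{reason}\n    {entry}")
```

Run against a real HJT log the script reports only the O2 and O20 lines matching these two patterns; the benign Adobe BHO and the empty AppInit_DLLs value in the sample produce no finding.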
  11. jrajaram

    jrajaram TS Rookie Topic Starter

    Mike,

    As suggested I completed the following:

    • Ran HJT scan and fixed the 2 suggested entries
    • Re-ran HJT to confirm the files are gone.
    • Followed instructions and completed SDFix scan (Report is attached)

    Please let me know the next steps

    Thanks
    jrajaram
     
  12. jrajaram

    jrajaram TS Rookie Topic Starter

    Mike/Rich,

    Any help on this one ?

    Thanks
    jrajaram
  13. mflynn

    mflynn TS Rookie Posts: 2,793

    Hi jrajaram

    Sorry your post slipped past.

    Run MBAM, click More Tools - Run Tool, copy and paste the line below into File name: and click OK

    c:\windows\system32\xvfylojj.tmp

    Run ComboFix once more to confirm a removal.

    Post new HJT log.

    Mike
  14. jrajaram

    jrajaram TS Rookie Topic Starter

    Hi Mike,

    As requested I have completed the steps. Combo-fix log is attached. Please let me know if additional cleaning is required.

    Thanks
    jrajaram
  15. jrajaram

    jrajaram TS Rookie Topic Starter

    Mike, Rich,

    Just updating this thread so it won't fall through...Please let me know if additional cleaning of my PC is required.

    Thanks
    jrajaram
  16. rf6647

    rf6647 TS Maniac Posts: 931

    The log file confirms the file deletion. Other aspects of the log are unchanged. If you are not experiencing new symptoms, then remove the tools and set a clean restore point. I will borrow from Mike's quote.
