Virus\Malware removal logs attached

By Constantino
Nov 3, 2008
Topic Status:
Not open for further replies.
  1. I followed the - UPDATED 8-step Viruses/Spyware/Malware Preliminary Removal Instructions. I am in Athens Greece and currently have dial up access.

    AVG found &
    - JS/Downloader.agent
    also while I was running CCleaner, and not online, AVG found
    - Trojan horse backdoor.generic10.SMQ

    Note: was not able to follow the instructions in Castlecops to disable AVG Anti-spyware

    Symptoms:
    primary symptom that continues is that IE is unstable
    - my Internet dial-up icon stopped working, so I created a 2nd one to bypass the problem, and now it seems each time I log on a different one of the two works
    - after opening the first couple of IE windows, I can't open additional ones (especially from the IE quick start in the lower tray, though I have a little better luck through the start up menu or links in Word docs). When I close these IE windows that won't go to Google, the messages are:

    Error Signature
    szAppName : IEXPLORE.EXE szAppVer : 6.0.2900.2180 szModName : hungapp
    szModVer : 0.0.0.0 offset : 00000000

    Error Report Contents
    C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\WER3b56.dir00\IEXPLORE.EXE.mdmp
    C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\WER3b56.dir00\appcompat.txt

    or

    C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\WERa475.dir00\IEXPLORE.EXE.mdmp
    C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\WERa475.dir00\appcompat.txt

    Attached are 3 logfiles

    Thank you,
    Constantino

  2. rf6647

    rf6647 TechSpot Maniac Posts: 931

    Here is a bump for your problem.

    My assessment - no threats remain
    SAS log was of the wrong type.
    MBAM log - 3 threats removed [Spyware.Sinowal, wsnpoem, unnamed]
    HJT log - OK


    Your remaining symptoms concerning IE stability suggest "RIES" - reset IE settings.
    Borrowed from Kimsland

    Since your connection speed is limited by dialup access, it is difficult to recommend updating to XP SP3.
    However, updating to IE7 may "repair" the IE browser.

    Posting errors appearing in the event logs for your IE problem should be taken to another thread once this thread reaches closure.
  3. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +35

    The two main problems:
    You have no Java running:
    Click here to download the latest version of java ( Java Runtime Environment (JRE) 6.0 Update 10 ): http://java.com/en/download/manual.jsp
    Please install it and then reboot your computer.

    You have 2 antivirus programs running. If you previously had Symantec/Norton, you need to use the Norton Uninstaller to complete the removal, as these processes are still running:

    Download the Removal Tool from here and save to the desktop- don't run yet:
    http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2005033108162039

    Reopen HijackThis and scan> Check the following processes:
    Now close all windows other than HijackThis, then click Fix Checked. Close HijackThis and reboot into Safe Mode:
    Start> Run> type in 'msconfig' without quotes> enter> Selective Startup> Startup tab> UNCHECK any Symantec or Norton processes> Apply> OK

    Start> Run> services.msc> right click on Symantec Core LC > Properties> change Startup type to Disabled> Close.

    Double-click on the Norton Uninstaller and run it.

    Delete your temp files.

    Reboot into Normal Mode> close the nag message that comes up after checking 'don't show this message again'.

    Please rerun HijackThis once more to make sure the entries are gone. Attach the log. Some of the entries appear to be missing and it may be due to the problem with IE.
  4. Constantino

    Constantino Newcomer, in training Topic Starter

    Bobbye, thank you (& rf6647) for your response. Before proceeding with your recommendations, a couple of comments -

    1) I had JRE 6.0 Update 2 or 3 and went to download the latest version (as part of the 8 Step process); it was huge and taking forever (currently dial-up, should have ADSL in a few weeks) so I cancelled the download and also uninstalled the JRE version I had, believing I did not really need it

    2) The Norton removal tool site is asking for what year the product is, but I don't remember and can't find my documentation. In folder C:\Program Files\Common Files\Symantec Shared\CCPD-LC are these 5 items:

    ez_log HTML doc, symlcrst.dll, symlctnk.dll, (next 3 are core components) symlctnk.dll, symlcnet.dll, symlcsvc
    Would opening any of them give us a clue of what year I had?

    Please advise, thanks!
  5. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +35

    Try this:
    Right click on Start> Explore> Programs> right click on Symantec (or Norton)> Properties> look for the Created date. You can also double-click to open the program, then do the right click> Properties on some of the files on the right. Should give you some idea of when you first got it. It looks like 'symlctnk.dll' may be a 2005 product. That may help you.

    You need to stop those Symantec/Norton processes. They will interfere with AVG.

    But you do need Java. There will be some features you won't be able to see or do without it.

    Go to this site and download v6u10: http://www.java.com/en/download/manual.jsp
  6. Constantino

    Constantino Newcomer, in training Topic Starter

    Downloaded the Norton Removal Tool and followed the instructions from your first message (5:03). Have attached 2 HJT logs: a = before / b = after, doing the “Fix Checked”. As you will see in the 2nd log Norton is gone, however I should tell you that in the folder - C:\Program Files\Common Files\Symantec Shared\CCPD-LC, the item - symlcrst.dll remains.

    I did not download Java (it's huge) but plan to as soon as my ADSL connection is operational…is that OK?

    My problems with IE are continuing, and when appropriate can provide additional details to those found in my initial post. Thanks Bobbye
  7. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +35

    I very rarely get to say this, but your HijackThis log doesn't look complete.

    1. There are no IE start and Search pages set up: R0, R1, R2, R3
    2. The programs do not show any browser.
    3. There are no ActiveX Objects loading: O16
    4. The only Services running are AVG and AdAware (old version)

    Use this instruction from kimsland to reset IE:
    Then, please review your Services on the sites below. Make sure the ones showing Automatic are set to Automatic. IF you have Disabled any of the Services, check the references for proper settings, then check the Dependency tab. This will show other Services that need to be running.

    Do this in Safe Mode: Start> Run> services.msc>> Review as noted:

    http://www.ss64.com/ntsyntax/services.html
    http://www.blackviper.com/WinXP/servicecfg.htm


    After you have reset IE and the Services, run HijackThis again and attach the log.
  8. Constantino

    Constantino Newcomer, in training Topic Starter

    Before proceeding with your directions I looked over the 2 services sites you suggested. Then for a couple of days I could not open IE at all, did some scans and Malwarebytes found a Rootkit.agent (log attached). Also from the task manager, I deleted 3 iexplore.exe entries thinking that was related to the IE no-access issue. Using another PC I obtained the directions from malwarehelp.org/how-to-reset-internet-explorer-6-to.html and reset my IE 6 default settings. This has enabled IE access again. Ran HJT and have attached the log (O17s suspicious?). Now ready to review Services…because I have Windows XP Pro x64 (64-bit) Service Pack 2 – should I use blackviper.com/WinXPx64/servicecfg.htm as my reference? Any other recommendations for now, thank you.

  9. rf6647

    rf6647 TechSpot Maniac Posts: 931

    I'll take the easy part.

    Use HJT, tick the O17 entries, select Fix (user discretion)
    In the next steps, perform thorough scanning

    Restart

    Update MBAM & SAS

    Until clean or no further progress is noted
    > MBAM, scan quick mode, save log

    Restarts between scans if logs indicate reboot

    SAS > preferences > scanning control > tick: close browser, tick: terminate memory threats > close

    Until clean or no further progress is noted
    > SAS > scan computer > quick scan, save log

    MBAM > complete scan
    SAS > complete scan
    HJT

    Post logs & report progress and other observations.

    FYI - included MBAM log did not report rootkit.agent.
  10. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +35

    I'd like to add some comments. The HijackThis log still does not look complete- either that or the system just plain isn't set up right:

    1. There is no Homepage. Back in Post #7, I said this:
    Regarding:
    DO NOT use System Restore. You have rootkit malware there. We will drop all the old restore points when through.

    Regarding this ISP:
    This appears to be a legitimate ISP. If it is your ISP or that of your company, it doesn't need to be removed. However, the fact that it is just now showing up indicates that something is still changing on the system.

    Have you downloaded/installed or changed anything in the system EXCEPT what we have asked you to do?

    Please clarify the issue of the ISP or company. Please clarify why there is no homepage set up for IE.
    Please clarify the Services issue. Have you gone into Services and disable any?

    Have you made the attempt to clean up files as suggested in Step #2 here:
    http://www.techspot.com/vb/topic58138.html

    Continuing to run the malware cleaning programs isn't going to fix the problem if the system isn't configured correctly. It also appears that ComboFix may be indicated rather than MBAM again.
  11. Constantino

    Constantino Newcomer, in training Topic Starter

    Bobbye, I have answered the questions from your last post –

    Have you downloaded/installed or changed anything in the system EXCEPT what we have asked you to do?
    I would say no but advise you of the following - while resetting IE 6 (instructions from malwarehelp.org/how-to-reset-internet-explorer-6-to.html) –
    1. in Temp Internet Files / Settings / View Objects, there was one item in C:\WINDOWS\Downloaded Program Files, had something to do with ActiveX, and I deleted it.
    2. a number of my settings had been set to a custom level (don’t remember under which tabs) before I changed them to default
    3. home page was defaulted to MSN but have since put it back to Google
    4. have updated to Ad-Aware 2008 (but that was after last scan logs I sent)

    Please clarify the issue of the ISP or company. Please clarify why there is no homepage set up for IE.
    Panafonet is my dial-up ISP, will change when I get a broadband connection. Maybe the reason the O17 did not show up before is that I was offline when I ran previous scans. I do have a homepage set up in Internet options / general (comment 3 above)

    Please clarify the Services issue. Have you gone into Services and disable any?
    I have only looked them over in normal mode and have not changed anything yet, based on blackviper.com/WinXPx64/servicecfg.htm, below are the instances where my services setup currently differs -

    blackviper Pro x64 default / my current settings

    1. Application Experience Lookup Service - Automatic/Disabled
    2. Background Intelligent Transfer Service – Manual/Automatic
    3. ClipBook - Manual/Disabled
    4. COM+ Event System – Automatic/Manual
    5. Network DDE – Manual/Disabled
    6. Network DDE DSDM – Manual/Disabled
    7. Performance Logs and Alerts – Automatic/Manual
    8. Universal Plug and Play Device Host – Automatic/Manual
    9. Virtual Disk Service – Manual/Disabled
    10. Windows Image Acquisition (WIA) – Automatic/Manual
    11. Windows User Mode Driver Framework – Manual/Disabled
    12. WinHTTP Web Proxy Auto-Discovery Service - Manual/Disabled

    However my current settings from above do correspond to the recommendations from the ss64.com/ntsyntax/services.html site (though could not find nos. 1, 8, 10, 11)

    Have you made the attempt to clean up files as suggested in Step #2 here:
    techspot.com/vb/topic58138.html

    I had not since my first post, have now downloaded new version of CCleaner and ran it.

    After CCleaner (forgot instructions and only did it once), ran MBAM & SAS both were clean, then HJT twice - off & online, logs attached.
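    The O17 entries discussed in posts 8 to 11 are HijackThis's rendering of the DNS server list stored per network interface in the registry. The script below is an added example, not part of the thread and not HijackThis code: it reads those same values directly and flags any statically configured server that is not in a list you trust. The $trusted list is an assumption to be filled with the ISP's published resolvers (the two addresses shown are RFC 5737 documentation addresses, not Panafonet's). As Constantino observed, a dial-up connection only has an interface key with a NameServer value while it is connected, so an entry that appears only when online and matches the ISP's resolvers is expected; an unfamiliar address that persists offline is what deserves a look.

```powershell
# Added example, not from the thread or from HijackThis: read the data that
# HijackThis shows as O17 lines (DNS servers per interface plus the machine-wide
# value) straight from the registry and flag servers outside a trusted list.
# $trusted is an ASSUMPTION: replace with your ISP's published resolver addresses
# (the two below are RFC 5737 documentation addresses, not Panafonet's).
# Read-only. Run as Administrator; works on Windows PowerShell 2.0 and later.

$trusted = @('192.0.2.53', '198.51.100.53')

$tcpip = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'

function Split-ServerList($value) {
    # NameServer is one string; XP separates entries with spaces or commas.
    if (-not $value) { return @() }
    return @($value -split '[ ,]+' | Where-Object { $_ -ne '' })
}

# Machine-wide NameServer (HijackThis lists this one as an O17 as well)
$machine = Get-ItemProperty -Path $tcpip
foreach ($s in @(Split-ServerList $machine.NameServer)) {
    if ($trusted -notcontains $s) { Write-Host "CHECK  global NameServer -> $s" }
}

# Per-interface keys: one subkey per adapter or dial-up connection, named by GUID
foreach ($key in Get-ChildItem -Path "$tcpip\Interfaces") {
    $p      = Get-ItemProperty -Path $key.PSPath
    $static = @(Split-ServerList $p.NameServer)      # set by hand, by RAS, or by malware
    $dhcp   = @(Split-ServerList $p.DhcpNameServer)  # handed out by DHCP; informational

    if (-not $static) { continue }                   # DHCP-only interface, nothing to judge

    foreach ($s in $static) {
        if ($trusted -contains $s) {
            Write-Host ("ok     {0} -> {1}" -f $key.PSChildName, $s)
        } else {
            Write-Host ("CHECK  {0} -> {1}  (DHCP offered: {2})" -f $key.PSChildName, $s, ($dhcp -join ','))
        }
    }
}

# A HijackThis "Fix" of a bad O17 entry deletes the NameServer value so the
# interface falls back to DHCP-assigned servers. The same by hand, for one GUID:
#   Remove-ItemProperty -Path "$tcpip\Interfaces\{GUID}" -Name NameServer
```

    Run it once offline and once while dialled in: a line that only appears while connected and matches the ISP is the dial-up connection's own resolvers; a line that survives both runs and points somewhere unfamiliar is the case where the Fix is warranted.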
     
  12. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +35

    I recommend you go back in and change these services:
    11. Windows User Mode Driver Framework - Manual/Disabled >> change to Manual>> needs PlugnPlay
    12. WinHTTP Web Proxy Auto-Discovery Service - Manual/Disabled >> change to Manual

    For #1: this is not a standard Service. It is added with the Windows Server download:
    The best rule to follow when customizing Services is to use the Manual Start up, not to disable it, if uncertain of its function. You appear to have this server so you need the Service to be able to run.

    For #8, Universal Plug and Play in Windows XP UpnP
    For #10, WIA, also a standard Windows XP Service, listed on the reference sites.
    For #11, Windows User Mode Driver Framework:
    Go back in and fix those Services. I'll be reviewing the HijackThis log.
  13. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +35

    We're spinning wheels here. Two weeks, no progress! Your HijackThis log is still not displaying what are 'normal' entries. Nor is it current because it's not showing what you have said you did- re homepage, updates, etc.

    No matter what you are telling me, I have to deal with the entries I am seeing in your log. If I can't see them, they aren't there!- or you're giving an out of date log.

    Continuing:
    Adobe:
    Your Adobe Reader is out of date
    Update Java:
    You are running an outdated AdAware 2007.
    ("have updated to Ad-Aware 2008 (but that was after last scan logs I sent)") Then your log is NOT current.
  14. Constantino

    Constantino Newcomer, in training Topic Starter

    Sorry…I was a little overwhelmed at first about changing Services but also could not get online for a couple of days.

    Regarding - IE Start, search pages, home page –
    all I can say is that I did the RIES for IE 6 and am not giving you out of date logs. There has to be another explanation…maybe an indication of at least part of my computer problem?

    Services
    I made a mistake on some of the services that I reported I had; I defined “disabled” as either not having certain ones listed on Blackviper, or having it and it actually being disabled. The following 3 in fact I do not have:
    1. Application Experience Lookup Service
    11. Windows User Mode Driver Framework
    12. WinHTTP Web Proxy Auto-Discovery Service

    I have changed the following 2 from manual to automatic:
    8. Universal Plug and Play Device Host
    10. Windows Image Acquisition (WIA)

    The only services I have left disabled and, based on their description (this is a home PC, not networked etc.), don't feel I need are: Alerter, Clipbook, Human interface device access, Messenger, Network DDE, Network DDE DSDM, Routing & remote access, Telnet.

    Have installed FoxIt Reader & uninstalled Adobe. Since the FoxIt site (and a number of others) required a credit card number for other “free” product offers, downloaded from www.brothersoft.com/foxit-pdf-reader-129745.html, also tried www.techspot.com/downloads/2713-foxit-reader-beta.html but link did not work.

    As mentioned in previous posts I would like to wait till have ADSL connection (~ 3 weeks) before downloading Java - JRE, assumed that was OK.

    I recently downloaded Ad-Aware 2008 version 7.1.0.11 and it is updated; the 2009 you suggested actually requires the 2007 shell. Ran it & found a malware. Also, don't know if it is significant but there appears to be a discrepancy between removed/quarantined
    - Detailed Statistics – win32.backdoor.sinowal. Items found 2; Items removed 1
    &
    - Log
    Number of infections found: 79
    Critical: 2
    Privacy Objects: 77
    Infections deleted: 79
    Total infections quarantined: 2
    Total infections ignored by scanner: 0

    Chronological summary of all infections (including previous posts):
    AVG
    - JS/Downloader.agent
    (and while running CCleaner)
    - Trojan horse backdoor.generic10.SMQ

    Malwarebytes
    - (2) wsn.poem Trojan.Agent

    Malwarebytes
    - Rootkit.agent

    Ad-Aware
    - win32.backdoor.sinowal

    I have not attached another HJT log as the only change I noticed was that Adobe is gone.
  15. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +35

    Change to MANUAL
    These Services are okay Disabled: Remember, always check the Dependency tab when changing Service Startup. Note- BlackViper site page for WinXP64bit, SP2 is:
    http://www.blackviper.com/WinXPx64/servicecfg.htm
    This is not the case. Apparently you didn't click on the 'Get it Free' button. I have FoxIt and I have frequently recommended it. The FoxIt Reader on the home site does NOT require a credit card. It is free, so are the updates. There are additional 'paid' products which "include" the FoxIt Reader. But Reader alone is free.

    Please advise system status. If stable, we can remove the cleaning tools as follows:
    Clear your existing System Restore points and establish a new clean restore point:
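    Posts 3, 7, 12, 14 and 15 all come back to the same rule: before a service is disabled, look at its Dependency tab, and prefer Manual to Disabled when unsure. The script below is an added example, not part of the thread, that does that check in one pass for a whole list of services. The $toDisable list is the set Constantino reported leaving disabled in post 14, by their short service names, which is an assumption about how they are named on his machine; substitute your own. It is read-only unless the commented Set-Service line at the end is used.

```powershell
# Added example, not from the thread: the "check the Dependency tab" advice
# done in one pass for a list of services. $toDisable is ASSUMED to be the
# short names of the services Constantino left disabled in post 14;
# replace it with your own. Read-only unless you uncomment the last line.
# Works on Windows PowerShell 2.0 and later; run as Administrator.

$toDisable = @('Alerter', 'ClipSrv', 'HidServ', 'Messenger', 'NetDDE',
               'NetDDEdsdm', 'RemoteAccess', 'TlntSvr')

function Get-StartMode($name) {
    # Older Get-Service exposes no start type, so take it from WMI
    # (values: Boot, System, Auto, Manual, Disabled).
    $w = Get-WmiObject -Class Win32_Service -Filter "Name='$name'"
    if ($w) { return $w.StartMode } else { return 'not installed' }
}

foreach ($name in $toDisable) {
    $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
    if (-not $svc) {
        Write-Host "$name : not installed on this system (nothing to disable)"
        continue
    }
    Write-Host ("{0} [{1}] start mode: {2}" -f $svc.DisplayName, $name, (Get-StartMode $name))

    # Upper half of the Dependencies tab: what this service needs in order to run.
    foreach ($d in $svc.ServicesDependedOn) {
        Write-Host ("    requires   {0} [{1}]" -f $d.DisplayName, (Get-StartMode $d.Name))
    }
    # Lower half: what needs this service. Disabling $name silently breaks each
    # of these, so flag any that are still set to start automatically.
    foreach ($d in $svc.DependentServices) {
        $mode = Get-StartMode $d.Name
        $note = ''
        if ($mode -eq 'Auto') { $note = '   <-- Automatic service would break; use Manual instead' }
        Write-Host ("    needed by  {0} [{1}]{2}" -f $d.DisplayName, $mode, $note)
    }
}

# The safer setting when unsure is Manual, not Disabled (post 12). For example:
#   Set-Service -Name NetDDE -StartupType Manual
```

    Any service printed with the "Automatic service would break" note should be left at Manual rather than Disabled; a Manual service still starts on demand when a dependent asks for it, which is exactly the behaviour the Dependency tab is warning about.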
  16. Constantino

    Constantino Newcomer, in training Topic Starter

    I wanted to confirm with you that my system is stable before proceeding with OTCleanIt. I believe it is, though the IE issues remain - pretty much as described in my very first post, as well as no IE start and Search pages set up (HJT log attached)

    Another symptom, although probably the least of my worries: for the past couple of months the theme periodically changes upon start-up from Windows Classic to Windows XP even though I keep changing it back (task manager > display > themes).

    I also decided to redo the complete 8 step process (for a 2nd time) – the SAS was clean, but MBAM (log attached) found this

    Trojan.Downloader
    C:\System Volume Information\_restore{A2740E0A-AF91-4F7E-B0E2-8E6FFC29790E}\RP97\A0063877.sys

    noticed the location is similar to 11/15 scan (from log in previous post)

    Rootkit.Agent
    C:\System Volume Information\_restore{A2740E0A-AF91-4F7E-B0E2-8E6FFC29790E}\RP91\A0062110.sys

    Should I proceed with OTCleanIt & System Restore now? Thank you.
  17. Blind Dragon

    Blind Dragon TechSpot Evangelist Posts: 4,048

    First I wanna look a little deeper at your system.

    Download random's system information tool (RSIT) by random/random from here and save it to your Desktop.
    • Double click on RSIT.exe to run.
    • Click Continue at the disclaimer screen.
    • Once it has finished, two logs will open.
    • log.txt <will be maximized and info.txt <will be minimized
    • Please post the contents of both logs in the next reply.

    You also seem to be missing some updates from microsoft. Please visit www.update.microsoft.com after running RSIT
  18. Constantino

    Constantino Newcomer, in training Topic Starter

    Attached are the RSIT logs. The first time I downloaded it I made a mistake and it went to a temp file that I now can't find; it is also on my desktop. I know not having the MS updates is a problem but it is probably not something I can/should do right now. Thank you & Bobbye very much for your assistance.
  19. Blind Dragon

    Blind Dragon TechSpot Evangelist Posts: 4,048

    Ok, first disable AVG real time monitoring - right click it in the system tray and check/uncheck to disable it

    Combofix
    • Download Combofix to your desktop.
    • Double click combofix.exe & follow the prompts.
    • A window will open with a warning.
    • When the scan completes it will open a text window. Please attach that log back here together with a fresh HJT log.
    Caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. Combofix is a very powerful tool so please do NOT do anything without instruction

    Combofix will automatically save the log file to C:\combofix.txt
  20. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +35

    Thank you Blind Dragon.
  21. Constantino

    Constantino Newcomer, in training Topic Starter

    Attached are the 2 logs. There already seem to be signs of improvement, I will await your comments, thanks.
  22. Blind Dragon

    Blind Dragon TechSpot Evangelist Posts: 4,048

    One more scan to be sure

    ====================================

    Run Kaspersky Online AV Scanner

    In order to use it you have to use Internet Explorer.
    Go to Kaspersky and click the Accept button at the end of the page.

    Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the licence, click on the Zoom tool located at the right bottom of the IE window and set the zoom to 75 %. Once the license accepted, reset to 100%.
    • Read the Requirements and limitations before you click Accept.
    • Allow the ActiveX download if necessary.
    • Once the database has downloaded, click Next.
    • Click on "My Computer"
    • When the scan has completed, click Save Report As...
    • Enter a name for the file in the Filename: text box and then click the down arrow to the right of Save as type: and select text file (*.txt)
    • Click Save - by default the file will be saved to your Desktop, but you can change this if you wish.
    Attach the report into your next reply
  23. Constantino

    Constantino Newcomer, in training Topic Starter

    The Kaspersky scanner got stuck twice at the same point -

    Scan is running (21%)
    Now scanning: VBAOL10.CHM
    Location: C:\Program Files...Office\Office10\1032

    Up to there it had not found anything and I waited 15-20 minutes each time to see if would start again.
  24. Blind Dragon

    Blind Dragon TechSpot Evangelist Posts: 4,048

    Trend Micro Housecall Free Online Scanner

    • It's one of the very few online scanners that will actually disinfect viruses etc.
    • First Open Internet Explorer
    • Go to Trend Micro's Housecall website which can be found HERE
    • Click on the link that says "Scan now. It's Free"
    • A new tab will open where you will have to tick a box to agree to the terms of service.
    • Click "Launch House Call"
    • Follow any additional on screen instructions
    • Select any infections then Fix Checked after the scan
  25. Constantino

    Constantino Newcomer, in training Topic Starter

    I had problems downloading Trend Micro Housecall due to my dial-up connection. Since I am able to get IE to work using various means, I have decided to wait ~2 weeks when hopefully I will have the ADSL connection, and then do the following:

    - install a firewall (probably Comodo)
    - redo the 8 step Instructions and if I see anything new in the logs, send them to you before proceeding further
    (from here on, would appreciate your input)
    - reset IE 6 Settings (RIES)
    - really not sure if I should do this -- redo random's system information tool (RSIT) & Combofix (also files from the 1st time I ran them are on my system, OK to leave them there)??
    - then I am inclined to try Kaspersky again; have cleared temp files so I assume the 1st download of the program is gone; researched the file it was getting stuck on (C:\Program Files...Office\Office10\1032...VBAOL10.CHM) and it appears to relate to Outlook which I do not use

    I will look forward to your instructions Blind Dragon, thank you very much!