Solved Broni: Please review these "Kitty had a snack"? logs


drwizgeek

I cleaned up this infection on a Gateway 510 Desktop using MBAM, Combofix...

I was reviewing the post-cleanup logs and found this excellent topic here:
techspot.com/vb/topic150302.html

Broni did an excellent job directing this cleanup. So much so that I decided to attach a .zip file containing my cleanup logs for Broni's review to ensure that my cleanup is complete. I thank you all in advance.

Best regards,
Wiz
 

Attachments

  • techspot_logs.zip (15.6 KB)
Welcome aboard


Please, never zip any logs. It's extra work for us. We're busy enough :)

Please, attach straight logs.
 
Here are the logs

Hello Broni:

Thank you for your prompt response. Here are the "straight logs." Thank you again!
 

Attachments

  • mbam-log-2010-08-16_combofix_cleanup (17-23-18).txt (1 KB)
  • hijackthis08-16-10after_xp_updates.log (5.9 KB)
  • dds_report_xp_updates.txt (7.8 KB)
  • attach_xp_updates.txt (18.7 KB)
  • combofix.txt (11.4 KB)
Clarification of Review Request

Hello Broni:

Thank you very much for your prompt action. I think I should clarify a few points:

1. Before I found techspot.com/vb/topic150302.html (or techspot for that matter), I had completed all those cleanup procedures, following guidelines of a couple of reputable sites such as bleepingcomputer.com and malwarebytes.com.

2. Even though I am a newcomer on techspot, I have several years of experience in computer security and malware cleanup. Yet, I was so impressed with your work that I decided to ask for your help to ensure nothing of this serious infection is left over on that PC.

3. I just reviewed your guidelines at techspot.com/vb/topic58138.html. It looks like they are not that different from the cleanup process I applied, except I used CCleaner instead of OTC. Also, I did not use GMER, but I think that is done in the Combofix scan. Here is the relevant part from its log:
...
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-08-16 18:12
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0
...

4. My friends are away from home. I will not have access to their PC until, perhaps, Sunday. Otherwise, I would have run GMER again.

5. I believe that my cleanup has been successful. Indeed, all the symptoms were gone at my last check.

Thus, I would appreciate it if you could review these logs and advise me on the best way to clean up this infection's leftover bits and pieces.

I thank you in advance for your assistance, and congratulate you on such a great job on topic150302.

Best regards,
Wiz
 
Thank you :)

3. CCleaner is a fine tool, as long as you don't touch the registry cleaning part.
Mainly for that reason, I prefer TFC, which is very straightforward and doesn't touch the registry.
The GMER section in Combofix runs only part of the full GMER scan, the MBR part, nothing else, so it's always better for me to see a whole scan.

Now, as you can see from the Combofix log, one system driver (adpu160m.sys) was infected and apparently that issue has been fixed, but re-running the GMER scan will show me if the issue is over and if there is nothing else hiding there.

A couple of registry entries shown in Combofix also need to be adjusted.
Other than that, the log looks clean.

Then we need to run a couple more scans to make sure nothing else is hanging out there, plus we need to get rid of casual garbage.
That said, you'll need access to that computer anyway.

Good job, so far, though :)
 
Thank you very much, Broni!

I really appreciate your prompt responses. I agree with you on Ccleaner's registry cleaning part, which I don't use.

I will run GMER, following your techspot.com/vb/topic58138.html guidelines, early Sunday morning, PDT. I will post the scan report then. I have noticed a few registry items in the ComboFix log that need to be fixed, as well. Please let me know how you want me to fix them.

Could you please advise on what other scans you need? I was thinking of running MBAM, Antivir, SAS, SBS&D, and Ad-Aware scans. I will download any other software that you advise in advance so that I could post the results without delay. I hope that you could review them on Sunday and advise me of what needs to be done.

Once again, thank you for taking time off your Friday evening to respond to my request.

Keep up the good work!
Wiz
 
Sounds like a plan.
For now, I'll need just GMER log and we'll go from there.
 
Please review GMER log

Hello Broni:

Please review this GMER log. The scan took more than 2-1/2 hours! I appreciate your prompt response. I am uploading this log from the infected (hopefully, now almost cleaned) desktop. I submitted all other logs yesterday. Thank you again!
 

Attachments

  • gmer.log (8.2 KB)
GMER log looks fine :)

We'll adjust those registry keys through another tool, since Combofix is rather clean and it takes a while to re-run.

Uninstall Combofix:
Go Start > Run [Vista users, go Start>"Start search"]
Type in:
Combofix /Uninstall
Note the space between the "Combofix" and the "/Uninstall"
Click OK (Vista users - press Enter).
Restart computer.

======================================================================

Download OTL to your Desktop.

* Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
* Under the Custom Scan box paste this in:

    Code:
    netsvcs
    drivers32 /all
    %SYSTEMDRIVE%\*.*
    %systemroot%\system32\Spool\prtprocs\w32x86\*.dll
    %systemroot%\system32\*.wt
    %systemroot%\system32\*.ruy
    %systemroot%\Fonts\*.com
    %systemroot%\Fonts\*.dll
    %systemroot%\system32\spool\prtprocs\w32x86\*.tmp
    %systemroot%\*. /mp /s
    /md5start
    /md5stop
    CREATERESTOREPOINT
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    %systemroot%\System32\config\*.sav
    %systemroot%\system32\user32.dll /md5
    %systemroot%\system32\ws2_32.dll /md5
    %systemroot%\system32\ws2help.dll /md5
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs

* Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open two notepad windows: OTL.txt and Extras.txt. These are saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them back here.
 
OTL Scan Results

Thanks, Broni!

Attached please find the OTL Scan Results. They proved too long to post!

Please let me know if you need any other information. Thanks, again!
 

Attachments

  • OTL.Txt (73.8 KB)
  • Extras.Txt (41 KB)
Your computer would perform much better if you added another 512MB of RAM.

=======================================================================

Update your Java version here: http://www.java.com/en/download/installed.jsp

Note 1: UNCHECK any pre-checked toolbar and/or software offered with the Java update. The pre-checked toolbars/software are not part of the Java update.

Note 2: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. If you don't want to run another extra service, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click OK and restart your computer.

Now, we need to remove old Java version and its remnants...

Download JavaRa to your desktop and unzip it to its own folder
  • Run JavaRa.exe (Vista users! Right click on JavaRa.exe, click Run As Administrator), pick the language of your choice and click Select. Then click Remove Older Versions.
  • Accept any prompts.

=========================================================================

Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    Code:
    :OTL
    O3 - HKCU\..\Toolbar\ShellBrowser: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No CLSID value found.
    O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No CLSID value found.
    O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
    O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No CLSID value found.
    O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {4E7BD74F-2B8D-469E-D0FC-E57AF4D5FA7D} - No CLSID value found.
    O4 - Startup: C:\Documents and Settings\Owner\Start Menu\Programs\Startup\CD-MENU.LNK = D:\MENU.exe File not found
    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab (Reg Error: Key error.)
    [1 C:\WINNT\System32\*.tmp files -> C:\WINNT\System32\*.tmp -> ]
    [1 C:\WINNT\*.tmp files -> C:\WINNT\*.tmp -> ]
    [1 C:\Documents and Settings\Owner\My Documents\*.tmp files -> C:\Documents and Settings\Owner\My Documents\*.tmp -> ]
    [2008/07/04 17:16:10 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Grisoft
    [2004/01/08 07:38:50 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Viewpoint
    [2008/07/04 17:20:20 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Grisoft
    [2004/02/22 20:30:00 | 000,000,254 | ---- | M] () -- C:\WINNT\Tasks\ISP signup reminder 1.job
    [2004/02/20 17:01:13 | 000,000,254 | ---- | M] () -- C:\WINNT\Tasks\ISP signup reminder 2.job
    [2004/03/06 19:30:00 | 000,000,254 | ---- | M] () -- C:\WINNT\Tasks\ISP signup reminder 3.job
    @Alternate Data Stream - 118 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:5C321E34
    
    
    :Services
    
    :Reg
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]
    "DisableMonitoring" =-
    
    :Files
    
    :Commands
    [purity]
    [emptytemp]
    [emptyflash]
    [Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • You will get a log that shows the results of the fix. Please post it.

====================================================================

Last scans...

1. Download Security Check from HERE, and save it to your Desktop.
  • Double-click SecurityCheck.exe
  • Follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.


2. Download Temp File Cleaner (TFC)
  • Double click on TFC.exe to run the program.
  • Click on Start button to begin cleaning process.
  • TFC will close all running programs, and it may ask you to restart computer.


3. Go to Kaspersky website and perform an online antivirus scan.

  • Disable your active antivirus program.
  • Read through the requirements and privacy statement and click on Accept button.
  • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  • When the downloads have finished, click on Settings.
  • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
    • Spyware, Adware, Dialers, and other potentially dangerous programs
    • Archives
    • Mail databases
  • Click on My Computer under Scan.
  • Once the scan is complete, it will display the results. Click on View Scan Report.
  • You will see a list of infected items there. Click on Save Report As....
  • Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button. Then post it here.
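The entries Broni pulls into the :OTL fix above (toolbar GUIDs with no CLSID behind them, a startup shortcut to a missing file, Internet Explorer policy restrictions, empty leftover directories, stale .job tasks and an alternate data stream) are exactly the classes of lines a reviewer scans for when reading OTL output. The following Python script is an added example, not part of this thread and not OTL's own code: it classifies OTL-style log lines into those categories so a log can be triaged mechanically before a human decides what goes into a fix. The sample lines are the ones from the fix above plus one constructed benign BHO line with a placeholder GUID and path; the category names and the regular expressions are this example's own assumptions about the OTL line format.

```python
"""Triage helper for OTL-style log lines (added example, not OTL's own code)."""
import re
from collections import Counter
from dataclasses import dataclass

# "O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {GUID} - No CLSID value found."
O_LINE = re.compile(r"^O(?P<num>\d+)\s+-\s+(?P<rest>.*)$")
# "[2008/07/04 17:16:10 | 000,000,000 | ---D | M] -- C:\path"  (files carry "() --")
LISTING = re.compile(
    r"^\[(?P<stamp>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| (?P<size>[\d,]+) \| "
    r"(?P<attrs>[-A-Z]{4}) \| [MC]\]\s*(?:\(\)\s*)?--\s*(?P<path>.+)$"
)
# "[1 C:\WINNT\*.tmp files -> C:\WINNT\*.tmp -> ]"
TMP_SUMMARY = re.compile(r"^\[(?P<count>\d+) (?P<pattern>.+?) files -> ")
# "@Alternate Data Stream - 118 bytes -> C:\...\TEMP:5C321E34"
ADS = re.compile(r"^@Alternate Data Stream - (?P<size>\d+) bytes -> (?P<path>.+)$")


@dataclass(frozen=True)
class Finding:
    kind: str    # category name (assumed by this example, not an OTL term)
    detail: str  # the key, path or pattern the finding refers to
    line: str    # the original log line


def classify(line):
    """Return a Finding for a line that deserves review, or None if it looks benign."""
    line = line.strip()
    if not line:
        return None

    m = ADS.match(line)
    if m:  # data hidden in an NTFS alternate stream is invisible to Explorer
        return Finding("alternate_data_stream", m["path"], line)

    m = TMP_SUMMARY.match(line)
    if m:  # OTL's count of temp files under a folder
        return Finding("temp_files", m["pattern"], line)

    m = LISTING.match(line)
    if m:
        path = m["path"]
        if path.lower().endswith(".job"):  # Task Scheduler job left behind
            return Finding("scheduled_task", path, line)
        if "D" in m["attrs"] and m["size"] == "000,000,000":  # empty leftover folder
            return Finding("leftover_directory", path, line)
        return None

    m = O_LINE.match(line)
    if m:
        rest = m["rest"]
        if "No CLSID value found" in rest or "Reg Error" in rest:
            # registry entry that points at nothing registered: orphan
            return Finding("orphaned_registry", rest.split(" - ")[0], line)
        if "File not found" in rest:
            return Finding("orphaned_startup", rest.split(" = ")[0], line)
        if "Policies" in rest and rest.endswith("present"):
            # IE lockdown policies are a classic malware leftover on a home PC
            return Finding("policy_restriction", rest, line)
        return None
    return None


def triage(lines):
    """Classify every line; benign lines are dropped."""
    return [f for f in (classify(l) for l in lines) if f is not None]


def summarize(findings):
    """Count findings per category, e.g. {'orphaned_registry': 6, ...}."""
    return dict(Counter(f.kind for f in findings))


# Sample input: the lines from the :OTL fix in this thread, plus one constructed
# benign BHO line (placeholder GUID and path) to show that clean entries pass.
SAMPLE_LINES = [
    r"O3 - HKCU\..\Toolbar\ShellBrowser: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No CLSID value found.",
    r"O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No CLSID value found.",
    r"O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.",
    r"O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No CLSID value found.",
    r"O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {4E7BD74F-2B8D-469E-D0FC-E57AF4D5FA7D} - No CLSID value found.",
    r"O4 - Startup: C:\Documents and Settings\Owner\Start Menu\Programs\Startup\CD-MENU.LNK = D:\MENU.exe File not found",
    r"O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present",
    r"O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present",
    r"O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab (Reg Error: Key error.)",
    r"[1 C:\WINNT\System32\*.tmp files -> C:\WINNT\System32\*.tmp -> ]",
    r"[1 C:\WINNT\*.tmp files -> C:\WINNT\*.tmp -> ]",
    r"[1 C:\Documents and Settings\Owner\My Documents\*.tmp files -> C:\Documents and Settings\Owner\My Documents\*.tmp -> ]",
    r"[2008/07/04 17:16:10 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Grisoft",
    r"[2004/01/08 07:38:50 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Viewpoint",
    r"[2008/07/04 17:20:20 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Grisoft",
    r"[2004/02/22 20:30:00 | 000,000,254 | ---- | M] () -- C:\WINNT\Tasks\ISP signup reminder 1.job",
    r"[2004/02/20 17:01:13 | 000,000,254 | ---- | M] () -- C:\WINNT\Tasks\ISP signup reminder 2.job",
    r"[2004/03/06 19:30:00 | 000,000,254 | ---- | M] () -- C:\WINNT\Tasks\ISP signup reminder 3.job",
    r"@Alternate Data Stream - 118 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:5C321E34",
    # constructed benign line (hypothetical GUID and path), expected to be ignored
    r"O2 - BHO: (Example Helper) - {11111111-2222-3333-4444-555555555555} - C:\Program Files\Example\helper.dll (Example Corp)",
]

if __name__ == "__main__":
    found = triage(SAMPLE_LINES)
    for f in found:
        print(f"{f.kind:22} {f.detail}")
    print(summarize(found))
```

Run it as a script to see one line per finding followed by the per-category counts; to use it on a real OTL.txt, pass the file's lines to `triage()`. The categories only flag lines for a human to look at: "orphaned" entries are usually harmless leftovers, while policy restrictions and alternate data streams are the ones worth reading closely.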
 
OTL Fix & Security Check Logs

I had downloaded Java V6R21 before for later installation pending this cleanup! I installed it and removed JQS.exe from startup, as you advised.

Attached please find the OTL Fix & SecurityCheck Logs.

I will run TFC and Kaspersky next. I decided to submit these logs first because the last scan takes a long time, if my memory is not failing me!

Thanks, again, Broni!
 

Attachments

  • 08222010_142336.log (14.8 KB)
  • checkup.txt (1.4 KB)
You're correct. Kaspersky may take a while...

Update Adobe Reader

You can download it from https://www.techspot.com/downloads/2083-adobe-reader-dc.html
After installing the latest Adobe Reader, uninstall all previous versions.
Note. If you already have Adobe Photoshop® Album Starter Edition installed or do not wish to have it installed UNcheck the box which says Also Download Adobe Photoshop® Album Starter Edition.

Alternatively, you can uninstall Adobe Reader (33.5 MB), download and install Foxit PDF Reader(3.5MB) from HERE.
It's a much smaller file to download and uses a lot less resources than Adobe Reader.
Note: When installing FoxitReader, make sure to UN-check any pre-checked toolbar, or other garbage.
 
Kaspersky locked up!

Sorry for the delay, Broni. But, Kaspersky locked up after ~ 3 hours at 80% scan on a 0_0_0.jpg file in a game under program files. Please advise what we should do next. Thanks!
 
Run this instead....

Please run a free online scan with the ESET Online Scanner

  • Disable your antivirus program
  • Tick the box next to YES, I accept the Terms of Use
  • IMPORTANT! UN-check Remove found threats
  • Click Start
  • Accept any security warnings from your browser.
  • Check Scan archives
  • Click Start
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push List of found threats
  • Push Export to text file , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
 
ESET Online Scanner Nearly Completed!

ESET Online Scanner was run in IE but sat at 99% complete for more than 25 min. The scan time was around 1:15 hr:min at that point. I had to stop the scan because it was getting too late for my friends. The scan had detected only 1 infected toolbar by then.

Thank you very much for your advice and understanding. I will, of course, complete the scan and report back some time this week. Please keep this topic open.

Thank you again, Broni, for such a superb job that you have done for us.

Best wishes,
Wiz
 
Thank you :)

If Eset still gives you problems....

Please run a BitDefender Online Scan

  • Disable your antivirus program.
  • Click Start Scanner button.
  • Click Start scan button
  • Allow browser plug-in to be installed when prompted.
  • Click I Agree to agree to the EULA.
  • Please refrain from using the computer until the scan is finished.
  • When the scan is finished, click on View log.
  • Notepad will open with scan results.
  • Save the report to your desktop and post its content in your next reply.

The above should be quick.
 
Will run ESET Online Scanner Soon!

Hello Broni:

Thank you very much. I would run ESET Online Scanner again as soon as I can schedule another visit with my friends. Based on our conversations last night, it may be this Wednesday or Friday. I will post the results shortly thereafter. Thank you again!
 
ESET Scan Report

Hello Broni:

I just completed the ESET scan. It found only one toolbar threat. Here is its report:

C:\troubleshooting\nero_6_update\Nero-6.6.1.15a.exe Win32/Toolbar.AskSBar application

I recall installing a Nero Patch last year to fix a conflict that had resulted from a Windows Media Player update. This conflict prevented Nero start.

Please advise if we need to take any more cleanup actions. I intend to update all the security software and Flash players and run Ccleaner and TFC, again.

Thank you again for your support and patience!
 
Correction to ESET Scan Report Post

I just found my notes for the Nero Fix. I should have said:

"I recall installing a Nero Patch last year to fix a conflict that had resulted from [upgrading to XP SP 2] ... This conflict prevented Nero start."

Please visit gateway.com/s/issues/2-1733930029.shtml for more information. Please advise if we need to take any additional cleanup actions. Today was the first time that I had access to this tower XP again. Sorry for the delay in posting the results. But, ESET Scan took quite a long time.

Thank you again, Broni, for such a great, prompt support that you have provided us throughout this cleanup process.:)
 
Unfortunately, this is today's reality.
All kinds of legit programs are trying to force some "drive-by-install" garbage.

I don't see from your OTL log that that particular toolbar is active, so you're OK.

It's always important to pay attention while installing anything, to see if some crap doesn't come along.

Said that.....

OTL Clean-Up
Clean up with OTL:

* Double-click OTL.exe to start the program.
* Close all other programs apart from OTL as this step will require a reboot
* On the OTL main screen, press the CLEANUP button
* Say Yes to the prompt and then allow the program to reboot your computer.

If you still have any tools or logs leftover on your computer you can go ahead and delete those off of your computer now.

=====================================================================

Your computer is clean

1. We need to reset System Restore to prevent your computer from being accidentally reinfected by using some old restore point(s). We'll create a fresh, clean restore point.

Turn off System Restore:

- Windows XP:
1. Click Start.
2. Right-click the My Computer icon, and then click Properties.
3. Click the System Restore tab.
4. Check "Turn off System Restore".
5. Click Apply.
6. When turning off System Restore, the existing restore points will be deleted. Click Yes to do this.
7. Click OK.
- Windows Vista and 7:
1. Click Start.
2. Right-click the Computer icon, and then click Properties.
3. Click on System Protection under the Tasks column on the left side
4. Click on Continue on the "User Account Control" window that pops up
5. Under the System Protection tab, find Available Disks
6. Uncheck the box for any drive you wish to disable system restore on (in most cases, drive "C:")
7. When turning off System Restore, the existing restore points will be deleted. Click "Turn System Restore Off" on the popup window to do this.
8. Click OK

2. Restart computer.

3. Turn System Restore on.

4. Make sure Windows Updates are current.

5. If any Trojan was listed among your infection(s), make sure you change all of your important online passwords (bank account(s), secured web sites, etc.) immediately!

6. Download, and install WOT (Web OF Trust): http://www.mywot.com/. It'll warn you (in most cases) about dangerous web sites.

7. Run Malwarebytes "Quick scan" once in a while to assure safety of your computer.

8. Run Temporary File Cleaner (TFC) weekly.

9. Download and install Secunia Personal Software Inspector (PSI): https://www.techspot.com/downloads/4898-secunia-personal-software-inspector-psi.html. The Secunia PSI is a FREE security tool designed to detect vulnerable and out-dated programs and plug-ins which expose your PC to attacks. Run it weekly.

10. (optional) If you want to keep all your programs up to date, download and install FileHippo Update Checker.
The Update Checker will scan your computer for installed software, check the versions and then send this information to FileHippo.com to see if there are any newer releases.

11. Run defrag at your convenience.

12. Read How did I get infected?, With steps so it does not happen again!: http://www.bleepingcomputer.com/forums/topic2520.html

13. Please, let me know, how your computer is doing.
 
Thank You, Broni!

It is encouraging to see that our security safe-guards are quite similar! I custom install all software to block "freeloaders." Thus, that toolbar probably was never installed.

I have completed steps 1-8 of your last instructions, including changing passwords, which I had advised them to do on a clean machine right after the infection's discovery. Steps 9-11 had to be put off until next time since I ran out of time. I was familiar with the Step-12 topic and had incorporated their advice in my security safe-guards.

13. Since I had just a bit of time left, I ran the latest HJT. I am pleased to report that the log was "as clean as a whistle!" I don't have it with me to post it now, though.

14. The machine is running just great, even with less than 512 MB of RAM! I still agree with you on adding more RAM. There are two slots available. (The other two slots are used by a pair of 256-MB sticks.) Do you recommend adding another pair of 256-MB or 512-MB sticks? (I also advised them that they should get a new PC within a year or two.)

Once again, I would like to express our appreciation for such a wonderful job you have done helping me clean this badly infected PC. It is nice to see that there are a few "good guys" that are fighting the "bad guys"!

Thank you very much, Broni!
 
You're very welcome :)

Do you recommend adding another pair of 256-MB or 512-MB sticks?
It really doesn't matter. 512MB may be cheaper.

Good luck and stay safe :)
 