How do we remove ALL residual infection?

guyzie

Hello!

I completed the 8 steps a few weeks back and the problem seemed to be under control so I didn't upload any logs. This week I noticed another infection relapse again, probably because it was never removed to begin with.

I am uploading my logs to you now and hope that you see something that may be causing this to happen.

Also is there any definitive way to remove all possible residual infection without having to reformat the computer? Any suggestions on programs that are the best "disinfectant" for viruses and malware?

Thanks,
Guy
 
The reason is because the 8 steps don't deal with a few key issues regarding infections.

The biggest issue not addressed is rootkits. We experimented with this today at the office, using the tools mentioned. At the end, we installed Kaspersky Internet Security 2009.

The second the computer rebooted after Kaspersky was updated, etc, it caught an infection. The infection was named Temp01.exe, buried deep in the folder tree, called from an entry point in the registry that absolutely none of the logs in the 8 steps pointed out.

What happens, then, is this. The rootkits, typically trojan downloaders, open up a back door to your computer. Just like the Trojan Horse in the War of Troy, they invite other infections. In no time whatsoever your computer will be infected all over again. Unless you are a professional well versed in rootkits and kernel hooks, chances are very, very high of rapid reinfestation.

If I may recommend some steps for you to effect a nearly fully automated process, it would be these:

1) Download Combofix and READ THE TUTORIAL BEFORE PROCEEDING.
2) Download Malwarebytes
3) Download Hijackthis
4) Download Rootkit Hook Analyzer
5) Download AVG 8 Free or Avira. I used to love Avast, but this year we've seen numerous infections that Avast can't deal with effectively, failing to remove the key components.
6) Download WinsockXP Fix

It is of utmost importance that you follow these steps precisely. If I incorporate it into a guide I will incorporate details from the 8 step guide. For now, use that guide as a reference for tips on how to use the programs mentioned.

Run Combofix in Safe Mode (Press F8 repeatedly after the BIOS post screen). Tutorial and current status is here. It is important that you read the tutorial before proceeding!

Restart in normal mode and remove any old protections, including Spybot. Removal tools are available for AVG, Norton and McAfee.

Install/update AVG8 or Avira. Preferably AVG8 due to its superior antimalware/rootkit component. Avira Antivir Pro is the good one, but it's a paid product. The other two best paid products are Eset NOD32 and Kaspersky.

Install/update Malwarebytes.

Do a full system scan with Malwarebytes. AVG 8 will pick up little pieces along the way with its Resident Shield. Quarantine them. At the end of the scan, click "view results" and then "repair all unhealed infections".

Do a file cleanup and registry cleanup with CCleaner (uncheck the installer category before analyzing/repairing). Do NOT forget to save a backup of the registry before cleaning all entries (you will be prompted for this). The reason for doing the CCleaner registry cleanup now and not earlier is because it will remove broken registry entries left behind from the malware cleanup, especially in the case of removing infections called from abnormal entry points.

IMPORTANT NOTE!: It is absolutely imperative that you save a backup. CCleaner can break your HP printer driver install, necessitating a reinstall of the driver disk. It can also break applications served up by a terminal server or installed from remote locations. To avoid this, uncheck the "application paths" category. You can quickly recover the repairs by double clicking on the backup file and saving it back to the registry.

Do a scan with Hijackthis and save the log. Do not edit any of the entries at this point.

Do a rootkit scan with Rootkit Hook Analyzer (click on Analyze). When the scan is done, do NOTHING except click the Export button and export the log to a text file.

Finally, at the end, do all Windows updates, java, flash and shockwave to address key vulnerabilities. Be careful if you have an AMD based machine, especially HP and Compaq, in installing SP3. There is a file in the system32\drivers folder called intelppm.sys that will cause the computer to blue screen on reboot every time until you rename/remove it (this can be done from Safe Mode).

If, at the very end, you can't connect to the internet, run WinsockXP Fix if you run Windows XP. If you run Vista, right click on the network connection and click diagnose/repair. Finally, restore your browser defaults (under Tools > Options > Advanced).

Directions on how to use most of these tools are in the 8 step removal process thread.

Upon completion, post all logs in this thread and I'll take a look at them for you. As you may have been able to tell, I combat infections professionally, numerous times a day. 99 times out of 100, we do a complete repair without reformat. In other words, I'm very, very good at what I do. :) Many moons ago I used to distribute infection code on a BBS. These infections were capable of totalling hard drives and even motherboards and modems. Fortunately I grew up and now fight for the other side.
 
guyzie, I would like to offer you an alternative cleaning program. You are free to follow whichever you want:

First, IF you did a System Restore, it is possible that you have reinfected the machine. Malware has been found in the restore points:
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D34DC7D9-5069-4FEB-891F-37A59618FF48}\RP504\A0086883.DLL

These are protected files and because of that, malware cleaning programs do not remove it. We have you drop all of the old restore points at the end of cleaning and set a new, clean restore point. If you did a cleaning previously and weren't told about this, that may be why you got reinfected.

The primary malware is Vundo. There is a special removal program for that which I offer you:
VundoFix:
Please download VundoFix.exe HERE
Save it to your desktop.
1. Double-click VundoFix.exe to run it.
2. Click the Scan for Vundo button.
3. Once it's done scanning, click the Remove Vundo button.
4. You will receive a prompt asking if you want to remove the files, click YES
Once you click yes, your desktop will go blank as it starts removing Vundo.
5. When completed, it will prompt that it will reboot your computer, click OK.
Please attach the C:\vundofix.txt and a new HiJackThis log.

Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.

Remove bad HijackThis entries
• Run HijackThis
• Click on the System Scan Only button
• Put a check beside the item listed below (if present):
O20 - AppInit_DLLs: C:\WINDOWS\system32\buzalevu.dll c:\windows\system32\soviveri.dll
• Close all open windows and browsers/email, etc...
• Click on the "Fix Checked" button
• When completed, close the application and boot into Safe Mode:

Right click on Start> Explorer> Windows> System 32> then go up to Tools> Folder options> View tab> CHECK 'show hidden files & folders'> Apply> OK. Type in each of the files below. If found: right click> delete:
buzalevu.dll
FYI: The filename is associated with the malware groups:
* Malware Downloader
* Cloaked Malware
BUZALEVU.DLL has been the subject of the following behavior:
* Added as a Registry auto start to load Program on Boot up
* Created as a process on disk
* The process is hooked into all running processes which could allow it to take control of the system or record keyboard input, mouse activity and screen contents
soviveri.dll
FYI: The filename is associated with the malware groups:
* Fraudulent Security Program
* Worm
* Malicious Software
One or more files with the name SOVIVERI.DLL creates, deletes, copies or moves the following files and folders:
* Deletes c:\windows\system32\sejuvoma.dll
* Deletes c:\windows\system32\mrt.exe
Reboot into Normal Mode. Rescan with HijackThis and attach both logs.

It is very likely that you may not find these files. Depending on the followup logs for the Vundo Fix and HijackThis, we may use a program called KillBox to find and remove them.

Some of us handle the cleaning process differently. It is my preference to address what I see in the logs, then go from there. Please feel free to choose whichever method you are the most comfortable with.

Either way, do NOT use the System Restore function while cleaning.
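The O20 AppInit_DLLs line above is the kind of entry a helper looks for in a HijackThis log. As an added example (not code from this thread, from HijackThis or from any tool named here), this Python script parses O20 lines out of HijackThis-style output and marks the DLL names called out in this thread; the sample log lines are constructed, and it assumes AppInit_DLLs entries are separated by spaces or commas with no embedded spaces.

```python
import re
from pathlib import PureWindowsPath

# HijackThis lists the AppInit_DLLs registry value as an "O20" line. The value
# is a space- or comma-separated list of DLL paths; this example assumes no
# path contains spaces, which is what the quoted log line shows.
O20_RE = re.compile(r"^O20 - AppInit_DLLs:\s*(?P<dlls>.*)$", re.IGNORECASE)

# DLL names called out in this thread as Vundo components.
KNOWN_BAD = {"buzalevu.dll", "soviveri.dll", "sejuvoma.dll"}

# Constructed sample of HijackThis-style lines: the O20 line is the one quoted
# in the thread, the other two are plausible clean entries made up for this example.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O20 - AppInit_DLLs: C:\WINDOWS\system32\buzalevu.dll c:\windows\system32\soviveri.dll
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies - C:\PROGRA~1\AVG\AVG8\avgemc.exe
"""


def parse_appinit_dlls(log_text: str) -> list[str]:
    """Return every DLL path listed on O20 AppInit_DLLs lines, in log order."""
    found = []
    for line in log_text.splitlines():
        m = O20_RE.match(line.strip())
        if not m:
            continue
        # AppInit_DLLs separators are spaces or commas; drop empty tokens.
        found.extend(tok for tok in re.split(r"[\s,]+", m.group("dlls")) if tok)
    return found


def review_appinit(log_text: str) -> list[dict]:
    """Classify each AppInit_DLLs entry.

    On a clean Windows XP machine AppInit_DLLs is normally empty, so every
    entry deserves a look; entries whose file name matches the names from
    this thread are marked known_bad, the rest are left for manual review.
    """
    findings = []
    for path in parse_appinit_dlls(log_text):
        name = PureWindowsPath(path).name.lower()
        findings.append({
            "path": path,
            "name": name,
            "known_bad": name in KNOWN_BAD,
        })
    return findings


if __name__ == "__main__":
    for f in review_appinit(SAMPLE_LOG):
        verdict = "KNOWN BAD" if f["known_bad"] else "review"
        print(f"{verdict:9} {f['path']}")
```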
 
System Volume Information files are not protected. You can't access the folder from My Computer without taking control of it and giving yourself access permissions, but AVG 8 will actually scan that folder and remove the infections (spoken from plenty of experience).
 
Ignorance is not bliss when it comes to computer information:

To gain access to the System Volume Information folder, use the steps in the appropriate section.
http://support.microsoft.com/kb/309531
Microsoft Windows XP Professional or Windows XP Home Edition Using the FAT32 File System
1. Click Start, and then click My Computer.
2. On the Tools menu, click Folder Options.
3. On the View tab, click Show hidden files and folders.
4. Clear the Hide protected operating system files (Recommended) check box. Click Yes when you are prompted to confirm the change.
5. Click OK.
6. Double-click the System Volume Information folder in the root folder to open it.

Windows XP Professional Using the NTFS File System on a Domain
1. Click Start, and then click My Computer.
2. On the Tools menu, click Folder Options.
3. On the View tab, click Show hidden files and folders.
4. Clear the Hide protected operating system files (Recommended) check box. Click Yes when you are prompted to confirm the change.
5. Click OK.
6. Right-click the System Volume Information folder in the root folder, and then click Sharing and Security.
7. Click the Security tab.
8. Click Add, and then type the name of the user to whom you want to give access to the folder. Choose the account location if appropriate (either local or from the domain). Typically, this is the account with which you are logged on. Click OK, and then click OK again.
9. Double-click the System Volume Information folder in the root folder to open it.
Windows XP Professional using the NTFS File System on a Workgroup or Standalone Computer
1. Click Start, and then click My Computer.
2. On the Tools menu, click Folder Options.
3. On the View tab, click Show hidden files and folders.
4. Clear the Hide protected operating system files (Recommended) check box. Click Yes when you are prompted to confirm the change.
5. Clear the Use simple file sharing (Recommended) check box.
6. Click OK.
7. Right-click the System Volume Information folder in the root folder, and then click Properties.
8. Click the Security tab.
9. Click Add, and then type the name of the user to whom you want to give access to the folder. Typically, this is the account with which you are logged on. Click OK, and then click OK again.
10. Double-click the System Volume Information folder in the root folder to open it.
NOTE: The System Volume Information folder is now accessible in normal mode to users of Windows XP Home Edition.

Using CACLS with Windows XP Home Edition Using the NTFS File System: see site
 
Anti-Virus Software:
AVG Technologies Free Edition
"......so it can as easily restore an infected file if it had been in a protected area, effectively re-infecting your computer right after you have cleaned it. Because of this, it is recommended to turn off System Restore before you test, and when you're done, turn it back on so you are still protected from standard computer problems."
http://freeforum.avg.com/read.php?4,27725,27725

Spybot Forums: Reply to AVG user:
Let's reset system restore
Reset and Re-enable your System Restore to remove infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs changing those files. This is the only way to clean these files: You will lose all previous restore points which are likely to be infected. Please note you need Administrator Access to clean the restore points.
1. Turn off System Restore.
2. Reboot.
3. Turn ON System Restore.

Every AVG user with malware is being advised to clear the restore points by the 'turn off/reboot/turn on' action. Even AVG Command prompts DON'T have anything to remove restore points.
 
It is it is.. So many people with paper smarts and no/minimal real world experience to back it up.

We use and recommend AVG 8 Free every day of the week. I can tell you, 100% for certain, due to real, hands on experience, that AVG 8 does indeed scan and clean the System Volume Information folder.

Take it for whatever it's worth, but it is truly the difference that experience makes....which is why I don't hire fresh blood out of the A+ program...

And of course... I should probably mention that we use other tools for computer repairs (yes, we do them in the real world, not just "cyber tech" on a message board) that actually completely bypass NTFS permissions...

This antique advice of deleting the system restore to prevent reinfection is very much last decade if you actually recommend, know and use the *right* tools. If a Snap-on tool does 10 times the job the Powerfist equivalent does, you use a Snap-on. The customer doesn't give a darn if you don't like Snap-on, or are personally biased against it.. All they care about is that you fix their car and it doesn't break a week later.

But.. suit yourself. We've already seen what happened the first time around. It's kinda like putting bandages on Herpes or spray paint on a rust spot. It's fine I guess.. It gives them something to do.. But unfortunately it doesn't address the concern you put forth in your OP.

EDIT: There's also a little known etiquette in this forum about more than one person trying to help. Kimsland has acknowledged this and follows that practice. It's a shame these posters don't do the same. They had their chance to bash my suggestions in the "suggestions" forum and gave a "bandaid" solution based on those statements that obviously didn't work. Maybe it's time to step aside and let someone else take a crack at it.
 
asweston, I am getting tired of you ranting about your 'experience' at the loss of anyone else having any!
So many people with paper smarts and no/minimal real world experience to back it up.
You continue to fling these insults when you know nothing about the people you are referring to. Some of us have been handling the cleanings here well before you came on. Many of us have different backgrounds and experience. But NONE of us have had to defend ourselves for what we know and don't know.

EDIT: There's also a little known etiquette in this forum about more than one person trying to help.
Those of us who help out here and know what we're doing do not hesitate at all to ask for assistance if we think we need it. See, that's the big difference- we know our limitations- you don't. I offered this person a reasonable path for the cleaning, omitting all the extra downloads and scans you suggested. I wait until I see what I am dealing with- then decide if and which special programs need to be added.

Some of the helpers do have more experience and they have gained it by using both 'hands on' and 'hands off.' I bow to their expertise if I need it and have no problem telling the person who has the problem that I am going to ask for additional help. This isn't an ego trip- I am not threatened by the knowledge of others. But rather I use it when I need it.
 
You mean this thread in the Feedback forum: https://www.techspot.com/vb/topic119938.html

Yes you may want to read the last replies added recently ;)

Not really, but thanks anyways. I put forth an idea, it wasn't received well.. The end.

Well, before this thread turns into a flamefest, I'll just say this thread is living proof of what I've spoken about all along, including the thread you referenced, and now it's up to the individuals seeking help which approach they wish to take.

Claims...and results...are obviously two different things.

And thus I have nothing further to add until the poster posts the logs I asked for.
 
Thank you all very much for your help and explanations! There is clearly a lot of information here that I will need to read through before everything is clean on my end. I will check in once all these processes have been run!

Thanks so much once again. It is clear to me that you guys care very much about the work you do!

Kudos!!!
:)
 
Hi again guys!

So I've completed all the tests you've suggested for me and here is a breakdown of tests that were run:

- ComboFix
- Rootkit Hook Analyzer (aka SanityCheck?)
- MalwareBytes
- WinSock XP Fix
- AVG 8 Internet Security installed and run
- VundoFix


After running ComboFix, I ran Rootkit Hook Analyzer and everything seemed ok. I ran MWB and ran WinSock Plus. Installed AVG 8 and it is way more effective than Avast. It was installed, cleaned, and removed infections. Real-time scanning an added plus!

I decided after installing AVG 8 to run Rootkit Hook Analyzer and it caused a "Blue Screen of Death" twice when I ran it. So I skipped this and tried a Winsock XP Fix again after removing infections with AVG8. This "reset" the registry I think and I had to reinstall AVG8 for the firewall function to work again.

Lastly, VundoFix was installed and found no other infections on my system which made me happy!

Also I wanted to know if Avira AntiVir Pro is better than AVG 8 Internet Security (or vice versa) and how it is better, or any other packaged solution. Price is no issue.

Please let me know from your analysis what final items need to be removed to finish the infection!


Thanks for all your support and expertise!!
 
Please un-install:
SUPERAntiSpyware
AVG8 and then run the removal tool
SpybotsSD (if installed)
ComboFix
Then Restart

Install Avira free AntiVirus
Do a full scan
And we may find out if it is better or not ;)
 
Wow!~ More viruses found!!! I also installed PC Tools Threatfire as I saw a few other people on other forums said it would provide more well rounded coverage as well. Do you think this is so? I've uploaded the logfiles!

Thanks for the help!
 
I don't find PC Tools Threatfire all that good
Avira and MalwareBytes are the best I feel ;)

Clear & Reset System Restore's Cache

Go to Start >> Run - type or copy/paste control sysdm.cpl,,4 and then press Enter
* Tick on the checkbox - Turn off System Restore on all drives
* Click Apply
Turn it back 'On' by unticking the same checkbox & click Apply, and then OK

Restart

How does it seem to be performing now?
 
As far as I could see in your original HijackThis log (Post #1, then again later in Post #14), the antivirus program you had in the system was AVG v8. But later you state:
"Installed AVG 8 and it is way more effective than Avast. It was installed, cleaned, and removed infections. Real-time scanning an added plus!"

You asked:
"if Avira AntiVir Pro is better than AVG 8 Internet Security (or vice versa) "
and it was suggested that you "uninstall AVG v8 and install Avira."

On Post #16, you state you installed: " Threatfire" and left a scan report named AVSCAN. Upon investigation of the name AVSCAN, I find:
AVScan is an AntiVirus scanner front end for ClamAV.
A front end for the Clam AntiVirus scanner using Endeavour Mark II. Features a scan list for frequently scanned locations, freshclam update support, and command line calling from Endeavour.
Clam AntiVirus is an open source (GPL) anti-virus toolkit for UNIX, designed especially for e-mail scanning on mail gateways.
http://www.clamav.net/

So it would appear that you used either an online or on demand scanner. That log states that 28 viruses and/or unwanted programs were found and 28 files were moved to quarantine. The next move would be yours- to delete those files from quarantine, rescan and see if those files remain deleted.

Unfortunately some digression in your problem occurred and you were told to run additional scans with additional programs, but nothing was followed up.

At this point I will say: work with the antivirus program you have. Update and scan. See what is found and make sure it is put in the virus vault or quarantined. Once there, it will not affect your system and you may delete it. It does not sound like you are doing the last step. You have no consistency in your security program handling and until you do, you are not going to have control over this problem.

Not all AV programs scan exactly alike. Some have a record of finding more false positives than others and you could probably run 6 scans with 6 different programs and only a part of each would be exactly alike. Some lean more toward 'heuristics' where the scan is based more on "sounds like" rather than "is."
 
Hi Bobbye!

Thanks for replying so quickly. Originally, I had Avast on my system and once it was suggested that AVG8 or Avira was better I upgraded, and AVG8 starts to appear in the hijack log after my second run.

Later I was told to install Avira, so I uninstalled AVG8 and Avira produced the AVScan log you were mentioning. The bulk of the report seems to me to be Avira running a self-scan of all its components of the program and within the 2nd section of this self-scan it indicates the configuration file used by Avira to run the anti-virus scan:

AVSCAN Logfile said:
Configuration settings for the scan:
Jobname..........................: Complete system scan
Configuration file...............: c:\program files\avira\avira premium security suite\sysscan.avp"

I uploaded the log so I can get some advice on what should be deleted from the quarantine, in case it was a false positive. Aside from that, the previously detected infections have been deleted that were detected by AVG8.

Since Avira Premium Security Suite caught what AVG8 missed, I'll keep Avira installed for the long haul. Just out of curiosity, Bobbye, what kind of setup do you have on your computer as far as software goes (ie. firewall, anti-spyware, anti-malware, anti-virus, anti-rootkit, etc...)

I loved the interface of the AVG8 Internet Security Suite which was bundled with all the above mentioned protection, but the AVG8 anti-virus scan missed what Avira caught. I read that Avira's Premium Suite's main strength is its anti-virus and its other components (firewall, spyware, etc.) were lacking in intelligent decision handling, requiring constant intervention by the user while other similar programs handle these items automatically, only involving the user on important decisions.

Please let me know what you can suggest as a bundle of software or prepackaged solution to new infections!!

Thanks again so much for your help!
 
Okay, I see why I was uncertain about the AV. As for this, I think you may be surprised:
what kind of setup do you have on your computer as far as software goes (ie. firewall, anti-spyware, anti-malware, anti-virus, anti-rootkit, etc...)
1. I have Eset Nod32 antivirus.
2. I am behind a router which has hardware firewall.
3. I use the Windows firewall (software)
4. I have Spywareblaster and Spybot Search & Destroy

But the most important security practices for me are:
1. I am VERY careful when I search. I spend half the day searching and only choose the sites I am familiar with or that I think are safe.
2. I use the Firefox browser: Three of the add-ons are AdBlock Plus and the 3 Easy Lists. These keep the trash out. And Flashblock. (Firefox won't even allow a redirect of a page on the same site!)
3. I do not use file sharing sites or programs.
4. I do not click on pop-ups
5. I do regular maintenance: I have to clean Cookies several times a day. I only keep History for 3 days, then delete it all.
6. I am very rigid about accepting email- I need to know who sends it. I need to be expecting an attachment and know what it is for and even then I save it to my desktop and do a right click> scan with AV.
7. The ONLY processes I have starting up are the AV, touchpad for laptop and network process.

It's a multi-layered practice. My ISP does a good job of keeping a lot of trash out of the network also. I prefer stand alone programs rather than a suite. They use less resources and if there is a problem, I know 'which' part to look in.

I had AVG v7.5, paid, for a year. But didn't renew when v8 came out. One reason was the bundled spyware program. And I am now seeing multiple reports with getting updates. I do scan with Hijack This and Malwarebytes occasionally just to make sure something didn't get in. But I don't leave them running.

Get:
One GOOD, reliable antivirus program. We've been suggesting Avast or Avira, both free.
One GOOD firewall. I encourage using a router even if you don't have another computer to network. That will provide a hardware firewall. If getting third party firewall, get one that is bi-directional- that is, it listens at both incoming AND outgoing ports. The Windows firewall doesn't do that. We recommend Comodo or ZoneAlarm, both free.
Two or more GOOD spyware/adware programs- a combination of preventative and 'find and fix'.
 
I'd like to confirm Bobbye's post: My practice and setup is almost identical :)
 