Please review logs from removal 8-steps

Status
Not open for further replies.

jrajaram

Posts: 8   +0
Could someone please help me:

Issue:
I started encountering popups on my PC in IE & Firefox a couple of days ago. The browser started by itself and accessed various sites. At times IE seemed to access some site with the title "internet speed monitor".

My System Specs:
Motherboard......: ASUSTek Computer INC, Kamet2, 2.01
CPU..............: AMD Athlon(tm) XP 2600+ Socket A(462)
Sound card.......: Realtek AC'97 Audio for VIA (R) Audio Controller
Video card.......: VIA/S3G UniChrome IGP
RAM..............: 768 MB
Hard drive.......: 2 Disks: 40GB Seagate (ST340015A) and 160GB Seagate (ST3160023A)
Power supply unit: HP pavilion a410e PSU (Not able to find info as no specs on PSU)
Optical drives...: 2 Drives: ASUS CD-s480 and Toshiba DVD-ROM SD-R5112
Operating System.: Windows XP Professional Service Pack 2


Steps completed:
  • followed the steps in "UPDATED 8-step Viruses/Spyware/Malware Preliminary Removal Instructions" thread
  • Malwarebytes and SUPERAntiSpyware identified and removed "Trojan.Vundo" and "GetModule30.exe".
  • The logfiles requested in the thread are attached. (Note: I had to abort malwarebytes complete scan as I was afraid it wouldn't complete scanning all the drives during the initial run. So I ran it for each drive after completing a quick scan and have included the logs from all the runs).

Current symptoms:
No more popups. But the PC still feels a little slower intermittently.

Need help with:
  • Log file review
  • Knowing what the next steps are (if any?)
  • Need help with making sure my PC is clean: I am worried there might be some backdoor or rootkit hidden in my PC.

Thanks
jrajaram
 

Attachments

  • SuperAntiSpywareScan.txt
    16.3 KB · Views: 7
  • malware_bytes.txt
    10.8 KB · Views: 8
  • hijackthis.log
    9.5 KB · Views: 6
An extraordinary problem description complete with completed steps, remaining symptoms, and clear objectives.

HJT is the sweeper. It detected a part of the infection was not cleaned. For your situation, we will take an unusual action to perform back-to-back scans with ComboFix. From your observations, this residue is most likely no longer a threat.
O20 - AppInit_DLLs: kughce.dll


Successive scans are used to uncover additional infections, since masking is common with many infestations. When a tool reports something it cannot clean, that's when the strategy calls for a stronger scanner. The sequence for applying the scanners begins with the standard scanners (fully updated) and ends with the stronger cleaner, with a side benefit that it adds information about the comparative effectiveness among the tools.


Overview -
  • ComboFix is a very effective tool that scans / fixes hard to clean infections. Additionally, it includes diagnostic information.
  • Uninstall old copy of ComboFix - if tool was used previously


Supplement to guide. Successive scans used to uncover additional infections.
  • Update both MBAM & SAS. Rerun them both.

  • This effort is complete when logs report NO infections/threats, or report something they cannot clean.

  • Follow ComboFix instructions referenced below.

  • Examine the last few lines in the log for ‘Completion time:’ ……. ‘machine was rebooted’

  • Restart the computer, if the first run of ComboFix did not conclude with a ‘reboot’.

  • Repeat ComboFix.

  • Scan with HJT. (part of instructions for ComboFix)

  • Post logs. Report progress & what changes are observed. Include logs that found infections.




Please see this for instructions:
Temporarily Disable Real Time Monitoring Programs:


  • 1 Spybot S&D (Teatimer)
  • 2 Ad-Aware Ad-Watch
  • 3 Spywareguard
  • 4 Windows Defender
  • 5 TrojanHunter Guard
  • 6 Disable SpySweeper
  • 7 WinPatrol
  • 8 CounterSpy
  • 9 AVG Anti-Spyware (formerly ewido)
  • 10 Spyware Doctor
  • 11 Prevx
  • 12 ProcessGuard
  • 13 ZoneAlarm's OS Firewall
  • 14 Ad-Aware 2007 Service
 
Thank you rf6647 and the forum for helping us so effectively.

As per your recommendation the following steps have been completed:

  • Updated and re-ran Malwarebytes, (No malicious items detected in the log)

  • Updated and re-ran SUPERAntiSpyware scan, (2 Adware.Tracking Cookie identified and cleaned)

  • Ran (first time) ComboFix, system automatically rebooted

  • Ran (second time) ComboFix, manually rebooted

  • Ran HijackThis


Scan Logs are attached. I still see the following in HJT log:

O20 - AppInit_DLLs: kughce.dll

Please let me know my next step
 

Attachments

  • combofix_run1_log.txt
    25.5 KB · Views: 5
  • combofix_run2_log.txt
    17.2 KB · Views: 5
Both runs of ComboFix had deletions. Another run of ComboFix is needed. In consultation with another specialist, ‘kughce.dll’ will be deleted on this run by ComboFix. On that point we disagree. I do agree that it is no longer a threat.

What is your overall impression about the health of the computer? Are any symptoms still present?

I recommend the following sequence:
  • Update both MBAM & SAS
  • Rerun MBAM, quick mode.
  • Rerun SAS
  • Rerun ComboFix
  • Restart the computer
  • Scan with HJT.
  • Post the logs.
Rationale: MBAM & SAS confirm that no new infections entered the picture. A clean run of ComboFix is needed.
 
Hi jrajaram

Rich should be back soon so do the below and post results for him.

You have 1 remainder or an item Combofix can not fix.

Run Combofix again to confirm the below is gone this time!

Code:
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\xvfylojj.ini

.
(((((((((((((((((((((((((   Files Created from 2008-11-07 to 2008-12-07  )))))))))))))))))))))))))))))))
.

Mike

EDIT: Oops, we were posting at the same time, but I had a phone call! :)
EDIT2: I suggest Combofix first.
 
aka - mad hatter

Mike, at times I refer to myself as the 'mad hatter'. My sequence was an attempt to understand more about how these tools work. Rather than ask the user to test if the file existed, I was using MBAM for this. A potential side benefit would be recognition if MBAM updates cleaned up the 'malware buster' that detected the infections. I saw this for the 'karma' thingy. I think I understand that updating ComboFix throws away the history used by the program.

In the end, combofix and hjt logs are needed to analyze the current infection.
 
Rich,

Please confirm if I should be following your steps or run ComboFix as is, as per mflynn's recommendation.


Current PC symptoms: My PC is acting normal. No more popups or slowness.

Thanks again for your help
jrajaram
 
Sorry for the confusion. Follow Mike

Combofix
Restart the computer
HJT

This run of ComboFix confirms the last deletion - a final check.

I emphasise the 'restart'. An HJT scan that is run immediately after restart gives a view not cluttered with applications opened by the user.

The other steps were intended to 'prove' to me what Mike understands about the role of each tool that we use. That's right - I'm the newbie.

Some cleanup steps will follow.
 
Rich/Mike,

I have completed the following steps

  • Downloaded and re-ran ComboFix (log is attached)
  • Manually restarted PC
  • Ran HJT (log is attached)

There are no new deletions by ComboFix and the HJT log still shows
O20 - AppInit_DLLs: kughce.dll
Please let me know the next step.

Thanks
jrajaram
 

Attachments

  • combofix_run3.txt
    18.4 KB · Views: 5
Hi jrajaram

Run HJT (Scan only), select and remove the below:
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O20 - AppInit_DLLs: kughce.dll

Close HJT then run again to confirm gone.

Hold on as I am composing additional steps.


EDIT:
Download SDFix to the Desktop; among other things it includes Catchme, to look for rootkits.

http://downloads.andymanchesta.com/RemovalTools/SDFix.exe

On the Desktop run SDFix. It will run (install) then close.

Then reboot into Safe Mode

As the computer starts up, tap the F8 key several times.

On the Boot menu Choose Safe Mode.

Click through all the prompts to get to the desktop.

At Desktop
My Computer C: drive. Double-click to open.

Look for a folder called SD Fix. Double-click to enter SD Fix.

Double-click RunThis.bat. Type Y to begin.

SD Fix does its job.

When prompted hit the enter key to restart the computer

Your computer will reboot.

On normal restart the Fixtool will run again and complete the removal process then say Finished,
Hit the Enter key to end the script and load your desktop icons.

Once the desktop is up, the SDFix report will open on screen and also be saved to the SDFix folder as Report.txt.
Attach the Report.txt file to your next post.


Mike
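The two HJT lines Mike lists above (the orphaned O2 BHO with "(no file)" and the O20 AppInit_DLLs entry) are the kind of thing a log reviewer picks out by hand. As an added example, not part of this thread and not code from HijackThis, the Python below parses HJT-style log lines and flags exactly those two patterns, then lists the lines a user would tick in HJT's fix dialogue. The sample log is constructed here: it reuses the two lines quoted in this thread and adds two benign lines with placeholder names and a placeholder CLSID.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample log: the two lines quoted in this thread plus two benign
# lines whose product names and CLSID are placeholders, not real products.
SAMPLE_HJT_LOG = """\
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O2 - BHO: Example Helper - {11111111-2222-3333-4444-555555555555} - C:\\Program Files\\Example\\helper.dll
O4 - HKLM\\..\\Run: [ExampleUpdater] C:\\Program Files\\Example\\updater.exe
O20 - AppInit_DLLs: kughce.dll
"""


@dataclass(frozen=True)
class Finding:
    code: str    # HJT section code, e.g. "O2" or "O20"
    reason: str  # why a reviewer would want to look at this line
    line: str    # the log line exactly as HJT printed it


# O20 - AppInit_DLLs: <one or more DLL names, space or comma separated>
APPINIT_RE = re.compile(r"^O20 - AppInit_DLLs:\s*(?P<dlls>.*)$")
# O2 - BHO: <name> - {CLSID} - <path or "(no file)">
BHO_RE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.*)$"
)


def triage_hjt(log_text: str) -> List[Finding]:
    """Return the O2/O20 lines that deserve a second look, in log order."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = APPINIT_RE.match(line)
        if m:
            # AppInit_DLLs is loaded into every process that links user32.dll,
            # so any non-empty value is worth confirming against a known publisher.
            for dll in re.split(r"[\s,]+", m.group("dlls")):
                if dll:
                    findings.append(Finding(
                        "O20",
                        f"AppInit_DLLs loads {dll} into every user32 process; "
                        "legitimate entries are rare, verify the file's publisher",
                        line,
                    ))
            continue
        m = BHO_RE.match(line)
        if m and m.group("path").lower() == "(no file)":
            # The CLSID is still registered but its DLL is gone: an orphan
            # left behind by a removal, safe to fix in HJT.
            findings.append(Finding(
                "O2",
                f"BHO {m.group('clsid')} is registered but its DLL is missing (orphaned entry)",
                line,
            ))
    return findings


def fix_lines(findings: List[Finding]) -> List[str]:
    """The exact lines to select in HJT's fix dialogue, deduplicated, in order."""
    seen = set()
    out: List[str] = []
    for f in findings:
        if f.line not in seen:
            seen.add(f.line)
            out.append(f.line)
    return out


if __name__ == "__main__":
    found = triage_hjt(SAMPLE_HJT_LOG)
    for f in found:
        print(f"[{f.code}] {f.reason}\n      {f.line}")
    print("\nLines to fix in HJT:")
    for line in fix_lines(found):
        print("  " + line)
```

Only the orphaned BHO and the AppInit_DLLs entry are reported; the O2 line with a real path and the O4 Run entry pass through untouched, which mirrors what Mike asked the user to remove and what he left alone.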
 
Mike,

As suggested I completed the following:

  • Ran HJT Scan and fixed suggested 2 files
  • Re-ran HJT to confirm the files are gone.
  • Followed instructions and completed SDFix scan (Report is attached)

Please let me know the next steps

Thanks
jrajaram
 
Hi jrajaram

Sorry your post slipped past.

Run MBAM, click More Tools > Run Tool, copy and paste the line below into the File name: box and click OK

c:\windows\system32\xvfylojj.tmp

Run ComboFix once more to confirm a removal.

Post new HJT log.

Mike
 
Hi Mike,

As requested I have completed the steps. Combo-fix log is attached. Please let me know if additional cleaning is required.

Thanks
jrajaram
 
Mike, Rich,

Just updating this thread so it won't fall through...Please let me know if additional cleaning of my PC is required.

Thanks
jrajaram
 
The log file confirms the file deletion. Other aspects of the log are unchanged. If you are not experiencing new symptoms, then remove the tools and set a clean restore point. I will borrow from Mike's quote.

Great I think you are good to GO!

Thread closing-------------------------------------------------------------------
Please download OTCleanIt http://download.bleepingcomputer.com/oldtimer/OTCleanIt.exe

Save to desktop.

This will remove all the tools we used to clean your computer.
These tools update so often they require downloading again later if needed.

Double-click OTCleanIt.exe. Click CleanUp. Yes to the "Begin cleanup Process?"

Approve all if prompted by Firewall, Windows Defender or other guards or security programs about OTCleanIt attempting access to the Internet; allow all.

If prompted to Reboot click Yes.
OTCleanIt will delete itself when finished; if not, delete it yourself.

-------------------------------------------------------------------------------------
Run CCleaner again, twice or more, on Cleanup temps; then on the left click Registry, then Scan for issues, and also repeat until clean.

Download, install and run ATF-Cleaner; clear all except passwords in all browsers you have. Run repeatedly until no more found.

http://www.majorgeeks.com/ATF_Cleaner_d4949.html
-------------------------------------------------------------------------------------

Every 2 weeks or so run MBAM and SAS until clean. They take a while, so leave them scanning while you are sleeping, working or watching TV. If not done under the gun, they can be scheduled not to interfere with computer time.

If they find something they can not clean then get back to us.

Additionally run CCleaner.

I have been using ThreatFire for more than a year, it just went from ver 3 to ver 4.

It was designed to co-exist with other Virus scanners.

Additionally it uses a totally different process to protect. While conventional virus scanners work from definitions, ThreatFire works on recognizing virus/malware activity. It's like looking at it with 2 sets of eyes and from a different angle.

http://www.threatfire.com/Download/
-------------------------------------------------------------------------------------
Look at http://www.javacoolsoftware.com/spywareblaster.html

Run SpyBot occasionally and use the Immunize function.
http://www.safer-networking.org/en/download/

Install Hostman and allow it to disable DNS Client and select all 4 Host files and the Update
Hostman http://www.abelhadigital.com/2008/07...-released.html

A Disk scan and Defrag are in order.

Mike
 