Vicious Viruses and Horrible Horses

Finished... I think...

I've been through the 8 Step process - I did restart before running HJT and creating a log. Attached in this post should be the latest Malware and HJT logs (It's saying I can't attach the SuperAntiSpyWare log because I have already attached it in this thread).

I have noticed the amended 8 Steps - that is less confusing - thank you :)

Just a few things I want to note:

- So far the symptoms seem to be gone

- The link to the download for Malwarebytes posted in Step #4 still takes me to download a file called "downloadget.php" not "mbam-setup.exe" - I had to go to download.com to download the program.

- Every time I start Malwarebytes I get a window automatically trying to install "Easy Creator 5 Basic" though after I cancel that the Malwarebytes program comes up and works fine.

- I am still unable to uninstall earlier java updates with add/remove programs.

- The link to HijackThis in Step #7 also takes me to a file called "downloadget.php" and not "HJTInstall" - I had to go to download.com to download the program.

It seems everything is running fine. The Easy Creator install window popping up bothers me, but I can live with that I guess. I am curious about Combofix - think I'll read up on that and maybe give it a whirl - I'm guessing it couldn't hurt, right?

Thank you sooooo much kimsland for all your help, advice, and support - I thought my system was a goner and you really saved my **** - Thank you :D

If you see anything in those logs that I need to address please let me know. And if you have any suggestions on correcting the Easy Creator autoinstall coming up when I start Malwarebytes I'd be interested in hearing that too - though I think I should be fine for now. Again, Much thanks for everything.

~SGT
 
I like this line, because it kinda goes along with what I said earlier
Running the 8-step process may be all you need to do
- So far the symptoms seem to be gone

Sadly there is still one clear Trojan on your system
Please start HJT program again, and place a tick next to this entry:
O20 - AppInit_DLLs: karna.dat
Then select "Fix"

You may also want to do a search for karna.dat and then delete it
Note: As it is highly likely presently running, you may need to restart first, after you have fixed the startup in HJT of course :)

Please do that. 2 restarts required in the entire process
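For anyone following the O20 fix above, here is the same operation done by hand so the result can be checked. This is an added example, not code posted in this thread: it reads the AppInit_DLLs value that HJT reports as an O20 entry, empties it if it names the DLL, and then locates the file for deletion after the restart. Assumptions: an elevated PowerShell prompt, and that the DLL name is the one in the log (karna.dat). On Windows XP there is no LoadAppInit_DLLs gate, so anything listed is loaded into every process that maps user32.dll, which is why the file stays in use until reboot.

```powershell
# Added example (not from this thread): inspect and clear the AppInit_DLLs
# value behind an HJT "O20 - AppInit_DLLs:" line, then find the file on disk.
# Assumes an elevated PowerShell prompt; the name below is the one from the log.
$dllName = 'karna.dat'

# AppInit_DLLs lives under the "Windows" key. On 64-bit systems, 32-bit
# processes read the WOW6432Node copy instead, so check both where it exists.
$keys = @('HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows')
$wow  = 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Windows'
if (Test-Path $wow) { $keys += $wow }

foreach ($key in $keys) {
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    $value = [string]$props.AppInit_DLLs
    # LoadAppInit_DLLs gates the mechanism on Vista and later; XP has no gate.
    $gate = if ($null -eq $props.LoadAppInit_DLLs) { 'n/a (XP)' } else { $props.LoadAppInit_DLLs }
    "{0}`n  AppInit_DLLs     = '{1}'`n  LoadAppInit_DLLs = {2}" -f $key, $value, $gate

    if ($value -match [regex]::Escape($dllName)) {
        # The clean state is an empty string, so empty the value rather than delete it.
        Set-ItemProperty -Path $key -Name AppInit_DLLs -Value ''
        "  cleared AppInit_DLLs in $key"
    }
}

# A bare name in AppInit_DLLs is resolved through the normal DLL search path,
# so the file is usually in System32. It stays mapped into running processes
# until reboot: locate it now, delete it after restarting.
Get-ChildItem -Path $env:SystemRoot -Recurse -Force -Filter $dllName -ErrorAction SilentlyContinue |
    Select-Object FullName, Length, LastWriteTime
```

Run it once before the restart (the value is cleared, the file is listed) and once after (the value should still be empty and, once the file is deleted, the search should return nothing). If the value repopulates after a reboot, something that runs at startup is rewriting it, which is what the later ComboFix steps in this thread are for.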
 
Wow! You are good!

After seeing your latest post I ran HJT and fixed the suggested file then rebooted. After rebooting I went to Start -> Search and searched for karna.dat in the local hard drive + subfolders + hidden files and folders + tape backup and it found nothing. Then I ran HJT again and the file was gone! I then rebooted and repeated the search + ran HJT and still couldn't find it! I think it's gone now! And it feels sooo good!!!!

Attached is the latest HJT Log... I don't know how to thank you... I trust you understand how it feels to have such problems... and hope you understand how much I appreciate your assistance in fixing it... Thank you

Cheers,

~SGT
 
I had a little more time to view your log :)

Please go to Start > Control Panel > Add/Remove Programs and remove the following (if present):
Viewpoint Manager Service - Viewpoint Corporation


Please re-open HJT and place a tick against the following, then fix them:
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - http://dev.srtest.com/srl_bin/sysreqlab3.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www2.snapfish.com/SnapfishActivia.cab
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownload/srl/2.0.0.1/sysreqlab2.cab

Once complete, restart your computer

Please follow these steps to remove older version Java components and update.

Download the latest version of Java Runtime Environment (JRE) 6 Update 10
Scroll to Java Runtime Environment (JRE) 6 Update 10 and click on the download button
http://java.sun.com/javase/downloads/index.jsp
(if you don't want the google toolbar -- uncheck this option before installing Java.)

Click on the Accept License Agreement button
Next Select your Platform and check the box that says: "I agree to the Java SE Runtime Environment 7 License Agreement.".
Download Now! Windows Offline Installation, Multi-language

Now close all windows, including your browser.
Double click on the Java installation that you downloaded and follow the prompts.

NEXT-remove all older versions of Java
Go to Start > Control Panel double-click on the Software icon > add/remove programs.
Search in the list for all previous installed versions of Java. (J2SE Runtime Environment.... )
Select it and click Remove.
Close any programs you may have running - especially your web browser.
Repeat as many times as necessary to remove each older Java version.
Reboot your computer once all Java components are removed.

After the computer starts back up go here and autoupdate your Java to the current version: http://java.com/en/download/installed.jsp?detect=jre&try=1
(please note this process may be lengthy)

Once complete do the following:

Go to Start >> Run - type or copy/paste control sysdm.cpl,,4 & press Enter
* Tick on the checkbox - Turn off System Restore on all drives
* Click Apply
Turn it back 'On' by unticking the same checkbox & click Apply, and then OK

Finally restart once more, and supply yet another HJT log
Although I'm pretty sure you will be clean at that point :)
 
I was hoping you'd find more... something just didn't seem right

While nearly all the symptoms seem to be gone when I click or open a page I'm often hearing many multiple clicks in rapid succession even though I've only clicked once.

kimsland: I don't have viewpoint manager listed in Add/Remove Programs - so I'm okay there.

I did run HJT, checked and fixed each of the 7 items you listed and I did restart.

I have not followed your instructions for fixing my Java problem yet as I have a few questions and a couple things I want to let you know - just so I can be clear on what I'm doing.

I am currently running Java 6 Update 10. Though what I downloaded and installed was "Windows XP/Vista/2000/2003 Online" found here https://www.techspot.com/downloads/6463-java-se.html

I have noted your instructions call for
Windows Offline Installation, Multi-language

Should I be reinstalling what I originally downloaded to get me running on Java 6 Update 10 or should I try to uninstall what I have and download from your link here: http://java.sun.com/javase/downloads/index.jsp

I apologize for my late reply and for all my questions - I just want to be sure I get this right. I am going to have to work for the next few days so I will be away from my home pc. My replies may be delayed and I may not be able to work on this as soon as I'd like, though I assure you I have not mistakenly wandered off thinking everything is fixed.

As always, your expertise, advice and patience is greatly appreciated.

Thanks again.

~SGT
 
ViewPoint Manager is listed as a current startup
Please go to Start->Run-> Services.msc
Maximize the Services Window that opens
Scroll through the list, and search for ViewPoint
If found, double-click on it, and change the startup type to Disabled
Press X to close Services Window

Java 6 Update 10 is the current version
There is an automatic check found here that can confirm your installed version with: http://java.com/en/download/installed.jsp?detect=jre&try=1
Please also go to Control Panel, and confirm no other older versions exist in the list

Regarding the multiple clicks heard. Yes I have heard of this issue as well
If the Java update does not fix it, please do the following precisely:

How to use Reset Internet Explorer Settings (RIES)

To use RIES in Internet Explorer 7, follow these steps:

1. Click the Tools menu, and then click Internet Options.
(Note: pressing ALT on the keyboard will show the toolbar if hidden in IE7)
2. On the Advanced tab, click Reset.
3. In the Reset Internet Explorer Settings dialog box, click Reset.
4. When Internet Explorer 7 finishes restoring the default settings, click Close, and then click OK two times.
5. Close Internet Explorer 7. The changes take effect the next time that you open Internet Explorer 7.

Restart
 
kimsland,

Here's where I'm at:

ViewPoint Manager is listed as a current startup
Please go to Start->Run-> Services.msc
Maximize the Services Window that opens
Scroll through the list, and search for ViewPoint
If found. Double click on it, and change the startup type to Disabled
Press X to close Services Window

This has been done - I found it and Disabled it.

I may have messed up clearing the older versions of Java from Add/Remove Programs... I have verified that I am running the most current/up-to-date version of Java (6-10)... but I could not remove/uninstall older versions in Add/Remove Programs - I kept getting the error: "Fatal error during installation" ... I used "Microsoft install clean up" and they are no longer listed in Add/Remove Programs... Though I'm not sure if that means I have actually gotten rid of them or just made it so they don't show on the list... Did I mess up?

Also (since I'm not sure I correctly removed the older versions of Java) I have not performed these steps which you listed in a recent post.
Go to Start >> Run - type or copy/paste control sysdm.cpl,,4 & press Enter
* Tick on the checkbox - Turn off System Restore on all drives
* Click Apply
Turn it back 'On' by unticking the same checkbox & click Apply, and then OK

After doing the things listed above and before posting this I did restart my computer.
 
Before I head to work...

I have reset my internet explorer settings - I'm still getting the multiple clicks.

I have not cleared and reset my restore points yet as I'm not sure I'm completely clean.

I've run Avira, CClean, MalwareBytes, and SuperSpyWare all with the latest updates and they are reporting no problems - though the warnings reported by Avira do concern me -
C:\hiberfil.sys
[WARNING] The file could not be opened!
C:\pagefile.sys
[WARNING] The file could not be opened!

Attached are my latest Logs from Avira and HJT. I may not be able to get back to all this until Tuesday - but I am still interested in finding out what's going on so I will be back.

Thanks again kimsland
 
I have contacted a Virus\Malware specialist, just in case I've missed something
So if you receive other support replies please follow their guidance

It is also possible that you may have a Harddrive issue
So whilst we wait, it may be a good move to run a Diagnostics Scan on your Harddrive

Oh, the above files "The file could not be opened!" are normal, please disregard those errors
 
I have reset my internet explorer settings - I'm still getting the multiple clicks.......... as I'm not sure I'm completely clean.

I may not be able to get back to all this until Tuesday - but I am still interested in finding out what's going on so I will be back.
In a PM with Kimsland I expressed my interest in this type of problem.

I understand that your availability will not be until Tuesday or later.

I am proposing an "experiment" using ComboFix. This is using another tool that gives assessment about "residue" from using MBAM & SAS, as well as, your protections.

My particular nag involves how HJT treats O20 entries. This one specifically:
O20 - AppInit_DLLs: karna.dat
ComboFix, seems to find Registry entries for deletion that are related to O20 items "fixed" by HJT.

After applying the CFscript.txt, HJT is re-run. HJT logs are compared for differences that occur.

You can independently monitor for the mysterious clicks.

If ComboFix does not create a new quarantined txt file, this ends the experiment (CFscript step is not performed).

ComboFix instructions & Link {courtesy of Blind Dragon}

The instruction to disable AVG, applies to Avira.

From your posts thus far, you have "hit a trifecta" : TDSS, brastk, karna. As time marches on, tools improve. It appears that MBAM was successful dealing with these. In the past, ComboFix was needed.
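rf6647's plan above rests on comparing the HJT log before and after the CFScript run. The script below is an added example, not something posted in this thread: it reduces two HJT logs to their entry lines, prints what was removed and what was added, and then flags entries in the new log that match the patterns this thread has dealt with (O20 AppInit_DLLs/Winlogon lines, and O4 startup items that run .bat/.scr/.pif/.com files out of %WINDIR% or a profile's Application Data folder). The script name and the before.log/after.log file names are assumptions; the flagging rules are a heuristic, not a verdict.

```powershell
# Added example (not from this thread): Compare-HjtLog.ps1
# Usage: .\Compare-HjtLog.ps1 -Before before.log -After after.log
param(
    [Parameter(Mandatory=$true)][string]$Before,
    [Parameter(Mandatory=$true)][string]$After
)

function Get-HjtEntries([string]$Path) {
    # HJT items look like "O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE".
    # Keep only R/F/N/O lines; the header and running-process list are noise here.
    Get-Content -Path $Path |
        ForEach-Object { $_.Trim() } |
        Where-Object { $_ -match '^(R|F|N|O)\d+ - ' }
}

$b = @(Get-HjtEntries $Before)
$a = @(Get-HjtEntries $After)
if ($b.Count -eq 0 -or $a.Count -eq 0) {
    throw 'One of the files contains no HijackThis entries; check the paths.'
}

# Compare-Object tags lines present only in the reference set with "<=" (gone
# from the new log) and lines present only in the difference set with "=>".
$diff = Compare-Object -ReferenceObject $b -DifferenceObject $a
foreach ($d in $diff) {
    $tag = if ($d.SideIndicator -eq '<=') { 'REMOVED' } else { 'ADDED  ' }
    "$tag $($d.InputObject)"
}

# Heuristic second look at the new log, using the patterns seen in this thread:
# any O20 entry, and O4 items that launch script/screensaver/PIF/COM files from
# the Windows directory or from a profile's Application Data folder.
$a | Where-Object {
    $_ -match '^O20 - ' -or
    ($_ -match '^O4 - ' -and $_ -match '\\(WINDOWS|Application Data)\\[^\\]+\.(bat|scr|pif|com)\b')
} | ForEach-Object { "SUSPECT $_" }
```

Because the comparison is by exact line, an entry whose path or CLSID changed between runs shows up as one REMOVED plus one ADDED line rather than disappearing, which is exactly the case worth noticing: an O4 or O20 item that comes back under a new random file name after a fix is the sign of a component still running that re-creates its startup entry.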
 
Back to the bugs

kimsland, rf6647: Thank you both for your latest replies!

I'm still having problems - I've updated Avira, SuperSpyWare, and Malwarebytes and ran all three this afternoon - Avira and SuperSpyWare each came back clean, but Malwarebytes showed an infection - I'm also still getting the multiple clicks. I've attached the latest logs for Malwarebytes and HJT.

I'm back from work and will be spending the next couple days trying to get clean again.

As of now I'm going to try to run the diagnostic scan, then I'll see what I can do with combofix. I'll post back when I'm finished or as questions come up.

Thanks to you both for your help.

~SGT
 
Inside the MBAM log:

C:\System Volume Information\_restore{77352729-73E8-4011-88DF-D7AF06E98FD3}\RP1233\A0057144.sys (Trojan.Downloader) -> No action taken.

You missed fixing this issue
Don't worry, just do this:

Howto Clear & Reset System Restore Points

Go to Start >> Run - type or copy/paste control sysdm.cpl,,4 and then press Enter

* Tick on the checkbox - Turn off System Restore on all drives
* Click Apply

Turn it back 'On' by unticking the same checkbox & click Apply, and then OK
 
Conflicting post - Kimsland will help me delete

I consider this to be a false positive
Files Infected:
C:\System Volume Information\_restore{77352729-73E8-4011-88DF-D7AF06E98FD3}\RP1233\A0057144.sys (Trojan.Downloader) -> No action taken.
MalwareBytes/Forum has a mechanism for submitting false positives, if you are interested.

ComboFix may help decide this. This tool finishes with a check for rootkits.
 
Got it

Go to Start >> Run - type or copy/paste control sysdm.cpl,,4 and then press Enter

* Tick on the checkbox - Turn off System Restore on all drives
* Click Apply

Turn it back 'On' by unticking the same checkbox & click Apply, and then OK

Thanks for reminding me :)

I may be having trouble with the Diagnostics Scan... I'm not too good with this stuff... I went to Start >> Run - typed chkdsk /r restarted and let it run - it completed 5 of 5 stages - when it finished it said it was clean... but I should have downloaded something and ran it, right? From here - http://www.hgst.com/hdd/support/download.htm?

Sorry for the stupid questions.
 
Combofix

I ran combofix - its log and a new HJT log are attached - For some reason it wasn't detecting my internet connection at first and I could not get the latest update for combofix... Should I try it again?

~SGT
 

Attachments: log.txt, hijackthis.log
 
The prognosis is grim! And yeah - my bedside manners are terrible.

I will call in an expert to administer to your final affairs for this Hard Drive. Momok or Blind Dragon are the two names that come to mind.

I believe that this signifies the kernel level rootkit.
(((((((((((((((( Drivers/Services )))))))))))))))
.-------\Legacy_TDSSSERV.SYS
-------\Service_TDSSserv.sys

GMER.EXE from GMER net would be the real confirmation for this infection. It is a simple tool to run. It is easy to SCAN & Copy results. Only an expert can effectively use the tool to root out the infection. The kernel rootkit infection is not worth the effort, since professional help would be needed.

However, let's await a pronouncement from our expert.

[extra]
The case cited as an example of TDSS Kernal Rootkit infection is not a complete match with this problem. It is unkown if improvement in MBAB account for these differences in detection, In the example, TDSSserv.sys is similar to the names appearing above. [/extra]
 
These are the following Combofix/CFScript instructions.

  1. Open notepad and copy/paste the text in the quote box below into it:

    File::
    c:\windows\system32\REN42.tmp
    c:\windows\system32\REN41.tmp
    c:\windows\system32\REN40.tmp
    c:\windows\system32\RENF.tmp
    c:\windows\system32\RENE.tmp
    c:\windows\system32\REND.tmp
    c:\documents and settings\Bob\Application Data\yvehikewer.bat
    c:\documents and settings\Bob\Application Data\zetymiqyc.bat
    c:\windows\ycumowasy.scr
    c:\windows\sequ.vbs
    c:\documents and settings\All Users\Application Data\asadavaki.com
    c:\windows\system32\uguwufy.scr
    c:\documents and settings\Bob\Application Data\ykenunygoq.pif
    c:\windows\aduhyti.com
    c:\windows\dyqaxubi.bat
    c:\windows\system32\TDSSmtpe.dat
  2. Save this as "CFScript.txt" on the desktop.
  3. Referring to the image below, drag CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe.
    [image: CFScript.gif]

  4. ComboFix will begin to execute, just follow the prompts. After reboot (in case it asks to reboot), it shall produce a log for you. Post that log (Combofix.txt) in your next reply.
    Note: Do not mouseclick combofix's window while it is running. That may cause your system to hang

Thereafter, please post a fresh HJT log as well as the resultant ComboFix log from the above instructions as attachments into this thread.

Next, can you download and run Panda antirootkit from HERE? Post back with results.

Also, let us know the contents of this folder:
c:\documents and settings\Infected Bob
 
Give it to me straight, Doc

momok: I have completed steps 1-4 of your last post. The requested logs should be attached.

Note: Combofix was still unable to connect, download, and install its latest update.

RE: "Infected Bob" - Someone had suggested creating a separate user account; Infected Bob is the name of that account. Inside that folder are 4 folders; Infected Bob's Documents, Cookies, Desktop, and Start Menu - One star-shaped icon "Favorites" - and a DAT File called NTUSER.

I will now attempt to download and run Panda Antirootkit. I will post the results as they come.

Thank you both for your help :)

~SGT
 
Panda AntiRootkit

I have run Panda Antirootkit - Results: "No rootkits have been found."

I want to thank you all again - This time last week I was in pretty bad shape. Each time I complete your instructions I end up with fewer symptoms and things run better. I'm still getting that multiple clicking sound (status bar goes crazy reading things like ad.yeildmanager, doubleclick, yardbarker, etc.) but my pc seems much improved since I've found your help - Thank you very much.

~SGT
 
I don't speak 'Combofix', but I do look for patterns.

Deleted files timestamps
2008-10-26 17:34 . 2008-10-26 17:34 12,129 --a------ c:\windows\dyqaxubi.bat
2008-10-26 17:21 . 2008-11-06 08:53 681 --a------ c:\windows\system32\TDSSmtpe.dat

Latest Log - Does any of this come with the tools?
2008-11-07 15:02 . 2008-11-08 09:09 410,976 --a------ c:\windows\system32\deploytk.dll
2008-11-08 09:04 . 2008-11-08 09:08 <DIR> d-------- c:\documents and settings\Bob\.SunDownloadManager

SGT reports still seeing flashes in a status bar.

I realize that solutions are preferred over more questions.
 
rf6647: Latest Log - Does any of this come with the tools?
2008-11-07 15:02 . 2008-11-08 09:09 410,976 --a------ c:\windows\system32\deploytk.dll
2008-11-08 09:04 . 2008-11-08 09:08 <DIR> d-------- c:\documents and settings\Bob\.SunDownloadManager

I hope you're not asking me... 'cause I don't know :)


I have (since my last post) downloaded, installed, updated and ran SpyBot Search & Destroy, and allowed an Automatic Windows Update. SpyBot alerted to a file:

(SBI $3604910C) Settings
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusOverride (is not) dword:0

I'm not sure if I should let SpyBot "fix" this - Any Suggestions?

I've attached the "Report" file and the "Results" file from SpyBot
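On the Spybot finding quoted above: AntiVirusOverride is a Security Center setting under HKLM\SOFTWARE\Microsoft\Security Center, and a non-zero value tells Security Center to stop monitoring for antivirus, which silences the "no antivirus detected" balloon; rogue software sets it for that reason, though some legitimate security products set it too. The script below is an added example, not code from this thread or from Spybot: it prints the override and notification flags, asks Security Center which antivirus products it has registered, and provides a function that resets the overrides to 0 the way Spybot's "fix" would. Assumption: an elevated PowerShell prompt. The root\SecurityCenter namespace is the XP SP2/SP3 one; Vista and later use root\SecurityCenter2.

```powershell
# Added example (not from this thread): Security Center override flags and the
# products it knows about. Assumes an elevated PowerShell prompt.
$scPath = 'HKLM:\SOFTWARE\Microsoft\Security Center'
$flags  = 'AntiVirusOverride', 'AntiVirusDisableNotify',
          'FirewallOverride',  'FirewallDisableNotify', 'UpdatesDisableNotify'

$props = Get-ItemProperty -Path $scPath -ErrorAction SilentlyContinue
foreach ($name in $flags) {
    $v = $props.$name
    # 0 (or absent) means Security Center is monitoring/notifying normally.
    "{0,-24} = {1}" -f $name, $(if ($null -eq $v) { '<absent>' } else { $v })
}

# Registered antivirus products: XP exposes them in root\SecurityCenter,
# Vista and later in root\SecurityCenter2. Whichever namespace is missing
# simply reports "not available".
foreach ($ns in 'root\SecurityCenter', 'root\SecurityCenter2') {
    try {
        $avs = @(Get-WmiObject -Namespace $ns -Class AntiVirusProduct -ErrorAction Stop)
        if ($avs.Count -eq 0) { "{0}: no antivirus registered" -f $ns }
        foreach ($av in $avs) { "{0}: {1}" -f $ns, $av.displayName }
    } catch {
        "{0}: not available" -f $ns
    }
}

# Put monitoring back the way Spybot's fix does: override flags to 0.
function Reset-SecurityCenterOverride {
    foreach ($name in 'AntiVirusOverride', 'FirewallOverride') {
        Set-ItemProperty -Path $scPath -Name $name -Value 0 -Type DWord
    }
    "overrides reset; Security Center will warn again if no product is registered"
}
```

Read the two parts together: if Avira is listed as a registered product and AntiVirusOverride is still 1, nothing legitimate needed the override and resetting it costs nothing. If the override comes back to 1 after a reboot with no security product having been installed in between, something still on the machine is setting it.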
 
It was NOT my intention to leave you hanging, I wanted Momok to have an opportunity to examine my concern.

How is the computer running?

A safe way to test my theory is to rename the file's extension .dll --> .dlx

If it is a system file, it will come back. If it is needed, it will record as an error in the events log.

I chose to avoid file delete to accomplish this.
 
rf6647:

It was NOT my intention to leave you hanging, I wanted Momok to have an opportunity to examine my concern.
-- No worries - I didn't think I was left hanging. I know you guys are very busy - have a lot of people here who need help and lives of your own. :) I may have suspected my problems were considered resolved and my thread lost in the mix - after all the bulk of my problems seem to be gone.


How is the computer running?
-- For the most part things are good - I don't think I'm being blocked from sites anymore - the red circle with the white "X" and its popup message: "Your computer is infected" are gone - I don't think it's restarting on its own while I'm not around... But I'm still hearing multiple clicks as pages load and even though I've set IE to block 3rd party cookies scans will show tracking cookies if I surf even just 1 page after clearing the cookies. And some sites (or at least 1 that I visit regularly) will not load fully without refreshing.


A safe way to test my theory is to rename the file's extension .dll --> .dlx

If it is a system file, it will come back. If it is needed, it will record as an error in the events log.

I chose to avoid file delete to accomplish this.
-- I'm not sure what you mean here... Are you referring to this line:
Latest Log - Does any of this come with the tools?
2008-11-07 15:02 . 2008-11-08 09:09 410,976 --a------ c:\windows\system32\deploytk.dll
? Suggesting that I find and rename the extension on that file then scan it with something?

Thanks for the reply and your time. If you think it's best to delete the other thread I created today I don't mind at all if you'd help remove it - it seemed best to start a new one addressing the multiple clicks. Thanks again,

~SGT
 