Malware problem affecting entire comp!!!

[Zaine7673]

Hi, I have just come back from a 2 week holiday to find that my comp is infected with some sort of malware. Other members of the family has used the machine while i was away and it has been difficult for me to find the source of the problem. I have left the details below:

IE windows keep poppin up, Firefox takes you to different links than the ones you click on, overall speed of comp is slower, Antivirus and firewall are prevented from starting up, audio jitters, mouse freezes temporarily, two new unremoval startup entries (Monopod.exe & Nordbull.exe,) previously unseen background processes such as find.exe, a.exe, jqs.exe ect.

I have tried to follow the forum rules before opening this thread however when i try to use tools such as Gmer.exe, Hijackthis.exe & dds.exe I am warned with the following error message: Windows cannot access the specified device, path or file. You may not have the appropriate permissions to access the item.

I am totally baffled as to what to do at this point so I would appreciate any help at this point. I hope this information is of use. thanks to all you guys in advance.

[Blade81]

Hi,

You didn't tell what OS you're running. I assume that it's XP. Let me know if that's not right and stop following instructions further.

Download & extract this archive to your desktop. Double-click .reg file found inside and allow merging.

Then try to run DDS and GMER again.

[Zaine7673]

hey, thanks. It is XP and i have tried what you asked me however it remains the same.

[Blade81]

Hi,

Delete if C:\WINDOWS\system32\desot.exe file is found. Then try to run DDS again.

[Zaine7673]

the file you mentioned was not found in that directory.

[Blade81]

Hi,

Please save this file to your desktop. Double-click on it to run a scan. When it's finished, there will be a log called Win32kDiag.txt on your desktop. Please open it with notepad and post the contents here.

[Zaine7673]

Iv attached it as a .txt file.
at least something is workin lol

[Blade81]

Hi,

We're on right track

Open notepad and then copy and paste the bolded lines below into it. Go to File > save as and name the file fixes.bat, change the Save as type to all files and save it to your desktop.
@echo off
copy C:\WINDOWS\system32\logevent.dll c:\

Double-click on fixes.bat file to execute it.

• Download The Avenger by Swandog46 from here.
• Unzip/extract it to a folder on your desktop.
• Double click on avenger.exe to run The Avenger.
• Click OK.
• Make sure that the box next to Scan for rootkits has a tick in it and that the box next to Automatically disable any rootkits found does not have a tick in it.
• Copy all of the text in the below textbox to the clibpboard by highlighting it and then pressing Ctrl+C.
  
  Code:

  Files to move:
  c:\logevent.dll|C:\WINDOWS\system32\eventlog.dll

• In the avenger window, click the Paste Script from Clipboard, button.
• Click the Execute button.
• You will be asked Are you sure you want to execute the current script?.
• Click Yes.
• You will now be asked First step completed --- The Avenger has been successfully set up to run on next boot. Reboot now?.
• Click Yes.
• Your PC will now be rebooted.
• Note: If the above script contains Drivers to delete: or Drivers to disable:, then The Avenger will require two reboots to complete its operation.
• If that is the case, it will force a BSOD on the first reboot. This is normal & expected behaviour.
• After your PC has completed the necessary reboots, a log should automatically open. If it does not automatically open, then the log can be found at %systemdrive%\avenger.txt (typically C:\avenger.txt).
• Please post this log in your next reply.

Please save this file to your desktop. Click on Start->Run, and copy-paste the following command (the bolded text) into the "Open" box, and click OK. When it's finished, there will be a log called Win32kDiag.txt on your desktop. Please open it with notepad and post the contents here.
"%userprofile%\desktop\win32kdiag.exe" -f -r

[Zaine7673]

i think i may have ran win32kdiag.exe twice accidently. dont know if this will effect the process somehow ????

[Blade81]

Hi,

I believe it won't affect process too much.


Please visit this webpage for download links, and instructions for running ComboFix tool:

http://www.bleepingcomputer.com/comb...o-use-combofix

Please ensure you read this guide carefully and install the Recovery Console first.

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.

Please continue as follows:

1. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix, link
   Remember to re-enable them afterwards.
   
   
2. Click Yes to allow ComboFix to continue scanning for malware.

When the tool is finished, it will produce a report for you.

Please include the following reports for further review, and so we may continue cleansing the system:

C:\ComboFix.txt
DDS logs.

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix. This tool is not a toy and not for everyday use.

[Zaine7673]

YES!! DDS worked this time round. lol
I as only able to attach two logs with this reply so ill attach the other on the next post.

[Zaine7673]

here is the combofix log

[Blade81]

Hi,

There appears to be p2p file sharing programs installed there. Please take a look at this topic > Perils of P2P File Sharing
I recommend to uninstall Limewire and Vuze.

Upload following file to http://www.virustotal.com and post back a link to the results:
c:\windows\system32\sfcfiles.dll



Do you want to give explanation for this or do I have to do it:
mRun: [TrialReset] c:\windows\fix.exe


Get update 9.1.3 for Adobe Reader here or get Foxit Reader here. Make sure you don't install toolbar if choose Foxit Reader! You may also check free readers introduced here.


Uninstall vulnerable Flash version(s) by following instructions here. Fresh version can be obtained here.


Uninstall Java(TM) 6 Update 7.


Kaspersky Online Scanner

Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

• Read the requirements and privacy statement then click on the Accept button.

• The program will launch and start to download the latest definition files.

• You will be prompted to install an application from Kaspersky. Click Run

• Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
• Spyware, Adware, Dialers, and other potentially dangerous programs
  Archives

• Click on My Computer under Scan.

• Once the scan is complete, it will display the results. Click on View Scan Report.

• Click on Save Report As....

• Change the Files of type to Text file (.txt) before clicking on the Save button.

• Save this report to a convenient place.

• Copy and paste that information & fresh dds log into your topic.

• The scan will take a while so be patient and let it run. As it scans your machine very deeply it could take hours to complete, Kaspersky suggests running it during a time of low activity.

If you need a tutorial, see here

[Zaine7673]

Hi, the info info youve shown me on p2p softwares has persuaded me to uninstall them so they have now been removed.

The link to the http://www.virustotal.com results is below:
http://www.virustotal.com/analisis/5...dc7-1252442225

and maybe if you give me a hint about what mRun: [TrialReset] c:\windows\fix.exe is i can explain it... keep in mind other people do use this computer so it may be something someone else changed, installed, ran etc.

I will attach the Kaspersky report in my next post.

hey, just wanted to say thanks for helping out. theres a lot of work and settings i didnt want to loose on this comp so thanks

[Zaine7673]

here is the kaspersky report

[Blade81]

Quote:

and maybe if you give me a hint about what mRun: [TrialReset] c:\windows\fix.exe is i can explain it... keep in mind other people do use this computer so it may be something someone else changed, installed, ran etc.

Hi,

That thing is used to prolong ESET Smart Security trial and it's illegal. You have to uninstall Smart Security and install alternative antivirus program* or purchase legal license. Before that I won't go further with instructions.

These don't look legit either and have to be removed:
C:\Documents and Settings\Zaine\My Documents\All Downloads\Torrents\Windows XP Pro SP3 - Activated <-- you can't get legit XP from p2p network
C:\Documents and Settings\Zaine\My Documents\PC startup Pack\Software\wirelesskeyview <-- wireless password viewer is not needed in normal conditions

When all that is done, provide fresh DDS logs.

*) Good free antivirus programs are:
Antivir
Avast! and
AVG Free Antivirus

[Zaine7673]

hey sorry about the delay... right ok. that ESET thing has been removed. I only installed it because my brother said it was better than zonealarm (what i had before)
The windows thing has been deleted. it was an image of some sort.
and the wireless keyviewer was actually downloaded by me because it helps me to find the network key of my wireless network. the site i downloaded it from looked sorta legit but its gone anyway.

Ive attached fresh DDS logs. sorry about the inconvience.

[Blade81]

Hi,

You still need to get replacement for ESET. May want to take a look at those alternatives in my previous post.

Open notepad and copy/paste the text in the quotebox below into it:

Code:

SecCenter::
{E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
{E5E70D32-0101-4340-86A3-A7B0F1C8FFE0}
File::
C:\Documents and Settings\Zaine\.housecall6.6\Quarantine\_pmnkKbca_.dll.zip.bac_a02192
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\34HI1ZUP\wow[1].exe
DDS::
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File

Save this as
CFScript

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine. This tool is not a toy and not for everyday use.



Close all browser windows and refering to the picture above, drag CFScript into ComboFix.exe
Then post the resultant log & fresh dds.txt log. How's the system running?

[Zaine7673]

ok its all done and the comp seems to be runnin normal now. but i will give it a few days and see if it goes nuts again! lol
either way ill be sure to let you know.

thanks soooo much for your help. its appreciated the comp was driving me mad.

now i just have to decide which antivirus i should install hmm....

[Zaine7673]

ooh almost forgot this one lol