BleepingComputer.com: Malware is reborn from its ashes like a phoenix

I'm having a recurring problem with a Windows XP system. I've had a few different occurrences of malware, over a period of months. The first few times it was mostly popups, and I went through the techniques on this site to remove that. This last time it was full fledged rogue anti-spyware which practically took over the computer.

My question is how can I know if my computer is clean or if these problems will once again rise from the ashes? Also, how can I diagnose and close any vulnerabilities the machine might have. I have some free antivirus and anti-spyware protection and all of the latest updates to the operating system. I can provide any information that may be relevant.

I appreciate your time, thanks!

Hello and welcome. first let's see if we can find what is on here. You may have done these already . If so post the last infected logs of eac and then the one you'll run now. Are you still having security popups? What is your A/V and other tools installed?

Next run MBAM (MalwareBytes):

NOTE: Before saving MBAM please rename it to zztoy.exe....now save it to your desktop.

Please download Malwarebytes Anti-Malware and save it to your desktop.

alternate download link

MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (ie Spybot's Teatimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.

• Make sure you are connected to the Internet.
  
• Double-click on mbam-setup.exe to install the application.
  
• When the installation begins, follow the prompts and do not make any changes to default settings.
  
• When installation has finished, make sure you leave both of these checked:
  • Update Malwarebytes' Anti-Malware
    
  • Launch Malwarebytes' Anti-Malware
  
  
• Then click Finish.

MBAM will automatically start and you will be asked to update the program before performing a scan.

• If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  
• If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.

On the Scanner tab:

• Make sure the "Perform Quick Scan" option is selected.
  
• Then click on the Scan button.
  
• If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  
• The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  
• When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  
• Click OK to close the message box and continue with the removal process.

Back at the main Scanner screen:

• Click on the Show Results button to see a list of any malware that was found.
  
• Make sure that everything is checked, and click Remove Selected.
  
• When removal is completed, a log report will open in Notepad.
  
• The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  
• Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  
• Exit MBAM when done.

Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.



Next run ATF and SAS:
Note.. SAS doesn't open the registry hives for other user accounts on the system, so scans should be done from each user account.

Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".

From your regular user account..
Download Attribune's ATF Cleaner and then SUPERAntiSpyware , Free Home Version. Save both to desktop ..
DO NOT run yet.
Open SUPER from icon and install and Update it
Under Scanner Options make sure the following are checked (leave all others unchecked):
Close browsers before scanning.
Scan for tracking cookies.
Terminate memory threats before quarantining.
Click the "Close" button to leave the control center screen and exit the program. DO NOT run yet.

Now reboot into Safe Mode: How to enter safe mode(XP)
Using the F8 Method
Restart your computer.
When the machine first starts again it will generally list some equipment that is installed in your machine, amount of memory, hard drives installed etc. At this point you should gently tap the F8 key repeatedly until you are presented with a Windows XP Advanced Options menu.
Select the option for Safe Mode using the arrow keys.
Then press enter on your keyboard to boot into Safe Mode.

Double-click ATF-Cleaner.exe to run the program.
Under Main "Select Files to Delete" choose: Select All.
Click the Empty Selected button.

If you use Firefox or Opera browser click that browser at the top and choose: Select All
Click the Empty Selected button.
If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

NOW Scan with SUPER
Open from the desktop icon or the program Files list
On the left, make sure you check C:\Fixed Drive.
Perform a Complete scan. After scan,Verify they are all checked.
Click OK on the summary screen to quarantine all found items.
If asked if you want to reboot, click "Yes" and reboot normally.

To retrieve the removal information after reboot, launch SUPERAntispyware again.
Click Preferences, then click the Statistics/Logs tab.
Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
If there are several logs, click the current dated log and press View log.
A text file will open in your default text editor.
Please copy and paste the Scan Log results in your next reply.
Click Close to exit the program.


Please ask any needed questions,post logs and Let us know how the PC is running now.

Thanks for the reply. First here's my log from the Malwarebytes from when I got rid of the latest infection.

Malwarebytes' Anti-Malware 1.41
Database version: 3130
Windows 5.1.2600 Service Pack 3

11/11/2009 6:15:45 PM
mbam-log-2009-11-11 (18-15-45).txt

Scan type: Quick Scan
Objects scanned: 97622
Time elapsed: 6 minute(s), 2 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 2
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\AvScan (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pakhvsvv (Trojan.FakeAlert.N) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pakhvsvv (Trojan.FakeAlert.N) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\Katie\Local Settings\Application Data\mnxkan\bbvqsysguard.exe (Trojan.FakeAlert.N) -> Delete on reboot.

-----------------------------------------------------------------------------------------

Post-Infection SAS Log:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 11/11/2009 at 08:51 PM

Application Version : 4.29.1004

Core Rules Database Version : 4263
Trace Rules Database Version: 2148

Scan type : Complete Scan
Total Scan Time : 00:28:35

Memory items scanned : 213
Memory threats detected : 0
Registry items scanned : 5140
Registry threats detected : 0
File items scanned : 34352
File threats detected : 0

---------------------------------------------

Currently no problems but I'm concerned that it will reemerge as it always does. Is this the most thorough I can be or are there other things I can check?

Thanks for the reply. First here's my log from the Malwarebytes from when I got rid of the latest infection.

Malwarebytes' Anti-Malware 1.41
Database version: 3130
Windows 5.1.2600 Service Pack 3

11/11/2009 6:15:45 PM
mbam-log-2009-11-11 (18-15-45).txt

Scan type: Quick Scan
Objects scanned: 97622
Time elapsed: 6 minute(s), 2 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 2
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\AvScan (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pakhvsvv (Trojan.FakeAlert.N) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pakhvsvv (Trojan.FakeAlert.N) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\Katie\Local Settings\Application Data\mnxkan\bbvqsysguard.exe (Trojan.FakeAlert.N) -> Delete on reboot.

-----------------------------------------------------------------------------------------

Post-Infection SAS Log:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 11/11/2009 at 08:51 PM

Application Version : 4.29.1004

Core Rules Database Version : 4263
Trace Rules Database Version: 2148

Scan type : Complete Scan
Total Scan Time : 00:28:35

Memory items scanned : 213
Memory threats detected : 0
Registry items scanned : 5140
Registry threats detected : 0
File items scanned : 34352
File threats detected : 0

---------------------------------------------

Currently no problems but I'm concerned that it will reemerge as it always does. Is this the most thorough I can be or are there other things I can check?

Ok,so far were loking better as only MBAM is detecting.
Rerun MBAM (MalwareBytes) like this:

Open MBAM in normal mode and click Update tab, select Check for Updates,when done
click Scanner tab,select Quick scan and scan (normal mode).
After scan click Remove Selected, Post new scan log and Reboot into normal mode.


We Need to check for Rootkits with RootRepeal

• Download RootRepeal from the following location and save it to your desktop.
  • Direct Download (Recommended)
    • Primary Mirror
      
    • Secondary Mirror
      
    • Secondary Mirror
      
    • Secondary Mirror
    
    
  • Zip Mirrors (Recommended if you have a slower connection or if the Direct Download mirror is down)
    
    • Primary Mirror
      
      
    • Secondary Mirror
      
      
    • Secondary Mirror
    
    
  • Rar Mirrors - Only if you know what a RAR is and can extract it.
    
    • Primary Mirror
      
      
    • Secondary Mirror
      
      
    • Secondary Mirror
  
  
• Extract RootRepeal.exe from the archive (If you did not use the "Direct Download" mirror).
  
• Open on your desktop.
  
• Click the tab.
  
• Click the button.
  
• Check all seven boxes:
  
• Push Ok
  
• Check the box for your main system drive (Usually C:), and press Ok.
  
• Allow RootRepeal to run a scan of your system. This may take some time.
  
• Once the scan completes, push the button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your next reply, please.

Hi again,

I actually had to run MBAM again anyway since the infection returned randomly at full force the next day. Here is the report of that cleansing as well as the rootrepeal report you requested afterwards.

-----------------------------------------
Malwarebytes' Anti-Malware 1.41
Database version: 3168
Windows 5.1.2600 Service Pack 3

11/13/2009 10:41:38 PM
mbam-log-2009-11-13 (22-41-38).txt

Scan type: Quick Scan
Objects scanned: 96888
Time elapsed: 5 minute(s), 44 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 2
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
C:\Documents and Settings\Katie\Local Settings\Application Data\hwrdkn\trnasysguard.exe (Trojan.Dropper) -> Unloaded process successfully.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\AvScan (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fbntvpty (Trojan.Dropper) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fbntvpty (Trojan.Dropper) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\Katie\Local Settings\Application Data\hwrdkn\trnasysguard.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Documents and Settings\Katie\Local Settings\temp\572.exe (Trojan.Dropper) -> Quarantined and deleted successfully.

----------------------------------------------------

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/11/13 22:45
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: dump_iaStor.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_iaStor.sys
Address: 0x9C81E000 Size: 892928 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0x9D28C000 Size: 49152 File Visible: No Signed: -
Status: -

SSDT
-------------------
#: 041 Function Name: NtCreateKey
Status: Hooked by "<unknown>" at address 0xf7d1135e

#: 053 Function Name: NtCreateThread
Status: Hooked by "<unknown>" at address 0xf7d11354

#: 063 Function Name: NtDeleteKey
Status: Hooked by "<unknown>" at address 0xf7d11363

#: 065 Function Name: NtDeleteValueKey
Status: Hooked by "<unknown>" at address 0xf7d1136d

#: 098 Function Name: NtLoadKey
Status: Hooked by "<unknown>" at address 0xf7d11372

#: 122 Function Name: NtOpenProcess
Status: Hooked by "<unknown>" at address 0xf7d11340

#: 128 Function Name: NtOpenThread
Status: Hooked by "<unknown>" at address 0xf7d11345

#: 193 Function Name: NtReplaceKey
Status: Hooked by "<unknown>" at address 0xf7d1137c

#: 204 Function Name: NtRestoreKey
Status: Hooked by "<unknown>" at address 0xf7d11377

#: 247 Function Name: NtSetValueKey
Status: Hooked by "<unknown>" at address 0xf7d11368

#: 257 Function Name: NtTerminateProcess
Status: Hooked by "<unknown>" at address 0xf7d1134f

==EOF==
-----------------------------------

Thanks!

Hello. I see it is back. It's not in the Rootrepeal log. So....

Rerun MBAM (MalwareBytes) like this:

Open MBAM in normal mode and click Update tab, select Check for Updates,when done
click Scanner tab,select Quick scan and scan (normal mode).
After scan click Remove Selected, Post new scan log and Reboot into normal mode.


Please download Win32kDiag.exe by AD and save it to your desktop.
alternate download 1
alternate download 2

• This tool will create a diagnostic report for me to review.
  
• Double-click on Win32kDiag.exe to run and let it finish.
  
• When it states Finished! Press any key to exit..., press any key on your keyboard to close the program.
  
• A file called Win32kDiag.txt should be created on your Desktop.
  
• Open that file in Notepad, then copy and paste the entire contents starting with Running from... to Finished!) in your next reply.

Then go to > Run..., and copy and paste this command into the open box: cmd
press OK.
At the command prompt C:\>, copy and paste the following command and press Enter:

DIR /a/s %windir%\scecli.dll %windir%\netlogon.dll %windir%\eventlog.dll >Log.txt & START notepad Log.txt

A file called log.txt should be created on your Desktop and open in Notepad.
Copy and paste the contents of that file in your next reply.

Ok here are the logs

------------------------------
Malwarebytes' Anti-Malware 1.41
Database version: 3168
Windows 5.1.2600 Service Pack 3

11/14/2009 10:36:42 PM
mbam-log-2009-11-14 (22-36-42).txt

Scan type: Quick Scan
Objects scanned: 96724
Time elapsed: 5 minute(s), 34 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

--------------------------------------------

Running from: C:\Downloads\Win32kDiag.exe

Log file at : C:\Documents and Settings\Katie\Desktop\Win32kDiag.txt

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...





Finished!

----------------------------------------------

Volume in drive C has no label.
Volume Serial Number is 648D-7A1A

Directory of C:\WINDOWS\ERDNT\cache

04/14/2008 05:00 AM 181,248 scecli.dll

Directory of C:\WINDOWS\ERDNT\cache

04/14/2008 05:00 AM 407,040 netlogon.dll

Directory of C:\WINDOWS\ERDNT\cache

04/14/2008 05:00 AM 56,320 eventlog.dll
3 File(s) 644,608 bytes

Directory of C:\WINDOWS\system32

04/14/2008 05:00 AM 181,248 scecli.dll

Directory of C:\WINDOWS\system32

04/14/2008 05:00 AM 407,040 netlogon.dll

Directory of C:\WINDOWS\system32

04/14/2008 05:00 AM 56,320 eventlog.dll
3 File(s) 644,608 bytes

Directory of C:\WINDOWS\system32\dllcache

04/14/2008 05:00 AM 181,248 scecli.dll

Directory of C:\WINDOWS\system32\dllcache

04/14/2008 05:00 AM 407,040 netlogon.dll

Directory of C:\WINDOWS\system32\dllcache

04/14/2008 05:00 AM 56,320 eventlog.dll
3 File(s) 644,608 bytes

Total Files Listed:
9 File(s) 1,933,824 bytes
0 Dir(s) 66,045,595,648 bytes free

Well looks good. Tho it may be hidden from these tools and still come back as it did. If you want to get a deeper check run HJT. Now that at least we are stable you can post it ,have them certify you clean. It will be about a week as they are swamped,but they will answer you.


You will need to run HJT/DDS.
Please follow this guide. go and do steps 6 thru 8 ,, Preparation Guide For Use Before Using Hijackthis. Then go here HijackThis Logs and Virus/Trojan/Spyware/Malware Removal ,click New Topic,give it a relevant Title and post that complete log.

Let me know if it went OK.

This post has been edited by boopme: 15 November 2009 - 05:25 PM

Thank you so much for your help and attention! I will do that shortly.