Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Still Infected After Trying Combofix, Avg8, Trend Micro


  • Please log in to reply
3 replies to this topic

#1 csw2002

csw2002

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:07:20 PM

Posted 22 June 2008 - 06:27 AM

I have spent the last 2 days trying to remove some serious infection that occurred due to a browser hijack.

I initially had AVG7.5 installed and it was alerting me to the presence of virus by requesting quarantining of the files. I shut down my internet and started to run a manual scan of the entire computer with AVG. It identified a number of files as malicious and among them mfc40u.dll in system32 directory. I was able to successfully replace that file with an uninfected one from system32\dllcache. I then ran combofix and it asked me to reboot. However, when the boot screen next came up, I was unable to gain access after receiving error message along the line of invalid LPtrSessionName in lsass.exe when loading mfc40u.dll. After much research, I have found out that lsass.exe has also been infected (but AVG didn't appear to have picked it up). I was able to boot up using BartPE and replaced the infected lsass.exe with the one in the dllcache. Everything then came up as per normal when I next rebooted. I then painstakinly went through Browser Helper object and ShellExecuteHooks in the registry to remove all suspicious entries. I went through the run, runonce and controlset part of the registry and removed many references to DLLs that have been previously deleted by AVG.

I thought my job was done and boy how wrong I was. I decided to run HouseCall overnight just to be on the safe side during the night. When I woke up the next morning, HouseCall didn't really identify anything more suspicous (other than a couple of harmless tracking cookies). However, I noticed that my IE start-up page was altered. This alerted me to continued infection of my machine. I then downloaded TrendMicro Internet Security 2008 (and removed AVG of course) and ran another scan. Other than picking up the quarantined file from ComboFix and AVG, it didn't really do much. I then installed AVG8.0 and sure enough it identified further infection against explorer.exe and a file called mpckxw29vj.dll in the system32 directory. While AVG successfully removed this file and cured explorer.exe, the next reboot resulted in the error message that windows was not able to load "mpckxw29vj.dll". That means there still must be something that is attempting to load the DLL into memory. However, I searched through registry and I couldn't find anything that is loading this DLL.

I ran another combo fix, and it didn't make any difference. However, I have noticed the following 4 entries in the Find3M section:

2004-08-08 05:51 520 --sh--w C:\WINDOWS\system32\rnmxajkl.sys
2004-08-08 05:53 520 --sh--w C:\WINDOWS\system32\smdsbsrv.sys
2004-08-08 05:58 520 --sh--w C:\WINDOWS\system32\vlhxaklo.sys
2004-08-08 05:54 520 --sh--w C:\WINDOWS\system32\xscqbhlp.sys

However, I am not able to find them in the specified directory at all until I used dos dir /ah command. These files have been given system file setting and hence was not picked up despite having view hidden file option on. I have then run Microsoft Malicious Virus removal and AVG8 against these files and none found anything suspicious either. Any idea what else I should be looking for to get rid of these pesky bugs?

Thanks in advance

Edited by Orange Blossom, 22 June 2008 - 07:37 PM.
Move to more appropriate forum. ~ OB


BC AdBot (Login to Remove)

 


#2 csw2002

csw2002
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:07:20 PM

Posted 24 June 2008 - 03:44 AM

OK, I am still infected for sure. I managed to track down that RunOnce part of the registry has rundll32 mpckxw29vj entry each time I reboot my machine (despite me deleting that entry each time). That indicates that there is a process that is editing the registry. I used HijackThis and couldn't find any suspicious processes. My feeling is that one of my the core Microsoft windows DLL has been hacked on my XP machine. At this stage, I am open to suggestions. Any ideas?

#3 csw2002

csw2002
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:07:20 PM

Posted 24 June 2008 - 05:45 AM

One more interesting tibit. When I run ComboFix, I get the mpckxw29vj.dll not found as well just before the cmd window opens.

#4 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,126 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:05:20 AM

Posted 24 June 2008 - 08:36 AM

Please note the message text in blue at the top of this forum.

You should not be using Combofix unless instructed to do so by a Malware Removal Expert. It is a powerful tool intended by its creator to be "used under the guidance and supervision of an expert", NOT for private use. Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again. Please read Combofix's Disclaimer.

This issue will require further investigation and probably the use of more powerful tools than we recommend in this forum. Before that can be done you will need you to create and post a hijackthis log.

Please read the pinned topic titled "Preparation Guide For Use Before Posting A Hijackthis Log" and complete all the steps. There are instructions for downloading and running Deckard's System Scanner (DSS) which will create a hijackthis log for you, or automatically download and install the most current version of HijackThis if it's not already installed on your computer.

When you have done that, post your log in the HijackThis Logs and Malware Removal forum, NOT here, for assistance by the HJT Team Experts. A member of the Team will walk you through, step by step, on how to clean your computer. If you post your log back in this thread, the response from the HJT Team will be delayed because your post will have to be moved. This means it will fall in line behind any others posted that same day.

Start a new topic, give it a relevant title and post your log along with a brief description of your problem, a summary of any anti-malware tools you have used and a summary of any steps that you have performed on your own. An expert will analyze your log and reply with instructions advising you what to fix. After doing this, we would appreciate if you post a link to your log back here so we know that your getting help from the HJT Team.

Please be patient. It may take a while to get a response because the HJT Team members are very busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT "bump" your post or make another reply until it has been responded to by a member of the HJT Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work may assume another HJT Team member is already assisting you and not open the thread to respond.
.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users