
Need help finishing malware removal!


  • This topic is locked
22 replies to this topic

#1 deebo82

deebo82

  • Members
  • 11 posts

Posted 03 May 2010 - 07:29 PM

Hi,

My girlfriend's computer recently had a mental breakdown, and suddenly broke out with rogue antivirus scanner windows and all kinds of fun stuff (the ones I remember off the top of my head are "Antimalware Doctor" and "Digital Protection"). I removed as much of the junk as I could with MBAM and Sophos Antivirus in safe mode and not, and they no longer find anything anymore, but some of the symptoms remain. The aggressive taskbar tray messages about "your computer will be hijacked unless you buy our scanner for 3 easy payments of $19.99" are gone, but Chrome no longer works (not positive this is a related issue), and the browsers occasionally redirect to random sites and sometimes they refuse to follow Google results that have to do with "antivirus" or things like that.

The dds.scr logs are attached, but I wasn't able to run GMER to completion for whatever reason... Started up fine, seemed to work OK, but it froze the computer after about 20 mins. I made sure that the antivirus software put it on a permissions list, and also tried renaming the file, but no dice.

Please help!


#2 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 05 May 2010 - 06:01 PM

Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already. You can subscribe by clicking the Options box to the right of your topic title and selecting Track This Topic.

  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

Once I receive a reply then I will return with your first instructions.

Thanks
m0le is a proud member of UNITE

#3 deebo82

deebo82
  • Topic Starter

  • Members
  • 11 posts

Posted 05 May 2010 - 10:44 PM

I'm still here! Thanks a ton, by the way.

#4 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 06 May 2010 - 02:15 PM

Very aggressive this rogue. We shall try to get it using a mixture of tools.

Download and Run RKill

Please download RKill by Grinler from one of the 4 links below and save it to your desktop.

Link 1
Link 2
Link 3
Link 4
  • Before we begin, you should disable any anti-malware software you have installed so it does not interfere with RKill running, as some anti-malware software detects RKill as malicious. Please refer to this page if you are not sure how.
  • Double-click on Rkill on your desktop to run it. (If you are using Windows Vista, please right-click on it and select Run As Administrator)
  • A black screen will appear and then disappear. Please do not worry, that is normal. This means that the tool has been successfully executed.
  • Please post the resulting log in your next reply.


Then


Please download ComboFix from one of these locations:

* IMPORTANT !!! Save ComboFix.exe to your Desktop, making sure you rename it comfix.exe
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double-click on Comfix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

#5 deebo82

deebo82
  • Topic Starter

  • Members
  • 11 posts

Posted 06 May 2010 - 07:20 PM

OK, done. One other thing: late last night, before I got your reply, I tried running GMER again, after running rkill. It seemed to work, and the log for that is also attached (apk.log), but the machine was being weird (i.e., the Windows wireless network application wasn't working, maybe some other stuff too, but I don't know).

The ComboFix went off without a hitch. rkill didn't indicate any applications being killed in the log, only itself. The ComboFix log is attached. Thanks!


#6 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 06 May 2010 - 08:14 PM

The Combofix log shows that the PRAGMA rootkit has been removed.

Please run Gmer again as I am interested in an entry after Combofix was run.

Thanks

#7 deebo82

deebo82
  • Topic Starter

  • Members
  • 11 posts

Posted 06 May 2010 - 09:12 PM

Hey m0le,

Here 'tis. Amazing that it's like 1/10th of its former self. =) Thanks a bunch!


#8 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 06 May 2010 - 09:19 PM

This is still here.

We need to find a replacement for the infected file.

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2
  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    CODE
    :filefind
    pci.sys

  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt

#9 deebo82

deebo82
  • Topic Starter

  • Members
  • 11 posts

Posted 07 May 2010 - 12:43 AM

Lame.

OK, here's the log.


#10 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 07 May 2010 - 03:34 PM

Okay, as Combofix can't get this variant, we need to replace the infected file in the Recovery Environment.


First we need to copy a clean file to replace the infected one.

Please do this:
  • Click on the Start button, then click on Run...

  • In the empty "Open:" box provided, type cmd and press Enter. This will launch a Command Prompt window (looks like DOS).

  • Copy the entire blue text below to the clipboard by highlighting all of it and pressing Ctrl+C (or after highlighting, right-click and select Copy).

    copy C:\WINDOWS\system32\dllcache\pci.sys C:\ /y

  • In the Command Prompt window, paste the copied text by right-clicking and selecting Paste.

  • Press Enter. If successful, you should get this message within the Command Prompt: "1 file(s) copied"
  • Exit the Command Prompt window.
Now we need to boot into the Recovery Environment:

Reboot your computer. Combofix should have installed the recovery console so this should already be available.

Follow the instructions here to start it

Next

Type cd system32\drivers and press Enter.
Type ren pci.sys pci.vir and press Enter.
Then type copy C:\pci.sys pci.sys and press Enter.
Now type exit and press Enter to reboot your computer into normal mode.


Please run Gmer and post the log.

Thanks
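
As an added example (not from this thread, and not code from SystemLook, ComboFix or OTLPE): a small Python script that does offline what m0le's SystemLook ":filefind pci.sys" step and the dllcache comparison above do by hand. It finds every copy of a named driver under a tree, hashes each one, and flags copies whose SHA-256 differs from the reference copy in dllcache. It assumes the dllcache copy is itself trustworthy, and the constructed temp directory stands in for C:\WINDOWS.

```python
# Added example: offline emulation of SystemLook's ":filefind" plus a
# hash comparison against the dllcache reference copy (assumed trusted).
import hashlib
import os
import tempfile
from pathlib import Path


def sha256_of(path):
    """SHA-256 of a file, read in chunks so large drivers are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def filefind(root, name):
    """Every file called `name` under root (case-insensitive, like NTFS)."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for f in files:
            if f.lower() == name.lower():
                p = Path(dirpath) / f
                hits.append((str(p), p.stat().st_size, sha256_of(p)))
    return sorted(hits)


def find_tampered(root, name, reference):
    """Paths of copies whose hash differs from the known-good reference."""
    ref = sha256_of(reference)
    return [p for p, _size, digest in filefind(root, name) if digest != ref]


def demo():
    """Constructed sample tree standing in for the Windows directory:
    a clean dllcache copy and a live driver with a few patched bytes."""
    root = Path(tempfile.mkdtemp())
    dllcache = root / "WINDOWS" / "system32" / "dllcache"
    drivers = root / "WINDOWS" / "system32" / "drivers"
    dllcache.mkdir(parents=True)
    drivers.mkdir(parents=True)
    clean = b"MZ" + b"\x00" * 64 + b"clean pci.sys body"
    (dllcache / "pci.sys").write_bytes(clean)
    # Same name and size as the clean file, so only the hash gives it away.
    (drivers / "pci.sys").write_bytes(clean[:-4] + b"XXXX")
    return find_tampered(root, "pci.sys", dllcache / "pci.sys")


if __name__ == "__main__":
    for p in demo():
        print("hash mismatch vs dllcache:", p)
```

Run it against a drive mounted from clean boot media (for example filefind(r"D:\WINDOWS", "pci.sys")) rather than on the live system, since a running rootkit can hide or patch what the infected system reports, which is why the thread ends up replacing the file from OTLPE.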

#11 deebo82

deebo82
  • Topic Starter

  • Members
  • 11 posts

Posted 08 May 2010 - 02:49 AM

Bad news.

So I tried restarting into the Windows Recovery Console, but got the BSOD instead. It says the usual: "A problem has been detected and Windows has been shut down to prevent damage to your computer... blahblahblah, if this appears again, blahblahblah, check for viruses, remove new hard drives, run chkdsk /f, restart.
*** STOP: 0x0000007b (0xf7a22524,0xc0000034,0x00000000,0x00000000)"

It boots into Windows normally, other than that though. The first time I tried running Gmer, just to see if it could detect any changes, it BSOD'd again. When I tried again, it was with the Task Manager open... Turns out that there were two instances open, which is probably what caused the crash. The log from that successful run is attached. Not too much different though. See what you make of it?


#12 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 08 May 2010 - 06:11 AM

In order to resolve your problem we will need to download a program called OTLPE. This program is quite large, at 292MB, so it will take a while to download. In order to get this program set up properly, please print out these instructions so you can follow them when you are at the computer we will be working on.

First

Please download ISOBurner; this will allow you to burn the OTLPE ISO to a CD and make it bootable. Just install the program; from there on in it is fairly automatic. Instructions

Second
  • Download OTLPE.iso and burn to a CD using ISO Burner. NOTE: This file is 292Mb in size so it may take some time to download.
  • When downloaded double click and this will then open ISOBurner to burn the file to CD
  • Reboot your system using the boot CD you just created.

    Note: If you do not know how to set your computer to boot from CD follow the steps here
  • Your system should now display a REATOGO-X-PE desktop.
  • Double-click on the OTLPE icon.
  • When asked "Do you wish to load the remote registry", select Yes
  • When asked "Do you wish to load remote user profile(s) for scanning", select Yes
  • Ensure the box "Automatically Load All Remaining Users" is checked and press OK
  • OTL should now start.
  • Paste the following into OTLPE and click Run Fix
    CODE
    :files
    C:\WINDOWS\system32\drivers\pci.sys|C:\pci.sys /replace
  • When finished, the file will be saved as C:\OTL.txt
  • Copy this file to your USB drive if you do not have internet connection on this system
  • Please post the contents of the OTL.txt file in your reply.

Edited by m0le, 08 May 2010 - 06:11 AM.


#13 deebo82

deebo82
  • Topic Starter

  • Members
  • 11 posts

Posted 08 May 2010 - 11:26 AM

I will work on it... This is a netbook (no CD drive) and I don't own an external. How complicated will it be to adapt this strategy to booting from a USB? Can I just extract ("burn") the ISO to a flash drive? I will let you know how it goes..

#14 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 08 May 2010 - 12:50 PM

We can do the same with a flash drive

IMPORTANT:
You will need a flash drive with a size of 512 Mb or bigger. Make sure that you do not leave anything important on the flash drive, as all data on it will be deleted during the following steps.

    • Download OTLPE.iso from one of the following links and save it to your Desktop mirror1 or mirror2

    • Download eeepcfr.zip from the following link and save it to your Desktop: the mirror

    • Finally, if you do not have a file archiver like 7-zip or Winrar installed, please download 7-zip from the following link and install it: the mirror


  1. Once you have 7-zip installed, decompress OTLPE.iso by right-clicking on the folder and choosing the options shown in the picture below. Please use a dedicated folder, for example OTLPE, on your Desktop




  2. Please also decompress eeepcfr to your systemroot (usually C:\).
  3. Empty the flash drive you want to install OTLPE on.
  4. Go to C:\eeecpfr and double-click usb_prep8.cmd to launch it.
  5. Press any key when asked to in the black window that opens.
  6. As indicated in the image, make sure you have selected the correct flash drive, before proceeding.
    For Drive Label: type in OTLPE.
    Under Source Path to built BartPE/WinPE Files click ... and select the folder OTLPE that you created on your Desktop.
    Finally check Enable File Copy.




  7. Click on Start, accept the disclaimers and wait for the program to finish.

Your bootable flash drive should now be ready!

#15 deebo82

deebo82
  • Topic Starter

  • Members
  • 11 posts

Posted 09 May 2010 - 04:18 AM

OK, things went fine, the resulting log that popped up at the end said simply
"
========== FILES ==========
File C:\windows\system32\drivers\pci.sys successfully replaced with C:\pci.sys

OTLPE by OldTimer - Version 3.1.38.0 log created on 05082010_173956
"

Looks like it did what it set out to do. I'll post a Gmer log in the morning, unless you say otherwise in the meantime. =)



