WiredWX Christian Hobby Weather Tools

Security tool removal - failed

Sneakyone was nice enough to post the entire path to a PC without 'Security Tool'. Greatly appreciated.

But..... after completion of the tutorial, to quote an old movie, "It's baaaaack."

One thing that I had to do, which may have messed it up, was that I had to download RKill & OTL on one PC, then, using a USB flash drive, transfer them to the desktop of the infected PC. The bad PC wouldn't let me do anything.

Seemed to work, ran the scan and whatever else there was and when it finished, I had 2 text files on my desktop: OTL & Extras. Copied those onto the flash drive and transferred those to the good PC so I could send them to you. (I'm told that the OTL text file, OTL, is not valid, so I'm adding it to this post. Don't know what else to do.) If you need the Extras file, I'll send it in another post to this thread.

OK, I'm real close to forgetting about this post. I tried to add the OTL at the bottom of this post but I was told that it is too big. EVEN THOUGH.... it says on the bottom of the post that I have Characters Left: 288. I can send them by email if you want or need them but this site isn't letting me do what I need to do.

I restarted the infected PC and yep, it was still infected. Any ideas of what I did wrong and how can I fix it?

Thanks to all the folks here who donate their time and expertise to help us who really need it.

IlliniJim

Re: Security tool removal - failed
Hello, and welcome to GeekPolice.

Please note the following information about the malware forum:
  • Only Tech Officers, Global Moderators, Administrators, and Malware Advisors are allowed to give advice on removing malware from your computer.
  • From this point on, please do not make any more changes to your computer, such as installing/uninstalling programs, using special fix tools, deleting files, editing the registry, etc., unless advised by the staff I noted above.
  • Please do not ask for help elsewhere (in this site or other sites). Doing so can result in system changes, which may not show up in the logs you post.
  • If you have already asked for help somewhere, please post the link to the topic you were helped.
  • We try our best to reply quickly, but if for any reason we do not reply within two days, do one of two things:

    Reply to this topic with the word BUMP, or
    see this topic.

  • Lastly, keep in mind that we are volunteers, so you do not have to pay for malware removal. Persist in this topic until its close, and your computer is declared clean.

We need to do some diagnostics to get started.

1. Please download and run RKill.

Download mirror 1 - Download mirror 2 - Download mirror 3

  • Save it to your Desktop.
  • Double click the RKill desktop icon.
  • It will quickly run and launch a log. If it does not launch a log, try another download link until it does.
  • Please post its log in your next reply.
  • After it has run successfully, delete RKill.

Note: This tool only kills the active infection; the actual infection will not be gone. Once you reboot, the infection will be active again! Please do not reboot until instructed further to do so.

2. Download MBRCheck to your desktop.
  • Double click MBRCheck.exe to run (Vista and Windows 7 users, right click and select Run as Administrator).
  • It will show a black screen with some data on it.
  • A report called MBRcheckxxxx.txt will be on your desktop.
  • Open this report and post its content in your next reply.


3. Please download Cheetah-Anti-Rogue by me, and save to your Desktop.
  • Double-click on Cheetah-Anti-Rogue.zip, and extract the file to your Desktop.
  • Double-click on Cheetah-Anti-Rogue.cmd to start.
  • It will finish quickly and launch a log.
  • Post the contents of it in your next reply.


4. In your next reply, please post the following logs for my review:
  • MBRCheck log (2)
  • Cheetah log (3)


Thanks! Smile...

MBR Check results
Here it is.
Cheetah to follow.

The cheetah report.
For some reason, I can only send 1 file at a time.

Re: Security tool removal - failed
I don't see either report. If you are having trouble getting the reports to me, then upload them via Rapidshare.com and post the download links here.

Rapidshare
http://rapidshare.com/files/409923053/rkill_log_file.txt

http://rapidshare.com/files/409923054/OTL.Txt

http://rapidshare.com/files/409923055/MBRCheck_07.28.10_00.29.36.txt

http://rapidshare.com/files/409923056/Extras.Txt

http://rapidshare.com/files/409923057/cheetah.txt

Thanks for all the help.

Illini Jim

Re: Security tool removal - failed
Please download Malwarebytes Anti-Malware from Malwarebytes.org.
Alternate link: BleepingComputer.com.
(Note: if you already have the program installed, just follow the directions. No need to re-download or re-install!)

Double Click mbam-setup.exe to install the application.

(Note: if you already have the program installed, open Malwarebytes from the Start Menu or Desktop shortcut, click the Update tab, and click Check for Updates, before doing the scan as instructed below!)

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to restart. If you are prompted to restart, please allow it to restart your computer. Failure to do this will cause the infection to still be active on the computer.
  • Please save the log to a location you will remember.
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • The log can also be found at C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt
  • Copy and paste the entire report in your next reply.

Re: Security tool removal - failed
Found 7, thought they were removed. Still not there yet.

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4052

Windows 6.0.6002 Service Pack 2 (Safe Mode)
Internet Explorer 8.0.6001.18928

7/30/2010 11:52:19 AM
mbam-log-2010-07-30 (11-52-19).txt

Scan type: Quick scan
Objects scanned: 132223
Time elapsed: 6 minute(s), 56 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 3
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fsonohahozewuj (Trojan.Agent.U) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yzutoroxaziv (Trojan.Agent.U) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\d8a0b485-d4d3-4d4a-85e6-5469b62bb203_46 (Trojan.FakeAlert) -> No action taken.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Users\Heather\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Security Tool.LNK (Rogue.SecurityTool) -> No action taken.
C:\Users\Heather\AppData\Local\ocategefixipugo.dll (Trojan.Agent.U) -> No action taken.
C:\Users\Heather\AppData\Local\Temp\0.6233235756477156.exe (Trojan.Dropper) -> No action taken.
C:\Users\Heather\AppData\Roaming\d8a0b485-d4d3-4d4a-85e6-5469b62bb203_46.avi (Trojan.FakeAlert) -> No action taken.
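Every entry in the log above ends in "No action taken", which is why the next reply asks for the items to be removed and the scan repeated. As an added example (not code from the thread or from Malwarebytes), here is a Python triage of this MBAM 1.x log format that separates remediated items from reported-only ones and checks the header counts against the listed entries; the sample log is constructed from the thread's entries, shortened, with one action changed so both outcomes appear.

```python
"""Triage a Malwarebytes' Anti-Malware 1.x text log (added example, not from the
thread or from Malwarebytes). Format: header lines "<Category> Infected: <n>",
then one "<Category> Infected:" section listing "<item> (<threat>) -> <action>."
"""
import re
from dataclasses import dataclass

# Constructed sample: the thread's entries, shortened to two categories, with the
# action on the .LNK line altered so that both outcomes appear.
SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.46

Registry Keys Infected: 0
Registry Values Infected: 3
Files Infected: 4

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fsonohahozewuj (Trojan.Agent.U) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yzutoroxaziv (Trojan.Agent.U) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\d8a0b485-d4d3-4d4a-85e6-5469b62bb203_46 (Trojan.FakeAlert) -> No action taken.

Files Infected:
C:\Users\Heather\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Security Tool.LNK (Rogue.SecurityTool) -> Quarantined and deleted successfully.
C:\Users\Heather\AppData\Local\ocategefixipugo.dll (Trojan.Agent.U) -> No action taken.
C:\Users\Heather\AppData\Local\Temp\0.6233235756477156.exe (Trojan.Dropper) -> No action taken.
C:\Users\Heather\AppData\Roaming\d8a0b485-d4d3-4d4a-85e6-5469b62bb203_46.avi (Trojan.FakeAlert) -> No action taken.
"""

COUNT_RE = re.compile(r"^(?P<category>[A-Za-z ]+ Infected): (?P<count>\d+)$")
SECTION_RE = re.compile(r"^(?P<category>[A-Za-z ]+ Infected):$")
# The threat is the last parenthesised group before "->", so items whose path
# contains parentheses (e.g. "Program Files (x86)") still parse correctly.
ENTRY_RE = re.compile(r"^(?P<item>.+) \((?P<threat>[^()]+)\) -> (?P<action>.+?)\.?$")


@dataclass
class Detection:
    category: str
    item: str
    threat: str
    action: str

    @property
    def remediated(self) -> bool:
        # MBAM acts only on ticked items after "Remove Selected"; "No action taken"
        # means the item was reported but is still present on the system.
        return not self.action.lower().startswith("no action taken")


def parse_mbam_log(text):
    """Return (header counts by category, list of Detection) for one log."""
    counts, detections, section = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := COUNT_RE.match(line):
            counts[m["category"]] = int(m["count"])
        elif m := SECTION_RE.match(line):
            section = m["category"]
        elif section and not line.startswith("(No malicious items"):
            if m := ENTRY_RE.match(line):
                detections.append(Detection(section, m["item"], m["threat"], m["action"]))
    return counts, detections


def triage(text):
    """Summarise what is still outstanding after a scan like the one in the thread."""
    counts, detections = parse_mbam_log(text)
    listed = {}
    for d in detections:
        listed[d.category] = listed.get(d.category, 0) + 1
    # Header totals must match the listed entries; a mismatch usually means a
    # truncated paste, which matters when the log is the only evidence available.
    mismatched = sorted(c for c, n in counts.items() if n != listed.get(c, 0))
    pending = [d for d in detections if not d.remediated]
    return {"total": len(detections), "pending": pending,
            "mismatched_counts": mismatched, "clean": not detections}
```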

Re: Security tool removal - failed
Please make sure to remove those items, then re-scan and post a new log.

Please download OTL to your Desktop. (If you already have it downloaded, then just follow the instructions below).
  • Double click on the icon to run it. Make sure all other windows are closed and let it run uninterrupted.
  • Under the Custom Scan box, paste this in:

    %systemroot%\*. /mp /s
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\system32\*.exe /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    %systemroot%\system32\drivers\*.sys /lockedfiles
    %systemroot%\System32\config\*.sav
    %systemroot%\system32\*.sys
    %systemroot%\system32\drivers\*.dll
    %systemroot%\system32\drivers\*.ini
    %systemroot%\system32\drivers\*.exe
    %systemroot%\system32\Spool\prtprocs\w32x86\*.dll
    %SYSTEMDRIVE%\*.*
    %PROGRAMFILES%\*.
    %appdata%\*.*
    netsvcs
    msconfig
    safebootminimal
    safebootnetwork
    activex
    drivers32
    /md5start
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    eNetHook.dll
    ahcix86.sys
    KR10N.sys
    disk.sys
    nvstor32.sys
    ahcix86s.sys
    nvrd32.sys
    symmpi.sys
    adp3132.sys
    mv61xx.sys
    usbstor.sys
    /md5stop
    CREATERESTOREPOINT
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs


  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.

    • When the scan completes, it will open two Notepad windows: OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
    • Please copy (Edit->Select All, Edit->Copy) and paste (Edit->Paste) the contents of these files, one at a time.


Note: in the event that OTL fails to run, please use alternate download links to try again:

http://oldtimer.geekstogo.com/OTL.com
http://oldtimer.geekstogo.com/OTL.scr

Re: Security tool removal - failed
I ran mbam and found 1 infected file, got rid of it. For some reason, the PC restarted on its own. So I ran mbam again and it didn't find any infected files.

After the OTL scan, there was no "Extras file".

The OTL is here at Rapidshare.
http://rapidshare.com/files/410256527/OTL.Txt
http://rapidshare.com/files/410256886/mbam-log_last.txt



Re: Security tool removal - failed
Please run OTL:
  • Under the Custom Scans/Fixes box at the bottom, copy and paste in the following:

    :otl
    O4 - HKCU..\RunOnce: [733582] C:\Users\Heather\AppData\Local\733582.exe ()
    [2010/07/27 03:41:00 | 000,000,120 | ---- | M] () -- C:\Users\Heather\AppData\Local\Okatisohahozewuj.dat
    @Alternate Data Stream - 103 bytes -> C:\ProgramData\TEMP:DFC5A2B2

    :commands
    [emptytemp]
    [purity]
    [resethosts]
    [reboot]


  • Then click the Run Fix button at the top.
  • Note: The fix for OTL automatically hides your Desktop and Start menu so the fix can be completed. Do not be alarmed; this is normal.
  • Please do not exit the program. It might take a while to fix, but allow it to run. If it asks to reboot the computer, allow it to reboot. If the program freezes and the computer fails to reboot, let me know.
  • Lastly, post the contents of the log. (Located at C:\_OTL\Moved Files)

Re: Security tool removal - failed
Here it 'tis. (I hope, I hope, I really hope!) :lol2:

All processes killed
========== OTL ==========
Registry value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce\\733582 deleted successfully.
C:\Users\Heather\AppData\Local\733582.exe moved successfully.
C:\Users\Heather\AppData\Local\Okatisohahozewuj.dat moved successfully.
ADS C:\ProgramData\TEMP:DFC5A2B2 deleted successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Heather
->Temp folder emptied: 1119721900 bytes
->Temporary Internet Files folder emptied: 65882563 bytes
->Java cache emptied: 90487613 bytes
->FireFox cache emptied: 36639184 bytes
->Flash cache emptied: 174237 bytes

User: Papa

User: Pappa
->Temp folder emptied: 142209 bytes
->Temporary Internet Files folder emptied: 674426 bytes
->FireFox cache emptied: 56093315 bytes
->Flash cache emptied: 733 bytes

User: Public

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 142383246 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
RecycleBin emptied: 704308 bytes

Total Files Cleaned = 1,443.00 mb

C:\Windows\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully

OTL by OldTimer - Version 3.2.9.1 log created on 08022010_073635

Files\Folders moved on Reboot...

Registry entries deleted on Reboot...

Re: Security tool removal - failed
Just to let you know, when I rebooted, I forgot to put it into "Safe Mode".

I'm looking at a nice clear desktop. No pop-ups so far. I haven't touched a thing. (A little afraid to.)

I was using a Kensington Orbit USB ball mouse and it no longer is working. (It's an OK trade-off if that virus is gone!!!!) I switched to a Logitech USB mouse and it works fine. Might you know what happened to the Kensington and how to fix it, or point me to where I can find an answer?

Thanks

Re: Security tool removal - failed
Excellent, let's check for remnants:

ESET Online Scan

Please run a free online scan with the ESET Online Scanner
  • Tick the box next to YES, I accept the Terms of Use
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the options Remove found threats and Scan unwanted applications are checked
  • Click Scan (This scan can take several hours, so please be patient)
  • Once the scan is completed, you may close the window
  • Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  • Copy and paste that log as a reply to this topic

Re: Security tool removal - failed
Jay,

Here's the eset scan and it looks clean. But what do I know; I'm the one that got myself in trouble in the first place. Smile...

C:\_OTL\MovedFiles\08022010_073635\C_Users\Heather\AppData\Local\733582.exe

a variant of Win32/Kryptik.FSA trojan

cleaned by deleting - quarantined


YOU DID IT!!!!! Words fail me when it comes to thanking you enough, but I'll try.

I appreciate your diligence and patience with me. Every time I would reply with a curve ball, your expertise would let you hit a home run. (Sorry 'bout that. It's baseball season and my all time favorites the St. Louis Cardinals and my now local team, the Tampa Bay Rays are doing great.)

On behalf of all you have worked with, thank you for your dedication to helping those of us who really needed assistance. I'll always be grateful.

Thanks again,
Illini Jim

Re: Security tool removal - failed
Hiya! If there are no more issues, then we shall clean up!

Clean up System Restore

Now, to get you off to a clean start, we will be creating a new Restore Point, then clearing the old ones to make sure you do not get reinfected, in case you need to "restore back."

To manually create a new Restore Point

  • Go to Control Panel and select System and Maintenance
  • Select System
  • On the left select Advanced System Settings and accept the warning if you get one
  • Select System Protection Tab
  • Select Create at the bottom
  • Type in a name, e.g. Clean
  • Select Create
Now we can purge the infected ones
  • Go back to the System and Maintenance page
  • Select Performance Information and Tools
  • On the left select Open Disk Cleanup
  • Select Files from all users and accept the warning if you get one
  • In the drop down box select your main drive, e.g. C:
  • For a few moments the system will make some calculations
  • Select the More Options tab
  • In the System Restore and Shadow Backups select Clean up
  • Select Delete on the pop up
  • Select OK
  • Select Delete


Run OTC to remove our tools

To remove all of the tools we used and the files and folders they created, please do the following:
Please download OTC.exe by OldTimer:
  • Save it to your Desktop.
  • Double click OTC.exe.
  • Click the CleanUp! button.
  • If you are prompted to Reboot during the cleanup, select Yes.
  • The tool will delete itself once it finishes.

Note: If any tool, file or folder (belonging to the program we have used) hasn't been deleted, please delete it manually.

Purge old temporary files

Please download TFC by OldTimer to your desktop
  • Please double-click TFC.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  • It will close all programs when run, so make sure you have saved all your work before you begin.
  • Click the Start button to begin the process. Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two. Let it run uninterrupted to completion.
  • Once it's finished it should reboot your machine. If it does not, please manually reboot the machine yourself to ensure a complete clean.


Security Check

Please download Security Check by screen317 from SpywareInfoforum.org or Changelog.fr.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.


Tell me in your next reply, if you have completed these tasks:
  • Cleaned System Restore
  • Ran OTC
  • Ran TFC
  • Ran Security Check

Also, let me know how your computer is running, and don't forget to post the contents of the Security Check log.

Maybe I'm done????
I cleaned System Restore, ran OTC, ran TFC and Security Check.
All went smoothly except TFC. It ran for about 8-9 minutes and then I got the following message: TFC has stopped working.

I rebooted the PC and ran TFC again. This time it worked well and completed its task. (It deleted 10 MB of files.)

* Cleaned System Restore
* Ran OTC
* Ran TFC
* Ran Security Check


Results of screen317's Security Check version 0.99.5
Windows Vista Service Pack 2 (UAC is enabled)
Internet Explorer 8
``````````````````````````````
Antivirus/Firewall Check:

Windows Firewall Enabled!
avast! Antivirus
Avira AntiVir Personal - Free Antivirus
Norton AntiVirus
Norton Internet Security (Symantec Corporation)
Norton Internet Security
Antivirus out of date!
```````````````````````````````
Anti-malware/Other Utilities Check:

Malwarebytes' Anti-Malware
Java(TM) 6 Update 13
Java(TM) SE Runtime Environment 6
Out of date Java installed!
Adobe Flash Player 9 (Out of date Flash Player installed!)
Adobe Flash Player 10.1.53.64
Adobe Reader 7.0.8
Out of date Adobe Reader installed!
Mozilla Firefox (3.6.8)
````````````````````````````````
Process Check:
objlist.exe by Laurent

Norton ccSvcHst.exe
Windows Defender MSASCui.exe
Avira Antivir avgnt.exe
Avira Antivir avguard.exe
Alwil Software Avast4 ashServ.exe
Alwil Software Avast4 ashDisp.exe
Alwil Software Avast4 ashMaiSv.exe
Alwil Software Avast4 ashWebSv.exe
Windows Defender MSASCui.exe
````````````````````````````````
DNS Vulnerability Check:

Unknown. This method cannot test your vulnerability to DNS cache poisoning. (Wireless connection?)

``````````End of Log````````````
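The log above lists three resident antivirus vendors and four out-of-date items, which the follow-up post addresses one by one. As an added example (not part of the thread or of Security Check), this Python review splits such a log on its rows of backticks and applies those two checks; the sample is constructed from the log above, and grouping products by their first word is an assumption of the example, not Security Check's own logic.

```python
"""Review a screen317 Security Check log for conflicting resident antivirus
products and out-of-date software (added example; not the thread's or Security
Check's own code). Sections are headings ending in ':' between rows of backticks."""

RULE = "`" * 30                              # Security Check's section separator row
END = "`" * 10 + "End of Log" + "`" * 12
# Constructed sample, cut down from the checkup.txt quoted in the thread.
SAMPLE_CHECKUP = f"""Results of screen317's Security Check version 0.99.5
Windows Vista Service Pack 2 (UAC is enabled)
{RULE}
Antivirus/Firewall Check:

Windows Firewall Enabled!
avast! Antivirus
Avira AntiVir Personal - Free Antivirus
Norton AntiVirus
Norton Internet Security (Symantec Corporation)
Norton Internet Security
Antivirus out of date!
{RULE}
Anti-malware/Other Utilities Check:

Malwarebytes' Anti-Malware
Java(TM) 6 Update 13
Out of date Java installed!
Adobe Flash Player 9 (Out of date Flash Player installed!)
Out of date Adobe Reader installed!
{RULE}
Process Check:
objlist.exe by Laurent

Norton ccSvcHst.exe
Alwil Software Avast4 ashServ.exe
{END}
"""

def split_sections(text):
    """Map each 'Heading:' to its non-empty lines, using the backtick rows as separators."""
    sections, heading, lines = {}, None, []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("`"):            # separator row: close the current section
            if heading:
                sections[heading] = lines
            heading, lines = None, []
        elif heading is None:
            if line.endswith(":"):          # first line after a separator names the section
                heading = line[:-1]
        elif line:
            lines.append(line)
    if heading:
        sections[heading] = lines
    return sections

def resident_av(sections):
    """Antivirus product lines in the AV/Firewall section, grouped by vendor.
    Status lines end in '!' and firewall entries are skipped; grouping by the first
    word is an assumption of this example, not Security Check's own logic."""
    vendors = {}
    for line in sections.get("Antivirus/Firewall Check", []):
        if line.endswith("!") or "firewall" in line.lower():
            continue
        vendors.setdefault(line.split()[0], []).append(line)
    return vendors

def out_of_date(sections):
    """(section, line) for every entry Security Check flagged as out of date."""
    return [(h, l) for h, ls in sections.items() for l in ls if "out of date" in l.lower()]

def review(text):
    """The two follow-ups the thread makes: keep one resident AV, and patch stale software."""
    sections = split_sections(text)
    vendors = resident_av(sections)
    return {"av_vendors": sorted(vendors),
            "av_conflict": len(vendors) > 1,  # several resident scanners conflict, not add up
            "out_of_date": out_of_date(sections)}
```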

Re: Security tool removal - failed
Completely Uninstall Norton software using:

Instructions

  1. Please download and save SymNRT.exe to your desktop.
  2. Close all programs and double click on the tool.
  3. Follow the on-screen instructions.
  4. Restart the computer if asked.
  5. Then delete the SymNRT.exe tool from your desktop.
  6. Open the Program Files folder on your local disk (normally C:)
  7. Find and delete the following folders (if present):
    • Norton AntiVirus
    • Norton Internet Security
    • Norton SystemWorks
    • Norton Personal Firewall

Adobe Reader Update!

Please download the newest version of Adobe Acrobat Reader from Adobe.com

Before installing: it is important to remove older versions of Acrobat Reader since it does not do so automatically and old versions still leave you vulnerable.
Go to the Control Panel and enter Add or Remove Programs (Programs and Features in Vista/7).
Search in the list for all previously installed versions of Adobe Acrobat Reader. Uninstall/Remove each of them.

Once old versions are gone, please install the newest version.

Java Update!

Please download the newest version of Java from Java.com.

Before installing: it is important to remove older versions of Java since it does not do so automatically and old versions still leave you vulnerable.
Go to the Control Panel and enter Add or Remove Programs (Programs and Features in Vista/7).
Search in the list for all previously installed versions of Java (J2SE Runtime Environment). Please uninstall/remove each of them.

Once old versions are gone, please install the newest version.

Please read the following information that I have provided, which will help you prevent malicious software in the future. Please keep in mind, malware is a continuous danger on the Internet. It is highly important to stay safe while browsing, to prevent re-infection.

Software recommendations

Firewall

  • Tallemu Online Armor: the free version is just as good as the premium. I have linked you to the free version.
  • Comodo Firewall: the free version is just as good as the premium. I have linked you to the free version. The optional security suite enhances the firewall by 40% increase. If you would like to install the suite that includes antivirus, then remove your old antivirus first.
  • PC Tools Firewall Plus: free and excellent firewall.


AntiSpyware

  • SpywareBlaster
    SpywareBlaster is a program that prevents spyware from installing on your computer. A tutorial on using SpywareBlaster may be found here.
  • Spybot - Search & Destroy.
    Spybot - Search & Destroy is a spyware and adware removal program. It also has realtime protection, TeaTimer, to help safeguard your computer against spyware. (The link for Spybot - Search & Destroy contains a tutorial that will help you download, install, and begin using Spybot.)


NOTE: Please keep ALL of these programs up-to-date and run them whenever you suspect a problem to prevent malware problems.

Resident Protection help
A number of programs have resident protection and it is a good idea to run the resident protection of one of each type of program to maintain protection. However, it is important to run only one resident program of each type since they can conflict and become less effective. That means only one antivirus, firewall, and scanning anti-spyware program at a time. Passive protectors such as SpywareBlaster can be run with any of them.

Securing your computer

  • Windows Updates - It is very important to make sure that both Internet Explorer and Windows are kept current with the latest critical security patches from Microsoft. To do this just start Internet Explorer and select Tools > Windows Update, and follow the online instructions from there.
  • The hpHosts file replaces your current HOSTS file with one containing well-known ad sites and other bad sites. This prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer's loopback address, meaning it will be difficult to infect your computer in the future.


Please consider using an alternate browser
Mozilla's Firefox browser is a very good alternative. In addition to being generally more secure than Internet Explorer, it has a very good built-in popup blocker and add-ons, like NoScript, can make it even more secure. Opera is another good option.

If you are interested:


See this page for more info about malware and prevention.

Thank you for choosing GeekPolice. Please see this page if you would like to leave feedback or contribute to our site. Do you have any more questions?
