Solved

Need help removing Malware including ClickSpring

Posted on 2009-02-19
Last Modified: 2013-11-22
I have SpyBot and Sophos.  After updating SpyBot and running immunize and check for problems, it tells me I have some 340 items unprotected "Global (Hosts)".  

When I run Search & Destroy, it finds the following:
"ClickSpring"
"Virtumonde"
"Smitfraud-C."
"Smitfraud-C.CoreService"
"Virtumonde.prx"

I need some help.  I have uploaded a hijackthis log.

Thanks,
Jon
hijackthis.log
Question by:ciscotx
17 Comments
 
LVL 20

Expert Comment

by:IndiGenus
ID: 23687087
Hi,
Vundo is running all out here, Spybot will never get this.

Download ComboFix from either of these links to your Desktop.
http://subs.geekstogo.com/ComboFix.exe
http://download.bleepingcomputer.com/sUBs/ComboFix.exe

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**

1. Please, never rename Combofix unless instructed.
2. Close any open browsers.
3. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

* Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. *
They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".

* The link below is a list of programs that should be disabled. If yours is not listed and you don't know how to disable it, please ask.
http://www.bleepingcomputer.com/forums/topic114351.html

* Close any open browsers.
* WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
* Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
* If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

4. Double click on combofix.exe & follow the prompts.
NOTE: As part of the process combofix will now install the recovery console if required. It is recommended to do so in case of any major issues. This is not a requirement.
5. When finished, it will produce a report for you.
6. Please attach the "C:\ComboFix.txt" along with a new HijackThis log for further review.

**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

PLEASE ALSO NOTE: Combofix will typically fix most and sometimes all Malware entries but many times a script is also needed to finish cleaning up. So please keep CF until advised whether you need the script or not.


LVL 27

Expert Comment

by:David-Howard
ID: 23688886
IndiGenus's suggestion of running ComboFix should fix your problem.
I would only like to add that, should you not already have this antimalware suite and others such as www.malwarebytes.org, etc. on your hard drive or removable media, you do so.
Additionally you might want to read up on disabling System Restore. Some types of malware and viruses cannot be removed without turning this XP feature off prior to scans.
http://www.microsoft.com/windowsxp/using/helpandsupport/learnmore/systemrestore.mspx
This is for future informational purposes only.
Please assign all points to IndiGenus.
David

Author Comment

by:ciscotx
ID: 23707835
I downloaded ComboFix and exited Sophos.  Spybot wasn't on.  Then, I started CF.  A little box came up that said ComboFix.  But, it never did anything.  I eventually did a hard reboot.  

Now, I cannot start CF.  I downloaded another copy of the program and tried again.  Nothing...
LVL 20

Expert Comment

by:IndiGenus
ID: 23710681
Hi,

Likely the TDSSRV rootkit is preventing it from running. Try this....

Remove any and all copies of combofix. Download a fresh copy, but BEFORE downloading it rename it to combo-fix.exe. Then try again.

Author Comment

by:ciscotx
ID: 23717084
Ok.  That seemed to work.  Although, now when I boot up, explorer.exe never runs.  All I see is the desktop background picture with no icons and no bar at the bottom.  

I can go to Task Manager (which is how I noticed explorer.exe wasn't there.)

There were several error messages that came up at various points.  One said "Data Execution Prevention: Windows has closed Windows Installer."

"Init.exe has encountered a problem and needs to close."

"msiexec.exe encountered a problem and needs to close."

"Windows explorer encountered a problem and needs to close."

"Application Layer Gateway Service encountered a problem and needs to close."

Each of these error messages was accompanied by more information (Event Type: BEX, P1, P2, etc.)  If I need to give all the details, I can.
LVL 20

Expert Comment

by:IndiGenus
ID: 23717188
Can you post the combofix log as advised, so we can see what's going on?

Author Comment

by:ciscotx
ID: 23717492
I thought I copied the log files to a flash drive and I believe these are the two.  But, I cannot access the desktop of the laptop.
log.txt
mbam-log-2009-02-23--16-37-59-.txt
LVL 20

Expert Comment

by:IndiGenus
ID: 23717623
WOW.....

This is not only a seriously infected machine, but the Malware has done serious system damage. In most cases I can advise fixing, but I would suggest on this one you do a wipe and re-load. Both userinit and explorer have been infected. I'm suspecting Virut.

c:\windows\system32\userinit.exe . . . is infected!!
c:\windows\explorer.exe . . . is infected!!


If you would like to fix the machine I can try and help, but it may be a lost case at this point. I would suggest you slave the drive to another machine, save the data, and start over.

Author Comment

by:ciscotx
ID: 23717785
That gives me a headache!  

Ok.  Can we at least try to fix it?  Even if it doesn't work, I won't be any worse off than I am right now.

Author Comment

by:ciscotx
ID: 23717812
Do I need to worry about my PC and other machines I have used?  Are my data files (.doc, .xls, etc.) infected?
LVL 20

Expert Comment

by:IndiGenus
ID: 23717850
I'm willing to at least consider giving it a shot, but honestly I don't hold out much hope for this machine. If it's Virut then your documents, pics, etc. will be okay.

I would suggest if possible running DrWebCureIt to see if we're dealing with Virut. And to see how bad it is.

http://www.freedrweb.com/

Author Comment

by:ciscotx
ID: 23720719
Yep.  it says, "infected with Win32.Virut.56".
LVL 20

Accepted Solution

by:
IndiGenus earned 2000 total points
ID: 23721147
Wipe and load. You can save all of your docs and personal files. The file infector attacks .exe, .scr, .htm, .html, .xml, .zip, and .rar files. So don't try to save those.

Sorry we could not be more help. Virut is running rampant right now, you had it along with much more on this machine.  

Good luck,
Dave

Author Closing Comment

by:ciscotx
ID: 31549029
I hated to hear your answer... but that wasn't your fault.  Thanks for the help.

Author Comment

by:ciscotx
ID: 23739507
Oh, sometimes I transfer (or backup) .exe files to other devices.  If I can't use them anymore, I don't have any other way to re-load the program.  

Is there a way to make sure each one isn't infected and if it isn't... can I still use it?
LVL 20

Expert Comment

by:IndiGenus
ID: 23739649
"Is there a way to make sure each one isn't infected and if it isn't... can I still use it?"

You could upload the file(s) to one of the online scanners. If all comes back clean then you're probably okay. This could be a lot of work if you have many files.

http://virusscan.jotti.org
http://www.kaspersky.com/scanforvirus.html
http://www.virustotal.com/en/indexf.html

Any and all of these run across several scanners, over 30.

Sorry I couldn't be more help.
Dave
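An added example, not code from the thread, that applies the two pieces of advice above when rebuilding from a backup: hold back the file types the accepted solution lists as Virut targets, and hash everything held back so each file can be checked against a multi-engine scanner before it is reused. The sample file names and contents are constructed for the demo; the script uses only the Python standard library.

```python
import hashlib
import tempfile
from pathlib import Path

# File types the accepted solution lists as targets of the Virut file infector.
# Anything with one of these suffixes is held back for scanning instead of
# being copied straight onto the rebuilt machine.
VIRUT_TARGET_EXTENSIONS = {".exe", ".scr", ".htm", ".html", ".xml", ".zip", ".rar"}

def sha256_of(path):
    """Hash in 64 KiB chunks so large archives need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()

def triage_backup(root):
    """Split a backup tree into files safe to restore and files to scan first.
    Returns {"restore": [relpath, ...], "scan_first": {relpath: sha256}},
    POSIX-style paths relative to root, sorted so the manifest is reproducible."""
    root = Path(root)
    manifest = {"restore": [], "scan_first": {}}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        rel = path.relative_to(root).as_posix()
        if path.suffix.lower() in VIRUT_TARGET_EXTENSIONS:  # case-insensitive match
            manifest["scan_first"][rel] = sha256_of(path)
        else:
            manifest["restore"].append(rel)
    return manifest

# Constructed sample backup: hypothetical names and contents, not from the thread.
SAMPLE_FILES = {
    "docs/report.doc": b"sample bytes standing in for a Word document",
    "docs/budget.xls": b"sample bytes standing in for a spreadsheet",
    "tools/Setup.EXE": b"MZ sample bytes standing in for an installer",
    "web/index.htm": b"<html>sample page</html>",
    "archive/old.zip": b"PK sample bytes standing in for an archive",
}

def demo():
    """Write the sample tree to a temp dir, triage it and return the manifest."""
    with tempfile.TemporaryDirectory() as tmp:
        for rel, data in SAMPLE_FILES.items():
            target = Path(tmp, rel)
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(data)
        return triage_backup(tmp)
```

The `scan_first` hashes can be looked up on a multi-engine service before deciding whether a held-back file is worth uploading; a clean result still only means "probably okay", as the answer above says.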

Author Comment

by:ciscotx
ID: 23739685
ok.  Thanks, again.