post-"antimalware doctor" infection recurs despite rkill, combofix, mbam, SAS

dgrrr
A Windows XP Pro SP3 laptop (Dell Latitude 600) had a virus called "antimalware doctor". But now I'm not sure what the infection is called - the browsers (IE7 and Firefox) keep being redirected, and startup processes keep being regenerated with different names. See the log files below. What's disturbing is that I have run updated combofix, tdsskiller, malwarebytes full scan and superantispyware full scans -- all AFTER running RKILL, and in safe mode with networking as an administrative user. But rkill keeps finding and stopping startup programs that appear to be changing name each time I reboot and remove them with mbam or sas:

examples of what rkill ends on different reboots:
C:\Documents and Settings\All Users\Start Menu\Programs\audioparseobj.exe
C:\WINDOWS\system32\verclsid.exe
C:\Documents and Settings\All Users\Start Menu\Programs\bridgeacctobj.exe
C:\WINDOWS\system32\grpconv.exe
C:\WINDOWS\system32\apiscanacct.exe

Sometimes I run rkill (in safe mode), it finds nothing, then I run it again 10 seconds later, and it finds and ends something.

As always, with AVG9, combofix warned me to uninstall it. I did, same message. I used avg remover, same message. So I finally read about deleting the avg program folder. Now I still get the warning about AVG being installed (it's not), but combofix will at least allow me to proceed.

But after the first time I ran combofix (I have since moved the laptop to my shop from the owners house), for some reason, combofix will not proceed past the "autoscan / scanning for infected files" point. Windows freezes and I have to reboot. Could it be because I'm not connected to the web? (remember, combofix proceeds to the autoscan menu.)

FYI for what it's worth I turned off system restore (but some infected files still appear to be appearing in the restore folders!).

I tried all the above as a result of what I saw on several sites including bleepingcomputer.com:
http://www.bleepingcomputer.com/virus-removal/remove-antimalware-doctor

I'm currently trying kaspersky rescue disk 10 but since I didn't see it referenced online I'm skeptical. (Plus I think it may be getting stuck as well in the "loading modules" phase!)

Since all the above was done in safe mode with networking, as an admin user -- should I do these scans all again in normal mode as the user who was infected? Is that likely to make a difference?

Based on my logs, what do you suggest I try next?
01---MBAM-quick.txt
02---Combofix.txt
03---HJT.txt
04---MBAM-quick.txt
05---MBAM-full.txt
06---MBAM-full.txt
07---MBAM-full.txt
08---HJT.txt
Top Expert 2007

Commented:
Oh I see you've also tried TDSSKiller.
I'll check your logs and post back.

deroodeSystems Administrator

Commented:
I just found this product: Microsoft SystemSweeper. It scans your system offline for rootkits and malware. You could give it a try:

http://connect.microsoft.com/systemsweeper
Don't know how much more information this can provide us, but let's try using OTL in the mix also.

Get OTL and save it to your desktop. Then run it and click on Quick Scan. Wait for the results. When finished, a notepad file should open up. Please copy and paste the entire contents of that file here.

Top Expert 2007

Commented:
Did you install SogouInput?

There have been 3 updates since you downloaded that ComboFix version you have; delete that one (do not uninstall it, just delete the combofix.exe) and download a new one and then run the script.

Also run Hijackthis again in normal mode, and run all the scans in normal mode, not in safe mode.



Run combofix again using this script.
 
1. Open Notepad.
2. Now copy/paste the text between the lines below into the Notepad window:
------------------------------------------------------------------------
KillAll::
SecCenter::
{17DDD097-36FF-435F-9E1B-52D74245D6BF}

File::
c:\windows\system32\Vbar332B.exe
c:\windows\system32\nsfD3E.tmp
c:\windows\system32\nsfD3D.tmp
c:\documents and settings\All Users\Start Menu\Programs\dbgappevts.exe
C:\Documents and Settings\All Users\Start Menu\Programs\audioparseobj.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\cachestreamres.exe
C:\Documents and Settings\Administrator\Start Menu\Programs\bootcabcsc.exe

Folder::
c:\documents and settings\Steve Harnsberger\Local Settings\Application Data\{909FC064-B500-49ED-9119-9CE7F00FB946}

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"audioparseobj.exe"=-
"cachestreamres.exe"=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"*dbgappevts.exe"=-
"*bootcabcsc.exe"=-
"*cachestreamres.exe"=-

------------------------------------------------------------------------

3. Save the above as CFScript.txt in the same location as Combofix.exe.
4. Then drag the CFScript.txt into ComboFix.exe. This will start ComboFix again.
Screenshot: http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif




There's a bad Firefox extension there, that could be causing the redirect, so run gooredFix as well.
Please download GooredFix and save it to your Desktop.
http://jpshortstuff.247fixes.com/GooredFix.exe
Double-click GooredFix.exe on your Desktop to run it.

Select "2. Fix Goored" by typing 2 and pressing Enter.
Make sure all instances of Firefox are closed at this point.
Type y at the prompt and press Enter again.
A log will open, please post the contents of that log in your next reply (it can also be found on your desktop, called GooredLog.txt).

Note: If you receive a message saying that GooredFix needs your system to be restarted, please close all applications and reboot your system.
Please also allow any registry changes that may be prompted by any of your security programs.






Top Expert 2007

Commented:
Ah yes, also download and run the OTL tool that greyknight17 had suggested.

Author

Commented:
I will try the above - but fyi, in normal mode, combofix froze, and after a few hours said "access is denied" twice.
Author of the Year 2011
Top Expert 2006

Commented:
It may be that CF is being blocked by a rogue process.
If you have downloaded the newest version mentioned by 'rpggamergirl', download and install "RogueKiller" and run it just prior to running CF again (no re-boot).

http://www.experts-exchange.com/A_4922.html (Rogue-Killer-What-a-great-name)

Author

Commented:
I ran rkill+MBAM in normal mode, it found 9 items (see log), which will probably come right back.
I ran goored (see log). (It had no "#2" option, I just said "yes" to fixing bad stuff.)
I rebooted and ran rkill+OTL (see log). (I just ran "quick scan" as suggested, didn't click the "fix" button.)

I ran roguekiller (see log - BTW I AM administrator), and then the suggested cscript+>updated combofix, but sadly combofix still hangs at the "autoscan / scanning for infected files" stage. (FYI I connected the laptop to the internet but combofix still hangs itself and windows.)

09---MBAM-full.txt

Author

Commented:
UGH, I really wish we couldn't accidentally submit threads using ENTER.
here's the other logs:
CFScript.txt
GooredFix-a.txt
OTL-a.Txt
OTL-a-Extras.txt
RKreport-2-.txt

Author

Commented:
FYI I ran both the kaspersky rescue disk 10 and the bitdefender rescue disk (both updated and run from a usb flash drive), and kaspersky hung/failed, and bitdefender found nothing. (I assume it found nothing - there was no results screen, it just dumped me out to the main "desktop" menu, and the log says nothing but which drive was scanned. (!!!))
Top Expert 2007

Commented:
You didn't say if you installed SogouInput.

GooredFix did remove the bad firefox extension.


(C:\Documents and Settings\Steve Harnsberger\Start Menu\Programs\????) -- C:\Documents and Settings\Steve Harnsberger\Start Menu\Programs\¿¿¿¿
(C:\Documents and Settings\All Users\Start Menu\Programs\???????) -- C:\Documents and Settings\All Users\Start Menu\Programs\¿¿¿¿¿¿¿
(C:\Documents and Settings\All Users\Start Menu\Programs\????) -- C:\Documents and Settings\All Users\Start Menu\Programs\¿¿¿¿


OTL couldn't read/identify those programs above; those may have been your QQ or some programs in another language, are they?



[2011/06/07 02:22:06 | 001,007,108 | ---- | M] () -- C:\Documents and Settings\Steve Harnsberger\Desktop\wtf.exe
[2011/06/07 02:22:06 | 001,007,108 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\iExplore.exe


Are these 2 executables (above) on your desktop, "wtf.exe and iExplore.exe", the renamed RKill and another renamed legit file? If they are not renamed legit files then put them in (copy and paste them under the OTL section of the script).



Run OTL

• Under the Custom Scans/Fixes box at the bottom, paste in the following (all text/characters between the double lines).

===================================
:OTL
O4 - HKLM..\RunOnce: [*csccachexml.exe] C:\Documents and Settings\All Users\Start Menu\Programs\csccachexml.exe ()
O4 - HKLM..\Run: [csccachexml.exe] C:\Documents and Settings\All Users\Start Menu\Programs\csccachexml.exe ()
[2011/05/30 18:58:57 | 000,000,120 | ---- | M] () -- C:\WINDOWS\Dxapirifad.dat
[2011/06/06 20:04:49 | 000,000,000 | ---- | M] () -- C:\WINDOWS\Pfubiqigis.bin
[2011/05/27 11:01:04 | 000,147,456 | RHS- | M] () -- C:\WINDOWS\System32\Vbar332B.exe
[2011/06/07 10:59:58 | 000,182,272 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\csccachexml.exe
[2010/02/03 21:38:56 | 000,000,024 | ---- | C] () -- C:\Documents and Settings\LocalService\Application Data\anvkgp.dat
[2010/02/03 20:39:29 | 000,000,024 | ---- | C] () -- C:\Documents and Settings\Steve Harnsberger\Application Data\anvkgp.dat
[2011/06/07 10:59:58 | 000,182,272 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\csccachexml.exe
| M] -- C:\Documents and Settings\Steve Harnsberger\Application Data\AVG

:Files
ipconfig /flushdns /c
c:\windows\system32\Vbar332B.exe
c:\windows\system32\nsfD3E.tmp
c:\windows\system32\nsfD3D.tmp
c:\documents and settings\All Users\Start Menu\Programs\dbgappevts.exe
C:\Documents and Settings\All Users\Start Menu\Programs\audioparseobj.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\cachestreamres.exe
C:\Documents and Settings\Administrator\Start Menu\Programs\bootcabcsc.exe

:Commands
[purity]
[resethosts]
[emptytemp]
[EMPTYFLASH]
[CREATERESTOREPOINT]
[Reboot]

==================================

• Then click the Run Fix button at the top
• Let the program run unhindered, reboot the PC when it is done
• Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.





----------------------------------

It could also be that volsnap.sys driver is infected, let's check on that too.
Try Rootkit Unhooker:
http://www.kernelmode.info/ARKs/RKUnhookerLE.EXE

• Please download Rootkit Unhooker and save it to your desktop.
• Doubleclick on RKUnhookerLE.exe to run it.
• Click the "Report" tab, then click Scan.
• Checkmark Drivers, Stealth. Uncheck the rest and then click OK.
• Wait till the scanner has finished and then click File, Save Report.
• Post the report here.



Also download SystemLook and run it (to find copies of volsnap.sys).
http://jpshortstuff.247fixes.com/SystemLook.exe

Run systemLook and copy the below command into the main textfield:

:filefind
volsnap.sy*


• Click on the Look button to start the scan.
• When it's finished a report will open; post the result.
• The result "SystemLook.txt" is also located on the desktop.



Top Expert 2007

Commented:
@ greyknight17,
I took the liberty to make an OTL script. What do you think of those unknown programs?

Author

Commented:
thanks rpgamergirl

I don't know what SogouInput is. Is that something installed on the computer?

FYI there is at least one chinese text program on the infected computer - that may account for the ?????? files.

wtf.exe and iExplore.exe are renamed copies of rkill.com. NOTE - the exe's run, but the rkill.com no longer opens a window, at least in normal mode!

I will do the things you suggest -- can I do them in SAFE MODE WITH NETWORKING? (it's faster)

BTW system restore either has been on all this time, or a scan turned it back on. I turned it back off.

Author

Commented:
I ran OTL with the script first in safe mode (generating 2 log files) then realized I was being lazy, so I ran it in normal mode (generating 2 more log files). I didn't check "scan all users".

See the other log files as asked. THANKS!
OTL-b.txt
OTL-c.txt
OTL-d.txt
OTL-e.txt
rkunhooker-a.txt
systemlook-a.txt
Top Expert 2007
Commented:
I haven't looked at the OTL logs yet, I'll come back later, or greyknight17 can.

Are you sure there's nothing else after the "STEALTH" section of the Unhooker log? There should be something there if volsnap.sys is infected.
Have you tried running ComboFix again? If it runs it should be able to take care of the infected volsnap.sys.
It looks like volsnap.sys is patched, based on its filesize. We could try replacing that one using OTL... if unsuccessful in replacing it we would have to replace it via the Recovery Console. Do you have the Windows CD? First just check the Unhooker log again making sure it wasn't cut off.


Run OTL

• Under the Custom Scans/Fixes box at the bottom, paste in the following

==============================

:Files
C:\WINDOWS\system32\drivers\volsnap.sys|C:\WINDOWS\ServicePackFiles\i386\volsnap.sys /replace

:Commands
[purity]
[resethosts]
[emptytemp]
[EMPTYFLASH]
[CREATERESTOREPOINT]
[Reboot]

=============================

• Then click the Run Fix button at the top
• Let the program run unhindered, reboot the PC when it is done
• Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

Author

Commented:
Here are the new logs you asked for.

Should I be doing rkill (renamed, since rkill won't run anymore) or any other tool immediately before running any of the tools you're suggesting?

I ran unhooker again to check stealth section. Nothing's there. but NOTE - when I generate the report, and then say "close", it says, "Hmm, are you sure"  Am I supposed to do something else?
OTL-f.txt
OTL-g.txt
Top Expert 2007
Commented:
Can you run Unhooker again?

Whoa...it isn't looking good..... I would reformat if this was my system. Something is respawning those files, one of legit files may be infected.

I also suggest you try and install the Kaspersky free trial. Also uninstall any programs that the user did not install (those programs bundled with your software).

Download and install Kaspersky free trial and scan the system.
http://www.kaspersky.com/anti-virus_trial


Or you could also try DrWebCureit (it's alright to have this as well as an on-demand scanner).
Download and install DrWebCureit:
http://www.freedrweb.com/cureit/?lng=en


Or also an online scan with Eset.
http://www.eset.com/us/online-scanner

Author

Commented:
ok here's a new RKUnhooker report -- with ONLY "drivers" and "stealth codes" checked,
NOT CHECKED - SSDT, Shadow SSDT, Processes, Files, or Code Hooks

And when I'm done, I just close, I don't "fix" anything, Right?

I'll try the other scans too -- but should I assume those are less likely to fix it?

Thank you so much!

Author

Commented:
Oops, here's the file
rkunhooker-c

Author

Commented:
I don't know if this helps, but firefox is still being redirected from google result links to ad sites.

Author

Commented:
NOTE - I noticed that under the folder
c:\documents and settings\all users\application data
all of the bad virus executable filenames that I've seen rkill kill and mbam delete over this whole process are still there. There are 552 of them!  I deleted them but only to recycle bin.

Ran ESET online scanner. It removed stuff but firefox still redirecting and combofix still hanging.

Running drweb cure. (I already ran two other kaspersky tools, so saving that trial til last)

Author

Commented:
DrWebCure found no viruses!!! So did mbam full scan (no viruses).

Tried combofix in safe mode with command prompt. still hung.

Do you think it's this chinese text program? the one that is generating question marks?

FYI under the C drive, is a folder called "combofix", but it contains the same contents as "my computer", including C:\combofix\  and so on (see photo)
combofix-in-explorer.jpg

Author

Commented:
Just to give you all the info I can (getting desperate) I realized I wasn't saving the SAS logs. Here's a recent one attached - notice there are about ten lines like this:
Trojan.Agent/Gen-IExplorer[Fake]
      C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\LOCAL SETTINGS\TEMP\RARSFX0\NIRD\IEXPLORE.EXE

Author

Commented:
I'm going to have to have the laptop for another day if i'm lucky - any more ideas? (Owner would probably buy a new pc rather than reinstall)
Top Expert 2007

Commented:
Are you sure that ComboFix hung?
It did run before.... the thing with ComboFix is even though you can't see its window and it looks like it's not doing anything as long as the red light is on then it is scanning.

You can try running aswMBR to check for the mbr status.
I was going to make another OTL script but there are just way too many bad files and I'm not sure what maximum number of lines OTL can handle,
If you notice on the log, the virus created about 9 to a dozen bad files per second.
I am still curious to try the Kaspersky trial. Some file or driver is creating this numerous bad files and it's not easy when tools don't run.

Download aswMBR.exe ( 511KB ) to your desktop.
http://public.avast.com/~gmerek/aswMBR.exe
Double click the aswMBR.exe to run it
Click the "Scan" button to start scan
On completion of the scan click save log, save it to your desktop and post it in.


"(Owner would probably buy a new pc rather than reinstall)"

Nice to have a new PC.... or just reformat this one.

Author

Commented:
ok when I get home I'll post the aswMBR.exe results, and I'll try that third kaspersky tool. If I can't cure it by tmr afternoon, I'll pick up the os reinstall cd and reinstall XP.

FYI the first three times combofix hung, I let it run for over two hours. There was no change in the blue "autoscan" window. (e.g., no "stage 1")

Author

Commented:
Here's the aswMBR.exe log you asked for.  Now I'm running a full scan with the Kaspersky AV 2012 trial.

I'm assuming I should do all this in normal mode with the usual user logged in (the one who infected the computer).

I'm also attaching to this post the SuperAntiSpyware (SAS) scan log from yesterday evening that I forgot to attach in an earlier post above.

I might try uninstalling the four chinese text programs from the computer (as you suggested) and retry some scans. That floating desktop translation toolbar is very persistent; it might be interfering with things.

Do you think it's likely that "Microsoft SystemSweeper", mentioned early in this thread, will do anything not already covered?

Thank you again so much, rpggamergirl, for your help!  
aswMBR-a.txt
sas-10.txt

Author

Commented:
oh yes - and do I need to be running renamed rkill, or tdsskiller, or roguekiller, or anything else BEFORE running any of these recent scans?

Author

Commented:
Ran kaspersky av 2012 trial. Found and fixed one file. Rkill and combofix still hanging.

Author

Commented:
Dunno if you also needed "mbr.dat" from aswMBR scan, but here it is. It has been renamed to "mbr.dat.txt" so I could put it here.
MBR.dat.txt

Author

Commented:
The virus might be gone. Stupidly I was using combofix as the "test" of whether the virus is still there. But I noticed that firefox and IE are no longer redirecting. So I tried downloading a fresh copy of rkill.com, and it ran ok without renaming. So I downloaded new copy of combofix, but combofix still hung on autoscan. I tried creating a new admin user and tried re-dl-ing a fresh copy of combofix, but still no progression beyond the autoscan initial message.  (FYI, when the autoscan screen comes up, I can move the cursor around the screen, but nothing else responds (no start button response, no control/alt/delete response).)

The point is, for some time now, the only indication that there's still a virus (that I see) is combofix hanging, and the presence of those hundreds of files that the malware scans are ignoring. MBAM full scans are clear, and the SAS scan results are finding only cookies and the extra copies of explorer made by combofix before it hangs.

As you can see in the OTL logs, those files that were being created by the virus on 6/7 are still numbering in the hundreds in c:\program files\, c:\windows and c:\windows\system32, and probably elsewhere too. I don't understand why the MBAM and SAS scans aren't targeting them. But these files appear to be from 6/7/11 at the latest, so far from what I've seen anyway.

So I'm not sure what my status is.
OTL-h.txt
hijackthis.txt
MBAM-FULL-6-8-11-log.txt
Top Expert 2007

Commented:
Sorry for not being able to reply regularly...
Those OTL logs up to OTL log F are actually good......BUT after that OTL-F the last 2 scans of OTL (OTL-Q and OTL-H) are having those numerous files that no other scanners seem to pick up.

It could be because those are only residing in memory(not a physical file on the disk)...
When I looked at those files they all have a 0 bytes filesize. Could be because they are not written on the disk, hence no other scanners detect them.

Can you remember what happened after the OTL-F scan?(which was showing a clean log).. Only the last 2 OTL logs have those 0 bytes numerous files.


D:\x\MBR.dat <-- could you please have this dat file scanned online?
http://www.virustotal.com/
http://virusscan.jotti.org/en
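As an added example (not code from the thread, nor from OTL or SystemLook), here is a Python triage script that does offline what the two checks discussed above ask for: it hashes the live volsnap.sys against the pristine Service Pack copy (the ":filefind volsnap.sy*" and "/replace" steps) and enumerates the zero-byte executables that the later OTL logs showed the signature scanners ignoring. The XP paths in the comment are assumptions; the demo runs on a constructed temporary tree so it can be executed anywhere.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# On the thread's XP box the live driver is C:\WINDOWS\system32\drivers\volsnap.sys,
# pristine copies sit under ServicePackFiles\i386 and system32\dllcache, and the
# droppers landed in the All Users Start Menu\Programs and Application Data folders.


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def compare_driver_copies(live: Path, references) -> dict:
    """Hash the live driver and say which pristine copies disagree with it.
    A live copy that matches no reference is the 'patched, judging by size'
    condition the expert spotted in the OTL log."""
    live_size, live_hash = live.stat().st_size, sha256_of(live)
    agree, disagree, missing = [], [], []
    for ref in references:
        if not ref.is_file():
            missing.append(str(ref))
        elif ref.stat().st_size == live_size and sha256_of(ref) == live_hash:
            agree.append(str(ref))
        else:
            disagree.append(str(ref))
    return {"live_size": live_size, "live_sha256": live_hash, "agree": agree,
            "disagree": disagree, "missing": missing,
            "suspect": bool(disagree) and not agree}


def find_zero_byte_executables(roots, suffixes=(".exe", ".tmp", ".bin", ".dat")):
    """Zero-byte files with executable-looking suffixes under the drop folders:
    the hundreds of leftovers the signature scanners kept ignoring."""
    hits = []
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                p = Path(dirpath) / name
                if p.suffix.lower() in suffixes and p.stat().st_size == 0:
                    hits.append(str(p))
    return sorted(hits)


def build_sample_tree(base: Path):
    """Constructed sample: one pristine reference copy, a 'patched' live copy
    that differs by a few trailing bytes, and a drop folder holding two
    zero-byte droppers (names taken from the thread's logs) plus one real file."""
    good = b"MZ" + b"\x00" * 64 + b"volsnap-good"
    ref = base / "ServicePackFiles" / "i386" / "volsnap.sys"
    live = base / "system32" / "drivers" / "volsnap.sys"
    drop = base / "All Users" / "Start Menu" / "Programs"
    for d in (ref.parent, live.parent, drop):
        d.mkdir(parents=True)
    ref.write_bytes(good)
    live.write_bytes(good + b"\x90" * 8)
    (drop / "audioparseobj.exe").write_bytes(b"")
    (drop / "csccachexml.exe").write_bytes(b"")
    (drop / "notepad.lnk").write_bytes(b"L\x00\x00\x00")
    return live, [ref], [drop]


def run_demo() -> dict:
    with tempfile.TemporaryDirectory() as tmp:
        live, refs, drops = build_sample_tree(Path(tmp))
        return {"driver": compare_driver_copies(live, refs),
                "zero_byte": [Path(p).name for p in find_zero_byte_executables(drops)]}
```

On a real machine call compare_driver_copies and find_zero_byte_executables with the paths above from a clean boot medium, since a patched driver can lie to tools run on the infected system.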

Author

Commented:
The online scans say MBR.dat is fine.

According to my notes, I ran an OTL "Run Fix" with this info pasted:

********************
:Files
C:\WINDOWS\system32\drivers\volsnap.sys|C:\WINDOWS\ServicePackFiles\i386\volsnap.sys /replace

:Commands
[purity]
[resethosts]
[emptytemp]
[EMPTYFLASH]
[CREATERESTOREPOINT]
[Reboot]
********************

and it rebooted automatically and created "OTL F". Then I ran an OTL Quick scan, and generated "OTL G".

Author

Commented:
_____________

I have a very similar infection on another computer which I'm posting here at EE as well, but feel I should close this here thread and award points first. But because of the combofix hang I can't be sure which fix was correct. Points all go to RPGgamergirl, I'm just not sure which of these things to award the pts to. Also, I'm trying to contact the owner of the laptop to ensure the virus is still gone (bcz combofix still hung when I returned it to her.)

Things that might have fixed the virus / stopped MBAM from finding stuff and stopped Firefox from redirecting:
- uninstalling the chinese text input programs
- "cfscript+>combofix>
- retry of "cfscript+>combofix>
- manually removing all the 0kb size files til OTL found none
- kaspersky antivirus 2012 trial (found 1 item)

Things to rule out:
- OTL with script (because firefox was still redirecting after I ran it)
- drwebcureit (found nothing)
- eset online scanner (found nothing)
- aswMBR (its passive, right?)
_____________
Top Expert 2007

Commented:
ComboFix was able to run before in this PC..... try running it in safe mode and see if it runs successfully.

Author

Commented:
Unfortunately I had to give the laptop back. Waiting for confirmation from owner that the virus didn't come back. BUT:
to summarize the above re: combofix: I definitely tried running several different fresh copies of combofix, in safe mode, safe mode w net, safe mode with command prompt, as infected user and as administrator and as brand new user, with original filename and also randomly renamed. It always hung on the Autoscan screen before the "stage 1" line ever appeared.

Author

Commented:
The problem was volsnap.sys, which combofix was not fixing. The problem was fixed either by rpgamergirl's OTL script, or by kav 2012 trial.
Top Expert 2007

Commented:
Thanks for coming back and letting us know, much appreciated.
 
