Solved Malware Problem, please help??

IMPORTANT UPDATE: As SUPERAntiSpyware is not able to permanently remove the malware "Rogue.SmartProtector", I took a look at its location (and no, after removing it myself it still returns.) Its location is: C:\Windows\system32\srcr.dat

I Googled it and see that it is listed as a dangerous malware called H8SRT Trojan. The symptoms are exactly the same! The locations it gives for the downloads were not found, so it must download under different names or locations now. If only I can find them...

Related links:

How to remove H8SRT trojan (Remove Rootkit.TDSS) | My Anti Spyware

What is H8SRT.sys, How to remove H8SRT.sys | HT Logs. Tips, FAQs, Analyze.



Corrine, I had trouble getting that program to work and quit. I've been trying out so many different programs (one at a time, and uninstalling of course) that if one doesn't work properly I just move on to try the next.

ComboFix ran and apparently removed something. This is the CF quarantine:

2009-12-28 17:39:39 ----D---- C:\Qoobox

Please check your computer for C:\ComboFix.txt.

Corrine,
I am in no way putting you down, or downplaying your suggestions here. It just seems that there is a lot of unneeded posting going around. We know the virus is there, and it keeps coming back. The scanners don't scan the system restore points. The infection can hide in here. This infection, which I have seen before, is quite complex and can hide here quite easily.

Neurolanis,
As long as you have all of your important work backed up, it will be safe to turn off/delete your system restore points. If all of your files are backed up, the worst that could happen is that we would have to do a clean install, which would in turn resolve your malware issue. From an Experienced Malware Remover, I am letting you know it is safe to shut off the restore points. AS LONG AS YOUR WORK IS BACKED UP. I then can guide you through your last few steps and you should be on your way to having an infection free computer!

Let us know,
Ben


System One

  • Manufacturer/Model: Dell
  • CPU: Intel(R) Celeron(R) CPU 420 @1.60 GHz
  • Motherboard: Dell Inspiron 530 Default
  • Memory: PNY 4GB 240-Pin SDRAM DDR2 800 (PC2 6400) Dual Channel
  • Graphics Card(s): ATI Radeon HD 2400 PRO
  • Sound Card: Realtek HD Audio
  • Monitor(s) Displays: Gateway PnP Monitor
  • Screen Resolution: 1024x768 @ 75 Hz
  • Hard Drives: Seagate 250G ATA SATA-II
  • Case: Dell Inspiron 530
  • Cooling: None
  • Keyboard: Logitech EX100 Combo
  • Mouse: Logitech EX100 Combo
  • Internet Speed: 100 MB/s

Hi, Neverhavemoney.

Malware in System Restore is harmless unless the computer is restored to that infected point. However, you are correct in stating that in clearing SR "the worst that could happen is that we would have to do a clean install".

TDSS is a rootkit. At a quick look at the RSIT log, this is one indicator of the infection: C:\Windows\system32\krl32mainweq.dll. Clearing System Restore is not the solution.

That said, as a new member of this site, it was rude of me to step into this thread. My apologies. I will leave it in your hands.

Regards,

Corrine

I guess I did download ComboFix but it ran in the background and I wasn't able to find any of its files, so I presumed it hadn't worked.


Neverhavemoney, I will try what you advise. From what I've read, the best way to do this is to shut down system restore, wait an hour or so and then restart, run Disk Cleanup, and then turn system restore back on. I'll save my needed files and then attempt this procedure.

Windows Vista System Restore Guide

Disable System Restore in Windows 7 or Vista :: the How-To Geek

PC Hell: Disabling System Restore on Windows Me, Windows XP, and Windows Vista

I have tried the procedure described by ALL of the above sites for disabling System Restore, but the procedure is incorrect (for my computer anyway.) I do have Windows Vista Premium, but it isn't the same as the above sites describe for this procedure. I have tried this in both regular and safe mode but the result is the same..

Click on the System and Maintenance menu option.

There is no "and Maintenance" file on my computer anywhere. There is only a "System" file.

Click on System Protection in the left-hand task list.

When I do this, "System Properties" comes up.

Uncheck the checkboxes next to each hard drive listed under the Create restore points automatically on the selected disks: section. When you uncheck a disk you will be presented with the following screen...You should click on the Turn System Protection Off button.

There are no checkboxes whatsoever, there is no "restore point" option, and there is no "Turn System Protection Off" button. The tabs are "Computer Name", "Hardware", "Advanced" and "Remote" (Advanced has "Performance", "User Profiles" and "Startup and Recovery".)

This is what it looks like:
[screenshot of the System Properties dialog]


The "System Protection" option is available only on the regular mode and I don't see how it can help, as it doesn't appear to have any of the required options.

Nothing is ever simple is it? :huh:

Ok, seeing as though I believe that my computer has a virus called H8SRT Trojan, I searched my whole registry for "H8SRT". One file came up highlighted, but I'm not sure if I should remove it. I tried Googling it and there is NO mention of this particular file anywhere! I'm hoping that someone will know if it's OK to remove this file or not. I found it here:

HKEY_LOCAL_MACHINE\System\ControlSet001\Control\Session Manager...and after that it will not show me which of several other folders it belongs to...

It is called "PendingFileRenameOperations"

File type: REG_MULTI_SZ

"Data": \??\C:\TEMP\H8SRTb144.tmp
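The value found above is worth a closer look, because of how Windows uses it. Session Manager (smss.exe) reads PendingFileRenameOperations at boot, before any user-mode scanner is running, and applies it as pairs of NT-style paths: (source, destination), where an empty destination means "delete source" and a non-empty one means "move source over destination". A pair that copies a staged file out of a temp directory into System32 is one mechanism by which a file deleted during the day can be back after the next reboot. The following script is an added example written for this thread, not code from any poster or tool mentioned here; it parses such a value into operations and flags the ones a responder should review. The sample value is constructed (the thread shows only the first string), the WATCHLIST name fragments are a hypothetical list taken from names in this thread, and read_pending_renames() assumes the standard-library winreg module on a Windows host.

```python
"""Triage of a PendingFileRenameOperations value (added example, not from the thread)."""
from __future__ import annotations

import sys
from dataclasses import dataclass

NT_PREFIX = "\\??\\"                 # object-manager prefix used in this value
WINDOWS_DIR = "c:\\windows\\"
TEMP_MARKERS = ("\\temp\\", "\\tmp\\")
# Hypothetical watchlist built from names that appear in the thread.
WATCHLIST = ("h8srt", "srcr")

# Constructed sample value. Only the first string is from the thread; the rest is
# made up to exercise the delete case and a benign-looking application update.
SAMPLE_VALUE = [
    "\\??\\C:\\TEMP\\H8SRTb144.tmp", "\\??\\C:\\Windows\\System32\\srcr.dat",
    "\\??\\C:\\Users\\neuro\\AppData\\Local\\Temp\\setup_9f2.tmp", "",
    "\\??\\C:\\Windows\\System32\\krl32mainweq.dll", "",
    "\\??\\C:\\Program Files\\SomeApp\\update.dll",
    "\\??\\C:\\Program Files\\SomeApp\\app.dll",
    "",                               # REG_MULTI_SZ values often carry a trailing empty string
]


@dataclass
class PendingOp:
    source: str
    destination: str                  # "" means "delete source at boot"

    @property
    def is_delete(self) -> bool:
        return self.destination == ""


def strip_nt_prefix(path: str) -> str:
    """Turn \\??\\C:\\x into C:\\x for readability."""
    return path[len(NT_PREFIX):] if path.startswith(NT_PREFIX) else path


def parse_pending_renames(values: list[str]) -> list[PendingOp]:
    """Pair the multi-string up into operations, tolerating trailing empties."""
    vals = list(values)
    while vals and vals[-1] == "":
        vals.pop()
    if len(vals) % 2:                 # odd count: the last entry is a delete
        vals.append("")
    return [PendingOp(vals[i], vals[i + 1]) for i in range(0, len(vals), 2)]


def reasons_for(op: PendingOp) -> list[str]:
    """Why a responder should look at this operation; empty list means unremarkable."""
    src = strip_nt_prefix(op.source).lower()
    dst = strip_nt_prefix(op.destination).lower()
    reasons = []
    if op.is_delete:
        if src.startswith(WINDOWS_DIR):
            reasons.append("deletes a file under the Windows directory at boot")
    else:
        if dst.startswith(WINDOWS_DIR):
            reasons.append("writes into the Windows directory at boot")
        if any(m in src for m in TEMP_MARKERS):
            reasons.append("source was staged in a temp directory")
    if any(w in src or w in dst for w in WATCHLIST):
        reasons.append("name matches the watchlist")
    return reasons


def triage(values: list[str]) -> list[tuple[PendingOp, list[str]]]:
    """Return only the operations that deserve review, each with its reasons."""
    out = []
    for op in parse_pending_renames(values):
        why = reasons_for(op)
        if why:
            out.append((op, why))
    return out


def read_pending_renames() -> list[str]:
    """Read the live value on Windows; elsewhere fall back to the constructed sample."""
    if sys.platform != "win32":
        return SAMPLE_VALUE
    import winreg                     # standard library, Windows only
    key = winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE,
                         r"SYSTEM\CurrentControlSet\Control\Session Manager")
    try:
        value, _type = winreg.QueryValueEx(key, "PendingFileRenameOperations")
    except FileNotFoundError:         # nothing scheduled for the next boot
        return []
    finally:
        winreg.CloseKey(key)
    return list(value)


if __name__ == "__main__":
    for op, why in triage(read_pending_renames()):
        action = "DELETE" if op.is_delete else "MOVE -> " + strip_nt_prefix(op.destination)
        print(strip_nt_prefix(op.source) + ": " + action + "\n    " + "; ".join(why))
```

On the sample the temp-to-System32 move is flagged three times over (destination under the Windows directory, source in a temp directory, watchlist match), the System32 delete is flagged once, and the two installer-style entries are left alone. Legitimate updaters use this key too, so the output is a review list rather than a verdict; the useful signal is a staged file in a temp path heading for a system directory.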

OK, I may have found it!!!

In System Restore, no less....

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SystemRestore

...and the files named SrCreateRp (Enter) and SrCreateRp (Leave)

This was while I was searching "srcr" (the malware file name that kept returning!)

That's awesome Neurolanis,
You should be all set with it returning again and again now that it is deleted!

Let us know,
Ben

Neurolanis, I have been sharing this same problem with you. I've been following this thread for the last couple days, and have removed all 3 hidden registry files that you have pointed out.
No dice, "malware defender" still runs on start-up.
I'm running the superantispyware online scan, and it keeps picking up rogue.smartprotector.
I'm going to try deleting it one more time with the registry entries deleted, to see if I can get rid of it once and for all, but right now, it's still looking pretty persistent.

This is a very well-thought out scam.
If you search "malware defender" in google, it comes up with about 1,000 bogus sites asking you to download even MORE ways to steal your info.

I wish I could give you more information on how I may have picked up this virus, but alas, I was out of town for Christmas, and it was my roommates who discovered this little treat for me. :/

Godspeed, and I will update you if I find out any way to get rid of this beast once and for all.

Thanks for posting, Mailbox3. Sorry to hear you're going through this ordeal too, although selfishly it is also good to know I'm not alone. If you learn anything important about this problem please let me know, and of course vice-versa if I learn anything I'll post it..

I appreciate your support, NeverHaveMoney. Unfortunately this problem isn't resolved yet...

I removed the following registry items:

HKEY_LOCAL_MACHINE\System\ControlSet001\Control\Session Manager
HKEY_LOCAL_MACHINE\System\ControlSet003\Control\Session Manager
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SystemRestore
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\VSS\Diag\SystemRestore

....but, C:\Windows\System32\srcr.dat remains...

"srcr.dat" has been labeled a malware file, and it keeps coming back. One person claims (link below) that "System32" files are important to the system so Windows doesn't let you remove it (or any of its files?) This would make sense, because in another case a file wouldn't let me remove it because it had CREATOR OWNER permission. I downloaded a software that made me the CREATOR OWNER, and so I removed it. In this case, it does allow me to remove the file, it just keeps coming back again!

Either the malware is hidden somewhere else, or "srcr.dat" is the main file but it's protected by Windows. I tried to contact Microsoft on this matter earlier, but they don't make it easy. I finally found a phone number, but I was told that I'd need my Microsoft product number (apparently it's hidden somewhere in the software.) I did a Microsoft scan to "find" the number, but it said it couldn't be found. So, great! I'll have to try calling them tomorrow anyway (I won't hold my breath!)

And I really thought it was SOLVED for a while there. If this finally does get resolved, I think I'll spend one afternoon staring at my computer screen in disbelief, waiting for those damn ad screens to start popping up again..SHEESH...

http://www.file.net/process/system32.exe.html

Some worms create registry entries to serve them, so I have been carefully removing ones which I believe this malware is creating. Regular files too of course. I kind of feel like I'm at my wits' end right now..

I have searched for ComboFix through the files search option and through the registry and have found nothing. Maybe it was removed by one of the anti-spyware programs I've been using (or by Norton.)

Malwarebytes will still not run (neither will SUPERAntiSpyware, except for the online scanner.)

Right now I am looking over the files created on Dec 21, 2009 (when I am very certain this all began.) There are a TON of new files on that day, and a LOT from Norton Anti-Virus. A LOT. The days before and after have only a fraction of as many files. I feel like deleting the whole damn lot, but, I'm nosing over them. I can't see the harm in removing Norton files downloaded on that night when everything went crazy anyway...I see on other sites that people are discussing these very Norton files are being malware:

http://community.norton.com/norton/board/message?board.id=nis_feedback&thread.id=57142

http://spywarefiles.prevx.com/RRDIHD45062222/%7B0C55C096-0F1D-4F28-AAA2-85EF59112...EXE.html

Is it possible that a Norton update may be responsible for this?

Well, another long night spent labouring over a seemingly unsolvable problem. Again, I really thought I had it beat...I removed a ton of files that were downloaded onto my computer on the day the problem occurred—srcr, spp.dll, inprocserver32, system32 and a whole bunch of wuclient files. I had to download the “take control” software in order to remove many of these files (link below.) I also hunted down more of these files that appeared after the day the problem began.

http://www.vistax64.com/tutorials/112795-context-menu-take-ownership.html

Windows\System32\srcr.dat (known as "Rogue.SmartProtector") still returns at every restart. I looked up the folder that it is enclosed in (System32) and apparently it is considered a serious malware threat (link below.) The problem is that I have three such files, and I believe at least one of them must be part of Windows. I tried deleting the folder that houses “srcr” but it warned me that it would harm the computer, and indeed some of the files in the folder do appear important (while others are also threats.) Sigh...

http://www.liutilities.com/products/wintaskspro/processlibrary/system32/

So I ran a couple online scans and rebooted, hoping for the best. For a few minutes, nothing—then WHAM! On comes the same old crap, as if all the hard work I did accounted for nothing! This malware is indeed “smart.” Someone out there has waayyy too much time on his hands...and it’s taking ALL my spare time to try to stop this thing. Can it be stopped??

Please download and run the following tool to help allow other programs to run. (courtesy of BleepingComputer.com)
There are 6 different versions. If one of them won't run then download and try to run the other one.

Windows Vista and Windows 7 users need to right-click and choose Run as Admin.

You only need to get one of them to run, not all of them.
  1. rkill.exe
  2. rkill.com
  3. rkill.scr
  4. rkill.pif
  5. WiNlOgOn.exe
  6. uSeRiNiT.exe

Now try to install and run Malwarebytes.

Every time I downloaded (to desktop) and ran one of those, one to three other icons appear and then something happens--the screen sort of blinks as a black box briefly appears, and then the extra icons disappear and the "Windows Help" file on "Safe Mode" reappears. And nothing happens.

UPDATE: Yes! Malwarebytes is working!!

It found two Trojan.FakeAlert files and removed them (although it's prompting me to restart now, so I will.) They were found in globalroot\systemroot\H8SRT.

The log:

31/12/2009 3:49:34 PM
mbam-log-2009-12-31 (15-49-34).txt
Scan type: Full Scan (C:\|D:\|E:\|)
Objects scanned: 202744
Time elapsed: 27 minute(s), 8 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
\\?\globalroot\systemroot\System32\H8SRTjtjrujllua.dll (Trojan.FakeAlert) -> Delete on reboot.
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
\\?\globalroot\systemroot\System32\H8SRTjtjrujllua.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.