#1
02-17-2007
Goodlandng
Bronze Member
Join Date: Feb 2007
Posts: 8

[Fixed] Problems with popups & instala.php

I appear to have the same 'instala.php' problem as the one posted by skt4dc8 yesterday. There are three symptoms in my machine when a program accesses the internet (could be IE, Outlook, or even Windows Media Player). The problems do not seem to happen when I am using Firefox, though I have not tested that theory fully.

First symptom: A message that the program instala.php, which appears (and re-appears after deletion) in the C:\Windows\System32 directory, does not have a proper association and cannot be run. (Now if I was a Spanish UNIX coder, I might have a need for instala.php, but I do not understand why it is on my Windows XP machine.) I have turned off the XP system restore option, so this file re-appears through some other means.

Second symptom: An aggressive series of pop-ups for numerous but consistent web sites appear. One of the pop-ups is not really an IE browser, although it is imitating one. The icon in the upper left corner of its window is from the wrong version of IE for my machine, and the session does not appear as an application in Task Manager.

Third symptom: An executable file is created (and registered) in my "C:\Documents and Settings\Jim White" folder. It tries to run and is (thankfully) unable to, closing with a request to send Microsoft an error report. The executable always has four capital letters (seemingly random) as a filename (e.g. RGOE.exe, LISU.exe, QIEM.exe, and more are currently in my folder).

I have been on the phone to McAfee five times and run more scans than I can recall. Some were in normal mode, some in safe mode, and even one in DOS mode. Scans included Ad-aware, AntiPuper, ATF-Cleaner, AVG Anti-Spyware, Spy-bot Search & Destroy, and I can't remember the name of the DOS program. I have no confidence in the McAfee team to be able to go beyond their standard call centre scripts and scans in their attempt to discover the problem. They don't seem to be interested that their software can not recognize the problem.

I have started to go into my registry and to delete things I thought were suspicious (like the entries for the four-letter programs above), but I'm not knowledgeable enough to continue there without eventually doing real damage to the machine.

So I'm hoping someone here can help to debug the problem before I end up having to re-format the machine and start over. I have followed the prework instructions and am attaching the AVG log and HJT report.

Report-Scan-20070217-212407.txt

hijackthis 17feb2007.log

I'm also attaching three images to let you see what I see on the screen. The machine sat with Firefox open to this post creation page for an hour with no problems while I ran the AVG scan. After the scan, I simply opened IE7 to the default msn home page, and the show began. Here are examples of the instala.php error message and file details, the browser-imitating program, and the exe files that are created.

randomprograms.jpg

instalaimage.jpg

fakebrowserimage.jpg

I appreciate any assistance you might provide.

Cheers,

Jim


#2
02-18-2007
ladygreenwitch
Administrator
Join Date: Jul 2005
Location: Bay Area California
Posts: 4,694

Hey Goodlandng,

Welcome to PCHF. We have a wonderful Security Team here, and I am certain that we will be able to help you with getting rid of the RLMs (rotten little monsters) that seem determined to take over your PC.

I am getting off for the night; you will be my first priority tomorrow if none of the other Security Team beats me to it.

Also, thank you for the exceptional post, your descriptions and details are excellent, and will prove very helpful.
TTFN

LGW


#3
02-18-2007
Goodlandng
Bronze Member
Join Date: Feb 2007
Posts: 8

LGW, I appreciate the support. Thanks!

I have been watching skt4dc8's post, and I'm happy that his/her issue has been resolved. Unfortunately, the instala1.php file mentioned is not on my computer. I looked directly in the System32 folder this morning, and have previously searched the entire PC for 'instala'. The search is being re-performed, but it takes a while. I'll post again if it turns up any results.

Meanwhile, it's a nice spring day in London. Guess I'll leave the computer for a few minutes and go outside!


#4
02-19-2007
ladygreenwitch
Administrator
Join Date: Jul 2005
Location: Bay Area California
Posts: 4,694

Hey Jim,

Hope you enjoyed your lovely Spring day.

Yup, you've got some issues. But not too bad. I'm afraid that with the way skt4dc8 went about cleaning that malware, he is going to be back. Let's see if we can't do a more thorough job on your PC, OK?

First, please right-click on My Computer, and choose Explore. Click on Tools, Folder Options, and then View. Make sure that there is a tick next to Display contents of System Folders, Show Hidden Files and Folders is selected, and Hide known file extensions is not selected. Now close Explorer.

Next, please download from my signature: CCleaner, RegSupremePro, Shoot the Messenger, Housecall, and SpySweeper. Update SpySweeper and CCleaner.

Open your Firefox browser, and then go to Tools, Options, Privacy. Under Cookies, Keep until..., choose "I close FireFox". Close FireFox.

Run Shoot the Messenger, this is a simple app that disables the Windows Messenger, a useless utility that leaves you vulnerable to PopUp attacks.

Next uninstall or disable McAfee (you can reinstall it later if you choose; I am concerned with how invasively it is set up in your system, and it may interfere with the other programs and fixes).

Run Housecall. Let it fix everything that it finds, and allow it to run a second time. If it gives you the option of saving a log, please do so.

Now boot into Safe Mode. Run CCleaner, make sure that all options are selected, including Advanced. Answer OK or Yes to all warnings. Click on Analyze, then Run Cleaner. Repeat this until either no further files appear, or the same files reappear and cannot be cleaned. If you have files that cannot be cleaned, navigate to the location, right-click on the file and choose Properties. Click on the Security Tab, and Advanced button. Give yourself full ownership of the file, and then manually delete. If you cannot manually delete any file, please note that to post back here.

Now run Spy Sweeper, under Options, Sweep, make sure that all available options under Custom Sweep are selected. Run a full system scan, and let it quarantine everything that it finds. Make sure to save the log to post back here.

Next run AVG again. Under Scanner, Settings, choose Quarantine under How to act?, all available files to scan, and put ticks next to all options; also select that it automatically generate a report. Run a full system scan.

Now go to Start, Run and type in services.msc and hit Enter. This will bring up your Services window. Locate ntmsdba.exe, right-click on it and choose Properties. On the General tab, under Startup Type, choose Disabled, then click on Stop.

Next open HijackThis!, and click on the Open the Misc. Tools Section button. Click on Delete an NT Service, type ntmsdba.exe into the window, and click OK. Close HJT.

Now please locate and delete the following files; also delete any other suspicious four letter files that may have appeared since your scan.

C:\WINDOWS\system32\msscp.exe
C:\Documents and Settings\Jim White\BOCG.exe
C:\WINDOWS\system32\ntmsdba.exe
C:\Windows\System32\instala.php

Now boot back into Normal Mode. Run HJT without a log, and fix the following if they are still there:

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKCU\..\Run: [msscp] C:\WINDOWS\system32\msscp.exe
O4 - HKCU\..\Run: [BOCG] "C:\Documents and Settings\Jim White\BOCG.exe"
(and/or any other suspicious four letter file.)
O23 - Service: ntmsdba.exe - Unknown owner - C:\WINDOWS\system32\ntmsdba.exe (file missing)

Now please rerun HJT with a log to post back here with all of the others. We'll get your registry cleaned after we are sure that the malware infection is gone.

Looking forward to your reply. I realize that this is a lot of work, so we'll keep an eye out for you.

TTFN

LGW
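An added example, not part of the thread and not a tool LGW or the forum provides, showing how the HijackThis entries singled out above can be picked out of a log automatically. The sample log lines are constructed from this post (plus one constructed benign autorun that must not be flagged), and the rules are heuristics built from Jim's description: four random capital letters as the executable name in his profile folder, a BHO with no file behind it, and a service with an unknown owner whose binary is missing.

```python
import re

# Constructed sample log: the entries LGW asked Jim to fix, plus one benign
# autorun line (also constructed) that the rules must leave alone.
SAMPLE_HJT_LOG = r"""
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKCU\..\Run: [msscp] C:\WINDOWS\system32\msscp.exe
O4 - HKCU\..\Run: [BOCG] "C:\Documents and Settings\Jim White\BOCG.exe"
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O23 - Service: ntmsdba.exe - Unknown owner - C:\WINDOWS\system32\ntmsdba.exe (file missing)
"""

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.+?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.+)$")
O4_RE = re.compile(r'^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]+)\] "?(?P<path>[^"]+?)"?\s*$')
O23_RE = re.compile(r"^O23 - Service: (?P<svc>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
FOUR_CAPS = re.compile(r"^[A-Z]{4}$")  # RGOE.exe, LISU.exe, QIEM.exe, BOCG.exe


def autorun_reason(hive, path):
    """Return why an O4 autorun matches Jim's symptoms, or None if it looks normal."""
    stem = path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
    lower = path.lower()
    if FOUR_CAPS.match(stem) and "documents and settings" in lower:
        return "four random capitals .exe launched from a user profile folder"
    if hive == "HKCU" and "\\system32\\" in lower:
        # Heuristic only: a per-user Run entry pointing into System32 deserves a look.
        return "per-user autorun pointing into System32 (review manually)"
    return None


def scan_hjt(text):
    """Walk a HijackThis log and return (section, identifier, reason) for flagged lines."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if m := O2_RE.match(line):
            if m["path"] == "(no file)":
                findings.append(("O2", "{%s}" % m["clsid"], "BHO registered but its file is gone"))
        elif m := O4_RE.match(line):
            reason = autorun_reason(m["hive"], m["path"])
            if reason:
                findings.append(("O4", m["name"], reason))
        elif m := O23_RE.match(line):
            if m["owner"] == "Unknown owner" or "(file missing)" in m["path"]:
                findings.append(("O23", m["svc"], "service with unknown owner or missing binary"))
    return findings


if __name__ == "__main__":
    for section, ident, reason in scan_hjt(SAMPLE_HJT_LOG):
        print(f"{section:<3} {ident:<40} {reason}")
```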


#5
02-19-2007
Goodlandng
Bronze Member
Join Date: Feb 2007
Posts: 8

Thank you for the comprehensive answer. I will do what I can, but I'm having a bad start to the day here...

On first try, the PC lost access to the internet. On reboot, I received a 'blue screen'. A second attempt brought the PC back online, but the properties in the Internet Gateway showed a series of checked but blank services, and Firefox and IE were unable to reach the internet.

The PC started in Safe Mode with Networking. I am now downloading tools and running scans. Wish me luck!


#6
02-19-2007
Goodlandng
Bronze Member
Join Date: Feb 2007
Posts: 8

LGW, you are brilliant! But you probably already knew that. On first inspection, the problem has been resolved.

So here's what I did...

Most items were run in safe mode as I lost the network in normal mode. The settings for folders and Firefox were already set.

Shoot the Messenger - done.
McAfee was uninstalled.
Housecall was run - no log available.
Ccleaner was run and re-run to a clean result.
Spy Sweeper was run - log attached.
Spy Sweeper Session Log.txt
AVG was run with only one item found - log attached.
AVG - Report-Scan-20070219-113922.txt
The services were stopped, and the files removed - Note: the two executables had similar named .dll's (i.e. msscp.exe and psscp.dll, ntmsdba.exe and nemsdba.dll). I only deleted the exe's.

Back to Normal mode (with network cable unplugged) to run HJT and 'fix' the items noted.

McAfee was reinstalled and started.

HJT was re-run - log attached.
hijackthis.log

This post was created in IE7, and no pop-ups have appeared, no executables have been made, and no error messages referring to instala.php have appeared.

I have to go into town for a while, and I'll check back this evening to see if it all still works.

Thank you for your support!


CC


#7
02-19-2007
ladygreenwitch
Administrator
Join Date: Jul 2005
Location: Bay Area California
Posts: 4,694

Hey Jim

Great Job M8!! Looks like you got it all. Go back in and remove those .dll files, and you should be good to go!

Let's get your registry cleaned up before you move on tho, it's always a good idea after a malware attack.

Run RegSupremePro, it will want to make a back up of your cache, let it. Then click on the Registry Cleaner tab, and choose Aggressive. When it has finished, click on Select, and choose All. Click on fix, and let it fix everything that it finds. You can name the backup file, today's date. Reboot your PC.

I'm so glad that we were able to help you; please make sure to recommend us to your friends and family. We look forward to seeing you in the forums for less unpleasant activities, like the Jokes thread.

TTFN

LGW

Marked as Fixed.


