Invasive Malware Take Over. Please Help!

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by Max Hennings, Jul 5, 2009.

  1. Max Hennings

    Max Hennings Private E-2

I hope someone can help me with this problem. Recently my computer has been acting up. It started with random link redirects when clicking Google but quickly progressed into something much worse. I had Ad-Aware and Spybot installed but they were unable to stop whatever Trojan or malware I had been infected with. Spybot won't work at all anymore and I can't update my old definitions for Ad-Aware, nor can I manually update it. I tried reading forums to get an idea of what to do but I haven't had any luck. I tried downloading a-squared and Malwarebytes' Anti-Malware but both programs failed to install correctly even after attempting multiple times. I tried installing Malwarebytes' Anti-Malware in safe mode but it won't run in normal mode. Anyway, long story short, I was about to reformat but now I can't get my DVD-RW to even burn a copy of my XP ISO, so I am completely stuck. I have a feeling the DVD-RW is a related issue as it is not recognized as a DVD-RW by burning programs like Nero, MagicISO, PowerISO, etc.

    So I came here after the guys from Hijackthis never got back to me. I can still use a lot of the programs on my computer and can access the Internet but my machine crashes a lot and slows down horribly for no reason plus my spyware removal software no longer works. I can't seem to install anything new as well.

I tried to do everything on the "READ THIS FIRST" document but I couldn't get half the programs to work even with the notes listed in the document. SUPERAntiSpyware wouldn't install properly and I couldn't even download Malwarebytes' Anti-Malware without getting an error. I was able to run CCleaner, RootRepeal, and MGtools. I attached my RootRepeal logs and MGtools logs to this post.

Please, someone help me figure this out or at least help me burn a copy of my Windows ISO to reinstall.

Thanks in advance to any kind soul out there willing to help me.

    -Max
     

    Attached Files:

  2. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Why am I not seeing any anti-virus software on this machine? And you may as well uninstall Ad-aware as it is a useless tool.

    Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):


    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    NOTE: HJT may popup an error about the AppInit_DLLs line. Ignore it and click OK to continue.

    After clicking Fix, exit HJT.

Now copy the bold text below to Notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.
    Make sure that you tell me if you receive a success message about adding the above
    to the registry. If you do not get a success message, it definitely did not work.


    Please double-click the RootRepeal.exe previously downloaded.

    * Select File then Scan
    * On the Select Drives form select drive [ insert drive infected here ] by "ticking" the box for drive [insert drive here] and click OK
* When the scan is complete, highlight each of the following file(s) (one at a time if more than one is listed) by left clicking it. Then right click and select the Wipe File option only, for each file.
    C:\WINDOWS\system32\drivers\gxvxcrqodjoenrtnxtmnubwwosrrvkbgjxjxf.sys
    C:\WINDOWS\system32\gxvxcuwboevpxuwkkliudltiwkyfulhmlrvqa.dll
    C:\WINDOWS\system32\gxvxccsuxndkqpqjkxflafrtnymksjvwsvnsp.dll
    C:\WINDOWS\system32\gxvxccount
    * After Wiping all files, immediately reboot your pc!

    After reboot, download/install/update and run the scanning tools you couldn't run!

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:

    * C:\ComboFix.txt
    * C:\MGlogs.zip
    and the SAS and MBAM logs.
     
  3. Max Hennings

    Max Hennings Private E-2

Well, I uninstalled Ad-Aware and followed your instructions but now my internet browser doesn't want to work. I have a good wireless connection but Firefox can't load any websites? Right now I'm posting using my laptop. I also had problems following your instructions in RootRepeal, as I did a scan but did not find the files you listed as ones to select and wipe. I was able to get the programs I couldn't previously use to work and produce logs. Will reply again with the logs attached once they are done; hopefully my laptop battery will last, I left my charger at work. Anyway, if you can think of any way to restore my internet let me know. I

    I'll post again once the programs are done.

    -Max
     
  4. Max Hennings

    Max Hennings Private E-2

    Here are the new logs...

    Thanks,


    -Max
     

    Attached Files:

  5. Max Hennings

    Max Hennings Private E-2

    Plus one Rootrepeal log

    -Max
     

    Attached Files:

  6. Max Hennings

    Max Hennings Private E-2

    I solved the Internet issue... Turns out that I had setup my IP address to be static and somehow the router dropped me. I just turned automatic DHCP back on and everything is back to normal.
     
  7. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

Your MBAM log indicates you did not fix anything. Did you save the log before fixing the issues? If not, then you need to re-run it and fix them.

    You need to move Combo to your desktop as instructed in the Read and Run First, not here:
    Running from: e:\downloads\ComboFix.exe

    Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

    Please double-click the RootRepeal.exe previously downloaded.

    * Select File then Scan
    * On the Select Drives form select drive [ insert drive infected here ] by "ticking" the box for drive [insert drive here] and click OK
* When the scan is complete, highlight each of the following file(s) (one at a time if more than one is listed) by left clicking it. Then right click and select the Wipe File option only, for each file.
    C:\Documents and Settings\Max\Application Data\SecuROM\UserData\ЃϵϳЅЂϿϽϯІχϯπρϴϱЄϱЃϵϳЅ
    C:\Documents and Settings\Max\Application Data\SecuROM\UserData\ЃϵϳЅЂϿϽϯІχϯπρЂϻϵЉЃϵϳЅ
    * After Wiping all files, immediately reboot your pc!

Now copy the bold text below to Notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.
    Make sure that you tell me if you receive a success message about adding the above
    to the registry. If you do not get a success message, it definitely did not work.


    Now use add/remove programs to uninstall:
Java(TM) 6 Update 2
Java(TM) 6 Update 3
Java(TM) 6 Update 7
    Java(TM) SE Runtime Environment 6 Update 1

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:

    * C:\MGlogs.zip
     
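The two wipe lists in this thread (the gxvxc* files in post 2 and the SecuROM UserData entries in post 7) have one thing in common: names nobody typed. The script below is an added example for this page, not part of the thread or of RootRepeal, MGtools or any other tool named here. It scores a directory listing for that kind of name so a helper can decide which entries to look at first; it does not decide what to wipe. The sample listing is constructed: the first six paths are the ones the helper listed, the rest are ordinary Windows XP files added for contrast. The thresholds (a 16-character minimum, 3.5 bits per character, a vowel ratio under 0.30, a 5-character family prefix) are assumptions chosen so that the thread's paths and the benign samples fall on opposite sides, not established cut-offs.

```python
import math
import ntpath
import unicodedata
from collections import Counter, defaultdict

# Constructed sample listing (not collected from the poster's machine). The
# first six paths are the ones the helper asked to have wiped in this thread;
# the rest are ordinary Windows XP files added for contrast.
SAMPLE_LISTING = [
    r"C:\WINDOWS\system32\drivers\gxvxcrqodjoenrtnxtmnubwwosrrvkbgjxjxf.sys",
    r"C:\WINDOWS\system32\gxvxcuwboevpxuwkkliudltiwkyfulhmlrvqa.dll",
    r"C:\WINDOWS\system32\gxvxccsuxndkqpqjkxflafrtnymksjvwsvnsp.dll",
    r"C:\WINDOWS\system32\gxvxccount",
    r"C:\Documents and Settings\Max\Application Data\SecuROM\UserData\ЃϵϳЅЂϿϽϯІχϯπρϴϱЄϱЃϵϳЅ",
    r"C:\Documents and Settings\Max\Application Data\SecuROM\UserData\ЃϵϳЅЂϿϽϯІχϯπρЂϻϵЉЃϵϳЅ",
    r"C:\WINDOWS\system32\drivers\ntfs.sys",
    r"C:\WINDOWS\system32\kernel32.dll",
    r"C:\WINDOWS\system32\msvcrt.dll",
    r"C:\WINDOWS\system32\msvcp60.dll",
    r"C:\Documents and Settings\Max\Application Data\SecuROM\UserData\settings.dat",
]

# Assumed thresholds: tuned to split the thread's paths from the benign
# samples above, not established cut-offs.
MIN_RANDOM_LEN = 16      # stems shorter than this are too short to judge
MIN_ENTROPY = 3.5        # bits per character; English-like stems sit well below
MAX_VOWEL_RATIO = 0.30   # random lowercase runs average ~0.19, English ~0.38
FAMILY_PREFIX = 5        # length of the prefix shared by the gxvxc* family


def shannon_entropy(text: str) -> float:
    """Bits per character of the text's own character distribution."""
    if not text:
        return 0.0
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def vowel_ratio(text: str) -> float:
    """Share of ASCII vowels; non-ASCII characters count as consonants."""
    if not text:
        return 0.0
    return sum(ch in "aeiou" for ch in text.lower()) / len(text)


def looks_random(stem: str) -> bool:
    """Long, high-entropy, vowel-poor stem: typical of generated names."""
    s = stem.lower()
    return (len(s) >= MIN_RANDOM_LEN
            and shannon_entropy(s) >= MIN_ENTROPY
            and vowel_ratio(s) < MAX_VOWEL_RATIO)


def scripts_of(name: str) -> set:
    """Script names (first word of the Unicode character name) of every
    non-ASCII character in name; empty for a pure-ASCII name."""
    scripts = set()
    for ch in name:
        if ord(ch) < 128:
            continue
        scripts.add(unicodedata.name(ch, "UNASSIGNED").split(" ")[0])
    return scripts


def triage(paths):
    """Map each suspicious path to the list of reasons it was flagged.
    Paths with no finding are absent from the result."""
    findings = defaultdict(list)
    stems = {}
    for path in paths:
        base = ntpath.basename(path)            # handles backslash paths on any host
        stem, _ext = ntpath.splitext(base)
        stems[path] = stem
        scripts = scripts_of(base)
        if scripts:
            findings[path].append("non-ASCII name (" + ", ".join(sorted(scripts)) + ")")
        if looks_random(stem):
            bits = shannon_entropy(stem.lower())
            findings[path].append(f"random-looking stem (H={bits:.2f} bits/char)")
    # Family rule: a short name that shares its prefix with generated names
    # (gxvxccount beside gxvxc*.sys/.dll in this thread) is flagged with them.
    families = defaultdict(list)
    for path, stem in stems.items():
        if len(stem) >= FAMILY_PREFIX:
            families[stem[:FAMILY_PREFIX].lower()].append(path)
    for prefix, members in families.items():
        if len(members) < 2 or not any(looks_random(stems[m]) for m in members):
            continue
        for member in members:
            if not looks_random(stems[member]):
                findings[member].append(f"shares prefix '{prefix}' with generated names")
    return dict(findings)


if __name__ == "__main__":
    for path, reasons in triage(SAMPLE_LISTING).items():
        print(path)
        for reason in reasons:
            print("    -", reason)
```

The listing fed to `triage` has to come from a scan that does not go through the infected system's own file APIs (the poster's first RootRepeal pass did not show the gxvxc* files at all; a plain `dir` on a rootkitted box shows even less). The output is a ranking for a human, and a benign driver with an unusual name will land on it too, so the thread's practice of confirming each entry before wiping still applies.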
  8. Max Hennings

    Max Hennings Private E-2

    OK first off, I did run Malwarebytes' Anti-Malware and you are correct I posted logs produced prior to cleaning as I thought you may want to see what I was infected with. I apologize for this error as I did run Malwarebytes' Anti-Malware and it did clean the system.

    Second, I ran ComboFix from my desktop and attached the logs as instructed. Sorry for carelessly running the program simply from a shortcut placed on my desktop rather than actually placing the program in my desktop folder.

    Third, I ran Rootrepeal again and this time I was able to follow your instructions as the files you listed appear... I wiped both the files and attached the new log.

Fourth, I was able to add the .reg file from the text you provided, no problems.

    Fifth, I uninstalled the following:
Java(TM) 6 Update 2
Java(TM) 6 Update 3
Java(TM) 6 Update 7
    Java(TM) SE Runtime Environment 6 Update 1
    But did not uninstall Java(TM) 6 Update 14 which you did not list, and still remains on my system.

    Finally, I ran C:\MGtools\GetLogs.bat and attached the new log.

    Hope I did everything right. Again thanks for your help while we work through this I really appreciate it.

    -Max
     

    Attached Files:

  9. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Sweet.....much better! Now install an AV program immediately!

    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no real-time protection. They are useful as backup scanners. They do not use any significant amount of resources (except a little disk space) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /u
        • Notes: The space between the combofix" and the /u, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
    3. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    4. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    5. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    6. Go to add/remove programs and uninstall HijackThis.
    7. Goto the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    8. If you are running Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures in step 3 of the READ ME for your Windows version and see the instructions to Disable System Restore, which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    9. After doing the above, you should work thru the below link:
     
  10. Max Hennings

    Max Hennings Private E-2

    Thanks for your help ill get an AV program right away.

    -Max
     
  11. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

You're welcome.....safe surfing. :)
     
