Malware mostly fixed, still have some redirect problems

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by dougcha, Nov 17, 2010.

  1. dougcha

    dougcha Private E-2

    Hi all,

    I'm fixing a friend's computer so I don't have all the details of what led up to the problem, but here's what I know in a nutshell.

    Sometime in the week leading up to last Tuesday 11/9/10 one of the users of the computer in question surfed to a suspicious website (which we don't remember) and after that Firefox started redirecting randomly.

    On last Tuesday 11/9/10 a different user clicked yes on some suspicious sort of "do you want to fix this problem /clean these files / whatever" dialog box (details are lost in other people's memories).

    After that AVG popped up a message saying that a bunch of Windows\system files were infected with win32\patched.fs and win32\patched.fd or something close to that, I don't have those notes in front of me at the moment. The patched.fs and .fd part is right, but I don't remember the exact path. I shut the computer down and restarted and it came up with a fake virus screen for Thinkpoint. I also found several other problems like the Folder Options weren't available in Explorer, and Regedit could not be started. At this point I turned off the computer until I could look at it again, which was yesterday 11/15.

    In the meantime I did some googling and ran across this excellent forum.

    Yesterday 11/15 I started running through everything in the RUN & READ ME FIRST post and today I finished it up. The various scanners found many things and cleaned most of them, but we're still having problems. I googled AVG free and when I clicked on the link Firefox redirected me to Tazinga.com. When I finally got to the AVG free download link I clicked download and it redirected me somewhere else.

    Additionally, there are some suspicious looking registry entries in the HijackThis log created by MGTools. I fired up Regedit and looked in HKLM\software\microsoft\windows\currentversion\run and the entry [GEST] m‘|\ü is there, but the entries that are long random character strings are not.

    At this time I attach the various log files, defer to greater experts than me, and anxiously await your reply.

    Thanks in advance folks. I can see you're helping a lot of people and I appreciate that.

    Doug
     

    Attached Files:

    Last edited: Nov 17, 2010
  2. dougcha

    dougcha Private E-2

    MGTools log attached.
     

    Attached Files:

  3. dougcha

    dougcha Private E-2

    Additional info:

    When combofix started it said that c:\documents and settings\microsoft\application data\cleanmgr.dll was trying to attach itself.

    Combofix also asked me to write down rootkit activity:

    Service: sptd
    File: c:\windows\system32\drivers\sptd.exe

    Moving back to the topic of problems we're still having, when I log into the other user account on this computer (NOT the account I was using when I ran through the RUN AND READ ME FIRST instructions) I get three "Error loading dll" messages:

    windows\system32\ygd5j6irdw.dll
    windows\system32\unzhk7b3.dll
    windows\msescd32.dll

    So it looks like the offending .dlls have been removed, but something is still trying to run them.

    Thanks for any advice you can offer. I appreciate it.

    Doug
     
    Last edited: Nov 17, 2010
  4. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Let's start with this:

    Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    After clicking Fix, exit HJT.

    Now copy just the bold text below to notepad (Do not include any space above the word REGEDIT). Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.
    Make sure that you tell me if you receive a success message about adding the above
    to the registry. If you do not get a success message, it definitely did not work.


    Now use windows explorer to find and delete:
    c:\docume~1\Trish\LOCALS~1\Temp\nvsvc32.exe

    Please download the TDSS Rootkit Removing Tool (TDSSKiller.exe) and save it to your Desktop. <-Important!!!


    Be sure to download TDSSKiller.exe (v2.4.0.0) from Kaspersky's website and not TDSSKiller.zip which appears to be an older version 2.3.2.2 of the tool.

    • Double-click on TDSSKiller.exe to run the tool for known TDSS variants.
      Vista/Windows 7 users right-click and select Run As Administrator.
    • If TDSSKiller does not run, try renaming it.
    • To do this, right-click on TDSSKiller.exe, select Rename and give it a random name with the .com file extension (i.e. 123abc.com). If you do not see the file extension, please refer to How to change the file extension.
    • Click the Start Scan button.
    • Do not use the computer during the scan
    • If the scan completes with nothing found, click Close to exit.
    • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
    • Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
    • A log file named TDSSKiller_version_date_time_log.txt (i.e. TDSSKiller.2.4.0.0_27.07.2010_14.17.05_log.txt) will be created and saved to the root directory ( usually Local Disk C ).
    • Attach this log to your next message



    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:

    * C:\MGlogs.zip

    Make sure you tell me how things are working now!
     
    Last edited: Nov 17, 2010
  5. dougcha

    dougcha Private E-2

    Hi Tim,

    Thanks for the help. I appreciate it.

    First, I should give you more details about the computer setup, in case it becomes relevant. It's running XP Pro SP3 and is kept mostly updated. Two user accounts, both of which are administrators (this will change once the current mess is cleaned up). Last night after I finished all the ReadMe stuff I reinstalled AVG free 2011 because I didn't want to be connected to the internet without it. I've since uninstalled it to run through your steps (because I can never figure out how to turn the #@$$ thing off and make it stay off). Also, out of general paranoia I'm mostly working on this computer with the ethernet cable unplugged, so if there's some step that specifically needs internet access let me know. Also, no software firewall (and this will also change soon).

    So anyway, I ran through your steps:

    When I clicked Fix in HijackThis I got an error message. See attached. Those registry entries still exist and I went ahead with the rest of your suggestions despite this.

    The reg file was successful.

    The file nvsvc32.exe did not exist in that temp folder.

    TDSSkiller.exe found and fixed one malicious object (which I forgot to write down). It also found (and skipped) one suspicious object: Locked file: c:\windows\system32\drivers\sptd.sys.

    I tried a quick internet test (without AVG) and used Firefox to surf to google, then to avg. When Firefox was sitting on AVG's website the status bar was flashing stuff like "downloading from www.nexac.com" so I unplugged the ethernet cable again.

    Thanks for the help so far. I think there's still something fishy going on, but we're definitely making progress.

    Doug
     

    Attached Files:

  6. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Try removing those HJT items again:

    Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    After clicking Fix, exit HJT.

    Now use windows explorer to find and delete:
    C:\Documents and Settings\Trish\Local Settings\temp\7zS9.tmp
    C:\Documents and Settings\Trish\Local Settings\temp\7zSA.tmp

    Please also download MBRCheck to your desktop

    • Double click MBRCheck.exe to run (vista and Win 7 right click and select Run as Administrator)
    • It will show a Black screen with some information that will contain either the below line if no problem is found:
      • Done! Press ENTER to exit...

    • Or you will see more information like below if a problem is found:
      • Found non-standard or infected MBR.
      • Enter 'Y' and hit ENTER for more options, or 'N' to exit:

    • Either way, just choose to exit the program at this point since we want to see only the scan results to begin with.
    • MBRCheck will create a log named similar to MBRCheck_07.16.10_00.32.33.txt which is random based on date and time.
    • Attach this log to your next message.


    Now ( With AVG uninstalled ) re-run ComboFix. Then run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:
    * MBRCheck log.
    * C:\ComboFix.txt
    * C:\MGlogs.zip
     
  7. dougcha

    dougcha Private E-2

    Hi Tim,

    Here are today's results.

    When I ran HiJackThis I got the same errors as before. Four error messages, presumably one for each entry it tried to delete.

    The temp files were located and deleted. Attached is a pic of the temp folder right now.

    MBRCheck.exe, ComboFix, and GetLogs.bat all ran with no issue. Logs are attached. Looks like those hidden autorun entries are still there.

    Doug
     

    Attached Files:

  8. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Yes, the hidden run keys are still being an issue. Let's try combo:

    * Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
    If it is not on your Desktop, the below will not work.
    * Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    * If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
    * Open Notepad and copy/paste the text in the below code box into it (make sure you scroll all the way down in the code box to get all lines selected ):
    Code:
    KILLALL::
    
    File::
    c:\docume~1\Trish\LOCALS~1\Temp\nvsvc32.exe
    
    Registry::
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "4h41Z4HpEhduxyXdtYSJsoO1s4ST4oRQWH7sxxhy9itUOE9VSH81lBJXSBMBAQA7=="=-
    "4h41Z4HpEhduxyXdtYSJsoO1s4ST4oRQWH7sxxhy9itUOE9VSH81lBJXSBMBAQA7=="=-
    
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "4h41Z4HpEhduxyXdtYSJsoO1s4ST4oRQWH7sxxhy9itUOE9VSH81lBJXSBMBAQA7=="=-
    "4h41Z4HpEhduxyXdtYSJsoO1s4ST4oRQWH7sxxhy9itUOE9VSH81lBJXSBMBAQA7=="=-
    
    * Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    * At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    * You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    If it asks you to override the previous file with the same name, click YES.
    * Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    * Follow the prompts.
    * When it finishes, a log will be produced named c:\combofix.txt
    * I will ask for this log below

    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:

    * C:\ComboFix.txt
    * C:\MGlogs.zip

    Make sure you tell me how things are working now!
     
  9. dougcha

    dougcha Private E-2

    Hi Tim,

    Here's where we're at.

    I made the new CFScript, ran ComboFix and GetLogs, and attached are the results. HijackThis log still shows those startup entries, and the TDSSKiller log reports a suspicious locked file. Is this something of concern? There might be other stuff I missed.

    2010/11/17 21:09:06.0796 Suspicious file (NoAccess): C:\WINDOWS\system32\Drivers\sptd.sys. md5: d15da1ba189770d93eea2d7e18f95af9
    2010/11/17 21:09:06.0796 sptd - detected Locked file (1)

    At this point I decided that the thing to do was install a virus scanner and firewall and connect this computer back to the internet to see what happens. So far, after minimal surfing, everything is working fine. I retraced my web steps from my last update and got the same messages on the status bar when sitting at the AVG download site on Cnet.com. Maybe that's just how that website is set up.

    At the same time I created an account called "Boss" on this machine, made it an Administrator, and gave it a password. I demoted the Trish and Marianne accounts to user accounts.

    Then I ran a virus scan using Comodo and it came up with 26 threats. I've attached the log if you're interested.

    Up to this point, the computer has had two user accounts, Trish and Marianne. Both administrators. I believe that Marianne was the account that was logged into when the computer got infected. All the work I've been doing has been from the Trish account. At this point, the Trish account seems to work fine. When I log into the Marianne account I get a message that a couple exes couldn't be found. Looks like something is still pointing to them even though they're no longer there. See attached.

    Also, Comodo is popping up firewall messages that look suspicious to me, like CCC.exe is trying to access the internet and its parent is MOM.exe. Neither of these ring a bell as something legit to me, but I could be wrong.

    I'm not sure if this computer is ready for primetime yet, or if we need to do more cleaning. Let me know your thoughts.

    Doug
     

    Attached Files:

  10. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    The Comodo scan is mostly finding files in the quarantine folders as well as a few false positives.

    Please boot into the other user account ( Marianne ) and then do this:

    Download OTM by Old Timer and save it to your Desktop.


    • Right-click OTM.exe And select " Run as administrator " to run it.
    • Paste the following code under the [​IMG] area. Do not include the word Code.
    Code:
    
    :Reg
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "4h41Z4HpEhduxyXdtYSJsoO1s4ST4oRQWH7sxxhy9itUOE9VSH81lBJXSBMBAQA7=="=-
    "4h41Z4HpEhduxyXdtYSJsoO1s4ST4oRQWH7sxxhy9itUOE9VSH81lBJXSBMBAQA7=="=-
    
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "4h41Z4HpEhduxyXdtYSJsoO1s4ST4oRQWH7sxxhy9itUOE9VSH81lBJXSBMBAQA7=="=-
    "4h41Z4HpEhduxyXdtYSJsoO1s4ST4oRQWH7sxxhy9itUOE9VSH81lBJXSBMBAQA7=="=-
    
    :Commands
    [purity]
    [ResetHosts]
    [createrestorepoint]
    [emptytemp]
    [start explorer]
    [Reboot]

    • Return to OTM, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste.
    • Push the large [​IMG] button.
    • OTM may ask to reboot the machine. Please do so if asked.
    • Copy everything in the Results window (under the green bar), and paste it in your next reply.


    Now navigate to the C:\_OTM\MovedFiles folder ( assuming your Windows drive is C). This is where your log will be saved in the form of Date and Time mmddyyyy_hhmmss.log. Just look for the most recent .log file. Attach this log file to your next message.
     
    Last edited: Nov 21, 2010
  11. dougcha

    dougcha Private E-2

    Hi Tim,

    I ran OTM.exe and it completed seemingly without error, but I still have the three "error loading dll" messages on login to Marianne. Also, I noticed that I still do not have Tools|Options available in Explorer, and also when I try to run Regedit I get a message saying this has been disabled by Administrator. This behavior is only in the Marianne account.

    Attached is the OTM log.

    Doug
     

    Attached Files:

  12. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    It is possible that you are having system errors. Please run MGTools on the Marianne account and attach the log.
     
  13. dougcha

    dougcha Private E-2

    Hi Tim,

    I ran MG Tools on the Marianne account. XP didn't show me a "Run As..." option for MGTools.bat so I unplugged the network cable, turned off Comodo, made Marianne an Administrator, then ran it.

    Lots of errors. About 50 that said "registry editing has been disabled by your administrator" and a similar amount that said "A temp file could not be created." Both are attached, as is the MGTools log.



    Doug
     

    Attached Files:

  14. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Your system is in bad shape. I don't know if we can get you clean, but let's try.

    What is this:
    C:\Documents and Settings\Marianne\Application Data\hotfix.exe?

    Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    After clicking Fix, exit HJT.

    * Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
    If it is not on your Desktop, the below will not work.
    * Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    * If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
    * Open Notepad and copy/paste the text in the below code box into it (make sure you scroll all the way down in the code box to get all lines selected ):
    Code:
    KILLALL::
    
    File::
    C:\WINDOWS\system32\unzhk7b3.dll, SystemServer
    C:\WINDOWS\system32\ygd5j6irdw.dll, SystemServer
    C:\DOCUME~1\Marianne\LOCALS~1\Temp\x5frjwxr9.exe
    C:\DOCUME~1\Marianne\LOCALS~1\Temp\mitvsjh.exe
    C:\DOCUME~1\Marianne\LOCALS~1\Temp\system.exe
    C:\WINDOWS\win.exe
    C:\WINDOWS\user.exe
    C:\DOCUME~1\Marianne\LOCALS~1\Temp\debug.exe
    C:\WINDOWS\login.exe
    C:\WINDOWS\hexdump.exe
    C:\WINDOWS\install.exe
    C:\WINDOWS\wininst.exe
    C:\DOCUME~1\Marianne\LOCALS~1\Temp\lsass.exe
    C:\DOCUME~1\Marianne\LOCALS~1\Temp\avp32.exe
    C:\DOCUME~1\Marianne\LOCALS~1\Temp\setup.exe
    C:\WINDOWS\mdm.exe
    C:\WINDOWS\svchost.exe
    C:\WINDOWS\gdi32.exe
    C:\WINDOWS\lsass.exe
    C:\WINDOWS\iexplarer.exe
    C:\DOCUME~1\Marianne\LOCALS~1\Temp\sysedit.exe
    C:\DOCUME~1\Marianne\LOCALS~1\Temp\gdi32.exe
    C:\DOCUME~1\Marianne\LOCALS~1\Temp\hexdump.exe
    C:\DOCUME~1\Marianne\LOCALS~1\Temp\user.exe
    C:\DOCUME~1\Marianne\LOCALS~1\Temp\mdm.exe
    C:\DOCUME~1\Trish\LOCALS~1\Temp\nvsvc32.exe
    C:\DOCUME~1\Trish\LOCALS~1\Temp\win16.exe
    C:\DOCUME~1\Trish\LOCALS~1\Temp\user.exe
    C:\DOCUME~1\Trish\LOCALS~1\Temp\system.exe
    C:\WINDOWS\avp.exe
    C:\DOCUME~1\Trish\LOCALS~1\Temp\taskmgr.exe
    C:\DOCUME~1\Trish\LOCALS~1\Temp\iexplarer.exe
    C:\DOCUME~1\Trish\LOCALS~1\Temp\setup.exe
    C:\DOCUME~1\Trish\LOCALS~1\Temp\csrss.exe
    C:\DOCUME~1\Trish\LOCALS~1\Temp\hexdump.exe
    C:\DOCUME~1\Trish\LOCALS~1\Temp\sysedit.exe
    C:\WINDOWS\cmd.exe
    C:\DOCUME~1\Trish\LOCALS~1\Temp\login.exe
    C:\WINDOWS\winamp.exe
    C:\WINDOWS\services.exe
    C:\WINDOWS\taskmgr.exe
    C:\WINDOWS\debug.exe
    C:\DOCUME~1\Trish\LOCALS~1\Temp\avp.exe
    C:\DOCUME~1\Trish\LOCALS~1\Temp\win32.exe
    C:\DOCUME~1\Trish\LOCALS~1\Temp\cmd.exe
    C:\DOCUME~1\Trish\LOCALS~1\Temp\spoolsv.exe
    C:\WINDOWS\winlogon.exe
    C:\WINDOWS\drweb.exe
    C:\DOCUME~1\Trish\LOCALS~1\Temp\avp32.exe
    C:\WINDOWS\setup.exe
    C:\DOCUME~1\Trish\LOCALS~1\Temp\mdm.exe
    C:\WINDOWS\avp32.exe
    C:\WINDOWS\smss.exe
    C:\WINDOWS\nvsvc32.exe
    C:\DOCUME~1\Trish\LOCALS~1\Temp\debug.exe
    C:\WINDOWS\spoolsv.exe
    C:\DOCUME~1\Trish\LOCALS~1\Temp\smss.exe
    C:\WINDOWS\win32.exe
    C:\DOCUME~1\Trish\LOCALS~1\Temp\winamp.exe
    C:\WINDOWS\sysedit.exe
    C:\WINDOWS\system.exe
    
    
    * Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    * At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    * You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    If it asks you to override the previous file with the same name, click YES.
    * Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    * Follow the prompts.
    * When it finishes, a log will be produced named c:\combofix.txt
    * I will ask for this log below

    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:

    * C:\ComboFix.txt
    * C:\MGlogs.zip

    Make sure you tell me how things are working now!
     
    Last edited: Nov 22, 2010
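The symptoms traded back and forth in this thread (base64-looking value names under the Run keys, "Error loading dll" at logon because an autorun entry points at a file that has already been removed, and "registry editing has been disabled by your administrator") can all be checked from one read-only audit. The script below is an added example written for this thread, not a tool from MajorGeeks or from any of the posters; it assumes Windows PowerShell on the affected machine, run from an administrator account, and only reports, it never deletes anything.

```powershell
# Added example (not from the thread): audit the HKCU/HKLM Run keys and the
# policy values behind the Regedit / Folder Options lockout. Read-only.
# Assumption: Windows PowerShell running on the machine being examined.

$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
)

# Heuristic for value names like the ones in the CFScript above: a long run of
# base64-style characters ending in "==", rather than a product name.
$randomNamePattern = '^[A-Za-z0-9+/]{32,}={0,2}$'

function Get-ExecutablePath {
    param([string]$CommandLine)
    # Take the quoted path or first token; for a rundll32 wrapper such as
    # "rundll32.exe C:\WINDOWS\system32\unzhk7b3.dll,SystemServer" use the DLL,
    # because that is the file whose absence produces "Error loading dll".
    $cmd = $CommandLine.Trim()
    if ($cmd -match '^"([^"]+)"') { $path = $Matches[1] } else { $path = ($cmd -split '\s+')[0] }
    if ($path -match '(?i)rundll32(\.exe)?$') {
        $rest = $cmd.Substring($cmd.IndexOf($path) + $path.Length).TrimStart('"', ' ')
        $path = ($rest -split ',')[0].Trim('"', ' ')
    }
    return [Environment]::ExpandEnvironmentVariables($path)
}

foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $item = Get-ItemProperty -Path $key
    foreach ($prop in $item.PSObject.Properties) {
        if ($prop.Name -like 'PS*') { continue }      # skip PSPath, PSParentPath, ...
        $name  = $prop.Name
        $value = [string]$prop.Value
        $flags = @()
        if ($name -match $randomNamePattern) { $flags += 'random-looking value name' }
        if ($name -match '[^\x20-\x7E]')     { $flags += 'non-printable characters in value name' }
        $exe = Get-ExecutablePath $value
        if ($exe -and -not (Test-Path -LiteralPath $exe)) { $flags += "target missing: $exe" }
        if ($flags.Count -gt 0) {
            "[SUSPECT] $key\$name = $value  <- $($flags -join '; ')"
        } else {
            "[ok]      $key\$name = $value"
        }
    }
}

# Policy values that produce "Registry editing has been disabled by your
# administrator" and a missing Folder Options menu. A non-zero value means the
# restriction is active; on a home XP box nothing legitimate should set these.
$policies = @(
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System';   Name = 'DisableRegistryTools' },
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name = 'NoFolderOptions' },
    @{ Key = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name = 'NoFolderOptions' }
)
foreach ($p in $policies) {
    $v = $null
    if (Test-Path $p.Key) {
        $v = (Get-ItemProperty -Path $p.Key -ErrorAction SilentlyContinue).($p.Name)
    }
    if ($v) { "[SUSPECT] $($p.Key)\$($p.Name) = $v (restriction active)" }
    else    { "[ok]      $($p.Key)\$($p.Name) not set" }
}
```

Because a rootkit can hide entries from the live registry API (the thread shows HijackThis listing values that Regedit does not), treat a clean result here as one data point and compare it against an offline or rootkit-aware scan such as the TDSSKiller and MBRCheck logs requested above.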
  15. dougcha

    dougcha Private E-2

    Hi Tim,

    I don't know what c:\documents and settings\Marianne\application data\hotfix.exe is. I cannot see this file through windows or DOS. Therefore it seems likely that it's part of the problem.

    HiJackThis ran mostly fine. I got two errors similar to the HijackThis errors that I attached to my message posted on 11-17-10 21:34. Otherwise it appeared to run fine.

    When I tried to run ComboFix it started, then I got the progress bar, then I got an error saying "Installation failed" as soon as the progress bar was complete. No C:\Combofix.txt was created.

    Attached is the newest MGTools log. Again, I got a bunch of errors saying "registry editing disabled by your administrator" and "a temp file could not be created". I think I got more than last time - about 60 of each instead of 50 of each like last time.

    Question: Do these problems only exist in the Marianne account? If so it would not be a large inconvenience to delete this account and create a new one. If it's affecting the whole system (looks like it might be) then I'll have to flatten and reinstall everything. It can be done but I'd obviously rather not, and I'm finding this process somewhat interesting so I'm willing to continue if you are.

    Doug
     

    Attached Files:

  16. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Let's try Avenger.

    Now download The Avenger by Swandog469, and save it to your Desktop.

    * Extract avenger.exe from the Zip file and save it to your desktop

    Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):
    * Run avenger.exe by double-clicking on it.
    * -Do not change any check box options!!
    * Copy everything in the Quote box below, and paste it into the Input script here: part of the window:

    * Now click the Execute button.
    * Click Yes to the prompt to confirm you want to execute.
    * Click Yes to the Reboot now? question that will appear when Avenger finishes running.
    * Your PC should reboot, if not, reboot it yourself.
    * A log file from Avenger will be produced at C:\avenger.txt and it will popup for you to view when you login after reboot.

    Now run Ccleaner to clean out only temp files and nothing else!

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:

    * C:\Avenger.txt
    * C:\MGlogs.zip

    Make sure you tell me how things are working now!
     
  17. dougcha

    dougcha Private E-2

    Hi Tim,

    Not much luck with Avenger. Immediately after starting it gave me two errors then stopped. I tried it again with loading a script from a file instead of pasting it in, with the same results. Both errors are detailed in the log.

    I ran CCleaner choosing only to remove Windows temp files (not IE Temp files) and it said it removed 28 system files.

    MGLogs ran with the same errors as last time, which I suppose is not at all surprising.

    Doug
     

    Attached Files:

  18. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Some of the problems are system wide. That could indicate some registry corruption. It would be a good idea to delete the Marianne account and create a new one. In the meantime, boot back to the other account and get me a new MGLogs so I can see what is corrupt in that account.
     
  19. dougcha

    dougcha Private E-2

    Hi Tim,

    I ran getlogs.bat twice. First with a brand new account I had created called Boss. Then with the Trish account - one of the two that was on the computer when it got infected. In both cases I counted 67 of the "a temp file could not be created or could not be written to" errors like I attached to my post on 11/21/10 15:33.

    Doug
     

    Attached Files:

  20. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Both accounts have the same problem. Neither account will populate the newfiles log. Plus the same items are appearing in each that we have tried to remove before. We are thinking that there is some registry corruption that may be causing this, which may indicate that it would be best to consider doing a clean install.
     
  21. dougcha

    dougcha Private E-2

    Hi Tim,

    Before I reformat and reinstall this machine, is there anything you would like me to do? This website seems to have a great body of knowledge behind it and some dedicated people are putting that knowledge to good use. This problem we've been dealing with seems to be a tough one, and if there is any further research you'd like to do on this problem before I wipe everything clean, please let me know. I could send you files or more scans or whatever.

    In the meantime, while I'm locating all the needed software for the rebuild, I've told the two users to go ahead and use the computer and let me know if they run across any problems.

    One more question: The problems we've seen so far seem to be with the windows system. It seems to me that it should be safe to backup the My Documents folders, pictures, music, desktop files, etc and not have to worry too much about a virus hiding in them. What is your assessment of this?

    Thanks for all the help so far. I really appreciate it.

    Doug
     
  22. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    You are most welcome. Yes, it is an issue within the windows system, so you can back up those files and personal info. Just make sure you scan your backup media before you transfer it all back.
     
