Malware problem that is kind of fixed?

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by Kaden, Jan 21, 2010.

  1. Kaden

    Kaden Private E-2

    I got some malware - I'm pretty sure that's what it is, anyway. Just to describe what happened at first, I got a couple of popups saying that I had a virus, which then opened a fake menu of Windows Defender encouraging me to go to a link that I assume had more malicious software on it. At this time it also created something in the quick launch tray that made one of those fade-in fade-out popups that described a virus that I didn't take down the name of because I assumed it to be fake. There was a short description of what the virus supposedly did written in kind of bad Engrish. I downloaded Spybot at this point (before consulting this site) and hoped I would be able to run its on-boot feature to clear the malware before it loaded, like I did when I had a similar problem on a different computer. It didn't get that far, because the computer just wouldn't boot up in normal mode.

    I then booted in safe mode and started googling this problem on another computer and found this site. I followed steps one through five without issue (java is still uninstalled.) I am running Vista, so I clicked that link and began to follow the steps there.

    I didn't pay too much attention to what I was supposed to be doing and I ran malwarebytes' anti-malware first. It failed to load, so I tried to run spybot since it was already installed. It also failed to load, so I began reading more closely and tried renaming MBAM with success. I then tried to run two complete scans rather than a quick one, and both failed to complete in safe mode. At this point I just tried the quick scan, which succeeded, and I have attached that log. After running MBAM, I was able to boot my computer into normal mode, but I was still not able to load any anti-malware software without renaming it, so I continued with the other steps.

    Then I went over to SUPERAntiSpyware (note that I did this out of order with what is recommended, if that makes any difference) and followed the instructions for that as-is. As I am writing this, I tried to upload the log file for that (it did find and remove malicious things - exclusively registry keys, if I remember correctly); however, I cannot access it. Both double clicking the log and trying to highlight and select 'view log' do nothing. So, I have excluded it. If there is a solution for this, I can try it and upload the log.

    After running SAS, my computer seemed to be okay. I had heard that the malware can be found in the system restore and bother me later, so I decided to run combofix and MGTools in order to upload the logs here to make sure everything is okay. After running both, though, my computer will now freeze every few seconds for a few seconds, leading me to believe there is still something wrong.

    The only other thing to note is that when I had to reboot my computer at various times throughout this process, windows defender identified the trojan 'Win32/Alureon.BT' twice, and then it didn't show up on the third reboot. My windows defender history shows it was quarantined, however, when I access the quarantine manually to remove it, there is nothing there.

    I apologize for the length of the post - I just wanted to be very thorough. I don't believe I have left anything out other than the SAS log, but please let me know if I have.
     

    Attached Files:

  2. Kaden

    Kaden Private E-2

    After restarting my system, I was able to access the SAS log. I am also no longer experiencing the periodic freezes, but I am not stressing my computer very hard.

    I have NOT messed with any DNS settings, as is apparently potentially necessary with this type of trojan, and I have NOT toggled the system restore, since I am kind of a wimp and am scared to do it without making sure it's necessary.
     

    Attached Files:

  3. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    No, that will be done during final steps, but not before as any restore point is better than none.

    1. You need to tidy up your C Drive, it's in a terrible mess with all kinds of files scattered about which belong in my documents or some other place ideally.

    2. Now we need to use ComboFix
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    • If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
    • Open Notepad and copy/paste the text in the below quote box. Ensure you scroll down to select ALL the lines:
    Code:
    
    KILLALL::
    
    Fcopy::
    C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_cc18792d\atapi.sys | C:\Windows\System32\drivers\atapi.sys
    
    DirLook::
    C:\yay problems
    C:\blahblahblah
    
    File::
    c:\programdata\h8srtkrl32mainweq.dll
    C:\ProgramData\sysReserve.ini
    
    Folder::
    c:\program files\Viewpoint
    
    Registry::
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5C255C8A-E604-49b4-9D64-90988571CECB}]
    
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe


    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below

    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.


    3. Go to TDSSKiller and Download TDSSKiller.zip to your Desktop
    • Extract its contents to your Desktop so that you have TDSSKiller.exe directly on your Desktop and not in any subfolder of the Desktop.
    • Click Start > Run and copy/paste the following bold command into Run box and hit Enter.
    "%userprofile%\Desktop\TDSSKiller.exe" -v

    • Follow the instructions to type in "delete" when it asks you what to do when it finds something.
    • When done, a log file should be created on your C: drive named something like TDSSKiller.2.1.1_27.12.2009_14.17.04_log.txt which is based on the program version # and date and time run. Please attach this log to your next reply.

    4. Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this, and also attach the logs from ComboFix and TDSSKiller.

    5. Let us know of any problems you may have encountered with the above instructions and also let me know how things are running now!
     
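As an added sanity check (example code, not part of the thread or the MajorGeeks procedure): the Fcopy line in the CFScript above replaces the live atapi.sys with the copy Windows keeps in the DriverStore, which is what you do when the live driver has been tampered with. The script below compares the live file's SHA-256 with every atapi.sys under FileRepository and prints its Authenticode status. It assumes PowerShell 2.0 or later on Vista/7; the folder name in the post (mshdc.inf_cc18792d) is specific to that machine, so it is not hard-coded.

```powershell
# Added example, not part of the thread: compare the live atapi.sys with the
# DriverStore copies that the CFScript's Fcopy line restores from.
# Assumptions: PowerShell 2.0+, run from an elevated prompt.

$live = Join-Path $env:SystemRoot 'System32\drivers\atapi.sys'
$repo = Join-Path $env:SystemRoot 'System32\DriverStore\FileRepository'

function Get-Sha256Hex {
    param([string]$Path)
    # Get-FileHash only exists in PowerShell 4+, so hash with .NET directly.
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try { ([System.BitConverter]::ToString($sha.ComputeHash($stream))) -replace '-', '' }
    finally { $stream.Close() }
}

if (-not (Test-Path $live)) { throw "Live driver not found: $live" }

$liveHash = Get-Sha256Hex -Path $live
$liveInfo = Get-Item $live
"Live    {0}  {1,8} bytes  {2}" -f $liveInfo.FullName, $liveInfo.Length, $liveHash

# Embedded Authenticode check. Many Windows system files are catalog-signed
# rather than embedded-signed, so 'NotSigned' on its own is not proof of
# tampering; a mismatch against every DriverStore copy is the stronger signal.
$sig = Get-AuthenticodeSignature -FilePath $live
"Signature status: {0}  signer: {1}" -f $sig.Status, $sig.SignerCertificate.Subject

$copies = Get-ChildItem -Path $repo -Filter 'atapi.sys' -Recurse -ErrorAction SilentlyContinue
$matched = $false
foreach ($copy in $copies) {
    $h = Get-Sha256Hex -Path $copy.FullName
    $state = if ($h -eq $liveHash) { $matched = $true; 'MATCH' } else { 'differs' }
    "Store   {0}  {1,8} bytes  {2}  {3}" -f $copy.FullName, $copy.Length, $h, $state
}
if (-not $matched) {
    Write-Warning 'Live atapi.sys matches no DriverStore copy; treat it as suspect and verify from a clean boot.'
}
```

Two caveats. A kernel-mode rootkit can hide its own changes from code running on the infected system, so a clean result here is a sanity check, not proof; the reliable comparison is done from a boot disc or another OS with the drive mounted. And `sfc /verifyfile=C:\Windows\System32\drivers\atapi.sys` (Vista and later) does the catalog-based integrity check that this script only approximates.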
  4. Kaden

    Kaden Private E-2

    Let me just preface by reiterating that the computer has been running fine since I did the readme walkthrough, but I've never had malware so malicious that it prevents a bootup, so I came here just to be very sure I was thorough in removing it. I'm sorry if that makes this a waste of time :(

    I cleaned up all the loose files in the C drive. I was going to put them and the other folders in a new partition, but decided to do that later in case that just causes more problems - so I tried to put them into My Documents... only to discover that 'access is denied' to My Documents. I tried to right-click and set security permissions to allow me to access it, but upon trying to apply the settings I got the same error. I am not really sure what is going on there, so I just left the folders as they are for now.

    I attached the logs you requested.
     

    Attached Files:

  5. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Right click the "Documents" folder and choose "properties" from the drop down menu. Click on the "security" tab and tell me what you see.
     
  6. Kaden

    Kaden Private E-2

    I figured out why I couldn't access it. Under the Security tab in 'Advanced' under Permissions, there was a line that Denied access to that folder for some reason. I removed it, and now I can access it again.
     
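The 'access is denied' on Documents in the posts above came down to an explicit Deny entry under Advanced permissions. The following is an added example (not from the thread) that lists explicit, non-inherited Deny ACEs on the common profile folders so they can be found without clicking through each folder's Security tab, and removes them only when run with -Remove. It assumes PowerShell 2.0 or later and an elevated prompt; the folder list is an assumption and can be extended.

```powershell
# Added example, not part of the thread: find (and optionally strip) explicit
# Deny ACEs on the current user's profile folders, the cause of the
# 'access is denied' on Documents in post 4/6.
# Assumptions: PowerShell 2.0+, elevated prompt, folder names are the defaults.
param([switch]$Remove)

$folders = @('Documents', 'Desktop', 'Downloads', 'Pictures', 'Music', 'Videos') |
    ForEach-Object { Join-Path $env:USERPROFILE $_ } |
    Where-Object { Test-Path $_ }

$found = 0
foreach ($folder in $folders) {
    $acl = Get-Acl -Path $folder
    # Only explicit entries: an inherited Deny has to be fixed at its source.
    $denies = @($acl.Access | Where-Object {
        $_.AccessControlType -eq 'Deny' -and -not $_.IsInherited
    })
    if ($denies.Count -eq 0) { continue }

    foreach ($ace in $denies) {
        $found++
        "{0}: DENY {1} -> {2}" -f $folder, $ace.IdentityReference, $ace.FileSystemRights
        if ($Remove) { [void]$acl.RemoveAccessRule($ace) }
    }
    if ($Remove) {
        Set-Acl -Path $folder -AclObject $acl
        "{0}: removed {1} Deny entr(y/ies)" -f $folder, $denies.Count
    }
}
if ($found -eq 0) { 'No explicit Deny entries found on the checked folders.' }
```

Run it once without -Remove to see what is there; a Deny that names your own account or Everyone on a folder you created is the kind of entry post 6 describes, while a Deny scoped to a service or a different user may be intentional and is worth leaving alone.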
  7. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    And is everything now running okay? Windows Defender is not detecting anything else, and your PC is no longer freezing every few seconds?
     
  8. Kaden

    Kaden Private E-2

    Yeah, everything works fine now. As long as everything looks okay in the logs as far as you can see, then I think we're okay!

    I appreciate it!
     
  9. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Just do this:

    Use windows explorer to locate and delete the following bold temp file:

    Let me know if you are unsuccessful in deletion and we'll go another route. :)

    If it deletes away without problem, then please follow the below final steps.

    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources ( except a little disk space ) until you run a scan.
    2. If we used Pocket Killbox during your cleanup, do the below
      • Run Pocket Killbox and select File, Cleanup, Delete All Backups
    3. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /uninstall
        • Notes: The space between the combofix" and the /uninstall, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
    4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    7. Go to add/remove programs and uninstall HijackThis.
    8. Goto the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    9. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures pointed to by step 6 of the READ ME for your Window version and see the instructions to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    10. After doing the above, you should work thru the below link:
     
