Malware removal request

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by Rob604, Feb 6, 2012.

  1. Rob604

    Rob604 Private E-2

    Hello,

    A few weeks back I got hit with some sort of virus/malware. I was on the website OKCupid.com with the Firefox browser. My cursor scrolled over one of the sidebar ads, at which point my anti-virus kicked in. I'm running Avast.

    Avast informed me that it had blocked a harmful file or connection. However, at the same time, the Windows security center popped up. It was clearly part of the virus, because all of the text was in Cyrillic. I had to force quit the program to get it to go away (clicking on the red X was not working).

    Firefox started opening up a bunch of windows to random sites. I force-quit my way out of the program, got a frozen desktop and soft rebooted. After the reboot, I was unable to run .exe files or connect to the internet. I managed to open Firefox by "opening with" Firefox itself. My internet had been reset to an unknown proxy connection. I set it to auto-detect my network, and managed to get some internet functionality back.

    I googled the problem with the .exe files and downloaded, installed and ran a file called "exefix_xp.com" from http://windowsxp.mvps.org/exefile.htm

    That fixed the .exe problem. I then ran a boot scan with avast and it found and removed three files. I did an ad aware scan and removed several others.

    However, problems persist:

    Google was redirecting to a google mirror site: [link removed] - I've since manually reset the home page in firefox to google.ca

    Google occasionally gave me a page that told me it was detecting an unusual amount of traffic from my IP and that it thought I was a bot. This has not happened since I did the boot scan.

    When I first booted firefox on any session on the laptop, it took foooooorever to load. This continues.

    A lot of sites seem to think I'm somewhere in the former USSR - that is, I get Cyrillic versions of things, like sites that autodetect your region. This continues.

    My download rates are absurdly slow. My downloading seems to occur in bursts, like my bandwidth is being allocated to something else. I assume I've been botted/zombified. This continues.

    I've run the steps in the readme file. The only glitch that I've run into is the final logfile in the mgtools. I can't seem to install .NET Framework. I download the install file, it runs, then it just terminates mid-install with no prompt.

    I've attached all the logs from the various programs to this post. Also, I didn't run the root repeal because I'm using a 64 bit version of Windows.

    It'd be awesome if you could help me figure out what's infected my laptop and how to get rid of it.

    Thank you very much for your help.

    Last edited by a moderator: Feb 6, 2012
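An added check, not part of Rob604's post or of the tools used in this thread, for the two settings behind the symptoms described above: the Windows (WinINET) proxy that the later ProxyFix step resets, and the .exe file association that exefix_xp repaired. The registry paths and the expected `"%1" %*` value are standard Windows; the list of known-good proxy hosts is an assumption (empty by default).

```powershell
# Added example (not from the thread). Reads the settings behind two of the
# symptoms described above and returns a list of findings; an empty list means
# both look normal. Registry paths and expected values are standard Windows.

function Test-ProxyHijack {
    param(
        # Hosts a proxy is allowed to point at (assumption: none by default).
        [string[]]$KnownProxies = @()
    )
    $key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
    $p = Get-ItemProperty -Path $key
    $findings = @()
    if ($p.ProxyEnable -eq 1) {
        $server = [string]$p.ProxyServer
        if ($KnownProxies -notcontains $server) {
            $findings += "Proxy enabled, pointing at '$server' (not in known list)"
        }
    }
    if ($p.AutoConfigURL) {
        # A PAC script URL can silently route all browser traffic elsewhere.
        $findings += "AutoConfigURL set to '$($p.AutoConfigURL)'"
    }
    return $findings
}

function Test-ExeAssociation {
    # A clean system maps .exe -> exefile, and exefile launches "%1" %*
    $findings = @()
    $ext = (Get-ItemProperty -Path 'Registry::HKEY_CLASSES_ROOT\.exe').'(default)'
    if ($ext -ne 'exefile') {
        $findings += ".exe is associated with '$ext' instead of 'exefile'"
    }
    $cmdKey = 'Registry::HKEY_CLASSES_ROOT\exefile\shell\open\command'
    $cmd = (Get-ItemProperty -Path $cmdKey).'(default)'
    if ($cmd -ne '"%1" %*') {
        # Anything else (e.g. a path to another program) means every .exe
        # launch is being routed through that program first.
        $findings += "exefile open command is '$cmd' instead of '`"%1`" %*'"
    }
    return $findings
}

$all = @(Test-ProxyHijack) + @(Test-ExeAssociation)
if ($all.Count -eq 0) { 'Proxy and .exe association look normal.' }
else { $all | ForEach-Object { "FINDING: $_" } }
```

Firefox only honours this Windows proxy setting when it is configured to use the system proxy; its own proxy configuration lives in the profile's prefs.js, so check that separately.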
  2. thisisu

    thisisu Malware Consultant

    Hi and welcome to Major Geeks, Rob604!

    First, please uninstall one of the following antivirus programs:
    • avast! Free Antivirus
    • Ad-Aware
      • Ad-Aware Security Toolbar <-- Uninstall this too if you chose to remove Ad-Aware

    I want you to read and follow these instructions: TDSSKiller - How to run

    Please download MBRCheck by clicking here and save it to your desktop.

    • Double-click on the file to run it. (Vista/7 right-click and select Run as Administrator)
    • A window will open on your desktop.
    • If an unknown bootcode is found you will have further options available to you, at this time press N then press Enter twice.
    • If nothing unusual is found just press Enter.
    • A .txt file named MBRCheck_mm.dd.yy_hh.mm.txt should appear on your desktop.
    • Attach this file to your next message. (How to attach)
     
  3. Rob604

    Rob604 Private E-2

    Thanks for the super fast response!

    Here are the logs:

    Both tests found suspicious objects.

  4. thisisu

    thisisu Malware Consultant

    MBRCheck indicates that you have an unknown MBR (Master Boot Record). Unknown does not necessarily mean infected, but in your case, if you are still experiencing problems, we should restore a clean Windows Vista MBR. Usually this process goes without any problems; however, to be on the safe side, I would recommend that you back up any and all important data from your hard drive before we proceed. Let me know when you have done so and are ready to proceed.

    I would also like you to scan with these in the meantime too:

    Please download aswMBR to your desktop.
    • Double-click aswMBR.exe to run (Vista/7 right-click and select Run as Administrator)
    • Select No when asked "Would you like to download latest Avast! virus definitions?"
    • Click the [Scan] button.
    • On completion of the scan click [Save log], save it to your desktop and attach this log to your next message. (How to attach)

    Please download RogueKiller to your desktop.

    • Double-click RogueKiller.exe to run. (Vista/7 right-click and select Run as Administrator)
    • When it opens, press the Scan button.
    • When it is finished, there will be a log on your desktop called: RKreport[1].txt
    • Attach RKreport[1].txt to your next message. (How to attach)
     
  5. Rob604

    Rob604 Private E-2

    Hey!

    Sorry for the long delay in reply. Work has been insane lately. I'll follow these steps later this week. Some more info if it helps narrow things down:

    While I was running Malwarebytes, my computer was mostly running fine. However, it kept blocking outgoing connections from btdna.exe. I have bittorrent, and I understand that this file is generally ok. However, when Malwarebytes expired last night, I immediately started having internet problems again. Firefox could not find facebook.com, and it took foooooorever to load google.com. It seems to be fine today. Not sure if the two are related, or just random coincidence, but an FYI.

    Thanks again for all the help, and I'll get on this asap.
     
  6. thisisu

    thisisu Malware Consultant

    No problem. Thanks for letting me know.
     
  7. Rob604

    Rob604 Private E-2

    Here are the logs from the two scans

  8. thisisu

    thisisu Malware Consultant

    Open RogueKiller again.

    • Double-click RogueKiller.exe to run. (Vista/7 right-click and select Run as Administrator)
    • When it opens, press the ProxyFix button.
    • When it is finished, there will be a log on your desktop called: RKreport[2].txt
    • Attach RKreport[2].txt to your next message. (How to attach)
     
  9. thisisu

    thisisu Malware Consultant

    If you are still experiencing problems after completing the above, I'd like you to update the following scanners / tools and attach the NEW logs of each:

    Update and scan with each tool in the order shown below:
    1. TDSSKiller
    2. SUPERAntiSpyware
    3. Malwarebytes' Anti-Malware
    4. ComboFix

    Then after you have completed all 4 of the above, complete the below too:

    Now download the latest MGtools.exe to the root of your c: drive.
    • Replace your existing MGtools.exe with this one.
    • Now run this new MGtools.exe by double-clicking it. (Vista/7 right-click and select Run as Administrator)
    • When it is finished, attach c:\MGlogs.zip to your next message. (How to attach)