Malware removal steps complete, still have problems

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by pazzoduc, Aug 7, 2011.

  1. pazzoduc

    pazzoduc Private E-2

    no threats found ARRRGGGGGG !!!!!

    I thought you had it that time.... :cry
     


  2. thisisu

    thisisu Malware Consultant

    Are all of those detections Tracking Cookies?
     
  3. pazzoduc

    pazzoduc Private E-2

    yes they are, all of them.
     
  4. pazzoduc

    pazzoduc Private E-2

    Did some reading about popureb.E
    Seems very likely despite the Hitman scan.
     
  5. thisisu

    thisisu Malware Consultant

    I would like you to get me some new logs :)

    • Please re-run ComboFix.exe from your desktop, allow it to update if requested. Attach its latest log here.
    • Then run C:\MGtools\GetLogs.bat and attach MGlogs.zip when it is finished.
     
  6. pazzoduc

    pazzoduc Private E-2

    I ran combofix a few times. In earlier posts you said not to worry about turning off protection etc at this time, and I ran the program. (It was very late). This was done in safe mode as a normal boot would not allow any programs to run at all. Log attached

    This AM I realized that couldn't be right and I turned off protection (MS Security Essentials), disabled UAC, unemulated with Defogger, and then ran combo fix. This time the normal boot worked, and these steps were done in normal mode. Log attached

    Then I realized I had missed Malwarebytes and turned it off. Re-ran combo fix, log attached.

    Then ran MGtools get logs. Log attached.
     


  7. pazzoduc

    pazzoduc Private E-2

    I have also just noticed the google chrome notice bar across the top of the screen says "This site is attempting to download multiple files" The only site opened has been major geeks. And the only site currently open is majorgeeks.

    ??
     
  8. thisisu

    thisisu Malware Consultant

    I'm not finding any malware in your logs. The only thing that concerns me is the MBRCheck log.

    Can you do this please?

    How is the PC running when you are in Normal Mode? Please be specific with any problems.
     
  9. pazzoduc

    pazzoduc Private E-2

    Seems to be running fine, but I have only run google chrome and opened the MG site. And since I ran the logs, I have not shut down and rebooted.

    I have been using my old laptop while this is getting worked out. And now it is acting up as well! The only common thing between the two computers is my flash drive to access XL files, PDF's, word files and pictures. Plus... one other thing. The kids have played Disney Toontown on both. And it is a program that must be downloaded from the internet (Disney Site). My desktop doesn't get any other games played, no porn sites, and I have Web of Trust for general research/surfing.

    This is what I have noticed so far:
    This AM spybot listed around 30 tracking cookies, all I have been to is the majorgeeks site. And I did click one majorgeeks link that took me to a florida news site (way off base). I was surfing MG to see if I could find a way to donate to the site, when I got distracted.... :-o

    Yesterday, after running the logs, when I opened google chrome, an amber colored bar at the top of the screen warned me "This site is attempting to download multiple files. Proceed?" I have not seen that before. I clicked through to this page and it went away.

    During this whole process, at one point the computer seemed to be working fine (like it is now). Then you asked me to download one of the programs to my desktop and run it. Google Chrome does not allow you to save to a specific location. It automatically downloads to "Downloads" in the user files. To avoid this, I opened Internet Explorer. Immediately I got the Security Alert box pop up that states "You are about to view pages over a secure connection. No one will be able to see..." Then, everything froze up. Then, when I would reboot, the desktop icons first appear as white squares, not all at once, and they slowly fill with color designs. Randomly some don't change at all and remain white. The programs that run in startup do not always run, or they start and freeze up. But it is somewhat random, and they don't always freeze, or freeze at the same point. Sometimes they do not load at all.

    When the computer does start successfully in normal mode, programs sometimes work and sometimes don't. Clicking a desktop icon or start bar icon will freeze everything up. Sometimes when this happens the screen changes to a washed out or greyed out image. But even this is inconsistent. Sometimes it is only the startmenu that goes grey. When this first started, once or twice the screen went black. Taskmanager will not open either, to see what is freezing.

    Running the disinfection process, and getting the logs does seem to cure most of the problems. Or, at least the symptoms of the root problem are eliminated. But I think something is still there.

    After the bios was changed to boot from CD, I noticed the first text line that appeared "CD Boot priority" counts through a couple of numbers, 32 and 34. Now when I reboot, there are five or six numbers in the upper twenties and lower thirties.

    I'll be back in an hour or two to make the boot video.
     
  10. pazzoduc

    pazzoduc Private E-2

    Sorry for the delay.
    Here is the video booting from the CD, and the new MBRcheck log.

    I know there is still an infection. When I boot normally, I am getting the security warning. Pic attached. If I close the box, a few seconds later it pops up again.

    Video
     


  11. pazzoduc

    pazzoduc Private E-2

    The security warning pic upload fails every time.

    Let me know if you want to see it, I'll take another one.
     
  12. thisisu

    thisisu Malware Consultant

    Not able to review your video at the moment (still at work)
    Please try to reattach the pic. You can use imageshack.us to upload for free (doesn't require registration). And then just post the link here.

    I also want you to try the below:

    Please download McAfee Fake Alert Stinger to your desktop.
    See the download links under this icon: [​IMG]

    Double-click stinger.exe to run (Vista and Win7 right-mouse click and select Run as Administrator)

    [​IMG]
    Stinger opens
    Note: Double-check that your C: drive is in the Directories to scan: area.

    [​IMG]
    Click the Scan Now button

    When the scan is complete, at the top of the Stinger window..
    go to File > Save report to file
    stinger.txt will be created on your desktop
    Attach stinger.txt to your next message. (How to attach items to your post)

    Please download aswMBR by Avast to your desktop.

    • Double-click aswMBR.exe to run it (Vista and Win7 right-click and select Run as Administrator)
    • Select No when asked Would you like to download latest Avast! virus definitions?
    • Click the [Scan] button.
      Note: This scan should only take a few seconds to complete.
    • On completion of the scan click [Save log], save it to your desktop and attach this log to your next message. (How to attach items to your post)
     
    Last edited: Aug 22, 2011
  13. pazzoduc

    pazzoduc Private E-2

    Here is the pic

    Too bad about the video, it is a very high quality production featuring yours truly in the screen reflection!
     


  14. pazzoduc

    pazzoduc Private E-2

    Logs attached
     


  15. thisisu

    thisisu Malware Consultant

    This security warning is legitimate. It's a part of Internet Explorer by Microsoft.

    Place a check-mark in "In the future, do not show this warning." and then press OK.

    You won't see this warning again ;)
     
  16. pazzoduc

    pazzoduc Private E-2

    ?? I get this even when IE is not used. It happens at start-up as well.

    Does it possibly mean some program is trying to access a network connection?

    Any enlightening info in the logs?
     
    Last edited by a moderator: Aug 22, 2011
  17. thisisu

    thisisu Malware Consultant

    Did you run aswMBR as Administrator? (Right mouse click and select Run as Administrator)

    Please do so now and attach the newer log.
     
  18. thisisu

    thisisu Malware Consultant

    I just watched your video, you did it right. This is getting strange... Any other problems besides the Windows Security Alert message? It pops up as soon as you power on the PC? Does it still pop-up after you place a checkmark in "In the future, do not show this warning"?
     
  19. pazzoduc

    pazzoduc Private E-2

    All I have done with the security box is close it. And moments later it will reappear. The box appears at start-up. Before the start-up programs have finished loading. This is without any browser open.

    It also appears when I open a browser as well. In either case open browser or not, the box appears every few moments unless I don't close it. Randomly, when I click through to a new page the box opens, and doesn't open sometimes.

    It is also appearing now beneath the open pages. I don't know it is there until I close or minimize open pages. Which is strange because this AM, it appeared on top of Google Chrome with each new page opened or click through and the page would not respond until the box was closed.

    Second aswMBR log attached. Both this one and the previous were both run as admin.
     


  20. pazzoduc

    pazzoduc Private E-2

    No other issues at this moment.... But I have not done much on this CPU. I have been using my old laptop for most of the work.

    If I do have popureb.E, then the measures we have taken so far would not be effective, correct? And nothing will show on the logs either, correct? When using fixMBR, the virus changes the write code in fixmbr to read. So nothing is changed. How do you get around that and kill this thing?
     
  21. thisisu

    thisisu Malware Consultant

    Another question about when you ran aswMBR, were you in Normal Mode or Safe Mode when you ran it? The log it is producing does not appear to be standard. If you were in Safe Mode, please only run it when you are in Normal Mode

    That is what some at Microsoft are saying. Hitman Pro claims they have been able to fix this since 126 beta release. Stinger also claims to have a way to fix it.
     
    Last edited: Aug 22, 2011
  22. pazzoduc

    pazzoduc Private E-2

    All of the latest logs have been in normal mode.
     
  23. pazzoduc

    pazzoduc Private E-2

    Researching the popureb virus, Microsoft claims MS Security Essentials latest updates will solve the issue. I am downloading and running.

    http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Trojan:Win32/Popureb.E

    I have also queried the computer for some of the files listed in the article. They don't show up, but may have a way to hide. Perhaps, only part of a virus is left.

    What are the chances that anti viral/malware companies are the ones releasing the viruses?
    Mac users claim they are safe from all but few issues, what are the chances Apple is releasing the viruses?
    Inquiring minds want to know, haha.
     
    Last edited: Aug 23, 2011
  24. pazzoduc

    pazzoduc Private E-2

    MS Security Essentials found 18 Java related issues. No log is available in MSSE. I typed the following and checked for typos, but ya never know. If something looks incorrect let me know.
    Previously
    All items were quarantined.
    Exploit:Java/CVE-2009-3867.BP
    Exploit:Java/CVE-2009-3867.HC
    Exploit:Java/CVE-2009-3867.EZ
    Exploit:Java/CVE-2008-5353.DX
    Exploit:Java/CVE-2008-5353.BH
    Exploit:Java/CVE-2008-5353.TC
    Exploit:Java/CVE-2008-5353.VW
    Exploit:Java/CVE-2008-5353.TD
    Exploit:Java/CVE-2008-5353.HN
    Exploit:Java/CVE-2008-5353.DB
    Exploit:Java/CVE-2008-5353.KE
    Exploit:Java/CVE-2010-0094.BQ
    Exploit:Java/CVE-2010-0094.BL
    Trojan:Java/Bytverify
    TrojanDownloader:Java/OpenConnection.EG
    TrojanDownloader:Java/OpenConnection.G
    Trojan:Java/Mesdeh
    TrojanDownloader:Java/Rexec.B
     
    Last edited: Aug 23, 2011
  25. pazzoduc

    pazzoduc Private E-2

    Previously in this thread, I uninstalled Java, ran all of the anti malware programs and when I believed the computer was clean, reinstalled the latest version. The infectious files were obtained sometime during the last few days.
     
  26. thisisu

    thisisu Malware Consultant

    I am seeking advice on this. Thanks for your continued patience.
     
  27. thisisu

    thisisu Malware Consultant

    Last edited: Aug 23, 2011
  28. pazzoduc

    pazzoduc Private E-2

    I attempted to attach the GMER log. It is 0 bytes, and there was no indication of malware found. I suspect the forum system won't upload an empty file. So I have not been able to attach it. Let me know if there is another way.

    Antipopureb says Warning: Unsupported Operation System, so I did not run it. (Vista 64). However, it did generate a log, so I attached it.

    Awaiting further instructions.

    Also, as serious as this seems, I purchased an external hard drive with auto backup capabilities and ran the backup before executing the GMER and Antipopureb files. Curious if this problem propagates to the backup?

    Back to the security pop-up warning. As long as I am running Chrome, the warning stays in the background. When I use IE, the box appears with each page and must be closed to continue. It appears it is not as random as I thought. But I still have not checked the don't see it anymore option box just in case.
     


  29. thisisu

    thisisu Malware Consultant

    Yes, I am unsure if it's actually supported with a 64-bit OS.
    I pressed y (scan anyways) on my Win7 x64 PC and got the following:
    [​IMG]

    Was reading the following: http://download.techworld.com/3249611/webroot-antipopureb-01/
    Which indicates that it is supported. Would you be willing to try it?

    Also can you retry GMER?

    Now please download and run Win32kDiag per the below instructions:
    • Download this Win32kDiag and save to C:\Win32kDiag.exe. You must save it here!!!!
    • Click on Start->Run, and copy-paste the following command (the bolded text) into the "Open" box, and click OK. When it's finished, there will be a log called Win32kDiag.txt on your desktop. Please attach this log
    C:\win32kdiag.exe -f -r


    Now we need to scan the system with this special tool.
    • Please download Junction.zip and save it to your root folder (C:\Junction.zip)
    • Unzip it and put junction.exe in the root folder (C:\junction.exe)
    • Now click Start => Run... => Copy and paste the following command in the run box and click OK:
      cmd /c junction -s c:\ >C:\log.txt
    • A command prompt window opens and also a license agreement from SysInternals will appear.
    • Accept the license agreement and the scan will begin.
    • Wait until a log file opens. Attach this C:\log.txt when it finishes (the command prompt window will close when it finishes).
    • NOTE: It scans your whole hard disk so if can take a long time. Be patient and don't do anything else while it is scanning.
    Now download the current version of MGtools and save it to your root folder. Overwrite your previous MGtools.exe file with this one.

    Run MGtools.exe ( Note: If using Vista or Win7, make sure UAC is still disabled. Also don't double click on it, use right click and select Run As Administrator )

    Then attach the following logs from Win32kDiag, junction, GMER, and MGlogs.zip
     
    Last edited: Aug 25, 2011
  30. pazzoduc

    pazzoduc Private E-2

    Antipopureb ran, results looked just like your screen shot. Log attached.

    GMER re-ran, same results, 0 bytes, log not attaching.

    Win32diag ran, log attached.

    Stuck at the Junction. Vista doesn't have the click/start/run start menu choices. So I opened a command prompt: c:\users\kirk> and pasted the command. The EULA popped up along with a command prompt window. But when I accepted the EULA, both windows closed and nothing happened. I did a little research to find out how to open just c:\ then pasted the command again, pressed enter and nothing happened.

    Stopped here, waiting on instruction.

    The change I have noticed so far: the security warning box is no longer opening on its own. It does not open at all with Chrome and only opens at each new page when using IE. This change appears to be the result of the Antipopureb program.
     


  31. thisisu

    thisisu Malware Consultant

    Next time you see that Security Warning message, put a check-mark in "In the future, do not show this warning." and then press OK.

    Do you have any blank DVD-R discs?

    Re-run MBRCheck, attach its latest log.

    Now download the current version of MGtools and save it to your root folder. Overwrite your previous MGtools.exe file with this one.

    Run MGtools.exe ( Note: If using Vista or Win7, make sure UAC is still disabled. Also don't double click on it, use right click and select Run As Administrator )

    Tell me what malware problems you are still experiencing!
     
  32. pazzoduc

    pazzoduc Private E-2

    Logs attached.
     


  33. pazzoduc

    pazzoduc Private E-2

    Only problems seem to be a slow start. And the computer seems to be accessing something, I can hear the HD working, even when Idle.

    But much improved from the starting point.
     
  34. thisisu

    thisisu Malware Consultant

    You did not answer the following:
     
  35. pazzoduc

    pazzoduc Private E-2

    sorry, yes I have plenty.
     
  36. thisisu

    thisisu Malware Consultant

    I would like you to try to perform the bootrec /fixmbr command using this newly created DVD:

    Download Windows Vista 64-Bit (x64) Recovery Disc

    Burn this DVD on a non-infected computer. You can use software such as ImgBurn to create the DVD.

    After you have performed the bootrec /fixmbr command from the recovery console using THIS DVD (you will have to boot from it!)

    Re-run MBRCheck and attach its latest log.
     
  37. pazzoduc

    pazzoduc Private E-2

    OK, is it safe to run the MBRcheck program on any computer to see if it is infected? I think my laptop may be as well....
     
  38. thisisu

    thisisu Malware Consultant

    Running MBRCheck alone will only tell you if the MBR is infected. You can run it on your laptop. I would get to a computer that doesn't have any infections on it to burn the DVD.
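    As an added illustration of what a boot-sector check like the one discussed above actually looks at, here is a small Python example (written for this thread, not MBRCheck's own code) that parses a raw 512-byte MBR, decodes the partition table, and compares a hash of the boot code against a known-good baseline. The sample sector bytes and the baseline hash are constructed for the example; the name `check_mbr` and the findings strings are hypothetical, not anything MBRCheck produces.

```python
"""Parse a raw MBR sector and compare its boot code against a known-good baseline.

Hypothetical example: the sample MBR bytes below are constructed, and the
"known-good" hash set is just the hash of that constructed boot code.
"""
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 440        # boot code occupies bytes 0..439
DISK_SIG_OFF = 440         # 4-byte disk signature at 440..443
PART_TABLE_OFF = 446       # four 16-byte partition entries at 446..509
PART_ENTRY_LEN = 16
BOOT_SIG = b"\x55\xaa"     # bytes 510..511


def parse_partition_entry(raw):
    """Decode one 16-byte partition table entry (CHS fields are skipped)."""
    boot_flag, ptype, lba_start, sectors = struct.unpack("<B3xB3xII", raw)
    return {
        "bootable": boot_flag == 0x80,
        "type": ptype,
        "lba_start": lba_start,
        "sectors": sectors,
    }


def parse_mbr(sector):
    """Return the signature check, boot-code hash, disk signature and used partitions."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    entries = []
    for i in range(4):
        start = PART_TABLE_OFF + i * PART_ENTRY_LEN
        entries.append(parse_partition_entry(sector[start:start + PART_ENTRY_LEN]))
    return {
        "valid_signature": sector[510:512] == BOOT_SIG,
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
        "disk_signature": struct.unpack("<I", sector[DISK_SIG_OFF:DISK_SIG_OFF + 4])[0],
        "partitions": [e for e in entries if e["type"] != 0],
    }


def check_mbr(sector, known_good_hashes):
    """Return a list of findings; an empty list means nothing looked off."""
    info = parse_mbr(sector)
    findings = []
    if not info["valid_signature"]:
        findings.append("missing 0x55AA boot signature")
    if info["boot_code_sha256"] not in known_good_hashes:
        findings.append("boot code does not match any known-good baseline")
    if sum(1 for p in info["partitions"] if p["bootable"]) > 1:
        findings.append("more than one partition flagged active")
    return findings


def build_sample_mbr(boot_code):
    """Assemble a constructed MBR with the given boot code and one active partition."""
    sector = bytearray(SECTOR_SIZE)
    sector[:len(boot_code)] = boot_code
    sector[DISK_SIG_OFF:DISK_SIG_OFF + 4] = struct.pack("<I", 0xDEADBEEF)  # constructed disk signature
    # one active entry, type 0x07, starting at LBA 2048, 1,000,000 sectors long
    sector[PART_TABLE_OFF:PART_TABLE_OFF + PART_ENTRY_LEN] = struct.pack(
        "<B3xB3xII", 0x80, 0x07, 2048, 1_000_000)
    sector[510:512] = BOOT_SIG
    return bytes(sector)


# Constructed stand-in for a clean boot loader: a few plausible setup bytes padded with NOPs.
CLEAN_BOOT_CODE = b"\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * 433
KNOWN_GOOD = {hashlib.sha256(CLEAN_BOOT_CODE).hexdigest()}

if __name__ == "__main__":
    clean = build_sample_mbr(CLEAN_BOOT_CODE)
    print("clean sector findings:", check_mbr(clean, KNOWN_GOOD))
    # Same sector with its first two boot-code bytes altered, as a tampered example.
    altered = build_sample_mbr(b"\xeb\xfe" + CLEAN_BOOT_CODE[2:])
    print("altered sector findings:", check_mbr(altered, KNOWN_GOOD))
```

    The caveat the thread itself raises applies here: a check like this is only as trustworthy as the read path that fetched the sector. If a rootkit filters disk I/O from inside the running system, a user-mode read can be handed a clean-looking copy, which is why the consultant keeps steering toward reading and repairing the MBR from separately booted, known-clean media rather than from within the suspect installation.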
     
  39. pazzoduc

    pazzoduc Private E-2

    Have not yet had access to a clean computer to do the CD burning. Hopefully today.

    But until I can do that, I have a question.

    Malware bytes is blocking something on an outgoing port. Occasionally it pops up the following:

    Port 58750 Outgoing connection attempt blocked. IP-BLOCK 89.28.42.234 (Type: outgoing, Port: 58750, Process: skype.exe)

    Is this just Skype? Or is Skype a security risk?
     
  40. pazzoduc

    pazzoduc Private E-2

  41. pazzoduc

    pazzoduc Private E-2

    Sorry for the delay, it took a while to get to a computer that was virus free and had an unzip utility already loaded to make sure it stayed virus free.

    I created the disc and booted from the disc. There is a screen flash for a moment that asks to choose the Op Sys to start; Windows Vista 64 is the only option. This screen is black with white text. I can just read it, very fast screen flash.

    Below toward the bottom of the screen is an option to test the memory or something like that. The screen does not appear long enough for me to read it or take a pic.

    The computer boots to normal mode without going to the System Recovery options. So, stuck at this point.

    I have triple checked the bios boot settings and I get the CD boot message. But no option to touch any key to boot from CD. Two options occur at the Dell splash screen. F2 and F12. F12 takes me to a boot option where I get to choose the drive to boot from. Choose CD drive and hit enter, boots to normal mode.

    Also of note: I am getting pop-ups when connecting to the internet via chrome. They are somewhat random, but still getting them. They are ALWAYS rated red by web of trust.

    Bootup is better since the last bootrec fix attempt. All the programs load, although not in the same order as before, but they don't stick either, and so far no screen fades and freezes.

    Waiting on instruction.
     
  42. thisisu

    thisisu Malware Consultant

    No problem.

    Sounds like normal startup to me with a timeout around ~3 seconds. (unless this was customized)

    Sounds like Dell Memory Diagnostics, we don't want this. Tip: You can press the Pause/Break key on the keyboard to freeze bootup. Then Esc to continue bootup. This way you could get a screenshot if you wanted to.

    Not good, we really need to boot off this newly created DVD.

    Sounds like it is not detecting that there is a DVD in the tray. Since you were able to boot off the Dell DVD to bootrec /fixmbr, this makes me think that something is wrong with that particular DVD. I would keep trying, how many times have you tried?

    Can you hear the DVD-Rom at least attempting to read the DVD when this happens? How long before it finally decides to go to Normal Mode.

    Which websites are you going to to make Web of Trust appear?
     
  43. pazzoduc

    pazzoduc Private E-2

    One of the boot attempts, while trying to get the screen to freeze, Memory Diagnostics ran. I just let it run; when I came back a bit later, normal boot had occurred after the memory diagnostics.

    The CD/DVD is definitely being accessed. But I think the file on the disc may be suspect. File name is Windows Vista x64 Recovery Disc.iso That does not sound right to me... Haha. WTHDIK.

    I can hear the CD drive spin up and start/stop as it is accessed. Normal.

    I have tried 8-10 times. Normal boot every time but the once I ran Memory Diagnostics while hitting random keys to try to freeze the screen.

    I checked the chrome history and revisited the websites that my wife was on this AM. I could not recreate the WOT pop-ups. Although they are in the history. I can give some to you if you like, but I don't really want post viewers to click.
     
  44. thisisu

    thisisu Malware Consultant

    Which software did you use to burn the DVD?
    Because it sounds like you burned it as a DATA disc, and not as an IMAGE.

    Using ImgBurn as I recommended in post #86 would have recognized this .iso file and would have given you all the configuration to burn it as an IMAGE by default.

    Try reburning this DVD (as an image this time using Imgburn) on your infected computer and let's see if that works.
     
  45. pazzoduc

    pazzoduc Private E-2

    I will do it again, although the file properties say: Image File
     
  46. thisisu

    thisisu Malware Consultant

    Here's some directions on how to burn it as an Image as well.

    You can use ImgBurn
    See the download links under this icon: [​IMG]

    Install ImgBurn by double-clicking SetupImgBurn_2.5.5.0.exe
    Don't install the Ask toolbar that tries to install itself by default. (uncheck all of their boxes)

    • Now right-click the Windows Vista x64 Recovery Disc.iso you downloaded earlier and select Burn using ImgBurn.
    • ImgBurn will open up
    • Insert a blank DVD-R into your DVD-Rom tray.
    • Click the Write button.

    When finished, attempt to boot off this DVD.
     
  47. pazzoduc

    pazzoduc Private E-2

    Hi Thisisu

    Over the past few months the problems on this thread have resurfaced a few times. Generally running through all of the steps cured, or at least I thought they had cured, the problem. But now they are back with a vengeance. Worse than anything before.

    I am thinking about just scrapping the computer and getting something else. But before I do, I am wondering if upgrading from Vista 64 to Windows 7 will kill off what ever I have and give a fresh start?

    Getting very tired of all this....
     
  48. pazzoduc

    pazzoduc Private E-2

    Further internet research looks as though a full format and reinstall is what is really needed. Might as well upgrade OS while I am at it. I just can't seem to justify new hardware when I know the real issue is software.

    Rootkit developer 1, me 0
     
  49. thisisu

    thisisu Malware Consultant

    Hi pazzoduc,

    Are you still having problems? If you do decide to reformat and reinstall, I would highly recommend deleting any and all existing partitions first.

    Best of luck to you,

    thisisu
     
  50. pazzoduc

    pazzoduc Private E-2

    Seriously thinking about it. Yesterday I was unable to complete a boot from either the hard drive, or the CD. I toggled the boot bios back and forth trying to get something to work. Gave up on that too. So, I took a break and prepared to go buy Win7 64. When I went to grab my keys off the desk, the machine had booted. Go figure. So I spent the rest of the day running all of the procedures in this thread. For now the machine is behaving. But for how long who knows.

    So just doing an OS upgrade does not wipe the MBR sectors? It takes an actual re-format?

    I have been researching mutating rootkits. It appears that some need a bit of software to wipe the disc rather than a std format. A std format leaves the rootkit intact for the reload, so you have wasted a lot of time and effort, and gained nothing. Are you familiar with this issue?
     
