Malware removal

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by steelbull, Jul 7, 2011.

  1. steelbull

    steelbull Private E-2

    I got this virus last night. I was browsing in Chrome and my AVG anti-virus thing popped up and said it blocked my access to a malicious site, but since it was Chrome and not Firefox with NoScript, I worried that the damage had already been done. I tried a sweep with MBAM and it gave me some problems. When I rebooted I could suddenly not use my browsers anymore, so I followed the instructions in the read-me thread.

    I had to grab the SUPERAntiSpyware portable version because the other wouldn't load. This means, unfortunately, I don't have a log for that scan. It did find a trojan, though I can't remember what exactly, unfortunately.

    After that scan finished and it rebooted my PC, I was getting a bunch of error messages on startup that the system couldn't identify .exe files. I had a fix for that and ran it, but now, even after going through the whole read-me post, I get the same error messages and must run the fix every time I start my computer.

    I did get a bunch of errors when ComboFix was trying to write logs. It said some things in an HIV folder couldn't be accessed or something. And when I ran MGtools, the HijackThis part told me something about not being able to access the "hosts" thing and gave me some instructions on how to do it manually or something, but I wasn't sure what to do about that since I didn't see it in the read-me.

    Here are the logs. The only lingering problem I've noticed is the .exe thing every startup.

    Thanks in advance. Never using Chrome again :/

  2. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Please go here and scroll down to the exe file fix:
    http://www.dougknox.com/xp/file_assoc.htm

    Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    After clicking Fix, exit HJT.

    * Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
    If it is not on your Desktop, the below will not work.
    * Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    * If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
    * Open Notepad and copy/paste the text in the below code box into it (make sure you scroll all the way down in the code box to get all lines selected ):
    Code:
    KILLALL::
    
    Driver::
    QZQCTACVOHC
    
    File::
    c:\docume~1\Owner\LOCALS~1\Temp\QZQCTACVOHC.exe
    C:\Documents and Settings\Owner\Local Settings\Apps\F.lux\flux.exe
    
    Folder::
    C:\Documents and Settings\Owner\Local Settings\Apps\F.lux
    
    Registry::
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "F.lux"=-
    
    
    * Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    * At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    * You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    If it asks you to override the previous file with the same name, click YES.
    * Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    * Follow the prompts.
    * When it finishes, a log will be produced named c:\combofix.txt
    * I will ask for this log below

    Note:

    Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

    Then attach the below log:

    • C:\MGlogs.zip

    Make sure you tell me how things are working now!
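The following is an added example and is not part of the thread, nor a MajorGeeks or ComboFix tool. It is a PowerShell audit for the two things the poster keeps hitting: the .exe file association that the dougknox "exe file fix" .reg import restores, and the hosts file that HijackThis reported it could not access. The expected registry values are the Windows defaults (`.exe` -> `exefile`, `exefile\shell\open\command` -> `"%1" %*`); the HKCU paths checked are the usual places a per-user override lives and would survive an HKCR-only fix, which is one reason a fix might appear to "not stick" (an assumption about this case, not a diagnosis from the logs). Function names are mine. Run it from an elevated PowerShell prompt after the cleanup steps above.

```powershell
# Added example (not from the thread): audit the .exe association and the hosts
# file after a malware cleanup. Run from an elevated PowerShell prompt.
# Expected values are the Windows defaults that an "exe file fix" .reg restores.

function Get-RegDefault {
    param([string]$Path)
    # Default value of a registry key, or $null when the key does not exist.
    $key = Get-Item -LiteralPath $Path -ErrorAction SilentlyContinue
    if ($null -eq $key) { return $null }
    return $key.GetValue('')
}

function Test-ExeAssociation {
    # Machine-wide handler chain: .exe -> exefile -> "%1" %*
    $expected = @{
        'Registry::HKEY_CLASSES_ROOT\.exe'                       = 'exefile'
        'Registry::HKEY_CLASSES_ROOT\exefile\shell\open\command' = '"%1" %*'
    }
    foreach ($path in $expected.Keys) {
        $actual = Get-RegDefault $path
        if ($actual -eq $expected[$path]) {
            "OK        $path = $actual"
        } else {
            "MISMATCH  $path = '$actual' (expected '$($expected[$path])')"
        }
    }
    # Per-user keys take precedence over HKCR, so a fix applied only to HKCR
    # does not help while one of these is present. Review anything found here.
    $overrides = @(
        'Registry::HKEY_CURRENT_USER\Software\Classes\.exe',
        'Registry::HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.exe'
    )
    foreach ($path in $overrides) {
        if (Test-Path -LiteralPath $path) {
            "REVIEW    per-user override present: $path"
        } else {
            "OK        no per-user override at $path"
        }
    }
}

function Test-HostsFile {
    # TCP/IP reads the hosts file from DataBasePath; a redirected value means
    # the file HijackThis shows is not the one the resolver actually uses.
    $tcpip = 'Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
    $dbPath = (Get-ItemProperty -LiteralPath $tcpip -Name DataBasePath).DataBasePath
    $defaultDb = Join-Path $env:SystemRoot 'System32\drivers\etc'
    if ($dbPath -ieq $defaultDb) { "OK        DataBasePath = $dbPath" }
    else { "MISMATCH  DataBasePath = $dbPath (expected $defaultDb)" }

    $hosts = Join-Path $dbPath 'hosts'
    if (-not (Test-Path -LiteralPath $hosts)) { "MISSING   $hosts"; return }
    # -Force is needed to see the file if it has been marked hidden.
    $file = Get-Item -LiteralPath $hosts -Force
    "ATTRS     $hosts : $($file.Attributes)"
    "ACL       $((Get-Acl -LiteralPath $hosts).AccessToString -replace "`n", '; ')"
    # Every active (non-comment) line other than the localhost entry is listed
    # so that redirected security or update domains stand out.
    Get-Content -LiteralPath $hosts |
        Where-Object { $_ -match '^\s*[^#\s]' -and
                       $_ -notmatch '^\s*(127\.0\.0\.1|::1)\s+localhost\s*$' } |
        ForEach-Object { "ENTRY     $_" }
}

Test-ExeAssociation
Test-HostsFile
```

Any MISMATCH line means the association fix has not taken (or has been undone again since boot); a REVIEW line points at a per-user key to inspect, since those win over HKCR; unusual ATTRS or ACL output on the hosts file is the first thing to compare against a known-good machine when a tool says it cannot open the file.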
     
  3. steelbull

    steelbull Private E-2

    I followed your instructions. I am still having the problem of my computer not recognizing the .exe association, and each time I start the computer I must run the registry file I got in the link you provided.

    When I ran the analyse.exe file, I couldn't find the

    "O4 - HKUS\S-1-5-21-3517542941-223606305-1753810289-1005\..\Run: [F.lux] "C:\Documents and Settings\Owner\Local Settings\Apps\F.lux\flux.exe" /noshow (User '?')" line

    and when I ran the GetLogs.bat I got the same message about not being able to access the "host" something.

    Here are the logs.

  4. steelbull

    steelbull Private E-2

    Sorry, I have tried to reply to this before, but I think my post got caught in a spam filter or something. I followed the instructions, but I am still having the same problems. Logs are attached.

  5. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

  6. steelbull

    steelbull Private E-2

    I deleted the folder and reset the registry settings, as the post instructs. I noticed that during a section when it was resetting C:\Windows settings, every single one failed.

    Also, I cannot get those Microsoft instructions to work, as when I type regedit.exe regedit.com I get the error "Cannot import regedit.com: Error opening the file. There may be a disk or system error." and Windows still won't recognize .exe on startup until I run the fix.
     
  7. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Do you have your installation disc? I don't think this is malware related as your logs are looking clean. You may need to run a repair install.
     
  8. steelbull

    steelbull Private E-2

    Yep, I've got it. Are there any special instructions I should follow?
     
  9. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    You need to go into the BIOS and change the boot order so that the CD/DVD player is the first boot device.

    Then insert the disc and reboot. It will ask quickly if you want to boot to the CD. Hit Enter. It will load some files and ask you to hit F8 to agree to the license, then it will ask if you want to install or repair. You will choose install; it will find your previous install and again ask if you want to install or repair. This is where you want to choose repair (R). It should then run and keep all your files and programs. Let it run.
     
