Malware Removal

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by benefieldcs, Aug 27, 2012.

  1. benefieldcs

    benefieldcs Private E-2

    McAfee started to block suspicious sites. Decided to run through Malware removal. Below are the logs.
     

    Attached Files:

  2. benefieldcs

    benefieldcs Private E-2

    Adding TDSSkiller Log.
     

    Attached Files:

  3. benefieldcs

    benefieldcs Private E-2

    MGtools - Process runs. I get an error that says:

    "zip error: Could not create output file <c:/MGlogs.zip>"
     
  4. thisisu

    thisisu Malware Consultant

    Welcome to MajorGeeks, benefieldcs

    Delete items using RogueKiller.

    Double-click RogueKiller.exe to run. (Vista/7 right-click and select Run as Administrator)
    When it opens, press the Scan button
    Once the scan is complete, go to the Registry tab and checkmark everything except the below items:
    • [HJ] HKLM\[...]\System : ConsentPromptBehaviorAdmin (0)
    • [HJ] HKLM\[...]\System : EnableLUA (0)
    Now press the Delete button.
    When it is finished, there will be a log on your desktop called: RKreport[3].txt
    Attach RKreport[3].txt to your next message. (How to attach)

    __

    Please download OTL by OldTimer.

    • Save it to your desktop.
    • Right mouse click on the OTL icon on your desktop and select Run as Administrator
    • Check the "Scan All Users" checkbox.
    • Check the "Standard Output".
    • Change the setting of "Drivers" and "Services" to "All"
    • Copy the text in the code box below and paste it into the Custom Scans/Fixes text-field.
      Code:
      activex
      netsvcs
      /md5start
      afd.sys
      i8042prt.sys
      netbt.sys
      nsiproxy.sys
      svchost.exe
      tcpip.sys
      tdx.sys
      /md5stop
      %windir%\$ntuninstallkb*. /120
      %windir%\system32\drivers\*.sys /lockedfiles
      %systemdrive%\mgtools\*.*
      
    • Now click the Run Scan button.
    • One report will be created:
      • OTL.txt <-- Will be opened
    • Attach OTL.txt to your next message. (How to attach)
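    The two checks above (the UAC values RogueKiller flags but is told to leave alone, and the /md5start list of core drivers OTL hashes) can be reproduced from an elevated PowerShell prompt. The script below is an added example written for this page; it is not RogueKiller's or OTL's code and does not replace their logs. It assumes Windows 7 or later with PowerShell 2.0 or newer, reads the standard UAC policy key, and for each file in the post's list prints the MD5 (so it can be compared against OTL.txt) together with the Authenticode signature status, which is the question the MD5 list is really asking: has a core network or input driver been patched on disk?

```powershell
# Added example; not from the thread and not RogueKiller's or OTL's own code.
# Run from an elevated PowerShell prompt on Windows 7 or later.
#
# 1. Read the two UAC values that RogueKiller lists as [HJ] and that the post
#    says NOT to delete. EnableLUA=0 turns UAC off entirely;
#    ConsentPromptBehaviorAdmin=0 lets administrators elevate with no prompt.
# 2. For every file in the OTL /md5start list, print its MD5 (what OTL reports)
#    and its Authenticode status. A driver such as tcpip.sys or afd.sys that has
#    been patched on disk no longer verifies as Microsoft-signed.

$uacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$uac    = Get-ItemProperty -Path $uacKey
if ($uac.EnableLUA -eq 0) {
    $uacState = 'UAC is disabled: anything the user runs already has full admin rights'
} elseif ($uac.ConsentPromptBehaviorAdmin -eq 0) {
    $uacState = 'UAC is on, but administrators elevate without any prompt'
} else {
    $uacState = 'UAC is on and administrators are prompted'
}
Write-Host ("EnableLUA={0}  ConsentPromptBehaviorAdmin={1}  -> {2}" -f `
    $uac.EnableLUA, $uac.ConsentPromptBehaviorAdmin, $uacState)

function Get-Md5Hex([string]$Path) {
    # MD5 only because that is what OTL's /md5start.../md5stop block reports, so
    # the values line up with OTL.txt. It is an identifier, not a security check;
    # the signature status below is what actually matters.
    $md5 = [System.Security.Cryptography.MD5]::Create()
    $fs  = [System.IO.File]::OpenRead($Path)
    try     { ([BitConverter]::ToString($md5.ComputeHash($fs))) -replace '-', '' }
    finally { $fs.Close() }
}

# Same file list as the OTL custom scan in the post above.
$drivers = 'afd.sys', 'i8042prt.sys', 'netbt.sys', 'nsiproxy.sys', 'tcpip.sys', 'tdx.sys'
$files   = @(foreach ($d in $drivers) { Join-Path "$env:windir\System32\drivers" $d })
$files  += Join-Path "$env:windir\System32" 'svchost.exe'

$results = foreach ($f in $files) {
    if (-not (Test-Path $f)) { Write-Warning "Missing: $f"; continue }
    $sig = Get-AuthenticodeSignature -FilePath $f
    New-Object PSObject -Property @{
        File   = $f
        MD5    = Get-Md5Hex $f
        Status = $sig.Status      # Valid / NotSigned / HashMismatch / ...
        Signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(none)' }
    }
}
$results | Format-Table File, MD5, Status, Signer -AutoSize -Wrap
```

    Anything other than Valid with a Microsoft signer on one of these drivers deserves a closer look; HashMismatch in particular means the bytes on disk no longer match what was signed. One caveat: on older Windows versions a file whose signature lives only in a catalog (svchost.exe is the usual case) may report NotSigned from Get-AuthenticodeSignature, so confirm those with `sfc /verifyfile=<path>` or by comparing the MD5 against the same file on a known-clean machine with the same patch level.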
     
  5. benefieldcs

    benefieldcs Private E-2

    I appreciate your help.

    I didn't find RKreport[3].txt after running the scan, however, I did find RKreport[1].txt and RKreport[2].txt that were recently created on my desktop.
     

    Attached Files:

  6. benefieldcs

    benefieldcs Private E-2

    The attached file was also created after running the OTL script.
     

    Attached Files:

  7. thisisu

    thisisu Malware Consultant

    /!\ Please Disable Spybot's TeaTimer
    Leave it disabled for the remainder of malware removal.


    Fix items using OTL by OldTimer

    Double-click OTL.exe to run. (Vista/7 right-click and select Run as Administrator)
    Shut down your protection software now (antivirus, antispyware...etc) to avoid possible conflicts.
    Copy the text in the code box below and paste it into the Custom Scans/Fixes text-field.
    Code:
    :otl
    IE:64bit: - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://start.funmoods.com/?f=1&a=fmtoby&chnl=fmtoby&cd=2XzuyEtN2Y1L1Qzuzy0C0ByBtD0D0EtAyCyDzz0EyByB0F0CtN0D0Tzu0CtCzytDtN1L2XzutBtFtCtFtDtFtAtDtC&cr=219683998
    IE:64bit: - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
    IE:64bit: - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://start.funmoods.com/results.php?f=4&q={searchTerms}&a=fmtoby&chnl=fmtoby&cd=2XzuyEtN2Y1L1Qzuzy0C0ByBtD0D0EtAyCyDzz0EyByB0F0CtN0D0Tzu0CtCzytDtN1L2XzutBtFtCtFtDtFtAtDtC&cr=219683998
    IE:64bit: - HKLM\..\SearchScopes\{2fa28606-de77-4029-af96-b231e3b8f827}: "URL" = http://search.ask.com/web?q={searchterms}&l=dis&o=HPDTDF
    IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://start.funmoods.com/?f=1&a=fmtoby&chnl=fmtoby&cd=2XzuyEtN2Y1L1Qzuzy0C0ByBtD0D0EtAyCyDzz0EyByB0F0CtN0D0Tzu0CtCzytDtN1L2XzutBtFtCtFtDtFtAtDtC&cr=219683998
    IE - HKLM\..\SearchScopes,Backup.Old.DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
    IE - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
    IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://start.funmoods.com/results.php?f=4&q={searchTerms}&a=fmtoby&chnl=fmtoby&cd=2XzuyEtN2Y1L1Qzuzy0C0ByBtD0D0EtAyCyDzz0EyByB0F0CtN0D0Tzu0CtCzytDtN1L2XzutBtFtCtFtDtFtAtDtC&cr=219683998
    IE - HKLM\..\SearchScopes\{2fa28606-de77-4029-af96-b231e3b8f827}: "URL" = http://search.ask.com/web?q={searchterms}&l=dis&o=HPDTDF
    IE - HKU\S-1-5-21-3335385458-117607771-4245467744-1000\..\SearchScopes,Backup.Old.DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
    IE - HKU\S-1-5-21-3335385458-117607771-4245467744-1000\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
    IE - HKU\S-1-5-21-3335385458-117607771-4245467744-1000\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://start.funmoods.com/results.php?f=4&q={searchTerms}&a=fmtoby&chnl=fmtoby&cd=2XzuyEtN2Y1L1Qzuzy0C0ByBtD0D0EtAyCyDzz0EyByB0F0CtN0D0Tzu0CtCzytDtN1L2XzutBtFtCtFtDtFtAtDtC&cr=219683998
    IE - HKU\S-1-5-21-3335385458-117607771-4245467744-1000\..\SearchScopes\{2fa28606-de77-4029-af96-b231e3b8f827}: "URL" = http://search.ask.com/web?q={searchterms}&l=dis&o=HPDTDF
    FF - HKCU\Software\MozillaPlugins\@nsroblox.roblox.com/launcher: C:\Users\Benefield Family\AppData\Local\Roblox\Versions\version-c1e3ff7c94e44086\\NPRobloxProxy.dll ()
    O3 - HKU\S-1-5-21-3335385458-117607771-4245467744-1000\..\Toolbar\WebBrowser: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No CLSID value found.
    [2012/07/09 10:24:35 | 000,384,844 | ---- | C] () -- C:\Users\Benefield Family\AppData\Local\funmoods-speeddial.crx
    :files
    C:\ProgramData\Anti-phishing Domain Advisor /d
    type C:\mgtools\newfiles.txt /c
    type C:\mgtools\runkeys.txt /c
    ipconfig /flushdns /c
    :commands
    [emptytemp]
    
    Now click the Run Fix button.
    If the fix needed a reboot please do it.
    Click the OK button (upon reboot).
    When OTL is finished, Notepad will open. Close Notepad.
    A log file will be located at C:\_OTL\MovedFiles\mmddyyyy_hhmmss.log, where mmddyyyy_hhmmss is the date of the tool run.
    Attach this log to your next message. (How to attach)
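    The :otl section above is a browser hijack clean-up: the IE start page and the SearchScopes entries in the 64-bit machine hive (the lines OTL labels "IE:64bit:"), the 32-bit Wow6432Node view (the plain "IE" lines) and the user's own hive (the HKU\S-1-5-21-... lines) all point at funmoods.com or ask.com, and the {0633EE93-...} scope that IE normally uses as its default has had its URL rewritten. The script below is an added example written for this page, not OTL's code, that audits the same locations on any machine and reports every entry whose host matches a hijack domain. The domain list is taken from the fix above; the -Fix behaviour (reset the start page to about:blank, delete the matching scope subkeys) is this script's own choice of remediation and is an assumption, not what OTL's :otl processing does internally.

```powershell
# Added example; not from the thread and not OTL's code. Audits the Internet
# Explorer settings the :otl fix above repairs. Run elevated with IE closed.
param([switch]$Fix)

# Hosts taken from the hijacked entries in the OTL fix above; extend as needed.
$badDomains = 'funmoods.com', 'ask.com'

function Test-BadUrl([string]$Url) {
    # True when the URL's host is one of $badDomains or a subdomain of one.
    if (-not $Url) { return $false }
    if ($Url -match '^[a-z][a-z0-9+.-]*://([^/?#:]+)') { $h = $matches[1] } else { return $false }
    foreach ($d in $badDomains) {
        if ($h -eq $d -or $h -like "*.$d") { return $true }
    }
    return $false
}

# HKU is not a drive by default; map it so loaded user hives can be walked.
if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
}

$roots = @(
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer'              # OTL "IE:64bit:" lines
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer'  # OTL "IE" lines (32-bit view)
)
$roots += @(Get-ChildItem -Path 'HKU:\' |
    Where-Object { $_.PSChildName -match '^S-1-5-21-\d+-\d+-\d+-\d+$' } |
    ForEach-Object { "HKU:\$($_.PSChildName)\SOFTWARE\Microsoft\Internet Explorer" })

$findings = foreach ($root in $roots) {
    if (-not (Test-Path $root)) { continue }

    $main = Get-ItemProperty -Path "$root\Main" -ErrorAction SilentlyContinue
    if ($main -and (Test-BadUrl $main.'Start Page')) {
        New-Object PSObject -Property @{ Hive = $root; Item = 'Main\Start Page'; Url = $main.'Start Page' }
        if ($Fix) { Set-ItemProperty -Path "$root\Main" -Name 'Start Page' -Value 'about:blank' }
    }

    $scopesKey = "$root\SearchScopes"
    if (-not (Test-Path $scopesKey)) { continue }
    $defaultScope = (Get-ItemProperty -Path $scopesKey -ErrorAction SilentlyContinue).DefaultScope
    foreach ($scope in Get-ChildItem -Path $scopesKey) {
        $url = (Get-ItemProperty -Path $scope.PSPath -ErrorAction SilentlyContinue).URL
        if (-not (Test-BadUrl $url)) { continue }
        # Mark the scope IE currently treats as the default: that is the one the
        # search box actually sends queries to.
        $tag = if ($scope.PSChildName -eq $defaultScope) { ' (DefaultScope)' } else { '' }
        New-Object PSObject -Property @{ Hive = $root; Item = "SearchScopes\$($scope.PSChildName)$tag"; Url = $url }
        if ($Fix) { Remove-Item -Path $scope.PSPath -Recurse }
    }
}

if ($findings) { $findings | Format-Table Hive, Item, Url -AutoSize -Wrap } else { 'No hijacked start page or search scope found.' }
```

    Run it without -Fix first and compare the output with the IE lines in OTL.txt; only users whose hives are loaded (logged on, or the profile mounted by hand) are covered, which is why OTL's "Scan All Users" option matters on a shared machine. Deleting a hijacked default scope leaves IE with no default search provider until one is chosen again, so expect IE to prompt for one after the fix.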
     
  8. benefieldcs

    benefieldcs Private E-2

    Here is the latest. Thanks again for all of your help!
     

    Attached Files:

  9. thisisu

    thisisu Malware Consultant

    You're welcome.
    This log looks like it took care of the malware.
    What problems are you still experiencing, if any?
     
  10. benefieldcs

    benefieldcs Private E-2

    Looking good! I am not experiencing any problems. Thank you for your help! You guys are awesome. Now if I could somehow prevent getting Malware again in the future.
     
  11. thisisu

    thisisu Malware Consultant

    You're welcome. Be sure to complete the below cleanup steps:

    If you are not having any other malware related problems, it is time to do our final steps:
    • Any programs we had you download and/or install can be removed at this time.
    • If we had you download and run ComboFix, here is how to uninstall it:
      • Press and hold the Windows key and then press the letter R on your keyboard.
      • This opens the Run dialog box.
      • Copy and paste the below text inside the text-field:
        • "%userprofile%\desktop\ComboFix" /uninstall
      • Now press ENTER
      • ComboFix will extract its files one last time and you should receive a notification that ComboFix has been uninstalled shortly after.
    • You can re-enable your Disk Emulation software at this time via DeFogger.
    • If we had you create or download a registry patch or "fix" script, these can be deleted at this time.
    • Go into the C:\MGtools folder and run the MGclean.bat file to remove additional traces of our tools.
    • Now we will toggle System Restore to remove any infected system restore points.
    • Lastly, here is a guide to protect you from future infections: How to Protect yourself from malware!
    • Be safe :)
     
  12. benefieldcs

    benefieldcs Private E-2

    Good Morning,

    As soon as I re-enabled my Disk Emulation software via DeFogger, I noticed IE started to bog down, and at the same time McAfee popped up a couple of messages about blocking malicious sites. I've included a screen shot of the McAfee report.

    I turned off Disk Emulation again as a precaution.

    Thanks,
    Chris
     

    Attached Files:

  13. thisisu

    thisisu Malware Consultant

    Good morning.
    OK, you can leave this off; however, it may just be a coincidence, as DeFogger doesn't do anything but disable emulation software like Daemon Tools or Alcohol 120%.

    Have you gone through the remaining cleanup procedures? At least run c:\MGtools\MGclean.bat as that should get rid of the items we quarantined.

    __

    Let me know if the problem persists while you have Disk Emulation disabled and once you have run MGclean.bat.
     
