Multiple malware attack

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by Himo, Oct 28, 2008.

  1. Himo

    Himo Private E-2

    Hi all,

    I'm having a lot of trouble with my computer. My computer seems to have a virus with the following symptoms:
    - Google searches send me to commercial sites
    - I can't browse to any reputable antivirus site (including this one); it just doesn't work. (I can log on to this website in safe mode only)
    - I can browse to most other websites, but very slowly
    - I can't install any antivirus software, not even in safe mode.

    I don't know what to do. Please help!

    Thanks!
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Major Geeks!

    Please follow the instructions in the below link and attach the requested logs when you finish these instructions.


    READ & RUN ME FIRST. Malware Removal Guide
    • If something does not run, write down the info to explain to us later but keep on going.
    • Do not assume that because one step does not work that they all will not.
    Notes:

    1. If you run into problems trying to run the READ & RUN ME or any of the scans in normal boot mode, you can run the steps in safe boot mode, but make sure you tell us what you did later when you post logs. See the below if you do not know how to boot in safe mode:
    2. If you have problems downloading on the problem PC, download the tools on another PC and burn to a CD. Then copy them to the problem PC. You will have to skip getting updates if (and only if) your internet connection does not work. Yes you could use a flash drive too but flash drives are writeable and infections can spread to them.
     
  3. Himo

    Himo Private E-2

    I'm having issues running any kind of anti-malware program. It seems that whatever I have is blocking some programs from running, the rest from installing. Is it ok if I run all these programs from safe mode? (am I going to be able at all?)

    BTW, The original infection seemed to come from XP_Antispyware 2009 (which I uninstalled)

    Thanks!
     
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes! Did you read all of my first message, including the notes? ;)
     
  5. Himo

    Himo Private E-2

    Yeah :-o I noticed when I re-read it before starting to run the process.

    Anyway, it has been quite eventful, but the computer is MUCH better. I'm not sure yet if it is ok, but at least I don't have blocked websites.

    I had to run almost everything in safe mode. So, as requested, I'll be as detailed as possible.

    - Although up until yesterday I could run the machine in normal mode, by the time I started the RUNME process the computer would crash before finishing loading windows and send me directly to safe mode.

    - While in safe mode I tried to recover previous registry to see if that would fix it. It didn't work.

    - I started the cleanup process. I uninstalled all non-frequently used programs. But I ran into a few problems:
    - None of the Java runtimes would uninstall. It said that the uninstall process was not found, probably because I was in safe mode.
    - There was another program with that problem. I can't remember its name.

    - While I was uninstalling, my computer rebooted by itself, and when it got back I had safe mode infected too!!!
    I was no longer able to run most antimalware programs or connect to any website that would help me. I went to my work computer, printed the guide, downloaded all the programs and came back.

    - I ran CClean. In the process I deleted a abark registry entry and disabled ctfmon.exe

    - Supera wouldn't run. So I moved to next step.
    - Spybot wouldn't even install (it tries to connect to some website to do that and it was blocked or something)
    - I ran Malwarebytes (attached log)
    - I thought that maybe Malwarebytes worked because I renamed the .exe, so I tried the same thing with Spybot.
    - I renamed spybot to Sbot. It worked. (log attached)
    - I went ahead and tried the same thing with supera. I renamed it. It worked. (log attached)
    - I ran MGtools (I know, I should have run ComboFix, but I missed that step)
    MG tools had a problem about midway:
    "Failed to delay load library mscorlib.dll. Error 193. Ths program will no longer run"

    Up to this point, every time I restarted the computer it would crash at boot and restart in safe mode.

    - I ran combofix. It installed recovery console correctly. Then ran the program itself. I got the following error: "Failed to download updated copy. Will continue with existing"
    ComboFix found a bunch of things and restarted the computer itself a couple of times.... the second time it restarted directly into NORMAL MODE (no safe mode anymore!! Yay!!)
    (log attached.)

    I wrote this email. Computer seems to be a bit better, but still will have to see.
    Is there an antivirus you would recommend above others? Up until now I had Avira + Spybot (with teatimer... that btw, didn't prevent this virus from changing the registry although it messaged me and I told it to not allow it to do so) I would rather not go through this anymore.
     


  6. Himo

    Himo Private E-2

    MGlogs
     


  7. Himo

    Himo Private E-2

    After all this (4 hours later), I still keep finding viruses with Avira; the last one was a trojan that I somehow doubt had been missed before, especially considering that I haven't browsed outside this forum or the antivirus products' related websites. I wonder if Avira itself is infected or if I have a backdoor to my system that keeps being exploited.
    What should I do?
    Thanks a lot for all the help I'm getting btw.
     
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    We will get to this in my final instructions. But Avira is in our list.

    Wait until you finish 100% of my final instructions. You may only be seeing quarantines and/or System Restore.



    Uninstall the below old versions of software:
    J2SE Runtime Environment 5.0 Update 10
    Java(TM) 6 Update 2
    Java(TM) 6 Update 3
    Java(TM) 6 Update 5
    Java(TM) 6 Update 7
    Java(TM) SE Runtime Environment 6 Update 1

    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    O4 - HKLM\..\Run: [QuickTime Task] "F:\Program Files\QuickTime\qttask.exe" -atboottime

    After clicking Fix, exit HJT.

    Now reboot your PC.

    After reboot, now install the current version of Sun Java from: Sun Java Runtime Environment

    Your logs are clean!

    Now it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources (except a little disk space) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note: the quotes are required.
      • "%userprofile%\Desktop\combofix" /u
        • Note: the space between combofix" and /u must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
      • Delete the C:\combofix folder from combofix (if it exists)
    3. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    4. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    5. Go to add/remove programs and uninstall HijackThis.
    6. You can delete the C:\MGtools folder and the C:\MGtools.exe file. You can also delete the C:\MGlogs.zip
    7. If you are running Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning steps in the READ ME for your Windows version and see the steps to Disable System Restore, which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    8. After doing the above, you should work through the below link:
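The HijackThis "O4" line quoted above (hive, Run key, bracketed value name, then the command) has a fixed layout that can be parsed mechanically. The script below is an added example, not part of the thread or of HijackThis itself; it parses constructed sample O4 lines into their parts and, as an assumed reviewer's heuristic, lists entries that start from user-writable folders.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

# Constructed sample of HijackThis log lines. The QuickTime O4 line is the one
# quoted in the thread; the ctfmon, "Updater" and O23 lines are made up here
# for illustration and do not come from the poster's logs.
SAMPLE_HJT_LOG = r"""
O4 - HKLM\..\Run: [QuickTime Task] "F:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\RunOnce: [Updater] C:\Documents and Settings\user\Local Settings\Temp\svchost.exe /silent
O23 - Service: Avira AntiVir (AntiVirService) - Avira GmbH - C:\Program Files\Avira\avguard.exe
"""

# O4 layout: "O4 - <hive>\..\<key>: [<value name>] <command line>"
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")

@dataclass
class StartupEntry:
    hive: str   # registry hive, e.g. HKLM or HKCU
    key: str    # Run or RunOnce
    name: str   # value name shown in brackets
    exe: str    # executable path
    args: str   # remaining command-line arguments

def split_command(cmd: str) -> Tuple[str, str]:
    """Separate the executable path from its arguments."""
    cmd = cmd.strip()
    if cmd.startswith('"'):                      # quoted path: take up to the closing quote
        end = cmd.find('"', 1)
        return cmd[1:end], cmd[end + 1:].strip()
    idx = cmd.lower().find(".exe")               # unquoted path may contain spaces
    if idx != -1:
        return cmd[:idx + 4], cmd[idx + 4:].strip()
    head, _, tail = cmd.partition(" ")
    return head, tail

def parse_o4_lines(log: str) -> List[StartupEntry]:
    """Return the O4 (autostart) entries from a HijackThis log; other sections are ignored."""
    entries = []
    for line in log.splitlines():
        m = O4_RE.match(line.strip())
        if m:
            exe, args = split_command(m.group("cmd"))
            entries.append(StartupEntry(m.group("hive"), m.group("key"), m.group("name"), exe, args))
    return entries

# Assumed heuristic (not from the thread): autostart entries launched from
# user-writable locations deserve a closer look before deciding what to fix.
USER_WRITABLE = ("\\temp\\", "\\local settings\\", "\\application data\\", "\\appdata\\")

def flag_user_writable(entries: List[StartupEntry]) -> List[StartupEntry]:
    return [e for e in entries if any(p in e.exe.lower() for p in USER_WRITABLE)]
```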
     