Need Malware Removal Help

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by uncleseano, Aug 26, 2011.

  1. uncleseano

    uncleseano Private E-2

    Heya, I read through the 'things to do first' topic and did all the usual: uninstalling Java, disabling virtual drives, etc...

    Now down to the nitty gritty, where do I start? I basically have something that Malwarebytes stops from connecting to some IP address, and every now and then a folder with a random name is created in my Internet Temp folder and tries to run something called 'setup'. Comodo blocks it though.

    This morning I noticed the program was an svchost that tried to connect to an IP in Romania. I disabled one of the svchosts, the one that was using 500,000k of memory, and noticed the Malwarebytes 'pop-ups' disappeared.

    Ideas, guys? I really want this thing gone.
     
  2. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Please attach the requested logs from doing the Read and Run First instructions:
    SAS
    MBAM
    RootRepeal -- if it runs
    ComboFix
    C:\MGLogs.zip
     
  3. uncleseano

    uncleseano Private E-2

    Sorry, that posted without the info. I didn't do RootRepeal as I've a 64-bit system, and ComboFix just wouldn't start up properly. I kept on seeing stuff like 'grep.exe has stopped working', among other processes that ComboFix would use failing. Also I got this 'cannot rename combofix'. All antivirus/firewalls etc. were offline. But this problem has shown itself with a few programs since the infection.

    Please help :cry
     

    Attached Files: mbam.txt, SAS.zip
  4. uncleseano

    uncleseano Private E-2

    Forgot the mgtools one, here..
     

    Attached Files:

  5. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Your MGLog.zip was virtually empty. Did you get any error messages when you ran it? Please do the following:

    Please click Start, All Programs, Accessories and you will see ( among other things ) a Command Prompt entry.

    • Right click the Command Prompt entry and select Run As Administrator.
      • It is critical that you run it this way.
    • If you do this properly, a command prompt window will open with a title of Administrator Command Prompt.
    • Enter the below commands at the command prompt each followed by the enter key. The bold black are commands. The purple/brown is merely informational.

    cd \MGtools <-- this changes to the MGtools folder and the prompt should change to C:\MGtools>
    GRK64 <-- this will try to run one scan from MGtools. Tell me what error messages, if any, you see.
    SN64 <-- this will try to run one scan from MGtools. Tell me what error messages, if any, you see.

    Now attach the new C:\MGLogs.zip
     
  6. uncleseano

    uncleseano Private E-2

    I've downloaded MGtools twice now and both times I run the .exe it creates the MGtools folder but it doesn't contain GRK64 or SN64. Any ideas?

    By the way thanks for this, you're a champ
     
  7. uncleseano

    uncleseano Private E-2

    I've disabled everything, scanners etc. and UAC, and when I run as admin it only ever creates a temp file and 2 logs, no .bat files. Here is the pic of the command I get, attached.
     

    Attached Files: cmd.jpg
  8. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Please download OTL by Old Timer and save it to your Desktop.

    See the download links under the icon.

    1. Double click OTL.exe to run OTL (Vista and Win7 right click and select Run as Administrator)
    2. When OTL opens, change the Output (at the top-right portion of the program) to Minimal Output
    3. Put check-marks in LOP Check and Purity Check
    4. Now click the scan button.


    When the scan is complete, a file entitled OTL.txt will be created on your Desktop. There will be another file called Extras.
    Attach these logs to your next message. (See: HOW TO: Attach Items To Your Post )
     
  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please try it again now. There was a problem with the last file. I just updated it. Download and run the new MGtools. See if it makes the MGlogs.zip file now. Thanks!
     
  10. uncleseano

    uncleseano Private E-2

    OK, the new mgtools.exe worked grand, here are the logs. Do I still need to do OldTimer then?
     

    Attached Files:

  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes, it may prove useful since you could not run ComboFix.

    Also two more things.

    1. You said you disable virtual drives but I see Daemon Tools running.
    2. Why do I see two instances of ping.exe running? What are you pinging and why would it be always running and why two instances?
     
  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay I see that you are running ping with the below options. Are you running these manually or part of some other program/game? Why?


    "C:\Windows\SysWOW64\ping.exe" -g no -t 3 -o http://revalati0n-startup.com:8344/ -u sdrkuqykq -p fibkxml

    C:\Windows\SysWOW64\ping.exe 127.0.0.1 -t


    Code:
    REVALATI0N-STARTUP.COM - Geo Information
    IP Address: 178.162.224.229   184.82.193.155
    Host: revalati0n-startup.com
    Location: US, United States
    City: Scranton, PA 18501
    Organization: RAZÃO DIGITAL c/o Network Operations Center, Inc.
    ISP: NetDirect
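The two ping.exe command lines quoted above illustrate a detection that does not depend on a signature: the real Windows ping accepts a small, fixed set of switches and host/IP targets, so a "ping.exe" carrying switches it never had plus a URL with a port and path is a process worth investigating. The following is an added example (not code from the thread or from MajorGeeks' tools) that applies that check to both command lines; the switch allowlist is an assumption drawn from the commonly documented ping usage and should be confirmed against the ping build on the hosts being monitored.

```python
import re

# Switches accepted by the genuine Windows ping.exe. Assumption: the commonly
# documented list; newer Windows 10 builds also accept -c and -p, so confirm
# the allowlist against the ping build on the hosts you monitor.
PING_SWITCHES = {"-t", "-a", "-n", "-l", "-f", "-i", "-v", "-r", "-s",
                 "-j", "-k", "-w", "-R", "-S", "-4", "-6"}
URL_RE = re.compile(r"^[a-z][a-z0-9+.-]*://", re.IGNORECASE)  # scheme://...

# Constructed sample: the two command lines quoted in the thread above.
SAMPLE_CMDLINES = [
    r'"C:\Windows\SysWOW64\ping.exe" -g no -t 3 -o http://revalati0n-startup.com:8344/ -u sdrkuqykq -p fibkxml',
    r"C:\Windows\SysWOW64\ping.exe 127.0.0.1 -t",
]

def split_cmdline(cmdline):
    """Minimal Windows-style tokenizer: keeps double-quoted paths together."""
    return [tok.strip('"') for tok in re.findall(r'"[^"]*"|\S+', cmdline)]

def image_name(token):
    """Base name of the executable, lower-cased, whatever the slash style."""
    return token.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def assess_ping_cmdline(cmdline):
    """Reasons a ping.exe command line looks wrong; [] means it is plausible."""
    tokens = split_cmdline(cmdline)
    if not tokens or image_name(tokens[0]) != "ping.exe":
        return []  # not ping.exe; out of scope for this check
    reasons = []
    for tok in tokens[1:]:
        # A switch the real binary does not implement, or a URL where only a
        # host or IP belongs, means these arguments were not written for ping.
        if tok.startswith("-") and tok not in PING_SWITCHES:
            reasons.append(f"switch {tok} is not a ping.exe option")
        elif URL_RE.match(tok):
            reasons.append(f"URL argument {tok}")
    return reasons

def flag_suspicious(cmdlines):
    """Map each suspicious command line to its reasons; clean lines are omitted."""
    flagged = {}
    for cmd in cmdlines:
        reasons = assess_ping_cmdline(cmd)
        if reasons:
            flagged[cmd] = reasons
    return flagged

if __name__ == "__main__":
    for cmd, why in flag_suspicious(SAMPLE_CMDLINES).items():
        print(cmd, "->", "; ".join(why))
```

On the sample, the first command line is flagged for -g, -o, -u, -p and the URL, while the genuine-looking `ping.exe 127.0.0.1 -t` passes, so the check separates the two without any knowledge of the domain involved.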
     
  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    More questions:
    1. Your IP shows that you are in Ireland. Is that correct?
    2. Why are you using DNS server addresses in Sterling, Virginia, USA?
    3. And why are you pinging that address in Pennsylvania?
    [edit] Ah! I just noticed you are using Comodo and those DNS servers are for Comodo Secure DNS. But the pinging question remains.
     
  14. uncleseano

    uncleseano Private E-2

    I don't really know what those two ping.exe are, they weren't always there even though I've had Comodo for ages now. As for Daemon Tools, sorry, my bad. It's running but the drives are disabled. Doing the scans again to see if it interfered.

    Yeah I'm in Ireland, windy and cold. Oh joy.
    Attached below is the oldtimer log
     

    Attached Files: OTL.Txt
  15. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Double-click OTL.exe to start the program.

    • Copy and Paste the following code into the Custom Scans/Fixes textbox. Do not include the word Code

    Code:
    :processes
    :files
    @Alternate Data Stream - 487 bytes -> C:\ProgramData\TEMP:05EE1EEF
    @Alternate Data Stream - 117 bytes -> C:\ProgramData\TEMP:C0EC8D57
    @Alternate Data Stream - 1124 bytes -> C:\Users\Seán\AppData\Local\Temp:pYsQuHJIHNfoEkQqaQb6sQpVwDK
    @Alternate Data Stream - 1124 bytes -> C:\ProgramData\Microsoft:jYIikL2QpDCskA7z52zDN0V
    @Alternate Data Stream - 1090 bytes -> C:\ProgramData\Microsoft:hpZA7W0IwgHSK1nhyXYXrbz
    @Alternate Data Stream - 101 bytes -> C:\ProgramData\TEMP:A4C20950
    
    :commands
    [PURITY]
    [EMPTYTEMP]
    [RESETHOSTS]
    [REBOOT]
    
    
    • Then click the Run Fix button at the top.
    • Click the OK button.
    • OTL may ask to reboot the machine. Please do so if asked.
    • The report should appear in Notepad after the reboot. Just close Notepad and attach this log from OTL to your next message.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).


    Then attach the below logs:

    • C:\MGlogs.zip
    • OTL log

    Make sure you tell me how things are working now!
     
  16. uncleseano

    uncleseano Private E-2

    thanks for all the help and speedy replies, you are total champs...

    MGtools GetLogs returns an error that says
    'Freeware implementation of REG.EXE has stopped working', but I think that's normal, is it?

    It also says that AAM Updates Notifier Application, grep.exe and vfind.exe, zip.exe have stopped working during the GetLogs.bat run.
     

    Attached Files:

  17. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    You need to tell me how things are running.

    Just to cover all bases, let's have you do one more thing:

    Go to the below link and follow the instructions for running TDSSKiller from Kaspersky

    Be sure to attach your log from TDSSKiller

    Please also download MBRCheck to your desktop.

    See the download links under the icon.

    • Double click MBRCheck.exe to run (vista and Win 7 right click and select Run as Administrator)
    • It will show a Black screen with some information that will contain either the below line if no problem is found:
      • Done! Press ENTER to exit...
    • Or you will see more information like below if a problem is found:
      • Found non-standard or infected MBR.
      • Enter 'Y' and hit ENTER for more options, or 'N' to exit:
    • Either way, just choose to exit the program at this point since we want to see only the scan results to begin with.
    • MBRCheck will create a log named similar to MBRCheck_07.16.10_00.32.33.txt which is random based on date and time.
    • Attach this log to your next message. (See: HOW TO: Attach Items To Your Post )
     
  18. uncleseano

    uncleseano Private E-2

    OK, so here are those logs, pretty promising. TDSSKiller found a dodgy rootkit and cured it, and it seems to have done the trick. MBAM isn't reading the computer trying to reach that random Serbian IP anymore and the sound stutter seems to have stopped.

    Gonna give it a day though before I'm totally happy.
     

    Attached Files:

  19. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Very good!! :)

    If you are not having any other malware problems, it is time to do our final steps:

    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no real time protection. They do not use any significant amount of resources ( except a little disk space ) until you run a scan. We recommend them for doing backup scans when you suspect a malware infection.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /uninstall
        • Notes: The space between the combofix" and the /uninstall, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.


    3. Go back to step 6 of the READ ME and re-enable your Disk Emulation software with Defogger if you had disabled it.
    4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    7. Go to add/remove programs and uninstall HijackThis.
    8. Goto the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    9. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures pointed to by step 7 of the READ ME
        for your Window version and see the instructions to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.

    10. After doing the above, you should work thru the below link:


     
  20. uncleseano

    uncleseano Private E-2

    Yeah, looks like the malware is gone. Problem is, I think the sound stuttering is to do with my computer. The crashes are still happening, just had one when trying to play a game that's really low in spec. It's the same sound 'lag' sort of, then it gets more intense until the comp either freezes or BSODs on me. Is there any way to check if the CPU or other hardware might be on the way out?
     
  21. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    That's a topic best suited for the software or hardware forum. ;)
     
  22. uncleseano

    uncleseano Private E-2

    Hah! OK, thanks for all your help. You've been great. Have a good one, Tim. I can sleep happier tonight :cool
     
  23. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    You are most welcome. :)
     
