Pls. Help -- followed all the procedures listed on Vista Malware Removal but

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by Evie74, Jan 9, 2011.

  1. Evie74

    Evie74 Private E-2

    still have problems. I followed the procedures (http://forums.majorgeeks.com/showthread.php?t=139681) to a tee.

    During the process, Malwarebytes found four Trojans. I removed them once, restarted, and ran Malwarebytes again just to be sure, and the four Trojans were still there. So I went into registry and removed one of them remaining manually (it was the second one in the log ... DhcpNameServer), restarted the computer, and ran Malwarebytes again. This time I could no longer find any problems.

    However, I still can't do any of the following.

    *I can't access Spybot and the other antimalware websites (so can't download and run Spybot)
    *I can't update Adaware, Malwarebytes (19 days old --- btw, I could not update the definitions using the download from MajorGeeks, so I used the old definition -- it is the old definition that found four Trojans.), A-squared, SuperAntispyware ... none of those.
    *during web browsing using Firefox, a new window pops up and directs me to various websites, some malicious and some harmless (according to WOT that I have installed).

    BTW the reason I don't have SuperAntiSpyware attached is because the program did not detect anything. It was Malwarebytes that found four Trojans.

    Thanks so much for your help. I'm longingly waiting for your response. Thank you.

    UPDATE: For the heck of it, I ran Malwarebytes again, and I found the same Four Trojans Back on my computer!!!! I don't understand!! Please HELP!
     
    Last edited: Jan 9, 2011
  2. Evie74

    Evie74 Private E-2

    PS: Prior to trying the procedures, I also tried running scans in Safe Mode --(Symantec Endpoint, outdated miscellaneous antimalware programs) -- found nothing. Thank you!
     
  3. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Take a look at this ;)

    Go to TDSSKiller and Download TDSSKiller.zip to your Desktop

    • Extract its contents to your Desktop so that you have TDSSKiller.exe directly on your Desktop and not in any subfolder of the Desktop.
    • Now double click the TDSSkiller.exe file to run it (if using Vista or Windows 7 do not double click on it but rather, right click and select Run As Administrator).
    • Allow the application to run and a window will open showing that it is TDSSkiller from Kaspersky
    • Click Start scan
    • It will run rather quickly and will notify you of whether anything is found or not.
    • Follow the instructions to delete/quarantine if it asks you what to do when it finds something.
    Whether an infection is found or not, a log file should be created on your C: drive ( or whatever drive you boot from) in the root folder named something like TDSSKiller.2.1.1_27.12.2009_14.17.04_log.txt which is based on the program version # and date and time run. Please attach this log to your next reply. (See: HOW TO: Attach Items To Your Post )
    But I still want to see the log, please.
    Not quite. How about RootRepeal?
    How about Combofix?
    And MGTools?

    I need to see logs from running those as well as the other logs I requested.
     
  4. Evie74

    Evie74 Private E-2

    Oh, sorry ,I had thought I attached the logs.

    Thanks so much for responding. I'm reading your comment right now! Please wait a moment for the log of SuperAnti.
     

    Attached Files:

  5. Evie74

    Evie74 Private E-2

     
  6. Evie74

    Evie74 Private E-2

    OK, here is my log I got after running the TDSSKiller.

     

    Attached Files:

  7. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

    Now copy just the bold text below to notepad (Do not include any space above the word REGEDIT). Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.
    Make sure that you tell me if you receive a success message about adding the above
    to the registry. If you do not get a success message, it definitely did not work.


    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:

    * C:\MGlogs.zip
     
  8. Evie74

    Evie74 Private E-2

    Hi I made fixME.reg and merged it with registry, but I couldn't find C:\MGtools\GetLogs.bat -- I see C:\MGtools\GetUnKey.txt ...

    Should I download MGtools again?
     
  9. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Where did it go? Did you uninstall it?

    Download the latest version of MGtools and save it to your root folder. Overwrite your previous MGtools.exe file with this one. Run the exe. file and attach the new C:\MGLogs.zip.
     
  10. Evie74

    Evie74 Private E-2

    I did it. Here's the attachment. I still don't see the bat file.

     

    Attached Files:

  11. Evie74

    Evie74 Private E-2

    Here is the scan log from SuperAntiSpyware. Sorry it took me a while to figure out how to get the log.

    The other logs are attached to a post below. Thanks so much for your help!

     

    Attached Files:

  12. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    * Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
    If it is not on your Desktop, the below will not work.
    * Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    * If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
    * Open Notepad and copy/paste the text in the below code box into it (make sure you scroll all the way down in the code box to get all lines selected ):
    Code:
    KILLALL::
    
    Registry::
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters]
    "DhcpNameServer"=""    
    
    [HKEY_LOCAL_MACHINE\system\controlset001\services\tcpip\parameters]
    "DhcpNameServer"=""    
    
    [HKEY_LOCAL_MACHINE\system\controlset002\services\tcpip\parameters]
    "DhcpNameServer"=""    
      
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{6fe45f14-137b-429a-a235-3900826eb308}]
    "DhcpNameServer"=""
        
    [HKEY_LOCAL_MACHINE\system\controlset001\services\tcpip\parameters\interfaces\{6fe45f14-137b-429a-a235-3900826eb308}]
    "DhcpNameServer"=""    
    
    [HKEY_LOCAL_MACHINE\system\controlset002\services\tcpip\parameters\interfaces\{6fe45f14-137b-429a-a235-3900826eb308}]
    "DhcpNameServer"=""
    
    
    * Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    * At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    * You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    If it asks you to override the previous file with the same name, click YES.
    * Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    * Follow the prompts.
    * When it finishes, a log will be produced named c:\combofix.txt
    * I will ask for this log below

    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:

    * C:\ComboFix.txt
    * C:\MGlogs.zip
     
  13. Evie74

    Evie74 Private E-2

    Hi, here are the files.
    Thanks so much!!! :)
     

    Attached Files:

  14. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Download and run OTM.

    Download OTM by Old Timer and save it to your Desktop.

    • Right-click OTM.exe And select " Run as administrator " to run it.
    • Paste the following code under the [​IMG] area. Do not include the word Code.
    Code:
    :reg
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters]
    "DhcpNameServer"="1.2.3.4"
    [HKEY_LOCAL_MACHINE\system\controlset001\services\tcpip\parameters]
    "DhcpNameServer"="1.2.3.4"
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{6fe45f14-137b-429a-a235-3900826eb308}]
    "DhcpNameServer"="1.2.3.4"  
    [HKEY_LOCAL_MACHINE\system\controlset001\services\tcpip\parameters\interfaces\{6fe45f14-137b-429a-a235-3900826eb308}]
    "DhcpNameServer"="1.2.3.4"
      
    
    :Commands
    [emptytemp]
    [Reboot]
    • Return to OTM, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste.
    • Push the large [​IMG] button.
    • OTM may ask to reboot the machine. Please do so if asked.
    • Copy everything in the Results window (under the green bar), and paste it into notepad, save it as something appropriate and attach it into your next reply.

    NOTE: If you are unable to copy/paste from this window (as will be the case if the machine was rebooted), open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTM\MovedFiles folder, and open the newest .log file present, and attach the contents of that document back here in your next post.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this.
     
  15. Evie74

    Evie74 Private E-2

    Hi Kestrel, here are the files.

    Thanks so much for your help!!

    :)
     

    Attached Files:

  16. Evie74

    Evie74 Private E-2

    Hello, I wonder if I'm doing something called "bumping," but I don't mean to ... I just wanted to let Kestrel and TimW know that I'm longingly waiting for their response to my posts. I wanted to send Private Messages but as a new user I still can't send them any.

    I still can't access any of the antimalware sites nor update my programs.

    Thanks so much!!!!
     
  17. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    I have been active in the forums today, but I wanted to wait for TimW's opinion on how best to proceed. He will log in during the next hour or so, so just be patient. ;) Thanks.
     
  18. Evie74

    Evie74 Private E-2

    Thanks Kestral! You guys are so amazing, I think you should know that!
    :p
    I am going to run out and won't be back until 8pm Eastern ST but I will be sure to check back.

    See you later!
     
  19. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Stubborn little twit. Let's try doing it again.

    Make sure you have all protection software disabled while we do this.

    * Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
    If it is not on your Desktop, the below will not work.
    * Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    * If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
    * Open Notepad and copy/paste the text in the below code box into it (make sure you scroll all the way down in the code box to get all lines selected ):
    Code:
    KILLALL::
    
    Registry::
    [-HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters]
    "DhcpNameServer"="93.188.161.105 93.188.166.105 1.2.3.4"

    [-HKEY_LOCAL_MACHINE\system\controlset001\services\tcpip\parameters]
    "DhcpNameServer"="93.188.161.105 93.188.166.105 1.2.3.4"

    [-HKEY_LOCAL_MACHINE\system\controlset002\services\tcpip\parameters]
    "DhcpNameServer"="93.188.161.105 93.188.166.105 1.2.3.4"

    [-HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{6fe45f14-137b-429a-a235-3900826eb308}]
    "DhcpNameServer"="93.188.161.105 93.188.166.105 1.2.3.4"

    [-HKEY_LOCAL_MACHINE\system\controlset001\services\tcpip\parameters\interfaces\{6fe45f14-137b-429a-a235-3900826eb308}]
    "DhcpNameServer"="93.188.161.105 93.188.166.105 1.2.3.4"

    [-HKEY_LOCAL_MACHINE\system\controlset002\services\tcpip\parameters\interfaces\{6fe45f14-137b-429a-a235-3900826eb308}]
    "DhcpNameServer"="93.188.161.105 93.188.166.105 1.2.3.4"

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters]
    "DhcpNameServer"=""

    [HKEY_LOCAL_MACHINE\system\controlset001\services\tcpip\parameters]
    "DhcpNameServer"=""

    [HKEY_LOCAL_MACHINE\system\controlset002\services\tcpip\parameters]
    "DhcpNameServer"=""

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{6fe45f14-137b-429a-a235-3900826eb308}]
    "DhcpNameServer"=""

    [HKEY_LOCAL_MACHINE\system\controlset001\services\tcpip\parameters\interfaces\{6fe45f14-137b-429a-a235-3900826eb308}]
    "DhcpNameServer"=""

    [HKEY_LOCAL_MACHINE\system\controlset002\services\tcpip\parameters\interfaces\{6fe45f14-137b-429a-a235-3900826eb308}]
    "DhcpNameServer"=""
    
    
    * Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    * At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    * You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    If it asks you to override the previous file with the same name, click YES.
    * Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    * Follow the prompts.
    * When it finishes, a log will be produced named c:\combofix.txt
    * I will ask for this log below

    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:

    * C:\ComboFix.txt
    * C:\MGlogs.zip
     
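Added example, not from the thread, from ComboFix or from MajorGeeks: a small Python audit that parses the Registry:: section of a CFScript-style fix like the ones posted above, reports key headers that lack their closing bracket, flags whole-key deletions (the `[-HKEY...]` form) of the Tcpip Parameters keys, and flags DhcpNameServer data that names the rogue resolvers quoted in the script. The sample script below is constructed here, with one bracket deliberately missing; the interface GUID and resolver addresses are the ones that appear in the thread.

```python
"""Audit a CFScript / .reg-style registry fix before it is merged (constructed example)."""
import re
from typing import List, Tuple

# Rogue resolver addresses quoted in the thread's CFScript.
ROGUE_DNS = {"93.188.161.105", "93.188.166.105"}

# Tcpip\Parameters or one of its Interfaces\{GUID} subkeys: deleting one of
# these wholesale removes far more than DhcpNameServer.
TCPIP_PARAMS = re.compile(
    r"\\services\\tcpip\\parameters(\\interfaces\\\{[0-9a-f-]+\})?$", re.I)
KEY_HEADER = re.compile(r"^\[(-?)(HKEY_[^\]]*)\]$")
VALUE_LINE = re.compile(r'^"([^"]+)"=(?:"(.*)"|(-))$')


def parse_registry_section(text: str) -> Tuple[List[dict], List[str]]:
    """Return (entries, syntax_errors) for the Registry:: section.

    Each entry is {"key": str, "delete": bool, "values": {name: data}};
    data is None when the line was "name"=- (delete the value)."""
    entries: List[dict] = []
    errors: List[str] = []
    current = None
    in_registry = False
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        if line.endswith("::"):            # section marker: KILLALL::, Registry::, ...
            in_registry = (line == "Registry::")
            continue
        if not in_registry:
            continue
        if line.startswith("["):
            m = KEY_HEADER.match(line)
            if not m:                      # e.g. "[-HKEY_...\parameters" missing its "]"
                errors.append(f"line {lineno}: unterminated key header {line!r}")
                current = None
                continue
            current = {"key": m.group(2), "delete": m.group(1) == "-", "values": {}}
            entries.append(current)
            continue
        m = VALUE_LINE.match(line)
        if m is None or current is None:
            errors.append(f"line {lineno}: malformed or orphaned value line {line!r}")
            continue
        current["values"][m.group(1)] = m.group(2)   # None for "name"=-
    return entries, errors


def audit(text: str) -> List[str]:
    """Findings a reviewer wants before merging: syntax errors, whole-key
    deletions of Tcpip Parameters, and rogue DhcpNameServer data."""
    entries, findings = parse_registry_section(text)
    for e in entries:
        if e["delete"] and TCPIP_PARAMS.search(e["key"]):
            findings.append(f"deletes whole key {e['key']} (breaks DHCP client)")
        dns = e["values"].get("DhcpNameServer")
        if dns:
            rogue = sorted(set(dns.split()) & ROGUE_DNS)
            if rogue:
                findings.append(f"{e['key']} DhcpNameServer names rogue resolver(s) {rogue}")
    return findings


# Constructed sample: first key header is missing its "]", last key is a whole-key deletion.
SAMPLE_SCRIPT = r"""KILLALL::

Registry::
[-HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters
"DhcpNameServer"="93.188.161.105 93.188.166.105 1.2.3.4"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{6fe45f14-137b-429a-a235-3900826eb308}]
"DhcpNameServer"="93.188.161.105 93.188.166.105 1.2.3.4"

[-HKEY_LOCAL_MACHINE\system\controlset001\services\tcpip\parameters]
"DhcpNameServer"=""
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_SCRIPT):
        print(finding)
```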
  20. Evie74

    Evie74 Private E-2

    Thanks so much!! Here are the files.
    I STILL can't update ..... tell me am I infected with some really unusually pesky things??

    :confused

    But thank you, awaiting for your reply ....
     

    Attached Files:

  21. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Let's try a slightly modified fix.



    Now we need to use ComboFix
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    • If ComboFix tells you it has expired or needs to be updated to a new version, make sure you allow it to update.
    • Open Notepad and copy/paste the text in the below quote box into it:
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below
    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.


    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).



    Then attach the below logs:
    • C:\ComboFix.txt
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
  22. Evie74

    Evie74 Private E-2

    Hi, a big problem occurred after running the new script(?) with Combofix -- now I can't connect to the internet! It says DHCP server(?) is not available. I made a screen shot of every prompt I saw from Windows and pasted them into a Word doc so please take a look. I'm sending this from another computer. I saved my files to a thumb drive and moved them to the different computer.

    Thanks so much! Looking forward to hearing from you soon!


    ****
    WHoa ... I tried to attach the Word document but it's not letting me! It says something about missing security token. I will try and see if I can send it separately in another post.
     

    Attached Files:

  23. Evie74

    Evie74 Private E-2

    I tried again, but the same problem -- this is on a different computer trying to save Word 2003 document and it says I don't have security token.

    "Your submission could not be processed because a security token was missing.

    If this occurred unexpectedly, please inform the administrator and describe the action you performed before you received this error."

    This is what the popup windows are saying:

    "Windows tried a repair but a problem still exists.
    The DHCP client service is not running on this computer"

    Thanks so much for your help. I really need it now!!!
     
  24. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Click Start, Run and copy and paste the below into the Run box and click OK.

    netsh winsock reset catalog


    Did this fix the problem? If not, please power cycle your router and cable/DSL modems and see if there is any change.
     
  25. Evie74

    Evie74 Private E-2

    Hi, Thank you Chaslang -- I tried the command but it didn't do anything.

    Anything else I can do? I wonder if I should do system restore.

    ***

    As I do this, I noticed one curious thing --- every time I restarted my computer which Combofix makes it do, I see a new icon for Internet Explorer on my desktop. My default browser is Firefox so each time I take it to Recycle Bin, and the icon disappears without ever getting into the bin. But when I reboot again with Combofix, the IE icon appears again.

    Also another thing I noticed -- before I started this whole process, I reinstalled the system. I don't know the proper term for it, but basically I wiped out the hard drive and clean installed the system from scratch. -- OR SO I HAD THOUGHT -- now that I am on this other computer, on which foreign scripts are not placed (so I had to go to control panel to install them), it reminded me that after the reinstallation of the system, I didn't need to get the scripts back on at all -- it was already there! So, I'm starting to wonder if the reinstallation was successful at all.

    I use Lenovo T400 I think it's called "Thinkpad," and I had to order the reinstallation CD. Before the reinstallation, I called Lenovo and tried to reinstall the system through the system partition, without CDs, but it didn't work, the files were corrupt or something like that (excuse my lack of technical expertise), so they sent me these CDs which I thought was weird because they gave me CD 1, and then 3 (part 1 and 2) = in all 3 CDs for part 1 and 3, the latter with 2 CDs, but without Part 2, addition of which would have made the CD set more than 3.

    I didn't mention the reinstallation since I had thought that my computer should have a clean slate to work on. Now I wonder though, after using a thumb drive, maybe there are also viruses on it too -- I have two external hard drives, one thumb drive and the other a little larger one.

    Please, I'm waiting for your response. Thank you so much for devoting your time and energy on this. You guys are doing amazing work.

    Thanks so much for your help!!!!!
     
  26. Evie74

    Evie74 Private E-2

    [UPDATE] I just called Lenovo and asked them if I had the right CDs for reinstallation, and they said yes, and that I should have been able to reinstall the system and put it back to the clean slate. But I find it so_very_odd that I didn't need to install the foreign language fonts from control panel after reinstallation... not to mention persisting update problems for antimalware programs.

    I wonder if my computer got re-infected in a matter of a few minutes after reinstallation when I downloaded Symantec Endpoint (which is provided through my university website, a trustworthy page, I believe??) or when I moved my data from an external harddrive (if the harddrive was also infected.)

    I'm longingly waiting for your expert advice. :cry Thank you for your help -- Looking forward to hearing from you soon!!!!!!!!!!!!! :cool


     
  27. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Click Start, Run, and enter services.msc into the Run box and click Ok. In the Services window, scroll down to the DHCP Client service and double click on it. Change the Startup type to Automatic ( if not already set this way ) and then click the Start button and make sure that the Service status changes to Started.

    If you get the service started, see if you can then connect to the internet.


    I cannot help you here with regards to CDs from Lenovo as it has nothing to do with Malware Removal and I have no idea what CDs they are sending you. Please stay on topic of malware problems and malware removal.

    Note that PCs need to have protection software installed BEFORE they are even connected to the internet. Infections can occur in as little as 1 or 2 minutes of connecting to a highspeed connection when there is no protection software in place.
     
  28. Evie74

    Evie74 Private E-2

    THANKS it's resolved ... I clean-installed the disks again but this time, before I connected to the internet, I reset the routers to default and that seems to have done the trick. So it was DNS problem. I was able to download the spybot and Symantec and the other programs without any problems.

    THANK YOU SO MUCH!!!!!

    :p;):):cool
     
  29. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome.



    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources ( except a little disk space ) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /uninstall
        • Notes: The space between the combofix" and the /uninstall, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
    3. Go back to step 6 of the READ ME and re-enable your Disk Emulation software with Defogger if you had disabled it.
    4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    7. Go to add/remove programs and uninstall HijackThis.
    8. Go to the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    9. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures pointed to by step 7 of the READ ME for your Windows version and see the instructions to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    10. After doing the above, you should work thru the below link:
     
