redirect virus? Microsoft Security Essentials no longer working

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by Superlost6, Dec 6, 2013.

  1. Superlost6

    Superlost6 Specialist

    Hello. I have a Dell Dimension 3000 running the XP operating system with a 70 GB hard drive and 1.5 GB RAM. My sister dropped this off to me because there was a "SLOOOW" issue when trying to do "anything" in Windows.

    I noticed that when I ran a scan using MWB, after 20 hrs on a "quick scan" MWB was still in the temp folder (IE5 temp files). At that time I stopped the scan and looked at the hard drive "pie": it was 100% FULL. I ran a "clean-up" scan for well over 29 hrs until it deleted every Internet Explorer temp file and I regained the hard drive back to a normal 40+ GB of free space.

    I then noticed that her "virus scanner", Microsoft Security Essentials, was not running, nor would it open. I uninstalled, then re-installed, with no success in re-installing.

    At this point I ran a few online scans: McAfee Security Scan, Bitdefender online scan, and Trend Micro HouseCall. All scans came back NO INFECTIONS.

    I then knew it was time to do the malware removal scans and have my logs checked. That's where I'm at now.

    I ran Malwarebytes: found 1 trojan (see log).

    I ran SUPERAntiSpyware: found some threats (see log).

    I ran Hitman Pro: it found some NASTY virus items, including a redirect virus for Microsoft Security Essentials (my trial is over for this program, so I COULD NOT FIX any of the findings on this scan) (see log) :cry

    I ran TDSSKiller: no threats found (see log).

    I ran a RogueKiller scan (see log).

    I ran MGtools: it had an issue with scanning at "Processing dll.exe", so I hit cancel (see log).
     

    Attached Files:

  2. Superlost6

    Superlost6 Specialist

    Here is one more log
     

    Attached Files:

  3. Superlost6

    Superlost6 Specialist

    Sorry, the MWB scan from the last post was a "quick scan". I just did a "Full scan"; here is the log.



    Malwarebytes Anti-Malware 1.75.0.1300
    www.malwarebytes.org

    Database version: v2013.12.05.02

    Windows XP Service Pack 3 x86 NTFS
    Internet Explorer 7.0.5730.13
    thomas mitchell :: D8XZLM71 [administrator]

    12/6/2013 6:20:30 AM
    mbam-log-2013-12-06 (06-20-30).txt

    Scan type: Full scan (C:\|)
    Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
    Scan options disabled: P2P
    Objects scanned: 315166
    Time elapsed: 4 hour(s), 32 minute(s), 15 second(s)

    Memory Processes Detected: 0
    (No malicious items detected)

    Memory Modules Detected: 0
    (No malicious items detected)

    Registry Keys Detected: 0
    (No malicious items detected)

    Registry Values Detected: 0
    (No malicious items detected)

    Registry Data Items Detected: 0
    (No malicious items detected)

    Folders Detected: 0
    (No malicious items detected)

    Files Detected: 12
    C:\RECYCLER\S-1-5-18\$821e52c3da2fd9873946971d5e165416\U\00000001.@ (Trojan.0Access) -> Quarantined and deleted successfully.
    C:\RECYCLER\S-1-5-18\$821e52c3da2fd9873946971d5e165416\U\80000000.@ (Trojan.0Access) -> Quarantined and deleted successfully.
    C:\RECYCLER\S-1-5-18\$821e52c3da2fd9873946971d5e165416\U\800000cb.@ (Trojan.0Access) -> Quarantined and deleted successfully.
    C:\RECYCLER\S-1-5-21-3682724716-343198631-3683149400-1007\$821e52c3da2fd9873946971d5e165416\U\00000001.@ (Trojan.0Access) -> Quarantined and deleted successfully.
    C:\RECYCLER\S-1-5-21-3682724716-343198631-3683149400-1007\$821e52c3da2fd9873946971d5e165416\U\80000000.@ (Trojan.0Access) -> Quarantined and deleted successfully.
    C:\RECYCLER\S-1-5-21-3682724716-343198631-3683149400-1007\$821e52c3da2fd9873946971d5e165416\U\800000cb.@ (Trojan.0Access) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP2462\A0351467.exe (PUP.Optional.iBryte) -> Quarantined and deleted successfully.
    C:\TDSSKiller_Quarantine\17.11.2012_21.25.14\mbr0000\tdlfs0000\tsk0006.dta (Trojan.TDSS) -> Quarantined and deleted successfully.
    C:\TDSSKiller_Quarantine\17.11.2012_21.25.14\mbr0000\tdlfs0000\tsk0007.dta (Rootkit.TDSS.64) -> Quarantined and deleted successfully.
    C:\TDSSKiller_Quarantine\17.11.2012_21.25.14\mbr0000\tdlfs0000\tsk0011.dta (Rootkit.TDSS) -> Quarantined and deleted successfully.
    C:\TDSSKiller_Quarantine\17.11.2012_21.25.14\mbr0000\tdlfs0000\tsk0015.dta (Rootkit.TDSS) -> Quarantined and deleted successfully.
    C:\TDSSKiller_Quarantine\17.11.2012_21.25.14\mbr0000\tdlfs0000\tsk0016.dta (Rootkit.TDSS) -> Quarantined and deleted successfully.

    (end)
     
  4. Superlost6

    Superlost6 Specialist

    Here is what happens when I re-install the Microsoft Security virus program (see image).
     

    Attached Files:

  5. Superlost6

    Superlost6 Specialist

    Sorry for all the additional logs. I'm doing this between 2 jobs. Thanks for your patience. Here is the LAST LOG; I did a ComboFix scan.
    Thanks guys & gals.
    Any assistance is welcome.
    Superlost6
     

    Attached Files:

  6. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Hi there. :)


    Before we continue I would like for you to use MSConfig to put this machine back into normal startup mode.


    Fix items using RogueKiller.

    Double-click RogueKiller.exe to run. (Vista/7 right-click and select Run as Administrator)
    When it opens, press the Scan button
    Now click the File/Folder tab and locate these detections:

    • [ZeroAccess][File] n : C:\RECYCLER\S-1-5-18\$821e52c3da2fd9873946971d5e165416\n [-] --> FOUND
    • [ZeroAccess][File] @ : C:\RECYCLER\S-1-5-18\$821e52c3da2fd9873946971d5e165416\@ [-] --> FOUND
    • [ZeroAccess][File] @ : C:\RECYCLER\S-1-5-21-3682724716-343198631-3683149400-1007\$821e52c3da2fd9873946971d5e165416\@ [-] --> FOUND
    • [ZeroAccess][Folder] U : C:\RECYCLER\S-1-5-18\$821e52c3da2fd9873946971d5e165416\U [-] --> FOUND
    • [ZeroAccess][Folder] U : C:\RECYCLER\S-1-5-21-3682724716-343198631-3683149400-1007\$821e52c3da2fd9873946971d5e165416\U [-] --> FOUND
    • [ZeroAccess][Folder] L : C:\RECYCLER\S-1-5-18\$821e52c3da2fd9873946971d5e165416\L [-] --> FOUND
    • [ZeroAccess][Folder] L : C:\RECYCLER\S-1-5-21-3682724716-343198631-3683149400-1007\$821e52c3da2fd9873946971d5e165416\L [-] --> FOUND
    • [ZeroAccess][Junction] Backup : C:\Program Files\Microsoft Security Client\Backup >> \systemroot\system32\config [-] --> FOUND
    • [ZeroAccess][Junction] Drivers : C:\Program Files\Microsoft Security Client\Drivers >> \systemroot\system32\config [-] --> FOUND
    • [ZeroAccess][Junction] en-us : C:\Program Files\Microsoft Security Client\en-us >> \systemroot\system32\config [-] --> FOUND
    Place a checkmark next to each of these items, leave the others unchecked.
    Now press the Delete button.
    When it is finished, there will be a log on your desktop called: RKreport[2].txt
    Attach RKreport[2].txt to your next message. (How to attach)
    Reboot the machine.




    Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    • R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ask.com/?l=dis&o=2159&gct=hp
    • R3 - URLSearchHook: (no name) - {A3BC75A2-1F87-4686-AA43-5347D756017C} - (no file)
    • R3 - URLSearchHook: (no name) - EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
    • R3 - URLSearchHook: (no name) - CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
    • R3 - URLSearchHook: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
    • O2 - BHO: (no name) - {4D25F921-B9FE-4682-BF72-8AB8210D6D75} - (no file)
    • O3 - Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
    After clicking Fix exit HJT.



    Delete this:
    c:\windows\system32\drivers\jmfibpaf.sys


    What are these?
    • C:\Documents and Settings\thomas mitchell\Local Settings\Application Data\bdvsjlfda
    • C:\Documents and Settings\thomas mitchell\Local Settings\Application Data\xtfdkyhgr



    Re run Malware Bytes and attach the log.

    Re run Hitman, let's see if anything remains. Attach the log from that too please.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. (Right click and run as admin if using Vista, Windows7 or Win8) Then attach the new C:\MGlogs.zip file that will be created by running this.

    Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now!
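The RECYCLER store named `$<32 hex chars>` with its `@`, `n`, `U` and `L` children, and the junctions that replace sub-folders of `C:\Program Files\Microsoft Security Client` with links into `\systemroot\system32\config`, are the fingerprints of the ZeroAccess (Sirefef) variant that disables Microsoft Security Essentials, and they explain why MSE would neither start nor reinstall in this thread. The Malwarebytes log above also mixes those live indicators with inert copies (the November 2012 TDSSKiller quarantine, a restore point). The script below is an added example, not code from this thread or from Malwarebytes, RogueKiller or any other tool named here: it classifies paths by those rules, runs over a constructed sample assembled from the log lines quoted in the posts, and can be pointed at a live volume. The regular expressions, the `Finding` type, the function names and the sample text are my own assumptions; Python 3.8 or newer is assumed.

```python
"""ZeroAccess triage helper (added example; not from the thread or its tools).

classify_path()/parse_log() apply rules derived from the paths quoted in this
thread to pasted Malwarebytes / RogueKiller log lines; scan_host() applies the
same rules to a live volume (Windows, Python 3.8+, run as Administrator).
"""
import os
import re
import stat
from dataclasses import dataclass
from typing import List, Optional

# ZeroAccess (Sirefef) kept its payload store in a hidden "$<32 hex>" folder
# under RECYCLER\<SID>\, holding "@" and "n" files plus "U" and "L" folders.
_ZA_STORE = re.compile(
    r"^(?P<root>[A-Za-z]:\\RECYCLER\\S-1-5-[0-9-]+\\\$[0-9a-f]{32})"
    r"(?:\\(?P<child>@|n|U|L)(?:\\.*)?)?$", re.I)
# It also swapped sub-folders of the MSE install directory for junctions into
# system32\config, which is why MSE would neither start nor reinstall here.
_MSE_DIR = re.compile(r"^[A-Za-z]:\\Program Files\\Microsoft Security Client\\", re.I)
_CONFIG_TARGET = re.compile(r"\\system32\\config\\?$", re.I)
# Quarantine stores and restore points hold inert copies, not a live infection.
_INERT = re.compile(r"^[A-Za-z]:\\(?:TDSSKiller_Quarantine|System Volume Information)\\", re.I)
# Line shapes printed by Malwarebytes 1.x and RogueKiller, as seen in the posts.
_MBAM = re.compile(r"^(?P<path>[A-Za-z]:\\.+?) \((?P<name>[^)]+)\) -> (?P<action>.+?)\.?$")
_RK = re.compile(r"^\[ZeroAccess\]\[(?:File|Folder|Junction)\] \S+ : (?P<path>.+?)"
                 r"(?: >> (?P<target>\S+))? \[-\] --> FOUND$")


@dataclass(frozen=True)
class Finding:
    path: str
    kind: str    # zeroaccess_store | zeroaccess_junction | inert_copy | other_detection
    detail: str


def classify_path(path: str, link_target: Optional[str] = None) -> Optional[Finding]:
    """Classify one path; pass the reparse-point target when the path is a junction."""
    if _INERT.match(path):
        return Finding(path, "inert_copy", "quarantine/restore-point copy, not active")
    m = _ZA_STORE.match(path)
    if m:
        return Finding(m.group("root"), "zeroaccess_store",
                       f"hit on {m.group('child') or '<store root>'}")
    if link_target and _MSE_DIR.match(path) and _CONFIG_TARGET.search(link_target):
        return Finding(path, "zeroaccess_junction", f"junction -> {link_target}")
    return None


def parse_log(text: str) -> List[Finding]:
    """Run the classifier over pasted log lines (bullets and blank lines tolerated)."""
    out: List[Finding] = []
    for raw in text.splitlines():
        line = raw.strip().lstrip("• ").strip()
        if m := _RK.match(line):
            f = classify_path(m.group("path"), m.group("target"))
        elif m := _MBAM.match(line):
            f = classify_path(m.group("path")) or Finding(m.group("path"), "other_detection", "")
            f = Finding(f.path, f.kind, f"{m.group('name')} {f.detail}".strip())
        else:
            continue
        if f:
            out.append(f)
    return out


def kinds(findings: List[Finding]) -> dict:
    """Count per kind so live indicators stand out from inert residue."""
    counts: dict = {}
    for f in findings:
        counts[f.kind] = counts.get(f.kind, 0) + 1
    return counts


def scan_host(drive: str = "C:") -> List[Finding]:
    """Same rules against a live volume; only meaningful on Windows, elevated."""
    found: List[Finding] = []
    recycler = drive + "\\RECYCLER"
    for sid in (os.listdir(recycler) if os.path.isdir(recycler) else []):
        sid_dir = os.path.join(recycler, sid)
        for name in (os.listdir(sid_dir) if os.path.isdir(sid_dir) else []):
            f = classify_path(os.path.join(sid_dir, name))
            if f:
                found.append(f)
    mse = drive + "\\Program Files\\Microsoft Security Client"
    for name in (os.listdir(mse) if os.path.isdir(mse) else []):
        p = os.path.join(mse, name)
        if getattr(os.lstat(p), "st_file_attributes", 0) & stat.FILE_ATTRIBUTE_REPARSE_POINT:
            f = classify_path(p, os.readlink(p))  # junction targets readable since Python 3.8
            if f:
                found.append(f)
    return found


# Constructed sample, assembled from lines quoted in this thread's logs.
SAMPLE_LOG = r"""
C:\RECYCLER\S-1-5-18\$821e52c3da2fd9873946971d5e165416\U\00000001.@ (Trojan.0Access) -> Quarantined and deleted successfully.
C:\TDSSKiller_Quarantine\17.11.2012_21.25.14\mbr0000\tdlfs0000\tsk0006.dta (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP2462\A0351467.exe (PUP.Optional.iBryte) -> Quarantined and deleted successfully.
• [ZeroAccess][Folder] U : C:\RECYCLER\S-1-5-21-3682724716-343198631-3683149400-1007\$821e52c3da2fd9873946971d5e165416\U [-] --> FOUND
• [ZeroAccess][Junction] Backup : C:\Program Files\Microsoft Security Client\Backup >> \systemroot\system32\config [-] --> FOUND
"""

if __name__ == "__main__":
    for f in parse_log(SAMPLE_LOG):
        print(f"{f.kind:20} {f.path}  ({f.detail})")
    print(kinds(parse_log(SAMPLE_LOG)))
```

Two caveats for anyone reusing this. First, `os.readlink()` only resolves junctions from Python 3.8 onward, and no Python 3.8 build runs on Windows XP, so `scan_host()` is meant to be run from a current Windows machine with the XP drive slaved in (pass that drive letter), which is also the safer way to inspect a box whose own security software has been tampered with. Second, an `inert_copy` hit is still worth reporting: the TDSSKiller quarantine dated 17.11.2012 shows the machine had a TDSS rootkit a year before this thread, which is useful history even though those files are not executable in place.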
     
  7. Superlost6

    Superlost6 Specialist

    Sorry for the late reply, it took all night to run the scans.

    1.) RogueKiller scan finished and NO "log" was created. (I clicked Get Log.) It was an empty Notepad. I also went to the Files tab: "empty" (see below image).

    2.) I ran C:\MGtools\analyse.exe and deleted the list of selected items.

    3.) Could not find c:\windows\system32\drivers\jmfibpaf.sys.

    4.) bdvsjlfda & xtfdkyhgr were not in the files/folders of C:\Documents and Settings\thomas mitchell\Local Settings\Application Data\.

    5.) Ran Malwarebytes, all clean.

    6.) Ran Hitman, a few tracking cookies.

    7.) Ran the C:\MGtools\GetLogs.bat (see logs).

    NOTE:
    After the last post where I ran "Full Scan" on MWB and ran ComboFix, I was able to successfully re-install the Microsoft Security virus program.

    PC seems a little slow to get going (yet it is 1 million years old). However, if you see anything else from this post, let me know.

    Thank you so very much for your kind assistance Kestrel13! :)
    Superlost6
     

    Attached Files:

  8. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Hi. :)

    Re run RogueKiller for me (just a scan) and attach the newest log report it creates.
     
  9. Superlost6

    Superlost6 Specialist

    Kestrel, Unfortunately I don't have the PC here. My sister came by yesterday and picked up the PC (she's so impatient) Thanks for all your assistance.
    Superlost6
     
  10. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    In future, your sister must not be so impatient. What if malware still remains? She will be coming back to you, who will be coming back to me. :) Next time, if there is a next time, we must see the procedures out from start to finish. And if she is still infected, she must realise it's not my fault or yours.
     
