Rootkit, Win 7 virus, and other issues

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by Moskva, Dec 10, 2011.

  1. Moskva

    Moskva Private E-2


    I was recently trying to clean up my late father's computer and came across a host of problems. The fake Win 7 clean program/virus was the one that got my attention since I basically couldn't do anything else on the computer. Combolog said I had a rootkit zero virus of some sort.

    I then tried to disable McAfee and run all the recommended programs from your site. I have seen a few error messages saying that pev.3xe of McAfee doesn't work and I need to run the chkdsk utility (chkdsk will not run, btw). Also I've seen an error for pev.exe. McAfee, when it was still loaded, said there was an artemis! virus but did not get rid of it.

    I could not run RootRepeal - not sure why. I still am having trouble running Firefox and IE explorer. Now I can get to websites, but you can tell from the processes on the bottom that other sites are still trying to hijack the browser when I click a link.

    Also I have the superspyware log, but there wasn't room to attach it.

    Thanks for the help!

    Computer info:
    windows 7
    service pack 1
    4gb ram (3 usable)
    intel core (tm2) quad cpu Q660 @2.40Ghz

    Attached Files:

  2. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Now download The Avenger by Swandog46 to your Desktop.

    See the download links under this icon [​IMG]
    Extract avenger.exe from the Zip file and save it to your desktop.

    1. Run avenger.exe by double-clicking on it.
    2. Click OK at the warning to continue to use The Avenger
    3. Do not change any of the check box options!
    4. Shut down your protection software now to avoid possible conflicts.
    5. Copy everything in the Quote box below, and paste it into the Input script here: part of The Avenger
    6. Now click the [​IMG] button
    7. Click Yes to the prompt to confirm you want to execute.
    8. Click Yes to the Reboot now? question that will appear when The Avenger finishes running.
    9. Your PC should reboot, if not, reboot it yourself.
    10. A log file from The Avenger will be produced at C:\avenger.txt and it will pop up for you to view when you log in after reboot.
    11. Attach this log to your next message. (See: HOW TO: Attach Items To Your Post )

    Go to the below link and follow the instructions for running TDSSKiller from Kaspersky

    Be sure to attach your log from TDSSKiller

    Please also download MBRCheck to your desktop.

    See the download links under this icon [​IMG]

    • Double click MBRCheck.exe to run (vista and Win 7 right click and select Run as Administrator)
    • It will show a Black screen with some information that will contain either the below line if no problem is found:
      • Done! Press ENTER to exit...
    • Or you will see more information like below if a problem is found:
      • Found non-standard or infected MBR.
      • Enter 'Y' and hit ENTER for more options, or 'N' to exit:
    • Either way, just choose to exit the program at this point since we want to see only the scan results to begin with.
    • MBRCheck will create a log named similar to MBRCheck_07.16.10_00.32.33.txt which is random based on date and time.
    • Attach this log to your next message. (See: HOW TO: Attach Items To Your Post )

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

    Then attach the below log:

    • C:\

    Make sure you tell me how things are working now!
  3. Moskva

    Moskva Private E-2

    Thanks for the help.

    I ran the programs and here are the logs.

    The internet is still deathly slow, though the rest of the computers on the network are working fine. I still see some other unrelated websites popping up in the script at the bottom of the browser. The browser goes to the correct site eventually, but something is still going on.

    Also when I reboot, auto disc check tries to run. The run fails, saying it can't access the drive due to a "recently installed program." This never appeared before.

    Attached Files:

  4. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    1. Run avenger.exe by double-clicking on it.
    2. Click OK at the warning to continue to use The Avenger
    3. Do not change any of the check box options!
    4. Shut down your protection software now to avoid possible conflicts.
    5. Copy everything in the Quote box below, and paste it into the Input script here: part of The Avenger
    6. Now click the [​IMG] button
    7. Click Yes to the prompt to confirm you want to execute.
    8. Click Yes to the Reboot now? question that will appear when The Avenger finishes running.
    9. Your PC should reboot, if not, reboot it yourself.
    10. A log file from The Avenger will be produced at C:\avenger.txt and it will pop up for you to view when you log in after reboot.
    11. Attach this log to your next message. (See: HOW TO: Attach Items To Your Post )

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

    Then attach the below log:

    • C:\

    Make sure you tell me how things are working now!
    Last edited: Dec 15, 2011
  5. Moskva

    Moskva Private E-2

    I followed the instructions but received this response: Error: invalid script. A valid script must begin with a command directive. Aborting execution!
  6. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Did you copy everything in the quote box?
  7. Moskva

    Moskva Private E-2

    Yes, just as you instructed. It wouldn't delete this folder the first time I ran the program either.
  8. Moskva

    Moskva Private E-2

    Actually that folder doesn't exist anymore in the c drive - I just looked for it. But I do see this one in its place: $RECYCLE.BIN.
  9. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    That's not a problem. Tell me what malware issues you are still having, if any?
  10. Moskva

    Moskva Private E-2

    The internet is still running extremely slow - takes two min or so to get a website, which makes no sense since all the computers on the network run well. Plus I still can't do a diskchk.

    I was just visiting home and had to go back to Europe, so there's no way I can do anything else on the computer at the moment anyway. Thanks for your help - at least I got the major issues cleared up. I'll take another look next time I'm home. Thanks again.
  11. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    When you return, start a new thread with the requested logs from the Read and Run First instructions and we can see if there is something we missed. Have a safe trip. ;)
