VICIOUS, EVIL malware

If you have access to a different computer, you can download and create this disc. You can use it to do a repair in the vista recovery environment:

Vista and Win7 Recovery disc

 

Yes, you now need to try to run all the required scans:
SAS
MBAM
ComboFix
C:\MGTools.exe --> and attach the C:\MGLogs.zip

 

Please download the TDSS Rootkit Removing Tool (TDSSKiller.exe) and save it to your Desktop. <-Important!!!


Be sure to download TDSSKiller.exe (v2.4.0.0) from Kaspersky's website and not TDSSKiller.zip which appears to be an older version 2.3.2.2 of the tool.

• Double-click on TDSSKiller.exe to run the tool for known TDSS variants.
  Vista/Windows 7 users right-click and select Run As Administrator.
• If TDSSKiller does not run, try renaming it.
• To do this, right-click on TDSSKiller.exe, select Rename and give it a random name with the .com file extension (i.e. 123abc.com). If you do not see the file extension, please refer to How to change the file extension.
• Click the Start Scan button.
• Do not use the computer during the scan
• If the scan completes with nothing found, click Close to exit.
• If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
• Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
• A log file named TDSSKiller_version_date_time_log.txt (i.e. TDSSKiller.2.4.0.0_27.07.2010_14.17.05_log.txt) will be created and saved to the root directory ( usually Local Disk C ).
• Attach this log to your next message

 

That looks like it took care of your MBR infection. Let's have you run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

Then attach the below logs:

* C:\MGlogs.zip

Yes, you can re-run MBAM and attach that log as well.

 

MBAM first.

 

Let's see if this helps:

* Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
If it is not on your Desktop, the below will not work.
* Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
* If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
* Open Notepad and copy/paste the text in the below code box into it (make sure you scroll all the way down in the code box to get all lines selected ):

Code:

KILLALL::

Driver::
gbaehybc

File::
c:\windows\system32\gbaehybc.dll

* Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
* At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
* You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
If it asks you to overide the previous file with the same name, click YES.
* Now use your mouse to drag CFscript.txt on top of ComboFix.exe

* Follow the prompts.
* When it finishes, a log will be produced named c:\combofix.txt
* I will ask for this log below

Note:

Do not mouseclick combofix's window while it is running. That may cause it to stall.

Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

Then attach the below logs:

* C:\ComboFix.txt
* C:\MGlogs.zip

Make sure you tell me how things are working now!

 

How rude!! Go HERE and click on the exe to get the zip registry fix.

Tell me if that works.

 

Try rebooting.

 

Still not seeing any malware in your logs. Please do an online scan and attach the log when done:

eSet Online Scan.

 

I don't think we are at that point yet.

Hard to say, but it might have.

That is a chance you take when using a flash drive instead of using a cd.

The virus's rarely attach themselves to documents.

If your eSet online scan failed, then lets try doing this:
Using BitDefender Online Scan.

 

I think you will be safe. Your logs have been indicating that you are malware free, but the online scan may find something I am missing. If you are worried about connecting at work, I would wait until you return home and connect there. Just to be on the safe side.

The other thing that I have been considering is to have you try to do a system restore to before this all occurred. Even if you go back to a point that still has malware, then we can re-run the scans. You risk losing anything you downloaded since then. But it may be a better choice.

 

Do you have a restore point before this all started happening?

 

Yes, just go to start / programs / accessories / system tools / system restore. Once that opens, you can click back to last month and choose a restore point.

 

Usually on the calender that comes up on a system restore, you have the option to click forward or backward on the months. Top left corner to go back a month. The restore point of the 5th would not do us any good.

When CheckDisc ran, did you happen to see any errors ..... bad sectors? That would indicate a problem with the Hard Drive.

Can you run the getlogs.bat now or is it still not working?

 

While I look over your logs, please go to C:\MGTools\analyse.exe and run it. Then attach the HJT log that will be produced.

Also, tell me what issues still exist.

 

You currently have the Administrator account disabled. I would like you to enable it. Then you can log into that account and see if you can run MBAM.

First you need to go to start / accessories / right click command prompt and choose run as administrator.

* Now type the following command:
net user administrator /active:yes

Reboot and you will have the choice for the Administrator account. Log in ( you won't need a password thought you should create a password at some point ). Download and install MBAM and see if it will run.

 

What I am thinking is that there is some corruption in the other user account. Since you have backed up all the data and files from that account, maybe what you should do is to create a new user account ( with admin. privileges ) and then transfer the data back over to the new account. Then you could delete the old account.

I am thinking that the old account was compromised by the infection. Which I believe is now taken care of.

This would be a lot simpler than trying to fix the corrupt account, esp. if you have things backed up.

( Do not forget to add a password to the new account as well as the Administrator account ).

 

The infection is gone. And you should be able to use windows explorer to "see" any files / program / data that you want to move to the new user account. If you have problems with that, you can post in the software forum. ( I am not trying to brush you off, just want to make sure you get answers that may come up for you. ) You can be confident that the system is clean now.

I don't recall what programs you have, but it should be no problem to redownload them. Plus the backups can be re-installed to the new user account without issue.

I will give you the final cleanup instructions for you to do when you feel confident ( though if you delete the old account, there is no reason to do them other than creating a new system restore point ).

If you are not having any other malware problems, it is time to do our final steps:

1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no real time protection. They do not use any significant amount of resources ( except a little disk space ) until you run a scan.We recommend them for doing backup scans when you suspect a malware infection.
2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
   
   • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
   • "%userprofile%\Desktop\combofix" /uninstall
     
     • Notes: The space between the combofix" and the /uninstall, it must be there.
     • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
     
     
   
   
3. Go back to step 6 of the READ ME and renable your Disk Emulation software with Defogger if you had disabled it.
4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
6. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
7. Go to add/remove programs and uninstall HijackThis.
8. Goto the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
9. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
   
   • Refer to the cleaning procedures pointed to by step 7 of the READ ME
     for your Window version and see the instructions to Disable System Restore which will flush your Restore Points.
   • Then reboot and Enable System Restore to create a new clean Restore Point.
   
   
10. After doing the above, you should work thru the below link:
    
    • How to Protect yourself from malware!
    
    

Support MajorGeeks with Geek Wear!

 

You are very welcome. Do scan the backup drive with both SAS and MBAM. Once you are confident that all is well, create the new user account and transfer to that account. Then, let me know if there is a problem. I am mainly concerned about your time deadline for returning the computer. I just want to know that all things are straightened out before you give it back.