MajorGeeks Support Forums

  #1  
08-07-11, 16:40
pazzoduc
Private First Class
Join Date: Feb 2008
Posts: 83
Thanks: 11
Thanked 0 Times in 0 Posts
Malware removal steps complete, still have problems

Infected by viruses; ran Spybot and Malwarebytes. MWB had been turned off, which is not normal. Still had problems, so I completed the Read Me steps. Still have problems.

Computer would not operate in std mode, so steps up to combofix were done in safe mode. Safe mode did not allow uninstall of Java, so this step was skipped.

Running Vista 64 so RootRepeal was not done.

Everything was fine for a few minutes. Browsed major geeks for a moment and start-up programs seemed fine.

When re-enabling User Account Control, double-clicking the EnableUAC.reg brought up the "Windows does not recognize this file extension, browse to find the correct program" message. Tried twice, same result. So I did it manually through Control Panel and rebooted. Everything fine.

After re-start, step 6 of Vista instructions, right clicked Computer and things went bad. Computer locked. Tried a few times rebooting and problems got worse. Now in STD mode computer locks or screen goes black. Task manager will not come up to see what apps and processes are running. Sometimes desktop or startmenu will fade to grey and everything locks.

Also of note, in STD mode I get a pop-up window titled Security Alert: "You are about to view pages over a secure connection... no one will be able to see pages" etc. I closed the window, clicked Google Chrome to navigate to MajorGeeks and all seemed well enough. Clicked Restore Pages; then, while navigating to MajorGeeks, the browser locked with the message "waiting on cache".

Now computer boots in STD mode, but erratically. Safe mode with networking is all I can do and still have access to MG.

Attaching logs.
Also attaching log from Malware Bytes std operation, and then log from first run before Read Me steps. In next post...
Attached Files
File Type: txt SASlog.txt (591 Bytes, 7 views)
File Type: txt MWB protection-log-2011-08-07.txt (228 Bytes, 6 views)
File Type: txt combofix log 8-7-11.txt (15.9 KB, 9 views)
File Type: zip MGlogs.zip (191.6 KB, 7 views)
  #2  
08-07-11, 16:41
pazzoduc
Private First Class
Join Date: Feb 2008
Posts: 83
Thanks: 11
Thanked 0 Times in 0 Posts
Re: Malware removal steps complete, still have problems

Other MWB logs attached...
Attached Files
File Type: txt MWB protection-log-2011-08-05.txt (510 Bytes, 4 views)
File Type: txt MWB protection-log-2011-08-06.txt (972 Bytes, 3 views)
  #3  
08-07-11, 20:03
thisisu
Malware Consultant
Join Date: Apr 2006
Location: Houston, TX
Posts: 8,179
Thanks: 270
Thanked 1,437 Times in 1,356 Posts
Re: Malware removal steps complete, still have problems

Go to the below link and follow the instructions for running TDSSKiller by Kaspersky
Please also download MBRCheck to your Desktop.
See the download links under this icon
  • Double click MBRCheck.exe to run (Vista and Win7 right click and select Run as Administrator)
  • It will show a Black screen with some information that will contain either the below line if no problem is found:
    • Done! Press ENTER to exit...
  • Or you will see more information like below if a problem is found:
    • Found non-standard or infected MBR.
    • Enter 'Y' and hit ENTER for more options, or 'N' to exit:
  • Either way, just choose to exit the program at this point since we want to see only the scan results to begin with.
  • MBRCheck will create a log named similar to MBRCheck_07.16.10_00.32.33.txt which is random based on date and time.
  • Attach this log to your next message. (How to attach items to your post)

Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

Run C:\MGtools\analyse.exe by double-clicking it (Vista and Win7 right-click and select Run as Administrator)
Choose Do a system scan only and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
Quote:
O2 - BHO: Bing Bar Helper - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - "C:\Program Files (x86)\Microsoft\BingBar\BingExt.dll" (file missing)
O3 - Toolbar: Bing Bar - {8dcb7100-df86-4384-8842-8fa844297b3f} - "C:\Program Files (x86)\Microsoft\BingBar\BingExt.dll" (file missing)
After clicking Fix, exit HJT.


Now we need to use ComboFix
  • Make sure that ComboFix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
    • If it is not on your Desktop, the below will not work.
  • Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
  • If ComboFix tells you it has expired or needs to be updated to a new version, make sure you allow it to update.
  • Open Notepad and copy/paste the text in the below quote box into it:
Quote:
KILLALL::

File::
C:\Users\Kirk\AppData\Local\Temp\Crb4AD5.tmp.mht

DirLook::
C:\Users\Kirk\AppData\Local\temp
C:\TABC

Registry::
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{d2ce3e00-f94a-4740-988e-03dc2f38c34f}]

RegLock::
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10h.ocx"
"ThreadingModel"="Apartment"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.10"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10h.ocx, 1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10h.ocx"
"ThreadingModel"="Apartment"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10h.ocx, 1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}]
@Denied: (A 2) (Everyone)
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0]
@="Shockwave Flash"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}]
@Denied: (A 2) (Everyone)
@=""
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}\1.0]
@="FlashBroker"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes]
"SymbolicLinkValue"=hex(6):5c,00,52,00,45,00,47,00,49,00,53,00,54,00,52,00,59,
00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,4f,00,46,00,\
  • Save the above as CFScript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
  • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
  • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
  • Now use your mouse to drag CFScript.txt on top of ComboFix.exe
  • Follow the prompts.
  • When it finishes, a log will be produced named C:\ComboFix.txt
  • Attach this log to your next message. (How to attach items to your post)
Note: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

If after running ComboFix you discover none of your programs will open up because you receive the following error: "Illegal operation attempted on a registry key that has been marked for deletion", then you will need to reboot your computer, which will normally fix this problem.

Now run C:\MGtools\GetLogs.bat by double-clicking on it (Vista and Win7 right click and select Run as Administrator)

This will automatically update all the logs in MGlogs.zip!
Make sure you click Accept on the License Agreement from HiJackThis!/analyse.exe twice (yes twice) if prompted.

Then attach C:\MGlogs.zip to your next message (How to attach items to your post)
  #4  
08-08-11, 11:11
pazzoduc
Private First Class
Join Date: Feb 2008
Posts: 83
Thanks: 11
Thanked 0 Times in 0 Posts
Re: Malware removal steps complete, still have problems

OK, next steps completed.

TDSSKiller found nothing....
MBRCheck found the non-standard/infected MBR.

Logs attached.
Attached Files
File Type: txt TDSSKiller.2.5.14.0_08.08.2011_08.11.53_log.txt (57.8 KB, 4 views)
File Type: txt MBRCheck_08.08.11_08.36.41.txt (8.3 KB, 7 views)
File Type: txt ComboFix.txt (12.2 KB, 4 views)
File Type: zip MGlogs.zip (201.7 KB, 4 views)
  #5  
08-09-11, 02:40
thisisu
Malware Consultant
Join Date: Apr 2006
Location: Houston, TX
Posts: 8,179
Thanks: 270
Thanked 1,437 Times in 1,356 Posts
Re: Malware removal steps complete, still have problems

You have an infected Master Boot Record (MBR). Since MBR infections are only worsening, we recommend that you make sure you have any important data backed up before proceeding with the below.

Do you have your Windows Vista install DVD? If so,
  1. Put the Windows Vista installation disc in the disc drive, and then start the computer.
  2. Press a key when you are prompted.
  3. Select a language, a time, a currency, a keyboard or an input method, and then click Next.
  4. Click Repair your computer.
  5. Click the operating system that you want to repair, and then click Next.
  6. In the System Recovery Options dialog box, click Command Prompt.
  7. Type bootrec /fixmbr, and then press ENTER.
If warned that replacing the MBR may be risky, press Y to continue
Now type Exit to exit the Recovery Environment.

Note: There is a SPACE AFTER bootrec
Note: To start the computer from the Windows Vista DVD, the computer must be configured to start from the DVD drive. For more information about how to configure the computer to start from the DVD drive, see the documentation that is included with the computer or contact the computer manufacturer.

You can also view this page for more information on using Bootrec /fixmbr:
http://support.microsoft.com/kb/927392

After using the bootrec /fixmbr command, please reboot into Windows Vista and rerun MBRCheck and attach its new log here

Also let me know what malware problems you are still experiencing.
  #6  
08-09-11, 15:49
pazzoduc
Private First Class
Join Date: Feb 2008
Posts: 83
Thanks: 11
Thanked 0 Times in 0 Posts
Re: Malware removal steps complete, still have problems

I can't seem to get to the System Recovery options on the Vista disc.

I located the instructions and I am booting from the CD drive. But Vista boots completely; no System Recovery Options dialog box appears.

I checked the Dell support site and found an alternate method to do the MBR repair, but it is only compatible with 32bit systems. This box is 64bit.

Any Ideas? Anyone?
  #7  
02-14-12, 18:12
pazzoduc
Private First Class
Join Date: Feb 2008
Posts: 83
Thanks: 11
Thanked 0 Times in 0 Posts
Re: Malware removal steps complete, still have problems

OK, a bit of an update while I have some renewed enthusiasm.

I have been running various killer programs and fixing the registry when needed after killing off recurring viruses. A quick recap:
Downloaded and ran Roguekiller. Seems to have found a few prickly issues that Malwarebytes, Superantispyware, Spybot and Security Essentials all failed to find. But in removal, the registry was corrupted. So I downloaded AVG Recovery as suggested here: Linky. Ran every possible test and fix the program offered. After the MBR fix portion the CPU would not boot, it only cycled on and off just before the MS start screen. So I rebooted from the Dell/OEM Vista disc and went through the Start-up repair in System Recovery.

All seems well except MBRCheck still reports a Faked MBR.

At this moment I am confident that there are no active viruses on the machine. If there are, WOW. More power to them I guess. I have run and checked a huge number of diagnostic, fix, kill programs over the past few days.

I have attached the MBRCheck log. Is there anyone out there that can read the log to see if it is a true Rootkit problem or just a false negative? (see next post)

And if it is an issue, should I do something like this? Linky

At this point I have enough enthusiasm to try to be successful. Rather than just formatting and starting over!
  #8  
02-14-12, 18:15
pazzoduc
Private First Class
Join Date: Feb 2008
Posts: 83
Thanks: 11
Thanked 0 Times in 0 Posts
Re: Malware removal steps complete, still have problems

Log attached
Attached Files
File Type: txt MBRCheck_02.14.12_16.46.55.txt (13.1 KB, 4 views)
  #9  
02-14-12, 21:54
thisisu
Malware Consultant
Join Date: Apr 2006
Location: Houston, TX
Posts: 8,179
Thanks: 270
Thanked 1,437 Times in 1,356 Posts
Re: Malware removal steps complete, still have problems

Quote:
Originally Posted by pazzoduc View Post
All seems well except MBRCheck still reports a Faked MBR.
Maybe it was a fluke with MBRCheck. We have another tool to get a second opinion now.

Please download aswMBR to your desktop.
  • Double-click aswMBR.exe to run (Vista/7 right-click and select Run as Administrator)
  • Select No when asked "Would you like to download latest Avast! virus definitions?"
  • Click the [Scan] button.
  • On completion of the scan click [Save log], save it to your desktop and attach this log to your next message. (How to attach)
Quote:
Originally Posted by pazzoduc View Post
And if it is an issue, should I do something like this? Linky
The last MGlogs.zip you attached shows no indication of a hidden partition, plus these types of infections didn't start surfacing until late November 2011.
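MBRCheck, in the instructions earlier in this thread, decides whether the MBR code is one of the known standard ones, and the reply above looks at the logs for signs of a hidden partition. Here is an added example, not part of the thread and not MBRCheck's or aswMBR's code, that shows both checks in Python on a raw 512-byte sector: hash the bootstrap code region and compare it with a baseline, validate the 0x55AA signature and the partition entries, and report any tail of the disk the partition table does not cover. The baseline hash, both sample sectors, the disk size and the 1 MiB tail threshold are all constructed in the file; a real baseline would be recorded from a clean install of the same Windows version.

```python
"""Baseline check of a raw MBR sector, in the spirit of what MBRCheck and
aswMBR report in this thread. Added example, not MBRCheck's or aswMBR's code;
every sector and baseline hash here is constructed in this file."""
import hashlib
import struct
from dataclasses import dataclass
from typing import List, Optional, Set

SECTOR_SIZE = 512
BOOT_CODE_LEN = 440            # bootstrap code occupies bytes 0..439
PART_TABLE_OFFSET = 446        # four 16-byte partition entries follow the disk signature
BOOT_SIGNATURE = b"\x55\xaa"   # bytes 510..511
ENTRY_FMT = "<B3xB3xII"        # status, CHS start (skipped), type, CHS end (skipped), LBA start, count
UNALLOCATED_TAIL_LIMIT = 2048  # constructed heuristic: flag more than 1 MiB of sectors past the last partition


@dataclass
class Partition:
    index: int
    status: int
    type_id: int
    lba_start: int
    sector_count: int

    @property
    def bootable(self) -> bool:
        return self.status == 0x80

    @property
    def lba_end(self) -> int:
        return self.lba_start + self.sector_count   # exclusive


def boot_code_hash(mbr: bytes) -> str:
    """SHA-256 over the bootstrap code only, so the value does not change with
    the disk signature or partition table and can be compared across machines."""
    return hashlib.sha256(mbr[:BOOT_CODE_LEN]).hexdigest()


def parse_partitions(mbr: bytes) -> List[Partition]:
    parts = []
    for i in range(4):
        status, type_id, start, count = struct.unpack_from(ENTRY_FMT, mbr, PART_TABLE_OFFSET + 16 * i)
        if type_id != 0:                      # type 0 marks an empty slot
            parts.append(Partition(i, status, type_id, start, count))
    return parts


def check_mbr(mbr: bytes, baseline: Set[str], disk_sectors: Optional[int] = None) -> dict:
    """Return findings for a human to review; an unknown code hash on its own
    is a prompt for a second opinion, not proof of infection."""
    findings = []
    if len(mbr) != SECTOR_SIZE:
        return {"ok": False, "hash": None, "findings": ["sector is not 512 bytes"], "partitions": []}
    if mbr[510:512] != BOOT_SIGNATURE:
        findings.append("missing 0x55AA boot signature")
    code_hash = boot_code_hash(mbr)
    if code_hash not in baseline:
        findings.append("bootstrap code does not match any known-good baseline")
    parts = parse_partitions(mbr)
    for p in parts:
        if p.status not in (0x00, 0x80):
            findings.append(f"partition {p.index}: invalid status byte 0x{p.status:02x}")
    if sum(p.bootable for p in parts) > 1:
        findings.append("more than one partition marked bootable")
    if disk_sectors is not None and parts:
        tail = disk_sectors - max(p.lba_end for p in parts)
        if tail > UNALLOCATED_TAIL_LIMIT:
            findings.append(f"{tail} sectors after the last partition are not described by the table")
    return {"ok": not findings, "hash": code_hash, "findings": findings, "partitions": parts}


def build_sample_mbr(boot_code: bytes, entries) -> bytes:
    """Constructed sample sector: boot code padded to 440 bytes, zero disk
    signature, the given (status, type, lba_start, count) entries, 0x55AA."""
    sector = bytearray(SECTOR_SIZE)
    sector[:len(boot_code)] = boot_code
    for i, (status, type_id, start, count) in enumerate(entries):
        struct.pack_into(ENTRY_FMT, sector, PART_TABLE_OFFSET + 16 * i, status, type_id, start, count)
    sector[510:512] = BOOT_SIGNATURE
    return bytes(sector)


# Constructed stand-in for code recorded from a clean install (not real Windows MBR bytes).
CLEAN_CODE = b"\x33\xc0\x8e\xd0\xbc\x00\x7c" + bytes(range(7, 200))
DISK_SECTORS = 204800                                   # constructed 100 MiB disk
CLEAN_MBR = build_sample_mbr(CLEAN_CODE, [(0x80, 0x07, 2048, DISK_SECTORS - 2048)])
BASELINE = {boot_code_hash(CLEAN_MBR)}

# Constructed tampered sector: first bytes of the code replaced and the NTFS partition
# shortened, leaving a region at the end of the disk that the table does not describe.
TAMPERED_CODE = b"\xeb\xfe" + CLEAN_CODE[2:]
TAMPERED_MBR = build_sample_mbr(TAMPERED_CODE, [(0x80, 0x07, 2048, 150000 - 2048)])

if __name__ == "__main__":
    for name, mbr in (("clean", CLEAN_MBR), ("tampered", TAMPERED_MBR)):
        result = check_mbr(mbr, BASELINE, DISK_SECTORS)
        print(f"{name}: {'OK' if result['ok'] else 'REVIEW'} {result['findings']}")
```

On a real machine the sector would be read from the physical drive with administrator rights and the baseline taken from a known-clean system; the output is a list of things to look at, which is why the later reply's point still stands: unknown MBR code by itself does not prove an infection.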
  #10  
02-15-12, 11:54
pazzoduc
Private First Class
Join Date: Feb 2008
Posts: 83
Thanks: 11
Thanked 0 Times in 0 Posts
Re: Malware removal steps complete, still have problems

Log Attached

Unknown MBR code reported
Attached Files
File Type: txt aswMBR 2-25-12.txt (1.4 KB, 1 views)
  #11  
02-15-12, 14:31
thisisu
Malware Consultant
Join Date: Apr 2006
Location: Houston, TX
Posts: 8,179
Thanks: 270
Thanked 1,437 Times in 1,356 Posts
Re: Malware removal steps complete, still have problems

Quote:
Originally Posted by pazzoduc View Post
Log Attached

Unknown MBR code reported
I do not think this is a problem. Especially if you are saying you are not experiencing any problems. Normally with an infected MBR, you'll notice it pretty much right away and in most cases it will prevent you from being able to run tools like ComboFix / TDSSKiller / aswMBR. Anything that checks the MBR basically.

I do not think you have anything to worry about.
  #12  
02-15-12, 16:37
pazzoduc
Private First Class
Join Date: Feb 2008
Posts: 83
Thanks: 11
Thanked 0 Times in 0 Posts
Re: Malware removal steps complete, still have problems

Quote:
Originally Posted by thisisu View Post
it will prevent you from being able to run tools like ComboFix
Can I run ComboFix? I have a 64-bit OS. I was under the impression it would only work for 32-bit systems?

Is there a similar program that will work on 64-bit OSes?

My only issue with the MBR code is the recurring frequency of viruses even with Malwarebytes and Security Essentials running. I'm curious if it is opening the door?