Malware removal steps complete, still have problems

[pazzoduc]

Infected by viruses, ran Spybot and Malwarebytes, MWB had been turned off, not normal. Still had problems, so Completed Read Me steps, Still have problems

Computer would not operate in std mode, so steps up to combofix were done in safe mode. Safe mode did not allow uninstall of Java, so this step was skipped.

Running Vista 64 so RootRepeal was not done.

Everything was fine for a few minutes. Browsed major geeks for a moment and start-up programs seemed fine.

When re-enabling user account control, double clicking the EnableUAC.reg brought up the windows does not recognize this file extension, browse to find the correct program. Tried twice, same result. So i did it manually through control panel and rebooted. Everything fine.

After re-start, step 6 of Vista instructions, right clicked Computer and things went bad. Computer locked. Tried a few times rebooting and problems got worse. Now in STD mode computer locks or screen goes black. Task manager will not come up to see what apps and processes are running. Sometimes desktop or startmenu will fade to grey and everything locks.

Also of note, in STD mode, I get a pop-up window titled Security Alert: You are about to view pages over a secure connection... no one will be able to see pages etc. I closed the window clicked google chrome to nav to Majorgeeks and all seemed well enough. Clicked restore pages, then naving MajorGeeks the browser locked with the message waiting on cache.

Now computer boots in STD mode, but erratically. Safe mode with networking is all I can do and still have access to MG.

Attaching logs.
Also attaching log from Malware Bytes std operation, and then log from first run before Read Me steps. In next post...

[pazzoduc]

Other MWB logs attached...

[thisisu]

Go to the below link and follow the instructions for running TDSSKiller by Kaspersky

• TDSSKiller - How to run
  Remember to attach your log from TDSSKiller (How to attach items to your post)

Please also download MBRCheck to your Desktop.
See the download links under this icon

• Double click MBRCheck.exe to run (Vista and Win7 right click and select Run as Administrator)
• It will show a Black screen with some information that will contain either the below line if no problem is found:
  • Done! Press ENTER to exit...
• Or you will see more information like below if a problem is found:
  • Found non-standard or infected MBR.
  • Enter 'Y' and hit ENTER for more options, or 'N' to exit:
• Either way, just choose to exit the program at this point since we want to see only the scan results to begin with.
• MBRCheck will create a log named similar to MBRCheck_07.16.10_00.32.33.txt which is random based on date and time.
• Attach this log to your next message. (How to attach items to your post)

Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

Run C:\MGtools\analyse.exe by double-clicking it (Vista and Win7 right-click and select Run as Administrator)
Choose Do a system scan only and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

Quote:

O2 - BHO: Bing Bar Helper - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - "C:\Program Files (x86)\Microsoft\BingBar\BingExt.dll" (file missing)
O3 - Toolbar: Bing Bar - {8dcb7100-df86-4384-8842-8fa844297b3f} - "C:\Program Files (x86)\Microsoft\BingBar\BingExt.dll" (file missing)

After clicking Fix, exit HJT.


Now we need to use ComboFix

• Make sure that ComboFix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
  • If it is not on your Desktop, the below will not work.
• Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
• If ComboFix tells you it has expired or need to be updated to a new version, make sure you allow it to update.
• Open Notepad and copy/paste the text in the below quote box into it:

Quote:

KILLALL::

File::
C:\Users\Kirk\AppData\Local\Temp\Crb4AD5.tmp.mht

DirLook::
C:\Users\Kirk\AppData\Local\temp
C:\TABC

Registry::
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{d2ce3e00-f94a-4740-988e-03dc2f38c34f}]

RegLock::
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10h.ocx"
"ThreadingModel"="Apartment"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.10"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10h.ocx, 1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10h.ocx"
"ThreadingModel"="Apartment"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10h.ocx, 1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}]
@Denied: (A 2) (Everyone)
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0]
@="Shockwave Flash"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}]
@Denied: (A 2) (Everyone)
@=""
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}\1.0]
@="FlashBroker"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes]
"SymbolicLinkValue"=hex(6):5c,00,52,00,45,00,47,00,49,00,53,00,54,00,52,00,59,
00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,4f,00,46,00,\

• Save the above as CFScript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
• At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
• You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
• Now use your mouse to drag CFScript.txt on top of ComboFix.exe
  
• Follow the prompts.
• When it finishes, a log will be produced named C:\ComboFix.txt
• Attach this log to your next message. (How to attach items to your post)

Note: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

If after running ComboFix you discover none of your programs will open up because you recieve the following error: Illegal operation attempted on a registry key that has been marked for deletion then you will need to reboot your computer which will normally fix this problem.

Now run C:\MGtools\GetLogs.bat by double-clicking on it (Vista and Win7 right click and select Run as Administrator)

This will automatically update all the logs in MGlogs.zip!
Make sure you click Accept on the License Agreement from HiJackThis!/analyse.exe twice (yes twice) if prompted.

Then attach C:\MGlogs.zip to your next message (How to attach items to your post)

[pazzoduc]

OK, next steps completed.

TDSSKiller found nothing....
MBRCheck Found the Non-std/infected MBR

Logs attached.

[thisisu]

You have an infected Master Boot Record (MBR). Since MBR infections are only worsening, we recommend that you make sure you have any important data backed up before proceeding with the below.

Do you have your Windows Vista install DVD? If so,

1. Put the Windows Vista installation disc in the disc drive, and then start the computer.
2. Press a key when you are prompted.
3. Select a language, a time, a currency, a keyboard or an input method, and then click Next.
4. Click Repair your computer.
5. Click the operating system that you want to repair, and then click Next.
6. In the System Recovery Options dialog box, click Command Prompt.
7. Type bootrec /fixmbr , and then press ENTER.

If warned that replacing the MBR may be risky, press Y to continue
Now type Exit to exit the Recovery Environment.

Note: There is a SPACE AFTER bootrec
Note: To start the computer from the Windows Vista DVD, the computer must be configured to start from the DVD drive. For more information about how to configure the computer to start from the DVD drive, see the documentation that is included with the computer or contact the computer manufacturer.

You can also view this page for more information on using Bootrec /fixmbr:
http://support.microsoft.com/kb/927392

After using the bootrec /fixmbr command, please reboot into Windows Vista and rerun MBRCheck and attach its new log here

Also let me know what malware problems you are still experiencing.

[pazzoduc]

I can't seem to get to the System Recovery options on the Vista disc.

I located the instructions and I am booting from the Cd drive. But vista boots completely, no system recovery option dialog box appears.

I checked the Dell support site and found an alternate method to do the MBR repair, but it is only compatible with 32bit systems. This box is 64bit.

Any Ideas? Anyone?

[pazzoduc]

OK, A bit of an update while I have some renewed enthusiasm.

I have been running various killer programs and fixing the registry when needed after killing off recurring viruses. A quick recap:
Downloaded and ran Roguekiller. Seems to have found a few prickly issues that Malwarebytes, Superantispyware, Spybot and Security Essentials all failed to find. But in removal, the registry was corrupted. So I downloaded AVG Recovery as suggested here: Linky. Ran every possible test and fix the program offered. After the MBR fix portion the CPU would not boot, it only cycled on and off just before the MS start screen. So I rebooted from the Dell/OEM Vista disc and went through the Start-up repair in System Recovery.

All seems well except MBRCheck still reports a Faked MBR.

At this moment I am confident that there are no active viruses on the machine. If there are, WOW. More power to them I guess. I have run and checked a huge number of diagnostic, fix, kill programs over the past few days.

I have attached the MBRCheck log. Is there anyone out there that can read the log to see if it is a true Rootkit problem or just a false negative? (see next post)

And if it is an isssue, should I do something like this? Linky

At this point I have enough enthusiasm to try to be successful. Rather than just formatting and starting over!

[pazzoduc]

Log attached

[thisisu]

Quote:

Originally Posted by pazzoduc

All seems well except MBRCheck still reports a Faked MBR.

Maybe it was a fluke with MBRCheck. We have another tool to get a second opinion now.

Please download aswMBR to your desktop.

• Double-click aswMBR.exe to run (Vista/7 right-click and select Run as Administrator)
• Select No when asked "Would you like to download latest Avast! virus definitions?"
• Click the [Scan] button.
• On completion of the scan click [Save log], save it to your desktop and attach this log to your next message. (How to attach)

Quote:

Originally Posted by pazzoduc

And if it is an isssue, should I do something like this? Linky

The last MGlogs.zip you attached show no indication of a hidden partition, plus these types of infections didn't start surfacing until late November 2011.

[pazzoduc]

Log Attached

Unknown MBR code reported

[thisisu]

Quote:

Originally Posted by pazzoduc

Log Attached

Unknown MBR code reported

I do not think this is a problem. Especially if you are saying you are not experiencing any problems. Normally with an infected MBR, you'll notice it pretty much right away and in most cases it will prevent you from being able to run tools like ComboFix / TDSSKiller / aswMBR. Anything that checks the MBR basically.

I do not think you have anything to worry about.

[pazzoduc]

Quote:

Originally Posted by thisisu

it will prevent you from being able to run tools like ComboFix

Can I run ComboFix? I have a 64bit OS. I was under the impression it would only work for 32b systems?

Is there a similar program that will work on 64b OS's?

My only issue with the MBR code is the recurring frequency of viruses even with Malwarebytes and Security Essentials running. I'm curious if it is opening the door?