Have a BAD virus - maybe rootkit - need help

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by ken_in_dfw, Jul 3, 2010.

  1. ken_in_dfw

    ken_in_dfw Private E-2

    I'm hoping you folks can help me out. As it stands now, I'm ready to either rewrite the hard drive or set this thing on the curb.

    I started noticing performance issues about 3 months ago - slow booting up, slow loading pages on the browser, slow opening applications. Then I noticed that something was repeatedly disabling McAfee and Windows Security Center firewall. I have also been running MalwareBytes Anti-Malware since about February after my work laptop got a nasty rootkit virus. Something apparently got past McAfee, MBAM and me.

    As time has gone on, performance has deteriorated. I'm not getting any weird pop-ups or browser redirects, thank G-d. But the final confirmation was that when I tried to open this site or bleepingcomputer.com, the fricking virus wouldn't let me get to the sites.

    I am able to run things in Safe Mode with Networking. I have Win XP SP3. I have run through EVERY thing on the READ & RUN ME FIRST sticky. I considered running one of the rootkit removal tools you list, but thought I'd better start with you guys first. First set of logs are attached here and second set follow in reply. Thanks for your help.

  2. ken_in_dfw

    ken_in_dfw Private E-2

    Second set of attachments

    Here are the MGLogs. Again, thanks for the help.

  3. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Are you planning on replacing McAfee? You need to have an AV program installed!!

    Let's do this:
    Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    After clicking Fix, exit HJT.

    Now copy just the bold text below to notepad (Do not include any space above the word REGEDIT). Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.
    Make sure that you tell me if you receive a success message about adding the above to the registry. If you do not get a success message, it definitely did not work.


    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:

    * C:\MGlogs.zip

    Make sure you tell me how things are working now!
  4. ken_in_dfw

    ken_in_dfw Private E-2

    Tim,

    Thanks so much for the information. First, to clear something up. Yes, of course, I am keeping McAfee. As a matter of fact, it was because I upgraded to the new Total Protection product that my computer reached a point where I knew I HAD to do something. Basically, the virus was fighting with the upgraded McAfee software to the point that the PC would stop working. Or, more precisely, work very slowly. As in: click to open a folder, wait 20 minutes until the folder opened. Or click to shut down the PC, wait another 30 minutes for the PC to display the "log off, shut down or restart" dialog. So I uninstalled McAfee for the purpose of simply being able to run the tests and programs that the MajorGeeks malware removal sticky listed.

    As I mentioned earlier, the virus prevents me from accessing the MajorGeeks forum or any other antivirus site while operating normally. SafeMode seems to disable the virus from operating normally. Unfortunately, the virus seems to be "learning" and has begun to run some sort of script this morning that prevents me from selecting SafeMode when pressing F8 during PC boot-up. I was finally able to circumvent this by pressing F11 and going into system configuration and then exiting and selecting SafeMode with Networking.

    Because of the increasing control that the virus is exerting over my PC, I executed the MGtools\analyse.exe program and edited the registry successfully in SafeMode. I hope that doesn't make a difference. I was able to do both as you instructed and got a message that the PC's registry had been edited successfully.

    I ran the GetLogs batch file and have attached the zip file below. I haven't rebooted the PC as I'm afraid of what will happen. So I'll just keep it running and wait for your reply. Thanks again.

  5. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    I am not seeing any malware in your logs. No indication of any rootkit activity. Just to be certain, if you are using a router, reset it to factory settings and then re-configure it if you have configured it yourself for any reason.

    Then boot to normal mode and run both ComboFix and the C:\MGtools\GetLogs.bat file.

    Then attach the below logs:

    * C:\ComboFix.txt
    * C:\MGlogs.zip