General redirection problems + malware cleared desktop and mydocuments

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by quatfro, Jun 28, 2011.

  1. quatfro

    quatfro Private E-2

    Hello there,

    Trying to fix a friend of mine's laptop.

    Recently every internet search redirects to some random sites and just prior to my coming along, something has apparently wiped the desktop and has left mydocuments clear too.

    The harddrive still has a lot of stuff in it judged by looking at the diskspace still in use so I suspect something has hidden everything from view. Any suggestions? Not gone through the whole Malware removal process just yet...

    Laptop is a compaq thingy on Vista basic.

    Back to the redirection thing, I have attached the log file from running goored, strangely, after running that, firefox instantly brings up the error window saying it had to shut down and would I like to send a crash report!!

    Have I done something stupid?

    Any help much appreciated.

    Cheers.
    Tom.
     

    Attached Files:

  2. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

  3. quatfro

    quatfro Private E-2

    Hi,
    Cheers for the rapid response. I've since gone through the anti malware procedure as laid out in the majorgeeks guide pages. The logs are as follows...I'm off to bed and Imola for a week so may not get around to finishing off the process properly for over a week, but if there is anything obvious found in these, do please let me know and I'll get back on the case ASAP!!
    Cheers,
    Tom.
     

    Attached Files:

  4. quatfro

    quatfro Private E-2

    And the last of my logs are as follows...

    P.S. Thanks for the program suggestions, as previously, I'll get back on the case soon. The anti malware procedure found a couple of gems, mydocuments is still looking empty or inaccessible but the desktop files have been found and changed back to unhidden files, so some progress at least!

    Cheers,

    Will report back soon.

    Tom.
     

    Attached Files:
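    The "desktop and My Documents look empty but the disk is still full" symptom described in this thread is usually produced by malware setting the Hidden (and often System) attribute on the user's files. The PowerShell below is an added example for checking and reversing that; it is not part of the thread or of the MajorGeeks tools. It assumes the affected profile is the one you are logged in as ($env:USERPROFILE) and that the folder list covers the locations you care about; adjust both as needed and run it from an elevated PowerShell.

```powershell
# Added example, not from the thread: report user files that carry the Hidden
# attribute, then optionally clear Hidden/System on the items you have reviewed.
# $ProfileRoot and $Folders are assumptions; point them at the real profile.
function Get-SuspiciouslyHiddenItems {
    param(
        [string]$ProfileRoot = $env:USERPROFILE,
        [string[]]$Folders = @('Desktop', 'Documents', 'Pictures', 'Music')
    )
    # Files Windows itself hides and which should stay hidden
    $knownHidden = @('desktop.ini', 'Thumbs.db')
    foreach ($name in $Folders) {
        $path = Join-Path $ProfileRoot $name
        if (-not (Test-Path -LiteralPath $path)) { continue }
        # -Force makes Get-ChildItem include hidden and system items
        Get-ChildItem -LiteralPath $path -Recurse -Force -ErrorAction SilentlyContinue |
            Where-Object {
                ($knownHidden -notcontains $_.Name) -and
                (([int]$_.Attributes -band [int][IO.FileAttributes]::Hidden) -ne 0)
            } |
            Select-Object FullName, Attributes
    }
}

function Clear-HiddenAttribute {
    param([Parameter(ValueFromPipeline = $true)]$Entry)
    process {
        # Remove only Hidden and System; ReadOnly, Archive etc. are left untouched
        $item = Get-Item -LiteralPath $Entry.FullName -Force
        $mask = [int][IO.FileAttributes]::Hidden -bor [int][IO.FileAttributes]::System
        $item.Attributes = [IO.FileAttributes]([int]$item.Attributes -band -bnot $mask)
    }
}

# Report first; unhide only after you have looked through the list.
$hidden = Get-SuspiciouslyHiddenItems
$hidden | Format-Table -AutoSize
# $hidden | Clear-HiddenAttribute
```

    Keeping the report and the fix as two steps matters here: a short list of a few dozen Hidden files in Documents is a clear malware fingerprint, whereas a handful of hidden items such as desktop.ini are normal and should not be touched.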

  5. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    I still need you to run TDSSKiller and attach that log.
     
  6. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    After clicking Fix, exit HJT.

    Now copy just the bold text below to notepad (Do not include any space above the word REGEDIT). Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it double click it and allow it to merge with the registry.
    Make sure that you tell me if you receive a success message about adding the above
    to the registry. If you do not get a success message, it definitely did not work.


    * Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
    If it is not on your Desktop, the below will not work.
    * Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    * If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
    * Open Notepad and copy/paste the text in the below code box into it (make sure you scroll all the way down in the code box to get all lines selected ):
    Code:
    KILLALL::
    
    File::
    C:\ProgramData\43964780
    C:\ProgramData\47109932    
    C:\ProgramData\~43964780
    C:\ProgramData\~43964780r
    C:\ProgramData\~47109932
    C:\ProgramData\~47109932r
    C:\Users\Roger\AppData\Roaming\Aqhuez\peiz.exe
    C:\Users\Roger\AppData\Local\Qjicoves.dat
    C:\Users\Roger\AppData\Local\Xsopotetacoy.bin
    
    Folder::
    C:\Users\Roger\AppData\Roaming\Heequc
    C:\Users\Roger\AppData\Roaming\Oxxyka
    C:\Users\Roger\AppData\Roaming\Pumuil
    C:\Program Files\wadrbykl
    
    
    * Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    * At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    * You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    If it asks you to override the previous file with the same name, click YES.
    * Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    * Follow the prompts.
    * When it finishes, a log will be produced named c:\combofix.txt
    * I will ask for this log below

    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

    Then attach the below log:

    • C:\MGlogs.zip

    Make sure you tell me how things are working now!
     
  7. quatfro

    quatfro Private E-2

    Hi Tim,

    After a hectic very long weekend at Imola I've managed to get back to the dodgy laptop and finish the process off.

    When I looked for "...Roaming\Aqhuez\peiz.exe" when running hijackthis, it wasn't there, but it since came up when I ran one of the other programs...

    The extra logs are as follows...everything worked smoothly I'm pleased to say and no redirects have occurred today - hoorah!

    If I've missed something then do let me know, I'm still feeling very tired and forgetful after a long weekend...
     

    Attached Files:

  8. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Please Disable Spybot's TeaTimer --> Should have been done as per the R&R instructions!

    * Run Spybot and click Mode
    * Select Advanced Mode.
    * Then click Tools and select Resident.
    * Now in the right window pane, uncheck TeaTimer.
    * Also while this is open, in the left column now select IE Tweaks
    * and then in the right pane make sure all the Miscellaneous locks are unchecked.
    * Now quit Spybot!


    * Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
    If it is not on your Desktop, the below will not work.
    * Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    * If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
    * Open Notepad and copy/paste the text in the below code box into it (make sure you scroll all the way down in the code box to get all lines selected ):
    Code:
    KILLALL::
    
    File::
    c:\users\Roger\AppData\Roaming\Pumuil\esha.exe
    
    Folder::
    c:\users\Roger\AppData\Roaming\Pumuil
    
    Registry::
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "{DC53DCFC-C221-D79A-4E1A-C993EEF8F614}"=-
    
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters]
    "DhcpNameServer"=""
    
    [HKEY_LOCAL_MACHINE\system\controlset001\services\tcpip\parameters]
    
    "DhcpNameServer"=""
    
    [HKEY_LOCAL_MACHINE\system\controlset002\services\tcpip\parameters]
    "DhcpNameServer"=""
    
    * Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    * At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    * You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    If it asks you to override the previous file with the same name, click YES.
    * Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    * Follow the prompts.
    * When it finishes, a log will be produced named c:\combofix.txt
    * I will ask for this log below

    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

    Then attach the below log:

    • C:\MGlogs.zip

    Make sure you tell me how things are working now!
     
    Last edited: Jul 4, 2011
  9. quatfro

    quatfro Private E-2

    Thanks Tim,
    Don't know how I managed to miss that step, though there is still one strange thing left it seems as apparently according to spybot I didn't have administrator rights to delve into those pages to disable tea timer, so I've uninstalled it for now to crack on with hopefully the last part of this process.

    I'm really chuffed to say, after all this work ALL of the missing files and folders have now reappeared and are accessible. Prior to yesterday afternoon, the main folders (pictures, music and mydocuments) were visible but also claimed that I didn't have the right to access them, very odd indeed.

    Anyway, I will do as instructed and get back to you this afternoon sometime.

    cheers,

    Tom.
     
  10. quatfro

    quatfro Private E-2

    Yo,

    After a short work break I'm back and have run the .bat file to produce the attached logs.

    Please have a gander and let me know what you think.

    Annoyingly, despite my pleas, this laptop has been used in my absence and there was one report of a redirection and some strange warnings so I'm not entirely sure it's 100%, it's definitely 98%+ fixed though!

    Anyway, please advise whether I should start from scratch again or otherwise when you get the time and I'll try and do it all in one hit if need be.

    Cheers,
    Tom.
     

    Attached Files:

  11. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Yes, you have become more infected.

    Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    After clicking Fix, exit HJT.

    * Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
    If it is not on your Desktop, the below will not work.
    * Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    * If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
    * Open Notepad and copy/paste the text in the below code box into it (make sure you scroll all the way down in the code box to get all lines selected ):
    Code:
    KILLALL::
    
    File::
    C:\Users\Roger\AppData\Local\temp\3DDB.tmp
    C:\Users\Roger\AppData\Local\temp\46FF.tmp
    C:\Users\Roger\AppData\Local\temp\8171.tmp
    C:\Users\Roger\AppData\Local\temp\B720.tmp
    C:\Users\Roger\AppData\Local\temp\esowrnamxc.exe
    C:\Users\Roger\AppData\Local\temp\mrwnxeocas.exe
    C:\Users\Roger\AppData\Local\temp\setup1824649416.exe.manifest
    C:\Users\Roger\AppData\Local\temp\setup1887156168.exe
    C:\Users\Roger\AppData\Local\temp\setup1887156168.exe.manifest
    C:\Users\Roger\AppData\Local\temp\setup1268171784.exe
    C:\Users\Roger\AppData\Local\temp\setup1268171784.exe.manifest
    C:\Users\Roger\AppData\Local\temp\setup106510920.exe
    C:\Users\Roger\AppData\Local\temp\setup106510920.exe.manifest
    C:\Users\Roger\AppData\Local\temp\setup1990231368.exe
    C:\Users\Roger\AppData\Local\temp\setup1990231368.exe.manifest
    C:\Users\Roger\AppData\Local\temp\setup2445374680.exe
    C:\Users\Roger\AppData\Local\temp\setup2445374680.exe.manifest
    C:\Users\Roger\AppData\Local\temp\setup2813781640.exe
    C:\Users\Roger\AppData\Local\temp\setup2813781640.exe.manifest
    C:\Users\Roger\AppData\Local\temp\setup2845237064.exe
    C:\Users\Roger\AppData\Local\temp\setup2845237064.exe.manifest
    C:\Users\Roger\AppData\Local\temp\setup3857992712.exe
    C:\Users\Roger\AppData\Local\temp\setup3857992712.exe.manifest
    C:\Users\Roger\AppData\Local\temp\setup3897895496.exe
    C:\Users\Roger\AppData\Local\temp\setup3897895496.exe.manifest
    C:\Users\Roger\AppData\Local\temp\setup3064312520.exe
    C:\Users\Roger\AppData\Local\temp\setup3064312520.exe.manifest
    C:\Users\Roger\AppData\Local\temp\setup4001805704.exe
    C:\Users\Roger\AppData\Local\temp\setup4001805704.exe.manifest
    C:\Users\Roger\AppData\Local\temp\setup677709384.exe
    C:\Users\Roger\AppData\Local\temp\setup677709384.exe.manifest
    C:\Users\Roger\AppData\Local\temp\setup863606440.exe
    C:\Users\Roger\AppData\Local\temp\setup863606440.exe.manifest
    C:\Users\Roger\AppData\Local\temp\xrmoecwnsa.exe
    C:\Users\Roger\AppData\\Roaming\7pvdz9u.exe
    C:\Users\Roger\AppData\Local\Fimofe.dll
    
    Registry::
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    "Izawegayuxoxot"=-
    "torprn"=-
    
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters]
    "DhcpNameServer"=""
    
    [HKEY_LOCAL_MACHINE\system\controlset001\services\tcpip\parameters]
    "DhcpNameServer"=""
    
    [HKEY_LOCAL_MACHINE\system\controlset002\services\tcpip\parameters]
    "DhcpNameServer"=""
    
    
    * Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    * At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    * You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    If it asks you to override the previous file with the same name, click YES.
    * Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    * Follow the prompts.
    * When it finishes, a log will be produced named c:\combofix.txt
    * I will ask for this log below

    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

    Then attach the below log:

    • C:\MGlogs.zip

    Make sure you tell me how things are working now!
     
  12. quatfro

    quatfro Private E-2

    Hi Tim,

    And thanks for your patience. I've finally confiscated the laptop so it cannot be used and finished the process, please have a peek at the attached logs.
    Cheers,
    Tom.
     

    Attached Files:

  13. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

    Now copy just the bold text below to notepad (Do not include any space above the word REGEDIT). Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it double click it and allow it to merge with the registry.
    Make sure that you tell me if you receive a success message about adding the above
    to the registry. If you do not get a success message, it definitely did not work.


    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

    Then attach the below log:

    • C:\MGlogs.zip

    Make sure you tell me how things are working now!
     
