Trojans found, Firefox not working, google redirects

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by dbs1, Oct 29, 2010.

  1. dbs1

    dbs1 Private E-2

    Getting all of the above. Very frustrating indeed.

    I can't get Firefox to work at all - it just gives me a window saying that I can restart Firefox or quit. It also gives me an option to 'send information' to Mozilla so they can fix it.

    I'm having to use IE, which is also very slow (not usually like this).

    AVG found loads of stuff that I cleared down. I ran the steps as requested and the logs are here. Help!
     

  2. dbs1

    dbs1 Private E-2

    Forgot the SASlog...
     


  3. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Let's start with this:

    First, please put ComboFix directly on your desktop, not where you have it:
    Running from: h:\documents and settings\Darren\My Documents\Downloads\ComboFix.exe

    Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    After clicking Fix, exit HJT.

    * Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
    If it is not on your Desktop, the below will not work.
    * Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    * If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
    * Open Notepad and copy/paste the text in the below code box into it (make sure you scroll all the way down in the code box to get all lines selected ):
    Code:
    KILLALL::
    
    File::
    h:\windows\Efazi.dat
    h:\windows\Ojoqesiqaquzuwo.bin
    h:\windows\system32\config\systemprofile\Application Data\vqdlkr.dat
    
    Folder::
    H:\WINDOWS\system32\config\systemprofile\Application Data\Emaf
    
    Registry::
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    "{46649D7D-1E93-82F4-738C-25E4B1DA54A7}"=-
    
    * Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    * At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    * You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    If it asks you to override the previous file with the same name, click YES.
    * Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    * Follow the prompts.
    * When it finishes, a log will be produced named c:\combofix.txt
    * I will ask for this log below

    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    Now run CCleaner.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:

    * C:\ComboFix.txt
    * C:\MGlogs.zip

    Make sure you tell me how things are working now!
     
  4. dbs1

    dbs1 Private E-2

    Ok,

    I'm not entirely convinced it worked properly - I moved ComboFix to the desktop, followed your instructions and let it do its thing, following the prompts.
    I got a blue cmd screen with a message saying it was preparing to run, but then it didn't do anything for about an hour. I checked my C:\ drive and it showed a combofix.txt file that I have attached here. I also ran MG as well and that's attached here too.

    I'm going to see if it will run again and if it does I will make another post with the files attached.

    The PC is still running very slowly. When I turn it on it shows a box telling me that it's installing something, but not what. I then get an error message saying that whatever it was couldn't be installed. Also I was getting a lot of 'No disk' exceptions when running MG. I cancelled them, which seemed to allow MG to continue with what it was doing.
    Still can't run Firefox - that's probably going to be a reinstall.

    My lovely partner, who is a software engineer, has offered the following support: 'Of course we're not used to dealing with viruses in Unix'. Every time I mention the possibility of her helping me she laughs a little laugh and wanders off muttering things about Gates and spawn of evil. <sigh>


    EDIT: Combofix.txt is not there. It won't attach itself to this message. I can see it in C:\ but it won't upload. Gimme a mo.
     


  5. dbs1

    dbs1 Private E-2

    OK, I'm running through this again and will update this post as I go.

    Deleted ComboFix and downloaded it again directly to the desktop.
    Disabled AVG 9.0 antivirus.
    Ran H:\MGTools\Analyse.exe.

    Could only find:

    O4 - Startup: sysqgv32.exe - deleted this

    Could NOT find:

    O4 - HKCU\..\Run: [{46649D7D-1E93-82F4-738C-25E4B1DA54A7}] "H:\WINDOWS\system32\config\systemprofile\Application Data\Emaf\idagr.exe"

    Made sure no browsers were up, clicked Fix, selected Yes when prompted, exited.

    Dragged and dropped CFscript.txt onto ComboFix and let it run.
    Got a box titled Disclaimer of Warranty - clicked Yes.
    Got a cmd window. Background is blue, window is titled '.'
    It states: 'Please wait, ComboFix is preparing to run'.

    Waiting for 20 mins now - nothing further from ComboFix. It still says preparing to run. Task Manager states it is running OK.
     
  6. dbs1

    dbs1 Private E-2

    OK,

    the window for ComboFix hasn't changed at all. However, in Task Manager something is using 100% of my CPU, and the ComboFix text file was last updated at 16:51; the time is now 17:01, so I'm assuming it's doing something.

    If not, please God, someone let me know!

    EDIT: just realised that by posting these updates I'm inadvertently bumping the thread, which is not my intention - I can't find an edit function if I log back in after logging out on my previous posts, so I'm having to do it this way. Sorry.
     
  7. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Abort Combo if it is stuck. Please re-run MBAM and then get me a new MGLogs.zip by running the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:

    * MBAM log
    * C:\MGlogs.zip

    Make sure you tell me how things are working now!
     
  8. dbs1

    dbs1 Private E-2

    Right. I wasn't happy with what I had done, so I went through this all again from the beginning. Appropriate logs attached.

    After doing all of this, I rebooted the PC and a cmd box came up for watermark.exe.
    I also kept on getting a lot of 'no disk' exception errors throughout the entire process.
     


  9. dbs1

    dbs1 Private E-2

    Final file.

    Firefox still doesn't work as well.
     


  10. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    I am seeing traces of Ramnit in your logs. Please run this online scan, at least three times, back to back. Save the logs and attach each one.
    eSet Online Scan.
     
  11. dbs1

    dbs1 Private E-2

    Hope this is right.
     


  12. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Use windows explorer to find and then clean out everything in this folder:

    H:\Documents and Settings\Darren\Local Settings\Temporary Internet Files\Content.IE5

    Now go back and re-run eSet until it comes up clean. Attach the next set of logs.
     
  13. dbs1

    dbs1 Private E-2

    I couldn't find that.

    Got as far as:

    H:\Documents and Settings\Darren\Local Settings\Temporary Internet Files

    so I cleared that out and am running ESET again.
     
  14. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Let's run eSet until it comes back virtually clean. Attach the logs so I can see what progress it is making.
     
  15. dbs1

    dbs1 Private E-2

    OK, 2 more ESET scans attached. Doing a third now, which has found 31 threats so far.

    Will continue to post tomorrow with more.
     


  16. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Were you unable to find this folder:
    H:\Documents and Settings\Darren\Local Settings\Temporary Internet Files\Content.IE5?

    That really needs to be cleaned out.

    You can try using Avenger to remove it.

    Download The Avenger by Swandog469, and save it to your Desktop.

    * Extract avenger.exe from the Zip file and save it to your desktop
    * Run avenger.exe by double-clicking on it.
    * -Do not change any check box options!!
    * Copy everything in the Quote box below, and paste it into the Input script here: part of the window:

    * Now click the Execute button.
    * Click Yes to the prompt to confirm you want to execute.
    * Click Yes to the Reboot now? question that will appear when Avenger finishes running.
    * Your PC should reboot, if not, reboot it yourself.
    * A log file from Avenger will be produced at C:\avenger.txt and it will popup for you to view when you login after reboot.

    Continue with the eSet scans. We are making progress.
     
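    The CFScript in post 3 and the Content.IE5 clean-out asked for in posts 12 and 16 both come down to the same three operations: delete the named files and folder, delete one value under the HKCU Run key, and empty a cache folder that Explorer hides because it is marked hidden and system. The script below is an added example written for this thread, not part of ComboFix, Avenger or MGtools; it assumes PowerShell 2.0 or later running as Administrator on the same machine, with the system drive on H: as in the logs, and uses only the paths and registry value quoted above. It tests for each item before removing it, so the output says whether a file was actually present rather than silently doing nothing.

```powershell
# Added example for this thread (not the tooling the helper used). Assumes
# PowerShell 2.0+ running elevated on the infected machine; the paths come
# from the CFScript and the cache path from post 12.

# Files and folder listed under File:: and Folder:: in the CFScript.
$targets = @(
    'H:\WINDOWS\Efazi.dat',
    'H:\WINDOWS\Ojoqesiqaquzuwo.bin',
    'H:\WINDOWS\system32\config\systemprofile\Application Data\vqdlkr.dat',
    'H:\WINDOWS\system32\config\systemprofile\Application Data\Emaf'
)
# Registry:: entry; "name"=- in a CFScript means delete that value.
$runKey   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$runValue = '{46649D7D-1E93-82F4-738C-25E4B1DA54A7}'
# Hidden/system IE cache folder from post 12.
$cache    = 'H:\Documents and Settings\Darren\Local Settings\Temporary Internet Files\Content.IE5'

function Remove-Artifact {
    param([string]$Path)
    # -LiteralPath because the paths contain spaces and brackets could appear;
    # -Force because the dropped files are hidden/system and a plain delete
    # would refuse them.
    if (Test-Path -LiteralPath $Path) {
        Remove-Item -LiteralPath $Path -Recurse -Force -ErrorAction Stop
        Write-Host "removed  $Path"
    } else {
        Write-Host "absent   $Path"
    }
}

foreach ($t in $targets) { Remove-Artifact $t }

# Read the value first so the log shows whether the key really existed.
# Post 25 notes the key "will not budge"; a blind delete would hide that.
$props   = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
$present = $null
if ($props -ne $null) { $present = $props.$runValue }
if ($present -ne $null) {
    Remove-ItemProperty -Path $runKey -Name $runValue -Force
    Write-Host "removed  $runKey\$runValue -> $present"
} else {
    Write-Host "absent   $runKey\$runValue"
}

# Content.IE5 does not show in Explorer because both it and its parent are
# hidden system folders. Get-ChildItem -Force lists them anyway. Empty the
# folder's contents but leave the folder itself for IE to reuse.
if (Test-Path -LiteralPath $cache) {
    $items = @(Get-ChildItem -LiteralPath $cache -Force)
    Write-Host ("cache entries found: {0}" -f $items.Count)
    $items | Remove-Item -Force -Recurse -ErrorAction SilentlyContinue
    Write-Host "emptied  $cache"
} else {
    Write-Host "absent   $cache (Temporary Internet Files is itself hidden; use -Force when browsing)"
}
```

    One caveat this script does not cover: the CFScript starts with KILLALL::, which stops running processes before the deletions. A file infector that is still resident can recreate what was just removed, which is one reason the thread keeps seeing the same cache entries reappear, so run this only after the process has been stopped, and expect the registry value to reappear on reboot if the executable it points at is still alive.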
  17. dbs1

    dbs1 Private E-2

    File attached.

    Continuing with ESET.
     


  18. dbs1

    dbs1 Private E-2

    ESET scan 7 just picked up a Bamital.DZ Trojan.

    Will attach it along with run 6 once this is done.
     
  19. dbs1

    dbs1 Private E-2

    Scan 7 found the Trojan. Doing more scans.
     


  20. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    It's getting much better.

    Please uninstall AVG. Use this tool:
    Please go here and download and run the AVG Removal Tool.

    Now:
    * Run avenger.exe by double-clicking on it.
    * -Do not change any check box options!!
    * Copy everything in the Quote box below, and paste it into the Input script here: part of the window:

    * Now click the Execute button.
    * Click Yes to the prompt to confirm you want to execute.
    * Click Yes to the Reboot now? question that will appear when Avenger finishes running.
    * Your PC should reboot, if not, reboot it yourself.
    * A log file from Avenger will be produced at C:\avenger.txt and it will popup for you to view when you login after reboot.

    Now uninstall Avenger.

    Do another eSet scan and attach that log.
     
  21. dbs1

    dbs1 Private E-2

    Not sure if this is right.

    I ran the AVG uninstaller (32-bit version), but it seemed to hang - the last thing it said was RESTART PLANNED, so I rebooted the PC. Not sure I did it right, so I'm running it again and will run Avenger again.
     


  22. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Avenger couldn't find the desktoplayer file which is good. Just get me a new eSet scan and then run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:
    * C:\MGlogs.zip
     
  23. dbs1

    dbs1 Private E-2

    OK, the second time through I saw the uninstaller do more things, so I think it ran OK.

    Avenger file attached. To uninstall, I'm assuming it's just delete the Avenger file on the desktop, since I can't see it in Add/Remove.

    Also, when the machine rebooted after Avenger I got a no disk exception error - just cancelled it and continued.

    Running ESET now.

    I saw your response AFTER I posted this - sorry. Will post the ESET log and MBAM log when done.
     


  24. dbs1

    dbs1 Private E-2

    Here you go - ESET is scanning faster.
    Still getting No Disk exceptions when I run MGTools.
     


  25. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    I don't know why that reg key will not budge. Keep running the eSet scans, though I don't understand why it is still reporting the infections in the folder we removed ( H:\Documents and Settings\Darren\Local Settings\Temporary Internet Files\Content.IE5 ).

    We can try it again.

    Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    After clicking Fix, exit HJT.

    Now copy just the bold text below to notepad (Do not include any space above the word REGEDIT). Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.
    Make sure that you tell me if you receive a success message about adding the above
    to the registry. If you do not get a success message, it definitely did not work.
     
  26. dbs1

    dbs1 Private E-2

    OK,

    done that successfully. Running ESET scans again.

    Please note that I am currently running without ANY antivirus since I uninstalled AVG a couple of steps back. Is this right, or do I need to get it reinstalled? I'm doing as much posting as possible from my partner's MacBook to save risking the internet on the infected PC.


    EDIT - I cannot get ESET to work. The first time it stated that it could not get an update and asked if the proxy was correctly configured; the second time it said that another instance was already running.
     
  27. dbs1

    dbs1 Private E-2

    OK, got ESET working after a reboot. Will attach logs soon.
     
  28. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    This infection has really become quite nasty and dangerous. We could attempt to remove it and have had some success in the past, but recently it has become even more trouble to remove. It is really safer to just bite the bullet and do a clean reinstall.

    The problem is that the damage caused by this infection really makes a PC unreliable/untrustworthy. PE file infectors like Ramnit, Virut, etc. can infect all executable files (DLL, EXE, SCR... and many more, and also HTML). These infections can open back doors that truly may compromise your computer and your security. These backdoors could allow a remote attacker to access and instruct the infected computer to download and execute more malicious files.

    In many cases the infected files (which could number in the thousands) cannot be disinfected properly by your anti-virus or by other scanning tools. Also, when disinfection is attempted, the files often become corrupted and the system may become unstable or irreparable. The longer Ramnit.A remains on a computer, the more files it infects and corrupts, so the degree of infection can vary.

    Ramnit is commonly spread via a flash drive (USB, pen, thumb, jump) infection where it copies Worm:Win32/Ramnit.A with a random file name. The infection is often contracted by visiting remote, crack and keygen sites. These types of sites are a major source of system infection.

    So, all the above being said, and please do take serious note of the warnings, do you really wish to attempt cleaning even though the stability and security of your PC cannot be guaranteed? And also, we could spend a lot of time trying to fix it and still fail due to the number of files that have been infected.
     
  29. dbs1

    dbs1 Private E-2

    Oh dear...

    OK, so it looks like a full reinstall then... That's not good - I've got a lot of stuff here that I could lose.
     


  30. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Sadly, if it is caught in time it can be removed, but I am afraid that we are too far gone for that. In spite of all the cleaning, you still have it hooked into the IE5 cache, and now it has infected MGTools. Save your personal data and files to an external drive or a CD. Once you have reformatted and done a clean install, then, with your computer well protected, scan the drive or CD before you reinstall the data files.
     
  31. dbs1

    dbs1 Private E-2

    Actually, I have surprisingly few files that are really important; the rest is mostly programs such as TeamSpeak and Ventrilo plus a few games. I have hard copies of XP and MS Office, so it's just time really.

    One thing though - I have an external hard drive that is more than likely infected, since I've been including it in the scans. There's A LOT of stuff on there, such as movies and music. Will that have to be reinstalled too?
     
  32. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    I would unplug the external until after you have done a clean install and gotten the system well protected. Then run an eSet scan with it plugged back in. I don't recall seeing any malware files in the logs that would have been on the external drive.
     
  33. dbs1

    dbs1 Private E-2

    It would show as J:\

    OK, that will save me some aggro. Would you be kind enough to run me through the reinstall?

    It's been a while since I did one and I would rather go through it step by step with an expert.
     
  34. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Fairly simple. First you need to boot into the BIOS and change the boot order so that the CD-ROM drive is the first device. Put the OS CD in the drive and reboot. It will give you a black screen and ask if you want to boot to the disc. Once into the reinstall, it will ask if you want to install or repair. You will want to install. Then it will ask about the drive partition. You will want to format the partition that Windows is on. Once that is done, it will begin the installation.
     
  35. dbs1

    dbs1 Private E-2

    Um... define 'partition'?

    (It's questions like these that make people understand why my lovely gf is the software engineer and why I drive trucks for a living.)
     
  36. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    A partition is a segment of your hard drive. You may have a C: drive only, or there may be a D: drive that is a smaller space that holds your recovery files. If all there is (other than the external drive) is the C: drive, then you would reformat that drive. In your case, I seem to recall that it is not the C: drive but the H: drive that you have Windows on. So I don't know what partitions / drives you have on this system. But you would reformat whichever one has your OS on it (the H: drive).
     
  37. dbs1

    dbs1 Private E-2

    Ah right, got you.

    OK, after unplugging the external drive, the only other drive I have listed as a Hard Disk drive is H:\
     
  38. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    That will be the drive you format and install on.
     
  39. dbs1

    dbs1 Private E-2

    Do I use NTFS?
     
  40. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Yes.
     
  41. dbs1

    dbs1 Private E-2

    OK, formatting now.

    Thanks for your help with this, Tim - you have been a star, even if, in the end, the infection proved too widespread to fix without a reinstall.

    I've learned a few lessons from this, so there are positives.
     
  42. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

