Virus with Green Screen and Black virus warning

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by bowks, Jan 10, 2010.

  1. bowks

    bowks Private First Class

    Hi, I am trying to clean a virus from my computer - spent the whole day and now I'm a bit stuck. Last night I was searching and got a message that the computer was infected, so I ran my Vipre Virus Checker. Partway through it said it had found about 4 or 5 trojans, but this morning when I checked the log it said it only found a webpage hijacker. Then I got a big green screen with a message in a black box saying "Your computer has been infected by a Virus". I started working through the Read and Run this First and downloaded and ran SuperAntiSpyware, which found a lot of stuff, and I thought repaired it. I shut down as per instructions, and rebooted.

    The PC (which runs Windows XP with SP2) started normally. The Windows splash screen appeared correctly and then the login prompt correctly loaded. I entered my user name and password like normal, but as soon as I tried to login I was IMMEDIATELY logged back out again. The desktop didn’t even load. It moved immediately back to the login window where you can then enter your user name and password again. No matter how many times you try to login you always experience this immediate logout.

    Somehow I got past this by repairing my computer with the repair in the Recovery Console and then reinstalled Windows. But I still get the green screen with the Virus message and I think it is still trying to hijack my websites to another site.

    Also I can't do Alt-Ctrl-Del because it says the Administrator has disabled my task manager. I've shut down and now started up in Safe mode.

    But what to do next??
     
  2. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Run the scans as you did last time before you reformatted; you should do this in normal mode if at all possible, in safe mode if not. Attach logs and we'll work up a fix for you.
     
  3. bowks

    bowks Private First Class

    Thanks Kestrel13. I ended up running the programs in safe mode and the computer seems pretty good. Strange web pages pop up at times, and my desktop is back to normal except every file name is highlighted.

    Here are the logs from the scans yesterday.

    Cheers and thanks a lot!
     

    Attached Files:

  4. bowks

    bowks Private First Class

    And the other two
     

    Attached Files:

  5. bowks

    bowks Private First Class

    Do you know anything about Spice Traffic? That's the name of the thing hijacking my webpages.
     
  6. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    1. Your MBAM log shows that you took no action on the threats that it found. Did you indeed fix what it found after attaching the log? If you didn't you need to re-run MBAM and deal with what it finds.

    2. Important Notice: A new version of SUPERAntiSpyware is available.
    • Please uninstall your current version (this is necessary).
    • Then download this SUPERAntiSpyware
    • Install this new version. It may tell you that you need to reboot to complete the installation. You must reboot at this time.
    • After the reboot, run SUPERAntiSpyware and immediately click the Check for Updates button to get more updates for the database.
    • Now run a new full scan of your system. And attach this log later.

    3. You also did not attach logs from running MGTools.exe. And in order to give you a complete fix I will need to see the C:\Mglogs.zip

    4. In your next reply, attach logs from SAS (MBAM too if you took no prior action) and the Mglogs.zip

    Thanks
    Kes
     
    Last edited: Jan 12, 2010
  7. bowks

    bowks Private First Class

    OMG! You are right. I think I must have been so panicked I didn't concentrate.

    I've taken the action and attached the logs you requested.

    thanks again.
     

    Attached Files:

  8. bowks

    bowks Private First Class

    Grrr. I just tried to call up another website and Spicesearch was looking for the page again! I shut down and started up in Safe mode with Networking again.

    I'm wondering if I should run those programs again...but I will wait till I hear from you again.
     
  9. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    No, we specifically ask that scans are only to be run once. Just let me go thru the logs. I won't have a chance this morning as I am off out shortly, but rest assured I will get back to you ASAP :)
     
  10. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Hi there :)

    I need you to now follow my next steps in normal mode please.

    1. Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    After clicking Fix exit HJT

    2. Now we need to use ComboFix
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    • If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
    • Open Notepad and copy/paste the text in the below quote box. Ensure you scroll down to select ALL the lines:
    Code:
    KILLALL::
    
    File::
    C:\Program Files\Internet Explorer\SET636.tmp
    c:\windows\inf\COM30E.tmp
    C:\tmp.bat
    C:\WINDOWS\pchealth\helpctr\binaries\SET16C.tmp
    C:\WINDOWS\pchealth\helpctr\binaries\SET639.tmp
    C:\WINDOWS\pchealth\helpctr\binaries\SET743.tmp
    C:\WINDOWS\pchealth\helpctr\binaries\SET7FB.tmp
    C:\WINDOWS\pchealth\helpctr\binaries\SET8FA.tmp
    C:\WINDOWS\pchealth\helpctr\binaries\SETA29.tmp
    C:\WINDOWS\pchealth\helpctr\binaries\SETB0C.tmp
    C:\WINDOWS\pchealth\helpctr\binaries\SETC70.tmp
    C:\WINDOWS\system32\CF18470.exe
    
    Folder::
    c:\program files\Spyware Doctor
    
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe


    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below

    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    3. Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this and also attach the log from Combofix.

    4. Let us know of any problems you may have encountered with the above instructions and also let me know how things are running now! :)

    Kes13!
     
  11. bowks

    bowks Private First Class

    Dear Kes13,

    Thanks for that. The computer is working much better. The screen on desktop still has all the file labels highlighted, but the laptop is much more responsive.

    I had a fair bit of trouble, firstly when I ran MGtools: after scanning, the computer shut down, but then restarted and produced a log.

    I also must have had a previous version of ComboFix, because it said so and didn't work, so when I deleted it and tried to download another version, I couldn't connect to the internet, and had to restart in safe mode again. Then after quite a few attempts to connect, I did download and complete the tasks.

    ComboFix gave an error message about an unexpected error, but finished eventually.

    Let me know if I've missed anything or not been clear.
     

    Attached Files:

  12. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    May I also see the log from that then :)
     
  13. bowks

    bowks Private First Class

    Apologies....I thought I did attach it in a separate email. Mustn't have worked. Here it is.
     

    Attached Files:

  14. bowks

    bowks Private First Class

    :( I just tried to get on to google again, and couldn't so did it by safe mode again. And it went straight to Spicesearch.net again!!!
     
  15. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    According to your last logs dated yesterday you have MGTools.exe on your desktop which is not where we need it to be. You need to move it directly onto your C Drive as requested.

    Still being redirected? Let's try this then:

    Now we need to use ComboFix
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    • If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
    • Open Notepad and copy/paste the text in the below quote box. Ensure you scroll down to select ALL the lines:
    Code:
    
    KILLALL::
    
    Fcopy::
    C:\WINDOWS\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\atapi.sys | C:\WINDOWS\system32\drivers\atapi.sys
    
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe


    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below

    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    Still getting redirected now?
     
  16. bowks

    bowks Private First Class

    Dear Kes13

    I don't know if that fixed it yet - it usually takes a little while, but - and this is very exciting - I just had a look at the log, and half way down under Supplementary Scan there are 2 lines that start with FF and they mention hxxp://spicesearch.net.......blah, blah. What do you think about that??
     

    Attached Files:

  17. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Let's do the below:

    Now we need to use ComboFix
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    • If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
    • Open Notepad and copy/paste the text in the below quote box. Ensure you scroll down to select ALL the lines:
    Code:
    KILLALL::
    
    Firefox::
    FF - prefs.js: keyword.URL - hxxp://spicesearch.net/search.php?src=tops&q=
    FF - prefs.js: browser.search.defaulturl - hxxp://spicesearch.net/search.php?src=tops&q=
    
    
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe


    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below

    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    See if that ends the redirecting.
     
  18. bowks

    bowks Private First Class

    Hi Kes13

    I tried to do what you asked but combofix gave an error message "Unable to create all files". I still went through the steps and attached the log.

    Interestingly, Vipre had had a quick scan and picked up something called Backdoor and wanted to do a deep scan, but I terminated it to run Combofix.

    Cheers

    Gail
     

    Attached Files:

  19. bowks

    bowks Private First Class

    just for your info, I repeated the process. This time I didn't get the error message but the two FF lines are still in the completed log.
     

    Attached Files:

  20. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Run a deep scan with Vipre and let me know the results, attach a log if possible, or give me the full file path of where the threat is being found.
     
  21. bowks

    bowks Private First Class

    Hi Kes13

    I did end up running a deep scan on 17/1/10 but I can't seem to copy the log for you; this was what was reported in that log.

    Registry HKEY_USERS\S-1-5-21-1674509373-1791586265-1786554769-1005\Software\Wget-1



    cheers

    Gail
     
  22. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    So Vipre didn't report a backdoor this time round then? Let's try the below:

    Now download Registry Search (see the link titled RegSearch Download Link )

    • Extract the files from Regsearch.zip into a folder.
    • Doubleclick regsearch.exe to start the program.
    • See the top 3 boxes under the Enter search strings (case independent) and click Ok... option, enter the below bold string (use copy and paste)

    • spicesearch
    • Then click "OK".
    • Notepad will be opened with text in it (the file named RegSearch.txt will be saved in the program's folder as well).
    • Attach this RegSearch.txt file.
     
  23. bowks

    bowks Private First Class

    OK. - Had to do that in Safe Mode. Log attached.
     

    Attached Files:

  24. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Try this please:

    Now we need to use ComboFix
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    • If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
    • Open Notepad and copy/paste the text in the below quote box. Ensure you scroll down to select ALL the lines:
    Code:
    KILLALL::
    
    Firefox::
    FF - ProfilePath - c:\users\Wazootyman\AppData\Roaming\Mozilla\Firefox\Profiles\1hwbg928.default\
    FF - prefs.js: browser.search.defaulturl - hxxp://spicesearch.net/search.php?src=tops&q=
    FF - prefs.js: keyword.URL - hxxp://spicesearch.net/search.php?src=tops&q=
    
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe


    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below

    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.
     
  25. bowks

    bowks Private First Class

    Done! But I think it's still friggin' there.
     

    Attached Files:

  26. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    I am in the process of speaking to Chaslang about this so bear with us please as we are both on different time zones.

    Try this just for the hell of it:

    Using GooRedFix
     
  27. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Let us know if the redirects persist.
     
  28. bowks

    bowks Private First Class

    Hi Kes13

    I'm not sure I did the GooRedFix right. I did it in safemode (because I couldn't search for it and connect any other way) and it seemed to take off automatically and I didn't get a choice of 1 or 2.

    The log is attached.

    Also, before I did that - when I checked my computer to see if you had replied, Vipre had done another deep scan and had found Backdoor.Bifrost again.

    I'll have a little play with searches now and see if I start getting redirected - didn't want to do it before because it jams the computer and I have to restart and reset the router - sometimes it takes 20-30 mins before I can get back on line.

    cheers

    Gail
     

    Attached Files:

  29. bowks

    bowks Private First Class

    Been searching for about 10 mins and haven't been redirected yet - that's pretty unusual. I have to get ready for work now. Be back later today.

    Cheers

    Gail
     
  30. bowks

    bowks Private First Class

    Spicesearch is still redirecting.:(
     
  31. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Entirely my fault, an error in my script.

    Now we need to use ComboFix
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    • If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
    • Open Notepad and copy/paste the text in the below quote box. Ensure you scroll down to select ALL the lines:
    Code:
    
    KILLALL::
    
    Firefox::
    FF - ProfilePath - c:\documents and settings\Gail Bowker\Application Data\Mozilla\Firefox\Profiles\l45uunna.default\
    FF - prefs.js: browser.search.defaulturl - hxxp://spicesearch.net/search.php?src=tops&q=
    FF - prefs.js: keyword.URL - hxxp://spicesearch.net/search.php?src=tops&q=
    
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe


    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below

    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    How are things running now? This really ought to shift it this time.
     
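An added example, not code from the thread or from the MajorGeeks tools: a small Python script that does offline what the Firefox:: ComboFix script above does by hand. It reads a prefs.js, flags the keyword.URL and browser.search.defaulturl entries that point at a host outside an assumed allowlist, and returns the file content with those lines dropped so Firefox falls back to its defaults. The sample prefs.js, the allowlist and the function names are assumptions; as post 31 shows, the file has to be the prefs.js inside the profile directory that is actually in use.

```python
import re
from urllib.parse import urlparse

# Firefox preferences that decide where address-bar keywords and the default
# search go. These are the two keys the Firefox:: ComboFix script removes.
SEARCH_PREFS = ("keyword.URL", "browser.search.defaulturl")

# Hosts a search preference may legitimately point at. This allowlist is an
# assumption for the example; adjust it to the engines the user actually set.
TRUSTED_SEARCH_HOSTS = frozenset({"www.google.com", "www.bing.com", "search.yahoo.com"})

# Matches a string-valued preference line such as:
#   user_pref("keyword.URL", "http://example.net/search?q=");
PREF_LINE = re.compile(r'^\s*user_pref\("([^"]+)",\s*"((?:[^"\\]|\\.)*)"\);\s*$')


def parse_prefs(text):
    """Return (line_no, key, value) for every string-valued user_pref line."""
    found = []
    for no, line in enumerate(text.splitlines(), start=1):
        m = PREF_LINE.match(line)
        if m:
            found.append((no, m.group(1), m.group(2)))
    return found


def find_hijacked(text, trusted=TRUSTED_SEARCH_HOSTS):
    """Return (line_no, key, host) for search prefs that point off the allowlist.

    A search pref whose value is not an http(s) URL at all is also flagged,
    since a legitimate default search URL always is one.
    """
    hits = []
    for no, key, value in parse_prefs(text):
        if key not in SEARCH_PREFS:
            continue
        parsed = urlparse(value)
        host = (parsed.hostname or "").lower()
        if parsed.scheme not in ("http", "https") or host not in trusted:
            hits.append((no, key, host))
    return hits


def clean_prefs(text, trusted=TRUSTED_SEARCH_HOSTS):
    """Return prefs.js text with the hijacked search lines dropped.

    Removing the user_pref line rather than editing it mirrors the ComboFix
    script: Firefox then falls back to its built-in default for that key.
    """
    bad = {no for no, _, _ in find_hijacked(text, trusted)}
    kept = [line for no, line in enumerate(text.splitlines(), start=1) if no not in bad]
    return "\n".join(kept) + "\n"


# Constructed sample prefs.js (not a real user's file): a normal homepage plus
# the two redirected search keys that appear in the thread's ComboFix logs.
SAMPLE_PREFS = """# Mozilla User Preferences
user_pref("browser.startup.homepage", "http://www.google.com/");
user_pref("keyword.URL", "http://spicesearch.net/search.php?src=tops&q=");
user_pref("browser.search.defaulturl", "http://spicesearch.net/search.php?src=tops&q=");
user_pref("browser.search.selectedEngine", "Google");
"""

if __name__ == "__main__":
    for no, key, host in find_hijacked(SAMPLE_PREFS):
        print(f"line {no}: {key} -> {host!r} is not a trusted search host")
    print(clean_prefs(SAMPLE_PREFS))
```

Run it against a real profile by reading prefs.js with Firefox closed, since Firefox rewrites the file on exit and would otherwise undo the cleanup.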
  32. bowks

    bowks Private First Class

    This is looking promising.

    Log attached.

    regards

    Gail
     

    Attached Files:

  33. bowks

    bowks Private First Class

    spicesearch is still there....but something different happened this time.

    I shut down and booted up and when I clicked on Mozilla, I got a blank page with just the address bar at the top (jar...... spicesearch) and an error message in a box in the middle of the page saying:

    FILE NOT FOUND

    Firefox can't find the file at jar:file:///C:/Program Files/Mozilla Firefox/chrome/en-US.jar!/locale/browser-region/region propertiesspicesearch.net


    What do you reckon now? (Glad you are a guy that likes a challenge)
     
  34. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Try running the below but make sure that FireFox is shut down before running it.

    Now we need to use ComboFix
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    • If ComboFix tells you it has expired or needs to be updated to a new version, make sure you allow it to update.
    • Open Notepad and copy/paste the text in the below quote box into it:
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below
    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.
    If ComboFix does not reboot your PC, reboot it yourself and after reboot, continue with the below.

    Now download the current version of MGtools and save it to your root folder. Overwrite your previous MGtools.exe file with this one.

    Run MGtools.exe ( Note: If using Vista make sure UAC is still disabled. Also don't double click on it, use right click and select Run As Administrator )

    Now attach the below log:
    • C:\ComboFix.txt
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
  35. bowks

    bowks Private First Class

    Hello

    Thanks for your help. I will have a play around and see how things go, but in the mean time, please find attached logs as requested.
     

    Attached Files:

  36. bowks

    bowks Private First Class

    It's running great. The only thing that is still a little weird is that the text on the desktop under every icon is highlighted still. But other than that, it's fine.

    Thank you very much.

    Gail
     
  37. bowks

    bowks Private First Class

    I don't know how or why, but I logged on tonight - and no highlighted text. Everything is back to normal. I can't thank you guys enough. You are awesome! :-D
     
  38. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Great! :)

    Now, is everything running okay since you followed Chaslang's instructions? I assume so, but I want to hear from you before I give you final steps.
     
  39. bowks

    bowks Private First Class

    Yes, it's running great! Absolutely back to normal. Doing everything it should and nothing that it shouldn't. I LOVE you guys. I am so grateful. I love my laptop. Spend every bit of my spare time on it. Thank you, thank you, thank you. (can't thank you enough)!
     
  40. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    You're very welcome :)

    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources ( except a little disk space ) until you run a scan.
    2. If we used Pocket Killbox during your cleanup, do the below
      • Run Pocket Killbox and select File, Cleanup, Delete All Backups
    3. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /u
        • Notes: The space between the combofix" and the /u, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
    4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    7. Go to add/remove programs and uninstall HijackThis.
    8. Go to the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    9. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures pointed to by step 6 of the READ ME for your Window version and see the instructions to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    10. After doing the above, you should work thru the below link:
     
  41. bowks

    bowks Private First Class

    Hi Kes13

    Are you sure about those instructions? I tried to uninstall ComboFix, but it updated, and then ran ComboFix and ran a log. Is that right??
     
  42. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    My apologies, I work on different machines and that boilerplate wasn't updated to reflect a change in the uninstall commands... try this:

     
  43. bowks

    bowks Private First Class

    All done! Feel like my laptop is squeaky clean :) I'm over the moon. Thank you again.

    regards

    Gail
     
  44. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    You're very welcome! :)
     