Need help removing Malware & Hijacker

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by paws26, Feb 13, 2010.

  1. paws26

    paws26 Private E-2

I picked up some malware about 1 week ago while using my netbook at home with a wireless router. My browser was taken over and new pages started opening up, mostly porn sites. Then fake anti-virus messages started popping up. I couldn't get the browsers to close so I shut off my wireless service. Reconnecting to my wireless router immediately started browsers popping up, so I disconnected again. I used my other computer to download executable virus removal tools to a flash drive. I started my netbook in safe mode. Stinger & RemoveFakeVirus sw found malware and did some clean up. I then used my flash drive to install SuperAntiSpyware and ran that. That also found some malware and deleted it. I turned my wireless back on but was unable to connect to the internet. Found that some of my settings had been changed, fixed that and was able to connect again. Thought I was ok, but then my browser was hijacked again, first to another porn site, then rerouting google searches. Came to your site and have run through all of the guidelines for cleaning my system and getting help. Was able to run SuperAntiSpyware, was able to download and install Malwarebytes but it will not execute. Was not able to download combofix - Got error code of 'Couldn't find server at bleepingcomputer.com'. Downloaded and ran RootRepeal and MGTools. I am still having problems. My browser will still not connect to certain sites and I am still being re-routed from google and wikipedia to ad pages and porn. Your help would be greatly appreciated. I have attached the files from the programs I was able to run. Thank you.
     

    Attached Files:

  2. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Let's do this:

    Download The Avenger by Swandog469, and save it to your Desktop.

    * Extract avenger.exe from the Zip file and save it to your desktop

    * Please download TDSSKiller to your Desktop
    * Extract its contents to your Desktop so that you have TDSSKiller.exe directly on your Desktop and not in any subfolder of the Desktop.
    * Click Start > Run and copy/paste the following bold command into Run box and hit Enter.

    "%userprofile%\Desktop\TDSSKiller.exe" -v

    * Follow the instructions to type in "delete" when it asks you what to do when it finds something.
    * When done, a log file should be created on your C: drive named something like TDSSKiller.2.1.1_27.12.2009_14.17.04_log.txt which is based on the program version # and date and time run. Please attach this log to your next reply.

    Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    After clicking Fix, exit HJT.

    Now copy just the bold text below to notepad (Do not include any space above the word REGEDIT). Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.
    Make sure that you tell me if you receive a success message about adding the above
    to the registry. If you do not get a success message, it definitely did not work.


    * Run avenger.exe by double-clicking on it.
    * Do not change any check box options!!
    * Copy everything in the Quote box below, and paste it into the Input script here: part of the window:

    * Now click the Execute button.
    * Click Yes to the prompt to confirm you want to execute.
    * Click Yes to the Reboot now? question that will appear when Avenger finishes running.
    * Your PC should reboot, if not, reboot it yourself.
    * A log file from Avenger will be produced at C:\avenger.txt and it will popup for you to view when you login after reboot.

    Now run Ccleaner to clean out only temp files and nothing else!

    Now see if you can run both MBAM and ComboFix.....attach those logs if you can.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:
    * C:\TDSSKiller.txt
    * C:\Avenger.txt
    * C:\MGlogs.zip

    Make sure you tell me how things are working now!
     
  3. paws26

    paws26 Private E-2

    Re: Need help removing Malware & Hijacker - Update

    Hi TimW, Thank you for taking on my case. I have gone through all of your suggestions and attached the new logs. However I did have some problems starting with the TDSSKiller run. When it was finished running it did not ask me if I wanted to delete, but it did say hit Y to restart or N to continue and errors would be deleted on reboot. I hit Y to reboot. (Possible mistake!) Upon rebooting I went to a blue screen with the following error:

    A problem has been detected and windows has been shut down to prevent damage to your computer.
    IRQL_NOT_LESS_OR_EQUAL
    (and a lot more..... let me know if you need more detail)

    I restarted my computer in safe mode and finished the rest of the runs.

    I did receive a success message when I ran the REGEDIT4.

    Next I ran avenger.exe. Ran CCleaner. Was able to finally run malwarebytes - said it found Trojan.banker.

    Ran combofix - once it rebooted I got the same blue screen error. I am attaching the files that I have transferred to a different computer.
    Also I ended up with 2 TDSS logfiles, not sure how - I don't think I reran it - maybe it reran after I rebooted. (?) I will attach both.

    Right now I can only start my netbook in safemode - still getting the blue screen error message.
     

    Attached Files:

  4. paws26

    paws26 Private E-2

    Here is the 2nd TDSS log file.
     

    Attached Files:

  5. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    I am hoping that it did remove what it said it did!

    One more to remove, which you can do manually. Use windows explorer to find and delete:
    C:\Documents and Settings\All Users\Application Data\mswintmp.dat

    Now see if you can run ComboFix.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:

    * C:\ComboFix.txt
    * C:\MGlogs.zip

    Make sure you tell me how things are working now!
     
  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    @TimW, you should use Avenger to remove the hidden driver: _VOIDd.sys just in case TDSSKiller did not get it removed.
     
  7. paws26

    paws26 Private E-2

    As an FYI, all of the following were run in safe mode as I still can't get my netbook to boot up normally.

    Ok, I have deleted mswintmp.dat

    I have run combofix again and am attaching the log - I named it combofix2_16.txt

    I ran MGTOOLS.bat and am attaching the zip file.

    I tried to restart my netbook again, I get the following error msg on a blue screen.

    IRQL_NOT_LESS_OR_EQUAL

    STOP: 0x0000000A (0x00000201, 0x00000002, 0x00000001, 0x806E6A2A)

    While MGTOOLS was running I saw that the file iastor.sys could not be found. Perhaps that's causing my latest error? Have I gone from a virus/malware problem to a missing software problem?

    Thanks for your continued assistance, you guys are great.
     

    Attached Files:

  8. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Things look good, but let's do as Chas suggested and make sure the driver is gone.

    Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

    * Run avenger.exe by double-clicking on it.
    * Do not change any check box options!!
    * Copy everything in the Quote box below, and paste it into the Input script here: part of the window:

    * Now click the Execute button.
    * Click Yes to the prompt to confirm you want to execute.
    * Click Yes to the Reboot now? question that will appear when Avenger finishes running.
    * Your PC should reboot, if not, reboot it yourself.
    * A log file from Avenger will be produced at C:\avenger.txt and it will popup for you to view when you login after reboot.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:

    * C:\Avenger.txt
    * C:\MGlogs.zip

    Make sure you tell me how things are working now!
     
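A post-cleanup verification script for the leftovers named in this thread, added here as an example and not part of the thread or of the MajorGeeks tools. It assumes the hidden driver registers a service key named _VOIDd (derived from the file name _VOIDd.sys; this is an assumption) and that it is run from an administrator command prompt on the XP-era system described above.

```batch
@echo off
REM Added example: check that the artifacts discussed in this thread are gone.
REM Assumption: the rootkit's service key is HKLM\...\Services\_VOIDd (named after _VOIDd.sys).
setlocal
set FOUND=0

REM 1. Dropped data file TimW asked to delete by hand (post 5)
if exist "%ALLUSERSPROFILE%\Application Data\mswintmp.dat" (
    echo [!] mswintmp.dat still present in All Users\Application Data
    set FOUND=1
)

REM 2. Hidden driver file (post 6) and its service registration
if exist "%SystemRoot%\system32\drivers\_VOIDd.sys" (
    echo [!] _VOIDd.sys still present in system32\drivers
    set FOUND=1
)
reg query "HKLM\SYSTEM\CurrentControlSet\Services\_VOIDd" >nul 2>&1
if not errorlevel 1 (
    echo [!] Service key for _VOIDd is still registered
    set FOUND=1
)

REM 3. Storage driver MGtools reported as missing (post 7); its absence is
REM    worth confirming separately from the malware cleanup
if not exist "%SystemRoot%\system32\drivers\iastor.sys" (
    echo [!] iastor.sys is missing from system32\drivers
    set FOUND=1
)

if %FOUND%==0 echo [OK] None of the thread's leftover artifacts were found
endlocal
```

Run it again after each reboot; a rootkit that hides its files from Explorer will also hide them from this script, so a clean result here is only meaningful after the TDSSKiller and Avenger steps have completed.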
  9. paws26

    paws26 Private E-2

    Ok, avenger.exe run per your instructions.
    MGTOOLS run. Logs are attached for both.

    As for how things are - not so good yet, my netbook will still not boot up normally, still getting blue screen error. I'm hoping that gets fixed next! :)

    Thanks a lot for your continued help.
     

    Attached Files:

  10. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    One more item to remove and then you will need to tell me exactly what happens when you try to boot into normal startup.

    Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    After clicking Fix, exit HJT.

    Now copy just the bold text below to notepad (Do not include any space above the word REGEDIT). Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.
    Make sure that you tell me if you receive a success message about adding the above
    to the registry. If you do not get a success message, it definitely did not work.


    * Run avenger.exe by double-clicking on it.
    * Do not change any check box options!!
    * Copy everything in the Quote box below, and paste it into the Input script here: part of the window:

    * Now click the Execute button.
    * Click Yes to the prompt to confirm you want to execute.
    * Click Yes to the Reboot now? question that will appear when Avenger finishes running.
    * Your PC should reboot, if not, reboot it yourself.
    * A log file from Avenger will be produced at C:\avenger.txt and it will popup for you to view when you login after reboot.

    Now run Ccleaner to clean out only temp files and nothing else!

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:

    * C:\Avenger.txt
    * C:\MGlogs.zip

    Make sure you tell me how things are working now!
     
  11. paws26

    paws26 Private E-2

    I've run the steps requested and the logs are attached.

    When I restarted my netbook this is what happens:

    The Dell symbol comes up with Inspiron - it looks like it's booting up, then it goes to the Windows screen, looks like it's starting normally, then jumps to a completely blue screen with the following text:

    A problem has been detected and windows has been shut down to prevent damage to your computer.
    IRQL_NOT_LESS_OR_EQUAL
    (More info about errors msgs, restarting, disable newly installed hw or sw and the following...)
    Technical Information:
    *** STOP: 0x0000000A (0x00000201,0x00000002,0x00000001,0x806E6A2A)

    And that's it. Thanks for your continued help.
     

    Attached Files:

  12. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Your logs are clean. The fact that it only happens in normal startup gives me the impression it may be a driver conflict. You will need to post in the software forum to try to further track this issue down.

    Since you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no real-time protection. They are useful as backup scanners. They do not use any significant amount of resources (except a little disk space) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required.
      • "%userprofile%\Desktop\combofix" /uninstall
        • Note: the space between the combofix" and the /u must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
    3. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    4. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    5. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    6. Go to add/remove programs and uninstall HijackThis.
    7. Goto the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    8. If you are running Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures in step 3 of the READ ME for your Windows version and see the instructions to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    9. After doing the above, you should work thru the below link:
     
  13. paws26

    paws26 Private E-2

    Thank you TimW. I will now throw myself on the mercy of the sw group and see if they can get my computer back to normal. Thanks for all of your help and I will not be so silly as to not have AV sw on my computer in the future. Hopefully I will not have to return here.
     
  14. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    You are most welcome. Do first check in device manager for any errors there (?, !, X, etc.).
     
