Help with malicious software being malicious

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by mdk5000000, Sep 14, 2009.

  1. mdk5000000

    mdk5000000 Private E-2

So problems started about a month ago for this laptop, when I noticed a virus scanner running in the toolbar (I had never seen nor installed this scanner). I suspected it was malware, so I ran a virus scan and it got rid of this scanner. A couple of weeks later, we've got problems. With web browsing, clicking on links from a web browser like Google leads to a completely unrelated site. I have to type the actual site into the address bar. Also, periodically the computer will start playing an ad (sound only). Nothing will pop up on screen, but if I open up the task manager, iexplorer.exe will be running when it previously wasn't. Ending this program stops the ad. And lastly, sometimes on startup, the screen will hang on the "HP screen." Not sure what it's called, but it's a screen that's displayed before showing the various users to log into on this laptop.

I've taken a go at running through the "READ & RUN ME FIRST" thread. I've gotten through all the steps up to step 6, which involves the actual cleaning procedures. The only thing I could get to run for this series of steps was the MGtools program, from which I've attached a log. All the others I either can't install, or I can install them but when I try to run them nothing pops up and they don't show up in the task manager. I've tried renaming the SAS file in order to install it, and no dice. Not sure what course of action I should take at this point. And... yeah. Hoping to get some help; t'would be appreciated!
     


  2. mdk5000000

    mdk5000000 Private E-2

    One more thing to add. I recently did an online scan with Trend Micro Housecall 6.5. It detected TROJ_VUNDOINI.A and MAL_VUNDOG, along with vulnerabilities in MS09-011 through MS09-015, MS09-026, and MS09-029.
An attempt at cleaning the infections with the scanner resulted in... nothing? The scanner proceeds with the cleaning, hits 0 on the timer, and goes idle. But nothing on the page changed; it still listed the infections (this hasn't happened in past uses of the scanner). Just seeing if this is information I can follow up on.
     
  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Major Geeks!

    Why did you put MGtools in the below folder?
    C:\04b9ac26bb7679adda7624be7e\MGtools.exe

    It does not belong there. Please delete this immediately.


    Now you must disable Spybot's Teatimer as requested in the READ & RUN ME. See this: How to disable Spybot's TeaTimer

    Now download HostsXpert and then follow the below steps.
    • Unzip HostsXpert.zip
    • It will create a folder named HostsXpert in whatever folder you extract it to.
    • Run HostsXpert.exe by double clicking on it.
    • Click the Make Writeable? button. (if you only see a Make Read-Only selection, it is already writeable so skip this button).
    • Click Restore Microsoft's Hosts File and then click OK.
    • Click the X to exit the program
    Run this Disable/Remove Windows Messenger to remove Windows Messenger. Do not confuse Windows Messenger with MSN Messenger because they are not the same. Windows Messenger is a frequent cause of popups.

Run C:\MGtools\analyse.exe by double-clicking on it (Note: if using Vista, don't double-click; use right-click and select Run As Administrator). This is really HijackThis (select Do a system scan only). Select the following lines, but DO NOT CLICK FIX until you exit all browser sessions, including the one you are reading in right now:

    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (file missing)
    O2 - BHO: {945f4813-f99e-9abb-07e4-6340be181561} - {165181eb-0436-4e70-bba9-e99f3184f549} - C:\WINDOWS\system32\kwatkd.dll (file missing)
    O2 - BHO: (no name) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - (no file)
    O2 - BHO: (no name) - {79f5dcb7-9097-4e2c-ac45-ef6e8108142f} - C:\WINDOWS\system32\movanama.dll (file missing)
    O4 - HKLM\..\Run: [hidedufeze] Rundll32.exe "C:\WINDOWS\system32\dahogemu.dll",s
    O4 - HKLM\..\Run: [CPM16129632] Rundll32.exe "c:\windows\system32\yijokuwu.dll",a
    O4 - HKLM\..\Run: [1521a5ae] rundll32.exe "C:\WINDOWS\system32\firovopa.dll",b
    O4 - HKLM\..\Run: [PersonalAV] C:\Program Files\PersonalAV\pav.exe
    O16 - DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} (Java Plug-in 1.5.0_06) -
    O20 - AppInit_DLLs: C:\WINDOWS\system32\gotipoko.dll c:\windows\system32\juruzuhu.dll veljcj.dll c:\windows\system32\rejanote.dll tykxgw.dll c:\windows\system32\yijokuwu.dll kwatkd.dll c:\windows\system32\fogokili.dll c:\windows\system32\fuyopeyu.dll
    O23 - Service: Viewpoint Manager Service - Unknown owner - C:\Program Files\Viewpoint\Common\ViewpointService.exe (file missing)

    NOTE: HJT may popup an error about the AppInit_DLLs line. Ignore it and click OK to continue.

    Now download The Avenger by Swandog46, and save it to your Desktop.
    • Extract avenger.exe from the Zip file and save it to your desktop
    • Run avenger.exe by double-clicking on it.
    • Do not change any check box options!!
    • Copy everything in the Quote box below, and paste it into the Input script here: part of the window:
    • Now click the Execute button.
    • Click Yes to the prompt to confirm you want to execute.
    • Click Yes to the Reboot now? question that will appear when Avenger finishes running.
    • Your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt and it will popup for you to view when you login after reboot.

    Now see if you can run SUPERAntiSpyware, Malwarebytes, ComboFix, and RootRepeal per the READ & RUN ME.

    Now run Ccleaner. Only use the Run Cleaner button. Do not run anything else on any other forms.

Now run the C:\MGtools\GetLogs.bat file by double-clicking on it (Note: if using Vista, don't double-click; use right-click and select Run As Administrator).

    Then attach the below logs:
    • C:\avenger.txt
    • the logs from SUPERAntiSpyware, Malwarebytes, ComboFix, and RootRepeal if they ran
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
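As an added example (not part of the thread, and not a MajorGeeks or HijackThis tool), the script below applies the triage rules chaslang is implicitly using above to a HijackThis log: registry entries that point at files which no longer exist ("file missing" / "no file"), O4 autoruns that load a DLL through rundll32 with a one-letter export, an O16 DPF object with no download URL, the O20 AppInit_DLLs list (which gets injected into every process that loads user32.dll), and any other entry whose DLL also appears in that AppInit list. The sample log is constructed from the eleven HijackThis lines quoted in the post; the line-format assumptions (`O<n> - <body>`, Windows paths, the `(file missing)` marker) and the rule names are this example's own.

```python
"""Triage a HijackThis scan for the patterns singled out in the thread above."""
import re

# Constructed sample: the eleven HijackThis lines quoted in chaslang's reply.
HJT_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (file missing)
O2 - BHO: {945f4813-f99e-9abb-07e4-6340be181561} - {165181eb-0436-4e70-bba9-e99f3184f549} - C:\WINDOWS\system32\kwatkd.dll (file missing)
O2 - BHO: (no name) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - (no file)
O2 - BHO: (no name) - {79f5dcb7-9097-4e2c-ac45-ef6e8108142f} - C:\WINDOWS\system32\movanama.dll (file missing)
O4 - HKLM\..\Run: [hidedufeze] Rundll32.exe "C:\WINDOWS\system32\dahogemu.dll",s
O4 - HKLM\..\Run: [CPM16129632] Rundll32.exe "c:\windows\system32\yijokuwu.dll",a
O4 - HKLM\..\Run: [1521a5ae] rundll32.exe "C:\WINDOWS\system32\firovopa.dll",b
O4 - HKLM\..\Run: [PersonalAV] C:\Program Files\PersonalAV\pav.exe
O16 - DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} (Java Plug-in 1.5.0_06) -
O20 - AppInit_DLLs: C:\WINDOWS\system32\gotipoko.dll c:\windows\system32\juruzuhu.dll veljcj.dll c:\windows\system32\rejanote.dll tykxgw.dll c:\windows\system32\yijokuwu.dll kwatkd.dll c:\windows\system32\fogokili.dll c:\windows\system32\fuyopeyu.dll
O23 - Service: Viewpoint Manager Service - Unknown owner - C:\Program Files\Viewpoint\Common\ViewpointService.exe (file missing)
"""

# "O2 - BHO: ..." -> kind "O2", body "BHO: ..."  (assumed HJT line layout)
ENTRY_RE = re.compile(r"^(O\d+)\s+-\s+(.*)$")
# A Windows path ending in .dll/.exe; spaces allowed, stops at a quote or comma.
PATH_RE = re.compile(r'[A-Za-z]:\\[^",]+?\.(?:dll|exe)', re.IGNORECASE)
# rundll32.exe "<dll>",<single-letter export>  -- the O4 shape seen in the log
RUNDLL_RE = re.compile(r'rundll32\.exe\s+"[^"]+",\s*[a-z]\s*$', re.IGNORECASE)


def basename(path):
    """Lower-cased file name without directory, so bare and full paths compare equal."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def parse_hjt(text):
    """Return one dict per HJT entry: kind, raw line, referenced file names, missing flag."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        kind, body = m.groups()
        if kind == "O20" and body.startswith("AppInit_DLLs:"):
            # AppInit_DLLs is a whitespace-separated list mixing full and bare names.
            files = [basename(t) for t in body.split(":", 1)[1].split()]
        else:
            files = [basename(p) for p in PATH_RE.findall(body)]
        entries.append({
            "kind": kind,
            "raw": m.group(0),
            "files": set(files),
            "missing": "(file missing)" in body or "(no file)" in body,
        })
    return entries


def appinit_dlls(entries):
    """Set of DLL names the O20 AppInit_DLLs value would inject into user32 processes."""
    return set().union(*(e["files"] for e in entries if e["kind"] == "O20"))


def triage(entries):
    """Return [(raw_line, [reason, ...])] for entries that match a triage rule."""
    injected = appinit_dlls(entries)
    findings = []
    for e in entries:
        reasons = []
        if e["missing"]:
            reasons.append("orphaned: registry points at a file that no longer exists")
        if e["kind"] == "O4" and RUNDLL_RE.search(e["raw"]):
            reasons.append("autorun via rundll32 calling a one-letter export")
        if e["kind"] == "O16" and e["raw"].rstrip().endswith("-"):
            reasons.append("DPF object with no download URL")
        if e["kind"] == "O20":
            reasons.append(f"AppInit_DLLs injects {len(e['files'])} DLL(s) into every user32 process")
        elif e["files"] & injected:
            shared = ", ".join(sorted(e["files"] & injected))
            reasons.append(f"same DLL also listed in AppInit_DLLs: {shared}")
        if reasons:
            findings.append((e["raw"], reasons))
    return findings


if __name__ == "__main__":
    for raw, reasons in triage(parse_hjt(HJT_LOG)):
        print(raw)
        for r in reasons:
            print("   ->", r)
```

On the quoted log this flags ten of the eleven lines; the one it leaves alone is the `[PersonalAV]` Run entry, whose only tell is the product name. Reputation checks like that need a list of known rogue names or file hashes, which this script deliberately does not carry; everything else it flags comes from the structure of the entry itself.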
