TornTV Infection

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by Quelthias, Jan 22, 2013.

  1. Quelthias

    Quelthias Private E-2

I have a Windows XP Service Pack 2 32-bit system.

I was downloading a torrent.
Immediately a file called TornTV requested to be downloaded.
I clicked Close; it installed anyway.

Next I knew I had a virus, so I went to MajorGeeks.com and followed all of the steps.
After I downloaded a program to remove disk emulation software (Defogger.exe), I disabled the disk emulation software and it asked me to restart the computer.
After the computer restarted, a window appeared while Windows XP was loading which states: "This copy of Windows is not activated".
Next I cleaned the temporary files using CCleaner on every profile on this computer.
I proceeded to follow the steps and downloaded all of the tools (RogueKiller, Malwarebytes, TDSSKiller, HitmanPro, MGtools).

I then loaded the page detailing the Windows XP removal steps.

I first ran RogueKiller and saved the log.
Next I ran Malwarebytes, ran the scan, removed the files, restarted, then ran it again 2 more times, each time saving the log after removing the malicious programs. After the 3rd time, Malwarebytes did not request a restart; however, it continued to find a malicious program.
Next I scanned with TDSSKiller and had no results.
Next I scanned with HitmanPro, which had 3 results; I clicked Ignore on all and saved the logs.

    After running MGtools, an error screen popped up:

    Please help us improve HijackThis by reporting this error
    Click Yes to submit
    Error Details:
    An Unexpected error has occured at procedure: modRegistry_IniGetString(sFile==system.ini,sSection==boot, sValue==Shell)
    Error #5 - Invalid procedure call or argument
    WindowsVersion: Windows NT 5.01.2600
    MSIE version: 8.0.6001.18702
    HijackThis version: 2.0.4

    I disabled AVG and then MGtools finished without errors.

Finally, I ran the scans from each program again, starting with RogueKiller, then Malwarebytes, TDSSKiller, HitmanPro and MGtools.
(Let me know if you want the old reports as well.)

    Below are my attached reports.
     


  2. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Re run Hitman and have it delete Malware remnants and Potential Unwanted Programs.

    Uninstall the below with Revo Uninstaller.

    • Ask Toolbar (OEM1002) for Internet Explorer
    • TornTV

    Are you aware of this from the HJT log?
    • O1 - Hosts: 64.24.234.120 swirve.com # Added by Utopia Angel

    Delete this if present:
    C:\Program Files\TornTV.com

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. (Right click and run as admin if using Vista or Windows7) Then attach the new C:\MGlogs.zip file that will be created by running this.

    Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now!
     
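As an added example for study (not part of the thread, and not HijackThis's own code), here is a small Python re-implementation of the two HijackThis checks that came up above: the O1 hosts-file audit behind the swirve.com line Kestrel13! asked about, and the system.ini [boot] Shell= read that failed with "Invalid procedure call or argument" during the MGtools run. The hosts and system.ini text inside it is constructed sample data, not the poster's actual files, and the `example.invalid` hostnames are made up.

```python
"""Two HijackThis-style checks re-implemented for study:
the O1 hosts-file audit and the system.ini [boot] Shell= check.
Both inputs below are constructed sample text, not real files."""
import configparser
import ipaddress
from dataclasses import dataclass

# Constructed sample hosts file. The swirve.com line mirrors the O1 entry
# quoted in the thread; the example.invalid lines are invented.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
64.24.234.120   swirve.com # Added by Utopia Angel
0.0.0.0         ads.example.invalid   # ad-blocking style entry
127.0.0.1       update.example.invalid # pins an update host to loopback
"""

# Constructed sample system.ini. A stock XP install has Shell=Explorer.exe.
SAMPLE_SYSTEM_INI = """\
[boot]
shell=Explorer.exe
[drivers]
wave=mmdrv.dll
"""

DEFAULT_LOCAL_NAMES = {"localhost", "localhost.localdomain"}
DEFAULT_SHELL = "explorer.exe"


@dataclass(frozen=True)
class HostsFinding:
    address: str
    hostname: str
    comment: str
    reason: str  # "redirect", "block" or "unparseable address"


def parse_hosts(text):
    """Parse hosts-file text into (address, hostname, comment) tuples.

    Blank lines and pure comments are skipped. A trailing '# ...' comment is
    kept because installers often sign their edits there (as in the
    'Added by Utopia Angel' line from the thread).
    """
    entries = []
    for raw in text.splitlines():
        line, _, comment = raw.partition("#")
        fields = line.split()
        if len(fields) < 2:
            continue
        address, names = fields[0], fields[1:]
        for name in names:
            entries.append((address, name, comment.strip()))
    return entries


def audit_hosts(text):
    """Return every non-default hosts entry, the way the HJT O1 check does.

    'redirect': a name is sent to some real address (what the O1 line shows).
    'block': a name is sunk to loopback/0.0.0.0; harmless for ad hosts, but
    the same trick is used to stop AV/update servers from being reached.
    """
    findings = []
    for address, name, comment in parse_hosts(text):
        try:
            ip = ipaddress.ip_address(address)
        except ValueError:
            findings.append(HostsFinding(address, name, comment, "unparseable address"))
            continue
        local_sink = ip.is_loopback or ip.is_unspecified
        if local_sink and name.lower() in DEFAULT_LOCAL_NAMES:
            continue  # the stock 'localhost' lines
        reason = "block" if local_sink else "redirect"
        findings.append(HostsFinding(address, name, comment, reason))
    return findings


def read_boot_shell(ini_text):
    """Return the [boot] Shell= value, or None if the section or key is absent.

    HijackThis reads this via the Windows INI API and the thread shows that
    read raising an error; here a missing section/key or unparseable file is
    reported as None instead of an exception so the scan can carry on.
    """
    parser = configparser.ConfigParser(interpolation=None)
    try:
        parser.read_string(ini_text)
    except configparser.Error:
        return None
    return parser.get("boot", "shell", fallback=None)


def shell_is_default(ini_text):
    """True only when Shell= is exactly the stock Explorer.exe (case-insensitive)."""
    value = read_boot_shell(ini_text)
    return value is not None and value.strip().lower() == DEFAULT_SHELL


if __name__ == "__main__":
    for f in audit_hosts(SAMPLE_HOSTS):
        print(f"O1 - Hosts: {f.address} {f.hostname} [{f.reason}] {f.comment}")
    print("system.ini Shell=", read_boot_shell(SAMPLE_SYSTEM_INI),
          "(default)" if shell_is_default(SAMPLE_SYSTEM_INI) else "(NON-DEFAULT)")
```

Run it as-is to see the constructed swirve.com entry reported as a redirect and the two sink entries reported as blocks; a Shell= value that is anything other than Explorer.exe (an extra program appended after it, for instance) is reported as non-default rather than trusted.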
  3. Quelthias

    Quelthias Private E-2

Wow, thank you very much, Kestrel!
Can I call the Medic from Team Fortress 2 (because you heal people so quickly)? Thanks, doc!

    I used Hitman and deleted the three things it found.

Next I installed Revo Uninstaller.
I uninstalled the Ask Toolbar using the Moderate setting.
The uninstaller removed the program and asked me if I wanted to get rid of the 4 registry entries. I said yes and only deleted the 4 files related to Ask Toolbar.
(I don't like messing with the registry.)

Next I ran an advanced scan for "torn" and deleted the registry values as well as the Torn files located across the hard drive (including My Documents, Program Files\Torn, etc.).


    O1 - Hosts: 64.24.234.120 swirve.com # Added by Utopia Angel
Oh, this brings back memories...
Have you ever heard of the game called Utopia from swirve.com?
Utopia Angel is a calculation program to help people determine if their attack will be successful.
While it runs it modifies your computer's ability to copy/cut a block of text.

I double-clicked on the C:\MGtools\GetLogs.bat file.
(Hitman and MGlogs.zip are attached below.)

Next I restarted the computer.


The popup "Windows Genuine Advantage: This copy of Windows is not activated." continues to show in my system tray and when I start Windows.

    Is this malware?
    Or is this from using the Defogger to cancel the emulation?
     


  4. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

I am not sure about that; you would have to ask about it in the software forum. :)

    Glad all is running well. Ready for final steps?

    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep Malwarebytes Anti-Malware for scanning/removal of malware.
    2. If we had you use ComboFix, uninstall ComboFix (this uninstall will only work as written if you installed ComboFix on your Desktop like we requested).
      • Press and hold the Windows key and then press the letter R on your keyboard. This opens the Run dialog box.
      • Copy and paste the below into the Run box and then click OK. Note that the quotes are required:
        "%userprofile%\Desktop\combofix" /uninstall
      • Note: the space between combofix" and /uninstall must be there.
      • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
    3. Go back to step 4 of the READ ME and re-enable your disk emulation software with Defogger if you had disabled it.
    4. Go to add/remove programs and uninstall HijackThis. If you don't see it or it will not uninstall, don't worry about it. Just move on to the next step.
    5. If running Vista or Win 7, it is time to make sure you have re-enabled UAC by double-clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    6. Go to the C:\MGtools folder and find the MGclean.bat file. Double-click (if running Vista, Win 7 or Win 8, right-click and Run As Administrator) on this file to run this cleanup program, which will remove files and folders related to MGtools and some other items from our cleaning procedures.
    7. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others) and running MGclean.bat did not remove them, you can delete these files now.
    8. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    9. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures pointed to by step 6 of the READ ME
        for your Windows version and see the instructions to Disable System Restore, which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    10. After doing the above, you should work through the below link:
     
