Malware, virus, I need serious help please!

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by superslo, Aug 10, 2009.

  1. superslo

    superslo Private E-2

    Ok here's the scoop. I noticed my computer had been running slow some time ago and began looking around on the hard drive and other places. Since then, I discovered a complete mirror of my hard disk, and mailing logs of Excel files of each and every process and task I undertook on my computer. (like my taxes!! ouch!)

    Anyway, I was quite frustrated and began deleting files, and in true virus form, a lot of them would come back. Well, needless to say, I finally rendered the hard disk useless, and had to purchase a new one. I thought well, problem solved, new hard disk, clean install, good to go.... You probably won't believe this, because I still don't, but after reinstalling Windows approx. 16 times, somehow the virus is on the hard drive before I connect to the internet. I changed out the DVD drive with a new one, that didn't work, flashed the BIOS, that didn't work, tried another new hard drive, nope....then tried a different Windows CD, just in case I had a bootleg copy. Still no! The virus moves faster now and is more noticeable than before. It has infected several computers at my house, and my work. I'm at a loss, and need some help please. Oh and they took over my router that was WPA2 secured, so I got a new one of those as well. Also did installs of Windows with the USBs disabled, but to no avail. I'm going to post the logs of what was going on before the HD crash to give you an idea of what there was. Then if you need current logs, please let me know. THANK YOU in advance!


    Here is a game log:


    Thanks!
     

    Attached Files:

    Last edited by a moderator: Aug 12, 2009
  2. Elder_Usr

    Elder_Usr Sergeant

    Welcome to Major Geeks!


    Please follow the instructions in the READ & RUN ME FIRST link given further down and attach the requested logs when you finish these instructions. The reason we need new logs is that you have replaced the hard disk, DVD drive, and, as you mentioned, multiple other things.
    • If you have problems where no tools seem to run, please try following the steps given in the below and then continue on no matter what you find. You only need to try the TDSSserv steps if having problems getting scans in the Read & Run Me First. If TDSSserv is not found, just continue on with the READ & RUN ME.
    READ & RUN ME FIRST. Malware Removal Guide
    • If something does not run, write down the info to explain to us later but keep on going.
    • Do not assume that because one step does not work that they all will not.
    • After completing the READ & RUN ME and attaching your logs, make sure that you tell us what problems still remain ( if any still do )!
    Helpful Notes:
    1. If you run into problems trying to run the READ & RUN ME or any of the scans in normal boot mode, you can run the steps in safe boot mode but make sure you tell us what you did later when you post logs. See the below if you do not know how to boot in safe mode:
    2. If you have problems downloading on the problem PC, download the tools and the manual updates for SUPERAntiSpyware, Malwarebytes and Spybot ( links are given in the READ & RUN ME) onto another PC and then burn to a CD. Then copy them to the problem PC. You will have to skip getting updates if (and only if) your internet connection does not work. Yes you could use a flash drive too but flash drives are writeable and infections can spread to them.
    3. If you cannot seem to login to an infected user account, try using a different user account (if you have one) in either normal or safe boot mode and running only SUPERAntiSpyware and Malwarebytes while logged into this other user account. Then reboot and see if you can log into the problem user account. If you can then run SUPERAntiSpyware, Malwarebytes, ComboFix and MGtools on the infected account as requested in the instructions.
    4. To avoid additional delay in getting a response, it is strongly advised that after completing the READ & RUN ME you also read this sticky:
    Any additional post is a bump which will add more delay. Once you attach the logs, your thread will be in the work queue and as stated our system works the oldest threads FIRST.

    Thanks.
     
  3. superslo

    superslo Private E-2

    Okay, will do. I'm at work right now until about midnight CST. Thanks for the quick reply!
     
  4. superslo

    superslo Private E-2

    Okay, here are all of the logs, plus two. I ran the a2 scan, which picked up several traces, which were all from Gamespy.

    Then Stinger picked up three and deleted two of them; one of them was PEV.exe if I am reading it correctly.

    Mbam and SAS didn't find anything, but before I lost my hard drive, they weren't finding anything either because of the mirror copies of all programs, and I was removed as the Administrator, and was replaced by "Administrators." And again, this was before I lost my hard drive.

    Thank you for your time, energy, and devotion to helping noobs like me try to figure out what's up with their computer.....you have no idea how much I appreciate it! I was about ready to throw my computer in the yard and turn on the sprinklers.... :boxing

    The hard disk still spins at strange times....really almost all the time, and it seems that the program that is usually running in task manager is update.exe when I can catch it.

    Let me know what else you need from me please. BTW, my name is not Bennie, lol, I was just trying to entertain myself after installing Windows approx. 30 times in a week. So far this copy seems to be somewhat stable. More so than any previous installs.

    And superdooper is SUPERAntiSpyware; I had renamed it as well when I installed it a couple of days ago, trying to thwart any detection by malware.

    Then on Stinger log, a copy was pasted to my desktop in .opt form. I found it to be odd so I am uploading it as well. Probably nothing, but thought I would let you take a look at it.
     

    Attached Files:

  5. superslo

    superslo Private E-2

    and here are the rest of the logs....

    Okay, it won't let me upload the .opt file from Stinger. I'll try to copy and paste. On second thought, I'll wait until I hear from you on what to do with that file.
     

    Attached Files:

  6. Elder_Usr

    Elder_Usr Sergeant

    Hello SuperSlo.

    Thanks for all the log postings. I'm currently in the process of looking over your logs, and will get back to you shortly.

    Thanks
     
  7. superslo

    superslo Private E-2

    Okay, thank you for your time!
     
  8. superslo

    superslo Private E-2

    I did one more alternate scan to give you some more information....I think this one will be the most informative so far...it's the kaspersky stand alone scanner.


    here are the logs...thanks again!
     

    Attached Files:

  9. Elder_Usr

    Elder_Usr Sergeant

    Hello Superslo,

    I appreciate the logs that you have given. Are you still having existing issues? If not, can you please explain what exactly is going on. Thanks
     
  10. superslo

    superslo Private E-2

    Hello Elder_User,

    Yes I am still having issues. Windows is still stable, but there is something still in the background that has taken control of the Administrator account. Instead of Administrator, it has been changed to "Administrators."

    In Avast, the ignore file list has been updated to include the following:

    avast4\UNP*.TMP
    windows\temp\*imp
    windows\winsxs\*cat
    windows\winsxs\*policy
    windows\CSC\tmp
    edb.chk
    windows\winscst*

    I searched the hard drive for all files containing CSC and it seemed rather interesting what came up. Of course the owner was listed as "Administrators." I copied the icons of the files because it wouldn't let me copy the text names of the files and pasted them into a WordPad document. I will attach it. I know you probably think I am crazy Elder_Usr, but I know something is not right.....I'm just not smart enough to figure out what, lol

    When I click on search and hit the drop-down box of where to search, there is a main HDD ( c: ) listed and also local disk ( c: ) listed....I don't know if that is normal or not. Seems odd though. There are also recyclers that look like the recycle bin but have long number and letter names (md5?), and any time I try to delete one of the files that comes with CSC.tmp or others, it always goes to the Recycler according to the Avast On-access scanner message.

    There are also a LOT of files named rcscreen(number).htm in the windows\pchealth\helpctr\packagestore\package_3.cab
    and one other strange file that belongs to the "Administrators"
    windows\$hf_mig$KB951978\sp3QFE

    The hard drive is still constant, and in the task manager, under user name in the process list and under user, it is blank......I'm also including the AVAST logs....

    Thanks for the help and your patience with my sheer ignorance!

    It will not let me attach the CSC logs with the questionable files.....any ideas? (Never mind, converted it to a txt file and got it posted.)

    Thanks again Elder!
     

    Attached Files:

    Last edited: Aug 15, 2009
  11. superslo

    superslo Private E-2

    Also Elder_usr, I was looking at your blog page and saw the Autoruns program. I hope it was all right that I downloaded it and saved the results for the Admin, Bennie, and NT Authority user. That shows ALL of it! But the files are too big to post here and I can't PM you until I have 50 posts. It shows how they (I think) are recording videos, pics, and files and then saving/sending it to themselves.....but the files are between 4 and 5 meg...wait a second, I'll just post some screenies of it.. ok that's frustrating, even saving them as monochrome 16 bit, they are still too big, 217kb.....any ideas?

    Well I resized them....wow that was a crash course in Irfanview!

    I still have three more registry screens if you decide you want them as well after looking at these autoruns and one registry screenie.

    I'll post it next....
     

    Attached Files:

  12. superslo

    superslo Private E-2

    Sorry for bumping this three times! I know it only hurts me and the response time, but I wanted to make sure you got these...

    Promise not to post anymore unless you ask me to, lol


    Thanks! :clap
     

    Attached Files:

  13. superslo

    superslo Private E-2

    Okay, I lied, sorry, one more....Avast resident protection had been removed from my computer somehow, I guess by the infection, so I installed ESET by renaming it and installing it after I disconnected from the internet. It found 6 infections....Doctor Web and SmitFraud I believe were two or more of them. Then there were a couple of files it couldn't read, and I deleted those with File Assassin from Malwarebytes.

    Here is the log. Sorry to bump it again, but I'm pumped up!!!!! :-D
     

    Attached Files:

  14. Elder_Usr

    Elder_Usr Sergeant

    Hello Superslo,

    Please do not bump any further, as mentioned before, bumping will only hurt you. I am currently looking through your provided logs to see what is required for a fix.

    Thanks,
     
  15. Elder_Usr

    Elder_Usr Sergeant

    Hello Superslo.

    After looking over your logs, it seems that your computer may be fine. Are you experiencing any direct malware, or does your computer seem to be infected in any way? Such as weird windows or pop-ups, or are you only noticing them when you're running your scans?

    Thanks,
     
  16. superslo

    superslo Private E-2

    Hey Elder,

    There is something here, I found a hidden file on the MBR that has uneraser built into it. The only reason I know that is because I lost my hard drive again! Also if I load Process Explorer, it shows that one of my svchosts is going nuts, maybe spamming? I don't know. My pagefile is locked and that was in the MBR file I was telling you about. Is it supposed to be locked? Sorry I'm not more help...the hard disk light will just flash on and off constantly now. Also if I find a file in the virus and it actually deletes it, it will not let me boot Windows. It says error, cannot load nvram, or something along those lines. That's when I know I've lost my HD...then I've tried to repair, but it just sits idle. I'm at a loss, but not a loss for words when I lose my hard drive. That's why it took me so long to respond...sorry about that, and thank you for taking time to look at this. BTW I ran a disk killer and every time I would finish writing all zeros (I got the free version, it only writes zeros, no ones) the file would still be on my HD somehow. I don't get it. I'm at a loss....Thanks again Elder!
     
  17. superslo

    superslo Private E-2

    Okay, just got my computer back up and Malwarebytes installed and it actually found something this time....here are the logs....from what I understand, whatever this thing is, it makes my antivirus, anti-spyware, etc. look like it's running but they are running in a benign state....Anyway, here ya go....
     

    Attached Files:

  18. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    It did not find anything that is a valid detection. You should report all of those false detections to Malwarebytes. Those are all valid Microsoft files, and what is seen in System Restore is just copies of the same false detections.
     
  19. superslo

    superslo Private E-2

    Okay thanks Chaslang,

    Do you know why I would have so many duplicate files? I am currently running Advanced System Care Free, because each time I lose my hard drive, I try to change up the AVs and firewalls. Well, Advanced System Care will actually do a scan to see how many duplicates there are. Most of them are in system32 and copied in dllcache or vice versa. Sorry I'm such a noob, and am prolly asking dumb questions. I just don't understand why I keep losing my hard drive. It will either blue screen on me or simply freeze up and Windows won't load. I even tried wiping the hard drives using Drive Scrubber. I have tried 5 new hard drives, all brand new out of the box, and I don't attach to the internet until the clean install is completed. Even flashed my BIOS, just in case. Nothing! It is VERY frustrating.

    Thank you guys and gals for all of your help and patience with me and my rookie computer level!
     
  20. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Don't know what you are referring to, but if you are not formatting before reinstalling then perhaps you are creating duplicate folders and files from reinstalls.

    I don't know what you mean by "lose my hard drive". Do you mean it is physically broken and you have to replace it with a new drive? A BSOD does not mean you have lost your hard drive, so if that is what you meant then don't say you lost your hard drive. A BSOD is an operating system crash.

    Then it sounds to me like you need to get someone to help you with your reinstalls because you may be doing something wrong.

    I suggest that you also continue in the Software Forum for help since these are not malware problems. You are having issues with something you are doing on your end or with the hardware in your PC.
     
  21. superslo

    superslo Private E-2

    I am using Drive Scrubber and formatting the HD between installs and leaving the ethernet unplugged. When I say I have duplicate files, I mean something has made an ENTIRE mirror of my hard drive.

    Yes, I know what a BSOD is. I usually O/C my Intel Q9450 to 3.2 from 2.8GHz, but I have been running it stock since I have been having problems. Also I usually have my vid card OCed, but I have been leaving it set @ default as well. By lose my hard drive, I should say, Windows becomes corrupt and will not repair itself even with the Windows disk and booting from the Windows disc. When this happens it either blue screens on me, or simply tries to reboot over and over again.

    I really don't think I am doing anything wrong with the reinstalls or software....could be cuz I know I'm not that smart and I'm not by any means trying to say I'm smarter than you. I just know that all of my files have been duplicated and it removes me as the Administrator and makes the new Admin's name Administrators.

    And Windows Update has been disabled. It looks as if it disables SP3 and reverts me to SP2 according to HijackThis. HijackThis also states that I do not have any firewall or antivirus running even though I have Norton downloaded along with MBAM. I have tried repeatedly to install Online Armor firewall, but it errors and will not let me install it, even with clean installs each time.

    PLEASE understand I'm not trying to say I know more than you, but there really is something not right with my computer.....please help me or I'm going to have to buy a new computer, and this one is only a year old. I even flashed the BIOS thinking perhaps the virus had metastasized in the flash memory of the MB, but nope! Thank you for hearing me out and for all of your and the Elder's help!
     
  22. superslo

    superslo Private E-2

    Here is a HijackThis log. Maybe it can or will help. I'm at a loss!
     

    Attached Files:

  23. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I'm sorry but you are in the wrong forum. You are not having malware problems. I suggest that you look for help doing a clean installation in the Software Forum.
     
  24. superslo

    superslo Private E-2

    Okay, thanks for all of your help...I'll just post one more attachment. Thanks for all of your help guys/gals for the super noob, lol.

    If it means anything, I'm now getting pop-ups where ESET will block pages like SDFix and other anti-malware sites, so I uninstalled it.


    Really chaslang you guys are the bomb, and I can't thank you enough for the services you provide for FREE!

    Thank you again!
     

    Attached Files:

    Last edited: Aug 30, 2009