Malware / Virus Really Working Over PC

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by millejef, Nov 23, 2012.

  1. millejef

    millejef Private E-2

    I am trying to help my Dad with his computer and this one has got me baffled. The malware or virus has made it so you cannot execute MSCONFIG, you cannot open an Internet Explorer browser, you cannot install a program from a thumb drive like a virus checker, etc. When I started working on the computer yesterday I was able to do a few things but now it has taken over it seems. I am attaching the MGTools logs to see if someone out there has ideas for me.

    Thank you in advance for any help!

    Jeff
     

    Attached Files:

  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Major Geeks!


    What about the other scans requested in the READ & RUN ME? Are you not able to run the below?
    • RogueKiller
    • Malwarebytes
    • TDSSKiller
    • Hitman Pro
    If you ran the above, then please attach the logs that were requested. If you did not run them then please do so and attach the logs. If you could not run them, please explain what happens.

    See if you can also uninstall the below right now:
    J2SE Runtime Environment 5.0 Update 6
    Java(TM) 6 Update 35
    Java(TM) 6 Update 7
    Knology Toolbar
    Produtools Manuals 2.1 Toolbar
    Spybot - Search & Destroy


    Now install the current version of Sun Java from: Sun Java Runtime Environment


    Now run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista or Win 7, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://toolbar.inbox.com/search/dispatcher.aspx?tp=aus&qkw=%s&tbid=%tb_id&%language
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.sweetim.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.sweetim.com
    R3 - URLSearchHook: (no name) - {81017EA9-9AA8-4A6A-9734-7AF40E7D593F} - (no file)
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
    O2 - BHO: bSaving - {38791CF8-E87C-11E1-881B-7B83F6A1EC23} - C:\Program Files\bSaving\456bb6a8cd7f2e38c0bc920f20fdf0b6.dll (file missing)
    O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG2012\avgssie.dll (file missing)
    O2 - BHO: DefaultTabBHO - {7F6AFBF1-E065-4627-A2FD-810366367D01} - C:\Documents and Settings\HP_Administrator\Application Data\DefaultTab\DefaultTab\DefaultTabBHO.dll (file missing)
    O2 - BHO: DealPly - {A6174F27-1FFF-E1D6-A93F-BA48AD5DD448} - C:\Program Files\DealPly\DealPlyIE.dll (file missing)
    O2 - BHO: Produtools Manuals 2.1 - {b2bf7b3f-bf0b-4c48-aec6-f92c51be63e1} - C:\Program Files\Produtools_Manuals_2.1\prxtbProd.dll
    O2 - BHO: Freecause Shopping BHO - {DAC028C6-2A41-4730-B91F-DFBCB26C82B3} - C:\Program Files\Shop to Win 8\Shop to Win 8.dll
    O3 - Toolbar: Produtools Manuals 2.1 Toolbar - {b2bf7b3f-bf0b-4c48-aec6-f92c51be63e1} - C:\Program Files\Produtools_Manuals_2.1\prxtbProd.dll
    O4 - HKLM\..\Run: [SelectRebates] C:\Program Files\SelectRebates\SelectRebates.exe
    O4 - HKLM\..\Run: [ROC_roc_ssl_v12] "C:\Program Files\AVG Secure Search\ROC_roc_ssl_v12.exe" / /PROMPT /CMPID=roc_ssl_v12
    O4 - HKLM\..\Run: [ROC_ROC_NT] "C:\Program Files\AVG Secure Search\ROC_ROC_NT.exe" / /PROMPT /CMPID=ROC_NT
    O4 - HKLM\..\Run: [ROC_ROC_JULY_P1] "C:\Program Files\AVG Secure Search\ROC_ROC_JULY_P1.exe" / /PROMPT /CMPID=ROC_JULY_P1
    O4 - HKLM\..\Run: [ROC_roc_dec12] "C:\Program Files\AVG Secure Search\ROC_roc_dec12.exe" /PROMPT /CMPID=roc_dec12
    O4 - HKLM\..\Run: [InboxToolbar] "C:\PROGRA~1\INBOXT~1\Inbox.exe" /STARTUP
    O4 - HKLM\..\Run: [HF_G_Jul] "C:\Program Files\AVG Secure Search\HF_G_Jul.exe" /DoAction
    O4 - HKLM\..\Run: [ApnUpdater] "C:\Program Files\Ask.com\Updater\Updater.exe"
    O4 - HKLM\..\Run: [ADVDriverUpdater] "C:\Program Files\Advanced Driver Updater\adu.exe" /schedule
    O4 - HKLM\..\Run: [Advanced System Protector_startup] "C:\Program Files\Advanced System Protector\AdvancedSystemProtector.exe" autolaunch
    O4 - HKCU\..\Run: [RebateInformer] C:\PROGRA~1\REBATE~1\REBATE~1.EXE /STARTUP
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [Consumer Input Update] C:\Program Files\Consumer Input\dca-ua.exe
    O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
    O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
    O4 - Global Startup: Updates From HP.lnk = C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe
    O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG2012\avgpp.dll (file missing)

    After clicking Fix, exit HJT.


    Please download OTM by Old Timer and save it to your Desktop.
    • Right-click OTM.exe and select Run as administrator to run it.
    • Copy the lines from the below codebox to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy). Do not include the word Code:, which is just a title line of the code box.
    Code:
    :Processes
    explorer.exe
     
    :Files
    C:\PROGRA~1\REBATE~1
    C:\Program Files\Messenger
    C:\Program Files\Consumer Input
    C:\Program Files\SelectRebates
    C:\Program Files\Advanced System Protector
    C:\Documents and Settings\LocalService\Local Settings\Application Data\AskToolbar
    C:\Documents and Settings\LocalService\Local Settings\Application Data\Conduit
    C:\Documents and Settings\LocalService\Local Settings\Application Data\Produtools_Manuals_2.1
    C:\Documents and Settings\LocalService\Local Settings\Application Data\AskToolbar
    C:\Documents and Settings\LocalService\Local Settings\Application Data\Conduit
    C:\Documents and Settings\LocalService\Local Settings\Application Data\Produtools_Manuals_2.1
    C:\Documents and Settings\HP_Administrator\Application Data\AVG2013
    C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Avg2013
    C:\Documents and Settings\All Users\Application Data\AVG2013
    C:\Documents and Settings\All Users\Application Data\PC Optimizer Pro
    C:\Documents and Settings\All Users\Start Menu\Programs\AVG Free Edition
    C:\Documents and Settings\All Users\Start Menu\Programs\ShopAtHome.com Toolbar
    C:\$AVG
    C:\WINDOWS\system32\config\systemprofile\Application Data\AVG2013
    C:\WINDOWS\system32\config\systemprofile\Application Data\Inbox Toolbar
    C:\WINDOWS\system32\config\systemprofile\Application Data\RebateInformer
    C:\WINDOWS\system32\config\systemprofile\Application Data\Symantec
    C:\WINDOWS\Temp\avgdiag2
    C:\WINDOWS\Temp\avg_a02544
    C:\WINDOWS\Temp\avg_a07364
    C:\Documents and Settings\HP_Administrator\Local Settings\Temp\*.tmp
    C:\Documents and Settings\HP_Administrator\Local Settings\Temp\*.bin
    C:\WINDOWS\Tasks\DealPlyUpdate.job
    C:\WINDOWS\Tasks\GoogleUpdateTaskMachineCore.job
    C:\WINDOWS\Tasks\GoogleUpdateTaskMachineUA.job
    C:\WINDOWS\Tasks\RealUpgradeScheduledTaskS-1-5-21-2895489145-3065243499-2069883940-1007.job
    C:\WINDOWS\Tasks\RealUpgradeLogonTaskS-1-5-21-2895489145-3065243499-2069883940-1007.job
    :Reg
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    "RebateInformer"=-
    "MSMSGS"=-
    "Consumer Input Update"=-
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentVersion\Run]
    "Share-to-Web Namespace Daemon"=-
    "SelectRebates"=-
    "ROC_roc_ssl_v12"=-
    "ROC_ROC_NT"=-
    "ROC_ROC_JULY_P1"=-
    "ROC_roc_dec12"=-
    "InboxToolbar"=-
    "HP Software Update"=-
    "HF_G_Jul"=-
    "ApnUpdater"=-
    "Advanced System Protector_startup"=-
    "Adobe ARM"=-
    [HKEY_USERS\S-1-5-21-2895489145-3065243499-2069883940-1007\Software\Microsoft\Windows\CurrentVersion\run]
    "swg"=-
    "RebateInformer"=-
    "MSMSGS"=-
    "Consumer Input Update"=-
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg]
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchScopes\{443789B7-F39C-4b5c-9287-DA72D38F4FE6}]
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchScopes\{EEE6C360-6118-11DC-9C72-001320C79847}]
    [-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{171DEBEB-C3D4-40b7-AC73-056A5EBA4A7E}]
    [-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{1B44B249-EE75-4684-9F10-C89163B4985B}]
    [-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{2C652D7F-71DE-447B-9310-2B9FDC08908F}]
    [-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{443789B7-F39C-4b5c-9287-DA72D38F4FE6}]
    [-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{66D92927-410A-46FB-99F4-635C57BC6624}]
    [-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{afdbddaa-5d3f-42ee-b79c-185a7020515b}]
    [-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{C04B7D22-5AEC-4561-8F49-27F6269208F6}]
    [-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{D6BD046D-B24B-4E38-9F8E-FF2E05C1F8A2}]
    [-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{EEE6C360-6118-11DC-9C72-001320C79847}]
    :Commands
    [purity]
    [EmptyTemp]
    [start explorer]
    
    [Reboot]
    • Return to OTM, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste.
    • Now click the large [IMG] button.
    • If OTM asks to reboot your computer, allow it to do so. The report should appear in Notepad after the reboot.
    • Close OTM.
    Now navigate to the C:\_OTM\MovedFiles folder (assuming your Windows drive is C). This is where your log will be saved in the form of Date and Time mmddyyyy_hhmmss.log. Just look for the most recent .log file. Attach this log file to your next message.


    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).


    Then attach the below logs:
    • the C:\_OTM\MovedFiles log
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
    Last edited: Nov 23, 2012
  3. millejef

    millejef Private E-2

    chaslang,

    Thank you for the response! I have completed the tasks that you mentioned and am attaching the logs for your review. The computer is certainly better as now msconfig actually pops up. I noticed that Internet Explorer still won't open and some things like Firefox won't open unless I Right Click on them and click Open. I will try some other programs as well while you look at these logs.

    Thank you very much for the help!

    Jeff

    PS: I'll have to upload a couple of other logs in a separate reply.
     

    Attached Files:

  4. millejef

    millejef Private E-2

    Here are the other logs.
     

    Attached Files:

  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please only attach the logs we request. You don't need to look for anything in the MGtools folder unless we ask you to do so. The only log typically needed from MGtools is C:\MGlogs.zip. ;)
     
  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I still see Spybot running. Did you uninstall it as requested? All of the below are running:

    C:\Program Files\Spybot - Search & Destroy 2\SDUpdate.exe
    C:\Program Files\Spybot - Search & Destroy 2\SDFSSvc.exe
    C:\Program Files\Spybot - Search & Destroy 2\SDUpdSvc.exe
    C:\Program Files\Spybot - Search & Destroy 2\SDTray.exe

    Also I do not see ZoneAlarm installed but I do see the below in startup list:
    O4 - HKLM\..\Run: [ZoneAlarm Installer] "C:\Program Files\CheckPoint\Install\Launcher.exe" "C:\Program Files\CheckPoint\Install\Install.exe" /r /c "C:\Program Files\CheckPoint\Install\Install.xml"


    You may need to address these types of issues in the Software Forum once we finish here.


    You should only be doing what is requested while still working here as stated in the READ & RUN ME.
     
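As an added illustration (not part of this thread, and not code from HijackThis, OTM or MGtools): a small Python parser for log lines in the HijackThis format that chaslang works from above. It flags the three kinds of entry picked out in the posts: IE start page / search bar settings (R0/R1) pointing at a host the owner did not choose, BHO/toolbar/protocol registrations (O2/O3/O18) whose DLL is reported missing, and Run-key or Startup-folder entries (O4) whose executable is not on disk, like the ZoneAlarm installer entry with no ZoneAlarm installed. The sample log, the CLSIDs in it, the allow-list and the `KNOWN_PRESENT` set are constructed; `parse_hjt_log`, `executable_from_command` and `audit` are names chosen here.

```python
import re
from dataclasses import dataclass
from typing import Callable, Optional
from urllib.parse import urlparse

# Constructed sample in HijackThis log format, modelled on the entry types in
# this thread. Hosts, product names and CLSIDs are made up for the example.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.example-hijack.test
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.example-hijack.test/?q=%s
O2 - BHO: (no name) - {00000000-1111-2222-3333-444444444444} - (no file)
O2 - BHO: ExampleBHO - {00000000-1111-2222-3333-555555555555} - C:\Program Files\Example\example.dll (file missing)
O3 - Toolbar: Example Toolbar - {00000000-1111-2222-3333-666666666666} - C:\Program Files\Example\toolbar.dll
O4 - HKLM\..\Run: [ExampleUpdater] "C:\Program Files\Example\Updater.exe" /schedule
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O18 - Protocol: linkscanner - {00000000-1111-2222-3333-777777777777} - C:\Program Files\Example\proto.dll (file missing)
"""

@dataclass(frozen=True)
class Entry:
    section: str      # R0, R1, O2, O3, O4 or O18
    name: str         # value name, BHO/toolbar/protocol name or Run entry name
    target: str       # URL, DLL path or command line
    hive: str = ""    # HKLM/HKCU, or "Global Startup", where the line has one
    clsid: str = ""   # COM class id on O2/O3/O18 lines

@dataclass(frozen=True)
class Finding:
    kind: str         # "browser-hijack", "orphan" or "stale-startup"
    entry: Entry
    reason: str

MISSING_MARKERS = ("(file missing)", "(no file)")
_CLSID = r"(\{[0-9A-Fa-f-]+\})"
_PATTERNS = (
    ("R", re.compile(r"^(R[01]) - (HKCU|HKLM)\\(.+?),(.+?) = (.*)$")),
    ("O2", re.compile(r"^(O2) - BHO: (.*?) - " + _CLSID + r" - (.*)$")),
    ("O3", re.compile(r"^(O3) - Toolbar: (.*?) - " + _CLSID + r" - (.*)$")),
    ("O18", re.compile(r"^(O18) - Protocol: (.*?) - " + _CLSID + r" - (.*)$")),
    ("O4run", re.compile(r"^(O4) - (HKLM|HKCU|HKUS\\[^\\]+)\\\.\.\\(Run\w*): \[(.*?)\] (.*)$")),
    ("O4startup", re.compile(r"^(O4) - Global Startup: (.*?) = (.*)$")),
)

def parse_hjt_line(line: str) -> Optional[Entry]:
    """Parse one HijackThis line; None for section types this example does not model."""
    line = line.strip()
    for key, pat in _PATTERNS:
        m = pat.match(line)
        if not m:
            continue
        g = m.groups()
        if key == "R":
            return Entry(section=g[0], name=g[3], target=g[4], hive=g[1])
        if key in ("O2", "O3", "O18"):
            return Entry(section=g[0], name=g[1], target=g[3], clsid=g[2])
        if key == "O4run":
            return Entry(section="O4", name=g[3], target=g[4], hive=g[1])
        return Entry(section="O4", name=g[1], target=g[2], hive="Global Startup")
    return None

def parse_hjt_log(text: str) -> list[Entry]:
    parsed = (parse_hjt_line(l) for l in text.splitlines() if l.strip())
    return [e for e in parsed if e is not None]

def executable_from_command(command: str) -> str:
    """Program path from a Run-key command line: quoted, or bare up to the first /switch."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    path = []
    for tok in command.split():
        if tok.startswith(("/", "-")) and path:
            break
        path.append(tok)
    return " ".join(path)

def audit(entries: list[Entry], allowed_hosts: set[str],
          file_exists: Optional[Callable[[str], bool]] = None) -> list[Finding]:
    """Flag hijacked IE settings, registrations whose file is gone, and (when
    file_exists is supplied, e.g. os.path.exists on a live box) O4 entries
    whose executable is absent."""
    findings = []
    for e in entries:
        target = e.target.strip()
        if e.section in ("R0", "R1"):
            host = urlparse(target).hostname or ""
            if host not in allowed_hosts:
                findings.append(Finding("browser-hijack", e, f"IE {e.name} points at {host!r}"))
        elif target in MISSING_MARKERS or target.endswith(MISSING_MARKERS):
            findings.append(Finding("orphan", e, "registration refers to a file that no longer exists"))
        elif e.section == "O4" and file_exists is not None:
            exe = executable_from_command(target)
            if not file_exists(exe):
                findings.append(Finding("stale-startup", e, f"startup target {exe!r} not found on disk"))
    return findings

# Constructed stand-in for the file system: only the Office startup item exists.
KNOWN_PRESENT = {r"c:\program files\microsoft office\office\osa.exe"}

def demo_findings() -> list[Finding]:
    entries = parse_hjt_log(SAMPLE_LOG)
    return audit(entries, allowed_hosts={"www.msn.com"},
                 file_exists=lambda p: p.lower() in KNOWN_PRESENT)

if __name__ == "__main__":
    for f in demo_findings():
        print(f"{f.kind:15} {f.entry.section:3} {f.entry.name}: {f.reason}")
```

On the constructed sample this reports two browser-hijack findings, three orphaned registrations and two stale startup entries; the O3 toolbar is left alone because its DLL path carries no missing-file marker and O3 lines are not checked against the disk here. Paths are lower-cased before the lookup because Windows file names are case-insensitive.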
  7. millejef

    millejef Private E-2

    chaslang,

    Spybot - Search & Destroy actually never installed correctly although it did allow me to run a scan. It is not in my list anymore under "Add & remove Programs" although it is still in the startup tab of the System Configuration Utility - SDCleaner and SDTray. I also see Spybot-S&D 2 Scanner Service, Updating Service and Security Center Service listed in the "Services" tab. Should I uncheck these and then do a reboot and rerun the tools?

    I do not have ZoneAlarm installed and I do not see it referenced in either of the two above areas in the System Configuration Utility either.

    Let me know what else you would like me to try and I will do so. Thank you again!

    Jeff
     
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Try reinstalling it from the below link:
    Spybot-Search & Destroy 2.0.12.0 Final

    Then, after it is installed, shut down any other protection software, exit all browsers, and then attempt to uninstall Spybot. Reboot after uninstalling it.
    Then continue.


    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista or Win 7, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O4 - HKLM\..\Run: [ZoneAlarm Installer] "C:\Program Files\CheckPoint\Install\Launcher.exe" "C:\Program Files\CheckPoint\Install\Install.exe" /r /c "C:\Program Files\CheckPoint\Install\Install.xml"
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)

    After clicking Fix, exit HJT.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
  9. millejef

    millejef Private E-2

    Chaslang,

    When installing it I get a Setup Error Screen that states Class not Registered, ClassID: {00021401-0000-0000-C000-0000000000046}. After clicking OK about 10 times it completes and asks to restart the computer. When the computer restarts I can see that Spybot 2 is running in the task bar and I can start a scan from there, however, in the start menu the Spybot Search & Destroy entry is "Empty" (no executable). I am having the same "Class Not Registered" issue with any installs I try to do. I tried installing Norton Antivirus and it would not install either.

    When I went to Add and Remove Programs and clicked "Remove" for Spybot S&D, it did uninstall this time though. When I rebooted it was no longer in the Task Bar, however, I did still find SDCleaner as a Startup Item in the System Configuration Utility. No services looked to be left over though.

    I finished the MGTools work and I am attaching the logs for your reference. I really appreciate your help! The computer is certainly doing much better already.

    Jeff
     

    Attached Files:

  10. millejef

    millejef Private E-2

    chaslang,

    Something else that might be helpful in your review of the logs that I didn't mention before. After one of the initial changes that you had me do (the OTM item) I rebooted my PC and when it came back up it started popping up an installer window for HPDigital Media and in particular MYDVD. This cannot complete as it says it is missing files. You can cancel out of it but every 5 minutes or so it pops up again and starts over. I actually tried using the program and it seems to work fine. I am assuming that I may need to uninstall that program and then try to download a new one from the HP web site for this PC but I at least wanted you to be aware of the fact that it pops up every 5 minutes or so like I have seen some Malware do in the past.

    Thanks again!

    Jeff
     
  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    See if doing the below helps with the remaining issues you have mentioned.


    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista or Win 7, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O4 - HKLM\..\Run: [Spybot-S&D Cleaning] "C:\Program Files\Spybot - Search & Destroy 2\SDCleaner.exe" /autoclean
    O4 - HKLM\..\Run: [DMAScheduler] "c:\Program Files\HP DigitalMedia Archive\DMAScheduler.exe"

    After clicking Fix, exit HJT.
     
  12. millejef

    millejef Private E-2

    Chaslang,

    That looks like it has removed all the Malware and I no longer have that install window popping up every 5 minutes.

    I still have an issue with installing programs and other operating system things but I am assuming that I will need to go over to the software forum for these. These seem to be remnants of what the Malware or Virus did to the OS, i.e. Classes not being registered, missing folders or ones that could not be created during the install, etc. Internet Explorer closes immediately when you try to open it and other programs like Microsoft Update will not run at all.

    Do I need to do any finish up activities for Malware yet? I REALLY appreciate all the help you have given me. You were great!

    Thanks,

    Jeff
     
  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome.

    Yes, and before doing so, just see if an uninstall, reboot, followed by reinstall of impacted programs helps.
    Yes, see below.

    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep Malwarebytes Anti-Malware for scanning/removal of malware.
    2. Go back to step 4 of the READ ME and re-enable your Disk Emulation software with Defogger if you had disabled it.
    3. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    4. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    5. If running Vista or Win 7, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    6. Go to add/remove programs and uninstall HijackThis. If you don't see it or it will not uninstall, don't worry about it. Just move on to the next step.
    7. Go to the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    8. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures pointed to by step 6 of the READ ME for your Windows version and see the instructions to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    9. After doing the above, you should work through the below link:
     
