Malware Suspected

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by AureolusV, Dec 16, 2012.

  1. AureolusV

    AureolusV Private E-2

    Hello MajorGeeks.com,

    I just discovered today that I was unable to start up my Windows Firewall (seems to have been deleted?), and through some internet browsing I realised that I could not visit any anti-virus website. I tried to install Nod32 antivirus, which I somehow was able to get my hands on, but it failed to install. Google Chrome won't start either.

    Anyway, I stumbled upon this website and followed the step by step instructions in the Malware Removal section. I have some log files, so I was wondering if I could get some advice and help, which would be greatly appreciated.

    One problem I came upon while following the steps is that I could not download "Malwarebytes Anti-Malware". As I said, something is blocking me from accessing all the anti-virus websites. It won't let me download TDSSKiller either, but I managed to use a program called Internet Download Manager to bypass that problem, though not for Malwarebytes Anti-Malware unfortunately. It seems to be causing spikes throughout my internet browsing experience too, slowing my connection down.

    As to what I have been doing lately, I have just moved out from my on-campus accommodation (which is protected by a proxy, which is maybe why my computer was safe there? I have been without anti-virus for 2 years without a problem there). I haven't been doing anything out of the ordinary here lately that I can think of...

    Anyway, the logs requested are as attached. Seems like there's a few Trojans.

    Hope to hear from you soon.

    Thank you :)
     


    Last edited: Dec 16, 2012
  2. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Double-click RogueKiller.exe to run. (Vista/7 right-click and select Run as Administrator)
    When it opens, press the Scan button
    Now click the Registry tab and locate these detections:

    • [RUN][SUSP PATH] HKCU\[...]\Run : CenYcqmi (C:\Users\Skywalker\AppData\Local\tbvmrndu\cenycqmi.exe) -> FOUND
    • [RUN][SUSP PATH] HKUS\S-1-5-21-2782316689-708073106-3171101751-1001[...]\Run : CenYcqmi (C:\Users\Skywalker\AppData\Local\tbvmrndu\cenycqmi.exe) -> FOUND
    • [SHELL][SUSP PATH] HKLM\[...]\Wow6432Node\Winlogon : Userinit (userinit.exe,C:\Users\Skywalker\AppData\Local\tbvmrndu\cenycqmi.exe) -> FOUND
    Place a checkmark next to each of these items, leave the others unchecked.
    Now press the Delete button.
    When it is finished, there will be a log on your desktop called: RKreport[2].txt
    Attach RKreport[2].txt to your next message. (How to attach)
    Do not reboot your computer yet.

    Rescan with HitmanPro.
    Choose to Delete these files if they are detected:

    • C:\Users\Skywalker\AppData\Local\tbvmrndu\cenycqmi.exe
    • C:\Users\Skywalker\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cenycqmi.exe
    • C:\Users\Skywalker\Desktop\One Piece\Delay Reducer\W3DR.exe
    • C:\Users\Skywalker\wgsdgsdgdsgsd.exe
    Ignore all other detections.
    Afterwards, click the Next button.
    HitmanPro may want to reboot the PC in order for the changes to take effect, please do so.

    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    NOTE: HJT may popup an error about the AppInit_DLLs line. Ignore it and click OK to continue.
    After clicking Fix, exit HJT.
    It may not be there now.

    Now copy just the bold text below to notepad (Do not include any space above the word REGEDIT). Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.
    Make sure that you tell me if you receive a success message about adding the above
    to the registry. If you do not get a success message, it definitely did not work.


    Download OTL to your desktop.

    Double-click OTL.exe to start the program.
    • Copy and Paste the following code into the Custom Scans/Fixes textbox. Do not include the word Code
    Code:
    :processes
    :killallprocesses
    :file
    C:\Users\Skywalker\AppData\Local\tbvmrndu\cenycqmi.exe
    C:\Users\Skywalker\AppData\Local\itupaixw.log
    C:\Users\Skywalker\AppData\Local\pyptqydm.log
    C:\Users\Skywalker\AppData\Local\rvrsbetv.log
    C:\Users\Skywalker\AppData\Local\vkkigntt.log
    C:\Users\Skywalker\AppData\Local\yndtjmny.log
    C:\Users\Skywalker\AppData\Local\dkaruphf.log
    C:\Users\Skywalker\AppData\Local\ebhfqmoc.log
    C:\Users\Skywalker\AppData\Local\fbwxotos.log
    C:\Users\Skywalker\AppData\Local\fslehpaq.log
    C:\Users\Skywalker\AppData\Local\bcmnjmfr.log
    C:\Users\Skywalker\AppData\Local\tbvmrndu
    :commands
    [PURITY]
    [EMPTYTEMP]
    [RESETHOSTS]
    [REBOOT]
    
    • Then click the Run Fix button at the top.
    • Click the OK button.
    • OTL may ask to reboot the machine. Please do so if asked.
    • The report should appear in Notepad after the reboot. Just close Notepad and attach this log from OTL to your next message.
    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!

    Now install an AV program!!
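    A defender-side check for the persistence locations named above (the Run keys and the Winlogon Userinit value), added here as an example and not part of the thread or of the MajorGeeks tools. It assumes a 64-bit Windows machine with PowerShell, and it only reports what it finds; removal stays with the tools in the instructions.

```powershell
# Added example, not from the thread: audit the autostart locations RogueKiller
# flagged above. Reports (read-only, deletes nothing) any Run value or Winlogon
# Userinit entry that points outside Windows / Program Files, e.g. into AppData.
$trustedRoots = @($env:SystemRoot, $env:ProgramFiles, ${env:ProgramFiles(x86)}) |
    Where-Object { $_ }

function Test-TrustedPath {
    param([string]$Value)
    # Take the executable part: quoted path, else the first whitespace token
    # (an unquoted path containing spaces is reported for review, which is fine).
    $exe = if ($Value -match '^"([^"]+)"') { $Matches[1] } else { ($Value -split '\s+')[0] }
    foreach ($root in $trustedRoots) {
        if ($exe.StartsWith($root, [System.StringComparison]::OrdinalIgnoreCase)) { return $true }
    }
    return $false   # relative names and anything under a user profile get reported
}

# Run keys: the thread's entry lived under HKCU ...\Run and the matching HKU\<SID> key
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run'
)
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip the provider's metadata properties
        if (-not (Test-TrustedPath ([string]$p.Value))) {
            Write-Output "[RUN][SUSP PATH] $key : $($p.Name) ($($p.Value))"
        }
    }
}

# Winlogon Userinit should contain only userinit.exe (normally "C:\Windows\system32\userinit.exe,").
# The thread's infection had appended a second, comma-separated executable from AppData\Local.
$winlogonKeys = @(
    'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon',
    'HKLM:\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon'
)
foreach ($key in $winlogonKeys) {
    if (-not (Test-Path $key)) { continue }
    $userinit = (Get-ItemProperty -Path $key -Name Userinit -ErrorAction SilentlyContinue).Userinit
    if (-not $userinit) { continue }
    foreach ($entry in ($userinit -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })) {
        if ($entry -notmatch '(^|\\)userinit\.exe$') {
            Write-Output "[SHELL][SUSP PATH] $key : Userinit ($entry)"
        }
    }
}
```

    Run it from an elevated PowerShell prompt so HKLM is readable in full; output mimics RogueKiller's line format so it can be compared with the report above.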
     
  3. AureolusV

    AureolusV Private E-2

    Hello fellow Jedi,

    Thanks for your reply. I really appreciate it. Before I go into the details, may I ask, is running this forum some kind of pastime of yours, part of your passion? Or do you get paid doing it? I mean, it would take up quite a chunk of your time fixing up the problems, right? And I can see that there are quite a number of people asking for help here. Not that I'm complaining lol, just curious....

    Anyway, the results of the scans are a bit unexpected on my part (probably because I'm clueless when it comes to these sorts of things), so I have attached some images as well as the logs to explain the situation. After deleting the registry entries as you directed using RogueKiller, one of the [SHELL]CenYcqmi REGISTRY entries got a status of "replaced" instead of "deleted", which worries me.

    As for after running HitmanPro, I have attached an image of what I decided to do with the detected Trojans before pressing Next. I chose to ignore C:\Users\Skywalker\Desktop\One Piece\Delay Reducer\W3DR.exe because I know it's not a threat. It's for a game called Warcraft 3, to cut down the 5 second countdown to a value of the user's choice. There's also a trojan called tmltesor.exe. I don't remember seeing it on the previous scan, so it might have escaped our notice, so I chose to quarantine it until you take a look at it first.

    And then there's the running of C:\MGtools\analyse.exe. The line quoted (O4.....) was missing in the scan, so I attached an image for you to have a look.

    Running the fixME.reg was successful. But running OTL.exe didn't seem to do much, judging from the log. Something about "unable to interpret". The log for it is attached anyway.

    Anyway, it seems successful :) I can enter antivirus websites now! Time to find one to use as you said.

    Thanks heaps!

    May the Force be with you xD
     


  4. AureolusV

    AureolusV Private E-2

    Hello fellow Jedi,

    Thanks for the reply. I really appreciate it. Before I go into the details, may I ask, is running this forum part of your pastime, your passion? Or do you get paid? 'Cause I would imagine helping others would take up quite a bit of your time, and it seems that there are quite a lot of people visiting here too. Not that I'm complaining lol, just curious...

    Anyway, the results are a bit unexpected on my part (probably because I don't know much when it comes to these things), so I have attached some images and logs as you can see. After running RogueKiller and deleting the registry entries as directed, the status for the registry entry [SHELL]CenYcqmi seems to have been 'replaced' instead of 'deleted'.

    As for HitmanPro, I chose to ignore C:\Users\Skywalker\Desktop\One Piece\Delay Reducer\W3DR.exe because I know it's not a threat. It's for a game called Warcraft 3, to reduce delays while playing with others in-game as well as reducing the countdown before the game starts, if you know what I mean... I have attached an image of what I chose to do for the trojans detected. There was an unexpected file called tmltesor.exe which I don't remember seeing on my last scan (I could be wrong), so I chose to quarantine it instead of ignoring it. I will wait till you have a look at it first, I guess.

    The quoted O4 line was found to be missing after running C:\MGtools\analyse.exe, so nothing could be done there. The fixME.reg was a success (it seems). Lastly, OTL.exe didn't seem to have done much, after having a look at the log. Something about "unable to interpret". I have attached the log for it anyway.

    Anyway, they seem to have worked. I can now access anti-virus websites :) Time to look for an anti-virus as you said lol...

    Thank you!

    May the Force be with you

    ps. So should I get one antivirus AND an antispyware? I realise that both kinds of programs nowadays do the job of one another too, but it's not optimal, is it? What's recommended? Is it really necessary to get both individual programs? Or is an all-in-one sufficient?
     
  5. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    We are all volunteers here. And yes, it does take a fair amount of time that we freely give.

    Re-run RogueKiller and attach the new log. Also, run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).

    Attach the new C:\MGlogs.zip.
     
  6. AureolusV

    AureolusV Private E-2

    All done. Are these steps to double check if I'm still infected?

    What should I do with the tmltesor.exe that I quarantined?
     


  7. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    You can leave it in quarantine. But re-run RogueKiller and have it fix the softonic item.

    Then manually delete these items:
    C:\Users\Skywalker\AppData\Local\bcmnjmfr.log
    C:\Users\Skywalker\AppData\Local\dkaruphf.log
    C:\Users\Skywalker\AppData\Local\ebhfqmoc.log
    C:\Users\Skywalker\AppData\Local\fbwxotos.log
    C:\Users\Skywalker\AppData\Local\fslehpaq.log
    C:\Users\Skywalker\AppData\Local\itupaixw.log
    C:\Users\Skywalker\AppData\Local\pyptqydm.log
    C:\Users\Skywalker\AppData\Local\rvrsbetv.log
    C:\Users\Skywalker\AppData\Local\vkkigntt.log
    C:\Users\Skywalker\AppData\Local\yndtjmny.log

    Now tell me how things are running and if you are having any other issues.
     
  8. AureolusV

    AureolusV Private E-2

    hmmm I don't understand how to fix the softonic item. I don't see it in the registry section nor the other sections in RogueKiller. And which fix if I find it? There is no "fix registry" button as far as I can tell...

    Sorry about that...
     
  9. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    If it is not showing up in the log, then don't worry about it. What issues remain?
     
  10. AureolusV

    AureolusV Private E-2

    I assume that my PC is now clean :)

    Thank you very much!
     
  11. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    You are very welcome.

    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep Malwarebytes Anti-Malware for scanning/removal of malware. You can uninstall RogueKiller and HitManPro.
    2. Go back to step 4 of the READ ME and re-enable your Disk Emulation software with Defogger if you had disabled it.
    3. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    4. If running Vista or Win 7, it is time to make sure you have re-enabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    5. Go to add/remove programs and uninstall HijackThis.
    6. Go to the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    7. After doing the above, you should work thru the below link
    Malware removal from a National Chain = $149
    Malware removal from MajorGeeks = $0
     
  12. AureolusV

    AureolusV Private E-2

    Hello again,

    As advised, I followed the instructions and installed Avira Anti-virus and Private Firewall, as well as Spyware Blaster and Spybot.

    However, just earlier, I got another virus detailed "Australian Federal Police Ukash Virus Scam". You can have a look at it through Google. I used RogueKiller to delete the registry earlier and ran HitmanPro.

    Anyway, my question was, why, or how did I get infected lol? I mean, I didn't use torrents or download any files. All I did was stream anime lately, that's all. I don't remember doing anything else at all. Could it be that Flash Player plugins cause a vulnerability in my computer? Because to stream videos, Flash is used.

    Do you have any idea?

    Sorry for the trouble again :s

    I'll post the log files if the virus appears again. But as of now it seems fine...

    Thanks!
     
  13. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    It's hard to say where you got it from. Sometimes it is just the act of visiting a web site that is infected.

    If you have any more issues, let me know. ;)
     
