MajorGeeks Support Forums
#1  01-22-13, 14:06
Quelthias (Private E-2; Join Date: Jan 2013; Posts: 2)
TornTV Infection

I have a Windows XP Service Pack 2 32-bit system.

I was downloading a torrent.
Immediately a file called TornTV requested to be downloaded.
I clicked Close; it installed anyway.

Next I knew I had a virus, thus I went to MajorGeeks.com and followed all of the steps.
After I downloaded a program to remove disk emulation software (Defogger.exe), I disabled the disk emulation software and it asked me to restart the computer.
After the computer restarted, a window appeared while Windows XP was loading which states: "This copy of windows is not activated".
Next I cleaned the temporary files using CCleaner on every profile on this computer.
I proceeded to follow the steps and downloaded all of the tools (Rogue, Malwarebytes, TDSS, Hitman, MG).

I then loaded the page detailing the Windows XP removal steps.

I first ran RogueKiller and saved the log.
Next I ran Malwarebytes, ran the scan, removed the files, restarted, then ran it again 2 more times, each time saving the log after removing the malicious programs. After the 3rd time, Malwarebytes did not request a restart; however, it continued to find a malicious program.
Next I scanned with TDSSKiller and had no results.
Next I scanned with HitmanPro, which had 3 results; I clicked Ignore on all and saved the logs.

After running MGtools, an error screen popped up:

Please help us improve HijackThis by reporting this error
Click Yes to submit
Error Details:
An Unexpected error has occured at procedure: modRegistry_IniGetString(sFile==system.ini,sSection==boot, sValue==Shell)
Error #5 - Invalid procedure call or argument
WindowsVersion: Windows NT 5.01.2600
MSIE version: 8.0.6001.18702
HijackThis version: 2.0.4

I disabled AVG and then MGtools finished without errors.

Finally, I ran the scans from each program again, starting with RogueKiller, then Malwarebytes, TDSS, Hitman and MGtools.
(Let me know if you want the old reports as well.)

Below are my attached reports.
Attached Files
File Type: zip MGlogs.zip (509.6 KB, 3 views)
File Type: log HitmanPro_20130122_1152.log (2.1 KB, 3 views)
File Type: txt TDSSKIller-1145AM-Jan22-2013.txt (49.7 KB, 2 views)
File Type: txt mbam-log-2013-01-22 (11-33-50).txt (2.1 KB, 2 views)
File Type: txt RKreport[2]_S_01222013_02d1121.txt (2.5 KB, 4 views)
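The HijackThis error quoted above (modRegistry_IniGetString on system.ini, section boot, value Shell) comes from its check of the legacy Shell= load point in the [boot] section of system.ini, which HijackThis reports as an F1 item. As an added example, not part of the original post and not HijackThis code, the following Python reads that value from a system.ini-style text and flags anything that is not a bare Explorer.exe, including a second program appended after it. Both ini texts are constructed for the example; the path in the "hijacked" one is invented.

```python
"""Check the [boot] Shell= entry of a Windows system.ini-style file.

Added example, not HijackThis code. The two ini texts below are constructed
for the example; the 'hijacked' one appends an invented second program to
Explorer.exe, a classic way of getting something launched with the shell.
"""
import re
from typing import Optional

SAMPLE_CLEAN = """; constructed sample
[boot]
shell=Explorer.exe
[386Enh]
woafont=dosapp.fon
"""

SAMPLE_HIJACKED = """; constructed sample
[boot]
Shell=Explorer.exe C:\\WINDOWS\\system32\\svchosts.exe
"""

_SECTION = re.compile(r"^\[(.+?)\]$")


def get_ini_value(text: str, section: str, key: str) -> Optional[str]:
    """Return the first value of key in [section] (both case-insensitive).

    Strips ';' comments and returns None when the section or key is
    missing, instead of raising the way the HijackThis routine did.
    """
    current = None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        m = _SECTION.match(line)
        if m:
            current = m.group(1).strip().lower()
            continue
        if current == section.lower() and "=" in line:
            k, v = line.split("=", 1)
            if k.strip().lower() == key.lower():
                return v.strip()
    return None


def check_shell(text: str) -> dict:
    """Classify the [boot] Shell= value.

    Returns {'value': str|None, 'suspicious': bool, 'reason': str}.
    A missing entry means the default shell applies. Anything other than a
    single explorer.exe (with or without a path, quoted or not) is flagged,
    including extra programs appended after it.
    """
    value = get_ini_value(text, "boot", "Shell")
    if value is None:
        return {"value": None, "suspicious": False,
                "reason": "no Shell= in [boot]; default shell applies"}
    # First token may be a quoted path containing spaces.
    if value.startswith('"') and '"' in value[1:]:
        end = value.index('"', 1)
        first_tok, rest = value[1:end], value[end + 1:]
    else:
        parts = value.split(None, 1)
        first_tok, rest = parts[0], (parts[1] if len(parts) > 1 else "")
    extras = rest.split()
    # Windows path: keep only the last backslash-separated component.
    first = first_tok.rsplit("\\", 1)[-1].lower()
    if first != "explorer.exe":
        return {"value": value, "suspicious": True,
                "reason": "shell replaced by " + first_tok}
    if extras:
        return {"value": value, "suspicious": True,
                "reason": "extra program(s) appended to Explorer.exe: " + " ".join(extras)}
    return {"value": value, "suspicious": False, "reason": "Explorer.exe only"}


if __name__ == "__main__":
    for name, text in (("clean", SAMPLE_CLEAN), ("hijacked", SAMPLE_HIJACKED)):
        print(name, check_shell(text))
```

On a real machine the text would be read from C:\WINDOWS\system.ini; the parser tolerates a missing [boot] section or Shell= key, which is the condition the HijackThis error suggests it did not.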
#2  01-22-13, 17:07
Kestrel13! (Super Malware Fighter - Major Dilemma; Join Date: Apr 2007; Location: cloud cuckoo land; Posts: 28,833)
Re: TornTV Infection

Re-run Hitman and have it delete Malware remnants and Potential Unwanted Programs.

Uninstall the below with Revo Uninstaller.
  • Ask Toolbar (OEM1002) for Internet Explorer
  • TornTV

Are you aware of this from the HJT log?
  • O1 - Hosts: 64.24.234.120 swirve.com # Added by Utopia Angel

Delete this if present:
C:\Program Files\TornTV.com

Now run the C:\MGtools\GetLogs.bat file by double clicking on it. (Right click and run as admin if using Vista or Windows7) Then attach the new C:\MGlogs.zip file that will be created by running this.

Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now!
__________________
Have we been helpful? Did our services here at MajorGeeks save you a whole lot of cash? If you would like to bequest a small amount as a token of your appreciation, please look out for the yellow 'Donate' button on the top right of any page. Thanks!
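The O1 line Kestrel13! asks about is HijackThis's report of a hosts-file entry: the name swirve.com is pinned to 64.24.234.120, so every lookup of that name on the machine bypasses DNS. As an added example, not part of the original thread and not HijackThis code, the following Python parses hosts-file text and separates the two shapes worth looking at: names redirected to a non-local address (the shape of the line above) and, going a step beyond this thread, names pinned to a loopback or null address, which blocks them and is how some malware keeps vendor and update sites unreachable. The hosts text is constructed; the blocked names in it are fictional.

```python
"""Audit a Windows hosts file for entries HijackThis would report as O1 items.

Added example, not HijackThis code. Two kinds of entry matter:
  * a name pointing at a non-local address: traffic for that name is
    silently redirected (the swirve.com line in the thread is this shape);
  * a name pointed at a loopback/null address: that name is blocked, which
    malware uses against update and vendor sites.
The hosts text below is constructed for the example.
"""
import ipaddress
from typing import List, Tuple

# Addresses that block a name rather than redirect it.
LOCAL_ADDRESSES = {"127.0.0.1", "::1", "0.0.0.0"}
# Names that belong in a stock hosts file.
DEFAULT_NAMES = {"localhost"}

SAMPLE_HOSTS = """# Copyright (c) 1993-1999 Microsoft Corp.
# constructed sample, not a real hosts file
127.0.0.1       localhost
64.24.234.120   swirve.com            # Added by Utopia Angel
0.0.0.0         ads.example.test      # added by the user to block ads
127.0.0.1       update.av-vendor.test # blocks a (fictional) vendor site
not-an-ip       junk
"""

Entry = Tuple[str, List[str], str]  # (address, names, trailing comment)


def parse_hosts(text: str) -> List[Entry]:
    """Return (address, names, comment) for every well-formed mapping line.

    Comment-only and blank lines are skipped; a line whose first field is
    not an IP address is ignored rather than raising.
    """
    entries: List[Entry] = []
    for raw in text.splitlines():
        body, _, comment = raw.partition("#")
        fields = body.split()
        if len(fields) < 2:
            continue
        try:
            ipaddress.ip_address(fields[0])
        except ValueError:
            continue
        entries.append((fields[0], fields[1:], comment.strip()))
    return entries


def redirected_names(text: str) -> List[Entry]:
    """Entries that send a name to a non-local address."""
    return [e for e in parse_hosts(text) if e[0] not in LOCAL_ADDRESSES]


def blocked_names(text: str) -> List[str]:
    """Names pinned to a loopback/null address, other than the stock localhost lines."""
    names: List[str] = []
    for addr, hosts, _ in parse_hosts(text):
        if addr in LOCAL_ADDRESSES:
            names.extend(h for h in hosts if h.lower() not in DEFAULT_NAMES)
    return names


def report(text: str) -> List[str]:
    """Findings in a HijackThis-like 'O1 - Hosts:' style, one per line."""
    lines: List[str] = []
    for addr, hosts, comment in redirected_names(text):
        note = " # " + comment if comment else ""
        lines.append("O1 - Hosts (redirect): " + addr + " " + " ".join(hosts) + note)
    for name in blocked_names(text):
        lines.append("O1 - Hosts (blocked): " + name)
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_HOSTS)))
```

On a Windows machine the text would come from %SystemRoot%\system32\drivers\etc\hosts. A redirect entry is not always malicious (the user in this thread recognised his), which is why the report keeps the trailing comment: a tool that annotates its own entries, as Utopia Angel did here, leaves the evidence in place.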
#3  01-23-13, 02:01
Quelthias (Private E-2; Join Date: Jan 2013; Posts: 2)
Re: TornTV Infection

Wow, thank you very much Kestrel!
Can I call you the Medic from Team Fortress 2 (because you heal people so quickly)? Thanks, doc!

I used Hitman and deleted the three things it found.

Next I installed Revo Uninstaller.
I uninstalled the Ask Toolbar using Moderate mode.
The uninstaller removed the program and asked me if I wanted to get rid of the 4 registry entries; I said yes, and deleted only the 4 files related to AskToolbar.
// I don't like messing with the registry //

Next I ran an advanced scan for "torn" and deleted the registry values as well as the Torn files located across the hard drive (including My Documents, Program Files\Torn, etc.).


O1 - Hosts: 64.24.234.120 swirve.com # Added by Utopia Angel
Oh this brings back memories...
Have you ever heard of the game called Utopia from swirve.com?
Utopia Angel is a calculation program to help people determine if their attack will be successful.
While it runs it modifies your computer's ability to copy/cut a block of text.

I doubleclicked on C:\Mgtools\getlogs.bat file.
(Hitman and MGlogs.zip are attached below)

Next I restarted the computer


The popup "Windows Genuine Advantage: This copy of windows is not activated." continues to show in my system tray and when I start Windows.

Is this malware?
Or is this from using the Defogger to cancel the emulation?
Attached Files
File Type: log HitmanPro_20130122_2330.log (2.1 KB, 2 views)
File Type: zip MGlogs.zip (510.7 KB, 2 views)
#4  01-23-13, 09:15
Kestrel13! (Super Malware Fighter - Major Dilemma; Join Date: Apr 2007; Location: cloud cuckoo land; Posts: 28,833)
Re: TornTV Infection

Quote:
  The popup "Windows Genuine Advantage: This copy of windows is not activated." continues to show on my system tray and when I start windows.
I am not sure about that; you would have to ask about it in the software forum.

Glad all is running well. Ready for final steps?

If you are not having any other malware problems, it is time to do our final steps:
  1. We recommend you keep Malwarebytes Anti-Malware for scanning/removal of malware.
  2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
    • Press and hold the Windows key and then press the letter R on your keyboard. This opens the Run dialog box.
    • Copy and paste the below into the Run box and then click OK. Note the quotes are required
    • "%userprofile%\Desktop\combofix" /uninstall
      • Notes: The space between the combofix" and the /uninstall, it must be there.
      • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
  3. Go back to step 4 of the READ ME and re-enable your Disk Emulation software with Defogger if you had disabled it.
  4. Go to add/remove programs and uninstall HijackThis. If you don't see it or it will not uninstall, don't worry about it. Just move on to the next step.
  5. If running Vista or Win 7, it is time to make sure you have re-enabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
  6. Go to the C:\MGtools folder and find the MGclean.bat file. Double click ( if running Vista, Win7, or Win 8 Right Click and Run As Administrator ) on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
  7. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others) and running MGclean.bat did not remove, you can delete these files now.
  8. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
  9. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
    • Refer to the cleaning procedures pointed to by step 6 of the READ ME
      for your Window version and see the instructions to Disable System Restore which will flush your Restore Points.
    • Then reboot and Enable System Restore to create a new clean Restore Point.
  10. After doing the above, you should work through the below link: