1. blueshots1

    blueshots1 Private E-2

    It all started 4 days ago when Firefox closed on me when I clicked the "Play" button on a video on an anime site called animefreak.tv, which I had never had problems with before.

    I reloaded Firefox to check a different site (Google is my homepage), but before I could do so a new tab opened and started loading a webpage unknown to me, so I immediately closed it. I then believed my laptop had a virus, so I ran an AVG 2011 scan; it found trojan horse agent_r.xj viruses and some with "\memory_..." in the name, which AVG somehow cannot remove. Every so often while using the infected laptop I would get blue screens of death, and sometimes a pop-up from AVG saying threats were found, but when I tried to remove them they were inaccessible.

    I found this website earlier today, dug through the forums and did the READ & RUN ME FIRST procedure. I did the steps carefully but had problems running ComboFix. I downloaded it, but when I try to run it, it loads, then nothing happens for 3 seconds, then blue screen of death. I tried to run it again several times, but the BSOD happens every time. The other scans seem to have gone smoothly. (I had also uninstalled AVG in the process.)

    I am currently holding back on using programs, especially the ones that use the internet. I fear the BSOD :cry, which usually happens while I'm using Firefox. (I had also uninstalled and reinstalled FF, but the problem persists.)

    One other thing: I had found a thread about TDSSKiller and tried it, but after downloading, it only loads to 80% before a pop-up says it has encountered a problem and needs to close.

    I hope someone can help me. :)

    Thanks in Advance.
    Mark
     

    Attached Files:

  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Major Geeks!

    You need your Windows Vista boot DVD so that you can boot up to the command prompt to run TDSSkiller. Do you have your boot DVD?
     
  3. blueshots1

    blueshots1 Private E-2

    I do not. But I actually just learned how to make one about 10 minutes ago, when a friend told me that newer Vista users had to create one. I was actually wondering why I never had a boot disk when I bought my laptop about a year ago.

    But right now, let me make the 3-DVD recovery disks.

    Thanks~!
    Mark
     
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Recovery Disks are not going to give you a Windows Vista Boot DVD. You need to get this from your PC seller. Recovery Disks will just allow you to put a PC back into the same condition it was in when you took it out of the box, which is not what most people want to do. You need a bootable CD to fix Windows problems and sometimes (like your case) recover from malware problems.

    You can try using the below to create a bootcd which only has the Recovery Environment. It will not be a full CD.

    Vista and Win7 Recovery disc
     
  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Just in case you do not know how to get to the command prompt: you will need to make sure you have set the boot options in your BIOS to boot from the CD before booting from the hard disk.

    1. Put the Windows Vista or Windows 7 installation disc in the disc drive, and then start the computer.
    2. Press a key when you are prompted.
    3. Select a language, a time, a currency, a keyboard or an input method, and then click Next.
    4. Click Repair your computer.
    5. Click the operating system that you want to repair, and then click Next.
    6. In the System Recovery Options dialog box, click Command Prompt.
     
  6. blueshots1

    blueshots1 Private E-2

    I have successfully gotten rid of the pest, though it took me some time to understand how to work with the command prompt. Once I had booted the system to "cure" it of the detected virus, I opened TDSSKiller again in a normal boot successfully with no problems, and this time it found no problems.

    Is there anything else I should do?

    Thanks again~! :D
    Mark
     

    Attached Files:

  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome.


    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista or Win 7, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    F2 - REG:system.ini: UserInit=userinit.exe
    O2 - BHO: Conduit Engine - {30F9B915-B755-4826-820B-08FBA6BD249D} - C:\Program Files\ConduitEngine\ConduitEngin1.dll
    O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
    O2 - BHO: Bing Bar Helper - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - "C:\Program Files\Microsoft\BingBar\BingExt.dll" (file missing)
    O3 - Toolbar: Conduit Engine - {30F9B915-B755-4826-820B-08FBA6BD249D} - C:\Program Files\ConduitEngine\ConduitEngin1.dll
    O3 - Toolbar: Bing Bar - {8dcb7100-df86-4384-8842-8fa844297b3f} - "C:\Program Files\Microsoft\BingBar\BingExt.dll" (file missing)

    After clicking Fix, exit HJT.

    Now uninstall the below software:
    Java(TM) 6 Update 6
    Conduit Engine


    Now we need to use ComboFix
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    • If ComboFix tells you it has expired or need to be updated to a new version, make sure you allow it to update.
    • Open Notepad and copy/paste the text in the below quote box into it:
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below
    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    If after running ComboFix you discover none of your programs will open because you receive the following error: Illegal operation attempted on a registry key that has been marked for deletion, then you will need to reboot your computer, which will normally fix this problem.

    After reboot, now install the current version of Sun Java from: Sun Java Runtime Environment

    Also delete all files and subfolders in the below folders except ones from the current date (Windows will not let you delete the files from the current day).
    C:\WINDOWS\Temp
    C:\Users\Mark\AppData\Local\Temp

    Now run Ccleaner. Only use the Run Cleaner button. Do not run anything else on any other forms.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).


    Then attach the below logs:
    • C:\ComboFix.txt
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
    Last edited: Apr 26, 2011
  8. blueshots1

    blueshots1 Private E-2

    One thing I noticed is that the boot time is faster now.

    So far, the programs open a lot faster, just as they did before I had the virus. I have not had a BSOD since the TDSSKiller scan. Not a single Firefox tab randomly opening to a weird site anymore.

    I also forgot to mention earlier that I had lost access to Task Manager, and the buttons for Shut down, Restart, Sleep, etc. were missing. But I found a fix on the net. That was also the indication to me that I had a virus.

    The only things missing are the icons (program shortcuts) in the Start menu and All Programs. There are several folders left, but almost all of them are empty.

    But overall, I feel a lot better now about the performance of my Vista laptop. Thanks so much for all the help~!
     

    Attached Files:

  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Somehow this slipped by me unnoticed. I apologize for that.

    You likely just need to change the attributes of your files and folders. They have probably been changed by your infection to be Hidden. You can right click on the folder, select Properties and then change the Hidden attribute. Make sure you apply this to all subfolders too when asked. You may have many folders (if not all) that you need to do this to.

    Also something else that may help could be doing the below.


    Please click Start, All Programs, Accessories and you will see (among other things) a Command Prompt entry.
    • Right click the Command Prompt entry and select Run As Administrator.
      • It is critical that you run it this way.
    • If you do this properly, a command prompt window will open with a title of Administrator Command Prompt.
    • Enter the below commands at the command prompt, each followed by the Enter key. Try each command!!!! The part before <-- is the command; the text after <-- is merely informational and is not typed.
    cd \ <-- this changes to the root folder and the prompt should change to C:\>
    attrib -h -s * /S /D <-- this will try to remove the hidden and system attributes on all files and folders. Note there are spaces before -h, before -s, before * and before each /
    attrib -h -s *.* /S /D <-- a redundant command to match possibly other file and folder names due to using *.*

    Let me know if this helps.
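The attrib commands above run from the root of C:\ and so also clear Hidden and System from files that are hidden on purpose (pagefile.sys, hiberfil.sys, the boot files, and the desktop.ini in every customised folder). Since the symptom in this thread is an emptied Start Menu, a narrower repair is to walk only the two Start Menu trees. The script below is an added example, not chaslang's procedure and not a MajorGeeks tool; it is Python rather than the cmd one-liner, it assumes the default Vista/7 Start Menu paths and the user name Mark taken from the temp path in post 7, it defaults to a dry run that only lists what would change, and the desktop.ini exemption is an assumption of the example rather than something the thread asks for. Run it as Administrator for the all-users tree.

```python
"""Clear Hidden/System attributes an infection set on the Start Menu trees (Windows only).

Added example; not part of the thread. Assumes default Vista/7 paths and the user
name Mark; run as Administrator so the all-users tree can be changed.
"""
import ctypes
import sys
from pathlib import Path

FILE_ATTRIBUTE_HIDDEN = 0x02
FILE_ATTRIBUTE_SYSTEM = 0x04
STRIP_MASK = FILE_ATTRIBUTE_HIDDEN | FILE_ATTRIBUTE_SYSTEM

# Assumed default Start Menu locations on Vista/7 (user name taken from post 7).
START_MENU_ROOTS = [
    r"C:\ProgramData\Microsoft\Windows\Start Menu",
    r"C:\Users\Mark\AppData\Roaming\Microsoft\Windows\Start Menu",
]


def planned_attributes(name: str, attrs: int) -> int:
    """Attribute word an entry should end up with.

    desktop.ini is Hidden+System by design (Explorer reads it for folder
    customisation), so it keeps its flags; anything else loses Hidden and System.
    Exempting desktop.ini is an assumption of this example, not the thread's advice.
    """
    if name.lower() == "desktop.ini":
        return attrs
    return attrs & ~STRIP_MASK


def unhide_tree(root: str, dry_run: bool = True) -> list:
    """Walk root and clear Hidden/System on the root and every entry under it.

    Returns (path, old_attrs, new_attrs) for each entry that changes (or would
    change when dry_run is True). Refuses to run off Windows, because
    st_file_attributes and SetFileAttributesW only exist there.
    """
    if sys.platform != "win32":
        raise RuntimeError("NTFS file attributes are a Windows concept; run this on the affected PC")
    kernel32 = ctypes.windll.kernel32
    changes = []
    top = Path(root)
    for entry in [top, *top.rglob("*")]:
        old = entry.lstat().st_file_attributes
        new = planned_attributes(entry.name, old)
        if new == old:
            continue
        changes.append((str(entry), old, new))
        if not dry_run and not kernel32.SetFileAttributesW(str(entry), new):
            raise ctypes.WinError()  # surfaces the Win32 error, e.g. access denied
    return changes


if __name__ == "__main__":
    # Dry run by default; pass --apply to actually clear the attributes.
    apply = "--apply" in sys.argv
    for root in START_MENU_ROOTS:
        if not Path(root).exists():
            print(f"skipping missing root {root}")
            continue
        for path, old, new in unhide_tree(root, dry_run=not apply):
            print(f"{'fixed' if apply else 'would fix'} {path}: 0x{old:02x} -> 0x{new:02x}")
```

Read the dry-run listing first: if it shows shortcuts and folders you recognise from All Programs, rerun with --apply. If the Start Menu folders turn out to be empty rather than hidden, the shortcuts were moved rather than hidden and this script will not bring them back.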
     
  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Almost forgot..... I had another fix to give you too. :)


    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista or Win 7, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O18 - Protocol: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - C:\Program Files\AVG\AVG10\Toolbar\IEToolbar.dll (file missing)

    After clicking Fix, exit HJT.



    Now we need to use ComboFix again
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    • If ComboFix tells you it has expired or need to be updated to a new version, make sure you allow it to update.
    • Open Notepad and copy/paste the text in the below quote box into it:
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below
    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    If after running ComboFix you discover none of your programs will open because you receive the following error: Illegal operation attempted on a registry key that has been marked for deletion, then you will need to reboot your computer, which will normally fix this problem.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).


    Then attach the below logs:
    • C:\ComboFix.txt
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
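The HijackThis lines chaslang picked out in posts 7 and 10 share two patterns: COM registrations (BHO, toolbar, protocol handler) whose DLL no longer exists, reported as "(file missing)" or "(no file)", and the Conduit adware engine, which is loaded from a DLL that is still present. The script below is an added example, not part of the thread and not a HijackThis or MajorGeeks tool. It parses O2/O3/O18 and F2 lines from a constructed copy of those entries (plus one made-up benign BHO with a fake CLSID so the filter has something to leave alone) and returns the lines a reviewer would tick for Fix. The PUP vendor list and the stock Winlogon Userinit value it compares against are assumptions written into the code.

```python
"""Triage HijackThis O2/O3/O18/F2 lines: orphaned COM registrations and known PUP vendors.

Added example; not a HijackThis or MajorGeeks tool.
"""
import re
from dataclasses import dataclass

# Constructed sample: the entries quoted in posts 7 and 10, plus one made-up
# benign BHO (fake CLSID) that should not be flagged.
SAMPLE_LOG = r"""
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: Conduit Engine - {30F9B915-B755-4826-820B-08FBA6BD249D} - C:\Program Files\ConduitEngine\ConduitEngin1.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
O2 - BHO: Bing Bar Helper - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - "C:\Program Files\Microsoft\BingBar\BingExt.dll" (file missing)
O2 - BHO: Example Vendor Helper - {11111111-2222-3333-4444-555555555555} - C:\Program Files\Example\Helper.dll
O3 - Toolbar: Conduit Engine - {30F9B915-B755-4826-820B-08FBA6BD249D} - C:\Program Files\ConduitEngine\ConduitEngin1.dll
O3 - Toolbar: Bing Bar - {8dcb7100-df86-4384-8842-8fa844297b3f} - "C:\Program Files\Microsoft\BingBar\BingExt.dll" (file missing)
O18 - Protocol: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - C:\Program Files\AVG\AVG10\Toolbar\IEToolbar.dll (file missing)
"""

# O2 = BHO, O3 = IE toolbar, O18 = pluggable protocol handler; all three are
# "name - {CLSID} - target" entries that load a DLL into the browser.
COM_LINE = re.compile(
    r"^(?P<code>O(?:2|3|18)) - (?P<kind>BHO|Toolbar|Protocol): "
    r"(?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<target>.*)$"
)
# F2 = Winlogon values that HijackThis reports under the legacy system.ini name.
F2_LINE = re.compile(r"^F2 - REG:(?P<inifile>[^:]+): (?P<key>[^=]+)=(?P<value>.*)$")

# Stock Vista/7 Userinit value (assumed here): full path plus trailing comma.
# A bare "userinit.exe" is resolved via the search path, a classic hijack point.
DEFAULT_USERINIT = r"C:\Windows\system32\userinit.exe,"
# Vendors treated as PUP/adware in this example (constructed list).
PUP_VENDORS = ("conduit",)


@dataclass
class Finding:
    code: str
    name: str
    reason: str
    line: str  # the exact HijackThis line to tick before clicking Fix


def parse_target(target: str):
    """Split the target column into (path, missing). '(no file)' means no path at all."""
    if target == "(no file)":
        return "", True
    suffix = "(file missing)"
    missing = target.endswith(suffix)
    if missing:
        target = target[: -len(suffix)]
    return target.strip().strip('"'), missing


def triage(log_text: str) -> list:
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = F2_LINE.match(line)
        if m:
            if m["key"].lower() == "userinit" and m["value"].lower() != DEFAULT_USERINIT.lower():
                findings.append(Finding("F2", m["key"],
                    f"Userinit is {m['value']!r}, expected {DEFAULT_USERINIT!r}", line))
            continue
        m = COM_LINE.match(line)
        if not m:
            continue  # other HijackThis sections are out of scope for this example
        path, missing = parse_target(m["target"])
        if missing:
            what = path or "(no file)"
            findings.append(Finding(m["code"], m["name"],
                f"orphaned {m['kind']}: registration left behind, target {what} is gone", line))
        elif any(v in m["name"].lower() or v in path.lower() for v in PUP_VENDORS):
            findings.append(Finding(m["code"], m["name"], f"known PUP vendor: {path}", line))
    return findings


def fix_lines(log_text: str) -> list:
    """The lines to select in HijackThis before clicking Fix."""
    return [f.line for f in triage(log_text)]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.code:<4} {f.name:<40} {f.reason}")
```

Orphaned entries are safe to remove on sight, since there is no DLL left to load; a flagged F2 Userinit line deserves a look at the live registry value before fixing, because HijackThis only shows the column after the key and the fix is to put back the full-path default.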
     
  11. blueshots1

    blueshots1 Private E-2

    Everything's running smoothly now, thanks so much! The laptop is running smoothly and I haven't had the blue screen of death since. My Firefox isn't loading random websites anymore. Plus, booting up and shutting down have been faster.

    I didn't get your instructions for showing the hidden folders in my All Programs list in the Start menu. Only several folders are here, but empty: Accessories, Games, Startup (I don't remember seeing a Startup folder before all of them disappeared, though); and a few icons: Internet Explorer, Adobe Reader, Firefox, Media Player. But the newer programs installed, such as MBAM and SuperAntiSpyware, are in the list fine. Which folder was I supposed to right click?

    Also, I couldn't run the Admin command prompt since the Accessories folder was empty. And the Search box, which I've been using to find my programs other than going to the C drive, couldn't find the Command Prompt either.
     

    Attached Files:

  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes, that is because the attributes are set to Hidden. See if you can open the command prompt directly by entering cmd into the Start, Run box (if you have the Run command enabled). If not, press CTRL-ALT-DEL and bring up Task Manager. Once in Task Manager, click File, New Task (Run...), then enter cmd and click OK. Then try running the previous commands I gave to see if they will run and if they help.
     
