1. panthertooth

    panthertooth Private E-2

    Scanning a friend's computer after he got a virus. Could you have a look at my scans and tell me what you think? (All scans were run in safe mode.)

    Thanks in advance

    Panthertooth
     

    Attached Files:

  2. panthertooth

    panthertooth Private E-2

    and the last one
     

    Attached Files:

  3. satrow

    satrow Major Geek Extraordinaire

    Hi Panthertooth,

    I am currently reviewing your logs and will post back with a response as soon as possible. This takes time so your patience is appreciated.
     
  4. panthertooth

    panthertooth Private E-2

    Thank you for the response. I've been through this process before, so I am aware of the wait time and have lots of patience :))
     
  5. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Satrow is in training so it will take a slightly longer time for a reply. I hope this is not an issue, though if it is, we can speed up the process. ;)
     
  6. panthertooth

    panthertooth Private E-2

    Not an issue at all, have to start somewhere
     
  7. panthertooth

    panthertooth Private E-2

    How does one become "in training" if interested??
     
  8. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member


    Becoming A Malware Forum Helper


    However, much also depends on one's history with MG's. If you have a good history with giving proper help within the other forums, and if we are not really busy with malware removal, one can be asked to train if there is a strong desire and a proven track record. ;)
     
  9. satrow

    satrow Major Geek Extraordinaire

    Sorry about the delay.

    There are a few things that need to be done before moving to the next stage; the following need to be uninstalled:
    AVG Free 9.0
    Java 6 Update 24
    Java 6 Update 5


    I recommend that the below be uninstalled:
    NetAssistant
    Uniblue RegistryBooster 2010


    Has the below been purchased? It's a program I wouldn't use:
    Error Expert 1.5


    The infection has the ability to hide items.
    Do you see the full range of Start Menu items?
    Are any missing?
    Is everything showing as expected in the Program Files?
    No reports from the owner of programs not being found since the infection?




    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista or Win 7, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    NOTE: the lowest 3 entries are not malware, just entries I wouldn't run at boot time; it's your choice whether to remove them or not.
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
    O2 - BHO: Updater For My.Freeze.com Toolbar - {C26CD490-5F01-41E3-B150-EB29F19DA056} - C:\Program Files\myfreezetoolbar\auxi\myfreezetoolbAu.dll (file missing)
    O4 - HKCU\..\Run: [gkXdirORACMUlO] C:\ProgramData\gkXdirORACMUlO.exe
    O4 - HKCU\..\Run: [KB569953.exe] "C:\Users\Robert Cavill\AppData\Roaming\KB569953.exe"

    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
    O4 - HKCU\..\Run: [Singlesnet] C:\Program Files\Singlesnet\Singlesnet\Singlesnet.exe

    After clicking Fix, exit HJT.


    Now we need to use ComboFix
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    • If ComboFix tells you it has expired or need to be updated to a new version, make sure you allow it to update.
    • Open Notepad and copy/paste the text in the below quote box into it:
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe

      http://forums.majorgeeks.com/chaslang/images/CFScriptB-4.gif
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below
    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    If after running ComboFix you discover none of your programs will open because you receive the following error: "Illegal operation attempted on a registry key that has been marked for deletion", then you will need to reboot your computer, which will normally fix this problem.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).


    Then attach the below log:
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
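The four HijackThis lines above that satrow marks for removal share two tell-tales: the O2 entries register a BHO whose DLL no longer exists, and the O4 entries start executables from user-writable data folders (ProgramData, AppData\Roaming) under names that look machine-generated or mimic a Windows update package. The following Python script, added here as an example and not part of the thread or of HijackThis itself, parses O2/O4 lines in the shape quoted in the post and applies those heuristics so the suspicious entries can be separated from the legitimate QuickTime, WeatherBug and Singlesnet autostarts. The folder list, the KB-lookalike pattern and the "random name" test are constructed for this example; the sample log is the set of lines quoted above.

```python
import re
import ntpath
from dataclasses import dataclass

# Shapes of the HijackThis O2 (BHO) and O4 (Run-key autostart) lines quoted in the post
O2_RE = re.compile(r'^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<target>.*)$')
O4_RE = re.compile(r'^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
# First token of a Run command: a quoted path, an unquoted path ending in an executable
# extension (unquoted paths with spaces are common), or a bare word
CMD_RE = re.compile(r'^(?P<exe>"[^"]*"|\S.*?\.(?:exe|dll|scr|bat|cmd|vbs)\b|\S+)(?P<args>.*)$', re.I)

# Constructed heuristics for this example; they are not HijackThis's own logic
USER_WRITABLE = ('\\programdata\\', '\\appdata\\roaming\\', '\\appdata\\local\\temp\\', '\\users\\public\\')
KB_LOOKALIKE = re.compile(r'^kb\d{6}\.exe$', re.I)


@dataclass
class Finding:
    name: str      # the HJT entry name ([...] for O4, the BHO name for O2)
    target: str    # the executable or DLL the entry points at
    reasons: list  # why it was flagged


def split_command(cmd):
    """Separate the executable from its arguments in a Run value."""
    m = CMD_RE.match(cmd.strip())
    return m['exe'].strip('"'), m['args'].strip()


def looks_random(stem):
    """Letters-only name of 8+ chars whose case flips many times, e.g. gkXdirORACMUlO."""
    if not re.fullmatch(r'[A-Za-z]{8,}', stem):
        return False
    flips = sum(1 for a, b in zip(stem, stem[1:]) if a.isupper() != b.isupper())
    return flips >= 4


def triage(lines):
    """Return a Finding for every O2/O4 line that trips one of the heuristics."""
    findings = []
    for raw in lines:
        line = raw.strip()
        m = O2_RE.match(line)
        if m:
            if '(no file)' in m['target'] or '(file missing)' in m['target']:
                findings.append(Finding(m['name'], m['target'],
                                        ['BHO registration points at a DLL that no longer exists']))
            continue
        m = O4_RE.match(line)
        if not m:
            continue
        exe, _args = split_command(m['cmd'])
        stem = ntpath.splitext(ntpath.basename(exe))[0]
        reasons = []
        if any(d in exe.lower() for d in USER_WRITABLE):
            reasons.append('starts from a user-writable data folder rather than Program Files')
        if KB_LOOKALIKE.match(ntpath.basename(exe)):
            reasons.append('file name mimics a Windows update package (KBnnnnnn.exe)')
        if looks_random(stem):
            reasons.append('file name looks machine-generated')
        if reasons:
            findings.append(Finding(m['name'], exe, reasons))
    return findings


def flagged_names(lines):
    return {f.name for f in triage(lines)}


# The HijackThis lines quoted in the post above
SAMPLE_LOG = r'''
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Updater For My.Freeze.com Toolbar - {C26CD490-5F01-41E3-B150-EB29F19DA056} - C:\Program Files\myfreezetoolbar\auxi\myfreezetoolbAu.dll (file missing)
O4 - HKCU\..\Run: [gkXdirORACMUlO] C:\ProgramData\gkXdirORACMUlO.exe
O4 - HKCU\..\Run: [KB569953.exe] "C:\Users\Robert Cavill\AppData\Roaming\KB569953.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O4 - HKCU\..\Run: [Singlesnet] C:\Program Files\Singlesnet\Singlesnet\Singlesnet.exe
'''.strip().splitlines()

if __name__ == '__main__':
    for f in triage(SAMPLE_LOG):
        print(f'{f.name}: {f.target}\n  - ' + '\n  - '.join(f.reasons))
```

Run as-is the script flags exactly the four entries the helper asked to fix and leaves the three "your choice" entries alone; the heuristics are deliberately narrow so that a legitimate program installed under Program Files is never flagged just for being unfamiliar.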
     
  10. panthertooth

    panthertooth Private E-2

    Hi satrow,

    Don't worry about the delay; TimW informed me that you were in training :)

    When I click Start the page is blank until I click All Programs; not sure if it was like that before or not. The recycle bin seems to be missing, but other than that everything seems to be running OK.

    I did notice that one file was not in the HJT entries when I ran it; it was the
    O2 - BHO Updater for My.Freeze.com
    but I did notice a file, not sure if it is anything, but it was WormRadar; looked like it was maybe part of AVG's virus vault.

    All my previous scans had been run under safe mode; should I re-run them under normal mode?

    Here are my newest log files.
     

    Attached Files:

  11. satrow

    satrow Major Geek Extraordinaire

    You must boot into normal Windows mode at this point. There may be other things that the scans cannot detect in Safe mode.



    There are some files remaining from the uninstalls, can you delete the following if they still exist:
    c:\program files\Free Offers from Freeze.com
    C:\Users\Robert Cavill\AppData\Roaming\ErrorExpert


    Now copy just the bold text below to Notepad (do not include any space above the word REGEDIT). Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.
    Make sure that you tell me if you receive a success message about adding the above to the registry. If you do not get a success message, it definitely did not work.


    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).



    Then attach the below log:
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
    Last edited by a moderator: Jun 18, 2011
  12. panthertooth

    panthertooth Private E-2

    Hi satrow,

    Things seem to be running OK, although I still can't find the recycle bin.

    Here is the MGtools file.
     

    Attached Files:

  13. satrow

    satrow Major Geek Extraordinaire

    That's not a good sign. As far as I'm aware, default Windows behaviour is to recreate a missing Recycle bin during bootup. You've just rebooted into normal Windows mode, yes?

    Have you checked in the display properties settings that the RB is set to show on the Desktop?

    Can you see the Recycle bin or Recycler using Windows Explorer?

    I see that there is CCleaner installed, when was the last time it was run, since this infection occurred?
     
  14. satrow

    satrow Major Geek Extraordinaire

    Some clarification on the previous Post:
    I do not want you to run CCleaner. I just want to know if it has been run since the infection was noticed.

    Also, you did not tell me if the files below existed and if you deleted them:
    c:\program files\Free Offers from Freeze.com
    C:\Users\Robert Cavill\AppData\Roaming\ErrorExpert


    You also did not tell me if the registry merge was successful, was it? Did you see any message?


    Now do the following:
    Please download and save the below to your Desktop:
    http://download.bleepingcomputer.com/grinler/unhide.exe

    Now run it. Can you now see the Recycle bin and can you test to see if there are any programs missing or failing to start?


    You now have a lot of questions to discover answers to. Until we receive the answers, we cannot make a safe decision on how to proceed with this.
     
  15. panthertooth

    panthertooth Private E-2

    Hi satrow,

    OK, I went into the display properties and there was the recycle bin, so we now have it on the desktop.

    CCleaner was run with all the other scans in safe mode.

    c:\program files\Free Offers from Freeze.com
    C:\Users\Robert Cavill\AppData\Roaming\ErrorExpert

    did exist and were deleted, and the registry merge was successful.

    I also downloaded and ran the unhide program.

    Hope I didn't miss anything that time; sorry about that.
     
  16. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Hello there. Andy is currently having a hardware issue and I will be taking over your thread as much as possible. Others may get involved. Let's do this for now.

    Download and run OTM.

    Download OTM by Old Timer and save it to your Desktop.

    Code:
    :reg
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    "Singlesnet"=-
    "Weather"=-
    "gkXdirORACMUlO"=-
    "KB569953.exe"=-
    
    • Return to OTM, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste.
    • Push the large http://farm3.static.flickr.com/2782/4174320048_f01c448b32_o.png button.
    • OTM may ask to reboot the machine. Please do so if asked.
    • Copy everything in the Results window (under the green bar), and paste it into notepad, save it as something appropriate and attach it into your next reply.

    NOTE: If you are unable to copy/paste from this window (as will be the case if the machine was rebooted), open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTM\MovedFiles folder, and open the newest .log file present, and attach the contents of that document back here in your next post.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. (Right click and run as admin if using Vista or Windows7) Then attach the new C:\MGlogs.zip file that will be created by running this.
     
  17. panthertooth

    panthertooth Private E-2

    Hello kestrel.

    When I ran OTM the file was waiting for me after the reboot.

    Here are the two files.
     

    Attached Files:

  18. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

  19. panthertooth

    panthertooth Private E-2

    Here is the log file for tdsskiller
     

    Attached Files:

  20. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    You have been very patient so far, but hang in there a little while longer please. Something is blocking the fixes and at the moment I am unsure as to what. Will post back ASAP.
     
  21. panthertooth

    panthertooth Private E-2

    Would you like me to run through the READ & RUN ME first scans again? They were all run in safe mode; maybe that will make a difference?
     
  22. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Yes please.
     
  23. panthertooth

    panthertooth Private E-2

    I'm on it, get back to you in a few :)
     
  24. panthertooth

    panthertooth Private E-2

    OK, so I am running ComboFix and I got a warning window stating that PEV.exe has stopped working. I didn't close it and let ComboFix continue.

    Just thought i would let you know
     
  25. panthertooth

    panthertooth Private E-2

    OK, here are my logs run under normal mode; hope this helps.
     

    Attached Files:

  26. panthertooth

    panthertooth Private E-2

    And last but not least
     

    Attached Files:

  27. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    SystemLook

    Please download SystemLook from one of the links below and save it to your Desktop.
    Download Mirror #1
    Download Mirror #2

    • Double-click SystemLook.exe to run it.
    • Copy the content of the following codebox into the main textfield:
      Code:
      :regfind
      Weather*
      gkXdirORACMUlO*
      KB569953.exe* 
      KB569953*
    • Click the Look button to start the scan.
    • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
    Note: The log can also be found on your Desktop entitled SystemLook.txt
     
  28. panthertooth

    panthertooth Private E-2

    Hi Kestrel,

    Here is the SystemLook file.
     

    Attached Files:

  29. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Error in my syntax, my apologies, let's do that again.

    • Double-click SystemLook.exe to run it.
    • Copy the content of the following codebox into the main textfield:
      Code:
      :regfind
      Singlesnet
      Weather
      gkXdirORACMUlO
      KB569953.exe 
      
    • Click the Look button to start the scan.
    • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
    Note: The log can also be found on your Desktop entitled SystemLook.txt
     
  30. panthertooth

    panthertooth Private E-2

    No worries, here you go
     

    Attached Files:

  31. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Now we need to use ComboFix
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    • If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
    • Open Notepad and copy/paste the text in the below quote box. Ensure you scroll down to select ALL the lines:
    Code:
    KILLALL::
    
    Registry::
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    "Singlesnet"=-
    [-HKEY_CURRENT_USER\Software\Singlesnet.com]
    [-HKEY_CURRENT_USER\Software\Singlesnet.com\Singlesnet]
    [-HKEY_CURRENT_USER\Software\Trolltech\OrganizationDefaults\Qt Factory Cache 4.4\com.trolltech.Qt.QImageIOHandlerFactoryInterface:\C:\Program Files\Singlesnet]
    [-HKEY_CURRENT_USER\Software\Trolltech\OrganizationDefaults\Qt Factory Cache 4.4\com.trolltech.Qt.QImageIOHandlerFactoryInterface:\C:\Program Files\Singlesnet\Singlesnet]
    [-HKEY_CURRENT_USER\Software\Trolltech\OrganizationDefaults\Qt Plugin Cache 4.4.false\C:\Program Files\Singlesnet]
    [-HKEY_CURRENT_USER\Software\Trolltech\OrganizationDefaults\Qt Plugin Cache 4.4.false\C:\Program Files\Singlesnet\Singlesnet]
    [HKEY_USERS\S-1-5-21-2898449579-3988547975-2668928430-1000\Software\Microsoft\Windows\CurrentVersion\Run]
    "Singlesnet"=-
    [-HKEY_USERS\S-1-5-21-2898449579-3988547975-2668928430-1000\Software\Singlesnet.com]
    [-HKEY_USERS\S-1-5-21-2898449579-3988547975-2668928430-1000\Software\Singlesnet.com\Singlesnet]
    [-HKEY_USERS\S-1-5-21-2898449579-3988547975-2668928430-1000\Software\Trolltech\OrganizationDefaults\Qt Factory Cache 4.4\com.trolltech.Qt.QImageIOHandlerFactoryInterface:\C:\Program Files\Singlesnet]
    [-HKEY_USERS\S-1-5-21-2898449579-3988547975-2668928430-1000\Software\Trolltech\OrganizationDefaults\Qt Factory Cache 4.4\com.trolltech.Qt.QImageIOHandlerFactoryInterface:\C:\Program Files\Singlesnet\Singlesnet]
    [-HKEY_USERS\S-1-5-21-2898449579-3988547975-2668928430-1000\Software\Trolltech\OrganizationDefaults\Qt Plugin Cache 4.4.false\C:\Program Files\Singlesnet]
    [-HKEY_USERS\S-1-5-21-2898449579-3988547975-2668928430-1000\Software\Trolltech\OrganizationDefaults\Qt Plugin Cache 4.4.false\C:\Program Files\Singlesnet\Singlesnet]
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    "Weather"=-
    [HKEY_USERS\S-1-5-21-2898449579-3988547975-2668928430-1000\Software\Microsoft\Windows\CurrentVersion\Run]
    "Weather"=-
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    "gkXdirORACMUlO"=-
    [HKEY_USERS\S-1-5-21-2898449579-3988547975-2668928430-1000\Software\Microsoft\Windows\CurrentVersion\Run]
    "gkXdirORACMUlO"=-
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    "KB569953.exe"=-
    [HKEY_USERS\S-1-5-21-2898449579-3988547975-2668928430-1000\Software\Microsoft\Windows\CurrentVersion\Run]
    "KB569953.exe"=- 
    
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe

      http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below

    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    If after running ComboFix you discover none of your programs will open up, and you receive the following error: "Illegal operation attempted on a registry key that has been marked for deletion", then the answer is to REBOOT the machine, and all will be corrected.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. (Right click and run as admin if using Vista or Windows7) Then attach the new C:\MGlogs.zip file that will be created by running this.
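Both the OTM `:reg` section in post 16 and the `Registry::` section of the CFScript above use regedit's .reg syntax: a `[KEY]` line selects a key, `[-KEY]` deletes that key together with everything beneath it, and `"Name"=-` deletes a single value under the currently selected key. The Python script below is an added example, not code from ComboFix, OTM or this thread: it interprets that subset of the syntax against a constructed in-memory registry so a helper can dry-run a fix script and see which values it will actually remove, and which targets are already absent (the `missing_value` entries), before anyone runs it on the real machine. The sample registry contents are constructed from the Run entries quoted in the thread plus one made-up legitimate value; the assumption that ComboFix and OTM treat these lines exactly as regedit does is mine.

```python
import re

KEY_RE = re.compile(r'^\[(?P<delete>-?)(?P<path>[^\]]+)\]$')
VALUE_RE = re.compile(r'^"(?P<name>[^"]*)"=(?P<data>.*)$')
# Lines that carry no registry edit: ComboFix section headers (KILLALL::, Registry::),
# OTM's :reg marker and the regedit file headers
SKIP_RE = re.compile(r'^(?:\w+::|:reg|REGEDIT4|Windows Registry Editor.*)$', re.I)


class FakeRegistry:
    """Minimal in-memory registry: key path -> {value name: data}. Constructed for this example."""

    def __init__(self, keys):
        self.keys = {k: dict(v) for k, v in keys.items()}

    def _find(self, path):
        # Registry key names are case-insensitive
        for k in self.keys:
            if k.lower() == path.lower():
                return k
        return None

    def delete_key(self, path):
        """Delete a key and its whole subtree; returns the list of keys removed."""
        prefix = path.lower() + '\\'
        doomed = [k for k in self.keys if k.lower() == path.lower() or k.lower().startswith(prefix)]
        for k in doomed:
            del self.keys[k]
        return doomed

    def delete_value(self, path, name):
        k = self._find(path)
        if k is None or name not in self.keys[k]:
            return False
        del self.keys[k][name]
        return True

    def set_value(self, path, name, data):
        k = self._find(path) or path
        self.keys.setdefault(k, {})[name] = data


def parse_data(data):
    """Right-hand side of a value line: '-' means delete, "..." is a string, dword:hex is a number."""
    data = data.strip()
    if data == '-':
        return None
    if data.startswith('"') and data.endswith('"'):
        return data[1:-1]
    if data.lower().startswith('dword:'):
        return int(data[6:], 16)
    return data  # hex:/expanded-string forms kept verbatim for this example


def apply_script(reg, script):
    """Apply a regedit-style fix script to reg; returns an action log for review."""
    actions, current = [], None
    for raw in script.splitlines():
        line = raw.strip()
        if not line or SKIP_RE.match(line):
            continue
        m = KEY_RE.match(line)
        if m:
            if m['delete']:
                removed = reg.delete_key(m['path'])
                actions.append(('delete_key', m['path'], len(removed)))
                current = None
            else:
                current = m['path']
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            data = parse_data(m['data'])
            if data is None:
                ok = reg.delete_value(current, m['name'])
                actions.append(('delete_value' if ok else 'missing_value', current, m['name']))
            else:
                reg.set_value(current, m['name'], data)
                actions.append(('set_value', current, m['name']))
            continue
        actions.append(('unparsed', line, None))
    return actions


RUN = r'HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run'
# Constructed registry state: the Run values quoted in the thread plus one made-up legitimate entry
SAMPLE_REGISTRY = {
    RUN: {
        'Singlesnet': r'C:\Program Files\Singlesnet\Singlesnet\Singlesnet.exe',
        'Weather': r'C:\Program Files\AWS\WeatherBug\Weather.exe 1',
        'gkXdirORACMUlO': r'C:\ProgramData\gkXdirORACMUlO.exe',
        'KB569953.exe': r'"C:\Users\Robert Cavill\AppData\Roaming\KB569953.exe"',
        'Sidebar': r'C:\Program Files\Windows Sidebar\sidebar.exe /autoRun',  # made up; must survive the script
    },
    r'HKEY_CURRENT_USER\Software\Singlesnet.com': {},
    r'HKEY_CURRENT_USER\Software\Singlesnet.com\Singlesnet': {'Installed': 1},
}
# The HKCU part of the fix script quoted in the thread
FIX_SCRIPT = r"""Registry::
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Singlesnet"=-
"Weather"=-
"gkXdirORACMUlO"=-
"KB569953.exe"=-
[-HKEY_CURRENT_USER\Software\Singlesnet.com]
[-HKEY_CURRENT_USER\Software\Singlesnet.com\Singlesnet]
"""


def run_example():
    reg = FakeRegistry(SAMPLE_REGISTRY)
    return reg, apply_script(reg, FIX_SCRIPT)


if __name__ == '__main__':
    reg, actions = run_example()
    for a in actions:
        print(a)
    print('Run values left:', list(reg.keys[RUN]))
```

The action log makes two things visible that the raw script does not: the second `[-...Singlesnet.com\Singlesnet]` line removes nothing because the parent deletion already took the subkey with it, and any `missing_value` entry shows a target the script expected but did not find, which is the situation to check for when a fix appears to have had no effect.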
     
  32. panthertooth

    panthertooth Private E-2

    Here are the latest scans; hope it's the right CF log.
     

    Attached Files:

  33. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Looks good now. Are you having any remaining malware problems now?
     
  34. panthertooth

    panthertooth Private E-2

    Not that I am aware of; it seems to be running better.
     
  35. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Excellent. Then, to keep you moving along while Satrow, TimW and Kestrel13! are sleeping ;) you can now start on the below.



    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources ( except a little disk space ) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /uninstall
        • Notes: The space between the combofix" and the /uninstall, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
    3. Go back to step 6 of the READ ME and re-enable your Disk Emulation software with Defogger if you had disabled it.
    4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    7. Go to add/remove programs and uninstall HijackThis.
    8. Go to the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    9. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures pointed to by step 7 of the READ ME for your Windows version and see the instructions to Disable System Restore, which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    10. After doing the above, you should work through the below link:
     
  36. panthertooth

    panthertooth Private E-2

    Thanks chaslang and TimW.

    Thanks Kestrel, sorry I made your brain hurt with this one ;)

    Keep up the good work satrow

    Panthertooth
     
  37. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    I was determined to get to the bottom of it LOL but I did have Chas to guide me, so glad all ended well. ;)
     
  38. satrow

    satrow Major Geek Extraordinaire

    ... and I was keeping an eye on progress too! I've got some new hardware and sorted out a couple of software bugs so I can keep learning as well :)

    Stay safe.
     
