Persistent Infection! Need expert assistance asap!

Discussion in 'Malware Help (A Specialist Will Reply)' started by Chess, Feb 15, 2012.

  1. Chess

    Chess Private E-2

    I lent out my laptop, and it has been returned with viruses! I've gone through the steps in your antivirus procedure post, and it has not worked. I'll list all the problems I have noticed so far.

    1. IE and FFox redirect from search engine results.
    2. Strange processes appear in task manager.
    3. System performance seems slower (still tolerable though)
    4. The no cd system restore feature seems to be blocked by the virus. (I have no cds)
    5. Some malware scanners tend to freeze my entire computer at some point during scans. Specifically, malwarebytes, and eset online scanner. Spybot SD can complete its scan though.

    I'd definitely prefer to solve these problems without reformatting, but I'm willing to if necessary. I'll check here frequently for any instruction.
     
  2. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    So you have completed this:

    I want you to run TDSSKiller so refer to the below for how to do so.

    TDSSkiller - How to run


    Please also download MBRCheck to your desktop
    • Double click MBRCheck.exe to run (Vista and Win 7: right click and select Run as Administrator)
    • It will show a Black screen with some information that will contain either the below line if no problem is found:
      • Done! Press ENTER to exit...
    • Or you will see more information like below if a problem is found:
      • Found non-standard or infected MBR.
      • Enter 'Y' and hit ENTER for more options, or 'N' to exit:
    • Either way, just choose to exit the program at this point since we want to see only the scan results to begin with.
    • MBRCheck will create a log named similar to MBRCheck_07.16.10_00.32.33.txt which is random based on date and time.

    And also you have been through all of this? READ & RUN ME FIRST. Malware Removal Guide If so then attach all of the requested logs. :)
     
  3. Chess

    Chess Private E-2

    The TDss killer found a rootkit. I removed it using the cure option on the program.

    Next, I ran MBR. Here's the log.
     

    Attached Files:

    Last edited by a moderator: Feb 15, 2012
  4. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Can you please run the rest of my instructions which I gave you a link to, and attach the rest of the requested logs. Thanks.
     
  5. Chess

    Chess Private E-2

    Alright, malwarebytes and superantispyware still freeze my computer a few minutes into the scan in regular and safe mode. Here are my other logs. I have a 64 system, so the other program which only supports 32 systems will not run.
     

    Attached Files:

  6. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Java(TM) 6 Update 24 <--- uninstall this outdated java.
    Conduit Engine <--- Uninstall this.

    C:\Users\Swirly Happy Rainbow\Desktop\q5C2E50.exe <--- What is this?

    Now we need to use ComboFix by sUBs

    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    • If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
    • Open Notepad and copy/paste the text in the below quote box. Ensure you scroll down to select ALL the lines:
    Code:
    KILLALL::
    
    DirLook::
    c:\program files (x86)\Mbahtsantimalwayre 
    Folder::
    c:\windows\5B210B8AB66E4702B44D0D6F388D29EB.TMP
    File::
    C:\ProgramData\PDwSqfSYc72dQq
    C:\ProgramData\rdy0na2kn31774s2j352k0
    C:\ProgramData\882146l3n571m668j688e0tvj7p3
    C:\Users\Swirly Happy Rainbow\AppData\Roaming\Microsoft\Windows\Templates\882146l3n571m668j688e0tvj7p3
    C:\Users\Swirly Happy Rainbow\AppData\Roaming\Microsoft\Windows\Templates\rdy0na2kn31774s2j352k0
    C:\Users\Swirly Happy Rainbow\AppData\Roaming\Microsoft\Windows\Templates\x5352fa58x67c0074ec46vdlhqk2k6ryji31dk05bs0kk
    C:\ProgramData\x5352fa58x67c0074ec46vdlhqk2k6ryji31dk05bs0kk
    C:\ProgramData\~PDwSqfSYc72dQq
    C:\ProgramData\~PDwSqfSYc72dQqr
    Registry::
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchScopes\{7DAEFC71-D36D-43A5-BCFF-3B40D880F98B}]
    [-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{7DAEFC71-D36D-43A5-BCFF-3B40D880F98B}]
    [-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{85889576-38F4-4F7F-8A01-4DC9C976A3E1}]
    
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe

      http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below

    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    If after running Combofix you discover none of your programs will open up, and you receive the following error: "Illegal operation attempted on a registry key that has been marked for deletion", then the answer is to REBOOT the machine, and all will be corrected.


    Rerun TDSSKiller again. Attach the new log.


    Reboot your machine and install the most current and up to date version of Java available here at the below link:

    Java Runtime 6

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. (Right click and run as admin if using Vista or Windows7) Then attach the new C:\MGlogs.zip file that will be created by running this.

    Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now!
     
  7. Chess

    Chess Private E-2

    I uninstalled Java, and reinstalled the version you said. Conduit Engine wouldn't seem to uninstall, despite having selected that option. I have no recollection of what C:\Users\Swirly Happy Rainbow\Desktop\q5C2E50.exe might be. I dragged the text file you had me save onto the combofix program, and it ran. Here are the logs you asked for.
     

    Attached Files:

    Last edited: Feb 17, 2012
  8. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Please do the above.
     
  9. Chess

    Chess Private E-2

    My computer froze when I ran the getlogs.bat, so I gave it a shot in safe mode with networking. That worked. Regarding your question, the computer seems to be freezing more often. This leads me to think maybe that overheating might be causing the freezes, particularly when it's being called to perform operations that involve high CPU usage. Search engines are still hijacked.
     

    Attached Files:

  10. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Now let's use ComboFix to remove a bunch of malware files.

    * Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
    If it is not on your Desktop, the below will not work.
    * Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    * If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
    * Open Notepad and copy/paste the text in the below code box into it (make sure you scroll all the way down in the code box to get all lines selected ):
    Code:
    ClearJavaCache::
    KILLALL::
    File::
    C:\Users\Swirly Happy Rainbow\AppData\Roaming\Microsoft\Windows\Templates\882146l3n571m668j688e0tvj7p3
    C:\Users\Swirly Happy Rainbow\AppData\Roaming\Microsoft\Windows\Templates\rdy0na2kn31774s2j352k0
    C:\Users\Swirly Happy Rainbow\AppData\Roaming\Microsoft\Windows\Templates\x5352fa58x67c0074ec46vdlhqk2k6ryji31dk05bs0kk
    C:\Users\Swirly Happy Rainbow\Documents\gfkg.txt
    C:\ProgramData\882146l3n571m668j688e0tvj7p3
    C:\ProgramData\~PDwSqfSYc72dQq
    C:\ProgramData\~PDwSqfSYc72dQqr
    C:\ProgramData\x5352fa58x67c0074ec46vdlhqk2k6ryji31dk05bs0kk
    C:\Users\Swirly Happy Rainbow\AppData\Local\Temp\8AB1.tmp
    C:\Users\Swirly Happy Rainbow\AppData\Local\Temp\8CB4.tmp
    C:\Users\Swirly Happy Rainbow\AppData\Local\Temp\A227.tmp
    C:\Users\Swirly Happy Rainbow\AppData\Local\Temp\A4D6.tmp
    C:\Users\Swirly Happy Rainbow\AppData\Local\Temp\ECED.tmp
    C:\Fonts\6DFBBA77C26.exe
    Registry::
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\1Y5U7AYUZGXY2B8WRLQVHAJPCSR]
    
    
    * Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    * At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    * You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    If it asks you to override the previous file with the same name, click YES.
    * Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
    * Follow the prompts.
    * When it finishes, a log will be produced named c:\combofix.txt
    * I will ask for this log below

    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    Note: If after running Combofix you discover none of your programs will open up, and you receive the following error: "Illegal operation attempted on a registry key that has been marked for deletion", then the answer is to REBOOT the machine, and all will be corrected.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

    Then attach the below log:

    • C:\MGlogs.zip

    Make sure you tell me how things are working now!
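
    The CFScript text quoted in posts #6 and #10 follows a simple section format, and the added example below (not ComboFix's own code and not from the thread) parses it: each line ending in "::" opens a section, bare directives such as KILLALL:: carry no entries, file/folder entries are checked to be absolute Windows paths, and registry lines with a leading "-" are collected as keys marked for deletion. The sample script inside it is constructed and shortened from post #10.

```python
# Added example: a parser for the CFScript directives quoted in the posts
# above (not ComboFix's own code). A line ending in '::' opens a section;
# bare directives such as KILLALL:: carry no entries; a bracketed registry
# line with a leading '-' asks ComboFix to delete that key.
import re

# Constructed sample, shortened from the script in post #10.
SAMPLE_SCRIPT = """ClearJavaCache::
KILLALL::
File::
C:\\ProgramData\\882146l3n571m668j688e0tvj7p3
C:\\Fonts\\6DFBBA77C26.exe
Registry::
[-HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Shared Tools\\MSConfig\\startupreg\\1Y5U7AYUZGXY2B8WRLQVHAJPCSR]
"""

WIN_PATH = re.compile(r"^[A-Za-z]:\\")
REG_KEY = re.compile(r"^\[(-?)(HKEY_[A-Z_]+\\.+)\]$")

def parse_cfscript(text):
    """Return {directive: [entries]} in the order sections appear."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith("::"):
            current = line[:-2]
            sections.setdefault(current, [])
        elif current is None:
            raise ValueError("entry before any directive: %r" % line)
        else:
            sections[current].append(line)
    return sections

def bad_paths(sections):
    """Entries under File::/Folder::/DirLook:: that are not absolute paths."""
    return [(name, e) for name in ("File", "Folder", "DirLook")
            for e in sections.get(name, []) if not WIN_PATH.match(e)]

def registry_deletions(sections):
    """Keys whose bracketed line carries the leading '-' (delete) marker."""
    keys = []
    for entry in sections.get("Registry", []):
        m = REG_KEY.match(entry)
        if m and m.group(1) == "-":
            keys.append(m.group(2))
    return keys
```

    Running bad_paths over a script before dragging it onto ComboFix catches a copy/paste error such as a truncated or indented path line, which is the usual reason a posted script does not do what the helper intended.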
     
  11. Chess

    Chess Private E-2

    "Make sure that combofix.exe that you downloaded while doing the READ & RUN
    ME is on your Desktop but Do not run it!"

    I don't know what you mean by that. I have no idea where the one I downloaded while doing "read and run" is. Should I download a new one?
     
  12. satrow

    satrow Major Geek Extraordinaire

    Post #2:
    You have already run Combofix 2x as you have attached the resulting logs here in #5 and #7.
    It was on your Desktop.
     
  13. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Running from: c:\users\Swirly Happy Rainbow\Desktop\ComboFix.exe
     
