Help have ping.exe virus

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by leeleebb1, Feb 27, 2012.

  1. leeleebb1

    leeleebb1 Private E-2

    I need help removing this virus. I currently have Kaspersky and just ran SUPERAntiSpyware as well as Malwarebytes yesterday. All three programs removed a ton of viruses, but I'm still getting alerts from Kaspersky that the ping virus is still here.

    Need help

    Thanks
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Major Geeks!

    Please read ALL of this message including the notes before doing anything.

    Please follow the instructions in the below link:

    READ & RUN ME FIRST. Malware Removal Guide


    and attach the requested logs when you finish these instructions.
    • **** If something does not run, write down the info to explain to us later but keep on going. ****
    • Do not assume that because one step does not work that they all will not. MGtools will frequently run even when all other tools will not.

    • After completing the READ & RUN ME and attaching your logs, make sure that you tell us what problems still remain ( if any still do )!
    Helpful Notes:
    1. If you run into problems trying to run the READ & RUN ME or any of the scans in normal boot mode, you can run the steps in safe boot mode but make sure you tell us what you did later when you post logs. See the below if you do not know how to boot in safe mode:
    2. If you have problems downloading on the problem PC, download the tools and the manual updates for SUPERAntiSpyware and Malwarebytes ( links are given in the READ & RUN ME) onto another PC and then burn to a CD. Then copy them to the problem PC. You will have to skip getting updates if (and only if) your internet connection does not work. Yes you could use a flash drive too but flash drives are writeable and infections can spread to them.
    3. If you cannot seem to login to an infected user account, try using a different user account (if you have one) in either normal or safe boot mode and running only SUPERAntiSpyware and Malwarebytes while logged into this other user account. Then reboot and see if you can log into the problem user account. If you can then run SUPERAntiSpyware, Malwarebytes, ComboFix and MGtools on the infected account as requested in the instructions.
    4. To avoid additional delay in getting a response, it is strongly advised that after completing the READ & RUN ME you also read this sticky:
    Any additional post is a bump which will add more delay. Once you attach the logs, your thread will be in the work queue and as stated our system works the oldest threads FIRST.
     
  3. leeleebb1

    leeleebb1 Private E-2

    Hope I did this right. Been working on this all day. Couldn't get RootRepeal to work.
     

    Attached Files:

  4. leeleebb1

    leeleebb1 Private E-2

    Here are the logs for Malwarebytes Anti-Malware and SUPERAntiSpyware. Also, when running ComboFix it did say I had the Rootkit.ZeroAccess virus, but not sure if it cleaned it or not.
     

    Attached Files:

  5. leeleebb1

    leeleebb1 Private E-2

    Finally got RootRepeal to work. Also lost my audio.
     

    Attached Files:

  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    That's correct and we have some more work to do in removing this.

    First rerun TDSSKiller and this time, if the below two lines show up, don't skip them. Delete them. They are part of the infection.
    Code:
    12:17:22.0109 0212 \Device\Harddisk0\DR0 ( TDSS File System ) - skipped by user
    12:17:22.0109 0212 \Device\Harddisk0\DR0 ( TDSS File System ) - User select action: Skip 
    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista or Win 7, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:55414
    O2 - BHO: AskBar BHO - {201f27d4-3704-41d6-89c1-aa35e39143ed} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
    O2 - BHO: AOL Toolbar Loader - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL Toolbar\aoltb.dll (file missing)
    O3 - Toolbar: Ask Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
    O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL Toolbar\aoltb.dll (file missing)

    After clicking Fix, exit HJT.

    Now uninstall the below software:
    Ask Toolbar

    Now we need to use ComboFix to remove a bunch of malware files.
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    • If ComboFix tells you it has expired or need to be updated to a new version, make sure you allow it to update.
    • Open Notepad and copy/paste the text in the below quote box into it:
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below
    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    If after running ComboFix you discover none of your programs will open up because you receive the following error: Illegal operation attempted on a registry key that has been marked for deletion, then you will need to reboot your computer, which will normally fix this problem.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:
    • C:\ComboFix.txt
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
  7. leeleebb1

    leeleebb1 Private E-2

    I want to thank you for helping me. I did everything on your "to-do list" last night.
    I ran two logs for TDSSKiller by accident. Also not sure if the MGtools/GetLogs.bat log is in MGlogs.zip. Had to run the file from the MGtools folder on C:. When it finished, the log went automatically to MGlogs.zip, but when I try to open MGlogs.zip it always opens with iTunes; don't know what that is about?? I'm attaching MGlogs.zip anyway.

    Now, all day yesterday when I would execute one of your action items and reboot, I would not get any redirect or warning messages. But this morning when I turn the computer on it starts to redirect again, and when I turn Kaspersky back on I get warning messages saying I have the virus again.

    Do you think it's in my startup?
     

    Attached Files:

  8. leeleebb1

    leeleebb1 Private E-2

    Hi, after I did my last post I was looking at my Kaspersky reports and I thought I saw a fleeting image on the bottom right side of the screen saying that someone was logged on. It was very fast and I had never seen that before and couldn't see the user name. Not sure if I'm being paranoid. Could someone be logging on with this damn virus?? OMG (I'm posting this comment from a different computer.) :(:(
     
  9. leeleebb1

    leeleebb1 Private E-2

    Oh boy! Things keep going downward. Now it says "correct local user profile" after I log into my user ID. Windows then created a new log-on page as if I'm new. My OS is Windows XP Home Edition.

    Still no sound on PC.
     
  10. leeleebb1

    leeleebb1 Private E-2

    My original user profile is back :confused
     
  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    That is what my instructions said to do.

    You don't need to open it. ;) You just need to attach it here. You did not attach it. However, if iTunes opens, you have something wrong with your file associations that associated the ZIP file extension with iTunes, which is completely useless.


    It seems each time you run TDSSkiller it finds more issues from ZeroAccess. Is it still detecting problems if you run it again?
     
  12. leeleebb1

    leeleebb1 Private E-2

    Yes, just ran it; it shows the ZeroAccess threat.
     

    Attached Files:

  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Hmmm! You may have quite a few system files infected then.

    Please redownload a new version of combofix.exe and save it to your Desktop overwriting the previous version.

    Then shutdown Kaspersky and run ComboFix. Attach the new log.

    Do you have your Windows XP boot CD?


    Please download OTL by OldTimer.
    • Save it to your desktop.
    • Double click on the OTL icon on your desktop. (If running Vista or Win7 right-click and select Run as Administrator)
    • Check the "Scan All Users" checkbox.
    • Check the "Standard Output".
    • Change the setting of "Drivers" and "Services" to "All"
    • Copy the text in the code box below and paste it into the Customs Scans/Fixes text-field.
      Code:
      netsvcs
      /md5start
      afd.sys
      atapi.sys
      csrss.exe
      dhcpcsvc.dll
      explorer.exe
      lsass.exe
      nsiproxy.sys
      regedit.exe
      services.exe
      svchost.exe
      tcpip.sys
      tdx.sys
      userinit.exe
      winlogon.exe
      /md5stop
      %systemdrive%\*.*
      %systemdrive%\MGtools\*.*
      %systemroot%\*. /mp /s
      %systemroot%\system32\*.sys /90
      %systemroot%\system32\*.exe /lockedfiles
      %systemroot%\system32\drivers\*.sys /lockedfiles
      %windir%\assembly\GAC\*.ini
      %windir%\assembly\GAC_MSIL\*.ini
      %windir%\assembly\gac_32\*.ini
      %windir%\assembly\gac_64\*.ini
      %windir%\assembly\temp\*.ini
      %windir%\assembly\tmp\u /s
      %allusersprofile%\application data\*.exe
      hklm\system\currentcontrolset\services\dhcp
      hklm\system\currentcontrolset\services\afd
      hklm\system\currentcontrolset\services\tdx
      hklm\system\currentcontrolset\services\tcpip
      hklm\system\currentcontrolset\services\nsiproxy
      hklm\software\microsoft\windows\currentversion\run
      hklm\software\microsoft\windows\currentversion\runonce
      
    • Now click the Run Scan button.
    • Two reports will be created:
      • OTL.txt <-- Will be opened
      • Extras.txt <-- Will be minimized
    • Attach both OTL.txt and Extras.txt to your next message. (See how to attach)
     
  14. leeleebb1

    leeleebb1 Private E-2

    Thanks
     
    Last edited by a moderator: Mar 5, 2012
  15. leeleebb1

    leeleebb1 Private E-2

    Ran ComboFix; after it rebooted I can no longer use the keyboard. The mouse still works but I can't type anything (it's a laptop). Leaving this message from another PC.

    I have the original CD from Dell that says Operating System Reinstallation CD Windows XP Home Edition Service Pack 3.

    Tried to leave this update twice before. If they appear as separate post or threads please disregard.
     
  16. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    If your PC boots up and you can use the mouse, open Windows Explorer using the mouse by right clicking on the Start button and select Explore.

    Then navigate to C:\WINDOWS\system32\osk.exe and double click on this file to run it. This is an on-screen keyboard. See if this keyboard allows you to click on keys using your mouse to emulate typing from the keyboard. It will be a little slow, but we need to do this to get the logs from the last fix. ComboFix probably found one or more infected .sys files, and removing or fixing them probably caused the problem with your keyboard or a service that is needed.
     
  17. leeleebb1

    leeleebb1 Private E-2

    Ok, using onscreen keyboard able to post logs
     

    Attached Files:

  18. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I'm not sure this is from anything ComboFix did specifically. All it did was remove some files related to the ZeroAccess infection. Nothing related to your keyboard was touched.

    However, previous scans with TDSSKiller have been showing that many of your .SYS files have been infected, and one of these files is listed below in a partial snippet of what TDSSKiller found and attempted to repair:
    Code:
    20:06:56.0718 3300 C:\WINDOWS\system32\DRIVERS\i8042prt.sys - copied to quarantine
    20:06:56.0937 3300 Backup copy found, using it..
    20:06:56.0937 3300 C:\WINDOWS\system32\DRIVERS\i8042prt.sys - will be cured on reboot
    20:07:01.0750 3300 i8042prt ( Virus.Win32.ZAccess.c ) - User select action: Cure 
    This file is related to your keyboard and mouse. So the problem could be related to what happened here.

    I also noticed some strange partitioning on your hard disk, and these infections have been known to add infected partitions to hard drives. Do you have any idea why the two small partitions at the end of the below list (Partition #2 and Partition #3) are there?
    Code:
    Partition Disk #0, Partition #0 
    Partition Size 78.41 MB (82,220,544 bytes) 
    Partition Starting Offset 32,256 bytes 
    Partition Disk #0, Partition #1 
    Partition Size 143.26 GB (153,820,961,280 bytes) 
    Partition Starting Offset 82,252,800 bytes 
    Partition Disk #0, Partition #2 
    Partition Size 2.50 GB (2,681,441,280 bytes) 
    Partition Starting Offset 153,911,439,360 bytes 
    Partition Disk #0, Partition #3 
    Partition Size 3.21 GB (3,446,392,320 bytes) 
    Partition Starting Offset 156,592,880,640 bytes 
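The question above is really a layout check: do the partitions account for the disk contiguously, and which small ones sit after the OS partition and need a known owner? Below is an added Python example (not code from this thread, from MGtools or from any tool mentioned here) that parses the listing quoted above, constructed inline from the post's own byte values, computes each partition's end offset, reports gaps or overlaps between neighbours, and lists the small trailing partitions. The 512-byte sector size and the 4 GiB "small" threshold are assumptions.

```python
import re
from dataclasses import dataclass

# Constructed input: the four partitions quoted in the post above, copied
# from the system-information dump (byte values taken verbatim).
LISTING = """\
Partition Disk #0, Partition #0
Partition Size 78.41 MB (82,220,544 bytes)
Partition Starting Offset 32,256 bytes
Partition Disk #0, Partition #1
Partition Size 143.26 GB (153,820,961,280 bytes)
Partition Starting Offset 82,252,800 bytes
Partition Disk #0, Partition #2
Partition Size 2.50 GB (2,681,441,280 bytes)
Partition Starting Offset 153,911,439,360 bytes
Partition Disk #0, Partition #3
Partition Size 3.21 GB (3,446,392,320 bytes)
Partition Starting Offset 156,592,880,640 bytes
"""

SECTOR = 512            # assumed sector size
SMALL = 4 * 1024 ** 3   # assumed threshold for a "small" partition (4 GiB)


@dataclass
class Partition:
    disk: int
    index: int
    size: int    # bytes
    start: int   # byte offset from the beginning of the disk

    @property
    def end(self):
        """Exclusive end offset: the first byte after the partition."""
        return self.start + self.size


HEADER = re.compile(r"Partition Disk #(\d+), Partition #(\d+)")
SIZE = re.compile(r"Partition Size .*\(([\d,]+) bytes\)")
START = re.compile(r"Partition Starting Offset ([\d,]+) bytes")


def parse_listing(text):
    """Turn the three-lines-per-partition listing into Partition objects sorted by start."""
    parts, cur = [], None
    for line in text.splitlines():
        if m := HEADER.search(line):
            cur = {"disk": int(m.group(1)), "index": int(m.group(2))}
        elif m := SIZE.search(line):
            cur["size"] = int(m.group(1).replace(",", ""))
        elif m := START.search(line):
            cur["start"] = int(m.group(1).replace(",", ""))
            parts.append(Partition(**cur))
            cur = None
    return sorted(parts, key=lambda p: (p.disk, p.start))


def layout_findings(parts):
    """Alignment, overlap and gap checks between neighbouring partitions.
    Returns (partition index, message) tuples. An overlap is a red flag; a gap
    of exactly one legacy cylinder (16065 * 512 = 8,225,280 bytes) is the usual
    CHS-alignment artefact left by older partitioning tools."""
    findings, prev = [], None
    for p in parts:
        if p.start % SECTOR or p.size % SECTOR:
            findings.append((p.index, "not sector aligned"))
        if prev is not None and p.disk == prev.disk:
            if p.start < prev.end:
                findings.append((p.index, f"overlaps partition #{prev.index} by {prev.end - p.start} bytes"))
            elif p.start > prev.end:
                findings.append((p.index, f"gap of {p.start - prev.end} bytes after partition #{prev.index}"))
        prev = p
    return findings


def trailing_small_partitions(parts, max_size=SMALL):
    """Indexes of partitions that sit after the largest (OS) partition and are at
    most max_size. OEM recovery/utility partitions normally live there, but so
    would an unexplained one, so each needs an identified owner before it stays."""
    largest = max(parts, key=lambda p: p.size)
    return [p.index for p in parts if p.start > largest.start and p.size <= max_size]


if __name__ == "__main__":
    parts = parse_listing(LISTING)
    for p in parts:
        print(f"#{p.index}: start={p.start:>16,} end={p.end:>16,} size={p.size:>16,}")
    for idx, msg in layout_findings(parts):
        print(f"partition #{idx}: {msg}")
    print("small partitions after the OS partition:", trailing_small_partitions(parts))
```

On the posted values the script finds no overlaps, one one-cylinder gap between partition #1 and #2, and flags #2 and #3 as the small trailing partitions to account for, which is exactly the question chaslang asks; the later posts establish that on this Dell they are the vendor's restore and MediaDirect partitions.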
     
  19. leeleebb1

    leeleebb1 Private E-2

    Hi I have no idea why the partitions are there. This laptop had a bad redirect virus about a year ago. We gave it to my brother-in-law to fix, which he did by downloading SuperAntiSpyware in safemode. Not sure if that has anything to do with it. Probably not.

    So what do you think, do we need to get rid of the extra partitions?
     
  20. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Since there are many cases of recent infections that add infected partitions, yes, it would be a good idea. You could first check to see if these partitions actually show up in Windows as actual drive letters and, if they do, see if there is any data on them that is needed. I'm betting they do not show up as drive letters and hence would really be questionable.
     
  21. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Note: In preparation to delete these partitions, you can make the G-Parted boot disk mentioned in the below procedure.

    Using G-Parted to Repair Windows Partition Infections

    Don't run the whole procedure, just make the disk and then I will tell you how to use it. That is unless you totally understand what is being done in those instructions and can follow them to remove the two red highlighted partitions in my previous message.
     
  22. leeleebb1

    leeleebb1 Private E-2

    I only have the C Drive and the DVD drive. I will make the disc tomorrow and post when it's done thanks.
     
  23. leeleebb1

    leeleebb1 Private E-2

    Double click ARCDC.exe
    Follow the dialog until you see 6 options. Please pick: Windows Professional SP2 & SP3
    Made a mistake and picked the PC's OS, Windows Home Edition SP3, instead of Windows Professional :-o

    You will be prompted with a Terms of Use by Microsoft, please accept.
    You will see a few dos screens flash by, this is normal.
    Next you will be able to choose to add extra files. Select the Default Files.
    The last window will allow you to burn the disk using BurnCDCC
    The ISO (image) you need to burn is located on your Desktop.
    Note 1: You need to burn the ISO (image) to a CD, which is not the same as just copying it to a CD. Please use the BurnCDCC program and follow its instructions. This part worked as stated.

    Now Test to make sure you can boot from this CD you created.
    Now insert the CD-ROM you just created into the CD-ROM drive, and then restart the computer.
    If your PC is not booting from the CD, you need to change the boot order:
    Restart your PC
    As soon as you get an image, press the Setup key. This is usually F2, or Del. On some machines the key can also be a different one. It should, however, be stated on the screen which key is the setup key. My key is F12.
    Once you enter the computer's BIOS, use the arrow keys and tab key to move between elements. Press enter to select an item to change.
    Navigate to the tab, where you can set the boot order. It should be called Boot or Boot order
    The tab should now show your current boot order.
    If the CD-drive is not at the top, please navigate to the CD-Rom drive with the keys arrows. Then move it to the top of the list. The keys for switching boot position are usually + to move up and - to move down. However they can be different, but they should be stated in the help, so that you can find them easily.
    Once the CD-drive is on top of the boot order, navigate to Exit and select Exit saving changes.
    Your PC should now boot from your CD.
    Click to select any options that are required to start the computer from the CD-ROM drive if you are prompted. When the "Welcome to Setup" screen appears, press R to start the Recovery Console.

    Was at the Windows setup, then a blue screen came up saying "a problem has been detected, have to shut down"; technical info ox0000007b, coxf78b2524, ox00000034, ox00000000, and that's as far as I got.
    Should I redo it?
    Sorry, and thanks for your patience.
     
  24. leeleebb1

    leeleebb1 Private E-2

    Hi, I noticed that the browser was not redirecting, so while waiting for you to respond to my last post I decided to run TDSSKiller. Got the same error message (see below), but the keyboard function came back after rebooting this time!
    21:53:19.0687 0532 Detected object count: 1
    21:53:19.0687 0532 Actual detected object count: 1
    21:53:58.0625 0532 C:\WINDOWS\system32\DRIVERS\i8042prt.sys - copied to quarantine
    21:53:58.0625 0532 VerifyFileNameVersionInfo: GetFileVersionInfoSizeW(C:\WINDOWS\system32\drivers\i8042prt.sys) error 1813
    21:53:59.0671 0532 Backup copy found, using it..
    21:53:59.0687 0532 C:\WINDOWS\system32\DRIVERS\i8042prt.sys - will be cured on reboot
    21:54:04.0562 0532 i8042prt ( Virus.Win32.ZAccess.c ) - User select action: Cure


    Also, in one of the earlier TDSSKiller logs I found this; could this be causing the problem with making the boot disc?
    20:16:05.0171 3248 Detected object count: 1
    20:16:05.0171 3248 Actual detected object count: 1
    20:16:14.0468 3248 C:\WINDOWS\system32\DRIVERS\cdrom.sys - copied to quarantine
    20:16:14.0656 3248 Backup copy found, using it..
    20:16:14.0718 3248 C:\WINDOWS\system32\DRIVERS\cdrom.sys - will be cured on reboot
    20:16:19.0671 3248 Cdrom ( Virus.Win32.ZAccess.c ) - User select action: Cure
    20:17:56.0890 0460 Deinitialize success

    Hope we are making progress
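Two things worth pulling out of the TDSSKiller lines quoted in this thread: the "User select action: Skip" entries chaslang warned about earlier (nothing was removed), and i8042prt.sys being reported and "cured" again in a later run, which is the signal that the infection is still active. Below is an added Python example (not code from the thread or from TDSSKiller's authors) that reads those action lines, constructed inline from the logs pasted in this thread and grouped under assumed log file names, and gives each object a triage verdict.

```python
import re
from collections import OrderedDict

# Constructed sample: the TDSSKiller lines quoted in this thread, grouped by
# the log they came from. The log names are assumptions; lines are verbatim.
LOGS = OrderedDict([
    ("TDSSKiller_run1.txt", r"""
12:17:22.0109 0212 \Device\Harddisk0\DR0 ( TDSS File System ) - skipped by user
12:17:22.0109 0212 \Device\Harddisk0\DR0 ( TDSS File System ) - User select action: Skip 
"""),
    ("TDSSKiller_run2.txt", r"""
20:06:56.0718 3300 C:\WINDOWS\system32\DRIVERS\i8042prt.sys - copied to quarantine
20:06:56.0937 3300 Backup copy found, using it..
20:06:56.0937 3300 C:\WINDOWS\system32\DRIVERS\i8042prt.sys - will be cured on reboot
20:07:01.0750 3300 i8042prt ( Virus.Win32.ZAccess.c ) - User select action: Cure 
"""),
    ("TDSSKiller_run3.txt", r"""
20:16:14.0468 3248 C:\WINDOWS\system32\DRIVERS\cdrom.sys - copied to quarantine
20:16:14.0718 3248 C:\WINDOWS\system32\DRIVERS\cdrom.sys - will be cured on reboot
20:16:19.0671 3248 Cdrom ( Virus.Win32.ZAccess.c ) - User select action: Cure
20:17:56.0890 0460 Deinitialize success
"""),
    ("TDSSKiller_run4.txt", r"""
21:53:58.0625 0532 C:\WINDOWS\system32\DRIVERS\i8042prt.sys - copied to quarantine
21:54:04.0562 0532 i8042prt ( Virus.Win32.ZAccess.c ) - User select action: Cure
"""),
])

# Action lines have the shape:
#   <time> <thread> <object> ( <detection> ) - User select action: <action>
ACTION = re.compile(
    r"^(?P<time>\d\d:\d\d:\d\d\.\d+)\s+\d+\s+(?P<obj>.+?) \( (?P<det>.+?) \)"
    r" - User select action: (?P<act>\w+)\s*$"
)


def parse_actions(logs):
    """Collect every action line per object.

    Returns {object: {"detection": name, "actions": [(log name, action), ...]}}.
    Informational lines (copied to quarantine, skipped by user, ...) are ignored;
    only the line that records the chosen action counts."""
    objects = OrderedDict()
    for name, text in logs.items():
        for line in text.splitlines():
            m = ACTION.match(line)
            if not m:
                continue
            entry = objects.setdefault(m["obj"], {"detection": m["det"], "actions": []})
            entry["actions"].append((name, m["act"]))
    return objects


def verdict(entry):
    """Triage rule for one object, from the actions recorded across runs."""
    actions = [act for _, act in entry["actions"]]
    runs_with_cure = {log for log, act in entry["actions"] if act == "Cure"}
    if "Skip" in actions:
        return "SKIPPED: nothing was removed; rerun and choose Delete"
    if len(runs_with_cure) > 1:
        return f"RE-DETECTED in {len(runs_with_cure)} runs: the cure did not hold, infection still active"
    if runs_with_cure:
        return "cured once: confirm it stays clean on the next run"
    return "no action recorded"


def triage(logs):
    """Map every detected object to its verdict."""
    return {obj: verdict(entry) for obj, entry in parse_actions(logs).items()}


if __name__ == "__main__":
    for obj, entry in parse_actions(LOGS).items():
        print(f"{obj} [{entry['detection']}]: {verdict(entry)}")
```

The re-detection rule is what matters for a case like this one: a driver that is "cured" in one run and shows up as infected again in the next is being re-infected by something the scanner is not removing, so the verdict points back at the rootkit rather than at the driver file.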
     
  25. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Try making the CD using the Windows Professional SP2 & SP3 selection as requested and see if you can get to the Command Prompt with it. If it does not seem to work on your PC, try it on another PC. You are just trying to make sure you can get it to boot properly. You will not be making any changes to the PC you test it on other than perhaps the BIOS boot order to get the CD drive to boot first.
     
  26. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    It may potentially be part of the problem, but I don't think so. This driver is needed under normal operation for sure, but when booting from the ARC CD or any regular Windows XP boot CD, everything you need should be self-contained on the CD; otherwise it defeats the purpose of making/using the CD to begin with.
     
  27. leeleebb1

    leeleebb1 Private E-2

    Not able to test the boot CD. Still getting the same error on a blue screen during Windows setup. Tried creating the CD selecting Windows Professional on both computers. Now I'm getting new messages on both PCs from Kaspersky about a PDM keylogger. Hope I didn't infect my desktop computer with anything from this laptop (the infected computer).
     
  28. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Are you saying it does not run / does not work in any PC you try to boot it with? What about a friend's PC?

    Can you get a friend to make the CD for you and test to see if it is bootable before you try to use it? You need to get your PC to be able to boot from a CD into the Recovery Console, this may be your only hope to fix your PC. If you cannot even boot any CD, you will not even be able to reinstall if that becomes necessary.

    Doubt it would be from a boot CD made with ARC CD.


    Have you made the G-Parted CD yet? If not, try making it and see if you can boot your CD with it. Don't fix anything, just see if it boots up properly into G-Parted.
     
  29. leeleebb1

    leeleebb1 Private E-2

    Get a friend to make the CD for you and test to see if it is bootable.
    When the "Welcome to Setup" screen appears, press R to start the Recovery Console.
    When prompted to choose a windows installation, type 1 and press enter.
    When you are prompted, type the Administrator password. If the administrator password is blank, just press ENTER.
    Now a command prompt will open and you should see the below:
    C:\WINDOWS>

    For now just type exit and press enter which will reboot your PC. Remove the CD
    Windows XP boot CD is done and bootable on my infected laptop :).

    Have you made the G-Parted CD yet? If not, try making it and see if you can boot your CD with it. Don't fix anything, just see if it boots up properly into G-Parted.
    Created the G-Parted CD. Got to the config screen and selected Cancel to exit without fixing anything, but the program just kept running, so I had to unplug to reboot and take the CD out. Hope that's OK. Ready for the next step; thanks again for your patience.
     
  30. leeleebb1

    leeleebb1 Private E-2

    Found this in my auto scan of SUPERAntiSpyware today:

    Trojan.Agent/Gen-InstallIQ
    C:\PROGRAM FILES\7ZIP.EXE

    Trojan.Agent/Gen-FakeLoad
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{B9B4058C-9F45-4958-80C5-BB788AD67334}\RP507\A0181331.EXE

    Trojan.Agent/Gen-Sirefef
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{B9B4058C-9F45-4958-80C5-BB788AD67334}\RP510\A0184957.DLL
     
  31. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Now boot off of the newly created GParted CD.
    http://img717.imageshack.us/img717/6546/gpartedsplash01107.th.png
    You should be here...
    Press ENTER
    http://img819.imageshack.us/img819/7286/gpartedkeymaps.th.png
    By default, do not touch keymap is highlighted. Leave this setting alone and just press ENTER.
    http://img404.imageshack.us/img404/9840/gpartedlanguage.th.png
    Choose your language and press ENTER. English is default [33]
    http://img140.imageshack.us/img140/7958/gpartedgui.th.png
    Once again, at this prompt, press ENTER
    You will now be taken to the main GUI screen below
    http://img32.imageshack.us/img32/1122/gpartedo.th.png
    According to your logs, the two partitions that you want to delete are 2.50 GiB (2.50 GB) and also 3.21 GiB ( 3.21 GB ).
    Click the trash can icon to delete each and then click Apply.
    You should now be here confirming your actions:
    http://img233.imageshack.us/img233/1533/gpartedsteps.th.png
    Now you should be here:
    http://img696.imageshack.us/img696/8471/gpartedsuccessclose.th.png
    Is boot next to your OS drive? According to your logs, your OS drive is the 143.26 GB sized partition.
    http://img194.imageshack.us/img194/7753/gpartedboot.th.png
    If boot is not next to your OS drive under Flags, right-mouse click the OS drive while in Gparted and select Manage Flags

    In the menu that pops up, place a checkmark in boot like the picture below:
    http://img196.imageshack.us/img196/3483/gpartedmanageflagsboot.th.png
    Now press the Close button to save these changes.
    Now double-click the http://img822.imageshack.us/img822/641/gpartedexit.png button.
    You should receive a small pop up like this:
    http://img88.imageshack.us/img88/8986/gpartedexitreboot.png
    Choose reboot and then press OK.



    Now reboot from the Windows XP boot CD ( ARC DC ) into the Recovery Console and execute the following commands pressing ENTER after each:
    • fixmbr
    • fixboot
    • exit
    Once back in Windows...
    Re-run another scan with MBRCheck and attach its latest log. (How to attach)

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).


    Then attach the below logs:
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
  32. leeleebb1

    leeleebb1 Private E-2

    Now reboot from the Windows XP boot CD ( ARC DC ) into the Recovery Console and execute the following commands pressing ENTER after each:

    • fixmbr
    • fixboot
    • exit

    After exit, should I take out the Windows XP boot CD at this point and restart?


    Once back in Windows
    May be a dumb question, but not sure which Windows: boot Windows or regular Windows?
     
  33. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes take out the CD and just boot back up into regular Windows!
     
  34. leeleebb1

    leeleebb1 Private E-2

    Chas

    I'm attaching a modified picture of what the GParted screen on my PC says.

    As you can see, the partitions have labels. The 3.21 GiB one is labeled "Dell Restore" and there are two 2.50 GiB ones; one has a blank label and the other says "Media Direct".

    So you want me to delete the Dell Restore and which one of the 2.50 GiB's?

    I'm sending you this message from my other PC I left the laptop open with this screen showing waiting for your reply.

    Thanks
     

    Attached Files:

  35. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay, then it may be that these partitions are not problems in your case. Even though one showed up as an unknown type when booting into Windows normally, it seems they are just special partitions added by Dell. This is the first time I have seen Dell add these to the end of the list rather than at the beginning. The Media Direct partition seems to be theirs too. See >> http://en.wikipedia.org/wiki/Dell_MediaDirect

    So the question now is are you having any remaining malware problems?
     
  36. leeleebb1

    leeleebb1 Private E-2

    The redirect has stopped. See the Kaspersky screen, which shows up daily.

    My questions are:

    1. Are these threats I need to worry about?

    2. Are there any final logs I should run for you to check out, to make sure there are no hidden problems with the ZeroAccess threat?

    and
    3. Of all the different aid programs I have downloaded over the past month, should I be deleting/uninstalling them? I.e. ComboFix, TDSSKiller, OTL, GParted, etc.

    Your help has been so greatly appreciated.
     

    Attached Files:

  37. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    It appears that you have infections in your other user accounts. Please reboot your PC ( make sure you reboot!!!! DO NOT just switch users. ) and login to the other user accounts. Then run each of the below and attach the new logs:
    • SUPERAntiSpyware
    • Malwarebytes
    • MGtools
    Do this for each other admin account shown below and label the logs with a preceding user account name.
    Code:
    Is Admin? | Username
    ------------------
       Yes    | A. Barrett
       Yes    | admin2
       Yes    | Administrator
     
  38. leeleebb1

    leeleebb1 Private E-2

    Here are the logs.
     

    Attached Files:

  39. leeleebb1

    leeleebb1 Private E-2

    Here is MGtools.

    Note: under User Accounts there is no profile for Administrator, only admin2. I see it in the C:\ directory but there are no files in it,
     

    Attached Files:

  40. leeleebb1

    leeleebb1 Private E-2

    and don't know how to access it.
     
  41. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    The Administrator account is normally only accessible from safe boot mode unless you force it to be accessible in normal mode by modifying the registry.

    If you don't have any folders for the admin2 account, then perhaps you don't even need it for anything, and if that is the case then you should delete it. PCs really should only have one user account with administrator privileges anyway, for security reasons.

    These last logs look clean. Are you still seeing things being reported by Kaspersky? If yes, please run the below:

    Using ESET's Online Scanner
     
  42. leeleebb1

    leeleebb1 Private E-2

    Will correct administrator profiles

    3/20/2012 12:37:10 AM Detected: Packed.Win32.Krap.ao Kaspersky Internet Security C:\DOCUMENTS AND SETTINGS\BRANDON\LOCAL SETTINGS\TEMP\0.7225416715750715.EXE
    3/20/2012 12:37:10 AM Detected: Trojan.Win32.FakeAV.kloa Kaspersky Internet Security C:\DOCUMENTS AND SETTINGS\A. BARRETT\LOCAL SETTINGS\APPLICATION DATA\QKM.EXE
    3/20/2012 12:37:11 AM Detected: Trojan-Spy.Win32.Zbot.dlyo Kaspersky Internet Security C:\WINDOWS\system32\l0F418g0n.com
    3/20/2012 12:37:12 AM Detected: HEUR:Trojan.Script.Generic Kaspersky Internet Security C:\DOCUMENTS AND SETTINGS\A. BARRETT\LOCAL SETTINGS\Temporary Internet Files\Content.IE5\JMPEH0M7\greatpethealth_com[1].txt
    3/20/2012 12:37:13 AM Detected: HEUR:Trojan.Win32.Generic Kaspersky Internet Security C:\TDSSKiller_Quarantine\29.02.2012_20.05.35\tdlfs0000\tsk0006.dta
    3/20/2012 2:54:23 AM Detected: Packed.Win32.Krap.ao Kaspersky Internet Security C:\DOCUMENTS AND SETTINGS\BRANDON\LOCAL SETTINGS\TEMP\0.7225416715750715.EXE
    3/20/2012 2:54:24 AM Detected: Trojan.Win32.FakeAV.kloa Kaspersky Internet Security C:\DOCUMENTS AND SETTINGS\A. BARRETT\LOCAL SETTINGS\APPLICATION DATA\QKM.EXE
    3/20/2012 2:54:24 AM Detected: Trojan-Spy.Win32.Zbot.dlyo Kaspersky Internet Security C:\WINDOWS\system32\l0F418g0n.com
    3/20/2012 2:54:29 AM Detected: HEUR:Trojan.Script.Generic Kaspersky Internet Security C:\DOCUMENTS AND SETTINGS\A. BARRETT\LOCAL SETTINGS\Temporary Internet Files\Content.IE5\JMPEH0M7\greatpethealth_com[1].txt
    3/20/2012 2:54:31 AM Detected: HEUR:Trojan.Win32.Generic Kaspersky Internet Security C:\TDSSKiller_Quarantine\29.02.2012_20.05.35\tdlfs0000\tsk0006.dta
    3/20/2012 3:28:19 AM Protection is not running Kaspersky Internet Security
    3/20/2012 5:46:47 AM Detected: Packed.Win32.Krap.ao Kaspersky Internet Security C:\DOCUMENTS AND SETTINGS\BRANDON\LOCAL SETTINGS\TEMP\0.7225416715750715.EXE
    3/20/2012 5:46:48 AM Detected: Trojan.Win32.FakeAV.kloa Kaspersky Internet Security C:\DOCUMENTS AND SETTINGS\A. BARRETT\LOCAL SETTINGS\APPLICATION DATA\QKM.EXE
    3/20/2012 5:46:49 AM Detected: Trojan-Spy.Win32.Zbot.dlyo Kaspersky Internet Security C:\WINDOWS\system32\l0F418g0n.com
    3/20/2012 5:46:50 AM Detected: HEUR:Trojan.Script.Generic Kaspersky Internet Security C:\DOCUMENTS AND SETTINGS\A. BARRETT\LOCAL SETTINGS\Temporary Internet Files\Content.IE5\JMPEH0M7\greatpethealth_com[1].txt
    3/20/2012 5:46:52 AM Detected: HEUR:Trojan.Win32.Generic Kaspersky Internet Security C:\TDSSKiller_Quarantine\29.02.2012_20.05.35\tdlfs0000\tsk0006.dta
    3/20/2012 6:00:44 AM Protection is not running Kaspersky Internet Security
    3/20/2012 9:29:53 AM Detected: Packed.Win32.Krap.ao Kaspersky Internet Security C:\DOCUMENTS AND SETTINGS\BRANDON\LOCAL SETTINGS\TEMP\0.7225416715750715.EXE
    3/20/2012 9:29:53 AM Detected: Trojan.Win32.FakeAV.kloa Kaspersky Internet Security C:\DOCUMENTS AND SETTINGS\A. BARRETT\LOCAL SETTINGS\APPLICATION DATA\QKM.EXE
    3/20/2012 9:29:54 AM Detected: Trojan-Spy.Win32.Zbot.dlyo Kaspersky Internet Security C:\WINDOWS\system32\l0F418g0n.com
    3/20/2012 9:29:54 AM Detected: HEUR:Trojan.Script.Generic Kaspersky Internet Security C:\DOCUMENTS AND SETTINGS\A. BARRETT\LOCAL SETTINGS\Temporary Internet Files\Content.IE5\JMPEH0M7\greatpethealth_com[1].txt
    3/20/2012 9:29:55 AM Detected: HEUR:Trojan.Win32.Generic Kaspersky Internet Security C:\TDSSKiller_Quarantine\29.02.2012_20.05.35\tdlfs0000\tsk0006.dta
    3/20/2012 10:55:08 AM Some components are disabled Kaspersky Internet Security
    3/20/2012 10:55:08 AM Protection is disabled Kaspersky Internet Security
    3/20/2012 11:51:13 AM Protection is not running Kaspersky Internet Security
    3/20/2012 11:51:58 AM Detected: Packed.Win32.Krap.ao Kaspersky Internet Security C:\DOCUMENTS AND SETTINGS\BRANDON\LOCAL SETTINGS\TEMP\0.7225416715750715.EXE
    3/20/2012 11:51:58 AM Detected: Trojan.Win32.FakeAV.kloa Kaspersky Internet Security C:\DOCUMENTS AND SETTINGS\A. BARRETT\LOCAL SETTINGS\APPLICATION DATA\QKM.EXE
    3/20/2012 11:51:58 AM Detected: Trojan-Spy.Win32.Zbot.dlyo Kaspersky Internet Security C:\WINDOWS\system32\l0F418g0n.com
    3/20/2012 11:51:59 AM Detected: HEUR:Trojan.Script.Generic Kaspersky Internet Security C:\DOCUMENTS AND SETTINGS\A. BARRETT\LOCAL SETTINGS\Temporary Internet Files\Content.IE5\JMPEH0M7\greatpethealth_com[1].txt
    3/20/2012 11:51:59 AM Detected: HEUR:Trojan.Win32.Generic Kaspersky Internet Security C:\TDSSKiller_Quarantine\29.02.2012_20.05.35\tdlfs0000\tsk0006.dta
    3/20/2012 4:00:02 PM Detected: Packed.Win32.Krap.ao Kaspersky Internet Security C:\DOCUMENTS AND SETTINGS\BRANDON\LOCAL SETTINGS\TEMP\0.7225416715750715.EXE
    3/20/2012 4:00:02 PM Detected: Trojan.Win32.FakeAV.kloa Kaspersky Internet Security C:\DOCUMENTS AND SETTINGS\A. BARRETT\LOCAL SETTINGS\APPLICATION DATA\QKM.EXE
    3/20/2012 4:00:02 PM Detected: Trojan-Spy.Win32.Zbot.dlyo Kaspersky Internet Security C:\WINDOWS\system32\l0F418g0n.com
    3/20/2012 4:00:02 PM Detected: HEUR:Trojan.Script.Generic Kaspersky Internet Security C:\DOCUMENTS AND SETTINGS\A. BARRETT\LOCAL SETTINGS\Temporary Internet Files\Content.IE5\JMPEH0M7\greatpethealth_com[1].txt
    3/20/2012 4:00:02 PM Detected: HEUR:Trojan.Win32.Generic Kaspersky Internet Security C:\TDSSKiller_Quarantine\29.02.2012_20.05.35\tdlfs0000\tsk0006.dta
    3/20/2012 6:20:20 PM Detected: Packed.Win32.Krap.ao Kaspersky Internet Security C:\DOCUMENTS AND SETTINGS\BRANDON\LOCAL SETTINGS\TEMP\0.7225416715750715.EXE
    3/20/2012 6:20:20 PM Detected: Trojan.Win32.FakeAV.kloa Kaspersky Internet Security C:\DOCUMENTS AND SETTINGS\A. BARRETT\LOCAL SETTINGS\APPLICATION DATA\QKM.EXE
    3/20/2012 6:20:20 PM Detected: Trojan-Spy.Win32.Zbot.dlyo Kaspersky Internet Security C:\WINDOWS\system32\l0F418g0n.com
    3/20/2012 6:20:20 PM Detected: HEUR:Trojan.Script.Generic Kaspersky Internet Security C:\DOCUMENTS AND SETTINGS\A. BARRETT\LOCAL SETTINGS\Temporary Internet Files\Content.IE5\JMPEH0M7\greatpethealth_com[1].txt
    3/20/2012 6:20:21 PM Detected: HEUR:Trojan.Win32.Generic Kaspersky Internet Security C:\TDSSKiller_Quarantine\29.02.2012_20.05.35\tdlfs0000\tsk0006.dta
    3/20/2012 9:30:02 PM Detected: Packed.Win32.Krap.ao Kaspersky Internet Security C:\DOCUMENTS AND SETTINGS\BRANDON\LOCAL SETTINGS\TEMP\0.7225416715750715.EXE
    3/20/2012 9:30:02 PM Detected: Trojan.Win32.FakeAV.kloa Kaspersky Internet Security C:\DOCUMENTS AND SETTINGS\A. BARRETT\LOCAL SETTINGS\APPLICATION DATA\QKM.EXE
    3/20/2012 9:30:02 PM Detected: Trojan-Spy.Win32.Zbot.dlyo Kaspersky Internet Security C:\WINDOWS\system32\l0F418g0n.com
    3/20/2012 9:30:02 PM Detected: HEUR:Trojan.Script.Generic Kaspersky Internet Security C:\DOCUMENTS AND SETTINGS\A. BARRETT\LOCAL SETTINGS\Temporary Internet Files\Content.IE5\JMPEH0M7\greatpethealth_com[1].txt
    3/20/2012 9:30:03 PM Detected: HEUR:Trojan.Win32.Generic Kaspersky Internet Security C:\TDSSKiller_Quarantine\29.02.2012_20.05.35\tdlfs0000\tsk0006.dta
    3/20/2012 9:33:56 PM Protection is not running Kaspersky Internet Security
    3/20/2012 11:32:04 PM Detected: Packed.Win32.Krap.ao Kaspersky Internet Security C:\DOCUMENTS AND SETTINGS\BRANDON\LOCAL SETTINGS\TEMP\0.7225416715750715.EXE
    3/20/2012 11:32:04 PM Detected: Trojan.Win32.FakeAV.kloa Kaspersky Internet Security C:\DOCUMENTS AND SETTINGS\A. BARRETT\LOCAL SETTINGS\APPLICATION DATA\QKM.EXE
    3/20/2012 11:32:04 PM Detected: Trojan-Spy.Win32.Zbot.dlyo Kaspersky Internet Security C:\WINDOWS\system32\l0F418g0n.com
    3/20/2012 11:32:04 PM Detected: HEUR:Trojan.Script.Generic Kaspersky Internet Security C:\DOCUMENTS AND SETTINGS\A. BARRETT\LOCAL SETTINGS\Temporary Internet Files\Content.IE5\JMPEH0M7\greatpethealth_com[1].txt
    3/20/2012 11:32:05 PM Detected: HEUR:Trojan.Win32.Generic Kaspersky Internet Security C:\TDSSKiller_Quarantine\29.02.2012_20.05.35\tdlfs0000\tsk0006.dta
     

    Attached Files:

  43. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You may have some form of a PE file infector ( that is an infection that gets into all executable type files ). If this proves to be true, a reinstall will be the only real fix. But let's try a few things before going that route.

    Let's first remove all of our quarantined files and tools to avoid having them picked up in scans.

    1. Uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /uninstall
        • Note: the space between combofix" and /uninstall must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
    2. Go to the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders
      related to MGtools and some other items from our cleaning procedures.
    3. Now we will disable system restore to remove infected restore points:
      • Refer to the cleaning procedures pointed to by step 7 of the READ ME
        for your Windows version and see the instructions to Disable System Restore which will flush your Restore Points.
      • Then reboot
      • After reboot do not reenable System Restore yet.
    Now download The Avenger by Swandog46, and save it to your Desktop.


    See the download links under this icon http://www.majorgeeks.com/images/dll.gif
    • Extract avenger.exe from the Zip file and save it to your desktop
    • Run avenger.exe by double-clicking on it.
    • Do not change any check box options!!
    • Copy everything in the Quote box below, and paste it into the Input script here: part of the window:
    • Now click the Execute button.
    • Click Yes to the prompt to confirm you want to execute.
    • Click Yes to the Reboot now? question that will appear when Avenger finishes running.
    • Your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt and it will pop up for you to view when you login after reboot.
    Also delete all files in the below folders except ones from the current date (Windows will not let you delete the files from the current day).
    C:\WINDOWS\TEMP
    C:\Documents and Settings\A. Barrett\Local Settings\Temp

    Now rerun scans with ESET Online and also run a full scan with Kaspersky. Fix anything they find and attach logs from them.
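The report posted above shows the same five files being flagged every few hours, which is exactly what clearing out quarantine folders and tools before rescanning is meant to stop. As an added example (not code from this thread or from any of the tools named in it), the Python below parses that Kaspersky report format, counts hits per path, and separates files sitting in tool or quarantine folders from files in live locations; the sample lines are constructed to match the posted format, and the folder list is an assumption built from the folders named in this thread.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample, modelled on the Kaspersky Internet Security report
# lines posted earlier in this thread (same timestamp and path layout).
SAMPLE_LOG = r"""
3/20/2012 2:54:24 AM Detected: Trojan-Spy.Win32.Zbot.dlyo Kaspersky Internet Security C:\WINDOWS\system32\l0F418g0n.com
3/20/2012 2:54:31 AM Detected: HEUR:Trojan.Win32.Generic Kaspersky Internet Security C:\TDSSKiller_Quarantine\29.02.2012_20.05.35\tdlfs0000\tsk0006.dta
3/20/2012 3:28:19 AM Protection is not running Kaspersky Internet Security
3/20/2012 5:46:49 AM Detected: Trojan-Spy.Win32.Zbot.dlyo Kaspersky Internet Security C:\WINDOWS\system32\l0F418g0n.com
3/20/2012 5:46:52 AM Detected: HEUR:Trojan.Win32.Generic Kaspersky Internet Security C:\TDSSKiller_Quarantine\29.02.2012_20.05.35\tdlfs0000\tsk0006.dta
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M) "
    r"(?:Detected: (?P<name>\S+) Kaspersky Internet Security (?P<path>.+)"
    r"|(?P<status>.+?) Kaspersky Internet Security)$")

# Assumed list: folders holding already-neutralised files or removal tools
# (all named in this thread). Repeat hits there are leftovers, not live malware.
TOOL_PREFIXES = ("c:\\tdsskiller_quarantine\\", "c:\\mgtools\\", "c:\\avenger\\")

def parse_log(text):
    """One dict per recognised line: detections carry name/path, others a status."""
    events = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # blank or unrecognised line
        ev = {"time": datetime.strptime(m["ts"], "%m/%d/%Y %I:%M:%S %p")}
        if m["path"]:
            ev.update(name=m["name"], path=m["path"])
        else:
            ev["status"] = m["status"]
        events.append(ev)
    return events

def classify(path):
    """'leftover' for a hit inside a tool or quarantine folder, else 'live'."""
    return "leftover" if path.lower().startswith(TOOL_PREFIXES) else "live"

def summarize(events):
    """Per path: detection name, hit count, hours from first to last hit, location."""
    by_path = defaultdict(list)
    for ev in events:
        if "path" in ev:
            by_path[ev["path"]].append(ev)
    return {p: {"name": evs[0]["name"], "count": len(evs), "location": classify(p),
                "span_hours": (evs[-1]["time"] - evs[0]["time"]).total_seconds() / 3600}
            for p, evs in by_path.items()}
```

A path that keeps coming back as "live" across several scans is the one worth asking the helper about; "leftover" hits disappear once the quarantine folders and tools are removed.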
     
  44. leeleebb1

    leeleebb1 Private E-2

    I think we are making progress. I want to run new scans tomorrow and will post.
    Thanks so much.
     
  45. leeleebb1

    leeleebb1 Private E-2

    Chas
    Ran full Kaspersky scan today nothing to report.

    I cleared out all the quarantine except one, the 3/20/2012 2:54:24 AM Detected: Trojan-Spy.Win32.Zbot.dlyo Kaspersky Internet Security C:\WINDOWS\system32\l0F418g0n.com

    I was nervous because it is a Windows system32 file.

    I'm attaching the other scans. I am getting a new error message in Internet Explorer: Script error 53. It's coming up on all users, doesn't matter what site.

    OMG OMG OMG could we possibly be done? What do you think?
     

    Attached Files:

  46. leeleebb1

    leeleebb1 Private E-2

    I am getting a new error message in Internet Explorer: Script error 53. It's coming up on all users, doesn't matter what site.

    I found this off of Wiki-Errors called (Error 53) Repair Tool. Is it safe to use it to fix this script problem?
     
  47. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    It is not a system file. Remove this from the quarantine too. It was part of your infection.

    Now delete the C:\Avenger folder
    Also delete the avenger.exe and zip file from your Desktop.

    See if anything in the below helps:

    http://support.microsoft.com/kb/308260

    If not, then try uninstalling things like Google Toolbar if still installed. Also try running Internet Explorer with no Add-ons. You can do this by right clicking on the IE icon and selecting Start without Add-ons.



    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources ( except a little disk space ) until you run a scan.
    2. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    3. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    4. If running Vista or Win 7, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    5. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures pointed to by step 7 of the READ ME
        for your Windows version and see the instructions to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    6. After doing the above, you should work thru the below link:
     
  48. leeleebb1

    leeleebb1 Private E-2

    I completed everything. I have learned a lot; you're a great teacher!! I've passed on your paper on how to prevent malware to friends and family. If I have any more problems I hope I get you. Thank you so much for all your help. You have the patience of a saint. This is my college age son's laptop which I was determined to clean out because he was using my desktop. Now I can kick him off mine. :-D
     
  49. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome. Surf safely!
     
