Virus or Trojan Removal

Discussion in 'Malware Help (A Specialist Will Reply)' started by turtles, Jul 29, 2012.

  1. turtles

    turtles Private E-2

    Hello,

    A few days ago I was infected with Security Shield. I also had my programs and icons hidden and browser hijacking.
    My virus scan seemed to remove Security Shield and unhide.exe recovered my programs. Since then I had a few more virus attacks. Some were stopped by Avira and some infected the system. The latest removed my desktop icons and popped up a fake FBI warning demanding that I pay a fine to unlock my system. This also disabled my task manager.
    Currently task manager is functioning but my icons are still missing and my browser is still being hijacked. Also, every Malware scan seems to turn up new infections.

    I followed the instructions for posting but ran into trouble with disabling UAC. When I got to step 3 there was no "user account" option.

    Attached are my log files.

    Thanks!
     

  2. thisisu

    thisisu Malware Consultant

    Welcome to MajorGeeks, turtles :)

    Open RogueKiller again.

    Double-click RogueKiller.exe to run. (Vista/7 right-click and select Run as Administrator)
    When it opens, press the Scan button
    When the scan is finished, press the Delete button.
    When deleting is finished, press the Fix Shortcuts button.
    Be patient as this should restore your missing shortcuts.
    Once both tasks are finished, attach the two latest RogueKiller logs on your desktop. (How to attach)

    __

    Please download and scan with TDSSKiller
    • Do not use the Change Parameters button
    • When the scan is finished, a log will be created in the root of your C: drive
    • Example: C:\TDSSKiller.2.7.47.0_25.07.2012_15.06.22_log.txt
    • Attach this to your next message. (How to attach)
     
  3. turtles

    turtles Private E-2

    Hi,

    My shortcuts are back and my 2 latest logs from RogueKiller are attached. I was able to download TDSSKiller but it will not run; basically nothing happens when I try to launch it (I downloaded it a second time with the same results).

    Thanks
     

  4. thisisu

    thisisu Malware Consultant

    Please download Farbar Recovery Scan Tool and save it to a flash drive.

    Plug the flashdrive into the infected PC.

    Enter System Recovery Options.

    To enter System Recovery Options from the Advanced Boot Options:
    • Restart the computer.
    • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
    • Use the arrow keys to select the Repair your computer menu item.
    • Choose your language settings, and then click Next.
    • Select the operating system you want to repair, and then click Next.
    • Select your user account and click Next.

    To enter System Recovery Options by using Windows installation disc:

    • Insert the installation disc.
    • Restart your computer.
    • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
    • Click Repair your computer.
    • Choose your language settings, and then click Next.
    • Select the operating system you want to repair, and then click Next.
    • Select your user account and click Next.
    On the System Recovery Options menu you will get the following options:
    • Select Command Prompt
    • In the command window type in notepad and press Enter.
    • The notepad opens. Under File menu select Open.
    • Select "Computer" and find your flash drive letter and close the notepad.
    • In the command window type e:\frst.exe (for x64 bit version type e:\frst64) and press Enter
    • Note: Replace letter e with the drive letter of your flash drive.
    • The tool will start to run.
    • When the tool opens click Yes to disclaimer.
    • Press Scan button.
    • It will make a log (FRST.txt) on the flash drive. Please attach this log to your next reply. (How to attach)
     
  5. turtles

    turtles Private E-2

    Thanks for the reply.

    Under the F8 options, I don't have an option to "repair your computer" and I can't seem to find my installation disk.

    Thanks
     
  6. thisisu

    thisisu Malware Consultant

    My apologies, I did not realize you were on Windows XP.

    Hang tight while I prepare some alternative fixes for you :)
     
  7. thisisu

    thisisu Malware Consultant

  8. turtles

    turtles Private E-2

    Hello,

    I downloaded and tried to run fixTDSS but, similar to TDSSkiller, it will not launch.
     
  9. thisisu

    thisisu Malware Consultant

    Hi, can you rescan with HitmanPro and let me know what repair options you get for the following detections:

    • Master Boot Record (sector 0)
    • C:$VBR_312576705


    __

    Also let me know if you have CD/DVD burner and a blank CD-R.
     
  10. turtles

    turtles Private E-2

    Hello,

    I get the repair option "replace" for both.

    I do have a burner and should have a blank cd-r somewhere around here.

    Thanks!
     
  11. thisisu

    thisisu Malware Consultant

    Ok, let's give HitmanPro a chance to try to "Replace" both of those detections.
    It may take a couple of tries to do so, so you may need to scan and "Replace" again.
    Either way, attach a log from HitmanPro of its latest scan and then try to run TDSSKiller.
     
  12. turtles

    turtles Private E-2

    Hi,

    HitmanPro also found 4 Trojans and 2 Malwares that it wants to "Delete"

    Should I take any action on these as well?
     
  13. thisisu

    thisisu Malware Consultant

    You can let it delete the below items:

    • C:\Documents and Settings\Administrator\Local Settings\Application Data\{0a6deeee-2d61-4d3d-b10c-ccb2db185bcf}\@ (ZeroAccess)
    • C:\Documents and Settings\Administrator\Local Settings\Application Data\{0a6deeee-2d61-4d3d-b10c-ccb2db185bcf}\L\ (ZeroAccess)
    • C:\Documents and Settings\Administrator\Local Settings\Application Data\{0a6deeee-2d61-4d3d-b10c-ccb2db185bcf}\U\ (ZeroAccess)
    • C:\windows\Installer\{0a6deeee-2d61-4d3d-b10c-ccb2db185bcf}\@ (ZeroAccess)
    • C:\WINDOWS\Installer\{0a6deeee-2d61-4d3d-b10c-ccb2db185bcf}\L\ (ZeroAccess)
    • C:\WINDOWS\Installer\{0a6deeee-2d61-4d3d-b10c-ccb2db185bcf}\U\ (ZeroAccess)
    • C:\Documents and Settings\Administrator\Local Settings\Temp\mzyitcylscgyexywtgtocu.exe

    Just make sure you select to Replace these two as they are most important:
    • Master Boot Record (sector 0)
    • C:$VBR_312576705

    Ignore any other findings for the time being.
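An added detection example (not the consultant's tool and not part of this thread): given a directory listing, it flags the ZeroAccess layout shown above, a GUID-named folder under a profile's Local Settings\Application Data or under WINDOWS\Installer that holds a file "@" plus folders "L" and "U", and also flags an svchost.exe sitting outside system32. The listing below is constructed from the paths quoted in the thread; the function and rule names are my own.

```python
import re
from dataclasses import dataclass

# ZeroAccess marker: <parent>\{GUID}\@ together with <parent>\{GUID}\L and \U,
# where <parent> is "...\Local Settings\Application Data" or "...\Installer".
GUID_DIR = re.compile(
    r"^(?P<parent>.+\\(?:Local Settings\\Application Data|Installer))\\"
    r"(?P<guid>\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\})\\(?P<tail>[^\\]+)$",
    re.IGNORECASE,
)

# Constructed listing modelled on the paths reported in this thread
# (a benign Installer entry is included so it is not flagged).
SAMPLE_LISTING = [
    r"C:\Documents and Settings\Administrator\Local Settings\Application Data\{0a6deeee-2d61-4d3d-b10c-ccb2db185bcf}\@",
    r"C:\Documents and Settings\Administrator\Local Settings\Application Data\{0a6deeee-2d61-4d3d-b10c-ccb2db185bcf}\L",
    r"C:\Documents and Settings\Administrator\Local Settings\Application Data\{0a6deeee-2d61-4d3d-b10c-ccb2db185bcf}\U",
    r"C:\windows\Installer\{0a6deeee-2d61-4d3d-b10c-ccb2db185bcf}\@",
    r"C:\WINDOWS\Installer\{0a6deeee-2d61-4d3d-b10c-ccb2db185bcf}\L",
    r"C:\WINDOWS\Installer\{0a6deeee-2d61-4d3d-b10c-ccb2db185bcf}\U",
    r"C:\windows\svchost.exe",
    r"C:\WINDOWS\system32\svchost.exe",
    r"C:\WINDOWS\Installer\{1B2C3D4E-0000-1111-2222-333344445555}\setup.msi",
]


@dataclass(frozen=True)
class Finding:
    rule: str
    path: str


def find_zeroaccess_dirs(paths):
    """Group entries by (parent, GUID) and flag groups with the @/L/U layout."""
    layout = {}  # lower-cased (parent, guid) -> {"path": display path, "children": set}
    for p in paths:
        m = GUID_DIR.match(p.rstrip("\\"))
        if not m:
            continue
        key = (m.group("parent").lower(), m.group("guid").lower())  # case-insensitive grouping
        entry = layout.setdefault(
            key, {"path": f"{m.group('parent')}\\{m.group('guid')}", "children": set()}
        )
        entry["children"].add(m.group("tail"))
    findings = []
    for _, entry in sorted(layout.items(), key=lambda kv: kv[0]):
        if {"@", "L", "U"} <= entry["children"]:  # all three markers present
            findings.append(Finding("zeroaccess-dir", entry["path"]))
    return findings


def find_misplaced_svchost(paths):
    """svchost.exe belongs in %SystemRoot%\\system32 on XP; a copy elsewhere
    (the thread's c:\\windows\\svchost.exe) is a masquerading indicator."""
    findings = []
    for p in paths:
        parent, _, name = p.rpartition("\\")
        if name.lower() == "svchost.exe" and not parent.lower().endswith("\\system32"):
            findings.append(Finding("svchost-outside-system32", p))
    return findings


def scan(paths):
    """Run both rules over a listing and return the combined findings."""
    return find_zeroaccess_dirs(paths) + find_misplaced_svchost(paths)


if __name__ == "__main__":
    for f in scan(SAMPLE_LISTING):
        print(f"{f.rule}: {f.path}")
```

Feed it a real listing (for example the output of `dir /s /b` over the profile and Installer trees) to triage the same pattern across every profile, not only Administrator.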
     
  14. turtles

    turtles Private E-2

    Hello,

    So TDSSKiller finally was able to run! I attached the logs from TDSSKiller and HitmanPro.

    Thanks
     

  15. thisisu

    thisisu Malware Consultant

    That's a good sign ;)

    Fix items using OTL by OldTimer

    Double-click OTL.exe to run. (Vista/7 right-click and select Run as Administrator)
    Shut down your protection software now (antivirus, antispyware...etc) to avoid possible conflicts.
    Copy the text in the code box below and paste it into the http://img14.imageshack.us/img14/66/otlcustomfix.png text-field.
    Code:
    :services
    PnkbstrO
    :files
    C:\Documents and Settings\Administrator\Application Data\0PXnnEUH.exe
    C:\Documents and Settings\Administrator\Local Settings\Temp\53zPevM.exe
    C:\Documents and Settings\Administrator\Application Data\qN7tevvD.exe
    C:\Documents and Settings\Administrator\Local Settings\Temp\JBdT3hV.exe
    C:\Documents and Settings\Administrator\Local Settings\Temp\vohigzkbcn.exe
    C:\Documents and Settings\Administrator\Local Settings\Application Data\{0a6deeee-2d61-4d3d-b10c-ccb2db185bcf}
    C:\windows\Installer\{0a6deeee-2d61-4d3d-b10c-ccb2db185bcf}
    C:\Documents and Settings\Administrator\Local Settings\Application Data\bb7270ia2v8c2uw
    C:\Documents and Settings\Administrator\Templates\bb7270ia2v8c2uw
    C:\WINDOWS\system32\drivers\brusu.sys
    :commands
    [emptytemp]
    [resethosts]
    
    Now click the http://img3.imageshack.us/img3/407/otlrunfix.png button.
    If the fix needed a reboot please do it.
    Click the OK button (upon reboot).
    When OTL is finished, Notepad will open. Close Notepad.
    A log file will be located at C:\_OTL\MovedFiles\mmddyyyy_hhmmss.log, where mmddyyyy_hhmmss is the date of the tool run.
    Attach this log to your next message. (How to attach)

    __

    Scan with OTL by OldTimer
    • Double-click OTL.exe to run (Vista and Win7 right click and select Run as administrator)
    • Leave all the options and configurations alone and just press the http://img683.imageshack.us/img683/4483/quickscanotl.png button.
    • When the scan is complete, Notepad will open with the results of the OTL scan.
    • Close Notepad.
    • There will be a log file on your desktop entitled OTL.txt.
    • Attach OTL.txt to your next message. (How to attach)
     
  16. turtles

    turtles Private E-2

    I can't seem to download OTL from the download site. Is there another site I could get it from?

    Thanks
     
  17. thisisu

    thisisu Malware Consultant

  18. turtles

    turtles Private E-2

    Thanks for the reply.

    I have 2 logs: the one before, where I forgot to disable the virus protection and it blocked the hosts file access, and the second after I disabled the protection and re-ran the scan :).
     

  19. turtles

    turtles Private E-2

    And here is the OTL quickscan
     

    Attached Files:

    • OTL.Txt
  20. turtles

    turtles Private E-2

    There also was a file generated named Extras.txt. I can attach it if you need it.

    Thanks!
     
  21. thisisu

    thisisu Malware Consultant

    Your OTL log looks fine. I do not need the Extras.txt.

    Let me know what malware related issues you are still experiencing, if any.
     
  22. thisisu

    thisisu Malware Consultant

    Actually I'd like to review an updated set of logs from MGtools, follow the below:

    Now run C:\MGtools\GetLogs.bat by right-mouse clicking it and then selecting Run as Administrator
    This updates all of the logs inside MGlogs.zip.
    When it is finished, attach C:\MGlogs.zip to your next message. (How to attach)
     
  23. turtles

    turtles Private E-2

    Here are the updated logs.
     

  24. turtles

    turtles Private E-2

    So far everything seems to be running smoothly. No recent hijacking and Avira has not detected anything.
     
  25. thisisu

    thisisu Malware Consultant

    From Add/Remove Programs (via Control Panel), please uninstall the below:
    • PC MightyMax 2011

    Please download Disable/Remove Windows Messenger to your desktop.
    • Double-click MessengerDisable.exe to run it.
    • Place checkmarks in "Uninstall Windows Messenger" and "Hide Messenger from Outlook Express"
    • Click Apply
    • Click Exit

    __

    If you are not having any other malware related problems, it is time to do our final steps:
    • Any programs we had you download and/or install can be removed at this time.
    • If we had you download and run ComboFix, here is how to uninstall it:
      • Press and hold the Windows key and then press the letter R on your keyboard.
      • This opens the Run dialog box.
      • Copy and paste the below text inside the text-field:
        • "%userprofile%\desktop\ComboFix" /uninstall
      • Now press ENTER
      • ComboFix will extract its files one last time and you should receive a notification that ComboFix has been uninstalled shortly after.
    • You can re-enable your Disk Emulation software at this time via DeFogger.
    • If we had you create or download a registry patch or "fix" script, these can be deleted at this time.
    • Go into the C:\MGtools folder and run the MGclean.bat file to remove additional traces of our tools.
    • Now we will toggle System Restore to remove any infected system restore points.
    • Lastly, here is a guide to protect you from future infections: How to Protect yourself from malware!
    • Be safe :)
     
  26. turtles

    turtles Private E-2

    Thank you for the reply,

    I was able to remove Windows Messenger, but I do not see PC MightyMax 2011 on my programs list under Add/Remove Programs.
     
  27. thisisu

    thisisu Malware Consultant

    Download SystemLook from one of the links below and save it to your desktop.
    Download Mirror #1
    Download Mirror #2

    • Double-click SystemLook.exe to run it.
    • Copy and Paste the content of the following code box into the main text-field:
    Code:
    :dir
    C:\Program Files\PC MightyMax 2011 /s
    
    • Click the Look button to start the scan.
    • When finished, a notepad window will open with the results of the scan and a file entitled SystemLook.txt will be created on your desktop.
    • Attach that file to your next message. (How to attach)
     
  28. turtles

    turtles Private E-2

    Hello,

    I attached the Systemlook file.

    Also an Avira warning came up for something called 'TR/Trash.Gen' found in the file C:\System Volume Information\...\A0055424.ini

    Should I move it to quarantine?

    Thanks
     

  29. thisisu

    thisisu Malware Consultant

    Ok that looks fine.

    You can quarantine Avira's findings, but it's in System Restore (old infected restore points), which we are about to clear now:

    If you are not having any other malware related problems, it is time to do our final steps:
    • Any programs we had you download and/or install can be removed at this time.
    • If we had you download and run ComboFix, here is how to uninstall it:
      • Press and hold the Windows key and then press the letter R on your keyboard.
      • This opens the Run dialog box.
      • Copy and paste the below text inside the text-field:
        • "%userprofile%\desktop\ComboFix" /uninstall
      • Now press ENTER
      • ComboFix will extract its files one last time and you should receive a notification that ComboFix has been uninstalled shortly after.
    • You can re-enable your Disk Emulation software at this time via DeFogger.
    • If we had you create or download a registry patch or "fix" script, these can be deleted at this time.
    • Go into the C:\MGtools folder and run the MGclean.bat file to remove additional traces of our tools.
    • Now we will toggle System Restore to remove any infected system restore points.
    • Lastly, here is a guide to protect you from future infections: How to Protect yourself from malware!
    • Be safe :)
     
  30. turtles

    turtles Private E-2

    Everything seems to be working great.

    Thank you for all your help!!!
     
  31. turtles

    turtles Private E-2

    Hello again, I might have spoken too soon!

    I followed the final cleanup steps listed and I haven't used the computer much since my last post, but when I turned it on yesterday I had a program that prompted me to install new drivers for program "unknown". I ignored it, but when I turned the computer on today it prompted me again. I ignored it and didn't install any drivers, but it seemed unusual, so I ran Malwarebytes just to be safe. Malwarebytes returned 9 items, and during the scan Avira detected 2 viruses or unwanted programs.

    I took no further action on the viruses and attached is my Malwarebytes log.

    Thanks again
     

  32. thisisu

    thisisu Malware Consultant

    Hi,

    Unfortunately it looks like you are infected again by something different than before.

    I would recommend letting MBAM fix the items it found.
     
  33. turtles

    turtles Private E-2

    Hi and thanks for the reply.

    I let MBAM fix the problems and that popup did not come back. However the next day I turned the system on and my toolbar at the bottom of the screen was grey (usually blue). Ran MBAM and it found a trojan which it cleared. My bar is back to blue now.

    I am currently running Avast with Sygate firewall and Malwarebytes for protection. Avast is alerting me every few minutes that it is blocking attacks (even when I am not trying to connect to the internet), but when I do a system scan with Avast and Malwarebytes they are coming up clean. When I try to connect to the internet the page will partially load and stop.

    Any advice? Should I try a different virus scan?

    Thanks!
     
  34. thisisu

    thisisu Malware Consultant

    Hi,

    Please go through this once again: Windows XP Malware Removal/Cleaning Procedure

    You can attach your logs here in this topic when you are finished. There should be 5 logs that you attach in your next post (RogueKiller, Malwarebytes Anti-Malware, TDSSKiller, HitmanPro, MGtools)
     
  35. turtles

    turtles Private E-2

    Hello,

    Attached are my logs for MBAM, Hitman, and TDSS.

    Each time I tried to run RogueKiller and MGTools I ended up with a blue screen with the message "A problem has been detected and Windows has been shut down to protect your computer".

    Thanks
     

  36. thisisu

    thisisu Malware Consultant

  37. turtles

    turtles Private E-2

    Here is the newest log.

    Thanks
     

  38. thisisu

    thisisu Malware Consultant

    Good :)

    Now re-open TDSSKiller but this time before scanning, click the Change parameters link.
    • A Settings window should open
    • From here, leave all the settings alone, except add one checkmark in the "Detect TDLFS file system" section.
    • Then press OK to leave Settings.
    • Then press the Start Scan button, and if TDSSKiller finds "TDSS File System" opt to Delete it.
    • Attach the newest log when finished.

    If successful with the above, retry scanning with both RogueKiller and MGtools.
     
  39. turtles

    turtles Private E-2

    I was able to get MGTools to run but RogueKiller still went to a blue screen. Here are the new logs.

    Thanks
     

  40. thisisu

    thisisu Malware Consultant

    From Add/Remove Programs (via Control Panel), please uninstall the below:
    • Java(TM) 6 Update 30
    • Java(TM) 7 Update 5

    Fix items using OTL by OldTimer

    Double-click OTL.exe to run. (Vista/7 right-click and select Run as Administrator)
    Shut down your protection software now (antivirus, antispyware...etc) to avoid possible conflicts.
    Copy the text in the code box below and paste it into the http://img14.imageshack.us/img14/66/otlcustomfix.png text-field.
    Code:
    :files
    C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Internet Explorer\DOMStore\DY1DRTOJ /d
    C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Internet Explorer\DOMStore\GBCLIPPF /d
    C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Internet Explorer\DOMStore\IYYFG8R3 /d
    C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Internet Explorer\DOMStore\Q00OBFRP /d
    C:\Program Files\PC MightyMax 2011 /d
    C:\Documents and Settings\NetworkService\Local Settings\Application Data\{0a6deeee-2d61-4d3d-b10c-ccb2db185bcf}
    C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Internet Explorer\DOMStore\GDDZKP81 /d
    C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Internet Explorer\DOMStore\LJWIUO5Z /d
    c:\windows\svchost.exe /d
    C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Internet Explorer\DOMStore\NOIO4CRA /d
    C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Internet Explorer\DOMStore\T043S9F9 /d
    C:\Documents and Settings\Administrator\Local Settings\Temp\*.tmp /d
    :reg
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{FA1B14B7-C40D-47FE-BBEF-28AFD368030B}]
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentVersion\Run]
    "Dell QuickSet"=-
    "PDVDDXSrv"=-
    "DiskeeperSystray"=-
    "Sprint SmartView"=-
    "RDVCHG"=-
    "ConnectionCenter"=-
    "LogitechCommunicationsManager"=-
    "APSDaemon"=-
    "iTunesHelper"=-
    "PC MightyMax 2011 Tray Icon"=-
    "Adobe Reader Speed Launcher"=-
    "Adobe ARM"=-
    [HKEY_USERS\S-1-5-21-854245398-2049760794-1417001333-500\Software\Microsoft\Windows\CurrentVersion\run]
    "EA Core"=-
    :commands
    [emptytemp]
    [clearallrestorepoints]
    [resethosts]
    
    Now click the http://img3.imageshack.us/img3/407/otlrunfix.png button.
    If the fix needed a reboot please do it.
    Click the OK button (upon reboot).
    When OTL is finished, Notepad will open. Close Notepad.
    A log file will be located at C:\_OTL\MovedFiles\mmddyyyy_hhmmss.log, where mmddyyyy_hhmmss is the date of the tool run.
    Attach this log to your next message. (How to attach)

    __

    Now run C:\MGtools\GetLogs.bat by double-clicking it.
    This updates all of the logs inside MGlogs.zip.
    When it is finished, attach C:\MGlogs.zip to your next message. (How to attach)

    __

    Let me know how the computer is running after you have completed these steps.
     
  41. turtles

    turtles Private E-2

    Computer seems to be running great right now. Avast did find and delete a rootkit while I was doing these steps.

    Attached are the logs; I'm not sure MGTools updated. I followed the instructions and the DOS box came up, but it only showed a blinking cursor.
     

  42. thisisu

    thisisu Malware Consultant

    Try this but make sure Avast is disabled before doing so. Avast falsely flags certain programs used in MGtools.

    Now download the latest MGtools.exe to the root of your c: drive.
    • Replace your existing MGtools.exe with this one.
    • Now run this new MGtools.exe by double-clicking it. (Vista/7 right-click and select Run as Administrator)
    • When it is finished, attach c:\MGlogs.zip to your next message. (How to attach)
     
  43. turtles

    turtles Private E-2

    Here is the new log

    Thanks
     

  44. thisisu

    thisisu Malware Consultant

    Good job

    If you are not having any other malware related problems, it is time to do our final steps:
    • Any programs we had you download and/or install can be removed at this time.
    • If we had you download and run ComboFix, here is how to uninstall it:
      • Press and hold the Windows key and then press the letter R on your keyboard.
      • This opens the Run dialog box.
      • Copy and paste the below text inside the text-field:
        • "%userprofile%\desktop\ComboFix" /uninstall
      • Now press ENTER
      • ComboFix will extract its files one last time and you should receive a notification that ComboFix has been uninstalled shortly after.
    • You can re-enable your Disk Emulation software at this time via DeFogger.
    • If we had you create or download a registry patch or "fix" script, these can be deleted at this time.
    • Go into the C:\MGtools folder and run the MGclean.bat file to remove additional traces of our tools.
    • Now we will toggle System Restore to remove any infected system restore points.
    • Lastly, here is a guide to protect you from future infections: How to Protect yourself from malware!
    • Be safe :)
     
  45. turtles

    turtles Private E-2

    Thank you once again for your excellent help!
     
