Malware Removal Help Needed - 26Apr13

Discussion in 'Malware Help (A Specialist Will Reply)' started by QuartetmanIA, Apr 27, 2013.

  1. QuartetmanIA

    QuartetmanIA Private E-2

    I recently purchased a refurbished Dell Computer running Windows 7. I had an XP and transferred my files to the new PC. After doing that, I installed Microsoft Security Essentials. Almost immediately, I received warnings from MSE that I had 5 viruses. I told MSE to cleanse my computer. It said it did, but shortly thereafter, the same 5 viruses popped up. Also, after "cleaning" the 5 viruses, it pops up with 2 more. I clean them and then it starts over with the 5 viruses it found, followed by the 2.

    I have run CCleaner, Spybot S&D, Computer Associates (CA Virus) scans and Malwarebytes. None of these scans found any virus, but MSE does, but doesn't kill them. My last resort is MajorGeeks. I followed the steps for malware removal by running scans and keeping logs. Of the 5 or so programs I was to run, only MGlogs.zip failed to be created. I was unable to save the program to my C root, so I put it on my desktop as was alternatively suggested. I am attaching the logs that I have and request help in getting MGtools to create the log file. I don't think there was a log for TDSS. I couldn't find one and don't think it found viruses.

    If I need to provide additional information please let me know.

    Thanks.

    Dave
     

    Attached Files:

  2. QuartetmanIA

    QuartetmanIA Private E-2

    Edit to add to my original post. These are the 5 viruses MSE finds and doesn't fix:

    Adware:Win32/SideStep
    SoftwareBundler:Win32/Imesh
    Adware:Win32/Ezula.g
    Adware:Win32/NewDotNet
    Adware:Win32/Clariagain.B
    After MSE "doesn't" cleanse the above, the following two appear while MSE is "cleaning" the original 5 viruses:
    BrowserModifier:Win32/Favoriteman
    Trojan:Win32/Malat

    The Malat is marked: Severe.

    "Cleansing" doesn't remove those two either.
     
  3. QuartetmanIA

    QuartetmanIA Private E-2

    Question regarding Malware Help

    A few days ago I started a thread regarding malware on my Dell computer. After writing my post and providing the attachments requested, I thought it might help if I told you what viruses were on my computer. That created a 2nd posting.

    I read in your FAQs that we are not to bump threads, as it would delay considerably any help. Even though my 2nd post was 15 or so minutes after the first, I realize that might be interpreted as a bump in order to keep my problem on the first page. That was never my intent. However, it has been a few days since I've reported this problem and no response yet. I note that other people's problems are being worked on, even though their posting date is after mine.

    I'm not asking to be helped next, but I just wanted to offer an explanation of why there are two posts in my thread, and both of them are mine and not that of one of you experts from Major Geeks.

    The URL of my thread is: http://forums.majorgeeks.com/showthread.php?t=275994 Any help will be appreciated.

    BTW, I ran malwarebytes that one time and it came up "clean", but I can't run it anymore because I'm beyond the 14 day trial.

    After reading this and deciding to work on my problem, you can delete this thread.

    Thank you,

    Dave
     
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please attach the requested log from Malwarebytes and TDSSKiller. TDSSKiller always creates the log as specified in the instructions.

    Okay, so what exactly happened when you ran it from your Desktop?
    Did you use Right Click and Run As Administrator?
    Did you disable UAC as requested and did you disable all protection software first?
     
  5. QuartetmanIA

    QuartetmanIA Private E-2

    Malwarebytes log is now attached.
    When I start TDSSKiller, it gives a popup that says "Can't initialize log", followed by "Can't Load Driver". But it still runs and doesn't have a log. It said that there are 0 Threats, etc. No viruses found. I ran it as an administrator.
    UAC was and still is disabled.
    I put CA Anti-Virus in the "snooze" status. I didn't see any other way to disable it.

    As for MGtools, I am running it as the Administrator: I don't see any log file on my C drive, but there was a window opened up and dumping a bunch of messages...lots of them I/O errors: I've copied it here:

    [edit by chaslang] Inline log snippet removed.
     

    Attached Files:

    Last edited by a moderator: May 3, 2013
  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Right click on C:\MGtools\ReZip.bat and select Run As Administrator, then look in the C:\MGtools folder for a slightly different zip file named MGlogsR.zip Attach it to your next message.
     
  7. QuartetmanIA

    QuartetmanIA Private E-2

    That seems to have worked. The MGlogsR.zip is attached.

    Dave
     

    Attached Files:

  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You have multiple antivirus and multiple antispyware protection programs running, which you should not be doing. Uninstall Microsoft Security Essentials now to avoid conflicts and problems with the CA software you have running. Do this now while I look thru the rest of your logs.
     
  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Make sure that you have already uninstalled Microsoft Security Essentials as requested in my previous message before you do the below!!!!

    Uninstall the below program:
    Search Protect by conduit

    Please download OTM by Old Timer and save it to your Desktop.
    • Run it by double clicking on it (Note: if using Vista, Win7, or Win8, don't double click, use right click and select Run As Administrator).
    • Copy the lines from the below codebox to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy). Do not include the word Code:, which is just a title line of the code box.
    Code:
    :Processes
    explorer.exe
    
    :Services
    CltMngSvc
     
    :Files
    C:\Users\Dave\AppData\Local\Conduit
    C:\Users\Dave\AppData\Roaming\SearchProtect
    C:\Users\Dave\AppData\Roaming\SpeedyPC Software
    C:\Program Files\Conduit
    C:\Program Files\Enigma Software Group
    C:\Program Files\SearchProtect
    C:\ProgramData\SpeedyPC Software
    C:\Windows\Temp\*.*
    C:\Users\Dave\AppData\Local\Temp\*.*
    
    :Reg
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    "SearchProtect"=-
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentVersion\Run]
    "SearchProtectAll"=-
    C:\Program Files\SearchProtect
    C:\Users\Dave\AppData\Roaming\SearchProtect
    
    [HKEY_USERS\S-1-5-21-2282707794-52558753-626861832-1001\Software\Microsoft\Windows\CurrentVersion\run]
    "SearchProtect"=-
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchScopes\{099EF85B-3260-4b87-9239-33355EE6A548}]
    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes]
    "DefaultScope"="{0633EE93-D776-472f-A0FF-E1416B8B2E3A}"
    [-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{099EF85B-3260-4b87-9239-33355EE6A548}]
    [-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{3316068B-2BC1-470D-9108-C467B443CF26}]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\AboutURLs]
    "Tabs"="res://ieframe.dll/tabswelcome.htm"
    :Commands
    [purity]
    [EmptyTemp]
    [start explorer]
    [Reboot]
    • Return to OTM, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste.
    • Now click the large MoveIt! button.
    • If OTM asks to reboot your computer, allow it to do so. The report should appear in Notepad after the reboot.
    • Close OTM.
    Now navigate to the C:\_OTM\MovedFiles folder (assuming your Windows drive is C). This is where your log will be saved in the form of Date and Time mmddyyyy_hhmmss.log. Just look for the most recent .log file. Attach this log file to your next message.

    Now please download Junkware Removal Tool to your desktop.
    • Shut down your protection software now to avoid potential conflicts.
    • Run the tool by double-clicking it. If you are using Windows Vista or Seven, right-mouse click it and select Run as Administrator.
    • The tool will open and start scanning your system.
    • Note: That JRT may reset your home page to a google default so you will need to restore your home page setting if this happens.
    • Please be patient as this can take a while to complete depending on your system's specifications.
    • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
    • Attach JRT.txt to your next message.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:
    • the C:\_OTM\MovedFiles log
    • the JRT.txt log
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
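    The OTM script above removes a fixed list of artifacts: folders, the CltMngSvc service, two Run-key values and three Internet Explorer SearchScopes. The following is an added read-only audit, not OTM's script and not part of chaslang's instructions: it reports which of those items are present on a machine without changing anything, so a reader can see what the :Files, :Services and :Reg sections are aimed at (and re-check after a cleanup). It assumes the listed paths apply to the current user's profile rather than C:\Users\Dave, and it is meant to be run from an elevated PowerShell prompt.

```powershell
# Added example: read-only audit of the artifacts named in the OTM script above.
# Nothing here deletes or modifies files, services or registry values.
$findings = New-Object System.Collections.Generic.List[string]

# :Files section (profile-relative where the OTM list used C:\Users\Dave; the
# Temp\*.* entries are skipped because they are just cache cleanup)
$paths = @(
    "$env:LOCALAPPDATA\Conduit",
    "$env:APPDATA\SearchProtect",
    "$env:APPDATA\SpeedyPC Software",
    "$env:ProgramFiles\Conduit",
    "$env:ProgramFiles\Enigma Software Group",
    "$env:ProgramFiles\SearchProtect",
    "$env:ProgramData\SpeedyPC Software"
)
foreach ($p in $paths) {
    if (Test-Path -LiteralPath $p) { $findings.Add("Present: $p") }
}

# :Services section
$svc = Get-Service -Name 'CltMngSvc' -ErrorAction SilentlyContinue
if ($svc) { $findings.Add("Service CltMngSvc exists (status: $($svc.Status))") }

# :Reg section, Run-key values (value name => key that should hold it)
$runValues = @{
    'SearchProtect'    = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
    'SearchProtectAll' = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
}
foreach ($name in $runValues.Keys) {
    $key   = $runValues[$name]
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if ($props -and $props.PSObject.Properties[$name]) {
        $findings.Add("Run value '$name' in $key -> $($props.$name)")
    }
}

# :Reg section, IE SearchScopes the OTM script deletes under HKLM and HKCU
$scopeIds = @('{099EF85B-3260-4b87-9239-33355EE6A548}',
              '{3316068B-2BC1-470D-9108-C467B443CF26}')
foreach ($hive in 'HKLM:', 'HKCU:') {
    foreach ($id in $scopeIds) {
        $k = "$hive\Software\Microsoft\Internet Explorer\SearchScopes\$id"
        if (Test-Path -LiteralPath $k) { $findings.Add("SearchScope present: $k") }
    }
}

# DefaultScope value the OTM script sets back under HKCU
$expectedScope = '{0633EE93-D776-472f-A0FF-E1416B8B2E3A}'
$scopes = Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Internet Explorer\SearchScopes' -ErrorAction SilentlyContinue
if ($scopes -and $scopes.DefaultScope -and $scopes.DefaultScope -ne $expectedScope) {
    $findings.Add("HKCU DefaultScope is $($scopes.DefaultScope), not $expectedScope")
}

if ($findings.Count -eq 0) { 'No listed artifacts found.' } else { $findings }
```

    Running it before the OTM script shows which entries will actually be acted on; running it again after the reboot confirms the Run values and SearchScopes are gone. Test-Path with -LiteralPath is used for the registry keys because their names contain braces, which would otherwise be treated as wildcard characters.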
     
  10. QuartetmanIA

    QuartetmanIA Private E-2

    Hello.

    1. I uninstalled Microsoft Security Essentials.
    2. I uninstalled Search Protect by conduit.
    3. I downloaded OTM and pasted the code into its window.
    a. The program ran, but right after where it displayed === REGISTRY ==== followed by two lines of HKEY messages, the OTM went into a Not Responding Mode. I let it sit for 10-15 minutes until I finally ENDED the Task. It said it was using 50% of the CPU cycles, but still not doing anything.
    b. I had to reboot my machine as it was locked up because of this.
    c. On startup, OTM started again and produced a log.
    d. Assuming the LOCK OUT was typical for some, I continued with your instructions.

    4. I am attaching mmddyyyy_hhmmss.log from _OTM
    5. I downloaded JunkYard and did what I could to stop CA Anti-Virus. (It doesn't let me EXIT; all I could do was to put it into snooze status for 999 minutes. It said I would have no virus protection with the snooze status, so I figured I complied with your request to stop my anti-virus.)
    6. I also exited malwarebytes too.
    7. I ran JunkYard and have attached the JRT.txt
    8. I ran GetLogs.bat and attached the MGlogs.zip
     
  11. QuartetmanIA

    QuartetmanIA Private E-2

    Hello.

    (I was in the middle of posting this and uploading my attachments when it somehow got posted, so I went into Edit and tried to finish my message and Save. I got a message about Editing taking more than 10 minutes and telling me to contact the administrator. I'm not sure how that works from reading the page. Anyway, here is what I was trying to say and here are the attachments that got lost from my previous post.)

    1. I uninstalled Microsoft Security Essentials.
    2. I uninstalled Search Protect by conduit.
    3. I downloaded OTM and pasted the code into its window.
    a. The program ran, but right after where it displayed === REGISTRY ==== followed by two lines of HKEY messages, the OTM went into a Not Responding Mode. I let it sit for 10-15 minutes until I finally ENDED the Task. It said it was using 50% of the CPU cycles, but still not doing anything.
    b. I had to reboot my machine as it was locked up because of this.
    c. On startup, OTM started again and produced a log.
    d. Assuming the LOCK OUT was typical for some, I continued with your instructions.

    4. I am attaching mmddyyyy_hhmmss.log from _OTM
    5. I downloaded JunkYard and did what I could to stop CA Anti-Virus. (It doesn't let me EXIT; all I could do was to put it into snooze status for 999 minutes. It said I would have no virus protection with the snooze status, so I figured I complied with your request to stop my anti-virus.)
    6. I also exited malwarebytes too.
    7. I ran JunkYard and have attached the JRT.txt
    8. I ran GetLogs.bat and attached the MGlogs.zip

    How is it running?

    While it was not my original problem, I have noticed for the past couple of days, my keystrokes displaying were not keeping up with my typing. It was slow. Starting IE was slower than I expected for having a "new" refurbished computer.

    The only thing I wonder about is that Microsoft Security Essentials was the only program to identify the 5-7 viruses mentioned in my original post (#2). Since MSE is uninstalled, I don't know for sure if they are gone, because no other anti-virus found them. I was most worried about the one marked "serious" and wonder if it is now removed: MATVAR or something like that.

    I will wait for your next set of instructions to see where I go from here. (Don't say it!!! "Hell!" ha ha)

    With appreciation for your help,

    Dave
     

    Attached Files:

  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    This may be due to all the stuff CA antivirus is running. You could try uninstalling it and then rebooting to see how performance looks. All of the below would need to be removed. Hopefully just uninstalling the Internet Security Suite removes all of it.

    CA Anti-Spyware
    CA Anti-Virus
    CA Internet Security Suite
    CA Pest Patrol Realtime Protection
    CA Website Inspector
     
