After effects of malware

Discussion in 'Malware Help (A Specialist Will Reply)' started by vusykirby, Feb 5, 2010.

  1. vusykirby

    vusykirby Private E-2

    Hi there, recently I somehow got the malware Internet Security 2010 on my computer. I went through all kinds of procedures from tech websites to get rid of it, and for the most part it seemed to work. Only, whenever I click on a Google link I often get redirected to some random site. Also, random advertisement/movie trailer sounds start playing out of nowhere, and when I try to run WoW, eventually (usually around 10-20 minutes) my computer shuts down (no restarting, just a complete shut down). Don't know if the last thing is related, but it's a problem nonetheless because WoW worked just fine before Internet Security 2010 started acting up. I've read the cleanup guides for Vista on this forum, and have attached a HijackThis log and RootRepeal log (I also attached a log for MGtools but I'm not sure if it's the right one).

    Just some other tidbits that might help... every day I run Malware once or twice and the same infected file keeps showing up, no matter how many times I delete it. It's been about 3-4 days since Internet Security 2010 last started making trouble, so I don't know if the random ad sounds and redirection of Google links is related to it. Also, I can't seem to access bleepingcomputer.com, and therefore can't get hold of downloads for apps like ComboFix. Whenever I click any link to that site it tells me (on both Firefox and IE) that the server can't be found. On another laptop, however, I can access the site just fine. I'm pretty sure malware is somehow blocking me from sites with specific malware tools, but I have no idea where or how it's doing this. Lastly, I've been getting a ton of errors saying things like Windows Defender and many other programs like SUPERAntiSpyware or iTunes have been stopped.

    Any and all help will be greatly appreciated :]
     

    Attached Files:

    Last edited: Feb 5, 2010
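A check a helper could run for the symptom described above (a security site unreachable on the infected machine only). This is an added example, not code from the thread or from MajorGeeks; it assumes the Windows hosts file is the blocking mechanism, which the thread itself does not establish, and the watch list and sample hosts file are constructed for the example.

```python
# Added example (not from the thread): scan a Windows hosts file for entries that
# block or redirect security sites. Assumes the hosts file is the blocking mechanism.
import ipaddress

# Constructed watch list of sites an infection may try to keep the user away from.
WATCHED_DOMAINS = ("bleepingcomputer.com", "majorgeeks.com",
                   "malwarebytes.org", "superantispyware.com")

def is_watched(hostname):
    """True if hostname is a watched domain or a subdomain of one."""
    h = hostname.lower().rstrip(".")
    return any(h == d or h.endswith("." + d) for d in WATCHED_DOMAINS)

def parse_hosts(text):
    """Return (line_no, ip, hostname) for every mapping in hosts-file text."""
    entries = []
    for no, raw in enumerate(text.splitlines(), 1):
        parts = raw.split("#", 1)[0].split()      # drop comments, tokenize
        if len(parts) < 2:
            continue
        try:
            ipaddress.ip_address(parts[0])
        except ValueError:
            continue                              # first token not an address
        entries.extend((no, parts[0], host) for host in parts[1:])
    return entries

def suspicious_entries(text):
    """Return (line_no, ip, hostname, reason) for watched domains in the file.
    Loopback/unspecified targets mean the site is blocked; anything else redirects."""
    findings = []
    for no, ip, host in parse_hosts(text):
        if not is_watched(host):
            continue
        addr = ipaddress.ip_address(ip)
        blocked = addr.is_loopback or addr.is_unspecified
        findings.append((no, ip, host, "blocked" if blocked else "redirected to " + ip))
    return findings

# Constructed sample: the stock header lines plus three hijack-style entries.
SAMPLE_HOSTS = """# Copyright (c) 1993-2006 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
127.0.0.1 www.bleepingcomputer.com
0.0.0.0   bleepingcomputer.com
192.0.2.10 www.majorgeeks.com  # RFC 5737 documentation address
"""
if __name__ == "__main__":
    for no, ip, host, reason in suspicious_entries(SAMPLE_HOSTS):
        print("line %d: %s -> %s (%s)" % (no, host, ip, reason))
```

On a real machine the text would come from C:\Windows\System32\drivers\etc\hosts; a clean file normally maps nothing but localhost.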
  2. vusykirby

    vusykirby Private E-2

    Also, the file that keeps coming back and getting deleted by Malware is: HKEY_LOCAL_MACHINE\SOFTWARE\H8SRT (Rootkit.TDSS)
     
  3. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Please attach:
    C:\MGLogs.zip (not the individual logs within the C:\MGLogs.zip)
    SAS
    MBAM

    And you should be able to download Combo onto a different computer and transfer it to your desktop via either CD or thumb drive. I would like that log as well.
     
  4. vusykirby

    vusykirby Private E-2

    Alright, sure thing.
     

    Attached Files:

  5. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Getting there. Please take ComboFix out of your downloads folder and move it directly to your desktop.
    It should not be here: c:\users\jinling\Downloads\CF.exe
    It should be here: c:\users\jinling\Desktop\CF.exe

    Please use add/remove programs to uninstall:
    Viewpoint Media Player <-- should have been uninstalled in step 1 of the READ ME

    * Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
    If it is not on your Desktop, the below will not work.
    * Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    * If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
    * Open Notepad and copy/paste the text in the below code box into it (make sure you scroll all the way down in the code box to get all lines selected ):
    Code:
    KILLALL::
    
    Driver::
    Viewpoint Manager Service
    
    File::
    c:\users\jinling\AppData\Local\Xkajubijamehig.dat
    c:\users\jinling\AppData\Local\Rqiyoziqipuzim.bin
    C:\ProgramData\sysReserve.ini
    
    Folder::
    c:\program files\Viewpoint
    
    * Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    * At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    * You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    If it asks you to override the previous file with the same name, click YES.
    * Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
    * Follow the prompts.
    * When it finishes, a log will be produced named c:\combofix.txt
    * I will ask for this log below

    Note:

    Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:

    * C:\ComboFix.txt
    * C:\MGlogs.zip

    Make sure you tell me how things are working now!
     
  6. vusykirby

    vusykirby Private E-2

    Okay, I think (and hope) I did everything right =)

    I tried to uninstall Viewpoint earlier, but it didn't show up on my programs list so I deleted the entire folder instead.
     

    Attached Files:

  7. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Nothing was removed. Apparently Combo had a problem. Please rename it to ComboFix.exe instead of just CF.exe.

    Continue by downloading a tool we will need - Pocket KillBox

    Save it to its own folder somewhere that you will be able to locate it later.

    Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

    Now run Pocket Killbox by double-clicking on killbox.exe
    Choose Tools > Delete Temp Files and click Delete Selected Temp Files.
    Then after it deletes the files click the Exit (Save Settings) button.
    NOTE: Pocket Killbox will only list the added files it is able to find on the system. So when you do the below, if some files do not show in the list after pasting them in, just continue.

    Select:

    * Delete on Reboot
    * Then click on the All Files button (or on the Folders option).
    * Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    c:\users\jinling\AppData\Local\Xkajubijamehig.dat
    c:\users\jinling\AppData\Local\Rqiyoziqipuzim.bin
    c:\program files\Viewpoint\Common\ViewpointService.exe


    * Return to Killbox, go to the File menu, and choose Paste from Clipboard.
    * Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt.

    If you receive a PendingFileRenameOperations prompt, just click OK to continue (But please let me know if you receive this message!).

    If Killbox does not reboot just reboot your PC yourself.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:

    * C:\MGlogs.zip

    Make sure you tell me how things are working now!
     
  8. vusykirby

    vusykirby Private E-2

    I will get on that as soon as my hard drive works again... I left my iPhone plugged in when I turned the computer on, and it chose then of all times to update Vista. Somehow it didn't like what it updated, so every time I try to turn on the laptop it goes to the blue screen of death and restarts. I switched laptops using the same hard drive and the same thing happened, so I'm pretty sure the drivers are malfunctioning. I'm also sure it's not a virus because the error code I got is apparently quite common when the drivers fail after updates. Sigh =(
     
  9. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Bummer. Perhaps you should post in the software forum to get assistance with getting you back up and running again. :(
     
