another malware infection!

Discussion in 'Malware Help (A Specialist Will Reply)' started by vale, Jun 1, 2009.

  1. vale

    vale Private E-2

    Ok, I've spent hours today trying to fix what's wrong with my computer but had no luck. I'm usually able to get rid of these things by myself but this one - I just can't seem to find it.

    I had some kind of malware last week that kept showing messages to download WinBlueSoft to get rid of an infection. Of course I did NOT click on anything. My father's friend came here and was able to temporarily fix the problem. No more signs of infection, except that I still cannot run any protection software (at least without renaming it). I can run any kind of program except those that protect my computer. I also cannot update McAfee, MBAM, SAS... I did get the latest definition files by downloading them manually though.

    I already ran MBAM and SAS and they found nothing. I downloaded ComboFix but whatever malware is infecting my computer blocks it from running - even when I rename it.

    Also, I have a blank box at the bottom right of my desktop... It disappears when I'm on the Internet but as soon as I close the windows, it's there again, right on the desktop. I cannot close this thing, cannot move it, cannot do anything about it.

    When using I.E.6, I'm also redirected to egotvonline, for some reason. Now, every computer in my house does this - not only mine - and I'm pretty sure it all started on my computer. This doesn't happen with Firefox though.

    I really need some help I'm afraid!
     

    Attached Files:

  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Major Geeks!

    Your logs are clean. You may not be having malware problems.

    This may just be due to McAfee. Unless you stop McAfee from running, it can prevent you from being able to run ComboFix properly thru to completion.

    Did you check to see what new tasks/processes load when you close all of your browsers?


    Attach the below two logs, which are more important than the ones you already attached:
    Code:
    "C:\Documents and Settings\admin\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\Logs\"
    2009-06-01        1797  "SUPERAntiSpyware Scan Log - 06-01-2009 - 12-31-32.log"
     
    "C:\Documents and Settings\admin\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\"
    2009-05-31        3549  "mbam-log-2009-05-31 (21-47-55).txt"
    
    Copy the bold text below to notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.
    Make sure that you tell me if you receive a success message about adding the above to the registry. If you do not get a success message, it definitely did not work.


    Delete the below file:
    C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC Nag.job


    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).


    Then attach the below log:
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
  3. vale

    vale Private E-2

    Hi Chaslang, and thanks for your answer :) Sorry it took some time to write back, I was away for business.

    So I followed everything you said. I tried to run ComboFix by shutting McAfee down, but it still does not work. I can see that the program is loading, then it finishes and disappears. Then nothing happens. I try to do something - anything - and nothing works, I have to restart my computer.

    As for the blank box at the bottom of my desktop, I realized it was something from SuperAntiSpyware. It doesn't show anything but a small red X at the top of the box (like the image didn't load). When I exit SAS by clicking on the bug icon (next to the clock) it disappears. Not sure why I get this blank box though, but now I know where it comes from.

    I downloaded CounterSpy the other day, before I got an answer from you. I cannot seem to find any kind of logs on my computer but it did find a few bad things. I try to update and run it every day. So far it's found:

    - Trojan.DNSChanger.Gen
    - Trojan-Win32/Alureon.gen!J
    - Trojan.Crypt.Krap (v)
    - Trojan.Win32/tdss.aexu
    - Trojan.Downloader.Win32.FraudLoad.wbkw
    - Trojan.Win32.TDSS.aexz

    ... And I'm sure there is STILL something in my computer, because I still cannot update my definition files for any programs to remove spyware/malware/virus. Also, I found out that I cannot create a restore point, and cannot boot in safe mode.

    Regarding the fixme thing, I had a message stating that it had been entered in the registry.

    I hope you can find what's wrong with my computer! I've attached what you asked for (also deleted the Speedupmypc thing). Thank you so much for your help, I greatly appreciate it!!!
     

    Attached Files:

  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Also how long did you wait? I have seen it take up to 15 or 20 minutes before ComboFix even pops up a blue command prompt type window to start running its scan.

    Did you shutdown WinPatrol, Ad-Aware and CounterSpy too? ALL protection software must be shutdown or uninstalled before running ComboFix. It may be a good idea for you to uninstall Ad-Aware, McAfee, WinPatrol, and definitely CounterSpy as stated below to make sure that:
    1. They are not interfering with running ComboFix
    2. They are not responsible for any of your problems
    3. Ad-Aware is not effective enough to waste resources on it anyway
    After uninstalling everything, redownload the current version of ComboFix, leave it named combofix.exe and save it to your Desktop.

    Unless you give us a log, this info is not helpful since it could just be things we have already removed and/or that are in quarantines or system restore and those would not be issues. Did you purchase CounterSpy? If not, uninstall and please follow the instructions given in the READ & RUN ME which state not to do anything unless we ask you to.


    Now download HostsXpert and then follow the below steps.
    • Unzip HostsXpert.zip
    • It will create a folder named HostsXpert in whatever folder you extract it to.
    • Run HostsXpert.exe by double clicking on it.
    • Click the Make Writeable? button. (if you only see a Make Read-Only selection, it is already writeable so skip this button).
    • Click Restore Microsoft's Hosts File and then click OK.
    • Click the X to exit the program

    Uninstall the below old versions of software:
    Java(TM) 6 Update 4


    Now download The Avenger by Swandog46, and save it to your Desktop.
    • Extract avenger.exe from the Zip file and save it to your desktop
    • Run avenger.exe by double-clicking on it.
    • Do not change any check box options!!
    • Copy everything in the Quote box below, and paste it into the Input script here: part of the window:
    • Now click the Execute button.
    • Click Yes to the prompt to confirm you want to execute.
    • Click Yes to the Reboot now? question that will appear when Avenger finishes running.
    • Your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt and it will popup for you to view when you login after reboot.

    Now install the current version of Sun Java from: Sun Java Runtime Environment
    Now run Ccleaner. Only use the Run Cleaner button. Do not run anything else on any other forms.

    Now download the current version of MGtools and save it to your root folder. Overwrite your previous MGtools.exe file with this one.

    Run MGtools.exe ( Note: If using Vista make sure UAC is still disabled. Also don't double click on it, use right click and select Run As Administrator )

    Now attach the below log:
    • C:\avenger.txt
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
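    The HostsXpert step above restores Microsoft's default hosts file because malware of this kind commonly edits %SystemRoot%\system32\drivers\etc\hosts to blackhole security vendors' update servers (the "cannot update McAfee, MBAM, SAS" symptom) or to point popular sites at an attacker-chosen address. The following Python script is an added example, not from the thread or from HostsXpert: it parses a hosts file, reports every entry that deviates from the Microsoft default (only localhost mapped to loopback), and ranks entries that blackhole or redirect a watched domain as high severity. The watch-list and the sample hosts file are constructed for the example; the vendor hostnames in it are illustrative, not an authoritative list of any product's update servers. It goes slightly beyond the thread by also flagging 0.0.0.0 blackholes and unparseable addresses.

```python
"""Audit a Windows hosts file for update-blocking and redirect entries.

Added example (not from the thread). The Microsoft default hosts file maps
only 'localhost' to a loopback address; anything else deserves review.
"""
import ipaddress
from dataclasses import dataclass
from typing import Iterator, List, Tuple

# Constructed watch-list: domains a security product or the user needs to
# reach. Illustrative only, not any vendor's real update host list.
WATCHED_DOMAINS = frozenset({
    "update.mcafee.com", "download.mcafee.com",
    "www.malwarebytes.org", "malwarebytes.org",
    "www.superantispyware.com", "superantispyware.com",
    "www.google.com", "google.com",
})

# Names the default file is allowed to map to loopback.
LOCAL_NAMES = frozenset({"localhost", "localhost.localdomain"})


@dataclass(frozen=True)
class Finding:
    line_no: int
    address: str
    hostname: str
    severity: str   # "high", "medium" or "low"
    reason: str


def parse_hosts(text: str) -> Iterator[Tuple[int, str, List[str]]]:
    """Yield (line_no, address, [hostnames]) for each non-comment entry."""
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:                    # address with no hostname
            continue
        yield line_no, fields[0], [f.lower() for f in fields[1:]]


def audit_hosts(text: str, watched=WATCHED_DOMAINS) -> List[Finding]:
    """Return every entry that is not part of the Microsoft default."""
    findings: List[Finding] = []
    for line_no, address, names in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(address)
        except ValueError:
            findings.extend(Finding(line_no, address, n, "medium",
                                    "unparseable address") for n in names)
            continue
        # 127.x / ::1 and 0.0.0.0 both make the name unreachable (blackhole).
        blackhole = addr.is_loopback or addr.is_unspecified
        for name in names:
            if blackhole and name in LOCAL_NAMES:
                continue                       # the one legitimate default entry
            if blackhole:
                if name in watched:
                    findings.append(Finding(line_no, address, name, "high",
                                            "update/search domain blackholed"))
                else:
                    findings.append(Finding(line_no, address, name, "low",
                                            "non-default blackhole entry"))
            else:
                severity = "high" if name in watched else "medium"
                findings.append(Finding(line_no, address, name, severity,
                                        f"redirected to {address}"))
    return findings


def is_microsoft_default(text: str) -> bool:
    """True when every entry maps a localhost name to a loopback address."""
    for _, address, names in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(address)
        except ValueError:
            return False
        if not addr.is_loopback or any(n not in LOCAL_NAMES for n in names):
            return False
    return True


# Constructed sample, not a capture from the poster's machine.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.  (constructed sample)
127.0.0.1       localhost
127.0.0.1       update.mcafee.com        # AV updates silently blackholed
0.0.0.0         www.malwarebytes.org
203.0.113.45    www.google.com           # search redirect (TEST-NET-3 address)
10.0.0.5        intranet.example         # non-loopback, not on the watch-list
"""

if __name__ == "__main__":
    for f in audit_hosts(SAMPLE_HOSTS):
        print(f"line {f.line_no}: [{f.severity}] {f.hostname} -> {f.address}: {f.reason}")
    print("Microsoft default:", is_microsoft_default(SAMPLE_HOSTS))
```

    To check a real machine, read the hosts file into `audit_hosts` instead of `SAMPLE_HOSTS`; an empty result from `audit_hosts` (or `True` from `is_microsoft_default`) means there is nothing for a restore step like HostsXpert's to undo, while any "high" finding explains blocked updates or redirected searches on its own.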
  5. vale

    vale Private E-2

    Ok, I just finished doing everything in your last post.

    Regarding ComboFix, it still would not run. I tried without renaming it (as you said) but I would not even see the little box with green bars progressing. I renamed it and then I saw the bars and everything, but after 25-30 minutes nothing had happened. I deleted it, redownloaded it, and put it on my desktop again - but did not rename it or try to run it since.

    I ran HostsXpert.exe and restored MS Hosts Files. I uninstalled Java 6 update 4 and downloaded the one you directed me to - Update 14.

    What's good: I am able to update SuperAntiSpyware AND Malwarebytes' Anti-Malware without doing so manually!!! I can also create a Restore Point now.

    What's still there: whenever I use Internet Explorer, I still get redirected to any kind of ad page. What happens is when I search something (ie "facebook", "yellow pages", or anything) in Google and I click on a link, I get redirected to the Ad page. At first I would land on egotvonline.com, now it's findstuff.com, abcjmp.com, and many, many more. This does not always happen, and the second time you click on the link it usually gets you on the right website, but I'd say I get redirected about 80% of the time. It is not a problem with Firefox though.

    Now, I was thinking that I should try and run ComboFix now that my computer seems to run better, as well as do other scans with SAS and MBAM... but I thought I'd ask you first and wait for approval.

    I attached the files you've asked for.
    Thanks again!!
     

    Attached Files:

  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You did not directly address part of my question, which was the below.
    I have another fix for you to run to remove some additional problems that are starting to show up. Make sure that you shutdown CounterSpy and McAfee before doing the below.

    • Run avenger.exe by double-clicking on it.
    • Do not change any check box options!!
    • Copy everything in the Quote box below, and paste it into the Input script here: part of the window:
    • Now click the Execute button.
    • Click Yes to the prompt to confirm you want to execute.
    • Click Yes to the Reboot now? question that will appear when Avenger finishes running.
    • Your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt and it will popup for you to view when you login after reboot.

    Now make sure you update these programs first and then run full scans with SUPERAntiSpyware and Malwarebytes. Fix what they find and save logs.

    Now run Ccleaner. Only use the Run Cleaner button. Do not run anything else on any other forms.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:
    • C:\avenger.txt
    • the SUPERAntiSpyware log
    • the Malwarebytes log
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
  7. vale

    vale Private E-2

    I'm sorry I did not answer your question correctly. Yes, I had shut down WinPatrol, Ad-Aware (these 2 were actually uninstalled and deleted) as well as McAfee, SAS and CounterSpy.

    Internet is running A LOT faster here. It used to take up to 1 minute to load the homepage (in Firefox and IE) and now it only takes a few seconds!

    I restarted my computer to see if by pressing the F8 key my boot menu would look like it used to (with the black background) and it does!!! Before this I had a blue window - which was unusual.

    I googled lots of things from IE and Firefox (as it had started to redirect me to ad pages as well) and EVERY link I clicked got me on the right page!! :)

    Overall everything seems to be fixed!!! And I'm so grateful for your help!! I quickly searched on the forums if I could donate some money but haven't found anything, is there a program of yours or anything where I can make a donation? I really appreciate your help.

    I've attached the logs you requested.

    Also, I was wondering... since the other computers in my house (we've got 3 more) all do the redirecting thing, should I be concerned? I mean, do I have a chance of being reinfected because we're all on the same wireless network, or does it have nothing to do with it? I don't know whether my computer was the first infected or not, but I know that all the other 3 came up with the same issue (google redirecting to ad pages) the same day.

    Again, thank you so much!
     

    Attached Files:

  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome. We have another fix to run on this PC which I will give down below.

    Only via PayPal if you wish.

    Yes. You should run the cleaning procedure on each PC. Each belongs in its own thread. Be sure to state it is another PC (like PC2, PC3, & PC4) to avoid having anyone think it is related to PC1 in this thread.

    Now let's continue with this current PC.
    • Run avenger.exe by double-clicking on it.
    • Do not change any check box options!!
    • Copy everything in the Quote box below, and paste it into the Input script here: part of the window:
    • Now click the Execute button.
    • Click Yes to the prompt to confirm you want to execute.
    • Click Yes to the Reboot now? question that will appear when Avenger finishes running.
    • Your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt and it will popup for you to view when you login after reboot.

    Now run Ccleaner. Only use the Run Cleaner button. Do not run anything else on any other forms.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:
    • C:\avenger.txt
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
  9. vale

    vale Private E-2

    Ok, I allowed private messages to be sent to me so you can give me your email address for paypal.

    As for the other computers, my parents left with one laptop and won't come back before September, meaning I won't be able to do anything with this one before they're back. I'll post threads for the 2 others.

    I ran Avenger, CCleaner and MGtools. I've attached the logs.

    Everything seems fine. No more redirecting, boot menu looks normal again, I can create restore points with no problems, I can update SAS/MBAM and everything without doing it manually (download from the programs). Internet also seems faster.

    Thank you so much!
     

    Attached Files:

  10. vale

    vale Private E-2

    Sorry I have to "bump". I ran SAS and MBAM since I hadn't been here for a few days and SAS found nothing, but MBAM found something while doing a quick scan. I then decided to run a full scan and it found something else. Here are the logs.
     

    Attached Files:

  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Just an additional item related to what we have been removing. As we slowly removed each layer of the onion, more items were able to show. As long as this gxsx.... key no longer shows after a reboot and another scan, then you are okay.

    Obviously Avenger being detected is a false positive. And anything in System Restore will be removed when you complete my final instructions below.

    Since your logs are clean and if you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources (except a little disk space) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /u
        • Notes: The space between the combofix" and the /u, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
      • Delete the C:\combofix folder from combofix (if it exists)
    3. If we had you run Avenger, you can delete all files related to Avenger now.
    4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    7. Go to add/remove programs and uninstall HijackThis.
    8. You can delete the C:\MGtools folder and the C:\MGtools.exe file. You can also delete the C:\MGlogs.zip
    9. If you are running Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures in step 3 of the READ ME for your Windows version and see the instructions to Disable System Restore, which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    10. After doing the above, you should work thru the below link:
     
  12. vale

    vale Private E-2

    It's good to know that it's part of the things we deleted. I was a little scared for a few minutes!

    I'm going to follow the advice in "how to protect yourself from malware" and will download some programs tonight when I have some time to do it.

    Should I consider getting rid of McAfee (to replace it with another antivirus) or is it good enough? It obviously has not been that great at preventing/finding anything on my computer when it was infected.
     
  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You will find that no antivirus program provides perfect or even near perfect protection. They are far from it. That is why the How to protect yourself thread is giving you multiple layers of protection, which is necessary. However, no protection solution will protect you from yourself, which is also emphasized in that link. If you like McAfee and don't mind the performance hit nor mind paying for it each year, then stick with it. But in reality, the free multi-layered protection along with smarter surfing are quite sufficient.
     
    Last edited: Jun 22, 2009
  14. vale

    vale Private E-2

    Ok! Well, thanks again for your help!!
     
  15. vale

    vale Private E-2

    Just wanted to add that I performed a quick scan with SAS and it found 6 other items. I know they'll keep coming up and everything, but I'm attaching the log just in case.
     

    Attached Files:

  16. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    They are not problems. They are false detections by SUPERAntiSpyware. Those are leftovers from ComboFix. You can simply delete the C:\32788R22FWJFW folder if it still exists and look in the C:\windows folder for pev.exe and nircmd.exe and delete them if found. After deleting that folder and the files:
    • Empty your Recycle Bin
    • And toggle System Restore again.
     
