Followed Read & Run this first, but still problems

Discussion in 'Malware Help (A Specialist Will Reply)' started by fmbp3, Jun 3, 2008.

  1. fmbp3

    fmbp3 Private E-2

    About two weeks ago my antivirus and firewall (Windows Live OneCare) went down and I didn't notice it right away. By the time I realized it and fixed it my computer was acting odd. The main problem is that when I attempt to log into my online banking, credit cards or even eBay I get redirected to somewhat convincing pages asking me for all sorts of personal info, from my name and SS# to my bank account # and routing #. Each page is different depending on who I am trying to log into. Most have spelling or grammatical mistakes. The eBay page threw me off the most because my toolbar went green and said verified by VeriSign, and even the eBay toolbar said it was a legitimate site. I know it's not; I even asked eBay themselves. I can successfully log into my accounts from another computer, so I am assuming this is some sort of malware. Before coming here I ran HouseCall and it said I had Troj_vb.awz and Troj_conhook.ad, but couldn't clean them. I had also run Malwarebytes and it seemed to have found and cleaned the vb.awz, but I can't be certain. I completed the Read & Run this First instructions. (I hope I did it all right.) Please help if you can and let me know if I screwed something up and need to redo it. Sorry for being long-winded. Thanks.
     

    Attached Files:

  2. fmbp3

    fmbp3 Private E-2

    Second message for additional attachments

    Here is the MGlogs.zip attachment.
     

    Attached Files:

  3. fmbp3

    fmbp3 Private E-2

    I completely forgot to mention the other problem I was having. Internet Explorer keeps wanting to close. I constantly get the "Internet Explorer has encountered a problem and must close" message. I can ignore it and move it out of the way, but it is really annoying. I can only assume that this is related. I tried to follow Microsoft's advice by toggling add-ons, but to no avail.
     
  4. abri

    abri MajorGeek

    Hi fmbp3,
    Welcome to Major Geeks!


    I don't see much in your logs, but there is one hidden entry in Combofix that might be worth looking into. It could be a file belonging to Counterstrike. Also, there's one browser hijacker object that I'll have you remove. Did you notice this problem with the installation of any new software, upgrades or updates?


    1) What is the following? Is this something you installed?

    C:\Program Files\BenefitBarIE


    2) Please disable your guest account if this hasn't already been done.

    3) Please go to the following folder in Windows Explorer and delete any of the files in it that you are allowed to delete. Windows will not allow you to delete files from the current date.

    C:\WINDOWS\Temp\

    4) Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (Note: if using Vista, don't double click, use right click and select Run As Administrator). Select "Do a system scan only". In the box that opens, find the following entries and put a checkmark next to them (if you need some of them to be in the trusted zone, leave them). After check-marking them, close all your open browser windows and click on FIX:

    O2 - BHO: (no name) - {3EBBD0F6-1F1F-48A0-89DC-C7505D56E92A} - (no file)

    If you're not using the following, fix it as well.

    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (file missing)

    After you click fix, just close hijackthis.

    5) Reset Web Settings & Default Security Settings

    For IE 7 users:

    Open IE Explorer, select Internet Options, then the Advanced Tab and then the Reset button under Reset Internet Explorer Settings.

    6) Now run CCleaner at the default setting with the Windows tab as the top one.

    7) Finally, I would like for you to run the following rootkit scan to see if there might be anything hidden the other scans have missed. Go to Running GMER to detect rootkits


    8) Please run C:\MGtools\GetLogs.bat and attach the fresh MGlogs.zip along with the GMER log.


    Let me know how things are running now?

    abri

     
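    The HijackThis lines abri is working from above (and in the later posts) follow a fixed text format, and the conditions being acted on are recognisable from the line alone: a BHO whose DLL is "(no file)" or "(file missing)", a downloaded ActiveX control (O16 DPF) fetched from an outside host, an IE search setting that has been emptied. The following Python is an added example, not from the thread or from the HijackThis project, that parses those line shapes and flags them the way a triage pass would. The sample input is the set of lines quoted in this thread; the flag rules are this example's own, not HijackThis behaviour.

```python
"""Triage HijackThis-style log lines (added example; not HijackThis code)."""
import re
from dataclasses import dataclass, field
from typing import List, Optional
from urllib.parse import urlparse

# Constructed sample: the HijackThis entries quoted in this thread.
SAMPLE_LOG = r"""
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) =
O2 - BHO: (no name) - {3EBBD0F6-1F1F-48A0-89DC-C7505D56E92A} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (file missing)
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/eBay_Enhanced_Picture_Control_v1-0-3-36.cab
O16 - DPF: {CD9A128C-E43E-A5C9-B435-B31729B34C66} - http://fye.musicnet.com/download/PerformerSetup-sa.exe
"""

@dataclass
class Entry:
    section: str                       # R0, R1, O2, O4, O16 ...
    raw: str
    kind: str = "unknown"              # bho, autorun, activex_dpf, ie_setting
    fields: dict = field(default_factory=dict)
    flags: List[str] = field(default_factory=list)

LINE_RE = re.compile(r"^(?P<section>R\d|O\d+) - (?P<rest>.*)$")
BHO_RE = re.compile(r"^BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*)$")
# O4 line: HKLM\..\Run: [Name] "command" args
RUN_RE = re.compile(r"^(?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# O16 line: DPF: {CLSID} (Class name, optional) - URL
DPF_RE = re.compile(r"^DPF: \{(?P<clsid>[0-9A-Fa-f-]+)\}(?: \((?P<name>[^)]*)\))? - (?P<url>\S+)$")
REG_RE = re.compile(r"^(?P<key>.*?) = ?(?P<value>.*)$")

def parse_line(line: str) -> Optional[Entry]:
    """Parse one log line into an Entry with triage flags, or None if unrecognised."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    section, rest = m.group("section"), m.group("rest")
    entry = Entry(section=section, raw=line.strip())
    if section == "O2" and (b := BHO_RE.match(rest)):
        entry.kind, entry.fields = "bho", b.groupdict()
        path = entry.fields["path"]
        if path == "(no file)" or path.endswith("(file missing)"):
            entry.flags.append("BHO registered but its DLL is not on disk (orphaned)")
        if entry.fields["name"] == "(no name)":
            entry.flags.append("BHO has no display name")
    elif section == "O4" and (r := RUN_RE.match(rest)):
        entry.kind, entry.fields = "autorun", r.groupdict()   # informational only
    elif section == "O16" and (d := DPF_RE.match(rest)):
        entry.kind, entry.fields = "activex_dpf", d.groupdict()
        entry.fields["host"] = urlparse(entry.fields["url"]).hostname or ""
        if not entry.fields["url"].lower().endswith(".cab"):
            entry.flags.append("DPF points at a bare executable instead of a .cab package")
        if not entry.fields.get("name"):
            entry.flags.append("DPF control has no class name")
    elif section in ("R0", "R1") and (g := REG_RE.match(rest)):
        entry.kind, entry.fields = "ie_setting", g.groupdict()
        if entry.fields["value"] == "":
            entry.flags.append("IE search setting has been emptied")
    return entry

def triage(log_text: str) -> List[Entry]:
    """Parse every non-blank line; unrecognised lines are skipped."""
    entries = (parse_line(l) for l in log_text.splitlines() if l.strip())
    return [e for e in entries if e is not None]

def report(entries: List[Entry]) -> str:
    lines = []
    for e in entries:
        marker = "REVIEW" if e.flags else "  ok  "
        lines.append(f"[{marker}] {e.section:<3} {e.kind:<12} {e.raw[:70]}")
        lines.extend(f"           - {f}" for f in e.flags)
    return "\n".join(lines)

if __name__ == "__main__":
    print(report(triage(SAMPLE_LOG)))
```

    The flagged lines come out to exactly the set abri asked to have fixed; the QuickTime autorun and the eBay picture control carry no flag, which matches the post's note that the O16 removals were precautionary rather than evidence of infection. Whether a given O16 host is trusted is a judgement call this code leaves to the reader, so it only surfaces the host name.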
  5. fmbp3

    fmbp3 Private E-2

    Ok, I followed your instructions and I have attached the logs you requested. BenefitBarIE is from the UFC toolbar that my husband downloaded. I uninstalled it but hadn't deleted the leftover crap. Everything is still the same. I can't log onto my banking or eBay sites without those confirmation pages, and Internet Explorer still wants to close all the time. Thank you so very much for your help; it is greatly appreciated. Let me know if there is anything else I should do.
     

    Attached Files:

  6. abri

    abri MajorGeek

    Hi fmbp3,

    I'm going to have you remove some of your ActiveX components, including the one for eBay. You may have to reinstall these later.

    1) Did you empty the temporary folders I mentioned? Here they are again. They need to be emptied!

    C:\Documents and Settings\Karen\Local Settings\temp\
    C:\WINDOWS\Temp\

    2) Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (Note: if using Vista, don't double click, use right click and select Run As Administrator). Select "Do a system scan only". In the box that opens, find the following entries and put a checkmark next to them (if you need some of them to be in the trusted zone, leave them). After check-marking them, close all your open browser windows and click on FIX:

    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
    O16 - DPF: {2EB1E425-74DC-4DC0-A9E1-03A4C852E1F2} (CPlayFirstTriJinxControl Object) - http://atlantis9.bigfishgames.com/Reef/en_trijinx/online/trijinx/TriJinx.1.0.0.55.cab
    O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/eBay_Enhanced_Picture_Control_v1-0-3-36.cab
    O16 - DPF: {50647AB5-18FD-4142-82B0-5852478DD0D5} (Keynote Connector Launcher 2) - http://webeffective.keynote.com/applications/pconnector/download/ConnectorLauncher.cab
    O16 - DPF: {A7EA8AD2-287F-11D3-B120-006008C39542} (CBSTIEPrint Class) - http://offers.e-centives.com/cif/download/bin/actxcab.cab

    After you click fix, just close hijackthis.


    3) Download and install Erunt. Use it to create a backup of your registry.

    4) Please copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the File Type is set to "all files". Once you have saved it, look for it on your desktop and when you find it, double-click it and allow it to merge with the registry.
    5) Now run CCleaner at the default setting with the Windows tab as the top one.

    6) Please run C:\MGtools\GetLogs.bat and attach the fresh MGlogs.zip and let me know if you get a success message with the registry patch (REGEDIT4).

    Let me know how things are running now?

    abri
     
  7. fmbp3

    fmbp3 Private E-2

    Everything is still running the same. I tried emptying both of those folders, but some files wouldn't let me. I would get a message: "Can't delete (file name) It is being used by another person or program." The dates on these files are not today. These are the filenames in Windows Temp: bca4e2da.$$$, fa56d7ec.$$$, and Perflib_Perfdata_a44.dat. The files in Local Settings Temp are: Acr799B.tmp, Acr7997.tmp, and WCESLog.log. I did get a success message for the registry patch. The log is attached like you asked. Thanks again.
     

    Attached Files:

  8. abri

    abri MajorGeek

    Hi fmbp3,

    I missed two entries. Let's remove them first and then I will work on getting rid of the temp files that don't want to be deleted. To begin with, please do the following:

    Copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the File Type is set to "all files". Once you have saved it, look for it on your desktop and when you find it, double-click it and allow it to merge with the registry.
    Let me know if you get a success message with the registry patch (REGEDIT4).

    abri
     
  9. fmbp3

    fmbp3 Private E-2

    I did it and I got a success message for the patch.
     
  10. abri

    abri MajorGeek

    Hi fmbp3,

    Next we're going to try getting rid of the temp files that don't want to be deleted. Please do the following:

    1) Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (Note: if using Vista, don't double click, use right click and select Run As Administrator). Select "Do a system scan only". In the box that opens, find the following entries and put a checkmark next to them (if you need some of them to be in the trusted zone, leave them). After check-marking them, close all your open browser windows and click on FIX:

    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) =

    Does the following belong to a program you've been using for awhile? If not, please fix it as well.

    O16 - DPF: {CD9A128C-E43E-A5C9-B435-B31729B34C66} - http://fye.musicnet.com/download/PerformerSetup-sa.exe

    After you click fix, just close hijackthis.



    2) Next I would like to have you use ComboFix to remove some files.



    • Make sure that combofix.exe (cf.exe) that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
    • If it is not on your Desktop, the below will not work.
    • Open Notepad and copy/paste the text in the below code box into it (make sure you scroll all the way down in the code box to get all lines selected ):



    Code:
    KILLALL::
    
    DRIVER::
    bca4e2da
    a56d7ec
    Acr7997
    Acr799B
    
    FILE::
    C:\WINDOWS\Temp\bca4e2da.$$$
    C:\WINDOWS\Temp\a56d7ec.$$$
    C:\WINDOWS\Temp\Perflib_Perfdata_a44.dat
    C:\Documents and Settings\Karen\Local Settings\temp\Acr7997.tmp
    C:\Documents and Settings\Karen\Local Settings\temp\Acr799B.tmp
    C:\Documents and Settings\Karen\Local Settings\temp\EPSLog.txt
    C:\Documents and Settings\Karen\Local Settings\temp\WCESLog.log
    
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe (cf.exe)
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below



    Note: Do not mouseclick combofix's window while it is running. That may cause it to stall.


    3) Now run CCleaner at the default setting with the Windows tab as the top one.


    4) After you've rebooted, if you are still having the same problems, I would like to look at some alternate scans. You mentioned that Internet Explorer shuts down, so this will exclude the scans which require Internet Explorer. I would like for you to try two different scans: the trial version of Counterspy and the rootkit scan GMER. The links for these can be found on the page Alternate Scans. If you run these two scans, please add these logs to your next post along with the MGlogs.zip and the Combofix log.

    Let me know how things are running now?

    abri
     
  11. fmbp3

    fmbp3 Private E-2

    Hi abri,
    I followed your instructions again. I also ran GMER and Counterspy because things still aren't right. IE doesn't seem to want to close all the time anymore, but I still get those odd security confirmation pages. Counterspy found a few things and I cleaned them all. I'm attaching all my logs. Once again I thank you for your help and patience. I'm about ready to torch this computer and start from scratch.

    It wouldn't let me attach MGlogs.zip. It said I already posted that. I didn't want to mess it up, so I just left it off. If there is some trick to it, please let me know. Should I just rename it, then attach it?
     

    Attached Files:

  12. abri

    abri MajorGeek

    Hi fmbp3,

    I don't have the best news for you. I'm very sorry. :cry

    Your GMER scan shows that you have a rootkit infection in the Master Boot Record. This would explain why all our steps are not getting the malware out of your computer. If you were using your computer for gaming and homework, I would suggest an attempt to do a repair of the MBR, but because you are working with online accounts, I strongly advise you to reformat all your drives, repartition them and reinstall the operating system. I will give you some links to look at about this infection, but here is a quote from the Symantec site:
    I don't know what the name is of the rootkit your computer has, but here are a few things to read about this type of rootkit in general:

    http://www.sophos.com/security/blog/2008/01/987.html
    http://www2.gmer.net/mbr/
    https://forums.symantec.com/syment/board/print?board.id=malicious_code&message.id=190&format=one

    Below is the Microsoft website which tells you how you can repair the MBR, but again, I don't recommend this in your case, because the repair is not likely to get rid of the problem altogether. In addition to reformatting, repartitioning and reinstalling, I also recommend you talk to both your bank and eBay and ask them how you should proceed with your accounts.

    http://support.microsoft.com/kb/307654

    I am very sorry to have to tell you this. :(

    Please let me know how this turns out. If you need help with reformatting, I would like to ask you to start a thread in the Software Forum, as you will have more people who can help you there. You can place a reference to this thread for their information.

    Thanks.
    abri
     
    Last edited: Jun 9, 2008
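    The finding abri relies on above is that the Master Boot Record no longer matches what it should be: an MBR bootkit replaces the 440 bytes of boot code at the start of sector 0 while leaving the partition table and the 0x55AA signature intact, so the disk still boots and looks normal to the operating system. The following Python is an added example, not a tool used in the thread and not GMER's code, showing the integrity check behind that kind of finding: it parses a 512-byte MBR, hashes only the boot-code region, and compares it with a baseline recorded when the machine was known clean. The sector and the "tampered" variant are constructed in the code; on a real system the input would be the first 512 bytes of the physical disk, read with administrator rights.

```python
"""Parse an MBR sector and check its boot code against a clean baseline.

Added example for this thread (not from the posters or from GMER). The 512-byte
sectors below are constructed in code so the script runs offline.
"""
import hashlib
import struct
from dataclasses import dataclass
from typing import Dict, List

SECTOR_SIZE = 512
BOOT_CODE_LEN = 440        # bytes 0..439: executable boot code
DISK_SIG_OFFSET = 440      # 4-byte disk signature, then 2 reserved bytes
PART_TABLE_OFFSET = 446    # four 16-byte partition entries
BOOT_SIG_OFFSET = 510      # 0x55 0xAA
# status, CHS start, type, CHS end, LBA start, sector count (little-endian)
PART_ENTRY = struct.Struct("<B3sB3sII")

@dataclass
class Partition:
    index: int
    bootable: bool
    type_id: int
    lba_start: int
    sector_count: int

def parse_partitions(mbr: bytes) -> List[Partition]:
    """Return the non-empty entries of the MBR partition table."""
    parts = []
    for i in range(4):
        off = PART_TABLE_OFFSET + i * PART_ENTRY.size
        status, _chs_s, ptype, _chs_e, lba, count = PART_ENTRY.unpack_from(mbr, off)
        if ptype == 0:             # type 0 means the slot is unused
            continue
        parts.append(Partition(i, status == 0x80, ptype, lba, count))
    return parts

def boot_code_digest(mbr: bytes) -> str:
    """SHA-256 of the boot-code region only.

    The partition table and disk signature change legitimately when volumes are
    created or resized, so the baseline covers just the bytes a bootkit has to
    overwrite to run before the operating system loads."""
    return hashlib.sha256(mbr[:BOOT_CODE_LEN]).hexdigest()

def check_mbr(mbr: bytes, baseline_digest: str) -> Dict:
    """Structural checks plus comparison of the boot code with the baseline."""
    if len(mbr) != SECTOR_SIZE:
        raise ValueError("expected exactly one 512-byte sector")
    findings = []
    signature_ok = mbr[BOOT_SIG_OFFSET:BOOT_SIG_OFFSET + 2] == b"\x55\xAA"
    if not signature_ok:
        findings.append("boot signature 0x55AA missing")
    digest = boot_code_digest(mbr)
    matches = digest == baseline_digest
    if not matches:
        findings.append("boot code differs from the recorded clean baseline")
    parts = parse_partitions(mbr)
    if sum(p.bootable for p in parts) > 1:
        findings.append("more than one partition is flagged active")
    return {"signature_ok": signature_ok, "boot_code_sha256": digest,
            "boot_code_matches_baseline": matches, "partitions": parts,
            "findings": findings}

def build_clean_mbr() -> bytes:
    """Constructed sample sector standing in for a known-good MBR."""
    sector = bytearray(SECTOR_SIZE)
    sector[0:4] = b"\x33\xC0\x8E\xD0"                     # placeholder boot-code bytes
    sector[DISK_SIG_OFFSET:DISK_SIG_OFFSET + 4] = b"\x12\x34\x56\x78"
    PART_ENTRY.pack_into(sector, PART_TABLE_OFFSET,
                         0x80, b"\x01\x01\x00", 0x07, b"\xFE\xFF\xFF", 63, 1_000_000)
    PART_ENTRY.pack_into(sector, PART_TABLE_OFFSET + PART_ENTRY.size,
                         0x00, b"\xFE\xFF\xFF", 0x0C, b"\xFE\xFF\xFF", 1_000_063, 500_000)
    sector[BOOT_SIG_OFFSET:] = b"\x55\xAA"
    return bytes(sector)

def tamper_boot_code(mbr: bytes) -> bytes:
    """Constructed 'modified' sector: partition table and signature untouched,
    only the code region changed, which is the pattern an MBR rootkit leaves."""
    sector = bytearray(mbr)
    sector[0:4] = b"\xEA\x00\x7C\x00"
    return bytes(sector)

if __name__ == "__main__":
    clean = build_clean_mbr()
    baseline = boot_code_digest(clean)      # recorded while the machine was known clean
    for label, sector in (("clean", clean), ("tampered", tamper_boot_code(clean))):
        result = check_mbr(sector, baseline)
        print(f"{label}: partitions={len(result['partitions'])} "
              f"findings={result['findings'] or 'none'}")
```

    On a Windows machine the sector would come from `open(r"\\.\PhysicalDrive0", "rb").read(512)` run as administrator. The caveat that matters for this thread: a rootkit that is already running can hook the disk stack and hand back the original sector to anything reading through the operating system, so a clean result from a live system is not proof. That is why GMER reads below the filter drivers, and why, once the MBR is confirmed modified, abri's advice is to rebuild rather than to trust any in-place repair.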
