Google Redirect/TR Sasfis 2.7 Trojan

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by mpizzo10, Jun 5, 2011.

  1. mpizzo10

    mpizzo10 Private E-2

    About a week and a half ago, my PC had shut down on its own. When I went to boot the machine, it would not allow me to access any of the choices for Windows. That may be a bit vague: I was automatically taken to the screen where it allows you to choose between the safe modes and starting Windows normally. No matter which option I picked, the PC would reboot and take me to the same screen. Eventually, I would turn the PC on, and nothing would appear on the screen.

    Not positive what the cause was, I took a can of compressed air to the inside of my tower to rid some dust. Nothing changed. After eventually getting the machine to boot into Windows (nothing special, but wound up waiting a few days due to a busy schedule), I ran a virus scan. Anti-Vir found several detections, mostly the same trojan called Sasfis 2.7. I also noticed in the task manager that svchost.exe was hogging resources, and when it continued after the AntiVir scan, I decided to come follow the malware removal steps.

    SAS was not able to update, but I ran a scan anyway. I was receiving some sort of error message in regards to updates, and I apologize for not writing down what it said.

    MBAM ran without any hitches.

    ComboFix: this is where some more issues started popping up. I turned off my firewall and disabled and closed AntiVir. However, when I went to run ComboFix, it said Antivir was still open. Abnormal part was that it had listed AntiVir to be open dozens of times. I do not mean that it prompted me dozens of times, I am saying in one prompt it had Antivir listed dozens of times. I may have made a mistake in doing so, but I continued with it anyway.

    Please note: throughout these scans and procedures, Antivir would pick up on viruses quite a bit. In regards to ComboFix, it picked up something after CF rebooted the machine. Antivir was not running in the pre-boot phase of CF, although CF begs to differ.

    Root Repeal: No good. After downloading Root Repeal and attempting to extract it, some more issues started occurring which hadn't been happening before. I was getting some kind of "Microsoft C++..." error for each program I tried to open and I wasn't able to open any programs. I was finally able to get Root Repeal to open (after some reboots and attempts in safe mode), but I did not scan because, when I went to go to the drive selection, nothing would appear.

    One other note: I have two hard drives on my machine. The master drive is my C:. The slave drive, D:, has not been present in "My Computer" throughout this process.

    Some other possible relevant information:
    -When I just opened SAS to obtain the log, Anvir Task Manager asked for permission to allow ctfmon.exe to start. I have not chosen anything.

    -Noticed some folders in C: I haven't seen before: "found.001", "found.000", and "cmdcons". The last one is a hidden folder, but I would have noticed it before because I have had hidden folders visible for quite some time prior to this.

    -Not sure of the repercussions, but I have been terminating the svchost.exe process whenever it reaches 50% of the cpu. It was really bogging down the scans.

    Thank you for your time.
     


  2. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Still need the log from running C:\MGTools --- C:\MGLogs.zip.
     
  3. mpizzo10

    mpizzo10 Private E-2

    Here ya go. Thank you for your time.
     


  4. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    * Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
    If it is not on your Desktop, the below will not work.
    * Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    * If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
    * Open Notepad and copy/paste the text in the below code box into it (make sure you scroll all the way down in the code box to get all lines selected ):
    Code:
    KILLALL::
    
    File::
    C:\Documents and Settings\Administrator\03dlr.exe     
    C:\Documents and Settings\Administrator\03se1.exe    
    C:\Documents and Settings\Administrator\0461a.exe    
    C:\Documents and Settings\Administrator\046s3.exe    
    C:\Documents and Settings\Administrator\04e14.exe    
    C:\Documents and Settings\Administrator\0l20y.exe     
    C:\Documents and Settings\Administrator\0lfm2.exe    
    C:\Documents and Settings\Administrator\0lr04.exe     
    C:\Documents and Settings\Administrator\0lr0l.exe     
    C:\Documents and Settings\Administrator\0lr0y.exe     
    C:\Documents and Settings\Administrator\0lrg4.exe     
    C:\Documents and Settings\Administrator\0lrgy.exe     
    C:\Documents and Settings\Administrator\0y61a.exe    
    C:\Documents and Settings\Administrator\0ye14.exe    
    C:\Documents and Settings\Administrator\0ye1a.exe    
    C:\Documents and Settings\Administrator\0yeg0.exe    
    C:\Documents and Settings\Administrator\0yeg4.exe    
    C:\Documents and Settings\Administrator\0yegy.exe    
    C:\Documents and Settings\Administrator\0yesa.exe     
    C:\Documents and Settings\Administrator\0yfm3.exe   
    C:\Documents and Settings\Administrator\0yr14.exe    
    C:\Documents and Settings\Administrator\0yrg4.exe    
    C:\Documents and Settings\Administrator\0yrga.exe     
    C:\Documents and Settings\Administrator\0yrgy.exe    
    C:\Documents and Settings\Administrator\0yrm3.exe   
    C:\Documents and Settings\Administrator\13dl2.exe
    C:\Documents and Settings\Administrator\13dm3.exe   
    C:\Documents and Settings\Administrator\13fm2.exe   
    C:\Documents and Settings\Administrator\14614.exe    
    C:\Documents and Settings\Administrator\1461a.exe    
    C:\Documents and Settings\Administrator\146e1.exe    
    C:\Documents and Settings\Administrator\146m3.exe   
    C:\Documents and Settings\Administrator\146s3.exe    
    C:\Documents and Settings\Administrator\146sa.exe    
    C:\Documents and Settings\Administrator\14eg4.exe    
    C:\Documents and Settings\Administrator\14fm2.exe   
    C:\Documents and Settings\Administrator\14fm3.exe   
    C:\Documents and Settings\Administrator\14fs3.exe     
    C:\Documents and Settings\Administrator\14ye1.exe    
    C:\Documents and Settings\Administrator\1a46s.exe    
    C:\Documents and Settings\Administrator\1a61a.exe    
    C:\Documents and Settings\Administrator\1a6e1.exe    
    C:\Documents and Settings\Administrator\1a6lr.exe     
    C:\Documents and Settings\Administrator\1a6m2.exe   
    C:\Documents and Settings\Administrator\1a6s3.exe    
    C:\Documents and Settings\Administrator\1a6sa.exe     
    C:\Documents and Settings\Administrator\1afm2.exe    
    C:\Documents and Settings\Administrator\1afm3.exe    
    C:\Documents and Settings\Administrator\1afs1.exe     
    C:\Documents and Settings\Administrator\1afs2.exe     
    C:\Documents and Settings\Administrator\1afs3.exe     
    C:\Documents and Settings\Administrator\1afsa.exe     
    C:\Documents and Settings\Administrator\1g461.exe    
    C:\Documents and Settings\Administrator\204e1.exe    
    C:\Documents and Settings\Administrator\20dlr.exe     
    C:\Documents and Settings\Administrator\20l20.exe     
    C:\Documents and Settings\Administrator\20l2d.exe     
    C:\Documents and Settings\Administrator\20l2g.exe     
    C:\Documents and Settings\Administrator\20leg.exe     
    C:\Documents and Settings\Administrator\20lr0.exe     
    C:\Documents and Settings\Administrator\20lr1.exe     
    C:\Documents and Settings\Administrator\20lrg.exe     
    C:\Documents and Settings\Administrator\20ye1.exe    
    C:\Documents and Settings\Administrator\20yeg.exe    
    C:\Documents and Settings\Administrator\20yrg.exe    
    C:\Documents and Settings\Administrator\214e1.exe    
    C:\Documents and Settings\Administrator\21afm.exe    
    C:\Documents and Settings\Administrator\2dl20.exe     
    C:\Documents and Settings\Administrator\2dl2d.exe     
    C:\Documents and Settings\Administrator\2dl2g.exe     
    C:\Documents and Settings\Administrator\2dle1.exe     
    C:\Documents and Settings\Administrator\2dlr0.exe     
    C:\Documents and Settings\Administrator\2dlrg.exe     
    C:\Documents and Settings\Administrator\2dm2g.exe   
    C:\Documents and Settings\Administrator\2dm3d.exe   
    C:\Documents and Settings\Administrator\2dyeg.exe    
    C:\Documents and Settings\Administrator\2g461.exe    
    C:\Documents and Settings\Administrator\2g4e1.exe    
    C:\Documents and Settings\Administrator\2gyeg.exe    
    C:\Documents and Settings\Administrator\2s31a.exe    
    C:\Documents and Settings\Administrator\30lrg.exe     
    C:\Documents and Settings\Administrator\30ye1.exe    
    C:\Documents and Settings\Administrator\31afs.exe     
    C:\Documents and Settings\Administrator\3dl20.exe     
    C:\Documents and Settings\Administrator\3dl2g.exe     
    C:\Documents and Settings\Administrator\3dleg.exe     
    C:\Documents and Settings\Administrator\3dlr0.exe     
    C:\Documents and Settings\Administrator\3dlrg.exe     
    C:\Documents and Settings\Administrator\3dm20.exe   
    C:\Documents and Settings\Administrator\3dm2d.exe   
    C:\Documents and Settings\Administrator\3dmr0.exe   
    C:\Documents and Settings\Administrator\3dms3.exe   
    C:\Documents and Settings\Administrator\3fl20.exe     
    C:\Documents and Settings\Administrator\3flrg.exe     
    C:\Documents and Settings\Administrator\3fm20.exe   
    C:\Documents and Settings\Administrator\3fm2d.exe   
    C:\Documents and Settings\Administrator\3fm3d.exe   
    C:\Documents and Settings\Administrator\3fm3f.exe    
    C:\Documents and Settings\Administrator\3fs30.exe     
    C:\Documents and Settings\Administrator\46146.exe    
    C:\Documents and Settings\Administrator\461a6.exe    
    C:\Documents and Settings\Administrator\461af.exe     
    C:\Documents and Settings\Administrator\461g4.exe    
    C:\Documents and Settings\Administrator\46le1.exe     
    C:\Documents and Settings\Administrator\46s20.exe    
    C:\Documents and Settings\Administrator\46s3d.exe    
    C:\Documents and Settings\Administrator\46s3f.exe     
    C:\Documents and Settings\Administrator\46sa4.exe    
    C:\Documents and Settings\Administrator\46sa6.exe    
    C:\Documents and Settings\Administrator\46sad.exe    
    C:\Documents and Settings\Administrator\46saf.exe     
    C:\Documents and Settings\Administrator\46ydl.exe     
    C:\Documents and Settings\Administrator\4dlrg.exe     
    C:\Documents and Settings\Administrator\4dye1.exe    
    C:\Documents and Settings\Administrator\4e146.exe    
    C:\Documents and Settings\Administrator\4e1a6.exe    
    C:\Documents and Settings\Administrator\4e1af.exe     
    C:\Documents and Settings\Administrator\4egye.exe    
    C:\Documents and Settings\Administrator\4es3f.exe     
    C:\Documents and Settings\Administrator\4fs3d.exe     
    C:\Documents and Settings\Administrator\61a61.exe    
    C:\Documents and Settings\Administrator\61afm.exe    
    C:\Documents and Settings\Administrator\61afs.exe     
    C:\Documents and Settings\Administrator\61ag4.exe    
    C:\Documents and Settings\Administrator\61asr.exe     
    C:\Documents and Settings\Administrator\6e1af.exe     
    C:\Documents and Settings\Administrator\6m20l.exe    
    C:\Documents and Settings\Administrator\6m20y.exe   
    C:\Documents and Settings\Administrator\6m2dl.exe    
    C:\Documents and Settings\Administrator\6m2g4.exe   
    C:\Documents and Settings\Administrator\6m3dl.exe    
    C:\Documents and Settings\Administrator\6s3dl.exe     
    C:\Documents and Settings\Administrator\6s3dm.exe   
    C:\Documents and Settings\Administrator\6s3fm.exe    
    C:\Documents and Settings\Administrator\6s3fy.exe     
    C:\Documents and Settings\Administrator\6sa0l.exe     
    C:\Documents and Settings\Administrator\6sa0y.exe    
    C:\Documents and Settings\Administrator\6sa61.exe    
    C:\Documents and Settings\Administrator\6sa6s.exe     
    C:\Documents and Settings\Administrator\6sadl.exe     
    C:\Documents and Settings\Administrator\6sadm.exe   
    C:\Documents and Settings\Administrator\6safl.exe     
    C:\Documents and Settings\Administrator\6safm.exe    
    C:\Documents and Settings\Administrator\6safs.exe     
    C:\Documents and Settings\Administrator\6ye1a.exe    
    C:\Documents and Settings\Administrator\a461a.exe    
    C:\Documents and Settings\Administrator\a46s3.exe    
    C:\Documents and Settings\Administrator\a61af.exe     
    C:\Documents and Settings\Administrator\a6s3d.exe    
    C:\Documents and Settings\Administrator\a6s3f.exe     
    C:\Documents and Settings\Administrator\a6sad.exe     
    C:\Documents and Settings\Administrator\a6saf.exe     
    C:\Documents and Settings\Administrator\adl20.exe     
    C:\Documents and Settings\Administrator\adlr0.exe     
    C:\Documents and Settings\Administrator\adm20.exe   
    C:\Documents and Settings\Administrator\adms3.exe   
    C:\Documents and Settings\Administrator\af6s3.exe     
    C:\Documents and Settings\Administrator\afl20.exe     
    C:\Documents and Settings\Administrator\afm20.exe    
    C:\Documents and Settings\Administrator\afm2d.exe    
    C:\Documents and Settings\Administrator\afm2g.exe    
    C:\Documents and Settings\Administrator\afm3d.exe    
    C:\Documents and Settings\Administrator\afm3f.exe    
    C:\Documents and Settings\Administrator\afs1a.exe     
    C:\Documents and Settings\Administrator\afs2d.exe     
    C:\Documents and Settings\Administrator\afs3d.exe     
    C:\Documents and Settings\Administrator\afs3f.exe     
    C:\Documents and Settings\Administrator\afsa6.exe    
    C:\Documents and Settings\Administrator\afsaf.exe     
    C:\Documents and Settings\Administrator\dl204.exe
    C:\Documents and Settings\Administrator\dl20l.exe     
    C:\Documents and Settings\Administrator\dl20y.exe     
    C:\Documents and Settings\Administrator\dl21a.exe     
    C:\Documents and Settings\Administrator\dl23d.exe     
    C:\Documents and Settings\Administrator\dl2dl.exe     
    C:\Documents and Settings\Administrator\dl2g4.exe     
    C:\Documents and Settings\Administrator\dlr04.exe     
    C:\Documents and Settings\Administrator\dlr0l.exe     
    C:\Documents and Settings\Administrator\dlr0y.exe     
    C:\Documents and Settings\Administrator\dlr1a.exe     
    C:\Documents and Settings\Administrator\dlrg4.exe     
    C:\Documents and Settings\Administrator\dlrga.exe     
    C:\Documents and Settings\Administrator\dlrgy.exe     
    C:\Documents and Settings\Administrator\dlrm2.exe    
    C:\Documents and Settings\Administrator\dm204.exe   
    C:\Documents and Settings\Administrator\dm20l.exe    
    C:\Documents and Settings\Administrator\dm20y.exe   
    C:\Documents and Settings\Administrator\dm21a.exe   
    C:\Documents and Settings\Administrator\dm2dl.exe    
    C:\Documents and Settings\Administrator\dm2dm.exe  
    C:\Documents and Settings\Administrator\dm2g4.exe   
    C:\Documents and Settings\Administrator\dm3dl.exe    
    C:\Documents and Settings\Administrator\dm3fm.exe  
    C:\Documents and Settings\Administrator\dm6ye.exe   
    C:\Documents and Settings\Administrator\dmr0l.exe    
    C:\Documents and Settings\Administrator\dmr0y.exe   
    C:\Documents and Settings\Administrator\dmrg4.exe   
    C:\Documents and Settings\Administrator\dye1a.exe    
    C:\Documents and Settings\Administrator\dyrg4.exe    
    C:\Documents and Settings\Administrator\dyrgy.exe    
    C:\Documents and Settings\Administrator\e1461.exe    
    C:\Documents and Settings\Administrator\e146s.exe    
    C:\Documents and Settings\Administrator\e14e1.exe    
    C:\Documents and Settings\Administrator\e14eg.exe    
    C:\Documents and Settings\Administrator\e14fm.exe    
    C:\Documents and Settings\Administrator\e14fs.exe     
    C:\Documents and Settings\Administrator\e14ye.exe    
    C:\Documents and Settings\Administrator\e1a04.exe    
    C:\Documents and Settings\Administrator\e1a6s.exe     
    C:\Documents and Settings\Administrator\e1afl.exe     
    C:\Documents and Settings\Administrator\e1afm.exe    
    C:\Documents and Settings\Administrator\e1afs.exe     
    C:\Documents and Settings\Administrator\eg413.exe    
    C:\Documents and Settings\Administrator\eg461.exe    
    C:\Documents and Settings\Administrator\eg46s.exe    
    C:\Documents and Settings\Administrator\eg4e1.exe    
    C:\Documents and Settings\Administrator\eg4fs.exe     
    C:\Documents and Settings\Administrator\ega6s.exe     
    C:\Documents and Settings\Administrator\egy6s.exe    
    C:\Documents and Settings\Administrator\egye1.exe    
    C:\Documents and Settings\Administrator\erg46.exe
    C:\Documents and Settings\Administrator\es3dm.exe   
    C:\Documents and Settings\Administrator\esafm.exe    
    C:\Documents and Settings\Administrator\esr0y.exe     
    C:\Documents and Settings\Administrator\f4e1a.exe     
    C:\Documents and Settings\Administrator\fl20l.exe     
    C:\Documents and Settings\Administrator\fle14.exe     
    C:\Documents and Settings\Administrator\fm204.exe   
    C:\Documents and Settings\Administrator\fm20l.exe    
    C:\Documents and Settings\Administrator\fm20y.exe   
    C:\Documents and Settings\Administrator\fm2dl.exe    
    C:\Documents and Settings\Administrator\fm2g4.exe   
    C:\Documents and Settings\Administrator\fm2gy.exe   
    C:\Documents and Settings\Administrator\fm3af.exe    
    C:\Documents and Settings\Administrator\fm3dl.exe    
    C:\Documents and Settings\Administrator\fm3dm.exe  
    C:\Documents and Settings\Administrator\fm3fm.exe   
    C:\Documents and Settings\Administrator\fm3fs.exe    
    C:\Documents and Settings\Administrator\fm6m2.exe  
    C:\Documents and Settings\Administrator\fmr0y.exe    
    C:\Documents and Settings\Administrator\fmrg4.exe    
    C:\Documents and Settings\Administrator\fs3af.exe     
    C:\Documents and Settings\Administrator\fs3dl.exe     
    C:\Documents and Settings\Administrator\fs3dm.exe    
    C:\Documents and Settings\Administrator\fs3fl.exe     
    C:\Documents and Settings\Administrator\fs3fm.exe    
    C:\Documents and Settings\Administrator\fs3fs.exe     
    C:\Documents and Settings\Administrator\fsafs.exe     
    C:\Documents and Settings\Administrator\g0ye1.exe    
    C:\Documents and Settings\Administrator\g40ye.exe    
    C:\Documents and Settings\Administrator\g4613.exe    
    C:\Documents and Settings\Administrator\g461a.exe    
    C:\Documents and Settings\Administrator\g461g.exe    
    C:\Documents and Settings\Administrator\g46m2.exe   
    C:\Documents and Settings\Administrator\g46s3.exe    
    C:\Documents and Settings\Administrator\g46sa.exe    
    C:\Documents and Settings\Administrator\g4dlr.exe     
    C:\Documents and Settings\Administrator\g4e1a.exe    
    C:\Documents and Settings\Administrator\g4e1g.exe    
    C:\Documents and Settings\Administrator\g4eg4.exe    
    C:\Documents and Settings\Administrator\g4erg.exe     
    C:\Documents and Settings\Administrator\g4es3.exe    
    C:\Documents and Settings\Administrator\g4fm2.exe   
    C:\Documents and Settings\Administrator\g4fs3.exe     
    C:\Documents and Settings\Administrator\g4ye1.exe    
    C:\Documents and Settings\Administrator\gafm3.exe    
    C:\Documents and Settings\Administrator\gafs3.exe     
    C:\Documents and Settings\Administrator\gYe14.exe
    C:\Documents and Settings\Administrator\gye1a.exe    
    C:\Documents and Settings\Administrator\gyeg4.exe    
    C:\Documents and Settings\Administrator\gyfm3.exe   
    C:\Documents and Settings\Administrator\gyrg4.exe    
    C:\Documents and Settings\Administrator\l2046.exe
    C:\Documents and Settings\Administrator\l20lr.exe     
    C:\Documents and Settings\Administrator\l20rs.exe     
    C:\Documents and Settings\Administrator\l20y6.exe     
    C:\Documents and Settings\Administrator\l20ye.exe     
    C:\Documents and Settings\Administrator\l20yr.exe     
    C:\Documents and Settings\Administrator\l2dfm.exe    
    C:\Documents and Settings\Administrator\l2dle.exe     
    C:\Documents and Settings\Administrator\l2dlr.exe     
    C:\Documents and Settings\Administrator\le1a6.exe
    C:\Documents and Settings\Administrator\le1af.exe     
    C:\Documents and Settings\Administrator\leg4e.exe     
    C:\Documents and Settings\Administrator\lfs3d.exe     
    C:\Documents and Settings\Administrator\lm20y.exe    
    C:\Documents and Settings\Administrator\lr0dl.exe
    C:\Documents and Settings\Administrator\lr0lr.exe     
    C:\Documents and Settings\Administrator\lr0y6.exe     
    C:\Documents and Settings\Administrator\lr0ye.exe     
    C:\Documents and Settings\Administrator\lr0yr.exe     
    C:\Documents and Settings\Administrator\lr1a6.exe     
    C:\Documents and Settings\Administrator\lrg46.exe     
    C:\Documents and Settings\Administrator\lrg4e.exe     
    C:\Documents and Settings\Administrator\lrgye.exe     
    C:\Documents and Settings\Administrator\lrgyl.exe     
    C:\Documents and Settings\Administrator\lrgyr.exe     
    C:\Documents and Settings\Administrator\m2046.exe
    C:\Documents and Settings\Administrator\m204e.exe   
    C:\Documents and Settings\Administrator\m20le.exe    
    C:\Documents and Settings\Administrator\m20lr.exe    
    C:\Documents and Settings\Administrator\m20ye.exe   
    C:\Documents and Settings\Administrator\m20yr.exe   
    C:\Documents and Settings\Administrator\m23dl.exe    
    C:\Documents and Settings\Administrator\m2d46.exe   
    C:\Documents and Settings\Administrator\m2dl2.exe    
    C:\Documents and Settings\Administrator\m2dle.exe    
    C:\Documents and Settings\Administrator\m2dlr.exe    
    C:\Documents and Settings\Administrator\m2dm2.exe  
    C:\Documents and Settings\Administrator\m2dm3.exe  
    C:\Documents and Settings\Administrator\m2dyr.exe   
    C:\Documents and Settings\Administrator\m2gye.exe   
    C:\Documents and Settings\Administrator\m30lr.exe    
    C:\Documents and Settings\Administrator\m316s.exe   
    C:\Documents and Settings\Administrator\m3dl2.exe    
    C:\Documents and Settings\Administrator\m3dlr.exe    
    C:\Documents and Settings\Administrator\m3dm2.exe  
    C:\Documents and Settings\Administrator\m3dms.exe  
    C:\Documents and Settings\Administrator\m3g4e.exe   
    C:\Documents and Settings\Administrator\mr04e.exe
    C:\Documents and Settings\Administrator\mr1af.exe    
    C:\Documents and Settings\Administrator\mrgye.exe    
    C:\Documents and Settings\Administrator\r03dm.exe
    C:\Documents and Settings\Administrator\r046s.exe     
    C:\Documents and Settings\Administrator\r04e1.exe     
    C:\Documents and Settings\Administrator\r0y1a.exe     
    C:\Documents and Settings\Administrator\r0ye1.exe     
    C:\Documents and Settings\Administrator\r0yeg.exe     
    C:\Documents and Settings\Administrator\r0yrg.exe     
    C:\Documents and Settings\Administrator\r1461.exe    
    C:\Documents and Settings\Administrator\rg461.exe
    C:\Documents and Settings\Administrator\rg46s.exe     
    C:\Documents and Settings\Administrator\rg4e1.exe     
    C:\Documents and Settings\Administrator\rg4e6.exe     
    C:\Documents and Settings\Administrator\rg4es.exe     
    C:\Documents and Settings\Administrator\rg4ye.exe     
    C:\Documents and Settings\Administrator\rgy6s.exe     
    C:\Documents and Settings\Administrator\rgye1.exe     
    C:\Documents and Settings\Administrator\rgyeg.exe     
    C:\Documents and Settings\Administrator\rgyer.exe     
    C:\Documents and Settings\Administrator\rgyr0.exe     
    C:\Documents and Settings\Administrator\rle1a.exe     
    C:\Documents and Settings\Administrator\rs3dl.exe     
    C:\Documents and Settings\Administrator\rs3dy.exe     
    C:\Documents and Settings\Administrator\rsd46.exe     
    C:\Documents and Settings\Administrator\s1afm.exe    
    C:\Documents and Settings\Administrator\s20ye.exe    
    C:\Documents and Settings\Administrator\s2dl2.exe     
    C:\Documents and Settings\Administrator\s30yr.exe     
    C:\Documents and Settings\Administrator\s3dl2.exe     
    C:\Documents and Settings\Administrator\s3dlr.exe     
    C:\Documents and Settings\Administrator\s3dm2.exe   
    C:\Documents and Settings\Administrator\s3dmr.exe    
    C:\Documents and Settings\Administrator\s3dms.exe    
    C:\Documents and Settings\Administrator\s3f6s.exe     
    C:\Documents and Settings\Administrator\s3fm2.exe    
    C:\Documents and Settings\Administrator\s3fm3.exe    
    C:\Documents and Settings\Administrator\s3fsa.exe     
    C:\Documents and Settings\Administrator\sa6sa.exe     
    C:\Documents and Settings\Administrator\sadlr.exe     
    C:\Documents and Settings\Administrator\safm2.exe    
    C:\Documents and Settings\Administrator\safm3.exe    
    C:\Documents and Settings\Administrator\safs3.exe     
    C:\Documents and Settings\Administrator\Y0Ye1.exe
    C:\Documents and Settings\Administrator\y61af.exe     
    C:\Documents and Settings\Administrator\y6s3d.exe    
    C:\Documents and Settings\Administrator\y6saf.exe     
    C:\Documents and Settings\Administrator\ye13d.exe    
    C:\Documents and Settings\Administrator\ye13f.exe     
    C:\Documents and Settings\Administrator\ye146.exe    
    C:\Documents and Settings\Administrator\ye14e.exe    
    C:\Documents and Settings\Administrator\ye1a6.exe    
    C:\Documents and Settings\Administrator\ye1af.exe     
    C:\Documents and Settings\Administrator\yeg0y.exe    
    C:\Documents and Settings\Administrator\yeg46.exe    
    C:\Documents and Settings\Administrator\yeg4e.exe    
    C:\Documents and Settings\Administrator\yeg4f.exe     
    C:\Documents and Settings\Administrator\yega6.exe    
    C:\Documents and Settings\Administrator\yegaf.exe     
    C:\Documents and Settings\Administrator\yegye.exe    
    C:\Documents and Settings\Administrator\yes3d.exe    
    C:\Documents and Settings\Administrator\yflrg.exe     
    C:\Documents and Settings\Administrator\yr0y6.exe    
    C:\Documents and Settings\Administrator\yr1a6.exe     
    C:\Documents and Settings\Administrator\yr1af.exe     
    C:\Documents and Settings\Administrator\yr20y.exe    
    C:\Documents and Settings\Administrator\yrg46.exe    
    C:\Documents and Settings\Administrator\yrg4e.exe     
    C:\Documents and Settings\Administrator\yrg4f.exe     
    C:\Documents and Settings\Administrator\yrgye.exe     
    C:\Documents and Settings\Administrator\yrgyr.exe  
    C:\WINNT\Temp\1377453.cvr
    C:\WINNT\Temp\1377593.od
    C:\WINNT\Temp\1410734.cvr
    C:\WINNT\Temp\1410859.od
    C:\WINNT\Temp\3.tmp
    C:\WINNT\Temp\4.tmp
    C:\WINNT\Temp\5.tmp
    
    Folder::
    C:\WINNT\Temp\lgrb
    C:\Documents and Settings\Administrator\Local Settings\temp\Rar$EX00.000
    C:\Documents and Settings\Administrator\Local Settings\temp\Rar$EX00.687
    C:\Documents and Settings\Administrator\Local Settings\temp\Rar$EX00.734
    C:\Documents and Settings\Administrator\Local Settings\temp\Rar$EX01.453
    C:\Documents and Settings\Administrator\Local Settings\temp\Rar$EX01.828
    C:\Documents and Settings\Administrator\Local Settings\temp\Rar$EX02.000
    
    Registry::
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    "BitTorrent DNA"=-
    
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
    "6D747075767A7476"=-
    
    
    * Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    * At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    * You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    If it asks you to override the previous file with the same name, click YES.
    * Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
    * Follow the prompts.
    * When it finishes, a log will be produced named c:\combofix.txt
    * I will ask for this log below

    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    Now please run this:
    TDSSkiller - How to run

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:
    * TDSSKiller log
    * C:\ComboFix.txt
    * C:\MGlogs.zip

    Make sure you tell me how things are working now!
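    The CFScript above uses a small section-based layout (KILLALL::, File::, Folder::, Registry::). As an added example that is not part of this thread or of ComboFix itself, here is a Python reviewer that parses a script in that layout and summarises what it would remove, so a helper can sanity-check the script before it is dragged onto ComboFix.exe. The embedded sample is a constructed, shortened copy of the thread's script; the five-character .exe check is a heuristic written for this example, based on the file names listed above.

```python
"""Review a ComboFix CFScript before running it: parse its sections and
summarise the files, folders and registry values it would remove."""
import re
from collections import Counter

# Constructed sample in the same layout as the CFScript posted in the thread
# (a handful of the original entries, not the full list).
SAMPLE_CFSCRIPT = r"""KILLALL::

File::
C:\Documents and Settings\Administrator\03dlr.exe
C:\Documents and Settings\Administrator\0l20y.exe
C:\Documents and Settings\Administrator\gYe14.exe
C:\WINNT\Temp\1377453.cvr
C:\WINNT\Temp\3.tmp

Folder::
C:\WINNT\Temp\lgrb
C:\Documents and Settings\Administrator\Local Settings\temp\Rar$EX00.000

Registry::
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"BitTorrent DNA"=-

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"6D747075767A7476"=-
"""

SECTION_RE = re.compile(r"^([A-Za-z]+)::$")          # e.g. File:: or KILLALL::
REG_KEY_RE = re.compile(r"^\[(.+)\]$")               # [HKEY_...\Run]
REG_VALUE_RE = re.compile(r'^"([^"]*)"=(.*)$')       # "name"=value ; "=-" deletes
# Heuristic for this example: five alphanumeric characters plus .exe, the
# naming pattern of the files the thread's script removes from the profile root.
RANDOM_EXE_RE = re.compile(r"^[A-Za-z0-9]{5}\.exe$", re.IGNORECASE)


def parse_cfscript(text):
    """Return a dict with 'directives' (bare headers such as KILLALL), 'File',
    'Folder' (path lists) and 'Registry' ((key, value_name, action) tuples,
    where action is 'delete' for the "name"=- form and 'set' otherwise)."""
    parsed = {"directives": [], "File": [], "Folder": [], "Registry": []}
    section = None
    current_key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        header = SECTION_RE.match(line)
        if header:
            section = header.group(1)
            if section not in ("File", "Folder", "Registry"):
                parsed["directives"].append(section)   # KILLALL:: has no body
                section = None
            continue
        if section in ("File", "Folder"):
            parsed[section].append(line)
        elif section == "Registry":
            key = REG_KEY_RE.match(line)
            if key:
                current_key = key.group(1)
                continue
            value = REG_VALUE_RE.match(line)
            if value and current_key is not None:
                name, data = value.groups()
                parsed["Registry"].append(
                    (current_key, name, "delete" if data == "-" else "set"))
        # anything before the first section header is ignored
    return parsed


def split_path(path):
    """Split a Windows path into (directory, basename) independent of host OS."""
    directory, _, basename = path.rpartition("\\")
    return directory, basename


def summarize(parsed):
    """Group file deletions by directory, flag random-looking .exe names and
    list the registry values the script would delete."""
    per_dir = Counter(split_path(p)[0] for p in parsed["File"])
    random_exes = [p for p in parsed["File"]
                   if RANDOM_EXE_RE.match(split_path(p)[1])]
    reg_deletes = [(k, n) for k, n, a in parsed["Registry"] if a == "delete"]
    return {
        "files": len(parsed["File"]),
        "folders": len(parsed["Folder"]),
        "files_per_dir": dict(per_dir),
        "random_named_exes": random_exes,
        "registry_deletes": reg_deletes,
        "kills_processes": "KILLALL" in parsed["directives"],
    }


if __name__ == "__main__":
    report = summarize(parse_cfscript(SAMPLE_CFSCRIPT))
    for field, value in report.items():
        print(f"{field}: {value}")
```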
     
  5. mpizzo10

    mpizzo10 Private E-2

    I haven't noticed svchost acting up since running those procedures, although some Windows Defender process has been using 25-50% of the CPU. The process is called msmpeng.exe.

    I have tested out a few google searches, and it doesn't seem that redirection is still an issue.

    Some other notes:

    -When combofix was finishing and preparing its log, AntiVir found two detections of a trojan. I attached a photo of that description so you could see exactly what it told me. (I know all protection programs were supposed to be disabled, but upon its ComboFix's final reboot of my PC, my firewall and AntiVir were enabled. I chose not to touch anything while CF finished its log).

    -My D: is still not present under My Computer. Before I make you go crazy, when I got rid of the dust inside of my tower (when the PC was not booting), I checked some cables and the RAM, etc. I really don't recall messing with the hard drive cables, but I will wait for your advice before checking inside the tower. I had used Daemon Tools in the past, so I'm not sure if turning off disk emulation affected my drives. Or, maybe I have no idea what I am talking about, which is very possible.

    -While typing this message, that Windows Defender process seems to have stopped, but I won't erase what I mentioned earlier in case it provides you some kind of information.

    -Thank you for your time.
     


  6. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    You should create a new user account with limited privileges and use that for surfing.

    It looks like TDSSKiller took care of the MBR infection, so let's just run this to check:
    Please also download MBRCheck to your desktop

    • Double click MBRCheck.exe to run (vista and Win 7 right click and select Run as Administrator)
    • It will show a Black screen with some information that will contain either the below line if no problem is found:
      • Done! Press ENTER to exit...

    • Or you will see more information like below if a problem is found:
      • Found non-standard or infected MBR.
      • Enter 'Y' and hit ENTER for more options, or 'N' to exit:

    • Either way, just choose to exit the program at this point since we want to see only the scan results to begin with.
    • MBRCheck will create a log named similar to MBRCheck_07.16.10_00.32.33.txt which is random based on date and time.
    • Attach this log to your next message.
     
  7. mpizzo10

    mpizzo10 Private E-2

    MBRCheck log is attached.

    May I ask why you recommended I create another user account for surfing? I have never heard someone recommend this before, though it's not like I am around here often.

    The following is not to discredit your suggestion. I am just stating it to see if it affects any of the process of cleaning the machine:
    My intention to clean this machine is because I want to transfer files over to a laptop and ensure I am not carrying any infections. I haven't fully decided if I am going to get rid of this machine, but it is starting to show its age.
     

  8. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    It's for safety's sake. Surfing on an Admin account allows any malware that may get into your system free rein to your entire computer.

    Your MBR is clean.

    If you are not having any other malware problems, it is time to do our final steps:

    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no real-time protection. They do not use any significant amount of resources (except a little disk space) until you run a scan. We recommend them for doing backup scans when you suspect a malware infection.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /uninstall
        • Note: the space between combofix" and /uninstall must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.


    3. Go back to step 6 of the READ ME and re-enable your Disk Emulation software with Defogger if you had disabled it.
    4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. If running Vista, it is time to make sure you have re-enabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    7. Go to add/remove programs and uninstall HijackThis.
    8. Go to the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    9. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures pointed to by step 7 of the READ ME for your Windows version and see the instructions to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.

    10. After doing the above, you should work through the below link:


     
  9. mpizzo10

    mpizzo10 Private E-2

    I followed all the steps except the last one, although it probably wouldn't affect what I am after.

    I still am not sure why my D: (additional hard drive) is not appearing under my computer. I understand this may not be a malware issue, but before I bring it to another section of the forum, I would like to verify it with you.

    Sorry about the delay in response. I have been quite busy these past two days.

    Thank you again.
     
  10. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    I don't know why your external drive is not showing. Again, this should be pursued in the software forum.

    And you are most welcome. Safe surfing. :)
     
