Have no idea whats going on

Discussion in 'Malware Help (A Specialist Will Reply)' started by vizarati, Feb 7, 2010.

  1. vizarati

    vizarati Private E-2

    For the past week, whenever I try to log into my Wachovia bank account or my AOL email (I put in username and password then hit enter), my browser gets a page that the URL and page source say belongs to that site. However, that page is asking for my Bank Card #, Exp. date, CW2 # and ATM PIN. Extremely paranoid, I contacted both Wachovia and Mediacom (my internet provider) and they said I have some virus. I performed a full system scan with McAfee Security Center and it found two Trojans infecting my system-volume files; it quarantined and removed them. Still have the problem. So I found this website and followed all instructions. Here are the logs it asked for:
     


  2. vizarati

    vizarati Private E-2

    On a side note, I managed to save a copy of the page I get when trying to log into my AOL email. I have attached it to this post in case it can help in any way.

    I copied and pasted the source code into a text file.
     


  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Major Geeks!

    You have a dangerous Master Boot Record infection.

    Please run the below tool from Prevx

    Prevx 3.0 use the button that says Download Prevx 3.0

    After running the Prevx scan, reboot and then continue with the below.

    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    R3 - URLSearchHook: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
    O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
    O23 - Service: CA License Client (CA_LIC_CLNT) - Unknown owner - C:\Program Files\CA\SharedComponents\CA_LIC\\lic98rmt.exe (file missing)
    O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - C:\Program Files\WinPcap\rpcapd.exe (file missing)

    After clicking Fix, exit HJT.



    Now download The Avenger by Swandog46, and save it to your Desktop.
    • Extract avenger.exe from the Zip file and save it to your desktop
    • Run avenger.exe by double-clicking on it.
    • Do not change any check box options!!
    • Copy everything in the Quote box below, and paste it into the Input script here: part of the window:
    • Now click the Execute button.
    • Click Yes to the prompt to confirm you want to execute.
    • Click Yes to the Reboot now? question that will appear when Avenger finishes running.
    • Your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt and it will popup for you to view when you login after reboot.
    Now run this Disable/Remove Windows Messenger to remove Windows Messenger. Do not confuse Windows Messenger with MSN Messenger because they are not the same. Windows Messenger is a frequent cause of popups.

    Uninstall the below old versions of software:
    Java(TM) 6 Update 17
    Java(TM) 6 Update 3
    Java(TM) 6 Update 5
    Java(TM) 6 Update 7

    Now install the current version of Sun Java from: Sun Java Runtime Environment

    Now run Ccleaner. Only use the Run Cleaner button. Do not run anything else on any other forms.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).


    Then attach the below logs:
    • C:\avenger.txt
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
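The five HijackThis lines selected above all end in "(no file)" or "(file missing)", i.e. they are registry references (search hooks, browser helper objects, services) whose target no longer exists on disk. The script below is an added example, not part of the original thread or of HijackThis itself: it parses HijackThis-style log lines, extracts the section, CLSID and referenced path, and flags the orphaned entries a helper would normally select for a Fix. The sample log is constructed from the five lines quoted in the post plus two made-up healthy lines (the "Example" entries are invented for contrast).

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample input: the five lines quoted in the post above, followed by
# two invented, healthy-looking entries that a parser must NOT flag.
SAMPLE_HJT_LOG = r"""
R3 - URLSearchHook: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O23 - Service: CA License Client (CA_LIC_CLNT) - Unknown owner - C:\Program Files\CA\SharedComponents\CA_LIC\\lic98rmt.exe (file missing)
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - C:\Program Files\WinPcap\rpcapd.exe (file missing)
O2 - BHO: Example Helper - {00000000-0000-0000-0000-000000000001} - C:\Program Files\Example\helper.dll
O23 - Service: Example Service (ExampleSvc) - Example Corp - C:\Program Files\Example\svc.exe
"""

# "<section> - <type>: <rest>" is the shape of every HijackThis line.
HJT_LINE = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<kind>[^:]+): (?P<rest>.*)$")
CLSID = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
# Markers HijackThis appends when the referenced object is absent from disk.
ORPHAN_MARKERS = ("(no file)", "(file missing)")


@dataclass
class HjtEntry:
    section: str          # e.g. "R3", "O2", "O23"
    kind: str             # e.g. "URLSearchHook", "BHO", "Service"
    rest: str             # everything after the type
    raw: str              # the original line, for reporting

    @property
    def is_orphan(self) -> bool:
        """True when the entry points at a file that HijackThis could not find."""
        return self.rest.rstrip().endswith(ORPHAN_MARKERS)

    @property
    def clsid(self) -> Optional[str]:
        m = CLSID.search(self.rest)
        return m.group(0) if m else None

    @property
    def referenced_path(self) -> Optional[str]:
        """The file path the entry points at, or None if HijackThis shows none."""
        tail = self.rest.rsplit(" - ", 1)[-1].strip()
        for marker in ORPHAN_MARKERS:
            tail = tail.replace(marker, "").strip()
        return tail or None


def parse_hjt(text: str) -> List[HjtEntry]:
    """Parse all recognisable HijackThis lines; unrelated lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = HJT_LINE.match(line.strip())
        if m:
            entries.append(HjtEntry(m["section"], m["kind"], m["rest"], line.strip()))
    return entries


def orphaned_entries(text: str) -> List[HjtEntry]:
    """Entries whose target is missing: dangling registry references, safe to clean."""
    return [e for e in parse_hjt(text) if e.is_orphan]


def summarize(text: str) -> Dict[str, Dict[str, int]]:
    """Per-section totals and orphan counts, e.g. {'O2': {'total': 3, 'orphan': 2}}."""
    summary: Dict[str, Dict[str, int]] = {}
    for e in parse_hjt(text):
        s = summary.setdefault(e.section, {"total": 0, "orphan": 0})
        s["total"] += 1
        s["orphan"] += int(e.is_orphan)
    return summary


if __name__ == "__main__":
    for e in orphaned_entries(SAMPLE_HJT_LOG):
        print(f"[{e.section}] {e.kind}: clsid={e.clsid} path={e.referenced_path}")
    print(summarize(SAMPLE_HJT_LOG))
```

Orphaned entries like these are leftovers rather than the active infection; removing them tidies the registry but does not explain a redirected bank login, which is why the thread goes on to the MBR.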
     
  4. vizarati

    vizarati Private E-2

    I followed all directions and added the logs.

    I am still getting the same screen when trying to log into my AOL email and bank account.

    When I ran the Prevx scan, it gave me this message: Threat found \\.\PhysicalDrive0\MBR; but I couldn't do anything about it because I haven't purchased the full version of the software. Also after the scan it found this: Threat $mbr:0 in c:\ Rootkit.MBR. It rebooted to delete it and scanned again and found it again (it did this 4 times before I just stopped doing the scan after reboot).
     


  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    They used to remove it for free so perhaps they have changed their policies or they just cannot fix it anymore.

    We will need to boot to the Recovery Console ( you installed it while you installed ComboFix) to remove this infection. Note if you cannot boot to the Recovery Console you installed with ComboFix or if it fails to remove the infection, you will need your Windows XP boot CD.

    Now boot to the Recovery Console and run the fixmbr to clear a Master Boot Record infection that you have.

    You can read the below to help you do this:

    http://support.microsoft.com/kb/307654


    After running the fixmbr command and boot back to normal mode, continue with the below.


    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).


    Then attach the below logs:
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
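The Prevx result in the previous post ("Threat $mbr:0 ... found again" after every reboot) is the pattern of a bootkit that survives the scanner's attempt to clean it, which is why the fix moves to rewriting the boot sector with fixmbr from the Recovery Console. As an added example (not the thread's own tooling, and not a Prevx or Microsoft program), the script below shows how a defender can verify such a repair offline: it parses a 512-byte master boot record, checks the 0x55AA boot signature and the partition table, and hashes the 446-byte bootstrap area so the sector can be compared before and after the repair. The MBR used here is constructed in the script; the `read_physical_mbr` helper is a hypothetical convenience that reads the real device path named in the Prevx message and is only run by hand, with administrator rights, on the affected machine.

```python
import hashlib
import struct
from typing import Dict, List, Optional

MBR_SIZE = 512
BOOTSTRAP_SIZE = 446           # bootstrap code occupies bytes 0..445
PARTITION_TABLE_OFFSET = 446   # four 16-byte entries follow
BOOT_SIGNATURE = b"\x55\xAA"   # bytes 510..511
ENTRY_FMT = "<B3sB3sII"        # boot flag, CHS start, type, CHS end, LBA start, sectors


def build_sample_mbr(bootstrap_fill: int = 0x90) -> bytes:
    """Constructed test sector: one bootable NTFS-type partition, no real disk involved."""
    bootstrap = bytes([bootstrap_fill]) * BOOTSTRAP_SIZE
    entry = struct.pack(ENTRY_FMT, 0x80, b"\x01\x01\x00", 0x07, b"\xFE\xFF\xFF", 63, 1_000_000)
    return bootstrap + entry + bytes(16) * 3 + BOOT_SIGNATURE


def parse_partitions(mbr: bytes) -> List[Dict]:
    """Decode the four partition-table slots, skipping empty ones (type 0x00)."""
    parts = []
    for i in range(4):
        off = PARTITION_TABLE_OFFSET + 16 * i
        boot, _chs_s, ptype, _chs_e, lba_start, sectors = struct.unpack(ENTRY_FMT, mbr[off:off + 16])
        if ptype == 0:
            continue
        parts.append({"slot": i, "bootable": boot == 0x80, "type": ptype,
                      "lba_start": lba_start, "sectors": sectors})
    return parts


def bootstrap_hash(mbr: bytes) -> str:
    """SHA-256 of the bootstrap code only; partition data is excluded on purpose."""
    return hashlib.sha256(mbr[:BOOTSTRAP_SIZE]).hexdigest()


def check_mbr(mbr: bytes, baseline_hash: Optional[str] = None) -> Dict:
    """Structural sanity checks plus an optional comparison against a known-good hash."""
    issues = []
    if len(mbr) != MBR_SIZE:
        issues.append(f"unexpected sector length {len(mbr)}")
    elif mbr[510:512] != BOOT_SIGNATURE:
        issues.append("missing 0x55AA boot signature")
    parts = parse_partitions(mbr) if len(mbr) == MBR_SIZE else []
    if len(mbr) == MBR_SIZE and sum(p["bootable"] for p in parts) != 1:
        issues.append("expected exactly one active partition")
    if len(mbr) == MBR_SIZE and baseline_hash and bootstrap_hash(mbr) != baseline_hash:
        issues.append("bootstrap code differs from baseline")
    return {"issues": issues, "partitions": parts,
            "bootstrap_sha256": bootstrap_hash(mbr) if len(mbr) == MBR_SIZE else None}


def read_physical_mbr(device: str = r"\\.\PhysicalDrive0") -> bytes:
    """Hypothetical helper for a real Windows host: needs administrator rights; not run here."""
    with open(device, "rb") as disk:
        return disk.read(MBR_SIZE)


if __name__ == "__main__":
    clean = build_sample_mbr()
    baseline = bootstrap_hash(clean)
    print("clean   :", check_mbr(clean, baseline)["issues"])
    print("modified:", check_mbr(build_sample_mbr(0xCC), baseline)["issues"])
```

The practical use is the before/after comparison: take the bootstrap hash before running fixmbr, run the repair, and hash again. If the sector is unchanged, the repair never reached the disk and the scanner will keep reporting the same finding after each reboot, exactly as Prevx did above.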
     
  6. vizarati

    vizarati Private E-2

    You are a genius. I can log into my email and bank account without getting that page anymore :cry:cry

    I have one other thing going on. I'm not sure if this is malware or not: when starting my computer, after Windows loads I get a Microsoft folder that pops up and contains a folder called Microsoft Search Enhancement Pack. Do you know how to get rid of this?

    I'll save the thanks till after you look at the logs =D

    I also added the log from ComboFix. During the scan I saw a lot more things that didn't show up the first time I ran it.
     


  7. vizarati

    vizarati Private E-2

    I am not intending to bump this thread, but I was wondering if the new logs have been looked at. Starting my computer today, about 10 programs have asked to be updated with security patches and things. I read in other threads not to do anything like that, so I wanted to know if it is safe or not.

    Thanks
     
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    But that is exactly what this did. It bumped you to the bottom of the queue and cost you at least 2 days more wait time.

    We have to make sure that the infection is truly gone by attempting to delete a few related files. We had done this previously but it did not work since PrevX failed to remove the source of the infection. Then we need to make sure they don't come back. Let's wait on installing any updates until after we are sure the MBR infection is gone.

    Uninstall PrevX now since it is of no use to us anymore.


    • Run avenger.exe by double-clicking on it.
    • Do not change any check box options!!
    • Copy everything in the Quote box below, and paste it into the Input script here: part of the window:
    • Now click the Execute button.
    • Click Yes to the prompt to confirm you want to execute.
    • Click Yes to the Reboot now? question that will appear when Avenger finishes running.
    • Your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt and it will popup for you to view when you login after reboot.
    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).


    Then attach the below logs:
    • C:\avenger.txt
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Not really a topic for this forum since it is valid software ( part of Windows Live ) that you chose to install. You could try uninstalling the below which may remove it:

    Microsoft Choice Guard


    Other than that, you will have to pursue this in the Software Forum.
     
  10. vizarati

    vizarati Private E-2

    Hope it looks ok. I haven't installed any new software, but several times I have come to my computer and it had been rebooted because of software updates. I think it was mostly with Microsoft and maybe AOL.
     


  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Your logs are clean.


    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources ( except a little disk space ) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /uninstall
        • Notes: The space between the combofix" and the /uninstall, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
    3. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    4. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    5. If running Vista, it is time to make sure you have re-enabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    6. Go to Add/Remove Programs and uninstall HijackThis.
    7. Go to the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    8. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures pointed to by step 6 of the READ ME for your Windows version and see the instructions to Disable System Restore, which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    9. After doing the above, you should work through the below link:
     
