I had a virus(s)...don't think I do anymore...

SakuraWulf · Aug 7, 2010

First off, let me say thank you for your detailed and very helpful instructions.
I followed all of the steps for malware removal in your posts.
I had a virus(s) that wouldn't let me log onto my account at all.
I had to try many, many times until it let me start up with the last known good configuration option.
Not even safe mode would work.
After I got on it wouldn't let me get on task manager or use other features like show desktop icons and changing the background.
The computer was very slow and connection to the internet was cut off after a while.
I googled how to restore task manager and got the running to delete some unknown processes.
I then ran ccleaner and after that installed avg. ( I did not have antivirus before x.x)
The computer was alot better after that...but connection was still lost after a while and then it wouldn't let me open any programs.
I then googled how to fix that problem and came across malwarebytes and your forums.
I figured I would try your steps and here I am now.
I ran SUPERAntiSpyware and took a nap (it took 1h 45m to complete lol. found 71 infections.) and then got the log.
I ran malwarebytes' anti-malware and it crashed when scanning with a message saying doctorwatson postmortem debugger has encountered a problem.
I noticed that after it crashes there is a process in task manager called drwtsn.exe ( I guess that was a component of mbam?)
I cancelled that process because it wouldn't let me start up anti-malware with it running. (mb.exe)
It stopped scanning at windows\system32\dis(something.dll). I don't know if that has anything to do with anything.
I went on to using combofix and let it do it's thing and got that log.
I then ran RootRepeal and got the log.
I then ran MG and got that log.
I then tried running anti-malware one more time but it crashed at the same point.
I toggled sysem restore.
I tried googling some stuff and it was fine. ( whenever I used to click on a link it would redirect me to ads)
In task manager it doesn't say 80-100% cpu usage like it did before. (8% tops with opera running)

I think I uploaded the 4 logs I got...

Thank you so much for your helpful posts, chaslang!

SakuraWulf · Aug 8, 2010

the redirecting me to other pages when I click on a link came back x.x

TimW · Aug 8, 2010

Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

Please copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search]
"SearchAssistant"="http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm"
"CustomizeSearch"="http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm"
"Default_Search_URL"="http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main]
"Default_Search_URL"="http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch"
"Search Page"="http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch"
[HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main]
"Search Page"="http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch"
"Search Bar"="Search Bar"="http://search.msn.com/intl/searchpane/en-au/prov2.htm"
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchUrl]
""="http://home.microsoft.com/access/autosearch.asp?p=%s"
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\main]
"Search Page"="http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch"
"Search Bar"="http://search.msn.com/spbasic.htm"
"Use Custom Search URL"= dword:00000000
[-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"=""
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\URL]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\URL]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\URL\DefaultPrefix]
@="http://"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\URL\Prefixes]
"ftp"="ftp://"
"gopher"="gopher://"
"home"="http://"
"mosaic"="http://"
"www"=http://
Click to expand...

Now copy just the bold text below to notepad (Do not include any space above the word REGEDIT). Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.

REGEDIT4

[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4efb-9B51-7695ECA05670}]

[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4efb-9B51-7695ECA05670}\NoExplorer]

Click to expand...

Make sure that you tell me if you receive a success message about adding the above
to the registry. If you do not get a success message, it definitely did not work.

Now use windows explorer to find and delete:
c:\windows\Jmusiriqurejadan.bin
c:\windows\Cnodanonulurupoh.dat

Please also download MBRCheck to your desktop

Double click MBRCheck.exe to run (vista and Win 7 right click and select Run as Administrator)

It will show a Black screen with some information that will contain either the below line if no problem is found:

Done! Press ENTER to exit...

Or you will see more information like below if a problem is found:

Found non-standard or infected MBR.

Enter 'Y' and hit ENTER for more options, or 'N' to exit:

Either way, just choose to exit the program at this point since we want to see only the scan results to begin with.

MBRCheck will create a log named similar to MBRCheck_07.16.10_00.32.33.txt which is random based on date and time.

Attach this log to your next message.

SakuraWulf · Aug 21, 2010

MBRcheck log attached.

TimW · Aug 21, 2010

Its been a few weeks now, so tell me what issues you are having, if any.

SakuraWulf · Aug 21, 2010

Redirecting to ads and other websites.

Kestrel13! · Aug 21, 2010

Go to TDSSKiller and Download TDSSKiller.zip to your Desktop

Extract its contents to your Desktop so that you have TDSSKiller.exe directly on your Desktop and not in any subfolder of the Desktop.

Now double click the TDSSkiller.exe file to run it ( if using Vista or Windows 7 do not double click on it but rather, right click and select Run As Administrartor.

Allow the application to run and a window will open showing that it is TDSSkiller from Kaspersky

Click Start scan

It will run rather quickly and will notify you of whether anything is found or not.

Follow the instructions to delete/quarantine if asks you what to do when if finds something.

Whether an infection is found or not, a log file should be created on your C: drive ( or whatever drive you boot from) in the root folder named something like TDSSKiller.2.1.1_27.12.2009_14.17.04_log.txt which is based on the program version # and date and time run. Please attach this log to your next reply. (See: HOW TO: Attach Items To Your Post )

Log in or Sign up

I had a virus(s)...don't think I do anymore...

SakuraWulf Private E-2

Attached Files:

combofixlog.txt

rrlog.txt

saslog.txt

MGlogs.zip

SakuraWulf Private E-2

TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

SakuraWulf Private E-2

Attached Files:

MBRCheck_08.21.10_14.51.09.txt

TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

SakuraWulf Private E-2

Kestrel13! Super Malware Fighter - Major Dilemma Staff Member