Infected computer, logs attached

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by limigator, May 8, 2011.

  1. limigator

    limigator Private E-2

    Hi all, let me begin by saying thank you for providing us with such a wonderful site that we can trust! You are a safe haven in a sea of pollution out there!

    I noticed a few days ago that my computer was infected, began redirecting my browser, pop ups, etc. I have since followed all the instructions here for Malware Removal and have attached the logs as instructed. Please note, I encountered problems when I tried to run ComboFix. I attempted to run it twice and both times it froze up in the scan. The first time I gave it over an hour and nothing happened at all. I had to hard shut down the computer. The second time I was not prompted to install the Windows recovery console, it went into scan mode but I never got the message that it was changing my clock settings or anything. It just sat there. Again, had to hard shut down the computer. I don't *seem* to have any problems right now, but I am nervous that I still have something lurking and I did not want to proceed to Step 4, Toggle System Restore, in case the machine is not clean.

    Thank you in advance for all your help!
     

  2. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    You did not run Combofix, so if after completing the below you happen to still have any issues then I would advise it be run.

    Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O4 - HKUS\S-1-5-18\..\Run: [SSP] C:\Documents and Settings\NetworkService\Local Settings\Application Data\Security Shield Pro\SSP.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [SSP] C:\Documents and Settings\NetworkService\Local Settings\Application Data\Security Shield Pro\SSP.exe (User 'Default user')

    After clicking Fix exit HJT.

    Download and run OTM.


    Download OTM by Old Timer and save it to your Desktop.

    Code:
    :Files
    C:\Documents and Settings\NetworkService\Local Settings\Application Data\Security Shield Pro
    C:\Program Files\Internet Explorer\en-US(2)
    
    :reg
    [-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{171DEBEB-C3D4-40b7-AC73-056A5EBA4A7E}]
    
    :Commands
    [emptytemp]
    [Reboot]
    • Return to OTM, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste.
    • Push the large MoveIt! button (pictured at http://farm3.static.flickr.com/2782/4174320048_f01c448b32_o.png).
    • OTM may ask to reboot the machine. Please do so if asked.
    • Copy everything in the Results window (under the green bar), and paste it in your next reply.

    NOTE: If you are unable to copy/paste from this window (as will be the case if the machine was rebooted), open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTM\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.

    Run Ccleaner. Only use the Run Cleaner button. Do not run anything else on any other forms.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. (Right click and run as admin if using Vista or Windows7) Then attach the new C:\MGlogs.zip file that will be created by running this.
     
  3. limigator

    limigator Private E-2

    Here are the results from OTM (Thank you so much for your help!!!!!):)
     

    Attached Files:

    • OTM.txt (4.9 KB)
  4. limigator

    limigator Private E-2

    Here is the new C:\MGlogs.zip file from running the MGtools\getlogs.bat as instructed. BTW, yesterday I noticed that when restarting/booting the computer, I get the black screen where you can choose what mode to boot in and one of the choices says do not select this debugger, or something along those lines. It only flashes up for a second or two when the computer starts so I can't read everything, but it says something about a debugger. I also don't recall the boot screen showing up when the computer is started up, I think this is a new thing. FYI, last night I did go to Microsoft's update page and update IE and it installed antimalware software. I also tried to install Comodo firewall and antivirus, as I currently have neither, and I initially installed both, but when I turned the computer on this morning, I only had the AV, no firewall. I tried to install the firewall and it made me uninstall the AV. When I tried to put the AV back on, I was unable.

    I hope I am not complicating things, but I want to protect the computer from further damage and right now it is quite vulnerable.

    Thank you for your help, I REALLY appreciate it!

    Lisa
     

  5. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    1. Now download The Avenger by Swandog469, and save it to your Desktop.

    • Extract avenger.exe from the Zip file and save it to your desktop
    • Run avenger.exe by double-clicking on it.
    • Do not change any check box options!!
    • Copy everything in the Quote box below, and paste it into the Input script here: part of the window:
    • Now click the Execute button.
    • Click Yes to the prompt to confirm you want to execute.
    • Click Yes to the Reboot now? question that will appear when Avenger finishes running.
    • Your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt and it will popup for you to view when you login after reboot.

    2. Download Cleano 0.61

    Download it to your desktop, Right click the cleano.exe file and run as admin > and place check marks in the boxes as follows (click on link below to see image)

    [attached screenshot of the Cleano check-box settings, not reproduced here]
    Click clean now and exit the program.

    3. Run Combofix as per the instructions please.

    4. Now run the C:\MGtools\GetLogs.bat file by double clicking on it. (Right click and run as admin if using Vista or Windows7) Then attach the new C:\MGlogs.zip file that will be created by running this.
     
  6. limigator

    limigator Private E-2

    Re: ComboFix stalled?

    I am running into the same problem with ComboFix... I started the scan 45 minutes ago and I still haven't gotten the message about changing the clock settings. In fact, the clock on the computer is frozen at the time I started the scan. I haven't gotten any messages. How long should I give it or do you think it has stalled?
     
  7. limigator

    limigator Private E-2

    ComboFix seems to be frozen, it has been over 2 hours since I started the scan and nothing has happened. Can you please advise me of the best/safest way to shut down the computer? The computer is nonresponsive. Last time I held the power button down but I would rather proceed with your instruction.
    Thank you (again!)
    Lisa
     
  8. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Shut it down anyway you can even if that means holding down the power button. Restart the machine then and continue with my steps obviously skipping the Combofix part.
     
  9. limigator

    limigator Private E-2

    OK, I shut it down and finished the rest of the instructions. Attached is the MGlogs.zip file.

    Thank you!! :)
     

  10. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Did you run Ccleaner as per my instructions in post #2 or Cleano in post #5? I am seeing many temp files, some of which look a bit funny. Let me know if you had a problem running either program.

    Also do this:

    Also delete all files in the below bold folders except ones from the current date (Windows will not let you delete the files from the current day).
    • C:\WINDOWS\TEMP
    • C:\Documents and Settings\Robert\Local Settings\TEMP

    How are things running? Looks like we can wrap up very soon. :)
     
  11. limigator

    limigator Private E-2

    Yes, I ran both as per your instructions. When I tried to delete the temp files from the Windows temp folder I got a message that I cannot delete Perflib_Perfdata_208, that it is being used by another person or program.

    When I tried to delete the temp files from the local settings file I got an error message "cannot delete dbdata.dll - access denied. Make sure disk is not full or write protected and that file is not currently in use".

    I am not sure that the problems are solved, as I have been trying to stay off the computer other than when running the fixes you are suggesting and trying to keep it off the internet as much as possible because I have no active AV or firewall at the moment. I had problems installing Comodo AV and Firewall.

    By the way, before I did all the tools recommended, I had installed AVG antivirus software and it detected a Trojan virus, Rx 7 I think, and another one, but I can't remember the name.

    What should I do now?

    Thank you again!
     
  12. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Well, are you still having problems installing protection software? Let me know.
     
  13. limigator

    limigator Private E-2

    I tried to reinstall the AVG software (which I really liked but had to uninstall during this process) and I keep getting a message that it can't be installed b/c of a conflict with Comodo antivirus. Well, I checked my add/remove programs and Comodo is not listed there, and it isn't running in the tray either. I was not able to install the Comodo firewall and AV together so I removed both. But it seems it is still lurking. What should I do, because I do need to get some AV protection!
    Also, is the fact that ComboFix will not run properly on my computer an indication that there is something wrong or that there is something malicious that is preventing it from running?
    Thank you and have a great day!
     
  14. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Uninstall the below

    COMODO GeekBuddy

    If it does not come out with the uninstaller then we will use something else. Try Revo Uninstaller.
    Choose the option on the bottom of the list (#4). Be very careful while deleting the bolded registry items ONLY!! This software will create a system restore point for you as well prior to uninstalling a software program.

    Run Ccleaner

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. (Right click and run as admin if using Vista or Windows7) Then attach the new C:\MGlogs.zip file that will be created by running this.

    Now can you install AVG?
     
  15. limigator

    limigator Private E-2

    Comodo persists!

    I tried the Revo uninstaller and I did not see the Comodo application listed to remove it. I was not sure what you meant by option #4 on the bottom of the list; a screen opened that showed all the applications (represented with icons) but I did not see Comodo anywhere. I also used Revo's search window to try to find it and it did not find it. I finally decided to do a search in Windows Explorer and so far it has found 70 files with the name Comodo! It is still going and is finding even more! It seems to be searching the same folders over and over again; I keep seeing the same names coming up in the "search" portion. Now it is up to 78 files! What should I do?
     
  16. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O4 - HKLM\..\Run: [COMODO] C:\Program Files\COMODO\COMODO GeekBuddy\CLPSLA.exe
    O4 - HKLM\..\Run: [CPA] C:\Program Files\COMODO\COMODO GeekBuddy\VALA.exe
    O23 - Service: COMODO livePCsupport Service (CLPSLS) - COMODO - C:\Program Files\COMODO\COMODO GeekBuddy\CLPSLS.exe

    After clicking Fix exit HJT.


    • Run avenger.exe by double-clicking on it.
    • Do not change any check box options!!
    • Copy everything in the Quote box below, and paste it into the Input script here: part of the window:
    • Now click the Execute button.
    • Click Yes to the prompt to confirm you want to execute.
    • Click Yes to the Reboot now? question that will appear when Avenger finishes running.
    • Your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt and it will popup for you to view when you login after reboot.

    We could try and rename combofix or try and run it in safe mode, but let's not worry too much, it is not always malware which prevents combofix from running.

    Are you now able to install avg?
     
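    The HijackThis O4 and O23 lines quoted in posts #2 and #16 have a fixed layout, so they can be parsed and triaged mechanically. The following added example (not code from the thread or from HijackThis) parses those exact lines into records and flags autostarts that launch from a per-user "Application Data" folder, the pattern the Security Shield Pro entries show; the USER_DATA_MARKERS heuristic is an assumption for this example.

    ```python
    import re
    from dataclasses import dataclass
    from typing import List, Optional

    # Constructed sample: the HijackThis lines quoted in posts #2 and #16 of this thread.
    SAMPLE_HJT_LINES = r"""
    O4 - HKUS\S-1-5-18\..\Run: [SSP] C:\Documents and Settings\NetworkService\Local Settings\Application Data\Security Shield Pro\SSP.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [SSP] C:\Documents and Settings\NetworkService\Local Settings\Application Data\Security Shield Pro\SSP.exe (User 'Default user')
    O4 - HKLM\..\Run: [COMODO] C:\Program Files\COMODO\COMODO GeekBuddy\CLPSLA.exe
    O23 - Service: COMODO livePCsupport Service (CLPSLS) - COMODO - C:\Program Files\COMODO\COMODO GeekBuddy\CLPSLS.exe
    """

    @dataclass
    class Autostart:
        kind: str            # "O4" (Run key) or "O23" (service)
        location: str        # registry hive\key for O4, service short name for O23
        name: str            # value name (O4) or service display name (O23)
        path: str            # executable that gets launched
        user: Optional[str]  # account HJT attributes an O4 entry to, if shown

    # O4 - <hive>\..\<key>: [<name>] <path> (User '<user>')   -- the user part is optional
    O4_RE = re.compile(
        r"^O4 - (?P<hive>.+?)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] "
        r"(?P<path>.+?)(?: \(User '(?P<user>[^']*)'\))?$"
    )
    # O23 - Service: <display name> (<short name>) - <company> - <path>
    O23_RE = re.compile(
        r"^O23 - Service: (?P<display>.+?) \((?P<svc>[^)]+)\) - (?P<company>.*?) - (?P<path>.+)$"
    )

    # Installed products normally live under Program Files or Windows.  An autostart
    # running from a user profile's application-data folder (as Security Shield Pro
    # does above) is the classic rogue-AV drop location and deserves a look.
    # This marker list is an assumption for this example, not a rule from the thread.
    USER_DATA_MARKERS = ("\\local settings\\application data\\", "\\appdata\\local\\")

    def parse_hjt_lines(text: str) -> List[Autostart]:
        """Turn O4/O23 lines of a HijackThis log into Autostart records; other lines are ignored."""
        entries: List[Autostart] = []
        for line in text.splitlines():
            line = line.strip()
            m = O4_RE.match(line)
            if m:
                entries.append(Autostart("O4", m["hive"] + "\\" + m["key"], m["name"], m["path"], m["user"]))
                continue
            m = O23_RE.match(line)
            if m:
                entries.append(Autostart("O23", m["svc"], m["display"], m["path"], None))
        return entries

    def suspicious_entries(entries: List[Autostart]) -> List[Autostart]:
        """Autostarts whose executable lives under a per-user application-data folder."""
        return [e for e in entries if any(mk in e.path.lower() for mk in USER_DATA_MARKERS)]

    if __name__ == "__main__":
        for e in suspicious_entries(parse_hjt_lines(SAMPLE_HJT_LINES)):
            print(f"{e.kind} {e.location} [{e.name}] runs from user data: {e.path} (user={e.user})")
    ```
    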
  17. limigator

    limigator Private E-2

    The lines you have indicated to select are not on the list generated by the scan. What should I do? I'm sure you are extremely busy, but if you could advise me asap, I would greatly appreciate it as I cannot use this computer. I very much appreciate all your help and wish I had you one on one!
    I will wait for your reply...

    Thank you!
     
  18. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Then skip that step and move on. :)
     
  19. limigator

    limigator Private E-2

    Move on to what? Sorry, but I don't know how to resolve this issue. Why is this Comodo antivirus so hard to remove? It is acting like a virus!
     
  20. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    I think you already tried the Comodo Removal Tool? I thought I saw signs of that in your logs. Let me know. This is what I was saying move onto...

    • Run avenger.exe by double-clicking on it.
    • Do not change any check box options!!
    • Copy everything in the Quote box below, and paste it into the Input script here: part of the window:
    • Now click the Execute button.
    • Click Yes to the prompt to confirm you want to execute.
    • Click Yes to the Reboot now? question that will appear when Avenger finishes running.
    • Your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt and it will popup for you to view when you login after reboot.

    We could try and rename combofix or try and run it in safe mode, but let's not worry too much, it is not always malware which prevents combofix from running.

    Are you now able to install avg?
     
  21. limigator

    limigator Private E-2

    Nope. I ran the Comodo removal tool (which I must admit, the link looked suspicious!) and then Avenger. The log for Avenger is attached; it says the object was not found! So I right clicked the start key and searched the C drive for Comodo and the same thing is happening that happened yesterday, it is finding the Comodo file, over and over and over and over again! Now, it has added Comodo Cleanup.ini to the list showing its location in the Avenger folder! I feel like I am infecting my computer with all these tools! Can I just delete the Comodo file right from the Windows Explorer window? This is getting to be very frustrating! I'm sure you are sick of hearing from me too!
    Also, I might mention that on boot up, the boot screen says windows recovery something, don't select, debugger. It is only there for a second but it says something to that effect now on every boot up.
    Any suggestions as to how to resolve the comodo problem and is the boot screen message an issue? (As if I need another one at this point!)
     
  22. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Hmm not sure what you mean. I would not link you to anything suspicious, I fight against all that is suspicious.

    Nope. Try again.

    Is that all that remains? One Comodo file? Yes, delete it using Windows Explorer.

    Nah, not at all, don't be daft. :)

    Sounds like you are referring to the Microsoft Recovery Console which is a useful thing to have ;)

    Please click Start, Run, and enter cmd and click OK. This will open a command prompt window. Enter the below commands at the command prompt each followed by the enter key. The bold black are commands. The purple is merely informational.

    cd \MGtools <-- this changes to the MGtools folder and the prompt should change to C:\MGtools>
    ShowNew <-- this will try to run all another scan from MGtools. Tell me what error messages, if any, you see.

    Attach the C:\newfiles.log
     
  23. limigator

    limigator Private E-2

    Well, I tried again this morning and was finally able to install AVG!! :) When I ran the scan, it found a trojan horse downloader.agent2.amkd and moved it to the virus vault. I also searched Windows Explorer again for Comodo and it found it in the Avenger folder. I am so tempted to right click it in the search results window and delete it but I don't know if that is advisable. Should I uninstall Avenger now? Also, what about ComboFix? It shows up in Windows Explorer with a computer icon next to the name (what's that all about?!). I think otherwise I am good to go, the computer seems to be doing well on the internet and, other than the Comodo files in the Avenger folders, I think it is resolved as well.
    Thank you again for ALL your help, you have been a tremendous help! I appreciate your taking the time to help me (and everyone else you help!!!)
     
  24. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Glad you are all sorted ;) These final steps should cover the rest of your concerns.

    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources (except a little disk space) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /uninstall
        • Notes: The space between the combofix" and the /uninstall, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
    3. Go back to step 6 of the READ ME and re-enable your Disk Emulation software with Defogger if you had disabled it.
    4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. If running Vista, it is time to make sure you have re-enabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    7. Go to add/remove programs and uninstall HijackThis.
    8. Go to the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    9. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures pointed to by step 7 of the READ ME for your Windows version and see the instructions to Disable System Restore, which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    10. After doing the above, you should work thru the below link:
     
