Lots of problems / Logs attached

Discussion in 'Malware Help (A Specialist Will Reply)' started by mexicola, Apr 30, 2009.

  1. mexicola

    mexicola Private E-2

    Hello all! I was hoping it wouldn't come to this but it appears I am badly infected. I can't pinpoint the possible time and date either as I was away for a few weeks and other people had been using my computer. Someone must have been using the IE browser and clicked on an .exe of some sort though because I have my FIREFOX browser set to always ask before downloading any type of files.

    I ran all of the procedures in this forum for cleaning in XP to a t and though it seems the infection is now less severe I am still having all kinds of problems I didn't have before.

    Notably, I am getting all kinds of "file is corrupted and unreadable" pop ups when I try to run just about anything it seems... though I am still able to run the programs.
    I can't run defrag
    My Firefox browser had to be uninstalled because it simply would not open after running all of these malware removal programs.
    I have not reinstalled it yet.
    And I have something that was redirecting my google searches through adware in Mozilla. I found this Gooredfix.exe which took care of the problem but only until I rebooted my pc.
    Now google search isn't working at all in my IE browser, meaning that when I click a search result I get redirected to the top of the page.


    My DVD Decrypter was also displaying the "too many secrets" message I see others on this forum have had problems with but that now appears to be fixed.
    Apologies if I forgot anything. I've been working on this for days. If someone could help I would be most appreciative! Jeffrey
     

    Attached Files:

  2. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Let's start with this:

    Please use add/remove programs to uninstall:


    Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    After clicking Fix, exit HJT.

    * Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
    If it is not on your Desktop, the below will not work.
    * Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    * If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
    * Open Notepad and copy/paste the text in the below code box into it (make sure you scroll all the way down in the code box to get all lines selected ):
    Code:
    KILLALL::

    Driver::
    acea0986
    ovfsthxdamkkydc

    File::
    c:\windows\system32\lmppcsetup.exe
    c:\windows\system32\loader100.exe
    c:\windows\system32\edacded0_x.dat
    c:\windows\system32\drivers\ovfsthxdamkkydc.sys
    c:\windows\system32\ovfsthxmphwjyhc.dll
    c:\windows\system32\ovfsthxptubyvea.dat
    c:\windows\system32\ovfsthxtloxnvuj.dll
    c:\windows\system32\ovfsthxujetsbsv.dll
    c:\windows\system32\ovfsthxvvgdctdw.dat
    C:\Documents and Settings\JEFF\Start Menu\Programs\Startup\chkdisk.dll
    C:\Documents and Settings\JEFF\Start Menu\Programs\Startup\chkdisk.lnk
    C:\WINDOWS\SYSTEM32\KRNLUBEUJ
    C:\WINDOWS\SYSTEM32\DRIVERS\acea0986.sys

    * Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    * At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    * You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    If it asks you to override the previous file with the same name, click YES.
    * Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
    * Follow the prompts.
    * When it finishes, a log will be produced named c:\combofix.txt
    * I will ask for this log below

    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    Now run Ccleaner to clean out only temp files and nothing else!

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:

    * C:\ComboFix.txt
    * C:\MGlogs.zip
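    An added verification script, not part of the thread, ComboFix or MGtools: it parses the Driver:: and File:: sections of the CFScript posted above and reports which of those artifacts are still present, so the state after the ComboFix run can be checked before the logs are sent back. The script text is embedded verbatim as sample input; the registry check uses Python's winreg module and only does anything on Windows, and the root-directory argument (used by the self-test, which plants one listed file in a temporary directory) is an assumption of this example rather than anything ComboFix does.

```python
"""Post-cleanup check for a ComboFix CFScript.

Added example, not code from the MajorGeeks thread, ComboFix or MGtools: it
parses the Driver:: and File:: sections of the script TimW posted and reports
which of those artifacts are still present, so the result of the run can be
verified before the logs are sent back.  Paths are checked as given; when a
root directory is supplied the drive letter is replaced by that root, which is
what the self-test below uses with a temporary directory.
"""
import re
import tempfile
from pathlib import Path

# The CFScript from the post above, embedded verbatim as the sample input.
CFSCRIPT = r"""
KILLALL::

Driver::
acea0986
ovfsthxdamkkydc

File::
c:\windows\system32\lmppcsetup.exe
c:\windows\system32\loader100.exe
c:\windows\system32\edacded0_x.dat
c:\windows\system32\drivers\ovfsthxdamkkydc.sys
c:\windows\system32\ovfsthxmphwjyhc.dll
c:\windows\system32\ovfsthxptubyvea.dat
c:\windows\system32\ovfsthxtloxnvuj.dll
c:\windows\system32\ovfsthxujetsbsv.dll
c:\windows\system32\ovfsthxvvgdctdw.dat
C:\Documents and Settings\JEFF\Start Menu\Programs\Startup\chkdisk.dll
C:\Documents and Settings\JEFF\Start Menu\Programs\Startup\chkdisk.lnk
C:\WINDOWS\SYSTEM32\KRNLUBEUJ
C:\WINDOWS\SYSTEM32\DRIVERS\acea0986.sys
"""


def parse_cfscript(text):
    """Split a CFScript into {section_name: [entries]}.

    A section header is a line ending in '::' (KILLALL::, Driver::, File::);
    every non-blank line after it belongs to that section until the next header.
    """
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith("::"):
            current = line[:-2]
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections


def relocate(entry, root):
    """Map 'C:\\dir\\file' onto root/dir/file so the script can be checked
    against a copy of the tree (or, in the self-test, a temporary directory)."""
    without_drive = re.sub(r"^[A-Za-z]:[\\/]", "", entry)
    return Path(root).joinpath(*without_drive.split("\\"))


def check_leftovers(sections, root=None):
    """Return the File:: entries that still exist on disk."""
    leftover = []
    for entry in sections.get("File", []):
        path = Path(entry) if root is None else relocate(entry, root)
        if path.exists():
            leftover.append(entry)
    return leftover


def check_driver_services(sections):
    """Return Driver:: names that still have a service key under
    HKLM\\SYSTEM\\CurrentControlSet\\Services.  Windows only; elsewhere
    there is no registry to read, so the result is empty."""
    try:
        import winreg
    except ImportError:
        return []
    present = []
    for name in sections.get("Driver", []):
        key_path = r"SYSTEM\CurrentControlSet\Services" + "\\" + name
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, key_path):
                present.append(name)
        except OSError:  # key absent: the driver entry was removed
            pass
    return present


def selftest_with_planted_file():
    """Plant one listed file under a temporary root (constructed input) and
    return what the checker reports; it should be exactly that one entry."""
    sections = parse_cfscript(CFSCRIPT)
    with tempfile.TemporaryDirectory() as root:
        planted = relocate(r"c:\windows\system32\loader100.exe", root)
        planted.parent.mkdir(parents=True)
        planted.touch()
        return check_leftovers(sections, root)


if __name__ == "__main__":
    parsed = parse_cfscript(CFSCRIPT)
    print("files still present:", check_leftovers(parsed) or "none")
    print("driver services still present:", check_driver_services(parsed) or "none")
    print("self-test:", selftest_with_planted_file())
```

    Run without arguments it checks the real paths (and, on Windows, the service keys); anything it lists is a reason to hold off on declaring the machine clean and to mention it along with the logs.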
     
  3. mexicola

    mexicola Private E-2

    TimW, thanks a ton for looking at my logs. I'm dying to get my pc clean but I'm not experienced enough to locate the root of the infection alone.

    I went through the 1st step of your instructions but there is a discrepancy to what is shown in the Hijackthis log and what you instructed me to remove so I'm attaching the log here BEFORE I remove anything. Forgive my ignorance but if you could specifically point out what to fix I will get right on it and continue from there. Thanks again, Jeffrey
     

    Attached Files:

  4. mexicola

    mexicola Private E-2

    Re: Lots of problems / Logs attached = Rootkit

    Tim, since I never found what you were asking me to remove with Hijackthis I simply completed the rest of the steps exactly as you asked. The new logs are attached. Last time I ran Combofix it had to reboot my pc because of a "rootkit activity" warning. I'm afraid to even shut my pc off because I have to continue to run combofix every time I do in order for all of my programs to run properly.
    Thanks again for the help. I really need it! Jeffrey
     

    Attached Files:

  5. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Let's see if we can finish this up.

    Please use add/remove programs to uninstall:
    J2SE Runtime Environment 5.0 Update 6
    My Way Search Assistant

    Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    After clicking Fix, exit HJT.

    Now copy the bold text below to Notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.
    Make sure that you tell me if you receive a success message about adding the above to the registry. If you do not get a success message, it definitely did not work.


    Now use windows explorer to find and delete:
    C:\Documents and Settings\Local Settings\protect.dll

    Now download and install:
    Java Runtime 6

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:

    * C:\MGlogs.zip

    Make sure you tell me how things are working now!
     
  6. mexicola

    mexicola Private E-2

    Tim,
    uninstalled: J2SE Runtime Environment 5.0 Update 6
    but was unable to uninstall: My Way Search Assistant
    and got this error message: "The specified module could not be found".

    Hijack this worked fine
    Merged the code to my registry successfully

    C:\Documents and Settings\Local Settings\protect.dll
    The above was not found on my pc either.

    Downloaded the new java and everything appears to be working great so far!

    New MG log attached! Thanks again, Jeffrey
     

    Attached Files:

  7. mexicola

    mexicola Private E-2

    Just an update:

    I used regedit to track down and remove My Way Search Assistant
     
  8. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Looks good. One last request:
    Run this: Disable/Remove Windows Messenger to remove Windows Messenger. Do not confuse Windows Messenger with MSN Messenger because they are not the same. Windows Messenger is a frequent cause of popups.

    If you are not having any other malware problems, it is time to do our final steps:

    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no real time protection. They are useful as backup scanners. They do not use any significant amount of resources (except a little disk space) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /u
        • Note: the space between combofix" and /u must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.

      • Delete the C:\combofix folder from combofix (if it exists)

    3. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    4. If running Vista, it is time to make sure you have re-enabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    5. Go to add/remove programs and uninstall HijackThis.
    6. You can delete the C:\MGtools folder and the C:\MGtools.exe file. You can also delete the C:\MGlogs.zip file.
    7. If you are running Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning steps in the READ ME for your Windows version and see the steps to Disable System Restore, which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.

    8. After doing the above, you should work through the below link:

     
