Major infection problem!

Discussion in 'Malware Help (A Specialist Will Reply)' started by vlw104, May 6, 2010.

  1. vlw104

    vlw104 Private E-2

    Hi,
    You helped me clean a computer a while ago and I was hoping you would be able to help again. I am using Windows Vista and my antivirus software is AVG Free Edition. Despite this I seem to have another trojan. I constantly get pop-ups telling me that my computer is infected and I should activate this antivirus software. I can't get rid of them; it's continuous all the time the computer is on. I also get pornographic and Viagra-type web pages popping up randomly. I can't connect to the internet and I have tried to run your various programs in your malware removal guide, but they just time out. Tried running AVG in safe mode and it said it found a 'worm', but it hasn't made any difference to what's happening to it. Hope you can help again!

    Thanks

    Vickie
     
  2. dr.moriarty

    dr.moriarty Malware Super Sleuth Staff Member

    Hello, vlw104

    Let's begin with this:

    Please download and run the below tool named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.

    There are 4 different versions. If one of them won't run then download and try to run the other one.

    Vista and Win7 users need to right click and choose Run as Administrator


    You only need to get one of them to run, not all of them. You may get warnings from your antivirus about this tool; ignore them or shut down your antivirus.
    1. Rkill.exe
    2. Rkill.com
    3. Rkill.scr
    4. Rkill.pif
    Once you've gotten one of them to run then try to immediately run the following.

    Now download and Run exeHelper from Raktor
    • Please download exeHelper to your desktop.
    • Double-click on exeHelper.com to run the fix.
    • A black window should pop up, press any key to close once the fix is completed.
    • A log file named log.txt will be created in the directory where you ran exeHelper.com
    • Attach the log.txt file to your next message.
    Note: If the window shows a message that says "Error deleting file", please re-run the program before posting a log - and post the two logs together (they will both be in the one file).

    Now run this: Using Malwarebytes Anti-Malware

    Now run this: Using MGtools


    Now you need to attach (See: HOW TO: Attach Items To Your Post ) the below logs created while running the above scans
    • exeHelper log
    • Malwarebytes Anti-Malware log
    • MGlogs.zip - normally it is C:\MGlogs.zip - only attach this log from MGtools.exe DO NOT attach any logs seen in the MGtools folder.

    NOTE:
    1. If you have problems downloading on the problem PC, download the tools and the manual updates for Malwarebytes onto another PC and then burn them to a CD. Then copy them to the problem PC. Yes, you could use a flash drive too, but flash drives are writable and infections can spread to them.

    dr.m
     
  3. vlw104

    vlw104 Private E-2

    I ran the Rkill program with no problems, and then the exeHelper. I then downloaded Malwarebytes (all using a memory stick because the infected one won't connect). It loaded and updated OK, but when I asked it to perform the quick scan it just closed. I tried the desktop icon again, running as administrator, and it gave me an error message along the lines of "cannot access specified device path or file".
    I then followed the MGtools instructions and this was successful. Tried to re-load Malwarebytes again using the copy on the stick and had exactly the same problem.
    I have attached the exeHelper log and the MGlogs.zip.

    Thanks for your help Dr M!!

    Vickie
     
  4. dr.moriarty

    dr.moriarty Malware Super Sleuth Staff Member

    :(

    The MGlogs.zip file that you attached was run in June 2009, apparently from the thread you didn't finish with Kestrel13!.
    http://forums.majorgeeks.com/showthread.php?t=191421
    Now go to this link MGTools and download the new version of MGtools....overwrite your previous MGtools.exe file with this one.

    Then run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, use right click and select Run As Administrator).

    Please attach the new C:\MGlogs.zip file to your next reply.

    dr.m
     
  5. vlw104

    vlw104 Private E-2

    Hi,
    Sorry about that! Strange though, because the last time I was helped it was a different PC. I had put on the new version yesterday and ran it, or so I thought, but couldn't find the zip file in the MGtools folder. I then ran an advanced search for the zip file name and found that one. Just assumed it was the right one!

    Nevertheless, I loaded it again this morning and I really don't think it is running properly. I ran GetLogs.bat as administrator and a black window popped up briefly and then the program did nothing else. Again, the zip file did not appear in the new MGtools folder. Think it may just be crashing out like MBAM did.

    Sorry for confusion. Hope you can help.

    Thanks
    Vickie
     
  6. vlw104

    vlw104 Private E-2

    P.S. Still not connecting to the internet (it would be easier to download things direct), although it says I am connected to the WiFi; I just get "Internet Explorer cannot display blah blah blah". But on a positive note, I am not getting Asian porn and Viagra ads popping up, so every cloud!!
     
  7. dr.moriarty

    dr.moriarty Malware Super Sleuth Staff Member

    It wouldn't be there - it's found directly under your C:\ directory.

    *Tools to download > transfer to the infected machine > run:
    • Please download RootRepeal Beta file, and save it to your Desktop.
    • Once you have downloaded it and saved to your Desktop, close all other programs and run it by double-clicking on the file named RootRepeal.exe
    • Once the main window shows up, please click on the Report button on the bottom of the window.
    • Next, please click the Scan button.
    • Another window will pop up asking you to select what to include in the scan. Please uncheck everything except for the Stealth Code checkbox, and then click OK.
    • Once the program has finished scanning, the results will appear. Click on the Save Report button, and save the report to your Desktop.
    • Attach this log to your next message.

    Now run this GMER - running with a random name and attach the log from GMER if it runs.

    Now go to TDSSKiller and Download TDSSKiller.zip to your Desktop
    • Extract its contents to your Desktop so that you have TDSSKiller.exe directly on your Desktop and not in any subfolder of the Desktop.
    • Click Start > Run and copy/paste the following bold command into Run box and hit Enter.
    "%userprofile%\Desktop\TDSSKiller.exe" -v
    • Follow the instructions to type in "delete" when it asks you what to do when it finds something.
    • When done, a log file should be created on your C: drive named something like TDSSKiller.2.1.1_27.12.2009_14.17.04_log.txt which is based on the program version # and date and time run. Please attach this log to your next reply.

    Now go to this link MGTools and download the new version of MGtools....overwrite your previous MGtools.exe file with this one.

    Then run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, use right click and select Run As Administrator).

    Please attach the below logs to your next reply:
    • C:\MGlogs.zip
      • Make certain to view the "Date Modified" column to attach the newest created zip file.
    • RootRepeal Beta log
    • TDSSKiller log.txt
    • GMERlog

    * Make sure you tell me if you had any problems running this procedure; and answer this - "What malware problems are you still experiencing?"

    dr.m
     
    Last edited: May 10, 2010
  8. vlw104

    vlw104 Private E-2

    Hi,
    Thanks for your reply.

    I tried to run rootrepeal following your instructions and the system crashed. Got a blue screen telling me windows detected a problem and had to shut down, then it was doing a 'crash dump'. Tried this twice and got the same problem.

    Ran GMER, and although I had trouble shutting it down after, and my computer completely froze, and I had to switch it off and on again, I think I managed to get the right log.

    TDSSkiller ran ok and hopefully I have attached the correct log.

    MGtools was a pain! I couldn't overwrite the version already on there; Windows kept telling me I couldn't access it without permission etc. etc. Kept telling me it was a virus, but despite my efforts to load it, no can do. I then ran the original version I managed to save on there from last time, and found the zip file on the C drive. It only contained one text file, which was system info, but from what I can remember, you probably were expecting more info??

    I am still unable to connect to the internet and the whole thing is running really slow, but no pop ups to date!

    Hope I did everything you asked ok, Thanks for your continued support.

    Vickie
     
  9. dr.moriarty

    dr.moriarty Malware Super Sleuth Staff Member

    You're welcome, vlw104.

    *Did you shutdown Avira AntiVir Personal on the infected pc as instructed in Vista Cleaning Procedure - Step 1: Downloading Tools before transferring it?

    *Have you also tried running combofix.exe using the instructions given here: http://www.bleepingcomputer.com/combofix/how-to-use-combofix. Did you try re-naming ComboFix to "123.com" and seeing if it will run?

    Now download The Avenger by Swandog469, and save it to your Desktop.
    • Extract avenger.exe from the Zip file and save it to your desktop
    • Run avenger.exe by double-clicking on it.
    • Do not change any check box options!!
    • Copy everything in the Quote box below, and paste it into the "Input script here:" part of the window.
    • Now click the Execute button.
    • Click Yes to the prompt to confirm you want to execute.
    • Click Yes to the Reboot now? question that will appear when Avenger finishes running.
    • Your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt and it will popup for you to view when you login after reboot.

    Compose A Script to Locate A File.
    Please highlight, copy (Ctrl+C) and paste (Ctrl+V) the text inside the quote into a new Notepad document.
    Save it on your Desktop as file type "All Files" (NOT as "Text Documents") and name it FindMe.bat
    Close Notepad.
    Double click FindMe.bat on your Desktop. (If you have Vista, right-click the file, choose Run as administrator and OK the Command Processor).
    A window will open and close in a minute or two. This is normal.
    A new file icon named look.txt will appear on your desktop. In your next reply, please post the contents of the look.txt file, or tell me if it's blank.

    *If you were NOT successful in getting MGTools.exe updated/ ran/ and have an updated MGLogs.zip to attach - then do this:

    Please download OTL by OldTimer, saving it to your desktop:
    • Close all open windows on the Task Bar. Double-click the OTL icon to start the program and let it run uninterrupted.
    • When the windows appears, underneath Output at the top - change it to Minimal Output.
    • Under the Standard Registry box, change it to All.
    • Check the boxes beside LOP Check and Purity Check.
    • Now click the Run Scan button at Top left and let the program run - the scan may take 5-10 minutes.
    • Do not TOUCH your keyboard until the scan completes!
      • It will produce two (2) logs on your desktop, one will pop up called OTL.txt and the other - Extras.txt. These logs are saved normally directly under your C:\ directory.
      • Now exit Notepad.
      • Exit OTL by clicking the [X] at top right.

    Please attach these logs to your next reply:
    • C:\avenger.txt
    • both OTListIt.txt and Extras.txt logs
    • updated MGLogs.zip if possible
    • Contents of "look.txt"

    * Make sure you tell me if you had any problems running this procedure; and answer this - "What malware problems are you still experiencing?"

    dr.m
     
  10. vlw104

    vlw104 Private E-2

    Hi,
    This procedure has taken me about 3 years!! If I ever get this heinous crime of a computer back on track, I think I may sell it and breed carrier pigeons!! :-D

    I uninstalled AVG to remove all confusion! I then ran ComboFix, renaming it 123.com. SAS was a problem at this stage but I think I managed to disable it. I ran ComboFix and it found loads of corrupt files it couldn't read and kept telling me to run the "chkdsk utility". After about 2 years it finished and I have attached the log!

    MGtools ran after this and, hopefully, I have attached the right logs (you little genius)!!

    Avenger run and I followed instructions. It rebooted followed by a crash dump, and I had to restart manually, then select to restart computer normally. The file appeared on reboot and is attached.

    After this I was able to connect to the internet on the infected computer so continued to execute the next stage in your instructions regarding the script locate file, and the look.txt file is attached.

    I couldn't find, and don't really know what it means, as far as the OTListIt.txt and Extras.txt files go, but just hoping they are part of the others.

    Fingers (and toes) crossed, everything you need is attached. Sorry if I am being a moron but I think this may have taxed every living brain cell out of me!!


    I dont seem to be having any malware problems at the moment!

    Thanks again for your continued support.

    Many thanks
    Vickie
     
  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You are using an outdated (more than a year old) version of MGtools and you are not running it from your C drive as required, which is why your logs are incomplete. You need to download the current version of MGtools and run it from the C drive.

    You also improperly ran ComboFix from your E drive and it needs to be on your Desktop on the C drive.

    As far as OTListIt.txt and Extras.txt, you will not have these logs until you download and run the tool like dr.moriarty requested.
     