Malware is kicking my butt, need help

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by Dracco50, Jul 30, 2011.

  1. Dracco50

    Dracco50 Private E-2

    My kid's Acer Netbook got a nasty virus that I cannot get rid of and need some help identifying and removing it please.

    Error message that got me digging around was a BSOD upon bootup after Windows loaded: "Stop 0X0000008E (0X00000005, 0XF75DA71D, 0XA4C718, 0X000000), ATAPI.SyS - address F75DA71D base at F75D0000".

    I was able to boot in Safe mode and noticed a few things right away, Microsoft Security Essentials was off, Firewall was off and when I went to the Internet I was redirected. My internet security settings were all changed to custom and pop-up blocker was set to minimum.

    When I tried to re-engage the antivirus it would time out. When I changed my IE settings, they would change back.

    I installed and ran Malwarebytes and came up with 322 hits. Wow! Hoping that was it, I rebooted and received the same error. Ran again with 52 hits... rinse and repeat, still getting hits.

    Programs I tried to kill the infection with: Windows Malware, HWvendorDetection, RKill (then Malwarebytes), IObit and a few others. They all found and tried to remove numerous viruses, or at least acted like it.

    Then I found you guys and the very detailed removal guide which I followed and am still infected, still receive the BSOD and my settings are still jacked.

    P.S. I even tried a Windows Recovery and received the error that my KDCOM.dll was not loaded (Code 4). Also tried System Restore on each and every one and could not. I can't remember the other things I was trying, but my Group Policy was changed too and I could not access it either.

    Anyway, attached are the requested logs; looking for expert help on getting this netbook back up and running.

    Thanks a bunch

    Thanks
     

    Attached Files:

  2. Dracco50

    Dracco50 Private E-2

    Another log that was requested
     

    Attached Files:

  3. thisisu

    thisisu Malware Consultant

    Welcome to Major Geeks!

    I will review your logs. Please be patient as there is a lot of information to review.
     
  4. thisisu

    thisisu Malware Consultant

    From Add/Remove Programs (via Control Panel). Please uninstall the following:

    • Ask Toolbar
    • Java(TM) 6 Update 17


    Go to the below link and follow the instructions for running TDSSKiller by Kaspersky


    Please also download MBRCheck to your Desktop.
    See the download links under this icon http://forums.majorgeeks.com/chaslang/images/MGDownloadLoc.gif
    • Double click MBRCheck.exe to run (Vista and Win7 right click and select Run as Administrator)
    • It will show a Black screen with some information that will contain either the below line if no problem is found:
      • Done! Press ENTER to exit...
    • Or you will see more information like below if a problem is found:
      • Found non-standard or infected MBR.
      • Enter 'Y' and hit ENTER for more options, or 'N' to exit:
    • Either way, just choose to exit the program at this point since we want to see only the scan results to begin with.
    • MBRCheck will create a log named similar to MBRCheck_07.16.10_00.32.33.txt which is random based on date and time.
    • Attach this log to your next message. (How to attach items to your post)

    Now we need to use ComboFix
    • Make sure that ComboFix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    • If ComboFix tells you it has expired or needs to be updated to a new version, make sure you allow it to update.
    • Open Notepad and copy/paste the text in the below quote box into it:
    • Save the above as CFScript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFScript.txt on top of ComboFix.exe
      http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
    • Follow the prompts.
    • When it finishes, a log will be produced named C:\ComboFix.txt
    • Attach this log to your next message. (How to attach items to your post)
    Note: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

    If after running ComboFix you discover none of your programs will open up because you receive the following error: Illegal operation attempted on a registry key that has been marked for deletion, then you will need to reboot your computer, which will normally fix this problem.

    Now download and install Sun Java Runtime Environment 7
    See the download links under this icon http://forums.majorgeeks.com/chaslang/images/MGDownloadLoc.gif

    Now run C:\MGtools\GetLogs.bat by double-clicking on it (Vista and Win7 right click and select Run as Administrator)

    This will automatically update all the logs in MGlogs.zip!
    Make sure you click Accept on the License Agreement from HiJackThis!/analyse.exe twice (yes twice) if prompted.

    Then attach C:\MGlogs.zip to your next message (How to attach items to your post)

    Let me know how the PC is running after you've completed these steps!
     
  5. Dracco50

    Dracco50 Private E-2

    thisisu,

    Thanks for the quick response. As today was too hectic to try anything, I'll accomplish your requested actions tomorrow, post my logs and let you know how it goes.
     
  6. Dracco50

    Dracco50 Private E-2

    thisisu,

    Thanks for the help. Attached are the requested logs. Below is the rundown in 2 phases.

    Phase One: all actions accomplished in Safe Mode, due to BSOD.

    1. Tried to remove Ask Toolbar and Java. Received message: "The Windows Installer could not be accessed. This can occur if you are running in Safe Mode, or if the installer is not correctly installed. Contact support personnel for assistance."

    Note: Checked Windows Installer in Services. It was not started; tried to start it, but it would not allow it.

    2. Ran TDSSKiller - found item, log attached.

    3. Ran MBRCheck - found non-standard or infected MBR. Pressed No; log attached.

    4. Tried to install Java just to see if it would overwrite. Received error message: System Admin has set policy to prevent installation.

    Note: running as admin, so unless it's a Safe Mode thing, I don't mess with the group policies.

    5. Ran MGtools; no HijackThis popped up for me to accept. Zip attached.

    Accomplished a full reboot and DID NOT receive the BSOD :) :), started Phase 2.

    1. Tried to uninstall Ask Toolbar again. Received error: Windows Installer could not find it.

    2. Uninstalled Java 6, installed requested Java file.

    I did not want to run any more tests until you reviewed what has been accomplished so far; please let me know.

    Thanks again
     

    Attached Files:

  7. thisisu

    thisisu Malware Consultant

    Logs are looking better, but you have an MBR infection. Do you have your WinXP boot CD?

    If you do, then see if you can boot from this CD and get into the Recovery Console. See the second section in the below link where it says "How to use the Recovery Console"

    http://support.microsoft.com/kb/307654

    If you can get to the command prompt of the Recovery Console, type fixmbr and hit enter. After it finishes type exit to reboot and remove the CD to allow Windows to boot normally.

    If you were able to run fixmbr, rerun MBRCheck and attach a new log. Also tell me how things are working.
     
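    The consultant's advice above rests on MBRCheck's verdict that the boot sector is "non-standard or infected". As an added illustration (not part of this thread and not MBRCheck's own code), the Python below performs the same kind of sanity check on a raw 512-byte MBR image: it hashes the bootstrap code (bytes 0-439) against a list of known-good hashes, verifies the 0x55AA boot signature, and checks the four partition entries for an invalid status byte, more or fewer than one active partition, zero extents and overlaps. The known-good hash and the sample MBR images are constructed for the example; in practice the baseline hash would come from the boot code of a clean install of the same Windows version, and the sector would be read from the physical disk (which needs administrator rights).

```python
"""Constructed example: check a raw 512-byte MBR the way a tool such as
MBRCheck does (known-good boot-code hash, 0x55AA signature, sane partition
table).  Illustration only, not MBRCheck's implementation."""
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 440            # bytes 0..439 hold the bootstrap code
PART_TABLE_OFFSET = 446        # four 16-byte partition entries follow
BOOT_SIGNATURE = b"\x55\xAA"   # bytes 510..511
# status(1) chs_start(3) type(1) chs_end(3) lba_start(4) sectors(4); CHS skipped
PART_ENTRY_FMT = "<B3xB3xII"


def parse_partitions(mbr):
    """Return the non-empty partition entries as dicts."""
    parts = []
    for i in range(4):
        status, ptype, lba_start, sectors = struct.unpack_from(
            PART_ENTRY_FMT, mbr, PART_TABLE_OFFSET + i * 16)
        if ptype == 0 and sectors == 0:
            continue  # unused slot
        parts.append({"index": i, "status": status, "type": ptype,
                      "lba_start": lba_start, "sectors": sectors})
    return parts


def check_mbr(mbr, known_good_hashes):
    """Return a list of findings; an empty list means nothing suspicious."""
    if len(mbr) != SECTOR_SIZE:
        return [f"expected {SECTOR_SIZE}-byte sector, got {len(mbr)}"]
    findings = []
    if mbr[510:512] != BOOT_SIGNATURE:
        findings.append("boot signature 0x55AA missing")
    digest = hashlib.sha256(mbr[:BOOT_CODE_LEN]).hexdigest()
    if digest not in known_good_hashes:
        findings.append(f"non-standard boot code (sha256 {digest[:16]}...)")
    parts = parse_partitions(mbr)
    active = [p for p in parts if p["status"] == 0x80]
    if len(active) != 1:
        findings.append(f"{len(active)} active partitions (expected 1)")
    for p in parts:
        if p["status"] not in (0x00, 0x80):
            findings.append(f"partition {p['index']}: invalid status byte 0x{p['status']:02x}")
        if p["lba_start"] == 0 or p["sectors"] == 0:
            findings.append(f"partition {p['index']}: zero start or length")
    spans = sorted((p["lba_start"], p["lba_start"] + p["sectors"], p["index"]) for p in parts)
    for (_, end1, i1), (start2, _, i2) in zip(spans, spans[1:]):
        if start2 < end1:
            findings.append(f"partitions {i1} and {i2} overlap")
    return findings


def build_mbr(boot_code, partitions):
    """Assemble a 512-byte MBR from boot code and (status, type, lba_start, sectors) tuples."""
    mbr = bytearray(SECTOR_SIZE)
    mbr[:len(boot_code)] = boot_code
    for i, (status, ptype, lba_start, sectors) in enumerate(partitions):
        struct.pack_into(PART_ENTRY_FMT, mbr, PART_TABLE_OFFSET + i * 16,
                         status, ptype, lba_start, sectors)
    mbr[510:512] = BOOT_SIGNATURE
    return bytes(mbr)


def read_mbr(path):
    """Read the first sector of a disk image or raw device (e.g. a dd copy)."""
    with open(path, "rb") as f:
        return f.read(SECTOR_SIZE)


# Constructed stand-in for vendor bootstrap code; a real baseline is the hash of
# the boot code from a clean install of the same Windows version.
CLEAN_BOOT_CODE = bytes([0x33, 0xC0, 0x8E, 0xD0, 0xBC, 0x00, 0x7C]) + b"\x90" * (BOOT_CODE_LEN - 7)
KNOWN_GOOD = {hashlib.sha256(CLEAN_BOOT_CODE).hexdigest()}

LAYOUT = [(0x80, 0x07, 63, 4_000_000)]          # one active NTFS partition (constructed)
CLEAN_MBR = build_mbr(CLEAN_BOOT_CODE, LAYOUT)
# Constructed "patched" MBR: same partition table, but the bootstrap code differs.
PATCHED_MBR = build_mbr(b"\xEB\x10" + CLEAN_BOOT_CODE[2:], LAYOUT)

if __name__ == "__main__":
    for name, image in (("clean", CLEAN_MBR), ("patched", PATCHED_MBR)):
        result = check_mbr(image, KNOWN_GOOD)
        print(name, "->", result or "Done! No problem found.")
```

    The check is deliberately conservative: a hash mismatch only says the boot code is not one the baseline recognises, which is also what you get after a vendor-customised MBR or a boot manager, so the finding is a prompt to compare against a clean reference (or, as in this thread, to restore the standard code with fixmbr and re-check), not a verdict on its own.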
  8. Dracco50

    Dracco50 Private E-2

    Computer is running a lot better: no BSOD anymore, IE settings are staying where they belong and no redirects.

    However, I am still finding viruses on it using SUPERAntiSpyware and Malwarebytes. Logs attached. I don't know if something is still "open" allowing them to get on the system.

    MS Security Essentials and Firewall are up and operational again, and while the computer was just idle it popped up with 2 more: Backdoor:Win32/proxybot.c and Trojan:js Hiloti.D.

    P.S. I have updated to IE 8 and applied all the Windows security patches (now that the MS Updater is working again) except for Microsoft .NET Framework 1.1 SP1 (KB979906). This one will not install for some reason; I am going through the MS readme on it to figure out why.

    Thanks for all your help, I am re-running scans now to see if anything comes up.
     

    Attached Files:

  9. thisisu

    thisisu Malware Consultant

    Glad to hear that the computer is running better. The items in your SAS log are all cookies; cookies are not harmful. If you did the SAS procedure correctly, though, you will have noticed that we don't even want you to scan for tracking cookies. These items reported are nothing to be concerned about, and they will keep coming back as you continue to browse the web.

    Your MBAM log is only reporting items that are in System Restore (infected System Restore points). MBAM took care of them, but I will have you flush all your system restore points when it is time to.

    Your infected MBR is also gone now, so that is good :)

    Can you rerun GetLogs.bat from C:\MGtools and then attach MGlogs.zip here?
     
  10. Dracco50

    Dracco50 Private E-2

    Thanks for all the help so far, attached is the zip.
     

    Attached Files:

  11. thisisu

    thisisu Malware Consultant

    The MBR infection may have been blocking removal of certain items before. There is still some malware in your logs. From NORMAL mode, please uninstall the following from Add/Remove Programs:

    • Ask Toolbar

    Note: If you get a message that it could not find the item, have it remove it from the list (Add/Remove list) instead.


    Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

    Run C:\MGtools\analyse.exe by double-clicking it (Vista and Win7 right-click and select Run as Administrator)
    Choose Do a system scan only and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    After clicking Fix, exit HJT.

    Please download Disable/Remove Windows Messenger to your Desktop.
    See the download links under this icon http://forums.majorgeeks.com/chaslang/images/MGDownloadLoc.gif
    1. Double-click MessengerDisable.exe
    2. Place a check-mark in Uninstall Windows Messenger
    3. Click Apply
    4. Click Exit


    Now download The Avenger by Swandog46 to your Desktop.
    See the download links under this icon http://forums.majorgeeks.com/chaslang/images/MGDownloadLoc.gif
    1. Open avenger.zip and extract avenger.exe to your Desktop
    2. Run avenger.exe by double-clicking on it.
    3. Click OK at the warning to continue to use The Avenger
    4. Do not change any of the check box options!
    5. Shut down your protection software now to avoid possible conflicts.
    6. Copy everything in the Quote box below, and paste it into the Input script here: part of The Avenger
    7. Now click the http://img33.imageshack.us/img33/9159/executeavenger.jpg button
    8. Click Yes to the prompt to confirm you want to execute.
    9. Click Yes to the Reboot now? question that will appear when The Avenger finishes running.
    10. Your PC should reboot, if not, reboot it yourself.
    11. A log file from The Avenger will be produced at C:\avenger.txt and it will pop-up for you to view when you login after reboot.
    12. Attach this log to your next message. (How to attach items to your post)

    Now run C:\MGtools\GetLogs.bat by double-clicking on it (Vista and Win7 right click and select Run as Administrator)

    This will automatically update all the logs in MGlogs.zip!
    Make sure you click Accept on the License Agreement from HiJackThis!/analyse.exe twice (yes twice) if prompted.

    Then attach C:\MGlogs.zip to your next message (How to attach items to your post)
     
  12. Dracco50

    Dracco50 Private E-2

    Thanks for all the help so far; your ability to view these logs and pick out malware and then know which tool to use to remove it is awesome.

    First, the Ask Toolbar would not remove in Add/Remove Programs. First it popped up a message that a current install is active, then on the second attempt it asked for the file location. No way to manually remove it from the list that I could find.

    Attached are the logs. I did notice that The Avenger did not find a couple of keys to delete.
     

    Attached Files:

  13. thisisu

    thisisu Malware Consultant

    Doesn't seem to be showing up anymore. ;)
    Just a few more things now...

    Now we need to use ComboFix
    • Make sure that ComboFix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    • If ComboFix tells you it has expired or needs to be updated to a new version, make sure you allow it to update.
    • Open Notepad and copy/paste the text in the below quote box into it:
    • Save the above as CFScript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFScript.txt on top of ComboFix.exe
      http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
    • Follow the prompts.
    • When it finishes, a log will be produced named C:\ComboFix.txt
    • Attach this log to your next message. (How to attach items to your post)
    Note: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

    If after running ComboFix you discover none of your programs will open up because you receive the following error: Illegal operation attempted on a registry key that has been marked for deletion, then you will need to reboot your computer, which will normally fix this problem.

    Now run C:\MGtools\GetLogs.bat by double-clicking on it (Vista and Win7 right click and select Run as Administrator)

    This will automatically update all the logs in MGlogs.zip!
    Make sure you click Accept on the License Agreement from HiJackThis!/analyse.exe twice (yes twice) if prompted.

    Then attach C:\MGlogs.zip to your next message (How to attach items to your post)
     
  14. Dracco50

    Dracco50 Private E-2

    Thanks,

    Ran ComboFix script; logs are attached.
     

    Attached Files:

  15. thisisu

    thisisu Malware Consultant

    You're welcome :) Now all your logs are clean.

    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources ( except a little disk space ) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /uninstall
        • Notes: The space between the combofix" and the /uninstall, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
    3. Go back to step 6 of the READ ME and re-enable your Disk Emulation software with Defogger if you had disabled it.
    4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    7. Go to Add/Remove Programs and uninstall HijackThis if it is present.
    8. Go to the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    9. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures pointed to by step 7 of the READ ME
        for your Window version and see the instructions to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    10. After doing the above, you should work through the below link:
     
  16. Dracco50

    Dracco50 Private E-2

    All tasks accomplished, thanks for your help and time.
     
