Malware Issue

Discussion in 'Malware Help (A Specialist Will Reply)' started by CMach08, Apr 29, 2010.

  1. CMach08

    CMach08 Private E-2

    I ran the Malware removal guide, because I had this bad ave.exe program running some fake anti-virus. Now that I 'deleted' it, I can't open any program because it asks me what I should use to open the program with.

    i.e. Firefox... I tried to open it and it asked me how to open it and I selected Firefox, but if I want to open iTunes, a game, etc., I don't know what to do. :(

    EDIT: It seems like all the file paths were deleted. I tried to open up a game, and I basically had to go through my desktop and link the shortcut to the proper .exe file.
     
  2. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

  3. CMach08

    CMach08 Private E-2

    Tim, you rock! Thanks so much.

    Here's my other problem. I have run that Malware removal guide twice in the past 4 days because that ave.exe or whatever has come back or just came out of being dormant. Is there something else I should be doing? I want to remove this thing FOR GOOD! It's so annoying; I do most of my banking and use passwords. I am nervous to even use my PC for banking anymore. ;(
     
  4. CMach08

    CMach08 Private E-2

    Malwarebytes' Anti-Malware 1.46
    www.malwarebytes.org

    Database version: 4052

    Windows 6.1.7600
    Internet Explorer 8.0.7600.16385

    4/29/2010 4:09:17 PM
    mbam-log-2010-04-29 (16-09-17).txt

    Scan type: Quick scan
    Objects scanned: 122916
    Time elapsed: 5 minute(s), 42 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 4
    Registry Values Infected: 5
    Registry Data Items Infected: 3
    Folders Infected: 2
    Files Infected: 12

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    HKEY_CLASSES_ROOT\AppID\{a9722a0d-365f-47d2-b70b-37d046316d99} (Adware.EZlife) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\avsuite (Rogue.AntivirusSuite) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\Software\avsuite (Rogue.AntivirusSuite) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\avsoft (Trojan.Fraudpack) -> Quarantined and deleted successfully.

    Registry Values Infected:
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\gotnewupdate000.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hyvoddjb (Rogue.AntivirusSuite.Gen) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsdefrag (Trojan.Downloader) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\.exe\shell\open\command\(default) (Hijack.ExeFile) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\secfile\shell\open\command\(default) (Rogue.MultipleAV) -> Quarantined and deleted successfully.

    Registry Data Items Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Users\Machi\AppData\Local\ave.exe" /START "firefox.exe") Good: (firefox.exe) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Users\Machi\AppData\Local\ave.exe" /START "iexplore.exe") Good: (iexplore.exe) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Users\Machi\AppData\Local\ave.exe" /START "firefox.exe -safe-mode") Good: (firefox.exe -safe-mode) -> Quarantined and deleted successfully.

    Folders Infected:
    C:\Program Files\Smart-Ads-Solutions (Adware.SmartAds) -> Quarantined and deleted successfully.
    C:\Program Files\Smart-Ads-Solutions\SmartAds (Adware.SmartAds) -> Quarantined and deleted successfully.

    Files Infected:
    C:\Users\Machi\AppData\Roaming\B4226D827D85C79E8D5BD07DB50CAEC2\gotnewupdate000.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
    C:\Windows\system32\Drivers\pqrff.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
    C:\Users\Machi\AppData\Local\Temp\stpec7af.exe (Trojan.FraudTool) -> Quarantined and deleted successfully.
    C:\Users\Machi\AppData\Local\Temp\xoscamerwn.exe (Adware.AdRotator) -> Quarantined and deleted successfully.
    C:\Users\Machi\AppData\Local\Temp\AOCR.exe (Rogue.AntivirusSuite) -> Quarantined and deleted successfully.
    C:\Users\Machi\AppData\Local\Temp\RarSFX0\hor0410e.exe (Adware.Adrotator) -> Quarantined and deleted successfully.
    C:\Users\Machi\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Antimalware Doctor.lnk (Rogue.AntiMalwareDoctor) -> Quarantined and deleted successfully.
    C:\Users\Machi\Favorites\_favdata.dat (Malware.Trace) -> Quarantined and deleted successfully.
    C:\Users\Machi\AppData\Local\lbpyniswi\xfyhlbvtssd.exe (Rogue.AntivirusSuite.Gen) -> Quarantined and deleted successfully.
    C:\Users\Machi\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Antimalware Doctor.lnk (Rogue.AntimalwareDoctor) -> Quarantined and deleted successfully.
    C:\Users\Machi\AppData\Roaming\Microsoft\Windows\Start Menu\Antimalware Doctor.lnk (Rogue.AntimalwareDoctor) -> Quarantined and deleted successfully.
    C:\Users\Machi\AppData\Local\Temp\wxnmrsoeca.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
     
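The log above is the interesting part of this thread: the rogue rewired `HKEY_CLASSES_ROOT\.exe\shell\open\command` and the `StartMenuInternet` browser launch commands so that every program start went through `C:\Users\Machi\AppData\Local\ave.exe`, and Malwarebytes deleted the hijacked `.exe` handler rather than restoring it, which is exactly why every program then asked "what do you want to open this with?". The script below is an added example (not part of the original post and not Malwarebytes' own code) that triages an MBAM 1.x removal log into the persistence mechanisms a responder cares about and flags that missing `.exe` handler. The embedded sample is an excerpt of the log posted above so it runs offline; the mechanism labels, the `launchers` extraction and the advice strings are my own classification, not anything the log or the tool emits.

```python
"""Triage a Malwarebytes (MBAM 1.x) removal log offline.

Added example for this thread. SAMPLE_LOG is an excerpt copied from the
log in the post above; everything else (mechanism labels, advice) is the
author of this example's own classification, not Malwarebytes output.
"""
import re
from collections import Counter

SAMPLE_LOG = r"""
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\avsuite (Rogue.AntivirusSuite) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\gotnewupdate000.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsdefrag (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\.exe\shell\open\command\(default) (Hijack.ExeFile) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\secfile\shell\open\command\(default) (Rogue.MultipleAV) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Users\Machi\AppData\Local\ave.exe" /START "firefox.exe") Good: (firefox.exe) -> Quarantined and deleted successfully.

Files Infected:
C:\Windows\system32\Drivers\pqrff.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\Users\Machi\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Antimalware Doctor.lnk (Rogue.AntiMalwareDoctor) -> Quarantined and deleted successfully.
"""

# "<item> (<ThreatName>) -> <rest>"; item may itself contain "\(default)"
ENTRY_RE = re.compile(r"^(?P<item>.*?) \((?P<threat>[A-Za-z0-9.]+)\) -> (?P<rest>.*)$")
# Data-item lines carry the hijacked and the restored value before the action
BADGOOD_RE = re.compile(r"^Bad: \((?P<bad>.*)\) Good: \((?P<good>.*)\) -> (?P<action>.*)$")
QUOTED_EXE_RE = re.compile(r'"([^"]+\.exe)"', re.IGNORECASE)


def mechanism(item):
    """Map a registry path or file path to the persistence/hijack technique it represents."""
    u = item.upper()
    if "\\CLIENTS\\STARTMENUINTERNET\\" in u:      # browser launched via the rogue
        return "browser-launch hijack (StartMenuInternet)"
    if "\\SHELL\\OPEN\\COMMAND" in u:             # ProgID open verb (e.g. .exe -> exefile/secfile)
        return "file-association hijack"
    if "\\CURRENTVERSION\\RUN\\" in u:
        return "Run-key autostart"
    if "\\STARTUP\\" in u and u.endswith(".LNK"):
        return "Startup-folder shortcut"
    if u.endswith(".SYS"):
        return "kernel driver"
    if re.match(r"^[A-Z]:\\", u):
        return "dropped file or folder"
    return "registry trace"


def parse_log(text):
    """Return one dict per detection line, tagged with its log section and mechanism."""
    findings, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("(No malicious"):
            continue
        if line.endswith("Infected:"):               # "Registry Values Infected:" etc.
            section = line[: -len(" Infected:")]
            continue
        m = ENTRY_RE.match(line)
        if not m or section is None:                  # summary/header lines never match
            continue
        rest, bad, good = m["rest"], None, None
        bg = BADGOOD_RE.match(rest)
        if bg:
            bad, good, rest = bg["bad"], bg["good"], bg["action"]
        findings.append({"section": section, "item": m["item"], "threat": m["threat"],
                         "action": rest.rstrip("."), "bad": bad, "good": good,
                         "mechanism": mechanism(m["item"])})
    return findings


def triage(findings):
    """Summarise mechanisms, recover the launcher the hijacks pointed at, and flag a broken .exe handler."""
    counts = Counter(f["mechanism"] for f in findings)
    exe_assoc = [f for f in findings
                 if f["item"].upper().endswith("\\.EXE\\SHELL\\OPEN\\COMMAND\\(DEFAULT)")]
    # Deleted with no "Good:" value means nothing handles .exe any more -> the "open with" prompt
    exe_handler_deleted = any(f["good"] is None and "deleted" in f["action"] for f in exe_assoc)
    launchers = set()
    for f in findings:
        if f["bad"]:
            q = QUOTED_EXE_RE.search(f["bad"])
            if q:
                launchers.add(q.group(1))
    notes = []
    if exe_handler_deleted:
        notes.append("HKCR\\.exe open command was deleted, not restored: .exe files have no "
                     "handler (the 'open with' prompt). Restore the default exefile association.")
    if counts["kernel driver"]:
        notes.append("A kernel driver was removed: assume ring-0 code ran while infected and "
                     "treat credentials used on this machine in that window as exposed.")
    return {"counts": counts, "exe_handler_deleted": exe_handler_deleted,
            "launchers": sorted(launchers), "notes": notes}


if __name__ == "__main__":
    result = triage(parse_log(SAMPLE_LOG))
    for mech, n in result["counts"].most_common():
        print(f"{n:2d}  {mech}")
    print("launchers:", result["launchers"])
    for note in result["notes"]:
        print("-", note)
```

Feed it a full mbam-log-*.txt instead of `SAMPLE_LOG` and the summary and scan-header lines are ignored, because they never match the `item (Threat) -> action` shape. The two things worth acting on in this thread come straight out of `triage`: the `.exe` handler is gone, so the association has to be put back before anything else will launch normally, and a rootkit driver (pqrff.sys) was present, which is why the poster's worry about banking passwords in post 3 is well founded.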
  5. CMach08

    CMach08 Private E-2

    I posted that log from the Malwarebytes scan I just ran right now.
     
  6. CMach08

    CMach08 Private E-2

    Last edited by a moderator: Apr 29, 2010
  7. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

  8. CMach08

    CMach08 Private E-2

    Sorry, here's the uploaded HJT log.
     

    Attached Files:

  9. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    We are not asking for a HJT log. Please follow the link I gave you for doing the Read and Run First instructions.
     
  10. CMach08

    CMach08 Private E-2

    Here we go. Sorry again. ;/
     

    Attached Files:

  11. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

    Please use add/remove programs to uninstall:
    Java(TM) 6 Update 15
    Java(TM) 6 Update 6
    Java(TM) SE Runtime Environment 6

    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    After clicking Fix, exit HJT.

    Now let's use ComboFix to remove a bunch of malware files.

    * Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
    If it is not on your Desktop, the below will not work.
    * Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    * If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
    * Open Notepad and copy/paste the text in the below code box into it (make sure you scroll all the way down in the code box to get all lines selected ):
    Code:
    KILLALL::
    RenV::
    c:\program files\Cacheman\cachemantray .exe
    c:\program files\Synaptics\SynTP\syntpenh .exe
    
    AtJob::
    File::
    C:\Windows\Tasks\Qxbfbp.job
    c:\users\Machi\AppData\Local\lbpyniswi
    c:\windows\system32\config\systemprofile\AppData\Local\dabmtegxc
    c:\users\Machi\AppData\Local\jparkfmwu
    C:\Users\Machi\AppData\Local\c7vdif       
    C:\Users\Machi\AppData\Local\KLry0l
    C:\Users\Machi\AppData\Local\RIiYj0K8
    C:\Users\Machi\AppData\Roaming\Microsoft\Windows\Templates\c7vdif       
    C:\Users\Machi\AppData\Roaming\Microsoft\Windows\Templates\KLry0l
    C:\Users\Machi\AppData\Roaming\Microsoft\Windows\Templates\RIiYj0K8
    C:\ProgramData\c7vdif
    C:\ProgramData\KLry0l
    C:\ProgramData\RIiYj0K8
    C:\Windows\System32\zuwunali
    C:\Windows\Temp\E950.tmp
    C:\Windows\Temp\KLry0l
    C:\Windows\Temp\ls46.id
    C:\USERS\MACHI\LOCALS~1\TEMP\c7vdif
    C:\USERS\MACHI\LOCALS~1\TEMP\LS46.ID
    C:\USERS\MACHI\LOCALS~1\TEMP\PSSYSCHK.LOG
    C:\USERS\MACHI\LOCALS~1\TEMP\RARSFX0
    C:\USERS\MACHI\LOCALS~1\TEMP\RIIYJ0K8
    C:\USERS\MACHI\LOCALS~1\TEMP\TMP5AA6.TMP
    C:\USERS\MACHI\LOCALS~1\TEMP\TMP6E26.TMP
    C:\USERS\MACHI\LOCALS~1\TEMP\TMP8177.TMP
    C:\USERS\MACHI\LOCALS~1\TEMP\TMP86C4.TMP
    C:\USERS\MACHI\LOCALS~1\TEMP\TMP8F6C.TMP
    C:\USERS\MACHI\LOCALS~1\TEMP\TYYSQCC.EXE
    C:\Users\Machi\AppData\Local\Temp\po6s6nj67w.exe
    C:\Users\Machi\AppData\Local\jparkfmwu\oypvouutssd.exe
    C:\Users\Machi\AppData\Local\Temp\nosarwxcme.exe
    C:\Users\Machi\AppData\Local\Temp\Jz1.exe
    
    Folder::
    C:\Users\Machi\AppData\Local\jparkfmwu
    Registry::
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\kelntiqq]
    
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YVIBBBHA8C]
    
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\hsf87sdhfush87fsufhuie3fddf]
    
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\kelntiqq]
    
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\lsdefrag]
    
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\YVIBBBHA8C]
    
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{85c08c6a-4771-440a-8b99-bd99eb652053}]
    
    
    * Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    * At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    * You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    If it asks you to override the previous file with the same name, click YES.
    * Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
    * Follow the prompts.
    * When it finishes, a log will be produced named c:\combofix.txt
    * I will ask for this log below

    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    Now download and install:
    Java Runtime 6

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:

    * C:\ComboFix.txt
    * C:\MGlogs.zip

    Make sure you tell me how things are working now!
     
  12. CMach08

    CMach08 Private E-2

    So far it's been running well. Please let me know if we've eliminated the bug! Thanks again for all your help! :]
     

    Attached Files:

  13. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Looking much better. Use Windows Explorer to see if these still exist:
    c:\users\Machi\AppData\Local\lbpyniswi
    c:\windows\system32\config\systemprofile\AppData\Local\dabmtegxc

    If you find them, delete them. Tell me if you have any problems doing that.
     
  14. CMach08

    CMach08 Private E-2

    Deleted both folders perfectly fine. So far, these past few days... I've been running great! Thanks again.
     
  15. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Good to know. If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources ( except a little disk space ) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /uninstall
        • Notes: The space between the combofix" and the /uninstall, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
    3. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    4. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    5. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    6. Go to add/remove programs and uninstall HijackThis.
    7. Go to the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    8. If you are running Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures pointed to by step 6 of the READ ME for your Windows version and see the instructions to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    9. After doing the above, you should work thru the below link:
     
