Malware Issues

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by Sciread77, Sep 2, 2011.

  1. Sciread77

    Sciread77 Private E-2

The problem started about two days ago. AVG began to quarantine trojans. They seemed to be at bay but weren't going away either. When I ran an AVG security scan, it found several threats but eventually disappeared. The only thing open was some "Security Defender" program, obviously a fake.

    At that point, I figured that I was dealing with a rootkit as well. I ran AVG's rootkit scan to no avail, and since I already had Malwarebytes Anti-Malware I activated that. After that, Google warned me that I was attempting to use the site in ways that violated the terms of service.

    I switched to another computer and found the forums. I followed initial steps detailed on the Read Me First. After uninstalling AVG, I:

    1. Ran Super Anti-Spyware: Scanned, cleaned, and the log is attached.

    2. I reinstalled the latest version of Malwarebytes Anti-Malware. I ran it and attached the log.

    3. I installed and ran ComboFix. The log is attached.

    4. I installed and ran RootRepeal. The program always stalled on my Windows/winsks/Manifests folder. I restarted twice but it stalled in the same place. No logs.

    5. I installed and ran MGtools. The program gave me a blue screen of death.


    Now, moments after I connect to the Internet the fake scanner pops up and I have to restart unless Malwarebytes Anti-Malware is running.

    Thank you for your help.
     

    Attached Files:

    Last edited: Sep 2, 2011
  2. thisisu

    thisisu Malware Consultant

    Hi and welcome to Major Geeks, Sciread77!

    Please download RKill by Grinler to your desktop.
    RKill is an easy to use tool that kills known processes that stop the use of our normal anti-malware applications. Simple as that. Nothing fancy. Just kill known malware processes so that anti-malware programs can do their job.

    RKill can be downloaded from the following locations. Please note that the other filenames below are RKill as well, just renamed so that certain malware will allow it to run.
    Note: You only need to get one of them to run, not all of them.

    RKill.com Download Link
    RKill.exe Download Link
    RKill.scr Download Link
    eXplorer.exe Download Link - This renamed copy may trigger an alert from MBAM. It can be ignored and is safe.
    iExplore.exe Download Link
    WiNlOgOn.exe Download Link
    uSeRiNiT.exe Download Link

    Now we need to run TDSSKiller by Kaspersky
    Follow the instructions here and attach your log when you are finished. (How to attach items to your post)


    Please download MBRCheck by GeeksToGo to your desktop.
    See the download links under this icon http://forums.majorgeeks.com/chaslang/images/MGDownloadLoc.gif
    • Double click MBRCheck.exe to run (Vista and Win7 right click and select Run as Administrator)
    • It will show a Black screen with some information that will contain either the below line if no problem is found:
      • Done! Press ENTER to exit...
    • Or you will see more information like below if a problem is found:
      • Found non-standard or infected MBR.
      • Enter 'Y' and hit ENTER for more options, or 'N' to exit:
    • Either way, just choose to exit the program at this point since we want to see only the scan results to begin with.
    • MBRCheck will create a log named similar to MBRCheck_07.16.10_00.32.33.txt which is random based on date and time.
    • Attach this log to your next message. (How to attach items to your post)

    Please download OTL by Old Timer to your desktop.
    See the download links under this icon: http://forums.majorgeeks.com/chaslang/images/MGDownloadLoc.gif
    1. Double-click OTL.exe to run (Vista and Win7 right click and select Run as Administrator)
    2. When OTL opens, change the Output (at the top-right portion of the program) to Minimal Output.
    3. Put check-marks in LOP Check and Purity Check.
    4. Now click the Run Scan button.
    When the scan is complete, two logs entitled OTL.txt and Extras.txt will be created on your desktop.
    Attach both of these logs to your next message. (How to attach items to your post)

    Is there a c:\MGlogs.zip file present? (at the root of C: ), if so, please also attach this file.
     
  3. Sciread77

    Sciread77 Private E-2

    Last log and post to follow.
     

    Attached Files:

  4. Sciread77

    Sciread77 Private E-2

    That seems to make everything better, unless it's hiding really well. Thank you. Do the logs indicate that I'm in the clear?
     
  5. thisisu

    thisisu Malware Consultant

    I still need you to attach Extras.txt from running OTL.

    Not yet.

    Answer the following:
    Are you experiencing any issues with hidden/missing desktop icons, start menu, quick launch, program files, anything missing at all?

    If you have not already, please complete step #6 in the READ and RUN ME -- Running defogger.exe.

    From Programs and Features, please ensure that AVG 2012 is not still listed. If it is, uninstall it.

    If certain step(s) here do not work properly, continue to the next step.

    Now we need to make use of OTL by Old Timer.
    • Double-click OTL.exe to run (Vista and Win7 right click and select Run as Administrator)
    • When OTL opens, copy the text in the code box below and paste it into the Custom Scans/Fixes text-field.
      Note: You will notice that I am also deleting ComboFix.exe, MGtools, and AVG remnants.
      Code:
      :processes
      killallprocesses
      :otl
      PRC - C:\Program Files\AVG\AVG2012\avgtray.exe (AVG Technologies CZ, s.r.o.)
      PRC - C:\Program Files\AVG\AVG2012\avgnsx.exe (AVG Technologies CZ, s.r.o.)
      PRC - C:\Program Files\AVG\AVG2012\avgrsx.exe (AVG Technologies CZ, s.r.o.)
      PRC - C:\Program Files\AVG\AVG2012\AVGIDSAgent.exe (AVG Technologies CZ, s.r.o.)
      PRC - C:\Program Files\AVG\AVG2012\avgcsrvx.exe (AVG Technologies CZ, s.r.o.)
      PRC - C:\Program Files\AVG\AVG2012\avgwdsvc.exe (AVG Technologies CZ, s.r.o.)
      SRV - (AVGIDSAgent) -- C:\Program Files\AVG\AVG2012\AVGIDSAgent.exe (AVG Technologies CZ, s.r.o.)
      SRV - (avgwd) -- C:\Program Files\AVG\AVG2012\avgwdsvc.exe (AVG Technologies CZ, s.r.o.)
      DRV - (Avgmfx86) -- C:\Windows\System32\drivers\avgmfx86.sys (AVG Technologies CZ, s.r.o.)
      DRV - (Avgtdix) -- C:\Windows\System32\drivers\avgtdix.sys (AVG Technologies CZ, s.r.o.)
      DRV - (AVGIDSFilter) -- C:\Windows\System32\drivers\AVGIDSFilter.sys (AVG Technologies CZ, s.r.o. )
      DRV - (AVGIDSShim) -- C:\Windows\System32\drivers\AVGIDSShim.sys (AVG Technologies CZ, s.r.o. )
      DRV - (AVGIDSEH) -- C:\Windows\system32\DRIVERS\AVGIDSEH.Sys (AVG Technologies CZ, s.r.o. )
      DRV - (AVGIDSDriver) -- C:\Windows\System32\drivers\AVGIDSDriver.sys (AVG Technologies CZ, s.r.o. )
      DRV - (Avgldx86) -- C:\Windows\System32\drivers\avgldx86.sys (AVG Technologies CZ, s.r.o.)
      DRV - (Avgrkx86) -- C:\Windows\system32\DRIVERS\avgrkx86.sys (AVG Technologies CZ, s.r.o.)
      FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{1E73965B-8B48-48be-9C8D-68B920ABC1C4}: C:\Program Files\AVG\AVG2012\Firefox4\ [2011/09/02 20:22:19 | 000,000,000 | ---D | M]
      O2 - BHO: (AVG Safe Search) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG2012\avgssie.dll (AVG Technologies CZ, s.r.o.)
      O4 - HKLM..\Run: [AVG_TRAY] C:\Program Files\AVG\AVG2012\avgtray.exe (AVG Technologies CZ, s.r.o.)
      O18 - Protocol\Handler\linkscanner {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG2012\avgpp.dll (AVG Technologies CZ, s.r.o.)
      [2011/09/02 20:22:54 | 000,000,000 | ---D | C] -- C:\Users\owner\AppData\Roaming\AVG2012
      [2011/09/02 20:21:56 | 000,000,000 | ---D | C] -- C:\ProgramData\AVG2012
      [2011/09/02 20:21:56 | 000,000,000 | ---D | C] -- C:\Windows\System32\drivers\AVG
      [2011/08/08 06:08:58 | 000,040,016 | ---- | C] (AVG Technologies CZ, s.r.o.) -- C:\Windows\System32\drivers\avgmfx86.sys
      [2011/09/03 08:28:36 | 067,399,767 | ---- | M] () -- C:\Windows\System32\drivers\AVG\incavi.avm
      [2011/09/03 08:19:25 | 000,000,589 | ---- | M] () -- C:\Users\Public\Desktop\Security Protection.lnk
      [2011/09/02 20:22:19 | 000,000,842 | ---- | M] () -- C:\Users\Public\Desktop\AVG 2012.lnk
      [2011/05/12 09:11:15 | 000,001,244 | -HS- | C] () -- C:\Users\owner\AppData\Local\g8x4u1837i1s
      [2011/05/12 09:11:15 | 000,001,244 | -HS- | C] () -- C:\ProgramData\g8x4u1837i1s
      [2011/05/07 11:25:00 | 000,001,336 | -HS- | C] () -- C:\Users\owner\AppData\Local\3cpi6tpt7m70gnf
      [2011/05/07 11:25:00 | 000,001,336 | -HS- | C] () -- C:\ProgramData\3cpi6tpt7m70gnf
      [2010/12/11 16:06:08 | 000,000,000 | ---D | M] -- C:\Users\owner\AppData\Roaming\AVG10
      [2011/09/02 20:22:54 | 000,000,000 | ---D | M] -- C:\Users\owner\AppData\Roaming\AVG2012
      [2011/09/02 08:29:48 | 004,192,529 | R--- | M] (Swearware) -- C:\Users\owner\Desktop\ComboFix.exe
      :services 
      :files
      c:\combofix.txt
      c:\mgtools
      c:\mglogs.zip
      ipconfig /flushdns /c
      :reg
      [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command]
      ""=""%1" %*"
      :commands
      [purity]
      [emptyflash]
      
    • Now click the Run Fix button.
    • OTL may ask to reboot the machine. Please do so if asked.
    • Click the OK button.
    • A report will open.
    • A log will be located at C:\_OTL\MovedFiles\mmddyyyy_hhmmss.log, where mmddyyyy_hhmmss is the date of the tool run.
    • Attach this log to your next message. (How to attach items to your post)

    Now download ComboFix.exe by sUBs to your desktop.
    • Right-mouse click and select Run as administrator to run.
    • Follow the prompts
    • When ComboFix is finished running, a log at C:\ComboFix.txt will be created. Attach this log to your next message

    Please download and run Win32kDiag per the below instructions:
    • Download this Win32kDiag and save to C:\Win32kDiag.exe. You must save it here!!!!
    • Click on Start->Run, and copy-paste the following command (the bolded text) into the "Open" box, and click OK. When it's finished, there will be a log called Win32kDiag.txt on your desktop. Please attach this log (How to attach items to your post)
    C:\win32kdiag.exe -f -r


    Now we need to scan the system with this special tool.
    • Please download Junction.zip and save it to your root folder (C:\Junction.zip)
    • Unzip it and put junction.exe in the root folder (C:\junction.exe)
    • Now click Start => Run... => Copy and paste the following command in the run box and click OK:
      cmd /c junction -s c:\ >C:\log.txt
    • A command prompt window opens and also a license agreement from SysInternals will appear.
    • Accept the license agreement and the scan will begin.
    • Wait until a log file opens. Attach this C:\log.txt when it finishes (the command prompt window will close when it finishes). (How to attach items to your post)
    • NOTE: It scans your whole hard disk so it can take a long time. Be patient and don't do anything else while it is scanning.

    Now download MGtools.exe to the root of your C: drive.
    Now run c:\MGtools.exe by right-mouse clicking it and selecting Run as administrator.
    Then attach C:\MGlogs.zip to your next message. (How to attach items to your post)
    Notes:
    • This will automatically update all the logs inside MGlogs.zip
    • Make sure you click Accept on the License Agreement from Trend Micro HiJackThis - v2.0.4 twice if prompted.

    LET ME KNOW HOW THE PC IS RUNNING AFTER YOU HAVE COMPLETED THESE STEPS
     
  6. Sciread77

    Sciread77 Private E-2

    I'm sorry, I thought that Extra.txt was attached to my last post. It should be on this one.
     

    Attached Files:

  7. Sciread77

    Sciread77 Private E-2

    I didn't seem to have icons, Start Menu items, program files, or quick launches missing.

    I uninstalled AVG 2012 again and followed your instructions. I had trouble with running junction.exe through Run. The command prompt flashed but didn't stay up.

    Since your last set of instructions, my computer appears to be running quite well. No unexpected "Defender" programs appeared and Google isn't saying that my computer is engaged in anything shady. Everything is back to normal, and running better than it has in a long time.

    Thanks again for your help. I hope I'm in the clear.
     

    Attached Files:

  8. thisisu

    thisisu Malware Consultant

    From Programs and Features (via Control Panel), please uninstall the below:
    • Java(TM) 6 Update 21 <-- old
    • Java(TM) 6 Update 7 <-- old

    Now we need to make use of ComboFix by sUBs
    • Make sure that ComboFix.exe that you downloaded while doing the READ & RUN ME is on your desktop but do not run it!
      • If it is not on your desktop, the below will not work.
    • Shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    • Open Notepad and copy/paste the text in the below code box into Notepad:
    Code:
    KillAll::
    File::
    C:\Users\owner\AppData\Local\prvlcl.dat
    C:\Users\owner\AppData\Roaming\Microsoft\Windows\Templates\3cpi6tpt7m70gnf
    C:\Users\owner\AppData\Roaming\Microsoft\Windows\Templates\g8x4u1837i1s
    C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\csp44B4.tmp
    C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\csp67D4.tmp
    C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\csp8DA8.tmp
    C:\Windows\Temp\spserv.dat
    DirLook::
    C:\Users\owner\AppData\Local\Kobo
    C:\ProgramData\Affinegy
    C:\Program Files\Kobo
    C:\hugo2
    C:\sj657
    C:\Users\owner\AppData\Local\Temp\Low
    FileLook::
    C:\Windows\System32\drivers\tcpip.sys
    C:\Windows\System32\ticrf.rat
    Folder::
    C:\$AVG
    Registry::
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager]
    "BootExecute"=hex(7):61,75,74,6f,63,68,65,63,6b,20,61,75,74,6f,63,68,6b,20,2a,00,00
    [HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
    "{1E73965B-8B48-48be-9C8D-68B920ABC1C4}"=-
    RegLock::
    [HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
    @Denied: (2) (LocalSystem)
    "88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
       d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,b1,6d,f8,24,4d,00,09,41,9d,ff,70,\
    "2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
       d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,b1,6d,f8,24,4d,00,09,41,9d,ff,70,\
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    
    • Save the above as CFScript.txt and make sure you save it to the same location (should be on your desktop) as ComboFix.exe
    • At this point, you must exit all browsers now before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your desktop.
    • Now use your mouse to drag CFScript.txt on top of ComboFix.exe.
    • This shall launch ComboFix.
      Note: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
    • Allow ComboFix to update itself if prompted.
    • When it finishes, a log will be produced at C:\ComboFix.txt
      Note: If after running ComboFix you discover none of your programs will open up because you receive the following error: Illegal operation attempted on a registry key that has been marked for deletion then you will need to reboot your computer which will normally fix this problem.
    • Attach this log to your next message. (How to attach items to your post)

    Now install the current version of Sun Java from: Sun Java Runtime Environment

    Now run C:\MGtools\GetLogs.bat by double-clicking it (Vista and Win7 right-click and select Run as Administrator)
    Then attach C:\MGlogs.zip to your next message. (How to attach items to your post)
    Notes:
    • This will automatically update all the logs inside MGlogs.zip
    • Make sure you click Accept on the License Agreement from Trend Micro HiJackThis - v2.0.4 twice if prompted.
     
    Last edited: Sep 6, 2011
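Two of the values the helper's scripts put back are worth being able to verify on their own: the OTL :reg section earlier in the thread restores the exefile open command to the stock "%1" %*, and the CFScript above rewrites BootExecute as a hex(7) multi-string. The following Python is an added example, not code from the thread or from OTL/ComboFix; it assumes the one-byte-per-character hex(7) form used in the CFScript (a Windows-exported .reg file would be UTF-16LE), and the hijacked command value it tests against is constructed.

```python
"""Offline checks for the two registry values the thread's fix scripts restore."""
import re

# Windows defaults that the scripts write back.
DEFAULT_BOOTEXECUTE = ["autocheck autochk *"]
DEFAULT_EXEFILE_CMD = '"%1" %*'

# The BootExecute line exactly as it appears in the CFScript above.
SAMPLE_BOOTEXECUTE_LINE = (
    '"BootExecute"=hex(7):61,75,74,6f,63,68,65,63,6b,20,61,75,74,6f,63,68,'
    '6b,20,2a,00,00'
)
# The OTL :reg assignment exactly as it appears in the earlier fix.
SAMPLE_OTL_EXEFILE_LINE = '""=""%1" %*"'
# Constructed example of a redirected exefile command (not from the logs).
CONSTRUCTED_HIJACKED_CMD = (
    '"C:\\Users\\owner\\AppData\\Local\\hijack_example.exe" -a "%1" %*'
)


def parse_hex7(line: str) -> list:
    """Decode a  "Name"=hex(7):aa,bb,...  REG_MULTI_SZ line into its strings.

    Assumption: one byte per character with a double-NUL terminator, as in the
    CFScript; continuation backslashes and whitespace are ignored.
    """
    m = re.search(r"=hex\(7\):(.*)$", line, re.S)
    if not m:
        raise ValueError("not a hex(7) value")
    raw = re.sub(r"[\\\s]", "", m.group(1))
    data = bytes(int(b, 16) for b in raw.split(",") if b)
    return [s for s in data.decode("latin-1").split("\x00") if s]


def bootexecute_is_default(line: str) -> bool:
    """True when BootExecute holds only the stock  autocheck autochk *  entry."""
    return parse_hex7(line) == DEFAULT_BOOTEXECUTE


def parse_otl_default_value(line: str) -> str:
    """Extract <value> from an OTL :reg line of the form  ""="<value>"  ."""
    if not line.startswith('""='):
        raise ValueError("not an OTL default-value assignment")
    body = line[3:]
    if len(body) < 2 or body[0] != '"' or body[-1] != '"':
        raise ValueError("value is not quoted")
    return body[1:-1]


def exefile_command_is_default(value: str) -> bool:
    """True when the exefile open command is the stock  "%1" %*  ; anything
    else means every .exe launch is routed through another program first."""
    return value.strip() == DEFAULT_EXEFILE_CMD


if __name__ == "__main__":
    print("BootExecute default:", bootexecute_is_default(SAMPLE_BOOTEXECUTE_LINE))
    restored = parse_otl_default_value(SAMPLE_OTL_EXEFILE_LINE)
    print("OTL restores exefile to default:", exefile_command_is_default(restored))
    print("Constructed hijack flagged:", not exefile_command_is_default(CONSTRUCTED_HIJACKED_CMD))
```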
  9. Sciread77

    Sciread77 Private E-2

    Here they are.
     

    Attached Files:

  10. thisisu

    thisisu Malware Consultant

    Latest logs are clean.

    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources (except a little disk space) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /uninstall
        • Notes: The space between the combofix" and the /uninstall, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
    3. Go back to step 6 of the READ ME and re-enable your Disk Emulation software with Defogger if you had disabled it.
    4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    7. Go to add/remove programs and uninstall HijackThis if it is present.
    8. Go to the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    9. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures pointed to by step 7 of the READ ME for your Windows version and see the instructions to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    10. After doing the above, you should work thru the below link:
     
  11. Sciread77

    Sciread77 Private E-2

    Fantastic! Again, thank you very much for your time and patience.
     
  12. thisisu

    thisisu Malware Consultant

    You're welcome. Surf safely! :)
     
