Malware messed up computer

Discussion in 'Malware Help (A Specialist Will Reply)' started by rdunn7881, May 3, 2011.

  1. rdunn7881

    rdunn7881 Private E-2

    Ok so the day before yesterday a friend brought his PC over so I could run some data recovery software on his secondary drive. I started the program and went to sleep; when I awoke there were many errors on the screen saying things like memory unstable, system unstable and such. When I clicked on a random part of the screen the blue screen comes up and the PC restarts. Upon rebooting it takes a while for the profile to come up, and when it does all desktop icons are gone, the start menu has changed, and when in Computer and clicking on any drives it shows all drives with no folders. Internet does not work; the admin tools in the control panel are empty. There were some weird pop-ups about a windows recovery program or something which were obviously part of a malware issue, so I ran Malwarebytes; it cleared up all of the pop-ups but he still has all of the above mentioned problems. The computer is running Windows 7 Pro. I have included the logs from the programs I was able to run. Any help would be greatly appreciated.
     

    Attached Files:

  2. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    You need to attach the other requested logs:
    MBAM
    ComboFix

    Download The Avenger by Swandog469, and save it to your Desktop.

    * Extract avenger.exe from the Zip file and save it to your desktop

    Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    After clicking Fix, exit HJT.

    Now copy just the bold text below to notepad (Do not include any space above the word REGEDIT). Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.
    Make sure that you tell me if you receive a success message about adding the above
    to the registry. If you do not get a success message, it definitely did not work.


    * Run avenger.exe by double-clicking on it.
    * -Do not change any check box options!!
    * Copy everything in the Quote box below, and paste it into the Input script here: part of the window:

    * Now click the Execute button.
    * Click Yes to the prompt to confirm you want to execute.
    * Click Yes to the Reboot now? question that will appear when Avenger finishes running.
    * Your PC should reboot, if not, reboot it yourself.
    * A log file from Avenger will be produced at C:\avenger.txt and it will popup for you to view when you login after reboot.

    Now run Ccleaner to clean out only temp files and nothing else! But make sure this folder is emptied:
    C:\USERS\JRS\LOCALS~1\TEMP\

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator). Make sure that you watch for the license agreement for TrendMicro HijackThis and click on the Accept button TWICE to accept (yes, twice).

    Then attach the below logs:

    * C:\Avenger.txt
    * C:\MGlogs.zip

    Make sure you tell me how things are working now!
     
  3. rdunn7881

    rdunn7881 Private E-2

    Thank you for the quick response. First, the regedit did take and I am now able to see a few files on the drives, however some of them have padlocks next to them. I can also see desktop shortcuts, but still nothing when I click on the start menu and then Programs. I did not include the ComboFix log as when I was performing all of the steps it would not run. The MBAM log I'm including is the one from before I came to this site; it was run in safe mode as I couldn't boot into normal. Also, after running Avenger it did not auto reboot, so I did so manually and there was a blue screen, then when it rebooted there was no Avenger log file. It seems whenever the machine is rebooted there is a blue screen. Also, there was an external drive hooked to this system when all of this occurred and it shows up as empty; should it have been reconnected during this whole process? It was used to store photos. Again, thank you for the quick reply and the help.
     

    Attached Files:

  4. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Sorry for the delay. Now let's try doing this:

    Download OTM by Old Timer and save it to your Desktop.

    Code:
    :Processes
    explorer.exe
    
    :Services
    xydtp
    
    :Files
    C:\Windows\Tasks\wohs.job
    C:\Users\JRs\AppData\Local\Wkokoxufa.dat
    C:\Users\JRs\AppData\Local\Ylivoha.bin
    C:\Users\JRs\AppData\Local\{F76AB5C4-B3BD-4A23-8B8E-CE431CAEFAEF}
    C:\Users\JRs\AppData\Roaming\29DD.tmp
    C:\Users\JRs\AppData\Roaming\3247.tmp
    C:\Users\JRs\AppData\Roaming\3728.tmp
    C:\Users\JRs\AppData\Roaming\A8E2.1B8
    C:\ProgramData\072SY512.exe
    C:\ProgramData\iI2V66R.dat
    C:\ProgramData\~0
    C:\ProgramData\~37609224
    C:\ProgramData\~37609224r
    C:\Program Files\ypkykqk.txt
    C:\Windows\System32\glzr.log
    C:\Windows\System32\tukdtjsr.txt
    C:\Windows\System32\drivers\xydtp.sys
    
    :Commands
    [purity]
    [ResetHosts]
    [createrestorepoint]
    [emptytemp]
    [start explorer]
    [Reboot]

    • Return to OTM, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste.
    • Push the large http://farm3.static.flickr.com/2782/4174320048_f01c448b32_o.png button.
    • OTM may ask to reboot the machine. Please do so if asked.
    • Copy everything in the Results window (under the green bar), and paste it in your next reply.


    Now navigate to the C:\_OTM\MovedFiles folder ( assuming your Windows drive is C). This is where your log will be saved in the form of Date and Time mmddyyyy_hhmmss.log. Just look for the most recent .log file. Attach this log file to your next message.

    NOTE: If you are unable to copy/paste from this window (as will be the case if the machine was rebooted), open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTM\MovedFiles folder, and open the newest .log file present, and attach that document back here in your next post.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator). Make sure that you watch for the license agreement for TrendMicro HijackThis and click on the Accept button TWICE to accept (yes, twice).

    Then attach the below logs:

    * OTM Log
    * C:\MGlogs.zip

    Make sure you tell me how things are working now!
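The OTM script in the post above stops the `xydtp` service, moves the listed files, resets the hosts file and empties temp folders. The following PowerShell script is an added example, not part of the thread and not written by TimW or the OTM author; it only verifies, from an elevated prompt after OTM has rebooted the machine, that those artifacts are really gone and that nothing unexpected remains in the hosts file. Every path, the service name and the `C:\_OTM\MovedFiles` log location are taken verbatim from the post (so the `JRs` profile name is this machine's, not a general value); the check logic itself is the example's own.

```powershell
# Added verification example (not from the thread): confirm the OTM cleanup
# above took effect. Run from an elevated PowerShell prompt after the reboot.

# Files and folders listed in the ":Files" section of the OTM script.
$artifacts = @(
    'C:\Windows\Tasks\wohs.job',
    'C:\Users\JRs\AppData\Local\Wkokoxufa.dat',
    'C:\Users\JRs\AppData\Local\Ylivoha.bin',
    'C:\Users\JRs\AppData\Local\{F76AB5C4-B3BD-4A23-8B8E-CE431CAEFAEF}',
    'C:\Users\JRs\AppData\Roaming\29DD.tmp',
    'C:\Users\JRs\AppData\Roaming\3247.tmp',
    'C:\Users\JRs\AppData\Roaming\3728.tmp',
    'C:\Users\JRs\AppData\Roaming\A8E2.1B8',
    'C:\ProgramData\072SY512.exe',
    'C:\ProgramData\iI2V66R.dat',
    'C:\ProgramData\~0',
    'C:\ProgramData\~37609224',
    'C:\ProgramData\~37609224r',
    'C:\Program Files\ypkykqk.txt',
    'C:\Windows\System32\glzr.log',
    'C:\Windows\System32\tukdtjsr.txt',
    'C:\Windows\System32\drivers\xydtp.sys'
)

# Report each path; anything still present means OTM could not move it
# (typically because it was locked) and needs another pass.
$fileReport = foreach ($p in $artifacts) {
    [pscustomobject]@{ Path = $p; StillPresent = (Test-Path -LiteralPath $p) }
}
$fileReport | Format-Table -AutoSize

# ":Services" should have stopped and removed the xydtp service. Check both
# the live service list and the registry key the kernel driver loads from.
$svcName = 'xydtp'
$svc     = Get-Service -Name $svcName -ErrorAction SilentlyContinue
$svcKey  = "HKLM:\SYSTEM\CurrentControlSet\Services\$svcName"
[pscustomobject]@{
    Service            = $svcName
    StillInServiceList = [bool]$svc
    Running            = [bool]($svc -and $svc.Status -eq 'Running')
    RegistryKeyPresent = (Test-Path -LiteralPath $svcKey)
} | Format-List

# "[ResetHosts]" should leave only comments and the localhost entries.
$hostsPath = 'C:\Windows\System32\drivers\etc\hosts'
$suspect = Get-Content -LiteralPath $hostsPath |
    Where-Object {
        $_ -match '\S' -and
        $_ -notmatch '^\s*#' -and
        $_ -notmatch '^\s*(127\.0\.0\.1|::1)\s+localhost\s*$'
    }
if ($suspect) {
    'Unexpected hosts entries (review these):'
    $suspect
} else {
    'hosts file contains only default entries.'
}

# OTM writes its log under C:\_OTM\MovedFiles (named in the post); show the
# newest one so it can be attached to the next reply.
Get-ChildItem -Path 'C:\_OTM\MovedFiles' -Filter '*.log' -ErrorAction SilentlyContinue |
    Sort-Object LastWriteTime -Descending |
    Select-Object -First 1 FullName, LastWriteTime
```

The script changes nothing on the machine; it only reads. A `StillPresent` of `True` for `xydtp.sys` together with `RegistryKeyPresent = True` would explain continued blue screens on reboot, since the driver would still be loaded at startup, and is the first thing to report back in the thread.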
     
  5. rdunn7881

    rdunn7881 Private E-2

    The machine still blue screens on every restart, there are no program files under the start button, and everything appears to be the same as noted in the last post. I have included the 2 log files you requested.
     

    Attached Files:

  6. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

