Malware Removed (I think) but problems linger

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by Zapurdead, Jul 7, 2011.

  1. Zapurdead

    Zapurdead Private E-2

    First things first, I am running Windows 7 Home Premium 64-bit. Now, I'm unsure as to where to start, as my problems are many. I am currently typing this into WordPad because my internet is not functioning (more on this later). It all started about one week ago, when I got a virus called "Win 7 Internet Security". I knew it was a fake antivirus so I followed the directions from bleepingcomputer.com (running ckill, scanning with MBAM) and I was feeling like a boss, thinking my malware problems were over. Well, at first I had no issues. But a few days ago, we left for a vacation. I shut off my computer and turned it back on later to find that there were numerous problems with my computer, including:
    The stuff in red has since been resolved but I am including it in case it is of importance.

    -No programs can access the internet. I know my internet itself is working and I am connected, because when I ping from the command prompt I get a response. However, IE9, Google Chrome, and Starcraft II all cannot actually connect to the Internet, and not only that, they eventually freeze and crash. As a matter of fact, ever since I removed the virus, Firefox and Thunderbird crash on startup and are totally usable as of currently. I have reset my hosts file and changed my proxy settings, and I am also using DHCP, so none of those are the issue.

    -Windows Security Center Service is missing. Not only can I not enable it (I get a warning message saying it can't be started), but when I check the Services, it doesn't even exist anymore.

    -My antivirus software is all messed up. This is really complicated, so let me explain thoroughly. Before my computer was infected, I used Windows Firewall, CA Antivirus, and Spybot S&D's passive immunize tool and TeaTimer. CA Antivirus actually didn't really work on my computer. As a matter of fact, it was essentially useless in stopping the infection; I'm assuming the software was actually just completely useless, especially the firewall, which never even started (only later did I read and find out that CA Antivirus has serious problems running on x64 systems). Now, CA Antivirus does not appear in my taskbar, as it used to, but it is still running because I see the various processes by CA in the task manager. I suspect that my internet problems from above have to do with CA Antivirus, but I am unsure, of course. However, I can't uninstall CA Antivirus, as I get some sort of "plugin error", and I can't seem to run it, or at least open the GUI. Spybot and Windows Firewall seem to be untouched, but I will definitely replace Windows FW if my computer ever comes back to normal.

    -Various programs don't run, including iTunes, iPhoneBrowser, and (as stated before) Thunderbird/Firefox, both of which crash immediately upon startup. iTunes and iPhoneBrowser show up as running under the Windows Task Manager Processes list, but they don't appear.

    Update: After running SuperAntiSpyware (which removed 3 trojans) and the WinSock repair utility, CA Antivirus is back up and “running”, IE9, Thunderbird, iTunes, etc. can all run and access the Internet. Even Malwarebytes’ is back up. The only thing left is that the Windows Security Center Service is still disabled.

    Here are the logs. Sorry if this is a problem, but I don’t want to use ComboFix at the moment unless you require it... At this point I don’t think I have much malware on my computer, and I’m having trouble disabling my antivirus. I don’t want the possibility of messing up my computer unless it’s necessary. :-o

    Also, this is a random question, but if my C drive is NTFS, and I have an external drive that is FAT32, and I make a disc image of my C drive onto my external drive, will there be problems if I need to restore my C drive?
     

    Last edited by a moderator: Jul 9, 2011
  2. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    When you say make a disk image, are you using an application to make a single file image? For example Acronis does this by creating a .TIB file. If so it should not be a problem.

    ASK TOOLBAR <--- Uninstall this.
    WinSCP 4.3.3 <--- Uninstall this only if you did not intentionally install it yourself.


    Download and run OTM.

    Download OTM by Old Timer and save it to your Desktop.

    Code:
    :reg
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchScopes\{26D0B1F1-F5C7-4908-94A4-6C9F2C247C45}]
    [-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{26D0B1F1-F5C7-4908-94A4-6C9F2C247C45}]
    
    :files
    C:\ProgramData\caxgied5y78r866jn7by1
    C:\Users\Michael W\Desktop\~WRL1826.tmp
    C:\Users\Michael W\AppData\Local\caxgied5y78r866jn7by1
    C:\Users\Michael W\AppData\Roaming\Microsoft\Windows\Templates\caxgied5y78r866jn7by1
    
    :Commands
    [Reboot]
    • Return to OTM, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste.
    • Push the large MoveIt! button.
    • OTM may ask to reboot the machine. Please do so if asked.
    • Copy everything in the Results window (under the green bar), and paste it into notepad, save it as something appropriate and attach it into your next reply.

    NOTE: If you are unable to copy/paste from this window (as will be the case if the machine was rebooted), open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTM\MovedFiles folder, and open the newest .log file present, and attach the contents of that document back here in your next post.

    Are these two folders empty? If so delete them both.

    C:\Users\Michael W\AppData\Local\{BC3FB5FA-F260-42E4-8489-9F83F49AE74F}
    C:\Users\Michael W\AppData\Local\{D703CB9E-C88D-4F1A-A64A-267FDCBF2FDC}

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. (Right click and run as admin if using Vista or Windows7) Then attach the new C:\MGlogs.zip file that will be created by running this.

    Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now! and what issues remain.
     
  3. Zapurdead

    Zapurdead Private E-2

    Yes, I was planning to use Paragon (since it is free) but then I decided against disk imaging because I regularly do disk backups on an external HD anyways.

    I would uninstall the Toolbar (probably some crap that came with an installer) but it doesn't exist in my list of installed programs. If it's an addon, I don't see it in my list of FF extensions. I removed Ask.com from my list of search engines in IE9, but that's the only trace I could find of it. I'm keeping WinSCP because I use it to SSH.

    When I ran the program, I had to manually restart because my system wouldn't even after clicking "yes" to the prompt. Otherwise, no problems.

    K, done.

    I chose to run it as the administrator, but I read and got popups talking about permission denied, so I figure that might affect the results. I restarted after running MGTools and it looks like the problem still exists.

    Thanks for taking the time to help me out, even for something that seems just like a little annoyance. :p
     

  4. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    What problem exactly? Be specific so I can help you.

    I want you to run TDSSKiller so refer to the below for how to do so.

    TDSSkiller - How to run

    If you are still having problems after running this then perhaps you need to run Combofix after all.
     
  5. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    That is fine as long as you only want to back up files but it will not image your whole operating system.
     
  6. Zapurdead

    Zapurdead Private E-2

    My problem was that the Windows Security Center service won't start up, and still does not. When I try, I get a message that the service "can't be started" or something. It doesn't exist as a Service when it should either.

    Just so you know, I've already checked the integrity of my system files twice using the command prompt, if that's of any help, and found no errors.

    All clean except for one locked file, which I skipped.

    Yeah, I'm not too interested in that, given the time it takes.
     

  7. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Try Start > cmd > type in: net start wscsvc. Has that started the service?

    Does this registry key exist?

    Navigate to Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\wscsvc

    If not, then you could be looking at having to export a copy of it from a working Win 7 machine and let it merge with your registry. But I am afraid this is all something to further discuss in the software forum, as there could be a lot more to the fix than what I described.

    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources ( except a little disk space ) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required (if we renamed it, please rename it back to Combofix.exe).
      • "%userprofile%\Desktop\combofix" /uninstall
        • Notes: The space between the combofix" and the /uninstall, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
    3. Go back to step 6 of the READ ME and re-enable your Disk Emulation software with Defogger if you had disabled it.
    4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    7. Go to add/remove programs and uninstall HijackThis.
    8. Go to the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    9. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures pointed to by step 7 of the READ ME for your Windows version and see the instructions to Disable System Restore, which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    10. After doing the above, you should work through the below link:
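The three checks suggested above for the missing Security Center service (is it registered, does its registry key exist, will it start) can be run together from one elevated PowerShell prompt. This is an added example, not part of the thread or of MGtools; it assumes Windows 7 or later and uses only the wscsvc name and registry path given in the post.

```powershell
# Added example: diagnose the Windows Security Center service (wscsvc).
# Run from an elevated PowerShell prompt. Read-only except for Start-Service.

$serviceName = 'wscsvc'
$regPath     = "HKLM:\SYSTEM\CurrentControlSet\Services\$serviceName"

# 1. Is the service known to the Service Control Manager at all?
#    Win32_Service works on the PowerShell 2.0 that ships with Windows 7.
$svc = Get-WmiObject -Class Win32_Service -Filter "Name='$serviceName'"
if ($null -eq $svc) {
    Write-Host "Service '$serviceName' is NOT registered with the SCM."
} else {
    Write-Host ("Service '{0}': state={1}, start mode={2}" -f $svc.Name, $svc.State, $svc.StartMode)
}

# 2. Does the service definition key still exist in the registry?
if (Test-Path $regPath) {
    $key = Get-ItemProperty -Path $regPath
    Write-Host "Registry key present. ImagePath: $($key.ImagePath)  Start value: $($key.Start)"

    # wscsvc is hosted in svchost.exe; the real code lives in the DLL named under Parameters.
    $params = Get-ItemProperty -Path "$regPath\Parameters" -ErrorAction SilentlyContinue
    if ($params -and $params.ServiceDll) {
        $dllExists = Test-Path $params.ServiceDll
        Write-Host "ServiceDll: $($params.ServiceDll) (file exists: $dllExists)"
    }
} else {
    Write-Host "Registry key $regPath is MISSING: the service definition itself was removed."
    Write-Host "On a known-good Windows 7 machine you could export it with:"
    Write-Host "  reg export HKLM\SYSTEM\CurrentControlSet\Services\wscsvc wscsvc.reg"
}

# 3. Only attempt a start when the SCM actually knows the service;
#    otherwise Start-Service fails with 'Cannot find any service'.
if ($null -ne $svc -and $svc.State -ne 'Running') {
    try {
        Start-Service -Name $serviceName -ErrorAction Stop
        Write-Host "Started '$serviceName' successfully."
    } catch {
        Write-Host "Could not start '$serviceName': $($_.Exception.Message)"
    }
}
```

If the key is missing, a merged export from another machine only restores the registration; the ServiceDll check above tells you whether the hosting DLL itself is still on disk.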
     
  8. Zapurdead

    Zapurdead Private E-2

    Sorry for the slow response. The cmd prompt method doesn't work, and the registry key doesn't exist either.

    I suppose if I ever want the service back I might have to do a system restore. Maybe I will contact Microsoft and see if they have some way for me to reinstall it (seems like a long shot), but it's not a huge deal since it's mostly just an annoyance. Thanks for all your help!
     
  9. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Try posting in the software forum here at Majorgeeks! :)
     