Malware removed? Still having Firefox/Task Manager issues.

Discussion in 'Malware Help (A Specialist Will Reply)' started by shesactualsize, Oct 14, 2011.

  1. shesactualsize

    shesactualsize Private E-2

    I was hit with the Fake Vista Antivirus several months ago. My Start menu and Programs folders were empty, and all my desktop icons were gone. MBAM removed that, and everything was fine for about a month. Then I started having Google redirect issues in Firefox, and MBAM detected a number of new threats. I've completed the steps in the Malware Removal Guide and attached the logs requested. I could not get Root Repeal to run.

    Most of my problems have been fixed. However, now Firefox will not open at all, and there seem to be too many processes running in Task Manager. Almost all of the processes running have one or more duplicates.

    What do I do from here? (Thanks in advance!)
     
  2. shesactualsize

    shesactualsize Private E-2

    These are the initial Malwarebytes logs from when the problem began.
     

    Attached Files:

  3. thisisu

    thisisu Malware Consultant

    Welcome to Major Geeks, shesactualsize!

    Please attach the logs. (How to attach items to your post)

    The version of MBAM in all 3 scans is out of date
    Please update MalwareBytes to v1.51.2.1300, run a Quick Scan and attach this log.
     
  4. shesactualsize

    shesactualsize Private E-2

    D'oh! These were supposed to be attached to my first post. The version of MBAM is outdated in those logs because they are from several months ago. The log from today is here.
     

    Attached Files:

  5. thisisu

    thisisu Malware Consultant

    http://img850.imageshack.us/img850/4746/programsandfeatureswin7.gif From Programs and Features (via Control Panel), please uninstall the below:
    • Java(TM) 6 Update 21
    • Viewpoint Media Player

    http://img839.imageshack.us/img839/3005/combofixicon.gif Now we need to make use of ComboFix by sUBs
    • Make sure that ComboFix.exe that you downloaded while doing the READ & RUN ME is on your desktop but do not run it!
      • If it is not on your desktop, the below will not work.
    • Shut down your protection software now (antivirus, antispyware...etc) to avoid possible conflicts.
    • Open Notepad and copy/paste the text in the below code box into Notepad:
    Code:
    KillAll::
    ClearJavaCache::
    DirLook::
    C:\1767c4b5436f6c50b3fdd9a1ecc2dcc9
    C:\1a1fcad7170f00dead9966
    C:\340ad5186e5ed6789c0389e11b
    C:\34826d508d5d2a630c2ded6224
    C:\398d51d85c9d4da56f9e
    C:\4ad6f6c4f0cc64bdca521c
    C:\4eecab675411d336d5d049e017d10b
    C:\6dbc1cbcf4039380f49fa7bef147
    C:\7666c56c4080a37872d0e259176fbc
    C:\7d992f26d3992d22a67bc80a6e24
    C:\81434368590500d54d06
    C:\81f676f62b5e2e50e00d
    C:\89c763ecc2f9154dd7ca
    C:\b7330160d3b49f8abacdbf2ebf7c9d9d
    C:\ba2794b3afaace21d5d435
    C:\f0ca8b4e859c14fedb
    File::
    C:\Users\Ashleigh\AppData\Local\6pb32ub1387f3qs570a50564mglrq4160
    C:\Users\Ashleigh\AppData\Roaming\Microsoft\Windows\Templates\6pb32ub1387f3qs570a50564mglrq4160
    C:\ProgramData\6pb32ub1387f3qs570a50564mglrq4160
    C:\Windows\LTRDF14N.INI
    FileLook::
    C:\Program Files\Mozilla Firefox\firefox.exe
    Folder::
    C:\$AVG
    RegLock::
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    Registry::
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}]
    
    • Save the above as CFScript.txt and make sure you save it to the same location (should be on your desktop) as ComboFix.exe
    • At this point, you must exit all browsers now before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your desktop.
    • Now use your mouse to drag CFScript.txt on top of ComboFix.exe.
      http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
    • This shall launch ComboFix.
      Note: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
    • Allow ComboFix to update itself if prompted.
    • When it finishes, a log will be produced at C:\ComboFix.txt
      Note: If after running ComboFix you discover none of your programs will open up because you receive the following error: Illegal operation attempted on a registry key that has been marked for deletion then you will need to reboot your computer which will normally fix this problem.
    • Attach this log to your next message. (How to attach items to your post)

    Please download GooredFix from the link below and save it to your Desktop. ( The download links are the text saying Download@MajorGeeks )


    GooredFix
    • Ensure all Firefox windows are closed.
    • To run the tool, double-click it (XP), or right-click and select Run As Administrator (Vista/Win 7).
    • When prompted to run the scan, click Yes.
    • GooredFix will check for infections, and then a log will appear.
    • Please attach the GooredFix.txt log to your next reply (it can be found on your desktop). (See: HOW TO: Attach Items To Your Post )

    http://img685.imageshack.us/img685/3557/tdsskiller.gif Now we need to run TDSSKiller by Kaspersky
    Follow the instructions here and attach your log when you are finished. (How to attach items to your post)


    Please download MBRCheck by GeeksToGo to your desktop.
    See the download links under this icon http://forums.majorgeeks.com/chaslang/images/MGDownloadLoc.gif
    • Double click MBRCheck.exe to run (Vista and Win7 right click and select Run as Administrator)
    • It will show a Black screen with some information that will contain either the below line if no problem is found:
      • Done! Press ENTER to exit...
    • Or you will see more information like below if a problem is found:
      • Found non-standard or infected MBR.
      • Enter 'Y' and hit ENTER for more options, or 'N' to exit:
    • Either way, just choose to exit the program at this point since we want to see only the scan results to begin with.
    • MBRCheck will create a log named similar to MBRCheck_07.16.10_00.32.33.txt which is random based on date and time.
    • Attach this log to your next message. (How to attach items to your post)

    http://img51.imageshack.us/img51/6489/javaicon.gif Now install the current version of Sun Java from: Sun Java Runtime Environment

    http://img822.imageshack.us/img822/6835/baticon.gif Now run C:\MGtools\GetLogs.bat by double-clicking it (Vista and Win7 right-click and select Run as Administrator)
    Then attach C:\MGlogs.zip to your next message. (How to attach items to your post)
    Notes:
    • This will automatically update all the logs inside MGlogs.zip
    • Make sure you click Accept on the License Agreement from Trend Micro HiJackThis - v2.0.4 twice if prompted.

    Have you tried uninstalling and reinstalling FireFox?

    LET ME KNOW HOW THE PC IS RUNNING AFTER YOU HAVE COMPLETED THESE STEPS
    Also let me know if you are experiencing any issues with hidden/missing desktop icons, start menu, quick launch, anything missing?
     
  6. shesactualsize

    shesactualsize Private E-2

    Viewpoint Media Player would not uninstall. It told me to log in as an administrator.

    Java gave me some odd error messages, but I was able to delete the old version and update to the newest one.
    • Error: User SYSTEM has previously initiated an installation for product MS Enterprise 2007. That user will need to run that installation again before using that product. Your current installation will now continue.


    I'm not experiencing any problems with hidden/missing desktop icons or the start menu. I did have those problems when the malware first showed up, but since running the fixes my programs are back where they belong and running fine. Except for Firefox, which still will not open. I have not tried uninstalling and reinstalling it yet. I'd like to save my bookmarks if possible.

    There still seem to be too many duplicate processes running in Task Manager. There are 11 instances of svchost.exe, for example.
     

    Attached Files:

  7. shesactualsize

    shesactualsize Private E-2

    Here's the remaining log requested.
     

    Attached Files:

  8. thisisu

    thisisu Malware Consultant

    The ComboFix log is incomplete. However, it does look like it deleted the files we wanted it to. Did you have any issues running the CFScript.txt?

    TDSSKiller removed a rootkit.

    This is normal for svchost.exe, as well as chrome.exe. This is also something I hear they are going to address in Windows 8.

    Not sure why
    Read the following: Backing up and restoring bookmarks - Firefox
    I would recommend uninstalling Firefox using Revo Uninstaller >> Download Link

    Are you still having issues with Task Manager? If so, try the below:

    Please download Tweaking.com - Windows Repair by Tweaking.com to your desktop.
    • See the download links under this icon: http://forums.majorgeeks.com/chaslang/images/MGDownloadLoc.gif
    • Double-click Tweaking.com-WindowsRepair.exe to run the program.
    • Click the Start Repairs tab on the far right.
    • Click Custom Mode so there is a bullet in it.
    • Click the Start button (bottom right)
    • Click Unselect All
    • Put a checkmark in Remove Policies Set By Infections
      Note: Leave everything else unchecked
    • Put a checkmark in Restart System When Finished
    • Now click the Start button (bottom right)

    The rest of your logs are clean

    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources ( except a little disk space ) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /uninstall
        • Notes: The space between the combofix" and the /uninstall, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
    3. Go back to step 6 of the READ ME and re-enable your Disk Emulation software with Defogger if you had disabled it.
    4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    7. Go to add/remove programs and uninstall HijackThis if it is present
    8. Go to the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders
      related to MGtools and some other items from our cleaning procedures.
    9. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures pointed to by step 7 of the READ ME
        for your Window version and see the instructions to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    10. After doing the above, you should work thru the below link:
     
    Last edited: Oct 15, 2011
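    The consultant's point above, that a dozen svchost.exe instances is normal, is the common case: each instance hosts a different service group. What separates a normal instance from a suspicious one is not the count but where it runs from, who launched it, and whether it was started with a service group. The script below is an added example, not part of this thread and not one of the tools it mentions. It assumes a process listing exported on the affected PC as CSV with the columns pid, ppid, parent_image, path and cmdline (for instance from wmic or PowerShell), and the embedded sample listing is constructed to mirror such an export, including two instances that would merit a closer look.

```python
"""Triage duplicate svchost.exe instances from an exported process listing.

Added example (not from the MajorGeeks thread). Input is assumed to be a CSV
export with columns pid, ppid, parent_image, path, cmdline; the sample below
is CONSTRUCTED and is not taken from the poster's logs.
"""
import csv
import io
import re

# Conventions a service host started by the Service Control Manager follows
# on Windows 7: image in System32, parent is services.exe, and a -k <group>
# argument naming the service group it hosts.
EXPECTED_PATH = r"c:\windows\system32\svchost.exe"
EXPECTED_PARENT = "services.exe"
GROUP_FLAG = re.compile(r"(?:^|\s)-k\s+\S+", re.IGNORECASE)

# Constructed sample listing: six ordinary instances plus two that break the
# conventions (one running from a user's Temp folder, one launched by
# explorer.exe without a service group).
SAMPLE_LISTING = r"""pid,ppid,parent_image,path,cmdline
640,504,services.exe,C:\Windows\System32\svchost.exe,C:\Windows\system32\svchost.exe -k DcomLaunch
728,504,services.exe,C:\Windows\System32\svchost.exe,C:\Windows\system32\svchost.exe -k RPCSS
812,504,services.exe,C:\Windows\System32\svchost.exe,C:\Windows\System32\svchost.exe -k netsvcs
880,504,services.exe,C:\Windows\System32\svchost.exe,C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted
944,504,services.exe,C:\Windows\System32\svchost.exe,C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted
1020,504,services.exe,C:\Windows\System32\svchost.exe,C:\Windows\system32\svchost.exe -k NetworkService
2044,1600,explorer.exe,C:\Users\someuser\AppData\Local\Temp\svchost.exe,C:\Users\someuser\AppData\Local\Temp\svchost.exe
2100,1600,explorer.exe,C:\Windows\System32\svchost.exe,C:\Windows\System32\svchost.exe
"""


def parse_listing(text):
    """Parse the CSV export into a list of row dicts (all values are strings)."""
    return list(csv.DictReader(io.StringIO(text.strip())))


def is_svchost(row):
    """True if the row's image name is svchost.exe, wherever it lives."""
    return row["path"].lower().endswith("\\svchost.exe")


def triage_svchost(rows):
    """Return {pid: [reasons]} for svchost.exe instances that break the
    conventions above. An empty dict means every instance looks ordinary."""
    findings = {}
    for row in rows:
        if not is_svchost(row):
            continue
        reasons = []
        if row["path"].lower() != EXPECTED_PATH:
            reasons.append("image not in System32: " + row["path"])
        if row["parent_image"].lower() != EXPECTED_PARENT:
            reasons.append("parent is %s (expected services.exe)" % row["parent_image"])
        if not GROUP_FLAG.search(row["cmdline"]):
            reasons.append("no -k <service group> argument")
        if reasons:
            findings[row["pid"]] = reasons
    return findings


def summarize(rows):
    """Count svchost instances and the distinct service groups they host.
    Many instances with distinct groups is the normal picture."""
    groups = set()
    count = 0
    for row in rows:
        if is_svchost(row):
            count += 1
            match = GROUP_FLAG.search(row["cmdline"])
            if match:
                groups.add(match.group(0).split()[-1])
    return count, sorted(groups)


if __name__ == "__main__":
    rows = parse_listing(SAMPLE_LISTING)
    count, groups = summarize(rows)
    print("%d svchost.exe instances hosting: %s" % (count, ", ".join(groups)))
    for pid, reasons in triage_svchost(rows).items():
        print("PID %s: %s" % (pid, "; ".join(reasons)))
```

    Run against a real export, the summary alone usually answers the "too many svchost" worry (each instance maps to a distinct -k group), while the findings list narrows any follow-up to the handful of instances that do not fit the pattern, which is exactly what a scanner log or Process Explorer should then be used to confirm.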
  9. shesactualsize

    shesactualsize Private E-2

    ComboFix ran as described. I'm not sure why the logs are incomplete.

    It looks like the scans took care of the lingering malware, and everything has been running fine for the last couple days. The number of running processes is still more than it was before these issues started cropping up, but there's no discernible difference in performance. As long as my machine's clean, I'm happy.

    Thank you so much for all your help.
     
  10. thisisu

    thisisu Malware Consultant

    You're welcome. Surf safely! :)
     
