malware (Trojan) aftereffects

Discussion in 'Malware Help (A Specialist Will Reply)' started by Lori Oelfke, Aug 8, 2012.

  1. Lori Oelfke

    Lori Oelfke Private E-2

    I have a Dell computer that runs Windows Vista 32-bit system. Yesterday while viewing a YouTube video of an Olympic diver that bellyflopped, I started having computer issues. Twenty-two small windows appeared indicating a writing error, and a larger window showing that googleupdater.exe was wanting access to my computer. I cancelled all 22 of the small windows but they kept coming back every 5-10 minutes. I tried closing the googleupdater.exe window but it would not close. Most of the icons on my desktop were gone. I already had Malwarebytes on my computer and decided to run it if the computer would let me, and it did. Log is attached. The desktop icons did not come back and all the pins and other icons were gone from the start menu as well. I could not find any of my documents or any of my pictures. I decided to run Malwarebytes again and that post is also attached. Following the second running of Malwarebytes, nothing had changed and I decided to check out the majorgeeks.com website for assistance. Those logs will be attached in the next post.
     

    Attached Files:

  2. Lori Oelfke

    Lori Oelfke Private E-2

    I followed the directions on the Major Geeks website and am attaching the logs from all four downloads.

    My desktop icons came back somewhat after unchecking hidden file extensions or doing the defogger disable. I say somewhat because they lack the bright vivid coloring the icons once had, they now look somewhat transparent or like a ghost of their former selves. However, when I click on them I am taken to where I need to go, so they do work. My concern is that they will again disappear when I undo the defogger actions or re-check hide file extensions. Also, I can now find my documents and photos but again their thumbnails are ghost-like.

    I figured out how to get my start menu items back but have a bit of trouble with Internet Explorer. I had to search for Internet Explorer in the start menu to be able to pin it, but then the pin kept disappearing. I then searched on iexplore.exe and pinned that to the start menu and that seems to be sticking. My once stored favorites in Internet Explorer have disappeared and when I go to save an old favorite (like weather.com), I get a message saying that weather.com is already in the favorites. Weird.
     

    Attached Files:

  3. Lori Oelfke

    Lori Oelfke Private E-2

    Today, I decided to run a Malwarebytes scan again just to see what it had to say. The log shows only PUP.MyWebSearch entries - is there a way to be rid of that for good or will it always leave enough remnants behind to show up again?

    Thanks,
    Lori
     

    Attached Files:

  4. thisisu

    thisisu Malware Consultant

    Welcome to MajorGeeks, Lori

    http://img805.imageshack.us/img805/9659/rktigzy.gif Repair Shortcuts with RogueKiller.

    Double-click RogueKiller.exe to run. (Vista/7 right-click and select Run as Administrator)
    When it opens, press the Fix Shortcuts button
    When that is finished, press the Fix Proxy button
    When it is finished, there should be two new RogueKiller logs on your desktop.
    Attach the latest RogueKiller logs to your next message. (How to attach)
     
  5. Lori Oelfke

    Lori Oelfke Private E-2

    I ran these two scans and then remembered that I had turned my User Account Control back on. If that's a problem, I will rerun the scans.

    The internet explorer favorites are back! The thumbnails and icons have lost that transparent look - thank you!

    I learned today that I am missing icons for Microsoft Word and Microsoft PowerPoint in the Microsoft Office folder in the list of programs. I don't know if that is related to this infection or not. My Word documents and PowerPoint documents still operate, so just the way to get to that software is missing?

    Thanks for your help!

    Lori Oelfke
     

    Attached Files:

  6. thisisu

    thisisu Malware Consultant

    http://img196.imageshack.us/img196/3557/tdsskiller.gif I want you to read and follow these instructions: TDSSKiller - How to run

    __

    http://img850.imageshack.us/img850/4746/programsandfeatureswin7.gif From Programs and Features (via Control Panel), please uninstall the below:
    • J2SE Runtime Environment 5.0 Update 10
    • Java(TM) 6 Update 31

    __

    http://img205.imageshack.us/img205/1894/otl.gif Please download OTL by OldTimer.

    • Save it to your desktop.
    • Right mouse click on the OTL icon on your desktop and select Run as Administrator
    • Check the "Scan All Users" checkbox.
    • Check the "Standard Output".
    • Change the setting of "Drivers" and "Services" to "All"
    • Copy the text in the code box below and paste it into the http://img14.imageshack.us/img14/66/otlcustomfix.png text-field.
      Code:
      activex
      netsvcs
      %windir%\system32\drivers\*.sys /lockedfiles
      
    • Now click the http://img171.imageshack.us/img171/2405/runscanotl.png button.
    • One report will be created:
      • OTL.txt <-- Will be opened
    • Attach OTL.txt to your next message. (How to attach)
     
  7. Lori Oelfke

    Lori Oelfke Private E-2

    TDSSKiller Log attached.

    J2SE Runtime Environment 5.0 Update 10 and Java(TM) 6 Update 31 were uninstalled.

    OTL.txt attached.

    Thanks,
    Lori Oelfke
     

    Attached Files:

  8. Lori Oelfke

    Lori Oelfke Private E-2

    I decided to peruse the Microsoft Security Essentials window today. I changed the settings tab from 'quarantined items' (which showed nothing) to 'All Detected Items' and found what shows in the attached screenshot. This information was in the section labeled "security essentials encountered the following error": Security Essentials encountered the following error:

    Error code 0x80508023. The program could not find the malware and other potentially unwanted software on this computer.

    Category: Trojan

    Description: This program is dangerous and executes commands from an attacker.

    Recommended action: Remove this software immediately.

    Items:
    file:C:\Users\Dad\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\File_Recovery.lnk
    file:C:\Users\Dad\Desktop\File_Recovery.lnk
    folder:C:\Users\Dad\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\File Recovery\

    I clicked on "removed all items" but thought you should know about this activity.

    Thanks,
    Lori Oelfke
     

    Attached Files:

  9. thisisu

    thisisu Malware Consultant

    Thanks for letting me know, Lori

    http://img205.imageshack.us/img205/1894/otl.gif Fix items using OTL by OldTimer

    Double-click OTL.exe to run. (Vista/7 right-click and select Run as Administrator)
    Shut down your protection software now (antivirus, antispyware...etc) to avoid possible conflicts.
    Copy the text in the code box below and paste it into the http://img14.imageshack.us/img14/66/otlcustomfix.png text-field.
    Code:
    :otl
    SRV - File not found [On_Demand | Stopped] -- C:\Program Files\Common Files\Symantec Shared\Support Controls\ssrc.exe -- (Symantec RemoteAssist)
    SRV - File not found [Auto | Stopped] -- C:\Program Files\Dell Support Center\bin\sprtsvc.exe /service /p dellsupportcenter -- (sprtsvc_dellsupportcenter)
    DRV - File not found [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DDMI2.sys -- (SDDMI2)
    DRV - File not found [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\blbdrive.sys -- (blbdrive)
    IE - HKLM\..\SearchScopes\{cf6e4b1c-dbde-457e-9cef-ab8ecac8a5e8}: "URL" = http://search.mywebsearch.com/mywebsearch/GGmain.jhtml?p2=^HJ^xdm077^S02028^us&ptb=21301FDC-D067-49AB-9017-D4FB803A0362&ind=2012072712&n=77edcb08&psa=&st=sb&searchfor={searchTerms}
    IE - HKU\S-1-5-21-540794984-632158158-845780165-1004\..\SearchScopes\{cf6e4b1c-dbde-457e-9cef-ab8ecac8a5e8}: "URL" = http://search.mywebsearch.com/mywebsearch/GGmain.jhtml?p2=^HJ^xdm077^S02028^us&ptb=21301FDC-D067-49AB-9017-D4FB803A0362&ind=2012072712&n=77edcb08&psa=&st=sb&searchfor={searchTerms}
    FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}:6.0.20
    FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}:6.0.21
    FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}:6.0.22
    FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA}:6.0.31
    FF - prefs.js..keyword.URL: "http://www.mystart.com/results.php?pr=zugo&id=bflixtoolbar&v=1_0&gen=ms&ent=tb&mkt=us&q="
    FF - HKLM\Software\MozillaPlugins\@VideoDownloadConverter_4z.com/Plugin: C:\Program Files\VideoDownloadConverter_4z\bar\1.bin\NP4zStub.dll File not found
    FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\4zffxtbr@VideoDownloadConverter_4z.com: C:\Program Files\VideoDownloadConverter_4z\bar\1.bin [2012/08/08 13:55:53 | 000,000,000 | ---D | M]
    [2010/07/24 16:59:36 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
    [2010/09/20 07:13:20 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
    [2010/10/18 21:45:45 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
    [2012/07/27 09:48:15 | 000,000,000 | ---D | M] (VideoDownloadConverter) -- C:\Users\Dad\AppData\Roaming\mozilla\Firefox\Profiles\o86sghc0.default\extensions\4zffxtbr@VideoDownloadConverter_4z.com
    [2007/12/04 15:59:00 | 000,000,000 | ---D | M] (Google Settings) -- C:\Program Files\Mozilla Firefox\extensions\google-cjk@partners.mozilla.com
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
    O2 - BHO: (no name) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - No CLSID value found.
    [2012/08/07 19:41:27 | 000,000,000 | ---D | C] -- C:\Users\Dad\AppData\Roaming\SpeedMaxPc
    [2012/08/07 19:41:27 | 000,000,000 | ---D | C] -- C:\Users\Dad\AppData\Roaming\DriverCure
    [2012/08/07 19:38:54 | 000,000,000 | ---D | C] -- C:\ProgramData\SpeedMaxPc
    [2012/08/07 11:12:02 | 000,000,000 | ---D | C] -- C:\Users\Dad\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\File Recovery
    [2012/07/27 09:49:14 | 000,000,000 | ---D | C] -- C:\Users\Dad\AppData\Local\VideoDownloadConverter_4z
    [22 C:\ProgramData\*.tmp files -> C:\ProgramData\*.tmp -> ]
    [22 C:\ProgramData\*.tmp files -> C:\ProgramData\*.tmp -> ]
    [1 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]
    [2012/08/07 11:13:25 | 000,000,072 | ---- | M] () -- C:\ProgramData\-RLaghQSJKOeiwjr
    [2012/08/07 11:13:25 | 000,000,072 | ---- | M] () -- C:\ProgramData\-RLaghQSJKOeiwj
    [2012/08/07 11:13:22 | 000,000,368 | ---- | M] () -- C:\ProgramData\RLaghQSJKOeiwj
    [2012/04/07 23:09:20 | 000,094,208 | ---- | C] () -- C:\Users\Dad\AppData\Local\common_functions.dll
    [2011/09/02 04:08:50 | 000,102,400 | ---- | C] () -- C:\Users\Dad\AppData\Local\ie_runner_app.exe
    [2008/12/12 10:44:36 | 000,000,020 | ---- | C] () -- C:\ProgramData\PKP_DLdu.DAT
    @Alternate Data Stream - 112 bytes -> C:\ProgramData\TEMP:8CE646EE
    :files
    C:\Program Files\Video Download Converter
    C:\found.000 /d
    type c:\rkill.log /c
    c:\rkill.log /d
    C:\Program Files\VideoDownloadConverter_4z
    C:\Program Files\PlaySushi
    xcopy /h/i/s/y "%temp%\smtmp\1" "%programdata%\start menu" /c
    xcopy /h/i/s/y "%temp%\smtmp\2" "%appdata%\microsoft\internet explorer\quick launch" /c
    xcopy /h/i/s/y "%temp%\smtmp\3" "%appdata%\microsoft\internet explorer\quick launch\user pinned\taskbar" /c
    xcopy /h/i/s/y "%temp%\smtmp\4" "%programdata%\desktop" /c
    C:\Windows\Tasks\*.job
    :reg
    [-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{cf6e4b1c-dbde-457e-9cef-ab8ecac8a5e8}]
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchScopes\{cf6e4b1c-dbde-457e-9cef-ab8ecac8a5e8}]
    :commands
    [emptytemp]
    
    Now click the http://img3.imageshack.us/img3/407/otlrunfix.png button.
    If the fix needed a reboot please do it.
    Click the OK button (upon reboot).
    When OTL is finished, Notepad will open. Close Notepad.
    A log file will be located at C:\_OTL\MovedFiles\mmddyyyy_hhmmss.log, where mmddyyyy_hhmmss is the date of the tool run.
    Attach this log to your next message. (How to attach)

    __

    http://img17.imageshack.us/img17/3214/baticonvista7.gif Now run C:\MGtools\GetLogs.bat by right-mouse clicking it and then selecting Run as Administrator
    This updates all of the logs inside MGlogs.zip.
    When it is finished, attach C:\MGlogs.zip to your next message. (How to attach)

    __

    Let me know how the computer is running after you have completed these steps.
     
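The four xcopy lines in the OTL fix above do the actual repair of this infection's visible damage: the rogue "File Recovery" utility had moved the Start Menu, Quick Launch, pinned taskbar and Desktop shortcuts into numbered subfolders under %temp%\smtmp, and the fix copies them back. The script below is an added example, not part of the thread or of OTL, showing the same restore as a dry-run-first, never-delete operation that a responder can audit before committing. It assumes the subfolder-to-destination mapping exactly as the OTL fix lists it (OTL expands those %variables% itself; the script uses the shell's environment instead), and it deliberately skips destinations that already exist rather than overwriting them the way xcopy /y does. The demo() tree is constructed sample data.

```python
"""Restore shortcuts that a rogue "system repair" utility moved into %TEMP%\\smtmp.

Added example for the MajorGeeks thread; not OTL's code. Mapping taken from the
xcopy lines in the OTL fix: numbered smtmp subfolder -> original location.
"""
import os
import shutil
import tempfile
from pathlib import Path

# Destinations as listed in the OTL fix (assumption: the shell's %programdata%
# and %appdata% resolve to the folders OTL meant). Expanded at run time.
SMTMP_TARGETS = {
    "1": r"%programdata%\start menu",
    "2": r"%appdata%\microsoft\internet explorer\quick launch",
    "3": r"%appdata%\microsoft\internet explorer\quick launch\user pinned\taskbar",
    "4": r"%programdata%\desktop",
}


def plan_restore(smtmp_root, targets=SMTMP_TARGETS):
    """Return (source, destination, action) triples without touching the disk."""
    plan = []
    root = Path(smtmp_root)
    for number, target in targets.items():
        src_dir = root / number
        if not src_dir.is_dir():
            continue                      # rogue did not stash anything here
        dst_dir = Path(os.path.expandvars(target))
        for src in sorted(p for p in src_dir.rglob("*") if p.is_file()):
            dst = dst_dir / src.relative_to(src_dir)   # keep folder structure (/s)
            action = "skip-existing" if dst.exists() else "copy"
            plan.append((src, dst, action))
    return plan


def restore_shortcuts(smtmp_root, targets=SMTMP_TARGETS, dry_run=True):
    """Copy stashed items back, mirroring xcopy /h/i/s, and report counts.

    Unlike xcopy /y this never overwrites an existing destination, and the
    smtmp originals are left in place so the responder can verify afterwards.
    """
    summary = {"copy": 0, "skip-existing": 0}
    for src, dst, action in plan_restore(smtmp_root, targets):
        summary[action] += 1
        if action == "copy" and not dry_run:
            dst.parent.mkdir(parents=True, exist_ok=True)   # like xcopy /i
            shutil.copy2(src, dst)                           # keeps timestamps
    return summary


def demo():
    """Constructed sample tree: stashed shortcuts plus one pre-existing target."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        smtmp = base / "smtmp"
        (smtmp / "1" / "Programs").mkdir(parents=True)
        (smtmp / "1" / "Programs" / "Word.lnk").write_bytes(b"constructed")
        (smtmp / "2").mkdir()
        (smtmp / "2" / "IE.lnk").write_bytes(b"constructed")
        (smtmp / "4").mkdir()
        (smtmp / "4" / "Recycle.lnk").write_bytes(b"constructed")
        # Point every numbered folder at a sandbox destination instead of %programdata%.
        targets = {n: str(base / "restored" / n) for n in "1234"}
        (base / "restored" / "4").mkdir(parents=True)
        (base / "restored" / "4" / "Recycle.lnk").write_bytes(b"original")
        dry = restore_shortcuts(smtmp, targets, dry_run=True)
        real = restore_shortcuts(smtmp, targets, dry_run=False)
        return {
            "dry_run": dry,
            "restored": real,
            "word_restored": (base / "restored" / "1" / "Programs" / "Word.lnk").is_file(),
            "kept_original": (base / "restored" / "4" / "Recycle.lnk").read_bytes() == b"original",
        }


if __name__ == "__main__":
    # On the affected machine: show what would be copied back from %temp%\smtmp.
    for src, dst, action in plan_restore(os.path.expandvars(r"%temp%\smtmp")):
        print(f"{action:14} {src} -> {dst}")
    print(demo())
```

Run it once without arguments to see the plan for the real %temp%\smtmp; only call restore_shortcuts(..., dry_run=False) after the listed destinations look right, since a wrong mapping would scatter shortcuts into the wrong profile.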
  10. Lori Oelfke

    Lori Oelfke Private E-2

    Attached are the logs you requested.

    The computer seems to be running smoothly. Let me know if there's something else I should do.

    Thanks,
    Lori Oelfke
     

    Attached Files:

  11. thisisu

    thisisu Malware Consultant

    Latest logs are clean :)

    If you are not having any other malware related problems, it is time to do our final steps:
    • Any programs we had you download and/or install can be removed at this time.
    • If we had you download and run ComboFix, here is how to uninstall it:
      • Press and hold the Windows key http://i1106.photobucket.com/albums/h363/debojyotidas/Windows_Logo_key.gif and then press the letter R on your keyboard.
      • This opens the Run dialog box.
      • Copy and paste the below text inside the text-field:
        • "%userprofile%\desktop\ComboFix" /uninstall
      • Now press ENTER
      • ComboFix will extract its files one last time and you should receive a notification that ComboFix has been uninstalled shortly after.
    • You can re-enable your Disk Emulation software at this time via DeFogger.
    • If we had you create or download a registry patch or "fix" script, these can be deleted at this time.
    • Go into the C:\MGtools folder and run the MGclean.bat file to remove additional traces of our tools.
    • Now we will toggle System Restore to remove any infected system restore points.
    • Lastly, here is a guide to protect you from future infections: How to Protect yourself from malware!
    • Be safe :)
     
