MalwareDefense Virus

Discussion in 'Malware Help (A Specialist Will Reply)' started by jschwaiger, Jan 24, 2010.

  1. jschwaiger

    jschwaiger Private E-2

    Two days ago, I clicked on a link and a malicious .pdf began to download without any warning. Then a few legitimate-looking Windows firewall-like pop-up windows appeared saying that my computer was infected. There was also a window that asked if I wanted to purchase the "full version" of MalwareDefense software to protect my system. I knew enough to just click on the close button for the various windows, and not follow any of their instructions, but it was a little late.

    The virus has disabled my McAfee On-Access Scan and also the McAfee Host Intrusion Prevention system tray icons. I have trouble downloading files from the internet (such as install files suggested in the Malware removal process on this forum - luckily I can download them on my wife's Mac and copy them via a USB flash card).

    Before I came to this website I was able to complete a scan with McAfee which removed only 3 suspected files. I was still having difficulties with MalwareDefense pop-ups, I got two blue screens of death, and I keep getting an error dialog for Google Installer saying that it needs to shut down. After much difficulty, I was also able to run MalwareBytes Anti-Malware software in Safe Mode which did seem to solve the problem - but upon restart, I got an annoying random beep sound every 3 minutes or so.

    Then I found this forum and decided to go through the malware removal process suggested. I was only able to download programs on another computer (the downloads would get canceled every time I tried them on my computer). I had to rename most of the install files to get them to run, and even then some of them would not run. I was able to run SuperAntiSpyware (log attached), could not get MalwareBytes Anti-Malware to run this time around (error message attached), I could not get the installer for Combofix to run, I accidentally ran MGtools before RootRepeal, but both of them ran and the logs are attached.

    The beeping seems to be gone, but I am still getting Google Installer errors, McAfee seems to still be disabled, and I am having trouble downloading files still.

    Sorry for the long post. Thanks in advance for any help.
     


  2. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Please double-click the RootRepeal.exe previously downloaded.

    • Select File then Scan
    • On the Select Drives form select drive C by "ticking" the box for drive C and click OK
    • When the scan is complete - highlight each of the following file(s) (one at a time if more than one is listed) by left clicking it. Then use right mouse click and select the Wipe File option only for each file.
    C:\WINDOWS\system32\H8SRTamivftqutd.dll
    C:\WINDOWS\system32\H8SRTeirisexokg.dat
    C:\WINDOWS\system32\H8SRTkmeavyihli.dll
    C:\WINDOWS\system32\h8srtshsyst.dll
    C:\WINDOWS\system32\H8SRTsypbmcjllb.dll
    C:\WINDOWS\system32\H8SRTtyvgejonep.dll
    C:\WINDOWS\Temp\H8SRTc1b5.tmp
    C:\WINDOWS\Temp\H8SRTd77f.tmp
    C:\WINDOWS\Temp\H8SRTe06a.tmp
    C:\WINDOWS\Temp\H8SRTed21.tmp
    C:\WINDOWS\Temp\H8SRTf512.tmp
    C:\Documents and Settings\All Users\Application Data\h8srtkrl32mainweq.dll
    C:\Documents and Settings\All Users\Application Data\h8srtmainqt.dll
    C:\WINDOWS\system32\drivers\H8SRTjkcdpfywae.sys
    C:\Documents and Settings\JSchwaiger\Local Settings\Temp\H8SRTa669.tmp
    C:\Documents and Settings\JSchwaiger\Local Settings\Temp\h8srtmainqt.dll
    • After Wiping all files, immediately reboot your pc!
    After reboot, download/install/update and run the scanning tools you couldn't run!

    Please attach the new logs as well as running ComboFix.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:
    • MBAM log
    • C:\ComboFix.txt
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
    Last edited by a moderator: Jan 25, 2010
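    Every path in the wipe list above shares the same H8SRT prefix, so a read-only scan for that naming pattern is a quick way to check other user profiles or a second machine before anything is wiped. The script below is an added illustration, not part of the thread or any MajorGeeks tool: it walks a set of directories and reports files matching the pattern without deleting anything, and the tree it scans here is constructed in a temporary folder so it runs offline on any OS.

```python
import os
import re
import tempfile

# Naming pattern shared by every file in the wipe list: H8SRT, then letters or
# digits, then one of the extensions seen in the thread. Case-insensitive so the
# lowercase variants (h8srtshsyst.dll, h8srtmainqt.dll) match as well.
H8SRT_NAME = re.compile(r"^h8srt[a-z0-9]+\.(dll|dat|sys|tmp)$", re.IGNORECASE)


def find_h8srt_files(roots):
    """Return the sorted paths of files under `roots` whose name matches the pattern.
    Read-only: nothing is opened, modified or removed."""
    hits = []
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                if H8SRT_NAME.match(name):
                    hits.append(os.path.join(dirpath, name))
    return sorted(hits)


def build_sample_tree(base):
    """Constructed sample tree echoing the thread's paths (not a real system).
    Returns the set of paths the scan is expected to flag."""
    sample = {
        "WINDOWS/system32/H8SRTamivftqutd.dll": True,
        "WINDOWS/system32/h8srtshsyst.dll": True,
        "WINDOWS/system32/drivers/H8SRTjkcdpfywae.sys": True,
        "WINDOWS/Temp/H8SRTc1b5.tmp": True,
        "WINDOWS/system32/kernel32.dll": False,  # ordinary name, must not match
        "WINDOWS/Temp/H8SRTnotes.txt": False,    # right prefix, wrong extension
    }
    for rel in sample:
        full = os.path.join(base, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(b"sample")
    return {os.path.join(base, *k.split("/")) for k, v in sample.items() if v}


def demo():
    """Build the sample tree, scan it, and report (all expected hits found, hit count)."""
    with tempfile.TemporaryDirectory() as base:
        expected = build_sample_tree(base)
        found = set(find_h8srt_files([os.path.join(base, "WINDOWS")]))
        return found == expected, len(found)


if __name__ == "__main__":
    ok, count = demo()
    print(f"{count} H8SRT-pattern files found; matches expected set: {ok}")
```

On a real machine the roots would be the system32, WINDOWS\Temp, All Users\Application Data and each profile's Local Settings\Temp directories the list names; the scan only reports, so it is safe to run against every profile.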
  3. jschwaiger

    jschwaiger Private E-2

    Thanks TimW,

    The computer which was infected is from work, so a guy from work had me run TDSSKiller so that I could run the other programs like MalwareBytes. I ran those two, and everything seems to be working fine now. I also ran SAS - which I was now able to do without the "Alternate Start". So, sorry that I wasn't able to follow your instructions exactly, but since this is a work computer, I sort of had to go with his suggestions.

    I did go back and run the programs as you stated in your response though, and the logs are attached. Since things are working well though, I did not run Combofix (since there are so many "It wiped my desktop out" complaints on the forum lately). Is that necessary, or is there an alternative out there that accomplishes the same thing?

    Anyway, thanks again for your help and I apologize for not being able to follow your steps exactly.

    I am attaching both Mbam logs -one from this morning that cleaned some things out, and one from after your reply.

    -jschwaiger
     


  4. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    ComboFix was causing problems for a day or two, but is now usable again. However, we will continue on without it.

    Now download The Avenger by Swandog469, and save it to your Desktop.

    * Extract avenger.exe from the Zip file and save it to your desktop

    Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

    * Run avenger.exe by double-clicking on it.
    * Do not change any check box options!!
    * Copy everything in the Quote box below, and paste it into the Input script here: part of the window:

    * Now click the Execute button.
    * Click Yes to the prompt to confirm you want to execute.
    * Click Yes to the Reboot now? question that will appear when Avenger finishes running.
    * Your PC should reboot, if not, reboot it yourself.
    * A log file from Avenger will be produced at C:\avenger.txt and it will popup for you to view when you login after reboot.

    Now run CCleaner to clean out only temp files and then go back to this folder and remove everything that you can (Windows will not let you remove anything from today's date):
    C:\Documents and Settings\JSchwaiger\Local Settings\Temp\

    You should also be doing the same for all users on this system, as each one has Admin. Privileges!

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:

    * C:\Avenger.txt
    * C:\MGlogs.zip

    Make sure you tell me how things are working now!
     
  5. jschwaiger

    jschwaiger Private E-2

    Thanks TimW,

    I don't have the password to disable McAfee. Is there any danger in running The Avenger with McAfee still enabled? I also don't have the passwords to be able to run this same process on all accounts, so I may have to just hand this one over to the guys back at the office.

    Is there any way to know if the other user accounts have been affected without being able to log on to them?

    Thanks again,

    -Jeff
     
  6. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    You can try running it with your AV still enabled and we will see if any of it was blocked.

    Since all users have Admin. privileges, just continue on with your account and get me the logs.
     
  7. jschwaiger

    jschwaiger Private E-2

    Thanks for sticking with this TimW. Sorry for the delay on this step.

    Attached below are the logs. The only hitch was that McAfee stopped "cleaner.exe" as a trojan and deleted it when I ran avenger.exe.

    When Windows XP rebooted, I did receive an error message about Windows not being able to locate "cleaner.exe" - I'm not sure if that will cause problems, or if it is part of the malware - your input would be appreciated. So far I haven't noticed any ill effects on Windows.

    Thanks again, jschwaiger
     


  8. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Not a problem.

    Avenger took care of those items and your logs are clean. :) I would suggest that you just run SAS and MBAM on each user account to be sure.

    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no real-time protection. They are useful as backup scanners. They do not use any significant amount of resources (except a little disk space) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /uninstall
        • Note: the space between combofix" and the /u must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
    3. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    4. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    5. If running Vista, it is time to make sure you have re-enabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    6. Go to add/remove programs and uninstall HijackThis.
    7. Go to the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    8. If you are running Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures in step 3 of the READ ME for your Windows version and see the instructions to Disable System Restore, which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    9. After doing the above, you should work thru the below link:
     
