Need help with malware infection

Discussion in 'Malware Help (A Specialist Will Reply)' started by shannh, Aug 9, 2009.

  1. shannh

    shannh Private E-2

My laptop became infected on Friday just before 9pm while I was viewing messages on the Beach District Wrestling Forum. I have Windows XP Home Edition. Immediately messages started popping up about installing Windows Antivirus Pro, and although I clicked to stop it before installation completed it is everywhere in my computer. I have two users on the computer. The user that was originally infected is pretty much locked down. I can't do much out of there. The other user that I am operating out of is not yet completely locked down but still would not allow me to run most of the programs in the Read and Run Me First. System restore is locked down in both users and the administrator. A message pops up saying the System Restore has been turned off due to group policy.

    I went through the Read and Run procedures. I am unable to Add and Remove Programs, so anywhere that I was asked to do that manually I could not.

I did not want to deal with the slow connection or other issues, so I downloaded all the tools from another computer to USB storage and attempted to run them on the infected desktop.

I downloaded SAS to a USB drive and renamed it but could not install it. It would attempt to extract files for half a second and then disappear. Also in safe mode I attempted to access the group policy editor from Run and got the message Windows cannot find gpedit.msc.

I renamed Malwarebytes to mb.exe and it installed, then prepared to scan for 18 seconds, then disappeared.

    I saved Combofix.exe and attempted to open and it would not even open.

    Root Repeal scan only took a second and found no hidden files.

    MG Tools appeared to work fine.

    I appreciate your help!
     

    Attached Files:

    Last edited: Aug 9, 2009
  2. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

You neglected to make the agreement to run HJT. Please make sure you do that when I ask you to run it later.

First, use a different computer to download The Avenger by Swandog469, then transfer it via CD to your Desktop.

* Extract avenger.exe from the Zip file and save it to your desktop

    Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

Now copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.
Make sure that you tell me if you receive a success message about adding the above to the registry. If you do not get a success message, it definitely did not work.


    * Run avenger.exe by double-clicking on it.
* Do not change any check box options!!
    * Copy everything in the Quote box below, and paste it into the Input script here: part of the window:


    * Now click the Execute button.
    * Click Yes to the prompt to confirm you want to execute.
    * Click Yes to the Reboot now? question that will appear when Avenger finishes running.
    * Your PC should reboot, if not, reboot it yourself.
    * A log file from Avenger will be produced at C:\avenger.txt and it will popup for you to view when you login after reboot.
    Now run Ccleaner to clean out only temp files and nothing else!

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). Make sure you accept the agreement to run HJT!

    Then attach the below logs:

    * C:\Avenger.txt
    * C:\MGlogs.zip
     
  3. shannh

    shannh Private E-2

    Ok. I ran into a snag and here is where I am at.

    The registry copy and paste info worked and gave me a success message.

    I ran The Avenger and have attached that log.

    Then the computer rebooted, and the error message "rundll32.exe application not found" popped up. I had never received that error previously.

    When I then went to run CCleaner the window popped up asking me to "Choose a program you want to open this file:"

    I stopped there because when I selected CCleaner from the list of programs I got the message "C:\Documents and Settings\Shan\Desktop\CCleaner\CCleaner.exe is not a valid Win32 application."

Also, during the original READ & RUN I did click twice to Accept HJT as the directions stated. Is there any other reason it wouldn't have shown up, or something else I should be aware of when I get to that part?

    Thank you very much for your help and I will be waiting for instructions as to what I should do next.
     

    Attached Files:

  4. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    There is a new virus that we are just learning about. It can stop HJT from running, so I want you to download the latest version of MGtools and save it to your root folder. Overwrite your previous MGtools.exe file with this one.

    Attach the new C:\MGLogs.zip
     
  5. shannh

    shannh Private E-2

    Here is the new log. Thank you for your help I will keep checking back to see what to do next.
     

    Attached Files:

  6. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Let's try it again.

    Please use add/remove programs to uninstall:
Viewpoint Media Player <-- should have been uninstalled in step 1 of the READ ME
J2SE Runtime Environment 5.0 Update 2
J2SE Runtime Environment 5.0 Update 3
Java 2 Runtime Environment, SE v1.4.2_03

    Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

Copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.
Make sure that you tell me if you receive a success message about adding the above to the registry. If you do not get a success message, it definitely did not work.


    * Run avenger.exe by double-clicking on it.
* Do not change any check box options!!
    * Copy everything in the Quote box below, and paste it into the Input script here: part of the window:


    * Now click the Execute button.
    * Click Yes to the prompt to confirm you want to execute.
    * Click Yes to the Reboot now? question that will appear when Avenger finishes running.
    * Your PC should reboot, if not, reboot it yourself.
    * A log file from Avenger will be produced at C:\avenger.txt and it will popup for you to view when you login after reboot.

    Now download and install:
    Java Runtime 6

Now try double clicking on C:\MGtools\analyse.exe --> if it runs, attach the log. (Do a system scan only).

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:
    * C:\Avenger.txt
    * C:\ComboFix.txt
    * C:\MGlogs.zip
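The fix procedure TimW gives in posts 2 and 6 relies on saving a hand-written fixME.reg file and double-clicking it, where the only feedback is regedit's success message. The parser below is an added example, not code from this thread or from MajorGeeks: it reads a .reg file in the "Windows Registry Editor Version 5.00" text format and lists what merging it would do (keys deleted, values deleted, values set), so a helper or the user can review a fix before it touches the registry. The sample file embedded in the block is constructed for the example and is not the fixME.reg from this thread, whose contents are not on the page; the key names it uses (the System Restore policy key, the Policies\System key, the exefile command key) are real locations chosen to match symptoms the thread mentions, and the "Sample" value is a made-up name.

```python
import re
from typing import Dict, Tuple

# Every .reg file for regedit 5.00 must start with this header line. The file on disk is
# normally UTF-16LE; this parser works on already-decoded text.
HEADER = "Windows Registry Editor Version 5.00"

# Constructed sample (NOT the fixME.reg from the thread). It exercises each construct the
# parser understands: delete a whole key ([-KEY]), delete a value ("name"=-), a hex value
# continued over two lines with a trailing backslash, and the (Default) value written as @.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[-HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=-
"Sample"=hex:01,00,\
  02,00

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"
'''

# A value line is either @=data or "name"=data; the name may contain escaped quotes.
_VALUE_LINE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')
# hex:aa,bb  or  hex(7):aa,bb  (the number in parentheses is the registry type id)
_HEX_PREFIX = re.compile(r'^hex(?:\((\d+)\))?:(.*)$')


def _unescape(s: str) -> str:
    # .reg strings escape backslash and double quote with a backslash.
    return re.sub(r'\\(.)', r'\1', s)


def _parse_value(line: str) -> Tuple[str, tuple]:
    """Return (name, value) where value is one of:
    ("string", str), ("dword", int), ("hex", type_id, bytes), ("delete", None)."""
    m = _VALUE_LINE.match(line)
    if not m:
        raise ValueError(f"malformed value line: {line!r}")
    raw_name, data = m.group(1), m.group(2).strip()
    name = "@" if raw_name == "@" else _unescape(raw_name[1:-1])
    if data == "-":
        return name, ("delete", None)
    if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
        return name, ("string", _unescape(data[1:-1]))
    if data.startswith("dword:"):
        return name, ("dword", int(data[len("dword:"):], 16))
    h = _HEX_PREFIX.match(data)
    if h:
        reg_type = int(h.group(1)) if h.group(1) else 3  # bare "hex:" means REG_BINARY (3)
        return name, ("hex", reg_type, bytes.fromhex(h.group(2).replace(",", "")))
    raise ValueError(f"unsupported value syntax: {data!r}")


def parse_reg(text: str) -> Dict[str, dict]:
    """Parse .reg text into {key_path: {"delete": bool, "values": {name: value}}}."""
    lines = text.splitlines()
    if not lines or lines[0].strip() != HEADER:
        raise ValueError("missing or unsupported .reg header")
    keys: Dict[str, dict] = {}
    current = None
    pending = ""  # accumulates a value that is continued over lines ending in a backslash
    for raw in lines[1:]:
        line = pending + raw.strip()
        pending = ""
        if line.endswith("\\"):
            pending = line[:-1]
            continue
        if not line or line.startswith(";"):  # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            path = line[1:-1]
            delete = path.startswith("-")  # [-KEY] removes the key and everything under it
            if delete:
                path = path[1:]
            current = {"delete": delete, "values": {}}
            keys[path] = current
            continue
        if current is None:
            raise ValueError(f"value line before any [key] section: {line!r}")
        name, value = _parse_value(line)
        current["values"][name] = value
    return keys


def summarize(keys: Dict[str, dict]) -> list:
    """Human-readable preview of what merging the file would do."""
    actions = []
    for path, key in keys.items():
        if key["delete"]:
            actions.append(f"delete key   {path}")
            continue
        for name, value in key["values"].items():
            label = "(Default)" if name == "@" else name
            if value[0] == "delete":
                actions.append(f"delete value {path}\\{label}")
            else:
                actions.append(f"set value    {path}\\{label} = {value[1:]}")
    return actions


if __name__ == "__main__":
    for action in summarize(parse_reg(SAMPLE_REG)):
        print(action)
```

Running the block prints one line per action in the sample file. Unlike regedit, it changes nothing; the point is that a reviewer sees which keys a fix removes and which values it sets before the file is merged.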
     
