Possible infection

Discussion in 'Malware Help (A Specialist Will Reply)' started by mquelch, Jun 30, 2010.

  1. mquelch

    mquelch Private E-2

    Hi,

    I have a possible infection on my PC, and I've followed the instructions in the forum. I've attached the MGlogs.zip file.
    Please tell me if I am clean.
     

    Attached Files:

  2. dr.moriarty

    dr.moriarty Malware Super Sleuth Staff Member

    *EDITED by dr.m - revised reply.
     
    Last edited: Jul 1, 2010
  3. dr.moriarty

    dr.moriarty Malware Super Sleuth Staff Member

    Welcome to MajorGeeks!

    Step 1:
    Now download Sophos Anti-Rootkit 1.5 and save it to a location you will be able to find, such as your desktop.
    1. Run sar_15_sfx by double clicking on it.
    2. Click Accept to agree to the EULA
    3. Click Install (if you wish to change the default installation location do so here but remember where you install to, the default is C:\SOPHTEMP)
    4. Once it finishes copying files, exit the installer

    Running the scan
    1. Navigate to the location that you installed the software to (Default: C:\SOPHTEMP)
    2. Run the sargui Application by double clicking on it. (Note: if using Vista or Windows 7, use right click and select Run As Administrator).
    3. Ensure that all three of the options are checked
    4. Click Start Scan
    5. Once the scan is complete, close Sophos Anti-Rootkit by closing the scan window and clicking Exit in the main window

    DO NOT CLICK 'CLEAN UP CHECKED ITEMS' OR ATTEMPT TO HAVE SOPHOS ANTI-ROOTKIT FIX ANYTHING UNLESS SPECIFICALLY INSTRUCTED TO IN THE THREAD YOU ARE WORKING ON

    Finding the logs
    1. Click on Start --> Run
    2. Type in %TEMP%\sarscan.log and press enter
    3. The log file will open in the default editor (probably Notepad)
    4. Click File --> Save As and save the file to your desktop or other location for easy retrieval.

    Step 2:
    Please download OTL by OldTimer, saving it to your desktop:
    • Close all open windows on the Task Bar. Double-click the OTL icon to start the program and let it run uninterrupted.
    • When the window appears, underneath Output at the top, change it to Minimal Output.
    • Under the Standard Registry box, change it to All.
    • Check the boxes beside LOP Check and Purity Check.
    • Now click the Run Scan button at Top left and let the program run - the scan may take 5-10 minutes.
    • Do not TOUCH your keyboard until the scan completes!
      • It will produce two (2) logs on your desktop, one will pop up called OTL.txt and the other - Extras.txt. These logs are saved normally directly under your C:/ directory.
      • Now exit Notepad.
      • Exit OTL by clicking the [X] at top right.

    Please attach the below logs to your next reply:
    • OTListIt.txt
    • Extras.txt
    • sarscan.log
    • The remaining requested logs from the R & R ME FIRST guide:
      • SASlog.txt log from SuperAntiSpyware.
      • Malwarebytes Anti-Malware log

    * Make sure you tell me if you had any problems running this procedure; and answer this - "What malware problems are you still experiencing?"
     
    Last edited: Jul 1, 2010
  4. mquelch

    mquelch Private E-2

    Hi dr.m,

    Thanks for your help.
    Here are the logs.
    I had a problem with my browser being hijacked. I got a popup saying that my home page was about to be replaced. The other problem I had was when I pressed the back button on my browser, all of the URLs were the same. I couldn't go back to the previous page.
     

    Attached Files:

  5. dr.moriarty

    dr.moriarty Malware Super Sleuth Staff Member

    You're welcome, mquelch

    Step 1:
    Please look in Add/Remove Programs for the following and uninstall if found. If you get any errors just make a note and continue on.
    Step 2:
    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    After clicking Fix, exit HJT.

    Step 3:
    Now run OTL
    • Under the Custom Scans/Fixes box at the bottom, paste in the following that is inside of the code box:
    Code:
    :OTL
    :Processes
    explorer.exe
    @Alternate Data Stream - 158 bytes -> C:\ProgramData\Temp:D1B5B4F1:Commands
    [emptytemp]
    [Reboot]
    • Then click the Run Fix button at the top
    • Let the program run unhindered, reboot the PC when it is done
    • Open OTL again and click the Quick Scan button. Attach the new log it produces in your next reply.

    Step 4:
    Open CCleaner - select "Cleaner" > "Run Cleaner" <---use this function ONLY!

    Step 5:
    Now install the latest Sun Java Runtime Environment

    Step 6:
    Please go to Start > Run and paste in the following:
    • The resultant log will be retrievable @ C:\collect.zip

    Step 7:
    Then run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Windows 7, use right click and select Run As Administrator).

    Please attach the below logs to your next reply:
    • C:\MGlogs.zip
    • updated OTL.txt log
    • C:\collect.zip

    * Make sure you tell me if you had any problems running this procedure; and answer this - "What malware problems are you still experiencing?"

    dr.m
     
  6. mquelch

    mquelch Private E-2

    dr.moriarty,

    Here are the logs you requested; I couldn't find the Collect.zip file. I did a search and still couldn't locate it.
    I did not have any problems running any of the programs.

    Was I infected? If I was, how was it possible when I have all the necessary protection software running?

    Thank you.
     

    Attached Files:

  7. dr.moriarty

    dr.moriarty Malware Super Sleuth Staff Member

    You never attached the MBAM logs I requested.
    C:\Users\Michael Quelch\AppData\Roaming\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-2010-06-28 (22-21-11).txt
    C:\Users\Michael Quelch\AppData\Roaming\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-2010-06-29 (12-50-06).txt

    *These files indicate that something was found:
    Quarantine\BACKUP3.53943 - Quarantine\QUAR3.53943

    Downloading torrents is an easy way to get infected. I also found evidence of foistware that was installed. Re: "SearchSettings.dll"

    Please upload the following file to VirusTotal:
    • Click the Browse... button.
    • Navigate to the file C:\Windows\”ôÍ
    • Then click the Send File button
    • Either post a link to the results, or copy & paste the results into Notepad and attach the text file.

    How is your machine running now???
     
  8. mquelch

    mquelch Private E-2

    dr.moriarty,

    Here are the files.
    The computer is running well with no problems at the moment.

    Thanks for your help I appreciate it.

    Antivirus Version Last Update Result
    a-squared 5.0.0.30 2010.06.21 -
    AhnLab-V3 2010.06.21.02 2010.06.21 -
    AntiVir 8.2.2.6 2010.06.21 -
    Antiy-AVL 2.0.3.7 2010.06.18 -
    Authentium 5.2.0.5 2010.06.21 -
    Avast 4.8.1351.0 2010.06.21 -
    Avast5 5.0.332.0 2010.06.21 -
    AVG 9.0.0.787 2010.06.21 -
    BitDefender 7.2 2010.06.21 -
    CAT-QuickHeal 10.00 2010.06.18 -
    ClamAV 0.96.0.3-git 2010.06.21 -
    Comodo 5176 2010.06.21 -
    DrWeb 5.0.2.03300 2010.06.21 -
    eSafe 7.0.17.0 2010.06.20 -
    eTrust-Vet 36.1.7654 2010.06.21 -
    F-Prot 4.6.1.107 2010.06.20 -
    F-Secure 9.0.15370.0 2010.06.21 -
    Fortinet 4.1.133.0 2010.06.21 -
    GData 21 2010.06.21 -
    Ikarus T3.1.1.84.0 2010.06.21 -
    Jiangmin 13.0.900 2010.06.15 -
    Kaspersky 7.0.0.125 2010.06.21 -
    McAfee 5.400.0.1158 2010.06.21 -
    McAfee-GW-Edition 2010.1 2010.06.21 -
    Microsoft 1.5902 2010.06.21 -
    NOD32 5216 2010.06.21 -
    Norman 6.05.06 2010.06.21 -
    nProtect 2010-06-21.01 2010.06.21 -
    Panda 10.0.2.7 2010.06.21 -
    PCTools 7.0.3.5 2010.06.21 -
    Prevx 3.0 2010.06.21 -
    Rising 22.53.00.04 2010.06.21 -
    Sophos 4.54.0 2010.06.21 -
    Sunbelt 6483 2010.06.21 -
    Symantec 20101.1.0.89 2010.06.21 -
    TheHacker 6.5.2.0.302 2010.06.20 -
    TrendMicro 9.120.0.1004 2010.06.21 -
    TrendMicro-HouseCall 9.120.0.1004 2010.06.21 -
    VBA32 3.12.12.5 2010.06.21 -
    ViRobot 2010.6.21.3896 2010.06.21 -
    VirusBuster 5.0.27.0 2010.06.21 -
    Additional information
    File size: 20 bytes
    MD5 : f9f4905664c5b42b49e78efa12d1a6b6
    SHA1 : 9b706deb688bc85688246af31af821b014e72d13
    SHA256: 4dd8aaa8bd9f90459d4dc82aeddf5dcd439a7cd27b70a067e2c6ca904c717c83
    TrID : File type identification
    Generic INI configuration (100.0%)
    ssdeep: 3:uqJsn:ugs
    sigcheck: publisher....: n/a
    copyright....: n/a
    product......: n/a
    description..: n/a
    original name: n/a
    internal name: n/a
    file version.: n/a
    comments.....: n/a
    signers......: -
    signing date.: -
    verified.....: Unsigned
    PEiD : -
    RDS : NSRL Reference Data Set
    -
     

    Attached Files:
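The VirusTotal report pasted above is the 2010-era plain-text layout: one "engine version last-update result" row per engine, where "-" means no detection, followed by an "Additional information" block with the file size, hashes and signature state. The parser below is an added example (not MajorGeeks, VirusTotal or dr.moriarty's code) that turns such a paste into a detection ratio and checks that the pasted hashes have the right hex length, which catches a truncated or mangled copy. REPORT is an excerpt of the rows posted in the thread; SECOND_SAMPLE is constructed to show how a detection and a damaged hash are reported.

```python
"""Summarise a VirusTotal report pasted as plain text (2010-era layout).

Added example; REPORT is an excerpt of the thread's own paste, SECOND_SAMPLE
is constructed (fictitious engine names, deliberately truncated MD5).
"""
import re

# Engine row: "<engine> <version> <YYYY.MM.DD> <result>"; result "-" means clean.
ROW_RE = re.compile(
    r"^(?P<engine>\S+)\s+(?P<version>\S+)\s+"
    r"(?P<updated>\d{4}\.\d{2}\.\d{2})\s+(?P<result>.+?)\s*$"
)
HASH_RE = re.compile(r"^(?P<algo>MD5|SHA1|SHA256)\s*:\s*(?P<digest>[0-9a-fA-F]+)\s*$")
SIZE_RE = re.compile(r"^File size:\s*(?P<size>\d+)\s*bytes")
VERIFIED_RE = re.compile(r"^verified\.*:\s*(?P<state>\S+)")

# Expected hex-digest lengths; a pasted hash that was cut short fails this check.
HASH_LENGTHS = {"MD5": 32, "SHA1": 40, "SHA256": 64}

REPORT = """\
Antivirus Version Last Update Result
a-squared 5.0.0.30 2010.06.21 -
AntiVir 8.2.2.6 2010.06.21 -
Kaspersky 7.0.0.125 2010.06.21 -
McAfee-GW-Edition 2010.1 2010.06.21 -
Microsoft 1.5902 2010.06.21 -
nProtect 2010-06-21.01 2010.06.21 -
Sophos 4.54.0 2010.06.21 -
Symantec 20101.1.0.89 2010.06.21 -
Additional information
File size: 20 bytes
MD5 : f9f4905664c5b42b49e78efa12d1a6b6
SHA1 : 9b706deb688bc85688246af31af821b014e72d13
SHA256: 4dd8aaa8bd9f90459d4dc82aeddf5dcd439a7cd27b70a067e2c6ca904c717c83
TrID : File type identification
Generic INI configuration (100.0%)
verified.....: Unsigned
"""

# Constructed sample: one detection, and an MD5 missing its last hex digit.
SECOND_SAMPLE = """\
Antivirus Version Last Update Result
ExampleAV-A 1.0 2010.06.21 -
ExampleAV-B 2.0 2010.06.21 Trojan.Generic.Constructed
Additional information
File size: 20 bytes
MD5 : f9f4905664c5b42b49e78efa12d1a6b
"""


def parse_report(text):
    """Return a summary dict: engine count, detections, ratio, hashes, size, signer state."""
    engines = {}   # engine name -> None (clean) or detection label
    hashes = {}    # algorithm -> lowercase hex digest
    size = None
    verified = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = ROW_RE.match(line)
        if m:
            # The header row fails here because "Last" is not a date.
            result = m.group("result")
            engines[m.group("engine")] = None if result == "-" else result
            continue
        m = HASH_RE.match(line)
        if m:
            hashes[m.group("algo").upper()] = m.group("digest").lower()
            continue
        m = SIZE_RE.match(line)
        if m:
            size = int(m.group("size"))
            continue
        m = VERIFIED_RE.match(line)
        if m:
            verified = m.group("state")
    detections = {e: r for e, r in engines.items() if r is not None}
    hashes_ok = all(len(d) == HASH_LENGTHS[a] for a, d in hashes.items())
    return {
        "total": len(engines),
        "detections": detections,
        "ratio": f"{len(detections)}/{len(engines)}",
        "hashes": hashes,
        "hashes_ok": hashes_ok,
        "size": size,
        "verified": verified,
    }


if __name__ == "__main__":
    for label, text in (("thread excerpt", REPORT), ("constructed", SECOND_SAMPLE)):
        r = parse_report(text)
        print(f"{label}: {r['ratio']} detections {r['detections']} "
              f"size={r['size']} verified={r['verified']} hashes_ok={r['hashes_ok']}")
```

A clean ratio on a 20-byte unsigned INI file, as in the thread, is consistent with a harmless configuration fragment; the length check matters because forum pastes often lose characters, and a wrong-length hash cannot be used to look the file up later.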

  9. dr.moriarty

    dr.moriarty Malware Super Sleuth Staff Member

    ;)

    You're welcome, mquelch.

    Your logs look good! If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources (except a little disk space) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /uninstall
        • Notes: The space between the combofix" and the /uninstall, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
    3. Go back to step 6 of the READ ME and re-enable your Disk Emulation software with Defogger if you had disabled it.
    4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. If running Vista, it is time to make sure you have re-enabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    7. Go to add/remove programs and uninstall HijackThis.
    8. Go to the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    9. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures pointed to by step 7 of the READ ME for your Windows version and see the instructions to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    10. After doing the above, you should work through the below link:
    Safe surfing!
     
