QuickHealCleaner Infection

Discussion in 'Malware Help (A Specialist Will Reply)' started by gavinscott, Sep 6, 2009.

  1. gavinscott

    gavinscott Private E-2

    Hello,
    I have been infected with the QuickHealCleaner Malware virus. It has been on my pc for about 12 hours. I downloaded it thinking it was a video codec. I have been through the Malware removal steps. I have been thorough and think I have done everything listed.
    QuickHealCleaner has hijacked my browser and is giving me loads of fake infection alerts and constant pop-ups. None of the free scan tools are picking it up.
    I ran:
    CCleaner
    Super Anti Spyware - log attached
    Malwarebytes - log attached
    Combofix - this would not run. Got as far as clicking 'Yes' to accept license, but the scan would not start.
RootRepeal - This did not run either. The scan would start but my system would freeze at the 'looking for hidden/locked files' stage.
    MGtools - log attached

    Let me know if you need any further info.

    I really appreciate the help. Thank you in advance!
     


  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Major Geeks!

    Why are you running with no protection installed??? No wonder you are so badly infected as the length of the below will show.

    I see the below in your logs for NuTCRACKER 4, but I don't see that it is installed in your Add/Remove Programs list. Did you uninstall this?
    O4 - HKLM\..\Run: [NuTCSetupEnviron] H:\PROGRA~1\RATIONAL\RATION~1\NUTCROOT\bin\ncoeenv.exe
    O10 - Broken Internet access because of LSP provider 'h:\windows\system32\nutafun4.dll' missing

    Uninstall the below old versions of software:
    Java 2 Runtime Environment, SE v1.4.2_04
    Java(TM) 6 Update 5
    Java(TM) SE Runtime Environment 6

    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
    R3 - URLSearchHook: (no name) - {97bceb59-cfcd-4b16-a863-b3f72cf9f196} - (no file)
    O2 - BHO: (no name) - {153FB1E1-5074-4CAC-0261-2800B7BFDABD} - H:\WINDOWS\system32\fillf.dll (file missing)
    O2 - BHO: (no name) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
    O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
    O2 - BHO: (no name) - {6B42C5E1-5071-4C98-0261-2800B7BFDABD} - H:\WINDOWS\system32\fillf.dll (file missing)
    O2 - BHO: (no name) - {97bceb59-cfcd-4b16-a863-b3f72cf9f196} - (no file)
    O2 - BHO: (no name) - {ED120D76-BF31-412C-A99B-783C6676E128} - (no file)
    O2 - BHO: (no name) - {FE41F1FF-871B-4444-89D9-4770F786D498} - (no file)
    O3 - Toolbar: (no name) - {97bceb59-cfcd-4b16-a863-b3f72cf9f196} - (no file)
    O4 - HKCU\..\Run: [SearchAndDestroyT] H:\Program Files\Search And Destroy\SearchAndDestroy.exe
    O4 - HKCU\..\RunOnce: [koyib0fn.exe] H:\WINDOWS\system32\koyib0fn.exe
    O20 - Winlogon Notify: rqrrstu - H:\WINDOWS\

    After clicking Fix, exit HJT.



    Now download The Avenger by Swandog46, and save it to your Desktop.
    • Extract avenger.exe from the Zip file and save it to your desktop
    • Run avenger.exe by double-clicking on it.
    • Do not change any check box options!!
    • Copy everything in the Quote box below, and paste it into the Input script here: part of the window:
    • Now click the Execute button.
    • Click Yes to the prompt to confirm you want to execute.
    • Click Yes to the Reboot now? question that will appear when Avenger finishes running.
    • Your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt and it will popup for you to view when you login after reboot.
    After reboot, now install the current version of Sun Java from: Sun Java Runtime Environment

    Also delete all files in the below folders except ones from the current date (Windows will not let you delete the files from the current day).
    H:\WINDOWS\TEMP
    H:\Documents and Settings\Jones\Local Settings\Temp


    Now try to run RootRepeal and ComboFix per the cleaning instructions.

    Now run Ccleaner. Only use the Run Cleaner button. Do not run anything else on any other forms.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).


    Then attach the below logs:
    • C:\avenger.txt
    • the logs from RootRepeal and ComboFix if they ran
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
  3. gavinscott

    gavinscott Private E-2

    Thanks a lot! Really appreciate your time!

    I have followed your instructions. Same problems with Combofix and RootRepeal. I get the following error after running RootRepeal - 'error - invalid PE image found'.

    The QuickHealCleaner pop-ups have now disappeared. Thanks again!

    I do still however get frequent redirects while using Google search with Mozilla Firefox. It redirects me to various ad sites. This has been happening for some time.

    I have attached the Avenger and MGtools logs.

    Cheers!

    BTW, I have downloaded and am running Antivir. I should have known better and only have myself to blame. Sorry to waste your time.
     


  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome.

    You forgot to answer my question about NuTCRACKER 4.

    Oops! Had a typo in my fix that left out a / between C:\Windows and system32. Thus a load of bad files did not get removed. Try the below fix.



    • Run avenger.exe by double-clicking on it.
    • Do not change any check box options!!
    • Copy everything in the Quote box below, and paste it into the Input script here: part of the window:
    • Now click the Execute button.
    • Click Yes to the prompt to confirm you want to execute.
    • Click Yes to the Reboot now? question that will appear when Avenger finishes running.
    • Your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt and it will popup for you to view when you login after reboot.
    Now run Ccleaner. Only use the Run Cleaner button. Do not run anything else on any other forms.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).


    Then attach the below logs:
    • C:\avenger.txt
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
  5. gavinscott

    gavinscott Private E-2

    Hi Chas,

    I don't remember ever downloading, using or uninstalling Nutcracker. I'm not sure why this was ever on my system?

    I have followed your instructions. My logs are attached.

    Thanks a lot for your help!

    My Mozilla Firefox Google search no longer takes me to ad sites. However, it doesn't seem to direct me to any websites by clicking on the links. If I manually copy and paste the URL it works. But the blue link does not seem to work. I don't have this problem in IE. Seems a little random?

    Thanks again!
     


  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Does the below help you remember?

    http://www.scl.com/products/mks/datasheets/nutcracker4

    Not sure what you mean is random. Do you mean sometimes the links work in FireFox and sometimes they do not?

    Your logs appear to be clean. Let's run one online scan tool.


    Please try running the below online scan:

    http://www.superantispyware.com/onlinescan.html

    Reboot immediately after scanning if it finds and removes anything. Let me know if anything was found. It does not save a log.
     
