Redirected from software to malware - wheee!

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by headmeetwall, Jun 19, 2011.

  1. headmeetwall

    headmeetwall Private E-2

    Ok, let the fun begin!

    First off, I'm mad at myself, I thought I thoroughly cleaned my infection however as I think about it, the last system restore I was able to do when my new problems started - I think there must have been hints of it and I managed to bring it back (dummy) and doing windows updates on an infected computer...well...um...yeah...

    A few *notes* before my logs -

    for step 3 -

    I removed VP media player - didn't have any of the other ones.
    I removed all the JAVA updates etc, but since I can only operate in safe mode at the moment, I had to use Revo for that and the newest version will have to wait until I'm normal again. I have it saved to the desktop.

    for step 5 -

    I didn't have any of the ones listed in add/remove - so nothing deleted.

    for step 7 -

    I already have Malwarebytes (full) on my computer - so I ran that, hopefully any infection isn't messing with it - it did update correctly.

    On the disable of the UAC - I actually had to do this via a command prompt - I can't get any setting I try in control panel (or other configuration windows) to stick after reboot - not sure if it is a safe mode thing or this infection. It said it was successful, not sure if on reboot it stayed that way....not sure how to check either.

    COMBOFIX - If I run it the way Tim said in the software forum adding the kill script - at the end it reboots my machine and since I'm still crashing in normal mode, there is no report made. I ran it without the kill script - and produced the log attached.

    ROOTREPEAL - had an issue running this selecting both C drive and recovery drive E - I got an error "unrecognized partition type 39 (0x27!)" - and it froze with "initializing please wait" - I re-ran it only choosing the C drive and it worked.

    logs attached! thank you in advance!
     


  2. headmeetwall

    headmeetwall Private E-2

    and the MG.zip file....
     


  3. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

    * Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
    If it is not on your Desktop, the below will not work.
    * Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    * If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
    * Open Notepad and copy/paste the text in the below code box into it (make sure you scroll all the way down in the code box to get all lines selected ):
    Code:
    Driver::
    Viewpoint Manager Service
    
    Folder::
    C:\Users\Megan\AppData\Roaming\ParetoLogic
    C:\ProgramData\ParetoLogic
    C:\Program Files\ParetoLogic
    
    RegLock::
    [HKEY_LOCAL_MACHINE\System\ControlSet002\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    
    [HKEY_LOCAL_MACHINE\System\ControlSet002\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
    .
    [HKEY_LOCAL_MACHINE\System\ControlSet002\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
    .
    [HKEY_LOCAL_MACHINE\System\ControlSet002\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
    .
    [HKEY_LOCAL_MACHINE\System\ControlSet002\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0004\AllUserSettings]
    .
    [HKEY_LOCAL_MACHINE\System\ControlSet002\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0005\AllUserSettings]
    .
    [HKEY_LOCAL_MACHINE\System\ControlSet002\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0006\AllUserSettings]
    .
    [HKEY_LOCAL_MACHINE\System\ControlSet002\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0007\AllUserSettings]
    .
    [HKEY_LOCAL_MACHINE\System\ControlSet002\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0008\AllUserSettings]
    .
    [HKEY_LOCAL_MACHINE\System\ControlSet002\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0009\AllUserSettings]
    .
    [HKEY_LOCAL_MACHINE\System\ControlSet002\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0010\AllUserSettings]
    .
    [HKEY_LOCAL_MACHINE\System\ControlSet002\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0011\AllUserSettings]
    
    Registry::
    [-HKEY_LOCAL_MACHINE\System\ControlSet002\Services\srv1790]
    
    
    * Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    * At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    * You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    If it asks you to override the previous file with the same name, click YES.
    * Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
    * Follow the prompts.
    * When it finishes, a log will be produced named c:\combofix.txt
    * I will ask for this log below

    Note:

    Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

    Please download SystemLook from one of the links below and save it to your Desktop.
    Download Mirror #1
    Download Mirror #2


    • Double-click SystemLook.exe to run it.
    • Copy the content of the following codebox into the main textfield:
      Code:
      :filefind
      srv1790*
      
    • Click the Look button to start the scan.
    • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
    Note: The log can also be found on your Desktop entitled SystemLook.txt

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

    Then attach the below log:

    • C:\MGlogs.zip
    • System Look log

    Make sure you tell me how things are working now!
     
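Added example, not part of the thread and not code from MajorGeeks, ComboFix or SystemLook: a read-only PowerShell check that answers the question raised in this thread of whether the CFScript's changes "stuck" after the reboot. It reads the UAC policy value the first post tried to change from a command prompt, reports which control set actually booted (the CFScript addressed ControlSet002 by name), tests whether the ParetoLogic folders and the srv1790 and Viewpoint service keys still exist, lists the ACLs on the eleven RegLock keys without modifying them, and performs the same filesystem search as the SystemLook `:filefind srv1790*` step. It assumes an elevated PowerShell prompt after the reboot and resolves the profile folder for the current user instead of the hard-coded C:\Users\Megan path; the registry locations (EnableLUA, HKLM\SYSTEM\Select\Current, the service keys) are standard Windows locations, but whether any of the listed items exist on a given machine is an assumption.

```powershell
# Added example (not from the thread, MajorGeeks, ComboFix or SystemLook).
# Read-only post-reboot check: nothing below deletes or changes anything.
# Run from an elevated PowerShell prompt after the machine has rebooted.

# --- 1. UAC state. EnableLUA is the policy value behind UAC: 1 = on, 0 = off. ---
$policy = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$enableLua = (Get-ItemProperty -Path $policy -Name EnableLUA -ErrorAction SilentlyContinue).EnableLUA
if ($null -eq $enableLua) { 'UAC: EnableLUA value not present (Windows defaults to on)' }
elseif ($enableLua -eq 1) { 'UAC: on (EnableLUA = 1)' }
else                      { 'UAC: OFF (EnableLUA = 0) - re-enable once the cleanup is finished' }

# --- 2. Which control set booted. If this is not 2, edits made to ControlSet002 ---
# --- did not touch the configuration the machine is actually running.           ---
$current = (Get-ItemProperty -Path 'HKLM:\SYSTEM\Select' -Name Current).Current
'Active control set: ControlSet{0:D3}  (the CFScript addressed ControlSet002)' -f $current

# --- 3. Folders listed under Folder:: in the CFScript (profile path resolved per user) ---
$folders = @(
    (Join-Path $env:APPDATA      'ParetoLogic'),   # C:\Users\<user>\AppData\Roaming\ParetoLogic
    (Join-Path $env:ProgramData  'ParetoLogic'),
    (Join-Path $env:ProgramFiles 'ParetoLogic')
)
foreach ($f in $folders) {
    $state = if (Test-Path -LiteralPath $f) { 'STILL PRESENT' } else { 'absent' }
    'Folder  {0,-14} {1}' -f $state, $f
}

# --- 4. Service keys named under Driver:: and Registry:: ---
# Kernel drivers are not listed by Get-Service, so the registry is checked directly,
# in both the active control set and the one the CFScript named.
$serviceNames = @('srv1790', 'Viewpoint Manager Service')
foreach ($set in 'CurrentControlSet', 'ControlSet002') {
    foreach ($svc in $serviceNames) {
        $key = "HKLM:\SYSTEM\$set\Services\$svc"
        $state = if (Test-Path -LiteralPath $key) { 'STILL PRESENT' } else { 'absent' }
        'Service {0,-14} {1}' -f $state, $key
    }
}

# --- 5. ACLs on the keys listed under RegLock:: (reported, never modified) ---
# A key whose ACL cannot even be read, or that carries Deny entries or no
# Administrators FullControl entry, is what ComboFix reports as locked.
$fullControl = [System.Security.AccessControl.RegistryRights]::FullControl
$class = 'HKLM:\SYSTEM\ControlSet002\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}'
foreach ($i in 0..11) {
    $key = '{0}\{1:D4}\AllUserSettings' -f $class, $i
    try {
        $acl = Get-Acl -Path $key -ErrorAction Stop
        $deny = $acl.Access | Where-Object { $_.AccessControlType -eq 'Deny' }
        $adminFull = $acl.Access | Where-Object {
            $_.IdentityReference -like '*\Administrators' -and
            $_.AccessControlType -eq 'Allow' -and
            $_.RegistryRights.HasFlag($fullControl)
        }
        $verdict = if ($deny -or -not $adminFull) { 'RESTRICTED' } else { 'normal' }
        'RegLock {0,-14} {1}  (owner: {2})' -f $verdict, $key, $acl.Owner
        ($acl.Access |
            Format-Table IdentityReference, RegistryRights, AccessControlType, IsInherited -AutoSize |
            Out-String).TrimEnd()
    } catch [System.Management.Automation.ItemNotFoundException] {
        'RegLock {0,-14} {1}' -f 'absent', $key
    } catch {
        'RegLock {0,-14} {1}  ({2})' -f 'UNREADABLE', $key, $_.Exception.Message
    }
}

# --- 6. Same search as the SystemLook ":filefind srv1790*" step ---
Get-ChildItem -Path "$env:SystemDrive\" -Recurse -Force -Filter 'srv1790*' -ErrorAction SilentlyContinue |
    Select-Object FullName, Length, LastWriteTime |
    Format-Table -AutoSize
```

The point of checking `HKLM\SYSTEM\Select\Current` first is that `CurrentControlSet` is only a link to whichever numbered set booted; a script that names `ControlSet002` explicitly does nothing useful if the machine boots from `ControlSet001`. The ACL section deliberately stops at reporting: whether a restricted modem-class key is worth fighting over is the judgement TimW makes later in the thread, and changing registry permissions on a machine that already fails to boot normally is not something to do blind.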
  4. headmeetwall

    headmeetwall Private E-2

    :banghead Argh! No change.

    Ok, soooo I ran the combofix with the scripts as directed, but once again it reboots at the end and it crashed after the welcome screen going into normal mode - so no log - does anything it did even "stick" if it doesn't reboot correctly?

    Other two ran fine....logs attached.
     


  5. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Apparently not. Go ahead and re-run Combo and let's look at a new log. I don't believe you are having malware issues, but I would like to remove those locked reg. keys.
     
  6. headmeetwall

    headmeetwall Private E-2

    grrrr

    Can't. I run it and it goes to reboot at the end now - and since it reboots to normal and I crash every time - I don't get a log.

    Any way to unlock them "manually" through permission editing or something? Although it seems things I do in safe mode don't seem to have staying power on reboot.
     
  7. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    This is a common complaint with Vista and to some extent with Win7. There is no easy fix for those locked keys. Since we are not finding malware in your logs, probably the best procedure would be for you to back up your personal files and data and do a reformat and clean install.
     
  8. headmeetwall

    headmeetwall Private E-2

    awwwww, crap apples - I was really hoping to avoid that....

    sigh....

    whimper...:cry

    :banghead

    thank you for the time you took - it was greatly appreciated!
     
  9. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    You are most welcome. Do let me know how you make out. :)
     
  10. headmeetwall

    headmeetwall Private E-2

    Sitting here impatiently waiting for my torrent d/l of a new install disk since my dog, literally, ate the one I had yesterday....

    un-freakin-believable....
     
  11. headmeetwall

    headmeetwall Private E-2

    yippiee! back up n running - now I have to reinstall all the vaio drivers, programs, docs...clean the crap...etc....but I have my puter back!

    happy dance!
     
  12. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Good to know. Safe surfing. :)
     
