Redirects, then re-spawning malware in system32; logs attached

Discussion in 'Malware Help (A Specialist Will Reply)' started by jmillerdls, Sep 13, 2012.

  1. jmillerdls

    jmillerdls Private E-2

    Initially it was just redirects on Yahoo. I ran Hitman and it found malware, which I had it remove. I thought it was fine, but then the redirects were back. Then Amazon wouldn't let me use it unless I entered very personal information (credit card info, etc.), which I declined to do. I ran Hitman and it found the same malware (different name). I went to where the malware was found, had Hitman remove it, then watched as it instantly came back under a different name. MalwareBytes and TDSSKiller don't find anything, and I'm not really that good with this kind of thing anyway. Followed the site instructions and logs attached.
     

    Attached Files:

  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Major Geeks!

    Uninstall the below very old versions of software:
    Java(TM) 6 Update 24

    Please download OTM by Old Timer and save it to your Desktop.
    • Right-click OTM.exe and select Run as administrator to run it.
    • Copy the lines from the below codebox to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy). Do not include the word Code:, which is just the title line of the code box.
    Code:
    :Processes
    explorer.exe
     
    :Files
    C:\WINDOWS\system32\.crusader
    C:\WINDOWS\system32\c_7265242.nls
    C:\WINDOWS\system32\iDbvGTT.exe
    C:\WINDOWS\Temp\1359282129.tmp
    C:\Recycler\S-1-5-21-1229272821-2077806209-682003330-1004\desktop.ini
    C:\Documents and Settings\Jonathan\Application Data\ndspn.dll
    C:\Documents and Settings\Jonathan\Application Data\nlolal.dll
    C:\Documents and Settings\Jonathan\Local Settings\Application Data\09c6~1
    C:\Documents and Settings\Jonathan\Local Settings\Application Data\{27A6247D-F87F-11E1-8270-B8AC6F996F26}
    C:\Documents and Settings\All Users\Application Data\036DFF61E16391830000EABC7B07D329
    
    :Reg
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    "æTorrent"=-
    "iDbvGTT"=-
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentVersion\Run]
    "nlolal"=-
    
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
    "QuickTime Task"=-
    [HKEY_USERS\S-1-5-21-1229272821-2077806209-682003330-1004\Software\Microsoft\Windows\CurrentVersion\run]
    "æTorrent"=-
    "iDbvGTT"=-
    :Commands
    [purity]
    [EmptyTemp]
    [start explorer]
    [Reboot]
    • Return to OTM, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste.
    • Now click the large http://forums.majorgeeks.com/chaslang/images/MoveIt!.png button.
    • If OTM asks to reboot your computer, allow it to do so. The report should appear in Notepad after the reboot.
    • Close OTM.
    Now navigate to the C:\_OTM\MovedFiles folder (assuming your Windows drive is C). This is where your log will be saved in the form of Date and Time mmddyyyy_hhmmss.log. Just look for the most recent .log file. Attach this log file to your next message.


    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:
    • the C:\_OTM\MovedFiles log
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
  3. jmillerdls

    jmillerdls Private E-2

    Alright, after rebooting, the system seemed a lot more snappy. Usually I have to wait quite a few seconds when the OS seems frozen, and then it will unfreeze and I can start opening programs. There was no wait this time.

    However, there was an error on bootup:
    Error loading C:\Documents and Settings\Jonathan\Application Data\nlolal.dll
    The specified module could not be found.


    There was an error when I ran the program (before the reboot), that I think said that the file in the error I listed above couldn't be moved? Something like that.
     

    Attached Files:
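The boot-time error jmillerdls reports is the usual trace of an autostart entry that still names a file OTM has already moved: the value is processed at logon, the loader cannot find the module, and Windows reports it. As an added illustration (not a MajorGeeks tool and not chaslang's fix), the Python below takes a set of Run values and the files present on disk, works out which module each command line would load, and reports the entries whose target is gone. The sample registry entries, the existing-file list and the rundll32 form of the 'nlolal' command line are constructed for the example; the thread does not show how that value was written.

```python
"""Report autostart entries whose target file is missing from disk.

Added example for this thread, not a MajorGeeks, HitmanPro or OTM tool. It
models the situation in post 3: the DLL has been moved away, but a Run value
still names it, so Windows shows "Error loading ... The specified module could
not be found" at logon. The registry entries and the file list below are
constructed for the example; on a real machine they would come from the Run
keys (winreg) and from os.path.exists, and the command line for the 'nlolal'
value is an assumed rundll32 form, not something the thread shows.
"""
import re

# A drive-letter path ending in .exe or .dll, optionally wrapped in quotes.
PATH_RE = re.compile(r'"?([A-Za-z]:\\[^"\r\n,]*?\.(?:exe|dll))"?', re.IGNORECASE)


def win_basename(path):
    """Last component of a Windows path, independent of the host OS."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1]


def referenced_module(command):
    """Return the file an autostart command line actually loads.

    For a plain executable that is the first path on the line; for rundll32
    it is the DLL passed as argument, since that is the module whose absence
    produces the 'specified module could not be found' message.
    """
    paths = PATH_RE.findall(command)
    if not paths:
        return None
    first_token = command.strip().split(None, 1)[0].strip('"')
    if win_basename(first_token).lower() == "rundll32.exe":
        dlls = [p for p in paths if p.lower().endswith(".dll")]
        return dlls[0] if dlls else None
    return paths[0]


def orphaned_entries(entries, existing_files):
    """Return (key, value_name, target) for every entry whose target is absent.

    entries: {(registry key, value name): command line}
    existing_files: paths present on disk, compared case-insensitively as
    Windows file systems do.
    """
    existing = {p.lower() for p in existing_files}
    orphans = []
    for (key, name), command in entries.items():
        target = referenced_module(command)
        if target is not None and target.lower() not in existing:
            orphans.append((key, name, target))
    return orphans


# Constructed sample: Run values as they might look after OTM moved the files
# listed in post 2 but before the leftover value was removed.
SAMPLE_ENTRIES = {
    (r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run", "nlolal"):
        r'rundll32.exe "C:\Documents and Settings\Jonathan\Application Data\nlolal.dll",Start',
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "ctfmon.exe"):
        r"C:\WINDOWS\system32\ctfmon.exe",
    (r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run", "QuickTime Task"):
        r'"C:\Program Files\QuickTime\qttask.exe" -atboottime',
}
SAMPLE_EXISTING = {
    r"C:\WINDOWS\system32\ctfmon.exe",
    r"C:\Program Files\QuickTime\qttask.exe",
}

if __name__ == "__main__":
    for key, name, target in orphaned_entries(SAMPLE_ENTRIES, SAMPLE_EXISTING):
        print(f"[{key}] {name!r} -> missing file {target}")
```

Run on the sample, the only orphan is the 'nlolal' value, which is the same leftover reference the "Error loading" message points at. A present target does not mean a clean one, as the re-spawning file in this thread shows, so this check only answers the narrower question of which autostart values point at nothing.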

  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Copy the bold text below to Notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.
    Make sure that you tell me if you receive a success message about adding the above
    to the registry. If you do not get a success message, it definitely did not work.

    Reboot your PC. After reboot, look for the below file and delete it:
    C:\WINDOWS\system32\WwYNclh.exe

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).


    Then attach the below logs:
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
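Both of chaslang's fixes lean on the same registry syntax: the :Reg section of the OTM script in post 2 and the fixme.reg requested in post 4 (whose text did not survive on this page) delete values with regedit's `"Name"=-` form under a `[HKEY_...]` key line. The Python below is an added example, not OTM, not MGtools and not anything posted in the thread: it parses the post 2 script into its :Processes, :Files, :Reg and :Commands sections and renders the :Reg part as a standalone .reg file, which is a convenient way to see exactly what a cleanup script will touch before running it. The section names and the '=-' meaning are taken from the script as posted; the parser and the dataclass are this example's own.

```python
"""Parse an OTM cleanup script into sections and render :Reg as a .reg file.

Added example for this thread; not OTM, not MGtools, not chaslang's fix. It
assumes the four section headers used in post 2 and that :Reg follows regedit
syntax: '[HKEY_...]' names a key, '"Name"=-' deletes that value from it.
"""
import re
from dataclasses import dataclass, field

# Input: the OTM script from chaslang's post above.
OTM_SCRIPT = r""":Processes
explorer.exe

:Files
C:\WINDOWS\system32\.crusader
C:\WINDOWS\system32\c_7265242.nls
C:\WINDOWS\system32\iDbvGTT.exe
C:\WINDOWS\Temp\1359282129.tmp
C:\Recycler\S-1-5-21-1229272821-2077806209-682003330-1004\desktop.ini
C:\Documents and Settings\Jonathan\Application Data\ndspn.dll
C:\Documents and Settings\Jonathan\Application Data\nlolal.dll
C:\Documents and Settings\Jonathan\Local Settings\Application Data\09c6~1
C:\Documents and Settings\Jonathan\Local Settings\Application Data\{27A6247D-F87F-11E1-8270-B8AC6F996F26}
C:\Documents and Settings\All Users\Application Data\036DFF61E16391830000EABC7B07D329

:Reg
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"æTorrent"=-
"iDbvGTT"=-
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentVersion\Run]
"nlolal"=-

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"QuickTime Task"=-
[HKEY_USERS\S-1-5-21-1229272821-2077806209-682003330-1004\Software\Microsoft\Windows\CurrentVersion\run]
"æTorrent"=-
"iDbvGTT"=-
:Commands
[purity]
[EmptyTemp]
[start explorer]
[Reboot]
"""

SECTION_RE = re.compile(r"^:(Processes|Files|Reg|Commands)$", re.IGNORECASE)
BRACKET_RE = re.compile(r"^\[(.+)\]$")
DELETE_VALUE_RE = re.compile(r'^"(.*)"=-$')


@dataclass
class OtmScript:
    processes: list = field(default_factory=list)  # processes OTM ends first
    files: list = field(default_factory=list)      # paths moved to C:\_OTM\MovedFiles
    reg: dict = field(default_factory=dict)        # key path -> value names to delete
    commands: list = field(default_factory=list)   # [purity], [EmptyTemp], ...


def parse_otm(text):
    """Split an OTM script into its sections; raise on lines it cannot place."""
    script = OtmScript()
    section = None
    current_key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        header = SECTION_RE.match(line)
        if header:
            section = header.group(1).lower()
            current_key = None
            continue
        if section == "processes":
            script.processes.append(line)
        elif section == "files":
            script.files.append(line)
        elif section == "reg":
            key = BRACKET_RE.match(line)
            if key:
                current_key = key.group(1)
                script.reg.setdefault(current_key, [])
                continue
            value = DELETE_VALUE_RE.match(line)
            if value is None or current_key is None:
                raise ValueError(f"unsupported :Reg line: {line!r}")
            script.reg[current_key].append(value.group(1))
        elif section == "commands":
            command = BRACKET_RE.match(line)
            if command is None:
                raise ValueError(f"unsupported :Commands line: {line!r}")
            script.commands.append(command.group(1))
        else:
            raise ValueError(f"line outside any section: {line!r}")
    return script


def to_reg_file(script):
    """Render the :Reg section as a .reg file regedit will merge.

    regedit expects the version header, a blank line and CRLF line endings;
    '"Name"=-' under a key deletes that value, as the OTM script asks for.
    """
    lines = ["Windows Registry Editor Version 5.00", ""]
    for key, names in script.reg.items():
        lines.append(f"[{key}]")
        lines.extend(f'"{name}"=-' for name in names)
        lines.append("")
    return "\r\n".join(lines)


if __name__ == "__main__":
    parsed = parse_otm(OTM_SCRIPT)
    print(f"{len(parsed.files)} files to move, "
          f"{sum(len(v) for v in parsed.reg.values())} registry values to delete")
    print(to_reg_file(parsed))
```

On the post 2 script this yields one process to end, ten files to move, six Run values to delete across four keys, and the four OTM commands. The rendered .reg output is the same deletion the :Reg section performs, in the form a user would save as a .reg file and merge by double-clicking, which is the step post 4 describes.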
