RootKits galore

Hello,

Unknown scripts running slowing down computer. I say to stop the script, but in a few minutes I get the same message again.

Browsers freezing

Having a hard time shutting down.

Last night I ran malwarebytes and it found and deleted:
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe (Security.Hik) -> Quarantined and deleted successfully.


today avg said I had 3 copies of trojan horse Generic19.RPZ It was only able to quarentine one of the three.

Then I noticed that that my browser has been Hijacked by Yahoo.

So I started the read and run instructions

ran SAS

ran MB

then uninstalled avg 2011

- a good thing. Also found rements of avg 9 and avg 10 too.

combo fix stalls after backing up the registry. tried 4 time , last time waited about an hour.

rootrepeal ran finding lots off stuff untill it got to c:\Windows\winsxs\Manifests then it closed without finishing after a hour.

I ran it again until it stalled. This time I took pictures (3) to show all the bad files before it closed, also at about an hour.

Ran MGtools.

last rr file and MGlog on next message

Thanks for checking this out.

Pete22

 

The rest of the files.

Hope I've given you enough to work with.


Pete22

 

Hello Tim,

Downloaded Avg remover and ran it. and

Also downloaded AVG Identity Protection Remover and ran it.

Ran C:\MGtools\analyse.exe


O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
done

O3 - Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
Not there

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
done

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
done

O20 - Winlogon Notify: !SASWinLogon - Invalid registry found
done


ran Regedit
It was successful.

installed comodo antivirus instead of avg. It ran its first scan.

It gave me these results.

UnclassifiedMalware@24748696 C:\Users\Margery\Documents\Margery's stuff\desktop\ComboFix.exe
Joke.Stressreducer@6032153 C:\Users\Margery\Documents\Margery's stuff\My Documents\My Downloads\Stress reliver game\stress reducers.exe
Joke.Stressreducer@6032153 C:\Users\Margery\Documents\Margery's stuff\My Documents\My Downloads\Stress reliver game\weapon_closet.zip|stress reducers.exe
Heur.Suspicious@22281151 C:\Users\Margery\Documents\Margery's stuff\My Documents\repair programs\Diagnose and repair\BZ\Malware\ComboFix.exe
Heur.Suspicious@23829438 C:\Users\Margery\Documents\Margery's stuff\My Documents\repair programs\programs for getting rid of malware\ComboFix.exe
Heur.Suspicious@22281151 C:\Users\Margery\Documents\Margery's stuff\My Documents\Utilities\Diagnose and repair\BZ\Malware\ComboFix.exe
Win32.PSWTool.NetPass.~BAAD@2910135 C:\Users\Margery\Documents\Margery's stuff\My Documents\Utilities\Password retrieval\iepv\iepv.zip|iepv.exe
ApplicUnsaf.Win32.PSWTool.PassView.A@48021562 C:\Users\Margery\Documents\Margery's stuff\My Documents\Utilities\Password retrieval\protected storage passwords\pspv.zip|pspv.exe
Heur.Corrupt.PE@-1 C:\Users\Marie\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\U55E2V0N\avg_remover_stf_x86_2011_1165[1].exe
Joke.Stressreducer@6032153 C:\Users\Marie\Documents\My Downloads\Stress reliver game\stress reducers.exe
Joke.Stressreducer@6032153 C:\Users\Marie\Documents\My Downloads\Stress reliver game\weapon_closet.zip|stress reducers.exe
Heur.Suspicious@23354895 C:\Users\Marie\Documents\stuff from desktop\EasyLink_Connect.exe
Win32.PSWTool.NetPass.~BAAD@2910135 C:\Users\Marie\Documents\Utilities\Password retrieval\iepv\iepv.zip|iepv.exe
ApplicUnsaf.Win32.PSWTool.PassView.A@48021562 C:\Users\Marie\Documents\Utilities\Password retrieval\protected storage passwords\pspv.zip|pspv.exe

I think some of these are false positives. I have not told comodo what to do with them yet.

Computer acting better. Browser is no longer hijacked. So far I have not had a slow script notice, nor crashes. Have not worked on it long though.


What else would you like me to do?


Thanks for your time,

Pete22

 

Hello Tim,


This morning I thought the computer was freezing several times. Later I heard the sound of device delete or add. So I wonder if the drivers are being messed with. The freezing could be true or it could be the mouse driver stopping or both.

Comodo anti virus did several alerts this morning and I deleted those files.


Still seems to shut down slowly.




Thanks for checking my files,


Pete22


Edit: yes it is also freezing without the device sound.

 

Hello Tim,

Glad to hear My logs are clean.

I ran ccleaner and then cleaned out
C:\Users\Marie\AppData\Local\Temp\
C:\Users\Margery\AppData\Local\Temp\


I ran the TDSSKiller.exe and it did not find anything.


I did let that MGgetlog program run completely and got the message that it was done and to press any key to close the window or something like that. However, it took about 5 minutes after I started it before it did anything. I thought that was strange.


I decided to run the MGgetlogs again just to see if it would do a complete scan. This time it started much quicker. It ran most of the way, but before it was done, suddenly the window closed without warning or message. Any ideas?


Pete22

 

I deleted the old MGtools.

I downloaded the new file to my desktop because I could not download it to c:\ am using Vista.

I had trouble running it and had to download it 3 times before it would run. I have included the logs. Did it run the complete program?

Thanks for checking,

Pete22.

 

Hello Tim,

Glad the program completely ran.

Please check the instructions you sent me. For some reason they are mangled.

I'll wait for your new and improved instructions.


Pete22

 

Hi Tim,

Never mind, I figured it out.

I did as you suggested. I was sucessful with the fixme.

I removed the file
C:\Users\Marie\AppData\Roaming\AVG10
also
C:\Users\Margery\AppData\Roaming\AVG10

Also any files other files that I could find relating to avg.

Bought a new mouse... that helped the driver issues.

Still having issues with browsers refusing to close.


Pete22.

 

Tim,



Thanks for fixing your info. It really was crazy.


My browser is hijacked again with the Yahoo search. Also get the message about the the slow script again too.

Pete22

 

Hello Tim,

I forgot to mention ads that used to be blocked by my browser are no longer blocked.


To run MGtools, I turned off uac and rebooted. When it restarted, windows explorer crashed. It also said that the shell could not be started or something like that. Not sure if it related.


Thank you again for your help.


Pete22

 

Hello Tim,

I ran tdss, it did not find anything.

I ran eset scan and it found some stuff.

When I finished, comodo antivirus started a scheduled scan and it found some stuff too. So I added the text file.


It does not appear that anything is hijacked at the moment. However, I have not had much time to check it out. I will keep testing it while I am wait for your reply.


Pete22