Still having problems after malware removal

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by tbag, Sep 18, 2011.

  1. tbag

    tbag Private E-2

    I have been having problems with runtime errors and cursor freezing for a very long time and didn't think much of it and then seemed to come up with a variety of problems all at once. The only different things that happened around that time was that I was downloading music from MP3 Extreme. I did have a pop-up from Microsoft Windows saying that there was something wrong with my computer and I may have hit a wrong button in that while trying to get rid of it, knowing that was probably not legit. I remember that I couldn't get the screen to go away. It froze and I had to reboot and then it got really bad with the BSOD, hijacked browser, saying that my computer was completely empty, not being able to search, very slow to do anything, Shaw F-Secure disabled, not letting me download and run other virus programs, etc. I am a computer idiot by the way and so far have appreciated your wonderful instructions that even I could follow. My Shaw F-Secure caught and quarantined something and then I ran Emsisoft a few times and it caught things too. This was a while ago now but I tried to write it down before I deleted them. I am having a hard time reading my own writing, sorry. This included:

    Exploit.Java.CVE-2010-0840!IK in C:\Documents and Settings\Teresa\Application Data\SunJava\Deployment\cache\6.0\32\789287204e651007

    Value:HKEY_LOCAL_MACHINE\SOFTWARE\classes\CLSID\{1339B54C-3453-11D2-93B9-0000000000000}\Inprocserver32--Threading Model

    Value:HKEY_CLASSES_ROOT\CLSID\{1339B54C-3453-11D2-93B9-000000000000}\Inprocserver32--Threading Model

    I have followed all of your instructions on malware removal. It did not seem to want to delete browsing history but then sometimes I thought it did. After completing all of the instructions, I find that it is still very slow, cursor freezing, desktop shortcuts are back but muted (can't click them all... just ones I have used since this has all started), when starting it says that DF-secure DLL has encountered an error and needs to close. That's mostly what I have noticed. It has taken me a long time to get through the procedures as I can only get on the computer for brief periods of time every day. I have attached my logs as per your request. Please advise, thank you.
     

    Attached Files:

  2. tbag

    tbag Private E-2

    continued

    And the rest of my logs. I can't seem to find a couple now but will look harder. Sorry
     
  3. tbag

    tbag Private E-2

    Re: continued

    And I cannot even seem to attach the logs I do have. lol. I'll try again
     

    Attached Files:

  4. tbag

    tbag Private E-2

    Re: continued

    And here I try again after re-reading...so, so so sorry.
     

    Attached Files:

  5. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    TDSSKiller reported finding a rootkit and dealing with it. Can you run this please?

    Please also download MBRCheck to your desktop
    • Double click MBRCheck.exe to run (vista and Win 7 right click and select Run as Administrator)
    • It will show a Black screen with some information that will contain either the below line if no problem is found:
      • Done! Press ENTER to exit...
    • Or you will see more information like below if a problem is found:
      • Found non-standard or infected MBR.
      • Enter 'Y' and hit ENTER for more options, or 'N' to exit:
    • Either way, just choose to exit the program at this point since we want to see only the scan results to begin with.
    • MBRCheck will create a log named similar to MBRCheck_07.16.10_00.32.33.txt which is random based on date and time.
    • Attach this log to your next message. (See: HOW TO: Attach Items To Your Post )
     
  6. tbag

    tbag Private E-2

    Thanks for your prompt response. I think you wanted me to run tdsskiller again and I have and attached the log as well as MBR. Seems okay.
     

    Attached Files:

  7. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Now we need to use ComboFix by sUBs

    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    • If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
    • Open Notepad and copy/paste the text in the below quote box. Ensure you scroll down to select ALL the lines:
    Code:
    KILLALL::
    
    Driver::
    iupvsw
    File::
    C:\Documents and Settings\All Users\Application Data\P1kAlMiG2Kb7Fz
    c:\windows\system32\drivers\yjithsu.sys
    C:\Documents and Settings\All Users\Application Data\~P1kAlMiG2Kb7Fz
    C:\Documents and Settings\All Users\Application Data\~P1kAlMiG2Kb7Fzr
    
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe

      http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below

    Note:

    Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

    If after running ComboFix you discover none of your programs will open up, and you receive the following error: "Illegal operation attempted on a registry key that has been marked for deletion", then the answer is to REBOOT the machine, and all will be corrected.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. (Right click and run as admin if using Vista or Windows7) Then attach the new C:\MGlogs.zip file that will be created by running this.

    Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now!
     
  8. tbag

    tbag Private E-2

    Done and done. I had another Microsoft Windows security come up and tell me that my antivirus is out of date but just closed it. I did not disable any virus programs as I assumed that you did not mean all these free internet ones that I have downloaded as per earlier instructions so I hope that is okay. I had trouble finding my Notepad as the start menu still says that I have no accessories or anything except those things I HAVE put on since trying to fix the computer. I eventually found it under the Windows folder although they were all hidden. I have run both programs and attached files. My computer froze while running MGtools at the preparing for standby screen so I had to turn it off and run it again. Thanks once again.
     

    Attached Files:

  9. tbag

    tbag Private E-2

    It is telling me that I can't attach combofix.txt as it is already in this thread and when I look at it, it doesn't have an updated date. Should I run it again as per your instructions?
     
  10. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Download and run OTM.

    Download OTM by Old Timer and save it to your Desktop.

    Code:
    :services
    iupvsw
    
    :files
    C:\Documents and Settings\All Users\Application Data\P1kAlMiG2Kb7Fz
    c:\windows\system32\drivers\yjithsu.sys
    C:\Documents and Settings\All Users\Application Data\~P1kAlMiG2Kb7Fz
    C:\Documents and Settings\All Users\Application Data\~P1kAlMiG2Kb7Fzr
    
    :Commands
    [emptytemp]
    [Reboot]
    • Return to OTM, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste.
    • Push the large http://farm3.static.flickr.com/2782/4174320048_f01c448b32_o.png button.
    • OTM may ask to reboot the machine. Please do so if asked.
    • Copy everything in the Results window (under the green bar), and paste it into notepad, save it as something appropriate and attach it into your next reply.

    NOTE: If you are unable to copy/paste from this window (as will be the case if the machine was rebooted), open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTM\MovedFiles folder, and open the newest .log file present, and attach the contents of that document back here in your next post.


    Please download GMER and save it to your desktop:

    • Unzip (extract) it to your desktop.
    • Disconnect from Internet and close all running programs.
    • There is a small chance this application may crash your computer so save any work you have open.
    • Double-click gmer.exe to run it.
    • Let the gmer.sys driver load if asked.
    • If it gives you a warning at program start about rootkit activity and asks if you want to run a scan... click NO.
    • Click the Rootkit tab.
    • Make sure all the boxes on the right of the screen are checked, EXCEPT for "Show All".
    • Then click the Scan button. Wait for the scan to finish.
    • Once done, click the Copy button.
    • This will copy the results to the clipboard. Open Notepad and press CTRL + V to paste the log, and save it to your desktop. Attach this log to your next reply.

    NOTE: If you're having problems with running gmer.exe, try it in Safe Mode. This tool works in Safe Mode whereas many other rootkit revealers do not.


    Download OTL to your desktop.

    • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
    • Vista and Windows 7 users Right-click OTL and choose Run as Administrator)
    • When the window appears, underneath Output at the top change it to Minimal Output.
    • Check the boxes beside LOP Check and Purity Check.
    • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.

    When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.

    Attach both of these logs into your next reply.


    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. (Right click and run as admin if using Vista or Windows7) Then attach the new C:\MGlogs.zip file that will be created by running this.

    Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now!
     
  11. tbag

    tbag Private E-2

    Can't find Notepad so I am pasting what results OTM had on screen before I lose them... here it is
    All processes killed
    ========== SERVICES/DRIVERS ==========
    Service iupvsw stopped successfully!
    Service iupvsw deleted successfully!
    ========== FILES ==========
    C:\Documents and Settings\All Users\Application Data\P1kAlMiG2Kb7Fz moved successfully.
    File/Folder c:\windows\system32\drivers\yjithsu.sys not found.
    C:\Documents and Settings\All Users\Application Data\~P1kAlMiG2Kb7Fz moved successfully.
    C:\Documents and Settings\All Users\Application Data\~P1kAlMiG2Kb7Fzr moved successfully.
    ========== COMMANDS ==========

    [EMPTYTEMP]

    User: Administrator
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: All Users

    User: Default User
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 32902 bytes
    ->Flash cache emptied: 41620 bytes

    User: LocalService
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 32902 bytes

    User: Murray
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 78991 bytes

    User: NetworkService
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 33170 bytes
    ->Flash cache emptied: 725 bytes

    User: Teresa
    ->Temp folder emptied: 1251603 bytes
    ->Temporary Internet Files folder emptied: 204739253 bytes
    ->Java cache emptied: 262 bytes
    ->FireFox cache emptied: 4503555 bytes
    ->Google Chrome cache emptied: 6796875 bytes
    ->Flash cache emptied: 291970 bytes

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 2142714 bytes
    %systemroot%\System32 .tmp files removed: 2577 bytes
    %systemroot%\System32\dllcache .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 57344 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 44045 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 34318 bytes
    RecycleBin emptied: 0 bytes

    Total Files Cleaned = 210.00 mb

    ========== FILES ==========
    File/Folder C:\Documents and Settings\All Users\Application Data\P1kAlMiG2Kb7Fz not found.
    File/Folder c:\windows\system32\drivers\yjithsu.sys not found.
    File/Folder C:\Documents and Settings\All Users\Application Data\~P1kAlMiG2Kb7Fz not found.
    File/Folder C:\Documents and Settings\All Users\Application Data\~P1kAlMiG2Kb7Fzr not found.
    ========== COMMANDS ==========

    [EMPTYTEMP]

    User: Administrator
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: All Users

    User: Default User
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes
    ->Flash cache emptied: 0 bytes

    User: LocalService
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 32768 bytes

    User: Murray
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: NetworkService
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes
    ->Flash cache emptied: 0 bytes

    User: Teresa
    ->Temp folder emptied: 468405 bytes
    ->Temporary Internet Files folder emptied: 5509126 bytes
    ->Java cache emptied: 0 bytes
    ->FireFox cache emptied: 0 bytes
    ->Google Chrome cache emptied: 0 bytes
    ->Flash cache emptied: 0 bytes

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 0 bytes
    %systemroot%\System32 .tmp files removed: 0 bytes
    %systemroot%\System32\dllcache .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 0 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
    RecycleBin emptied: 0 bytes

    Total Files Cleaned = 6.00 mb


    OTM by OldTimer - Version 3.1.18.0 log created on 09212011_004152

    Files moved on Reboot...
    C:\Documents and Settings\Teresa\Local Settings\Temp\AdobeARM.log moved successfully.
    File C:\Documents and Settings\Teresa\Local Settings\Temp\~DF9F7D.tmp not found!
    File C:\Documents and Settings\Teresa\Local Settings\Temp\~DFA6A2.tmp not found!
    C:\Documents and Settings\Teresa\Local Settings\Temporary Internet Files\Content.IE5\S49G3B0F\adsCAGYYUG0.htm moved successfully.
    C:\Documents and Settings\Teresa\Local Settings\Temporary Internet Files\Content.IE5\ORF6EVJ2\like[1].htm moved successfully.
    C:\Documents and Settings\Teresa\Local Settings\Temporary Internet Files\Content.IE5\E613GLE2\showthread[4].htm moved successfully.

    Registry entries deleted on Reboot...
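    A helper reviewing this thread has two artefacts: the OTM fix script posted above (the `:services` / `:files` / `:Commands` format) and the OTM result log pasted here, which contains two appended runs. The Python below is an added example, not a MajorGeeks or OTM tool, that parses both and reconciles them: for every item the script asked OTM to remove, it reports whether any run moved or deleted it, whether every run reported it missing, or whether the log never mentions it. The embedded script and log are excerpts taken from the posts in this thread (the log trimmed to the relevant lines); the function names and the outcome categories `removed` / `not_found` / `no_result` are this example's own.

```python
"""Reconcile an OTM fix script against the OTM result log it produced."""
import re
from collections import defaultdict

# OTM fix script as posted by the helper in this thread.
OTM_SCRIPT = r"""
:services
iupvsw

:files
C:\Documents and Settings\All Users\Application Data\P1kAlMiG2Kb7Fz
c:\windows\system32\drivers\yjithsu.sys
C:\Documents and Settings\All Users\Application Data\~P1kAlMiG2Kb7Fz
C:\Documents and Settings\All Users\Application Data\~P1kAlMiG2Kb7Fzr

:Commands
[emptytemp]
[Reboot]
"""

# Trimmed excerpt of the OTM result log pasted in this thread (two runs appended).
OTM_LOG = r"""
All processes killed
========== SERVICES/DRIVERS ==========
Service iupvsw stopped successfully!
Service iupvsw deleted successfully!
========== FILES ==========
C:\Documents and Settings\All Users\Application Data\P1kAlMiG2Kb7Fz moved successfully.
File/Folder c:\windows\system32\drivers\yjithsu.sys not found.
C:\Documents and Settings\All Users\Application Data\~P1kAlMiG2Kb7Fz moved successfully.
C:\Documents and Settings\All Users\Application Data\~P1kAlMiG2Kb7Fzr moved successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: Teresa
->Temp folder emptied: 1251603 bytes
->Temporary Internet Files folder emptied: 204739253 bytes

========== FILES ==========
File/Folder C:\Documents and Settings\All Users\Application Data\P1kAlMiG2Kb7Fz not found.
File/Folder c:\windows\system32\drivers\yjithsu.sys not found.
File/Folder C:\Documents and Settings\All Users\Application Data\~P1kAlMiG2Kb7Fz not found.
File/Folder C:\Documents and Settings\All Users\Application Data\~P1kAlMiG2Kb7Fzr not found.
========== COMMANDS ==========

[EMPTYTEMP]

User: Teresa
->Temp folder emptied: 468405 bytes
->Temporary Internet Files folder emptied: 5509126 bytes

Files moved on Reboot...
C:\Documents and Settings\Teresa\Local Settings\Temp\AdobeARM.log moved successfully.
File C:\Documents and Settings\Teresa\Local Settings\Temp\~DF9F7D.tmp not found!
"""

SERVICE_RE = re.compile(r"^Service (\S+) (stopped|deleted) successfully!$")
MOVED_RE = re.compile(r"^(?:File/Folder )?(.+?) moved successfully\.$")
NOT_FOUND_RE = re.compile(r"^(?:File/Folder |File )?(.+?) not found[.!]$")
EMPTIED_RE = re.compile(r"^->.+ emptied: (\d+) bytes$")


def parse_otm_script(text):
    """Return {section: [entries]} from an OTM ':section' script (section names lower-cased)."""
    sections = defaultdict(list)
    current = None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith(":"):
            current = line[1:].lower()
            sections[current]  # register the section even if it stays empty
        elif current is not None:
            sections[current].append(line)
    return dict(sections)


def parse_otm_log(text):
    """Collect per-item outcomes (keys lower-cased, so path case does not matter) and bytes emptied."""
    services = defaultdict(set)   # service name -> {"stopped", "deleted"}
    files = defaultdict(list)     # path -> outcomes in log order, across all runs
    emptied = 0
    for line in text.splitlines():
        line = line.strip()
        if m := SERVICE_RE.match(line):
            services[m.group(1).lower()].add(m.group(2))
        elif m := MOVED_RE.match(line):
            files[m.group(1).lower()].append("moved")
        elif m := NOT_FOUND_RE.match(line):
            files[m.group(1).lower()].append("not_found")
        elif m := EMPTIED_RE.match(line):
            emptied += int(m.group(1))
    return {"services": dict(services), "files": dict(files), "emptied_bytes": emptied}


def reconcile(script, log):
    """Classify each requested item: removed (moved/deleted in some run),
    not_found (mentioned, but only ever as missing) or no_result (never mentioned)."""
    out = {"removed": [], "not_found": [], "no_result": []}
    for svc in script.get("services", []):
        states = log["services"].get(svc.lower(), set())
        out["removed" if "deleted" in states else "no_result"].append(svc)
    for path in script.get("files", []):
        outcomes = log["files"].get(path.lower(), [])
        if "moved" in outcomes:
            out["removed"].append(path)
        elif outcomes:
            out["not_found"].append(path)
        else:
            out["no_result"].append(path)
    return out


if __name__ == "__main__":
    result = reconcile(parse_otm_script(OTM_SCRIPT), parse_otm_log(OTM_LOG))
    for category, items in result.items():
        print(f"{category}: {items}")
```

    Run against the excerpt, the only item landing in `not_found` is the driver file c:\windows\system32\drivers\yjithsu.sys: its service was stopped and deleted, but the file itself was reported missing in both runs, which is exactly the sort of discrepancy a helper wants surfaced rather than buried in 100 lines of output (here it is consistent with the file having already been removed by an earlier tool). The second run reporting everything as "not found" is expected, since the first run had already moved those items.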
     
  12. tbag

    tbag Private E-2

    Instructions great as per usual but not all working for me. Ran the OTM and then went to save but all of my unhighlighted items on desktop disappeared (ones that I haven't used since trying to debug this computer) and I could no longer find my Notepad... even in the Windows folder. So I had to send the log by pasting it in the message below. Then I tried to run GMER and it wouldn't let me, so I tried it in safe mode and it would just turn my screen black and do nothing more, so I gave up on that. Ran OTL and MGTools GetLogs just fine and all are attached. Computer is definitely picking up on speed but still missing things on my computer.
     

    Attached Files:

  13. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Just run this and then I'll check the other logs also.

    Please download and save the below to your Desktop or anywhere else you can find it ( if the Desktop is not showing )

    http://download.bleepingcomputer.com/grinler/unhide.exe

    Now run it. Did that help with things at all, such as Notepad not being there etc.?
     
  14. tbag

    tbag Private E-2

    Hi! I CANNOT download the last bleepingcomputer thing. It says that ie is blocking it. I say allow it anyways and then it just goes to blank page. I do however now have my desktop items, photos, notepad etc back but still all unhighlighted. I can get them though.
     
  15. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Try using a different browser please so we can get that run properly. :)
     
  16. tbag

    tbag Private E-2

  17. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources ( except a little disk space ) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required (if we renamed it, please rename it back to Combofix.exe).
      • "%userprofile%\Desktop\combofix" /uninstall
        • Notes: The space between the combofix" and the /uninstall, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
    3. Go back to step 6 of the READ ME and re-enable your Disk Emulation software with Defogger if you had disabled it.
    4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. If running Vista, it is time to make sure you have re-enabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    7. Go to add/remove programs and uninstall HijackThis.
    8. Go to the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    9. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures pointed to by step 7 of the READ ME
        for your Window version and see the instructions to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    10. After doing the above, you should work through the below link:
     
  18. tbag

    tbag Private E-2

    Before I do this... do I need to worry about the external hard drive that I backed up all my pictures and documents onto after I got the virus? It has not been plugged into the computer since I started cleaning it. Also, do I have to worry about the music I downloaded and want to download more from mp3extreme? Would I have been infected from this? It was similar timing to the infection.
     
  19. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Plug it in and run a full system scan with Malware Bytes and SUPERantispyware and ensure you include in the options for it to scan the external.
    I personally would not trust it.
     
  20. tbag

    tbag Private E-2

    They both said all clear so I am going to go ahead and start the ending procedures that you have given me. Do I have to delete what is in the quarantine on SAS or Malwarebytes?
     
  21. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Yes, you can empty quarantine if you like.
     
  22. tbag

    tbag Private E-2

    I am not blonde but as I said before, I am a computer idiot. I followed the instructions to the best of my ability but not sure if I deleted everything properly in Step 4 you gave me in final steps. For the most part I just right clicked on the icon on my desktop and hit delete. I did not have anything in the add/remove section except Malwarebytes and SAS so didn't know how to get the others off such as Defogger, OTL, OTM, GMER, RootRepeal etc. I have not retoggled the system yet until I make sure I did this properly. Sorry. Also I see some things on my desktop that are suspicious to me that I have never seen before such as an uninstall program and a bootsafe program by SUPERAdBlocker... dated last May. Any recommendations on that? I have no idea where they came from
     
  23. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    You can just delete them as you see them. For OTL:
    • Please double-click OTL.exe to run it.
    • Click on the CleanUp! button at upper right corner. When you do this a text file named cleanup.txt will be downloaded from the internet. If you get a warning from your firewall or other security programs regarding OTL attempting to contact the internet you should allow it to do so. After the list has been downloaded you'll be asked if you want to Begin cleanup process? Select Yes.
    • This step removes the files, folders, and shortcuts created by the tools I had you download and run.
    Right click the file and check the properties. That should give you some clues.
    I think it could be part of SUPERantispyware, but I think you ought to uninstall this, (SUPERantispyware) reboot and reinstall properly, as there are files pertaining to it scattered all over the desktop and they should not be.
     
