System Infested - Help Please

Discussion in 'Malware Help (A Specialist Will Reply)' started by Fishead2k, Oct 6, 2008.

  1. Fishead2k

    Fishead2k Private E-2

    Hello-

    Been a long time since I've been here, huge thanks again for help before.
    You guys ROCK!
    Helping a friend rid his system of virus(es) (I hope).

    His system is pretty well stuffed... usual impaired functions, sealed off from admin privileges, Sys-Restore is a blank window, search disabled.

    I am on my (uninfected) laptop and have read and downloaded all the tools etc. and will attempt to burn the tools to CD and run them on the infected system.
    Any recommendations/thread referrals you can advise to start with (reg edits etc.) that I can do (prior) to restore some control/access with this system, beyond what is spelled out in the "READ & RUN ME FIRST. Malware Removal Guide" thread?
    As is usually the case, getting the first few inches back... finding WHAT has gotten in, is always the tough/time-consuming part.

    I am thankful and happy to say I've had no problems for a year! ...knock wood... lessons learned.

    Any prelim advice to help get me toward something to show you is much appreciated, Thanks!!
    ><((((*<
     
  2. DavidGP

    DavidGP MajorGeeks Forum Administrator - Grand Pooh-Bah Staff Member

    Hi

    Not really. If the PC can boot into normal or safe mode then you should be able to run most if not all of the applications in the guide, as our malware guys would need some logs to know what's infecting you; without these it's a random guess as to what's infected the PC. A blind random reg edit is asking for trouble, as what would you delete? Again, we would need to know the infection before editing or running registry scripts.

    I would start with the clean-up steps of the guide, then run one scan at a time. If you hit any snags then write down why the app in question wouldn't work and any error messages, then continue with the next scan.

    As you rightly say it's a time-consuming process but a worthy one; plus at the end you will have to assist your friend with the security steps you are using, as they seem to be working well.
     
  3. Fishead2k

    Fishead2k Private E-2

    hello,
    I'm back.
    Cleaned house, ran the scans, here are the MGlogs.
    Spybot and MalwareBytes found a ton of crap.

    Thanks for having a look and advice how to proceed...
    You guys rock!

    Fishead
     

    Attached Files:

  4. Fishead2k

    Fishead2k Private E-2

    Sorry guys, don't mean to bump here, but it seems we've slid off the charts...

    The system has remained untouched since the last scan (attached).

    A few more bits of info on what Spybot S&D found/cleaned:
    MoveLand (16) trojans
    AdawareAlert (3) ent. MALc
    AntiSpyWare2007 (10) ent. MALc
    AntiSpyWareMaster (3) ent. MALc
    CoolWWWSearch (1) hijacker
    DittoSideBar (6) ent. MALc
    Ferret (2) hijackers
    MicrosoftSecurityCenterAntivirusOverride (1) sec.
    SearchPixelBar (1) ent.
    Smitfraud C (1) ent.

    At first I was unable to run (in order) SUPERAntiSpyware and Spybot S&D at all, because whatever was infecting the system was killing off some program start-ups.
    So I moved on to Malwarebytes.
    Once I ran this and it cleaned out a bunch of junk, I was able to return and run the first 2 programs, and Spybot found and cleaned what is seen in the list above. Then I ran MGTools to generate the reports.

    Standing by for your advice to proceed....

    Thanks very much in advance for any help!!!!

    Fishead2k
     
  5. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Could you now please attach also the logs generated from:

    • MalwareBytes
    • Superantispyware
    • combofix

    Thanks

    Don't Bump! It Only Hurts You!!!
     
    Last edited by a moderator: Oct 10, 2008
  6. Fishead2k

    Fishead2k Private E-2

    Kestrel13!

    Thanks very much for picking this up!

    Having difficulty locating the Spybot log, and I see I may have failed to run SUPERAntiSpyware, so I am running a fresh pass of scans and will post them along with a fresh MGTools log.
    Sorry, one step forward, two steps back... will post as soon as I get done.

    Again many thanks!

    Fishead2k
     
  7. Fishead2k

    Fishead2k Private E-2

    Requested logs... fresh/new MGTools log to follow...
     

    Attached Files:

  8. Fishead2k

    Fishead2k Private E-2

    MGTools log

    Awaiting your review and recommendations...
    Many thanks!

    Fishead2k
     

    Attached Files:

  9. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Hi


    According to your logs, the Norton AntiVirus program is showing signs of potential problems. Is it working properly for you?
    Run this Disable/Remove Windows Messenger tool to remove Windows Messenger. Do not confuse Windows Messenger with MSN Messenger, because they are not the same. Windows Messenger is a frequent cause of popups.

    Uninstall the below software:
    J2SE Runtime Environment 5.0 Update 3
    Viewpoint Media Player <-- should have been uninstalled in step 1 of the READ ME

    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
    O3 - Toolbar: (no name) - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O18 - Protocol: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - mscoree.dll (file missing)

    After clicking Fix, exit HJT.


    Now we need to use ComboFix to remove a bunch of malware files.
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Open Notepad and copy/paste the text in the below quote box into it:
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below
    Note:

    Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

    Now download and run the current version of MGtools.exe


    Now run Ccleaner!

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:
    • C:\ComboFix.txt
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
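    The HijackThis lines the helper singled out above share two shapes worth recognizing on sight: COM objects (O2 BHOs, O3 toolbars, O18 protocol handlers) whose backing file is gone, marked "(no file)" or "(file missing)", and O4 Run-key autostarts whose executable does exist and are being trimmed for other reasons. The script below is an added example, not part of the forum thread and not code from HijackThis or MGtools; it parses those HJT line shapes and flags the orphaned entries separately from the live autostarts. The sample log is constructed from the six lines quoted in the post; the classification rules (orphaned marker, Run-key hive and name, quoted versus unquoted executable path) are my assumptions about the log format, not something the post states.

```python
"""Triage HijackThis-style log lines: orphaned COM references vs live autostarts.

Added example for illustration; not code from the thread, HijackThis or MGtools.
"""
import re

# Constructed sample, built from the O2/O3/O4/O18 lines quoted in the post.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: (no name) - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O18 - Protocol: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - mscoree.dll (file missing)
"""

LINE_RE = re.compile(r"^(O\d+) - (.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
# O4 body: HKLM\..\Run: [ValueName] command line   (assumed shape)
RUN_RE = re.compile(r"^(HKLM|HKCU)\\\.\.\\(Run[^:]*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
ORPHAN_MARKERS = ("(no file)", "(file missing)")


def executable_path(cmd):
    """Pull the executable out of a Run-key command line.

    Quoted paths end at the closing quote; unquoted paths with spaces
    (RealPlay.exe above) are cut at the first '.exe'.
    """
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.match(r"(.*?\.exe)", cmd, re.IGNORECASE)
    return m.group(1) if m else cmd.split(" ", 1)[0]


def parse_hjt_line(line):
    """Return a dict for one HJT line, or None if it is not an O-section line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    section, body = m.groups()
    entry = {
        "section": section, "raw": line.strip(), "clsid": None,
        "hive": None, "name": None, "command": None, "path": None,
        # "(no file)" / "(file missing)": registry points at something that is gone
        "orphaned": any(marker in body for marker in ORPHAN_MARKERS),
    }
    cm = CLSID_RE.search(body)
    if cm:
        entry["clsid"] = cm.group(0).upper()   # normalize case for comparison
    if section == "O4":
        rm = RUN_RE.match(body)
        if rm:
            entry["hive"] = rm.group(1)
            entry["name"] = rm.group("name")
            entry["command"] = rm.group("cmd")
            entry["path"] = executable_path(rm.group("cmd"))
    return entry


def triage(log_text):
    """Split a log into (all entries, orphaned COM references, O4 autostarts)."""
    entries = [e for e in (parse_hjt_line(l) for l in log_text.splitlines()) if e]
    orphaned = [e for e in entries if e["orphaned"]]
    autostart = [e for e in entries if e["section"] == "O4"]
    return entries, orphaned, autostart


def report(log_text):
    """One human-readable line per entry, stating why it was flagged."""
    entries, _, _ = triage(log_text)
    lines = []
    for e in entries:
        if e["orphaned"]:
            lines.append(f"{e['section']} orphaned {e['clsid']}: referenced file is gone")
        elif e["section"] == "O4":
            lines.append(f"{e['section']} autostart {e['hive']} [{e['name']}] -> {e['path']}")
        else:
            lines.append(f"{e['section']} other: {e['raw']}")
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_LOG):
        print(line)
```

    The distinction matters when deciding what to "Fix": an orphaned O2/O3/O18 entry is a dangling registry reference and removing it cannot break anything, whereas an O4 entry points at a real program, so its path should be looked at (and, for HKCU entries like MSMSGS, understood as per-user autostart) before it is removed.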
  10. Fishead2k

    Fishead2k Private E-2

    Greetings,

    First, thanks again for your help!
    FYI - I am assisting through my uninfected system, as I tech his system offline, with the exception that I have briefly connected a couple of times to email log files to my system to forward on to you. His burner is apparently messed up in this or otherwise. In turn I have been downloading tools etc. and burning them to CD to transfer to his system.

    Ok, I followed your directions to a T, and following are the results and current status of the system, running down your list...

    NortonAV - Prior to the infection, my friend apparently had let this OEM install of NAV expire for updates. Once he started to notice issues with the system, he recently purchased Norton 360 and attempted an uninstall of the old and a new install of Norton 360. The install failed (as described to me) because some of NAV was left behind/running. I can see the updater etc. still in the Add/Remove Programs list.
    This I believe was after he went to the web for answers, and may have attempted some anti-virus scans etc. I have observed some anti-virus pop-ups etc. early on here (presumed bogus) but have not seen them now past these last couple of scans. But it may be possible a second AV program is installed? You may be better able to see this from the logs... So the system is currently without virus protection at the moment. Can you offer advice to remove the last vestiges of NAV so I can fresh-install 360 for him and update?

    I ran the Windows Messenger disable/removal tool you referred me to, however it failed and returned a screen thus: run-time error '_21470247770 (8007007e)':
    -- this with the (remove/uninstall) item ticked. I re-tried with the other options, to disable user and system-wide options ticked, and with both the tool did nothing (apparent).

    Uninstall of JS runtime - successful

    Ran HJT - as specified, and successfully removed the items noted.

    ComboFix - successfully ran the script provided. THANK YOU :)

    ATTACHED ARE THE LOGS REQUESTED, with many thanks for your continued assistance.

    On a side note:
    He has this AT&T (sbc/yahoo) Self Help tool pop-up that is a POS, any advice for its removal appreciated also.

    Again, many thanks. Awaiting your response...

    Fishead2k
     

    Attached Files:

  11. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Hi Fishead2k

    Just a few things to do now.

    1) Please navigate to the folder indicated below, which you can safely delete.


    2) I would like to remind you that you still need to go to Add and Remove Programs to uninstall the below. An older version of Java appears to still be installed, along with some more software that should have been uninstalled as per step 1 of the Read and Run Me First.


    • J2SE Runtime Environment 5.0 Update 3
    • Viewpoint Media player
    Then be sure to reboot the machine before installing the most up-to-date version available in the clickable link below:

    Java Runtime 6


    3) Now Run Ccleaner!


    4) With regards to the disabling of Windows Messenger not working correctly, please refer to this: http://support.microsoft.com/kb/302089

    5) Yes, please run the below, then reboot. After the reboot, run it one more time.


    Norton Removal Tool (SymNRT)

    Thanks
    Kestrel13!
     
