Various Infections

Kenny2014 · Feb 21, 2014

Hi,

My computer seems to be infected by various types of malware/viruses and none of the usuall security software, or the first 4 stages in the 'read&runme' seem to be solving it permanently. I get maybe a decent days use after running the programs, before things start getting dodgy again.

The symptoms tend to include general computer slowness (which I guess may also be due to other factors). My internet browsers seem to be affected the most; chrome doesn't open at all, even after uninstalling and reinstalling. Internet explorer usually only opens the first page, but shuts down if I link to another page, or try to open another tab or window.

I've also been regularly getting a dos window automatically opening with a 'taskeng.exe' message, and the computer generally just doesn;t seem very stable, for example, a lot of programs not responding, even basic office software like word. (it's even taking me numerous attempts to post this as IE stops working and shuts down every window when I try to attach logs).

My OS is Windows 7 . I normally use Microsoft Security Essentials with regular Malware Bytes scans, and some of the nasty sounding stuff it's been picking up in recent weeks has included;

Backdoor:Win32/Caphaw.AC
Backdoor:Win32/Qakbot.gen!C
PWS:Win32/Zbot.gen!Y
Exploit:JS/Neclu.C
Trojan:Win32/Sisproc
Trojan:2BOtr.Gen
Trojan:FakeMS.ED

Please find attached the requested logs. TDDSKiller seemed to be clear so no log for that. If you require further info, just let me know

Thanks very much for your time!

TimW · Feb 21, 2014

Rerun RogueKiller and have it fix these items:

Code:

¤¤¤ Registry Entries : 13 ¤¤¤
[RUN][SUSP PATH] HKCU\[...]\Run : Uwzifu (C:\Users\Kenny\AppData\Roaming\Deudiq\anina.exe [-]) -> FOUND
[RUN][SUSP PATH] HKCU\[...]\Run : kSHmZrJyI1cUACccTePkuA== ("C:\Users\Kenny\AppData\Roaming\Autodesk\DWG TrueView 2013\R10\enu\Plotters\Plot Styles\expand.exe" [-]) -> FOUND
[RUN][SUSP PATH] HKUS\S-1-5-21-2883517456-1296497140-253021282-1000\[...]\Run : Uwzifu (C:\Users\Kenny\AppData\Roaming\Deudiq\anina.exe [-]) -> FOUND
[RUN][SUSP PATH] HKUS\S-1-5-21-2883517456-1296497140-253021282-1000\[...]\Run : kSHmZrJyI1cUACccTePkuA== ("C:\Users\Kenny\AppData\Roaming\Autodesk\DWG TrueView 2013\R10\enu\Plotters\Plot Styles\expand.exe" [-]) -> FOUND

Then have it fix these items:

Code:

¤¤¤ Scheduled tasks : 2 ¤¤¤
[V2][SUSP PATH] mxszdenibhupd : C:\Windows\system32\cscript.exe - //E:javascript C:\Windows\TEMP\zdenibh.mkt [7][x] -> FOUND
[V2][SUSP PATH] Seagate NA03BDP1 Product Registration (Kenny) : C:\Users\Kenny\AppData\Roaming\Leadertech\PowerRegister\Seagate NA03BDP1 Product Registration.exe - /remind /language=ENG /SRNM="NA03BDP1" /BRND="Seagate" /BDSR="Seagate NA03BDP1" /loadsrnm="NA03BDP1" [7][x][x][x][x] -> FOUND

And finally this item:

Code:

¤¤¤ Particular Files / Folders: ¤¤¤
[ZeroAccess][Folder] Install : C:\Users\Kenny\AppData\Local\Google\Desktop\Install [-] --> FOUND

Now run Hitman and have it fix what it found.

Reboot and rescan with both RogueKiller and Hitman and attach the new logs.

Be sure to tell me how things are running.

Kenny2014 · Feb 22, 2014

Hi Tim, thanks a lot for helping me out here.

So far today, things seem to be running a bit smoother. IE's behaving itself (knock on wood) and i'm not getting these dos windows popping up.

Please find attached the latest Hitmanpro and Roguekiller logs after deleting the items requested. Hitmanpro still seems to be picking up a trojan.

Thanks

Kenny.

TimW · Feb 22, 2014

Download OTM by Old Timer and save it to your Desktop.

Right-click OTM.exe And select " Run as administrator " to run it.

Paste the following code under the http://farm3.static.flickr.com/2455/4173556815_a721a91733_o.png area. Do not include the word Code.
Code:
:Processes
explorer.exe

:Files
C:\users\kenny\appdata\roaming\deudiq

:Commands
[purity]
[ResetHosts]
[emptytemp]
[start explorer]
[Reboot]
Return to OTM, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste.

Push the large http://farm3.static.flickr.com/2782/4174320048_f01c448b32_o.png button.

OTM may ask to reboot the machine. Please do so if asked.

Copy everything in the Results window (under the green bar), and paste it in your next reply.

Now navigate to the C:\_OTM\MovedFiles folder ( assuming your Windows drive is C). This is where your log will be saved in the form of Date and Time mmddyyyy_hhmmss.log. Just look for the most recent .log file. Attach this log file to your next message.

Reboot and rescan with Hitman and attach that log as well.

Kenny2014 · Feb 22, 2014

Now that was a speedy reply!

I didn't get a copy of the OTM results window as I had rebooted before reading that request, sorry about that

The OTM and Hitman logs are attached

Thanks again

Kenny.

TimW · Feb 22, 2014

How are things running now?

Kenny2014 · Feb 23, 2014

Yeah, things seem relatively good today. I haven't had any problems, both internet browsers working fine, and I even managed to use some Autodesk software that's pretty taxing on the PC and has been unusable for the past few weeks.

TimW · Feb 23, 2014

If you are not having any other malware problems, it is time to do our final steps:

We recommend you keep Malwarebytes Anti-Malware for scanning/removal of malware.

Renable your Disk Emulation software with Defogger if you had disabled it in step 4 of the READ & RUN ME.

Go to add/remove programs and uninstall HijackThis. If you don't see it or it will not uninstall, don't worry about it. Just move on to the next step.

If running Vista, Win 7 or Win 8, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.

Now goto the C:\MGtools folder and find the MGclean.bat file. Double click ( if running Vista, Win7, or Win 8 Right Click and Run As Administrator ) on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.

Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.

If you are running Win 8, Win 7, Vista, Windows XP or Windows ME, do the below to flush restore points:

Refer to the instructions for your WIndows version in this link: Disable And Enable System Restore

What we want you to do is to first disable System Restore to flush restore points some of which could be infected.

Then we want you to Enable System Restore to create a new clean Restore Point.

After doing the above, you should work thru the below link:

How to Protect yourself from malware!

Kenny2014 · Feb 25, 2014

Ok, all done. Things are a lot better.

Again, thanks very much for your help Tim

All the best,

Kenny

TimW · Feb 26, 2014

You are most welcome. Safe surfing.

Log in or Sign up

Various Infections

Kenny2014 Private E-2

Attached Files:

RKreport[0]_S_02192014_184457.txt

mbam-log-2014-02-19 (18-57-35).txt

HitmanPro_20140219_1934.log

MGlogs.zip

TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

Kenny2014 Private E-2

Attached Files:

RKreport[0]_S_02222014_145441.txt

HitmanPro_20140222_1505.log

TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

Kenny2014 Private E-2

Attached Files:

HitmanPro_20140222_2119.log

02222014_210129.log

TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

Kenny2014 Private E-2

TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

Kenny2014 Private E-2

TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member