Various Issues

Discussion in 'Malware Help (A Specialist Will Reply)' started by Retrophase, Jan 23, 2011.

  1. Retrophase

    Retrophase Private E-2

    I'm posting this thread because I've been having issues with my Toshiba Satellite running Vista recently. I've been getting blue screens with the error irql_not_less_equal or something similar, and various internet link redirects, coupled with strange behavior of svchost.exe.

    I have completed the instructions in read and run me first, and am currently working through the vista malware removal thread. My next post will contain the needed logs. I just thought I'd give some preface beforehand.
     
  2. Retrophase

    Retrophase Private E-2

    An update: when trying to run ComboFix I get a BSOD. I tried to rename it to "random".com, as I've seen suggested in other threads, and the same thing occurs. Maybe I should try it in safe mode?

    Anyway, attached are the logs for Super AntiSpyware and Malwarebytes. Rootrepeal and MGtools logs coming soon.
     

    Attached Files:

  3. Retrophase

    Retrophase Private E-2

    Sorry about the double/triple posting.

    Rootrepeal and Mgtools ran correctly, logs are included.

    To further explain: after running these various programs I'm still having issues. I got an error depicted in the attached jpg shortly after reboot. I was getting these errors before, however it was a "host process for microsoft windows" that stopped working instead of the tos thing in the picture. Svchost.exe has seemed to quiet down, as before it was taking half of the processor power and more occasionally. I understand that it is a part of Windows, but before I started having issues its instances never used up so much resources. Finally, the redirecting of links has seemed to stop, but I won't be too sure until I do some more surfing.

    Thanks in advance to anyone that replies.
     

    Attached Files:

    Last edited: Jan 23, 2011
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Major Geeks!

    Are you running this PC without an antivirus program installed? I see leftovers from Norton Internet Security but it does not appear to be installed.

    NOTE: Zack and Jeremy should each have their own user accounts and they should be restricted user accounts since the owner account is the admin account.



    Download TDSSKiller from Kaspersky directly onto your Desktop
    • Now double click the TDSSkiller.exe file to run it ( if using Vista or Windows 7 do not double click on it but rather, right click and select Run As Administrator. )
    • If TDSSKiller does not run, try renaming it. To do this, right-click on TDSSKiller.exe, select Rename and give it a random name with the .com file extension (i.e. 123tdk.com).
    • Allow the application to run if prompted by Windows or any security programs you have installed
    • It will start the scan and run rather quickly and will notify you of whether anything is found or not.
    • Follow the instructions to delete/quarantine if it asks you what to do when it finds something.
    • Whether an infection is found or not, a log file should be created on your C: drive ( or whatever drive you boot from) in the root folder named something like TDSSKiller.2.1.1_27.12.2009_14.17.04_log.txt which is based on the program version # and date and time run. Please attach this log to your next reply. (See: HOW TO: Attach Items To Your Post )
    Now run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista or Win 7, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:8074
    O2 - BHO: (no name) - MRI_DISABLED - (no file)
    O4 - HKCU\..\Run: [{A378C84B-72F4-EC38-B239-884B1A9D64CB}] C:\Users\Zack&Jeremy\AppData\Roaming\Adin\izyrq.exe
    O4 - HKUS\S-1-5-21-162945283-913941628-437005688-1001\..\Run: [cacaoweb] (User '?')
    O4 - HKUS\S-1-5-18\..\Run: [Dcoga] rundll32.exe "C:\Windows\system32\config\systemprofile\AppData\Local\cerolp.dll",Startup (User '?')
    O4 - HKUS\.DEFAULT\..\Run: [Dcoga] rundll32.exe "C:\Windows\system32\config\systemprofile\AppData\Local\cerolp.dll",Startup (User 'Default user')
    O4 - S-1-5-21-162945283-913941628-437005688-1001 Startup: eptex.exe (User '?')
    O4 - .DEFAULT User Startup: ufihdy.exe (User 'Default user')
    O4 - Startup: eptex.exe

    After clicking Fix, exit HJT.



    Now we need to use ComboFix to remove a bunch of malware files.
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    • If ComboFix tells you it has expired or needs to be updated to a new version, make sure you allow it to update.
    • Open Notepad and copy/paste the text in the below quote box into it:
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below
    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.


    After reboot, now install the current version of Sun Java from: Sun Java Runtime Environment

    Also delete all files and subfolders in the below folders except ones from the current date (Windows will not let you delete the files from the current day).
    C:\WINDOWS\Temp
    C:\Users\Zack&Jeremy\AppData\Local\Temp

    Now run Ccleaner. Only use the Run Cleaner button. Do not run anything else on any other forms.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).



    Then attach the below logs:
    • C:\ComboFix.txt
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
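An added example, not code from the thread or from any MajorGeeks tool: a small Python triage script that applies the same reasoning chaslang used to pick out those HijackThis lines (a browser proxy pointing at 127.0.0.1 explains the redirects, Run entries and rundll32 DLL loads from AppData are dropper persistence, a bare executable in a Startup folder is a red flag). The sample input is the HJT lines quoted above plus one constructed, benign HKLM Run entry as a control; the rule patterns are assumptions for illustration, not any tool's real signatures.

```python
import re
from typing import Optional

# HijackThis lines copied from the thread above, plus one benign HKLM Run entry
# (constructed) so the "looks fine" path is exercised too.
HJT_SAMPLE = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:8074
O2 - BHO: (no name) - MRI_DISABLED - (no file)
O4 - HKCU\..\Run: [{A378C84B-72F4-EC38-B239-884B1A9D64CB}] C:\Users\Zack&Jeremy\AppData\Roaming\Adin\izyrq.exe
O4 - HKUS\S-1-5-18\..\Run: [Dcoga] rundll32.exe "C:\Windows\system32\config\systemprofile\AppData\Local\cerolp.dll",Startup (User '?')
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - Startup: eptex.exe
"""

# Each rule: (HJT section prefix, pattern, why a defender should care). Illustrative only.
RULES = [
    ("R1", re.compile(r"ProxyServer\s*=.*\b(127\.0\.0\.1|localhost)\b", re.I),
     "browser proxy points at a local port: a process on this PC can rewrite or redirect traffic"),
    ("O2", re.compile(r"\(no file\)", re.I),
     "BHO registered with no file on disk: orphaned or hidden browser extension"),
    ("O4", re.compile(r'rundll32(\.exe)?\s+"?[^"]*\\AppData\\', re.I),
     "rundll32 loads a DLL from a profile AppData folder: classic dropper persistence"),
    ("O4", re.compile(r"\\AppData\\(Roaming|Local)\\[^\\]+\\[a-z]{4,8}\.exe", re.I),
     "autorun executable with a random-looking name under AppData"),
    ("O4", re.compile(r"Startup: [a-z]{4,8}\.exe", re.I),
     "bare executable in a Startup folder"),
]

def classify(line: str) -> Optional[str]:
    """Return the first matching reason for one HJT line, or None if it looks benign."""
    line = line.strip()
    for prefix, pattern, reason in RULES:
        if line.startswith(prefix + " - ") and pattern.search(line):
            return reason
    return None

def triage(log_text: str) -> list:
    """Return [(line, reason)] for every suspicious line in a HijackThis log."""
    return [(l.strip(), r) for l in log_text.splitlines() if (r := classify(l))]

if __name__ == "__main__":
    for line, reason in triage(HJT_SAMPLE):
        print(f"{line}\n    -> {reason}")
```

The script only flags lines for a human to review; deciding what to Fix is still the analyst's call, as in the thread.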
  5. Retrophase

    Retrophase Private E-2

    Sorry for the delay, I had a lapse in my internet connection.

    During the last step of what you told me to do (Now run the C:\MGtools\GetLogs.bat file) MGtools seemed to hang up on the TDSSKiller log, so I just included it separately. Hope I didn't mess that part up.

    As for antivirus software, I thought iobit360 was an antivirus solution. If not I'll just have to get avast or something similar.

    Thank you very much for your help. I have had no blue screens yet after doing these fixes, and the browser redirects have stopped. I will continue to monitor for odd behavior.
     

    Attached Files:

  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome.

    No! It is an antimalware/antispyware application only. See this: IObit Security 360


    We have a little more work to do.



    Now we need to use ComboFix
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    • If ComboFix tells you it has expired or needs to be updated to a new version, make sure you allow it to update.
    • Open Notepad and copy/paste the text in the below quote box into it:
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below
    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:
    • C:\ComboFix.txt
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
