Viruses with Tencent (RootRepeal didn't work)

Discussion in 'Malware Help (A Specialist Will Reply)' started by Enigma42, Jun 4, 2012.

  1. Enigma42

    Enigma42 Private E-2

    My dad had been downloading a lot of Chinese software over the last four months without using ANY protection. Heck, this desktop has been reformatted multiple times already because he seemed to be an expert at running it into the ground. Surprisingly, it can run on normal mode, but it is pretty deathly slow.

    To make matters worse, I may have accidentally downloaded the download manager, mistaking it for the actual download, and a bunch of other software found its way on May 31 when I downloaded Dropbox, Auslogics Defrag, Advanced SystemCare, Avast, and Foxit. I wish I had taken a picture of them all, but I used the standard uninstaller for some of them before turning to IObit Uninstaller, so registry entries may still be lingering. I deleted them and a bunch of Chinese apps. Some suspicious files: Youku, Privacyware, Python 2.5.2 (which refuses to uninstall), etc.

    On May 31, I ran malwarebytes. A quick scan already produced 35 threats, and a full scan captured 15 more. Over several days, I ran the full scan twice, but nothing happened.

    Then I attempted everything on the two stickies (though I downloaded most of the programs to the Downloads folder, and was slow or maybe even sloppy in realizing that I needed to disable Windows Live), and SuperAntiSpyware came up with 30+ more threats. Tencent was extremely prominent, which also happened to show up on this thread:

    http://forums.majorgeeks.com/showthread.php?t=176691

    I also was an idiot and installed 7-Zip in the middle, because I was tired of the Chinese WinZip that didn't display anything coherent, and uninstalled that.

    Unfortunately, my text files got deleted the moment my computer rebooted for the two scanners, so I will have to substitute more recent ones, and it may therefore appear that I ran the scanners out of order. To my chagrin, Tencent still appears intact, embedded in AppData, Roaming, Program Files, and probably dozens of places I don't even know of.

    I attempted to delete them and then have CCleaner mop up the registry, but don’t know how effective that will be.

    An additional SuperAntiSpyware full scan got an adware from Tencent. I was only able to save the file before the reboot: it disappeared right afterwards.

    Malwarebytes turned up nothing twice. I used full scans for both: is that okay?

    Every test ran smoothly except RootRepeal, which caused the computer to freeze when it was initializing (according to other threads, it's a fifty-fifty program).

    Given the number of mistakes, should I start over? I assume I suffer from a similar problem to the other thread, and deep registry changes have been made in these four months. I am on the verge of giving up and reformatting once more: I’m stuck with this computer for 3 more months.
     

    Attached Files:

  2. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    I want you to run TDSSKiller, so refer to the below for how to do so.

    TDSSkiller - How to run


    Please also download MBRCheck to your desktop
    • Double click MBRCheck.exe to run (Vista and Win 7: right click and select Run as Administrator)
    • It will show a Black screen with some information that will contain either the below line if no problem is found:
      • Done! Press ENTER to exit...
    • Or you will see more information like below if a problem is found:
      • Found non-standard or infected MBR.
      • Enter 'Y' and hit ENTER for more options, or 'N' to exit:
    • Either way, just choose to exit the program at this point since we want to see only the scan results to begin with.
    • MBRCheck will create a log named similar to MBRCheck_07.16.10_00.32.33.txt which is random based on date and time.
     
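MBRCheck's "non-standard or infected MBR" verdict comes from reading the first sector of the disk, checking its structure, and comparing the boot code against known-good code. The script below is an added example of that kind of check, not MBRCheck's own code or the forum's: it builds a constructed 512-byte MBR, validates the 0x55AA boot signature, parses the four partition entries for anomalies (bad status bytes, more than one active entry, zero-length or overlapping partitions), and hashes the boot code against an allow-list. The sample boot code and the allow-list hash are fabricated for illustration; a real tool would carry hashes of genuine Windows bootstrap code.

```python
"""Sanity-check a 512-byte Master Boot Record (added example, constructed data).

The structural rules below are the standard MBR layout; the sample boot code and
the allow-list entry are fabricated for this example and are NOT real Windows
boot-code hashes.
"""
import hashlib
import struct

SECTOR = 512
BOOT_SIG = b"\x55\xaa"
# status, CHS start, partition type, CHS end, LBA start, sector count
ENTRY_FMT = "<B3sB3sII"

# Constructed boot code: 440 NOPs stand in for a real bootstrap program.
SAMPLE_BOOTCODE = b"\x90" * 440
# Illustrative allow-list; a real tool ships hashes of genuine Windows boot code.
KNOWN_BOOTCODE = {
    hashlib.sha256(SAMPLE_BOOTCODE).hexdigest(): "constructed sample boot code",
}


def build_sample_mbr(bootcode=SAMPLE_BOOTCODE, entries=None, valid_sig=True):
    """Assemble a 512-byte MBR from its parts (constructed test data)."""
    if entries is None:
        # One active NTFS (type 0x07) partition starting at LBA 2048, 204800 sectors.
        entries = [(0x80, b"\x01\x01\x00", 0x07, b"\xfe\xff\xff", 2048, 204800)]
    table = b"".join(struct.pack(ENTRY_FMT, *e) for e in entries).ljust(64, b"\x00")
    tail = BOOT_SIG if valid_sig else b"\x00\x00"
    disk_signature = b"\x78\x56\x34\x12"  # arbitrary 4-byte NT disk signature
    mbr = bootcode[:440].ljust(440, b"\x00") + disk_signature + b"\x00\x00" + table + tail
    if len(mbr) != SECTOR:
        raise ValueError("constructed MBR is not 512 bytes")
    return mbr


def parse_mbr(data):
    """Split a raw sector into boot code, disk signature, partition table, signature."""
    if len(data) != SECTOR:
        raise ValueError("MBR must be exactly 512 bytes")
    partitions = []
    for i in range(4):
        off = 446 + 16 * i
        status, _chs0, ptype, _chs1, lba, count = struct.unpack(ENTRY_FMT, data[off:off + 16])
        partitions.append({"index": i, "status": status, "type": ptype,
                           "lba_start": lba, "sectors": count})
    return {
        "boot_code": data[:440],
        "disk_signature": struct.unpack("<I", data[440:444])[0],
        "partitions": partitions,
        "boot_signature": data[510:512],
    }


def check_mbr(data):
    """Return a list of findings; an empty list means nothing looked unusual."""
    mbr = parse_mbr(data)
    findings = []
    if mbr["boot_signature"] != BOOT_SIG:
        findings.append("missing 0x55AA boot signature")
    digest = hashlib.sha256(mbr["boot_code"]).hexdigest()
    if digest not in KNOWN_BOOTCODE:
        findings.append(f"boot code not in allow-list (sha256 {digest[:16]}...)")
    for p in mbr["partitions"]:
        if p["status"] not in (0x00, 0x80):
            findings.append(f"entry {p['index']}: invalid status byte 0x{p['status']:02x}")
    active = [p for p in mbr["partitions"] if p["status"] == 0x80]
    if len(active) > 1:
        findings.append("more than one partition flagged active")
    used = [p for p in mbr["partitions"] if p["type"] != 0]
    for p in used:
        # A used entry starting at sector 0 would overlap the MBR itself.
        if p["lba_start"] == 0 or p["sectors"] == 0:
            findings.append(f"entry {p['index']}: used entry with zero start or length")
    for a in used:
        for b in used:
            if a["index"] >= b["index"]:
                continue
            a_end = a["lba_start"] + a["sectors"]
            b_end = b["lba_start"] + b["sectors"]
            if a["lba_start"] < b_end and b["lba_start"] < a_end:
                findings.append(f"entries {a['index']} and {b['index']} overlap")
    return findings


if __name__ == "__main__":
    print("clean sample:", check_mbr(build_sample_mbr()) or "no findings")
    print("no signature:", check_mbr(build_sample_mbr(valid_sig=False)))
    print("patched boot code:", check_mbr(build_sample_mbr(bootcode=b"\xeb\xfe" + b"\x90" * 438)))
```

To run this against a real disk on Windows, read the first 512 bytes of `\\.\PhysicalDrive0` from an elevated prompt (for example `open(r"\\.\PhysicalDrive0", "rb").read(512)`) and pass them to `check_mbr`; an unexpected boot-code hash is the finding that matters for bootkit-style infections, while the partition-table checks catch corrupt or tampered tables.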
  3. Enigma42

    Enigma42 Private E-2

    I tried to run rootrepeal again and this time gave it a whole day to attempt to do its work. It actually got pretty far (and found a good number of suspicious locked files), but then it got to PC health check and couldn't get past that for 12 hours. When I tried to at least screenshot it, my computer completely froze. :banghead

    I managed to make out only three things:

    80e34444-adef-11e1-ba63-0021974311ed
    80e3448-adef-11e1-ba63-0021974311ed
    7fe8edec-adc4-11e1-ad740021974311ed

    And unfortunately, they weren't even the full names, so I'm not sure if it's any help.

    Anyway, TDSSKiller found 4 suspicious files, while MBRCheck ran into interference. Problem is certainly far from over! :\

    Thank you very much for the help you've given me so far. :)
     

    Attached Files:

  4. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:


    After clicking Fix exit HJT.


    Copy the bold text below to Notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.

    Make sure that you tell me if you receive a success message about adding the above
    to the registry. If you do not get a success message, it definitely did not work.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. (Right click and run as admin if using Vista or Windows7) Then attach the new C:\MGlogs.zip file that will be created by running this.

    Briefly, and to the point, explain what issues remain. :)
     
  5. Enigma42

    Enigma42 Private E-2

    HijackThis did find two R0 redirects. One was a (seemingly harmless) HP redirect, but another was called "R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = " instead. I decided to delete that one anyway.

    A success message appeared for the registry editing, and MGTools ran smoothly.

    Here are the files. I decided to attach the HijackThis log in case any additional reference is needed.

    I will be rebooting shortly. Hopefully we're close to finished.
     

    Attached Files:

  6. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Not seeing any issues now.

    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources (except a little disk space) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /uninstall
        • Notes: The space between the combofix" and the /uninstall, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
    3. Go back to step 6 of the READ ME and re-enable your Disk Emulation software with Defogger if you had disabled it.
    4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. If running Vista, it is time to make sure you have re-enabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    7. Go to add/remove programs and uninstall HijackThis.
    8. Go to the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    9. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures pointed to by step 7 of the READ ME for your Windows version and see the instructions to Disable System Restore, which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    10. After doing the above, you should work through the below link:
     
