Win 7 AntiVirus 2012

Discussion in 'Malware Help (A Specialist Will Reply)' started by Saken, Jan 3, 2012.

  1. Saken

    Saken Private E-2

    Hey guys, I'm helping a friend to fix his laptop, which was infected with this nasty thing. I did get rid of it by using Rkill and TDSSKiller, followed up by a complete scan with an updated MBAM.

    Now I'm also running your removal procedures just to get rid of anything extra that may be hidden (he didn't have an antivirus :|).

    So I couldn't run ComboFix: it would not run past the bit where it asks for permission. A bunch of files install (green progress bar), which is the bit before the blue cmd prompt is meant to come up, but as soon as the files install, nothing else happens. The blue cmd prompt does not pop up.

    RootRepeal crashed multiple times in one instance of it running; I will attach a log of one of the error dumps.

    MGTools also failed at a certain bit, and I couldn't get a log.
    It gave these error codes:

    Application has generated an exception that cannot be handled

    Process id = 0x12ac(4780)
    Thread id =0x1434(1492)

    MBAM and SAS ran fine, however.
     
  2. Saken

    Saken Private E-2

    Looks like I forgot the logs :p

  3. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Download OTL to your desktop.

    • Double-click on the icon to run it. Make sure all other windows are closed and let it run uninterrupted.
    • (Vista and Windows 7 users: right-click OTL and choose Run as Administrator.)
    • When the window appears, underneath Output at the top change it to Minimal Output.
    • Check the boxes beside LOP Check and Purity Check.
    • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.

    When the scan completes, it will open two Notepad windows: OTL.Txt and Extras.Txt. These are saved in the same location as OTL.

    Attach both of these logs into your next reply.


    Please also download MBRCheck to your desktop.
    • Double-click MBRCheck.exe to run it (Vista and Win 7: right-click and select Run as Administrator).
    • It will show a black screen with some information that will contain the line below if no problem is found:
      • Done! Press ENTER to exit...
    • Or you will see more information like the lines below if a problem is found:
      • Found non-standard or infected MBR.
      • Enter 'Y' and hit ENTER for more options, or 'N' to exit:
    • Either way, just choose to exit the program at this point, since we want to see only the scan results to begin with.
    • MBRCheck will create a log named similar to MBRCheck_07.16.10_00.32.33.txt; the name is based on the date and time.
    • Attach this log to your next message. (See: HOW TO: Attach Items To Your Post)

    Please also attach the log from TDSSKiller.
     
  4. Saken

    Saken Private E-2

    Logs obtained.

    MBRCheck found something wrong with the MBR.

  5. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    You said something got fixed by using TDSSKiller, but the log you attached does not reflect this. Can you attach the correct log please showing what it removed?

    Just because MBRCheck reports back with "unknown mbr" does not ALWAYS mean it is a bad MBR. So I need for you to describe how things are running, what is wrong, how the computer is behaving to give me some clue as to how to proceed. :) The last thing I want to do is fix an MBR that is fine.

    Please type the following into your browser address bar (Google Chrome)

    • chrome:extensions

    Does anything relating to Relevant Knowledge show up?

    Uninstall this: Searchqu 410 MediaBar (or it may show as Windows Searchqu Toolbar)

    Also uninstall this unless it was paid for: Registry Mechanic 10.0


    We need to run an OTL Fix

    • Right-click OTL.exe and select "Run as administrator" to run it. If Windows UAC prompts you, please allow it.
    • Copy and paste the following code into the textbox. Do not include the word Code.
    Code:
    :otl
    @Alternate Data Stream - 145 bytes -> C:\ProgramData\Temp:BB24555F
    @Alternate Data Stream - 140 bytes -> C:\ProgramData\Temp:AF4CCAAD
    @Alternate Data Stream - 118 bytes -> C:\ProgramData\Temp:ABE89FFE
    @Alternate Data Stream - 102 bytes -> C:\ProgramData\Temp:D1B5B4F1
    
    :files
    C:\Users\lazaros\AppData\Local\2frjs66arvj16e2u7rjfjxp322446i327b67tq
    C:\ProgramData\2frjs66arvj16e2u7rjfjxp322446i327b67tq
      
    :commands
    [EMPTYTEMP]
    [RESETHOSTS]
    [REBOOT]
    • Then click the Run Fix button at the top.
    • Click Image.
    • OTL may ask to reboot the machine. Please do so if asked.
    • The report should appear in Notepad after the reboot. ATTACH that report in your next reply.

    Now run OTL again like you did in post number 3 and attach the log. (The extras log will not be created again)
     
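    As an added example (not from this thread, and not part of OTL or any other tool named here), the following PowerShell function lists every alternate data stream under a folder, including streams attached to the folder itself, so entries like the four in the :otl section above can be reviewed before a fix deletes them. It assumes Windows PowerShell 3.0 or later on an NTFS volume; the path is the one named in the fix script.

```powershell
# Added example, not part of the thread: list alternate data streams (ADS)
# on a folder and everything under it. Needs Windows PowerShell 3.0+ on NTFS.
function Get-AlternateDataStream {
    param([Parameter(Mandatory)][string]$Path)

    # Include the folder itself: the streams in the fix above hang off
    # C:\ProgramData\Temp (a directory), not off files inside it.
    $items = @(Get-Item -LiteralPath $Path -Force) +
             @(Get-ChildItem -LiteralPath $Path -Recurse -Force -ErrorAction SilentlyContinue)

    foreach ($item in $items) {
        # '*' returns every stream; ':$DATA' is the ordinary file content, so skip it.
        # Note that Zone.Identifier streams on downloaded files are normal and expected.
        Get-Item -LiteralPath $item.FullName -Stream * -ErrorAction SilentlyContinue |
            Where-Object { $_.Stream -ne ':$DATA' } |
            ForEach-Object {
                # First line only, as a hint whether the stream holds text or binary data
                $preview = Get-Content -LiteralPath $item.FullName -Stream $_.Stream `
                               -TotalCount 1 -ErrorAction SilentlyContinue
                $text = if ($preview) { "$preview" } else { '' }
                [pscustomobject]@{
                    Path    = $item.FullName
                    Stream  = $_.Stream
                    Bytes   = $_.Length
                    Preview = $text.Substring(0, [Math]::Min(40, $text.Length))
                }
            }
    }
}

# Usage: the path from the fix script in this thread
Get-AlternateDataStream -Path 'C:\ProgramData\Temp' | Format-Table -AutoSize
```

    Small streams with hexadecimal-looking names on a shared folder, like the 102 to 145 byte entries in the fix above, are the kind worth a closer look; the Bytes column lets you spot them without opening each one.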
  6. Saken

    Saken Private E-2

    Sorry Kestrel, I should have made it clearer: I used TDSSKiller, but I don't think it removed anything. I used a guide on bleepingcomputer.com and it said that the virus is usually associated with a TDSS rootkit infection. So I ran TDSSKiller just in case, and there must have been no infection. Sorry about that...

    To me, the computer still runs sloppy, but as this is not my laptop, I don't know how it ran when it was originally purchased.
    It boots up fairly nicely, but going through menus is delayed and sloppy.
    His browser suffers the same sloppiness (he runs IE with a few toolbars, no doubt slowing it down even more).

    I'll get to work on the other stuff as soon as I can. Thanks for all the help so far, Kestrel :)
     
  7. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    And how are you getting on...? :)
     
  8. Saken

    Saken Private E-2

    Hey Kestrel, thanks for the concern :)

    But while I was out one day, the person that wanted it fixed came to my house, and he assumed I had fixed it (because I told him I had gotten rid of the Win 7 Antivirus 2012, but not that I (we is probably a better word :p) had finished cleaning, so he probably assumed I had finished everything). My mom therefore gave it to him, and he parted with it, ending the clean prematurely.

    I quickly told him to install an antivirus as he does not have one, and I'm not sure if he's aware that his UAC is off, the hidden folders are showing, etc.

    It's sad because he said that he's taking it to another guy at his work to fix, and he's gonna pay him money to fix it, when I was doing it for free.
    His reasoning was he needed it for work and couldn't wait. :S

    Anyway, I thank you for your help anyway; your efforts and help are always appreciated :)
     
  9. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Oh that *is* a shame.
    Most welcome. ;)
     
