Nasty virus

I’m working on a friend’s laptop and it is insanely infected. I had to run all scans in safe mode or the machine slows so badly it takes forever to do anything.

Anyway, here’s my AdwClear logs, MBAM logs, and OTL logs.

I’ve run these scanners several times in order for this thing to even be usable, so here are the latest logs.

ps, it was so bad I had to pull the drive from the laptop and scan it on my pc. I use sas then norton 360, then mbam. I put the drive in and still bad. I went into safe mode and ran mbam and it found almost 600 more things, but still machine was useless. I then found, “Java 7 Update 6” installed and immediately removed it as I have had issues with this version since it was released.

It was better, but still needed safe mode, which is when I made these logs.

If you need anymore info, let me know.
-=Mark=-

ps, this machine has Microsoft Security Essentials for protection and Defender was disabled and no other firewall protection installed.

Argus is notified, he is online right now.

I can recommend uninstalling SuperAntiSpyware because it has bad detection rates, and so it’s just slowing the PC down.

This is strange, I have Norton 360 (free from Comcast) and paid MBAM and I got infected and neither could detect the issue. I tried SAS and it picked up several and removed them and my pc was seemingly fine back then. I decided to purchase SAS at that time and replaced mbam with it.

I uninstalled sas as I didn’t think I needed that many anyway and it was just the free version anyway.

Thank you for the notification, hopefully I can cure this thing this weekend.

-=Mark=-

is your malwarebytes log from a safe mode scan?
if so, update MBAM and run a quick scan from normal mode if able to…

You can just wait for a malware remover who guides you through the cleanup process.

Hi,

Re-run OTL.exe.

[*]Copy and paste the following text written inside of the quote box into the Custom Scans/Fixes box.
:OTL
IE - HKLM\..\SearchScopes\{fa326c38-b191-4de2-90cb-b697e4b52440}: "URL" = http://search.mywebsearch.com/mywebsearch/GGmain.jhtml?id=9Zxdm008YYus&ptnrS=9Zxdm008YYus&ptb=CDFF7792-AD88-4F93-AD60-11A6A2E4D53C&ind=2012101122&n=77ee3a02&psa=&st=sb&searchfor={searchTerms}
IE - HKU\S-1-5-21-1628958811-961018352-3646669283-1000\..\SearchScopes\{104C80D4-D788-4A2C-ACA0-40AFC799BA82}: "URL" = http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT3284668&CUI=UN36732081799044959&UM=2
IE - HKU\S-1-5-21-1628958811-961018352-3646669283-1000\..\SearchScopes\{2F6FD36F-8AAE-448D-8250-CAA54C501BA6}: "URL" = http://websearch.ask.com/redirect?client=ie&tb=ORJ&o=&src=kw&q={searchTerms}&locale=&apn_ptnrs=&apn_dtid=OSJ000&apn_uid=8B1F2A67-4DD9-4A50-96C3-8577F199FEB8&apn_sauid=72D8A036-4AD3-4EB8-B5D5-B708A587C7D6
IE - HKU\S-1-5-21-1628958811-961018352-3646669283-1000\..\SearchScopes\{fa326c38-b191-4de2-90cb-b697e4b52440}: "URL" = http://search.mywebsearch.com/mywebsearch/GGmain.jhtml?id=9Zxdm008YYus&ptnrS=9Zxdm008YYus&ptb=CDFF7792-AD88-4F93-AD60-11A6A2E4D53C&ind=2012101122&n=77ee3a02&psa=&st=sb&searchfor={searchTerms}
FF - prefs.js..extensions.enabledAddons: {65f9f6b7-2dae-46fc-bfaf-f88e4af1beca}:10.15.0.62
O3 - HKU\.DEFAULT\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
O3 - HKU\.DEFAULT\..\Toolbar\WebBrowser: (no name) - {462BE121-2B54-4218-BF00-B9BF8135B23F} - No CLSID value found.
O3 - HKU\.DEFAULT\..\Toolbar\WebBrowser: (no name) - {65F9F6B7-2DAE-46FC-BFAF-F88E4AF1BECA} - No CLSID value found.
O3 - HKU\.DEFAULT\..\Toolbar\WebBrowser: (no name) - {D4027C7F-154A-4066-A1AD-4243D8127440} - No CLSID value found.
O3 - HKU\S-1-5-18\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
O3 - HKU\S-1-5-18\..\Toolbar\WebBrowser: (no name) - {462BE121-2B54-4218-BF00-B9BF8135B23F} - No CLSID value found.
O3 - HKU\S-1-5-18\..\Toolbar\WebBrowser: (no name) - {65F9F6B7-2DAE-46FC-BFAF-F88E4AF1BECA} - No CLSID value found.
O3 - HKU\S-1-5-18\..\Toolbar\WebBrowser: (no name) - {D4027C7F-154A-4066-A1AD-4243D8127440} - No CLSID value found.
O3 - HKU\S-1-5-21-1628958811-961018352-3646669283-1000\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
O33 - MountPoints2\{563cabf0-75d0-11e2-816e-001f169911fd}\Shell - "" = AutoRun
O33 - MountPoints2\{563cabf0-75d0-11e2-816e-001f169911fd}\Shell\AutoRun\command - "" = F:\TL-Bootstrap.exe
O33 - MountPoints2\{86635970-cd24-11e1-9d84-001f169911fd}\Shell - "" = AutoRun
O33 - MountPoints2\{86635970-cd24-11e1-9d84-001f169911fd}\Shell\AutoRun\command - "" = E:\TL-Bootstrap.exe

:commands
[CREATERESTOREPOINT]
[emptytemp]
[*]Then click the Run Fix button at the top.
[*]Let the program run unhindered; it will reboot the system when it is done and open Notepad with the log report. Attach that log report here.

If the log doesn’t appear, it can be found here:

C:\_OTL\MovedFiles\mmddyyyy_hhmmss.log

------------- Next ------------

Please download Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them.
Only one of them will run on your system, that will be the right version.

[*]Double-click to run it. When the tool opens click Yes to disclaimer.
[*]Under Optional Scan ensure “List BCD” and “Driver MD5” are ticked.
[*]Press Scan button.
[*]It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your reply.
[*]The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.
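The OTL fix above targets three kinds of entries: IE search scopes whose URL points at a search redirector rather than the owner's real search engine, toolbar registrations that reference a CLSID with no value behind it, and MountPoints2 entries that tie an AutoRun command (here TL-Bootstrap.exe on removable drives) to a drive GUID. The following Python script is an added example, not part of this thread or of OTL, that reads OTL-style log lines and flags exactly those three patterns so a helper can see at a glance which lines belong in a fix. The sample log lines are constructed in the shape of the entries quoted above, with one extra Bing search scope and a placeholder GUID that are not on the page; the list of trusted search hosts is an assumption to be adjusted to the machine's owner.

```python
import re
from urllib.parse import urlsplit

# Assumption: hosts whose search-scope URLs are expected on this machine.
TRUSTED_SEARCH_HOSTS = {"www.bing.com", "www.google.com"}

# Constructed sample in the shape of the OTL lines quoted in the fix above.
# The Bing line and its all-zero GUID are added for contrast and are not from the thread.
SAMPLE_LOG = r"""
IE - HKLM\..\SearchScopes\{fa326c38-b191-4de2-90cb-b697e4b52440}: "URL" = http://search.mywebsearch.com/mywebsearch/GGmain.jhtml?searchfor={searchTerms}
IE - HKU\S-1-5-21-1628958811-961018352-3646669283-1000\..\SearchScopes\{00000000-0000-0000-0000-000000000001}: "URL" = http://www.bing.com/search?q={searchTerms}
IE - HKU\S-1-5-21-1628958811-961018352-3646669283-1000\..\SearchScopes\{104C80D4-D788-4A2C-ACA0-40AFC799BA82}: "URL" = http://search.conduit.com/ResultsExt.aspx?q={searchTerms}
O3 - HKU\.DEFAULT\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
O3 - HKU\S-1-5-18\..\Toolbar\WebBrowser: (no name) - {D4027C7F-154A-4066-A1AD-4243D8127440} - No CLSID value found.
O33 - MountPoints2\{563cabf0-75d0-11e2-816e-001f169911fd}\Shell - "" = AutoRun
O33 - MountPoints2\{563cabf0-75d0-11e2-816e-001f169911fd}\Shell\AutoRun\command - "" = F:\TL-Bootstrap.exe
"""

# "IE - <hive>\..\SearchScopes\{guid}: "URL" = <url>"
SEARCHSCOPE_RE = re.compile(
    r'^IE - (?P<hive>.+?)\\\.\.\\SearchScopes\\(?P<guid>\{[0-9A-Fa-f-]+\}): '
    r'"URL" = (?P<url>\S+)$')
# "O3 - <hive>\..\Toolbar\WebBrowser: (no name) - {clsid} - No CLSID value found."
TOOLBAR_RE = re.compile(
    r'^O3 - (?P<hive>.+?)\\\.\.\\Toolbar\\WebBrowser: \(no name\) - '
    r'(?P<clsid>\{[0-9A-Fa-f-]+\}) - No CLSID value found\.$')
# "O33 - MountPoints2\{guid}\Shell[\AutoRun\command] - "" = <value>"
MOUNTPOINT_RE = re.compile(
    r'^O33 - MountPoints2\\(?P<guid>\{[0-9A-Fa-f-]+\})\\Shell'
    r'(?P<sub>(?:\\[^\s]+)*) - "" = (?P<value>.+)$')


def triage(log_text, trusted_hosts=TRUSTED_SEARCH_HOSTS):
    """Return (kind, detail, raw_line) for every line that belongs in a fix."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = SEARCHSCOPE_RE.match(line)
        if m:
            # A search scope is only suspicious when its host is not one we expect.
            host = urlsplit(m["url"]).hostname or ""
            if host not in trusted_hosts:
                findings.append(("search-hijack", host, line))
            continue
        m = TOOLBAR_RE.match(line)
        if m:
            # Toolbar slot pointing at a CLSID with no value: a leftover registration.
            findings.append(("orphan-toolbar", m["clsid"], line))
            continue
        m = MOUNTPOINT_RE.match(line)
        if m:
            # Any MountPoints2 Shell/AutoRun association is worth removing.
            findings.append(("mountpoint-autorun", m["value"], line))
    return findings


def build_otl_fix(findings):
    """Render flagged lines as an OTL fix script in the same shape as the one above."""
    lines = [":OTL"] + [raw for _, _, raw in findings]
    lines += ["", ":commands", "[CREATERESTOREPOINT]", "[emptytemp]"]
    return "\n".join(lines)


if __name__ == "__main__":
    for kind, detail, _ in triage(SAMPLE_LOG):
        print(f"{kind:20} {detail}")
    print()
    print(build_otl_fix(triage(SAMPLE_LOG)))
```

Run it on a real OTL.txt by passing the file's contents to triage(); the Bing line in the sample passes untouched because its host is in the trusted set, while the mywebsearch and conduit scopes, both orphan toolbar CLSIDs and both MountPoints2 lines are flagged.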

Here are the new report files.

Thank you for your help
-=Mark=-

Download TDSSKiller and save it to your desktop

Execute TDSSKiller.exe by double-clicking on it.
Confirm the “End User Licence Agreement” and “KSN Statement” dialog boxes by clicking on the Accept button.

[*] Press Start Scan
[*] If Suspicious object is detected, the default action will be Skip, click on Continue.
[*] If Malicious objects are found, select Cure.

Once complete, a log will be produced at the root drive, which is typically C:\, for example, C:\TDSSKiller.<version_date_time>log.txt

Please post the contents of that log in your next reply.

I ran TDSSKiller, but it found nothing.

Here’s the report.

Again, thanks for your help
-=Mark=-

Scan with Combofix:

[*] Please download ComboFix and save it to your Desktop.
You may read how Combofix works here.

[*] Temporarily disable your AntiVirus program, usually via a right click on the System Tray icon. They may interfere with Combofix.
If you are unsure how to do this please read this or this Instruction.

[*] Run ComboFix. Click on I Agree! & follow the prompts.
Note: If you see a message like “Illegal operation attempted on a registry key that has been marked for deletion” just restart your computer.

[*] When finished, it will produce a report for you. Please attach log reports (ComboFix.txt) back to topic.
(typical log location: C:\ComboFix.txt )

OK, here’s the ComboFix log. I didn’t see it run.

Thanks
-=Mark=-

Remove the ComboFix icon from the desktop and download a new CF.

Rerun Combofix.

OK, I redownloaded ComboFix, but it was the same version.

Here’s the log file again.

Argus is probably in bed right now. He’ll be on tomorrow.

BUMP.

I hope someone can help me. I think I’m still infected.

In the reports I do not see malware.

Download and install CureIt in safe mode then scan the PC

ftp://ftp.drweb.com/pub/drweb/cureit/launch.exe

Upon completion of the process, click File> Save report list and save the log on the Desktop.

Please attach the log here.

For some reason I don’t get a menu bar to save the log. I looked in downloads and there was no log file created.

Would it be somewhere else? I can’t seem to access a save feature.

It did however find a toolbar infection. I told it to neutralize it as it suggested.

I reran it a second time as the first time it put me in a protection mode, so this time I told it no and it is running on the desktop. Still no menu bar and no way to save anything.

Let me know what to do next.
-=Mark=-

Please download zoek.zip from here or here and save it to your Desktop.
Unpack the archive…

[*]Close any open browsers
[*] Temporarily disable your AntiVirus program. (If necessary)
If you are unsure how to do this please read this or this Instruction.

[*]Double click on zoek.exe to run the tool.
Please wait until the tool starts…

[*]Copy the text present inside the code box below and paste it into the large window in the zoek tool:

filesrcm;
startupall;
skipfix-iedefaults;
firefoxlook;
chromelook;

[*] Click on the Run script button.
Please wait until a log report opens (this can be after reboot).

[*]Save the Notepad file to your Desktop and attach zoek-results.log here.
Note: It will also create a log in the C:\ directory named “zoek-results.log”.

Here’s the log file from zoek.

I found the report option in CureIt. I missed that there was a link option in the results area. I was too busy looking for toolbars/menubars.

Thanks again for your help
-=Mark=-

[*]Close any open browsers
[*] Temporarily disable your AntiVirus program. (If necessary)
If you are unsure how to do this please read this or this Instruction.

[*]Double click on zoek.exe to run the tool.
Please wait until the tool starts…

[*]Copy the text present inside the code box below and paste it into the large window in the zoek tool:

emptyclsid;
C:\Users\Steve Sari\AppData\Local\teeveewatchSA;fs
C:\Windows\BuzzSocialPointsChecker;fs
emptyalltemp;
autoclean;

[*] Click on the Run script button.
Please wait until a log report opens (this can be after reboot).

[*]Save the Notepad file to your Desktop and attach zoek-results.log here.
Note: It will also create a log in the C:\ directory named “zoek-results.log”.