Brutal Malware - help

Discussion in 'Virus and Malware Removal' started by skein4, Nov 11, 2008.

  1. mflynn Newcomer, in training Posts: 2,793

    Hi rf6647

    Your help is welcome rf6647 I am a team player and I can use all the help I can get on this one.

    Jump in anytime.

    Hmmm! I have used XCleaner_Micro for years. It is from XBlock, producer of the highly rated XCleaner Anti Trojan software. They have an excellent reputation and are highly regarded in the industry.

    It seems to mainly go after the worst or most prevalent.

    It deserves more recognition than it gets. I used to use it as a pre clean before SpyBot, AdAware and MalwareBytes.

    But a few months ago on one of my clients' really whacked machines I ran it after all 3 of the above and it actually found what all the others had missed.

    I was even more impressed then!

    Good to talk to you.

    Mike
  2. skein4 Newcomer, in training Posts: 39

    Mike-

    Thanks again...more progress! I'm at work now, so I can't post the logs, but I will tonight (in about 8 hours or so). I'd appreciate if you could take a look later.

    Update: I was able to download, install and run MBW. Downloaded in safe networking mode, installed in diagnostic mode, and re-named "run this". I ran it twice in safe networking mode and it caught viruses both times. I was then able to download and install SAS. It looks like it will work in normal mode, so I will run both again after work in normal. Hopefully, I can then follow the 8 steps from start to finish. I'll post the logs after that. I'm not out danger yet, but this is real progress.

    I can't thank you guys enough, you are doing saints' work. What is the best way to repay? Recommendations, donations, etc?
  3. mflynn Newcomer, in training Posts: 2,793

    Great news! But post all the logs FIRST!

    In MWBAM click Logs, attach in the order oldest to newest!

    In SAS click Preferences-Statistics/logs oldest to newest.

    After that run both again until they come up clean or find something it cannot clean. Post logs each run!

    When doing the 8 steps do all but these 2 as you have already done these.

    Mike

    EDIT: we are not out of the water yet, your thanks is all I need!
    Did some of the links I sent download and install? Which ones? I may need this info for others.
  4. AsonJ27 Newcomer, in training Posts: 19

    I've been following this thread and have tried almost everything just as Skein did and my symptoms have been almost identical, since I picked up the virus 2 days ago.

    I don't want to jack Skein's thread so should I start my own?
  5. mflynn Newcomer, in training Posts: 2,793

    Yes start your own. Post your issues.

    Do follow instructions in his post.

    But post all logs in the new thread.

    As soon as you create the new post. I have more info on this issue and will post it.

    Mike

    EDIT: give details of the current state.
  6. skein4 Newcomer, in training Posts: 39

    Mike-

    XClean and Autoruns links worked, and seemed to put me ahead enough to finally get MBW to download. Since I'm still at the SAS stage, I haven't yet tried the Magorgeeks links. I'll post the logs in order of running them later tonight. It is definitely still infected, but I can at least run MBW and SAS for the first time.

    AsonJ, welcome to the party! It's not really fun and there is no spiked punch, but at least the conversation is good. : )

    The Xclean was the first thing that helped me, then MBW downloaded in safe mode, run in diagnostic and renamed. If that works, things get a whole lot better. More to come...
     
  7. mflynn Newcomer, in training Posts: 2,793

    Hi Skein

    No need to do the other links yet. Just do the MWBAM repeatedly, post each log until it comes up clean or with something it cannot clean.

    Same for SAS!

    Mike
  8. AsonJ27 Newcomer, in training Posts: 19

    Thanks for the welcome. This thread has been the most comprehensive I've found, and seems to be well on its way to solving both of our problems. I'll be following both this thread and my own to find the solution.
  9. skein4 Newcomer, in training Posts: 39

    Attached are the 2 logs from running MBW. 07-35-02 is the older one, 07-55-48 is the newer one. Both were run in safe mode with networking.

    I'm now going to run SAS in normal mode, and will post the log when it is complete.
  10. AsonJ27 Newcomer, in training Posts: 19

    Just curious skein, how long did each scan take?
  11. skein4 Newcomer, in training Posts: 39

    Mike- Attached is the SAS log run in normal mode, and the HJT log run after that. I'm going to run MBWM now in normal mode and will post presently.

    AsonJ- Each scan is taking around 15-30 minutes.
  12. mflynn Newcomer, in training Posts: 2,793

    Skein

    You are doing great!

    If the final runs do not get the below

    Code:
    C:\Documents and Settings\DELL\Local Settings\Temp\TDSSa8f6.tmp
    C:\Documents and Settings\DELL\Local Settings\Temp\TDSSa96e.tmp
    Then do this: in MWBAM click More Tools-Run Tool.

    Then copy paste the 2 lines in the box above one at a time to the file name box click open and follow prompts to delete.

    Mike
  13. AsonJ27 Newcomer, in training Posts: 19

    Have you regained control of your browser and virus protection yet?

    After my first MBAM scan it seems that things are back to normal. I'm still going to run all the scans I can in normal and safe modes to make sure I've gotten everything.
  14. skein4 Newcomer, in training Posts: 39

    Attached is the latest MBW log. Mike, I didn't see your last post till now, so will cut and paste, and then re-run.
  15. momok Newcomer, in training Posts: 2,272

    Nice progress!

    Please fix this in HJT.
    O3 - Toolbar: LikeVine - {1BB22D38-A411-4B13-A746-C2A4F4EC7344} - C:\Program Files\LikeVine\tbcore3u.dll (file missing)

    Meanwhile, are you now able to download and run Combofix?
  16. skein4 Newcomer, in training Posts: 39

    Mike- those C: files you listed were not found.

    Momok: I was able to download Combofix for the first time and was running it when the computer restarted. When it started up, AvirGuard caught a number of registry changes:

    google.com/ie
    microsoft.com/isapi/redir.dll?....a bunch more stuff
    microsoft.com/wlink/?linkID=....numbers
    microsoft.com/wlink/?linkID=...numbers
    microsoft.com/wlink/?linkID=....numbers
    ie.search.msn.com/{sub....
    autorun
    load
    scrnsave.exe

    Also, a red shield shows up in the tray and a window pops up saying "Your computer might not be safe/No Firewall turned on/Click this balloon to fix this problem". I did not click the balloon.

    Then Combofix completed its scan. I ran it again, and both logs are attached. 1 is the first one, 2 is the second one.

    Finally, a windows update downloaded and shows up on the restart/log off dialog box. I have been restarting without loading it. Should I load it?

    Also attached are HJT, MBW, and SAS logs. It seems like something is still there. I'm going to sleep now but will check back first thing in the morning EST. Thanks,

    Also, here is one more AV Scan log before I call it a night.

  17. mflynn Newcomer, in training Posts: 2,793

    Hi

    Do this and run SAS again.

    Before clicking Scan

    Click the Preferences button.

    Then Scanning Control.

    In Scanner Options make sure the following are checked:
    1. Close browsers before scanning
    2. Scan for tracking cookies
    3. Terminate memory threats before quarantining.
    4. Leave the others as they are.


    These are all OK, allow them
    Code:
    google.com/ie
    microsoft.com/isapi/redir.dll?....a bunch more stuff
    microsoft.com/wlink/?linkID=....numbers
    microsoft.com/wlink/?linkID=...numbers
    microsoft.com/wlink/?linkID=....numbers
    ie.search.msn.com/{sub....
    autorun
    load
    scrnsave.exe
    
    Click the Red Shield and re-enable the Windows Firewall
    or let me know if it will not start.

    Mike
  18. skein4 Newcomer, in training Posts: 39

    Mike-

    I turned on the firewall. Incidentally, I had those SAS instructions followed from a previous posting by you, so all the recent SAS logs I posted should have those preferences intact.

    I went fully through the 8 steps and the logs are attached.

    The computer keeps trying to restart. A dialog box from Windows Automatic Updates pops up saying it has downloaded updates and will restart in 5 minutes, then begins counting down.

    Last- should I allow the computer to install updates on shutdown?

    I'm off to work now, but will check for responses later today. Thanks,
  19. mflynn Newcomer, in training Posts: 2,793

    Hello Skein

    Good job. I think we are almost there!

    Use HJT Scan only, select for removal (will this one not go? I and others have recommended removal earlier)
    O3 - Toolbar: LikeVine - {1BB22D38-A411-4B13-A746-C2A4F4EC7344} - C:\Program Files\LikeVine\tbcore3u.dll (file missing)

    Yes shutdown and let it install updates.

    ----------------------------------------------------------------------------------------------------------------------------------

    D/L, install and run ATF-Cleaner; clear all except passwords in all browsers you have. Run repeatedly until no more found.

    http://www.majorgeeks.com/ATF_Cleaner_d4949.html
    ----------------------------------------------------------------------------------------------------------------------------------

    After the above

    Run SpyBot and do the Immunize (run scan also if you want)!

    then

    D/L http://www.javacoolsoftware.com/spywareblaster.html
    install, run, update, enable all protections
    ----------------------------------------------------------------------------------------------------------------------------------
    After all the above recheck with SAS to ensure those tracking cookies are gone
    ----------------------------------------------------------------------------------------------------------------------------------

    If you still have Windows update issues let me know and we will fix that.

    Mike
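Both momok and Mike single out the same HijackThis O3 line for removal because its toolbar DLL is marked "(file missing)": an orphaned registry entry is harmless on its own but shows what the infection installed. The script below is an added example, not part of this thread and not HijackThis's own code, that parses HJT-style O2/O3/O4 lines and flags the patterns a helper looks for when triaging such a log: entries whose file is gone, entries with no name, and startup entries that run from a Temp folder (the TDSSxxxx.tmp files Mike listed live there). The O3 line in the sample is the one quoted in the thread; the other sample lines and the `Updater` names are constructed for the example, and the assumed line format is "Oxx - Kind: details".

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample log: the O3 line is the one quoted in the thread, the
# remaining lines (and the "Updater" names) are made up to exercise the parser.
SAMPLE_LOG = r"""Logfile of HijackThis
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000000} - (no file)
O3 - Toolbar: LikeVine - {1BB22D38-A411-4B13-A746-C2A4F4EC7344} - C:\Program Files\LikeVine\tbcore3u.dll (file missing)
O4 - HKLM\..\Run: [Updater] C:\Program Files\Example\updater.exe
O4 - HKCU\..\Run: [Updater] C:\Documents and Settings\DELL\Local Settings\Temp\TDSSa8f6.tmp
"""

# Assumed HJT line shape: "O3 - Toolbar: <details>"; the first ": " separates
# the kind from the details (drive letters are "C:\" so they are not split).
LINE_RE = re.compile(r"^(O\d+) - (.+?): (.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
MISSING_MARKERS = ("(file missing)", "(no file)")


@dataclass
class HjtEntry:
    section: str            # "O2", "O3", "O4", ...
    kind: str               # "BHO", "Toolbar", "HKLM\..\Run", ...
    name: str               # display name or Run value name
    clsid: Optional[str]    # COM class id for O2/O3 entries, if present
    path: str               # file the entry points at, as written in the log
    flags: List[str] = field(default_factory=list)


def assess(entry: HjtEntry) -> List[str]:
    """Return triage flags for one entry (detection heuristics, not a verdict)."""
    flags = []
    low = entry.path.lower()
    if any(marker in low for marker in MISSING_MARKERS):
        flags.append("file-missing")     # orphaned entry, e.g. the LikeVine toolbar
    if entry.name.strip().lower() in ("", "(no name)"):
        flags.append("unnamed")          # legitimate add-ons normally carry a name
    if "\\temp\\" in low or low.endswith(".tmp"):
        flags.append("runs-from-temp")   # startup code living in a Temp folder
    return flags


def parse_line(line: str) -> Optional[HjtEntry]:
    """Parse one HJT-style line; returns None for headers and unknown lines."""
    match = LINE_RE.match(line.strip())
    if not match:
        return None
    section, kind, rest = match.groups()
    clsid_match = CLSID_RE.search(rest)
    clsid = clsid_match.group(0) if clsid_match else None
    name, path = "", rest
    if section in ("O2", "O3"):
        # Details are "Name - {CLSID} - path", so take the first and last pieces.
        parts = [p.strip() for p in rest.split(" - ")]
        name = parts[0]
        path = parts[-1] if len(parts) >= 3 else ""
    elif section == "O4":
        # Details are "[ValueName] command line".
        run_match = re.match(r"\[(.*?)\]\s*(.*)", rest)
        if run_match:
            name, path = run_match.groups()
    entry = HjtEntry(section, kind, name, clsid, path)
    entry.flags = assess(entry)
    return entry


def parse_log(text: str) -> List[HjtEntry]:
    return [e for e in (parse_line(l) for l in text.splitlines()) if e is not None]


def suspicious(entries: List[HjtEntry]) -> List[HjtEntry]:
    """Entries carrying at least one triage flag, in log order."""
    return [e for e in entries if e.flags]


if __name__ == "__main__":
    for e in suspicious(parse_log(SAMPLE_LOG)):
        print(f"{e.section} {e.kind}: {e.name!r} -> {e.path} [{', '.join(e.flags)}]")
```

Run against the sample, the O3 LikeVine line is reported as `file-missing` (which is exactly why the helpers say to let HJT remove it), the unnamed BHO with no file is flagged twice, the constructed Temp-folder Run entry is flagged `runs-from-temp`, and the ordinary Program Files Run entry is left alone. The flags are triage hints for a human reading the log, not an automatic removal list.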
  20. skein4 Newcomer, in training Posts: 39

    Ok, I'll do that all tonight after work in about 10 hours or so. Thanks,