Can't get PC fully clean, browser malware remains

Status
Not open for further replies.

Jenovation

Yesterday I opened up a faulty .exe which unleashed a mayhem of malware on my computer.
I immediately came to an ActiveX video download, and a whole bunch of other trash appeared. Upon restarting, my PC wouldn't even run without getting a blue screen of death during the boot. Fortunately I got past that and Malwarebytes was able to remove 20 infections.
(nearly got a heart attack)

Now my computer works fine, but it's still not 100% clean. Running a scan with both Malwarebytes and SpywareDoctor results in 0 infections.
But I'm sure it's not fixed. First off I kept getting an error upon startup about a file xccdf16_090131a.dll.
However after I manually deleted a rundll32.exe in Windows\System32\inf (where it shouldn't be I think) that error stopped.

However my computer is still running a tiny bit slower and some processes, such as (you've guessed it) rundll32.exe in my task manager
seem somehow suspicious... (although I can only find the file now in the system32 folder)

The worst and most unpleasant thing is that my browser (mozilla) sometimes redirects me to a fake porntube website immediately asking me to download a 'video object' which is just more malicious trash... ("best.tube.download.org" and a bunch of stuff after that, I'm not going to post an unsafe link)
So I need to end Firefox with the taskmanager... it's very annoying, unsafe and I'd like my pc to be clean again.

These popups are also trying to stop me from downloading software which could help me. It started appearing much more
trying to download HijackThis.... Which I haven't been able to download since my Mozilla download log is showing downloads of .exe files
are being blocked by trendsecure.com. I'm going to get it off my other PC now and I'll post a log when I get it installed.

I really really hope you guys can help me, usually the few times I get viruses I can fix it myself with doing some forum searching,
but now it's beyond me how to fix this......

Thank you for your time and effort in advance
 
I've already uninstalled Spyware Doctor, I don't have anything else on it except Malwarebytes.
(Is spywaredoctor unsafe?)

The problem why I can't follow all the steps is because I cannot download any .exe files.
I believe it's being blocked by the virus.

I'm gonna see if I can get it off my other PC now.
 
Try Safe Mode with Networking. Also read below

The disclaimer and rules below only apply to the Virus & Malware removal forum.

Because of the complexity and variety of issues posted by users, we have found the necessity of creating a guide. Read: "8-step Viruses/Spyware/Malware Preliminary Removal Instructions".

2) We request ALL members that want Virus/Malware help to follow these simple steps which will ease the transition from coming to help to actually receiving it.


The logs are paramount before attempting support
 
Alright, will get back to you asap with the three logs.

Ok apparently SuperAntiSpyware found some stuff, here are the logs.
 

Attachments

  • hijackthis.log
  • mbam-log-2009-02-15 (14-07-54).txt
Hmm, I can't read that language
But you do need an Antivirus (ie as per guide)

Install Avira free AntiVirus
And run a full scan
 
Are you talking about Malwarebytes, should I reinstall in English?

Currently doing the Avira scan, I'll post what it comes up with...
 
No you don't need to change your language for me ;) :D

But, I'm getting a bit slower at the moment, I might need to sign off for a while (presently supporting about 4 members' threads)
 
I ran Avira, it found a bunch of other stuff, I'll attach the log (it seems full English ^_^ )

I'll use my computer a while now, see if the problems are fixed.

And also, thank you for taking the time, I really appreciate how you help all us people,
it must be a fulltime job!
 
Thanks :grinthumb

Download Combofix
Lots of info on its use here
Direct download here

Locate the downloaded Combofix. Double click on it to run, answering any prompts along the way
Note: during Combofix scan (lasting up to 10mins) your Desktop and clock may reset (all normal)
ComboFix will also restart your computer (eventually) and then (eventually) create a log

Save this log file to be attached to a new reply
Restart back to Normal mode, and attach the Combofix log
 
Good :grinthumb

Run the Norton Removal tool (I saw some instances of horrible Norton on your computer)

Uninstall SuperAntispyware

Clear system restore points

  • Clear your existing system restore points and establish a new clean restore point:
    • Go to Start > All Programs > Accessories > System Tools > System Restore
    • Select Create a restore point, and Ok it.
    • Next, go to Start > Run and type in cleanmgr
    • Select the More options tab
    • Choose the option to clean up system restore and OK it.
    This will remove all restore points except the new one you just created.

Restart.

How's it all going now? Good? Bad? OK?
 
Am running Norton remove now.

SuperAntispyware is removed.

Made a restore point,
however when typing cleanmgr I have no 'more option' tab,
it just asks me to pick a drive (C: or D:)
 
Oh, I had already run CCleaner, I do it after almost every action.

Ok so now when I startup there is a Windows version pick that appeared, is this normal? (One said Recovery something, it went away too fast to read)

After running the Norton tool there is also now a red shield in the taskbar annoying me about windows security. (because I disable Firewall and Automatic updates)

I have noticed the Firefox downloads are working again!!!

That's definitely a good sign, now to see if those malicious popups have stopped too...



EDIT: actually it seems a lot of standard services have been re-enabled that I turned off a long time ago to get better performance
 
Well enable Windows firewall on your Network connection
But you can turn off "Security Center" (ie Disable) from going to Start->Run-> services.msc if you like

Oh I forgot about that :(

Yes I run these tools too
And yes :( I then must set up Services again)..... Sorry
 
Oh please don't apologize, you have already helped me so much and I'm very grateful, disabling some stupid services is the least of my worries.

I'm going to see if I still get the popups, but so far it seems great.
Thank you so much! :)
 
The shocking part, to some, is when they click on the Windows Start button, and see Internet Explorer up the top! You know it's very hard to explain in words, how to put Firefox back there. But I still do it anyway.

By the way if you used this before: http://www.mvps.org/winhelp2002/hosts.htm
Guess what? Hosts file is reset too :(
I'd say even if you never used that before, you need to download it
That'll help :grinthumb
 
actually explorer is not there with me.
But I did disable it completely in the program access. Internet Explorer's no good for me to be used.......EVER.

I have installed the Host files.
And I really think my pc is clean now, I haven't gotten the popups anymore and downloading files seems to work perfect again.

There is still a rundll32.exe running in my processes, (which I was suspicious about at first)
but if you can tell me it's safe I'd consider
the problem solved.

thank you :)
 
Oh those rundll32.exe entries, removable from running a HJT scan, are just your system icons (like Video settings etc) located near your system clock (bottom right hand side) That's all ;)
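
An added example, not part of the original thread: one way to check the running rundll32.exe instances discussed above is to list each one with its image path, signature status and command line, since rundll32.exe is only a host and the command line names the DLL it was asked to load. The expected paths assume a default Windows install and PowerShell 3.0 or later; the function name is hypothetical.

```powershell
# Added example (not from the thread). Assumes PowerShell 3.0+ on a default
# Windows install; run elevated so paths of other users' processes are readable.
$expected = @(
    (Join-Path $env:SystemRoot 'System32\rundll32.exe'),
    (Join-Path $env:SystemRoot 'SysWOW64\rundll32.exe')
)

function Get-Rundll32Verdict {
    param([string]$Path)
    # Without elevation, ExecutablePath can be empty for other users' processes.
    if ([string]::IsNullOrEmpty($Path)) { return 'Path unreadable (re-run elevated)' }
    # -notcontains compares strings case-insensitively, which suits Windows paths.
    if ($expected -notcontains $Path)   { return 'UNEXPECTED LOCATION' }
    # A Status other than Valid is a reason to look closer, not proof of tampering.
    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($sig.Status -ne 'Valid') { return "Expected location, signature $($sig.Status)" }
    return 'Expected location, signature valid'
}

# One record per running rundll32.exe; CommandLine shows the DLL and entry point.
Get-CimInstance -ClassName Win32_Process -Filter "Name = 'rundll32.exe'" |
    ForEach-Object {
        [pscustomobject]@{
            ProcessId   = $_.ProcessId
            ParentId    = $_.ParentProcessId
            Path        = $_.ExecutablePath
            Verdict     = Get-Rundll32Verdict -Path $_.ExecutablePath
            CommandLine = $_.CommandLine
        }
    } | Format-List
```

A copy running from a directory such as Windows\System32\inf, as described in the first post, would be reported as UNEXPECTED LOCATION.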
 
I think some pages are still being redirected :(
Clicking your link to Avira on this thread is redirecting me to Clube Zero9, some Spanish advertisement stuff.

Still something there......
 
Having the same problem. For me the virus is only activated in Firefox, not Internet Explorer. Tried every scan I can think of, but no one seems to find the virus. I don't want some relative clicking a link and get directed to best-tube-download.org.
 
actually following the steps has fixed that fake porntube popup for me.
but perhaps you should make your own thread so they can help you on your own system
 
ok here are the logs



EDIT: previous redirects are now working again! yay! thanks!!! :)
it might be over after all, if I notice something else I will post it here (if not closed by then)
(and unless you notice something in the logs)
 