Solved Have a virus, tried to follow 8 step thread, help appreciated

Status
Not open for further replies.

nick16p
I have contracted some sort of virus. My netbook will function normally for a time and then the bottom of the desktop (where program windows are, start, etc.) will change color and the internet will no longer work. I had AVG and Spybot and once this virus took hold, I could no longer update them. I used to have random porn sites pop up but I seemed to have fixed that. I also used to get error messages: "Generic Host Process for Win32 Services encountered a problem", etc. but that also no longer happens.

Other symptoms include: the resolution of my screen changes every time I restart my computer (might just be a quirk that has to do with something else). I also can't go to the Windows Update website that is in the 8-step thread on this website and I can't update Java (also recommended by that thread) even after I've downloaded the updater...it just won't work.

I've uninstalled Spybot and AVG and since installed SAS, TFC, GMER, and DDS and tried to follow the steps. As per the thread, I've attached all the necessary logs.

Please let me know if I did anything wrong or am missing any information. I appreciate any and all help.
 

Attachments

  • GMER log.log (6.8 KB)
  • DDS.txt (15.2 KB)
  • mbam-log-2010-06-22 (22-36-561).txt (895 bytes)
Forgot to mention...my PC will freeze and Mozilla crashes much more often. Whenever anything out of the way happens, though, I restart my computer and it will work fine upon restarting.

However, it will always go back to acting strangely, seemingly without a trigger (other than being on for a seemingly random length of time)

Again, any and all help is appreciated.
 
Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
  1. Please, never rename Combofix unless instructed.
  2. Close any open browsers.
  3. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
    NOTE 1. If Combofix asks you to install Recovery Console, please allow it.
    NOTE 2. If Combofix asks you to update the program, always do so.
    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
  4. Double click on combofix.exe & follow the prompts.
  5. When finished, it will produce a report for you.
  6. Please post the "C:\ComboFix.txt"
**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

Make sure, you re-enable your security programs, when you're done with Combofix.

DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
 
Thanks! Few quick questions before I do this next step. How do I disable script-blocking? I'm not even sure I know what that is.

Also, should I be doing this in safe mode? I haven't been running anything in Safe mode to this point....I'm not even sure how to get into it.
 
You run Combofix in normal mode.

As for script blocking programs...do you use Spybot, or Windows Defender?
If you do...

Disable TeaTimer, as it'll interfere with the cleaning process:
Right click Spybot's TeaTimer System Tray Icon.
Click Exit Spybot-S&D Resident.
TeaTimer closes.
NOTE. If on re-boot, Spybot inquires about registry change(s), allow it.

Alternatively, I suggest, you uninstall Spybot since it's a tool of the past.

=======================================================

Disable Windows Defender, as it'll interfere with cleaning process:
- Open Windows Defender by clicking the Start, clicking All Programs, and then clicking Windows Defender.
- Click Tools
then...

++ Windows XP:
- Click General Settings
- Scroll down to Real Time Protection Options
- Uncheck Turn on Real Time Protection
- After you uncheck this, click on the Save button
- Close Windows Defender

++ Windows Vista:
- Click Options
- Under Administrator options, clear the Use Windows Defender check box, and then click Save.

Enable Windows Defender, when all cleaning is done.
 
Combofix seemed to work Ok until it got to the scan. Partway through, it said it detected rootkit activity and needed to restart my computer. Upon the subsequent startup, I got a blue error screen and needed to restart again (should've copied down the exact error...wasn't thinking at the time). Anyway, the next restart was OK, other than a message that said

"To help protect your computer, Windows has closed this program:

'Generic Host Process for Win32 Services'"

After running Combofix again, I received the attached log.

BTW, I've tried running the updater on my Avira AntiVir and it always said an error occurred during the download.
 

Attachments

  • combofixlog.txt (15.8 KB)
Download TDSSKiller and save it to your Desktop.
Extract its contents to your desktop and make sure TDSSKiller.exe (the contents of the zipped file) is on the Desktop itself, not within a folder on the desktop.
Go to Start > Run (Or you can hold down your Windows key and press R) and copy and paste the following into the text field. (make sure you include the quote marks) Then press OK.

"%userprofile%\Desktop\TDSSKiller.exe" -l C:\TDSSKiller.txt -v

If it says "Hidden service detected" DO NOT type anything in. Just press Enter on your keyboard to not do anything to the file.
When it is done, a log file should be created on your C: drive called TDSSKiller.txt please copy and paste the contents of that file here.
 
Delete your GMER file, download a fresh one and give me a new log, please.

========================================================================================

1. Please open Notepad
  • Click Start , then Run
  • Type notepad.exe in the Run Box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

Code:
File::
c:\documents and settings\All Users\Application Data\avg9\update\backup\avgmfx86.sys
c:\documents and settings\All Users\Application Data\avg9\update\backup\avgtdix.sys
c:\windows\Cyikah.bin
c:\windows\Mkunuwamoheyev.dat
c:\windows\ALCMTR.EXE


Folder::
c:\documents and settings\All Users\Application Data\avg9
c:\documents and settings\Nicholas Planty\Local Settings\Application Data\mhgmclq

DDS::
uInternet Settings,ProxyServer = http=127.0.0.1:1035


3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

[Animation: CFScript.txt being dragged onto ComboFix.exe]

5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
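The DDS line the helper has ComboFix remove, uInternet Settings,ProxyServer = http=127.0.0.1:1035, is worth understanding rather than just deleting: a WinINet proxy pointing at 127.0.0.1 routes every browser request through a process running on the machine itself, which fits the symptom of update and antivirus sites suddenly being unreachable. The script below is an added example, not code from the thread or from DDS/ComboFix. It parses DDS-style "Internet Settings" lines (the sample report is constructed; only the first line mirrors the one quoted above) and flags any proxy entry that resolves to loopback. The mapping of the DDS prefixes u and m to HKCU and HKLM is the usual DDS convention and is assumed here. A loopback proxy is a lead, not proof: some legitimate local web filters also install one, so confirm which process is listening on the port before treating it as malware.

```python
"""Flag proxy settings that point at the local machine in a DDS-style report.

Added example for this thread; not part of DDS, ComboFix, or the original posts.
"""
import ipaddress
import re

# Constructed sample in the style of the DDS "Internet Settings" entries.
# The first line copies the entry quoted in the thread; the rest are made up.
SAMPLE_REPORT = """\
uInternet Settings,ProxyServer = http=127.0.0.1:1035
uInternet Settings,ProxyOverride = <local>
mInternet Settings,ProxyServer = proxy.corp.example:8080
uInternet Settings,ProxyServer = http=proxy.corp.example:8080;https=127.0.0.1:8080
uStart Page = hxxp://www.google.com/
"""

# 'u' = per-user (HKCU) and 'm' = machine (HKLM) is the assumed DDS convention.
PROXY_RE = re.compile(r"^([um])Internet Settings,ProxyServer\s*=\s*(.+?)\s*$")


def parse_proxy_value(value):
    """Split a WinINet ProxyServer value into (scheme, host, port) tuples.

    The registry value is either 'host:port' (used for every protocol) or a
    ';'-separated list of 'scheme=host:port' entries.  A missing scheme is
    reported as '*'; IPv6 literals have their surrounding brackets removed.
    """
    entries = []
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        scheme, sep, hostport = part.partition("=")
        if not sep:
            scheme, hostport = "*", part
        host, _, port = hostport.rpartition(":")
        if not host:  # no port given at all
            host, port = hostport, ""
        entries.append((scheme.lower(), host.strip("[]"), port))
    return entries


def is_local_proxy(host):
    """True if the proxy host is this machine (loopback address or 'localhost')."""
    if host.lower() == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False  # a hostname, not an IP literal


def find_local_proxies(report_text):
    """Return [(hive, scheme, host, port)] for each proxy entry aimed at loopback."""
    hits = []
    for line in report_text.splitlines():
        m = PROXY_RE.match(line)
        if not m:
            continue
        hive, value = m.groups()
        for scheme, host, port in parse_proxy_value(value):
            if is_local_proxy(host):
                hits.append(("HKCU" if hive == "u" else "HKLM", scheme, host, port))
    return hits


if __name__ == "__main__":
    for hive, scheme, host, port in find_local_proxies(SAMPLE_REPORT):
        print(f"{hive}: {scheme} traffic proxied via {host}:{port} (check what listens there)")
```

On the sample, only the two HKCU entries that name 127.0.0.1 are reported; the corporate proxy on a real hostname is left alone. On a live machine the same values live under HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings, and the next step would be to match the reported port against the process bound to it.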
 
Here is the log of the new GMER scan. I'm about to do the other step you posted.
 

Attachments

  • gmer2log.log (5.6 KB)
Followed the ComboFix step...now it's just saying

"Preparing Log Report. Do not run any programs until ComboFix has finished."

My computer isn't frozen (I can move the mouse around) but nothing is in the background. The ComboFix window is the only thing on the desktop (no icons, start, taskbar, etc.)

It's been like this for 4+ hours....is that normal?
 
It worked OK the next time I tried it. Just wondering...do you think there's hope that I will be able to fix what's wrong with my computer? Thanks again for all the time you've taken to help me out...I appreciate it.
 

Attachments

  • combofixlogjune29.txt (24.3 KB)
Good :)

How is your computer doing at the moment?

Uninstall Combofix:
Go Start > Run [Vista users, go Start>"Start search"]
Type in:
Combofix /Uninstall
Note the space between the "Combofix" and the "/Uninstall"
Click OK (Vista users - press Enter).
Restart computer.

======================================================================

Download OTL to your Desktop.

* Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
* Under the Custom Scan box paste this in:



netsvcs
drivers32 /all
%SYSTEMDRIVE%\*.*
%systemroot%\system32\Spool\prtprocs\w32x86\*.dll
%systemroot%\*. /mp /s
CREATERESTOREPOINT
%systemroot%\system32\*.dll /lockedfiles
%systemroot%\Tasks\*.job /lockedfiles
%systemroot%\System32\config\*.sav
%systemroot%\system32\user32.dll /md5
%systemroot%\system32\ws2_32.dll /md5
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU



* Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open two notepad windows: OTL.txt and Extras.txt. These are saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them back here.
 
You never answered my question:
How is your computer doing at the moment?


Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    Code:
    :OTL
    O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab (Reg Error: Key error.)
    O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab (Reg Error: Key error.)
    
    
    :Services
    
    :Reg
    
    :Files
    
    :Commands
    [purity]
    [emptytemp]
    [emptyflash]
    [resethosts]
    [Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • You will get a log that shows the results of the fix. Please post it.
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
 
My computer seems to be quite normal again. I am finally able to access the Windows Update webpage, which before was blocked. I was also able to update Avira Antivir (I couldn't before) as well as Java and Adobe Reader.

Some questions:

1. What programs can I get rid of and which should I keep? Through my college, I can get Symantec Endpoint Security antivirus for free but it says to remove all other antivirus programs. Is it best to keep Avira or go ahead and get the Symantec?

2. Also, is there anything specifically I can do to prevent this from happening in the future? Any suggested programs/processes?

3. Should I create a System Restore point?

4. Lastly, my screen resolution always changes when I restart my computer (never did this before this episode) I have my netbook hooked up to an external monitor. It may be totally unrelated to the fiasco with the virus but I was wondering how I could get it to stay at the resolution I set after I restart my computer.


I truly appreciate all of your help...this forum and your work has been amazing!
 

Attachments

  • OTL2.txt (6.6 KB)
  • OTL3.Txt (61.9 KB)
We're not totally done yet, but I'm glad to hear good news :)

As for your questions...
1. I don't like Norton at all. I suggest you keep Avira.
2. I'll give some suggestions at the end of this thread.
3. We'll get there.
4. Let's make sure your computer is clean first. Regarding the resolution issue, you will most likely have to start a new topic at the Windows forum.

Now...

Download Temp File Cleaner (TFC)
Double click on TFC.exe to run the program.
Click on Start button to begin cleaning process.
TFC will close all running programs, and it may ask you to restart computer.

========================================================

Disable your antivirus program.
Go to Kaspersky website and perform an online antivirus scan.

1. Read through the requirements and privacy statement and click on Accept button.
2. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
3. When the downloads have finished, click on Settings.
4. Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:

  • Spyware, Adware, Dialers, and other potentially dangerous programs
  • Archives
  • Mail databases
5. Click on My Computer under Scan.
6. Once the scan is complete, it will display the results. Click on View Scan Report.
7. You will see a list of infected items there. Click on Save Report As....
8. Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button. Then post it here.
 
Here's the results. I noticed my CTRL+ALT+DEL still isn't working properly. It will only let me see what applications are running...I can't switch to see processes or anything else because there are no tabs at the top.
 

Attachments

  • kaspersky scan.txt (827 bytes)
Good :)

OTL Clean-Up
Clean up with OTL:

* Double-click OTL.exe to start the program.
* Close all other programs apart from OTL as this step will require a reboot
* On the OTL main screen, press the CLEANUP button
* Say Yes to the prompt and then allow the program to reboot your computer.

If you still have any tools or logs leftover on your computer you can go ahead and delete those off of your computer now.

======================================================================

Your computer is clean

1. We need to reset system restore to prevent your computer from being accidentally reinfected by using some old restore point(s). We'll create fresh, clean restore point.

Turn off System Restore:

- Windows XP:
1. Click Start.
2. Right-click the My Computer icon, and then click Properties.
3. Click the System Restore tab.
4. Check "Turn off System Restore".
5. Click Apply.
6. When turning off System Restore, the existing restore points will be deleted. Click Yes to do this.
7. Click OK.
- Windows Vista and 7:
1. Click Start.
2. Right-click the Computer icon, and then click Properties.
3. Click on System Protection under the Tasks column on the left side
4. Click on Continue on the "User Account Control" window that pops up
5. Under the System Protection tab, find Available Disks
6. Uncheck the box for any drive you wish to disable system restore on (in most cases, drive "C:")
7. When turning off System Restore, the existing restore points will be deleted. Click "Turn System Restore Off" on the popup window to do this.
8. Click OK

2. Restart computer.

3. Turn System Restore on.

4. Make sure, Windows Updates are current.

5. If any Trojan was listed among your infection(s), make sure, you change all of your on-line important passwords (bank account(s), secured web sites, etc.) immediately!

6. Download, and install WOT (Web OF Trust): http://www.mywot.com/. It'll warn you (in most cases) about dangerous web sites.

7. Run defrag at your convenience.

8. Read How did I get infected?, With steps so it does not happen again!: http://www.bleepingcomputer.com/forums/topic2520.html

9. Please, let me know, how is your computer doing.
 
My computer seems to be running fine, except for that annoying CTRL+ALT+DEL glitch (still no tabs, can only see programs running), the fact that my resolution always reverts back to the maximum when I restart my computer, and I think my "start" tab is different from before...I no longer see my name and the picture I selected for my Windows User profile.

But these are minor issues I will look into. I cannot thank you enough for all of your help in restoring my computer to good working order.
 
I'm glad to hear good news :)

As for no tabs in Task Manager, double click on empty border space and tabs should be back:

[Image: Task Manager with its tabs hidden; double-click the empty border to restore them]


Since your computer is clean, I suggest, you start new topic at Windows forum, regarding those two other issues.

Good luck and stay safe :)
 