Suspect malware, but can’t find it.

johnnyb58

Member
I tried Malwarebytes and it said it stopped something, but to be honest I really don’t trust it and actually I think it may have added something.

I’m using Bitdefender Total Security and I’ve heard that it was good, but there is something wrong. Last week it went berserk and I had to reinstall it.

Anyway, my computer is taking a really long time booting up since Bitdefender first messed up and I had to restore to a previous date. Also, Firefox and MS Word are really slow loading up, plus videos running in Firefox seem to be crashing all the time as well.

Anyone have any ideas, or point me toward something I could use to clear it up?
 
Start by doing the following and we will go from there.

1.

Please download AdwCleaner by Xplode onto your Desktop.

•Please close all open programs and internet browsers.
•Double click on adwcleaner.exe to run the tool.
•Click on Scan.
•After the scan you will need to click on clean for it to delete the adware.
•Your computer will be rebooted automatically. A text file will open after the restart.
•Please post the content of that logfile in your reply.
•You can find the logfile at C:\AdwCleaner[Sn].txt as well - n is the order number.

2.

Please download Junkware Removal Tool to your desktop.

•Shutdown your antivirus to avoid any conflicts.
•Very important that you run the tool in this manner:
Right-mouse click JRT.exe and select Run as administrator
Do NOT just double-click it.
•The tool will open and start scanning your system.
•Please be patient as this can take a while to complete.
•On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
•Post the contents of JRT.txt in your next message.

3.

Please download Malwarebytes' Anti-Malware and save it to your desktop.
  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to
    • Update Malwarebytes' Anti-Malware
    • and Launch Malwarebytes' Anti-Malware
  • then click Finish.
  • If an update is found, it will download and install the latest version. Please keep updating until it says you have the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • A log will be saved automatically which you can access by clicking on the Logs tab within Malwarebytes' Anti-Malware

If for some reason Malwarebytes will not install or run please download and run Rkill.scr, Rkill.exe, or Rkill.com. If you are still having issues running rkill then try downloading these renamed versions of the same program.

EXPLORER.EXE
IEXPLORE.EXE
USERINIT.EXE
WINLOGON.EXE

But DO NOT reboot the system and then try installing or running Malwarebytes. If Rkill (which is a black box) appears and then disappears right away or you get a message saying Rkill is infected, keep trying to run Rkill until it overpowers the infection and temporarily kills it. Once a log appears on the screen, you can try running Malwarebytes or downloading other programs.

Please post the log that Malwarebytes displays on your screen.

4.

Download OTL to your Desktop

•Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
•Click on Minimal Output at the top
•Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
◦When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL. Just post the OTL.txt file in your reply.

So in your original thread asking for help, please give us a short description of what the problem is and then post the logs from the following 4 programs.

1. Adwcleaner
2. Junkware removal tool
3. Malwarebytes
4. OTL
 
Wow John, that’s going to take some doing.
I may have to wait till this weekend when I have more time, but first I have to muster up some bravery, because it’s a little scary to download and install so many programs that I know nothing about.
I'm thinking maybe I should also remove all my stuff off the computer first in case I may need to replace the hard drive afterward. :rolleyes:
 
If you believe the hard drive is failing then yes, back up any important data first. Those programs aren't hard at all, pretty simple to download and run and post the logs. Does the hard drive activity light stay lit up all the time? If so, it's possible you have a rootkit. Please run this program first to make sure no rootkits are active.

Please download and run TDSSkiller

When the program opens, click on the start scan button.

[screenshot: TDSSKiller window with the Start scan button]


TDSSKiller will now scan your computer for the TDSS infection. When the scan has finished it will display a result screen stating whether or not the infection was found on your computer. If it was found it will display a screen similar to the one below.

[screenshot: TDSSKiller result screen showing an infection found]


To remove the infections simply click on the Continue button and TDSSKiller will attempt to clean them or remove them.

After trying to clean them it will pop up with the results of the scan and its actions.

[screenshot: TDSSKiller results after cleaning]


Please reboot the system if asked to do so.

After running, there will be a log located at the root of your C:\ drive labeled TDSSKiller with a series of numbers after it, for example C:\TDSSKiller.2.4.7_23.07.2010_15.31.43_log.txt

Please open the log and copy and paste it back here.
 
The drive is always running and sometimes I pull the internet cable off just in case something’s being uploaded, because it doesn’t want to shut down. I have also pulled the power plug a few times.

I think the hard drive is fine, but I was thinking more if I can’t clean it of malware I’d just start all over again with a new HD like I’ve done 10 times before. I have a boxful of hard drives contaminated with virus and malware that I couldn’t get rid of. Most of the drives are obsolete now and I keep them because I’m not sure if I want to try and retrieve some of my old files someday.
 
Wow. Sounds like you need to change your internet habits. Your traditional antivirus program won't catch most of today's malware. Usually other programs are required such as the ones I've already mentioned and others. If we can determine what you are infected with, I should be able to tell you what you are doing wrong so you can start saving yourself some headaches.
 
Well, it’s all really been from downloading free programs, which I don’t do anymore, and that’s why I’m so hesitant in downloading these programs you have listed. It just scares me to death. The worst of it was from when my kids were teens and downloaded music.
 
OK I just ran TDSSKiller and it did not find anything.
I have to go to work now, but I'll give the others a try when I get home.
 
I ran adwcleaner.exe and cleaned it to delete the adware.
it deleted

•Please post the content of that logfile in your reply.

It Deleted : C:\ProgramData\Babylon
Folder Deleted : C:\Windows\system32\AI_RecycleBin
Folder Deleted : C:\Users\Owner\AppData\Roaming\Babylon
File Deleted : C:\ProgramData\Microsoft\Windows\Start Menu\Programs\eBay.lnk
File Deleted : C:\Program Files\Mozilla Firefox\user.js

plus some Registry keys, but I'm a little nervous about posting the entire contents because it looks like there is some personal information about my computer.

What information do you actually need? I would rather not disclose all the users.
 
Just edit out the user names if you feel it's necessary, but I need to see the whole log. Also run Junkware and the other programs as well.
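A small helper for the redaction the reply above asks for: it finds the Windows account name in an AdwCleaner or JRT report, replaces it with a placeholder so the rest of the log can be posted whole, and counts the actions taken. This is an added Python example, not a tool from the thread; the sample lines are constructed from the reports posted here.

```python
import re
from collections import Counter

# Constructed sample lines modelled on the AdwCleaner and JRT reports in this thread.
SAMPLE_LOG = """\
# Username : Owner -
# Running from : C:\\Users\\Owner\\Downloads\\AdwCleaner.exe
Folder Deleted : C:\\ProgramData\\Babylon
Folder Deleted : C:\\Users\\Owner\\AppData\\Roaming\\Babylon
File Deleted : C:\\Program Files\\Mozilla Firefox\\user.js
Key Deleted : HKLM\\Software\\InstallIQ
Value Deleted : HKCU\\Software\\Microsoft\\Internet Explorer\\URLSearchHooks [{D3D233D5-9F6D-436C-B6C7-E63F77503B30}]
Ran by Owner on Sat 04/19/2014 at 14:58:42.51
Successfully deleted: [Folder] "C:\\Users\\Owner\\Local Settings\\Application Data\\browse~2"
"""

# Built-in profile names that are not personal and need no redaction.
GENERIC_PROFILES = {"Public", "Default", "All Users", "Default User"}

# Places where the two tools print the Windows account name.
NAME_PATTERNS = [
    re.compile(r"[A-Za-z]:\\Users\\([^\\\r\n\"]+)"),   # C:\Users\<name>\...
    re.compile(r"^# Username\s*:\s*(\S+)", re.M),       # AdwCleaner header
    re.compile(r"^Ran by (\S+) on ", re.M),             # JRT header
]

# Action prefixes used by AdwCleaner and JRT for the changes they make.
ACTION_RE = re.compile(
    r"^(Folder Deleted|File Deleted|Key Deleted|Value Deleted|Line Deleted|"
    r"Setting Restored|Successfully deleted|Successfully repaired)\s*:", re.M)


def find_usernames(log: str) -> set:
    """Collect account names that appear in profile paths or tool headers."""
    names = set()
    for pat in NAME_PATTERNS:
        names.update(m.group(1) for m in pat.finditer(log))
    return names - GENERIC_PROFILES


def redact(log: str, names=None, placeholder: str = "[user]") -> str:
    """Replace each account name with a placeholder; paths and registry keys stay intact."""
    names = find_usernames(log) if names is None else set(names)
    for name in sorted(names, key=len, reverse=True):  # longest first avoids partial hits
        log = re.sub(r"\b" + re.escape(name) + r"\b", placeholder, log)
    return log


def summarize(log: str) -> dict:
    """Count what the tool changed, by action type, for a one-line description."""
    return dict(Counter(m.group(1) for m in ACTION_RE.finditer(log)))


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
    print(redact(SAMPLE_LOG))
```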
 
AdwCleaner[S0].txt

# AdwCleaner v3.024 - Report created 19/04/2014 at 14:35:10
# Updated 18/04/2014 by Xplode
# Operating System : Windows Vista (TM) Home Premium Service Pack 2 (32 bits)
# Username : Owner -
# Running from : C:\Users\Owner\Downloads\AdwCleaner.exe
# Option : Clean

***** [ Services ] *****


***** [ Files / Folders ] *****

Folder Deleted : C:\ProgramData\Babylon
Folder Deleted : C:\Windows\system32\AI_RecycleBin
Folder Deleted : C:\Users\Owner\AppData\Roaming\Babylon
File Deleted : C:\ProgramData\Microsoft\Windows\Start Menu\Programs\eBay.lnk
File Deleted : C:\Program Files\Mozilla Firefox\user.js

***** [ Shortcuts ] *****


***** [ Registry ] *****

Key Deleted : HKLM\SOFTWARE\Classes\AppID\BHO.DLL
Key Deleted : HKLM\SOFTWARE\Classes\Prod.cap
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{BDB69379-802F-4EAF-B541-F8DE92DD98DB}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{058F0E48-61CA-4964-9FBA-1978A1BB060D}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{18F33C35-8EF2-40D7-8BA4-932B0121B472}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{7E84186E-B5DE-4226-8A66-6E49C6B511B4}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{FE9271F2-6EFD-44B0-A826-84C829536E93}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{D3D233D5-9F6D-436C-B6C7-E63F77503B30}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{D7E97865-918F-41E4-9CD0-25AB1C574CE8}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{D3D233D5-9F6D-436C-B6C7-E63F77503B30}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{DF7770F7-832F-4BDF-B144-100EDDD0C3AE}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{C04B7D22-5AEC-4561-8F49-27F6269208F6}
Value Deleted : HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks [{D3D233D5-9F6D-436C-B6C7-E63F77503B30}]
Key Deleted : HKLM\Software\InstallIQ
Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\0FF2AEFF45EEA0A48A4B33C1973B6094
Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\305B09CE8C53A214DB58887F62F25536

***** [ Browsers ] *****

-\\ Internet Explorer v9.0.8112.16545

Setting Restored : HKCU\Software\Microsoft\Internet Explorer\Main [Start Page]

-\\ Mozilla Firefox v28.0 (en-US)

[ File : C:\Users\Owner\AppData\Roaming\Mozilla\Firefox\Profiles\c65b1168.default\prefs.js ]


[ File : C:\Users\------\AppData\Roaming\Mozilla\Firefox\Profiles\5l8z5lt7.default\prefs.js ]


[ File : C:\Users\------\AppData\Roaming\Mozilla\Firefox\Profiles\98eejtyd.default\prefs.js ]

Line Deleted : user_pref("extentions.y2layers.installId", "9d828845-f0c9-4e23-9f8f-81fa958fb455");

[ File : C:\Users\--------------\AppData\Roaming\Mozilla\Firefox\Profiles\osjwjjk0.default\prefs.js ]


*************************

AdwCleaner[R0].txt - [3736 octets] - [19/04/2014 14:33:46]
AdwCleaner[S0].txt - [3677 octets] - [19/04/2014 14:35:10]

########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt - [3737 octets] ##########
 
JRT.txt

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 6.1.4 (04.06.2014:1)
OS: Windows Vista (TM) Home Premium x86
Ran by Owner on Sat 04/19/2014 at 14:58:42.51
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~




~~~ Services



~~~ Registry Values

Successfully repaired: [Registry Value] HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\\Start Page
Successfully repaired: [Registry Value] HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\\Default_Page_URL



~~~ Registry Keys

Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{41FD672A-0F19-488F-8CD0-35AA18969CF6}



~~~ Files



~~~ Folders

Successfully deleted: [Folder] "C:\Users\Owner\Local Settings\Application Data\browse~2"



~~~ FireFox

Successfully deleted: [File] C:\user.js
Emptied folder: C:\Users\Owner\AppData\Roaming\mozilla\firefox\profiles\c65b1168.default\minidumps [298 files]



~~~ Event Viewer Logs were cleared





~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Sat 04/19/2014 at 15:10:37.79
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
Malwarebytes.txt

It’s probably too late, but I’m just not comfortable with my computer info posted to the world.
 
Still waiting for the OTL log, but after rereading the thread I want you to go ahead and do 2 more things. You said you've been downloading free programs. I'm concerned that these free programs have taken over your computer. Please do the following.

1.

Download and Run ComboFix
If you already have Combofix, please delete this copy and download it again as it's being updated regularly.
  • Download this file here :

    Combofix

  • When the page loads click on the blue combofix download link next to the BleepingComputer Mirror.
  • Save the file to your windows desktop. The combofix icon will look like this when it has downloaded to your desktop.

    [image: the ComboFix desktop icon]
  • We are almost ready to start ComboFix, but before we do so, we need to take some preventative measures so that there are no conflicts with other programs when running ComboFix. At this point you should do the following:

  • Close all open Windows including this one.
  • Close or disable all running Antivirus, Antispyware, and Firewall programs as they may interfere with the proper running of ComboFix. Instructions on disabling these types of programs can be found here.
    Once these two steps have been completed, double-click on the ComboFix icon found on your desktop. Please note, that once you start ComboFix you should not click anywhere on the ComboFix window as it can cause the program to stall. In fact, when ComboFix is running, do not touch your computer at all. The scan could take a while, so please be patient.
  • Please click on I agree on the disclaimer window.
  • ComboFix will now install itself on to your computer. When it is done, a blue screen will appear as shown below.

    [screenshot: ComboFix blue "preparing to run" screen]

  • ComboFix is now preparing to run. When it has finished ComboFix will automatically attempt to create a System Restore point so that if any problems occur while using the program you can restore back to your previous configuration. When ComboFix has finished creating the restore point, it will then backup your Windows Registry as shown in the image below.

    [screenshot: ComboFix backing up the Windows Registry]

  • Once the Windows Registry has finished being backed up, ComboFix will attempt to detect if you have the Windows Recovery Console installed. If you already have it installed, you can skip to this section and continue reading. Otherwise you will see the following message as shown below:

    [screenshot: ComboFix prompt to install the Windows Recovery Console]

  • At the above message box, please click on the Yes button in order for ComboFix to continue. Please follow the steps and instructions given by ComboFix in order to finish the installation of the Recovery Console.
  • Please click on yes in the next window to continue scanning for malware.
  • ComboFix will now disconnect your computer from the Internet, so do not be surprised or concerned if you receive any warnings stating that you are no longer on the Internet. When ComboFix has finished it will automatically restore your Internet connection.
  • ComboFix will now start scanning your computer for known infections. This procedure can take some time, so please be patient.
  • While the program is scanning your computer, it will change your clock format, so do not be concerned when you see this happen. When ComboFix is finished it will restore your clock settings to their previous settings. You will also see the text in the ComboFix window being updated as it goes through the various stages of its scan. An example of this can be seen below.

    [screenshot: ComboFix scan stages with the changed clock format]

  • When ComboFix has finished running, you will see a screen stating that it is preparing the log report.
  • This can take a while, so please be patient. If you see your Windows desktop disappear, do not worry. This is normal and ComboFix will restore your desktop before it is finished. Eventually you will see a new screen that states the program is almost finished and telling you the programs log file, or report, will be located at C:\ComboFix.txt.
  • When ComboFix has finished, it will automatically close the program and change your clock back to its original format. It will then display the log file automatically for you.
  • Now you just click on the edit menu and click on select all, then click on the edit menu again and click on copy. Then come to the forum in your reply and right click on your mouse and click on paste.

If for some reason you try to run a program or open a file and you get an error message saying "illegal operation attempted on a registry key that has been marked for deletion", please just reboot your PC and you'll be fine.


2.

After ComboFix has run and produced a log, please navigate to c:\Qoobox. In that folder will be a file named add-remove programs.txt. Open that file and copy and paste the contents back here.

Please post both the ComboFix log and the add-remove programs log.
 
OTL.Txt I guess I missed one.

It’s probably too late, but I’m just not comfortable with my computer info posted to world
 
Just run it without disabling it.

After running combofix and getting both logs, do the following.

I need you to open OTL again and copy and paste the following into the custom scans/fixes box at the bottom.

Code:
:OTL
IE - HKLM\..\SearchScopes\{96DCF532-06B1-4F77-A7EC-F13F62AF7F32}: "URL" = http://www.ask.com/web?q={searchterms}&l=dis&o=ushpd
IE - HKCU\..\SearchScopes\{96DCF532-06B1-4F77-A7EC-F13F62AF7F32}: "URL" = http://www.ask.com/web?q={searchterms}&l=dis&o=ushpd
O2 - BHO: (TmBpIeBHO Class) - {BBACBAFD-FA5E-4079-8B33-00EB9F13D4AC} - Reg Error: Value error. File not found
O2 - BHO: (no name) - MRI_DISABLED - No CLSID value found.
O3 - HKLM\..\Toolbar: (Snagit) - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\Snagit 10\SnagitIEAddin.dll (TechSmith Corporation)
O4 - HKLM..\Run: [HP Health Check Scheduler] [ProgramFilesFolder]Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe File not found
O18 - Protocol\Handler\tmbp {1A77E7DC-C9A0-4110-8A37-2F36BAE71ECF} - Reg Error: Value error. File not found
@Alternate Data Stream - 64 bytes -> C:\Users\Owner\Documents\Garden.MOD:TOC.WMV
@Alternate Data Stream - 64 bytes -> C:\Users\Owner\Desktop\ Breakin 1-8-15.avi:TOC.WMV

Then click on the run fix button.
 
ComboFix froze up the computer while deleting something in winsys32. I finally had to pull the plug after 8 hrs of nothing. I’m a little disappointed and I’m not sure I trust these downloads anymore.

Anyway, it’s 2:30 in the morning, I’m tired and need time to think. I don’t know how much damage there is, but it looks like I may have to at least reinstall Bitdefender again because it’s missing some stuff and has a huge warning about some issues that need fixing.

Well I’m going to bed.
 
Try running ComboFix in safe mode and see if it completes. Actually, if you are having issues with Windows then I would just reinstall Windows from scratch. Save any data you need before doing so.

As I said, anything I have you download won't harm your computer. These programs are used every day to clean thousands of computers. You can also download and install Revo Uninstaller, which will get rid of Bitdefender, and then you can download and install another program such as Avast. Here is the download for Revo Uninstaller.

http://www.revouninstaller.com/

The program will try using Bitdefender's uninstall program to get rid of it, but then will scan your system for leftover files to completely remove it. Make sure you click on the delete files box before clicking on Finish when it finds leftover registry entries and leftover system files/folders.
 