persistent malware, antivirus/antimalware tools don't work, internet doesn't work, multiple iexplore popups, won't run hijackthis nor let me rename it

I'm having difficulty figuring out this persistent malware. I think it's likely that there are multiple issues.

I'm running Windows Vista.

The malware started off with "Google redirect" symptoms and disabling my Symantec software.

Shortly following, I could no longer access the web. However, the malware itself would create an Internet Explorer popup every 5-10 minutes (not my default browser) that would go to "search sites" (none that I recognized...) and search for lewd topics. Running the Task Manager would show multiple instances of iexplore.exe running on my machine (one for each popup). The popups would have to be eliminated one by one using the Task Manager.

Trying to run a system restore, I discovered all restore points had been deleted.

I installed AVG antivirus and got it to run once, which seemed to help the problem. However, upon restart, all issues were back and I could no longer run AVG. Windows Defender constantly pops up that a new trojan is attacking my machine.

At this point, I unplugged my internet connection and started using another machine. I had left my problematic computer alone for about a month.

Upon turning it on last night, each time I logged on, it gave me a warning that "Windows has encountered a critical error and will restart in one minute" and would restart. I tried running cmd (in that one minute) to intercept it, but the Task Manager would freeze if I tried to run it from there, and Explorer would freeze if I tried to run it from there. I also discovered my Guest account is not working.

I restarted in Safe Mode, ran msconfig and disabled all non-Microsoft services. Upon restarting my computer, I found I could successfully log on (although the Guest account is still not working).

At this point I figured I ought to post a HijackThis log to a forum.

My computer would not let me install using HJTinstall.exe, so I renamed it to HJTinstall.scr. After installation, HijackThis ran for about 1 second and closed abruptly. My machine will not run HijackThis, nor will it let me rename it. If I try to run it, it says that it cannot access the file, device or path and perhaps I don't have permission, and if I try to rename it, it says that I need permission to do so and asks if I'd like to try again. Right-clicking does absolutely nothing. This is all the same in Safe Mode, although right-clicking in Safe Mode will at least bring up the options.

I'm out of ideas. Any help would be greatly appreciated.


Vista users:

1. These tools MUST be run from the executable (.exe).

2. With Admin Rights (right-click, choose "Run as Administrator") every time you run them.

1) exeHelper

Please download exeHelper to your desktop.

Double-click on exeHelper.com to run the fix.

A black window should pop up, press any key to close once the fix is completed.

Post the contents of log.txt (it will be created in the directory where you ran exeHelper.com).

Note: If the window shows a message that says "Error deleting file", please re-run the program before posting a log, and post the two logs together (they will both be in the one file).


I cannot get this to download onto my desktop. It will complete the download and then... nothing. It's not on my desktop or anywhere else on my computer. I tried renaming it, which doesn't help.

I also tried to get it onto my system by using a USB key first and then transferring it over... it says I do not have permission to do this.


No, that didn't help. Still won't give me "permission" if I try to transfer it from a USB; still saying it's finished downloading, without actually being anywhere on my system. In fact, after I download it, in the Firefox "Downloads" window, if I right-click it, "Open" and "Open Containing Folder" are unavailable options (light grey). If I try in iexplore, it just doesn't show up wherever I download it to.


Let's see if we can get the PC back on the internet.

1. Click on Start button.

2. Type cmd in the Start Search text box.

3. Press the Ctrl-Shift-Enter keyboard shortcut to run Command Prompt as Administrator. Allow the elevation request.

4. Type netsh winsock reset in the Command Prompt shell, and then press the Enter key.

Restart the computer.
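The reason `netsh winsock reset` can restore connectivity is that it rebuilds the Winsock catalog, the list of provider DLLs every socket call passes through; if a third-party or malicious layered provider in that list is broken or removed, nothing on the machine can reach the network. Before resetting, a defender can look at what is actually registered. The following PowerShell script is an added example, not something posted in this thread: it parses the output of `netsh winsock show catalog` and flags any provider whose DLL lives outside the Windows directory. The field labels it matches ("Description:" and "Provider Path:") are assumed from netsh's usual layout; adjust the patterns if your build prints them differently.

```powershell
# Added example (not from the thread): inventory Winsock catalog providers and
# flag any whose DLL is not under %SystemRoot%. Read-only; it changes nothing.
# Assumption: netsh prints one "Description:" and one "Provider Path:" line per entry.

$catalog = netsh winsock show catalog
$entries = @()
$current = $null

foreach ($line in $catalog) {
    if ($line -match '^\s*Description:\s*(.+?)\s*$') {
        # A new catalog entry starts with its description.
        $current = [pscustomobject]@{ Description = $Matches[1]; ProviderPath = '' }
        $entries += $current
    }
    elseif ($line -match '^\s*Provider Path:\s*(.+?)\s*$' -and $current) {
        $current.ProviderPath = $Matches[1]
    }
}

$systemRoot = [Environment]::ExpandEnvironmentVariables('%SystemRoot%')

foreach ($e in $entries) {
    # Provider paths are usually written with %SystemRoot%; expand before comparing.
    $expanded  = [Environment]::ExpandEnvironmentVariables($e.ProviderPath)
    $inWindows = $expanded.StartsWith($systemRoot, [StringComparison]::OrdinalIgnoreCase)
    $flag      = if ($inWindows) { 'ok   ' } else { 'CHECK' }
    '{0} {1,-40} {2}' -f $flag, $e.Description, $expanded
}

'{0} provider entries listed; CHECK marks DLLs outside {1}' -f $entries.Count, $systemRoot
```

Run it from an elevated PowerShell prompt. A legitimate machine normally shows only Microsoft providers under `%SystemRoot%\system32`; a `CHECK` line tells you which DLL to investigate (and, if it no longer exists on disk, why sockets were failing) before you run the reset.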


Okay, I'm back on the internet, and my computer isn't doing the weird popup thing anymore.

iexplore only works for a short time before crashing.

Firefox seems stable, but I still can't get the exeHelper onto my desktop, and I'm being redirected from sites like Malwarebytes when I click on links from Google.


Let's see if we can get an online scan done.

Pay a visit to the Kaspersky Online Scanner 7. IE is preferred for this scan.

  • Read the Information panel and then click Accept.
  • Allow the ActiveX download if necessary.
  • Both the anti-virus engine and database will need to be downloaded, which may take a little time.
  • Once this has been completed, select My Computer from the Scan section on the left hand side.
  • Put the kettle on!
  • Although it is recommended by Kaspersky that you should disable your anti-virus scanner before starting this scan, it should work OK with it still active; it does on my PC. Although you may find the scan speed increases if you carry out this step, I never like to disable my resident scanner while online, so I don't.
  • When the scan has completed, click View scan report at the bottom.
  • Click Save Report As...
  • Enter a name for the file in the Filename: text box, then click the down arrow to the right of Save as type: and select text file (*.txt).
  • Click Save and pick a location for the file; the Desktop is always handy.

Copy and paste the report into your next reply.

Note for Internet Explorer 7 users: If at any time you have trouble with the Accept button of the licence, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the licence is accepted, reset it to 100%.


Bah! Doesn't work...

It installs the program, and while updating, it says: "Update has failed. Program has failed to start. Close the Kaspersky Online Scanner 7.0 window and open it again to install the program. You must be online to update the Kaspersky Online Scanner 7 database. With the latest database updates, you can find new viruses and other threats. Please go online to use Kaspersky Online Scanner 7. [ERROR: Key is expired]"


Let's try this.

Download Combofix from any of the links below but rename it to ABCD.exe before saving it to your desktop.

* IMPORTANT !!! Save ComboFix.exe to your Desktop

Link 1

Link 2

Double-click on ABCD.exe (the renamed ComboFix.exe) and follow the prompts.

  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt so we can continue cleaning the system.


Will that erase my machine's current memory?

Also, while playing around a bit, I realised HijackThis won't work because whatever is on my computer is changing the permissions for the file. I changed the permissions manually and it ran for all of 4 seconds before closing. The malware reversed my manual change... does this help anything? Do you still have the same recommendation?
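The behaviour described in this post, a tool's permissions being rewritten moments after you fix them, is worth capturing as evidence rather than just observing in the Security tab. The following PowerShell script is an added example, not part of the thread: it takes a baseline of a file's owner and ACL (as an SDDL string), then polls and logs every change with a timestamp and the deny entries that appeared. The default path is an assumption; point `-Path` at whatever file is being tampered with.

```powershell
# Added example (not from the thread): watch a file's ACL and report every change.
# Assumed default path; override with -Path. Read-only: it never modifies the ACL.
param(
    [string]$Path = "$env:USERPROFILE\Desktop\HijackThis.exe",
    [int]$IntervalSeconds = 2,
    [int]$Checks = 60
)

function Get-AclSnapshot {
    param([string]$FilePath)
    $acl = Get-Acl -LiteralPath $FilePath
    [pscustomobject]@{
        Owner = $acl.Owner
        Sddl  = $acl.Sddl          # one string that encodes the whole DACL; easy to compare
        Deny  = @($acl.Access |
                  Where-Object { $_.AccessControlType -eq 'Deny' } |
                  ForEach-Object { "$($_.IdentityReference):$($_.FileSystemRights)" })
    }
}

if (-not (Test-Path -LiteralPath $Path)) { throw "File not found: $Path" }

$baseline = Get-AclSnapshot $Path
"[$(Get-Date -Format o)] baseline for $Path"
"  owner:     $($baseline.Owner)"
"  deny ACEs: $(if ($baseline.Deny) { $baseline.Deny -join ', ' } else { '(none)' })"

for ($i = 0; $i -lt $Checks; $i++) {
    Start-Sleep -Seconds $IntervalSeconds
    if (-not (Test-Path -LiteralPath $Path)) {
        "[$(Get-Date -Format o)] file disappeared: $Path"
        break
    }
    $now = Get-AclSnapshot $Path
    if ($now.Sddl -ne $baseline.Sddl) {
        "[$(Get-Date -Format o)] ACL CHANGED on $Path"
        "  owner:     $($baseline.Owner) -> $($now.Owner)"
        "  deny ACEs: $(if ($now.Deny) { $now.Deny -join ', ' } else { '(none)' })"
        "  new SDDL:  $($now.Sddl)"
        $baseline = $now   # keep reporting further changes, not the same one repeatedly
    }
}
```

Run it elevated in one window while you repair the permissions in another; the time between your fix and the logged change tells you whether a resident process is reacting to the file (seconds) or a scheduled or logon-time action is doing it (minutes or at boot), which narrows where to look with the tools the helper has asked for.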
