Taken Over by Malware

[unc2002]

Operating system: Windows 7
Architecture: 64 bit
Antivirus software and on-demand scanners on this system : Norton
Date and how issue started: Downloaded a photo shop program. System started just freezing. Tried antispy programs and they just freeze.
Current issues and symptoms: Still just freezing. Currently in safe mode.
Steps taken in order to remove the infection: Today I have tried the 5 step process "Remove Windows Maintenance Guard virus (Uninstall Guide)".


I was on step 4 of your instructions running MalwareBytes and my computer froze just has its been doing on any spyware program I run. It had been running for 44 1/2 minutes scanned 201838 objects and had detected 1 bad object before it froze. The last object displayed was: \Windows\winsxs\amd64_microsoft-windows-systempropertiesremote_31bf3856ad364e35_6.1.7600.16385_none_f0ca3430257ea13f\Sys​temProperties.

Even though MalwareBytes stopped I ran HitmanPro and it got 1 hit which it removed. I then ran MalwareBytes again, this time it ran 44 minutes. It scanned 201901 objects 0 objects detected. This time it stopped at \Windows\winsxs\amd64_microsoft-windows-systemrestore-main_31bf3856ad364e35_6.1.7600.16385_none.azd4c18eccf004d0\rstrui.exe.
REQUESTED LOGS: OTL LOG
aswMBR LOG
Hope you have some ideas on what I can do. I have been trying for over a week to get my computer up with no luck.

Thanks in Advance

[unc2002]

Ok. I have found I have a Java/Agent.BV Trojan.

Can anyone help me now? Please.....

[Jack]

Hi and welcome to the MalwareTips.com forums!

I'm Jack and I am going to try to assist you with your problem. Please take note of the below:

• I will start working on your malware issues, this may or may not, solve other issues you have with your machine.
• The fixes are specific to your problem and should only be used for this issue on this machine!
• The process is not instant. Please continue to review my answers until I tell you your machine is clear. Absence of symptoms does not mean that everything is clear.
• If you don't know, stop and ask! Don't keep going on.
• Please reply to this thread. Do not start a new topic.
• Refrain from running self fixes as this will hinder the malware removal process.
• It may prove beneficial if you print of the following instructions or save them to notepad as I post them.

Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.


Before we start:
Please be aware that removing malware is a potentially hazardous undertaking. I will take care not to knowingly suggest courses of action that might damage your computer. However it is impossible for me to foresee all interactions that may happen between the software on your computer and those we'll use to clear you of infection, and I cannot guarantee the safety of your system. It is possible that we might encounter situations where the only recourse is to re-format and re-install your operating system, or to necessitate you taking your computer to a repair shop.

Because of this, I advise you to backup any personal files and folders before you start.

---

Please run the following utility so that I can get a log of your system...
STEP 1 : Run a scan with Combofix

Please read and follow very carefully the below instructions

 
Download ComboFix from one of the following locations: 

COMBOFIX DOWNLOAD LINK #1 (This link will automatically download Combofix on your computer)
COMBOFIX DOWNLOAD LINK #2  (This link will automatically download Combofix on your computer)
 
VERY IMPORTANT !!! Save ComboFix.exe to your Desktop  
 

• Close any open browsers.
• Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  -----------------------------------------------------------
  
  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection beforeperforming a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
    -----------------------------------------------------------
  • Close any open browsers.
  • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
  • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
  • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
  -----------------------------------------------------------

How to run the Combofix scan :

1. Double click on ComboFix.exe & follow the prompts.
2. Accept the disclaimer and allow to update if it asks
3. When finished, it shall produce a log for you. 
4. Please include the C:\ComboFix.txt in your next reply.
   

Notes:

1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.
3.  If after the reboot you get errors about programms being marked for deletion then reboot, that will cure it.

---

What's next?

Please post in your next reply:
1.Combofix log
2.Let me know if you had any problems with the above instructions and also let me know how things are running now!

[unc2002]

Thanks Jack. I really appreciate your help. Right off it has taken me awhile to get my documents and pictures backed up, but finally got that done. I have gotten combofix downloaded and ready to run. When I ran it, it came back and said Norton is running, but I can't find it. How can I find this and shut it down.

Thanks

[Jack]

Please skip this step for now,we will scan later with Combofix ..
Can you please perform the following scans:
VERY IMPORTANT! Please run only one scan at the time!DO NOT START ALL THE SCAN AT ONCE!
STEP 1: Run a scan with RogueKiller

1. Please download the latest official version of RogueKiller.
   ROGUEKILLER DOWNLOAD LINK (This link will automatically download RogueKiller on your computer)
2. Double click on RogueKiller.exe to start this utility and then wait for the Prescan to complete.This should take only a few seconds and then you can click the Scan button to perform a system scan.
   
3. After the scan has completed, press the Delete button to remove any malicious registry keys.
   
4. Next we will need to restore your shortcuts, so click on the ShortcutsFix button and allow the program to run.
   

The report has been created on the desktop.In your next reply please post:

All RKreport.txt text files located on your desktop.

---

STEP 2: Run a HitmanPro scan

1. Download the latest official version of HitmanPro.
   HITMANPRO DOWNLOAD LINK (This link will open a download page in a new window from where you can download HitmanPro)
2. Start HitmanPro  by double clicking on the previously downloaded file. and then following the prompts.
   
3. Once the scan is complete, a screen displaying all the malicious files that the program found will be shown as seen in the image below.After reviewing each malicious object click Next .
   
4. Click Activate free license to start the free 30 days trial and remove the malicious files.
   
5. HitmanPro will now start removing the infected objects, and in some instances, may suggest a reboot in order to completely remove the malware from your system. In this scenario, always confirm the reboot action to be on the safe side.
   

Add to your next reply, any log that HitmanPro might generate.

---

STEP 3: Run a scan with ESET Online Scanner

1. Download ESET Online Scanner utility.
   ESET Online Scanner Download Link (This link will automatically download ESET Online Scanner on your computer.)
2. Double click on the Eset installer program (esetsmartinstaller_enu.exe).
3. Check Yes, I accept the Terms of Use
4. Click the Start button.
5. Check Scan archives
6. Push the Start button.
7. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
8. When the scan completes, push List of found threats
9. Push Export to Text file  and save the file to your desktop using a unique name, such as ESET Scan. Include the contents of this report in your next reply.Note - when ESET doesn't find any threats, no report will be created.
10. Push the back button.
11. Push Finish

---

STEP 4: Repair Background Intelligent Transfer Service
1. Click START
2. Type “cmd” in the Search Box and then press Enter
3. Right-click “cmd.exe" and select “Run as administrator”
4. Click “Continue” on the “User Account Control” Window
5. In the command prompt type the following command
sc create BITS binpath= “c:\windows\system32\svchost.exe -k netsvcs” start= delayed-auto
6.Restart your computer and check if the problem is solved.

---

STEP 5: Run Temp File Cleaner by OldTimer

1. You can download the TFC utility from the below link
   TFC DOWNLOAD LINK (This link will automatically download Temp File Cleaner on your computer)
2. Please double-click TFC.exe to run it. (Note: If you are running on Vista or 7, right-click on the file and choose Run As Administrator).
3. It will close all programs when run, so make sure you have saved all your work before you begin.
4. Click the Start button to begin the process. Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two. Let it run uninterrupted to completion.
5. Once it's finished it should reboot your machine. If it does not, please manually reboot the machine yourself to ensure a complete clean.

---

STEP 6 : Run a scan with OTL by OldTimer:

1. Download the OTL utility using the below link :
   OTL DOWNLOAD LINK (This link will automatically download OTL on your computer)
2. Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
   
3. When the window appears, underneath Output at the top change it to Minimal Output.
4. Check the boxes beside LOP Check and Purity Check.
5. Click the Run Scan button.
   
6. When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
   Please post this 2 logs in your first reply..

Note: If OTL.exe will not run, it may be blocked by malware. Try these alternate versions: OTL.scr, or OTL.com.

---

What's next?

Attach the following logs to your post (You can find here details on how to use the Attachment System):

1.HitmanPro logs
2.RogueKiller logs
3.ESET log
4.OTL logs
5.Let me know if you had any problems with the above instructions and also let me know how things are running now!

[unc2002]

Evening Jack,

Finally got everything ran, but sorry to say it still runs a very short period of time and then freezes. I am attaching the different logs that you asked for. There were no logs from HitmanPro & ESET. Also I am attaching a txt document titled "Malware - Claro". I am wondering if this is the cause of all this madness.

Again thanks for all your help.

Serena

[unc2002]

Jack,

I had to finally uninstall Norton. It said it had an error and kept popping up trying to fix it, but it never could fix itself. I also uninstalled my Chrome browser just incase it was creating problems. Anyway after I did this I thought maybe now I can run the combofix, which I did. It ran up to the very last. It had the "Almost done...., Please wait...., ComboFix's log shall be located at c:\combofix.txt displayed when it hung up. I had to reboot the machine as it was froze. Once it rebooted though the log was there, so I am attaching it. I hope it sheds some insight into what is going on.

Thanks,
Serena

PS Computer is still freezing. About the only difference now is the mouse will move around (didn't before), but when you click on something it does nothing, so essentially it still does nothing.

[unc2002]

Fixed it myself