Author Topic: [Inactive] Lost all control over my laptop  (Read 1876 times)

Offline easy80

  • Bronze Member
  • Posts: 47
[Inactive] Lost all control over my laptop
« on: April 05, 2012, 09:03:32 PM »
Somehow I managed it again... I google an innocent search ("dictionary" this time!), click on an apparently not so innocent search result and some malware takes over my laptop.  Third time in 1.5 year....almost equally concerning is that the previous 2 times you guys helped me out I followed all final protection suggestions, but it looks like somehow those changes get disabled after a while! (or expired? or me just that dumb...)

Anyway, the symptoms after infection are typical: google searches are being redirected, computer slows down noticeably. In fact this time around my laptop has become useless: I can't even run any program at all anymore.... So can't run any scans... . Oh yeah and before it became useless I got all kinds of fake warnings about infections and fake scans showed all kinds of fake stuff I supposedly downloaded or accessed.

Hope somebody can help!

Thanks,
« Last Edit: April 05, 2012, 09:15:31 PM by Hoov »



Online Hoov

  • Malware Removal Mentors
  • Global Moderator
  • Diamond Member
  • Posts: 22636
  • Unwilling part owner of Gov't. Motors and Chrysler
    • Hoov's Personal Site
Re: [In Progress] Lost all control over my laptop
« Reply #1 on: April 05, 2012, 09:17:10 PM »
As you have been helped here before I will skip all the preliminaries.

Can you boot the computer to safe mode? Do you have access to another computer that is clean and has a CD burner and a broadband internet connection?

Consumer Security

If I am helping you and you don't hear from me for 24Hrs, send me a PM Please!

Offline easy80

« Reply #2 on: April 08, 2012, 09:16:50 PM »
Hi Hoov,

Thanks for helping out. Sorry for late reply, was out, I probably should have waited with posting.

Anyway: I tried it again, I can start up my laptop, but can't seem to connect to the internet...

I can go to safe mode, but for some reason I can't login, it doesn't recognize my regular login password (took case and everything into account; also double checked that the pw still works for regular login; only tried the simple "safe mode" option, not the one with "networking" etc)

Computer with CD burner: it'll be some hassle, but it can be done if necessary.

BTW, if it is any help, I kept getting an alert from Winpatrol, asking me about a change to a file called "HOSTS" located at c:\windows\system32\drivers\etc\hosts ..... so far I have neither rejected nor accepted this change.

Thank you!

Online Hoov

« Reply #3 on: April 08, 2012, 09:31:17 PM »
Hosts file is a file that helps protect your browser. Don't accept any change until we are sure you are clean.

Try following the instructions below and see if you can connect to the internet.

I need you to reboot Windows cleanly. To do that, please go to the Run command and type in msconfig. Once that starts, select Selective Startup, and then uncheck Load Startup Items. Now click on the Services tab, and down near the bottom of the window, check the box that says Hide All Microsoft Services. Now go up and uncheck all the services still listed; make sure you scroll down the list if needed to unselect all the non-Microsoft services. Now click Apply, then click OK and reboot the computer.

Let me know how that goes. If you still cannot connect to the internet, then you are going to have to download some programs and burn them to a CD or a thumbdrive and take it to the problem computer so you can run them there.



Offline easy80

« Reply #4 on: April 09, 2012, 09:31:18 PM »
Hi,

I did all the steps, but still no internet connection (which is kind of weird because that wasn't one of the original "side effects").

Thumb drive will be easier than CD burning.

Thanks again

Online Hoov

« Reply #5 on: April 09, 2012, 09:53:28 PM »
Do you have a router or modem between you and the internet?

Open a command prompt (all programs > Accessories > Command Prompt) and type in
Ipconfig /all > ipconfig.txt and then hit enter. Then type in ipconfig.txt to open notepad with the log. Copy it and paste it in to your next response.

Download the programs below and follow the instructions to run them. Hopefully by the time you get to Malwarebytes' Anti-Malware you will be able to connect to the internet again. If you can't then skip the update and just run the quick scan following the rest of the instructions.


Please read carefully and follow these steps.
  • Download TDSSKiller and save it to your Desktop.
  • Extract its contents to your desktop.
  • Once extracted, open the TDSSKiller folder and double-click on TDSSKiller.exe to run the application, then click on the change parameters option.
  • Once you are in there, check all four boxes and then click on the OK button.
  • Now click the Start Scan button.
  • This is what you will see during the scan,
  • and this is what you will see when the scan is done if any threats are found. Don't change any of the recommended actions. Click the continue button.
  • Once the fix is done you might see this,
  • or it may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2

MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e. Spybot's Teatimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.


    Offline easy80

    « Reply #6 on: April 10, 2012, 09:24:16 PM »
    Feedback on questions/instructions:

    * I connect to the internet through regular AT&T UVerse box, other laptops and iphones that get signal from it work fine, so must be my laptop...
    * Tried the command prompt thing, but it already has a default path in there ("my documents and settings" + my login profile) so if I type in what you instructed nothing happens, it just jumps to a next line, which looks like the original before typing anything.
    * Installed TDSSKiller and ran it, at first pasted report below, but when I tried it didn't let me because some warning page came up on how I did something prohibited and that I was requesting some kind of attack, does that ring any bells?? (btw the TDSSKiller result was a bunch of files I could skip and one that needed to be "cured")
    * Unfortunately still no working internet. At first it says that the wireless is perfectly connected, strong signal and all, but when I try to reconnect after disconnecting, I can't connect anymore.
    * I transferred over Malware bytes, but didn't run it because instructions said working internet connection required....

    Online Hoov

    « Reply #7 on: April 10, 2012, 09:36:08 PM »
    At the command prompt type in C: and then hit enter. Then you should be able to run ipconfig.

    About TDSSKiller, zip up the file and attach it. This is a security issue on our end. It is being worked on. In the future try posting the log, and if you get the same message, zip up the file and attach it.

    As for Malwarebytes' Anti-Malware,
    Download the programs below and follow the instructions to run them. Hopefully by the time you get to Malwarebytes' Anti-Malware you will be able to connect to the internet again. If you can't then skip the update and just run the quick scan following the rest of the instructions.




    Offline easy80

    « Reply #8 on: April 11, 2012, 10:02:32 PM »
    Hi Hoov,

    Oops, overlooked that part on MBAM :) , sorry.

    * I ran it now, log below.

    * Also attached TDSSKiller report in zip

    * About command prompt, still doesn't work, as soon as I hit enter the next line looks the same, never get a "clean" C:  line.... I can open the ipconfig.txt that way, but it just tells me that an internal error has occurred and that this request is not supported...

    Still puzzled why the internet doesn't work...that wasn't an original side effect of the malware...

    MBAM log:


    Malwarebytes Anti-Malware 1.61.0.1400
    www.malwarebytes.org

    Database version: v2012.04.04.08

    Windows XP Service Pack 3 x86 NTFS
    Internet Explorer 8.0.6001.18702
    u0042741 :: GLG6A05 [administrator]

    4/11/2012 10:49:44 PM
    mbam-log-2012-04-11 (22-49-44).txt

    Scan type: Quick scan
    Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
    Scan options disabled: P2P
    Objects scanned: 255556
    Time elapsed: 16 minute(s), 9 second(s)

    Memory Processes Detected: 0
    (No malicious items detected)

    Memory Modules Detected: 0
    (No malicious items detected)

    Registry Keys Detected: 0
    (No malicious items detected)

    Registry Values Detected: 2
    HKCU\Software\Microsoft\Windows\CurrentVersion|nah_options (Malware.Trace) -> Data: NEWOPTS -> Quarantined and deleted successfully.
    HKCU\Software\Microsoft\Windows\CurrentVersion|nah_id (Malware.Trace) -> Data: 4379470139 -> Quarantined and deleted successfully.

    Registry Data Items Detected: 0
    (No malicious items detected)

    Folders Detected: 0
    (No malicious items detected)

    Files Detected: 2
    C:\WINDOWS\temp\jyhgje.exe (Trojan.Clicker) -> Quarantined and deleted successfully.
    C:\WINDOWS\temp\fka0.19159964340989477.exe (Exploit.Drop.7) -> Quarantined and deleted successfully.

    (end)


    Thanks!

    Online Hoov

    « Reply #9 on: April 12, 2012, 09:25:14 PM »
    With the command prompt try this, cd c:\ then hit enter. If it is still not on C: type in C:\ and hit enter.

    From your Malwarebytes' Anti-Malware and TDSSKiller log, it looks like you had more than a few rootkits and several Trojans. How is your computer working now? Browser redirects?


    Offline easy80

    « Reply #10 on: April 12, 2012, 09:38:18 PM »

    The laptop itself seems to be fine, can open things without everything freezing up, but can't connect to the net... The wireless connection itself is OK...Almost makes me think that some kind of setting got disturbed...like something simple that I don't have an idea about.

    About the command prompt, that indeed did the trick to get to a "clean" C: line, but when I pull up the ipconfig.txt it says the same as before: "an internal error occurred. the request is not supported" and "additional information: unable to query host name"

    Online Hoov

    « Reply #11 on: April 12, 2012, 11:26:13 PM »
    Click Start, click Run, type: cmd, and press Enter.
    Type: netsh winsock reset, and then press the ENTER key.
    Type: Exit and press ENTER.
    Restart the computer.


    Open a command prompt (all programs > Accessories > Command Prompt) and type in Ipconfig /all  and then hit enter. Let me know if you get a response. Also test your internet connection and let me know how it goes.


    Offline easy80

    « Reply #12 on: April 13, 2012, 09:17:45 AM »
    Hi,
    Followed all instructions, but still no internet connection (even though it shows I am connected to my wireless network).
    Ipconfig: same message about internal error - request not supported...

    Online Hoov

    « Reply #13 on: April 13, 2012, 10:33:13 AM »
    I need you to reboot Windows cleanly. To do that, please go to the Run command and type in msconfig. Once that starts, select Selective Startup, and then uncheck Load Startup Items. Now click on the Services tab, and down near the bottom of the window, check the box that says Hide All Microsoft Services. Now go up and uncheck all the services still listed; make sure you scroll down the list if needed to unselect all the non-Microsoft services. Now click Apply, then click OK and reboot the computer.

    Now try running ipconfig again. Once you have run it, run msconfig and select Normal Startup, then click Apply, then OK, and reboot.

    Let me know how that went.


    Offline easy80

    « Reply #14 on: April 14, 2012, 07:24:01 PM »
    I did all the steps, but no difference, still no internet (btw, in all the previous steps I was still in "selective startup" from when you first instructed me to do so).

    I keep getting the Winpatrol message about how I can accept or reject a change to the "hosts" file in c:\windows\system32\drivers\etc\hosts, it seems this file is IP related, is that where the problem sits?

    Thanks!
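
Added example (not part of the thread, and not code from any poster): a small Python audit of a hosts file, the kind of file WinPatrol is alerting on above. It separates entries that sinkhole a name to loopback or 0.0.0.0, as protective blocklists do, from entries that send a name to another machine, which is how a modified hosts file can cause browser redirects. The sample file contents, hostnames and addresses are constructed.

```python
import ipaddress

# Constructed sample. On the Windows system in the thread the real file is
# c:\windows\system32\drivers\etc\hosts; read it and pass its text instead.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       ads.tracker.example      # blocklist-style entry
0.0.0.0         popups.example
203.0.113.45    www.search.example search.example   # constructed redirect
not-an-ip       broken.example
"""

# Names that are expected to resolve to loopback on a default install.
DEFAULT_NAMES = {"localhost"}


def audit_hosts(text):
    """Return (line_no, verdict, address, hostname) for each non-default mapping."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        entry = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not entry:
            continue
        fields = entry.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            # First field is not an address: the line needs a manual look.
            findings.append((line_no, "malformed", fields[0], " ".join(fields[1:])))
            continue
        for name in fields[1:]:
            name = name.lower()
            if name in DEFAULT_NAMES and ip.is_loopback:
                continue  # the stock "localhost" mapping
            # Loopback or 0.0.0.0 sinkholes the name (it is blocked);
            # any other address sends the name to a different machine.
            sinkholed = ip.is_loopback or ip.is_unspecified
            verdict = "block" if sinkholed else "redirect"
            findings.append((line_no, verdict, str(ip), name))
    return findings


def redirects(text):
    """Entries worth reviewing first: redirects and unparseable lines."""
    return [f for f in audit_hosts(text) if f[1] in ("redirect", "malformed")]


if __name__ == "__main__":
    for line_no, verdict, ip, name in audit_hosts(SAMPLE_HOSTS):
        print(f"line {line_no}: {verdict:9} {name} -> {ip}")
```

Comparing the "redirect" entries against a known-good copy of the file shows whether a pending change adds blocklist entries or repoints names you actually visit.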