Graalians forums - Technology - Need help with Virus
https://www.graalians.com/forums/showthread.php?t=9265

Skill 08-08-2012 07:30 PM

Quote:

Posted by fp4 (Post 176563)
Hello actual computer technician here, who deals with this kind of thing regularly (this is my secret formula):

1. Download and run TDSSKiller:
http://support.kaspersky.com/downloa...tdsskiller.exe

Before running it click Advanced Options, and check the 'Check for TLDFS Filesystem' checkbox.

2. Download and run a Malwarebytes Anti-Malware Quick Scan (Looks like you've already done this):
http://ninite.com/malwarebytes/

3. If the Virus still persists I recommend that you run ComboFix:
http://www.bleepingcomputer.com/download/combofix/

When downloading ComboFix, click Save and give the file a name like REDDRAGONS (this tends to be enough to fool viruses looking for anti-virus tools).

If it still persists after all that, try running them all while in Safe Mode, if still then we'll have to do a more in-depth check.


Ran it and it found something called akamai, so I quarantined it.

Talon 08-08-2012 07:39 PM

Quote:

Posted by Rexx (Post 176628)
Delete the system32 folder, that should solve your problems.

Technically it would solve the problem...

Skill 08-08-2012 08:11 PM

@fp4 did the step 3 combo fix thing, now whenever I try to open any program I get the error "Illegal operation attempted on a registry key that has been marked for deletion"... How do I fix this?
oh btw I was wrong when I thought the virus was gone
think I might try a system restore

ok system restore seems to have fixed the problem with programs not working.

not sure if virus is gone...

ran TDSSKiller and it's back -_-

fp4 08-08-2012 08:33 PM

Run ComboFix one more time, the virus likely hijacked the registry key that's accessed when you open programs.

Skill 08-08-2012 08:38 PM

since I just did a system restore would I have to run it twice?
should I set up another system restore point?

I have a weird feeling combofix had an error messing with the registry...


I would think the system restore would have brought back the virus.
What stops it from screwing my registry again?

fp4 08-08-2012 08:57 PM

System Restore just restores your registry, not files. If the virus made registry keys and it was in your registry, it is likely a harmless key pointing to a non-existent virus file.

Skill 08-08-2012 09:14 PM

seems like ComboFix is stuck at preparing the log report and it's telling me not to open any programs until it's done.

edit: oh ran it again, same registry error... guess I gotta do the system restore again...

fp4 08-08-2012 09:46 PM

Well if it happens when it's doing the log report then it's not a big deal. Sounds like your virus is gone though.

The Doctor 08-08-2012 09:49 PM

Quote:

Posted by Rexx (Post 176628)
Delete the system32 folder, that should solve your problems.

Nah. Delete that whole darn Windows folder.

Skill 08-08-2012 10:09 PM

Quote:

Posted by fp4 (Post 176713)
Well if it happens when it's doing the log report then it's not a big deal. Sounds like your virus is gone though.

Nope, I'm still redirecting to a bunch of stupid sites :/

fp4 08-08-2012 10:12 PM

Quote:

Posted by Skill (Post 176727)
Nope, I'm still redirecting to a bunch of stupid sites :/

Open a cmd prompt and do these commands:

diskpart
list disk
select disk 0
list partition

Take a screenshot and show me the partitions it lists.

Example: http://i.imgur.com/NqE8k.jpg

Skill 08-08-2012 10:19 PM

1 Attachment(s)
here.

fp4 08-08-2012 10:57 PM

Run the command:

ipconfig /all > connection_info.txt

Then go into your user folder, and paste the contents of connection_info.txt on here.

Skill 08-08-2012 11:10 PM

1 Attachment(s)
Quote:

Posted by fp4 (Post 176743)
Run the command:

ipconfig /all > connection_info.txt

Then go into your user folder, and paste the contents of connection_info.txt on here.

did this and nothing happened
did it without the connectioninfo part and got this:

wait my bad misread


Code:

Windows IP Configuration

   Host Name . . . . . . . . . . . . : HomeUser-PC
   Primary Dns Suffix  . . . . . . . : 
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . : 
   Description . . . . . . . . . . . : Realtek PCIe GBE Family Controller
   Physical Address. . . . . . . . . : 20-CF-30-F0-E9-DE
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::788b:6d0b:42d1:ed40%10(Preferred)
   IPv4 Address. . . . . . . . . . . : 192.168.0.50(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.0.1
   DHCPv6 IAID . . . . . . . . . . . : 237031216
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-14-BA-53-75-20-CF-30-F0-E9-DE
   DNS Servers . . . . . . . . . . . : 192.168.0.1
   NetBIOS over Tcpip. . . . . . . . : Enabled

Tunnel adapter isatap.{75E551A9-C9B6-48C5-AC82-9EFECB1E6BE2}:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : 
   Description . . . . . . . . . . . : Microsoft ISATAP Adapter
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes

Tunnel adapter Teredo Tunneling Pseudo-Interface:

   Connection-specific DNS Suffix  . : 
   Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   IPv6 Address. . . . . . . . . . . : 2001:0:9d38:953c:2469:1c03:3f57:ffcd(Preferred)
   Link-local IPv6 Address . . . . . : fe80::2469:1c03:3f57:ffcd%11(Preferred)
   Default Gateway . . . . . . . . . : ::
   NetBIOS over Tcpip. . . . . . . . : Disabled


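The check fp4 is making with that output (whether the machine's resolver settings still point at the home router, since browser redirects are a classic sign of a hijacked DNS setting), written out as a script. This is an added example, not code from the thread or its posters: it parses `ipconfig /all` text and flags any IPv4 DNS server that is not on the adapter's own subnet. The first sample is abridged from the posted output; the second is a constructed variant using a documentation address.

```python
import ipaddress
import re
# Constructed sample, abridged from the "ipconfig /all" output posted in the thread.
POSTED = """\
Ethernet adapter Local Area Connection:
   IPv4 Address. . . . . . . . . . . : 192.168.0.50(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   DNS Servers . . . . . . . . . . . : 192.168.0.1
"""
# Constructed variant: a second resolver outside the LAN (203.0.113.53 is a documentation address).
HIJACKED = POSTED + " " * 39 + "203.0.113.53\n"
# One ipconfig field: indented name, dot leaders, colon, value.
FIELD = re.compile(r"^\s+(\S.*?)\s*(?:\.\s*)+:\s?(.*)$")
clean = lambda v: re.sub(r"\(.*\)$", "", v).strip()   # drop "(Preferred)"


def parse_ipconfig(text):
    """Return {adapter: {field: [values]}}; indented lines with no field name extend the previous field."""
    adapters, current, last = {}, None, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():            # adapter or section header
            current, last = line.rstrip(":"), None
            adapters[current] = {}
            continue
        m = FIELD.match(line)
        if m:
            last = m.group(1)
            adapters.setdefault(current, {})[last] = [m.group(2).strip()]
        elif last is not None:               # e.g. a second DNS server
            adapters[current][last].append(line.strip())
    return adapters


def offsite_dns(text):
    """(adapter, resolver, subnet) for each IPv4 DNS server not on the adapter's own subnet."""
    findings = []
    for name, fields in parse_ipconfig(text).items():
        addrs, masks = fields.get("IPv4 Address"), fields.get("Subnet Mask")
        if not addrs or not masks:
            continue
        net = ipaddress.IPv4Interface(f"{clean(addrs[0])}/{clean(masks[0])}").network
        for server in fields.get("DNS Servers", []):
            try:
                ip = ipaddress.IPv4Address(clean(server))
            except ValueError:
                continue                     # IPv6 resolvers are not checked here
            if ip not in net:
                findings.append((name, str(ip), str(net)))
    return findings
```

A resolver outside the LAN is not proof of infection (an ISP or public resolver set by hand looks the same), so treat a hit as something to compare against what the router hands out via DHCP.
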
fp4 08-08-2012 11:23 PM

and TDSSKiller came up clean? I will have to look more into the virus.

Run HiJackThis:
http://sourceforge.net/projects/hjt/

and post a log.
