Did the malware removal guide and still having problems

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by exiledone1, Mar 10, 2009.

  1. exiledone1

    exiledone1 Private E-2

    Hello,

    Recently I posted one or two threads, and please understand it's not about bumping, but just letting everyone know my progress. I ended up fixing the System Restore issue, but let's go to work.

    1. I read and completed the Read & Run Me First thread and the Windows XP cleaning section. I downloaded all required software and went to work. As I said before, I made a few mistakes such as using msconfig and having it running on selective startup, and I used it to disable a few nasty little running pieces of adware I didn't want running. I also had an issue where my System Restore tab went missing as I followed advice from another forum before coming here. I also ran some scans with Ad-Aware and Spybot and deleted what I found, but nothing helped.

    When I found this site I decided to start over from scratch, and through help from another place I was able to restore my System Restore tab and also changed msconfig back to normal startup. Currently my System Restore is running. Now on to the rest of the info.

    I ran all checks as listed in normal mode and then safe mode, and everything seems better except for two items. One is that every time I start the computer I get the following message:


    Restarting Your Computer is required

    The computer must be restarted before updating can continue. Would you like to restart now?

    This pops up every time I start the computer now when Windows loads. If I hit No, everything seems fine; if I hit Yes, it just restarts and I'm back to the same issue. The next issue is I believe my browser is hijacked, as whenever I go to Google in Firefox and click a link it takes me somewhere else. I noticed in the code at the bottom of the link it says

    clickfraudmanager.com and then some more link code. I deleted Firefox and all traces of it, rebooted and reinstalled, and it seems better, but I don't want to take any chances, as I believe something may have been missed, which is why it was hijacked and why I keep getting this weird startup message. Included are the first 3 logs, and my next post will contain the final one. Any help is appreciated in advance, and I look forward to learning how to clean my computer all the way with your help. Thank you.

    P.S. These logs all come from re-running everything in normal mode, and most of them were clean I believe, except for the hijacking that seems to be going on in Firefox, but I will let you, the experts, decide if everything is good. Thanks in advance.

    Josh
     

    Attached Files:

    Last edited: Mar 10, 2009
  2. exiledone1

    exiledone1 Private E-2

    Here is the final log and thank you again. Look forward to your help in cleaning the rest of my system.

    Josh
     

    Attached Files:

  3. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Reviewing your logs and will be back with a set of instructions as soon as possible. :)

    Continued from this thread HERE
     
  4. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Hi Josh

    Let's do this:

    1) If you do not use Windows Messenger, run this Disable/Remove Windows Messenger to remove Windows Messenger. Do not confuse Windows Messenger with MSN Messenger, because they are not the same. Windows Messenger is a frequent cause of popups.

    2) Please go to Add or Remove Programs and uninstall the old versions of Java listed below:


    • J2SE Runtime Environment 5.0 Update 6
    • Java(TM) 6 Update 3

    3) Now we need to use ComboFix to remove a couple of malware files.

    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
    • If it is not on your Desktop, the below will not work.
    • Open Notepad and copy/paste the text in the below code box into it
    (make sure you scroll all the way down in the code box to get all lines selected ):
    Code:
    
    KILLALL::
    
    File::
    c:\windows\system32\fuhirivu.exe
    c:\windows\qawin32.INI
    c:\windows\system32\wifahewe.dll
    
    
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe



    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below

    Note:

    Do not mouse-click ComboFix's window while it is running. That may cause it to stall.


    4) Now reboot your machine and install the most current and up to date version of Java available here at the below link:

    Java Runtime 6

    5) Run Ccleaner!

    6) Now go to this link Using MGTools and download the new version of MGtools.exe using the black bold print link in the first sentence. Overwrite your previous MGtools.exe file with this one.

    7) Run the new MGTools.exe and attach the log it generates.

    8) Attach the log from running ComboFix

    9) Let me know how your machine is now behaving!

    Is the above still happening?

    Thanks
    Kes
     
    Last edited: Mar 12, 2009
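Before handing ComboFix a KILLALL/File:: script, a practitioner would normally record what is about to be deleted and check whether anything is set to re-launch it. The PowerShell below is an added example, not code from the thread, MajorGeeks or ComboFix: it takes the three paths Kestrel13! listed, records size, timestamps, Authenticode status and SHA-256 for each, then sweeps a few standard autostart registry locations for references to the same file names. The registry keys checked are this example's own assumption about where such files typically persist; the thread does not say these particular files used them.

```powershell
# Added example (not from the thread or ComboFix): triage the files a CFScript
# will delete before running it. Paths are the ones Kestrel13! listed; the
# registry locations are a generic persistence sweep (an assumption of this
# example), not something the thread states about these files.
# Uses only cmdlets present in PowerShell 2.0 so it also runs on older systems.

$targets = @(
    'c:\windows\system32\fuhirivu.exe',
    'c:\windows\qawin32.INI',
    'c:\windows\system32\wifahewe.dll'
)

function Get-Sha256Hex([string]$Path) {
    # Get-FileHash does not exist on PowerShell 2.0, so hash via .NET directly.
    $sha    = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try {
        ($sha.ComputeHash($stream) | ForEach-Object { $_.ToString('x2') }) -join ''
    } finally {
        $stream.Close()
    }
}

foreach ($path in $targets) {
    if (-not (Test-Path -LiteralPath $path)) {
        Write-Output "MISSING   $path"
        continue
    }
    $item = Get-Item -LiteralPath $path -Force          # -Force also returns hidden/system files
    $sig  = Get-AuthenticodeSignature -FilePath $path   # malware is almost never validly signed
    Write-Output ("PRESENT   {0}`n  size={1}  created={2}  modified={3}  signature={4}`n  sha256={5}" -f
        $path, $item.Length, $item.CreationTime, $item.LastWriteTime,
        $sig.Status, (Get-Sha256Hex $path))
}

# Sweep common autostart locations for the same file names so the CFScript can
# be extended, or a second pass planned, if something re-launches them after deletion.
$names   = $targets | ForEach-Object { [System.IO.Path]::GetFileName($_) }
$regKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows',   # holds AppInit_DLLs
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
)
foreach ($key in $regKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        foreach ($n in $names) {
            if ("$($p.Value)" -match [regex]::Escape($n)) {
                Write-Output "AUTOSTART $key\$($p.Name) -> $($p.Value)"
            }
        }
    }
}
```

Run it from an elevated prompt before dragging CFScript.txt onto ComboFix.exe and keep the output with the logs: the hashes let you check the samples against a scanner later, and any AUTOSTART line is a hint that the CFScript list alone may not be enough.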
  5. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

  6. exiledone1

    exiledone1 Private E-2

    Hi,

    I did as you said and have attached the two logs you requested. I have installed all the stuff you asked for and have been testing Firefox out, and so far I have not had a redirect. I have been at it for about 15 minutes just googling stuff, and it appears to be fine at this moment, but

    I am still having the strange "computer must be restarted" message I mentioned in my last post pop up every time Windows loads. This never happened until I got infected. So the browser seems to work; just this issue with the restart is next.

    Look forward to your reply and you guys are amazing

    Josh
     

    Attached Files:

  7. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Good morning.

    Can I also see the log produced from running Gooredfix if you have it. Thanks :)

    Kes
     
  8. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

  9. exiledone1

    exiledone1 Private E-2

    Hi,

    Ah, okay, I didn't run that one, since in your thread you said only to run it if you are still having problems. Since Firefox seemed to be cool, I didn't run it. No problem though, I will run it and post the results on my lunch break, as I'm now at work. I will post it around 1:30pm Eastern time today.

    P.S. Thanks for the link and I will check it out about the reboot

    Look forward to chatting again, and I will post the log from GooredFix, or whatever it is called, on lunch.

    Josh
     
  10. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    No problem, enjoy your lunch. :)
     
  11. exiledone1

    exiledone1 Private E-2

    Hello,

    I'm on my break and, as promised, here is the log for GooredFix. As instructed I did not fix it, I just ran the scan as noted in the instructions for the program. I am about to try the fix for the restart issue and will report back about that.

    Thanks

    Josh
     

    Attached Files:

  12. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Your logs are clean.

    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources (except a little disk space) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /u
        • Notes: The space between the combofix" and the /u, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
      • Delete the C:\combofix folder from combofix (if it exists)
    3. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    4. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    5. Go to add/remove programs and uninstall HijackThis.
    6. You can delete the C:\MGtools folder and the C:\MGtools.exe file. You can also delete the C:\MGlogs.zip
    7. If you are running Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning steps in the READ ME for your Window version and see the steps to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    8. After doing the above, you should work through the below link:

    Let me know how the fix for the restart worked out. If it doesn't solve your problem I would say you'd be well advised to head to the good folks in software :)

    Thanks
    Kes
     
  13. exiledone1

    exiledone1 Private E-2

    Hi and Wow,

    Some really great help here.

    First off, I went and did the solution for the restart, and it appears to have worked!! I had to do solution 2, and I just restarted with no problem. Now the one thing I did notice is a file appeared on my desktop called Thumbs.db after I ran GooredFix and the removal process for the Adobe removal. Any hint on what that is?

    Secondly, it's good to hear my logs are clean, and thank you guys so much for your help and the creation of the wonderful tutorials that you give us for free. I have always been pretty good with computers, but have learned a lot about myself and how to remove malware. You guys are great here. So in other words, thank you!!!!

    I will do the final steps and let you know how that goes. Thank you

    Josh
     
  14. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Oh I am pleased to hear that :) I did a little research and just came across that link, so thought it wouldn't do any harm to give it a go.

    This is nothing to worry about and can easily be changed back. Your hidden files and folders were set to show automatically when we used MGTools.exe, and you can easily reverse it by following the instructions below:

    How to view hidden, system files & folders!

    ...simply reverse the steps given for your OS :)

    You're very welcome!


    Kestrel
     
  15. exiledone1

    exiledone1 Private E-2

    Hi,

    Yeah, it was funny, because when you gave me the link I thought, you know, I did update Adobe lately, lol, and it was the cause.

    Ah, it's just a hidden file, that is cool, I know how to reverse that myself. Thanks for the link though. Just wasn't sure about the file Thumbs.db myself, you know.

    I am about to do the final step, which is to create the restore points. Once again, thanks for all your help, and you wouldn't happen to be interested in Stargate SG-1, would you? Reason I ask is someone I know from their new MMO coming out has the same username as you. Just thought it odd.

    Also, do you guys have an area where I could make a donation, since your help did save me tons of time and energy? If not, you guys should get one, as I'm sure with all the people you help you would all be rich :)

    Either way thanks and good grace to you!

    Josh
     
  16. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    LOL, nope, it's not me... but I have googled my username in the past and it shocked me to see how un-unique I really was. Plenty a' Kes's out there. Did their username have the ! after it too?


    We don't have donations per se, but what we would say is, if you would like to make a contribution to the site to express your thanks, have a look at the clothing range. There's some REALLY cool stuff in there :cool

    You are very welcome!

    Kestrel13!
     
  17. exiledone1

    exiledone1 Private E-2

    Hello,

    Ah, okay, lol, just thought I would ask. I think he does have the exact same username, so you just never know.

    I just finished the restore point toggle and am moving on, but wanted to ask one question before I go. I just bought SUPERAntiSpyware and I would like to buy Malwarebytes, but in your thread about keeping your PC protected you recommend only using one real-time blocker.

    Yet in this thread you mention purchasing both of them for good protection. Would it hurt me to have both paid versions for maximum protection, or would you just recommend one? I am also using NOD32 and was curious if I should switch to a newer antivirus, or is NOD32 still good? Thanks

    Josh
     
  18. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    You can run both, as what one won't pick up, the other will.

    Couldn't possibly comment, as I am unfamiliar with NOD32, but a lot of people use it and like it. I personally use Avast Free Edition and am very happy with it. Basically, the main thing to always remember is you are the best protection for your PC: watch your surfing habits and ensure that the sources you download from are always safe (I always come here and don't go elsewhere; each one of our downloads is thoroughly tested before being rolled out to us).

    If you are happy with NOD32 then keep it for now, and especially as it is paid for, I would at least let your subscription run out.

    Kes :)
     
